Question Regarding Meraki DAI

NoviceInMeraki
Conversationalist

So I am just new to the Meraki Dashboard and we're planning to incorporate our switches with DAI. However, upon testing this, the servers became unreachable/the servers cannot reach the network.

We've tried whitelisting the MAC address where it has been blocked by DAI.

On my take, since the server(s) are connected to a hub and the hub is connected to the switch -- should we enable trusted DAI on that switchport instead?

Based on the Meraki documentation, only the network devices should be trusted DAI. Should we set trusted DAI on all the switchports with connected servers and cameras (security devices) as well?

I know the question sounds easy but I do hope you all are able to answer them. Thank you.

alemabrahao
Kind of a big deal

https://documentation.meraki.com/MS/Other_Topics/Dynamic_ARP_Inspection#Configuring_DAI

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal

It is recommended to configure only ports facing end-hosts as untrusted (Trusted: disabled). Ports connecting network devices such as switches should be configured as trusted to avoid connectivity issues.

NoviceInMeraki
Conversationalist

Hello @alemabrahao, thank you for answering this.
However, we've enabled trusted DAI on ports connecting from switch to uplink, switch to MX firewall, and switch to MR access points.
And these servers cannot connect to the network. We've even whitelisted the MAC address (based on the block events); however, these servers can be pinged via the switch but for some reason they cannot be pinged from the MX firewall. When we tried checking the server / server storage, they were unable to connect to the network as well.

We've rolled back the change and disabled DAI and they worked again.

GIdenJoe
Kind of a big deal

From what I read in your comment I have to assume the implementation is still buggy and needs some troubleshooting from Meraki.

This is the same issue I had when I tried it on my home connection.  It worked for a while and suddenly it didn't take even on ports that were trusted.

GIdenJoe
Kind of a big deal

I've had mixed results with that feature at home, alas. I'm running a Cisco EWC with C9120AX APs on a Meraki MS210-24P, and one night the switches suddenly started blocking all packets coming from the whitelisted MAC addresses of the APs, causing my EWC deployment to fail. So I had to disable the feature again. I have yet to do another run at this soon.

Normally you have two ways to allow non-DHCP clients.
You can put the port on trusted or add a static entry for a specific MAC address.

Especially ports containing access points are important to check, because if you have SSIDs that don't enforce DHCP and you actually need static IP clients, you will need to either add them all to your allowlist or whitelist those ports, but then you can't enforce DAI on wireless clients.
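
The two options above (trusted port versus a static binding entry) and the original poster's static-IP server behind a hub, modelled as an added example that is not from this thread or from Meraki: a simplified DAI decision function with a constructed binding table. Port numbers, MAC addresses and IPs are made up; the Meraki allowlist also keys on VLAN, which this model omits.

```python
from dataclasses import dataclass, field

@dataclass
class DaiSwitch:
    """Minimal model of a DAI-enabled switch (constructed for illustration)."""
    trusted_ports: set = field(default_factory=set)
    # DHCP snooping binding table: (port, mac) -> ip, learned from DHCP ACKs
    dhcp_bindings: dict = field(default_factory=dict)
    # Static entries for hosts that never use DHCP (the allowlist)
    static_bindings: dict = field(default_factory=dict)

    def learn_dhcp(self, port, mac, ip):
        self.dhcp_bindings[(port, mac)] = ip

    def add_static(self, mac, ip):
        self.static_bindings[mac] = ip

    def inspect_arp(self, port, sender_mac, sender_ip):
        """Return (allowed, reason) for an ARP packet arriving on `port`."""
        if port in self.trusted_ports:
            return True, "trusted port: ARP not inspected"
        if self.dhcp_bindings.get((port, sender_mac)) == sender_ip:
            return True, "matches DHCP snooping binding"
        if self.static_bindings.get(sender_mac) == sender_ip:
            return True, "matches static allowlist entry"
        return False, "no binding for this MAC/IP on an untrusted port"

def run_scenario():
    """Walk through the thread's situation; returns each step's verdict."""
    sw = DaiSwitch(trusted_ports={24})       # port 24 = uplink to MX (hypothetical)
    sw.learn_dhcp(7, "aa:bb:cc:00:00:07", "10.0.0.107")   # DHCP client on port 7
    srv_mac, srv_ip = "aa:bb:cc:00:00:10", "10.0.0.10"    # static-IP server via hub on port 5
    results = {}
    results["dhcp_client"] = sw.inspect_arp(7, "aa:bb:cc:00:00:07", "10.0.0.107")[0]
    results["server_before"] = sw.inspect_arp(5, srv_mac, srv_ip)[0]   # blocked
    # Fix A: static allowlist entry keeps port 5 inspected (preferred for end hosts)
    sw.add_static(srv_mac, srv_ip)
    results["server_after_static"] = sw.inspect_arp(5, srv_mac, srv_ip)[0]
    # Fix B: trusting port 5 also works, but every host behind the hub is then
    # exempt from inspection, including a spoofed sender.
    sw.trusted_ports.add(5)
    results["spoof_on_trusted_hub_port"] = sw.inspect_arp(5, "de:ad:be:ef:00:01", "10.0.0.1")[0]
    return results
```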

Jonathan-S
Meraki Employee

Thanks for pointing out some DHCP-specifics here, GIdenJoe.

NoviceInMeraki and GIdenJoe, I would recommend opening up a ticket with our Support team if you feel that you are seeing unexpected behavior with regards to the Dynamic ARP Inspection feature/functionality.

You can view the options for contacting our Support team at the following Meraki resource:

https://documentation.meraki.com/General_Administration/Support/Contacting_Support

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
GIdenJoe
Kind of a big deal

That's on my TODO list 😉

It would be very handy, however, if the DHCP binding table and the DAI binding-to-port mapping were something you could query from the switch (perhaps via a REST API call?), because that won't be an easy thing to troubleshoot without that ability.

Jonathan-S
Meraki Employee

Hi GIdenJoe,

This could potentially be an interesting feature request. If you haven't done so already, you can go ahead and submit this by using the "Give your feedback" button located in the bottom-right-hand corner of any Meraki Dashboard portal page. These requests go directly to our product and development teams for consideration.

That being said, a Network Support Engineer should be able to access additional logging that would help in the troubleshooting process.

OmahaTim
Conversationalist

I have also disabled DAI across my thirty sites with MS-225s and MS-210s. I don't know if it's my DHCP servers or my clients or the switches, but machines that are on untrusted ports that have obtained their IP address via DHCP and are working will just suddenly stop working and show in the logs as being blocked. Of course, when they're scattered across the country and it's happening at random times to random individuals... it's hard to troubleshoot. I was forced to simply disable the feature on all of my switches.
