DHCP/ARP

mscotto
Getting noticed

DHCP/ARP

Anyone running DAI?  I enabled this and had serious issues with slowness in the network.  I whitelisted the entries to the snooping tables which helped once I allowed the legit traffic.  My ports that are trusted are all the uplinks to the core however I was told that I need to also trust anything with a static entry such as AP's ports on the switch as well as servers printers etc?  Is this true?  I want to re enable this feature but I am kind of worried since it caused so many issues.  Thanks!

4 Replies 4
PhilipDAth
Kind of a big deal
Kind of a big deal

As long as you aren't having broadcast storms or ARP flooding it shouldn't have any performance impact on the network.  The "normal" data packets should continue to be switched by the silicon at line rate.

 

I haven't used DAI since Cisco Enterprise days.  I haven't used it on Meraki.

I like the idea of it.  But every time I have tried to use it in the past I have kept running into issues and special cases.   In the end, I feel the issues caused are greater than the security gained.  So a losing proposition.

GIdenJoe
Kind of a big deal
Kind of a big deal

Yes DAI relies on DHCP snooping which implies you need to have seen the DHCP flow between your client and the DHCP server.  Only then is other traffic allowed on the port because the switch now has the mapping between your IP and MAC address for the duration of the DHCP lease.

 

So yes if you have devices with static IP's you either need to add static mappings for those or just put the port on trusted DAI.

mscotto
Getting noticed

Thanks Joe, last question, so the static entries I get, however is the point to only trust those ports and then not trust anything else?  I have end users having issues with wifi and it only gets better when i whitelist them to the snooping table.  This was before I had the AP's as trusted.  I am worried about users who connect via ethernet to a vlan and the same issue happens.  I feel like I have to end up trusting every port which defeats the purpose of DAI unless I missed something?

GIdenJoe
Kind of a big deal
Kind of a big deal

The only clients you need to worry about are the clients with static IP's.

These are the ones you need static entries for OR define trusted ports for.

 

All the rest will follow the normal DAI operation which means, if the switch can see the DHCP traffic, it will dynamically allow the MAC address of the host on the port.

 

 

My recommendation would be to have DAI active only on access ports.

Trunk ports leading to infra devices like switches, servers, firewalls, access points should be trusted.

 

Access points might be the only exception if you want to enforce DAI on Wi-Fi users.

In that case maybe just put the port on untrusted but add the AP entries.  I'm not entirely sure how Meraki actually handles this, so testing will tell.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels