DAI allows other source IP on DHCP MAC

PeterUK

So yes, I might not get this fixed on the GS2210-24 V4.50(AAND.4), which is EOL, but maybe this happens on newer models too?

So I have VLAN 50 on port 24 to the FLEX 200, with LAG 25-26 as Trusted to the internet router. The FLEX 200 does DHCP, and IP Source Guard lists the MAC and IP it got. I then added to the FLEX 200 a virtual interface 192.168.100.254/24. This causes a PC on the LAN going to 192.168.100.1 to make the FLEX 200 ARP and send with source IP 192.168.100.254 and the same source MAC... I was thinking that was easy? Which it shouldn't be: you should need to add 192.168.100.254 to the list to allow it. So what's happening is the MAC is trusted to send from any source IP!

I tested with a Cisco switch, which does not have the same problem... but then you can't have a dynamic IP with a static IP on the same MAC by adding it to the table.


All Replies

  • Zyxel_Melen (Zyxel Employee)

    Hi @PeterUK,

    Could you share the IP source guard / ARP inspection / DHCP snooping table and the tech support collected after the issue occurs for me to clarify?

    Also, please share your topology with me. I will build a lab to verify. Thanks.

  • PeterUK
    edited April 2023

    Hi Melen

    Here is the setup

    What should not happen is for the FLEX200 to ARP from 192.168.100.254 to 192.168.100.1, and for traffic to the modem IP via 192.168.255.193 to be SNATed from the FLEX200's 192.168.100.254 IP, which IP Source Guard should stop unless it's in IP Source Guard Static Binding.

  • PeterUK

    Update

    OK, I found the reason: I had more setup than what is shown, by doing an ARP bypass. I have now removed that and it's blocking 192.168.100.254 going to 192.168.100.1, but now I have the problem of how do I allow this?

  • PeterUK
    edited April 2023

    So I have tested three switches with DAI.

    With Zyxel you add an IP (192.168.100.254) in IP Source Guard, but it does not allow it due to ARP Inspection blocking it.

    With Cisco you can add an IP (192.168.100.254) in ARP Inspection, but you cannot add an IP on the same MAC for a dynamic IP with a static IP as source.

    With Netgear it blocks the IP (192.168.100.254), but you allow it in ARP Inspection and it allows the traffic without adding the IP (192.168.100.254) in IP Source Guard.

  • Zyxel_Melen (Zyxel Employee)
    edited April 2023

    Hi @PeterUK,

    So the original problem was due to static IP binding "192.168.100.254 with MAC address Any", right?

    But, now you need to allow 192.168.100.254 to go to 192.168.100.1 which uses the previous static IP binding "192.168.100.254 with MAC address Any" and failed?

  • PeterUK

    The first problem worked when it shouldn't have due to an ARP bypass, which I have now removed.

    So yes, the new problem is I can't allow 192.168.100.254 with MAC address Any, likely because that MAC is learned by DHCP in IP Source Guard.

  • PeterUK
    edited April 2023

    To add to this, this is what happens with ARP Inspection Configure enabled.

    With it disabled I can get to 192.168.100.1 by source IP 192.168.100.254.

  • Zyxel_Melen (Zyxel Employee)

    Hi @PeterUK,

    Thanks for the information.

    I can reproduce it in my lab. I will get more clarification on this problem. In the meantime, could you share why you use IP Source Guard in this topology? What's your scenario?

  • PeterUK

    Just to stop my connection from sending out traffic it shouldn't. My reason for 192.168.100.254 going to 192.168.100.1 is this: yes, I can get to 192.168.100.1 from my WAN IP, but this only works if the WAN gateway is up, so 192.168.100.254 will ARP directly to the modem should I need to check the modem.

  • Zyxel_Melen (Zyxel Employee)
    edited April 2023

    Hi @PeterUK,

    After clarifying, the new models have the same behavior.

    This is because the switch checks which IP address the source MAC address of an ingress packet is using. If the IP address does not match the binding table, the switch will block this IP address.

    For your scenario, I recommend changing the ARP Inspection port configuration to "trusted" on the port connecting to the USG FLEX.
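The following is an added example, not part of this thread and not Zyxel, Cisco or Netgear code. It models the binding-table lookup described in the reply above (the switch looks up the source MAC and requires the packet's IP to be one of that MAC's bound IPs) beside the alternative of keying on the (MAC, IP) pair, and shows what marking the port "trusted" does to both checks. Assumptions: DAI (ARP sender MAC/IP) and IPSG (IP source MAC/IP) are collapsed into one `permitted()` lookup; a "MAC any" static entry is consulted only for MACs the table has never seen; the FLEX MAC, its DHCP lease, and the port name are constructed stand-ins for the three-switch comparison and the topology in the posts above.

```python
# Toy model of a switch binding table with Dynamic ARP Inspection (DAI) and
# IP Source Guard (IPSG) lookups. Added example for this thread; it is not
# Zyxel, Cisco or Netgear code. It collapses DAI and IPSG into one lookup and
# contrasts two designs: keyed on source MAC (the behaviour the Zyxel reply
# describes) or keyed on the (MAC, IP) pair. All MACs and IPs are constructed.
from dataclasses import dataclass, field

ANY = "any"  # wildcard MAC in a static binding ("192.168.100.254 with MAC any")


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str
    origin: str  # "dhcp" (snooped lease) or "static" (operator-added)


@dataclass
class Switch:
    lookup: str = "by_mac"  # "by_mac" or "by_pair"
    trusted_ports: set = field(default_factory=set)
    bindings: list = field(default_factory=list)

    def learn_dhcp(self, mac, ip, vlan, port):
        """DHCP snooping saw a lease: bind this MAC to exactly this IP."""
        self.bindings.append(Binding(mac.lower(), ip, vlan, port, "dhcp"))

    def add_static(self, mac, ip, vlan, port):
        """Operator-added binding; MAC may be the 'any' wildcard."""
        self.bindings.append(Binding(mac.lower(), ip, vlan, port, "static"))

    def permitted(self, mac, ip, vlan, port):
        """Would DAI (sender MAC/IP of an ARP) or IPSG (source MAC/IP of an
        IP packet) let a frame with this MAC/IP through on this port?"""
        if port in self.trusted_ports:
            return True  # trusted ports skip inspection entirely
        mac = mac.lower()
        here = [b for b in self.bindings if b.vlan == vlan and b.port == port]
        if self.lookup == "by_mac":
            # Look up what the table knows about this MAC, then require the
            # packet's IP to be one of that MAC's own IPs. A 'MAC any' entry
            # is only reached for MACs the table has never seen (assumption).
            mine = [b for b in here if b.mac == mac]
            if mine:
                return any(b.ip == ip for b in mine)
            return any(b.mac == ANY and b.ip == ip for b in here)
        # by_pair: any entry whose (MAC or wildcard, IP) matches the packet
        return any(b.mac in (mac, ANY) and b.ip == ip for b in here)


# Constructed values standing in for the thread's topology: the USG FLEX on
# port 24 of VLAN 50 holds a DHCP lease from the router and also sends from
# its virtual interface 192.168.100.254 to reach the modem at 192.168.100.1.
FLEX_MAC = "00:11:22:33:44:55"       # constructed
FLEX_DHCP_IP = "192.168.255.200"     # constructed lease
VIRTUAL_IP = "192.168.100.254"
VLAN, PORT = 50, "port24"


def scenario(lookup, trust_port=False):
    """Reproduce the thread: one MAC with a DHCP lease plus a 'MAC any'
    static binding for the virtual IP. Returns the verdict for each IP."""
    sw = Switch(lookup=lookup)
    if trust_port:
        sw.trusted_ports.add(PORT)
    sw.learn_dhcp(FLEX_MAC, FLEX_DHCP_IP, VLAN, PORT)
    sw.add_static(ANY, VIRTUAL_IP, VLAN, PORT)   # the binding PeterUK added
    return {
        "dhcp_ip": sw.permitted(FLEX_MAC, FLEX_DHCP_IP, VLAN, PORT),
        "virtual_ip": sw.permitted(FLEX_MAC, VIRTUAL_IP, VLAN, PORT),
        "spoofed_ip": sw.permitted(FLEX_MAC, "10.9.9.9", VLAN, PORT),
    }


if __name__ == "__main__":
    print("by_mac         ", scenario("by_mac"))
    print("by_pair        ", scenario("by_pair"))
    print("by_mac, trusted", scenario("by_mac", trust_port=True))
```

With the MAC-keyed lookup the virtual IP is denied even though a static entry for it exists, because the FLEX MAC already has a DHCP entry and only that entry is compared; the pair-keyed lookup permits the virtual IP while still denying an unrelated source IP. Trusting the port (the workaround recommended above) permits all three, including the spoofed one: it switches both checks off for that port, so it is only acceptable when the firewall is the sole device on the port and the port is physically controlled.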