DAI allows other source IP on DHCP MAC


All Replies

  • PeterUK
    PeterUK Posts: 2,848  Guru Member
    edited April 2023

    If I set all trusted on both sides then ARP inspection will not do its thing; that's the point of DAI: you have trusted and untrusted. On trusted, ARP is allowed, whereas on untrusted, ARP is checked. If you set all to trusted then there is no point in DAI being on.

    Should be a somewhat simple fix: ARP checks IP source guard for static IP/VLAN/MAC and then allows it, even if not for the switch I have but for newer models.

  • Zyxel_Melen
    Zyxel_Melen Posts: 1,714  Zyxel Employee

    Hi @PeterUK,

    Could you share more detail about your scenario? Is this virtual interface used to check the modem status only?

    And why do you want to set untrusted on the USG FLEX connecting port?

    I know setting trusted makes ARP Inspection do nothing, and we should configure the ports as untrusted when connecting with end devices. But I could not figure out why the USG FLEX connecting port needs to be set as untrusted in the ARP inspection configuration. It will be helpful if you share the reason.

    Zyxel Melen

  • PeterUK
    PeterUK Posts: 2,848  Guru Member
    edited April 2023

    I have a WAN IP that is dynamic. I want traffic and ARP only for what this IP needs to do, as in ARP to the gateway and ARP to the subnet; any other ARP should be blocked by DAI. The virtual interface is used to check the modem status so that the USG FLEX can ARP to the modem by 192.168.100.254.

    Because it is untrusted, just like if a PC was connected in place of the USG FLEX; there is more to the network than what is shown.

    In any case the setup shows that setting up a static IP in static binding does not work, or only if the IP/MAC is not picked up by DHCP snooping.

  • PeterUK
    PeterUK Posts: 2,848  Guru Member

    At some point Zyxel did what I have been looking for in a switch, and that is allow/block ARP but with the destination, maybe even source, IP of what the ARP is doing, and then used a policy rule for that ACL to use "Send the packet to the egress port", in my case 25, to allow around DAI.

  • Zyxel_Melen
    Zyxel_Melen Posts: 1,714  Zyxel Employee

    Thanks @PeterUK found a solution for this scenario.

    However, IP source guard/ARP inspection only allows a whitelist (DHCP snooping table or static binding table) of IP and MAC address bindings to access the network.
    If the IP and MAC address binding is not in the whitelist, IP source guard/ARP inspection will block the ARP packets sent from an illegal IP address to prevent ARP spoofing.

    Zyxel Melen

  • PeterUK
    PeterUK Posts: 2,848  Guru Member

    Yes, but I did whitelist source IP 192.168.100.254 as shown above, but it still blocks it?
    My guess is that when a MAC/IP is spoofed against a binding, that same MAC, even if whitelisted to come from another IP, is not allowed.

  • Zyxel_Melen
    Zyxel_Melen Posts: 1,714  Zyxel Employee

    Hi @PeterUK,

    This might be because some ARP packets are not sent to your DIP. So, you will see a block record on the ARP inspection list.

    I suggest using the classifier below. I tested it with "sending the packet to the egress port" and didn't have any ARP inspection block record.

    Zyxel Melen

  • PeterUK
    PeterUK Posts: 2,848  Guru Member

    Sorry for the confusion, I mean it all works fine with the rule I did.

    What I was pointing out was that the static binding table only may work if the MAC is not listed in the DHCP snooping table.

    So:

    MAC 1 binds by DHCP.

    MAC 1 binding in the static table does not work, but if the MAC was not listed in the DHCP table then it allows it. I guess someone that did the DAI thought it's a security problem.

  • Zyxel_Melen
    Zyxel_Melen Posts: 1,714  Zyxel Employee

    Hi @PeterUK,

    Do you mean that if MAC 1 binds in the static table and the MAC is not listed in the DHCP table, the switch will allow any client's traffic to pass through? If I'm wrong, please correct me.

    Zyxel Melen

  • PeterUK
    PeterUK Posts: 2,848  Guru Member

    I have not tested this, but yes, MAC 1 bound in the static table should be allowed for the given source IP by DAI, but as soon as MAC 1 is listed in the DHCP table the static table entry for MAC 1 will not work.
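The binding precedence discussed in this thread, as an added toy model (not Zyxel code and not the poster's configuration): a minimal DAI-style check of an ARP packet against a DHCP snooping table and a static binding table, with a "dhcp_first" mode reproducing the behaviour observed above and a "union" mode for the behaviour the poster expected. The MAC addresses, IPs, port numbers and both lookup modes are constructed for illustration.

```python
"""Toy model of a DAI (dynamic ARP inspection) whitelist check.

Constructed to illustrate the thread's observation: a static binding for a
MAC that DHCP snooping has already learned is not honoured. Both lookup
modes are an assumption made for illustration, not the switch's real code.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpPacket:
    port: int
    sender_mac: str
    sender_ip: str
    vlan: int = 1

# Constructed sample tables. MAC 1 got its WAN address by DHCP (learned by
# snooping) and also has a static binding for the modem-status address.
# MAC 2 only has a static binding and was never seen by DHCP snooping.
DHCP_SNOOPING = {("aa:bb:cc:00:00:01", 1): {"203.0.113.10"}}
STATIC_BINDING = {("aa:bb:cc:00:00:01", 1): {"192.168.100.254"},
                  ("aa:bb:cc:00:00:02", 1): {"192.168.100.253"}}
TRUSTED_PORTS = {25}   # port 25 is the uplink the thread sends around DAI

def dai_verdict(pkt: ArpPacket, mode: str = "dhcp_first") -> str:
    """Return 'allow' or 'drop' for an ARP packet.

    mode="dhcp_first": the behaviour observed in the thread. Once a MAC is
      in the DHCP snooping table only its DHCP-learned IP passes; the static
      table is consulted only for MACs DHCP snooping has not seen.
    mode="union": the behaviour the poster expected. An ARP passes if either
      table binds the sender MAC to the sender IP.
    """
    if pkt.port in TRUSTED_PORTS:
        return "allow"            # trusted ports bypass inspection entirely
    key = (pkt.sender_mac, pkt.vlan)
    dhcp_ips = DHCP_SNOOPING.get(key, set())
    static_ips = STATIC_BINDING.get(key, set())
    if mode == "dhcp_first":
        allowed = dhcp_ips if dhcp_ips else static_ips
    elif mode == "union":
        allowed = dhcp_ips | static_ips
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return "allow" if pkt.sender_ip in allowed else "drop"

if __name__ == "__main__":
    modem_check = ArpPacket(3, "aa:bb:cc:00:00:01", "192.168.100.254")
    print(dai_verdict(modem_check))            # drop  (observed behaviour)
    print(dai_verdict(modem_check, "union"))   # allow (expected behaviour)
```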