Dynamic ARP Inspection (DAI) and WiFi roaming


tubs-ffm

Active Member
Sep 1, 2013
171
57
28
Hello,

How does Dynamic ARP Inspection (DAI) work across a network with multiple WiFi access points connected to different switches?

I do not really need the DAI feature, but I am playing around to get a better understanding. The basics of DHCP snooping and ARP inspection and the function of trusted ports are clear to me. Now I am wondering what will happen if a client that is connected to AP1 (which is connected to SW1) roams to AP2 (which is connected to SW2). Both switches have ARP inspection enabled. In this case the ARP table of switch AP2 does not know the client and will block it. Or not?
 

DavidWJohnston

Active Member
Sep 30, 2020
242
191
43
I think since DHCP uses broadcasts, all switches connected to the same network segment will hear the same packets, and build identical DHCP snooping tables.

Depending on the implementation, for non-DHCP IPs on untrusted ports to work, I believe configuring static ARP is necessary.
 

tubs-ffm

DavidWJohnston said: I think since DHCP uses broadcasts, all switches connected to the same network segment will hear the same packets, and build identical DHCP snooping tables.

Thank you. Yes, they will all hear the broadcast messages. But it was not clear to me how it is handled. I found some time and tested it. Unfortunately, it looks like what I expected. The implementation of DHCP snooping could differ from maker to maker. I am using two Ruckus ICX 7150 switches and Ruckus Unleashed WiFi access points.

The device MD2, which is connected to access point AP2, is listed in the DHCP snooping table of switch SW2 and in the ARP table of switch SW1. This is fine, and ARP inspection would work. But the device MD1, which is connected to access point AP1, is listed only in the DHCP snooping table of switch SW1. There is no entry for device MD1 on switch SW2.

This is roughly what I expected. But it is an issue if device MD1 roams from access point AP1 to AP2.

DavidWJohnston said: Depending on the implementation, for non-DHCP IPs on untrusted ports to work, I believe configuring static ARP is necessary.

Yes, this is clear. But it is not a problem. The devices with fixed IPs do not roam, and static tables will work for them.

[Attachment: arp inspection.png]
 

DavidWJohnston

In the case of WiFi, since the clients are authenticated at the AP, perhaps using a trusted port is the usual configuration. The WiFi authentication is far stronger than comparing MAC addresses.
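The two situations discussed in this thread, the roaming client whose binding exists only on its original switch and the alternative of treating the AP-facing ports as trusted, can be reproduced with a small model of DHCP snooping and DAI. This is an added example and not code from the original posts, nor anything from Ruckus; it assumes the commonly documented behaviour that a switch records a snooping binding only for DHCP exchanges that arrive on one of its untrusted ports (a lease that merely transits a trusted uplink is not recorded), and that DAI checks sender MAC and sender IP against that table on untrusted ports only. The VLAN, port names and addresses are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: a lease the switch saw on one of its untrusted ports."""
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class Switch:
    name: str
    trusted_ports: frozenset
    bindings: dict = field(default_factory=dict)  # (vlan, mac) -> Binding

    def learn_dhcp(self, vlan, mac, ip, ingress_port):
        """DHCP snooping: record a binding only when the client's DHCP traffic enters
        on an untrusted port. Traffic merely forwarded through a trusted uplink is not
        recorded (assumed model of the usual switch behaviour)."""
        if ingress_port in self.trusted_ports:
            return False
        self.bindings[(vlan, mac)] = Binding(mac, ip, vlan, ingress_port)
        return True

    def inspect_arp(self, vlan, sender_mac, sender_ip, ingress_port):
        """DAI: ARP on trusted ports is forwarded unchecked; ARP on untrusted ports must
        match a snooping binding for (vlan, sender MAC, sender IP) or it is dropped."""
        if ingress_port in self.trusted_ports:
            return "forward"
        binding = self.bindings.get((vlan, sender_mac))
        if binding is not None and binding.ip == sender_ip:
            return "forward"
        return "drop"


# Constructed topology: each switch has an AP on port 1/1/1 and an uplink on 1/1/48.
VLAN = 10
AP_PORT, UPLINK = "1/1/1", "1/1/48"
MD1 = ("aa:aa:aa:aa:aa:01", "10.0.10.11")  # joins via AP1 behind SW1
MD2 = ("aa:aa:aa:aa:aa:02", "10.0.10.12")  # joins via AP2 behind SW2


def build_network(ap_ports_trusted=False):
    trusted = {UPLINK} | ({AP_PORT} if ap_ports_trusted else set())
    sw1 = Switch("SW1", frozenset(trusted))
    sw2 = Switch("SW2", frozenset(trusted))
    # MD1's DHCP exchange enters SW1 on the AP1 port and SW2 only via the uplink.
    sw1.learn_dhcp(VLAN, *MD1, AP_PORT)
    sw2.learn_dhcp(VLAN, *MD1, UPLINK)
    # MD2's DHCP exchange enters SW2 on the AP2 port and SW1 only via the uplink.
    sw2.learn_dhcp(VLAN, *MD2, AP_PORT)
    sw1.learn_dhcp(VLAN, *MD2, UPLINK)
    return sw1, sw2


def run_scenario(ap_ports_trusted=False):
    """Return what each switch knows and what DAI decides for the interesting ARPs."""
    sw1, sw2 = build_network(ap_ports_trusted)
    mac1, ip1 = MD1
    _, ip2 = MD2
    return {
        "sw1_knows_md1": (VLAN, mac1) in sw1.bindings,
        "sw2_knows_md1": (VLAN, mac1) in sw2.bindings,
        # MD1 before roaming: its ARP enters SW1 on the AP1 port.
        "md1_on_ap1": sw1.inspect_arp(VLAN, mac1, ip1, AP_PORT),
        # MD1 after roaming to AP2: the same ARP now enters SW2 on the AP2 port.
        "md1_on_ap2": sw2.inspect_arp(VLAN, mac1, ip1, AP_PORT),
        # A rogue station behind AP2 claiming MD2's IP with its own MAC.
        "spoof_on_ap2": sw2.inspect_arp(VLAN, "de:ad:be:ef:00:01", ip2, AP_PORT),
    }


if __name__ == "__main__":
    for trusted in (False, True):
        print(f"AP ports trusted={trusted}: {run_scenario(trusted)}")
```

With the AP ports untrusted, SW2 never learns MD1's lease, so MD1's first ARP after roaming is dropped while the spoofed ARP is also dropped, which is exactly the trade-off the thread describes. With the AP ports trusted, the roaming client is forwarded, but so is the spoof: the switch no longer validates wireless clients at all, and protection against ARP spoofing between wireless stations has to come from the WLAN (client authentication and client isolation on the AP) rather than from DAI.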
 

tubs-ffm

OK. I am not looking at a serious use case. It is more about getting a correct understanding of the functions.
But it looks like this is the way to go: either use DAI on the AP, if provided, or skip it for the AP and its clients.