DHCP Snooping and DAI - Random One-way Audio

Unanswered Question
May 9th, 2007

We have a Catalyst 6506-E running Native 12.2(18)SXF8. It is being deployed in an IPT environment, so we wanted to make sure that L2 security was implemented. We turned on DHCP snooping for VLANs X, Y, Z and we also turned on ip arp inspection for X, Y, Z. We put the rate-limit commands under the ports for both. We also have the trusted command under the port that the DHCP server is plugged into.

With this configuration we are seeing random one-way audio calls between phones that ride on the same subnet and even the same switch. If we take off DAI then everything works fine. The customer is running CCM 4.3(1) OS2003.1.1sr1 and the phones are 7941/61 with 8.2(2)sr1. I would like to know if anyone has seen this. If so, is it a misconfig or a bug?

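The setup the original post describes (DHCP snooping and DAI on the voice VLANs, rate limits on the access ports, trust on the DHCP server port), written out as an added example for reference; it is not the poster's actual configuration. VLAN IDs 10/20/30, the interface names and the bootflash: path are placeholders. The database-agent lines are the piece the thread notes was left out: without them the binding table is lost on a reload, and DAI then has no bindings to validate the phones' ARP against until every phone renews its lease.

```cisco
! --- Global: DHCP snooping on the voice/data VLANs (10,20,30 are placeholders)
ip dhcp snooping
ip dhcp snooping vlan 10,20,30
! Leave option-82 insertion off unless the DHCP server or relay is set up to accept it
no ip dhcp snooping information option
! Persist the binding table so a reload does not empty it (path is a placeholder)
ip dhcp snooping database bootflash:dhcp-snoop.db
ip dhcp snooping database write-delay 30
!
! --- Global: DAI on the same VLANs; ARP is checked against the snooping bindings
ip arp inspection vlan 10,20,30
! Also verify that the MAC addresses inside the ARP payload match the Ethernet header
ip arp inspection validate src-mac dst-mac ip
! Keep denied ARP packets in a log buffer so drops can be inspected afterwards
ip arp inspection log-buffer entries 256
ip arp inspection log-buffer logs 64 interval 10
! Bring a port back automatically if the DAI rate limiter err-disables it
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! --- Port facing the DHCP server: trusted for both features, no rate limit
interface GigabitEthernet1/1
 description DHCP server
 switchport
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Phone access port: untrusted, rate-limited (15 pps is the DAI default)
interface GigabitEthernet2/1
 description IP phone
 switchport
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
```

Two points worth checking against this: a host on an inspected VLAN with a static address has no binding and so has its ARP dropped by DAI unless it is covered by an ARP ACL, and any inter-switch link carrying these VLANs needs `ip arp inspection trust` and `ip dhcp snooping trust` as well, otherwise ARP and DHCP arriving from the neighbouring switch are validated against bindings this switch never learned.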
gogasca Wed, 05/09/2007 - 23:11

I remember this in an older version in which the DHCP packet became corrupted... but I don't think you are facing this problem...

Check:

CSCsb36874

DHCP clients may fail to renew IP address when DHCP snooping is enabled.

I also had a case in which there was a missing DHCP db config...

Please verify the config and let us know:

DAI

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/dynarp.htm#wp1072626

DHCP Snooping

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/snoodhcp.htm

When you get the one-way audio it could be good to gather a sniffer capture...

mikeconiglio Thu, 05/10/2007 - 04:57

That is the documentation that we used to verify, which is no more than the 6500 docs, but thanks for the links because you never know, we might have gotten the wrong ones.

In looking at your bug ID, you are correct in that it's not having trouble getting DHCP (IP address). The config is very simple and there is not much really to configure. The only thing we do not have configured is the database location, which is only there in case the switch bounces, so it will have a place to look at the bindings and not have to relearn them.

We will test it out on a different floor where there are 3750 switch stacks to see if we run into the same issue. If not, then it would be a good lab mock-up for Cisco. We currently do not have the windows to test this out because it is a 24/7 place. However, I will get the configs off and, if you want, give you all the parameters offline to simulate.

Thanks for your assistance and looking forward to your reply.

ricky.eng Tue, 09/29/2009 - 08:49

I wonder what the final resolution was for you, or whether you had to disable DAI to avoid this one-way traffic issue.

I have done a TCP/sniffer trace and have an interesting finding. The IP phone depends on the ARP reply in order to encode voice into RTP packets and send them to the other IP phone. That means if either IP phone cannot receive the ARP reply packet, that IP phone will not send RTP to the other phone, hence the other phone will not hear any voice (total silence). In my case, the IP phone ARPed for the other IP phone a total of 6 ARP requests, with the first five ARP replies being dropped by the switch. That resulted in one-way silent audio for 5 sec. All 6 ARP replies look identical, so it looks like Dynamic ARP Inspection is not a bug but not reliable, the same as an IPS having false negatives.

DAI is enabled on a C3560-48PS running 12.2(25)SEE3.
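To confirm on the switch itself what the trace above shows, i.e. that the missing ARP replies were discarded by DAI rather than lost elsewhere, the following show commands can be run around a test call. This is an added example, not from any poster in the thread; VLAN 20 stands in for the voice VLAN.

```cisco
! Zero the per-VLAN DAI counters, then place the test call
clear ip arp inspection statistics vlan 20
!
! Is the lease of each phone in the table DAI validates against? A phone that
! is missing here (e.g. after a reload with no database agent) has its ARP dropped
show ip dhcp snooping binding
!
! "DHCP Drops" rising during the silent period means ARP on this VLAN failed the
! binding check; "ACL Drops" means an ARP ACL denied it
show ip arp inspection statistics vlan 20
!
! The denied packets themselves: sender MAC/IP, VLAN and ingress port
! (only populated if the log buffer is configured)
show ip arp inspection log
!
! A phone port err-disabled by the DAI rate limiter drops everything, not just ARP
show interfaces status err-disabled
!
! Whether a binding database agent is configured and when it last wrote
show ip dhcp snooping database
```

If the binding entry for a phone is present and the drop counters still climb, the next thing to compare is the dropped packet in the log against the binding (MAC, IP, VLAN and port must all match), since a phone that moved ports or re-addressed without renewing its lease looks to DAI exactly like a spoofed reply.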
