Snooping/ARP inspection problem

Unanswered Question
Oct 21st, 2009

We have DHCP snooping and ARP inspection enabled on our 3750G switches for our Voice and Data VLANs. It works great, unless the switch is reloaded, like during a SW upgrade.

When the switch reloads, none of the phones are able to get IPs from DHCP. The data VLANs don't seem to be affected. The log buffers on the switches show DHCP SPOOFING DENY (Invalid ARPs) errors. Only after I disable ARP inspection for the voice VLANs do the phones come up.

OK, so am I doing something wrong? Shouldn't I be able to have ARP inspection enabled for the voice VLAN as well? Perhaps I'm doing something out of order, like I should disable ARP inspection, reload, then re-enable it after all phones get IPs and come up? If Inspection really works, I shouldn't have to do that.

The latest incident occurred after I simply reloaded the switch in the middle of the night after downloading and installing the new SW image (12.2.52SE-ipbase). In the morning when I got in, all the phones were "Configuring IP."

Any suggestions or common experiences that anyone can offer? Thanks in advance.

Giuseppe Larosa Wed, 10/21/2009 - 06:40

Hello Ben,

I would suggest considering the use of a DHCP binding database saved as a file on an external TFTP server, which the switch can import back after a reload to learn the allowed DHCP clients.

DHCP Snooping Binding Database

When reloading, the switch reads the binding file to build the DHCP snooping binding database. The switch updates the file when the database changes.

Hope to help
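
As an added example, not taken from either poster's configuration: the persistence setup Giuseppe describes, written for an IOS 3750 with data VLAN 10, voice VLAN 20, an uplink on Gi1/0/1 and a TFTP server at 192.0.2.10, all of which are assumed values.

```cisco
! Global: enable snooping, bind it to both VLANs, and persist the binding
! table so it survives a reload (VLAN numbers and file name are assumed)
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
! Persist bindings to local flash (the interim choice in this thread) ...
ip dhcp snooping database flash:/dhcp-snooping.db
! ... or, as the reply recommends, to an external TFTP server instead
! (assumed address):
! ip dhcp snooping database tftp://192.0.2.10/dhcp-snooping.db
!
! Write the file at most 15 s after a change (default 300 s) so the
! saved copy is current when an unplanned reload happens
ip dhcp snooping database write-delay 15
!
! DAI validates ARP against the same binding table, so an empty table
! after reload is exactly what produces the DENY messages in the log
ip arp inspection vlan 10,20
!
! The uplink toward the DHCP server must be trusted, or the OFFER/ACK
! coming back is itself dropped by snooping and the table never fills
interface GigabitEthernet1/0/1
 description uplink-to-core
 ip dhcp snooping trust
 ip arp inspection trust
!
! Verification after reload:
!   show ip dhcp snooping database     -> agent URL, last read/write status
!   show ip dhcp snooping binding      -> entries restored from the file
!   show ip arp inspection statistics  -> DAI drop counters per VLAN
```

If the binding output is empty after the reload, check the database read status first; DAI can only pass ARP for hosts that have an entry or a matching ARP ACL.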


cooperben Wed, 10/21/2009 - 13:19

Thank you for the reply. I have configured the DHCP snooping database to be stored in flash for now until I can set up an external TFTP server. Until then, I am noticing something else.

In order to allow the phones to receive an IP address from DHCP, I had to disable ARP inspection and DHCP Snooping on the voice VLANs. I then re-enabled just DHCP Snooping. I reset several test phones, and all were able to reset and get an IP address successfully. However, I am not seeing any entries for the phones in the 'sh ip dhcp snooping binding' output. Is this because I am now using a snooping database? Previously, all phones and hosts on both the data and voice VLANs showed in the output of that command. I just want to make sure that it is all working before I re-enable 'ip arp inspection' on the voice VLANs.
