ARP inspection issue

Unanswered Question
Mar 13th, 2014

Dear Sirs,

I kindly ask you to help me clarify the following issue.

There are more than 40 Cisco 2960 series switches (WS-C2960-48TC-L) in our enterprise. DHCP snooping/ARP inspection is configured on every switch:

 

ip arp inspection vlan 10
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 1024 interval 10
!
!
ip dhcp snooping vlan 10
no ip dhcp snooping information option
ip dhcp snooping

Ports to hosts are configured:

interface FastEthernet0/1 - 48
 description "Desktop and Phone"
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 56
 switchport port-security maximum 2
 switchport port-security
 ip arp inspection limit rate 100
 storm-control broadcast level 60.00
 storm-control multicast level 60.00
 spanning-tree portfast
 spanning-tree bpduguard enable

Trusted port to DHCP server is configured:

interface GigabitEthernet0/1
 description ' To sw3-cs4507R-MTR [p. Gig 3/7] '
 switchport mode trunk
 ip arp inspection trust
 media-type sfp
 ip dhcp snooping limit rate 100
 ip dhcp snooping trust

When I remove a host from swA-cs2960-48tcl-2, for example port FastEthernet0/1, and move it to another switch, swB-cs2960-48tcl-2, interface FastEthernet0/3, the following alarm appears:

SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/45, vlan 10.([0026.b99c.62ad/172.16.113.56/0050.56b1.0075/172.16.1.7/09:06:47 EET Wed Mar 12 2014])
Mar 12 09:06:50 192.168.255.60 3362: 003358: Mar 12 09:06:49: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/11, vlan

There is no entry for host 0026.b99c.62ad/172.16.113.56 in the DHCP snooping binding database on switch B. On switch A it is present:

 

swA-cs2960-48tcl-2#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:26:B9:9c:62:AD   172.16.113.56   3546        dhcp-snooping   10    FastEthernet0/1

swB-cs2960-48tcl-2#sh ip dhcp snooping binding | i 172.16.113.56
swB-cs2960-48tcl-2#

Troubleshooting is:

int FastEthernet0/3
 ip arp inspection trust
 no ip arp inspection trust

Why is the entry missing from the DHCP snooping binding table on swB-cs2960-48tcl-2? Maybe switchport port-security is inconsistent with DHCP snooping/ARP inspection? Is this normal behavior of ARP inspection?
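
On an untrusted port, dynamic ARP inspection checks the sender MAC/IP of each ARP packet against the switch's own DHCP snooping binding table, so the deny message and the two binding tables quoted above can be cross-checked mechanically. The Python below is an added example, not part of the original post or any Cisco tooling; its sample data is copied from the output quoted above, and treating swB-cs2960-48tcl-2 as the switch that logged the deny is an assumption.

```python
import re

# Constructed sample input, copied from the log line and the
# "sh ip dhcp snooping binding" output quoted in the post.
DENY_LOG = ("%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/45, vlan 10."
            "([0026.b99c.62ad/172.16.113.56/0050.56b1.0075/172.16.1.7/"
            "09:06:47 EET Wed Mar 12 2014])")
BINDINGS = {
    "swA-cs2960-48tcl-2": "00:26:B9:9c:62:AD   172.16.113.56   3546        "
                          "dhcp-snooping   10    FastEthernet0/1\n",
    "swB-cs2960-48tcl-2": "",  # the filtered show command returned nothing
}

DENY_RE = re.compile(
    r"SW_DAI-4-DHCP_SNOOPING_DENY: \d+ Invalid ARPs \((Req|Res)\) on ([^,\s]+), "
    r"vlan (\d+)\.\(\[([0-9a-f.]+)/([\d.]+)/", re.I)
BIND_RE = re.compile(
    r"^((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(\d+(?:\.\d+){3})\s+\d+\s+\S+\s+(\d+)\s+(\S+)",
    re.I | re.M)

def norm_mac(mac):
    # 0026.b99c.62ad and 00:26:B9:9c:62:AD both become 0026b99c62ad
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_deny(line):
    """Extract port, VLAN and sender MAC/IP from a DAI deny message."""
    m = DENY_RE.search(line)
    if not m:
        return None
    return {"type": m[1], "port": m[2], "vlan": int(m[3]),
            "mac": norm_mac(m[4]), "ip": m[5]}

def parse_bindings(show_output):
    """Turn binding-table rows into (mac, ip, vlan) -> interface."""
    return {(norm_mac(m[1]), m[2], int(m[3])): m[4]
            for m in BIND_RE.finditer(show_output)}

def locate_binding(deny, tables):
    """Return {switch: interface} for every switch holding the sender's binding."""
    key = (deny["mac"], deny["ip"], deny["vlan"])
    return {sw: parse_bindings(out)[key]
            for sw, out in tables.items() if key in parse_bindings(out)}

def explain(deny, tables, reporting_switch):
    """Say whether the switch that logged the deny holds a binding to validate against."""
    hits = locate_binding(deny, tables)
    if reporting_switch in hits:
        return "binding present locally on " + hits[reporting_switch]
    where = ", ".join(f"{sw} {intf}" for sw, intf in hits.items()) or "no switch"
    return f"no local binding for {deny['ip']}; binding held by {where}"
```

Calling `explain(parse_deny(DENY_LOG), BINDINGS, "swB-cs2960-48tcl-2")` reports that the only matching binding is the one on swA-cs2960-48tcl-2 FastEthernet0/1.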
