05-25-2012 02:28 AM - edited 03-07-2019 06:53 AM
Hi Friends,
I encountered a big problem: all computers on the same VLAN cannot access the network. When I run arp -a on the computers, it displays 00-00-00-00-00-00.
So I enabled the switch command ip arp inspection vlan X and got many ARP errors:
May 25 15:13:37: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/6, vlan 11.([0022.641e.984e/10.114.240.56/0000.0000.0000/10.114.240.1/15:13:36 gmt Fri May 25 2012])
May 25 15:13:38: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/4, vlan 11.([4437.e648.fb9d/10.114.240.50/0000.0000.0000/10.114.240.1/15:13:37 gmt Fri May 25 2012])
May 25 15:13:38: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/3, vlan 11.([4437.e64d.72c5/10.114.240.39/0000.0000.0000/10.114.240.1/15:13:37 gmt Fri May 25 2012])
May 25 15:13:38: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/5, vlan 11.([4437.e650.f964/10.114.240.53/0000.0000.0000/10.114.240.1/15:13:37 gmt Fri May 25 2012])
May 25 15:13:38: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/26, vlan 11.([4437.e664.e870/10.114.240.36/0000.0000.0000/10.114.240.1/15:13:37 gmt Fri May 25 2012])
May 25 15:13:38: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/10, vlan 11.([4437.e662.3734/10.114.240.47/0000.0000.0000/10.114.240.1/15:13:37 gmt Fri May 25 2012])
May 25 15:13:39: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/48, vlan 11.([0018.7185.3c21/10.114.240.46/0000.0000.0000/10.114.240.31/15:13:38 gmt Fri May 25 2012])
May 25 15:13:39: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/6, vlan 11.([0022.641e.984e/10.114.240.56/0000.0000.0000/10.114.240.1/15:13:38 gmt Fri May 25 2012])
May 25 15:13:39: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/11, vlan 11.([e839.3548.6d9a/10.114.240.52/0000.0000.0000/10.114.240.1/15:13:39 gmt Fri May 25 2012])
May 25 15:13:40: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/5, vlan 11.([4437.e650.f964/10.114.240.53/0000.0000.0000/10.114.240.1/15:13:39 gmt Fri May 25 2012])
So I restarted the switch and the issue was fixed, but after one more day it happened again. (When I use the ip arp inspection command, all ports on this switch go down, I don't know why; when I disable this command, the network is active.)
I scanned all computers in the LAN, but no ARP attack was found, so I suspect it's a switch problem?
05-25-2012 04:41 AM
Are the hosts that are getting the ARP inspection errors statically set? If they're not in the DHCP database on your device, it will deny the incoming ARP request. For example, check the host 10.114.240.52 to see if it's statically set at the box. You have 2 choices if it is: you can create a static ARP ACL and apply that as a filter to your ARP inspection, OR you can trust the ports that these hosts are off of. I would do the latter if these are end host ports though, because then they'd be able to run a DHCP server and not be subjected to DHCP snooping.
HTH,
John
05-25-2012 08:04 AM
It has a record in the DHCP server pool. But I am not sure if this command will cause all interfaces to go down.
05-25-2012 05:00 AM
Have you checked if it's a bug on the Cisco Bug Toolkit?
05-25-2012 08:05 AM
No, I don't know how to check. Can you tell me the link?
05-25-2012 08:13 AM
Look for Cisco Bug Toolkit on Google. I don't have the link on me now. Once you go onto it, it's self-explanatory. You choose your platform and IOS and it will show you if there are any related bugs.
Cheers
05-27-2012 06:03 PM
I have checked; it's not this bug, and I opened a TAC case with Cisco, who advised me that no action is needed. But I am still confused why ARP still sends "0" packets continuously.
05-27-2012 10:03 PM
Hi,
The switch received ARP packets that are considered invalid by ARP inspection. The packets are invalid, and their presence may be an indication of "man-in-the-middle" attacks being attempted in the network. This message is logged when the IP address and MAC address binding for the sender on the received VLAN is not listed in the DHCP snooping database.
DHCP snooping builds a table as the hosts acquire IP addresses from the DHCP server, and from then on uses this table as the reference to allow or deny packets, based on the lookup it performs against the source MAC and source IP of the incoming ARP packets. When a host boots and comes up on the network, the first thing it does is get an IP/mask/gateway and additional information like DNS from an available DHCP server.
Once the host gets an identity for itself in the network, it sends an ARP for the gateway and other hosts in the network before it can communicate with them, as the host needs the destination MAC address (ARP resolves an IP to a MAC address). So, even before ARP occurs, IP assignment by DHCP is the first step, and the DHCP snooping feature tracks these DHCP discover/offer/request/acknowledgement messages between end hosts and the DHCP server and builds the DHCP snooping binding table in this process.
May 25 15:13:37: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/6, vlan 11.([0022.641e.984e/10.114.240.56/0000.0000.0000/10.114.240.1/15:13:36 gmt Fri May 25 2012])
The above message indicates the switch has received an ARP request from the host with source IP 10.114.240.56 and source MAC 0022.641e.984e located on Gi1/0/6 in VLAN 11, addressed to the host (the interface VLAN 11 IP) 10.114.240.1 (destination IP), requesting the MAC address of that host (destination MAC). At this point the source does not know the destination MAC, so the ARP packet has 0000.0000.0000 in the destination MAC field.
This ARP is not consistent with the DHCP snooping binding table that the switch has already built: the IP 10.114.240.56 likely does not exist in it yet, or is already registered to another host with a different MAC address on a different interface. You can check by using the "sh ip dhcp snooping binding vlan 11" command (please send it). This inconsistency causes the switch to believe that the above ARP request has come from an unauthorized host and could be malicious from the DHCP snooping point of view.
Possible reasons for this behavior could be hosts with manually configured IP addresses, or addresses acquired from another DHCP server. If you have hosts with static IPs, you can configure the following for them to stop triggering these messages (enable trust on the interfaces that have static IP hosts):
ip arp inspection trust
ip dhcp snooping trust
Also, do ensure the DHCP snooping is enabled on your switch.
Kind Regards,
Ivan
**Please grade this post if you find it useful.
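The triage that John's and Ivan's replies describe (is the denied sender absent from the binding table, or is its IP bound to a different MAC/port?) can be scripted. The block below is an added example, not code from the thread or from Cisco: it parses the %SW_DAI-4-DHCP_SNOOPING_DENY lines (four of them copied from the thread, each rejoined onto a single line), parses a constructed "show ip dhcp snooping binding" output, classifies each denied host, and emits the arp access-list / ip arp inspection filter lines for the hosts confirmed as static. The binding table contents, the ACL name STATIC-HOSTS and all function names are assumptions made for the example.

```python
"""Triage %SW_DAI-4-DHCP_SNOOPING_DENY messages against the DHCP snooping binding table.

Added example, not code from the thread or from Cisco. The syslog sample is copied
from the thread (rejoined onto one line each); the binding table is constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# DAI denial as logged in the thread. The bracketed tuple is
# sender MAC / sender IP / target MAC / target IP / switch timestamp.
DAI_DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: \d+ Invalid ARPs \((?P<op>Req|Res)\) on "
    r"(?P<port>\S+), vlan (?P<vlan>\d+)\.\(\[(?P<smac>[0-9a-f.]+)/(?P<sip>[0-9.]+)/"
    r"(?P<tmac>[0-9a-f.]+)/(?P<tip>[0-9.]+)/"
)
# One data row of 'show ip dhcp snooping binding' (colon MACs, long interface names).
BINDING_RE = re.compile(
    r"^(?P<mac>[0-9A-Fa-f:]{17})\s+(?P<ip>[0-9.]+)\s+\d+\s+\S+\s+(?P<vlan>\d+)\s+(?P<intf>\S+)",
    re.MULTILINE,
)

def norm_mac(mac: str) -> str:
    """12 lowercase hex digits, so '0022.641e.984e' and '00:22:64:1E:98:4E' compare equal."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def dotted_mac(mac12: str) -> str:
    """IOS dotted form for use in an arp access-list."""
    return ".".join(mac12[i:i + 4] for i in (0, 4, 8))

def norm_intf(name: str) -> str:
    """'GigabitEthernet1/0/6' (binding table) -> 'Gi1/0/6' (syslog)."""
    return re.sub(r"^GigabitEthernet", "Gi", name)

@dataclass(frozen=True)
class Deny:
    port: str
    vlan: int
    sender_mac: str
    sender_ip: str
    target_ip: str
    op: str

def parse_dai_denies(syslog: str) -> list:
    return [Deny(norm_intf(m["port"]), int(m["vlan"]), norm_mac(m["smac"]),
                 m["sip"], m["tip"], m["op"]) for m in DAI_DENY_RE.finditer(syslog)]

def parse_bindings(show_output: str) -> dict:
    """{(vlan, ip): (mac, interface)} from 'show ip dhcp snooping binding' output."""
    return {(int(m["vlan"]), m["ip"]): (norm_mac(m["mac"]), norm_intf(m["intf"]))
            for m in BINDING_RE.finditer(show_output)}

def classify(d: Deny, bindings: dict) -> str:
    entry = bindings.get((d.vlan, d.sender_ip))
    if entry is None:
        return "NO_BINDING"  # static IP, foreign DHCP server, or table lost (reload, expired lease)
    mac, intf = entry
    if mac == d.sender_mac and intf == d.port:
        return "BOUND"       # bound now, so the table lacked this entry when the deny was logged
    return "CONFLICT"        # IP bound to another MAC/port: stale binding or an ARP spoofing attempt

def triage(syslog: str, show_output: str) -> dict:
    """verdict -> {sender_ip: first Deny seen for that host}"""
    bindings = parse_bindings(show_output)
    out = defaultdict(dict)
    for d in parse_dai_denies(syslog):
        out[classify(d, bindings)].setdefault(d.sender_ip, d)
    return {k: dict(v) for k, v in out.items()}

def arp_acl_for_static_hosts(denies, acl_name: str = "STATIC-HOSTS") -> list:
    """IOS lines exempting verified static hosts from the binding-table check.
    Without the 'static' keyword on the filter, hosts not matched by the ACL still
    fall through to the DHCP snooping bindings. Confirm each host is really static first."""
    denies = sorted(denies, key=lambda d: d.sender_ip)
    lines = [f"arp access-list {acl_name}"]
    lines += [f" permit ip host {d.sender_ip} mac host {dotted_mac(d.sender_mac)}" for d in denies]
    lines += [f"ip arp inspection filter {acl_name} vlan {v}" for v in sorted({d.vlan for d in denies})]
    return lines

# Four denials copied from the thread, each rejoined onto a single line.
SYSLOG = """\
May 25 15:13:37: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/6, vlan 11.([0022.641e.984e/10.114.240.56/0000.0000.0000/10.114.240.1/15:13:36 gmt Fri May 25 2012])
May 25 15:13:38: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/4, vlan 11.([4437.e648.fb9d/10.114.240.50/0000.0000.0000/10.114.240.1/15:13:37 gmt Fri May 25 2012])
May 25 15:13:39: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/11, vlan 11.([e839.3548.6d9a/10.114.240.52/0000.0000.0000/10.114.240.1/15:13:39 gmt Fri May 25 2012])
May 25 15:13:39: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/6, vlan 11.([0022.641e.984e/10.114.240.56/0000.0000.0000/10.114.240.1/15:13:38 gmt Fri May 25 2012])
"""
# Constructed 'show ip dhcp snooping binding' output: .56 bound as logged,
# .50 bound to a different MAC on another port, .52 absent.
BINDINGS = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:22:64:1E:98:4E   10.114.240.56    85000       dhcp-snooping  11    GigabitEthernet1/0/6
00:11:22:33:44:55   10.114.240.50    85000       dhcp-snooping  11    GigabitEthernet1/0/20
Total number of bindings: 2
"""

if __name__ == "__main__":
    verdicts = triage(SYSLOG, BINDINGS)
    for verdict, hosts in verdicts.items():
        print(verdict, sorted(hosts))
    print("\n".join(arp_acl_for_static_hosts(verdicts.get("NO_BINDING", {}).values())))
```

Two details matter in practice: MACs are dotted in the syslog but colon-separated in the binding table, and interface names are abbreviated in one and spelled out in the other, so both are normalised before comparison. A host in the NO_BINDING bucket is only a candidate for the ARP ACL; confirm on the box that it is statically addressed before exempting it, since an attacker's spoofed sender lands in the same bucket.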
05-27-2012 11:03 PM
It causes network issues when DHCP snooping is enabled on the access switch (2960). I have tried enabling DHCP snooping, but the network goes down. So when I removed DHCP snooping, the network resumed.
05-28-2012 08:37 PM
Enabling DHCP snooping/DAI where you have the right ports trusted should not cause an outage. Should it? I have not used that command a lot, but from what I learned in SWITCH you need to enable it there, enable it all the way up the chain to the DHCP server, and configure your trusted/untrusted ports (important!) correctly.
Cisco has a lot of articles, plus this one was useful:
When you say the network is down, do you mean you have no access to the switch management IP? End users see slowness? Can you release/renew?
DAI info:
05-28-2012 09:16 PM
Hello Donglei,
I am not sure if you followed the perfect explanation that Ivan provided you, but that is basically what you need to do!
If you want to keep ARP inspection enabled, you will need to do what Ivan told you to make everything work!
I think what you can do now is read the following 2 links and try to understand them; afterwards you will know what we are talking about. I used them to learn and understand DHCP snooping and DAI, so this is definitely going to help you.
http://cciesecure.blogspot.com/2010/01/dhcp-snooping-on-cisco-switches.html
http://packetpushers.net/yes-we-really-need-dynamic-arp-inspection/
Rate all the helpful posts
Julio
Security Engineer