Dynamic ARP inspection, why did this happen?

Andy White
Level 3

Hello,

I have DAI running on 3 x 3560s in a remote WAN office, this is the topology:

WAN > Cisco router > SW1 (DHCP server ) > Etherchannel to SW2 > Trunk to SW3

I had to reboot SW3 today to update the IOS and after rebooting no one could connect and I could see the syslog server was getting filled up with arp errors like this:

Apr  7 07:31:34.811: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/3, vlan 1.([0026.b995.1g71/172.30.2.80/0000.0000.0000/172.30.2.1/08:31:33 BST Mon Apr 7 2014])

On trunks leading towards switch SW1 where the DHCP database is I have these commands set:

'ip arp inspection trust'

'ip dhcp snooping trust'

I thought if the IP and MAC were in the DHCP DB then all is good?

Thanks


Hello


That's because when you rebooted the switch, the DHCP DB for that switch lost its bindings and the DAI ARP messages couldn't be validated.

I suggest that you backup this DB to a remote location to negate this occurring again.

ip dhcp snooping database tftp://x.x.x.x/dhcpbind.txt


res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I understand now.

So I have to back up the DHCP database on the other switch that runs the DHCP service? So as soon as I rebooted this switch the DHCP switch cleared down its DHCP table?

Or does the switch I rebooted host a DHCP database too, if so how can I see it as 'sh ip dhcp bindings' only works on the DHCP switch?

Thanks

Hello

Snooping should be enabled on any switch that DHCP services for untrusted ports, and I would back up both DBs if applicable (binding and snooping).

ip dhcp database ftp://password@x.x.x.x/dhcpbind write-delay 300
ip dhcp snooping database tftp://x.x.x.x/dhcpsnoop.txt
ip dhcp snooping database write-delay 300

sh ip dhcp snooping binding
sh ip dhcp binding


res

Paul



Kind Regards
Paul

Think I will save to flash if poss.

Those commands only show information on the DHCP serving switch, so I should just back up the 2 DBs on that switch as the switch in question is empty?

So the DHCP serving switch (SW1) would have cleared down these DHCP IP mappings when I rebooted the other switch (SW3)?

Andy

Hello
I may have misread or misinterpreted your OP.

DAI running on 3 x 3560s - I was of the understanding that DAI and snooping were enabled on the switch you reloaded.

"So the DHCP serving switch (SW1) would have cleared down these DHCP IP mappings when I rebooted the other switch (SW3)?"

No, it shouldn't. Apart from the DHCP binding DB, the snooping and ARP are locally significant to the switch they are enabled on.

So if you haven't got this enabled on the switch you reloaded, the users attached to that switch should have reconnected.

res

Paul



Kind Regards
Paul

My explanation is confusing.

DHCP is on the other switch, DAI is on all 3 switches, I had to turn it off on the switch in question to allow users on.

I thought the DHCP switch held all this info, it certainly does when I run a 'sh ip dhcp snooping bindings' and the other switches use these tables once they are populated. I will turn ARP inspection back on on this other switch, but the databases are empty so I guess I will get the same issue.

Thanks

For my understanding what is the breakdown of the log message highlighted:


%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/5, vlan 1.([0025.64e3.479c/172.30.2.163/0000.0000.0000/172.30.2.209/08:21:12 BST Tue Apr 8 2014])

0025.64e3.479c/172.30.2.163 seems to be the PC that is being blocked but what is 0000.0000.0000/172.30.2.209 as it seems to be another PC?

Thanks


I have spent all morning trying to track down this information. I have not seen any information related to this.

Hello

Just to confirm:

DAI can be used dynamically using the DHCP snoop DB and statically WITHOUT verifying against the snooping DB - in fact the snooping doesn't even need to be enabled.

Regarding your issue: is it possible you enabled DAI after these users had already obtained their addressing? In that case DAI wouldn't validate at that time, unless the ports were shut down and restarted or the switch was reloaded. Now if you didn't specify static DAI at this time then without the snooping DB my understanding is it would prohibit access.

Example static DAI (apply a static VLAN filter list on all switches requiring static DAI):

ip arp inspection filter-list vlan xx static DAI

arp access-list DAI

permit ip any mac host 0000.0000.1111

or
permit ip host 1.1.1.1 mac host 0000.0000.1111


Note: once enabled for the VLAN it will only permit what's in the ACL.

res

Paul


Kind Regards
Paul
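To make the log breakdown Andy asks about above concrete, and to show how the static and dynamic validation Paul describes fit together, here is an added Python example; it is not code from the thread or from Cisco. In the %SW_DAI-4-DHCP_SNOOPING_DENY message the bracketed fields are the ARP packet's sender MAC, sender IP, target MAC and target IP, followed by its timestamp, so 0000.0000.0000/172.30.2.209 in the quoted line is the request's target (an all-zero target MAC is normal in an ARP request, the sender does not know it yet), not a second PC. The script parses such lines and replays DAI's validation order (ARP ACL permits first, then, unless the filter list is static, the snooping bindings) against a binding table exported beforehand, which separates denies caused by an empty local table after a reload from denies where a different MAC claims an already-bound IP. The sample log lines, binding table and ACL below are constructed, and the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Regex for the %SW_DAI-4-DHCP_SNOOPING_DENY message. The bracketed fields are, in
# order: sender MAC, sender IP, target MAC, target IP, timestamp of the ARP packet.
DAI_DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<op>\w+)\) "
    r"on (?P<port>[^,]+), vlan (?P<vlan>\d+)\.\(\["
    r"(?P<sender_mac>[^/]+)/(?P<sender_ip>[^/]+)/"
    r"(?P<target_mac>[^/]+)/(?P<target_ip>[^/]+)/(?P<time>[^\]]+)\]\)"
)


@dataclass(frozen=True)
class DaiDeny:
    port: str
    vlan: int
    op: str          # "Req" for ARP requests, "Res" for replies
    sender_mac: str
    sender_ip: str
    target_mac: str  # all zeros in a request: the sender does not know it yet
    target_ip: str
    timestamp: str


def parse_dai_deny(line: str) -> Optional[DaiDeny]:
    """Return the parsed deny record, or None if the line is some other message."""
    m = DAI_DENY_RE.search(line)
    if m is None:
        return None
    return DaiDeny(
        port=m["port"], vlan=int(m["vlan"]), op=m["op"],
        sender_mac=m["sender_mac"].lower(), sender_ip=m["sender_ip"],
        target_mac=m["target_mac"].lower(), target_ip=m["target_ip"],
        timestamp=m["time"],
    )


# Binding table as 'show ip dhcp snooping binding' lists it: (vlan, ip) -> mac.
Bindings = Dict[Tuple[int, str], str]
# Static ARP ACL permit entries: (ip, or None for 'any', mac).
ArpAcl = List[Tuple[Optional[str], str]]


def classify(d: DaiDeny, bindings: Bindings, acl: ArpAcl, static_only: bool) -> str:
    """Re-run DAI's validation order against a known-good table to explain a deny."""
    # 1. ARP ACL permit entries are checked first (the 'arp access-list' in the post).
    for ip, mac in acl:
        if mac == d.sender_mac and (ip is None or ip == d.sender_ip):
            return "permit-acl"
    # 2. With the 'static' keyword the ACL's implicit deny is final; bindings are not consulted.
    if static_only:
        return "deny-acl-no-match"
    # 3. Otherwise fall back to the snooping bindings for the sender's VLAN and IP.
    bound_mac = bindings.get((d.vlan, d.sender_ip))
    if bound_mac is None:
        return "deny-no-binding"        # the thread's failure mode: table lost on reload
    if bound_mac == d.sender_mac:
        return "permit-binding"         # the switch's own table must have lacked this entry
    return "deny-ip-mac-mismatch"       # another MAC claims a bound IP: worth investigating


def analyse(log_text: str, bindings: Bindings, acl: ArpAcl,
            static_only: bool = False) -> List[Tuple[str, str, str, str]]:
    """Return (port, sender_mac, sender_ip, verdict) for every DAI deny in the log."""
    results = []
    for line in log_text.splitlines():
        d = parse_dai_deny(line)
        if d is not None:
            results.append((d.port, d.sender_mac, d.sender_ip,
                            classify(d, bindings, acl, static_only)))
    return results


# Constructed sample syslog extract (not a real capture); the last line is a non-DAI message.
SAMPLE_LOG = """\
Apr  7 07:31:34.811: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/3, vlan 1.([0026.b995.1a71/172.30.2.80/0000.0000.0000/172.30.2.1/08:31:33 BST Mon Apr 7 2014])
Apr  8 08:21:13.102: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/5, vlan 1.([0025.64e3.479c/172.30.2.163/0000.0000.0000/172.30.2.209/08:21:12 BST Tue Apr 8 2014])
Apr  8 08:22:01.556: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/9, vlan 1.([00aa.bbcc.dd01/172.30.2.163/0025.64e3.479c/172.30.2.209/08:22:00 BST Tue Apr 8 2014])
Apr  8 08:22:05.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Constructed binding table, as exported from the DHCP-serving switch before the reload.
SAMPLE_BINDINGS: Bindings = {
    (1, "172.30.2.80"): "0026.b995.1a71",
    (1, "172.30.2.163"): "0025.64e3.479c",
}

# Constructed static ACL in the shape of the 'arp access-list DAI' above (a printer entry).
SAMPLE_ACL: ArpAcl = [("172.30.2.250", "0000.0000.1111")]

if __name__ == "__main__":
    for row in analyse(SAMPLE_LOG, SAMPLE_BINDINGS, SAMPLE_ACL):
        print(*row)
```

Run it over a syslog export together with a 'sh ip dhcp snooping binding' dump taken from the DHCP-serving switch. A run of permit-binding verdicts on one switch's ports right after a reload is the signature of a lost local snooping table, which the database backup suggested earlier in the thread is meant to prevent; deny-ip-mac-mismatch verdicts are the ones DAI exists to catch and deserve a look at the port in question.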

I have an arp acl already for printers etc and works well, but I have a lot of PCs to add if this is the method to use rather than dynamic.

I did turn off DAI after the reload as users on that switch couldn't get online, when I re-enabled it they got knocked off again, I thought the DHCP switch would see that the computers' requests were in the DHCP snooping DB (MAC & IP) and allow, but they don't.
