I have DAI running on 3 x 3560s in a remote WAN office; this is the topology:
WAN > Cisco router > SW1 (DHCP server ) > Etherchannel to SW2 > Trunk to SW3
I had to reboot SW3 today to update the IOS, and after rebooting no one could connect. I could see the syslog server was getting filled up with ARP errors like this:
Apr 7 07:31:34.811: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/3, vlan 1.([0026.b995.1g71/172.30.2.80/0000.0000.0000/172.30.2.1/08:31:33 BST Mon Apr 7 2014])
On trunks leading towards switch SW1, where the DHCP database is, I have these commands set:
'ip arp inspection trust'
'ip dhcp snooping trust'
I thought if the IP and MAC were in the DHCP DB then all is good?
That's because when you rebooted the switch, the DHCP DB for that switch lost its bindings and the DAI ARP messages couldn't be validated.
I suggest that you back up this DB to a remote location to negate this occurring again.
ip dhcp snooping database tftp://x.x.x.x/dhcpbind.txt
I understand now.
So I have to back up the DHCP database on the other switch that runs the DHCP service? So as soon as I rebooted this switch the DHCP switch cleared down its DHCP table?
Or does the switch I rebooted host a DHCP database too? If so, how can I see it, as 'sh ip dhcp bindings' only works on the DHCP switch?
Snooping should be enabled on any switch that services DHCP for untrusted ports, and I would back up both DBs if applicable (binding and snooping).
ip dhcp database ftp://firstname.lastname@example.org/dhcpbind write-delay 300
ip dhcp snooping database tftp://x.x.x.x/dhcpsnoop.txt
ip dhcp snooping database write-delay 300
sh ip dhcp snooping binding
sh ip dhcp binding
Think I will save to flash if possible.
Those commands only show information on the DHCP serving switch, so I should just back up the 2 DBs on that switch as the switch in question is empty?
So the DHCP serving switch (SW1) would have cleared down these DHCP IP mappings when I rebooted the other switch (SW3)?
I may have misread or misinterpreted your OP.
DAI running on 3 x 3560s - I was under the understanding that DAI and snooping were enabled on the switch you reloaded.
So the DHCP serving switch (SW1) would have cleared down these DHCP IP mappings when I rebooted the other switch (SW3)?
No, it shouldn't. Apart from the DHCP binding DB, the snooping and ARP inspection are locally significant to the switch they are enabled on.
So if you don't have this enabled on the switch you reloaded, the users attached to that switch should have reconnected.
My explanation is confusing.
DHCP is on the other switch, DAI is on all 3 switches, I had to turn it off on the switch in question to allow users on.
I thought the DHCP switch held all this info; it certainly does when I run a 'sh ip dhcp snooping bindings', and the other switches use these tables once they are populated. I will turn ARP inspection back on on this other switch, but the databases are empty so I guess I will get the same issue.
For my understanding, what is the breakdown of the log message highlighted:
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/5, vlan 1.([0025.64e3.479c/172.30.2.163/0000.0000.0000/172.30.2.209/08:21:12 BST Tue Apr 8 2014])
0025.64e3.479c/172.30.2.163 seems to be the PC that is being blocked, but what is 0000.0000.0000/172.30.2.209, as it seems to be another PC?
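The bracketed part of a %SW_DAI-4-DHCP_SNOOPING_DENY message is sender MAC / sender IP / target MAC / target IP / timestamp of the ARP packet that was dropped, and an ARP request always carries an all-zero target hardware address, so 0000.0000.0000/172.30.2.209 is the address the PC was trying to resolve rather than a second blocked host. The following parser is an added example, not code from the thread or from Cisco: it pulls those fields out of syslog lines (the first sample line is the one quoted above, the rest are constructed) and tallies the denies per port so the sender MAC/IP pairs can be compared against 'show ip dhcp snooping binding' on the affected switch.

```python
import re
from collections import Counter

# Constructed sample syslog text: line 1 is the message quoted in the thread,
# lines 2-3 are made-up variations, line 4 is an unrelated message.
SAMPLE_LOG = """\
Apr 8 08:21:12.104: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/5, vlan 1.([0025.64e3.479c/172.30.2.163/0000.0000.0000/172.30.2.209/08:21:12 BST Tue Apr 8 2014])
Apr 8 08:21:13.221: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/5, vlan 1.([0025.64e3.479c/172.30.2.163/0000.0000.0000/172.30.2.1/08:21:13 BST Tue Apr 8 2014])
Apr 8 08:21:15.009: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Res) on Fa0/7, vlan 1.([0011.2233.4455/172.30.2.77/0025.64e3.479c/172.30.2.163/08:21:15 BST Tue Apr 8 2014])
Apr 8 08:21:16.500: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Field layout of the bracketed payload: sender MAC/sender IP/target MAC/target IP/time.
DAI_DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<op>\w+)\) "
    r"on (?P<port>\S+), vlan (?P<vlan>\d+)\.\(\["
    r"(?P<sender_mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})/(?P<sender_ip>[\d.]+)/"
    r"(?P<target_mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})/(?P<target_ip>[\d.]+)/"
    r"(?P<when>[^\]]+)\]\)"
)


def parse_dai_deny(line):
    """Return the fields of one DAI deny message as a dict, or None for any other line."""
    m = DAI_DENY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    rec["vlan"] = int(rec["vlan"])
    # An ARP request has an all-zero target hardware address; the target IP is the
    # address being resolved, not a second host that DAI is blocking.
    rec["is_request"] = rec["op"] == "Req" and rec["target_mac"] == "0000.0000.0000"
    return rec


def describe(rec):
    """Human-readable reading of one parsed deny record."""
    who = f"{rec['sender_ip']} ({rec['sender_mac']}) on {rec['port']} vlan {rec['vlan']}"
    if rec["is_request"]:
        return f"{who} asked who has {rec['target_ip']}; dropped, no matching DHCP snooping binding"
    return f"{who} replied to {rec['target_ip']} ({rec['target_mac']}); dropped, no matching DHCP snooping binding"


def summarize(log_text):
    """Denies per port, plus the sender MAC/IP pairs DAI refused and the ports they came from.
    Those pairs are what you would expect to see in 'show ip dhcp snooping binding' on that switch."""
    per_port = Counter()
    senders = {}
    for line in log_text.splitlines():
        rec = parse_dai_deny(line)
        if rec is None:
            continue
        per_port[rec["port"]] += rec["count"]
        senders.setdefault((rec["sender_mac"], rec["sender_ip"]), set()).add(rec["port"])
    return per_port, senders


if __name__ == "__main__":
    for text in SAMPLE_LOG.splitlines():
        parsed = parse_dai_deny(text)
        if parsed:
            print(describe(parsed))
    print(summarize(SAMPLE_LOG))
```

Run it against a real syslog export: a sender pair that keeps appearing in the denies but is absent from the local binding table is exactly the symptom of a binding database that did not survive the reload.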
Just confirm -
DAI can be used dynamically using the DHCP snooping DB, and statically WITHOUT verifying against the snooping DB - in fact snooping doesn't even need to be enabled.
Regarding your issue - is it possible you enabled DAI after these users had already obtained their addressing? In that case DAI wouldn't validate at that time, unless the ports were shut down and restarted or the switch was reloaded. Now, if you didn't specify static DAI at this time, then without the snooping DB my understanding is it would prohibit access.
Example static DAI (apply a static VLAN filter list on all switches requiring STATIC DAI):
arp access-list DAI
permit ip any mac host 0000.0000.1111
permit ip host 188.8.131.52 mac host 0000.0000.1111
ip arp inspection filter DAI vlan xx static
Once enabled for the VLAN it will only permit what's in the ACL.
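To make the two points in this thread concrete (the snooping bindings are local to each switch and vanish on reload unless the database agent writes them somewhere, and a static ARP ACL is checked before, and can replace, the binding lookup), here is an added Python model of one switch's DAI decision. It is not code from the thread or from Cisco; the port names, the ARP packets and the backup contents are constructed, and the order of checks (trusted port, then ARP ACL, then bindings, with 'static' meaning an ACL miss is a deny) is a simplification of the documented behaviour.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpPacket:
    port: str
    vlan: int
    sender_mac: str
    sender_ip: str


@dataclass
class DaiSwitch:
    """Simplified model of the DAI checks one switch applies to ARP on its own ports (assumption)."""
    name: str
    trusted_ports: set = field(default_factory=set)
    # DHCP snooping bindings are learned and held locally: (vlan, sender MAC) -> sender IP
    bindings: dict = field(default_factory=dict)
    # ARP ACL permit entries: (sender IP, or None for 'any', sender MAC)
    arp_acl: list = field(default_factory=list)
    acl_static: bool = False

    def learn_binding(self, vlan, mac, ip):
        self.bindings[(vlan, mac)] = ip

    def reload(self):
        # Without 'ip dhcp snooping database <url>' the binding table does not survive a reload.
        self.bindings.clear()

    def restore_from_backup(self, backup):
        # backup: iterable of (vlan, mac, ip), standing in for the file the database agent wrote.
        for vlan, mac, ip in backup:
            self.learn_binding(vlan, mac, ip)

    def inspect(self, pkt):
        if pkt.port in self.trusted_ports:
            return "permit", "trusted port"
        for acl_ip, acl_mac in self.arp_acl:
            if acl_mac == pkt.sender_mac and acl_ip in (None, pkt.sender_ip):
                return "permit", "arp acl"
        if self.arp_acl and self.acl_static:
            return "deny", "no arp acl match (static)"
        if self.bindings.get((pkt.vlan, pkt.sender_mac)) == pkt.sender_ip:
            return "permit", "dhcp snooping binding"
        return "deny", "no dhcp snooping binding"


def reload_scenario():
    """Replay the thread's situation on SW3: a PC on an untrusted port, a learned binding,
    a reload with and without a backed-up snooping database, then a static ARP ACL entry."""
    sw3 = DaiSwitch("SW3", trusted_ports={"Gi0/1"})  # Gi0/1: assumed name of the trunk towards SW2
    pc = ArpPacket(port="Fa0/5", vlan=1, sender_mac="0025.64e3.479c", sender_ip="172.30.2.163")
    other = ArpPacket(port="Fa0/7", vlan=1, sender_mac="0011.2233.4455", sender_ip="172.30.2.77")
    results = {}

    sw3.learn_binding(1, pc.sender_mac, pc.sender_ip)  # learned when the PC took its lease
    results["before_reload"] = sw3.inspect(pc)

    backup = [(1, pc.sender_mac, pc.sender_ip)]  # what the database agent would have saved
    sw3.reload()
    results["after_reload_no_backup"] = sw3.inspect(pc)
    sw3.restore_from_backup(backup)
    results["after_reload_restored"] = sw3.inspect(pc)

    sw3.reload()
    sw3.arp_acl.append((pc.sender_ip, pc.sender_mac))  # static entry, like the thread's ARP ACL
    sw3.acl_static = True
    results["after_reload_static_acl"] = sw3.inspect(pc)
    results["other_pc_static_acl"] = sw3.inspect(other)

    # ARP arriving on the trunk is never inspected, which is what the trust commands are for.
    results["trunk"] = sw3.inspect(ArpPacket("Gi0/1", 1, "0000.0c07.ac01", "172.30.2.1"))
    return results


if __name__ == "__main__":
    for step, verdict in reload_scenario().items():
        print(f"{step:26s} -> {verdict}")
```

The "after_reload_no_backup" step is the thread's outage; the restored and static-ACL steps are the two fixes discussed, and the "other_pc_static_acl" step shows the cost of going static: every host not listed in the ACL is dropped, which is why the ACL approach scales poorly to a large PC estate.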
I have an ARP ACL already for printers etc. and it works well, but I have a lot of PCs to add if this is the method to use rather than dynamic.
I did turn off DAI after the reload as users on that switch couldn't get online; when I re-enabled it they got knocked off again. I thought the DHCP switch would see that the computers' requests were in the DHCP snooping DB (MAC & IP) and allow them, but they don't.