Cisco Support Community

New Member

Dynamic ARP inspection

Hello,

I've had DHCP snooping running for a few days now at a remote site and can see the DHCP snooping database is populated. I have turned on DAI for their VLAN and added a filter list for static IPs for things like printers. However, I'm getting a few:

%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res)

%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req)

From a couple of IPs. I'm trying to find out what these devices are, but in your experience, as they are not in the snooping binding database, would you think they are statically assigned? If so it is weird, as they have an IP address that is part of the DHCP scope.

Thanks
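For reference, the setup described in this post (DHCP snooping feeding DAI, an ARP ACL for static hosts, a trusted uplink) and the commands used to track down a denied sender, written out as an added IOS example that is not part of the original thread. VLAN 10, the ACL name, the printer's IP/MAC and the interface numbers are constructed for illustration:

```cisco
! --- Added example, not from the original post. VLAN, MAC, IP and interface names are constructed.
! DHCP snooping builds the binding table that DAI validates ARP packets against. Persist it,
! otherwise a reload empties the table and every existing client looks "static" until it renews.
ip dhcp snooping
ip dhcp snooping vlan 10
ip dhcp snooping database flash:dhcp-snoop.db
!
! Statically addressed hosts (printers etc.) never appear in the binding table,
! so they must be permitted explicitly through an ARP ACL.
arp access-list STATIC-HOSTS
 permit ip host 192.168.10.20 mac host 0011.2233.4455
!
ip arp inspection vlan 10
ip arp inspection filter STATIC-HOSTS vlan 10
! Keep enough log history to tie a deny message back to a MAC/IP/port.
ip arp inspection log-buffer entries 1024
!
! Uplink toward the DHCP server: trusted for both snooping and DAI, everything else untrusted.
interface GigabitEthernet1/0/48
 description uplink to distribution
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Verification, from enable mode ---
! show ip dhcp snooping binding                   -> is the denied IP/MAC in the table at all?
! show ip arp inspection log                      -> sender MAC/IP, interface and VLAN of each deny
! show ip arp inspection statistics vlan 10       -> forwarded vs dropped counts for the VLAN
! show mac address-table address 0011.2233.4455   -> which access port a given MAC sits on
```

The full DAI syslog line (the post shows only its prefix) also carries the interface, VLAN and the sender/target MAC and IP pairs in brackets; with the sender MAC in hand you can check the DHCP server's lease list to see whether that MAC ever obtained the address by DHCP, which is the quickest way to tell a static host from a stale or reused lease.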

11 REPLIES

Dynamic ARP inspection

Is your DHCP scope exhausted so that addresses are being re-used very quickly? Really short lease time?

Maybe MAC1 is bound to address IP1 but MAC1 has released it and MAC2 has now gotten it?

Or, someone statically defined those addresses and didn't realize it was from the DHCP pool? I've used DAI and DHCP snooping quite a bit and only have problems when static IP addresses were assigned or when VLAN assignments were done incorrectly.

New Member

Dynamic ARP inspection

What lease time do you normally use?

Dynamic ARP inspection

Typically 7 days for lease time. We don't have issues with IP address space so it's pretty long.

New Member

Dynamic ARP inspection

Yeah, we seem to have a class C scope with more than enough available and a one-day lease too.

How long do you normally leave the DHCP snooping binding database before enabling DAI for the VLAN?

Dynamic ARP inspection

I've been doing them simultaneously during switch refreshes. We've deployed ~200 switches without much issue.

Have you verified that the errors are coming from machines that are definitely DHCP?

New Member

Dynamic ARP inspection

I've been trying to find out without asking, just in case it is a non-corp PC. How do you approach that one?

Also, if an invalid ARP is detected, should it block the port from sending or just alert?

Dynamic ARP inspection

We typically don't allow non-corp machines on the network. I would just ask to check. Or your DHCP server should have a MAC address associated with each lease. You can check that association to see that it matches what's seen on the switch.

If an invalid ARP is seen, the switch drops it by default. I've just left that alone. I don't remember if you can set it to only alert.

New Member

Dynamic ARP inspection

Out of interest, how do you stop corporate PCs connecting to the network?

Dynamic ARP inspection

In places that we use DAI, all interfaces are shut that are not in use. They cannot be enabled without an approved request. We also use port security to limit MAC addresses to 1 in most places, depends on if there is a phone or not.

There is also reinforced policy that people cannot bring their own devices, nor can they allow vendors to connect their devices. Visitor/guest networks are provided for BYOD and vendors, for which access is easily requested and granted. The wireless guest network is secured by having anchor controllers in a specific DMZ so that the traffic is tunneled through our network.

In another division, we use Cisco NAC for access control. I'm not a big fan of this product, but it does keep people out. Lots of ongoing upkeep and operational cycles. I think NAC products in general are inherently difficult to implement and manage.

New Member

Dynamic ARP inspection

Hi, we use DAI and snooping. I did shut down unused ports and put them into an unused VLAN, but the 1st/2nd line guys were always asking me to open a port up as someone was moving around, and we have many remote offices too, so it became an admin headache. I lock the ports down to 1 MAC also. We are introducing VoIP soon, and these will be soft phones (USB headsets) and desk phones; do I just need to increase the MAC limit to 2?

Dynamic ARP inspection

We don't use the soft phones and I don't remember what you need to set for those. It may only be 2.

For the desk phones, you need to set it to 3: one for the PC, one for the phone and a third for the internal switch on the phone. When you check the interface, the MAC address of the phone will show up on 2 different VLANs.
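The port-level controls sketched across the last few replies (one MAC on PC-only ports, three on ports with a desk phone behind them, unused ports shut into a parking VLAN), written out as an added IOS example that is not from the thread. VLAN and interface numbers are constructed, and the `restrict` violation mode is my choice rather than something the replies specify:

```cisco
! --- Added example, not from the original thread. VLAN and interface numbers are constructed.
! PC-only access port: a single secure MAC is enough.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
!
! Port with a desk phone and a PC plugged into the phone. The phone's MAC is learned on
! both the access VLAN and the voice VLAN, so a limit of 2 trips; 3 covers PC + phone + phone.
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
!
! Unused ports: administratively down and parked in a VLAN that is routed nowhere,
! so re-enabling one is a deliberate change rather than a live jack.
interface range GigabitEthernet1/0/25 - 47
 description unused - parked
 switchport mode access
 switchport access vlan 999
 shutdown
!
! --- Verification, from enable mode ---
! show port-security interface GigabitEthernet1/0/2   -> maximum, current count, last violating MAC
! show port-security address                           -> secure MACs per port and VLAN
```

With `restrict`, a fourth MAC on the phone port is dropped and counted rather than err-disabling the port; the default `shutdown` mode is stricter but means a help-desk call every time someone plugs in a second device.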
