TCC_2
Level 10

Core issue

The error message looks similar to this example:

%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/17, vlan 252.([xxxx.xxxx.xxxx/10.10.252.4/xxxx.xxxx.xxxx/10.10.252.254]

Note: The xxxx is the MAC address of the sender.

The default message is:

%SW_DAI-4-DHCP_SNOOPING_DENY: [dec] Invalid ARPs ([chars]) on [chars], vlan [dec].([[enet]/[chars]/[enet]/[chars]/[time-of-day]])

This message means that the switch has received Address Resolution Protocol (ARP) packets that ARP inspection considers invalid. The packets are erroneous, and their presence can indicate an attempted man-in-the-middle attack in the network. This log message appears when the sender's IP-to-MAC address binding for the ingress VLAN is not present in the DHCP snooping database.

The first [dec] is the number of invalid ARP packets. The first [chars] is either Req (request) or Res (response), and the second [chars] is the short name of the ingress interface. The second [dec] is the ingress VLAN ID. The bracketed group [enet]/[chars]/[enet]/[chars]/[time-of-day] gives, in order, the MAC address of the sender, the IP address of the sender, the MAC address of the target, the IP address of the target, and the time of day.
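As an added example that is not part of the original article, the following Python parser pulls the fields described above out of syslog lines and totals the dropped ARPs per ingress port and sender, so the ports to compare against the snooping binding table surface first. The sample lines, MAC addresses and IPs are constructed for this example.

```python
import re
from collections import Counter

# Pattern for the %SW_DAI-4-DHCP_SNOOPING_DENY message; the trailing [time-of-day] field is optional.
_DAI_DENY = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs "
    r"\((?P<kind>Req|Res)\) on (?P<intf>\S+), vlan (?P<vlan>\d+)\.?\s*"
    r"\(\[(?P<fields>[^\]]*)\]"
)

def parse_dai_deny(line):
    """Return the message fields as a dict, or None if the line is not a DAI deny."""
    m = _DAI_DENY.search(line)
    if not m:
        return None
    # [enet]/[chars]/[enet]/[chars]/[time-of-day]: split at most 4 times so a time string stays whole
    parts = m.group("fields").split("/", 4)
    if len(parts) < 4:
        return None
    return {
        "count": int(m.group("count")),
        "kind": "request" if m.group("kind") == "Req" else "response",
        "interface": m.group("intf"),
        "vlan": int(m.group("vlan")),
        "sender_mac": parts[0], "sender_ip": parts[1],
        "target_mac": parts[2], "target_ip": parts[3],
        "time": parts[4] if len(parts) == 5 else None,
    }

def summarize(lines):
    """Total dropped ARPs per (interface, vlan, sender IP), noisiest first."""
    totals = Counter()
    for line in lines:
        rec = parse_dai_deny(line)
        if rec:
            totals[(rec["interface"], rec["vlan"], rec["sender_ip"])] += rec["count"]
    return totals.most_common()

# Constructed sample syslog lines (MAC addresses and IPs are made up for this example).
SAMPLE_LOG = [
    "Sep 2 04:18:26.596: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi0/1, "
    "vlan 250 ([0011.2233.4455/172.16.250.11/0000.0000.0000/172.16.250.1/04:18:26 GMT+2 Fri Sep 2 2022])",
    "%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/17, vlan 252.([0011.2233.4466/10.10.252.4/0011.2233.4477/10.10.252.254])",
    "Sep 2 04:18:31.101: %SW_DAI-4-DHCP_SNOOPING_DENY: 3 Invalid ARPs (Req) on Gi0/1, "
    "vlan 250 ([0011.2233.4455/172.16.250.11/0000.0000.0000/172.16.250.1/04:18:31 GMT+2 Fri Sep 2 2022])",
    "%LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up",
]
```

Calling summarize(SAMPLE_LOG) ranks Gi0/1 on VLAN 250 first with 5 dropped ARPs from one sender, which is the port to check with show ip dhcp snooping binding.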

Dynamic ARP Inspection (DAI) is a security feature that validates ARP packets in a network. DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from some man-in-the-middle attacks. It also ensures that only valid ARP requests and responses are relayed.

Resolution

You receive this message when the MAC address does not match the binding. To display the DHCP snooping binding entries, use the show ip dhcp snooping binding command.

If the device does not use DHCP or the information is correct and you trust the device on the port, you can enable trust on that port with the ip arp inspection trust command.

Also, DHCP snooping itself must be enabled with the ip dhcp snooping command so that ARP packets from hosts with dynamically assigned IP addresses are permitted; without it the snooping binding database is never populated.
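As an added example that is not part of the original article: a Python check that reads a running-config fragment and flags VLANs where ip arp inspection vlan is configured without the DHCP snooping it validates against (in particular the missing global ip dhcp snooping command), plus a helper that reads the total from show ip dhcp snooping binding output. The config fragments and VLAN 260 are constructed for this example.

```python
import re

def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '250' or '10,20-22' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def check_dai_prereqs(running_config):
    """Return findings for VLANs where DAI is on but the DHCP snooping bindings it
    checks against cannot exist, so every ARP from a DHCP client is dropped."""
    snooping_global = False
    snooping_vlans, dai_vlans = set(), set()
    for line in running_config.splitlines():
        line = line.strip()
        if line == "ip dhcp snooping":
            snooping_global = True
        elif line.startswith("ip dhcp snooping vlan "):
            snooping_vlans |= parse_vlan_list(line[len("ip dhcp snooping vlan "):])
        elif line.startswith("ip arp inspection vlan "):
            dai_vlans |= parse_vlan_list(line[len("ip arp inspection vlan "):])
    findings = []
    if dai_vlans and not snooping_global:
        findings.append("global 'ip dhcp snooping' missing: per-VLAN snooping is not "
                        "active and the binding table stays empty")
    for v in sorted(dai_vlans - snooping_vlans):
        findings.append(f"vlan {v}: DAI enabled without 'ip dhcp snooping vlan {v}'")
    return findings

def binding_count(show_output):
    """Extract the total from 'show ip dhcp snooping binding' output (None if absent)."""
    m = re.search(r"Total number of bindings:\s*(\d+)", show_output)
    return int(m.group(1)) if m else None

# Constructed config fragment mirroring the failure described in the comments:
# per-VLAN snooping and DAI configured, but the global 'ip dhcp snooping' line forgotten.
BROKEN_CONFIG = """
ip dhcp snooping vlan 250
ip arp inspection vlan 250,260
"""
# Constructed corrected fragment: global snooping on and every DAI VLAN also snooped.
FIXED_CONFIG = "ip dhcp snooping\n" + BROKEN_CONFIG + "ip dhcp snooping vlan 260\n"

if __name__ == "__main__":
    for finding in check_dai_prereqs(BROKEN_CONFIG) or ["no findings"]:
        print(finding)
```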

Refer to the Enabling Additional Validation section of Configuring Dynamic ARP Inspection to enable additional validation of the destination MAC address, the sender and target IP addresses, and the source MAC address.

Refer to the DHCP Snooping section of Layer 2 Security Features on Catalyst 3750 Series Switches Configuration Example for more information.

Comments
Wassim Aouadi
Level 4

PDF version does not show text correctly.

Florin Barhala
Level 6

Hello,

What happens if in production network both DHCP snooping and DAI are enabled the same time?

Is it going to block traffic as the moment DAI starts, DHCP snooping binding table is empty?

eclinton
Level 1

Hi Florin,

I recently tried to enable both at the same time and the PCs lost network connectivity, so based on my experience I believe the devices are being blocked because the DHCP snooping database is empty. I am going to schedule a change: first I'm going to remove all DAI configuration, then I am going to configure DHCP snooping and let the DB populate. Lastly I'm going to add the DAI config and see what happens; hopefully this will resolve the issue. If you've done this already, can you let me know what happened?

Thanks,

Erik

Hi Erik. I had a similar issue last week. Could you prove that if you enable DAI and DHCP snooping at the same time, the switch will block all ARP and the PC will not be able to get an IP?

pimentelr1
Level 1

Please verify you have IP ARP inspection trust enabled on the access client interface if the ARP messages show a MAC address of 0000.0000.0000.

If they show the MAC address of your DHCP leasing router/device, it will need an ARP ACL permitting the traffic. I found the answer to this here and implemented it successfully today at work:

https://networklessons.com/switching/dai-dynamic-arp-inspection

David Beszeda
Level 1

I just had the same issue today.
In a nutshell:

(C2960c405ex-UNIVERSALK9-M), Version 15.2(2)E9
Error message after DAI enabled:
Sep 2 04:18:26.596: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi0/1, vlan 250 ([****.****.****/172.16.250.11/0000.0000.0000/172.16.250.1/04:18:26 GMT+2 Fri Sep 2 2022])

#show ip dhcp binding
172.16.250.11 01**.****.****.** Sep 02 2022 04:21 AM Automatic Active Vlan250

#show ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
Total number of bindings: 0

#show ip arp inspection statistic
Vlan Forwarded Dropped DHCP Drops ACL Drops
---- --------- ------- ---------- ---------
250 0 321 321 0

-DHCP server is running on the switch
-Relevant commands issued before DAI enabled:
  -ip dhcp snooping vlan 250
  -ip arp inspection vlan 250

The resolution was to follow the switch's documentation and issue the "ip dhcp snooping" command as it is. Silly me...
In the end I ran the ipconfig /release Ethernet and ipconfig /renew Ethernet commands on the host, and then the DHCP binding became populated in the snooping binding database on the switch.
