02-14-2023 04:03 AM
Hi all,
We encountered a DHCP snooping issue after a reboot on a C2960X stack. After a reboot, some of the IP Phones would not register unless a shut/no shut was issued on the access port. The logs on the switch were numerous:
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi4/0/23, vlan 4 [xxxx.xxxx.xxxx/10.10.4.24/0000.0000.0000/10.10.4.1
It affected the majority of the 7800 series IP Phones, not the 3905.
The config of the switch is:
ip arp inspection vlan 4
ip dhcp snooping vlan 4
ip dhcp snooping
The config of the access port has the commands:
ip arp inspection limit rate 100 and ip dhcp snooping limit rate 100
From my understanding, there was a mismatch between the ARP request and the DHCP snooping database, but I cannot understand the reason. After the reboot, shouldn't the DHCP snooping database be empty and no mismatch occur?
Also note that in our environment we have deployed many C2960X switches and we haven't faced such an issue again after a reboot.
Thank you,
Alex
02-14-2023 04:14 AM
I think it is a bug; check the bug below.
DHCP SNOOPING DATABASE IS NOT REFRESHED AFTER RELOAD
CSCvp49518
02-14-2023 04:19 AM
The model and version are not the same (we have C2960X with 15.2(7)E5) but the behavior is similar. Maybe we should open a TAC for further investigation.
02-14-2023 04:34 AM
I know it is not the same model and version, but since there is a bug with similar behaviour, you can face the same bug too.
Opening a TAC is very good because it will surely confirm whether it is a bug or not.
02-14-2023 04:53 AM
If this is your complete DHCP snooping configuration, you have no database configuration configured. You should have this to make sure the switch starts with a populated database after a reboot. Not having the database location would result in your symptoms.
02-14-2023 05:18 AM
Hi Karsten,
Thanks for your response. What do you mean by no database configuration?
02-14-2023 05:29 AM
He means you specify another location for the database, like a URL.
If you do not configure another location, then it is saved in your SW memory and must be cleared after a reboot (like you mentioned happened for the other SW). But I think because of the bug this database is not cleared.
02-14-2023 05:34 AM
02-14-2023 05:44 AM
Ok, that's helpful and we might use it as a workaround; however, shouldn't the default location be the switch and not an external location?
02-14-2023 05:54 AM
It is a copy; the default is in the SW, and the SW will write the DB to the external location.
ip dhcp snooping database write-delay xx <<- this time is the DB write delay.
02-14-2023 05:55 AM
It's not a workaround. It's part of a DHCP-Snooping implementation. A stable remote location is certainly the best, but often I use the local flash because there I am not dependent on external systems. Constantly writing (ok, there is the write-delay) onto local flash is nothing I really like, but up to now the systems didn't complain even after some years in operation.
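The database agent discussed in the replies above, shown next to the configuration from the first post. This is an added example, not part of the original thread; the file name and the write-delay value are assumptions, and the interface is the one named in the posted log line.

```ios
! Added example. Values marked "assumed" do not come from the thread.
!
! Configuration as posted (no binding database agent, so the
! snooping bindings exist only in memory and are lost on reload):
!   ip dhcp snooping
!   ip dhcp snooping vlan 4
!   ip arp inspection vlan 4
!
! Same configuration with a database agent on local flash:
ip dhcp snooping
ip dhcp snooping vlan 4
ip arp inspection vlan 4
! assumed file name; a remote URL (tftp://, ftp://, ...) is also accepted
ip dhcp snooping database flash:dhcp-snooping.db
! assumed value: seconds to batch binding changes before writing the file
ip dhcp snooping database write-delay 60
!
interface GigabitEthernet4/0/23
 ip arp inspection limit rate 100
 ip dhcp snooping limit rate 100
!
! Checks in exec mode, after the change and again after a reload:
!   show ip dhcp snooping database   (agent URL, last write/read status)
!   show ip dhcp snooping binding    (entries Dynamic ARP Inspection validates against)
```

With the agent configured, the switch reads the file back at boot, so a phone that still holds a valid lease has a binding for Dynamic ARP Inspection to match before it sends its next DHCP request.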
02-14-2023 06:03 AM
I will try to reproduce the issue and use this configuration. We have also opened a TAC to examine whether this is a bug. Anyway, I will update this thread with the results. Thank you both for the very helpful support!
02-14-2023 06:04 AM
You are so so welcome