DAI conflict with inter-VLAN routing

raoufesi
Level 1

Hey community, 

I have a 3-tier architecture with 4 VLANs (10-40). I configured inter-VLAN routing on the distribution switches and it's working fine. However, when I proceeded to configure DAI on the access and distribution switches, inter-VLAN routing is not working anymore. I configured the interfaces connected to switches as trusted and left those connected to end hosts in their default untrusted state. Can someone help me with this issue?


Accepted Solutions

Hello,

Keep in mind the ARP inspection is based off the DHCP Snooping table. While you have DHCP snooping enabled, are the hosts being assigned IP addresses from a DHCP and is the DHCP snooping table on ACC_SW1 being populated from that information? Can you show the output of the command: show ip dhcp snooping binding

Also, if you can, please provide the output of the command: debug arp snooping after a failed ping test. If you get output like the below then it didn't find a valid entry in the DHCP snooping table.

May 15 02:28:20.122: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Gi0/0, vlan 10.([5254.000e.520d/172.16.10.1/5254.0004.02f2/172.16.10.13/02:28:20 UTC Wed May 15 2024])

 

-David
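
Added example (not part of the original post or of Cisco's tooling): a small Python triage script that parses %SW_DAI-4-DHCP_SNOOPING_DENY messages like the one quoted above and compares the ARP sender against a copy of the DHCP snooping binding table, which comes up empty for any address that was never leased through DHCP. The binding table and the second and third log lines are constructed sample data; the function names are hypothetical.

```python
import re

# Bracketed fields: sender MAC / sender IP / target MAC / target IP / time of day
DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<kind>Req|Res)\) "
    r"on (?P<intf>\S+), vlan (?P<vlan>\d+)\.\(\[(?P<smac>[0-9a-fA-F.]+)/(?P<sip>[\d.]+)/"
    r"(?P<tmac>[0-9a-fA-F.]+)/(?P<tip>[\d.]+)/"
)

def parse_deny(line):
    """Return the fields of one DAI deny message, or None if the line is something else."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["count"], ev["vlan"] = int(ev["count"]), int(ev["vlan"])
    ev["smac"], ev["tmac"] = ev["smac"].lower(), ev["tmac"].lower()
    return ev

def explain(ev, bindings):
    """Compare the ARP sender with a {(vlan, ip): mac} copy of the snooping table."""
    bound_mac = bindings.get((ev["vlan"], ev["sip"]))
    if bound_mac is None:
        return "no-binding"      # sender IP was never learned through DHCP snooping
    if bound_mac.lower() != ev["smac"]:
        return "mac-mismatch"    # IP is leased, but to a different MAC
    return "binding-matches"     # drop has another cause; check the rest of the config

def triage(lines, bindings):
    """Yield (interface, vlan, sender IP, sender MAC, verdict) for each deny message."""
    for line in lines:
        ev = parse_deny(line)
        if ev:
            yield ev["intf"], ev["vlan"], ev["sip"], ev["smac"], explain(ev, bindings)

# Constructed stand-in for 'show ip dhcp snooping binding' (not output from the thread).
SAMPLE_BINDINGS = {(10, "172.16.10.13"): "5254.0004.02f2"}
SAMPLE_LOG = [
    # First line is the message quoted in the answer above; the other two are constructed.
    "May 15 02:28:20.122: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Gi0/0, vlan 10."
    "([5254.000e.520d/172.16.10.1/5254.0004.02f2/172.16.10.13/02:28:20 UTC Wed May 15 2024])",
    "May 15 02:29:01.004: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi0/1, vlan 10."
    "([5254.00aa.bbcc/172.16.10.13/0000.0000.0000/172.16.10.1/02:29:01 UTC Wed May 15 2024])",
    "May 15 02:29:05.310: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, SAMPLE_BINDINGS):
        print(*row)
```

With the sample data, the quoted message is reported as no-binding for sender 172.16.10.1, and the constructed second message as mac-mismatch.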


19 Replies

balaji.bandi
Hall of Fame

You need to provide more information about the environment and its connectivity.

What model of device?

What IOS code is running?

How are these switches connected to each other?

Where did you apply the DAI config?

Before DAI was applied, was everything working between VLANs 10-40?

Share the configuration and as much output as you can here to understand the setup.

Just for reference:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/dynarp.html

 

BB


Dynamic ARP Inspection

I applied both DHCP snooping and DAI as follows (for access switches): 
ip dhcp snooping vlan 10,20,30,40
ip arp inspection vlan 10,20,30,40
When configuring DHCP snooping only, inter-VLAN routing works fine; once issuing the "ip arp inspection vlan 10,20,30,40" command it fails...

 

!! 

MHM

!! 

MHM

Yes, I even deleted the DAI configuration from the DIST switches and only focused on the ACC switches... Also, I configured the ports connected to other switches (AKA DIST switches in this case) as trusted
...

!! 

MHM

I tried different values... ranging from 50 to 500

Hello,

Post the full running configs (sh run) of all devices involved, as well as a schematic drawing of your topology, showing how your devices are physically and logically connected...

!! 

MHM

!!! 

MHM

raoufesi
Level 1

Here is the topology... I am running a PNETLab environment, and all of the switches are L3 switches running Cisco IOS version 15.2
I configured DAI and DHCP