Solved: Re: DAI conflict with inter-VLAN routing

raoufesi · ‎05-13-2024

Hey community,

I have a 3-tier architecture, with 4 VLANs 10-40, I configured inter-VLAN routing on distribution switches and it's working fine, however when I pursued to configure DAI on access and distribution switches inter-VLAN routing is not working anymore, I configured the interfaces connected to switches as trusted and left those connected to end hosts on their untrusted default state, can someone help me with this issue ?

David Ruess · ‎05-14-2024

Hello,

Keep in mind the ARP inspection is based off the DHCP Snooping table. While you have DHCP snooping enabled are the hosts being assigned IP addresses from a DHCP and is the DHCP snooping table on ACC_SW1 being populated from that information? Can you show the output of the command: show ip dhcp snooping binding

Also if you can please provide the output of the command: debug arp snooping after a failed ping test. If you get output like the below then it didnt find a valid entry in the DHCP snooping table.

May 15 02:28:20.122: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Gi0/0, vlan 10.([5254.000e.520d/172.16.10.1/5254.0004.02f2/172.16.10.13/02:28:20 UTC Wed May 15 2024])

-David

View solution in original post

balaji.bandi · ‎05-13-2024

you need to provide more information about environment and their connectivity.

what model device ?

what IOS code running ?

how these switches connected each other ?

where did you applied DAI config ?

before DAI applied everything working between 10-40 VLAN ?

share the configuration and output as much as you can here to understand the setup.

just for reference :

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/dynarp.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

raoufesi · ‎05-14-2024

Dynamic ARP Inspection

raoufesi · ‎05-14-2024

I applied both DHCP snooping and DAI as follows (for access switches):
ip dhcp snooping vlan 10,20,30,40
ip arp inspection vlan 10,20,30,40
when configuring DHCP snooping only inter-vlan routing works fine, once issuing the "ip arp inspection vlan 10,20,30,40" command it fails...

MHM Cisco World · ‎05-13-2024

!!

MHM

MHM Cisco World · ‎05-14-2024

!!

MHM

raoufesi · ‎05-14-2024

Yes, I even deleted the DAI configuration from DIST switches and only
focused on ACC switches... also I configured The ports connected to other
switches (AKA DIST switches in this case) as trusted
...

MHM Cisco World · ‎05-14-2024

!!

MHM

raoufesi · ‎05-14-2024

I tried different values... ranging from 50 to 500

Georg Pauwen · ‎05-14-2024

Hello,

post the full running configs (sh run) of all devices involved, as well as a schematic drawing of your topology, showing how your devices are physically and logically connected...

MHM Cisco World · ‎05-14-2024

!!

MHM

MHM Cisco World · ‎05-14-2024

!!!

MHM

raoufesi · ‎05-14-2024

Here is the topology... I am running a PNETLab environment, and all of the switches are L3 switches of which the Cisco IOS version is 15.2
I configured DAI and DHCP snooping on access switches only, here are the running-config of the access and distribution (since it is the same conf for all switches so I just posted 1 access and 1 distribution)

----------------------------------------------------------------------------
ACCESS_SW1 :
Current configuration : 3549 bytes
!
! Last configuration change at 21:46:38 UTC Tue May 14 2024
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname ACC_SW1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
no ip dhcp snooping information option
ip dhcp snooping
no ip domain-lookup
ip cef
no ipv6 cef
!
!
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 600
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
switchport access vlan 10
switchport mode access
switchport port-security
spanning-tree portfast edge
spanning-tree bpduguard enable
ip dhcp snooping limit rate 100
!
interface Ethernet0/1
switchport access vlan 20
switchport mode access
switchport port-security
spanning-tree portfast edge
spanning-tree bpduguard enable
ip dhcp snooping limit rate 100
!
interface Ethernet0/2
switchport access vlan 30
switchport mode access
switchport port-security
spanning-tree portfast edge
spanning-tree guard root
ip dhcp snooping limit rate 100
!
interface Ethernet0/3
switchport trunk allowed vlan 10,20,30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport mode trunk
ip arp inspection trust
ip dhcp snooping trust
!
interface Ethernet1/0
switchport trunk allowed vlan 10,20,30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport mode trunk
ip arp inspection trust
ip dhcp snooping trust
!
interface Ethernet1/1
!
interface Ethernet1/2
!
interface Ethernet1/3

ip forward-protocol nd
!
ip tcp synwait-time 5
ip http server
ip http secure-server
!
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
!
end

---------------------------------------------------------------

DIST_SW1 :
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname DIST_SW1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
no ip dhcp snooping information option
no ip domain-lookup
ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 10,20 priority 24576
spanning-tree vlan 30,40 priority 28672
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Port-channel10
switchport trunk allowed vlan 10,20,30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
!
interface Ethernet0/0
switchport trunk allowed vlan 10,20,30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport mode trunk
ip arp inspection trust
!
interface Ethernet0/1
switchport trunk allowed vlan 10,20,30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport mode trunk
ip arp inspection trust
!
interface Ethernet0/2
switchport trunk allowed vlan 10,20,30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport mode trunk
ip arp inspection trust
!
interface Ethernet0/3
switchport trunk allowed vlan 10,20,30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport mode trunk
ip arp inspection trust
!
interface Ethernet1/0
switchport trunk allowed vlan 10,20,30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
channel-group 10 mode active
!
interface Ethernet1/1
switchport trunk allowed vlan 10,20,30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
channel-group 10 mode active
!
interface Ethernet1/2
switchport trunk allowed vlan 10,20,30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
channel-group 10 mode active
!
interface Ethernet1/3
switchport trunk allowed vlan 10,20,30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
channel-group 10 mode active
!
interface Ethernet2/0
no switchport
ip address 10.1.1.98 255.255.255.252
!
interface Ethernet2/1
no switchport
ip address 10.1.1.109 255.255.255.252
!
interface Ethernet2/2
!
interface Ethernet2/3
!
interface Ethernet3/0
!
interface Ethernet3/1
!
interface Ethernet3/2
!
interface Ethernet3/3
!
interface Ethernet4/0
!
interface Ethernet4/1
!
interface Ethernet4/2
!
interface Ethernet4/3
!
interface Ethernet5/0
!
interface Ethernet5/1
!
interface Ethernet5/2
!
interface Ethernet5/3
!
interface Ethernet6/0
!
interface Ethernet6/1
!
interface Ethernet6/2
!
interface Ethernet6/3
!
interface Ethernet7/0
!
interface Ethernet7/1
!
interface Ethernet7/2
!
interface Ethernet7/3
!
interface Ethernet8/0
!
interface Ethernet8/1
!
interface Ethernet8/2
!
interface Ethernet8/3
!
interface Ethernet9/0
!
interface Ethernet9/1
!
interface Ethernet9/2
!
interface Ethernet9/3
!
interface Ethernet10/0
!
interface Ethernet10/1
!
interface Ethernet10/2
!
interface Ethernet10/3
!
interface Ethernet11/0
!
interface Ethernet11/1
!
interface Ethernet11/2
!
interface Ethernet11/3
!
interface Ethernet12/0
!
interface Ethernet12/1
!
interface Ethernet12/2
!
interface Ethernet12/3
!
interface Ethernet13/0
!
interface Ethernet13/1
!
interface Ethernet13/2
!
interface Ethernet13/3
!
interface Ethernet14/0
!
interface Ethernet14/1
!
interface Ethernet14/2
!
interface Ethernet14/3
!
interface Ethernet15/0
!
interface Ethernet15/1
!
interface Ethernet15/2
!
interface Ethernet15/3
!
interface Vlan10
ip address 10.1.1.1 255.255.255.224
!
interface Vlan20
ip address 10.1.1.65 255.255.255.240
!
interface Vlan30
ip address 10.1.1.81 255.255.255.240
!
interface Vlan40
ip address 10.1.1.33 255.255.255.224
!
router ospf 1
network 0.0.0.0 255.255.255.255 area 0
!
ip forward-protocol nd
!
ip tcp synwait-time 5
ip http server
ip http secure-server
!
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
!
end

David Ruess · ‎05-14-2024

Hello,

Keep in mind the ARP inspection is based off the DHCP Snooping table. While you have DHCP snooping enabled are the hosts being assigned IP addresses from a DHCP and is the DHCP snooping table on ACC_SW1 being populated from that information? Can you show the output of the command: show ip dhcp snooping binding

Also if you can please provide the output of the command: debug arp snooping after a failed ping test. If you get output like the below then it didnt find a valid entry in the DHCP snooping table.

May 15 02:28:20.122: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Gi0/0, vlan 10.([5254.000e.520d/172.16.10.1/5254.0004.02f2/172.16.10.13/02:28:20 UTC Wed May 15 2024])

-David

raoufesi · ‎05-15-2024

It worked !
It turned out that DHCP was not configured yet, end hosts were not able to get IP addresses dynamically, after configuring DHCP on the server I re-issued the "ip arp inspection vlan 10,20,30,40" and "ip dhcp snooping vlan 10,20,30,40" commands and everything worked great !

Thank y'all for helping, best community ever ♥