05-13-2024 03:38 PM
Hey community,
I have a 3-tier architecture with 4 VLANs (10-40). I configured inter-VLAN routing on the distribution switches and it's working fine; however, when I proceeded to configure DAI on the access and distribution switches, inter-VLAN routing stopped working. I configured the interfaces connected to switches as trusted and left those connected to end hosts in their untrusted default state. Can someone help me with this issue?
05-14-2024 07:43 PM - edited 05-14-2024 07:51 PM
Hello,
Keep in mind that ARP inspection is based on the DHCP snooping table. While you have DHCP snooping enabled, are the hosts being assigned IP addresses from a DHCP server, and is the DHCP snooping table on ACC_SW1 being populated from that information? Can you show the output of the command: show ip dhcp snooping binding
Also, if you can, please provide the output of the command: debug arp snooping after a failed ping test. If you get output like the below, then it didn't find a valid entry in the DHCP snooping table.
May 15 02:28:20.122: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Gi0/0, vlan 10.([5254.000e.520d/172.16.10.1/5254.0004.02f2/172.16.10.13/02:28:20 UTC Wed May 15 2024])
-David
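The dependency David describes (DAI on an untrusted port only forwards an ARP whose sender MAC/IP pair matches a DHCP snooping binding, while trusted ports bypass inspection) is modelled below. This is an added example, not code from the thread or from Cisco: the "show ip dhcp snooping binding" text and the ARP packets are constructed sample data, the decision function is a simplified model of documented DAI behaviour, and the deny-log parser is fed the %SW_DAI-4-DHCP_SNOOPING_DENY line quoted above. It also shows why an empty binding table (hosts with no DHCP lease) makes every host ARP fail, and how a static ARP ACL entry (the IOS "arp access-list" applied with "ip arp inspection filter", assumed here as the standard remedy for statically addressed hosts) restores a specific host without marking its port trusted.

```python
"""Model of a Dynamic ARP Inspection (DAI) permit/deny decision plus a parser
for the IOS %SW_DAI-4-DHCP_SNOOPING_DENY log line. Added example; the
binding-table text and packets are constructed, not taken from a real switch."""
import re
from dataclasses import dataclass

# Constructed sample in the layout of 'show ip dhcp snooping binding'.
SNOOPING_BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
52:54:00:11:22:33   10.1.1.5         86092       dhcp-snooping   10   Ethernet0/0
52:54:00:44:55:66   10.1.1.70        85990       dhcp-snooping   20   Ethernet0/1
Total number of bindings: 2
"""

# Deny log line quoted in the thread (sender MAC/IP and target MAC/IP in brackets).
SAMPLE_DENY_LOG = ("May 15 02:28:20.122: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) "
                   "on Gi0/0, vlan 10.([5254.000e.520d/172.16.10.1/5254.0004.02f2/"
                   "172.16.10.13/02:28:20 UTC Wed May 15 2024])")

BINDING_RE = re.compile(
    r"^(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"\d+\s+\S+\s+(?P<vlan>\d+)\s+(?P<intf>\S+)\s*$", re.MULTILINE)

DENY_LOG_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<kind>Req|Res)\) on "
    r"(?P<intf>[^,\s]+), vlan (?P<vlan>\d+)\.\(\[(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/"
    r"(?P<tmac>[0-9a-f.]+)/(?P<tip>[\d.]+)/(?P<when>[^\]]+)\]\)")

# Uplink trunks carry 'ip arp inspection trust', as on ACC_SW1 in the thread.
TRUSTED = {"Ethernet0/3", "Ethernet1/0"}


def parse_bindings(text):
    """Return {(vlan, mac_lowercase): ip} from snooping binding output."""
    return {(int(m["vlan"]), m["mac"].lower()): m["ip"] for m in BINDING_RE.finditer(text)}


@dataclass
class ArpPacket:
    ingress: str       # ingress interface name
    vlan: int
    sender_mac: str    # ARP sender hardware address, colon format
    sender_ip: str     # ARP sender protocol address


def dai_decision(pkt, bindings, trusted_ports, arp_acl=None):
    """Return 'permit' or 'deny' for one ARP packet.

    Trusted ports are not inspected. On untrusted ports the sender MAC/IP pair
    must match either a static ARP ACL entry (hypothetical dict modelling an
    'arp access-list' applied with 'ip arp inspection filter') or a DHCP
    snooping binding for that VLAN; anything else is dropped."""
    if pkt.ingress in trusted_ports:
        return "permit"
    key = (pkt.vlan, pkt.sender_mac.lower())
    if arp_acl and arp_acl.get(key) == pkt.sender_ip:
        return "permit"
    if bindings.get(key) == pkt.sender_ip:
        return "permit"
    return "deny"


def cisco_mac_to_colon(mac):
    """'5254.000e.520d' -> '52:54:00:0e:52:0d'."""
    hexs = mac.replace(".", "").lower()
    return ":".join(hexs[i:i + 2] for i in range(0, 12, 2))


def parse_deny_log(line):
    """Extract interface, VLAN and the sender/target MAC/IP pairs from a deny log."""
    m = DENY_LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["vlan"], d["count"] = int(d["vlan"]), int(d["count"])
    return d


def explain_deny(log, bindings):
    """Say why DAI dropped the ARP described by a parsed deny log entry."""
    key = (log["vlan"], cisco_mac_to_colon(log["smac"]))
    if key not in bindings:
        return "no DHCP snooping binding for sender MAC in this VLAN"
    if bindings[key] != log["sip"]:
        return f"binding says {bindings[key]}, ARP claims {log['sip']}"
    return "binding matches; drop must come from another check"


def run_scenario(bindings, arp_acl=None):
    """Decide four constructed ARP packets against a binding table."""
    pkts = {
        "valid_host":  ArpPacket("Ethernet0/0", 10, "52:54:00:11:22:33", "10.1.1.5"),
        "spoofed_ip":  ArpPacket("Ethernet0/0", 10, "52:54:00:11:22:33", "10.1.1.1"),
        "no_binding":  ArpPacket("Ethernet0/2", 30, "52:54:00:aa:bb:cc", "10.1.1.85"),
        "from_uplink": ArpPacket("Ethernet0/3", 10, "52:54:00:ff:ff:ff", "10.1.1.1"),
    }
    return {name: dai_decision(p, bindings, TRUSTED, arp_acl) for name, p in pkts.items()}


if __name__ == "__main__":
    table = parse_bindings(SNOOPING_BINDING_OUTPUT)
    print("populated table:", run_scenario(table))
    print("empty table (no DHCP yet):", run_scenario({}))
    entry = parse_deny_log(SAMPLE_DENY_LOG)
    print("deny log:", entry["intf"], entry["vlan"], explain_deny(entry, table))
```

With an empty table, as in the thread before the DHCP server was configured, every packet from an untrusted port is denied and only the uplink ARP passes, which is exactly the symptom of inter-VLAN reachability breaking while the trunks still look healthy. The static ARP ACL path is the right fix for a host that legitimately has no lease; trusting its access port would disable inspection there entirely.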
05-13-2024 06:48 PM
You need to provide more information about your environment and its connectivity.
What model device?
What IOS code is it running?
How are these switches connected to each other?
Where did you apply the DAI config?
Before DAI was applied, was everything working between VLANs 10-40?
Share as much of the configuration and output as you can here so we can understand the setup.
just for reference :
05-14-2024 01:03 AM
05-14-2024 03:02 PM
I applied both DHCP snooping and DAI as follows (for access switches):
ip dhcp snooping vlan 10,20,30,40
ip arp inspection vlan 10,20,30,40
When configuring DHCP snooping only, inter-VLAN routing works fine; once I issue the "ip arp inspection vlan 10,20,30,40" command it fails...
05-13-2024 11:10 PM - edited 05-15-2024 11:52 AM
!!
MHM
05-14-2024 01:07 AM - edited 05-15-2024 11:52 AM
!!
MHM
05-14-2024 01:11 AM
05-14-2024 01:21 AM - edited 05-15-2024 11:52 AM
!!
MHM
05-14-2024 01:26 AM
05-14-2024 01:40 AM
Hello,
Post the full running configs (sh run) of all devices involved, as well as a schematic drawing of your topology showing how your devices are physically and logically connected...
05-14-2024 02:45 AM - edited 05-15-2024 11:53 AM
!!
MHM
05-14-2024 07:15 AM - edited 05-15-2024 11:53 AM
!!!
MHM
05-14-2024 02:50 PM
Here is the topology... I am running a PNETLab environment, and all of the switches are L3 switches running Cisco IOS version 15.2.
I configured DAI and DHCP snooping on the access switches only. Here are the running configs of an access and a distribution switch (since the config is the same for all switches, I just posted one access and one distribution).
----------------------------------------------------------------------------
ACCESS_SW1 :
Current configuration : 3549 bytes
!
! Last configuration change at 21:46:38 UTC Tue May 14 2024
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname ACC_SW1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
no ip dhcp snooping information option
ip dhcp snooping
no ip domain-lookup
ip cef
no ipv6 cef
!
!
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 600
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
switchport access vlan 10
switchport mode access
switchport port-security
spanning-tree portfast edge
spanning-tree bpduguard enable
ip dhcp snooping limit rate 100
!
interface Ethernet0/1
switchport access vlan 20
switchport mode access
switchport port-security
spanning-tree portfast edge
spanning-tree bpduguard enable
ip dhcp snooping limit rate 100
!
interface Ethernet0/2
switchport access vlan 30
switchport mode access
switchport port-security
spanning-tree portfast edge
spanning-tree guard root
ip dhcp snooping limit rate 100
!
interface Ethernet0/3
switchport trunk allowed vlan 10,20,30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport mode trunk
ip arp inspection trust
ip dhcp snooping trust
!
interface Ethernet1/0
switchport trunk allowed vlan 10,20,30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport mode trunk
ip arp inspection trust
ip dhcp snooping trust
!
interface Ethernet1/1
!
interface Ethernet1/2
!
interface Ethernet1/3
ip forward-protocol nd
!
ip tcp synwait-time 5
ip http server
ip http secure-server
!
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
!
end
---------------------------------------------------------------
DIST_SW1 :
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname DIST_SW1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
no ip dhcp snooping information option
no ip domain-lookup
ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 10,20 priority 24576
spanning-tree vlan 30,40 priority 28672
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Port-channel10
switchport trunk allowed vlan 10,20,30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
!
interface Ethernet0/0
switchport trunk allowed vlan 10,20,30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport mode trunk
ip arp inspection trust
!
interface Ethernet0/1
switchport trunk allowed vlan 10,20,30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport mode trunk
ip arp inspection trust
!
interface Ethernet0/2
switchport trunk allowed vlan 10,20,30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport mode trunk
ip arp inspection trust
!
interface Ethernet0/3
switchport trunk allowed vlan 10,20,30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport mode trunk
ip arp inspection trust
!
interface Ethernet1/0
switchport trunk allowed vlan 10,20,30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
channel-group 10 mode active
!
interface Ethernet1/1
switchport trunk allowed vlan 10,20,30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
channel-group 10 mode active
!
interface Ethernet1/2
switchport trunk allowed vlan 10,20,30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
channel-group 10 mode active
!
interface Ethernet1/3
switchport trunk allowed vlan 10,20,30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
channel-group 10 mode active
!
interface Ethernet2/0
no switchport
ip address 10.1.1.98 255.255.255.252
!
interface Ethernet2/1
no switchport
ip address 10.1.1.109 255.255.255.252
!
interface Ethernet2/2
!
interface Ethernet2/3
!
interface Ethernet3/0
!
interface Ethernet3/1
!
interface Ethernet3/2
!
interface Ethernet3/3
!
interface Ethernet4/0
!
interface Ethernet4/1
!
interface Ethernet4/2
!
interface Ethernet4/3
!
interface Ethernet5/0
!
interface Ethernet5/1
!
interface Ethernet5/2
!
interface Ethernet5/3
!
interface Ethernet6/0
!
interface Ethernet6/1
!
interface Ethernet6/2
!
interface Ethernet6/3
!
interface Ethernet7/0
!
interface Ethernet7/1
!
interface Ethernet7/2
!
interface Ethernet7/3
!
interface Ethernet8/0
!
interface Ethernet8/1
!
interface Ethernet8/2
!
interface Ethernet8/3
!
interface Ethernet9/0
!
interface Ethernet9/1
!
interface Ethernet9/2
!
interface Ethernet9/3
!
interface Ethernet10/0
!
interface Ethernet10/1
!
interface Ethernet10/2
!
interface Ethernet10/3
!
interface Ethernet11/0
!
interface Ethernet11/1
!
interface Ethernet11/2
!
interface Ethernet11/3
!
interface Ethernet12/0
!
interface Ethernet12/1
!
interface Ethernet12/2
!
interface Ethernet12/3
!
interface Ethernet13/0
!
interface Ethernet13/1
!
interface Ethernet13/2
!
interface Ethernet13/3
!
interface Ethernet14/0
!
interface Ethernet14/1
!
interface Ethernet14/2
!
interface Ethernet14/3
!
interface Ethernet15/0
!
interface Ethernet15/1
!
interface Ethernet15/2
!
interface Ethernet15/3
!
interface Vlan10
ip address 10.1.1.1 255.255.255.224
!
interface Vlan20
ip address 10.1.1.65 255.255.255.240
!
interface Vlan30
ip address 10.1.1.81 255.255.255.240
!
interface Vlan40
ip address 10.1.1.33 255.255.255.224
!
router ospf 1
network 0.0.0.0 255.255.255.255 area 0
!
ip forward-protocol nd
!
ip tcp synwait-time 5
ip http server
ip http secure-server
!
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
!
end
05-15-2024 11:33 AM - edited 05-15-2024 11:33 AM
It worked!
It turned out that DHCP was not configured yet, so end hosts were not able to get IP addresses dynamically. After configuring DHCP on the server, I re-issued the "ip arp inspection vlan 10,20,30,40" and "ip dhcp snooping vlan 10,20,30,40" commands and everything worked great!
Thank y'all for helping, best community ever ♥