cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
644
Views
5
Helpful
19
Replies

DAI conflict with inter-VLAN routing

raoufesi
Level 1
Level 1

Hey community, 

I have a 3-tier architecture, with 4 VLANs 10-40, I configured inter-VLAN routing on distribution switches and it's working fine, however when I pursued to configure DAI on access and distribution switches inter-VLAN routing is not working anymore, I configured the interfaces connected to switches as trusted and left those connected to end hosts on their untrusted default state, can someone help me with this issue ?

1 Accepted Solution

Accepted Solutions

Hello,

 

Keep in mind the ARP inspection is based off the DHCP Snooping table. While you have DHCP snooping enabled are the hosts being assigned IP addresses from a DHCP and is the DHCP snooping table on ACC_SW1 being populated from that information? Can you show the output of the command: show ip dhcp snooping binding

Also if you can please provide the output of the command: debug arp snooping after a failed ping test. If you get output like the below then it didnt find a valid entry in the DHCP snooping table.

May 15 02:28:20.122: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Gi0/0, vlan 10.([5254.000e.520d/172.16.10.1/5254.0004.02f2/172.16.10.13/02:28:20 UTC Wed May 15 2024])

 

-David

View solution in original post

19 Replies 19

balaji.bandi
Hall of Fame
Hall of Fame

you need to provide more information about environment and their connectivity.

what model device ?

what IOS code running ?

how these switches connected each other ?

where did you applied DAI config ?

before DAI applied everything working between 10-40 VLAN ?

share the configuration and output as much as you can here to understand the setup.

just for reference  :

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/dynarp.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Dynamic ARP Inspection

I applied both DHCP snooping and DAI as follows (for access switches): 
ip dhcp snooping vlan 10,20,30,40
ip arp inspection vlan 10,20,30,40
when configuring DHCP snooping only inter-vlan routing works fine, once issuing the "ip arp inspection vlan 10,20,30,40" command it fails...

 

!! 

MHM

!! 

MHM

Yes, I even deleted the DAI configuration from DIST switches and only
focused on ACC switches... also I configured The ports connected to other
switches (AKA DIST switches in this case) as trusted
...

!! 

MHM

I tried different values... ranging from 50 to 500

Hello,

post the full running configs (sh run) of all devices involved, as well as a schematic drawing of your topology, showing how your devices are physically and logically connected...

!! 

MHM

!!! 

MHM

raoufesi
Level 1
Level 1

Here is the topology... I am running a PNETLab environment, and all of the switches are L3 switches of which the Cisco IOS version is 15.2
I configured DAI and DHCP snooping on access switches only, here are the running-config of the access and distribution (since it is the same conf for all switches so I just posted 1 access and 1 distribution)

----------------------------------------------------------------------------
ACCESS_SW1 : 
Current configuration : 3549 bytes
!
! Last configuration change at 21:46:38 UTC Tue May 14 2024
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname ACC_SW1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
no ip dhcp snooping information option
ip dhcp snooping
no ip domain-lookup
ip cef
no ipv6 cef
!
!
errdisable recovery cause psecure-violation
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
errdisable recovery interval 600
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
switchport access vlan 10
switchport mode access
switchport port-security
spanning-tree portfast edge
spanning-tree bpduguard enable
ip dhcp snooping limit rate 100
!
interface Ethernet0/1
switchport access vlan 20
switchport mode access
switchport port-security
spanning-tree portfast edge
spanning-tree bpduguard enable
ip dhcp snooping limit rate 100
!
interface Ethernet0/2
switchport access vlan 30
switchport mode access
switchport port-security
spanning-tree portfast edge
spanning-tree guard root
ip dhcp snooping limit rate 100
!
interface Ethernet0/3
switchport trunk allowed vlan 10,20,30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport mode trunk
ip arp inspection trust
ip dhcp snooping trust
!
interface Ethernet1/0
switchport trunk allowed vlan 10,20,30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport mode trunk
ip arp inspection trust
ip dhcp snooping trust
!
interface Ethernet1/1
!
interface Ethernet1/2
!
interface Ethernet1/3

ip forward-protocol nd
!
ip tcp synwait-time 5
ip http server
ip http secure-server
!
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
!
end

---------------------------------------------------------------

DIST_SW1 : 
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname DIST_SW1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
no ip dhcp snooping information option
no ip domain-lookup
ip cef
no ipv6 cef
!
!
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 10,20 priority 24576
spanning-tree vlan 30,40 priority 28672
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Port-channel10
switchport trunk allowed vlan 10,20,30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
!
interface Ethernet0/0
switchport trunk allowed vlan 10,20,30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport mode trunk
ip arp inspection trust
!
interface Ethernet0/1
switchport trunk allowed vlan 10,20,30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport mode trunk
ip arp inspection trust
!
interface Ethernet0/2
switchport trunk allowed vlan 10,20,30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport mode trunk
ip arp inspection trust
!
interface Ethernet0/3
switchport trunk allowed vlan 10,20,30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport mode trunk
ip arp inspection trust
!
interface Ethernet1/0
switchport trunk allowed vlan 10,20,30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
channel-group 10 mode active
!
interface Ethernet1/1
switchport trunk allowed vlan 10,20,30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
channel-group 10 mode active
!
interface Ethernet1/2
switchport trunk allowed vlan 10,20,30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
channel-group 10 mode active
!
interface Ethernet1/3
switchport trunk allowed vlan 10,20,30,40
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
channel-group 10 mode active
!
interface Ethernet2/0
no switchport
ip address 10.1.1.98 255.255.255.252
!
interface Ethernet2/1
no switchport
ip address 10.1.1.109 255.255.255.252
!
interface Ethernet2/2
!
interface Ethernet2/3
!
interface Ethernet3/0
!
interface Ethernet3/1
!
interface Ethernet3/2
!
interface Ethernet3/3
!
interface Ethernet4/0
!
interface Ethernet4/1
!
interface Ethernet4/2
!
interface Ethernet4/3
!
interface Ethernet5/0
!
interface Ethernet5/1
!
interface Ethernet5/2
!
interface Ethernet5/3
!
interface Ethernet6/0
!
interface Ethernet6/1
!
interface Ethernet6/2
!
interface Ethernet6/3
!
interface Ethernet7/0
!
interface Ethernet7/1
!
interface Ethernet7/2
!
interface Ethernet7/3
!
interface Ethernet8/0
!
interface Ethernet8/1
!
interface Ethernet8/2
!
interface Ethernet8/3
!
interface Ethernet9/0
!
interface Ethernet9/1
!
interface Ethernet9/2
!
interface Ethernet9/3
!
interface Ethernet10/0
!
interface Ethernet10/1
!
interface Ethernet10/2
!
interface Ethernet10/3
!
interface Ethernet11/0
!
interface Ethernet11/1
!
interface Ethernet11/2
!
interface Ethernet11/3
!
interface Ethernet12/0
!
interface Ethernet12/1
!
interface Ethernet12/2
!
interface Ethernet12/3
!
interface Ethernet13/0
!
interface Ethernet13/1
!
interface Ethernet13/2
!
interface Ethernet13/3
!
interface Ethernet14/0
!
interface Ethernet14/1
!
interface Ethernet14/2
!
interface Ethernet14/3
!
interface Ethernet15/0
!
interface Ethernet15/1
!
interface Ethernet15/2
!
interface Ethernet15/3
!
interface Vlan10
ip address 10.1.1.1 255.255.255.224
!
interface Vlan20
ip address 10.1.1.65 255.255.255.240
!
interface Vlan30
ip address 10.1.1.81 255.255.255.240
!
interface Vlan40
ip address 10.1.1.33 255.255.255.224
!
router ospf 1
network 0.0.0.0 255.255.255.255 area 0
!
ip forward-protocol nd
!
ip tcp synwait-time 5
ip http server
ip http secure-server
!
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
!
!
end


image.png 

Hello,

 

Keep in mind the ARP inspection is based off the DHCP Snooping table. While you have DHCP snooping enabled are the hosts being assigned IP addresses from a DHCP and is the DHCP snooping table on ACC_SW1 being populated from that information? Can you show the output of the command: show ip dhcp snooping binding

Also if you can please provide the output of the command: debug arp snooping after a failed ping test. If you get output like the below then it didnt find a valid entry in the DHCP snooping table.

May 15 02:28:20.122: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Gi0/0, vlan 10.([5254.000e.520d/172.16.10.1/5254.0004.02f2/172.16.10.13/02:28:20 UTC Wed May 15 2024])

 

-David

It worked !  
It turned out that DHCP was not configured yet, end hosts were not able to get IP addresses dynamically, after configuring DHCP on the server I re-issued the "ip arp inspection vlan 10,20,30,40" and "ip dhcp snooping vlan 10,20,30,40" commands and everything worked great !

Thank y'all for helping, best community ever ♥

Review Cisco Networking for a $25 gift card