DAI invalid arp request

Hello everybody!
I have run into a problem that I cannot solve on my own, and there is nothing on the Internet about this issue. I hope for your help.

So,

In my network there are 5 switches with the same L2 security settings. There is a problem with the operation of ip arp inspection on some devices. On the 1st switch everything works perfectly (the dhcp snooping binding table is full). On the second switch there is no dhcp snooping binding table, but everything also works; I just do not understand why. Other devices also do not have a binding table, but when you turn on DAI (ip arp snooping vlan ****,****), some ports are blocked and the following message appears:

%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/17, vlan 252. ([xxxx.xxxx.xxxx/10.10.252.4/xxxx.xxxx.xxxx/10.10.252.254])

All devices work on DHCP.

My settings

Global

#ip dhcp snooping
#ip dhcp snooping vlan ****,****
#ip arp inspection vlan ****

On trunk interface to dhcp server

#ip dhcp snooping trust 
#ip arp inspection trust

On access interface 

#ip arp inspection limit rate 25 burst interval 3
#ip dhcp snooping limit rate 20


The only thing that distinguishes these switches is the software version. Can it affect the operation of DAI? Or maybe I am doing something wrong? Thank you for your help.

2 Replies

Seb Rupik
VIP Alumni

Hi there,

DAI requires a DHCP snooping database to determine valid IP to MAC address bindings. On your second switch it will always have issues with DAI if DHCP snooping has not been enabled on the VLANs.


If possible please provide the running configs of a DHCP snooping/DAI working switch and the config from a switch with the DAI errors.


cheers,

Seb.

Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
2121,2131
DHCP snooping is operational on following VLANs:
2121,2131
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is disabled
circuit-id default format: vlan-mod-port
remote-id: e089.9dbe.5400 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is disabled


Verification of giaddr field is enabled

 MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
Total number of bindings: 0

The dhcp snooping binding table is empty, but when you turn on arp inspection all devices are connected to the network using DHCP, except one at port 4.

%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/4, vlan 2136.([305a.3a56.900a/**.***.***.*/0000.0000.0000/**.***.***.**/

I do not understand why the address table does not want to be filled, and how to solve this problem.
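As an added illustration of the point made in the first reply (DAI can only validate ARP against bindings that DHCP snooping has learned) applied to the output above, here is a small Python triage script that is not code from this thread or from Cisco: it reads the operational VLAN list from "show ip dhcp snooping" and the binding table, then explains each %SW_DAI-4-DHCP_SNOOPING_DENY line as "VLAN not under DHCP snooping", "no binding for that MAC/IP", or "binding present". The status text, binding row and syslog lines below are constructed samples modelled on the thread.

```python
import re
# Constructed sample of "show ip dhcp snooping" output, modelled on the thread.
SNOOPING_STATUS = """\
DHCP snooping is operational on following VLANs:
2121,2131
"""
# Constructed binding rows (vlan, mac, ip); the troubled switch in the thread has none.
BINDINGS = {(2121, "0011.2233.4455", "10.10.21.10")}
# Constructed syslog lines in the %SW_DAI-4-DHCP_SNOOPING_DENY format seen in the thread.
LOGS = [
    "%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/4, vlan 2136.([305a.3a56.900a/10.10.36.4/0000.0000.0000/10.10.36.254/",
    "%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/7, vlan 2121.([0011.2233.4455/10.10.21.10/0000.0000.0000/10.10.21.1/",
    "%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/9, vlan 2121.([aaaa.bbbb.cccc/10.10.21.77/0000.0000.0000/10.10.21.1/",
]
DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: \d+ Invalid ARPs \((Req|Res)\) on ([^,\s]+), "
    r"vlan (\d+)\.\(\[([0-9a-f.]+)/([0-9.]+)/"
)
def expand_vlans(spec):
    """Expand an IOS VLAN list such as '2121,2131,2200-2202' into a set of ints."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if part and part.lower() != "none":
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans
def operational_snooping_vlans(status):
    """VLANs on which DHCP snooping is operational: the list follows the header line."""
    lines = status.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("DHCP snooping is operational on following VLANs:"):
            return expand_vlans(lines[i + 1]) if i + 1 < len(lines) else set()
    return set()
def classify_deny(line, snooped, bindings):
    """Explain one DAI deny line; None if the line is not a DAI deny."""
    m = DENY_RE.search(line)
    if not m:
        return None
    intf, vlan, mac, ip = m.group(2), int(m.group(3)), m.group(4), m.group(5)
    if vlan not in snooped:
        reason = "vlan-not-snooped"   # no bindings can ever be learned on this VLAN
    elif (vlan, mac, ip) in bindings:
        reason = "binding-present"    # the deny is not explained by snooping data
    else:
        reason = "no-binding"         # host never obtained its lease through snooping
    return {"interface": intf, "vlan": vlan, "mac": mac, "ip": ip, "reason": reason}

def triage(logs, status, bindings):
    snooped = operational_snooping_vlans(status)
    return [r for r in (classify_deny(l, snooped, bindings) for l in logs) if r]
```

Run against the thread's own data, the first log line would come out as "vlan-not-snooped" because 2136 is absent from the operational VLAN list, which is the condition the first reply describes.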
