12-11-2017 11:11 PM - edited 03-08-2019 01:04 PM
Hello, I have some problems with DHCP snooping working with DAI. Can anyone explain to me why I am getting those invalid ARP requests?
ARP inspection is configured like this:
Source Mac Validation : Enabled
Destination Mac Validation : Disabled
IP Address Validation : Enabled
I set the ARP inspection rate limit to 25, but this value was pretty low, so I raised it to 50. It was way better, but there were still some errdisabled ports due to too many ARP requests, so I set it to 100. When I raised it to 100 pps, I was getting many more errdisabled ports than when I had it at 50. Can anyone explain this behavior?
12-12-2017 05:23 AM - edited 12-12-2017 05:24 AM
Check the logs on your switches to see if the rate limit is exceeded on the ports that are err-disabled.
If it's set to 100 there will probably be logs stating the limit is exceeded by 101 requests.
In the end I have set the rate limit to 250 which solved the issue.
Esp. Apple computers fire ARP like crazy.
12-12-2017 05:44 AM
Because I read some articles and they said the rate limit should be set to a maximum of 100, but I still had the problem with the exceeded rate limit, so I decided to ask for help. So, is it normal? I have never done DAI configuration, so I am pretty new at it. Should I try to raise it in increments of 25? So I'll try to set it to 125.
We have Windows 7 only (I read that LLPD is responsible for generating many ARP requests because of device discovery on the network).
Second question: Why am I getting those invalid ARPs?
%SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Res) on Fa0/19, vlan 40.([9c93.4e65.5927/10.1.43.81/9c93.4e65.5927/10.1.43.81/13:24:35 CET Tue Dec 12 2017])
Output from the DHCP snooping binding table:
MacAddress         IpAddress   Lease(sec) Type          VLAN Interface
9C:93:4E:65:59:27  10.1.43.81  600852     dhcp-snooping 40   FastEthernet0/19
But I am still able to reach 10.1.43.81. Can you please explain this behavior?
12-12-2017 05:51 AM - edited 12-12-2017 05:51 AM
I'd just set it to 250 right away.
Or start with 150 and increase with steps of 25.
About the log:
%SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Res) on Fa0/19, vlan 40.([9c93.4e65.5927/10.1.43.81/9c93.4e65.5927/10.1.43.81/13:24:35 CET Tue Dec 12 2017])
Probably just one or two for each port, right?
I see the same thing and I think this is a sort of in-between log, while DAI starts operating for that port.
After the mapping (port/mac/ip) is built, all is fine and the device on that port is reachable.
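The log line and binding-table entry quoted above can be checked against each other mechanically, which is what DAI itself does: it takes the sender MAC and sender IP from the ARP packet and looks for that pair on the receiving port and VLAN in the DHCP snooping binding table. The script below is an added example written for this thread, not code from the original posts or from Cisco. It parses %SW_DAI-4-INVALID_ARP lines in the format shown in the thread (sender MAC / sender IP / target MAC / target IP / time), normalises the two MAC notations the switch prints (dotted in logs, colon-separated in the binding table), and reports for each invalid ARP whether the current table contains a matching binding. The second log line in the sample is constructed to show a sender IP that has no binding.

```python
import re

# Constructed sample input: the %SW_DAI-4-INVALID_ARP line quoted in the thread,
# plus one constructed line whose sender IP (10.1.43.200) has no binding.
SAMPLE_LOGS = """\
%SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Res) on Fa0/19, vlan 40.([9c93.4e65.5927/10.1.43.81/9c93.4e65.5927/10.1.43.81/13:24:35 CET Tue Dec 12 2017])
%SW_DAI-4-INVALID_ARP: 3 Invalid ARPs (Req) on Fa0/19, vlan 40.([9c93.4e65.5927/10.1.43.200/0000.0000.0000/10.1.43.1/13:25:02 CET Tue Dec 12 2017])
"""

# Constructed binding table in 'show ip dhcp snooping binding' column order:
# MacAddress IpAddress Lease(sec) Type VLAN Interface
SAMPLE_BINDINGS = """\
9C:93:4E:65:59:27 10.1.43.81 600852 dhcp-snooping 40 FastEthernet0/19
"""

# Field order inside the brackets: sender MAC / sender IP / target MAC / target IP / time
LOG_RE = re.compile(
    r"%SW_DAI-4-INVALID_ARP: (?P<count>\d+) Invalid ARPs \((?P<kind>Req|Res)\) on "
    r"(?P<port>\S+), vlan (?P<vlan>\d+)\.\(\["
    r"(?P<smac>[^/]+)/(?P<sip>[^/]+)/(?P<tmac>[^/]+)/(?P<tip>[^/]+)/(?P<when>[^\]]+)\]\)"
)


def norm_mac(mac):
    """Normalise 'aabb.ccdd.eeff' or 'AA:BB:CC:DD:EE:FF' to 'aabbccddeeff'."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def short_ifname(name):
    """'FastEthernet0/19' -> 'Fa0/19'; DAI logs use the abbreviated interface name."""
    prefixes = {"FastEthernet": "Fa", "GigabitEthernet": "Gi", "TenGigabitEthernet": "Te"}
    for long_name, short in prefixes.items():
        if name.startswith(long_name):
            return short + name[len(long_name):]
    return name


def parse_bindings(text):
    """Return a set of (mac, ip, vlan, port) tuples from binding-table rows."""
    bindings = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:  # skip headers / blank lines
            continue
        mac, ip, _lease, _type, vlan, iface = parts
        bindings.add((norm_mac(mac), ip, int(vlan), short_ifname(iface)))
    return bindings


def parse_invalid_arps(text):
    """Return one dict per %SW_DAI-4-INVALID_ARP line; other lines are ignored."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def classify(entry, bindings):
    """DAI's own check: is (sender MAC, sender IP) bound on this port and VLAN?"""
    key = (norm_mac(entry["smac"]), entry["sip"], int(entry["vlan"]), entry["port"])
    return "binding-matches" if key in bindings else "no-binding"


def audit(logs, bindings_text):
    """Pair each logged invalid ARP with the verdict the current table would give."""
    bindings = parse_bindings(bindings_text)
    return [(e["port"], e["sip"], classify(e, bindings)) for e in parse_invalid_arps(logs)]


if __name__ == "__main__":
    for port, sender_ip, verdict in audit(SAMPLE_LOGS, SAMPLE_BINDINGS):
        print(f"{port} sender {sender_ip}: {verdict}")
```

Reading the result: the thread's own log line comes back as "binding-matches", which is exactly the situation described in this reply, since the binding exists now but evidently was not in the table at the moment the ARP reply arrived (for example while the port was coming up and the lease had not yet been snooped). The constructed second line comes back as "no-binding", which is what a real violation looks like: a host with a static address that was never added to the binding table, or a spoofed sender, and that is the case that needs either a manual binding or a DAI ARP ACL rather than a higher rate limit.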
12-12-2017 05:58 AM
Hello
Where is the location of the dhcp server?
DAI/snooping should only be applied on the access-layer switches. Do you have the DHCP service and snooping enabled on the L3 switch by any chance?
res
Paul
12-12-2017 08:24 AM
DAI is sometimes a pain in the butt. The things you need to understand are that DAI relies on the DHCP snooping database, which should be offloaded to TFTP. Also, if you have static addresses you need to create basically a DAI exception list for those statics. Also, in a previous environment we had HP printers on DHCP that were crazy with ARP requests, so we had to increase the limit on a per-port basis.
12-12-2017 12:26 PM - edited 12-12-2017 12:33 PM
Hi, the DHCP server is located on another subnet; the L3 switch points to the DHCP server as the DHCP helper.
DHCP snooping and ARP inspection are configured only on the access switches, where the trunk links pointing to DHCP are configured as trusted ports.
Thanks for the advice, I am going to experiment with the rate limits of ARP inspection. I will let you know about the results.
//for now my DHCP snooping database is located in flash memory. I will move it to TFTP later
//we have some devices which have static addresses because of the lack of DHCP services, but I did bind them manually to the DHCP snooping database with the "ip dhcp snooping binding xxxxxx" command
12-13-2017 05:28 AM
12-13-2017 06:24 AM
Super!!