DHCP snooping with DAI issues

vlad0 (Level 1)

Hello, I have some problems with DHCP snooping working with DAI. Can anyone explain to me why I am getting those invalid ARP requests?

ARP inspection is configured like this:

Source Mac Validation      : Enabled
Destination Mac Validation : Disabled
IP Address Validation      : Enabled

I set the ARP inspection rate limit to 25, but this value was pretty low, so I raised it to 50. It was way better, but there were still some errdisabled ports due to too many ARP requests, so I set it to 100. When I raised it to 100 pps, I was getting many more errdisabled ports than when I had it at 50. Can anyone explain this behavior?

8 Replies

Ton V Engelen (Level 3)

Check the logs on your switches to see if the rate limit is exceeded on the ports that are err-disabled

If it's set to 100 there will probably be logs stating the limit is exceeded by 101 requests.

In the end I have set the rate limit to 250 which solved the issue. 

Especially Apple computers fire ARP like crazy.

Because I read some articles and they said the rate limit should be set to a maximum of 100, but I still had problems with the exceeded rate limit, so I decided to ask for help. So, is it normal? I have never configured DAI before, so I am pretty new at it. Should I try to raise it in increments of 25? So I'd try to set it to 125.

We have Windows 7 only (I read that LLPD is responsible for generating many ARP requests because of device discovery on the network).

Second question: Why am I getting those invalid ARPs?

%SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Res) on Fa0/19, vlan 40.([9c93.4e65.5927/10.1.43.81/9c93.4e65.5927/10.1.43.81/13:24:35 CET Tue Dec 12 2017])

Output from the DHCP snooping binding table:

9C:93:4E:65:59:27   10.1.43.81       600852      dhcp-snooping   40    FastEthernet0/19

But I am still able to reach 10.1.43.81. Can you please explain this behavior?

I'd just set it to 250 right away.

Or start with 150 and increase in steps of 25.

About the log:

%SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Res) on Fa0/19, vlan 40.([9c93.4e65.5927/10.1.43.81/9c93.4e65.5927/10.1.43.81/13:24:35 CET Tue Dec 12 2017])

Probably just one or two for each port, right?

I see the same thing and I think this is a sort of in-between log, while DAI starts operating for that port.

After the mapping (port/MAC/IP) is built, all is fine and the device on that port is reachable.
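As an added example, not part of this thread or of any Cisco tooling, here is a small Python check that parses a %SW_DAI-4-INVALID_ARP line and looks up the sender MAC/IP/VLAN in "show ip dhcp snooping binding" output. The log line and binding row quoted above are used as constructed sample input; a result of "match" means the sender is exactly the host the switch holds a binding for on that port, so the entry is not a MAC/IP mismatch.

```python
import re

# Constructed sample input copied from the thread: one DAI syslog line and
# the matching row from "show ip dhcp snooping binding".
DAI_LOG = ("%SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Res) on Fa0/19, vlan 40."
           "([9c93.4e65.5927/10.1.43.81/9c93.4e65.5927/10.1.43.81/"
           "13:24:35 CET Tue Dec 12 2017])")
BINDING_TABLE = """
9C:93:4E:65:59:27   10.1.43.81       600852      dhcp-snooping   40    FastEthernet0/19
"""

# Field order inside the brackets: sender MAC / sender IP / target MAC / target IP / time
LOG_RE = re.compile(
    r"%SW_DAI-4-INVALID_ARP: (?P<count>\d+) Invalid ARPs \((?P<kind>\w+)\) on "
    r"(?P<port>[^,\s]+), vlan (?P<vlan>\d+)\.\(\[(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/"
    r"(?P<tmac>[0-9a-f.]+)/(?P<tip>[\d.]+)/(?P<when>[^\]]+)\]\)")

def norm_mac(mac):
    """Normalise Cisco dotted (9c93.4e65.5927) or colon form to AA:BB:CC:DD:EE:FF."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).upper()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def short_ifname(name):
    """FastEthernet0/19 -> Fa0/19, GigabitEthernet1/0/1 -> Gi1/0/1 (log vs. table naming)."""
    return re.sub(r"^([A-Za-z]{2})[A-Za-z]*", r"\1", name)

def parse_dai_log(line):
    """Return the fields of one INVALID_ARP line with MACs normalised, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["smac"], d["tmac"] = norm_mac(d["smac"]), norm_mac(d["tmac"])
    return d

def parse_bindings(text):
    """Return {(mac, ip, vlan): short_port} from dhcp-snooping binding rows."""
    table = {}
    for row in text.splitlines():
        parts = row.split()
        if len(parts) == 6 and parts[3] == "dhcp-snooping":
            mac, ip, _lease, _kind, vlan, port = parts
            table[(norm_mac(mac), ip, vlan)] = short_ifname(port)
    return table

def check_against_bindings(log_line, binding_text):
    """'match': sender has a binding on that port/VLAN; 'wrong-port': binding exists
    on another port; 'unknown': no binding for that MAC/IP/VLAN at all."""
    ev = parse_dai_log(log_line)
    if ev is None:
        raise ValueError("not an INVALID_ARP log line")
    port = parse_bindings(binding_text).get((ev["smac"], ev["sip"], ev["vlan"]))
    if port is None:
        return "unknown"
    return "match" if port == ev["port"] else "wrong-port"
```

Running the thread's own log line against its own binding row returns "match"; an "unknown" or "wrong-port" result is the case that deserves a closer look at the port.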

Hello

Where is the DHCP server located?

DAI/snooping should only be applied on the access layer switches. Do you have the DHCP service and snooping enabled on the L3 switch by any chance?


Regards,
Paul


DAI is sometimes a pain in the butt. The thing you need to understand is that DAI relies on the DHCP snooping database, which should be offloaded to TFTP. Also, if you have static addresses you need to create basically a DAI exception list for those statics. Also, in a previous environment we had HP printers on DHCP that were crazy with ARP requests, so we had to increase the limit on a per-port basis.

Hi, the DHCP server is located on another subnet; the L3 switch points to it as the DHCP helper.

DHCP snooping and ARP inspection are configured only on access switches, where the trunk links pointing towards the DHCP server are configured as trusted ports.

Thanks for the advice, I am going to experiment with the ARP inspection rate limits. I will let you know about the results.

// For now my DHCP snooping database is located in flash memory. I will move it to TFTP later.

// We have some devices which have static addresses because of a lack of DHCP service, but I did bind them manually to the DHCP snooping database with the "ip dhcp snooping binding xxxxxx" command.

I set the ARP inspection rate limit to 200 and everything runs smoothly, no err-disabled ports. I was just afraid of such a "high" value, because, as I said, I read it should be set to as low a value as possible, e.g. 25 pps. Anyway, thanks for your assistance guys.

Super!!
