Hi,
I have a C2960X switch that is causing "shut/not shut" and "%SW_DAI-4-DHCP_SNOOPING_DENY:" logs every day:
%LINK-3-UPDOWN: Interface GigabitEthernet3/0/9, changed state to up
%LINK-3-UPDOWN: Interface GigabitEthernet3/0/9, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet3/0/9, changed state to up
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi3/0/9, vlan 20.([1628.9ad8.44df/169.254.174.73/0000.0000.0000/169.254.174.73/10:22:25 Fri Dec 1 2023])
What I have found out is that the DHCP snooping binding table is keeping the old binding even though there was no user connected to the port for the last 12 hours. In that case, when a new user connects to a port, the ARP checks the binding table and finds that there is already an entry. So the port goes shut.
My current config is:
ip dhcp snooping vlan 20
no ip dhcp snooping information option
ip dhcp snooping
ip arp inspection vlan 20
ip arp inspection vlan 20 logging acl-match matchlog
ip arp inspection vlan 20 logging dhcp-bindings all
interface GigabitEthernet3/0/9
 switchport access vlan 20
 switchport mode access
 ip arp inspection limit rate 120
 ip access-group ACL-GROUP1 in
 authentication control-direction in
 authentication event server dead action authorize vlan 20
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication port-control auto
 authentication timer reauthenticate server
 mab
 mls qos trust dscp
 dot1x pae authenticator
 service-policy input access
end
What else should be configured so that the DHCP snooping binding table clears the entries and I don't get the DAI logs?
Thanks
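
An added example, not part of the original post: a small Python parser for the DAI deny message quoted above that splits the bracketed field into sender MAC, sender IP, target MAC and target IP, then tags each denied ARP by its sender address and tallies the tags per port and MAC. The function names, tag names and the last two sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Bracketed field order: sender MAC / sender IP / target MAC / target IP / time.
DAI_DENY = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<op>Req|Res)\) "
    r"on (?P<port>\S+), vlan (?P<vlan>\d+)\.\(\[(?P<smac>[0-9a-fA-F.]+)/(?P<sip>[\d.]+)/"
    r"(?P<tmac>[0-9a-fA-F.]+)/(?P<tip>[\d.]+)/(?P<when>[^\]]+)\]\)"
)

# First two lines are quoted in the post; the last two are constructed samples.
SAMPLE = [
    "%LINK-3-UPDOWN: Interface GigabitEthernet3/0/9, changed state to up",
    "%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi3/0/9, vlan 20.([1628.9ad8.44df/169.254.174.73/0000.0000.0000/169.254.174.73/10:22:25 Fri Dec 1 2023])",
    "%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi3/0/9, vlan 20.([1628.9ad8.44df/0.0.0.0/0000.0000.0000/10.20.0.50/10:22:31 Fri Dec 1 2023])",
    "%SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Res) on Gi3/0/11, vlan 20.([0011.2233.4455/10.20.0.77/0011.2233.aabb/10.20.0.1/10:25:02 Fri Dec 1 2023])",
]

def parse_dai_deny(line):
    """Return the fields of a DAI deny message as a dict, or None if no match."""
    m = DAI_DENY.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["count"], rec["vlan"] = int(rec["count"]), int(rec["vlan"])
    return rec

def classify(rec):
    """Tag a denied ARP by what its sender IP says about the host."""
    sip = ipaddress.ip_address(rec["sip"])
    tags = set()
    if sip.is_link_local:   # 169.254.0.0/16 is self-assigned, so no DHCP lease backs it
        tags.add("link-local-sender")
    if sip.is_unspecified:  # 0.0.0.0 sender: address-conflict probe (RFC 5227)
        tags.add("arp-probe")
    if rec["sip"] == rec["tip"]:
        tags.add("gratuitous")
    return tags or {"other"}

def summarise(lines):
    """Tally tags per (port, sender MAC), weighted by the message's ARP count."""
    totals = defaultdict(Counter)
    for rec in filter(None, map(parse_dai_deny, lines)):
        for tag in classify(rec):
            totals[(rec["port"], rec["smac"])][tag] += rec["count"]
    return dict(totals)

if __name__ == "__main__":
    for key, tags in summarise(SAMPLE).items():
        print(key, dict(tags))
```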