Displaying ARP inspection deny interface number in system log
01-18-2018 01:26 AM - edited 03-08-2019 01:27 PM
Hi everyone!
Using the ASR920 (3.18.01.S) we have both DHCP Snooping and ARP Inspection running and we often get these kind of entries in the system log:
Jan 18 07:28:02 gmt: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on BD262, vlan 262.([0011.d83a.xxxx/0.0.0.0/0000.0000.0000/xx.xx.xx.xx/07:28:02 gmt Thu Jan 18 2018])
(I masked the MAC and IP with x).
We can of course use the command:
#show bridge-domain | include 0011.d83a.xxxx
...to find the physical interface it belongs to, but I see that others can also get the port number displayed directly within the system log message, not just the MAC address. How can we do this?
Labels: Other Switching
01-18-2018 01:30 AM
Hi,
Please go to this blog:
Regards,
Deepak Kumar
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
01-18-2018 01:38 AM
01-18-2018 01:42 AM
Original error message is:
%SW_DAI-4-DHCP_SNOOPING_DENY: [dec] Invalid ARPs ([chars]) on [chars], vlan [dec].([[enet]/[chars]/[enet]/[chars]/[time-of-day]])
Resolution:
You receive this message when the MAC address does not match the binding. In order to display the DHCP snooping binding entries, use the show ip dhcp snooping binding command.
If the device does not use DHCP or the information is correct and you trust the device on the port, you can enable trust on that port with the ip arp inspection trust command.
Also, DHCP snooping must be enabled in order to permit ARP packets that have dynamically assigned IP addresses with the ip dhcp snooping command.
Refer to the Enabling Additional Validation section of Configuring Dynamic ARP Inspection in order to enable additional validation on the destination MAC address, the sender and target IP addresses, and the source MAC address.
Regards,
Deepak Kumar
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
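The lookup the original poster does by hand (take the sender MAC from the deny message, find it in "show bridge-domain") can be scripted against the message template quoted in the reply above, which also makes the "ARP probe with sender IP 0.0.0.0" case visible at a glance. The code below is an example added to this thread; it is not Cisco's and not from either poster. The syslog regex follows the [dec]/[chars]/[enet]/[time-of-day] template quoted above; the "show bridge-domain" table layout, the MAC 0011.d83a.1234, the IP 10.26.2.50 and the port names are constructed assumptions and may need adjusting to a real ASR920 dump.

```python
"""Parse %SW_DAI-4-DHCP_SNOOPING_DENY syslog lines and map the sender MAC to a
physical port using a MAC table dumped from `show bridge-domain`.

Example code added to this thread; not Cisco's and not from the original posts.
The `show bridge-domain` layout below is an assumption; adjust MAC_ENTRY_RE to
match the output of your platform.
"""
import re
from typing import Dict, Optional

# Field order follows the message template quoted in the thread:
# [dec] Invalid ARPs ([chars]) on [chars], vlan [dec].([[enet]/[chars]/[enet]/[chars]/[time-of-day]])
# i.e. count / ARP opcode / interface or bridge domain / vlan / sender MAC /
# sender IP / target MAC / target IP / timestamp.
DAI_DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs "
    r"\((?P<opcode>[^)]+)\) on (?P<on>[^,]+), vlan (?P<vlan>\d+)\.\(\["
    r"(?P<sender_mac>[0-9a-f.]+)/(?P<sender_ip>[^/]+)/"
    r"(?P<target_mac>[0-9a-f.]+)/(?P<target_ip>[^/]+)/(?P<when>[^\]]+)\]\)",
    re.IGNORECASE,
)

# One learned MAC per line, port (EFP pseudoport) as the last token. Assumed layout.
MAC_ENTRY_RE = re.compile(
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+\S+\s+\d+\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)

# Constructed sample inputs (MAC, IP and port names are made up, not from the thread).
SAMPLE_LOG = (
    "Jan 18 07:28:02 gmt: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on BD262, "
    "vlan 262.([0011.d83a.1234/0.0.0.0/0000.0000.0000/10.26.2.50/07:28:02 gmt Thu Jan 18 2018])"
)

SAMPLE_BRIDGE_DOMAIN = """\
Bridge-domain 262 (2 ports in all)
State: UP                    Mac learning: Enabled
   AED MAC address    Policy  Tag       Age  Pseudoport
   0   0011.D83A.1234 forward dynamic  298  GigabitEthernet0/0/1.EFP262
   0   0050.56AB.0001 forward dynamic  120  GigabitEthernet0/0/5.EFP262
"""


def parse_dai_deny(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a DAI deny message, or None if the line is not one."""
    m = DAI_DENY_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sender_mac"] = fields["sender_mac"].lower()
    fields["target_mac"] = fields["target_mac"].lower()
    # A sender IP of 0.0.0.0 is an ARP probe (RFC 5227); there is no DHCP
    # snooping binding for it, so DAI denies it unless told to allow zeros.
    fields["arp_probe"] = "yes" if fields["sender_ip"] == "0.0.0.0" else "no"
    return fields


def parse_bridge_domain_macs(output: str) -> Dict[str, str]:
    """Build {mac: pseudoport} from `show bridge-domain` text (assumed layout)."""
    table: Dict[str, str] = {}
    for raw in output.splitlines():
        m = MAC_ENTRY_RE.search(raw)
        if m:
            table[m.group("mac").lower()] = m.group("port")
    return table


def resolve_port(line: str, mac_table: Dict[str, str]) -> Optional[str]:
    """Physical port that learned the sender MAC of a deny message, if known."""
    fields = parse_dai_deny(line)
    if fields is None:
        return None
    port = mac_table.get(fields["sender_mac"])
    if port is None:
        return None
    return port.split(".")[0]  # GigabitEthernet0/0/1.EFP262 -> GigabitEthernet0/0/1


def enrich_log_line(line: str, mac_table: Dict[str, str]) -> str:
    """Insert 'Interface <port>.' after 'on', the way the original poster wants it."""
    port = resolve_port(line, mac_table)
    if port is None:
        return line
    return line.replace(" on ", f" on Interface {port}. ", 1)


if __name__ == "__main__":
    table = parse_bridge_domain_macs(SAMPLE_BRIDGE_DOMAIN)
    print(parse_dai_deny(SAMPLE_LOG))
    print(enrich_log_line(SAMPLE_LOG, table))
```

Run it once per syslog batch with a fresh "show bridge-domain" dump; because the MAC table ages out (300 seconds by default in the constructed sample), collect the dump close to the deny event or the sender MAC may no longer resolve.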
01-18-2018 04:50 AM - edited 01-18-2018 04:51 AM
I may be missing something, but what I need help with is that the source port number of the switch should be displayed in the system log when a snooping deny is logged.
Example:
Now I get:
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on BD262, vlan 262.([0011.d83a.xxxx/0.0.0.0/0000.0000.0000/xx.xx.xx.xx
But I want something like this:
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Interface GigabitEthernet0/0/1. BD262, vlan 262.([0011.d83a.xxxx/0.0.0.0/0000.0000.0000/xx.xx.xx.xx
Thanks!
01-18-2018 03:53 PM
Have you tried the following command: "ip arp inspection validate ip allow zeros"?
01-18-2018 11:22 PM
Unfortunately the command does not exist on the ASR920.
#ip arp inspection validate ip ?
<cr>
#ip arp inspection validate ?
dst-mac Validate destination MAC address
ip Validate IP addresses
src-mac Validate source MAC address
