Displaying ARP inspection deny interface number in system log

RedFarmer
Level 1

Hi everyone!

Using the ASR920 (3.18.01.S) we have both DHCP Snooping and ARP Inspection running and we often get these kinds of entries in the system log:

Jan 18 07:28:02 gmt: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on BD262, vlan 262.([0011.d83a.xxxx/0.0.0.0/0000.0000.0000/xx.xx.xx.xx/07:28:02 gmt Thu Jan 18 2018])

(I masked the MAC and IP with x).

We can of course use the command:

#show bridge-domain | include 0011.d83a.xxxx

...to find the physical interface it belongs to, but I see that others can also get the port number displayed directly within the system log message, not just the MAC address. How can we do this?
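An added example, not code from the thread or from Cisco, of doing the MAC-to-port correlation RedFarmer describes off-box: it parses the %SW_DAI-4-DHCP_SNOOPING_DENY message format quoted later in the thread and looks the sender MAC up in a per-bridge-domain MAC table. The table contents and the MAC/IP values in the sample line are constructed; the loader that would fill the table from "show bridge-domain" output is assumed and not shown.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Matches the format quoted in the thread; the bracketed tuple is
# sender MAC / sender IP / target MAC / target IP / time-of-day.
DAI_DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<op>\w+)\) "
    r"on (?P<bd>\S+), vlan (?P<vlan>\d+)\.\(\[(?P<snd_mac>[0-9a-f.]+)/(?P<snd_ip>[0-9.]+)/"
    r"(?P<tgt_mac>[0-9a-f.]+)/(?P<tgt_ip>[0-9.]+)/(?P<ts>[^\]]+)\]\)", re.IGNORECASE)

@dataclass
class DaiDeny:
    count: int
    op: str
    bridge_domain: str
    vlan: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str
    timestamp: str
    interface: Optional[str] = None  # absent from the syslog line; filled in by enrich()

    @property
    def is_arp_probe(self) -> bool:
        # A 0.0.0.0 sender IP is an ARP probe, the case the "allow zeros" option
        # mentioned later in the thread is meant to permit.
        return self.sender_ip == "0.0.0.0"
# Constructed table keyed by (bridge domain, MAC); in practice build it from
# "show bridge-domain" output on the ASR920 (that loader is not shown here).
MAC_TABLE: Dict[Tuple[str, str], str] = {("BD262", "0011.d83a.0001"): "GigabitEthernet0/0/1"}

def parse_dai_deny(line: str) -> Optional[DaiDeny]:
    m = DAI_DENY_RE.search(line)  # None for any line that is not a DAI deny
    if not m:
        return None
    return DaiDeny(int(m["count"]), m["op"], m["bd"], int(m["vlan"]), m["snd_mac"].lower(),
                   m["snd_ip"], m["tgt_mac"].lower(), m["tgt_ip"], m["ts"])

def enrich(line: str, table: Dict[Tuple[str, str], str] = MAC_TABLE) -> Optional[DaiDeny]:
    """Parse the line and attach the interface the sender MAC was learned on, if known."""
    ev = parse_dai_deny(line)
    if ev is not None:
        ev.interface = table.get((ev.bridge_domain, ev.sender_mac))
    return ev

# Constructed sample in the thread's format (MAC and IPs are made-up values).
SAMPLE = ("Jan 18 07:28:02 gmt: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on BD262, "
          "vlan 262.([0011.d83a.0001/0.0.0.0/0000.0000.0000/192.0.2.10/07:28:02 gmt Thu Jan 18 2018])")
```

A MAC that is not in the table yields an event with interface None, which is exactly the case where the port is still unknown and the "show bridge-domain" lookup has to be refreshed.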

6 Replies

Deepak Kumar
VIP Alumni

Hi,

Please go to this blog:

https://supportforums.cisco.com/t5/network-infrastructure-documents/the-quot-sw-dai-4-dhcp-snooping-deny-quot-error-message-is/ta-p/3132652

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Thank you for replying. However, I may be blind, but I cannot find the information I'm looking for in the post you linked to.

Hi,
Original Error Message is:
%SW_DAI-4-DHCP_SNOOPING_DENY: [dec] Invalid ARPs ([chars]) on [chars], vlan [dec].([[enet]/[chars]/[enet]/[chars]/[time-of-day]])

Resolution:
You receive this message when the MAC address does not match the binding. In order to display the DHCP snooping binding entries, use the show ip dhcp snooping binding command.

If the device does not use DHCP or the information is correct and you trust the device on the port, you can enable trust on that port with the ip arp inspection trust command.

Also, DHCP snooping must be enabled in order to permit ARP packets that have dynamically assigned IP addresses with the ip dhcp snooping command.

Refer to the Enabling Additional Validation section of Configuring Dynamic ARP Inspection in order to enable additional validation on the destination MAC address, the sender and target IP addresses, and the source MAC address.


Regards,
Deepak Kumar

I may be missing something, but what I need help with is that the source port number of the switch should be displayed in the system log when a snooping deny is logged.

Example:
Now I get:
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on BD262, vlan 262.([0011.d83a.xxxx/0.0.0.0/0000.0000.0000/xx.xx.xx.xx

But i want something like this:
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Interface GigabitEthernet0/0/1. BD262, vlan 262.([0011.d83a.xxxx/0.0.0.0/0000.0000.0000/xx.xx.xx.xx
Thanks!

johndesgarennes
Level 4

Have you tried the following command: "ip arp inspection validate ip allow zeros"?

Unfortunately the command does not exist on the ASR920.
#ip arp inspection validate ip ?
  <cr>
#ip arp inspection validate ?
  dst-mac  Validate destination MAC address
  ip       Validate IP addresses
  src-mac  Validate source MAC address