9343 Views, 21 Helpful, 24 Replies

Dynamic ARP Inspection: no binding on interface

Wassim Aouadi
Level 4

IP DHCP snooping and Dynamic ARP Inspection are correctly configured on the switch for vlan 11. One host was unplugged from the network, then plugged back in. I receive a syslog DAI message indicating that IP address 169.254.97.238 is denied access:

WACCS01A1#

Apr 11 11:03:39.692 UTC: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/12, vlan 11.([0024.8154.2aca/169.254.97.238/0000.0000.0000/169.254.97.238/11:03:39 UTC Mon Apr 11 2011])

TNSWACCS01A1#

Apr 11 11:03:40.699 UTC: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/12, vlan 11.([0024.8154.2aca/169.254.97.238/0000.0000.0000/169.254.97.238/11:03:40 UTC Mon Apr 11 2011])

TNSWACCS01A1#

Apr 11 11:03:41.714 UTC: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/12, vlan 11.([0024.8154.2aca/169.254.97.238/0000.0000.0000/169.254.97.238/11:03:41 UTC Mon Apr 11 2011])

TNSWACCS01A1#

I cleared the DHCP snooping binding table with no success. No binding could be created on interface fa1/0/12 unless we reboot the PC.

Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
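Added example (not code from the thread): a small triage script for the %SW_DAI-4-DHCP_SNOOPING_DENY lines quoted above. It parses the bracketed fields (sender MAC, sender IP, target MAC, target IP, time) and separates APIPA senders, which hold no DHCP lease and therefore cannot have a snooping binding, from non-APIPA senders, whose IP/MAC disagreed with the binding table and deserve a closer look. The three APIPA lines are the ones from the post; the non-APIPA deny and the unrelated %SYS line are constructed for the demonstration.

```python
"""Triage of Cisco %SW_DAI-4-DHCP_SNOOPING_DENY syslog lines (added example)."""
import ipaddress
import re
from collections import Counter

APIPA_NET = ipaddress.ip_network("169.254.0.0/16")

# Bracketed field layout: sender MAC / sender IP / target MAC / target IP / time
DAI_DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<op>\w+)\) "
    r"on (?P<intf>\S+), vlan (?P<vlan>\d+)\.\(\["
    r"(?P<smac>[0-9a-fA-F.]+)/(?P<sip>[\d.]+)/(?P<tmac>[0-9a-fA-F.]+)/(?P<tip>[\d.]+)/"
    r"(?P<when>[^\]]+)\]\)"
)


def parse_dai_deny(line):
    """Return a dict of the message fields, or None if the line is not a DAI deny."""
    m = DAI_DENY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    rec["vlan"] = int(rec["vlan"])
    return rec


def classify(rec):
    """APIPA senders are lease-less hosts; anything else failed a real binding check."""
    if ipaddress.ip_address(rec["sip"]) in APIPA_NET:
        return "apipa-no-lease"
    return "binding-mismatch"


def triage(lines):
    """Sum denied-ARP counts per (interface, sender MAC, category)."""
    totals = Counter()
    for line in lines:
        rec = parse_dai_deny(line)
        if rec is None:
            continue
        totals[(rec["intf"], rec["smac"], classify(rec))] += rec["count"]
    return totals


# Three lines quoted from the post, one constructed non-APIPA deny, one constructed unrelated line.
SAMPLE_LOG = [
    "Apr 11 11:03:39.692 UTC: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/12, vlan 11.([0024.8154.2aca/169.254.97.238/0000.0000.0000/169.254.97.238/11:03:39 UTC Mon Apr 11 2011])",
    "Apr 11 11:03:40.699 UTC: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/12, vlan 11.([0024.8154.2aca/169.254.97.238/0000.0000.0000/169.254.97.238/11:03:40 UTC Mon Apr 11 2011])",
    "Apr 11 11:03:41.714 UTC: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/12, vlan 11.([0024.8154.2aca/169.254.97.238/0000.0000.0000/169.254.97.238/11:03:41 UTC Mon Apr 11 2011])",
    # constructed: a sender whose IP is not APIPA but still has no matching binding
    "Apr 11 11:05:02.100 UTC: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Res) on Fa1/0/20, vlan 11.([0011.2233.4455/10.100.0.77/0024.8154.2aca/10.100.0.9/11:05:02 UTC Mon Apr 11 2011])",
    # constructed: unrelated message, must be ignored by the parser
    "Apr 11 11:05:03.000 UTC: %SYS-5-CONFIG_I: Configured from console by vty0",
]

if __name__ == "__main__":
    for key, n in sorted(triage(SAMPLE_LOG).items()):
        print(key, n)
```

Feeding a day's syslog through `triage()` gives one row per port and MAC; the `apipa-no-lease` rows are the noise the later posters complain about, while any `binding-mismatch` row points at a host whose ARPs disagree with its lease and is the one to investigate.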
24 Replies

I checked the interface and there's no port-security in it.

I had a similar situation with another user. His port is denied access by ARP-inspection, because an ARP packet is sent with IP address = APIPA:

- I checked DHCP snooping binding database and found an entry.

- I cleared it with "clear ip dhcp snooping binding interface fa1/0/14"

- waited a minute or so, then heard the user telling me he's got an IP address.


Do you have

authentication mac-move permit

used in the configuration?

Greetings Harrie

Harrie,

No I don't have it.

Here's an output of "debug ip dhcp snooping event" and "debug ip dhcp snooping packet". Host is removed from fa1/0/12 (mobile worker) then put back in the same interface. It could not get an IP address from DHCP server.


Hi Waas,

The client requested two times and both times it did not request the APIPA IP, and I believe this time you did not reproduce the same issue again. Looks like the debugs are good. The first time it took the IP 10.100.0.9 and the second time DHCP also offered the same IP to the client.

Debugs look clean:

-------------------------------------------------------

Apr 18 09:10:32.317 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Fa1/0/12, MAC da: ffff.ffff.ffff, MAC sa: 0024.8154.2aca, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0024.8154.2aca

Apr 18 09:10:33.307 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Po1, MAC da: ffff.ffff.ffff, MAC sa: 0008.e3ff.fc28, IP da: 255.255.255.255, IP sa: 10.100.0.126, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.100.0.9, DHCP siaddr: 172.16.5.29, DHCP giaddr: 10.100.0.126, DHCP chaddr: 0024.8154.2aca

TNSWACCS01A1#sh ip dhcp snooping bind int fa1/0/12
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:24:81:54:2A:CA   10.100.0.9       598869      dhcp-snooping   11    FastEthernet1/0/12

Apr 18 09:16:20.329 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Fa1/0/12, MAC da: ffff.ffff.ffff, MAC sa: 0024.8154.2aca, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 0024.8154.2aca

Apr 18 09:16:20.337 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Po1, MAC da: ffff.ffff.ffff, MAC sa: 0008.e3ff.fc28, IP da: 255.255.255.255, IP sa: 10.100.0.126, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.100.0.9, DHCP siaddr: 172.16.5.14, DHCP giaddr: 10.100.0.126, DHCP chaddr: 0024.8154.2aca

Apr 18 09:16:33.323 UTC: DHCP_SNOOPING: process new DHCP packet, message type: DHCPOFFER, input interface: Po1, MAC da: ffff.ffff.ffff, MAC sa: 0008.e3ff.fc28, IP da: 255.255.255.255, IP sa: 10.100.0.126, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 10.100.0.9, DHCP siaddr: 172.16.5.29, DHCP giaddr: 10.100.0.126, DHCP chaddr: 0024.8154.2aca

Question:

Also, based on the debug output, I see two offers coming from two different DHCP server IPs. Do you have two DHCP servers?

DHCP siaddr: 172.16.5.14

DHCP siaddr: 172.16.5.29

Thanks,

Kasi
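Added example (not code from the thread, and not Cisco's implementation): a model of the check Dynamic ARP Inspection makes on an untrusted port, applied to the binding table quoted above. It parses the "show ip dhcp snooping binding" output, normalises the two MAC spellings that appear on the page (00:24:81:54:2A:CA in the table, 0024.8154.2aca in the syslog) and the two interface spellings (FastEthernet1/0/12 vs Fa1/0/12), then requires the ARP sender MAC and IP to match a binding for that VLAN on that interface. The APIPA ARP and the 10.100.0.9 lease come from the thread; treating Po1 as the trusted uplink, the moved-port case on Fa1/0/14 and the ARP from the DHCP relay are assumptions made for the demonstration.

```python
"""Model of the DAI sender check against the DHCP snooping binding table (added example)."""

ABBREV = {
    "TenGigabitEthernet": "Te",
    "GigabitEthernet": "Gi",
    "FastEthernet": "Fa",
    "Port-channel": "Po",
}


def norm_mac(mac):
    """00:24:81:54:2A:CA and 0024.8154.2aca both become 002481542aca."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


def norm_intf(name):
    """FastEthernet1/0/12 -> Fa1/0/12 so table and ARP records compare equal."""
    for long_name, short in ABBREV.items():
        if name.startswith(long_name):
            return short + name[len(long_name):]
    return name


def parse_binding_table(text):
    """Return {(mac, ip, vlan): interface} from 'show ip dhcp snooping binding' output."""
    bindings = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[4].isdigit():
            continue  # header, separator, prompt or summary lines
        mac, ip, _lease, _type, vlan, intf = parts
        bindings[(norm_mac(mac), ip, int(vlan))] = norm_intf(intf)
    return bindings


def dai_check(bindings, trusted, arp):
    """Return (verdict, reason) for an ARP described as
    {"intf": ..., "vlan": ..., "smac": ..., "sip": ...}."""
    intf = norm_intf(arp["intf"])
    if intf in trusted:
        return "permit", "trusted interface, not inspected"
    bound_intf = bindings.get((norm_mac(arp["smac"]), arp["sip"], arp["vlan"]))
    if bound_intf is None:
        return "deny", "no DHCP snooping binding for sender MAC/IP in this VLAN"
    if bound_intf != intf:
        return "deny", f"binding belongs to {bound_intf}, ARP arrived on {intf}"
    return "permit", "sender matches binding"


# Binding table exactly as quoted in the thread.
BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:24:81:54:2A:CA   10.100.0.9       598869      dhcp-snooping   11    FastEthernet1/0/12
"""
TRUSTED = {"Po1"}  # assumption: the uplink that carried the DHCP offers in the debug

ARPS = [
    # the APIPA ARP from the syslog in the first post
    {"intf": "Fa1/0/12", "vlan": 11, "smac": "0024.8154.2aca", "sip": "169.254.97.238"},
    # the same host once it holds the 10.100.0.9 lease
    {"intf": "Fa1/0/12", "vlan": 11, "smac": "0024.8154.2aca", "sip": "10.100.0.9"},
    # constructed: same host moved to another port without a new lease
    {"intf": "Fa1/0/14", "vlan": 11, "smac": "0024.8154.2aca", "sip": "10.100.0.9"},
    # constructed: the relay's own ARP arriving on the trusted uplink
    {"intf": "Po1", "vlan": 11, "smac": "0008.e3ff.fc28", "sip": "10.100.0.126"},
]


def run_all(binding_text=BINDING_OUTPUT, trusted=TRUSTED, arps=ARPS):
    bindings = parse_binding_table(binding_text)
    return [dai_check(bindings, trusted, a)[0] for a in arps]


if __name__ == "__main__":
    b = parse_binding_table(BINDING_OUTPUT)
    for a in ARPS:
        print(a["intf"], a["smac"], a["sip"], "->", dai_check(b, TRUSTED, a))
```

The first record reproduces the thread's symptom: the host's MAC does have a binding, but for 10.100.0.9, so an ARP carrying the APIPA sender address matches nothing and is dropped. The check is per port, which is why the binding the earlier reply cleared with "clear ip dhcp snooping binding interface" had to be re-learned from a fresh DHCP exchange before that host could pass again.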

Kasi,

172.16.5.14 is an SCCM server. There are two DHCP servers in the network: 172.16.5.28 and 172.16.5.29.


Hello Wass,

I have a question.

Is this a problem with PCs that have an SSD?

PCs with an SSD start much faster than a PC with a standard hard disk.

Maybe a sniffer can help you to analyse the dataflow.

Greetings

Hi Wass,

Could you please reproduce the same issue once again by having an APIPA IP on the PC? Please provide the debugs also.

Thanks,

Kasi

dotansplus
Level 1

Hello Wass,

I know this is an old question, but I'm experiencing the same issue with Windows clients. Did you resolve this? Please let me know.

cheers!

Networks_Ish
Level 1

I'd also be interested in the fix for this (if found), as I'm seeing it on my office network too - sometimes quite frequently, with clients sending what seem to be invalid ARPs with APIPA addresses to the switch when they've already received IP addresses.

indogtheytrust
Level 1

Hi!

Any updates about the problem? Actually the PCs are working well, but syslog is overloaded with these messages.