ip arp inspection how to

Hi guys. We have a large network based on Catalyst 2900, 3600, and 6500 series switches. They were all set up as L2, and there is only one core switch, a Nexus 7k, on top as L3 for all VLANs. The problem is that when we deploy DAI on those L2 switches, end users have a problem getting an IP from the Windows DHCP server connected to the Nexus 7K. Something like this:

Windows DNS/DHCPservers--------[Nexus ] -----------l2switch ----------l2switch--------------l2switch 

All ports/computers on the L2 switches are in VLAN 1. The router for them is interface vlan 4 on the core Nexus switch. DAI is enabled on the L2 switches and on VLAN 1 only.

1) I see the L2 switches don't have the IPs of the computers connected to them in the ARP cache. So IS IT RIGHT that DAI can't do the ARP-to-IP binding and blocks DHCP requests on untrusted ports? If DAI uses the ARP-to-IP binding to allow trusted hosts but the switch doesn't have the IP, then nothing is allowed??

The ports of those users aren't in the error-disabled state, but they can't get an IP; if I give them a static IP, they work fine.

2) How can I resolve this problem?

Also, is it possible to eliminate the problem of getting a new IP if I have a second DHCP server as a backup with the second half of the IP range? When the first DHCP server fails, the second DHCP server will give out new IPs and DAI will probably block those users ... right?

Thank you 


2 Replies

Looks like I found out what the problem is. We programmed DAI and DHCP snooping at the same time; because DAI uses the DHCP snooping database, which was not ready yet, DAI blocked everything. So in order for DAI to work fine we need to have the DHCP snooping database ready for all connected users. Also, if the switch reboots it loses that table and DAI will probably block all users again. I got an IP, then enabled DAI, and I can't ping anything; the DHCP snooping database is empty after 24 hours.

Does anybody know how the DHCP table is filled out, and how long it takes?

Looks like it's a bug, Version 12.2(55)SE5

OK, it was resolved after upgrading IOS to Version 15.0(2)SE7. So DHCP snooping didn't collect the ARP-to-IP table and DAI blocked everything because of that. I hope it may help someone.
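As an added example (not the poster's configuration), this is how the DHCP-snooping-to-DAI dependency described in this thread is normally laid out on a Catalyst access switch in IOS: DHCP snooping is enabled first so the binding table fills as clients renew, the uplink toward the Nexus 7K and the DHCP servers is trusted for both features, the binding table is written to flash so a reload does not empty it, and a statically addressed host is allowed through an ARP ACL. The interface names, the database filename, and the host address/MAC are assumptions.

```ios
! Step 1: DHCP snooping first. DAI validates ARP packets against this binding
! table, so it must be populated before DAI is turned on.
ip dhcp snooping
ip dhcp snooping vlan 1
! Persist bindings to local flash so a reload does not empty the table
! (assumed filename; write-delay is in seconds).
ip dhcp snooping database flash:dhcp-snooping.db
ip dhcp snooping database write-delay 60
!
! Uplink toward the Nexus 7K and the DHCP servers (assumed port): trust both
! features, otherwise the server's OFFER/ACK and the gateway's ARP are dropped.
interface GigabitEthernet1/0/48
 description UPLINK-TO-NEXUS
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! User access ports stay untrusted (the default), so their ARP is checked
! against the snooping bindings; rate-limit client DHCP to contain floods.
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 1
 ip dhcp snooping limit rate 15
!
! Statically addressed hosts never appear in the snooping table, so DAI would
! drop their ARP; allow them explicitly (constructed address and MAC).
arp access-list STATIC-HOSTS
 permit ip host 10.1.1.50 mac host 0011.2233.4455
!
! Step 2: only after 'show ip dhcp snooping binding' lists the clients,
! enable DAI on the VLAN. Without the 'static' keyword, ARP that does not
! match the ACL still falls through to the DHCP snooping bindings.
ip arp inspection vlan 1
ip arp inspection filter STATIC-HOSTS vlan 1
!
! Verification: bindings present, trust state correct, no ARP drops.
! show ip dhcp snooping binding
! show ip arp inspection interfaces
! show ip arp inspection statistics vlan 1
```

Because both DHCP servers sit behind the trusted uplink, bindings are learned from whichever server answers, so a failover to the backup server's range updates the table as clients re-lease rather than leaving them blocked.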