L2 Security feature failed

Tee Chin Poh · ‎08-24-2012

Hi All,

Does anyone have idea why the ip and mac address cannot store in dhcp snooping binding table? if ip address cannot store in ip dhcp snooping binding table. my pc cannot ping to gateway. The router i have configure as dhcp server so i have disable 82 options in ip dhcp snooping. attach router and switch configuration

regards,

Tee

cadet alain · ‎08-24-2012

Hi,

can we get the output of sh ip dhcp snooping database.

Regards.

Alain.

Don't forget to rate helpful posts.

Tee Chin Poh · ‎08-24-2012

Hi Alain,

inside 2960.txt have show ip dhcp snooping database, show ip dhcp snooping binding, show ip arp inspection as well. you can see the error message as below.

Aug 24 09:10:48.340: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 10.([001c.230e.2e84/10.10.10.3/0000.0000.0000/10.10.10.1/17:10:47 GMT Fri Aug 24 2012])

Aug 24 09:10:49.347: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 10.([001c.230e.2e84/10.10.10.3/0000.0000.0000/10.10.10.1/17:10:48 GMT Fri Aug 24 2012])

Aug 24 09:10:50.353: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Fa0/13, vlan 10.([001c.230e.2e84/10.10.10.3/0000.0000.0000/10.10.10.1/17:10:49 GMT Fri Aug 24 2012])

Regards,

Tee

cadet alain · ‎08-24-2012

Hi,

I'm not seeing it in the config and sorry I spelled the command wrong, it should be sh ip dhcp snooping binding

Can you post it please.

Regards.

Alain

Don't forget to rate helpful posts.

Tee Chin Poh · ‎08-26-2012

hi Alain,

the show ip dhcp snooping binding also inside the notepad. if you search the keyword binding, you should find it. the bindings are 0. i wonder why it cannot store in binding table.

Switch# sh ip dhcp snooping

Aug 24 09:11:14.520: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 10.([001c.230e.2e84/10.10.10.3/0000.0000.0000/10.10.10.1/17:11:13 GMT Fri Aug 24 2012])bi

Switch# sh ip dhcp snooping binding

Aug 24 09:11:16.542: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 10.([001c.230e.2e84/10.10.10.3/0000.0000.0000/10.10.10.1/17:11:16 GMT Fri Aug 24 2012])

Aug 24 09:11:17.549: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/13, vlan 10.([001c.230e.2e84/10.10.10.3/0000.0000.0000/10.10.10.1/17:11:17 GMT Fri Aug 24 2012])

MacAddress IpAddress Lease(sec) Type VLAN Interface

------------------ --------------- ---------- ------------- ---- --------------------

Total number of bindings: 0

Regards,

Tee

ccnpjobhunter · ‎08-24-2012

By default it would store one ip address and one mac for interface. Thats how you configure it. However if port Fa0/13 had a previous ip addres and mac and you plug another device it would cause the message you received. To fix that you need the ip arp inspection trust command on the interface the message appears. This is how I fix it when this message happend to me.

Tee Chin Poh · ‎08-26-2012

hi Pedro,

if i apply ip arp inspection trust command in the interface. it will auto bypass the interface. the objective i want to do is untrust interface get inspect before traffic send out. do you see any config or else is incorrect?

Regards,

Tee

Tee Chin Poh · ‎09-04-2012

hi all,

finally found out the problem. LAN Lite software cannot support. used LAN Base software can support

Regards,

Tee