%SW_DAI-4-DHCP_SNOOPING_DENY -- Strange ARP between VLANs

Cadeyrn (Level 1)

While reviewing some syslog messages, I noticed the following entry:

%SW_DAI-4-DHCP_SNOOPING_DENY 1 Invalid ARPs (Req) on Gi1/0/13, vlan 10.([0011.3221.5503/10.10.40.10/0000.0000.0000/10.10.10.42/23:15:39 JST Sun Oct 3 2021])

It repeats 27 times before clearing up.

 

10.10.40.10 is on vlan 40, while 10.10.10.42 is on vlan 10.
Unless I am misreading it, this output indicates that a host on VLAN 40 is trying to ARP a host on VLAN 10, which seems like nonsense to me. As they are on separate subnets, as I understand it, it should ARP the local VLAN 40 default gateway and then route to VLAN 10.

 

Let me share some configuration.

ip routing
ip arp inspection vlan 10,20
!
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option
ip dhcp snooping

vlan 10
name lan
!
vlan 40
name servers

interface GigabitEthernet1/0/13
switchport access vlan 10
switchport mode access
!
interface GigabitEthernet1/0/21
description DHCP/DNS
switchport access vlan 40
switchport mode access
ip arp inspection trust
ip dhcp snooping trust
end

interface Vlan10
ip address 10.10.10.254 255.255.255.0
ip helper-address 10.10.40.203
!
interface Vlan40
ip address 10.10.40.254 255.255.255.0

 

Could proxy ARP explain this?
Could someone please help clear my confusion?

Thank you.

5 Replies

Hello


@Cadeyrn wrote:

While reviewing some syslog messages, I noticed the following entry:

%SW_DAI-4-DHCP_SNOOPING_DENY 1 Invalid ARPs (Req) on Gi1/0/13, vlan 10.([0011.3221.5503/10.10.40.10/0000.0000.0000/10.10.10.42/23:15:39 JST Sun Oct 3 2021])

The switch is informing that ARP inspection is seeing an invalid ARP; basically, the original MAC address of this host registered in the snooping/inspection tables has changed, and as such it is now being denied.

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thank you for the response.

However, perhaps my question was not clear.

 

I understand what an ARP violation is. Rather, my question is how a host in VLAN 40 (10.10.40.10) could try to ARP a host in VLAN 10 (10.10.10.42). ARP is a process to identify a MAC address from an IP address. It should only work on a single subnet (VLAN). When a host needs to communicate with a host on another subnet, it needs to send the request to its local gateway to be forwarded. As such, an ARP table for a particular VLAN should only ever contain entries for hosts on the same VLAN.

 

And yet the above ARP violation indicates that there was an ARP request over two separate VLANs. How does this happen? Could proxy ARP be the cause?

 

Thank you.

Hello
You have DAI enabled, hence the violation. I believe the ARP request from the router/L3 switch isn't the problem; it's due to the fact that the registered MAC/ARP entries in the snooping and inspection table have changed relative to the original host's entry.

So host-to-host between different VLANs is performed via the routing device:
hosts' DHCP allocations
host 1/2 <arp> to its default gateway (rtr)
rtr <arp> to host 1/2

Switch/rtr will register the replies in their tables, so if you have DAI enabled and that original registration has changed without the snooping/inspection table updating, then you will see that violation.



Kind Regards
Paul

Hello,

 

On a side note, what device is connected to this interface?

 

interface GigabitEthernet1/0/21
description DHCP/DNS
switchport access vlan 40
switchport mode access
ip arp inspection trust
ip dhcp snooping trust

 

I would at least check if that device is trying to do some sort of ARP spoofing, or somebody is using some sort of traffic/packet generator.

Cadeyrn (Level 1)

My apologies. I found the cause. I must have overthought this because, to my embarrassment, the answer was all there right in front of me the whole time.

%SW_DAI-4-DHCP_SNOOPING_DENY 1 Invalid ARPs (Req) on Gi1/0/13, vlan 10.([0011.3221.5503/10.10.40.10/0000.0000.0000/10.10.10.42/23:15:39 JST Sun Oct 3 2021])

As shown in the error message, Gi1/0/13 (10.10.40.10) is on VLAN 10. And indeed...

#show mac address-table add 0011.3221.5503
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.3221.5503    DYNAMIC     Gi1/0/13
Total Mac Addresses for this criterion: 1

This is a mistake and it really should have been on VLAN 40. So in conclusion, it really was just two hosts trying to ARP each other on the same VLAN. That's enough embarrassments for me...
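As an added example (not from the thread), a small Python checker that parses the DAI deny message quoted above and compares the sender and target IPs with the subnet of the VLAN the ARP arrived on, using the SVI addresses from the posted config. A sender IP outside that VLAN's subnet points at a host patched into the wrong VLAN (this thread's case) or a spoofed sender, which is a different finding from a plain DHCP-binding mismatch; the second log line and the VLAN map are constructed for the example.

```python
import ipaddress
import re

# VLAN -> subnet map built from the SVI addresses in the thread's config.
VLAN_SUBNETS = {
    10: ipaddress.ip_network("10.10.10.0/24"),
    40: ipaddress.ip_network("10.10.40.0/24"),
}

# Format of the message in the thread:
# %SW_DAI-4-DHCP_SNOOPING_DENY <n> Invalid ARPs (<type>) on <intf>, vlan <id>.([<smac>/<sip>/<tmac>/<tip>/<time>])
DAI_DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY\s+(?P<count>\d+)\s+Invalid ARPs\s+\((?P<kind>\w+)\)"
    r"\s+on\s+(?P<intf>\S+),\s+vlan\s+(?P<vlan>\d+)\.\(\["
    r"(?P<smac>[0-9a-fA-F.]+)/(?P<sip>[\d.]+)/(?P<tmac>[0-9a-fA-F.]+)/(?P<tip>[\d.]+)/(?P<when>[^\]]+)\]\)"
)

# The line from the thread, plus one constructed line where both IPs fit the VLAN.
THREAD_LINE = ("%SW_DAI-4-DHCP_SNOOPING_DENY 1 Invalid ARPs (Req) on Gi1/0/13, vlan 10."
               "([0011.3221.5503/10.10.40.10/0000.0000.0000/10.10.10.42/23:15:39 JST Sun Oct 3 2021])")
CONSTRUCTED_LINE = ("%SW_DAI-4-DHCP_SNOOPING_DENY 3 Invalid ARPs (Res) on Gi1/0/5, vlan 10."
                    "([0011.aaaa.bbbb/10.10.10.77/0011.cccc.dddd/10.10.10.254/00:00:01 JST Mon Oct 4 2021])")

def parse_dai_deny(line):
    """Return the fields of a DAI deny message as a dict, or None if the line is not one."""
    m = DAI_DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["count"] = int(d["count"])
    d["vlan"] = int(d["vlan"])
    return d

def vlan_for_ip(ip, vlan_subnets=VLAN_SUBNETS):
    """VLAN whose subnet contains ip, or None if no configured subnet matches."""
    addr = ipaddress.ip_address(ip)
    return next((v for v, net in vlan_subnets.items() if addr in net), None)

def classify(entry, vlan_subnets=VLAN_SUBNETS):
    """Explain a deny by checking sender/target IPs against the arrival VLAN's subnet."""
    arrival = entry["vlan"]
    if arrival not in vlan_subnets:
        return ("unknown-vlan", None)
    sender_vlan = vlan_for_ip(entry["sip"], vlan_subnets)
    if sender_vlan != arrival:
        # Sender claims an address from another subnet: wrong-VLAN host or spoofed sender.
        return ("sender-ip-foreign-to-vlan", sender_vlan)
    if vlan_for_ip(entry["tip"], vlan_subnets) != arrival:
        return ("target-ip-foreign-to-vlan", vlan_for_ip(entry["tip"], vlan_subnets))
    # Both addresses belong on this VLAN, so the deny is a MAC/IP/port binding mismatch.
    return ("binding-mismatch", arrival)
```

For the thread's line the result is ("sender-ip-foreign-to-vlan", 40): the sender 10.10.40.10 belongs to VLAN 40 but was seen on a VLAN 10 port, exactly the mis-assigned port the accepted answer found.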
