10-07-2021 02:38 AM
While reviewing some syslog messages, I noticed the following entry:
%SW_DAI-4-DHCP_SNOOPING_DENY 1 Invalid ARPs (Req) on Gi1/0/13, vlan 10.([0011.3221.5503/10.10.40.10/0000.0000.0000/10.10.10.42/23:15:39 JST Sun Oct 3 2021])
It repeats 27 times before clearing up.
10.10.40.10 is on vlan 40, while 10.10.10.42 is on vlan 10.
Unless I am misreading it, this output indicates that a host on vlan 40 is trying to ARP a host on vlan 10, which seems like nonsense to me. As they are on separate subnets, as I understand it, it should ARP the local vlan 40 default gateway and then route to vlan 10.
Let me share some configuration.
ip routing
ip arp inspection vlan 10,20
!
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option
ip dhcp snooping
vlan 10
 name lan
!
vlan 40
 name servers
interface GigabitEthernet1/0/13
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet1/0/21
 description DHCP/DNS
 switchport access vlan 40
 switchport mode access
 ip arp inspection trust
 ip dhcp snooping trust
end
interface Vlan10
 ip address 10.10.10.254 255.255.255.0
 ip helper-address 10.10.40.203
!
interface Vlan40
 ip address 10.10.40.254 255.255.255.0
Could proxy ARP explain this?
Could someone please help clear my confusion?
Thank you.
10-07-2021 05:54 AM - edited 10-07-2021 01:32 PM
Hello
@Cadeyrn wrote:
While reviewing some syslog messages, I noticed the following entry:
%SW_DAI-4-DHCP_SNOOPING_DENY 1 Invalid ARPs (Req) on Gi1/0/13, vlan 10.([0011.3221.5503/10.10.40.10/0000.0000.0000/10.10.10.42/23:15:39 JST Sun Oct 3 2021])
The switch is informing you that ARP inspection is seeing an invalid ARP; basically, the original MAC address of this host registered in the snooping/inspection tables has changed, and as such it is now being denied.
10-09-2021 02:47 AM
Thank you for the response.
However, perhaps my question was not clear.
I understand what an ARP violation is. Rather, my question is how a host in VLAN 40 (10.10.40.10) could try to ARP a host in VLAN 10 (10.10.10.42). ARP is a process to identify a MAC address from an IP address. It should only work on a single subnet (VLAN). When a host needs to communicate with a host on another subnet, it needs to send the request to its local gateway to be forwarded. As such, an ARP table for a particular VLAN should only ever contain entries for hosts on the same VLAN.
And yet the above ARP violation indicates that there was an ARP request over two separate VLANs. How does this happen? Could proxy ARP be the cause?
Thank you.
10-09-2021 06:45 AM
Hello
You have DAI enabled, hence the violation. I believe the ARP request from the router/L3 switch isn't the problem; it's due to the fact that the registered MAC/ARP entries in the snooping and inspection table have changed relative to the original host's entry.
So host-to-host between different VLANs is performed via the routing device:
hosts dhcp allocations
host 1/2 <arp> to its default gateway (rtr)
rtr <arp> to host 1/2
switch/rtr will register the replies in their tables, so if you have DAI enabled and that original registration has changed without the snooping/inspection table updating, then you will see that violation.
10-10-2021 12:12 AM
Hello,
on a side note, what device is connected to this interface?
interface GigabitEthernet1/0/21
description DHCP/DNS
switchport access vlan 40
switchport mode access
ip arp inspection trust
ip dhcp snooping trust
I would at least check if that device is trying to do some sort of ARP spoofing, or somebody is using some sort of traffic/packet generator.
10-10-2021 02:56 AM
My apologies. I found the cause. I must have overthought this because, to my embarrassment, the answer was all there right in front of me the whole time.
%SW_DAI-4-DHCP_SNOOPING_DENY 1 Invalid ARPs (Req) on Gi1/0/13, vlan 10.([0011.3221.5503/10.10.40.10/0000.0000.0000/10.10.10.42/23:15:39 JST Sun Oct 3 2021])
As shown in the error message, Gi1/0/13 (10.10.40.10) is on VLAN 10. And indeed...
#show mac address-table add 0011.3221.5503
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.3221.5503    DYNAMIC     Gi1/0/13
Total Mac Addresses for this criterion: 1
This is a mistake and it really should have been on VLAN 40. So in conclusion, it really was just two hosts trying to ARP each other on the same VLAN. That's enough embarrassment for me...
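Putting the resolved message and the earlier side note about checking for spoofing together, here is an added example in Python (not from this thread, and not Cisco code). It parses %SW_DAI-4-DHCP_SNOOPING_DENY lines, derives each VLAN's subnet from the SVI addresses in the posted configuration, and flags any deny whose sender IP lies outside its VLAN's subnet, which is exactly what 10.10.40.10 showing up on vlan 10 was: a host in the wrong access VLAN. A deny whose sender IP is on the right subnet means DAI found no DHCP snooping binding or ARP ACL entry for that MAC/IP pair. It also counts distinct sender IPs per sender MAC, since one MAC claiming several addresses is the pattern worth looking at on a port before assuming a stale table. The first log line is the real one from the thread; the other three lines, port Gi1/0/15 and MAC aaaa.bbbb.0001 are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# IOS DAI deny message. The copy in this thread has no colon after the
# mnemonic, so the colon is optional. The bracketed tuple is:
# sender MAC / sender IP / target MAC / target IP / timestamp.
DAI_DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY:?\s+(?P<count>\d+) Invalid ARPs "
    r"\((?P<kind>Req|Res)\) on (?P<port>\S+), vlan (?P<vlan>\d+)\."
    r"\(\[(?P<smac>[0-9A-Fa-f.]+)/(?P<sip>[\d.]+)/(?P<tmac>[0-9A-Fa-f.]+)"
    r"/(?P<tip>[\d.]+)/(?P<ts>[^\]]+)\]\)"
)

# "interface VlanNN" followed by its "ip address A.B.C.D MASK" line.
SVI_RE = re.compile(r"interface Vlan(\d+)\n\s*ip address (\S+) (\S+)")

# SVI part of the configuration posted in the thread.
SWITCH_CONFIG = """\
interface Vlan10
 ip address 10.10.10.254 255.255.255.0
 ip helper-address 10.10.40.203
!
interface Vlan40
 ip address 10.10.40.254 255.255.255.0
"""

# Constructed sample log. Line 1 is the real message from the thread; the
# others are made up (port Gi1/0/15 and MAC aaaa.bbbb.0001 are placeholders):
# a host on the right subnet but with no snooping binding, then that same
# MAC cycling through several sender IPs.
SAMPLE_LOG = """\
%SW_DAI-4-DHCP_SNOOPING_DENY 1 Invalid ARPs (Req) on Gi1/0/13, vlan 10.([0011.3221.5503/10.10.40.10/0000.0000.0000/10.10.10.42/23:15:39 JST Sun Oct 3 2021])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/15, vlan 10.([aaaa.bbbb.0001/10.10.10.77/0000.0000.0000/10.10.10.254/23:16:01 JST Sun Oct 3 2021])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/15, vlan 10.([aaaa.bbbb.0001/10.10.10.78/0000.0000.0000/10.10.10.254/23:16:02 JST Sun Oct 3 2021])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Gi1/0/15, vlan 10.([aaaa.bbbb.0001/10.10.10.79/0011.3221.5503/10.10.10.42/23:16:03 JST Sun Oct 3 2021])
"""


def vlan_subnets(config_text):
    """Map VLAN id -> IPv4Network, derived from the SVI addresses."""
    subnets = {}
    for vlan, addr, mask in SVI_RE.findall(config_text):
        subnets[int(vlan)] = ipaddress.ip_interface(f"{addr}/{mask}").network
    return subnets


def parse_dai_deny(line):
    """Return the fields of one DAI deny message as a dict, or None."""
    m = DAI_DENY_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["count"] = int(ev["count"])
    ev["vlan"] = int(ev["vlan"])
    return ev


def classify(ev, subnets):
    """Say why a deny is plausible, given the subnet of the VLAN it was seen on."""
    net = subnets.get(ev["vlan"])
    if net is None:
        return "unknown-vlan"  # no SVI for this VLAN in the parsed config
    if ipaddress.ip_address(ev["sip"]) not in net:
        # A sender IP from another subnet on this VLAN usually means the
        # access port is in the wrong VLAN, which is what Gi1/0/13 was.
        return "sender-ip-off-subnet"
    # Right subnet, yet denied: DAI has no DHCP snooping binding or
    # ARP ACL entry matching this sender MAC/IP pair.
    return "binding-mismatch"


def analyze(log_text, config_text):
    """Parse all DAI denies; return the events and distinct sender IPs per MAC."""
    subnets = vlan_subnets(config_text)
    events = []
    ips_per_mac = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_dai_deny(line)
        if ev is None:
            continue
        ev["verdict"] = classify(ev, subnets)
        ips_per_mac[ev["smac"]].add(ev["sip"])
        events.append(ev)
    return events, {mac: sorted(ips) for mac, ips in ips_per_mac.items()}


if __name__ == "__main__":
    events, per_mac = analyze(SAMPLE_LOG, SWITCH_CONFIG)
    for ev in events:
        print(f"{ev['port']:>9} vlan {ev['vlan']:<3} {ev['smac']} "
              f"{ev['sip']:<13} -> {ev['verdict']}")
    for mac, ips in per_mac.items():
        flag = "  <- one MAC, several IPs: check this port" if len(ips) > 1 else ""
        print(f"{mac}: {len(ips)} sender IP(s){flag}")
```

To run it against real data, replace SAMPLE_LOG with the lines collected by the syslog server and SWITCH_CONFIG with the SVI stanzas from the switch's running configuration; the first verdict the script prints for the thread's own line is "sender-ip-off-subnet" on Gi1/0/13, which points straight at the access VLAN of that port.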