WOW�.
I don�t know what pissed you off, but if you don�t have the capacity to
discuss and simply discuss, you should not participate.
The reason *I did not think* of that command is because you are receiving
errors that is generated by DAI, to be more specific an ARP reply,* if this
port was trusted*, you will NOT receive any errors, so what you stated does
not apply here. Read what you pasted.
We all know how DAI relies on DHCP snooping, there is no argument about
that, I guess we are looking at this from two angles. My statement below is
what you are saying, i am interpreting the error, you are guessing the
cause.
*DAI is telling you that the host that sent an APR request on G2/18 which
happens to be in VLAN 20, with an IP address of 10.1.1.1 and a MAC address
of "0022.5ac1.202a" was NOT in the DHCP snooping DB, but the actual message
came from DAI. *
Relax.
On Thu, Jun 16, 2011 at 8:57 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
> Narbik,
>
> I will not degenerate into a baseless argument here. I am just shocked at
> why you argue when you should know better.
>
> And whats below? This is not a DHCP Snooping Trust but a DAI Trust port:
>
>
>
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12
.2_52_se/configuration/guide/swdynarp.html#wp1039756
>
> Step 5
>
> *ip arp inspection trust*
>
> Configure the connection between the switches as trusted.
>
> By default, all interfaces are untrusted.
>
> The switch does not check ARP packets that it receives from the other
> switch on the trusted interface. It simply forwards the packets.
>
> For untrusted interfaces, the switch intercepts all ARP requests and
> responses. It verifies that the intercepted packets have valid IP-to-MAC
> address bindings before updating the local cache and before forwarding the
> packet to the appropriate destination. The switch drops invalid packets and
> logs them in the log buffer according to the logging configuration
specified
> with the *ip arp inspection vlan logging* global configuration command.
> For more information, see the "Configuring the Log Buffer"
section<http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/re
lease/12.2_52_se/configuration/guide/swdynarp.html#wp1047405>
> .
>
> Secondly, the log message below says something: this DAI works in
> combination with DHCP Snooping. If you have a host that has DHCP'd and is
> working just fine and that host's entry if somehow cleared out of the DHCP
> Snooping Binding Table, thats a scenario that would end up with the log
> message below. As we all know, there are quite a number of reasons the
> problem could be created from. With the limited information and lack of
> configuration from the initial poster of this query, one can only speculate
> what the cause is and hence a solution.
>
> Below is another excerpt from the Cisco feature documentation:
>
> "Dynamic ARP inspection determines the validity of an ARP packet based on
> valid IP-to-MAC address bindings stored in a trusted database, the DHCP
> snooping binding database." More here:
>
>
>
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12
.2_52_se/configuration/guide/swdynarp.html#wp1041210
>
> I will not continue participating in this discussion now since we are all
> entitled to our opinions, end of the day.
>
> Sadiq
>
>
>
> On Thu, Jun 16, 2011 at 4:26 PM, Narbik Kocharians
<narbikk_at_gmail.com>wrote:
>
>> Sadiq,
>>
>> It is NOT, i totally disagree with that. First of all there is no such
>> thing as "DAI trusted port", you can have a snooping trusted port BUT not
>> DAI trusted port. The first thing you want to do when troubleshooting is
to
>> see where the message came from which feature generated the message so you
>> can understand the problem.
>>
>> secondly if you see the message he posted you will see that the error is
>> coming from DAI:
>>
>> *%SW_DAI-4-DHCP_SNOOPING*_DENY: 1 Invalid ARPs (Req) on Gi2/18, vlan
>> 20.([0022.5ac1.202a/10.1.1.1/0000.0000.0000/10.0.176.16/17:38:05 AST Sun
>> Jun 12
>> 2011])
>> Which tells me that the message is generated by DAI. NOW......DAI is
>> telling you that the host that sent an APR request on G2/18 which happens
to
>> be in VLAN 20, with an IP address of 10.1.1.1 and a MAC address of
>> "0022.5ac1.202a" was NOT in the DHCP snooping DB, but the actual message
>> came from DAI.
>> If you think the problem is DHCP snooping, just disable DAI and the
>> problem will go away. So it's DAI and not snooping.
>>
>> Maybe a static entry in the snooping DB for this host will fix the problem
>> for you.
>>
>>
>>
>> On Thu, Jun 16, 2011 at 2:31 AM, Sadiq Yakasai
<sadiqtanko_at_gmail.com>wrote:
>>
>>> By default, DAI relies on DHCP Snooping DB for operation. The exception
>>> is when things are statically defined.
>>>
>>> It is therefore errorneous to make statements like "the message has
>>> nothing to do with DHCP Snopping"!
>>>
>>> When DHCP Snooping and DAI are configured on a switch and all operations
>>> occur dynamically, then a host with static IP address connecting to a
port
>>> that is not a DAI trusted port will spew out that message. And this is
>>> because the host's information is not present in the DHCP snooping
binding
>>> table.
>>>
>>> Sadiq
>>>
>>> On Thu, Jun 16, 2011 at 6:36 AM, Narbik Kocharians
<narbikk_at_gmail.com>wrote:
>>>
>>>> I agree with Piotr, the message has nothing to do with DHCP Snopping,
>>>> they
>>>> are generated by "DAI" Dynamic Arp inspection. Do you have DAI
>>>> configured on
>>>> your switches?
>>>> On Wed, Jun 15, 2011 at 7:54 PM, Alexei Monastyrnyi <
>>>> alexeim73_at_gmail.com>wrote:
>>>>
>>>> > You can also try using arp inspection trust on that switch-port with
>>>> static
>>>> > IP.
>>>> >
>>>> > HTH
>>>> > A.
>>>> >
>>>> > On 13 June 2011 01:48, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
>>>> >
>>>> > > Hi,
>>>> > >
>>>> > > This message is generated by DAI feature not DHCP Snooping. It is
>>>> caused
>>>> > by
>>>> > > device connected to port g2/18. Check this out. It seems there is
>>>> someone
>>>> > > connected to that port with static IP address of 10.1.1.1 with MAC
>>>> of
>>>> > > 0022.5ac1.202a so that DHCP Snooping has note registerd it in its
>>>> > database.
>>>> > > If this host is valid in your network and must have static IP
>>>> configured,
>>>> > > then add static binding to the DHCP Snooping database (ip dhcp
>>>> snooping
>>>> > > binding...)
>>>> > >
>>>> > > Regards,
>>>> > > --
>>>> > > Piotr Matusiak
>>>> > > CCIE #19860 (R&S, Security), CCSI #33705
>>>> > > Technical Instructor
>>>> > > website:
www.MicronicsTraining.com<http://www.micronicstraining.com/><
>>>> http://www.micronicstraining.com/> <
>>>> > http://www.micronicstraining.com/> <
>>>> > > http://www.micronicstraining.com/>
>>>> > > blog: www.ccie1.com
>>>> > >
>>>> > > If you can't explain it simply, you don't understand it well enough
>>>> -
>>>> > > Albert Einstein
>>>> > >
>>>> > >
>>>> > > 2011/6/12 <roykhan123_at_hotmail.com>
>>>> > >
>>>> > > > Dear All,
>>>> > > >
>>>> > > > I am facing problem in my network is that i am getting DHCP
>>>> snooping
>>>> > Deny
>>>> > > > log
>>>> > > > messages continue in my switches. I knows that how dhcp snooping
>>>> is
>>>> > > working
>>>> > > > but
>>>> > > > i do not knows why this is appearing in the switch, when there is
>>>> no
>>>> > dhcp
>>>> > > > server connected that ports and every thing is working fine.
>>>> > > >
>>>> > > > %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi2/18, vlan
>>>> > > >
20.([0022.5ac1.202a/10.1.1.1/0000.0000.0000/10.0.176.16/17:38:05AST
>>>> > Sun
>>>> > > > Jun 12
>>>> > > > 2011])
>>>> > > >
>>>> > > > 1. Is this because of Virus. that cause the machine to generate
>>>> this
>>>> > > error.
>>>> > > > I
>>>> > > > saw this problem before there was a virus.
>>>> > > > 2. I dont knows about the servers may be some services is running
>>>> > inside
>>>> > > > the
>>>> > > > server that cause the server to generate this request Or some
>>>> thing
>>>> > else
>>>> > > >
>>>> > > > Note some there is no virus on the machine and still this error is
>>>> > occur
>>>> > > on
>>>> > > > the
>>>> > > > machine... I really do not Why this happening and how i fix this
>>>> issue.
>>>> > > >
>>>> > > > Currently I am getting this message and there is no issue with the
>>>> > > Machine
>>>> > > > it
>>>> > > > self
>>>> > > >
>>>> > > > Port configuration
>>>> > > >
>>>> > > > interface GigabitEthernet2/9
>>>> > > >
>>>> > > > switchport
>>>> > > > switchport access vlan 19
>>>> > > > switchport mode access
>>>> > > > switchport voice vlan 16
>>>> > > > ip arp inspection limit rate 128
>>>> > > > no ip address
>>>> > > > spanning-tree portfast
>>>> > > > spanning-tree bpduguard enable
>>>> > > > end
>>>> > > > !
>>>> > > > ip dhcp snooping
>>>> > > > ip dhcp snooping vlan 19,16
>>>> > > > !
>>>> > > >
>>>> > > > kindly advise
>>>> > > >
>>>> > > > Take care
>>>> > > >
>>>> > > >
>>>> > > > Blogs and organic groups at http://www.ccie.net
>>>> > > >
>>>> > > >
>>>> _______________________________________________________________________
>>>> > > > Subscription information may be found at:
>>>> > > > http://www.groupstudy.com/list/CCIELab.html
>>>> > >
>>>> > >
>>>> > > Blogs and organic groups at http://www.ccie.net
>>>> > >
>>>> > >
>>>> _______________________________________________________________________
>>>> > > Subscription information may be found at:
>>>> > > http://www.groupstudy.com/list/CCIELab.html
>>>> >
>>>> >
>>>> > Blogs and organic groups at http://www.ccie.net
>>>> >
>>>> >
>>>> _______________________________________________________________________
>>>> > Subscription information may be found at:
>>>> > http://www.groupstudy.com/list/CCIELab.html
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>> >
>>>>
>>>>
>>>> --
>>>> *Narbik Kocharians
>>>> *CCSI#30832, CCIE# 12410 (R&S, SP, Security)
>>>> www.MicronicsTraining.com <http://www.micronicstraining.com/> <
>>>> http://www.micronicstraining.com/>
>>>> Sr. Technical Instructor
>>>> *Ask about our FREE Lab Voucher with our Boot Camps*
>>>> YES! We take Cisco Learning Credits!
>>>> Training & Remote Racks available
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> CCIEx2 (R&S|Sec) #19963
>>>
>>
>>
>>
>> --
>> *Narbik Kocharians
>> *CCSI#30832, CCIE# 12410 (R&S, SP, Security)
>> www.MicronicsTraining.com <http://www.micronicstraining.com/>
>> Sr. Technical Instructor
>> *Ask about our FREE Lab Voucher with our Boot Camps*
>> YES! We take Cisco Learning Credits!
>> Training & Remote Racks available
>>
>>
>
>
> --
> CCIEx2 (R&S|Sec) #19963
>
--
*Narbik Kocharians
*CCSI#30832, CCIE# 12410 (R&S, SP, Security)
www.MicronicsTraining.com <http://www.micronicstraining.com/>
Sr. Technical Instructor
*Ask about our FREE Lab Voucher with our Boot Camps*
YES! We take Cisco Learning Credits!
Training & Remote Racks available
Blogs and organic groups at http://www.ccie.net
Received on Thu Jun 16 2011 - 09:25:43 ART