Mate,
are you sure about "there is no such thing as "DAI trusted port""?
Please check it out. I reckon I may have misinterpreted your mail on
that matter.
Also, here is some output from my customer's production network:
c35as01#sh run in gi 0/42
Building configuration...
Current configuration : 513 bytes
!
interface GigabitEthernet0/42
description abc
switchport access vlan xyz
switchport mode access
switchport port-security
switchport port-security violation restrict
ip arp inspection trust
no logging event link-status
load-interval 30
srr-queue bandwidth share 5 15 30 50
priority-queue out
mls qos vlan-based
no snmp trap link-status
storm-control broadcast level 10.00
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
spanning-tree guard root
end
c35as01#sh ip arp inspection ?
interfaces Interface status
log Log Buffer
statistics Packet statistics on DAI configured vlans
vlan Selected vlan range
| Output modifiers
<cr>
c35as01#sh ip arp inspection in gi 0/42
Interface        Trust State     Rate (pps)    Burst Interval
---------------  -----------     ----------    --------------
Gi0/42           Trusted               None               N/A
Cheers
A.
On 6/17/2011 1:26 AM, Narbik Kocharians wrote:
> Sadiq,
> It is NOT, I totally disagree with that. First of all there is no such
> thing as "DAI trusted port", you can have a snooping trusted port BUT
> not DAI trusted port. The first thing you want to do when
> troubleshooting is to see where the message came from, i.e. which feature
> generated the message, so you can understand the problem.
> Secondly, if you see the message he posted you will see that the error
> is coming from DAI:
> %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi2/18, vlan
> 20.([0022.5ac1.202a/10.1.1.1/0000.0000.0000/10.0.176.16/17:38:05 AST Sun
> Jun 12 2011])
> Which tells me that the message is generated by DAI. NOW......DAI is
> telling you that the host that sent an ARP request on G2/18 which
> happens to be in VLAN 20, with an IP address of 10.1.1.1 and a MAC
> address of "0022.5ac1.202a" was NOT in the DHCP snooping DB, but the
> actual message came from DAI.
> If you think the problem is DHCP snooping, just disable DAI and the
> problem will go away. So it's DAI and not snooping.
> Maybe a static entry in the snooping DB for this host will fix the
> problem for you.
> On Thu, Jun 16, 2011 at 2:31 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>
> By default, DAI relies on DHCP Snooping DB for operation. The
> exception is when things are statically defined.
>
> It is therefore erroneous to make statements like "the message
> has nothing to do with DHCP Snooping"!
>
> When DHCP Snooping and DAI are configured on a switch and all
> operations occur dynamically, then a host with static IP address
> connecting to a port that is not a DAI trusted port will spew out
> that message. And this is because the host's information is not
> present in the DHCP snooping binding table.
>
> Sadiq
>
> On Thu, Jun 16, 2011 at 6:36 AM, Narbik Kocharians <narbikk_at_gmail.com> wrote:
>
> I agree with Piotr, the message has nothing to do with DHCP
> Snooping, they are generated by "DAI" Dynamic Arp inspection. Do you have DAI
> configured on your switches?
> On Wed, Jun 15, 2011 at 7:54 PM, Alexei Monastyrnyi <alexeim73_at_gmail.com> wrote:
>
> > You can also try using arp inspection trust on that
> > switch-port with static IP.
> >
> > HTH
> > A.
> >
> > On 13 June 2011 01:48, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
> >
> > > Hi,
> > >
> > > This message is generated by DAI feature not DHCP
> > > Snooping. It is caused by device connected to port g2/18. Check this out.
> > > It seems there is someone connected to that port with static IP address
> > > of 10.1.1.1 with MAC of 0022.5ac1.202a so that DHCP Snooping has not
> > > registered it in its database.
> > > If this host is valid in your network and must have static IP configured,
> > > then add static binding to the DHCP Snooping database (ip dhcp snooping
> > > binding...)
> > >
> > > Regards,
> > > --
> > > Piotr Matusiak
> > > CCIE #19860 (R&S, Security), CCSI #33705
> > > Technical Instructor
> > > website: www.MicronicsTraining.com
> > > blog: www.ccie1.com
> > >
> > > If you can't explain it simply, you don't understand it
> well enough -
> > > Albert Einstein
> > >
> > >
> > > 2011/6/12 <roykhan123_at_hotmail.com>
> > >
> > > > Dear All,
> > > >
> > > > I am facing a problem in my network: I am getting DHCP snooping
> > > > Deny log messages continuously in my switches. I know how DHCP
> > > > snooping works, but I do not know why this is appearing in the
> > > > switch, when there is no DHCP server connected to those ports and
> > > > everything is working fine.
> > > >
> > > > %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi2/18, vlan
> > > > 20.([0022.5ac1.202a/10.1.1.1/0000.0000.0000/10.0.176.16/17:38:05 AST Sun
> > > > Jun 12 2011])
> > > >
> > > > 1. Is this because of a virus that causes the machine to generate
> > > > this error? I saw this problem before when there was a virus.
> > > > 2. I don't know about the servers; maybe some service is running
> > > > inside the server that causes the server to generate this request,
> > > > or something else.
> > > >
> > > > Note: there is no virus on the machine and still this error occurs
> > > > on the machine... I really do not know why this is happening and
> > > > how I fix this issue.
> > > >
> > > > Currently I am getting this message and there is no issue with the
> > > > machine itself.
> > > >
> > > > Port configuration
> > > >
> > > > interface GigabitEthernet2/9
> > > >
> > > > switchport
> > > > switchport access vlan 19
> > > > switchport mode access
> > > > switchport voice vlan 16
> > > > ip arp inspection limit rate 128
> > > > no ip address
> > > > spanning-tree portfast
> > > > spanning-tree bpduguard enable
> > > > end
> > > > !
> > > > ip dhcp snooping
> > > > ip dhcp snooping vlan 19,16
> > > > !
> > > >
> > > > kindly advise
> > > >
> > > > Take care
> > > >
> > > >
> > > > Blogs and organic groups at http://www.ccie.net
> > > >
> > > >
> _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
>
> --
> Narbik Kocharians
> CCSI#30832, CCIE# 12410 (R&S, SP, Security)
> www.MicronicsTraining.com
> Sr. Technical Instructor
> Ask about our FREE Lab Voucher with our Boot Camps
> YES! We take Cisco Learning Credits!
> Training & Remote Racks available
>
> --
> CCIEx2 (R&S|Sec) #19963
>
> --
> Narbik Kocharians
> CCSI#30832, CCIE# 12410 (R&S, SP, Security)
> www.MicronicsTraining.com
> Sr. Technical Instructor
> Ask about our FREE Lab Voucher with our Boot Camps
> YES! We take Cisco Learning Credits!
> Training & Remote Racks available
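The deny message quoted throughout this thread, parsed and run through the DAI decision the replies describe (ARP on a trusted port is not inspected; on an untrusted port the sender must match a DHCP snooping binding, dynamic or static), as an added Python example that is not part of the thread. The sample line, the trusted-interface set and the binding table are constructed for the demonstration and are not taken from any poster's network.

```python
import re
from dataclasses import dataclass

# Constructed sample line in the same format as the message quoted in the thread.
SAMPLE_LOG = ("%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi2/18, vlan "
              "20.([0022.5ac1.202a/10.1.1.1/0000.0000.0000/10.0.176.16/"
              "17:38:05 AST Sun Jun 12 2011])")

# Bracketed fields: sender MAC / sender IP / target MAC / target IP / timestamp
DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<op>\w+)\) on "
    r"(?P<iface>\S+), vlan (?P<vlan>\d+)\.\(\["
    r"(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/(?P<tmac>[0-9a-f.]+)/(?P<tip>[\d.]+)/"
    r"(?P<when>[^\]]+)\]\)")


@dataclass(frozen=True)
class DaiDeny:
    count: int
    op: str          # "Req" or "Res"
    iface: str       # short form as logged, e.g. "Gi2/18"
    vlan: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str
    when: str


def short_ifname(name):
    """Normalise 'GigabitEthernet2/18' or 'gi 2/18' to the 'Gi2/18' form the log uses."""
    m = re.match(r"([A-Za-z]{2})[A-Za-z]*\s*(\S+)", name.strip())
    return f"{m.group(1).capitalize()}{m.group(2)}" if m else name


def parse_dai_deny(line):
    """Return a DaiDeny for a %SW_DAI-4-DHCP_SNOOPING_DENY line, else None."""
    m = DENY_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return DaiDeny(int(g["count"]), g["op"], g["iface"], int(g["vlan"]),
                   g["smac"], g["sip"], g["tmac"], g["tip"], g["when"].strip())


def dai_verdict(ev, trusted_ifaces, bindings):
    """Mirror the decision the thread describes: ARP on a trusted port is not
    inspected; on an untrusted port the sender (MAC, IP, VLAN) must match a
    DHCP snooping binding (dynamic or static), otherwise DAI drops and logs it."""
    if ev.iface in {short_ifname(i) for i in trusted_ifaces}:
        return "permit: trusted port, not inspected"
    if (ev.sender_mac, ev.sender_ip, ev.vlan) in bindings:
        return "permit: sender matches a snooping binding"
    return "deny: sender has no snooping binding"
```

Feeding the parsed event an empty binding table reproduces the deny; adding a static binding for (0022.5ac1.202a, 10.1.1.1, VLAN 20) or listing the port as trusted turns it into a permit, which is the two fixes the thread proposes.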
Received on Fri Jun 17 2011 - 11:29:30 ART
This archive was generated by hypermail 2.2.0 : Fri Jul 01 2011 - 06:24:28 ART