Mate,
I was looking at the symptoms (the error message that roykhan123 posted)
and the last thing that was going through my mind was that command. I guess
I did not even think about it, because if it was configured, you would not
see the error message.
Cheers
N.
On Thu, Jun 16, 2011 at 6:29 PM, Alexei Monastyrnyi <alexeim73_at_gmail.com> wrote:
> Mate,
> are you sure about "there is no such thing as "DAI trusted port""?
>
> Please check it out. I reckon I may have misinterpreted your mail on that
> matter.
>
>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_sea/command/reference/cli1.html#wp4287676
>
> Also here is some output from my customer production network
>
> c35as01#sh run in gi 0/42
> Building configuration...
>
> Current configuration : 513 bytes
> !
> interface GigabitEthernet0/42
>  description abc
>  switchport access vlan xyz
>  switchport mode access
>  switchport port-security
>  switchport port-security violation restrict
>  ip arp inspection trust
>  no logging event link-status
>  load-interval 30
>  srr-queue bandwidth share 5 15 30 50
>  priority-queue out
>  mls qos vlan-based
>  no snmp trap link-status
>  storm-control broadcast level 10.00
>  no cdp enable
>  spanning-tree portfast
>  spanning-tree bpduguard enable
>  spanning-tree guard root
> end
>
> c35as01#sh ip arp inspection ?
>   interfaces  Interface status
>   log         Log Buffer
>   statistics  Packet statistics on DAI configured vlans
>   vlan        Selected vlan range
>   |           Output modifiers
>   <cr>
>
> c35as01#sh ip arp inspection in gi 0/42
>
>  Interface        Trust State     Rate (pps)    Burst Interval
>  ---------------  -----------     ----------    --------------
>  Gi0/42           Trusted               None               N/A
>
>
> Cheers
> A.
>
> On 6/17/2011 1:26 AM, Narbik Kocharians wrote:
>
> Sadiq,
>
> It is NOT, I totally disagree with that. First of all there is no such
> thing as "DAI trusted port", you can have a snooping trusted port BUT not
> DAI trusted port. The first thing you want to do when troubleshooting is to
> see where the message came from, which feature generated the message, so you
> can understand the problem.
>
> Secondly, if you see the message he posted you will see that the error is
> coming from DAI:
>
> *%SW_DAI-4-DHCP_SNOOPING*_DENY: 1 Invalid ARPs (Req) on Gi2/18, vlan
> 20.([0022.5ac1.202a/10.1.1.1/0000.0000.0000/10.0.176.16/17:38:05 AST Sun
> Jun 12
> 2011])
> Which tells me that the message is generated by DAI. NOW......DAI is
> telling you that the host that sent an ARP request on G2/18 which happens to
> be in VLAN 20, with an IP address of 10.1.1.1 and a MAC address of
> "0022.5ac1.202a" was NOT in the DHCP snooping DB, but the actual message
> came from DAI.
> If you think the problem is DHCP snooping, just disable DAI and the problem
> will go away. So it's DAI and not snooping.
>
> Maybe a static entry in the snooping DB for this host will fix the problem
> for you.
>
>
>
> On Thu, Jun 16, 2011 at 2:31 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com> wrote:
>
>> By default, DAI relies on DHCP Snooping DB for operation. The exception is
>> when things are statically defined.
>>
>> It is therefore erroneous to make statements like "the message has
>> nothing to do with DHCP Snooping"!
>>
>> When DHCP Snooping and DAI are configured on a switch and all operations
>> occur dynamically, then a host with static IP address connecting to a port
>> that is not a DAI trusted port will spew out that message. And this is
>> because the host's information is not present in the DHCP snooping binding
>> table.
>>
>> Sadiq
>>
>> On Thu, Jun 16, 2011 at 6:36 AM, Narbik Kocharians <narbikk_at_gmail.com> wrote:
>>
>>> I agree with Piotr, the message has nothing to do with DHCP Snooping,
>>> they are generated by "DAI" Dynamic ARP Inspection. Do you have DAI
>>> configured on your switches?
>>> On Wed, Jun 15, 2011 at 7:54 PM, Alexei Monastyrnyi <alexeim73_at_gmail.com> wrote:
>>>
>>> > You can also try using arp inspection trust on that switch-port with
>>> > static IP.
>>> >
>>> > HTH
>>> > A.
>>> >
>>> > On 13 June 2011 01:48, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
>>> >
>>> > > Hi,
>>> > >
>>> > > This message is generated by DAI feature not DHCP Snooping. It is
>>> > > caused by device connected to port g2/18. Check this out. It seems
>>> > > there is someone connected to that port with static IP address of
>>> > > 10.1.1.1 with MAC of 0022.5ac1.202a so that DHCP Snooping has not
>>> > > registered it in its database.
>>> > > If this host is valid in your network and must have static IP
>>> > > configured, then add static binding to the DHCP Snooping database
>>> > > (ip dhcp snooping binding...)
>>> > >
>>> > > Regards,
>>> > > --
>>> > > Piotr Matusiak
>>> > > CCIE #19860 (R&S, Security), CCSI #33705
>>> > > Technical Instructor
>>> > > website: www.MicronicsTraining.com <http://www.micronicstraining.com/>
>>> > > blog: www.ccie1.com
>>> > >
>>> > > If you can't explain it simply, you don't understand it well enough -
>>> > > Albert Einstein
>>> > >
>>> > >
>>> > > 2011/6/12 <roykhan123_at_hotmail.com>
>>> > >
>>> > > > Dear All,
>>> > > >
>>> > > > I am facing a problem in my network: I am getting DHCP snooping
>>> > > > Deny log messages continuously in my switches. I know how DHCP
>>> > > > snooping works, but I do not know why this is appearing in the
>>> > > > switch when there is no DHCP server connected to those ports and
>>> > > > everything is working fine.
>>> > > >
>>> > > > %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi2/18, vlan
>>> > > > 20.([0022.5ac1.202a/10.1.1.1/0000.0000.0000/10.0.176.16/17:38:05 AST Sun Jun 12 2011])
>>> > > >
>>> > > > 1. Is this because of a virus that causes the machine to generate
>>> > > > this error? I saw this problem before there was a virus.
>>> > > > 2. I don't know about the servers; maybe some service is running
>>> > > > inside the server that causes the server to generate this request,
>>> > > > or something else.
>>> > > >
>>> > > > Note some there is no virus on the machine and still this error
>>> > > > occurs on the machine... I really do not know why this is happening
>>> > > > and how I fix this issue.
>>> > > >
>>> > > > Currently I am getting this message and there is no issue with the
>>> > > > machine itself.
>>> > > > Port configuration
>>> > > >
>>> > > > interface GigabitEthernet2/9
>>> > > >
>>> > > > switchport
>>> > > > switchport access vlan 19
>>> > > > switchport mode access
>>> > > > switchport voice vlan 16
>>> > > > ip arp inspection limit rate 128
>>> > > > no ip address
>>> > > > spanning-tree portfast
>>> > > > spanning-tree bpduguard enable
>>> > > > end
>>> > > > !
>>> > > > ip dhcp snooping
>>> > > > ip dhcp snooping vlan 19,16
>>> > > > !
>>> > > >
>>> > > > kindly advise
>>> > > >
>>> > > > Take care
>>> > > >
>>> > > >
>>> > > > Blogs and organic groups at http://www.ccie.net
>>> > > >
>>> > > >
>>> _______________________________________________________________________
>>> > > > Subscription information may be found at:
>>> > > > http://www.groupstudy.com/list/CCIELab.html
>>>
>>>
>>> --
>>> *Narbik Kocharians*
>>> CCSI#30832, CCIE# 12410 (R&S, SP, Security)
>>> www.MicronicsTraining.com <http://www.micronicstraining.com/>
>>> Sr. Technical Instructor
>>> *Ask about our FREE Lab Voucher with our Boot Camps*
>>> YES! We take Cisco Learning Credits!
>>> Training & Remote Racks available
>>>
>>
>>
>> --
>> CCIEx2 (R&S|Sec) #19963
>>
>
Received on Thu Jun 16 2011 - 18:46:35 ART
This archive was generated by hypermail 2.2.0 : Fri Jul 01 2011 - 06:24:28 ART
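
Added example, not part of the original thread and not Cisco code: a Python parser for the `%SW_DAI-4-DHCP_SNOOPING_DENY` line quoted above, plus a simplified model of the permit/deny decision the thread debates (static snooping binding versus `ip arp inspection trust` on the port). The function names and the binding tuple layout (MAC, IP, VLAN, port) are assumptions made for illustration; ARP ACLs are not modelled.

```python
import re

# Log line copied from the thread, unwrapped onto one line.
SAMPLE = ("%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi2/18, vlan 20."
          "([0022.5ac1.202a/10.1.1.1/0000.0000.0000/10.0.176.16/"
          "17:38:05 AST Sun Jun 12 2011])")

# Bracketed fields: sender MAC / sender IP / target MAC / target IP / timestamp.
DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<op>Req|Res)\) "
    r"on (?P<port>\S+), vlan (?P<vlan>\d+)\.\(\[(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/"
    r"(?P<tmac>[0-9a-f.]+)/(?P<tip>[\d.]+)/(?P<time>[^\]]+)\]\)")

def parse_deny(line):
    """Return the fields of a DAI deny message as a dict, or None if no match."""
    m = DENY_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    f["count"], f["vlan"] = int(f["count"]), int(f["vlan"])
    return f

def dai_verdict(arp, bindings, trusted_ports=frozenset()):
    """Simplified DAI decision for one ARP packet on an inspected VLAN."""
    if arp["port"] in trusted_ports:
        return "permit: port is 'ip arp inspection trust'"
    key = (arp["smac"], arp["sip"], arp["vlan"], arp["port"])
    if key in bindings:
        return "permit: sender matches a snooping binding"
    return "deny: no snooping binding for sender"

def explain(line, bindings, trusted_ports=frozenset()):
    """Parse a deny message and re-evaluate it against the given state."""
    arp = parse_deny(line)
    if arp is None:
        raise ValueError("not a SW_DAI DHCP_SNOOPING_DENY message")
    return arp, dai_verdict(arp, bindings, trusted_ports)

if __name__ == "__main__":
    arp, verdict = explain(SAMPLE, bindings=set())
    print(arp["port"], arp["vlan"], arp["smac"], arp["sip"], "->", verdict)
    # Constructed state: the static binding suggested in the thread.
    static = {("0022.5ac1.202a", "10.1.1.1", 20, "Gi2/18")}
    print(explain(SAMPLE, static)[1])
    # Constructed state: the port marked as trusted instead.
    print(explain(SAMPLE, set(), {"Gi2/18"})[1])
```
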