Then I have just misread your mind for which I owe you an apology :-)
A.
On 6/17/2011 11:46 AM, Narbik Kocharians wrote:
> MATE,
> *I was looking at the symptoms (the error message that roykhan123
> posted) and the last thing that was going through my mind was that
> command. I guess I did not even think about it, because if it was
> configured, you would not see the error message.*
> Cheers
> N.
>
>
> On Thu, Jun 16, 2011 at 6:29 PM, Alexei Monastyrnyi
> <alexeim73_at_gmail.com> wrote:
>
>     Mate,
>     are you sure about "there is no such thing as "DAI trusted port""?
>
>     Please check it out. I reckon I may have misinterpreted your mail
>     on that matter.
>
>     http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_sea/command/reference/cli1.html#wp4287676
>
>     Also here is some output from my customer production network
>
>     c35as01#sh run in gi 0/42
>     Building configuration...
>     Current configuration : 513 bytes
>     !
>     interface GigabitEthernet0/42
>     description abc
>     switchport access vlan xyz
>     switchport mode access
>     switchport port-security
>     switchport port-security violation restrict
>     ip arp inspection trust
>     no logging event link-status
>     load-interval 30
>     srr-queue bandwidth share 5 15 30 50
>     priority-queue out
>     mls qos vlan-based
>     no snmp trap link-status
>     storm-control broadcast level 10.00
>     no cdp enable
>     spanning-tree portfast
>     spanning-tree bpduguard enable
>     spanning-tree guard root
>     end
>     c35as01#sh ip arp inspection ?
>       interfaces  Interface status
>       log         Log Buffer
>       statistics  Packet statistics on DAI configured vlans
>       vlan        Selected vlan range
>       |           Output modifiers
>     <cr>
>     c35as01#sh ip arp inspection in gi 0/42
>     Interface        Trust State     Rate (pps)    Burst Interval
>     ---------------  -----------     ----------    --------------
>     Gi0/42           Trusted               None               N/A
>
>
>     Cheers
>     A.
>
>     On 6/17/2011 1:26 AM, Narbik Kocharians wrote:
>>     Sadiq,
>>     It is NOT, I totally disagree with that. First of all there is no
>>     such thing as "DAI trusted port", you can have a snooping trusted
>>     port BUT not DAI trusted port. The first thing you want to do
>>     when troubleshooting is to see where the message came from, which
>>     feature generated the message, so you can understand the problem.
>>     Secondly, if you see the message he posted you will see that the
>>     error is coming from DAI:
>>     %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi2/18, vlan
>>     20.([0022.5ac1.202a/10.1.1.1/0000.0000.0000/10.0.176.16/17:38:05
>>     AST Sun Jun 12 2011])
>>     Which tells me that the message is generated by DAI. NOW......DAI
>>     is telling you that the host that sent an ARP request on G2/18
>>     which happens to be in VLAN 20, with an IP address of 10.1.1.1
>>     and a MAC address of "0022.5ac1.202a" was NOT in the DHCP
>>     snooping DB, but the actual message came from DAI.
>>     If you think the problem is DHCP snooping, just disable DAI and
>>     the problem will go away. So it's DAI and not snooping.
>>     Maybe a static entry in the snooping DB for this host will fix
>>     the problem for you.
>>     On Thu, Jun 16, 2011 at 2:31 AM, Sadiq Yakasai
>>     <sadiqtanko_at_gmail.com> wrote:
>>
>>         By default, DAI relies on DHCP Snooping DB for operation. The
>>         exception is when things are statically defined.
>>
>>         It is therefore erroneous to make statements like "the
>>         message has nothing to do with DHCP Snooping"!
>>
>>         When DHCP Snooping and DAI are configured on a switch and all
>>         operations occur dynamically, then a host with static IP
>>         address connecting to a port that is not a DAI trusted port
>>         will spew out that message. And this is because the host's
>>         information is not present in the DHCP snooping binding table.
>>
>>         Sadiq
>>
>>         On Thu, Jun 16, 2011 at 6:36 AM, Narbik Kocharians
>>         <narbikk_at_gmail.com> wrote:
>>
>>             I agree with Piotr, the message has nothing to do with
>>             DHCP Snooping, they are generated by "DAI" Dynamic ARP
>>             Inspection. Do you have DAI configured on your switches?
>>             On Wed, Jun 15, 2011 at 7:54 PM, Alexei Monastyrnyi
>>             <alexeim73_at_gmail.com> wrote:
>>
>>             > You can also try using arp inspection trust on that
>>             > switch-port with static IP.
>>             >
>>             > HTH
>>             > A.
>>             >
>>             > On 13 June 2011 01:48, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
>>             >
>>             > > Hi,
>>             > >
>>             > > This message is generated by DAI feature not DHCP
>>             > > Snooping. It is caused by device connected to port
>>             > > g2/18. Check this out. It seems there is someone
>>             > > connected to that port with static IP address of
>>             > > 10.1.1.1 with MAC of 0022.5ac1.202a so that DHCP
>>             > > Snooping has not registered it in its database.
>>             > > If this host is valid in your network and must have
>>             > > static IP configured, then add static binding to the
>>             > > DHCP Snooping database (ip dhcp snooping binding...)
>>             > >
>>             > > Regards,
>>             > > --
>>             > > Piotr Matusiak
>>             > > CCIE #19860 (R&S, Security), CCSI #33705
>>             > > Technical Instructor
>>             > > website: www.MicronicsTraining.com
>>             > > blog: www.ccie1.com
>>             > >
>>             > > If you can't explain it simply, you don't understand
>>             > > it well enough - Albert Einstein
>>             > >
>>             > >
>>             > > 2011/6/12 <roykhan123_at_hotmail.com>
>>             > >
>>             > > > Dear All,
>>             > > >
>>             > > > I am facing a problem in my network: I am getting
>>             > > > DHCP snooping Deny log messages continuously in my
>>             > > > switches. I know how DHCP snooping works, but I do
>>             > > > not know why this is appearing in the switch, when
>>             > > > there is no DHCP server connected to those ports and
>>             > > > everything is working fine.
>>             > > >
>>             > > > %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi2/18, vlan
>>             > > > 20.([0022.5ac1.202a/10.1.1.1/0000.0000.0000/10.0.176.16/17:38:05 AST
>>             > > > Sun Jun 12 2011])
>>             > > >
>>             > > > 1. Is this because of a virus that causes the machine
>>             > > > to generate this error? I saw this problem before,
>>             > > > there was a virus.
>>             > > > 2. I don't know about the servers; maybe some service
>>             > > > is running inside the server that causes the server
>>             > > > to generate this request, or something else.
>>             > > >
>>             > > > Note some there is no virus on the machine and still
>>             > > > this error occurs on the machine... I really do not
>>             > > > know why this is happening and how I fix this issue.
>>             > > >
>>             > > > Currently I am getting this message and there is no
>>             > > > issue with the machine itself.
>>             > > >
>>             > > > Port configuration
>>             > > >
>>             > > > interface GigabitEthernet2/9
>>             > > >
>>             > > >  switchport
>>             > > >  switchport access vlan 19
>>             > > >  switchport mode access
>>             > > >  switchport voice vlan 16
>>             > > >  ip arp inspection limit rate 128
>>             > > >  no ip address
>>             > > >  spanning-tree portfast
>>             > > >  spanning-tree bpduguard enable
>>             > > > end
>>             > > > !
>>             > > > ip dhcp snooping
>>             > > > ip dhcp snooping vlan 19,16
>>             > > > !
>>             > > >
>>             > > > kindly advise
>>             > > >
>>             > > > Take care
>>             > > >
>>             > > >
>>             > > > Blogs and organic groups at http://www.ccie.net
>>             <http://www.ccie.net/>
>>             > > >
>>             > > >
>>             _______________________________________________________________________
>>             > > > Subscription information may be found at:
>>             > > > http://www.groupstudy.com/list/CCIELab.html
>>
>>
>>             --
>>             *Narbik Kocharians
>>             *CCSI#30832, CCIE# 12410 (R&S, SP, Security)
>>             www.MicronicsTraining.com
>>             Sr. Technical Instructor
>>             *Ask about our FREE Lab Voucher with our Boot Camps*
>>             YES! We take Cisco Learning Credits!
>>             Training & Remote Racks available
>>
>>         -- 
>>         CCIEx2 (R&S|Sec) #19963
>>
>>
>>
>>
>>     -- 
>>     *Narbik Kocharians
>>     *CCSI#30832, CCIE# 12410 (R&S, SP, Security)
>>     www.MicronicsTraining.com
>>     Sr. Technical Instructor
>>
>
>
>
> -- 
> *Narbik Kocharians
> *CCSI#30832, CCIE# 12410 (R&S, SP, Security)
> www.MicronicsTraining.com
> Sr. Technical Instructor
Received on Fri Jun 17 2011 - 12:35:59 ART
This archive was generated by hypermail 2.2.0 : Fri Jul 01 2011 - 06:24:28 ART
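
The triage discussed in the thread, as an added Python example (not part of the original messages): it parses the `%SW_DAI-4-DHCP_SNOOPING_DENY` line and checks the ARP sender against a binding table and a trusted-port list. The field order follows how the replies read the message (sender MAC/sender IP/target MAC/target IP/time); the function names, result labels and the inventory data are assumptions made for this example.

```python
import re

# Layout of the deny message quoted in the thread:
# ... on <port>, vlan <id>.([sender MAC/sender IP/target MAC/target IP/time])
DAI_DENY = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<kind>\w+)\) "
    r"on (?P<port>\S+), vlan (?P<vlan>\d+)\.\(\[(?P<smac>[0-9a-fA-F.]+)/(?P<sip>[\d.]+)/"
    r"(?P<tmac>[0-9a-fA-F.]+)/(?P<tip>[\d.]+)/(?P<when>[^\]]+)\]\)"
)

def parse_dai_deny(line):
    """Return the fields of one DAI deny message, or None for any other line."""
    m = DAI_DENY.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["count"], ev["vlan"] = int(ev["count"]), int(ev["vlan"])
    ev["smac"] = ev["smac"].lower()
    return ev

def triage(ev, bindings, trusted_ports):
    """Classify a deny event against (mac, ip, vlan, port) binding tuples."""
    if ev["port"] in trusted_ports:
        return "trusted-port"      # should not be logged: the port inventory is stale
    sender = (ev["smac"], ev["sip"], ev["vlan"], ev["port"])
    if sender in bindings:
        return "binding-present"   # a binding was added after the event
    if any(b[0] == ev["smac"] or (b[1] == ev["sip"] and b[2] == ev["vlan"])
           for b in bindings):
        return "binding-mismatch"  # MAC or IP is bound elsewhere: investigate first
    return "no-binding"            # the static-IP host case from the thread

# The message from the thread, joined onto one line.
THREAD_LINE = ("%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi2/18, vlan 20."
               "([0022.5ac1.202a/10.1.1.1/0000.0000.0000/10.0.176.16/"
               "17:38:05 AST Sun Jun 12 2011])")
# Constructed inventory (not from the thread): one DHCP-learned host, one trusted uplink.
BINDINGS = {("0011.2233.4455", "10.0.176.16", 20, "Gi2/5")}
TRUSTED = {"Gi1/1"}

if __name__ == "__main__":
    ev = parse_dai_deny(THREAD_LINE)
    print(ev["port"], ev["vlan"], ev["smac"], ev["sip"], "->",
          triage(ev, BINDINGS, TRUSTED))
```

A `no-binding` result matches the two remedies proposed in the thread (a static snooping binding or `ip arp inspection trust` on the port); `binding-mismatch` is the case to look into before applying either.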