Hey it can happen to the BEST of us, I should have thought a little deeper
before posting what I posted.
hahahahahaha
I guess after 80 you begin to forget some of the commands.
On Thu, Jun 16, 2011 at 7:35 PM, Alexei Monastyrnyi <alexeim73_at_gmail.com> wrote:
> Then I have just misread your mind for which I owe you an apology :-)
>
> A.
>
>
> On 6/17/2011 11:46 AM, Narbik Kocharians wrote:
>
> MATE,
>
> *I was looking at the symptoms (the error message that roykhan123 posted)
> and the last thing that was going through my mind was that command. I guess
> I did not even think about it, because if it was configured, you would not
> see the error message.*
>
> Cheers
> N.
>
>
>
> On Thu, Jun 16, 2011 at 6:29 PM, Alexei Monastyrnyi <alexeim73_at_gmail.com>wrote:
>
>> Mate,
>> are you sure about "there is no such thing as "DAI trusted port""?
>>
>> Please check it out. I reckon I may have misinterpreted your mail on that
>> matter.
>>
>>
>> http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_sea/command/reference/cli1.html#wp4287676
>>
>> Also here is some output from my customer production network
>>
>> c35as01#sh run in gi 0/42
>> Building configuration...
>>
>> Current configuration : 513 bytes
>> !
>> interface GigabitEthernet0/42
>>  description abc
>>  switchport access vlan xyz
>>  switchport mode access
>>  switchport port-security
>>  switchport port-security violation restrict
>>  ip arp inspection trust
>>  no logging event link-status
>>  load-interval 30
>>  srr-queue bandwidth share 5 15 30 50
>>  priority-queue out
>>  mls qos vlan-based
>>  no snmp trap link-status
>>  storm-control broadcast level 10.00
>>  no cdp enable
>>  spanning-tree portfast
>>  spanning-tree bpduguard enable
>>  spanning-tree guard root
>> end
>>
>> c35as01#sh ip arp inspection ?
>>   interfaces  Interface status
>>   log         Log Buffer
>>   statistics  Packet statistics on DAI configured vlans
>>   vlan        Selected vlan range
>>   |           Output modifiers
>>   <cr>
>>
>> c35as01#sh ip arp inspection in gi 0/42
>>
>>  Interface        Trust State     Rate (pps)    Burst Interval
>>  ---------------  -----------     ----------    --------------
>>  Gi0/42           Trusted               None               N/A
>>
>>
>> Cheers
>> A.
>>
>> On 6/17/2011 1:26 AM, Narbik Kocharians wrote:
>>
>> Sadiq,
>>
>> It is NOT, I totally disagree with that. First of all there is no such
>> thing as "DAI trusted port", you can have a snooping trusted port BUT not
>> DAI trusted port. The first thing you want to do when troubleshooting is to
>> see where the message came from, which feature generated the message, so you
>> can understand the problem.
>>
>> Secondly, if you see the message he posted you will see that the error is
>> coming from DAI:
>>
>> *%SW_DAI-4-DHCP_SNOOPING*_DENY: 1 Invalid ARPs (Req) on Gi2/18, vlan
>> 20.([0022.5ac1.202a/10.1.1.1/0000.0000.0000/10.0.176.16/17:38:05 AST Sun
>> Jun 12
>> 2011])
>> Which tells me that the message is generated by DAI. NOW......DAI is
>> telling you that the host that sent an ARP request on G2/18, which happens to
>> be in VLAN 20, with an IP address of 10.1.1.1 and a MAC address of
>> "0022.5ac1.202a" was NOT in the DHCP snooping DB, but the actual message
>> came from DAI.
>> If you think the problem is DHCP snooping, just disable DAI and the
>> problem will go away. So it's DAI and not snooping.
>>
>> Maybe a static entry in the snooping DB for this host will fix the problem
>> for you.
>>
>>
>>
>> On Thu, Jun 16, 2011 at 2:31 AM, Sadiq Yakasai <sadiqtanko_at_gmail.com>wrote:
>>
>>> By default, DAI relies on DHCP Snooping DB for operation. The exception
>>> is when things are statically defined.
>>>
>>> It is therefore erroneous to make statements like "the message has
>>> nothing to do with DHCP Snooping"!
>>>
>>> When DHCP Snooping and DAI are configured on a switch and all operations
>>> occur dynamically, then a host with static IP address connecting to a port
>>> that is not a DAI trusted port will spew out that message. And this is
>>> because the host's information is not present in the DHCP snooping binding
>>> table.
>>>
>>> Sadiq
>>>
>>> On Thu, Jun 16, 2011 at 6:36 AM, Narbik Kocharians <narbikk_at_gmail.com>wrote:
>>>
>>>> I agree with Piotr, the message has nothing to do with DHCP Snooping,
>>>> it is generated by "DAI", Dynamic ARP Inspection. Do you have DAI
>>>> configured on your switches?
>>>>
>>>> On Wed, Jun 15, 2011 at 7:54 PM, Alexei Monastyrnyi <alexeim73_at_gmail.com> wrote:
>>>>
>>>> > You can also try using arp inspection trust on that switch-port with
>>>> > static IP.
>>>> >
>>>> > HTH
>>>> > A.
>>>> >
>>>> > On 13 June 2011 01:48, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
>>>> >
>>>> > > Hi,
>>>> > >
>>>> > > This message is generated by the DAI feature, not DHCP Snooping. It is
>>>> > > caused by the device connected to port g2/18. Check this out. It seems
>>>> > > there is someone connected to that port with a static IP address of
>>>> > > 10.1.1.1 with a MAC of 0022.5ac1.202a, so that DHCP Snooping has not
>>>> > > registered it in its database.
>>>> > > If this host is valid in your network and must have a static IP
>>>> > > configured, then add a static binding to the DHCP Snooping database
>>>> > > (ip dhcp snooping binding...)
>>>> > >
>>>> > > Regards,
>>>> > > --
>>>> > > Piotr Matusiak
>>>> > > CCIE #19860 (R&S, Security), CCSI #33705
>>>> > > Technical Instructor
>>>> > > website: www.MicronicsTraining.com
>>>> > > blog: www.ccie1.com
>>>> > >
>>>> > > If you can't explain it simply, you don't understand it well enough -
>>>> > > Albert Einstein
>>>> > >
>>>> > >
>>>> > > 2011/6/12 <roykhan123_at_hotmail.com>
>>>> > >
>>>> > > > Dear All,
>>>> > > >
>>>> > > > I am facing a problem in my network: I am getting DHCP snooping Deny log
>>>> > > > messages continuously in my switches. I know how DHCP snooping works, but
>>>> > > > I do not know why this is appearing in the switch, when there is no DHCP
>>>> > > > server connected to those ports and everything is working fine.
>>>> > > >
>>>> > > > %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi2/18, vlan
>>>> > > > 20.([0022.5ac1.202a/10.1.1.1/0000.0000.0000/10.0.176.16/17:38:05 AST Sun
>>>> > > > Jun 12 2011])
>>>> > > >
>>>> > > > 1. Is this because of a virus that causes the machine to generate this
>>>> > > > error? I saw this problem before when there was a virus.
>>>> > > > 2. I don't know about the servers; maybe some service running inside the
>>>> > > > server causes the server to generate this request, or something else.
>>>> > > >
>>>> > > > Note some there is no virus on the machine and still this error occurs on
>>>> > > > the machine... I really do not know why this is happening and how I fix
>>>> > > > this issue.
>>>> > > >
>>>> > > > Currently I am getting this message and there is no issue with the
>>>> > > > machine itself.
>>>> > > >
>>>> > > > Port configuration
>>>> > > >
>>>> > > > interface GigabitEthernet2/9
>>>> > > >  switchport
>>>> > > >  switchport access vlan 19
>>>> > > >  switchport mode access
>>>> > > >  switchport voice vlan 16
>>>> > > >  ip arp inspection limit rate 128
>>>> > > >  no ip address
>>>> > > >  spanning-tree portfast
>>>> > > >  spanning-tree bpduguard enable
>>>> > > > end
>>>> > > > !
>>>> > > > ip dhcp snooping
>>>> > > > ip dhcp snooping vlan 19,16
>>>> > > > !
>>>> > > >
>>>> > > > kindly advise
>>>> > > >
>>>> > > > Take care
>>>> > > >
>>>> > > >
>>>> > > > Blogs and organic groups at http://www.ccie.net
>>>> > > >
>>>> > > >
>>>> _______________________________________________________________________
>>>> > > > Subscription information may be found at:
>>>> > > > http://www.groupstudy.com/list/CCIELab.html
>>>> > >
>>>> > >
>>>>
>>>>
>>>> --
>>>> *Narbik Kocharians
>>>> *CCSI#30832, CCIE# 12410 (R&S, SP, Security)
>>>> www.MicronicsTraining.com
>>>> Sr. Technical Instructor
>>>> *Ask about our FREE Lab Voucher with our Boot Camps*
>>>> YES! We take Cisco Learning Credits!
>>>> Training & Remote Racks available
>>>>
>>>>
>>>
>>>
>>> --
>>> CCIEx2 (R&S|Sec) #19963
>>>
>>
>>
>>
>>
>>
>
>
>
>
--
Narbik Kocharians
CCSI#30832, CCIE# 12410 (R&S, SP, Security)
www.MicronicsTraining.com
Sr. Technical Instructor

Received on Thu Jun 16 2011 - 19:39:05 ART
This archive was generated by hypermail 2.2.0 : Fri Jul 01 2011 - 06:24:28 ART
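
The following is an added example, not code from any of the posters: it parses the `%SW_DAI-4-DHCP_SNOOPING_DENY` message quoted in the thread and runs it through a simplified model of the check the thread converges on (trusted port, else sender lookup in the snooping binding table). The function names, the binding-table shape and the trusted-port set are assumptions made for illustration.

```python
import re

# Bracketed fields of the deny message, in order:
# sender MAC / sender IP / target MAC / target IP / timestamp
DAI_DENY = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<op>\w+)\) "
    r"on (?P<port>\S+), vlan (?P<vlan>\d+)\.\(\["
    r"(?P<smac>[0-9a-fA-F.]+)/(?P<sip>[\d.]+)/"
    r"(?P<tmac>[0-9a-fA-F.]+)/(?P<tip>[\d.]+)/(?P<time>[^\]]+)\]\)"
)

def parse_dai_deny(line):
    """Return the message fields as a dict, or None if the line is not a DAI deny."""
    m = DAI_DENY.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["count"], ev["vlan"] = int(ev["count"]), int(ev["vlan"])
    ev["smac"], ev["tmac"] = ev["smac"].lower(), ev["tmac"].lower()
    return ev

def dai_verdict(ev, trusted_ports, bindings):
    """Simplified model (assumption): bindings is a set of (vlan, mac, ip, port)."""
    if ev["port"] in trusted_ports:
        return "permit (port trusted for ARP inspection, no check made)"
    if (ev["vlan"], ev["smac"], ev["sip"], ev["port"]) in bindings:
        return "permit (sender MAC/IP matches a snooping binding)"
    return "deny (sender MAC/IP not in the DHCP snooping binding table)"

# The message quoted in the thread, rejoined onto one line.
LOG = ("%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi2/18, vlan 20."
       "([0022.5ac1.202a/10.1.1.1/0000.0000.0000/10.0.176.16/"
       "17:38:05 AST Sun Jun 12 2011])")

if __name__ == "__main__":
    ev = parse_dai_deny(LOG)
    print("sender %(smac)s / %(sip)s on %(port)s vlan %(vlan)d" % ev)
    # Constructed states: as posted, with a static binding, with the port trusted.
    static = {(20, "0022.5ac1.202a", "10.1.1.1", "Gi2/18")}
    for label, trusted, table in [("as posted", set(), set()),
                                  ("static binding added", set(), static),
                                  ("port trusted", {"Gi2/18"}, set())]:
        print(f"{label:22} -> {dai_verdict(ev, trusted, table)}")
```

The last two states correspond to the two remedies suggested in the thread; trusting the port skips the check for every ARP packet arriving on it, while a static binding permits only that one MAC/IP pair.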