hehe, after 80 I sure will have a completely different mind-set. It will
be year 2053 and ticket prices for route Earth-Mars-Earth should just
drop low enough to become affordable for a retired person. :-)
A.
On 6/17/2011 12:39 PM, Narbik Kocharians wrote:
> Hey it can happen to the BEST of us, I should have thought a little
> deeper before posting what I posted.
> hahahahahaha
> I guess after 80 you begin to forget some of the commands.
>
> On Thu, Jun 16, 2011 at 7:35 PM, Alexei Monastyrnyi
> <alexeim73_at_gmail.com> wrote:
>
> Then I have just misread your mind for which I owe you an apology :-)
>
> A.
>
>
> On 6/17/2011 11:46 AM, Narbik Kocharians wrote:
>> MATE,
>> *I was looking at the symptoms (the error message that roykhan123
>> posted) and the last thing that was going through my mind was
>> that command. I guess I did not even think about it, because if
>> it was configured, you would not see the error message.*
>> Cheers
>> N.
>>
>>
>> On Thu, Jun 16, 2011 at 6:29 PM, Alexei Monastyrnyi
>> <alexeim73_at_gmail.com> wrote:
>>
>> Mate,
>> are you sure about "there is no such thing as "DAI trusted
>> port""?
>>
>> Please check it out. I reckon I may have misinterpreted your
>> mail on that matter.
>>
>> http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_sea/command/reference/cli1.html#wp4287676
>>
>> Also here is some output from my customer production network
>>
>> c35as01#sh run in gi 0/42
>> Building configuration...
>> Current configuration : 513 bytes
>> !
>> interface GigabitEthernet0/42
>>  description abc
>>  switchport access vlan xyz
>>  switchport mode access
>>  switchport port-security
>>  switchport port-security violation restrict
>>  ip arp inspection trust
>>  no logging event link-status
>>  load-interval 30
>>  srr-queue bandwidth share 5 15 30 50
>>  priority-queue out
>>  mls qos vlan-based
>>  no snmp trap link-status
>>  storm-control broadcast level 10.00
>>  no cdp enable
>>  spanning-tree portfast
>>  spanning-tree bpduguard enable
>>  spanning-tree guard root
>> end
>> c35as01#sh ip arp inspection ?
>>   interfaces  Interface status
>>   log         Log Buffer
>>   statistics  Packet statistics on DAI configured vlans
>>   vlan        Selected vlan range
>>   |           Output modifiers
>>   <cr>
>> c35as01#sh ip arp inspection in gi 0/42
>>  Interface        Trust State     Rate (pps)    Burst Interval
>>  ---------------  -----------     ----------    --------------
>>  Gi0/42           Trusted               None               N/A
>>
>>
>> Cheers
>> A.
>>
>> On 6/17/2011 1:26 AM, Narbik Kocharians wrote:
>>> Sadiq,
>>> It is NOT, I totally disagree with that. First of all there
>>> is no such thing as "DAI trusted port", you can have a
>>> snooping trusted port BUT not DAI trusted port. The first
>>> thing you want to do when troubleshooting is to see where
>>> the message came from, which feature generated the message, so
>>> you can understand the problem.
>>> Secondly, if you see the message he posted you will see that
>>> the error is coming from DAI:
>>> %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi2/18, vlan 20.([0022.5ac1.202a/10.1.1.1/0000.0000.0000/10.0.176.16/17:38:05 AST Sun Jun 12 2011])
>>> Which tells me that the message is generated by DAI.
>>> NOW......DAI is telling you that the host that sent an ARP
>>> request on G2/18 which happens to be in VLAN 20, with an IP
>>> address of 10.1.1.1 and a MAC address of "0022.5ac1.202a"
>>> was NOT in the DHCP snooping DB, but the actual message came
>>> from DAI.
>>> If you think the problem is DHCP snooping, just disable DAI
>>> and the problem will go away. So it's DAI and not snooping.
>>> Maybe a static entry in the snooping DB for this host will
>>> fix the problem for you.
>>> On Thu, Jun 16, 2011 at 2:31 AM, Sadiq Yakasai
>>> <sadiqtanko_at_gmail.com> wrote:
>>>
>>> By default, DAI relies on DHCP Snooping DB for
>>> operation. The exception is when things are statically
>>> defined.
>>>
>>> It is therefore erroneous to make statements like "the
>>> message has nothing to do with DHCP Snooping"!
>>>
>>> When DHCP Snooping and DAI are configured on a switch
>>> and all operations occur dynamically, then a host with
>>> static IP address connecting to a port that is not a DAI
>>> trusted port will spew out that message. And this is
>>> because the host's information is not present in the
>>> DHCP snooping binding table.
>>>
>>> Sadiq
>>>
>>> On Thu, Jun 16, 2011 at 6:36 AM, Narbik Kocharians
>>> <narbikk_at_gmail.com> wrote:
>>>
>>> I agree with Piotr, the message has nothing to do
>>> with DHCP Snooping, they
>>> are generated by "DAI" Dynamic ARP Inspection. Do
>>> you have DAI configured on
>>> your switches?
>>> On Wed, Jun 15, 2011 at 7:54 PM, Alexei Monastyrnyi
>>> <alexeim73_at_gmail.com> wrote:
>>>
>>> > You can also try using arp inspection trust on that switch-port
>>> > with static IP.
>>> >
>>> > HTH
>>> > A.
>>> >
>>> > On 13 June 2011 01:48, Piotr Matusiak <pitt2k_at_gmail.com> wrote:
>>> >
>>> > > Hi,
>>> > >
>>> > > This message is generated by DAI feature not DHCP Snooping. It is
>>> > > caused by device connected to port g2/18. Check this out. It seems
>>> > > there is someone connected to that port with static IP address of
>>> > > 10.1.1.1 with MAC of 0022.5ac1.202a so that DHCP Snooping has not
>>> > > registered it in its database.
>>> > > If this host is valid in your network and must have static IP
>>> > > configured, then add static binding to the DHCP Snooping database
>>> > > (ip dhcp snooping binding...)
>>> > >
>>> > > Regards,
>>> > > --
>>> > > Piotr Matusiak
>>> > > CCIE #19860 (R&S, Security), CCSI #33705
>>> > > Technical Instructor
>>> > > website: www.MicronicsTraining.com <http://www.micronicstraining.com/>
>>> > > blog: www.ccie1.com <http://www.ccie1.com/>
>>> > >
>>> > > If you can't explain it simply, you don't understand it well enough -
>>> > > Albert Einstein
>>> > >
>>> > >
>>> > > 2011/6/12 <roykhan123_at_hotmail.com>
>>> > >
>>> > > > Dear All,
>>> > > >
>>> > > > I am facing a problem in my network, which is that I am getting DHCP
>>> > > > snooping Deny log messages continuously on my switches. I know how
>>> > > > DHCP snooping works, but I do not know why this is appearing on the
>>> > > > switch when there is no DHCP server connected to those ports and
>>> > > > everything is working fine.
>>> > > >
>>> > > > %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi2/18, vlan 20.([0022.5ac1.202a/10.1.1.1/0000.0000.0000/10.0.176.16/17:38:05 AST Sun Jun 12 2011])
>>> > > >
>>> > > > 1. Is this because of a virus that causes the machine to generate
>>> > > > this error? I saw this problem before; there was a virus.
>>> > > > 2. I don't know about the servers; maybe some service is running
>>> > > > inside the server that causes the server to generate this request,
>>> > > > or something else.
>>> > > >
>>> > > > Note some there is no virus on the machine and still this error
>>> > > > occurs on the machine... I really do not know why this is happening
>>> > > > and how I fix this issue.
>>> > > >
>>> > > > Currently I am getting this message and there is no issue with the
>>> > > > machine itself.
>>> > > >
>>> > > > Port configuration
>>> > > >
>>> > > > interface GigabitEthernet2/9
>>> > > >
>>> > > >  switchport
>>> > > >  switchport access vlan 19
>>> > > >  switchport mode access
>>> > > >  switchport voice vlan 16
>>> > > >  ip arp inspection limit rate 128
>>> > > >  no ip address
>>> > > >  spanning-tree portfast
>>> > > >  spanning-tree bpduguard enable
>>> > > > end
>>> > > > !
>>> > > > ip dhcp snooping
>>> > > > ip dhcp snooping vlan 19,16
>>> > > > !
>>> > > >
>>> > > > Kindly advise.
>>> > > >
>>> > > > Take care
>>> > > >
>>> > > >
>>> > > > Blogs and organic groups at http://www.ccie.net
>>> > > >
>>> > > > _______________________________________________________________________
>>> > > > Subscription information may be found at:
>>> > > > http://www.groupstudy.com/list/CCIELab.html
>>>
>>>
>>> --
>>> *Narbik Kocharians
>>> *CCSI#30832, CCIE# 12410 (R&S, SP, Security)
>>> www.MicronicsTraining.com <http://www.micronicstraining.com/>
>>> Sr. Technical Instructor
>>> *Ask about our FREE Lab Voucher with our Boot Camps*
>>> YES! We take Cisco Learning Credits!
>>> Training & Remote Racks available
>>> --
>>> CCIEx2 (R&S|Sec) #19963
Received on Fri Jun 17 2011 - 21:43:54 ART
This archive was generated by hypermail 2.2.0 : Fri Jul 01 2011 - 06:24:28 ART
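
Added example (not part of the thread and not written by any of its participants): a Python sketch that parses the %SW_DAI-4-DHCP_SNOOPING_DENY line quoted above and compares the ARP sender with a DHCP snooping binding table, which is the lookup the thread is arguing about. The binding table and the triage labels are constructed for illustration, and matching on (vlan, mac, ip) is a simplified model of the check, not Cisco's implementation.

```python
import re

# Field order inside ([...]) as read in the thread:
# sender MAC / sender IP / target MAC / target IP / timestamp.
DAI_DENY = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs "
    r"\((?P<op>\w+)\) on (?P<port>\S+), vlan (?P<vlan>\d+)\.\(\["
    r"(?P<smac>[0-9a-fA-F.]+)/(?P<sip>[\d.]+)/"
    r"(?P<tmac>[0-9a-fA-F.]+)/(?P<tip>[\d.]+)/(?P<when>[^\]]+)\]\)"
)

def parse_deny(line):
    """Return the fields of a DAI deny message, or None for any other line."""
    m = DAI_DENY.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["count"], ev["vlan"] = int(ev["count"]), int(ev["vlan"])
    ev["smac"] = ev["smac"].lower()
    return ev

def triage(ev, bindings):
    """Compare the ARP sender with snooping bindings given as (vlan, mac, ip)."""
    in_vlan = [(mac, ip) for vlan, mac, ip in bindings if vlan == ev["vlan"]]
    if (ev["smac"], ev["sip"]) in in_vlan:
        return "binding-present"        # deny is unexpected; re-check the table
    if any(ip == ev["sip"] for _, ip in in_vlan):
        return "ip-bound-to-other-mac"  # address conflict or spoofed sender
    if any(mac == ev["smac"] for mac, _ in in_vlan):
        return "mac-bound-to-other-ip"  # host not using its leased address
    return "no-binding"                 # e.g. a statically addressed host

# Constructed input: the message quoted in the thread plus an invented table.
SAMPLE_LOG = (
    "%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi2/18, vlan 20."
    "([0022.5ac1.202a/10.1.1.1/0000.0000.0000/10.0.176.16/"
    "17:38:05 AST Sun Jun 12 2011])"
)
SAMPLE_BINDINGS = [
    (20, "0011.2233.4455", "10.0.176.16"),
    (19, "0022.5ac1.202a", "10.1.1.1"),   # same host, but a different VLAN
]

if __name__ == "__main__":
    event = parse_deny(SAMPLE_LOG)
    print(event["port"], event["vlan"], event["smac"], event["sip"],
          triage(event, SAMPLE_BINDINGS))
```

A "no-binding" result is the situation the replies describe, where the options raised in the thread are a static binding for the host or trusting the port for ARP inspection.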