Re: DAI help from Ben Hughes on 2012-01-28 (Ccielab archives 01/2012)

From: Ben Hughes <bhughes_at_imc.net.au>
Date: Sat, 28 Jan 2012 23:22:02 +0000

Hi guys,

Trunks are up and functioning fine (the DHCP snooping part is working no problem). "sh ip arp insp int" shows inter switch trunks as trusted. Packets are not taking an unexpected path (and to make doubly sure I have shut down all other paths). Spanning-tree is forwarding in both directions as expected.

cheers,
Ben.

From: Oluwagbenga Oyebande <Oluwagbenga_at_daitmail.com<mailto:Oluwagbenga_at_daitmail.com>>
Reply-To: Oluwagbenga Oyebande <Oluwagbenga_at_daitmail.com<mailto:Oluwagbenga_at_daitmail.com>>
Date: Sat, 28 Jan 2012 20:12:13 +0100
To: Dennis Worth <dennis.worth_at_gmail.com<mailto:dennis.worth_at_gmail.com>>, <ccielab_at_groupstudy.com<mailto:ccielab_at_groupstudy.com>>
Subject: Re: DAI help

I think you have the snooping and DAI rightly configured.

Are you sure spanning tree is not forwarding through an unexpected path?

let's see the output of these show commands from Cat1 & Cat2.

sh ip arp inspect int | i Trusted
sh int trunk | i 12|forwarding
sh span vl 12 | i FWD

Your Trusted interswitch trunk should appear in all three if it is
actually forwarding in spanning tree.

On Sat, Jan 28, 2012 at 4:31 PM, Dennis Worth <dennis.worth_at_gmail.com<mailto:dennis.worth_at_gmail.com>> wrote:
What does sh ip arp inspection interfaces and sh ip arp inspection log say?

On Fri, Jan 27, 2012 at 11:05 PM, Ben Hughes <bhughes_at_imc.net.au<mailto:bhughes_at_imc.net.au>> wrote:

Hi guys,

Can anyone help me with where I'm going wrong regarding DAI? I have the
following setup:

R1 <-> Cat2 <-> Cat1 <-> R2

R1 is a DHCP server and R2 is a DHCP client.

I have configured the following on both switches:

ip dhcp snoop vlan 12
no ip dhcp snooping information option
ip dhcp snooping database flash:dhcpsnoo
ip dhcp snoop
ip arp insp vlan 12
ip arp insp validate src-mac dest-mac ip

R1's port and interswitch trunks on Cat1 have
ip dhcp snoop trust

On Cat2 I have the following for R1:
arp access-list VL12
permit ip host <R1IP> mac host <R1mac> log
ip arp inspection filter VL12 vlan 12

I can't work out why ARP is still not working. R2 gets an address fine.
If I disable ARP inspection on Cat1 everything starts to work. Given that
the interswitch trunks have "ip arp inspect trust" and Cat1 has a DHCP
snoop binding for R2 I can't see why this doesn t work.

Anyone got any ideas for me?

cheers,
Ben.

Blogs and organic groups at http://www.ccie.net
Received on Sat Jan 28 2012 - 23:22:02 ART

This archive was generated by hypermail 2.2.0 : Thu Feb 02 2012 - 11:52:52 ART