Cisco: Dynamic ARP Inspection (DAI)
Blueprint
Dynamic ARP Inspection Lab (DHCP Environment)
Base Configuration
configure terminal
!
vtp mode transparent
!
vlan 128
exit
!
ip routing
!
spanning-tree portfast default
!
interface range FastEthernet 1/0/1 - 3
switchport mode access
switchport access vlan 128
exit
interface FastEthernet 1/0/24
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 128
exit
!
end
configure terminal
!
interface FastEthernet 0/0
ip address dhcp
no shutdown
!
end
configure terminal
!
interface FastEthernet 0/0
ip address 10.0.128.102 255.255.255.0
no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end
configure terminal
!
interface FastEthernet 0/0
no shutdown
!
end
Dynamic ARP inspection Configuration
configure terminal
!
ip dhcp snooping
ip dhcp snooping vlan 128
ip arp inspection vlan 128
!
ip dhcp snooping information option
!
interface FastEthernet 1/0/24
ip dhcp snooping trust
ip arp inspection trust
exit
!
end
configure terminal
!
interface FastEthernet 0/0
ip address 10.0.128.10 255.255.255.0
no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end
Verification
monitor session 1 source interface FastEthernet 1/0/3
monitor session 1 destination interface FastEthernet 1/0/12
SW1 Console Log
SW1(config-if)#
*Mar 1 00:54:52.771: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to down
*Mar 1 00:54:53.778: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to down
SW1(config-if)#
*Mar 1 00:54:58.610: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to up
*Mar 1 00:54:59.616: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to up
SW1(config-if)#
*Mar 1 01:03:21.448: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/2, vlan 128.([0024.c431.126e/10.0.128.102/001b.2a77.66d2/10.0.128.13/01:03:21 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar 1 01:03:23.461: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/2, vlan 128.([0024.c431.126e/10.0.128.102/001b.2a77.66d2/10.0.128.13/01:03:23 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar 1 01:03:25.475: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/2, vlan 128.([0024.c431.126e/10.0.128.102/001b.2a77.66d2/10.0.128.13/01:03:25 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar 1 01:03:54.675: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/ffff.ffff.ffff/10.0.128.103/01:03:54 UTC Mon Mar 1 1993])
SW1(config-if)#end
SW1#sh ip dh
SW1#sh ip dhcp
*Mar 1 01:04:56.164: %SYS-5-CONFIG_I: Configured from console by console
SW1#sh ip dhcp sno
SW1#sh ip dhcp snooping bin
SW1#sh ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:1B:2A:77:66:D2 10.0.128.13 302 dhcp-snooping 128 FastEthernet1/0/1
00:24:C4:31:12:6E 10.0.128.14 571 dhcp-snooping 128 FastEthernet1/0/2
Total number of bindings: 2
SW1#sh ip sour
SW1#sh ip source bin
SW1#sh ip source binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:1B:2A:77:66:D2 10.0.128.13 592 dhcp-snooping 128 FastEthernet1/0/1
00:24:C4:31:12:6E 10.0.128.14 560 dhcp-snooping 128 FastEthernet1/0/2
Total number of bindings: 2
SW1#
*Mar 1 01:05:44.398: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:05:43 UTC Mon Mar 1 1993])
SW1#
*Mar 1 01:05:46.412: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:05:45 UTC Mon Mar 1 1993])
SW1#
*Mar 1 01:05:48.425: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:05:47 UTC Mon Mar 1 1993])
SW1#
*Mar 1 01:05:50.438: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:05:49 UTC Mon Mar 1 1993])
SW1#
*Mar 1 01:05:52.451: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:05:51 UTC Mon Mar 1 1993])
SW1#
ARP requests get through regardless of whether the port is trusted or untrusted,
but ARP replies are dropped by the switch if no DHCP snooping binding is found.
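To read the deny messages above against the binding table, the following added example (not part of the original lab notes, and not Cisco's logic) parses the %SW_DAI-4-DHCP_SNOOPING_DENY lines and labels each one by how the sender differs from the snooping bindings. It assumes the bracketed fields are sender MAC / sender IP / target MAC / target IP / time; the function names and reason labels are hypothetical.

```python
import re

# Rows copied from the "sh ip dhcp snooping binding" output in the console log above.
BINDINGS_TEXT = """\
00:1B:2A:77:66:D2 10.0.128.13 302 dhcp-snooping 128 FastEthernet1/0/1
00:24:C4:31:12:6E 10.0.128.14 571 dhcp-snooping 128 FastEthernet1/0/2
"""

# Deny messages copied from the same console log (one per distinct sender/target pair).
LOG_TEXT = """\
*Mar 1 01:03:21.448: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/2, vlan 128.([0024.c431.126e/10.0.128.102/001b.2a77.66d2/10.0.128.13/01:03:21 UTC Mon Mar 1 1993])
*Mar 1 01:03:54.675: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/ffff.ffff.ffff/10.0.128.103/01:03:54 UTC Mon Mar 1 1993])
*Mar 1 01:05:44.398: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:05:43 UTC Mon Mar 1 1993])
"""

# Assumed field order inside ([...]): sender MAC / sender IP / target MAC / target IP / time.
DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<op>Req|Res)\) "
    r"on (?P<port>[^,\s]+), vlan (?P<vlan>\d+)\.\(\["
    r"(?P<smac>[0-9A-Fa-f.]+)/(?P<sip>[0-9.]+)/(?P<tmac>[0-9A-Fa-f.]+)/(?P<tip>[0-9.]+)/"
)
MAC_COLON_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")


def norm_mac(mac):
    """Reduce 00:1B:2A:77:66:D2 and 001b.2a77.66d2 to the same 12 hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def norm_port(name):
    """Map FastEthernet1/0/1 and Fa1/0/1 to the same short form (fa1/0/1)."""
    m = re.fullmatch(r"([A-Za-z]+)([\d/]+)", name)
    return (m.group(1)[:2] + m.group(2)).lower() if m else name.lower()


def parse_bindings(text):
    """Parse binding rows: MacAddress IpAddress Lease Type VLAN Interface."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 6 and MAC_COLON_RE.fullmatch(f[0]):
            rows.append({"mac": norm_mac(f[0]), "ip": f[1],
                         "vlan": int(f[4]), "port": norm_port(f[5])})
    return rows


def parse_deny_lines(text):
    """Extract one event per deny message; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        events.append({
            "op": m["op"], "port": norm_port(m["port"]), "vlan": int(m["vlan"]),
            "smac": norm_mac(m["smac"]), "sip": m["sip"],
            "tmac": norm_mac(m["tmac"]), "tip": m["tip"],
            # Sender IP == target IP is the shape of a gratuitous ARP.
            "gratuitous": m["sip"] == m["tip"],
        })
    return events


def classify(event, bindings):
    """Label how the sender of a denied ARP differs from the binding table."""
    in_vlan = [b for b in bindings if b["vlan"] == event["vlan"]]
    by_ip = next((b for b in in_vlan if b["ip"] == event["sip"]), None)
    by_mac = next((b for b in in_vlan if b["mac"] == event["smac"]), None)
    if by_ip is None:
        # Known MAC using an address it was not leased, or a host never seen by snooping.
        return "ip-mismatch" if by_mac else "no-binding"
    if by_ip["mac"] != event["smac"]:
        return "mac-mismatch"      # sender claims an IP leased to a different MAC
    if by_ip["port"] != event["port"]:
        return "port-mismatch"     # right IP/MAC pair, but seen on another port
    return "consistent"


def triage(log_text, bindings_text):
    """Return (port, sender MAC, sender IP, ARP op, reason) for every deny line."""
    bindings = parse_bindings(bindings_text)
    return [(e["port"], e["smac"], e["sip"], e["op"], classify(e, bindings))
            for e in parse_deny_lines(log_text)]


if __name__ == "__main__":
    for row in triage(LOG_TEXT, BINDINGS_TEXT):
        print(*row)
```

The first message comes out as ip-mismatch: the MAC on Fa1/0/2 holds a lease for 10.0.128.14 but is sending ARP as the statically configured 10.0.128.102.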
Dynamic ARP Inspection Lab (Non-DHCP Environment)
Base Configuration
configure terminal
!
vtp mode transparent
!
vlan 128
exit
!
ip routing
!
spanning-tree portfast default
!
interface range FastEthernet 1/0/1 - 3
switchport mode access
switchport access vlan 128
exit
interface FastEthernet 1/0/24
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 128
exit
!
end
configure terminal
!
interface FastEthernet 0/0
ip address dhcp
no shutdown
!
end
configure terminal
!
interface FastEthernet 0/0
ip address 10.0.128.102 255.255.255.0
no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end
configure terminal
!
interface FastEthernet 0/0
no shutdown
!
end
Dynamic ARP inspection Configuration
configure terminal
!
ip arp inspection vlan 128
!
arp access-list ARP-VLAN128
permit ip host 10.0.128.101 mac host 001b.2a77.66d2 log
permit ip host 10.0.128.102 mac host 0024.c431.126e log
exit
!
ip arp inspection filter ARP-VLAN128 vlan 128
!
interface FastEthernet 1/0/24
ip arp inspection trust
exit
!
end
configure terminal
!
interface FastEthernet 0/0
ip address 10.0.128.10 255.255.255.0
no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end
Verification
monitor session 1 source interface FastEthernet 1/0/3
monitor session 1 destination interface FastEthernet 1/0/12
SW1 Console Log
SW1(config-if)#
*Mar 1 00:06:16.723: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to down
*Mar 1 00:06:17.730: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to down
SW1(config-if)#
*Mar 1 00:06:22.965: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:06:22 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar 1 00:06:24.978: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:06:24 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar 1 00:06:26.991: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:06:26 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar 1 00:06:29.004: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:06:28 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar 1 00:06:31.018: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:06:30 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar 1 00:06:54.808: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to up
*Mar 1 00:06:55.814: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to up
SW1(config-if)#
*Mar 1 00:06:56.183: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.13/ffff.ffff.ffff/10.0.128.13/00:06:55 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar 1 00:06:59.203: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.13/ffff.ffff.ffff/10.0.128.13/00:06:58 UTC Mon Mar 1 1993])
*Mar 1 00:06:59.203: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.13/0000.0000.0000/10.0.128.1/00:06:58 UTC Mon Mar 1 1993])
*Mar 1 00:07:00.210: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.13/001b.2131.139b/10.0.128.254/00:06:59 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar 1 00:07:01.217: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.13/001b.2131.139b/10.0.128.254/00:07:00 UTC Mon Mar 1 1993])
*Mar 1 00:07:02.223: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.13/001b.2131.139b/10.0.128.254/00:07:01 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar 1 00:07:31.466: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:07:31 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar 1 00:07:33.479: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:07:33 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar 1 00:07:35.493: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:07:35 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar 1 00:07:37.506: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:07:37 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar 1 00:07:39.519: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:07:39 UTC Mon Mar 1 1993])
SW1(config-if)#monitor session 1 source interface FastEthernet 1/0/3
SW1(config)#monitor session 1 destination interface FastEthernet 1/0/12
SW1(config)#monitor session 1 source interface FastEthernet 1/0/3
SW1(config)#monitor session 1 destination interface FastEthernet 1/0/12
SW1(config)#
*Mar 1 00:08:24.834: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:08:24 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:08:26.848: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:08:26 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:08:28.861: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:08:28 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:08:30.874: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:08:30 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:08:32.887: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:08:32 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:11:20.030: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.13/0000.0000.0000/10.0.128.102/00:11:19 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:11:22.044: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.13/0000.0000.0000/10.0.128.102/00:11:21 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:11:24.057: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.13/0000.0000.0000/10.0.128.102/00:11:23 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:11:26.070: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.13/0000.0000.0000/10.0.128.102/00:11:25 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:11:28.083: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.13/0000.0000.0000/10.0.128.102/00:11:27 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:12:00.296: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.13/001b.2131.139b/10.0.128.254/00:11:59 UTC Mon Mar 1 1993])
*Mar 1 00:12:01.302: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.13/001b.2131.139b/10.0.128.254/00:12:00 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:12:02.309: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.13/001b.2131.139b/10.0.128.254/00:12:01 UTC Mon Mar 1 1993])
SW1(config)#
SW1(config)#
SW1(config)#
SW1(config)#ip add
SW1(config)#int f0/0
^
% Invalid input detected at '^' marker.
SW1(config)#
*Mar 1 00:12:59.712: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.101/ffff.ffff.ffff/10.0.128.101/00:12:59 UTC Mon Mar 1 1993])
*Mar 1 00:12:59.712: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.101/0000.0000.0000/10.0.128.1/00:12:59 UTC Mon Mar 1 1993])
SW1(config)#arp access-list ARP-VLAN128
SW1(config-arp-nacl)#permi
SW1(config-arp-nacl)#permit ip hos
SW1(config-arp-nacl)#permit ip host 10.0.128.101 ma
SW1(config-arp-nacl)#permit ip host 10.0.128.101 mac ho
SW1(config-arp-nacl)#permit ip host 10.0.128.101 mac host 001b.2a77.66d2 log
SW1(config-arp-nacl)#permi
SW1(config-arp-nacl)#permit ip
SW1(config-arp-nacl)#permit ip hos
SW1(config-arp-nacl)#permit ip host 10.0.128.102 mac
SW1(config-arp-nacl)#permit ip host 10.0.128.102 mac hos
SW1(config-arp-nacl)#permit ip host 10.0.128.102 mac host 0024.c431.126e log
SW1(config-arp-nacl)#exit
SW1(config)#ip arp
SW1(config)#ip arp in
SW1(config)#ip arp ins
SW1(config)#ip arp inspection fil
SW1(config)#ip arp inspection filter ARP-VLAN128 vla
SW1(config)#ip arp inspection filter ARP-VLAN128 vlan 128
SW1(config)#
*Mar 1 00:16:23.136: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.101/ffff.ffff.ffff/10.0.128.101/00:16:22 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:16:35.216: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.101/0000.0000.0000/10.0.128.254/00:16:35 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:16:37.229: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.101/0000.0000.0000/10.0.128.254/00:16:37 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:16:39.242: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.101/0000.0000.0000/10.0.128.254/00:16:39 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:16:41.255: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.101/0000.0000.0000/10.0.128.254/00:16:41 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:16:43.269: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.101/0000.0000.0000/10.0.128.254/00:16:43 UTC Mon Mar 1 1993])
SW1(config)#do sh run | i monitor
monitor session 1 source interface Fa1/0/3
monitor session 1 destination interface Fa1/0/12
SW1(config)#no monitor session 1 source interface Fa1/0/3
SW1(config)#monitor session 1 source interface Fa1/0/24
SW1(config)#
*Mar 1 00:18:41.087: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.101/0000.0000.0000/10.0.128.254/00:18:41 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:18:43.100: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.101/0000.0000.0000/10.0.128.254/00:18:43 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:18:45.113: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.101/0000.0000.0000/10.0.128.254/00:18:45 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:18:47.126: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.101/0000.0000.0000/10.0.128.254/00:18:47 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:18:49.140: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.101/0000.0000.0000/10.0.128.254/00:18:49 UTC Mon Mar 1 1993])
SW1(config)#
SW1(config)#end
SW1#sh ip
*Mar 1 00:19:10.900: %SYS-5-CONFIG_I: Configured from console by console
SW1#sh ip dhcp
SW1#sh ip dhcp sn
SW1#sh ip dhcp snooping bind
SW1#sh ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
Total number of bindings: 0
SW1#sh ip sou
SW1#sh ip source bin
SW1#sh ip source binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
Total number of bindings: 0
SW1#sh ip ar
SW1#sh ip arp ins
SW1#sh ip arp inspection ?
interfaces Interface status
log Log Buffer
statistics Packet statistics on DAI configured vlans
vlan Selected vlan range
| Output modifiers
<cr>
SW1#sh ip arp inspection log
Total Log Buffer Size : 32
Syslog rate : 5 entries per 1 seconds.
Smartlog is not enabled
No entries in log buffer.
SW1#sh ip arp inspection log
Total Log Buffer Size : 32
Syslog rate : 5 entries per 1 seconds.
Smartlog is not enabled
No entries in log buffer.
SW1#
*Mar 1 00:22:18.561: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.101/0000.0000.0000/10.0.128.254/00:22:18 UTC Mon Mar 1 1993])
SW1#sh ip arp inspection log
Total Log Buffer Size : 32
Syslog rate : 5 entries per 1 seconds.
Smartlog is not enabled
No entries in log buffer.
SW1#
*Mar 1 00:22:20.575: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.101/0000.0000.0000/10.0.128.254/00:22:20 UTC Mon Mar 1 1993])
SW1#sh ip arp inspection log
Total Log Buffer Size : 32
Syslog rate : 5 entries per 1 seconds.
Smartlog is not enabled
No entries in log buffer.
SW1#sh ip arp inspection l
*Mar 1 00:22:22.588: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.101/0000.0000.0000/10.0.128.254/00:22:22 UTC Mon Mar 1 1993])
SW1#sh ip arp inspection
SW1#sh ip arp inspection
SW1#sh ip arp inspection
Source Mac Validation : Disabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled
Vlan Configuration Operation ACL Match Static ACL
---- ------------- --------- --------- ----------
128 Enabled Active ARP-VLAN128 No
Vlan ACL Logging DHCP Logging Probe Logging
---- ----------- ------------ -------------
128 Deny Deny Off
*Mar 1 00:22:24.601: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.101/0000.0000.0000/10.0.128.254/00:22:24 UTC Mon Mar 1 1993])
Vlan Forwarded Dropped DHCP Drops ACL Drops
---- --------- ------- ---------- ---------
128 20 47 47 0
Vlan DHCP Permits ACL Permits Probe Permits Source MAC Failures
---- ------------ ----------- ------------- -------------------
128 0 9 0 0
Vlan Dest MAC Failures IP Validation Failures Invalid Protocol Data
---- ----------------- ---------------------- ---------------------
Vlan Dest MAC Failures IP Validation Failures Invalid Protocol Data
---- ----------------- ---------------------- ---------------------
128 0 0 0
SW1#
*Mar 1 00:22:26.631: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.101/0000.0000.0000/10.0.128.254/00:22:26 UTC Mon Mar 1 1993])
SW1#sh ip arp inspection
Source Mac Validation : Disabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled
Vlan Configuration Operation ACL Match Static ACL
---- ------------- --------- --------- ----------
128 Enabled Active ARP-VLAN128 No
Vlan ACL Logging DHCP Logging Probe Logging
---- ----------- ------------ -------------
128 Deny Deny Off
Vlan Forwarded Dropped DHCP Drops ACL Drops
---- --------- ------- ---------- ---------
128 20 47 47 0
Vlan DHCP Permits ACL Permits Probe Permits Source MAC Failures
---- ------------ ----------- ------------- -------------------
128 0 9 0 0
Vlan Dest MAC Failures IP Validation Failures Invalid Protocol Data
---- ----------------- ---------------------- ---------------------
Vlan Dest MAC Failures IP Validation Failures Invalid Protocol Data
---- ----------------- ---------------------- ---------------------
128 0 0 0
SW1#sh ip arp inspection
SW1#sh ip arp inspection ?
interfaces Interface status
log Log Buffer
statistics Packet statistics on DAI configured vlans
vlan Selected vlan range
| Output modifiers
<cr>
SW1#sh ip arp inspection interfaces
Interface Trust State Rate (pps) Burst Interval
--------------- ----------- ---------- --------------
Fa1/0/1 Untrusted 15 1
Fa1/0/2 Untrusted 15 1
Fa1/0/3 Untrusted 15 1
Fa1/0/4 Untrusted 15 1
Fa1/0/5 Untrusted 15 1
Fa1/0/6 Untrusted 15 1
Fa1/0/7 Untrusted 15 1
Fa1/0/8 Untrusted 15 1
Fa1/0/9 Untrusted 15 1
Fa1/0/10 Untrusted 15 1
Fa1/0/11 Untrusted 15 1
Fa1/0/12 Untrusted 15 1
Fa1/0/13 Untrusted 15 1
Fa1/0/14 Untrusted 15 1
Fa1/0/15 Untrusted 15 1
Fa1/0/16 Untrusted 15 1
Fa1/0/17 Untrusted 15 1
Fa1/0/18 Untrusted 15 1
Fa1/0/19 Untrusted 15 1
Fa1/0/20 Untrusted 15 1
Interface Trust State Rate (pps) Burst Interval
--------------- ----------- ---------- --------------
Fa1/0/21 Untrusted 15 1
Fa1/0/22 Untrusted 15 1
Fa1/0/23 Untrusted 15 1
Fa1/0/24 Trusted None N/A
Gi1/0/1 Untrusted 15 1
Gi1/0/2 Untrusted 15 1
SW1#
ARP requests arriving on an untrusted port are also blocked when no binding is found.
R3#ping 10.0.128.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.128.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW1(config)#
*Mar 1 00:08:24.834: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:08:24 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:08:26.848: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:08:26 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:08:28.861: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:08:28 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:08:30.874: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:08:30 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:08:32.887: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:08:32 UTC Mon Mar 1 1993])
SW1(config)#
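The denies in this lab are logged as DHCP_SNOOPING_DENY, and the counters show DHCP Drops 47 / ACL Drops 0, because the filter was applied without the static keyword (Static ACL: No): a sender that matches no ARP ACL entry falls through to the DHCP snooping binding check, and the binding table here is empty. The model below is an added example, not from the original notes and not Cisco's implementation; the class and function names are hypothetical and it matches on sender IP and sender MAC only.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    ip: str      # sender IP (permit ip host ...)
    mac: str     # sender MAC (... mac host ...)


# The two entries of "arp access-list ARP-VLAN128" from the configuration above.
ARP_VLAN128 = [
    AclEntry("permit", "10.0.128.101", "001b.2a77.66d2"),
    AclEntry("permit", "10.0.128.102", "0024.c431.126e"),
]

# "ip arp inspection trust" is configured on this port only.
TRUSTED_PORTS = {"Fa1/0/24"}

# "sh ip dhcp snooping binding" reports 0 bindings in this lab (sender IP -> MAC).
BINDINGS = {}

# (port, sender IP, sender MAC) tuples taken from the deny messages in the console log above.
SENDERS = [
    ("Fa1/0/3", "10.0.128.103", "0021.a009.487c"),
    ("Fa1/0/1", "10.0.128.13", "001b.2a77.66d2"),
    ("Fa1/0/1", "10.0.128.101", "001b.2a77.66d2"),  # matches the first permit entry once the filter is applied
    ("Fa1/0/3", "10.0.128.101", "0021.a009.487c"),  # permitted IP, wrong MAC
]


def inspect(port, sender_ip, sender_mac, acl, bindings, static=False):
    """Return (verdict, stage) for one ARP packet in a DAI-enabled VLAN."""
    if port in TRUSTED_PORTS:
        return ("forward", "trusted-port")        # trusted ports bypass inspection
    for entry in acl:                             # the ARP ACL is consulted first
        if entry.ip == sender_ip and entry.mac == sender_mac.lower():
            if entry.action == "permit":
                return ("forward", "acl-permit")
            return ("drop", "acl-deny")
    if static:
        return ("drop", "acl-implicit-deny")      # static: the ACL's implicit deny is final
    if bindings.get(sender_ip) == sender_mac.lower():
        return ("forward", "dhcp-permit")
    return ("drop", "dhcp-deny")                  # logged as DHCP_SNOOPING_DENY


def tally(senders, acl, bindings, static=False):
    """Count how many senders end at each stage, like the per-VLAN statistics."""
    return Counter(inspect(p, ip, mac, acl, bindings, static)[1] for p, ip, mac in senders)


if __name__ == "__main__":
    for static in (False, True):
        print("static" if static else "non-static", dict(tally(SENDERS, ARP_VLAN128, BINDINGS, static)))
```

With static=True the same three senders are dropped at the ACL stage instead.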
DAI x IP source-guard Lab
Base Configuration
configure terminal
!
vtp mode transparent
!
vlan 128
exit
!
ip routing
!
spanning-tree portfast default
!
interface range FastEthernet 1/0/1 - 3
switchport mode access
switchport access vlan 128
exit
interface FastEthernet 1/0/24
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 128
exit
!
end
configure terminal
!
interface FastEthernet 0/0
ip address dhcp
no shutdown
!
end
configure terminal
!
interface FastEthernet 0/0
ip address 10.0.128.102 255.255.255.0
no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end
configure terminal
!
interface FastEthernet 0/0
no shutdown
!
end
Dynamic ARP inspection Configuration
monitor session 1 source interface FastEthernet 1/0/3
monitor session 1 destination interface FastEthernet 1/0/12
configure terminal
!
ip dhcp snooping
ip dhcp snooping vlan 128
ip arp inspection vlan 128
!
ip dhcp snooping information option
!
ip source binding 0024.c431.126e vlan 128 10.0.128.102 interface FastEthernet 1/0/2
!
arp access-list ARP-VLAN128
permit ip host 10.0.128.102 mac host 0024.c431.126e log
exit
!
ip arp inspection filter ARP-VLAN128 vlan 128
!
interface range FastEthernet 1/0/1 - 3
ip verify source
exit
interface FastEthernet 1/0/24
ip dhcp snooping trust
ip arp inspection trust
exit
!
end
configure terminal
!
interface FastEthernet 0/0
ip address 10.0.128.10 255.255.255.0
no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end
Verification
SW1 Console Log
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#ip dh
SW1(config)#ip dhcp sno
SW1(config)#ip dhcp snooping
SW1(config)#ip dh
SW1(config)#ip dhcp sno
SW1(config)#ip dhcp snooping vlan
SW1(config)#ip dhcp snooping vlan 128
SW1(config)#ip arp
SW1(config)#ip arp ins
SW1(config)#ip arp inspection vlan 128
SW1(config)#
*Mar 1 00:08:26.747: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.101/001b.2a77.66d2/10.0.128.101/00:08:26 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:08:44.799: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/3, changed state to down
*Mar 1 00:08:45.806: %LINK-3-UPDOWN: Interface FastEthernet1/0/3, changed state to down
SW1(config)#ip dhcp
SW1(config)#ip dhcpsno
SW1(config)#ip dhc
SW1(config)#ip dhcp sno
SW1(config)#ip dhcp snooping info
SW1(config)#ip dhcp snooping information o
SW1(config)#ip dhcp snooping information option
SW1(config)#ip sour
SW1(config)#ip source bin
SW1(config)#$4.c431.126e vlan 128 10.0.128.102 interface FastEthernet 1/0/2
SW1(config)#arp acc
SW1(config)#arp access-list ARP-VLAN128
SW1(config-arp-nacl)#permi
SW1(config-arp-nacl)#permit ip host 10.0.128.102 mac host 0024.c431.126e log
SW1(config-arp-nacl)#exit
SW1(config)#ip arp
SW1(config)#ip arp ins
SW1(config)#ip arp inspection fil
SW1(config)#ip arp inspection filter ARP-VLAN128 vlan 128
SW1(config)#int range f1/0/1-3
SW1(config-if-range)#ip veri
SW1(config-if-range)#ip verify sou
SW1(config-if-range)#ip verify source
SW1(config-if-range)#exit
SW1(config)#int f1/0/24
SW1(config-if)#ip dh
SW1(config-if)#ip dhcp sno
SW1(config-if)#ip dhcp snooping tru
SW1(config-if)#ip dhcp snooping trust
SW1(config-if)#ip dh
SW1(config-if)#ip arp
SW1(config-if)#ip arp ins
SW1(config-if)#ip arp inspection tru
SW1(config-if)#ip arp inspection trust
SW1(config-if)#end
SW1#
*Mar 1 00:12:28.481: %SYS-5-CONFIG_I: Configured from console by console
SW1#
*Mar 1 00:12:43.505: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.101/0000.0000.0000/10.0.128.254/00:12:42 UTC Mon Mar 1 1993])
SW1#
*Mar 1 00:12:45.519: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.101/0000.0000.0000/10.0.128.254/00:12:44 UTC Mon Mar 1 1993])
SW1#
*Mar 1 00:12:47.532: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.101/0000.0000.0000/10.0.128.254/00:12:46 UTC Mon Mar 1 1993])
SW1#
*Mar 1 00:12:49.545: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.101/0000.0000.0000/10.0.128.254/00:12:48 UTC Mon Mar 1 1993])
SW1#
*Mar 1 00:12:51.558: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.101/0000.0000.0000/10.0.128.254/00:12:50 UTC Mon Mar 1 1993])
SW1#
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#no ip arp inspection filter ARP-VLAN128 vlan 128
SW1(config)#do sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
SW1(config)#no arp access-list ARP-VLAN128
SW1(config)#no ip arp inspection vlan 128
SW1(config)#int f1/0/1-3
^
% Invalid input detected at '^' marker.
SW1(config)#int ra f1/0/1-3
SW1(config-if-range)#no ip arp inspection trust
% Range command terminated because it failed on FastEthernet1/0/1
SW1(config-if-range)#exit
SW1(config)#int f1/0/1
SW1(config-if)#no ip arp inspection trust
SW1(config-if)#int f1/0/2
SW1(config-if)#no ip arp inspection trust
SW1(config-if)#int f1/0/3
SW1(config-if)#no ip arp inspection trust
SW1(config-if)#int f1/0/24
SW1(config-if)#no ip arp inspection trust
SW1(config-if)#int ra f1/0/1-3
SW1(config-if-range)#no ip verify source
SW1(config-if-range)#^Z
SW1#sh
*Mar 1 00:21:32.155: %SYS-5-CONFIG_I: Configured from console by console
SW1#sh ip dhcp
SW1#sh ip dhcp bin
SW1#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
SW1#sh ip sou
SW1#sh ip source bin
SW1#sh ip source binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:1B:2A:77:66:D2 10.0.128.13 370 dhcp-snooping 128 FastEthernet1/0/1
00:24:C4:31:12:6E 10.0.128.102 infinite static 128 FastEthernet1/0/2
Total number of bindings: 2
SW1#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
SW1#
*Mar 1 00:22:33.476: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to down
SW1#
*Mar 1 00:22:34.474: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to down
SW1#
SW1#
SW1#
SW1#sh ip dhcp binding
*Mar 1 00:22:39.122: %LINK-3-UPDOWN: Interface FastEthernet1/0/1, changed state to up
*Mar 1 00:22:40.128: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/1, changed state to up
SW1#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
SW1#sh ip dhcp sno
SW1#sh ip dhcp snooping bin
SW1#sh ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:1B:2A:77:66:D2 10.0.128.13 585 dhcp-snooping 128 FastEthernet1/0/1
Total number of bindings: 1
SW1#sh ip sour
SW1#sh ip source bin
SW1#sh ip source binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:1B:2A:77:66:D2 10.0.128.13 580 dhcp-snooping 128 FastEthernet1/0/1
00:24:C4:31:12:6E 10.0.128.102 infinite static 128 FastEthernet1/0/2
Total number of bindings: 2
SW1#
*Mar 1 00:25:41.482: %LINK-3-UPDOWN: Interface FastEthernet1/0/3, changed state to up
*Mar 1 00:25:42.488: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/3, changed state to up
SW1#
SW1#
SW1#
SW1#
SW1#sh ip dh
SW1#sh ip dhcp sno
SW1#sh ip dhcp snooping bin
SW1#sh ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:1B:2A:77:66:D2 10.0.128.13 372 dhcp-snooping 128 FastEthernet1/0/1
Total number of bindings: 1
SW1#sh ip sou
SW1#sh ip source bin
SW1#sh ip source binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:1B:2A:77:66:D2 10.0.128.13 369 dhcp-snooping 128 FastEthernet1/0/1
00:24:C4:31:12:6E 10.0.128.102 infinite static 128 FastEthernet1/0/2
Total number of bindings: 2
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#int f1/0/3
SW1(config-if)#ip ver
SW1(config-if)#ip verify so
SW1(config-if)#ip verify source
SW1(config-if)#end
SW1#
*Mar 1 00:26:52.298: %SYS-5-CONFIG_I: Configured from console by console
SW1#sh ip dhcp sno
SW1#sh ip dhcp snooping bi
SW1#sh ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:1B:2A:77:66:D2 10.0.128.13 330 dhcp-snooping 128 FastEthernet1/0/1
Total number of bindings: 1
SW1#sh ip dhc
SW1#sh ip sou
SW1#sh ip source bin
SW1#sh ip source binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:1B:2A:77:66:D2 10.0.128.13 325 dhcp-snooping 128 FastEthernet1/0/1
00:24:C4:31:12:6E 10.0.128.102 infinite static 128 FastEthernet1/0/2
Total number of bindings: 2
SW1#
*Mar 1 00:27:40.843: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/3, changed state to down
*Mar 1 00:27:41.850: %LINK-3-UPDOWN: Interface FastEthernet1/0/3, changed state to down
SW1#
*Mar 1 00:28:41.526: %LINK-3-UPDOWN: Interface FastEthernet1/0/3, changed state to up
SW1#
*Mar 1 00:28:42.533: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/3, changed state to up
SW1#
I think that, for the anti-IP-spoofing problem, DAI satisfies the requirements…
DAI prevents spoofing at ARP time.
IP Source Guard prevents it at the IP traffic level.
Both configurations enhance Layer 2 and Layer 3 security (maybe…).
Dynamic ARP inspection Lab(DHCP & Static Environment)
Base Configuration
configure terminal
!
vtp mode transparent
!
vlan 128
exit
!
ip routing
!
spanning-tree portfast default
!
interface range FastEthernet 1/0/1 - 3
switchport mode access
switchport access vlan 128
exit
interface FastEthernet 1/0/24
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 128
exit
!
end
configure terminal
!
interface FastEthernet 0/0
ip address dhcp
no shutdown
!
end
configure terminal
!
interface FastEthernet 0/0
ip address 10.0.128.102 255.255.255.0
no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end
configure terminal
!
interface FastEthernet 0/0
no shutdown
!
end
Dynamic ARP inspection Configuration
configure terminal
!
ip dhcp snooping
ip dhcp snooping vlan 128
ip arp inspection vlan 128
!
ip dhcp snooping information option
!
arp access-list ARP-VLAN128
permit ip host 10.0.128.102 mac host 0024.c431.126e log
exit
!
ip arp inspection filter ARP-VLAN128 vlan 128
!
interface FastEthernet 1/0/24
ip dhcp snooping trust
ip arp inspection trust
exit
!
end
configure terminal
!
interface FastEthernet 0/0
ip address 10.0.128.10 255.255.255.0
no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end
SW1 Console Log
SW1#sh ip source binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:1B:2A:77:66:D2 10.0.128.13 514 dhcp-snooping 128 FastEthernet1/0/1
Total number of bindings: 1
SW1#sh ip dhcp
SW1#sh ip dhcp bin
SW1#sh ip dhcp sno
SW1#sh ip dhcp snooping bin
SW1#sh ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:1B:2A:77:66:D2 10.0.128.13 505 dhcp-snooping 128 FastEthernet1/0/1
Total number of bindings: 1
SW1#
*Mar 1 01:24:04.799: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/2, vlan 128.([0024.c431.126e/10.0.128.102/001b.2a77.66d2/10.0.128.13/01:24:04 UTC Mon Mar 1 1993])
SW1#
*Mar 1 01:24:06.812: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/2, vlan 128.([0024.c431.126e/10.0.128.102/001b.2a77.66d2/10.0.128.13/01:24:06 UTC Mon Mar 1 1993])
SW1#
*Mar 1 01:24:08.826: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/2, vlan 128.([0024.c431.126e/10.0.128.102/001b.2a77.66d2/10.0.128.13/01:24:08 UTC Mon Mar 1 1993])
SW1#
*Mar 1 01:24:10.839: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/2, vlan 128.([0024.c431.126e/10.0.128.102/001b.2a77.66d2/10.0.128.13/01:24:10 UTC Mon Mar 1 1993])
SW1#
*Mar 1 01:24:12.852: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/2, vlan 128.([0024.c431.126e/10.0.128.102/001b.2a77.66d2/10.0.128.13/01:24:12 UTC Mon Mar 1 1993])
SW1#
*Mar 1 01:29:21.947: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.102/ffff.ffff.ffff/10.0.128.102/01:29:21 UTC Mon Mar 1 1993])
SW1#ping 10.0.128.102
% Unrecognized host or address, or protocol not running.
SW1#
*Mar 1 01:30:09.293: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/2, vlan 128.([0024.c431.126e/10.0.128.102/001b.2a77.66d2/10.0.128.13/01:30:08 UTC Mon Mar 1 1993])
*Mar 1 01:30:09.293: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.102/001b.2a77.66d2/10.0.128.13/01:30:08 UTC Mon Mar 1 1993])
SW1#
*Mar 1 01:30:11.306: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.102/001b.2a77.66d2/10.0.128.13/01:30:10 UTC Mon Mar 1 1993])
*Mar 1 01:30:11.306: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/2, vlan 128.([0024.c431.126e/10.0.128.102/001b.2a77.66d2/10.0.128.13/01:30:10 UTC Mon Mar 1 1993])
SW1#
*Mar 1 01:30:13.319: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/2, vlan 128.([0024.c431.126e/10.0.128.102/001b.2a77.66d2/10.0.128.13/01:30:12 UTC Mon Mar 1 1993])
*Mar 1 01:30:13.319: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.102/001b.2a77.66d2/10.0.128.13/01:30:12 UTC Mon Mar 1 1993])
SW1#
*Mar 1 01:30:15.332: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.102/001b.2a77.66d2/10.0.128.13/01:30:14 UTC Mon Mar 1 1993])
*Mar 1 01:30:15.332: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/2, vlan 128.([0024.c431.126e/10.0.128.102/001b.2a77.66d2/10.0.128.13/01:30:14 UTC Mon Mar 1 1993])
SW1#
*Mar 1 01:30:17.346: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.102/001b.2a77.66d2/10.0.128.13/01:30:16 UTC Mon Mar 1 1993])
*Mar 1 01:30:17.346: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/2, vlan 128.([0024.c431.126e/10.0.128.102/001b.2a77.66d2/10.0.128.13/01:30:16 UTC Mon Mar 1 1993])
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#moni
SW1(config)#monitor se
SW1(config)#monitor session 1 sou
SW1(config)#monitor session 1 source in
SW1(config)#monitor session 1 source interface f1/0/3
SW1(config)#monitor session 1 desti interface f1/0/3
SW1(config)#monitor session 1 desti interface f1/0/12
SW1(config)#
*Mar 1 01:35:19.428: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/2, vlan 128.([0024.c431.126e/10.0.128.102/001b.2a77.66d2/10.0.128.13/01:35:19 UTC Mon Mar 1 1993])
*Mar 1 01:35:19.428: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.102/001b.2a77.66d2/10.0.128.13/01:35:19 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 01:35:21.441: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/2, vlan 128.([0024.c431.126e/10.0.128.102/001b.2a77.66d2/10.0.128.13/01:35:21 UTC Mon Mar 1 1993])
*Mar 1 01:35:21.441: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.102/001b.2a77.66d2/10.0.128.13/01:35:21 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 01:35:23.454: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.102/001b.2a77.66d2/10.0.128.13/01:35:23 UTC Mon Mar 1 1993])
*Mar 1 01:35:23.454: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/2, vlan 128.([0024.c431.126e/10.0.128.102/001b.2a77.66d2/10.0.128.13/01:35:23 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 01:35:25.468: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/2, vlan 128.([0024.c431.126e/10.0.128.102/001b.2a77.66d2/10.0.128.13/01:35:25 UTC Mon Mar 1 1993])
*Mar 1 01:35:25.468: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.102/001b.2a77.66d2/10.0.128.13/01:35:25 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 01:35:27.481: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.102/001b.2a77.66d2/10.0.128.13/01:35:27 UTC Mon Mar 1 1993])
*Mar 1 01:35:27.481: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/2, vlan 128.([0024.c431.126e/10.0.128.102/001b.2a77.66d2/10.0.128.13/01:35:27 UTC Mon Mar 1 1993])
SW1(config)#
SW1(config)#
SW1(config)#
SW1(config)#
SW1(config)#
SW1(config)#
SW1(config)#
SW1(config)#
SW1(config)#arp acc
SW1(config)#arp access-list insp
SW1(config)#arp access-list inspe
SW1(config)#arp access-list ARP-VLAN128
SW1(config-arp-nacl)#permi
SW1(config-arp-nacl)#permit ip hos
SW1(config-arp-nacl)#permit ip host 10.0.128.102 ma
SW1(config-arp-nacl)#permit ip host 10.0.128.102 mac 0024.c431.126e l
SW1(config-arp-nacl)#permit ip host 10.0.128.102 mac 0024.c431.126e smar
SW1(config-arp-nacl)#permit ip host 10.0.128.102 mac 0024.c431.126e log
SW1(config-arp-nacl)#permit ip host 10.0.128.102 mac 0024.c431.126e lo?
% Unrecognized command
SW1(config-arp-nacl)#permit ip host 10.0.128.102 mac host 0024.c431.126e ?
log Log on match
<cr>
SW1(config-arp-nacl)#permit ip host 10.0.128.102 mac host 0024.c431.126e log
SW1(config-arp-nacl)#exit
SW1(config)#ip arp
SW1(config)#ip arp ins
SW1(config)#ip arp inspection fil
SW1(config)#ip arp inspection filter ARP-VLAN128 vlan 128
SW1(config)#
*Mar 1 01:37:38.377: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.102/001b.2a77.66d2/10.0.128.13/01:37:38 UTC Mon Mar 1 1993])
SW1(config)#end
SW1#
*Mar 1 01:38:13.508: %SYS-5-CONFIG_I: Configured from console by console
SW1#sh ip vlan 128
*Mar 1 01:38:31.779: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/ffff.ffff.ffff/10.0.128.103/01:38:31 UTC Mon Mar 1 1993])
SW1#sh ip vlan 128
*Mar 1 01:38:44.865: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:38:44 UTC Mon Mar 1 1993])
SW1#sh ip vlan 128
*Mar 1 01:38:46.878: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:38:46 UTC Mon Mar 1 1993])
SW1#sh ip vlan 128
*Mar 1 01:38:48.891: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:38:48 UTC Mon Mar 1 1993])
SW1#sh ip vlan 128
*Mar 1 01:38:50.905: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:38:50 UTC Mon Mar 1 1993])
SW1#sh ip vlan 128
*Mar 1 01:38:52.918: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:38:52 UTC Mon Mar 1 1993])
SW1#sh ip dhcp sno
SW1#sh ip dhcp snooping bi
SW1#sh ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:1B:2A:77:66:D2 10.0.128.13 457 dhcp-snooping 128 FastEthernet1/0/1
Total number of bindings: 1
SW1#sh dhcp sno
SW1#sh ip sou
SW1#sh ip source bin
SW1#sh ip source binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:1B:2A:77:66:D2 10.0.128.13 449 dhcp-snooping 128 FastEthernet1/0/1
Total number of bindings: 1
SW1#sh ip ar
SW1#sh ip arp ins
SW1#sh ip arp inspection ?
interfaces Interface status
log Log Buffer
statistics Packet statistics on DAI configured vlans
vlan Selected vlan range
| Output modifiers
<cr>
SW1#sh ip arp inspection sta
SW1#sh ip arp inspection statistics
Vlan Forwarded Dropped DHCP Drops ACL Drops
---- --------- ------- ---------- ---------
128 45 33 33 0
Vlan DHCP Permits ACL Permits Probe Permits Source MAC Failures
---- ------------ ----------- ------------- -------------------
128 32 1 7 0
Vlan Dest MAC Failures IP Validation Failures Invalid Protocol Data
---- ----------------- ---------------------- ---------------------
128 0 0 0
SW1#sh ip arp inspection
Source Mac Validation : Disabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled
Vlan Configuration Operation ACL Match Static ACL
---- ------------- --------- --------- ----------
128 Enabled Active ARP-VLAN128 No
Vlan ACL Logging DHCP Logging Probe Logging
---- ----------- ------------ -------------
128 Deny Deny Off
Vlan Forwarded Dropped DHCP Drops ACL Drops
---- --------- ------- ---------- ---------
128 45 33 33 0
Vlan DHCP Permits ACL Permits Probe Permits Source MAC Failures
---- ------------ ----------- ------------- -------------------
128 32 1 7 0
Vlan Dest MAC Failures IP Validation Failures Invalid Protocol Data
---- ----------------- ---------------------- ---------------------
128 0 0 0
SW1#
Dynamic ARP inspection Lab(Misc Topics)
Base Configuration
configure terminal
!
vtp mode transparent
!
vlan 128
exit
!
ip routing
!
spanning-tree portfast default
!
interface range FastEthernet 1/0/1 - 3
switchport mode access
switchport access vlan 128
exit
interface FastEthernet 1/0/24
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 128
exit
!
end
configure terminal
!
interface FastEthernet 0/0
ip address dhcp
no shutdown
!
end
configure terminal
!
interface FastEthernet 0/0
ip address 10.0.128.102 255.255.255.0
no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end
configure terminal
!
interface FastEthernet 0/0
no shutdown
!
end
Dynamic ARP inspection Configuration
configure terminal
!
ip dhcp snooping
ip dhcp snooping vlan 128
ip arp inspection vlan 128
!
ip dhcp snooping information option
!
arp access-list ARP-VLAN128
permit ip host 10.0.128.102 mac host 0024.c431.126e log
exit
!
ip arp inspection filter ARP-VLAN128 vlan 128
!
interface FastEthernet 1/0/24
ip dhcp snooping trust
ip arp inspection trust
exit
!
end
configure terminal
!
interface FastEthernet 0/0
ip address 10.0.128.103 255.255.255.0
no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end
rate limiting
- interface configuration mode.
configure terminal
!
interface FastEthernet 1/0/3
ip arp inspection limit rate 1 burst interval 1
!
end
SW1(config)#ip arp
SW1(config)#ip arp inspe
SW1(config)#ip arp inspection li
SW1(config)#ip arp inspection limi
SW1(config)#ip arp inspection limi
SW1(config)#ip arp inspection limi
SW1(config)#ip arp inspection limi
SW1(config)#ip arp inspection li
SW1(config)#ip arp inspection
SW1(config)#ip arp inspection ?
filter Specify ARP acl to be applied
log-buffer Log Buffer Configuration
smartlog Smartlog all the logged pkts
validate Validate addresses
vlan Enable/Disable ARP Inspection on vlans
SW1(config)#ip arp inspection vlan 128 ?
logging Configure type of packets to be logged
<cr>
SW1(config)#ip arp inspection
SW1(config)#ip arp inspection
SW1(config)#ip arp inspection ?
filter Specify ARP acl to be applied
log-buffer Log Buffer Configuration
smartlog Smartlog all the logged pkts
validate Validate addresses
vlan Enable/Disable ARP Inspection on vlans
SW1(config)#int f1/0/3
SW1(config-if)#ip arp
SW1(config-if)#ip arp ins
SW1(config-if)#ip arp inspection li
SW1(config-if)#ip arp inspection limit ra
SW1(config-if)#ip arp inspection limit rate ?
<0-2048> Packets per second
SW1(config-if)#ip arp inspection limit no
SW1(config-if)#ip arp inspection limit ra
SW1(config-if)#ip arp inspection limit rate 2
SW1(config-if)#ip arp inspection limit rate 2 burs
SW1(config-if)#ip arp inspection limit rate 2 burst inter
SW1(config-if)#ip arp inspection limit rate 2 burst interval ?
<1-15> Burst interval in seconds
SW1(config-if)#ip arp inspection limit rate 2 burst interval 1
SW1(config-if)#
*Mar 1 01:06:27.818: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/ffff.ffff.ffff/10.0.128.103/01:06:27 UTC Mon Mar 1 1993])
SW1(config-if)#ping 10.0.128.103
^
% Invalid input detected at '^' marker.
SW1(config-if)#
*Mar 1 01:07:01.053: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:07:00 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar 1 01:07:03.067: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:07:02 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar 1 01:07:05.080: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:07:04 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar 1 01:07:07.093: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:07:06 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar 1 01:07:09.107: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:07:08 UTC Mon Mar 1 1993])
SW1(config-if)#ip arp inspection limit rate 1 burst interval 1
SW1(config-if)#ping 10.0.128.103
^
% Invalid input detected at '^' marker.
SW1(config-if)#
*Mar 1 01:07:32.259: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:07:31 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar 1 01:07:34.272: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:07:33 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar 1 01:07:36.286: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:07:35 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar 1 01:07:38.299: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:07:37 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar 1 01:07:40.312: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:07:39 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar 1 01:07:48.365: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/01:07:48 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar 1 01:07:50.378: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/01:07:50 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar 1 01:07:52.400: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/01:07:52 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar 1 01:07:54.413: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/01:07:54 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar 1 01:07:56.225: %SW_DAI-4-PACKET_RATE_EXCEEDED: 2 packets received in 117 milliseconds on Fa1/0/3.
*Mar 1 01:07:56.225: %PM-4-ERR_DISABLE: arp-inspection error detected on Fa1/0/3, putting Fa1/0/3 in err-disable state
*Mar 1 01:07:56.427: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:07:56 UTC Mon Mar 1 1993])
*Mar 1 01:07:57.232: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/3, changed sta
SW1(config-if)#te to down
SW1(config-if)#
*Mar 1 01:07:58.239: %LINK-3-UPDOWN: Interface FastEthernet1/0/3, changed state to down
SW1(config-if)#
SW1(config-if)#
SW1(config-if)#
SW1(config-if)#
SW1(config-if)#
SW1(config-if)#
SW1(config-if)#
SW1(config-if)#do sh int f1/0/3 | i 1/0/3
FastEthernet1/0/3 is down, line protocol is down (err-disabled)
SW1(config-if)#shut
SW1(config-if)#shut
*Mar 1 01:17:22.515: %LINK-5-CHANGED: Interface FastEthernet1/0/3, changed state to administratively down
SW1(config-if)#shut
SW1(config-if)#do sh int f1/0/3 | i 1/0/3
FastEthernet1/0/3 is administratively down, line protocol is down (disabled)
SW1(config-if)#no shut
SW1(config-if)#
*Mar 1 01:17:33.630: %LINK-3-UPDOWN: Interface FastEthernet1/0/3, changed state to up
*Mar 1 01:17:34.637: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/3, changed state to up
SW1(config-if)#
*Mar 1 01:17:36.423: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/ffff.ffff.ffff/10.0.128.103/01:17:35 UTC Mon Mar 1 1993])
SW1(config-if)#do sh int f1/0/3 | i 1/0/3
FastEthernet1/0/3 is up, line protocol is up (connected)
SW1(config-if)#
SW1(config-if)#
SW1(config-if)#
configure terminal
!
errdisable detect cause arp-inspection
errdisable recovery cause arp-inspection
errdisable recovery interval 30
!
end
SW1(config)#errdisable detect cause arp-inspection
SW1(config)#errdisable recovery cause arp-inspection
SW1(config)#errdisable recovery interval 30
SW1(config)#
SW1(config)#
SW1(config)#
SW1(config)#
SW1(config)#
SW1(config)#sh int f1/0/3 | i 1/0/3
^
% Invalid input detected at '^' marker.
SW1(config)#do sh int f1/0/3 | i 1/0/3
FastEthernet1/0/3 is up, line protocol is up (connected)
SW1(config)#de
SW1(config)#debu
SW1(config)#
*Mar 1 01:23:38.987: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:23:38 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 01:23:40.732: %SW_DAI-4-PACKET_RATE_EXCEEDED: 2 packets received in 419 milliseconds on Fa1/0/3.
*Mar 1 01:23:40.732: %PM-4-ERR_DISABLE: arp-inspection error detected on Fa1/0/3, putting Fa1/0/3 in err-disable state
*Mar 1 01:23:41.017: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:23:40 UTC Mon Mar 1 1993])
*Mar 1 01:23:41.739: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/3, changed sta
SW1(config)#te to down
SW1(config)#
*Mar 1 01:23:42.746: %LINK-3-UPDOWN: Interface FastEthernet1/0/3, changed state to down
SW1(config)#do sh int f1/0/3 | i 1/0/3
FastEthernet1/0/3 is down, line protocol is down (err-disabled)
SW1(config)#do sh int f1/0/3 | i 1/0/3
FastEthernet1/0/3 is down, line protocol is down (err-disabled)
SW1(config)#do sh int f1/0/3 | i 1/0/3
FastEthernet1/0/3 is down, line protocol is down (err-disabled)
SW1(config)#do sh int f1/0/3 | i 1/0/3
FastEthernet1/0/3 is down, line protocol is down (err-disabled)
SW1(config)#
*Mar 1 01:24:10.738: %PM-4-ERR_RECOVER: Attempting to recover from arp-inspection err-disable state on Fa1/0/3
SW1(config)#
*Mar 1 01:24:14.471: %LINK-3-UPDOWN: Interface FastEthernet1/0/3, changed state to up
SW1(config)#
*Mar 1 01:24:15.243: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/ffff.ffff.ffff/10.0.128.103/01:24:14 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 01:24:15.478: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/3, changed state to up
SW1(config)#do sh int f1/0/3 | i 1/0/3
FastEthernet1/0/3 is up, line protocol is up (connected)
SW1(config)#
SW1(config)#
SW1(config)#
SW1(config)#
validate arp
configure terminal
!
! validate is a global configuration command, not an interface command
ip arp inspection validate src-mac dst-mac ip
!
end
I can't understand validate arp…
How do I verify this command in the lab…
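What each of the three validate keywords tests, as an added Python model that is not part of the original post and is not Cisco code. It follows the rules in Cisco's command documentation (src-mac and the sender IP are checked on requests and replies, dst-mac and the target IP only on replies); ArpFrame, failed_checks and the sample frames are hypothetical, and the Ethernet-header MACs are constructed because the switch's log messages show only the ARP body.

```python
"""Model of: ip arp inspection validate src-mac dst-mac ip

Added illustration, not switch code. ArpFrame, failed_checks and SAMPLES are
hypothetical names; the Ethernet-header MACs in SAMPLES are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpFrame:
    eth_src: str      # source MAC in the Ethernet header
    eth_dst: str      # destination MAC in the Ethernet header
    op: str           # "request" or "reply"
    sender_mac: str   # the remaining fields are the ARP body
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac(mac):
    """Reduce 0024.c431.126e or 00:24:C4:31:12:6E to 12 lowercase hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


def _invalid_ip(ip):
    """0.0.0.0, 255.255.255.255 and every multicast address are rejected."""
    addr = ipaddress.IPv4Address(ip)
    return str(addr) in ("0.0.0.0", "255.255.255.255") or addr.is_multicast


def failed_checks(frame, enabled=("src-mac", "dst-mac", "ip")):
    """Return the enabled validate checks that this frame fails."""
    failed = []
    # src-mac: Ethernet source must equal the ARP sender MAC (requests and replies).
    if "src-mac" in enabled and _mac(frame.eth_src) != _mac(frame.sender_mac):
        failed.append("src-mac")
    # dst-mac: Ethernet destination must equal the ARP target MAC (replies only).
    if ("dst-mac" in enabled and frame.op == "reply"
            and _mac(frame.eth_dst) != _mac(frame.target_mac)):
        failed.append("dst-mac")
    # ip: sender IP is always checked, target IP only in replies.
    if "ip" in enabled and (
            _invalid_ip(frame.sender_ip)
            or (frame.op == "reply" and _invalid_ip(frame.target_ip))):
        failed.append("ip")
    return failed


HOST_102 = "0024.c431.126e"   # static host in this lab
HOST_13 = "001b.2a77.66d2"    # DHCP client in this lab
HOST_103 = "0021.a009.487c"   # host on Fa1/0/3 in this lab
BCAST = "ffff.ffff.ffff"

SAMPLES = {
    "consistent reply": ArpFrame(
        HOST_102, HOST_13, "reply", HOST_102, "10.0.128.102", HOST_13, "10.0.128.13"),
    "body names another sender MAC": ArpFrame(
        HOST_103, HOST_13, "reply", HOST_102, "10.0.128.102", HOST_13, "10.0.128.13"),
    "unicast reply sent to broadcast": ArpFrame(
        HOST_102, BCAST, "reply", HOST_102, "10.0.128.102", HOST_13, "10.0.128.13"),
    "request with zero sender IP": ArpFrame(
        HOST_13, BCAST, "request", HOST_13, "0.0.0.0", "0000.0000.0000", "10.0.128.13"),
    # ARP body taken from the Fa1/0/3 log lines; Ethernet header assumed.
    "gratuitous reply from the log": ArpFrame(
        HOST_103, BCAST, "reply", HOST_103, "10.0.128.103", BCAST, "10.0.128.103"),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:34} fails: {failed_checks(frame) or 'nothing'}")
```

The last sample passes all three checks although the log shows the switch denying that ARP body, because that denial comes from the binding lookup and not from validate. Frames that do fail these checks are counted in the Source MAC Failures, Dest MAC Failures and IP Validation Failures columns of show ip arp inspection statistics.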
log-buffer
configure terminal
!
! log buffer configuration
ip arp inspection log-buffer logs 10 interval 10
ip arp inspection log-buffer entries 100
!
! packet type definition
ip arp inspection vlan 128 logging acl-match matchlog
ip arp inspection vlan 128 logging dhcp-bindings all
!
end
SW1#sh run | i arp inspection
ip arp inspection vlan 128
ip arp inspection vlan 128 logging acl-match matchlog
ip arp inspection vlan 128 logging dhcp-bindings all
ip arp inspection log-buffer entries 100
ip arp inspection log-buffer logs 10 interval 2
ip arp inspection filter ARP-VLAN128 vlan 128
ip arp inspection trust
SW1(config)#
*Mar 1 00:10:14.566: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/00:10:14 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:10:16.579: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/00:10:16 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:10:18.592: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/00:10:18 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:10:20.605: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/00:10:20 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:10:22.619: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/00:10:22 UTC Mon Mar 1 1993])
SW1(config)#ip arp
SW1(config)#ip arp
SW1(config)#ip arp inse
SW1(config)#ip arp insp
SW1(config)#ip arp inspection log
SW1(config)#ip arp inspection log-buffer entri
SW1(config)#ip arp inspection log-buffer entries ?
<0-1024> Number of entries for log buffer
SW1(config)#ip arp inspection log-buffer entries 100
SW1(config)#ip arp
SW1(config)#ip arp inspe
SW1(config)#ip arp inspection log
SW1(config)#ip arp inspection log-buffer log
SW1(config)#ip arp inspection log-buffer logs 10 inter
SW1(config)#ip arp inspection log-buffer logs 10 interval 2
SW1(config)#ip arp
SW1(config)#ip arp ins
SW1(config)#ip arp inspection vla
SW1(config)#ip arp inspection vlan 128 logg
SW1(config)#ip arp inspection vlan 128 logging ?
acl-match Logging of packets that match ACLs
arp-probe Log ARP probe packets with zero sender IP addr
dhcp-bindings Logging of packet that match DHCP bindings
SW1(config)#ip arp inspection vlan 128 logging acl
SW1(config)#ip arp inspection vlan 128 logging acl-match ?
matchlog Log packets on ACE logging configuration
none Do not log packets that match ACLs
SW1(config)#ip arp inspection vlan 128 logging acl-match mat
SW1(config)#ip arp inspection vlan 128 logging acl-match matchlog dhcp
SW1(config)#ip arp inspection vlan 128 logging acl-match matchlog dhcp
SW1(config)#ip arp inspection vlan 128 logging acl-match matchlog dhcp
SW1(config)#ip arp inspection vlan 128 logging acl-match matchlog dhcp-bi
SW1(config)#ip arp inspection vlan 128 logging acl-match matchlog dhcp-bi
SW1(config)#ip arp inspection vlan 128 logging acl-match matchlog ?
<cr>
SW1(config)#ip arp inspection vlan 128 logging acl-match matchlog
SW1(config)#ip arp
SW1(config)#ip arp inspe
SW1(config)#ip arp inspection vla
SW1(config)#ip arp inspection vlan 128 logg
SW1(config)#ip arp inspection vlan 128 logging ac
SW1(config)#ip arp inspection vlan 128 logging dhc
SW1(config)#ip arp inspection vlan 128 logging dhcp-bindings ?
all Log all packets that match DHCP bindings
none Do not log packets that match DHCP bindings
permit Log DHCP Binding Permitted packets
SW1(config)#ip arp inspection vlan 128 logging dhcp-bindings all
SW1(config)#
*Mar 1 00:13:51.034: %SW_DAI-6-DHCP_SNOOPING_PERMIT: 1 ARPs (Req) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.13/0000.0000.0000/10.0.128.1/00:13:50 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:13:56.067: %SW_DAI-6-DHCP_SNOOPING_PERMIT: 1 ARPs (Res) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.13/001b.2131.139b/10.0.128.254/00:13:55 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:16:00.915: %SW_DAI-6-DHCP_SNOOPING_PERMIT: 1 ARPs (Req) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.13/0000.0000.0000/10.0.128.103/00:16:00 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:16:00.915: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/00:16:00 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:16:02.928: %SW_DAI-6-DHCP_SNOOPING_PERMIT: 1 ARPs (Req) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.13/0000.0000.0000/10.0.128.103/00:16:02 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:16:02.928: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/00:16:02 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:16:04.941: %SW_DAI-6-DHCP_SNOOPING_PERMIT: 1 ARPs (Req) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.13/0000.0000.0000/10.0.128.103/00:16:04 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:16:04.941: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/00:16:04 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:16:06.954: %SW_DAI-6-DHCP_SNOOPING_PERMIT: 1 ARPs (Req) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.13/0000.0000.0000/10.0.128.103/00:16:05 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:16:06.954: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/00:16:06 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:16:08.968: %SW_DAI-6-DHCP_SNOOPING_PERMIT: 1 ARPs (Req) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.13/0000.0000.0000/10.0.128.103/00:16:08 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:16:08.968: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/00:16:08 UTC Mon Mar 1 1993])
SW1(config)#
*Mar 1 00:16:35.165: %SW_DAI-6-DHCP_SNOOPING_PERMIT: 1 ARPs (Res) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.13/001b.2131.139b/10.0.128.254/00:16:35 UTC Mon Mar 1 1993])
SW1(config)#
I can't understand what the log buffer means…
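The %SW_DAI messages in the console logs above are what the DAI log buffer emits, and each bracketed tuple is sender MAC / sender IP / target MAC / target IP / time. The following added Python example (not from the original post) parses those messages and sorts the denies by comparing each sender against the ARP ACL entry and the DHCP snooping binding configured in this lab. The function names and triage labels are hypothetical, and the labels are an analyst's reading of the log, not the switch's internal decision.

```python
"""Triage of %SW_DAI syslog lines against the lab's ARP ACL and DHCP bindings.

Added illustration; parse, classify, triage_denies and the labels are
hypothetical names, not Cisco terminology.
"""
import re
from collections import Counter

# Lines copied from the SW1 console logs on this page.
SAMPLE_LOG = """\
*Mar 1 01:24:04.799: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/2, vlan 128.([0024.c431.126e/10.0.128.102/001b.2a77.66d2/10.0.128.13/01:24:04 UTC Mon Mar 1 1993])
*Mar 1 01:29:21.947: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.102/ffff.ffff.ffff/10.0.128.102/01:29:21 UTC Mon Mar 1 1993])
*Mar 1 01:38:44.865: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:38:44 UTC Mon Mar 1 1993])
*Mar 1 00:13:51.034: %SW_DAI-6-DHCP_SNOOPING_PERMIT: 1 ARPs (Req) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.13/0000.0000.0000/10.0.128.1/00:13:50 UTC Mon Mar 1 1993])
*Mar 1 01:07:56.225: %SW_DAI-4-PACKET_RATE_EXCEEDED: 2 packets received in 117 milliseconds on Fa1/0/3.
"""

DAI_RE = re.compile(
    r"%SW_DAI-\d-DHCP_SNOOPING_(?P<verdict>DENY|PERMIT): (?P<count>\d+) "
    r"(?:Invalid )?ARPs \((?P<op>Req|Res)\) on (?P<port>[^,\s]+), vlan (?P<vlan>\d+)\."
    r"\(\[(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/(?P<tmac>[0-9a-f.]+)/(?P<tip>[\d.]+)/"
)
RATE_RE = re.compile(
    r"%SW_DAI-4-PACKET_RATE_EXCEEDED: (?P<n>\d+) packets received in "
    r"(?P<ms>\d+) milliseconds on (?P<port>\S+?)\.$"
)


def norm_mac(mac):
    """Reduce 0024.c431.126e or 00:24:C4:31:12:6E to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


# Tables as configured in this lab: the ARP ACL entry for the static host and
# the one DHCP snooping binding, keyed by (vlan, IP) -> owning MAC.
ARP_ACL = {(128, "10.0.128.102"): norm_mac("0024.c431.126e")}
DHCP_BINDINGS = {(128, "10.0.128.13"): norm_mac("00:1B:2A:77:66:D2")}


def parse(log_text):
    """Return (ARP events, rate-limit hits) found in the console text."""
    events, rate_hits = [], []
    for line in log_text.splitlines():
        m = DAI_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["count"], ev["vlan"] = int(ev["count"]), int(ev["vlan"])
            events.append(ev)
            continue
        m = RATE_RE.search(line.strip())
        if m:
            rate_hits.append((m["port"], int(m["n"]), int(m["ms"])))
    return events, rate_hits


def classify(ev, arp_acl, dhcp_bindings):
    """Label a sender MAC/IP pair by what the two tables say about that IP."""
    key, smac = (ev["vlan"], ev["sip"]), norm_mac(ev["smac"])
    for name, table in (("arp-acl", arp_acl), ("dhcp-binding", dhcp_bindings)):
        owner = table.get(key)
        if owner == smac:
            return "covered-by-" + name       # would be permitted with this table
        if owner is not None:
            return "ip-owned-by-other-mac"    # claimed IP belongs to another MAC
    return "no-binding"                       # e.g. a static host with no ACL entry


def triage_denies(log_text, arp_acl=ARP_ACL, dhcp_bindings=DHCP_BINDINGS):
    """Count denied ARPs per (port, sender MAC, sender IP, label)."""
    events, _ = parse(log_text)
    summary = Counter()
    for ev in events:
        if ev["verdict"] == "DENY":
            label = classify(ev, arp_acl, dhcp_bindings)
            summary[(ev["port"], ev["smac"], ev["sip"], label)] += ev["count"]
    return summary


if __name__ == "__main__":
    for (port, smac, sip, label), n in sorted(triage_denies(SAMPLE_LOG).items()):
        print(f"{port:8} {smac} {sip:13} x{n}  {label}")
    for port, n, ms in parse(SAMPLE_LOG)[1]:
        print(f"{port:8} rate limit hit: {n} ARP packets in {ms} ms")
```

The Fa1/0/2 deny is labelled covered-by-arp-acl because it was logged before the ARP-VLAN128 filter was applied, which matches the console log: denies for 0024.c431.126e stop once the filter is in place.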
References