Ethernet Switching

DAI (arp inspection) and ARP probes

‎06-10-2013 07:42 AM

Hi,

It's not a new topic; I just discovered I already reported it ~3 years ago (http://forums.juniper.net/t5/Ethernet-Switching/EX-4200-DHCP-snooping-dai-ip-source-guard-with-AE-ag...

I'm interested whether it's only me who does not like the Junos behavior, or whether I'm missing something here?

EX2200 11.4R5.7 with DHCP snooping and ARP inspection. Junos reports ARP probes (http://tools.ietf.org/html/rfc5227) as incorrect packets (ARP inspection failed).

ARP probe event logged:

Jun 10 13:15:37  XYZ-EX eswd[1028]: ESWD_DAI_FAILED: 3 ARP_REQUEST received, interface ge-0/0/44.0[index 110], vlan XYZ[index 2], sender ip/mac 0.0.0.0/dc:0e:a1:5f:xx:yy, receiver ip/mac 10.33.2.162/00:00:00:00:00:00

admin@XYZ-EX> show dhcp snooping binding | match dc:0e:a1:5f:xx:yy
DC:0E:A1:5F:xx:yy  10.33.2.162                  7171  dynamic  XYZ   ge-0/0/44.0

On a busy EX2200 we have a lot of DAI logs, the statistics are crazy and we may miss real problems. All 'failed' entries below come from ARP probes.

admin@XYZ-EX> show arp inspection statistics
Interface     Packets received     ARP inspection pass  ARP inspection failed
  ge-0/0/0                    0                      0                      0
  ge-0/0/1                    0                      0                      0
  ge-0/0/2                    0                      0                      0
  ge-0/0/3                 8004                   7850                    154
  ge-0/0/4                    0                      0                      0
  ge-0/0/5                    0                      0                      0
  ge-0/0/6                    0                      0                      0
  ge-0/0/7                  623                    618                      5
  ge-0/0/8                17261                  17260                      1
  ge-0/0/9                 3030                   2796                    234
 ge-0/0/10                 6281                   1503                   4778
 ge-0/0/11                 5328                   5228                    100
 ge-0/0/12                48397                  48336                     61
 ge-0/0/13                 1726                   1684                     42
 ge-0/0/14                    0                      0                      0
 ge-0/0/15                 5788                   5611                    177
 ge-0/0/16                 8271                   8138                    133
 ge-0/0/17                   52                      0                     52
 ge-0/0/18                    0                      0                      0
 ge-0/0/19                 5563                   5408                    155
 ge-0/0/20                    0                      0                      0
[...]

In the case of Cisco IOS, it will not report ARP probes unless we ask for it (ip arp inspection validate - see http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dynarp.html...). No such knob exists in Junos.

Anyone using DAI and (un)happy with current Junos behavior? Or you don't care about DAI logs once it's enabled and works ...

jtb
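
An added example, not part of the original post and not Juniper tooling: a Python script that separates RFC 5227 ARP probes (ARP requests with sender IP 0.0.0.0) from other ESWD_DAI_FAILED events, so the failures that remain stand out. The field layout follows the log line quoted above; the sample lines, MAC addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Field layout follows the ESWD_DAI_FAILED line quoted in the post.
DAI_RE = re.compile(
    r"ESWD_DAI_FAILED: (?:\d+ )?(?P<op>ARP_\w+) received, "
    r"interface (?P<ifname>[^\[\s]+)\[index \d+\], "
    r"vlan (?P<vlan>[^\[\s]+)\[index \d+\], "
    r"sender ip/mac (?P<sip>[\d.]+)/(?P<smac>[^,\s]+), "
    r"receiver ip/mac (?P<tip>[\d.]+)/(?P<tmac>\S+)"
)

def parse_dai(line):
    """Return the DAI failure fields as a dict, or None for any other line."""
    m = DAI_RE.search(line)
    return m.groupdict() if m else None

def is_arp_probe(ev):
    """RFC 5227 probe: an ARP request whose sender IP is all zeroes."""
    return ev["op"] == "ARP_REQUEST" and ev["sip"] == "0.0.0.0"

def triage(lines):
    """Split DAI failures into per-interface probe counts and events to review."""
    probes, review = Counter(), []
    for line in lines:
        ev = parse_dai(line)
        if ev is None:
            continue  # not a DAI failure message
        if is_arp_probe(ev):
            probes[ev["ifname"]] += 1
        else:
            review.append(ev)
    return probes, review

# Constructed sample input: hostnames, indexes, MACs and addresses are made up.
_FMT = ("Jun 10 13:15:{sec}  XYZ-EX eswd[1028]: ESWD_DAI_FAILED: 1 ARP_REQUEST "
        "received, interface {ifname}[index 110], vlan XYZ[index 2], "
        "sender ip/mac {snd}, receiver ip/mac {tip}/00:00:00:00:00:00")
SAMPLE = [
    _FMT.format(sec=37, ifname="ge-0/0/44.0", snd="0.0.0.0/02:00:00:00:00:01", tip="10.33.2.162"),
    _FMT.format(sec=38, ifname="ge-0/0/10.0", snd="0.0.0.0/02:00:00:00:00:02", tip="10.33.2.170"),
    _FMT.format(sec=39, ifname="ge-0/0/10.0", snd="0.0.0.0/02:00:00:00:00:02", tip="10.33.2.170"),
    _FMT.format(sec=40, ifname="ge-0/0/10.0", snd="10.33.2.1/02:00:00:00:00:03", tip="10.33.2.50"),
    "Jun 10 13:15:41  XYZ-EX example[2001]: unrelated message",
]

if __name__ == "__main__":
    probes, review = triage(SAMPLE)
    print("ARP probes per interface:", dict(probes))
    print("Failures to review:", [(e["ifname"], e["sip"], e["smac"]) for e in review])
```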


Re: DAI (arp inspection) and ARP probes

‎03-06-2014 03:04 PM

I found PR874106; the problem might get resolved using the workaround exposed in the PR.

Workaround.

Service Restoration:
* Deactivate/activate DAI; or
* Do DHCP renew on clients.

Re: DAI (arp inspection) and ARP probes

‎03-07-2014 01:16 PM

I think a nice, cleaner solution is to simply instruct the system not to log those events in the messages file and then create a separate file to log them, just in case you need them. This article explains how to do just that:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB9382&smlogin=true

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]