Ethernet Switching

DHCP ARP inspection does not allow new clients to register on DHCP. Disconnects clients.

03-10-2019 11:37 PM

Hello! I have the following network configuration: Host <-> EX2300 access switch <-> EX4600 core switch <-> EX2300 web server access switch <-> DHCP server. I wanted to apply DHCP snooping and dynamic ARP inspection on the EX2300 access switch, and leave the web server access switch without additional security settings.

The problem is that users on the access switch are periodically disconnected and then cannot connect to the network or receive an IP address. In the DHCP binding table they are blocked, but there is no reason for this. Please tell me whether my equipment configuration is correct and what the problem could be.

Following configuration:

HOST ->

Access Switch

EX2300 version 18.1R3.3

set vlans USERS-26 vlan-id 26
set vlans USERS-26 forwarding-options dhcp-security arp-inspection
set vlans USERS-26 forwarding-options dhcp-security group TRUST-DHCP overrides trusted
set vlans USERS-26 forwarding-options dhcp-security group TRUST-DHCP interface ae0.0

->

Core Switch

EX4600:

JUNOS 14.1X53-D27.3 built 2015-06-17

set forwarding-options dhcp-relay forward-snooped-clients all-interfaces
set forwarding-options dhcp-relay overrides allow-snooped-clients
set forwarding-options dhcp-relay overrides bootp-support
set forwarding-options dhcp-relay overrides delete-binding-on-renegotiation
set forwarding-options dhcp-relay server-group DHCP-RELAY-GROUP 192.168.22.6
set forwarding-options dhcp-relay server-group DHCP-RELAY-GROUP 192.168.22.5
set forwarding-options dhcp-relay active-server-group DHCP-RELAY-GROUP
set forwarding-options dhcp-relay group DHCP-RELAY-GROUP interface irb.25
set forwarding-options dhcp-relay group DHCP-RELAY-GROUP interface irb.26

-> EX2300 -> DHCP-server

Please help: what is causing the clients to be cut off?

Re: DHCP ARP inspection does not allow new clients to register on DHCP. Disconnects clients.

03-11-2019 03:42 AM

Hi Dmitriy,

Please remove any other port-security feature you have configured on the access switch. Please also get the log messages from around the time any clients disconnected, for better clues.

Hope this helps.

Regards,
-r.

--------------------------------------------------

If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.

Re: DHCP ARP inspection does not allow new clients to register on DHCP. Disconnects clients.

03-11-2019 05:02 AM

On the access switch EX2300 the following is also configured:
set switch-options interface-mac-limit 10
set switch-options interface-mac-limit packet-action drop-and-log
set switch-options interface ae0.0 interface-mac-limit 16383
set switch-options interface ae0.0 interface-mac-limit disable

No more security settings. Unfortunately, I cannot remove the logs.

Is there a proven DAI configuration for the EX2300 and EX4600?

Accepted Solution (accepted by topic author Dmitriy MT, 03-14-2019 12:42 AM)

Re: DHCP ARP inspection does not allow new clients to register on DHCP. Disconnects clients.

03-11-2019 05:12 AM
Hi Dmitriy,

What's the error log when the client is blocked? If a port-security feature is blocking it, the log messages might tell you the reason.

Enable traces if you can't find anything from regular log messages:
set system services dhcp traceoptions file dhcp.log files 5 size 10m
set system services dhcp traceoptions flag all

Later, note the time the client gets dropped and check "show log dhcp.log".

Hope this helps.

Regards,
-r.

--------------------------------------------------

If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.

Re: DHCP ARP inspection does not allow new clients to register on DHCP. Disconnects clients.

03-14-2019 12:42 AM

This is the output of the messages log:
Mar 14 09:14:17  ex2300 dc-pfe: DAI FAILED: ARP REPLY received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/44:aa:50:0e:56:00
Mar 14 09:14:17  ex2300 fpc0 DAI FAILED: ARP REPLY received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/44:aa:50:0e:56:00
Mar 14 09:14:17  ex2300 dc-pfe: DAI FAILED: ARP REQUEST received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/44:aa:50:0e:56:00
Mar 14 09:14:17  ex2300 fpc0 DAI FAILED: ARP REQUEST received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/44:aa:50:0e:56:00
Mar 14 09:14:18  ex2300 dc-pfe: DAI FAILED: ARP REPLY received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/44:aa:50:0e:56:00
Mar 14 09:14:18  ex2300 fpc0 DAI FAILED: ARP REPLY received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/44:aa:50:0e:56:00
Mar 14 09:14:18  ex2300 dc-pfe: DAI FAILED: ARP REQUEST received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/44:aa:50:0e:56:00
Mar 14 09:14:18  ex2300 fpc0 DAI FAILED: ARP REQUEST received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/44:aa:50:0e:56:00
Mar 14 09:14:51  ex2300 dc-pfe: DAI FAILED: ARP REQUEST received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/00:00:00:00:00:00
Mar 14 09:14:51  ex2300 fpc0 DAI FAILED: ARP REQUEST received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/00:00:00:00:00:00
Mar 14 09:14:52  ex2300 dc-pfe: DAI FAILED: ARP REQUEST received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/00:00:00:00:00:00
Mar 14 09:14:52  ex2300 fpc0 DAI FAILED: ARP REQUEST received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/00:00:00:00:00:00
Mar 14 09:14:52  ex2300 dc-pfe: DAI FAILED: ARP REQUEST received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/00:00:00:00:00:00
Mar 14 09:14:52  ex2300 fpc0 DAI FAILED: ARP REQUEST received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/00:00:00:00:00:00
Mar 14 09:14:52  ex2300 dc-pfe: DAI FAILED: ARP REQUEST received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/00:00:00:00:00:00
Mar 14 09:14:52  ex2300 fpc0 DAI FAILED: ARP REQUEST received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/0
Re: DHCP ARP inspection does not allow new clients to register on DHCP. Disconnects clients.

03-14-2019 01:17 AM

Hello!

Attached is the dhcp_logfile from the Juniper EX2300; can you look at why DAI is blocking users?

Can you point out where the problem is, please?
show dhcp-security arp inspection statistics
Interface      Packets received   ARP inspection pass   ARP inspection fail
ae0.0          19000758           19000758              0
ge-0/0/0.0     135628             70841                 64787
ge-0/0/1.0     103003             89374                 13629
ge-0/0/10.0    0                  0                     0
ge-0/0/11.0    0                  0                     0
ge-0/0/12.0    0                  0                     0
ge-0/0/13.0    0                  0                     0
ge-0/0/14.0    0                  0                     0
ge-0/0/15.0    0                  0                     0
ge-0/0/16.0    0                  0                     0
ge-0/0/17.0    0                  0                     0
ge-0/0/2.0     55884              47878                 8006
ge-0/0/3.0     574003             259568                314435
ge-0/0/4.0     0                  0                     0
ge-0/0/5.0     0                  0                     0
ge-0/0/6.0     0                  0                     0
ge-0/0/7.0     0                  0                     0
ge-0/0/8.0     0                  0                     0
ge-0/0/9.0     0                  0                     0
Re: DHCP ARP inspection does not allow new clients to register on DHCP. Disconnects clients.

03-14-2019 01:39 AM

Hi Dmitriy,

Nice. These logs indicate that the ARP request/response received on this port ge-0/0/3 cannot be linked to any of the IPs assigned by DHCP.

a) Please check this to confirm if there's a DHCP binding for the client seen by the switch:

show dhcp snooping binding | grep 10.193.18.61
show dhcp snooping binding | grep e0:d5:5e:02:68:e6

b) If there is no binding, then:

(i) Check whether this client is assigned this IP (10.193.18.61). You need to clear it out, or block the port if the client isn't in your control, and observe whether that stabilizes things.

(ii) If the client uses DHCP, then check whether there's a low lease time configured for the scope. It could be that the DHCP server is unreachable/unresponsive during a renew attempt by the client, and we see these logs during that time.

c) If there is a valid DHCP binding and DAI still fails, that calls for a JTAC ticket to explain.

Hope this helps.

Regards,
-r.

--------------------------------------------------

If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
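
An added example, not code from this thread or from Juniper, of how to triage the two things discussed above from the switch's own output: it parses "DAI FAILED" lines in the format of the messages log posted earlier, checks each sender IP/MAC against the DHCP snooping binding table (steps a to c in the reply), and ranks the interfaces from the "show dhcp-security arp inspection statistics" output by failure ratio. The log lines and the binding table are constructed samples; in practice the bindings would be filled from the "show dhcp snooping binding" output, and the regular expression is an assumption about the log format, not a Juniper-published one.

```python
import re

# Constructed sample of Junos "DAI FAILED" messages, modelled on the lines posted in
# this thread. The last line is the fpc0 copy of an event and is deliberately cut
# short, as the final line of the pasted log was, so the parser must skip it.
DAI_LOG = """\
Mar 14 09:14:17  ex2300 dc-pfe: DAI FAILED: ARP REPLY received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/44:aa:50:0e:56:00
Mar 14 09:14:17  ex2300 dc-pfe: DAI FAILED: ARP REQUEST received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/44:aa:50:0e:56:00
Mar 14 09:15:02  ex2300 dc-pfe: DAI FAILED: ARP REQUEST received, interface ge-0/0/1.0 [index 564], vlan-id 26, sender ip/mac 10.193.18.77/aa:bb:cc:dd:ee:01, receiver ip/mac 10.193.18.1/00:00:00:00:00:00
Mar 14 09:15:09  ex2300 dc-pfe: DAI FAILED: ARP REPLY received, interface ge-0/0/0.0 [index 563], vlan-id 26, sender ip/mac 10.193.18.90/aa:bb:cc:dd:ee:02, receiver ip/mac 10.193.18.1/44:aa:50:0e:56:00
Mar 14 09:14:52  ex2300 fpc0 DAI FAILED: ARP REQUEST received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/0
"""

# Constructed DHCP snooping binding table, keyed (vlan-id, ip) -> mac. This is the
# information the "show dhcp snooping binding" output gives you; 10.193.18.61 has
# no lease at all, which is the situation the posted logs show.
BINDINGS = {
    (26, "10.193.18.77"): "aa:bb:cc:dd:ee:01",  # lease matches the ARP sender
    (26, "10.193.18.90"): "11:22:33:44:55:66",  # IP leased to a different host
}

# Assumed log format, derived from the posted lines: a full 6-octet MAC is
# required on both sides, so a truncated line fails to match instead of parsing.
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
DAI_RE = re.compile(
    r"DAI FAILED: ARP (?P<op>REQUEST|REPLY) received, interface (?P<ifl>\S+) "
    r"\[index \d+\], vlan-id (?P<vlan>\d+), sender ip/mac (?P<sip>[\d.]+)/(?P<smac>"
    + MAC + r"), receiver ip/mac (?P<rip>[\d.]+)/(?P<rmac>" + MAC + r")"
)


def parse_dai_failures(text):
    """Return (events, skipped): one dict per well-formed DAI FAILED line."""
    events, skipped = [], 0
    for line in text.splitlines():
        if "DAI FAILED" not in line:
            continue
        m = DAI_RE.search(line)
        if not m:
            skipped += 1          # malformed or truncated line: count it, don't crash
            continue
        ev = m.groupdict()
        ev["vlan"] = int(ev["vlan"])
        events.append(ev)
    return events, skipped


def classify(vlan, ip, mac, bindings):
    """Map one failing sender to the branch of the reply's checklist it falls under."""
    bound_mac = bindings.get((vlan, ip))
    if bound_mac == mac:
        return "binding-ok"       # valid lease yet DAI fails: step (c), open a ticket
    if bound_mac is not None:
        return "mac-mismatch"     # the IP is leased to another MAC
    if any(v == vlan and m == mac for (v, _), m in bindings.items()):
        return "ip-mismatch"      # this MAC has a lease, but for a different IP
    return "no-binding"           # static/unknown IP or expired lease: step (b)


def correlate(events, bindings):
    """Group failures by (interface, vlan, sender ip, sender mac) with a verdict."""
    report = {}
    for ev in events:
        key = (ev["ifl"], ev["vlan"], ev["sip"], ev["smac"])
        entry = report.setdefault(
            key, {"count": 0, "verdict": classify(ev["vlan"], ev["sip"], ev["smac"], bindings)}
        )
        entry["count"] += 1
    return report


# Subset of the "show dhcp-security arp inspection statistics" table posted above.
DAI_STATS = """\
Interface      Packets received   ARP inspection pass   ARP inspection fail
ae0.0          19000758           19000758              0
ge-0/0/0.0     135628             70841                 64787
ge-0/0/1.0     103003             89374                 13629
ge-0/0/2.0     55884              47878                 8006
ge-0/0/3.0     574003             259568                314435
ge-0/0/4.0     0                  0                     0
"""


def parse_dai_stats(text):
    """Return {interface: (received, passed, failed)}; the header row is skipped."""
    stats = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and all(p.isdigit() for p in parts[1:]):
            stats[parts[0]] = tuple(int(p) for p in parts[1:])
    return stats


def worst_interfaces(stats, min_received=1000):
    """Interfaces with enough traffic to judge, ranked by share of failed ARP packets."""
    ranked = [(ifl, fail / recv) for ifl, (recv, _, fail) in stats.items() if recv >= min_received]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    events, skipped = parse_dai_failures(DAI_LOG)
    for key, entry in correlate(events, BINDINGS).items():
        print(f"{key[0]} vlan {key[1]} {key[2]}/{key[3]}: {entry['count']} failures, {entry['verdict']}")
    print(f"skipped {skipped} malformed line(s)")
    for ifl, ratio in worst_interfaces(parse_dai_stats(DAI_STATS)):
        print(f"{ifl}: {ratio:.0%} of ARP packets failed inspection")
```

On the sample, 10.193.18.61 on ge-0/0/3.0 comes out as "no-binding" (the host is ARPing with an address DHCP never leased it, so step b applies), 10.193.18.90 as "mac-mismatch", and 10.193.18.77 as "binding-ok", the only case the reply says warrants a JTAC ticket. The statistics ranking puts ge-0/0/3.0 first with over half its ARP packets failing, which is consistent with the posted table.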

Re: DHCP ARP inspection does not allow new clients to register on DHCP. Disconnects clients.

03-14-2019 01:50 AM
Hi Dmitriy,

Also, you can check the CLI command "show arp inspection statistics" for the ports and the count of such packets received.

Hope this helps.

Regards,
-r.

--------------------------------------------------

If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.