DHCP ARP inspection does not allow new clients to register with DHCP. Disconnects clients.
Hello! I have the following network configuration: Host <-> EX2300 access switch <-> EX4600 core switch <-> EX2300 web server access switch <-> DHCP server. I wanted to apply DHCP snooping and dynamic ARP inspection on the EX2300 access switch, and leave the web server access switch without additional security settings.
The problem is that users on the access switch are periodically disconnected and cannot connect to the network or receive an IP address. In the DHCP binding table they are blocked, but there is no reason for this. Please tell me whether my equipment configuration is correct and where the problem might be.
HOST ->
EX2300 version 18.1R3.3
set vlans USERS-26 vlan-id 26
set vlans USERS-26 forwarding-options dhcp-security arp-inspection
set vlans USERS-26 forwarding-options dhcp-security group TRUST-DHCP overrides trusted
set vlans USERS-26 forwarding-options dhcp-security group TRUST-DHCP interface ae0.0
JUNOS 14.1X53-D27.3 built 2015-06-17
set forwarding-options dhcp-relay forward-snooped-clients all-interfaces
set forwarding-options dhcp-relay overrides allow-snooped-clients
set forwarding-options dhcp-relay overrides bootp-support
set forwarding-options dhcp-relay overrides delete-binding-on-renegotiation
set forwarding-options dhcp-relay server-group DHCP-RELAY-GROUP 192.168.22.6
set forwarding-options dhcp-relay server-group DHCP-RELAY-GROUP 192.168.22.5
set forwarding-options dhcp-relay active-server-group DHCP-RELAY-GROUP
set forwarding-options dhcp-relay group DHCP-RELAY-GROUP interface irb.25
set forwarding-options dhcp-relay group DHCP-RELAY-GROUP interface irb.26
-> EX2300 -> DHCP-server
Please help: what is causing the clients to be disconnected?
Re: DHCP ARP inspection does not allow new clients to register with DHCP. Disconnects clients.
Nice. These logs indicate that the ARP request/response received on port ge-0/0/3 cannot be linked to any of the IPs assigned by DHCP.
a) Please check this to confirm if there's a DHCP binding for the client seen by the switch:
show dhcp snooping binding | grep 10.193.18.61
show dhcp snooping binding | grep e0:d5:5e:02:68:e6
b) If there is no binding, then:
(i) Check whether this client is assigned this IP (10.193.18.61). You need to clear it out or block the port if the client isn't in your control, etc., and observe whether that stabilizes.
(ii) If the client uses DHCP, then check whether a low lease time is configured for the scope. It could be that the DHCP server is unreachable/unresponsive during the client's renew attempt, and we see these logs during that time.
c) If there is a valid DHCP binding and DAI still fails, that calls for a JTAC ticket to explain.
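As an added example (not from this thread or from Juniper), the check the reply walks through in steps a) to c) as a small Python script: it parses a constructed binding table in the general shape of `show dhcp snooping binding` output (the column layout is an assumption, not verbatim switch output) and reports why an ARP packet seen on an untrusted port would pass or fail DAI, including the expired-lease case from b)(ii).

```python
"""Replay the DAI decision against a DHCP snooping binding table."""
from dataclasses import dataclass

# Constructed sample in the general shape of a Junos binding table.
# The column layout is an assumption; the IP, MAC and port values for
# the first row are the ones quoted in the thread.
BINDING_TABLE = """\
IP address       MAC address         Vlan  Expires  State  Interface
10.193.18.61     e0:d5:5e:02:68:e6   26    86370    BOUND  ge-0/0/3.0
10.193.18.75     00:11:22:33:44:55   26    0        BOUND  ge-0/0/7.0
"""

@dataclass
class Binding:
    ip: str
    mac: str
    vlan: int
    expires: int       # seconds of lease left; 0 means the lease ran out
    interface: str

def parse_bindings(text):
    """Parse the table into Binding objects keyed by IP, skipping the header."""
    bindings = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, mac, vlan, expires, _state, iface = fields[:6]
        bindings[ip] = Binding(ip, mac.lower(), int(vlan), int(expires), iface)
    return bindings

def dai_verdict(bindings, ip, mac, vlan, interface):
    """Return (allowed, reason) for an ARP seen on an untrusted port.
    A binding must exist for the sender IP, must not have expired, and its
    MAC, VLAN and interface must all match what the ARP was seen with."""
    b = bindings.get(ip)
    if b is None:
        return False, "no DHCP binding for %s (static IP or lease never completed)" % ip
    if b.expires <= 0:
        return False, "binding for %s expired; the renew may not have reached the server" % ip
    if b.mac != mac.lower():
        return False, "MAC %s does not match bound MAC %s" % (mac.lower(), b.mac)
    if b.vlan != vlan or b.interface != interface:
        return False, "binding is on vlan %d %s, ARP seen on vlan %d %s" % (
            b.vlan, b.interface, vlan, interface)
    return True, "ARP matches binding"

if __name__ == "__main__":
    table = parse_bindings(BINDING_TABLE)
    print(dai_verdict(table, "10.193.18.61", "e0:d5:5e:02:68:e6", 26, "ge-0/0/3.0"))
```

Feeding the real binding table into `parse_bindings` and the IP/MAC/port from the DAI log lines into `dai_verdict` tells you which of the reply's cases applies before opening a ticket.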