Hey guys,
I had this weird DHCP issue happening on all our access switches (3850) after upgrading our core Nexus switches (7k). I upgraded our core on a Sunday morning and it went smoothly. But then on Monday morning we received calls from users that their network was down.
All attempts at renewing DHCP were failing, and when I had a look at the 3850 logs there were heaps of entries like the ones below:
1 Invalid ARPs (Res) on Gi2/0/4, vlan 100 ([847b.XXXX/169.254.0.55/501c.bXX/0.0.0.0/09:19:17 ])
1 Invalid ARPs (Req) on Gi3/0/8, vlan 100.([a44cxxxx/10.30.112.210/0000.0c9f.XXX/10.30.112.1/)
As soon as I turned off DHCP snooping and DAI for VLAN 100 the issue was resolved and I could renew DHCP on almost all affected PCs.
Has anyone had similar issues with DAI before? I read somewhere that I have to add the command below to fix the issue:
ip arp inspection validate src-mac dst-mac ip allow-zeros
I have also seen this suggested as a solution to allow APIPA addresses through DAI:
! ARP ACL permitting self-assigned (APIPA) senders, then applied to the VLAN
arp access-list VLAN_100
permit ip 169.254.0.0 0.0.255.255 mac any
ip arp inspection filter VLAN_100 vlan 100
Cisco TAC could not find an issue on the switches and are asking me to re-enable DAI to troubleshoot further. But given the huge impact of this, I wanted to see if there is a fix for this issue before turning it back on.
I'd appreciate any suggestions.
Thanks.
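Added example, not from the original post: a small Python triage script for the "Invalid ARPs" log lines quoted above. DAI checks each ARP's sender MAC/IP against the DHCP snooping binding table, so a host that fell back to a self-assigned 169.254.x.x address has no binding and is dropped, and a 0.0.0.0 address in the ARP body is what the "ip" validation flags unless allow-zeros is set. The script assumes the field order sender-MAC/sender-IP/target-MAC/target-IP seen in the two quoted lines; the sample lines (placeholder MACs) and the stand-in binding table are constructed for the example, and a real run would feed it the switch log plus the output of "show ip dhcp snooping binding".

```python
"""Triage 'Invalid ARPs' lines from a Catalyst switch running DAI (added example)."""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the format quoted in the post; MAC addresses are placeholders.
SAMPLE_LOG = """\
1 Invalid ARPs (Res) on Gi2/0/4, vlan 100 ([847b.0000.0001/169.254.0.55/501c.b000.0002/0.0.0.0/09:19:17 ])
1 Invalid ARPs (Req) on Gi3/0/8, vlan 100.([a44c.0000.0003/10.30.112.210/0000.0c9f.0004/10.30.112.1/)
1 Invalid ARPs (Req) on Gi3/0/9, vlan 100.([a44c.0000.0005/10.30.112.77/0000.0c9f.0004/10.30.112.1/)
"""

# Constructed stand-in for the DHCP snooping binding table (MAC -> leased IP).
# Real triage takes this from 'show ip dhcp snooping binding' on the switch.
SAMPLE_BINDINGS = {
    "a44c.0000.0005": "10.30.112.77",  # valid lease: DAI should not drop this one
}

# Field order assumed from the quoted lines: sender MAC / sender IP / target MAC / target IP
LINE_RE = re.compile(
    r"Invalid ARPs \((?P<kind>Req|Res)\) on (?P<port>[^,\s]+), vlan (?P<vlan>\d+)"
    r"\.?\s*\(\[(?P<smac>[^/]+)/(?P<sip>[^/]+)/(?P<tmac>[^/]+)/(?P<tip>[^/]+)/"
)

APIPA = ipaddress.ip_network("169.254.0.0/16")
ZERO = ipaddress.ip_address("0.0.0.0")


def parse_line(line):
    """Return the fields of one 'Invalid ARPs' line as a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def drop_reasons(rec, bindings):
    """List the DAI checks this ARP fails (empty list means our snapshot cannot explain the drop).

    - 'zero-ip': sender IP (any ARP) or target IP (replies only) is 0.0.0.0; flagged by
      'ip arp inspection validate ip' unless 'allow-zeros' is configured.
    - 'apipa-sender': sender IP is self-assigned (169.254/16), so no DHCP binding can exist.
    - 'no-binding': sender MAC/IP pair is absent from the DHCP snooping binding table.
    """
    sip = ipaddress.ip_address(rec["sip"])
    tip = ipaddress.ip_address(rec["tip"])
    reasons = []
    if sip == ZERO or (rec["kind"] == "Res" and tip == ZERO):
        reasons.append("zero-ip")
    if sip in APIPA:
        reasons.append("apipa-sender")
    if bindings.get(rec["smac"].lower()) != rec["sip"]:
        reasons.append("no-binding")
    return reasons


def triage(log_text, bindings):
    """Parse every matching line and attach its drop reasons; returns a list of records."""
    results = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rec["reasons"] = drop_reasons(rec, bindings)
        results.append(rec)
    return results


def summarize(records):
    """Count reasons across all records so the dominant cause stands out."""
    return Counter(r for rec in records for r in rec["reasons"])


if __name__ == "__main__":
    recs = triage(SAMPLE_LOG, SAMPLE_BINDINGS)
    for rec in recs:
        print(f"{rec['port']:10} vlan {rec['vlan']} {rec['kind']} "
              f"{rec['smac']}/{rec['sip']} -> {rec['tip']}: "
              f"{rec['reasons'] or ['unexplained, check binding table freshness']}")
    print(summarize(recs))
```

A line that ends up with no reasons is the interesting one: the switch dropped it even though the binding snapshot says the lease is valid, which points at a stale or missing binding table (for example, bindings lost across the upgrade) rather than at the client.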