Switching

 View Only
last person joined: yesterday 

Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  DHCP ARP inspection does not allow to register new clients on DHCP. Disconnects clients.

    Posted 03-10-2019 23:37

    Hello! I have such configuration of network the Host <-> EX2300 access switch  <-> EX4600 core switch <-> EX2300 web server access switch <-> DHCP-server. I wanted to apply dhcp snooping and dynamic arp inspection on the access switch EX2300. And web server access switch without additional security settings.

     

    The problem is that the user on access switch are periodically disconnected and cannot be connected to network and receive the IP address. In the table dhcp binding they are blocked, but for this purpose there are no reasons. Tell please, whether the correct my configuration of the equipment and in what there can be a problem?

     

    Following configuration:

    HOST - >

    Acces Switch

    EX2300 version 18.1R3.3

    set vlans USERS-26 vlan-id 26
    set vlans USERS-26 forwarding-options dhcp-security arp-inspection
    set vlans USERS-26 forwarding-options dhcp-security group TRUST-DHCP overrides trusted
    set vlans USERS-26 forwarding-options dhcp-security group TRUST-DHCP interface ae0.0

    ->

    Core Switch

    EX4600:

    JUNOS 14.1X53-D27.3 built 2015-06-17

    set forwarding-options dhcp-relay forward-snooped-clients all-interfaces
    set forwarding-options dhcp-relay overrides allow-snooped-clients
    set forwarding-options dhcp-relay overrides bootp-support
    set forwarding-options dhcp-relay overrides delete-binding-on-renegotiation
    set forwarding-options dhcp-relay server-group DHCP-RELAY-GROUP 192.168.22.6
    set forwarding-options dhcp-relay server-group DHCP-RELAY-GROUP 192.168.22.5
    set forwarding-options dhcp-relay active-server-group DHCP-RELAY-GROUP
    set forwarding-options dhcp-relay group DHCP-RELAY-GROUP interface irb.25
    set forwarding-options dhcp-relay group DHCP-RELAY-GROUP interface irb.26

    -> EX2300 -> DHCP-server

     

     

    Help please in what a problem of shutdown of clients?

     


    #EX2300
    #EX4600EX2300DAIdhcp-snoopingport-security
    #DAI
    #dhcp-snooping
    #EX4600


  • 2.  RE: DHCP ARP inspection does not allow to register new clients on DHCP. Disconnects clients.

     
    Posted 03-11-2019 03:43

    Hi Dmitriy,

     

    Please remove if you have any other port-security feature configured on the access switch? Please get the log messages around the time any clients disconnected for better clues.

     

    Hope this helps.

     

    Regards,
    -r.

    --------------------------------------------------

    If this solves your problem, please mark this post as "Accepted Solution."
    Kudos are always appreciated :).



  • 3.  RE: DHCP ARP inspection does not allow to register new clients on DHCP. Disconnects clients.

    Posted 03-11-2019 05:03

    On access switch EX2300 configured yet
    set switch-options interface-mac-limit 10
    set switch-options interface-mac-limit packet-action drop-and-log
    set switch-options interface ae0.0 interface-mac-limit 16383
    set switch-options interface ae0.0 interface-mac-limit disable

    No more security settings. Unfortunately, I can not remove the logs.

    Is there a proven DAI configuration for the EX2300 and EX4600?



  • 4.  RE: DHCP ARP inspection does not allow to register new clients on DHCP. Disconnects clients.
    Best Answer

     
    Posted 03-11-2019 05:13
    Hi Dmitiry,

    What's the error log when the client is blocked? If port-security feature is blocking it, the log messages might tell you the reason.

    Enable traces if you can't find anything from regular log messages:
    set system services dhcp traceoptions file dhcp.log files 5 size 10m
    set system services dhcp traceoptions flag all

    Later note the time the client gets dropped and check "show log dhcp.log".

    Hope this helps.

    Regards,
    -r.

    --------------------------------------------------

    If this solves your problem, please mark this post as "Accepted Solution."
    Kudos are always appreciated :).


  • 5.  RE: DHCP ARP inspection does not allow to register new clients on DHCP. Disconnects clients.

    Posted 03-14-2019 00:43

    This is the output of the messages log:

     

    Mar 14 09:14:17  ex2300 dc-pfe: DAI FAILED: ARP REPLY received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/44:aa:50:0e:56:00
    Mar 14 09:14:17  ex2300 fpc0 DAI FAILED: ARP REPLY received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/44:aa:50:0e:56:00
    Mar 14 09:14:17  ex2300 dc-pfe: DAI FAILED: ARP REQUEST received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/44:aa:50:0e:56:00
    Mar 14 09:14:17  ex2300 fpc0 DAI FAILED: ARP REQUEST received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/44:aa:50:0e:56:00
    Mar 14 09:14:18  ex2300 dc-pfe: DAI FAILED: ARP REPLY received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/44:aa:50:0e:56:00
    Mar 14 09:14:18  ex2300 fpc0 DAI FAILED: ARP REPLY received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/44:aa:50:0e:56:00
    Mar 14 09:14:18  ex2300 dc-pfe: DAI FAILED: ARP REQUEST received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/44:aa:50:0e:56:00
    Mar 14 09:14:18  ex2300 fpc0 DAI FAILED: ARP REQUEST received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/44:aa:50:0e:56:00
    Mar 14 09:14:51  ex2300 dc-pfe: DAI FAILED: ARP REQUEST received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/00:00:00:00:00:00
    Mar 14 09:14:51  ex2300 fpc0 DAI FAILED: ARP REQUEST received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/00:00:00:00:00:00
    Mar 14 09:14:52  ex2300 dc-pfe: DAI FAILED: ARP REQUEST received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/00:00:00:00:00:00
    Mar 14 09:14:52  ex2300 fpc0 DAI FAILED: ARP REQUEST received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/00:00:00:00:00:00
    Mar 14 09:14:52  ex2300 dc-pfe: DAI FAILED: ARP REQUEST received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/00:00:00:00:00:00
    Mar 14 09:14:52  ex2300 fpc0 DAI FAILED: ARP REQUEST received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/00:00:00:00:00:00
    Mar 14 09:14:52  ex2300 dc-pfe: DAI FAILED: ARP REQUEST received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/00:00:00:00:00:00
    Mar 14 09:14:52  ex2300 fpc0 DAI FAILED: ARP REQUEST received, interface ge-0/0/3.0 [index 566], vlan-id 26, sender ip/mac 10.193.18.61/e0:d5:5e:02:68:e6, receiver ip/mac 10.193.18.1/0


  • 6.  RE: DHCP ARP inspection does not allow to register new clients on DHCP. Disconnects clients.

    Posted 03-14-2019 01:18

    Hello, !

    Attached dhcp_logfile with Juniper EX2300, can you look why is it that DAI is blocking users?

    Can you point out where the problem please?

     

     

    show dhcp-security arp inspection statistics
    Interface      Packets received   ARP inspection pass   ARP inspection fail
    ae0.0          19000758           19000758              0
    ge-0/0/0.0     135628             70841                 64787
    ge-0/0/1.0     103003             89374                 13629
    ge-0/0/10.0    0                  0                     0
    ge-0/0/11.0    0                  0                     0
    ge-0/0/12.0    0                  0                     0
    ge-0/0/13.0    0                  0                     0
    ge-0/0/14.0    0                  0                     0
    ge-0/0/15.0    0                  0                     0
    ge-0/0/16.0    0                  0                     0
    ge-0/0/17.0    0                  0                     0
    ge-0/0/2.0     55884              47878                 8006
    ge-0/0/3.0     574003             259568                314435
    ge-0/0/4.0     0                  0                     0
    ge-0/0/5.0     0                  0                     0
    ge-0/0/6.0     0                  0                     0
    ge-0/0/7.0     0                  0                     0
    ge-0/0/8.0     0                  0                     0
    ge-0/0/9.0     0                  0                     0
    


  • 7.  RE: DHCP ARP inspection does not allow to register new clients on DHCP. Disconnects clients.

     
    Posted 03-14-2019 01:40

    Hi Dmitriy,

     

    Nice.  These logs indicate the ARP request/response received on this port ge-0/0/3 cannot be linked to any of the IPs assigned by DHCP.

     

    a) Please check this to confirm if there's a DHCP binding for the client seen by the switch:

    show dhcp snooping binding | grep 10.193.18.61
    show dhcp snooping binding | grep e0:d5:5e:02:68:e6

     

    b) If there is no binding, then:

    (i) Check this client is assigned this IP (10.193.18.61). Need to clear it out or block the port if client isn't in your control etc. and observe if that stabilizes.

    (ii) If client uses DHCP, then check there's a low lease time configured for the scope. It could be the DHCP server unreachable/unresponsive during renew attempt by the client. And we see these logs during the time.

     

    c) If there is a valid DHCP binding and still the DAI fails, that calls for a JTAC ticket to explain.

     

    Hope this helps.

     

    Regards,
    -r.

    --------------------------------------------------

    If this solves your problem, please mark this post as "Accepted Solution."
    Kudos are always appreciated :).

     



  • 8.  RE: DHCP ARP inspection does not allow to register new clients on DHCP. Disconnects clients.

     
    Posted 03-14-2019 01:51
    Hi Dmitriy,

    Also, you can check CLI command "show arp inspection statistics" for the ports and count of such packets received.

    Hope this helps.

    Regards,
    -r.

    --------------------------------------------------

    If this solves your problem, please mark this post as "Accepted Solution."
    Kudos are always appreciated :).