DAI w/802.1x Dynamic VLAN Assignment - Logging "Issue"

gomeskiran
Just browsing


Hey folks!

We're doing 802.1x via ISE using the AnyConnect NAM supplicant with the ISE Posture module. I'm also in the initial phases of testing and rolling out Dynamic ARP Inspection. I don't *think* it's causing a problem per se, but I'm getting logs generated whenever the IP changes due to Posture successfully completing, thus changing the VLAN. It looks like this:

%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/10, vlan 26.([c2c2.d2d2.ab1a/10.0.70.35/0000.0000.0000/10.0.70.1/15:49:31 EST Thu Jun 4 2020])

TAC is trying to brush it off saying it's working as intended - and I get that from the switch perspective - but I want to figure out why this is happening and see if it can be fixed. Even if it's not causing connectivity issues, it's problematic for two reasons:

  1. Although I think we can work around it, now I've got a log that's going to be popping up constantly that should indicate there's some sort of problem/attack, but I'm going to have to ignore it. And we all know what happens when we get trained to ignore alerts....

  2. This appears to be generating at least 2 logs every time someone signs into a workstation. This is going to be crazy chatty and consume unnecessary resources with our logging solution.

So, is anyone else running 802.1x w/VLAN changes alongside DAI and NOT having this problem? I'll post back if I happen to find a solution or if TAC is able to resolve this (I have another call w/them today). But in the meantime, hope you guys can help - thanks!!
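An added example (not code from the original post, nor anything from Cisco or ISE) showing one way to triage these messages rather than silently filtering them: it parses the %SW_DAI-4-DHCP_SNOOPING_DENY line quoted above into its fields, checks the sender MAC/IP against a DHCP snooping binding table, and labels each deny. The binding table, the two extra log lines, and the category names are constructed for the example; the "vlan-mismatch-same-port" label is a triage heuristic for the post-authentication VLAN move the poster describes, not a confirmed root cause. Denies that have no binding at all, or whose binding lives on a different port, are the ones that still deserve an alert.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Message shape of the %SW_DAI-4-DHCP_SNOOPING_DENY line quoted in the post:
# "... on <intf>, vlan <n>.([<smac>/<sip>/<tmac>/<tip>/<timestamp>])"
DAI_DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<optype>Req|Res)\) "
    r"on (?P<intf>\S+), vlan (?P<vlan>\d+)\.\(\["
    r"(?P<smac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})/(?P<sip>[\d.]+)/"
    r"(?P<tmac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})/(?P<tip>[\d.]+)/"
    r"(?P<ts>[^\]]+)\]\)"
)


@dataclass(frozen=True)
class DaiDeny:
    count: int
    optype: str
    intf: str
    vlan: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str
    timestamp: str


def parse_dai_deny(line: str) -> Optional[DaiDeny]:
    """Parse one DAI deny syslog line; return None if it is not one."""
    m = DAI_DENY_RE.search(line)
    if not m:
        return None
    return DaiDeny(int(m["count"]), m["optype"], m["intf"], int(m["vlan"]),
                   m["smac"], m["sip"], m["tmac"], m["tip"], m["ts"].strip())


# DHCP snooping bindings as (mac, ip) -> (vlan, interface).
# Constructed for this example; a real tool would pull them from the switch.
Binding = Tuple[int, str]
BINDINGS: Dict[Tuple[str, str], Binding] = {
    ("c2c2.d2d2.ab1a", "10.0.70.35"): (70, "Gi1/0/10"),   # assumed: host bound in VLAN 70
    ("aaaa.bbbb.cccc", "10.0.26.50"): (26, "Gi1/0/11"),   # constructed second host
}


def classify(deny: DaiDeny, bindings: Dict[Tuple[str, str], Binding] = BINDINGS) -> str:
    """Label a deny by how the ARP sender relates to the binding table."""
    b = bindings.get((deny.sender_mac, deny.sender_ip))
    if b is None:
        return "no-binding"              # nothing vouches for this MAC/IP: keep alerting
    vlan, intf = b
    if intf != deny.intf:
        return "port-mismatch"           # bound elsewhere: keep alerting
    if vlan != deny.vlan:
        return "vlan-mismatch-same-port"  # heuristic: dynamic VLAN move on the same port
    return "binding-matches"             # should not be denied; worth a closer look


def triage(lines: List[str]) -> Tuple[Counter, Counter]:
    """Return (category counts, per MAC+port counts) to see what is noise vs. signal."""
    categories: Counter = Counter()
    per_host: Counter = Counter()
    for line in lines:
        d = parse_dai_deny(line)
        if d is None:
            continue
        categories[classify(d)] += 1
        per_host[(d.sender_mac, d.intf)] += 1
    return categories, per_host


# Sample input: the line from the post plus two constructed lines.
SAMPLE_LINES = [
    "%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/10, vlan 26."
    "([c2c2.d2d2.ab1a/10.0.70.35/0000.0000.0000/10.0.70.1/15:49:31 EST Thu Jun 4 2020])",
    "%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/12, vlan 26."
    "([dead.beef.0001/10.0.26.200/0000.0000.0000/10.0.26.1/15:50:02 EST Thu Jun 4 2020])",
    "%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Gi1/0/20, vlan 26."
    "([aaaa.bbbb.cccc/10.0.26.50/1111.2222.3333/10.0.26.1/15:50:10 EST Thu Jun 4 2020])",
]

if __name__ == "__main__":
    cats, hosts = triage(SAMPLE_LINES)
    for cat, n in cats.items():
        print(f"{cat}: {n}")
    for (mac, intf), n in hosts.items():
        print(f"{mac} on {intf}: {n} deny message(s)")
```

Feeding the same parser a day of syslog and keying the per-host counter on MAC and port gives a direct measure of the chattiness in the poster's second point, while the category split keeps the "no-binding" and "port-mismatch" cases visible instead of burying them under the VLAN-move noise.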

PhilipDAth
Kind of a big deal

What model switch is this on?

CptnCrnch
Kind of a big deal

Looks very much like „legacy“ Cisco 😇
