07-02-2015 01:43 AM
If proxy ARP exists in the network, I want to detect proxy ARP on the Catalyst and shut down the interface.
I use IP SLA to detect a proxy ARP reply for an unknown IP address.
And I put in ARP Inspection to print a log.
I would like to get the port down which is printed in the log.
If anyone has a better idea, please help me.
====To Detect Proxy ARP====
ip sla 1
 icmp-echo 192.168.0.254
 timeout 340
 threshold 250
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla enable reaction-alerts
!
====To Create Log====
ip arp inspection vlan 1
ip arp inspection filter test vlan 1 static
arp access-list test
 deny ip host 192.168.0.254 mac any log
 permit ip any mac any
====Log Created by DAI====
08:59:55.259: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Res) on Fa0/1, vlan 1.([58bc.2756.d4c0/192.168.0.254/0024.13fc.aac0/192.168.0.2/08:59:55 UTC Mon Mar 1 1993])
Thanks
SEO
07-03-2015 08:12 AM
Something like this should work:
event manager applet kill-proxy-arp
 event syslog pattern "SW_DAI-4-ACL_DENY:.*on [a-zA-Z0-9/]+,"
 action 1.0 regexp "SW_DAI-4-ACL_DENY:.*on ([a-zA-Z0-9/]+)," $_syslog_msg match intf
 action 2.0 cli command "enable"
 action 3.0 cli command "config t"
 action 4.0 cli command "int $intf"
 action 5.0 cli command "shut"
 action 6.0 cli command "end"
07-06-2015 12:01 AM
Hi Joseph,
I appreciate that you helped me solve my problem with your perfect answer.
I have a question about the script.
If I want to disable the port on which a specific IP address (e.g. 192.168.0.254) comes up,
how do I need to change your script?
Can you help one more time?
Thanks
SEO
07-06-2015 07:17 AM
Just expand the regexp to:
event syslog pattern "SW_DAI-4-ACL_DENY:.*on [a-zA-Z0-9/]+,.*\(\[[0-9a-fA-F\.]+/192.168.0.254/"
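Added example, not part of the original posts and not Cisco code: a Python replay of the two trigger patterns from this thread over DAI log lines, showing which ports each applet would shut. Python's `re` stands in for the EEM regex engine (an assumption; these patterns use only syntax common to both), and the helper names and the label `sender_ip` for the first IP field are assumptions.

```python
import re

# Trigger patterns copied verbatim from the two replies in this thread.
ANY_DENY = re.compile(r"SW_DAI-4-ACL_DENY:.*on ([a-zA-Z0-9/]+),")
SENDER_254 = re.compile(
    r"SW_DAI-4-ACL_DENY:.*on [a-zA-Z0-9/]+,.*\(\[[0-9a-fA-F\.]+/192.168.0.254/")
# Added helper: first two fields of the bracketed part (field names are assumed).
FIELDS = re.compile(r"\(\[(?P<sender_mac>[0-9a-fA-F.]+)/(?P<sender_ip>[0-9.]+)/")

LOG_FROM_THREAD = (
    "08:59:55.259: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Res) on Fa0/1, vlan 1."
    "([58bc.2756.d4c0/192.168.0.254/0024.13fc.aac0/192.168.0.2/"
    "08:59:55 UTC Mon Mar 1 1993])")
# Constructed lines, not from the thread.
CONSTRUCTED = [
    # 192.168.0.254 appears only as the last IP field, not the first one.
    "09:01:10.100: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Fa0/5, vlan 1."
    "([0011.2233.4455/192.168.0.7/0000.0000.0000/192.168.0.254/"
    "09:01:10 UTC Mon Mar 1 1993])",
    # 192.168.0.254 in the first IP field, on a three-level interface name.
    "09:02:30.500: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Res) on Gi1/0/24, vlan 1."
    "([58bc.2756.d4c0/192.168.0.254/0024.13fc.aac0/192.168.0.9/"
    "09:02:30 UTC Mon Mar 1 1993])",
]

def classify(line):
    """Report which applet trigger fires for one syslog line, and the port."""
    any_m = ANY_DENY.search(line)
    fields = FIELDS.search(line)
    return {
        "intf": any_m.group(1) if any_m else None,
        "sender_ip": fields.group("sender_ip") if fields else None,
        "first_applet": any_m is not None,
        "expanded_applet": SENDER_254.search(line) is not None,
    }

def ports_to_shut(lines, trigger):
    """Ports an applet with this trigger would shut, in first-seen order."""
    ports = []
    for line in lines:
        if trigger.search(line):
            intf = ANY_DENY.search(line).group(1)  # same capture as action 1.0
            if intf not in ports:
                ports.append(intf)
    return ports

if __name__ == "__main__":
    for entry in [LOG_FROM_THREAD] + CONSTRUCTED:
        print(classify(entry))
```

The first pattern fires on every ACL_DENY line regardless of address, while the expanded pattern fires only when 192.168.0.254 is the first IP field after the opening `([`.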
07-06-2015 07:12 PM
Hi Joseph,
Your answer is perfect.
I did a lab with your script.
It works the way I want.
I appreciate your great help.
Thanks
SEO