
Dynamic ARP Inspection - Windows 7

Rodrigo Gurriti
Level 3

Hello,

I have a network of 3750s configured for DAI with DHCP Snooping implemented and working with Windows XP for around a year. Now we've changed a couple of machines to Windows 7. I have a floor with around 200 workstations on XP and about 4 on Seven.

Two of these Win7 machines are triggering the err-disable for ARP inspection (configured by default to block interfaces sending over 15 ARP pps).

I noticed that when I go to Windows -> Network and do a refresh, sometimes (most of the time after boot-up or idle time) it will trigger the massive ARP response on the network.

With the help of Wireshark I noticed that all hosts on the network updated their ARP entry for that computer (Win7) at the same time, for some reason I don't know. The Windows 7 machine tries to reply to over fifty ARP requests for its IP, which caused the port to be put in err-disable.


There were no applications running on the Windows 7 computer at the time of the tests, only Wireshark and its default services.

This computer has configured:

DHCP with WINS

It's on a Windows domain

It has NetBIOS over TCP (which I think is the problem, but I can't figure it out since I don't really know how it normally behaves)

Sorry, but I can't upload the pcap file since it has lots of confidential information.

Thank you

1 Reply

Rodrigo Gurriti
Level 3

Responding to my own question: my DHCP was giving out the primary WINS server as secondary and vice versa. My secondary WINS server was not synchronizing with the primary because I had a problem in the configuration.

My WINS works in H-mode: the clients consult the WINS server and, if not successful, then broadcast themselves over the network. Since my secondary WINS was configured as my primary and it was not synchronized, the queries failed; therefore the clients were broadcasting themselves over the network.

Once everyone learned about this client broadcasting itself, everyone tried to establish a unicast communication and everyone sent an ARP Request at the same time, and then the client replied with an ARP Response for every single Request at the same time, causing the switch to put the client's port in err-disable.
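
An added example, not part of the original thread: a simplified model of a per-port DAI rate limiter run over constructed ARP timestamps, showing why a single burst of replies trips the 15 pps limit mentioned above. The MAC address, the packet list and the reading of a burst interval as "limit exceeded in N consecutive seconds" are assumptions made for illustration.

```python
from collections import Counter

WIN7_MAC = "00:11:22:33:44:55"  # hypothetical MAC of the Windows 7 host


def build_sample():
    """Constructed capture: (timestamp_s, sender_mac, arp_opcode); 1=request, 2=reply."""
    pkts = [(0.2, WIN7_MAC, 1), (1.4, WIN7_MAC, 1)]            # normal background ARP
    # After the NetBIOS broadcast, 55 hosts ask for the client's MAC at once
    # and the client answers each request within a fraction of a second.
    pkts += [(5.0 + i * 0.005, WIN7_MAC, 2) for i in range(55)]
    pkts.append((9.0, WIN7_MAC, 1))
    return pkts


def per_second_counts(packets, mac):
    """Count ARP packets sent by `mac` in each one-second bucket."""
    counts = Counter()
    for ts, src, _opcode in packets:
        if src == mac:
            counts[int(ts)] += 1
    return counts


def would_err_disable(packets, mac, rate_pps=15, burst_interval=1):
    """Return the second at which the modelled limiter trips, or None.

    Assumed model: the port is shut when the host exceeds `rate_pps`
    in `burst_interval` consecutive one-second buckets.
    """
    counts = per_second_counts(packets, mac)
    if not counts:
        return None
    consecutive = 0
    for sec in range(min(counts), max(counts) + 1):
        consecutive = consecutive + 1 if counts.get(sec, 0) > rate_pps else 0
        if consecutive >= burst_interval:
            return sec
    return None


if __name__ == "__main__":
    sample = build_sample()
    print("peak pps:", max(per_second_counts(sample, WIN7_MAC).values()))
    print("trips at second:", would_err_disable(sample, WIN7_MAC))
    print("with 2 s burst interval:", would_err_disable(sample, WIN7_MAC, burst_interval=2))
```

Running the same counts over a real capture (exported timestamps per sender MAC) shows whether a port shutdown came from a sustained flood or from a one-off reply burst like the one described in this thread.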