10-21-2024 10:51 PM
Our VLAN Gateway IP is 172.16.0.3. Its MAC address is 6c-b2-ae-41-23-d6. Suddenly, the internet stops working. When I run arp -a, the following MAC address is shown: "172.16.0.3 3e-12-1f-aa-d0-de dynamic." When tracing the MAC address 3e-12-1f-aa-d0-de, it shows the MAC address of a mobile device.
Is there a solution to identify the real problem and how to solve it permanently?
Solved! Go to Solution.
10-22-2024 12:18 AM
Hello @IrfanKhan4904
Please trace the mac address to determine which network port or access point the device is connected to and investigate whether it obtained the IP address via DHCP or was manually configured. Next, temporarily disconnecting the mobile device from the network should restore proper connectivity, and clearing the ARP cache on affected devices will help ensure they update to the correct gateway MAC address (6c-b2-ae-41-23-d6).
To prevent future occurrences, if your network equipment supports it, enable Dynamic ARP Inspection on switches. This will help prevent ARP spoofing or IP conflicts by ensuring only valid ARP requests and replies are processed.
10-22-2024 12:18 AM
Hello @IrfanKhan4904
Please trace the mac address to determine which network port or access point the device is connected to and investigate whether it obtained the IP address via DHCP or was manually configured. Next, temporarily disconnecting the mobile device from the network should restore proper connectivity, and clearing the ARP cache on affected devices will help ensure they update to the correct gateway MAC address (6c-b2-ae-41-23-d6).
To prevent future occurrences, if your network equipment supports it, enable Dynamic ARP Inspection on switches. This will help prevent ARP spoofing or IP conflicts by ensuring only valid ARP requests and replies are processed.
10-22-2024 12:42 AM
Hello M02@rt37
note - DAI can work on its own but only statically, if you wish to use it dynamically then DHCP snooping needs to be also enabled so its D/B can be called upon.
10-22-2024 12:54 AM
To go Further...
DAI can indeed function in a static mode where you manually configure ARP entries to validate ARP packets. However, if you want DAI to operate dynamically, you need to enable DHCP snooping as well. DHCP snooping builds a trusted database of IP-to-MAC address bindings from DHCP transactions, which DAI then uses to verify the legitimacy of ARP requests and responses on the network. Without DHCP snooping, DAI lacks the necessary dynamic information and relies solely on manually configured ARP ACLs for packet inspection...
10-22-2024 12:44 AM
I investigated and found that it was connected to an access point. When I blocked it, the internet was fine. He obtained the IP via DHCP. Should the commands be configured only on the core switch or on all the switches?"
Can you share the command to block ARP spoofing on my Cisco 3650 switch? There is one core switch and 36 other Cisco switches.
10-22-2024 12:39 AM - edited 10-22-2024 12:58 AM
Hello
You need to enable dhcp snooping on all access switches making sure you trust the trunk interconnects' and the interface towards your ISP
Also suggest you append a mac acl to drop the rouge dhcp server/host.
Example
mac address-table static 33e1.21fa.ad0d vlan 1 drop
mac address-table static 33e1.21fa.ad0d vlan 2 drop
etc..
ip dhcp snooping
ip dhcp snooping vlan1,2,....
int x/x
ip dhcp snooping trust
DAI STATIC
ip arp inspection filter-list vlan X static DIA-HOST
arp access-list DIA-HOST
permit ip host 172.16.0.3 mac host 33e1.21fa.ad0d
clear ip dhcp snoop binding *
no ip dhcp snooping
no ip dhcp snooping vlan x
DAI with Dhcp snooping
ip arp inspection filter list DIA-HOST vlan x
arp access-list DIA-HOST
permit ip host 172.16.0.3 mac host 33e1.21fa.ad0d
10-22-2024 02:08 AM
Our network is Cisco core switch 3650
All Other switches are cisco 3560.
Firewall is Fortigate and Access Points are Fortigate FAP 421E.
All access Points supported multiple VLAN and Multiple SSID's. All Access points connected with Trunk Port.
So how we can prevent arp snooping.
10-22-2024 03:16 AM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide