
VLAN Mac address

IrfanKhan4904 (Level 1)

Our VLAN Gateway IP is 172.16.0.3. Its MAC address is 6c-b2-ae-41-23-d6. Suddenly, the internet stops working. When I run arp -a, the following MAC address is shown: "172.16.0.3 3e-12-1f-aa-d0-de dynamic." When tracing the MAC address 3e-12-1f-aa-d0-de, it shows the MAC address of a mobile device.
Is there a solution to identify the real problem and how to solve it permanently?
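The symptom above is visible from any host on the VLAN: the gateway IP suddenly resolves to a different MAC, and often that same MAC also claims other IPs. The script below is an added example for this thread, not code from the original post. It parses both the Windows and the Linux/macOS forms of `arp -a`, normalises the MAC notation (dash, colon and Cisco dotted forms), and reports a gateway mismatch against the known-good MAC plus any unicast MAC answering for several IPs. The sample `arp -a` output is constructed; the gateway IP and both MACs are the ones reported in the question.

```python
"""Spot a poisoned gateway entry in `arp -a` output.

Added example for this thread, not code from the original post. It parses
the Windows and the Linux/macOS forms of `arp -a`, normalises MAC
notation, and reports two things a defender looks for: the gateway IP
resolving to a MAC other than the known-good one, and one MAC answering
for several IPs (what a spoofing host looks like in the cache).
"""
import re
from collections import defaultdict

# Known-good values taken from the thread.
GATEWAY_IP = "172.16.0.3"
GATEWAY_MAC = "6c-b2-ae-41-23-d6"

# Windows form:  "  172.16.0.3            3e-12-1f-aa-d0-de     dynamic"
WIN_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)
# Linux/macOS form: "? (172.16.0.3) at 3e:12:1f:aa:d0:de [ether] on eth0"
NIX_RE = re.compile(
    r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5})", re.I)


def normalize_mac(mac):
    """Return a MAC as lower-case colon-separated octets.

    Accepts 6c-b2-ae-41-23-d6, 6c:b2:ae:41:23:d6 and Cisco's 6cb2.ae41.23d6.
    """
    parts = re.split(r"[-:.]", mac.strip().lower())
    if len(parts) == 3:  # Cisco dotted form: three 16-bit groups
        parts = re.findall(r"..", "".join(parts))
    return ":".join(p.zfill(2) for p in parts)


def parse_arp_table(text):
    """Return [(ip, mac), ...] for every resolved entry in `arp -a` output."""
    entries = []
    for line in text.splitlines():
        m = WIN_RE.match(line) or NIX_RE.search(line)
        if m:
            entries.append((m.group(1), normalize_mac(m.group(2))))
    return entries


def check_gateway(entries, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """Return a list of findings; an empty list means the cache looks sane."""
    expected = normalize_mac(gateway_mac)
    findings = []
    ips_by_mac = defaultdict(list)
    for ip, mac in entries:
        ips_by_mac[mac].append(ip)
        if ip == gateway_ip and mac != expected:
            findings.append(f"gateway {ip} resolves to {mac}, expected {expected}")
    for mac, ips in ips_by_mac.items():
        # Skip broadcast/multicast MACs (I/G bit set in the first octet):
        # they legitimately map to many addresses.
        if int(mac[:2], 16) & 1:
            continue
        if len(ips) > 1:
            findings.append(f"{mac} answers for {len(ips)} IPs: {', '.join(ips)}")
    return findings


# Constructed sample output, modelled on the symptom reported in the thread.
SAMPLE_POISONED = """\
Interface: 172.16.0.50 --- 0xb
  Internet Address      Physical Address      Type
  172.16.0.3            3e-12-1f-aa-d0-de     dynamic
  172.16.0.77           3e-12-1f-aa-d0-de     dynamic
  172.16.255.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
SAMPLE_CLEAN = """\
Interface: 172.16.0.50 --- 0xb
  Internet Address      Physical Address      Type
  172.16.0.3            6c-b2-ae-41-23-d6     dynamic
  172.16.0.77           3e-12-1f-aa-d0-de     dynamic
"""
SAMPLE_LINUX = "? (172.16.0.3) at 3e:12:1f:aa:d0:de [ether] on eth0\n"

if __name__ == "__main__":
    for finding in check_gateway(parse_arp_table(SAMPLE_POISONED)):
        print("ALERT:", finding)
```

Run from a scheduled task that pipes real `arp -a` output into `parse_arp_table`, the gateway finding fires as soon as the cache flips, which gives a timestamp to line up with the switch's MAC address table when tracing the offending port.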

Accepted Solution

M02@rt37 (VIP)

Hello @IrfanKhan4904 

Please trace the mac address to determine which network port or access point the device is connected to and investigate whether it obtained the IP address via DHCP or was manually configured. Next, temporarily disconnecting the mobile device from the network should restore proper connectivity, and clearing the ARP cache on affected devices will help ensure they update to the correct gateway MAC address (6c-b2-ae-41-23-d6).

To prevent future occurrences, if your network equipment supports it, enable Dynamic ARP Inspection on switches. This will help prevent ARP spoofing or IP conflicts by ensuring only valid ARP requests and replies are processed.


Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.


7 Replies


Hello M02@rt37
Note: DAI can work on its own, but only statically; if you wish to use it dynamically, then DHCP snooping also needs to be enabled so its database can be called upon.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

To go Further...

DAI can indeed function in a static mode where you manually configure ARP entries to validate ARP packets. However, if you want DAI to operate dynamically, you need to enable DHCP snooping as well. DHCP snooping builds a trusted database of IP-to-MAC address bindings from DHCP transactions, which DAI then uses to verify the legitimacy of ARP requests and responses on the network. Without DHCP snooping, DAI lacks the necessary dynamic information and relies solely on manually configured ARP ACLs for packet inspection...

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
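The forwarding decision described in the two posts above can be written out as a small model. This is an added example, not code from the thread or from any switch vendor; the class, port names and the phone's IP address are hypothetical. It applies the rules as explained: ARP arriving on a trusted port or on a VLAN without DAI is forwarded uninspected; on an untrusted port the sender IP/MAC pair must match a static ARP ACL entry or a binding that DHCP snooping recorded from a lease. With the ACL in static mode, or with snooping disabled so that no bindings exist, the ACL is the only source of truth, which is why an ordinary DHCP client that is absent from the ACL is dropped in that mode.

```python
"""Model of the Dynamic ARP Inspection decision, with and without DHCP snooping.

Added example, not code from the thread or from any vendor; the class and
port names are hypothetical and the phone's IP is constructed. Gateway IP
and both MAC addresses are the ones reported in the thread.
"""
from dataclasses import dataclass, field


@dataclass
class ArpPacket:
    in_port: str
    vlan: int
    sender_ip: str
    sender_mac: str


@dataclass
class DaiSwitch:
    dai_vlans: set = field(default_factory=set)      # VLANs with DAI enabled
    trusted_ports: set = field(default_factory=set)  # uplinks/trunks, not inspected
    arp_acl: set = field(default_factory=set)        # permitted (ip, mac) pairs
    acl_static: bool = False   # True: ACL misses are dropped, bindings never consulted
    dhcp_snooping: bool = True
    bindings: dict = field(default_factory=dict)     # (vlan, ip) -> mac from DHCP ACKs
    drops: list = field(default_factory=list)

    def learn_lease(self, vlan, ip, mac):
        """DHCP snooping records the binding when it sees the server's ACK."""
        if self.dhcp_snooping:
            self.bindings[(vlan, ip)] = mac.lower()

    def inspect(self, pkt):
        """Return True if the ARP packet is forwarded, False if DAI drops it."""
        mac = pkt.sender_mac.lower()
        if pkt.vlan not in self.dai_vlans or pkt.in_port in self.trusted_ports:
            return True
        if (pkt.sender_ip, mac) in self.arp_acl:
            return True
        if self.arp_acl and self.acl_static:
            # Implicit deny at the end of the ACL; no fallback to the binding table.
            return self._drop(pkt, mac, "not in static ARP ACL")
        if self.bindings.get((pkt.vlan, pkt.sender_ip)) == mac:
            return True
        return self._drop(pkt, mac, "no matching DHCP snooping binding")

    def _drop(self, pkt, mac, why):
        self.drops.append(f"vlan {pkt.vlan} {pkt.in_port}: {pkt.sender_ip}/{mac} ({why})")
        return False


GATEWAY = ("172.16.0.3", "6c:b2:ae:41:23:d6")   # real gateway from the thread
PHONE = ("172.16.0.77", "3e:12:1f:aa:d0:de")    # rogue MAC from the thread; IP constructed


def dynamic_scenario():
    """DAI plus DHCP snooping: the phone keeps its own lease but cannot claim the gateway."""
    sw = DaiSwitch(dai_vlans={1}, trusted_ports={"Gi1/0/48"})
    sw.arp_acl.add(GATEWAY)            # gateway pinned in the ARP ACL
    sw.learn_lease(1, *PHONE)          # the phone obtained a lease, as the OP found
    return {
        "gateway_on_uplink": sw.inspect(ArpPacket("Gi1/0/48", 1, *GATEWAY)),
        "phone_own_ip": sw.inspect(ArpPacket("Gi1/0/10", 1, *PHONE)),
        "phone_claims_gateway": sw.inspect(ArpPacket("Gi1/0/10", 1, GATEWAY[0], PHONE[1])),
    }


def static_scenario():
    """DAI with a static ACL and snooping disabled: only ACL entries are forwarded."""
    sw = DaiSwitch(dai_vlans={1}, acl_static=True, dhcp_snooping=False)
    sw.arp_acl.add(GATEWAY)
    sw.learn_lease(1, *PHONE)          # ignored: snooping is off, so no binding is built
    return {
        "gateway_via_acl": sw.inspect(ArpPacket("Gi1/0/1", 1, *GATEWAY)),
        "phone_own_ip": sw.inspect(ArpPacket("Gi1/0/10", 1, *PHONE)),
        "phone_claims_gateway": sw.inspect(ArpPacket("Gi1/0/10", 1, GATEWAY[0], PHONE[1])),
    }


if __name__ == "__main__":
    print("dynamic:", dynamic_scenario())
    print("static: ", static_scenario())
```

The static scenario shows the operational cost of skipping DHCP snooping: the spoofed gateway claim is dropped either way, but so is every legitimate DHCP client's ARP, which is why the static form only suits networks where every host is listed in the ACL.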

I investigated and found that it was connected to an access point. When I blocked it, the internet was fine. It obtained the IP via DHCP. Should the commands be configured only on the core switch or on all the switches?
Can you share the command to block ARP spoofing on my Cisco 3650 switch? There is one core switch and 36 other Cisco switches.

Hello
You need to enable DHCP snooping on all access switches, making sure you trust the trunk interconnects and the interface towards your ISP.

I also suggest you append a MAC ACL to drop the rogue DHCP server/host.

Example (in Cisco notation the rogue MAC 3e-12-1f-aa-d0-de is 3e12.1faa.d0de and the real gateway MAC 6c-b2-ae-41-23-d6 is 6cb2.ae41.23d6)

! Drop every frame sourced from the rogue MAC, in each VLAN it can reach
mac address-table static 3e12.1faa.d0de vlan 1 drop
mac address-table static 3e12.1faa.d0de vlan 2 drop
! etc.

! DHCP snooping: enable globally and per VLAN; trust only trunks/uplinks, never access ports
ip dhcp snooping
ip dhcp snooping vlan 1,2
!
interface x/x
 ip dhcp snooping trust
 ip arp inspection trust

DAI STATIC (ARP ACL only; the DHCP snooping binding table is not consulted)
! The ACL must permit the real gateway binding, not the rogue MAC
arp access-list DIA-HOST
 permit ip host 172.16.0.3 mac host 6cb2.ae41.23d6
!
ip arp inspection vlan X
ip arp inspection filter DIA-HOST vlan X static
!
! If snooping was previously enabled, clear its bindings and turn it off
clear ip dhcp snooping binding *
no ip dhcp snooping
no ip dhcp snooping vlan X

DAI with DHCP snooping (ACL checked first, then the snooping binding table)
arp access-list DIA-HOST
 permit ip host 172.16.0.3 mac host 6cb2.ae41.23d6
!
ip arp inspection vlan X
ip arp inspection filter DIA-HOST vlan X



Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Our network is a Cisco 3650 core switch.
All other switches are Cisco 3560.
The firewall is a Fortigate and the access points are Fortigate FAP 421E.
All access points support multiple VLANs and multiple SSIDs. All access points are connected via trunk ports.
So how can we prevent ARP snooping?

Access points are connected to the switch through trunk ports (the access points support multiple VLANs).
Switch-to-switch links are trunk ports.
So in this scenario, how can we configure the core switch and access switches to prevent ARP snooping?