ARP Inspection on SF-300-24 switch?

ryankey123
Level 1

I'm having an issue where two PCs are responding to ARP requests "Who is 192.168.0.1". 

The real 192.168.0.1 is on port 1 of the switch and has a MAC address of 00:24:a5:c7:e0:a8. I can't seem to set up ARP Inspection properly, as the rogue device continues to respond. Can somebody provide the proper steps? I've enabled DHCP Snooping, enabled ARP Inspection, enabled IP Source Guard, added FE1 as a trusted interface and all others as untrusted, yet this continues to be an issue. Not sure what I'm doing wrong, and I can't find any documentation on the web to help out. I know where the offending piece of hardware is; unfortunately, due to its location I can't fix it for several weeks, so I'm just looking to band-aid this for the time being.

Thanks for any help!

Ryan

7 Replies

Tom Watts
VIP Alumni

Hello Ryan,

When a packet arrives on an untrusted interface, the ARP access control rules are searched for the IP/MAC addresses. If the IP address is found and the MAC address in the list matches the packet's MAC address, then the packet is valid; otherwise it is not.

If the packet's IP is not found and DHCP snooping is enabled for that packet's VLAN, the DHCP snooping binding database is searched for the packet's VLAN and IP address pair. If it is not found, then the packet is invalid. If the packet's IP address is found in neither the ARP access control rules nor the DHCP binding database, the packet is invalid and dropped.

So with all this being said, is it not working as intended?

-Tom

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

Thanks for your reply. No, it does not seem to be working as intended. Please see my screen attachments.

I am still getting multiple responses to "WHO HAS 192.168.0.1" from the clients. It should just be from the trusted host on port 1.

Any other hints are appreciated. Thank you!

Ryan,

Try adding VLAN 1 to the enabled VLANs under the VLAN settings of ARP Inspection. Right now it does not seem to be applied to any interfaces.

-Tom
Please rate helpful posts


Oddly, when I add VLAN 1 to the enabled side, no hosts can access anything. It cripples the network: can't ping the default gateway, can't even reconnect to the switch to disable it; I've found it requires a hard reset. I've tried it 3x just to confirm. Strange.

Correct, that is because there is nothing to be trusted, which is the point. You need to add the MAC addresses that you want to be trusted on the untrusted interfaces. So when the ingress packet hits, if it's not in the bind tables, that entry is dropped.

-Tom
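The two replies above describe the same decision procedure: on an untrusted port the ARP sender IP is looked up in the ARP ACL first, then (if DHCP snooping is on for the VLAN) in the snooping binding database, and a packet that matches neither is dropped. The following simulation is an added example written for this thread, not SF-300 firmware or anything posted by the participants. It parses constructed raw ARP reply frames, applies the rules exactly as stated in the replies, and runs them against two configurations: the one Ryan describes (VLAN 1 enabled, only FE1 trusted, no ACL entries, empty binding table) and a populated one with a static ACL entry for the gateway plus a snooping binding for one client. Port names, the client and rogue MAC addresses, and the client IP are assumptions for the example; only the gateway IP and MAC come from the thread.

```python
"""Toy model of the Dynamic ARP Inspection (DAI) decision described in this thread.

Constructed example: not SF-300 firmware. It models only the rules stated in the
replies (ARP ACL first, then the DHCP snooping binding database; trusted ports
bypass the check) and feeds them constructed ARP reply frames.
"""
import struct
from dataclasses import dataclass, field

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Construct an untagged Ethernet II frame carrying an ARP reply (RFC 826 layout)."""
    eth = struct.pack("!6s6sH", mac_to_bytes(target_mac), mac_to_bytes(sender_mac), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY,
                      mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                      mac_to_bytes(target_mac), ip_to_bytes(target_ip))
    return eth + arp


@dataclass
class ArpInfo:
    sender_mac: str   # ARP sender hardware address (SHA)
    sender_ip: str    # ARP sender protocol address (SPA)
    opcode: int


def parse_arp(frame: bytes) -> ArpInfo:
    """Extract the fields DAI validates from a raw frame; reject non-ARP ethertypes."""
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _ht, _pt, _hl, _pl, opcode, sha, spa, _tha, _tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return ArpInfo(":".join(f"{b:02x}" for b in sha), ".".join(str(b) for b in spa), opcode)


@dataclass
class DaiConfig:
    enabled_vlans: set = field(default_factory=set)
    trusted_ports: set = field(default_factory=set)
    arp_acl: dict = field(default_factory=dict)      # sender IP -> permitted MAC
    snooping_vlans: set = field(default_factory=set)
    bindings: dict = field(default_factory=dict)     # (vlan, IP) -> MAC learned via DHCP


def inspect(frame: bytes, vlan: int, port: str, cfg: DaiConfig) -> tuple:
    """Return (forwarded, reason) for one ARP frame, following the rules in the thread."""
    if vlan not in cfg.enabled_vlans:
        return True, "DAI not enabled on VLAN"
    if port in cfg.trusted_ports:
        return True, "trusted port, not inspected"
    arp = parse_arp(frame)
    acl_mac = cfg.arp_acl.get(arp.sender_ip)
    if acl_mac is not None:                         # IP present in ARP ACL: MAC must match
        if acl_mac == arp.sender_mac:
            return True, "ARP ACL match"
        return False, "ARP ACL MAC mismatch"
    if vlan in cfg.snooping_vlans:                  # fall back to the snooping binding table
        if cfg.bindings.get((vlan, arp.sender_ip)) == arp.sender_mac:
            return True, "DHCP snooping binding match"
        return False, "no matching DHCP snooping binding"
    return False, "IP not in ARP ACL or binding database"


# Gateway values are from the thread; the rogue, the client and the port names are assumed.
GW_MAC, GW_IP = "00:24:a5:c7:e0:a8", "192.168.0.1"
ROGUE_MAC, CLIENT_MAC, CLIENT_IP = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "192.168.0.50"


def run_scenarios() -> dict:
    """Gateway on fe1, rogue on fe7, legitimate client on fe3, all in VLAN 1."""
    gw = build_arp_reply(GW_MAC, GW_IP, CLIENT_MAC, CLIENT_IP)
    rogue = build_arp_reply(ROGUE_MAC, GW_IP, CLIENT_MAC, CLIENT_IP)   # rogue claims 192.168.0.1
    client = build_arp_reply(CLIENT_MAC, CLIENT_IP, GW_MAC, GW_IP)
    # Ryan's setup: VLAN 1 enabled, only fe1 trusted, nothing in the ACL or binding table.
    bare = DaiConfig(enabled_vlans={1}, trusted_ports={"fe1"}, snooping_vlans={1})
    # Same, plus a static ACL entry for the gateway and a snooping binding for the client.
    populated = DaiConfig(enabled_vlans={1}, trusted_ports={"fe1"}, snooping_vlans={1},
                          arp_acl={GW_IP: GW_MAC}, bindings={(1, CLIENT_IP): CLIENT_MAC})
    return {
        "bare/gateway on fe1": inspect(gw, 1, "fe1", bare),
        "bare/rogue on fe7": inspect(rogue, 1, "fe7", bare),
        "bare/client on fe3": inspect(client, 1, "fe3", bare),
        "populated/rogue on fe7": inspect(rogue, 1, "fe7", populated),
        "populated/client on fe3": inspect(client, 1, "fe3", populated),
        "populated/rogue moved to fe1": inspect(rogue, 1, "fe1", populated),
    }


if __name__ == "__main__":
    for name, (forwarded, reason) in run_scenarios().items():
        print(f"{'FORWARD' if forwarded else 'DROP   '} {name}: {reason}")
```

With the empty tables every ARP from an untrusted port is dropped, including the legitimate client's, which is the behaviour Tom attributes to "nothing to be trusted". With a single ACL entry for the gateway, the rogue's reply for 192.168.0.1 is dropped on the ACL MAC mismatch, but other hosts still need a binding (from DHCP snooping or a static entry) to pass. The last scenario is the caveat: a trusted port is not inspected at all, so marking FE1 trusted only helps while the rogue is not behind it.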

It is not practical to add all of the MAC addresses that I want to trust. I just want all connected hosts, regardless of MAC address, to know that the DHCP server is 192.168.0.1 on interface 1 of the switch, along with the correct MAC address. I must not be doing something right.

Any other ideas? It seems like it should be a fairly easy feature to verify that 192.168.0.1 is coming from the right port and the right MAC address. That's the only IP/MAC I care about. Is there another way to go about this? Thank you