08-06-2012 03:12 PM
Hello,
I have observed strange behavior on ESW 520 switches with ARP Inspection. ARP inspection is configured with static IP-to-MAC bindings, and it works. The problem is with the logs: the switch generates tons of ARP inspection logs during normal network operation, but the network endpoints are working well. These logs are the same as those generated during ARP poisoning in the network. This behavior was observed in both older and new firmware.
Here is sample log:
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e9 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:5a:85:2e SRC IP 0.0.0.0 DST MAC 00:00:00:00:00:00 DST IP 10.0.10.18
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e1 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:03 SRC IP 0.0.0.0 DST MAC 00:00:00:00:00:00 DST IP 10.0.10.16
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e6 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:19:85:26 SRC IP 0.0.0.0 DST MAC 00:00:00:00:00:00 DST IP 10.0.10.15
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e1 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:03 SRC IP 0.0.0.0 DST MAC 00:00:00:00:00:00 DST IP 10.0.10.16
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e9 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:12:85:2e SRC IP 0.0.0.0 DST MAC 00:00:00:00:00:00 DST IP 10.0.10.18
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e5 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:10 SRC IP 0.0.0.0 DST MAC 00:00:00:00:00:00 DST IP 10.0.10.10
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e6 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:11:85:26 SRC IP 0.0.0.0 DST MAC 00:00:00:00:00:00 DST IP 10.0.10.1
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e5 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:10 SRC IP 0.0.0.0 DST MAC 00:00:00:00:00:00 DST IP 10.0.10.10
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e8 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:14:85:0c SRC IP 0.0.0.0 DST MAC 00:00:00:00:00:00 DST IP 10.0.10.14
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e3 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:3f SRC IP 0.0.0.0 DST MAC 00:00:00:00:00:00 DST IP 10.0.10.12
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e8 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:51:85:0c SRC IP 0.0.0.0 DST MAC 00:00:00:00:00:00 DST IP 10.0.10.14
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e5 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:10 SRC IP 0.0.0.0 DST MAC 00:00:00:00:00:00 DST IP 10.0.10.10
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e6 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:57:85:26 SRC IP 0.0.0.0 DST MAC 00:00:00:00:00:00 DST IP 10.0.10.15
It seems the switch doesn't like ARP requests which are going to local network addresses, but in that VLAN all hosts can communicate with each other.
Do you have any idea what the problem can be?
08-06-2012 04:53 PM
Hi ngtransge,
I will first say that I do not know the answer. But I suspect the log entries are indicating a MAC address that arrived on the interface and that the switch did not recognize by IP or MAC address. If the MAC or IP is not found in the inspection list, it would revert to the DHCP snooping table, if that is enabled.
I would suspect these entries are coming from an untrusted interface and then go through validation.
Can you show the trusted interfaces and the MAC bindings?
Are the MAC addresses on the log entry meaningful to you in any way?
Are those MAC addresses supposed to be going to a particular destination? Or conversely, are the MAC addresses supposed to be seen on an untrusted interface?
-Tom
08-07-2012 01:24 AM
Hello Thomas,
DHCP Snooping is not enabled on the switch. I have checked the static IP-to-MAC bindings on the switch many times, and they are correct. Also, the MAC addresses from the logs are correct and belong to real hosts connected to the switch. All interfaces on the switch are untrusted; the only trusted interface is the uplink to the core.
It seems strange that the switch drops packets that are going to the local subnet, but in reality these hosts can ping each other. Also, there are no logs at all for default gateway ARPs.
08-07-2012 09:07 AM
Try setting the port connecting to the router as a trusted interface.
-Tom
08-07-2012 11:24 AM
The ESW is connected to a 3750 switch, which is the aggregation point. The port that goes to the 3750 is trusted.
08-07-2012 11:42 AM
I think the reason you see dropped packet logging is the 0.0.0.0 for MAC and IP.
The source IP is 0.0.0.0 and the destination MAC is 00:00:00:00:00:00.
The real question is why your source host residing at MAC 13:71:05:14:85:0c is not showing an IP, and why the destination IP 10.0.10.10 (or any other listed) is not showing a MAC address.
Is this some sort of virtual server network?
-Tom
08-08-2012 01:50 AM
Hello Thomas,
Thank you for helping.
These logs are generated only for phones and IP cameras. I think the logs the switch shows are wrong, because the same logs, with all zeros in the source IP address, are generated when real ARP poisoning is happening.
08-08-2012 09:48 AM
It may be possible: a wireless camera has 2 MAC addresses, the wireless MAC and the wired MAC. Same with the phone: the switch port has 1 MAC while the phone port has a MAC as well.
Are both MACs of each device logged in the binding?
-Tom
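One way to triage logs like the ones in this thread, added here as an example and not part of the original posts: re-join the wrapped syslog entries, parse the %ARPINSP-I-PCKTLOG fields, and classify each drop against the static IP-to-MAC binding table. The binding table and the last sample entry (a bound IP claimed by a different MAC) are constructed for the example; the other sample entries are copied from the thread. An entry with sender IP 0.0.0.0 cannot match any IP-to-MAC binding, so a strict sender check has to fail it regardless of which host sent it; that field pattern (sender IP zero, target MAC zero, target IP the address being asked about) is the wire form of an ARP probe per RFC 5227, which is one plausible reading the thread itself does not settle. The class names, the BINDINGS dict and the helper names are this example's own.

```python
"""Triage ESW %ARPINSP-I-PCKTLOG drops against a static IP-to-MAC binding table.

Added example; not code from the original thread. BINDINGS and the last
SAMPLE_LOG entry are constructed; the other entries are copied from the thread.
"""
import re
from collections import Counter

# Fields of one PCKTLOG message once its wrapped syslog lines are joined.
LOG_RE = re.compile(
    r"%ARPINSP-I-PCKTLOG: ARP packet dropped from port (?P<port>\S+) "
    r"with VLAN tag (?P<vlan>\d+) and reason: (?P<reason>.+?) "
    r"SRC MAC (?P<smac>[0-9a-f:]+) SRC IP (?P<sip>[\d.]+) "
    r"DST MAC (?P<dmac>[0-9a-f:]+) DST IP (?P<dip>[\d.]+)",
    re.IGNORECASE,
)

# Constructed: a plausible static ARP-inspection binding table for VLAN 10.
BINDINGS = {
    "10.0.10.18": "13:71:05:5a:85:2e",
    "10.0.10.16": "13:71:05:80:f5:03",
    "10.0.10.10": "13:71:05:80:f5:10",
}

# First three entries copied from the thread; the fourth is constructed to show
# what a genuine binding mismatch (another MAC claiming 10.0.10.16) looks like.
SAMPLE_LOG = """\
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped
from port e9 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:5a:85:2e SRC IP
0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.18
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped
from port e9 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:12:85:2e SRC IP
0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.18
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped
from port e1 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:03 SRC IP
0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.16
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped
from port e4 with VLAN tag 10 and reason: packet verification failed SRC MAC 00:11:22:33:44:55 SRC IP
10.0.10.16 DST MAC 13:71:05:80:f5:03 DST IP 10.0.10.16
"""


def join_wrapped(text):
    """Re-join syslog entries that a paste wrapped over several lines.
    Each entry starts with the severity word; other lines are continuations."""
    entries, cur = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Informational") and cur:
            entries.append(" ".join(cur))
            cur = []
        cur.append(line)
    if cur:
        entries.append(" ".join(cur))
    return entries


def parse(entry):
    """Return the message fields as a dict, or None if this is not a PCKTLOG drop."""
    m = LOG_RE.search(entry.replace("00 :00", "00:00"))  # repair the pasted zero MAC
    if not m:
        return None
    rec = m.groupdict()
    rec["smac"], rec["dmac"] = rec["smac"].lower(), rec["dmac"].lower()
    return rec


def classify(rec, bindings):
    """Explain why a strict IP-to-MAC check had to drop this ARP packet."""
    bound_macs = {m.lower() for m in bindings.values()}
    if rec["sip"] == "0.0.0.0":
        # A sender IP of 0.0.0.0 matches no binding, so the check fails for any host.
        # Sender IP zero plus target MAC zero is the wire form of an ARP probe (RFC 5227).
        return "probe-from-bound-mac" if rec["smac"] in bound_macs else "probe-from-unbound-mac"
    expected = bindings.get(rec["sip"])
    if expected is None:
        return "sender-ip-not-bound"
    if expected.lower() != rec["smac"]:
        return "binding-mismatch"  # another MAC claims a bound IP: the poisoning signature
    return "consistent"  # binding matches, so the drop reason must lie elsewhere


def triage(log_text, bindings):
    """Count drops per class and list source MACs that are absent from the bindings."""
    counts, unbound = Counter(), set()
    bound_macs = {m.lower() for m in bindings.values()}
    for entry in join_wrapped(log_text):
        rec = parse(entry)
        if rec is None:
            continue
        counts[classify(rec, bindings)] += 1
        if rec["smac"] not in bound_macs:
            unbound.add(rec["smac"])
    return counts, sorted(unbound)


if __name__ == "__main__":
    counts, unbound = triage(SAMPLE_LOG, BINDINGS)
    for cls, n in counts.most_common():
        print(f"{n:3d}  {cls}")
    print("source MACs not in bindings:", ", ".join(unbound) or "none")
```

Run against a real export, the "binding-mismatch" class is the one that deserves a poisoning investigation; the "probe-from-*" classes are the noise the thread describes, and the list of source MACs absent from the bindings is a direct way to answer the question in the last reply about devices carrying two MAC addresses.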