APIPA

FujifilmFCB
Level 1

Dear all,

We have an ASA 5525-X series and two Cisco 10Gb switches, SG350XG-2F10.

The problem in our environment is that new servers get APIPA addresses; we solve this by editing the registry and adding the DWORD ArpRetryCount.

The problem is that we have a Deep Sec DSVA in our VM environment which has the same APIPA problem, but how do I solve this in the DSVA?

Thanks for all the replies.

Best regards

Sjef

14 Replies

FujifilmFCB
Level 1

I read there was a Cisco problem and gave the command on the switch and ASA:

# no ip arp gratuitous

The command was not accepted by the Cisco IOS. Am I doing something wrong?

Hello,

you need to be in global configuration mode:

Switch#conf t

Switch(config)#no ip arp gratuitous

That said, and I am not sure if I understand your problem correctly, if you want to keep clients from getting an APIPA address, you could configure an ARP access list (below is an example):

arp access-list VLAN_5
permit ip 169.254.0.0 0.0.255.255 mac any
ip arp inspection filter VLAN_5 vlan 5

Georg,

The switch says "unknown command".

Are you sure this works on all Cisco switches?

Hello,

my bad, the SG350X has a stripped down, very limited command set. Would disabling gratuitous ARP on the ASA solve your issue? The command is:

sysopt noproxyarp inside

Thanks Georg,

Should I give the command outside production hours, or will there be no impact?

Thanks in advance

Sjef

Hello Sjef,

I would do this outside of production just to be sure. Keep in mind that proxy ARP is a useful defense against ARP spoofing and Man-in-the-Middle attacks, so be careful when you turn it off.

Hopefully that resolves your issue...

Georg,

I gave the command and the ASA accepted it, but when I connect a new server, APIPA comes in again.

Do you have any options?

Best regards

Hello,

do you have Wireshark? If so, as per the attached document, you could use the filter below to find out where the packets come from:

arp.opcode==2 && arp.dst.proto_ipv4==0.0.0.0
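
As an added example (not posted by anyone in this thread), the Python script below applies the same test as the Wireshark filter above to raw Ethernet/ARP frames and reports the MAC address of whatever answered the DHCP client's address probe. All frames, MAC addresses and IP addresses in it are constructed sample data, not captured traffic.

```python
import struct

ETHERTYPE_ARP = 0x0806  # Ethernet II type field for ARP
ARP_REPLY = 2           # arp.opcode value for a reply

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)
def ip_str(b):
    return ".".join(str(x) for x in b)

def parse_arp_frame(frame):
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP; None otherwise."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    arp = frame[14:42]
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"opcode": opcode,
            "sender_mac": mac_str(arp[8:14]), "sender_ip": ip_str(arp[14:18]),
            "target_mac": mac_str(arp[18:24]), "target_ip": ip_str(arp[24:28])}

def find_probe_replies(frames):
    """Same test as the Wireshark filter arp.opcode==2 && arp.dst.proto_ipv4==0.0.0.0:
    ARP replies addressed to a host that has no IP yet, i.e. answers to a DHCP
    client's address probe. sender_mac identifies the device that answered."""
    return [a for a in map(parse_arp_frame, frames)
            if a and a["opcode"] == ARP_REPLY and a["target_ip"] == "0.0.0.0"]

def build_arp(opcode, smac, sip, tmac, tip, dst_mac):
    # Assemble an Ethernet II + ARP frame (used only to construct the sample data).
    return (dst_mac + smac + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + smac + sip + tmac + tip)

# Constructed sample capture: a new server probing the address 10.0.5.20 it was offered.
CLIENT_MAC, GW_MAC = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee")
BCAST, ZERO_MAC, NO_IP = b"\xff" * 6, b"\x00" * 6, bytes([0, 0, 0, 0])
SAMPLE_FRAMES = [
    # 1: the probe itself (request, sender IP 0.0.0.0, broadcast) -> not a reply
    build_arp(1, CLIENT_MAC, NO_IP, ZERO_MAC, bytes([10, 0, 5, 20]), BCAST),
    # 2: another device answers the probe, claiming 10.0.5.20 -> matches the filter
    build_arp(ARP_REPLY, GW_MAC, bytes([10, 0, 5, 20]), CLIENT_MAC, NO_IP, CLIENT_MAC),
    # 3: an ordinary reply to a host that already has an address -> no match
    build_arp(ARP_REPLY, GW_MAC, bytes([10, 0, 5, 1]), CLIENT_MAC, bytes([10, 0, 5, 30]), CLIENT_MAC),
]

if __name__ == "__main__":
    for hit in find_probe_replies(SAMPLE_FRAMES):
        print(f"probe answered by {hit['sender_mac']} claiming {hit['sender_ip']}")
```

A reply that matches is the signal a DHCP client treats as an address conflict, so the sender MAC of the match is the device to look at.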

Hello,

Thanks for the info. I have installed Wireshark on a VM in the network and set the filter to

arp.opcode==2 && arp.dst.proto_ipv4==0.0.0.0

but nothing comes up, nothing to filter, as if it is not there?

Hello,

not sure why you are not seeing any packets...

Back to the original problem (APIPA), do you have:

spanning-tree portfast

enabled on the switch ports where the servers are connected?

Georg,

I don't see anything in the config saying spanning-tree portfast is enabled.

So, no, I don't think so.

Hello,

the idea is that without spanning tree portfast enabled, the port takes about 40 seconds to become active, which usually causes a timeout to the connection with the DHCP server, and might be the reason you get the APIPA address. Enable portfast on the ports and check if you still get APIPA.

Hello,

Can I enable portfast on the switch during production,

or should I wait for production to finish?

Thanks in advance

Hello,

after hours again is recommended. Actually, configure spanning-tree portfast, then disconnect and reconnect the server; that way, you will immediately see whether or not you still get APIPA.
