We have an ASA 5525-X and 2 Cisco 10Gb switches (SG350XG-2F10).
The problem in our environment is that new servers get an APIPA address; we solve this by editing the registry and adding the DWORD ArpRetryCount.
The problem is that we have a Deep Security DSVA in our VM environment which has the same APIPA problem, but how do I solve this in the DSVA..?
Thanks for all the replies..
you need to be in global configuration mode:
Switch(config)#no ip arp gratuitous
That said, and I am not sure if I understand your problem correctly, if you want to keep clients from getting an APIPA address, you could configure an arp access list (below is an example):
arp access-list VLAN_5
permit ip 169.254.0.0 0.0.255.255 mac any
ip arp inspection filter VLAN_5 vlan 5
My bad, the SG350X has a stripped-down, very limited command set. Would disabling gratuitous ARP on the ASA solve your issue? The command is:
sysopt noproxyarp inside
I would do this outside of production just to be sure. Keep in mind that proxy ARP is a useful defense against ARP spoofing and Man-in-the-Middle attacks, so be careful when you turn it off.
Hopefully that resolves your issue...
Thanks for the info. I have installed Wireshark on a VM in the network and set the filter to:
arp.opcode==2 && arp.dst.proto_ipv4==0.0.0.0
but nothing comes up... nothing to filter, as if it's not there...?
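An added example, not code from the thread: a small Python parser that classifies ARP frames the same way the Wireshark filter above does, so you can see what an answer to a duplicate-address probe (the kind of reply that makes Windows fall back to APIPA) looks like on the wire. The frames, MAC addresses and 10.0.5.x addresses are constructed for the example.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac(s): return bytes.fromhex(s.replace(":", ""))
def ip(s): return bytes(int(o) for o in s.split("."))

def build_arp(opcode, sha, spa, tha, tpa):
    """Build a constructed Ethernet II + ARP frame (sample input only)."""
    dst = "ff:ff:ff:ff:ff:ff" if tha == "00:00:00:00:00:00" else tha
    eth = mac(dst) + mac(sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)
    return eth + arp

def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    _htype, _ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (hlen, plen) != (6, 4):
        return None
    dot = lambda b: ".".join(str(x) for x in b)
    return {"opcode": opcode, "sha": frame[22:28].hex(":"), "spa": dot(frame[28:32]),
            "tha": frame[32:38].hex(":"), "tpa": dot(frame[38:42])}

def classify(a):
    # Probe: a host with no address yet asks "who has X?" with sender IP 0.0.0.0.
    if a["opcode"] == ARP_REQUEST and a["spa"] == "0.0.0.0":
        return "probe"
    # Reply aimed at 0.0.0.0 = someone answered a probe, i.e. the address is already taken.
    # This is exactly what arp.opcode==2 && arp.dst.proto_ipv4==0.0.0.0 matches in Wireshark.
    if a["opcode"] == ARP_REPLY and a["tpa"] == "0.0.0.0":
        return "conflict-reply"
    if a["spa"] == a["tpa"]:
        return "gratuitous"
    return "normal"

def conflict_report(frames):
    """Map each IP claimed in a conflict reply to the MAC(s) that answered the probe."""
    claims = {}
    for f in frames:
        a = parse_arp(f)
        if a and classify(a) == "conflict-reply":
            claims.setdefault(a["spa"], set()).add(a["sha"])
    return claims

SAMPLE = [  # constructed frames
    build_arp(ARP_REQUEST, "00:50:56:aa:bb:01", "0.0.0.0", "00:00:00:00:00:00", "10.0.5.20"),  # probe
    build_arp(ARP_REPLY, "00:50:56:aa:bb:02", "10.0.5.20", "00:50:56:aa:bb:01", "0.0.0.0"),    # conflict
    build_arp(ARP_REQUEST, "00:50:56:aa:bb:03", "10.0.5.1", "00:00:00:00:00:00", "10.0.5.1"),  # gratuitous
    build_arp(ARP_REPLY, "00:50:56:aa:bb:04", "10.0.5.30", "00:50:56:aa:bb:05", "10.0.5.31"),  # normal
]
```

If a capture on the server's VLAN never shows a "conflict-reply" frame, the APIPA fallback is more likely a DHCP timeout than an address conflict, which is worth knowing before touching ARP settings.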
Not sure why you are not seeing any packets...
Back to the original problem (APIPA), do you have:
enabled on the switch ports where the servers are connected to?
The idea is that without spanning-tree portfast enabled, the port takes about 40 seconds to become active, which usually causes a timeout of the connection to the DHCP server, and might be the reason you get the APIPA address. Enable portfast on the ports and check if you still get APIPA.
After hours again is recommended. Actually, configure spanning-tree portfast, then disconnect and reconnect the server; that way, you will immediately see whether or not you still get APIPA.