APIPA

Dear all,

We have an ASA 5525-X series and 2 Cisco 10Gb switches SG350XG-2F10.

The problem in our environment is that new servers get APIPA; we solve this by editing the registry and adding the DWORD ArpRetryCount.

The problem is that we have a Deep Security DSVA in our VM environment which has the same APIPA problem, but how do I solve this in the DSVA?

Thanks for all the replies.

best regards

Sjef


I read there was a Cisco problem and gave the command on the switch and ASA:

# no ip arp gratuitous

The commands were not accepted by the Cisco IOS... do I do something wrong?


Hello,

you need to be in global configuration mode:

Switch#conf t

Switch(config)#no ip arp gratuitous

That said, and I am not sure if I understand your problem correctly, if you want to keep clients from getting an APIPA address, you could configure an ARP access list (below is an example):

arp access-list VLAN_5
permit ip 169.254.0.0 0.0.255.255 mac any
ip arp inspection filter VLAN_5 vlan 5


Georg,

the switch says "unknown command".

Are you sure this works on all Cisco switches?


Hello,

my bad, the SG350X has a stripped-down, very limited command set. Would disabling gratuitous ARP on the ASA solve your issue? The command is:

sysopt noproxyarp inside


Thanks Georg,

Should I give the command outside production hours, or will there be no impact?

thanks in advance

Sjef


Hello Sjef,

I would do this outside of production just to be sure. Keep in mind that proxy ARP is a useful defense against ARP spoofing and Man-in-the-Middle attacks, so be careful when you turn it off.

Hopefully that resolves your issue...


Georg,

I gave the command, the ASA accepted it, but when I connect a new server APIPA comes in again...

Do you have any other options?

best regards


Hello,

do you have Wireshark? If so, as per the attached document, you could use the filter below to find out where the packets come from:

arp.opcode==2 && arp.dst.proto_ipv4==0.0.0.0
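
As an added illustration of what that filter catches (example code written for this thread, not Georg's attachment or Cisco's): a new Windows host sends an ARP probe for the address DHCP offered it, with sender IP 0.0.0.0; if any device answers that probe, the host declines the lease and falls back to APIPA. The script below parses raw Ethernet/ARP frames and applies the same condition as the filter, reporting which MAC answered the probe and which address it claimed, so the responder (a proxy-ARP firewall, a duplicate host) can be identified. All MAC and IP addresses are constructed sample values.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2

def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))

def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))

def build_arp_frame(opcode, sha, spa, tha, tpa):
    """Build a raw Ethernet+ARP frame (used here only to construct sample traffic)."""
    eth_dst = b"\xff" * 6 if opcode == ARP_REQUEST else mac_bytes(tha)
    return ETH_HDR.pack(eth_dst, mac_bytes(sha), ETHERTYPE_ARP) + ARP_PKT.pack(
        1, 0x0800, 6, 4, opcode, mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))

def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size or ETH_HDR.unpack_from(frame)[2] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"opcode": op,
            "sha": ":".join(f"{b:02x}" for b in sha), "spa": ".".join(map(str, spa)),
            "tha": ":".join(f"{b:02x}" for b in tha), "tpa": ".".join(map(str, tpa))}

def probe_answers(frames):
    """Same condition as the Wireshark filter arp.opcode==2 && arp.dst.proto_ipv4==0.0.0.0.
    A reply whose target IP is 0.0.0.0 can only answer an ARP probe (sender IP 0.0.0.0), so the
    replying MAC is the device claiming the address the new host was about to take."""
    hits = []
    for f in frames:
        a = parse_arp(f)
        if a and a["opcode"] == ARP_REPLY and a["tpa"] == "0.0.0.0":
            hits.append((a["sha"], a["spa"], a["tha"]))   # (who answered, IP it claims, who asked)
    return hits

# Constructed sample traffic: an ARP probe from a new server, an ordinary request/reply pair, and a reply to the probe.
SERVER, FIREWALL, HOST_B = "00:50:56:aa:bb:cc", "00:0c:29:ff:ff:01", "00:1b:21:12:34:56"
SAMPLE_FRAMES = [
    build_arp_frame(ARP_REQUEST, SERVER, "0.0.0.0", "00:00:00:00:00:00", "192.168.5.20"),  # ARP probe
    build_arp_frame(ARP_REQUEST, HOST_B, "192.168.5.30", "00:00:00:00:00:00", "192.168.5.1"),
    build_arp_frame(ARP_REPLY, FIREWALL, "192.168.5.1", HOST_B, "192.168.5.30"),
    build_arp_frame(ARP_REPLY, FIREWALL, "192.168.5.20", SERVER, "0.0.0.0"),
]
```

On a real capture, feed the raw Ethernet frames from the pcap into `probe_answers` and look up the answering MAC's vendor prefix and switch port; a firewall MAC here means proxy ARP on that interface, a second server MAC means a genuine duplicate address.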


hello,

thanks for the info, I have installed Wireshark on a VM in the network and set the filter to

arp.opcode==2 && arp.dst.proto_ipv4==0.0.0.0

but nothing comes up... nothing to filter, as if it is not there?


Hello,

not sure why you are not seeing any packets...

Back to the original problem (APIPA), do you have:

spanning-tree portfast

enabled on the switch ports where the servers are connected?


Georg,

I don't see anything in the config saying that spanning-tree portfast is enabled.

So, no, I don't think so.


Hello,

the idea is that without spanning tree portfast enabled, the port takes about 40 seconds to become active, which usually causes a timeout to the connection with the DHCP server, and might be the reason you get the APIPA address. Enable portfast on the ports and check if you still get APIPA.


hello,

Can I enable portfast on the switch during production,

or should I wait for production to finish?

thanks in advance


Hello,

after hours again is recommended. Actually, configure spanning-tree portfast, then disconnect and reconnect the server; that way you will immediately see whether or not you still get APIPA.
