ARP Inspection issue

stephendrkw
Level 3

3 switches in the same broadcast domain (transparent mode), approx. 200 VLANs. Trunk links between switches allow all VLANs 1-4096.

I set up ARP inspection for one particular VLAN to troubleshoot an ARP server issue, possibly an unintentional ARP MITM. Set up as follows:


! Enable DAI on vlan 100 only
ip arp inspection vlan 100
!
! ARP ACL that permits every sender IP/MAC pair, so no ARP is dropped by validation
arp access-list DAI
 permit ip any mac any
!
! Apply the ACL to vlan 100 and log ACL matches
ip arp inspection filter DAI vlan 100
!
ip arp inspection vlan 100 logging acl-match matchlog


Once enabled, some of the servers on each switch in vlan 100 went into error-disabled mode and the port channel between the switches went into error-disabled status. Once I removed it with "no ip arp inspection vlan 100" and did a shut/no shut on the port channel, the port channel came back up, and after I had waded through a shut/no shut on all the error-disabled server ports everything was back to normal.

Am I right in saying the problem was caused by not setting the port channels between switches to "arp inspection trust", and should I just leave all the server ports untrusted (default)? i.e. for all inter-switch links:

conf t
int Po200
 ip arp inspection trust
end

then leave everything else as is? Would this make the problem go away? I can't try it now as it's production kit, and I don't really have an ideal UAT lab as such yet.
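As an added example (not the original poster's configuration), here is the same DAI setup with the inter-switch port channel trusted, plus the two settings behind most DAI err-disable events: an untrusted port is rate-limited to 15 ARP packets per second by default and is err-disabled when it exceeds that, which an untrusted uplink carrying the ARP traffic of a whole VLAN, or a busy bonded server port, can easily do. The interface names, the rate-limit value and the recovery interval below are assumptions for illustration. Note also that "logging acl-match matchlog" only logs packets that hit an ACE carrying the log keyword, so the ACE here adds it.

```cisco
! Added example, not from the original post. Interface names, the rate
! limit and the recovery interval are assumptions for illustration.
!
! Enable DAI on the VLAN being investigated only.
ip arp inspection vlan 100
!
! Trust the inter-switch links. Trust is configured on the port-channel
! and applies to its member links; host-facing ports stay untrusted (default).
interface Port-channel200
 ip arp inspection trust
!
! Untrusted ports are limited to 15 ARP pps by default and err-disabled
! when they exceed it. Hosts that bond NICs or run VMs can legitimately
! exceed that, so raise the limit on host ports (value is an assumption;
! size it from "show ip arp inspection statistics").
interface range GigabitEthernet1/0/1 - 24
 ip arp inspection limit rate 100 burst interval 1
!
! Let err-disabled ports recover on their own instead of shut/no shut by hand.
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
! Permit every sender, but add "log" so matchlog actually records the matches.
arp access-list DAI
 permit ip any mac any log
ip arp inspection filter DAI vlan 100
ip arp inspection vlan 100 logging acl-match matchlog
```

Because the ACL permits every sender IP/MAC pair, this configuration validates nothing; it only logs. To actually stop a spoofed ARP reply you need DHCP snooping bindings on the VLAN, or explicit "permit ip host <ip> mac host <mac>" entries for static hosts with the "static" keyword on the filter command so unmatched packets are dropped. Verify the trust state with "show ip arp inspection interfaces" before enabling DAI on the VLAN.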

2 Replies

Charles Hill
VIP Alumni

Hello

would be configured as untrusted and all switchports connected to other switches would be trusted. Configuring a port as untrusted when it should be trusted can cause an outage.


If you suspect a MITM attack, you can go to a PC that you think may be sending the IP traffic to the wrong MAC and at the command prompt type "arp -a 192.168.1.1" and verify it has the correct MAC address mapped to the IP address. If it has the wrong MAC, you can log in to the switch and then run "show mac address-table address xxxx.xxxx.xxxx" to locate the source of the MITM attack.


On the switch side, you can type "show arp | i 192.168.1.1" and "show arp | i <mac address>" to verify which MAC is bound to the IP address.


Hope this helps....
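The switch-side check described in the reply above, written out as an added example with constructed sample output (this is not from the reply or the original post). The IP address, MAC addresses, VLAN and port names are invented for illustration; the output lines show the general layout of these commands, not a real capture.

```cisco
! Added example with constructed output; addresses and ports are invented.
!
! 1. What the switch's own ARP cache holds for the gateway IP
!    (age column shows minutes; "-" would mean the switch's own SVI).
Switch# show ip arp | include 192.168.1.1
Internet  192.168.1.1            12   0011.2233.4455  ARPA   Vlan100
!
! 2. A host's "arp -a 192.168.1.1" reports a different MAC for that IP.
!    Look that MAC up to find the port it is learned on.
Switch# show mac address-table address aabb.ccdd.eeff vlan 100
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    aabb.ccdd.eeff    DYNAMIC     Gi1/0/17
Total Mac Addresses for this criterion: 1
!
! 3. If the port is a trusted inter-switch link (Po200 here), log in to the
!    switch on the far end and repeat step 2 until it lands on an access port.
Switch# show ip arp inspection interfaces
!
! 4. With DAI logging on, the log buffer names the port that sent the
!    conflicting ARP, and the statistics show per-VLAN drops and forwards,
!    which avoids walking 400 hosts by hand.
Switch# show ip arp inspection log
Switch# show ip arp inspection statistics vlan 100
```

One MAC appearing in the MAC table for a port that also shows up as the sender of ARP replies for the gateway IP is the signature to look for; with bonded servers, check whether the MAC belongs to the bond (the same MAC on two ports moving between them) before treating it as a spoofer.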

Thanks, I'll give the port channel command a try. I did think this was the case (inter-switch links trusted) but wanted to share. I was aware of the other suggestion, but most servers are bonding on these switches, so it's not easy to identify; 400-odd hosts on vlanx.

Thanks.