ARP Inspection with Win7

Jeff.sadowski
Level 1

We have deployed ARP inspection within our access switches (Cisco 3750's w/ IOS 12.2(35)). We had no issues running ARP inspection with no modification to the standard thresholds, until we started deploying Windows 7.

When an employee does searches within Active Directory or file transfers, the port will become err-disabled.

Has anyone else run into this issue, and what was the resolution?

5 Replies

This command can help you.

ip arp inspection limit none

To my understanding, putting the ARP inspection to no limit is the same as not using it at all. I work for a large company that has regular audits done, and this is tested to make sure that if someone were to use this against us, it triggers and shuts down the switch port. There must be something in the middle that will not disable the port while using a Win7-configured PC and still will shut the port down if a possible attack were to happen. I have not been able to find anything in the CLI for 12.2(35) that I can use to monitor the amount of requests that are happening. If this were possible, I would do various functions with a Win7 PC to find the upper (peak) possible request rate from a Win7 PC and use that number to configure ARP inspection. I am looking for someone that might have possibly done a similar process (possibly manually) to find this magical number that stops Win7 from disabling the port but still protects from an ARP attack.

We have seen the ports become disabled with searches within the Active Directory space, like searching for a printer queue. We have seen this issue with opening or transferring large files. We also have scans done on PCs to make sure software levels are kept up to date and patches applied; that could also disable ports.

Currently, the default setting Cisco has for the Cat 3750 under IOS 12.2(35) has been working well when a WinXP PC is attached. Because of the new protocol stacks within Win7, this has become an issue. My concern currently is that we have few Win7 PCs in use and have already seen an increase in ports being disabled. The current company directive is to use Win7 for any new PC being deployed. It is estimated that about 1/4 to 1/3 will be replaced in the next year, which is thousands of possible ports being disabled.

Jon Marshall
Hall of Fame

Jeff

What burst value are you using? There is a bug ID, CSCse06827, which may be causing your problems:

Bug CSCse06827

Jon

Jon,

This looks like a possible solution to my problem. I had started looking for a possible Cisco bug. I had not found this one yet, and your forwarding this information is greatly appreciated. I will need to do some testing on this, so it meets audit requirements. I'll most likely start with the bug recommendation to change the burst timer from one second to three seconds. Once my testing is completed, I'll deploy it at one of the offices that seems to be most affected to see how well it works in the office environment. I'll keep this string updated on the results to help out anyone else that might have a similar issue.
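The trade-off Jeff is after (a limit that still trips on an ARP flood but tolerates a Win7 lookup burst) and the burst-interval change from the bug recommendation can be modelled before touching a production switch. The block below is an added example, not code from this thread or from Cisco. It assumes the documented semantics of `ip arp inspection limit rate R burst interval B`: ARP packets on an untrusted port are counted over a sliding B-second window, and the port is err-disabled once that count exceeds R * B (Cisco's default on untrusted ports is rate 15 with a 1-second burst interval). The two ARP traces are constructed to resemble a Win7 browse burst and a sustained flood; they are not captured data.

```python
"""Model of per-port Dynamic ARP Inspection (DAI) rate limiting.

Added example, not from the thread and not Cisco code. Assumption: the switch
counts ARP packets on an untrusted port over a sliding `burst_interval`-second
window and err-disables the port when the count exceeds rate * burst_interval,
i.e. the semantics of `ip arp inspection limit rate R burst interval B`.
All timestamps below are constructed, not captured.
"""
from collections import deque
from typing import Dict, Iterable, Optional, Tuple


def first_violation(timestamps: Iterable[float], rate: int,
                    burst_interval: int = 1) -> Optional[float]:
    """Return the arrival time at which the port would be err-disabled, or None.

    A sliding window holds the packets that arrived within the last
    `burst_interval` seconds; exceeding rate * burst_interval trips the port.
    """
    window: deque = deque()
    limit = rate * burst_interval
    for t in sorted(timestamps):
        window.append(t)
        # Drop packets that have fallen out of the burst window.
        while window[0] <= t - burst_interval:
            window.popleft()
        if len(window) > limit:
            return t
    return None


def peak_window_count(timestamps: Iterable[float], window_seconds: float) -> int:
    """Largest number of ARP packets seen in any window of the given length.

    This is the 'magical number' to measure on a representative PC: the ARP
    burst a legitimate host produces while browsing AD or moving large files.
    rate * burst_interval must stay above it, with headroom, or the port trips.
    """
    window: deque = deque()
    peak = 0
    for t in sorted(timestamps):
        window.append(t)
        while window[0] <= t - window_seconds:
            window.popleft()
        peak = max(peak, len(window))
    return peak


def ios_limit_command(rate: int, burst_interval: int) -> str:
    """Interface-level IOS command that applies the chosen limit."""
    return f"ip arp inspection limit rate {rate} burst interval {burst_interval}"


# Constructed traces (seconds since the port came up), not captured data.
# Win7-style burst: 22 ARP requests in under half a second while resolving
# many AD / printer hosts, then idle.
WIN7_BROWSE = [i * 0.02 for i in range(22)] + [5.0, 10.0]
# ARP flood: 100 packets per second sustained for 3 seconds.
ARP_FLOOD = [i / 100.0 for i in range(300)]


def compare(rate: int = 15) -> Dict[Tuple[str, int], Optional[float]]:
    """Check both traces against the default rate with a 1 s and a 3 s burst."""
    results: Dict[Tuple[str, int], Optional[float]] = {}
    for name, trace in (("win7_browse", WIN7_BROWSE), ("arp_flood", ARP_FLOOD)):
        for burst in (1, 3):
            results[(name, burst)] = first_violation(trace, rate, burst)
    return results


if __name__ == "__main__":
    for (name, burst), t in compare().items():
        verdict = f"err-disabled at {t:.2f}s" if t is not None else "stays up"
        print(f"{name:12s} {ios_limit_command(15, burst):45s} -> {verdict}")
    print("peak ARP/1s, win7 burst:", peak_window_count(WIN7_BROWSE, 1.0))
    print("peak ARP/3s, flood:     ", peak_window_count(ARP_FLOOD, 3.0))
```

Run as-is, the model shows why the bug's advice works: the 22-packet burst exceeds 15 packets in a 1-second window but sits well under the 45 allowed by a 3-second window, while a 100 pps flood trips both settings within the first second. To replace the constructed trace with real numbers, capture ARP from a representative Win7 PC (a SPAN session and `tcpdump arp` are enough) during an AD printer search and a large file transfer, feed the arrival times to `peak_window_count` with the intended burst interval, and set the limit above that peak. Apply it per access port with the command `ios_limit_command` prints, pair it with `errdisable recovery cause arp-inspection` so a false positive does not need a manual `shutdown`/`no shutdown`, and confirm the active values with `show ip arp inspection interfaces`.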

Jeff,

Did you ever figure out a solution/explanation for this issue?

Regards,

Craig
