We have deployed ARP inspection within our access switches (Cisco 3750s w/ IOS 12.2(35)). We had no issues running ARP inspection with no modification to the standard thresholds, until we started deploying Windows 7.
When an employee does searches within Active Directory or file transfers, the port will become err-disabled.
Has anyone else run into this issue, and what was the resolution?

To my understanding, putting the ARP inspection to no limit is the same as not using it at all. I work for a large company that has regular audits done, and this is tested to make sure that if someone were to use this against us, it triggers and shuts down the switch port. There must be something in the middle that will not disable the port while using a Win7-configured PC and will still shut the port down if a possible attack were to happen. I have not been able to find anything in the CLI for 12.2(35) that I can use to monitor the number of requests that are happening. If this were possible, I would do various functions with a Win7 PC to find the upper (peak) possible request rate from a Win7 PC and use that number to configure ARP inspection. I am looking for someone who might have possibly done a similar process (possibly manually) to find this magical number that stops Win7 from disabling the port, but still protects from an ARP attack.

We have seen the ports become disabled with searches within the Active Directory space, like searching for a printer queue. We have seen this issue with opening or transferring large files. We also have scans done on PCs to make sure software levels are kept up to date and patches applied; those could also disable ports.

Currently, the default setting Cisco has for the Cat 3750 under IOS 12.2(35) has been working well when a WinXP PC is attached. Because of the new protocol stacks within Win7, this has become an issue. My concern currently is that we have few Win7 PCs in use and have already seen an increase in ports being shut down/disabled. The current company directive is to use Win7 for any new PC being deployed. It is estimated that about 1/4 to 1/3 will be replaced in the next year, which is thousands of possible ports being disabled.

This looks like a possible solution to my problem. I had started looking for a possible Cisco bug. I had not found this one yet, and your forwarding this information is greatly appreciated. I will need to do some testing on this so it meets audit requirements. I'll most likely start with the bug recommendation to change the burst timer from one second to three seconds. Once my testing is completed, I'll deploy it at one of the offices that seems to be most affected to see how well it works in the office environment. I'll keep this string updated on the results to help out anyone else that might have a similar issue.
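The two ideas in this thread (measure the peak ARP rate a Win7 client actually produces, then compare it against a DAI limit with a one-second versus a three-second burst interval) can be worked through offline on a capture. The script below is an added example, not from the thread or from Cisco; it assumes ARP frame timestamps exported with tshark, models the DAI limit as "more than rate x burst_interval packets in any burst_interval seconds" using a sliding window as a worst-case approximation, and uses a constructed sample burst rather than a real capture.

```python
"""Check a client's ARP request pattern against a Cisco DAI rate limit.

Feed per-packet timestamps of ARP frames sent by one client, e.g. from:
  tshark -r client.pcap -Y arp -T fields -e frame.time_epoch
The corresponding IOS interface command is
  ip arp inspection limit rate <pps> burst interval <seconds>
(defaults on untrusted ports: 15 pps, 1 second).
"""
import math
from bisect import bisect_left
from typing import Iterable, List

DEFAULT_RATE_PPS = 15       # Cisco DAI default for untrusted ports
DEFAULT_BURST_SECONDS = 1   # Cisco DAI default burst interval

# Constructed sample (not a real capture): 20 ARP requests in 0.4 s, the
# kind of flurry a directory/printer browse can produce, then one request
# every 0.5 s for the next 2.5 s.
SAMPLE_ARP_TIMESTAMPS = [10.0 + 0.02 * k for k in range(20)] + \
                        [10.5 + 0.5 * k for k in range(5)]


def peak_in_window(timestamps: Iterable[float], window: float) -> int:
    """Largest packet count inside any [t, t + window) span that starts at
    a packet. Sliding window = worst case; the switch's exact accounting
    is not documented, so this errs on the conservative side."""
    ts: List[float] = sorted(timestamps)
    peak = 0
    for i, t in enumerate(ts):
        j = bisect_left(ts, t + window)   # first packet at/after t+window
        peak = max(peak, j - i)
    return peak


def would_errdisable(timestamps: Iterable[float],
                     rate_pps: int = DEFAULT_RATE_PPS,
                     burst_seconds: int = DEFAULT_BURST_SECONDS) -> bool:
    """True if DAI would err-disable the port for this traffic."""
    return peak_in_window(timestamps, burst_seconds) > rate_pps * burst_seconds


def minimum_safe_rate(timestamps: Iterable[float], burst_seconds: int,
                      headroom: float = 1.0) -> int:
    """Smallest whole pps value that keeps the observed peak under the
    limit for the given burst interval; headroom > 1.0 adds margin."""
    peak = peak_in_window(timestamps, burst_seconds)
    return math.ceil(peak * headroom / burst_seconds)


if __name__ == "__main__":
    for burst in (1, 3):
        print(f"burst {burst}s: peak={peak_in_window(SAMPLE_ARP_TIMESTAMPS, burst)}"
              f" errdisable@15pps={would_errdisable(SAMPLE_ARP_TIMESTAMPS, 15, burst)}"
              f" min_safe_rate={minimum_safe_rate(SAMPLE_ARP_TIMESTAMPS, burst)}")
```

With the sample burst, the default 15 pps / 1 s limit trips (21 packets in one second) while 15 pps / 3 s does not (25 packets against a 45-packet budget), which is the effect the burst-interval change discussed above is meant to have; replace the constructed list with real tshark output to size the limit for your own clients.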