Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2190
Views
0
Helpful
2
Replies

arp inspection without dhcp

dreams_as_money
Level 1
Level 1

‎08-20-2011 07:47 AM - edited ‎03-07-2019 01:47 AM

Hey mates

I hope you are doing well

so i have a question could  someone  assist me?

we have  switched topology  and  I want to implement arp inspection with no-dhcp

while configuring production  topology I got several problems

I have  server that have  several interfaces

I have  servers that configured micro. NLB with virtula mac addres

I have Blade system that have several server also dns   and etc.

while  configuring arp inspection i got lots of problems

so I need to bind  several ip  to mac  in one interface and  prevent  arp spoofs  etc.

and  also  to prevent users who  can  change  its ip to server ip in other  word  prevent ip conflict

in interface  which connected to nlb  crying  abt   invalid arp also in pther server which has several interfaces

any idea? how I should manage  this  problem

Thanks

Config...

ip arp inspection vlan 8

ip arp inspection validate src-mac ip

ip arp inspection log-buffer entries 512

ip arp inspection filter av8 vlan  8

arp access-list av8

permit ip host*************     mac host********

permit ip host ****************mac host *************

permit ip host ****************mac host**************

permit ip host **************  mac host ***************

Labels:
0 Helpful
2 Replies 2

Peter Paluch
Cisco Employee
Cisco Employee

‎09-04-2011 02:41 AM

Hello,

Your idea is correct - you define a static IP-to-MAC ARP access list and use it in the Dynamic ARP Inspection configuration. Even the configuration snippet you've provided seems to be correct. Do you feel it is not working as expected for you?

Best regards,

Peter

0 Helpful

dreams_as_money
Level 1
Level 1
In response to Peter Paluch

‎09-04-2011 03:07 AM

Hi Peter

Its working good but only with end hosts

with server which has several interfaces it gives errors invalid  arp or dhcp snooping  problem

I want  to implement arp inspection with server  which has several interfaces or nlb

but it disbles it after pps  expired  I configured pps to 100 but  it gives me lots of  arp errors

How can I mange such problem I mean checkin the error types in cisco  page it says that its  an arp spoofing and how can I make sure if  there arp spoofing in my local lan

I am not sure that it should be spoofing

Thanks

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card