08-02-2012 02:57 PM - edited 03-07-2019 08:07 AM
We are running DAI on our access switches. All clients get static IPs so we use ACLs to define the MAC-to-IP bindings. Here is a snippet of the config:
ip arp inspection vlan 99
ip arp inspection filter vlan99arp vlan 99 static
arp access-list vlan99arp
permit ip host 172.16.0.10 mac host 0011.2233.4455
The one issue I have is when hosts send out ARP probes. In most cases, this only happens when a host is rebooted or the network settings are changed. But we have a host that sends ARP probes every minute. Each time a log is sent to our syslog server which sends an email. This is filling up my mailbox with unnecessary messages.
Is there a way to configure DAI to ignore ARP probes? It looks like you can configure DAI to explicitly log ARP probes with "logging arp-probe" but I want it to ignore these. Here is an example of what gets logged every minute:
Aug 2 17:54:58.148 EDT: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Gi0/10, vlan 99.([0011.2233.4455/0.0.0.0/ffff.ffff.ffff/172.16.0.10
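As an added example (not from the post or the switch vendor), a Python triage filter for the syslog-to-email path: it parses the ACL_DENY line quoted above, recognises RFC 5227 ARP Probes (sender IP 0.0.0.0), reports a non-zero target MAC as an RFC 5227 deviation, and suppresses only probes whose target IP matches the probing MAC's own ARP-ACL binding, so any other denied ARP still alerts. It assumes the bracketed tuple is sender MAC / sender IP / target MAC / target IP.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Regex for the %SW_DAI-4-ACL_DENY message quoted in the post. The bracketed
# tuple is read as sender MAC / sender IP / target MAC / target IP (assumption;
# the quoted line is truncated, so no closing bracket is required).
DAI_DENY_RE = re.compile(
    r"%SW_DAI-4-ACL_DENY: (?P<count>\d+) Invalid ARPs \((?P<op>Req|Res)\) "
    r"on (?P<port>\S+), vlan (?P<vlan>\d+)\.\(\["
    r"(?P<smac>[0-9a-f.]{14})/(?P<sip>[\d.]+)/(?P<tmac>[0-9a-f.]{14})/(?P<tip>[\d.]+)"
)

class DaiDeny(NamedTuple):
    op: str
    port: str
    vlan: int
    smac: str
    sip: str
    tmac: str
    tip: str

def parse_dai_deny(line: str) -> Optional[DaiDeny]:
    """Return the parsed deny record, or None if the line is not an ACL_DENY."""
    m = DAI_DENY_RE.search(line)
    if not m:
        return None
    return DaiDeny(m["op"], m["port"], int(m["vlan"]),
                   m["smac"], m["sip"], m["tmac"], m["tip"])

def is_arp_probe(d: DaiDeny) -> bool:
    """RFC 5227 ARP Probe: an ARP Request whose sender IP is 0.0.0.0."""
    return d.op == "Req" and d.sip == "0.0.0.0"

def rfc5227_issues(d: DaiDeny) -> List[str]:
    """Deviations from RFC 5227 section 2.1.1 visible in a single probe."""
    if d.tmac == "0000.0000.0000":
        return []
    return [f"target MAC {d.tmac} should be all zeroes"]

def classify(d: DaiDeny, bindings: Dict[str, str]) -> str:
    """'suppress' a probe that asks about the IP bound to the probing MAC
    (the harmless but noisy case in the post); anything else stays 'alert'."""
    if is_arp_probe(d) and bindings.get(d.smac) == d.tip:
        return "suppress"
    return "alert"

# Binding from the ARP ACL in the post, and the log line the post quotes.
BINDINGS = {"0011.2233.4455": "172.16.0.10"}
SAMPLE = "Aug 2 17:54:58.148 EDT: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Gi0/10, vlan 99.([0011.2233.4455/0.0.0.0/ffff.ffff.ffff/172.16.0.10"
```

Run the syslog feed through `parse_dai_deny` and `classify` before it reaches the mailer; a probe from a known MAC for an IP it is not bound to still produces an alert.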
08-02-2012 03:33 PM
Hello,
I am not sure if this logging can be stopped. However, the logging message actually tells you about an invalidly formatted ARP Request whose contents are as follows:
If this is an ARP Probe then it violates RFC 5227 in at least two aspects:
What is the operating system of the station that emits these probes? Can it perhaps be reconfigured to stop sending them?
Best regards,
Peter
08-02-2012 09:29 PM
It is an Infoblox DNS appliance. I knew that it shouldn't send probes periodically, but I overlooked the target MAC address. There doesn't appear to be a way to change this behavior. It might have something to do with the way they implement HA (even though we're not using that feature). I was hoping to find a way around this through the DAI logging options, but I guess I'll have to put in a ticket with the vendor. Thanks for your help.