DAI - Ignore ARP Probes?

rsjordan00
Beginner

We are running DAI on our access switches. All clients get static IPs so we use ACLs to define the MAC-to-IP bindings. Here is a snippet of the config:

! enable DAI on the VLAN
ip arp inspection vlan 99
!
! static MAC-to-IP bindings for VLAN 99
arp access-list vlan99arp
 permit ip host 172.16.0.10 mac host 0011.2233.4455
!
! apply the ARP ACL; "static" means no fallback to the DHCP snooping binding table
ip arp inspection filter vlan99arp vlan 99 static

The one issue I have is when hosts send out ARP probes. In most cases, this only happens when a host is rebooted or the network settings are changed. But we have a host that sends ARP probes every minute. Each time, a log message is sent to our syslog server, which sends an email. This is filling up my mailbox with unnecessary messages.

Is there a way to configure DAI to ignore ARP probes? It looks like you can configure DAI to explicitly log ARP probes with "logging arp-probe" but I want it to ignore these. Here is an example of what gets logged every minute:

Aug  2 17:54:58.148 EDT: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Gi0/10, vlan 99.([0011.2233.4455/0.0.0.0/ffff.ffff.ffff/172.16.0.10

1 ACCEPTED SOLUTION

Peter Paluch
Hall of Fame Cisco Employee

Hello,

I am not sure if this logging can be stopped. However, the logging message actually tells you about an invalidly formatted ARP Request whose contents are as follows:

  • Source MAC: 0011.2233.4455 (acceptable)
  • Source IP: 0.0.0.0 (acceptable)
  • Target MAC: ffff.ffff.ffff (unacceptable)
  • Target IP: 172.16.0.10 (acceptable)

If this is an ARP Probe then it violates RFC 5227 in at least two aspects:

  • The Target MAC should be set to all-zero (Section 2.1.1)
  • The host must not perform this check periodically (Section 2.1)

What is the operating system of the station that emits these probes? Can it perhaps be reconfigured to stop sending them?

Best regards,

Peter

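The decoding Peter does by hand above (pull the four ARP fields out of the %SW_DAI-4-ACL_DENY line, check them against the RFC 5227 probe format, decide whether the event is worth an email) is what the syslog-to-email relay could do itself. The script below is an added example, not code from the thread or from Cisco; it parses the log line quoted in the question, classifies the denied request, and applies an alerting policy that suppresses only a probe-shaped request from a statically bound MAC, on its expected port, probing for its own bound IP. The MAC/IP pair comes from the question's ARP ACL; tying it to Gi0/10 (the port in the logged line) is an assumption added here, and every sample line except the first is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches the %SW_DAI-4-ACL_DENY line quoted in the question. The bracketed
# fields are sender MAC / sender IP / target MAC / target IP; the pattern stops
# at the target IP, so whatever the switch appends after it is ignored and the
# truncated line from the thread still parses.
DAI_DENY_RE = re.compile(
    r"%SW_DAI-4-ACL_DENY: (?P<count>\d+) Invalid ARPs \((?P<op>\w+)\) on "
    r"(?P<port>\S+), vlan (?P<vlan>\d+)\.\(\["
    r"(?P<smac>[0-9a-f.]+)/(?P<sip>[0-9.]+)/(?P<tmac>[0-9a-f.]+)/(?P<tip>[0-9.]+)"
)

@dataclass(frozen=True)
class DaiDeny:
    op: str     # "Req" for an ARP request, as in the logged line
    port: str
    vlan: int
    smac: str   # sender hardware address
    sip: str    # sender protocol address
    tmac: str   # target hardware address
    tip: str    # target protocol address

def parse_dai_deny(line: str) -> Optional[DaiDeny]:
    m = DAI_DENY_RE.search(line)
    if m is None:
        return None
    return DaiDeny(m["op"], m["port"], int(m["vlan"]),
                   m["smac"], m["sip"], m["tmac"], m["tip"])

ZERO_MAC = "0000.0000.0000"
BCAST_MAC = "ffff.ffff.ffff"

def classify(d: DaiDeny) -> str:
    """Check the request against the probe format of RFC 5227 section 2.1.1
    (sender IP 0.0.0.0, target MAC all zeros).
      "probe"             well-formed probe
      "probe-bcast-tmac"  sender IP 0.0.0.0 but target MAC ff:ff:ff:ff:ff:ff
                          (the case in the thread)
      "other"             a reply, or a request that asserts a real sender IP
    """
    if d.op != "Req" or d.sip != "0.0.0.0":
        return "other"
    if d.tmac == ZERO_MAC:
        return "probe"
    if d.tmac == BCAST_MAC:
        return "probe-bcast-tmac"
    return "other"

# Static bindings keyed by MAC -> (IP, expected ingress port). The MAC/IP pair
# mirrors the arp access-list in the question; the port is an assumption taken
# from the logged line and makes the suppression stricter than the ACL itself.
STATIC_BINDINGS = {"0011.2233.4455": ("172.16.0.10", "Gi0/10")}

def should_alert(d: DaiDeny) -> bool:
    """Email policy for the relay. Suppress only a probe-shaped request (sender
    IP 0.0.0.0, so it cannot update anyone's ARP cache) from a bound MAC, on its
    bound port, probing for its own bound IP. Everything else still alerts: a
    foreign MAC probing for a bound address, a bound MAC seen on another port,
    or a request that asserts a sender IP the ACL rejected."""
    if classify(d) == "other":
        return True
    return STATIC_BINDINGS.get(d.smac) != (d.tip, d.port)

@dataclass(frozen=True)
class Verdict:
    port: str
    smac: str
    kind: str
    alert: bool

def triage(lines: List[str]) -> List[Verdict]:
    verdicts = []
    for line in lines:
        d = parse_dai_deny(line)
        if d is None:   # not a DAI ACL-deny line; leave it to other rules
            continue
        verdicts.append(Verdict(d.port, d.smac, classify(d), should_alert(d)))
    return verdicts

# Constructed sample log: the first line is the one quoted in the question, the
# rest are made up here in the same shape to exercise the other branches.
SAMPLE_LOG = [
    "Aug  2 17:54:58.148 EDT: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Gi0/10, vlan 99.([0011.2233.4455/0.0.0.0/ffff.ffff.ffff/172.16.0.10",
    "Aug  2 17:55:58.150 EDT: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Gi0/10, vlan 99.([0011.2233.4455/0.0.0.0/0000.0000.0000/172.16.0.10",
    "Aug  2 17:56:01.002 EDT: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Gi0/11, vlan 99.([0011.2233.4466/0.0.0.0/0000.0000.0000/172.16.0.10",
    "Aug  2 17:56:05.310 EDT: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Gi0/11, vlan 99.([0011.2233.4466/172.16.0.10/ffff.ffff.ffff/172.16.0.1",
    "Aug  2 17:56:09.777 EDT: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Gi0/12, vlan 99.([0011.2233.4455/0.0.0.0/0000.0000.0000/172.16.0.10",
    "Aug  2 17:56:10.000 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet0/12, changed state to up",
]

if __name__ == "__main__":
    for v in triage(SAMPLE_LOG):
        print(f"{v.port:7} {v.smac}  {v.kind:17} alert={v.alert}")
```

Only the two probe-shaped lines from the bound MAC on its own port are silenced; a different MAC probing for 172.16.0.10, the bound MAC turning up on Gi0/12, and a request asserting 172.16.0.10 from a foreign MAC (the classic spoof DAI exists to catch) all still page out. Note this filters the email, not the switch: DAI keeps dropping and logging the malformed probes, so the raw syslog record is unchanged if you need it later.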
2 REPLIES

It is an Infoblox DNS appliance. I knew that it shouldn't send probes periodically, but I overlooked the target MAC address. There doesn't appear to be a way to change this behavior. It might have something to do with the way they implement HA (even though we're not using that feature). I was hoping to find a way around this through the DAI logging options, but I guess I'll have to put in a ticket with the vendor. Thanks for your help.
