08-02-2012 02:57 PM - edited 03-07-2019 08:07 AM
We are running DAI on our access switches. All clients get static IPs so we use ACLs to define the MAC-to-IP bindings. Here is a snippet of the config:
ip arp inspection vlan 99
ip arp inspection filter vlan99arp vlan 99 static
arp access-list vlan99arp
permit ip host 172.16.0.10 mac host 0011.2233.4455
The one issue I have is when hosts send out ARP probes. In most cases, this only happens when a host is rebooted or the network settings are changed. But we have a host that sends ARP probes every minute. Each time, a log message is sent to our syslog server, which sends an email. This is filling up my mailbox with unnecessary messages.
Is there a way to configure DAI to ignore ARP probes? It looks like you can configure DAI to explicitly log ARP probes with "logging arp-probe" but I want it to ignore these. Here is an example of what gets logged every minute:
Aug 2 17:54:58.148 EDT: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Gi0/10, vlan 99.([0011.2233.4455/0.0.0.0/ffff.ffff.ffff/172.16.0.10
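Since the switch side of this question stayed unanswered, here is a syslog-side filter, added as an example (not from the original post or from Cisco): it parses %SW_DAI-4-ACL_DENY lines, recognises an RFC 5227 ARP probe (sender IP 0.0.0.0), and suppresses the email only when the probed address and the probing MAC match a static binding from the arp access-list. Anything else, including a host claiming an address that is bound to a different MAC, still alerts. The bracketed field order [sender MAC/sender IP/target MAC/target IP/timestamp] follows Cisco's documented DAI log format; the sample lines, their timestamps and the second and third MAC/IP pairs are constructed for the example, and STATIC_BINDINGS is a hypothetical stand-in for parsing your own running-config.

```python
import re
from collections import Counter

# Cisco DAI ACL-deny syslog line. Cisco documents the bracketed tuple as
# [sender MAC/sender IP/target MAC/target IP/timestamp]. The pattern stops
# after the target IP, so it also matches the truncated line quoted above.
DAI_DENY_RE = re.compile(
    r"%SW_DAI-4-ACL_DENY: (?P<count>\d+) Invalid ARPs \((?P<op>Req|Res)\) on "
    r"(?P<port>\S+), vlan (?P<vlan>\d+)\.\(\["
    r"(?P<smac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})/(?P<sip>[\d.]+)/"
    r"(?P<tmac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})/(?P<tip>[\d.]+)",
    re.IGNORECASE,
)

# Static IP-to-MAC bindings, i.e. the 'permit ip host ... mac host ...' entries
# of the arp access-list. Hypothetical: load these from your own config.
STATIC_BINDINGS = {"172.16.0.10": "0011.2233.4455"}

# Constructed sample lines (timestamps and the aaaa.bbbb.cccc / 172.16.0.20
# values are made up for the example).
SAMPLE_LINES = [
    # The per-minute probe from the thread: known host probing its own address.
    "Aug  2 17:54:58.148 EDT: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Gi0/10, "
    "vlan 99.([0011.2233.4455/0.0.0.0/ffff.ffff.ffff/172.16.0.10/17:54:58 EDT Thu Aug 2 2012])",
    # A different MAC claiming the address bound to 0011.2233.4455.
    "Aug  2 17:55:03.201 EDT: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Gi0/11, "
    "vlan 99.([aaaa.bbbb.cccc/172.16.0.10/0000.0000.0000/172.16.0.1/17:55:03 EDT Thu Aug 2 2012])",
    # The known MAC probing for an address it is not bound to.
    "Aug  2 17:55:10.010 EDT: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Gi0/10, "
    "vlan 99.([0011.2233.4455/0.0.0.0/0000.0000.0000/172.16.0.20/17:55:10 EDT Thu Aug 2 2012])",
]


def parse_dai_deny(line):
    """Return the fields of a DAI ACL-deny line as a dict, or None if not one."""
    m = DAI_DENY_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["count"] = int(entry["count"])
    entry["vlan"] = int(entry["vlan"])
    entry["smac"] = entry["smac"].lower()
    entry["tmac"] = entry["tmac"].lower()
    return entry


def classify(entry, bindings=STATIC_BINDINGS):
    """Label a denied ARP: probe-known-host, probe-unknown-host, spoof or other."""
    if entry["op"] == "Req" and entry["sip"] == "0.0.0.0":
        # RFC 5227 ARP probe: sender IP is all zeros and the target IP is the
        # address being probed. DAI denies it because 0.0.0.0 is not in the ACL.
        if bindings.get(entry["tip"]) == entry["smac"]:
            return "probe-known-host"
        return "probe-unknown-host"
    bound = bindings.get(entry["sip"])
    if bound is not None and bound != entry["smac"]:
        return "spoof"  # the claimed sender IP is bound to another MAC
    return "other"


def should_alert(line, bindings=STATIC_BINDINGS):
    """True unless the line is a probe from a host for its own bound address."""
    entry = parse_dai_deny(line)
    if entry is None:
        return True  # not a DAI deny; leave it to the normal pipeline
    return classify(entry, bindings) != "probe-known-host"


def summarize(lines, bindings=STATIC_BINDINGS):
    """Count DAI deny lines per class, e.g. for a daily digest instead of per-line mail."""
    counts = Counter()
    for line in lines:
        entry = parse_dai_deny(line)
        if entry is not None:
            counts[classify(entry, bindings)] += entry["count"]
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(should_alert(line), classify(parse_dai_deny(line)))
    print(summarize(SAMPLE_LINES))
```

Note that this only quiets the mail pipeline; DAI on the switch keeps dropping the probe, which is harmless for a host with a static address because nothing depends on the probe being forwarded. Keeping the per-class counts in a digest preserves the evidence that the host is still probing every minute, and the spoof and probe-unknown-host classes still page immediately.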
08-02-2012 03:33 PM
Hello,
I am not sure if this logging can be stopped. However, the logging message actually tells you about an invalidly formatted ARP Request whose contents are as follows:
If this is an ARP Probe then it violates RFC 5227 in at least two aspects:
What is the operating system of the station that emits these probes? Can it perhaps be reconfigured to stop sending them?
Best regards,
Peter
08-02-2012 09:29 PM
It is an Infoblox DNS appliance. I knew that it shouldn't send probes periodically, but I overlooked the target MAC address. There doesn't appear to be a way to change this behavior. It might have something to do with the way they implement HA (even though we're not using that feature). I was hoping to find a way around this through the DAI logging options, but I guess I'll have to put in a ticket with the vendor. Thanks for your help.