
Devices that ARP reply to themselves?

lpassmore
Level 1

Hi Gurus, 

This should be easy for somebody I hope. I have implemented ARP inspection and am getting some printers that seem to be sending ARP replies to themselves.  It doesn't stop them from working but does create annoying log messages.  Any idea why they do this?

 %SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Res) on Gi6/15, vlan 85.([0026.5516.835c/10.82.3.240/0026.5516.835c/10.82.3.240/09:41:00 Wed Feb 22 2017])

I think it is happening when they are in sleep mode so maybe it is just a mechanism to stop the switch port from losing the MAC address info or something. But I am curious to know if anybody knows for certain.


Ta

LP


Philip D'Ath
VIP Alumni

Devices will often ARP for themselves to make sure no one else is using their IP address.

ahakels
Level 1

You can do the following:

1. Create a "printer-only VLAN" so that the broadcasts would be contained.

2. Look at each printer and turn off any unused protocols (IPX, AppleTalk, etc.).

3. Update printer firmware and see if the ARP cache retention can be adjusted.

4. Set printers to use a static IP.

5. Try to remove all the SNMP protocols that are unused.

lpassmore
Level 1

Thank you both for your prompt replies.  I will try some of the ideas from ahakels.

I do understand that devices send ARP requests to find if their IP address is being used, and this is what the printer is probably doing. This packet would have been sent successfully and would have put its own IP in the source and destination, its own MAC in the source, but would have broadcast MAC in the destination.  By rights it should never see this request packet back (basic switch loop protection - and no, we don't have a loop). So the questions I have really are:

a) why it would send a reply to itself?

b) why it would receive the ARP request in the first place in order to reply to it?

c) why, if it was a deliberate unsolicited ARP reply for some legitimate purpose, the packet would only contain its own MAC address thus ensuring it was the only device that would ever see the packet anyway (which it wouldn't because the switch shouldn't send it back).

This is probably not the right forum for this anyway but I was hoping to see if anybody else had seen this occur and maybe had any insight.

a) why it would send a reply to itself?

ANS) Well, it's more of a keep-alive/security mechanism for the printer.

b) why it would receive the ARP request in the first place in order to reply to it?

ANS) I would assume that the printer communications are going over TCP, which means that the printer's interface needs to inform the remote PC that it received all of the packets and nothing needs to be resent... An ARP request is a broadcast by nature - it has to contact all devices on the subnet because it needs to send via MAC address and it only knows the IP address. I would update printer firmware and see if the ARP cache retention can be adjusted. If you renew DHCP leases on hosts often (e.g. 1 day instead of 1 week or 1 month) then the ARP entries would be stale fast anyways.

c) why, if it was a deliberate unsolicited ARP reply for some legitimate purpose, the packet would only contain its own MAC address thus ensuring it was the only device that would ever see the packet anyway (which it wouldn't because the switch shouldn't send it back).

ANS) It is possible that the printer will send out these packets when the printer software needs to do so to maintain network discovery or connectivity.

Please refer to the following links:

https://supportforums.cisco.com/discussion/10543291/cutting-down-broadcasts-printers

http://networkengineering.stackexchange.com/questions/17087/dynamic-arp-inspection-ports-err-disable-with-sw-dai-4-packet-rate-exceeded

Thanks again.  I'm not sure it has answered the question really but thanks for trying anyway.  I guess you are sort of confirming what I thought anyway that the packet is some sort of network keepalive.  Maybe to keep the switch MAC table populated or to keep the interface alive in case the switch port gets deactivated because of lack of use. 

Cheers

LP
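
The log message in the original question can be triaged mechanically. The following is an added example, not part of any post in this thread: it parses `%SW_DAI-4-*` lines, reading the bracketed fields as sender MAC / sender IP / target MAC / target IP / timestamp, and separates self-addressed packets like the printer's from other denied ARPs on the same switch. Only the first sample line comes from the thread; the other lines and the function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Bracketed fields, in order: sender MAC / sender IP / target MAC / target IP / time
DAI_RE = re.compile(
    r"%SW_DAI-4-(?P<reason>\w+): (?P<count>\d+) Invalid ARPs \((?P<op>Req|Res)\) "
    r"on (?P<port>\S+), vlan (?P<vlan>\d+)\.\(\[(?P<smac>[0-9a-fA-F.]+)/(?P<sip>[\d.]+)/"
    r"(?P<tmac>[0-9a-fA-F.]+)/(?P<tip>[\d.]+)/(?P<time>[^\]]+)\]\)"
)

def parse_dai(line):
    """Return the fields of one DAI log line as a dict, or None if it is not one."""
    m = DAI_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["count"], ev["vlan"] = int(ev["count"]), int(ev["vlan"])
    ev["smac"], ev["tmac"] = ev["smac"].lower(), ev["tmac"].lower()
    return ev

def classify(ev):
    """Label a denied ARP packet by how its sender and target fields relate."""
    if ev["sip"] == ev["tip"] and ev["smac"] == ev["tmac"]:
        return "self-addressed"  # the pattern in the thread: sender and target identical
    if ev["sip"] == ev["tip"]:
        return "gratuitous"      # sender announces its own IP, target MAC differs
    return "directed"            # sender and target are different hosts

def summarize(lines):
    """Count denied packets per (port, vlan, sender MAC, sender IP) and per label."""
    table = defaultdict(Counter)
    for line in lines:
        ev = parse_dai(line)
        if ev:
            key = (ev["port"], ev["vlan"], ev["smac"], ev["sip"])
            table[key][classify(ev)] += ev["count"]
    return dict(table)

# First line is the message quoted in the thread; the remaining lines are constructed.
SAMPLE = [
    "%SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Res) on Gi6/15, vlan 85.([0026.5516.835c/10.82.3.240/0026.5516.835c/10.82.3.240/09:41:00 Wed Feb 22 2017])",
    "%SW_DAI-4-INVALID_ARP: 2 Invalid ARPs (Res) on Gi6/15, vlan 85.([0026.5516.835c/10.82.3.240/0026.5516.835c/10.82.3.240/09:46:00 Wed Feb 22 2017])",
    "%SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Res) on Gi6/20, vlan 85.([0000.5e00.5301/10.82.3.50/0000.5e00.5302/10.82.3.1/09:47:10 Wed Feb 22 2017])",
    "%LINK-3-UPDOWN: Interface Gi6/15, changed state to up",
]

if __name__ == "__main__":
    for key, kinds in summarize(SAMPLE).items():
        print(key, dict(kinds))
```

Entries labelled `directed` or `gratuitous` are the ones to review against the DHCP snooping bindings or ARP ACLs; a port that only ever produces `self-addressed` entries matches the printer behaviour described in the thread.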
