Invalid ARP

eXPlosion
Level 1

Hi,

In the attachment there are logs from our switch. Interface g0/1 on the switch is connected to our client's router, and its IP address is xxx.xxx.72.32 and default gateway xxx.xxx.72.254.

Can anyone explain what happens here? According to the logs, for example:

Invalid ARPs (Req) on Gi0/1, vlan 12.([0012.0040.ab7f/xxx.xxx.72.254/0000.0000.0000/xxx.xxx.72.146/12:05:28

0012.0040.ab7f is the MAC address of the ARP sender, xxx.xxx.72.254 the IP of the ARP sender, IP of default gateway xxx.xxx.72.146.

Is the router with the gateway address scanning the network? What actions should be taken?

Accepted Solution

Ashok Kumar
Cisco Employee

Hi, 

In the logs, we are getting the below notification:

 %SW_DAI-4-DHCP_SNOOPING_DENY:

which simply means you have configured DHCP snooping on the device and the ARP reply is not matching what is in the DHCP snooping database.

DHCP Snooping database contains:

[1] Interface no.

[2] VLAN id

[3] MAC Address

[4] IP Address

You can check the below:

[1] If the DHCP server is configured on the device itself, compare the DHCP snooping database with the ARP table.

[2] Since it's a security precaution, make sure the new data retrieved by ARP is legitimate.

 


- Ashok

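As an added triage example (not code from the thread or from Cisco), a small Python parser for the log line format shown above. It assumes the bracketed fields are sender MAC / sender IP / target MAC / target IP / timestamp, and checks the sender MAC/IP pair against a constructed DHCP snooping binding table, which is the comparison the accepted answer describes; the sample lines, addresses and bindings are made-up documentation values.

```python
import re
from typing import Dict, List, Optional, Tuple

# Bracketed fields, in the order this thread's lines show them (assumed):
# sender MAC / sender IP / target MAC / target IP / timestamp.
# Req = ARP request, Res = ARP reply; iface = untrusted ingress port.
DAI_RE = re.compile(
    r"Invalid ARPs \((?P<kind>Req|Res)\) on (?P<iface>\S+), vlan (?P<vlan>\d+)\."
    r"\(\[(?P<sender_mac>[\w.]+)/(?P<sender_ip>[^/]+)/"
    r"(?P<target_mac>[\w.]+)/(?P<target_ip>[^/]+)/(?P<ts>[^\]]*)")

def parse_dai_deny(line: str) -> Optional[Dict[str, str]]:
    """Parse one %SW_DAI-4-DHCP_SNOOPING_DENY line into its fields; None if not one."""
    m = DAI_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sender_mac"], d["target_mac"] = d["sender_mac"].lower(), d["target_mac"].lower()
    d["ts"] = d["ts"].strip()
    return d

Bindings = Dict[Tuple[int, str], Tuple[str, str]]  # (vlan, ip) -> (mac, port)

def triage(d: Dict[str, str], bindings: Bindings, gateway_ip: str) -> str:
    """DAI checks the SENDER MAC/IP pair against the bindings; say why it failed."""
    bound = bindings.get((int(d["vlan"]), d["sender_ip"]))
    if bound is None and d["sender_ip"] == gateway_ip:
        return "sender claims gateway IP, no binding: static router; trust the uplink or add an ARP ACL"
    if bound is None:
        return "no snooping binding for sender IP: static host or lease not seen by snooping"
    mac, port = bound
    if mac != d["sender_mac"]:
        return f"IP bound to {mac} on {port} but ARP came from {d['sender_mac']}: possible spoof"
    return "sender pair matches current binding: binding may have changed since the drop"

# Constructed sample lines (documentation addresses), shaped like the thread's.
SAMPLE_LOGS = [
    "%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi0/1, vlan 12."
    "([0012.0040.ab7f/192.0.2.254/0000.0000.0000/192.0.2.146/12:05:28 UTC Mon Jun 1 2015])",
    "%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/24, vlan 196."
    "([0016.1111.2222/198.51.100.3/000c.3333.4444/255.255.255.255/12:49:01 EEST Wed Jun 10 2015])",
]
SAMPLE_BINDINGS: Bindings = {(196, "198.51.100.3"): ("0016.aaaa.bbbb", "Fa0/24")}

def triage_lines(lines: List[str], bindings: Bindings = SAMPLE_BINDINGS,
                 gateway_ip: str = "192.0.2.254") -> List[str]:
    """Triage verdict for each recognised DAI deny line, in input order."""
    return [triage(d, bindings, gateway_ip) for d in map(parse_dai_deny, lines) if d]
```

The real binding table comes from `show ip dhcp snooping binding` on the switch; the request in the first sample is denied because the router's gateway address has no DHCP lease, not because of the target fields.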

10 Replies


Yes, but is this some kind of scan or attack going on in the network? How did the gateway address become the source address xxx.xxx.72.254?

Yeah!

There's a fair possibility of this. As you said, nobody else is facing any issue pertaining to network performance, etc. So, basically, we may take out situations of network instability which might have caused this, e.g. STP loops/re-convergence, IGP instability/loops, etc.


- Ashok


But switch interface g0/1 is connected to a router, which by default should not forward ARP messages from LAN interfaces. Only its WAN interface should ARP for the gateway.

Hi,

I didn't get the idea of the exact topology, but it's the router/L3-capable device which does the ARP request; the switch, being an L2 device, relays/broadcasts those requests, then whoever has the questioned IP address in the ARP request unicasts to the ARP requester IP.

 


- Ashok


Topology is simple:

Our (ISP) switch --- Client's router --- many clients' PCs

g0/1 on the switch is receiving the messages you saw in the log file.

According to the logs, "(Req) on Gi0/1", does it mean that the request packet came in on the interface on ingress, or can it also be egress? Can it be that someone is sending those ARPs to our client (g0/1 egress)?

eXPlosion
Level 1

Nobody experienced similar issue with ARP?

eXPlosion
Level 1

 Invalid ARPs (Res) on Fa0/24, vlan 196.([0016.xxxx.xxxx/xx.xx.51.3/000c.xxxx.xxxx/255.255.255.255/12:49:01 EEST Wed Jun 10 2015])

Could this mean that the ARP response came in on untrusted port 24, or is it only invalid addresses in an ARP message that is sent to port fa0/24?

eXPlosion
Level 1

It's an old topic and I don't work there anymore, but the question still remains:

Invalid ARPs (Res) on Fa0/24, vlan 196.([0016.xxxx.xxxx/xx.xx.51.3/000c.xxxx.xxxx/255.255.255.255/12:49:01 EEST Wed Jun 10 2015])

Is this entry generated only when an invalid ARP is received in the ingress direction (Fa0/24), or can it be created by an egress invalid ARP as well (Fa0/24)?
