03-28-2015 03:40 AM - edited 03-07-2019 11:17 PM
Hi,
In the attachment there are logs from our switch. Interface g0/1 on the switch is connected to our client's router, and his IP address is xxx.xxx.72.32 and default gateway xxx.xxx.72.254.
Can anyone explain what happens here? According to the logs, for example:
Invalid ARPs (Req) on Gi0/1, vlan 12.([0012.0040.ab7f/xxx.xxx.72.254/0000.0000.0000/xxx.xxx.72.146/12:05:28
0012.0040.ab7f is the MAC address of the ARP sender, xxx.xxx.72.254 the IP of the ARP sender, IP of default gateway xxx.xxx.72.146.
Is the router with the gateway address scanning the network? What actions should be taken?
03-28-2015 07:07 AM
Hi,
In the logs, we are getting below notifications:
%SW_DAI-4-DHCP_SNOOPING_DENY:
which simply means you have configured DHCP snooping on the device and the ARP reply is not matching what is in the DHCP snooping database.
DHCP Snooping database contains:
[1] Interface no.
[2] VLAN id
[3] MAC Address
[4] IP Address
You can check the below:
[1] If the DHCP server is configured on the device itself, compare the DHCP snooping database with the ARP table
[2] Since it's a security precaution, make sure the new data retrieved by ARP is legitimate
- Ashok
************************************************************************************************************
Please rate the useful post or mark as correct answer as it will help others looking for similar information
************************************************************************************************************
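The answer above describes the check behind %SW_DAI-4-DHCP_SNOOPING_DENY: the sender MAC/IP pair in the ARP packet is compared against the DHCP snooping binding table. The following Python script is an added example (not code from the thread or from Cisco) that parses the `Invalid ARPs (...)` message bodies quoted in this thread into their fields (sender MAC / sender IP / target MAC / target IP / time), repeats that binding comparison offline, and additionally flags the two patterns the poster asked about: a packet claiming the gateway IP from a MAC other than the gateway's, and a reply addressed to a zero target MAC or the broadcast IP 255.255.255.255. The binding table, the gateway MAC and the sample log lines are all constructed for the example (192.0.2.0/24 documentation addresses); on a real switch the bindings would come from `show ip dhcp snooping binding`.

```python
import re

# Regex for the body of a %SW_DAI-4-DHCP_SNOOPING_DENY message as quoted in the thread:
#   Invalid ARPs (Req) on Gi0/1, vlan 12.([<sender MAC>/<sender IP>/<target MAC>/<target IP>/<time>])
# The trailing timestamp and "])" are optional because the first line quoted in the thread is cut off.
MAC = r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"
DAI_LINE = re.compile(
    r"Invalid ARPs \((?P<op>Req|Res)\) on (?P<intf>\S+), vlan (?P<vlan>\d+)\."
    rf"\(\[(?P<smac>{MAC})/(?P<sip>[\d.]+)/(?P<tmac>{MAC})/(?P<tip>[\d.]+)"
    r"(?:/(?P<time>[^\]]*))?(?:\]\))?"
)

# Constructed DHCP snooping binding table (not from the thread): (vlan, ip) -> mac.
BINDINGS = {
    (12, "192.0.2.146"): "0011.2233.4455",
    (12, "192.0.2.32"): "0011.2233.aabb",
}
# Constructed gateway list: the MAC each gateway IP is expected to answer from.
GATEWAYS = {(12, "192.0.2.254"): "00aa.bbcc.dd01"}

# Constructed sample syslog lines in the same shape as the ones quoted in the thread.
SAMPLE_LOG = [
    "Mar 28 12:05:28: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi0/1, vlan 12."
    "([0012.0040.ab7f/192.0.2.254/0000.0000.0000/192.0.2.146/12:05:28 EET Sat Mar 28 2015])",
    "Jun 10 12:49:01: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/24, vlan 12."
    "([0016.1111.2222/192.0.2.3/000c.3333.4444/255.255.255.255/12:49:01 EEST Wed Jun 10 2015])",
    # Truncated line, like the first one in the thread: a legitimate-looking request.
    "Mar 28 12:06:00: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi0/1, vlan 12."
    "([0011.2233.4455/192.0.2.146/0000.0000.0000/192.0.2.254/12:06:00",
]


def parse(line):
    """Return the ARP fields of one DAI deny message as a dict, or None if the line is not one."""
    m = DAI_LINE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["vlan"] = int(d["vlan"])
    d["smac"] = d["smac"].lower()
    d["tmac"] = d["tmac"].lower()
    return d


def findings(arp, bindings=BINDINGS, gateways=GATEWAYS):
    """List why this ARP packet is suspicious; an empty list means the sender pair is consistent."""
    out = []
    key = (arp["vlan"], arp["sip"])
    # 1. The check DAI itself performs: the sender IP/MAC pair must match a snooping binding.
    bound = bindings.get(key)
    if bound is None:
        out.append("sender-ip-not-in-snooping-db")
    elif bound != arp["smac"]:
        out.append("sender-mac-mismatch")
    # 2. The poster's worry: a packet using the gateway IP from a MAC other than the gateway's.
    gw_mac = gateways.get(key)
    if gw_mac is not None and gw_mac != arp["smac"]:
        out.append("gateway-ip-claimed-by-other-mac")
    # 3. Shape checks on the target side, like the broadcast target IP in the later log line.
    #    A zero target MAC is normal in a request, but not in a reply.
    if arp["op"] == "Res" and arp["tmac"] == "0000.0000.0000":
        out.append("reply-with-zero-target-mac")
    if arp["tip"] == "255.255.255.255":
        out.append("broadcast-target-ip")
    return out


def analyze(lines, bindings=BINDINGS, gateways=GATEWAYS):
    """Parse every DAI deny line and return (interface, vlan, op, findings) tuples."""
    results = []
    for line in lines:
        arp = parse(line)
        if arp:
            results.append((arp["intf"], arp["vlan"], arp["op"], findings(arp, bindings, gateways)))
    return results


if __name__ == "__main__":
    for intf, vlan, op, why in analyze(SAMPLE_LOG):
        print(f"{intf} vlan {vlan} {op}: {', '.join(why) or 'consistent with bindings'}")
```

The interface named in the message is the one the switch received the packet on: DAI validates ARP packets arriving on untrusted ports, so the check is an ingress check. Note that a gateway with a static address has no DHCP binding, so its own ARP traffic fails check 1 as well; on Cisco switches the usual remedies are to make the router-facing port a DAI trusted port or to permit that host with an ARP access-list, which is why the first and third findings should be read together rather than as independent alarms.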
03-28-2015 07:30 AM
Yes, but is this some kind of scan or attack going on in the network? How did the gateway address xxx.xxx.72.254 become the source address?
03-28-2015 07:36 AM
Yeah!
There's a fair possibility of this; as you said, nobody else is facing any issue pertaining to network performance etc. So, basically, we may rule out situations of network instability which might have caused this, e.g. STP loops/re-convergence, IGP instability/loops etc.
- Ashok
03-28-2015 08:45 AM
But switch interface g0/1 is connected to the router, which by default should not forward ARP messages from LAN interfaces. Only its WAN interface should ARP for the gateway.
03-28-2015 09:17 AM
Hi
I didn't get the idea of the exact topology, but it's the router/L3-capable device which does the ARP request; the switch, being an L2 device, relays/broadcasts those requests, then whoever has the questioned IP address in the ARP request unicasts to the ARP requester IP.
- Ashok
03-28-2015 11:28 PM
Topology is simple:
Our (ISP) switch --- client's router --- many client PCs
g0/1 on the switch is receiving the messages you saw in the log file
04-10-2015 02:07 AM
According to the logs, "(Req) on Gi0/1", does it mean that the request packet came in on the interface on ingress, or can it also be egress? Can it be that someone is sending those ARPs to our client (g0/1 egress)?
04-23-2015 07:20 AM
Has nobody experienced a similar issue with ARP?
06-10-2015 03:08 AM
Invalid ARPs (Res) on Fa0/24, vlan 196.([0016.xxxx.xxxx/xx.xx.51.3/000c.xxxx.xxxx/255.255.255.255/12:49:01 EEST Wed Jun 10 2015])
Could this mean that the ARP response came in on untrusted port 24, or is it only invalid addresses in the ARP message that is sent to the fa0/24 port?
10-02-2024 03:13 AM - edited 10-02-2024 03:33 AM
It's an old topic and I don't work there anymore, but the question still remains:
Invalid ARPs (Res) on Fa0/24, vlan 196.([0016.xxxx.xxxx/xx.xx.51.3/000c.xxxx.xxxx/255.255.255.255/12:49:01 EEST Wed Jun 10 2015])
Is this entry generated only when an invalid ARP is received in the ingress direction (Fa0/24), or can it be created by an egress invalid ARP as well (Fa0/24)?