03-28-2015 03:40 AM - edited 03-07-2019 11:17 PM
Hi,
In the attachment there are logs from our switch. Interface g0/1 on the switch is connected to our client's router; its IP address is xxx.xxx.72.32 and the default gateway is xxx.xxx.72.254.
Can anyone explain what happens here? According to the logs, for example:
Invalid ARPs (Req) on Gi0/1, vlan 12.([0012.0040.ab7f/xxx.xxx.72.254/0000.0000.0000/xxx.xxx.72.146/12:05:28
0012.0040.ab7f is the MAC address of the ARP sender, xxx.xxx.72.254 the IP of the ARP sender, IP of default gateway xxx.xxx.72.146.
Is the router with the gateway address scanning the network? What actions should be taken?
Labels: Other Switching
Accepted Solutions

03-28-2015 07:07 AM
Hi,
In the logs, we are getting the below notification:
%SW_DAI-4-DHCP_SNOOPING_DENY:
which simply means you have configured DHCP snooping on the device and the ARP reply does not match what is in the DHCP snooping database.
DHCP Snooping database contains:
[1] Interface no.
[2] VLAN id
[3] MAC Address
[4] IP Address
You can check the below:
[1] If the DHCP server is configured on the device itself, compare the DHCP snooping database with the ARP table
[2] Since it's a security precaution, make sure the new data retrieved by ARP is legitimate
- Ashok
************************************************************************************************************
Please rate the useful post or mark as correct answer as it will help others looking for similar information
************************************************************************************************************
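Ashok's answer lists what DAI compares an ARP packet against (interface, VLAN, MAC, IP from the DHCP snooping binding database). The script below is an added example, not code from this thread or from Cisco: it parses the `%SW_DAI-4-DHCP_SNOOPING_DENY` line format shown in the thread (sender MAC / sender IP / target MAC / target IP / timestamp inside the brackets) and applies the same comparison to a few constructed sample lines. One fact that bears on the later questions in the thread: DAI inspects ARP packets as they are received on untrusted ports, so the interface named in the message is the ingress port. The binding table, the gateway MAC, the trusted uplink port and the 192.0.2.0/24 and 198.51.100.0/24 addresses (standing in for the masked xxx.xxx.72.0/24 and xx.xx.51.0/24) are all assumptions made for the example.

```python
"""Triage Cisco IOS %SW_DAI-4-DHCP_SNOOPING_DENY syslog lines against a
DHCP-snooping-style binding table.

Added example, not from the thread. The log lines, binding table, gateway
MAC and trusted port below are constructed; 192.0.2.0/24 and 198.51.100.0/24
stand in for the masked addresses in the original posts.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Field order inside the brackets, as in the thread's log lines:
# sender MAC / sender IP / target MAC / target IP / timestamp
DAI_DENY = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs "
    r"\((?P<kind>Req|Res)\) on (?P<intf>[^,]+), vlan (?P<vlan>\d+)\.\(\["
    r"(?P<smac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})/(?P<sip>[0-9.]+)/"
    r"(?P<tmac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})/(?P<tip>[0-9.]+)/"
    r"(?P<time>[^\]]*)\]\)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ArpEvent:
    kind: str   # "Req" or "Res"
    intf: str   # port the switch received the ARP on (DAI inspects ingress on untrusted ports)
    vlan: int
    smac: str
    sip: str
    tmac: str
    tip: str
    time: str


def parse_dai_line(line: str) -> Optional[ArpEvent]:
    """Return an ArpEvent for a DAI deny line, or None for any other syslog line."""
    m = DAI_DENY.search(line)
    if not m:
        return None
    return ArpEvent(m["kind"], m["intf"], int(m["vlan"]), m["smac"].lower(),
                    m["sip"], m["tmac"].lower(), m["tip"], m["time"].strip())


# Constructed binding table in the shape Ashok describes: (vlan, ip) -> (mac, interface).
# On a real switch this is "show ip dhcp snooping binding" plus any static entries
# or ARP ACLs added by hand for statically addressed hosts such as a customer router.
BINDINGS = {
    (12, "192.0.2.32"): ("0012.0040.ab7f", "Gi0/1"),   # assumed: the customer router
}
# Assumed: the ISP gateway address for VLAN 12 and the MAC it really uses.
GATEWAYS = {(12, "192.0.2.254"): "0011.2233.4455"}
# Assumed: uplink towards the gateway; DAI does not inspect ARP arriving on trusted ports.
TRUSTED = {"Gi0/24"}


def _bogus_ip(ip: str) -> bool:
    # Mirrors the addresses rejected by "ip arp inspection validate ip":
    # 0.0.0.0, 255.255.255.255 and any multicast address.
    if ip in ("0.0.0.0", "255.255.255.255"):
        return True
    try:
        return ipaddress.ip_address(ip).is_multicast
    except ValueError:
        return True


def classify(ev: ArpEvent, bindings=BINDINGS, gateways=GATEWAYS, trusted=TRUSTED) -> str:
    """Explain why DAI would have denied this ARP, using our copy of the bindings."""
    if ev.intf in trusted:
        return "not-inspected"            # a trusted port would never produce this log
    if _bogus_ip(ev.sip):
        return "bogus-sender-ip"          # sender IP is checked in requests and replies
    if ev.kind == "Res" and _bogus_ip(ev.tip):
        return "bogus-target-ip"          # target IP is only checked in replies
    gw_mac = gateways.get((ev.vlan, ev.sip))
    if gw_mac is not None and gw_mac != ev.smac:
        return "gateway-impersonation"    # an access-port host claims the gateway IP
    entry = bindings.get((ev.vlan, ev.sip))
    if entry is None:
        return "no-binding"               # e.g. static host never learned via DHCP snooping
    mac, intf = entry
    if mac != ev.smac:
        return "mac-mismatch"
    if intf != ev.intf:
        return "port-mismatch"
    return "binding-ok"                   # our table agrees; check the switch's own database


def triage(log_text: str):
    """Parse every DAI deny line in a syslog dump and attach a verdict to each."""
    results = []
    for line in log_text.splitlines():
        ev = parse_dai_line(line)
        if ev is None:
            continue                      # some other syslog message
        results.append((ev.intf, ev.vlan, ev.sip, ev.smac, classify(ev)))
    return results


# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
Mar 28 12:05:28.011: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi0/1, vlan 12.([0012.0040.ab7f/192.0.2.254/0000.0000.0000/192.0.2.146/12:05:28 UTC Sat Mar 28 2015])
Mar 28 12:05:30.102: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi0/1, vlan 12.([0012.0040.ab7f/192.0.2.32/0000.0000.0000/192.0.2.254/12:05:30 UTC Sat Mar 28 2015])
Jun 10 12:49:01.500: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/24, vlan 196.([0016.aabb.ccdd/198.51.100.3/000c.1122.3344/255.255.255.255/12:49:01 EEST Wed Jun 10 2015])
%SYS-5-CONFIG_I: Configured from console by admin
"""

if __name__ == "__main__":
    for intf, vlan, sip, smac, verdict in triage(SAMPLE_LOG):
        print(f"{intf} vlan {vlan}: {sip} from {smac} -> {verdict}")
```

The first constructed line reproduces the situation in the original post: the MAC already known as the customer router on Gi0/1 sends an ARP request with the gateway's IP as the sender address, which the script reports as `gateway-impersonation` rather than a simple missing binding. The second line, the same MAC using its own static address, only matches because the router was added to the table by hand; a statically addressed host that was never seen by DHCP snooping will otherwise be denied on every ARP it sends.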
03-28-2015 07:30 AM
Yes, but is this some kind of scan or attack going on in the network? How did the gateway address become the source address xxx.xxx.72.254?

03-28-2015 07:36 AM
Yeah!
There's a fair possibility of this; as you said, nobody else is facing any issue pertaining to network performance etc. So, basically, we may rule out situations of network instability which might have caused this, e.g. STP loops/re-convergence, IGP instability/loops etc.
- Ashok
03-28-2015 08:45 AM
But the switch interface g0/1 is connected to a router, which by default should not forward ARP messages from its LAN interfaces. Only its WAN interface should ARP for the gateway.

03-28-2015 09:17 AM
Hi
I didn't get the idea of the exact topology, but it's the router/L3-capable device which does the ARP request; the switch, being an L2 device, relays/broadcasts those requests, and then whoever has the IP address questioned in the ARP request replies by unicast to the ARP requester's IP.
- Ashok
03-28-2015 11:28 PM
The topology is simple:
Our (ISP) switch --- client's router --- many client PCs
g0/1 on the switch is receiving the messages you saw in the log file.
04-10-2015 02:07 AM
According to the logs, "(Req) on Gi0/1": does it mean that the request packet came in on the interface (ingress), or can it also be egress? Can it be that someone is sending those ARPs to our client (g0/1 egress)?
04-23-2015 07:20 AM
Has nobody experienced a similar issue with ARP?
06-10-2015 03:08 AM
Invalid ARPs (Res) on Fa0/24, vlan 196.([0016.xxxx.xxxx/xx.xx.51.3/000c.xxxx.xxxx/255.255.255.255/12:49:01 EEST Wed Jun 10 2015])
Could this mean that the ARP response came in on untrusted port 24, or is it only that there are invalid addresses in the ARP message that is sent to port fa0/24?
10-02-2024 03:13 AM - edited 10-02-2024 03:33 AM
It's an old topic and I don't work there anymore, but the question still remains:
Invalid ARPs (Res) on Fa0/24, vlan 196.([0016.xxxx.xxxx/xx.xx.51.3/000c.xxxx.xxxx/255.255.255.255/12:49:01 EEST Wed Jun 10 2015])
Is this entry generated only when an invalid ARP is received in the ingress direction (Fa0/24), or can it be created by an egress invalid ARP as well (Fa0/24)?
