Invalid ARP

eXPlosion
Level 1

In switch logs we see:

EEST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/21, vlan 196.([0022.3334.xxxx/192.168.1.254/00a0.d196.xxxx/xxx.xxx.57.52/11:45:23 EEST Mon Oct 19 2015])
EEST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/21, vlan 196.([0022.3334.xxxx/192.168.1.254/00a0.d196.xxxx/xxx.xxx.57.52/11:45:24 EEST Mon Oct 19 2015])
 EEST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/21, vlan 196.([0022.3334.xxxx/192.168.1.254/00a0.d196.xxxx/xxx.xxx.57.52/11:45:25 EEST Mon Oct 19 2015])

Does this mean that the ARPs are coming inbound on fa0/21, or are they outbound on fa0/21? Is this a spoofed ARP attack?

 

Similarly there are:

EEST: %SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Res) on Fa0/24, vlan 196.([0016.01fb.74xx/xxx.xxx.51.3/a46c.2ab9.0axx/255.255.255.255/14:48:42 EEST Tue Oct 20 2015])
EEST: %SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Res) on Fa0/24, vlan 196.([0016.01fb.74xx/xxx.xxx.51.3/a46c.2ab9.0axx/255.255.255.255/15:18:42 EEST Tue Oct 20 2015])

0016.01fb.74xx is the MAC of the computer on fa0/24. If it is a response ARP from the computer and it's answering with MAC a46c.2ab9.0axx, which is the default gateway, is this some kind of scanning from another computer on a different port?

 

 


Ganesh Hariharan
VIP Alumni


In switch logs we see:

EEST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/21, vlan 196.([0022.3334.xxxx/192.168.1.254/00a0.d196.xxxx/xxx.xxx.57.52/11:45:23 EEST Mon Oct 19 2015])
EEST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/21, vlan 196.([0022.3334.xxxx/192.168.1.254/00a0.d196.xxxx/xxx.xxx.57.52/11:45:24 EEST Mon Oct 19 2015])
 EEST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/21, vlan 196.([0022.3334.xxxx/192.168.1.254/00a0.d196.xxxx/xxx.xxx.57.52/11:45:25 EEST Mon Oct 19 2015])

Does this mean that the ARPs are coming inbound on fa0/21, or are they outbound on fa0/21? Is this a spoofed ARP attack?


Similarly there are:

EEST: %SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Res) on Fa0/24, vlan 196.([0016.01fb.74xx/xxx.xxx.51.3/a46c.2ab9.0axx/255.255.255.255/14:48:42 EEST Tue Oct 20 2015])
EEST: %SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Res) on Fa0/24, vlan 196.([0016.01fb.74xx/xxx.xxx.51.3/a46c.2ab9.0axx/255.255.255.255/15:18:42 EEST Tue Oct 20 2015])

0016.01fb.74xx is the MAC of the computer on fa0/24. If it is a response ARP, it should be the MAC of the default gateway there?

Hi,

This message means that the switch has received Address Resolution Protocol (ARP) packets considered invalid by ARP inspection. The packets are erroneous, and their presence can show attempted man-in-the-middle attacks in the network.

This log message appears when the IP and MAC address of the sender binding for the received VLAN is not present in the DHCP snooping database.

In order to resolve the above, try configuring show ip dhcp snooping bindings, as these messages are received when the MAC address does not match the bindings.

Try ip arp inspection trust if the device does not use DHCP and you trust the device on the port.

And make sure DHCP snooping is enabled in order to permit ARP packets that have dynamically got an IP assigned.

Hope it Helps..

-GI

Rate if it Helps..

Ok, 

when it shows (Res) on Fa0/21 it seems it is coming inbound on that interface.

This IP:

192.168.1.254

is the IP of the gateway. So it seems that the client on F0/21 is actually doing some kind of attack, or the cable is plugged into a home router's LAN port instead of WAN? His true MAC and IP actually are:

00a0.d196.xxxx/xxx.xxx.57.52

 

 

Also, is there some kind of difference between:

%SW_DAI-4-DHCP_SNOOPING_DENY
%SW_DAI-4-INVALID_ARP

 

eXPlosion
Level 1

an entry

EEST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/21, vlan 196.([0022.3334.xxxx/192.168.1.254/00a0.d196.xxxx/xxx.xxx.57.52/11:45:23 EEST Mon Oct 19 2015])

means the ARP request was for a private IP address, right? (who has 192.168.1.254?)
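
Added example, not part of any post in this thread: a Python parser for the two SW_DAI messages quoted above, grouping dropped ARPs by ingress port and by the sender binding that was rejected. It assumes the bracketed fields are sender MAC / sender IP / target MAC / target IP / time, the order Cisco documents for these messages; DAI validates ARP packets on ingress, so the port named is the one the packet arrived on. The function names and the sample variable are hypothetical.

```python
import re
from collections import Counter

# Constructed sample input: log lines as quoted in this thread (addresses masked as posted).
SAMPLE_LOG = """\
EEST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/21, vlan 196.([0022.3334.xxxx/192.168.1.254/00a0.d196.xxxx/xxx.xxx.57.52/11:45:23 EEST Mon Oct 19 2015])
EEST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/21, vlan 196.([0022.3334.xxxx/192.168.1.254/00a0.d196.xxxx/xxx.xxx.57.52/11:45:24 EEST Mon Oct 19 2015])
EEST: %SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Res) on Fa0/24, vlan 196.([0016.01fb.74xx/xxx.xxx.51.3/a46c.2ab9.0axx/255.255.255.255/14:48:42 EEST Tue Oct 20 2015])
this line is not a DAI message and must be skipped
"""

# Assumed field order inside the brackets: sender MAC/sender IP/target MAC/target IP/time.
DAI_RE = re.compile(
    r"%SW_DAI-4-(?P<reason>[A-Z_]+): (?P<count>\d+) Invalid ARPs \((?P<op>Req|Res)\) "
    r"on (?P<port>[^,\s]+), vlan (?P<vlan>\d+)\.\(\["
    r"(?P<sender_mac>[^/]+)/(?P<sender_ip>[^/]+)/"
    r"(?P<target_mac>[^/]+)/(?P<target_ip>[^/]+)/(?P<time>[^\]]+)\]\)"
)


def parse_dai(line):
    """Return the fields of one SW_DAI log line as a dict, or None if it is not one."""
    m = DAI_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    rec["op"] = {"Req": "request", "Res": "reply"}[rec["op"]]
    return rec


def rejected_claims(log_text):
    """Sum dropped ARPs per (ingress port, vlan, reason, sender MAC, sender IP)."""
    totals = Counter()
    for line in log_text.splitlines():
        rec = parse_dai(line)
        if rec:
            key = (rec["port"], rec["vlan"], rec["reason"],
                   rec["sender_mac"], rec["sender_ip"])
            totals[key] += rec["count"]
    return totals


if __name__ == "__main__":
    for (port, vlan, reason, mac, ip), n in rejected_claims(SAMPLE_LOG).most_common():
        print(f"{port} vlan {vlan}: {n} x {reason}, sender {mac} claimed {ip}")
```

Feeding it a full syslog export shows at a glance which access ports keep sending ARP replies for an address, such as the gateway's, that they have no binding for.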
