Invalid ARP

eXPlosion (Level 1)

Often in the switch log we see

Feb 13 12:30:21.418 GMT: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/14, vlan 159.([xxxx.9b4f.645c/xx.240.9.159/xxxx.742d.5400/xx.240.9.190/12:30:20 GMT Sat Feb 13 2016])

and dhcp snooping binding says:

1#sh ip dhcp snooping binding int f0/14
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
xx:xx:9B:4F:64:5C xx.240.9.159 3430 dhcp-snooping 159 FastEthernet0/14

It seems that the client on port 14 is doing a man-in-the-middle attack, but very often EXACTLY that client says the service is not working. Also, the MAC and IP in the binding and in the log MATCH. Can anyone explain this situation?


8 Replies

josh000014 (Level 1)

Is this a workstation connecting to port f0/14, and does it use a static IP address? If all of the information looks correct for the PC, you can issue

ip arp inspection trust

This will bypass dynamic ARP inspection for that port, which is what is blocking the traffic and logging this error.

Josh

It uses DHCP, and it's against policy to make that interface trusted.

Hello,

Do you have ARP src-mac validation? Do you receive that message only on fa0/14, or on other interfaces as well?

Masoud

Yes we have

ip arp inspection validate src-mac ip allow-zeros

Only on f0/14

The second output shows the legitimate MAC address that must be used as the L2 MAC address.

Your first output is from the ARP packet. I mean the MAC address you see in your first output is the MAC address used inside the ARP packet. However, you do not see with which L2 MAC address your client has sent that ARP packet. Since you are using src-mac validation, the ARP MAC address must be the same as the L2 MAC address, but apparently they are not the same. One of the ways you can produce an ARP packet with a different L2 MAC address is by using packet generator software.

Have you configured port security on F0/14? If yes, check to see if there is any violation. If not, configure port security and monitor it.

Masoud

Thanks for info

Yes, we have port-security; I will check that.

But the question still remains: why does that client say it's not working when on his port we see invalid ARP?

If your configuration had a problem, it would not happen only on port 0/14. It means there is something wrong with the client system.

Malware on the system or a virtual machine on the system may cause this problem, if he is telling the truth. Change the port security violation mode to shutdown and monitor the MAC addresses on that port.

Masoud

OK, here is one occurring right now

Feb 26 13:29:30.975 GMT: %SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Res) on Fa0/5, vlan 251.([0024.a5bc.b4xx/xxx.xxx.65.153/a46c.2ab9.0axx/255.255.255.255/13:29:30 GMT Fri Feb 26 2016])
Feb 26 13:34:30.963 GMT: %SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Res) on Fa0/5, vlan 251.([0024.a5bc.b4xx/xxx.xxx65.153/a46c.2ab9.0axx/255.255.255.255/13:34:30 GMT Fri Feb 26 2016])

2# sh ip dhcp snooping binding int f0/5
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:24:A5:BC:xx:xx xxx.xxx.65.153 426 dhcp-snooping 251 FastEthernet0/5
00:02:9B:99:xx:xx xxx.xxx.65.153 2490 dhcp-snooping 251 FastEthernet0/5

2#sh port-security int f0/5
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 20 mins
Aging Type : Inactivity
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 8
Total MAC Addresses : 2
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0024.a5bc.b4xx:251
Security Violation Count : 0

There is no security violation count, but this time the destination IP is 255.255.255.255. Is there something wrong with this?
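As an added triage example (not from the thread or any of its posters), here is a Python script that parses %SW_DAI log lines and checks the ARP body fields against the port's DHCP snooping bindings, covering both Masoud's src-mac explanation and the 255.255.255.255 target in the last post. The log lines, binding rows and unmasked addresses are constructed, and the rule that the `ip` validation rejects 0.0.0.0, 255.255.255.255 and multicast (target IP checked only in replies) is assumed from Cisco's DAI documentation.

```python
import re
from ipaddress import ip_address

# Constructed sample lines modelled on the thread's masked output (not real captures).
LOG_LINES = [
    "Feb 13 12:30:21.418 GMT: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/14, "
    "vlan 159.([0011.9b4f.645c/10.240.9.159/0011.742d.5400/10.240.9.190/12:30:20 GMT Sat Feb 13 2016])",
    "Feb 26 13:29:30.975 GMT: %SW_DAI-4-INVALID_ARP: 1 Invalid ARPs (Res) on Fa0/5, "
    "vlan 251.([0024.a5bc.b4aa/10.10.65.153/a46c.2ab9.0a11/255.255.255.255/13:29:30 GMT Fri Feb 26 2016])",
]
# Constructed 'show ip dhcp snooping binding' rows: {(interface, vlan): [(mac, ip), ...]}
BINDINGS = {
    ("Fa0/14", 159): [("00:11:9B:4F:64:5C", "10.240.9.159")],
    ("Fa0/5", 251): [("00:24:A5:BC:B4:AA", "10.10.65.153"), ("00:02:9B:99:11:22", "10.10.65.153")],
}

# Bracketed fields are the ARP body: sender MAC/sender IP/target MAC/target IP/time.
DAI_RE = re.compile(
    r"%SW_DAI-4-(?P<reason>\w+): \d+ Invalid ARPs \((?P<kind>Req|Res)\) on (?P<intf>[^,]+), "
    r"vlan (?P<vlan>\d+)\.\(\[(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/(?P<tmac>[0-9a-f.]+)/(?P<tip>[\d.]+)/"
)

def norm_mac(mac):
    """Turn a Cisco dotted MAC (0011.9b4f.645c) into the binding table's colon form."""
    digits = mac.replace(".", "").replace(":", "").upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def bogus_ip(ip):
    """IPs the DAI 'ip' validation rejects (assumed): 0.0.0.0, 255.255.255.255, multicast."""
    a = ip_address(ip)
    return a.is_unspecified or a.is_multicast or ip == "255.255.255.255"

def triage(line, bindings):
    """Classify one DAI log line against the port's DHCP snooping bindings."""
    m = DAI_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    port = bindings.get((f["intf"], int(f["vlan"])), [])
    smac, sip = norm_mac(f["smac"]), f["sip"]
    r = {
        "reason": f["reason"],
        "sender_in_binding": (smac, sip) in port,                    # ARP body agrees with the lease
        "ip_shared_by_macs": sum(ip == sip for _, ip in port) > 1,   # two MACs hold one IP on the port
        "bad_sender_ip": bogus_ip(sip),
        "bad_target_ip": f["kind"] == "Res" and bogus_ip(f["tip"]),  # target checked on replies only
    }
    # Body matches the lease and its IPs are sane, so the remaining src-mac check is the likely
    # failure: the Ethernet source MAC (which the log does not show) differs from the ARP sender MAC.
    r["l2_src_mac_suspect"] = r["sender_in_binding"] and not (r["bad_sender_ip"] or r["bad_target_ip"])
    return r

if __name__ == "__main__":
    for line in LOG_LINES:
        print(triage(line, BINDINGS))
```

When `l2_src_mac_suspect` is set, the next step is a capture on that port to compare the frame's source MAC with the ARP sender MAC, since the switch log alone cannot show the mismatch.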
