dynamic arp inspection failure

t.fiala
Level 1

Hi all.

I've introduced dynamic ARP inspection in accordance with ARP access-list(s) and experienced the following trouble:

The inspection sometimes (three times a week) fails. Well-formed ARP responses are denied. The workaround is to load the same access-list again.

I have two similarly configured nets. The first has a C3560G in core, the second two C3750G in stack. Failures occur only on the slave in stack.

IOS is Version 12.2(25)SEE2 in both cases.

Is anything known about this issue, or does it seem to be rather a HW failure on the slave?

Regards,

Tomas

2 Replies

owillins
Level 6

You could be hitting the bug - CSCsg18176 (Catalyst 3750 and 3560 switches).

When dynamic ARP inspection is enabled and IP validation is disabled, the switch drops ARP requests that have a source address of 0.0.0.0. The workaround is to configure an ARP access control list (ACL) that permits IP packets with a source IP address of 0.0.0.0 (and any MAC address) and apply the ARP ACL to the desired DAI VLANs.

Thanks for your reply and CSCsg18176 bug description. It may help in the future, but I am afraid it does not match my present case. My 3750 stack suddenly starts filtering well-formed ARP responses, e.g.:

25.9.2007 12:25 ss-s01-1.fzu.cz Warning 13023: Sep 25 12:25:38.743 CEST: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Res) on Gi2/0/26, vlan 200.([0050.fc8d.f4fa/147.231.26.205/0006.5b0f.5dad/147.231.26.31/12:25:38 CEST Tue Sep 25 2007])

If I load the same arp access-list again, the failure disappears.

Regards, Tomas
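
Added example, not part of the thread: a small Python triage script that parses `%SW_DAI-4-ACL_DENY` messages like the one quoted above, flags denials whose sender IP/MAC pair is one the ARP ACL is supposed to permit, and counts them per stack member. The `PERMITTED` table is an assumed copy of the intended ACL bindings, and the second and third log lines are constructed samples.

```python
import re
from collections import Counter

# Bracketed fields are read as: sender MAC / sender IP / target MAC / target IP / time.
DENY_RE = re.compile(
    r"%SW_DAI-4-ACL_DENY: (?P<count>\d+) Invalid ARPs \((?P<kind>Req|Res)\) "
    r"on (?P<port>\S+), vlan (?P<vlan>\d+)\."
    r"\(\[(?P<smac>[0-9a-fA-F.]+)/(?P<sip>[\d.]+)/"
    r"(?P<tmac>[0-9a-fA-F.]+)/(?P<tip>[\d.]+)/(?P<time>[^\]]+)\]\)"
)

# Assumption: sender IP -> MAC pairs the ARP access-list is meant to permit.
PERMITTED = {"147.231.26.205": "0050.fc8d.f4fa"}

SAMPLE_LOG = [
    # Message body quoted in the thread.
    "Sep 25 12:25:38.743 CEST: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Res) on Gi2/0/26, vlan 200.([0050.fc8d.f4fa/147.231.26.205/0006.5b0f.5dad/147.231.26.31/12:25:38 CEST Tue Sep 25 2007])",
    # Constructed: a sender that is not in the permitted table (a legitimate deny).
    "Sep 25 12:26:01.100 CEST: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Gi1/0/5, vlan 200.([0011.2233.4455/192.0.2.50/0000.0000.0000/192.0.2.1/12:26:01 CEST Tue Sep 25 2007])",
    # Constructed: unrelated message that must be ignored.
    "Sep 25 12:27:00.000 CEST: %LINK-3-UPDOWN: Interface Gi1/0/5, changed state to up",
]

def parse_deny(line):
    """Return the fields of one ACL_DENY message, or None if the line is not one."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["count"], rec["vlan"] = int(rec["count"]), int(rec["vlan"])
    rec["smac"] = rec["smac"].lower()
    # Stack ports are named <member>/<module>/<port>, e.g. Gi2/0/26 is member 2.
    member = re.search(r"(\d+)/\d+/\d+$", rec["port"])
    rec["member"] = int(member.group(1)) if member else None
    return rec

def unexpected_denies(lines, permitted):
    """Denials whose sender binding matches an entry the ACL should permit."""
    hits = []
    for line in lines:
        rec = parse_deny(line)
        if rec and permitted.get(rec["sip"], "").lower() == rec["smac"]:
            hits.append(rec)
    return hits

def by_stack_member(hits):
    """Count unexpected denials per stack member number."""
    return Counter(rec["member"] for rec in hits)
```

Unexpected denials that cluster on one member number, and stop after the access-list is reloaded, match the pattern described in the post.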
