ARP Inspection with Win7

Aug 4th, 2010

We have deployed ARP inspection within our access switches (Cisco 3750's w/ IOS 12.2(35)). We had no issues running ARP inspection with no modification to the standard thresholds, until we started deploying Windows 7.

When an employee does searches within Active Directory or file transfers, the port will become err-disabled.

Has anyone else run into this issue and what was the resolution?

jeff.sadowski_2 Thu, 08/05/2010 - 04:41

To my understanding, putting the ARP inspection to no limit is the same as not using it at all. I work for a large company that has regular audits done, and this is tested to make sure that if someone were to use this against us, it triggers and shuts down the switch port. There must be something in the middle that will not disable the port while using a Win7 configured PC and still will shut the port down if a possible attack would happen. I have not been able to find anything in the CLI for 12.2(35) that I can use to monitor the amount of requests that are happening. If this were possible, I would do various functions with a Win7 PC to find the upper (peak) possible requests from a Win7 PC and use that number to configure ARP inspection. I am looking for someone that might have possibly done a similar process (possibly manually) to find this magical number that stops Win7 from disabling the port, but still protects from an ARP attack.

We have seen the ports become disabled with searches within the Active Directory space, like searching for a printer queue. We have seen this issue with opening or transferring large files. We also have scans done on PCs to make sure software levels are kept up to date and patches applied; that could also disable ports.

Currently the default setting Cisco has for the Cat 3750 under IOS 12.2(35) has been working well when a WinXP PC is attached. Because of the new protocol stacks within Win7, this has become an issue. My concern currently is we have few Win7 PCs in use and have already seen an increase of ports being disabled. The current company directive is to use Win7 for any new PC being deployed. It is estimated about 1/4 to 1/3 are to be replaced in the next year, which is thousands of possible ports being disabled.

Jon Marshall Thu, 08/05/2010 - 04:52

Jeff

What burst value are you using? There is a bug ID, CSCse06827, which may be causing your problems:

Bug CSCse06827

Jon

jeff.sadowski_2 Thu, 08/05/2010 - 05:51

Jon,

This looks like a possible solution to my problem. I had started looking for a possible Cisco bug. I had not found this one yet, and your forwarding this information is greatly appreciated. I will need to do some testing on this so it meets audit requirements. I'll most likely start with the bug recommendation to change the burst timer from one second to three seconds. Once my testing is completed, I'll deploy it at one of the offices that seems to be most affected to see how well it works in the office environment. I'll keep this string updated on the results to help out anyone else that might have a similar issue.
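
The burst-interval change discussed in the thread can be reasoned about with a small model of the per-port DAI limiter. The script below is an added example, not Cisco's code and not from anyone in this thread. It assumes the IOS behaviour of the `ip arp inspection limit rate <pps> burst interval <seconds>` command: an untrusted port is err-disabled when it sees more than rate x burst ARP packets within the burst window (15 pps is the IOS default for untrusted ports). The exact counting algorithm inside IOS is not described on this page, so the sliding window here is a modelling assumption, and the two traffic samples (a short Win7-style directory-search burst and a sustained flood) are constructed for the demonstration.

```python
from collections import deque

DEFAULT_RATE_PPS = 15  # IOS default DAI rate limit on untrusted ports


class DaiRateLimiter:
    """Model of the per-port DAI limit: more than rate*burst ARP packets
    inside any window of `burst` seconds err-disables the port.
    (Sliding-window counting is an assumption; IOS internals are not on the page.)
    """

    def __init__(self, rate_pps=DEFAULT_RATE_PPS, burst_interval=1):
        self.rate = rate_pps
        self.burst = burst_interval
        self.limit = rate_pps * burst_interval   # packets allowed per window
        self.window = deque()                    # timestamps still inside the window
        self.err_disabled = False

    def arp_packet(self, t):
        """Account for one ARP packet seen at time t (seconds).
        Returns True if the port is still up afterwards."""
        if self.err_disabled:
            return False
        self.window.append(t)
        # drop timestamps that have aged out of the burst window
        while self.window and self.window[0] <= t - self.burst:
            self.window.popleft()
        if len(self.window) > self.limit:
            self.err_disabled = True
        return not self.err_disabled


def replay(timestamps, rate_pps=DEFAULT_RATE_PPS, burst_interval=1):
    """Feed a list of ARP packet timestamps through the limiter and
    report whether the port ended up err-disabled."""
    limiter = DaiRateLimiter(rate_pps, burst_interval)
    for t in timestamps:
        limiter.arp_packet(t)
    return limiter.err_disabled


def directory_search_sample():
    """Constructed sample: 30 ARP packets fired within 0.3 s (the kind of
    short burst a host resolving many neighbours at once produces),
    followed by an otherwise quiet port."""
    return [i * 0.01 for i in range(30)] + [5.0, 10.0]


def sustained_flood_sample():
    """Constructed sample: a steady 20 packets per second for 10 s,
    which exceeds 15 pps no matter how the burst window is sized."""
    return [i * 0.05 for i in range(200)]


if __name__ == "__main__":
    for name, sample in (("directory search", directory_search_sample()),
                         ("sustained flood", sustained_flood_sample())):
        for burst in (1, 3):
            disabled = replay(sample, DEFAULT_RATE_PPS, burst)
            print(f"{name:16s} burst interval {burst}s -> "
                  f"{'ERR-DISABLED' if disabled else 'port stays up'}")
```

Run stand-alone it prints one line per case: the short burst trips the limiter at 15 pps with a 1 s window but passes with a 3 s window (30 packets against a budget of 45), while the sustained 20 pps flood is caught under both settings. That is the property an auditor would want to see demonstrated before accepting the longer burst interval. On the switch the corresponding interface command is `ip arp inspection limit rate 15 burst interval 3`, and `errdisable recovery cause arp-inspection` can be used so that a port tripped by a legitimate burst recovers without a manual shut/no shut.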

craig.eyre Thu, 11/22/2012 - 09:15

Jeff,

Did you ever figure out a solution/explanation for this issue?

Regards,

Craig
