ESW 520 ARP Inspection Problem

ngtransge
Level 1

Hello,

I have observed strange behavior on ESW 520 switches with the ARP Inspection operation. ARP inspection is configured with static IP to MAC bindings, and it works. The problem is with logs: the switch generates tons of ARP inspection logs during normal network operation, but the network endpoints are working well. These logs are the same as those generated during ARP poisoning in the network. This behavior was observed in older and new firmware.

Here is sample log:

Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e9 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:5a:85:2e SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.18
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e1 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:03 SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.16
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e6 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:19:85:26 SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.15
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e1 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:03 SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.16
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e9 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:12:85:2e SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.18
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e5 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:10 SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.10
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e6 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:11:85:26 SRC I 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.1
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e5 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:10 SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.10
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e8 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:14:85:0c SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.14
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e3 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:3f SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.12
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e8 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:51:85:0c SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.14
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e5 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:10 SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.10
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e6 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:57:85:26 SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.15

It seems the switch doesn't like ARP requests which are going to local network addresses, but in that VLAN all hosts can communicate with each other.

Do you have any idea what can be the problem ?
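The entries quoted above all share one shape: sender IP 0.0.0.0, an all-zero target MAC, and a target IP inside the local subnet. That is the wire format of an RFC 5227 ARP probe, which hosts such as IP phones and cameras send at boot to check whether their address is already in use; a static IP-to-MAC binding check rejects it because 0.0.0.0 is never a bound address, so the drop is logged even though nothing is being spoofed. The script below is an added triage example for this thread (it is not code from the thread or from Cisco): it parses log lines of the format shown, separates probe-shaped drops from drops where a bound IP arrives with the wrong MAC, and lists target IPs probed by more than one source MAC so they can be compared against the binding table. The binding table and the final log entry are constructed for the example; the other entries are copied from the thread.

```python
import re
from collections import Counter, defaultdict

# Field layout of the %ARPINSP-I-PCKTLOG entries quoted in the thread, one
# entry per line. MAC fields may carry stray spaces ("00 :00:00:00:00:00"),
# so the MAC character class allows spaces, which are stripped afterwards.
LOG_RE = re.compile(
    r"%ARPINSP-I-PCKTLOG: ARP packet dropped from port (?P<port>\S+) "
    r"with VLAN tag (?P<vlan>\d+) and reason: (?P<reason>.+?) "
    r"SRC MAC (?P<smac>[0-9A-Fa-f: ]+?) SRC IP (?P<sip>\S+) "
    r"DST MAC (?P<dmac>[0-9A-Fa-f: ]+?) DST IP (?P<dip>\S+)\s*$"
)

ZERO_MAC = "00:00:00:00:00:00"


def parse_line(line):
    """Return the fields of one ARP-inspection drop entry, or None if the
    line is not such an entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["smac"] = entry["smac"].replace(" ", "").lower()
    entry["dmac"] = entry["dmac"].replace(" ", "").lower()
    return entry


def classify(entry, bindings):
    """Label one drop entry against an IP -> MAC binding table.

    probe      sender IP 0.0.0.0 and zero target MAC: an RFC 5227 ARP probe
               (address-conflict detection). Static-binding inspection drops
               it because 0.0.0.0 is never bound; expected from phones and
               cameras at boot, not a spoofing indicator by itself.
    mismatch   sender IP is bound to a different MAC: the case the feature
               exists to catch, and the one worth alerting on.
    unbound    sender IP has no binding: the binding table is incomplete.
    consistent sender IP/MAC agree with the binding, so the drop has some
               other cause and needs a closer look.
    """
    if entry["sip"] == "0.0.0.0" and entry["dmac"] == ZERO_MAC:
        return "probe"
    bound = bindings.get(entry["sip"])
    if bound is None:
        return "unbound"
    if bound.lower() != entry["smac"]:
        return "mismatch"
    return "consistent"


def summarize(lines, bindings):
    """Count drops per class and per port, and list target IPs that were
    probed by more than one source MAC (a device with two MACs, as in a
    phone with a PC port, or two hosts contending for one address)."""
    by_class = Counter()
    by_port = Counter()
    probers = defaultdict(set)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry, bindings)
        by_class[label] += 1
        by_port[entry["port"]] += 1
        if label == "probe":
            probers[entry["dip"]].add(entry["smac"])
    multi = {ip: sorted(macs) for ip, macs in probers.items() if len(macs) > 1}
    return {"by_class": dict(by_class), "by_port": dict(by_port),
            "multi_mac_targets": multi}


# Four entries copied from the thread (joined onto one line each) plus one
# CONSTRUCTED entry on port e4 in which a bound IP arrives from the wrong MAC.
SAMPLE_LOG = [
    "Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e9 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:5a:85:2e SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.18",
    "Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e1 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:03 SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.16",
    "Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e9 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:12:85:2e SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.18",
    "Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e5 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:10 SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.10",
    # CONSTRUCTED for the example: MAC 02:00:00:00:00:aa claims 10.0.10.10.
    "Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e4 with VLAN tag 10 and reason: packet verification failed SRC MAC 02:00:00:00:00:aa SRC IP 10.0.10.10 DST MAC 00:00:00:00:00:00 DST IP 10.0.10.1",
]

# CONSTRUCTED binding table; the thread does not reproduce the real one.
BINDINGS = {
    "10.0.10.18": "13:71:05:5a:85:2e",
    "10.0.10.16": "13:71:05:80:f5:03",
    "10.0.10.10": "13:71:05:80:f5:10",
}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, BINDINGS))
```

On the sample input the four copied entries come out as probes, the constructed e4 entry is the only mismatch, and 10.0.10.18 is reported as probed by two different MACs from port e9, which is the kind of pair worth checking against the binding table before deciding whether it is one device with two addresses or two devices claiming one.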

7 Replies

Tom Watts
VIP Alumni

Hi ngtransge,

I will first come to say I do not know the answer. But, I will suspect the log entries are indicating a MAC address that arrived on the interface that did not recognize the IP or MAC address. If the MAC or IP is not found in the inspection list, it would revert to the DHCP snooping table if that is enabled.

I would suspect these entries are coming from an untrusted interface then goes through validation.

Can you show the trusted interfaces and the MAC bindings?

Are the MAC addresses on the log entry meaningful to you in any way?

Are those MAC addresses supposed to be going to a particular destination? Or conversely, are the MAC addresses supposed to be seen on an untrusted interface?

-Tom

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

Hello Thomas,

DHCP Snooping is not enabled on the switch. I have checked the static IP to MAC bindings on the switch many times, and they are correct. Also the MAC addresses from the logs are correct and they belong to real hosts connected to the switch. All interfaces on the switch are untrusted; the only trusted interface is the uplink to the core.

It seems strange that the switch drops packets that are going to the local subnet, but in reality these hosts can ping each other. Also there are no logs at all for default gateway ARPs.

Try setting the port connecting to the router as a trusted interface.

-Tom

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

The ESW is connected to a 3750 switch, which is the aggregation point. The port that goes to the 3750 is trusted.

I think the reason you see dropped packet logging is because of the 0.0.0.0 for MAC and IP.

The source IP is 0.0.0.0 and destination MAC is 00 :00:00:00:00:00.

The real question is why your source host residing at MAC 13:71:05:14:85:0c is not showing an IP, and why the destination IP 10.0.10.10 (or any other listed) is not showing a MAC address.

Is this some sort of virtual server network?

-Tom

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/

Hello Thomas,

Thank you for helping.

These logs are generated only for phones and IP cameras. I think the logs that the switch shows are wrong, because the same logs are generated with all zeros in the source IP addresses when real ARP poisoning is happening.

It may be possible that a wireless camera has 2 MAC addresses, the wireless MAC and the wired MAC. Same with the phone: the switch port has 1 MAC while the phone port has a MAC as well.

Are both MAC of each device logged in the binding?

-Tom

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/