IP Spoofing Issue in Cisco ACI Leaf Switches

LakshmiPrabu
Level 1

Issue description

We have a Bridge Domain for a /21 subnet which hosts a lot of VMs, Monitoring hosts, Jump Servers and so on.

The servers in the subnet were reported with inconsistency while pinging, and all the other servers monitored by the monitoring hosts in this subnet seem to be failing.

ACI support team figured out this to be an IP spoofing issue. One of the VM MACs was found to be reporting with multiple IP addresses (even from other Bridge Domains).

The fix provided was clearing the MAC cache with the command: vsh -c 'clear system internal epm endpoint key vrf NAME ip 10.X.X.X' and by enabling Enforce Subnet Check for IP learning.

My questions for this discussion are

1. How would that IP spoofing be identified in the APIC?

2. From a command perspective, how was the IP address corresponding to the MAC found?

3. In the command vsh -c 'clear system internal epm endpoint key vrf NAME ip 10.X.X.X', would all of the 100+ IPs found on this MAC be cleared, or is it the EPG that is being referred to?

Accepted Solution

Joseph Young
Cisco Employee

I don't think this would actually be considered spoofing. Usually spoofing would refer to a device that is actually configured with another device's address. In your scenario (correct me if I'm wrong) it sounds like we just learned an IP address in an EPG and BD that it shouldn't appear in. A BD with unicast routing enabled and 'enforce subnet check' NOT enabled will learn every single source IP address for each packet that it receives. So, let's say you have a load-balancer or firewall that receives traffic and sends it back to the fabric to the final destination in the same bridge domain...you would now overwrite the original mac address for the endpoint with the load-balancer/firewall mac. This is a pretty common problem and can be avoided most commonly by doing things like...

1. enforce subnet check

2. disable unicast routing for bridge domains that don't actually need to route traffic

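To make the learning behaviour in the answer above concrete, here is an added example (not from the thread, and not Cisco code or APIC output): a small Python model of a leaf's IP endpoint table in a bridge domain with and without 'Enforce Subnet Check', plus a check that flags a MAC holding IPs from outside its BD's subnets, which is the symptom the original post describes. The BD names, VRF name, MACs and IPs are constructed, and the per-(vrf, ip) keying of the table is an assumption made to mirror the shape of the clear command from the post.

```python
"""Added example (not from the thread or Cisco): a model of how an ACI leaf
learns IP endpoints in a bridge domain (BD) with and without 'Enforce
Subnet Check', and a check that flags a MAC reporting IPs from other subnets.
The classes, sample MACs/IPs and BD names are constructed for illustration;
they are not APIC objects or CLI output."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class BridgeDomain:
    name: str
    vrf: str
    subnets: list                      # ip_network objects configured on the BD
    unicast_routing: bool = True
    enforce_subnet_check: bool = False


@dataclass
class EndpointTable:
    """Leaf IP endpoint table. Assumed to be keyed per (vrf, ip), mirroring the
    'clear system internal epm endpoint key vrf NAME ip X' command (model only)."""
    entries: dict = field(default_factory=dict)

    def learn(self, bd, src_ip, src_mac):
        """Data-plane IP learning from one received packet. Returns True if learned."""
        if not bd.unicast_routing:
            return False               # no IP learning without unicast routing
        ip = ipaddress.ip_address(src_ip)
        if bd.enforce_subnet_check and not any(ip in net for net in bd.subnets):
            return False               # source IP outside the BD subnets: not learned
        self.entries[(bd.vrf, ip)] = (src_mac, bd.name)   # overwrites any previous MAC
        return True

    def clear(self, vrf, ip):
        """Model of the clear command: removes one (vrf, ip) key, not every IP on a MAC."""
        return self.entries.pop((vrf, ipaddress.ip_address(ip)), None) is not None

    def ips_for_mac(self, mac):
        return sorted(str(ip) for (_, ip), (m, _) in self.entries.items() if m == mac)

    def mac_for_ip(self, vrf, ip):
        entry = self.entries.get((vrf, ipaddress.ip_address(ip)))
        return entry[0] if entry else None


def suspicious_macs(table, bds):
    """MACs that hold an IP learned outside the subnets of the BD it appeared in:
    the symptom from the thread (one VM MAC reporting IPs from other BDs)."""
    by_name = {bd.name: bd for bd in bds}
    bad = {}
    for (_, ip), (mac, bd_name) in table.entries.items():
        if not any(ip in net for net in by_name[bd_name].subnets):
            bad.setdefault(mac, []).append(str(ip))
    return {mac: sorted(ips) for mac, ips in bad.items()}


def run_scenario(enforce_subnet_check):
    """Server A and firewall F sit in BD 'prod' (10.10.0.0/21). F forwards a packet
    from 192.168.50.5 (another BD's subnet) to A and hairpins A's own traffic."""
    prod = BridgeDomain("prod", "tenant:vrf1", [ipaddress.ip_network("10.10.0.0/21")],
                        enforce_subnet_check=enforce_subnet_check)
    server_mac, fw_mac = "00:50:56:aa:00:01", "00:50:56:ff:00:01"   # constructed
    table = EndpointTable()
    table.learn(prod, "10.10.1.10", server_mac)          # normal learning of server A
    table.learn(prod, "192.168.50.5", fw_mac)            # F re-injects a client's packet
    table.learn(prod, "10.10.1.10", fw_mac)              # F hairpins A's traffic back
    return table, prod


if __name__ == "__main__":
    for flag in (False, True):
        table, prod = run_scenario(flag)
        print(f"enforce_subnet_check={flag}: firewall MAC owns "
              f"{table.ips_for_mac('00:50:56:ff:00:01')}, "
              f"suspicious={suspicious_macs(table, [prod])}")
```

Running it shows the two halves of the answer: with the check off, the firewall MAC ends up owning both the foreign 192.168.50.5 and the server's own 10.10.1.10; with the check on, the foreign IP is never learned, but the in-subnet hairpin still overwrites the server's MAC with the firewall's, which is why the second recommendation (disabling unicast routing on BDs that do not need to route) matters as well. In this model a clear keyed by one IP removes only that entry, so the other IPs learned against the same MAC stay until cleared or re-learned.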

