
ARP Inspection 4500

martin.sweeney
Level 1

Hi

IP ARP inspection has been disabling ports when IP phones ARP the default gateway. Phones have been stable for months. This problem may have something to do with DHCP leasing. I have attached the log from a 4500 switch. Is anyone aware what the 0000.0000.0000 represents - I was of the opinion that if a device MAC address was unknown then this address was issued (broadcast)? Why then is the port being disabled?

Any advice?

Dec 19 09:04:05 AEST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa4/23, vlan 811.([0019.06dc.0578/10.80.1.88/0000.0000.0000/10.80.1.21/09:04:04 AEST Tue Dec 19 2006])

4 Replies

paolo bevilacqua
Hall of Fame

Hi Martin,

No device should ever send packets to an all-zero address, and the switch is right to be upset about it.

Either you relax the check on the switch or check the phones' firmware; perhaps updating to the latest load would fix these spurious packets.

Sorry Paolo, but why is an all-zero address considered invalid - the ARP packet, I believed, contained all zeros in its destination when an IP address was unknown?

Martin,

In an Ethernet header, in the destination field, you can find three types of address: unicast, multicast and broadcast. An all-zero address is technically a unicast, but is also an invalid destination.

But as you say, inside an ARP packet, fields that are unknown are filled with zeros, and this is perfectly valid.

eloy.chio
Level 1

I ran into a similar issue a couple of weeks ago. I found a bug ID explaining the problem you're having. This is what I did to fix the problem. Apply this command on the untrusted ports.

ip arp inspection limit rate 15 burst interval 3
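
An added example, not part of the original thread: a small Python triage helper that splits the `%SW_DAI-4-DHCP_SNOOPING_DENY` line quoted in the question into its fields (sender MAC / sender IP / target MAC / target IP / time) and checks the sender pair against DHCP snooping bindings, which is what DAI validates. The function names and the binding table passed in are assumptions made up for illustration; real bindings would come from the switch's DHCP snooping table.

```python
import re

# Bracketed fields of the DAI deny message, in order:
# sender MAC / sender IP / target MAC / target IP / time of day.
DAI_DENY = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs "
    r"\((?P<op>Req|Res)\) on (?P<port>\S+), vlan (?P<vlan>\d+)\.\(\["
    r"(?P<smac>[0-9a-f.]{14})/(?P<sip>[\d.]+)/"
    r"(?P<tmac>[0-9a-f.]{14})/(?P<tip>[\d.]+)/(?P<time>[^\]]+)\]\)",
    re.IGNORECASE,
)
ZERO_MAC = "0000.0000.0000"

# The log line from the question, joined back onto one line.
SAMPLE = ("Dec 19 09:04:05 AEST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs "
          "(Req) on Fa4/23, vlan 811.([0019.06dc.0578/10.80.1.88/"
          "0000.0000.0000/10.80.1.21/09:04:04 AEST Tue Dec 19 2006])")


def parse_dai_deny(line):
    """Return the message fields as a dict, or None if the line does not match."""
    m = DAI_DENY.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["count"], ev["vlan"] = int(ev["count"]), int(ev["vlan"])
    ev["smac"], ev["tmac"] = ev["smac"].lower(), ev["tmac"].lower()
    return ev


def explain(ev, bindings):
    """bindings: {(vlan, ip): mac}, a hypothetical copy of the snooping table."""
    notes = []
    if ev["op"] == "Req" and ev["tmac"] == ZERO_MAC:
        # Target MAC inside an ARP request is the unknown being asked for.
        notes.append("target MAC all-zero: normal for an ARP request")
    bound = bindings.get((ev["vlan"], ev["sip"]))
    if bound is None:
        notes.append("no DHCP snooping binding for sender IP")
    elif bound.lower() != ev["smac"]:
        notes.append("sender MAC differs from binding")
    else:
        notes.append("sender matches binding")
    return notes


if __name__ == "__main__":
    event = parse_dai_deny(SAMPLE)
    # Constructed case: the phone's lease is absent from the binding table.
    for note in explain(event, bindings={}):
        print(f'{event["port"]} vlan {event["vlan"]}: {note}')
```
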