Computer ARP -a display 00-00-00-00-00-00

donglei888999
Spotlight

Hi Friends,

I have encountered a big problem: all computers on the same VLAN cannot access the network. When I run arp -a on the computers, it displays 00-00-00-00-00-00.

So I enabled the switch command ip arp inspection vlan X and got many ARP errors:

May 25 15:13:37: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/6, vlan 11.([0022.641e.984e/10.114.240.56/0000.0000.0000/10.114.240.1/15:13:36 gmt Fri May 25 2012])
May 25 15:13:38: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/4, vlan 11.([4437.e648.fb9d/10.114.240.50/0000.0000.0000/10.114.240.1/15:13:37 gmt Fri May 25 2012])
May 25 15:13:38: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/3, vlan 11.([4437.e64d.72c5/10.114.240.39/0000.0000.0000/10.114.240.1/15:13:37 gmt Fri May 25 2012])
May 25 15:13:38: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/5, vlan 11.([4437.e650.f964/10.114.240.53/0000.0000.0000/10.114.240.1/15:13:37 gmt Fri May 25 2012])
May 25 15:13:38: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/26, vlan 11.([4437.e664.e870/10.114.240.36/0000.0000.0000/10.114.240.1/15:13:37 gmt Fri May 25 2012])
May 25 15:13:38: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/10, vlan 11.([4437.e662.3734/10.114.240.47/0000.0000.0000/10.114.240.1/15:13:37 gmt Fri May 25 2012])
May 25 15:13:39: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/48, vlan 11.([0018.7185.3c21/10.114.240.46/0000.0000.0000/10.114.240.31/15:13:38 gmt Fri May 25 2012])
May 25 15:13:39: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/6, vlan 11.([0022.641e.984e/10.114.240.56/0000.0000.0000/10.114.240.1/15:13:38 gmt Fri May 25 2012])
May 25 15:13:39: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/11, vlan 11.([e839.3548.6d9a/10.114.240.52/0000.0000.0000/10.114.240.1/15:13:39 gmt Fri May 25 2012])
May 25 15:13:40: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/5, vlan 11.([4437.e650.f964/10.114.240.53/0000.0000.0000/10.114.240.1/15:13:39 gmt Fri May 25 2012])

So I restarted the switch and the issue was fixed, but after one more day it happened again. (When I use the ip arp inspection command, all ports on this switch lose network connectivity; I don't know why. When I disable the command, the network is active.)

I scanned all computers in the LAN, but no ARP attack was found, so I wonder whether it is a switch problem?

10 Replies

John Blakley
VIP Alumni

Are the hosts that are getting the ARP inspection errors statically set? If they're not in the DHCP database on your device, it will deny the incoming ARP request. For example, check the host 10.114.240.52 to see if it's statically set at the box. You have 2 choices if it is: you can create a static ARP ACL and apply that as a filter to your ARP inspection, OR you can trust the ports that these hosts are off of. I would not do the latter if these are end host ports, though, because then they'd be able to run a DHCP server and not be subjected to DHCP snooping.

HTH,

John


It has a record in the DHCP server pool, but I am not sure whether this command will cause all interfaces to go down.

Have you checked if it's a bug in the Cisco Bug Toolkit?

No, I don't know how to check. Can you tell me the link?

Look for Cisco Bug Toolkit on Google; I don't have the link on me now. Once you go onto it, it's self-explanatory. You choose your platform and IOS and it will show you if there are any related bugs.

Cheers

I have checked; it is not this bug, and I opened a TAC case with Cisco, who advised me that no action is needed. But I am still confused why ARP still sends "0" packets continuously.

Hi,

The switch received ARP packets that are considered invalid by ARP inspection. The packets are invalid, and their presence may be an indication of "man-in-the-middle" attacks that are attempted in the network. This message is logged when the IP address and MAC address binding for the sender on the received VLAN is not listed in the DHCP snooping database.

DHCP snooping builds a table as the hosts acquire IP addresses from the DHCP server, and from then on uses this table as a reference to allow or deny packets based on the lookup it performs against the source MAC and source IP of the incoming ARP packets. When a host boots and comes up on the network, the first thing it does is get an IP/mask/gateway and additional information like DNS from an available DHCP server.

Once the host gets an identity for itself in the network, it sends an ARP for the gateway and other hosts in the network before it can communicate with them, as the host needs the destination MAC address (ARP resolves an IP address to a MAC address). So, even before ARP occurs, IP assignment by DHCP is the first step, and the DHCP snooping feature tracks these DHCP discover/offer/request/acknowledgement messages between end hosts and the DHCP server and builds the DHCP snooping binding table in this process.

May 25 15:13:37: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/6, vlan 11.([0022.641e.984e/10.114.240.56/0000.0000.0000/10.114.240.1/15:13:36 gmt Fri May 25 2012])

The above message indicates the switch has received an ARP request from host with source IP 10.114.240.56 and source MAC 0022.641e.984e located on Gi1/0/6 in vlan 11 to the host (Interface vlan 11 IP) 10.114.240.1 (destination IP) requesting the MAC address of the host (destination MAC). At this point the source does not know the destination MAC, so the ARP packet would have 0000.0000.0000 in the destination MAC field.

This ARP is not consistent with the DHCP snooping binding table that the switch already built: the IP 10.114.240.56 is likely not present yet, or is already registered by another host with a different MAC address on a different interface. You can check by using the "sh ip dhcp snooping binding vlan 11" command (please send it). This inconsistency causes the switch to believe that the above ARP request has come from an unauthorized host and could be malicious from the DHCP snooping point of view.

Possible reasons for this behavior could be hosts with manually configured IP addresses or addresses acquired from another DHCP server. If you have hosts with static IPs, you can configure the following for them to stop triggering these messages (enable trust on the interfaces that have static IP hosts):

      ip arp inspection trust

      ip dhcp snooping trust

Also, do ensure the DHCP snooping is enabled on your switch.

Kind Regards,
Ivan

**Please grade this post if you find it useful.

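The check John and Ivan describe (is the denied sender IP/MAC pair in the DHCP snooping binding table, and if not, is it a static host that belongs in an ARP ACL?) can be done offline against the switch log and the output of "sh ip dhcp snooping binding". The script below is an added example written for this thread, not code from the original posts or from Cisco. The log lines and the binding-table text it parses are constructed samples in the same format as the messages above (the binding table layout is assumed from the usual IOS column order: MacAddress, IpAddress, Lease, Type, VLAN, Interface); the ACL name DAI-STATIC-HOSTS is made up. It classifies each denied ARP as bound, MAC mismatch, port mismatch or no binding, and drafts the "arp access-list" / "ip arp inspection filter" lines for the no-binding hosts so you can review them before trusting anything.

```python
"""Triage %SW_DAI-4-DHCP_SNOOPING_DENY messages against a DHCP snooping binding table.

Added example for the thread above; the sample log and binding table are constructed.
"""
import re

# Constructed sample: same format as the switch messages posted above.
DAI_LOG = """\
May 25 15:13:37: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/6, vlan 11.([0022.641e.984e/10.114.240.56/0000.0000.0000/10.114.240.1/15:13:36 gmt Fri May 25 2012])
May 25 15:13:38: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/4, vlan 11.([4437.e648.fb9d/10.114.240.50/0000.0000.0000/10.114.240.1/15:13:37 gmt Fri May 25 2012])
May 25 15:13:39: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/48, vlan 11.([0018.7185.3c21/10.114.240.46/0000.0000.0000/10.114.240.31/15:13:38 gmt Fri May 25 2012])
"""

# Constructed sample of "show ip dhcp snooping binding vlan 11" (assumed IOS column layout).
BINDING_TABLE = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:22:64:1E:98:4E   10.114.240.56    86400       dhcp-snooping  11    GigabitEthernet1/0/6
AA:BB:CC:00:00:01   10.114.240.50    86400       dhcp-snooping  11    GigabitEthernet1/0/4
Total number of bindings: 2
"""

# Fields inside [...] are sender MAC / sender IP / target MAC / target IP / timestamp.
DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<n>\d+) Invalid ARPs \((?P<kind>\w+)\) "
    r"on (?P<port>\S+), vlan (?P<vlan>\d+)\.\(\["
    r"(?P<smac>[0-9a-fA-F.]+)/(?P<sip>[0-9.]+)/(?P<tmac>[0-9a-fA-F.]+)/(?P<tip>[0-9.]+)/"
)
BINDING_RE = re.compile(
    r"^(?P<mac>[0-9A-Fa-f:]{17})\s+(?P<ip>[0-9.]+)\s+\S+\s+\S+\s+(?P<vlan>\d+)\s+(?P<iface>\S+)"
)


def norm_mac(mac):
    """'00:22:64:1E:98:4E' and '0022.641e.984e' both become '0022641e984e'."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def short_iface(name):
    """'GigabitEthernet1/0/6' -> 'Gi1/0/6' (the abbreviation used in the log)."""
    m = re.match(r"([A-Za-z]+)(\d.*)$", name)
    return name if m is None else m.group(1)[:2] + m.group(2)


def parse_deny_log(text):
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            events.append({"port": m["port"], "vlan": int(m["vlan"]), "kind": m["kind"],
                           "smac": norm_mac(m["smac"]), "sip": m["sip"],
                           "tmac": norm_mac(m["tmac"]), "tip": m["tip"]})
    return events


def parse_bindings(text):
    """Map (vlan, ip) -> (mac, short interface name)."""
    bindings = {}
    for line in text.splitlines():
        m = BINDING_RE.match(line.strip())
        if m:
            bindings[(int(m["vlan"]), m["ip"])] = (norm_mac(m["mac"]), short_iface(m["iface"]))
    return bindings


def classify(event, bindings):
    """Why DAI would reject this sender: no binding, wrong MAC, wrong port, or (now) bound."""
    b = bindings.get((event["vlan"], event["sip"]))
    if b is None:
        return "no-binding"      # static IP, lease from another server, or table lost
    mac, iface = b
    if mac != event["smac"]:
        return "mac-mismatch"    # IP claimed by a second MAC: conflict or spoofing
    if iface != event["port"]:
        return "port-mismatch"   # right host, wrong port: moved or spoofed
    return "bound"               # binding matches now; it was learned after the deny


def triage(log_text, binding_text):
    bindings = parse_bindings(binding_text)
    return [dict(e, verdict=classify(e, bindings)) for e in parse_deny_log(log_text)]


def arp_acl_for_unbound(results, vlan, acl_name="DAI-STATIC-HOSTS"):
    """Draft IOS config for hosts with no binding. Review each entry first: only
    hosts you have confirmed to be legitimate static hosts belong in this ACL."""
    lines = [f"arp access-list {acl_name}"]
    for r in results:
        if r["verdict"] == "no-binding" and r["vlan"] == vlan:
            dotted = ".".join(r["smac"][i:i + 4] for i in range(0, 12, 4))
            lines.append(f" permit ip host {r['sip']} mac host {dotted}")
    lines.append(f"ip arp inspection filter {acl_name} vlan {vlan}")
    return lines


if __name__ == "__main__":
    results = triage(DAI_LOG, BINDING_TABLE)
    for r in results:
        print(f"{r['port']:<9} {r['sip']:<15} {r['smac']}  {r['verdict']}")
    print("\n".join(arp_acl_for_unbound(results, vlan=11)))
```

A mac-mismatch entry is the one to chase first: it means two MACs are claiming the same IP on the VLAN, which is either an address conflict or exactly the spoofing DAI exists to block. Trusting the access port, as the replies note, would also disable DHCP snooping checks on it, so the ARP ACL is the narrower fix for confirmed static hosts.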

It causes network issues when DHCP snooping is enabled on the access switch (2960). I have tried enabling DHCP snooping, but the network goes down. When I removed DHCP snooping, the network resumed.

Enabling DHCP snooping/DAI where you have the right ports trusted should not cause an outage. Should it? I have not used that command a lot, but from what I learned in SWITCH you need to enable it there, enable it all the way up the chain to the DHCP server, and configure your trusted/untrusted ports (important!) correctly.

Cisco has a lot of articles, plus this one was useful:

http://itknowledgeexchange.techtarget.com/network-technologies/how-to-configure-dhcp-snooping-in-a-cisco-catalyst-switches/

When you say the network is down, do you mean you have no access to the switch management IP? End users see slowness? You can release/renew?

DAI info:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dynarp.html#wp1039207

Hello Donglei,

I am not sure if you followed the perfect explanation that Ivan provided you, but that is basically what you need to do!

If you want to keep ARP inspection enabled you will need to do what Ivan told you to make everything work!

I think what you can do now is to read the following 2 links, try to understand them, and afterwards you will know what we are talking about. I used them to learn and understand DHCP snooping and DAI, so this is definitely going to help you.

http://cciesecure.blogspot.com/2010/01/dhcp-snooping-on-cisco-switches.html

http://packetpushers.net/yes-we-really-need-dynamic-arp-inspection/

Rate all the helpful posts

Julio

Security Engineer

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC