New Member

DAI - Ignore ARP Probes?

We are running DAI on our access switches. All clients get static IPs so we use ACLs to define the MAC-to-IP bindings. Here is a snippet of the config:

ip arp inspection vlan 99
ip arp inspection filter vlan99arp vlan 99 static
arp access-list vlan99arp
permit ip host 172.16.0.10 mac host 0011.2233.4455

The one issue I have is when hosts send out ARP probes. In most cases, this only happens when a host is rebooted or the network settings are changed. But we have a host that sends ARP probes every minute. Each time, a log message is sent to our syslog server, which sends an email. This is filling up my mailbox with unnecessary messages.

Is there a way to configure DAI to ignore ARP probes? It looks like you can configure DAI to explicitly log ARP probes with "logging arp-probe" but I want it to ignore these. Here is an example of what gets logged every minute:

Aug  2 17:54:58.148 EDT: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Gi0/10, vlan 99.([0011.2233.4455/0.0.0.0/ffff.ffff.ffff/172.16.0.10


Accepted Solutions
Cisco Employee

Hello,

I am not sure if this logging can be stopped. However, the logging message actually tells you about an invalidly formatted ARP Request whose contents are as follows:

  • Source MAC: 0011.2233.4455 (acceptable)
  • Source IP: 0.0.0.0 (acceptable)
  • Target MAC: ffff.ffff.ffff (unacceptable)
  • Target IP: 172.16.0.10 (acceptable)

If this is an ARP Probe then it violates RFC 5227 in at least two aspects:

  • The Target MAC should be set to all-zero (Section 2.1.1)
  • The host must not perform this check periodically (Section 2.1)

What is the operating system of the station that emits these probes? Can it perhaps be reconfigured to stop sending them?

Best regards,

Peter

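As an added illustration of Peter's reading of the log line (not code from the thread, from Cisco, or from Infoblox), the Python below parses the %SW_DAI-4-ACL_DENY message, checks the sender against the static ACL bindings, and flags the two RFC 5227 deviations he lists. The field order in the bracketed tuple and the sample log lines are assumptions constructed from the single line quoted above.

```python
import re
from collections import defaultdict

# Matches the %SW_DAI-4-ACL_DENY message quoted in the thread. The bracketed
# tuple is read as sender MAC / sender IP / target MAC / target IP (an
# assumption drawn from the quoted line; anything after the target IP is ignored).
DAI_DENY = re.compile(
    r"%SW_DAI-4-ACL_DENY: (?P<count>\d+) Invalid ARPs \((?P<op>Req|Res)\) "
    r"on (?P<intf>\S+), vlan (?P<vlan>\d+)\.\(\["
    r"(?P<smac>[0-9a-f.]{14})/(?P<sip>[\d.]+)/(?P<tmac>[0-9a-f.]{14})/(?P<tip>[\d.]+)"
)

# Static MAC-to-IP bindings, mirroring the 'arp access-list vlan99arp' entry.
BINDINGS = {"0011.2233.4455": "172.16.0.10"}

def parse_deny(line):
    """Return the fields of a DAI ACL_DENY line as a dict, or None otherwise."""
    m = DAI_DENY.search(line)
    return m.groupdict() if m else None

def classify(fields, bindings=BINDINGS):
    """Explain the drop in RFC 5227 terms instead of a bare 'ACL deny'."""
    if fields["sip"] != "0.0.0.0":
        # Ordinary ARP: the static ACL permits on sender MAC/IP only.
        ok = bindings.get(fields["smac"]) == fields["sip"]
        return "binding-ok" if ok else "binding-mismatch"
    # Sender IP 0.0.0.0 marks an ARP Probe (RFC 5227 Section 2.1).
    if fields["tmac"] == "0000.0000.0000":
        return "probe-well-formed"
    return "probe-bad-target-mac"  # Section 2.1.1 requires an all-zero target MAC

def periodic_probers(lines, threshold=3):
    """Count probe-shaped denies per sender MAC. A host that keeps probing
    once it holds an address violates RFC 5227 Section 2.1 (no periodic probing)."""
    counts = defaultdict(int)
    for line in lines:
        f = parse_deny(line)
        if f and f["sip"] == "0.0.0.0":
            counts[f["smac"]] += 1
    return {mac: n for mac, n in counts.items() if n >= threshold}

# Constructed sample: three minutes of the message quoted in the thread, plus
# one unrelated deny from a host whose sender IP does not match its binding.
SAMPLE = [
    "Aug  2 17:54:58.148 EDT: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Gi0/10, vlan 99.([0011.2233.4455/0.0.0.0/ffff.ffff.ffff/172.16.0.10",
    "Aug  2 17:55:58.151 EDT: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Gi0/10, vlan 99.([0011.2233.4455/0.0.0.0/ffff.ffff.ffff/172.16.0.10",
    "Aug  2 17:56:58.149 EDT: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Gi0/10, vlan 99.([0011.2233.4455/0.0.0.0/ffff.ffff.ffff/172.16.0.10",
    "Aug  2 17:57:03.002 EDT: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Gi0/11, vlan 99.([0011.2233.4455/172.16.0.99/0000.0000.0000/172.16.0.1",
]
```

Running periodic_probers over the real syslog stream yields one summary per offending MAC rather than one email per minute, and classify separates a malformed probe from a genuine binding mismatch that deserves attention.
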
2 REPLIES
New Member

It is an Infoblox DNS appliance. I knew that it shouldn't send probes periodically, but I overlooked the target MAC address. There doesn't appear to be a way to change this behavior. It might have something to do with the way they implement HA (even though we're not using that feature). I was hoping to find a way around this through the DAI logging options, but I guess I'll have to put in a ticket with the vendor. Thanks for your help.
