Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Silver

Heads Up: Private VLAN Sticky-ARP DHCP Issues

Here is the scenario:

Private VLANs are configured on a 6500 Sup720 with SVIs routing for the PVLANs.

DHCP Snooping and IP ARP Inspection are also configured for the PVLAN subnets.

A DHCP Server is offering 3 day leases.

A laptop connects to the network and receives a 3-day lease. The user leaves the office and returns 4 days later. The DHCP server offers a new lease with a different IP address. Furthermore, the previous IP address leased to the laptop has been handed out in a new lease to another host. Both systems receive their DHCP lease but have no network connectivity.

The problem occurs because, by default, PVLAN SVIs use Sticky-ARP and never age out their ARP cache. Since the laptop has a different IP address to MAC address mapping than recorded in the Sticky-ARP cache, a violation occurs and the switch prevents the new IP address from populating the ARP table on the switch.

Sticky-ARP is a security feature that prevents one system from stealing another systems IP address.

Log messages show the following:

%IP-3-STCKYARPOVR: Attempt to overwrite Sticky ARP entry

The 6500 PVLAN configuration guide Restrictions and Guidlines section suggests that Sticky-ARP is fundamental to Private-VLANs, and the only work-around for this problem is to create manual arp entries for the new IP address. This is clearly not a viable workaround for this scenario.

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/pvlans.htm#wp1090979

However, the 6500 Command Reference shows that Sticky ARP can be disabled, but makes no reference to PVLANs

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/cmdref/i1.htm#wp1091738

There appears to be two sensible solutions to this problem:

1) Disable Stick-ARP on the 6500 for the PVLANs. Since DHCP Snooping and IP ARP Inspection are configured, sticky-arp can be disabled without relaxing network security. This is assuming the 6500 will accept the command and will not break the existing PVLAN functionality.

2) Extend the DHCP lease longer, to 45 or 90 days perhaps. This will catch most transient activity and keep the IP address to MAC address relationships the same, wherever possible. The downside here is that DHCP address pools could collect stale entires that would take the lease time to flush, thus reducing the overall available IPs in the pool.

Has anyone else run into this problem? If so, what was your solution? Did you attempt either option above? I am planning on using solution #1 above, but I wanted to ping the NetPro community with this as I am sure we are not the first customer to run into this. Or are we??

Regards,

Brad

3 REPLIES
Silver

Re: Heads Up: Private VLAN Sticky-ARP DHCP Issues

Update:

Disabling Sticky-ARP worked very well and solved the issue. Sticky-ARP can be disabled globally or per interface.

global: 'no ip sticky-arp'

interface: 'ip sticky-arp ignore'

The 6500 PVLAN Configuration Guide 'Restrictions and Guidlines' section should be updated to mention the potential issues with DHCP and the default behavior of Sticky-ARP. The configuration guide currently suggests entering a manual CAM table entry to change an IP address. This may be OK in a static server environment, but clearly not an acceptable workaround in a DHCP user environment.

Regards,

Brad

Re: Heads Up: Private VLAN Sticky-ARP DHCP Issues

Hi Brad,

Your message above is so helpfull, I've tested it by my self, I need to know one thing from u, If IP ARP & DHCP Snooping not configured in other case (Static IP) is used, do u recommend disabling ip sticky-arp or not?

let us know ur feedback,

Thanks,

Silver

Re: Heads Up: Private VLAN Sticky-ARP DHCP Issues

Excellent question.

Sticky-ARP is NOT intended to be a pain-in-the-butt that should disabled right away, rather, it is a security mechanism that prevents a system from stealing an active IP address on the subnet and causing a lot of problems. Sticky-ARP works best on subnets that have all static IP addressing where there is no expectation that a host would frequently change its IP address.

Yes, I would recommend keeping Sticky-ARP on subnets with all static IP addresses.

In DHCP subnets with no static IP addressing, DHCP Snooping and IP ARP Inspection provide the same security coverage that Sticky-ARP does, they prevent a system from claiming an illegitimate IP and MAC address. Furthermore, in DHCP subnets, it is reasonable to expect that a host would change its IP address from time to time when its lease expires.

Sticky-ARP does not provide any addtional securtity benefits when DHCP Snooping and IP ARP Inspection are active and it only causes problems when a lease expires.

When Cisco made Stick-ARP the default behavior for Private VLANs, they certain did not have DHCP in mind.

In Summary, it should be known as a Best Practice that when using Private VLANs on user segments with DHCP that DHCP Snooping and IP ARP Inspection should be enabled and Sticky-ARP be disabled.

Brad

5821
Views
10
Helpful
3
Replies
CreatePlease to create content