ARP Inspection on SF-300-24 switch?

I'm having an issue where two PCs are responding to ARP requests "Who is 192.168.0.1". 

The real 192.168.0.1 is on port 1 of the switch, and has a MAC address of 00:24:a5:c7:e0:a8.   I can't seem to setup ARP Inspection properly as the rogue device continues to respond.   Can somebody provide the proper steps?  I've enabled DHCP Snooping, enabled ARP Inspection, enabled IP source guard, added FE1 as a trusted interface and all others untrusted, yet this continues to be an issue.  Not sure what I'm doing wrong and can't find any documentation on the web to help out.  I know where the offending piece of hardware is, unfortunately due to its location I can't fix it for several weeks so just looking to bandaid this for the time being.

Thanks for any help!

Ryan

  • Small Business Switches

ARP Inspection on SF-300-24 switch?

Hello Ryan,

When a packet arrives on an untrusted interface, the ARP access control rules are searched for the packet's IP/MAC addresses. If the IP address is found and the MAC address in the list matches the packet's MAC address, the packet is valid; otherwise it is not.

If the packet's IP address is not found and DHCP snooping is enabled for that packet's VLAN, the DHCP snooping binding database is searched for the packet's VLAN and IP address pair. If it is not found, the packet is invalid. If the packet's IP address is found in neither the ARP access control rules nor the DHCP binding database, the packet is invalid and dropped.

So with all this being said, is it not working as intended?

-Tom


ARP Inspection on SF-300-24 switch?

Thanks for your reply.  No, it does not seem to be working as intended.  Please see my screen attachments. 

I am still getting multiple responses to "WHO HAS 192.168.0.1" from the clients.   Should just be from the trusted host on port 1.

Any other hints are appreciated. Thank you!


ARP Inspection on SF-300-24 switch?

Ryan,

Try adding the vlan 1 to the enabled vlans under the vlan settings of arp inspection. Right now it is not applied to any interfaces it seems.

-Tom

ARP Inspection on SF-300-24 switch?

Oddly, when I add VLAN 1 to the enabled side no hosts can access anything. It cripples the network: can't ping the default gateway, can't even reconnect to the switch to disable it; I've found it requires a hard reset. I've tried it 3x just to confirm. Strange.


ARP Inspection on SF-300-24 switch?

Correct, that is because there is nothing to be trusted. Which is the point. You need to add the mac addresses that you want to be trusted on the untrusted interfaces. So when the ingress packet hits, if it's not on the bind tables, that entry is dropped.

-Tom
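The two posts above describe the order in which an untrusted ARP packet is checked (ARP access control rules first, then the DHCP snooping binding table) and why enabling the VLAN with empty tables blocks every host. The following is an added example, not code from the thread or from Cisco: a small Python model of that decision, run over constructed ARP packets that mirror Ryan's setup. The gateway IP and MAC come from the thread; the rogue host's MAC, the client addresses, the port names other than fe1, and the helper names are assumptions for illustration.

```python
"""Model of the ARP Inspection decision described in this thread.

Added example, not code from the original post or from Cisco. It mirrors
Ryan's setup (gateway 192.168.0.1 / 00:24:a5:c7:e0:a8 on port fe1) and
shows why enabling VLAN 1 with an empty binding table drops everyone,
and what an ARP access-control rule for the gateway changes. The rogue
MAC, the client addresses and the ports other than fe1 are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class ArpPacket:
    ingress_port: str
    vlan: int
    sender_ip: str      # sender protocol address in the ARP payload
    sender_mac: str     # sender hardware address in the ARP payload


@dataclass
class DaiConfig:
    enabled_vlans: set = field(default_factory=set)
    trusted_ports: set = field(default_factory=set)
    dhcp_snooping_vlans: set = field(default_factory=set)
    # ARP access-control rules (static bindings): (vlan, ip) -> mac
    arp_acl: dict = field(default_factory=dict)
    # DHCP snooping binding database: (vlan, ip) -> mac
    dhcp_bindings: dict = field(default_factory=dict)


def inspect(pkt: ArpPacket, cfg: DaiConfig):
    """Return ("forward" | "drop", reason) in the order Tom gives:
    rules first, then the DHCP snooping binding table, else drop."""
    if pkt.vlan not in cfg.enabled_vlans:
        return "forward", "ARP Inspection not enabled on this VLAN"
    if pkt.ingress_port in cfg.trusted_ports:
        return "forward", "trusted interface, not inspected"
    key = (pkt.vlan, pkt.sender_ip)
    mac = pkt.sender_mac.lower()
    if key in cfg.arp_acl:
        if cfg.arp_acl[key].lower() == mac:
            return "forward", "IP/MAC matches ARP access-control rule"
        return "drop", "IP found in rules but MAC differs"
    if pkt.vlan in cfg.dhcp_snooping_vlans and \
            cfg.dhcp_bindings.get(key, "").lower() == mac:
        return "forward", "IP/MAC matches DHCP snooping binding"
    return "drop", "no matching rule or binding"


GATEWAY_IP = "192.168.0.1"
GATEWAY_MAC = "00:24:a5:c7:e0:a8"                       # from the thread
ROGUE_MAC = "00:11:22:33:44:55"                         # constructed
LEASED_CLIENT = ("192.168.0.50", "00:aa:bb:cc:dd:01")   # constructed DHCP lease
STATIC_CLIENT = ("192.168.0.60", "00:aa:bb:cc:dd:02")   # constructed, no lease

# Constructed packets: two replies to "who has 192.168.0.1" (the real
# gateway and the rogue), plus two clients' own ARP on untrusted ports.
PACKETS = {
    "real_gateway": ArpPacket("fe1", 1, GATEWAY_IP, GATEWAY_MAC),
    "rogue_gateway": ArpPacket("fe5", 1, GATEWAY_IP, ROGUE_MAC),
    "leased_client": ArpPacket("fe7", 1, *LEASED_CLIENT),
    "static_client": ArpPacket("fe9", 1, *STATIC_CLIENT),
}


def run(cfg: DaiConfig) -> dict:
    """Verdict per packet name for a given configuration."""
    return {name: inspect(pkt, cfg)[0] for name, pkt in PACKETS.items()}


def config_vlan_not_enabled() -> DaiConfig:
    """Ryan's first attempt: inspection on, fe1 trusted, VLAN 1 not enabled."""
    return DaiConfig(trusted_ports={"fe1"}, dhcp_snooping_vlans={1})


def config_vlan_enabled_empty_tables() -> DaiConfig:
    """VLAN 1 enabled, but no rules and an empty binding table."""
    return DaiConfig(enabled_vlans={1}, trusted_ports={"fe1"},
                     dhcp_snooping_vlans={1})


def config_with_gateway_rule() -> DaiConfig:
    """Same, plus a rule pinning the gateway IP to its MAC and one DHCP lease."""
    cfg = config_vlan_enabled_empty_tables()
    cfg.arp_acl[(1, GATEWAY_IP)] = GATEWAY_MAC
    cfg.dhcp_bindings[(1, LEASED_CLIENT[0])] = LEASED_CLIENT[1]
    return cfg


if __name__ == "__main__":
    for build in (config_vlan_not_enabled, config_vlan_enabled_empty_tables,
                  config_with_gateway_rule):
        print(build.__name__, run(build()))
```

With VLAN 1 not enabled, every packet is forwarded, including the rogue reply. With VLAN 1 enabled and empty tables, only the trusted port's packets get through, which is the outage described above. Adding a rule for the gateway's IP/MAC drops the rogue reply while the real gateway (trusted port) still answers, but any untrusted host that is in neither the rules nor the binding table, such as the constructed static-address client, is still dropped; the rule only protects the one IP it names.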

ARP Inspection on SF-300-24 switch?

It is not practical to add all of the MAC addresses that I want to trust. I just want all connected hosts, regardless of MAC address, to know the DHCP server is 192.168.0.1 on interface 1 of the switch, along with the correct MAC address. I must not be doing something right.


ARP Inspection on SF-300-24 switch?

Any other ideas? Seems like it should be a fairly easy feature to verify that 192.168.0.1 is coming from the right port and the right MAC address. That's the only IP/MAC I care about. Is there another way to go about this? Thank you
