arp-inspection error & err-disable state

Hi,

We have a serious issue in our environment with the ARP inspection feature. We are enabling this feature on all our sites' switches, and we are even increasing the rate limit to 100, but still the ports are going into the err-disable state! Sometimes we put in the command (ip arp inspection trust), but still some ports are going into the err-disable state. We are getting some logs like:

%SW_DAI-4-PACKET_RATE_EXCEEDED: 128 packets received in 139 milliseconds on Fa2/9.

%PM-4-ERR_DISABLE: arp-inspection error detected on Fa2/9, putting Fa2/9 in err-disable state

So what would be the consequences of increasing this rate limit to, for example, 200 or 300?

Note: The issue is happening on different switch models and different IOS versions.
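The two messages quoted above carry enough information to tell whether a given `ip arp inspection limit rate` value would have absorbed the burst, because DAI err-disables an untrusted port when it sees more than rate x burst-interval ARP packets inside one burst interval (the default is 15 pps over a 1-second interval). The script below is an added example, not part of the original post or of any Cisco tool: it parses `%SW_DAI-4-PACKET_RATE_EXCEEDED` and `%PM-4-ERR_DISABLE` lines, computes the observed rate, and reports the smallest limit that would not have tripped. The sample log is constructed for the example (the first two lines mirror the format of the messages in the post, the others are invented); the pro-rating of bursts longer than the window assumes the packets were evenly spread, which is an approximation.

```python
import math
import re

# Constructed sample syslog lines for this example; the first two follow the
# format of the messages quoted in the post, the rest are invented.
SAMPLE_LOG = """\
%SW_DAI-4-PACKET_RATE_EXCEEDED: 128 packets received in 139 milliseconds on Fa2/9.
%PM-4-ERR_DISABLE: arp-inspection error detected on Fa2/9, putting Fa2/9 in err-disable state
%SW_DAI-4-PACKET_RATE_EXCEEDED: 17 packets received in 1004 milliseconds on Fa2/11.
%SW_DAI-4-PACKET_RATE_EXCEEDED: 340 packets received in 980 milliseconds on Gi1/0/3.
%PM-4-ERR_DISABLE: arp-inspection error detected on Gi1/0/3, putting Gi1/0/3 in err-disable state
"""

RATE_RE = re.compile(
    r"%SW_DAI-4-PACKET_RATE_EXCEEDED: (?P<pkts>\d+) packets received in "
    r"(?P<ms>\d+) milliseconds on (?P<port>[A-Za-z]+\d[\d/]*)"
)
ERRDIS_RE = re.compile(
    r"%PM-4-ERR_DISABLE: arp-inspection error detected on (?P<port>[A-Za-z]+\d[\d/]*),"
)


def parse_rate_events(log_text):
    """Yield (port, packets, milliseconds) for every PACKET_RATE_EXCEEDED line."""
    for line in log_text.splitlines():
        m = RATE_RE.search(line)
        if m:
            yield m["port"], int(m["pkts"]), int(m["ms"])


def errdisabled_ports(log_text):
    """Set of ports that the PM subsystem reported as err-disabled for arp-inspection."""
    return {m["port"] for m in map(ERRDIS_RE.search, log_text.splitlines()) if m}


def observed_pps(pkts, ms):
    """Average ARP packet rate over the burst the switch reported."""
    return pkts * 1000.0 / ms


def _packets_in_window(pkts, ms, burst_interval):
    # Whole burst if it fits inside one burst interval; otherwise pro-rate it
    # (assumption: packets evenly spread over the reported duration).
    window_ms = burst_interval * 1000
    return pkts if ms <= window_ms else pkts * window_ms / ms


def burst_trips_limit(pkts, ms, rate, burst_interval=1):
    """True if this burst exceeds 'ip arp inspection limit rate <rate> burst interval <burst_interval>',
    i.e. more than rate * burst_interval ARP packets within burst_interval seconds."""
    return _packets_in_window(pkts, ms, burst_interval) > rate * burst_interval


def minimum_surviving_rate(pkts, ms, burst_interval=1):
    """Smallest limit rate (pps) that would NOT have tripped on this burst."""
    return math.ceil(_packets_in_window(pkts, ms, burst_interval) / burst_interval)


def review(log_text, configured_rate, burst_interval=1):
    """Per-port summary keyed on the worst burst seen: observed pps, whether it exceeds the
    configured limit, the minimum limit that would have absorbed it, and whether the port
    actually went err-disabled according to the log."""
    disabled = errdisabled_ports(log_text)
    worst = {}
    for port, pkts, ms in parse_rate_events(log_text):
        need = minimum_surviving_rate(pkts, ms, burst_interval)
        if port not in worst or need > worst[port]["min_rate"]:
            worst[port] = {
                "pps": round(observed_pps(pkts, ms)),
                "trips": burst_trips_limit(pkts, ms, configured_rate, burst_interval),
                "min_rate": need,
                "err_disabled": port in disabled,
            }
    return worst


if __name__ == "__main__":
    for port, r in sorted(review(SAMPLE_LOG, configured_rate=100).items()):
        print(f"{port:8} ~{r['pps']} pps  trips@100={r['trips']}  "
              f"needs limit >= {r['min_rate']}  err-disabled={r['err_disabled']}")
```

For the Fa2/9 message in the post the script gives roughly 921 pps: 128 packets inside a 1-second window is well over a limit of 100, so raising the limit to 100 could not have helped that port. Two practical points follow from the arithmetic. First, `ip arp inspection trust` disables inspection and rate limiting on the port entirely, so it belongs only on uplinks to other DAI-enabled switches, never on a host port; if a trusted port still err-disables, the error is coming from somewhere else. Second, `errdisable recovery cause arp-inspection` with `errdisable recovery interval <seconds>` (global configuration) brings ports back automatically while you find the source with a SPAN session, and `show ip arp inspection interfaces` shows the rate and burst interval actually in effect per port.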

5 REPLIES

arp-inspection error & err-disable state

128 ARP packets in 139 ms is a lot in my experience; we had our limit at 20 per second and that was ample.

Are these on end user switches or data centre switches?

Can you post the config of an example switch?

Personally, I would be SPANning a port which has the issue to see what's going on.


Re: arp-inspection error & err-disable state

Hi devils,

Actually, these are normal end-user switches, and we are connecting IP phones, PCs and printers. Please find the configuration of one of our switches and the logs we are getting.


arp-inspection error & err-disable state

We run a university campus, and we have seen a big increase in ARP traffic over the last year.

A few years ago we implemented dynamic arp inspection on our student-networks.

The default rate limit of 15 pps was initially enough.

Last year we had a lot of cases where the rate limit was triggered, and by default we now set it to 100.

This year the students are starting to come in again, and we notice quite a few connections where the limit of 100 is triggered; even 300 often does not seem to be enough.

The "problem" seems to be client-side, with things like the Bonjour service or network-discovery services that cause massive amounts of ARPs.

The number of devices that cause high rates of ARP packets is increasing, as well as the amount they send.

So either we go for a lot of work for us to find out what all of these programs are, and then a lot of work for our helpdesk to help students disable them all, or we increase the rate limit to 2000 or something, perhaps even unlimited.

If anyone else is experiencing this, I would be interested to know how you decided to handle it.

Re: arp-inspection error & err-disable state

This is interesting. We saw similar increases after the rollout of new Windows clients in our /22 subnets a couple of years ago.

We had to set the rate-limit value to 500 pps in order to achieve an acceptable amount of "false positives".

I couldn't spend much time on it, but it looked like DAI took sent and also received ARP traffic into account. In any case, I saw ports being err-disabled that didn't send nearly as much as the port's rate limit was configured to.

Meanwhile, the security officer decided to no longer use DAI.


arp-inspection error & err-disable state

That does seem like an unusual amount for end-user devices.

Are you able to run a sniffer on the devices to see which service is causing all the ARP requests? E.g., what it is ARPing for would be a clue.

It could potentially be a malicious application.
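Two replies in this thread (the one suggesting a SPAN session on an affected port, and this one suggesting a sniffer to see what the hosts are ARPing for) describe the same triage step: capture the ARP traffic and work out, per sender, how many requests it sends and what it asks for. The script below is an added example, not code from the original thread: it decodes raw Ethernet/ARP frames (the format a SPAN capture delivers), tallies who-has requests per sender MAC over the capture window, and flags senders above the configured DAI limit. A sender asking for hundreds of distinct addresses in a second looks like a discovery sweep (the Bonjour/network-discovery behaviour described above), whereas one address asked over and over points at a broken client or a stale gateway entry. The capture here is constructed inline for the example; a real one would be read frame by frame from a pcap taken on the SPAN destination, and the MAC addresses and IPs are invented.

```python
import struct
from collections import defaultdict

ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))


def arp_request(src_mac, src_ip, target_ip):
    """Build a broadcast who-has frame. Used here only to construct sample input."""
    sha = mac_bytes(src_mac)
    return (ETH.pack(b"\xff" * 6, sha, ETHERTYPE_ARP)
            + ARP.pack(1, 0x0800, 6, 4, ARP_REQUEST, sha, ip_bytes(src_ip),
                       b"\x00" * 6, ip_bytes(target_ip)))


def parse_arp(frame):
    """Decode one Ethernet frame. Returns (op, sender_mac, sender_ip, target_ip),
    or None if the frame is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, _src, etype = ETH.unpack_from(frame)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac_str(sha), ip_str(spa), ip_str(tpa)


def profile_senders(frames, window_s, limit_pps):
    """Aggregate ARP requests per sender over a capture of window_s seconds.
    Returns {sender_mac: {"ip", "requests", "pps", "distinct_targets", "over_limit"}}."""
    stats = defaultdict(lambda: {"ip": None, "requests": 0, "targets": set()})
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REQUEST:
            continue                      # replies and non-ARP frames are ignored
        _, sha, spa, tpa = parsed
        s = stats[sha]
        s["ip"] = spa
        s["requests"] += 1
        s["targets"].add(tpa)
    out = {}
    for sha, s in stats.items():
        pps = s["requests"] / window_s
        out[sha] = {"ip": s["ip"], "requests": s["requests"], "pps": pps,
                    "distinct_targets": len(s["targets"]), "over_limit": pps > limit_pps}
    return out


def constructed_capture():
    """One second of constructed traffic (invented addresses): a printer sweeping its /24,
    a PC asking for its gateway three times, and one non-ARP frame that must be skipped."""
    frames = [arp_request("00:11:22:33:44:55", "10.1.1.50", f"10.1.1.{i}")
              for i in range(1, 255) if i != 50]
    frames += [arp_request("66:77:88:99:aa:bb", "10.1.1.60", "10.1.1.1")] * 3
    frames.append(ETH.pack(b"\xff" * 6, mac_bytes("66:77:88:99:aa:bb"), 0x0800)
                  + b"\x45" + b"\x00" * 40)
    return frames


if __name__ == "__main__":
    for sha, s in profile_senders(constructed_capture(), window_s=1.0, limit_pps=100).items():
        print(f"{sha} {s['ip']:12} {s['requests']:4} req  {s['pps']:6.1f} pps  "
              f"{s['distinct_targets']:3} targets  over_limit={s['over_limit']}")
```

In the constructed capture the printer sends 253 requests for 253 different addresses in one second, which would trip a limit of 100 on its own, while the PC's three gateway lookups are harmless. On a real capture, the sender MAC that comes out on top is the one to look up in the switch's MAC address table to find the physical port, and the target pattern (a whole subnet swept, or the same address hammered) tells you which client-side service to chase before deciding whether a higher limit is justified.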

3401 Views, 0 Helpful, 5 Replies