Wired Intelligent Edge

CX6300F# debug arpsecurity  all         Enable all debug modules  config      Enable ARP security feature's config log  inspection  Enable ARP security inspection log  packet      Enable ARP security feature's packet logCX6300F# debug arpsecurity inspection  severity  Minimum log severity to filter debug logs  <cr>​

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Sep 15, 2021 11:18 AM
From: Alan Scott
Subject: CX-OS arp Inspection

I have the below configured on my interfaces:

interface 1/1/3
no shutdown
qos trust dscp
description Data/Voice Port
no routing
vlan access 2900
spanning-tree bpdu-guard
spanning-tree port-type admin-edge
aaa authentication port-access client-limit 5
aaa authentication port-access dot1x authenticator
max-eapol-requests 1
max-retries 1
quiet-period 30
enable
aaa authentication port-access mac-auth
enable

And globally I have:
dhcpv4-snooping
no dhcpv4-snooping option 82
client track ip


And VLANs I have:

vlan1000
name TRUSTED
client track ip
dhcpv4-snooping
arp inspection
ip igmp snooping enable

vlan 2000
name VOICE
voice
client track ip
dhcpv4-snooping
arp inspection
ip igmp snooping enable

vlan 2900
name UNTRUSTED
client track ip
dhcpv4-snooping
arp inspection
ip igmp snooping enable

------------------------------
Alan Scott

Original Message:
Sent: Sep 15, 2021 10:05 AM
From: Herman Robers
Subject: CX-OS arp Inspection

What is the command you configured? What I see from documentation is that it requires port-mac-IP configuration in order to work.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Sep 15, 2021 08:45 AM
From: Alan Scott
Subject: CX-OS arp Inspection

bump - Anyone have any thoughts on this one?

------------------------------
Alan Scott

Original Message:
Sent: Sep 13, 2021 08:35 PM
From: Alan Scott
Subject: CX-OS arp Inspection

Hello,

I am using CX-OS 10.08.0001 on a 6200F switch.    I am trying to validate arp inspection is working properly.  With my AOS switches I add arp protection to a vlan and then if I add a static IP device to a port on that switch arp protection will disable the port and show in the logs that the port is disabled due to arp protection.

With CX I am not seeing anything in the logs when I add a static device and arp inspection is applied to the vlan.  I do not have any arp inspection trust configured on the switch port where the static IP device is.  

My question is what is the best way to see ARP inspection is working and preventing a statically configured device from connecting to this switch?


------------------------------
Alan Scott
------------------------------

CX6300F# debug arpsecurity  all         Enable all debug modules  config      Enable ARP security feature's config log  inspection  Enable ARP security inspection log  packet      Enable ARP security feature's packet logCX6300F# debug arpsecurity inspection  severity  Minimum log severity to filter debug logs  <cr>​

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Sep 15, 2021 11:18 AM
From: Alan Scott
Subject: CX-OS arp Inspection

I have the below configured on my interfaces:

interface 1/1/3
no shutdown
qos trust dscp
description Data/Voice Port
no routing
vlan access 2900
spanning-tree bpdu-guard
spanning-tree port-type admin-edge
aaa authentication port-access client-limit 5
aaa authentication port-access dot1x authenticator
max-eapol-requests 1
max-retries 1
quiet-period 30
enable
aaa authentication port-access mac-auth
enable

And globally I have:
dhcpv4-snooping
no dhcpv4-snooping option 82
client track ip


And VLANs I have:

vlan1000
name TRUSTED
client track ip
dhcpv4-snooping
arp inspection
ip igmp snooping enable

vlan 2000
name VOICE
voice
client track ip
dhcpv4-snooping
arp inspection
ip igmp snooping enable

vlan 2900
name UNTRUSTED
client track ip
dhcpv4-snooping
arp inspection
ip igmp snooping enable

------------------------------
Alan Scott

Original Message:
Sent: Sep 15, 2021 10:05 AM
From: Herman Robers
Subject: CX-OS arp Inspection

What is the command you configured? What I see from documentation is that it requires port-mac-IP configuration in order to work.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Sep 15, 2021 08:45 AM
From: Alan Scott
Subject: CX-OS arp Inspection

bump - Anyone have any thoughts on this one?

------------------------------
Alan Scott

Original Message:
Sent: Sep 13, 2021 08:35 PM
From: Alan Scott
Subject: CX-OS arp Inspection

Hello,

I am using CX-OS 10.08.0001 on a 6200F switch.    I am trying to validate arp inspection is working properly.  With my AOS switches I add arp protection to a vlan and then if I add a static IP device to a port on that switch arp protection will disable the port and show in the logs that the port is disabled due to arp protection.

With CX I am not seeing anything in the logs when I add a static device and arp inspection is applied to the vlan.  I do not have any arp inspection trust configured on the switch port where the static IP device is.  

My question is what is the best way to see ARP inspection is working and preventing a statically configured device from connecting to this switch?


------------------------------
Alan Scott
------------------------------

CX6300F# debug arpsecurity  all         Enable all debug modules  config      Enable ARP security feature's config log  inspection  Enable ARP security inspection log  packet      Enable ARP security feature's packet logCX6300F# debug arpsecurity inspection  severity  Minimum log severity to filter debug logs  <cr>​

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Sep 15, 2021 11:18 AM
From: Alan Scott
Subject: CX-OS arp Inspection

I have the below configured on my interfaces:

interface 1/1/3
no shutdown
qos trust dscp
description Data/Voice Port
no routing
vlan access 2900
spanning-tree bpdu-guard
spanning-tree port-type admin-edge
aaa authentication port-access client-limit 5
aaa authentication port-access dot1x authenticator
max-eapol-requests 1
max-retries 1
quiet-period 30
enable
aaa authentication port-access mac-auth
enable

And globally I have:
dhcpv4-snooping
no dhcpv4-snooping option 82
client track ip


And VLANs I have:

vlan1000
name TRUSTED
client track ip
dhcpv4-snooping
arp inspection
ip igmp snooping enable

vlan 2000
name VOICE
voice
client track ip
dhcpv4-snooping
arp inspection
ip igmp snooping enable

vlan 2900
name UNTRUSTED
client track ip
dhcpv4-snooping
arp inspection
ip igmp snooping enable

------------------------------
Alan Scott

Original Message:
Sent: Sep 15, 2021 10:05 AM
From: Herman Robers
Subject: CX-OS arp Inspection

What is the command you configured? What I see from documentation is that it requires port-mac-IP configuration in order to work.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Sep 15, 2021 08:45 AM
From: Alan Scott
Subject: CX-OS arp Inspection

bump - Anyone have any thoughts on this one?

------------------------------
Alan Scott

Original Message:
Sent: Sep 13, 2021 08:35 PM
From: Alan Scott
Subject: CX-OS arp Inspection

Hello,

I am using CX-OS 10.08.0001 on a 6200F switch.    I am trying to validate arp inspection is working properly.  With my AOS switches I add arp protection to a vlan and then if I add a static IP device to a port on that switch arp protection will disable the port and show in the logs that the port is disabled due to arp protection.

With CX I am not seeing anything in the logs when I add a static device and arp inspection is applied to the vlan.  I do not have any arp inspection trust configured on the switch port where the static IP device is.  

My question is what is the best way to see ARP inspection is working and preventing a statically configured device from connecting to this switch?


------------------------------
Alan Scott
------------------------------

CX6300F# debug arpsecurity  all         Enable all debug modules  config      Enable ARP security feature's config log  inspection  Enable ARP security inspection log  packet      Enable ARP security feature's packet logCX6300F# debug arpsecurity inspection  severity  Minimum log severity to filter debug logs  <cr>​

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Sep 15, 2021 11:18 AM
From: Alan Scott
Subject: CX-OS arp Inspection

I have the below configured on my interfaces:

interface 1/1/3
no shutdown
qos trust dscp
description Data/Voice Port
no routing
vlan access 2900
spanning-tree bpdu-guard
spanning-tree port-type admin-edge
aaa authentication port-access client-limit 5
aaa authentication port-access dot1x authenticator
max-eapol-requests 1
max-retries 1
quiet-period 30
enable
aaa authentication port-access mac-auth
enable

And globally I have:
dhcpv4-snooping
no dhcpv4-snooping option 82
client track ip


And VLANs I have:

vlan1000
name TRUSTED
client track ip
dhcpv4-snooping
arp inspection
ip igmp snooping enable

vlan 2000
name VOICE
voice
client track ip
dhcpv4-snooping
arp inspection
ip igmp snooping enable

vlan 2900
name UNTRUSTED
client track ip
dhcpv4-snooping
arp inspection
ip igmp snooping enable

------------------------------
Alan Scott

Original Message:
Sent: Sep 15, 2021 10:05 AM
From: Herman Robers
Subject: CX-OS arp Inspection

What is the command you configured? What I see from documentation is that it requires port-mac-IP configuration in order to work.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Sep 15, 2021 08:45 AM
From: Alan Scott
Subject: CX-OS arp Inspection

bump - Anyone have any thoughts on this one?

------------------------------
Alan Scott

Original Message:
Sent: Sep 13, 2021 08:35 PM
From: Alan Scott
Subject: CX-OS arp Inspection

Hello,

I am using CX-OS 10.08.0001 on a 6200F switch.    I am trying to validate arp inspection is working properly.  With my AOS switches I add arp protection to a vlan and then if I add a static IP device to a port on that switch arp protection will disable the port and show in the logs that the port is disabled due to arp protection.

With CX I am not seeing anything in the logs when I add a static device and arp inspection is applied to the vlan.  I do not have any arp inspection trust configured on the switch port where the static IP device is.  

My question is what is the best way to see ARP inspection is working and preventing a statically configured device from connecting to this switch?


------------------------------
Alan Scott
------------------------------

Dynamic ARP Inspection

Note: Dynamic ARP Inspection is supported on the 6200, 6300, 6400, and 8400 platforms running AOS-CX 10.4 or later.

Address Resolution Protocol (ARP) allows hosts to communicate over the network by creating an IP to MAC address mapping used in the transmission of packets. Attackers can use ARP to generate bogus mappings, thereby allowing them to spoof other clients' MAC addresses and intercept traffic destined to them. Additionally, an attacker could generate an unlimited number of artificial ARP entries, filling up the caches of other clients on the network and causing a denial of service (DoS).

8400(config)# vlan 108400(config-vlan-10)# no shut8400(config-vlan-10)# arp inspectionTo un-configure arp inspection for vlan 108400(config)# vlan 108400(config-vlan-10)# no arp inspection​

8400# show arp inspection vlan -----------------------------------------------------------------VLAN   Name              		ARP Inspection -----------------------------------------------------------------1      DEFAULT_VLAN_1    	      -              10     VLAN10            		      enabled        20     VLAN20           		      -​

Interface level:
All the interfaces under ARP Inspection enabled VLAN will be in "untrusted" state by default. All interfaces connected to routing/switching devices or to any trusted stations can be classified as "trusted". ARP traffic on the "untrusted" interfaces only will be subjected to ARP Inspection checks.
Configure/Unconfigure
CLI: [no] arp inspection trust
Example:

8400(config)# int 1/3/28400(config-if)# no shutdown8400(config-if)# no routing8400(config-if)# arp inspection trust 8400(config-if)# int lag 18400(config-lag-if)# no shutdown8400(config- lag-if)# no routing8400(config-lag-if)# arp inspection trust 8400(config-lag-if)# int lag 28400(config-lag-if)# no shutdown8400(config-lag-if)# no routing8400(config-lag-if)# no arp inspection trust 

Validation:
CLI: show arp inspection interface
Example:

8400(config)# show arp inspection interface ---------------------------------------------------------------------------Interface           Trust State         ---------------------------------------------------------------------------1/3/1               Trusted             1/3/2               Untrusted           lag1                  Trusted  lag2                  Untrusted           ---------------------------------------------------------------------------    

DAI works closely with Dsnoop. For Dsnoop we must enable uplink as trust via which the DHCP-Server is reachable.

Dynamic ARP Inspection

Note: Dynamic ARP Inspection is supported on the 6200, 6300, 6400, and 8400 platforms running AOS-CX 10.4 or later.

Address Resolution Protocol (ARP) allows hosts to communicate over the network by creating an IP to MAC address mapping used in the transmission of packets. Attackers can use ARP to generate bogus mappings, thereby allowing them to spoof other clients' MAC addresses and intercept traffic destined to them. Additionally, an attacker could generate an unlimited number of artificial ARP entries, filling up the caches of other clients on the network and causing a denial of service (DoS).

Good day!

CX6300F# debug arpsecurity  all         Enable all debug modules  config      Enable ARP security feature's config log  inspection  Enable ARP security inspection log  packet      Enable ARP security feature's packet logCX6300F# debug arpsecurity inspection  severity  Minimum log severity to filter debug logs  <cr>​

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Sep 15, 2021 11:18 AM
From: Alan Scott
Subject: CX-OS arp Inspection

I have the below configured on my interfaces:

interface 1/1/3
no shutdown
qos trust dscp
description Data/Voice Port
no routing
vlan access 2900
spanning-tree bpdu-guard
spanning-tree port-type admin-edge
aaa authentication port-access client-limit 5
aaa authentication port-access dot1x authenticator
max-eapol-requests 1
max-retries 1
quiet-period 30
enable
aaa authentication port-access mac-auth
enable

And globally I have:
dhcpv4-snooping
no dhcpv4-snooping option 82
client track ip


And VLANs I have:

vlan1000
name TRUSTED
client track ip
dhcpv4-snooping
arp inspection
ip igmp snooping enable

vlan 2000
name VOICE
voice
client track ip
dhcpv4-snooping
arp inspection
ip igmp snooping enable

vlan 2900
name UNTRUSTED
client track ip
dhcpv4-snooping
arp inspection
ip igmp snooping enable

------------------------------
Alan Scott

Original Message:
Sent: Sep 15, 2021 10:05 AM
From: Herman Robers
Subject: CX-OS arp Inspection

What is the command you configured? What I see from documentation is that it requires port-mac-IP configuration in order to work.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Sep 15, 2021 08:45 AM
From: Alan Scott
Subject: CX-OS arp Inspection

bump - Anyone have any thoughts on this one?

------------------------------
Alan Scott

Original Message:
Sent: Sep 13, 2021 08:35 PM
From: Alan Scott
Subject: CX-OS arp Inspection

Hello,

I am using CX-OS 10.08.0001 on a 6200F switch.    I am trying to validate arp inspection is working properly.  With my AOS switches I add arp protection to a vlan and then if I add a static IP device to a port on that switch arp protection will disable the port and show in the logs that the port is disabled due to arp protection.

With CX I am not seeing anything in the logs when I add a static device and arp inspection is applied to the vlan.  I do not have any arp inspection trust configured on the switch port where the static IP device is.  

My question is what is the best way to see ARP inspection is working and preventing a statically configured device from connecting to this switch?


------------------------------
Alan Scott
------------------------------