Hi Alan,
Do you still have the problem, or did you get the clarification you required?
Dynamic ARP Inspection
Note: Dynamic ARP Inspection is supported on the 6200, 6300, 6400, and 8400 platforms running AOS-CX 10.4 or later.
Address Resolution Protocol (ARP) allows hosts to communicate over the network by creating an IP to MAC address mapping used in the transmission of packets. Attackers can use ARP to generate bogus mappings, thereby allowing them to spoof other clients' MAC addresses and intercept traffic destined to them. Additionally, an attacker could generate an unlimited number of artificial ARP entries, filling up the caches of other clients on the network and causing a denial of service (DoS).
ARP Security Basic Configuration Steps:
VLAN level:
ARP inspection is enabled on a switch by configuring it in the required VLANs.
Configure/Unconfigure
CLI: [no] arp inspection
To configure ARP inspection for VLAN 10:
8400(config)# vlan 10
8400(config-vlan-10)# no shut
8400(config-vlan-10)# arp inspection
To unconfigure ARP inspection for VLAN 10:
8400(config)# vlan 10
8400(config-vlan-10)# no arp inspection
Validation:
CLI: show arp inspection vlan
Example:
8400# show arp inspection vlan
-----------------------------------------------------------------
VLAN  Name            ARP Inspection
-----------------------------------------------------------------
1     DEFAULT_VLAN_1  -
10    VLAN10          enabled
20    VLAN20          -
Interface level:
All interfaces in an ARP inspection enabled VLAN are in the "untrusted" state by default. All interfaces connected to routing/switching devices or to any trusted stations can be classified as "trusted". Only ARP traffic on "untrusted" interfaces is subjected to ARP inspection checks.
Configure/Unconfigure
CLI: [no] arp inspection trust
Example:
8400(config)# int 1/3/2
8400(config-if)# no shutdown
8400(config-if)# no routing
8400(config-if)# arp inspection trust
8400(config-if)# int lag 1
8400(config-lag-if)# no shutdown
8400(config-lag-if)# no routing
8400(config-lag-if)# arp inspection trust
8400(config-lag-if)# int lag 2
8400(config-lag-if)# no shutdown
8400(config-lag-if)# no routing
8400(config-lag-if)# no arp inspection trust
Validation:
CLI: show arp inspection interface
Example:
8400(config)# show arp inspection interface
---------------------------------------------------------------------------
Interface  Trust State
---------------------------------------------------------------------------
1/3/1      Trusted
1/3/2      Untrusted
lag1       Trusted
lag2       Untrusted
---------------------------------------------------------------------------
DAI works closely with DHCP snooping (Dsnoop). For DHCP snooping, the uplink through which the DHCP server is reachable must be configured as trusted.
Good day!
------------------------------
Yash NN
------------------------------
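A small check script, added here as an example and not taken from the thread or from Aruba documentation, that parses the two show outputs quoted above and flags a setup where no VLAN is inspected or no interface is trusted (the sample output is constructed to match the examples):

```python
import re

# Constructed sample output, shaped like the 'show arp inspection vlan' and
# 'show arp inspection interface' examples quoted in the thread above.
SHOW_VLAN = """\
VLAN  Name            ARP Inspection
-----------------------------------------------------------------
1     DEFAULT_VLAN_1  -
10    VLAN10          enabled
20    VLAN20          -
"""
SHOW_INTERFACE = """\
Interface  Trust State
---------------------------------------------------------------------------
1/3/1      Trusted
1/3/2      Untrusted
lag1       Trusted
lag2       Untrusted
"""
VLAN_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(enabled|-)$")
IF_ROW = re.compile(r"^(\S+)\s+(Trusted|Untrusted)$")

def parse_vlans(text):
    """Map VLAN id -> True if ARP inspection is enabled on that VLAN."""
    vlans = {}
    for line in text.splitlines():
        m = VLAN_ROW.match(line.strip())
        if m:
            vlans[int(m.group(1))] = m.group(3) == "enabled"
    return vlans

def parse_interfaces(text):
    """Map interface name -> True if the port is DAI-trusted."""
    ports = {}
    for line in text.splitlines():
        m = IF_ROW.match(line.strip())
        if m:
            ports[m.group(1)] = m.group(2) == "Trusted"
    return ports

def audit(vlans, ports):
    """Summarise DAI coverage and flag gaps: no inspected VLAN, or no
    trusted port (the DHCP server uplink must be trusted for snooping/DAI)."""
    findings = []
    inspected = sorted(v for v, on in vlans.items() if on)
    if not inspected:
        findings.append("no VLAN has ARP inspection enabled")
    if not any(ports.values()):
        findings.append("no trusted interface for the DHCP server uplink")
    untrusted = sorted(p for p, trusted in ports.items() if not trusted)
    return {"inspected_vlans": inspected, "untrusted": untrusted, "findings": findings}
```

Feed it the real output of both show commands to get the list of untrusted ports whose ARP traffic is actually being checked.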
Original Message:
Sent: Sep 17, 2021 03:49 AM
From: Herman Robers
Subject: CX-OS arp Inspection
This is what I found for ArubaOS Switch that suggests adding bindings for static IPs. This seems to be the equivalent command on AOS-CX.
Have not tested it, just combining information that may make sense at some point.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Sep 16, 2021 03:55 PM
From: Alan Scott
Subject: CX-OS arp Inspection
@Herman Robers - earlier you mentioned "from documentation is that it requires port-mac-IP configuration in order to work."
I searched the CLI guide and Google and I cannot find any similar command. Would you be able to assist me with the link to the guide you were looking at? I am also opening a case.
------------------------------
Alan Scott
Original Message:
Sent: Sep 16, 2021 05:58 AM
From: Herman Robers
Subject: CX-OS arp Inspection
I have not tested, but from the documentation, there is the 'show arp inspection interface' and 'show arp inspection statistics' that display the interface status and number of forwarded/dropped ARP packets.
To see more, I would go for the 'debug arpsecurity inspection' debug logs:
CX6300F# debug arpsecurity
  all         Enable all debug modules
  config      Enable ARP security feature's config log
  inspection  Enable ARP security inspection log
  packet      Enable ARP security feature's packet log
CX6300F# debug arpsecurity inspection
  severity    Minimum log severity to filter debug logs
  <cr>
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Sep 15, 2021 11:18 AM
From: Alan Scott
Subject: CX-OS arp Inspection
I have the below configured on my interfaces:
interface 1/1/3
    no shutdown
    qos trust dscp
    description Data/Voice Port
    no routing
    vlan access 2900
    spanning-tree bpdu-guard
    spanning-tree port-type admin-edge
    aaa authentication port-access client-limit 5
    aaa authentication port-access dot1x authenticator
        max-eapol-requests 1
        max-retries 1
        quiet-period 30
        enable
    aaa authentication port-access mac-auth
        enable
And globally I have:
dhcpv4-snooping
no dhcpv4-snooping option 82
client track ip
And VLANs I have:
vlan 1000
    name TRUSTED
    client track ip
    dhcpv4-snooping
    arp inspection
    ip igmp snooping enable
vlan 2000
    name VOICE
    voice
    client track ip
    dhcpv4-snooping
    arp inspection
    ip igmp snooping enable
vlan 2900
    name UNTRUSTED
    client track ip
    dhcpv4-snooping
    arp inspection
    ip igmp snooping enable
------------------------------
Alan Scott
Original Message:
Sent: Sep 15, 2021 10:05 AM
From: Herman Robers
Subject: CX-OS arp Inspection
What is the command you configured? What I see from documentation is that it requires port-mac-IP configuration in order to work.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Sep 15, 2021 08:45 AM
From: Alan Scott
Subject: CX-OS arp Inspection
bump - Anyone have any thoughts on this one?
------------------------------
Alan Scott
Original Message:
Sent: Sep 13, 2021 08:35 PM
From: Alan Scott
Subject: CX-OS arp Inspection
Hello,
I am using CX-OS 10.08.0001 on a 6200F switch. I am trying to validate arp inspection is working properly. With my AOS switches I add arp protection to a vlan and then if I add a static IP device to a port on that switch arp protection will disable the port and show in the logs that the port is disabled due to arp protection.
With CX I am not seeing anything in the logs when I add a static device and arp inspection is applied to the vlan. I do not have any arp inspection trust configured on the switch port where the static IP device is.
My question is what is the best way to see ARP inspection is working and preventing a statically configured device from connecting to this switch?
------------------------------
Alan Scott
------------------------------