Antispoofing Parameters and Associated SNMP Notification Message

  • 0
  • 1
  • Problem
  • Updated 3 years ago

For the purpose of this thread I have assumed that antispoofing to be configured with a value that's default on the C series, DHCP snooping feature of 15pps.

In order to do this the configuration has been configured as follows (450 / 30 = 15):

set antispoof class 1 timeout 30
set antispoof class 1 threshold-index 1 threshold-value 450 action syslog trap
set antispoof port-class 1 <port-string>
set antispoof duplicateIP
set antispoof dhcp-snooping mac-verification enable <port-string>
set antispoof arp-inspection enable <port-string>
set antispoof ip-inspection enable <port-string>
set antispoof enable

In order for any of the antispoofing protocols to populate the antispoofing binding table there must be an entry for the mac address in the multi-auth session table. In order to do this you need to add the following config:

set auto-tracking enable
set auto-tracking port enable <port-string>

In this particular scenario 802.1x is also enabled but for forced-auth, and multi-auth has to be set to 'auth-opt' and 'mode multi' otherwise the multi-auth session table will not populate and therefore neither will the antispoof binding table.

set dot1x auth-config authcontrolled-portcontrol forced-auth ge.*.*

set multi-auth mode multi
set multi-auth port auth-opt <port-string>

set dot1x enable

Currently entries are populating in the multiauth session table via auto-tracking and the Anti-spoofing binding table is currently being populated via IP Source Guard and Dynamic ARP Inspection. This is because static IP addresses are currently being used with the
introduction of Dhcp and Dhcp snooping at a later date.

The issue experienced is that the following trap message is coming so frequent (multiple times a second for each port), that the trap log continually gets filled with the message:

etsysAntiSpoofThresholdValue = 0
etsysAntiSpoofStationBindingEntryMacAddr = xx.xx.xx.xx.xx
etsysAntiSpoofStationBindingEntryInetAddrType = INTEGER: ip4 (i)
etsysAntiSpoofStationBindingEntryInetAddr =
etsysAntiSpoofStationBindingEntryIfIndex = INTEGER: 72020
etsysAntiSpoofStationBindingEntryBindingType = INTEGER: ip(3)
etsysAntiSpoofStationBindingEntryInetCounter = Wrong Typr (Should be Counter32): INTEGER: 0

The notification interval is left as default of 60 seconds

In order to control the amount of messages I changed the timeout value from 30 to 1500 and threshold from 450 to 150, in order to give the same value of 15 (1500 / 150 = 15). Since then the messages have calmed down a lot, but still come in every now and then?
So I my questions are:

1) What exactly is the trap message telling me, as I can't decide whether to be concerned or not?
2) What figures should I use for either best practice or ratio to give the target value of 15pps.

This on K/S Series, Firmware

Photo of Martin Flammia

Martin Flammia

  • 5,108 Points 5k badge 2x thumb

Posted 3 years ago

  • 0
  • 1

Be the first to post a reply!