ARP CACHE POISONING

  • Question
  • Updated 4 months ago
  • Answered
  • (Edited)
Hello Community,

I use ip mac conflict log only. AP75XX/AP65XX. WING 5.8.6+/5.9+.
Recently, in several deployments I saw a lot of this type of log message:

...%DATAPLANE-4-ARPPOISON: ARP CACHE POISONING:  Conflicting snoop entry found :Ethernet Src Mac: ....., Ethernet Dst Mac: FF-FF-FF-FF-FF-FF, ARP Src Mac: ...., ARP Dst Mac: 00-00-00-00-00-00, ARP Src IP: ...., ARP Target IP: ...., Snoop Table MAC = ...., Snoop Table IP = ....

It seems the router is flooding some different info about MAC address table info with AP.
Can it cause any network issues?

Thanks,

Aviv Kedem
Aviv Kedem

Posted 5 months ago

JESUS REYES DIAZ

At this moment I don't have the document, but can you find a best practice firewall for wingx.
Aviv Kedem

Hello Jesus,
I would be happy to receive an answer for the question I asked.
It's not about best practice.

Regards,

Aviv
Ondrej Lepa, Employee

Hi Aviv,

It rather depends on the source address - you see that destination is FF::FF / 00::00 which looks like Gratuitous ARP.

Try to search for the source and if found, confirm you do not have IP conflict.

Regards,
Ondrej
Aviv Kedem

Hello Ondrej,

We do not have IP conflict but still have a lot of these messages.
It seems that the router is flooding different L2 data.

Any ideas?

Thanks,

Aviv
Ondrej Lepa, Employee

Well, if you see those hits it means that the internal firewall detected those and took action.
I would not say this is something you'll fix on the AP.

Regards,
Ondrej
Timo

Do you use a firewall cluster? See this often, if two MAC addresses share the same IP. This is mostly if it's a cluster.

If you use a cluster you can set "ip arp trust" to the interface or disable the check under the firewall policy:
no ip-mac conflict

no ip-mac routing conflict
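
Added example, not part of the thread and not Extreme/WiNG code: before trusting an interface or disabling the check, the ARPPOISON lines can be grouped by IP to see whether the hits really are two MACs sharing one address and whether they are gratuitous ARP (sender IP equals target IP). The field names come from the log line quoted in the question; the MAC and IP values are constructed, and the sample assumes the Snoop Table IP equals the ARP Src IP.

```python
import re
from collections import defaultdict

# Field names follow the log line quoted in the thread.
FIELD_RE = re.compile(
    r"(Ethernet Src Mac|Ethernet Dst Mac|ARP Src Mac|ARP Dst Mac|ARP Src IP|"
    r"ARP Target IP|Snoop Table MAC|Snoop Table IP)\s*[:=]\s*([0-9A-Fa-f.\-]+)")

def parse(line):
    """Return the eight fields of an ARPPOISON line as a dict, else None."""
    if "%DATAPLANE-4-ARPPOISON" not in line:
        return None
    fields = {k: v.upper() for k, v in FIELD_RE.findall(line)}
    return fields if len(fields) == 8 else None

def is_gratuitous(f):
    # Gratuitous ARP request: broadcast frame, zeroed target MAC,
    # and the sender announces its own address (sender IP == target IP).
    return (f["Ethernet Dst Mac"] == "FF-FF-FF-FF-FF-FF"
            and f["ARP Dst Mac"] == "00-00-00-00-00-00"
            and f["ARP Src IP"] == f["ARP Target IP"])

def summarise(lines):
    """Group conflicts by sender IP: MACs seen, hit count, gratuitous count."""
    out = defaultdict(lambda: {"macs": set(), "hits": 0, "gratuitous": 0})
    for f in filter(None, map(parse, lines)):
        entry = out[f["ARP Src IP"]]
        entry["macs"].update((f["ARP Src Mac"], f["Snoop Table MAC"]))
        entry["hits"] += 1
        entry["gratuitous"] += is_gratuitous(f)
    return dict(out)

# Constructed sample input (documentation IPs, locally administered MACs).
TEMPLATE = ("%DATAPLANE-4-ARPPOISON: ARP CACHE POISONING:  Conflicting snoop "
            "entry found :Ethernet Src Mac: {src}, Ethernet Dst Mac: "
            "FF-FF-FF-FF-FF-FF, ARP Src Mac: {src}, ARP Dst Mac: "
            "00-00-00-00-00-00, ARP Src IP: {sip}, ARP Target IP: {tip}, "
            "Snoop Table MAC = {smac}, Snoop Table IP = {sip}")
A, B = "02-00-00-00-00-0A", "02-00-00-00-00-0B"
SAMPLE = [
    TEMPLATE.format(src=A, smac=B, sip="192.0.2.1", tip="192.0.2.1"),
    TEMPLATE.format(src=B, smac=A, sip="192.0.2.1", tip="192.0.2.1"),
    TEMPLATE.format(src="02-00-00-00-00-1C", smac="02-00-00-00-00-1D",
                    sip="192.0.2.50", tip="192.0.2.1"),
    "%DOT11-5-EAP_SUCCESS: constructed unrelated line",
]

if __name__ == "__main__":
    for ip, e in sorted(summarise(SAMPLE).items()):
        print(ip, sorted(e["macs"]), e["hits"], e["gratuitous"])
```

An IP whose hits alternate between the same two MACs and are all gratuitous matches the cluster pattern described above; an IP with non-gratuitous conflicts or an unexpected MAC is worth tracing to a switch port first.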

Aviv Kedem

Many thanks guys.

Aviv
Aviv Kedem

Hello All,

May this issue appear if a VC is used for AP6532 + another VC for AP7532 on the same VLAN?
We need it for configuration provisioning of these two models of AP.

Thanks,

Aviv