ARP CACHE POISONING

  • 0
  • 1
  • Question
  • Updated 3 months ago
  • Answered
  • (Edited)
Hello Community,

I use ip mac conflict log only. AP75XX/AP65XX. WING 5.8.6+/5.9+.
Recently, in several deployments I saw a lot of this type of logs messages:

...%DATAPLANE-4-ARPPOISON: ARP CACHE POISONING:  Conflicting snoop entry found :Ethernet Src Mac: ....., Ethernet Dst Mac: FF-FF-FF-FF-FF-FF, ARP Src Mac: ...., ARP Dst Mac: 00-00-00-00-00-00, ARP Src IP: ...., ARP Target IP: ...., Snoop Table MAC = ...., Snoop Table IP = ....

It seems the router is flooding some different info about mac adress table info with AP.
Can it cause any network issues ?

Thanks,

Aviv Kedem
Photo of Aviv Kedem

Aviv Kedem

  • 1,714 Points 1k badge 2x thumb

Posted 10 months ago

  • 0
  • 1
Photo of JESUS REYES DIAZ

JESUS REYES DIAZ

  • 222 Points 100 badge 2x thumb
At this moment i dont have de document, but can you find a best practice firewall for wingx .
Photo of Aviv Kedem

Aviv Kedem

  • 1,614 Points 1k badge 2x thumb
Hello Jesus,
I would be happy to receive an answer for the question I asked.
It's not about best practice.

Regards,

Aviv
Photo of Ondrej Lepa

Ondrej Lepa, Employee

  • 5,650 Points 5k badge 2x thumb
HI Aviv,

it rather depends on the source address - you see that destination is FF::FF / 00::00 which looks like Gratuitous ARP

Try to search for the source and if found, confirm you do not have IP conflict.

Regards,
Ondrej
Photo of Aviv Kedem

Aviv Kedem

  • 1,714 Points 1k badge 2x thumb
Hello Ondrej,

We do not have IP conflict but still have a lot of these messages.
It seems that router is fluding different L2 data .

Any ideas?

Thanks,

Aviv
Photo of Ondrej Lepa

Ondrej Lepa, Employee

  • 5,650 Points 5k badge 2x thumb
Well, if you see those hits it mean that internal firewall detected those and took action.
I would not say this is something you'll fix on the AP.

Regards,
Ondrej
Photo of Timo

Timo

  • 3,210 Points 3k badge 2x thumb
Do you use a firewall cluster? See this offend, if two MAC address share the same IP. This is mostly, if it's a cluster.

If you use a cluster you can set "ip arp trust" to the interface or disable the check under the firewall policy:
no ip-mac conflict

no ip-mac routing conflict

Photo of Aviv Kedem

Aviv Kedem

  • 1,714 Points 1k badge 2x thumb
Many thanks guys.

Aviv
Photo of Aviv Kedem

Aviv Kedem

  • 1,714 Points 1k badge 2x thumb
Hello All,

This issue may appear if used vc for ap6532 + other vc for ap7532 on the same vlan?
We need it for configuration provosioning of these two models of ap.

Thanks,

Aviv
Photo of Joffre Flores

Joffre Flores

  • 70 Points
With best practice all its ok
Photo of Richard Augusto

Richard Augusto

  • 612 Points 500 badge 2x thumb

Hello,

These Firewall (L2) Logs occur when the controller is running on the same data VLAN of an environment (which has servers, cameras, printers, and so on). 

In my case, when I segmented the controller network into a separate VLAN (where it only has L2 traffic from the APs and controller), the problems have stopped.

I recommend doing a rework on the internal network, creating native / untagged VLANs to exchange traffic between controller and access point. The problems will disappear.
Photo of Aviv Kedem

Aviv Kedem

  • 1,714 Points 1k badge 2x thumb
Hello Richard Augusto,

Do you mean a have to separate the controller vlan and the wlan traffic vlan?

Thanks,

Aviv
Photo of Richard Augusto

Richard Augusto

  • 612 Points 500 badge 2x thumb

Exactly. Put the Access Points with port configuration in hybrid mode. The Untagged VLAN is where the L2 traffic of the controller will pass. SSID traffic must pass through specific tagged VLANs.

These ARP Poisoning (and many others) errors occur here and are only in places where my network is flat.
Photo of Aviv Kedem

Aviv Kedem

  • 1,714 Points 1k badge 2x thumb
Hello Richard,

Thank you for your support.

Aviv