topic RE: ARP CACHE POISONING in ExtremeWireless (WiNG)

ARP CACHE POISONING

Aviv_Kedem — Sat, 09 Dec 2017 23:39:00 GMT

Hello Community,

I use ip mac conflict log only. AP75XX/AP65XX. WING 5.8.6+/5.9+.
Recently, in several deployments I saw a lot of this type of logs messages:

...%DATAPLANE-4-ARPPOISON: ARP CACHE POISONING: Conflicting snoop entry found :Ethernet Src Mac: ....., Ethernet Dst Mac: FF-FF-FF-FF-FF-FF, ARP Src Mac: ...., ARP Dst Mac: 00-00-00-00-00-00, ARP Src IP: ...., ARP Target IP: ...., Snoop Table MAC = ...., Snoop Table IP = ....

It seems the router is flooding some different info about mac adress table info with AP.
Can it cause any network issues ?

Thanks,

Aviv Kedem

RE: ARP CACHE POISONING

JESUS_REYES_DIA — Sun, 10 Dec 2017 03:14:00 GMT

At this moment i dont have de document, but can you find a best practice firewall for wingx .

RE: ARP CACHE POISONING

Aviv_Kedem — Sun, 10 Dec 2017 03:14:00 GMT

Hello Jesus,
I would be happy to receive an answer for the question I asked.
It's not about best practice.

Regards,

Aviv

RE: ARP CACHE POISONING

Ondrej_Lepa — Mon, 11 Dec 2017 18:11:00 GMT

HI Aviv,

it rather depends on the source address - you see that destination is FF::FF / 00::00 which looks like Gratuitous ARP

Try to search for the source and if found, confirm you do not have IP conflict.

Regards,
Ondrej

RE: ARP CACHE POISONING

Aviv_Kedem — Mon, 11 Dec 2017 18:11:00 GMT

Hello Ondrej,

We do not have IP conflict but still have a lot of these messages.
It seems that router is fluding different L2 data .

Any ideas?

Thanks,

Aviv

RE: ARP CACHE POISONING

Ondrej_Lepa — Mon, 11 Dec 2017 18:11:00 GMT

Well, if you see those hits it mean that internal firewall detected those and took action.
I would not say this is something you'll fix on the AP.

Regards,
Ondrej

RE: ARP CACHE POISONING

Timo1 — Mon, 11 Dec 2017 18:11:00 GMT

Do you use a firewall cluster? See this offend, if two MAC address share the same IP. This is mostly, if it's a cluster.

If you use a cluster you can set "ip arp trust" to the interface or disable the check under the firewall policy:
no ip-mac conflict

no ip-mac routing conflict

RE: ARP CACHE POISONING

Aviv_Kedem — Mon, 11 Dec 2017 18:11:00 GMT

Many thanks guys.

Aviv

RE: ARP CACHE POISONING

Aviv_Kedem — Sun, 28 Jan 2018 14:21:00 GMT

Hello All,

This issue may appear if used vc for ap6532 + other vc for ap7532 on the same vlan?
We need it for configuration provosioning of these two models of ap.

Thanks,

Aviv

RE: ARP CACHE POISONING

Joffre_Flores — Thu, 26 Jul 2018 22:45:00 GMT

With best practice all its ok

RE: ARP CACHE POISONING

Richard_Augusto — Fri, 27 Jul 2018 17:19:00 GMT

Hello,

These Firewall (L2) Logs occur when the controller is running on the same data VLAN of an environment (which has servers, cameras, printers, and so on).

In my case, when I segmented the controller network into a separate VLAN (where it only has L2 traffic from the APs and controller), the problems have stopped.

I recommend doing a rework on the internal network, creating native / untagged VLANs to exchange traffic between controller and access point. The problems will disappear.

RE: ARP CACHE POISONING

Aviv_Kedem — Fri, 27 Jul 2018 17:19:00 GMT

Hello Richard Augusto,

Do you mean a have to separate the controller vlan and the wlan traffic vlan?

Thanks,

Aviv

RE: ARP CACHE POISONING

Richard_Augusto — Fri, 27 Jul 2018 17:19:00 GMT

Exactly. Put the Access Points with port configuration in hybrid mode. The Untagged VLAN is where the L2 traffic of the controller will pass. SSID traffic must pass through specific tagged VLANs.

These ARP Poisoning (and many others) errors occur here and are only in places where my network is flat.

RE: ARP CACHE POISONING

Aviv_Kedem — Fri, 27 Jul 2018 17:19:00 GMT

Hello Richard,

Thank you for your support.

Aviv