We recently had similar log messages and behavior which turned out to be the DNS Changer Trojan messing w/ DHCP and ARP. Not sure how we located the exact source, but we shut it down, and all was quiet again.
TimB

-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[email protected]] On Behalf Of Hall, Rand
Sent: Monday, March 30, 2009 12:33 PM
To: [email protected]
Subject: Dynamic ARP Inspection anyone?

While battling what looks to be a broadcast storm of some sort I recently turned on Dynamic ARP Inspection. The enclosed logs contain the correct IP (10.0.106.106) and MAC (001e.334b.9355) from the DHCP Snoop Bindings. I'm having a hard time wrapping my head around the all zero IP and MAC. I seem to remember a post a while back about Managed Subnets and all zero MAC addresses. Any thoughts?

Mar 30 16:16:54: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa3/0/2, vlan 11.([001e.334b.9355/0.0.0.0/0000.0000.0000/169.254.134.236/12:16:54 EDT Mon Mar 30 2009])
Mar 30 16:16:55: %SYS-5-CONFIG_I: Configured from console by vty1 (10.0.96.5)
Mar 30 16:16:55: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa3/0/2, vlan 11.([001e.334b.9355/0.0.0.0/0000.0000.0000/169.254.134.236/12:16:55 EDT Mon Mar 30 2009])
Mar 30 16:16:57: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa3/0/2, vlan 11.([001e.334b.9355/0.0.0.0/0000.0000.0000/10.0.106.106/12:16:56 EDT Mon Mar 30 2009])
Mar 30 16:16:58: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa3/0/2, vlan 11.([001e.334b.9355/0.0.0.0/0000.0000.0000/10.0.106.106/12:16:57 EDT Mon Mar 30 2009])
Mar 30 16:16:59: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa3/0/2, vlan 11.([001e.334b.9355/0.0.0.0/0000.0000.0000/10.0.106.106/12:16:58 EDT Mon Mar 30 2009])

Deegan_EAST#show ip dhcp snoop bind | inc 93:55
00:1E:33:4B:93:55 10.0.106.106 172651 dhcp-snooping 11 FastEthernet3/0/2

Cheers,
Rand

--
Rand P. Hall * Director, Network Services
Merrimack College * SunGard Higher Education
315 Turnpike Street, North Andover MA 01845 * Tel 978-837-5000 Fax 978-837-5383 * [email protected] * www.sungardhe.com

CONFIDENTIALITY: This e-mail (including any attachments) may contain confidential, proprietary and privileged information, and unauthorized disclosure or use is prohibited. If you received this e-mail in error, please notify the sender and delete this e-mail from your system.
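
A triage helper for the deny messages quoted in this thread, added here as an example and not written by either poster or taken from Cisco. It splits each bracketed record and compares it with the DHCP snooping binding, marking requests whose sender IP and target MAC are all zero as having the shape of an RFC 5227 ARP probe. Assumptions: the bracket field order is sender MAC / sender IP / target MAC / target IP / time, and the names classify, verdicts, BINDINGS and SAMPLE are illustrative.

```python
import re

# Assumed field order inside the brackets of a DAI deny message:
# sender MAC / sender IP / target MAC / target IP / switch time.
DAI_DENY = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: \d+ Invalid ARPs \((?P<op>\w+)\) on (?P<port>\S+), "
    r"vlan (?P<vlan>\d+)\.\(\[(?P<smac>[0-9a-fA-F.]+)/(?P<sip>[\d.]+)/"
    r"(?P<tmac>[0-9a-fA-F.]+)/(?P<tip>[\d.]+)/"
)

def norm_mac(mac):
    """Reduce 001e.334b.9355 or 00:1E:33:4B:93:55 to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def classify(line, bindings):
    """Explain one deny line; bindings maps normalized MAC -> (ip, vlan)."""
    m = DAI_DENY.search(line)
    if m is None:
        return None  # not a DAI deny message
    bound = bindings.get(norm_mac(m["smac"]))
    if m["op"] == "Req" and m["sip"] == "0.0.0.0" and norm_mac(m["tmac"]) == "0" * 12:
        # Shape of an RFC 5227 ARP probe: the host does not claim an address yet,
        # so the sender IP can never equal the snooped lease.
        owns = bound is not None and bound == (m["tip"], int(m["vlan"]))
        verdict = "probe-for-bound-ip" if owns else "probe-for-unbound-ip"
    elif bound is None:
        verdict = "sender-mac-not-in-bindings"
    elif bound != (m["sip"], int(m["vlan"])):
        verdict = "sender-ip-or-vlan-mismatch"
    else:
        verdict = "binding-matches"  # denied for a reason this check does not model
    return {"port": m["port"], "mac": m["smac"], "target_ip": m["tip"], "verdict": verdict}

# Binding row and log lines copied from the post above.
BINDINGS = {norm_mac("00:1E:33:4B:93:55"): ("10.0.106.106", 11)}
SAMPLE = [
    "Mar 30 16:16:54: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa3/0/2, vlan 11."
    "([001e.334b.9355/0.0.0.0/0000.0000.0000/169.254.134.236/12:16:54 EDT Mon Mar 30 2009])",
    "Mar 30 16:16:55: %SYS-5-CONFIG_I: Configured from console by vty1 (10.0.96.5)",
    "Mar 30 16:16:57: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa3/0/2, vlan 11."
    "([001e.334b.9355/0.0.0.0/0000.0000.0000/10.0.106.106/12:16:56 EDT Mon Mar 30 2009])",
]

def verdicts(lines=SAMPLE, bindings=BINDINGS):
    """Verdict for every DAI deny line in lines, skipping other messages."""
    return [r["verdict"] for r in (classify(l, bindings) for l in lines) if r]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line, BINDINGS))
```

Counting verdicts per port and MAC over a full log separates hosts that only emit probes from senders whose claimed IP disagrees with the binding table.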
