Good afternoon Timothy, I was wondering if you could help me with understanding how you were able to locate the source of the problem as we may be experiencing the same issue at our campus.
Thanks.

Cesar A. Nau
Help Desk Manager
Fordham University / Fordham IT
718.817.4598
[email protected]
www.fordham.edu/ITHelp

"Byrnes, Timothy A." <[email protected]>
Sent by: Cisco Clean Access Users and Administrators <cleanacc...@listSERV.MUOHIO.EDU>
03/30/2009 02:10 PM
Please respond to Cisco Clean Access Users and Administrators <cleanacc...@listSERV.MUOHIO.EDU>

To: [email protected]
cc:
Subject: Re: Dynamic ARP Inspection anyone?

We recently had similar log messages and behavior which turned out to be the DNS Changer Trojan messing w/ DHCP and ARP. Not sure how we located the exact source, but we shut it down, and all was quiet again.

TimB

-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[email protected]] On Behalf Of Hall, Rand
Sent: Monday, March 30, 2009 12:33 PM
To: [email protected]
Subject: Dynamic ARP Inspection anyone?

While battling what looks to be a broadcast storm of some sort I recently turned on Dynamic ARP Inspection. The enclosed logs contain the correct IP (10.0.106.106) and MAC (001e.334b.9355) from the DHCP Snoop Bindings. I'm having a hard time wrapping my head around the all zero IP and MAC. I seem to remember a post a while back about Managed Subnets and all zero MAC addresses. Any thoughts?

Mar 30 16:16:54: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa3/0/2, vlan 11.([001e.334b.9355/0.0.0.0/0000.0000.0000/169.254.134.236/12:16:54 EDT Mon Mar 30 2009])
Mar 30 16:16:55: %SYS-5-CONFIG_I: Configured from console by vty1 (10.0.96.5)
Mar 30 16:16:55: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa3/0/2, vlan 11.([001e.334b.9355/0.0.0.0/0000.0000.0000/169.254.134.236/12:16:55 EDT Mon Mar 30 2009])
Mar 30 16:16:57: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa3/0/2, vlan 11.([001e.334b.9355/0.0.0.0/0000.0000.0000/10.0.106.106/12:16:56 EDT Mon Mar 30 2009])
Mar 30 16:16:58: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa3/0/2, vlan 11.([001e.334b.9355/0.0.0.0/0000.0000.0000/10.0.106.106/12:16:57 EDT Mon Mar 30 2009])
Mar 30 16:16:59: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa3/0/2, vlan 11.([001e.334b.9355/0.0.0.0/0000.0000.0000/10.0.106.106/12:16:58 EDT Mon Mar 30 2009])

Deegan_EAST#show ip dhcp snoop bind | inc 93:55
00:1E:33:4B:93:55   10.0.106.106   172651   dhcp-snooping   11   FastEthernet3/0/2

Cheers,
Rand

--
Rand P. Hall * Director, Network Services
Merrimack College * SunGard Higher Education
315 Turnpike Street, North Andover MA 01845 * Tel 978-837-5000
Fax 978-837-5383 * [email protected] * www.sungardhe.com

CONFIDENTIALITY: This e-mail (including any attachments) may contain confidential, proprietary and privileged information, and unauthorized disclosure or use is prohibited. If you received this e-mail in error, please notify the sender and delete this e-mail from your system.
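
Added example, not part of the original thread: Python code that parses the DAI deny messages quoted above and compares each one with the DHCP snooping binding for the sender MAC. It assumes the bracketed fields are sender MAC / sender IP / target MAC / target IP / time, and it labels a 0.0.0.0 sender IP with an all-zero target MAC as the ARP probe shape described in RFC 5227; the function names and category labels are hypothetical.

```python
import re

# Assumed field order inside the brackets of %SW_DAI-4-DHCP_SNOOPING_DENY:
# sender MAC / sender IP / target MAC / target IP / time.
DAI_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: \d+ Invalid ARPs \((?P<op>Req|Res)\) on "
    r"(?P<port>\S+), vlan (?P<vlan>\d+)\.\(\[(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/"
    r"(?P<tmac>[0-9a-f.]+)/(?P<tip>[\d.]+)/")

def norm_mac(mac):
    """Reduce 001e.334b.9355 and 00:1E:33:4B:93:55 to the same 12 hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def classify(line, bindings):
    """bindings maps normalized MAC -> (ip, vlan) taken from the snooping table."""
    m = DAI_RE.search(line)
    if not m:
        return None  # not a DAI deny message
    bound = bindings.get(norm_mac(m["smac"]))
    if bound is None:
        return "no-binding"  # sender MAC unknown to DHCP snooping
    ip, vlan = bound
    if vlan != int(m["vlan"]):
        return "wrong-vlan"  # bound MAC seen on a different VLAN
    if m["sip"] == ip:
        return "matches-binding"
    if m["sip"] == "0.0.0.0" and norm_mac(m["tmac"]) == "0" * 12:
        # ARP probe shape (RFC 5227): the target IP is the address being tested.
        return "probe-for-bound-ip" if m["tip"] == ip else "probe-for-other-ip"
    return "sender-ip-mismatch"  # bound host claiming a different sender IP

# Input copied from the thread: the binding row and two of the log lines.
BINDINGS = {norm_mac("00:1E:33:4B:93:55"): ("10.0.106.106", 11)}
LINK_LOCAL = ("Mar 30 16:16:54: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) "
              "on Fa3/0/2, vlan 11.([001e.334b.9355/0.0.0.0/0000.0000.0000/"
              "169.254.134.236/12:16:54 EDT Mon Mar 30 2009])")
LEASED = ("Mar 30 16:16:57: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) "
          "on Fa3/0/2, vlan 11.([001e.334b.9355/0.0.0.0/0000.0000.0000/"
          "10.0.106.106/12:16:56 EDT Mon Mar 30 2009])")

if __name__ == "__main__":
    for entry in (LINK_LOCAL, LEASED):
        print(classify(entry, BINDINGS))
```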
