[c-nsp] DAI (arp inspection) Issue on 6500 [SXH2a,SUP720-3b]

Paul paul at gtcomm.net
Tue Jul 28 03:38:52 EDT 2009 

I am attempting to use statically configured arp inspection on a vlan on 
our 6500.
Here's an example, we have , say, vlan500, vlan 500 is assigned to ports 
gi11/1-48
The configuration on the ports are as follows:
 switchport
 switchport access vlan 500
 switchport mode access
 switchport block unicast
 switchport port-security
 switchport port-security maximum 4
 switchport port-security aging time 60
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 switchport port-security mac-address sticky
 ip arp inspection limit rate 25 burst interval 5
 storm-control broadcast level 0.50
 storm-control multicast level 0.50
 no cdp enable
 spanning-tree bpduguard enable

I created, arp access-list vlan500 and then i did ip arp inspection 
filter vlan500 vlan 500
I made the arp access-list simply permit ip any mac any so it should 
allow everything.

The problem is, none of the machines on vlan 500 can talk to each 
other.  They can talk to the gateway address which is on interface vlan 500
interface Vlan500
 ip address 10.0.0.1 255.255.255.192
 ip helper-address 10.10.10.10
 no ip redirects
 no ip unreachables
 ip sticky-arp
 no ip proxy-arp
 arp timeout 3200

So what am I doing wrong that nothing on this vlan can send arp requests 
to each other?? If i disable arp inspection they can send/receive arp 
responses
fine.. say 10.0.0.5 can arp 10.0.0.6 (10.0.0.5 would be on say gi11/5 
and 10.0.0.6 be on gi11/6) but when i enable it,   arps don't make it.

Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), 
Version 12.2(33)SXH2a, RELEASE SOFTWARE (fc2)
cisco WS-C6513 (R7000) processor (revision 1.0) with 458720K/65536K 
bytes of memory.
This is SUP720-3B

My understanding is that this should work, so I am thinking this is a 
bug in the code? I tried this on two 6500's both with the same code. I 
will try it on
a test in the lab with SXH5. If anoyne has any idea feel free to chime 
in and cc my email in the reply.

Thanks!!

-- 
GloboTech Communications
Phone: 1-514-907-0050 x 215
Toll Free: 1-(888)-GTCOMM1
Fax: 1-(514)-907-0750
paul at gtcomm.net
http://www.gtcomm.net

More information about the cisco-nsp mailing list