[c-nsp] ME3600X arp inspection issue
Claes Jansson
claes at gastabud.com
Thu Aug 30 11:09:32 EDT 2012
Hi All,
we seem to have discovered an issue with ME3600X and arp inspection. It
seems to be affecting traffic flowing through the box.
The test setup is like this... An "access switch" is connected at
gi0/24, with a management interface on vlan2 (tagged).
! ME3600X
! me360x-universalk9-mz.152-4.S.bin
! License Level: AdvancedMetroIPAccess
!
! Will break ARP on vlan2!
! if removed everything works as expected
!
ip arp inspection vlan 10
!
ip route 0.0.0.0 0.0.0.0 10.0.16.1
!
int te0/1
description UPLINK
switchport mode trunk
!
int gi0/24
description ACCESS_Switch
switchport mode trunk
!
interface Vlan2
ip address 10.0.16.166 255.255.255.0
no ip route-cache
end
!
! ME3400 Access switch
!
ip route 0.0.0.0 0.0.0.0 10.0.16.1
!
interface Vlan2
ip address 10.0.16.222 255.255.255.0
no ip route-cache
!
A core switch / default gateway (IP 10.0.16.1) is connected to the ME3600X at te0/1.
If we enable arp inspection on *ANY* vlan on the ME3600X, it blocks arp
traffic on vlan2. The only workaround we have found is to disable
"ip arp inspection" on all vlans. Setting "ip arp inspection trust" on
*all* interfaces does not solve the problem.
ME3600X-test#sh ip arp inspection
Source Mac Validation : Disabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled
Vlan     Configuration    Operation    ACL Match    Static ACL
----     -------------    ---------    ---------    ----------
   1     Disabled         Inactive
   2     Disabled         Inactive
  10     Enabled          Active
What does work with "ip arp inspection" enabled is this.
###
ME3600X -- can ping default gateway 10.0.16.1
ME3600X -- can ping access-switch 10.0.16.200
ME3400 -- can ping ME3600 switch 10.0.16.166
ME3400 -- cannot ping core switch 10.0.16.1 (arp record listed as <incomplete>)
Core switch -- cannot ping ME3400 switch 10.0.16.200 (although a correct arp-record is visible in the core switch)
Core switch -- can ping ME3600X
Also, we have another switch in production running
"me360x-universalk9-mz.151-2.EY.bin, MetroIPAccess" that does not seem to be affected by this problem.
I'm quite interested to hear if anyone else has come across this?
//Claes
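As an added example (not part of the post above), a small Python checker that parses the ME3600X config fragment and the "sh ip arp inspection" table quoted in the post and lists the SVI VLANs on which DAI is neither configured nor operationally active; ARP loss on those VLANs (VLAN 2 here) is not explained by the DAI configuration and points at the platform or software version instead. The VLAN-range expansion handles IOS lists such as "10,20-22", which goes beyond the single VLAN in the post.

```python
import re

# Constructed sample input, copied from the post: the DAI-related lines of the
# ME3600X config and the "sh ip arp inspection" per-VLAN table.
SAMPLE_CONFIG = """\
ip arp inspection vlan 10
interface Vlan2
 ip address 10.0.16.166 255.255.255.0
 no ip route-cache
"""

SAMPLE_SHOW = """\
Vlan     Configuration    Operation    ACL Match    Static ACL
----     -------------    ---------    ---------    ----------
   1     Disabled         Inactive
   2     Disabled         Inactive
  10     Enabled          Active
"""

def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20-22' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def dai_vlans_from_config(config):
    """VLANs on which 'ip arp inspection vlan ...' lines enable DAI."""
    vlans = set()
    for m in re.finditer(r"^ip arp inspection vlan (\S+)", config, re.M):
        vlans |= expand_vlan_list(m.group(1))
    return vlans

def svi_vlans(config):
    """VLAN ids that have an SVI ('interface VlanN') in the config."""
    return {int(v) for v in re.findall(r"^interface Vlan(\d+)", config, re.M)}

def parse_show_dai(output):
    """Map VLAN id -> (Configuration, Operation) from 'show ip arp inspection'."""
    table = {}
    for line in output.splitlines():
        m = re.match(r"^\s*(\d+)\s+(Enabled|Disabled)\s+(Active|Inactive)", line)
        if m:
            table[int(m.group(1))] = (m.group(2), m.group(3))
    return table

def unexplained_vlans(config, show_output):
    """SVI VLANs where DAI is neither configured nor active: ARP loss there
    cannot be explained by the DAI configuration."""
    dai = dai_vlans_from_config(config)
    active = {v for v, (_, op) in parse_show_dai(show_output).items() if op == "Active"}
    return sorted(svi_vlans(config) - dai - active)
```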