[c-nsp] ME3600X arp inspection issue

Waris Sagheer (waris) waris at cisco.com
Sun Sep 2 06:33:12 EDT 2012


Hi Claes,
Did you open a TAC case to track this issue?

Regards,
Waris


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Claes Jansson
Sent: Thursday, August 30, 2012 8:10 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ME3600X arp inspection issue

Hi All,

We seem to have discovered an issue with ME3600X and arp inspection. It seems to be affecting traffic flowing through the box.

The test setup is like this... An "access switch" is connected at gi0/24, with a management interface on vlan2 (tagged).


! ME3600X
! me360x-universalk9-mz.152-4.S.bin
! License Level: AdvancedMetroIPAccess
!
! Will break ARP on vlan2!
! if removed everything works as expected
!
ip arp inspection vlan 10
!
ip route 0.0.0.0 0.0.0.0 10.0.16.1
!
int te0/1
  description UPLINK
  switchport mode trunk
!
int gi0/24
  description ACCESS_Switch
  switchport mode trunk
!
interface Vlan2
  ip address 10.0.16.166 255.255.255.0
  no ip route-cache
end
!


! ME3400 Access switch
!
ip route 0.0.0.0 0.0.0.0 10.0.16.1
!
interface Vlan2
  ip address 10.0.16.222 255.255.255.0
  no ip route-cache
!


A core switch / default gateway is connected to the ME3600X at te0/1. IP 
10.0.16.1.

If we on the ME3600X enable arp inspection on *ANY* vlan it will block 
arp traffic on vlan2. The only workaround we have found is to disable 
"ip arp inspection" on all vlans. Setting "ip arp inspection trust" on 
*all* interfaces does not solve the problem.

ME3600X-test#sh ip arp inspection

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled

  Vlan     Configuration    Operation   ACL Match   Static ACL
  ----     -------------    ---------   ---------   ----------
     1     Disabled         Inactive
     2     Disabled         Inactive
    10     Enabled          Active

What does work with "ip arp inspection" enabled is this.
###

ME3600X -- can ping default gateway 10.0.16.1
ME3600X -- can ping access-switch 10.0.16.200

ME3400 -- can ping ME3600 switch 10.0.16.166
ME3400 -- cannot ping core switch 10.0.16.1 (arp record listed as 
<incomplete>)

Core switch -- cannot ping ME3400 switch 10.0.16.200 (although a correct 
arp-record is visible in the core switch)
Core switch -- can ping ME3600X


Also, we have another switch in production running 
"me360x-universalk9-mz.151-2.EY.bin, MetroIPAccess" that does not seem 
to be affected by this problem.

I'm quite interested to hear if anyone else has come across this?

   //Claes

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
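The thread describes Dynamic ARP Inspection (DAI) enabled on one VLAN breaking ARP on an unrelated management VLAN, with trust on every interface not helping. Before treating such a symptom as a platform bug, the usual first step is to rule out the ordinary misconfiguration: DAI enabled somewhere while a trunk carrying ARP from upstream (uplink, inter-switch link) is left untrusted, so its ARP replies are checked against the DHCP snooping binding table and dropped. The script below is an added example, not code from the original post or from Cisco; it parses an IOS-style running config and the per-VLAN table of `show ip arp inspection` (both constructed here from the snippets in the thread, with a hypothetical extra access port), reports VLANs whose operational DAI state disagrees with the config, and flags trunks without `ip arp inspection trust`. The interface and VLAN names are assumptions taken from the post.

```python
"""
Audit a Cisco IOS-style configuration for Dynamic ARP Inspection (DAI)
consistency. Added example; not part of the original mailing-list post.
The sample config and show output below are constructed from the thread.
"""
import re
from dataclasses import dataclass

# Constructed sample: config snippets from the thread plus one hypothetical access port.
SAMPLE_CONFIG = """\
ip arp inspection vlan 10
!
interface TenGigabitEthernet0/1
 description UPLINK
 switchport mode trunk
!
interface GigabitEthernet0/24
 description ACCESS_Switch
 switchport mode trunk
!
interface GigabitEthernet0/1
 description HOST
 switchport mode access
 switchport access vlan 10
!
interface Vlan2
 ip address 10.0.16.166 255.255.255.0
!
"""

# Constructed sample: the 'show ip arp inspection' table as quoted in the thread.
SAMPLE_SHOW = """\
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

  Vlan     Configuration    Operation   ACL Match   Static ACL
  ----     -------------    ---------   ---------   ----------
     1     Disabled         Inactive
     2     Disabled         Inactive
    10     Enabled          Active
"""


@dataclass
class Interface:
    name: str
    mode: str = "access"   # 'access' or 'trunk'
    trusted: bool = False  # 'ip arp inspection trust' present


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,10-12,20' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_config(text):
    """Return (set of DAI-enabled VLANs, {name: Interface}) from a running config."""
    dai_vlans, interfaces, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("!"):          # section separator ends the interface block
            current = None
            continue
        if not line.startswith(" "):      # top-level command
            current = None
            m = re.match(r"ip arp inspection vlan (\S+)", line)
            if m:
                dai_vlans |= expand_vlan_list(m.group(1))
                continue
            m = re.match(r"interface (\S+)", line)
            if m:
                current = Interface(m.group(1))
                interfaces[current.name] = current
            continue
        if current is None:               # indented line outside an interface block
            continue
        cmd = line.strip()
        if cmd == "switchport mode trunk":
            current.mode = "trunk"
        elif cmd == "ip arp inspection trust":
            current.trusted = True
    return dai_vlans, interfaces


def parse_show_ip_arp_inspection(text):
    """Return {vlan: (Configuration, Operation)} from the per-VLAN table."""
    state = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(Enabled|Disabled)\s+(Active|Inactive)", line)
        if m:
            state[int(m.group(1))] = (m.group(2), m.group(3))
    return state


def audit(config_text, show_text):
    """List findings: config/operational mismatches and untrusted trunks under DAI."""
    findings = []
    dai_vlans, interfaces = parse_config(config_text)
    state = parse_show_ip_arp_inspection(show_text)
    for vlan in sorted(dai_vlans):
        conf, oper = state.get(vlan, ("Unknown", "Unknown"))
        if (conf, oper) != ("Enabled", "Active"):
            findings.append(f"vlan {vlan}: configured for DAI but shows {conf}/{oper}")
    for vlan, (conf, _) in sorted(state.items()):
        if conf == "Enabled" and vlan not in dai_vlans:
            findings.append(f"vlan {vlan}: DAI enabled operationally but not in config")
    if dai_vlans:  # trust only matters once DAI is enforced somewhere
        for intf in interfaces.values():
            if intf.mode == "trunk" and not intf.trusted:
                findings.append(f"{intf.name}: trunk without 'ip arp inspection trust'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_SHOW):
        print(finding)
```

On the constructed sample the audit reports both trunks (the uplink and the link to the access switch) as untrusted, which is the configuration a defender would fix first. If the findings list comes back empty and ARP on a VLAN outside the DAI list is still being dropped, as in the post, the remaining explanation is platform or software behaviour rather than configuration, which is the point at which a TAC case with the `show ip arp inspection` output attached is the right next step.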
