ESW 520 ARP Inspection Problem

Hello,
I have observed strange behavior on ESW 520 switches with the ARP Inspection operation. ARP inspection is configured with static IP-to-MAC bindings, and it works. The problem is with the logs: the switch generates tons of ARP inspection logs during normal network operation, but the network endpoints are working well. These logs are the same as those generated during ARP poisoning in the network. This behavior was observed in older and new firmware.
Here is sample log:
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e9 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:5a:85:2e SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.18
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e1 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:03 SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.16
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e6 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:19:85:26 SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.15
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e1 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:03 SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.16
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e9 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:12:85:2e SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.18
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e5 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:10 SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.10
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e6 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:11:85:26 SRC I 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.1
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e5 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:10 SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.10
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e8 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:14:85:0c SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.14
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e3 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:3f SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.12
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e8 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:51:85:0c SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.14
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e5 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:80:f5:10 SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.10
Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e6 with VLAN tag 10 and reason: packet verification failed SRC MAC 13:71:05:57:85:26 SRC IP 0.0.0.0 DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.15
It seems the switch doesn't like ARP requests which are going to local network addresses, but in that VLAN all hosts can communicate with each other.
Do you have any idea what the problem can be?
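As an added triage example (not from the thread or from the switch vendor), the script below parses the one-line form of the %ARPINSP-I-PCKTLOG messages above and separates the pattern they all share (sender IP 0.0.0.0 with an all-zero target MAC, which is the RFC 5227 ARP Probe a host sends to check for a duplicate address before using it) from any other verification failure, then counts drops per port and source MAC so a baseline can be compared against a real poisoning attempt. The first two sample lines are taken from the post and the third is constructed; reading the probes as duplicate-address detection is an inference from the fields, not something the switch reports.

```python
import re
from collections import Counter

ZERO_MAC = "00:00:00:00:00:00"
UNSPECIFIED_IP = "0.0.0.0"

# Field layout of the ESW 520 message as quoted in the thread (one line per entry).
_LOG_RE = re.compile(
    r"%ARPINSP-I-PCKTLOG: ARP packet dropped from port (?P<port>\S+) "
    r"with VLAN tag (?P<vlan>\d+) and reason: (?P<reason>.+?) "
    r"SRC MAC (?P<smac>[0-9A-Fa-f: ]+?) SRC IP (?P<sip>[\d.]+) "
    r"DST MAC (?P<dmac>[0-9A-Fa-f: ]+?) DST IP (?P<dip>[\d.]+)"
)

def parse_line(line):
    """Return the fields of one PCKTLOG message as a dict, or None for other lines."""
    m = _LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    # The quoted output shows 'DST MAC 00 :00:...'; strip stray spaces, normalise case.
    rec["smac"] = "".join(rec["smac"].split()).lower()
    rec["dmac"] = "".join(rec["dmac"].split()).lower()
    rec["vlan"] = int(rec["vlan"])
    return rec

def classify(rec):
    """Label a drop: an RFC 5227 ARP Probe (sender IP 0.0.0.0, all-zero target MAC)
    can never match a static IP-to-MAC binding, so DAI drops it although the host is
    legitimate; anything else is flagged for review."""
    if rec["sip"] == UNSPECIFIED_IP and rec["dmac"] == ZERO_MAC:
        return "arp-probe"
    return "review"

def summarize(lines):
    """Count drops by class and by (port, source MAC, class) for baselining."""
    by_class = Counter()
    by_port_mac = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        by_class[label] += 1
        by_port_mac[(rec["port"], rec["smac"], label)] += 1
    return {"by_class": dict(by_class), "by_port_mac": dict(by_port_mac)}

# First two lines are from the post; the third is constructed to show a non-probe drop.
SAMPLE_LOG = [
    "Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e9 with VLAN tag 10 "
    "and reason: packet verification failed SRC MAC 13:71:05:5a:85:2e SRC IP 0.0.0.0 "
    "DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.18",
    "Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e1 with VLAN tag 10 "
    "and reason: packet verification failed SRC MAC 13:71:05:80:f5:03 SRC IP 0.0.0.0 "
    "DST MAC 00 :00:00:00:00:00 DST IP 10.0.10.16",
    "Informational %ARPINSP-I-PCKTLOG: ARP packet dropped from port e4 with VLAN tag 10 "
    "and reason: packet verification failed SRC MAC 13:71:05:aa:bb:cc SRC IP 10.0.10.1 "
    "DST MAC ff:ff:ff:ff:ff:ff DST IP 10.0.10.20",
]
```

A steady trickle of "arp-probe" drops from ports whose bindings are correct is noise from address-conflict detection; "review" drops, or probes from a MAC that is not in the binding table, are what to chase.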

Hi ngtransge,
I will say first that I do not know the answer. But I suspect the log entries are indicating a MAC address that arrived on the interface that did not recognize the IP or MAC address. If the MAC or IP is not found in the inspection list, it would revert to the DHCP snooping table if that is enabled.
I would suspect these entries are coming from an untrusted interface and then go through validation.
Can you show the trusted interfaces and the MAC bindings?
Are the MAC addresses on the log entry meaningful to you in any way?
Are those MAC addresses supposed to be going to a particular destination? Or conversely, are the MAC addresses supposed to be seen on an untrusted interface?
-Tom

Similar Messages

  • ESW 520 802.1x MAB authentication problem

    Hello,
    I am having a problem with 802.1x MAB authentication on an ESW 520 switch; the authentication server is ACS 5.3.
    The authentication method on the ESW is 802.1x & MAC, and the Host Authentication mode is Multi Session. When I plug in an IP phone it never authenticates the phone, and on ACS I get the following error message:
    Radius authentication failed for USER: aa1effbb8fd4  MAC: aa-1E-FF-bb-8F-D4  AUTHTYPE:  Radius authentication failed
    RADIUS Status:Authentication failed    : 11509 Access Service does not allow any EAP protocols
    15004  Matched rule
    15012  Selected Access Service - MAB
    11507  Extracted EAP-Response/Identity
    11509  Access Service does not allow any EAP protocols
    11504  Prepared EAP-Failure
    11003  Returned RADIUS Access-Reject
    For that Access Service I have configured only Host Lookup.
    The same ACS configuration is working perfectly on a Catalyst 3560G switch.
    It seems that the ESW switch is not telling ACS that authentication is going to be by MAC address.
    Do you have any idea what the problem can be?

    Are you hitting the same selection rule? Also is "mab eap" configured globally on the switch, or on the port itself?
    Also can you post the port configuration and the show ver of the ESW?
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ESW 520 802.1x re authentication problem

    Hello
    I have a problem with an ESW 520 on 802.1x authentication. The problem is that when a host authenticates successfully it works for a couple of minutes, after which it tries to authenticate again but it lags. On the network interface it shows a notification of Failed authentication. On ACS I see only one authentication attempt, which is successful. This problem is happening on Win7 and Win XP. If I unplug and plug the cable it authenticates successfully, but then after a couple of minutes it lags again. The switch sees the port as authenticated. In the Win7 event viewer I have the following error:
    Reason: 0x70004
    Reason Text: The network stopped answering authentication requests
    Error Code: 0x0
    If I connect same hosts on Catalyst 2960 switch, they work successfully.

    Hi  ngtransge
    There are three possible explanations of why the authentication fails.
    A) The network interface is shut down after failed computer authentication. You can see this on the switch as line protocol down for that port.
    To verify the client has a domain certificate:
    1. Click Start and click Run.
    2. Type mmc, and then press ENTER.
    3. On the File menu, click Add/Remove Snap-in.
    4. Click Certificates, click Add, select Computer account, and then click Next.
    5. Verify that Local computer: (the computer this console is running on) is selected, click Finish, and then click OK.
    6. In the console tree, double-click Certificates (Local Computer), double-click Personal, and then click Certificates.
    On a domain joined client, you should see a certificate here with Intended Purposes of Client Authentication. Make sure this certificate is not expired. If it is expired, you will need to regain connection to your CA to request a new one.
    B) You should check your switch's configuration; perhaps a port or some ports could be blocked by an access-list and interrupt the re-authentication.
    C) If these two solutions don't work, you have to try changing the authentication method (PEAP-MSCHAPv2 or PEAP-EAP-TLS).
    Greetings, Johnnatn Rodriguez Miranda

  • Problem in connecting ESW 520 POE switches

    Hi
    New on ESW 520 switches
    I need help configuring the ESW 520 24 PoE switches.
    How can I configure the last port of the 24 to connect to another ESW 520 24-port switch?

    Why not use the GE ports at the far right to chain the switches one to the other from the UC540/UC560? They are best for this and give you an extra port on the switch this way. Use straight-through Ethernet cables.

  • ESW 520 8-port PoE switch cannot ping

    Hello
    I have an ESW 520 8-Port switch with a management IP address of 192.168.10.2/24.
    After I reboot it, I can successfully ping it from a PC with an IP of 192.168.10.123 for about 50 consecutive times.
    After that, I get a "Destination host unreachable" (this ICMP message is sent by my pinging PC, 192.168.10.123).
    This obviously seems like a bug.
    Has anybody seen this before?
    Whenever I reboot it, it goes through the same sequence.
    Thanks

    Hi David,
    I figured out what the problem was.
    The switch was obtaining an IP via DHCP, as it is a DHCP client by default.
    I am used to working with enterprise-level Cisco equipment, so this simple oversight was the cause of the problem.
    The IP that was obtained via DHCP was obviously different from the default IP of 192.168.10.2.
    So when the switch was rebooted, it would start off with its default IP of 192.168.10.2.
    As soon as it obtained an IP via DHCP, I could not ping it, of course.
    Thanks for the input though.

  • Arp inspection limit

    Can anyone help explain to me the way that arp inspection packet per second limiting works when enabling burst. For example, if my config is "ip arp inspection limit rate 25 burst 3", does the switch check every three seconds to see if arp packets were beyond the threshold every second of that interval? Is it simply checking every three seconds to see if the total arp packets are above 75 for the entire interval? Is it checking every three seconds or every second for the prior three second interval?
    I am having a consistent issue with multiple devices in one building violating our arp packet per second limit.  Is anyone else using a burst interval, and have you come across any client hardware that consistently violates the pps limit? What is your pps limit?

    Initially we used the default settings, i.e. 15 pps, but since the migration of the fleet to Win7 we have had problems (probably Windows network discovery):
    % SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 855 milliseconds on Fa0/1.
    So we set the threshold at 64 pps with a burst of three seconds (ip arp inspection limit rate 64 burst interval 3).
    Recently I had a user who exceeded the threshold:
    % SW_DAI-4-PACKET_BURST_RATE_EXCEEDED: 279 packets received in 3 seconds on Fa0/35.
    The message in the logs suggests that if the threshold is exceeded per second, you can expect to see the value of 3 seconds. The threshold would be your value multiplied by the duration of the burst interval (i.e. 64x3 = 192?). I'm not sure.
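An added example, not Cisco's code and not from either poster, that models the question above. It assumes, as the reply's reading of the two quoted log lines suggests, that the switch counts ARP packets on an untrusted port over a window of burst-interval seconds (default 1 second) and acts when more than rate x burst-interval packets fall in any such window; that is a modelling assumption, not the documented implementation. The three traffic scenarios are constructed to mirror the 16-packets-in-855-ms and 279-packets-in-3-s messages plus a short spike that only the burst interval smooths out.

```python
from bisect import bisect_left

def burst_threshold(rate_pps, burst_interval_s=1):
    """Packets tolerated in one burst interval under the modelled rule: rate x interval."""
    return rate_pps * burst_interval_s

def check_port(arrivals, rate_pps, burst_interval_s=1):
    """Model the per-port DAI rate limit as a sliding window (assumption, see lead-in).

    arrivals: packet timestamps in seconds seen on one untrusted port.
    Returns (exceeded, count, window_start) for the first window holding more than
    rate x interval packets, or (False, 0, None) if no window does.
    """
    limit = burst_threshold(rate_pps, burst_interval_s)
    arrivals = sorted(arrivals)
    for i, t0 in enumerate(arrivals):
        # index of the first packet at or after the window's exclusive end
        j = bisect_left(arrivals, t0 + burst_interval_s)
        count = j - i
        if count > limit:
            return True, count, t0
    return False, 0, None

def uniform_arrivals(n, duration_s, start_s=0.0):
    """Constructed traffic: n packets spread evenly over duration_s seconds."""
    return [start_s + k * duration_s / n for k in range(n)]

# Constructed scenarios mirroring the two log lines quoted in the thread,
# plus a one-second spike followed by silence.
SCENARIOS = {
    "win7 discovery burst": uniform_arrivals(16, 0.855),  # 16 pkts in 855 ms
    "heavy client": uniform_arrivals(279, 3.0),           # 279 pkts in 3 s
    "one-second spike": uniform_arrivals(100, 0.9),       # then nothing
}

def evaluate(rate_pps, burst_interval_s=1):
    """Return {scenario: exceeded?} for one 'ip arp inspection limit' setting."""
    return {name: check_port(ts, rate_pps, burst_interval_s)[0]
            for name, ts in SCENARIOS.items()}

if __name__ == "__main__":
    print("rate 15 (default):       ", evaluate(15))
    print("rate 64:                 ", evaluate(64))
    print("rate 64 burst interval 3:", evaluate(64, 3))
```

Under this model the burst interval does not change the long-run limit; it only lets a host front-load its 192 packets within the 3-second window, which is why the 100-packet spike passes with burst interval 3 but errdisables the port with the default interval.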

  • Jumbo frame caveat on 3750 - dynamic arp inspection

    I want to enable jumbo frames on a stacked 3750 running 12.2.25(SEB2).
    Any caveats? The only caveat I found is dynamic ARP inspection.

    Hello,
    There is no known problem with Jumbo/Giant frame support on the 3750 platform other than the bug you reported.
    I have verified that Jumbo/Giant frame support works on 12.2(25)SED in stack configuration.
    Facts
    - The 12.2(25)SEB2 release has been deferred. Cisco advises you to upgrade to (at least) 12.2(25)SEB3.
    http://www.cisco.com/cgi-bin/Software/Iosplanner/Planner-tool/printdefer.pl?platform=CAT3750&majorRel=12.2&release=12.2.25-SEB2&data_from=&file=12.2.25-SEB2.CAT3750.c.html
    - Jumbo/Giant frame support
    http://www.cisco.com/en/US/products/hw/switches/ps700/products_configuration_example09186a008010edab.shtml#3750
    HTH

  • About the Maximum of Source Ports to ONE Destination Port on ESW 520 24P

    Does the ESW 520 24P Support Mirroring 20 Ports Traffic to 1 Destination Port?

    Hi Andy
    No, the ESW supports mirroring groups that can each mirror 8 ports to a destination port.
    This is great for normal problem determination purposes. I can guess at your application.
    regards dave

  • CAM-Table over SNMP(ESW-520-48P)

    Hi everyone,
    I could use some help with our Cisco ESW-520-48P switches. I want to read the CAM table over SNMP and assign each interface the appropriate client device. The problem is that I don't really know how to achieve that. I've tested some different MIBs but I can't get the information I need.
    Thank you very much in advance!

    I need to decide on a few things regarding this switch before recommending it to my customer. I have the following questions on which I need some expert advice.
    Questions
    1.) Does this switch support PoE 15.4W on all 48 10/100 ports (ESW-520-48P-K9)? The total power rating of this switch is only 370W, and if this is divided among 48 ports, each port can only drive 7W. Hence the confusion.
    2.) Can the ESW Series be monitored and managed using CiscoWorks LMS?
    3.) Is MGBSX1 compatible with GLC-SX-MM?
    Thanks.
    Hi,
    Please see the attached document for your queries !!
    Hope to Help !!
    Ganesh.H
    Remember to rate the helpful post

  • Slow dhcp with ESW 520

    Hi ,
    It's probably a setting to do on the ESW 520, but all my DHCP is slow when I use the ESW 520.
    With another switch, I have no problem.
    Any Idea?
    Thanks

    Hi Thomas,
    I have already defined the profile type (Desktop, Switch, ...) with the VLAN for all the ports.
    But before making something wrong with the spanning tree configuration, I have one question: I learned that port fast negotiation shouldn't be used with the Switch port role but only with the Desktop port role. Can you tell me if that's right?
    Thanks for your answer.

  • Can't Console into ESW-520-24P Switch, Need help.

    Hi,
    We have 3 ESW-520-24P series switches.
    I cannot console into them because by default they have a security profile attached for "Console Only" and it is set to "Deny".
    I can't modify or delete it because it's a default security policy.
    We can console into ESW-540-24P series switches without any problems.
    Can someone share any solutions to gain console access for these switches?
    Any one from Cisco TAC support?
    Thanks in advance.
    Mansur.

    Hi Devicarr,
    Thanks for your reply.
    I can set the VLAN and Management IP address using the web interfaces.
    But when I am trying to connect to it via console it is not responding. I reset it to factory default and then found from the web control panel/interface that the switch has an "Access Authentication" section; under that it has an "Access Profile", and the profile has a default or built-in profile attached called "Console Only" with a rule like "IP Source = 0.0.0.0/32 Permit = Deny".
    I tried to delete or modify it, and even tried to add a new rule to allow console access, but failed.
    Is the console disabled by default on the "ESW-520-24P" series when manufactured, or is it something else? Please provide me your valuable suggestions.
    Thanks in advance.
    Mansur.

  • ARP Inspection issue

    3 switches in the same broadcast domain (transparent mode), approx. 200 VLANs. Trunk links between switches allow all VLANs 1-4096.
    I set up ARP inspection for 1 particular VLAN to troubleshoot an ARP server issue, possibly an unintentional ARP MITM. Set up as follows:
    ip arp inspection vlan 100
    arp access-list DAI
    permit ip any mac any
    ip arp inspection filter DAI vlan 100
    ip arp inspection vlan 100 logging acl-match matchlog
    Once enabled, some of the servers on each switch in VLAN 100 went into error-disabled mode and the port channel between switches went into error-disabled status. Once I removed it with "no ip inspection vlan 100" and did a shut/no shut on the port channel, the port channel came back up, and after I had waded through and done a shut/no shut on all the error-disabled server ports, everything was back to normal.
    Am I right in saying the problem was caused by not setting the port channels between switches to "arp inspection trust", and should I just leave all the server ports untrusted (default)? i.e. for all inter-switch links
    conf t
    int Po200
    ip arp inspection trust
    end
    then leave everything else as is? Would this make the problem go away? I can't try it now as it is production kit; I don't really have an ideal UAT lab as such yet.

    Hello stephendrkw,
    I believe you are right about the port channel causing the outage.
    Typically all host ports would be configured as untrusted and all switch ports connected to other switches would be trusted. Configuring a port as untrusted when it should be trusted can cause an outage.
    If you suspect a MITM attack, you can go to a PC that you think may be sending the IP traffic to the wrong MAC and at the command prompt, type "arp -a 192.168.1.1" and verify it has the correct MAC address mapped to the IP address. If it has the wrong MAC, you can log in to the switch and then use "show mac address-table address xxxx.xxxx.xxxx" to locate the source of the MITM attack.
    On the switch side, you can type "show arp | i 192.168.1.1" and "show arp | i "mac address"" to verify what MAC is bound to the IP address.
    Hope this helps....

  • Dynamic ARP inspection rate limit issues with Windows Vista Systems

    Good Day to everybody.
    I had implemented the DHCP Snooping & Dynamic ARP Inspection features to mitigate ARP spoofing attacks at one customer location where we have a mix of Windows Vista & XP systems. By default the DAI feature rate-limits ARP packets on untrusted ports to 15 packets per second. With this value I was facing some issues accessing file shares, where the port would go into the error-disabled state because the ARP broadcasts from the system were crossing the 15 PPS limit of DAI. For the same, I increased the DAI limit to 64, and after that we were not facing this problem from Windows XP systems, but Windows Vista systems are still giving problems. Also this problem is very random in nature, and not all the Windows Vista systems will face the same issue even though they are accessing the same file share and are configured with the same DAI rate limit.
    That's why I am not able to figure out baseline values for DAI rate limits. I have already searched Microsoft documentation for limiting this ARP broadcast from Windows Vista systems, but no luck.
    Is there any way to find out the correct settings for this DAI packet rate limiting in a Windows Vista environment?

    Hello bensyseng,
    check out this thread.
    As topmahof said already it could correlate with a wrong Intel driver.

  • Dynamic ARP Inspections on Wifi Routers?

    Is Dynamic ARP inspection possible to be done on wifi routers? I'm asking because I can't find any model with that feature. I would especially be interested in some cheaper models for home or small business use (maybe Linksys).

    You could be better served posting this on the SOHO forum. Speaking to enterprise gear like the cisco WLC yes.
    DAI for Wireless Access
    The WLC protects against MIM attacks by performing a similar function as DAI on the WLC itself. DAI should not be enabled on the access switch for those VLANs connecting directly to the WLCs because the WLC uses GARP to support Layer 3 client roaming.
    It is possible to enable DAI for each VLAN configured on a trunk between a FlexConnect and access point. Therefore, DAI is useful in wireless deployments where multiple SSIDs/VLANs exist on a FlexConnect. However, in a FlexConnect WLC deployment, there are two topologies that impact the effectiveness of the DAI feature. Both topologies assume that the attacker is associated to a FlexConnect WLC and is Layer 2-adjacent to the targets:
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch4_Secu.html#pgfId-1019449

  • ARP Inspection on SF-300-24 switch?

    I'm having an issue where two PCs are responding to ARP requests "Who is 192.168.0.1". 
    The real 192.168.0.1 is on port 1 of the switch, and has a MAC address of 00:24:a5:c7:e0:a8.   I can't seem to setup ARP Inspection properly as the rogue device continues to respond.   Can somebody provide the proper steps?  I've enabled DHCP Snooping, enabled ARP Inspection, enabled IP source guard, added FE1 as a trusted interface and all others untrusted, yet this continues to be an issue.  Not sure what I'm doing wrong and can't find any documentation on the web to help out.  I know where the offending piece of hardware is, unfortunately due to its location I can't fix it for several weeks so just looking to bandaid this for the time being.
    Thanks for any help!
    Ryan

    Thanks for your reply.  No, it does not seem to be working as intended.  Please see my screen attachments. 
    I am still getting multiple responses to "WHO HAS 192.168.0.1" from the clients.   Should just be from the trusted host on port 1.
    Any other hints are appreciated. Thank you!
