There’s a customer-owned device (a Cisco ISR router) connected to one of our 3850s that’s constantly answering ARP requests for other devices on the same LAN segment, stealing their ARP entries both from other hosts and from our firewall.
The customer will not turn proxy ARP off and will not tell us what subnet mask they have configured on the interface. Basically they’re being a rude tenant.
This has caused a lot of outages for us over the past 20 days; the worst one got me called in on a holiday just this week, when at least 3/4 of the hosts on that segment had the tenant’s MAC address for almost every ARP entry in their table. WTF!
So we put a layer 2 PACL on the port to block ARP. Now this broke the tenant because our firewall somehow lost ARP for their router and didn’t get it back, so I got called on New Year’s Eve last night just before midnight to work a priority one for the tenant being down!
So my question is: is there a way to write a better PACL that allows their router to ARP reply for itself but not for anyone else? Call it... an arpccess list?
I know DAI is a commonly used solution, but my understanding is that DAI requires DHCP snooping to work. Well, we don’t use DHCP on that particular segment, so no DHCP snooping.
Thanks all!
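One way to get the per-address ARP filter the post is asking for is Dynamic ARP Inspection with a static ARP ACL, which validates ARP against the ACL itself instead of a DHCP snooping binding table. The configuration below is an added example, not the poster’s switch config; the VLAN number, interface names, the tenant router’s IP (192.0.2.10) and MAC (0000.5e00.5301) are all assumed placeholders.

```cisco
! ARP ACL: the tenant router may only claim its own IP for its own MAC.
! Any ARP reply from its port that binds another IP to this MAC is dropped.
arp access-list TENANT-ARP
 permit ip host 192.0.2.10 mac host 0000.5e00.5301
!
! Enable DAI on the tenant's VLAN and apply the ACL in "static" mode.
! "static" means packets that do not match the ACL are dropped outright
! rather than falling through to the (empty) DHCP snooping bindings.
ip arp inspection vlan 100
ip arp inspection filter TENANT-ARP vlan 100 static
!
! Optional sanity checks and a rate limit on the untrusted port, so a
! burst of unsolicited replies err-disables the port instead of
! poisoning every host's ARP table.
ip arp inspection validate src-mac dst-mac ip
!
interface GigabitEthernet1/0/1
 description tenant ISR (untrusted, inspected)
 switchport access vlan 100
 no ip arp inspection trust
 ip arp inspection limit rate 15
!
interface GigabitEthernet1/0/48
 description uplink to firewall (trusted, not inspected)
 switchport access vlan 100
 ip arp inspection trust
```

With `static`, every untrusted port in VLAN 100 is held to the ACL, so either mark your own hosts’ ports as `ip arp inspection trust` or add a `permit` line per host; otherwise their ARP traffic is dropped too. Once the filter is in, `show ip arp inspection statistics vlan 100` shows the dropped count climbing whenever the tenant’s proxy ARP answers for an address that is not its own, which also gives you a log line to point at when discussing the behaviour with them.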