Dynamic ARP Inspection on Wireless AP

I have a Cisco Aironet 1140 series access point connected to a port on a Catalyst 2960-S switch. The port on the switch is set up with these options:

    ip arp inspection trust
    ip arp inspection limit rate 256

So it is trusted, but limits the number of ARPs per second to 256. Every few months something will happen where an ARP storm comes from the AP and the switch will turn off the port. Here is what I see in the switch logs:

    Oct 17 16:57:18.492: %SW_DAI-4-PACKET_RATE_EXCEEDED: 257 packets received in 922 milliseconds on Gi3/0/28.
    Oct 17 16:57:18.492: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi3/0/28, putting Gi3/0/28 in err-disable state
    Oct 17 16:57:19.524: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/28, changed state to down
    Oct 17 16:57:20.578: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/28, changed state to down
    Oct 17 16:57:20.688: %AUTOSMARTPORT-5-REMOVE: Device removed on interface GigabitEthernet3/0/28, executed CISCO_WIRELESS_AP_EVENT | CISCO_WIRELESS_AP_EVENT to remove the configuration
    Oct 17 16:57:48.572: %PM-4-ERR_RECOVER: Attempting to recover from arp-inspection err-disable state on Gi3/0/28
    Oct 17 16:57:50.832: %ILPOWER-5-POWER_GRANTED: Interface Gi3/0/28: Power granted
    Oct 17 16:57:57.805: %LINK-3-UPDOWN: Interface GigabitEthernet3/0/28, changed state to up
    Oct 17 16:57:58.807: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/28, changed state to up

This happens fairly infrequently (it's been several months since the last time), but when it does it happens 4-5 times during a 15-minute span. So we see the wifi go up and down several times. There are several VLANs on the AP so I haven't been able to narrow down which wifi network the ARPs are coming from.

My questions are:

- Is there any way to add some debugging so I can see what VLAN/IP the ARPs are coming from?

- Should I just remove the ARP limiting from this port? i.e. Is it normal to see this many ARPs per second from the AP?

jdramer
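
An added example, not part of the original post: a small Python parser that turns the switch log lines quoted above into a per-port summary (peak ARP rate, number of err-disable events, outage time) so incidents can be compared against the configured limit of 256. The function and variable names are illustrative, and the sample is a subset of the lines from the post.

```python
import re
from datetime import datetime

# Log lines copied from the post above, one message per line.
SAMPLE = """\
Oct 17 16:57:18.492: %SW_DAI-4-PACKET_RATE_EXCEEDED: 257 packets received in 922 milliseconds on Gi3/0/28.
Oct 17 16:57:18.492: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi3/0/28, putting Gi3/0/28 in err-disable state
Oct 17 16:57:48.572: %PM-4-ERR_RECOVER: Attempting to recover from arp-inspection err-disable state on Gi3/0/28
Oct 17 16:57:58.807: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet3/0/28, changed state to up
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:.]+): %[A-Z_]+-\d-[A-Z_]+: (.*)$")
RATE = re.compile(r"(\d+) packets received in (\d+) milliseconds on (\S+?)\.?$")
ERRDIS = re.compile(r"arp-inspection error detected on (\S+?),")
LINE_UP = re.compile(r"Line protocol on Interface (\S+?), changed state to up")


def parse_ts(text):
    # Syslog omits the year; pin a leap year so Feb 29 parses. Used for deltas only.
    return datetime.strptime("2000 " + text, "%Y %b %d %H:%M:%S.%f")


def summarize(log):
    """Per port: peak ARP rate (pps), err-disable count, outage durations (s)."""
    ports, down_since = {}, {}
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or non-syslog line
        when, msg = parse_ts(m.group(1)), m.group(2)
        rate, dis, up = RATE.search(msg), ERRDIS.search(msg), LINE_UP.search(msg)
        hit = rate or dis or up
        if not hit:
            continue
        # The port name is the last capture group in each pattern.
        name = hit.group(hit.lastindex).replace("GigabitEthernet", "Gi")
        if up and name not in down_since:
            continue  # link-up that does not follow an err-disable
        port = ports.setdefault(name, {"peak_pps": 0.0, "shutdowns": 0, "outages_s": []})
        if rate:
            pps = int(rate.group(1)) * 1000 / max(int(rate.group(2)), 1)
            port["peak_pps"] = max(port["peak_pps"], pps)
        elif dis:
            port["shutdowns"] += 1
            down_since.setdefault(name, when)
        else:  # line protocol back up: close the outage window
            port["outages_s"].append((when - down_since.pop(name)).total_seconds())
    return ports
```

For the lines in the post this reports a peak of about 279 ARP packets per second and one outage of roughly 40.3 seconds on Gi3/0/28.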