12-10-2008 07:02 AM
Hi Folks,
Is anyone aware of a config or a bug which would cause a CSS11503 to 10K+ ARP per second for an IP address not even belonging to its configuration?
Software is 7.10.504.
BR
Alan
12-11-2008 01:20 AM
Hi Alan,
Could you be more specific on your question?
What I understand from the question is that you see 10K ARP under show arp table about the IP address which is not configured, am I right?
Regards
Shariff
12-11-2008 01:32 AM
Hi Shariff,
The CSS is sending 10K+ ARP requests onto one of the LAN segments and breaking it. A trace on the LAN segment shows this. These are broadcast ARP from CSS IP address/MAC address on the segment looking for a resolution for an IP that is not configured on the CSS itself, but belongs to a client on the LAN segment. So I can only conclude it is a bug or a DOS attack.
The way the network is configured is that no traffic on this LAN segment should hit CSS except for O&M traffic.
Alan
12-11-2008 03:59 AM
The only time I saw the CSS doing this was when another device was blasting the CSS with traffic to a destination not belonging to the CSS.
The CSS was then just trying to resolve ARP in order to forward the traffic it was receiving.
If you do a 'show dos' on the CSS, do you see anything?
Did you try to sniff other CSS interfaces and see if it is receiving weird traffic?
Gilles.
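Added example, not part of the original thread: one way to confirm from a segment trace which sender is flooding ARP requests and for which target IP, by counting Ethernet ARP requests per one-second window. The MAC and IP addresses, the sample frames, and the 10,000-per-second threshold (taken from the "10K+" figure in the question) are constructed for illustration.

```python
import struct
from collections import Counter

def parse_arp_request(frame):
    """Return (sender_mac, sender_ip, target_ip) for an Ethernet/IPv4 ARP request, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":      # EtherType 0x0806 = ARP
        return None
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, oper=1 (request)
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, 1):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    mac = ":".join(f"{b:02x}" for b in sha)
    return mac, ".".join(map(str, spa)), ".".join(map(str, tpa))

def find_arp_floods(capture, threshold):
    """capture: iterable of (timestamp_seconds, frame_bytes).
    Returns sorted (second, sender_mac, sender_ip, target_ip, count) with count > threshold."""
    counts = Counter()
    for ts, frame in capture:
        req = parse_arp_request(frame)
        if req is not None:
            counts[(int(ts),) + req] += 1
    return sorted(key + (n,) for key, n in counts.items() if n > threshold)

def build_arp_request(sender_mac, sender_ip, target_ip):
    """Build a broadcast ARP request frame (helper for the constructed sample only)."""
    ip = lambda s: bytes(map(int, s.split(".")))
    return (b"\xff" * 6 + sender_mac + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
            + sender_mac + ip(sender_ip) + b"\x00" * 6 + ip(target_ip))

def constructed_capture():
    """Constructed sample: one sender flooding for one target, plus background traffic."""
    lb = bytes.fromhex("00005e005301")      # stands in for the load balancer's MAC
    host = bytes.fromhex("00005e005302")    # an ordinary host on the segment
    flood = build_arp_request(lb, "192.0.2.1", "192.0.2.50")
    normal = build_arp_request(host, "192.0.2.20", "192.0.2.1")
    non_arp = b"\xff" * 12 + b"\x08\x00" + b"\x00" * 28   # IPv4 frame, must be ignored
    capture = [(100 + i / 12000, flood) for i in range(12000)]
    capture += [(100.2, normal), (100.5, normal), (101.1, normal), (100.7, non_arp)]
    return capture

if __name__ == "__main__":
    for second, mac, sip, tip, n in find_arp_floods(constructed_capture(), 10000):
        print(f"t={second}s {mac} ({sip}) sent {n} ARP requests for {tip}")
```

Once the target IP is known, the same per-second counting applied to IP frames destined to that address on the device's other interfaces points at the source of the traffic that triggers the ARPs.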
12-11-2008 04:32 AM
Thanks Gilles,
That makes total sense. Now I just need to work out where and why this traffic is trying to probe this destination IP.
Cheers
Alan
PS. Will CSS try to ARP for every packet it sees for the local destination?