
CSS11503 Flooding ARP

alanwright1
Level 1

Hi Folks,

Is anyone aware of a config or a bug which would cause a CSS11503 to send 10K+ ARP per second for an IP address not even belonging to its configuration?

Software is 7.10.504.

BR

Alan

4 Replies

inayathulla1
Level 1

Hi Alan,

Could you be more specific in your question?

What I understand from the question is that you see 10K ARP under show arp table about the IP address which is not configured. Am I right?

Regards

Shariff

Hi Shariff,

The CSS is sending 10K+ ARP requests onto one of the LAN segments and breaking it. A trace on the LAN segment shows this. These are broadcast ARP from CSS IP address/MAC address on the segment looking for a resolution for an IP that is not configured on the CSS itself, but belongs to a client on the LAN segment. So I can only conclude it is a bug or a DOS attack.

The way the network is configured is that no traffic on this LAN segment should hit CSS except for O&M traffic.

Alan

The only time I saw the CSS doing this was when another device was blasting the CSS with traffic to a destination not belonging to the CSS.

The CSS was then just trying to resolve ARP in order to forward the traffic it was receiving.

If you do a 'show dos' on the CSS, do you see anything?

Did you try to sniff other CSS interfaces and see if it is receiving weird traffic?

Gilles.
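
The check Gilles describes above (sniff the CSS interfaces and look for traffic it is being asked to forward) can be run offline over a capture summary. This is an added example, not part of the original thread: it flags a sender whose broadcast ARP request rate for one target exceeds a threshold, then lists which hosts are sending IP packets to that sender's MAC for the same target. The frame tuple layout, addresses, threshold and function names are all constructed for illustration.

```python
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"

def arp_floods(frames, threshold):
    """Return {(sender_mac, target_ip): peak requests/sec} for pairs above threshold."""
    per_second = Counter()
    for sec, kind, src_mac, dst_mac, _src_ip, dst_ip in frames:
        if kind == "arp" and dst_mac == BROADCAST:
            per_second[(src_mac, dst_ip, sec)] += 1
    peaks = {}
    for (mac, target, _sec), n in per_second.items():
        if n > threshold:
            peaks[(mac, target)] = max(n, peaks.get((mac, target), 0))
    return peaks

def traffic_sources(frames, router_mac, target_ip):
    """Count IP packets handed to router_mac at layer 2 but destined to target_ip."""
    talkers = Counter()
    for _sec, kind, src_mac, dst_mac, src_ip, dst_ip in frames:
        if kind == "ip" and dst_mac == router_mac and dst_ip == target_ip:
            talkers[(src_mac, src_ip)] += 1
    return talkers

def build_sample():
    # Constructed frames: (second, kind, src_mac, dst_mac, src_ip, dst_ip).
    # For kind "arp", dst_ip is the address being resolved.
    css_mac, css_ip = "00:00:5e:00:53:01", "192.0.2.1"
    noisy_mac, noisy_ip = "00:00:5e:00:53:77", "198.51.100.77"
    target = "192.0.2.50"
    frames = [(0, "arp", css_mac, BROADCAST, css_ip, "192.0.2.10")]  # background ARP
    for sec in (1, 2):
        for _ in range(1500):
            # The packet-to-ARP ratio here is arbitrary, not a claim about the CSS.
            frames += [(sec, "ip", noisy_mac, css_mac, noisy_ip, target)] * 2
            frames.append((sec, "arp", css_mac, BROADCAST, css_ip, target))
    return frames

if __name__ == "__main__":
    frames = build_sample()
    for (mac, target), peak in arp_floods(frames, threshold=1000).items():
        print(f"{mac} peaks at {peak} ARP req/s for {target}")
        for (src_mac, src_ip), n in traffic_sources(frames, mac, target).most_common(3):
            print(f"  {n} packets for {target} arrive from {src_ip} ({src_mac})")
```

The second step only finds the source if the capture includes the interface where the offending traffic arrives, which is why sniffing the other CSS interfaces matters.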

Thanks Gilles,

That makes total sense. Now I just need to work out where and why this traffic is trying to probe this destination IP.

Cheers

Alan

PS. Will CSS try to ARP for every packet it sees for the local destination?
