Showing results for 
Search instead for 
Did you mean: 

ARP Reply-to-Broadcast


Im seeing a Huge amount of events related with the signature ARP Reply-to-Broadcast 7102.

The sensor saw an ARP Reply packet with its payload Destination MAC containing a broadcast address. This is not normal traffic and can indicate an ARP poisioning attack. Note: This signature is only available in Cisco IDS versions 4.0 and greater.

Benign Triggers
No known triggers.

It says that there are not Benign triggers. Im Dropping the packets related with this signature.... Should I Drop the packets to avoid ARP Poisioning??

I do not want to drops benign packets but it seems that this signature will not fire with benign packets.  Any advise will be really appreciated.

3 Replies 3

Level 1
Level 1

Is the traffic coming from your network or the outside?  If inside, I'd track it down and investigate the device sending the packets.  If outside, contact the admin of that network and discuss with them.

Level 7
Level 7

This can be caused by devices that perform an unsolicited, or Gratuitous ARP replies.

Load balancers, High Availbility pairs (dual NICs in a host, dual firewalls, etc) will send a broad cast ARP reply to update everyones ARP table so that know what MAC to send frames for the shared IP address.

Here's some reading on the subject:

You should trace down the device by i's MAC address to determine if this is the case or not.

- Bob

Justin Teixeira
Level 1
Level 1

Bob's answer regarding gratuitous ARP from clustering/HA is spot on.  I'll look into getting the SIO entry updated to reflect the fact that these are known benign triggers.


Review Cisco Networking for a $25 gift card