Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
548
Views
5
Helpful
2
Replies

Inappropriate arp requests

rob
Level 1
Level 1

‎06-28-2004 02:09 PM - edited ‎03-02-2019 04:41 PM

Hi - I have a gsr12012 with a GigE interface divided into two logical networks using 802.1q

Recently On one of the networks Ive started seeing 30pps of outbound broadcast traffic originating from this router address 81.x.x.x to non existent address which are in the 10.x.x.x (rfc1918)range

see example-

Internet 10.26.209.198 0 Incomplete ARPA

Internet 10.26.210.202 0 Incomplete ARPA

Internet 10.26.211.202 0

If I debug the arp the interface sends the request out-Jun 28 22:04:36.518: IP ARP: sent req src 81.6.205.3 0002.17ed.68aa,

dst 10.26.242.162 0000.0000.0000 GigabitEthernet2/0.2

But I dont have any networks of this range on this router. Ive upgraded the IOS and can only suspect a dodgy interface but was wondering if anyone had seen anything like this before

Interface config

interface GigabitEthernet2/0.2

description transit-xchange

encapsulation dot1Q 1045

ip address 81x.x.x x.x.x.x

ip access-group 2010 in

ip access-group 147 out

no ip redirects

no ip directed-broadcast

no ip proxy-arp

no cdp enable

!

Any help as always gratefully appreciated

Thanks

Labels:
0 Helpful
2 Replies 2

aretana
Level 1
Level 1

‎06-28-2004 02:55 PM

Hi!

In general, the only time a router will ARP for something not on the local interface is when it thinks the destination is on the local interface. ;-)

This usually means that you have a misconfigured mask on the interface (which you didn't include in the config)...or maybe that a default (in this case) static route is pointing to the interface.

In any case, I would probably concentrate more on finding out why this router is trying to ARP for things not in your network -- looks like the router may be trying to answer to those addresses...maybe a sign of someone scanning your network, some type of attempt to break into the router, etc..

Alvaro.

alvaro@cisco.com

rob
Level 1
Level 1
In response to aretana

‎06-29-2004 12:47 AM

Hi Alvaro,thanks for your response

You got me thinking when you said about the static route to the interface so I checked the static table and yep someones decided to put on my fully meshed bgp router a default route to the interface!

large sigh

thanks again

0 Helpful
Customers Also Viewed These Support Documents