cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8022
Views
4
Helpful
6
Replies

Excessive Arp Traffic

harry.hambi
Level 1
Level 1

Hi, All

Just looking at a pk capture of the network...lots of arp going to ip addresses that dont respond to a ping.

This is causing memory on the switch to deplete. I have jumbo frames enabled.

Any idea on these Arps?.

Rgds.

6 Replies 6

johnspaulding
Level 1
Level 1

Does the IP address come back in DNS? anyway to trace what this is on the subnet?

Peter Paluch
Cisco Employee
Cisco Employee

Hello,

Who is the sender of the ARP requests? I assume it is the router to which the network is connected.

From watching the ARPs coming to your network using a packet sniffer, can you say if they appear as if somebody was trying to connect to each IP address in turn?

I am seeing this phenomenon quite often on publicly accessible networks. Apparently some infected computers out there are trying to check which IPs are alive. They do it by sending some packets to those IPs. The router to which the destination network is connected has to send an ARP request for each particular destination IP but if that IP is not alive, the request will go unanswered.

If this is the case then there is no simple solution. The problem is caused by external machines trying to contact your internal devices. Thus, cautiously filtering the traffic using ACLs and/or other filtering mechanisms would help a lot.

Best regards,

Peter

a.cruea1980
Level 3
Level 3

If you're seeing repeated arps for the same address, then it's possible your ARP cache timer and your MAC table timer aren't aligned.

Hello,

I am perhaps mistaken here but I do not see how "misaligned" MAC aging and ARP requests go together. ARP requests are generated by end hosts regardlessly of when and how switches age their MAC tables and switches can't do anything about it. Correct me please if I'm wrong...

Best regards,

Peter

If your ARP cache timer and MAC aging are not properly aligned, your router will ARP for addresses that don't have a MAC address associated for them. You'll see a lot of ARPs in this case for addresses that simply do not exist.

We see this a lot in our network when computers fall off the network. The Supervisors in our Cat6500s ARP like crazy because their default timer is 4 hours, but the MAC table timer is only 5 minutes. When I stick a sniffer on our network here, I get large amounts of ARPs for addresses that simply don't exist.

Sorry for the late reply.

Another factor that can generate excessive ARP requests is to have a static route point to an Ethernet interface rather than to the next hop address. This is especially the case when the static route is a static default route.

Is it possible that the original poster had a static route pointed to an Ethernet interface?

HTH

Rick

HTH

Rick
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: