Flood of ARP entries on management VLAN

johnelliot6
Level 2

Hi,

Got a strange problem - we have vlan11 as the management VLAN on a Cisco 2960s switch, a 2960g switch and a 7200.

7200 has trunk -> 2960g, 2960g has portchan -> 2960s

2960s

#sh vlan id 11

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
11   CORE_MANAGEMENT            active    Po2

#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  xxx.xxx.79.193          0   000c.cf73.7c1b  ARPA   Vlan11
Internet  xxx.xxx.79.197          -   a0cf.5b87.ec41  ARPA   Vlan11


2960g

#sh vlan id 11

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
11   CORE_MANAGEMENT            active    Gi0/2, Gi0/46, Po2

#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  xxx.xxx.119.71         57   000c.cf73.7c1b  ARPA   Vlan11
Internet  xxx.xxx.153.190         195   000c.cf73.7c1b  ARPA   Vlan11
Internet  xxx.xxx.157.153          61   000c.cf73.7c1b  ARPA   Vlan11
Internet  xxx.xxx.76.14         121   000c.cf73.7c1b  ARPA   Vlan11
Internet  xxx.xxx.195.94         203   000c.cf73.7c1b  ARPA   Vlan11
...
(Over a thousand entries show up, each with the 7200's MAC (which connects via Gi0/46), but the IPs are ones learnt from BGP and OSPF. The IPs do not seem to have any pattern, i.e. some of the IPs are learnt from our internal OSPF, some from BGP peering sessions with upstreams; none of the associated interfaces are in VLAN 11.)

If I do a sh arp on the 7200 for the dot1q (vlan11) int, there are only the IPs/MACs from our switches...certainly not 1000+ entries?

The only difference I can see between the 2 switches setup is the vlan interface:

2960s

interface Vlan11
description _MANAGEMENT
ip address xxx.xxx.79.197 255.255.255.240
end

vs

2960g

interface Vlan11
description _MANAGEMENT
ip address xxx.xxx.79.196 255.255.255.240
no ip route-cache

i.e. the 2960g has "no ip route-cache" - could this possibly cause the issue I'm seeing?

1 Accepted Solution

Accepted Solutions

Richard Burts
Hall of Fame

I do not believe that no ip route-cache is causing this issue. I believe that the problem is that the 2960g does not have a default-gateway configured. Without a default gateway the 2960g will ARP for every remote destination address - and if the 7200 has proxy arp enabled then it will respond to each of these arp requests using its own MAC address as the destination MAC.

My suggestion is to check the 2960g for a default gateway, and assuming that you find that one is not configured then configure a default gateway pointing at the 7200.

HTH

Rick

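The pattern Rick describes (one upstream MAC answering for hundreds of addresses that are not on the management subnet) is easy to check for from a captured `show arp`. The following Python script is an added example, not code from the thread or from Cisco; it assumes you pass in the captured table text and the SVI's own subnet, and its sample table is constructed with RFC 5737 documentation addresses rather than the poster's.

```python
import ipaddress
import re
from collections import Counter

# Matches one data row of Cisco IOS 'show arp'; the age column is '-' for the SVI itself.
ARP_ROW = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+ARPA\s+(?P<intf>\S+)$"
)

def parse_show_arp(text):
    """Return (ip, mac, interface) tuples for every ARP row in the captured output."""
    rows = []
    for line in text.splitlines():
        m = ARP_ROW.match(line.strip())
        if m:
            rows.append((m["ip"], m["mac"].lower(), m["intf"]))
    return rows

def find_off_subnet_sinks(rows, svi_subnet, threshold=3):
    """Count, per MAC, the ARP entries whose IP lies outside the SVI's own subnet.

    A healthy management VLAN only holds on-subnet neighbours, one MAC each. One MAC
    answering for many off-subnet addresses is the symptom in this thread (no default
    gateway on the switch plus proxy ARP on the router) and also what a host posing
    as the gateway would look like, so it is worth alerting on either way.
    """
    net = ipaddress.ip_network(svi_subnet)
    off_subnet = Counter()
    for ip, mac, _ in rows:
        if ipaddress.ip_address(ip) not in net:
            off_subnet[mac] += 1
    return {mac: n for mac, n in off_subnet.items() if n >= threshold}

# Constructed sample in the same layout as the 2960g output above; the addresses
# are documentation ranges, the SVI subnet mirrors the /28 used in the thread.
SAMPLE_2960G = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.196             -   a0cf.5b87.ec41  ARPA   Vlan11
Internet  192.0.2.193             0   000c.cf73.7c1b  ARPA   Vlan11
Internet  198.51.100.71          57   000c.cf73.7c1b  ARPA   Vlan11
Internet  198.51.100.190        195   000c.cf73.7c1b  ARPA   Vlan11
Internet  203.0.113.153          61   000c.cf73.7c1b  ARPA   Vlan11
Internet  203.0.113.14          121   000c.cf73.7c1b  ARPA   Vlan11
"""

if __name__ == "__main__":
    sinks = find_off_subnet_sinks(parse_show_arp(SAMPLE_2960G), "192.0.2.192/28")
    for mac, count in sinks.items():
        print(f"{mac} answers for {count} addresses outside the Vlan11 subnet")
```

Run it against the real `show arp` text from each switch; after the default gateway is configured the off-subnet count for the router's MAC should drop to zero once the stale entries age out.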

7 Replies

Rick - You are a legend!!  That was it...no default gw on the 2960g

The existing ARP entries on the 2960g will time out I assume, and disappear?

I am glad that my suggestion did lead you to the cause of the problem. Thank you for using the rating system to mark the question as answered - and thanks for the points.

It is possible that the ARP entries on the 2960g will just go away since they are no longer needed. But I am not sure that they will. In most Cisco devices the Cisco will clear an ARP entry when it expires (usually every 4 hours) but it will issue a new ARP request for the address and if it receives a response it will create a new entry in the ARP table. I am guessing that this may happen with the 2960g. If that is the case then I have two suggestions that will clear it up.

1) on the 7200 change the configuration to remove proxy arp (at least temporarily). If the 7200 is no longer responding to the ARP requests for remote addresses then the ARP table on the 2960g will clear up in about 4 hours. (This would work assuming that there is not anything else that needs proxy arp on the 7200 to work.)

2) shut down (briefly) the interface connecting the 2960g and the 7200. If the interface goes down the ARP table will be flushed and can not be re-learned. Then bring the interface back up and things will be back to normal with a very small arp table. This is quicker but a bit more intrusive than turning off proxy arp.

HTH

Rick

Thanks Rick - The 7200 has a number of dot1q subints....will disabling proxy arp on the physical gig int, "apply" the setting to all the dot1q ints, or must I disable proxy arp on all the dot1q subints?

no ip proxy-arp is an interface level command. So you only need to apply it on the interface connecting the 7200 to the 2960g. There is no need to put it on all the interfaces - unless you have decided to change your general policy and to not have it enabled on all interfaces. But if you do want it to apply to every interface then you must configure it on every interface.

HTH

Rick

Thanks again for your assistance Rick

I am glad that I was able to help to resolve your issue. It was an interesting question to figure out and a fairly unusual issue. I am glad that you brought it up in the forum and hope that other users will benefit from reading this thread.

HTH

Rick