cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2156
Views
0
Helpful
5
Replies

ISR G2 ARP flood while routing to non-existent hosts.

kab00m
Level 1
Level 1

Greetings,

I have a router, which can be simplified as this:

SRV <-> (111.111.111.0/24) <-> R1 <-> (provider /30 net with BGP)

R1 is 2901 and also running ZBFW. All the setup is working.

 

If I listen to my network on SRV i see lot of ARP queries from R1 to all the non-existent hosts in this network. I think this is caused by internet traffic when someone try to ping (or connect) to random IP's. I also see these tries on ZBFW log. 

 

I am quite unpleasant of hundreds of junk ARP queries and wish to solve that, but first I have a question: I see ZBFW filtering all connections to my network, but why R1 continue generating ARP-queries?

 

Anyway I have no success disabling arp traffic to non-existent hosts. I was trying:

 

1. Disable ARP. I wanted to use static ARP records for existing hosts, but found no way to disable ARP on interface.

2. Route to Null. I tried to create static route to null0 and static host routes to existing hosts - I found no way to disable connected interface route (which was created automatically).

 

Here I have no ideas why this happens and how to disable it. If you have any idea - thanks in advance. Config parts follows:

 

ip arp proxy disable

!

class-map type inspect match-any pub-ann-cmap
  match access-group name admin-acl
  match access-group name pub-ann-acl

!

policy-map type inspect pub-ann-pmap
  class type inspect pub-ann-cmap
    inspect
  class class-default
    drop log

!

zone security public
zone security private
zone security announced

!

zone-pair security pub-ann source public destination announced
service-policy type inspect pub-ann-pmap

!

interface GigabitEthernet0/1.1190
  encapsulation dot1Q 1190
  ip address 111.111.111.15 255.255.255.0
  zone-member security announced
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 7 X

!

interface GigabitEthernet0/1.2121
  encapsulation dot1Q 2121
  ip address 9.4.4.8 255.255.255.252
  no ip redirects
  no ip unreachables
  zone-member security public
  ip ospf shutdown

ip access-list standard admin-acl
  permit 4.2.2.1
  permit 4.2.2.5
  permit 5.9.6.4
  permit 5.9.6.3
  permit 5.9.1.2
!

ip access-list extended pub-ann-acl
  permit tcp any host 111.111.111.12 eq www
  permit udp any host 111.111.111.12 eq domain
  permit tcp any host 111.111.111.12 eq domain
  permit tcp any host 111.111.111.12 eq 443

 

Sincerely yours.
1 Accepted Solution

Accepted Solutions

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello,

can you try to use /32 static routes to Null0 for non existing hosts IP addresses?

I am not sure you did this, my understanding is that you have tried to route to Null0 the whole subnet.

 

Hope to help

Giuseppe

 

 

View solution in original post

5 Replies 5

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello,

can you try to use /32 static routes to Null0 for non existing hosts IP addresses?

I am not sure you did this, my understanding is that you have tried to route to Null0 the whole subnet.

 

Hope to help

Giuseppe

 

 

Thanks, as a workaround that works. Is there any explanation why ARP flooding happens?
Sincerely yours.

Hello kab00mbupu,

I am happy that the suggested workaround works for your router.

 

About the ARP activity of the router:

if the incoming sessions are to be dropped by ZBFW, the router should not even try to perform the ARP request fon an host in ther other zone.

This looks like to be either a SW bug or a side effect of the drop log option in class class-default.

I mean that the router may be trying to perform the ARP request triggered by the log option in order to get additional info about the denied flow.

 

I understand that for security reasons you want to know what you are dropping.

 

I have made a search in Bug search tool and there are 43 bugs related to ZBFW in C2901. But no one mentions issues of ZBFW with ARP in their title.

 

Hope to help

Giuseppe

 

About the ARP activity of the router:

if the incoming sessions are to be dropped by ZBFW, the router should not even try to perform the ARP request fon an host in ther other zone.

This looks like to be either a SW bug or a side effect of the drop log option in class class-default.

I mean that the router may be trying to perform the ARP request triggered by the log option in order to get additional info about the denied flow.

This seems not to be true. I have changed drop log to drop and nothing changes. I do not think its SW-bug, so I will try to inspect traffic to understand where it is generated - there are so many protocols included in 2901, I may have something configured wrong.

 

One more thing - there are only few dropped&logged connections, but lot of ARP queries, it seems not internet traffic generating them. When I remove my /25 routes - ARP's are injected into network immediately for all hosts - that is very suspicious.

Sincerely yours.

I also modified your solution - adding two /25 routes solve the problem not making you to spoil routing part of configuration with lot of /32 routes. Thank you once again!
Sincerely yours.
Review Cisco Networking for a $25 gift card