05-28-2019 02:43 PM
Greetings,
I have a router, which can be simplified as this:
SRV <-> (111.111.111.0/24) <-> R1 <-> (provider /30 net with BGP)
R1 is 2901 and also running ZBFW. All the setup is working.
If I listen to my network on SRV I see a lot of ARP queries from R1 to all the non-existent hosts in this network. I think this is caused by internet traffic when someone tries to ping (or connect to) random IPs. I also see these tries in the ZBFW log.
I am quite unhappy about hundreds of junk ARP queries and wish to solve that, but first I have a question: I see ZBFW filtering all connections to my network, but why does R1 continue generating ARP queries?
Anyway, I have had no success disabling ARP traffic to non-existent hosts. I was trying:
1. Disable ARP. I wanted to use static ARP records for existing hosts, but found no way to disable ARP on the interface.
2. Route to Null. I tried to create a static route to Null0 and static host routes to existing hosts; I found no way to disable the connected interface route (which was created automatically).
Here I have no idea why this happens or how to disable it. If you have any idea, thanks in advance. Config parts follow:
ip arp proxy disable
!
class-map type inspect match-any pub-ann-cmap
match access-group name admin-acl
match access-group name pub-ann-acl
!
policy-map type inspect pub-ann-pmap
class type inspect pub-ann-cmap
inspect
class class-default
drop log
!
zone security public
zone security private
zone security announced
!
zone-pair security pub-ann source public destination announced
service-policy type inspect pub-ann-pmap
!
interface GigabitEthernet0/1.1190
encapsulation dot1Q 1190
ip address 111.111.111.15 255.255.255.0
zone-member security announced
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 X
!
interface GigabitEthernet0/1.2121
encapsulation dot1Q 2121
ip address 9.4.4.8 255.255.255.252
no ip redirects
no ip unreachables
zone-member security public
ip ospf shutdown
!
ip access-list standard admin-acl
permit 4.2.2.1
permit 4.2.2.5
permit 5.9.6.4
permit 5.9.6.3
permit 5.9.1.2
!
ip access-list extended pub-ann-acl
permit tcp any host 111.111.111.12 eq www
permit udp any host 111.111.111.12 eq domain
permit tcp any host 111.111.111.12 eq domain
permit tcp any host 111.111.111.12 eq 443
05-29-2019 02:46 AM
Hello,
can you try to use /32 static routes to Null0 for the non-existing hosts' IP addresses?
I am not sure you did this; my understanding is that you have tried to route the whole subnet to Null0.
Hope to help
Giuseppe
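The suggestion above works because a static route with a longer prefix than the connected /24 wins the longest-match lookup, so the router drops the packet at Null0 instead of ARPing on the LAN. Writing one /32 per unused address by hand is tedious for a /24, so here is an added example (my own code, not from the thread or from Cisco) that generalises the idea: given the subnet and the list of hosts that really exist, it computes the smallest set of CIDR blocks that covers every unused address without touching a live host, and prints the matching IOS `ip route ... Null0` lines. The subnet and host addresses below are the ones from the original post; treat the router's own interface address as a live host, otherwise it would be null-routed too.

```python
import ipaddress


def null_route_blocks(subnet, live_hosts):
    """Return the minimal list of ip_network blocks that cover every
    address of `subnet` except those in `live_hosts`.  Every block is
    more specific than the connected route, so a static route for it to
    Null0 is preferred and the router never sends an ARP request for
    addresses inside it."""
    net = ipaddress.ip_network(subnet, strict=True)
    live = sorted({ipaddress.ip_address(h) for h in live_hosts})
    for h in live:
        if h not in net:
            raise ValueError(f"{h} is not inside {net}")

    lo, hi = int(net.network_address), int(net.broadcast_address)
    blocks = []
    cursor = lo                      # first address not yet classified
    for h in live:
        h_int = int(h)
        if h_int > cursor:           # gap of unused addresses before h
            blocks.extend(ipaddress.summarize_address_range(
                ipaddress.ip_address(cursor), ipaddress.ip_address(h_int - 1)))
        cursor = h_int + 1
    if cursor <= hi:                 # trailing gap up to the broadcast address
        blocks.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(cursor), ipaddress.ip_address(hi)))
    return blocks


def ios_null_routes(subnet, live_hosts):
    """Render the blocks as IOS static routes to Null0 (dotted netmask)."""
    return [f"ip route {b.network_address} {b.netmask} Null0"
            for b in null_route_blocks(subnet, live_hosts)]


def covers_live_host(blocks, live_hosts):
    """Safety check: True if any generated block would black-hole a live host."""
    return any(ipaddress.ip_address(h) in b for b in blocks for h in live_hosts)


if __name__ == "__main__":
    # Addresses taken from the original post: SRV is .12, R1's interface is .15.
    subnet = "111.111.111.0/24"
    live = ["111.111.111.12", "111.111.111.15"]
    blocks = null_route_blocks(subnet, live)
    assert not covers_live_host(blocks, live)
    print("\n".join(ios_null_routes(subnet, live)))
```

Run it and paste the printed lines into the router config. The route set has to be maintained: when a new host is added to the LAN its address must be carved out of the null-routed blocks again, or the router will silently drop traffic to it. The network and broadcast addresses end up null-routed as well, which is harmless.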
05-29-2019 03:47 AM
05-29-2019 04:44 AM
Hello kab00mbupu,
I am happy that the suggested workaround works for your router.
About the ARP activity of the router:
if the incoming sessions are to be dropped by ZBFW, the router should not even try to perform the ARP request for a host in the other zone.
This looks like either a SW bug or a side effect of the drop log option in class class-default.
I mean that the router may be trying to perform the ARP request triggered by the log option in order to get additional info about the denied flow.
I understand that for security reasons you want to know what you are dropping.
I have made a search in the Bug Search Tool and there are 43 bugs related to ZBFW on the C2901, but none of them mentions issues of ZBFW with ARP in its title.
Hope to help
Giuseppe
05-29-2019 11:11 AM
About the ARP activity of the router:
if the incoming sessions are to be dropped by ZBFW, the router should not even try to perform the ARP request for a host in the other zone.
This looks like either a SW bug or a side effect of the drop log option in class class-default.
I mean that the router may be trying to perform the ARP request triggered by the log option in order to get additional info about the denied flow.
This seems not to be true. I have changed drop log to drop and nothing changes. I do not think it's a SW bug, so I will try to inspect traffic to understand where it is generated; there are so many protocols included in the 2901, I may have something configured wrong.
One more thing: there are only a few dropped & logged connections but a lot of ARP queries, so it seems it is not internet traffic generating them. When I remove my /25 routes, ARPs are injected into the network immediately for all hosts; that is very suspicious.
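The plan in the post above is to capture traffic and work out which device is generating the ARP requests and whether they are ever answered. As an added example (my own code, not from the thread), the script below does that bookkeeping over `tcpdump`-style ARP lines: it counts `who-has` requests per sender, marks a target as answered when an `is-at` reply for it is seen, and flags senders that keep asking for addresses nobody answers. The capture lines in the script are constructed to mirror the setup in the thread (R1 at .15 probing unused addresses, SRV at .12) and are not real output from the poster's network; the line format is the one tcpdump prints without `-e`.

```python
import re
from collections import Counter, defaultdict

# tcpdump prints ARP like:
#   12:00:01.000001 ARP, Request who-has 111.111.111.77 tell 111.111.111.15, length 28
#   12:00:01.000200 ARP, Reply 111.111.111.12 is-at 00:11:22:33:44:55, length 28
REQ = re.compile(r"ARP, Request who-has (\S+) tell (\S+),")
REP = re.compile(r"ARP, Reply (\S+) is-at (\S+),")

# Constructed sample capture (not real data from the thread): R1 (.15) asks
# once for SRV (.12), which answers, and repeatedly for addresses that never
# reply; SRV asks once for R1, which answers.
SAMPLE_CAPTURE = """\
12:00:01.000001 ARP, Request who-has 111.111.111.12 tell 111.111.111.15, length 28
12:00:01.000200 ARP, Reply 111.111.111.12 is-at 00:11:22:33:44:55, length 28
12:00:02.000001 ARP, Request who-has 111.111.111.77 tell 111.111.111.15, length 28
12:00:02.500001 ARP, Request who-has 111.111.111.78 tell 111.111.111.15, length 28
12:00:03.000001 ARP, Request who-has 111.111.111.79 tell 111.111.111.15, length 28
12:00:04.000001 ARP, Request who-has 111.111.111.77 tell 111.111.111.15, length 28
12:00:05.000001 ARP, Request who-has 111.111.111.15 tell 111.111.111.12, length 28
12:00:05.000150 ARP, Reply 111.111.111.15 is-at 00:aa:bb:cc:dd:ee, length 28
""".splitlines()


def summarize_arp(lines):
    """Per sender IP: total requests, distinct targets, and how many of
    those targets/requests never received an is-at reply in the capture."""
    requests = defaultdict(Counter)   # sender -> Counter(target -> count)
    answered = set()                  # targets for which a reply was seen
    for line in lines:
        m = REQ.search(line)
        if m:
            target, sender = m.group(1), m.group(2)
            requests[sender][target] += 1
            continue
        m = REP.search(line)
        if m:
            answered.add(m.group(1))

    report = {}
    for sender, targets in requests.items():
        unanswered = {t: n for t, n in targets.items() if t not in answered}
        report[sender] = {
            "requests": sum(targets.values()),
            "distinct_targets": len(targets),
            "unanswered_targets": len(unanswered),
            "unanswered_requests": sum(unanswered.values()),
        }
    return report


def noisy_senders(report, min_unanswered_targets=3):
    """Senders asking for at least `min_unanswered_targets` addresses that
    never answer: on a small LAN that is the host scanning for ghosts."""
    return sorted(s for s, r in report.items()
                  if r["unanswered_targets"] >= min_unanswered_targets)


if __name__ == "__main__":
    rep = summarize_arp(SAMPLE_CAPTURE)
    for sender, r in sorted(rep.items()):
        print(sender, r)
    print("noisy:", noisy_senders(rep))
```

To use it on a real capture, feed it `tcpdump -n -i <iface> arp` output, or `sys.stdin`. A sender with many distinct unanswered targets is the box doing the probing; in the thread's case that should be R1, and the next step is to look at what is triggering those lookups on R1 rather than at the LAN.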
05-29-2019 11:03 AM