Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2167
Views
0
Helpful
5
Replies

Cisco Nexus 9K - Behavior Duplicate Address

Go to solution
Netmart
Level 1
Level 1

‎05-09-2020 07:04 PM

Hello,

Running a capture on Cisco 9K, duplicate use of VIP 10.1.1.1 has been detected.

How does Nexus 9K treat this duplicate entries - is it going to drop these packets; sender does receive any ARP reply from Nexus N9K.

 

Please advise.

 

! Incoming ARP BCAST Request

2020-05-09 21:37:42.745870 00:11:22:00:00:34 -> ff:ff:ff:ff:ff:ff ARP Who has 10.1.1.20?  Tell 10.1.1.1

 

!N9K detects duplicate use

2020-05-09 21:37:45.795852 00:00:0c:9f:fa:93 -> ff:ff:ff:ff:ff:ff ARP Gratuitous ARP for 10.1.1.1 (Request) (duplicate use of 10.1.1.1 detected!)

 

N9K# sh mac address-table | i 100

G 100    0000.0c9f.fa93   static   -         F      F    sup-eth1(R)

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Sergiu.Daniluk
VIP Alumni
VIP Alumni
In response to Netmart

‎05-10-2020 12:11 PM

Hi @Netmart 

Sorry for the confusion. Allow me to rephrase it. Traffic generated by the rouge IP will be forwarded as any other traffic. Also, L2 traffic destined to the rouge mac address will be forwarded (as the MAC address will be present in mac table). When will there be L2 traffic destined to the MAC address, you may ask? Well, when servers/devices will want to send traffic HSRP VIP, but they will receive an ARP from the rouge device. Ofc this will happen for a very short period of time, until the legit GARP is received from Nexus, but this period is enough to disrupt the communication.

On the other hand, since ARP cannot be installed in ARP table, routed traffic will not be forwarded to the rouge device, If there is any traffic destined to the VIP, it will be consumed by the nexus.

Let me know what other questions you have.

Regards,

Sergiu

View solution in original post

0 Helpful
5 Replies 5

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎05-10-2020 12:40 AM

Is this new configuration you try to configure on nexus and having issue ?

 

1. Do you running any HSPR between nexus vPC pair, make sure both the HSRP running same version v2

2. if not the abvoe case, Find out what is the MAC address and what port connected to verify by turn off or remove from the network.

 

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Sergiu.Daniluk
VIP Alumni
VIP Alumni

‎05-10-2020 12:57 AM

Hi,

Looking at the source MAC which generates the ARP requests:

2020-05-09 21:37:42.745870 00:11:22:00:00:34 -> ff:ff:ff:ff:ff:ff ARP Who has 10.1.1.20?  Tell 10.1.1.1

This looks like a non-cisco device. Meaning that this is an incorrect IP address configured on a device in the network, considering that 10.1.1.1 is the HSRP VIP for group 2707 (00:00:0c:9f:fa:93).

The behavior/response of N9K in this scenarios is pretty simple:

  • N9K detects and informs the administrator & network about the duplicate (syslog + GARP).
  • It will not update the ARP table with the 10.1.1.1 / 00:11:22:00:00:34 (rouge mac)

The 9K switch will NOT drop packets generated by the rouge source 10.1.1.1. It will forward them as any other traffic.

 

Best regards,

Sergiu

 

0 Helpful

Go to solution
Netmart
Level 1
Level 1
In response to Sergiu.Daniluk

‎05-10-2020 10:24 AM

Hello Sergiu,

Thank you for sharing with me your thoughts on this incident.

So on the one hand Cisco Nexus 9K will not update the ARP table with the 10.1.1.1 / 00:11:22:00:00:34 (rouge mac), but on the other hand you are saying "it will forward it as any other traffic." If this is the case, where does it forwarding to and should N9K respond to this rouge MAC with an ARP reply as it does with any other ARP request?

 

Please advise.

 

Thanks,

Netmart

 

 

0 Helpful

Go to solution
Sergiu.Daniluk
VIP Alumni
VIP Alumni
In response to Netmart

‎05-10-2020 12:11 PM

Hi @Netmart 

Sorry for the confusion. Allow me to rephrase it. Traffic generated by the rouge IP will be forwarded as any other traffic. Also, L2 traffic destined to the rouge mac address will be forwarded (as the MAC address will be present in mac table). When will there be L2 traffic destined to the MAC address, you may ask? Well, when servers/devices will want to send traffic HSRP VIP, but they will receive an ARP from the rouge device. Ofc this will happen for a very short period of time, until the legit GARP is received from Nexus, but this period is enough to disrupt the communication.

On the other hand, since ARP cannot be installed in ARP table, routed traffic will not be forwarded to the rouge device, If there is any traffic destined to the VIP, it will be consumed by the nexus.

Let me know what other questions you have.

Regards,

Sergiu

0 Helpful

Go to solution
Netmart
Level 1
Level 1
In response to Sergiu.Daniluk

‎05-10-2020 04:02 PM

Thank you Sergio. Yes that makes things clearer.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card