09-16-2021 10:41 PM
Good Day,
I am facing an ARP broadcast issue in my network which causes huge packet drops at endpoints. The only way I have to avoid it is to protect my endpoints with antivirus with network protection enabled. I have observed it is only occurring in a single VLAN. The ARP source is not a single device; it is originating from various devices in my network. Need help to eliminate this issue.
I am attaching a snapshot of the Wireshark packet capture. Thanks a bunch.
09-16-2021 11:12 PM
- As you mention, you may have a virus trying to propagate and/or replicate on the network; make sure your devices are protected.
M.
09-17-2021 12:26 AM
Is there any way to eliminate this issue from the network side instead of the endpoints?
09-16-2021 11:32 PM
Hello,
Not knowing what your network looks like, you could try storm control (on at least the (trunk) interfaces connecting your switches), e.g.:
storm-control broadcast level pps 8000
09-17-2021 12:28 AM
Thank you for your response. Let me do R&D on this to calculate its effect on end users and applications. Will get back to you when I implement this.
09-17-2021 09:57 AM
- As far as 'illegal ARP broadcasting' is concerned, it is always better to eliminate the cause before implementing storm control; the latter should only be applied if the network is observed as being in a normal state.
M.
09-23-2021 10:31 PM
These IPs are not pingable and not from my network.
09-24-2021 07:28 AM
Hello @Hassan Hameed ,
Find where the source unicast MAC address is located in your switches and eventually shut down the port the device is connected to.
If network 10.4.0.x is not part of your network, your packet capture can be showing an attempt to perform network discovery using ARP requests. They are coming from the same source MAC address.
However, open one frame, get the source MAC address and look for it using
show mac address-table address <address>
If you find a port, it is wise to shut it down.
If there are multiple MAC addresses used as source, you may create a quarantine VLAN with no L3 services, and move the ports where these source MAC addresses are learned to the quarantine VLAN; then each affected device should be cleaned and recovered.
Hope this helps
Giuseppe
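A way to do the triage step Giuseppe describes on the capture itself, as an added example that is not from this thread or from Cisco: it parses raw ARP request frames, counts them per source MAC, flags senders that probe addresses outside the local prefix (the 10.4.0.x symptom above), and prints the show mac address-table lookup for each in Cisco's dotted MAC form. The frames, the two MAC addresses and the 192.168.1.0/24 local network are constructed for the example.

```python
import struct
import ipaddress
from collections import Counter
ETHERTYPE_ARP, ARP_REQUEST = 0x0806, 1

def build_arp_request(src_mac: bytes, src_ip: str, target_ip: str) -> bytes:
    """Build an Ethernet/ARP request frame (used here only to construct sample data)."""
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)  # Ethernet/IPv4, hlen 6, plen 4
    arp += src_mac + ipaddress.IPv4Address(src_ip).packed
    arp += b"\x00" * 6 + ipaddress.IPv4Address(target_ip).packed
    return eth + arp

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip, target_ip), or None if the frame is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    sender_mac = frame[22:28].hex(":")
    sender_ip = str(ipaddress.IPv4Address(frame[28:32]))
    target_ip = str(ipaddress.IPv4Address(frame[38:42]))
    return opcode, sender_mac, sender_ip, target_ip

def cisco_mac(mac: str) -> str:
    """Render aa:bb:cc:dd:ee:ff as aabb.ccdd.eeff, the form 'show mac address-table' expects."""
    h = mac.replace(":", "")
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"

def suspicious_arp_sources(frames, local_net: str, threshold: int) -> dict:
    """Count ARP requests per source MAC and report MACs that exceed `threshold`
    requests or that ask for addresses outside `local_net` (sweep behaviour)."""
    net = ipaddress.IPv4Network(local_net)
    requests, offnet = Counter(), Counter()
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REQUEST:
            continue
        _, mac, _, target = parsed
        requests[mac] += 1
        if ipaddress.IPv4Address(target) not in net:
            offnet[mac] += 1
    return {mac: {"requests": n, "offnet": offnet[mac]}
            for mac, n in requests.items() if n > threshold or offnet[mac] > 0}
# Constructed sample: one host sweeping 10.4.0.0/24 (not our network), one host doing normal ARP.
SCANNER, NORMAL = bytes.fromhex("0a1b2c3d4e5f"), bytes.fromhex("001122334455")
SAMPLE_FRAMES = [build_arp_request(SCANNER, "192.168.1.50", f"10.4.0.{i}") for i in range(1, 21)]
SAMPLE_FRAMES.append(build_arp_request(NORMAL, "192.168.1.10", "192.168.1.1"))
if __name__ == "__main__":
    for mac, info in suspicious_arp_sources(SAMPLE_FRAMES, "192.168.1.0/24", 10).items():
        print(f"{mac}: {info['requests']} requests, {info['offnet']} off-net -> "
              f"show mac address-table address {cisco_mac(mac)}")
```

On a real capture, feed the script the raw frames exported from Wireshark instead of SAMPLE_FRAMES and set local_net to the VLAN's own prefix.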
01-16-2022 09:01 PM
Dear, thank you for your detailed response. It helped me.