03-17-2010 01:07 AM - edited 03-06-2019 10:10 AM
Hi,
One of the Cat 6500 VSS switches has been experiencing high CPU peaks for some time. On analysis it was observed that it was due to the high 'ARP Input' process. There are no static routes configured on this switch, no incomplete ARP entries or any inferences of a DoS attack.
DIST_SW>sh proc cpu
CPU utilization for five seconds: 98%/31%; one minute: 79%; five minutes: 37%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
5 39583544 2366177 16728 0.00% 0.24% 0.36% 0 Check heaps
8 234378596 161314924 1452 61.43% 45.63% 17.09% 0 ARP Input
20 1373772961296358745 105 0.00% 0.53% 0.53% 0 IPC Seat Manager
I suspect it could be due to "proxy-arp" being turned on by default under the interfaces, and I am arranging to disable it. I've also started engaging server teams to verify that the subnet mask and default gateway are configured correctly on all the servers, along with any static routes configured pointing to a NIC as next-hop.
UK_PR_DIST_02>sh ip traffic | b ARP
ARP statistics:
Rcvd: 1752882295 requests, 30808911 replies, 3228 reverse, 0 other
Sent: 4517117 requests, 1450623731 replies (1437736195 proxy), 0 reverse
Drop due to input queue full: 0
Apart from proxy-arp, is there anything that I need to check?
03-17-2010 02:42 AM
Hi
Maybe try a packet cap to see what is generating all the ARP packets...
Aaron
03-17-2010 05:24 AM
Hi, thanks for your reply. I had already sniffed the traffic and shared the IP/MAC addresses of the hosts involved in ARP broadcasts. However, the server admin didn't find any anomaly with the NIC settings. Disabling proxy ARP is more about protecting switches from being hit by an ARP storm.
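Added example, not part of the original thread: a Python sketch that parses the ARP counters from the "sh ip traffic" output posted above and reports how much of the reply load is proxy ARP. The function names are made up for this example, and rates() assumes two snapshots taken a known number of seconds apart, since the counters are cumulative.

```python
import re

# ARP statistics block copied from the first post in this thread.
SNAPSHOT = """\
ARP statistics:
Rcvd: 1752882295 requests, 30808911 replies, 3228 reverse, 0 other
Sent: 4517117 requests, 1450623731 replies (1437736195 proxy), 0 reverse
Drop due to input queue full: 0
"""

RCVD = re.compile(r"Rcvd:\s*(\d+) requests, (\d+) replies")
SENT = re.compile(r"Sent:\s*(\d+) requests, (\d+) replies \((\d+) proxy\)")
DROP = re.compile(r"Drop due to input queue full:\s*(\d+)")


def parse_arp_stats(text):
    """Return the ARP counters from 'show ip traffic' output as a dict."""
    rcvd, sent, drop = RCVD.search(text), SENT.search(text), DROP.search(text)
    if not (rcvd and sent):
        raise ValueError("ARP statistics block not found")
    return {
        "rcvd_requests": int(rcvd.group(1)),
        "rcvd_replies": int(rcvd.group(2)),
        "sent_requests": int(sent.group(1)),
        "sent_replies": int(sent.group(2)),
        "sent_proxy": int(sent.group(3)),
        "input_drops": int(drop.group(1)) if drop else 0,
    }


def proxy_share(stats):
    """Fraction of the replies this device sent that were proxy ARP replies."""
    sent = stats["sent_replies"]
    return stats["sent_proxy"] / sent if sent else 0.0


def rates(before, after, seconds):
    """Per-second rate of each counter between two snapshots."""
    return {key: (after[key] - before[key]) / seconds for key in before}


if __name__ == "__main__":
    s = parse_arp_stats(SNAPSHOT)
    print(f"proxy share of sent replies: {proxy_share(s):.1%}")
    ratio = s["sent_replies"] / s["rcvd_requests"]
    print(f"replies sent per request received: {ratio:.2f}")
```

Comparing two snapshots taken before and after disabling proxy ARP on the interfaces shows whether the proxy reply rate and the ARP Input load drop together.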