strange arp problem

Sebastian Helmer
Contributor

Dear all,

I have a host that hits the CPU of the core switch almost once a week. Do you have any ideas how I can prevent that?

I see at the core in the debug arp this:

Aug 25 06:31:50: IP ARP: arp_process_request: 0.0.0.0, hw: 0019.9974.c20a; rc: 3
Aug 25 06:31:50: IP ARP: rcvd rep src 0.0.0.0 0019.9974.c20a, dst 10.0.0.1 Vlan10
Aug 25 06:31:50: IP ARP: ignored gratuitous arp src 0.0.0.0 0019.9974.c20a, dst 10.0.0.1 c464.132d.d4c3, interface Vlan10
Aug 25 06:31:50: IP ARP: sent rep src 10.0.0.1 c464.132d.d4c3, dst 0.0.0.0 0019.9974.c20a Vlan10

I then followed the MAC with "sho mac add add 0019.9974.c20a" and see it on port 1/0/10 on switch XYZ.

There I configured some storm-control, but it is not working as I hoped. I also played with lower levels like 1% and no pps, as configured here, but also no match.

Port config where I found the MAC address:

switchport access vlan 10
switchport mode access
switchport port-security violation protect
storm-control broadcast level pps 100
storm-control multicast level 50.00
storm-control action trap
no cdp enable
no cdp tlv server-location
no cdp tlv app
spanning-tree portfast

Any comments or ideas would be nice.

regards,
Sebastian
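As an added example (not part of the thread), the following Python script parses "debug arp" lines in the format shown above and reports source MACs whose received ARP rate per second exceeds a threshold, noting whether they use the 0.0.0.0 sender address seen here. The sample lines are constructed; the second host's MAC 0011.2233.4455 is made up.

```python
import re
from collections import Counter, defaultdict

# Matches the "rcvd req/rep" lines of IOS 'debug arp' as quoted in the thread.
# The "ignored gratuitous arp" and "sent rep" lines have a different shape and are skipped.
ARP_RCVD = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d): IP ARP: rcvd (?P<kind>req|rep) "
    r"src (?P<sip>\d+\.\d+\.\d+\.\d+) (?P<smac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}), "
    r"dst (?P<dip>\d+\.\d+\.\d+\.\d+) (?P<intf>\S+)$"
)

def parse_arp_log(lines):
    """Yield a dict (ts, kind, sip, smac, dip, intf) for every matching debug line."""
    for line in lines:
        m = ARP_RCVD.match(line.strip())
        if m:
            yield m.groupdict()

def arp_talkers(lines, threshold):
    """Count received ARP packets per (sender MAC, second) and return the MACs
    whose peak per-second count exceeds threshold, together with that peak and
    whether the MAC ever used the 0.0.0.0 sender address.
    Resolution is one second because that is all the debug timestamp carries."""
    per_sec = Counter()
    zero_src = defaultdict(int)
    for rec in parse_arp_log(lines):
        per_sec[(rec["smac"], rec["ts"])] += 1
        if rec["sip"] == "0.0.0.0":
            zero_src[rec["smac"]] += 1
    peak = {}
    for (mac, ts), n in per_sec.items():
        peak[mac] = max(peak.get(mac, 0), n)
    return {mac: {"peak_pps": n, "zero_sender": zero_src[mac] > 0}
            for mac, n in peak.items() if n > threshold}

# Constructed sample: the thread's host repeating its 0.0.0.0 reply 40 times in one
# second, one ordinary request from a made-up host, and one non-matching debug line.
SAMPLE = (
    ["Aug 25 06:31:50: IP ARP: rcvd rep src 0.0.0.0 0019.9974.c20a, dst 10.0.0.1 Vlan10"] * 40
    + ["Aug 25 06:31:50: IP ARP: rcvd req src 10.0.0.25 0011.2233.4455, dst 10.0.0.1 Vlan10",
       "Aug 25 06:31:50: IP ARP: ignored gratuitous arp src 0.0.0.0 0019.9974.c20a, "
       "dst 10.0.0.1 c464.132d.d4c3, interface Vlan10"]
)

if __name__ == "__main__":
    for mac, info in arp_talkers(SAMPLE, threshold=10).items():
        print(f"{mac}: peak {info['peak_pps']} pps, 0.0.0.0 sender: {info['zero_sender']}")
```

Feed it the captured debug output (e.g. a logging buffer dump) to see which MAC to chase with "show mac address-table" before deciding on storm-control, DAI or CoPP thresholds.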

7 Replies

Rolf Fischer
Engager

Hi Sebastian,

two approaches come to my mind:

1) DAI (Dynamic ARP Inspection), which prevents ARP spoofing and limits ARP traffic at the switchport level (enabled per VLAN). It requires DHCP snooping because it uses the binding table to detect ARP spoofing.

2) CoPP (Control Plane Policing), which is configured at the core and limits the amount of traffic destined to the control plane (ICMP, ARP, routing-protocol traffic, etc.).

I wonder what exactly the host 0019.9974.c20a does; would it be possible to do a trace on that switchport?

Regards

Rolf

christiano.tsuma
Beginner

Sebastian,

As mentioned above, CoPP would be a good choice to limit ARP traffic to the router. You need to trace down that MAC address and figure out whether it's a rogue or perhaps a node with a misconfiguration.

CoPP or rate limiting will hide the symptoms but will not cure whatever host is causing your issues.

Thank you both, I agree, but I want to secure the business at that remote location, so CoPP is an option until I have found the problem in depth.

thanks

regards,

Sebastian