[c-nsp] ARP on ASR9k 4.3.2

Andrew Koch andrew.koch at gawul.net
Thu Jan 16 11:48:11 EST 2014


On Thu, Jan 16, 2014 at 2:35 AM, Florian Lohoff <f at zz.de> wrote:

>
> Hi,
>
> we made some upgrade from 4.1.1 to 4.3.2 tonight and discovered new and
> strange ARP behaviour.
>
> The ASR9k seems to store arbitrary ARP responses in its MAC Address
> table.
>

We ran into similar trouble when swapping out our router for an ASR9k
running 4.2.3.  Cisco scrambled a SMU for that release (sorta).  From their
information it is not entirely arbitrary.  Any IP that is routed down that
link can have an ARP stored.

Our trouble became a bit worse when we removed the route and the ARP was
still present; the router was then black-holing traffic by trying to send
it via the stale ARP.
> I know Linux has some bad behaviour concerning ARP (default proxy ARP
> etc.) but still I wouldn't expect a decent networking device polluting
> its ARP table with entries for IP addresses not directly connected
> or better - not reachable in any directly connected IP segment.
>

We thought so too.  We opened a case - Cisco DDTS CSCty06696 was the
result.  Cisco did not agree that this was faulty behavior: they insisted
that it was correct.  The DDTS and SMU are for an option to disable the
ability to learn out of subnet ARPs.  Under the interface you can configure
"arp learning local" to block out-of-subnet ARPs.
> PS: I made some sysctl tweaks on the Linux machine to behave a little
> more nicely, but still I see a bug here.
>

We did the same while waiting for the SMU.  The SMU should not be needed
for 4.3.2 - the "arp learning local" interface command should be built-in,
so hopefully you are good to go.

Our biggest concern over this incident was receiving malicious ARPs on
transit and peering links that have routes to large swaths of the network.
If the route goes away, the ARP will be retained for long periods and the
router will black-hole traffic until that clears.  Cisco PSIRT evaluated
the concern but evaluated it as a fairly concern.
> --
> Florian Lohoff                                                 f at zz.de


Best Regards,
Andrew Koch
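As an added example (not code from the thread or from Cisco): a small Python check that parses ARP-table output and flags dynamic entries whose address lies outside the interface's connected prefix, i.e. the out-of-subnet entries that "arp learning local" is meant to stop and that can black-hole traffic once the covering route is gone. The sample output, its column layout and the interface/prefix mapping are constructed assumptions, not verbatim IOS XR output.

```python
"""Flag ARP entries that fall outside the interface's connected subnet."""
import ipaddress
import re

# Constructed sample, loosely modelled on a "show arp" table; the exact
# column layout is an assumption for this example, not real device output.
SAMPLE_SHOW_ARP = """\
Address         Age        Hardware Addr   State      Type  Interface
192.0.2.1       -          0011.2233.4455  Interface  ARPA  TenGigE0/0/0/0
192.0.2.2       00:01:12   0011.2233.4466  Dynamic    ARPA  TenGigE0/0/0/0
198.51.100.77   00:05:43   0011.2233.4477  Dynamic    ARPA  TenGigE0/0/0/0
203.0.113.9     00:00:05   0011.2233.4488  Dynamic    ARPA  TenGigE0/0/0/0
"""

# Constructed: the prefix actually configured on each interface.
INTERFACE_SUBNETS = {"TenGigE0/0/0/0": ipaddress.ip_network("192.0.2.0/30")}

# One table row: IP, age, dotted-hex MAC, state, encapsulation type, interface.
ENTRY_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s+(\S+)$"
)


def parse_show_arp(text):
    """Return a list of dicts, one per ARP entry; header/blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        ip, _age, mac, state, _typ, ifname = m.groups()
        entries.append({"ip": ipaddress.ip_address(ip), "mac": mac,
                        "state": state, "interface": ifname})
    return entries


def out_of_subnet_entries(entries, subnets):
    """Entries whose IP is not inside the connected prefix of their interface.

    An interface with no known prefix is treated as suspicious as well, so a
    mapping gap is reported rather than silently ignored.
    """
    flagged = []
    for e in entries:
        net = subnets.get(e["interface"])
        if net is None or e["ip"] not in net:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in out_of_subnet_entries(parse_show_arp(SAMPLE_SHOW_ARP), INTERFACE_SUBNETS):
        print(f"out-of-subnet ARP: {e['ip']} ({e['mac']}) on {e['interface']}")
```

Run periodically against real "show arp" output (after adapting the regex to the device's columns) and alert on any hit; with "arp learning local" configured, the expected result is an empty list.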