[c-nsp] Arp flood?

Rodney Dunn rodunn at cisco.com
Fri Nov 5 08:14:00 EST 2004


A couple things:

 - Turn off proxy ARP everywhere unless you know you need it.
 - Most likely, if the machines you are seeing incompletes for
   are valid machines, you are probably dropping the packets
   on the input queue.  Check it with 'sh int'.  You can bump
   that input queue up via the "hold-queue" command on the interface.

To get a more accurate answer you need to draw an ascii or jpeg
diagram and explain what the subnets are, what arps you are seeing
where, and the devices attached.

Others have given you typical things it could be but without
more data nobody can say for sure.

A router will never generate an arp request out an interface
unless the routing table points out that interface (other than
proxy arp).

Rodney

On Thu, Nov 04, 2004 at 09:20:29AM -0500, FXCM - Brandon Palmer wrote:
> I'm seeing some rather devastating traffic on my network at the moment. The symptoms are that my ARP cache keeps getting filled with "Incomplete" entries (even for IP addresses that are up). In debug mode, the ARP requests are coming from the switch itself (6506, sup2, 12.1.22 native). Googling for it suggests that maybe this is an nmap flood somehow? If that were the case, I could understand my ARP table filling w/ Inc entries for IPs that are not up, but what about the ones that are? Memory use is normal, CPU use is normal. I've tried to tcpdump on a span port for my uplinks and don't see traffic destined for the empty IP addresses, so I'm not sure where the requests are coming from. Network is clean of all other devices that could be conflicting IP.
> 
> Any suggestions?
> 
> Thanks folks.
> 
> - Brandon

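The input-queue check suggested in the reply above can be scripted when there are many interfaces to review. The following is an added example, not part of the original thread: the sample `show interfaces` text is constructed, the function names are hypothetical, and the parser assumes the "Input queue:" line appears in either the three-field or four-field form.

```python
import re

# Constructed sample of IOS "show interfaces" output (not from the thread).
SAMPLE = """\
Vlan10 is up, line protocol is up
  Input queue: 76/75/4312/0 (size/max/drops/flushes); Total output drops: 0
Vlan20 is up, line protocol is up
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
GigabitEthernet1/1 is up, line protocol is up
  Input queue: 3/75/18 (size/max/drops); Total output drops: 0
"""

# Interface header lines start in column 0; detail lines are indented.
HEADER = re.compile(r"^(\S+) is .*line protocol is ")
# Some releases print size/max/drops/flushes, others only size/max/drops.
QUEUE = re.compile(r"Input queue: (\d+)/(\d+)/(\d+)(?:/(\d+))? \(size/max/drops")


def input_queue_stats(text):
    """Return {interface: {"size", "max", "drops"}} from show-interfaces text."""
    stats, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            continue
        m = QUEUE.search(line)
        if m and current:
            size, qmax, drops = (int(m.group(i)) for i in (1, 2, 3))
            stats[current] = {"size": size, "max": qmax, "drops": drops}
    return stats


def interfaces_dropping(text):
    """Interfaces whose input queue has recorded drops, worst first."""
    hit = [(n, s) for n, s in input_queue_stats(text).items() if s["drops"] > 0]
    return sorted(hit, key=lambda item: item[1]["drops"], reverse=True)


if __name__ == "__main__":
    for name, s in interfaces_dropping(SAMPLE):
        print(f"{name}: {s['drops']} input drops, queue {s['size']}/{s['max']}")
```

Interfaces it reports are the ones to compare against the subnets showing Incomplete ARP entries before changing "hold-queue".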
