[c-nsp] 3750 - duplicate arp replies on SVIs with input ACLs applied
Calin VELEA
vcalinus at hertza.ro
Mon Mar 26 18:40:59 EST 2007
Hello cisco-nsp,
Don't know if this is normal or specific to the 3750, but here is the problem:
interface Vlan1540
ip address 10.99.99.3 255.255.255.0
ip access-group test-acl in
no ip redirects
no ip unreachables
no ip proxy-arp
end
The acl is as simple as:
xxxx#sh access-lists test-acl
Extended IP access list test-acl
250 permit ip any any
On a Linux box in the same vlan having IP 10.99.99.1,
I run:
arping -I eth1.1540 10.99.99.3
and for each ARP request, I get duplicate ARP replies.
root at router:~# arping -I eth1.1540 10.99.99.3
ARPING 10.99.99.3 from 10.99.99.1 eth1.1540
Unicast reply from 10.99.99.3 [00:11:93:4D:C8:58] 1.346ms
Unicast reply from 10.99.99.3 [00:11:93:4D:C8:58] 1.586ms
Unicast reply from 10.99.99.3 [00:11:93:4D:C8:58] 1.375ms
Unicast reply from 10.99.99.3 [00:11:93:4D:C8:58] 1.716ms
...and so on
If I remove the input acl from the interface, things are
back to normal, one ARP reply per ARP request.
I am seeing duplicate ARP replies even if I apply
a non-existent acl to the interface.
I noticed this because duplicate ARP replies caused packet
loss in normal traffic for a few seconds, when the Linux box
was renewing the ARP entry for the Cisco gateway. As soon as I set up
static ARP for it on the Linux machine, the loss was gone.
Running 'sh interface Vlan1540' shows the "packets input"
counter increasing by 2 when the acl is applied, even if
the Linux box sends only one ARP request (checked this
with tcpdump). It looks like the IP acl is duplicating the
ARP requests somehow.
Can someone explain this behavior?
--
Best regards,
Calin mailto:vcalinus at hertza.ro
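A quick way to confirm the symptom described above from a capture rather than by eye, added here as an example that is not part of the original post: it parses `tcpdump -n arp` style lines (the sample below is constructed, not taken from the router in the thread) and reports every ARP request that received more than one reply, or replies carrying different MACs.

```python
import re

# Constructed sample in `tcpdump -n -i eth1.1540 arp` format (not a real
# capture): the first request is answered twice, the second once.
SAMPLE_TCPDUMP = """\
18:40:01.000000 ARP, Request who-has 10.99.99.3 tell 10.99.99.1, length 28
18:40:01.001346 ARP, Reply 10.99.99.3 is-at 00:11:93:4d:c8:58, length 46
18:40:01.001586 ARP, Reply 10.99.99.3 is-at 00:11:93:4d:c8:58, length 46
18:40:02.000000 ARP, Request who-has 10.99.99.3 tell 10.99.99.1, length 28
18:40:02.001375 ARP, Reply 10.99.99.3 is-at 00:11:93:4d:c8:58, length 46
"""

REQUEST_RE = re.compile(r"^(\S+) ARP, Request who-has (\S+) tell (\S+)")
REPLY_RE = re.compile(r"^(\S+) ARP, Reply (\S+) is-at ([0-9a-fA-F:]+)")


def count_replies_per_request(text):
    """Attribute each ARP reply to the most recent request for the same
    target IP and return one dict per request: timestamp, target, number of
    replies seen and the set of MACs those replies carried.  Replies with no
    preceding request are ignored here (they are not this post's symptom)."""
    latest = {}    # target ip -> index of its most recent request in results
    results = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            ts, target, _sender = m.groups()
            results.append({"ts": ts, "target": target, "replies": 0, "macs": set()})
            latest[target] = len(results) - 1
            continue
        m = REPLY_RE.match(line)
        if m:
            _ts, target, mac = m.groups()
            idx = latest.get(target)
            if idx is not None:
                results[idx]["replies"] += 1
                results[idx]["macs"].add(mac.lower())
    return results


def suspicious_requests(text):
    """Requests answered more than once, or by more than one MAC."""
    return [r for r in count_replies_per_request(text)
            if r["replies"] > 1 or len(r["macs"]) > 1]
```

Feed it a real capture (`tcpdump -n -i <iface> arp > arp.txt`) and compare the count with the SVI's "packets input" counter; duplicate replies from a single MAC match the ACL symptom in the post, while replies from two MACs point at a second host answering for the gateway.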