[c-nsp] 3750 - duplicate arp replies on SVIs with input ACLs applied

Siva Valliappan svalliap at cisco.com
Tue Mar 27 16:36:12 EST 2007


Hi Calin,

    there is no way the IP ACL would be duplicating the packet.  However,
the ACL may count the packet more than once if the packet is software 
switched as the ACLs are applied at each switching path.  The reason
for the ACL count is described in - CSCdv12330.

    the output of "debug ip arp" on the 3k would be interesting to
see what is actually happening.  can you enable packet sniffing on the
linux box to see how many ARP requests are actually going out and how
many coming back?

    also what version of code are you running?  and is this a stacked
configuration or are you using the C3750 as a standalone box?

cheers
.siva



On Tue, 27 Mar 2007, Calin VELEA wrote:

> Hello cisco-nsp,
>
>  Don't know if this is normal or
> specific to the 3750, but here is the
> problem:
>
> interface Vlan1540
> ip address 10.99.99.3 255.255.255.0
> ip access-group test-acl in
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> end
>
> The acl is as simple as:
>
> xxxx#sh access-lists test-acl
> Extended IP access list test-acl
>    250 permit ip any any
>
>
>  On a Linux box in the same vlan having IP 10.99.99.1,
> I run:
>
> arping -I eth1.1540 10.99.99.3
>
> and for each ARP request, I get duplicate ARP replies.
>
> root at router:~# arping -I eth1.1540 10.99.99.3
> ARPING 10.99.99.3 from 10.99.99.1 eth1.1540
> Unicast reply from 10.99.99.3 [00:11:93:4D:C8:58]  1.346ms
> Unicast reply from 10.99.99.3 [00:11:93:4D:C8:58]  1.586ms
>
>
> Unicast reply from 10.99.99.3 [00:11:93:4D:C8:58]  1.375ms
> Unicast reply from 10.99.99.3 [00:11:93:4D:C8:58]  1.716ms
>
>
> ...so on
>
>
> If I remove the input acl from the interface, things are
> back to normal, one ARP reply per ARP request.
>  I am seeing duplicate ARP replies even if I apply
> a non-existent acl to the interface.
>
>  I noticed this because duplicate ARP replies caused packet
> loss in normal traffic for a few seconds, when the Linux box
> was renewing the ARP entry for the Cisco gateway. As soon as I set up
> static ARP for it on the Linux machine, the loss was gone.
>
>  Running 'sh interface Vlan1540' shows the "packets input"
> counter increasing by 2 when the acl is applied, even if
> the Linux box sends only one arp request (checked this
> with tcpdump). It looks like the IP acl is duplicating the
> ARP requests somehow.
>
>
>  Can someone explain this behavior?
>
>
>
> -- 
> Best regards,
> Calin                          mailto:vcalinus at hertza.ro
>
>
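A way to check a capture for the symptom Calin describes, added here as an example and not code from the thread: it parses raw untagged Ethernet/ARP frames (the sample frames below are constructed, not the original capture; the Linux MAC is assumed, the gateway MAC is the one from the arping output) and counts replies per request, so a second reply from the same MAC (this thread's symptom) is reported separately from replies arriving from different MACs.

```python
import struct
from collections import defaultdict

ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2
_mac = lambda s: bytes.fromhex(s.replace(":", ""))
_ip = lambda s: bytes(int(o) for o in s.split("."))

def build_arp(op, sha, spa, tha, tpa):
    """Build one untagged Ethernet+ARP frame (used only to construct the sample capture)."""
    dst = _mac("ff:ff:ff:ff:ff:ff") if op == ARP_REQUEST else _mac(tha)
    return (dst + _mac(sha) + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype, ptype, hlen, plen, oper
            + _mac(sha) + _ip(spa) + _mac(tha) + _ip(tpa))

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None for non-ARP frames."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return op, frame[22:28].hex(":"), fmt_ip(frame[28:32]), fmt_ip(frame[38:42])

def audit_arp(frames):
    """Per answered IP: requests seen, replies seen, distinct answering MACs, verdict."""
    requests, replies = defaultdict(int), defaultdict(list)
    for op, sha, spa, tpa in filter(None, map(parse_arp, frames)):
        if op == ARP_REQUEST:
            requests[tpa] += 1        # keyed by the IP being resolved
        elif op == ARP_REPLY:
            replies[spa].append(sha)  # keyed by the IP that answers
    report = {}
    for ip, macs in replies.items():
        distinct = sorted(set(macs))
        verdict = "ok"
        if len(distinct) > 1:
            verdict = "mac_conflict"     # more than one host answers for the IP
        elif len(macs) > requests[ip]:
            verdict = "duplicate_reply"  # one MAC answers more than once per request
        report[ip] = {"requests": requests[ip], "replies": len(macs),
                      "macs": distinct, "verdict": verdict}
    return report

def sample_frames():
    """Constructed capture mirroring the thread: two arping requests, each answered twice."""
    linux_mac, linux_ip, gw_mac, gw_ip = ("00:aa:bb:cc:dd:01", "10.99.99.1",   # assumed MAC
                                          "00:11:93:4d:c8:58", "10.99.99.3")   # from the thread
    return [f for _ in range(2) for f in (
        build_arp(ARP_REQUEST, linux_mac, linux_ip, "00:00:00:00:00:00", gw_ip),
        build_arp(ARP_REPLY, gw_mac, gw_ip, linux_mac, linux_ip),
        build_arp(ARP_REPLY, gw_mac, gw_ip, linux_mac, linux_ip))]
```

Feed `audit_arp()` the raw frames from a tcpdump/pcap reader on the Linux side; a `duplicate_reply` verdict with a single MAC matches what Calin sees, while `mac_conflict` points at a different problem (two hosts claiming the address).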

