[c-nsp] 3750 - duplicate arp replies on SVIs with input ACLs applied

Calin VELEA vcalinus at hertza.ro
Wed Mar 28 15:05:04 EST 2007


Hello Siva,

Below, you can find the results of an arping to an
ip on a SVI with an acl applied. The acl doesn't exist,
if I try with an existing acl it's the same.


interface Vlan1507
 ip address 89.165.149.81 255.255.255.252
 ip access-group uuu in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
end


xxxxxxx ~ # arping -I eth0 89.165.149.81
ARPING 89.165.149.81 from 89.165.149.82 eth0
Unicast reply from 89.165.149.81 [00:18:B9:15:D5:C6]  1.389ms
Unicast reply from 89.165.149.81 [00:18:B9:15:D5:C6]  1.950ms
Unicast reply from 89.165.149.81 [00:18:B9:15:D5:C6]  1.701ms
Unicast reply from 89.165.149.81 [00:18:B9:15:D5:C6]  2.287ms
Unicast reply from 89.165.149.81 [00:18:B9:15:D5:C6]  2.082ms
Unicast reply from 89.165.149.81 [00:18:B9:15:D5:C6]  2.332ms
Unicast reply from 89.165.149.81 [00:18:B9:15:D5:C6]  1.911ms
Unicast reply from 89.165.149.81 [00:18:B9:15:D5:C6]  2.661ms
Unicast reply from 89.165.149.81 [00:18:B9:15:D5:C6]  1.520ms
Unicast reply from 89.165.149.81 [00:18:B9:15:D5:C6]  2.151ms
Unicast reply from 89.165.149.81 [00:18:B9:15:D5:C6]  2.613ms
Unicast reply from 89.165.149.81 [00:18:B9:15:D5:C6]  3.356ms
Unicast reply from 89.165.149.81 [00:18:B9:15:D5:C6]  1.562ms
Unicast reply from 89.165.149.81 [00:18:B9:15:D5:C6]  2.282ms
Unicast reply from 89.165.149.81 [00:18:B9:15:D5:C6]  1.600ms
Unicast reply from 89.165.149.81 [00:18:B9:15:D5:C6]  2.177ms
Unicast reply from 89.165.149.81 [00:18:B9:15:D5:C6]  2.427ms
Unicast reply from 89.165.149.81 [00:18:B9:15:D5:C6]  2.698ms
Unicast reply from 89.165.149.81 [00:18:B9:15:D5:C6]  1.485ms
Unicast reply from 89.165.149.81 [00:18:B9:15:D5:C6]  1.788ms
Sent 10 probes (1 broadcast(s))
Received 20 response(s)

Notice that arping reports 10 probes sent and 20 responses received.


Here is a part of a tcpdump capture:

22:38:48.046540 00:02:a5:e1:42:4c > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 89.165.149.81 (ff:ff:ff:ff:ff:ff) tell 89.165.149.82
22:38:48.047362 00:18:b9:15:d5:c6 > 00:02:a5:e1:42:4c, ethertype ARP (0x0806), length 60: arp reply 89.165.149.81 is-at 00:18:b9:15:d5:c6
22:38:48.047929 00:18:b9:15:d5:c6 > 00:02:a5:e1:42:4c, ethertype ARP (0x0806), length 60: arp reply 89.165.149.81 is-at 00:18:b9:15:d5:c6

22:38:49.046697 00:02:a5:e1:42:4c > 00:18:b9:15:d5:c6, ethertype ARP (0x0806), length 42: arp who-has 89.165.149.81 (00:18:b9:15:d5:c6) tell 89.165.149.82
22:38:49.047704 00:18:b9:15:d5:c6 > 00:02:a5:e1:42:4c, ethertype ARP (0x0806), length 60: arp reply 89.165.149.81 is-at 00:18:b9:15:d5:c6
22:38:49.048274 00:18:b9:15:d5:c6 > 00:02:a5:e1:42:4c, ethertype ARP (0x0806), length 60: arp reply 89.165.149.81 is-at 00:18:b9:15:d5:c6

22:38:50.056696 00:02:a5:e1:42:4c > 00:18:b9:15:d5:c6, ethertype ARP (0x0806), length 42: arp who-has 89.165.149.81 (00:18:b9:15:d5:c6) tell 89.165.149.82
22:38:50.057707 00:18:b9:15:d5:c6 > 00:02:a5:e1:42:4c, ethertype ARP (0x0806), length 60: arp reply 89.165.149.81 is-at 00:18:b9:15:d5:c6
22:38:50.058284 00:18:b9:15:d5:c6 > 00:02:a5:e1:42:4c, ethertype ARP (0x0806), length 60: arp reply 89.165.149.81 is-at 00:18:b9:15:d5:c6

22:38:51.066817 00:02:a5:e1:42:4c > 00:18:b9:15:d5:c6, ethertype ARP (0x0806), length 42: arp who-has 89.165.149.81 (00:18:b9:15:d5:c6) tell 89.165.149.82
22:38:51.067945 00:18:b9:15:d5:c6 > 00:02:a5:e1:42:4c, ethertype ARP (0x0806), length 60: arp reply 89.165.149.81 is-at 00:18:b9:15:d5:c6
22:38:51.068544 00:18:b9:15:d5:c6 > 00:02:a5:e1:42:4c, ethertype ARP (0x0806), length 60: arp reply 89.165.149.81 is-at 00:18:b9:15:d5:c6


Again, look at the timestamps and you can see one request and two replies.




Finally, debug arp:

001319: Mar 28 20:38:50: IP ARP: rcvd req src 89.165.149.82 0002.a5e1.424c, dst 89.165.149.81 Vlan1507
001320: Mar 28 20:38:50: IP ARP: sent rep src 89.165.149.81 0018.b915.d5c6,
                 dst 89.165.149.82 0002.a5e1.424c Vlan1507
001321: Mar 28 20:38:50: IP ARP: rcvd req src 89.165.149.82 0002.a5e1.424c, dst 89.165.149.81 Vlan1507
001322: Mar 28 20:38:50: IP ARP: sent rep src 89.165.149.81 0018.b915.d5c6,
                 dst 89.165.149.82 0002.a5e1.424c Vlan1507
001323: Mar 28 20:38:51: IP ARP: rcvd req src 89.165.149.82 0002.a5e1.424c, dst 89.165.149.81 Vlan1507
001324: Mar 28 20:38:51: IP ARP: sent rep src 89.165.149.81 0018.b915.d5c6,
                 dst 89.165.149.82 0002.a5e1.424c Vlan1507
001325: Mar 28 20:38:51: IP ARP: rcvd req src 89.165.149.82 0002.a5e1.424c, dst 89.165.149.81 Vlan1507
001326: Mar 28 20:38:51: IP ARP: sent rep src 89.165.149.81 0018.b915.d5c6,
                 dst 89.165.149.82 0002.a5e1.424c Vlan1507
001327: Mar 28 20:38:52: IP ARP: rcvd req src 89.165.149.82 0002.a5e1.424c, dst 89.165.149.81 Vlan1507
001328: Mar 28 20:38:52: IP ARP: sent rep src 89.165.149.81 0018.b915.d5c6,
                 dst 89.165.149.82 0002.a5e1.424c Vlan1507
001329: Mar 28 20:38:52: IP ARP: rcvd req src 89.165.149.82 0002.a5e1.424c, dst 89.165.149.81 Vlan1507
001330: Mar 28 20:38:52: IP ARP: sent rep src 89.165.149.81 0018.b915.d5c6,
                 dst 89.165.149.82 0002.a5e1.424c Vlan1507


   Here, there are duplicate requests also (two requests in the same
second, which is impossible since arping by default makes one req each
second).


   The above test was made with a C3560G-24TS, 12.2(25)SEE.

   Same behavior was noticed on a C3750-24PS, same IOS version,
standalone box. (I did't want to debug on it though).


Wednesday, March 28, 2007, 12:36:12 AM, you wrote:

> Hi Calin,

>     there is no way the IP ACL would be duplicating the packet.  However,
> the ACL may count the packet more then once if the packet is software 
> switched as the ACLs are applied at each switching path.  The reason
> for the ACL count is described in - CSCdv12330.

>     the output of "debug ip arp" on the 3k would be interesting to
> see what is actually happening.  can you enable packet sniffing on the
> linux box to see how many ARP requests are actually going out and how
> many coming back?

>     also what version of code are you running?  and is this a stacked
> configuration or are you using the C3750 as a standalone box?

> cheers
> .siva



> On Tue, 27 Mar 2007, Calin VELEA wrote:

>> Hello cisco-nsp,
>>
>>  Don't know if this is normal or
>> specific to the 3750, but here is the
>> problem:
>>
>> interface Vlan1540
>> ip address 10.99.99.3 255.255.255.0
>> ip access-group test-acl in
>> no ip redirects
>> no ip unreachables
>> no ip proxy-arp
>> end
>>
>> The acl is as simple as:
>>
>> xxxx#sh access-lists test-acl
>> Extended IP access list test-acl
>>    250 permit ip any any
>>
>>
>>  On a Linux box in the same vlan having IP 10.99.99.1,
>> I run:
>>
>> arping -I eth1.1540 10.99.99.3
>>
>> and for each ARP request, I get duplicate ARP replies.
>>
>> root at router:~# arping -I eth1.1540 10.99.99.3
>> ARPING 10.99.99.3 from 10.99.99.1 eth1.1540
>> Unicast reply from 10.99.99.3 [00:11:93:4D:C8:58]  1.346ms
>> Unicast reply from 10.99.99.3 [00:11:93:4D:C8:58]  1.586ms
>>
>>
>> Unicast reply from 10.99.99.3 [00:11:93:4D:C8:58]  1.375ms
>> Unicast reply from 10.99.99.3 [00:11:93:4D:C8:58]  1.716ms
>>
>>
>> ...so on
>>
>>
>> If I remove the input acl from the interface, things are
>> back to normal, one ARP reply per ARP request.
>>  I am seeing duplicate ARP replies even if I apply
>> a non-existent acl to the interface.
>>
>>  I noticed this because duplicate ARP replies caused packet
>> loss in normal traffic for a few seconds, when the Linux box
>> was renewing the ARP entry for the Cisco gateway. As soon as I set up
>> static ARP for it on the Linux machine, the loss was gone.
>>
>>  Running 'sh interface Vlan1540' shows  the "packets input"
>> counter increasing by 2 when the acl is applied, even if
>> the Linux box sends only one arp request (checked this
>> with tcpdump). It looks like the IP acl is duplicating the
>> ARP requests somehow.
>>
>>
>>  Can someone explain this behavior?
>>
>>
>>
>> -- 
>> Best regards,
>> Calin                          mailto:vcalinus at hertza.ro
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>


-- 
Best regards,
 Calin                            mailto:vcalinus at hertza.ro



More information about the cisco-nsp mailing list