[c-nsp] 6500 ARPing behaviour

Rodney Dunn rodunn at cisco.com
Mon Jul 27 13:05:42 EDT 2009



PW wrote:
> Hi All,
> 
> Recently we are seeing some unusual behaviour with one of our 6500 switches,
> where it is broadcasting ARPs for every IP address sequentially within the
> subnet of one of the SVIs every now and then.
> 
> There are two streams of sequential broadcasts that I can see, with one
> starting a few minutes later than the other. Not all IPs in the subnet can be
> resolved as those IPs are not used.

Do you see arps go out for machines that have a valid arp already?
If so, those are unicast refreshes probably.

If it's the ones that are not existing then most likely it's a traffic 
sweep and we punt one packet to trigger the arp to go out.


> 
> I have captured the ARP traffic for an actual host within the subnet, and
> apart from an ARP response from the host back to the 6500 switch, there is
> really nothing else happening after that.

Probably not if it's a one packet per host sweep. You'd never see it on 
the lan if the traffic came in another port on the device.


> 
> Does anyone have an idea of why the switch is behaving this way? I initially
> thought some external host is trying to ping every address on the subnet,
> but after I found out apart from the ARP traffic there's nothing else, I'm
> not so sure.
> 

Try getting a trace of the port 15/1 I think it is going to the RP when 
the event happens to see if you can catch the punt traffic.

Or look at 'sh ip cache flow' with "ip route-cache flow" enabled on all 
interfaces in the box.

Rodney


> Thanks in advance!
> 
> cheers,
> Patrick
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
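
The flow-cache check suggested in the reply above, as an added example that is not part of the original thread: it looks through exported flow records for a source that sent one packet each to a run of consecutive addresses in the SVI subnet. The record layout (source, destination, packet count), the sample addresses, the function names and the thresholds are all assumptions made for this example, not the output format of 'sh ip cache flow'.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records: (source IP, destination IP, packets in flow).
SAMPLE_FLOWS = (
    # One packet to each of .1 through .20: the sweep pattern.
    [("198.51.100.7", f"192.0.2.{i}", 1) for i in range(1, 21)]
    # Ordinary multi-packet conversations with real hosts.
    + [("203.0.113.5", "192.0.2.10", 340), ("203.0.113.5", "192.0.2.11", 12)]
    # Two adjacent single-packet flows: too short to call a sweep.
    + [("203.0.113.9", "192.0.2.30", 1), ("203.0.113.9", "192.0.2.31", 1)]
)


def longest_run(sorted_ints):
    """Return (first, last) of the longest run of consecutive integers."""
    best = cur = (sorted_ints[0], sorted_ints[0])
    for n in sorted_ints[1:]:
        cur = (cur[0], n) if n == cur[1] + 1 else (n, n)
        if cur[1] - cur[0] > best[1] - best[0]:
            best = cur
    return best


def find_sweeps(flows, svi_subnet, min_run=8, max_pkts=1):
    """Map each sweeping source to (first_dst, last_dst, run_length).

    A source qualifies when its flows of at most max_pkts packets cover
    at least min_run consecutive addresses inside svi_subnet.
    """
    net = ipaddress.ip_network(svi_subnet)
    targets = defaultdict(set)
    for src, dst, pkts in flows:
        addr = ipaddress.ip_address(dst)
        if addr in net and pkts <= max_pkts:
            targets[src].add(int(addr))

    sweeps = {}
    for src, addrs in targets.items():
        first, last = longest_run(sorted(addrs))
        length = last - first + 1
        if length >= min_run:
            sweeps[src] = (str(ipaddress.ip_address(first)),
                           str(ipaddress.ip_address(last)), length)
    return sweeps


if __name__ == "__main__":
    for src, (first, last, n) in find_sweeps(SAMPLE_FLOWS, "192.0.2.0/24").items():
        print(f"{src} swept {first} to {last} ({n} hosts, one packet each)")
```

A source reported here whose run lines up with the sequential ARP broadcasts is a candidate for the sweep that triggers them.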

