[c-nsp] ARP oddness

David Prall dcp at dcptech.com
Fri Aug 19 18:36:40 EDT 2011


Sorry missed that it was a ARP reply. Are you getting any mac move messages
on the switch, showing that spanning tree topology changes could possibly be
happening on a downstream switch.

--
http://dcp.dcptech.com


> -----Original Message-----
> From: Chuck Church [mailto:chuckchurch at gmail.com]
> Sent: Friday, August 19, 2011 6:16 PM
> To: David Prall
> Cc: NSP - Cisco
> Subject: Re: RE: [c-nsp] ARP oddness
> 
> The ARP request would have had to have been spoofed then.  I'll have to
> check Monday.  I've got no reason to believe its malicious.  It's
> factory gear, I would believe anything with that stuff.
> 
> Chuck
> 
> On Aug 19, 2011 5:44 PM, "David Prall" <dcp at dcptech.com> wrote:
> > Are you just getting Unicast flooding because the switch doesn't know
> where
> > the destination is?
> >
> >
> http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_not
> e0918
> > 6a00801d0808.shtml
> >
> > --
> > http://dcp.dcptech.com
> >
> >
> >> -----Original Message-----
> >> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> >> bounces at puck.nether.net] On Behalf Of Chuck Church
> >> Sent: Friday, August 19, 2011 4:24 PM
> >> To: NSP - Cisco
> >> Subject: [c-nsp] ARP oddness
> >>
> >> Anyone,
> >>
> >> Researching some issues at a remote site, seeing something I
> >> don't
> >> think should happen. A packet capture on this remote server using
> >> wireshark
> >> and focusing in on ARP is seeing all the requests (as I'd expect),
> but
> >> I'm
> >> also seeing unicast replies that I shouldn't. The MAC address table
> on
> >> the
> >> switch I'm attached to shows only the MAC of this remote server on
> that
> >> port. There are no SPAN sessions on the switch either. The
> >> destination
> >> addresses aren't multicast, they're true unicast. Yet I'm seeing all
> >> these
> >> unicasts that aren't my mac address. Is there some function built
> into
> >> a
> >> Cisco switch that broadcasts these to make them act like gratuitous
> >> ARPs, or
> >> am I really seeing something that shouldn't happen? It's on a Sup2+
> >> 4500,
> >> running 12.2(25)EWA10 (I know it's ancient, vendor owns it...)
> >>
> >> Thanks,
> >>
> >> Chuck
> >> _______________________________________________
> >> cisco-nsp mailing list cisco-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >




More information about the cisco-nsp mailing list