[c-nsp] ARP oddness

Chuck Church chuckchurch at gmail.com
Fri Aug 19 18:15:49 EDT 2011


The ARP request would have had to have been spoofed then.  I'll have to
check Monday.  I've got no reason to believe its malicious.  It's factory
gear, I would believe anything with that stuff.

Chuck
On Aug 19, 2011 5:44 PM, "David Prall" <dcp at dcptech.com> wrote:
> Are you just getting Unicast flooding because the switch doesn't know
where
> the destination is?
>
>
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note0918
> 6a00801d0808.shtml
>
> --
> http://dcp.dcptech.com
>
>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
>> bounces at puck.nether.net] On Behalf Of Chuck Church
>> Sent: Friday, August 19, 2011 4:24 PM
>> To: NSP - Cisco
>> Subject: [c-nsp] ARP oddness
>>
>> Anyone,
>>
>> Researching some issues at a remote site, seeing something I
>> don't
>> think should happen. A packet capture on this remote server using
>> wireshark
>> and focusing in on ARP is seeing all the requests (as I'd expect), but
>> I'm
>> also seeing unicast replies that I shouldn't. The MAC address table on
>> the
>> switch I'm attached to shows only the MAC of this remote server on that
>> port. There are no SPAN sessions on the switch either. The
>> destination
>> addresses aren't multicast, they're true unicast. Yet I'm seeing all
>> these
>> unicasts that aren't my mac address. Is there some function built into
>> a
>> Cisco switch that broadcasts these to make them act like gratuitous
>> ARPs, or
>> am I really seeing something that shouldn't happen? It's on a Sup2+
>> 4500,
>> running 12.2(25)EWA10 (I know it's ancient, vendor owns it...)
>>
>> Thanks,
>>
>> Chuck
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>


More information about the cisco-nsp mailing list