7102-0, arp reply to broadcast

Unanswered Question
Apr 6th, 2007

I've investigated this alarm before, and I think there are times when this occurs normally. I can't pinpoint an exact reason a device might use this normally though. I'm assuming it would have something to do with high availability...like a heartbeat. Any ideas why a device, in particular a Cisco device, would send an arp reply to a layer 2 broadcast address (and no previous arp request was sent)?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
gmarogi Thu, 04/12/2007 - 10:55

Tools such as dsniff and ettercap can perform a brute force flood of the ARP cache and win a race condition to overwrite the MAC-to-IP address mapping. This situation causes the dedicated segment for each port on the switch to relax and the

unicast packets can be seen on other ports. It has been described as making a switch behave like a hub.

mhellman Thu, 04/12/2007 - 11:08

Thanks. I am actually aware of many of the nefarious reasons one might see this. I'm as close to 100% confident as you can be that this is non-malicious activity.


This Discussion