CSS11503 Flooding ARP

Unanswered Question
Dec 10th, 2008

Hi Folks,

Is anyone aware of a config or a bug which would cause a CSS11503 to 10K+ ARP per second for an IP address not even belonging to its configuration?

Software is 7.10.504.



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
inayathulla1 Thu, 12/11/2008 - 01:20

Hi Alan,

Could you be more specific on your question :-

what i understand from the question you see 10K arp under show arp table about the ip address which is not configured am i right?



alanwright1 Thu, 12/11/2008 - 01:32

Hi Shariff,

The CSS is sending 10K+ ARP requests onto one of the LAN segments and breaking it. A trace on the LAN segment shows this. These are broadcast ARP from CSS IP address/MAC address on the segment looking for a resolution for an IP that is not configured on the CSS itself, but belongs to a client on the LAN segment. So I can only conclude it is a bug or a DOS attack.

The way the network is configured is that no traffic on this LAN segment should hit CSS except for O&M traffic.


Gilles Dufour Thu, 12/11/2008 - 03:59

The only time I saw the CSS doing this was when another device was blasting the CSS with traffic to a destination not belonging to the CSS.

The CSS was then just trying to resolve arp in order to forward the traffic it was receiving.

if you do a 'show dos' on the CSS, do you see anything ?

Did you try to sniff other css interfaces and see if it is receiving weird traffic ?


alanwright1 Thu, 12/11/2008 - 04:32

Thanks Gilles,

That makes total sense, now i just need to work out where and why this traffic is trying probe this destination IP.



PS. Will CSS try to arp for every packet it sees for the local destination?


This Discussion