Question on Proxy Arp messages

oukpaka · ‎03-25-2009

Hi,

Thnaks for prompt responses yesterday.

I am currently having an issue on the network, i have a Cisco 3560 switch connected to two 4507Rs. the two 4507R are connected such that one is active and the other is standby using HSRP for all vlans. the following logs keep on appearing and the CPU on my 4507Rs are at 90%.

3w6d: SB10: Vl203 Allow proxy ARP, src 172.16.251.224 tgt 172.16.8.186 mac 0000.0c07.ac0a

Is the above message ok or could this be the reason for the high CPU process on the 4507

Br

Giuseppe Larosa · ‎03-25-2009

Hello Obiora,

please disable proxy ARP with

int vlan 203

no ip proxy-arp

on both 4507R they are answering to ARP requests with the HSRP well known mac address mac 0000.0c07.ac0a (last a=group 10) to whatever IP address.

I suppose 172.16.8.186 is not an HSRP VIP and it is in another subnet because source address is 172.16.251.224.

This can have an impact on cpu usage

to see the processes that use more cpu do:

sh proc cpu sorted 1min

clients have to use the HSRP VIP as their default gateway.

This way they do a single ARP request for all ip addresses out of their own IP subnet

Hope to help

Giuseppe

lamav · ‎03-25-2009

Giuseppe:

I wouldn't recommend telling the OP to disable proxy ARP without first investigating why its on. It may be on for a reason, even though that reason may be simply to act as a band-aid to fix a network misconfiguration in the subnet masks or default gateway information.

Whatever the reason, it may be the only thing holding his network together right now.

Victor

lamav · ‎03-25-2009

Br:

The above message is "OK" if you want to have proxy arp enabled on your 4507 switches.

Is this causing the high CPU utilization? We would have to investigate further by, say, running the "show proc cpu" command to see which process(es) is/are monopolizing the CPU.

Before you disable proxy arp, you need to make sure that it can be done without disrupting communication on your network. I believe Cisco IOS has proxy ARP enabled by default (it may depend on platform and IOS version, not sure).

HTH

Victor

Thotsaphon Lueangwattanaphong · ‎03-25-2009

BR,

You may have to investigate why CPU got high. I'm not sure why you got this error. If I was in 172.16.251.X then I have to use the default gateway to get 172.16.8.X.

Let's take a look at 172.16.251.224. Is he/she using mask 255.255.0.0? If yes,I would do ARP for 172.16.8.186. (grin)

HTH,

Toshi

Giuseppe Larosa · ‎03-25-2009

Hello Victor,

you are right it is better to see what is using the cpu with sh proc cpu sorted 1min and to find all devices that are relying on proxy-arp.

However, unless he/she is using a single /16 subnet this shouldn't be an arp response that should be sent if proxy-arp is disabled.

A /16 subnet would be a nightmare just only with standard ARP.

Note2:

the message clearly states the request is processed because proxy arp is enabled so my guess is that destination address is in a different vlan

note:

the original poster has probably used Br to stand for Best Regards if you access his/her profile you can see his/her name

Hope to help

Giuseppe

lamav · ‎03-25-2009

G-money:

I can dig where you're coming from, and we do have to make certain assumptions sometimes to be able to help people, but I honestly wouldnt receommend to anyone that they make changes to their production network given the fact that the only thing I know about their network is what they have told me in a few sentences. Maybe that's just me :-)

I thought Br meant "brutha" ;-)

Thotsaphon Lueangwattanaphong · ‎03-25-2009

Giuseppe,

Actually I always love to see what his/her name is. But this time I followed what Victor did. heheh..

We are here to help. We can have different opinions though! (grin)

You guys are doing good jobs!

To Obiora, How are you doing?

Toshi

Giuseppe Larosa · ‎03-25-2009

Hello Toshi,

actually Victor is right: it is better to wait a moment before suggesting something that can cause loss of connectivity to one or many users/servers!

sometimes I'm too fast in answering I admit this

I made a note about something without any real impact (the name)

I like too to see names at first I was not able then I discovered.

Best Regards

Giuseppe

oukpaka · ‎03-25-2009

Thanks a million Guys!!!

Its quite interesting that after a restart of the two 4507Rs, the network seems to stablize.

Please find attached some Show output commands before the restart of the boxes.

Please find attached some more information,I guess this might be helpful to finding the root cause of the problem

thanks guys!!

Best Regards,

Obiora

Giuseppe Larosa · ‎03-25-2009

Hello Obiora,

a bridging loop that you solved by shutting g3/6.

well done.

Thanks for your feedback

Best Regards

Giuseppe

oukpaka · ‎03-25-2009

thanks Guiseppe,

Feel really good!!

By the way, will be waiting for your opinion on the show output i just sent

obiora