Excessive ARP Traffic

johnspaulding Fri, 08/21/2009 - 06:40

Does the IP address come back in DNS? Any way to trace what this is on the subnet?

Peter Paluch Fri, 08/21/2009 - 06:54

Hello,


Who is the sender of the ARP requests? I assume it is the router to which the network is connected.


From watching the ARPs coming to your network using a packet sniffer, can you say if they appear as if somebody was trying to connect to each IP address in turn?


I am seeing this phenomenon quite often on publicly accessible networks. Apparently some infected computers out there are trying to check which IPs are alive. They do it by sending some packets to those IPs. The router to which the destination network is connected has to send an ARP request for each particular destination IP but if that IP is not alive, the request will go unanswered.


If this is the case then there is no simple solution. The problem is caused by external machines trying to contact your internal devices. Thus, cautiously filtering the traffic using ACLs and/or other filtering mechanisms would help a lot.


Best regards,

Peter


a.cruea1980 Mon, 08/24/2009 - 13:39

If you're seeing repeated ARPs for the same address, then it's possible your ARP cache timer and your MAC table timer aren't aligned.

Peter Paluch Mon, 08/24/2009 - 13:47

Hello,


I am perhaps mistaken here but I do not see how "misaligned" MAC aging and ARP requests go together. ARP requests are generated by end hosts regardless of when and how switches age their MAC tables and switches can't do anything about it. Correct me please if I'm wrong...


Best regards,

Peter


a.cruea1980 Thu, 10/15/2009 - 09:29

If your ARP cache timer and MAC aging are not properly aligned, your router will ARP for addresses that don't have a MAC address associated with them. You'll see a lot of ARPs in this case for addresses that simply do not exist.


We see this a lot in our network when computers fall off the network. The Supervisors in our Cat6500s ARP like crazy because their default timer is 4 hours, but the MAC table timer is only 5 minutes. When I stick a sniffer on our network here, I get large amounts of ARPs for addresses that simply don't exist.


Sorry for the late reply.

Richard Burts Thu, 10/15/2009 - 10:03

Another factor that can generate excessive ARP requests is to have a static route point to an Ethernet interface rather than to the next hop address. This is especially the case when the static route is a static default route.


Is it possible that the original poster had a static route pointed to an Ethernet interface?


HTH


Rick
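
Added example, not part of any post in this thread: a small triage of sniffer output that sorts the router's unanswered ARP requests into the three patterns the replies describe (addresses probed in turn, repeated requests for a host that has gone away, and targets outside the subnet as produced by a static route pointing at an Ethernet interface). The record layout, addresses and the thresholds `sweep_len` and `repeats` are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

ROUTER, SUBNET = "192.0.2.1", "192.0.2.0/24"   # constructed documentation addresses

# Constructed sample of ARP requests as (seconds, sender, target, reply_seen),
# the kind of rows one could export from a sniffer. Not data from the thread.
SAMPLE = (
    [(i * 0.1, ROUTER, f"192.0.2.{h}", h == 12) for i, h in enumerate(range(10, 18))]
    + [(60.0 * i, ROUTER, "192.0.2.200", False) for i in range(4)]
    + [(300.0, ROUTER, "198.51.100.7", False)]
)

def triage(records, subnet=SUBNET, router=ROUTER, sweep_len=5, repeats=3):
    """Sort the router's unanswered ARP requests into the thread's three patterns."""
    net = ipaddress.ip_network(subnet)
    counts = Counter(ipaddress.ip_address(target)
                     for _, sender, target, answered in records
                     if sender == router and not answered)
    off_subnet = sorted(ip for ip in counts if ip not in net)
    local = sorted(ip for ip in counts if ip in net)
    # Longest run of consecutive unanswered local addresses: a walk through the
    # subnet, as when outside hosts probe each IP in turn.
    longest = run = 1 if local else 0
    for prev, cur in zip(local, local[1:]):
        run = run + 1 if int(cur) - int(prev) == 1 else 1
        longest = max(longest, run)
    # Same dead address requested again and again: a host that left the network.
    repeated = [str(ip) for ip in local if counts[ip] >= repeats]
    findings = []
    if longest >= sweep_len:
        findings.append("sequential-sweep")
    if repeated:
        findings.append("repeated-dead-host")
    if off_subnet:
        # A router ARPs for remote addresses when a static route names an
        # Ethernet interface instead of a next hop.
        findings.append("off-subnet-targets")
    return {"findings": findings, "longest_run": longest,
            "repeated": repeated, "off_subnet": [str(ip) for ip in off_subnet]}

if __name__ == "__main__":
    print(triage(SAMPLE))
```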
