Cisco Support Community
Community Member

CSS11503 Flooding ARP

Hi Folks,

Is anyone aware of a config or a bug which would cause a CSS11503 to send 10K+ ARP per second for an IP address not even belonging to its configuration?

Software is 7.10.504.

BR

Alan

4 REPLIES
Community Member

Re: CSS11503 Flooding ARP

Hi Alan,

Could you be more specific about your question?

What I understand from the question is that you see 10K ARP under show arp table about the IP address which is not configured, am I right?

Regards

Shariff

Community Member

Re: CSS11503 Flooding ARP

Hi Shariff,

The CSS is sending 10K+ ARP requests onto one of the LAN segments and breaking it. A trace on the LAN segment shows this. These are broadcast ARP from the CSS IP address/MAC address on the segment looking for a resolution for an IP that is not configured on the CSS itself, but belongs to a client on the LAN segment. So I can only conclude it is a bug or a DoS attack.

The way the network is configured is that no traffic on this LAN segment should hit CSS except for O&M traffic.

Alan

Cisco Employee

Re: CSS11503 Flooding ARP

The only time I saw the CSS doing this was when another device was blasting the CSS with traffic to a destination not belonging to the CSS.

The CSS was then just trying to resolve arp in order to forward the traffic it was receiving.

If you do a 'show dos' on the CSS, do you see anything?

Did you try to sniff other CSS interfaces and see if it is receiving weird traffic?

Gilles.
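
Added example, not part of the thread or any Cisco tooling: one way to run the check suggested above is to take a text capture from the flooded LAN segment and one from another CSS interface, find the ARP target being requested at a high rate, and list which sources are sending traffic to that target. It assumes `tcpdump -n` style text output; the function names, the threshold and all addresses are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: input is `tcpdump -n` text output, one packet per line.
ARP_RE = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ ARP, Request who-has ([\d.]+)"
                    r"(?: \([0-9a-f:]+\))? tell ([\d.]+),")
IP_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
                   r"(\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")

def arp_storms(lines, per_second_threshold):
    """Return {(asker_ip, target_ip): peak ARP requests seen in one second}."""
    buckets = Counter()
    for line in lines:
        m = ARP_RE.match(line)
        if m:
            second, target, asker = m.groups()
            buckets[(asker, target, second)] += 1
    peaks = {}
    for (asker, target, _second), count in buckets.items():
        if count >= per_second_threshold:
            key = (asker, target)
            peaks[key] = max(count, peaks.get(key, 0))
    return peaks

def senders_to(lines, target):
    """Rank source IPs by packets addressed to `target` on the other interface."""
    hits = Counter()
    for line in lines:
        m = IP_RE.match(line)
        if m and m.group(2) == target:
            hits[m.group(1)] += 1
    return hits.most_common()

def investigate(lan_lines, other_lines, per_second_threshold):
    """For each flooded ARP target, attach the sources driving traffic to it."""
    return {pair: (peak, senders_to(other_lines, pair[1]))
            for pair, peak in arp_storms(lan_lines, per_second_threshold).items()}

# Constructed sample captures (documentation address ranges, not real data).
LAN_SEGMENT = [f"12:00:00.{i:06d} ARP, Request who-has 192.0.2.50 tell 192.0.2.1, length 28"
               for i in range(12)]
LAN_SEGMENT.append("12:00:00.900000 ARP, Request who-has 192.0.2.9 tell 192.0.2.20, length 28")
OTHER_IF = [f"12:00:00.{i:06d} IP 198.51.100.7.{40000 + i} > 192.0.2.50.80: Flags [S], length 0"
            for i in range(12)]
OTHER_IF.append("12:00:00.500000 IP 198.51.100.9.51000 > 203.0.113.5.443: Flags [S], length 0")

if __name__ == "__main__":
    for (asker, target), (peak, sources) in investigate(LAN_SEGMENT, OTHER_IF, 10).items():
        print(f"{asker} asks for {target} at {peak}/s; traffic to it comes from {sources}")
```
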

Community Member

Re: CSS11503 Flooding ARP

Thanks Gilles,

That makes total sense. Now I just need to work out where and why this traffic is trying to probe this destination IP.

Cheers

Alan

PS. Will CSS try to ARP for every packet it sees for the local destination?
