Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
441
Views
0
Helpful
2
Replies

7102-0, arp reply to broadcast

mhellman
Level 7
Level 7

‎04-06-2007 10:50 AM - edited ‎03-10-2019 03:33 AM

I've investigated this alarm before, and I think there are times when this occurs normally. I can't pinpoint an exact reason a device might use this normally though. I'm assuming it would have something to do with high availability...like a heartbeat. Any ideas why a device, in particular a Cisco device, would send an arp reply to a layer 2 broadcast address (and no previous arp request was sent)?

Labels:
0 Helpful
2 Replies 2

gmarogi
Level 5
Level 5

‎04-12-2007 10:55 AM

Tools such as dsniff and ettercap can perform a brute force flood of the ARP cache and win a race condition to overwrite the MAC-to-IP address mapping. This situation causes the dedicated segment for each port on the switch to relax and the

unicast packets can be seen on other ports. It has been described as making a switch behave like a hub.

0 Helpful

mhellman
Level 7
Level 7
In response to gmarogi

‎04-12-2007 11:08 AM

Thanks. I am actually aware of many of the nefarious reasons one might see this. I'm as close to 100% confident as you can be that this is non-malicious activity.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card