Cisco Support Community
Gold

7102-0, arp reply to broadcast

I've investigated this alarm before, and I think there are times when this occurs normally. I can't pinpoint an exact reason a device might use this normally though. I'm assuming it would have something to do with high availability...like a heartbeat. Any ideas why a device, in particular a Cisco device, would send an arp reply to a layer 2 broadcast address (and no previous arp request was sent)?

2 REPLIES
Bronze

Re: 7102-0, arp reply to broadcast

Tools such as dsniff and ettercap can perform a brute force flood of the ARP cache and win a race condition to overwrite the MAC-to-IP address mapping. This situation causes the dedicated segment for each port on the switch to relax and the unicast packets can be seen on other ports. It has been described as making a switch behave like a hub.

Gold

Re: 7102-0, arp reply to broadcast

Thanks. I am actually aware of many of the nefarious reasons one might see this. I'm as close to 100% confident as you can be that this is non-malicious activity.
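For triaging the alarm discussed in this thread, the following added example (not part of the original posts, and not Cisco's signature logic) parses raw Ethernet/ARP frames and labels each ARP reply sent to the layer-2 broadcast address. It assumes untagged IPv4-over-Ethernet ARP; the verdict names, the `build` helper and the sample frames are constructed for illustration, and the "gratuitous" label (sender IP equal to target IP) reflects general ARP behaviour rather than anything stated in the thread.

```python
import socket
import struct

BROADCAST = b"\xff" * 6

def build(dst, src, op, sha, spa, tha, tpa):
    """Build a constructed Ethernet+ARP frame for the sample data."""
    return (dst + src + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
            + sha + socket.inet_aton(spa) + tha + socket.inet_aton(tpa))

def parse_arp(frame):
    """Return ARP fields of an untagged IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42:
        return None
    (dst, _src, etype, htype, ptype, hlen, plen, op,
     sha, spa, _tha, tpa) = struct.unpack("!6s6sHHHBBH6s4s6s4s", frame[:42])
    if (etype, htype, ptype, hlen, plen) != (0x0806, 1, 0x0800, 6, 4):
        return None
    return dst, op, sha, spa, tpa

def triage(frames):
    """Label every ARP reply whose Ethernet destination is the broadcast address."""
    asked, bindings, findings = set(), {}, []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        dst, op, sha, spa, tpa = arp
        if op == 1:
            asked.add(tpa)                     # a request for this IP was seen
        elif op == 2 and dst == BROADCAST:
            if bindings.get(spa, sha) != sha:
                verdict = "binding-changed"    # IP now claimed by a different MAC
            elif spa == tpa:
                verdict = "gratuitous"         # sender announces its own IP
            else:
                verdict = "solicited" if spa in asked else "unsolicited"
            findings.append((socket.inet_ntoa(spa), sha.hex(":"), verdict))
        bindings[spa] = sha                    # remember the latest claim
    return findings

M = [bytes.fromhex("02000000000%d" % i) for i in range(6)]
SAMPLE = [  # constructed frames, not captured traffic
    build(BROADCAST, M[3], 1, M[3], "10.0.0.30", bytes(6), "10.0.0.1"),
    build(BROADCAST, M[1], 2, M[1], "10.0.0.1", M[3], "10.0.0.30"),
    build(BROADCAST, M[4], 2, M[4], "10.0.0.5", BROADCAST, "10.0.0.5"),
    build(BROADCAST, M[2], 2, M[2], "10.0.0.1", M[3], "10.0.0.30"),
    build(BROADCAST, M[5], 2, M[5], "10.0.0.9", M[3], "10.0.0.30"),
]
```

Replies labelled "binding-changed" or "unsolicited" are the ones worth correlating with the switch MAC table and with known failover events before closing the alarm as benign.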
