Cisco Support Community
New Member

Too many ARP broadcasts

Hi all. We have encountered a weird ARP broadcast problem.

The problem is that we have a range of hosts that send ARP broadcasts asking who has an IP address in their LAN segment. Those hosts send a new broadcast approximately every 4 seconds, each to an address whose value is greater by 1 than the previous IP. Something like this:

1. broadcast: x.x.x.x

2. broadcast: x.x.x.x+1

3. broadcast: x.x.x.x+2

...

It looks like malware or a virus is scanning the LAN segment. Can anyone tell me if they have encountered this before and, more importantly, how to beat it?

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Too many ARP broadcasts

If you want to be nice - configure broadcast storm-control, and when the number of broadcasts per second is reached, send an SNMP trap/log.

If you want to be nasty and really track it down, configure broadcast storm-control, and when the number of broadcasts per second is reached... it's a security violation and automatically shut the port!!

7 REPLIES

Re: Too many ARP broadcasts

That does not look good, but it might not be malware or a virus; an IT person could be scanning the local IP subnet to see if hosts are alive, etc.

What you need to do is packet sniff the MAC address of the requester, track that device or devices down, and see what's on that machine.
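
Added example (not part of the original thread or any poster's code): one way to pick the requester MACs out of a capture is to look for senders whose ARP who-has targets climb by exactly 1, as described in the question. The record layout, the function name find_sweepers, the thresholds and the sample addresses are all assumptions made up for this sketch; real records would come from your sniffer's export.

```python
import ipaddress
from collections import defaultdict

GW = "192.0.2.1"
# Constructed sample records: (seconds, sender MAC, ARP who-has target).
# One host walks 192.0.2.20 upward every 4 s with gateway lookups mixed in;
# the other only resolves a few unrelated neighbours.
SAMPLE = (
    [(4.0 * i, "00:00:5e:00:53:aa", f"192.0.2.{20 + i}") for i in range(8)]
    + [(t, "00:00:5e:00:53:aa", GW) for t in (1.0, 13.0)]
    + [(2.0, "00:00:5e:00:53:bb", GW),
       (9.0, "00:00:5e:00:53:bb", "192.0.2.50"),
       (30.0, "00:00:5e:00:53:bb", "192.0.2.51"),
       (31.0, "00:00:5e:00:53:bb", "192.0.2.7")]
)


def find_sweepers(records, min_run=5, max_gap=10.0):
    """Return {mac: (first_ip, last_ip, count)} for senders whose who-has
    targets climb by exactly 1 at least min_run times in a row, with no more
    than max_gap seconds between consecutive steps."""
    # Per sender: next expected address -> (run length, first address, last time)
    runs = defaultdict(dict)
    best = {}
    for ts, mac, ip in sorted(records):
        addr = int(ipaddress.IPv4Address(ip))
        # Continue a run only if some earlier request was for addr - 1;
        # unrelated lookups (e.g. the gateway) in between do not break it.
        length, first, last_ts = runs[mac].pop(addr, (0, addr, ts))
        if ts - last_ts > max_gap:      # too slow to be the same sweep
            length, first = 0, addr
        length += 1
        runs[mac][addr + 1] = (length, first, ts)
        if length >= min_run and length > best.get(mac, (0, 0, 0))[2]:
            best[mac] = (first, addr, length)
    return {
        mac: (str(ipaddress.IPv4Address(a)), str(ipaddress.IPv4Address(b)), n)
        for mac, (a, b, n) in best.items()
    }


if __name__ == "__main__":
    for mac, (first, last, n) in find_sweepers(SAMPLE).items():
        print(f"{mac} swept {first}..{last} ({n} sequential ARP requests)")
```
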

New Member

Re: Too many ARP broadcasts

It isn't an administrator; we have already checked. The PCs are used by regular users in the network.

We have tracked some machines and we are checking what's on those machines. I'll post any progress.

Any more advice is greatly appreciated.

New Member

Re: Too many ARP broadcasts

Hi,

Also make sure that proxy ARP is disabled.

Proxy ARP is only used when no gateway is configured on the client. So the ARP broadcasts stay local on the segment.

Proxy ARP is enabled by default on Cisco.

On the VLAN interface, configure:

no ip proxy-arp

Cheers

Jorg

New Member

Re: Too many ARP broadcasts

I'll try the storm-control first so we will see what's going on.

We have also detected a new virus in the network, so I don't know if there is a connection between the two.

New Member

Re: Too many ARP broadcasts

Sorry for not posting for a while. Anyhow, the problem with the ARP broadcasts was a virus that spread through the network and a few zombie computers.

We have managed to contain and eliminate the virus since then. Thanks, everyone, for the help.

Hall of Fame Super Silver

Re: Too many ARP broadcasts

Igor

Thank you for posting back to this thread and indicating that you had resolved the issue and explaining what the issue was. It makes the forum more useful when people can read about an issue and can get confirmation of what the issue turned out to be and how it was resolved.

HTH

Rick
