Re: Monitoring a switched port with no span but seeing too much
Not looking to start a panic, but if you do a capture of those packets do you see the IP addresses for those ARPs incrementing sequentially? If so you may have one of those nasty worms that have been going around the Internet, Blaster or Nachi. The ARPs might be happening because of pings that these worms do, looking for other hosts to infect.
Another thing to do is check if you're seeing lots of pings from certain IPs on your network(s). And are they ping-scanning sequentially? You may have to set up a SPAN port to capture this stuff; ideally, on a port that is acting as the uplink to a Layer 3 device, so that you can see everything that's going through that uplink. (Even better, you may want to SPAN as close to the Layer 3 interfaces as you can get.)
If the switch knows where the MAC is, it won't broadcast for it because it already knows where it lives. If a Layer 3 device has already resolved a valid IP address to a MAC address, then it will have no reason to ARP repeatedly for that information. That stuff stays cached in a Cisco router's ARP table for something like 4 hours by default, I think.
One of my customers had a Nachi infection on their network. A handful of machines running hundreds of pings per second each can saturate a L3 device, even a switch (theirs was a 3Com CoreBuilder 3500). We couldn't telnet it or route through it, had to console cable in and set their equivalent of a SPAN port to monitor each VLAN and identify the offending machines. A Cisco switch that can do ACLs is on order to replace the 3Com one (which can do ACL equivalents too, but it takes much longer to code them into the box; the Cisco switch is much easier).
Besides pings, some of the other identifying characteristics we saw were a lot of connection attempts looking for TCP port 135 (which Microsoft uses for Remote Procedure Calls, or RPCs), but not getting replies.
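The three checks the reply suggests (ARP requests whose target addresses increment sequentially, a high ping rate from a few sources, and SYNs to TCP/135 that never get a SYN-ACK back) can be scripted against a text capture. The following is an added example, not code from the original post or from Cisco; it parses a constructed tcpdump-style summary (the lines and addresses are made up for illustration) and reports hosts that trip more than one indicator. The line format and thresholds are assumptions; adjust them to whatever your capture tool actually prints.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in tcpdump-like text form (not a real capture). Host
# 10.1.1.50 ARPs for consecutive addresses, pings them, then probes tcp/135;
# host 10.1.1.9 makes a single legitimate-looking connection.
SAMPLE_LINES = """\
12:00:01.000 ARP, Request who-has 10.1.1.1 tell 10.1.1.50
12:00:01.010 ARP, Request who-has 10.1.1.2 tell 10.1.1.50
12:00:01.020 ARP, Request who-has 10.1.1.3 tell 10.1.1.50
12:00:01.030 ARP, Request who-has 10.1.1.4 tell 10.1.1.50
12:00:01.040 ARP, Request who-has 10.1.1.5 tell 10.1.1.50
12:00:01.050 ARP, Request who-has 10.1.1.6 tell 10.1.1.50
12:00:01.100 ARP, Request who-has 10.1.1.1 tell 10.1.1.9
12:00:02.000 IP 10.1.1.50 > 10.1.1.3: ICMP echo request
12:00:02.010 IP 10.1.1.50 > 10.1.1.4: ICMP echo request
12:00:02.100 IP 10.1.1.50.1040 > 10.1.1.3.135: Flags [S]
12:00:02.110 IP 10.1.1.50.1041 > 10.1.1.4.135: Flags [S]
12:00:02.120 IP 10.1.1.50.1042 > 10.1.1.5.135: Flags [S]
12:00:02.200 IP 10.1.1.3.135 > 10.1.1.50.1040: Flags [S.]
12:00:03.000 IP 10.1.1.9.2000 > 10.1.1.20.135: Flags [S]
12:00:03.050 IP 10.1.1.20.135 > 10.1.1.9.2000: Flags [S.]
""".splitlines()

# Assumed line shapes; real tcpdump output varies with options and version.
ARP_RE = re.compile(r"ARP, Request who-has (\S+) tell (\S+)")
ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo request")
TCP_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[(\S+)\]"
)


def longest_sequential_run(targets):
    """Length of the longest run of consecutive IPv4 addresses, in the order seen."""
    best = run = 1 if targets else 0
    for prev, cur in zip(targets, targets[1:]):
        run = run + 1 if int(cur) == int(prev) + 1 else 1
        best = max(best, run)
    return best


def sequential_arp_scanners(lines, min_run=5):
    """Map each ARP sender to its longest sequential who-has run, if it reaches min_run."""
    arps = defaultdict(list)
    for line in lines:
        m = ARP_RE.search(line)
        if m:
            arps[m.group(2)].append(ipaddress.ip_address(m.group(1)))
    runs = {src: longest_sequential_run(t) for src, t in arps.items()}
    return {src: run for src, run in runs.items() if run >= min_run}


def ping_sources(lines):
    """Count ICMP echo requests per source address."""
    counts = defaultdict(int)
    for line in lines:
        m = ICMP_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def unanswered_port_135_syns(lines):
    """Count, per source, SYNs to tcp/135 that never saw a matching SYN-ACK."""
    syns, answered = set(), set()
    for line in lines:
        m = TCP_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if dport == "135" and flags == "S":
            syns.add((src, sport, dst))
        elif sport == "135" and flags == "S.":
            answered.add((dst, dport, src))  # key it by the original client tuple
    counts = defaultdict(int)
    for src, _, _ in syns - answered:
        counts[src] += 1
    return dict(counts)


def suspect_hosts(lines, min_run=5, min_unanswered=2):
    """Hosts that trip the ARP-scan or the unanswered-135 indicator, with reasons."""
    arp = sequential_arp_scanners(lines, min_run)
    syn = unanswered_port_135_syns(lines)
    report = {}
    for host in set(arp) | set(syn):
        reasons = []
        if host in arp:
            reasons.append(f"sequential ARP run of {arp[host]}")
        if syn.get(host, 0) >= min_unanswered:
            reasons.append(f"{syn[host]} unanswered SYNs to tcp/135")
        if reasons:
            report[host] = reasons
    return report


if __name__ == "__main__":
    for host, reasons in suspect_hosts(SAMPLE_LINES).items():
        print(host, "->", "; ".join(reasons))
    print("ping counts:", ping_sources(SAMPLE_LINES))
```

Run it against `tcpdump -n` output saved from the SPAN port (piping through `splitlines()` as above); the ARP run length is the quickest tell, because a host resolving addresses it legitimately talks to will not walk the subnet in order.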