
ARP Broadcasts


jschweg (IS-IT--Management), Dec 19, 2002
Quick question for you guys.

I have a small setup consisting of the following:

T1 --> Cisco 2600 Router --> (2) 24 Port HP Unmanaged Switches --> Workstations

I'm not sure if this is normal or not, but I'm seeing a huge amount of ARP broadcasts originating from the interface on the 2600. Basically, each broadcast says "Who has this IP address, tell <interface on Cisco>".

Each broadcast seems to be in sequential order of IP address and doesn't really seem to stop at all.

Is there a configuration issue, or is all of this still backwash from the Blaster/Welchia worm? I know for a fact that none of my workstations/servers are infected (I was patched before the whole mess began), but are these other infected Internet machines that are ARPing for my machines?

Thanks for the info in advance.

 
Are the hosts on the 2 switches using a 1 to 1 nat? If so, then it's probably someone from the internet (or a worm) doing a port scan.
 
I figured that this was due to the worms. Thanks guys.

There is no NAT in place here; every machine has a public IP address and runs a firewall at the software/desktop level. Yes, I already know how horrible that is. I haven't been here too long and it's high on my list of things to revamp.

Is there anything I can do to stop all this traffic? It seems to take a significant performance toll.
 
Yep, sounds like a scanner of some kind. You could add some access-lists to the 2600 to block the incoming traffic from the Internet that could be causing the ARPs. (Most likely it is going to be ICMP packets.) But in order to really figure it out you might want to set up some accounting on the router or sniff the wire a little bit.

Here is what I use as an ACL to watch ICMPs inbound to my WAN side.

access-list 100 deny icmp any any echo log-input
access-list 100 permit ip any any

Then in the WAN interface you need to add the command:

ip access-group 100 in
ip accounting access-violations

Then if you want to see what IP's are pinging you and how many times you use the command:

show ip accounting access-violations

and it will print it out. Also it logs it to your logging buffer so that you can see it there as well, or a syslog if you have it.

This is good just to see what kind of packets are violating your access-lists, which in my case is just ICMP echoes (which I bet are the culprits). Anyways, let me know if you need more information.

Burke
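The `log-input` keyword in the ACL above makes IOS emit a `%SEC-6-IPACCESSLOG*` syslog message for each matching flow, and those messages are what you would read in the logging buffer or on a syslog server. The script below is an added example (not code from Burke or from the original thread) that parses such messages and groups them by source, so that one Internet host walking the subnet address by address stands out. The log lines are constructed for illustration; the regex follows the usual IOS message layout, but spacing varies between releases, so check it against your own `show logging` output. It also assumes the worm ACL quoted later in the thread (list 115) carries `log-input` as well.

```python
"""Summarise Cisco IOS access-list deny messages to find who is sweeping the subnet.

Added example for this thread, not code from the original posts. It reads the
%SEC-6-IPACCESSLOG* syslog lines that 'deny ... log' / 'log-input' entries
produce, then groups them by source so that a host probing address after
address shows up as one source with many distinct destinations.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: one Internet host walking 203.0.113.x with ICMP echo and
# TCP 135/4444 probes, a second host pinging a single address, and one
# unrelated syslog line that must be ignored. (ACL 115 is assumed to log too.)
LOG_LINES = """\
Dec 19 10:01:02.123: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 198.51.100.7 (Serial0/0.1 ) -> 203.0.113.10 (8/0), 1 packet
Dec 19 10:01:02.456: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 198.51.100.7 (Serial0/0.1 ) -> 203.0.113.11 (8/0), 1 packet
Dec 19 10:01:02.789: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 198.51.100.7 (Serial0/0.1 ) -> 203.0.113.12 (8/0), 1 packet
Dec 19 10:01:03.001: %SEC-6-IPACCESSLOGP: list 115 denied tcp 198.51.100.7(1033) (Serial0/0.1 ) -> 203.0.113.12(135), 1 packet
Dec 19 10:01:03.002: %SEC-6-IPACCESSLOGP: list 115 denied tcp 198.51.100.7(1034) (Serial0/0.1 ) -> 203.0.113.12(4444), 1 packet
Dec 19 10:01:05.000: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 192.0.2.99 (Serial0/0.1 ) -> 203.0.113.50 (8/0), 3 packets
Dec 19 10:02:00.000: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 198.51.100.7 (Serial0/0.1 ) -> 203.0.113.13 (8/0), 1 packet
Dec 19 10:02:00.500: %SYS-5-CONFIG_I: Configured from console by console
"""

# Field layout assumed from typical IOS output (verify against your release):
#   ...LOGDP: list 100 denied icmp SRC (IFACE [MAC]) -> DST (TYPE/CODE), N packet(s)
#   ...LOGP:  list 115 denied tcp SRC(SPORT) (IFACE [MAC]) -> DST(DPORT), N packet(s)
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>[A-Z]+): list (?P<acl>\S+) "
    r"(?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))?"
    r"(?: \((?P<iface>[^ )]+)[^)]*\))?"          # only present with log-input
    r" -> (?P<dst>\d+\.\d+\.\d+\.\d+)"
    r"(?:\((?P<dport>\d+)\)| \((?P<type>\d+)/(?P<code>\d+)\))?"
    r", (?P<count>\d+) packets?"
)


def parse_line(line):
    """Return the parsed fields of one ACL log message, or None for other lines."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["count"] = int(rec["count"])
    return rec


def summarize(text):
    """Aggregate denied packets per source: total count, distinct targets, services."""
    per_src = defaultdict(lambda: {"packets": 0, "dsts": set(), "ports": Counter()})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "denied":
            continue
        s = per_src[rec["src"]]
        s["packets"] += rec["count"]
        s["dsts"].add(rec["dst"])
        if rec["dport"] is not None:
            s["ports"][f"{rec['proto']}/{rec['dport']}"] += rec["count"]
        elif rec["type"] is not None:
            s["ports"][f"icmp type {rec['type']}/{rec['code']}"] += rec["count"]
    return dict(per_src)


def top_sweepers(summary, min_targets=3):
    """Sources that touched at least min_targets distinct addresses, busiest first.
    Returns (source, distinct_targets, packets) tuples."""
    rows = [(src, len(s["dsts"]), s["packets"])
            for src, s in summary.items() if len(s["dsts"]) >= min_targets]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))


if __name__ == "__main__":
    summary = summarize(LOG_LINES)
    for src, targets, packets in top_sweepers(summary):
        print(f"{src}: {targets} targets, {packets} packets, "
              f"services {dict(summary[src]['ports'])}")
```

IOS rate-limits these messages (the first matching packet is logged, then periodic summaries), so the packet counts here are a lower bound; the `show ip accounting access-violations` counters from the post give the totals, and this script tells you which source and which service are behind them. Feed it real data with `python3 script.py < logfile` by replacing `LOG_LINES` with `sys.stdin.read()`.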
 
Thanks for all of your suggestions, this is great.

DX1, I really like that technote from Cisco that included the sample ACL listed below:

access-list 115 deny udp any any eq 69
access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
access-list 115 deny udp any any eq 137
access-list 115 deny udp any any eq 138
access-list 115 deny tcp any any eq 139
access-list 115 deny udp any any eq 139
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any eq 593
access-list 115 deny tcp any any eq 4444
access-list 115 permit ip any any

I am actually planning on applying this ACL to my network, however I have one remaining question:

Which interface should I apply this ACL to, the WAN int or the LAN int? WAN int correct?

And also, should I apply this ACL for "in" and "out", or just "in"?

Thanks Guys!

 
OK, last question promise.

After I apply the ACL and everything is good and tested, I will have to do a:

copy running-config startup-config

Right? So then the config will be saved when the router is powered off.
 
First take a log of the serial and then a log of the Fast Ethernet port (ip accounting).
See whether this traffic is on the source or destination side of the Fast Ethernet or serial, and apply it accordingly. If possible, sniff the packets and try to find out the UDP/TCP ports on which the spurious traffic is propagating; this will help you a lot. After that the access-list can help.
As per the solution provided by dx1, that should help you a lot, and you can apply that on the Ethernet (ip access-group 115 in) and on the serial also (ip access-group 115 out/in).
This should solve your problem. If not, please provide the config file for a better solution.
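The "which interface, which direction" question can be settled on paper before touching the router: IOS evaluates an extended ACL top to bottom, the first matching entry wins, and every list ends in an implicit `deny ip any any`; an ACL bound `in` on an interface is checked as packets arrive on that interface, one bound `out` as they leave it. The model below is an added example (not code from the thread or from Cisco) that parses the two access-lists quoted in this thread and runs a few constructed packets through each possible binding. Interface names are taken from the posted config (Serial0/0.1 toward the T1, FastEthernet0/0 toward the switches); the public LAN prefix 203.0.113.0/24 and the scanner address 198.51.100.7 are assumed. Only `any` and `host A.B.C.D` address specs, `eq PORT` and the ICMP `echo` keyword are modelled, because those are the only forms the thread uses.

```python
"""Model Cisco IOS extended ACL evaluation and interface bindings on paper.

Added example for this thread, not code from the original posts or from Cisco.
Interface names come from the posted router config; the LAN prefix and the
scanner address are assumed; packets are constructed.
"""

# The two access-lists exactly as quoted in the thread.
ACL_100 = """
access-list 100 deny icmp any any echo log-input
access-list 100 permit ip any any
"""

ACL_115 = """
access-list 115 deny udp any any eq 69
access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
access-list 115 deny udp any any eq 137
access-list 115 deny udp any any eq 138
access-list 115 deny tcp any any eq 139
access-list 115 deny udp any any eq 139
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any eq 593
access-list 115 deny tcp any any eq 4444
access-list 115 permit ip any any
"""

ICMP_TYPES = {"echo": 8, "echo-reply": 0}
WAN, LAN = "Serial0/0.1", "FastEthernet0/0"   # from the posted config


def _take_addr(tokens):
    """Consume one address spec: 'any' or 'host A.B.C.D' (wildcards not modelled)."""
    tok = tokens.pop(0)
    if tok == "any":
        return "any"
    if tok == "host":
        return tokens.pop(0)
    raise ValueError("only 'any' and 'host A.B.C.D' are modelled here")


def parse_acl(text):
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT] [echo] [log|log-input]'
    lines into entry dicts, in the order IOS evaluates them."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        entry = {"acl": tokens[1], "action": tokens[2], "proto": tokens[3],
                 "dport": None, "icmp_type": None}
        rest = tokens[4:]
        entry["src"] = _take_addr(rest)
        entry["dst"] = _take_addr(rest)
        while rest:
            tok = rest.pop(0)
            if tok == "eq":
                entry["dport"] = int(rest.pop(0))
            elif tok in ICMP_TYPES:
                entry["icmp_type"] = ICMP_TYPES[tok]
            elif tok not in ("log", "log-input"):
                raise ValueError(f"unsupported keyword {tok!r} in: {raw}")
        entries.append(entry)
    return entries


def matches(entry, pkt):
    """Does this entry match the packet? 'ip' matches every protocol."""
    if entry["proto"] != "ip" and entry["proto"] != pkt["proto"]:
        return False
    if entry["src"] not in ("any", pkt["src"]) or entry["dst"] not in ("any", pkt["dst"]):
        return False
    if entry["dport"] is not None and pkt.get("dport") != entry["dport"]:
        return False
    if entry["icmp_type"] is not None and pkt.get("icmp_type") != entry["icmp_type"]:
        return False
    return True


def evaluate(entries, pkt):
    """First match wins; a packet matching no entry hits the implicit deny."""
    for entry in entries:
        if matches(entry, pkt):
            return entry["action"]
    return "deny"


def router_decision(bindings, pkt):
    """bindings maps (interface, 'in'|'out') to a parsed ACL. The packet is checked
    by the inbound ACL of the interface it arrives on and then, if still alive, by
    the outbound ACL of the interface it leaves on. Returns (verdict, where)."""
    for direction, iface in (("in", pkt["in_if"]), ("out", pkt["out_if"])):
        acl = bindings.get((iface, direction))
        if acl is not None and evaluate(acl, pkt) == "deny":
            return "deny", f"{iface} {direction}"
    return "permit", "forwarded"


def from_internet(proto, dst, **fields):
    """Constructed packet from the assumed scanner toward a LAN host."""
    return {"proto": proto, "src": "198.51.100.7", "dst": dst,
            "in_if": WAN, "out_if": LAN, **fields}


def from_lan(proto, src, dst, **fields):
    """Constructed packet from a LAN host toward the Internet."""
    return {"proto": proto, "src": src, "dst": dst, "in_if": LAN, "out_if": WAN, **fields}


if __name__ == "__main__":
    acl115 = parse_acl(ACL_115)
    packets = [("Internet->LAN tcp/445", from_internet("tcp", "203.0.113.12", dport=445)),
               ("LAN->Internet tcp/445", from_lan("tcp", "203.0.113.12", "192.0.2.9", dport=445)),
               ("Internet->LAN tcp/80", from_internet("tcp", "203.0.113.5", dport=80))]
    for label, bindings in [("115 in on WAN", {(WAN, "in"): acl115}),
                            ("115 in on LAN", {(LAN, "in"): acl115})]:
        for name, pkt in packets:
            print(f"{label:14} {name:23} -> {router_decision(bindings, pkt)}")
```

Running it shows the practical difference: with list 115 bound `in` on Serial0/0.1 the worm probe is dropped as it arrives, so the router never forwards it and therefore never has to ARP for the target workstation; bound `in` on FastEthernet0/0 the same probe is forwarded untouched, and that binding only catches probes leaving the LAN. `ip access-group 115 in` on the WAN subinterface is what stops the ARP storm; an outbound binding on the LAN side would do the same job, at the cost of the router doing a route lookup first.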

 
Yep... that's how you save the config.

I made a mistake... The correct syntax is "ip access-group 115 in", like HECLSUPPORT said.
 
I took a look at my config, I have a Serial 0/0 and the subinterface Serial 0/0.1 for frame relay I guess.

I apply the ACL to the subinterface? Here is the config for all my interfaces:

!
interface FastEthernet 0/0
ip address <ip> <subnet mask>
no ip directed broadcast
no shutdown
!
interface Serial 0/0
bandwidth 1536
encapsulation frame-relay IETF
frame-relay lmi-type ansi
no ip address
no shutdown
no fair-queue
!
interface Serial 0/0.1 point-to-point
ip unnumbered FastEthernet0/0
frame-relay interface-dlci 500 IETF
bandwidth 1536
no shutdown
!
ip route 0.0.0.0 0.0.0.0 Serial 0/0.1

Thanks!
 