Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations biv343 on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

repetative arps

Status
Not open for further replies.
jimfixit

jimfixit

MIS
Aug 5, 2003
116
US
what would make a switch or a router arp over and over, 6 - 10 seconds apart, for the same IP address?

Using wireshark I see my core switch arping for say, 10.1.3.117 and it will do so about a dozen times in a row in rapid succession then quit. Later I'll see the same thing for another IP address then another...and in between, normal arps...arp once for an IP and move on.

I see the same thing out of my router on the MPLS network...
Just odd I think.

 
Sort by date Sort by votes
Routing loop, proxy arping maybe, static one-way route only...does the MAC for the IP for which it is arping show up in sh mac-address-table or sh arp?

Burt
 
Upvote 0 Downvote
I assume your 'Core' switch is a router with an IP Interface in the particular VLAN? It will only do this if it hasn't got an ARP entry for a host it is attempting to forward traffic to - this is normal behaviour. What you need to find out is what host(s) is attempting to communicate with the host that isn't there.
If you have lots of Incomplete ARP entries on routers that interface directly with servers/workstations then it is likely to be some IP sweeping application - possibly legitimate, possibly malicious - that is sequentially going through IP addresses.
Do some investigation, get a network sniffer on and see if NetFlow is supported on your switches.

There are various NetFlow applications out there but have a look here for what sort of information you can get:


HTH

Andy
 
Upvote 0 Downvote
Thank you all. The entries are in the arp and mac table both. They don't have netflow turned on here because, at some point way back in the past when they turned it on, the network died from the stress (hard to imagine with 6513 sup 720's but...) Since then I've updated IOS on that box a time or two so hopefully whatever they encountered when they turned on netflow has been dealt with...or maybe there really is a loop but I would expect to see duplicate ip address errors or worse..really poor performance and we don't see those in evidence...

I will work on netflow and see what I can see.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Mober
  • Locked
  • Question
alot of arps 1
Replies
8
Views
64
Mober
Mober

Part and Inventory Search

Sponsor

Back
Top