Page 1 of 2 12 LastLast
Results 1 to 10 of 15

Thread: Router and ARP flooding

  1. #1

    Router and ARP flooding

    Hi Folks,
    I have a Cisco Cat3550 router, and 5 subnets, one of which is a rather large 172.16.0.0/16 subnet. Of late, I've seen this backbone router sending out ARP floods on this 65,000+ hosts network, effectively flooding it. Anyone have an idea why? Is this normal, and what purpose would it serve?

    Thanks a lot for your input,

    _Scim_
    _scimitar_

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    When you say ARP floods what kind of transmissions are they?
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  3. #3
    Well, I used Ethereal to capture traffic, and the router was broadcasting ARP requests incrementally for the entire Network like

    Who has 172.16.131.1 tell 172.16.0.253
    Who has 172.16.131.2 tell 172.16.0.253
    Who has 172.16.131.3 tell 172.16.0.253
    ...

    _Scim_
    _scimitar_

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Sounds like it is updating it's own tables. What protocols do you have running on the router?
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  5. #5
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    it supposed to arp on that network (ethernet perhaps?) to find mac addresses of the hosts on that subnet. but "fllooding" the subnet.... its odd
    router only does that when its a "new ip" and its mac isnt on router' arp table.
    Meu sítio

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  6. #6
    Only have RIPv1 running on the router. Regarding updating its arp tables, it wouldn't go about polling every ip on that net for an arp response would it? I would've thought building the Mac/port table would be just as in L2 switches, as and when frames are received on that port.

    Cacosapo, I didn't get what you meant by 'router only does that [flooding] when its a "new ip" and its mac isnt on router' arp table.'

    Thanks for the responses

    Scim
    _scimitar_

  7. #7
    Senior Member
    Join Date
    Dec 2001
    Posts
    291
    I've seen this happen when router memory is going bad and it has a tough time keeping track of whats going on, it's possible that it's answering queries from another device, in other words, something is going through the subnet an IP at a time and asking the router where each ip is this will cause the router to arp for an answer and of course send it on off. What other stuff you got going on in ethereal there? a good dump would be handy
    ~THEJRC~
    I\'ll preach my pessimism right out loud to anyone that listens!
    I\'m not afraid to be alive.... I\'m afraid to be alone.

  8. #8
    Trumpet-Eared Gentoo Freak
    Join Date
    Jan 2003
    Posts
    992
    Scimitar,

    As you know arp's only come , and are used in a layer 2 environment. Maybe you need so segment up your network more. Maybe install some more routers and definitely use more divided subnets.
    As a understand you have effectively /16 subnets without being segmented by layer3 devices ? IMHO a cisco 3550 ( http://www.cisco.com/en/US/products/hw/switches/ps646/ )
    is a switch ( a gigabit-root-switch ), which would explain you have that big subnets get flooded.
    Also if you really have that big subnets your bandwiths will get slow due to requests like for.ex. ARP.
    You can stop ARP-requests or layer2 - protocols by dividing networks with a layer3 device, most namely routers. This can also be achieved with implementing VLAN's if you have only a switched environment, but you definetely need routers. Did you implemented VLAN's ? etc etc ...

    Maybe a scheme of your networks would help us to solve your problem. More input on your backbone might be helpful too.

    Cheers
    Come and check out our wargame-site @ http://www.rootcontest.org
    We chat @ irc.smdc-network.org #lobby

  9. #9
    Senior Member
    Join Date
    Dec 2001
    Posts
    291
    Shrekkie does have a point, and after reading it I noticed I mistook your catalyst 3500 for a 3800 series router... eh... go finger. Either way, the 3500 is capable of layer 3 routing between Vlans, if your stuck in a budget rut you may want to look at using that feature to cut the traffic. I would in either case, follow shrekkies advice and segment up a bit.

    If your subnets really need to be as large as they seem I assume you have other switches in your topology that may be misconfigured or need a configuration change as well. The incrimental requests definately point to something odd (a scan going on somewhere) as switches typically learn pathing by examining traffic and not asking whats where.

    Could it be that some device is looking for something? whether it be someone running printer software that's scanning the subnet for a printer, or even something so odd as a box running as a honeynet (these will scan around to see what is and isnt in use)? Typically in brodcast storms and arp cache updates the requests are not so sequential.
    ~THEJRC~
    I\'ll preach my pessimism right out loud to anyone that listens!
    I\'m not afraid to be alive.... I\'m afraid to be alone.

  10. #10
    - back -

    Sorry, I couldn't get back to this thread earlier. Needed to give some attention to my academics over the end of the week.

    Regarding the router flooding, its not doing that regularly, but at what would seem random intervals of time. Maybe I can script ethereal to run at certain intervals, parse the results for ARPs from the router, and record/graph it. Or would anyone have an idea about a tool that does just that?

    Regarding the network scheme, I've a Cisco Cat3550, which provides routing between 4 different networks, 196.1.64.0/24, 196.1.65.0/24, 196.1.67.0/24 and 172.16.0.0/16. No Vlans are used, as the network has grown adhoc. I do realize the network has not only to be segmented further, but also undergo a major redesign, but that'd be the senior admin's decision. Me, I'm just the graduate student trying to make money and get experience .. and loving it.

    I'll see what I can find with periodic network sniffing. Again, thanx a lot for your feedback.

    Scim
    _scimitar_

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •