ARP packets with duplicated IP are received frequently


Hello, today I'd like to share with you a case in which the switch interface frequently receives ARP packets with duplicate IP addresses.

Issue Description

The customer periodically sees this message in the logs:

Aug 20 2019 12:05:09 DS-HUAWEI-L3-stack%%01ARP/4/ARP_DUPLICATE_IPADDR(l)[795]:Received an ARP packet with a duplicate IP address from the interface. (IpAddress=10.xx.41.100, InterfaceName=Vlanif114, MacAddress=f84f-xxxx-9289)

What is the cause of this?

Handling Process

Possible Causes:

1. The source IP address of the ARP packet was the same as the IP address of the interface that received the ARP packet.

2. The device receives a probe ARP packet.

The source IP address is 0.0.0.0, the destination IP address is the same as the IP address of the inbound interface that receives the packet, but the source MAC address is different from the MAC address of the inbound interface.

The process is as follows:

1. Check and confirm that no other interfaces on the network are configured with the same IP address.

2. Confirm that the interface is not under attack.

3. Check the terminal MAC address f84f-xxxx-9289. It is found that the MAC address belongs to Cisco Sw3 interface gig0/1.

4. According to the captured packets, the Cisco switch sends a large number of ARP probe packets (source IP address is 0.0.0.0).

The Cisco switch sends gratuitous-arp to detect the physical link, and the source IP is 0.0.0.0. The source IP is not in use, so the Huawei switch shows alarms. 
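To triage captured frames against the two possible causes listed above, the check can be scripted. This is an added example, not code from the original post or from either vendor; the function names, the result labels, and the sample IP and MAC values are constructed assumptions.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

def mac_bytes(mac: str) -> bytes:
    """Accept Huawei (xxxx-xxxx-xxxx) or colon-separated MAC notation."""
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))

def classify_arp(frame: bytes, if_ip: str, if_mac: str) -> str:
    """Map a raw Ethernet frame to one of the two causes listed above."""
    if len(frame) < 14:
        return "not-arp"
    offset = 12
    if frame[offset:offset + 2] == b"\x81\x00":   # skip a single 802.1Q tag
        offset += 4
    if frame[offset:offset + 2] != b"\x08\x06":   # EtherType must be ARP
        return "not-arp"
    body = frame[offset + 2:]
    if len(body) < struct.calcsize(ARP_FMT):
        return "not-arp"
    htype, ptype, hlen, plen, _oper, sha, spa, _tha, tpa = struct.unpack_from(ARP_FMT, body)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return "other-arp"                        # not Ethernet/IPv4 ARP
    my_ip = socket.inet_aton(if_ip)
    if spa == my_ip:                              # cause 1: sender uses the interface IP
        return "duplicate-ip"
    if spa == bytes(4) and tpa == my_ip and sha != mac_bytes(if_mac):
        return "probe-conflict"                   # cause 2: 0.0.0.0 probe for the interface IP
    return "other-arp"

def build_arp(sha: str, spa: str, tpa: str, vlan=None) -> bytes:
    """Construct a sample ARP request frame (test data, not a capture)."""
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan)
    eth = b"\xff" * 6 + mac_bytes(sha) + tag + b"\x08\x06"
    return eth + struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1, mac_bytes(sha),
                             socket.inet_aton(spa), bytes(6), socket.inet_aton(tpa))

# Constructed values: documentation-range IP and locally administered MACs.
IF_IP, IF_MAC, PEER_MAC = "192.0.2.100", "0200-0000-0001", "0200-0000-0002"

if __name__ == "__main__":
    samples = [("probe", build_arp(PEER_MAC, "0.0.0.0", IF_IP, vlan=114)),
               ("claim", build_arp(PEER_MAC, IF_IP, "192.0.2.1")),
               ("normal", build_arp(PEER_MAC, "192.0.2.7", IF_IP))]
    for name, frame in samples:
        print(name, classify_arp(frame, IF_IP, IF_MAC))
```

A steady stream of `probe-conflict` results from a single peer MAC matches the behaviour described in this case, while `duplicate-ip` points to a real address conflict that needs step 1 of the process.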

Root Cause

When the Huawei switch receives the conflicting ARP probe packets, it records logs and informs the administrator (by reporting alarms). This meets the requirements of RFC 5227.

According to the RFC, a device is not allowed to send detection messages periodically. The Cisco switch frequently sends detection packets, which does not meet the RFC requirements.

So we think the Cisco device must not use the probe packets as keepalive packets.

The RFC link:

http://www.ietf.org/rfc/rfc5227.txt

Solution

1. If vlanif1 is used to communicate with the Cisco device, deny VLAN 1 on the interface that connects to the Cisco device.

  interface XGigabitEthernetx/x/x

    undo port trunk allow-pass vlan 1

2. If vlanif1 is communicating with the Cisco device, disable the alarm on the Huawei switch with the following commands.

3. This may be caused by special commands on Cisco devices. It is recommended that the customer check the Cisco device later.

