At 01:33 PM 8/15/01, Jim Dixon wrote:
>I wonder if what you suspect to be true, IS; that if you play with the
>arp cache timeouts a bit could you get a workaround?
>
>What do you think?

I didn't mean to imply that the temporary entries stay in the ARP cache for 
the full (default) four hours. But they could fill up the cache long enough 
to cause problems. Plus, in a lot of cases when Code Red is happening, the 
entries aren't temporary. The TCP SYNs are going to stations behind the 
router that do in fact respond to the ARP. So the entries stay in the ARP 
cache the full time or they get bumped because the cache is full and 
"thrashing" occurs.

I don't think reducing the ARP cache timeout would help since the cache is 
full and thrashing is occurring, according to the original poster. ARP 
thrashing is probably a symptom of a more serious problem that needs to be 
isolated. It may be Code Red. Or, not. He mentioned a lot of hubs. Perhaps 
the solution is to segment the network and add some router content (Layer-3 
switching) to the design.

Please do not send messages to my e-mail. I will forward them anyway.

Priscilla


>-----Original Message-----
>From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, August 15, 2001 12:49 PM
>To: [EMAIL PROTECTED]
>Subject: Re: ARP Thrashing [7:16147]
>
>
>Could this be a symptom of Code Red or some other attack?? Others in the
>list know a lot about Code Red and could comment hopefully. My thinking is
>that the router is getting overwhelmed not so much by the TCP SYNs to port
>80 but by the need to ARP for the targets. I believe the ARP cache could be
>affected by temporary entries (where the MAC address isn't yet known) and
>could fill up even if there are no responses to the ARPs.
>
>Priscilla
>
>At 06:13 AM 8/15/01, Muhammad Shakeel Shamsi wrote:
> >I am having an ARP thrashing error on a Cisco 2501 router, read about it on
> >www.cisco.com. Summary is that router has a queue length of 16 to store
> >ARPs, a new request kicks out old ARP already in the queue thus causing
> >thrashing of ARP, the concerned network is crowded with hubs. Any idea how
> >to solve this problem?
> >
> >Here is what I am getting on the router.
> >
> >Traceback= 317B062 317B30E 31A08E6
> >03:55:04: %SCHED-3-THRASHING: Process thrashing on watched queue 'ARP queue' (count 52).
> >-Process= "ARP Input", ipl= 6, pid= 6
> >-Traceback= 317B062 317B30E 31A08E6
>________________________
>
>Priscilla Oppenheimer
>http://www.priscilla.com
________________________

Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=16219&t=16147
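
One way to check the hypothesis raised in this thread from traffic records, as an added example that is not part of the original messages: count how many distinct hosts on the attached segment each source sends port-80 SYNs to within a short window, since every distinct target costs the router one ARP resolution. The record layout, the documentation-range addresses and the function name `sweep_sources` are assumptions; the threshold of 16 mirrors the queue length quoted by the original poster.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records: (milliseconds, source, destination, dst_port, is_syn).
# Addresses are documentation ranges, not values from the thread.
FLOWS = (
    [(i * 50, "198.51.100.7", f"192.0.2.{10 + i}", 80, True) for i in range(40)]
    + [(300, "203.0.113.5", "192.0.2.20", 80, True),
       (1100, "203.0.113.5", "192.0.2.20", 80, True),
       (1400, "203.0.113.9", "192.0.2.21", 25, True)]
)

def sweep_sources(flows, local_net, window_ms=1000, threshold=16, port=80):
    """Return {source: peak distinct local targets SYNed on `port` in any window}
    for sources whose peak exceeds `threshold`.

    Each distinct target behind the router needs its own ARP resolution, so the
    peak approximates the ARP load a single source induces on the router.
    """
    net = ipaddress.ip_network(local_net)
    per_src = defaultdict(list)
    for ts, src, dst, dport, is_syn in flows:
        if is_syn and dport == port and ipaddress.ip_address(dst) in net:
            per_src[src].append((ts, dst))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # Advance the window start until it spans at most window_ms.
            while events[end][0] - events[start][0] > window_ms:
                start += 1
            peak = max(peak, len({dst for _, dst in events[start:end + 1]}))
        if peak > threshold:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    for src, n in sweep_sources(FLOWS, "192.0.2.0/24").items():
        print(f"{src}: SYNs to {n} distinct local hosts within one second")
```

A source that repeatedly hits one web server is not flagged; only a source fanning out across the segment is, which separates scanning from ordinary load when isolating the cause of the thrashing.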