ARP Flooding from Cisco Router

Basically stated, I am experiencing serious ARP flooding from my Cisco router in one of my remote facilities. This facility is connected to the corporate network via EIGRP-routed traffic. But every hour or so, we receive an ARP flood such as the following:

10.11.x.x network
255.255.0.0 subnet

ARP flooding begins at 10.11.0.1 and enumerates ARP requests through and including 10.11.255.254.

We have updated all of the clients in the local subnet with all of the Microsoft Critical Updates and have run the Welchia removal tool from Symantec.  We still get these ARP Requests from our Cisco Router.

Any thoughts? I am at my wits' end. Thanks.
mville92 asked:
chicagoan commented:
Sure sounds like Welchia or a cousin...
You could deny ICMP to mitigate the problem if it's inside:

access-list 123 deny icmp any any echo
access-list 123 permit ip any any
interface Ethernet0
 ip access-group 123 in

Also, EIGRP in IOS 11-12 is vulnerable to a DoS attack if you haven't implemented EIGRP authentication using MD5 hashes or aren't using extended access lists to match your expected neighbors.


chucksmith commented:
Here is something to try; I use this all the time to see what is going on from my routers. It will eat up some resources, but believe me, it is well worth it. If you are running 12.x code on the router it should be fine.

Enable ip route-cache flow on your interfaces (all of them). Then give it some time, and then from an enable prompt type show ip cache flow.

You'll see a lot of data, but what you are mostly interested in will be the Source and Destination columns. Typically you see one source (listed a bunch of times) trying to talk to the world (hitting a lot of destination IP addresses). Another thing is that typically each of those destinations will only have 1 or 2 packets that were sent to it. Then I usually run a scanner against that machine to tell me if it has the patches installed. If any patch is not installed on the machine or I have any reason to believe it is vulnerable, I will go in and block the IP address pending further investigation. Of course, to do this you need your management support and such, which we luckily do.

If you can block the device at layer 2, that is the BEST option to contain it. Worst case scenario is to block it at layer 3 - but its better than nothing.

Hope this helps you out some,
Chuck
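The "one source, many destinations, one or two packets each" pattern Chuck describes can be pulled out of `show ip cache flow` output mechanically instead of by eye. The script below is an added example, not code from this thread: it parses the per-flow lines of a constructed NetFlow cache listing (hypothetical hosts 10.11.3.27 and 10.11.7.140, not anything captured from the asker's router) and ranks each source by how many distinct destinations it reached with a median of two packets or fewer.

```python
"""Pick the scanning host out of `show ip cache flow` output.

Added example, not from the original thread. It applies the heuristic from
the comment above (one source, many destinations, one or two packets each)
to a constructed sample of IOS NetFlow cache lines.
"""
import re
from collections import defaultdict
from statistics import median

# Per-flow lines in IOS `show ip cache flow` output look like:
#   SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
# with Pr, SrcP and DstP printed in hex. Summary lines above the table
# (size distribution, cache statistics) do not match and are skipped.
FLOW_RE = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dst_if>\S+)\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<proto>[0-9A-Fa-f]{2})\s+(?P<sport>[0-9A-Fa-f]{4})\s+"
    r"(?P<dport>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+)\s*$"
)

# Constructed sample (hypothetical hosts, not captured from the asker's router).
NORMAL_FLOWS = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Et0/0         10.11.2.15      Et0/1         10.11.1.5       06 0C3B 0050   842
Et0/1         10.11.1.5       Et0/0         10.11.2.15      06 0050 0C3B  1311
Et0/0         10.11.2.15      Et0/1         10.11.1.9       11 0035 0035     3
"""
# 10.11.3.27 sends one ICMP echo request to each of 40 consecutive hosts (a
# Welchia-style sweep); 10.11.7.140 sends two TCP/135 packets to each of 25.
ICMP_SWEEP = "".join(
    f"Et0/0  10.11.3.27  Et0/1  10.11.0.{h}  01 0000 0800  1\n" for h in range(1, 41)
)
TCP_SWEEP = "".join(
    f"Et0/0  10.11.7.140  Et0/1  10.11.5.{h}  06 04D2 0087  2\n" for h in range(1, 26)
)
SAMPLE_OUTPUT = NORMAL_FLOWS + ICMP_SWEEP + TCP_SWEEP


def parse_flows(text):
    """Return one dict per flow line; non-matching lines are ignored."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            f = m.groupdict()
            f["pkts"] = int(f["pkts"])
            flows.append(f)
    return flows


def describe_target(proto, dport):
    """Make the hex Pr/DstP columns readable. For ICMP the DstP column
    carries type*256+code rather than a port (0800 = echo request)."""
    p, d = int(proto, 16), int(dport, 16)
    if p == 1:
        return "ICMP echo request" if d == 0x0800 else f"ICMP type {d >> 8} code {d & 0xFF}"
    return f"{ {6: 'TCP', 17: 'UDP'}.get(p, f'proto {p}') }/{d}"


def find_scanners(flows, min_destinations=20, max_median_pkts=2):
    """Sources that touched at least `min_destinations` distinct hosts with a
    median of `max_median_pkts` packets or fewer per host, busiest first."""
    pkts_by_dst = defaultdict(lambda: defaultdict(int))   # src -> dst -> pkts
    targets = defaultdict(set)                            # src -> {(Pr, DstP)}
    for f in flows:
        pkts_by_dst[f["src"]][f["dst"]] += f["pkts"]
        targets[f["src"]].add((f["proto"], f["dport"]))

    suspects = []
    for src, dsts in pkts_by_dst.items():
        if len(dsts) < min_destinations:
            continue
        med = median(dsts.values())
        if med > max_median_pkts:
            continue
        suspects.append({
            "src": src,
            "destinations": len(dsts),
            "median_pkts": med,
            "targets": sorted(describe_target(p, d) for p, d in targets[src]),
        })
    suspects.sort(key=lambda s: -s["destinations"])
    return suspects


if __name__ == "__main__":
    for s in find_scanners(parse_flows(SAMPLE_OUTPUT)):
        print(f"{s['src']:<15} {s['destinations']:>4} hosts, "
              f"median {s['median_pkts']} pkt(s), {', '.join(s['targets'])}")
```

To use it on a real router, save the output of `show ip cache flow` to a file and feed the file's contents to `parse_flows`; the `min_destinations` threshold should be raised on busy segments, since a legitimate DNS or monitoring server also talks to many hosts, but those hosts normally see more than one or two packets each.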
chicagoan commented:
made any headway?