Re: arp table overflow due to windows worm
On Sat, Oct 16, 2004 at 01:39:29PM +0200, Benjamin Goedeke wrote:
> Henrique de Moraes Holschuh wrote:
>
> >Well, I have seen ARP overflows on very big flat networks (e.g.
> >172.16.0.0/16) for example. Is any of yours that big? Otherwise, why
> >would
> >the firewall be trying to resolve so many ARP addresses, instead of
> >forwarding the packets to its default gateway, or rejecting the IP packets
> >as unrouteable?
>
> My net has netmask /24 and the firewall is connected to an upstream
> router which sits in 134.102.0.0/16. The other gateway sits between my
> site and two /24 nets but this gateway doesn't seem to be affected.
So the gateway with the problem is the only one with a connection
to the outside world and they other is just to 2 other internal
nets?
The only reason it should do ARP is in case it wants to resolv an
address which he thinks is directly connected. Which should mean
all your internal IP addresses (or atleast those he tried to send
something to) your gateway.
> I noticed that the arp cache contains the very IP addresses the windows
> machines are trying to connect to. (And they all resolve to the same
> ethernet address, namely the one of the upstream router.)
This shouldn't happen and looks like a configuration error. For
external IP addresses it should only have the gateway in the arp
cache.
Kurt
Reply to: