问

S5560S-52S-EI+交换机频繁主动向全网发起ARP请求

ARP攻击防御

2025-03-20提问

0关注
0收藏，577浏览

zhiliao_HQqLRk

zhiliao_HQqLRk 二段

粉丝：0人关注：0人

问题描述：

一台H3C5560交换机做二层交换机用，只在interface vlan下配置了地址10.135.15.88做管理地址用，抓包发现该交换机每隔一秒钟就会向同网段内的其他IP地址发送大量ARP请求，该网段只做二层交换机的管理地址用，不同交换机之间也无通信需求，且查看交换机的ARP表项，也都有相关IP地址的ARP信息，请求专家解释一下

最佳答案

已采纳

无名之辈

无名之辈九段

粉丝：109人关注：0人

您好，根据你的描述，H3C5560交换机每隔一秒钟向同网段内的其他IP地址发送大量ARP请求，虽然该网段只做二层交换机的管理地址用，且不同交换机之间也无通信需求，但交换机的ARP表项中已有相关IP地址的ARP信息。以下是一些可能的原因及检查建议：

1. ARP Snooping功能问题

H3C5560交换机支持ARP Snooping功能，该功能会侦听ARP报文并建立ARP Snooping表项。如果配置不当，可能会导致频繁的ARP请求。可以检查交换机是否启用了ARP Snooping功能，并确认其配置是否正确。

2. 配置问题

检查交换机的配置，确认是否存在某些策略或配置项导致了频繁的ARP请求。例如，某些安全策略或流量控制策略可能会影响ARP请求的发送频率。

3. 网络环境问题

虽然整体网络稳定，但偶尔的网络波动或干扰可能导致交换机频繁发送ARP请求以维护其ARP表项。可以尝试在不同的网络环境下观察该现象是否依然存在。

4. 设备问题

检查交换机的软件版本是否为最新版本，旧版本可能存在已知的漏洞或问题。如果软件版本较旧，建议升级到最新版本。同时，也可以考虑是否存在硬件故障或性能问题，影响了交换机的正常工作。

5. ARP请求的正常行为

在某些情况下，交换机可能会定期发送ARP请求来维护其ARP表项，确保网络的连通性。如果ARP请求的频率在可接受范围内，且不影响网络性能，可能属于正常现象。

查看交换机没有多余配置，也没有手动启用ARP snooping功能，且网络环境为大二层环境，该ARP请求会在全网同网段的二层交换机之间发送广播，导致全网的同网段二层交换机都产生了广播风暴告警，目前不影响业务，但存在很大的二层隐患

zhiliao_HQqLRk 发表时间：2025-03-20 更多>>

zhiliao_HQqLRk 发表时间：2025-03-20

3 个回答

按时间按赞数

zhiliao_sEUyB

zhiliao_sEUyB 九段

粉丝：116人关注：9人

上配置看下

交换机业务有影响吗

<5F-WAIwang>dis cu # version 7.1.070, Release 6126P20 # sysname 5F-WAIwang # clock timezone beijing add 08:00:00 clock protocol none # telnet server enable # irf mac-address persistent timer irf auto-update enable undo irf link-delay irf member 1 priority 1 # lldp global enable # password-recovery enable # vlan 1 # vlan 7 to 10 # vlan 12 # vlan 16 # vlan 21 # stp global enable # interface NULL0 # interface Vlan-interface16 ip address 10.135.15.88 255.255.255.0 # interface GigabitEthernet1/0/1 port access vlan 16 shutdown stp edged-port # interface GigabitEthernet1/0/2 port access vlan 7 # interface GigabitEthernet1/0/3 port access vlan 12 # interface GigabitEthernet1/0/4 port access vlan 12 # interface GigabitEthernet1/0/5 port access vlan 12 # interface GigabitEthernet1/0/6 port access vlan 12 # interface GigabitEthernet1/0/7 port access vlan 21 # interface GigabitEthernet1/0/8 port access vlan 12 # interface GigabitEthernet1/0/9 port access vlan 21 # interface GigabitEthernet1/0/10 port access vlan 12 # interface GigabitEthernet1/0/11 port access vlan 12 # interface GigabitEthernet1/0/12 port access vlan 12 # interface GigabitEthernet1/0/13 port access vlan 12 # interface GigabitEthernet1/0/14 port access vlan 12 # interface GigabitEthernet1/0/15 port access vlan 7 # interface GigabitEthernet1/0/16 port access vlan 12 # interface GigabitEthernet1/0/17 description yjh port access vlan 12 # interface GigabitEthernet1/0/18 port access vlan 7 # interface GigabitEthernet1/0/19 description to D29 port access vlan 12 # interface GigabitEthernet1/0/20 description to D30 port access vlan 12 # interface GigabitEthernet1/0/21 description to D31 port access vlan 12 # interface GigabitEthernet1/0/22 description to D32 port access vlan 12 # interface GigabitEthernet1/0/23 description to D34 port access vlan 21 speed 1000 duplex full # interface GigabitEthernet1/0/24 description to D35 port access vlan 12 # interface GigabitEthernet1/0/25 description to D36 port access vlan 12 # interface GigabitEthernet1/0/26 description to D20 port access vlan 12 # interface GigabitEthernet1/0/27 description to D2 port access vlan 21 # interface GigabitEthernet1/0/28 description to D11 port access vlan 12 # interface GigabitEthernet1/0/29 port access vlan 12 # interface GigabitEthernet1/0/30 port access vlan 16 # interface GigabitEthernet1/0/31 description to D80 port access vlan 21 # interface GigabitEthernet1/0/32 description to hejingling port access vlan 21 # interface GigabitEthernet1/0/33 description to D9 port access vlan 12 # interface GigabitEthernet1/0/34 description TO N65 port access vlan 12 # interface GigabitEthernet1/0/35 description to D104 port access vlan 12 # interface GigabitEthernet1/0/36 description to D15 port access vlan 12 # interface GigabitEthernet1/0/37 description to D105 port access vlan 12 # interface GigabitEthernet1/0/38 description D27-LvJJ port access vlan 12 # interface GigabitEthernet1/0/39 port access vlan 12 # interface GigabitEthernet1/0/40 port access vlan 8 # interface GigabitEthernet1/0/41 port access vlan 12 # interface GigabitEthernet1/0/42 port access vlan 16 # interface GigabitEthernet1/0/43 port access vlan 12 # interface GigabitEthernet1/0/44 port access vlan 12 # interface GigabitEthernet1/0/45 port access vlan 21 # interface GigabitEthernet1/0/46 port access vlan 12 # interface GigabitEthernet1/0/47 port access vlan 7 # interface GigabitEthernet1/0/48 port access vlan 7 # interface M-GigabitEthernet0/0/0 # interface Ten-GigabitEthernet1/0/49 port link-type trunk port trunk permit vlan all # interface Ten-GigabitEthernet1/0/50 # interface Ten-GigabitEthernet1/0/51 # interface Ten-GigabitEthernet1/0/52 # scheduler logfile size 16 # line class aux user-role network-admin # line class usb user-role network-admin # line class vty user-role network-operator # line aux 0 user-role network-admin # line vty 0 4 authentication-mode scheme user-role network-operator # line vty 5 63 user-role network-operator # ip route-static 0.0.0.0 0 10.135.15.10 # snmp-agent snmp-agent local-engineid 800063A28004D7A5E5421A00000001 snmp-agent community read JSEGC%() snmp-agent sys-info version all # ssh server enable ssh user admin service-type stelnet authentication-type password # ntp-service enable ntp-service unicast-server 10.135.15.10 # radius scheme system user-name-format without-domain # domain system # domain default enable system # role name level-0 description Predefined level-0 role # role name level-1 description Predefined level-1 role # role name level-2 description Predefined level-2 role # role name level-3 description Predefined level-3 role # role name level-4 description Predefined level-4 role # role name level-5 description Predefined level-5 role # role name level-6 description Predefined level-6 role # role name level-7 description Predefined level-7 role # role name level-8 description Predefined level-8 role # role name level-9 description Predefined level-9 role # role name level-10 description Predefined level-10 role # role name level-11 description Predefined level-11 role # role name level-12 description Predefined level-12 role # role name level-13 description Predefined level-13 role # role name level-14 description Predefined level-14 role # user-group system # local-user admin class manage password hash $h$6$wi+2zi9+yKRrIpQm$wVGUy1hVOl40Xb1D4NkUeJm6fQds8kWcOrjLLC6ZODXDnYLW9yzIpA7hjLVXZ1APCV6zUdAEuppj2yushcL6rg== service-type telnet ssh authorization-attribute user-role network-admin authorization-attribute user-role network-operator # return

zhiliao_HQqLRk 发表时间：2025-03-20 更多>>

zhiliao_HQqLRk 发表时间：2025-03-20