Large number of ARP requests from a Cisco ASA 5510

Network Engineering  cisco  cisco-asa  arp
2022-03-03 14:38:31

An employee of our ISP wrote to me saying that a lot of our ARP requests are being sent to them.

ISP device log:

07:47:27.732242 ARP, Request who-has AAA.BBB.CCC.213 tell AAA.BBB.CCC.53, length 46
07:47:27.732318 ARP, Request who-has AAA.BBB.CCC.201 tell AAA.BBB.CCC.53, length 46
07:47:27.732323 ARP, Request who-has AAA.BBB.CCC.250 tell AAA.BBB.CCC.53, length 46
07:47:27.732392 ARP, Request who-has AAA.BBB.CCC.185 tell AAA.BBB.CCC.53, length 46
07:47:27.732441 ARP, Request who-has AAA.BBB.CCC.218 tell AAA.BBB.CCC.53, length 46
07:47:27.732491 ARP, Request who-has AAA.BBB.CCC.128 tell AAA.BBB.CCC.53, length 46
07:47:27.732541 ARP, Request who-has AAA.BBB.CCC.119 tell AAA.BBB.CCC.53, length 46
07:47:27.732591 ARP, Request who-has AAA.BBB.CCC.88 tell AAA.BBB.CCC.53, length 46
07:47:27.732641 ARP, Request who-has AAA.BBB.CCC.192 tell AAA.BBB.CCC.53, length 46
07:47:27.732691 ARP, Request who-has AAA.BBB.CCC.23 tell AAA.BBB.CCC.53, length 46
07:47:27.732741 ARP, Request who-has AAA.BBB.CCC.166 tell AAA.BBB.CCC.53, length 46
07:47:27.732745 ARP, Request who-has AAA.BBB.CCC.131 tell AAA.BBB.CCC.53, length 46
07:47:27.732841 ARP, Request who-has AAA.BBB.CCC.38 tell AAA.BBB.CCC.53, length 46
07:47:27.732845 ARP, Request who-has AAA.BBB.CCC.74 tell AAA.BBB.CCC.53, length 46
07:47:27.732899 ARP, Request who-has AAA.BBB.CCC.164 tell AAA.BBB.CCC.53, length 46
07:47:27.732942 ARP, Request who-has AAA.BBB.CCC.10 tell AAA.BBB.CCC.53, length 46
07:47:27.732991 ARP, Request who-has AAA.BBB.CCC.105 tell AAA.BBB.CCC.53, length 46
07:47:27.733062 ARP, Request who-has AAA.BBB.CCC.154 tell AAA.BBB.CCC.53, length 46
07:47:27.733092 ARP, Request who-has AAA.BBB.CCC.66 tell AAA.BBB.CCC.53, length 46
07:47:27.733140 ARP, Request who-has AAA.BBB.CCC.31 tell AAA.BBB.CCC.53, length 46
07:47:27.733190 ARP, Request who-has AAA.BBB.CCC.196 tell AAA.BBB.CCC.53, length 46
07:47:27.733285 ARP, Request who-has AAA.BBB.CCC.55 tell AAA.BBB.CCC.53, length 46
07:47:27.733298 ARP, Request who-has AAA.BBB.CCC.156 tell AAA.BBB.CCC.53, length 46
07:47:27.733341 ARP, Request who-has AAA.BBB.CCC.161 tell AAA.BBB.CCC.53, length 46
07:47:27.733390 ARP, Request who-has AAA.BBB.CCC.152 tell AAA.BBB.CCC.53, length 46
07:47:27.733741 ARP, Request who-has AAA.BBB.CCC.98 tell AAA.BBB.CCC.53, length 46
07:47:27.733840 ARP, Request who-has AAA.BBB.CCC.143 tell AAA.BBB.CCC.53, length 46
07:47:27.733905 ARP, Request who-has AAA.BBB.CCC.20 tell AAA.BBB.CCC.53, length 46
07:47:27.771681 ARP, Request who-has AAA.BBB.CCC.92 tell AAA.BBB.CCC.53, length 46
07:47:27.855905 ARP, Request who-has AAA.BBB.CCC.224 tell AAA.BBB.CCC.53, length 46
07:47:27.872221 ARP, Request who-has AAA.BBB.CCC.130 tell AAA.BBB.CCC.53, length 46
07:47:27.930621 ARP, Request who-has AAA.BBB.CCC.248 tell AAA.BBB.CCC.53, length 46
07:47:27.936899 ARP, Request who-has AAA.BBB.CCC.220 tell AAA.BBB.CCC.53, length 46
07:47:27.937428 ARP, Request who-has AAA.BBB.CCC.136 tell AAA.BBB.CCC.53, length 46
07:47:27.940523 ARP, Request who-has AAA.BBB.CCC.234 tell AAA.BBB.CCC.53, length 46
07:47:27.944966 ARP, Request who-has AAA.BBB.CCC.57 tell AAA.BBB.CCC.53, length 46
07:47:27.950973 ARP, Request who-has AAA.BBB.CCC.181 tell AAA.BBB.CCC.53, length 46
07:47:27.951954 ARP, Request who-has AAA.BBB.CCC.109 tell AAA.BBB.CCC.53, length 46
07:47:28.731936 ARP, Request who-has AAA.BBB.CCC.174 tell AAA.BBB.CCC.53, length 46
07:47:28.732036 ARP, Request who-has AAA.BBB.CCC.83 tell AAA.BBB.CCC.53, length 46
07:47:28.732090 ARP, Request who-has AAA.BBB.CCC.225 tell AAA.BBB.CCC.53, length 46
07:47:28.732140 ARP, Request who-has AAA.BBB.CCC.81 tell AAA.BBB.CCC.53, length 46
07:47:28.732145 ARP, Request who-has AAA.BBB.CCC.41 tell AAA.BBB.CCC.53, length 46
07:47:28.732215 ARP, Request who-has AAA.BBB.CCC.245 tell AAA.BBB.CCC.53, length 46
07:47:28.732285 ARP, Request who-has AAA.BBB.CCC.179 tell AAA.BBB.CCC.53, length 46
07:47:28.732290 ARP, Request who-has AAA.BBB.CCC.48 tell AAA.BBB.CCC.53, length 46
07:47:28.732336 ARP, Request who-has AAA.BBB.CCC.230 tell AAA.BBB.CCC.53, length 46
07:47:28.732419 ARP, Request who-has AAA.BBB.CCC.183 tell AAA.BBB.CCC.53, length 46

That is a lot of requests in a single second. Is this normal? If not, how can I fix this?

ASA configuration:

ASA Version 9.1(7)32 
!
hostname asa5510-cheb
domain-name 
enable password  encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd  encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address AAA.BBB.CCC.53 255.255.255.0 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.20.16.1 255.255.254.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 security-level 100
 no ip address
!
interface Ethernet0/3
 nameif reserve
 security-level 0
 ip address XXX.YYY.ZZZ.XXX 255.255.255.252 
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa917-32-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 
 name-server 
 domain-name 

access-list 198 extended permit ip 10.20.16.0 255.255.254.0 object-group MSKNET 
access-list spbACL extended permit ip object insideNET object spbNET 
access-list VoIP-Traffic extended permit ip any4 object-group PRIORITY 
access-list VoIP-Traffic extended permit ip object-group PRIORITY any4 
access-list yoshka_ipsec extended permit ip 10.20.16.0 255.255.254.0 10.20.12.0 255.255.255.0 
pager lines 24
mtu outside 1500
mtu inside 1500
mtu reserve 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static 10.20.16.0_inside 10.20.16.0_inside destination static MSKNET MSKNET no-proxy-arp route-lookup
nat (inside,any) source static insideNET insideNET destination static spbNET spbNET no-proxy-arp route-lookup
nat (inside,any) source static 10.20.16.0_inside 10.20.16.0_inside destination static YOSHKA YOSHKA no-proxy-arp route-lookup
!
object network 10.20.16.0_inside
 nat (inside,outside) dynamic interface
object network 10.20.16.212_host_12322
 nat (inside,outside) static interface service tcp ssh 12322 
object network 10.20.16.0_inside_reserve
 nat (inside,reserve) dynamic interface
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 AAA.BBB.CCC.1 1 track 1
route reserve 0.0.0.0 0.0.0.0 XXX.YYY.ZZZ.XXX 2 
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
aaa authentication serial console LOCAL 
snmp-server host inside 10.20.16.10 community  version 2c
snmp-server host inside 172.31.4.194 community 
no snmp-server location
no snmp-server contact
snmp-server community 
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
sysopt noproxyarp outside
sysopt noproxyarp inside
sysopt noproxyarp reserve
sla monitor 1
 type echo protocol ipIcmpEcho interface outside
 num-packets 5
 timeout 3000
 frequency 10
sla monitor schedule 1 life forever start-time now
crypto ipsec ikev1 transform-set DESSHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set 3DESMD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto map IPSec 10 match address 198
crypto map IPSec 10 set pfs 
crypto map IPSec 10 set peer 
crypto map IPSec 10 set ikev1 transform-set DESSHA
crypto map IPSec 10 set security-association lifetime seconds 86400
crypto map IPSec 20 match address yoshka_ipsec
crypto map IPSec 20 set pfs group5
crypto map IPSec 20 set peer 
crypto map IPSec 20 set ikev1 transform-set ESP-AES-256-SHA
crypto map IPSec 20 set security-association lifetime seconds 86400
crypto map IPSec 30 set peer 
crypto map IPSec 50 match address spbACL
crypto map IPSec 50 set pfs 
crypto map IPSec 50 set peer
crypto map IPSec 50 set ikev1 transform-set DESSHA 3DESMD5
crypto map IPSec 50 set security-association lifetime seconds 86400
crypto map IPSec interface outside
crypto map IPSec interface reserve
crypto ca trustpool policy
crypto isakmp identity address 
crypto ikev1 enable outside
crypto ikev1 enable reserve
crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 333
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 1 reachability
telnet timeout 5
ssh stricthostkeycheck
ssh  outside
ssh 0.0.0.0 0.0.0.0 inside
ssh  reserve
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
priority-queue outside
  tx-ring-limit 256
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
username prit password 
username radmin password 
username penguin password 
username dadmin password 
tunnel-group type ipsec-l2l
tunnel-group  ipsec-attributes
 ikev1 pre-shared-key 
tunnel-group  type ipsec-l2l
tunnel-group  ipsec-attributes
 ikev1 pre-shared-key 
tunnel-group  type ipsec-l2l
tunnel-group  ipsec-attributes
 ikev1 pre-shared-key 
tunnel-group  type ipsec-l2l
tunnel-group ipsec-attributes
 ikev1 pre-shared-key 
!
class-map inspection_default
 match default-inspection-traffic
class-map Voice-ACL
 match access-list VoIP-Traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect http allow-url-policy
 parameters
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect pptp 
  inspect icmp 
  inspect icmp error 
policy-map VoicePolicy
 class Voice-ACL
  priority
!
service-policy global_policy global
service-policy VoicePolicy interface outside
prompt hostname context 
Cryptochecksum:
: end
1 Answer

Yes, it is very common for the ARP table to be replicated on the ISP router facing the device, because at Layer 3 the device is configured with a connection to the ISP L3 interface, or to the default gateway of the public IP range subnet assigned to the device. Therefore, any request initiated from the LAN network towards the Internet forwards its packets to the ISP default gateway or to the L3 interface IP address configured on the ISP router; if the destination is on another network, the ISP router forwards the traffic further on to the destination based on its routing table.

As explained in the whole scenario, the ARP table is created on the ISP Layer 3 device as "public IP address mapped with MAC address".

Note: please make sure the ARP table shared by the ISP only shows "public IP mapped with MAC address".

If that is the case, it should not be private LAN addresses mapped to MAC addresses; if it is, then you should seriously reconsider your network topology.
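As an added example (not code from the question or the answer), the following script parses tcpdump-style ARP lines like the ones in the ISP log, counts requests per second coming from the ASA's outside address, and classifies every who-has target against the outside interface's connected subnet from the config (AAA.BBB.CCC.53/24), flagging targets that are off-subnet or RFC 1918 private, which is the condition the answer says should never appear in the ISP's ARP table. The sample lines and the 198.51.100.0/24 documentation range are constructed stand-ins for the masked addresses on the page.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the tcpdump format of the question's log; the
# 198.51.100.0/24 documentation range stands in for AAA.BBB.CCC.0/24 and
# one RFC 1918 target is included on purpose to exercise the check.
SAMPLE_LOG = """\
07:47:27.732242 ARP, Request who-has 198.51.100.213 tell 198.51.100.53, length 46
07:47:27.732318 ARP, Request who-has 198.51.100.201 tell 198.51.100.53, length 46
07:47:27.732323 ARP, Request who-has 198.51.100.250 tell 198.51.100.53, length 46
07:47:28.731936 ARP, Request who-has 198.51.100.174 tell 198.51.100.53, length 46
07:47:28.732036 ARP, Request who-has 10.20.16.212 tell 198.51.100.53, length 46
"""

RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ARP_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ ARP, Request who-has (?P<target>[\d.]+)"
                    r" tell (?P<sender>[\d.]+), length \d+$")

def parse_arp_requests(text):
    """Yield (second, target, sender) for each ARP request line; skip the rest."""
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            yield m["ts"], ipaddress.ip_address(m["target"]), ipaddress.ip_address(m["sender"])

def analyze(text, sender_ip, iface_cidr):
    """Count requests per second from sender_ip and classify each who-has target
    against the sender's connected subnet (the ASA's outside /24 in the question)."""
    net = ipaddress.ip_network(iface_cidr, strict=False)
    sender = ipaddress.ip_address(sender_ip)
    per_second = Counter()
    on_link, off_subnet, private = set(), set(), set()
    for ts, target, src in parse_arp_requests(text):
        if src != sender:
            continue
        per_second[ts] += 1
        (on_link if target in net else off_subnet).add(str(target))
        if any(target in p for p in RFC1918):
            private.add(str(target))  # private target on a public link: the case the answer warns about
    return {"per_second": dict(per_second),
            "peak_per_second": max(per_second.values(), default=0),
            "on_link": sorted(on_link), "off_subnet": sorted(off_subnet),
            "private": sorted(private)}

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG, "198.51.100.53", "198.51.100.53/24")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against the real capture with the outside address and mask from `interface Ethernet0/0` to see how many distinct on-link targets the ASA resolves per second and whether any private address ever shows up as a who-has target.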