show arp

Unanswered Question
Aug 4th, 2008

When I do a show arp on my PIX 501 I get this back:

AB01-BM-PIX(config)# show arp
outside 0002.cf0f.7109
outside 0002.cf0f.710e
outside 0002.cf0f.7109
inside 0080.6469.418c
inside 0080.6421.29f9
inside 0080.6469.4061
inside 001e.0b17.8990
inside 0080.6421.29fa
inside 0001.e679.b0c1
inside 0080.641c.32d5
inside 0080.6467.9dbb
inside 0080.641e.100b
inside 0008.8320.5840

I should only see:


which is my default gateway (route outside 1


So why am I seeing these others, and how do I take them out!

any ideas?

Farrukh Haroon Mon, 08/04/2008 - 09:05

No, it should not 'disconnect' them, but it might cause a slight delay (to re-learn the ARPs).



Farrukh Haroon Mon, 08/04/2008 - 08:57

It is normal to find the ARP entries of LAN hosts in the arp table of the ASA/PIX/FWSM.

Have a look at this:

"Every time an IP interface or link goes up, the driver for that interface will typically send a gratuitous ARP to preload the ARP tables of all other local hosts. Thus, a gratuitous ARP will tell us that that host just has had a link up event, such as a link bounce, a machine just being rebooted or the user/sysadmin on that host just configuring the interface up. If we see multiple gratuitous ARPs from the same host frequently, it can be an indication of bad Ethernet hardware/cabling resulting in frequent link bounces."

It is also populated when clients connect through the firewall to other zones. And as others pointed out, you can do 'clear arp' if you wish.



Danny Guillory Jr Mon, 08/04/2008 - 09:58

OK, I cleared the ARP and the IPs were gone! I checked show arp again 10 min later and those IPs are back!!!!!

any ideas?

dhananjoy chowdhury Mon, 08/04/2008 - 10:15


Is the outside interface connected to a switch with the default VLAN, or an unmanaged switch?

And other systems/devices are also connected on this switch?

Danny Guillory Jr Mon, 08/04/2008 - 10:20

At this location there should BE NOTHING else plugged into the switch! We have 1 modem, 1 switch, 1 501 and a few Wyse thin clients.

The PIX has a VPN tunnel to my main network, and my users use Terminal Services to connect to the RDP session of the servers!

These 2 outside connections concern me because I am looking at this and understanding that outside 0002.cf0f.7109 and outside 0002.cf0f.710e are connected to my PIX 501! *Am I correct?*

any ideas?

dhananjoy chowdhury Mon, 08/04/2008 - 10:29

From the MAC address it seems it is a modem or similar device.

MAC Address Prefix   Vendor
0002CF               ZyGate Communications

Farrukh Haroon Mon, 08/04/2008 - 10:31

If you observe closely you will find that all three MACs belong to "ZyGate Communications", which seems to be a Wi-Fi equipment manufacturer. Are you using wireless?

Also, two of the MACs are the same (so it also seems to be your ISP's address):

outside 0002.cf0f.7109
outside 0002.cf0f.710e
outside 0002.cf0f.7109

This kind of stuff happens frequently due to ISP misconfigurations/wireless bridging etc.

I would not worry too much about it; just secure the access-list on the outside interface and make sure management to your firewall is properly logged/monitored/secured.
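The two checks the replies above apply by hand (looking up the vendor from the first three octets of each MAC, and noticing that one MAC appears twice on the outside interface) are easy to automate when you review firewall ARP tables regularly. The script below is an added example and is not from the original thread or from Cisco; it parses the `show arp` text quoted in the question (embedded here as constructed sample input), resolves the OUI against a small lookup table whose only entry is the 0002CF/ZyGate row given in the thread (a real check would load the IEEE OUI registry), and reports interfaces with more entries than expected plus any MAC that is listed more than once on the same interface. The `expected_max` limits and the `audit` function name are assumptions of the example, not anything on the page.

```python
import re
from collections import Counter

# Constructed sample: the `show arp` output quoted in the question above.
SAMPLE_SHOW_ARP = """\
outside 0002.cf0f.7109
outside 0002.cf0f.710e
outside 0002.cf0f.7109
inside 0080.6469.418c
inside 0080.6421.29f9
inside 0080.6469.4061
inside 001e.0b17.8990
inside 0080.6421.29fa
inside 0001.e679.b0c1
inside 0080.641c.32d5
inside 0080.6467.9dbb
inside 0080.641e.100b
inside 0008.8320.5840
"""

# Constructed OUI table: only the 0002CF row comes from the thread.
# Replace with the IEEE OUI registry for real use.
OUI_VENDORS = {
    "0002CF": "ZyGate Communications",
}

# interface, optional IPv4 address, Cisco dotted MAC (aaaa.bbbb.cccc);
# the optional IP field covers the normal show arp layout that includes it.
ARP_LINE = re.compile(
    r"^\s*(?P<iface>\S+)\s+(?:(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+)?"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
)


def parse_show_arp(text):
    """Return (interface, ip_or_None, mac) tuples for every ARP line in text."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append((m.group("iface"), m.group("ip"), m.group("mac").lower()))
    return entries


def oui(mac):
    """First three octets of a Cisco-format MAC as uppercase hex, e.g. 0002CF."""
    return mac.replace(".", "").upper()[:6]


def vendor(mac, table=OUI_VENDORS):
    """Vendor name for the MAC's OUI, or 'unknown' if not in the table."""
    return table.get(oui(mac), "unknown")


def audit(entries, expected_max=None):
    """Flag per-interface anomalies.

    expected_max maps interface -> maximum number of ARP entries you expect
    there (e.g. {"outside": 1} when only the upstream gateway should answer).
    Also flags any MAC that appears more than once on one interface, since a
    single station answering for several IPs is the pattern discussed above.
    """
    expected_max = expected_max or {}
    findings = []
    per_iface = {}
    for iface, _ip, mac in entries:
        per_iface.setdefault(iface, []).append(mac)
    for iface, macs in per_iface.items():
        limit = expected_max.get(iface)
        if limit is not None and len(macs) > limit:
            findings.append(f"{iface}: {len(macs)} ARP entries, expected at most {limit}")
        for mac, n in Counter(macs).items():
            if n > 1:
                findings.append(f"{iface}: MAC {mac} ({vendor(mac)}) listed {n} times")
    return findings


if __name__ == "__main__":
    found = parse_show_arp(SAMPLE_SHOW_ARP)
    for iface, ip, mac in found:
        print(f"{iface:8} {ip or '-':15} {mac}  {vendor(mac)}")
    for finding in audit(found, {"outside": 1}):
        print("FINDING:", finding)
```

Run against the sample it reports the outside interface holding 3 entries instead of the expected 1, and 0002.cf0f.7109 (ZyGate Communications) listed twice; the inside entries, all unique, produce no findings. Feed it the output of `show arp` from a real device and an OUI registry to use it as a periodic check.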



JORGE RODRIGUEZ Mon, 08/04/2008 - 10:33

There must be something other than the router connected to that switch.

MAC address 0002.cf0f.710e is manufactured by ZyGate Communications, Inc. Do you have any equipment of this brand connected to the external switch? Perhaps the outside switch itself; what type of switch is it? How about the modem? Can you connect to that switch and do to see what else connects there?

mac address lookup
