Static ARP entry problem on 6500

Eli Barb · ‎12-01-2008

We've been having problems with our ARP tables either being overrun with entries or entries that don't timeout and relearn correctly. Either way it's caused us to be unable to manage some equipment until running "clear arp" on the 6500. After that the network relearns the ARP entries and you can once again communicate with the device. I mentioned this to another engineer and they said I might want to create static arp entries for all of my gear to prevent this in the future. So I tried it out first by starting with one of our VoIP phone adapters. Here's what I get, I've removed the ip address since it's public.

#arp x.x.x.x 0019.cb1c.105f arpa vlan 21

Bad ARP command - Interface may only be specified when bridging IP

But if I leave off "VLAN 21" the entry is taken without error, but there still seems to be a problem because the other learned arp entries show the correct VLAN information to the right, but my static entry does not. My VoIP adapter also seems to stop working when I configure the static ARP entry on the switch.

Internet x.x.x.x 76 001c.c465.a90e ARPA Vlan21

Internet x.x.x.x 9 0011.95bd.05c1 ARPA Vlan21

Internet x.x.x.x - 0019.cb1c.105f ARPA

Internet x.x.x.x 148 0004.f202.7780 ARPA Vlan21

Anyone have any recommendations or any clue to the behavior that I'm seeing?

Here's the configuration for the VLAN interface

interface Vlan21

description to ## Site 1 #

ip address 172.20.1.1 255.255.255.0 secondary

ip address x.x.x.x 255.255.255.128

ip helper-address x.x.x.x

no ip redirects

ip dhcp relay information trusted

Currently running version

s72033_rp Software (s72033_rp-PK9SV-M), Version 12.2(17d)SXB11a

Giuseppe Larosa · ‎12-01-2008

Hello Eli,

vlan 21 is a L3 object interface.

But it should be usable as parameter in the arp command.

This can be a platform specific issue.

However, you should verify also if the device(s) that are filling the ARP table are configured with proxy-arp enabled.

This can create problems if there are devices that answer with their MAC address instead of the legitimate devices.

find out these mac addresses and if the devices are under your control disable proxy-arp

use

int fx/y

no ip proxy-arp

Also I'm not sure that a static ARP cannot be overriden by an ARP message.

There have been other threads about this.

Hope to help

Giuseppe

Eli Barb · ‎12-01-2008

Thanks for the reply.

From what I'm reading a person only needs proxy-arp enabled if the hosts connected don't have a gateway IP configured or the devices are operating under the assumption of a flat network. Since most hosts will have the gateway information I can't find any compelling reason that Cisco would have this enabled by default. Is this something I can disable across the board without any negative repercussions?

I may be misunderstanding your last paragraph about a static arp entry being overwritten by an ARP message. Had you picked up from my question that I was asking if that was possible or were you suggesting that from your past experience you had seen or heard of a static entry being overwritten by an arp message?

Thanks again.

Eli

Giuseppe Larosa · ‎12-02-2008

Hello Eli,

in the past during a bug analysis for the versions used in a customer network I've seen some bugs that were telling a gratuitous ARP was even able to rewrite the ARP entry for the router lan interface itself !

Also there was another thread here in the forum in which in a similar issue static ARP entries were not able to avoid the entries to be overriden by dynamic entries.

So I'm not sure that static ARP entries can solve your issue: they may or they may not.

I think that some other device in the subnet has proxy-arp enabled and is answering to ARP requests instead of legitimate devices or even a PC infected with some malware that tries to make some Man in the middle attack

Hope to help

Giuseppe