Hi, can you help me clarify this:
I am just trying to understand the origin of the IP 22.214.171.124 since on my access layer switches I never saw that type of address range before in the arp table. The 126.96.36.199 belongs to an address space on a separate network department in my organization.
The topology is:
Servers connected to----2950-----L34507--->firewall->Upstream to corporate network.
Important: the 2950 switch was missing the default-gateway IP config (vlan 30 is routed on the L34507). Then I did a 'clear arp', I input the default-gateway IP and in the last 3 days I have never seen such 188.8.131.52 or other unusual IP there again.
That said, my understanding is that when a device connected to the 2950 switch attempts to reach a given destination IP address, since there was no default-gateway configured, the 2950 will broadcast trying to get a response from any device which has such IP address.
Then you can see that the 10.2.1.1 device, which is on my internal network, responded OK.
The part that I am not sure I understand is how this 184.108.40.206 (which is external to my network, beyond the layer 3 4507) also responded. Also, when I go to the L34507 I see the respective MAC 0000.0x07.ac03 there, but I did not see the external IP address 220.127.116.11. There were also at least 20 more different IPs (both internal and external) in the arp table on the 2950 which responded with the same 0000.0x07.ac03. Were these multiple arp entries caused by the fact that the 2950 was missing the default-gateway info?
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  18.104.22.168            3  0000.0x07.ac03  ARPA   Vlan30
Internet  10.2.1.1               230  0000.0x07.ac03  ARPA   Vlan30
Note: IP addresses and MACs have been edited and modified for privacy reasons.
The key point is that the default-gateway was missing on the L2 switch C2950.
Missing the default-gateway, the C2950 could talk to other IP subnets by relying on proxy ARP: for each possible IP address it was sending an ARP request for it. A cooperating router with proxy ARP enabled on it answered an ARP request for that IP address with its own MAC address.
Your addition of ip default-gateway changed the scenario: now the C2950 performs only one ARP request for the default gateway and uses that MAC address as destination MAC for all packets with an IP address destination out of its subnet.
Now no ARP entry for that IP address is present in the ARP cache.
To be honest there was recently a similar thread in which another colleague had observed the same behaviour.
So this should be the explanation of the strange "out of context" ARP entry you had noticed and why you don't see it anymore.
>> 0000.0x07.ac03. Was the reason of these multiple arp entries caused by the fact that the 2950 was missing the default-gateway info?
Absolutely yes: that HSRP VIP MAC address was sent as the answer to each ARP request. This is clearly proxy ARP in action.
Hope to help
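
The symptom discussed in this thread (one MAC answering for addresses outside the local subnet) can be checked for in a saved ARP table. The script below is an added example, not part of the original posts: the sample table, the 10.2.30.0/24 subnet for Vlan30 and the function names are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in "show ip arp" layout; all addresses are made up.
SAMPLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.2.30.5                -  0011.2233.4455  ARPA   Vlan30
Internet  10.2.30.1               12  0000.0x07.ac03  ARPA   Vlan30
Internet  10.2.1.1               230  0000.0x07.ac03  ARPA   Vlan30
Internet  192.0.2.77               3  0000.0x07.ac03  ARPA   Vlan30
Internet  10.2.30.20               8  00aa.bbcc.dd01  ARPA   Vlan30
"""

# Assumed subnet of the switch's own interface (not stated in the thread).
LOCAL_SUBNETS = {"Vlan30": ipaddress.ip_network("10.2.30.0/24")}


def parse_arp(text):
    """Return (ip, mac, interface) tuples from 'show ip arp' style output."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[0] != "Internet":
            continue  # header line or anything that is not an ARP entry
        _, addr, _age, mac, _type, iface = fields
        entries.append((ipaddress.ip_address(addr), mac, iface))
    return entries


def off_subnet_by_mac(entries, local_subnets):
    """Map each MAC to the addresses it answered for that lie outside the
    subnet of the interface the entry was learned on (proxy ARP indicator)."""
    hits = defaultdict(list)
    for ip, mac, iface in entries:
        net = local_subnets.get(iface)
        if net is not None and ip not in net:
            hits[mac].append(ip)
    return {mac: [str(ip) for ip in sorted(ips)] for mac, ips in hits.items()}


if __name__ == "__main__":
    found = off_subnet_by_mac(parse_arp(SAMPLE), LOCAL_SUBNETS)
    for mac, ips in found.items():
        print(f"{mac} answered for {len(ips)} off-subnet address(es): "
              f"{', '.join(ips)}")
```

An empty result after the default gateway is configured and the ARP cache is cleared matches what the original poster observed.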