Solved: Incomplete ARP

Mero Cisco · ‎01-21-2012

Hi,

I have connected my router to a switch and I have connected some PC in the same LAN. But when I issue show ip arp commands I am getting the incomplete arps, I have not such type of IP address in any of the computer. But I am getting those IP with incomplete ARP. What would be the problem ?

Router

int fa0/1

connected to branch 1

ip address 100.100.100.1 255.255.255.0

int fa0/0

connected to branch 2

ip address 100.100.108.1 255.255.255.0

Router#sh ip arp | in Inc

Internet 100.100.100.39 0 Incomplete ARPA

Internet 100.100.100.40 0 Incomplete ARPA

Internet 100.100.100.51 0 Incomplete ARPA

Internet 100.100.100.52 0 Incomplete ARPA

Internet 100.100.108.188 0 Incomplete ARPA

Internet 100.100.108.189 0 Incomplete ARPA

Internet 100.100.108.194 0 Incomplete ARPA

Internet 100.100.108.195 0 Incomplete ARPA

Internet 100.100.108.196 0 Incomplete ARPA

Internet 100.100.108.197 0 Incomplete ARPA

Internet 100.100.108.198 0 Incomplete ARPA

Internet 100.100.108.199 0 Incomplete ARPA

Waiting for response,

Mero

rsimoni · ‎01-22-2012

well, it is not a problem but just and indication that some host is trying to send trying to all those IP's which don't exist. You see them as your router received traffic with those IP in the destination field and triggered a ARP request for them in order to learn the L2 info (mac). Since those IP's don't exist you get incomplete entries.

There might be a legitimate application trying to connect to all host in those given subnets, or some malicious user trying to scan those subnets looking for something...

If you are worried and you wanto to know more try to deploy some strategies to see where those requests are coming from... i'e enable netflow on the WAN interface, or ip accounting, the IOS embedded packet capture or some smart ACL which logs traffic sent to those address. The actual strategy and tool to be used depends on the platform you use and the features available on the given patform/sw combination you have.

Riccardo

View solution in original post

johnlloyd_13 · ‎01-21-2012

hi mero,

this could mean your router is not receiving any ARP reply to those devices on your LAN. try to check your cabling and post your router and switch config.

Mero Cisco · ‎01-21-2012

Dear Johnlloyd,

I have no any computer or device with such ip's then how the ip is coming ?

Mero

johnlloyd_13 · ‎01-22-2012

Hi Mero,

Could you perform a clear arp and see if the same is still observed? Have you checked your Layer 1 connectivity?

Sent from Cisco Technical Support iPhone App

rsimoni · ‎01-22-2012

well, it is not a problem but just and indication that some host is trying to send trying to all those IP's which don't exist. You see them as your router received traffic with those IP in the destination field and triggered a ARP request for them in order to learn the L2 info (mac). Since those IP's don't exist you get incomplete entries.

There might be a legitimate application trying to connect to all host in those given subnets, or some malicious user trying to scan those subnets looking for something...

If you are worried and you wanto to know more try to deploy some strategies to see where those requests are coming from... i'e enable netflow on the WAN interface, or ip accounting, the IOS embedded packet capture or some smart ACL which logs traffic sent to those address. The actual strategy and tool to be used depends on the platform you use and the features available on the given patform/sw combination you have.

Riccardo