arp table entries from non existing layer3 vlan interface

Michael KARL · ‎02-21-2014

hello community

i have a strange behavior in my switch environment..

i have a 3750x switch stack which is the core switch in my network

there are some 2960s client switches with port-channel connected to that core switch

the core switch have different vlan interfaces. vlan1 for workstations and servers, vlan506 for management.

the client switches only have an management vlan interface (id506) - the native vlan1 is shutdown.

as i say, servers and workstations are located in vlan1. when i connect from a workstation, which have an ip address from vlan1, to the client switch and take an configuration backup using tftp on that workstation, the client switch insert an arp entry for this workstation - located in vlan1 - where the client switch dosent have an ip address..

when i troubleshoot this problem, i first see the mac address from the core switch vlan 506 interface and the ip address from the client in the arp table.

after few minutes the switch change the mac address to the real mac of the client..

this is strange because of arp.. the switch should not have arp entries from a layer3 interface in which he dosent have an ip adress.. am i right??

thank you in advance for your help, best regards and stay happy!

michael

Jon Marshall · ‎02-21-2014

Michael

Does the client switch have a default gateway configured ie. an IP in vlan 506 pointing to the VLAN 506 IP on the 3750 ?

If not can you post the output of "sh ip int vlan 506" from the 3750 ?

Jon

Michael KARL · ‎02-21-2014

hi Jon

Yes he have!

config client switch:

*****************************************

interface Vlan506

ip address 172.25.6.8 255.255.255.0

!

ip default-gateway 172.25.6.254

*****************************************

config core switch:

*****************************************

interface Vlan506

ip address 172.25.6.1 255.255.255.0

standby 1 ip 172.25.6.254

standby 1 priority 115

standby 1 preempt

standby 1 authentication md5 key-string 7 xxxxxxxxxxx

*****************************************

i have also tried to deactivate proxy-arp on the core switch - but no affects..

regards - michael

Jon Marshall · ‎02-21-2014

Hi Michael

I can see we were thinking along the same lines ie. proxy arp

I'm not sure what is happening then. Your understanding is correct ie. a switch with only one SVI should only have arp entries for other devices within that vlan including it's default gateway. It should not have any arp entries for devices from remote subnets as it would simply use it's default gateway to get to them.

Jon

Michael KARL · ‎02-21-2014

ok Jon, nevertheless thank you!

Jon Marshall · ‎02-21-2014

Michael

Just one quick check.

Is the native vlan the same on both sides of the trunk link. If not STP should kick in but you never know.

Jon

Michael KARL · ‎02-21-2014

yes Jon, it is. but one particularity, i have not vlan1 set as native vlan in case of vlan hopping prevention.

i have added a dummy vlan 1001 and use this as native vlan, so all other vlans are tagged..

i am not sure if i understand how STP should cause this problems..

Jon Marshall · ‎02-21-2014

Sorry what i meant was if you had accidentally configured the 2960 end of the trunk link to have a native vlan of 506 but the 3750 end to have a native vlan of 1 this could account for the arp getting through to the client.

You still shouldn't have seen what you did but i just wanted to rule out any issues.

The bit about STP was simply to say if the native vlan doesn't match it should actually block that vlan on the link that's all.

I wasn't suggesting the issue you are seeing was down to STP.

Jon

Michael KARL · ‎02-21-2014

ok, i understand.

the native vlan configuration is on both sites the same.

the STP dont block a vlan as i see in the database

paul driver · ‎02-21-2014

Hello

possible ip.icmp.redirects?

try turning this off and test?

res
paul

Sent from Cisco Technical Support Android App

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Michael KARL · ‎02-21-2014

hi Paul

i would like to try this but i dont know how to do.

can you tell me the commands?

regards - michael

paul driver · ‎02-21-2014

Hello

int xxx (svi)
no ip redirects

res
paul

Sent from Cisco Technical Support Android App

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Michael KARL · ‎02-21-2014

thank you Paul, i try this on monday!

do i have interrupts after adding this command?

Jon Marshall · ‎02-21-2014

Hi Paul

I understand what you are saying about redirects but for that to work wouldn't the 2960 also need a L3 SVI in vlan 1 up/up as well. It only has an SVI in vlan 506 so even if it did get redirected it couldn't send it direct because it doesn't have an interface in that vlan,

It may be i am mssing something so not saying you are wrong.

Jon

paul driver · ‎02-21-2014

Hello

cannot see how.you would on the information you provided.

res
paul

Sent from Cisco Technical Support Android App

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul