×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Unwanted ARP entries

Unanswered Question
Aug 22nd, 2006
User Badges:

Hi Friends,


Wanted a clarification.


I have given a ip address of a /24 subnet on the physcial interface of the router. However I am seeing many arp entries from that subnet in the router which are not physcially allocated to any devices.


I was told by sum1 that the router will show all the arp entries of ips belonging to the subnet used on the router. If thats the case I should be seeing all the 255 as its a /24...which is not the case. Am seeing around 40-50 entries. Can you please comment on the same as to how to avoid these entries

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
vijayasankar Tue, 08/22/2006 - 03:15
User Badges:
  • Silver, 250 points or more

Hi,


How are you sure that those ips are not assigned to any device.

Can you check ping one of those ip addresses that you see in th ARP table.?

Can you provide the "show arp" output?

Do you observe that for all those ip addresses same MAC address is shown?


It could be possible that if static nat is configured on a firewall in your network on that subnet, the firewall will ARP for the static NAT'ed ip addresss on that segment.



Please provide your replies for the above queries.


-VJ


gpulos Tue, 08/22/2006 - 03:29
User Badges:
  • Blue, 1500 points or more

first off, you would not see 255 arp entries in a router arp table just because you have a /24 subnet.


you will only see an arp entry in a router arp table if that MAC address was routed/switched through the router.


if two hosts on the same subnet communicated directly with each other, you would not see an arp entry in the router.


if the router was part of the transmission between hostA and hostB then it would require an arp to determine what the MAC address of hostB system was. (likewise if the router needed to know hostA MAC address) this arp would then be stored in the routers arp table.


second, how many hosts do you have connected to your /24 subnet? from the sounds of it, you have at least 40-50 hosts.


in order to 'avoid' getting ARPs you would need to create accessList(s) allowing or denying the specific traffic from/to specific hosts or subnets.

(you might not want to deny ARPs since they are a key process in ip communications; verify first this is what you need or users might lose connectivity to network resources)


see this link for ACL configuration in IOS:

switches -

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml


routers -

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_command_reference_chapter09186a0080238b70.html#wp1116011

Richard Burts Tue, 08/22/2006 - 04:56
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

I agree that seeing the output of show ARP would be helpful.


I recently had the experience of doing show arp and seeing about 60 entries when I thought that there were not that many connected machines. When we looked further we discovered that one machine that was connected was doing address translation and responded to ARP for every address in its pool. When we looked at the 60 entries in the ARP table about 55 of them had exactly the same MAC address - quite a clue :)


HTH


Rick

vickyp183 Wed, 08/23/2006 - 02:27
User Badges:

Thanks to everyone for their valuable replies.


Am pasting the snapshot for the sh arp output. As you can see it shows ' incomplete' entries for the ips which are not assigned to any host. So working on the MAC address seems to be out of question.


I read on cisco that this can happen if u enable route-caching on the router. Have asked the customer to disbale it & check And also to enable cef at the interface level..as it was a suggested workaround on the site.


Will get back to you all once i have an reply


Regards,

Vicky

HCIL_ILL1#sh arp

Protocol Address Age (min) Hardware Addr Type Interface

Internet 59.163.58.160 0 Incomplete ARPA

Internet 59.163.58.161 0 Incomplete ARPA

Internet 59.163.58.174 0 Incomplete ARPA

Internet 59.163.58.172 0 Incomplete ARPA

Internet 59.163.58.173 0 Incomplete ARPA

Internet 59.163.58.189 0 Incomplete ARPA

Internet 59.163.58.142 0 Incomplete ARPA

Internet 59.163.58.148 0 Incomplete ARPA

Internet 59.163.58.157 0 Incomplete ARPA

Internet 59.163.58.226 0 Incomplete ARPA

Internet 59.163.58.231 0 Incomplete ARPA

Internet 59.163.58.235 0 Incomplete ARPA

Internet 59.163.58.233 0 Incomplete ARPA

Internet 59.163.58.249 0 Incomplete ARPA

Internet 59.163.58.202 0 Incomplete ARPA

Internet 59.163.58.223 0 Incomplete ARPA

Internet 59.163.58.220 0 Incomplete ARPA

Internet 59.163.58.35 0 Incomplete ARPA

Internet 59.163.58.38 0 Incomplete ARPA

Internet 59.163.58.2 - 0017.59f3.7680 ARPA FastEthernet0/0

Internet 59.163.58.1 - 0000.0c07.ac00 ARPA FastEthernet0/0

Internet 59.163.58.10 7 0000.5e00.0103 ARPA FastEthernet0/0

mmorris11 Wed, 08/23/2006 - 05:07
User Badges:
  • Silver, 250 points or more

It looks like something is sweeping the range from another routed interface of the router. I would get busy!



mdouglasx Wed, 08/23/2006 - 08:10
User Badges:

Your router is recieving traffic destined to hosts that don't exist on a directly connected network, so when the router arps, it's unanswered. Those incomplete entries will age out in a couple of minutes. This is a non issue. If you're really paranoid you could null route the unused hosts.

Richard Burts Wed, 08/23/2006 - 09:30
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

It is helpful to see the ARP table. I agree with the other comments that the incomplete entries are the result of the router ARPing for the address and not getting a reply. If this is happening very much I think it would be good to wonder where the traffic is coming from. It sounds like someone is sweeping the subnet. That kind of behavior might be a benign thing but it might represent someone who is infected and is probing for other devices. This is a fairly common behavior with many of the worms.


As a side note, while it may be good to be sure that CEF is enabled, I do not see any way that CEF presence or absence has anything to do with these symptoms.


HTH


Rick

s.gosar Tue, 09/26/2006 - 03:47
User Badges:

Is there any way to find the real culprit? The IP that is scaning the LAN - Subnet?

Will CEF help?


We have a similler problem. Sniffer shows several ARPs, Router shows the incomplete ARP,

BUT is there a way to lay hands on the packet that was dropped due to no ARP entry and identify the 'Source' IP that sent the packet in the first place?

Actions

This Discussion