Cisco Support Community

New Member

ARP Tables vs MAC address tables


I have faced a strange problem recently. In the ARP table of the active HSRP router (Cisco WS-C6509-E (R7000)) an unknown MAC address was found (which was overwriting the MAC address of the firewall within the VLAN). On the standby router everything was OK. Moreover, that specific MAC address couldn't be found within the MAC address table of the active or standby switch (aggregation layer). A temporary workaround has been applied by setting a static ARP entry on both routers. However, we still cannot define how that is possible.

Please help.


Re: ARP Tables vs MAC address tables

There are a few possibilities I can think of:

1. A straightforward IP address conflict. But I would have expected to see the MAC address in the switch forwarding tables.

2. A malicious gratuitous ARP, and the forwarding table entry has already aged out.

3. A malicious gratuitous ARP sourced from a MAC address that is not the same as the one indicated in the gratuitous ARP.

4. Another router on the VLAN that is configured with a narrower mask and that is doing proxy ARP.

Is there anything special about the MAC address, e.g. HSRP address, multicast, etc.? Have you tried looking for the manufacturer ID in the first 3 octets?

Kevin Dorrell


New Member

Re: ARP Tables vs MAC address tables

Thanks for quick reply.

00:07:72:20:c4:bc Alcatel Shanghai Bell Co., Ltd.

But I forgot to mention that only 2 nodes are connected within this VLAN. The first is the firewall (whose MAC was overwritten) and the second is the ISA server.

We have checked the ARP tables of the firewall and didn't find that MAC. I don't know about the ISA server since it is managed by another company.

Re: ARP Tables vs MAC address tables

The fact that the MAC address belongs to Alcatel should be sounding alarm bells by now, especially if the ISA server does not have an Alcatel NIC.

I would be looking for rogue routers, wireless APs, and similar. If you want to nail down your security, make sure that the VLAN goes to the two nodes and only to the two nodes. The static ARP entry for the firewall is already an excellent move. Try sniffing the VLAN for broadcasts or floods from the rogue MAC address.

Kevin Dorrell
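As an added defender-side example (not code from this thread, from Cisco, or from either poster), the Python audit below does what the replies above point at when you sniff the VLAN: it decodes raw ARP frames and flags gratuitous ARPs, frames whose Ethernet source differs from the ARP sender hardware address (possibility 3 in the first reply), senders that overwrite a pinned binding such as the firewall's static ARP entry, and sender MACs absent from the switch forwarding table (the ARP-table/MAC-table discrepancy the original post describes). The firewall and ISA server addresses, the 10.0.0.0 subnet and the three sample frames are constructed for the example; only the Alcatel MAC is the one reported in the thread. A real run would feed it frames from a SPAN/mirror capture instead of `SAMPLE_FRAMES`.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


@dataclass
class ArpFrame:
    eth_src: str      # MAC in the Ethernet header (what the switch learns from)
    eth_dst: str
    oper: int         # 1 = request, 2 = reply
    sender_mac: str   # ARP sender hardware address (what the router's ARP table learns from)
    sender_ip: str
    target_mac: str
    target_ip: str


def parse_arp_frame(frame: bytes) -> Optional[ArpFrame]:
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP; None for anything else."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpFrame(mac_str(eth_src), mac_str(eth_dst), oper, mac_str(sha),
                    ip_str(spa), mac_str(tha), ip_str(tpa))


def build_arp_frame(eth_src: str, eth_dst: str, oper: int, sender_mac: str,
                    sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Assemble a raw ARP frame; used here only to construct the sample capture."""
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def audit_arp(frames: Iterable[bytes], pinned: Dict[str, str],
              switch_mac_table: Set[str]) -> List[Tuple[str, str]]:
    """Return (reason, detail) alerts for suspicious ARP traffic.

    pinned: IP -> MAC bindings you trust (e.g. the static ARP entries for the firewall).
    switch_mac_table: MACs the aggregation switches actually have in their forwarding tables.
    """
    alerts: List[Tuple[str, str]] = []
    learned = dict(pinned)  # pinned entries are never overwritten by observed traffic
    for raw in frames:
        f = parse_arp_frame(raw)
        if f is None:
            continue
        # Frame source and ARP payload disagree: the host sending the frame is
        # announcing a hardware address that is not its own.
        if f.eth_src != f.sender_mac:
            alerts.append(("eth-src/sha mismatch",
                           f"{f.eth_src} announced {f.sender_mac} for {f.sender_ip}"))
        # Gratuitous ARP: the sender talks about its own IP, nobody asked.
        if f.sender_ip == f.target_ip:
            alerts.append(("gratuitous arp", f"{f.sender_ip} claimed by {f.sender_mac}"))
        # A known IP now maps to a different MAC (the firewall being overwritten).
        prev = learned.get(f.sender_ip)
        if prev is None:
            learned[f.sender_ip] = f.sender_mac
        elif prev != f.sender_mac:
            alerts.append(("binding change", f"{f.sender_ip}: {prev} -> {f.sender_mac}"))
        # The router would learn this MAC, but no switch port has ever seen it.
        if f.sender_mac not in switch_mac_table:
            alerts.append(("mac not in switch table", f.sender_mac))
    return alerts


# Constructed sample: two legitimate nodes plus one rogue announcement.
FW_MAC, FW_IP = "00:11:22:33:44:01", "10.0.0.1"     # constructed
ISA_MAC, ISA_IP = "00:11:22:33:44:02", "10.0.0.2"   # constructed
ROGUE_MAC = "00:07:72:20:c4:bc"                      # the Alcatel OUI address from the thread

SAMPLE_FRAMES = [
    build_arp_frame(ISA_MAC, BROADCAST, ARP_REQUEST, ISA_MAC, ISA_IP, "00:00:00:00:00:00", FW_IP),
    build_arp_frame(FW_MAC, ISA_MAC, ARP_REPLY, FW_MAC, FW_IP, ISA_MAC, ISA_IP),
    # Sent from the ISA server's NIC but announcing a different hardware address for the firewall's IP.
    build_arp_frame(ISA_MAC, BROADCAST, ARP_REPLY, ROGUE_MAC, FW_IP, BROADCAST, FW_IP),
]


def run_sample() -> List[Tuple[str, str]]:
    return audit_arp(SAMPLE_FRAMES, {FW_IP: FW_MAC}, {FW_MAC, ISA_MAC})


if __name__ == "__main__":
    for reason, detail in run_sample():
        print(f"{reason:24s} {detail}")
```

The first two frames produce no alerts; the third trips all four checks at once. The "mac not in switch table" check is the programmatic form of the discrepancy in the original post: the ARP table on the active router learned a MAC that no switch in the aggregation layer had in its forwarding table, which is exactly what a spoofed sender hardware address looks like from the router's side.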