Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
939
Views
0
Helpful
1
Replies

Trying to understand origin of this unusual IP on ARP table

Go to solution
news2010a
Level 3
Level 3

‎02-22-2010 07:34 AM - edited ‎03-06-2019 09:50 AM

Hi, can you help me clarify this:

I am just trying to understand the origin of the IP 203.35.171.92 since on my access layer switches I never saw that type of address range before in the arp table. The 203.35.171.92 belongs to an address space on a separate network department in my organization.

The topology is:

Servers connected to----2950-----L34507--->firewall->Upstream to corporate network.

Important:the 2950 switch was missing the default-gateway IP config (vlan 30 is routed on the L34507). Then I did a 'clear arp', I input the default-gateway IP and in the last 3 days I have never seen such 203.35.171.92 or other unusual IP there again.

That said, my understanding is that when  a device connected to the 2950 switch attempts to reach a given destination IP address, since there was no default-gateway configured, the 2950 will broadcast trying to get a response from any device which has such IP address.

Then you can see that the 10.2.1.1 device, which is on my internal network, responded OK.

The part that I am not sure if I understand is how this 203.35.171.92 (which is external to my network, beyound the layer 3 4507) also responded? Also, if I go the L34507 I saw the respective MAC 0000.0x07.ac03 there but I did not see external IP addresses 203.35.171.92. There were also at least 20 more different IP's (both internal and external IP's) in the arp table in the 2950 which responded to same 0000.0x07.ac03. Was the reason of these multiple arp entries caused by the fact that the 2950 was missing the default-gateway info?

2950#show arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface

Internet  203.35.171.92           3   0000.0x07.ac03  ARPA   Vlan30

Internet  10.2.1.1                    230  0000.0x07.ac03  ARPA   Vlan30

Note:IP addresses and MAC's have been edited and modified due to privacy reasons.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎02-22-2010 10:10 AM

Hello Marlon,

the key point is that the default-gateway was missing on the L2 switch C2950.

Missing the default-gateway the C2950 could talk to other IP subnets by relying on proxy ARP: for each possible IP address it was sending an ARP request for it. A cooperating router with proxy ARP enabled on it answered to an ARP request to that IP address with its own MAC address.

Your addition of ip default-gateway changed the scenario: now the C2950 performs only one ARP request for the default gateway and uses that MAC address as destination MAC for all packets with an IP address destination out of its subnet.

Now no ARP entry for that IP address is present in the ARP cache.

To be honest there was recently a similar thread in which another colleague had observed the same behaviour.

So this should be the explanation of the strange "out of context" ARP entry you had noticed and why  you don't see it anymore.

Edit:

>> 0000.0x07.ac03. Was the reason of these multiple arp entries caused by the fact that the 2950 was missing the default-gateway info?

absolutely yes that HSRP VIP MAC address was sent as answer to each ARP request this is clearly proxy ARP in action.

Hope to help

Giuseppe

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎02-22-2010 10:10 AM

Hello Marlon,

the key point is that the default-gateway was missing on the L2 switch C2950.

Missing the default-gateway the C2950 could talk to other IP subnets by relying on proxy ARP: for each possible IP address it was sending an ARP request for it. A cooperating router with proxy ARP enabled on it answered to an ARP request to that IP address with its own MAC address.

Your addition of ip default-gateway changed the scenario: now the C2950 performs only one ARP request for the default gateway and uses that MAC address as destination MAC for all packets with an IP address destination out of its subnet.

Now no ARP entry for that IP address is present in the ARP cache.

To be honest there was recently a similar thread in which another colleague had observed the same behaviour.

So this should be the explanation of the strange "out of context" ARP entry you had noticed and why  you don't see it anymore.

Edit:

>> 0000.0x07.ac03. Was the reason of these multiple arp entries caused by the fact that the 2950 was missing the default-gateway info?

absolutely yes that HSRP VIP MAC address was sent as answer to each ARP request this is clearly proxy ARP in action.

Hope to help

Giuseppe

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card