cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
702
Views
21
Helpful
12
Replies

4 devices using the same mac address in ARP Table. Explanation

Eric Boadu
Level 1
Level 1

Please tell me why four devices connected to the router sharing the same mac address showed on the arp table? I know this has to do with the firewall and listening devices but why all using the same mac address instead of it own? I'm trying to understand this scenerio. Please advice.

Internet 16x.1x.2x.1x - 0050.5486.5f60 ARPA Ethernet0/0

Internet 16x.1x.2x.1x 1 0040.1017.2d64 ARPA Ethernet0/0

Internet 16x.1x.2x.1x 11 0040.1017.2d64 ARPA Ethernet0/0

Internet 16x.1x.2x.2x 216 0040.1017.2d64 ARPA Ethernet0/0

Internet 16x.1x.2x.2x 88 0040.1017.2d64 ARPA Ethernet0/0

Internet 16x.1x.2x.2x 166 0040.1017.2d64 ARPA Ethernet0/0

1 Accepted Solution

Accepted Solutions

No problems at all... I guess it's given us an opportunity to learn a bit about proxy-ARP and the potential issues it can cause.

Paresh

View solution in original post

12 Replies 12

pkhatri
Level 11
Level 11

One possible reason could be that you have a route pointing to the Ethernet interface without a next-hop IP specified. Therefore, your PIX is sending out ARPs for addresses that are not locally connected. In such a case, you may have a router with proxy-ARP enabled that is responding to all of these addresses with its own IP address.

Hope that helps - pls rate the post if it does.

Paresh

Thank you Paresh. There is a route pointing to the Ethernet0/0 interface. Do you think this type of traffic could cause network congestions?

Eric

Well, it does result in unnecessary ARP traffic and is not a good thing for the router that is responding to it. I would change the router to point to a next-hop IP address, if I were you.

Pls do remember to rate posts.

Paresh

Should neighbor x.x.x.x next-hop statement be added? Current config. Please advice if additional statement should be add or remove.

Eric

router eigrp 1

passive-interface Ethernet0/0

network 10.0.0.0

network 16x.1x.0.0

metric weights 0 0 0 1 0 0

distribute-list 90 out

no auto-summary

eigrp log-neighbor-changes

Eric,

You should really be looking for a stic route in the following form:

ip route x.x.x.x y.y.y.y Ethernet0/0

Do you have something like the above configured ? If you do, that is the culprit...

Paresh

Issuing show run and found no ip route pointing to the Ethernet0/0. But show ip route came as see below. So it look like pointing traffic by ip route x.x.x.x y.y.y.y to the Ethernet0/0 will help eleviate network congestions. Your thought please.

Eric

Gateway of last resort is 16x.1x.2x.1x to network 0.0.0.0

16x.1x.0.0/16 is variably subnetted, 2 subnets, 2 masks

C 16x.19x.254.1x/30 is directly connected, Serial0/0.111

C 16x.19x.232.1x/26 is directly connected, Ethernet0/0

D*EX 0.0.0.0/0 [170/514560] via 16x.19x.254.1x, 11:52:57, Serial0/0.111

Hmmm.. it seems that you might have a different issue here. That issue I was referring to is caused by the presence of a route pointing to an Ethernet interface. In this case, you don't have such a thing.

Is there anything common at all about those devices that are returning the same MAC address ?

Paresh

This router is connected to the main hub (Cisco 7500 serial)via serial0/0.111. Behind the 2600 serial router possible Pix firewall and the rest I don't know. customer complaining about drop packets and this is why arp table with same mac address cought my attention. This is one of US state agency network. Very complex and thought that might be an issue. But we are on right track I think. Your thought

Eric

Eric,

Just to get an idea of the extent of the problem, how many of these entries do you see in the ARP cache. If it's not a huge number, then your congestion problem lies elsewhere. I mean, the ARP thing needs to be investigated, but I don't believe that's the cause of any serious congestion.

On what link are you experiencing the congestion ?

Paresh

Paresh,

You know what, sorry for the confusing. I used wrong network for our discussing. This particular customer network is on Bellsouth MPLS network. I don't have an access to it but Bellsouth support confirmed seeing about 6 public IP address sharing the same mac address. Customer have firewall and I just confirmed that customer is using VoIP. I do know some VoIP devices do causes firewall or the router to drop packets unless the Voice ports are open. So this might be the issue. I was trying to understand the arp table and you put me in the right direct. I will verify with Bellsouth support if those ports are open on the router/firewall. Sorry for confusing you in earlier discussing.

Eric

No problems at all... I guess it's given us an opportunity to learn a bit about proxy-ARP and the potential issues it can cause.

Paresh

Yes, I've refresh proxy-arp. Thank you Paresh for all of your help and support for this forum. Have a great week!!

Thx

Eric

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: