Hello, we are seeing continuous ARP Incomplete entries (using debug ARP) on our Cisco 3640 internal interface; they are never deleted. I would appreciate any help on understanding why these requests are being made and how to stop them.
Did you try clearing ARP? What's the IOS code you are running in your box at present?
Usually incomplete entries point to the unreachability of the particular IP which is displayed out there.
Try to find out whether those incomplete entries belong to your local subnet or a different subnet altogether. Also, if they belong to the same local subnet, then try to find out whether they are powered on.
Also would suggest checking for any known worms or virus variants in your network, which may also be a possible reason for this.
You can do this using ip route-cache flow under the LAN interface and use show ip cache flow to find out the traffic patterns getting traversed, which can clear up most of the things.
If the router is attempting to route a packet to a destination it doesn't have an ARP entry for, it will ARP for it. If the host doesn't exist it will just create an incomplete entry. Depending on how often it does this, it might look like it's never timing them out.
If you're wide open to the internet using public IPs on your LAN, port scanners could cause this type of thing.
Thanks to both of you - I will get on it on Monday. How do I make sense of the route-cache flow to see if it is a worm or port scan? The offending ARPs are coming from our internal interface, and you are right, our router is open to the world.
Thanks - is there any way I can gather stats over time for this - e.g. SNMP? Sitting at a console pressing "ip cache flow" all the time does not appeal to me. We use a brilliant SNMP/RMON package called OpManager which can pull stats off almost anything, just wondering if Cisco's MIB has the ip cache flow in it somewhere...
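One way to read saved `show ip cache flow` output for the scan or worm pattern discussed above, as an added example that is not part of the original thread. The sample flow table is constructed, and the thresholds and function names are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict

# Constructed sample laid out like the per-flow table of `show ip cache flow`.
# Pr, SrcP and DstP are printed in hex; addresses are documentation ranges.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Se0/0         198.51.100.7    Et0/0         203.0.113.11    06 0C21 01BD     1
Se0/0         198.51.100.7    Et0/0         203.0.113.12    06 0C22 01BD     1
Se0/0         198.51.100.7    Et0/0         203.0.113.13    06 0C23 01BD     1
Se0/0         198.51.100.7    Et0/0         203.0.113.14    06 0C24 01BD     2
Se0/0         198.51.100.7    Et0/0         203.0.113.15    06 0C25 01BD     1
Se0/0         192.0.2.44      Et0/0         203.0.113.20    06 9C40 0050   120
Et0/0         203.0.113.20    Se0/0         192.0.2.53      11 C350 0035     2
"""

# One flow row: interfaces, dotted-quad addresses, hex protocol/ports, packet count.
ROW = re.compile(
    r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)\s*$"
)

def parse_flows(text):
    """Return (src, dst, proto, dport, pkts) per flow row; other lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            _sif, src, _dif, dst, pr, _sp, dp, pkts = m.groups()
            flows.append((src, dst, int(pr, 16), int(dp, 16), int(pkts)))
    return flows

def fan_out_suspects(flows, min_dsts=4, max_pkts=3):
    """Sources sending tiny flows to many distinct hosts on one protocol/port.

    That shape (one source, one port, many destinations, 1-3 packets each) is
    what a sweep looks like, and sweeps of unused addresses are what leave the
    router ARPing for hosts that never answer. Thresholds are assumptions.
    """
    targets = defaultdict(set)
    for src, dst, proto, dport, pkts in flows:
        if pkts <= max_pkts:
            targets[(src, proto, dport)].add(dst)
    return {k: len(v) for k, v in targets.items() if len(v) >= min_dsts}

if __name__ == "__main__":
    for (src, proto, dport), n in fan_out_suspects(parse_flows(SAMPLE)).items():
        print(f"{src} proto {proto} dport {dport}: {n} distinct destinations")
```

Comparing the flagged destinations against the addresses shown as Incomplete in the ARP table tells you whether the sweep and the ARP entries line up.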