Wanted a clarification.
I have given a ip address of a /24 subnet on the physcial interface of the router. However I am seeing many arp entries from that subnet in the router which are not physcially allocated to any devices.
I was told by sum1 that the router will show all the arp entries of ips belonging to the subnet used on the router. If thats the case I should be seeing all the 255 as its a /24...which is not the case. Am seeing around 40-50 entries. Can you please comment on the same as to how to avoid these entries
How are you sure that those ips are not assigned to any device.
Can you check ping one of those ip addresses that you see in th ARP table.?
Can you provide the "show arp" output?
Do you observe that for all those ip addresses same MAC address is shown?
It could be possible that if static nat is configured on a firewall in your network on that subnet, the firewall will ARP for the static NAT'ed ip addresss on that segment.
Please provide your replies for the above queries.
first off, you would not see 255 arp entries in a router arp table just because you have a /24 subnet.
you will only see an arp entry in a router arp table if that MAC address was routed/switched through the router.
if two hosts on the same subnet communicated directly with each other, you would not see an arp entry in the router.
if the router was part of the transmission between hostA and hostB then it would require an arp to determine what the MAC address of hostB system was. (likewise if the router needed to know hostA MAC address) this arp would then be stored in the routers arp table.
second, how many hosts do you have connected to your /24 subnet? from the sounds of it, you have at least 40-50 hosts.
in order to 'avoid' getting ARPs you would need to create accessList(s) allowing or denying the specific traffic from/to specific hosts or subnets.
(you might not want to deny ARPs since they are a key process in ip communications; verify first this is what you need or users might lose connectivity to network resources)
see this link for ACL configuration in IOS:
I agree that seeing the output of show ARP would be helpful.
I recently had the experience of doing show arp and seeing about 60 entries when I thought that there were not that many connected machines. When we looked further we discovered that one machine that was connected was doing address translation and responded to ARP for every address in its pool. When we looked at the 60 entries in the ARP table about 55 of them had exactly the same MAC address - quite a clue :)
Thanks to everyone for their valuable replies.
Am pasting the snapshot for the sh arp output. As you can see it shows ' incomplete' entries for the ips which are not assigned to any host. So working on the MAC address seems to be out of question.
I read on cisco that this can happen if u enable route-caching on the router. Have asked the customer to disbale it & check And also to enable cef at the interface level..as it was a suggested workaround on the site.
Will get back to you all once i have an reply
Protocol Address Age (min) Hardware Addr Type Interface
Internet 220.127.116.11 0 Incomplete ARPA
Internet 18.104.22.168 0 Incomplete ARPA
Internet 22.214.171.124 0 Incomplete ARPA
Internet 126.96.36.199 0 Incomplete ARPA
Internet 188.8.131.52 0 Incomplete ARPA
Internet 184.108.40.206 0 Incomplete ARPA
Internet 220.127.116.11 0 Incomplete ARPA
Internet 18.104.22.168 0 Incomplete ARPA
Internet 22.214.171.124 0 Incomplete ARPA
Internet 126.96.36.199 0 Incomplete ARPA
Internet 188.8.131.52 0 Incomplete ARPA
Internet 184.108.40.206 0 Incomplete ARPA
Internet 220.127.116.11 0 Incomplete ARPA
Internet 18.104.22.168 0 Incomplete ARPA
Internet 22.214.171.124 0 Incomplete ARPA
Internet 126.96.36.199 0 Incomplete ARPA
Internet 188.8.131.52 0 Incomplete ARPA
Internet 184.108.40.206 0 Incomplete ARPA
Internet 220.127.116.11 0 Incomplete ARPA
Internet 18.104.22.168 - 0017.59f3.7680 ARPA FastEthernet0/0
Internet 22.214.171.124 - 0000.0c07.ac00 ARPA FastEthernet0/0
Internet 126.96.36.199 7 0000.5e00.0103 ARPA FastEthernet0/0
Your router is recieving traffic destined to hosts that don't exist on a directly connected network, so when the router arps, it's unanswered. Those incomplete entries will age out in a couple of minutes. This is a non issue. If you're really paranoid you could null route the unused hosts.
It is helpful to see the ARP table. I agree with the other comments that the incomplete entries are the result of the router ARPing for the address and not getting a reply. If this is happening very much I think it would be good to wonder where the traffic is coming from. It sounds like someone is sweeping the subnet. That kind of behavior might be a benign thing but it might represent someone who is infected and is probing for other devices. This is a fairly common behavior with many of the worms.
As a side note, while it may be good to be sure that CEF is enabled, I do not see any way that CEF presence or absence has anything to do with these symptoms.
Is there any way to find the real culprit? The IP that is scaning the LAN - Subnet?
Will CEF help?
We have a similler problem. Sniffer shows several ARPs, Router shows the incomplete ARP,
BUT is there a way to lay hands on the packet that was dropped due to no ARP entry and identify the 'Source' IP that sent the packet in the first place?