Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Unwanted ARP entries

Hi Friends,

Wanted a clarification.

I have given a ip address of a /24 subnet on the physcial interface of the router. However I am seeing many arp entries from that subnet in the router which are not physcially allocated to any devices.

I was told by sum1 that the router will show all the arp entries of ips belonging to the subnet used on the router. If thats the case I should be seeing all the 255 as its a /24...which is not the case. Am seeing around 40-50 entries. Can you please comment on the same as to how to avoid these entries

8 REPLIES

Re: Unwanted ARP entries

Hi,

How are you sure that those ips are not assigned to any device.

Can you check ping one of those ip addresses that you see in th ARP table.?

Can you provide the "show arp" output?

Do you observe that for all those ip addresses same MAC address is shown?

It could be possible that if static nat is configured on a firewall in your network on that subnet, the firewall will ARP for the static NAT'ed ip addresss on that segment.

Please provide your replies for the above queries.

-VJ

Blue

Re: Unwanted ARP entries

first off, you would not see 255 arp entries in a router arp table just because you have a /24 subnet.

you will only see an arp entry in a router arp table if that MAC address was routed/switched through the router.

if two hosts on the same subnet communicated directly with each other, you would not see an arp entry in the router.

if the router was part of the transmission between hostA and hostB then it would require an arp to determine what the MAC address of hostB system was. (likewise if the router needed to know hostA MAC address) this arp would then be stored in the routers arp table.

second, how many hosts do you have connected to your /24 subnet? from the sounds of it, you have at least 40-50 hosts.

in order to 'avoid' getting ARPs you would need to create accessList(s) allowing or denying the specific traffic from/to specific hosts or subnets.

(you might not want to deny ARPs since they are a key process in ip communications; verify first this is what you need or users might lose connectivity to network resources)

see this link for ACL configuration in IOS:

switches -

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

routers -

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_command_reference_chapter09186a0080238b70.html#wp1116011

Hall of Fame Super Gold

Re: Unwanted ARP entries

I agree that seeing the output of show ARP would be helpful.

I recently had the experience of doing show arp and seeing about 60 entries when I thought that there were not that many connected machines. When we looked further we discovered that one machine that was connected was doing address translation and responded to ARP for every address in its pool. When we looked at the 60 entries in the ARP table about 55 of them had exactly the same MAC address - quite a clue :)

HTH

Rick

Community Member

Re: Unwanted ARP entries

Thanks to everyone for their valuable replies.

Am pasting the snapshot for the sh arp output. As you can see it shows ' incomplete' entries for the ips which are not assigned to any host. So working on the MAC address seems to be out of question.

I read on cisco that this can happen if u enable route-caching on the router. Have asked the customer to disbale it & check And also to enable cef at the interface level..as it was a suggested workaround on the site.

Will get back to you all once i have an reply

Regards,

Vicky

HCIL_ILL1#sh arp

Protocol Address Age (min) Hardware Addr Type Interface

Internet 59.163.58.160 0 Incomplete ARPA

Internet 59.163.58.161 0 Incomplete ARPA

Internet 59.163.58.174 0 Incomplete ARPA

Internet 59.163.58.172 0 Incomplete ARPA

Internet 59.163.58.173 0 Incomplete ARPA

Internet 59.163.58.189 0 Incomplete ARPA

Internet 59.163.58.142 0 Incomplete ARPA

Internet 59.163.58.148 0 Incomplete ARPA

Internet 59.163.58.157 0 Incomplete ARPA

Internet 59.163.58.226 0 Incomplete ARPA

Internet 59.163.58.231 0 Incomplete ARPA

Internet 59.163.58.235 0 Incomplete ARPA

Internet 59.163.58.233 0 Incomplete ARPA

Internet 59.163.58.249 0 Incomplete ARPA

Internet 59.163.58.202 0 Incomplete ARPA

Internet 59.163.58.223 0 Incomplete ARPA

Internet 59.163.58.220 0 Incomplete ARPA

Internet 59.163.58.35 0 Incomplete ARPA

Internet 59.163.58.38 0 Incomplete ARPA

Internet 59.163.58.2 - 0017.59f3.7680 ARPA FastEthernet0/0

Internet 59.163.58.1 - 0000.0c07.ac00 ARPA FastEthernet0/0

Internet 59.163.58.10 7 0000.5e00.0103 ARPA FastEthernet0/0

Silver

Re: Unwanted ARP entries

It looks like something is sweeping the range from another routed interface of the router. I would get busy!

Community Member

Re: Unwanted ARP entries

Your router is recieving traffic destined to hosts that don't exist on a directly connected network, so when the router arps, it's unanswered. Those incomplete entries will age out in a couple of minutes. This is a non issue. If you're really paranoid you could null route the unused hosts.

Hall of Fame Super Gold

Re: Unwanted ARP entries

It is helpful to see the ARP table. I agree with the other comments that the incomplete entries are the result of the router ARPing for the address and not getting a reply. If this is happening very much I think it would be good to wonder where the traffic is coming from. It sounds like someone is sweeping the subnet. That kind of behavior might be a benign thing but it might represent someone who is infected and is probing for other devices. This is a fairly common behavior with many of the worms.

As a side note, while it may be good to be sure that CEF is enabled, I do not see any way that CEF presence or absence has anything to do with these symptoms.

HTH

Rick

Community Member

Re: Unwanted ARP entries

Is there any way to find the real culprit? The IP that is scaning the LAN - Subnet?

Will CEF help?

We have a similler problem. Sniffer shows several ARPs, Router shows the incomplete ARP,

BUT is there a way to lay hands on the packet that was dropped due to no ARP entry and identify the 'Source' IP that sent the packet in the first place?

332
Views
0
Helpful
8
Replies
CreatePlease to create content