10-30-2003 01:52 AM - edited 03-02-2019 11:21 AM
I have two Catalyst 4006 w SupIII modules running IOS 12.1(19)EW. I use them as routers for my network and I use BGP and OSPF as routing protocols.
When I run sh ip arp I get a lot of addresses marked as incomplete.
Even on networks that only have 5 hosts the sh ip arp shows ip-addresses marked with incomplete mac-address even if the adress is not active and never have been.
Anybody knows anything that can cause this or why the arp-table shows this?
Regards
Fredrik Månsson
10-30-2003 05:47 AM
Someone is sending traffic to the ip adresses, so your router need to arp for it. You can try to debug ip (with care!!) or add a outbound acl w/log-input to see what traffic this is. You can also try ip accounting if possible.
10-30-2003 08:45 AM
It's probably either some legitimate device probing for active addresses, or it's an attack, probing for active addresses. It must be fairly consistent, since arp cache entries generally time out after four hours. Running debug arp isn't really going to help pin down where the packets are coming from that are causing all of these addresses to be probed...
What you need is debug ip packet with an acces list, and then make certain you can see the traffic that's coming through causing the arp requests. So, say you have some ethernet segment that has 10.1.1.1, 10.1.1.2, 10.1.1.3, and 10.1.1.4 on it, and you keep getting a bunch of incomplete arp's in the table. The way to catch the packets causing these incomplete arp's being built is:
access-list 101 deny any host 10.1.1.1
access-list 101 deny any host 10.1.1.2
access-list 101 deny any host 10.1.1.3
access-list 101 deny any host 10.1.1.4
access-list 101 permit any 10.1.1.0 0.0.0.255
debug ip packet 101
Now, this should work with cef enabled (I just tried it in the lab, and it worked on a 2600 and a 7200), since packets with no adjacency table entry in the cef table should be punted for processing, and then fail encap. They should look like this:
1w0d: IP: s=208.0.10.4 (Serial0/0), d=208.0.6.101 (FastEthernet0/0), g=208.0.6.101, len 100, forward
1w0d: IP: s=208.0.10.4 (Serial0/0), d=208.0.6.101 (FastEthernet0/0), len 100, encapsulation failed
Note the second ecnap failed. The access list should prevent you from seeing any legitimate traffic to known hosts on the network. Once you know what the source of the traffic it, you can try to figure out what sort of traffic it is, and if you need to try and keep it from continuing to come into your network.
Russ.W
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide