08-28-2019 03:35 AM
Hi all,
On a Cisco 887, DHCP hands out addresses. At this moment only one device is connected to the Cisco, but it still hands out multiple IPs with no MAC. Is this normal?
Router#sh arp vrf INTERNET
Protocol  Address       Age (min)  Hardware Addr   Type  Interface
Internet  x.x.59.177            -  xxxx.ae44.ffdc  ARPA  Vlan1
Internet  x.x.59.178            0  Incomplete      ARPA
Internet  x.x.59.179            0  xxxx.1699.dc5f  ARPA  Vlan1
Internet  x.x.59.180            0  Incomplete      ARPA
Internet  x.x.59.182            0  Incomplete      ARPA

ip dhcp excluded-address x.x.59.177
ip dhcp excluded-address x.x.59.233
ip dhcp excluded-address vrf INTERNET x.x.59.177
!
ip dhcp pool INTERNET
 vrf INTERNET
 network x.x.59.176 255.255.255.248
 default-router x.x.59.177
 dns-server 8.8.8.8 4.4.4.4
Can anyone tell me why this happens? Is this a standard procedure or did I do something wrong?
Thanks in advance
08-28-2019 06:05 AM
Hello m.x.,
if
>> network x.x.59.176 255.255.255.248
is a public network, someone from the internet is attempting to see what IP addresses are alive;
the router will try to make an ARP request, and if no host answers you see an incomplete entry.
As noted the show arp vrf INTERNET is not the same as the DHCP binding entries.
Hope to help
Giuseppe
08-28-2019 05:23 AM
This is not normal, you need to look into this.
It could be that the DHCP request/response is too slow for the client.
But the ARP table is not the same as the DHCP leases.
Do a "sh ip dhcp binding" to see the DHCP leases.
08-28-2019 07:21 AM
Thank you all for replying.
The 'show IP DHCP binding' showed the leased IP.
It's indeed possible that the Internet was looking for the addresses in the /29 range of the subnet. Some appliances use these IPs.
So I think the case is closed!
Thanks all!
08-28-2019 07:38 AM
Perhaps the case is closed. But I still want to make a comment about it. What you were seeing is entirely normal and does not reflect any mistake on your part. The most significant thing about those entries in the ARP table is that they are marked as incomplete. When a router receives an IP packet that it will attempt to forward to a locally connected subnet, it checks its ARP table to see if it has an entry for that address. If there is not an existing entry in the ARP table for that address, then the router sends an ARP request for that address, and creates an entry for that address in the ARP table (essentially it is creating a placeholder for that address), and it marks the entry as incomplete (because it does not yet have a MAC address for the entry). If that device exists and responds to the ARP request, then the router inserts the MAC address into the entry and that entry becomes a regular part of the ARP table. If there is no response to the ARP request after a timeout interval, then the router removes the incomplete entry.
So what you were seeing is that the router had received several IP packets to several addresses in the local subnet and had created incomplete entries for them. It is possible that the IP packets came from outside and are attempts to discover what addresses are used. It is also possible that the IP packets came from the device that is connected in the LAN (it might have some addresses in the PC configuration for printers, for DNS, or for other services that it is attempting to contact). In any case, what you were seeing is normal operation for a router and is not anything to be concerned about.
HTH
Rick
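The distinction the replies draw between ARP placeholders and DHCP leases can be checked mechanically. The script below is an added example, not part of the thread: it parses constructed output in the layout of `sh arp vrf INTERNET` and a simplified `show ip dhcp binding`, then reports which addresses are leased, which are only Incomplete placeholders, and how much of the subnet is being probed. The sample addresses, MACs and function names are assumptions made for illustration.

```python
import ipaddress
import re
# Constructed sample laid out like the thread's "sh arp vrf INTERNET" output;
# 203.0.113.176/29 (documentation range) stands in for the masked x.x.59.176/29.
ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  203.0.113.177           -   0011.ae44.ffdc  ARPA   Vlan1
Internet  203.0.113.178           0   Incomplete      ARPA
Internet  203.0.113.179           0   0022.1699.dc5f  ARPA   Vlan1
Internet  203.0.113.180           0   Incomplete      ARPA
Internet  203.0.113.182           0   Incomplete      ARPA
"""
# Constructed, simplified "show ip dhcp binding" output (one lease per line).
DHCP_OUTPUT = """\
IP address       Client-ID/Hardware address  Lease expiration      Type
203.0.113.179    0100.2216.99dc.5f           Aug 29 2019 03:35 AM  Automatic
"""
ARP_LINE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+(\S+)\s+ARPA(?:\s+\S+)?$")
LEASE_LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s")

def parse_arp(text):
    """Map IP -> MAC; None marks an Incomplete placeholder entry."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            ip, hw = m.groups()
            table[ip] = None if hw.lower() == "incomplete" else hw
    return table

def parse_leases(text):
    # A lease line is any line that starts with a dotted-quad address.
    return {m.group(1) for line in text.splitlines() if (m := LEASE_LINE.match(line))}

def summarize(arp_text, dhcp_text, network):
    net = ipaddress.ip_network(network)
    leases = parse_leases(dhcp_text)
    incomplete = sorted((ip for ip, mac in parse_arp(arp_text).items()
                         if mac is None and ipaddress.ip_address(ip) in net),
                        key=ipaddress.ip_address)
    return {
        "leased": sorted(leases),
        "incomplete": incomplete,
        # A leased address that does not answer ARP is a client to check on.
        "incomplete_but_leased": [ip for ip in incomplete if ip in leases],
        "probed_fraction": len(incomplete) / len(list(net.hosts())),
    }

if __name__ == "__main__":
    print(summarize(ARP_OUTPUT, DHCP_OUTPUT, "203.0.113.176/29"))
```

On the sample, none of the Incomplete addresses has a lease, which matches the thread's conclusion: they are placeholders for traffic sent to unused addresses, not addresses DHCP handed out.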