network connectivity issue with arp table having thousands of entries

Elito Haylett
Level 1

I have an issue happening in my network that at first we thought was a wireless problem, because we were receiving a lot of MAC flapping due to roaming clients, which we thought affected the network, but upon further investigation it is happening to both wired and wireless clients. I'm connected to the network via Ethernet, and when I tried to browse certain sites they timed out, and other sites were responsive but slow loading. Some devices at times can't connect to the network because they don't get an IP address. To get the network to be responsive again I have to issue a clear arp command. I tried to debug ARP on the router to see if any messages would be displayed, but there were none. I checked the interfaces the APs and clients are connected to for errors and there were none. The CPU utilization on the Cisco ISR4431 router didn't even exceed User and System 10%. After I cleared the ARP cache, a few seconds later every site that I couldn't browse to before started loading without any problems.

In the wireless forum this was posted by one of the Wireless VIPs as possible things to look at, so I'm in desperate need of help because it does impact my network.

> "it affects both wired and wireless clients"
Then it's not a wireless problem - it's a switching or routing problem.
> "I was able to check the arp cache prior to and after and there were entries in the table"
And what were those entries?

The fact that it can affect some destinations and not others is downright weird because ARP cache should only be relevant to local devices, nothing beyond the next hop. Some ideas on possible problems - pure guesswork at this point because we don't have any real detail to work with:
- Person in the middle type attack - some device is redirecting traffic via another node on the network - hair-pinning the traffic - by hijacking the ARP entries, potentially for the router (default gateway) IP
- Proxy ARP enabled by mistake with a bad routing design resulting in your ARP cache trying to create an entry for every device on the internet - that would explain why clearing the ARP cache temporarily helps
- If your DHCP or devices have the wrong default gateway configured, resulting in ICMP redirects to the correct gateway, then your devices could start filling up with /32 routes to every IP on the internet.

Here's a truncated list of devices in the ARP table. There are thousands of these entries, and it shows devices outside of my network and beyond my next-hop gateway.

ECH-ISR4431-138#show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 1.34.163.232 1 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 2.57.121.229 28 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 2.180.35.216 67 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.0.126 168 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.1.2 218 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.1.162 131 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.2.123 37 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.2.176 191 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.2.202 163 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.2.216 94 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.3.139 71 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Protocol Address Age (min) Hardware Addr Type Interface
Internet 3.5.3.161 0 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.3.185 43 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.3.211 28 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.3.216 254 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.6.101 79 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.6.112 101 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.6.130 241 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.6.143 136 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.6.160 121 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.7.133 88 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.7.170 181 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Protocol Address Age (min) Hardware Addr Type Interface
Internet 3.5.7.203 36 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.8.19 25 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.8.106 254 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.8.160 133 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.9.11 166 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.9.134 140 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.9.171 254 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.10.138 192 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.10.150 97 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.10.151 144 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.10.180 118 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Protocol Address Age (min) Hardware Addr Type Interface
Internet 3.5.10.193 155 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.11.119 220 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.11.134 13 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.11.146 141 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.11.149 156 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.11.194 254 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.11.199 4 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.11.201 13 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.11.226 5 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.16.12 145 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.16.103 187 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Protocol Address Age (min) Hardware Addr Type Interface
Internet 3.5.16.172 82 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.17.165 139 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.17.221 208 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.19.141 44 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.20.19 12 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.20.205 108 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.20.215 126 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.21.122 109 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.21.148 27 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.21.183 169 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.21.204 45 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Protocol Address Age (min) Hardware Addr Type Interface
Internet 3.5.25.20 63 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.25.42 2 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.25.47 30 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.25.92 87 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.25.105 198 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.25.110 13 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.25.114 120 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.25.116 2 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.25.139 58 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.25.187 14 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.25.204 147 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Protocol Address Age (min) Hardware Addr Type Interface
Internet 3.5.25.205 254 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.25.229 224 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.25.231 200 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.25.242 153 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.27.104 170 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.27.119 38 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.27.135 91 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.27.141 190 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.27.142 129 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.27.156 126 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.27.163 100 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Protocol Address Age (min) Hardware Addr Type Interface
Internet 3.5.27.182 111 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.27.196 233 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.28.18 1 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.28.23 173 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.28.101 53 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.28.132 213 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.28.139 2 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.28.154 196 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.28.157 138 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.28.162 205 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.28.164 130 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2



This only started happening since upgrading from an ISR2921 to the ISR4335 and then the ISR4435. All I did was copy the config over from the previous 2921 to the upgraded devices....

Sanitized version of the config:

ECH-ISR4431-138#show runn
Building configuration...

Current configuration : 21034 bytes
!
! Last configuration change at 12:05:29 est Tue May 23 2023 by ehaylett
! NVRAM config last updated at 19:07:54 est Mon May 15 2023 by ehaylett
!
version 17.9
service timestamps debug datetime msec
service timestamps log datetime localtime
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware throughput level 1000000
!
hostname ECH-ISR4431-138
!
boot-start-marker
boot system bootflash:isr4400-universalk9.17.09.02a.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered informational
logging console informational
aaa new-model
!
!
aaa authentication login default local
aaa authorization console
aaa authorization exec default local
!
!
aaa session-id common
clock timezone est -4 0
clock calendar-valid
!
!
!
!
ip nbar http-services
!
!
!
!
!
ip name-server 68.237.161.12 71.250.0.12
ip ddns update method dyndns
HTTP
add http://xxxxxxxxx@members.dyndns.org/nic/updatesystem=dyndns&hostname=<h>&myip=<a>
interval maximum 0 0 5 0
!
ip dhcp excluded-address 172.168.100.0 172.168.100.24
ip dhcp excluded-address 172.168.120.0 172.168.120.1
!
ip dhcp pool ECH-NET-100
network 172.168.100.0 255.255.255.0
default-router 172.168.100.1
dns-server 68.237.161.12 71.250.0.12
lease 3
!
ip dhcp pool ECH-VOICE-NET-120
network 172.168.120.0 255.255.255.0
lease infinite
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
crypto pki trustpoint TP-self-signed-3693526534
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3693526534
revocation-check none
rsakeypair TP-self-signed-3693526534
!
!
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
quit
crypto pki certificate chain TP-self-signed-3693526534
certificate self-signed 01
quit
!
!
!
!
!
!
!
!
!
!
voice-card 0/4
no watchdog
!
license feature hseck9
license udi pid ISR4431/K9 sn xxxxxxxxx
license boot level uck9
license boot level securityk9
memory free low-watermark processor 62760
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
enable secret 9 $14$z3Ao$N5UHHEg.eKsgXE$Lg1fr1pDklFcA00lLhYq1TmsdRyd765ki14ofSUpiMs
!
username xxxxxxx privilege 15 password 7 xxxxxxxxxxxx
username webui privilege 15 password 7 xxxxxxxxxxxxxx
!
redundancy
mode none
!
!
!
crypto ikev2 keyring ECH-ISR4431-138
peer ECH-ISR4331-138
address 162.84.130.90
pre-shared-key local xxxxx
pre-shared-key remote xxxxx
!
!
!
crypto ikev2 profile ECH-ISR4431-138_Profile
match identity remote address 162.84.130.90 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local xxxxxxxxx
!
!
!
vlan internal allocation policy ascending
!
!
class-map match-all WEBUI-MULTIMEDIA_CONFERENCING-DSCP
match dscp af41
class-map match-all WEBUI-BROADCAST_VIDEO-NBAR
match protocol attribute traffic-class broadcast-video
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-VOICE-NBAR
match protocol attribute traffic-class voip-telephony
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-BULK_DATA-NBAR
match protocol attribute traffic-class bulk-data
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-SIGNALING-NBAR
match protocol attribute traffic-class signaling
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-NETWORK_CONTROL-DSCP
match dscp cs6
class-map match-all WEBUI-SCAVENGER-NBAR
match protocol attribute business-relevance business-irrelevant
class-map match-all WEBUI-SCAVENGER-DSCP
match dscp cs1
class-map match-all WEBUI-NETWORK_CONTROL-NBAR
match protocol attribute traffic-class network-control
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-SIGNALING-DSCP
match dscp cs3
class-map match-all WEBUI-BULK_DATA-DSCP
match dscp af11
class-map match-all WEBUI-BROADCAST_VIDEO-DSCP
match dscp cs5
class-map match-all WEBUI-MULTIMEDIA_CONFERENCING-NBAR
match protocol attribute traffic-class multimedia-conferencing
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-VOICE-DSCP
match dscp ef
class-map match-all WEBUI-NETWORK_MANAGEMENT-NBAR
match protocol attribute traffic-class ops-admin-mgmt
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-MULTIMEDIA_STREAMING-DSCP
match dscp af31
class-map match-all WEBUI-REALTIME_INTERACTIVE-NBAR
match protocol attribute traffic-class real-time-interactive
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-TRANSACTIONAL_DATA-DSCP
match dscp af21
class-map match-all WEBUI-REALTIME_INTERACTIVE-DSCP
match dscp cs4
class-map match-all WEBUI-TRANSACTIONAL_DATA-NBAR
match protocol attribute traffic-class transactional-data
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-NETWORK_MANAGEMENT-DSCP
match dscp cs2
class-map match-all WEBUI-MULTIMEDIA_STREAMING-NBAR
match protocol attribute traffic-class multimedia-streaming
match protocol attribute business-relevance business-relevant
class-map type inspect match-any Web_app
match protocol tcp
match protocol udp
match protocol ftp
match protocol icmp
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
!
policy-map WEBUI-MARKING-IN
class WEBUI-VOICE-NBAR
set dscp ef
class WEBUI-BROADCAST_VIDEO-NBAR
set dscp cs5
class WEBUI-REALTIME_INTERACTIVE-NBAR
set dscp cs4
class WEBUI-MULTIMEDIA_CONFERENCING-NBAR
set dscp af41
class WEBUI-MULTIMEDIA_STREAMING-NBAR
set dscp af31
class WEBUI-SIGNALING-NBAR
set dscp cs3
class WEBUI-NETWORK_CONTROL-NBAR
set dscp cs6
class WEBUI-NETWORK_MANAGEMENT-NBAR
set dscp cs2
class WEBUI-TRANSACTIONAL_DATA-NBAR
set dscp af21
class WEBUI-BULK_DATA-NBAR
set dscp af11
class WEBUI-SCAVENGER-NBAR
set dscp cs1
class class-default
set dscp default
policy-map WEBUI-QUEUING-OUT
class WEBUI-VOICE-DSCP
priority percent 10
class WEBUI-BROADCAST_VIDEO-DSCP
priority percent 10
class WEBUI-REALTIME_INTERACTIVE-DSCP
priority percent 13
class WEBUI-NETWORK_CONTROL-DSCP
bandwidth percent 2
class WEBUI-SIGNALING-DSCP
bandwidth percent 2
class WEBUI-NETWORK_MANAGEMENT-DSCP
bandwidth percent 3
class WEBUI-MULTIMEDIA_CONFERENCING-DSCP
bandwidth percent 10
fair-queue
random-detect dscp-based
class WEBUI-MULTIMEDIA_STREAMING-DSCP
bandwidth percent 10
fair-queue
random-detect dscp-based
class WEBUI-TRANSACTIONAL_DATA-DSCP
bandwidth percent 10
fair-queue
random-detect dscp-based
class WEBUI-BULK_DATA-DSCP
bandwidth percent 4
fair-queue
random-detect dscp-based
class WEBUI-SCAVENGER-DSCP
bandwidth percent 1
class class-default
bandwidth percent 25
fair-queue
random-detect dscp-based
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect Web
inspect
class class-default
drop log
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encryption aes
hash sha256
authentication pre-share
group 5
crypto isakmp key xxxxxxxxxxx address 108.58.36.170
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set ECH esp-aes esp-sha256-hmac
mode tunnel
crypto ipsec transform-set ECH-ISR4431-138 esp-aes 256 esp-sha512-hmac
mode tunnel
crypto ipsec df-bit clear
!
!
!
crypto map CMAP 1 ipsec-isakmp
set peer 108.58.36.170
set transform-set ECH
set pfs group5
match address VPN-TRAFFIC
!
crypto map ECH-ISR4431-138 1 ipsec-isakmp
set peer 162.84.130.90
set transform-set ECH-ISR4431-138
set ikev2-profile ECH-ISR4431-138_Profile
match address VPN-TRAFFIC
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
no ip address
shutdown
media-type rj45
negotiation auto
service-policy output WEBUI-QUEUING-OUT
!
interface GigabitEthernet0/0/1
no ip address
shutdown
media-type rj45
negotiation auto
service-policy output WEBUI-QUEUING-OUT
!
interface GigabitEthernet0/0/2
description WAN Outside
ip address dhcp
ip nbar protocol-discovery
ip nat outside
media-type rj45
negotiation auto
crypto map CMAP
service-policy input WEBUI-MARKING-IN
service-policy output WEBUI-QUEUING-OUT
!
interface GigabitEthernet0/0/3
no ip address
shutdown
media-type rj45
negotiation auto
service-policy output WEBUI-QUEUING-OUT
!
interface GigabitEthernet0/1/0
description ECH-CAT3560C-138
switchport trunk native vlan 100
switchport mode trunk
!
interface GigabitEthernet0/1/1
description ECH-CAP1852I-138A
switchport trunk native vlan 100
switchport mode trunk
!
interface GigabitEthernet0/1/2
description ECH-CAP1852I-138B
switchport trunk native vlan 100
switchport mode trunk
!
interface GigabitEthernet0/1/3
description ECH-CAP1815I-138C
switchport trunk native vlan 100
switchport mode trunk
!
interface GigabitEthernet0/1/4
description ECH-CAP1815I-138D
switchport trunk native vlan 100
switchport mode trunk
!
interface GigabitEthernet0/1/5
description ECH-CAP1815I-138xx
switchport access vlan 100
switchport trunk native vlan 100
switchport mode access
!
interface GigabitEthernet0/1/6
description Lutron Wireless Gateway
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet0/1/7
description Verizon FIOS Set Top Box Gateway
switchport access vlan 140
switchport mode access
!
interface GigabitEthernet0/2/0
switchport access vlan 100
switchport trunk native vlan 100
spanning-tree portfast
!
interface GigabitEthernet0/2/1
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/2/2
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/2/3
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/2/4
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/2/5
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/2/6
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/2/7
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet0/3/0
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/3/1
shutdown
!
interface GigabitEthernet0/3/2
shutdown
!
interface GigabitEthernet0/3/3
shutdown
!
interface GigabitEthernet0/3/4
shutdown
!
interface GigabitEthernet0/3/5
shutdown
!
interface GigabitEthernet0/3/6
shutdown
!
interface GigabitEthernet0/3/7
shutdown
!
interface Service-Engine0/4/0
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
interface Vlan100
description ECH-NET-100 (Main Network)
ip address 172.168.100.1 255.255.255.0
ip nat inside
!
interface Vlan110
description ECH-NET-110 (Family Network)
ip dhcp relay source-interface Vlan110
ip address 172.168.110.1 255.255.255.0
ip nat inside
!
interface Vlan120
description ECH-VOICE-NET (Voice Network)
ip dhcp relay source-interface Vlan120
ip address 172.168.120.1 255.255.255.0
ip nat inside
!
interface Vlan138
description ECH-GUEST-NET (Guest Network)
ip dhcp relay source-interface Vlan138
ip address 172.168.138.1 255.255.255.0
ip nat inside
!
interface Vlan140
description ECH-NET-140 (Devices Network)
ip dhcp relay source-interface Vlan140
ip address 172.168.140.1 255.255.255.0
ip nat inside
!
interface Vlan150
description ECH-VPN-NET (AnyConnect VPN Network)
ip dhcp relay source-interface Vlan150
ip address 172.168.150.1 255.255.255.0
ip nat inside
!
ip http server
ip http authentication local
ip http secure-server
ip forward-protocol nd
ip tftp source-interface Vlan100
ip nat inside source route-map NAT_RMAP_1 interface GigabitEthernet0/0/2 overload
ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/2 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/2
!
!
ip access-list extended ECH_GUEST
10 remark Deny Guest VLAN138 access to other VLANs
10 deny ip any 172.168.100.0 0.0.0.255
20 deny ip any 172.168.101.0 0.0.0.255
30 deny ip any 172.168.102.0 0.0.0.255
40 deny ip any 172.168.103.0 0.0.0.255
50 deny ip any 172.168.110.0 0.0.0.255
60 deny ip any 172.168.120.0 0.0.0.255
70 deny ip any 172.168.140.0 0.0.0.255
80 deny ip any 172.168.150.0 0.0.0.255
90 permit ip any any
ip access-list extended NAT-ACL
10 deny ip any 172.168.140.0 0.0.0.255
ip access-list extended VPN-TRAFFIC
10 remark Site to Site VPN
10 permit ip 172.168.100.0 0.0.0.255 172.168.101.0 0.0.0.255
20 permit ip 172.168.100.0 0.0.0.255 172.168.102.0 0.0.0.255
30 permit ip 172.168.100.0 0.0.0.255 172.168.103.0 0.0.0.255
ip access-list extended Web_acl
10 permit ip any any
!
logging host 172.168.100.4
ip access-list extended 100
10 remark NAT_ACL
10 remark IPSec_Rule
10 deny ip 172.168.100.0 0.0.0.255 172.168.101.0 0.0.0.255
20 deny ip 172.168.100.0 0.0.0.255 172.168.102.0 0.0.0.255
30 deny ip any host 172.168.100.161
40 deny ip any host 172.168.100.162
50 deny ip any host 172.168.100.163
60 deny ip any host 172.168.100.164
70 deny ip any host 172.168.100.165
80 deny ip any host 172.168.100.166
90 deny ip any host 172.168.100.167
100 deny ip any host 172.168.100.168
110 deny ip any host 172.168.100.169
120 deny ip any host 172.168.100.170
130 permit ip 10.1.10.0 0.0.0.3 any
140 permit ip 172.168.100.0 0.0.0.255 any
150 permit ip 172.168.110.0 0.0.0.255 any
160 permit ip 172.168.120.0 0.0.0.255 any
170 permit ip 172.168.138.0 0.0.0.255 any
180 permit ip 172.168.140.0 0.0.0.255 any
190 permit ip 172.168.150.0 0.0.0.255 any
ip access-list extended 109
10 remark IPSec Rule
10 deny ip 172.168.100.0 0.0.0.255 172.168.110.0 0.0.0.255
20 deny ip 172.168.100.0 0.0.0.255 172.168.103.0 0.0.0.255
30 deny ip 172.168.100.0 0.0.0.255 172.168.102.0 0.0.0.255
40 deny ip 172.168.100.0 0.0.0.255 172.168.101.0 0.0.0.255
50 deny ip any 172.168.150.0 0.0.0.255
60 remark NAT Rule
60 permit ip 172.168.100.0 0.0.0.255 any
70 permit ip 172.168.110.0 0.0.0.255 any
80 permit ip 172.168.120.0 0.0.0.255 any
90 permit ip 172.168.138.0 0.0.0.255 any
100 permit ip 172.168.140.0 0.0.0.255 any
110 permit ip 172.168.150.0 0.0.0.255 any
!
route-map track-primary-if permit 1
match ip address 197
set interface GigabitEthernet0/0/2
!
route-map NAT_RMAP_1 permit 1
match ip address 100
match interface GigabitEthernet0/0/2
!
!
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
banner login ^CUnauthorized Access To This Device is Prohibited And Will Be Punishable By The Full Extent Of The Law^C
!
line con 0
stopbits 1
line aux 0
line vty 0 4
length 0
transport input ssh
line vty 5 14
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
ntp server ip time-a-wwv.nist.gov prefer source GigabitEthernet0/0/2
ntp server ip time-d-g.nist.gov source GigabitEthernet0/0/2
ntp server ip time-a-g.nist.gov source GigabitEthernet0/0/2
ntp server ip time-b-g.nist.gov source GigabitEthernet0/0/2
ntp server ip time-c-g.nist.gov source GigabitEthernet0/0/2
!
!
!
!
!
event manager applet noshut_port
event timer cron cron-entry "0 7 * * *"
action 010 cli command "enable"
action 020 cli command "config t"
action 030 cli command "interface Vlan110"
action 040 cli command "no shut"
action 050 cli command "end"
action 060 syslog msg "interface Vlan110 has been restored"
event manager applet ClearArp-0
event timer cron cron-entry "0 7 * * *"
action 010 cli command "clear arp"
action 020 syslog msg "Clear Arp Command Issued"
event manager applet ClearArp-1
event timer cron cron-entry "0 18 * * *"
action 010 cli command "clear arp"
action 020 syslog msg "Clear Arp Command Issued"
event manager applet shutdown_port
event timer cron cron-entry "30 2 * * *"
action 010 cli command "enable"
action 020 cli command "config t"
action 030 cli command "interface Vlan110"
action 040 cli command "shut"
action 050 cli command "end"
action 060 syslog msg "interface Vlan110 has been shutdown"


!
end

2 Accepted Solutions


Hello
Your issue suggests it's possibly due to your manual default static route. At present the router is ARPing for every IP address residing off your WAN interface; you need to prevent this from occurring.



no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/2
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/2 dhcp

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
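
The symptom the accepted answer describes (a default route that names only the exit interface, so the router ARPs for every remote destination) can be confirmed from the ARP table itself: the cache fills with addresses that are not on any connected subnet, all resolving to one MAC on the WAN interface. The following is an added example, not code from the thread's participants or from Cisco. The sample input is constructed in the posted `show arp` format, and 198.51.100.0/24 is an assumed stand-in for the DHCP-assigned WAN subnet, which the thread does not show.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the `show arp` format posted in this thread. The 1.34.163.232
# and 3.5.x.x rows and the MAC f01c.2d8c.f6ce appear in the thread; other rows are made up.
SAMPLE_SHOW_ARP = """\
Protocol Address Age (min) Hardware Addr Type Interface
Internet 1.34.163.232 1 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.0.126 168 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.1.2 218 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 198.51.100.1 0 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 198.51.100.37 - 0011.2233.4455 ARPA GigabitEthernet0/0/2
Internet 172.168.100.1 - 0011.2233.4456 ARPA Vlan100
Internet 172.168.100.25 12 a0b1.c2d3.e4f5 ARPA Vlan100
Internet 172.168.100.77 0 Incomplete ARPA
"""

# Assumption: 198.51.100.0/24 (documentation range) stands in for the WAN subnet.
# 172.168.100.0/24 is the Vlan100 subnet from the posted configuration.
CONNECTED = {
    "GigabitEthernet0/0/2": [ipaddress.ip_network("198.51.100.0/24")],
    "Vlan100": [ipaddress.ip_network("172.168.100.0/24")],
}

ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>\S+)\s+ARPA(?:\s+(?P<iface>\S+))?\s*$"
)
MAC = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.IGNORECASE)


def parse_show_arp(text):
    """Return resolved ARP entries; repeated page headers and Incomplete rows are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ARP_LINE.match(raw.strip())
        if not m or not MAC.match(m["mac"]) or not m["iface"]:
            continue
        entries.append({
            "ip": ipaddress.ip_address(m["ip"]),
            "mac": m["mac"].lower(),
            "iface": m["iface"],
            "local": m["age"] == "-",  # "-" marks the router's own or static entries
        })
    return entries


def find_offlink(entries, connected):
    """Entries whose IP is outside every subnet configured on the entry's interface."""
    offlink = []
    for entry in entries:
        nets = connected.get(entry["iface"])
        if nets is None:
            continue  # interface not described, so nothing can be concluded
        if not any(entry["ip"] in net for net in nets):
            offlink.append(entry)
    return offlink


def summarize(offlink, min_count=1):
    """Count off-link entries per (interface, MAC); one MAC with many is the warning sign."""
    counts = Counter((e["iface"], e["mac"]) for e in offlink)
    return {key: n for key, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    parsed = parse_show_arp(SAMPLE_SHOW_ARP)
    suspicious = find_offlink(parsed, CONNECTED)
    for (iface, mac), n in summarize(suspicious).items():
        print(f"{iface}: {n} off-link ARP entries resolve to {mac}")
```

A non-zero count on the WAN interface after the route change means something is still being treated as directly connected; on a healthy router only the gateway and on-subnet neighbours should appear there.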


Hello Paul,

I did modify the config to reflect the second line....

thanks...

ECH


22 Replies

Elito Haylett
Level 1

This is the topic of discussion in the Wireless Forum:

Mac Flapping in a Cisco Mobility Express Network

https://community.cisco.com/t5/wireless/mac-flapping-in-a-cisco-mobility-express-network/m-p/4840302#M256133

Elito Haylett
Level 1

This is the ARP table on one of our other devices at a branch site:

ECH-2911-138#sho arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 108.58.36.169 0 b068.e6fe.4f43 ARPA GigabitEthernet0/0
Internet 108.58.36.170 - bc16.652c.5e98 ARPA GigabitEthernet0/0
Internet 172.168.102.1 - bc16.652c.5e9b ARPA BVI2
Internet 172.168.102.2 0 ccdb.9389.3728 ARPA BVI2
Internet 172.168.102.3 0 380e.4df4.14a8 ARPA BVI2
Internet 172.168.102.4 0 380e.4df4.25d0 ARPA BVI2
Internet 172.168.102.6 0 0000.5e00.0101 ARPA BVI2
Internet 172.168.102.10 170 f000.00ab.9471 ARPA BVI2
Internet 172.168.102.12 62 000c.2913.a156 ARPA BVI2
Internet 172.168.102.13 0 0021.2972.8813 ARPA BVI2
Internet 172.168.103.1 - 0000.0c50.55a8 ARPA BVI3
Internet 172.168.103.34 22 6295.68a5.dc37 ARPA BVI3
Internet 172.168.103.52 0 22bc.af73.c536 ARPA BVI3
Internet 172.168.103.53 5 00d2.b1bf.739a ARPA BVI3
Internet 172.168.103.54 0 e070.ea6d.c0f0 ARPA BVI3
Internet 172.168.104.1 - 0000.0c50.5724 ARPA BVI4
Internet 172.168.104.60 258 1a44.78ea.3067 ARPA BVI4
Internet 172.168.104.62 260 b40e.deb7.f1c9 ARPA BVI4
Internet 172.168.104.64 141 3c22.fb41.a59c ARPA BVI4
Internet 172.168.104.65 3 169c.2165.becc ARPA BVI4

I think it relates to NAT.
Check whether the IPs that appear in the ARP table appear in the IP NAT translations.

Hi

  ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/2

I don't like this way to set up the default route. Can't you use the IP address of your gateway?

You have two route maps, but one of them tries to match an access list, 197, that does not exist on the router. Remove the route-map, or create an ACL 197 and permit ip any any and test.

route-map track-primary-if permit 1
match ip address 197
set interface GigabitEthernet0/0/2
!
route-map NAT_RMAP_1 permit 1
match ip address 100
match interface GigabitEthernet0/0/2

 

Hi Flavio,

Thanks for the quick reply. The reason the ip route is set that way is because the IP address from the provider is DHCP and we use dynamic DNS. I can definitely remove the route map for 197.

Thanks

 

Yes, you use DHCP but your ISP does not. If you run show ip arp on the router, you can see the IP address of your gateway and then set up your default route to that IP address. The IP address of the ISP will not change.

 

This is the show arp output, and it continues to other pages. Where can I get the ISP address?

ECH-ISR4431-138#sho arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 3.5.0.173 31 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.3.216 19 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.6.134 12 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.8.173 29 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.11.105 20 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.19.138 0 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.20.195 23 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.20.216 8 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.21.110 26 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.27.147 29 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.27.150 24 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Protocol Address Age (min) Hardware Addr Type Interface
Internet 3.5.28.118 33 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.28.177 19 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.28.197 3 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.28.246 4 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.29.54 8 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.29.123 1 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.29.171 14 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.5.29.226 6 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.13.73.151 5 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.17.231.182 35 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.33.220.150 32 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Protocol Address Age (min) Hardware Addr Type Interface
Internet 3.82.72.31 4 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.129.29.114 5 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.132.137.144 3 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.136.24.40 5 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.137.131.186 3 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.140.18.238 16 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.142.102.102 3 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.144.50.134 35 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.144.50.151 15 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.144.50.153 21 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.211.174.17 25 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Protocol Address Age (min) Hardware Addr Type Interface
Internet 3.212.249.142 25 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.215.224.52 29 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.216.211.54 4 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.218.26.117 21 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.220.58.77 36 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.220.103.150 17 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.221.213.189 16 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.222.92.225 5 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.222.157.144 36 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.224.29.28 5 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.224.130.34 16 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Protocol Address Age (min) Hardware Addr Type Interface
Internet 3.225.173.193 17 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.228.62.117 32 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.229.200.198 5 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.231.143.17 4 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.231.143.24 26 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.232.22.131 5 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 3.233.22.131 0 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 5.161.213.25 2 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 8.8.4.4 8 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 8.8.8.8 35 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 8.18.45.140 32 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Protocol Address Age (min) Hardware Addr Type Interface
Internet 8.28.7.81 17 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 8.28.7.82 17 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 8.43.72.97 17 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 8.43.72.116 17 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 8.209.240.183 7 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 8.240.53.122 16 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 8.240.54.122 16 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 8.240.143.122 16 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 10.1.1.1 22 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.33.60.13 33 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.33.60.69 5 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Protocol Address Age (min) Hardware Addr Type Interface
Internet 13.33.60.79 34 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.33.60.112 5 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.35.93.9 15 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.35.93.13 31 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.35.93.19 36 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.35.93.81 31 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.35.93.101 23 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.35.93.111 24 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.68.233.9 9 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.86.221.30 36 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.89.178.26 25 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Protocol Address Age (min) Hardware Addr Type Interface
Internet 13.107.4.50 5 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.107.4.52 34 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.107.6.158 27 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.107.6.163 26 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.107.21.200 35 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.107.21.239 7 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.107.42.14 29 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.107.136.8 10 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.110.24.2 16 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.110.24.13 28 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.225.63.10 22 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Protocol Address Age (min) Hardware Addr Type Interface
Internet 13.225.63.15 5 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.225.63.35 22 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.225.63.39 5 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.225.63.43 22 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.225.63.49 22 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.225.63.69 5 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.225.63.128 25 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.225.66.34 22 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.225.66.110 22 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.225.66.185 22 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.225.66.221 22 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Protocol Address Age (min) Hardware Addr Type Interface
Internet 13.225.210.52 22 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.225.210.182 22 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.225.214.106 10 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.225.214.129 28 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.225.223.56 5 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.225.223.62 36 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.225.223.117 5 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.225.223.129 5 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.226.34.34 22 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.226.34.40 5 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.226.34.80 33 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
--More--

it worked... wow... you're great with your knowledge. Now I only have the routes for my network in the arp table....

ECH-ISR4431-138#show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 98.113.183.1 1 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 98.113.183.177 - e00e.da48.8ff2 ARPA GigabitEthernet0/0/2
Internet 172.168.100.1 - e00e.da48.9054 ARPA Vlan100
Internet 172.168.100.2 0 c4b9.cdee.3340 ARPA Vlan100
Internet 172.168.100.3 0 f01d.2de2.86e8 ARPA Vlan100
Internet 172.168.100.4 0 1866.da4e.e23a ARPA Vlan100
Internet 172.168.100.5 0 1cd1.e0fd.2ab8 ARPA Vlan100
Internet 172.168.100.6 0 0000.5e00.0101 ARPA Vlan100
Internet 172.168.100.7 51 d050.99f8.12f8 ARPA Vlan100
Internet 172.168.100.9 0 1cd1.e0fc.3928 ARPA Vlan100
Internet 172.168.100.10 51 000c.2911.50ef ARPA Vlan100
Internet 172.168.100.11 51 000c.2913.a155 ARPA Vlan100
Internet 172.168.100.12 51 c4b3.6abe.4344 ARPA Vlan100
Internet 172.168.100.13 0 0026.3a45.20ae ARPA Vlan100
Internet 172.168.100.14 0 f000.00ab.a9c4 ARPA Vlan100
Internet 172.168.100.18 51 000c.2911.50ee ARPA Vlan100
Internet 172.168.100.20 9 d485.6440.8ca2 ARPA Vlan100
Internet 172.168.100.21 51 1060.4b19.29e8 ARPA Vlan100
Internet 172.168.100.28 0 a81b.6afc.d4a2 ARPA Vlan100
Internet 172.168.100.29 1 fcfc.4888.2b39 ARPA Vlan100
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.168.100.30 1 a288.c712.3f89 ARPA Vlan100
Internet 172.168.100.31 0 4afd.f354.34aa ARPA Vlan100
Internet 172.168.100.35 0 549f.3509.8234 ARPA Vlan100
Internet 172.168.100.43 2 d050.99f5.575b ARPA Vlan100
Internet 172.168.100.129 2 8c70.5aff.9758 ARPA Vlan100
Internet 172.168.110.1 - e00e.da48.9054 ARPA Vlan110
Internet 172.168.110.6 9 2816.ad45.8a44 ARPA Vlan110
Internet 172.168.110.7 1 925d.400d.0123 ARPA Vlan110
Internet 172.168.110.10 1 b252.664d.1a87 ARPA Vlan110
Internet 172.168.110.13 0 2c54.91aa.fa1c ARPA Vlan110
Internet 172.168.110.14 13 c869.cd8b.4288 ARPA Vlan110
Internet 172.168.110.16 0 b0be.834a.6e92 ARPA Vlan110
Internet 172.168.120.1 - e00e.da48.9054 ARPA Vlan120
Internet 172.168.138.1 - e00e.da48.9054 ARPA Vlan138
Internet 172.168.138.59 20 b28d.ce53.60e4 ARPA Vlan138
Internet 172.168.140.1 - e00e.da48.9054 ARPA Vlan140
Internet 172.168.140.37 51 b82c.a062.38b7 ARPA Vlan140
Internet 172.168.140.41 1 948f.cf28.ccdf ARPA Vlan140
Internet 172.168.140.81 0 cc75.e2a9.5e3a ARPA Vlan140
Internet 172.168.140.82 3 fcae.3471.9154 ARPA Vlan140
Internet 172.168.140.83 0 948f.cfc2.5c65 ARPA Vlan140
Internet 172.168.140.84 0 948f.cf30.5aa5 ARPA Vlan140
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.168.140.85 1 948f.cf30.5aa0 ARPA Vlan140
Internet 172.168.140.87 6 cc75.e232.5eb0 ARPA Vlan140
Internet 172.168.140.88 0 8c61.a3a5.870c ARPA Vlan140
Internet 172.168.140.107 0 40ca.63c6.47dc ARPA Vlan140
Internet 172.168.140.145 0 948f.cf3a.3444 ARPA Vlan140
Internet 172.168.140.183 14 18b4.30ed.4576 ARPA Vlan140
Internet 172.168.140.198 11 18b4.30ed.190c ARPA Vlan140
Internet 172.168.140.200 11 6416.66d0.d030 ARPA Vlan140
Internet 172.168.140.231 12 6416.66cb.6be5 ARPA Vlan140
Internet 172.168.150.1 - e00e.da48.9054 ARPA Vlan150

I understand what you're saying... here are the 2 addresses, mine and the default gateway:
Internet 98.113.183.1 1 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 98.113.183.177

I'll configure it now to see what happens

Thanks.....

Did you get this from show ip arp?

Both show arp and show ip arp.

I'll test for a few days and if all goes well I'll mark it as "Accept Solution".

Thank you very much

Great.

Hi Flavio,

providing an update after several days of stability in the network. I changed the command to

ip route to 0.0.0.0 0.0.0.0 dhcp

and the external macs did not reappear and only the interfaces and clients in the network are still in the arp table. There are no more complaints or issues with network outages or browsing so again thank you very much.....

Regards,

Elito
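The symptom in this thread, many internet addresses on GigabitEthernet0/0/2 all resolving to the one MAC f01c.2d8c.f6ce, can be checked for automatically. The following is an added example, not code from any poster or from Cisco: it parses `show arp` text and flags any MAC that answers for many learned addresses outside the interface's connected prefixes. The sample rows are a constructed excerpt, and the /24 masks, the `CONNECTED` map and the threshold are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt in the layout of the `show arp` output in this thread.
SAMPLE = """\
Protocol Address Age (min) Hardware Addr Type Interface
Internet 3.5.0.173 31 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 8.8.8.8 35 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 10.1.1.1 22 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 13.107.4.50 5 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 98.113.183.1 1 f01c.2d8c.f6ce ARPA GigabitEthernet0/0/2
Internet 98.113.183.177 - e00e.da48.8ff2 ARPA GigabitEthernet0/0/2
Internet 172.168.100.1 - e00e.da48.9054 ARPA Vlan100
Internet 172.168.100.2 0 c4b9.cdee.3340 ARPA Vlan100
--More--
"""

# Assumption: prefix lengths are not shown in the thread; /24 is a guess.
CONNECTED = {
    "GigabitEthernet0/0/2": ["98.113.183.0/24"],
    "Vlan100": ["172.168.100.0/24"],
}

ROW = re.compile(
    r"^Internet\s+(\S+)\s+(\S+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})"
    r"\s+ARPA\s+(\S+)\s*$", re.IGNORECASE)

def parse_arp(text):
    """Return (ip, age, mac, interface) rows; headers and --More-- are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((ipaddress.ip_address(m.group(1)), m.group(2),
                         m.group(3).lower(), m.group(4)))
    return rows

def off_subnet_macs(rows, connected, threshold=3):
    """Flag (interface, mac, count): one MAC, many learned off-subnet IPs."""
    hits = defaultdict(set)
    for ip, age, mac, iface in rows:
        if age == "-":  # the router's own address, not a learned entry
            continue
        nets = [ipaddress.ip_network(p) for p in connected.get(iface, [])]
        if not any(ip in n for n in nets):
            hits[(iface, mac)].add(ip)
    return sorted((i, m, len(ips)) for (i, m), ips in hits.items()
                  if len(ips) >= threshold)
```

A hit only says that one device is answering ARP for addresses that are not on the local segment; identify the owner of that MAC and check how the default route is defined before treating it as spoofing.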
