2 Identical Mac addresses in ARP Table

mutley-ab
Level 1

Hi,

I am trying to identify a port that has a particular IP attached to it. I am using 5 x Cisco c3750X in a stack. The device responds to Ping, but I am unable to identify it via HTTP, Telnet etc...

A sh arp command returns...

 

Internet 10.1.1.241   0     0000.5e00.0101 ARPA Vlan1
Internet 10.1.1.242   0     9818.8874.0a4c ARPA Vlan1
Internet 10.1.1.252   131 643e.8cf1.3715 ARPA Vlan1
Internet 10.1.1.253   0     1051.72f8.2804 ARPA Vlan1
Internet 10.1.1.254   0     0000.5e00.0101 ARPA Vlan1

 

The rogue IP is 10.1.1.241 with a MAC address of 0000.5e00.0101. Unfortunately there is another IP address with the same MAC, 10.1.1.254.

10.1.1.254 is a known VRRP address.

If I issue a sh mac address-table address 0000.5e00.0101, the switch only returns one result:

Vlan   Mac Address        Type           Ports
---- -----------          --------    -----
1       0000.5e00.0101   DYNAMIC   Gi2/0/48
Total Mac Addresses for this criterion: 1

The returned result is for the known VRRP MAC address.

My question is: how can I identify the port the second MAC is connected to?

Many Thanks

Andrew

7 Replies

pieterh
VIP

I'm not sure I understand your question.

VRRP is a redundancy protocol, so it is by design that multiple devices participate in this VRRP.
Over Ethernet, VRRP routers use a common MAC address -> it need not be a rogue device, just the other VRRP member.

Do "show CDP neighbors" to see if Gi2/0/48 is connected to another switch,

then use the same commands to follow the MAC address.

Hi,

Gi2/0/48 is connected to our router. The router is advertising the VRRP address, which is correct.

The problem I have is there is another VRRP address 0000.5e00.0101 associated with IP address 10.1.1.241.

It is this MAC / IP that I am trying to locate and find the port it is attached to.

Vlan 1, 10.1.1.0/24 only exists on this switch stack, so I assume the device is connected to one of the ports. It is a stack of 5 x 48p switches.

Andrew

This document describes why you cannot connect to that address.

By default, the master VRRP router drops the packets addressed directly to the virtual IP address because the VRRP master is only intended as a next-hop router to forward packets.

 

If your only components are the switch and the router,

then it may be the switch/stack itself that is the other VRRP member? That could explain why you cannot find a physical port.

Try "show ip interface brief" on the stack to see if the IP address resides there.

Hi,

 

The switch is not a VRRP member.

Are you implying that the sh mac address-table address 0000.5e00.0101 command would have returned 2 interfaces if that MAC was present on two different interfaces?

I was assuming that it was only returning the first as it would not expect duplicate MACs on different ports.

Thanks

Andrew

Cristian Matei
VIP Alumni

Hi,

 

Based on the MAC address "0000.5e00.0101", it means you run VRRP group number 1, in VLAN 1 based on the provided output. The fact that you have 2 ARP entries, 2 different IP addresses resolving to the same virtual MAC address, means one of the following:

- you have configured both a primary VIP and secondary VIP for group 1, namely 10.1.1.241 and 10.1.1.254

- you have misconfigured VRRP, and each VRRP group member uses a different VIP, namely 10.1.1.241 and 10.1.1.254

If one of the IPs does not reply to ping, in general it means that the VIP is the same as the IP address configured at the interface level. The easy way to identify those MACs' location would be to know which devices run VRRP and to which ports they are connected. Otherwise you can hunt hop-by-hop by looking up the MAC address and the port through which it is reachable, or you could use the layer 2 traceroute feature.

 

Regards,

Cristian Matei.
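
Added example, not part of the thread: a Python sketch of the check described in the reply above, grouping "sh arp" rows by MAC and decoding the VRRP group from the 0000.5e00.01XX virtual MAC. The function names are hypothetical; the sample rows are the ones quoted in the first post.

```python
import re
from collections import defaultdict

# Rows copied from the "sh arp" output quoted in the first post.
SHOW_ARP = """\
Internet 10.1.1.241   0     0000.5e00.0101 ARPA Vlan1
Internet 10.1.1.242   0     9818.8874.0a4c ARPA Vlan1
Internet 10.1.1.252   131 643e.8cf1.3715 ARPA Vlan1
Internet 10.1.1.253   0     1051.72f8.2804 ARPA Vlan1
Internet 10.1.1.254   0     0000.5e00.0101 ARPA Vlan1
"""

# Protocol, IP, age ("-" for local entries), MAC, encapsulation, interface.
ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(?P<intf>\S+)",
    re.IGNORECASE,
)

def vrrp_group(mac):
    """Return the VRID if mac is an IPv4 VRRP virtual MAC (00-00-5E-00-01-XX), else None."""
    digits = mac.replace(".", "").lower()
    if digits.startswith("00005e0001"):
        return int(digits[10:], 16)
    return None

def shared_macs(show_arp_text):
    """Map (interface, mac) -> sorted IPs, keeping only MACs that resolve for more than one IP."""
    seen = defaultdict(list)
    for line in show_arp_text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            seen[(m["intf"], m["mac"].lower())].append(m["ip"])
    return {key: sorted(ips) for key, ips in seen.items() if len(ips) > 1}

def report(show_arp_text):
    """One line per shared MAC, noting whether it is a VRRP virtual MAC and for which group."""
    rows = []
    for (intf, mac), ips in sorted(shared_macs(show_arp_text).items()):
        vrid = vrrp_group(mac)
        kind = f"VRRP virtual MAC, group {vrid}" if vrid is not None else "not a VRRP virtual MAC"
        rows.append(f"{intf} {mac} <- {', '.join(ips)} ({kind})")
    return rows

if __name__ == "__main__":
    print("\n".join(report(SHOW_ARP)))
```

A shared MAC that decodes to a VRRP group points at the two causes listed in the reply (secondary VIP or mismatched VIPs); a shared MAC that does not decode is a different problem, such as proxy ARP or a duplicated address.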

Hi,

 

That's the problem; I suspect someone has configured another VRRP connected to the switch.

Both 10.1.1.254 (known VRRP on Gi2/0/48) and 10.1.1.241 (unknown VRRP) ping.

I have no idea how to find the port the unknown VRRP address is connected to. The one that resolves to 10.1.1.241.

 

Andrew

 

Hi,

 

Use the layer 2 traceroute feature (the link is above in my other post), or go switch-by-switch with "show mac address-table address" to discover the port and "show cdp neighbors" to identify what other switch is connected to that port, connect to that other switch and so on.

 

Regards,

Cristian Matei.