08-25-2016 04:51 AM - edited 03-08-2019 07:08 AM
Hi Folks,
I've been looking at this on one of our network switches; it seems that something is scanning the network looking for IP addresses, and effectively I have the below for every unused IP.
Internet 10.172.84.101 0 Incomplete ARPA
Internet 10.172.84.102 0 Incomplete ARPA
Internet 10.172.84.103 0 Incomplete ARPA
Internet 10.172.84.104 0 Incomplete ARPA
Internet 10.172.84.105 0 Incomplete ARPA
Internet 10.172.84.106 0 Incomplete ARPA
Internet 10.172.84.107 0 Incomplete ARPA
Internet 10.172.84.108 0 Incomplete ARPA
Internet 10.172.84.109 0 Incomplete ARPA
Internet 10.172.84.110 0 Incomplete ARPA
Internet 10.172.84.111 0 Incomplete ARPA
Internet 10.172.84.112 0 Incomplete ARPA
Internet 10.172.84.113 0 Incomplete ARPA
Internet 10.172.84.114 0 Incomplete ARPA
Internet 10.172.84.115 0 Incomplete ARPA
If I clear the arp-cache the entries come back after a few minutes.
We have a few VLANs on the switch and they are all the same. First thoughts are a virus on one of the PCs, so I ran Wireshark; however, the source IP (for this instance) is in fact the VLAN interface! 10.172.82.2-vlan40.
interface Vlan40
description SERVER-PRINTER
ip address 10.172.84.2 255.255.255.128
ip helper-address xxxx
standby 40 ip 10.172.84.1
standby 40 priority 150
standby 40 preempt
end
Anyone got any ideas? Not sure why an SVI would be scanning in such a manner; an ARP broadcast shouldn't be going between subnets, so I don't suspect anything on another subnet but rather the switch.
We are using PRIME and I thought that might be trying to collect data, but this isn't the case.
many thanks,
Chris.
08-25-2016 05:00 AM
Could you please try to disable proxy-arp on the VLAN interface and monitor.
int vlan 40
no ip proxy-arp
!
08-25-2016 06:05 AM
Hi Pawan,
Still the same.
Internet 10.172.84.88 0 Incomplete ARPA
Internet 10.172.84.89 0 Incomplete ARPA
Internet 10.172.84.90 0 Incomplete ARPA
Internet 10.172.84.91 0 Incomplete ARPA
Internet 10.172.84.92 0 Incomplete ARPA
Internet 10.172.84.93 0 Incomplete ARPA
Internet 10.172.84.94 0 Incomplete ARPA
50SPIT-CAT-01#sh run inte vlan 40
Building configuration...
Current configuration : 212 bytes
!
interface Vlan40
description SERVER-PRINTER
ip address 10.172.84.2 255.255.255.128
ip helper-address xxxx
no ip proxy-arp
standby 40 ip 10.172.84.1
standby 40 priority 150
standby 40 preempt
However, after a little read on IP proxy-arp, I need to point out that the VLANs affected by this do not have a DHCP scope on the ip helper-address xxxx (devices in these subnets are using static). Related?
09-05-2016 02:46 AM
Hi Chris
My thoughts about this. A packet that arrives at the router from anywhere and is destined for a host in VLAN 40: if that host isn't in the ARP table, the router itself will do the ARP request. That explains why you see VLAN 40 as the source of the packet.
You will have to find where the original packet arrived that triggered this ARP request.
One way of doing it is to create an access-list, grab one of the addresses and log the result, as an example:
access-list 100 permit ip any host 10.172.84.100 log-input
access-list 100 permit ip any any
int < one at a time, or all except vlan 40 >
ip access-group 100 in
and then look in the log to see.
/Mikael
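To show how the log-input approach above turns into an answer, here is an added example that is not from this thread or from any of the posters. It assumes the access-list has been widened to log packets to the whole VLAN 40 subnet (10.172.84.0/25) rather than one probe address, and it feeds on constructed syslog lines whose shape is modelled on the IOS %SEC-6-IPACCESSLOGP / %SEC-6-IPACCESSLOGDP messages that log-input produces (real output may differ in timestamps and spacing). It groups the hits by source IP, ingress interface and source MAC, flags any source that has touched several distinct addresses in the subnet, and cross-checks the logged destinations against the Incomplete entries from show ip arp so the routed packets that explain the SVI-sourced ARP requests can be tied together.

```python
"""Find who is sweeping a subnet behind a routed SVI, from "log-input" ACL hits.

Added example, not code from the thread. The ACL is assumed to have been
widened to the whole VLAN 40 subnet (10.172.84.0/25); the sample data below
is constructed for this example.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed "show ip arp" excerpt, shaped like the entries in the thread.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.172.84.100           0   Incomplete      ARPA
Internet  10.172.84.101           0   Incomplete      ARPA
Internet  10.172.84.102           0   Incomplete      ARPA
Internet  10.172.84.103           0   Incomplete      ARPA
Internet  10.172.84.5             3   0099.8877.6655  ARPA   Vlan40
"""

# Constructed syslog lines modelled on the IOS %SEC-6-IPACCESSLOGP (tcp/udp)
# and %SEC-6-IPACCESSLOGDP (icmp) messages; hosts, MACs and VLANs are made up.
SAMPLE_LOG = """\
Sep  5 10:01:02.111: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.172.90.15(51234) (Vlan50 0011.2233.4455) -> 10.172.84.100(445), 1 packet
Sep  5 10:01:02.233: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.172.90.15(51235) (Vlan50 0011.2233.4455) -> 10.172.84.101(445), 1 packet
Sep  5 10:01:02.355: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.172.90.15(51236) (Vlan50 0011.2233.4455) -> 10.172.84.102(445), 1 packet
Sep  5 10:01:03.001: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 10.172.91.7 (Vlan60 00aa.bbcc.ddee) -> 10.172.84.103 (8/0), 1 packet
Sep  5 10:01:09.500: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.172.92.30(40000) (Vlan70 0055.6677.8899) -> 10.172.84.5(80), 3 packets
"""

# "Internet <ip> <age> Incomplete ..." lines; the age column is skipped as \S+.
ARP_INCOMPLETE_RE = re.compile(
    r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+\S+\s+Incomplete\b", re.M
)

# log-input adds "(<ingress interface> <source MAC>)" after the source address;
# tcp/udp carry a "(port)" suffix on the address, icmp does not.
LOG_INPUT_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))? "
    r"\((?P<iface>\S+) (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)"
)


def parse_arp_incomplete(text):
    """Return the set of addresses the router is still trying to resolve."""
    return set(ARP_INCOMPLETE_RE.findall(text))


def parse_log_input(text):
    """Parse log-input hits into dicts with src, iface, mac, dst, proto, action."""
    records = []
    for line in text.splitlines():
        m = LOG_INPUT_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def sweep_sources(records, target_net, min_targets=3):
    """Group hits by (src, iface, mac); keep sources that reached at least
    min_targets distinct addresses inside target_net, most targets first."""
    net = ipaddress.ip_network(target_net)
    targets = defaultdict(set)
    for r in records:
        if ipaddress.ip_address(r["dst"]) in net:
            targets[(r["src"], r["iface"], r["mac"])].add(r["dst"])
    hits = [(src, iface, mac, len(d))
            for (src, iface, mac), d in targets.items() if len(d) >= min_targets]
    return sorted(hits, key=lambda h: -h[3])


def correlate(records, arp_text):
    """Logged destinations that are also Incomplete in the ARP table: the routed
    packets that made the SVI send the ARP requests seen in the thread."""
    incomplete = parse_arp_incomplete(arp_text)
    return sorted({r["dst"] for r in records if r["dst"] in incomplete})


if __name__ == "__main__":
    recs = parse_log_input(SAMPLE_LOG)
    for src, iface, mac, n in sweep_sources(recs, "10.172.84.0/25"):
        print(f"{src} via {iface} ({mac}) probed {n} addresses in 10.172.84.0/25")
    print("logged destinations still Incomplete in ARP:", correlate(recs, SAMPLE_ARP))
```

In use you would paste the real show ip arp output and the syslog lines (from the buffer or the syslog server) in place of the constructed samples; the interface and MAC reported by log-input point straight at the switch port or VLAN the packets entered on, which is what the poster needs to find the host behind the sweep.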
09-06-2016 11:27 AM
You can configure ARP inspection
Check this link