Incomplete ARPA on switch 2960x

Chris McCann · ‎08-25-2016

Hi Folks,

Been looking at this on one of our network switches, it seems that something is scanning the network looking for IP addresses and effectively I have the below for every unused IP.

Internet 10.172.84.101           0   Incomplete      ARPA
Internet 10.172.84.102           0   Incomplete      ARPA
Internet 10.172.84.103           0   Incomplete      ARPA
Internet 10.172.84.104           0   Incomplete      ARPA
Internet 10.172.84.105           0   Incomplete      ARPA
Internet 10.172.84.106           0   Incomplete      ARPA
Internet 10.172.84.107           0   Incomplete      ARPA
Internet 10.172.84.108           0   Incomplete      ARPA
Internet 10.172.84.109           0   Incomplete      ARPA
Internet 10.172.84.110           0   Incomplete      ARPA
Internet 10.172.84.111           0   Incomplete      ARPA
Internet 10.172.84.112           0   Incomplete      ARPA
Internet 10.172.84.113           0   Incomplete      ARPA
Internet 10.172.84.114           0   Incomplete      ARPA
Internet 10.172.84.115           0   Incomplete      ARPA

If I clear the arp-cache the entries come back after a few minutes.

We have a few vlans on the switch and they are all the same. First thoughts are a virus on one of the PCs, so I ran wireshark, however the scource IP is (for this instance) is in fact the VLAN interface ! 10.172.82.2-vlan40.

interface Vlan40
description SERVER-PRINTER
ip address 10.172.84.2 255.255.255.128
ip helper-address xxxx
standby 40 ip 10.172.84.1
standby 40 priority 150
standby 40 preempt
end

Anyone got any ideas, not sure why a svi would be scanning in such a manner, an arp broadcast shouldnt be going between subnets so I dont suspect anything on another subnet but rather the switch.

We are using PRIME and I thought that might be trying to collect data but this isnt the case.

many thanks,

Chris.

Pawan Raut · ‎08-25-2016

Could you please try to disable proxy-arp on vlan interface and monitor.

int vlan 40

no ip proxy-arp

!

Chris McCann · ‎08-25-2016

Hi Pawan,

Still the same.

Internet 10.172.84.88            0   Incomplete      ARPA
Internet 10.172.84.89            0   Incomplete      ARPA
Internet 10.172.84.90            0   Incomplete      ARPA
Internet 10.172.84.91            0   Incomplete      ARPA
Internet 10.172.84.92            0   Incomplete      ARPA
Internet 10.172.84.93            0   Incomplete      ARPA
Internet 10.172.84.94            0   Incomplete      ARPA

50SPIT-CAT-01#sh run inte vlan 40
Building configuration...

Current configuration : 212 bytes
!
interface Vlan40
description SERVER-PRINTER
ip address 10.172.84.2 255.255.255.128
ip helper-address xxxx
no ip proxy-arp
standby 40 ip 10.172.84.1
standby 40 priority 150
standby 40 preempt

However after a little read on IP Proxy-arp need to point out that the VLANS effected by this do not have a DHCP scope on the ip helper-address xxxx (devices in these subnets are using static). Related ?

mlund · ‎09-05-2016

Hi Chris

My thoughts about this. A packet that is arrived to the router from anywhere, and is destined to a host in vl 40, if this host isn't in the arp table, the router itself will do the arp request. That explains why You see vl40 as the source of the packet.

You will have to find where the original packet is arrived that is triggered this arp request.

One way of doing it is to create an access-list an grab one of addresses and log the result, as an example

access-list 100 permit ip any host 10.172.84.100 log-input

access-list 100 permit ip any any

int < one at the time or all except vla 40>

ip access-group 100 in

and then look in the log to see

/Mikael

dmuinoorallo · ‎09-06-2016

You can configure ARP inspection

Check this link

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/dynarp.html