Seeing IP addess in ARP table dispite interface shut down

Hi,

Can Any one tell me why I would see an IP address in the ARP table that is in a subnet to which the device has no active ports (Cisco Switch running IOS 15.x)?

Protocol  Address          Age (min)  Hardware Addr   Type   InterfaceInternet  10.44.45.99          1   0050.5683.61ce  ARPA   Vlan1
Internet  172.20.255.1            0   4403.a754.8300  ARPA   Vlan666
Internet  172.20.255.6            -   7010.5c73.9a41  ARPA   Vlan666
Internet  172.20.255.28         165   b4e9.b04c.8141  ARPA   Vlan666
Internet  172.20.255.254         10   20fd.f14b.af81  ARPA   Vlan666

Switch#sh ru int vlan 1Building configuration...


Current configuration : 48 bytes
!
interface Vlan1
 no ip address
 shutdown
end

I can understand if the interface is up but with out an IP address, but in this case it is shutdown?

Cheers

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

FloOz

If my memory serves me correctly but isn't the arp cache expiration time something like 4 hours long? Try clearing your arp table and I am sure it won't be there anymore.

DevilWAH

I clears this friday night and port has been shut down ever since. was there again this morning

FloOz

I'm slightly confused. Your showing that vlan 1 is shutdown but your arp entries show vlan 666

CodeBlox

DevilWAH wrote: »
Hi,

Can Any one tell me why I would see an IP address in the ARP table that is in a subnet to which the device has no active ports (Cisco Switch running IOS 15.x)?
Protocol  Address          Age (min)  Hardware Addr   Type   Interface

[B]Internet  10.44.45.99          1   0050.5683.61ce  ARPA   Vlan1[/B]
Internet  172.20.255.1            0   4403.a754.8300  ARPA   Vlan666
Internet  172.20.255.6            -   7010.5c73.9a41  ARPA   Vlan666
Internet  172.20.255.28         165   b4e9.b04c.8141  ARPA   Vlan666
Internet  172.20.255.254         10   20fd.f14b.af81  ARPA   Vlan666
Switch#sh ru int vlan 1Building configuration...


Current configuration : 48 bytes
!
interface Vlan1
 no ip address
 shutdown
end
I can understand if the interface is up but with out an IP address, but in this case it is shutdown?

Cheers

FloOz,

There is indeed an entry for VLAN one, the format of his post was just broken. As for why it's there, I'm not so sure. Does this IP belong to the interface itself? I take it that it doesn't looking at the config you posted. I'm not sure if the rules of ARP say that something wouldn't be added to ARP cache if said interface was shutdown. What has that IP address anyway? It could be something that is gratuitously ARPing. You could probably put another workstation in VLAN1 and do a wireshark sniff to see if that is the case.

DevilWAH

sorry didn't realise the formatting got mucked up, cheers for fixing it.

the IP address that appears is that of a config back up appliance that log in to download the configs.

mayhem87

what is the IP address you use to log into the switch? Wondering since your seeing the arp if you might have an IP on that switch in that subnet.

DevilWAH

The workstation is in the same range as the 10.44.49.99 one. But as I said the 10.44.49.99 the only IP address on the switch and active vlan is under vlan 666 which is

172.20.255.6

the default gateway is

172.20.255.254

what happens is that while the ARP entry is not there they switch can talk to the server on 10.44.45.99, however when it getws added the switch can no longer talk to the server. This is as I would expect as it thinks the server is on a local subnet but there is no interface configured.

This also seems to happen randomly, other switchs with the same config (i use config templates) are OK, although I have seen this happen on 3 different switches so far. Its not a big issue as if I get alerted a backup config has failed I can get the management tools to send a clear arp and retry. Some times week goes past with out it happening and then it will occur out of the blue.

networker050184

Hmm sounds odd. Have you opened a TAC case? Might be a bug in your code.

DevilWAH

I mentioned it to our support company (or more one of there CCIE engineers I know quite well). he has a copy of all the logs and is talking to CISCO as a favor. If it gets an issue I will raise a case but of on holiday in a few days so not going to get in to it to much right now.

These interfaces are in a shut down state and have been since the day it was built. however I am right in thinking that even if there where enabled unless they have an IP address assigned they should not pick up ARP entries as they would have no way of knowing what subnet an interface is in?

Strangle enough the two switches that did have the interface in vlan 1 up but with out an IP address assign have never had this issue

DevilWAH

Well after getting clear last night that IP address is back again

, so have raised a case to see what is what.