[c-nsp] [Forum] show arp hardware type INCOMPLETE

[Andy Furnell]

> Hi all,
>
> All of our box at that specific lan get the network connection lost
> and we get a lot of entries in the arp table in the routers, just like
> you posted at that forum.... Soes anyone know's a solution for this
> problem?
>
> Thanks in advance.
>
> Luis Tiani
>
> P.S.: We've got this arp table:
>
> Protocol  Address          Age (min)  Hardware Addr   Type   Interface
> Internet  10.30.0.40              0   Incomplete      ARPA
> Internet  10.30.1.40              0   Incomplete      ARPA
> Internet  10.30.0.41              0   Incomplete      ARPA

<snip>

The unresolved entries in your ARP table (probably) mean that your
router is receiving traffic for the 10.30.0.x and 10.30.1.x IPs on
another interface. The hosts don't exist, so the ARP never resolves
and your hw-addr shows as 'Incomplete'.

Try applying an access-list inbound on your other (non-10.30.0/23)
interfaces with a log-input statement to determine exactly where this
traffic is coming from. Something along the lines of..

access-list 101 permit ip any host 10.30.0.40 log-input
access-list 101 permit ip any any

(apply with caution, as access-lists (especially those with log
commands) will stress the CPU on your router.)

This will create a log entry for every packet received with a
destination IP address of 10.30.0.40 and tell you which interface that
packet was received on, and any relevant layer 2 source information
about the sender (MAC address, etc).

If you do have a compromised machine on your network these steps
should help you track it down without having to resort to unplugging
NICs.

Andy