[c-nsp] [Forum] show arp hardware type INCOMPLETE
Andy Furnell
andy.furnell at gmail.com
Fri Jan 6 10:11:49 EST 2006
> Hi all,
>
> All of our box at that specific lan get the network connection lost
> and we get a lot of entries in the arp table in the routers, just like
> you posted at that forum.... Soes anyone know's a solution for this
> problem?
>
> Thanks in advance.
>
> Luis Tiani
>
> P.S.: We've got this arp table:
>
> Protocol Address Age (min) Hardware Addr Type Interface
> Internet 10.30.0.40 0 Incomplete ARPA
> Internet 10.30.1.40 0 Incomplete ARPA
> Internet 10.30.0.41 0 Incomplete ARPA
<snip>
The unresolved entries in your ARP table (probably) mean that your
router is receiving traffic for the 10.30.0.x and 10.30.1.x IPs on
another interface. The hosts don't exist, so the ARP never resolves
and your hw-addr shows as 'Incomplete'.
Try applying an access-list inbound on your other (non-10.30.0/23)
interfaces with a log-input statement to determine exactly where this
traffic is coming from. Something along the lines of..
access-list 101 permit ip any host 10.30.0.40 log-input
access-list 101 permit ip any any
(apply with caution, as access-lists (especially those with log
commands) will stress the CPU on your router.)
This will create a log entry for every packet received with a
destination IP address of 10.30.0.40 and tell you which interface that
packet was received on, and any relevant layer 2 source information
about the sender (MAC address, etc).
If you do have a compromised machine on your network these steps
should help you track it down without having to resort to unplugging
NICs.
Andy
More information about the cisco-nsp
mailing list