[c-nsp] Proxy-arp on ASA 5520 running 7.2

Joseph Jackson JJackson at aninetworks.com
Thu Jul 13 20:49:16 EDT 2006


All,

I am seeing some odd ARP entries in show arp on our ASA. The addresses of the three switches that are used as the DMZ switches are being shown on all interfaces in show arp. These switches all have the same VLANs (3 VLANs for the 3 DMZs) and are trunked together. I had to reset one of the switches' uplink ports today, and when I tried to access the switch by SSH I got a timeout. I remote desktopped to a machine that is local to the switches' subnet and was able to access it. I just happened to be running a syslog on another monitor next to me that was collecting for the ASA. When I tried to SSH to the switch it would show a deny being done on an interface that isn't in the subnet that the switch's IP is in. Thinking that was odd, I logged into the ASA and did a show arp and noticed that all the switches were being shown as on all 3 interfaces. I've been looking at cisco.com and I only see articles about proxy-ARP on the ASA when they are talking about DNS inspection.
Anyone heard of or seen this before?

Here's a snip from the show arp:

show arp
inside 172.17.3.250 0012.f201.5b40
ark-dmz 172.17.3.250 0012.f201.5b40
ark-web 172.17.3.250 0012.f201.5b40

The inside interface is the one in the same subnet as that switch's IP address.



Thanks

Joseph
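A quick way to check for the pattern described in the post, as an added example that is not part of the original message: parse the show arp output and flag any IP/MAC pair that is listed on more than one interface, or that falls outside the subnet of the interface it was learned on. The sample text is the three lines quoted above plus one constructed, normal-looking entry; the subnets for ark-dmz and ark-web are assumptions made for the example (only inside being the 172.17.3.x subnet is supported by the post). The regex also tolerates a trailing age column, which later ASA releases print.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the three lines quoted in the post plus one
# made-up entry that should NOT be flagged.
SAMPLE_SHOW_ARP = """\
show arp
inside 172.17.3.250 0012.f201.5b40
ark-dmz 172.17.3.250 0012.f201.5b40
ark-web 172.17.3.250 0012.f201.5b40
ark-web 172.17.5.20 0012.f201.9999
"""

# Assumed interface subnets for the example. Only "inside" is supported
# by the post; the two DMZ subnets are placeholders.
INTERFACE_SUBNETS = {
    "inside": ipaddress.ip_network("172.17.3.0/24"),
    "ark-dmz": ipaddress.ip_network("172.17.4.0/24"),
    "ark-web": ipaddress.ip_network("172.17.5.0/24"),
}

# interface, dotted-quad IP, Cisco-style MAC (xxxx.xxxx.xxxx); anything
# after the MAC (e.g. an age column) is ignored.
ARP_LINE = re.compile(
    r"^\s*(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
)


def parse_show_arp(text):
    """Return a list of (interface, ip_address, mac) tuples in output order."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue  # headers, prompts, blank lines
        iface, ip, mac = m.groups()
        entries.append((iface, ipaddress.ip_address(ip), mac.lower()))
    return entries


def find_multi_interface_entries(entries):
    """Map (ip, mac) -> sorted list of interfaces, for pairs seen on >1 interface."""
    seen = defaultdict(set)
    for iface, ip, mac in entries:
        seen[(ip, mac)].add(iface)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def find_off_subnet_entries(entries, subnets):
    """Entries whose IP is outside the subnet configured on that interface."""
    return [
        (iface, str(ip), mac)
        for iface, ip, mac in entries
        if iface in subnets and ip not in subnets[iface]
    ]


def report(text, subnets=INTERFACE_SUBNETS):
    """Run both checks and return a summary dict."""
    entries = parse_show_arp(text)
    return {
        "entries": len(entries),
        "multi_interface": find_multi_interface_entries(entries),
        "off_subnet": find_off_subnet_entries(entries, subnets),
    }


if __name__ == "__main__":
    r = report(SAMPLE_SHOW_ARP)
    print(f"{r['entries']} ARP entries parsed")
    for (ip, mac), ifaces in r["multi_interface"].items():
        print(f"{ip} {mac} appears on {len(ifaces)} interfaces: {', '.join(ifaces)}")
    for iface, ip, mac in r["off_subnet"]:
        print(f"{iface}: {ip} ({mac}) is outside that interface's subnet")
```

Feed it the full `show arp` output (e.g. captured via SSH or from a saved session) rather than the snippet. Entries that appear on every interface with one MAC are worth comparing against the NAT configuration, since an ASA answers ARP on behalf of addresses it translates; proxy ARP can be turned off per interface with `sysopt noproxyarp <interface>`, but whether that is the right fix depends on what the flagged entries turn out to be.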


