[c-nsp] C2950G sh arp

Shaun mailinglists at unix-scripts.com
Thu Jun 8 20:03:03 EDT 2006


edge-138.12#sh mac-address-table | inc 0012.dada.0f42
   2    0012.dada.0f42    DYNAMIC     Fa0/1

The MAC points to the port that uplinks/trunks to the 3750.

The netmask on vlan2 is correct; I don't have an ip default-gateway set on
these, however.

~Shaun
----- Original Message ----- 
From: "Gert Doering" <gert at greenie.muc.de>
To: "Shaun" <mailinglists at unix-scripts.com>
Cc: "Gert Doering" <gert at greenie.muc.de>; <cisco-nsp at puck.nether.net>
Sent: Thursday, June 08, 2006 3:04 PM
Subject: Re: [c-nsp] C2950G sh arp


> Hi,
>
> On Thu, Jun 08, 2006 at 01:15:17PM -0700, Shaun wrote:
>> edge-138.12#sh arp | exc 204.10 | exc 204.15 | exc 208.67
>> Protocol  Address          Age (min)  Hardware Addr   Type   Interface
>> Internet  222.171.23.98         125   0012.dada.0f42  ARPA   Vlan2
>> Internet  202.65.141.6          115   0012.dada.0f42  ARPA   Vlan2
>> Internet  62.166.210.74          70   0012.dada.0f42  ARPA   Vlan2
>> Internet  204.10.115.181        222   0012.dada.0f42  ARPA   Vlan2
>
> The fact that all of them point to the *same* MAC address suggests that
> this device indeed has turned on proxy-arp.
>
> As for why ARP requests for these addresses are seen?  I'd guess that
> the netmask on your switch is set wrongly, and thus the switch isn't
> sending packets to its default gateway, but ARPing for the destinations
> (assuming on-lan connectivity) - and the reason for the switch sending
> packets at all is "portscans coming from those IPs, reply packets being
> sent".
>
> You really want to make sure that no packets "from the Internet" can ever
> reach your switches management IP addresses.
>
> gert
> -- 
> USENET is *not* the non-clickable part of WWW!
> 
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany 
> gert at greenie.muc.de
> fax: +49-89-35655025 
> gert at net.informatik.tu-muenchen.de
> 
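As an added example (not part of the thread), a small Python check over IOS `show arp` output that flags the two conditions Gert describes: several addresses resolving to one MAC (the proxy-ARP fingerprint) and ARP entries for addresses outside the SVI's own subnet (the wrong-mask / missing-gateway symptom). The sample output reuses the four lines from the thread plus one constructed neighbour; the Vlan2 address/mask is a placeholder, since the thread does not give it.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the four entries from the thread plus a made-up neighbour
# on a placeholder management subnet (192.0.2.0/24 is documentation space).
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  222.171.23.98         125   0012.dada.0f42  ARPA   Vlan2
Internet  202.65.141.6          115   0012.dada.0f42  ARPA   Vlan2
Internet  62.166.210.74          70   0012.dada.0f42  ARPA   Vlan2
Internet  204.10.115.181        222   0012.dada.0f42  ARPA   Vlan2
Internet  192.0.2.1               -   0000.0c07.ac02  ARPA   Vlan2
"""

# Placeholder address/mask configured on the SVI (constructed, not from the thread).
SVI_NETWORKS = {"Vlan2": ipaddress.ip_interface("192.0.2.10/24")}

ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(?P<intf>\S+)"
)


def parse_show_arp(text):
    """Return (ip, mac, interface) tuples from IOS 'show arp' output."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append((m["ip"], m["mac"], m["intf"]))
    return entries


def off_subnet_entries(entries, svi_networks):
    """Entries whose IP is outside the interface's configured subnet.
    A correctly masked switch with a default gateway never ARPs for these."""
    bad = []
    for ip, mac, intf in entries:
        net = svi_networks.get(intf)
        if net is not None and ipaddress.ip_address(ip) not in net.network:
            bad.append((ip, mac, intf))
    return bad


def shared_mac_entries(entries, min_ips=2):
    """MACs claimed by several IPs: the sign that some device is proxy-ARPing."""
    by_mac = defaultdict(set)
    for ip, mac, _ in entries:
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) >= min_ips}
```

Both checks firing on the same MAC, as in the thread, points at the uplink device answering ARP for everything while the switch ARPs for destinations it should be routing.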


