No ARP entries for VLAN X
I have a question about ARP. I have a number of VLANs configured on a 6500 switch; most of the VLANs' routing interfaces are also on the 6500. One of the VLANs uses a static route pointing to a remote router for the routing interface. My question is: ARP works fine for all VLANs that are routed locally by the 6500, but there are no ARP entries for VLAN X, which is routed remotely. I thought ARP was L2, not L3. If someone could clear this up for me it would be great. Thanks
If you have a route to another router on the same VLAN, then the 6500 will ignore any incoming ARP requests for IP addresses on the VLAN except its own address.
I presume that the hosts on the VLAN have been configured with the other router as default gateway. In that case, the traffic from that VLAN would never go near the 6500.
However, if a host did send a packet to the 6500 destined for an address that is off the VLAN, then the 6500 would forward it in the normal way. It would then depend whether you have ICMP re-directs enabled on that VLAN interface. If you do not, then the 6500 would have no reason to put the host in its ARP cache. But if you have ICMP re-directs enabled, then the 6500 would have to ARP to find the MAC address of the host in order to send its ICMP re-direct.
In fact, the 6500 will only make an ARP table entry if it has a packet to send to the host, either because it has to forward a packet that came from outside VLAN, or because it needs to send an ICMP re-direct to the host to tell it to use the other router.
Does that make sense?
Kevin Dorrell
Luxembourg
Similar Messages
-
Static Arp Entry for Exchange 2010
Hello All,
I was hoping someone could assist with an issue that our Exchange team are having, specifically with replication traffic traversing our DC to DR site.
The infrastructure consists of a Layer 3 data centre and a disaster recovery site, so essentially it's a live/backup environment. Both the DC and DR site are connected with a LES using routed interfaces.
The Exchange cluster at the DC is associated with the following subnets:
MAPI - 10.1.30.X
Replication: 10.1.230.X
The DR site has the following subnets associated with the Exchange cluster:
MAPI - 192.168.4.X
Replication - 192.168.230.X
When an attempt is made to create a database/mailbox on an exchange server at the DC and copy it using the replication subnet source: 10.1.230.X to destination subnet: 192.168.230.X, the copy process fails.
Replication traffic in general going from DC to DR or vice-versa is subject to constant problems and seems unreliable. Our exchange team have to manually copy mailboxes from one cluster to the other using Windows explorer which works fine.
The Exchange cluster at both sites reside within a VMWare ESX enclosure and connect to Cisco 6500 switches. Would the Cisco switches require a static arp entry for their respective Exchange clusters, which should be configured on each switch? If this was missing could this be the root cause of the replication problems we're experiencing? Or does this depend on whether the exchange cluster is using NLB Unicast or Multicast mode?
Any assistance would be most appreciated.
Regards,
Jamie
Jamie,
Have a look at this link:-
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080a07203.shtml
It depends on how the team NLB is set up.
You may need static mac & static arp as well as disabling igmp snooping if multicasting is being used.
Regards,
Alex.
Please rate useful posts. -
Slow ARP response for dial-in clients
I’ve been experiencing an intermittent issue with remote PC’s connecting to a Cisco AS5350 Universal Gateway - basically, a RAS server.
The issue, as far as I’ve been able to pinpoint, seems to be related to the amount of time it takes the dial-in client to register an ARP entry on the local network where the RAS server and other servers are connected. If I start an extended ping to one of the servers on the local network (not to the RAS server) once my dial-up connection has been established, I typically see anywhere between 3 and 18 ICMP request timeouts before I start receiving replies. And if at the same time I start an extended ping to the IP address of the RAS server, ICMP replies are received immediately with no request timeouts.
Topology:
Dial-in Client <===> AS5350 RAS <===> L2 Switch <===> Server
192.168.240.131 240.5 240.1 240.21
The switch that the AS5350 and the servers are connected to is a WS-C2960G-8TC-L layer-2 switch with a very basic config. Basically the only thing I’ve changed during the course of my troubleshooting is the STP mode, STP forward time and to enable STP portfast on the uplinks to the AS5350 and the server… see configuration below:
Current configuration : 2721 bytes
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname Switch
boot-start-marker
boot-end-marker
no aaa new-model
system mtu routing 1500
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 1 forward-time 5
vlan internal allocation policy ascending
interface GigabitEthernet0/1
description Uplink to Server
spanning-tree portfast
interface GigabitEthernet0/2
description Uplink to CLE-AS5350 RAS
speed 100
duplex full
spanning-tree portfast
interface GigabitEthernet0/3
interface GigabitEthernet0/4
interface GigabitEthernet0/5
interface GigabitEthernet0/6
interface GigabitEthernet0/7
interface GigabitEthernet0/8
interface Vlan1
ip address 192.168.240.1 255.255.255.0
ip http server
ip http secure-server
line con 0
exec-timeout 0 0
logging synchronous
line vty 0 4
login
line vty 5 15
login
end
For troubleshooting, I enabled “debug arp” on the switch and attempted a dial-up connection to the AS5350. Once the call was established and I received a DHCP lease (192.168.240.131), I started an extended ping to a server (192.168.240.21) on the network… see below:
Host Details:
192.168.240.1 (b4e9.b006.9e40) = Vlan1 on L2 switch.
192.168.240.21 (5cf9.dd48.76dd) = Server.
192.168.240.5 (000d.280c.fe1b) = Cisco AS5350 RAS server.
192.168.240.131 (0000.0000.0000) = PPP dial-in client on RAS server.
000292: *Mar 1 00:21:22.819 UTC: IP ARP: creating incomplete entry for IP address: 192.168.240.131 interface Vlan1
000293: *Mar 1 00:21:22.819 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000298: *Mar 1 00:21:27.013 UTC: IP ARP: rcvd req src 192.168.240.21 5cf9.dd48.76dd, dst 192.168.240.131 Vlan1
000299: *Mar 1 00:21:27.441 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000306: *Mar 1 00:21:32.441 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000314: *Mar 1 00:21:37.449 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000323: *Mar 1 00:21:42.440 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000329: *Mar 1 00:21:47.440 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000334: *Mar 1 00:21:52.439 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000344: *Mar 1 00:21:57.447 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000350: *Mar 1 00:22:02.447 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000358: *Mar 1 00:22:07.430 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000364: *Mar 1 00:22:12.438 UTC: IP ARP: creating incomplete entry for IP address: 192.168.240.131 interface Vlan1
000365: *Mar 1 00:22:12.438 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40,dst 192.168.240.131 0000.0000.0000 Vlan1
000372: *Mar 1 00:22:17.437 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000373: *Mar 1 00:22:17.446 UTC: IP ARP: rcvd rep src 192.168.240.131 000d.280c.fe1b, dst 192.168.240.1 Vlan1
The first line of the debug shows the switch creating an “incomplete entry” for the dial-in client (192.168.240.131).
For all subsequent ICMP requests, you can see that the dial-in client has a MAC address of 0000.0000.0000 – I guess you would call this an incomplete entry.
On the last line of the debug output, you can see that the dial-in client (192.168.240.131) finally gets the MAC address of the AS5350 (000d.280c.fe1b) assigned to it – this is when we start getting ICMP replies.
So during this capture, there were 12 ICMP request timeouts before the dial-in client started receiving replies.
Below is the current config on my Cisco AS5350 RAS server:
Current configuration : 6741 bytes
version 12.3
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
hostname AS5350
boot-start-marker
no boot startup-test
boot-end-marker
logging buffered 2048000 debugging
enable secret 5 *********************
resource-pool disable
calltracker enable
spe country usa
spe call-record modem
spe default-firmware spe-firmware-1
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHEN none
aaa authentication enable default group tacacs+ enable
aaa authentication ppp dialin if-needed local
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local none
aaa authorization commands 1 default group tacacs+ local none
aaa authorization commands 15 default group tacacs+ local none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa session-id common
ip subnet-zero
ip cef
ip dhcp excluded-address 192.168.240.1 192.168.240.127
ip dhcp excluded-address 192.168.240.150 192.168.240.254
ip dhcp pool LOCAL
network 192.168.240.0 255.255.255.0
default-router 192.168.240.1
lease 0 1
ip ssh time-out 10
ip ssh version 2
isdn switch-type primary-4ess
fax interface-type fax-mail
controller T1 3/0
shutdown
controller T1 3/1
framing esf
linecode b8zs
pri-group timeslots 1-24
description PRI on Copper
no crypto isakmp ccm
interface FastEthernet0/0
no ip address
shutdown
interface FastEthernet0/1
description Uplink to Switch – Gi0/2
ip address 192.168.240.5 255.255.255.0
duplex full
speed 100
interface Serial0/0
no ip address
shutdown
interface Serial0/1
no ip address
shutdown
interface Serial3/0:23
no ip address
shutdown
interface Serial3/1:23
description PRI on Copper
no ip address
encapsulation ppp
dialer rotary-group 2
dialer-group 2
isdn switch-type primary-4ess
isdn incoming-voice modem
isdn T306 60000
fair-queue
no cdp enable
interface Dialer2
ip unnumbered FastEthernet0/1
encapsulation ppp
dialer in-band
dialer idle-timeout 0
dialer-group 2
peer default ip address dhcp-pool LOCAL
fair-queue
no cdp enable
ppp authentication chap pap callin
ppp multilink
interface Group-Async0
no ip address
no group-range
interface Group-Async1
description Dial-up PRI modem lines
ip unnumbered FastEthernet0/1
encapsulation ppp
dialer in-band
dialer idle-timeout 0
async mode interactive
peer default ip address dhcp-pool LOCAL
fair-queue
ppp authentication chap pap callin
group-range 1/00 1/59
router eigrp 100
network 192.168.240.0
auto-summary
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.240.1
ip tacacs source-interface FastEthernet0/1
no ip http server
no ip http secure-server
logging history debugging
logging trap debugging
logging x.x.x.x
access-list 101 deny eigrp any any
access-list 101 permit ip any any
access-list 101 remark dialer-list used for dialer-list 1
access-list 182 remark *** PERMIT SSH TO THIS DEVICE ***
access-list 182 permit tcp any any eq 22
access-list 182 deny ip any any log
dialer-list 1 protocol ip permit
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key 7 *******************
control-plane
voice-port 3/0:D
voice-port 3/1:D
dial-peer cor custom
ss7 mtp2-variant Bellcore 0
ss7 mtp2-variant Bellcore 1
ss7 mtp2-variant Bellcore 2
ss7 mtp2-variant Bellcore 3
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
no exec
line vty 0 4
access-class 182 in
exec-timeout 30 0
logging synchronous
transport input ssh
escape-character BREAK
line 1/00 1/59
no modem callout
modem Dialin
rotary 1
transport input all
transport output all
autoselect during-login
autoselect ppp
scheduler allocate 10000 400
ntp clock-period 17180055
ntp server x.x.x.x
end
Cisco AS5350 IOS: c5350-ik9s-mz.123-11.T11.bin
Is anyone aware of an IOS bug or an error in my configurations that could be causing the delay in creating an ARP entry for the dial-in client?
I am open to any suggestions.
BTW, if I add static arp entries on the server, ICMP replies are typically received after one or two request timeouts.
However, I feel this is not a solution to the problem, only a band-aid fix.
arp -s 192.168.240.128 00-0d-28-0c-fe-1b
arp -s 192.168.240.129 00-0d-28-0c-fe-1b
arp -s 192.168.240.130 00-0d-28-0c-fe-1b
arp -s 192.168.240.131 00-0d-28-0c-fe-1b
arp -s 192.168.240.132 00-0d-28-0c-fe-1b
arp -s 192.168.240.133 00-0d-28-0c-fe-1b
arp -s 192.168.240.134 00-0d-28-0c-fe-1b
arp -s 192.168.240.135 00-0d-28-0c-fe-1b
arp -s 192.168.240.136 00-0d-28-0c-fe-1b
arp -s 192.168.240.137 00-0d-28-0c-fe-1b
arp -s 192.168.240.138 00-0d-28-0c-fe-1b
arp -s 192.168.240.139 00-0d-28-0c-fe-1b
arp -s 192.168.240.140 00-0d-28-0c-fe-1b
arp -s 192.168.240.141 00-0d-28-0c-fe-1b
arp -s 192.168.240.142 00-0d-28-0c-fe-1b
arp -s 192.168.240.143 00-0d-28-0c-fe-1b
arp -s 192.168.240.144 00-0d-28-0c-fe-1b
arp -s 192.168.240.145 00-0d-28-0c-fe-1b
arp -s 192.168.240.146 00-0d-28-0c-fe-1b
arp -s 192.168.240.147 00-0d-28-0c-fe-1b
arp -s 192.168.240.148 00-0d-28-0c-fe-1b
arp -s 192.168.240.149 00-0d-28-0c-fe-1b
Thank you for taking the time to read my post.
-Brad
Hi Krishnamraj,
How many records are you getting from server..?? Are they very huge..??
Thanks,
Bhasker -
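An added example, not part of the original posts: a small Python parser for the "debug arp" output quoted in the dial-in thread above. It measures how long the entry for the dial-in client stayed incomplete, counts the unanswered requests, and checks whose MAC finally answered. The log lines and the MAC-to-host table are copied from that post; the function and field names are this example's own.

```python
import re
from datetime import datetime

# "debug arp" lines as quoted in the post above.
DEBUG_ARP = """\
000292: *Mar 1 00:21:22.819 UTC: IP ARP: creating incomplete entry for IP address: 192.168.240.131 interface Vlan1
000293: *Mar 1 00:21:22.819 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000298: *Mar 1 00:21:27.013 UTC: IP ARP: rcvd req src 192.168.240.21 5cf9.dd48.76dd, dst 192.168.240.131 Vlan1
000299: *Mar 1 00:21:27.441 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000306: *Mar 1 00:21:32.441 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000314: *Mar 1 00:21:37.449 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000323: *Mar 1 00:21:42.440 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000329: *Mar 1 00:21:47.440 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000334: *Mar 1 00:21:52.439 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000344: *Mar 1 00:21:57.447 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000350: *Mar 1 00:22:02.447 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000358: *Mar 1 00:22:07.430 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000364: *Mar 1 00:22:12.438 UTC: IP ARP: creating incomplete entry for IP address: 192.168.240.131 interface Vlan1
000365: *Mar 1 00:22:12.438 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40,dst 192.168.240.131 0000.0000.0000 Vlan1
000372: *Mar 1 00:22:17.437 UTC: IP ARP: sent req src 192.168.240.1 b4e9.b006.9e40, dst 192.168.240.131 0000.0000.0000 Vlan1
000373: *Mar 1 00:22:17.446 UTC: IP ARP: rcvd rep src 192.168.240.131 000d.280c.fe1b, dst 192.168.240.1 Vlan1
"""

# MAC -> IP of hosts whose addresses are known ("Host Details" in the post).
KNOWN_HOSTS = {
    "b4e9.b006.9e40": "192.168.240.1",   # Vlan1 on the L2 switch
    "5cf9.dd48.76dd": "192.168.240.21",  # server
    "000d.280c.fe1b": "192.168.240.5",   # AS5350 RAS
}

LINE = re.compile(
    r"\*(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<time>[\d:.]+)\s+\w+: IP ARP: (?P<body>.*)$")
INCOMPLETE = re.compile(r"creating incomplete entry for IP address: (?P<ip>\S+)")
PACKET = re.compile(
    r"(?P<dir>sent|rcvd) (?P<kind>req|rep) src (?P<sip>\S+) "
    r"(?P<smac>[0-9a-f.]+),\s*dst (?P<dip>\S+)")


def parse_time(mon, day, clock):
    # The debug timestamps carry no year; a fixed one is enough for deltas.
    return datetime.strptime(f"1900 {mon} {day} {clock}", "%Y %b %d %H:%M:%S.%f")


def analyze(text, known_hosts):
    """Return (resolved, still_pending) for every IP that went 'incomplete'."""
    pending = {}   # ip -> {"first": datetime, "requests": int}
    resolved = []
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        ts = parse_time(m["mon"], m["day"], m["time"])
        inc = INCOMPLETE.search(m["body"])
        if inc:
            # Keep the first creation time even if the entry is re-created.
            pending.setdefault(inc["ip"], {"first": ts, "requests": 0})
            continue
        pkt = PACKET.search(m["body"])
        if not pkt:
            continue
        if pkt["dir"] == "sent" and pkt["kind"] == "req" and pkt["dip"] in pending:
            pending[pkt["dip"]]["requests"] += 1
        elif pkt["dir"] == "rcvd" and pkt["kind"] == "rep" and pkt["sip"] in pending:
            state = pending.pop(pkt["sip"])
            owner = known_hosts.get(pkt["smac"])
            resolved.append({
                "ip": pkt["sip"],
                "requests_sent": state["requests"],
                "delay_s": round((ts - state["first"]).total_seconds(), 3),
                "reply_mac": pkt["smac"],
                # Set when the answering MAC is already known under another IP:
                # expected for proxy ARP (the RAS answering for its PPP client),
                # and also what a spoofed reply would look like.
                "reply_mac_owner": owner if owner != pkt["sip"] else None,
            })
    return resolved, pending


if __name__ == "__main__":
    for entry in analyze(DEBUG_ARP, KNOWN_HOSTS)[0]:
        print(entry)
```

On the quoted capture this reports 12 requests over roughly 55 seconds before the reply, and that the reply carried the AS5350's own MAC address.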
How to setup a static multicast ARP entry with Cisco SF300-08?
We're running a cluster in multicast mode as a loadbalancer.
We have a Cisco SF300-08, and adding a static ARP entry results in an error message telling the user that the hardware address needs to be a valid unicast MAC address.
So how do we set up a static multicast entry on the Cisco SF300? Or maybe someone knows another solution for setting up multicast mode on the Cisco SF300.
Hi, Tom!
We have two watchguard xtm505 (cluster active-active) in our network. The Watchguard interfaces have one IP and one MAC address: IP 192.168.111.1 (unicast) and MAC 01:00:5e:02:02:03 (multicast). The Cisco SF300 is the router to outside networks (to the internet). The Cisco IP address is 192.168.111.254. There are some other hosts in this network.
Ping from hosts to 192.168.111.254 works well. Ping from hosts to 192.168.111.1 works well too. But there is no ping from the watchguard cluster (192.168.111.1) to the Cisco (192.168.111.254), and there is no routing to the internet.
This is a well-known situation. We need to do the following (example for Cisco 3750):
1. Start the Cisco 3750 command line interface.
2. Add a static ARP entry for the multicast MAC address of the FireCluster interface.
Type this command:
arp arpa
For this example, type:
arp 192.168.111.1 01:00:5e:02:02:03 arpa
3. Add an entry to the MAC address table.
Type this command:
mac-address-table static vlan interface <#>
For this example, type:
mac-address-table static 01:00:5e:02:02:03 vlan 1 interface gi1/0/11
But we can't add an ARP entry on the Cisco SF300. The CLI tells us "MAC address illegal"!
We tried enabling igmp snooping, but it does not help.
Could you tell us in more detail about MAC groups? -
On my 3850 (running 3.3.1) I have 1600+ entries in the arp table for a given vlan, but I'm not acting as the gateway for the devices connecting to it (I'm trunked to the core, which is acting as the gateway, but I do have ip routing enabled on my 3850). I've put the nmsp attachment suppress command on all physical interfaces to resolve another issue I was having.
Is having all these arp entries expected behavior? I've tried to delete 1 ip in the table which I knew wasn't valid but my switch seems to ignore it as the entry is still there.
The reason I ask was due to a small unicast flooding issue I seemed to have (since gone away). I was told it may have been due to the switch having an arp entry for a MAC address it didn't know and hence was flooding the switch. The person was surprised to see so many arp entries given I wasn't a gateway for this vlan.
Thanks
Hi,
If you issue "show running config all" command you can see all configuration lines of this switch including the default settings. Here is an example for one of the vlan interface configuration. As you can see "proxy-arp" is enabled globally & interface level by default.
3850-2#sh running-config all | in proxy
no ip arp proxy disable
3850-2#sh running-config all | be interface Vlan1410
interface Vlan1410
ip address 10.141.103.242 255.255.248.0
ip redirects
ip unreachables
ip proxy-arp
ip mtu 1500
ip load-sharing per-destination
ip cef accounting non-recursive internal
ip pim dr-priority 1
ip pim query-interval 30
ip mfib forwarding input
ip mfib forwarding output
ip mfib cef input
ip mfib cef output
ip route-cache cef
ip route-cache
ip split-horizon
ip igmp last-member-query-interval 1000
ip igmp last-member-query-count 2
ip igmp query-max-response-time 10
ip igmp version 2
ip igmp query-interval 60
ip igmp tcn query count 2
ip igmp tcn query interval 10
load-interval 300
carrier-delay 2
no shutdown
ipv6 nd reachable-time 0
ipv6 nd ns-interval 0
ipv6 nd dad attempts 1
ipv6 nd prefix framed-ipv6-prefix
ipv6 nd nud igp
ipv6 nd ra lifetime 1800
ipv6 nd ra interval 200
ipv6 redirects
ipv6 unreachables
snmp trap link-status
cts role-based enforcement
arp arpa
arp timeout 14400
spanning-tree port-priority 128
spanning-tree cost 0
hold-queue 75 in
hold-queue 40 out
no bgp-policy accounting input
no bgp-policy accounting output
no bgp-policy accounting input source
no bgp-policy accounting output source
no bgp-policy source ip-prec-map
no bgp-policy source ip-qos-map
no bgp-policy destination ip-prec-map
no bgp-policy destination ip-qos-map
This post explains "proxy-arp" behaviour well.
http://www.cisco.com/c/en/us/support/docs/ip/dynamic-address-allocation-resolution/13718-5.html
In your case all the SVIs are defined & end hosts get the default-gateway IP correctly, so there is no need for "proxy-arp" to be enabled on the SVI. You can safely disable it (globally or at interface level) and check if that helps to mitigate your arp cache issue.
3850-2(config)#ip arp proxy disable
or
3850-2(config)#int vlan 1410
3850-2(config-if)#no ip proxy-arp
HTH
Rasika
**** Pls rate all useful responses **** -
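An added example, not part of the original posts: a Python audit of "show running-config all" output that lists the addressed, non-shutdown interfaces where proxy ARP is still in effect, honouring the global "ip arp proxy disable" setting from the reply above. The sample configuration is constructed from lines quoted on this page, with the one-space indentation of interface sub-commands assumed; the function name is this example's own.

```python
# Constructed sample, assembled from configuration lines quoted in the posts
# on this page (Vlan1410 from the 3850 reply, Vlan1/Vlan666 from DP1-West).
SAMPLE_CONFIG = """\
no ip arp proxy disable
!
interface Vlan1
 no ip address
 no ip proxy-arp
 shutdown
!
interface Vlan666
 ip address 20.20.20.54 255.255.255.0
 no ip proxy-arp
 no shutdown
!
interface Vlan1410
 ip address 10.141.103.242 255.255.248.0
 ip redirects
 ip unreachables
 ip proxy-arp
 no shutdown
"""


def proxy_arp_audit(config_text):
    """Return interface names that would answer proxy ARP requests.

    An interface is reported when it has an IP address, is not shut down,
    carries "ip proxy-arp", and proxy ARP is not disabled globally.
    """
    globally_disabled = False
    interfaces = {}   # name -> state, kept in configuration order
    current = None
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped == "!":
            continue
        if not line[0].isspace():
            # Global-level command: leaves any interface block.
            current = None
            if stripped == "ip arp proxy disable":
                globally_disabled = True
            elif stripped.startswith("interface "):
                name = stripped.split(None, 1)[1]
                current = interfaces.setdefault(
                    name, {"proxy": False, "has_ip": False, "shutdown": False})
            continue
        if current is None:
            continue
        if stripped == "ip proxy-arp":
            current["proxy"] = True
        elif stripped == "no ip proxy-arp":
            current["proxy"] = False
        elif stripped.startswith("ip address "):
            current["has_ip"] = True
        elif stripped == "shutdown":
            current["shutdown"] = True
        elif stripped == "no shutdown":
            current["shutdown"] = False
    if globally_disabled:
        return []
    return [name for name, s in interfaces.items()
            if s["proxy"] and s["has_ip"] and not s["shutdown"]]


if __name__ == "__main__":
    print(proxy_arp_audit(SAMPLE_CONFIG))
```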
Hi,
We have Sun 1280 servers running in our lab. We observe that sometimes arp entries for some interfaces become zero suddenly.
Here is the warning we observe in /var/adm/messages :-
09:53:50 ca-a ip: [ID 903730 kern.warning] WARNING: IP: Hardware address '00:00:00:00:00:00' trying to be our address 024.094.103.069!
14:32:17 ca-a ip: [ID 903730 kern.warning] WARNING: IP: Hardware address '08:00:20:ad:37:18' trying to be our address 024.094.103.068!
Any help ?
Thanks
Akhil Jain
Hello,
the default ARP timeout on the MSFC is 14400 seconds, or 4 hours. The CAM (MAC address table) default timeout is 300 seconds.
You actually might want to set the CAM agingtime to 4 hours as well, in order to avoid possible IP unicast traffic flooding...
HTH,
GP -
Hi
I'm aware of, and experiencing, the problem with my arp table being poisoned. I'm working on updating the Broadcom drivers but in the meantime need to set some static entries in arp. My setup has the global zone configured on e1000g0, with a second interface e1000g1 used by a non-global-zone; all interfaces are shared. The global zone has no ip and neither is it up on e1000g1, only plumbed. My point being this: when I create a static arp entry for my non-global-zone's default gateway, which can only be done in the global zone, it is assigned to the e1000g0 device. There is a learnt entry for the same gateway (same ip) but on the e1000g1 interface. Ideally I want the learnt entry removed and the static entry assigned to the e1000g1 interface.
Is this possible, and if not am I worrying about a problem that doesn't exist. My fear is that the non-global-zone only being aware of the e1000g1 device will only use the learnt arp entry which is in danger of changing.
If any of this made sense, please can you advise whether there is a potential problem and if it can be rectified.
Thanks
Unless your global zone gets an address on the same subnet as the NGZ for e1000g1, it can't add a static arp entry in the shared IP configuration.
OTOH, you can do this with exclusive IP zones, which is really a much cleaner config/administrative model.
I'd suggest: set up the NGZ as ip-type exclusive, assign it e1000g1, and let the NGZ itself add the static arp entry
--Sowmini -
We have about 20 solaris 10u7 installations built from identical templates that run oracle databases with windows 2k3 2k8 front end on dell poweredge servers with Broadcom teamed nics. The problem affects only some connections. dell1 can ping 100% solaris1 but drops packets against solaris2 where dell2 can ping 100% solaris1 but drops packets against solaris2 and dell3 and solaris3 can ping everyone 100%. All the servers are on the same subnet. When the dell box cannot ping the solaris box I run an arp -a on the solaris box and it returns the wrong mac address for the dell box. The mac address can be a duplicate address from another server / gateway. When the mac address is correct the pings return. I have now changed the ip address on one of the solaris boxes and everyone's happy for now...... I have tried setting static mac addresses with arp -s but these are overwritten. We are starting to see arp entries for computers no longer on our network.
-
Static ARP entry command no worky with vlan
Anyone know why this happens? I'm trying to enter a static arp entry and assign it to a specific vlan, for example:
arp 192.168.200.1 aaaa.bbbb.cccc arpa vlan 15
% Invalid input detected at '^' marker
When this is entered it errors out and marks the word vlan like it is invalid, though it is a valid option when inching forward using the ? help character. I tried multiple iterations and the only other response I get is if I enter vlan 1. To that the router responds with:
Bad ARP command - Interface may only be specified when bridging IP
Is one to assume that the vlan need not be specified? I opted to enter the vlan only for uniformity, but then when it behaved strangely I became curious. I wonder in what scenario adding the vlan to an arp entry would be valid and acceptable.
Thanks, Mike
Hello,
What you experienced is the normal behavior. The L3 device does not allow
you to specify the interface when you are operating in routed mode. Based on
the address you have configured, it will automatically allocate the static
ARP entry to appropriate interface. If you have entered an IP that does not
belong to any subnet, then all interfaces will consider that ARP entry. Only
if you configure two interfaces in bridge mode (like in the case of PPPoE
scenarios), then you can specify the interface ID.
Hope this helps.
Regards,
NT -
Seeing ARP entries on shut down VLAN interface.
Hi,
As you can see below I see a mac address picked up on VLAN 1 on this switch, however vlan 1 interface is shut down? This is causing connectivity issues so does any one know why it is happening?
Cheers
DP1-West#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.10.10.198 11 0050.56ae.0aab ARPA Vlan1
Internet 20.20.20.1 0 4403.a754.8300 ARPA Vlan666
Internet 20.20.20.54 - 34db.fd2e.6d41 ARPA Vlan666
DP1-West#
DP1-West#
DP1-West#sh ru int vlan 1
Building configuration...
Current configuration : 65 bytes
interface Vlan1
no ip address
no ip proxy-arp
shutdown
end
DP1-West#sh ru int vlan 666
Building configuration...
Current configuration : 82 bytes
interface Vlan666
ip address 20.20.20.54 255.255.255.0
no ip proxy-arp
end
DP1-West#sh ver
Cisco IOS Software, C2960X Software (C2960X-UNIVERSALK9-M), Version 15.0(2)EX5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Fri 21-Feb-14 05:54 by prod_rel_team
ROM: Bootstrap program is C2960X boot loader
BOOTLDR: C2960X Boot Loader (C2960X-HBOOT-M) Version 15.0(2r)EX, RELEASE SOFTWARE (fc1)
Thanks for helping. Actually, I was reading this part from a book:
There are no SVIs active on the MSFC-not even VLAN 1. Let's add an SVI for VLAN 20 and see what happens:
MSFC-6509# conf t
Enter configuration commands, one per line. End with CNTL/Z.
MSFC-6509(config)# int vlan 20
MSFC-6509(config-if)# ip address 10.20.20.1 255.255.255.0
MSFC-6509(config-if)# no shut
MSFC-6509(config-if)# ^Z
MSFC-6509#
17w2d: %LINK-3-UPDOWN: Interface Vlan20, changed state to down
17w2d: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to down
MSFC-6509#
MSFC-6509# sho ip int brief
Interface IP-Address OK? Method Status Protocol
Vlan20 10.20.20.1 YES manual down down
The SVI is now there, but it won't come up. The SVI will not come up unless there is an active port in the VLAN in layer two. I often forget this fact and, after adding the SVIs, go off to create my VLANs only to find that none of them will come up. To illustrate the point, I'll assign an IP address to the CatOS management interface SC0, and place it in VLAN 20. This will put an active device in the VLAN:
CatOS-6509: (enable) set int sc0 20 10.20.20.20 255.255.255.0
Interface sc0 vlan set, IP address and netmask set.
Now, with something active in VLAN 20, the VLAN 20 SVI comes up in the MSFC:
MSFC-6509# sho ip int brief
Interface IP-Address OK? Method Status Protocol
Vlan20 10.20.20.1 YES manual up up
Now I know that the Sc0 management IP of CatOS is assigned at the switching side, and we can assign only 1 IP at the switching side, which is using CatOS, right? -
DHCP for VLAN on 4507; IP Conflicts too often
I have seen a few similar posts, but nothing so far that fits my scenario, I think.
I keep getting random users in this VLAN reporting IP conflicts. These desktop systems are left on 24/7. Right now, we only have one VLAN DHCP being served from this core switch.
There are only 29 computers pulling DHCP on this VLAN, but I have a large range allocated to them for growth. These are desktop systems, so they don't swap network ports, and they don't have dual NICs, nor do they have WiFi. So I am at a loss as to why we would be seeing IP conflicts with such an obvious open pool of IPs, and with MAC addresses not changing. It has been my experience that pretty much unless something happens (offline for several days, NIC replacement, etc.) to the MAC, every IP renewal gives the same IP back.
Core#sho ip dhcp pool OUR-Workstations
Pool OUR-Workstations :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 28
Excluded addresses : 49
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased/Excluded/Total
10.1.32.183 10.1.32.1 - 10.1.32.254 28 / 49 / 254
Core#sho ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type State Interface
Hardware address/
User name
10.1.32.50 0180.1f02.5f5e.b6 Dec 18 2013 11:34 PM Automatic Active Vlan32
10.1.32.51 01f0.4da2.2e9f.06 Dec 19 2013 07:57 AM Automatic Active Vlan32
10.1.32.54 01b8.ac6f.45b4.27 Dec 19 2013 09:54 AM Automatic Active Vlan32
10.1.32.55 0100.2564.c8bd.ea Dec 19 2013 09:33 AM Automatic Active Vlan32
10.1.32.58 01b8.ac6f.45c4.97 Dec 19 2013 04:18 AM Automatic Active Vlan32
10.1.32.61 01b8.ac6f.3693.05 Dec 19 2013 05:12 AM Automatic Active Vlan32
10.1.32.62 01b8.ac6f.35f0.eb Dec 19 2013 05:18 AM Automatic Active Vlan32
10.1.32.63 0100.2564.c8c7.ae Dec 19 2013 12:26 AM Automatic Active Vlan32
10.1.32.65 01f0.4da2.2fba.66 Dec 19 2013 01:44 AM Automatic Active Vlan32
10.1.32.66 01b8.ac6f.46eb.b8 Dec 19 2013 01:05 AM Automatic Active Vlan32
10.1.32.67 01b8.ac6f.45c9.7a Dec 18 2013 10:54 PM Automatic Active Vlan32
10.1.32.68 01b8.ac6f.45c3.dc Dec 19 2013 07:12 AM Automatic Active Vlan32
10.1.32.70 01b8.ac6f.35f1.48 Dec 19 2013 05:15 AM Automatic Active Vlan32
10.1.32.88 01b8.ac6f.37bc.3e Dec 19 2013 06:37 AM Automatic Active Vlan32
10.1.32.97 01b8.ac6f.368f.f5 Dec 19 2013 06:42 AM Automatic Active Vlan32
10.1.32.101 01b8.ac6f.45bb.9e Dec 19 2013 06:17 AM Automatic Active Vlan32
10.1.32.110 01f0.4da2.2d47.5a Dec 19 2013 06:17 AM Automatic Active Vlan32
10.1.32.118 01f0.1faf.1d37.97 Dec 19 2013 07:19 AM Automatic Active Vlan32
10.1.32.121 0100.2564.c95a.c1 Dec 19 2013 06:53 AM Automatic Active Vlan32
10.1.32.144 01b8.ac6f.1d37.34 Dec 19 2013 09:16 AM Automatic Active Vlan32
10.1.32.167 0100.2564.c94e.f0 Dec 19 2013 07:34 AM Automatic Active Vlan32
10.1.32.170 01e0.db55.e9d7.01 Dec 19 2013 07:38 AM Automatic Active Vlan32
10.1.32.171 0100.03ff.2eba.66 Dec 18 2013 01:20 PM Automatic Active Vlan32
10.1.32.178 0124.7703.f1c2.e5 Dec 18 2013 10:02 AM Automatic Selecting Vlan32
10.1.32.235 01f0.4da2.2c92.33 Dec 19 2013 09:53 AM Automatic Active Vlan32
10.1.32.238 01b8.ac6f.3649.aa Dec 19 2013 05:21 AM Automatic Active Vlan32
10.1.32.241 01b8.ac6f.1d2a.2f Dec 18 2013 10:08 PM Automatic Active Vlan32
10.1.32.247 01b8.ac6f.45b5.8f Dec 19 2013 05:15 AM Automatic Active Vlan32
Not sure what the SELECTING status is for 10.1.32.178, but I assume I caught this at a point of IP renewal.
Core#sho ip dhcp server stat
Memory usage 22449
Address pools 1
Database agents 0
Automatic bindings 28
Manual bindings 0
Expired bindings 1178
Malformed messages 294
Secure arp entries 0
Renew messages 2368
Relay bindings 0
Relay bindings active 10
Relay bindings terminated 0
Relay bindings selecting 10
Message Received
BOOTREQUEST 171602
DHCPDISCOVER 2931675
DHCPREQUEST 2680462
DHCPDECLINE 271
DHCPRELEASE 26
DHCPINFORM 951950
DHCPVENDOR 0
BOOTREPLY 0
DHCPOFFER 126
DHCPACK 0
DHCPNAK 0
Message Sent
BOOTREPLY 0
DHCPOFFER 8196
DHCPACK 353198
DHCPNAK 12769
Message Forwarded
BOOTREQUEST 0
DHCPDISCOVER 0
DHCPREQUEST 0
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 0
DHCPVENDOR 0
BOOTREPLY 0
DHCPOFFER 0
DHCPACK 0
DHCPNAK 0
Hi,
Cisco IOS DHCP service doesn't reallocate the same IP to a client that is renewing its binding; it will try to offer the next IP available that is not excluded manually and that didn't receive either a DHCPDECLINE or a positive reply to an ICMP echo test or ARP test. It will circle like this up to the end of the pool and then start at the start of the pool again.
Regards
Alain
Don't forget to rate helpful posts.
-
How Cisco represent Arp entry's aging time in SNMP MIB
Hi there,
I found that when a laptop roamed between an office and a meeting room and used two different IP addresses in these two places, there are two active IP ARP entries in Cisco with different aging times.
Please see the screenshot for "sh ip arp". My question is how Cisco represents the aging time in the SNMP MIB. Is there any Cisco proprietary MIB to represent the aging? I want to find the latest ARP entry from SNMP. I can't see any useful field in ipNetToMediaEntry, ipNetToPhysicalEntry and cInetNetToMediaEntry.
Not sure if cInetNetToMediaLastUpdated is related, but I have never gotten any snmpwalk result from this OID yet.
Liam
This value is not available via SNMP.
This information comes via IP-MIB and the IP-MIB's ipNetToMedia table will just give you the hardware address, network address, associated interface, and entry type (e.g. static, dynamic, etc.).
-Thanks
Vinod
-
Creating arp entry within stream module
Hi all.
I'm trying to create an ARP entry from within a stream module stacked between eri and ip. My module is loaded on two interfaces (eri0 and eri1) and is used as a mangler for packets flowing through it. It takes a packet on one interface, does some processing on it if necessary and puts it on the other. My two interfaces are set in promiscuous mode using the DLPI promisc on message. This way the server becomes transparent to the network if placed in the critical path. My problem is the server must have only one IP address configured.
Ex:
Here there my two stream.
(1)
arp
ip -- 192.168.0.10
me
eri0
(2)
arp
ip -- 1.1.1.1
me
eri1
I have some hosts on the network on both sides of my server, which is in the critical path between the two segments of the same network (I hope I'm clear). Hosts on one segment can talk to hosts on the other side perfectly. Hosts on the side of the interface with the valid IP address can communicate with services running on the server, but the ones on the side with the dummy IP can't. This is because there is no ARP entry in the table for this IP with the valid interface (eri0). If I add one myself it works fine. I must mention that there is an entry in the ARP table for the host IP with the invalid interface and that I respond myself to the ARP requests coming from the side of the invalid interface. When a connection is tried to the eri1 side, I see ARP requests from my server on the read queue of my module coming from eri0 because of promiscuous mode data feedback. I send this request on the other queue and when I get the reply I tried sending M_PROTO DL_UNITDATA_IND on the queue of the valid interface. Without success, as you can see.
I read in other posts that this was because of the fastpath routing. I actually see ioctl messages coming downstream when I load my module on both interfaces. I tried finding info about these but couldn't. Could I just respond to this ioctl with IOCNACK with the same data to disable it? Is this a request to enable fast routing? (The first two bytes are 0x4050 if I remember.)
If you know what I'm trying to do is impossible please tell me.
Thanks.
Seb.
It is possible. I effectively have to disable fast path for it to work. To disable it you have to intercept the M_IOCTL msg and qreply with M_IOCNAK - EINVAL if it's a DL_IOC_HDR_INFO ioc_cmd. This ioctl isn't the 0x4050???? one but is 0x0000440a.
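The fastpath refusal described in the answer above, as an added example that is not the poster's module: the write-side decision that turns a DL_IOC_HDR_INFO M_IOCTL into an M_IOCNAK carrying EINVAL and leaves every other message alone. The struct, message-type values and the `filter_downstream` name are simplified stand-ins (assumptions) for what `<sys/stream.h>` and `<sys/dlpi.h>` provide, so the logic builds outside a kernel tree.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins (assumptions) for the <sys/stream.h> and <sys/dlpi.h>
 * definitions used below, so the logic builds outside a Solaris kernel tree. */
enum { M_DATA = 0x00, M_IOCTL = 0x0e, M_IOCNAK = 0x82 };
#define DLIOC           ('D' << 8)
#define DL_IOC_HDR_INFO (DLIOC | 10)    /* 0x440a, the command named above */

struct iocblk { int ioc_cmd; int ioc_error; size_t ioc_count; };
typedef struct msgb {
    unsigned char  db_type;  /* real STREAMS keeps the type in mp->b_datap */
    unsigned char *b_rptr;   /* payload; a struct iocblk for M_IOCTL */
} mblk_t;

enum verdict { PASS_DOWN, NAK_UPSTREAM };

/* Write-side decision for one message arriving from ip.
 * NAK_UPSTREAM: mp was rewritten into an M_IOCNAK; a real module would
 * qreply(q, mp). PASS_DOWN: mp is untouched; a real module would putnext(). */
static enum verdict filter_downstream(mblk_t *mp)
{
    struct iocblk *iocp;

    if (mp->db_type != M_IOCTL || mp->b_rptr == NULL)
        return PASS_DOWN;
    iocp = (struct iocblk *)mp->b_rptr;
    if (iocp->ioc_cmd != DL_IOC_HDR_INFO)
        return PASS_DOWN;            /* leave every other ioctl alone */

    mp->db_type = M_IOCNAK;          /* refuse the fastpath header request */
    iocp->ioc_error = EINVAL;
    iocp->ioc_count = 0;             /* no data travels back with the NAK */
    return NAK_UPSTREAM;
}

int main(void)
{
    /* Constructed sample message: a fastpath probe coming down the stream. */
    struct iocblk ioc = { DL_IOC_HDR_INFO, 0, 64 };
    mblk_t mp = { M_IOCTL, (unsigned char *)&ioc };

    enum verdict v = filter_downstream(&mp);
    printf("verdict=%d type=0x%02x error=%d\n", v, mp.db_type, ioc.ioc_error);
    return 0;
}
```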
-
802.1x router loses ARP entry
First of all, hello all. I'm new to this community.
I have a strange problem I want to share with you. Possibly a bug, but maybe it is me who does something wrong.
My network looks like this:
[RADIUS] --- [C881] --- [SG200 Switch] ---[WinXP]
One of the SG200 interfaces is set as a Supplicant and it authenticates in the RADIUS (FreeRADIUS) server via the C881 router. WinXP and other PC clients authenticate in RADIUS via SG200.
Now: Authentication works perfectly. Ports open as they're supposed to. I'm able to reach RADIUS from SG200 and vice versa, but there is a problem with WinXP. When I connect it to SG200 it authenticates, the port opens and I'm able to reach RADIUS or any host on the left-hand side, but only for 300 seconds. After that period of time C881 loses WinXP from its ARP table and any communication fails. I can't even reach C881's interface facing SG200. Then I type:
c881(config-if)#dot1x port-control force-authorized
C881 learns WinXP's MAC and IP again and all gets back to normal. When I type
c881(config-if)#dot1x port-control auto
after 300 seconds C881 forgets WinXP again and communication breaks down.
How is it possible that a router forgets the MAC of a host it's continuously "talking" with?
Have you ever seen this kind of behaviour? I tried with two other software revisions on C881 and the result is always the same. Bug or feature?
Hi.
Are you sending the session-attribute from the free radius server?
To be honest I'm not sure what you mean, but I have a strong suspicion that my problem has nothing to do with FreeRADIUS.
Host authentication works perfectly. When I connect WinXP directly to the router's switch ports everything works fine. Either the switch itself has a connection to the router all the time - even when WinXP and C881 don't see each other.
Furthermore, all ports are authenticated and open all the time; their state doesn't change. Reauthentication is turned off.
When the problem occurs I see no traffic to the RADIUS server. Here is how it looks:
When I connect WinXP to the switch it works at the beginning.
I check the ARP table on the router - WinXP is there.
I periodically check the ARP table and after approx. 300 seconds (default ARP entry timeout) WinXP disappears and communication breaks down.
Additionally, when I change the ARP timeout value to shorter or longer, communication breaks earlier or later respectively.
-
Q: What is the maximum number of ARP entries (IPv4) and ND entries (IPv6) supported in Aruba controllers?
A: The maximum number of static ARP entries supported is about 2048 for M3/72xx/70xx platforms.
The maximum number of static ARP entries supported is about 128 for 6xx platforms.
The maximum number of static ND entries supported is about 2048 for M3/72xx/70xx platforms.
The maximum number of static ND entries supported is about 128 for 6xx platforms.
a) It depends upon software level. b) 16,000 per card. With release 9.3:
60K Connections Support on BXM-E—Provides the ability to support a maximum of 60K per card for VSI applications for the BPX 8600, for example, PNNI or MPLS, used on enhanced BXM-E cards.