Possible ARP Problem - Packet Life

11 posts

19 Apr 2011 at 4:43 p.m. UTC

This week I ran into a problem with ARP and strange MAC addresses. Here is output from a 2960. I didn't get the routers (sh arp) when this was happening, sorry about that. What I find strange is the MAC address: 0011.1111.1111. Can anyone explain if this is an ARP spoofing/broadcast issue, or some other problem? Please let me know if anyone needs more info. I am just trying to understand this in more detail.

Vlan Mac Address Type Ports

All 0100.0ccc.cccc STATIC CPU
All 0100.0ccc.cccd STATIC CPU
All 0180.c200.0000 STATIC CPU
All 0180.c200.0001 STATIC CPU
All 0180.c200.0002 STATIC CPU
All 0180.c200.0003 STATIC CPU
All 0180.c200.0004 STATIC CPU
All 0180.c200.0005 STATIC CPU
All 0180.c200.0006 STATIC CPU
All 0180.c200.0007 STATIC CPU
All 0180.c200.0008 STATIC CPU
All 0180.c200.0009 STATIC CPU
All 0180.c200.000a STATIC CPU
All 0180.c200.000b STATIC CPU
All 0180.c200.000c STATIC CPU
All 0180.c200.000d STATIC CPU
All 0180.c200.000e STATIC CPU
All 0180.c200.000f STATIC CPU
All 0180.c200.0010 STATIC CPU
All ffff.ffff.ffff STATIC CPU
1 0010.8373.4f34 DYNAMIC Fa0/11
1 0011.1111.1111 DYNAMIC Fa0/10
1 0015.638e.c900 DYNAMIC Fa0/1
1 0030.c160.f0e5 DYNAMIC Fa0/4
1 0080.645d.6061 DYNAMIC Fa0/2
1 0080.6463.fa51 DYNAMIC Fa0/8
1 0080.6465.7eab DYNAMIC Fa0/7
1 0080.6465.a7e7 DYNAMIC Fa0/6
1 0080.914e.77b0 DYNAMIC Fa0/9
Total Mac Addresses for this criterion: 29

phaze01

13 posts

19 Apr 2011 at 8:23 p.m. UTC

Possibly manually configured. It seems to be used all over in demo scenarios.

rgallop

11 posts

20 Apr 2011 at 10:36 a.m. UTC

Thanks for looking. In the router's sh arp there were several entries like the one I noted. Also, DHCP addresses where being taken up quickly (few seconds) and some devices were not able to connect. Maybe this is just an anomaly, but I wanted to check if someone in the forum has experienced a similar event. Sorry for not capturing the sh arp. I know it would tell us more.

netcowboy

1 post

4 May 2011 at 8:29 a.m. UTC

Hi
This looks very mutch like an nmap dhcp-discover script scanning.

usage:
nmap -sV --script=dhcp-discover
nmap -sV --script=dhcp-DHCPOFFER
nmap -sV --script=dhcp-DHCPREQUEST
nmap -sV --script=dhcp-DHCPDECLINE
nmap -sV --script=dhcp-DHCPACK
nmap -sV --script=dhcp-DHCPRELEASE
nmap -sV --script=dhcp-DHCPINFORM

more info here:
http://nmap.org/nsedoc/scripts/dhcp-discover.html

Netcowboy

rato269

15 posts

11 May 2011 at 1:36 p.m. UTC

Need some info regarding the scenario
1 0011.1111.1111 DYNAMIC Fa0/10

is this a trunk port?
is there any switch connect to that port ?
is GLPB runing on the ?

rgallop 11 posts	19 Apr 2011 at 4:43 p.m. UTC This week I ran into a problem with ARP and strange MAC addresses. Here is output from a 2960. I didn't get the routers (sh arp) when this was happening, sorry about that. What I find strange is the MAC address: 0011.1111.1111. Can anyone explain if this is an ARP spoofing/broadcast issue, or some other problem? Please let me know if anyone needs more info. I am just trying to understand this in more detail. Vlan Mac Address Type Ports All 0100.0ccc.cccc STATIC CPU All 0100.0ccc.cccd STATIC CPU All 0180.c200.0000 STATIC CPU All 0180.c200.0001 STATIC CPU All 0180.c200.0002 STATIC CPU All 0180.c200.0003 STATIC CPU All 0180.c200.0004 STATIC CPU All 0180.c200.0005 STATIC CPU All 0180.c200.0006 STATIC CPU All 0180.c200.0007 STATIC CPU All 0180.c200.0008 STATIC CPU All 0180.c200.0009 STATIC CPU All 0180.c200.000a STATIC CPU All 0180.c200.000b STATIC CPU All 0180.c200.000c STATIC CPU All 0180.c200.000d STATIC CPU All 0180.c200.000e STATIC CPU All 0180.c200.000f STATIC CPU All 0180.c200.0010 STATIC CPU All ffff.ffff.ffff STATIC CPU 1 0010.8373.4f34 DYNAMIC Fa0/11 1 0011.1111.1111 DYNAMIC Fa0/10 1 0015.638e.c900 DYNAMIC Fa0/1 1 0030.c160.f0e5 DYNAMIC Fa0/4 1 0080.645d.6061 DYNAMIC Fa0/2 1 0080.6463.fa51 DYNAMIC Fa0/8 1 0080.6465.7eab DYNAMIC Fa0/7 1 0080.6465.a7e7 DYNAMIC Fa0/6 1 0080.914e.77b0 DYNAMIC Fa0/9 Total Mac Addresses for this criterion: 29
phaze01 13 posts	19 Apr 2011 at 8:23 p.m. UTC Possibly manually configured. It seems to be used all over in demo scenarios.
rgallop 11 posts	20 Apr 2011 at 10:36 a.m. UTC Thanks for looking. In the router's sh arp there were several entries like the one I noted. Also, DHCP addresses where being taken up quickly (few seconds) and some devices were not able to connect. Maybe this is just an anomaly, but I wanted to check if someone in the forum has experienced a similar event. Sorry for not capturing the sh arp. I know it would tell us more.
netcowboy 1 post	4 May 2011 at 8:29 a.m. UTC Hi This looks very mutch like an nmap dhcp-discover script scanning. usage: nmap -sV --script=dhcp-discover nmap -sV --script=dhcp-DHCPOFFER nmap -sV --script=dhcp-DHCPREQUEST nmap -sV --script=dhcp-DHCPDECLINE nmap -sV --script=dhcp-DHCPACK nmap -sV --script=dhcp-DHCPRELEASE nmap -sV --script=dhcp-DHCPINFORM more info here: http://nmap.org/nsedoc/scripts/dhcp-discover.html Netcowboy
rato269 15 posts	11 May 2011 at 1:36 p.m. UTC Need some info regarding the scenario 1 0011.1111.1111 DYNAMIC Fa0/10 is this a trunk port? is there any switch connect to that port ? is GLPB runing on the ?