ARP entries in Windows7, cisco 2651 gateway?

A

Alexander Kryuchkov2013-08-07 16:23:49

Windows

Alexander Kryuchkov, 2013-08-07 16:23:49

Small office, central gateway cisco 2651.
Today I noticed that on some computers on the network there were “left” entries in the arp table:
******
10.21.132.104 my_cisco_mac_address dynamic
10.21.132.106 my_cisco_mac_address dynamic
10.21.132.170 my_cisco_mac_address dynamic
** ****
10.1.1.86 my_cisco_mac_address dynamic
10.88.213.135 my_cisco_mac_address dynamic
******
There are no such records and addresses on the cisco itself.
When cleaning tables on windows7, they no longer appeared.
Local network 10.0.0.0/24, proxy arp is disabled on all interfaces.
Why the hell does a tsiska generally relay left private addresses to me in the local network?
If there is little information for mediums, I'm ready to show the config of the tsiska.
Thank you.
upd:
I have the arp proxy turned off forcibly - no ip proxy arp on all interfaces.
Cisco config without extra lines (passwords) and gateway addresses !
hostname Cisco Router
!
boot-start-marker
boot-end-marker
!
no logging console
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
!
!
no ip domain lookup
ip name-server
ip dhcp excluded-address 10.0.0.1 10.0.0.59
ip dhcp excluded-address 10.0.0.99 10.0.0.254
!
ip dhcp pool LOCAL_NET
network 10.0.0.0 255.255.255.0
dns-server 10.0.0.2
default-router 10.0.0.1
!
no ip bootp server
!
username root privilege 15 password 0 root
!
!
interface Tunnel1
ip address 10.1.0.1 255.255.255.0
tunnel source
tunnel destination
!
interface FastEthernet0/0
ip address 255.255.255.248
no ip proxy-arp
ip nat outside
duplex auto
speed auto
!
interface BRI0/0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0/1
ip address 10.200.200.1 255.255.255.0 secondary
ip address 10.0.0.1 255.255.255.0
no ip proxy-arp
ip accounting output-packets
ip nat inside
load-interval 30
duplex auto
speed auto
!
interface FastEthernet0/1.1
!
ip nat translation timeout 300
ip nat translation tcp-timeout 1200
ip nat translation udp-timeout 30
ip nat translation icmp-timeout 5
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source list 2 interface FastEthernet0/0 overload
ip nat inside source list 3 interface FastEthernet0/0 overload
ip nat inside source list 4 interface FastEthernet0/0 overload
ip nat inside source list 5 interface FastEthernet0/0 overload
ip nat inside source list 6 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.0.0.225 80 interface FastEthernet0/0 11111
ip nat inside source static tcp 10.0.0.4 8080 interface FastEthernet0/0 8080 ip nat inside source static tcp 10.0.0.4
110 interface FastEthernet0/0 110
ip nat
.0.49 22 interface FastEthernet0/0 11022
ip nat inside source static tcp 10.0.0.4 53 interface FastEthernet0/0 53
ip nat inside source static tcp 10.0.0.4 1723 interface FastEthernet0/0 1723
ip nat inside source static tcp 10.0.0.74 5900 interface FastEthernet0/0 5958 ip nat
inside source static tcp 10.0.0.50 5900 interface FastEthernet0/0 5959 tcp 10.0.0.225 22 interface FastEthernet0/0 11122 ip nat inside source static tcp interface FastEthernet0/0 143 ip nat inside source static tcp 10.0.0.4 993 interface FastEthernet0/0 993 ip nat inside source static tcp 10.0.0.4 2525 interface FastEthernet0/0 2525
ip nat inside source static udp 10.0.0.4 53 interface FastEthernet0/0 53
ip nat inside source static tcp 10.0.0.4 25 interface FastEthernet0/0 25
ip nat inside source static tcp 10.0.0.50 50000 interface FastEthernet0/0 50000
no ip http server
ip HTTP Authentication Local
IP Classless IP Route
0.0.0.0 0.0.0.0
ip Route 10.0.2.0 255.255.255.0 10.0.0.231
IP ROUTE 10.0.10.0 255.255.255.0 10.0.0.10
ip Route 10.200.69.0 255.255.255.0 192.168.168.1
IP ROUTE 172.16. 16.0 255.255.255.0 10.0.0.4
ip route 172.16.75.0 255.255.255.0 10.0.0.4
ip route 192.168.0.0
255.255.255.0
ip route 192.168.5.0 255.255.255.0 10.0.0.41
ip route 192.168.6.0 255.255.255.0 10.0.0.221
!
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 2 permit 172.16.16.0 0.0.0.255 access
-list 3 permit 172.16.75.0 0.0.0.255 .5.0 0.0.0.255 access-list 6 permit 192.168.6.0 0.0.0.255 ! end CiscoRouter#

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

J

JDima, 2013-08-07
@JDima

Why the hell does a tsiska generally relay left private addresses to me in the local network?

The question is slightly wrong.
The correct question is: "why the hell does Windows send arp requests to hosts that do not match the local interfaces?".
For example, I have no confidence that those records are caused by cisco. If the problem persists, try debug arp for a while... Well, in principle, the piece of iron is ancient, the software is probably even more ancient, try on the interfaces:
ip proxy-arp
no ip proxy-arp
Maybe something didn’t suck in somewhere. But it still doesn't explain why Windows send requests in the first place.

S

stavinsky, 2013-08-13
@stavinsky

1. I did not see any assumptions about viruses in the comments. From what OS climbs on the left addresses in a network?
Maybe start with WireShark on these machines?
2. for an office of 15 people, I would put pfsense, monowall and the like. But certainly not a cat whose power supply costs more in Russia than this router from the garbage. I have more than once had BPs from cats, and fortunately there were spare pieces for replacement. You have? If not, then an asus or a dlink for 5000r will be 100 times more reliable, since having a config backup you just go to the store and buy a new router.