Thursday, January 31, 2019

This Cisco Switch is keeping ARPs from different subnets

I am a bit puzzled by the operation of this one particular Cisco switch in my infrastructure.

The switch (with the weird behavior), let's say, has an IP of 192.168.1.254/24 on int vlan 1. I am using another box to access it via that IP. Let's say the IP of that box is 192.168.2.254/24. My infrastructure routes the traffic between a couple of subnets (going through an L3 switch and a firewall) to arrive at the 192.168.1.0/24 subnet.

Now the weird part is that the switch itself has ARP entries (shown with the sh arp command) for devices on the 192.168.2.0/24 subnet. The device only has an IP address of 192.168.1.254. Since 192.168.2.254 is on a different subnet it should not ARP for it... at all. It should ARP for its gateway. Makes sense, right? Well, when I look at the MACs associated with the remote subnet, they all have the MAC address of the default gateway (which is an ASA firewall). I know the ASA does proxy ARP, but the ASA is NOT directly attached to the 192.168.2.0/24 subnet. There is another network in between before it gets to the 192.168.2.0/24 subnet.

Now, the connection to the switch is fine. It is routing as intended. I am just perplexed why the hell this switch 1) does an ARP for an IP on a different subnet and 2) why the hell the ASA responds to the ARP for an IP address it doesn't even have an ARP entry for.
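As an added example (not the author's code or output), here is a small Python check for the symptom described in the post: it parses IOS "show arp" output, flags every entry whose address lies outside the subnet configured on the interface it was learned on, and reports which of those off-subnet entries resolve to the default gateway's MAC. The sample "show arp" text is constructed, and the gateway address 192.168.1.1 and all MAC addresses are assumptions, since the post does not give them.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format of IOS "show arp" (not captured from the
# author's switch). Addresses and MACs are made up; 192.168.1.1 is an assumed
# default-gateway address, since the post does not give one. The "-" age marks
# the switch's own interface address.
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.254           -   0011.2233.4455  ARPA   Vlan1
Internet  192.168.1.1             3   0011.2233.aaaa  ARPA   Vlan1
Internet  192.168.1.10           12   0011.2233.bbbb  ARPA   Vlan1
Internet  192.168.2.254           5   0011.2233.aaaa  ARPA   Vlan1
Internet  192.168.2.17            7   0011.2233.aaaa  ARPA   Vlan1
Internet  192.168.1.77            0   Incomplete      ARPA
"""

# Subnets configured on the switch's L3 interfaces ("int vlan 1" in the post).
INTERFACE_SUBNETS = {"Vlan1": [ipaddress.ip_network("192.168.1.0/24")]}

# One resolved ARP row: address, age, dotted-quad-style Cisco MAC, type, interface.
ARP_ROW = re.compile(
    r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+ARPA\s+(\S+)"
)


def parse_show_arp(text):
    """Parse the resolved rows of 'show arp'; the header and Incomplete rows are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_ROW.match(line.strip())
        if not m:
            continue
        ip, age, mac, iface = m.groups()
        entries.append({
            "ip": ipaddress.ip_address(ip),
            "age": None if age == "-" else int(age),
            "mac": mac.lower(),
            "interface": iface,
        })
    return entries


def off_subnet_entries(entries, subnets):
    """Entries whose address is outside every subnet configured on the learning interface.

    A host should only ARP for on-link addresses, so anything returned here is worth a look."""
    return [
        e for e in entries
        if not any(e["ip"] in net for net in subnets.get(e["interface"], []))
    ]


def ips_by_mac(entries):
    """Group addresses by MAC; many off-subnet IPs behind one MAC is the proxy-ARP signature."""
    grouped = defaultdict(list)
    for e in entries:
        grouped[e["mac"]].append(str(e["ip"]))
    return dict(grouped)


def report(text, subnets, gateway_ip):
    """Summarise off-subnet ARP entries and which of them resolve to the gateway's MAC."""
    entries = parse_show_arp(text)
    gw = ipaddress.ip_address(gateway_ip)
    gw_mac = next((e["mac"] for e in entries if e["ip"] == gw), None)
    off = off_subnet_entries(entries, subnets)
    return {
        "total": len(entries),
        "off_subnet": [str(e["ip"]) for e in off],
        "gateway_mac": gw_mac,
        "off_subnet_via_gateway_mac": [str(e["ip"]) for e in off if e["mac"] == gw_mac],
        "ips_by_mac": ips_by_mac(off),
    }


if __name__ == "__main__":
    r = report(SHOW_ARP, INTERFACE_SUBNETS, "192.168.1.1")
    print(f"{r['total']} resolved entries, {len(r['off_subnet'])} off-subnet")
    for ip in r["off_subnet"]:
        tag = "gateway MAC" if ip in r["off_subnet_via_gateway_mac"] else "other MAC"
        print(f"  {ip:16} {tag}")
```

Paste real "show arp" output into SHOW_ARP and fill INTERFACE_SUBNETS from the switch's "show ip interface brief" and interface masks. Off-subnet entries that all share the gateway's MAC match what the post describes; an off-subnet entry with some other MAC would point at a different device answering for that address and deserves closer inspection.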


