This is how the "big boys" do it too - Cisco holds incomplete ARP for a while before dropping from the table.
I logged into one of our public routers and did show ip arp just now: (IPs / MACs hidden of course)
cisco-router>show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  198.51.100.121          5   xxxx.xxxx.xxx9  ARPA   GigabitEthernet0/1
Internet  198.51.100.122          -   xxxx.xxxx.xxx1  ARPA   GigabitEthernet0/1
Internet  192.0.2.18              -   xxxx.xxxx.xxx2  ARPA   GigabitEthernet0/2
Internet  192.0.2.129             -   xxxx.xxxx.xxxa  ARPA   GigabitEthernet0/0.1
Internet  192.0.2.131             -   xxxx.xxxx.xxx0  ARPA   GigabitEthernet0/0.1
Internet  192.0.2.135             0   Incomplete      ARPA
Internet  192.0.2.145             0   Incomplete      ARPA
Internet  192.0.2.146             0   Incomplete      ARPA
Internet  192.0.2.152             0   Incomplete      ARPA
Internet  192.0.2.158             0   Incomplete      ARPA
Internet  192.0.2.170             0   Incomplete      ARPA
Internet  192.0.2.171             0   Incomplete      ARPA
Internet  192.0.2.178             0   Incomplete      ARPA
Internet  192.0.2.180             0   Incomplete      ARPA
Internet  192.0.2.183             0   Incomplete      ARPA
Internet  192.0.2.184             0   Incomplete      ARPA
Internet  192.0.2.185             0   Incomplete      ARPA
Internet  192.0.2.186             0   Incomplete      ARPA
Internet  192.0.2.188             0   Incomplete      ARPA
Internet  192.0.2.196             0   Incomplete      ARPA
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.197             0   Incomplete      ARPA
Internet  192.0.2.200             0   Incomplete      ARPA
Internet  192.0.2.201             0   Incomplete      ARPA
Internet  192.0.2.212             0   Incomplete      ARPA
Internet  192.0.2.231             0   Incomplete      ARPA
Internet  192.0.2.237             0   Incomplete      ARPA
Internet  192.0.2.243             0   Incomplete      ARPA
Internet  192.0.2.249            63   xxxx.xxxx.xxxe  ARPA   GigabitEthernet0/0.1
Internet  192.0.2.250           248   xxxx.xxxx.xxxe  ARPA   GigabitEthernet0/0.1
Internet  192.0.2.254            90   xxxx.xxxx.xxxe  ARPA   GigabitEthernet0/0.1
That's 22 "Incomplete" entries.
As you can see, there's always scanning going on to cause this sort of thing on a public router.
00:00:00:00:00:00 MAC in ARP table is Mikrotik's version of this behavior.
In fact, if you look at the ARP table from the terminal window, it doesn't show all-zeroes MAC addresses, but these entries are shown with a missing "complete" flag:
[admin@CHR-1] /ip arp> print
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic, P - published, C - complete
 #    ADDRESS         MAC-ADDRESS       INTERFACE
 0 DC 10.1.1.3        CA:01:26:14:00:08 ether1
 1 DC 10.1.2.2        08:00:27:07:AB:81 ether2
 2 DC 10.1.1.254      02:00:4C:4F:4F:50 ether1
 3 D  10.1.2.6                          ether2
I timed this entry 10.1.2.6 to see how long it stays in the ARP cache, and it removed itself after 7min:43sec - not quick, but not that long either in the grand scheme... The only real difference I can see is that Cisco deletes Incomplete ARP entries mere seconds after they're created, so maybe Mikrotik could shorten the lifetime of incomplete ARP entries.
If these entries are staying there and never going away, then I assure you that it's because SOMETHING is trying to reach those unused addresses... chances are good that it's zombie-hosts doing scans for their evil botnet herders. If you have an "inside" router interface that's showing these entries, then it's because some internal host is doing a scan. The only time the router creates such an entry is if it has a packet to deliver to that IP address and it's sending an ARP request to find out what MAC address it is.
In short...
dontpanic.jpg
Instead, use this information as an indication that there's something strange on your network (if it's a private interface) and that you might need to do some investigation as to the source of the scans. If it's a public IP interface, then that's just a fact of life.
Of course there are always exceptions, but unless you have a /16 network on an interface, or if you're forwarding a default GW to a proxy-arp-enabled router, you shouldn't get a giant flood of incomplete arps in your table.
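Added example (not part of the original post): a small Python check that reads saved `/ip arp print` output in the format shown above, lists entries without the C (complete) flag or with an all-zero MAC, and reports interfaces that have enough of them to be worth a look. The sample text is constructed, and the function names and the threshold of 3 are assumptions to tune for your own network.

```python
import re
from collections import Counter

# Constructed sample in the format of the "/ip arp print" output in the post.
SAMPLE = """\
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic, P - published, C - complete
 #    ADDRESS         MAC-ADDRESS       INTERFACE
 0 DC 10.1.1.3        CA:01:26:14:00:08 ether1
 1 DC 10.1.2.2        08:00:27:07:AB:81 ether2
 2 D  10.1.2.6                          ether2
 3 D  10.1.2.7                          ether2
 4 D  10.1.2.9                          ether2
"""

# index, optional flag letters, IPv4 address, optional MAC, interface name
ROW = re.compile(
    r"^\s*\d+\s+(?P<flags>[XIHDPC]*)\s*(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})?\s*(?P<iface>\S+)\s*$"
)

def incomplete_entries(text):
    """Return (ip, interface) for rows lacking the C flag or a usable MAC."""
    found = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # "Flags:" legend, column header, blank lines
        if "C" not in m["flags"] or m["mac"] in (None, "00:00:00:00:00:00"):
            found.append((m["ip"], m["iface"]))
    return found

def interfaces_to_investigate(text, threshold=3):
    """Map interface -> incomplete count, for interfaces at or over threshold.

    threshold is an assumed starting value, not a vendor recommendation.
    """
    counts = Counter(iface for _, iface in incomplete_entries(text))
    return {iface: n for iface, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for ip, iface in incomplete_entries(SAMPLE):
        print(f"incomplete: {ip} on {iface}")
    for iface, n in interfaces_to_investigate(SAMPLE).items():
        print(f"{iface}: {n} unresolved ARP entries, look for a scanning host")
```

On an inside interface, a hit from `interfaces_to_investigate` is the cue to look for the host sending traffic to those unused addresses; on a public interface the same count is expected background noise.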