Community discussions

MikroTik App
 
aguntukk
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 50
Joined: Thu Jul 10, 2014 2:37 pm

HELP !!!!! How to protect Router automatic Mac generate

Mon Jan 18, 2016 7:09 pm

In my router automatically mac address generating . I need forum help. please check the image.Automatically
00:00:00:00:00:00 mac address are comming in several ip address in which ip i am not using. Require urgent concern.
000.jpg
You do not have the required permissions to view the files attached to this post.
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: HELP !!!!! How to protect Router automatic Mac generate

Mon Jan 18, 2016 7:31 pm

Someone on the Internet is scanning your network.
(it happens all day every day)

What you're seeing in the ARP list is completely normal behavior. These entries are not MAC generations. There's no need to panic.

What's happening is that whenever a packet comes along whose destination IP is one of the host IPs that doesn't exist on your LAN, the router doesn't know that the host doesn't exist - it just knows that it needs to learn the MAC address for the destination IP, so it sends an ARP request. Until an ARP reply is heard from the LAN, the router will use 00:00:00:00:00:00 as a place-holder MAC address. These un-answerd ARP requests will timeout very quickly.

Watch what happens when you remove one of your static ARP entries and then ping the host - you'll see the same MAC address there, but with the 'D' flag (dynamic), which means that the router used ARP to learn the host's MAC address.

If you want to prevent your router from sending ARP requests on this interface, then go into VLAN 5 interface configuration, and set arp = reply-only

This will stop the dynamic entries from forming, including hosts that really do have an IP address but aren't in your ARP configuration as a static entry.
 
Polky
newbie
Posts: 35
Joined: Fri Sep 17, 2010 11:19 am

Re: HELP !!!!! How to protect Router automatic Mac generate

Tue Jan 26, 2016 5:25 pm

Hi I have the same problem on RB2011iL, several ports in the bridge. The client can not access until you clear the ARP table the MAC. RB at no extra rules.
Some idea ?
THX
 
mdahkhan
just joined
Posts: 1
Joined: Mon Feb 08, 2016 2:45 pm

Re: HELP !!!!! How to protect Router automatic Mac generate

Mon Feb 08, 2016 2:59 pm

I also faced this when I upgrade Router OS 6.33.5 and then this problem Occurred at my CCR 1009. After Downgrade at 6.33 now it looks ok.. After New Releases 6.34.1 and again I tried to upgrade my RB1100AHx2 I faced same issue and I go back to 6.33. It seems there is bug exist at new releases. Hope Mikrotik will solve this as early as possible.
2016-02-08.png
You do not have the required permissions to view the files attached to this post.
 
User avatar
CoMMyz
Frequent Visitor
Frequent Visitor
Posts: 54
Joined: Fri Dec 04, 2015 10:56 pm

Re: HELP !!!!! How to protect Router automatic Mac generate

Tue Feb 09, 2016 7:11 pm

Hi,

I have the same issue. Once you ping an ip IP that is invalid the router will add to the ARP table an entry with zeroes 00 00 00 00 00 00. Removing that entry manually does not help - the entries re-appear automatically and never expire. Only with a reboot they go away eventually to re-appear if someone attempts to access again invalid IPs.

Running CCR 1009 with version 6.34

This seems to be a problem in the latest releases

Does anyone have a solution?

Thanks
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: HELP !!!!! How to protect Router automatic Mac generate

Wed Feb 10, 2016 6:35 pm

This isn't a problem.

It's just reflecting the fact that the router has tried to ARP for these IP addresses, but hasn't received any replies.
Cisco does this too - it just gives the value of "incomplete"
R1#show ip arp f0/1
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.16.19.10            1   000c.2934.3e46  ARPA   FastEthernet0/1
Internet  172.16.19.1             -   ca01.3f78.0006  ARPA   FastEthernet0/1
Internet  172.16.19.21            0   Incomplete      ARPA  <----------------------------- here
Internet  172.16.19.100          12   000c.29fa.156b  ARPA   FastEthernet0/1
This has always been happening in the background - you just didn't see it previously.
There is nothing wrong, so don't panic.
 
User avatar
CoMMyz
Frequent Visitor
Frequent Visitor
Posts: 54
Joined: Fri Dec 04, 2015 10:56 pm

Re: HELP !!!!! How to protect Router automatic Mac generate

Wed Feb 10, 2016 6:42 pm

The arp entries do not expire though

And i once had 10k entries because of a large subnet being scanned....

Make an option to at least not display those!
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: HELP !!!!! How to protect Router automatic Mac generate

Wed Feb 10, 2016 6:48 pm

Display or not - they're still in the router's brain.

If you really really hate seeing them, then just use the filter at the top of the ARP List window-
arpfilter.png
You do not have the required permissions to view the files attached to this post.
 
ghitone
just joined
Posts: 5
Joined: Fri Oct 11, 2013 3:36 pm

Re: HELP !!!!! How to protect Router automatic Mac generate

Tue Feb 16, 2016 6:34 pm

Hi all,

I'm seeing the same weird behavior for addresses that are not part of the local subnets, and the IPs should be forwarded through the default gateway. The only thing that I think it's important to be mentioned, is the source routing decision by the use of Mangle tables and route rules.

The only workaround found so far is to set ARP in "reply-only" mode and set a static MAC for the gateway of that interface. Still there are interesting behaviors on the ARP on other interfaces as seen in the picture.
You do not have the required permissions to view the files attached to this post.
 
rememberme
just joined
Posts: 23
Joined: Fri Nov 13, 2015 10:13 pm
Location: Chicago, USA

Re: HELP !!!!! How to protect Router automatic Mac generate

Tue Feb 16, 2016 11:00 pm

I have the same issue on CCR1009-8G-1S-1S+ with RouterOS v6.34.1 on it. I see a lot of ARPs belonging to IP address space on the internet.
Yesterday I saw a bunch of logs saying I've hit max ARP table size and I should increase it.
ARP-bug.png
The ONLY subnet on ether6 is 172.16.4.104/29.
You do not have the required permissions to view the files attached to this post.
 
User avatar
CoMMyz
Frequent Visitor
Frequent Visitor
Posts: 54
Joined: Fri Dec 04, 2015 10:56 pm

Re: HELP !!!!! How to protect Router automatic Mac generate

Wed Feb 17, 2016 12:11 am

Thats exactly what i was trying to explain but some people seem to not understand that a big arp table helps no one
 
cobausque
just joined
Posts: 5
Joined: Mon Feb 22, 2016 8:55 pm

Re: HELP !!!!! How to protect Router automatic Mac generate

Mon Feb 22, 2016 8:59 pm

any news?
I'm having the same problem...
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: HELP !!!!! How to protect Router automatic Mac generate

Mon Feb 22, 2016 9:09 pm

If you're seeing public IPs in your ARP cache, it's because whatever your default GW route is, it's using the interface as the next hop, and not using the IP of the default GW router - this forces your Mikrotik to ARP for the IP address directly on the interface, and fortunately for you, your ISP is configured for proxy-arp or else you wouldn't be reaching the Internet.

EDIT: Actually, whatever interface you've routed the default GW to is NOT sending ARP replies (or else you wouldn't be seeing all zeros)
 
User avatar
CoMMyz
Frequent Visitor
Frequent Visitor
Posts: 54
Joined: Fri Dec 04, 2015 10:56 pm

Re: HELP !!!!! How to protect Router automatic Mac generate

Mon Feb 22, 2016 10:02 pm

@zerobyte Thanks for the explanation. Please note that this subnet (/24) has a dynamic route as it is declared on the WAN interface. On my side ARP is enabled on the interface.
MikroTik automatically adds that dynamic route - what can i do?
 
rememberme
just joined
Posts: 23
Joined: Fri Nov 13, 2015 10:13 pm
Location: Chicago, USA

Re: HELP !!!!! How to protect Router automatic Mac generate

Mon Feb 22, 2016 10:21 pm

@ZeroByte, you're right and you're not : )

It is true that in case you use an interface as a next-hop instead of IP address, router will try to resolve gateway's MAC to build an ARP entry and to forward the packet, as defined in Ethernet.
But, in case you have proxy-arp on the other side of the link, you will see all ARP entries resolved to one MAC - proxied one. Which in our case is not like that, you are seeing INCOMPLETEs (zeroes) but packets are still forwarded.
On the other hand, you can reproduce this problem by implementing MPLS and forward traffic onto LSPs.
As you know, LSPs are not broadcast domains and they cannot give you any ARP reply...
So, after MikroTik have introduced "*) arp - show incomplete ARP entries;" in v6.33.5 ROS, i'm hitting max ARP table entries.

It is a workaround to increase max entries but not a solution.
Last edited by rememberme on Mon Feb 22, 2016 10:46 pm, edited 1 time in total.
 
User avatar
CoMMyz
Frequent Visitor
Frequent Visitor
Posts: 54
Joined: Fri Dec 04, 2015 10:56 pm

Re: HELP !!!!! How to protect Router automatic Mac generate

Mon Feb 22, 2016 10:45 pm

Thanks @rememberme

As many have said incorrectly "it is ok do not worry about it" or even "filter it out" I have yet to see a routers arp table being larger to not being a problem ;)
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: HELP !!!!! How to protect Router automatic Mac generate

Tue Feb 23, 2016 12:04 am

@ZeroByte, you're right and you're not : )

It is true that in case you use an interface as a next-hop instead of IP address, router will try to resolve gateway's MAC to build an ARP entry and to forward the packet, as defined in Ethernet.
But, in case you have proxy-arp on the other side of the link, you will see all ARP entries resolved to one MAC - proxied one. Which in our case is not like that, you are seeing INCOMPLETEs (zeroes) but packets are still forwarded.
Yeah - I'd noticed that and added the little EDIT part noting that I'd noticed the difference. (whoops)

I've used proxy arp / interface-hops in some interesting ways myself....
On the other hand, you can reproduce this problem by implementing MPLS and forward traffic onto LSPs.
As you know, LSPs are not broadcast domains and they cannot give you any ARP reply...
So, after MikroTik have introduced "*) arp - show incomplete ARP entries;" in v6.33.5 ROS, i'm hitting max ARP table entries.
I doubt that most of the people on this thread are in that boat.... almost certainly it's the result of some host doing a ping sweep / port scan of the network (which must either be blocked or tolerated), and/or an unusual routing configuration that leads to lots of ARPing where host-address-forwarding would clear things up.
 
rememberme
just joined
Posts: 23
Joined: Fri Nov 13, 2015 10:13 pm
Location: Chicago, USA

Re: HELP !!!!! How to protect Router automatic Mac generate

Tue Feb 23, 2016 12:24 am

I doubt that most of the people on this thread are in that boat.... almost certainly it's the result of some host doing a ping sweep / port scan of the network (which must either be blocked or tolerated), and/or an unusual routing configuration that leads to lots of ARPing where host-address-forwarding would clear things up.
Don't be so rude, who knows who is silently reading this post and laughing : )

I think we should wait for an official resolution from MikroTik team, maybe we are missing something important and this is not a BUG but a feature. Isn't it, MikroTik? ; )
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: HELP !!!!! How to protect Router automatic Mac generate

Tue Feb 23, 2016 12:45 am


Don't be so rude, who knows who is silently reading this post and laughing : )
I wasn't being rude... or at least I wasn't meaning to be anyway.

And fwiw, I think your situation is definitely one that is in the 'bug' category.
 
cobausque
just joined
Posts: 5
Joined: Mon Feb 22, 2016 8:55 pm

Re: HELP !!!!! How to protect Router automatic Mac generate

Tue Feb 23, 2016 1:44 pm

Indeed
because, when I create rules in firewall to have a log.
I see that ARP packets come into the router to an unknown destination with mac 00: 00: 00: 00: 00: 00.
Even if I put one second router in sequence with a sniffer I capture packets destined for 00: 00: 00: 00: 00 being sent by the router 1

I even think it is a service or application on your own mikrotik shooting these requests.

Certainly a bug.

sorry my English is bad :)
 
bakula
just joined
Posts: 14
Joined: Sun Jul 03, 2005 11:09 pm

Re: HELP !!!!! How to protect Router automatic Mac generate

Thu Feb 25, 2016 6:18 am

I'm use script to automatically write static arp.
:foreach i in [/ip arp find dynamic=yes interface=vlanXXX] do={
/ip arp add copy-from=$i
}
Now i have full arp table ip's with mac 00:00:00:00:00:00
How to disable this feature?
 
jorgb
just joined
Posts: 19
Joined: Wed Jun 18, 2014 12:33 am

Re: HELP !!!!! How to protect Router automatic Mac generate

Thu Mar 03, 2016 11:21 pm

We have several CCR routers in place and I can confirm that the 00:00:00:00:00:00 arp issue started with 6.34. Downgrading to 6.33 fixes the issue.
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: HELP !!!!! How to protect Router automatic Mac generate

Fri Mar 04, 2016 12:29 am

This is how the "big boys" do it too - Cisco holds incomplete ARP for a while before dropping from the table.

I logged into one of our public routers and did show ip arp just now: (IPs / MACs hidden of course)
cisco-router>show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  198.51.100.121            5   xxxx.xxxx.xxx9  ARPA   GigabitEthernet0/1
Internet  198.51.100.122            -   xxxx.xxxx.xxx1  ARPA   GigabitEthernet0/1
Internet  192.0.2.18            -   xxxx.xxxx.xxx2  ARPA   GigabitEthernet0/2
Internet  192.0.2.129           -   xxxx.xxxx.xxxa  ARPA   GigabitEthernet0/0.1
Internet  192.0.2.131           -   xxxx.xxxx.xxx0  ARPA   GigabitEthernet0/0.1
Internet  192.0.2.135           0   Incomplete      ARPA
Internet  192.0.2.145           0   Incomplete      ARPA
Internet  192.0.2.146           0   Incomplete      ARPA
Internet  192.0.2.152           0   Incomplete      ARPA
Internet  192.0.2.158           0   Incomplete      ARPA
Internet  192.0.2.170           0   Incomplete      ARPA
Internet  192.0.2.171           0   Incomplete      ARPA
Internet  192.0.2.178           0   Incomplete      ARPA
Internet  192.0.2.180           0   Incomplete      ARPA
Internet  192.0.2.183           0   Incomplete      ARPA
Internet  192.0.2.184           0   Incomplete      ARPA
Internet  192.0.2.185           0   Incomplete      ARPA
Internet  192.0.2.186           0   Incomplete      ARPA
Internet  192.0.2.188           0   Incomplete      ARPA
Internet  192.0.2.196           0   Incomplete      ARPA
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.197           0   Incomplete      ARPA
Internet  192.0.2.200           0   Incomplete      ARPA
Internet  192.0.2.201           0   Incomplete      ARPA
Internet  192.0.2.212           0   Incomplete      ARPA
Internet  192.0.2.231           0   Incomplete      ARPA
Internet  192.0.2.237           0   Incomplete      ARPA
Internet  192.0.2.243           0   Incomplete      ARPA
Internet  192.0.2.249          63   xxxx.xxxx.xxxe  ARPA   GigabitEthernet0/0.1
Internet  192.0.2.250         248   xxxx.xxxx.xxxe  ARPA   GigabitEthernet0/0.1
Internet  192.0.2.254          90   xxxx.xxxx.xxxe  ARPA   GigabitEthernet0/0.1
That's 22 "Incomplete" entries.
as you can see, there's always scanning going on to cause this sort of thing on a public router.

00:00:00:00:00:00 MAC in ARP table is Mikrotik's version of this behavior.
In fact, if you look at the ARP table from the terminal window, it doesn't show all-zeroes MAC addresses, but these entries are shown with a missing "complete" flag:
[admin@CHR-1] /ip arp> print
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic, P - published, C - complete 
 #    ADDRESS         MAC-ADDRESS       INTERFACE                                      
 0 DC 10.1.1.3        CA:01:26:14:00:08 ether1                                         
 1 DC 10.1.2.2        08:00:27:07:AB:81 ether2                                         
 2 DC 10.1.1.254      02:00:4C:4F:4F:50 ether1                                         
 3 D  10.1.2.6                          ether2   
 
I timed this entry 10.1.2.6 to see how long it stays in the ARP cache, and it removed itself after 7min:43sec - not quick, but not that long either in the grand scheme... The only real difference I can see is that Cisco deletes Incomplete ARP entries mere seconds after they're created, so maybe Mikrotik could shorten the lifetime of incomplete ARP entries.

If these entries are staying there and never going away, then I assure you that it's because SOMETHING is trying to reach those unused addresses... chances are good that it's zombie-hosts doing scans for their evil botnet herders. If you have an "inside" router interface that's showing these entries, then it's because some internal host is doing a scan. The only time the router creates such an entry is if it has a packet to deliver to that IP address and it's sending an ARP request to find out what MAC address it is.

In short...
dontpanic.jpg
Instead, use this information as an indication that there's something strange on your network (if it's a private interface) and that you might need to do some investigation as to the source of the scans. If it's a public IP interface, then that's just a fact of life.

Of course there are always exceptions, but unless you have a /16 network on an interface, or if you're forwarding a default GW to a proxy-arp-enabled router, you shouldn't get a giant flood of incomplete arps in your table.
You do not have the required permissions to view the files attached to this post.
 
rachmadona
just joined
Posts: 1
Joined: Mon Mar 07, 2016 5:56 pm

Re: HELP !!!!! How to protect Router automatic Mac generate

Mon Mar 07, 2016 6:01 pm

same case with me with ROS v6.34.2 :(

and now try to downgrade back into v6.28
 
hngjared
Frequent Visitor
Frequent Visitor
Posts: 77
Joined: Thu Dec 01, 2011 8:36 pm
Location: NYC USA

Re: HELP !!!!! How to protect Router automatic Mac generate

Tue Mar 08, 2016 8:13 pm

Same problem on 6.34.2. I downgraded to 6.33.5 which still had the same problem. I downgraded again to 6.33.1 and problem is resolved.
ARP.GIF
You do not have the required permissions to view the files attached to this post.
 
soamz
Member
Member
Posts: 430
Joined: Thu Mar 19, 2015 7:19 am

Re: HELP !!!!! How to protect Router automatic Mac generate

Tue Jun 07, 2016 12:43 pm

same issue here.
ARP shows many 000000000 entries.

How to fix ?
 
pe1chl
Forum Guru
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: HELP !!!!! How to protect Router automatic Mac generate

Tue Jun 07, 2016 6:21 pm

It is not "an issue" and not "a reason to downgrade".
Your ARP table does not have to increase because of this! Those entries were not shown before,
but they still were in your table, waiting for a response. So when your ARP table size is not enough, it
will not help to not have these entries.

What you need to do if you have very many entries like this: make sure that incoming traffic from internet
to a large network that you are routing is filtered so that traffic to hosts that do not exist on your ethernet
is filtered in the router (in the FORWARD chain) as much as possible.
 
rememberme
just joined
Posts: 23
Joined: Fri Nov 13, 2015 10:13 pm
Location: Chicago, USA

Re: HELP !!!!! How to protect Router automatic Mac generate

Tue Jun 14, 2016 8:48 pm

@pe1chl, you're wrong...

Those aren't incomplete ARPs from a subnet whose requested hosts are unreachable, those are incompletes for destinations that should be routed.
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: HELP !!!!! How to protect Router automatic Mac generate

Wed Jun 15, 2016 1:03 am

@pe1chl, you're wrong...

Those aren't incomplete ARPs from a subnet whose requested hosts are unreachable, those are incompletes for destinations that should be routed.
From looking at that screenshot, my takeaway is that there is load-balancing going on, and that there are routes in the tables which have gateway=WAN2-ether2, WAN3-ether3, etc.
 
bestefan
just joined
Posts: 17
Joined: Fri Nov 21, 2008 9:23 am

Re: HELP !!!!! How to protect Router automatic Mac generate

Fri Jun 24, 2016 9:29 pm

Hi,
This "feature" since v6.33.6: "mikrotik arp - show incomplete ARP entries;" is for us also a very, very unpleasant bug.

We have a script on a lot of routers, that sends all active and inactive connected dhcp or fixed IP clients IP addresses to an central server periodically, or in a case if happens something changes. We have to makes in the script an IP scan, to see also an inactive, but existing hosts. It worked nice until 6.33.3, but after that the ARP - filled with trash - does not fit in the variable.

Can I print anyhow with command only the complete ARP entries? Something like this:
/ip arp print where mac-address!="00:00:00:00:00:00" (but this not works)
 
bestefan
just joined
Posts: 17
Joined: Fri Nov 21, 2008 9:23 am

Re: HELP !!!!! How to protect Router automatic Mac generate

Fri Jun 24, 2016 9:43 pm

Sorry, meanwhile I have find out the very simple solution myself, but maybe it can be useful for others:
/ip arp print terse where complete
 
mmethw2003
just joined
Posts: 18
Joined: Wed Jan 05, 2011 6:33 am

Re: HELP !!!!! How to protect Router automatic Mac generate

Tue Aug 09, 2016 8:55 am

Hi Guys,
We have the same issue with one of our CCR routers and it's affecting our day to day operations. Following is the simplest setup we have.
Mikrotik --- SWITCH ---> UNIT / Unit ARP entry shows as all 0s. But if we connected that unit directly to another router port it shows the correct entry.

Router Model # CCR 1036 -12G - 4S
Router OS # 6.35.1

Here I attached a screen shot with how it's look.

Image
 
pe1chl
Forum Guru
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: HELP !!!!! How to protect Router automatic Mac generate

Wed Sep 28, 2016 11:39 am

We have the same issue
What issue? There are at least 3 different "issues" described by others in this topic, as far as I can see all of
them caused by misconfiguration or other misunderstanding.
 
borisbahes
just joined
Posts: 9
Joined: Sat Nov 19, 2016 1:39 pm

Re: HELP !!!!! How to protect Router automatic Mac generate

Sat Nov 19, 2016 1:49 pm

Hi Guys,
We have the same issue with one of our CCR routers and it's affecting our day to day operations. Following is the simplest setup we have.
Mikrotik --- SWITCH ---> UNIT / Unit ARP entry shows as all 0s. But if we connected that unit directly to another router port it shows the correct entry.

Router Model # CCR 1036 -12G - 4S
Router OS # 6.35.1

Here I attached a screen shot with how it's look.

Image
I have same problem but with hEX, ROS: 6.37.1. and different configuration.
When connected over Dynadish 5 L2 bridge it gets 00:00:00:00:00:00 MAC on ether1 and routing fails.
When connected directly via LAN cable to Cyberoam it gets Cyberoam PortG MAC on ether1 and routing works.
mikrotik_0.PNG
You do not have the required permissions to view the files attached to this post.
 
phendry
Member Candidate
Member Candidate
Posts: 259
Joined: Fri May 28, 2004 4:42 pm

Re: HELP !!!!! How to protect Router automatic Mac generate

Tue Feb 14, 2017 6:49 am

What issue? There are at least 3 different "issues" described by others in this topic, as far as I can see all of them caused by misconfiguration or other misunderstanding.
Our routers have default routes via IP address next hop (not interface) and yet we have loads of 00:00:00:00:00:00 entries for hundreds of ip addresses not on the router or even our network. Our routers should be sending packets destined to these addresses via the next hop IP addresses, not ARPing. How is this misconfiguration or misunderstanding?
 
pe1chl
Forum Guru
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: HELP !!!!! How to protect Router automatic Mac generate

Tue Feb 14, 2017 10:56 am

How is this misconfiguration or misunderstanding?
Please post your configuration!
 
phendry
Member Candidate
Member Candidate
Posts: 259
Joined: Fri May 28, 2004 4:42 pm

Re: HELP !!!!! How to protect Router automatic Mac generate

Tue Feb 14, 2017 12:28 pm

Please post your configuration!
These have very large configs. What parts in particular are you after?
 
pe1chl
Forum Guru
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: HELP !!!!! How to protect Router automatic Mac generate

Tue Feb 14, 2017 6:53 pm

There must be something that causes this.
It could be IPsec policies for very large networks.
Avoid that. Use a tunnel with IPsec policies for the endpoints and route the network traffic over that tunnel
interface using static routes or an automatic routing protocol (BGP, OSPF).
 
phendry
Member Candidate
Member Candidate
Posts: 259
Joined: Fri May 28, 2004 4:42 pm

Re: HELP !!!!! How to protect Router automatic Mac generate

Wed Feb 15, 2017 12:37 am

We don't run IPSEC. These routers run static internal routes for MPLS-TE tunnels, iBGP for internal distribution of client public addresses and eBGP for external peering. We also run EoIP to some end clients.
 
tangram
Member Candidate
Member Candidate
Posts: 132
Joined: Wed Nov 16, 2016 9:55 pm

Re: HELP !!!!! How to protect Router automatic Mac generate

Mon May 08, 2017 10:59 am

Hi,

If you set route with interface as gateway it's normal that the source does arp for all destinations out that interface.
Intefaces with dhcp-client act like this. So, as stated by others, there are a couple of ways to make things working:

1. your dhcp-server has proxy-arp so all those destinations map to his mac
2. you set the dhcp-server ip as gateway manually or by script(latest ros i think has that option built-in)
3. you set reply-only on your client and set gateway manually or by script - you can also set arp entry manually but you have to be careful

It's normal for your gateways to have some incomplete arp but you should check why that happens. For instance you can have clients that seek a server that isn't there or you have people scanning your network. Also you can go further and see who's requesting those ips.
 
omawnakw
just joined
Posts: 6
Joined: Thu Nov 26, 2015 12:23 pm

Re: HELP !!!!! How to protect Router automatic Mac generate

Fri Jun 09, 2017 1:37 pm

CCR-1016-12S-1S+RM
6.35.4
I have an issue with this zero arp entries. When someone scan or if you just ping address xxx.xxx.xxx.xxx
when it's not on the net the arp table filled with 00:00:00:00:00:00 arp entry.
Then, when host is up router steel stuck with this dynamic entry and do not try to send new arp request
until you delete zero entry manually. It does not when you try to ping it from the other network.
If you delete this zero entry and then retry ping, router sends arp request and arp table filled with the correct entry.
ARP on the target bridge is set to "enabled". Target network has an automatic route entry added with ip address xxx.xxx.xxx.xxx/24
in the main table and the static entries in other routing tables.
Updated to v6.39.2 (stable) today. Will see if it's fixed.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: HELP !!!!! How to protect Router automatic Mac generate

Fri Jun 09, 2017 4:04 pm

This is not normal behavior. Probably during your "investigation" you have clicked on the entry and done "make static".
Don't do that. Just leave it operating and don't worry about the 00:00:00:00:00:00 entries. They are not an issue,
they are normal behavior.

Who is online

Users browsing this forum: BioMax, itvisionpk, tjanas94 and 34 guests