Tuesday, May 21, 2013

How to Capture ARP Requests on a Cisco ASA

Many times I have had to prove that the firewall was not receiving any ARP replies from a workstation, router, switch or server. Here is how I did it:

Log into the CLI and create a capture that matches only ARP frames (both requests and replies):

capture [CAP_NAME] interface [INT_NAME] ethernet-type arp

//Example
ASA# capture arpcap interface servers ethernet-type arp
ASA# show capture arpcap

//This is an example of a device that is not responding to ARP:
   1: 20:26:41.822046 arp who-has 10.55.55.55 tell 10.55.55.1
   2: 20:26:43.622508 arp who-has 10.55.55.55 tell 10.55.55.1
   3: 20:26:44.622462 arp who-has 10.55.55.55 tell 10.55.55.1
//We can see the firewall (10.55.55.1) is sending ARP requests for 10.55.55.55 but there is no reply

//This is an example of a device that is responding to ARP requests:

   1: 20:30:59.077226 arp who-has 10.55.55.55 tell 10.55.55.1
   2: 20:30:59.077562 arp reply 10.55.55.55 is-at 0:45:00:07:a7:00

//We can see the firewall (10.55.55.1) is requesting the MAC address for 10.55.55.55 and gets a reply saying it is at 0:45:00:07:a7:00


You can of course also run show arp to see the current ARP table, but the capture proves whether the device is answering ARP at all, and it will also show you when two or more devices reply for the same IP address (a duplicate address, or a host spoofing ARP). When you are finished, remove the capture with no capture arpcap so it does not keep filling its buffer on the firewall.
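As an added example (not part of the original post), the following Python script turns pasted show capture output into the two verdicts discussed above: target IPs that were asked for but never answered, and target IPs for which more than one MAC address replied. The two line formats it parses are taken from the capture output shown above; the third sample, with two conflicting replies, is invented for illustration. It also pads MAC octets, because the tcpdump-style output drops leading zeros (0:45:00:07:a7:00) and the same MAC could otherwise appear as two different addresses.

```python
import re
from collections import defaultdict

# Line shapes the ASA prints for ARP in "show capture" (tcpdump style):
#    1: 20:26:41.822046 arp who-has 10.55.55.55 tell 10.55.55.1
#    2: 20:30:59.077562 arp reply 10.55.55.55 is-at 0:45:00:07:a7:00
REQ_RE = re.compile(r"^\s*\d+:\s+\S+\s+arp who-has (\S+) tell (\S+)\s*$")
REP_RE = re.compile(r"^\s*\d+:\s+\S+\s+arp reply (\S+) is-at ([0-9a-fA-F:]+)\s*$")


def normalize_mac(mac):
    """tcpdump-style output drops leading zeros (0:45:...); pad each octet
    so the same MAC written two ways compares equal."""
    return ":".join("%02x" % int(octet, 16) for octet in mac.split(":"))


def parse_capture(text):
    """Return (requests, replies).
    requests: target IP -> number of who-has frames seen for it
    replies:  target IP -> set of MAC addresses that answered for it"""
    requests = defaultdict(int)
    replies = defaultdict(set)
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            requests[m.group(1)] += 1
            continue
        m = REP_RE.match(line)
        if m:
            replies[m.group(1)].add(normalize_mac(m.group(2)))
    return dict(requests), dict(replies)


def analyze(text):
    """Summarize a capture: which IPs never answered, and which IPs were
    claimed by more than one MAC (duplicate address or ARP spoofing)."""
    requests, replies = parse_capture(text)
    unanswered = sorted(ip for ip in requests if ip not in replies)
    conflicts = {ip: sorted(macs) for ip, macs in replies.items() if len(macs) > 1}
    return {"unanswered": unanswered, "conflicts": conflicts}


# Constructed samples in the same format as the post's show capture output.
SAMPLE_NO_REPLY = """\
   1: 20:26:41.822046 arp who-has 10.55.55.55 tell 10.55.55.1
   2: 20:26:43.622508 arp who-has 10.55.55.55 tell 10.55.55.1
   3: 20:26:44.622462 arp who-has 10.55.55.55 tell 10.55.55.1
"""

SAMPLE_REPLY = """\
   1: 20:30:59.077226 arp who-has 10.55.55.55 tell 10.55.55.1
   2: 20:30:59.077562 arp reply 10.55.55.55 is-at 0:45:00:07:a7:00
"""

# Invented sample: two different hosts both claim 10.55.55.55.
SAMPLE_CONFLICT = """\
   1: 20:35:01.000001 arp who-has 10.55.55.55 tell 10.55.55.1
   2: 20:35:01.000400 arp reply 10.55.55.55 is-at 0:45:00:07:a7:00
   3: 20:35:01.000900 arp reply 10.55.55.55 is-at 0:de:ad:be:ef:1
"""

if __name__ == "__main__":
    for name, sample in [("no reply", SAMPLE_NO_REPLY),
                         ("reply", SAMPLE_REPLY),
                         ("conflict", SAMPLE_CONFLICT)]:
        print(name, analyze(sample))
```

To use it on a real firewall, paste the output of show capture arpcap into a file and call analyze() on its contents; an IP in "unanswered" is the device-not-arping case from the post, and an IP in "conflicts" means two MACs are answering for one address and should be tracked down on the switch.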
