Interesting Traces - ARP returns the broadcast address

Blue Bar separator

A host ARPs the address and gets back the broadcast address instead of a regular MAC address. This is a trace from the Stratus VOS packet_monitor utility.
11:25:02.081 Xmit Ether Dst ff:ff:ff:ff:ff:ff  Src 00:00:a8:80:63:01 Type 0806 (ARP)
ARP Req Target    Src    [00:00:a8:80:63:01]

11:25:02.085 Rcvd Ether Dst 00:00:a8:80:63:01  Src 00:05:00:b8:05:d7 Type 0806 (ARP)
ARP Rep Target    [00:00:a8:80:63:01] Src    [ff:ff:ff:ff:ff:ff]
A close look at the source of the ARP reply indicates that it is most likely a router (00:05:00 == Cisco). It actually is a Cisco 3000 series VPN concentrator (model unknown).

It turns out that the host sending the ARP for had the wrong subnet mask. It was set to but in reality it should have been This of course would make the IP broadcast address. The Cisco VPN concentrator had the correct subnet mask set and did a proxy ARP repling with the correct Ethernet address, which is ff:ff:ff:ff:ff:ff.

For those familar with the VOS operating system, the TCP_OS stack places the following error in the system syserr_log when it receives the above ARP reply.

          00:03:52  TCP: arp: ether address is broadcast for IP address C0A80107!
The C0A80107 is the hex value of the address

Blue Bar separator
This page was last modified on 03-07-18
mailbox Send comments and suggestions