There is a known issue on the Dell firmware for the 6248. We experienced a similar issue where ARP entries were not being populated in the L3 ARP table. Sometimes they would work and other times they wouldn't.
If we did static ARP entries (MAC/IP) traffic would flow just fine.
Version 3.2.0.7 is what Dell indicated was the 'stable' version to back rev to. We are currently running 3.2.1.3 which has the symptoms mentioned above.
Hope that helps someone who may come across this!
If you have a router in the middle, you're working across broadcast domains. ARP/Layer-2 communication is done explicitly between mac-addresses.
What happens in a typical situation:
PC 1 (ip X.X.X.X, mac XX:XX:XX:XX:XX:XX) wants to connect to PC 2 (ip Y.Y.Y.Y, mac YY:YY:YY:YY:YY:YY)
PC 1 notices that IP Y.Y.Y.Y is not "locally route-able" so it sends the packet to the router (ip Z.Z.Z.Z, mac ZZ:ZZ:ZZ:ZZ:ZZ:ZZ)
At this point, the packet leaving PC1 looks like this:
src ip = X.X.X.X src mac = XX:XX:XX:XX:XX:XX, dst ip = Y.Y.Y.Y, dst mac = ZZ:ZZ:ZZ:ZZ:ZZ:ZZ
The switch "switches" the packet to the router (because it already knows what port ZZ:ZZ:ZZ:ZZ:ZZ:ZZ is plugged into). The router knows that the IP Y.Y.Y.Y is on its other interface, and routes the packet to PC2 accordingly.
At this point, the packet leaving the router looks like this:
src ip = X.X.X.X src mac = ZZ:ZZ:ZZ:ZZ:ZZ:ZZ, dst ip = Y.Y.Y.Y, dst mac = YY:YY:YY:YY:YY:YY
PC2 accepts packets on its mac address... and also notes that the IP is destined for itself... and then does whatever with the packet.
At no point in time did PC1 know the mac address. There is no direct way to know the mac address of devices that aren't in the same broadcast domain... because the "physical address" (or mac) is only used to talk locally to locally connected devices.
Best Answer
You can configure a single machine with a static IP address matching the ARP request and a proper netmask. The netmask has to be short enough to cover both the requested IP and the IP of the machine sending the requests. Most likely a netmask of 255.255.255.0 or 255.255.0.0 will work.
Once you have configured that static IP address on a machine it will start responding to the ARP requests. That should make the rate of the ARP requests drop. This machine will now be able to exchange IP packets with the rogue machine, and you can use other tools like for example nmap to identify what it may be running.
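An added example, not part of the answer above: a way to work out the netmask the answer asks for from the observed ARP requests, and to check whether 255.255.255.0 or 255.255.0.0 actually covers both addresses. The capture lines are constructed in tcpdump's ARP output format (as printed with -n), and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed capture lines in tcpdump's ARP format (not from the original thread).
SAMPLE = """\
12:00:01.000000 ARP, Request who-has 192.168.5.20 tell 192.168.5.77, length 46
12:00:02.000000 ARP, Request who-has 192.168.5.20 tell 192.168.5.77, length 46
12:00:03.000000 ARP, Request who-has 10.1.200.9 tell 10.1.3.4, length 46
"""
ARP_RE = re.compile(r"ARP, Request who-has (\S+) tell ([^\s,]+)")


def parse_requests(text):
    """Return the distinct (requested_ip, sender_ip) pairs found in the text."""
    return {(ipaddress.IPv4Address(t), ipaddress.IPv4Address(s))
            for t, s in ARP_RE.findall(text)}


def mask_works(requested, sender, netmask):
    """True if a host at requested/netmask sees the sender as on-link."""
    net = ipaddress.ip_interface(f"{requested}/{netmask}").network
    edges = (net.network_address, net.broadcast_address)
    return sender in net and requested not in edges and sender not in edges


def longest_covering_network(requested, sender):
    """Most specific network in which both addresses are usable hosts."""
    differing_bits = (int(requested) ^ int(sender)).bit_length()
    for prefix in range(min(30, 32 - differing_bits), -1, -1):
        if mask_works(requested, sender, prefix):
            return ipaddress.ip_interface(f"{requested}/{prefix}").network
    raise ValueError("no network covers both addresses as hosts")


def plan(text):
    """For each pair: (static IP to configure, tightest netmask, sender)."""
    return sorted((str(t), str(longest_covering_network(t, s).netmask), str(s))
                  for t, s in parse_requests(text))


if __name__ == "__main__":
    for ip, mask, sender in plan(SAMPLE):
        print(f"configure {ip} netmask {mask} to answer ARP from {sender}")
```

Any netmask shorter than the one reported also works; the second constructed pair shows a case where 255.255.255.0 is too long and 255.255.0.0 is needed.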