Our LAN consists of a few subnets which are routed.
A few days ago, when looking at the firewall log files I noticed that our radio controlled clock sends NTP responses to a private IP address
10.0.41.1. Curious: this IP address is not part of our LAN, nor do we route any 10.X.X.X subnet. Thus, the packet is routed from our internal router (Cisco C6509/Sup720) to the firewall where it is blocked.

I've created a monitoring session on the switch (C2950) to which the radio controlled clock is connected. Ethereal told me that the Cisco router is source or destination of the 10.0.41.1 NTP requests/responses.

10.0.41.1 ---> Cisco router ---> ntp clock [ 192.168.1.X ] ---> back to Cisco router ---> to firewall ---> [ udp packet is blocked ]

I connected to the router and looked at the ARP table. But "sh arp" gives me only addresses from our regular internal subnets. I want to know the MAC address to locate the switch port for 10.0.41.1 within our LAN. I don't know how to determine the MAC address from the 10.0.4.1 address as "sh arp" did not give me the MAC address.
How do I debug this issue?
Another question is: why does the Cisco router even route the NTP request packets originating from a subnet in which the Cisco router has no ip address configured to act as a gateway? As far as I know, a client's default gateway must always be in the same subnet as the client. On the way back (NTP response packets), the Cisco router has no route to 10.X.X.X, and it uses the default route to the internet. This is clear to me, but how about the way forth?
Any help would be appreciated.

Greetings from Germany,
Georg
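An added example (Python, not part of the original post) that walks through both parts of the question: matching the source MAC seen in a span-port capture against the switch's MAC address table to find the port, and why a router forwards a packet whose source address lies in no connected subnet. All MAC addresses, switch ports, the capture lines, the MAC-table text and the routing table are constructed sample data; only the 10.0.41.1 and 192.168.1.x addresses come from the post. The `strict_urpf_accepts` function is a simplified model of unicast reverse-path forwarding, the ingress check that would make a router drop such packets.

```python
"""Locate the switch port behind a stray source IP, and show why a router
forwards it anyway.  Added example: all MACs, ports, capture text, MAC-table
text and routes below are constructed sample data, not taken from the post.
"""
import ipaddress
import re

# Constructed capture as seen on a span port mirroring the NTP clock's port,
# in tcpdump "-e" style: src MAC > dst MAC, then the IP/UDP summary.
# Note the request's source MAC is the router's: the clock's VLAN never sees
# the original host's frame, only the router's forwarded copy.
CAPTURE = """\
00:0a:0b:0c:0d:0e > 00:aa:bb:cc:dd:ee, IPv4, 10.0.41.1.123 > 192.168.1.10.123: NTPv3 client
00:aa:bb:cc:dd:ee > 00:0a:0b:0c:0d:0e, IPv4, 192.168.1.10.123 > 10.0.41.1.123: NTPv3 server
"""

# Constructed "show mac address-table" output of the access switch.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    000a.0b0c.0d0e    DYNAMIC     Gi0/1
  10    00aa.bbcc.ddee    DYNAMIC     Fa0/5
"""

# Constructed: MAC of the router's interface on this VLAN (the default gateway).
ROUTER_MACS = {"00:0a:0b:0c:0d:0e"}

# Constructed routing table of the internal router: (prefix, egress).
ROUTES = [
    ("192.168.1.0/24", "Vlan10"),
    ("192.168.2.0/24", "Vlan20"),
    ("0.0.0.0/0", "firewall"),
]

LINE_RE = re.compile(
    r"^(?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), IPv4, "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dip>\d+\.\d+\.\d+\.\d+)\.\d+:"
)


def norm_mac(mac):
    """Normalise 00:0a:0b:0c:0d:0e and 000a.0b0c.0d0e to the same 12 hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def source_macs_for(capture, ip):
    """Return the set of source MACs carrying packets from the given source IP."""
    macs = set()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("sip") == ip:
            macs.add(norm_mac(m.group("smac")))
    return macs


def parse_mac_table(text):
    """Map normalised MAC -> port from Cisco-style MAC address table output."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and re.fullmatch(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}", parts[1]):
            table[norm_mac(parts[1])] = parts[3]
    return table


def locate_source(capture, ip, mac_table_text, router_macs):
    """For each source MAC seen for `ip`, report the switch port it was learned on.
    via_router=True means the frame came from the gateway, i.e. the real host is
    on another VLAN and the capture has to be repeated on the router's ingress side."""
    table = parse_mac_table(mac_table_text)
    routers = {norm_mac(m) for m in router_macs}
    return [
        {"mac": mac, "port": table.get(mac), "via_router": mac in routers}
        for mac in sorted(source_macs_for(capture, ip))
    ]


def lookup_route(dst):
    """Longest-prefix match on the destination only.  The source address plays no
    part, which is why a request from 10.0.41.1 to 192.168.1.10 is forwarded even
    though the router has no interface in 10.0.41.0/24; the reply to 10.0.41.1
    matches nothing but the default route and ends up at the firewall."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, egress in ROUTES:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best[1] if best else None


def strict_urpf_accepts(src, ingress):
    """Simplified strict unicast reverse-path check: accept only if the route back
    to the source points out the interface the packet arrived on.  A packet from
    10.0.41.1 arriving on an internal VLAN fails, because its reverse path is the
    default route towards the firewall."""
    return lookup_route(src) == ingress


if __name__ == "__main__":
    print(locate_source(CAPTURE, "10.0.41.1", MAC_TABLE, ROUTER_MACS))
    print(lookup_route("192.168.1.10"), lookup_route("10.0.41.1"))
    print(strict_urpf_accepts("10.0.41.1", "Vlan20"))
```

The locate step deliberately reports `via_router`: on the clock's VLAN the only MAC behind 10.0.41.1 is the router's own, so the MAC table just points at the uplink, and the useful capture is the one taken on the VLAN where the router first receives the frames. The routing functions make the second point concrete: a router's forwarding decision ignores the source, so only an explicit reverse-path check at ingress stops traffic from a source prefix the router does not own.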