Questions to Determine

• Is there a duplicate IP address on the network (two hosts responding to ARP for 10.30.1.100)?
• What MAC addresses are appearing in the ARP table for 10.30.1.100, and which one is legitimate?
• Can arping -D (duplicate address detection) confirm the conflict?
• What does the DHCP lease table show for 10.30.1.100?
• Which switch port is the rogue MAC (00:ff:aa:bb:cc:11) connected to?
• Was the rogue device assigned the IP statically or via DHCP?
• Is DHCP snooping or Dynamic ARP Inspection (DAI) enabled on the network?
• Could this be an ARP spoofing attack rather than an accidental duplicate?
• What is the ARP cache timeout, and does it correlate with the intermittent outage duration?