ARP Tables vs MAC address tables

Sep 17th, 2007

Hello,


I have faced a strange problem recently. In the ARP table of the active HSRP router (Cisco WS-C6509-E (R7000)) an unknown MAC address was found (which was overwriting the MAC address of the firewall within the VLAN). On the standby router everything was OK. Moreover, that specific MAC address couldn't be found within the MAC address table of the active or standby switch (aggregation layer). A temporary workaround has been applied by setting a static ARP entry on both routers. However, we still cannot determine how that is possible.


Please help.

Kevin Dorrell Mon, 09/17/2007 - 03:57

There are a few possibilities I can think of:


1. A straightforward IP address conflict. But I would have expected to see the MAC address in the switch forwarding tables.


2. A malicious gratuitous ARP, and the forwarding table entry has already aged out.


3. A malicious gratuitous ARP sourced from a MAC address that is not the same as the one indicated in the gratuitous ARP.


4. Another router on the VLAN that is configured with a narrower mask and that is doing proxy ARP.


Is there anything special about the MAC address, e.g. HSRP address, multicast, etc.? Have you tried looking for the manufacturer ID in the first 3 octets?


Kevin Dorrell

Luxembourg


Czupryniak1981 Mon, 09/17/2007 - 04:36

Thanks for quick reply.


00:07:72:20:c4:bc Alcatel Shanghai Bell Co., Ltd.


But I forgot to mention that only 2 nodes are connected within this VLAN. The first is the firewall (whose MAC was overwritten) and the second is the ISA server.


We have checked the ARP tables of the firewall and didn't find that MAC. I don't know about the ISA server since it is managed by another company.

Kevin Dorrell Mon, 09/17/2007 - 04:45

The fact that the MAC address belongs to Alcatel should be sounding alarm bells by now, especially if the ISA server does not have an Alcatel NIC.


I would be looking for rogue routers, wireless APs, and similar. If you want to nail down your security, make sure that the VLAN goes to the two nodes and only to the two nodes. The static ARP entry for the firewall is already an excellent move. Try sniffing the VLAN for broadcasts or floods from the rogue MAC address.


Kevin Dorrell

Luxembourg
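The advice above is to sniff the VLAN and look for the rogue MAC. What to look for in that capture follows from Kevin Dorrell's possibilities 2 and 3: a gratuitous ARP that rewrites the routers' caches, and a frame whose Ethernet source (what the switch CAM table learns) differs from the ARP sender hardware address (what the router's ARP cache learns), which is exactly the split between the two tables the question asks about. The following is an added example, not code from either poster or from Cisco: a passive ARP inspector that parses raw Ethernet/ARP frames and flags those two patterns plus any claim on a protected IP by an unexpected MAC. The frames are constructed inline; the only value taken from the thread is the rogue MAC 00:07:72:20:c4:bc, and the IP addresses, the firewall and ISA MACs, and the router MAC are assumptions.

```python
import struct
from typing import Dict, List, Optional, Tuple

ETH = struct.Struct("!6s6sH")           # dst, src, ethertype
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def build_arp(eth_src: str, eth_dst: str, op: int,
              sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    return (ETH.pack(mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP)
            + ARP.pack(1, 0x0800, 6, 4, op,
                       mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa)))

def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH.size + ARP.size:
        return None
    eth_dst, eth_src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(eth_src), "eth_dst": mac_str(eth_dst), "op": op,
            "sha": mac_str(sha), "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}

def inspect(frames: List[bytes], expected: Dict[str, str]) -> List[Tuple[int, str, str]]:
    """Return (frame index, finding, detail) for each suspicious ARP packet.

    expected maps protected IPs to the MAC that should own them, i.e. the
    static ARP entries the poster configured on both HSRP routers.
    """
    findings = []
    for i, frame in enumerate(frames):
        p = parse_arp(frame)
        if p is None:
            continue
        # Possibility 3: the switch learns eth_src, the router's ARP cache learns sha.
        if p["eth_src"] != p["sha"]:
            findings.append((i, "eth_arp_mismatch",
                             f"Ethernet src {p['eth_src']} carries ARP sender {p['sha']}"))
        # Possibility 2: gratuitous ARP (sender IP == target IP) rewrites every cache.
        if p["spa"] == p["tpa"]:
            findings.append((i, "gratuitous_arp",
                             f"{p['spa']} announced by {p['sha']} (op {p['op']})"))
        # The symptom itself: a protected IP claimed by a MAC other than its owner.
        want = expected.get(p["spa"])
        if want is not None and want != p["sha"]:
            findings.append((i, "binding_conflict",
                             f"{p['spa']} claimed by {p['sha']}, expected {want}"))
    return findings

# Constructed sample traffic. Addresses below are assumptions, not from the thread.
FIREWALL_IP, FIREWALL_MAC = "10.0.0.1", "00:11:22:33:44:55"
ISA_IP, ISA_MAC = "10.0.0.2", "00:11:22:33:44:66"
ROUTER_IP, ROUTER_MAC = "10.0.0.254", "00:00:0c:07:ac:01"
ROGUE_MAC = "00:07:72:20:c4:bc"        # the Alcatel MAC reported in the thread
UNRELATED_MAC = "00:11:22:33:44:77"    # assumed: a NIC that is not the ARP sender

SAMPLE_FRAMES = [
    # 0: legitimate request from the firewall for the ISA server: nothing to report
    build_arp(FIREWALL_MAC, BROADCAST, ARP_REQUEST,
              FIREWALL_MAC, FIREWALL_IP, "00:00:00:00:00:00", ISA_IP),
    # 1: gratuitous ARP reply claiming the firewall's IP from the rogue MAC
    build_arp(ROGUE_MAC, BROADCAST, ARP_REPLY,
              ROGUE_MAC, FIREWALL_IP, BROADCAST, FIREWALL_IP),
    # 2: unicast reply to the router whose Ethernet source differs from the ARP sender
    build_arp(UNRELATED_MAC, ROUTER_MAC, ARP_REPLY,
              ROGUE_MAC, FIREWALL_IP, ROUTER_MAC, ROUTER_IP),
]

def demo() -> List[Tuple[int, str, str]]:
    return inspect(SAMPLE_FRAMES, {FIREWALL_IP: FIREWALL_MAC, ISA_IP: ISA_MAC})

if __name__ == "__main__":
    for idx, kind, detail in demo():
        print(f"frame {idx}: {kind}: {detail}")
```

On a live capture you would feed `inspect` the raw frames from a SPAN session of the VLAN and keep `expected` in step with the static ARP entries; frame 2 is the case that explains the original symptom, since the switch's MAC address table only ever sees the Ethernet source while the router's ARP cache records the sender hardware address inside the payload.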

