ARP Tables vs MAC address tables

Czupryniak1981
Level 1

Hello,

I have faced a strange problem recently. In the ARP table of the active HSRP router (Cisco WS-C6509-E (R7000)) an unknown MAC address was found (which was overwriting the MAC address of the firewall within the VLAN). On the standby router everything was OK. Moreover, that specific MAC address couldn't be found in the MAC address table of the active or standby switch (aggregation layer). A temporary workaround has been applied by setting a static ARP entry on both routers. However, we still cannot explain how that is possible.

Please help.

3 Replies

Kevin Dorrell
Level 10

There are a few possibilities I can think of:

1. A straightforward IP address conflict. But I would have expected to see the MAC address in the switch forwarding tables.

2. A malicious gratuitous ARP, and the forwarding table entry has already aged out.

3. A malicious gratuitous ARP sourced from a MAC address that is not the same as the one indicated in the gratuitous ARP.

4. Another router on the VLAN that is configured with a narrower mask and that is doing proxy ARP.

Is there anything special about the MAC address, e.g. HSRP address, multicast, etc.? Have you tried looking up the manufacturer ID in the first 3 octets?

Kevin Dorrell

Luxembourg

Thanks for the quick reply.

00:07:72:20:c4:bc Alcatel Shanghai Bell Co., Ltd.

But I forgot to mention that only 2 nodes are connected within this VLAN. The first is the firewall (whose MAC was overwritten) and the second is an ISA server.

We have checked the ARP tables of the firewall and didn't find that MAC. I don't know about the ISA server since it is managed by another company.

The fact that the MAC address belongs to Alcatel should be sounding alarm bells by now, especially if the ISA server does not have an Alcatel NIC.

I would be looking for rogue routers, wireless APs, and similar. If you want to nail down your security, make sure that the VLAN goes to the two nodes and only to the two nodes. The static ARP entry for the firewall is already an excellent move. Try sniffing the VLAN for broadcasts or floods from the rogue MAC address.

Kevin Dorrell

Luxembourg
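The checks Kevin describes in his two replies (comparing what ARP learned against what the switch actually saw a frame from, looking up the OUI, and watching the VLAN for a gratuitous ARP whose ARP sender address does not match the Ethernet source) can be scripted from a defender's side. The following is an added example and not code from the thread or from Cisco: the `show ip arp` and `show mac address-table` output is constructed to look like Cisco IOS column layout (an assumption about the format), every address in it is made up apart from the OUI 00:07:72 quoted above, and the captured frame is built locally rather than sniffed.

```python
"""Added example (not from the thread): cross-check a router ARP table against the
switch MAC address table, look up the OUI, and test an ARP frame for the
sender-MAC / Ethernet-source mismatch that marks a spoofed gratuitous ARP."""
import re
import struct
from dataclasses import dataclass

# Constructed sample, laid out like Cisco IOS 'show ip arp' (assumed column format).
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.1              -   0200.0000.00fe  ARPA   Vlan10
Internet  10.10.10.2              0   0007.7220.c4bc  ARPA   Vlan10
Internet  10.10.10.3              5   0200.0000.0002  ARPA   Vlan10
"""

# Constructed sample, laid out like 'show mac address-table' on the aggregation switch.
SHOW_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0200.0000.0001    DYNAMIC     Gi1/1
  10    0200.0000.0002    DYNAMIC     Gi1/2
"""

KNOWN_OUI = {"00:07:72": "Alcatel Shanghai Bell Co., Ltd."}  # the OUI quoted in the thread


def normalize_mac(mac: str) -> str:
    """Accept 'aabb.ccdd.eeff' or 'aa:bb:cc:dd:ee:ff' and return lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str
    age: str        # '-' marks the router's own interface address
    interface: str


ARP_LINE = re.compile(r"^Internet\s+(\S+)\s+(\S+)\s+([0-9a-fA-F.]+)\s+ARPA\s+(\S+)")
MAC_LINE = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F.]+)\s+\S+\s+(\S+)")


def parse_ip_arp(text: str) -> list:
    out = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            ip, age, mac, iface = m.groups()
            out.append(ArpEntry(ip, normalize_mac(mac), age, iface))
    return out


def parse_mac_table(text: str) -> dict:
    """Map (vlan, mac) -> port for every entry the switch has learned."""
    table = {}
    for line in text.splitlines():
        m = MAC_LINE.match(line)
        if m:
            vlan, mac, port = m.groups()
            table[(int(vlan), normalize_mac(mac))] = port
    return table


def arp_without_mac_entry(arp_entries, mac_table) -> list:
    """The thread's symptom: ARP learned a MAC the switch never saw a frame from on that VLAN."""
    missing = []
    for e in arp_entries:
        m = re.match(r"Vlan(\d+)$", e.interface)
        if e.age == "-" or not m:
            continue
        if (int(m.group(1)), e.mac) not in mac_table:
            missing.append(e)
    return missing


def vendor(mac: str) -> str:
    return KNOWN_OUI.get(mac[:8], "unknown OUI")


def build_arp_frame(eth_src, sender_mac, sender_ip, target_ip, opcode=2) -> bytes:
    """Constructed broadcast Ethernet+ARP frame, used only to produce test input."""
    def mac(s): return bytes.fromhex(s.replace(":", ""))
    def ip(s): return bytes(int(o) for o in s.split("."))
    eth = struct.pack("!6s6sH", b"\xff" * 6, mac(eth_src), 0x0806)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      mac(sender_mac), ip(sender_ip), b"\x00" * 6, ip(target_ip))
    return eth + arp


def spoofed_gratuitous_arp(frame: bytes) -> bool:
    """Kevin's case 3: gratuitous ARP (sender IP == target IP) whose ARP sender MAC
    differs from the Ethernet source MAC the frame actually arrived with."""
    eth_src, ethertype = struct.unpack("!6sH", frame[6:14])
    if ethertype != 0x0806:
        return False
    _, _, _, _, _, sha, spa, _, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return spa == tpa and sha != eth_src


if __name__ == "__main__":
    table = parse_mac_table(SHOW_MAC_TABLE)
    for e in arp_without_mac_entry(parse_ip_arp(SHOW_IP_ARP), table):
        print(f"ARP {e.ip} -> {e.mac} ({vendor(e.mac)}) has no MAC-table entry on {e.interface}")
    frame = build_arp_frame("02:00:00:00:00:99", "00:07:72:20:c4:bc", "10.10.10.2", "10.10.10.2")
    print("spoofed gratuitous ARP:", spoofed_gratuitous_arp(frame))
```

On the constructed sample the first check reports exactly the situation in the original post: the firewall's IP resolves in ARP to the Alcatel MAC while the switch has no entry for that MAC on VLAN 10. The frame check is the ordering Kevin suggests for the sniffer: a gratuitous ARP can only have been sent from some physical port, so when the Ethernet source differs from the ARP sender hardware address, the Ethernet source is the MAC to look up in the switch table to find the offending port.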
