traffic from 0.1.0.4 on HSRP virtual interface mac-address

Unanswered Question
Jan 25th, 2009

We have two 6509 switches running HSRP.

We have everything separated into its own VLAN:

router interfaces,

PC workstations,

servers,

printers

There are a total of about 40 VLANs created for everything.

We have MARS set up and it is picking up traffic originating from ip address 0.1.0.4 port 137 but using the workstation HSRP interface mac address.

The destination of the traffic is to different workstations (no pattern).

So it is as if the HSRP virtual interface is sourcing traffic to different workstations, but using the ip address of 0.1.0.4.

One of the other network guys thinks it is a Cisco bug, but if this were the case, why wouldn't we see this on all of the HSRP interfaces?

Also, would a Cisco bug source traffic on a NetBIOS port?

Has anyone ever seen anything like this?

chuckwirth Mon, 01/26/2009 - 10:42

If the frame came from another VLAN or the WAN (layer 3 routed), the source mac-address would be rewritten with the mac-address of the router.

On the routers:

#show ip arp 0.1.0.4

That should give you the real ip-mac address.

Then

# show mac- | i "mac-address"

to see what port it's coming from. Depending on your network, that should allow you to trace it down.

You also might want to try writing an access-list for the 0.1.0.4 address and applying it to different ports to see where the traffic is really coming from.

I've read that that IP address is used by some PnP web cameras so you might want to look into that.

Try disabling IP proxy arp.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094adb.shtml

wilson_1234_2 Mon, 01/26/2009 - 17:55

What is your thought about proxy-arp?

What proxy-arp scenario could be causing this?

chuckwirth Tue, 01/27/2009 - 08:09

I suggested proxy-arp since it may be a spoofing attack, but I would try the other stuff first and try to track down the real source of the traffic. From what you have said I don't believe that it is coming from the HSRP routers, but from somewhere else.
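A triage sketch for the situation discussed in this thread, added here as an example and not code from either poster: it scans exported traffic records for source addresses in 0.0.0.0/8 (where 0.1.0.4 falls), groups them by VLAN and source MAC, and reports whether that MAC has the layout of an HSRP virtual MAC. The record layout, field names and sample rows are constructed for illustration (this is not MARS output), and the MAC patterns assume the default HSRP v1/v2 virtual MAC formats.

```python
import csv
import io
import ipaddress
import re
from collections import defaultdict

# 0.0.0.0/8 is reserved ("this network"); hosts should not source unicast from it.
THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")

# Default HSRP virtual MAC layouts (assumption: not overridden in the switch config).
HSRP_V1 = re.compile(r"^00000c07ac([0-9a-f]{2})$")   # last byte = group number
HSRP_V2 = re.compile(r"^00000c9ff([0-9a-f]{3})$")    # last 12 bits = group number

# Constructed sample records: vlan, src_mac, src_ip, src_port, dst_ip
SAMPLE = """\
vlan,src_mac,src_ip,src_port,dst_ip
20,0000.0c07.ac14,0.1.0.4,137,10.20.0.31
20,0000.0c07.ac14,0.1.0.4,137,10.20.0.77
20,00:1a:2b:3c:4d:5e,10.20.0.31,49152,10.30.0.5
30,0000.0c07.ac1e,10.40.0.9,51000,10.30.0.5
20,0000.0c07.ac14,0.1.0.4,137,10.20.0.31
"""

def normalize_mac(mac):
    """Strip separators so dotted, colon and dash notations compare equal."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def hsrp_group(mac):
    """Return the HSRP group number encoded in a virtual MAC, or None."""
    digits = normalize_mac(mac)
    for pattern in (HSRP_V1, HSRP_V2):
        hit = pattern.match(digits)
        if hit:
            return int(hit.group(1), 16)
    return None

def suspicious_sources(records):
    """Summarise records with a 0.0.0.0/8 source, keyed by (vlan, src_mac)."""
    found = defaultdict(lambda: {"count": 0, "dsts": set(), "ports": set()})
    for row in csv.DictReader(io.StringIO(records)):
        if ipaddress.ip_address(row["src_ip"]) not in THIS_NETWORK:
            continue
        entry = found[(int(row["vlan"]), normalize_mac(row["src_mac"]))]
        entry["count"] += 1
        entry["dsts"].add(row["dst_ip"])
        entry["ports"].add(int(row["src_port"]))
        entry["hsrp_group"] = hsrp_group(row["src_mac"])
    return dict(found)

if __name__ == "__main__":
    for (vlan, mac), info in suspicious_sources(SAMPLE).items():
        print(vlan, mac, info)
```

The VLAN and HSRP group in each result tell you which routed interface to start from when running the ARP and MAC-table lookups suggested above.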
