traffic from on HSRP virtual interface mac-address

Unanswered Question
Jan 25th, 2009
User Badges:

We have two 6509 switches running HSRP.

We have everything seperated into it's own VLAN:

router interfaces,

PC workstations,



There are a total of about 40 VLANs created for everything.

We have MARS set up and it is picking up traffic originating from ip address port 137 but using the workstation HSRP interface mac address.

The destination of the traffic is to different workstations (no pattern).

So it is is as if the HSRP virtual interface is sourcing traffic to different workstations, but using the ip address of

One of the other network guys thinks it is a cisco bug, but if this were the case,

why wouldn't we see this on all of the HSRP interfaces?

Also, would a cisco bug source traffic on a netbios port?

Has anyone ever seen anything like this?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
chuckwirth Mon, 01/26/2009 - 10:42
User Badges:

If the frame came from another VLAN or the WAN (layer 3 routed), the source mac-address would be rewritten with the mac-address of the router.

On the routers:

#show ip arp

That should give you the real ip-mac address


# show mac- | i "mac-address"

to see what port it's coming from. Depending on your network, that should allow you to trace it down.

You also might want to try writing an access-list for the address and applying it to different ports to see where the traffic is really coming from.

I've read that that IP address is used by some PnP web cameras so you might want to look into that.

Try disabling IP proxy arp.

wilson_1234_2 Mon, 01/26/2009 - 17:55
User Badges:

What is your thought about proxy-arp?

What proxy-arp scenario could be causing this?

chuckwirth Tue, 01/27/2009 - 08:09
User Badges:

I suggested proxy-arp since it may be a spoofing attack, but I would try the other stuff first and try to track down the real source of the traffic. From what you have said I don't believe that it is coming from the HSRP routers, but from somewhere else.


This Discussion