
traffic from 0.1.0.4 on HSRP virtual interface mac-address

wilson_1234_2
Level 3

We have two 6509 switches running HSRP.

We have everything separated into its own VLAN:

router interfaces,

PC workstations,

servers,

printers

There are a total of about 40 VLANs created for everything.

We have MARS set up and it is picking up traffic originating from ip address 0.1.0.4 port 137 but using the workstation HSRP interface mac address.

The destination of the traffic is to different workstations (no pattern).

So it is as if the HSRP virtual interface is sourcing traffic to different workstations, but using the IP address of 0.1.0.4.

One of the other network guys thinks it is a Cisco bug, but if this were the case, why wouldn't we see this on all of the HSRP interfaces?

Also, would a Cisco bug source traffic on a NetBIOS port?

Has anyone ever seen anything like this?

3 Replies

chuckwirth
Level 1

If the frame came from another VLAN or the WAN (layer 3 routed), the source mac-address would be rewritten with the mac-address of the router.

On the routers:

#show ip arp 0.1.0.4

That should give you the real ip-mac address

Then

# show mac- | i "mac-address"

to see what port it's coming from. Depending on your network, that should allow you to trace it down.

You also might want to try writing an access-list for the 0.1.0.4 address and applying it to different ports to see where the traffic is really coming from.

I've read that that IP address is used by some PnP web cameras so you might want to look into that.

Try disabling IP proxy arp.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094adb.shtml

What is your thought about proxy-arp?

What proxy-arp scenario could be causing this?

I suggested proxy-arp since it may be a spoofing attack, but I would try the other stuff first and try to track down the real source of the traffic. From what you have said I don't believe that it is coming from the HSRP routers, but from somewhere else.
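
The MAC-rewrite reasoning from the replies above, as an added example that is not part of the original thread: a Python triage of sensor records that separates 0.0.0.0/8-sourced frames carrying an HSRP virtual MAC (consistent with a routed frame, so the origin is elsewhere) from frames carrying a host MAC. The record layout, function names and sample values are assumptions constructed for illustration; the HSRP prefixes are the well-known v1 and v2 virtual MAC formats.

```python
import ipaddress
import re

# Well-known HSRP virtual MAC layouts: v1 = 0000.0c07.acXX, v2 = 0000.0c9f.fXXX
HSRP_V1 = re.compile(r"^00000c07ac([0-9a-f]{2})$")
HSRP_V2 = re.compile(r"^00000c9ff([0-9a-f]{3})$")
THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")  # not a valid source for routed traffic


def normalize_mac(mac):
    """Accept 0000.0c07.ac0a, 00:00:0c:07:ac:0a or 00-00-0C-07-AC-0A."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def hsrp_group(mac):
    """Return the HSRP group number if mac is an HSRP virtual MAC, else None."""
    digits = normalize_mac(mac)
    m = HSRP_V1.match(digits) or HSRP_V2.match(digits)
    return int(m.group(1), 16) if m else None


def triage(frames):
    """Classify (vlan, src_mac, src_ip, dst_ip) records seen by a sensor (assumed layout)."""
    findings = []
    for vlan, src_mac, src_ip, dst_ip in frames:
        if ipaddress.ip_address(src_ip) not in THIS_NETWORK:
            continue  # only the anomalous 0.x.x.x sources are of interest here
        group = hsrp_group(src_mac)
        if group is not None:
            verdict = f"routed: source MAC is HSRP group {group}'s virtual MAC, look upstream of the gateway"
        else:
            verdict = "local: source MAC is a host MAC, trace it in the MAC address table"
        findings.append((vlan, normalize_mac(src_mac), dst_ip, verdict))
    return findings


# Constructed sample records, not data from the thread.
SAMPLE = [
    (20, "0000.0c07.ac14", "0.1.0.4", "10.20.0.31"),
    (20, "0000.0c07.ac14", "10.30.0.9", "10.20.0.31"),
    (35, "00:1b:21:aa:bb:cc", "0.1.0.4", "10.20.0.77"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

A "local" verdict gives a MAC that can be looked up directly on the switch; a "routed" verdict means the same capture has to be repeated on the ingress side of the gateway.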
