01-06-2011 12:39 PM - edited 03-06-2019 02:51 PM
Hi Guys,
I have the following issue:
Previous config was Cat 6k's running HSRPv1.
PC would ARP for Gateway, MSFC would reply with Virtual-MAC in Layer2 AND in ARP reply.
Now we swapped the Cat 6k's for 7k18's and are running HSRPv2.
From there my PC security software alarms me that I'm under ARP spoofing attack.
Doing a packet capture shows the 7k sends the ARP reply with its BIA at Layer 2 and only has the Virtual-MAC in the ARP reply.
==
IOS ARP reply:
Ethernet Source: All-HSRP-routers_00 (00:00:0c:07:ac:00)
ARP Sender MAC address: All-HSRP-routers_00 (00:00:0c:07:ac:00)
NXOS ARP reply:
Ethernet Source: Cisco_08:c9:c1 (00:26:98:08:c9:c1)
ARP Sender MAC address: Cisco_9f:f0:00 (00:00:0c:9f:f0:00)
==
NXOS 5.1.1a, "use BIA" is not configured.
Any ideas?
Kind Regards,
Ronny
01-10-2011 11:11 AM
Hello Ronny,
This is expected behavior. The only packets which should be sent with the source mac of the virtual mac address are the hello packets from the active router. All of the rest will be sourced from the physical mac address of the interface.
-Matt
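The two captures in the first post and Matt's explanation both come down to one check a host-based ARP-spoofing detector performs: does the Ethernet source MAC of an ARP reply match the sender hardware address inside the ARP payload? The script below is an added example, not code from the thread or from Cisco. It builds constructed Ethernet/ARP reply frames using the two MAC pairs shown in the post (the IP addresses and the host MAC are constructed placeholders), parses them, and classifies a mismatch as "hsrp-virtual-mac" when the ARP sender address falls in the documented HSRP virtual MAC ranges (HSRPv1 `00:00:0c:07:ac:xx`, HSRPv2 `00:00:0c:9f:fx:xx`), so a detector can allow-list the NX-OS behaviour explicitly instead of treating every mismatch as an attack. The allow-list is only a heuristic for reducing false positives; a trusted IP-to-MAC binding (e.g. Dynamic ARP Inspection on the switch) remains the actual control.

```python
"""Classify ARP replies whose Ethernet source MAC differs from the ARP sender
hardware address, the pattern the thread's NX-OS capture shows.
Added example, not part of the original thread; all frames are constructed."""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_to_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def is_hsrp_virtual_mac(mac: bytes) -> bool:
    """True for the documented HSRP virtual MAC ranges:
    HSRPv1 00:00:0c:07:ac:xx and HSRPv2 00:00:0c:9f:fx:xx."""
    if mac[:5] == bytes.fromhex("00000c07ac"):
        return True
    return mac[:4] == bytes.fromhex("00000c9f") and (mac[4] & 0xF0) == 0xF0


def build_arp_reply(eth_src: str, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Construct an Ethernet II frame carrying an ARP reply (sample data only)."""
    eth = (bytes.fromhex(tha.replace(":", ""))       # destination = the asking host
           + bytes.fromhex(eth_src.replace(":", ""))  # L2 source, may differ from SHA
           + struct.pack("!H", ETHERTYPE_ARP))
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)  # Ethernet/IPv4, reply
    arp += bytes.fromhex(sha.replace(":", "")) + bytes(int(o) for o in spa.split("."))
    arp += bytes.fromhex(tha.replace(":", "")) + bytes(int(o) for o in tpa.split("."))
    return eth + arp


def classify_arp_reply(frame: bytes) -> dict:
    """Parse the frame and decide whether an L2/ARP sender mismatch is explainable."""
    eth_src = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    sha = frame[22:28]
    result = {
        "eth_src": mac_to_str(eth_src),
        "arp_sender_mac": mac_to_str(sha),
        "arp_sender_ip": ".".join(str(b) for b in frame[28:32]),
        "is_reply": oper == ARP_REPLY,
        "l2_arp_mismatch": eth_src != sha,
    }
    if not result["l2_arp_mismatch"]:
        result["verdict"] = "consistent"          # the IOS/HSRPv1 case in the thread
    elif is_hsrp_virtual_mac(sha):
        # The NX-OS case: physical MAC at L2, virtual MAC in the ARP payload.
        # Heuristic only: a forged reply can carry a virtual MAC as well, so a
        # trusted binding table (DAI) is what actually proves the reply is genuine.
        result["verdict"] = "hsrp-virtual-mac"
    else:
        result["verdict"] = "suspicious"
    return result


# Constructed samples. MACs for the first two are the pairs from the capture in
# the post; the gateway/host IPs and the host MAC are placeholders.
HOST_MAC, HOST_IP, GW_IP = "02:00:00:00:00:0a", "192.0.2.10", "192.0.2.1"
IOS_REPLY = build_arp_reply("00:00:0c:07:ac:00", "00:00:0c:07:ac:00", GW_IP, HOST_MAC, HOST_IP)
NXOS_REPLY = build_arp_reply("00:26:98:08:c9:c1", "00:00:0c:9f:f0:00", GW_IP, HOST_MAC, HOST_IP)
# A mismatch whose sender MAC is in no HSRP range: this one should still alarm.
ODD_REPLY = build_arp_reply("02:00:00:00:00:99", "02:00:00:00:00:98", GW_IP, HOST_MAC, HOST_IP)


def classify_samples() -> dict:
    return {name: classify_arp_reply(f)["verdict"]
            for name, f in (("ios", IOS_REPLY), ("nxos", NXOS_REPLY), ("odd", ODD_REPLY))}


if __name__ == "__main__":
    for name, frame in (("ios", IOS_REPLY), ("nxos", NXOS_REPLY), ("odd", ODD_REPLY)):
        print(name, classify_arp_reply(frame))
```

Running it prints one line per sample: the IOS-style frame is "consistent", the NX-OS-style frame is "hsrp-virtual-mac", and the constructed frame with an unexplained mismatch is "suspicious". A detector that only compares the two MACs, as the poster's security software apparently does, would alarm on the second case as well.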
01-11-2011 12:01 AM
Hi Matthew,
Thanks for your response.
So basically if I understand you correctly this is by design that the 7k sends spoofed packets?
In our case we can't protect the clients against ARP spoofing with our security setup because of this "feature".
I'd really like to see the "old" IOS behavior return, so we can protect our environment against ARP spoofing again, any idea on what's next, TAC Case + RFC?