N7k sends ARP reply with BIA on Layer2 instead of Virtual MAC running HSRPv2

rhgtyink
Level 1

Hi Guys,

I have the following issue:

Previous config was Cat 6k's running HSRPv1.

PC would ARP for Gateway, MSFC would reply with Virtual-MAC in Layer2 AND in ARP reply.

Now we swapped the Cat 6k's for 7k18's and are running HSRPv2.

From there my PC security software alarms me that I'm under ARP spoofing attack.

Doing a packet capture shows the 7k sends the ARP reply with its BIA at Layer 2 and only has the Virtual-MAC in the ARP reply.

==

IOS ARP reply:

Ethernet Source: All-HSRP-routers_00 (00:00:0c:07:ac:00)

ARP Sender MAC address: All-HSRP-routers_00 (00:00:0c:07:ac:00)


NXOS ARP reply:

Ethernet Source: Cisco_08:c9:c1 (00:26:98:08:c9:c1)

ARP Sender MAC address: Cisco_9f:f0:00 (00:00:0c:9f:f0:00)

==

NXOS 5.1.1a, "use BIA" is not configured.

Any ideas?

Kind Regards,

Ronny

2 Replies

Matthew Blanshard
Cisco Employee

Hello Ronny,

This is expected behavior.  The only packets which should be sent with the source mac of the virtual mac address are the hello packets from the active router.  All of the rest will be sourced from the physical mac address of the interface.

-Matt

Hi Matthew,

Thanks for your response.

So basically if I understand you correctly this is by design that the 7k sends spoofed packets?

In our case we can't protect the clients against ARP spoofing with our security setup because of this "feature".

I'd really like to see the "old" IOS behavior return, so we can protect our environment against ARP spoofing again, any idea on what's next, TAC Case + RFC?
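The mismatch Ronny captured (BIA as the Ethernet source, HSRP virtual MAC as the ARP sender address) is exactly what a naive "Ethernet source must equal ARP sender" check flags as spoofing. The following added example, not code from the thread or from Cisco, parses raw ARP reply frames and separates that HSRP case from an unexplained mismatch, using the well-known HSRPv1 (00:00:0c:07:ac:xx) and HSRPv2 (00:00:0c:9f:fx:xx) virtual-MAC ranges; the IP addresses and the PC MAC are constructed sample values.

```python
import struct

# Well-known HSRP virtual-MAC ranges: v1 00:00:0c:07:ac:xx, v2 00:00:0c:9f:f0:00-ff:ff
HSRP_V1_PREFIX = bytes.fromhex("00000c07ac")
HSRP_V2_PREFIX = bytes.fromhex("00000c9f")

# MACs taken from the capture in the thread; IPs and the PC MAC are constructed
IOS_VMAC = bytes.fromhex("00000c07ac00")
NXOS_BIA = bytes.fromhex("00269808c9c1")
NXOS_VMAC = bytes.fromhex("00000c9ff000")
PC_MAC = bytes.fromhex("001122334455")
GW_IP = bytes([192, 0, 2, 1])
PC_IP = bytes([192, 0, 2, 10])


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def is_hsrp_vmac(mac: bytes) -> bool:
    """True if mac falls in the HSRPv1 or HSRPv2 virtual-MAC range."""
    if mac[:5] == HSRP_V1_PREFIX:
        return True
    return mac[:4] == HSRP_V2_PREFIX and (mac[4] & 0xF0) == 0xF0


def build_arp_reply(eth_src, sha, spa, tha, tpa) -> bytes:
    """Ethernet II header (dst, src, 0x0806) followed by a 28-byte ARP reply."""
    eth = tha + eth_src + b"\x08\x06"
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 2, sha, spa, tha, tpa)
    return eth + arp


def classify_arp_reply(frame: bytes) -> dict:
    """Compare the L2 source with the ARP sender hardware address."""
    eth_src = frame[6:12]
    if frame[12:14] != b"\x08\x06":
        raise ValueError("not an ARP frame")
    _, _, _, _, oper, sha, _, _, _ = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if oper != 2:
        raise ValueError("not an ARP reply")
    if sha == eth_src:
        verdict = "consistent"            # the IOS/HSRPv1 behaviour in the thread
    elif is_hsrp_vmac(sha):
        verdict = "hsrp-vmac-in-arp-only"  # the NX-OS behaviour in the thread
    else:
        verdict = "suspect"               # mismatch with no HSRP explanation
    return {"eth_src": mac_str(eth_src), "arp_sha": mac_str(sha), "verdict": verdict}


IOS_REPLY = build_arp_reply(IOS_VMAC, IOS_VMAC, GW_IP, PC_MAC, PC_IP)
NXOS_REPLY = build_arp_reply(NXOS_BIA, NXOS_VMAC, GW_IP, PC_MAC, PC_IP)
```

A host-side ARP inspector that only compares the two addresses will alarm on every NX-OS gateway reply; allowlisting the HSRP virtual-MAC ranges for the known gateway IP keeps the check useful without silencing it entirely.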
