Multi-MAC Address to One IP Attack?

jfraasch
Level 3

I had posted something earlier but have more information.

Earlier I asked if you could have multiple IP addresses mapped to the same MAC-Address in the ARP table.


Based on wire captures I have found that it is no problem for the WGB1310 or for the Cisco 6500 to have this. However, I am hearing that there is a special security feature in the WiSM or WLC that sees this as an attempted ATTACK on the network.  I would see a ping come through the 6500, over the wireless network and hit my virtual IP address and I would see the virtual IP address respond.  However, the response did not make it back to the sending PC because of this issue.


And so now my application fails.


Does anyone know of this feature or if I can disable it on the WiSM?  This is crushing my deployment.

7 Replies

Nicolas Darchis
Cisco Employee

Is the PC having multiple MACs for one IP a wireless client ? or a random PC on the wired network ?

Nicolas

Sorry, my post wasn't clear.

A server connected to a switch that is connected to a 1310 in WGB mode has a real and a virtual IP address that share the same MAC address.

The WLC sees this as an attack I believe.


James

It's not really a "feature" or "sees this as an attack".

The WLC works on a state machine that prevents multiple MAC addresses behind one IP address. Before passing any client traffic, it has to learn the client IP through ARP or DHCP, and the MAC-IP binding has to be unique.

There is no way around this. IOS APs didn't behave like this, but WLCs have had this design since day 1 and it's impossible to change (you're not the first one to ask).

Not the answer I wanted to hear, but the answer nonetheless.

The only way around this is either to change to a router instead of a bridge where my client is plugged in (which will cost too much money) or to reprogram the virtual IP address to have a virtual MAC address as well.

Is there any other way you know of to get around this?  Wow, I can't tell you what a blocking issue this is going to be.


Thanks though.


James

Nicolas

If I had a layer 3 switch behind the radio, wouldn't I just be able to set up a VLAN and route it through the WGB?

I'd just have to have a subinterface on the WLC that corresponds to the IP address/VLAN of the mobile router (behind the WGB).

Correct. For the WLC, the only client would be the layer 3 interface behind the WGB and all traffic behind, being routed, that's the only mac/ip the WLC will ever see.

Regards,

Nicolas

Ok, an update on this.

I have a layer 3 switch on every train.


I am thinking I can just keep the 1310 in WGB mode near my end user and keep the other 1310 in AP mode for the link back to the WiSM, plug the Ethernet interface of my WGB into the layer 3 switch, and then on the other side of the switch I will have a /28 network.

On the WLC/WiSM I would then create a static route for each /28 to the external interface (by which I mean the interface on the same subnet as the WLC) of the layer 3 switch.

I think I would also have to create a static route on the 6500 for these networks as well since it needs to know that they exist on the other side of the WiSM.


Make sense?

Can't wait to test it out.
James
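The Python model below is an added illustration, not code from this thread or from Cisco. It walks through the one-to-one MAC/IP binding Nicolas describes and shows why putting a layer 3 switch behind the WGB sidesteps it: the WLC then only ever learns the switch's uplink MAC and IP, and the /28 behind it is routed rather than bridged. The model assumes the behaviour stated in the thread (the first MAC-IP binding learned wins and frames that conflict with it are not forwarded) and treats it as a simplification of the real client state machine; all MAC and IP addresses are constructed. The `ips_per_mac` helper is the check you would run over your own wire capture to find the condition before deploying behind a WLC.

```python
"""Model of the WLC client MAC/IP binding rule discussed in this thread.

Added example, not Cisco code. Assumptions: the WLC learns one IP per client
MAC (from ARP or DHCP), requires the MAC<->IP binding to be unique in both
directions, and forwards only traffic that matches a learned binding.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Frame:
    """Simplified wireless-side frame: the source MAC the WLC sees and the IP it carries."""
    src_mac: str
    src_ip: str


@dataclass
class WlcBindingTable:
    """First (mac, ip) binding wins; any later conflicting binding is rejected."""
    mac_to_ip: dict = field(default_factory=dict)
    ip_to_mac: dict = field(default_factory=dict)

    def learn(self, frame: Frame) -> bool:
        mac, ip = frame.src_mac.lower(), frame.src_ip
        if self.mac_to_ip.get(mac) == ip and self.ip_to_mac.get(ip) == mac:
            return True                    # already bound, nothing to do
        if mac in self.mac_to_ip or ip in self.ip_to_mac:
            return False                   # conflicts with an existing binding
        self.mac_to_ip[mac] = ip
        self.ip_to_mac[ip] = mac
        return True

    def forward(self, frames):
        """Return (forwarded, dropped); dropped is the traffic the WLC would not pass."""
        forwarded, dropped = [], []
        for f in frames:
            (forwarded if self.learn(f) else dropped).append(f)
        return forwarded, dropped


def ips_per_mac(frames):
    """Report MACs seen with more than one IP, the condition that trips the WLC."""
    seen = defaultdict(set)
    for f in frames:
        seen[f.src_mac.lower()].add(f.src_ip)
    return {mac: sorted(ips) for mac, ips in seen.items() if len(ips) > 1}


# Constructed sample: a server behind the WGB with a real IP and a virtual IP
# on the same NIC (the setup described in the thread). Addresses are illustrative.
SERVER_MAC = "00:11:22:33:44:55"
BRIDGED_FRAMES = [
    Frame(SERVER_MAC, "192.0.2.10"),   # real IP, learned first
    Frame(SERVER_MAC, "192.0.2.11"),   # virtual IP, same MAC: rejected
    Frame(SERVER_MAC, "192.0.2.10"),
]

# Same server behind a layer 3 switch: the WLC only sees the switch's uplink
# MAC and IP, so there is exactly one binding and nothing conflicts.
SWITCH_MAC = "00:aa:bb:cc:dd:ee"
ROUTED_FRAMES = [Frame(SWITCH_MAC, "192.0.2.20")] * 3


def bridged_result():
    return WlcBindingTable().forward(BRIDGED_FRAMES)


def routed_result():
    return WlcBindingTable().forward(ROUTED_FRAMES)


if __name__ == "__main__":
    print("MACs with multiple IPs:", ips_per_mac(BRIDGED_FRAMES))
    fwd, drop = bridged_result()
    print(f"bridged: {len(fwd)} forwarded, {len(drop)} dropped ->", [d.src_ip for d in drop])
    fwd, drop = routed_result()
    print(f"routed:  {len(fwd)} forwarded, {len(drop)} dropped")
```

In the bridged case the virtual IP's replies are the ones that never come back, which matches what the wire captures in the thread showed; in the routed case every frame carries the same MAC/IP pair and all of it passes.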
