Date: Thu, 18 Jul 2002 15:15:53 -0500
From: Chris Boyd <CBoyd@apogeetelecom.com>
To: 'Chris Knipe' <savage@savage.za.org>, Jim Laurenson <j.laurenson@epicmail.ca>, Craig Miller <craig@millerfam.net>, freebsd-security <freebsd-security@freebsd.org>
Subject: RE: wierdness in my security report
Message-ID: <5A1E91591378D243B6B6C5425F2B2B3E1DE9B3@apexch.apogeetelecom.com>

Hm. I thought that HSRP cloned the MAC as well, so as not to break all those
retro source route bridged protocols. Time to go hit the books for me....

> -----Original Message-----
> From: Chris Knipe [SMTP:savage@savage.za.org]
> Sent: Thursday, July 18, 2002 1:10 PM
> To: Jim Laurenson; Craig Miller; freebsd-security
> Subject: Re: wierdness in my security report
>
> If it is Cisco, it's more than likely HSRP (Host Standby Router Protocol).
>
> It happens where two different routers are configured in a redundancy
> scenario with a "virtual" IP. What will happen, is that x.x.x.1 is a
> virtual IP, while x.x.x.2 and x.x.x.3 are assigned to the Ethernet ports.
>
> Router 1 which is x.x.x.2 will have the virtual IP of x.x.x.1 on .2's MAC
> address, however, when the router goes down, Router 2 reclaims the virtual
> IP .1, on the MAC address of .3
>
> Therefore, the MAC address changes, and to my understanding that is what
> causes the message to be displayed. I can however, be wrong and the
> change or "switching" of one IP to another MAC address may have nothing to
> do with the cause of the log message.
>
> --
> me
>
>
>
> ----- Original Message -----
> From: Jim Laurenson <mailto:j.laurenson@epicmail.ca>
> To: Craig Miller <mailto:craig@millerfam.net> ; freebsd-security <mailto:freebsd-security@freebsd.org>
> Sent: Thursday, July 18, 2002 7:53 PM
> Subject: RE: wierdness in my security report
>
> I have found the same logs on one of my older builds (4.3 I think).
> The offending MAC address was found to be a Cisco router on my ISP's
> network. I found no solution for it though.
>
> Jim Laurenson
>
> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG <mailto:owner-freebsd-security@FreeBSD.ORG>
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Craig Miller
> Sent: July 18, 2002 11:47 AM
> To: freebsd-security
> Subject: wierdness in my security report
>
>
> Anyone have any ideas as to what might be causing the
> following to appear in my security report?
>
> arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
>
> Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
>
> arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
>
> Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
>
> I thought those : delimited fields would be MAC addresses,
> but they don't match the MAC addresses of either of the two cards in my
> free-bsd box. I have not checked the MAC addresses of the other network
> cards on my network.
>
> Also, where does the "server /kernel" name come from?
> "kernel" is not the name I gave my kernel, so I am suspicious.
>
> Thanks,
>
> --Craig
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
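
An added example, not part of the original messages: one way to triage "arp: ... moved from ... to ..." kernel lines like the ones quoted above, grouping them per IP and interface and checking whether the same two MACs alternate and share a vendor prefix (the first three octets). The function names are hypothetical, and the sample log is constructed from the two lines in the thread plus one made-up line for 192.0.2.1.

```python
import re
from collections import defaultdict

# Constructed sample: the two kernel lines quoted in the thread, plus one
# made-up line (192.0.2.1) where the new MAC has a different vendor prefix.
SAMPLE_LOG = """\
Jul 17 05:47:56 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:54 to 00:b0:64:b7:6f:a8 on dc0
Jul 17 05:47:57 server /kernel: arp: 12.236.220.1 moved from 00:b0:64:b7:6f:a8 to 00:b0:64:b7:6f:54 on dc0
Jul 17 06:02:10 server /kernel: arp: 192.0.2.1 moved from 00:b0:64:b7:6f:54 to 02:00:5e:10:00:01 on dc0
"""

MAC = r"(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2}"
MOVED = re.compile(
    rf"arp: (?P<ip>\d+\.\d+\.\d+\.\d+) moved from (?P<old>{MAC}) "
    rf"to (?P<new>{MAC}) on (?P<ifc>\S+)",
    re.IGNORECASE,
)


def normalize(mac):
    """Lower-case and zero-pad each octet so 0:B0:64... equals 00:b0:64..."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))


def summarize(log_text):
    """Return {(ip, interface): summary} for every 'moved' line found."""
    moves = defaultdict(list)
    for line in log_text.splitlines():
        m = MOVED.search(line)
        if m:
            pair = (normalize(m["old"]), normalize(m["new"]))
            moves[(m["ip"], m["ifc"])].append(pair)

    report = {}
    for key, pairs in moves.items():
        macs = {mac for pair in pairs for mac in pair}
        report[key] = {
            "macs": sorted(macs),
            "moves": len(pairs),
            # True when some A->B move is later (or earlier) undone by B->A.
            "flapping": any((new, old) in pairs for old, new in pairs),
            # First three octets (8 characters once padded) are the vendor prefix.
            "same_vendor_prefix": len({mac[:8] for mac in macs}) == 1,
        }
    return report


if __name__ == "__main__":
    for (ip, ifc), info in summarize(SAMPLE_LOG).items():
        print(ip, ifc, info)
```

Two MACs with the same prefix trading one IP back and forth fits the redundant-router explanation given in the thread; a one-way move to an unrelated prefix does not, and is the case to check against the device that actually owns the address.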