ericbrouwers wrote:
>
> snip
> I've seen instances in the field that ARP caches contained the real
> MAC instead of the virtual MAC address when using HSRP.

One more comment on seeing the router's real MAC address. It might interest you to know that, at least on my routers, the ARP reply from the router, after a host tries to find its default gateway (the virtual router), does actually come from the router's real MAC address at the data-link layer. At the ARP layer, the virtual router puts the virtual MAC address in the ARP reply, but at the Ethernet layer it puts its real address. This could cause the real MAC address to end up in the ARP cache, at least temporarily.

In the following example 00:00:0C:05:3E:80 is the router's real MAC address. Note that the router uses it as the source address. However, the ARP payload of the frame shows the virtual MAC address, 00:00:0C:07:AC:00. 10.10.0.3 is the virtual IP. It was PC 00:00:0E:D5:C7:E7 (10.10.0.10) who sent the ARP looking for the default gateway that resulted in this ARP reply:

  Ethernet Header
    Destination:               00:00:0E:D5:C7:E7
    Source:                    00:00:0C:05:3E:80
    Protocol Type:             0x0806 IP ARP
  ARP - Address Resolution Protocol
    Hardware:                  1 Ethernet (10Mb)
    Protocol:                  0x0800 IP
    Hardware Address Length:   6
    Protocol Address Length:   4
    Operation:                 2 ARP Response
    Sender Hardware Address:   00:00:0C:07:AC:00
    Sender Internet Address:   10.10.0.3
    Target Hardware Address:   00:00:0E:D5:C7:E7
    Target Internet Address:   10.10.0.10

Isn't that weird? The PC does the right thing though and sends the actual packet (after the ARP) to 00:00:0C:07:AC:00. A reply comes back through the router and the router uses the virtual MAC address 00:00:0C:07:AC:00 in the source Ethernet address of that reply. Good thing. Otherwise switches wouldn't ever pick up the port to use for 00:00:0C:07:AC:00.

HSRP is much more complicated than the simple descriptions make it sound! Do some sniffing of it to see how it really works (and how easy it is to hack, by the way.)

_______________________________
Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com

>
> Can someone give comments on this?
>
> Thanks,
>
> Eric Brouwers
> [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=65710&t=65633
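
An added example, not part of the original post: a passive ARP check that compares the Ethernet source with the ARP sender hardware address, and accepts the mismatch seen in the decode above only when it fits a known HSRP group. The `GATEWAYS` inventory and all function names are assumptions for illustration; the frame is rebuilt in memory from the decoded fields in the post.

```python
import struct

# Assumed inventory: virtual IP -> (virtual MAC, real MACs of the routers in the group).
# The single entry uses the addresses from the decode in the post.
GATEWAYS = {"10.10.0.3": ("00:00:0c:07:ac:00", {"00:00:0c:05:3e:80"})}

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))

def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))

def build_arp_reply(eth_src, eth_dst, sha, spa, tha, tpa):
    """Build an Ethernet II frame carrying an ARP reply (in memory only, as test input)."""
    return (struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(eth_src), 0x0806)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
            + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))

def parse_arp(frame):
    """Return Ethernet source and ARP sender fields, or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    _dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if etype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa = struct.unpack("!6s4s", frame[22:32])
    return {"op": op, "eth_src": mac_str(src), "sha": mac_str(sha),
            "spa": ".".join(str(x) for x in spa)}

def classify(frame):
    """Compare the Ethernet source with the ARP sender address, allowing the HSRP case."""
    f = parse_arp(frame)
    if f is None:
        return "not-arp"
    if f["spa"] in GATEWAYS:
        vmac, real_macs = GATEWAYS[f["spa"]]
        # The virtual IP must be advertised with the virtual MAC, from a known router.
        if f["sha"] == vmac and f["eth_src"] in real_macs | {vmac}:
            return "expected-hsrp"
        return "gateway-mismatch"
    return "consistent" if f["eth_src"] == f["sha"] else "header-mismatch"

# The ARP reply from the post, rebuilt from its decoded fields.
POST_FRAME = build_arp_reply("00:00:0c:05:3e:80", "00:00:0e:d5:c7:e7", "00:00:0c:07:ac:00",
                             "10.10.0.3", "00:00:0e:d5:c7:e7", "10.10.0.10")
```

`classify(POST_FRAME)` returns `"expected-hsrp"`; the same ARP payload arriving from an Ethernet source that is not in the inventory returns `"gateway-mismatch"`.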

