[c-nsp] VLAN behavior behind FWSM

John Neiberger John.Neiberger at efirstbank.com
Wed Jul 20 15:55:00 EDT 2005


Routed mode, no contexts. We're a few minutes away from doing some more
testing. We're going to try to recreate the behavior and then we'll
check the ARP cache on one of the machines to prove whether or not the
FWSM is answering ARP requests for other devices on the LAN.

Thanks,
John
--

>>> Greg Schwimer <gschwimer at godaddy.com> 7/20/05 1:29:32 PM >>>
Are you running transparent or routed mode on the FWSM?  Any contexts?

John Neiberger wrote:

>Can you elaborate a bit more about the problem you've seen that is
>similar to this?
>
>Our problem is getting even stranger. The FWSM *is* getting involved,
>but I am at a loss to explain why or even how.
>
>Imagine two VLANs configured on the FWSM, Alpha and Beta. We have users
>in Alpha trying to talk to other users in Alpha. The FWSM is seeing some
>of this traffic but it is showing up in the log because the traffic is
>being denied. The really strange thing is that the FWSM thinks the
>traffic is going from VLAN Alpha to VLAN Beta!
>
>So, to further elaborate, let's say that we have two devices in VLAN
>Alpha with IP addresses 10.1.1.1 and 10.1.1.2. VLAN Alpha has an incoming
>access list applied. The FWSM logs show entries similar to this:
>
>Jul 20 2005 10:54:27: %FWSM-4-106100: access-list ALPHA-IN denied tcp
>ALPHA/10.1.1.1(3178) -> BETA/10.1.1.2(29479) hit-cnt 3 (300-second
>interval)
>
>VLAN Beta has an entirely different range of addresses, let's say
>10.2.2.0/24. There is no config on the FWSM that would make the FWSM
>think that 10.1.1.0 is in any way related to VLAN Beta. Yet, for some
>reason, the FWSM is seeing this traffic and dropping it. I can think of
>no way that the FWSM could even be seeing this traffic. My only guess is
>that perhaps, for example, 10.1.1.1 sends an ARP request for 10.1.1.2
>and the FWSM answers with its own MAC address. Then, when 10.1.1.1 sends
>a TCP SYN to 10.1.1.2, the FWSM thinks that 10.1.1.2 resides on a
>different VLAN and drops the traffic because it isn't explicitly allowed
>in the ALPHA-IN access list. Very weird.
>
>Any thoughts?
>
>Thanks,
>John
>--
>
>
>>>>Kenny Long <long.kenny at gmail.com> 7/19/05 5:39:43 PM >>>
>
>You could assume the FWSM is completely out of the loop but then you
>would eliminate finding the problem that I have occasionally seen
>cause the symptoms you describe.
>If the FWSM is doing the alias command, I would double check this
>page, and verify your configs
>http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml#topic1
>
>Please make sure the FWSM is not trying to "own" any of these
>problematic IP addresses, by responding to ARP requests with its own
>Mac address.
>
>Kenny
>
>
>On 7/19/05, Simon Hamilton-Wilkes <simon at jettis.com> wrote:
>
>>Yes the FWSM is completely out of the loop, as any other gateway device
>>would be.
>>
>>Simon
>>
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp 
archive at http://puck.nether.net/pipermail/cisco-nsp/
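The check John says he is about to run, looking at a host's ARP cache to see whether the firewall's MAC address is being returned for other hosts on the same VLAN, can be mechanised. The script below is an added example and is not from this thread or from Cisco; it parses ARP-cache output as printed by Linux `ip neigh`, `arp -n` or Windows `arp -a` (any line carrying an IPv4 address and a MAC), reports every MAC that claims more than one IP, and, given the firewall's own address on the VLAN (here an assumed 10.1.1.254), lists the hosts whose IP resolves to the firewall's MAC. The sample cache is constructed for illustration; one entry, 10.1.1.2, is deliberately made to share the gateway's MAC so the report has something to show.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample of a host's ARP cache in Linux `ip neigh` format.
# The MACs are made up; 10.1.1.2 is deliberately given the gateway's MAC
# to represent the symptom described in the thread.
SAMPLE_ARP_CACHE = """\
10.1.1.254 dev eth0 lladdr 00:1a:2b:3c:4d:01 REACHABLE
10.1.1.2 dev eth0 lladdr 00:1a:2b:3c:4d:01 STALE
10.1.1.3 dev eth0 lladdr 00:50:56:aa:bb:03 REACHABLE
10.1.1.4 dev eth0 lladdr 00:50:56:aa:bb:04 DELAY
10.1.1.9 dev eth0 FAILED
"""

# Assumed: the FWSM's own address on VLAN Alpha (not stated in the thread).
GATEWAY_IP = "10.1.1.254"

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Six hex pairs separated by ':' (Linux) or '-' (Windows arp -a).
MAC_RE = re.compile(r"\b([0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})\b")


def parse_arp_cache(text):
    """Return {ip: mac} from arp / ip-neigh style output.

    MACs are normalised to lowercase, colon-separated form so Linux and
    Windows output compare equal. Lines without both an IPv4 address and
    a MAC (headers, FAILED/incomplete entries) are skipped.
    """
    entries = {}
    for line in text.splitlines():
        ip_m = IPV4_RE.search(line)
        mac_m = MAC_RE.search(line)
        if not ip_m or not mac_m:
            continue
        entries[ip_m.group(1)] = mac_m.group(1).lower().replace("-", ":")
    return entries


def shared_macs(entries):
    """Return {mac: [ips]} for every MAC that answers for more than one IP.

    On a plain LAN each host has its own MAC, so any MAC owning several
    IPs is either a legitimately multi-homed box or something answering
    ARP on behalf of others (proxy ARP, an alias/static translation, ...).
    """
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        by_mac[mac].append(ip)
    return {
        mac: sorted(ips, key=ipaddress.ip_address)
        for mac, ips in by_mac.items()
        if len(ips) > 1
    }


def find_proxied_hosts(entries, gateway_ip):
    """Return the IPs (other than the gateway itself) resolving to the gateway's MAC.

    An empty list means the firewall is not claiming any neighbour's
    address in this host's cache; a non-empty list is the evidence the
    thread is looking for.
    """
    gw_mac = entries.get(gateway_ip)
    if gw_mac is None:
        return []  # gateway not in cache; nothing can be concluded
    return sorted(
        (ip for ip, mac in entries.items() if mac == gw_mac and ip != gateway_ip),
        key=ipaddress.ip_address,
    )


if __name__ == "__main__":
    cache = parse_arp_cache(SAMPLE_ARP_CACHE)
    for mac, ips in shared_macs(cache).items():
        print(f"{mac} answers for {len(ips)} addresses: {', '.join(ips)}")
    proxied = find_proxied_hosts(cache, GATEWAY_IP)
    if proxied:
        print(f"gateway {GATEWAY_IP} is answering ARP for: {', '.join(proxied)}")
    else:
        print(f"gateway {GATEWAY_IP} owns only its own address in this cache")
```

To use it against a real machine, replace `SAMPLE_ARP_CACHE` with the captured output of `ip neigh`, `arp -n` or `arp -a` from a host in the affected VLAN and set `GATEWAY_IP` to the firewall's interface address on that VLAN. If a neighbour's address shows up in the gateway's list, the firewall (or whatever owns that MAC) answered the ARP request, which is exactly the condition that would make intra-VLAN traffic land on the firewall and be evaluated against the interface access list.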