[c-nsp] Gratuitous arp and Pix

Andrew Yourtchenko ayourtch at gmail.com
Wed Jun 11 07:49:05 EDT 2008


Hi David,

On Mon, Jun 9, 2008 at 5:25 AM, David Coulson <david at davidcoulson.net> wrote:
> I am looking at implementing some IP takeover services on a network behind
> Pixs (I think it's a pair of 535s running 7.2 - I don't control it, but I
> can request config changes). It would appear that Pix does not handle
> gratuitous arp responses in any useful way, which as a security appliance I
> would consider to be reasonable.

This is the behaviour in my lab with one of the interims of 8.0 with
"debug arp" and syslog enabled:

1) the entry for TPA/SPA IP address of GARP is not present in the arp
cache: do nothing.

ciscoasa(config)# arp-in: request at inside from 123.123.123.1
000c.0102.0305 for 123.123.123.1 0000.0000.0000


2) the entry for the TPA/SPA IP address of GARP is one of the interface
addresses (123.123.123.123 in this case):

%ASA-4-405001: Received ARP request collision from
123.123.123.123/000c.0102.0305 on interface inside
arp-in: request at inside from 123.123.123.123 000c.0102.0305 for
123.123.123.123 0000.0000.0000
arp-send: arp request built from 123.123.123.123 001b.d594.e4c6 for
123.123.123.123 at 741830
arp-defense: Sent gratuitous arp in response to arp collision on
interface inside

3) the entry for the TPA/SPA already exists and is a different mac
address - yell in a syslog, but update the arp cache:

ciscoasa(config)# sh arp
        inside 123.123.123.1 0060.6e20.0ae6 3
%ASA-7-111009: User 'enable_15' executed cmd: show arp
ciscoasa(config)# %ASA-4-405001: Received ARP request collision from
123.123.123.1/000c.0102.0305 on interface inside
arp-in: request at inside from 123.123.123.1 000c.0102.0305 for
123.123.123.1 0000.0000.0000
arp-in: collision request received at inside from
123.123.123.1/000c.0102.0305 for 123.123.123.1 0000.0000.0000
arp-in: updating gratuitous ARP 123.123.123.1 - 000c.0102.0305
arp-set: added arp inside 123.123.123.1 000c.0102.0305 and updating
NPs at 934820

ciscoasa(config)# sh arp
        inside 123.123.123.1 000c.0102.0305 5
%ASA-7-111009: User 'enable_15' executed cmd: show arp
ciscoasa(config)#

it looks like your IP takeover scenario should be precisely the same
as (3) above?

thanks,
andrew
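Added example, not part of the thread and not Cisco's code: a small
Python script that builds the gratuitous ARP frame the debug lines
above describe (request, SPA == TPA, THA all zeros), parses it back
into the same notation the ASA prints, and models the three observed
outcomes as a lookup against an ARP cache and a set of interface
addresses. The three cases are taken from Andrew's output; the
"refresh" outcome for a GARP whose MAC already matches the cache is an
assumption, since the thread shows no output for it. The addresses
and MACs are the ones from the debug output, used as constructed input.

```python
import struct

ETH_P_ARP = 0x0806
ARPOP_REQUEST = 1
ARPOP_REPLY = 2
BROADCAST = "ffff.ffff.ffff"
ZERO_MAC = "0000.0000.0000"


def mac_bytes(mac: str) -> bytes:
    """Accept Cisco 000c.0102.0305 as well as 00:0c:01:02:03:05 notation."""
    return bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))


def cisco_mac(b: bytes) -> str:
    """Render 6 bytes the way 'debug arp' prints them: xxxx.xxxx.xxxx."""
    h = b.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_garp(sender_mac: str, ip: str, opcode: int = ARPOP_REQUEST) -> bytes:
    """Ethernet II + ARP, gratuitous: sender and target protocol address are
    the same IP. The request form carries a zero target MAC, which is what
    shows up as '... for 123.123.123.1 0000.0000.0000' in the ASA debug.
    (Padding to the 60-byte Ethernet minimum is left to the NIC/driver.)"""
    tha = ZERO_MAC if opcode == ARPOP_REQUEST else sender_mac
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)       # htype, ptype, hlen, plen, op
    arp += mac_bytes(sender_mac) + ip_bytes(ip) + mac_bytes(tha) + ip_bytes(ip)
    eth = mac_bytes(BROADCAST) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame into the fields the ASA debug lines show."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol encoding")
    p = frame[22:42]
    return {
        "op": op,
        "sha": cisco_mac(p[0:6]),
        "spa": ".".join(str(b) for b in p[6:10]),
        "tha": cisco_mac(p[10:16]),
        "tpa": ".".join(str(b) for b in p[16:20]),
        "gratuitous": p[6:10] == p[16:20],
    }


def asa_garp_action(arp: dict, arp_cache: dict, interface_ips: set) -> str:
    """Model of the three behaviours in the debug output above (a model
    written for this example, not Cisco code). Mutates arp_cache for case 3.
      case 1: IP unknown to the cache        -> "ignore"
      case 2: IP is one of our interfaces    -> "defend" (keep own entry, send GARP)
      case 3: IP cached with a different MAC -> "update" (syslog 405001, cache rewritten)
    A GARP whose MAC already matches the cache is treated as "refresh";
    that outcome is an assumption, the thread shows no output for it."""
    if not arp["gratuitous"]:
        return "not-gratuitous"
    ip, mac = arp["spa"], arp["sha"]
    if ip in interface_ips:
        return "defend"
    if ip not in arp_cache:
        return "ignore"
    if arp_cache[ip] != mac:
        arp_cache[ip] = mac
        return "update"
    return "refresh"


if __name__ == "__main__":
    # Constructed input mirroring the thread: host 000c.0102.0305 claims 123.123.123.1,
    # the ASA inside interface is 123.123.123.123.
    takeover = parse_arp(build_garp("000c.0102.0305", "123.123.123.1"))
    print("case 1:", asa_garp_action(takeover, {}, {"123.123.123.123"}))
    cache = {"123.123.123.1": "0060.6e20.0ae6"}
    print("case 3:", asa_garp_action(takeover, cache, {"123.123.123.123"}), cache)
    spoof = parse_arp(build_garp("000c.0102.0305", "123.123.123.123"))
    print("case 2:", asa_garp_action(spoof, cache, {"123.123.123.123"}))
```

The point for an IP takeover design is case 3: the ASA only rewrites
an entry it already holds, so the service address must have been
resolved (and still be cached) before the standby host sends its GARP,
or the firewall will fall into case 1 and keep nothing.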

