[c-nsp] Set a L3 routed interface on a 6500 + SUP2 to 'promiscuous' mode?

Rafael Rodriguez Rafael.Rodriguez at msmc.com
Thu May 15 22:57:08 EDT 2008


Thanks for the replies.  Post below is a bit long but easy to read,
please let me know if you guys have any advice.

>What MAC is it sending to? Where does it get the ARP entry from?

Unfortunately this server does not attempt to ARP for the remote
address; proxy-arp would be the solution in that case.

Let me give some more details on what this server does:

The server (just Windows 2003 with software) is a content filter.  It
has two physical interfaces: one interface is the sniffer interface, the
other/regular interface is where you manage the server and where the
server sends its 'block' and TCP RST messages to end users.

The sniffer interface just listens for traffic; it does not TX on this
interface at all.
The sniffer interface is being fed by RSPAN.

The other/regular interface is where everything else happens.  On this
interface, any locally generated traffic from the server works as one would
expect... "Oh, I'm trying to get to a remote network, let me send the packet
with the dst MAC address of my default gateway and let my default gateway
figure out the rest."  The locally generated traffic part works
perfectly.

Now the problem.

When the content filter makes a decision to 'block' someone's web/HTTP
traffic based on traffic it sees on its sniffer interface, the server
sends a 'block' message out the other/regular interface.

The server sets the src IP of the packet to the 'bad' website and sets
the dst IP to that of the offending end user.  The server also sends a
TCP RST to the offending end user.
ALL of that is perfectly fine.

Problem comes down to how the server sends the data-link address part.

The server is using the wrong dst MAC address to send packets destined for
remote subnets.  By wrong dst MAC address I mean NOT the MAC address of
the server's default gateway.
The server uses the src MAC address of the 'offending' traffic from the
sniffer interface as the dst MAC address of the 'block' message.  Why is
this a problem?  Well, the dst MAC address is not the MAC address of the
default gateway router, so the packet just gets dropped in hardware and never
makes it up to L3 for processing.  The information in this
paragraph was confirmed/figured out with the help of Wireshark.

I am looking for a way to have the router interface process all data-link
frames regardless of whether the dst MAC address is that of the router interface.

Thanks for reading, please reply with any info.


Cheers,
RR
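The failure mode Rafael describes above (a 'block' frame carrying the L2 source of the sniffed traffic instead of the gateway's MAC, so the router's ingress port discards it before it ever reaches L3) is easy to confirm from a capture. The following is an added example, not code from the thread or from the content-filter vendor: it parses Ethernet II + IPv4 frames and predicts, for each frame, whether the router would route it, whether it stays on the local segment, or whether it is discarded at L2. All MAC addresses, IP addresses and the local subnet are constructed values for the example.

```python
import struct
import ipaddress

# Constructed values for this example (not from the thread).
GATEWAY_MAC = "00:11:22:33:44:55"        # router interface = server's default gateway
SERVER_MAC = "aa:bb:cc:dd:ee:01"         # content filter's regular (non-sniffer) interface
SNIFFED_SRC_MAC = "de:ad:be:ef:00:99"    # src MAC copied from a frame seen on the RSPAN port
LOCAL_SUBNET = ipaddress.ip_network("192.0.2.0/24")   # server's own subnet (TEST-NET-1)

ETHERTYPE_IPV4 = 0x0800


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_ipv4_frame(dst_mac: str, src_mac: str, src_ip: str, dst_ip: str,
                     payload: bytes = b"") -> bytes:
    """Build a minimal Ethernet II + IPv4 frame (no IP options, checksum left 0).
    Used only to construct sample input for the checker below."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    eth_hdr = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + payload


def parse_frame(frame: bytes) -> dict:
    """Extract L2 addresses and, for IPv4, the L3 addresses from a raw frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    info = {
        "dst_mac": bytes_to_mac(frame[0:6]),
        "src_mac": bytes_to_mac(frame[6:12]),
        "ethertype": struct.unpack("!H", frame[12:14])[0],
    }
    if info["ethertype"] == ETHERTYPE_IPV4:
        if len(frame) < 34 or (frame[14] >> 4) != 4:
            raise ValueError("truncated or non-IPv4 header")
        info["src_ip"] = str(ipaddress.IPv4Address(frame[26:30]))
        info["dst_ip"] = str(ipaddress.IPv4Address(frame[30:34]))
    return info


def classify(frame: bytes, gateway_mac: str = GATEWAY_MAC,
             local_subnet=LOCAL_SUBNET) -> str:
    """Predict what the router's ingress interface does with this frame.
    A routed interface only hands frames addressed to its own MAC up to L3;
    anything else destined off-subnet is discarded in hardware."""
    info = parse_frame(frame)
    if info["ethertype"] != ETHERTYPE_IPV4:
        return "ignored: not IPv4"
    if ipaddress.IPv4Address(info["dst_ip"]) in local_subnet:
        return "local: delivered on the segment, router not involved"
    if info["dst_mac"].lower() == gateway_mac.lower():
        return "routed: dst MAC is the gateway, frame reaches L3"
    return (f"dropped: dst MAC {info['dst_mac']} is not the gateway "
            f"{gateway_mac}; frame is discarded at L2 and never reaches L3")


def audit(frames) -> list:
    """Return (verdict, src_ip -> dst_ip) for every frame in a capture."""
    out = []
    for f in frames:
        info = parse_frame(f)
        out.append((classify(f).split(":")[0], f"{info.get('src_ip')} -> {info.get('dst_ip')}"))
    return out


# Constructed sample capture: one correctly addressed 'block' frame, one that
# reuses the sniffed source MAC (the bug from the thread), one local delivery.
SAMPLE_FRAMES = [
    build_ipv4_frame(GATEWAY_MAC, SERVER_MAC, "198.51.100.10", "203.0.113.25"),
    build_ipv4_frame(SNIFFED_SRC_MAC, SERVER_MAC, "198.51.100.10", "203.0.113.25"),
    build_ipv4_frame(SNIFFED_SRC_MAC, SERVER_MAC, "198.51.100.10", "192.0.2.77"),
]

if __name__ == "__main__":
    for verdict, flow in audit(SAMPLE_FRAMES):
        print(f"{verdict:8s} {flow}")
```

Run against a real capture by replacing SAMPLE_FRAMES with raw frames read from a pcap of the server's regular interface; every off-subnet frame that comes back as "dropped" is one the 6500 will never forward, which is exactly what the Wireshark session in the thread showed.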

-----Original Message-----
From: David Coulson [mailto:blackberry at davidcoulson.net] 
Sent: Thursday, May 15, 2008 19:43
To: Rafael Rodriguez; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Set a L3 routed interface on a 6500 + SUP2 to 'promiscuous' mode?

What MAC is it sending to? Where does it get the ARP entry from?

--
David Coulson <david at davidcoulson.net>
Sent from my BlackBerry

-----Original Message-----
From: "Rafael Rodriguez" <Rafael.Rodriguez at msmc.com>

Date: Thu, 15 May 2008 19:34:25
To:<cisco-nsp at puck.nether.net>
Subject: [c-nsp] Set a L3 routed interface on a 6500 + SUP2 to 'promiscuous' mode?


Hello all,

Here is the issue I am facing:

We have a server that needs to send lots of data to IP addresses not on
its local subnet.  The server will be directly connected to a router interface
via Ethernet.
The server SHOULD set ALL packets with the dst MAC address of the router
(its default gateway) so the packets get delivered to the remote
subnets.
The server DOES NOT do this... grr.

Is there a way to have the router interface process all packets that arrive
on this interface (including packets that don't have the interface MAC
address as their dst MAC address)?

All of these packets are destined for remote networks.  Thanks.

Cheers,
RR
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/