[c-nsp] Set a L3 routed interface on a 6500 + SUP2 to 'promiscuous'mode?

David Prall dcp at dcptech.com
Thu May 15 23:13:28 EDT 2008


The only time I've seen products like this, they had to be on a layer 2
subnet. Typically a hub was placed between the Internet Router or Firewall
Internal Interface, and the switch. Everything just magically happened
there. The software appears to think they are on the same L2 subnet. It is
spoofing both the L3 and L2 address, when it should only be spoofing L3.
What happens when you change the interface it is on to be a switchport in
the same vlan that traffic is being received from, and put the default
gateway address as a secondary.

David

--
http://dcp.dcptech.com
  

> -----Original Message-----
> From: Rafael Rodriguez [mailto:Rafael.Rodriguez at msmc.com] 
> Sent: Thursday, May 15, 2008 10:57 PM
> To: david at davidcoulson.net; Ryan.Otis at WebTrends.com; 
> jmaimon at ttec.com; dcp at dcptech.com; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] Set a L3 routed interface on a 6500 + 
> SUP2 to 'promiscuous'mode?
> 
> Thanks for the replies.  Post below is a bit long but easy to read,
> please let me know if you guys have any advice.
> 
> >What mac is it sending to? Where does it get the arp entry from?
> 
> Unfortunately this server does not attempt to 'arp' for the remote
> address, proxy-arp would be the solution in that case.
> 
> Let me give some more details on what this server does:
> 
> The server (just windows 2003 with software) is a content filter.  It
> has two phy interfaces, one interface is the sniffer interface, the
> other/regular interface is where you manage the server and where the
> server sends its 'block' and tcp rst messages to end users.
> 
> The sniffer interface just listens for traffic, it does not TX on this
> interface at all.
> The sniffer interface is being fed by rspan.
> 
> The other/regular interface is where everything else happens.  On this
> interface, any locally generated traffic from the server works as one would
> expect... Oh, I'm trying to get to a remote network, let me send the packet
> with the dst mac address of my default gateway, let my default gateway
> figure out the rest.  The locally generated traffic part works
> perfectly.
> 
> Now the problem.
> 
> When the content filter makes a decision of 'blocking' someone's web/http
> traffic based on traffic it sees on its sniffer interface, the server
> sends a 'block' message out the other/regular interface.
> 
> The server sets the src IP of the packet to the 'bad' website and sets
> the dst IP to that of the offending end user.  The server also sends a
> tcp rst to offending end user.
> ALL of that is perfectly fine.
> 
> Problem comes down to how the server sends the data-link address part.
> 
> Server is using the wrong dst MAC Address to send packets that reside on
> remote subnets.  By wrong dst MAC Address I mean NOT the MAC Address of
> the server's default gateway.
> The server uses the src MAC Address of the 'offending' traffic from the
> sniffer interface as the dst MAC Address of the 'block' message.  Why is
> this a problem?  Well, the dst MAC Address is not the MAC Address of the
> default gateway router - the packet just gets dropped in hardware, never
> makes it up to L3 for processing.  The information contained in this
> paragraph was confirmed/figured out with the help of wireshark.
> 
> I am looking for a way to have the router interface process all data-link
> packets regardless of whether the dst MAC Address is for the router interface.
> 
> Thanks for reading, please reply with any info.
> 
> 
> Cheers,
>  
> RR
> 
> -----Original Message-----
> From: David Coulson [mailto:blackberry at davidcoulson.net] 
> Sent: Thursday, May 15, 2008 19:43
> To: Rafael Rodriguez; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Set a L3 routed interface on a 6500 + SUP2 to
> 'promiscuous'mode?
> 
> What mac is it sending to? Where does it get the arp entry from?
> 
> --
> David Coulson <david at davidcoulson.net>
> Sent from my BlackBerry
> 
> -----Original Message-----
> From: "Rafael Rodriguez" <Rafael.Rodriguez at msmc.com>
> 
> Date: Thu, 15 May 2008 19:34:25
> To:<cisco-nsp at puck.nether.net>
> Subject: [c-nsp] Set a L3 routed interface on a 6500 + SUP2 to
> 'promiscuous' mode?
> 
> 
> Hello all,
> 
> Here is the issue I am facing:
> 
> We have a server that needs to send lots of data to IP addresses not on
> its local subnet.  Server will be directly connected to a router interface
> via ethernet.
> The server SHOULD set ALL packets with a dst MAC Address of the router
> (its default gateway) so the packets get delivered to the remote
> subnets.
> The server DOES NOT do this... grr.
> 
> Is there a way to have the router interface process all packets that arrive
> on this interface (includes packets that don't have the interface MAC
> Address as dst MAC Address)?
> 
> All of these packets are destined for remote networks.  Thanks.
> 
> Cheers,
>  
> RR
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
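Diagnostic added here as an example, not code from the thread or from either poster: it reproduces in Python what the wireshark session above established, parsing constructed Ethernet/IPv4 frames and flagging off-subnet packets whose destination MAC is not the default gateway's. The gateway MAC, the 192.0.2.0/24 subnet and the sample addresses are assumed lab values.

```python
"""Check outbound frames the way the thread's wireshark session did: an off-subnet
IPv4 destination must carry the default gateway's MAC, or the router's hardware
path drops the frame before L3 ever sees it."""
import ipaddress
import struct

# Assumed lab values, not taken from the thread: gateway MAC and the host's subnet.
GATEWAY_MAC = "00:11:22:33:44:01"
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")


def parse_frame(frame: bytes):
    """Return (dst_mac, src_mac, src_ip, dst_ip) for an untagged IPv4 frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    dst_mac = ":".join(f"{b:02x}" for b in frame[0:6])
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    src_ip = ipaddress.ip_address(frame[26:30])  # IPv4 header starts at byte 14
    dst_ip = ipaddress.ip_address(frame[30:34])
    return dst_mac, src_mac, src_ip, dst_ip


def classify(frame: bytes) -> str:
    """Verdict for one frame: local delivery, correctly routed, or silently dropped."""
    parsed = parse_frame(frame)
    if parsed is None:
        return "not-ipv4"
    dst_mac, _src_mac, _src_ip, dst_ip = parsed
    if dst_ip in LOCAL_NET:
        return "local"              # same subnet, gateway MAC not needed
    if dst_mac == GATEWAY_MAC:
        return "ok-via-gateway"
    return "dropped-wrong-dst-mac"  # the content filter's failure mode


def audit(frames):
    """Tally verdicts over a capture; a non-zero 'dropped' count is the symptom."""
    counts = {}
    for frame in frames:
        verdict = classify(frame)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


def build_frame(dst_mac, src_mac, src_ip, dst_ip) -> bytes:
    """Constructed minimal Ethernet + IPv4 header (no payload, checksum left zero)."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) +
           bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                      ipaddress.ip_address(src_ip).packed,
                      ipaddress.ip_address(dst_ip).packed)
    return eth + ip4
```

Feeding real captured frames (for example the raw bytes of each packet from a pcap) into `audit` gives the same split the poster worked out by hand.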


