Hi David,

On Mon, Jun 9, 2008 at 5:25 AM, David Coulson <[EMAIL PROTECTED]> wrote:
> I am looking at implementing some IP takeover services on a network behind
> Pixs (I think it's a pair of 535s running 7.2 - I don't control it, but I
> can request config changes). It would appear that Pix does not handle
> gratuitous arp responses in any useful way, which as a security appliance I
> would consider to be reasonable.
This is the behaviour in my lab with one of the interims of 8.0 with "debug arp" and syslog enabled:

1) the entry for the TPA/SPA IP address of the GARP is not present in the ARP cache: do nothing.

ciscoasa(config)# arp-in: request at inside from 123.123.123.1 000c.0102.0305 for 123.123.123.1 0000.0000.0000

2) the entry for the TPA/SPA IP address of the GARP is one of the interface addresses (123.123.123.123 in this case):

%ASA-4-405001: Received ARP request collision from 123.123.123.123/000c.0102.0305 on interface inside
arp-in: request at inside from 123.123.123.123 000c.0102.0305 for 123.123.123.123 0000.0000.0000
arp-send: arp request built from 123.123.123.123 001b.d594.e4c6 for 123.123.123.123 at 741830
arp-defense: Sent gratuitous arp in response to arp collision on interface inside

3) the entry for the TPA/SPA already exists and is a different MAC address - yell in a syslog, but update the ARP cache:

ciscoasa(config)# sh arp
        inside 123.123.123.1 0060.6e20.0ae6 3
%ASA-7-111009: User 'enable_15' executed cmd: show arp
ciscoasa(config)#
%ASA-4-405001: Received ARP request collision from 123.123.123.1/000c.0102.0305 on interface inside
arp-in: request at inside from 123.123.123.1 000c.0102.0305 for 123.123.123.1 0000.0000.0000
arp-in: collision request received at inside from 123.123.123.1/000c.0102.0305 for 123.123.123.1 0000.0000.0000
arp-in: updating gratuitous ARP 123.123.123.1 - 000c.0102.0305
arp-set: added arp inside 123.123.123.1 000c.0102.0305 and updating NPs at 934820
ciscoasa(config)# sh arp
        inside 123.123.123.1 000c.0102.0305 5
%ASA-7-111009: User 'enable_15' executed cmd: show arp
ciscoasa(config)#

it looks like your IP takeover scenario should be precisely the same as (3) above?

thanks,
andrew

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
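The three cases Andrew observed, as an added example that is not part of the post and not Cisco's code: a small Python model of the ASA's gratuitous-ARP handling that parses the "arp-in: request" debug lines quoted above and replays them against an ARP-cache model. The firewall's own inside address and MAC (123.123.123.123 / 001b.d594.e4c6) are taken from the arp-send line in case 2; the names handle_garp/replay/demo, the (interface, ip) cache layout, and the "identical binding is silently accepted" branch (not exercised in the transcript) are assumptions made for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Added example, not the mailing-list poster's or Cisco's code. Models the three
# gratuitous-ARP cases seen in the lab transcript and replays its 'debug arp'
# lines against a toy ARP cache. Interface IP/MAC mapping below is assumed.

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# 'debug arp' prints one of these for every ARP request the ASA receives.
ARP_IN = re.compile(
    rf"arp-in: request at (?P<iface>\S+) from (?P<spa>{IP}) (?P<sha>{MAC}) "
    rf"for (?P<tpa>{IP}) (?P<tha>{MAC})"
)

Cache = Dict[Tuple[str, str], str]       # (interface, ip) -> learned mac
IfaceAddrs = Dict[Tuple[str, str], str]  # (interface, own ip) -> own mac


def parse_arp_in(line: str) -> Optional[dict]:
    """Fields of an 'arp-in: request' debug line, or None for any other line."""
    m = ARP_IN.search(line)
    return m.groupdict() if m else None


def handle_garp(cache: Cache, own: IfaceAddrs, iface: str,
                spa: str, sha: str, tpa: str) -> Tuple[int, str]:
    """Classify one ARP request the way the transcript shows the ASA doing it.

    Returns (case, description); mutates `cache` only in case 3.
    0: not gratuitous (SPA != TPA), outside the transcript's scope
    1: no cache entry for the address: ignored
    2: address is one of our interface addresses: collision logged, own GARP sent
    3: entry exists with a different MAC: collision logged, entry overwritten
    """
    if spa != tpa:
        return 0, "not a gratuitous ARP"
    key = (iface, spa)
    if key in own:
        return 2, f"collision on our address {spa}/{iface} from {sha}; defend with GARP {own[key]}"
    if key not in cache:
        return 1, f"no entry for {spa} on {iface}; ignored"
    old = cache[key]
    if old == sha:
        # Assumption: a GARP that repeats the existing binding is accepted silently.
        return 1, f"{spa} on {iface} already {sha}; nothing to do"
    cache[key] = sha
    return 3, f"collision: {spa} on {iface} moved {old} -> {sha}; cache updated"


def replay(lines, cache: Cache, own: IfaceAddrs):
    """Feed debug-arp lines through handle_garp; non-matching lines are skipped."""
    events = []
    for line in lines:
        f = parse_arp_in(line)
        if f:
            events.append(handle_garp(cache, own, f["iface"], f["spa"], f["sha"], f["tpa"]))
    return events


# Lines copied from the transcript. The ASA's inside IP/MAC come from the arp-send line.
OWN: IfaceAddrs = {("inside", "123.123.123.123"): "001b.d594.e4c6"}
CASE1 = "ciscoasa(config)# arp-in: request at inside from 123.123.123.1 000c.0102.0305 for 123.123.123.1 0000.0000.0000"
CASE2 = "arp-in: request at inside from 123.123.123.123 000c.0102.0305 for 123.123.123.123 0000.0000.0000"
CASE3 = "arp-in: request at inside from 123.123.123.1 000c.0102.0305 for 123.123.123.1 0000.0000.0000"


def demo():
    """Replay each scenario from the cache state the transcript shows it starting in."""
    r1 = replay([CASE1], {}, OWN)                       # cache empty
    r2 = replay([CASE2], {}, OWN)                       # GARP for the ASA's own address
    seeded: Cache = {("inside", "123.123.123.1"): "0060.6e20.0ae6"}  # 'sh arp' before case 3
    r3 = replay([CASE3, "%ASA-7-111009: User 'enable_15' executed cmd: show arp"], seeded, OWN)
    return r1[0][0], r2[0][0], r3[0][0], seeded[("inside", "123.123.123.1")]


if __name__ == "__main__":
    for case, text in [demo_item for demo_item in []]:
        pass
    print(demo())  # (1, 2, 3, '000c.0102.0305')
```

For an IP takeover the event to watch is case 3, where the cache entry flips from the old node's MAC to the new one; the same path is what a host on the inside segment would use to claim a neighbour's address, so the %ASA-4-405001 messages are worth forwarding to a collector and alerting on MAC changes that do not coincide with a planned failover. Case 2 is the one the appliance actively resists, by re-asserting its own address with a gratuitous ARP.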