We have an OP who hasn't fully described the problem in a coherent way and a bunch of people who are trying to help arguing about why each other's guesses aren't valid. I would suggest setting up ARPwatch on a computer and seeing how the reports look over a few days. We won't know shit until Hypoluxa shows up again, though. But unless they bought something like this, it won't magically show up.
That is the only device I have ever seen that could do something like this. In reality, half the time it responded before the real device on the network, which made it a real expensive piece of crap. If there was a device, it should respond first and populate the requestor's ARP table, otherwise this device would do it. It did this by responding to all ARP requests 5 seconds after it saw them. I cannot remember the name, but there was a product a few years ago that was supposed to be a captive portal for hotel wifi that would ensure that whatever the customer's local settings, it would work. I think this must be something broken or misconfigured at Layer 3, or the machine is hacked. Basically, everyone seems to be focused on layers 1 and 2, and I'm just having a hard time imagining how those layers would be generating spurious IP addresses. If it were garbled ARP replies, you'd think the IPs would be random crap, but he hasn't mentioned seeing IPs that look weird. Doing that, it would be invisible from the control panel, and from light-duty snoop tools. Hell, it could be sending raw packets out the interface, in effect creating those phantom IPs itself, using a custom TCP/IP stack. But if that machine is the one that's actually hacked, it could be talking with the mothership, or scanning/attacking the local network. For one of those, I'd expect the wrong MAC for the good IP address, not a flood of spurious IPs with that MAC. And ARP entries should time out after, what, ten minutes on most machines? So that means that MAC has been ARPed as having those IP addresses very recently, so it's an ongoing network problem of some kind. From what the OP is saying, it's supposed to have just one, and he's seeing a bunch. It's okay to have multiple IPs on a MAC, but only if it's been deliberately configured that way.
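The two symptoms contrasted in the comments above (one MAC holding several IPs versus a known IP answered by a different MAC) can be told apart by comparing ARP table snapshots over time, which is the kind of change an ARPwatch-style monitor reports. This is an added example, not code from the thread; the snapshot text, addresses and the one-IP-per-MAC threshold are constructed assumptions, in Linux `arp -an` output format.

```python
import re
from collections import defaultdict

# Constructed `arp -an` snapshots taken at two different times (not data from the thread).
SNAPSHOTS = [
    """? (192.0.2.1) at 02:00:00:aa:00:01 [ether] on eth0
? (192.0.2.10) at 02:00:00:aa:00:10 [ether] on eth0
? (192.0.2.20) at 02:00:00:aa:00:20 [ether] on eth0""",
    """? (192.0.2.1) at 02:00:00:aa:00:99 [ether] on eth0
? (192.0.2.10) at 02:00:00:aa:00:10 [ether] on eth0
? (192.0.2.51) at 02:00:00:aa:00:20 [ether] on eth0
? (192.0.2.52) at 02:00:00:aa:00:20 [ether] on eth0
? (192.0.2.53) at <incomplete> on eth0""",
]

ENTRY = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b",
    re.IGNORECASE,
)

def parse(snapshot):
    """Yield (ip, mac) pairs; unresolved '<incomplete>' entries do not match and are skipped."""
    for line in snapshot.splitlines():
        m = ENTRY.search(line)
        if m:
            yield m["ip"], m["mac"].lower()

def analyse(snapshots, max_ips_per_mac=1):
    """Return (MACs seen with more IPs than allowed, IPs seen with more than one MAC)."""
    ips_by_mac = defaultdict(set)
    macs_by_ip = defaultdict(set)
    for snap in snapshots:
        for ip, mac in parse(snap):
            ips_by_mac[mac].add(ip)
            macs_by_ip[ip].add(mac)
    # One MAC, many IPs: the symptom the OP describes (legitimate only if configured on purpose).
    many_ips = {m: sorted(i) for m, i in ips_by_mac.items() if len(i) > max_ips_per_mac}
    # One IP, several MACs: the "wrong MAC for the good IP" pattern (conflict or spoofing).
    changed_mac = {i: sorted(m) for i, m in macs_by_ip.items() if len(m) > 1}
    return many_ips, changed_mac

if __name__ == "__main__":
    many_ips, changed_mac = analyse(SNAPSHOTS)
    for mac, ips in many_ips.items():
        print(f"MAC {mac} claimed {len(ips)} IPs: {', '.join(ips)}")
    for ip, macs in changed_mac.items():
        print(f"IP {ip} was answered by several MACs: {', '.join(macs)}")
```

Hosts that are deliberately multi-homed or that renew a DHCP lease between snapshots will also show up, so raise `max_ips_per_mac` or exclude known MACs before alerting.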
Unable to understand the reason for such behavior. How would that cause multiple IPs for the same MAC, though? The switch-ports that connect to the server are trunk ports.
The working server ports too do not have the default gateway set on them, but it works fine.
Unfortunately, I do not have access to the server to confirm if the static IP address is indeed set. But the vendor tells me the default gateway is not set. I am not able to understand why the server is behaving so. Had initiated a Wireshark capture during the ping and observed that the server is not responding to the ARP request itself. Tried a direct ping to the static IP but get request timed out. The interface is showing physically up on the Cisco 3750 switch, but ARP is not being learnt. Another server with the same port level configuration on the same Cisco 3750 switch is working fine. As a test I disconnected the server from the switch totally and connected a laptop directly to the ports on the server and configured the IP address of the laptop to be in the range of the static IP address of the server, and the default gateway was set to the server port's static IP address. The server vendor claims to have put a static IP address without gateway on both these ports, and the IPs do match the subnet range of the VLANs under which the ports are access ports. A Dell 240 server is connected on two different switch ports with proper VLAN configurations on the switch end.