I recently ran into a strange problem with my CentOS machine (let's call it "server"). The server's IP address is 10.150.39.5. The problem is that it replies to ARP requests with two MAC addresses, and the last reply breaks all communication with the server.
tcpdump output on the mirrored switch port:
18:02:01.388595 00:00:00:e5:64:32 > 00:00:00:67:1d:ea, ethertype ARP (0x0806), length 60: Request who-has 10.150.39.5 (00:00:00:67:1d:ea) tell 10.150.39.116, length 46
18:02:01.388600 00:00:00:67:1d:ea > 00:00:00:e5:64:32, ethertype ARP (0x0806), length 60: Reply 10.150.39.5 is-at 00:00:00:67:1d:ea, length 46
18:02:01.388743 00:00:00:67:1d:ec > 00:00:00:e5:64:32, ethertype ARP (0x0806), length 60: Reply 10.150.39.5 is-at 00:00:00:67:1d:ec, length 46
The most interesting part is what happens when I capture on the server's NIC: I only see the first two packets (the normal ARP request and ARP reply). So I created a network SPAN (mirroring all traffic from the switch interface the server is connected to, to another machine), and on that mirror port I see the packets I pasted above.
I am 100% sure it is not a MITM attack, because it is a single physical server connected to that interface, and after I implemented port security on that port (allowing only the correct MAC) the problem went away. So basically I no longer have the problem, but I would very much like to find the cause.
Here are two outputs that may come in handy if you want to help me:
[root@server ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:00:00:67:1d:ea brd ff:ff:ff:ff:ff:ff
inet 10.150.39.5/24 brd 10.150.39.255 scope global enp0s25
valid_lft forever preferred_lft forever
inet6 fe80::219:d1ff:fe67:1dea/64 scope link
valid_lft forever preferred_lft forever
3: enp1s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:00:00:e3:ca:82 brd ff:ff:ff:ff:ff:ff
4: enp1s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:00:00:e3:ca:83 brd ff:ff:ff:ff:ff:ff
[root@server ~]# tail -vn +1 /etc/sysconfig/network-scripts/ifcfg-*
==> /etc/sysconfig/network-scripts/ifcfg-enp0s25 <==
TYPE="Ethernet"
BOOTPROTO="static"
UUID="a04fb9bd-0543-4ba6-bd17-72cc3d9f54cc"
DEVICE="enp0s25"
ONBOOT="yes"
IPADDR=10.150.39.5
NETMASK=255.255.255.0
GATEWAY=10.150.39.1
==> /etc/sysconfig/network-scripts/ifcfg-enp1s0f0 <==
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME=enp1s0f0
UUID=64e7544d-54b9-40cc-83f0-7e10acbcdeaa
DEVICE=enp1s0f0
ONBOOT=no
==> /etc/sysconfig/network-scripts/ifcfg-enp1s0f1 <==
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
NAME=enp1s0f1
UUID=c3085e08-1e14-4098-b77a-b512a2c99e75
DEVICE=enp1s0f1
ONBOOT=no
==> /etc/sysconfig/network-scripts/ifcfg-lo <==
DEVICE=lo
IPADDR=127.0.0.1
NETMASK=255.0.0.0
NETWORK=127.0.0.0
# If you're having problems with gated making 127.0.0.0/8 a martian,
# you can change this to something else (255.255.255.255, for example)
BROADCAST=127.255.255.255
ONBOOT=yes
NAME=loopback
The two MAC addresses 00:00:00:67:1d:ea and 00:00:00:67:1d:ec are almost consecutive (I assume you have obfuscated the first three octets, since 00:00:00 is not a valid OUI). This points to a multi-port NIC, multiple logical interfaces, etc. Check the switch's MAC address table to find which port the "wrong" MAC originates from.
If you have bonded/teamed multiple interfaces, you have to make sure everything is working as intended. The switch port needs to be configured accordingly for single-MAC bonding.
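As an added example (not code from the question or the answer above), the following Python script automates the check the asker did by eye on the tcpdump output. It parses `tcpdump -e -n` ARP lines, groups replies by the IP they claim, flags any IP answered by more than one MAC, measures how far apart those MACs are (near-consecutive addresses point to a multi-port NIC or teaming on one host, as the answer suggests, while unrelated addresses point to a second host), and records when a frame's source MAC differs from the MAC carried in the ARP payload, which is a classic spoofing tell. The sample input is the three frames from the question plus a constructed benign request/reply pair for 10.150.39.1; the 16-address "near" threshold and all function names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample input: the three ARP frames from the question (tcpdump -e on the
# mirror port) plus an unrelated request/reply pair so the benign path is exercised.
SAMPLE_TCPDUMP = """\
18:02:01.388595 00:00:00:e5:64:32 > 00:00:00:67:1d:ea, ethertype ARP (0x0806), length 60: Request who-has 10.150.39.5 (00:00:00:67:1d:ea) tell 10.150.39.116, length 46
18:02:01.388600 00:00:00:67:1d:ea > 00:00:00:e5:64:32, ethertype ARP (0x0806), length 60: Reply 10.150.39.5 is-at 00:00:00:67:1d:ea, length 46
18:02:01.388743 00:00:00:67:1d:ec > 00:00:00:e5:64:32, ethertype ARP (0x0806), length 60: Reply 10.150.39.5 is-at 00:00:00:67:1d:ec, length 46
18:02:02.100000 00:00:00:e5:64:32 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.150.39.1 tell 10.150.39.116, length 46
18:02:02.100200 00:00:00:aa:bb:01 > 00:00:00:e5:64:32, ethertype ARP (0x0806), length 60: Reply 10.150.39.1 is-at 00:00:00:aa:bb:01, length 46
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"

# Link-layer header as printed by `tcpdump -e -n`: timestamp, src > dst, ethertype, length.
FRAME_RE = re.compile(
    rf"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>{MAC}) > (?P<dst>{MAC}), "
    rf"ethertype ARP \(0x0806\), length \d+: (?P<body>.*)$"
)
# ARP reply body: "Reply <ip> is-at <mac>". Requests do not match and are skipped.
REPLY_RE = re.compile(rf"^Reply (?P<ip>\d+(?:\.\d+){{3}}) is-at (?P<mac>{MAC})")

# Assumption: two MACs within this many addresses of each other are treated as
# "near-consecutive", i.e. most likely ports of one NIC or one host.
NEAR_THRESHOLD = 16


def mac_to_int(mac):
    """Convert aa:bb:cc:dd:ee:ff to its 48-bit integer value."""
    return int(mac.replace(":", ""), 16)


def mac_distance(a, b):
    """Absolute numeric distance between two MAC addresses."""
    return abs(mac_to_int(a) - mac_to_int(b))


def parse_arp_replies(text):
    """Return one dict per ARP reply line: frame source MAC, claimed IP and claimed MAC."""
    replies = []
    for line in text.splitlines():
        frame = FRAME_RE.match(line.strip())
        if not frame:
            continue
        reply = REPLY_RE.match(frame.group("body"))
        if not reply:
            continue
        replies.append({
            "ts": frame.group("ts"),
            "src": frame.group("src"),
            "ip": reply.group("ip"),
            "mac": reply.group("mac"),
        })
    return replies


def find_conflicts(replies):
    """Map each IP that was answered by more than one distinct MAC to its sorted MAC list."""
    claims = defaultdict(set)
    for r in replies:
        claims[r["ip"]].add(r["mac"])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def analyze(text, near_threshold=NEAR_THRESHOLD):
    """Full check: conflicting IPs, how close their MACs are, and src/payload MAC mismatches."""
    replies = parse_arp_replies(text)
    findings = []
    for ip, macs in find_conflicts(replies).items():
        widest_gap = max(mac_distance(a, b) for a in macs for b in macs)
        # Frame source MAC differing from the is-at MAC is a spoofing indicator;
        # a multi-port NIC answering from its own ports will not show this.
        mismatches = [(r["src"], r["mac"]) for r in replies
                      if r["ip"] == ip and r["src"] != r["mac"]]
        findings.append({
            "ip": ip,
            "macs": macs,
            "near_consecutive": widest_gap <= near_threshold,
            "src_mismatch": mismatches,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_TCPDUMP):
        verdict = "same host / multi-port NIC likely" if f["near_consecutive"] else "separate host likely"
        print(f"{f['ip']} answered by {', '.join(f['macs'])}: {verdict}")
        for src, mac in f["src_mismatch"]:
            print(f"  frame from {src} claims is-at {mac}: possible spoofing")
```

To use it on a live network, replace `SAMPLE_TCPDUMP` with `sys.stdin.read()` and pipe in `tcpdump -e -n -l arp` (or `-r capture.pcap` for a saved capture). Each flagged MAC can then be looked up in the switch's forwarding table to find the port it was learned on; on Cisco IOS the per-address lookup is `show mac address-table address 0000.0067.1dec` (other vendors use different syntax). If both MACs are learned on the server's port, the answer's multi-port NIC or teaming explanation fits; if the second MAC is learned elsewhere, another device is answering for that IP.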