You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Fenrir working nicely, doing MITM for my 802.1x session: Raspberry Pi connected as 802.1x supplicant to hostIface of Fenrir (and Fenrir itself is actually another Raspberry Pi).
I was troubelshooting why i see multiple sessions/mac addresses on my switch:
Those mac addresses starting with 0050* were VM hosts in my network sending multicast/broadcast traffic into netIface (net vlan). So my 802.1x should be able to receive that traffic but never respond with such source mac addresses. As a result switch should never try to build a session for such mac addresses on that port. Gig1/0/13 is having Fenrir connected with 802.1x Raspbery Pi behind - that is all. We should see only one 802.1x session, nothing more (just a bit more if Fenrir is leaking some traffic sometimes).
And found out that Fenrir is sending back more multicast traffic back.
First we do see traffic on netIface where multicast frames are received (from host 00:50:56:a5:0b:e8 which is VM machine in my network). Then i see my switch trying to send EAPOL frames for that mac, which suggest that some packets from that mac had to be received on this switchport:
Now when sniffing at the same time on hostIface of Fenrir i could confirm those multicast frames where never forwarded to my 802.1x supplicant:
root@rpi3:~# tcpdump -i eth2 -en ether host 00:50:56:a5:0b:e8
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
Now looking closely at netIface again (eth1) i have found out that Fenrir is actually sending back those multicast frames via the same interface (sniffing only traffic sent out via netIface):
So for me it looks like traffic which is not supported by Fenrir - in this case multicast traffic is send back via the same netIface (instead of being forwarded out via hostIface). Is that expected ?
Also - what would be your recommendation ? Would it be reasonable to use iptables and filter out incoming multicast traffic received on netIface ?
Update, my workaround (for testing) was to block multicast traffic via ACL on the switch (iptables on Fenrir did not work):
9200-1#sh ip access-lists DROP_MULTICAST
Extended IP access list DROP_MULTICAST
10 deny ip any 224.0.0.0 15.255.255.255
20 permit ip any any
9200-1#sh run int g1/0/13
Building configuration...
Current configuration : 641 bytes
!
interface GigabitEthernet1/0/13
ip access-group DROP_MULTICAST out
Thanks,
Michal
The text was updated successfully, but these errors were encountered:
Hello Team,
Fenrir working nicely, doing MITM for my 802.1x session: Raspberry Pi connected as 802.1x supplicant to hostIface of Fenrir (and Fenrir itself is actually another Raspberry Pi).
I was troubelshooting why i see multiple sessions/mac addresses on my switch:
Those mac addresses starting with 0050* were VM hosts in my network sending multicast/broadcast traffic into netIface (net vlan). So my 802.1x should be able to receive that traffic but never respond with such source mac addresses. As a result switch should never try to build a session for such mac addresses on that port. Gig1/0/13 is having Fenrir connected with 802.1x Raspbery Pi behind - that is all. We should see only one 802.1x session, nothing more (just a bit more if Fenrir is leaking some traffic sometimes).
And found out that Fenrir is sending back more multicast traffic back.
First we do see traffic on netIface where multicast frames are received (from host 00:50:56:a5:0b:e8 which is VM machine in my network). Then i see my switch trying to send EAPOL frames for that mac, which suggest that some packets from that mac had to be received on this switchport:
Now when sniffing at the same time on hostIface of Fenrir i could confirm those multicast frames where never forwarded to my 802.1x supplicant:
Now looking closely at netIface again (eth1) i have found out that Fenrir is actually sending back those multicast frames via the same interface (sniffing only traffic sent out via netIface):
So for me it looks like traffic which is not supported by Fenrir - in this case multicast traffic is send back via the same netIface (instead of being forwarded out via hostIface). Is that expected ?
Also - what would be your recommendation ? Would it be reasonable to use iptables and filter out incoming multicast traffic received on netIface ?
Update, my workaround (for testing) was to block multicast traffic via ACL on the switch (iptables on Fenrir did not work):
Thanks,
Michal
The text was updated successfully, but these errors were encountered: