From: Tony Landells
To: David Preece
Cc: Lowell Gilbert, freebsd-questions@FreeBSD.ORG
Subject: Re: Adding route using mac address
Date: Thu, 15 Mar 2001 09:36:07 +1100
Message-Id: <200103142236.JAA23422@tungsten.austclear.com.au>
In-Reply-To: Message from David Preece of "Thu, 15 Mar 2001 09:08:09 +1300." <5.0.2.1.1.20010315085251.02281748@pop3.paradise.net.nz>

davep@afterswish.com said:
> Okay, I realise I'm on shaky ground here, but would like to disagree.
> Routes - next hop ones at least - have everything to do with layer 2. Say
> my machine is 1.2.3.8 on a class C, and my default router is 1.2.3.1. What
> we are effectively saying here is that I am layer 2 connected to
> 1.2.3.everything, and that if I want to get a packet outside of that I have
> to use the machine at 1.2.3.1. So when a packet goes off to 3.4.5.6, on
> layer 2 the packet is addressed over to the router.

There's actually no reason why at layer 2 you might not be connected to
3.4.5.6.

> Conceptually it may be truer to describe a default route in terms of mac
> address. "The route out of the layer 2 network is at this address".
> However, it would be a pain in the arse, so we give routers an IP address
> and rely on arp to convert it to a mac address for us.

No, we do that because layer 2 may not even have a MAC address. Not all
the world runs on Ethernet. In fact, if you took out all the non-Ethernet
you wouldn't have an Internet. I don't suppose you've heard of things like
ISDN, Frame Relay, ATM, Token Ring, or even modems?

> > > Because on the LAN some ppl are changing IPs to skip the traffic counters
> > > for them.
>
> Oh. This isn't really a routing question then. Perhaps go to a dhcp network
> and set up the dhcpd.config (or whatever it's called) with very very long
> leases so everyone gets the same IP every time. Hmmm, no, I guess that
> wouldn't help.

If the people are changing them manually, then their desktop should be set
up so they can't do that. If you mean they're renewing their DHCP leases,
then either change to static mappings or use smarter accounting that looks
at the DHCP logs as well. And if they're supposed to be using fixed IP
addresses, you could put in server/gateway systems that permit you to
enter static ARP entries so that they can't do anything if they change IP
addresses.

And I've gotta say, if they're changing IP addresses I'm surprised they
haven't trashed your network due to duplicate IP addresses, etc.

> Perhaps we need a mac layer accounting daemon that could sit off a tee
> socket. This wouldn't be too hard, and yes, I might be volunteering. Is
> this something the community in general might find useful?

It would certainly be one step better in situations like this. And for
catching accidental duplicate IP addresses. Of course, if the people have
sufficient control of their desktop it will only work until they start
changing their MAC address, but that's usually a bit harder to get to...

> > You should also, in my opinion, consider non-technical solutions, like
> > terminating these people's accounts, firing them, failing them in your
> > course, slapping their wrists with #6 linguine, whatever's appropriate
> > in your environment.
>
> Might also prove appropriate. However, you're still facing the ultimate
> problem of catching the bastards. Perhaps we need something that just
> correlates mac addresses to IPs? Maybe just leaving running for 24hrs off
> a bpf then compare the answers to what you should've seen.

That's a good approach, but in a switched environment will require setting
up additional options on the switch so that the logging system sees all
the traffic.

Cheers,
Tony
--
Tony Landells                        Senior Network Engineer
Ph: +61 3 9677 9319                  Australian Clearing Services Pty Ltd
Fax: +61 3 9677 9355                 Level 4, Rialto North Tower
                                     525 Collins Street
                                     Melbourne VIC 3000
                                     Australia
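The MAC-layer accounting and MAC-to-IP correlation the thread talks about (count traffic per MAC rather than per IP, then compare what a capture shows against what you should have seen), as an added example that is not part of the original message or of any FreeBSD tool. It assumes a constructed capture format modelled on "tcpdump -e -n" output and a constructed table of expected MAC-to-IP assignments; both the sample lines and the assignments are made up for the example.

```python
import re
from collections import defaultdict

# Parses the constructed capture format used below, which is modelled on
# "tcpdump -e -n" output; it is not guaranteed to match every real tcpdump line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "
    r"(?P<dmac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), ethertype IPv4 \(0x0800\), "
    r"length (?P<len>\d+): (?P<sip>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.\d+:"
)

# Expected MAC -> IP assignments (constructed; in practice taken from the
# DHCP static mappings or the static ARP entries the reply suggests).
EXPECTED = {
    "00:11:22:33:44:aa": "192.168.70.10",
    "00:11:22:33:44:bb": "192.168.70.11",
    "00:11:22:33:44:cc": "192.168.70.12",
}

# Constructed sample capture: the host with MAC ...bb sends one frame from its
# own address and then one from ...cc's address, which ...cc also uses.
SAMPLE = """\
09:36:07.000001 00:11:22:33:44:aa > 00:11:22:33:44:01, ethertype IPv4 (0x0800), length 1514: 192.168.70.10.1025 > 10.0.0.5.80: Flags [.]
09:36:07.000002 00:11:22:33:44:bb > 00:11:22:33:44:01, ethertype IPv4 (0x0800), length 1514: 192.168.70.11.1026 > 10.0.0.5.80: Flags [.]
09:36:08.000003 00:11:22:33:44:bb > 00:11:22:33:44:01, ethertype IPv4 (0x0800), length 1514: 192.168.70.12.1027 > 10.0.0.5.80: Flags [.]
09:36:08.000004 00:11:22:33:44:cc > 00:11:22:33:44:01, ethertype IPv4 (0x0800), length 60: 192.168.70.12.1028 > 10.0.0.5.80: Flags [S]
"""

def account_by_mac(capture):
    """Bytes per source MAC (not per IP), plus which IPs each MAC used and which MACs each IP came from."""
    bytes_by_mac, ips_by_mac, macs_by_ip = defaultdict(int), defaultdict(set), defaultdict(set)
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-IPv4 frame or a line in another format: skip it
        bytes_by_mac[m["smac"]] += int(m["len"])
        ips_by_mac[m["smac"]].add(m["sip"])
        macs_by_ip[m["sip"]].add(m["smac"])
    return dict(bytes_by_mac), dict(ips_by_mac), dict(macs_by_ip)

def find_anomalies(ips_by_mac, macs_by_ip, expected):
    """Compare the capture with the assignments: MACs sending from an IP that is not theirs, and IPs claimed by several MACs."""
    wrong_ip = {mac: sorted(ips - {expected.get(mac)})
                for mac, ips in ips_by_mac.items() if ips - {expected.get(mac)}}
    duplicates = {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1}
    return wrong_ip, duplicates
```

In a switched network the capturing host only sees this traffic if the switch mirrors it to that port, as the reply notes.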