Computer and IT knowledge - things to know - All
Clearpass - strangle looking vrrp wireshark entries
if you have a look on a VRRP packet in wireshark you see things like:
- IP Address: 76.88.122.33
- IP Address: 47.71.87.38
- IP Adress: 236.6.230.89
.. and so an ..
>> this ip addresses are a miss interpretation since Clearpass uses it's own implementation
Scope:
- All ClearPass boxes, v6.1 and up
- Only if Virtual IP (VIP) is set up
Key facts:
- ClearPass does NOT use VRRP
- It uses UCARP (see ucarp.org)
- UCARP = tool for redundancy, like VRRP but not same
Addressing:
- Normal VRRP/UCARP uses multicast MAC
- ClearPass does NOT do this
- ClearPass uses broadcast MAC: ff:ff:ff:ff:ff:ff
- Target IP stays multicast
- Target MAC (L2) is broadcast, not multicast
- UCARP uses the host's own MAC for the VIP
Wireshark note:
- Wireshark shows these as "VRRP" packets
- This is WRONG / misleading
- Cause: VRRP and UCARP share same protocol number
- So Wireshark can't tell them apart
- Real protocol in use: UCARP, not VRRP
https://airheads.hpe.com/community-home/librarydocuments/viewdocument?DocumentKey=126466a0-218d-401d-a13b-2cef9b60167c&CommunityKey=3dd64143-3ac3-4152-9abd-06dc0b4ecdd1&tab=librarydocuments computer2know :: thank you for your visit :: have a nice day :: © 2026