SOLVED (was Re: Problem clarification (was: Problems with vlan + carp + alias))
Giulio Ferro
auryn at zirakzigil.org
Thu Jun 26 20:06:19 UTC 2008
Steve Bertrand wrote:
> Thank you Giulio (is it Gio?)
No, it's Giulio (English Julius) :-)
>
>> For some reason when I plugged in the new firewall, only the base
>> non-aliased address was updated in the ISP switch ARP cache (if someone
>> can throw a guess at why, I'm eager to listen).
>
> Well, you need to know what type of switch they had upstream, and why
> they weren't updating their ARP cache dynamically properly. Perhaps
> because their cache ttl was too long (due to the type of hardware, or
> administrative setting).
>
The strange thing is that they actually updated their ARP entry for the base
(non-aliased) address, but not the others.
I guess what I could do was to "poison" their ARP cache for each address
with an "is-at" message. Is there a way to force the sending of these
messages for all the addresses of an interface?
> I almost have to assume it wasn't a Cisco... only because I would have
> expected different behavior (less administrative setting) (this is my
> personal experience...I'm not trying to favour a brand in any way).
>
> Perhaps you could ask them to provide the command they issued to
> determine how they found the problem. Better yet, ask what type of
> device your box is connected to at their end of the VLAN.
It was me who finally realized what the problem was. All I asked them to
do was to reset the ARP cache of the interface, and I guess they did that
by IOS (or CLI or whatever), not something I could do without logging in
to their switch...
>
> If you can find out what device they have at their end, it may almost
> be possible to non-destructively, and non-corruptively 'force' them to
> clear arp-cache remotely, and at the same time provide advice to the
> non-unscrupulous people who may run into this in the future.
I guess I could have used utilities like ettercap to set their ARP table
right, and this is what another person should do, if they have no other
way to operate that change...
>
> I'd be just as interested to know what they had at their end for
> hardware, as I have been waiting to hear what your resolution was
> throughout your time consuming troubleshooting...
Thanks for your support :-) I've seen many Cisco devices in that farm,
so I guess that's the answer.
I imagine (since I don't really know) that every IP interface should
periodically issue "who-has" messages for the directly-connected
addresses, so maybe the problem would have solved itself, but I didn't
really know how long that would have taken, and I couldn't stop the
services provided by my customer for too long...
Anyway, all's well that ends well...
Giulio.
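Giulio's question above (how to force an "is-at" message for every address an interface carries, so an upstream switch's stale ARP cache gets overwritten) is what gratuitous ARP does. The following is an added example, not code from this thread or from FreeBSD; it builds one gratuitous ARP frame per address (a broadcast "is-at" reply, or optionally a "who-has" request with sender and target IP equal) and decodes them back for checking. The MAC address, the 192.0.2.x addresses and the interface name `em0` are constructed placeholders; the raw-socket sender assumes a Linux `AF_PACKET` socket, which is an assumption outside the thread (on FreeBSD one would use BPF or a tool such as `arping` instead).

```python
import socket
import struct

ETH_P_ARP = 0x0806          # EtherType for ARP
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST = 1             # "who-has"
ARP_REPLY = 2               # "is-at"
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
FRAME_LEN = 14 + 28         # Ethernet header + ARP payload


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def gratuitous_arp_frame(mac: str, ip: str, oper: int = ARP_REPLY) -> bytes:
    """Build one broadcast Ethernet frame carrying a gratuitous ARP for (mac, ip).

    A gratuitous ARP has sender IP == target IP, so a switch or host that already
    holds an entry for `ip` replaces it with `mac`. The reply form (the "is-at"
    message asked about in the thread) is sent with a broadcast target MAC; the
    request form uses an all-zero target MAC, as a normal "who-has" would.
    """
    sha = _mac_bytes(mac)
    spa = socket.inet_aton(ip)
    if oper == ARP_REPLY:
        tha = _mac_bytes(BROADCAST_MAC)
    elif oper == ARP_REQUEST:
        tha = b"\x00" * 6
    else:
        raise ValueError("oper must be ARP_REQUEST or ARP_REPLY")
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, sha, spa, tha, spa)
    eth = _mac_bytes(BROADCAST_MAC) + sha + struct.pack("!H", ETH_P_ARP)
    return eth + arp


def frames_for_addresses(mac: str, ips, oper: int = ARP_REPLY) -> list:
    """One gratuitous ARP frame per address: the base address and every alias."""
    return [gratuitous_arp_frame(mac, ip, oper) for ip in ips]


def parse_arp_frame(frame: bytes) -> dict:
    """Decode an Ethernet+ARP frame; used here to verify what we would transmit."""
    if len(frame) < FRAME_LEN or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, frame[14:FRAME_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP frame")
    return {
        "oper": oper,
        "sha": _mac_str(sha), "spa": socket.inet_ntoa(spa),
        "tha": _mac_str(tha), "tpa": socket.inet_ntoa(tpa),
        "gratuitous": spa == tpa,
    }


def send_frames(ifname: str, frames) -> int:
    """Transmit the frames on `ifname`. Assumption: Linux AF_PACKET, needs root.
    Not available on FreeBSD, where BPF (or a tool like arping) is the route."""
    if not hasattr(socket, "AF_PACKET"):
        raise OSError("AF_PACKET not available on this platform")
    sent = 0
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP)) as s:
        s.bind((ifname, 0))
        for f in frames:
            s.send(f)
            sent += 1
    return sent


if __name__ == "__main__":
    # Constructed sample: one firewall MAC, the base address plus two aliases.
    mac = "00:11:22:33:44:55"
    addresses = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]
    for frame in frames_for_addresses(mac, addresses):
        print(parse_arp_frame(frame))
    # To actually announce them (Linux, as root): send_frames("em0", frames)
```

Each frame is 42 bytes on the wire, and the only fields that change between the base address and an alias are the sender and target protocol addresses, which is why one frame per address is needed rather than one per interface.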
More information about the freebsd-net mailing list