From: Giulio Ferro <auryn@zirakzigil.org>
Date: Thu, 26 Jun 2008 22:06:11 +0200
To: Steve Bertrand
Cc: freebsd-net@freebsd.org
Subject: Re: SOLVED (was Re: Problem clarification (was: Problems with vlan + carp + alias))
Message-ID: <4863F6B3.4020308@zirakzigil.org>
In-Reply-To: <48630AA3.3000800@ibctech.ca>
References: <486000B5.9090703@zirakzigil.org> <4862B2AF.70202@zirakzigil.org> <48630AA3.3000800@ibctech.ca>
List-Id: Networking and TCP/IP with FreeBSD

Steve Bertrand wrote:
> Thank you Giulio (is it Gio?)

No, it's Giulio (English Julius) :-)

>> For some reason when I plugged in the new firewall, only the base
>> non-aliased address was updated in the ISP switch arp cache (if
>> someone can throw a guess at why, I'm eager to listen).
>
> Well, you need to know what type of switch they had upstream, and why
> they weren't updating their ARP cache dynamically properly. Perhaps
> because their cache ttl was too long (due to the type of hardware, or
> administrative setting).

The strange thing is that they actually updated their arp entry for the
base (non-aliased) address, but not the others. I guess what I could have
done was to "poison" their arp cache for each address with an "is-at"
message. Is there a way to force the sending of these messages for all
the addresses of an interface?

> I almost have to assume it wasn't a Cisco... only because I would have
> expected different behavior (less administrative setting) (this is my
> personal experience...I'm not trying to favour a brand in any way).
>
> Perhaps you could ask them to provide the command they issued to
> determine how they found the problem. Better yet, ask what type of
> device your box is connected to at their end of the VLAN.

It was me who finally realized what the problem was. All I asked them to
do was to reset the arp cache of the interface, and I guess they did that
by IOS (or CLI or whatever), not something I could do without logging in
to their switch...

> If you can find out what device they have at their end, it may almost
> be possible to non-destructively, and non-corruptively 'force' them to
> clear arp-cache remotely, and at the same time provide advice to the
> non-unscrupulous people who may run into this in the future.

I guess I could have used utilities like ettercap to set their arp table
right, and this is what another person should do, if they have no other
way to operate that change...

> I'd be just as interested to know what they had at their end for
> hardware, as I have been waiting to hear what your resolution was
> throughout your time consuming troubleshooting...

Thanks for your support :-)

I've seen many Cisco devices in that farm, so I guess that's the answer.

I imagine (since I don't really know) that every IP interface should
periodically issue "who-has" messages for the directly-connected
addresses, so maybe the problem would have solved itself, but I didn't
really know how long that would have taken, and I couldn't stop the
services provided by my customer for too long...

Anyway, all's well that ends well.

Giulio.
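A defender-side check for the situation in this thread, added here as an example (it is not code from Giulio, Steve or the FreeBSD project): the "is-at" messages Giulio asks about are gratuitous ARP replies, and after a box swap the question is which of the interface's addresses (base and aliases) have actually been re-announced from the new MAC. The script parses tcpdump-style ARP lines and reports the addresses that upstream neighbours may still hold stale; the log lines, addresses and MAC are constructed.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style ARP lines (not captured from the thread's network).
# The second 192.0.2.10 reply is the replacement firewall re-announcing the base
# address; the aliases 192.0.2.11 and .12 never appear in an is-at reply.
SAMPLE_LOG = """\
20:01:02.000001 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28
20:01:02.000050 ARP, Reply 192.0.2.1 is-at 00:00:5e:00:01:01, length 28
20:01:05.000001 ARP, Reply 192.0.2.10 is-at 02:00:00:AA:BB:01, length 28
20:01:05.000002 ARP, Reply 192.0.2.10 is-at 02:00:00:aa:bb:02, length 28
20:01:06.000000 ARP, Request who-has 192.0.2.11 tell 192.0.2.1, length 28
"""

# Addresses configured on the firewall's VLAN interface: base plus aliases
# (constructed; in practice, read them from `ifconfig <iface>`).
INTERFACE_ADDRESSES = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
NEW_FIREWALL_MAC = "02:00:00:aa:bb:02"  # constructed

IS_AT = re.compile(r"ARP, Reply (\S+) is-at ([0-9A-Fa-f:]{17})")

def announcements(log):
    """Map each IP to the distinct MACs that claimed it, in order of first sighting."""
    seen = defaultdict(list)
    for line in log.splitlines():
        m = IS_AT.search(line)
        if not m:
            continue  # who-has requests carry no MAC in this output format
        ip, mac = m.group(1), m.group(2).lower()
        if mac not in seen[ip]:
            seen[ip].append(mac)
    return dict(seen)

def audit(addresses, new_mac, log):
    """Split the interface's addresses into those announced from new_mac and
    those never announced from it (neighbours may still cache the old MAC).
    Also return IPs claimed by more than one MAC, i.e. entries that changed."""
    seen = announcements(log)
    new_mac = new_mac.lower()
    announced = sorted(ip for ip in addresses if new_mac in seen.get(ip, []))
    missing = sorted(ip for ip in addresses if new_mac not in seen.get(ip, []))
    changed = {ip: macs for ip, macs in seen.items() if len(macs) > 1}
    return announced, missing, changed

if __name__ == "__main__":
    ok, stale, changed = audit(INTERFACE_ADDRESSES, NEW_FIREWALL_MAC, SAMPLE_LOG)
    print("announced from new MAC:", ok)
    print("never announced from new MAC (upstream ARP may be stale):", stale)
    print("addresses whose MAC changed:", changed)
```

Feed it `tcpdump -n -i <iface> arp` output taken on the segment after the swap; every address listed as missing is one the upstream device had no reason to refresh.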