Date: Thu, 26 Jun 2008 22:06:11 +0200
From: Giulio Ferro <auryn@zirakzigil.org>
To: Steve Bertrand <steve@ibctech.ca>
Cc: freebsd-net@freebsd.org
Subject: Re: SOLVED (was Re: Problem clarification (was: Problems with vlan + carp + alias))
Message-ID: <4863F6B3.4020308@zirakzigil.org>
In-Reply-To: <48630AA3.3000800@ibctech.ca>
References: <486000B5.9090703@zirakzigil.org> <4862B2AF.70202@zirakzigil.org> <48630AA3.3000800@ibctech.ca>
Steve Bertrand wrote:
> Thank you Giulio (is it Gio?)

No, it's Giulio (English Julius) :-)

>> For some reason when I plugged in the new firewall, only the base
>> non-aliased address was updated in the ISP switch arp cache (if
>> someone can throw a guess at why, I'm eager to listen).
>
> Well, you need to know what type of switch they had upstream, and why
> they weren't updating their ARP cache dynamically properly. Perhaps
> because their cache ttl was too long (due to the type of hardware, or
> administrative setting).

The strange thing is that they actually updated their arp entry for the
base (non-aliased) address, but not the others.

I guess what I could do was to "poison" their arp cache for each
address with an "is-at" message. Is there a way to force the sending of
these messages for all the addresses of an interface?

> I almost have to assume it wasn't a Cisco... only because I would have
> expected different behavior (less administrative setting) (this is my
> personal experience...I'm not trying to favour a brand in any way).
>
> Perhaps you could ask them to provide the command they issued to
> determine how they found the problem. Better yet, ask what type of
> device your box is connected to at their end of the VLAN.

It was me who finally realized what the problem was. All I asked them
to do was to reset the arp cache of the interface, and I guess they did
that by IOS (or CLI or whatever), not something I could do without
logging into their switch...

> If you can find out what device they have at their end, it may almost
> be possible to non-destructively, and non-corruptively 'force' them to
> clear arp-cache remotely, and at the same time provide advice to the
> non-unscrupulous people who may run into this in the future.

I guess I could have used utilities like ettercap to set their arp
table right, and this is what another person should do, if they have no
other way to operate that change...

> I'd be just as interested to know what they had at their end for
> hardware, as I have been waiting to hear what your resolution was
> throughout your time consuming troubleshooting...

Thanks for your support :-)

I've seen many Cisco devices in that farm, so I guess that's the answer.

I imagine (since I don't really know) that every IP interface should
periodically issue "who-has" messages for the directly-connected
addresses, so maybe the problem would have solved itself, but I didn't
really know how long that would have taken, and I couldn't stop the
services provided by my customer for too long...

Anyway, all's well that ends well..

Giulio.
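The open question in the message above is how to force "is-at" (gratuitous ARP) messages for every address of an interface, aliases included, so that an upstream switch with a stale ARP cache learns all of them at once. The script below is an added example and not code from this thread, from FreeBSD, or from any of the participants. It parses ifconfig(8) output to collect the base address and its aliases, builds one gratuitous "is-at" frame per address (sender and target protocol address equal, target hardware address set to our own MAC), and can write the frames through bpf(4). Everything named in it is an assumption: the sample ifconfig output is constructed, the interface, MAC and 192.0.2.x addresses are made up, the BIOCSETIF ioctl value is the FreeBSD/amd64 one as far as I know, and /dev/bpf is FreeBSD's cloning device path.

```python
import fcntl
import os
import re
import socket
import struct
import subprocess
import sys

ETH_P_ARP = 0x0806
ETH_BROADCAST = b"\xff" * 6
ARP_REQUEST = 1   # "who-has"
ARP_REPLY = 2     # "is-at"

# BIOCSETIF = _IOW('B', 108, struct ifreq) with sizeof(struct ifreq) == 32.
# Assumption: FreeBSD/amd64 value; not taken from the thread or verified elsewhere.
BIOCSETIF = 0x8020426C

# Constructed sample of `ifconfig vlan10` output with two aliases (not real data).
SAMPLE_IFCONFIG = """\
vlan10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\toptions=3<RXCSUM,TXCSUM>
\tether 00:11:22:33:44:55
\tinet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
\tinet 192.0.2.11 netmask 0xffffffff broadcast 192.0.2.11
\tinet 192.0.2.12 netmask 0xffffffff broadcast 192.0.2.12
\tmedia: Ethernet autoselect (1000baseT <full-duplex>)
\tstatus: active
\tvlan: 10 parent interface: em0
"""


def inet_addrs(ifconfig_output):
    """All IPv4 addresses (base address plus aliases); 'inet6' lines do not match."""
    return re.findall(r"^\s*inet (\d+\.\d+\.\d+\.\d+)", ifconfig_output, re.M)


def ether_addr(ifconfig_output):
    """Link-layer address from the 'ether' line, or None if there is none."""
    m = re.search(r"^\s*ether ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", ifconfig_output, re.M)
    return m.group(1) if m else None


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header (broadcast destination) followed by a 28-byte ARP packet."""
    eth = struct.pack("!6s6sH", ETH_BROADCAST, mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def gratuitous_arp(mac, ip, reply=True):
    """Gratuitous ARP: sender IP == target IP. reply=True is the "is-at" form
    (op 2, target hw = our MAC); reply=False is the "who-has" form (op 1,
    target hw zeroed) that a host emits when an address is configured."""
    if reply:
        return build_arp(ARP_REPLY, mac, ip, mac, ip)
    return build_arp(ARP_REQUEST, mac, ip, "00:00:00:00:00:00", ip)


def parse_arp(frame):
    """Decode a frame produced by build_arp, for inspection and tests."""
    _dst, _src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    (_ht, _pt, _hl, _pl, op, sha, spa, tha, tpa) = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": "is-at" if op == ARP_REPLY else "who-has",
            "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa),
            "gratuitous": spa == tpa}


def gratuitous_frames(ifconfig_output, mac=None):
    """One "is-at" frame per IPv4 address. mac= overrides the 'ether' line; use it
    for a carp(4) interface, which answers with the VRRP MAC 00:00:5e:00:01:<vhid>."""
    mac = mac or ether_addr(ifconfig_output)
    if mac is None:
        raise ValueError("no link-layer address found: pass mac= explicitly")
    return [gratuitous_arp(mac, ip) for ip in inet_addrs(ifconfig_output)]


def send_frames(ifname, frames, bpf_dev="/dev/bpf"):
    """Write raw frames through bpf(4); needs root and FreeBSD's cloning /dev/bpf."""
    fd = os.open(bpf_dev, os.O_RDWR)
    try:
        fcntl.ioctl(fd, BIOCSETIF, struct.pack("16s16x", ifname.encode()))
        for frame in frames:
            os.write(fd, frame)
    finally:
        os.close(fd)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: garp.py <interface> [mac]")
    out = subprocess.run(["ifconfig", sys.argv[1]], capture_output=True,
                         text=True, check=True).stdout
    frames = gratuitous_frames(out, sys.argv[2] if len(sys.argv) > 2 else None)
    for f in frames:
        print(parse_arp(f))
    send_frames(sys.argv[1], frames)
```

Run as root with the interface that carries the aliases (for a carp interface, pass its 00:00:5e:00:01:vhid address as the second argument). The "is-at" form is used because it is the one the message asks about; it differs from the "who-has" form only in the opcode and the target hardware field, and either one carries sender IP == target IP, which is what makes a listener treat it as a cache update rather than a lookup.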
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4863F6B3.4020308>