[c-nsp] Static route withdrawal / tracking arp

fonesurj dwinkworth at wi.rr.com
Wed Apr 4 12:34:38 EDT 2007



Duh is right.  I know TCL a tiny bit; I could hammer that out!

----- Original Message ----- 
From: "Rodney Dunn" <rodunn at cisco.com>
To: "fonesurj" <dwinkworth at wi.rr.com>
Cc: <cisco-nsp at puck.nether.net>
Sent: Wednesday, April 04, 2007 1:27 PM
Subject: Re: [c-nsp] Static route withdrawal / tracking arp


> Duh...
>
> I forgot.
>
> You can do it today.
>
> Learn EEM and TCL.
>
> Check 'sh arp' output. Look for your entry.
> If it's not there change the route.
>
> Trigger another script to watch for the arp to come back.
>
> When it does add the route back.
>
> Rodney
>
>
> On Wed, Apr 04, 2007 at 01:25:31PM -0400, Rodney Dunn wrote:
>> An arp entry doesn't guarantee transit forwarding.
>>
>> It can lead to a blackhole scenario.
>>
>> So it depends on what level of failover you want.
>>
>> Your request has validity. But given the other variants available
>> to solve the problem it's very unlikely anyone would code it.
>>
>> Rodney
>>
>> On Wed, Apr 04, 2007 at 12:06:12PM -0400, fonesurj wrote:
>> > Yes indeed, this is what is on the table at the moment.
>> >
>> > I was originally just wishing there was a way to do it on arp so that it
>> > wouldn't require our vendor/customer/whoever to add any additional
>> > configuration and thus engage their change management process and all of
>> > that administrative overhead and other bologna (like IS saying.. "we can't
>> > allow that!").
>> >
>> > At the moment, there are no static one-to-one mappings in place, they only
>> > reach out to us through the NAT on the outside of the firewall.
>> >
>> > It would just be very convenient to track arp.
>> >
>> >
>> > ----- Original Message ----- 
>> > From: "David Prall" <dcp at dcptech.com>
>> > To: "'fonesurj'" <dwinkworth at wi.rr.com>; "Rodney Dunn (rodunn)"
>> > <rodunn at cisco.com>
>> > Cc: <cisco-nsp at puck.nether.net>
>> > Sent: Wednesday, April 04, 2007 12:28 PM
>> > Subject: RE: [c-nsp] Static route withdrawal / tracking arp
>> >
>> >
>> > > So track something that is through the Firewall. Create a static host route
>> > > to the router on the other side of the firewall. You don't want your ping to
>> > > start working again, unless the firewall is working again.
>> > >
>> > > http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/fthsrptk.htm
>> > >
>> > > David
>> > >
>> > > --
>> > > http://dcp.dcptech.com
>> > >
>> > >
>> > >> -----Original Message-----
>> > >> From: cisco-nsp-bounces at puck.nether.net
>> > >> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of fonesurj
>> > >> Sent: Wednesday, April 04, 2007 10:54 AM
>> > >> To: Rodney Dunn
>> > >> Cc: cisco-nsp at puck.nether.net
>> > >> Subject: Re: [c-nsp] Static route withdrawal / tracking arp
>> > >>
>> > >> Can't ping the outside interface of the firewall.
>> > >>
>> > >> I'm not seeing where the functionality required is available.
>> > >>
>> > >>
>> > >> ----- Original Message -----
>> > >> From: "Rodney Dunn" <rodunn at cisco.com>
>> > >> To: "fonesurj" <dwinkworth at wi.rr.com>
>> > >> Cc: <cisco-nsp at puck.nether.net>
>> > >> Sent: Wednesday, April 04, 2007 11:16 AM
>> > >> Subject: Re: [c-nsp] Static route withdrawal / tracking arp
>> > >>
>> > >>
>> > >> > You can get the same type of thing with Object tracking of static routes.
>> > >> >
>> > >> > Search for it on CCO.
>> > >> >
>> > >> > You can monitor the state of the FW and have the route adjusted
>> > >> > accordingly.
>> > >> >
>> > >> > Rodney
>> > >> >
>> > >> > On Wed, Apr 04, 2007 at 09:57:06AM -0400, fonesurj wrote:
>> > >> >> I have a router connected to a switch on Fa0/0.  I have a static route
>> > >> >> pointing to another company's firewall that is out that interface.
>> > >> >>
>> > >> >> That static route won't go away if the firewall takes a poop and the
>> > >> >> switch does not.
>> > >> >>
>> > >> >> So wouldn't it be sweet if we could withdraw the static route if the
>> > >> >> firewall stopped responding to ARPs?
>> > >> >>
>> > >> >> _______________________________________________
>> > >> >> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> > >> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> > >> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
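
The procedure Rodney outlines above (check 'sh arp', withdraw the route when the entry is missing, restore it when the entry returns), as an added example that is not part of the original thread and not Cisco's own code. It folds both scripts into one EEM Tcl policy run from a watchdog timer; the addresses, the policy name arpwatch, the 30-second interval and the one-packet ping used to provoke an ARP request are assumptions.

```tcl
::cisco::eem::event_register_timer watchdog name arpwatch time 30
namespace import ::cisco::eem::*
namespace import ::cisco::lib::*
# Placeholder values (documentation address ranges), not from the thread.
set nexthop "192.0.2.1"
set route   "ip route 198.51.100.0 255.255.255.0 192.0.2.1"

# Run one CLI command and return its output; abort the policy on error.
proc run {fd cmd} {
    if {[catch {cli_exec $fd $cmd} out]} { error $out $::errorInfo }
    return $out
}

# Returns 1 only if 'show ip arp' lists the address with a real MAC. An entry
# whose hardware address column reads "Incomplete" counts as absent.
proc arp_resolved {output ip} {
    foreach line [split $output "\n"] {
        set f [regexp -all -inline {\S+} $line]
        if {[llength $f] >= 4 && [string equal [lindex $f 1] $ip] &&
            [regexp -nocase {^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$} [lindex $f 3]]} {
            return 1
        }
    }
    return 0
}

# Returns 1 if the exact static route line is in the running configuration.
proc route_present {output route} {
    foreach line [split $output "\n"] {
        if {[string equal [string trim $line] $route]} { return 1 }
    }
    return 0
}

if {[catch {cli_open} result]} { error $result $errorInfo }
array set cli $result
run $cli(fd) "enable"
# Assumption: one ping makes the router ARP for the next hop even while the
# route is withdrawn; the echo reply itself is not needed.
run $cli(fd) "ping $nexthop repeat 1 timeout 1"
set alive [arp_resolved [run $cli(fd) "show ip arp $nexthop"] $nexthop]
set have  [route_present [run $cli(fd) "show running-config | include ^ip route"] $route]
# Change the configuration only on a state transition, never on every poll.
if {!$alive && $have} {
    run $cli(fd) "configure terminal"; run $cli(fd) "no $route"; run $cli(fd) "end"
    action_syslog msg "arpwatch: no ARP entry for $nexthop, static route withdrawn"
} elseif {$alive && !$have} {
    run $cli(fd) "configure terminal"; run $cli(fd) "$route"; run $cli(fd) "end"
    action_syslog msg "arpwatch: ARP entry for $nexthop is back, static route restored"
}
cli_close $cli(fd) $cli(tty_id)
```

An ARP entry is only removed once it ages out and fails to refresh, so detection time follows the interface's ARP timeout. As noted in the thread, a present ARP entry still does not prove the firewall is forwarding.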
