[nsp] HSRP and Netscreen Firewalls

Stephen Gill gillsr at yahoo.com
Fri Jan 10 10:31:24 EST 2003


Hi Larry,
The full command is actually 'set arp always-on-dest'.  

This is required when in route mode (not as important in transparent
mode since it's not routing) so that the Netscreen firewall doesn't get
confused as to which MAC address to send packets back to.  It tells the
Netscreen "to send an arp request and obtain a mac address for any
incoming packet whose header contains a MAC address not yet listed in
the device's MAC address table."

It can get confused in HSRP/VRRP environments because the default
behavior is to learn ARP entries from the source MAC address of frames
as they enter the firewall.  There is likely a minor performance
improvement with this behavior but in my experience it causes much more
grief than pain to not enable this flag by default on every firewall I
administer.

Cheers,
-- steve

-----Original Message-----
From: Larry Rosenman [mailto:ler at lerctr.org] 
Sent: Friday, January 10, 2003 9:59 AM
To: Stephen Gill; 'Ian Terry'; cisco-nsp at puck.nether.net
Subject: RE: [nsp] HSRP and Netscreen Firewalls

Steve,
   What is set arp always for?  The routers? or something else?

I've never heard of it, but occasionally have seen weirdness with my
HSRP between some routers of mine.

Please enlighten me/us.

Thanks,
LER


--On Friday, January 10, 2003 09:42:20 -0600 Stephen Gill 
<gillsr at yahoo.com> wrote:

> Also make sure 'set arp always' is enabled - key for HSRP
> environments.
>
> -- steve
>
> -----Original Message-----
> From: Stephen Gill [mailto:gillsr at yahoo.com]
> Sent: Friday, January 10, 2003 9:40 AM
> To: 'Ian Terry'; 'cisco-nsp at puck.nether.net'
> Subject: RE: [nsp] HSRP and Netscreen Firewalls
>
> A few things you might wish to check:
>
> 1.  Check what OS version you are running.  May require an upgrade.
> 2.  Ensure that 'set flow mac-flooding' is enabled.
> 3.  Ensure that you have created a policy that matches the traffic to
> allow it through.
>
> -- steve
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ian Terry
> Sent: Friday, January 10, 2003 9:06 AM
> To: cisco-nsp at puck.nether.net
> Subject: [nsp] HSRP and Netscreen Firewalls
>
> Hello,
>
> We have a customer who has dual peering links with two different
> providers that are maintained via Cisco 7500 routers
>
> Behind the routers the customer has Netscreen Firewalls that are
> configured to operate in transparent mode.
>
> The routers are running HSRP and unfortunately the multicasting of
> HSRP
> does not appear to be allowed through the Firewall - even though
> Netscreen claim that it should. If the Firewall is removed, then HSRP
> works fine.
>
> Does anybody have an experiences similar to this ?
>
> regards, Ian
>
> tel:   44 (0)7970 499187
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>



-- 
Larry Rosenman                     http://www.lerctr.org/~ler
Phone: +1 972-414-9812                 E-Mail: ler at lerctr.org
US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749
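Added example, not code from the thread and not ScreenOS configuration: a small Python model of the two behaviours Steve contrasts, a route-mode firewall that learns the return MAC from the source MAC of the frame it received versus one that ARPs for its next hop (what 'set arp always-on-dest' does), run through an HSRP failover. It also shows the one match a transparent-mode policy must permit for Ian's hellos to pass. The HSRPv1 constants (224.0.0.2, UDP 1985, virtual MAC 00:00:0c:07:ac:xx) are real; the Firewall and Segment classes, all addresses, and the assumption that the active router sources routed frames from its burned-in MAC are mine.

```python
"""Added example (not from the thread, not ScreenOS code): a toy model of
why a route-mode firewall behind an HSRP pair wants 'set arp always-on-dest'.
Addresses, the Firewall/Segment classes and the failover sequence are
constructed; the HSRPv1 constants (224.0.0.2, UDP 1985, 00:00:0c:07:ac:xx)
are real."""
from dataclasses import dataclass, field

HSRP_MCAST = "224.0.0.2"   # HSRPv1 hellos go here, UDP port 1985
HSRP_PORT = 1985


def hsrp_virtual_mac(group: int) -> str:
    """HSRPv1 virtual MAC for a standby group: 00:00:0c:07:ac:<group>."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group numbers are 0-255")
    return f"00:00:0c:07:ac:{group:02x}"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str = "tcp"
    dport: int = 0


def is_hsrp_hello(f: Frame) -> bool:
    """The traffic a transparent-mode policy must permit so the routers
    see each other's hellos (Ian's original problem)."""
    return f.proto == "udp" and f.dst_ip == HSRP_MCAST and f.dport == HSRP_PORT


@dataclass
class Segment:
    """The LAN between routers and firewall: who answers ARP for which IP,
    and which MACs currently accept frames."""
    arp: dict = field(default_factory=dict)   # ip -> MAC that answers for it
    live: set = field(default_factory=set)    # MACs that will pick up a frame


@dataclass
class Firewall:
    gateway_ip: str          # route-mode next hop = the HSRP virtual IP
    always_on_dest: bool     # models 'set arp always-on-dest'
    seg: Segment
    reply_mac: dict = field(default_factory=dict)   # remote ip -> MAC for replies
    arp_cache: dict = field(default_factory=dict)

    def inbound(self, f: Frame) -> None:
        """Decide where replies to f.src_ip will be sent."""
        if self.always_on_dest:
            # ARP for the next hop; ignore the frame's source MAC
            if self.gateway_ip not in self.arp_cache:
                self.arp_cache[self.gateway_ip] = self.seg.arp[self.gateway_ip]
            self.reply_mac[f.src_ip] = self.arp_cache[self.gateway_ip]
        else:
            # default behaviour as described in the thread: learn from src MAC
            self.reply_mac[f.src_ip] = f.src_mac

    def reply_reaches_a_router(self, remote_ip: str) -> bool:
        return self.reply_mac[remote_ip] in self.seg.live


def simulate(always_on_dest: bool) -> tuple:
    """Return (reply ok before failover, reply ok after failover)."""
    r1_bia, r2_bia = "00:11:22:33:44:01", "00:11:22:33:44:02"   # constructed
    vip, vmac = "10.0.0.1", hsrp_virtual_mac(1)
    seg = Segment(arp={vip: vmac}, live={r1_bia, r2_bia, vmac})
    fw = Firewall(gateway_ip=vip, always_on_dest=always_on_dest, seg=seg)

    # R1 is active.  Assumption: it forwards a remote client's packet with
    # its own burned-in MAC as the frame source (typical on Cisco routers;
    # only hellos and ARP replies for the VIP carry the virtual MAC).
    fw.inbound(Frame(src_mac=r1_bia, dst_mac="00:10:db:00:00:01",
                     src_ip="198.51.100.7", dst_ip="10.0.0.10"))
    before = fw.reply_reaches_a_router("198.51.100.7")

    # HSRP failover: R1 dies, R2 becomes active and now owns the virtual MAC.
    # VIP -> virtual MAC is unchanged, which is the whole point of HSRP.
    seg.live.discard(r1_bia)
    after = fw.reply_reaches_a_router("198.51.100.7")
    return before, after


if __name__ == "__main__":
    print("default learning   :", simulate(False))   # (True, False): replies black-holed
    print("arp always-on-dest :", simulate(True))    # (True, True)
```

With default learning the firewall keeps sending return traffic to the dead router's burned-in MAC after the failover; with the ARP-on-destination behaviour it resolved the virtual IP to the virtual MAC once, and that mapping survives the failover because the new active router takes the virtual MAC with it.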