[c-nsp] Static route withdrawal / tracking arp

Rodney Dunn rodunn at cisco.com
Wed Apr 4 13:25:31 EDT 2007


An arp entry doesn't guarantee transit forwarding.

It can lead to a blackhole scenario.

So it depends on what level of failover you want.

Your request has validity. But given the other variants available
to solve the problem it's very unlikely anyone would code it.

Rodney

On Wed, Apr 04, 2007 at 12:06:12PM -0400, fonesurj wrote:
> Yes indeed, this is what is on the table at the moment.
> 
> I was originally just wishing there was a way to do it on arp so that it 
> wouldn't require our vendor/customer/whoever to add any additional 
> configuration and thus engage their change management process and all of 
> that administrative overhead and other baloney (like IS saying.. "we can't 
> allow that!").
> 
> At the moment, there are no static one-to-one mappings in place, they only 
> reach out to us through the NAT on the outside of the firewall.
> 
> It would just be very convenient to track arp.
> 
> 
> ----- Original Message ----- 
> From: "David Prall" <dcp at dcptech.com>
> To: "'fonesurj'" <dwinkworth at wi.rr.com>; "Rodney Dunn (rodunn)" 
> <rodunn at cisco.com>
> Cc: <cisco-nsp at puck.nether.net>
> Sent: Wednesday, April 04, 2007 12:28 PM
> Subject: RE: [c-nsp] Static route withdrawal / tracking arp
> 
> 
> > So track something that is through the Firewall. Create a static host route
> > to the router on the other side of the firewall. You don't want your ping to
> > start working again, unless the firewall is working again.
> >
> > http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/fthsrptk.htm
> >
> > David
> >
> > --
> > http://dcp.dcptech.com
> >
> >
> >> -----Original Message-----
> >> From: cisco-nsp-bounces at puck.nether.net
> >> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of fonesurj
> >> Sent: Wednesday, April 04, 2007 10:54 AM
> >> To: Rodney Dunn
> >> Cc: cisco-nsp at puck.nether.net
> >> Subject: Re: [c-nsp] Static route withdrawal / tracking arp
> >>
> >> Can't ping the outside interface of the firewall.
> >>
> >> I'm not seeing where the functionality required is available.
> >>
> >>
> >> ----- Original Message -----
> >> From: "Rodney Dunn" <rodunn at cisco.com>
> >> To: "fonesurj" <dwinkworth at wi.rr.com>
> >> Cc: <cisco-nsp at puck.nether.net>
> >> Sent: Wednesday, April 04, 2007 11:16 AM
> >> Subject: Re: [c-nsp] Static route withdrawal / tracking arp
> >>
> >>
> >> > You can get the same type thing with Object tracking of static routes.
> >> >
> >> > Search for it on CCO.
> >> >
> >> > You can monitor the state of the FW and have the route adjusted
> >> > accordingly.
> >> >
> >> > Rodney
> >> >
> >> > On Wed, Apr 04, 2007 at 09:57:06AM -0400, fonesurj wrote:
> >> >> I have a router connected to a switch on Fa0/0.  I have a static route
> >> >> pointing to another company's firewall that is out that interface.
> >> >>
> >> >> That static route won't go away if the firewall takes a poop and the
> >> >> switch does not.
> >> >>
> >> >> So wouldn't it be sweet if we could withdraw the static route if the
> >> >> firewall stopped responding to ARPs?
> >> >>
> >> >> _______________________________________________
> >> >> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >>
> >>
> > 
> 
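
The object-tracking approach suggested in this thread, sketched as an added IOS configuration example (not posted by anyone on the list): the probe targets a router beyond the firewall and is pinned through the firewall by an untracked host route, so the tracked static route is withdrawn when transit forwarding fails rather than only when ARP does. All addresses and object numbers are constructed placeholders, and the far-side router is assumed to answer ICMP echo through the firewall. The `ip sla` and `track ... ip sla` keywords are the later IOS syntax; older releases use the `ip sla monitor` and `rtr` forms.

```cisco
! Constructed example: documentation address ranges, arbitrary object numbers.
!   198.51.100.1    other company's firewall (next hop out Fa0/0)
!   192.0.2.2       router on the far side of that firewall (probe target)
!   203.0.113.0/24  prefix reached through the firewall
!
! Untracked host route: the probe can only leave via the firewall, so it
! cannot start succeeding again over some other path while the firewall
! is still down.
ip route 192.0.2.2 255.255.255.255 198.51.100.1
!
! ICMP echo probe toward the far-side router every 10 seconds.
ip sla 10
 icmp-echo 192.0.2.2 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 10 life forever start-time now
!
! Track object follows probe reachability; the delays damp flapping.
track 10 ip sla 10 reachability
 delay down 20 up 60
!
! Tracked static route: removed from the routing table while track 10 is down.
ip route 203.0.113.0 255.255.255.0 198.51.100.1 track 10
```

`show track 10` and `show ip sla statistics 10` report the probe and track state, and `show ip route 203.0.113.0` confirms whether the static route is currently installed.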

