[c-nsp] Static route withdrawal / tracking arp

Rodney Dunn rodunn at cisco.com
Wed Apr 4 13:35:07 EDT 2007


Post it on Cisco Beyond if you get it to work for others to use.

On Wed, Apr 04, 2007 at 12:34:38PM -0400, fonesurj wrote:
> 
> 
> Duh is right.  I know TCL a tiny bit, I could hammer that out!
> 
> ----- Original Message ----- 
> From: "Rodney Dunn" <rodunn at cisco.com>
> To: "fonesurj" <dwinkworth at wi.rr.com>
> Cc: <cisco-nsp at puck.nether.net>
> Sent: Wednesday, April 04, 2007 1:27 PM
> Subject: Re: [c-nsp] Static route withdrawal / tracking arp
> 
> 
> >Duh...
> >
> >I forgot.
> >
> >You can do it today.
> >
> >Learn EEM and TCL.
> >
> >Check 'sh arp' output. Look for your entry.
> >If it's not there change the route.
> >
> >Trigger another script to watch for the arp to come back.
> >
> >When it does add the route back.
> >
> >Rodney
> >
> >
> >On Wed, Apr 04, 2007 at 01:25:31PM -0400, Rodney Dunn wrote:
> >>An arp entry doesn't guarantee transit forwarding.
> >>
> >>It can lead to a blackhole scenario.
> >>
> >>So it depends on what level of failover you want.
> >>
> >>Your request has validity. But given the other variants available
> >>to solve the problem it's very unlikely anyone would code it.
> >>
> >>Rodney
> >>
> >>On Wed, Apr 04, 2007 at 12:06:12PM -0400, fonesurj wrote:
> >>> Yes indeed, this is what is on the table at the moment.
> >>>
> >>> I was originally just wishing there was a way to do it on arp so that it
> >>> wouldn't require our vendor/customer/whoever to add any additional
> >>> configuration and thus engage their change management process and all of
> >>> that administrative overhead and other baloney (like IS saying.. "we can't
> >>> allow that!").
> >>>
> >>> At the moment, there are no static one-to-one mappings in place, they only
> >>> reach out to us through the NAT on the outside of the firewall.
> >>>
> >>> It would just be very convenient to track arp.
> >>>
> >>>
> >>> ----- Original Message ----- 
> >>> From: "David Prall" <dcp at dcptech.com>
> >>> To: "'fonesurj'" <dwinkworth at wi.rr.com>; "Rodney Dunn (rodunn)"
> >>> <rodunn at cisco.com>
> >>> Cc: <cisco-nsp at puck.nether.net>
> >>> Sent: Wednesday, April 04, 2007 12:28 PM
> >>> Subject: RE: [c-nsp] Static route withdrawal / tracking arp
> >>>
> >>>
> >>> > So track something that is through the Firewall. Create a static host route
> >>> > to the router on the other side of the firewall. You don't want your ping to
> >>> > start working again, unless the firewall is working again.
> >>> >
> >>> > http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/fthsrptk.htm
> >>> >
> >>> > David
> >>> >
> >>> > --
> >>> > http://dcp.dcptech.com
> >>> >
> >>> >
> >>> >> -----Original Message-----
> >>> >> From: cisco-nsp-bounces at puck.nether.net
> >>> >> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of fonesurj
> >>> >> Sent: Wednesday, April 04, 2007 10:54 AM
> >>> >> To: Rodney Dunn
> >>> >> Cc: cisco-nsp at puck.nether.net
> >>> >> Subject: Re: [c-nsp] Static route withdrawal / tracking arp
> >>> >>
> >>> >> Can't ping the outside interface of the firewall.
> >>> >>
> >>> >> I'm not seeing where the functionality required is available.
> >>> >>
> >>> >>
> >>> >> ----- Original Message -----
> >>> >> From: "Rodney Dunn" <rodunn at cisco.com>
> >>> >> To: "fonesurj" <dwinkworth at wi.rr.com>
> >>> >> Cc: <cisco-nsp at puck.nether.net>
> >>> >> Sent: Wednesday, April 04, 2007 11:16 AM
> >>> >> Subject: Re: [c-nsp] Static route withdrawal / tracking arp
> >>> >>
> >>> >>
> >>> >> > You can get the same type thing with Object tracking of
> >>> >> static routes.
> >>> >> >
> >>> >> > Search for it on CCO.
> >>> >> >
> >>> >> > You can monitor the state of the FW and have the route adjusted
> >>> >> > accordingly.
> >>> >> >
> >>> >> > Rodney
> >>> >> >
> >>> >> > On Wed, Apr 04, 2007 at 09:57:06AM -0400, fonesurj wrote:
> >>> >> >> I have a router connected to a switch on Fa0/0.  I have a static route
> >>> >> >> pointing to another company's firewall that is out that interface.
> >>> >> >>
> >>> >> >> That static route won't go away if the firewall takes a poop and the
> >>> >> >> switch does not.
> >>> >> >>
> >>> >> >> So wouldn't it be sweet if we could withdraw the static route if the
> >>> >> >> firewall stopped responding to ARPs?
> >>> >> >>
> >>> >> >> _______________________________________________
> >>> >> >> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >>> >> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >>> >> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >>> >>
> >>> >>
> >>> >
> >>>
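Both mechanisms discussed in this thread, tracked-static-route failover via IP SLA (what Rodney and David suggest) and an EEM applet that polls `show ip arp` the way Rodney's Tcl sketch does, as an added IOS configuration example that is not part of the original posts or of any Cisco document. All addresses are assumptions: 192.0.2.1 is the firewall's outside address (the static next hop on Fa0/0), 10.20.0.0/16 is the network behind it, and 203.0.113.10 is a host on the far side of the firewall that answers ICMP. The `ip sla` / `track ... ip sla` syntax is that of 12.4(20)T and later (older images use `ip sla monitor` and `track ... rtr`), and the applet form needs an IOS whose EEM supports `if`/`else` actions (EEM 3.0 and later); on the 12.4T images of the thread's era the same logic has to be a Tcl policy, which is why Rodney points at Tcl. The two options install the same prefix, so use one or the other, not both.

```cisco
! --- Option A: object tracking of the static route (preferred) ---
! Probe a host that is only reachable THROUGH the firewall, so the probe
! fails when the firewall fails even though the switch and ARP stay up.
ip sla 1
 icmp-echo 203.0.113.10 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Hysteresis: withdraw after 30 s of failures, restore after 60 s of success.
track 1 ip sla 1 reachability
 delay down 30 up 60
!
! Host route pins the probe to the firewall path (David's point): without it
! the probe could succeed over another path and re-install the route.
ip route 203.0.113.10 255.255.255.255 192.0.2.1
!
! The real static route is in the routing table only while track 1 is up.
ip route 10.20.0.0 255.255.0.0 192.0.2.1 track 1
!
! --- Option B: EEM applet polling ARP (what the thread asked for) ---
! Caveat from the thread: an ARP entry proves the firewall's NIC answers,
! not that it forwards, so this can still blackhole traffic.
event manager applet ARP-WATCH
 event timer watchdog time 30
 action 010 cli command "enable"
 action 020 cli command "show ip arp 192.0.2.1"
 action 030 regexp "Internet +192.0.2.1 +[0-9-]+ +[0-9a-f.]+ +ARPA" "$_cli_result"
 action 040 if $_regexp_result eq 1
 action 050 cli command "configure terminal"
 action 060 cli command "ip route 10.20.0.0 255.255.0.0 192.0.2.1"
 action 070 cli command "end"
 action 080 else
 action 090 cli command "configure terminal"
 action 100 cli command "no ip route 10.20.0.0 255.255.0.0 192.0.2.1"
 action 110 cli command "end"
 action 120 end
```

Verify option A with `show track 1` and `show ip sla statistics 1`, then pull the firewall's cable and watch `show ip route static` drop the prefix after the 30 s delay. Option B is idempotent (IOS ignores a duplicate `ip route` and only warns when deleting an absent one) but re-issues a config command every 30 s, which floods syslog with config-change messages; a production version would act only on transitions, and the regexp's unescaped dots in the address are deliberately loose so the pattern needs no backslashes in the IOS CLI.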

