[f-nsp] ARP/IP-CAM strangeness with FWS4802-PREM
Gerald Krause
gk at ax.tc
Fri Feb 2 13:13:55 EST 2007
hello,
last night we installed a foundry FWS4802-PREM l3 switch and
noticed a strange behaviour with an HAV firewall setup consisting of
2 nokia checkpoint systems (active/passive).
the setup and the configuration is quite simple:
          GE-Uplinks
        ...        ...
         |          |
        e49        e50
         |          |
     +-------------+
     |   FWS4802   |   ve203 = 10.0.0.1/24
     +-------------+
         |          |
        e5         e4
         |          |
       [FW1]----[FW2]
         |          |
        ...        ...
           SERVER
          10.0.0.x
FW virtual/cluster IP = 10.0.0.2, MAC = 0000.5e00.0101
FW1 = active IP = 10.0.0.3, MAC = 00a0.8e7e.db28
FW2 = passive/backup IP = 10.0.0.4, MAC = 00a0.8e7e.d0f0
!
vlan 203 name XXX by port
untagged ethe 4 to 5
router-interface ve 203
!
interface ve 203
port-name XXX
ip address 10.0.0.1/24
!
interface ethernet 4
port-name XXX
!
interface ethernet 5
port-name XXX
!
when both ethernet ports 4 and 5 on the FWS4802 are enabled and
up'n running, we see ARP and IP-CAM entries like this:
RSW1#sh arp
-----------
      IP Address    MAC Address       Type      Age   Port
...
  1   10.0.0.202    0000.5e00.0101    Dynamic   5     5
  2   10.0.0.204    0000.5e00.0101    Dynamic   7     5
  3   10.0.0.207    0000.5e00.0101    Dynamic   7     4
  4   10.0.0.213    0000.5e00.0101    Dynamic   5     4
  5   10.0.0.215    0000.5e00.0101    Dynamic   7     5
  6   10.0.0.220    0000.5e00.0101    Dynamic   6     4
  7   10.0.0.221    0000.5e00.0101    Dynamic   5     5
  8   10.0.0.222    0000.5e00.0101    Dynamic   2     5
  9   10.0.0.227    0000.5e00.0101    Dynamic   6     4
...
103   10.0.0.2      0000.5e00.0101    Dynamic   0     5
104   10.0.0.3      00a0.8e7e.db28    Dynamic   5     5
106   10.0.0.4      00a0.8e7e.d0f0    Dynamic   3     4
...
RSW1#sh cam ip 5 | inc 10.0.0
-----------------------------
Slot  Index  IP_Address      MAC              Age  VLAN  Port
...
1     8223   10.0.0.18/32    0000.5e00.0101   0    203   ether 5
1     8234   10.0.0.1/32     0000.0000.0000   dis  N/A   FID unused
1     8236   10.0.0.229/32   0000.5e00.0101   69   203   ether 4
1     8249   10.0.0.255/32   0000.0000.0000   dis  N/A   FID unused
1     8254   10.0.0.251/32   0000.5e00.0101   4    203   ether 5
1     8268   10.0.0.242/32   0000.5e00.0101   19   203   ether 4
1     8295   10.0.0.234/32   0000.5e00.0101   45   203   ether 5
1     8303   10.0.0.108/32   0000.5e00.0101   49   203   ether 4
1     8306   10.0.0.3/32     00a0.8e7e.db28   62   203   ether 5
1     8311   10.0.0.200/32   0000.5e00.0101   99   203   ether 4
1     8321   10.0.0.27/32    0000.5e00.0101   9    203   ether 4
1     8335   10.0.0.238/32   0000.5e00.0101   6    203   ether 4
1     8340   10.0.0.32/32    0000.5e00.0101   33   203   ether 4
1     8378   10.0.0.244/32   0000.5e00.0101   44   203   ether 5
1     8382   10.0.0.29/32    0000.5e00.0101   69   203   ether 5
...
this isn't ok because the virtual MAC and the bound IPs should
be reachable via the active FW on port 5 only, but as you can see
the IPs are scattered among ports 4 and 5.
i have repeatedly checked the mac table on the FWS4802 and don't
detect any hint that the virtual MAC is learned from port 4 and
5 at any time (what *maybe* *could* cause this behaviour), so
i'm very disturbed about the ARP/CAM entries:
RSW1#sh mac-address ethernet 4
------------------------------
Total active entries from slot/port 1/4 = 1
Type D:Dynamic S:Static L:Lock Address M:Secure Mac
MAC Address      Port  Age  Type  DMA Valid Flags     VLAN  DMA:CAM Index
00a0.8e7e.d0f0   4     0    D     00000000-00000001   203   0:22565

RSW1#sh mac-address ethernet 5
------------------------------
Total active entries from slot/port 1/5 = 2
Type D:Dynamic S:Static L:Lock Address M:Secure Mac
MAC Address      Port  Age  Type  DMA Valid Flags     VLAN  DMA:CAM Index
0000.5e00.0101   5     0    D     00000000-00000001   203   0:22554
00a0.8e7e.db28   5     0    D     00000000-00000001   203   0:22553

RSW1#sh cam ethernet 5 | inc 0000.5e00.0101
-------------------------------------------
Slot  Index  MAC              Age  Source Port  VLAN  OutPort
1     22554  0000.5e00.0101   1    ether 5      203   ether 5

RSW1#sh cam ethernet 4 | inc 0000.5e00.0101
-------------------------------------------
Slot  Index  MAC              Age  Source Port  VLAN  OutPort
1     22554  0000.5e00.0101   0    ether 5      203   ether 5

RSW1#sh cam ethernet 50 | inc 0000.5e00.0101
--------------------------------------------
[empty]

RSW1#sh cam ethernet 49 | inc 0000.5e00.0101
--------------------------------------------
Slot  Index  MAC              Age  Source Port  VLAN  OutPort
1     22554  0000.5e00.0101   1    ether 5      203   ether 5
because the passive/backup firewall does not recognize packets
for the virtual MAC 0000.5e00.0101 until it has become 'active', we
have to shut down port 4 in order to make the servers behind it
accessible, but the HAV setup is broken now :(.
why does the FWS4802 generate those (wrong) ARP and IP CAM
entries? can i influence this in any way?
btw: we are using software 09.3.00cT53 with BGP, OSPF,
dr-aggregate and load-sharing enabled.
thx in advance for every hint to catch this issue,
--
Gerald (ax/tc)
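Added example, not part of Gerald's post: a small Python script that performs the cross-check he did by hand, parsing "sh arp" and "sh mac-address" output and flagging ARP entries whose port disagrees with the port the MAC was actually learned on (here, virtual-MAC entries pointing at the standby firewall's port). The sample tables are constructed excerpts of the output quoted above, in IronWare's whitespace-separated format.

```python
import re

# Constructed sample: trimmed copies of the "sh arp" and "sh mac-address"
# output quoted in the post (assumed whitespace-separated columns).
ARP_OUTPUT = """\
IP Address MAC Address Type Age Port
1 10.0.0.202 0000.5e00.0101 Dynamic 5 5
2 10.0.0.207 0000.5e00.0101 Dynamic 7 4
3 10.0.0.213 0000.5e00.0101 Dynamic 5 4
4 10.0.0.2 0000.5e00.0101 Dynamic 0 5
5 10.0.0.3 00a0.8e7e.db28 Dynamic 5 5
6 10.0.0.4 00a0.8e7e.d0f0 Dynamic 3 4
"""

MAC_OUTPUT = """\
Total active entries from slot/port 1/4 = 1
MAC Address Port Age Type DMA Valid Flags VLAN DMA:CAM Index
00a0.8e7e.d0f0 4 0 D 00000000-00000001 203 0:22565
0000.5e00.0101 5 0 D 00000000-00000001 203 0:22554
00a0.8e7e.db28 5 0 D 00000000-00000001 203 0:22553
"""

# Cisco/Foundry dotted-hex MAC notation, e.g. 0000.5e00.0101
MAC_RE = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}", re.I)

def parse_arp(text):
    """Return {ip: (mac, port)} from 'sh arp' output; headers are skipped."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        # data rows look like: index, ip, mac, type, age, port
        if len(fields) == 6 and MAC_RE.fullmatch(fields[2]):
            entries[fields[1]] = (fields[2], fields[5])
    return entries

def parse_mac_table(text):
    """Return {mac: port} from 'sh mac-address' output."""
    learned = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and MAC_RE.fullmatch(fields[0]):
            learned[fields[0]] = fields[1]
    return learned

def find_mismatches(arp_text, mac_text):
    """ARP entries whose port differs from where the MAC was learned."""
    learned = parse_mac_table(mac_text)
    bad = []
    for ip, (mac, port) in parse_arp(arp_text).items():
        if mac in learned and learned[mac] != port:
            bad.append((ip, mac, port, learned[mac]))
    return bad
```

Each tuple returned is (ip, mac, arp_port, learned_port); on the sample data it flags 10.0.0.207 and 10.0.0.213, whose ARP entries point at port 4 although 0000.5e00.0101 is only learned on port 5.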