[f-nsp] ARP/IP-CAM strangeness with FWS4802-PREM (solved)

[Gerald Krause]

On Friday 02 February 2007 19:13, Gerald Krause wrote:
> i have repeatedly check the mac table on the FWS4802 and don't
> detect any hint that the virtual MAC is learned from port 4
> and 5 at any time (what *maybe* *could* couse this behaviour)
> so i'am very disturbed about the ARP/CAM etries:

Ok, the problem was that the primary FW *and* the backup FW 
generate ARP replies for all the virtual IPs: the primary FW use 
the virtual MAC as Source for the Ethernet-ARP packet and also 
within the ARP-reply portion but the backup FW is sending the 
ARP reply from his native MAC (but mentioned the virtual MAC 
within ARP reply also).
It seems that the FWS4802-PREM take those ARP replies to program 
his forwarding table/cache but use only the ARP data portion and 
not the source MAC the packet is coming from.
Depending on from which port/FW the last ARP reply was seen, this 
port will be used as destination for all other packets for this 
IP.

> can i influence this in any way?

Our solution: we have moved from the plain layer 2 setup between 
our FWS4802-PREM and the customers FWs (the whole /24 net on the 
ethernet) to a (partial) routed setup in order to avoid further 
ARP mystify and this works now.

-- 
Gerald    (ax/tc)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: not available
URL: <https://puck.nether.net/pipermail/foundry-nsp/attachments/20070302/73071168/attachment.sig>