ericbrouwers wrote:
> 
> It is indeed related to the command "use-bia". Here's a section
> from the doc

An HSRP router using Gratuitous ARP isn't just related to switches that have
to use a BIA. Unfortunately, most descriptions of HSRP, including ones I
have written myself, assume two routers on a shared old-style Ethernet.
Remember HSRP has been around for a long time!

But consider this typical modern campus network design that GroupStudy
posting software hopefully won't totally munge:

R1   R2
 |   |
 |   |
Sw1--Sw2
 |    |
PC1   PC2

Let's say the routers have chosen a virtual HSRP address of 10.0.0.1 for
HSRP Group 1. The virtual MAC address is 0000.0c07.ac01.

PC1 broadcasts an ARP looking for 10.0.0.1 and R1 is the active router. R1
sends back a unicast ARP reply.

Sw1 picks up that 0000.0c07.ac01 is reachable via the port at the top of SW1
in the drawing.

When PC2 broadcasts an ARP, the reply will travel from Sw1 to Sw2 to PC2. So
Sw2 picks up that the 0000.0c07.ac01 address is reachable via the port to
the left of Sw2 in the drawing. Sorry if that's too confusing, but I don't
want to waste time doing a good drawing with port numbers that will just get
munged anyway.

Now R2 stops hearing from R1 and takes over as the active HSRP router. R2
must send a Gratuitous ARP broadcast so that Sw1 and Sw2 change their MAC
address tables. Now the virtual MAC address 0000.0c07.ac01 is reachable on
Sw1 on its port that is shown to the right of Sw1 in the drawing.

On Sw2, the 0000.0c07.ac01 address is reachable from its port at the top of
the drawing.

The Gratuitous ARP fixes the MAC address tables on switches. Isn't that
explained in any Cisco docs? It has to work that way it seems to me.....


> "Hot Standby Router Protocol Features and Functionality" that was suggested
> by Daniel:
> 
> However, the use-bia command has several disadvantages:
> - When a router becomes active, the virtual IP address is moved to a
> different MAC address. The newly active router sends a gratuitous ARP
> response, but not all host implementations handle the gratuitous ARP
> correctly.

That may be true, but it's not meant to say that this is the only case where
the Gratuitous ARP is needed. It's needed for the general case too, from
what I understand.

Most host implementations do handle the Gratuitous ARP correctly, by the
way. In fact, this is open to an infamous man-in-the-middle security
vulnerability, sometimes misnamed as "ARP sniffing." An attacker can send a
Gratuitous ARP claiming to be the default gateway. Now all traffic destined
for another network goes to the attacker's machine! The attacker's machine
can use the info, but also better forward the traffic, or it will also be a
denial-of-service attack.

> > ----- Original Message -----
> > From: ericbrouwers
> > Date: Tuesday, March 18, 2003 1:24 am
> > Subject: Gratuitous ARP and HSRP [7:65633]
> >
> > > Hello all,
> > >
> > > I've read in the CCNP Switching Exam Cert. Guide that a standby
> > > router that becomes active in an HSRP group, sends a gratuitous ARP to
> > > update the ARP cache of the end stations with the new active MAC
> > > address...
> > >
> > > This is strange, since the same virtual MAC address is used by active
> > > and standby HSRP routers.
> > >
> > > However, maybe Cisco's implementation has once been like this, because
> > > I've seen instances in the field that ARP caches contained the real MAC
> > > instead of the virtual MAC address when using HSRP.

Seeing the real MAC address is probably a different problem. You could see
it if the router was at one point using the virtual address on a real
interface. For example, when you first get HSRP up and running, you may move
Ethernet1's IP address to the virtual address and assign a new real address
to Ethernet1.

The hosts will still have in their ARP cache the previous mapping. You can
clear their cache. Or just wait a couple minutes if it's Windows and the
users aren't doing anything. On Windows entries stay in the ARP cache for
only 2 minutes.
____________________________

Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com

> > >
> > > Can someone give comments on this?
> > >
> > > Thanks,
> > >
> > > Eric Brouwers
> > > [EMAIL PROTECTED]
> > > Nondisclosure violations to [EMAIL PROTECTED]

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=65704&t=65633
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
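The failover walk-through above (Sw1/Sw2 MAC tables before and after R2's gratuitous ARP) and the rogue-gateway gratuitous ARP mentioned later, as an added Python model that is not part of the original post or of any Cisco code: two learning switches wired as in the drawing, the post's virtual IP and virtual MAC, constructed host MACs (0000.1111.1111, 0000.2222.2222) and PC IPs. It also includes a simple check that flags a gratuitous ARP for the gateway IP whose sender is not the HSRP virtual MAC, which is what a gateway-MAC monitor or a switch's ARP inspection feature would look for.

```python
from dataclasses import dataclass
BROADCAST = "ffff.ffff.ffff"
HSRP_VMAC = "0000.0c07.ac01"   # HSRP group 1 virtual MAC from the post
GATEWAY_IP = "10.0.0.1"        # HSRP virtual IP from the post

@dataclass
class ArpFrame:
    src_mac: str      # Ethernet source address (what the switches learn)
    dst_mac: str      # BROADCAST or a unicast MAC
    sender_ip: str    # ARP sender protocol address
    target_ip: str    # ARP target protocol address; equals sender_ip when gratuitous

class Switch:       # minimal transparent bridge: learn source MAC on ingress, flood unknowns
    def __init__(self, name):
        self.name, self.cam, self.links = name, {}, {}   # cam: MAC -> local port
    def connect(self, port, other, other_port=None):      # other: Switch or host name
        self.links[port] = (other, other_port)
        if isinstance(other, Switch):
            other.links[other_port] = (self, port)
    def receive(self, frame, in_port):
        self.cam[frame.src_mac] = in_port                 # MAC address table learning
        if frame.dst_mac != BROADCAST and frame.dst_mac in self.cam:
            out_ports = [self.cam[frame.dst_mac]]
        else:
            out_ports = [p for p in self.links if p != in_port]
        for p in out_ports:
            nb, nb_port = self.links[p]
            if isinstance(nb, Switch):                    # hosts just sink the frame
                nb.receive(frame, nb_port)

def suspicious_gateway_arp(frame):
    """Gratuitous ARP claiming the gateway IP from a MAC other than the HSRP virtual MAC."""
    return frame.sender_ip == frame.target_ip == GATEWAY_IP and frame.src_mac != HSRP_VMAC

def failover_demo():
    sw1, sw2 = Switch("Sw1"), Switch("Sw2")
    sw1.connect("top", "R1"); sw1.connect("bottom", "PC1"); sw1.connect("right", sw2, "left")
    sw2.connect("top", "R2"); sw2.connect("bottom", "PC2")
    pc1, pc2 = "0000.1111.1111", "0000.2222.2222"         # constructed host MACs
    # PC1 ARPs for the gateway; active R1 replies unicast from the virtual MAC.
    sw1.receive(ArpFrame(pc1, BROADCAST, "10.0.0.11", GATEWAY_IP), "bottom")
    sw1.receive(ArpFrame(HSRP_VMAC, pc1, GATEWAY_IP, "10.0.0.11"), "top")
    # PC2 ARPs; R1's reply crosses Sw1 -> Sw2, so Sw2 learns the virtual MAC on "left".
    sw2.receive(ArpFrame(pc2, BROADCAST, "10.0.0.12", GATEWAY_IP), "bottom")
    sw1.receive(ArpFrame(HSRP_VMAC, pc2, GATEWAY_IP, "10.0.0.12"), "top")
    before = (sw1.cam[HSRP_VMAC], sw2.cam[HSRP_VMAC])
    # R2 takes over and broadcasts a gratuitous ARP from the virtual MAC (sender == target).
    sw2.receive(ArpFrame(HSRP_VMAC, BROADCAST, GATEWAY_IP, GATEWAY_IP), "top")
    after = (sw1.cam[HSRP_VMAC], sw2.cam[HSRP_VMAC])
    return before, after   # (("top", "left"), ("right", "top"))
```

Without the gratuitous ARP the `before` entries would persist until they aged out, and frames for the gateway would keep going toward the failed R1.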