ericbrouwers wrote:

> It is indeed related to the command "use-bia". Here's a section
> from the doc

An HSRP router using Gratuitous ARP isn't just related to switches that have to use a BIA. Unfortunately, most descriptions of HSRP, including ones I have written myself, assume two routers on a shared old-style Ethernet. Remember HSRP has been around for a long time! But consider this typical modern campus network design that GroupStudy posting software hopefully won't totally munge:

    R1      R2
    |       |
    |       |
   Sw1-----Sw2
    |       |
   PC1     PC2

Let's say the routers have chosen a virtual HSRP address of 10.0.0.1 for HSRP Group 1. The virtual MAC address is 0000.0c07.ac01. PC1 broadcasts an ARP looking for 10.0.0.1 and R1 is the active router. R1 sends back a unicast ARP reply. Sw1 picks up that 0000.0c07.ac01 is reachable via the port at the top of Sw1 in the drawing. When PC2 broadcasts an ARP, the reply will travel from Sw1 to Sw2 to PC2. So Sw2 picks up that the 0000.0c07.ac01 address is reachable via the port to the left of Sw2 in the drawing. Sorry if that's too confusing, but I don't want to waste time doing a good drawing with port numbers that will just get munged anyway.

Now R2 stops hearing from R1 and takes over as the active HSRP router. R2 must send a Gratuitous ARP broadcast so that Sw1 and Sw2 change their MAC address tables. Now the virtual MAC address 0000.0c07.ac01 is reachable on Sw1 on its port that is shown to the right of Sw1 in the drawing. On Sw2, the 0000.0c07.ac01 address is reachable from its port at the top of the drawing.

The Gratuitous ARP fixes the MAC address tables on switches. Isn't that explained in any Cisco docs? It has to work that way it seems to me.....

> "Hot Standby Router Protocol Features and Functionality" that
> was suggested by Daniel:
>
> However, the use-bia command has several disadvantages:
> - When a router becomes active, the virtual IP address is moved to a
>   different MAC address. The newly active router sends a gratuitous
>   ARP response, but not all host implementations handle the
>   gratuitous ARP correctly.

That may be true, but it's not meant to say that this is the only case where the Gratuitous ARP is needed. It's needed for the general case too, from what I understand. Most host implementations do handle the Gratuitous ARP correctly, by the way.

In fact, this is open to an infamous man-in-the-middle security vulnerability, sometimes misnamed as "ARP sniffing." An attacker can send a Gratuitous ARP claiming to be the default gateway. Now all traffic destined for another network goes to the attacker's machine! The attacker's machine can use the info, but it had better also forward the traffic, or it will also be a denial-of-service attack.

> > ----- Original Message -----
> > From: ericbrouwers
> > Date: Tuesday, March 18, 2003 1:24 am
> > Subject: Gratuitous ARP and HSRP [7:65633]
> >
> > > Hello all,
> > >
> > > I've read in the CCNP Switching Exam Cert. Guide that a standby
> > > router that becomes active in an HSRP group sends a gratuitous ARP
> > > to update the ARP cache of the end stations with the new active MAC
> > > address...
> > >
> > > This is strange, since the same virtual MAC address is used by
> > > active and standby HSRP routers.
> > >
> > > However, maybe Cisco's implementation has once been like this,
> > > because I've seen instances in the field that ARP caches contained
> > > the real MAC instead of the virtual MAC address when using HSRP.

Seeing the real MAC address is probably a different problem. You could see it if the router was at one point using the virtual address on a real interface. For example, when you first get HSRP up and running, you may move Ethernet1's IP address to the virtual address and assign a new real address to Ethernet1. The hosts will still have in their ARP cache the previous mapping. You can clear their cache. Or just wait a couple minutes if it's Windows and the users aren't doing anything. On Windows entries stay in the ARP cache for only 2 minutes.

____________________________
Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com

> > > Can someone give comments on this?
> > >
> > > Thanks,
> > >
> > > Eric Brouwers
> > > [EMAIL PROTECTED]
> > > Nondisclosure violations to [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=65704&t=65633
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
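The failover sequence Priscilla walks through above (R1 answers PC1 and PC2, then R2 takes over and broadcasts a Gratuitous ARP that flips the switch MAC tables), replayed as an added example that is not part of the original thread. The two switches are modelled as learning bridges with the post's topology; the virtual MAC and IP are the post's, while host MACs, host IPs, port names and the monitor check for a gateway Gratuitous ARP from an unexpected MAC are assumptions of this example.

```python
import struct
# Virtual MAC/IP come from the post; host MACs/IPs and port names are constructed here.
VIRTUAL_MAC, GATEWAY_IP = "00:00:0c:07:ac:01", "10.0.0.1"
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
PC1, PC2 = "00:11:22:33:44:01", "00:11:22:33:44:02"
mac = lambda m: bytes.fromhex(m.replace(":", ""))
ip = lambda a: bytes(int(o) for o in a.split("."))

def arp_frame(src, dst, op, sha, spa, tha, tpa):
    """Ethernet II + ARP frame bytes (op 1 = request, 2 = reply)."""
    return (mac(dst) + mac(src) + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))

def parse_arp(frame):
    """Fields a bridge or an ARP monitor needs from a raw frame."""
    return dict(dst=frame[0:6].hex(":"), src=frame[6:12].hex(":"),
                op=struct.unpack("!H", frame[20:22])[0], sha=frame[22:28].hex(":"),
                spa=".".join(map(str, frame[28:32])), tpa=".".join(map(str, frame[38:42])))

class Switch:
    """Learning bridge: learn the source MAC on the ingress port, forward if known, else flood.
    links maps port -> (peer switch, peer port), or None when a host/router hangs off the port."""
    def __init__(self): self.table, self.links = {}, {}
    def receive(self, port, frame):
        hdr = parse_arp(frame)
        self.table[hdr["src"]] = port
        out = [self.table[hdr["dst"]]] if hdr["dst"] in self.table else [p for p in self.links if p != port]
        for p in out:
            if self.links[p]:
                self.links[p][0].receive(self.links[p][1], frame)

def failover_demo():
    """Replay the post's sequence; return where each switch sees the virtual MAC before/after failover."""
    sw1, sw2 = Switch(), Switch()
    sw1.links = {"r1": None, "pc1": None, "sw2": (sw2, "sw1")}
    sw2.links = {"r2": None, "pc2": None, "sw1": (sw1, "sw2")}
    # PC1 ARPs for the gateway; active router R1 answers unicast from the virtual MAC.
    sw1.receive("pc1", arp_frame(PC1, BCAST, 1, PC1, "10.0.0.11", ZERO, GATEWAY_IP))
    sw1.receive("r1", arp_frame(VIRTUAL_MAC, PC1, 2, VIRTUAL_MAC, GATEWAY_IP, PC1, "10.0.0.11"))
    # PC2 ARPs; R1's reply crosses the Sw1-Sw2 link, so Sw2 learns the virtual MAC on that port.
    sw2.receive("pc2", arp_frame(PC2, BCAST, 1, PC2, "10.0.0.12", ZERO, GATEWAY_IP))
    sw1.receive("r1", arp_frame(VIRTUAL_MAC, PC2, 2, VIRTUAL_MAC, GATEWAY_IP, PC2, "10.0.0.12"))
    before = (sw1.table[VIRTUAL_MAC], sw2.table[VIRTUAL_MAC])
    # R1 goes quiet, R2 becomes active and broadcasts a Gratuitous ARP for the virtual IP.
    sw2.receive("r2", arp_frame(VIRTUAL_MAC, BCAST, 2, VIRTUAL_MAC, GATEWAY_IP, BCAST, GATEWAY_IP))
    after = (sw1.table[VIRTUAL_MAC], sw2.table[VIRTUAL_MAC])
    return before, after                      # (('r1', 'sw1'), ('sw2', 'r2'))

def suspicious_garp(frame):
    """Monitor check: without use-bia a Gratuitous ARP for the gateway IP should carry the HSRP
    virtual MAC; any other sender MAC is the man-in-the-middle case the post describes."""
    h = parse_arp(frame)
    return h["op"] == 2 and h["spa"] == h["tpa"] == GATEWAY_IP and h["sha"] != VIRTUAL_MAC
```

With use-bia configured, the expected sender MAC would instead be the new active router's burned-in address, so the monitor would need the list of router BIAs rather than the single virtual MAC.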