Re: Gratuitous ARP and HSRP [7:65633]

Fri, 21 Mar 2003 15:07:23 -0800 

Priscilla,

> The Gratuitous ARP fixes the MAC address tables on switches. Isn't that
> explained in any Cisco docs? It has to work that way it seems to me.....
>

I think you're right. I never thought about it in this way. Neither seen an
explanation in any book.

Thanks,

Eric


----- Original Message -----
From: "Priscilla Oppenheimer" 
To: 
Sent: Wednesday, March 19, 2003 1:37 AM
Subject: Re: Gratuitous ARP and HSRP [7:65633]


> ericbrouwers wrote:
> >
> > It is indeed related to the command "use-bia". Here's a section
> > from the doc
>
> An HSRP router using Gratuitous ARP isn't just related to switches that
have
> to use a BIA. Unfortunately, most descriptions of HSRP, including ones I
> have written myself, assume two routers on a shared old-style Ethernet.
> Remember HSRP has been around for a long time!
>
> But consider this typical modern campus network design that GroupStudy
> posting software hopefully won't totally munge:
>
> R1   R2
>  |   |
>  |   |
> Sw1--Sw2
>  |    |
> PC1   PC2
>
> Let's say the routers have chosen a virtual HSRP address of 10.0.0.1 for
> HSRP Group 1. The virtual MAC address is 0000.0c07.ac01.
>
> PC1 broadcasts an ARP looking for 10.0.0.1 and R1 is the active router. R1
> sends back a unicast ARP reply.
>
> Sw1 picks up that 0000.0c07.ac01 is reachable via the port at the top of
SW1
> in the drawing.
>
> When PC2 broadcast an ARP, the reply will travel from Sw1 to Sw2 to PC2.
So
> Sw2 picks up that the 0000.0c07.ac01 address is reachable via the port to
> the left of Sw2 in the drawing. Sorry, if that's too confusing, but I
don't
> want to waste time doing a good drawing with port numbers that will just
get
> munged anyway.
>
> Now R2 stops hearing from R1 and takes over as the active HSRP router. R2
> must send a Gratuitous ARP broadcast so that Sw1 and Sw2 change their MAC
> address tables. Now the virtual MAC address 0000.0c07.ac01 is reachable on
> Sw1 on its port that is shown to the right of Sw1 in the drawing.
>
> On Sw2, the 0000.0c07.ac01 address is reachable from its port at the top
of
> the drawing.
>
> The Gratuitous ARP fixes the MAC address tables on switches. Isn't that
> explained in any Cisco docs? It has to work that way it seems to me.....
>
>
> > "Hot Standby Router Protocol Features and Functionality" that
> > was suggested
> > by Daniel:
> >
> > However, the usebbia command has several disadvantages:
> > - When a router becomes active, the virtual IP address is moved
> > to a
> > different MAC address. The newly
> > active router sends a gratuitous ARP response, but not all host
> > implementations handle the gratuitous
> > ARP correctly.
>
> That may be true, but it's not meant to say that this is the only case
where
> the Gratuitous ARP is needed. It's needed for the general case too, from
> what I understand.
>
> Most host implementations do handle the Gratuitous ARP correctly, by the
> way. In fact, this is open to an infamous man-in-the-middle security
> vulnerability, sometimes misnamed as "ARP sniffing." An attacker can send
a
> Gratuitous ARP claiming to be the default gateway. Now all traffic
destined
> for another network goes to the attacker's machine! The attacker's machine
> can use the info, but also better forward the traffic, or it will also be
a
> denial-of-service attack.
>
> > > ----- Original Message -----
> > > From: ericbrouwers
> > > Date: Tuesday, March 18, 2003 1:24 am
> > > Subject: Gratuitous ARP and HSRP [7:65633]
> > >
> > > > Hello all,
> > > >
> > > > I've read in the CCNP Switching Exam Cert. Guide that a
> > standby
> > > > router that
> > > > becomes active in an HSRP group, sends a gratuitous ARP to
> > update
> > > > the ARP
> > > > cache of the end stations with the new active MAC address...
> > > >
> > > > This is strange, since the same virtual MAC address is used
> > by
> > > > active and
> > > > standby HSRP routers.
> > > >
> > > > However, maybe Cisco's implementation has once been like
> > this,
> > > > because I've
> > > > seen instances in the field that ARP caches contained the
> > real MAC
> > > > instead of
> > > > the virtual MAC address when using HSRP.
>
> Seeing the real MAC address is probably a different problem. You could see
> it if the router was at one point using the virtual address on a real
> interface. For example, when you first get HSRP up and running, you may
move
> Ethernet1's IP address to the virtual address and assign a new real
address
> to Ethernet1.
>
> The hosts will still have in their ARP cache the previous mapping. You can
> clear their cache. Or just wait a couple minutes if it's Windows and the
> users aren't doing anything. On Windows entries stay in the ARP cache for
> only 2 minutes.
> ____________________________
>
> Priscilla Oppenheimer
> www.troubleshootingnetworks.com
> www.priscilla.com
>
> > > >
> > > > Can someone give comments on this?
> > > >
> > > > Thanks,
> > > >
> > > > Eric Brouwers
> > > > [EMAIL PROTECTED]
> > > > Nondisclosure violations to [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=65956&t=65633
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Reply via email to