Steve Bertrand wrote:
Thank you Giulio (is it Gio?)
No, it's Giulio (English Julius) :-)


For some reason when I plugged in the new firewall, only the base non-aliased address was updated in the ISP switch arp cache (if someone can throw a guess at why, I'm eager to listen).

Well, you need to know what type of switch they had upstream, and why they weren't updating their ARP cache dynamically properly. Perhaps because their cache ttl was too long (due to the type of hardware, or administrative setting).

The strange thing is that they actually updated their arp entry for the base
(non aliased) address, but not the others.

I guess what I could do was to "poison" their arp cache for each address with
an "is-at" message. Is there a way to force the sending of these messages for
all the addresses of an interface?

I almost have to assume it wasn't a Cisco... only because I would have expected different behavior (less administrative setting) (this is my personal experience...I'm not trying to favour a brand in any way).

Perhaps you could ask them to provide the command they issued to determine how they found the problem. Better yet, ask what type of device your box is connected to at their end of the VLAN.

It was me who finally realized what the problem was. All I asked them to do was to reset the arp cache of the interface, and I guess they did that by IOS (or CLI or
whatever), not something I could do without logging into their switch...


If you can find out what device they have at their end, it may almost be possible to non-destructively, and non-corruptively 'force' them to clear arp-cache remotely, and at the same time provide advice to the non-unscrupulous people who may run into this in the future.

I guess I could have used utilities like ettercap to set their arp table right, and this is what another person should do, if they have no other way to operate that change...


I'd be just as interested to know what they had at their end for hardware, as I have been waiting to hear what your resolution was throughout your time consuming troubleshooting...

Thanks for your support :-) I've seen many Cisco devices in that farm, so I guess
that's the answer.
I imagine (since I don't really know) that every ip interface should
periodically issue "who-has" messages for the directly-connected addresses, so maybe
the problem would have solved itself, but I didn't really know how long
that would have taken, and I couldn't stop the services provided by my customer
too long...

Anyway, all is well as it ends well.

Giulio.
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
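
An added example, not part of the original thread: the message above asks how a host can announce every address on an interface, aliases included, so that an upstream ARP cache picks up the new MAC. The sketch below builds one RFC 5227 ARP announcement (a broadcast ARP request whose sender and target IP are both the host's own address) per address and decodes the frames back. The MAC, the addresses and the function names are constructed for illustration; putting the frames on the wire needs a raw link-layer socket and is left out.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6
ARP_REQUEST = 1

def mac_bytes(mac: str) -> bytes:
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return raw

def announcement(mac: str, ip: str) -> bytes:
    """One ARP announcement frame stating that this host's `ip` is at `mac`."""
    sha = mac_bytes(mac)
    spa = ipaddress.IPv4Address(ip).packed
    # RFC 5227: ARP request, sender IP == target IP, target MAC all zero,
    # broadcast at the Ethernet layer so every neighbour refreshes its cache.
    eth = BROADCAST + sha + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    return eth + arp + sha + spa + b"\x00" * 6 + spa

def announcements(mac: str, addresses) -> list:
    """Frames for the base address and every alias on the interface."""
    return [announcement(mac, ip) for ip in addresses]

def decode(frame: bytes) -> dict:
    """Decode an Ethernet/IPv4 ARP frame and flag whether it is gratuitous."""
    if len(frame) < 42 or frame[12:14] != struct.pack("!H", ETHERTYPE_ARP):
        raise ValueError("not an Ethernet ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    sha, spa, tpa = frame[22:28], frame[28:32], frame[38:42]
    return {
        "oper": oper,
        "mac": sha.hex(":"),
        "ip": str(ipaddress.IPv4Address(spa)),
        "gratuitous": spa == tpa,  # sender IP equals target IP
    }

if __name__ == "__main__":
    # Constructed sample values: locally administered MAC, RFC 5737 addresses.
    for f in announcements("02:00:5e:10:00:01", ["192.0.2.10", "192.0.2.11"]):
        print(decode(f))
```

The same `decode` check applied to captured traffic shows whether a host actually announced each alias after a hardware swap, or only its base address.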
