Re: Gratuitous ARP and HSRP [7:65633]

2003-03-21 Thread ericbrouwers
Priscilla,

 The Gratuitous ARP fixes the MAC address tables on switches. Isn't that
 explained in any Cisco docs? It has to work that way it seems to me.


I think you're right. I never thought about it in this way, nor have I seen an
explanation in any book.

Thanks,

Eric


- Original Message -
From: Priscilla Oppenheimer 
To: 
Sent: Wednesday, March 19, 2003 1:37 AM
Subject: Re: Gratuitous ARP and HSRP [7:65633]


 ericbrouwers wrote:
 
  It is indeed related to the command use-bia. Here's a section
  from the doc

 An HSRP router using Gratuitous ARP isn't just related to switches that have
 to use a BIA. Unfortunately, most descriptions of HSRP, including ones I
 have written myself, assume two routers on a shared old-style Ethernet.
 Remember HSRP has been around for a long time!

 But consider this typical modern campus network design that GroupStudy
 posting software hopefully won't totally munge:

 R1        R2
  |         |
  |         |
 Sw1------Sw2
  |         |
 PC1       PC2

 Let's say the routers have chosen a virtual HSRP address of 10.0.0.1 for
 HSRP Group 1. The virtual MAC address is 0000.0c07.ac01.

 PC1 broadcasts an ARP looking for 10.0.0.1 and R1 is the active router. R1
 sends back a unicast ARP reply.

 Sw1 picks up that 0000.0c07.ac01 is reachable via the port at the top of Sw1
 in the drawing.

 When PC2 broadcasts an ARP, the reply will travel from Sw1 to Sw2 to PC2. So
 Sw2 picks up that the 0000.0c07.ac01 address is reachable via the port to
 the left of Sw2 in the drawing. Sorry if that's too confusing, but I don't
 want to waste time doing a good drawing with port numbers that will just get
 munged anyway.

 Now R2 stops hearing from R1 and takes over as the active HSRP router. R2
 must send a Gratuitous ARP broadcast so that Sw1 and Sw2 change their MAC
 address tables. Now the virtual MAC address 0000.0c07.ac01 is reachable on
 Sw1 on its port that is shown to the right of Sw1 in the drawing.

 On Sw2, the 0000.0c07.ac01 address is reachable from its port at the top of
 the drawing.

 The Gratuitous ARP fixes the MAC address tables on switches. Isn't that
 explained in any Cisco docs? It has to work that way it seems to me.


  Hot Standby Router Protocol Features and Functionality that was suggested
  by Daniel:
 
  However, the use-bia command has several disadvantages:
  - When a router becomes active, the virtual IP address is moved to a
  different MAC address. The newly active router sends a gratuitous ARP
  response, but not all host implementations handle the gratuitous ARP
  correctly.

 That may be true, but it's not meant to say that this is the only case where
 the Gratuitous ARP is needed. It's needed for the general case too, from
 what I understand.

 Most host implementations do handle the Gratuitous ARP correctly, by the
 way. In fact, this is open to an infamous man-in-the-middle security
 vulnerability, sometimes misnamed as ARP sniffing. An attacker can send a
 Gratuitous ARP claiming to be the default gateway. Now all traffic destined
 for another network goes to the attacker's machine! The attacker's machine
 can use the info, but also better forward the traffic, or it will also be a
 denial-of-service attack.

   - Original Message -
   From: ericbrouwers
   Date: Tuesday, March 18, 2003 1:24 am
   Subject: Gratuitous ARP and HSRP [7:65633]
  
   Hello all,

   I've read in the CCNP Switching Exam Cert. Guide that a standby router that
   becomes active in an HSRP group, sends a gratuitous ARP to update the ARP
   cache of the end stations with the new active MAC address...

   This is strange, since the same virtual MAC address is used by active and
   standby HSRP routers.

   However, maybe Cisco's implementation has once been like this, because I've
   seen instances in the field that ARP caches contained the real MAC instead of
   the virtual MAC address when using HSRP.

 Seeing the real MAC address is probably a different problem. You could see
 it if the router was at one point using the virtual address on a real
 interface. For example, when you first get HSRP up and running, you may move
 Ethernet1's IP address to the virtual address and assign a new real address
 to Ethernet1.

 The hosts will still have in their ARP cache the previous mapping. You can
 clear their cache. Or just wait a couple minutes if it's Windows and the
 users aren't doing anything. On Windows entries stay in the ARP cache for
 only 2 minutes.
 

 Priscilla Oppenheimer
 www.troubleshootingnetworks.com
 www.priscilla.com

   
Can someone give comments on this?
   
Thanks,
   
Eric Brouwers
[EMAIL PROTECTED]

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=65956t=65633
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: Gratuitous ARP and HSRP [7:65633]

2003-03-18 Thread Daniel Cotts
On CCO check out under IP Routing Protocols the doc Hot Standby Router
Protocol Features and Functionality
www.cisco.com/en/US/tech/tk648/tk365/technologies_tech_note09186a0080094a91.shtml

 -Original Message-
 From: ericbrouwers [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, March 18, 2003 12:25 AM
 To: [EMAIL PROTECTED]
 Subject: Gratuitous ARP and HSRP [7:65633]
 
 
 Hello all,
 
 I've read in the CCNP Switching Exam Cert. Guide that a standby router that
 becomes active in an HSRP group, sends a gratuitous ARP to update the ARP
 cache of the end stations with the new active MAC address...
 
 This is strange, since the same virtual MAC address is used by active and
 standby HSRP routers.
 
 However, maybe Cisco's implementation has once been like this, because I've
 seen instances in the field that ARP caches contained the real MAC instead of
 the virtual MAC address when using HSRP.
 
 Can someone give comments on this?
 
 Thanks,
 
 Eric Brouwers
 [EMAIL PROTECTED]

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=65664t=65633


Re: Gratuitous ARP and HSRP [7:65633]

2003-03-18 Thread garrett allen
eric,

i can only comment in a limited way and only based on what i have 
read.  the lower end cisco products (like the 2500's i've been 
deploying in remote offices) can only associate one virtual mac address 
to an interface and so can only belong to a single hsrp group.  if you 
have a need to support more than one hsrp group on an interface, one way 
around that limitation is to use the bia of the interface as the 
virtual address and to issue a gratuitous arp whenever the interface 
takes over - the command is standby use-bia i recall.  higher end 
products don't have the limitation and some end stations don't really 
respond well to it.

i haven't actually used this before for money, so there is the 
possibility of being wrong and your mileage may vary will use.  but it 
should start the ball rolling to hear from others.

cheers.
garrett

- Original Message -
From: ericbrouwers 
Date: Tuesday, March 18, 2003 1:24 am
Subject: Gratuitous ARP and HSRP [7:65633]

 Hello all,
 
 I've read in the CCNP Switching Exam Cert. Guide that a standby router that
 becomes active in an HSRP group, sends a gratuitous ARP to update the ARP
 cache of the end stations with the new active MAC address...
 
 This is strange, since the same virtual MAC address is used by active and
 standby HSRP routers.
 
 However, maybe Cisco's implementation has once been like this, because I've
 seen instances in the field that ARP caches contained the real MAC instead of
 the virtual MAC address when using HSRP.
 
 Can someone give comments on this?
 
 Thanks,
 
 Eric Brouwers
 [EMAIL PROTECTED]

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=65673t=65633


Re: Gratuitous ARP and HSRP [7:65633]

2003-03-18 Thread ericbrouwers
It is indeed related to the command use-bia. Here's a section from the doc
Hot Standby Router Protocol Features and Functionality that was suggested
by Daniel:

However, the use-bia command has several disadvantages:
- When a router becomes active, the virtual IP address is moved to a
different MAC address. The newly active router sends a gratuitous ARP
response, but not all host implementations handle the gratuitous ARP
correctly.
- Proxy ARP breaks when use-bia is configured. A standby router cannot cover
for the lost proxy ARP database of a failed router.
- Prior to Cisco IOS release 12.0(3.4)T, only one HSRP group is allowed if
use-bia is configured.

Thanks guys,

Eric

- Original Message -
From: garrett allen 
To: 
Sent: Tuesday, March 18, 2003 6:06 PM
Subject: Re: Gratuitous ARP and HSRP [7:65633]


 eric,

 i can only comment in a limited way and only based on what i have
 read.  the lower end cisco products (like the 2500's i've been
 deploying in remote offices) can only associate one virtual mac address
 to an interface and so can only belong to a single hsrp group.  if you
 have a need to support more than one hsrp group on an interface, one way
 around that limitation is to use the bia of the interface as the
 virtual address and to issue a gratuitous arp whenever the interface
 takes over - the command is standby use-bia i recall.  higher end
 products don't have the limitation and some end stations don't really
 respond well to it.

 i haven't actually used this before for money, so there is the
 possibility of being wrong and your mileage may vary will use.  but it
 should start the ball rolling to hear from others.

 cheers.
 garrett

 - Original Message -
 From: ericbrouwers
 Date: Tuesday, March 18, 2003 1:24 am
 Subject: Gratuitous ARP and HSRP [7:65633]

  Hello all,
 
  I've read in the CCNP Switching Exam Cert. Guide that a standby router that
  becomes active in an HSRP group, sends a gratuitous ARP to update the ARP
  cache of the end stations with the new active MAC address...
 
  This is strange, since the same virtual MAC address is used by active and
  standby HSRP routers.
 
  However, maybe Cisco's implementation has once been like this, because I've
  seen instances in the field that ARP caches contained the real MAC instead of
  the virtual MAC address when using HSRP.
 
  Can someone give comments on this?
 
  Thanks,
 
  Eric Brouwers
  [EMAIL PROTECTED]

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=65695t=65633


Re: Gratuitous ARP and HSRP [7:65633]

2003-03-18 Thread Karen E Young
Eric,

The gratuitous ARP is just to let the switch or bridge know that the port
that the virtual MAC is attached to has changed.

If an existing router is converted to HSRP, then the end stations will
continue to track the real MAC address, not the virtual one. You have to
reboot the end stations or otherwise clear their ARP caches to get them to
use the virtual MAC.

Help any?
Karen

*** REPLY SEPARATOR  ***

On 3/18/2003 at 6:24 AM ericbrouwers wrote:

Hello all,

I've read in the CCNP Switching Exam Cert. Guide that a standby router that
becomes active in an HSRP group, sends a gratuitous ARP to update the ARP
cache of the end stations with the new active MAC address...

This is strange, since the same virtual MAC address is used by active and
standby HSRP routers.

However, maybe Cisco's implementation has once been like this, because I've
seen instances in the field that ARP caches contained the real MAC instead of
the virtual MAC address when using HSRP.

Can someone give comments on this?

Thanks,

Eric Brouwers
[EMAIL PROTECTED]

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=65699t=65633


Re: Gratuitous ARP and HSRP [7:65633]

2003-03-18 Thread Priscilla Oppenheimer
ericbrouwers wrote:
 
 It is indeed related to the command use-bia. Here's a section
 from the doc

An HSRP router using Gratuitous ARP isn't just related to switches that have
to use a BIA. Unfortunately, most descriptions of HSRP, including ones I
have written myself, assume two routers on a shared old-style Ethernet.
Remember HSRP has been around for a long time!

But consider this typical modern campus network design that GroupStudy
posting software hopefully won't totally munge:

R1        R2
 |         |
 |         |
Sw1------Sw2
 |         |
PC1       PC2

Let's say the routers have chosen a virtual HSRP address of 10.0.0.1 for
HSRP Group 1. The virtual MAC address is 0000.0c07.ac01.

PC1 broadcasts an ARP looking for 10.0.0.1 and R1 is the active router. R1
sends back a unicast ARP reply.

Sw1 picks up that 0000.0c07.ac01 is reachable via the port at the top of Sw1
in the drawing.

When PC2 broadcasts an ARP, the reply will travel from Sw1 to Sw2 to PC2. So
Sw2 picks up that the 0000.0c07.ac01 address is reachable via the port to
the left of Sw2 in the drawing. Sorry if that's too confusing, but I don't
want to waste time doing a good drawing with port numbers that will just get
munged anyway.

Now R2 stops hearing from R1 and takes over as the active HSRP router. R2
must send a Gratuitous ARP broadcast so that Sw1 and Sw2 change their MAC
address tables. Now the virtual MAC address 0000.0c07.ac01 is reachable on
Sw1 on its port that is shown to the right of Sw1 in the drawing.

On Sw2, the 0000.0c07.ac01 address is reachable from its port at the top of
the drawing.

The Gratuitous ARP fixes the MAC address tables on switches. Isn't that
explained in any Cisco docs? It has to work that way it seems to me.


 Hot Standby Router Protocol Features and Functionality that was suggested
 by Daniel:
 
 However, the use-bia command has several disadvantages:
 - When a router becomes active, the virtual IP address is moved to a
 different MAC address. The newly active router sends a gratuitous ARP
 response, but not all host implementations handle the gratuitous ARP
 correctly.

That may be true, but it's not meant to say that this is the only case where
the Gratuitous ARP is needed. It's needed for the general case too, from
what I understand.

Most host implementations do handle the Gratuitous ARP correctly, by the
way. In fact, this is open to an infamous man-in-the-middle security
vulnerability, sometimes misnamed as ARP sniffing. An attacker can send a
Gratuitous ARP claiming to be the default gateway. Now all traffic destined
for another network goes to the attacker's machine! The attacker's machine
can use the info, but also better forward the traffic, or it will also be a
denial-of-service attack.

  - Original Message -
  From: ericbrouwers
  Date: Tuesday, March 18, 2003 1:24 am
  Subject: Gratuitous ARP and HSRP [7:65633]
 
   Hello all,
  
   I've read in the CCNP Switching Exam Cert. Guide that a standby router that
   becomes active in an HSRP group, sends a gratuitous ARP to update the ARP
   cache of the end stations with the new active MAC address...
  
   This is strange, since the same virtual MAC address is used by active and
   standby HSRP routers.
  
   However, maybe Cisco's implementation has once been like this, because I've
   seen instances in the field that ARP caches contained the real MAC instead of
   the virtual MAC address when using HSRP.

Seeing the real MAC address is probably a different problem. You could see
it if the router was at one point using the virtual address on a real
interface. For example, when you first get HSRP up and running, you may move
Ethernet1's IP address to the virtual address and assign a new real address
to Ethernet1.

The hosts will still have in their ARP cache the previous mapping. You can
clear their cache. Or just wait a couple minutes if it's Windows and the
users aren't doing anything. On Windows entries stay in the ARP cache for
only 2 minutes.


Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com

  
   Can someone give comments on this?
  
   Thanks,
  
   Eric Brouwers
   [EMAIL PROTECTED]

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=65704t=65633
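The MAC-table walk-through in Priscilla's post above, as an added example that is not code from the thread: a small Python model in which Sw1 and Sw2 learn the virtual MAC from frame source addresses, R1 answers the PCs' ARPs, and then R2 takes over with or without sending a gratuitous ARP broadcast. Only the topology and the virtual MAC come from the post; the real MACs, port names and frame fields are constructed.

```python
"""Model of the MAC-table behaviour described above: Sw1 and Sw2 learn where
the HSRP virtual MAC lives from frame source addresses, and only the newly
active router's gratuitous ARP broadcast moves that entry after a failover.
Added example, not code from the thread; real MACs and port names are constructed."""

BROADCAST = "ffff.ffff.ffff"
VIRTUAL_MAC = "0000.0c07.ac01"   # HSRP group 1 virtual MAC from the post
MACS = {"R1": "0000.0c05.1111", "R2": "0000.0c05.2222",     # constructed real MACs
        "PC1": "0000.0e00.0001", "PC2": "0000.0e00.0002"}

class Node:
    """End station or router: records the frames it receives, never forwards."""
    def __init__(self, name):
        self.name, self.links, self.received = name, {}, []
    def receive(self, frame, in_port):
        self.received.append(frame)

class Switch(Node):
    """Transparent bridge: learns source MAC per ingress port, floods unknowns."""
    def __init__(self, name):
        super().__init__(name)
        self.mac_table = {}                         # MAC -> port it was last seen on
    def receive(self, frame, in_port):
        self.mac_table[frame["src"]] = in_port      # learning overwrites a stale entry
        dst = frame["dst"]
        if dst != BROADCAST and dst in self.mac_table:
            out_ports = [self.mac_table[dst]]       # known unicast: exactly one port
        else:
            out_ports = [p for p in self.links if p != in_port]   # broadcast/unknown: flood
        for p in out_ports:
            neighbour, nport = self.links[p]
            neighbour.receive(frame, nport)

def link(a, a_port, b, b_port):
    a.links[a_port] = (b, b_port)
    b.links[b_port] = (a, a_port)

def send(node, frame):
    """Routers and PCs have a single uplink; emit the frame on it."""
    for neighbour, nport in node.links.values():
        neighbour.receive(frame, nport)

def build_topology():
    """R1-Sw1, R2-Sw2, Sw1-Sw2, PC1-Sw1, PC2-Sw2; port names follow the drawing."""
    n = {name: Node(name) for name in MACS}
    n["Sw1"], n["Sw2"] = Switch("Sw1"), Switch("Sw2")
    link(n["R1"], "e0", n["Sw1"], "top")
    link(n["R2"], "e0", n["Sw2"], "top")
    link(n["Sw1"], "right", n["Sw2"], "left")
    link(n["PC1"], "e0", n["Sw1"], "bottom")
    link(n["PC2"], "e0", n["Sw2"], "bottom")
    return n

def failover(gratuitous_arp):
    """Return ((Sw1, Sw2) ports holding the virtual MAC before the failover,
    the same after it, and which router PC1's next gateway-bound frame reached)."""
    n = build_topology()
    for pc in ("PC1", "PC2"):   # each PC ARPs for 10.0.0.1; active R1 replies unicast
        send(n[pc], {"src": MACS[pc], "dst": BROADCAST, "type": "ARP request"})
        send(n["R1"], {"src": VIRTUAL_MAC, "dst": MACS[pc], "type": "ARP reply"})
    def where():
        return n["Sw1"].mac_table[VIRTUAL_MAC], n["Sw2"].mac_table[VIRTUAL_MAC]
    before = where()
    if gratuitous_arp:          # R2 takes over and announces the virtual MAC
        send(n["R2"], {"src": VIRTUAL_MAC, "dst": BROADCAST, "type": "gratuitous ARP"})
    send(n["PC1"], {"src": MACS["PC1"], "dst": VIRTUAL_MAC, "type": "IP to gateway"})
    reached = [r for r in ("R1", "R2")
               if any(f["type"] == "IP to gateway" for f in n[r].received)]
    return before, where(), reached

if __name__ == "__main__":
    print("with gratuitous ARP:   ", failover(True))    # (('top', 'left'), ('right', 'top'), ['R2'])
    print("without gratuitous ARP:", failover(False))   # (('top', 'left'), ('top', 'left'), ['R1'])
```

Without the broadcast both switches keep pointing the virtual MAC at the dead R1, so PC1's traffic is black-holed until the entries age out.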


Re: Gratuitous ARP and HSRP [7:65633]

2003-03-18 Thread Priscilla Oppenheimer
So, it did munge the picture, at least in the Web posting. Please know that
R2 and PC2 are connected to Sw2.

The Web posting software changes multiple spaces to one. But I have noticed
that if you use the Quote button, the picture that it puts in the box has
the spaces. So you can do that to see it better. (But don't hit the Post
button unless you really have something to say. That's a mistake I make all
the time. The Quote and Post buttons are too close together for someone with
no hand-eye coordination. ;-)

Perhaps the picture didn't get munged for those of you reading it via mail
or news.

Priscilla

Priscilla Oppenheimer wrote:
 
 ericbrouwers wrote:
  
  It is indeed related to the command use-bia. Here's a
 section
  from the doc
 
 An HSRP router using Gratuitous ARP isn't just related to
 switches that have to use a BIA. Unfortunately, most
 descriptions of HSRP, including ones I have written myself,
 assume two routers on a shared old-style Ethernet. Remember
 HSRP has been around for a long time!
 
 But consider this typical modern campus network design that
 GroupStudy posting software hopefully won't totally munge:
 
 R1        R2
  |         |
  |         |
 Sw1------Sw2
  |         |
 PC1       PC2
 
 Let's say the routers have chosen a virtual HSRP address of
 10.0.0.1 for HSRP Group 1. The virtual MAC address is
 0000.0c07.ac01.
 
 PC1 broadcasts an ARP looking for 10.0.0.1 and R1 is the active
 router. R1 sends back a unicast ARP reply.
 
 Sw1 picks up that 0000.0c07.ac01 is reachable via the port at
 the top of Sw1 in the drawing.
 
 When PC2 broadcasts an ARP, the reply will travel from Sw1 to
 Sw2 to PC2. So Sw2 picks up that the 0000.0c07.ac01 address is
 reachable via the port to the left of Sw2 in the drawing.
 Sorry if that's too confusing, but I don't want to waste time
 doing a good drawing with port numbers that will just get
 munged anyway.
 
 Now R2 stops hearing from R1 and takes over as the active HSRP
 router. R2 must send a Gratuitous ARP broadcast so that Sw1 and
 Sw2 change their MAC address tables. Now the virtual MAC
 address 0000.0c07.ac01 is reachable on Sw1 on its port that is
 shown to the right of Sw1 in the drawing.
 
 On Sw2, the 0000.0c07.ac01 address is reachable from its port
 at the top of the drawing.
 
 The Gratuitous ARP fixes the MAC address tables on switches.
 Isn't that explained in any Cisco docs? It has to work that way
 it seems to me.
 
 
  Hot Standby Router Protocol Features and Functionality that
  was suggested by Daniel:
  
  However, the use-bia command has several disadvantages:
  - When a router becomes active, the virtual IP address is moved
  to a different MAC address. The newly active router sends a
  gratuitous ARP response, but not all host implementations
  handle the gratuitous ARP correctly.
 
 That may be true, but it's not meant to say that this is the
 only case where the Gratuitous ARP is needed. It's needed for
 the general case too, from what I understand.
 
 Most host implementations do handle the Gratuitous ARP
 correctly, by the way. In fact, this is open to an infamous
 man-in-the-middle security vulnerability, sometimes misnamed as
 ARP sniffing. An attacker can send a Gratuitous ARP claiming
 to be the default gateway. Now all traffic destined for another
 network goes to the attacker's machine! The attacker's machine
 can use the info, but also better forward the traffic, or it
 will also be a denial-of-service attack.
 
   - Original Message -
   From: ericbrouwers
   Date: Tuesday, March 18, 2003 1:24 am
   Subject: Gratuitous ARP and HSRP [7:65633]
  
   Hello all,
   
   I've read in the CCNP Switching Exam Cert. Guide that a standby
   router that becomes active in an HSRP group, sends a gratuitous
   ARP to update the ARP cache of the end stations with the new
   active MAC address...
   
   This is strange, since the same virtual MAC address is used by
   active and standby HSRP routers.
   
   However, maybe Cisco's implementation has once been like this,
   because I've seen instances in the field that ARP caches
   contained the real MAC instead of the virtual MAC address when
   using HSRP.
 
 Seeing the real MAC address is probably a different problem.
 You could see it if the router was at one point using the
 virtual address on a real interface. For example, when you
 first get HSRP up and running, you may move Ethernet1's IP
 address to the virtual address and assign a new real address to
 Ethernet1.
 
 The hosts will still have in their ARP cache the previous
 mapping. You can clear their cache. Or just wait a couple
 minutes if it's Windows and the users aren't doing anything. On
 Windows entries stay in the ARP cache for only 2 minutes.
 
 
 Priscilla Oppenheimer
 www.troubleshootingnetworks.com
 www.priscilla.com
 
   
Can someone give comments on this?
   
Thanks,
   
Eric Brouwers
[EMAIL PROTECTED]

RE: Gratuitous ARP and HSRP [7:65633]

2003-03-18 Thread Priscilla Oppenheimer
ericbrouwers wrote:
 
 
snip

 I've
 seen instances in the field that ARP caches contained the real
 MAC instead of
 the virtual MAC address when using HSRP.

One more comment on seeing the router's real MAC address. 

It might interest you to know that, at least on my routers, the ARP reply
from the router, after a host tries to find its default gateway (the virtual
router), does actually come from the router's real MAC address at the
data-link layer. At the ARP layer, the virtual router puts the virtual MAC
address in the ARP reply, but at the Ethernet layer it puts its real
address. This could cause the real MAC address to end up in the ARP cache,
at least temporarily.

In the following example 00:00:0C:05:3E:80 is the router's real MAC address.
Note that the router uses it as the source address. However, the ARP payload
of the frame shows the virtual MAC address, 00:00:0C:07:AC:00.

10.10.0.3 is the virtual IP. It was PC 00:00:0E:D5:C7:E7 (10.10.0.10) who
sent the ARP looking for the default gateway that resulted in this ARP reply:

Ethernet Header
  Destination:  00:00:0E:D5:C7:E7
  Source:   00:00:0C:05:3E:80
  Protocol Type:0x0806  IP ARP
ARP - Address Resolution Protocol
  Hardware: 1  Ethernet (10Mb)
  Protocol: 0x0800  IP
  Hardware Address Length:6
  Protocol Address Length:4
  Operation:2  ARP Response
  Sender Hardware Address:00:00:0C:07:AC:00
  Sender Internet Address:10.10.0.3
  Target Hardware Address:00:00:0E:D5:C7:E7
  Target Internet Address:10.10.0.10


Isn't that weird? The PC does the right thing though and sends the actual
packet (after the ARP) to 00:00:0C:07:AC:00.

A reply comes back through the router and the router uses the virtual MAC
address 00:00:0C:07:AC:00 in the source Ethernet address of that reply. Good
thing. Otherwise switches wouldn't ever pick up the port to use for
00:00:0C:07:AC:00.

HSRP is much more complicated than the simple descriptions make it sound!

Do some sniffing of it to see how it really works (and how easy it is to
hack, by the way.)
___

Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com





 
 Can someone give comments on this?
 
 Thanks,
 
 Eric Brouwers
 [EMAIL PROTECTED]
 
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=65710t=65633
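Decoding the reply Priscilla captured, as an added example that is not code from the thread: the first frame reproduces her dump field by field (real router MAC in the Ethernet header, virtual MAC and virtual IP in the ARP body), and a monitoring check flags both that mismatch and any gratuitous ARP that claims the gateway IP from a MAC outside the known HSRP set, which is the man-in-the-middle she describes. GATEWAY_IP, HSRP_MACS and the two gratuitous frames are constructed for the example.

```python
"""Decoder for ARP-over-Ethernet frames, applied to the HSRP reply captured above.
Added example, not code from the thread: CAPTURED_REPLY reproduces the capture
field by field; GATEWAY_IP, HSRP_MACS and the two gratuitous frames are constructed."""
import struct
from ipaddress import IPv4Address

ETH_P_ARP, ARP_REPLY = 0x0806, 2
BROADCAST = "FF:FF:FF:FF:FF:FF"

def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def bytes_to_mac(raw):
    return ":".join(f"{b:02X}" for b in raw)

def build_arp_frame(eth_dst, eth_src, op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header + 28-byte ARP body (Ethernet/IPv4), used to build sample input."""
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)          # htype, ptype, hlen, plen, op
    arp += mac_to_bytes(sender_mac) + IPv4Address(sender_ip).packed
    arp += mac_to_bytes(target_mac) + IPv4Address(target_ip).packed
    return eth + arp

def parse_arp_frame(frame):
    """Decode the Ethernet header and ARP fields; reject anything but Ethernet/IPv4 ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_type = struct.unpack("!H", frame[12:14])[0]
    if eth_type != ETH_P_ARP:
        raise ValueError(f"not ARP: ethertype 0x{eth_type:04X}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled")
    return {"eth_dst": bytes_to_mac(frame[0:6]), "eth_src": bytes_to_mac(frame[6:12]), "op": op,
            "sender_mac": bytes_to_mac(frame[22:28]), "sender_ip": str(IPv4Address(frame[28:32])),
            "target_mac": bytes_to_mac(frame[32:38]), "target_ip": str(IPv4Address(frame[38:42]))}

def is_gratuitous(arp):
    """A gratuitous ARP announces the sender's own address: sender IP == target IP."""
    return arp["sender_ip"] == arp["target_ip"]

def check_gateway_arp(arp, gateway_ip, allowed_macs):
    """Monitoring check for ARP packets that speak for the gateway. allowed_macs holds
    the HSRP virtual MAC plus the real MACs of the HSRP routers (the capture shows both)."""
    findings = []
    if arp["eth_src"] != arp["sender_mac"]:
        findings.append("ethernet source differs from ARP sender MAC")
    if arp["sender_ip"] == gateway_ip and not {arp["eth_src"], arp["sender_mac"]} <= allowed_macs:
        findings.append("unexpected MAC claims gateway IP")
    return findings

# Field values from the capture in the post: real router MAC in the Ethernet header,
# HSRP virtual MAC and virtual IP inside the ARP reply.
CAPTURED_REPLY = build_arp_frame("00:00:0E:D5:C7:E7", "00:00:0C:05:3E:80", ARP_REPLY,
                                 "00:00:0C:07:AC:00", "10.10.0.3",
                                 "00:00:0E:D5:C7:E7", "10.10.0.10")
GATEWAY_IP = "10.10.0.3"                                    # virtual IP from the capture
HSRP_MACS = {"00:00:0C:07:AC:00", "00:00:0C:05:3E:80"}    # virtual MAC + known real MAC
# Constructed: the announcement a newly active HSRP router makes for the virtual MAC.
LEGIT_GARP = build_arp_frame(BROADCAST, "00:00:0C:07:AC:00", ARP_REPLY,
                             "00:00:0C:07:AC:00", GATEWAY_IP, BROADCAST, GATEWAY_IP)
# Constructed: what a monitor sees if a MAC outside the HSRP set announces the gateway IP.
ROGUE_GARP = build_arp_frame(BROADCAST, "02:00:00:00:BE:EF", ARP_REPLY,
                             "02:00:00:00:BE:EF", GATEWAY_IP, BROADCAST, GATEWAY_IP)

if __name__ == "__main__":
    for name, frame in (("capture", CAPTURED_REPLY), ("legit", LEGIT_GARP), ("rogue", ROGUE_GARP)):
        arp = parse_arp_frame(frame)
        print(name, arp["eth_src"], arp["sender_mac"], is_gratuitous(arp),
              check_gateway_arp(arp, GATEWAY_IP, HSRP_MACS))
```

On the captured reply the only finding is the header/payload MAC mismatch she observed, which is why the allow-list must contain the routers' real MACs as well as the virtual one.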