Cisco and ARP troubles

Warren Togami warren at togami.com
Thu Apr 12 02:26:40 PDT 2001


Jimen Ching wrote:

> On Wed, 11 Apr 2001, Warren Togami wrote:
> >Today I tried to replace my workplace's Cisco PIX firewall with a Linux
> >iptables box, but the network seemed to refuse to let go of the old MAC
> >attached to the IP address.  The campus network is entirely Cisco.  I
> >thought it was the MAC address, so I tried to manually set the MAC on the
> >Linux ethernet card to match the PIX interface.  It didn't work.
>
> What do you mean the network refuses to let go of the old MAC?  Do you
> mean the hosts behind the firewall are still trying to send traffic to the
> firewall using the MAC address of the Cisco PIX?

Doh.  I may have had a brain lapse in something so obvious.  You may be
right.  We also didn't have access to the Cisco CLI at the time.  I think
"clear arp <IP address>" would do the trick.  This however doesn't explain
why it didn't work when I forced the MAC address on the Linux box to match
the PIX interface.  Is there more to this than simply matching the MAC?

>
> >I'm perplexed.  I know very little about the Cisco specific stuff.
> >Anyone have any clue what I'm doing wrong?
>
> If you are trying to get rid of the Cisco, why do you need to learn about
> Cisco specific stuff?
> Concerning ARP, the ARP table entries expire in either 10 or 30 minutes,
> depending on the system.  If the ARP software works correctly, if the
> firewall pings the hosts inside, the ARP table will be updated with the
> new MAC address.  But I am still a little confused about the exact problem
> you are having.
>

The Linux interface couldn't ping anything on the inside, with and without a
forced matching MAC.  About "Cisco specific", I'm wondering if there's
something proprietary between the Cisco PIX and switches beyond the MAC
address that it uses to prevent hostile takeover of IP addresses.  I know
very little about Cisco's stuff.

Warren Togami
warren at togami.com
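
The check Jimen's question points at (are the inside hosts still mapping the firewall's IP to the PIX's MAC?), as an added example that is not part of the original thread. It reads `ip neigh show` output gathered from inside hosts; the host names, the 192.0.2.x addresses and the MAC values are constructed for illustration.

```python
# Added example: classify each inside host's neighbor-cache entry for the
# firewall IP after a firewall swap. All sample data below is constructed.

GW_IP = "192.0.2.1"             # firewall's inside address (constructed)
OLD_MAC = "02:00:00:00:00:01"   # stands in for the PIX interface MAC
NEW_MAC = "02:00:00:00:00:02"   # stands in for the Linux box's NIC MAC

# `ip neigh show` output as it might look on four inside hosts (constructed).
SAMPLES = {
    "host-a": "192.0.2.1 dev eth0 lladdr 02:00:00:00:00:01 STALE\n"
              "192.0.2.7 dev eth0 lladdr 02:00:00:00:00:77 REACHABLE\n",
    "host-b": "192.0.2.1 dev eth0 lladdr 02:00:00:00:00:02 REACHABLE\n",
    "host-c": "192.0.2.1 dev eth0 FAILED\n",
    "host-d": "192.0.2.1 dev eth0 lladdr 02:00:00:00:00:99 REACHABLE\n",
}


def parse_neigh(text):
    """Return {ip: (mac_or_None, state)} from `ip neigh show` output."""
    entries = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 2:
            continue
        mac = None
        if "lladdr" in tok and tok.index("lladdr") + 1 < len(tok):
            mac = tok[tok.index("lladdr") + 1].lower()
        entries[tok[0]] = (mac, tok[-1])  # state is the last field
    return entries


def classify(text, gw_ip, old_mac, new_mac):
    """Say what one host currently believes about the firewall's MAC."""
    mac, _state = parse_neigh(text).get(gw_ip, (None, "ABSENT"))
    if mac is None:
        return "unresolved"        # no entry, or FAILED/INCOMPLETE
    if mac == new_mac.lower():
        return "updated"
    if mac == old_mac.lower():
        return "stale-old-mac"     # still sending frames to the old device
    return "unexpected-mac"        # some third device answered for this IP


def audit(samples, gw_ip, old_mac, new_mac):
    return {h: classify(t, gw_ip, old_mac, new_mac) for h, t in samples.items()}


if __name__ == "__main__":
    for host, verdict in audit(SAMPLES, GW_IP, OLD_MAC, NEW_MAC).items():
        print(f"{host}: {verdict}")
```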
