Cisco and ARP troubles

Eric Hagen ehagen at hawaii.edu
Thu Apr 12 02:49:41 PDT 2001


Warren,

If you are dealing with Cisco outside and switches inside, you should
always be able to ping.  In most cases that is still handled on a MAC
address to MAC. If it's not, then most systems allow you to do a MAC to MAC
test for connectivity and signal.

I would instead try to add a new "test system" on the same ethernet subnet
inside, running tcpdump to examine what is happening on the inside
network.

With all respect to your skills and knowledge, this really sounds like a
config problem with your internal NIC, or routing, or the firewall rules.
The easiest answer would be a sniffer on the internal LAN segment, or you
may be able to do the same with your switches depending on their
capabilities.  I use FORE, they suck, and it was not my choice. The same
result could be gotten just running tcpdump on your internal NIC to see
what it is receiving off of the LAN if you have it installed on the box.

If you don't figure it out real soon, let me know and I can hit up some of
my friends who will be able to give me a little more info from the
CISCO side.

Eric Hagen                  "Sometimes we get lost in the darkness,
ehagen at Hawaii.Edu         the dreamers learn to steer by the stars..."
                            "You fight for something because it is good.
                             Not because it stands to succeed."

On Wed, 11 Apr 2001, Warren Togami wrote:

> Jimen Ching wrote:
>
> > On Wed, 11 Apr 2001, Warren Togami wrote:
> > >Today I tried to replace my workplace's Cisco PIX firewall with a Linux
> > >iptables box, but the network seemed to refuse to let go of the old MAC
> > >attached to the IP address.  The campus network is entirely Cisco.  I
> > >thought it was the MAC address, so I tried to manually set the MAC on the
> > >Linux ethernet card to match the PIX interface.  It didn't work.
> >
> > What do you mean the network refuses to let go of the old MAC?  Do you
> > mean the hosts behind the firewall are still trying to send traffic to the
> > firewall using the MAC address of the Cisco PIX?
>
> Doh.  I may have had a brain lapse in something so obvious.  You may be
> right.  We also didn't have access to the Cisco CLI at the time.  I think
> "clear arp <IP address>" would do the trick.  This however doesn't explain
> why it didn't work when I forced the MAC address on the Linux box to match
> the PIX interface.  Is there more to this than simply matching the MAC?
>
> >
> > >I'm perplexed.  I know very little about the Cisco specific stuff.  Anyone
> > >have any clue what I'm doing wrong?
> >
> > If you are trying to get rid of the Cisco, why do you need to learn about
> > Cisco specific stuff?
> > Concerning ARP, the ARP table entries expire in either 10 or 30 minutes,
> > depending on the system.  If the ARP software works correctly, if the
> > firewall pings the hosts inside, the ARP table will be updated with the
> > new MAC address.  But I am still a little confused about the exact problem
> > you are having.
> >
>
> The Linux interface couldn't ping anything on the inside, with and without a
> forced matching MAC.  About "Cisco specific", I'm wondering if there's
> something proprietary between the Cisco PIX and switches beyond the MAC
> address that it uses to prevent hostile takeover of IP addresses.  I know
> very little about Cisco's stuff.
>
> Warren Togami
> warren at togami.com
>
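As an added illustration of the tcpdump check Eric recommends (this is not code from the thread or from either poster): a script that reads `tcpdump -e -n`-style lines captured on the inside segment and reports which hosts are still framing traffic to the retired PIX MAC (a stale ARP cache), whether anything besides the new box is answering ARP for the gateway IP, and which hosts have re-resolved it. The gateway IP, both MAC addresses and the capture lines are constructed sample values.

```python
"""Audit a `tcpdump -e -n` capture after swapping a LAN gateway (PIX -> Linux box):
stale senders, competing ARP claims for the gateway IP, and hosts that re-resolved."""
import re

# Constructed values for this example; the real ones come from the LAN in question.
GATEWAY_IP = "10.0.0.1"
OLD_MAC = "00:50:54:aa:bb:cc"  # retired PIX inside interface (hypothetical)
NEW_MAC = "00:0c:29:11:22:33"  # Linux iptables box inside NIC (hypothetical)

SAMPLE_CAPTURE = """\
12:00:01.000000 00:0c:29:11:22:33 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.50 tell 10.0.0.1, length 28
12:00:01.000400 00:11:22:33:44:55 > 00:0c:29:11:22:33, ethertype ARP (0x0806), length 60: Reply 10.0.0.50 is-at 00:11:22:33:44:55, length 46
12:00:02.000000 00:11:22:33:44:66 > 00:50:54:aa:bb:cc, ethertype IPv4 (0x0800), length 74: 10.0.0.51.1234 > 192.0.2.9.80: Flags [S], seq 1, win 64240, length 0
12:00:03.000000 00:11:22:33:44:77 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.1 tell 10.0.0.52, length 28
12:00:03.000300 00:50:54:aa:bb:cc > 00:11:22:33:44:77, ethertype ARP (0x0806), length 60: Reply 10.0.0.1 is-at 00:50:54:aa:bb:cc, length 46
12:00:03.000500 00:0c:29:11:22:33 > 00:11:22:33:44:77, ethertype ARP (0x0806), length 60: Reply 10.0.0.1 is-at 00:0c:29:11:22:33, length 46
"""

ETH_RE = re.compile(r"^\S+ (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), ethertype (?P<type>\w+)")
ARP_REPLY_RE = re.compile(r"Reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-f:]{17})")
ARP_REQUEST_RE = re.compile(r"Request who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)")

def parse_frame(line):  # -> src/dst MAC, ethertype, decoded ARP fields (or None)
    m = ETH_RE.match(line)
    if not m:
        return None
    frame = {"src": m["src"], "dst": m["dst"], "type": m["type"], "arp": None}
    if frame["type"] == "ARP":
        if r := ARP_REPLY_RE.search(line):
            frame["arp"] = ("reply", r["ip"], r["mac"])
        elif q := ARP_REQUEST_RE.search(line):
            frame["arp"] = ("request", q["target"], q["sender"])
    return frame

def audit_capture(capture, gateway_ip, old_mac, new_mac):
    stale, claims, re_resolving = set(), set(), set()
    for line in capture.splitlines():
        f = parse_frame(line)
        if f is None:
            continue
        if f["dst"] == old_mac:  # host still addresses the retired firewall
            stale.add(f["src"])
        if f["arp"] and f["arp"][1] == gateway_ip:
            if f["arp"][0] == "reply":  # someone claims the gateway IP
                claims.add(f["arp"][2])
            else:  # host is refreshing its cache entry for the gateway
                re_resolving.add(f["arp"][2])
    return {"stale_senders": sorted(stale),
            "conflicting_claims": sorted(claims - {new_mac}),
            "hosts_re_resolving": sorted(re_resolving)}
```

On the sample, the host at 00:11:22:33:44:66 is still sending to the old PIX MAC, and the old PIX MAC is still answering ARP for the gateway IP alongside the new box, which is exactly the situation a "clear arp" on the switch side or unplugging the PIX would resolve.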
