
Wednesday, January 14, 2015

Avoid tromboning effect on extended Datacenter

If we want to extend a datacenter between 2 sites, we have to have the same VLAN on both sites.
And because a virtual machine can be located in DC A or DC B, we cannot have a static path between the client and the server. If we consider the diagram below, we face a tromboning issue when a user on site B tries to reach a VM located in DC B.
The traffic follows the path:
client in site B -> router on DC B -> VM (vlan directly connected) -> Gateway in DC A -> Router DC B -> client in site B


However, the optimal path is:
client in site B -> router on DC B -> VM (vlan directly connected) -> Gateway in DC B -> Router DC B -> client in site B

In order to have this path, we have to have 2 active HSRP routers on the same VLAN.

This can be obtained by filtering HSRP traffic between the sites on the port-channel.
This can easily be done with the following PACL:

ip access-list extended HSRP-FILTER
 10 deny udp any 224.0.0.2 0.0.0.0 eq 1985
 20 deny udp any 224.0.0.102 0.0.0.0 eq 1985
 30 permit ip any any
!
interface port-channel 10
 access-group mode prefer port
 ip access-group HSRP-FILTER in

However, we will then have a duplicate IP address, and log messages will be generated.
On a Nexus, we can stop these log messages with the command below on the bvi:
no ip arp gratuitous hsrp duplicate

In my case, I was using Catalyst to interconnect my DC. Gratuitous ARPs are the source of my problem! These messages are sent by the routers to announce their IP address and the associated MAC address. To filter these messages, and all ARP coming from HSRP on the other site, you can use a PACL.
As we know how a MAC address is built in HSRP, this ACL filters all ARP messages whose source MAC address is an HSRP (v1 and v2) address:

mac access-list extended FILTER-ARP-HSRP
 deny 0000.0c07.ac00 0000.0000.00ff any
 deny 0000.0c9f.f000 0000.0000.0fff any
 permit any any
!
int po 10
 mac access-group FILTER-ARP-HSRP in
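
To check which source MACs the FILTER-ARP-HSRP entries above actually catch, here is an added example (not part of the original post) that builds HSRP virtual MACs from a version and group number and evaluates them against the same three ACL lines. The function names are hypothetical and the sample MACs are constructed for the test.

```python
# Added example: evaluates the FILTER-ARP-HSRP entries against a source MAC.
# In a Cisco wildcard mask, a 1 bit means "don't care" and a 0 bit must match.

ACL = [  # (action, base MAC, wildcard mask), copied from the PACL above
    ("deny", "0000.0c07.ac00", "0000.0000.00ff"),    # HSRPv1: last byte = group
    ("deny", "0000.0c9f.f000", "0000.0000.0fff"),    # HSRPv2: last 12 bits = group
    ("permit", "0000.0000.0000", "ffff.ffff.ffff"),  # permit any any
]

def mac_to_int(mac):
    """Accept Cisco dotted, colon or dash notation."""
    digits = "".join(c for c in mac if c not in ".:-")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return int(digits, 16)

def int_to_cisco(value):
    h = f"{value:012x}"
    return ".".join(h[i:i + 4] for i in (0, 4, 8))

def hsrp_vmac(version, group):
    """Virtual MAC used by an HSRP group (v1: 0-255, v2: 0-4095)."""
    if version == 1 and 0 <= group <= 255:
        return int_to_cisco(0x00000C07AC00 | group)
    if version == 2 and 0 <= group <= 4095:
        return int_to_cisco(0x00000C9FF000 | group)
    raise ValueError("group out of range for this HSRP version")

def evaluate(src_mac):
    """Return the action of the first ACL entry matching the source MAC."""
    src = mac_to_int(src_mac)
    for action, base, wildcard in ACL:
        care = ~mac_to_int(wildcard) & 0xFFFFFFFFFFFF
        if (src & care) == (mac_to_int(base) & care):
            return action
    return "deny"  # implicit deny, unreachable here because of permit any any

if __name__ == "__main__":
    # Constructed samples: two virtual MACs, one physical MAC, one near miss.
    for mac in (hsrp_vmac(1, 10), hsrp_vmac(2, 4095),
                "000c.2928.4c53", "0000.0c07.ab0a"):
        print(mac, evaluate(mac))
```

Frames sourced from a router's physical (burned-in) MAC are still permitted; only frames sourced from the HSRP virtual MACs are dropped on the port-channel.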

Tuesday, March 13, 2012

Good bye ARP, welcome ICMPv6

Today I was working on an IPv6 lab. I wanted to discover the relation between a MAC address and an IP address. So, on the Windows machine I executed the command 'arp -a'. It's a bad reflex. Why? ARP no longer exists in IPv6. The equivalent is now done with ICMPv6. So to discover the correlation between MAC and IP address we have to use these commands:
  • On a Windows laptop:
C:\Users\Administrator>netsh interface ipv6 show neighbors 14

Interface 14: LAB

Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
fe80::2                                       00-14-1c-c9-d9-a8  Stale (Router)
fe80::214:1cff:fec9:d9a8                      00-14-1c-c9-d9-a8  Stale (Router)
ff02::2                                       33-33-00-00-00-02  Permanent
ff02::5                                       33-33-00-00-00-05  Permanent
ff02::c                                       33-33-00-00-00-0c  Permanent
ff02::16                                      33-33-00-00-00-16  Permanent
ff02::1:2                                     33-33-00-01-00-02  Permanent
ff02::1:3                                     33-33-00-01-00-03  Permanent
ff02::1:ff00:2                                33-33-ff-00-00-02  Permanent
ff02::1:ff00:d                                33-33-ff-00-00-0d  Permanent
ff02::1:ff00:f                                33-33-ff-00-00-0f  Permanent
ff02::1:ff08:c77                              33-33-ff-08-0c-77  Permanent
ff02::1:ffae:564d                             33-33-ff-ae-56-4d  Permanent
ff02::1:ffc9:d9a8                             33-33-ff-c9-d9-a8  Permanent

  
  • On a Linux laptop (has to be validated):
ip -f inet6 neigh show

  • On a Cisco router:
R2#show ipv6 neighbors
IPv6 Address                              Age Link-layer Addr State Interface
FE80::4491:69A9:39F3:7344                   5 000c.2928.4c53  STALE Fa0/0
2001:DB9:1:1:DD52:657C:D340:F2FF           19 000c.2980.fc6c  STALE Fa0/0
2001:DB9:1:1:B140:2298:3E92:A99B            6 000c.2928.4c53  STALE Fa0/0
FE80::1                                     4 0016.479a.f630  STALE Fa0/0
FE80::20C:29FF:FE80:FC6C                   19 000c.2980.fc6c  STALE Fa0/0
2001:DB9:1:1::1                            22 0016.479a.f630  STALE Fa0/0