From: Todd, Douglas M. (DTODD@PARTNERS.ORG)
Date: Wed Apr 11 2007 - 15:00:16 ART
Ian:
I would avoid doing ANY debug in any production environment if you can not afford
downtime. The hsrp mac address is a minor outage for those devices which are
using that ip as a gateway.
However, to make sure you don't cause any issues I would run a trace on the
segment and filter on the ip address you are looking for. This is the "safest"
method of any. This may take a while, but you will at least find those users
using it as the gw.
Lastly, having been in the same boat as you. There is no easy solution. We could
not change all devices on the segments with wrong gws or even no gws, so we had
to enable proxy-arp. Really ugly, but it resolved the problem and made sure that
devices would work even with the wrong gateway or no gateway.
DMT
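
The capture-and-filter approach suggested above works because an ARP request carries the gateway IP the host is configured with in its target field, even though 10.10.10.253 and 10.10.10.254 answer with the same HSRP MAC. The following is an added example, not part of the original thread: it parses raw Ethernet frames and lists the hosts ARPing for a given gateway IP. The function names and the sample frames are constructed for illustration, and untagged Ethernet frames are assumed.

```python
import socket
import struct
from collections import defaultdict

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp_request(frame):
    """Return (sender_mac, sender_ip, target_ip) for an ARP request, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None  # too short, or not ARP (untagged Ethernet assumed)
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper != 1:
        return None  # not Ethernet/IPv4 ARP, or a reply rather than a request
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return mac_str(sha), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

def hosts_arping_for(frames, gateway_ip):
    """Map sender IP -> sender MACs for hosts that ARP for gateway_ip."""
    hosts = defaultdict(set)
    for frame in frames:
        parsed = parse_arp_request(frame)
        if parsed is None:
            continue
        sender_mac, sender_ip, target_ip = parsed
        # Sender == target is a gratuitous ARP (e.g. from the HSRP router
        # itself), not a host looking for its gateway.
        if target_ip == gateway_ip and sender_ip != gateway_ip:
            hosts[sender_ip].add(sender_mac)
    return {ip: sorted(macs) for ip, macs in hosts.items()}

def build_arp(sender_mac, sender_ip, target_ip, oper=1):
    """Build a constructed ARP frame for the sample data below."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    eth = b"\xff" * 6 + sha + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sha
    arp += socket.inet_aton(sender_ip) + b"\x00" * 6 + socket.inet_aton(target_ip)
    return eth + arp

# Constructed sample capture using the addresses from this thread.
SAMPLE_FRAMES = [
    build_arp("00:0a:e4:b9:c7:8b", "10.10.10.100", "10.10.10.253"),  # wrong gw
    build_arp("00:0a:e4:aa:bb:cc", "10.10.10.101", "10.10.10.254"),  # correct gw
    build_arp("00:00:0c:07:ac:02", "10.10.10.253", "10.10.10.253"),  # gratuitous
    build_arp("00:00:0c:07:ac:02", "10.10.10.253", "10.10.10.100", oper=2),  # reply
]

if __name__ == "__main__":
    for ip, macs in hosts_arping_for(SAMPLE_FRAMES, "10.10.10.253").items():
        print(ip, ", ".join(macs))
```

A host only shows up once its cached ARP entry for the gateway expires and it re-ARPs, so the capture has to run long enough to cover the hosts' ARP cache timeouts.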
________________________________
From: Ian Blaney [mailto:ian.blaney@gmail.com]
Sent: Wednesday, April 11, 2007 1:53 PM
To: Todd, Douglas M.
Cc: Karl Brenner; ccielab@groupstudy.com
Subject: Re: HSRP - Default Gateway
Douglas, Craig and all
It's a HIGH availability environment. I will get lynched to the nearest
tree if there is any downtime. I cannot make any changes which will bring the
interface down even for a second.
My heart was beating like after a 100m sprint even when I was doing a
debug arp on the router.
With the debug arp I can see some devices arping for the gateway address
but I presume a lot of the hosts will already have an entry in their cache. I
would have to physically clear the arp cache on all machines.
Ian
On 4/11/07, Todd, Douglas M. <DTODD@partners.org> wrote:
Ian:
Good point, we are assuming that we are going to ping from the closest router to
the host (local segment). If you are a hop or few hops back the host you are
pinging will send the traffic default gateway and not the physical address.
Change the virtual mac address on one of the standby groups:
int vlan 112
standby mac-address 0000:dead:beaf
DMT
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> Behalf Of Ian Blaney
> Sent: Wednesday, April 11, 2007 12:47 PM
> To: Karl Brenner
> Cc: ccielab@groupstudy.com
> Subject: Re: HSRP - Default Gateway
>
> Karl
>
> An ACL on the IP address of the HSRP physical/virtual will
> not work as the destination address will always be the same
> and will never be the actual HSRP IP address. For example if
> I do a ping from a remote subnet to a machine that I am
> trying to find the default gateway of. The icmp reply Layer 3
> IP header will always have the IP address of the remote
> destination so it will never be matched on the ACL. It's only
> the layer 2 headers that change. Someone correct me here if
> I am talking out my ar*e.
>
> Saying the layer 2 header changes my initial question was not
> quite correct.
> This is a sample of the config
>
> interface Vlan122
> ip address 10.10.10.251 255.255.255.0
> standby 2 ip 10.10.10.254
> standby 2 ip 10.10.10.253 secondary
> standby 2 priority 200
> standby 2 preempt
>
> As a temporary workaround the line "standby 2 ip 10.10.10.253
> secondary" was added as some hosts had the wrong default
> gateway of 10.10.10.253 instead of 10.10.10.254. The company
> want to take this out now but before they want to find all
> hosts with the wrong IP address ie .253. The problem is when
> I do a show ip arp
>
> TestLab#sh ip arp vlan 122
> Protocol  Address       Age (min)  Hardware Addr   Type  Interface
> Internet  10.10.10.100  35         000a.e4b9.c78b  ARPA  Vlan122
> Internet  10.10.10.251  -          0050.80ce.d200  ARPA  Vlan122
> Internet  10.10.10.253  -          0000.0c07.ac02  ARPA  Vlan122 <---
> Internet  10.10.10.254  -          0000.0c07.ac02  ARPA  Vlan122 <---
>
> You see that both .253 and .254 have the same mac address ie
> reserved HSRP mac address 00-00-0c-07-ac-xx where xx is the
> standby group number. I cannot even sniff and filter on mac
> address as they have the same mac address.
>
> Anyone have any ideas.
>
> Ian
>
> PS It would be great if we could use DHCP but there are some
> really old specialized machines where DHCP is not available
> and the only option is to statically configure the IP information
>
>
>
> On 4/11/07, Karl Brenner <karl.brenner@morenet.biz> wrote:
> >
> > Hi Ian,
> >
> > I've to recall my previous mail. You can't get the info you're after
> > with an ACL. I can't think of anything else than sniffing for the arp
> > requests. Don't you use a DHCP server for the subnet to manage IP
> > addressing centrally?
> >
> > Karl
>
The information transmitted in this electronic communication is
intended only for the person or entity to whom it is addressed and may contain
confidential and/or privileged material. Any review, retransmission,
dissemination or other use of or taking of any action in reliance upon this
information by persons or entities other than the intended recipient is
prohibited. If you received this information in error, please contact the
Compliance HelpLine at 800-856-1983 and properly dispose of this information.
This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:35 ART