Re: HSRP - Default Gateway

From: Craig Tompkins (sidalo@gmail.com)
Date: Wed Apr 11 2007 - 16:00:45 ART


Ian,

Well you can certainly go and touch every machine, lol
Changing to the two group scenario shouldn't have much effect, but if it is
as sensitive as you say then look into scripting from the hosts or server
side.
Do users log into all of the machines? What kind of hosts are they?

For Windows users logging into domain you might be able to:
Add a .bat file logon script that does a "route print" and pipes the output
to a shared file location, just make sure the shared file is mapped before
the route print command via a NET USE command.

This will give you the MAC addresses and show you the default gateways for
all of the hosts routes

If you don't have access to the servers, then coordinate with who does and
they may even have a better idea to get the info via script.

On 4/11/07, Ian Blaney <ian.blaney@gmail.com> wrote:
>
> Douglas, Craig and all
>
> It's a HIGH availability environment. I will get lynched to the nearest
> tree if there is any downtime. I cannot make any changes which will bring
> the interface down even for a second.
>
> My heart was beating like after a 100m sprint even when I was doing a
> debug arp on the router.
>
> With the debug arp I can see some devices arping for the gateway address
> but I presume a lot of the hosts will already have an entry in their cache.
> I would have to physically clear the arp cache on all machines.
>
> Ian
>
>
> On 4/11/07, Todd, Douglas M. <DTODD@partners.org> wrote:
> >
> > Ian:
> >
> > Good point, we are assuming that we are going to ping from the closest
> > router to the host(local segment). If you are a hop or few hops back the
> > host you are pinging will send the traffic default gateway and not the
> > physical address.
> >
> > Change the virtual mac address on one of the standby groups:
> >
> > int vlan 112
> > standby mac-address 0000.dead.beaf
> >
> >
> > DMT
> >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > > Behalf Of Ian Blaney
> > > Sent: Wednesday, April 11, 2007 12:47 PM
> > > To: Karl Brenner
> > > Cc: ccielab@groupstudy.com
> > > Subject: Re: HSRP - Default Gateway
> > >
> > > Karl
> > >
> > > An ACL on the IP address of the HSRP physical/virtual will
> > > not work as the destination address will always be the same
> > > and will never be the actual HSRP IP address. For example if
> > > I do a ping from a remote subnet to a machine that I am
> > > trying to find the default gateway of. The icmp reply Layer 3
> > > IP header will always have the IP address of the remote
> > > destination so it will never be matched on the ACL. It's only
> > > the layer 2 headers that changes. Someone correct me here if
> > > I am talking out my ar*e.
> > >
> > > Saying the layer 2 header changes my initial question was not
> > > quite correct.
> > > This is a sample of the config
> > >
> > > interface Vlan122
> > > ip address 10.10.10.251 255.255.255.0
> > > standby 2 ip 10.10.10.254
> > > standby 2 ip 10.10.10.253 secondary
> > > standby 2 priority 200
> > > standby 2 preempt
> > >
> > > As a temporary workaround the line "standby 2 ip 10.10.10.253
> > > secondary" was added as some hosts had the wrong default
> > > gateway of 10.10.10.253 instead of 10.10.10.254. The company
> > > want to take this out now but before they want to find all
> > > hosts with the wrong IP address ie .253. The problem is when
> > > I do a show ip arp
> > >
> > > TestLab#sh ip arp vlan 122
> > > Protocol  Address        Age (min)  Hardware Addr   Type  Interface
> > > Internet  10.10.10.100          35  000a.e4b9.c78b  ARPA  Vlan122
> > > Internet  10.10.10.251           -  0050.80ce.d200  ARPA  Vlan122
> > > Internet  10.10.10.253           -  0000.0c07.ac02  ARPA  Vlan122 <---
> > > Internet  10.10.10.254           -  0000.0c07.ac02  ARPA  Vlan122 <---
> > >
> > > You see that both .253 and .254 have the same mac address ie
> > > reserved HSRP mac address 00-00-0c-07-ac-xx where xx is the
> > > standby group number. I cannot even sniff and filter on mac
> > > address as they have the same mac address.
> > >
> > > Anyone have any ideas.
> > >
> > > Ian
> > >
> > > PS It would be great if we could use DHCP but there are some
> > > really old specialized machines where DHCP is not available
> > > and the only option is to statically configure the IP information
> > >
> > >
> > >
> > > On 4/11/07, Karl Brenner <karl.brenner@morenet.biz> wrote:
> > > >
> > > > Hi Ian,
> > > >
> > > > I've to recall my previous mail. You can't get the info you're
> > > > after with an ACL. I can't think of anything else than sniffing
> > > > for the arp requests. Don't you use a DHCP server for the subnet
> > > > to manage IP addressing centrally?
> > > >
> > > > Karl
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> > >

-- 
Craig Tompkins
CCIE #16921
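
Once a logon script has dropped each host's "route print" output on the share, the collected files can be checked for the stale .253 gateway and matched against "show ip arp" by MAC. The following is an added example, not part of the original message; the function names, file names and sample reports are constructed, and the report layout is an assumption modelled on Windows XP-era "route print" output.

```python
import re

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# Active-route row: destination, netmask, gateway, interface, metric.
ROUTE_ROW = re.compile(rf"^\s*({IPV4})\s+({IPV4})\s+({IPV4})\s+({IPV4})\s+\d+\s*$")
# Interface-list row (assumed layout): "0x2 ...00 0a e4 b9 c7 8b ...... NIC name"
MAC_ROW = re.compile(r"\.\.\.((?:[0-9a-fA-F]{2} ){5}[0-9a-fA-F]{2}) ")

def default_routes(report):
    """Return (interface_ip, gateway) for every 0.0.0.0/0 route in one report."""
    routes = []
    for line in report.splitlines():
        m = ROUTE_ROW.match(line)
        if m and m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0":
            routes.append((m.group(4), m.group(3)))
    return routes

def macs(report):
    """Return interface MACs in Cisco dotted form, to compare with 'show ip arp'."""
    found = []
    for raw in MAC_ROW.findall(report):
        h = raw.replace(" ", "").lower()
        found.append(f"{h[0:4]}.{h[4:8]}.{h[8:12]}")
    return found

def hosts_using(reports, gateway):
    """Map report name -> (interface_ip, macs) for hosts defaulting to `gateway`."""
    hits = {}
    for name, text in reports.items():
        for iface, gw in default_routes(text):
            if gw == gateway:
                hits[name] = (iface, macs(text))
    return hits

# Constructed sample reports; real ones would be read from the shared folder.
TEMPLATE = """Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...{mac} ...... Example NIC
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     {gw}    {ip}      20
       10.10.10.0    255.255.255.0     {ip}    {ip}      20
Default Gateway:      {gw}
"""
SAMPLE = {
    "host-a.txt": TEMPLATE.format(mac="00 0a e4 b9 c7 8b", gw="10.10.10.253", ip="10.10.10.100"),
    "host-b.txt": TEMPLATE.format(mac="00 0a e4 00 00 01", gw="10.10.10.254", ip="10.10.10.101"),
}

if __name__ == "__main__":
    for name, (ip, mac_list) in hosts_using(SAMPLE, "10.10.10.253").items():
        print(name, ip, ", ".join(mac_list))
```
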


This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:35 ART