From: Ian Blaney (ian.blaney@gmail.com)
Date: Wed Apr 11 2007 - 17:17:03 ART
Thanks Douglas
Maybe that's something I can work on.
I do not even have to change the mac address of standby group 2. It should
have 0000.0c07.ac02 while standby group 1 will have 0000.0c07.ac01. I can
then run a ping sweep on the subnet and filter the sniffer on
0000.0c07.ac02, which should hopefully give me all the hosts with the
wrong default gateway.
Ian
On 4/11/07, Todd, Douglas M. <DTODD@partners.org> wrote:
>
> Rack1R1#sh standby br
>                      P indicates configured to preempt.
>                      |
> Interface   Grp Pri P State    Active          Standby         Virtual IP
> Fa0/0       1   100   Active   local           unknown         183.1.17.2
> Fa0/0       2   100   Active   local           unknown         183.1.17.254
> Here is what I ran in the lab -
>
> interface FastEthernet0/0
> ip address 183.1.17.1 255.255.255.0
> duplex auto
> speed auto
> standby 1 ip 183.1.17.2
> standby 2 ip 183.1.17.254
> standby 2 mac-address 0000.0dea.dbef
> end
>
>
> Rack1R1#
> Rack1R1#
> Rack1R1#sh ip arp
> Protocol  Address          Age (min)  Hardware Addr   Type   Interface
> Internet  183.1.17.1              -   0002.fd8d.80f0  ARPA   FastEthernet0/0
> Internet  183.1.17.2              -   0000.0c07.ac01  ARPA   FastEthernet0/0
> Internet  183.1.17.7             36   000b.4617.7900  ARPA   FastEthernet0/0
> Internet  183.1.17.254            -   0000.0dea.dbef  ARPA   FastEthernet0/0
> Rack1R1#sh run int f0/0
> Building configuration...
>
> Current configuration : 185 bytes
> !
>
>
> Rack1R1#ping 183.1.17.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 183.1.17.2, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
> Rack1R1#ping 183.1.17.254
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 183.1.17.254, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
> Rack1R1#
>
> It seems to work well in the lab - anyone see this type of configuration not
> working in production?
>
> DMT
>
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On
> > Behalf Of Ian Blaney
> > Sent: Wednesday, April 11, 2007 1:59 PM
> > To: Greg Wendel
> > Cc: Jian Gu; Karl Brenner; ccielab@groupstudy.com
> > Subject: Re: HSRP - Default Gateway
> >
> > Greg
> >
> > This changes the mac address for both IPs so I am back to square one again.
> >
> > test(config)#int vlan 122
> > test(config-if)#standby 2 mac-address 1111.1111.1111
> > test(config-if)#
> > *Apr 11 17:15:43: %STANDBY-6-STATECHANGE: Standby: 2: Vlan122 state Active -> Listen
> > *Apr 11 17:16:03: %STANDBY-6-STATECHANGE: Standby: 2: Vlan122 state Speak -> Standby
> > *Apr 11 17:16:03: %STANDBY-6-STATECHANGE: Standby: 2: Vlan122 state Standby -> Active
> >
> > test#sh ip arp vlan 122
> > Protocol Address Age (min) Hardware Addr Type Interface
> > Internet 10.10.10.100 28 000a.e4b9.c78b ARPA Vlan122
> > Internet 10.10.10.251 - 0050.80ce.d200 ARPA Vlan122
> > Internet 10.10.10.253 - 1111.1111.1111 ARPA Vlan122
> > Internet 10.10.10.254 - 1111.1111.1111 ARPA Vlan122
> >
> >
> >
> > On 4/11/07, Greg Wendel <gwendel@gmail.com> wrote:
> > >
> > > Can you try to do this to force the secondary standby group to use a
> > > different MAC?
> > >
> > > Rack1R1(config-if)#int f0/0
> > > Rack1R1(config-if)#standby 111 mac-address abc.abc.abc
> > > Rack1R1(config-if)#
> > >
> > >
> > > On 4/11/07, Jian Gu <guxiaojian@gmail.com> wrote:
> > >
> > > > Can't you simply turn on debug arp and clear arp to see what are
> > > > those hosts are sending ARP requests to physical IP address?
> > > >
> > > > On 4/11/07, Ian Blaney <ian.blaney@gmail.com> wrote:
> > > > >
> > > > > Karl
> > > > >
> > > > > An ACL on the IP address of the HSRP physical/virtual will not
> > > > > work as the destination address will always be the same and will
> > > > > never be the actual HSRP IP address. For example if I do a ping
> > > > > from a remote subnet to a machine that I am trying to find the
> > > > > default gateway of. The icmp reply Layer 3 IP header will always
> > > > > have the IP address of the remote destination so it will never be
> > > > > matched on the ACL. It's only the layer 2 header that changes.
> > > > > Someone correct me here if I am talking out my ar*e.
> > > > >
> > > > > Saying the layer 2 header changes my initial question was not
> > > > > quite correct.
> > > > > This is a sample of the config
> > > > >
> > > > > interface Vlan122
> > > > >  ip address 10.10.10.251 255.255.255.0
> > > > >  standby 2 ip 10.10.10.254
> > > > >  standby 2 ip 10.10.10.253 secondary
> > > > >  standby 2 priority 200
> > > > >  standby 2 preempt
> > > > >
> > > > > As a temporary workaround the line "standby 2 ip 10.10.10.253
> > > > > secondary" was added as some hosts had the wrong default gateway
> > > > > of 10.10.10.253 instead of 10.10.10.254. The company want to take
> > > > > this out now but before they want to find all hosts with the
> > > > > wrong IP address ie .253. The problem is when I do a show ip arp
> > > > >
> > > > > TestLab#sh ip arp vlan 122
> > > > > Protocol  Address          Age (min)  Hardware Addr   Type   Interface
> > > > > Internet  10.10.10.100           35   000a.e4b9.c78b  ARPA   Vlan122
> > > > > Internet  10.10.10.251            -   0050.80ce.d200  ARPA   Vlan122
> > > > > Internet  10.10.10.253            -   0000.0c07.ac02  ARPA   Vlan122 <---
> > > > > Internet  10.10.10.254            -   0000.0c07.ac02  ARPA   Vlan122 <---
> > > > >
> > > > > You see that both .253 and .254 have the same mac address ie
> > > > > reserved HSRP mac address 00-00-0c-07-ac-xx where xx is the
> > > > > standby group number. I cannot even sniff and filter on mac
> > > > > address as they have the same mac address.
> > > > >
> > > > > Anyone have any ideas.
> > > > >
> > > > > Ian
> > > > >
> > > > > PS It would be great if we could use DHCP but there are some
> > > > > really old specialized machines where DHCP is not available and
> > > > > the only option is to statically configure the IP information
> > > > >
> > > > >
> > > > >
> > > > > On 4/11/07, Karl Brenner <karl.brenner@morenet.biz> wrote:
> > > > > >
> > > > > > Hi Ian,
> > > > > >
> > > > > > I've to recall my previous mail. You can't get the info you're
> > > > > > after with an ACL. I can't think of anything else than sniffing
> > > > > > for the arp requests. Don't you use a DHCP server for the
> > > > > > subnet to manage IP addressing centrally?
> > > > > >
> > > > > > Karl
> > > > >
> > > > >
> > > >
> > > > > _______________________________________________________________________
> > > > > Subscription information may be found at:
> > > > > http://www.groupstudy.com/list/CCIELab.html
> > > >
> > > >
> > > >
> > > >
> > > >
> > >
> > >
> > > --
> > > Gregory Wendel
> > > Springfield VA, 22153
> >
> >
>
This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:35 ART
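
The capture filter described at the top of this message, as an added example that is not part of the original thread: it keeps only IPv4 frames addressed to one HSRP group's virtual MAC and lists the local hosts that sent them. It assumes HSRPv1 MAC numbering, untagged Ethernet II frames, and that group 2 carries the wrong gateway address; the function names, the 0200.0000.00xx MACs and the 192.0.2.10 sweep source are constructed.

```python
import ipaddress
import struct

def cisco_mac(text):
    """Convert Cisco dotted notation (0000.0c07.ac02) to 6 raw bytes."""
    raw = bytes.fromhex(text.replace(".", ""))
    if len(raw) != 6:
        raise ValueError("not a 48-bit MAC: " + text)
    return raw

def hsrp_v1_vmac(group):
    """HSRPv1 virtual MAC 0000.0c07.acXX, where XX is the group number."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group must be 0-255")
    return bytes.fromhex("00000c07ac") + bytes([group])

def hosts_using_gateway(frames, gateway_mac, subnet):
    """Map source IP -> source MAC for local hosts sending IPv4 to gateway_mac."""
    net = ipaddress.ip_network(subnet)
    found = {}
    for frame in frames:
        if len(frame) < 34:  # 14-byte Ethernet II + 20-byte minimum IPv4 header
            continue
        dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
        if dst != gateway_mac or ethertype != 0x0800:
            continue  # other gateway, or not IPv4 (e.g. ARP)
        src_ip = ipaddress.ip_address(frame[26:30])
        if src_ip in net:  # ignore anything not sourced from the audited subnet
            found[str(src_ip)] = src.hex(":")
    return found

def sample_frame(dst, src, src_ip, dst_ip, ethertype=0x0800):
    """Constructed Ethernet II frame with a bare 20-byte IPv4 header (test data)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    return cisco_mac(dst) + cisco_mac(src) + struct.pack("!H", ethertype) + ip

def demo():
    # Constructed capture: replies to a sweep from 192.0.2.10 (documentation range).
    g1, g2 = "0000.0c07.ac01", "0000.0c07.ac02"
    frames = [
        sample_frame(g2, "000a.e4b9.c78b", "10.10.10.100", "192.0.2.10"),
        sample_frame(g1, "0200.0000.0065", "10.10.10.101", "192.0.2.10"),
        sample_frame(g2, "0200.0000.0066", "10.10.10.102", "192.0.2.10"),
        sample_frame(g2, "0200.0000.0067", "10.10.10.103", "192.0.2.10", 0x0806),
        cisco_mac(g2) + cisco_mac("0200.0000.0068"),  # truncated frame
    ]
    return hosts_using_gateway(frames, hsrp_v1_vmac(2), "10.10.10.0/24")
```

The sweep has to originate from another subnet, as in the earlier message in this thread, so that the replies are forwarded through whichever gateway each host has configured.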