two ip two gateway

QFX527518
Level 1

One Unix server has two adapters, so the user configured two IPs and two default gateways, like 10.10.1.1 with gw 10.10.1.254 and 10.10.2.1 with gw 10.10.2.254. Now, sometimes some users cannot access the Unix server. Why?

If we delete the 10.10.2.254 default gateway, other users can still ping 10.10.2.1. Why?

8 Replies

Giuseppe Larosa
Hall of Fame

Hello Qing,

>> If we delete the 10.10.2.254 default gateway, other users can still ping 10.10.2.1. Why?

If you delete the default gateway 10.10.2.254, the gateway is still there and can reach it.

Proxy ARP can play a role in why the return traffic is successful; verify on the router interface whether it is enabled with

sh ip interface type x/y

Look for the Proxy ARP line and check whether it says enabled.

About the first question:

Verify the security configurations on the server itself.

Hope to help

Giuseppe

Thanks.

Now the Unix server defines two IPs and two default gateways, and the Unix root deleted one gateway, 10.10.2.254.

But the client can still ping 10.10.2.1.

The connection is Unix server -> switch (L2) -> switch (L3). Normally, if a computer deletes its default gateway, only the same subnet can ping it; other subnets can't ping it.

Hello Qing,

>> Normally, if a computer deletes its default gateway, only the same subnet can ping it; other subnets can't ping it.

This depends on the proxy-ARP settings on the router device:

it means a device without a gateway tries to ARP for any IP address, also outside the local subnet, and the router, if proxy-ARP is enabled, answers with its own MAC address if it knows how to reach the destination address.

In your case the Unix box could do something similar, allowing IP 10.10.2.1 to be reached from the other subnet.

You should find out what path the packets take in both directions to understand why this happens.

Hope to help

Giuseppe

Thanks.

The Unix box's own IPs are 10.10.1.1 and 10.10.2.1. The box connects to the L2 switch; one port is in VLAN 101, the other port in VLAN 102. The L3 switch defines VLANs 101 and 102 with IP addresses 10.10.1.254 and 10.10.2.254. Checking ip int vlan 101 and 102, Proxy ARP is disabled and Local Proxy ARP is disabled.

So if we delete the Unix gateway 10.10.2.254, other users can still ping 10.10.2.1; the Unix host uses the 10.10.1.254 default gateway to respond to the ping to 10.10.2.1. Is that all right?

You can do a tcpdump on your Unix host to see how it's responding to the pings.

Today I captured the ICMP packets and the telnet traffic. The result is like this:

1: On the Unix box, after deleting the 10.10.2.254 default gateway, users can still ping 10.10.2.1. 10.10.2.1 receives the ICMP echo, and the reply goes out through 10.10.1.1, so the request and reply do not take the same path. The telnet behaviour is like the ping.

If we capture the flow of the 10.10.1.1 port with a sniffer, we find the response packet's MAC address is that of the 10.10.1.1 port adapter, but the IP address is 10.10.2.1.

So I think the Unix host uses IP forwarding to complete it.

Hello Qing,

So it is the Unix box that answers back on the interface with IP address 10.10.1.1, where it has its only default gateway.

The source MAC address has to be that of the outgoing NIC, so what you see is correct.

Hope to help

Giuseppe

Thanks.

Yes, it is correct.

But now how to resolve the problem? The user does not want 10.10.2.1 to use the NIC (10.10.1.1) MAC to communicate. On the switch, which way can prevent this from happening?

Thanks.
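The asymmetric reply captured above (echo request arrives on the 10.10.2.1 NIC, echo reply leaves the 10.10.1.1 NIC with that NIC's MAC) is the normal behaviour of a host with a single default route: the kernel picks the outgoing interface from the destination, not from the source address. The fix that actually answers the last question is on the host, not the switch: source-based policy routing gives each NIC its own routing table and default gateway, selected by the packet's source address. The script below is an added example, not code from the thread or from any participant; the interface names eth0/eth1 and the table numbers 101/102 are assumptions, while the addresses and gateways are the ones from the thread. It targets Linux iproute2; on other Unix flavours the equivalent is per-FIB or setfib-style routing. DRY_RUN=1 (the default) only prints the commands so they can be reviewed; DRY_RUN=0 executes them and needs root.

```shell
#!/bin/sh
# Added example (not from the thread): source-based policy routing on a
# multihomed Linux host so that a reply sourced 10.10.2.1 always leaves the
# NIC that owns 10.10.2.1, via that NIC's own gateway.
# Assumptions: eth0 carries 10.10.1.1 (VLAN 101), eth1 carries 10.10.2.1
# (VLAN 102); routing tables 101 and 102 are free.
DRY_RUN="${DRY_RUN:-1}"

# run CMD...: print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# add_source_route IFACE ADDR SUBNET GW TABLE
# Builds a per-interface table holding the connected subnet and its own
# default gateway, then adds a rule so that any packet whose source address
# is ADDR is routed with that table instead of the main table.
add_source_route() {
  iface=$1; addr=$2; subnet=$3; gw=$4; table=$5
  run ip route add "$subnet" dev "$iface" src "$addr" table "$table"
  run ip route add default via "$gw" dev "$iface" table "$table"
  run ip rule add from "$addr" lookup "$table"
}

# Both NICs from the thread. The main table can keep a single default
# gateway for traffic the host originates itself; replies to inbound
# connections carry the address they were received on as source, so the
# rules above steer them back out the matching NIC.
policy_routing() {
  add_source_route eth0 10.10.1.1 10.10.1.0/24 10.10.1.254 101
  add_source_route eth1 10.10.2.1 10.10.2.0/24 10.10.2.254 102
}

# Verification, same check the poster did with a sniffer: tcpdump -e prints
# link-layer addresses. After the change, no packet with IP source 10.10.2.1
# should appear on eth0 at all; on eth1 it carries eth1's MAC.
capture_replies() {
  run tcpdump -e -n -i eth0 'icmp and src host 10.10.2.1'
}

policy_routing
capture_replies
```

On the Cisco L3 switch side, the equivalent enforcement is strict unicast RPF on the SVI (`ip verify unicast source reachable-via rx` under `interface Vlan101`): a packet sourced 10.10.2.1 arriving on VLAN 101 fails the check because the switch's best route to 10.10.2.1 is the connected VLAN 102, so the reply is dropped rather than forwarded. That stops the host from communicating through the wrong NIC, which is what the user asked for, but it does not make the host reply on the right one; users of 10.10.2.1 stay unreachable until the host-side policy routing is in place.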
