
Does CSS answer arp request to VIP addresses?

csco10306685
Level 1

It seems that CSS doesn't answer ARP requests for the VIP addresses it has configured. I wasn't able yet to sniff the traffic in order to confirm this suspicion, but the fact is that I have to add a static route destined to the VIP address in a Firewall-1 that is before the CSS11150 to make things work. The Firewall-1 and the CSS have interfaces in the same IP network, and the static route added in Firewall-1 has a real IP address of the CSS as its gateway.

Does it make any sense that CSS doesn't answer ARP requests for VIP addresses?


Gilles Dufour
Cisco Employee

The CSS does answer ARP requests for the VIP address.

It will respond with its own physical address, or the virtual MAC address if you have configured redundancy.

Are you sure the VIP address is part of the subnet?

No ARP requests are sent for addresses outside the subnet.

Gilles.

Gilles,

First of all, thank you very much for your response. Well, I'm not sure if I understood your question, so I can't assure whether the VIP address is part of the subnet or not. Anyway, if you could take a look at the configuration of my CSS, maybe you can identify it. The VIP address is 200.152.40.29 and the IP address of Firewall-1 is 200.152.40.1. There's a circuit VLAN1 with IP address 200.152.40.231/24. In another subnet (10.121.0.0/23) resides the server to which the CSS directs traffic that comes to the VIP address. Here is the config of my CSS:

!************************** CIRCUIT ***********
circuit VLAN1
  redundancy
  description "Rede 1"
  ip address 200.152.40.231 255.255.255.0
circuit VLAN3
  redundancy
  description "VLAN 3 - DMZ X"
  ip address 10.121.2.231 255.255.255.0
circuit VLAN4
  redundancy
  description "VLAN 4 - DMZ XPTO"
  ip address 10.121.0.231 255.255.254.0
circuit VLAN8
  description "HeartBeat"
  ip address 172.16.1.1 255.255.255.0
    redundancy-protocol
!************************** SERVICE **************************
service XPTO
  ip address 10.121.0.29
  keepalive type tcp
  keepalive port 25
  active
!*************************** OWNER ***************************
owner SMTP
  content SMTP
    vip address 200.152.40.29
    add service XPTO
    protocol tcp
    port 25
    active
!*************************** GROUP ***************************
group SMTP
  vip address 200.152.40.29
  add service XPTO
  active

The CSS should answer ARP requests sent in VLAN 1 for the VIP address. No need for a static route.

Capture a sniffer trace in this VLAN to verify that the ARP request comes in [to force a request, clear the ARP entry on the firewall].

If you don't want to disrupt traffic, attach a PC in VLAN 1 and try to access the VIP.

Take a sniffer trace on the same PC.

Gilles.
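The subnet question raised earlier in the thread can be checked directly against the posted configuration. The following is an added example, not part of the original posts: it parses the circuit and VIP lines and reports whether a neighbor would treat each VIP as on-link and therefore ARP for it. The function names are hypothetical, and it assumes the neighbor (here the firewall at 200.152.40.1) uses the same netmask as the CSS circuit.

```python
import ipaddress
import re

# Constructed sample: circuit and VIP lines taken from the config posted in this thread.
SAMPLE_CONFIG = """\
circuit VLAN1
  ip address 200.152.40.231 255.255.255.0
circuit VLAN3
  ip address 10.121.2.231 255.255.255.0
circuit VLAN4
  ip address 10.121.0.231 255.255.254.0
service XPTO
  ip address 10.121.0.29
owner SMTP
  content SMTP
    vip address 200.152.40.29
"""

def parse_css_config(text):
    """Return ({circuit name: IPv4Interface}, [VIP addresses]) from CSS config text."""
    circuits, vips, current = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"circuit (\S+)", line):
            current = m[1]
        elif re.fullmatch(r"(owner|service|group) \S+", line):
            current = None  # left the circuit section
        elif (m := re.fullmatch(r"ip address (\S+) (\S+)", line)) and current:
            circuits[current] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}")
        elif m := re.fullmatch(r"vip address (\S+)", line):
            vips.append(ipaddress.IPv4Address(m[1]))
    return circuits, vips

def on_link_circuit(addr, circuits):
    """Name of the circuit whose subnet contains addr, or None if it is off-link."""
    addr = ipaddress.IPv4Address(addr)
    return next((n for n, i in circuits.items() if addr in i.network), None)

def arp_expectations(text, neighbor):
    """Map each VIP to (its circuit, True if neighbor shares that subnet and so ARPs for it)."""
    circuits, vips = parse_css_config(text)
    near = on_link_circuit(neighbor, circuits)  # assumption: neighbor uses the circuit's mask
    out = {}
    for v in vips:
        c = on_link_circuit(v, circuits)
        out[str(v)] = (c, c is not None and c == near)
    return out

if __name__ == "__main__":
    print(arp_expectations(SAMPLE_CONFIG, "200.152.40.1"))  # firewall address from the thread
```

A result of `True` for a VIP means the neighbor should resolve it by ARP on that circuit; `False` means the neighbor would send the traffic to a gateway instead.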

I took a sniffer trace as you recommended and I could see that the CSS answers ARP requests for VIP addresses. Well, I will continue investigating why the static route in the firewall is necessary. If I get anything new, I will let you know.

Thank you very much for your help.
