[Linux-HA] Cisco Switch question
Alan Robertson
alanr at unix.sh
Thu Jun 3 09:31:55 MDT 2004
Brian Tinsley wrote:
> On Thu, 2004-06-03 at 09:13, Alan Robertson wrote:
>
>>Brian Tinsley wrote:
>>
>>>On Wed, 2004-06-02 at 17:00, Alan Robertson wrote:
>>>
>>>
>>>>Boulytchev, Vasiliy wrote:
>>>>
>>>>> Ladies and Gents,
>>>>> Imagine the following setup: 2 servers running ha+mon. If I plugged
>>>>>the two servers in separate switches for redundancy, (cisco fabric with
>>>>>OSPF), when the ip is taken over, would that make an impact on anything? If
>>>>>mon was to see switch1 go down, the secondary node came up, taking over the
>>>>>ip, would the cisco switches have an arp issue? Cisco arp timeout is
>>>>>ridiculous by default.
>>>>
>>>>
>>>>First, I think you mean routers rather than switches...
>>>>
>>>>
>>>>
>>>>When IP address takeover occurs, we send out several gratuitous ARPs. If
>>>>the routers are RFC-compliant, then all should be well...
>>>>
>>>>
>>>
>>>We have had some issues with Cisco switches not accepting the gratuitous
>>>ARPs from heartbeat. I'm not sure about why this happens, but in
>>>general, we ask customers to lower the ARP timeout down to the 30 to 60
>>>second range.
>>
>>When this happens, you can also do an rsh (or ssh) into the router to clear
>>the ARP cache. This can either be added as a resource, or simply be put in
>>a script in /etc/ha.d/rc.d/local_takeip [I think that's the right directory].
>
>
> Can I recruit you to ask hospital IT folks for the password to their
> switches? ;)
I'm not a great social engineer, I'm afraid... Comes from telling the
truth too often, I guess... ;-)
It is my understanding that this sometimes can be fixed by changing a
'security' setting on the switches. Sometimes switch vendors think that by
locking down IP addresses to particular MAC addresses, they are getting
some kind of security. Of course, since MAC addresses are also easily
forged, and the timeouts aren't *that* long, this doesn't improve security
measurably.
--
Alan Robertson <alanr at unix.sh>
"Openness is the foundation and preservative of friendship... Let me claim
from you at all times your undisguised opinions." - William Wilberforce
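
Added example, not part of the original message and not heartbeat's code: a passive monitor's view of the IP takeover discussed in this thread, parsing ARP payloads and reporting when an IP address moves to a different MAC. The function names, MAC addresses and 192.0.2.x addresses are constructed for illustration.

```python
import socket
import struct

# Ethernet/IPv4 ARP payload (RFC 826), 28 bytes:
# htype, ptype, hlen, plen, oper, sender MAC, sender IP, target MAC, target IP
ARP_FMT = "!HHBBH6s4s6s4s"

def build_arp(oper, sha, spa, tha, tpa):
    """Pack a constructed ARP payload for the sample data below."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       bytes.fromhex(sha), socket.inet_aton(spa),
                       bytes.fromhex(tha), socket.inet_aton(tpa))

def parse_arp(payload):
    """Return the fields of an Ethernet/IPv4 ARP payload, or None if it is not one."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper,
            "sender_mac": ":".join(f"{b:02x}" for b in sha),
            "sender_ip": socket.inet_ntoa(spa),
            "target_ip": socket.inet_ntoa(tpa),
            # Gratuitous ARP: the sender announces its own address.
            "gratuitous": spa == tpa}

def binding_changes(payloads):
    """Replay ARP payloads and report each time an IP moves to a different MAC."""
    table, events = {}, []
    for payload in payloads:
        arp = parse_arp(payload)
        if arp is None:
            continue
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if ip in table and table[ip] != mac:
            events.append((ip, table[ip], mac, arp["gratuitous"]))
        table[ip] = mac
    return events

# Constructed sample: node A owns the service IP, then node B takes it over
# and announces it twice with gratuitous ARP requests.
SAMPLE = [
    build_arp(2, "020000000001", "192.0.2.10", "020000000099", "192.0.2.1"),
    build_arp(1, "020000000002", "192.0.2.10", "000000000000", "192.0.2.10"),
    build_arp(1, "020000000002", "192.0.2.10", "000000000000", "192.0.2.10"),
    b"\x00" * 10,  # truncated payload, ignored
]

if __name__ == "__main__":
    for event in binding_changes(SAMPLE):
        print(event)
```

The single reported event is the takeover itself. A device that pins an IP address to one MAC sees the same frame as a violation, which is the conflict between failover and that setting described in the message.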