The un/helpful ARP response

“Right Machine, Wrong Network Mr. Bond”

As this would equally well be titled. This is a post about the wonderful discovery I made today regarding Linux, ARP, and Linux trying to be helpful, but in reality confusing the hell out of me.

The situation is that I have many machines sharing three networks over three VLANs. Here is a sketch to illustrate the issue.

[Sketch: image not included in this extract]

Machine A pings machine B over the 10 range or the 172 range.

Can I ping them – sure, yes.

Can I connect to services – curiously – no. What the hell?

Logically (for me, and assuming the subnetting was correct) this would suggest that the ping for each range went out through the correct interface and came back via the same network. However, that makes no sense if the services on those same addresses are unreachable!

So, after a little thought and a check of the MAC addresses seen on the switch ports against the VLAN allocated to each port, it turns out I had wired them the wrong way round.

Which raises the question: how on earth is it returning a ping?!

Well, it turns out that Linux is trying to be useful. By default Linux treats an IP address as belonging to the host rather than to one particular interface. With the default arp_ignore=0, any interface will answer an ARP request for any address configured anywhere on the box, and a packet addressed to a local IP is accepted on whichever interface it happens to arrive on. The echo reply then leaves through whatever interface the routing table picks, which in my case was a different cable from the one the request came in on. So the ping "works" even though the address is physically on the wrong network.

A more technical (a lot more technical) explanation can be found here:

http://kb.linuxvirtualserver.org/wiki/Using_arp_announce/arp_ignore_to_disable_ARP

So, cursing aside: trust ICMP less. Sure, you can turn the behaviour off (the arp_ignore and arp_announce sysctls described on that page), but that is not really the point. It is something that will mess you up if you are not aware of it.
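As an added example (not code from the original post), here is a small Python check for the behaviour described above. It takes the output of "ip -o link show" and "ip -o -4 addr show" from the remote machine and "ip -4 neigh show" from the local machine, and flags every remote address that was resolved to the MAC of a different interface than the one the address is configured on, which is exactly what a miswired cable plus the default arp_ignore=0 produces. The command output, interface names, MACs and addresses below are constructed samples, not captures from my machines. It also emits the arp_ignore=1 / arp_announce=2 sysctl lines that the linked page describes for making each interface answer only for its own addresses.

```python
"""Cross-check which MAC answered ARP for each address of a remote Linux host.

Inputs are the text of three commands (constructed samples below):
  on remote host B:  ip -o link show     -> interface -> MAC
                     ip -o -4 addr show  -> address -> interface
  on local host A:   ip -4 neigh show    -> address -> MAC that answered ARP
With the Linux default arp_ignore=0, B answers ARP for any of its addresses on
any interface, so a miswired cable shows up as B's address being resolved to
the MAC of the *other* interface on B.
"""
import re

# Constructed sample: B has 10.0.0.20 on eth0 and 172.16.0.20 on eth1.
B_LINK = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:aa:bb:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 52:54:00:aa:bb:02 brd ff:ff:ff:ff:ff:ff
"""
B_ADDR = """\
2: eth0    inet 10.0.0.20/24 brd 10.0.0.255 scope global eth0\\       valid_lft forever preferred_lft forever
3: eth1    inet 172.16.0.20/24 brd 172.16.0.255 scope global eth1\\       valid_lft forever preferred_lft forever
"""
# Constructed sample: A's neighbour table after pinging B on both ranges.
# Both of B's addresses were answered by the *wrong* interface's MAC.
A_NEIGH = """\
10.0.0.20 dev eth0 lladdr 52:54:00:aa:bb:02 REACHABLE
172.16.0.20 dev eth1 lladdr 52:54:00:aa:bb:01 STALE
10.0.0.99 dev eth0  FAILED
"""

LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)[@:].*?link/ether\s+([0-9a-fA-F:]{17})", re.M)
ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\d+\.\d+\.\d+\.\d+)/\d+", re.M)
NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+(\S+)\s+lladdr\s+([0-9a-fA-F:]{17})", re.M)


def parse_links(text):
    """'ip -o link show' -> {iface: mac}."""
    return {m.group(1): m.group(2).lower() for m in LINK_RE.finditer(text)}


def parse_addrs(text):
    """'ip -o -4 addr show' -> {ip: iface the address is configured on}."""
    return {m.group(2): m.group(1) for m in ADDR_RE.finditer(text)}


def parse_neigh(text):
    """'ip -4 neigh show' -> {ip: (local dev, mac that answered)}; entries
    without an lladdr (e.g. FAILED) are skipped."""
    return {m.group(1): (m.group(2), m.group(3).lower()) for m in NEIGH_RE.finditer(text)}


def find_arp_flux(neigh, addrs, links):
    """One record per remote address that the local host resolved to a MAC
    belonging to a different remote interface than the address lives on."""
    mac_to_iface = {mac: iface for iface, mac in links.items()}
    problems = []
    for ip, iface in addrs.items():
        if ip not in neigh:
            continue  # never ARPed for it, nothing to check
        local_dev, answered_mac = neigh[ip]
        expected_mac = links.get(iface)
        if answered_mac != expected_mac:
            problems.append({
                "ip": ip,
                "configured_on": iface,
                "expected_mac": expected_mac,
                "answered_mac": answered_mac,
                "answered_by": mac_to_iface.get(answered_mac, "unknown"),
                "seen_on_local_dev": local_dev,
            })
    return problems


def strict_arp_sysctls(ifaces):
    """sysctl lines making each interface answer ARP only for addresses it
    carries (arp_ignore=1) and source ARP from its own address (arp_announce=2)."""
    lines = []
    for iface in ifaces:
        lines.append(f"net.ipv4.conf.{iface}.arp_ignore = 1")
        lines.append(f"net.ipv4.conf.{iface}.arp_announce = 2")
    return lines


if __name__ == "__main__":
    links = parse_links(B_LINK)
    for p in find_arp_flux(parse_neigh(A_NEIGH), parse_addrs(B_ADDR), links):
        print(f"{p['ip']} lives on {p['configured_on']} ({p['expected_mac']}) "
              f"but ARP was answered by {p['answered_by']} ({p['answered_mac']}), "
              f"learned on local {p['seen_on_local_dev']}")
    print("\n".join(strict_arp_sysctls(links)))
```

Run it on real output by replacing the three constants with the captured text. An empty result from find_arp_flux means every address was answered by the interface it is configured on; the ping-works-but-services-don't symptom in this post corresponds to one record per swapped cable. The sysctl lines only stop the misleading ARP replies, they do not fix the wiring.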

Moral of the story: the MAC address table on the switch ports is the way forward (show mac address-table on Cisco IOS, or your switch's equivalent), together with the VLAN each port is in. Check this. Double check this. Ignore what ICMP appears to be telling you.
