SOLVED (was Re: Problem clarification (was: Problems with vlan + carp + alias))

Steve Bertrand steve at ibctech.ca
Thu Jun 26 03:18:55 UTC 2008


Giulio Ferro wrote:
> I finally got the problem, and it had nothing to do either with vlans or
> with carp.
>
> The firewall I was setting up was meant to replace an existing freebsd
> firewall which didn't use vlans (it had a lot of nics).
> The problem was that the network port where our ISP brings the internet
> connection still had the old aliased mac addresses in its arp cache.

Thank you Giulio (is it Gio?)... for replying to everyone with a definitive 
conclusion. That's fantastic for the followers of the thread, and for the 
archives as well.

> For some reason when I plugged in the new firewall, only the base
> non-aliased address was updated in the ISP switch arp cache (if someone
> can throw a guess at why, I'm eager to listen).

Well, you need to know what type of switch they had upstream, and why 
they weren't updating their ARP cache dynamically properly. Perhaps 
because their cache ttl was too long (due to the type of hardware, or 
administrative setting).

I almost have to assume it wasn't a Cisco... only because I would have 
expected different behavior (less administrative setting) (this is my 
personal experience...I'm not trying to favour a brand in any way).

Perhaps you could ask them to provide the command they issued to 
determine how they found the problem. Better yet, ask what type of 
device your box is connected to at their end of the VLAN.

If you can find out what device they have at their end, it may almost be 
possible to non-destructively, and non-corruptively 'force' them to 
clear arp-cache remotely, and at the same time provide advice to the 
non-unscrupulous people who may run into this in the future.

I'd be just as interested to know what they had at their end for 
hardware, as I have been waiting to hear what your resolution was 
throughout your time-consuming troubleshooting...

Steve
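The check the upstream side would have needed, added here as an example and not code from the thread: parse FreeBSD `arp -an` output and flag addresses belonging to the new firewall whose cached MAC is not the firewall's real one (the aliases Giulio describes). The sample ARP lines, the MAC address and the 192.0.2.x addresses are constructed.

```python
import re
from typing import Dict, Iterable, List, Tuple

# One FreeBSD "arp -an" line looks like (constructed sample):
# ? (192.0.2.10) at 00:11:22:33:44:55 on em0 expires in 1180 seconds [ethernet]
ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17}|\(incomplete\)) on (?P<ifname>\S+)",
    re.IGNORECASE,
)


def parse_arp_table(lines: Iterable[str]) -> Dict[str, str]:
    """Map IP -> lower-case MAC from arp -an output; incomplete entries are skipped."""
    table: Dict[str, str] = {}
    for line in lines:
        m = ARP_LINE.search(line)
        if not m or m.group("mac").startswith("("):
            continue
        table[m.group("ip")] = m.group("mac").lower()
    return table


def find_stale_entries(table: Dict[str, str], expected_mac: str,
                       firewall_ips: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (ip, cached_mac) for firewall addresses still cached with another MAC."""
    expected = expected_mac.lower()
    return [(ip, table[ip]) for ip in firewall_ips
            if ip in table and table[ip] != expected]


# Constructed sample: the base address learned the new MAC, two aliases did not.
SAMPLE_ARP = """\
? (192.0.2.10) at 00:11:22:33:44:55 on em0 expires in 1180 seconds [ethernet]
? (192.0.2.11) at aa:bb:cc:dd:ee:01 on em0 expires in 900 seconds [ethernet]
? (192.0.2.12) at aa:bb:cc:dd:ee:02 on em0 expires in 870 seconds [ethernet]
? (192.0.2.99) at (incomplete) on em0 expired [ethernet]
""".splitlines()

NEW_FIREWALL_MAC = "00:11:22:33:44:55"  # constructed, the replacement box's MAC
FIREWALL_IPS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]  # base address plus aliases

if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP)
    for ip, mac in find_stale_entries(table, NEW_FIREWALL_MAC, FIREWALL_IPS):
        print(f"stale entry: {ip} still cached at {mac}")
```

On a live box replace `SAMPLE_ARP` with the lines of `arp -an`; an alias that keeps its old MAC past the cache timeout is the symptom described in this thread.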
