On Fri, 30 Apr 1999, Bruce Stephens wrote:

> Hi Novi...


> >I think you're partially right, but I don't understand how the following
> >is going to work:
> >
> > packet A (from 1.2.3.4 to 194.231.254.115/28) is arriving at the cisco ..
> >the inner interface of the cisco has been bound to the network
> >194.231.254.112/28, so the cisco decides that .115 must be on a physical
> >connected subnet .. hence it sends an arp request onto the network asking
> >for the mac-address belonging to this ip... DH has disabled proxy arp, so
> 
> <snip here>
> If the device is on the same subnet, then the cisco MUST have its MAC address
> by default.

that's the problem .. the ssl server is physically on another subnet ..
it's NOT seen by the cisco .. its mac address can NOT be added to cisco's
arp cache.. the arp request is sent as an ethernet broadcast to any host
on the physical subnet BETWEEN cisco and DH .. the ssl-server is exterior
to this subnet.. it never receives any arp request so it can never
reply to them.. DH must be explicitly configured to act as an arp agent
for the ssl-server.. 


      broadcast domain
      
     ,-------^------,

                  eth1   eth0              eth1        C = cisco
  ___                ____                   _____     DH = dual homed host
 |   | .254.112/28  |    |  .19.18.0/24    |     |   SSL = ssl server
 | C |--------------| DH |-----------------| SSL |
 |___|              |____|                 |_____|
      ^            ^      ^               ^
      |            |      |               |
 .254.114      .254.119   |           .254.115
                          |
                     172.19.18.1      

SSL-routing could contain something like this:

  172.19.18.1   0.0.0.0       255.255.255.255   H   eth1
  0.0.0.0       172.19.18.1   0.0.0.0           G   eth1


 DH-routing:

  194.231.254.115   0.0.0.0    255.255.255.255   H   eth0
  0.0.0.0           194.231.254.114   0.0.0.0    G   eth1

moreover DH should contain following arp entry:

194.231.254.115  ether  xx:xx:xx:xx:xx:xx  CMP  *  eth1


> It doesn't matter if the DH disables proxy arps or not - I don't think that
> you even need to consider proxy arps.
> If the cisco can see the MAC address of the DH input ethernet card, 
> it will display the MAC address in its host listing. If you can ping 
> the cisco then
> the link at the MAC level is there.

indeed..  

> If there isn't a response then
> 1. The ethernet card is not enabled/misconfigured etc...
> 2. You haven't added the routes (netstat -r -n)
> 
> 
> 
> >there's no response to the arp request so the cisco is generating ICMP
> >Host unreachable.. hmmm ...
> >
> >you think I should enable proxy arp on DH or create a special host route
> >to .115 on the cisco?.. am I missing something?
> 
> Forget proxy arp!
> Routing yes...
> Add route for the entire 194.231.254.115/28 subnet

oh sorry .. I think I see the source of our misunderstanding..
there is no 194.231.254.115/28 subnet .. it's simply a host within
194.231.254.112/28 .. must be a typo I made above .. 8-#


regards 
 
 Michael Mirold
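
Added example (not part of the mail thread): a small Python model of the setup above, to show why the cisco's ARP for .115 goes unanswered unless DH publishes that address on eth1, and why SSL needs the host route to 172.19.18.1 before its default route can go in. The topology follows the diagram and the routing tables in the mail; the MAC addresses, the cisco's interface names (eth0/serial0), its 1.2.3.254 uplink address and the kernel-style "gateway must be reachable" check in add_route are assumptions made for the example.

```python
import ipaddress

class Host:
    def __init__(self, name, forwarding=False):
        self.name, self.forwarding = name, forwarding
        self.ifaces = {}    # ifname -> {"ip", "mac", "link"}
        self.routes = []    # (network, gateway or None, ifname); None = directly connected
        self.proxy = set()  # (ifname, ip) pairs this host answers ARP for on another's behalf

    def add_if(self, ifname, ip, mac, link):
        self.ifaces[ifname] = {"ip": ipaddress.ip_address(ip), "mac": mac, "link": link}
        if link is not None:
            link.append((self, ifname))

    def lookup(self, dst):
        """Longest prefix match: a /32 host route beats the /28, the default comes last."""
        hits = [r for r in self.routes if dst in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None

    def add_route(self, network, ifname, gateway=None):
        gw = ipaddress.ip_address(gateway) if gateway else None
        if gw is not None:
            # Like the kernel (assumed behaviour), refuse a gateway that has no gateway-less
            # route on that interface: this is why SSL needs the H route to 172.19.18.1 first.
            via = self.lookup(gw)
            if via is None or via[1] is not None or via[2] != ifname:
                raise ValueError(f"{self.name}: gateway {gw} is unreachable")
        self.routes.append((ipaddress.ip_network(network), gw, ifname))

def arp(link, asker, ip):
    """Broadcast an ARP request on one link; a host replies for its own address on
    that interface or for one it publishes (proxy). Return (host, mac) or None."""
    for host, ifname in link:
        if host is not asker and (host.ifaces[ifname]["ip"] == ip or (ifname, ip) in host.proxy):
            return host, host.ifaces[ifname]["mac"]
    return None

def deliver(host, dst, trace=None, first=True):
    """Forward a packet hop by hop; return (status, trace)."""
    dst, trace = ipaddress.ip_address(dst), [] if trace is None else trace
    if any(i["ip"] == dst for i in host.ifaces.values()):
        trace.append(f"{host.name}: delivered locally")
        return "delivered", trace
    route = host.lookup(dst)
    if route is None or (not first and not host.forwarding) or len(trace) > 8:
        trace.append(f"{host.name}: dropped {dst}")
        return "dropped", trace
    _, gw, ifname = route
    link = host.ifaces[ifname]["link"]
    if link is None:  # point-to-point uplink: nothing to ARP for
        trace.append(f"{host.name}: sent upstream via {ifname}")
        return "delivered", trace
    nexthop = dst if gw is None else gw
    reply = arp(link, host, nexthop)
    if reply is None:
        trace.append(f"{host.name}: ARP for {nexthop} on {ifname} unanswered -> ICMP host unreachable")
        return "host unreachable", trace
    nxt, mac = reply
    trace.append(f"{host.name}: {dst} via {nexthop} on {ifname} -> {nxt.name} ({mac})")
    return deliver(nxt, dst, trace, first=False)

def build(dh_proxy):
    """Topology from the diagram; MACs, the cisco's interface names and uplink are made up."""
    lan_a, lan_b = [], []  # the two broadcast domains
    c, dh, ssl = Host("cisco", True), Host("DH", True), Host("SSL")
    c.add_if("serial0", "1.2.3.254", "00:c0:00:00:00:01", None)
    c.add_if("eth0", "194.231.254.114", "00:c0:00:00:00:02", lan_a)
    c.add_route("194.231.254.112/28", "eth0")  # connected: .115 looks local to the cisco
    c.add_route("0.0.0.0/0", "serial0")
    dh.add_if("eth1", "194.231.254.119", "00:dd:00:00:00:01", lan_a)
    dh.add_if("eth0", "172.19.18.1", "00:dd:00:00:00:02", lan_b)
    dh.add_route("194.231.254.112/28", "eth1")            # connected
    dh.add_route("194.231.254.115/32", "eth0")            # the H route from the mail
    dh.add_route("0.0.0.0/0", "eth1", "194.231.254.114")  # the G route from the mail
    if dh_proxy:  # the published ('P' flag) ARP entry from the mail
        dh.proxy.add(("eth1", ipaddress.ip_address("194.231.254.115")))
    ssl.add_if("eth1", "194.231.254.115", "00:55:00:00:00:01", lan_b)
    ssl.add_route("172.19.18.1/32", "eth1")            # H route: the gateway is off-subnet
    ssl.add_route("0.0.0.0/0", "eth1", "172.19.18.1")  # G route
    return c, dh, ssl

def run(dh_proxy):
    """Return (inbound status, outbound status, combined trace)."""
    c, _, ssl = build(dh_proxy)
    inbound = deliver(c, "194.231.254.115")  # packet A from the mail arriving at the cisco
    outbound = deliver(ssl, "1.2.3.4")       # SSL's reply on its way out
    return inbound[0], outbound[0], inbound[1] + outbound[1]

def default_route_without_host_route():
    """What happens if SSL adds its default route before the H route to 172.19.18.1."""
    ssl = Host("SSL")
    ssl.add_if("eth1", "194.231.254.115", "00:55:00:00:00:01", [])
    try:
        ssl.add_route("0.0.0.0/0", "eth1", "172.19.18.1")
    except ValueError as exc:
        return str(exc)
    return "accepted"
```

run(False) comes back as ('host unreachable', 'delivered', trace): the cisco's ARP for .115 on the C-DH segment gets no reply, while SSL's outbound path via DH works regardless, because DH answers for its own 172.19.18.1 and the cisco answers for .114. run(True) comes back as ('delivered', 'delivered', trace) once DH publishes .115 on eth1; on Linux that is what `arp -i eth1 -s 194.231.254.115 <DH eth1 MAC> pub` (or `ip neigh add proxy 194.231.254.115 dev eth1` with iproute2) installs, which is the CMP entry shown in the mail. default_route_without_host_route() shows the default route being refused while the gateway is off-subnet and the host route to it does not exist yet.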

-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]