Hi all,

I am using UCARP on two FreeBS highly available apache virtual hosts. work very well except that occasionally one webserv inaccessible from outside its subnet. I have narrowed an arp issue. When a UCARP IP becomes unavailable. start a constant ping to it from my machine which lives on a different subnet, all requests time out. I log into the cisco router th view th listed for that clear the arp cache table update correctly aft the webserver is again accessible

So, I have come up with a few include:

1. Set the arp cache timeout of the cisco router very low so that outages are minimal. I would rather not do this as it will probably stress the router too much. Unfortunately I know little about cisco devices so I really can't figure this one out, does anyone think that this is a bad thing? Can you tell a cisco device not to cache arp entries on just the internal interface? The subnet currently consists of about 25 hosts so this may not be so bad after all?

2. Run an ANT task to clear the cache on the cisco device, this task can become part of the UCARP scripts. This may be a good solution but security is a concern.

3. Find a way to make the FreeBSD nodes produce more than usual gratuitous arp packets or add a line to do only that in the UCARP scripts. may be able sometimes d Could it be a p properly?

Any input at all is greatly appreciated.

Thanks,
Colin
On Monday 19 September 2005 19:31, Colin Farley wrote:
> 1. Set the arp cache timeout of the cisco router very low so
> that outages are minimal. I would rather not do this as it will
> probably stress the router too much. Unfortunately I know little
> about cisco devices so I really can't figure this one out, does anyone
> think that this is a bad thing? Can you tell a cisco device not to
> cache arp entries on just the internal interface? The subnet
> currently consists of about 25 hosts so this may not be so bad after
> all?

Depending on your Cisco router model you will not have any issues whatsoever lowering the timeout to really low, in the region of a few seconds. Even an old 25xx device would be able to handle that without problems.

> 2. Run an ANT task to clear the cache on the cisco device, this
> task can become part of the UCARP scripts. This may be a good
> solution but security is a concern.

This would be very very bad, cause no matter how you do it the security concern would be severe.

--
Matt Douhan
www.fruitsalad.org
(remember, amateurs built the Ark, professionals built the Titanic)
Hi Matt,

Thanks for your reply. The model of the Cisco router is 2811. Do you think that lowering the timeout to 5 seconds would be ok? I have seen that Cisco does not recommend a timeout below 30 seconds but after reading your reply and seeing as there are only a couple dozen hosts on this subnet I would think that this would be fine. Please confirm. Thanks again.

Colin
On Sep 19, 2005, at 3:08 PM, Colin Farley wrote:
> Thanks for your reply. The model of the Cisco router is 2811. Do
> you think that lowering the timeout to 5 seconds would be ok? I have
> seen that Cisco does not recommend a timeout below 30 seconds but
> after reading your reply and seeing as there are only a couple dozen
> hosts on this subnet I would think that this would be fine. Please
> confirm. Thanks again.

Remember that the router is going to have to re-ARP for these hosts whenever something external sends traffic to them, unless the router already has another active connection going. The thing is, ARPOP_REQUESTS use a broadcast MAC address which gets sent to all of the machines on the network, which adds processing overhead not just on the router itself but also on all of these machines.

Fortunately, you can see what this overhead is quite easily in order to tune things: Run "tcpdump -nt arp" and see how often your Cisco is making requests with a 5-second ARP cache timeout. So long as your network is only getting, say, a single-digit number of ARP requests per second, this amount of overhead is not going to matter significantly. Adjust as needed.

--
-Chuck
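Added example, not part of the message above or of the original thread: one way to turn that tcpdump check into numbers, counting ARP requests per second for each requester and for the segment as a whole. It assumes the capture was taken with `tcpdump -n -tt arp` (epoch timestamps, since `-t` prints none); the sample lines, the 192.0.2.x addresses and the limit of 10 per second are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Matches ARP requests in both the older ("arp who-has A tell B") and newer
# ("ARP, Request who-has A tell B, length 46") tcpdump text formats.
ARP_REQ = re.compile(
    r"^(\d+)(?:\.\d+)?\s+.*?\bwho-has\s+(\S+).*?\btell\s+([0-9.]+)")

def arp_request_rates(lines):
    """Return {requester: {total, peak_per_s, mean_per_s}}; "*" is the whole segment."""
    per_second = defaultdict(Counter)   # requester -> {epoch second: count}
    for line in lines:
        m = ARP_REQ.match(line)
        if not m:
            continue                    # ARP replies and unrelated lines
        sec, requester = int(m.group(1)), m.group(3)
        per_second[requester][sec] += 1
        per_second["*"][sec] += 1
    if not per_second:
        return {}
    seconds = per_second["*"]
    window = max(seconds) - min(seconds) + 1   # capture length in seconds
    return {who: {"total": sum(c.values()),
                  "peak_per_s": max(c.values()),
                  "mean_per_s": round(sum(c.values()) / window, 2)}
            for who, c in per_second.items()}

def noisy(rates, limit=10):
    """Sources whose peak reaches `limit` requests in one second (assumed threshold)."""
    return sorted(w for w, r in rates.items() if r["peak_per_s"] >= limit)

# Constructed sample capture; 192.0.2.1 stands in for the router.
SAMPLE = """\
1127158260.101 arp who-has 192.0.2.10 tell 192.0.2.1
1127158260.450 arp who-has 192.0.2.11 tell 192.0.2.1
1127158260.900 arp reply 192.0.2.10 is-at 00:00:5e:00:01:01
1127158261.200 ARP, Request who-has 192.0.2.12 tell 192.0.2.1, length 46
1127158262.010 arp who-has 192.0.2.1 tell 192.0.2.10
1127158264.300 ARP, Request who-has 192.0.2.10 tell 192.0.2.1, length 46
""".splitlines()

if __name__ == "__main__":
    rates = arp_request_rates(SAMPLE)
    for who, r in sorted(rates.items()):
        print(who, r)
    print("over limit:", noisy(rates))
```

Comparing the router's row before and after lowering the ARP cache timeout shows how much extra broadcast traffic the shorter timeout costs.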
Colin Farley wrote:
> Hi Matt,
>
> Thanks for your reply. The model of the Cisco router is 2811. Do
> you think that lowering the timeout to 5 seconds would be ok? I have
> seen that Cisco does not recommend a timeout below 30 seconds but
> after reading your reply and seeing as there are only a couple dozen
> hosts on this subnet I would think that this would be fine. Please
> confirm. Thanks again.

It should be fine, but some experimentation will be in order, as the amount of traffic each node generates could be a factor as well. Set it to what you want, then keep an eye on CPU utilization on the router. The command you want is:

show proc cpu

-jav