One IP and two different MAC issue on the LAN

ALIAOF_
Level 6

Here is the scenario with one of our customers.

1- We have our router, a Cisco 861, at a customer's site connected to their core switch.

2- That router has a VPN connection back to our data center.

3- The customer wants to connect another Cisco 861 to their network with the exact same config on it and leave the port on the switch shut.

4- If the VPN goes down from the first router, or if there is a problem of any sort with it, they want to be able to simply turn the port back on for the second router and re-establish the VPN tunnel.

5- Now here is what I have tried to explain: because both routers will have the same IP but two different MACs, and they are both connected to two different ports, that will cause a problem on the network, because the last-hop router will try to send traffic back to the port where the first router is connected until the ARP cache gets cleared and their core rebuilds the cache with the new MAC on the new port.

6- The customer's network engineers don't believe that is true. Now, if I am wrong, please tell me that I am wrong, but if I am right, are there any links or articles that someone can point me to so that I can prove to them that this is the case?

8 Replies

eduardopozo56
Level 1

Even if you show them an article they might not trust you. You should make a demo and WIN

So basically I am right then?

The ARP table and the MAC address table have nothing to do with each other. Moreover, there are aging times for ARP and MAC addresses, so even if you are right, the aging times will expire and new bindings will be created.

However, the best option here is to make a demo

1- I didn't say anything about them having to do anything with each other. I am simply explaining how Layer 2 works and how what the customer is trying to do can cause the second router to not work until the ARP times out and the new MAC address table gets updated.

2- I know that the ARP cache times out; the customer has a Cisco ASA firewall and the ARP timeout on that firewall by default is 14400 = 4 hours.

3- They have HP switches and I'm assuming the ARP timeout is also around the same.

Hi,

IMHO, you need to consider two timers:

a) ARP cache timer - 4 hours by default

b) switch forwarding table timer - 5 minutes by default on Cisco switches.

So in your case:

a) If you are using the same IP address on two VPN devices (different MAC addresses), the router which is forwarding the VPN packets has an ARP cache for that IP address. If you replace the HW for the VPN tunnel, it could take 4 hours in theory until the forwarding router ARP cache entry expires.

So you could try to decrease the timer by using the arp timer interface command

(see http://www.cisco.com/en/US/customer/docs/ios/ipaddr/command/reference/iad_arp.html#wp1011700 )

Or you could try to use the same MAC address on the VPN devices possibly?

Isn't it possible to use a virtual HSRP IP address for the tunnel destination, e.g.?

In that case a virtual MAC (the same on both VPN routers) would be used!

b) It takes 5 minutes at most for the Cisco LAN switches to notice the MAC address has moved from one port to another in any case. In case a port goes down, the MAC address is removed from the forwarding table immediately. So if you used the same MAC address (as described above), it should work pretty fast, I hope.

HTH,

Milan
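To make the two timers Milan describes concrete, here is an added toy model written for this thread (constructed Python, not Cisco code and not anything posted by the participants). It simulates a LAN switch with a MAC address table (300 s aging, flushed immediately on link down) and an upstream device such as the ASA with an ARP cache (14400 s), two VPN routers sharing one IP, and a failover at t=0. The IP and burned-in MACs are constructed values; the virtual MAC follows the HSRPv1 format. It assumes the upstream device only refreshes its ARP entry when the entry expires (it does not learn from unsolicited ARP) and that the standby router only transmits when it answers an ARP request, so the numbers show the worst case for each timer.

```python
"""Toy model of ARP-cache vs. MAC-table aging during a same-IP router swap.

Constructed example for illustration; not Cisco code. Assumptions:
- the upstream L3 device refreshes ARP only when its entry expires;
- the new router transmits only when it answers an ARP request.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

VPN_IP = "192.0.2.10"          # constructed: IP shared by both VPN routers
MAC_A = "00:11:22:33:44:01"    # constructed: router A burned-in MAC
MAC_B = "00:11:22:33:44:02"    # constructed: router B burned-in MAC
VMAC = "00:00:0c:07:ac:01"     # HSRPv1 virtual MAC for group 1 (shared by A and B)
PORT_A, PORT_B = 1, 2          # switch ports the two routers hang off


@dataclass
class Switch:
    """Layer 2 forwarding table: dst MAC -> (port, last time seen as a source)."""
    aging: int = 300                                     # Cisco default, seconds
    table: Dict[str, Tuple[int, int]] = field(default_factory=dict)

    def learn(self, mac: str, port: int, now: int) -> None:
        self.table[mac] = (port, now)

    def link_down(self, port: int) -> None:
        # Entries learned on a port that goes down are removed at once.
        self.table = {m: e for m, e in self.table.items() if e[0] != port}

    def egress_ports(self, dst_mac: str, now: int) -> Set[int]:
        entry = self.table.get(dst_mac)
        if entry is None or now - entry[1] > self.aging:
            return {PORT_A, PORT_B}                      # unknown unicast: flood
        return {entry[0]}


@dataclass
class Upstream:
    """The last-hop router/firewall: IP -> (MAC, time learned)."""
    arp_timeout: int = 14400                             # ASA/IOS default, seconds
    cache: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def resolve(self, ip: str, now: int, ask: Callable[[str], str]) -> str:
        entry = self.cache.get(ip)
        if entry and now - entry[1] < self.arp_timeout:
            return entry[0]                              # still cached
        mac = ask(ip)                                    # broadcast ARP; live router answers
        self.cache[ip] = (mac, now)
        return mac


def time_to_recover(shared_mac: bool, link_down: bool, arp_timeout: int = 14400,
                    mac_aging: int = 300, horizon: int = 20000) -> Optional[int]:
    """Seconds after failover until a packet from upstream reaches router B."""
    sw = Switch(aging=mac_aging)
    up = Upstream(arp_timeout=arp_timeout)
    mac_a = VMAC if shared_mac else MAC_A
    mac_b = VMAC if shared_mac else MAC_B
    live = {"port": PORT_A, "mac": mac_a}                # which router owns VPN_IP now

    def answer_arp(ip: str, now: int) -> str:
        # The live router replies; the switch learns its source MAC on its port.
        sw.learn(live["mac"], live["port"], now)
        return live["mac"]

    # Steady state before the failure: A has been forwarding for a while.
    sw.learn(mac_a, PORT_A, 0)
    up.resolve(VPN_IP, 0, lambda ip: answer_arp(ip, 0))

    # t=0: A fails and B takes the IP on its own port. Optionally A's link drops.
    live.update(port=PORT_B, mac=mac_b)
    if link_down:
        sw.link_down(PORT_A)

    for t in range(1, horizon):
        dst = up.resolve(VPN_IP, t, lambda ip: answer_arp(ip, t))
        # The frame reaches B only if B's port receives it AND B owns that MAC.
        if PORT_B in sw.egress_ports(dst, t) and dst == mac_b:
            return t
    return None


if __name__ == "__main__":
    for shared in (False, True):
        for down in (True, False):
            secs = time_to_recover(shared, down)
            print(f"shared MAC={shared!s:5} port flushed={down!s:5} -> {secs} s")
    print("different MACs, arp timeout 60 s ->", time_to_recover(False, True, arp_timeout=60), "s")
```

With different MACs the outage lasts the full ARP timeout (14400 s) whether or not the old port is shut, because frames keep being built for MAC A and router B discards them even when the switch floods. With a shared virtual MAC the outage is one poll when the old port goes down, and one MAC aging period (300 s) if the old port stays up. Lowering the upstream ARP timeout, as Milan suggests, shortens the first case to that timeout.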

Alen Danielyan
Level 1

I am sorry, but what you said means that if we change the NIC on the PC connected to that switch, it will not be able to work for a long time!?

Why do you ignore the fact that the switch will just rapidly learn the new MAC, and that's all?

P.S. BTW, your clients can store the reserve router in the closet, or just unplugged from the switch, and connect it instead of the failed one to the same port. In that case they will not need to spend an additional 2 minutes to turn on another port.

I understand your example about the PC; however, in this case we are using a Cisco router that is initiating a VPN connection outbound. The customer wants to be able to do this remotely, like after hours; that is why they want both of the routers connected.

http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_1-2/switch_evolution.html

Just to update everyone on this. I was able to get this working with some fine tuning and adding HSRP into the mix; forgot to mention, with the latest IOS.