[ILUG] ARP Insanity!
Nick Murtagh
nickm at go2.ie
Thu Feb 23 10:12:29 GMT 2006
Cian Davis wrote:
> Could there be, for some reason, a machine on the switch that has been
> spoofing the phantom MAC address? I know we were left scratching our
> heads a while ago when we forgot that we had spoofed MAC addresses on a
> machine (for totally legitimate reasons *cough*).
I am 100% sure this was caused by the server itself, not by proxy ARP,
crazy switches or other machines. When this server was rebooted the
problem went away - see my post from 22nd February for more details.
I have since figured out how the problem arose initially.
There were four IP addresses set up using sub interfaces:
eth0
eth0:0
eth0:1
eth0:2
We wanted to make eth0:0 go away.
The administrator (not me ;) commented out the entry for eth0:0 in
/etc/networking/interfaces, and ran /etc/init.d/networking restart.
It turns out this is actually the wrong thing to do, as ifdown -a only
removes the interfaces listed in /etc/networking/interfaces.
So eth0:0 was still up and running.
At this point the administrator edited /etc/networking/interfaces,
putting the configuration for eth0:1 into the stanza for eth0:0, and
putting the configuration for eth0:2 into the stanza for eth0:1. I'm not
sure if eth0:2 was commented out or not.
Then the administrator ran /etc/init.d/networking restart. Everything
looked fine - we now had the right IP addresses on the right interfaces.
Except - for some reason the kernel still thought it should answer ARP
requests for an IP address no longer configured on any of its interfaces
:(
(The correct thing to do is to run ifconfig eth0:0 down and then edit
/etc/networking/interfaces to comment out the undesired sub interface.)
I'd love to try and reproduce this and submit the appropriate bug
reports but I haven't got the time right now :(
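
The state described above after the first restart (an alias commented out of the interfaces file but still up) can be checked for mechanically. This is an added example, not part of the original post; it assumes ifupdown-style "iface" stanzas and saved output of `ip -o -4 addr show`, and the function names, file names and sample data are constructed for illustration.

```shell
# Added example: list addresses that are live but whose interface label has
# no uncommented "iface" stanza. File formats and sample data are assumptions.

# Interface names that have an active (uncommented) "iface" stanza.
configured_ifaces() {
    awk '$1 == "iface" { print $2 }' "$1" | sort -u
}

# "label address" pairs from saved `ip -o -4 addr show` output.
live_addrs() {
    awk '{
        sub(/\\.*/, "")    # drop the "\ valid_lft ..." tail of one-line mode
        for (i = 1; i < NF; i++)
            if ($i == "inet") print $NF, $(i + 1)
    }' "$1" | sort -u
}

# Live pairs whose label is missing from the interfaces file.
orphaned_addrs() {
    conf=$(configured_ifaces "$1")
    live_addrs "$2" | while read -r label addr; do
        printf '%s\n' "$conf" | grep -qxF -e "$label" || echo "$label $addr"
    done
}

# Constructed sample: eth0:0 commented out in the file but still up.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/interfaces" <<'EOF'
iface lo inet loopback
iface eth0 inet static
    address 192.0.2.10
#iface eth0:0 inet static
#    address 192.0.2.11
iface eth0:1 inet static
    address 192.0.2.12
iface eth0:2 inet static
    address 192.0.2.13
EOF
    cat > "$dir/ip.txt" <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.11/24 brd 192.0.2.255 scope global secondary eth0:0\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.12/24 brd 192.0.2.255 scope global secondary eth0:1\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.13/24 brd 192.0.2.255 scope global secondary eth0:2\       valid_lft forever preferred_lft forever
EOF
    orphaned_addrs "$dir/interfaces" "$dir/ip.txt"
    rm -rf "$dir"
}
demo
```

Run before and after a networking restart, an empty result means every live address still has a stanza behind it; any line printed is an address the host holds, and will answer ARP for, that the file no longer describes.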