[lug] Linux boxes drop off the net? Router problem?

Sebastian Sobolewski spsobole at mindless.com
Tue Feb 6 13:00:53 MST 2001


An Explanation of ARP:

When a host needs to send a datagram to another host on the same network, 
the sending application must know both the IP and MAC addresses of the 
intended receiver; this is because the destination IP address is placed in 
the IP packet and the destination MAC address is placed in the LAN MAC 
protocol frame. (If the destination host is on another network, the sender 
will look instead for the MAC address of the default gateway, or router.)
Unfortunately, the sender's IP process may not know the MAC address of the 
intended receiver on the same network. The Address Resolution Protocol 
(ARP), described in RFC 826, provides a mechanism so that a host can learn 
a receiver's MAC address when knowing only the IP address. The process is 
actually relatively simple: the host sends an ARP Request packet in a frame 
containing the MAC broadcast address; the ARP request advertises the 
destination IP address and asks for the associated MAC address. The station 
on the LAN that recognizes its own IP address will send an ARP Response 
with its own MAC address. As Figure 1 shows, ARP messages are carried 
directly in the LAN frame and ARP is an independent protocol from IP. The 
IANA maintains a list of all ARP parameters.

(Stolen from: http://www.hill.com/library/publications/tcpip.shtml )

--------------------
         ARP is handled by the Linux TCP/IP stack, but it could still be 
possible that one of your security packages is blocking ARP packets. To 
make ARP queries you can use the built-in Linux/Unix "arp -a" 
executable.  This will list all ip<->mac addresses discovered on the 
network by the kernel. If it's not your security software then it must be 
either the switch or the Cisco router not causing the drops.
   My guess would be that one or both of the boxes are relying on ARP for 
intelligent packet routing.  Is there any way that you can isolate a ping so 
that it does NOT hit the router?  This could let you figure out if it's the 
router or the switch.
         I also believe that both the switch and the Cisco router have the 
ability to log into and display current ARP tables. (either through the 
network or the serial manage port on the back of the devices)  You could 
have your network admin check that to see what the switch and router think 
they see on the network.

Unfortunately this is where my knowledge of routing ends.

Either way I hope this helps a bit more.
-Sebastian



> >> You mentioned that you had several security packages installed on all of
>the linux machines. Perhaps one of them is filtering ARP messages? <<
>
>Hmmm...
>
>ARP is handled by the kernel, isn't it?
>
>I'm asking to make sure I didn't turn off a daemon or something that handles
>it. I have ArpWatch turned off, for example, but I'm pretty sure that's
>okay.
>
>Is there some sort of ARP client that I could use from a Linux or Solaris
>box to query another and see if/how it responds?
>
>Okay, here's some more [potentially very relevant] info: when I verified
>with our SysAdmin that our hubs were unmanaged hubs (and explained why I was
>asking) he "happened to mention" that he turned off a bunch of features on
>the router some time ago (probably at least a year ago) -- he described the
>features to me as "RIP this and ARP that" -- he said he had to turn them off
>to resolve some other sort of misrouting issue with our ISP.
>
>Is it possible that he turned off one feature too many, and now the router
>*isn't* using ARP to check for connected machines? Windows machines are
>obviously noisy enough on the network to keep the router informed of where
>they are without ARP. Linux boxes are quiet enough when they're not doing
>something that they could be missed, I suppose.
>
>Our SysAdmin is pretty good in many respects, but I think he'd be the first
>to say that he falls short of the "guru level" in some areas -- Linux is
>definitely one of them, and I don't think he knows everything there is to
>know about router configuration either.
>
>-- Gary

Sebastian Sobolewski 
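
Added example, not part of the original message: the RFC 826 request/response exchange described in the ARP explanation above, built and parsed as raw Ethernet frames so the broadcast request, the unicast reply, and the absence of any IP header are visible. The IP and MAC addresses are constructed sample values, and the function names are hypothetical.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806        # ARP rides directly in the LAN frame, not inside IP
BROADCAST = b"\xff" * 6
ARP_FMT = "!HHBBH6s4s6s4s"    # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_frame(dst_mac, oper, sha, spa, tha, tpa):
    """14-byte Ethernet header followed by the 28-byte ARP body."""
    eth = struct.pack("!6s6sH", dst_mac, sha, ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, sha,
                      socket.inet_aton(spa), tha, socket.inet_aton(tpa))
    return eth + arp

def parse_frame(frame):
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"eth_dst": dst.hex(":"),
            "op": {1: "request", 2: "reply"}.get(oper, oper),
            "sender_mac": sha.hex(":"), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": tha.hex(":"), "target_ip": socket.inet_ntoa(tpa)}

def answer(request_frame, my_ip, my_mac):
    """The station that owns my_ip replies unicast; every other station stays silent."""
    req = parse_frame(request_frame)
    if req["op"] != "request" or req["target_ip"] != my_ip:
        return None
    asker = mac(req["sender_mac"])
    return build_frame(asker, 2, my_mac, my_ip, asker, req["sender_ip"])

def demo():
    # Constructed hosts: A (192.0.2.10) asks who has 192.0.2.20, which is B.
    a_mac, b_mac = mac("02:00:00:00:00:0a"), mac("02:00:00:00:00:0b")
    request = build_frame(BROADCAST, 1, a_mac, "192.0.2.10", b"\x00" * 6, "192.0.2.20")
    reply = answer(request, "192.0.2.20", b_mac)
    ignored = answer(request, "192.0.2.30", mac("02:00:00:00:00:0c"))
    return request, parse_frame(request), parse_frame(reply), ignored

if __name__ == "__main__":
    for item in demo()[1:]:
        print(item)
```
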



