Involved Products and Versions
All products and versions
Networking
As shown in Figure 1-1, a VRRP group is configured on SwitchA and SwitchB. SwitchA is the VRRP master device and SwitchB is the VRRP backup device. A heartbeat link is deployed between SwitchA and SwitchB to transparently transmit packets of the corresponding VLAN. SwitchA is connected to SwitchC, and SwitchB is connected to SwitchD. Two network ports on the server are connected to SwitchA and SwitchB, respectively.
Figure 1-1 Networking diagram for the failure to switch services to the VRRP backup device in a timely manner when the link to the VRRP master device fails
Fault Symptom
When the link between the server and SwitchA fails, services cannot be switched to the standby link in a timely manner. Services can be restored only after 20 minutes.
Cause Analysis
Normally, SwitchA is the VRRP master device and SwitchB is the VRRP backup device. The link between the server and SwitchA is the active link, and the link between the server and SwitchB is the standby link. SwitchA learns the ARP entry of the server through the interface GE1/0/1, and SwitchB learns the ARP entry of the server from SwitchA through the heartbeat interface GE1/0/2.
When the active link of the server fails, packets from the server are forwarded over the standby link through SwitchB. After the interface on SwitchA goes Down, SwitchA re-learns the ARP entry of the server. Therefore, no fault occurs when the server sends packets and the reply packets arrive at SwitchA. However, reply packets that arrive at SwitchB cannot reach the server. Querying the ARP entries on SwitchB shows that the interface in the server's ARP entry is still the heartbeat interface, that is, the entry has not been updated. As a result, reply packets arriving at SwitchB are still sent to SwitchA, and because the link between SwitchA and the server is interrupted, a network fault occurs. The network recovers 20 minutes later, after the ARP entries are updated.
To find out why the ARP entries are not updated in a timely manner, the configurations on SwitchA and SwitchB are checked. It is found that the arp anti-attack entry-check fixed-all enable and arp learning strict force-enable commands are configured on both SwitchA and SwitchB. SwitchB learned the ARP entry of the server from the heartbeat interface. After the server performs an active/standby link switchover, the ARP entry that SwitchB learns through the interface GE1/0/1 is inconsistent with the original ARP entry (the interface differs). As a result, SwitchB does not update the ARP entry.
Troubleshooting Procedure
Step 1 Run the undo arp anti-attack entry-check enable command to disable ARP entry fixing, and run the undo arp learning strict command to disable strict ARP learning.
----End
Conclusions and Suggestions
The following describes the application scenarios of ARP entry fixing and strict ARP learning.
ARP entry fixing
To defend against ARP address spoofing attacks, enable ARP entry fixing. The fixed-mac, fixed-all, and send-ack modes are applicable to different scenarios and are mutually exclusive:
• The fixed-mac mode applies to networks where user MAC addresses are unchanged but user access locations often change. When a user connects to a different interface on the device, the device updates the interface information in the user's ARP entry in a timely manner.
• The fixed-all mode applies to networks where user MAC addresses and user access locations are fixed.
• The send-ack mode applies to networks where user MAC addresses and user access locations often change.
Strict ARP learning
If many user hosts send a large number of ARP packets to a device simultaneously or attackers send bogus ARP packets to the device, the following problems occur:
• Processing ARP packets consumes many CPU resources. The device learns many invalid ARP entries, which exhaust ARP entry resources and prevent the device from learning ARP entries for ARP packets from authorized users. Consequently, communication of authorized users is interrupted.
• After receiving bogus ARP packets, the device incorrectly modifies the ARP entries. As a result, authorized users cannot communicate with each other.
To avoid the preceding problems, enable strict ARP learning on the gateway. With this function enabled, the device learns ARP entries only from ARP Reply packets that answer ARP Request packets sent by the device itself. This defends the device against most ARP attacks.
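The following added example (not from the original case or from the switch vendor) replays the cause analysis above as a small Python model of the ARP learning rules described in this section: the fixing mode decides whether an entry may be overwritten, and strict ARP learning discards ARP packets that do not answer the device's own request. The IP and MAC values and the simplified update rules are assumptions of the example; send-ack is not modelled.

```python
from dataclasses import dataclass

# Simplified model used for this example only (an assumption, not a
# description of switch internals): an ARP entry binds an IP address to a
# MAC address and the interface it was learned on.
@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str
    iface: str

def entry_allowed(old, new, mode):
    """True if 'new' may replace 'old' under the given ARP entry fixing mode."""
    if old is None or mode is None:
        return True                 # no existing entry, or fixing disabled
    if mode == "fixed-mac":
        return new.mac == old.mac   # MAC is fixed; the interface may move
    if mode == "fixed-all":
        return new == old           # MAC and interface are both fixed
    raise ValueError(f"unsupported mode: {mode}")

def learn(table, new, mode=None, strict=False, solicited=True):
    """Apply one ARP learning event to 'table'; return True if it changed.
    strict=True models strict ARP learning: only ARP Reply packets answering
    a request the device itself sent (solicited=True) may be learned."""
    if strict and not solicited:
        return False
    old = table.get(new.ip)
    if old == new or not entry_allowed(old, new, mode):
        return False
    table[new.ip] = new
    return True

def switchb_after_failover(mode, strict):
    """Replay the case on SwitchB: the server entry is first learned via the
    heartbeat interface GE1/0/2; after the server moves to its standby link,
    the same MAC shows up on GE1/0/1. Returns the interface left in the entry.
    The IP address and MAC address are constructed sample values."""
    table = {}
    ip, mac = "10.1.1.10", "0011-2233-4455"
    learn(table, ArpEntry(ip, mac, "GE1/0/2"), mode, strict)
    # 1) The server announces itself on GE1/0/1 (unsolicited ARP packet).
    learn(table, ArpEntry(ip, mac, "GE1/0/1"), mode, strict, solicited=False)
    # 2) SwitchB later sends its own ARP Request and gets the reply on GE1/0/1.
    learn(table, ArpEntry(ip, mac, "GE1/0/1"), mode, strict, solicited=True)
    return table[ip].iface
```

With fixed-all and strict learning both enabled the entry stays on GE1/0/2, which is the stuck state seen in the case; with fixing disabled, or with fixed-mac (the mode this section names for unchanged MAC addresses and changing access locations), the entry moves to GE1/0/1.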