RE: static arps for multicast mac addresses

From: steven.j.nelson@xxxxxx
Date: Tue Nov 06 2001 - 11:41:11 GMT-3

All,

I must be going mad...

I take it that the scenario is like this

Sun Boxes------Hub------Router-----INTERNET

I can't get my head round the comment "Arp them to us..."

Surely this is the wrong way round. If the ARP tables are built in the
Checkpoint box (Multicast IP to Multicast MAC address (there are reserved
ones)) then the packets destined for the router will be complete with SA/DA
for both Layer 2 and 3, with the MAC address of the router being the DA of
layer 2 (gateway).

How can you get the sun box to arp the table to the router? Does it
generate a unicast arp response packet for each address that is statically
mapped, and if so, does the router process these without first issuing an arp
request and put them in its table?

If the ARP tables are built on the router then the sun boxes will be acting
as normal, forwarding packets (either straight or NAT, depending on the rule
base) to the router for forwarding based on its routing table and in turn
its ARP cache.

Maybe it's me, it has been a long day.....

Any comments would be good.

Steve

-----Original Message-----
From: Tracy Blackmore [mailto:TracyB@TSLAD.com]
Sent: 06 November 2001 14:00
To: 'John Elias'; ccielab@groupstudy.com
Subject: RE: static arps for multicast mac addresses

John;

As they said, this should normally work. I have built many ARP tables on a
CheckPoint box and never had a problem. As a MAC is Layer-2 only, I don't
see what the difference between a Multicast MAC and a Unicast MAC would be
on the Solaris box. I did find this documentation for you:

Firewall-1 does not treat multicast as a special case, so for
VPN-1/FireWall-1, a multicast packet is simply an IP packet with a class D
(224.0.0.0 - 239.255.255.255) destination address.

Ask them to attempt loading their ARP table with the multicast MAC and see
what happens. As well, have them call me if they need help :)

Tracy W. Blackmore
Senior Security Engineer
T.S. Lad Consulting
1026 East Stanford Avenue
Gilbert, Arizona, 85234

 -----Original Message-----
From: John Elias [mailto:jelias_@hotmail.com]
Sent: Tuesday, November 06, 2001 6:33 AM
To: ccielab@groupstudy.com
Subject: OT: static arps for multicast mac addresses

Guys,
    I have a customer who is using 2 sun boxes running checkpoint firewall
connected with a hub to our router, then out to the internet. They are both
running as primary and are sharing a virtual ip and mac address. The
customer wants us to statically arp map 140 ips to mac addresses on the
router, which we are not willing to do as per upper management. I suggested
he try to implement it on his own box and arp them to us. He has informed
me that his firewall people told him that under normal conditions it would
work, but since they are looking to arp map ips to multicast mac addresses it
would not work. Firewall guy says that cisco routers do this on purpose so
as not to use the multicast mac addresses on the internet.

1. Is this true?
2. Is there any documentation on this? (Looked and did not find any)

John E.
CCIE #8150
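As an added example (not part of the thread or of any vendor's code), a Python sketch of the receiver-side check both questions turn on: parse an ARP reply, note whether it is gratuitous (the unsolicited per-address replies Steve asks about), and flag a sender MAC with the I/G bit set, which is what makes a multicast MAC unusable as a unicast next-hop binding regardless of how the Solaris box builds its table. All MAC and IP addresses below are constructed; the "unicast-only" cache rule is the behaviour the thread attributes to Cisco routers, not a quotation of IOS source.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_OP_NAMES = {1: "request", 2: "reply"}

# Constructed sample addresses: documentation IPv4 range, locally administered MACs.
ROUTER_MAC = bytes.fromhex("020000aa0001")   # constructed unicast MAC
FW_MAC = bytes.fromhex("020000bb0001")       # constructed unicast MAC
MCAST_MAC = bytes.fromhex("01005e010203")    # IPv4 multicast MAC range (I/G bit set)

def mac_str(mac):
    return ":".join(f"{b:02x}" for b in mac)

def is_group_mac(mac):
    """I/G bit: least-significant bit of the first octet is set for multicast/broadcast."""
    return bool(mac[0] & 0x01)

def build_arp_frame(dst_mac, src_mac, op, sha, spa, tha, tpa):
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (test input)."""
    eth = struct.pack("!6s6sH", dst_mac, src_mac, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      sha, ipaddress.IPv4Address(spa).packed,
                      tha, ipaddress.IPv4Address(tpa).packed)
    return eth + arp

def classify_arp(frame):
    """Parse an ARP frame and decide whether a unicast-only receiver would cache it."""
    _, _, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, sha, spa, _, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    group = is_group_mac(sha)
    return {
        "op": ARP_OP_NAMES.get(op, "unknown"),
        "sender_ip": str(ipaddress.IPv4Address(spa)),
        "sender_mac": mac_str(sha),
        "gratuitous": spa == tpa,          # unsolicited reply announcing its own binding
        "sender_mac_is_group": group,
        # A group address is not a usable unicast next hop; a receiver that installs
        # only unicast bindings (as the thread says Cisco routers do) drops the reply.
        "cacheable": op == 2 and not group,
    }

# Constructed frames: a normal gratuitous reply, then one claiming a multicast MAC.
SAMPLE_FRAMES = [
    build_arp_frame(ROUTER_MAC, FW_MAC, 2, FW_MAC, "192.0.2.10", ROUTER_MAC, "192.0.2.10"),
    build_arp_frame(ROUTER_MAC, FW_MAC, 2, MCAST_MAC, "192.0.2.11", ROUTER_MAC, "192.0.2.11"),
]
```

Running `classify_arp` over captured ARP traffic from the hub segment would show directly which of the 140 announced bindings a unicast-only receiver would ignore.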



This archive was generated by hypermail 2.1.4 : Fri Jun 21 2002 - 06:45:05 GMT-3