
I have Debian hosts which are connected through a trunk port on 5 different VLANs. But these hosts respond to ARP "who-has" requests for all of their different IPs. I wish to understand why ...

Here is the network/interfaces file (eth0.1 handles 172.16.1.145/16)

auto lo
iface lo inet loopback

allow-hotplug eth0
iface eth0 inet manual

auto eth0.1
iface eth0.1 inet dhcp

auto eth0.10
iface eth0.10 inet static
address 192.168.10.254
netmask 255.255.255.0

auto eth0.6
iface eth0.6 inet static
address 192.168.6.254
netmask 255.255.255.0

auto eth0.7
iface eth0.7 inet static
address 192.168.7.254
netmask 255.255.255.0

auto eth0.2
iface eth0.2 inet static
address 0.0.0.0
netmask 0.0.0.0

And this is the output of different ARP who-has requests on the VLAN 1 broadcast domain, sent by ldc (172.16.1.50/16)

ldc:~# arping 172.16.1.145
ARPING 172.16.1.145
60 bytes from ab:cd:ef:01:23:45 (172.16.1.145): index=0 time=193.119 usec
^C
--- 172.16.1.145 statistics ---
1 packets transmitted, 1 packets received,   0% unanswered (0 extra)

ldc:~# arping 192.168.10.254
ARPING 192.168.10.254
60 bytes from ab:cd:ef:01:23:45 (192.168.10.254): index=0 time=221.014 usec
^C
--- 192.168.10.254 statistics ---
1 packets transmitted, 1 packets received,   0% unanswered (0 extra)

ldc:~# arping 192.168.6.254
ARPING 192.168.6.254
60 bytes from ab:cd:ef:01:23:45 (192.168.6.254): index=0 time=256.062 usec
^C
--- 192.168.6.254 statistics ---
1 packets transmitted, 1 packets received,   0% unanswered (0 extra)

ldc:~# arping 192.168.7.254
ARPING 192.168.7.254
60 bytes from ab:cd:ef:01:23:45 (192.168.7.254): index=0 time=211.954 usec
^C
--- 192.168.7.254 statistics ---
1 packets transmitted, 1 packets received,   0% unanswered (0 extra)

For sure L3 is not relayed, but I want to fix this anyway... Can someone help me?

jjumper

3 Answers


By default, a Linux installation would come implementing something which is called a "weak end host" model, accepting packets to all of its addresses on any interface. If it is just ARP bothering you, you should enable ARP filtering using the

net.ipv4.conf.<interface>.arp_filter

tunable. For other types of IP traffic, consider setting up appropriate netfilter rules for ingress filtering and/or enabling net.ipv4.conf.<interface>.rp_filter (no idea if Debian is not doing this by default)

Further reading: http://linux-ip.net/html/ether-arp.html#ether-arp-flux-arpfilter

the-wabbit
  • I tried with all values of rp_filter; it didn't resolve the issue. And after that I tried: `# echo 1 > /proc/sys/net/ipv4/conf/all/arp_filter # echo 1 > /proc/sys/net/ipv4/conf/eth0/arp_filter # echo 1 > /proc/sys/net/ipv4/conf/eth0.7/arp_filter # echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter # echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter # echo 1 > /proc/sys/net/ipv4/conf/eth0.7/rp_filter` on the problematic host, and I always get a response from arping ... But I learned a lot of things. Thanks guys ;) – jjumper Mar 11 '13 at 15:04

It's OK, I've found the fix:

It was a problem of arp_ignore: echo 1 > /proc/sys/net/ipv4/conf/eth0.1/arp_ignore (because I receive the who-has requests from VLAN 1)

IMHO, this should be the default behaviour...

Thanks again.

jjumper
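Why arp_ignore=1 on eth0.1 stops the extra replies while arp_filter did not: arp_ignore decides whether the host answers a who-has at all, based on where the request arrived. The following is an added illustration, not part of the thread and not kernel code: a small Python model of the documented arp_ignore modes 0, 1, 2 and 8 (mode 3 is not modelled), replayed against the addressing from the question. The interface addresses are taken from the /etc/network/interfaces above; the sender 192.168.10.5 used in the tests is constructed.

```python
from ipaddress import ip_address, ip_interface

# Taken from the question's /etc/network/interfaces (eth0.2 carries no address).
HOST_IFACES = {
    "eth0.1":  ["172.16.1.145/16"],
    "eth0.10": ["192.168.10.254/24"],
    "eth0.6":  ["192.168.6.254/24"],
    "eth0.7":  ["192.168.7.254/24"],
}


def effective_arp_ignore(settings, iface):
    """Linux applies the larger of conf/all/arp_ignore and conf/<iface>/arp_ignore."""
    return max(settings.get("all", 0), settings.get(iface, 0))


def should_reply(host_ifaces, settings, in_iface, sender_ip, target_ip):
    """Model of arp_ignore for a who-has for target_ip from sender_ip arriving
    on in_iface. Returns True when the host would answer with its own MAC."""
    mode = effective_arp_ignore(settings, in_iface)
    target, sender = ip_address(target_ip), ip_address(sender_ip)
    if mode == 8:          # never answer for any local address
        return False
    if mode == 0:          # default ("weak end host"): any local address, any interface
        return any(ip_interface(a).ip == target
                   for addrs in host_ifaces.values() for a in addrs)
    # modes 1 and 2: the target must be configured on the receiving interface
    for a in host_ifaces.get(in_iface, []):
        local = ip_interface(a)
        if local.ip != target:
            continue
        if mode == 1:
            return True
        if mode == 2:      # additionally, the sender must sit in that interface's subnet
            return sender in local.network
    return False


def reproduce_question(settings=None):
    """Replay the four arping targets sent by ldc (172.16.1.50) on VLAN 1 (eth0.1)."""
    targets = ["172.16.1.145", "192.168.10.254", "192.168.6.254", "192.168.7.254"]
    return {t: should_reply(HOST_IFACES, settings or {}, "eth0.1", "172.16.1.50", t)
            for t in targets}


if __name__ == "__main__":
    print("default:", reproduce_question())                 # every target answered
    print("arp_ignore=1 on eth0.1:", reproduce_question({"eth0.1": 1}))
```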

You should write vlan-raw-device eth0 in every VLAN interface entry. See man vlan-interfaces. If you name interfaces eth0.1, eth0.2, ..., it just adds additional addresses to the same physical interface. Use some other names, for example eth0_vlan1, ...

Just try this:

auto eth0
iface eth0 inet manual

auto vlan6
iface vlan6 inet static
address 192.168.6.254
netmask 255.255.255.0

...

and write back whether it works

Selivanov Pavel
  • I read the man page and it says that if ifaces are named "ethx.y", the parameter vlan-raw-device is ignored... – jjumper Mar 11 '13 at 15:15
  • It's not vlan-raw-device; that's only necessary if you don't have the ethX interface in the iface statement, and his is there. It seems more like arpings are being forwarded between interfaces. – NickW Mar 11 '13 at 15:16
  • `man vlan-interfaces`: # Aliases are ignored. ethX. are just aliases for the main interface, not VLANs. They exist in the same L2 broadcast segment. – Selivanov Pavel Mar 11 '13 at 18:05