Educause Security Discussion mailing list archives
Re: Sun OS virtual zone ASA5520 arp problem
From: Jeffrey Ramsay <jramsay () UTICA EDU>
Date: Fri, 23 May 2008 03:24:03 -0400
Hello,

I suspect you have two hosts/containers sharing the same IP address. The containers will all share the same MAC address of the global zone unless you have multiple NICs. With multiple NICs it's possible to associate each zone with a physical interface and set the eeprom or OBP option local-mac-address to true. Also, depending on the host system (SPARC or x86) you're using, you could have trunked the interfaces, and this would change the ARP table to show the same MAC for all zones.

It's best to start testing using the following commands from the global zone: "arp -a", "ifconfig -a", "netstat -rn" and "zoneadm list -v". Figure out which zones are running, and identify the MAC address associated with each zone along with the defined routes. Without knowing your network topology this is the best advice I can offer.

-Jeff

Steve Whitson wrote:

I am using virtual zones on Sun OS and experiencing an intermittent MAC address table problem where two ARP responses are being seen with the same IP address, causing an intermittent MAC IP mismatch and resultant connectivity problem. As the table updates dynamically, the MAC address of the ASA 5520 outside interface is sometimes being seen as the MAC address of the virtual zone for the server instance instead of the MAC/IP for the zone. The virtual zones are all in our DMZ interface. Has anyone experienced this problem?

--
Jeffrey J. Ramsay
Systems Administrator (SCSA, SCNA, SCSECA)
Utica College
1600 Burrstone Road
Utica, NY 13502
Office: (315)223-2383
http://www.utica.edu
AIM: sol6789
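An added example, not part of the original messages: one way to turn the "arp -a" check suggested in the reply into a repeatable test is to save several snapshots of the ARP table over time and compare them. The sample tables, interface name, and addresses below are constructed, and the parser assumes only that each entry line carries an IPv4 address followed later by a colon-separated MAC address.

```python
import re
from collections import defaultdict

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
MAC_RE = re.compile(r"^[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5}$")

# Constructed snapshots (documentation IPs, locally administered MACs).
SNAP1 = """Net to Media Table: IPv4
Device   IP Address               Mask      Flags      Phys Addr
------ -------------------- --------------- -------- ---------------
bge0   192.0.2.1            255.255.255.255          02:00:00:00:00:fe
bge0   192.0.2.10           255.255.255.255 SPLA     02:00:00:00:00:01
bge0   192.0.2.11           255.255.255.255 SPLA     02:00:00:00:00:01
"""
# Later snapshot: the gateway IP now resolves to the zones' MAC, and one
# entry is printed without leading zeros.
SNAP2 = """bge0   192.0.2.1            255.255.255.255          02:00:00:00:00:01
bge0   192.0.2.10           255.255.255.255 SPLA     2:0:0:0:0:1
"""

def norm_mac(mac):
    """Zero-pad and lowercase each octet so 2:0:0:0:0:1 == 02:00:00:00:00:01."""
    return ":".join(part.zfill(2).lower() for part in mac.split(":"))

def parse_arp(text):
    """Return {ip: mac} for one snapshot. Tokens are found by shape, not by
    column, so headers and an empty Flags column are harmless. Entries shown
    by hostname are skipped (numeric output is needed for those)."""
    table = {}
    for line in text.splitlines():
        tokens = line.split()
        ips = [t for t in tokens if IP_RE.match(t)]    # first match is the IP, not the mask
        macs = [t for t in tokens if MAC_RE.match(t)]
        if ips and macs:
            table[ips[0]] = norm_mac(macs[-1])
    return table

def find_conflicts(snapshots):
    """flapping: IPs seen with more than one MAC across snapshots (the symptom
    in the question). shared: MACs answering for several IPs (expected when
    zones share the global zone's NIC, suspicious if a gateway IP is included)."""
    macs_by_ip, ips_by_mac = defaultdict(set), defaultdict(set)
    for snap in snapshots:
        for ip, mac in parse_arp(snap).items():
            macs_by_ip[ip].add(mac)
            ips_by_mac[mac].add(ip)
    flapping = {ip: sorted(m) for ip, m in macs_by_ip.items() if len(m) > 1}
    shared = {mac: sorted(i) for mac, i in ips_by_mac.items() if len(i) > 1}
    return flapping, shared
```
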
Current thread:
- Sun OS virtual zone ASA5520 arp problem Steve Whitson (May 22)
- <Possible follow-ups>
- Re: Sun OS virtual zone ASA5520 arp problem Jeffrey Ramsay (May 23)