I have a RouterOS appliance running in a KVM VPS in a datacenter. I'm moving IP addresses from the hardware interface to the VPS, but run into a problem all the time I do this. The datacenter's uplink switch has a 4-hour eviction policy set on its ARP cache, so I'm guarenteed to have a 4-hour downtime for the IP being moved to the VPS. This could be alleviated in theory by sending out garuitous ARP replies to update the neighbors' ARP caches. I haven't found a way to do this from the ROS running in the VPS (actually the fact that it runs in a VPS is irrelevant).
How could this be solved without uplink intervention or waiting for the cache eviction timeout?
Re: Gratuitous ARP to update neighbors' ARP table
Well, I seem to have found a solution. I'm posting it in order for others looking for a solution to this problem can find it in the future. The "nemesis" utility needs to be installed. In my case on Debian, it's a simple matter of running "aptitude update; aptitude install nemesis". Then run the following command:
nemesis arp -d <interface> -r -S <moved IP> -h <target MAC> -D <uplink IP> -m <uplink MAC>
<interface> is the physical ethernet interface (or bridge with the physical interface as slave on it) to your uplink. You should be now able to access the new IP on the VPS without waiting for the timeout. This technique is also called ARP spoofing/poisoning, AFAIK, and ill use of it is discouraged (and probably a breach of a few laws).
As a side note, on a standard Debian system in a VPS (probably other distros as well) this problem does not exist. The interface starting procedure probably sends out the necessary gatutious ARP reply packet without any tricks. It's just sad that RouterOS doesn't behave the same way.
nemesis arp -d <interface> -r -S <moved IP> -h <target MAC> -D <uplink IP> -m <uplink MAC>
<interface> is the physical ethernet interface (or bridge with the physical interface as slave on it) to your uplink. You should be now able to access the new IP on the VPS without waiting for the timeout. This technique is also called ARP spoofing/poisoning, AFAIK, and ill use of it is discouraged (and probably a breach of a few laws).
As a side note, on a standard Debian system in a VPS (probably other distros as well) this problem does not exist. The interface starting procedure probably sends out the necessary gatutious ARP reply packet without any tricks. It's just sad that RouterOS doesn't behave the same way.
-
-
millanbelsue
just joined
- Posts: 18
- Joined:
Re: Gratuitous ARP to update neighbors' ARP table
How is posible to activate ARP GRATUITOUS in every Ethernet interface?
-
-
StubArea51
Trainer
- Posts: 1742
- Joined:
- Location: stubarea51.net
- Contact:
Re: Gratuitous ARP to update neighbors' ARP table
Usually, a simple ping or a flood ping is enough to ensure ARP transitions quickly when moving Layer 2 connectivity. Because ARP is a Layer 2 broadcast, the old host will quit responding and the new host should answer ARP immediately...this method typically causes only a few seconds of an outage.
There are certainly unique cases with respect to ARP timeout and transition, but most of the time it will transition between hosts quickly if there is an active ping to the IP or other traffic.
There are certainly unique cases with respect to ARP timeout and transition, but most of the time it will transition between hosts quickly if there is an active ping to the IP or other traffic.