Router MAC address

Hey guys,

I need some info on this . I have a router/gw with x.x.x.1 ip address . When a linux system within the same n/w pings the gw, linux box gets updated with a different MAC address of gw in its ARP table as compared with a Windows system. Both Windows and linux system are in the same network.

However, Windows system is able to use the router effectivity and connect to outside world.

I am not able to physically see the router.Neither I am able to use a browser to connect x.x.x.1.

Is the router having 2 or more ethernet adapters but same IP given to each one of them ? How come multiple linux systems are obtaining the MAC address of router whereas windows are obtaining a differnt set ?

Reply to
objecttrack
Loading thread data ...

I added comp.protocols.tcp-ip to this reply. I don't believe that there is a comp.protocols.arp yet.

It might help if you gave the MAC addresses, or at least the OUI (first six hex digits). Of the possibilities I can think of, one is that they are not really on the same network, but just look that way. (VLAN's being one possibility.)

If you exchange the IP addresses, do the MAC addresses follow?

As long as the router accepts data sent to the MAC addresses it returns for ARP, it should work.

Most routers will have one TCP port that they will accept connections on. Traditionally that was 23 (telnet), but more recently 80 (http). Which one did you try?

It could be some type of load sharing system. Maybe odd addresses to one interface, even to the other, even though both go into the same router and are otherwise on the same subnet.

-- glen

Reply to
Glen Herrmannsfeldt

I believe both the linux and windows system are in the same network. linux system receives 00-1c-58 as MAC addr of router whereas windows system receive 00-1f-6c as the router mac address.

I tried port 80.

Reply to
objecttrack

snipped-for-privacy@gmail.com wrote: (snip)

Both belong to Cisco, if that helps any.

It would seem that they could both be the same router.

-- glen

Reply to
Glen Herrmannsfeldt

Some more info I got - This is happenening even though I connect Windows and linux system to the same physical port in the same network,

During the device discovery phase, linux box uses a different MAC address corresponding to router compared with Windows system.

And if I try to manually edit the arp table in linux system, I connect to outside world.

I am not sure if the IPv6 stack in linux kernel is causing any issue although I am using using only Ipv4 address.

Reply to
objecttrack

When I scanned through the network for system having MAC -address

00-1c-58 through a network tool (CCGMA) in windows , I did not get a hit.
Reply to
objecttrack

Hello,

snipped-for-privacy@gmail.com a écrit :

It should not. IPv6 does not use ARP, it has its own address resolution protocol.

Reply to
Pascal Hambourg

okay.

Looks like their are 2 interface cards on tha same network configured with x.x.x.1 IP address (Gateway address) .

How come windows takes the correct one while Linux takes an incorrect value.

One more interesting observation :

Using 'arping' on Linux - I find linux arping both x.x.x.1 machine - [00:1C:58:aa:bb:cc] 0.692ms [00:1F:6C:dd:ee:ff ] 0.820ms

00:1C:58:aa:bb:cc] 0.688ms [00:1F:6C:dd:ee:ff ] 0.808ms

Notice the difference between the time.And linux takes the former MAC address and updates in ARP table.

How is windows and linux approach different in the case of multiple routers in same network ?

Reply to
objecttrack

Do you have redundant routers using HSRP or VRRP for failover? Maybe the routers have lost contact with each other, so they're both active.

How is Linux supposed to know it's incorrect? If it shows up in an ARP response it's correct as far as it can tell.

Apparently Windows will replace an ARP cache entry whenever it receives a response, while Linux only does when it has sent an ARP request. So Linux considers the second response extraneous, because it hasn't sent an ARP request since receiving the first response, and ignores it.

Reply to
Barry Margolin

Alternatively you may have run into proxy arp which is on by default on Cisco routers. Under proxy arp a router will send an arp response for an address it can get to (or thinks it can get to) even if not directly connected. This can be a real pain to troubleshoot.

Or it may be as you say and both routers have the same IP address.

Good find with the arping. If I read the RFC correctly (linked RFC

820) from

formatting link
a host should update its arp table with the last info received. That said I may have read it incorrectly - it was only a cursory scan over the info - or the arp handler may choose not to add an entry for the second update. The RFC doesn't look like it was written with this situation in mind.

So, I guess the answer as to why Windows does one think and Linux the other depends on the software running their arp handling. One thing is for sure. The second router to respond (which is either busier or slower than the first) should not send an arp reply if it cannot reach the address mentioned. I think the next place to look is the router config and see where that leads you.

James

Reply to
James Harris

I think you're right. That's how "gratuitous ARP" works to update ARP caches when an IP moves to a new machine.

So I find it strange that Linux uses the first ARP response received, rather than the last.

Reply to
Barry Margolin

Barry Margolin wrote: (snip, someone wrote)

Not so good for security, though. If someone can put ARP packets on the line they can hijack a connection by removing the other host from ARP.

Reminds me of the time I accidentally setup two diskless Suns with the same IP address. The second one gets into the ARP cache, the first one gets ignored by the server.

-- glen

Reply to
Glen Herrmannsfeldt

" The Gratuitous ARP is an ARP request for their own IP address and is used to check for a duplicate IP address. If there is a duplicate address then the stack does not complete initialisation. " So if both the systems were to follow it, we would not have duplicate IP address in the first place.

Am I correct in understanding that linux is using the first ARP response in its ARP table while Windows updates the ARP table with the last entry ?

Reply to
objecttrack

As I understand the previous posts, when multiple replies come in a short time linux keeps the first one. If one comes much later, it seems that linux will use that one.

I believe if a host changes its IP address it can send a broadcast ARP reply with the new address. Hosts should use that one.

-- glen

Reply to
Glen Herrmannsfeldt

I dont think I have access to the router to check its configuration. So what should be my solution ? Tell the system admin that routers with duplicate IP address are causing the problem ?

Reply to
objecttrack

If you have no access to the routers it's worth being a bit careful depending on how helpful your sys admin is. The routers could have the same IP address or one could be responding with a proxy arp. If I've followed the comments on this thread closely enough what you can say for sure is:

  1. Arp requests for IP address X on your network seem to get two responses from the two mac addresses. Is this intended?
  2. Both responses appear to be from Cisco devices *
  3. Hosts which use mac address Y don't work

(*) To show that they are Ciscos type the first three octets of the mac address without colons (e.g. 001c58) into the public OUI search box on

formatting link
The first three bytes of a mac address are called the OUI (organizationally unique identifier) and identify the organisation who bought the range from the IEEE.

As a test you could also put a fixed/manual mac address on a Unix box to check that this is the only problem.

James

Reply to
James Harris

James Harris wrote: (snip)

If one works, you can put a static permanent entry into your ARP cache such that it will find the one that works.

Not the best way, but it should work. For windows and unix, it is arp -s,

-- glen

Reply to
Glen Herrmannsfeldt

Where can I get more information about ARP handler's implementation in Windows ? Does it set a default value to its timer and wait for all ARP response during that period and updates the ARP table with the latest response ?

Reply to
objecttrack

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.