Forum Discussion
BIG-IP LTM Dynamic ARP Table Visibility
I am trying to audit my LTM virtual server vlan arp cache because we are looking for servers that were erroneously added to this vlan. However, I did notice while in tmsh 'net arp' I can only see external hosts to the LTM if I ping them (obviously), BUT it never lists the LTM virtual servers in this same cache.
I cannot check our switch arp table because it is only a layer 2 pass through and the F5 is the gateway for this virtual server vlan.
I am trying to avoid pinging 253 unique IP addresses across six vlans and hoping to find another way to get this information or at the very least script a ping sweep, where I can edit the network ID (10.10.X.0/24).
Thanks
1 Reply
- IanB
Employee
The ARP protocol is used to resolve layer-3 addresses to layer-2 addresses. Since the LTM never needs to ask this question for directly connected interfaces, those will not be present in the table.
You could try pinging the broadcast address (make sure you use -b), or the multicast 'all hosts' address (224.0.0.1) to elicit traffic from other devices.
Alternatively, use a Linux device connected to the same subnet and run nmap 10.0.0.1-255 (adjust for whatever your subnet is).
And if you can't do that, script it:
for i in {1..254} ; do ping -W1 -c1 10.0.0.$i ; done ; arp -na
With a 1-second timeout (-W1), that will take a little over 4 minutes.
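The sweep from the reply above, extended to several 10.10.X.0/24 VLANs and to flagging hosts that are not on an expected list; this is an added example, not code from the thread or from F5. The function names, the expected-hosts file (one IP per line) and the Linux net-tools `arp -na` line format are assumptions, and the sample ARP lines are constructed.

```bash
#!/bin/bash
# Added example (not from the thread): sweep /24s, then report ARP entries
# that are not on an expected-host list.
# Assumption: `arp -na` prints Linux net-tools lines such as
#   ? (10.0.0.5) at 00:11:22:33:44:55 [ether] on eth0

# Ping .1-.254 of a /24 in parallel so the sweep takes seconds, not minutes.
sweep() {            # $1 = first three octets, e.g. 10.10.3
  local i
  for i in $(seq 1 254); do
    ping -W1 -c1 "$1.$i" >/dev/null 2>&1 &
  done
  wait
}

# Read `arp -na` output on stdin; print "IP MAC" for answered entries in $1.0/24.
resolved() {
  awk -v p="$1." '{ ip = $2; gsub(/[()]/, "", ip) }
    index(ip, p) == 1 && $3 == "at" && $4 != "<incomplete>" { print ip, $4 }'
}

# Print resolved entries whose IP is not listed (one per line) in file $2.
unexpected() {       # $1 = prefix, $2 = expected-hosts file
  resolved "$1" | awk -v f="$2" '
    BEGIN { while ((getline line < f) > 0) { split(line, a, " "); ok[a[1]] = 1 } }
    !($1 in ok)'
}

# Constructed sample of arp output, used when no prefix is given.
SAMPLE='? (10.10.3.10) at 00:50:56:aa:bb:01 [ether] on vlan3
? (10.10.3.11) at <incomplete> on vlan3
? (10.10.3.77) at 00:50:56:aa:bb:4d [ether] on vlan3
? (10.10.30.5) at 00:50:56:aa:bb:05 [ether] on vlan30'

if [ "$#" -ge 2 ]; then      # usage: script EXPECTED_FILE PREFIX [PREFIX...]
  expected=$1; shift
  for prefix in "$@"; do
    sweep "$prefix"
    arp -na | unexpected "$prefix" "$expected"
  done
else
  printf '%s\n' "$SAMPLE" | resolved 10.10.3
fi
```

Entries shown as `<incomplete>` are addresses that were pinged but never answered ARP, so they are dropped rather than reported as hosts.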