cancel
Showing results for 
Search instead for 
Did you mean: 

Gateway sends VIP ARP request to F5 using F5 interface MAC address instead of broadcast MAC FF:FF..

muruganyash
Nimbostratus
Nimbostratus

When i capture the tcpdump i noticed, upstream network device sends virtual server IP's ARP request to F5 using F5's self interface MAC address instead of broadcast MAC FF:FF.. May i know how the upstream device aware to send the request to F5 interface MAC and how F5 responsd to that request? Is that using proxy ARP ?

Example:
231 2022-11-23 13:07:23.402506 Cisco_43:ae:43 VMware_83:3f:f4 ARP 84 IN s1/tmm0 : Who has 10.240.133.130? Tell 10.240.133.2
232 2022-11-23 13:07:23.402568 VMware_83:3f:f4 Cisco_43:ae:43 ARP 84 OUT s1/tmm0 : 10.240.133.130 is at 00:50:56:83:3f:f4

7 REPLIES 7

mihaic
Cirrostratus
Cirrostratus

read this:

bigip utilizes gratuitous ARP

https://support.f5.com/csp/article/K15858

 

muruganyash
Nimbostratus
Nimbostratus

If F5 use to update its virtual server address MAC to neighbour device using GARP periodically, why cisco gateway is sending ARP request for F5 VIP address ? All i want to know is how this ARP request is answered  by F5 selp interface?

GARP is used when an F5 device boots,  becomes active or when the VIP is enabled.

Both ARP and MAC table entries have an aging timer. MAC and ARP entries have different aging timers.

So when this expires the upstream device will remove the ARP entry for example.

If new traffic is coming for a VIP IP it will need to know the MAC address so it will ask by broadcasting an ARP request. The F5 will reply  VIP IP  request with its MAC address from its interface.

muruganyash
Nimbostratus
Nimbostratus

But what am noticing in wireshark output is not a broadcast MAC. Its clearly sending the ARP to F5 interface MAC VMware_83:3f:f4, that is the poing it confusing me.

Example:
231 2022-11-23 13:07:23.402506 Cisco_43:ae:43 VMware_83:3f:f4 ARP 84 IN s1/tmm0 : Who has 10.240.133.130? Tell 10.240.133.2
232 2022-11-23 13:07:23.402568 VMware_83:3f:f4 Cisco_43:ae:43 ARP 84 OUT s1/tmm0 : 10.240.133.130 is at 00:50:56:83:3f:f4

mihaic
Cirrostratus
Cirrostratus

Do a tcpdump  on that Cisco device.

mihaic
Cirrostratus
Cirrostratus

Some devices send ARP unicast request to refresh their arp entry.

So they send it to the mac address they know before it times out.

Check these documents:
https://www.ietf.org/rfc/rfc1122.txt search for "Unicast Poll"

https://community.cisco.com/t5/switching/router-arp-request-unicast/td-p/1479724

 

CA_Valli
Cumulonimbus
Cumulonimbus

Do you have a mac masquerade configuration?