=^.^=

Fix: Multiple NICs on Same Layer 2 Network Broadcast All MACs on ARP request

karma

By default when a Linux host is connected to the same layer 2 network by two network interfaces (i.e. plugged into the same or connected switch (and VLAN) or attached to a bridge in similar configuration) ARP requests for any IP on the NICs in question will produce a single response for every interface's MAC address. Obviously, this poses a problem called ARP flux where an IP may seem to migrate from MAC to MAC.

This example uses a DHCP server of similar stock to the one covered in Transparent Proxy for Hot Spot/Public Network Web-Based Authentication on ClearOS . It has an external interface (192.168.222.22) and an internal interface (192.168.111.1) on which DHCP clients are collected. Since we are collecting DHCP users then routing them through another private network both interfaces are connected to the same switch. When an ARP request for either IP is made both will respond at first. Observe:

bzp ~ # arping 192.168.222.22 -I br0
ARPING 192.168.222.22 from 192.168.222.53 br0
Unicast reply from 192.168.222.22 [00:16:3E:22:00:01]  0.950ms
Unicast reply from 192.168.222.22 [00:16:3E:22:00:02]  0.987ms
Unicast reply from 192.168.222.22 [00:16:3E:22:00:02]  0.930ms
^CSent 2 probes (1 broadcast(s))
Received 3 response(s)
bzp ~ # arping 192.168.111.1 -I br0
ARPING 192.168.111.1 from 192.168.111.99 br0
Unicast reply from 192.168.111.1 [00:16:3E:22:00:01]  0.946ms
Unicast reply from 192.168.111.1 [00:16:3E:22:00:02]  0.981ms
Unicast reply from 192.168.111.1 [00:16:3E:22:00:02]  0.887ms
Unicast reply from 192.168.111.1 [00:16:3E:22:00:02]  0.891ms
Unicast reply from 192.168.111.1 [00:16:3E:22:00:02]  0.953ms
^CSent 4 probes (1 broadcast(s))
Received 5 response(s)

We can correct this by adding the following lines to /etc/sysctl.conf:

net.ipv4.conf.default.arp_filter=1
net.ipv4.conf.all.arp_filter=1

Now run:

# sysctl -p

The issue should be corrected:

bzp ~ # arping 192.168.111.1 -I br0
ARPING 192.168.111.1 from 192.168.111.99 br0
Unicast reply from 192.168.111.1 [00:16:3E:22:00:02]  1.171ms
Unicast reply from 192.168.111.1 [00:16:3E:22:00:02]  0.991ms
^CSent 2 probes (1 broadcast(s))
Received 2 response(s)
bzp ~ # arping 192.168.222.22 -I br0
ARPING 192.168.222.22 from 192.168.222.22 br0
Unicast reply from 192.168.222.22 [00:16:3E:22:00:01]  0.919ms
Unicast reply from 192.168.222.22 [00:16:3E:22:00:01]  0.980ms
^CSent 2 probes (1 broadcast(s))
Received 2 response(s)

Note that one of the MACs will "win out" after the first broadcast because the target machine will start sending unicast responses from the correct interface; if you are consistently seeing multiple MACs responding on every ARPing it is safe to say you are probably looking at an IP address conflict instead.

Comments

• karlochacon

hi I have a similar environment

my linux server suse 11 have 2 IPs
192.168.128.10/24 - eth0
192.168.128.11/24 - eth1
as you same identical subnet
but every time I ping .10-eth0 is OK as well .11 of course I see arp shows me the same MACs
but If disconnect the cable from eth1 still both .11 is pingable
but If disconnect eth0 no IP is pingable....
what basically I need is each interface behave like itself
so If disconnect eth0 .10 won't be pinged and .11 will be and
If I disconnect eth1 .10 it is pingable but .11 won't respond

so basically in my case eth0 owns the server so
any idea how to fix this?
thanks