At Fri, 26 Aug 2011 16:51:45 -0400 (EDT), "Michael T. Davis"
<DAVISM%ecr6.ohio-state.edu@localhost> wrote:
Subject: Any way to suppress select arp messages?
>
> We have a number of Windows systems with multiple network interfaces
> that are "ganged" via Intel's load balancing configuration. Our NetBSD
> (i386 5.1 release) firewall keeps reporting ARP messages of the following
> form:
>
> arp info overwritten for <ip-addr> by 00:06:5b:ef:29:9f
> arp info overwritten for <ip-addr> by 00:06:5b:ef:29:a0
I must admit ignorance of this Intel load balancing thing you speak of
but I'm a wee bit astounded by something which would cause such a
mis-configuration on purpose. How's it work? Does it use some other
protocol than IP, i.e. something that doesn't use ARP?
Or is it just for fail-over?
> Of course, there are cases where we would want to know when the IP address of
> a host seems to somehow migrate to another MAC address. But in the case of
> these specific systems, where this behavior is unavoidable, we'd like to be
> able to suppress these notifications.
I think you might want to look at suppressing them after the kernel
generates them -- i.e. with a filter on your log viewer/analyzer.
And only filter those MACs for which you know this is just noise.
--
Greg A. Woods
Planix, Inc.
<woods%planix.com@localhost> +1 250 762-7675 http://www.planix.com/
Attachment:
pgp5KwGBP8UrD.pgp
Description: PGP signature