
I'm setting up a very basic IPS test, and wondering: if an interface on a host pings an interface with a different IP address (on the same network) on the same host, will it reply? Will it respond to ARP requests?

I have a setup where a Linux box has two interfaces:

  • eth1 - 192.168.1.28
  • eth2 - 192.168.1.29

Each of them is connected to an IPS (Intrusion Prevention Sensor) interface configured as a pair. In effect, eth1 is connected directly to eth2. No sensing modes are activated.

TCPDUMP is run on the IPS, and on eth2.

If I send a ping from eth1 to eth2 with the command

ping -I eth2 192.168.1.29.

It shows destination not reachable.

TCPDUMP on the IPS shows that the packet is flowing through. TCPDUMP on eth2 shows that ARP packets are received, but eth2 sends no reply.

Is this because the source IP of the ARP packet is from the same host? Is there any way to force eth2 to reply to the ARP?

Jeff Atwood
woodstok

1 Answer


eth2 does not send a reply most likely because it is being sent by eth1. It is not necessarily the case that an ARP reply must be sent from the same interface from which it was received. I believe this is known as "ARP flux" and you may be able to find a solution to it here: http://wiki.openvz.org/Multiple_network_interfaces_and_ARP_flux

up_the_irons
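
An added example, not part of the answer above or of the linked wiki page: a shell check of the Linux sysctls that control which interface answers ARP, run over a constructed `sysctl -a` excerpt for the question's eth1 and eth2. The function names and sample values are assumptions of this example; the sysctl names are the kernel's own.

```shell
#!/bin/sh
# Constructed sample of `sysctl -a` output (not taken from the question's host).
SAMPLE='net.ipv4.conf.all.arp_ignore = 0
net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.accept_local = 0
net.ipv4.conf.eth1.arp_ignore = 1
net.ipv4.conf.eth1.arp_announce = 2
net.ipv4.conf.eth1.accept_local = 1
net.ipv4.conf.eth2.arp_ignore = 0
net.ipv4.conf.eth2.arp_announce = 0'

# effective KEY IFACE  (dump on stdin)
# Prints the larger of conf.all.KEY and conf.IFACE.KEY, which is how the
# kernel combines the two for arp_ignore and arp_announce; for the boolean
# keys the same rule acts as a logical OR (assumed here for accept_local).
effective() {
    awk -v key="$1" -v ifc="$2" -F'[ =]+' '
        $1 == "net.ipv4.conf.all." key     { a = $2 + 0 }
        $1 == "net.ipv4.conf." ifc "." key { i = $2 + 0 }
        END { m = (a > i) ? a : i; print m + 0 }'
}

# audit_iface IFACE DUMP_TEXT
# Prints one finding per setting that leaves the interface open to ARP flux
# or that blocks a same-host, over-the-wire test like the one in the question.
audit_iface() {
    ifc=$1; dump=$2
    ign=$(printf '%s\n' "$dump" | effective arp_ignore "$ifc")
    ann=$(printf '%s\n' "$dump" | effective arp_announce "$ifc")
    flt=$(printf '%s\n' "$dump" | effective arp_filter "$ifc")
    loc=$(printf '%s\n' "$dump" | effective accept_local "$ifc")
    # arp_ignore=0 with arp_filter=0: any interface may answer for any local IP.
    if [ "$ign" -eq 0 ] && [ "$flt" -eq 0 ]; then
        echo "$ifc: arp_ignore=0 and arp_filter=0, ARP may be answered for addresses on other interfaces"
    fi
    # arp_announce<2: the ARP source IP may be an address of another interface.
    [ "$ann" -ge 2 ] || echo "$ifc: arp_announce=$ann, ARP source IP may belong to another interface"
    # accept_local=0: packets arriving with a local source address are dropped.
    [ "$loc" -ge 1 ] || echo "$ifc: accept_local=0, packets with a local source address are not accepted"
    return 0
}

for n in eth1 eth2; do audit_iface "$n" "$SAMPLE"; done
```

On a live host, pass `"$(sysctl -a 2>/dev/null)"` as the second argument instead of the sample.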