[Nottingham] NIC MACs aliases & IP aliases

Graeme Fowler graeme at graemef.net
Thu Mar 26 15:36:28 UTC 2009

On Thu, 2009-03-26 at 14:50 +0000, Matthew Walster wrote:
> Yes. This is how networks using VRRP make sure that you have near-100%
> uptime when you take the primary default gateway down.

That's not *quite* correct. VRRP (Virtual Router Replacement Protocol)
doesn't do any form of MAC manipulation; it simply moves the active IP
address between nodes when failover happens and then sends GARP
(Gratuitous ARP) packets to the local network saying "I'm Spartacus",
like this:

15:24:29.310112 arp who-has tell
15:24:29.310275 arp who-has tell
15:24:29.310339 arp who-has tell
15:24:29.310399 arp who-has tell
15:24:29.310483 arp who-has tell

The VRRP advertisements (not shown) themselves only tell participating
routers who is currently master.

Cisco's HSRP (Hot Spare Replacement Protocol) protocol uses a "virtual"
MAC address group for the participating routers which is essentially
moved between devices as failover takes place. It is felt by Cisco to be
more reliable as it doesn't require any Layer 3 traffic therefore
converges more quickly, but the definition of "quickly" at this point is
a matter of milliseconds. This protocol is proprietary, and although
reverse engineering was done on it several years ago Cisco exerted their
patent and killed that project. It eventually morphed into CARP and
uCARP, frequently used by the various BSD projects to do the same thing.

Going back to Martin's original question, though:

> Can multiple MACs be spoofed for a single NIC?

Unless the hardware and driver support MAC address changes, most NICs
cannot be reprogrammed "on the fly". 

> For example, can one NIC port be made to appear to be multiple
> physical ports to a network switch?

I'm not entirely sure I understand what you mean here - do you mean "is
it possible to make a single hardware device look like several at the
same time"?

> And... Is there a simple way to set the source IP address of outbound 
> packets to be from a particular IP alias (and MAC alias)? Or must 
> individual routing "via" commands be given for each case?

If you have two IP aliases, return traffic for sessions established on
them as destinations will always be answered by the address the request
arrived on (or the TCP handshake would fail).
If you want to initiate sessions from different IP addresses according
to some sort of policy, then usually the application manages that itself
(like the "interface" option to Exim's "remote_smtp" driver).

You can, however, use the iproute2 toolkit to classify traffic as it
arrives and make sure it always leaves via a specified upstream router.
This, however, is *not* for the faint of heart and successful boot-time
setup varies according to distro of choice...
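The gratuitous ARP burst in the trace above is what a failover looks like on the wire: the same IP is suddenly announced from a different MAC. The following is an added example, not code from Graeme's post or from any VRRP/HSRP implementation: a small Python parser for IPv4-over-Ethernet ARP frames that recognises gratuitous ARP (sender and target protocol addresses equal) and tracks the IP-to-MAC binding so that a move is reported. The sample frames, MAC addresses and the 192.0.2.0/24 addresses are constructed for the example. From a monitoring point of view a binding change is exactly the event worth logging, since an expected failover and an ARP-spoofing attempt produce the same symptom and only correlation with the routers' own state tells them apart.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ETH_P_ARP = 0x0806          # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class ArpFrame:
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str
    opcode: int

    @property
    def is_gratuitous(self) -> bool:
        # A gratuitous ARP announces the sender's own address: the sender
        # and target protocol addresses are equal ("who-has X tell X").
        return self.sender_ip == self.target_ip


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> Optional[ArpFrame]:
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP.

    Returns None for anything that is not such a frame (other EtherTypes,
    other hardware/protocol types, truncated frames).
    """
    if len(frame) < 14 + 28:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        return None
    hw_type, proto_type, hw_len, proto_len, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (hw_type, proto_type, hw_len, proto_len) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]  # sha(6) spa(4) tha(6) tpa(4)
    return ArpFrame(
        sender_mac=_mac(body[0:6]),
        sender_ip=_ip(body[6:10]),
        target_mac=_mac(body[10:16]),
        target_ip=_ip(body[16:20]),
        opcode=opcode,
    )


def build_arp(src_mac: bytes, sender_ip: bytes, target_ip: bytes,
              opcode: int = ARP_REQUEST) -> bytes:
    """Build a broadcast ARP frame (used here only to construct sample input)."""
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += src_mac + sender_ip + b"\x00" * 6 + target_ip
    return eth + arp


def track_ip_mac(frames: List[bytes]) -> Tuple[Dict[str, str], List[str]]:
    """Walk a frame list, keep an IP->MAC table and report every binding move."""
    table: Dict[str, str] = {}
    events: List[str] = []
    for raw in frames:
        arp = parse_arp(raw)
        if arp is None:
            continue
        kind = "GARP" if arp.is_gratuitous else (
            "reply" if arp.opcode == ARP_REPLY else "request")
        prev = table.get(arp.sender_ip)
        if prev is not None and prev != arp.sender_mac:
            events.append(f"{kind}: {arp.sender_ip} moved {prev} -> {arp.sender_mac}")
        table[arp.sender_ip] = arp.sender_mac
    return table, events


# Constructed sample traffic: router A owns the shared address 192.0.2.1,
# a host asks an unrelated question, then router B takes the address over
# and announces it with a burst of five gratuitous ARPs (as in the trace).
ROUTER_A = bytes.fromhex("001122334401")
ROUTER_B = bytes.fromhex("001122334402")
HOST = bytes.fromhex("001122334410")
VIP = bytes([192, 0, 2, 1])

SAMPLE_FRAMES: List[bytes] = [
    build_arp(ROUTER_A, VIP, VIP),                                   # A announces VIP
    build_arp(HOST, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 5])),  # ordinary request
    b"\xff" * 6 + HOST + struct.pack("!H", 0x0800) + b"\x00" * 28,   # not ARP, ignored
] + [build_arp(ROUTER_B, VIP, VIP) for _ in range(5)]                # B takes over


if __name__ == "__main__":
    table, events = track_ip_mac(SAMPLE_FRAMES)
    print(table)
    for e in events:
        print(e)
```

Only the first of router B's five announcements produces an event; the rest agree with the table and are silent, which keeps a noisy failover from flooding the log.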
