Recently I have been doing some work on the HP 5500EI, including a port security feature limiting the number of MAC addresses to 8. This is not a difficult configuration at all – in fact it is just one command on the interface itself.
mac-address max-mac-count 5
So now with the limit in place I would like to test it. My first thought was to use Linux interface aliases as a quick and dirty way of doing this, but unfortunately I soon found out that it doesn’t allow for the requirements I had in mind.
- There have to be 5 or more virtual interfaces on one physical interface
- Each virtual interface must have its own individual MAC address
- All virtual interfaces must be getting their own IP addresses from the DHCP server
- All the virtual interfaces must receive an IP address from the same subnet (as they are plugged into an access port)
The main issue with just aliasing the interface is that an alias is an L3 construct only (it uses the same MAC as the physical interface) and definitely doesn’t allow for DHCP allocations from the same subnet. Fortunately on Linux this is not a problem: it can be done with the “ip link” feature, which is part of the iproute package in Debian. The usage is rather simple:
ip link add dev intX link eth0 type macvlan
ip link del dev intX link eth0 type macvlan
Where intX is the name of the new interface (X being its number) and eth0 is the physical interface you want to bind it to. This can be repeated multiple times and the MAC address will be generated randomly. There is also a way of setting it to whatever you want by changing the syntax to this:
ip link add dev intX link eth0 address aa:aa:aa:aa:aa:aa type macvlan
If you run this a couple of times and get IP addresses on those interfaces from the DHCP server, you will soon notice the following messages on your switches.
%Jun 7 11:03:01:411 2000 Core1 ARP/5/ARP_DUPLICATE_IPADDR_DETECT: Detected an IP address conflict. The device with MAC address 6e99-1b38-2b8c connected to Bridge-Aggregation2 in VLAN 100 and the device with MAC address d6b2-1ac8-9bd2 connected to Bridge-Aggregation2 in VLAN 100 are using the same IP address 10.0.3.248.
A quick check will reveal that there are no duplicate addresses assigned or allocated, so what is the system complaining about? The answer is the default ARP behavior of the Linux kernel: it replies to ARP requests from the first interface in the list (eth0), and it can also reply from all interfaces and/or a random interface, which makes Comware go crazy.
Fortunately this default behavior can be adjusted by the following commands:
echo 1 > /proc/sys/net/ipv4/conf/eth0/arp_ignore
echo 8 > /proc/sys/net/ipv4/conf/eth0/arp_announce
A lot of people around the net suggest the second value should be 5, but that didn’t work for me at all. If you want to make these changes persistent, add the corresponding lines (net.ipv4.conf.eth0.arp_ignore and net.ipv4.conf.eth0.arp_announce with the values above) to /etc/sysctl.conf.
There is some more explanation of the values above here
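As an added example (not part of the original post), here is a POSIX sh script that wraps the whole procedure: it creates the macvlan interfaces with deterministic locally administered MACs instead of random ones, applies the two ARP sysctls, requests a lease on each interface and can tear everything down again. It assumes eth0 as the parent interface, names int1..int5, and dhclient as the DHCP client; with DRY_RUN=1 (the default) it only prints the commands it would run.

```shell
#!/bin/sh
# Assumptions (override via environment): parent NIC, count, name prefix.
PARENT="${PARENT:-eth0}"
COUNT="${COUNT:-5}"
PREFIX="${PREFIX:-int}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands only, 0 = actually run them

# run: execute a command, or just print it when dry-running
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# gen_mac N: deterministic MAC for interface number N.
# The leading 02 sets the locally-administered bit and clears the
# multicast bit, so it can never collide with a vendor-assigned address.
gen_mac() {
  printf '02:00:00:%02x:%02x:%02x' \
    $(( ($1 >> 16) & 255 )) $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# ifname N: name of the Nth virtual interface, e.g. int3
ifname() { printf '%s%d' "$PREFIX" "$1"; }

# arp_tune: the two sysctls from the post, on the parent interface
arp_tune() {
  run sysctl -w "net.ipv4.conf.$PARENT.arp_ignore=1"
  run sysctl -w "net.ipv4.conf.$PARENT.arp_announce=8"
}

# create_all: add COUNT macvlan interfaces and get a DHCP lease on each
create_all() {
  i=1
  while [ "$i" -le "$COUNT" ]; do
    dev=$(ifname "$i")
    run ip link add dev "$dev" link "$PARENT" address "$(gen_mac "$i")" type macvlan
    run ip link set dev "$dev" up
    run dhclient "$dev"
    i=$((i + 1))
  done
}

# delete_all: remove the virtual interfaces again
delete_all() {
  i=1
  while [ "$i" -le "$COUNT" ]; do
    run ip link del dev "$(ifname "$i")"
    i=$((i + 1))
  done
}

case "${1:-}" in
  up)   arp_tune; create_all ;;
  down) delete_all ;;
esac
```

Run it as `DRY_RUN=0 sh macvlan-test.sh up` (as root) to create the interfaces and `... down` to remove them.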