IP addresses cannot be obtained from DHCP due to proxy-ARP

The company uses Telecom optical fiber and allocates five IP addresses. For ease of use, the optical fiber of the optical cat is directly connected to the switch.

The outside and inside networks of the Cisco 2911 router are all wired from the vswitch.

Because the Cisco router enables proxy-ARP by default, when outside receives the broadcast ARP information, because the inside CIDR Block and the broadcast CIDR block are in the same CIDR block, the router returns the MAC address of outside.

After the computer uses DHCP to obtain the IP address from the server, it finds that the IP address has been bound to the outside mac on the vro. Therefore, DHCP incorrectly considers that the IP address is already in use, and mark it as dirty IP. The client cannot obtain the IP address.

Information about proxy-ARP is as follows:

Https://learningnetwork.cisco.com/docs/DOC-10774

1. ARP
ARP is the Address Resolution Protocol, which is used inEthernet environmentFind the two-layer MAC address through the three-layer IP address and obtain an ARP cache table. Data is transmitted according to the ARP cache table during data forwarding. Describes in detail how ARP performs step-by-step operations during data transmission.
After the IP address is configured, no ping is performed. The ARP cache table is as follows:

 

650) This. width = 650; "border =" 0 "src =" http://www.link-hope.com/zero/ARP1.bmp "style =" border: 0px; border-collapse: collapse; border-Spacing: 0px; List-style: none; margin: 0px 10px 0px; padding: 0px; Background: transparent; "alt =" arp1.bmp "/>

 

When the PC Ping R1, you will find the first packet loss. Like this
R1 # Ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP echos to 192.168.1.2, timeout is 2 seconds:
.!!!!
Success rate is 100 percent (5/5), round-trip min/AVG/max = 8/25/56 MS

 

The first packet is actually an ARP request. The PC finds that ping is in this segment and sends an ARP broadcast to R1 requesting the MAC address of 192.168.1.2. After a response is received, the corresponding content obtained from the ARP request is added to the ARP table.

 

650) This. width = 650; "border =" 0 "src =" http://www.link-hope.com/zero/ARP2.bmp "style =" border: 0px; border-collapse: collapse; border-Spacing: 0px; List-style: none; margin: 0px 10px 0px; padding: 0px; Background: transparent; "alt =" arp2.bmp "/>

 

PC:At this time, Ping 10.1.1.3 on the PC and you will find that the Ping is not from this network segment. Because the PC does not have the routing function, you do not know where to send the ping. The Ping will be sent according to the default gateway that has been configured previously, generally, the default gateway is configured as the IP address of the router interface, which is 192.168.1.2. View the ARP cache table and find the MAC address corresponding to 192.168.1.2. Then, the packet is handed over to the router for processing.

 

R1:When the router receives a packet destined for 10.1.1.0, It queries the route table. First, it checks the route table and finds that the data sent to fastethernet 0/1
# Show IP Route
C 10.1.1.0 is directly connected, fastethernet0/1
Check whether the ARP table has MAC address information for the next hop 10.1.1.3. If so, send data to the next hop by Mac. If not, send an ARP query, obtain the MAC address 10.1.1.3 of the next hop address, store it in the ARP cache table, and forward it.
650) This. width = 650; "border =" 0 "src =" http://www.link-hope.com/zero/ARP3.bmp "style =" border: 0px; border-collapse: collapse; border-Spacing: 0px; List-style: none; margin: 0px 10px 0px; padding: 0px; Background: transparent; "alt =" arp3.bmp "/>

 

Data packets are sent to R2 (Static Routing is completed ). In the same way, packets are successfully pinged.

 

 

 

2. Proxy ARP
"What is proxy ARP? Proxy ARP is to use a host (usually a router) to respond to ARP requests from another device as a specified device ." This is an official explanation. You can use the same topology for verification. Here we use it most often.Router disables the routing function to simulate a PCComplete this experiment (the left-side PC is a router simulation. please clear the ARP information of the previous experiment before doing this experiment. We recommend that you restart it ):
650) This. width = 650; "border =" 0 "src =" http://www.link-hope.com/zero/ARP4.bmp "style =" border: 0px; border-collapse: collapse; border-Spacing: 0px; List-style: none; margin: 0px 10px 0px; padding: 0px; Background: transparent; "alt =" arp4.bmp "/>

 

If no default gateway is configured on the PC, Ping 192.168.1.2 and 10.1.1.3 on the PC. The following ARP table is displayed:
650) This. width = 650; "border =" 0 "src =" http://www.link-hope.com/zero/ARP5.bmp "style =" border: 0px; border-collapse: collapse; border-Spacing: 0px; List-style: none; margin: 0px 10px 0px; padding: 0px; Background: transparent; "alt =" arp5.bmp "/>
Therefore, the PC sends the MAC address 10.1.1.3 of the ARP request. R2 responds to the PC with its own fastethernet0/0 address proxy R3 and tells the PC that its fastethernet0/0 is the MAC address of 10.1.1.3.
Conclusion: when there is a default gateway, the PC follows the default gateway. If there is no default gateway, the router uses the proxy ARP to complete communication.
So far everything seems so reasonable and smooth. This experiment is often used in some training courses.Actually, it's wrong!

 

Where is the problem? The problem is that we use a router to simulate a PC. No matter whether or not the routing function is disabled, it is never a PC. It processes data in a different way than a PC. If you are using a PC without a default gateway, what will happen if you ping a non-CIDR block address?
650) This. width = 650; "border =" 0 "src =" http://www.link-hope.com/zero/ARP6.bmp "style =" border: 0px; border-collapse: collapse; border-Spacing: 0px; List-style: none; margin: 0px 10px 0px; padding: 0px; Background: transparent; "alt =" arp6.bmp "/>
If no default gateway exists, ping a non-CIDR block address, and the target network is inaccessible, and packet loss occurs directly, so no ARP query is triggered.
When will the PC issue an ARP query? Ping a CIDR Block (you can capture packets to verify it ). This is actually the situation in the Cisco documentation:
650) This. width = 650; "border =" 0 "src =" http://www.link-hope.com/zero/ARP7.bmp "style =" border: 0px; border-collapse: collapse; border-Spacing: 0px; List-style: none; margin: 0px 10px 0px; padding: 0px; Background: transparent; "alt =" arp7.bmp "/>

 

See clearly, the IP address of the PC-A is/16, the IP address of the PC-D is/24, so when the PC-A to ping the PC-D, The PC-A that is ping the same network segment, the ARP request will be sent, and the ARP request will be sent to the vro. If the router has enabled the proxy ARP function, will replace the PC-D to respond to the PC-A, tell the PC-A router E0 port MAC address 00-00-0c-94-36-ab is the PC-D MAC address, complete the proxy ARP operation, protects MAC address privacy for PC-D.

 

I agree with this statement, which is reasonable. But there is a problem. Who will use this method to configure IP addresses? Well, there should be.
The Linux Private food from laruence is as follows:
"If the initial design of the network environment is the same C class network, for example, 192.168.10.0/24, later, because some factors have to move some hosts to the environment of the platform, for example, the pc2 ~ Pc4. Then, because of some factors, you cannot change to PC2 ~ The IP address of pc4, that is to say, is a bit as shown below :"
650) This. width = 650; "border =" 0 "src =" http://www.link-hope.com/zero/arp_proxy.bmp "style =" border: 0px; border-collapse: collapse; border-Spacing: 0px; List-style: none; margin: 0px 10px 0px; padding: 0px; Background: transparent; "alt =" arp_proxy.bmp "/>

 

Proxy ARP is a solution to this special situation, but it is reasonable to say that this situation is none. Since the probability of this situation is so low, why should we set the proxy ARP to start by default? Isn't this a waste of resources? There are also security risks such as ARP spoofing. You can set the proxy ARP function to be disabled by default. Personal opinion. If you know the reason, please let us know.

 

3. Routing Interconnectivity is disabled for different network segments of a layer-3 switch.
Slack bears:
For a layer-3 Switch, F0/1 is set to the IP address of the gateway specified as the same network segment of the PC, F0/2 is specified as the IP address of another network segment, and the routing function of the switch is disabled. can ping F0/2 on the PC?

 

The answer to the broken bear:
I can experiment with dy,
The purpose of a PC is different from that of its own network segment. After the PC learns the MAC address of the gateway through ARP, it sends a ping request to the Gateway. The Ping request package is a three-tier package, the data packet format is target MAC (GATEWAY), source MAC (PC), Source IP (PC), and target IP (F0/2 IP) after receiving this packet, the gateway detects the head of the data frame and finds that it is for itself. Therefore, it unpacks the packet, removes the frame header, and then checks the IP address header. The Gateway finds that the destination IP address is not in the same network segment as itself, because the routing function is no longer available on Layer 3, the route table is not found. Normally, the route table is first searched. after the first data record is forwarded, the system will view the ARP table instead of the route table. Otherwise, the system will find the route table as soon as it receives a packet that is out of the network segment. What is the ARP table used? Therefore, the MAC address that has been resolved by this IP address is found through searching, because it is the IP address configured with the switch's own interface, of course, exists in the router arp. that is to say, the IP address of this target can be found without learning. after searching, the frame is reencapsulated. then return to PC,
For personal opinions, please testify if you have different opinions ......

 

I personally think it is very correct and thorough. However, I have some reserved opinions. "after the first data record is forwarded, I will view the ARP table instead of the route table. Otherwise, I will go to the route table as soon as I receive a packet that is not in the network segment, what is the ARP table used?"
Here I have corrected it. When the router receives the packet, it should first check the route table, and then check whether the next hop address ARP cache table has a MAC address. If yes, it will forward it.

 

I also want to add that a layer-3 Switch has only one MAC address. Therefore, the ARP cache table in the layer-3 switch shows the above problems:
650) This. width = 650; "border =" 0 "src =" http://www.link-hope.com/zero/ARP8.bmp "style =" border: 0px; border-collapse: collapse; border-Spacing: 0px; List-style: none; margin: 0px 10px 0px; padding: 0px; Background: transparent; "alt =" arp8.bmp "/>
The MAC addresses of F0/1 and F0/2 are the same.

 

The last question is: Can I ping port F0/2 on a layer-3 Switch with port F0/1 when the routing function is also disabled?

This article is from the carlwu blog, please be sure to keep this source http://carlwu.blog.51cto.com/2329717/1547766

IP addresses cannot be obtained from DHCP due to proxy-ARP