How to: Use ARP commands to bind IP addresses and MAC addresses

Source: ISA Chinese site

ISA Server does not provide MAC address control function, why? This is because the MAC address can only be used in the local network. When a packet crosses the router, the source MAC address of the host in the packet will be replaced by the MAC address of the router's outbound interface, in this case, MAC address control is not applicable. Therefore, enterprise-level hardware or software firewalls do not provide MAC address control functions.

However, Microsoft has long considered this. In Windows, if you have installed the TCP/IP network protocol component, You can execute the command arp. The ARP command is used to view the local ARP cache, statically bound IP addresses and MAC addresses, and delete static bindings. In fact, the intention of binding IP addresses and MAC addresses is to reduce ARP broadcast traffic, but this function can be used to control the use of IP addresses.

Here, I will briefly describe how ARP works in windows. Address Resolve Protocol (ARP) works on the Layer 2-data link layer of TCP/IP protocol, which is used to convert IP addresses into hardware addresses of network interfaces (Media Access Control addresses, MAC address ). Communication of any high-level protocol will eventually be converted into communication of the hardware address at the data link layer. Each host has an ARP cache list for caching MAC addresses. You can use the ARP-A or ARP-G command to view the current ARP cache list. The ARP cache list is dynamically updated. By default, when the cache entry exceedsTwo minutesWhen there is no activity, this cache item will be deleted timeout. You can use ARP-s to statically bind IP addresses and MAC addresses. However, in Windows systems before Windows Server 2003 and XP, even if you set static MAC Address binding items, the bound items will also be updated by receiving data packets from other hosts. In Windows Server 2003 and XP, static binding items are not dynamically updated until the TCP/IP protocol is terminated, for example, restarting the computer. If you want to create a permanent static MAC Address binding item, you can write a script file to execute ARP static binding, and then use the scheduled task to execute this script when starting the computer.

For example, if host a's IP address is 192.168.0.1 and needs to communicate with host B whose IP address is 192.168.0.8, perform the following actions:

1. Host a queries its own ARP cache list. If it finds a MAC address entry corresponding to the destination IP address 192.168.0.8, it constructs and sends an Ethernet packet using this MAC address entry, if no corresponding MAC address is found, proceed to the next step;

2. Host a sends an ARP resolution request broadcast. The target MAC address is FF: FF. The request IP address is 192.168.0.8 and the host replies to the MAC address;

3. After receiving the ARP resolution request broadcast, host B replies to host a with an ARP response packet, which includes its own IP address and MAC address;

4. After receiving the ARP reply from host B, A puts the MAC address of host B into its own ARP cache list, and then uses the MAC address of host B as the destination MAC address, host B's IP address (192.168.0.8) serves as the destination IP address to construct and send Ethernet packets;

5. If host a still sends data packets to 192.168.0.8, host a uses this MAC address to send data packets directly because the IP address 192.168.0.8 already exists in the ARP cache list, instead of sending ARP resolution request broadcasts. When the cached address item is not active for more than two minutes (unused), the ARP cache will be deleted after timeout.

By default, the ARP cache timeout period is two minutes. You can modify it in the registry. Two key values that can be modified are located

HKEY_LOCAL_MACHINE/system/CurrentControlSet/services/TCPIP/parameters

Modified key value:

Key value 1: arpcachelife; Type: DWORD; Unit: Second; default value: 120

Key Value 2: arpcacheminreferencedlife; Type: DWORD; Unit: seconds; default value: 600

Note: These key values do not exist by default. If you want to modify them, you must create them by yourself. The modification takes effect after you restart the computer.

If the value of arpcachelife is greater than that of arpcacheminreferencedlife, set the ARP cache timeout value to the value of arpcachelife. If the value of arpcachelife does not exist or is smaller than that of arpcacheminreferencedlife, for unused ARP caches, the timeout value is set to 120 seconds. For ARP caches in use, the timeout value is set to the value of arpcacheminreferencedlife.

 

 

The TCP/IP Settings of each computer are as follows. This test does not involve DNS resolution. The DNS servers of each server are set to null. Before the test, the network connection has been confirmed to work properly:

ISA 2004 Firewall:

LAN interface:

• IP: 192.168.0.1/24

• DG: None

• Mac: 00: 03: 47: F4: FC: E7

　

True (offline ):

• IP: 192.168.0.8/24

• DG: 192.168.0.1

• Mac: 00: 0d: 60: C3: 05: 34

　

Fake (change the IP address to 192.168.0.8 ):

• IP: 192.168.0.8/24

• DG: 192.168.0.1

• Mac: 00: 06: D0: 06: 05: 47

　

　

First, I use ARP-S on the ISA Server to bind a true IP address and a MAC address. Run the following command:

ARP-s 192.168.0.8 00-0d-60-c3-05-34

Run ARP-a to view the ARP cache list. The result is shown in. You can see that the IP address 192.168.0.8 type in the ARP cache list is static, which indicates that it is a static item. In this case, the binding on the ISA Server is successful.

 

 

 

Now we are at the clientFake, Change your IP address to 192.168.0.8, and ping the ISA Server:

C:/Documents and Settings/admin> ipconfig/all

Windows IP configuration

Host Name ......: Anonymous
Primary DNS suffix .......:
Node Type ......: Unknown
IP routing enabled...: No
Wins proxy enabled...: No

Ethernet Adapter local connection:

Connection-specific DNS suffix .:
Description ......: Intel (r) Pro/100 ve network connection
Physical address ......: 00-06-d0-06-05-47
DHCP enabled...
IP address ......: 192.168.0.8
Subnet Mask ......: 255.255.255.0
Default Gateway...: 192.168.0.1
DNS servers ......: 192.168.0.1

C:/Documents and Settings/admin> Ping 192.168.0.1-N 2

Pinging 192.168.0.1 with 32 bytes of data:

Request timed out.
Request timed out.

Ping statistics for 192.168.0.1:
Packets: Sent = 2, received = 0, lost = 2 (100% loss ),

　

Ping timeout, why? The data packets captured from sniffer can be described more clearly:

Is the captured data packet, which describesFake(192.168.0.8) ping the whole process of 192.168.0.1:

 

1. BecauseFake(00: 06: D0: 06: 05: 47) There is no MAC address for 192.168.0.1, soFakeSend an ARP Address Resolution request broadcast and ask what the MAC address of 192.168.0.1 is;
2. ISA Server (00: 03: 47: F4: FC: E7) replies with ARPFake(00: 06: D0: 06: 05: 47), tellFakeYour own IP address (192.168.0.1) and MAC address;
3. After obtaining the MAC address of 192.168.0.1,Fake(192.168.0.8) Send the ping request packet to 192.168.0.1;
4. 192.168.0.1 replies Ping reply packet to 192.168.0.8;
5. Fake(192.168.0.8) Send the ping request packet to 192.168.0.1 again;
6. 192.168.0.1 replies Ping reply packet to 192.168.0.8 again;

It seems that there is no problem? Why?FakePing will time out?

All of this indicates that there is no problem, but you will find the problem by carefully looking at the captured packet's Ethernet header:

First, let's look at the third packet,Fake(192.168.0.8) Ping request sent to 192.168.0.1, as shown in,FakeThere is no problem with sending data packets at the source MAC address and the MAC address of 192.168.0.1 (00: 03: 47: F4: FC: E7.

 

So let's take a look at the ping reply packet from the fourth ISA Server. The source MAC address is the MAC address of the ISA Server (00: 03: 47: F4: FC: E7 ), this is fine, but check the target MAC address,00: 0d: 60: C3: 05: 34 is the true MAC address of the offline client.. Do you still remember to bind the IP address (192.168.0.8) on the ISA Server to the MAC address? ISA server sends data directly using static binding items in its ARP cache, instead of using the source MAC address in the received Ping request packet as the destination address. Therefore, fake considers that the packet is not sent to itself and will not process the packet. Therefore, fake considers that the packet is timed out if no ping is returned.

Finally, we do not recommend binding static IP addresses to MAC addresses, which brings more management load. You can use the powerful authentication function of ISA Server and IP address management to achieve better results. Please do not ask me in the forum how to use ARP commands. Windows is the best teacher.

Original address: http://www.isacn.org/info/info.php? Sessid = & infoid = 264