Level in-depth learning Mac IP ARP with common processing means

1. Mac definition

A Mac is called a hardware address, which is a unique identifier for a device in the network, which amounts to a bit. For example, my wireless mac:8c-a9-82-96-f7-66

The presentation form in the system is a combination of 6 groups of numbers made up of 16 binary. For example, the beginning of the 8C for 8__c to 2 binary digits for the 4x2=8 bit, 8x6=48 bit. Extended content: The address is the only one in the world, There is no duplicate MAC address, if there is a duplicate MAC address in the switching network, it is bound to have a loop, loop phenomenon will be caused by the time is not through or at all.

650) this.width=650; "src=" Http://s4.51cto.com/wyfs02/M01/78/8B/wKiom1Z_nUuS9gKGAACoIpe8HyI652.png "title=" 1.png " alt= "Wkiom1z_nuus9gkgaacoipe8hyi652.png"/>

2. PC Communication in LAN (IP and Mac)

There is a kind of thing in the world called Computer, computer has LOL,CF, haha. How great it is for you to play something called a game. So how does the PC communicate? The most basic is the existence of its own hardware, and then more is the Mac and IP for communication transmission.

Example : We have a switch, 2 PCs, how to make the two PCs communicate? So simple, PC with two addresses of the same network segment

LAP0:192.168.1.1/24 lap1:192.168.1.2/24

1> topology separate two PCs hang to the same switch VLAN1

650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M00/78/8B/wKiom1Z_pcXjU-kLAABeiwrb7To876.png "style=" float: none; "title=" 2.png "alt=" Wkiom1z_pcxju-klaabeiwrb7to876.png "/>

2>lap0 and Lap1 Ping each other

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/78/8B/wKiom1Z_pcbjTJ0lAADJUxElKkM081.png "style=" float: none; "title=" 3.png "alt=" Wkiom1z_pcbjtj0laadjuxelkkm081.png "/>

Why can 3>lap0 communicate with LAP1?

(1) Two lap in the same network segment (2) within the same VLAN (3) PC-side through the ARP protocol resolution to the relationship between IP and Mac. The Mac and IP mappings for LAP1 192.168.1.2 have been arp-a queried on lap0 so that they can communicate with each other. Then lap1 on the contrary will inevitably learn lap0 mac and IP address.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/78/8B/wKioL1Z_rAWjilmZAADLPD-CbPw533.png "title=" 3.png " alt= "Wkiol1z_rawjilmzaadlpd-cbpw533.png"/>

650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M01/78/8B/wKioL1Z_q1-jcPcAAADxaXdeXR4921.png "title=" 6.png " alt= "Wkiol1z_q1-jcpcaaadxaxdexr4921.png"/>

3. Introduction of ARP protocol

The above is very lively, now introduce the ARP, that is, a common but very important agreement. ARP English full name is: Address Resolution Protocol, addresses resolution Protocol, ARP provides dynamic mapping for IP and Mac, the process is completed automatically. When the PC makes a communication request, according to the Protocol, its destination address must be 48bit MAC address. Mac is not able to communicate directly with IP. Then we need our ARP protocol to do the corresponding conversion work. The following is an excerpt from TCP/IP Volume 1 for reference only

650) this.width=650; "src=" Http://s2.51cto.com/wyfs02/M02/78/8E/wKiom1Z_tReiz_6XAACaoaLZzC8272.png "title=" Arp.png "alt=" Wkiom1z_treiz_6xaacaoalzzc8272.png "/>

As above in the Ethernet environment:

1>lap0 to communicate with LAP1, you need to convert the 32-bit IP address to a 48-bit MAC address.

The 2>ARP protocol belongs to the broadcast network, and ARP broadcasts its request information to the network in broadcast form.

3>LAP1 receives the broadcast request, replies to Lap0 's own IP and MAC address. Both sides have established correspondence.

650) this.width=650; "src=" Http://s2.51cto.com/wyfs02/M02/78/8D/wKioL1Z_uPexfRg_AACS6MQgkRg263.png "title=" 123. PNG "alt=" Wkiol1z_upexfrg_aacs6mqgkrg263.png "/>

4, switch Mac correspondence relationship

In addition to the above ARP protocol, communication between PCs is based on a 2-layer switch to communicate. In addition, each port in the switch has a MAC address for itself. When Lap0 goes to ping Lap1, Lap0 's request frame arrives at the switch, records the MAC address, and forwards the request to LAP1. Such a back-and-forth request, the Mac corresponding table relationship is set up. The two-layer switch only records the Mac and port correspondence, generally 2-layer switch is only to do high-speed switching, of course, if there are special needs can also be based on the Mac to do a series of restrictions on the class, binding class operation.

Mac-to-port relationship:

650) this.width=650; "src=" Http://s1.51cto.com/wyfs02/M00/78/8F/wKioL1Z_upbgYgJhAABhlvncm8I981.png "title=" sw.png "alt=" Wkiol1z_upbgygjhaabhlvncm8i981.png "/>

5, the Gateway Mac, ARP information

The 1> is connected to a core on the access switch and joins the Gateway |192.168.1.254/24.

650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M02/78/93/wKiom1Z_vkmzqVthAAExnCx9cCI348.png "title=" Core-sw.png "alt=" Wkiom1z_vkmzqvthaaexncx9cci348.png "/>

2> let's start by analyzing:

1, first inter-switch interconnection between the ports to learn from each other port address

2, Lap0 and LAP1 Ping Request packet arrives gateway, core switch establishes MAC Address table (dynamic)

3, at the same time, set up the ARP table entry, because the gateway is the interface between different network segments communication

4. View the MAC Address table of the core and core switch.

The core learns to Lap0 with the Lap1 MAC address, and also learns the MAC address of the connected port to the access switch. Access switch MAC Address table: Mac learns from two PC Macs while learning the core switch onboard MAC address as well as the Interconnect port Address table. Such as:

Core switch Show Mad add

650) this.width=650; "src=" Http://s1.51cto.com/wyfs02/M02/78/93/wKioL1Z_xzaD2YUkAACfz6gflQw460.png "title=" Core-mac.png "alt=" Wkiol1z_xzad2yukaacfz6gflqw460.png "/>

Access switch Show Mac add

650) this.width=650; "src=" Http://s1.51cto.com/wyfs02/M00/78/95/wKiom1Z_yByAT41EAACNGzVngE8582.png "title=" Jieru-mac.png "alt=" Wkiom1z_ybyat41eaacngzvnge8582.png "/>

The core switch show ARP, which contains IP columns, time-outs, MAC addresses, and owning VLANs, is particularly helpful for our troubleshooting. H3C, Huawei's ARP information table and Cisco are actually similar, subtle differences, the general content will not be too much.

650) this.width=650; "src=" Http://s4.51cto.com/wyfs02/M00/78/95/wKiom1Z_ykbzCtsFAACCMTZ-vkQ774.png "title=" Showarp.png "alt=" Wkiom1z_ykbzctsfaaccmtz-vkq774.png "/>

6, practice of ARP spoofing problem processing

Ethernet environment, if DHCP gets the address then OK,DHCP snooping will be safe, there will not be too many problems. If it is static too IP, you will often encounter ARP attacks, ARP spoofing and other headache problems. In fact, when we understand his working mechanism, it is particularly easy to troubleshoot such problems.

I met the situation is relatively simple, a network segment under the server, Shitong. First of all, the network structure to exclude, after communication learned that the service is a single network card and no network card binding, the core do HSRP access dual upstream redundancy. First, the loop is excluded, the core spanning tree status is normal, the switch CPU utilization is normal, and the server is located on the Access switch Interconnect port broadcast packet and no burst packet, loop exclusion. Second, look at the ARP table entry under the server, discover the Server gateway ARP entry exception, MAC address is not the gateway's Mac.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/78/94/wKioL1Z_zf6iSx46AABltchtabQ657.png "title=" Cheat.png "alt=" Wkiol1z_zf6isx46aabltchtabq657.png "/>

This is ARP spoofing, that is, there is a virus in the PC, pretending that the gateway constantly send the broadcast packet said: I am the gateway, you have to forward the packet to me here. This can sometimes break the situation. And then we're going to pull out this poisoned machine.

1> gateway under Show Mac-add | In Mac to see which interconnect port it came from and find the access switch under that port

2> Find the station access switch, continue to find out which port the show Mac-add | In Mac

3> found the machine, broken network, anti-virus or heavy semi-system, and can enable 360 of ARP firewall, to avoid similar events.

But the main thing is to disinfect.

4> If you encounter an old 3COM switch like a silly hub, it needs to be manually ruled out.

Say so much, in fact, is the ARP deception solution is poison machine positioning.

7. Summary

1>mac definition function

2>arp is a protocol for Mac and IP conversion

3>mac address learning under the switch

ARP Information and related table entries under the 4> gateway

5> Practice Chapter, ARP spoofing troubleshooting

Small white, the blog if you want to understand a thorough need for more simulation and practice, deepen understanding, knowledge is nothing more than a from understanding to paste Tu to understand, a few times thoroughly understand to remember. Our basic knowledge is very, very important content!!!!!!!!

Big God, also please more advice!!

This article is from the "unrestrained" blog, please be sure to keep this source http://keep11.blog.51cto.com/1443840/1728862

Level in-depth learning Mac IP ARP with common processing means