Shulou(Shulou.com)05/31 Report--

Today, I will talk to you about how to deeply study the ARP protocol. Many people may not know much about it. In order to make you understand better, the editor has summarized the following contents for you. I hope you can get something according to this article.

1. MAC definition

The MAC, called the hardware address, is the unique identifier of the device in the network, totaling 48 bit. For example, my wireless MAC:8C-A9-82-96-F7-66

The presentation form in the system is a combination of six sets of numbers composed of hexadecimal numbers. For example, the 8C of the first bit is 8C and the binary bit is changed to 4X2=8 bit and 8X6=48 bit. Expanded content: this address is unique in the world, and there is no duplicate MAC address. If there is a duplicate MAC address in the switching network, there must be a loop, and the loop phenomenon will cause the time pass to be blocked or not at all.

2. PC communication in local area network (IP and MAC)

There is a kind of thing called computer in the world. There is LOL,CF on the computer, . The IT world is so great that you can play something called a game. So how do PC communicate with each other? The most basic is the existence of its own hardware, followed by more communication and transmission between MAC and IP.

For example: we have one switch and two PC. How do we get these two PC to communicate? Then it's very simple. PC has two addresses of the same network segment.

Lap0: 192.168.1.1/24 lap1:192.168.1.2/24

1 > Topology two separate PC are attached to the same switch VLAN1

2 > lap0 and lap1 ping each other

3 > Why can lap0 communicate with lap1?

(1) two lap in the same network segment, (2) in the same VLAN, (3) the PC side resolves the relationship between IP and MAC through ARP protocol. The mapping between MAC and IP of lap1 192.168.1.2 has been queried by arp-an on lap0, so they can communicate with each other. Then on the contrary, it is necessary to learn the MAC and IP address of lap0 on lap1.

3. Introduction of ARP protocol

What is said above is very lively. Now I would like to introduce ARP, a common but very important protocol. ARP English full name is: Address resolution protocol, address resolution protocol, ARP provides dynamic mapping for IP and MAC, the process is completed automatically. When PC makes a communication request, according to the protocol, its destination address must be the MAC address of 48bit. MAC cannot communicate directly with IP. Then we need our ARP protocol to do the corresponding conversion work. The following excerpt from TCP/IP Volume 1 is for reference only

In the Ethernet environment as above:

1 > lap0 to communicate with lap1, you need to convert a 32-bit IP address to a 48-bit MAC address.

2 > ARP protocol belongs to broadcast network, and ARP broadcasts its own request information to the network in the form of broadcast.

3 > after receiving the broadcast request, lap1 replies to the IP and MAC addresses of lap0 itself. Both sides have established a corresponding relationship.

4. MAC correspondence of the switch

In addition to the above ARP protocol, the communication between PC relies on layer 2 switches for communication. In addition, each port of the switch has an MAC address. When lap0 goes to ping lap1, the request frame of lap0 will make a record when it arrives at the switch, record the MAC address, and then forward the request to lap1. Such a back-and-forth request establishes the MAC corresponding table relationship. Layer 2 switch only records the corresponding relationship between MAC and port. In general, layer 2 switch only does high-speed switching. Of course, if there is a special need, you can also do a series of operations of restriction class and binding class according to MAC.

The correspondence between MAC and port:

5. MAC and ARP information under the gateway

1 > connect a core to the access switch and join the gateway | 192.168.1.254Universe 24.

2 > Let's analyze it first:

1. First of all, the switches are interconnected, and the ports learn the port addresses from each other.

2. Lap0 and lap1 ping request packets arrive at the gateway, and the core switch establishes the MAC address table (dynamic)

3. At the same time, set up the ARP entry, because the gateway is the interface for communication between different network segments

4. Check the MAC address table of the core and core switch.

The core learns the lap0 and lap1 MAC addresses, as well as the MAC addresses of the interconnected ports of the access switch. Access switch MAC address table: MAC learns the MAC of the two PC, as well as the on-board MAC address of the core switch and the interconnection port address table. As shown below:

Core switch show mad add

Access switch show mac add

The core switch show arp, which contains IP column, timeout, MAC address, and VLAN, is particularly helpful for us to troubleshoot errors. H3C, Huawei's ARP information table and Cisco's are actually more or less the same, slightly different, the general content will not be much different.

6. Dealing with the problem of ARP deception in practice

Ethernet environment, if the address is obtained by DHCP, then OK,dhcp snooping will be a gatekeeper in security, there will not be too many problems. If it is Jing too IP, you will often encounter headaches such as ARP*** and ARP deception. In fact, when we understand his working mechanism, it will be very easy to troubleshoot such problems.

The situation I encountered was relatively simple. The server under a certain network segment could not be connected from time to time. First of all, the network structure is excluded, and after communication, we know that the service single network card is not bound by the network card, and the core does HSRP access double uplink redundancy. First of all, exclude the loop, check the normal state of the core spanning tree, normal CPU utilization of the switch, broadcast packets with no burst of large traffic in the interconnection port of the access switch where the server is located, and exclude the loop. Secondly, look at the ARP entry under the server and find that the ARP entry of the server gateway is abnormal and the MAC address is not the MAC of the gateway.

This is ARP deception, that is, there is a virus in PC, pretending to be a gateway and constantly sending broadcast packets saying: I am the gateway, you forward all the packets to me. In this way, there will be intermittent communication. Next, we're going to find this poisoned machine.

1 > show mac-add under the gateway | in mac to see which interconnection port it comes from and find the access switch under that port.

2 > find the access switch and continue to find the specific port show mac-add | in mac

3 > find the machine, cut off the network, kill virus or re-half the system, and enable the ARP firewall of 360to avoid similar events.

But the most important thing is antivirus.

4 > if you encounter an old 3COM switch like silly HUB, you need to eliminate it manually.

Say so much, in fact, it is ARP deception solution is the location of the poisoning machine.

After reading the above, do you have any further understanding of how to learn more about ARP protocol? If you want to know more knowledge or related content, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.