Shulou(Shulou.com)06/01 Report--

When I was reading some technical documents, I suddenly thought of proxy arp. I didn't pay attention to it before, so I took advantage of today to learn it.

First of all, there is the topology diagram: here I use the simulator to draw ~ ~ the experiment done with the real machine (CISCO 1921)

The explanation of most people and websites on the Internet for proxy ARP: when PC does not have a default gateway, if PC wants to communicate with clients of different network segments, then you need to know the destination mac address and how to obtain it, of course, through ARP, but what if the destination address and the local address do not belong to the same network segment? This is where the problem arises. Many people think that PC will send ARP broadcasts at this time, and then the router interface will respond with its own interface mac if the interface of the router is enabled with proxy arp (enabled with no ip arp proxy and shut down globally with Ip arp proxy disable), but this is not the case. The reality is that PC does not send any ARP messages. See the picture below

As you can see, PCA does not send any ARP and ICMP messages, because if the destination network segment is different from its own network segment, and PC does not set a default gateway, PC will directly discard it, which has nothing to do with whether or not to enable ARP proxy.

The ARP agent is open at this time

Here, I would like to ask the great god, what is this Local Proxy ARP for? it can never be displayed as enable. Ask for the guidance of the great gods.

You can see that even though PCA uses the ping command, the router does not get any arp entries for PCA and PCB.

At this point, it should be clear that the ARP agent does not act as a default gateway as it is said on the Internet, so how on earth do you use this thing?

Next we use another topology, as shown in the figure:

Yes, it is such a strange topology that the PC mask on the left side of the router is different from the G0Unipedia 0 of the router, but the same on the right side.

Close the ARP agent first

You can turn it off globally by using ip arp proxy disable.

And grab the bag. Remember that the gateways of An and B are not set at this time.

Check the arp entry of PCA first.

As mentioned before, PCA does not generate any messages, so of course there will not be any other ARP entries.

At this time, the router is still an ARP entry with only its own two interfaces.

So what happens when we use PCA ping PCB next?

Why does PCA have no gateway here, but send an ARP request?

Because!

The network number of PCA is 172.16.0.0. (the ip address and mask are operated with), and the address of PCB is 172.16.2.2. PCA calculates its mask with the PC address and finds that it belongs to the same network segment as the destination address (even if the network segment of PCB is 172.16.2.0). That's why the ARP request occurs, but because the router turns off the ARP agent, it doesn't respond to PCA's ARP request. So there is only arp request but no arp reply in the image above. So the ARP entry of the PCA and the ARP entry of the router will not change at this time. Of course, PCA added a few strange ARP items, and I didn't find out what it was for.

If the router gets the mac address of PCB at this time, will the router inform PCA of the mac of PCB under the premise of shutting down the ARP agent?

Quite simply, we use the G0can1 interface address of the PCB ping router. Although PCB does not have a default gateway, it can ping because they belong to the same network segment, and the router can learn the mac address of PCB.

Use PCA ping PCB again, and then observe the ARP entry for PCA. There is still no change, because after the ARP request of An arrives at the router, the router will de-encapsulate from the first layer of the OSI model, and when unencapsulated to the second layer, because the destination mac is broadcast, the router will directly discard the broadcast packet, so even if the router has the MAC address of B, it will not give An ARP Reply.

Even if all devices have other MAC address table entries (using static binding), they cannot be connected, because when unicast packets are unpacked, to the second layer, if the destination MAC is not the router's own interface address, the router will directly discard it.

The next step is to turn on the ARP proxy. Use no ip arp proxy (which looks strange).

When the ARP agent is turned on, PCA can learn the MAC address of PCB, and it is the mac address of router G0Univer 0.

Using the ping command, the Icmp echo request message can successfully reach PCB. This is the conclusion drawn from the use of Wireshark to grab packages on PCB. I won't take a screenshot. It's too much trouble.

However, after PCB receives the message, when creating the ICMP echo reply message, because the destination address does not belong to the same network segment and is not a broadcast address, and the default gateway is not set, the return packet of ping is discarded directly, so it is impossible for PCA to obtain reply, as shown in the figure:

At this point, I have a question. I sincerely consult Daniel here.

I statically bound the ARP PCA'S ip- "G0DB 1's mac in PCB. In my opinion, when creating a reply message, encapsulating it from top to bottom, and encapsulating it to the data link layer, the destination mac address is the mac address of G0Univer 1. Should reply, why PCB discarded directly instead of replying!

If you want PCA to be able to ping PCB, specify a default gateway on PCB.

After the default gateway is specified, AB can communicate normally in both directions. See the above section for the principle.

By now, we should have basically explained the function and role of acting ARP, which is actually very chicken.

One more thing, by the way. Specifying the default gateway is completely different from the arp table entry that uses the ARP proxy PC.

Use ARP proxy: there will be corresponding ip and mac of different network segments as shown in the figure.

However, there is only one correspondence when using the default gateway. The corresponding relationship between the gateway and the gateway mac is shown in the figure.

Finally, when I wrote this, I did some things on Baidu, some of which are similar to those of Brother Wolf, but I tested some details. @ Brother Wolf his blog address is bbs.51cto.com/thread-651652-1.html.

I hope the master can dispel my previous doubts, thank you.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.