Shulou(Shulou.com)06/01 Report--

Address Resolution Protocol (Address Resolution Protocol,ARP) is a protocol that determines the physical address of a host when only its IP address is known. Because of the wide application of IPv4 and Ethernet, its main function is to obtain the corresponding physical address by knowing the IP address. But it can also be used in ATM (Asynchronous transfer Mode) and FDDIIP (Fiber Distributed Data Interface Optical distributed data Interface) networks. There are two ways to map from IP addresses to physical addresses: tabular and non-tabular. ARP specifically parses the address of the network layer (IP layer, which is equivalent to the third layer of OSI) to the MAC address of the data link layer (MAC layer, that is, the second layer of OSI).

At the network layer

Arp address resolution work process through the packet destination ip address-"if there is something in the cache to find the destination mac address for encapsulation, if it does not exist, it will send a broadcast to find it, for example:

In TCP/IP protocol, A sends IP packet to B. the IP of B needs to be filled in as the destination address in the header. But when the IP packet is transmitted over Ethernet, it needs to be encapsulated by an Ethernet packet. In this Ethernet packet, the destination address is the MAC address of B. How does computer A know the MAC address of B? The key to solving the problem lies in the ARP protocol.

When A does not know the MAC address of B, A broadcasts an ARP request packet filled with B's IP (192.168.1.2). All computers in Ethernet will receive the request, but normally only B will give the ARP reply packet, and the packet will be filled with B's MAC address and reply to A. After A gets the ARP reply, put the MAC address of B in the local cache for the next time. The native MAC cache has a lifetime, and when the lifetime ends, the above process will be repeated again.

The ARP protocol does not receive an ARP reply only when an ARP request is sent. When the computer receives the ARP reply packet, it updates the local ARP cache and stores the IP and MAC addresses in the reply in the ARP cache. Therefore, when a machine B in the local area network sends a forged ARP reply to A, and if the reply is forged by B pretending to be C, that is, the IP address is IP with C, and the MAC address is forged, then when A receives the fake ARP reply from B, it will update the local ARP cache, so that in A's opinion, C's IP address has not changed, but its MAC address is no longer the original one. Because the network circulation of the local area network is not carried out according to the IP address, but according to the MAC address. Therefore, the fake MAC address is changed to a non-existent MAC address on A, which will cause the network to be blocked and A can't Ping C! This is a simple ARP deception.

Arp can bind ip address and mac address, using the following commands:

Arp static ip address mac address

Advantages: avoid broadcasting

Safety

RARP (inverse ARP) is often used on diskless workstations to obtain its logical IP address.

Rarp own mac-"own ip

Port isolation

In order to achieve layer 2 isolation between messages, different ports can be added to different VLAN, but limited VLAN resources will be wasted. By using the port isolation feature, the isolation between ports in the same VLAN can be realized. Users only need to add ports to the isolation group to achieve layer 2 data isolation between ports in the isolation group. The port isolation function provides users with a more secure and flexible networking solution.

At present, some devices support only one isolation group (hereinafter referred to as a single isolation group). Isolation group 1 is automatically created by the system, and users cannot delete the isolation group or create other isolation groups. Some devices support multiple isolation groups (hereinafter referred to as multiple isolation groups), which can be configured manually. The number of isolation groups supported by different devices is different. Please refer to the actual situation of the device. There is no limit to the number of ports that can be added to the isolation group. The port isolation feature is independent of the VLAN to which the port belongs. For ports belonging to different VLAN, only the layer 2 messages from the ordinary port to the uplink port of the same isolation group can pass through one way, and the layer 2 data of the port in other cases are isolated from each other. Implementation of port isolation technology on H3C switch system-view enters system view interface interface-type interface-number enters Ethernet port view port isolate adds Ethernet port to isolation group Port isolation technology is very strong and easy to use on H3C switch, the above three commands can realize the isolation between the corresponding ports.

Switch H3C

1. One isolation group on the second floor

Port isolation:

Int Port ID

Port isolate

In this case, as long as neither of the isolated ports can communicate, there are limitations.

2. Multiple isolation groups at layer 3 [am]

Port isolation:

Am enable (start am function)

Int Port ID

The port to be quarantined by am isolate. Isolate from the specified port (there is no need to configure port isolation on the specified port)

Port + ip binding:

Am enable

Int Port ID

Am ip-pool ip address (you can write a specified ip, or you can specify a range followed by a number)

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.