From: Tim Fletcher (tim@fletchmail.net)
Date: Thu Dec 12 2002 - 19:42:50 GMT-3
On Thu, 12 Dec 2002, Robert Slaski wrote:
> Tim Fletcher wrote:
> > Your solution will not disable dynamic ARP.
>
> Of course, it will, watch 'no arp arpa'.
>
Sorry, I missed that line. My mistake. But I still maintain that it won't
work, see below.
> > It will only allow 1 MAC
> > address in the switch table, but that's not the same as the ARP cache.
> > So a device on that port with the correct MAC address could still respond
> > to an ARP request with a different IP address (or even send gratuitous
> > ARPs).
>
> > There are 2 problems with the ARP solution. The 1st is that it would only
> > affect traffic originated by or L3 switched by the switch. Any layer 2
> > traffic does not use the ARP cache.
>
> That's what I have replied to Adam. This will work only when we cross
> the routing process from another VLAN or we're pinging from the switch
> itself. It won't work in the same VLAN, that's what I have written
> earlier. As we cannot use access-lists, there are only two solutions:
> ARP method and vlan-maps method.
>
> > The second is that it just wouldn't work. Let's use your example below to
> > illustrate. Let's put a device on fa0/1 with a MAC address of
> > AAAA.BBBB.CCCC and an IP address of 10.10.10.11, and try to ping it. Since
> > we don't have any entry in the ARP cache for 10.10.10.11 (actually we
> > probably would because of gratuitous ARPs), we do an ARP request. The
> > 10.10.10.11 would respond with its MAC address, which would be entered in
> > our ARP cache, and the ping would be successful.
>
> When any kind of ARP is disabled (by default only ARPA is enabled and
> we've just disabled this only one with 'no arp arpa') no ARP requests
> will be sent and no ARP responses (even unsolicited, spoofed or
> gratuitous) will be put in the ARP cache. All this occurs per interface
> (fa0/1 in this case).
>
I would have to disagree with this. Turning off ARP only prevents ARP
requests. Try the following examples in the lab.
Example 1, gratuitous ARP:
R1 config:
interface Ethernet0
ip address 10.10.10.10 255.255.255.0
no arp arpa
R2 config:
interface Ethernet0
ip address 10.10.10.11 255.255.255.0
R1#debug arp
R1#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.10.10.10 - 0000.0c09.c6f2 ARPA Ethernet0
Trigger a gratuitous ARP
R2#clear arp
R1 debug output:
1w4d: IP ARP: sent rep src 10.10.10.10 0000.0c09.c6f2, dst 10.10.10.10 ffff.ffff.ffff Ethernet0
1w4d: IP ARP: rcvd req src 10.10.10.11 0000.0c0a.526a, dst 10.10.10.10 Ethernet0
1w4d: IP ARP: creating entry for IP address: 10.10.10.11, hw: 0000.0c0a.526a
1w4d: IP ARP: sent rep src 10.10.10.10 0000.0c09.c6f2, dst 10.10.10.11 0000.0c0a.526a Ethernet0
1w4d: IP ARP: rcvd rep src 10.10.10.11 0000.0c0a.526a, dst 10.10.10.11 Ethernet0
R1#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.10.10.10 - 0000.0c09.c6f2 ARPA Ethernet0
Internet 10.10.10.11 0 0000.0c0a.526a ARPA Ethernet0
Example 2, incoming traffic:
R1#clear arp
R1#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.10.10.10 - 0000.0c09.c6f2 ARPA Ethernet0
R2#ping 10.10.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/4/4 ms
R1 debug output
1w4d: IP ARP: rcvd req src 10.10.10.11 0000.0c0a.526a, dst 10.10.10.10 Ethernet0
1w4d: IP ARP: creating entry for IP address: 10.10.10.11, hw: 0000.0c0a.526a
1w4d: IP ARP: sent rep src 10.10.10.10 0000.0c09.c6f2, dst 10.10.10.11 0000.0c0a.526a Ethernet0
R1#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.10.10.10 - 0000.0c09.c6f2 ARPA Ethernet0
Internet 10.10.10.11 1 0000.0c0a.526a ARPA Ethernet0
> > Remember that we can only have one MAC address per IP address in the ARP
> > cache, but multiple IP addresses can point to the same MAC address.
> >
>
> That's why I have proposed ARP method to prevent this.
>
> mikrobi,
.
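The lab output above shows the security-relevant behaviour the thread argues over: a received ARP request or reply from a host on the same segment creates a cache entry for that host's IP/MAC pair, and nothing stops one MAC from claiming several IPs or a second MAC from taking over an IP that is already cached. The following script is an added example, not code from either poster. It parses the `rcvd req`/`rcvd rep` shapes of IOS `debug arp` lines exactly as they appear in the thread (the regex is written for those lines only; other IOS versions print differently), replays them through a simplified cache model (one MAC per IP, any received ARP learns the sender's mapping, which is what the two lab runs show) and flags gratuitous ARPs, MAC changes for a known IP, and one MAC claiming multiple IPs. The lines with 10.10.10.12 and the MAC dead.beef.0001 are constructed to show a spoof and do not appear in the original lab output.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Matches the two received-ARP line shapes shown in the thread, e.g.
#   1w4d: IP ARP: rcvd req src 10.10.10.11 0000.0c0a.526a, dst 10.10.10.10 Ethernet0
#   1w4d: IP ARP: rcvd rep src 10.10.10.11 0000.0c0a.526a, dst 10.10.10.11 Ethernet0
# 'sent rep' and 'creating entry' lines are deliberately ignored: only what
# arrives on the wire can be spoofed by a neighbour.
RCVD_RE = re.compile(
    r"IP ARP: rcvd (?P<kind>req|rep) "
    r"src (?P<sip>\d+\.\d+\.\d+\.\d+) (?P<smac>[0-9a-f]{4}(?:\.[0-9a-f]{4}){2}), "
    r"dst (?P<tip>\d+\.\d+\.\d+\.\d+) (?P<intf>\S+)"
)


@dataclass
class ArpEvent:
    kind: str        # "req" or "rep"
    sender_ip: str
    sender_mac: str
    target_ip: str
    intf: str


@dataclass
class ArpCache:
    # ip -> mac; the cache holds one MAC per IP but any number of IPs per MAC
    table: Dict[str, str] = field(default_factory=dict)
    alerts: List[Tuple] = field(default_factory=list)

    def learn(self, ev: ArpEvent) -> None:
        # A sender announcing its own address (request or reply with src == dst)
        # is a gratuitous ARP; it is learned like any other.
        if ev.sender_ip == ev.target_ip:
            self.alerts.append(("gratuitous", ev.sender_ip, ev.sender_mac))
        old = self.table.get(ev.sender_ip)
        if old is not None and old != ev.sender_mac:
            # Someone else now claims an IP we already had cached: takeover.
            self.alerts.append(("mac-change", ev.sender_ip, old, ev.sender_mac))
        self.table[ev.sender_ip] = ev.sender_mac
        claimed = tuple(sorted(ip for ip, mac in self.table.items()
                               if mac == ev.sender_mac))
        if len(claimed) > 1:
            # One station answering for several IPs is the impersonation the
            # thread says a port-security MAC limit cannot prevent.
            self.alerts.append(("multi-ip", ev.sender_mac, claimed))


def parse_line(line: str) -> Optional[ArpEvent]:
    """Return an ArpEvent for a received-ARP debug line, else None."""
    m = RCVD_RE.search(line)
    if not m:
        return None
    return ArpEvent(m["kind"], m["sip"], m["smac"], m["tip"], m["intf"])


def replay(debug_text: str) -> ArpCache:
    """Feed every received-ARP line of a 'debug arp' capture into the cache model."""
    cache = ArpCache()
    for line in debug_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            cache.learn(ev)
    return cache


# Constructed sample: the first four lines are the ones from the thread's lab,
# the last two are invented to show a host claiming a second IP and a second
# host taking over 10.10.10.11.
SAMPLE_DEBUG = """\
1w4d: IP ARP: rcvd req src 10.10.10.11 0000.0c0a.526a, dst 10.10.10.10 Ethernet0
1w4d: IP ARP: creating entry for IP address: 10.10.10.11, hw: 0000.0c0a.526a
1w4d: IP ARP: sent rep src 10.10.10.10 0000.0c09.c6f2, dst 10.10.10.11 0000.0c0a.526a Ethernet0
1w4d: IP ARP: rcvd rep src 10.10.10.11 0000.0c0a.526a, dst 10.10.10.11 Ethernet0
1w4d: IP ARP: rcvd req src 10.10.10.12 0000.0c0a.526a, dst 10.10.10.12 Ethernet0
1w4d: IP ARP: rcvd rep src 10.10.10.11 dead.beef.0001, dst 10.10.10.10 Ethernet0
"""

if __name__ == "__main__":
    c = replay(SAMPLE_DEBUG)
    for ip, mac in sorted(c.table.items()):
        print(f"{ip:16} {mac}")
    for a in c.alerts:
        print("ALERT", a)
```

Run against a real `debug arp` capture (or a `show arp` diff taken at intervals) this gives you the inventory a `no arp arpa` interface still ends up with, which is the point of the two lab examples: disabling dynamic ARP on the router stops it from asking, not from listening.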
This archive was generated by hypermail 2.1.4 : Fri Jan 17 2003 - 17:21:44 GMT-3