IEOC CCIE Forums

IEOC - INE's Online Community
Latest post 12-29-2016 9:12 PM by Martinl. 15 replies.
  • 11-16-2016 7:49 PM

    tshoot 2

    Hi everyone on IEOC,

    I made this lab to test something about proxy ARP and I need help.

    R1(config)#no ip routing

    I made R1 an end host to test proxy ARP on R2 and R3, and I changed the MAC addresses of R2 and R3 to make my question easier to follow.

    Proxy ARP is on by default on R2 and R3.

    R1#show arp
    Protocol  Address      Age (min)  Hardware Addr   Type  Interface
    Internet  10.1.1.1             -  aabb.cc00.0130  ARPA  Ethernet0/3

    Right now R1 only stores the MAC of its own interface E0/3.

    R1#ping 192.168.1.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/202/1007 ms

    When I ping 192.168.1.1, what happens is that R1 stores the MAC of R2 only in its own ARP cache:

    R1#show arp
    Protocol  Address      Age (min)  Hardware Addr   Type  Interface
    Internet  10.1.1.1             -  aabb.cc00.0130  ARPA  Ethernet0/3
    Internet  192.168.1.1         21  0000.0000.0002  ARPA  Ethernet0/3

    Why? And why doesn't R1 use the MAC of R3 as well?

    Look at the Wireshark results (the red boxes in the screenshots):

    In the first picture R3 replies with its proxy ARP for 192.168.1.1 and its MAC 0000.0000.0003.

    But look at the second picture: you'll notice that R2 with MAC 0000.0000.0002 replies as well, but with another notification in its own reply, in yellow (red box), that there is a duplicate.

    How does R2 know there is a duplicate in this situation? The ARP message from R1 reached R2 and R3 at the same time, so how does R2 know there is a duplicate IP address?

    Why doesn't R3 also send an ARP reply with a duplicate address for this ARP message?

    Why does R1 use the info from R2 only, not the info from R3, or both?

    • Post Points: 65
  • 11-27-2016 9:18 AM In reply to

    Re: tshoot 2

    Please, anyone, reply to me!!!!!!! [:'(]

    • Post Points: 20
  • 12-13-2016 2:40 PM In reply to

    Re: tshoot 2

    The TCP/IP book has a sample topology and explains Proxy ARP very well. Check it out.

    I don't think proxy ARP is being used widely, is it?

    • Post Points: 5
  • 12-13-2016 4:54 PM In reply to

    • JoeM
    • Top 10 Contributor
    • Joined on 04-15-2012
    • Guadalajara, Mexico
    • Elite
    • Points 31,005

    Re: tshoot 2

    major133:

    please anyone reply me!!!!!!![:'(]

    Hi Muhamed,

    I have mentioned this to you a few times. Giving better subject headings will get better results. Something like "Proxy ARP and MAC Addresses". "tshoot 2" doesn't say anything about the subject. ;-)

    You always ask good questions. I will look at your puzzle later this evening.

    • Post Points: 5
  • 12-14-2016 12:02 AM In reply to

    • JoeM
    • Top 10 Contributor
    • Joined on 04-15-2012
    • Guadalajara, Mexico
    • Elite
    • Points 31,005

    Re: tshoot 2

    SUBJECT: DUPLICATE IP ADDRESS DETECTION vs ARP CACHE

    major133:
    why r1 using info for r2 only ? not using info from r3 ?or not using both info r2 and r3 ?

    I do not believe there is a preference for which MAC address wins the final ARP entry. It is a crapshoot as to which one will win, and this would result in flapping between R2 and R3 and more errors. My guess is that it is the last ARP response that was populated.

    Looking at your packet captures, I see this:

    1. Which ARP response arrives last at R1? = accepted MAC address for R1

    2. R3 responded before R2, and R2 detected this, and it sends out its warning message.

    Try clearing your ARP cache, and see what happens if you can get R3's ARP response to arrive last.

    Also try labbing HSRP, and notice what happens if one side is brought down. There is a gratuitous ARP that aims to update the MAC address on all other hosts on the local subnet. This is an easy way to see the virtual HSRP MAC address change from one device to the other.

    • Post Points: 20
  • 12-14-2016 1:36 AM In reply to

    Re: tshoot 2

    Hello my friend JoeM,

    How are you? I hope you're in good health, you and all your family.

    I am sorry about the subject headline, but I forget it every time.

    JoeM:

    2.  R3 responded before R2, and R2 detected this, and it sends out it's warning message.

    How?

    • Post Points: 20
  • 12-14-2016 12:18 PM In reply to

    • JoeM
    • Top 10 Contributor
    • Joined on 04-15-2012
    • Guadalajara, Mexico
    • Elite
    • Points 31,005

    Re: tshoot 2

    The order in which the ARP replies are sent/received is random luck. If you play with this enough, you can reverse your result to use the other router. But it will require clearing the ARP cache on each of the routers.

    Take a look at your packets. The warning that we see for Address Conflict Detection (ACD) points to the conflicting MAC address in frame 9, where it saw the conflict. Take a look at the previous frame and note that it is frame 9. The reason for the warning is that a conflict was seen.

                     " - also in use by 00:00:00:00:00:03 (frame 9)"

    Another test you may like to do is simply make the LAN-facing addresses the same on R2 (e0/0) and R3 (e0/1). It will be necessary to constantly clear your ARP caches and shut/no shut interfaces. When you bring the LAN interfaces back up, notice the different ARP messages.

    The RFC seems to have been created mostly to answer DHCP issues. For new DHCP addresses, a device will ARP for the address (checking) using a source of 0.0.0.0. But the whole idea of ACD is still needed for misconfigured networks, as in your example.

    RFC 5227 is for IPv4 Address Conflict Detection:

              2.4.  Ongoing Address Conflict Detection and Address Defense

    • Post Points: 20
  • 12-16-2016 4:37 PM In reply to

    Re: tshoot 2

    WoW, you can always count on JoeM. Good job, JoeM!!!

    • Post Points: 20
  • 12-16-2016 5:25 PM In reply to

    • JoeM
    • Top 10 Contributor
    • Joined on 04-15-2012
    • Guadalajara, Mexico
    • Elite
    • Points 31,005

    Re: tshoot 2

    haha Thanks Martin. I guess that means I got the answer correct.

    • Post Points: 5
  • 12-18-2016 8:38 AM In reply to

    Re: tshoot 2

    major133:

    how r2 know there`re duplicate into this situation? arp msg from r1 reached to r2 and r3 at sametime , so how r2 know there`re duplicate ip address?

    why r3 also don`t send arp reply with duplicate address into this arp msg?

    why r1 using info for r2 only ? not using info from r3 ?or not using both info r2 and r3 ?

    I think looking at your Wireshark trace has caused some confusion. The duplicate address detection information is not actually in the captured ARP reply; it's actually generated by Wireshark. Any fields shown within square brackets are supplementary information derived from the trace. In this case it's showing that you have the same IP address mapping to different MAC addresses, which may or may not be desired behavior.

    • Post Points: 20
  • 12-19-2016 11:17 AM In reply to

    • JoeM
    • Top 10 Contributor
    • Joined on 04-15-2012
    • Guadalajara, Mexico
    • Elite
    • Points 31,005

    Re: tshoot 2

    Hi Welshy, it is good to see you on the forum. Hope your studies are going well.

    Thanks for clearing this up. Yes, I fell into the trap, and ended up studying DHCP Address Conflict Detection. ;-) What I see in Wireshark underneath the warning message is "Expert Info", meaning Wireshark input.

    Wireshark output:

    [Duplicate IP address detected for 10.10.10.10 (ca:11:ea:18:00:00) - also in use by ca:10:e7:94:00:00 (frame 15)]
        [Frame showing earlier use of IP address: 15]
            [Expert Info (Warning/Sequence): Duplicate IP address configured (10.10.10.10)]
                [Duplicate IP address configured (10.10.10.10)]
                [Severity level: Warning]
                [Group: Sequence]
        [Seconds since earlier frame seen: 0]

    The second part of Muhamed's question is why R1 decides to choose one over the other. I cannot think of a time when there would be more than one MAC address per IP address. This would defeat the purpose of ARP resolution.

    This is why HSRP depends on gratuitous ARP to update the ARP cache of all devices on the network. Without the ARP mechanism, it would be necessary for the ARP entry to time out (or be cleared), and then another ARP request would be sent. Or use a technology that does gratuitous ARP for the given address (i.e. HSRP or other).

    • Post Points: 20
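    The two points made in the last replies, that the duplicate-address warning is produced by Wireshark's analysis rather than carried in the ARP reply, and that R1 simply keeps whichever reply arrives last, can be reproduced in a few lines. This is an added example, not code from the thread or from Wireshark: the capture lines, frame numbers and timestamps are constructed to mirror R1's lab, and the detection rule (warn when an IP's sender MAC differs from the one last seen for it) is a simplified model of Wireshark's expert info, not its real implementation.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class ArpReply:
    frame: int        # capture frame number
    ts: float         # seconds since start of capture
    sender_ip: str
    sender_mac: str

_IS_AT = re.compile(r"(\d+\.\d+\.\d+\.\d+) is at ([0-9a-f:]{17})", re.I)

def parse_summary(frame: int, ts: float, line: str) -> ArpReply:
    """Parse a tshark-style ARP reply summary ('... 1.2.3.4 is at aa:bb:...')."""
    m = _IS_AT.search(line)
    if not m:
        raise ValueError(f"not an ARP reply summary: {line!r}")
    return ArpReply(frame, ts, m.group(1), m.group(2).lower())

def detect_conflicts(replies: List[ArpReply]) -> Tuple[List[str], Dict[str, str]]:
    """Walk replies in capture order and return (warnings, host_cache).
    warnings mimic Wireshark's expert info (analyser's view: IP last seen
    with a different MAC); host_cache is the host's view, last reply wins."""
    last_seen: Dict[str, ArpReply] = {}
    host_cache: Dict[str, str] = {}
    warnings: List[str] = []
    for r in replies:
        prev = last_seen.get(r.sender_ip)
        if prev is not None and prev.sender_mac != r.sender_mac:
            warnings.append(
                f"frame {r.frame}: Duplicate IP address detected for {r.sender_ip} "
                f"({r.sender_mac}) - also in use by {prev.sender_mac} "
                f"(frame {prev.frame}); seconds since earlier frame: {r.ts - prev.ts:.0f}")
        last_seen[r.sender_ip] = r          # analyser remembers the latest mapping
        host_cache[r.sender_ip] = r.sender_mac  # host overwrites: last reply wins
    return warnings, host_cache

# Constructed capture mirroring the thread: R3 (MAC ending :03) answers R1's
# request first in frame 9, then R2 (MAC ending :02) answers in frame 10.
# Frame numbers and timestamps are made up for the example.
SAMPLE_LINES = [
    (9, 0.001, "00:00:00:00:00:03  aa:bb:cc:00:01:30 ARP  192.168.1.1 is at 00:00:00:00:00:03"),
    (10, 0.002, "00:00:00:00:00:02  aa:bb:cc:00:01:30 ARP  192.168.1.1 is at 00:00:00:00:00:02"),
]

def run_sample() -> Tuple[List[str], Dict[str, str]]:
    return detect_conflicts([parse_summary(f, t, l) for f, t, l in SAMPLE_LINES])
```

    Running run_sample() yields one warning on frame 10 pointing back at frame 9, while the host-side cache ends with 192.168.1.1 mapped to the :02 MAC, exactly the split between Wireshark's view and R1's ARP table that the thread describes.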
  • 12-20-2016 1:51 AM In reply to

    Re: tshoot 2

    JoeM:
    I cannot think of a time when there would be more than one mac-address per ip address.

    The only reason I can think of is for load balancing; however, this would require only one ARP response to be sent out and would only work for locally connected hosts. GLBP does this.

    In terms of study, I have paused for the moment, due to work and family commitments. The trouble is that it is very hard to get started again!

    • Post Points: 20
  • 12-20-2016 1:25 PM In reply to

    • JoeM
    • Top 10 Contributor
    • Joined on 04-15-2012
    • Guadalajara, Mexico
    • Elite
    • Points 31,005

    Re: tshoot 2

    Welshy, if you are looking to study with someone, I am working on my re-written, and I am reviewing everything again.

    I do not think that a client will maintain more than one MAC address per IP address (although one MAC can have multiple IP addresses).

    Below is a test that I just did with GLBP (good practice for the written :-)

    GLBP uses a different virtual MAC address per forwarder. The interesting thing I see is that there is no gratuitous ARP (update) during a failover. Both GLBP forwarders will respond to the same virtual MAC addresses..... with their real MAC address.

    Lab testing GLBP:

    FastEthernet0/0 - Group 1
      State is Standby
        12 state changes, last state change 00:00:11
      Virtual IP address is 123.0.0.10
      Hello time 5 sec, hold time 15 sec
        Next hello sent in 3.296 secs
      Redirect time 600 sec, forwarder time-out 14400 sec
      Preemption disabled
      Active is 123.0.0.2, priority 200 (expires in 16.544 sec)
      Standby is local
      Priority 100 (default)
      Weighting 100 (default 100), thresholds: lower 1, upper 100
      Load balancing: round-robin
      Group members:
        cccc.0000.0002 (123.0.0.2)
        cccc.0000.0003 (123.0.0.3) local

      There are 2 forwarders (2 active)
      Forwarder 1
        State is Active
          1 state change, last state change 00:32:15
        MAC address is 0007.b400.0101 (default)
        Owner ID is cccc.0000.0003

        Preemption enabled, min delay 30 sec
        Active is local, weighting 100
        Arp replies sent: 2
      Forwarder 2
        State is Active
          5 state changes, last state change 00:03:56
        MAC address is 0007.b400.0102 (learnt)
        Owner ID is cccc.0000.0002

        Time to live: 14399.968 sec (maximum 14400 sec)
        Preemption enabled, min delay 30 sec
        Active is local, weighting 100
        Arp replies sent: 1

    R1#sh ip arp
    Protocol  Address   Age (min)  Hardware Addr   Type   Interface
    Internet  123.0.0.1        -   cccc.0000.0001  ARPA   FastEthernet0/0
    Internet  123.0.0.2        0   cccc.0000.0002  ARPA   FastEthernet0/0  GLBP active
    Internet  123.0.0.3        0   cccc.0000.0003  ARPA   FastEthernet0/0  GLBP speak (standby)

    R1#ping 123.0.0.10
    .!!!!

    R1#sh ip arp
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    Internet  123.0.0.1               -   cccc.0000.0001  ARPA   FastEthernet0/0
    Internet  123.0.0.2               1   cccc.0000.0002  ARPA   FastEthernet0/0
    Internet  123.0.0.3               0   cccc.0000.0003  ARPA   FastEthernet0/0
    Internet  123.0.0.10              0   0007.b400.0102  ARPA   FastEthernet0/0

    NOW I shut the interface down on R2.
    FAILOVER to R3 (note that the MAC address does not change):

    R1#ping 123.0.0.10
    !!!!!

    echo request from R1
    Ethernet II, Src: cc:cc:00:00:00:01 (cc:cc:00:00:00:01), Dst: CiscoInc_00:01:02 (00:07:b4:00:01:02)

    echo reply from R3
    Ethernet II, Src: cc:cc:00:00:00:03 (cc:cc:00:00:00:03), Dst: cc:cc:00:00:00:01 (cc:cc:00:00:00:01)

    R1#sh ip arp
    <snip>
    Internet  123.0.0.10              6   0007.b400.0102  ARPA   FastEthernet0/0

    R1#clear ip arp 123.0.0.10

    R1 ARP REQUEST
    cc:cc:00:00:00:01    CiscoInc_00:01:02 ARP  Who has 123.0.0.10? Tell 123.0.0.1
    R3 ARP REPLY
    cc:cc:00:00:00:03    cc:cc:00:00:00:01 ARP  123.0.0.10 is at 00:07:b4:00:01:01

    R1#sh ip arp
    <snip>
    Internet  123.0.0.10              0   0007.b400.0101  ARPA   FastEthernet0/0

    NOW I fail back to R2 (again both forwarders will respond to the same virtual MAC, no change):

    R2(config-if)#no shut
    R3(config-if)#shut

    R1#ping 123.0.0.10
    .!!!!
    R1#sh ip arp
    <snip>
    Internet  123.0.0.10              9   0007.b400.0101  ARPA   FastEthernet0/0

    • Post Points: 5
  • 12-27-2016 3:39 PM In reply to

    Re: tshoot 2

    The Switch Foundation book for the switch exam 642-813 has also mentioned proxy ARP; it says "back when PC hosts did not have the option to configure a default gateway, Proxy ARP was used".

    • Post Points: 20
  • 12-27-2016 3:53 PM In reply to

    • JoeM
    • Top 10 Contributor
    • Joined on 04-15-2012
    • Guadalajara, Mexico
    • Elite
    • Points 31,005

    Re: tshoot 2

    Yes. It is interesting that Cisco has proxy ARP on by default. Juniper has it disabled.

    • Post Points: 20