Hi....I have a question about ARP. Let's say you have a LAN network consisting of PC1, Switch1, and Router1. The ip address/subnet mask of PC1 is 10.1.1.10/24 and the gateway is 10.1.1.1. The ip address/subnet mask of Router1 is 10.1.1.1/24. So, PC1 and Router1 are in the same subnet. They are wired as follows:

PC1---------Switch1---------Router1

Then you connect PC2 to Switch1. The ip address/subnet mask of PC2 is 10.1.1.130/25. So, PC2 is in a different subnet than PC1/Router1. The arp caches of PC1, PC2, and Router1 are empty and the mac address table of Switch1 is empty as well.

If you issue a ping on PC1 to 10.1.1.130, what are the answers to the following questions:

1) Does PC1 use ARP to try to find the ethernet address of 10.1.1.130 (PC2)?
2) Does PC1 successfully learn the ethernet address of 10.1.1.130 (PC2)?
3) Does the subnet mask of the sender of the ARP request, PC1, play any role in 10.1.1.130 (PC2) sending an ARP reply?
4) Does the ping succeed?

According to my virtual network simulator, Cisco Packet Tracer, the answers are:

1) Yes
2) No
3) Yes
4) No

Cisco Packet Tracer says that PC2 sees the sender of the ARP request, PC1, in a different subnet so PC2 does not process the ARP request. But, according to my book, PC1 should have learned the ethernet address of PC2. Which is correct, Cisco Packet Tracer or my book?

Thanks

1) Yes
2) No
3) No
4) No

With 3, the subnet mask of PC2 plays a role in PC2 sending a reply, not PC1. PC2 receives a broadcast, looks at the source IP address of that broadcast. Notices that 10.1.1.1 is not in the same subnet as R2 and hence should ignore it.

I say should, as real life behaviour could be slightly different. I'm not 100% sure if PC2 would respond to a broadcast from a source on a different subnet, although it could. Whether it does or not, a ping should NOT work.

Proxy arp (enabled by default) on the router could also play havoc with this scenario...

_________________
www.mellowd.co.uk/ccie/

Interesting question... I'm going to guess PC2 see's it, but would not respond to the ARP request as it comes from (what it considers to be) a different subnet.

The ARP message says "who has 10.1.1.130, tell 10.1.1.10". PC2 would see this as it would be a broadcast, but for PC2 to get back to PC1 it needs to route via it's default gateway.

So:

1) Yes
2) No
3) No.. PC1 believes it's in it's local subnet but PC2 has a mask that doesn't agree with that. PC2 is going to try and send packets to 10.1.1.10 via 10.1.1.1.
4) No

I don't think that's right because there isn't a source IP address in an ARP frame. ARP only has a source and destination MAC address (Ethernet header) and then there's the payload.

I would think that it would respond... But I've never tested it.

_________________
blog.brokennetwork.ca

Yeah......that does make more sense. PC2 sees that 10.1.1.1 is not in its own subnet. So, I guess that is why PC2 dropped the ARP request. Plus, when I looked at the ARP request packet in Cisco Packet Tracer there was no subnet mask anywhere. I was wondering how PC2 determined that PC1 was in a different subnet without the subnet mask.....but it didn't actually need it because PC1's ip address alone is not in the range of ip addresses of its own subnet.

So, Cisco Packet Tracer is right and I think the book either has a typo or the answer is worded funny.

'If PC1 issued a ping 10.1.1.130 command, PC1 would use ARP to learn PC2’s MAC address.'

I took this statement to mean that PC1 learned PC2's MAC address via ARP. I guess it means that PC1 used ARP to try to learn PC2's MAC address.

Thanks.....

Hey Infinite,

Isn't the source IP address listed under 'Address Resolution Protocol' as 'Sender IP address'? But, the packet doesn't show a subnet mask. So I'm confident that ARP packets do not include a subnet mask. Thanks for the attachment..... Is that WireShark?

I'm making a distinction here. An ARP frame does not have an IP header, and therefore there isn't a "source IP" in that sense. ARP however does include the IP of the the sender as a field in the ARP request. It's a subtle difference, but important.

Yes, an ARP frame absolutely does not include a subnet mask.

It is wireshark. I had it running today troubleshooting a problem. It was easy to grab a random ARP request out of it.

_________________
blog.brokennetwork.ca

Hey Infinite,

Do you have access to Cisco Routers? If so.....could you make a reply to this forum topic with an attachment showing the tcp and/or udp ports in an acl in the 30's range using the '?'. You know....like what you did with the WireShark attachment. The command is something like

Router(config)#access-list 110 permit tcp any any eq ?

I'd like to see the ports in the 30's range on a real Cisco router.

Thanks....

ARP protocol is redundantly redundant

should be referred to as the AR protocol or
just simply ARP.

calling it the Address Resolution Protocol protocol is silly.

_________________
"If you're good at anticipating the human mind. It leaves nothing to chance."
-Jigsaw

Not really on topic...

_________________
blog.brokennetwork.ca

Hey Infinite,

I know it's not on topic.....but I figured you had the equipment to do it. Anyway....these are all the ports (well-known ports) on a Cisco Router. I'm looking for port 35 for a print server. Is it a UDP port? So how do you configure an acl to control access to a print server? Is it:

Router(config)#access-list 110 deny tcp address-of-denied-computer address-print-server eq 35

Is the print server the IP address of the computer that is attached to the printer? If so....my desktop computer has a printer attached to it which it shares with other computers on the network. If I try to do a print job from my laptop, can I use WireShark on the desktop to capture packets which would show port 35?

Thanks.....




__________________________________________

Update:

Well, I tried printing from my laptop to the printer connected to the desktop and, according to WireShark, the port on the desktop was TCP port 445 (Microsoft-DS SMB file sharing).

So, I still don't know what port to use to control access to a print server using an acl.......