mitm
Junior Member
Posts:
62
Joined:
Tue Feb 07, 2012 4:13 pm
Certs:
CCENT, CCNA

ARP Protocol

Tue Feb 07, 2012 4:56 pm

Hi....I have a question about ARP. Let's say you have a LAN network consisting of PC1, Switch1, and Router1. The ip address/subnet mask of PC1 is 10.1.1.10/24 and the gateway is 10.1.1.1. The ip address/subnet mask of Router1 is 10.1.1.1/24. So, PC1 and Router1 are in the same subnet. They are wired as follows:

PC1---------Switch1---------Router1

Then you connect PC2 to Switch1. The ip address/subnet mask of PC2 is 10.1.1.130/25. So, PC2 is in a different subnet than PC1/Router1. The arp caches of PC1, PC2, and Router1 are empty and the mac address table of Switch1 is empty as well.

If you issue a ping on PC1 to 10.1.1.130, what are the answers to the following questions:

1) Does PC1 use ARP to try to find the ethernet address of 10.1.1.130 (PC2)?
2) Does PC1 successfully learn the ethernet address of 10.1.1.130 (PC2)?
3) Does the subnet mask of the sender of the ARP request, PC1, play any role in 10.1.1.130 (PC2) sending an ARP reply?
4) Does the ping succeed?

According to my virtual network simulator, Cisco Packet Tracer, the answers are:

1) Yes
2) No
3) Yes
4) No

Cisco Packet Tracer says that PC2 sees the sender of the ARP request, PC1, in a different subnet so PC2 does not process the ARP request. But, according to my book, PC1 should have learned the ethernet address of PC2. Which is correct, Cisco Packet Tracer or my book?

Thanks

mellowd
CCIE #38070
Posts:
13814
Joined:
Wed Jun 18, 2008 7:49 am
Certs:
CCIE (RS,SP), JNCIE-SP, BC-/SPNE/NP

Re: ARP Protocol

Tue Feb 07, 2012 5:19 pm

1) Yes
2) No
3) No
4) No

With 3, the subnet mask of PC2 plays a role in PC2 sending a reply, not PC1. PC2 receives a broadcast, looks at the source IP address of that broadcast. Notices that 10.1.1.1 is not in the same subnet as R2 and hence should ignore it.

I say should, as real life behaviour could be slightly different. I'm not 100% sure if PC2 would respond to a broadcast from a source on a different subnet, although it could. Whether it does or not, a ping should NOT work.

Proxy arp (enabled by default) on the router could also play havoc with this scenario...

shapeshifter
Member
Posts:
133
Joined:
Sat Mar 26, 2011 10:42 pm

Re: ARP Protocol

Tue Feb 07, 2012 5:23 pm

Interesting question... I'm going to guess PC2 sees it, but would not respond to the ARP request as it comes from (what it considers to be) a different subnet.

The ARP message says "who has 10.1.1.130, tell 10.1.1.10". PC2 would see this as it would be a broadcast, but for PC2 to get back to PC1 it needs to route via its default gateway.

So:

1) Yes
2) No
3) No.. PC1 believes it's in its local subnet but PC2 has a mask that doesn't agree with that. PC2 is going to try and send packets to 10.1.1.10 via 10.1.1.1.
4) No

jdsilva
Post Whore
Posts:
5347
Joined:
Mon Jan 17, 2005 11:01 pm
Certs:
CCNP

Re: ARP Protocol

Tue Feb 07, 2012 5:24 pm

mellowd wrote:1) With 3, the subnet mask of PC2 plays a role in PC2 sending a reply, not PC1. PC2 receives a broadcast, looks at the source IP address of that broadcast. Notices that 10.1.1.1 is not in the same subnet as R2 and hence should ignore it.

I don't think that's right because there isn't a source IP address in an ARP frame. ARP only has a source and destination MAC address (Ethernet header) and then there's the payload.

I would think that it would respond... But I've never tested it.

[Attachment: arp.PNG]

mitm

Re: ARP Protocol

Tue Feb 07, 2012 6:19 pm

mellowd wrote:1) Yes
2) No
3) No
4) No

With 3, the subnet mask of PC2 plays a role in PC2 sending a reply, not PC1. PC2 receives a broadcast, looks at the source IP address of that broadcast. Notices that 10.1.1.1 is not in the same subnet as R2 and hence should ignore it.

I say should, as real life behaviour could be slightly different. I'm not 100% sure if PC2 would respond to a broadcast from a source on a different subnet, although it could. Whether it does or not, a ping should NOT work.

Proxy arp (enabled by default) on the router could also play havoc with this scenario...



Yeah......that does make more sense. PC2 sees that 10.1.1.1 is not in its own subnet. So, I guess that is why PC2 dropped the ARP request. Plus, when I looked at the ARP request packet in Cisco Packet Tracer there was no subnet mask anywhere. I was wondering how PC2 determined that PC1 was in a different subnet without the subnet mask.....but it didn't actually need it because PC1's ip address alone is not in the range of ip addresses of its own subnet.

So, Cisco Packet Tracer is right and I think the book either has a typo or the answer is worded funny.

'If PC1 issued a ping 10.1.1.130 command, PC1 would use ARP to learn PC2’s MAC address.'

I took this statement to mean that PC1 learned PC2's MAC address via ARP. I guess it means that PC1 used ARP to try to learn PC2's MAC address.

Thanks.....

mitm

Re: ARP Protocol

Tue Feb 07, 2012 6:31 pm

Infinite wrote:
mellowd wrote:1) With 3, the subnet mask of PC2 plays a role in PC2 sending a reply, not PC1. PC2 receives a broadcast, looks at the source IP address of that broadcast. Notices that 10.1.1.1 is not in the same subnet as R2 and hence should ignore it.

I don't think that's right because there isn't a source IP address in an ARP frame. ARP only has a source and destination MAC address (Ethernet header) and then there's the payload.

I would think that it would respond... But I've never tested it.

arp.PNG


Hey Infinite,

Isn't the source IP address listed under 'Address Resolution Protocol' as 'Sender IP address'? But, the packet doesn't show a subnet mask. So I'm confident that ARP packets do not include a subnet mask. Thanks for the attachment..... Is that WireShark?

jdsilva

Re: ARP Protocol

Tue Feb 07, 2012 6:38 pm

mitm wrote:Isn't the source IP address listed under 'Address Resolution Protocol' as 'Sender IP address'? But, the packet doesn't show a subnet mask. So I'm confident that ARP packets do not include a subnet mask. Thanks for the attachment..... Is that WireShark?

I'm making a distinction here. An ARP frame does not have an IP header, and therefore there isn't a "source IP" in that sense. ARP however does include the IP of the sender as a field in the ARP request. It's a subtle difference, but important.

Yes, an ARP frame absolutely does not include a subnet mask.

It is wireshark. I had it running today troubleshooting a problem. It was easy to grab a random ARP request out of it. :)
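
An added example, not part of the original thread: a Python sketch that builds and parses the ARP request from the scenario above, showing which fields the frame carries (a sender IP inside the ARP payload, no IP header, no subnet mask), and runs the on-link comparison each host makes with its own mask. The MAC address and the function names are constructed for illustration.

```python
import ipaddress
import struct

# RFC 826 payload for IPv4 over Ethernet: htype, ptype, hlen, plen, oper,
# sender MAC, sender IP, target MAC, target IP. 28 bytes, no mask field.
ARP_FMT = "!HHBBH6s4s6s4s"
PC1_MAC = bytes.fromhex("020000000010")  # constructed sample MAC for PC1


def build_arp_request(sender_mac, sender_ip, target_ip):
    """Return a broadcast Ethernet II frame carrying an ARP request."""
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", 0x0806)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1,
                      sender_mac, ipaddress.IPv4Address(sender_ip).packed,
                      b"\x00" * 6, ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def parse_arp(frame):
    """Decode the Ethernet header and ARP payload; reject anything else."""
    if len(frame) < 14 + struct.calcsize(ARP_FMT):
        raise ValueError("truncated frame")
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        raise ValueError("EtherType is not ARP")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(
        ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    return {
        "eth_src": src.hex(":"),
        "opcode": oper,                      # 1 = request, 2 = reply
        "sender_mac": sha.hex(":"),
        "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_ip": str(ipaddress.IPv4Address(tpa)),
    }


def on_link(own_ip, own_prefix, other_ip):
    """True if other_ip falls inside the subnet implied by the host's own mask."""
    net = ipaddress.ip_interface(f"{own_ip}/{own_prefix}").network
    return ipaddress.ip_address(other_ip) in net


if __name__ == "__main__":
    req = parse_arp(build_arp_request(PC1_MAC, "10.1.1.10", "10.1.1.130"))
    print(req)
    # PC1 (/24) treats PC2 as local, so it sends the ARP request.
    print("PC1 sees PC2 on-link:", on_link("10.1.1.10", 24, "10.1.1.130"))
    # PC2 (/25) applies its own mask to the sender IP field in the payload.
    print("PC2 sees PC1 on-link:", on_link("10.1.1.130", 25, req["sender_ip"]))
```
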

mitm

Re: ARP Protocol

Tue Feb 14, 2012 2:27 pm

Hey Infinite,

Do you have access to Cisco Routers? If so.....could you make a reply to this forum topic with an attachment showing the tcp and/or udp ports in an acl in the 30's range using the '?'. You know....like what you did with the WireShark attachment. The command is something like

Router(config)#access-list 110 permit tcp any any eq ?

I'd like to see the ports in the 30's range on a real Cisco router.

Thanks....

ristau5741
Post Whore
Posts:
10202
Joined:
Tue Aug 21, 2007 2:15 pm
Certs:
Instanity

Re: ARP Protocol

Tue Feb 14, 2012 2:39 pm

ARP protocol is redundantly redundant

should be referred to as the AR protocol or
just simply ARP.

calling it the Address Resolution Protocol protocol is silly.
Tips of the day:
- The human mind is the ultimate creation invention.
- I have so many customers, my customers have customers.
- Sausage time
- POP, stack, and store

jdsilva

Re: ARP Protocol

Tue Feb 14, 2012 2:42 pm

Not really on topic...

lamia(config)#access-list 110 permit tcp any any eq ?
  <0-65535>    Port number
  bgp          Border Gateway Protocol (179)
  chargen      Character generator (19)
  cmd          Remote commands (rcmd, 514)
  daytime      Daytime (13)
  discard      Discard (9)
  domain       Domain Name Service (53)
  drip         Dynamic Routing Information Protocol (3949)
  echo         Echo (7)
  exec         Exec (rsh, 512)
  finger       Finger (79)
  ftp          File Transfer Protocol (21)
  ftp-data     FTP data connections (20)
  gopher       Gopher (70)
  hostname     NIC hostname server (101)
  ident        Ident Protocol (113)
  irc          Internet Relay Chat (194)
  klogin       Kerberos login (543)
  kshell       Kerberos shell (544)
  login        Login (rlogin, 513)
  lpd          Printer service (515)
  nntp         Network News Transport Protocol (119)
  pim-auto-rp  PIM Auto-RP (496)
  pop2         Post Office Protocol v2 (109)
  pop3         Post Office Protocol v3 (110)
  smtp         Simple Mail Transport Protocol (25)
  sunrpc       Sun Remote Procedure Call (111)
  tacacs       TAC Access Control System (49)
  talk         Talk (517)
  telnet       Telnet (23)
  time         Time (37)
  uucp         Unix-to-Unix Copy Program (540)
  whois        Nicname (43)
  www          World Wide Web (HTTP, 80)

lamia(config)#access-list 110 permit tcp any any eq

mitm

Re: ARP Protocol

Tue Feb 14, 2012 3:08 pm

Hey Infinite,

I know it's not on topic.....but I figured you had the equipment to do it. Anyway....these are all the ports (well-known ports) on a Cisco Router. I'm looking for port 35 for a print server. Is it a UDP port? So how do you configure an acl to control access to a print server? Is it:

Router(config)#access-list 110 deny tcp address-of-denied-computer address-print-server eq 35

Is the print server the IP address of the computer that is attached to the printer? If so....my desktop computer has a printer attached to it which it shares with other computers on the network. If I try to do a print job from my laptop, can I use WireShark on the desktop to capture packets which would show port 35?

Thanks.....




__________________________________________

Update:

Well, I tried printing from my laptop to the printer connected to the desktop and, according to WireShark, the port on the desktop was TCP port 445 (Microsoft-DS SMB file sharing).

So, I still don't know what port to use to control access to a print server using an acl.......
