Configuring Proxy ARP in eNSP

ARP principle

ARP is a protocol used to map an IP address to the correct MAC address.

ARP entries come in two types: static and dynamic. Dynamic ARP uses ARP broadcast messages to resolve IP addresses to Ethernet MAC addresses automatically, without any manual network configuration. Static ARP is a fixed mapping between an IP address and a MAC address; it cannot be adjusted dynamically on the host or router and has to be added manually.

Every computer and network device keeps an ARP cache table that stores the mapping between IP addresses and MAC addresses. The table is refreshed with ARP request and reply messages, and its entries are used to encapsulate layer-3 packets into layer-2 frames quickly and forward them correctly. Proxy ARP is an extended application of ARP.

Proxy ARP

Proxy ARP (also called ARP proxy) works as follows: when a host sends an ARP request to resolve the hardware address of another host that is on the same layer-3 logical network but not on the same physical segment, the device connecting the two segments can answer the request if it has the proxy ARP function enabled, so that hosts on different physical segments can communicate normally.

Proxy ARP experimental network topology

This configuration is not commonly used in production networks and usually serves as a temporary solution.

Generally speaking, when an IP network grows too large, the impact of broadcasts on the network grows with it. Without changing the configuration of the existing devices, the administrator can transparently insert a router into the network; the router splits it into multiple broadcast domains, which reduces the impact of broadcasts and is a feasible temporary solution. The disadvantage is that communication between hosts incurs extra delay because of the added router, which also becomes a bottleneck.

In the topology, when host 1 communicates with host 2, it first has to obtain the MAC address of the peer from its IP address, so it sends an ARP request. The ARP request is a broadcast, and every host on the 192.168.1.0 segment receives it.
If host 1 and host 2 are on different networks, however, the ARP request stops at G0/0/0 of the router: by default a router does not forward broadcast packets.
To solve this problem, enable the ARP proxy on the router. With the ARP proxy enabled, the router looks up its routing table after receiving the ARP request; if it has a route to host 2, it replies to host 1 with the MAC address of its G0/0/0 interface. Host 1 receives this ARP reply from the router and forwards its data with the MAC address of the router's G0/0/0 interface as the destination MAC.
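The decision the router makes in the paragraph above, modelled in code. This is an added example, not part of the original post and not Huawei's implementation: the interface names follow the AR1 configuration below, while the MAC addresses and the behaviour of `handle_arp_request` are constructed. It assumes that host 1 really sends an ARP request for 192.168.2.2, which only happens if the host's own configuration treats that address as on-link (a mask wider than /24, or no default gateway); the post does not state the hosts' masks.

```python
# Added example (not from the original post): a minimal model of the decision a
# router makes when an ARP request arrives on an interface with proxy ARP enabled.
# Interface names mirror AR1 from the post; MAC addresses are constructed values.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    address: str            # IP with prefix length, e.g. "192.168.1.1/24"
    mac: str                # constructed MAC in Huawei xxxx-xxxx-xxxx notation
    arp_proxy: bool = False


@dataclass
class Router:
    interfaces: dict
    # Routing table as {network: outgoing interface}; connected routes are
    # derived from the interface addresses, as a real router would do.
    routes: dict = field(default_factory=dict)

    def __post_init__(self):
        for intf in self.interfaces.values():
            net = ipaddress.ip_interface(intf.address).network
            self.routes.setdefault(str(net), intf.name)

    def lookup(self, ip):
        """Longest-prefix match; returns the outgoing interface name or None."""
        target = ipaddress.ip_address(ip)
        best = None
        for net, out in self.routes.items():
            network = ipaddress.ip_network(net)
            if target in network and (best is None or network.prefixlen > best[0]):
                best = (network.prefixlen, out)
        return best[1] if best else None

    def handle_arp_request(self, ingress, target_ip):
        """Return the MAC the router puts in its ARP reply, or None if it stays silent."""
        intf = self.interfaces[ingress]
        own = ipaddress.ip_interface(intf.address)
        target = ipaddress.ip_address(target_ip)
        if target == own.ip:
            return intf.mac          # ordinary ARP for the router's own address
        if not intf.arp_proxy:
            return None              # broadcast stops at the router, as in the post
        if target in own.network:
            return None              # target is on this segment: let the real host answer
        out = self.lookup(target_ip)
        if out is None or out == ingress:
            return None              # no usable route: nothing to proxy for
        return intf.mac              # proxy reply: host 1 will send frames to this MAC


def build_ar1(arp_proxy=True):
    """AR1 from the post, with proxy ARP on both interfaces (constructed MACs)."""
    g0 = Interface("GigabitEthernet0/0/0", "192.168.1.1/24", "00e0-fc11-0001", arp_proxy)
    g1 = Interface("GigabitEthernet0/0/1", "192.168.2.1/24", "00e0-fc11-0002", arp_proxy)
    return Router({g0.name: g0, g1.name: g1})


if __name__ == "__main__":
    ar1 = build_ar1()
    # host 1 asks for host 2: answered with the G0/0/0 MAC
    print(ar1.handle_arp_request("GigabitEthernet0/0/0", "192.168.2.2"))
    # same segment: the router stays silent
    print(ar1.handle_arp_request("GigabitEthernet0/0/0", "192.168.1.2"))
    # proxy ARP disabled: the request dies at the router
    print(build_ar1(False).handle_arp_request("GigabitEthernet0/0/0", "192.168.2.2"))
```

The model also shows why a proxy-ARP router is a single point of delay: every frame between the two segments is addressed to the router's own MAC and must be routed, which is the bottleneck the post mentions.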

Client1 (Host 1): 192.168.1.2

Client2 (host 2) is configured in the same way, with IP address 192.168.2.2.

AR1 configuration

<Huawei>system-view 
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname AR1
[AR1]int GigabitEthernet 0/0/0
[AR1-GigabitEthernet0/0/0]ip address 192.168.1.1 24
[AR1-GigabitEthernet0/0/0]arp-proxy enable //enable ARP proxy
[AR1-GigabitEthernet0/0/0]quit
[AR1]int GigabitEthernet 0/0/1
[AR1-GigabitEthernet0/0/1]ip address 192.168.2.1 24
[AR1-GigabitEthernet0/0/1]arp-proxy enable 
[AR1-GigabitEthernet0/0/1]quit

After the configuration is complete, ping 192.168.2.2 from host 1: the ping succeeds, and so does the reverse ping from host 2 to host 1.
PC>ping 192.168.2.2

Ping 192.168.2.2: 32 data bytes, Press Ctrl_C to break
From 192.168.2.2: bytes=32 seq=1 ttl=127 time=63 ms
From 192.168.2.2: bytes=32 seq=2 ttl=127 time=62 ms
From 192.168.2.2: bytes=32 seq=3 ttl=127 time=94 ms
From 192.168.2.2: bytes=32 seq=4 ttl=127 time=78 ms
From 192.168.2.2: bytes=32 seq=5 ttl=127 time=63 ms

ARP spoofing

When a host exchanges data with the gateway and its ARP table has no entry for the target IP and MAC, ARP is triggered: the host sends an ARP broadcast request to the directly connected segment asking for the MAC address that corresponds to the target IP, and when the gateway receives it, it answers with a unicast ARP reply containing its IP and MAC.
This behaviour of ARP is easy for attackers to abuse. If an attacker learns the IP and MAC addresses by capturing packets and then sends forged ARP packets (with a wrong IP-to-MAC mapping), the host or gateway updates its ARP table with the wrong mapping. When the host then wants to send data to that IP address, it takes the wrong MAC address from its ARP table and uses it for encapsulation, so the data frame is not delivered correctly.
An ARP virus on a host in the internal network causes exactly this situation. When you run into it, first use display arp all on the router to check the device's ARP cache table (packet capture also works: capture the host pinging the router and check whether the destination MAC sent to the router is correct) and verify whether the IP-to-MAC mapping of the disconnected host is correct; then add a static ARP entry, for example arp static 192.168.1.1 e022-83sx-3333. (Static ARP involves a lot of manual work; dynamic ARP is more convenient.)
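A small audit of learned ARP replies that flags the symptoms described above: the gateway IP answered by a MAC other than the one the administrator bound statically, an IP whose MAC suddenly changes, and one MAC claiming several IP addresses. This is an added example, not part of the original post and not the output of display arp all; the reply records, MAC addresses and the static binding are constructed values.

```python
# Added example (not from the original post): audit a sequence of ARP replies the
# way an administrator would inspect the ARP cache after an ARP-spoofing incident.
# All addresses below are constructed; the static binding plays the role of the
# post's `arp static` entry for the gateway 192.168.1.1.
from collections import defaultdict

# Static bindings the administrator trusts (constructed gateway MAC).
STATIC_BINDINGS = {"192.168.1.1": "00e0-fc11-0001"}

# Constructed sample of ARP replies seen on the 192.168.1.0/24 segment:
# (sequence number, sender IP, sender MAC).
SAMPLE_REPLIES = [
    (1, "192.168.1.1", "00e0-fc11-0001"),   # genuine gateway reply
    (2, "192.168.1.2", "5489-9811-2233"),   # host 1
    (3, "192.168.1.3", "5489-9844-5566"),   # host 3
    (4, "192.168.1.1", "5489-9844-5566"),   # gateway IP now claimed by host 3's MAC
    (5, "192.168.1.2", "5489-9811-2233"),   # host 1 again, unchanged
    (6, "192.168.1.2", "5489-9844-5566"),   # host 1's IP also claimed by host 3's MAC
]


def normalize_mac(mac):
    """Reduce xxxx-xxxx-xxxx, xx:xx:... or xxxx.xxxx.xxxx to 12 lowercase hex digits."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def audit_arp_replies(replies, static_bindings):
    """Replay ARP replies into a cache with static entries; return (cache, alerts).

    alerts is a list of (kind, subject, detail) tuples. Static entries are never
    overwritten, which is exactly what adding `arp static` buys the administrator.
    """
    static = {ip: normalize_mac(mac) for ip, mac in static_bindings.items()}
    cache = dict(static)
    alerts = []
    claims = defaultdict(set)          # MAC -> set of IPs it has answered for

    for _seq, ip, raw_mac in replies:
        mac = normalize_mac(raw_mac)
        claims[mac].add(ip)
        if ip in static:
            if static[ip] != mac:
                alerts.append(("static-binding-mismatch", ip, mac))
            continue                   # static entry wins; reply is ignored
        previous = cache.get(ip)
        if previous is not None and previous != mac:
            alerts.append(("mac-changed", ip, mac))
        cache[ip] = mac                # a dynamic entry is overwritten, as on a real host

    for mac, ips in claims.items():
        if len(ips) > 1:
            alerts.append(("mac-claims-multiple-ips", ",".join(sorted(ips)), mac))
    return cache, alerts


if __name__ == "__main__":
    cache, alerts = audit_arp_replies(SAMPLE_REPLIES, STATIC_BINDINGS)
    for entry in cache.items():
        print("cache", entry)
    for alert in alerts:
        print("ALERT", alert)
```

Without the static binding the replay would leave 192.168.1.1 mapped to the other host's MAC, which is the poisoned state the post describes; with it, the gateway entry survives and the forged reply shows up only as an alert. The same check can be run over the entries of a real ARP table by feeding them in as (sequence, IP, MAC) tuples.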

Origin blog.csdn.net/qq_39689711/article/details/103029983