Manual:IP/ARP: Difference between revisions
No edit summary |
|||
Line 84: | Line 84: | ||
A router with properly configured proxy ARP feature acts like a transparent ARP proxy between directly connected networks. | A router with properly configured proxy ARP feature acts like a transparent ARP proxy between directly connected networks. | ||
This behaviour can be usefull, for example, if you want to assign dial-in (ppp, pppoe, pptp) clients IP addresses from the same address space as used on the connected LAN. | |||
[[Image:image10002.gif]] | |||
Lets look at example setup from image above. Host A (172.16.1.2) on Subnet A wants to send packets to Host D (172.16.2.3) on Subnet B. Host A has a /16 subnet mask ''<u>which means that Host A believes that it is directly connected to all 172.16.0.0/16 network (the same LAN).</u>'' Since the Host A believes that is directly connected it sends an ARP request to the destination to clarify MAC address of Host D. (in case when Host A finds that destination IP address is not from the same subnet it send packet to default gateway.) | |||
Host A broadcasts an ARP request on Subnet A: | |||
Info from packet analyzer software: | |||
<pre> | |||
No. Time Source Destination Protocol Info | |||
12 5.133205 00:1b:38:24:fc:13 ff:ff:ff:ff:ff:ff ARP Who has 173.16.2.3? Tell 173.16.1.2 | |||
Packet details: | |||
Ethernet II, Src: (00:1b:38:24:fc:13), Dst: (ff:ff:ff:ff:ff:ff) | |||
Destination: Broadcast (ff:ff:ff:ff:ff:ff) | |||
Source: (00:1b:38:24:fc:13) | |||
Type: ARP (0x0806) | |||
Address Resolution Protocol (request) | |||
Hardware type: Ethernet (0x0001) | |||
Protocol type: IP (0x0800) | |||
Hardware size: 6 | |||
Protocol size: 4 | |||
Opcode: request (0x0001) | |||
[Is gratuitous: False] | |||
Sender MAC address: 00:1b:38:24:fc:13 | |||
Sender IP address: 173.16.1.2 | |||
Target MAC address: 00:00:00:00:00:00 | |||
Target IP address: 173.16.2.3 | |||
</pre> | |||
With this ARP request, Host A (172.16.1.2) isasking Host D (172.16.2.3) to send its MAC address. The ARP request packet is then encapsulated in an Ethernet frame with the MAC address of Host A as the source address and a broadcast (FF:FF:FF:FF:FF:FF) as the destination address. Layer 2 broadcast means that frame will be sent to all hosts in the same layer 2 broadcast domain which includes the ether0 interface of the router, but does not reach Host D, because router'' ''by default does not forward layer 2 broadcast. | |||
Since the router knows that the target address (172.16.2.3) is on another subnet but it can reach Host D, it replies with its own MAC address to Host A. | |||
<pre> | |||
No. Time Source Destination Protocol Info | |||
13 5.133378 00:0c:42:52:2e:cf 00:1b:38:24:fc:13 ARP 172.16.2.3 is at 00:0c:42:52:2e:cf | |||
Packet details: | |||
Ethernet II, Src: 00:0c:42:52:2e:cf, Dst: 00:1b:38:24:fc:13 | |||
Destination: 00:1b:38:24:fc:13 | |||
Source: 00:0c:42:52:2e:cf | |||
Type: ARP (0x0806) | |||
Address Resolution Protocol (reply) | |||
Hardware type: Ethernet (0x0001) | |||
Protocol type: IP (0x0800) | |||
Hardware size: 6 | |||
Protocol size: 4 | |||
Opcode: reply (0x0002) | |||
[Is gratuitous: False] | |||
Sender MAC address: 00:0c:42:52:2e:cf | |||
Sender IP address: 172.16.1.254 | |||
Target MAC address: 00:1b:38:24:fc:13 | |||
Target IP address: 172.16.1.2 | |||
</pre> | |||
This is the ''Proxy ARP reply'' that the router sends to Host A. Router sends back unicast proxy ARP reply with its own MAC address as the source address and the MAC address of Host A as the destination address, by saying ''"send these packets to me, and I'll get it to where it needs to go."'' | |||
When Host A receives ARP response it updates its ARP table, as shown: | |||
<pre> | |||
C:\Users\And>arp -a | |||
Interface: 173.16.2.1 --- 0x8 | |||
Internet Address Physical Address Type | |||
173.16.1.254 00-0c-42-52-2e-cf dynamic | |||
173.16.2.3 00-0c-42-52-2e-cf dynamic | |||
173.16.2.2 00-0c-42-52-2e-cf dynamic | |||
</pre> | |||
After MAC table update, Host A forwards all the packets intended for Host D (172.16.2.3) directly to router interface ether0 (00:0c:42:52:2e:cf) and the router forwards packets to Host D. The ARP cache on the hosts in Subnet A is populated with the MAC address of the router for all the hosts on Subnet B. Hence, all packets destined to Subnet B are sent to the router. The router forwards those packets to the hosts in Subnet B. | |||
Multiple IP addresses by host are mapped to a single MAC address (the MAC address of this router) when proxy ARP is used. | |||
Proxy ARP can be enabled on each interface individually with command '''arp=proxy-arp''': | |||
Setup proxy ARP: | |||
<pre> | |||
[admin@MikroTik] /interface ethernet> set 1 arp=proxy-arp | |||
[admin@MikroTik] /interface ethernet> print | |||
Flags: X - disabled, R - running | |||
# NAME MTU MAC-ADDRESS ARP | |||
0 R ether1 1500 00:30:4F:0B:7B:C1 enabled | |||
1 R ether2 1500 00:30:4F:06:62:12 proxy-arp | |||
[admin@MikroTik] interface ethernet> | |||
</pre> | |||
===Reply Only=== | ===Reply Only=== |
Revision as of 12:34, 18 April 2011
Applies to RouterOS: 2.9, v3, v4 +
Summary
Sub-menu: /ip arp
Standards: ARP RFC 826
Even though IP packets are addressed using IP addresses, hardware addresses must be used to actually transport data from one host to another. Address Resolution Protocol is used to map OSI level 3 IP addresses to OSI level 2 MAC addreses. Router has a table of currently used ARP entries. Normally the table is built dynamically, but to increase network security, it can be partialy or completely built statically by means of adding static entries.
Properties
Property | Description |
---|---|
address (IP; Default: ) | IP address to be mapped |
interface (string; Default: ) | Interface name the IP address is assigned to |
mac-address (MAC; Default: 00:00:00:00:00:00) | MAC address to be mapped to |
Read only properties:
Property | Description |
---|---|
dhcp (yes | no) | Whether ARP entry is added by DHCP server |
dynamic (yes | no) | Whether entry is dynamically created |
invalid (yes | no) | Whether entry is not valid |
Note: Maximal number of ARP entries is 8192.
ARP Modes
It is possible to set several ARP modes in interface configuration .....
Disabled
If ARP feature is turned off on the interface, i.e., arp=disabled is used, ARP requests from clients are not answered by the router. Therefore, static arp entry should be added to the clients as well. For example, the router's IP and MAC addresses should be added to the Windows workstations using the arp command:
C:\> arp -s 10.5.8.254 00-aa-00-62-c6-09
Enabled
This mode is enabled by default on all interfaces. ARPs will be discovered automatically and new dynamic entries will be added to ARP table.
Proxy ARP
A router with properly configured proxy ARP feature acts like a transparent ARP proxy between directly connected networks.
This behaviour can be usefull, for example, if you want to assign dial-in (ppp, pppoe, pptp) clients IP addresses from the same address space as used on the connected LAN.
Lets look at example setup from image above. Host A (172.16.1.2) on Subnet A wants to send packets to Host D (172.16.2.3) on Subnet B. Host A has a /16 subnet mask which means that Host A believes that it is directly connected to all 172.16.0.0/16 network (the same LAN). Since the Host A believes that is directly connected it sends an ARP request to the destination to clarify MAC address of Host D. (in case when Host A finds that destination IP address is not from the same subnet it send packet to default gateway.)
Host A broadcasts an ARP request on Subnet A:
Info from packet analyzer software:
No. Time Source Destination Protocol Info 12 5.133205 00:1b:38:24:fc:13 ff:ff:ff:ff:ff:ff ARP Who has 173.16.2.3? Tell 173.16.1.2 Packet details: Ethernet II, Src: (00:1b:38:24:fc:13), Dst: (ff:ff:ff:ff:ff:ff) Destination: Broadcast (ff:ff:ff:ff:ff:ff) Source: (00:1b:38:24:fc:13) Type: ARP (0x0806) Address Resolution Protocol (request) Hardware type: Ethernet (0x0001) Protocol type: IP (0x0800) Hardware size: 6 Protocol size: 4 Opcode: request (0x0001) [Is gratuitous: False] Sender MAC address: 00:1b:38:24:fc:13 Sender IP address: 173.16.1.2 Target MAC address: 00:00:00:00:00:00 Target IP address: 173.16.2.3
With this ARP request, Host A (172.16.1.2) isasking Host D (172.16.2.3) to send its MAC address. The ARP request packet is then encapsulated in an Ethernet frame with the MAC address of Host A as the source address and a broadcast (FF:FF:FF:FF:FF:FF) as the destination address. Layer 2 broadcast means that frame will be sent to all hosts in the same layer 2 broadcast domain which includes the ether0 interface of the router, but does not reach Host D, because router by default does not forward layer 2 broadcast.
Since the router knows that the target address (172.16.2.3) is on another subnet but it can reach Host D, it replies with its own MAC address to Host A.
No. Time Source Destination Protocol Info 13 5.133378 00:0c:42:52:2e:cf 00:1b:38:24:fc:13 ARP 172.16.2.3 is at 00:0c:42:52:2e:cf Packet details: Ethernet II, Src: 00:0c:42:52:2e:cf, Dst: 00:1b:38:24:fc:13 Destination: 00:1b:38:24:fc:13 Source: 00:0c:42:52:2e:cf Type: ARP (0x0806) Address Resolution Protocol (reply) Hardware type: Ethernet (0x0001) Protocol type: IP (0x0800) Hardware size: 6 Protocol size: 4 Opcode: reply (0x0002) [Is gratuitous: False] Sender MAC address: 00:0c:42:52:2e:cf Sender IP address: 172.16.1.254 Target MAC address: 00:1b:38:24:fc:13 Target IP address: 172.16.1.2
This is the Proxy ARP reply that the router sends to Host A. Router sends back unicast proxy ARP reply with its own MAC address as the source address and the MAC address of Host A as the destination address, by saying "send these packets to me, and I'll get it to where it needs to go."
When Host A receives ARP response it updates its ARP table, as shown:
C:\Users\And>arp -a Interface: 173.16.2.1 --- 0x8 Internet Address Physical Address Type 173.16.1.254 00-0c-42-52-2e-cf dynamic 173.16.2.3 00-0c-42-52-2e-cf dynamic 173.16.2.2 00-0c-42-52-2e-cf dynamic
After MAC table update, Host A forwards all the packets intended for Host D (172.16.2.3) directly to router interface ether0 (00:0c:42:52:2e:cf) and the router forwards packets to Host D. The ARP cache on the hosts in Subnet A is populated with the MAC address of the router for all the hosts on Subnet B. Hence, all packets destined to Subnet B are sent to the router. The router forwards those packets to the hosts in Subnet B.
Multiple IP addresses by host are mapped to a single MAC address (the MAC address of this router) when proxy ARP is used.
Proxy ARP can be enabled on each interface individually with command arp=proxy-arp:
Setup proxy ARP:
[admin@MikroTik] /interface ethernet> set 1 arp=proxy-arp [admin@MikroTik] /interface ethernet> print Flags: X - disabled, R - running # NAME MTU MAC-ADDRESS ARP 0 R ether1 1500 00:30:4F:0B:7B:C1 enabled 1 R ether2 1500 00:30:4F:06:62:12 proxy-arp [admin@MikroTik] interface ethernet>
Reply Only
If arp property is set to reply-only
on the interface, then router only replies to ARP requests. Neighbour MAC addresses will be resolved using /ip arp statically, but there will be no need to add the router's MAC address to other hosts' ARP tables like in case if arp is disabled.