HCNA-7 ARP过程及Proxy ARP(代理ARP)
HCNA-7 ARP过程及ProxyARP(代理ARP)1、基本配置<Huawei>system-view<Huawei>clocktimezone BJ add 8:00:00<Huawei>clockdatetime 22:39 2020-04-25<Huawei>system-viewsysnamer1headerlogin information "Welcome ipgzj.com" //就当是为自己作广告了header shellinformation "Welcome zurkj.com" //就当是为自己作广告了interfaceGigabitEthernet 0/0/0quitipaddress 172.16.10.1 24quitinterfaceGigabitEthernet 0/0/1ipaddress 172.16.20.1 24quitdisplay ipinterface brief
2、查看ARPdisplay arpall//查看ARP表IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE VLAN/CEVLAN PVC
------------------------------------------------------------------------------172.16.10.1 00e0-fc21-5de0 I - GE0/0/0172.16.20.1 00e0-fc21-5de1 I - GE0/0/1------------------------------------------------------------------------------Total:2 Dynamic:0 Static:0 Interface:2查看下来,R1路由器两个接口IP地址及与其对应的MAC地址的ARP表项,没有其它任何条目。使用PC1 Ping R1和PC2(注意PC未配置网关地址)再使用PC3 Ping R1当主机和网关之间有数据访问时,如果ARP表中没有目标IP地址与目标MAC地址的对应表项,ARP协议会被触发,向直连网段发送ARP广播请求包,请求目标IP地址所对应的MAC地址。
上面图中PC2发送的广播报文,注意MAC地址是全F的。
上面图中网关收到广播请求后,回应单播的ARP响应报文,里面描述了发送者自身IP地址与MAC地址的对应关系。再次查看R1的ARP表项display arpallIP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE VLAN/CEVLAN PVC
------------------------------------------------------------------------------172.16.10.1 00e0-fc21-5de0 I - GE0/0/0172.16.10.100 5489-98bd-374a9 D-0 GE0/0/0172.16.10.101 5489-9818-6ef618 D-0 GE0/0/0172.16.20.1 00e0-fc21-5de1 I - GE0/0/1172.16.20.100 5489-9835-288d14 D-0 GE0/0/1------------------------------------------------------------------------------Total:5 Dynamic:3 Static:0 Interface:2
3、配置静态ARParp static172.16.10.100 1234-12ab-458d//配置静态ARPdisplay arpallIP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE VLAN/CEVLAN PVC
------------------------------------------------------------------------------172.16.10.1 00e0-fc21-5de0 I - GE0/0/0172.16.10.101 5489-9818-6ef610 D-0 GE0/0/0172.16.20.1 00e0-fc21-5de1 I - GE0/0/1172.16.20.100 5489-9835-288d6 D-0 GE0/0/1172.16.10.1001234-12ab-458d S--------------------------------------------------------------------------------Total:5 Dynamic:2 Static:1 Interface:2 ping172.16.10.100PING 172.16.10.100: 56data bytes, press CTRL_C to break Request time out Request time out Request time out Request time out Request time out
--- 172.16.10.100 ping statistics --- 5 packet(s) transmitted0 packet(s) received
刻意错误配置静态ARP 由于PC1的MAC地址被错误映射,导致通讯失败,模拟了ARP欺骗时会出现的问题。
由于错误映射,R1发往PC1的数据报文二层头部,目的MAC地址被错误封装成12:34:12:ab:45:8d,这是导致通讯失败的直接原因。下面重新配置静态ARP,做正确映射:arpstatic 172.16.10.100 5489-98bd-374adisplayarp allIPADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE VLAN/CEVLAN PVC ------------------------------------------------------------------------------172.16.10.1 00e0-fc21-5de0 I - GE0/0/0172.16.10.101 5489-9818-6ef610 D-0 GE0/0/0172.16.20.1 00e0-fc21-5de1 I - GE0/0/1172.16.20.100 5489-9835-288d7 D-0 GE0/0/1172.16.10.100 5489-98bd-374a S--------------------------------------------------------------------------------Total:5 Dynamic:2 Static:1 Interface:2 ping172.16.10.100PING 172.16.10.100: 56data bytes, press CTRL_C to break Reply from 172.16.10.100: bytes=56Sequence=1 ttl=128 time=60 ms Reply from 172.16.10.100: bytes=56 Sequence=2ttl=128 time=50 ms Reply from 172.16.10.100: bytes=56Sequence=3 ttl=128 time=60 ms Reply from 172.16.10.100: bytes=56Sequence=4 ttl=128 time=40 ms Reply from 172.16.10.100: bytes=56Sequence=5 ttl=128 time=40 ms
--- 172.16.10.100 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet lossround-trip min/avg/max = 40/50/60 ms Ping测试与PC1通信恢复正常。
上图显示目标MAC地址为正确地址。
4、配置ProxyARP当前R1把拓扑网络划分出了两个独立的广播域:172.16.10.0/24和172.16.20.0/24<r1>displayip routing-table//查看路由表RouteFlags: R - relay, D - download to fib------------------------------------------------------------------------------RoutingTables: Public Destinations : 10 Routes : 10
Destination/Mask ProtoPreCost Flags NextHop InterfaceGigabitEthernet0/0/0 172.16.10.1/32Direct 0 0 D127.0.0.1 GigabitEthernet0/0/0172.16.10.255/32Direct 0 0 D127.0.0.1 GigabitEthernet0/0/0 172.16.20.0/24Direct 0 0 D172.16.20.1 GigabitEthernet0/0/1 172.16.20.1/32Direct 0 0 D127.0.0.1 GigabitEthernet0/0/1172.16.20.255/32Direct 0 0 D127.0.0.1 GigabitEthernet0/0/1255.255.255.255/32Direct 0 0 D127.0.0.1 InLoopBack0默认ARP代理功能不开启。
PC1无法访问到PC3
抓包显示,PC1发出ARP广播,却一直未收到ARP响应。原因是PC1与PC3处于两个广播域内,PC1发出的ARP请求无法跨越R1,自然PC3也就收不到PC1的ARP广播报文了。如此下来PC1无法得到PC3的回应,没有PC3的硬件MAC地址导致数据封装失败。下面R1打开ARP代理功能interfaceGigabitEthernet 0/0/0arp-proxyenable//开启arp代理
此时PC1发送的ARP请求得到了ARP回应。172.16.10.1 00e0-fc21-5de0 I - GE0/0/0172.16.10.101 5489-9818-6ef65 D-0 GE0/0/0172.16.20.1 00e0-fc21-5de1 I - GE0/0/1172.16.20.100 5489-9835-288d1 D-0 GE0/0/1172.16.10.100 5489-98bd-374a S—但是,从PC1的arp –a中看到响应中的IP172.16.20.100对应的MAC地址非PC3本机MAC。而是R1 GE 0/0/0接口MAC地址。
下面说明一下开启了ARP代理后PC1访问PC3的工作过程:当在R1的GE 0/0/0 接口执行了arp-proxy enable命令后,收到PC1的ARP广播请求报文之后,R1根据ARP请求中的目标IP地址172.16.20.100查看自身路由表中是否有对应的目标网络,R1的GE 0/0/1接口就是172.16.20.0/24网络,所以R1直接把自的GE 0/0/0接口的MAC地址通过ARP响应返回给PC1,PC1收到此ARP响应后使用该MAC作为目标硬件地址发送报文给R1,R1收到后再把报文转发给PC3,所以PC3要访问PC1也需要在R1的GE 0/0/1接口开启ARP代理功能。interfaceGigabitEthernet 0/0/1arp-proxyenable//开启ARP代理功能
页:
[1]
