Ethernet
Ethernet allows multiple hosts to share the same network segment. There are only 3 ways to deliver a frame to another computer over ethernet. You can send a broadcast and interrupt every host on the segment, send a multicast and hope that the intended receiver is listening, or send a unicast by placing the intended recipient’s MAC address in the destination field of the ethernet header. Address Resolution Protocol (ARP) is used to discover the MAC addresses of other hosts on the same ethernet segment. ARP works by sending a frame asking, “What is the MAC address of the host with <IP Address>?” ARP requests are typically broadcast, and ARP replies are typically unicast. Unicast ARP requests are used periodically to verify the validity of the ARP cache.
Static Routes
Static route configuration typically consists of 2 to 3 components. The destination network/subnet mask, the next hop IP address, and sometimes, an exit interface. Most NOSs allow you to configure a next hop IP, an exit interface, or both. When only a next hop IP is configured, it is referred to as a “recursive static route” because the router will have to do a recursive lookup to determine which interface the next hop is attached to. When only an exit interface is configured, it is referred to as a “directly attached static route”. If an exit interface and next hop IP address are configured, it is called a “fully specified static route”.
Recursive static route:
ip route 10.0.0.1 255.255.255.255 172.16.0.1
Directly attached static route:
ip route 10.0.0.1 255.255.255.255 GigabitEthernet0/0
Fully specified static route:
ip route 10.0.0.1 255.255.255.255 GigabitEthernet0/0 172.16.0.1
Using directly attached routes on ethernet networks causes an interesting problem. The next hop IP address is unknown. Without knowing the IP address of the next hop, what IP do you send an ARP for to discover the destination MAC address? The router will assume the destination IP is directly connected and send an ARP broadcast asking for the MAC address of the destination IP. If the destination is not directly attached, the downstream router(s) may respond to the ARP request on behalf of the destination. This is known as proxy ARP.
Demo Network
To demonstrate this behavior, I built a simple 3 router topology with all routers connected to a switch. All routers are in the same VLAN. The switch is configured for SPAN to send a copy of all packets to my PC for capture and analysis. The shared segment between the routers is 172.16.0.0/16 where the last octet is the router number. Each router has a loopback interface configured with 10.0.0.router# /32. Each router has various kinds of static routes to provide reachability to the other loopbacks. All routers are using interface Gi0/0 to connect to the switch. Diagram drawn on diagrams.net
Routes configured:
R1 has a “directly attached” default route.
RoutingLoop_R1#show run | include ip route
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
R2 has a mix of recursive and fully specified routes.
RoutingLoop_R2#show run | include ip route
ip route 10.0.0.1 255.255.255.255 172.16.0.1
ip route 10.0.0.3 255.255.255.255 GigabitEthernet0/0 172.16.0.3
R3 has two recursive routes.
RoutingLoop_R3#show run | include ip route
ip route 10.0.0.1 255.255.255.255 172.16.0.1
ip route 10.0.0.2 255.255.255.255 172.16.0.2
You may want to take note of each router’s Gi0/0 MAC addresses for packet capture analysis.
RoutingLoop_R1#show int g0/0 | include bia
Hardware is CN Gigabit Ethernet, address is 88f0.31ab.2a20 (bia 88f0.31ab.2a20)
RoutingLoop_R2#show int g0/0 | include bia
Hardware is CN Gigabit Ethernet, address is d48c.b525.0d80 (bia d48c.b525.0d80)
RoutingLoop_R3#show int g0/0 | include bia
Hardware is CN Gigabit Ethernet, address is cc16.7e8d.a3a0 (bia cc16.7e8d.a3a0)
Warning
Before we get into the packet captures, I want to point out that the router displayed a warning when I configured the directly attached default route on R1. If this route is used for reaching multiple destinations, the router would ARP for each unique destination. This can impact performance by causing a high number of broadcasts. If packets are sent to enough unique destinations, the router could run out of memory for the ARP table, causing reachability issues.
RoutingLoop_R1(config)#ip route 0.0.0.0 0.0.0.0 g0/0
%Default route without gateway, if not a point-to-point interface, may impact performance
Traffic Analysis
I started on R1 by pinging a destination that is not reachable, 198.51.100.10. Because R1 has a default route, it sent an ARP broadcast out of Gi0/0. This ARP was captured with a debug on R1 and by my PC. Because no router in the network is aware of this destination, the ARP request does not receive a response. The debug and pcap confirm that the ARP request target IP is 198.51.100.10.
RoutingLoop_R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected, GigabitEthernet0/0
10.0.0.0/32 is subnetted, 1 subnets
C 10.0.0.1 is directly connected, Loopback1
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.0.0/16 is directly connected, GigabitEthernet0/0
L 172.16.0.1/32 is directly connected, GigabitEthernet0/0
RoutingLoop_R1#ping 198.51.100.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.51.100.10, timeout is 2 seconds:
*Sep 9 10:19:49.815: IP ARP: creating incomplete entry for IP address: 198.51.100.10 interface GigabitEthernet0/0
*Sep 9 10:19:49.815: IP ARP: sent req src 172.16.0.1 88f0.31ab.2a20,
dst 198.51.100.10 0000.0000.0000 GigabitEthernet0/0.
*Sep 9 10:19:51.815: IP ARP: sent req src 172.16.0.1 88f0.31ab.2a20,
dst 198.51.100.10 0000.0000.0000 GigabitEthernet0/0.
*Sep 9 10:19:53.815: IP ARP: sent req src 172.16.0.1 88f0.31ab.2a20,
dst 198.51.100.10 0000.0000.0000 GigabitEthernet0/0.
*Sep 9 10:19:55.815: IP ARP: sent req src 172.16.0.1 88f0.31ab.2a20,
dst 198.51.100.10 0000.0000.0000 GigabitEthernet0/0.
*Sep 9 10:19:57.815: IP ARP: sent req src 172.16.0.1 88f0.31ab.2a20,
dst 198.51.100.10 0000.0000.0000 GigabitEthernet0/0.
Success rate is 0 percent (0/5)
With a test for an unreachable destination completed, I then tested reachability from R1 to R3’s loopback, 10.0.0.3. This caused R1 to send an ARP request asking, “Who has 10.0.0.3?”. R3 responded with a proxy ARP answer, providing the MAC address of it’s Gi0/0 interface. The ping was successful after the first ping timed out waiting on ARP resolution. The CEF output confirms that R1 considers 10.0.0.3 to be directly attached to Gi0/0.
RoutingLoop_R1#show ip cef 10.0.0.3
0.0.0.0/0
attached to GigabitEthernet0/0
RoutingLoop_R1#ping 10.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
ARP Request:
ARP Reply:
Ping Echo Request from R1 to R3s loopback. Notice that the source and destination MAC addresses are those of the respective router’s Gi0/0 interface.
Ping Echo Reply with the MAC address transposed.
Disabling Proxy ARP
With ARP behavior confirmed, I disabled proxy ARP on R2’s Gi0/0 interface. After doing so, I attempted to ping from R1 to R2’s loopback, 10.0.0.2. There was no ARP reply and ping was not successful.
RoutingLoop_R2#show run int g0/0
Building configuration...
Current configuration : 113 bytes
!
interface GigabitEthernet0/0
ip address 172.16.0.2 255.255.0.0
no ip proxy-arp
duplex auto
speed auto
end
RoutingLoop_R1#clear arp
RoutingLoop_R1#ping 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Unicast ARP Request
During this lab I learned that unicast ARP requests are used periodically to verify the validity of cached ARP information. If no response is received, the entry should be deleted. This behavior is defined in the “Unicast Poll” section of RFC 1122. Example below, notice the unicast destination MAC address.