ARP: Nuances of Cisco Equipment Behaviour and Interesting Cases. Part 1
Hi habr! Every future engineer, while studying networking, gets acquainted with the ARP protocol (Address Resolution Protocol, hereafter ARP). The protocol's main task is to obtain a device's L2 address when its L3 address is known. At the start of a professional career, it seems to me, a beginner rarely runs into situations where one has to remember that ARP exists. One gets the impression that ARP is some autonomous service that needs no intervention, and when connectivity problems appear, many people may, through inexperience, forget to check how ARP is working.
I remember my line of thought when I was starting out as a network engineer: "OK, the interface came up, no physical-layer errors that I can see. I configured the route for where to send packets. There are no access lists at all. So why is the traffic not flowing? What else does the router need?" Sooner or later every network engineer will run into a problem whose cause lies precisely in how ARP works or is configured on the network equipment. The simplest example: replacing the gateway at the network edge (for example, installing a router instead of an MS TMG server). The router's configuration was checked beforehand in a lab. Yet when it is connected to the provider, nothing works. Put MS TMG back and everything works. Where to look after checking the data-link and physical layers? The most likely answer is to check how ARP is working.
In this note I will not describe in detail the principles of ARP and the protocols of this family (RARP, InARP, UnARP, etc.). There are already plenty of articles on the Internet on this subject (for example, the ARP variants are described quite well here). The only theoretical point on which I will focus a little more attention is the Gratuitous ARP (GARP) mechanism.
The article consists of two parts. The first part contains a bit of theory and the specifics of ARP operation on Cisco routers related to NAT rules and to the Proxy ARP function. In the second part I will describe the differences in ARP behaviour between Cisco routers and Cisco ASA firewalls, and share several interesting cases from practice related to ARP.
Below is an example of an ARP request/ARP reply exchange in the Wireshark sniffer:
The ARP request is sent to the broadcast MAC address ff:ff:ff:ff:ff:ff. In the body of the ARP request, the Target MAC Address field, whose value is unknown, is filled with zeros.
The ARP reply is sent to the MAC address of the host that sent the ARP request. The Sender MAC Address field contains the requested MAC address of the device.
The opcode field in the ARP header takes the value 1 for an ARP request and the value 2 for an ARP reply.
For two devices to start exchanging traffic, each must have a corresponding entry for the neighbouring device in its ARP table. It would be logical to assume that for an ARP entry to appear in the tables, each device must go through the ARP request/ARP reply procedure; that is, before traffic is exchanged, two ARP requests and two ARP replies must pass through the network (an ARP request/ARP reply for the first computer and an ARP request/ARP reply for the second). However, this assumption is not true in all cases. Cisco network equipment adds a new entry to its ARP table as soon as it receives an ARP request from the remote device.
Consider an example. A new device with address 198.18.0.200 is added to the broadcast domain. Start a ping from the new device and look at debug arp on the Cisco router:
As you can see, as soon as an ARP request arrives from an unknown IP address (rcvd req src 198.18.0.200), the router creates a corresponding entry in its ARP table (creating entry for IP address: 198.18.0.200, hw: 64e9.50c8.d6cd).
For this article I did not carry out a detailed study of exactly which network equipment adds an ARP entry on receipt of an ARP request. However, I assume the described behaviour is characteristic not only of Cisco network equipment but also of equipment from other vendors, since this mechanism significantly reduces ARP traffic in the network.
The described behaviour is characteristic of network equipment. End hosts, in most cases, get an entry in their ARP table only after a full ARP request/ARP reply procedure. As an example, I checked the procedure on a computer running Windows 7. Below is a dump of the ARP packets. In this example the ARP cache was cleared on the Cisco router and on the Windows computer. After that, a ping was started from the router to the computer.
The dump shows that the router first sends an ARP request and receives an ARP reply. But the ARP request from the router does not produce the required entry in the Windows computer's ARP table, so the computer in turn sends its own ARP request and receives an ARP reply from the router.
The Gratuitous ARP mechanism is used to notify devices within a broadcast domain that a new IP-address-to-MAC-address binding has appeared. When a device's network interface receives its IP settings (manually or via DHCP), the device sends a Gratuitous ARP message to notify its neighbours of its presence. A Gratuitous ARP message is a special kind of ARP reply. The opcode field takes the value 2 (ARP reply). The destination MAC address, both in the Ethernet header and in the body of the ARP reply, is the broadcast address (ff:ff:ff:ff:ff:ff). The Target IP Address field in the body of the ARP reply is the same as the Sender IP Address field.
The Gratuitous ARP mechanism serves many purposes. For example, Gratuitous ARP can be used to announce a MAC address change or to detect IP address conflicts. Another example is its use by First Hop Redundancy Protocols, for instance Cisco's HSRP. As a reminder, HSRP provides a virtual IP address shared between two or more network devices. In normal operation, the primary device services the virtual IP address (answers ARP requests and so on). If the primary device fails, servicing of the virtual IP address passes to the second device. To announce the change of the MAC address of the device responsible for it, Gratuitous ARP messages are sent.
The example below shows the Gratuitous ARP message sent when a router interface with the configured IP address 198.18.0.1 is brought up.
If a secondary IP address is configured on the router, then when the interface goes UP, Gratuitous ARP notifications are sent for each IP address of the interface. The example below shows the Gratuitous ARP messages sent when a router interface with primary IP address 198.18.0.1 and secondary IP address 198.18.2.1 is brought up.
Naturally, the router will answer ARP requests for both the primary and the secondary IP address.
It would be logical to assume that as soon as a device receives a Gratuitous ARP, it immediately adds a new entry to its ARP table. However, this is not the case. If the device's table had no ARP entry associated with the IP address from the Gratuitous ARP message, no new entry will be added. When traffic needs to be sent, an ARP request is generated and an ARP reply received; only after this procedure is the new entry added to the ARP table.
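As an added example (not code from the original article), the following Python parses raw ARP frames, classifies them as request, reply or Gratuitous ARP from the field values described above, and models the two learning rules observed on the Cisco router: an entry is created on receipt of an ARP request, while a Gratuitous ARP only refreshes an entry that already exists. The sample frames and MAC addresses are constructed for the 198.18.0.0/24 lab network in the text.

```python
"""ARP frame classifier plus a model of the Cisco-style ARP cache learning
rules described in the text. Added example; frames and MACs are constructed."""
import struct
from dataclasses import dataclass

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ETHERTYPE_ARP = 0x0806
OP_REQUEST, OP_REPLY = 1, 2


@dataclass
class ArpFrame:
    dst_mac: str        # Ethernet destination
    src_mac: str        # Ethernet source
    opcode: int         # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    def kind(self) -> str:
        """Classify the frame using the field values the article describes:
        a Gratuitous ARP is a broadcast reply whose target IP equals its sender IP."""
        if (self.opcode == OP_REPLY and self.sender_ip == self.target_ip
                and self.dst_mac == BROADCAST_MAC):
            return "gratuitous"
        if self.opcode == OP_REQUEST:
            return "request"
        if self.opcode == OP_REPLY:
            return "reply"
        return "unknown"


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> ArpFrame:
    """Parse an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    body = frame[22:42]   # sender MAC, sender IP, target MAC, target IP
    return ArpFrame(_mac(dst), _mac(src), op,
                    _mac(body[0:6]), _ip(body[6:10]),
                    _mac(body[10:16]), _ip(body[16:20]))


def build_arp(dst_mac, src_mac, op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Assemble a 42-byte frame; used only to construct the sample capture below."""
    def mac(s): return bytes(int(x, 16) for x in s.split(":"))
    def ip(s): return bytes(int(x) for x in s.split("."))
    return (mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))


class CiscoStyleArpCache:
    """Minimal model of the learning rules observed on the Cisco router."""

    def __init__(self, own_ip: str):
        self.own_ip = own_ip
        self.table: dict[str, str] = {}

    def receive(self, f: ArpFrame) -> str:
        kind = f.kind()
        if kind == "request":
            # debug arp shows "creating entry for IP address" on a received request
            self.table[f.sender_ip] = f.sender_mac
            return "learned"
        if kind == "reply" and f.target_ip == self.own_ip:
            self.table[f.sender_ip] = f.sender_mac
            return "learned"
        if kind == "gratuitous" and f.sender_ip in self.table:
            self.table[f.sender_ip] = f.sender_mac   # refresh existing binding only
            return "refreshed"
        return "ignored"


def demo() -> list:
    """Replay constructed frames from a new host 198.18.0.200 against the model."""
    router = CiscoStyleArpCache("198.18.0.1")
    new_host = "02:00:00:00:02:00"   # constructed MAC for 198.18.0.200
    garp = build_arp(BROADCAST_MAC, new_host, OP_REPLY, new_host, "198.18.0.200",
                     BROADCAST_MAC, "198.18.0.200")
    req = build_arp(BROADCAST_MAC, new_host, OP_REQUEST, new_host, "198.18.0.200",
                    ZERO_MAC, "198.18.0.1")
    return [router.receive(parse_arp(garp)),   # GARP for unknown IP: no entry
            router.receive(parse_arp(req)),    # request: entry created
            router.receive(parse_arp(garp)),   # GARP for known IP: refreshed
            router.table.get("198.18.0.200")]
```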
An example on a Cisco router. Enable debug arp and connect a new device with address 198.18.0.200 to the broadcast domain. Before the new device is connected, the router's ARP table looks like this:
Power on the new device with address 198.18.0.200. We get a debug message about the arrival of a Gratuitous ARP:
No new entry appeared. Ping the new address:
The debug messages show that the ARP request/ARP reply procedure took place. Check the ARP table:
The new entry has appeared.
ARP and NAT on Cisco Routers
Note: the tests used a C4321 router running software 15.4(3)S3 and a Cisco ASA5505 firewall running software 9.1(6)6.
In our case the Wireshark computer with address 198.18.0.250 represents the connection to the external network (for example, to the Internet provider). Using the Wireshark sniffer, we will watch the ARP message exchange between the router and the computer.
Router interface settings:
Add a dynamic NAT rule to translate the address of the computer in the LAN (192.168.20.5) to the inside global address 198.18.0.5 when it accesses the computer outside (Wireshark). Add a static PAT rule to publish TCP port 3389 (RDP) of the LAN computer under the global address 198.18.0.2.
Look at the ARP table on the router:
We see that the ARP table contains static entries both for the router's external interface (198.18.0.1) and for the inside global addresses from the dynamic and static NAT rules.
Run clear arp-cache on the router and look in Wireshark at which Gratuitous ARP notifications are sent from the external interface:
As you can see, the router announced its readiness to service the interface address, the address from the dynamic NAT rule and the address from the static NAT rule.
Now imagine a situation where the provider expands the pool of public addresses issued to the customer using another subnet. Suppose that, in addition to the IP subnet 198.18.0.0/24 on the router's external interface, we receive a new pool 198.18.99.0/24 from the provider and want to publish our internal services under the new IP addresses. For clarity, here is a diagram with the provider:
Add a static PAT rule to publish TCP port 3389 (RDP) of the LAN computer under the new global address 198.18.99.2:
If we look at the router's ARP table again with the show arp command, we will see that no static entry for the IP address 198.18.99.2 was added.
To be able to send ARP requests to the new network 198.18.99.0/24 from the Wireshark computer, widen its network mask to 255.255.0.0 (/16). As a reminder, in our example the Wireshark computer plays the role of the Internet provider's router.
After entering clear arp-cache, the sniffer still shows Gratuitous ARP only for three IP addresses: 198.18.0.1, 198.18.0.2, 198.18.0.5. For the new address 198.18.99.2 no Gratuitous ARP is sent. Let's try to open TCP port 3389 of address 198.18.99.2 while watching the sniffer:
Failure. Check the ARP table:
Configuring Proxy ARP on a router interface:
Proxy ARP can be disabled on all router interfaces globally:
This setting takes priority over the Proxy ARP settings applied on the interfaces.
Besides the ip proxy-arp command, the interface configuration also has the ip local-proxy-arp command. This command works only when ip proxy-arp is enabled on the interface and lets the router answer ARP requests even when the target IP address is in the same IP subnet the ARP request came from. Example configuration:
This setting can be useful if we want traffic within a single broadcast domain to pass through our router's interface. The same task can be implemented with Protected port (PVLAN edge) settings on an L2 switch (switchport protected).
Enabling Proxy ARP on the router's external interface solves the problem with the new address pool issued by the provider. Let's try to open TCP port 3389 of address 198.18.99.2 after enabling Proxy ARP on the router interface, while watching the sniffer:
Success. The router answers the ARP request and the port opens. Thus Proxy ARP functionality can also be used when address translation into a new pool is required.
ARP Commands
For detailed information about ARP concepts, configuration tasks, and examples, see the Cisco ASR 9000 Series Aggregation Services Router IP Addresses and Services Configuration Guide.
To add a permanent entry in the Address Resolution Protocol (ARP) cache, use the arp command in global configuration mode. To remove an entry from the ARP cache, enter the no form of this command.
arp [ vrf vrf-name ] ip-address hardware-address encapsulation-type [alias]
no arp [ vrf vrf-name ] ip-address hardware-address encapsulation-type [alias]
Syntax Description
vrf: (Optional) Specifies a VPN routing and forwarding (VRF) instance.
vrf-name: (Optional) VRF instance that identifies a VPN.
ip-address: IPv4 (network layer) address for which a permanent entry is added to the ARP cache. Enter the IPv4 address in four-part dotted-decimal format that corresponds to the local data-link address (a 32-bit address).
hardware-address: Hardware (data link layer) address that the IPv4 address is linked to. Enter the local data-link address (a 48-bit address), such as 0800.0900.1834.
encapsulation-type: Encapsulation type. The encapsulation types are:
For Ethernet interfaces, this is typically the arpa keyword.
alias: (Optional) Causes the software to respond to ARP requests as if it were the owner of both the specified IP address and hardware address, whether proxy ARP is enabled or not.
Command Default
No entries are permanently installed in the ARP cache.
Command Modes
Global configuration
Command History
This command was introduced.
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
The software uses ARP cache entries to translate 32-bit IP addresses into 48-bit hardware addresses.
Because most hosts support dynamic resolution, you generally need not specify static ARP cache entries.
Static entries are permanent entries that map a network layer address (IPv4 address) to a data-link layer address (MAC address). If the alias keyword is specified when creating the entry, the interface to which the entry is attached will act as if it is the owner of the specified addresses, that is, it will respond to ARP request packets for this network layer address with the data link layer address in the entry.
The software does not respond to any ARP requests received for the specified IP address unless proxy ARP is enabled on the interface on which the request is received. When proxy ARP is enabled, the software responds to ARP requests with its own local interface hardware address.
To remove all nonstatic entries from the ARP cache, enter the clear arp-cache command in EXEC mode.
Monitoring and Maintaining ARP Information
Address Resolution Protocol (ARP) is an Internet protocol used to map an IP address to a Media Access Control (MAC) address. ARP finds the MAC address, also known as the hardware address, of an IP-routed host from its known IP address and maintains this mapping information in a table. The router uses this IP address and MAC address mapping information to send IP packets to the next-hop router in the network.
Development of additional ARP information monitoring and maintenance capabilities is an incremental step within an overall program to improve the management tools for ARP support in a Cisco IOS environment:
•To better support ARP analysis activities, the ARP administrative facilities have been enhanced to provide more detailed information about and more granular control over ARP information. This information can be used to investigate issues with ARP packet traffic, ARP high availability (HA), or ARP synchronization with Cisco Express Forwarding (CEF) adjacency.
•The ARP debug trace facility has been enhanced to enable ARP packet debug trace for individual types of ARP events. The ARP debugging has also been enhanced to filter ARP entries for a specified interface, for hosts that match an access list, or both.
•For increased security against ARP attacks, trap-based enabling of ARP system message logging can be configured per interface to alert network administrators of possible anomalies.
No configuration tasks are associated with these additional ARP information monitoring and maintenance capabilities. The ARP-related enhancements introduced by this functionality are expanded forms of existing ARP management tasks.
Finding Feature Information in This Module
Your Cisco IOS software release may not support all of the features documented in this module. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for Monitoring and Maintaining ARP Information" section.
Finding Support Information for Platforms and Cisco IOS and Catalyst OS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•Restrictions for Monitoring and Maintaining ARP Information
•Information About Monitoring and Maintaining ARP Information
•How to Monitor and Maintain ARP Information
•Additional References
•Feature Information for Monitoring and Maintaining ARP Information
•Glossary
Restrictions for Monitoring and Maintaining ARP Information
For Cisco IOS Release 12.4(11)T, the following restrictions apply to the ARP information monitoring and maintenance capabilities:
•ARP High Availability
•ARP Security Against ARP Attacks
ARP High Availability
The ARP subsystem supports ARP high availability (HA) on Cisco networking devices that support dual Route Processors (RPs) for redundant processing capability. However, ARP HA is limited to the synchronization of dynamically learned ARP entries from the active RP to the standby RP. Statically configured ARP entries are not synchronized to the standby RP.
ARP Security Against ARP Attacks
The ARP subsystem supports a method for detecting a possible ARP attack by monitoring the number of ARP table entries for specific interfaces. However, no router-level security feature can prevent Man-in-the-Middle (MiM) types of ARP-spoofing attacks, which are a form of wiretapping attack where the attacker intercepts and selectively modifies communicated data to masquerade as one or more of the entities involved in a communication association. There are no ARP features to be implemented to resolve this security issue. Protecting the router from ARP attacks is best handled in switches through the ARP access control list (ACL) filters rather than at the router level.
Information About Monitoring and Maintaining ARP Information
Before you begin monitoring and maintaining ARP information, you should understand the following concepts:
•Overview of Monitoring and Maintaining ARP Information
•Address Resolution Protocol
•ARP Table
•ARP Table Entry Modes
•ARP Table Entry Subblocks
•ARP Table Entry Synchronization with CEF Adjacency
•ARP Table Size Monitoring Per Interface
•ARP High Availability
Overview of Monitoring and Maintaining ARP Information
Development of additional ARP information monitoring and maintenance capabilities is an incremental step within an overall program to improve the management tools for ARP support in a Cisco IOS environment. For information about the entire ARP feature, see the "Additional References" section. The following sections summarize the ARP subsystem enhancements introduced in Cisco IOS Release 12.4(11)T:
•ARP Information Display Enhancements
•ARP Information Refresh Enhancements
•ARP Debug Trace Enhancements
•ARP Security Enhancement
ARP Information Display Enhancements
The ARP information display capabilities have been expanded to support display of selected ARP entries, ARP entry details, and other ARP information.
Display of Selected ARP Entries
ARP table entries can be selected for display based on the following criteria:
•Virtual Private Network (VPN) routing and forwarding (VRF) instance
•ARP mode type
•Host or network
•Router interface
In Cisco IOS software versions prior to Release 12.4(11)T, the show arp command displays the entire ARP table.
Display of ARP Entry Details
The following detailed ARP information can be displayed:
•Adjacency notification—This information can be used to investigate issues with ARP packet traffic, ARP high availability (HA), or ARP notification for Cisco Express Forwarding (CEF) adjacency. If the ARP subsystem needs to synchronize an ARP entry with CEF adjacency, that information is included when the affected entry is displayed.
•Associated interface for floating static ARP entries—If the ARP subsystem succeeds in finding the associated interface for a floating static ARP entry, that information can be included when the affected entry is displayed.
•Application subblocks—If an application-specific ARP entry is displayed, information about the subblock data can be included in the display.
The show ip arp command, introduced in Cisco IOS Release 9.0, allows you to display only certain ARP table entries based on specified criteria (IP address, interface, or hardware address). However, that command does not display the ARP entry modes, CEF adjacency notification information, or the associated interface for floating static ARP entries.
Display of Other ARP Information
The following ARP information—other than the contents of the ARP table entries—can be displayed:
•ARP table summary statistics—The numbers of entries in the table of each mode type and per interface.
•ARP HA status and statistics—Different types of switchover statistics are displayed based on the current state and recent activities of the RP.
ARP Information Refresh Enhancements
In Cisco IOS software versions prior to Release 12.4(11)T, the clear arp command refreshes all non-static entries in the ARP table. The ARP information refresh facility enables you to manage selected ARP information:
•Refresh all non-static ARP table entries
•Refresh non-static ARP table entries associated with a particular interface
•Refresh non-static ARP table entries for a particular IP address in a particular VRF
•Reset ARP HA statistics
ARP Debug Trace Enhancements
In Cisco IOS software versions prior to Release 12.4(11)T, the debug arp command supports debugging information for ARP packet traffic only. The ARP debug trace facility now provides more detailed selection and filter options for ARP debug trace.
Debug Trace for Selected ARP Events
The ARP debugging information can be enabled for the following types of ARP events:
•ARP table entry events
•ARP table events
•ARP interface interactions
•ARP HA events
Support for Filtering Debug Trace by Interface or Access List
The debug arp command supports debug trace filtering as defined by the debug list command. This enhancement enables ARP debugging information to be focused on desired debugging information based on a specific router interface, an access list of IP addresses, or both.
ARP Security Enhancement
When trap-based enabling of ARP system message logging (syslog) output is configured, the router monitors the number of dynamically learned ARP table entries for each interface and triggers ARP logging whenever the number of learned ARP entries for a particular interface exceeds the preconfigured value.
Such syslog traps can in turn alert network administrators (via protocols such as SNMP) with the identity of the affected interface and the number of learned ARP entries over that interface. The administrator can then investigate why the ARP table has grown to the configured thresholds, and take the necessary action to resolve possible security breaching. Alternatively, the router can take self-defense actions automatically, with the action depending on the severity, from more frequent refreshing to shutting down the interface port.
Note This router-level security feature can help detect a MiM ARP-spoofing attack, but it cannot prevent such an attack. There are no ARP features to be implemented to resolve this security issue. Protecting the router from ARP attacks is best handled in switches through the ARP-ACL filters rather than at the router level.
Address Resolution Protocol
ARP was developed to enable communications on an internetwork, as defined by RFC 826. Routers and Layer 3 switches need ARP to map IP addresses to MAC hardware addresses so that IP packets can be sent across networks. This section provides background information about ARP:
•ARP Broadcast and Response Process
•ARP Caching
ARP Broadcast and Response Process
Before a device sends a datagram to another device, it looks in its own ARP information to see if there is a MAC address and corresponding IP address for the destination device. If there is no entry, the source device sends a broadcast message to every device on the network. Each device compares the IP address to its own. Only the device with the matching IP address replies to the sending device with a packet containing the MAC address for the device. The source device adds the destination device MAC address to its ARP table for future reference, creates a data-link header and trailer that encapsulates the packet, and proceeds to transfer the data.
When the destination device lies on a remote network, one beyond another router, the process is the same except that the sending device sends an ARP request for the MAC address of the default gateway. After the address is resolved and the default gateway receives the packet, the default gateway broadcasts the destination IP address over the networks connected to it. The router on the destination device network uses ARP to obtain the MAC address of the destination device and delivers the packet.
ARP Caching
Because the mapping of IP addresses to MAC addresses occurs at each hop (router) on the network for every datagram sent over an internetwork, performance of the network could be compromised. To minimize broadcasts and limit wasteful use of network resources, ARP caching was implemented.
ARP caching is the method of storing network addresses and the associated data-link addresses in memory for a period of time as the addresses are learned. This minimizes the use of valuable network resources to broadcast for the same address each time a datagram is sent. The cache entries must be maintained because the information could become outdated, so it is critical that the cache entries are set to expire periodically. Every device on a network updates its tables as addresses are broadcast.
ARP Table
The ARP table provides a database in which a Cisco router caches learned and configured route-mapping information. Each entry in the ARP table is associated with either a local IP address (which represents a device owned by the router) or a remote host IP address (which represents an external device). The contents of the entry define the following ARP-intrinsic information:
•The association of the 32-bit IP address and 48-bit MAC address of that port
•Other information needed to support ARP in a Cisco IOS environment (such as link type, VRF table ID, and encapsulation type)
When the router forwards a packet using an IP switching technology such as CEF, the ARP table entries supply MAC rewrite information.
ARP Table Entry Modes
Each entry in the ARP table is designated with a mode type. The ARP subsystem supports the basic ARP table entry modes and also introduces new, application-specific modes.
Basic ARP Table Entry Modes
The ARP subsystem uses the following basic ARP table entry modes to organize the ARP entries for ARP-internal processing:
•Alias—This mode is assigned to an entry that has been explicitly configured by an administrator with a local IP address, subnet mask, gateway, and corresponding MAC address. Static ARP entries are kept in the cache table on a permanent basis. They are best for local addresses that need to communicate with other devices in the same network on a regular basis.
•Dynamic—This mode is assigned to a dynamically learned entry that was initiated by an ARP request and is associated with an external host. Dynamic ARP entries are automatically added by the Cisco IOS software and maintained for a period of time, then removed. No administrative tasks are needed unless a time limit is added. The default time limit is four hours. If the network has a large number of routes that are added to and deleted from the cache, the time limit should be adjusted. A dynamic ARP entry is considered "complete" in that the entry contains the MAC address of the external host, as supplied by an ARP reply.
•Incomplete—This mode is a transient mode for a dynamic ARP entry. This mode indicates an entry that was initiated by an ARP request and is associated with an external host but does not contain a MAC address.
•Interface—This mode is assigned to an entry for a local IP address that has been derived from an interface.
•Static—This mode is assigned to an entry that has been explicitly configured by an administrator with an external IP address, subnet mask, gateway, and corresponding MAC address. Static ARP entries are kept in the cache table on a permanent basis. They are best for external devices that need to communicate with other devices in the same network on a regular basis. A static ARP entry is said to be "floating" if it is not associated with any interface when it is configured.
To maintain the validity of dynamically learned routes, the ARP subsystem refreshes dynamic ARP entries periodically (as configured or every four hours by default) so that the ARP table reflects any changed, aged-out, or removed dynamic routes.
To maintain the validity of statically configured routes, the ARP subsystem updates static ARP entries and alias ARP entries once per minute so that the ARP table reflects any changed or removed statically configured routes.
Application-Specific ARP Table Entry Modes
The ARP subsystem uses the application-specific ARP table entry modes to support applications that need to add ARP table entries for their solutions. ARP applications can register with the ARP subsystem to obtain an application type handle. With this handle, the applications can insert ARP entries with the appropriate application-specific entry mode:
•Simple Application—This mode is assigned to an application-created entry that represents an external device.
•Application Alias—This mode is assigned to an application-created entry that is associated with a local address.
•Application Timer—This mode is assigned to an application-created entry that is associated with an external device. The ARP subsystem provides timer-based services to applications that create entries of this mode.
Application-specific entries do not expire, but instead are maintained by the application.
ARP Table Entry Subblocks
The ARP entry subblock structure provides the means to attach non-ARP intrinsic data to selected ARP entries. When an ARP entry inserted into the ARP table requires special, ARP-internal handling, the information needed by the process that performs the special handling is defined in a subblock that is attached to the ARP entry.
The ARP subsystem attaches subblocks to the following types of ARP entries, as needed:
•Alias, dynamic, and static ARP entries—A subblock is attached to all entries of these types in order to specify information needed by the ARP timer process that coordinates the periodic refresh operation, which ensures the validity of the associations between IP addresses and MAC addresses defined by these entries.
•Interface ARP entries—A subblock is attached to all interface ARP entries in order to store information about the interface.
•Application Simple, Alias Application, and Timer Application entries—An application that creates an ARP entry can include any application-specific data necessary for its work, such as timer structures for timer services or data structure pointers for grouping related subblocks.
ARP Table Entry Synchronization with CEF Adjacency
If CEF is enabled on the router, the router maintains forwarding information (outbound interface and MAC header rewrite) for adjacent nodes. A node is said to be adjacent to another node if the node can be reached with a single hop across a link layer (Layer 2). CEF stores the forwarding information in an adjacency database so that Layer 2 addressing information can be inserted into link-layer headers attached to the ARP packets.
The ARP table information is one of the sources for CEF adjacency. Whenever the ARP subsystem attaches an ARP table entry to an outbound interface with a valid hardware address, the subsystem issues an internal "ARP adjacency" notification. The notification causes an ARP background process to synchronize that ARP entry with CEF adjacency via the adjacency database.
Attachment to an outbound interface occurs only for entries in the following modes:
•Alias
•Dynamic
•Floating Static
•Application Simple
•Application Timer
The ARP subsystem processes each floating static ARP entry to find the attached interface by using the IP address in the entry to locate the connected or proxy-ARP interface. The addition of this interface information completes the ARP entry so that it can be synchronized with CEF adjacency.
ARP Table Size Monitoring Per Interface
The ARP protocol can be used as a vehicle to attack router systems. One ARP attack method, spoofing, is applied on the medium to forge the identity of the host. The Cisco IOS routers have implemented a self-defense scheme to protect the router’s own interface address. Other features, such as secure ARP and authorized ARP learning, are implemented in some Cisco IOS releases to limit the scope of ARP learning.
Another ARP attack method, denial-of-service (DoS), includes sending ARP packets to the router in an attempt to overwhelm the CPU processing the ARP packets and to deplete system memory by the ARP table entries created as a result of the ARP packets, resulting in a service outage on the network. A high rate of incoming ARP packets can also cause the ARP input queue to fill up quickly and exceed the maximum default or router-configured capacity, causing an out-of-service condition.
One way to detect a possible attempt to breach security through an ARP attack on the router is to monitor the size of the ARP table and trigger an alert when the number of entries reaches a configured threshold. With a simple limit on the overall ARP table size, though, it is difficult to distinguish between a valid ARP packet and a rogue packet. For a more accurate view of the incoming packets, the ARP subsystem monitors the ARP table size at the interface level. Based on the number of nodes the router serves and the number of hosts on an interface, the expected maximum number of interface-specific entries can be determined. If the number of ARP table entries for an interface exceeds the predetermined threshold, that condition might indicate an attempt to breach security through an ARP attack on the router.
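As an added illustration of the per-interface monitoring just described (this is a script written for this page, not Cisco IOS code and not part of the original document): it parses the text of `show arp`, counts learned entries per interface and flags any interface whose count exceeds a threshold sized for the hosts expected on that segment. The `show arp` lines are a constructed sample, and the threshold values are assumptions; in practice the text would come from the command output collected by your monitoring system.

```python
import re
from collections import Counter

# Constructed sample of Cisco IOS "show arp" output (made up for this example,
# not captured from a real router). Age "-" marks the router's own interface
# address or a static entry; "Incomplete" entries have no interface column.
SAMPLE_SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                -   0011.2233.0001  ARPA   GigabitEthernet0/0
Internet  10.1.1.20               3   0011.2233.0020  ARPA   GigabitEthernet0/0
Internet  10.1.1.21               0   0011.2233.0021  ARPA   GigabitEthernet0/0
Internet  10.1.1.22               0   0011.2233.0022  ARPA   GigabitEthernet0/0
Internet  10.1.1.99               0   Incomplete      ARPA
Internet  10.2.2.1                -   0011.2233.0101  ARPA   GigabitEthernet0/1
Internet  10.2.2.50              15   0011.2233.0150  ARPA   GigabitEthernet0/1
"""

ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\S+)\s+(?P<age>\S+)\s+(?P<mac>\S+)\s+(?P<type>\S+)"
    r"(?:\s+(?P<iface>\S+))?\s*$"
)


def parse_show_arp(text):
    """Return one dict per ARP entry line; the header line is skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def learned_per_interface(entries):
    """Count learned (dynamic) entries per interface. The router's own interface
    addresses and static entries (Age "-") are not learned and are excluded;
    incomplete entries have no interface and are counted under "(incomplete)"."""
    counts = Counter()
    for e in entries:
        if e["age"] == "-":
            continue
        counts[e["iface"] or "(incomplete)"] += 1
    return counts


def check_thresholds(counts, thresholds, default_threshold):
    """Return (interface, count, threshold) for every interface over its limit.
    Per-interface limits let a burst of entries on one segment stand out where
    a single table-wide limit would not."""
    alerts = []
    for iface, n in sorted(counts.items()):
        limit = thresholds.get(iface, default_threshold)
        if n > limit:
            alerts.append((iface, n, limit))
    return alerts


# Assumed thresholds, sized from the number of hosts expected on each segment.
THRESHOLDS = {"GigabitEthernet0/0": 2, "GigabitEthernet0/1": 50}


def run(text=SAMPLE_SHOW_ARP, thresholds=THRESHOLDS, default_threshold=100):
    counts = learned_per_interface(parse_show_arp(text))
    return counts, check_thresholds(counts, thresholds, default_threshold)


if __name__ == "__main__":
    counts, alerts = run()
    for iface, n in sorted(counts.items()):
        print(f"{iface:22} learned entries: {n}")
    for iface, n, limit in alerts:
        print(f"ALERT {iface}: {n} learned entries exceeds threshold {limit}")
```

With the sample above, GigabitEthernet0/0 carries three learned entries against an assumed limit of two and is reported, while the single incomplete entry is kept visible under its own bucket because a rising count of incomplete entries is exactly the symptom of the queue- and memory-exhaustion scenario described earlier.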
ARP High Availability
ARP HA is a function of the Cisco Nonstop Forwarding (NSF) feature in the Cisco IOS software. On a Cisco networking device that contains dual RPs and has been configured for stateful switchover (SSO), ARP HA provides a method for increasing network availability for processing ARP entries.
This section summarizes the internal processes and data structures that the ARP subsystem uses to implement ARP HA:
•Co-Existence with Stateful Switchover
•Synchronization Queue
•Backup ARP Table
•ARP HA State Machine
Co-Existence with Stateful Switchover
In Cisco networking devices that support dual RPs, ARP uses the SSO feature in the Cisco IOS software. SSO provides redundancy and synchronization for many Cisco IOS applications and features. SSO takes advantage of RP redundancy by establishing one of the RPs as the active processor while the other RP is designated as the standby processor, and then synchronizing critical state information between them.
Following an initial synchronization between the two processors, SSO dynamically maintains RP state information between the processors. A switchover from the active to the standby processor occurs when the active RP fails, is removed from the networking device, or is manually taken down for maintenance.
For more information about the SSO feature, see the "Additional References" section.
Synchronization Queue
The active RP maintains a synchronization queue, which contains two lists of ARP table entries:
•ARP entries from the main ARP table that are to be synchronized to the standby RP
•ARP entries from the main ARP table that have already been synchronized to the standby RP
Note The synchronization queue consists of two lists of links to entries in the main ARP table.
When switchover occurs, the ARP HA process uses the list of not-yet-synchronized entries to determine which of the entries in the redundant ARP table in the new standby RP (originally the active RP) to synchronize with the main ARP table.
If the standby RP crashes, the ARP HA process bulk synchronizes the entire synchronization queue (entries from both of the lists) to the standby RP when the standby RP reboots.
Backup ARP Table
The standby RP maintains a backup ARP table, which stores backup ARP entries that the standby RP receives from the active RP. During a switchover, the ARP HA process monitors the interface up events. For interfaces that come up, the process searches the backup table on the new active RP (originally the standby RP) for the related ARP entries. The process then adds any related backup ARP entries to the main ARP table.
ARP HA State Machine
The ARP HA process is controlled by an event-driven state machine that consists of two halves: one half for the active RP and the other half for the standby RP. When a switchover occurs, the standby RP transitions to the active half of the state machine. The state machine tracks the status of active/standby synchronization and switchover.
The active half of the state machine can be in any one of the following states:
•ARP_HA_ST_A_UP_SYNC—Active state in which the active RP sends entries from the synchronization queue to the standby RP. The active RP transitions into this state when the standby RP comes up.
•ARP_HA_ST_A_UP—Active state in which the active RP does not send entries to the standby RP. The active RP transitions into this state either because the standby RP has not come up yet or because a previous synchronization has failed.
•ARP_HA_ST_A_BULK—Transient state in which the active RP bulk-synchronizes the entire set of ARP entries to the standby RP and then waits for the standby RP to signal that it has finished processing the entries sent by the bulk-synchronization operation.
•ARP_HA_ST_A_SSO—Transient state in which the new active RP waits for the signal to be fully operational.
The standby half of the state machine contains the following states:
•ARP_HA_ST_S_BULK—Transient state in which the standby RP processes the entries sent by the bulk-synchronization operation. After the active RP signals that it has finished sending entries, the standby RP transitions into the ARP_HA_ST_S_UP state and then signals back to the active RP that it has finished processing the entries sent by the bulk-synchronization operation.
•ARP_HA_ST_S_UP—Active state in which the standby RP processes the incremental ARP synchronization entries from the active RP. When the switchover occurs, the standby RP transitions to the ARP_HA_ST_A_SSO state.
These states and recent activities of the RP can be displayed for monitoring the ARP HA activities.
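As an added model of the synchronization queue, the backup ARP table and the switchover handling described in the preceding subsections (an illustration written for this page, not Cisco IOS code): the active RP keeps the two lists of the synchronization queue, the standby RP keeps the backup table, a standby crash followed by a reboot triggers a bulk synchronization of both lists, and a switchover adds the backup entries of interfaces that come up to the new main table. The class and function names are assumptions. Transitions the text does not state explicitly, namely that the bulk operation precedes ARP_HA_ST_A_UP_SYNC when the standby comes up and that the new active RP settles in ARP_HA_ST_A_UP once it is operational, are assumptions and are marked as such in the comments.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str
    interface: str


class StandbyRP:
    """Standby RP: keeps the backup ARP table fed by the active RP."""

    def __init__(self):
        self.backup = {}                     # backup ARP table: ip -> ArpEntry
        self.state = "ARP_HA_ST_S_BULK"      # waits for the bulk-synchronization operation

    def receive_bulk(self, entries):
        for entry in entries:
            self.backup[entry.ip] = entry
        # active RP signalled the end of the bulk operation: move to S_UP and signal back
        self.state = "ARP_HA_ST_S_UP"

    def receive_entry(self, entry):
        # incremental synchronization entry processed while in S_UP
        self.backup[entry.ip] = entry


class ActiveRP:
    """Active RP: main ARP table plus the two-list synchronization queue."""

    def __init__(self):
        self.arp_table = {}                  # main ARP table: ip -> ArpEntry
        self.to_sync = []                    # list 1: entries not yet synchronized to the standby
        self.synced = []                     # list 2: entries already synchronized
        self.standby = None                  # peer, None until the standby RP comes up
        self.state = "ARP_HA_ST_A_UP"        # standby not up yet: nothing is sent

    def learn(self, entry):
        """A new main-table entry is queued on the not-yet-synchronized list."""
        self.arp_table[entry.ip] = entry
        self.to_sync.append(entry.ip)

    def standby_up(self, standby):
        """Standby comes up (or reboots after a crash): bulk-synchronize the whole
        queue, both lists, then continue with incremental synchronization.
        Assumption: A_BULK precedes A_UP_SYNC here; the text only states that the
        active RP enters A_UP_SYNC when the standby RP comes up."""
        self.standby = standby
        self.state = "ARP_HA_ST_A_BULK"
        standby.receive_bulk([self.arp_table[ip] for ip in self.to_sync + self.synced])
        # standby has signalled that it finished processing the bulk entries
        self.synced.extend(self.to_sync)
        self.to_sync.clear()
        self.state = "ARP_HA_ST_A_UP_SYNC"

    def incremental_sync(self):
        """Send pending entries to the standby; returns how many were sent.
        Only A_UP_SYNC sends; in A_UP nothing is sent."""
        if self.state != "ARP_HA_ST_A_UP_SYNC":
            return 0
        sent = 0
        while self.to_sync:
            ip = self.to_sync.pop(0)
            self.standby.receive_entry(self.arp_table[ip])
            self.synced.append(ip)
            sent += 1
        return sent

    def standby_crashed(self):
        """Synchronization failed or standby gone: stop sending until it reboots."""
        self.standby = None
        self.state = "ARP_HA_ST_A_UP"


def unsynced_at_switchover(old_active):
    """The not-yet-synchronized list identifies which entries of the old active
    RP's table (now the new standby) still have to be reconciled with the new
    active RP's main table after a switchover."""
    return [old_active.arp_table[ip] for ip in old_active.to_sync]


def switchover(standby, interfaces_up):
    """Standby becomes the new active RP (S_UP -> A_SSO). Backup entries for the
    interfaces that come up are added to the new main ARP table. Assumption: the
    new active RP continues in A_UP (no standby yet) once fully operational."""
    if standby.state != "ARP_HA_ST_S_UP":
        raise RuntimeError("switchover before bulk synchronization completed")
    new_active = ActiveRP()
    new_active.state = "ARP_HA_ST_A_SSO"
    for entry in standby.backup.values():
        if entry.interface in interfaces_up:
            new_active.learn(entry)          # lands in the main table and on list 1
    new_active.state = "ARP_HA_ST_A_UP"      # assumption: signalled fully operational
    return new_active
```

The point the model makes visible is the window between `learn` and `incremental_sync`: an entry learned on the active RP but still on list 1 at the moment of switchover is absent from the new active RP's table, which is why the text has the HA process consult the not-yet-synchronized list rather than assume the backup table is complete.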
How to Monitor and Maintain ARP Information
This section contains the following procedures:
•Displaying ARP Table Entry Information
•Displaying ARP HA Status and Statistics
•Refreshing Dynamically Learned ARP Table Entries
•Resetting ARP HA Statistics
•Enabling Debug Trace for ARP Transactions
•Enabling ARP Trap on the Number of Learned Entries on an Interface
Displaying ARP Table Entry Information
To verify ARP table entry information, use the show arp summary, show arp, and show arp application commands.
•Step 2 is useful for obtaining a high-level view of the contents of the ARP table.
•Step 3 and Step 4 are useful for displaying the contents of all ARP table entries and any entry subblocks.
•Step 5 is useful for displaying ARP table information about external applications that are supported by ARP and are running on registered clients.
SUMMARY STEPS
1. enable
2. show arp summary
3. show interfaces [summary]
4. show arp [[vrf vrf-name] [[arp-mode] [[ip-address [mask]] [interface-type interface-number]]]] [detail]
5. show arp application [application-id] [detail]
DETAILED STEPS
Step 1 enable
This command enables privileged EXEC mode.
Step 2 show arp summary
This command displays the total number of ARP table entries, the number of ARP table entries for each ARP entry mode, and the number of ARP table entries for each interface on the router.