Hot Downloads

Welcome, Guest
Username: Password: Remember me

TOPIC: Need some help with weird stuff

Need some help with weird stuff 9 years 5 months ago #22269

  • DataStorm
  • DataStorm's Avatar
  • Offline
  • New Member
  • Posts: 5
  • Karma: 0
Hi. I have 2 questions that have bothered me for quite a while. Here they are :

1.

PC1=10.0.0.1/8
PC2=10.1.0.1/24

PC1 and PC2 connected by a switch.

PC1 wants to ping PC2. It doesn't have the MAC address of PC2 in ARP table, it does 10.1.0.1 AND 255.0.0.0, it sees it's on 10.0.0.0 subnet, it has to ARP for the MAC address of PC2. PC2 gets the ping from PC1, checks the src ip address, 10.1.0.1, it ANDs it with 255.255.255.0, sees it's on 10.1.0.0 subnet. So it shouldn't work, right? Tried this in a Windows network and it works. In Packet Tracer 4.01, when PC2 receiver the ARP request, it drops the packet (the explination given : it checks the source ip address and it sees it's on different subnet).

2.
Seen this in a school network :
PC1 (windows) ip address = 192.168.0.100 netmask 255.255.255.0, default gateway : 172.16.0.1, and it works.

Can anyone shed some light on these 2 problems?
The administrator has disabled public write access.

Re: Need some help with weird stuff 9 years 5 months ago #22270

  • Smurf
  • Smurf's Avatar
  • Offline
  • Moderator
  • Posts: 1390
  • Karma: 1
Hi there,

1. I have seen this happen a long time ago and just put it down to the way Windows did its networkid checking. When you have tested it, did you have a Default Gateway configured on both machines ?

For the machine on the /8 network, it would think the machine is on the local network and do an ARP for that IP Address. Because it broadcasts on the local lan for the machine that has the ip address (ignores subnet masks), it will get a reply from the machine that is in the /24 network. This therefore will put MAC to IP lines in the ARP cache. Theoretically, the /24 machine would think the machine is on a differnet subnet and ARP for the Default Gateway and send the traffic that way. You may experience hit and miss communication with this, not too sure what the process is if the MAC to IP is already in the table, will it check the networkID first or just notice that the MAC exisits and therefor assume it can talk directly ? Hmm, ponder...i may check this myself.

2. This is a common one. If the switch/router supports Proxy Arp, then the switch/router will pick the traffic up and then just forward it to the correct subnet.

Cheers
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
The administrator has disabled public write access.

Re: Need some help with weird stuff 9 years 5 months ago #22271

  • DataStorm
  • DataStorm's Avatar
  • Offline
  • New Member
  • Posts: 5
  • Karma: 0
1. I tried that in the past with no default gateway set.

Tried it on 2 Cisco routers, connected viat ethernet :

R1<
>R2

[code:1]
R1#sh ip int f0/0
FastEthernet0/0 is up, line protocol is up
Internet address is 10.0.0.1/8
<output ommited>

R1#ping 10.1.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.0.1, timeout is 2 seconds:

*Jun 15 20:44:58.539: IP: tableid=0, s=10.0.0.1 (local), d=10.1.0.1 (FastEthernet0/0), routed via RIB
*Jun 15 20:44:58.539: IP: s=10.0.0.1 (local), d=10.1.0.1 (FastEthernet0/0), len 100, sending
*Jun 15 20:44:58.547: IP: s=10.0.0.1 (local), d=10.1.0.1 (FastEthernet0/0), len 100, encapsulation failed.
*Jun 15 20:45:00.539: IP: tableid=0, s=10.0.0.1 (local), d=10.1.0.1 (FastEthernet0/0), routed via RIB
*Jun 15 20:45:00.539: IP: s=10.0.0.1 (local), d=10.1.0.1 (FastEthernet0/0), len 100, sending
*Jun 15 20:45:00.539: IP: s=10.0.0.1 (local), d=10.1.0.1 (FastEthernet0/0), len 100, encapsulation failed.
*Jun 15 20:45:02.539: IP: tableid=0, s=10.0.0.1 (local), d=10.1.0.1 (FastEthernet0/0), routed via RIB
*Jun 15 20:45:02.543: IP: s=10.0.0.1 (local), d=10.1.0.1 (FastEthernet0/0), len 100, sending
*Jun 15 20:45:02.547: IP: s=10.0.0.1 (local), d=10.1.0.1 (FastEthernet0/0), len 100, encapsulation failed.
*Jun 15 20:45:04.539: IP: tableid=0, s=10.0.0.1 (local), d=10.1.0.1 (FastEthernet0/0), routed via RIB
*Jun 15 20:45:04.539: IP: s=10.0.0.1 (local), d=10.1.0.1 (FastEthernet0/0), len 100, sending
*Jun 15 20:45:04.539: IP: s=10.0.0.1 (local), d=10.1.0.1 (FastEthernet0/0), len 100, encapsulation failed.
*Jun 15 20:45:06.539: IP: tableid=0, s=10.0.0.1 (local), d=10.1.0.1 (FastEthernet0/0), routed via RIB
*Jun 15 20:45:06.539: IP: s=10.0.0.1 (local), d=10.1.0.1 (FastEthernet0/0), len 100, sending
*Jun 15 20:45:06.539: IP: s=10.0.0.1 (local), d=10.1.0.1 (FastEthernet0/0), len 100, encapsulation failed.
Success rate is 0 percent (0/5)

R1#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.0.0.1 - ca00.0e15.0000 ARPA FastEthernet0/0
[/code:1]

[code:1]
R2#sh ip int f0/0
FastEthernet0/0 is up, line protocol is up
Internet address is 10.1.0.1/24
<output ommited>

R2#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:

*Jun 15 20:41:26.331: IP: s=10.1.0.1 (local), d=10.0.0.1, len 100, unroutable.
*Jun 15 20:41:28.331: IP: s=10.1.0.1 (local), d=10.0.0.1, len 100, unroutable.
*Jun 15 20:41:30.331: IP: s=10.1.0.1 (local), d=10.0.0.1, len 100, unroutable.
*Jun 15 20:41:32.331: IP: s=10.1.0.1 (local), d=10.0.0.1, len 100, unroutable.
*Jun 15 20:41:34.331: IP: s=10.1.0.1 (local), d=10.0.0.1, len 100, unroutable.
Success rate is 0 percent (0/5)

R2#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.1.0.1 - ca01.0e15.0000 ARPA FastEthernet0/0
[/code:1]

So in the case i described earlier it must be the Windows fault.

2. I think that PC1 and GW should not even talk to each other since they both are in different subnets. Also tried it with 2 Cisco routers .

192.168.0.1/24 172.16.0.1/24
R1<
>R2

[code:1]
R1#sh ip int f0/0
FastEthernet0/0 is up, line protocol is up
Internet address is 192.168.0.1/24
<output ommited>

R1#ping 172.16.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:

*Jun 15 20:57:58.711: IP: s=192.168.0.1 (local), d=172.16.0.1, len 100, unroutable.
*Jun 15 20:58:00.715: IP: s=192.168.0.1 (local), d=172.16.0.1, len 100, unroutable.
*Jun 15 20:58:02.711: IP: s=192.168.0.1 (local), d=172.16.0.1, len 100, unroutable.
*Jun 15 20:58:04.711: IP: s=192.168.0.1 (local), d=172.16.0.1, len 100, unroutable.
*Jun 15 20:58:06.711: IP: s=192.168.0.1 (local), d=172.16.0.1, len 100, unroutable.
Success rate is 0 percent (0/5)

R1(config)#ip route 0.0.0.0 0.0.0.0 172.16.0.1
R1(config)#^Z
R1#sh ip route
*Jun 15 20:56:59.495: %SYS-5-CONFIG_I: Configured from console by console
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C 192.168.0.0/24 is directly connected, FastEthernet0/0

R1#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.0.1 - ca00.0e15.0000 ARPA FastEthernet0/0

[/code:1]

same on R2...

Again, is it Windows's fault that it sends/accepts ARP requests for addresses on different subnets?
The administrator has disabled public write access.

Re: Need some help with weird stuff 9 years 5 months ago #22278

  • Smurf
  • Smurf's Avatar
  • Offline
  • Moderator
  • Posts: 1390
  • Karma: 1
1. Yes i think that this is something to do with windows. As my previous post, i am wondering if its because of the ARP entries and Windows checks that first and notices its there. I am also wondering if, the /24 machine is unable to ping the other machine first and it only works once the /8 machine has first talked to the /24 machine. This would make sense since the /24 would notice its not on the same subnet and would therefore try to route the traffic, hence it would never get to the ARP Cache. The other way around, /8 thinks its on the same subnet, does an ARP broadcast which /24 will respond to since its a broadcast and therefore both machine would get ARP entries and therefore talk.

2. The only real explination to this one is if a router or layer 3 switch is doing proxy arp.

Cheers
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
The administrator has disabled public write access.

Re: Need some help with weird stuff 9 years 5 months ago #22280

  • DataStorm
  • DataStorm's Avatar
  • Offline
  • New Member
  • Posts: 5
  • Karma: 0
Thanks for the input :)
The administrator has disabled public write access.
Time to create page: 0.083 seconds

CCENT/CCNA

Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V

Linux

  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup