Skip to main content

Need some help with weird stuff

More
17 years 6 months ago #22269 by DataStorm
Hi. I have 2 questions that have bothered me for quite a while. Here they are :

1.

PC1=10.0.0.1/8
PC2=10.1.0.1/24

PC1 and PC2 connected by a switch.

PC1 wants to ping PC2. It doesn't have the MAC address of PC2 in ARP table, it does 10.1.0.1 AND 255.0.0.0, it sees it's on 10.0.0.0 subnet, it has to ARP for the MAC address of PC2. PC2 gets the ping from PC1, checks the src ip address, 10.1.0.1, it ANDs it with 255.255.255.0, sees it's on 10.1.0.0 subnet. So it shouldn't work, right? Tried this in a Windows network and it works. In Packet Tracer 4.01, when PC2 receiver the ARP request, it drops the packet (the explination given : it checks the source ip address and it sees it's on different subnet).

2.
Seen this in a school network :
PC1 (windows) ip address = 192.168.0.100 netmask 255.255.255.0, default gateway : 172.16.0.1, and it works.

Can anyone shed some light on these 2 problems?
More
17 years 6 months ago #22270 by Smurf
Hi there,

1. I have seen this happen a long time ago and just put it down to the way Windows did its networkid checking. When you have tested it, did you have a Default Gateway configured on both machines ?

For the machine on the /8 network, it would think the machine is on the local network and do an ARP for that IP Address. Because it broadcasts on the local lan for the machine that has the ip address (ignores subnet masks), it will get a reply from the machine that is in the /24 network. This therefore will put MAC to IP lines in the ARP cache. Theoretically, the /24 machine would think the machine is on a differnet subnet and ARP for the Default Gateway and send the traffic that way. You may experience hit and miss communication with this, not too sure what the process is if the MAC to IP is already in the table, will it check the networkID first or just notice that the MAC exisits and therefor assume it can talk directly ? Hmm, ponder...i may check this myself.

2. This is a common one. If the switch/router supports Proxy Arp, then the switch/router will pick the traffic up and then just forward it to the correct subnet.

Cheers

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
More
17 years 6 months ago #22271 by DataStorm
1. I tried that in the past with no default gateway set.

Tried it on 2 Cisco routers, connected viat ethernet :

R1<
>R2

[code:1]
R1#sh ip int f0/0
FastEthernet0/0 is up, line protocol is up
Internet address is 10.0.0.1/8
<output ommited>

R1#ping 10.1.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.0.1, timeout is 2 seconds:

*Jun 15 20:44:58.539: IP: tableid=0, s=10.0.0.1 (local), d=10.1.0.1 (FastEthernet0/0), routed via RIB
*Jun 15 20:44:58.539: IP: s=10.0.0.1 (local), d=10.1.0.1 (FastEthernet0/0), len 100, sending
*Jun 15 20:44:58.547: IP: s=10.0.0.1 (local), d=10.1.0.1 (FastEthernet0/0), len 100, encapsulation failed.
*Jun 15 20:45:00.539: IP: tableid=0, s=10.0.0.1 (local), d=10.1.0.1 (FastEthernet0/0), routed via RIB
*Jun 15 20:45:00.539: IP: s=10.0.0.1 (local), d=10.1.0.1 (FastEthernet0/0), len 100, sending
*Jun 15 20:45:00.539: IP: s=10.0.0.1 (local), d=10.1.0.1 (FastEthernet0/0), len 100, encapsulation failed.
*Jun 15 20:45:02.539: IP: tableid=0, s=10.0.0.1 (local), d=10.1.0.1 (FastEthernet0/0), routed via RIB
*Jun 15 20:45:02.543: IP: s=10.0.0.1 (local), d=10.1.0.1 (FastEthernet0/0), len 100, sending
*Jun 15 20:45:02.547: IP: s=10.0.0.1 (local), d=10.1.0.1 (FastEthernet0/0), len 100, encapsulation failed.
*Jun 15 20:45:04.539: IP: tableid=0, s=10.0.0.1 (local), d=10.1.0.1 (FastEthernet0/0), routed via RIB
*Jun 15 20:45:04.539: IP: s=10.0.0.1 (local), d=10.1.0.1 (FastEthernet0/0), len 100, sending
*Jun 15 20:45:04.539: IP: s=10.0.0.1 (local), d=10.1.0.1 (FastEthernet0/0), len 100, encapsulation failed.
*Jun 15 20:45:06.539: IP: tableid=0, s=10.0.0.1 (local), d=10.1.0.1 (FastEthernet0/0), routed via RIB
*Jun 15 20:45:06.539: IP: s=10.0.0.1 (local), d=10.1.0.1 (FastEthernet0/0), len 100, sending
*Jun 15 20:45:06.539: IP: s=10.0.0.1 (local), d=10.1.0.1 (FastEthernet0/0), len 100, encapsulation failed.
Success rate is 0 percent (0/5)

R1#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.0.0.1 - ca00.0e15.0000 ARPA FastEthernet0/0
[/code:1]

[code:1]
R2#sh ip int f0/0
FastEthernet0/0 is up, line protocol is up
Internet address is 10.1.0.1/24
<output ommited>

R2#ping 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:

*Jun 15 20:41:26.331: IP: s=10.1.0.1 (local), d=10.0.0.1, len 100, unroutable.
*Jun 15 20:41:28.331: IP: s=10.1.0.1 (local), d=10.0.0.1, len 100, unroutable.
*Jun 15 20:41:30.331: IP: s=10.1.0.1 (local), d=10.0.0.1, len 100, unroutable.
*Jun 15 20:41:32.331: IP: s=10.1.0.1 (local), d=10.0.0.1, len 100, unroutable.
*Jun 15 20:41:34.331: IP: s=10.1.0.1 (local), d=10.0.0.1, len 100, unroutable.
Success rate is 0 percent (0/5)

R2#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.1.0.1 - ca01.0e15.0000 ARPA FastEthernet0/0
[/code:1]

So in the case i described earlier it must be the Windows fault.

2. I think that PC1 and GW should not even talk to each other since they both are in different subnets. Also tried it with 2 Cisco routers .

192.168.0.1/24 172.16.0.1/24
R1<
>R2

[code:1]
R1#sh ip int f0/0
FastEthernet0/0 is up, line protocol is up
Internet address is 192.168.0.1/24
<output ommited>

R1#ping 172.16.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:

*Jun 15 20:57:58.711: IP: s=192.168.0.1 (local), d=172.16.0.1, len 100, unroutable.
*Jun 15 20:58:00.715: IP: s=192.168.0.1 (local), d=172.16.0.1, len 100, unroutable.
*Jun 15 20:58:02.711: IP: s=192.168.0.1 (local), d=172.16.0.1, len 100, unroutable.
*Jun 15 20:58:04.711: IP: s=192.168.0.1 (local), d=172.16.0.1, len 100, unroutable.
*Jun 15 20:58:06.711: IP: s=192.168.0.1 (local), d=172.16.0.1, len 100, unroutable.
Success rate is 0 percent (0/5)

R1(config)#ip route 0.0.0.0 0.0.0.0 172.16.0.1
R1(config)#^Z
R1#sh ip route
*Jun 15 20:56:59.495: %SYS-5-CONFIG_I: Configured from console by console
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C 192.168.0.0/24 is directly connected, FastEthernet0/0

R1#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.0.1 - ca00.0e15.0000 ARPA FastEthernet0/0

[/code:1]

same on R2...

Again, is it Windows's fault that it sends/accepts ARP requests for addresses on different subnets?
More
17 years 6 months ago #22278 by Smurf
1. Yes i think that this is something to do with windows. As my previous post, i am wondering if its because of the ARP entries and Windows checks that first and notices its there. I am also wondering if, the /24 machine is unable to ping the other machine first and it only works once the /8 machine has first talked to the /24 machine. This would make sense since the /24 would notice its not on the same subnet and would therefore try to route the traffic, hence it would never get to the ARP Cache. The other way around, /8 thinks its on the same subnet, does an ARP broadcast which /24 will respond to since its a broadcast and therefore both machine would get ARP entries and therefore talk.

2. The only real explination to this one is if a router or layer 3 switch is doing proxy arp.

Cheers

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
More
17 years 6 months ago #22280 by DataStorm
Thanks for the input :)
Time to create page: 0.125 seconds