BGP update-source and ARP Inspection

frknl
Level 1
Level 1

Hi there, I'm learning BGP slowly nowadays, and one thing that I don't understand from a security perspective is using another IP with the same MAC address.

So here is a simple and basic config

R1 F0/0           >---<      F0/0 R2

192.168.0.1                   192.168.0.2

AS10                               AS10




R1(config)# router bgp 10
R1(config-router)# neighbor 192.168.0.2 remote-as 10

R2(config)# router bgp 10
R2(config-router)# neighbor 192.168.0.1 remote-as 10


At this point the two routers have populated their ARP tables, and each has one IP address with a corresponding MAC.

Let's say R1 MAC: AA:AA:AA R2 MAC: BB:BB:BB

R1 ARP table > 192.168.0.2 BB:BB:BB

R2 ARP table > 192.168.0.1 AA:AA:AA

 

Two routers on the same L2 segment and the same subnet. Even though they don't need IPs to communicate, they use IP for TCP requirements. So far so good, everything works.

 

Now, when R1 wants a loopback0 with 100.0.0.1 255.255.255.0 to be used with the BGP update-source option, it adds this:

R1(config-router)# neighbor 192.168.0.2 remote-as 10
R1(config-router)# neighbor 192.168.0.2 update-source Loopback0

 

For proper communication, we add on R2:

R2(config-router)# neighbor 100.0.0.1 remote-as 10
R2(config)# ip route 100.0.0.0 255.255.255.0 192.168.0.1


Now, the older neighborship is dead and the new neighborship is up. But even though R1 is using its real interface MAC address for the loopback IP source, R2 also received a new ARP entry for 100.0.0.1, and it points to the already existing MAC address.

 

I'm not sure whether dynamic ARP inspection is a feature specific to switches and no routers have it, but if we use a switch between the two routers and/or another security mechanism to protect our domain, like IP-MAC bindings, what is the result of this scenario from R2's perspective?

The problem isn't multiple packets received with the same MAC and different IPs; the problem is ARP.

 

Thank you.


I get your point.
The other peer uses a static route and uses the next hop; it sends ARP to ask for the MAC of the next hop to build the frame,
the next hop replies, and hence the peer now has the
IP-MAC.

How can I protect this?
You can do DAI with an ACL,
but this protects only from MAC spoofing, not other attacks.

example:-

SW(config)# arp access-list H2

SW(config-arp-nacl)# permit ip host 1.1.1.1 mac host 1.1.1


Richard Burts
Hall of Fame
Hall of Fame

It is not unusual, and in general is not a problem, for multiple IP addresses to have the same MAC address shown in the ARP table. I have not tested but do not believe that ARP inspection would change this behavior.

HTH

Rick

Hi Richard,

Thanks for your response.

I realized that R2 never starts an ARP process for 100.0.0.1 because of the static route, and there is no directly connected segment for 100.0.0.0.

So it always transmits packets properly. I guess this is a fair solution.

 

Harold Ritter
Level 12
Level 12

Hi @frknl ,

 

R2 will not send an ARP request for 100.0.0.1. It has an IP route for 100.0.0.1 with a next hop of 192.168.0.1. It simply needs to resolve the directly connected next hop, not 100.0.0.1 as such.

 

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
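To make Harold's point concrete, here is an added Python model of R2's forwarding decision and of a DAI binding check. It is not the thread's configuration and not Cisco code; the routing table, the MACs and the binding table are constructed from the addresses in the thread.

```python
import ipaddress

# Constructed model of R2's routing table: (prefix, next_hop).
# next_hop None means the prefix is directly connected.
R2_ROUTES = [
    (ipaddress.ip_network("192.168.0.0/24"), None),
    (ipaddress.ip_network("100.0.0.0/24"), ipaddress.ip_address("192.168.0.1")),
]

# Constructed IP-to-MAC bindings a DAI-enabled switch between R1 and R2 would
# enforce on ARP packets. Note there is deliberately no entry for 100.0.0.1.
DAI_BINDINGS = {
    "192.168.0.1": "aaaa.aaaa.aaaa",   # R1 F0/0
    "192.168.0.2": "bbbb.bbbb.bbbb",   # R2 F0/0
}

def route_lookup(dst):
    """Longest-prefix match over R2_ROUTES; returns (prefix, next_hop) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in R2_ROUTES:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh)
    return best

def arp_target(dst):
    """Return the address R2 must resolve with ARP to forward a packet to dst.
    Directly connected -> dst itself; reached via a next hop -> the next hop,
    resolved recursively until a connected route is hit. No route -> None."""
    route = route_lookup(dst)
    if route is None:
        return None                      # packet dropped, no ARP ever sent
    prefix, nh = route
    return str(dst) if nh is None else arp_target(str(nh))

def dai_inspect(sender_ip, sender_mac):
    """DAI-style check of an ARP reply's sender IP/MAC against the bindings."""
    expected = DAI_BINDINGS.get(sender_ip)
    if expected is None:
        return "drop: no binding"
    return "permit" if sender_mac.lower() == expected else "drop: mac mismatch"

if __name__ == "__main__":
    # BGP session to 100.0.0.1 only ever triggers an ARP for 192.168.0.1.
    print(arp_target("100.0.0.1"))                         # 192.168.0.1
    print(dai_inspect("192.168.0.1", "AAAA.AAAA.AAAA"))    # permit
```

Because the only ARP exchange concerns 192.168.0.1, a DAI binding for R1's interface address is all the switch needs to validate it, and an ARP for 100.0.0.1 never appears for DAI to judge.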

Hi Harold.

After a two-and-a-half-hour Introduction to BGP webinar, my mind is flying around.

You are totally correct, and I marked it as the solution for this topic.

Thanks.

You are very welcome @frknl. Good learning!

Harold Ritter
Sr Technical Leader