10-01-2015 09:12 AM - edited 03-08-2019 02:01 AM
Hi all,
1) If I have connected 2 computers to a L2 switch with the following configuration
CompA interface ip - 192.168.1.3
CompB interface ip - not set yet
Switch Int Vlan ip - 192.168.1.100
2) Assuming I ping 192.168.1.100 from CompA, the switch ARP table will show
192.168.1.3 aaaa.bbbb.cccc -- aaaa.bbbb.cccc is CompA's interface MAC
3) Then I unplug the physical link from CompA to the switch and immediately set
CompB interface IP to 192.168.1.3, then do a ping to 192.168.1.100
q1) Will the switch ARP request show
a) multiple arp entries for the same IP (e.g.
192.168.1.3 aaaa.bbbb.cccc -- aaaa.bbbb.cccc is CompA's interface MAC
192.168.1.3 bbbb.dddd.eeee -- bbbb.dddd.eeee is CompB's interface MAC
or
b) just the latest updated arp entry
192.168.1.3 aaaa.bbbb.cccc -- aaaa.bbbb.cccc is CompA's interface MAC
192.168.1.3 bbbb.dddd.eeee -- bbbb.dddd.eeee is CompB's interface MAC
========================================
q2) If the answer is a), what will be the impact/consequences - what if the switch chooses a wrong MAC address that is no longer connected to the switch?
The reason is that I have an IP multipath setup in a box with 2 NICs, and I am not sure if they will be using the same IP address across 2 physical interfaces to send out traffic.
P.S. I can't lab it out yet, so I hope the gurus here can provide some valuable information, as most of our system folks have no exact answers on what will happen.
Thank you!
Regards,
Noob
10-01-2015 09:33 AM
You can only have 1 arp entry that resolves to the same address with different mac at a time in the table. The entry will be wiped for the first learned if a second one with the same address is learned with a different mac address. I would team those NICs to avoid any confusion that you're going to run into with where the traffic is at, unless you're going to have 1 interface in two different vlans.
HTH,
John
10-01-2015 10:04 AM
Hi John,
Thanks for the reply.
So do you mean that the ARP table will always reflect the latest ARP mapping and there will be only 1 at any one time - am I right?
Yep, there is an LACP option and an IP multipath option (where the interfaces are not teamed), which I am trying to figure out how it actually works.
Regards,
Noob
10-01-2015 10:11 AM
I would go with lacp if you have the option for that. The arp table will only have 1 entry at a time, so you're correct. When a user statically addresses a device to an address that already exists and you try to ping that address, you'll see drops to the address occasionally because the arp table continually updates. The device that responds first will enter into the routing table, which causes routing issues....
I'm not a server guy any longer, but I would think ip multipath would allow you to have two different subnets on the interface which would mean two different vlans. That also equates to two different arp entries for the same server. For example:
Server (ip multipath option configured):
IP 1: 192.168.1.50
IP 2: 192.168.2.50
Vlan 1: 192.168.1.1
Vlan 2: 192.168.2.1
The arp entry on the switch would look like:
192.168.1.50 <mac address> vlan 1
192.168.2.50 <second mac address> vlan 2
They go to the same server, but they're logically separate from each other. Does that make sense? You could also use two separate addresses in the same vlan and have it go to the same server if the server will let you put two addresses in the same network on two different interfaces:
Server (second solution):
interface A: 192.168.1.50
interface B: 192.168.1.51
Your arp entries would look like:
192.168.1.50 <mac address> vlan 1
192.168.1.51 <mac address> vlan 2
Your hosts would need to be configured to be able to talk to 192.168.1.50 and 51 for the same host (possibly via dns A records to resolve, say www, to both IP addresses for load balancing)
HTH,
John
10-01-2015 10:40 AM
Hi John,
Thanks for your reply.
Just to be sure, thinking further (I think my previous example is invalid):
When does an ARP table actually get updated? Only upon retrieval of an ARP reply, or as long as the interface receives a frame/packet?
===================
Because assuming that an ARP entry already exists, and assuming the ARP table only gets updated when an ARP request is sent out and a reply is received, then for my scenario above ->
Switch already has an ARP entry for Comp A's 192.168.1.3
Comp A gets disconnected physically and Comp B gets connected
Comp B pings the switch (does an ARP request first for 192.168.1.100)
Switch replies with its VLAN interface's MAC address
Comp B updates its ARP table and sends an ICMP packet out to the switch
Switch receives the packet and wants to reply back to 192.168.1.3
Switch forms a packet with destination 1.3, checks its ARP table and finds the existing entry for 192.168.1.3 (whereby the MAC address still points to Comp A)
Switch sends out the frame, with dest 1.3 and the MAC address of Comp A, but it will reach no device.
=====================
So tentatively, Comp B will never receive a reply from the switch until the ARP entry times out on the switch side, isn't it?
p.s. will come back on the multipath shortly :P
Regards,
Noob
10-01-2015 11:01 AM
The arp table is updated when the switch receives a reply and the associated mac address is different from the one that's currently in the table. In your example above, Computer B may get the reply depending on the timing of everything. In your example, is Comp B addressed the same as Comp A? If so, the arp entry on the switch should be updated when Comp B pings the switch...
HTH,
John
10-01-2015 11:07 AM
Hi John,
So you mean that a device's ARP table will always be updated if
a) the device receives a packet/frame from another source that is currently not in the ARP table or has a different associated MAC address from the one that's currently in the table
An update to a device's ARP table is not limited to receiving an ARP reply to an ARP request.
Right?
Regards,
Noob
10-01-2015 11:21 AM
Correct. Normally, an arp request is sent out with the destination ip address requesting the mac address. The arp reply responds with that mac address if their destination ip matches the one that the originating system tried to communicate with. There is such a thing as gratuitous arp where no request exists, but the host will automatically broadcast out an arp reply so everything on the lan (within the same vlan) can update their tables without them needing to request it.
On my network, I captured:
57 0.633998000 Cisco_bf:24:00 Broadcast ARP 60 Who has xx.xx.xx.xx? Tell xx.xx.xx.xx
Sender MAC address: Cisco_bf:24:00 (00:15:c7:bf:24:00)
Sender IP address: 5.5.5.5 (5.5.5.5)
Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)
Target IP address: 5.5.5.52(5.5.5.52)
That's a request. A gratuitous arp looks like this:
710 8.179388000 SmdInfor_ac:a8:ad Broadcast ARP 60 Gratuitous ARP for x.x.x.x (Request)
Sender MAC address: SmdInfor_ac:a8:ad (00:40:48:ac:a8:ad)
Sender IP address: 1.1.1.1 (1.1.1.1)
Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)
Target IP address: 1.1.1.1 (1.1.1.1)
In the gratuitous arp case, the sending address and target address was the same. The standard arp request had a different target address than the source, but in both cases the target mac address is unknown.
HTH,
John
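The two captures in the post above, rebuilt as raw ARP payloads and classified by the sender-IP/target-IP comparison John describes. This is an added example, not code from the thread; the function names `build_arp` and `classify_arp` are hypothetical, and the byte strings are constructed from the addresses shown in the capture.

```python
import socket
import struct

# Ethernet/IPv4 ARP payload (RFC 826): htype, ptype, hlen, plen, oper,
# sender MAC, sender IP, target MAC, target IP = 28 bytes.
ARP_FMT = "!HHBBH6s4s6s4s"


def build_arp(oper, sha, spa, tha, tpa):
    """Build a constructed ARP payload (sample input only, never sent)."""
    to_mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       to_mac(sha), socket.inet_aton(spa),
                       to_mac(tha), socket.inet_aton(tpa))


def classify_arp(payload):
    """Return (kind, sender_ip, sender_mac) for an ARP payload."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    # Slice to 28 bytes: a 60-byte Ethernet frame carries trailing padding.
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    if spa == tpa:
        kind = "gratuitous"          # sender announces its own address
    elif oper == 1:
        kind = "request"
    elif oper == 2:
        kind = "reply"
    else:
        kind = "other"
    mac = ":".join(f"{b:02x}" for b in sha)
    return kind, socket.inet_ntoa(spa), mac


# Constructed from the values in the capture above.
REQUEST = build_arp(1, "00:15:c7:bf:24:00", "5.5.5.5",
                    "00:00:00:00:00:00", "5.5.5.52")
GRATUITOUS = build_arp(1, "00:40:48:ac:a8:ad", "1.1.1.1",
                       "00:00:00:00:00:00", "1.1.1.1")
```
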
10-01-2015 11:35 AM
Hi John,
Thanks for the example!
So to be absolutely sure,
q1) A device's ARP table can get updated
a) when it receives a reply to its ARP request
b) when it receives a gratuitous ARP broadcast from some other device in the LAN
c) when it receives any packet/frame that is currently not in its ARP table or with a different associated MAC address than its current entry but with the same IP
right?
q2) An ARP table can have 1 entry for a 1:1 relationship between
IP and MAC
-- an IP can map to 1 MAC at any one time
but can have multiple entries for a 1:many relationship between
MAC and IP
-- a MAC can be mapped to many IPs at any time
right?
Regards,
Noob
10-01-2015 11:44 AM
Q1. Correct on all accounts
Q2. I'm not sure I understand the second bullet point. There can be multiple addresses associated to the same mac address (think secondary addresses on servers). Maybe bullet points 2 and 3 are the same question? If so, then you're correct on this as well...
HTH,
John
10-01-2015 11:52 AM
Hi John,
Thanks for the confirmation !
Yep, for Q2)
I am actually referring to the fact that an ARP table can contain
- many entries of different IPs to the same MAC address
e.g.
1.1.1.1 a.b.c.d
1.1.1.2 a.b.c.d
1.1.1.3 a.b.c.d
but only
- 1 entry of a 1:1 mapping of an IP to a MAC address
1.1.1.1 a.b.c.d
1.1.1.1 b.c.d.e <--- not allowed.
Am I right?
Btw - I posted a new thread on the multipath issue over at
https://supportforums.cisco.com/discussion/12620731/ip-multipath-load-balancing-server-vs-firewall-cisco-asa-5500-tcp-3way-handshake
Hope to hear your feedback!
Regards,
Noob
10-01-2015 11:53 AM
You are correct! :)
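The table rule confirmed in this exchange (one MAC per IP, newest binding replaces the old one, many IPs may share a MAC), modelled as an added example that is not part of the thread. It also records every IP-to-MAC change so that the repeated overwrites John describes for a duplicated static address can be flagged; the class and function names, the 4-hour ageing timer and the flapping thresholds are assumptions.

```python
class ArpCache:
    """Toy ARP cache: one MAC per IP, newest binding wins, entries age out."""

    def __init__(self, timeout=14400.0):  # assumption: 4-hour ageing timer
        self.timeout = timeout
        self.entries = {}  # ip -> (mac, learned_at)
        self.moves = []    # (ip, old_mac, new_mac, when): worth logging

    def learn(self, ip, mac, now):
        """Record a binding; an IP never holds two MACs at once."""
        old = self.entries.get(ip)
        if old and old[0] != mac and now - old[1] < self.timeout:
            self.moves.append((ip, old[0], mac, now))
        self.entries[ip] = (mac, now)

    def lookup(self, ip, now):
        """Return the current MAC for ip, or None if unknown or aged out."""
        entry = self.entries.get(ip)
        if entry is None or now - entry[1] >= self.timeout:
            self.entries.pop(ip, None)
            return None
        return entry[0]


def flapping_ips(cache, now, window=60.0, threshold=3):
    """IPs whose MAC changed at least `threshold` times in the last `window` s."""
    counts = {}
    for ip, _old, _new, when in cache.moves:
        if now - when <= window:
            counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def demo():
    """Constructed events: the thread's CompA/CompB swap plus a duplicate IP."""
    cache = ArpCache()
    cache.learn("192.168.1.3", "aaaa.bbbb.cccc", 0)   # CompA
    cache.learn("192.168.1.3", "bbbb.dddd.eeee", 5)   # CompB replaces CompA
    for ip in ("1.1.1.1", "1.1.1.2", "1.1.1.3"):      # many IPs, one MAC: fine
        cache.learn(ip, "a.b.c.d", 6)
    for t in range(10, 16):                           # two hosts fight over .50
        cache.learn("192.168.1.50", "0000.0000.000%d" % (1 + t % 2), t)
    return cache
```

A single recorded move, as with 192.168.1.3, is what a legitimate host replacement looks like; an address that keeps alternating between two MACs is the duplicate-address pattern and the one to alert on.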
10-01-2015 11:57 AM
Thanks a million John!
So glad to have your replies and confirmation :)
10-02-2015 11:35 PM
Hi John,
Sorry to revisit this thread, and I hope you are still around.
Reflecting on what we have discussed,
I am a bit unsure of the scenario whereby a device's ARP cache will get updated, as in the scenario below
c) receiving any packet/frame (non-ARP related) that is currently not in its ARP table or with a different associated MAC address than its current entry but with the same IP
Q1) Meaning, if device A has never intended to talk to device B and has its ARP information about B cleared from its ARP cache,
but device B sends a packet/frame to device A (assuming B has A's ARP information), will A still update its ARP cache automatically (without sending out any ARP request to B at all)?
Q2) Not relating to Q1: when 2 devices start communicating for the first time and the initiator sends out an ARP request, does the receiver update its ARP table as well when it receives the ARP request from the sender?
A send arp request to B
B update its arp table of A information
B send out arp reply to A
or
A send arp request to B
B send out arp reply to A
then..
B send arp request to A
A send arp reply to B
Regards,
Noob