Spoofed Gratuitous ARP & multiple MAC entries in the ARP table

wardwolfram
Level 1

I am reading the CCNAv7 materials within the Security chapter, specifically 'Spoofed Gratuitous ARP Replies'.

 

The logic makes sense but the diagram to this attack leads me to other questions:

1. When an attacker sends gratuitous ARP replies (which are broadcast messages) to PC-A and the router R1, do both devices not then have multiple entries in their ARP tables using the duplicate MAC address of the attacker?

2. If multiple duplicate MAC address entries are permitted in the device's ARP table, would this break any ARP table functionality?

 

Thanks,

[Attached image: Spoofed Gratuitous ARP.jpg]



Jon Marshall
Hall of Fame

 

It is not added as a duplicate; it overwrites the existing entry, so there is no duplicate entry for the same IP address.

 

Jon

I am concerned about the duplicate MAC addresses created in an ARP table from a gratuitous ARP reply (not ip addresses).


 

I don't follow. 

 

A MAC address maps to an IP address, so there can't be multiple MAC address entries for the same IP because, as I say, it is overwritten.

 

Jon

I am focusing on this statement from the original poster: "I am concerned about the duplicate MAC addresses created in an ARP table from a gratuitous ARP reply (not ip addresses)." If I am interpreting this correctly, the concern is not about multiple entries for the same IP, but is a concern that multiple IP addresses in the table might have the same MAC address. Indeed this can easily happen, and it is NOT necessarily a problem.

Let me describe an example of how this could happen: assume that a router is configured with this static default route

ip route 0.0.0.0 0.0.0.0 G0/0

The router would accept this as valid. Since there is no next hop address, every time the router is forwarding traffic toward any remote address it will ARP for that address. If the upstream router has enabled proxy ARP, it will respond to the ARP request with its own MAC address. So on the router, if you do show arp there will be many IP entries, all of which have the same MAC address (which is the MAC of the upstream router).

HTH

Rick
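As an added example (not part of this thread or the CCNA material), the following Python simulation shows the two behaviours Jon and Rick describe: a spoofed gratuitous reply overwrites the existing IP-to-MAC entry rather than adding a second one for the same IP, and several IPs can legitimately map to one MAC (the proxy ARP case behind `ip route 0.0.0.0 0.0.0.0 G0/0`). It also includes the detection check a practitioner would actually want: alert when a protected IP such as the default gateway changes MAC, not merely when one MAC answers for several IPs. Every host, MAC and IP address below is constructed for the example, and the cache logic is a simplification of a real stack (it learns the sender mapping from every frame it sees).

```python
"""Added example: simulate an ARP cache under spoofed gratuitous ARP replies
and contrast it with benign proxy ARP. Addresses are constructed."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpFrame:
    op: int
    sender_ip: str
    sender_mac: str
    target_ip: str  # in a gratuitous ARP the target IP equals the sender IP

    @property
    def gratuitous(self) -> bool:
        return self.sender_ip == self.target_ip


class ArpCache:
    """ARP table keyed by IP address, as on a host or router.

    Simplification: the sender mapping of every frame is learned. An entry
    for an IP already in the table is overwritten, never duplicated, and the
    overwrite is recorded so a monitor can see a known IP change MAC."""

    def __init__(self) -> None:
        self.table: dict[str, str] = {}
        self.overwrites: list[tuple[str, str, str]] = []  # (ip, old_mac, new_mac)

    def learn(self, frame: ArpFrame) -> None:
        old = self.table.get(frame.sender_ip)
        if old is not None and old != frame.sender_mac:
            self.overwrites.append((frame.sender_ip, old, frame.sender_mac))
        self.table[frame.sender_ip] = frame.sender_mac  # one entry per IP

    def ips_per_mac(self) -> dict[str, list[str]]:
        """Invert the table: MACs that currently answer for more than one IP."""
        by_mac: dict[str, list[str]] = defaultdict(list)
        for ip, mac in self.table.items():
            by_mac[mac].append(ip)
        return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def spoof_alerts(cache: ArpCache, protected_ips: set[str]) -> list[str]:
    """Alert only when a protected IP (e.g. the default gateway) changes MAC.
    A MAC shared by several IPs is not an alert by itself: proxy ARP does that."""
    return [f"{ip} changed from {old} to {new}"
            for ip, old, new in cache.overwrites if ip in protected_ips]


# Constructed topology matching the CCNA diagram: PC-A, router R1, attacker.
R1_IP, R1_MAC = "192.168.1.1", "00:00:0c:11:11:11"
PCA_IP, PCA_MAC = "192.168.1.10", "00:0a:0a:0a:0a:0a"
ATTACKER_MAC = "00:bb:bb:bb:bb:bb"


def run_mitm_scenario() -> ArpCache:
    """Cache contents after the attacker's two spoofed gratuitous replies."""
    cache = ArpCache()
    frames = [
        ArpFrame(ARP_REPLY, R1_IP, R1_MAC, PCA_IP),         # legitimate R1 reply
        ArpFrame(ARP_REPLY, PCA_IP, PCA_MAC, R1_IP),        # legitimate PC-A reply
        ArpFrame(ARP_REPLY, R1_IP, ATTACKER_MAC, R1_IP),    # spoofed gratuitous: "I am R1"
        ArpFrame(ARP_REPLY, PCA_IP, ATTACKER_MAC, PCA_IP),  # spoofed gratuitous: "I am PC-A"
    ]
    for frame in frames:
        cache.learn(frame)
    return cache


def run_proxy_arp_scenario() -> ArpCache:
    """Benign case: the router ARPs for every remote IP because its default
    route points at an interface, and the upstream router (proxy ARP enabled)
    answers each request with its own MAC."""
    upstream_mac = "00:00:0c:99:99:99"
    cache = ArpCache()
    for remote_ip in ("198.51.100.7", "203.0.113.20", "192.0.2.44"):
        cache.learn(ArpFrame(ARP_REPLY, remote_ip, upstream_mac, R1_IP))
    return cache


if __name__ == "__main__":
    mitm = run_mitm_scenario()
    print("table after spoof:", mitm.table)          # both IPs -> attacker MAC, 2 entries
    print("shared MACs:", mitm.ips_per_mac())
    print("alerts:", spoof_alerts(mitm, {R1_IP}))
    proxy = run_proxy_arp_scenario()
    print("proxy-ARP table:", proxy.table)           # three IPs -> upstream MAC
    print("shared MACs (benign):", proxy.ips_per_mac())
    print("alerts (benign):", spoof_alerts(proxy, {R1_IP}))
```

Running it shows the cache never holds two entries for one IP (the spoofed replies replace the real MACs for R1 and PC-A), that in both scenarios one MAC ends up answering for several IPs, and that only the MITM scenario produces an alert, because only there does a protected IP's MAC change. On real equipment the equivalent controls are Dynamic ARP Inspection on the switch, or a monitor that keeps a baseline of the gateway's MAC.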

 

Rick 

 

Agree with what you say, but based on the original question about how the attack works I was assuming the OP thought there might be multiple MAC address entries for the same IP address, which is not the case.

 

However you may well be right in that the question was asking something else entirely. 

 

Jon 

Thank you for the example Richard!

 

 

You are welcome. An example frequently is helpful in understanding some of these principles. I am glad that our explanations have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

@Jon Marshall I agree that the original question might be understood to be about multiple entries for the same IP address. But the diagram in the question shows multiple IPs with the same MAC address. And the follow-up statement from the original poster which I mentioned was pretty clear that he was concerned with multiple MAC entries being the same rather than multiple IP entries.

HTH

Rick