Solved

ARP on behalf

Posted on 2004-09-08
6
277 Views
Last Modified: 2010-04-11
Saw this, wondering what is up with this.

172.25.22.1 ---------> Broadcast     Who has 172.25.42.53? Tell 172.25.42.1



Note that we are running two DHCP scopes here on the same DHCP server.
172.25.22.5-172.25.22.150
172.25.42.5-172.25.42.150
 One physical network, 2 logicals.
Thanks
0
Comment
Question by:dissolved
6 Comments
 

Assisted Solution

by:JMellin
JMellin earned 50 total points
Comment Utility
As I would guess 172.25.42.1 have made a ARP request for 172.25.42.53. This is intercepted by 172.25.22.1 which is on another subnet but same physical network, ARP is a physical broadcast seen by all regardless of IP network.

Normally this would be ignored by the IP Protocol but perhaps 172.25.22.1 is a router with a sort of proxy-ARP feature.
It will then try to help negotiate mac address information (not route) between hosts on different subnets.

Regards
Johan
0
 

Author Comment

by:dissolved
Comment Utility
But if its a broadcast, and 172.25.42.0 and 172.25.22.0 are differerent networks, how did 172.25.22.1 see the broadcast???

I found out these two networks are on separate VLANs. Perhaps the router is doing inter-vlan routing. But even then, would it pass broadcasts in between them?
Thanks
0
 
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 50 total points
Comment Utility
172.25.22.1 ---------> Broadcast     Who has 172.25.42.53? Tell 172.25.42.1


1)  172.25.22.1 looks for 172.25.42.53
2)  Immediately knows this is not on the same subnet, so sends to default router
3)  Default router knows about 172.25.42.x, so issues ARP
4)  172.25.42.x responds to router with MAC address
5)  Router ARP table updated
6)  172.25.22.1 can now talk to 172.25.42.53
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 

Author Comment

by:dissolved
Comment Utility
default router is 172.25.22.1. I'm thinking 172.25.42.1 is a sub-interface on the e0 of the cisco router (172.25.22.1)
0
 

Author Comment

by:dissolved
Comment Utility
We are running VLANs and have our router (172.25.22.1) with a sub interface on the e0


172.25.22.1 ---------> Broadcast     Who has 172.25.42.53? Tell 172.25.42.1


1)  172.25.42.1 looks for 172.25.42.53
2)  However, since 172.25.42.1 is a sub-interface, 172.25.22.1 is shown as issuing the ARP request
3)  172.25.42.53 responds to 172.25.22.1 with it's physical address.

is this possible?
0
 
LVL 11

Accepted Solution

by:
PennGwyn earned 400 total points
Comment Utility
I'm guessing that 172.25.22.1 and 172.25.42.1 are primary and secondary addresses on the same physical interface of the router.

The router wants to talk to 172.25.42.53, so it sends an ARP request.  172.25.42.1 is the router address on that subnet, so that's where the reply should go.

However, because 172.25.22.1 is the router's primary address on that port, it gets filled in as the source of the message.

0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Let’s list some of the technologies that enable smooth teleworking. 
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now