Comments inline:
PS: check out ICMP redirect. It's another one that'll make your
traffic do things that you wouldn't expect.
DaveC
Scott Meyer wrote:
>
> I have a question about network masks and proxy ARP that I have not
> understood for a long time. I'm not sure that I can clearly explain the
> question, but I'll give it my best. I got bits and pieces about the
> situation, so I don't know exactly what is working and when.
>
> A co-worker has a customer that has a really messy IP scheme. For
> simplicity, the network scheme should be
>
> network A         router A
> 172.16.1.0 /24    172.16.1.1 e0
>                   192.168.1.1 s0
>
> connects over WAN to
>
> network B         router B
> 172.16.2.0 /24    172.16.2.1 e0
>                   192.168.1.2 s0
>
> This customer has hosts with misconfigured masks and default gateways all
> over the place. Some hosts have wrong masks, some wrong gateways, on some
> both are wrong, and some are right. The routers are configured correctly, as
> above. Obviously he is experiencing some connectivity issues - sometimes
> things work, and sometimes they don't.
>
> I would like to more completely understand why. Proxy ARP is on (default).
>
> Let's assume the following:
> host A (wrong mask configured, 172.16.1.5 /16, gateway 172.16.1.1) tries to
> connect to host B 172.16.2.6 (correctly configured as /24, gateway
> 172.16.2.1)
>
> My understanding of what happens: Host A does binary anding, and thinks
> that host B is on the same subnet. So it ARPs for 172.16.2.1. Proxy ARP is
> on, so I would think the router recognizes that it needs to respond to host
> A's ARP request. Host A now thinks that host B = MAC address of router A.
> Host A sends traffic to router A and router A forwards. Both router A and
> host A know the correct MAC address of each other, so host B's response will
> get to host A. So this should work consistently despite the
> misconfiguration, but I know better. How am I thinking incorrectly?
#
That's correct: When the router sees an ARP for a subnet that it thinks
is not local to the interface it will reply with a proxy-arp.
From your statement "but I know better. How am I thinking incorrectly?"
I take it that it is not working? I see from your description that the
172.16.x.x is split between a 192.168.x.x. Are you using IGRP, EIGRP,
or RIPv2 with no auto-summary OR OSPF? Check router A's routing
table to see where the 172.16.2.x network is.
##
>
> Next question, let's assume the following:
> host A (wrong gateway configured, 172.16.1.5 /24, gateway 172.16.1.3) tries
> to connect to host B 172.16.2.6 (correctly configured as /24, gateway
> 172.16.2.1)
>
> My understanding of what happens: Host A does binary anding, and thinks
> that host B is on another subnet. Host A thinks that the gateway is
> 172.16.1.3, and ARPs for that. If there is a 172.16.1.3, it will respond
> with its MAC, host A will send traffic for host B to 172.16.1.3, which will
> promptly drop it because it has no idea what to do with it. If there is not
> a 172.16.1.3, host A will not get a response, and will time out eventually. I
> will need to check, but I don't think that host A will ARP for host B (as
> opposed to ARPing for the gateway). So this should consistently not work. If
> host A did not have a gateway at all, it would ARP for host B and router A
> would respond (due to proxy ARP) and connectivity would be established. Am I
> correct?
#
Yes: 100% so far...
##
>
> I do think it makes a difference who initiates the connection, because of
> ARP. If host B tries to connect to host A, router A would ARP for host A.
> Host A would place router A's MAC in its ARP table for host B, and as long
> as that entry existed, communication would work consistently? Am I thinking
> correctly?
##
I suppose someone could program an IP stack that way but I have not seen
any host do what you just described. Pretty much Host A will use the
same process whether it initiates or is responding.
##
>
> If proxy ARP is enabled, why is a default gateway needed? I have never seen
> a TCP/IP configuration that doesn't have a spot to enter a default gateway.
> Conversely, if everything has a default gateway, why is proxy ARP needed? If
> one of those (either the gateway or proxy ARP) is not working for whatever
> reason, why is communication spotty? Should it not be consistently either
> working or not?
>
> If proxy ARP works like it is supposed to, I don't see a need for hosts to
> have masks and gateways configured. The only problem I see is if there are
> multiple gateways available to a subnet, where both (or more) gateways will
> forward the packet, so the destination gets 2 packets. What happens then is
> protocol and application dependent.
#
Question:
Why do you need proxy-arp, masks, and