Comments inline:
PS: check out ICMP redirect. It's another one that'll make your traffic do things that you wouldn't expect.
DaveC
Scott Meyer wrote:
I have a question about network masks and proxy ARP that I have not
understood for a long time. I'm not sure that I can clearly explain the
question, but I'll give it my best. I got bits and pieces about the
situation, so I don't know exactly what is working and when.
A co-worker has a customer that has a really messy IP scheme. For
simplicity, the network scheme should be
network A          router A
172.16.1.0 /24     172.16.1.1 e0
                   192.168.1.1 s0
connects over WAN to
network B          router B
172.16.2.0 /24     172.16.2.1 e0
                   192.168.1.2 s0
This customer has hosts with misconfigured masks and default gateways all
over the place. Some hosts have wrong masks, some wrong gateways, on some
both are wrong, and some are right. The routers are configured correctly, as
above. Obviously he is experiencing some connectivity issues - sometimes
things work, and sometimes they don't.
I would like to more completely understand why. Proxy ARP is on (default).
Let's assume the following:
host A (wrong mask configured, 172.16.1.5 /16, gateway 172.16.1.1) tries
to connect to host B 172.16.2.6 (correctly configured as /24, gateway
172.16.2.1)
My understanding of what happens: Host A does binary ANDing, and thinks
that host B is on the same subnet. So it ARPs for 172.16.2.1. Proxy ARP is
on, so I would think the router recognizes that it needs to respond to host
A's ARP request. Host A now thinks that host B = MAC address of router A.
Host A sends traffic to router A and router A forwards. Both router A and
host A know the correct MAC address of each other, so host B's response
will get to host A. So this should work consistently despite the
misconfiguration, but I know better. How am I thinking incorrectly?
#
That's correct: when the router sees an ARP for a subnet that it thinks
is not local to the interface, it will reply with a proxy-arp.
From your statement "but I know better. How am I thinking incorrectly?"
I take it that it is not working? I see from your description that the
172.16.x.x is split between a 192.168.x.x. Are you using IGRP, EIGRP,
or RIPv2 with no auto-summary, or OSPF? Check router A's routing
table to see where the 172.16.2.x network is.
##
Next question, let's assume the following:
host A (wrong gateway configured, 172.16.1.5 /24, gateway 172.16.1.3)
tries to connect to host B 172.16.2.6 (correctly configured as /24, gateway
172.16.2.1)
My understanding of what happens: Host A does binary ANDing, and thinks
that host B is on another subnet. Host A thinks that the gateway is
172.16.1.3, and ARPs for that. If there is a 172.16.1.3, it will respond
with its MAC, host A will send traffic for host B to 172.16.1.3, which
will promptly drop it because it has no idea what to do with it. If there is
not a 172.16.1.3, host A will not get a response, and will time out eventually.
I will need to check, but I don't think that host A will ARP for host B (as
opposed to ARPing for the gateway). So this should consistently not work.
If host A did not have a gateway at all, it would ARP for host B and router A
would respond (due to proxy ARP) and connectivity would be established. Am
I correct?
#
Yes: 100% so far...
##
I do think it makes a difference who initiates the connection, because of
ARP. If host B tries to connect to host A, router A would ARP for host A.
Host A would place router A's MAC in its ARP table for host B, and as long
as that entry existed, communication would work consistently? Am I thinking
correctly?
##
I suppose someone could program an IP stack that way, but I have not seen
any host do what you just described. Pretty much Host A will use the
same process whether it initiates or is responding.
##
If proxy ARP is enabled, why is a default gateway needed? I have never seen
a TCP/IP configuration that doesn't have a spot to enter a default gateway.
Conversely, if everything has a default gateway, why is proxy ARP needed?
If one of those (either the gateway or proxy ARP) is not working for whatever
reason, why is communication spotty? Should it not be consistently either
working or not?
If proxy ARP works like it is supposed to, I don't see a need for hosts to
have masks and gateways configured. The only problem I see is if there are
multiple gateways available to a subnet, where both (or more) gateways will
forward the packet, so the destination gets 2 packets. What happens then is
protocol and application dependent.
#
Question:
Why do you need proxy-arp, masks, and gateways...
Answer:
Control and Flexibility
There is always some goofy
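The three host-A scenarios walked through in the thread (wrong mask, wrong gateway, no gateway at all), modelled as an added example that is not part of the original thread. The topology constants copy the thread's addresses; the decision rules (host ANDs the destination with its own mask, router A proxy-ARPs only for off-subnet targets it has a route to) are the behaviour the thread describes, and the `lan_hosts` parameter is an assumption used to model whether 172.16.1.3 actually exists on the segment.

```python
import ipaddress

# Constructed topology taken from the thread: router A's e0 is 172.16.1.1/24
# and its routing table knows 172.16.2.0/24 over the WAN link to router B.
ROUTER_A_E0_IP = ipaddress.ip_address("172.16.1.1")
ROUTER_A_LOCAL = ipaddress.ip_network("172.16.1.0/24")
ROUTER_A_ROUTES = [ipaddress.ip_network("172.16.2.0/24")]


def host_arp_target(host_ip, prefix_len, gateway, dest_ip):
    """Address a host ARPs for when sending to dest_ip.

    The host ANDs the destination with its own (possibly wrong) mask: same
    subnet -> ARP for the destination itself; otherwise ARP for the default
    gateway. With no gateway configured it can only ARP for the destination.
    """
    net = ipaddress.ip_interface(f"{host_ip}/{prefix_len}").network
    if gateway is None or ipaddress.ip_address(dest_ip) in net:
        return dest_ip
    return gateway


def router_a_answers(target_ip, proxy_arp=True):
    """Does router A reply to an ARP request for target_ip seen on e0?

    It always answers for its own e0 address. With proxy ARP on it also
    answers for targets off the e0 subnet that are in its routing table.
    """
    t = ipaddress.ip_address(target_ip)
    if t == ROUTER_A_E0_IP:
        return True
    return proxy_arp and t not in ROUTER_A_LOCAL and any(t in r for r in ROUTER_A_ROUTES)


def first_hop(host_ip, prefix_len, gateway, dest_ip, lan_hosts=(), proxy_arp=True):
    """Who answers host A's ARP for its first hop toward dest_ip.

    Returns "router A", "host <ip>" (another LAN host that will just drop
    the packet), or None when nobody answers and the ARP times out.
    lan_hosts (assumed) lists other addresses present on 172.16.1.0/24.
    """
    target = host_arp_target(host_ip, prefix_len, gateway, dest_ip)
    if target in lan_hosts:
        return f"host {target}"
    return "router A" if router_a_answers(target, proxy_arp) else None


if __name__ == "__main__":
    # Scenario 1 (wrong mask /16) vs scenario 2 (gateway 172.16.1.3 absent).
    print(first_hop("172.16.1.5", 16, "172.16.1.1", "172.16.2.6"))
    print(first_hop("172.16.1.5", 24, "172.16.1.3", "172.16.2.6"))
```

Turning `proxy_arp` off shows why the wrong-mask host only works as long as router A keeps answering for the remote subnet.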