arp | IPv5

Коллега очистил весь ARP cache на BRAS и «немного ой», временно поднялась загрузка CPU, посмотрим, как это работает, раньше мне это виделось так, очищаем кэш, запись удаляется, прилетает новый пакет генерируется ARP запрос, но это не всегда так:

В RFC нашел следующее:

RFC 826
Another alternative is to have a daemon perform the timeouts. After a suitable time, the daemon considers removing an entry. It first sends (with a small number of retransmissions if needed) an address resolution packet with opcode REQUEST directly to the Ethernet address in the table. If a REPLY is not seen in a short amount of time, the entry is deleted. The request is sent directly so as not to bother every station on the Ethernet. Just forgetting entries will likely cause useful information to be forgotten, which must be regained.

RFC 1122
IMPLEMENTATION:
Four mechanisms have been used, sometimes in
combination, to flush out-of-date cache entries.

(1) Timeout — Periodically time out cache entries,
even if they are in use. Note that this timeout
should be restarted when the cache entry is
«refreshed» (by observing the source fields,
regardless of target address, of an ARP broadcast
from the system in question). For proxy ARP
situations, the timeout needs to be on the order
of a minute.

(2) Unicast Poll — Actively poll the remote host by
periodically sending a point-to-point ARP Request
to it, and delete the entry if no ARP Reply is
received from N successive polls. Again, the
timeout should be on the order of a minute, and
typically N is 2.

Linux:

[root@server1 ~]# uname -a
Linux server1 3.10.0-957.5.1.el7.x86_64 #1 SMP Fri Feb 1 14:54:57 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

1 2	[root@server1 ~]# uname -a Linux server1 3.10.0-957.5.1.el7.x86_64 #1 SMP Fri Feb 1 14:54:57 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

На всякий случай удаляем текущий ARP cache:

[root@server1 ~]# man arp
   arp -d address will delete a ARP table entry. Root or netadmin privilege is required to do this. The entry is found by IP address. If a hostname is
   given, it will be resolved before looking up the entry in the ARP table.

[root@server1 ~]# man arp

arp -d address will delete a ARP table entry. Root or netadmin privilege is required to do this. The entry is found by IP address. If a hostname is

given, it will be resolved before looking up the entry in the ARP table.

[root@server1 ~]# arp -d 192.168.122.101
No ARP entry for 192.168.122.101

1 2	[root@server1 ~]# arp -d 192.168.122.101 No ARP entry for 192.168.122.101

Отправляем трафик чтобы получить ARP:

[root@server1 ~]# ping -c 1 192.168.122.101
PING 192.168.122.101 (192.168.122.101) 56(84) bytes of data.
64 bytes from 192.168.122.101: icmp_seq=1 ttl=64 time=0.407 ms

--- 192.168.122.101 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.407/0.407/0.407/0.000 ms

[root@server1 ~]# ping -c 1 192.168.122.101

PING 192.168.122.101 (192.168.122.101) 56(84) bytes of data.

64 bytes from 192.168.122.101: icmp_seq=1 ttl=64 time=0.407 ms

--- 192.168.122.101 ping statistics ---

1 packets transmitted, 1 received, 0% packet loss, time 0ms

rtt min/avg/max/mdev = 0.407/0.407/0.407/0.000 ms

В дампе все ожидаемо:

[root@server1 ~]# tcpdump -vnpi ens192 "(arp or ip ) and host 192.168.122.101"
tcpdump: listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes
17:45:19.715061 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.122.101 tell 192.168.122.105, length 28
17:45:19.715236 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.122.101 is-at 00:0c:29:d7:b4:c3, length 46
17:45:19.715247 IP (tos 0x0, ttl 64, id 48626, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.122.105 > 192.168.122.101: ICMP echo request, id 19191, seq 1, length 64
17:45:19.715431 IP (tos 0x0, ttl 64, id 62652, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.122.101 > 192.168.122.105: ICMP echo reply, id 19191, seq 1, length 64
17:45:24.723945 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.122.105 tell 192.168.122.101, length 46
17:45:24.723962 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.122.105 is-at 00:0c:29:38:0a:11, length 28
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel

[root@server1 ~]# tcpdump -vnpi ens192 "(arp or ip ) and host 192.168.122.101"

tcpdump: listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes

17:45:19.715061 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.122.101 tell 192.168.122.105, length 28

17:45:19.715236 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.122.101 is-at 00:0c:29:d7:b4:c3, length 46

17:45:19.715247 IP (tos 0x0, ttl 64, id 48626, offset 0, flags [DF], proto ICMP (1), length 84)

192.168.122.105 > 192.168.122.101: ICMP echo request, id 19191, seq 1, length 64

17:45:19.715431 IP (tos 0x0, ttl 64, id 62652, offset 0, flags [none], proto ICMP (1), length 84)

192.168.122.101 > 192.168.122.105: ICMP echo reply, id 19191, seq 1, length 64

17:45:24.723945 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.122.105 tell 192.168.122.101, length 46

17:45:24.723962 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.122.105 is-at 00:0c:29:38:0a:11, length 28

6 packets captured

6 packets received by filter

0 packets dropped by kernel

Удаляем запись:

[root@server1 ~]# arp -d 192.168.122.101
[root@server1 ~]# arp -n 192.168.122.101
192.168.122.101 (192.168.122.101) -- no entry

[root@server1 ~]# arp -d 192.168.122.101

[root@server1 ~]# arp -n 192.168.122.101

192.168.122.101 (192.168.122.101) -- no entry

ARP трафика нет, поведение интуитивно понятное но не оптимальное (не зависит от режима работы net.ipv4.ip_forward ), очистка ARP cache собственно это и делает:

[root@server1 ~]# tcpdump -vnpi ens192 "(arp or ip ) and host 192.168.122.101"
tcpdump: listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

[root@server1 ~]# tcpdump -vnpi ens192 "(arp or ip ) and host 192.168.122.101"

tcpdump: listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes

0 packets captured

0 packets received by filter

0 packets dropped by kernel

Cisco IOS:
Изначально ARP cache пустой:

R1# sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.1                -   aabb.cc00.1000  ARPA   Ethernet0/0

R2# sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.2                -   aabb.cc00.2000  ARPA   Ethernet0/0

R1# sh arp

Protocol Address Age (min) Hardware Addr Type Interface

Internet 10.0.0.1 - aabb.cc00.1000 ARPA Ethernet0/0

R2# sh arp

Protocol Address Age (min) Hardware Addr Type Interface

Internet 10.0.0.2 - aabb.cc00.2000 ARPA Ethernet0/0

R1# ping 10.0.0.2 repeat 2 timeout 5
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 10.0.0.2, timeout is 5 seconds:
.!
Success rate is 50 percent (1/2), round-trip min/avg/max = 1/1/1 ms

R1# sh arp 10.0.0.2
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.2                2   aabb.cc00.2000  ARPA   Ethernet0/0

R1# ping 10.0.0.2 repeat 2 timeout 5

Type escape sequence to abort.

Sending 2, 100-byte ICMP Echos to 10.0.0.2, timeout is 5 seconds:

Success rate is 50 percent (1/2), round-trip min/avg/max = 1/1/1 ms

R1# sh arp 10.0.0.2

Protocol Address Age (min) Hardware Addr Type Interface

Internet 10.0.0.2 2 aabb.cc00.2000 ARPA Ethernet0/0

R1# debug arp
ARP packet debugging is on

1 2	R1# debug arp ARP packet debugging is on

Очищаем:

R1# clear arp 10.0.0.2
R1#
*Feb 21 16:22:59.948: IP ARP: sent req src 10.0.0.1 aabb.cc00.1000,
                 dst 10.0.0.2 aabb.cc00.2000 Ethernet0/0
*Feb 21 16:22:59.949: IP ARP: sent rep src 10.0.0.1 aabb.cc00.1000,
                 dst 10.0.0.1 ffff.ffff.ffff Ethernet0/0
*Feb 21 16:22:59.949: IP ARP: rcvd rep src 10.0.0.2 aabb.cc00.2000, dst 10.0.0.1 Ethernet0/0

R1# clear arp 10.0.0.2

R1#

*Feb 21 16:22:59.948: IP ARP: sent req src 10.0.0.1 aabb.cc00.1000,

dst 10.0.0.2 aabb.cc00.2000 Ethernet0/0

*Feb 21 16:22:59.949: IP ARP: sent rep src 10.0.0.1 aabb.cc00.1000,

dst 10.0.0.1 ffff.ffff.ffff Ethernet0/0

*Feb 21 16:22:59.949: IP ARP: rcvd rep src 10.0.0.2 aabb.cc00.2000, dst 10.0.0.1 Ethernet0/0

Дамп трафика, «Frame 5» отправка unicast ARP req, следом «Frame 6» отправка broadcast Gratuitous ARP видимо для обновления кэша своего IP у удаленных машин, «Frame 7» unicast ARP rep от R2.

Frame 1: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: aa:bb:cc:00:10:00 (aa:bb:cc:00:10:00), Dst: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (request)
    Hardware type: Ethernet (1)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (1)
    Sender MAC address: aa:bb:cc:00:10:00 (aa:bb:cc:00:10:00)
    Sender IP address: 10.0.0.1 (10.0.0.1)
    Target MAC address: 00:00:00:00:00:00 (00:00:00:00:00:00)
    Target IP address: 10.0.0.2 (10.0.0.2)

Frame 2: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: aa:bb:cc:00:20:00 (aa:bb:cc:00:20:00), Dst: aa:bb:cc:00:10:00 (aa:bb:cc:00:10:00)
Address Resolution Protocol (reply)
    Hardware type: Ethernet (1)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: reply (2)
    Sender MAC address: aa:bb:cc:00:20:00 (aa:bb:cc:00:20:00)
    Sender IP address: 10.0.0.2 (10.0.0.2)
    Target MAC address: aa:bb:cc:00:10:00 (aa:bb:cc:00:10:00)
    Target IP address: 10.0.0.1 (10.0.0.1)

Frame 3: 114 bytes on wire (912 bits), 114 bytes captured (912 bits) on interface 0
Ethernet II, Src: aa:bb:cc:00:10:00 (aa:bb:cc:00:10:00), Dst: aa:bb:cc:00:20:00 (aa:bb:cc:00:20:00)
Internet Protocol Version 4, Src: 10.0.0.1 (10.0.0.1), Dst: 10.0.0.2 (10.0.0.2)
Internet Control Message Protocol

Frame 4: 114 bytes on wire (912 bits), 114 bytes captured (912 bits) on interface 0
Ethernet II, Src: aa:bb:cc:00:20:00 (aa:bb:cc:00:20:00), Dst: aa:bb:cc:00:10:00 (aa:bb:cc:00:10:00)
Internet Protocol Version 4, Src: 10.0.0.2 (10.0.0.2), Dst: 10.0.0.1 (10.0.0.1)
Internet Control Message Protocol

Frame 5: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: aa:bb:cc:00:10:00 (aa:bb:cc:00:10:00), Dst: aa:bb:cc:00:20:00 (aa:bb:cc:00:20:00)
Address Resolution Protocol (request)
    Hardware type: Ethernet (1)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (1)
    Sender MAC address: aa:bb:cc:00:10:00 (aa:bb:cc:00:10:00)
    Sender IP address: 10.0.0.1 (10.0.0.1)
    Target MAC address: aa:bb:cc:00:20:00 (aa:bb:cc:00:20:00)
    Target IP address: 10.0.0.2 (10.0.0.2)

Frame 6: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: aa:bb:cc:00:10:00 (aa:bb:cc:00:10:00), Dst: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
Address Resolution Protocol (reply/gratuitous ARP)
    Hardware type: Ethernet (1)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: reply (2)
    [Is gratuitous: True]
    Sender MAC address: aa:bb:cc:00:10:00 (aa:bb:cc:00:10:00)
    Sender IP address: 10.0.0.1 (10.0.0.1)
    Target MAC address: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)
    Target IP address: 10.0.0.1 (10.0.0.1)

Frame 7: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0
Ethernet II, Src: aa:bb:cc:00:20:00 (aa:bb:cc:00:20:00), Dst: aa:bb:cc:00:10:00 (aa:bb:cc:00:10:00)
Address Resolution Protocol (reply)
    Hardware type: Ethernet (1)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: reply (2)
    Sender MAC address: aa:bb:cc:00:20:00 (aa:bb:cc:00:20:00)
    Sender IP address: 10.0.0.2 (10.0.0.2)
    Target MAC address: aa:bb:cc:00:10:00 (aa:bb:cc:00:10:00)
    Target IP address: 10.0.0.1 (10.0.0.1)

Frame 1: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0

Ethernet II, Src: aa:bb:cc:00:10:00 (aa:bb:cc:00:10:00), Dst: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)

Address Resolution Protocol (request)

Hardware type: Ethernet (1)

Protocol type: IP (0x0800)

Hardware size: 6

Protocol size: 4

Opcode: request (1)

Sender MAC address: aa:bb:cc:00:10:00 (aa:bb:cc:00:10:00)

Sender IP address: 10.0.0.1 (10.0.0.1)

Target MAC address: 00:00:00:00:00:00 (00:00:00:00:00:00)

Target IP address: 10.0.0.2 (10.0.0.2)

Frame 2: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0

Ethernet II, Src: aa:bb:cc:00:20:00 (aa:bb:cc:00:20:00), Dst: aa:bb:cc:00:10:00 (aa:bb:cc:00:10:00)

Address Resolution Protocol (reply)

Hardware type: Ethernet (1)

Protocol type: IP (0x0800)

Hardware size: 6

Protocol size: 4

Opcode: reply (2)

Sender MAC address: aa:bb:cc:00:20:00 (aa:bb:cc:00:20:00)

Sender IP address: 10.0.0.2 (10.0.0.2)

Target MAC address: aa:bb:cc:00:10:00 (aa:bb:cc:00:10:00)

Target IP address: 10.0.0.1 (10.0.0.1)

Frame 3: 114 bytes on wire (912 bits), 114 bytes captured (912 bits) on interface 0

Ethernet II, Src: aa:bb:cc:00:10:00 (aa:bb:cc:00:10:00), Dst: aa:bb:cc:00:20:00 (aa:bb:cc:00:20:00)

Internet Protocol Version 4, Src: 10.0.0.1 (10.0.0.1), Dst: 10.0.0.2 (10.0.0.2)

Internet Control Message Protocol

Frame 4: 114 bytes on wire (912 bits), 114 bytes captured (912 bits) on interface 0

Ethernet II, Src: aa:bb:cc:00:20:00 (aa:bb:cc:00:20:00), Dst: aa:bb:cc:00:10:00 (aa:bb:cc:00:10:00)

Internet Protocol Version 4, Src: 10.0.0.2 (10.0.0.2), Dst: 10.0.0.1 (10.0.0.1)

Internet Control Message Protocol

Frame 5: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0

Ethernet II, Src: aa:bb:cc:00:10:00 (aa:bb:cc:00:10:00), Dst: aa:bb:cc:00:20:00 (aa:bb:cc:00:20:00)

Address Resolution Protocol (request)

Hardware type: Ethernet (1)

Protocol type: IP (0x0800)

Hardware size: 6

Protocol size: 4

Opcode: request (1)

Sender MAC address: aa:bb:cc:00:10:00 (aa:bb:cc:00:10:00)

Sender IP address: 10.0.0.1 (10.0.0.1)

Target MAC address: aa:bb:cc:00:20:00 (aa:bb:cc:00:20:00)

Target IP address: 10.0.0.2 (10.0.0.2)

Frame 6: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0

Ethernet II, Src: aa:bb:cc:00:10:00 (aa:bb:cc:00:10:00), Dst: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)

Address Resolution Protocol (reply/gratuitous ARP)

Hardware type: Ethernet (1)

Protocol type: IP (0x0800)

Hardware size: 6

Protocol size: 4

Opcode: reply (2)

[Is gratuitous: True]

Sender MAC address: aa:bb:cc:00:10:00 (aa:bb:cc:00:10:00)

Sender IP address: 10.0.0.1 (10.0.0.1)

Target MAC address: ff:ff:ff:ff:ff:ff (ff:ff:ff:ff:ff:ff)

Target IP address: 10.0.0.1 (10.0.0.1)

Frame 7: 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface 0

Ethernet II, Src: aa:bb:cc:00:20:00 (aa:bb:cc:00:20:00), Dst: aa:bb:cc:00:10:00 (aa:bb:cc:00:10:00)

Address Resolution Protocol (reply)

Hardware type: Ethernet (1)

Protocol type: IP (0x0800)

Hardware size: 6

Protocol size: 4

Opcode: reply (2)

Sender MAC address: aa:bb:cc:00:20:00 (aa:bb:cc:00:20:00)

Sender IP address: 10.0.0.2 (10.0.0.2)

Target MAC address: aa:bb:cc:00:10:00 (aa:bb:cc:00:10:00)

Target IP address: 10.0.0.1 (10.0.0.1)

ARP cache обновился:

R1# sh arp 10.0.0.2
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.2                0   aabb.cc00.2000  ARPA   Ethernet0/0

R1# sh arp 10.0.0.2

Protocol Address Age (min) Hardware Addr Type Interface

Internet 10.0.0.2 0 aabb.cc00.2000 ARPA Ethernet0/0

Действительно, зачем удалять запись, получать дроп трафика, если можно попытаться обновить, не получили ответа, удаляем.

Если нужно удалить записи, можно положить/поднять интерфейс или выключить/включить ARP на нем.

Juniper, Junos: 14.2:

Отправляет Broadcast ARP req:

root@R1> clear arp hostname 10.0.0.2
root@R1>

1 2	root@R1> clear arp hostname 10.0.0.2 root@R1>

root@R1> monitor traffic interface xe-0/0/0.0 no-resolve matching arp detail layer2-headers
Address resolution is OFF.
Listening on xe-0/0/0.0, capture size 1514 bytes

22:04:17.205279 Out 10:0e:7e:92:4a:00 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 10.0.0.2 tell 10.0.0.1
22:04:17.208403  In 84:a9:c4:a5:b0:ad > 10:0e:7e:92:4a:00, ethertype ARP (0x0806), length 60: arp reply 10.0.0.2 is-at 84:a9:c4:a5:b0:ad
^C
68 packets received by filter
0 packets dropped by kernel

root@R1> monitor traffic interface xe-0/0/0.0 no-resolve matching arp detail layer2-headers

Address resolution is OFF.

Listening on xe-0/0/0.0, capture size 1514 bytes

22:04:17.205279 Out 10:0e:7e:92:4a:00 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 10.0.0.2 tell 10.0.0.1

22:04:17.208403 In 84:a9:c4:a5:b0:ad > 10:0e:7e:92:4a:00, ethertype ARP (0x0806), length 60: arp reply 10.0.0.2 is-at 84:a9:c4:a5:b0:ad

68 packets received by filter

0 packets dropped by kernel

IPv5

Архив рубрики: arp

Static route packet drops

clear arp cache

Networking