华为HCNA之ARP和Proxy ARP实验

导语:

ARP是用来将IP地址转换成MAC地址的协议

拓扑图:

华为HCNA之ARP和Proxy ARP实验_第1张图片

步骤:

1.基础配置

如拓扑图所示,完成实验的各个物理设备和接口的配置
华为HCNA之ARP和Proxy ARP实验_第2张图片
接下来查看主机的ARP表:

PC>arp -a

Internet Address    Physical Address    Type

可以看到,主机的ARP表为空;

接下来查看R1的ARP表:

[R1]display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE 
                                          VLAN/CEVLAN PVC                      
------------------------------------------------------------------------------
10.1.1.254      00e0-fc89-0476            I -         GE0/0/1
10.1.2.254      00e0-fc89-0477            I -         GE0/0/2
------------------------------------------------------------------------------
Total:2         Dynamic:0       Static:0     Interface:2    

可以看到,R1仅有与之相连的两个接口ARP表项;

测试PC-1到R1和PC-2的连通性,测试PC-3到R1的连通性(自行测试,不贴代码了);

此时,再次查看PC-1和R1的ARP表项:

PC>arp -a

Internet Address    Physical Address    Type
10.1.1.2            54-89-98-1A-5D-B8   dynamic
[R1]display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE 
                                          VLAN/CEVLAN PVC                      
------------------------------------------------------------------------------
10.1.1.254      00e0-fc89-0476            I -         GE0/0/1
10.1.1.1        5489-98c8-5a5c  13        D-0         GE0/0/1
10.1.2.254      00e0-fc89-0477            I -         GE0/0/2
10.1.2.3        5489-98d3-3614  13        D-0         GE0/0/2
------------------------------------------------------------------------------
Total:4         Dynamic:2       Static:0     Interface:2    

可以看到,此时PC-1和R1的ARP表项都已经变化了

2.配置静态ARP

如果ARP报文中的IP地址和MAC地址被映射错误的话,网关很容易被攻击,如:

[R1]arp static 10.1.1.1 5489-98CF-2803
[R1]display  arp all 
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE 
                                          VLAN/CEVLAN PVC                      
------------------------------------------------------------------------------
10.1.1.254      00e0-fc89-0476            I -         GE0/0/1
10.1.2.254      00e0-fc89-0477            I -         GE0/0/2
10.1.2.3        5489-98d3-3614  20        D-0         GE0/0/2
10.1.1.1        5489-98cf-2803            S--
------------------------------------------------------------------------------
Total:4         Dynamic:1       Static:1     Interface:2   

此时,PC-1的MAC地址被错误配置了,这时,我们用R1和PC-1互相ping验证一下:

[R1]ping 10.1.1.1
  PING 10.1.1.1: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 10.1.1.1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

PC>ping 10.1.1.254

Ping 10.1.1.254: 32 data bytes, Press Ctrl_C to break
Request timeout!
Request timeout!
Request timeout!
Request timeout!
Request timeout!

--- 10.1.1.254 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss

可以看到,此时PC-1和R1无法通信

为了应对ARP欺骗攻击,可以通过静态配置ARP表项来实现,如果静态配置的映射已经出现在ARP中则动态学习到的ARP配置无法进入到ARP表中:

[R1]undo arp static 10.1.1.1 5489-98cf-2803
[R1]arp static 10.1.1.1 5489-98c8-5a5c 
[R1]arp static 10.1.1.2 5489-981a-5db8  
[R1]arp static 10.1.2.3 5489-98d3-3614   
[R1]display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE 
                                          VLAN/CEVLAN PVC                      
------------------------------------------------------------------------------
10.1.1.254      00e0-fc89-0476            I -         GE0/0/1
10.1.2.254      00e0-fc89-0477            I -         GE0/0/2
10.1.1.1        5489-98c8-5a5c            S--
10.1.1.2        5489-981a-5db8            S--
10.1.2.3        5489-98d3-3614            S--
------------------------------------------------------------------------------
Total:5         Dynamic:0       Static:3     Interface:2   

配置完成后,在PC-1上进行测试:

PC>ping 10.1.1.254

Ping 10.1.1.254: 32 data bytes, Press Ctrl_C to break
From 10.1.1.254: bytes=32 seq=1 ttl=255 time=47 ms
From 10.1.1.254: bytes=32 seq=2 ttl=255 time=32 ms
From 10.1.1.254: bytes=32 seq=3 ttl=255 time=31 ms
From 10.1.1.254: bytes=32 seq=4 ttl=255 time=47 ms
From 10.1.1.254: bytes=32 seq=5 ttl=255 time=31 ms

--- 10.1.1.254 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 31/37/47 ms

可以看到,恢复正常了。

3.配置Proxy ARP:

[R1]display ip routing-table 
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 10       Routes : 10       

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

       10.1.1.0/24  Direct  0    0           D   10.1.1.254      GigabitEthernet
0/0/1
     10.1.1.254/32  Direct  0    0           D   127.0.0.1       GigabitEthernet
0/0/1
     10.1.1.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet
0/0/1
       10.1.2.0/24  Direct  0    0           D   10.1.2.254      GigabitEthernet
0/0/2
     10.1.2.254/32  Direct  0    0           D   127.0.0.1       GigabitEthernet
0/0/2
     10.1.2.255/32  Direct  0    0           D   127.0.0.1       GigabitEthernet
0/0/2
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
127.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0
255.255.255.255/32  Direct  0    0           D   127.0.0.1       InLoopBack0

默认情况下,ARP代理功能是关闭的,因此PC-2和PC-3不能联通:

PC>ping 10.1.2.3

Ping 10.1.2.3: 32 data bytes, Press Ctrl_C to break
From 10.1.1.2: Destination host unreachable
From 10.1.1.2: Destination host unreachable
From 10.1.1.2: Destination host unreachable
From 10.1.1.2: Destination host unreachable
From 10.1.1.2: Destination host unreachable

--- 10.1.2.3 ping statistics ---
  5 packet(s) transmitted
  0 packet(s) received
  100.00% packet loss

如果配置ARP代理功能:

[R1]interface g0/0/1
[R1-GigabitEthernet0/0/1]arp-proxy enable 
PC>ping 10.1.2.3

Ping 10.1.2.3: 32 data bytes, Press Ctrl_C to break
From 10.1.2.3: bytes=32 seq=1 ttl=127 time=63 ms
From 10.1.2.3: bytes=32 seq=2 ttl=127 time=78 ms
From 10.1.2.3: bytes=32 seq=3 ttl=127 time=47 ms
From 10.1.2.3: bytes=32 seq=4 ttl=127 time=78 ms
From 10.1.2.3: bytes=32 seq=5 ttl=127 time=63 ms

--- 10.1.2.3 ping statistics ---
  5 packet(s) transmitted
  5 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 47/65/78 ms

可以看到,此时PC-2能联通PC-3;

查看PC-2的ARP表:

PC>arp -a

Internet Address    Physical Address    Type
10.1.2.3            00-E0-FC-89-04-76   dynamic

至此,ARP和Proxy ARP实验完成!

最后,思考一个问题:

在ARP代理开启的情况下,如果在PC-2上PING10.1.2.4(不存在),icmp echo报文是在PC-2还是R1路由器丢掉的?
答:在R1路由器上丢掉的。R1的G0/0/1开启ARP代理后,收到PC-2的广播请求后,R1查看到有10.1.2.0/24的网络,于是R1将G0/0/1的MAC地址返回给PC-2,PC-2已此MAC地址为目的地址将保卫呢发送给R1;R1收到后,在ARP缓存中查找10.1.2.4的映射MAC地址
,但没发现10.1.2.4的映射条目,于是在10.1.2.0/24的网段中广播发送查找10.1.2.4,但是没有找到,于是丢弃icmp echo报文。

你可能感兴趣的:(HCNA学习)