LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 03-26-2014, 07:38 PM   #1
homerwsmith
LQ Newbie
 
Registered: Aug 2010
Posts: 14

Rep: Reputation: 0
ARP tables showing other subnet mac addresses


Dear Gentle folk,

I have 3 machines running CentOS connected
like this:

A --- eth0 Router eth0 --- B

A is 192.168.1.3/24
B is 192.168.2.3/24
Router has both subnets on eth0 with one network card.

Both A and B show each other's MAC address in
their own ARP table. Thus when A is sending to B,
it appears some processes send it directly to B rather than
through the router.

Why?

How do I stop this behavior utterly?

Thanks in advance,

Homer W. Smith
CEO Lightlink Internet.
 
Old 03-27-2014, 04:44 AM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,404

Rep: Reputation: Disabled
For a host to add an entry to its ARP table, it must receive an ARP Reply packet from another host. And for that to happen, there has to be a Layer 2 connection between the hosts. Perhaps the router has a built-in switch and has two IP addresses assigned to the same Layer 3 interface, what is commonly known as a "router on a stick" setup?

Somehow it seems the hosts in question are sharing the same physical network infrastructure. It is entirely possible to have two logical (layer 3) networks (for instance, 192.168.1.0/24 and 192.168.2.0/24) share the same Layer 2 (typically Ethernet) network infrastructure. This will not cause routing issues in and by itself, but hosts on either network are bound to pick up ARP replies from the other network.

If you run tcpdump -i eth0 on either host, you should be able to see whether the host is picking up traffic (broadcasts) from the opposite network. traceroute will tell you whether packets to hosts on the other network are sent via the gateway router or not.
 
Old 03-27-2014, 04:27 PM   #3
homerwsmith
LQ Newbie
 
Registered: Aug 2010
Posts: 14

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Ser Olmy View Post
For a host to add an entry to its ARP table, it must receive an ARP Reply packet from another host. And for that to happen, there has to be a Layer 2 connection between the hosts. Perhaps the router has a built-in switch and has two IP addresses assigned to the same Layer 3 interface, what is commonly known as a "router on a stick" setup?

Somehow it seems the hosts in question are sharing the same physical network infrastructure. It is entirely possible to have two logical (layer 3) networks (for instance, 192.168.1.0/24 and 192.168.2.0/24) share the same Layer 2 (typically Ethernet) network infrastructure. This will not cause routing issues in and by itself, but hosts on either network are bound to pick up ARP replies from the other network.

If you run tcpdump -i eth0 on either host, you should be able to see whether the host is picking up traffic (broadcasts) from the opposite network. traceroute will tell you whether packets to hosts on the other network are sent via the gateway router or not.
All three machines are standard Fedora/Centos setups, the router has two interfaces, one on eth1 facing the
outside world, and eth0 facing the inside world.

eth0 has 192.168.1.1/24 and 192.168.2.1/24 assigned to it.

machines A and B are connected via a standard dell switch to each other and the router. There are no vlan's on
the switch except the default vlan 1.

Machine A is 192.168.1.3/24
Machine B is 192.168.2.3/24

Both A and B hear each other's arp requests as they are broadcasts. However they should not be hearing
each other's replies as they are unicast through the switch. Each machine maybe offering gratuitous arps as
broadcasts and thus learning about each other's mac addresses.

However A has no business putting mac addresses in its arp table for B's subnet 192.168.2.x/24

traceroute shows that A talks to B via the router.

However tcpdump shows that pings sometimes go through the router both going out and coming back,
and sometimes one goes through the router and the other path goes directly, and sometimes both paths
are direct between A and B.

Is this a 'feature' or a bug?

Homer W. Smith
CEO Lightlink Internet
 
Old 03-27-2014, 05:02 PM   #4
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,404

Rep: Reputation: Disabled
Quote:
Originally Posted by homerwsmith View Post
eth0 has 192.168.1.1/24 and 192.168.2.1/24 assigned to it.

machines A and B are connected via a standard dell switch to each other and the router. There are no vlan's on
the switch except the default vlan 1.
So the networks do share the same L2 infrastructure.

Quote:
Originally Posted by homerwsmith View Post
Both A and B hear each other's arp requests as they are broadcasts. However they should not be hearing
each other's replies as they are unicast through the switch. Each machine maybe offering gratuitous arps as
broadcasts and thus learning about each other's mac addresses.
Gratuitous ARPs are quite common, so I wouldn't be surprised to see ARP entries for hosts in the opposite network.

Quote:
Originally Posted by homerwsmith View Post
However A has no business putting mac addresses in its arp table for B's subnet 192.168.2.x/24
ARP doesn't check networks/subnets. Any received ARP reply, solicited or not, goes straight into the ARP table.

Quote:
Originally Posted by homerwsmith View Post
traceroute shows that A talks to B via the router.
As expected...

Quote:
Originally Posted by homerwsmith View Post
However tcpdump shows that pings sometimes go through the router both going out and coming back,
and sometimes one goes through the router and the other path goes directly, and sometimes both paths
are direct between A and B.
Are you absolutely sure you're interpreting the capture correctly? Because there's really no way that should happen unless there's something odd going on with the routing table on the source host.

Entries in the ARP table should never affect routing operations. The routing table is checked first, then the ARP table is consulted to find the MAC address of the desired gateway or host.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] ARP does not resolve MAC address of hosts on the same subnet chenbo Linux - Networking 1 07-26-2011 11:12 PM
IP addresses Vs MAC and ARP KinnowGrower Linux - Networking 6 09-15-2008 03:33 PM
Binding 2 NICs (MAC addresses) to 2 IP Addresses in same Subnet RedHat EL4.0 skhira Linux - Networking 13 02-24-2008 09:16 PM
Binding 2 NICs (MAC addresses) to 2 IP Addresses in same Subnet RedHat EL4.0 skhira Linux - Networking 1 02-09-2008 08:17 AM


All times are GMT -5. The time now is 06:53 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration