IP Addresses and Address Resolution Protocol (ARP)
   Document revision 1.4 (29-Dec-2003) 
This document applies to the MikroTik RouterOS V2.7  
    Summary
  The following Manual discusses managing IP addresses and the Address Resolution Protocol (ARP). IP addresses serve as identification when communicating with other network devices using the  TCP/IP protocol. In turn, communication between devices in one physical network proceeds with the help of Address Resolution Protocol and ARP addresses.  
Specifications
  Packages required : None
  License required : Any
  Home menu level : /ip address, /ip arp
  Protocols utilized : IP (RFC791), ARP (RFC826)
  Hardware usage: not significant
 Related Documents
  Software Package Installation and Upgrading
 IP Addressing
  Submenu level : /ip address
Description
 IP addresses serve for general host identification purposes in IP networks. A typical (IPv4) address consists of four octets. For correct addressing the router also needs the network mask value, that is, which bits of the complete IP address refer to the address of the host, and which to the address of the network. The network address value is calculated by a binary AND operation from the network mask and IP address values. It is also possible to specify the IP address followed by a slash "/" and the number of bits assigned to the network mask. In most cases, it is enough to specify the address, the netmask, and the interface arguments. The network prefix and the broadcast address are calculated automatically.
 It is possible to add multiple IP addresses to an interface or to leave the  interface without any addresses assigned to it. Leaving a physical interface without an IP address  is a must when the bridging between interfaces is used. In case of bridging, the IP address  is assigned to a bridge interface. 
 MikroTik RouterOS has the following types of addresses:
- Static IP Addresses are user-assigned addresses to the network interfaces.
- Dynamic IP Addresses are assigned automatically when ppp, pptp, or pppoe connections are established.
 
Property Description
 address (IP address) - IP address of the host
 broadcast (IP address; default: 255.255.255.255) - broadcasting IP address, by default calculated from an IP address and a network mask
 comment (text; default: "") - an optional comment for the IP address
 disabled (yes | no; default: no) - is the address disabled or not
 interface (name) - the name of the interface the IP address is assigned to
 netmask (IP address; default: 0.0.0.0) - specifies the network address part of an IP address
 network (IP address; default: 0.0.0.0) - IP address of the network. For point-to-point links it should be the address of the remote end
 
Example
 [admin@MikroTik] ip address> add address=10.10.10.1/24 interface=ether2
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   2.2.2.1/24         2.2.2.0         2.2.2.255       ether2
  1   10.5.7.244/24      10.5.7.0        10.5.7.255      ether1
  2   10.10.10.1/24      10.10.10.0      10.10.10.255    ether2
[admin@MikroTik] ip address>
 
Address Resolution Protocol
  Submenu level : /ip arp
Description
 Address Resolution Protocol is used to map IP addresses to MAC layer addresses. A router has a table of currently used ARP entries. Normally the table is built dynamically, but to increase network security, static entries can be added.
Property Description
 address (IP address) - IP address
 comment (text; default: "") - an optional comment
 disabled (yes | no; default: no) - is the entry disabled or not
 interface (name) - the name of the interface
 mac-address (MAC address; default: 00:00:00:00:00:00) - MAC address to be mapped to
 
Notes
 The maximum number of ARP entries is 1024. If the arp feature is turned off on an interface, i.e., arp=disabled is used, ARP requests from clients are not answered by the router. Therefore, a static arp entry should be added to the clients as well. For example, the router's IP and MAC addresses should be added to the Windows workstations using the arp command:
C:\> arp -s 10.5.8.254  00-aa-00-62-c6-09
 
Example
 [admin@MikroTik] ip arp> add address=10.10.10.10 interface=ether2 mac-address=06 \\
\\... :21:00

00:12
[admin@MikroTik] ip arp> print
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic
  #   ADDRESS         MAC-ADDRESS       INTERFACE
  0 D 2.2.2.2         00:30:4F:1B:B3:D9 ether2
  1 D 10.5.7.242      00:A0:24:9D

A4 ether1
  2   10.10.10.10     06:21:00

00:12 ether2
[admin@MikroTik] ip arp>
If static arp entries are used for network security on an interface, you should set arp to 'reply-only' on that interface. Do it under the relevant /interfaces menu:
[admin@MikroTik] ip arp> /interface ethernet set ether2 arp=reply-only
[admin@MikroTik] ip arp> print
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic
  #   ADDRESS         MAC-ADDRESS       INTERFACE
  0 D 10.5.7.242      00:A0:24:9D

A4 ether1
  1   10.10.10.10     06:21:00

00:12 ether2
[admin@MikroTik] ip arp>
 
Using the Proxy-ARP Feature
  Description
 All physical interfaces, like Ethernet, Prism, Aironet (PC), WaveLAN, etc., can be set for using the Address Resolution Protocol or not. By default, the arp feature is enabled. However, it can be changed to proxy-arp. The Proxy-ARP feature means that the router will be listening to arp requests received at the relevant interface and respond to them with its own MAC address, if the request matches any other IP address of the router.
Example
 For example, you can assign IP addresses to dial-in (ppp, pppoe, pptp) clients from the same address space as used on the connected LAN, if you enable proxy-arp on the LAN interface. Let us consider the following setup:
 
 The MikroTik router setup is as follows: 
[admin@MikroTik] ip arp> /interface ethernet print
Flags: X - disabled, R - running
  #    NAME                 MTU   MAC-ADDRESS       ARP
  0  R eth-LAN              1500  00

08:00:00:F5 proxy-arp
[admin@MikroTik] ip arp> /interface print
Flags: X - disabled, D - dynamic, R - running
  #    NAME                 TYPE             MTU
  0    eth-LAN              ether            1500
  1    prism1               prism            1500
  2 D  pppoe-in25           pppoe-in
  3 D  pppoe-in26           pppoe-in
[admin@MikroTik] ip arp> /ip address print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   10.0.0.217/24      10.0.0.0        10.0.0.255      eth-LAN
  1 D 10.0.0.217/32      10.0.0.230      0.0.0.0         pppoe-in25
  2 D 10.0.0.217/32      10.0.0.231      0.0.0.0         pppoe-in26
[admin@MikroTik] ip arp> /ip route print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, R - rip, O - ospf, B - bgp
    #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
    0  S 0.0.0.0/0          r 10.0.0.1        1        eth-LAN
    1 DC 10.0.0.0/24        r 0.0.0.0         0        eth-LAN
    2 DC 10.0.0.230/32      r 0.0.0.0         0        pppoe-in25
    3 DC 10.0.0.231/32      r 0.0.0.0         0        pppoe-in26
[admin@MikroTik] ip arp>
 
Using Unnumbered Interfaces
  Description
 The unnumbered interfaces can be used on serial point-to-point links, e.g., MOXA or Cyclades interfaces. A private address should be put on the interface with the network being the same as an address on the router on the other side of the p2p link (there may be no IP on that interface, but there is an IP for that router).
Example
 [admin@MikroTik] ip address> add address=10.0.0.214/32 network=192.168.0.1 \
\... interface=pppsync
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   10.0.0.214/32      192.168.0.1     192.168.0.1     pppsync
[admin@MikroTik] ip address>
[admin@MikroTik] ip address> .. route print detail
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, R - rip, O - ospf, B - bgp
    0  S dst-address=0.0.0.0/0 preferred-source=0.0.0.0 gateway=192.168.0.1
         gateway-state=reachable distance=1 interface=pppsync
    1 DC dst-address=192.168.0.1/32 preferred-source=10.0.0.214
         gateway=0.0.0.0 gateway-state=reachable distance=0 interface=pppsync
[admin@MikroTik] ip address>
Here you can see that a dynamic connected route has been automatically added to the routes list. If you want the default gateway to be the other router of the p2p link, just add a static route for it. It is shown as #0 in the example above.
Troubleshooting
 
- I added IP addresses 10.0.0.1/24 and 10.0.0.2/24 to the interfaces ether1 and ether2, but nothing works.
  Both addresses are from the same network 10.0.0.0/24, use addresses from different networks on different interfaces, or enable proxy-arp on ether1 or ether2.
- I was going to use static ARP and have my network secured that way. For the first 10 minutes everything is fine, then router becomes totally unavailable.
  After you turn off ARP on router's interface, the dynamic ARP entries expire on the client computers. You should add the router's IP and MAC addresses to the static ARP entries of the workstations.
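The AND calculation from the IP Addressing section and the first troubleshooting case, as an added example that is not part of the MikroTik manual: the Python below derives network and broadcast values and reports addresses from one network placed on different interfaces. The function names and the sample table are constructed for illustration; /32 point-to-point entries are skipped, and proxy-arp, which the manual offers as the alternative fix, is not modelled.

```python
# Added example, not MikroTik code: network/broadcast via binary AND, plus a
# check for addresses of one network configured on different interfaces.

def to_int(ip):
    """Dotted quad -> 32-bit integer, rejecting malformed input."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError("bad IPv4 address: %r" % ip)
    return sum(int(p) << s for p, s in zip(parts, (24, 16, 8, 0)))

def to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def mask_of(bits):
    if not 0 <= bits <= 32:
        raise ValueError("bad prefix length: %r" % bits)
    return (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF

def derive(cidr):
    """'10.10.10.1/24' -> (network, broadcast) computed from address and mask."""
    addr, bits = cidr.split("/")
    mask = mask_of(int(bits))
    network = to_int(addr) & mask              # binary AND of address and netmask
    broadcast = network | (~mask & 0xFFFFFFFF)  # host bits all set to one
    return to_ip(network), to_ip(broadcast)

def parse_rows(text):
    """Parse '/ip address print' rows into (flags, cidr, interface) tuples."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or not tok[0].isdigit():
            continue                            # prompt, legend or header line
        flags = "" if "/" in tok[1] else tok[1]
        cidr = tok[2] if flags else tok[1]
        rows.append((flags, cidr, tok[-1]))
    return rows

def same_network_conflicts(rows):
    """Pairs of enabled addresses whose networks overlap on different interfaces."""
    live = []
    for flags, cidr, iface in rows:
        addr, bits = cidr.split("/")
        if "X" not in flags and int(bits) < 32:  # skip disabled and /32 entries
            live.append((to_int(addr), int(bits), cidr, iface))
    found = []
    for n, (a1, b1, c1, i1) in enumerate(live):
        for a2, b2, c2, i2 in live[n + 1:]:
            shared = mask_of(min(b1, b2))        # compare under the shorter prefix
            if i1 != i2 and (a1 & shared) == (a2 & shared):
                found.append((c1, i1, c2, i2))
    return found

# Constructed sample in the manual's print layout: the troubleshooting case,
# one dynamic /32 and one unrelated network.
SAMPLE = """\
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   10.0.0.1/24        10.0.0.0        10.0.0.255      ether1
  1   10.0.0.2/24        10.0.0.0        10.0.0.255      ether2
  2 D 10.0.0.217/32      10.0.0.230      0.0.0.0         pppoe-in25
  3   10.10.10.1/24      10.10.10.0      10.10.10.255    ether3
"""

if __name__ == "__main__":
    print(derive("10.10.10.1/24"))
    print(same_network_conflicts(parse_rows(SAMPLE)))
```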
  Additional Resources
 Addressing in Local Area Networks   © Copyright 1999-2003, MikroTik 
============================================
ARP: Address Resolution Protocol
Ethernet hosts use the Address Resolution Protocol (ARP) to convert a 32-bit internet IP address into a 48-bit Ethernet MAC address used by network hardware. (See: RFC 826) ARP broadcasts are sent to all hosts on the subnet by the data transmitting host to see who replies. The broadcast is ignored by all except the intended receiver which recognizes the IP address as its own. The MAC addresses are remembered (ARP cache) for future network communications. Computers on the subnet typically keep a cache of ARP responses. ARP broadcasts are passed on by hubs and switches but are blocked by routers.
Reverse ARP (See: RFC 903) is a bootstrap protocol which allows a client to broadcast requesting a server to reply with its IP address.
              
       
- arp (8) man page - manipulate the system ARP cache
 - Shows other systems on your network (including IP address conflicts): arp -a
 - Show ARP table  Linux style: arp -e
 - arpwatch (8) man page - keep track of ethernet/ip address pairings
 - arpsnmp (8) man page - keep track of ethernet/ip address pairings. Reads information generated by snmpwalk
 - arping (8) man page - send ARP REQUEST to a neighbor host
   Print ARP reply (similar to arp -a): arping 192.168.10.99
 - List ARP table: cat /proc/net/arp
 - ip (8) man page - show / manipulate routing, devices, policy routing and tunnels
   View ARP table: ip neighbor
         ARP is something that simply works. No Linux system configuration is necessary. It's all part of the ethernet and IP protocol.  The aforementioned information is just part of the Linux culture of full visibility into what is going on. 
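An added example, not part of the original page: a small arpwatch-style check in Python that parses a /proc/net/arp snapshot and compares it with pinned IP-to-MAC pairings, the same idea as the static ARP entries described earlier. The snapshot, the pinned table and the finding names are constructed for illustration.

```python
# Added example, not from the original page: audit a /proc/net/arp snapshot
# against pinned IP-to-MAC pairings.

ATF_COM, ATF_PERM = 0x02, 0x04        # "lookup complete" and "permanent entry" bits

def parse_proc_net_arp(text):
    """Return one dict per data row of /proc/net/arp."""
    entries = []
    for line in text.splitlines()[1:]:            # first line is the column header
        f = line.split()
        if len(f) != 6:
            continue                              # ignore anything that is not a full row
        entries.append({"ip": f[0], "flags": int(f[2], 16),
                        "mac": f[3].lower(), "dev": f[5]})
    return entries

def audit(entries, pinned):
    """Compare observed entries with pinned {ip: mac}; return sorted findings."""
    findings = []
    by_mac = {}
    for e in entries:
        if not e["flags"] & ATF_COM:
            continue                              # unresolved entry, no usable MAC yet
        by_mac.setdefault((e["dev"], e["mac"]), []).append(e["ip"])
        want = pinned.get(e["ip"])
        if want and want.lower() != e["mac"]:
            # The pairing differs from the one recorded for this address.
            findings.append(("mac-changed", e["ip"], e["mac"]))
        elif want and not e["flags"] & ATF_PERM:
            # Correct today, but learned dynamically, so it can still be replaced.
            findings.append(("not-permanent", e["ip"], e["mac"]))
    for (dev, mac), ips in by_mac.items():
        if len(ips) > 1:
            # One MAC answering for several IPs: expected behind a proxy-arp
            # router, otherwise worth a look.
            findings.append(("mac-shared", ",".join(sorted(ips)), mac))
    return sorted(findings)

# Constructed snapshot in the /proc/net/arp layout (addresses are made up).
SNAPSHOT = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.10.1     0x1         0x6         02:00:00:00:00:01     *        eth0
192.168.10.20    0x1         0x2         02:00:00:00:00:66     *        eth0
192.168.10.30    0x1         0x2         02:00:00:00:00:66     *        eth0
192.168.10.40    0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.10.50    0x1         0x2         02:00:00:00:00:50     *        eth0
"""

# Constructed pinned pairings, as an administrator would record them.
PINNED = {
    "192.168.10.1": "02:00:00:00:00:01",
    "192.168.10.20": "02:00:00:00:00:20",
    "192.168.10.50": "02:00:00:00:00:50",
}

if __name__ == "__main__":
    for finding in audit(parse_proc_net_arp(SNAPSHOT), PINNED):
        print(*finding)
```

On a live system the snapshot would be the contents of /proc/net/arp read at intervals.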
==================================================  =============
arp - Linux ARP kernel module.

DESCRIPTION
This kernel protocol module implements the Address Resolution Protocol defined in RFC 826. It is used to convert between Layer2 hardware addresses and IPv4 protocol addresses on directly connected networks. The user normally doesn't interact directly with this module except to configure it; instead it provides a service for other protocols in the kernel.
A user process can receive ARP packets by using packet(7) sockets. There is also a mechanism for managing the ARP cache in user-space by using netlink(7) sockets. The ARP table can also be controlled via ioctl(2) on any AF_INET socket.
The ARP module maintains a cache of mappings between hardware addresses and protocol addresses. The cache has a limited size so old and less frequently used entries are garbage-collected. Entries which are marked as permanent are never deleted by the garbage-collector. The cache can be directly manipulated by the use of ioctls and its behavior can be tuned by the /proc interfaces described below.
When there is no positive feedback for an existing mapping after some time (see the /proc interfaces below), a neighbor cache entry is considered stale. Positive feedback can be gotten from a higher layer; for example from a successful TCP ACK. Other protocols can signal forward progress using the MSG_CONFIRM flag to sendmsg(2). When there is no forward progress, ARP tries to reprobe. It first tries to ask a local arp daemon app_solicit times for an updated MAC address. If that fails and an old MAC address is known, a unicast probe is sent ucast_solicit times. If that fails too, it will broadcast a new ARP request to the network. Requests are only sent when there is data queued for sending.
Linux will automatically add a non-permanent proxy arp entry when it receives a request for an address it forwards to and proxy arp is enabled on the receiving interface. When there is a reject route for the target, no proxy arp entry is added.

Ioctls
Three ioctls are available on all AF_INET sockets. They take a pointer to a struct arpreq as their argument.
struct arpreq {
    struct sockaddr arp_pa;      /* protocol address */
    struct sockaddr arp_ha;      /* hardware address */
    int             arp_flags;   /* flags */
    struct sockaddr arp_netmask; /* netmask of protocol address */
    char            arp_dev[16];
};

==================================================
- MAC Address: (media access control) is the network card address used for communication between other network devices on the subnet. This info is not routable. The ARP table maps TCP/IP address (global internet) to the local hardware on the local network. Use the command /sbin/ifconfig to view both the IP address and the MAC address. The MAC address uniquely identifies each node of a network and is used by the Ethernet protocol.
- Full Duplex: Allows the simultaneous sending and receiving of packets. Most modern modems support full duplex.
- Half Duplex: Allows the sending and receiving of packets in one direction at a time only.
- OSI 7 Layer Model: The ISO (International Standards Organization) has defined the OSI (Open Systems Interconnection) model for current networking protocols.

  OSI Layer  Description                                                                                  Linux Networking Use
  7          Application Layer. The top layer for communications applications like email and the web.     telnet, web browser, sendmail
  6          Presentation Layer. Syntax and format of data transfer.                                      SMTP, http
  5          Session Layer.
  4          Transport Layer. Connection, acknowledgement and data packet transmission.                   TCP, UDP
  3          Network Layer.                                                                               IP, ARP
  2          Data Link Layer. Error control, timing                                                       Ethernet
  1          Physical Layer. Electrical characteristics of signal and NIC                                 Ethernet

- Network Hub: Hardware to connect network devices together. The devices will all be on the same network and/or subnet. All network traffic is shared and can be sniffed by any other node connected to the same hub.
- Network Switch: Like a hub but creates a private link between any two connected nodes when a network connection is established. This reduces the amount of network collisions and thus improves speed. Broadcast messages are still sent to all nodes.
==================================================
SIOCSARP, SIOCDARP and SIOCGARP respectively set, delete and get an ARP mapping. Setting and deleting ARP maps are privileged operations and may only be performed by a process with the CAP_NET_ADMIN capability or an effective UID of 0.
arp_pa must be an AF_INET socket and arp_ha must have the same type as the device which is specified in arp_dev. arp_dev is a zero-terminated string which names a device.

arp_flags
  flag             meaning
  ATF_COM          Lookup complete
  ATF_PERM         Permanent entry
  ATF_PUBL         Publish entry
  ATF_USETRAILERS  Trailers requested
  ATF_NETMASK      Use a netmask
  ATF_DONTPUB      Don't answer
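An added example, not code from the man page: reading one ARP mapping with SIOCGARP from Python on Linux, showing the struct arpreq layout and the arp_flags bits listed above. The SIOCGARP and ATF_* values are taken from the Linux headers; the helper names and the sample reply (built from the address pair in the arp -s example earlier on this page) are constructed.

```python
# Added example, not from the man page: SIOCGARP and struct arpreq in Python.
import fcntl
import socket
import struct

SIOCGARP = 0x8954                          # value from <linux/sockios.h>
ATF = {0x02: "ATF_COM", 0x04: "ATF_PERM", 0x08: "ATF_PUBL",
       0x10: "ATF_USETRAILERS", 0x20: "ATF_NETMASK", 0x40: "ATF_DONTPUB"}

# struct arpreq: three struct sockaddr (2-byte family + 14 data bytes), an int
# and a 16-byte device name; 68 bytes, no padding needed.
ARPREQ = struct.Struct("=H14sH14siH14s16s")

def pack_request(ip, dev):
    """Build the arpreq handed to SIOCGARP: only arp_pa and arp_dev are filled."""
    name = dev.encode()
    if len(name) > 15:
        raise ValueError("device name does not fit arp_dev[16]")
    # sockaddr_in inside sa_data: 2-byte port (unused here), then the IPv4 address.
    pa = b"\0\0" + socket.inet_aton(ip)
    return ARPREQ.pack(socket.AF_INET, pa, 0, b"", 0, 0, b"", name)

def decode_reply(buf):
    """Turn the arpreq filled in by the kernel into a dict."""
    _pa_fam, pa, ha_fam, ha, flags, _nm_fam, _nm, dev = ARPREQ.unpack(buf)
    return {
        "ip": socket.inet_ntoa(pa[2:6]),
        "hw_type": ha_fam,                               # 1 means Ethernet
        "mac": ":".join("%02x" % b for b in ha[:6]),
        "flags": [n for bit, n in sorted(ATF.items()) if flags & bit],
        "dev": dev.split(b"\0", 1)[0].decode(),
    }

def lookup(ip, dev):
    """Read one mapping from the kernel; OSError (ENXIO) means no entry exists."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return decode_reply(fcntl.ioctl(s, SIOCGARP, pack_request(ip, dev)))

# Constructed reply: what the kernel would return for a permanent, resolved entry.
SAMPLE_REPLY = ARPREQ.pack(socket.AF_INET, b"\0\0" + socket.inet_aton("10.5.8.254"),
                           1, bytes.fromhex("00aa0062c609"), 0x06, 0, b"", b"eth0")

if __name__ == "__main__":
    print(decode_reply(SAMPLE_REPLY))
```

Reading with SIOCGARP needs no privilege; only the set and delete ioctls require CAP_NET_ADMIN, as stated above.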
 
If the ATF_NETMASK flag is set, then arp_netmask should be valid. Linux 2.2 does not support proxy network ARP entries, so this should be set to 0xffffffff, or 0 to remove an existing proxy arp entry. ATF_USETRAILERS is obsolete and should not be used.

/proc interfaces
ARP supports a range of /proc interfaces to configure parameters on a global or per-interface basis. The interfaces can be accessed by reading or writing the /proc/sys/net/ipv4/neigh/*/* files. Each interface in the system has its own directory in /proc/sys/net/ipv4/neigh/. The setting in the "default" directory is used for all newly created devices. Unless otherwise specified, time-related interfaces are specified in seconds.

anycast_delay (since Linux 2.2)
    The maximum number of jiffies to delay before replying to an IPv6 neighbor solicitation message. Anycast support is not yet implemented. Defaults to 1 second.
app_solicit (since Linux 2.2)
    The maximum number of probes to send to the user space ARP daemon via netlink before dropping back to multicast probes (see mcast_solicit). Defaults to 0.
base_reachable_time (since Linux 2.2)
    Once a neighbor has been found, the entry is considered to be valid for at least a random value between base_reachable_time/2 and 3*base_reachable_time/2. An entry's validity will be extended if it receives positive feedback from higher level protocols. Defaults to 30 seconds. This file is now obsolete in favor of base_reachable_time_ms.
base_reachable_time_ms (since Linux 2.6.12)
    As for base_reachable_time, but measures time in milliseconds. Defaults to 30000 milliseconds.
delay_first_probe_time (since Linux 2.2)
    Delay before first probe after it has been decided that a neighbor is stale. Defaults to 5 seconds.
gc_interval (since Linux 2.2)
    How frequently the garbage collector for neighbor entries should attempt to run. Defaults to 30 seconds.
gc_stale_time (since Linux 2.2)
    Determines how often to check for stale neighbor entries. When a neighbor entry is considered stale, it is resolved again before sending data to it. Defaults to 60 seconds.
gc_thresh1 (since Linux 2.2)
    The minimum number of entries to keep in the ARP cache. The garbage collector will not run if there are fewer than this number of entries in the cache. Defaults to 128.
gc_thresh2 (since Linux 2.2)
    The soft maximum number of entries to keep in the ARP cache. The garbage collector will allow the number of entries to exceed this for 5 seconds before collection will be performed. Defaults to 512.
gc_thresh3 (since Linux 2.2)
    The hard maximum number of entries to keep in the ARP cache. The garbage collector will always run if there are more than this number of entries in the cache. Defaults to 1024.
locktime (since Linux 2.2)
    The minimum number of jiffies to keep an ARP entry in the cache. This prevents ARP cache thrashing if there is more than one potential mapping (generally due to network misconfiguration). Defaults to 1 second.
mcast_solicit (since Linux 2.2)
    The maximum number of attempts to resolve an address by multicast/broadcast before marking the entry as unreachable. Defaults to 3.
proxy_delay (since Linux 2.2)
    When an ARP request for a known proxy-ARP address is received, delay up to proxy_delay jiffies before replying. This is used to prevent network flooding in some cases. Defaults to 0.8 seconds.
proxy_qlen (since Linux 2.2)
    The maximum number of packets which may be queued to proxy-ARP addresses. Defaults to 64.
retrans_time (since Linux 2.2)
    The number of jiffies to delay before retransmitting a request. Defaults to 1 second. This file is now obsolete in favor of retrans_time_ms.
retrans_time_ms (since Linux 2.6.12)
    The number of milliseconds to delay before retransmitting a request. Defaults to 1000 milliseconds.
ucast_solicit (since Linux 2.2)
    The maximum number of attempts to send unicast probes before asking the ARP daemon (see app_solicit). Defaults to 3.
unres_qlen (since Linux 2.2)
    The maximum number of packets which may be queued for each unresolved address by other network layers. Defaults to 3.