Patent filed

Finally, I have finished filing my patent regarding PVTD - The Private VLAN enabler.

It is strange how a patent attorney is able to add so many words to a technical document whose content he has a very limited understanding of…

Anyway, I am back to authoring labs. Hope you will enjoy them…

Windows 2008/Vista/7 ARP Cache

Starting with Windows 2008 for servers and Vista for workstations, Microsoft have decided to implement RFC4861. You can read about it here.

Now, I know that you haven’t really read it! So here is a short summary:
  • The ARP cache has the following states: Reachable and Stale
  • Reachable is the old “resolved” state
  • Stale means that the entry wasn’t used for some time. Not used means that there is no positive feedback that there is a two way communication with the host in that ARP cache entry.
  • If the host wants to send traffic to an entry which is in Stale status it will send a reachability probe.
  • A reachability probe is a unicast ARP request. Yes, a UNICAST ARP.
  • If there is an answer, or return traffic suddenly arrives, the state goes back to Reachable.

Here was my question: While in “Stale” mode, will Windows send the packet triggering the probing, or will it wait for the reachability check?

The answer: Yes. As long as there is a Reachable or Stale entry in the ARP cache, Windows won't delay the packet.

I won’t bother you with the lab setup details, I’ll just show the dump:

1360422920.568726 00:00:0a:04:06:01 ff:ff:ff:ff:ff:ff 8100 64: 802.1Q vid 6 pri 0 arp who-has 10.4.6.8 tell 10.4.6.1


A Windows machine at 10.4.6.1 is looking for 10.4.6.8.

1360422920.602252 00:00:0a:04:06:c8 00:00:0a:04:06:01 8100 46: 802.1Q vid 6 pri 0 arp reply 10.4.6.8 is-at 00:00:0a:04:06:c8


My lab machine (scapy) is sending an answer with a non-existent MAC.


1360422920.604391 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:152) (ttl 128, id 311, len 60)
1360422922.068152 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:153) (ttl 128, id 312, len 60)


Windows is sending ICMP requests but never gets any answer. Notice that there is a request every second. The first field in this dump is the time since… the epoch.


1360422923.568005 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:154) (ttl 128, id 313, len 60)
1360422925.068738 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:155) (ttl 128, id 314, len 60)
1360422926.568041 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:156) (ttl 128, id 315, len 60)


More of the same, I'll jump ahead.


1360422947.568142 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:170) (ttl 128, id 329, len 60)
1360422948.068760 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 64: 802.1Q vid 6 pri 0 arp who-has 10.4.6.8 (00:00:0a:04:06:c8) tell 10.4.6.1
1360422949.068217 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 64: 802.1Q vid 6 pri 0 arp who-has 10.4.6.8 (00:00:0a:04:06:c8) tell 10.4.6.1


The ARP entry is now Stale and Windows is sending a unicast ARP probe, but it will never get an answer (this is deliberate on my side).


1360422949.068248 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:171) (ttl 128, id 330, len 60)


But Windows keeps sending those packets every second.


1360422950.068587 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 64: 802.1Q vid 6 pri 0 arp who-has 10.4.6.8 (00:00:0a:04:06:c8) tell 10.4.6.1
1360422950.568226 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:172) (ttl 128, id 331, len 60)
1360422952.068404 00:00:0a:04:06:01 ff:ff:ff:ff:ff:ff 8100 64: 802.1Q vid 6 pri 0 arp who-has 10.4.6.8 tell 10.4.6.1


Windows has had enough of this and sends a normal ARP request to the broadcast address, which my scapy script intends to answer.


1360422952.101660 00:00:0a:04:06:c8 00:00:0a:04:06:01 8100 46: 802.1Q vid 6 pri 0 arp reply 10.4.6.8 is-at 00:00:0a:04:06:c8
1360422952.102077 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:173) (ttl 128, id 332, len 60)
1360422953.568186 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:174) (ttl 128, id 333, len 60)


Life goes on…
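As an added example (not part of the original post), here is a small Python script that parses the tcpdump lines above and reconstructs the NUD timeline from them: how long the entry stayed Reachable before the first unicast probe, how many unicast probes Windows sent before falling back to a broadcast request, and that ICMP kept flowing while the entry was Stale. The trace lines are copied from this page (abridged); the field layout assumed is the tcpdump -e output shown here.

```python
import re

# Constructed sample: abridged tcpdump lines copied from the trace on this page.
TRACE = """\
1360422920.568726 00:00:0a:04:06:01 ff:ff:ff:ff:ff:ff 8100 64: 802.1Q vid 6 pri 0 arp who-has 10.4.6.8 tell 10.4.6.1
1360422920.602252 00:00:0a:04:06:c8 00:00:0a:04:06:01 8100 46: 802.1Q vid 6 pri 0 arp reply 10.4.6.8 is-at 00:00:0a:04:06:c8
1360422920.604391 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:152) (ttl 128, id 311, len 60)
1360422947.568142 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:170) (ttl 128, id 329, len 60)
1360422948.068760 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 64: 802.1Q vid 6 pri 0 arp who-has 10.4.6.8 (00:00:0a:04:06:c8) tell 10.4.6.1
1360422949.068217 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 64: 802.1Q vid 6 pri 0 arp who-has 10.4.6.8 (00:00:0a:04:06:c8) tell 10.4.6.1
1360422949.068248 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:171) (ttl 128, id 330, len 60)
1360422950.068587 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 64: 802.1Q vid 6 pri 0 arp who-has 10.4.6.8 (00:00:0a:04:06:c8) tell 10.4.6.1
1360422950.568226 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:172) (ttl 128, id 331, len 60)
1360422952.068404 00:00:0a:04:06:01 ff:ff:ff:ff:ff:ff 8100 64: 802.1Q vid 6 pri 0 arp who-has 10.4.6.8 tell 10.4.6.1
1360422952.101660 00:00:0a:04:06:c8 00:00:0a:04:06:01 8100 46: 802.1Q vid 6 pri 0 arp reply 10.4.6.8 is-at 00:00:0a:04:06:c8
1360422952.102077 00:00:0a:04:06:01 00:00:0a:04:06:c8 8100 78: 802.1Q vid 6 pri 0 10.4.6.1 > 10.4.6.8: icmp: echo request (id:0001 seq:173) (ttl 128, id 332, len 60)
"""

LINE = re.compile(r"^(\d+\.\d+) (\S+) (\S+) 8100 \d+: 802\.1Q vid \d+ pri \d+ (.*)$")
BCAST = "ff:ff:ff:ff:ff:ff"

def classify(line):
    """Return (timestamp, kind) for one tcpdump -e line, or None if it does not parse."""
    m = LINE.match(line)
    if not m:
        return None
    ts, _src, dst, payload = m.groups()
    # A unicast who-has is the RFC 4861 reachability probe; a broadcast one is a normal request.
    if payload.startswith("arp who-has"):
        kind = "arp_bcast_request" if dst == BCAST else "arp_unicast_probe"
    elif payload.startswith("arp reply"):
        kind = "arp_reply"
    else:
        kind = "icmp_echo" if "icmp: echo request" in payload else "other"
    return float(ts), kind

def analyze(trace):
    """Reconstruct the NUD timeline: time spent Reachable, unicast probes sent before
    the broadcast fallback, and data packets still forwarded while the entry was Stale."""
    events = [e for e in map(classify, trace.splitlines()) if e]
    learned = next(t for t, k in events if k == "arp_reply")
    probes = [t for t, k in events if k == "arp_unicast_probe"]
    fallback = next(t for t, k in events if k == "arp_bcast_request" and t > probes[0])
    stale_icmp = [t for t, k in events if k == "icmp_echo" and probes[0] < t < fallback]
    return {
        "reachable_for": probes[0] - learned,        # seconds until the first probe
        "probe_count": len(probes),                  # unicast probes before giving up
        "fallback_after": fallback - probes[0],      # seconds from first probe to broadcast
        "icmp_sent_while_stale": len(stale_icmp),    # > 0 means packets were not held back
    }
```

Running analyze(TRACE) on this trace shows the entry sat for about 27.5 seconds before the first unicast probe, three probes one second apart, a broadcast fallback four seconds after the first probe, and two echo requests sent in the meantime.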



And remember, if you are using Private VLANs or plan to, make sure you visit my Private VLAN appliance site. You do not want to miss it.

PVTD-VR

I have just published a virtual appliance with a free 30 hosts license.

Enjoy.

For more information about Private VLANs and what PVTD is all about, visit my website at http://marathon-networks.com

Book list

From time to time I get asked about reading lists and books related to CCIE R&S. It is time I placed the list online, so with no further delay, and in order of importance:

  1. Routing TCP/IP, Volume 1 (2nd Edition) - By far, the most important book you must read. First skim through it. Then re-read it. Yes, RE-READ-IT. But now, make sure you understand every paragraph. The only exception are the state machine diagrams.
  2. Routing TCP/IP, Volume II - No surprise here... The EGP section can be skimmed through.
  3. Developing IP Multicast Networks, Volume I - The one and only good book about multicast. You can skim through DVMRP.
  4. Optimal Routing Design - Consolidate your IGP/BGP knowledge.
  5. Troubleshooting IP Routing Protocols - You know what I think about troubleshooting...
  6. QoS for IP/MPLS Networks - Just read the QOS part. The best QOS book out there!
  7. Cisco LAN Switching - Very dated, but most of it still true!
  8. MPLS and VPN Architectures - It sounds dated, but nothing has changed. Understand this, and you are the king of MPLS for the RS lab.
  9. Configuration Guide - Both for 3560 and IOS 12.4T. For each topic, before doing a technology lab, read the relevant chapter(s) from the configuration guide.

That is it.


Marathon Networks' PVTD

In the last year I was very busy.

I have seen many broken Private VLAN networks, and decided to find a way to fix them.

So in the last year I have developed a network appliance called PVTD, which solves many of the Private VLAN problems.

You can read all about it at www.marathon-networks.com