Layer 2 Switches and IP address duplication - networking

Hello Networking Gurus,
I have a question about IP duplication and how this impact the associated switches (layer 2). Sorry, I don't have any resources available to test this. It would be great if someone can shed some lights of their experience on this.
If I have two servers (Linux), say A & B, serving exactly same contents and for some reason they both are assigned same IP address. To be more specific, if A already has an address IP.100 and B has another address IP.200. Now at this point everything seems working and the switch has proper MAC addresses stored. If, later, B also gets the address IP.100, how would this affect the switch's ARP cache? When B gets the new address I assume it broadcasts ARP? to inform the associated switch.
So the question is, Does the switch stores both machines' entries? or overwrites the existing with new? Is there any standard behaviour or proprietary switches reacts differently?
If a client, with no ARP cache, tries to connect to IP.100, which machine would it be forwarded to? A or B or none? If A OR B, can I say from client point-of-view, that there's no outage? (Assume this is a static website, with no login sessions etc)
Feel free to point any relevant documentation.
Thank you in advance.

In theory, you shouldn’t have two hosts talking on the same IP, unless they are participating in routing. Eg any-cast. As things will break.
Each host will have its own MAC address. If the switch is only doing layer two forwarding, then the switch only keeps track of MAC addresses. It is the end hosts or routers that track ARP entries.
If you move IP 100 to B, then the hosts will update their own ARP table.
But if A and B have 100 at the same time, this will cause issues.

Switch will not see any IP's and do not have arp cache for forwarding packets , it will had only mac address table map macs to ports and macs in your case will be unique

I actually think this is how multicast works.
Hosts obtain a multicast address and all of the devices share that same multicast address.
A switch will gather collections of Mac addresses to that same multicast in it's mac table.
I could be wrong though....Still learning.

Related

Various questions about vlan's

I have some questions about vlan's. I know that this forum is more for programming than for networking but this is the best forum that I could think of.
So all my questions are about vlan's. Here they come:
Can one vlan have a different beginning of a ip adress as the other one's (e.g. vlan 1=192.168.2.xx, vlan 2=10.0.0.x)?
Can devices have the same ipadress when they're in different vlan's?
Can you make a "hole" between the vlan's so that a few devices (chosen by you, for example using static ip adresses) can still talk with each other (e.g. a file server on vlan 1 can still talk to the printer on vlan 2)?
Can you have different dns servers for different vlan's?
Can you have different firewall settings for different vlan's? How do you "choose" which firewall you want to change as an admin?
Can you have wifi vlan's (like a vlan for your home wifi and a vlan for your guest wifi)
Can you access the routers settings (192.168.1.1) from every vlan?
When I connect to a network, how do I get assigned to a vlan? Is there like a "If someone connects to the network, it automatically goes to vlan 1 until the admin moves them to a different vlan"?
Can you put a password on a vlan so that you have to put in a password to change vlan's?
Can a user (so not a network admin) choose to change from vlan's (because then question 8 would be relevant)?
How does portforwarding work with vlan's?
If you access the network from outside (e.g. a hacker or just someone else), do you automatically get "redirected" to the standard vlan (1) or do you end up in a "intersection" where you first have to choose the vlan you want to go to?
Can you make a port on a switch that has special access to every vlan at the same time (Only for the network admin)(So for that ethernet port, the network is just one big network instead of divided vlan's)(This would contradict question 2 as then you would have two devices with the same ip adress)?
Can you have a network port with a device attached to it, that will be accessable to every vlan (e.g. a printer)? Is that dangerous because than a hacker could probably access that device and use it to jump between vlan's?
That's it. I know that there are alot of questions but I hope you can help with a few at least. The thing is, youtube video's always just explain that vlan's are separate networks, but I want to know: "How separate are they?" You see that almost every question is about "How separate are they exactly?"
I hope you can help!
Thanks
hopefully this will answer your questions
VLANs are like separated cables inside cable and they do not mix or intefer between themselfs
Answers:
Yes. As mentioned above
Yes but it's not good practice because you can make mistake durring VLANs settings causing sec flaws or IP collisions
Not directly but this can be done via gateway/router between VLANs and all traffic have to go thru GW (easy way)
Yes and usually you do. For example you have:
VLAN 10: Subnet 192.168.10.0/24; GW 192.168.10.1; DNS 192.168.10.1
VLAN 20: Subnet 192.168.20.0/24; GW 192.168.20.1; DNS 192.168.20.1
Yes it is common/required behavior. It is done by filtering firewall rule by incoming interface (eg vnet7), incoming subnet or incoming IP
Yes. But there are two ways setting VLANs:
ACCESS (untag): VLAN is ended at output interface thus client device dont have to support/setup VLAN. Actualy client device even don't know that there is some VLAN
TRUNK (tag): VLAN (or multiple VLANs) are routed thru access point and client device has to be configured same way on incoming interface
Access is what you need in this case
Yes if you setup firewall that way (routing between subnes)
As explained in point 6
No. VLAN is just number. To protect your vlans you have to setup network devices in way that every port (unless needed - eg switches bond interconnection) is set in ACCESS mode so only admin with access to network device can change VLAN for client device. Or implement NAC such as packetfence
As points 6. and 8. Only when your setup allows
Inside VLAN no portforward is needed because all devices in same VLAN are at same L2 network
No simple answer here, it all depends on your VLAN and firewall settings
Can not be done with VLANs only. Common practice is to setup specific VLAN (lets call it management VLAN) which is ended in ACCESS mode on some physicaly secured switch ethernet port and then using firewall and routings on GW to setup access across all VLANS (well .. not all but required ones)
Yes you can as mentioned above but again using firewall and routing settings on gateway
This one is long :) ... fell free to continue in chat

Is there a way to detect the number of connections active on a Wifi network?

If I want to detect the number of connections active on my home Wifi network, how should I go ahead doing it? This can be useful for building applications which would serve as monitoring unidentified/unrecognized people being fraudulently misusing a person's Wifi network.
How to know whether your neighbors or others are using your wireless network is rather complicated.
If your neighbors are experienced Wi-Fi hackers, you might not be able to tell at all.
If they're just stealing your Internet connection, you may be able to tell from the logs on your router.
To find out who's on your wireless network, you'll need to start by taking inventory of all the devices that are meant to be connected. Find out their MAC IDs and their IP addresses (if they're static).
To find out the MAC ID/IP address on a PC, click the Start menu and choose Run. Type cmd and click OK. In the screen that opens, type ipconfig /all and hit Enter. The MAC address will be shown as the physical address. Once you know the MAC addresses of each of the PCs on your network, you will recognize any addresses that don’t belong under the screen that shows the MAC addresses of current connections.
Check IP addresses
Likewise you may be able to see how many IP addresses have been dished out by the DHCP server. If you check the IP addresses of each of your PCs, you can see if other IP addresses have been served.
To find out your IP address from the Start menu, click Run. Then type in cmd and click OK. In the screen that comes up, type ipconfig which will display the IP address for that computer. (Bear in mind, however, that if the PC is set to auto detect settings, then the PC's IP address will change the next time the computer is rebooted or switched on. Sometimes previously served numbers have not yet expired, so you may think someone is connected when they are not.)
Dealing with intruders
If you do find someone using your connection, they may well not be doing so maliciously or even knowingly. Sometimes people can’t tell which is their own connection and they may honestly believe that they are using their Wi-Fi router rather than yours. The best way to deal with this is to set up your own security and maybe you can help them find their own router!
The optimal solution is to set up a strong password using WPA or WPA 2 of almost 20 to 30 digits and numbers. Once your network is functioning, you can switch off the SSID broadcast (which prevents it from advertising the name of your network) so it would effectively disappear as far as your neighbors are concerned, and the first you might hear of it is when someone complains that their Web connection has disappeared.
You could look for logs such as current LAN clients, connection or status log, or connected MAC addresses.
Be Happy :-)
Do you have access to the Access Point management ?
Look for MAC addresses and their filtering. Modern APs allow you to filter devices and or limit the timeframe during which devices can authenticate themselves, using a hardware button.
A link on how to secure your AP here, and a good start to know what to play with !
You can Either USE this Command... On your Router or Modem... Some Modem's have console for Ping and Commands like that....
ipconfig -all

Creating a TCP connection between 2 computers without a server

2 computers are in different subnets.
Both are Windows machines.
There are 2-5 IGMP-ready routers between them.
They can connect each other over multicast protocol (they have joined the same multicast group and they know about each other's existance).
How to establish a reliable TCP connection between them without any public server?
Programming language: C++, WinAPI
(I need a TCP connection to send some big critical data, which I can not entrust to UDP)
You haven't specified a programming language, so this whole question may be off-topic.
Subnets are not the problem. Routability is the problem. Either there is routing set up or there isn't. If they are, for example, both behind NAT boxes, then you're at the mercy of the configuration of the nat boxes. If they are merely on two different subnets of a routed network, it's the job of the network admin to have set up routing. So, each has an IP address, and either can address the other.
On one machine, you are going to create a socket, bind it to some port of your choice, and listen. On the other, you will connect to the first machine's IP + the selected port.
edit
I'm going to try again, but I feel like there's a giant conceptual gap here.
Once upon a time, the TCP/IP was invented. In the original conception, every item on the network has an IPV4 address, and every machine could reach every other machine, via routing, except for machines in the 'private' address space (10.x, etc).
In the very early days, the only 'subnets' were 'class A, class B, class C'. Later the idea of subdividing a network via bitmasks was added. The concept of 'subnet' is just a way of describing a piece of network in which all the hosts can deliver packets to each other by one hop over some transport or another. In a properly configured network, this is only of concern to operating system drivers. Ordinary programs just address packets over the network and they arrive.
The implementation of this connectivity was always via routing protocol. If you have a (physical) ethernet A over here, and a (physical) ethernet B over there, connected by some sort of point-to-point link, the machines on A need to know where to send packets for B. Or, to be exact, they need to know where to send 'not-A' packets, and whatever they send them needs to know where to send 'B' packets. In simple cases, this is arranged via explicit configuration: routing rules stuffed into router boxes or even computers with multiple physical interfaces. In more complex cases, routing boxes intercommunicate via protocols like EGP or BGP or IGMP to learn the network topology.
If you use the Windows 'route' command, you will see the 'default route' that the system uses to send packets that need to leave the local subnet. It is generally the address of the router box responsible for moving information from the local subnet to everywhere else.
The whole goal of this routing is to arrange that a packet sent from a.b.c.d to e.f.g.h will get there. TCP is no different than UDP, except that you can't get there by multicast or broadcast: you need to know the exact address of your correspondent.
DNS was invented to allow hosts to learn each other's IP addresses without having human being send them around in email messages.
All this stops working when people start using NAT and firewalls to turn off routing. The whole idea of NAT is that the computers behind the NAT box are not addressable at all. They all appear to have one IP address. They can send stuff out, but they can only receive stuff if the NAT box has gone to extra trouble to map them a port.
From your original message, I sort of doubt that NAT is in use here. I just don't understand your comment 'I don't have access to the network.' You say that you've sent UDP packets here and there. So how did you do that? What addresses did you use?

Need for IP address

Why do we need an IP address when the MAC address is unique? Cant we communicate only with the MAC address?
You COULD communicate using only the MAC address, but only on your local network. IP addresses are routeable, without every system on the network needing to know about every other. You just need to know a range of addresses that are on your local network, and throw everything else up to your router. The same thing happens at the ISP level. "All 216.x.x.x traffic goes that way, all 105.x.x.x goes that way..."(Obviously a gross oversimplification, but that's the basic process).
If we tried to route everything by MAC address, every machine on the network would have to maintain a list of every other participant, and it just wouldn't scale.
No. MAC addresses are specific to Ethernet, IP is independent of the underlying hardware. You can connect machines that don't use Ethernet to the Internet, if you have the required bridges.
MAC addresses are not unique. MAC addresses are reused between media. This is why wireless (802.11) and wired (802.3) may not both be present on one collision domain (see 802.1D).
MAC addresses are not clustered -- meaning that devices which are nearby in network space do not have nearby MAC addresses. IP addresses do have this property of locality. Do you intend to route packets by having a universal list of MAC addresses copied to every computer on the Internet, or do you intend to route packets to their destinations through a hierarchy of localities?
On a single collision domain, MAC addresses can be the primary addressing mode (q.v. arp and rarp). However, extension to multiple collision domains is ineffective for the above reasons.
A great professor of mine named George Varghese, now at UCSD, made the following apt analogy: You want to send someone a letter. The analogy of sending to a device anywhere in the USA based on its MAC address is like sending someone a letter knowing only their Social Security Number. It does uniquely identify someone (OK, yes, SSN isn't guaranteed unique, but suppose it was for the sake of example), but it would be very hard to find them without some giant table of where everyone lived that you could look up indexed by their SSN.
An IP address (and the similar Open Systems Interconnect, or OSI, network addresses) are more like USA phone numbers with area codes and exchange numbers: (AAA) BBB-CCCC, where AAA is an area code, BBB is an exchange number, and CCCC identifies an individual line at that exchange. There is hierarchical information encoded in that number, so that when you are far away from the destination, you only need a small table indexed by area code to determine a good "next hop" to forward the call to, rather than a table of all phone numbers in the country.
Ethernet is a Medium Access Layer protocol. It was designed specifically to connect computers on the same network. If you want to connect computers remotely located, you certainly need to jump to destination by hopping through several routers. IP (Internet Protocol) was designed with this goal in mind, hence the need for it, while Ethernet protocol does not support routing. Only some forms of primitive bridging that would not scale for something huge like the Internet.
they are used for different protocol layer.
MAC address is your device specific address. It has no relation with the geographical location, etc. you are in currently.
Ex: You can buy a cellphone/laptop in US and use it in Japan,
Australia, etc. But MAC address would remain the same. But IP address
would change with respect to the network you are connected to.
So it is difficult to route packet in an internetwork of portable devices especially.
How would it be:
Consider you have a portable network-accessing device with you on which you are using the internet. If we use only the MAC address, how would any incoming packet find the location of your portable-device. Since MAC address gives you only a fixed 48-bit device address. (The worst case scenario is using a desktop computer and having a MAC address without the IP facility. Coupling it with the static table to find your predefined location based on the MAC address, but our life is incomplete without these portable devices right?)
Thus we need some addressing scheme that can help us with addressing in a big and portable environment like internet, and thus the role of IP comes into picture, where address is hierarchal to provide a more geographically exact location.

How do I get a MAC address for a remote system when I only know it's IP address?

I'm working on a Wake on LAN service that will run from a web site and should interact with many different platforms - therefore, no Windows-only solutions. When a user registers their system with the web site, I need to get the MAC address to use in constructing the "magic" packet. I have a Java Applet that is able to do this for me and am aware of an ActiveX control that will work, but I'm wondering if there is a way to do this server-side by querying routers/switches. Since the system may be on any of a number of different physical subnets, using ARP won't work -- unless there's a way to configure the router(s) to perform the ARP on my behalf.
Anyone know of any network APIs, proprietary or otherwise, that can be used to look up MAC addresses given an IP address? I think we're using Cisco routers, but it's a complicated network and there may be multiple vendors involved at various levels. I'd like to get some background information on possible solutions before I go to make a sacrifice to the network gods. No point in abasing myself if it's not technically possible. :-)
EDIT: We do have the network infrastructure set up to allow directed broadcast, though figuring out the exact broadcast address since netmasks are not always /24 is another conundrum that I need to solve.
If you are on a local network that uses DHCP you might be able to look in the servers database to get the MAC of the last user with that address. In the future you could watch the network for ARP requests and cache the responses in some sort of table. You might also look at using RMON or SNMP to try and query the Address Tables on the switches and routers.
It should be noted that to use WoL across routers you either need to enable Directed Broadcasts or you need to have a relay server in the local segment.
Been a while since I played routers and swtiches but this might be a starting point for what to query using SNMP http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00801c9199.shtml
Use the following:
getmac /s destIp
To get the remote session Mac address.
I don't know if these might be helpful but take a look:
http://www.webdeveloper.com/forum/showthread.php?t=134120
http://www.qualitycodes.com/tutorial.php?articleid=19
You've said everything I can think of...
The source MAC address changes as a packet hops from device to device so unless the client is on the same subnet, the server won't be able to get the MAC address. (You would do it via ARP)
A signed java applet or activex control would be the easiest solution. It would be able to (almost passively) get all the networking info you need (IE doesn't even prompt to run a signed applet)
If you are fully aware of the network that is using the service then you could probably query a gateway's client-list via SNMP or CDP. You would be able to map out IP-Addresses to MAC addresses... but this is really vendor dependent (but common) and wouldn't be much better (imo) than having an applet.
Currently the application is using a Java 6 applet that allows me to extract both the hostname and the MAC address from the remote system. I don't like having this dependency on Java 6, but Snow Leopard and Windows both support it, so I can probably live with it.
On a related-front our networking folks approached me for some help with converting some existing code to ASP.NET. During the conversation I asked if they had live MAC address information (since they do port shutoffs based on suspicious network activity -- viruses/worms). Turns out they do and we may be able to leverage this project to get access to the information from the network database.
I don't think there is any way to accomplish this. When the IP packet goes via the first router the host's MAC information is lost (as you know MAC is only used in ethernet layer). If the router most close to your PC was capable of telling the remote MAC code to you, again it would only see the MAC of the next router between your PC and the "other end".
Start sacrificing.
There's no general way to do this in terms of the network unless you have no routers involved. With a router involved, you will never see the MAC address of the originating system.
This assumes that the originating system only ever has a single network interface, so has only a single MAC address.
In fact, are you even sure that your "magic packet" (whatever that is) will reach the system you want it to reach, through the routers? That sounds like a function the routers or other network infrastructure should be performing.
Mac address is only used on network segments, and is lost at each hop. Only IP is preserved for end-to-end - and even then the from ip address is rewritten when Natted. I guess my answer is, not possible unless everything is on the same network segment, or your routers are set up for proxy arp (which is not really realistic).
You can only get MAC entries in the ARP table for machines on the same network. If you connect to a machine via a router then you will only see the routers MAC address in the ARP table. So there is no way of knowing the foreign host’s MAC address unless it's a host on the same network (no routers involved).
And by the way there are many similar question already on SO.
if it's a windows system you can use NBTSTAT -A
this will return the netbios info and the IP is there
any Management system like SMS or Altiris will have this info
The DHCP server is a good idea
If it's local you can ping it and then quickly run ARP -a
look for the IP and the MAC will be there.
you might need to write a small batch file.
if you have access to the PC you can use WMI to access the info for the Nic with DHCP.
As said above we can get mac address from a known IP address if that host is in the same subnet. First ping that ip; then look at arp -a | grep and parse the string on nix* to get mac address.
We can issue system command from all programming languages standard API's and can parse the output to get mac address.Java api can ping an IP but I am not sure if we parse the ping output(some library can do it).
It would be better to avoid issuing system command and find an alternative solution as it is not really Platform Independent way of doing it.
Courtesy: Professor Saleem Bhatti

Resources