Featured image

Table of Contents Link to heading

Address Resolution Protocol (ARP) Link to heading

Info
ARP is used to translate 48-bit MAC addresses into 32-bit IPv4 addresses in IPv4 LANs.

Being ARP enabled, a host or router can dynamically learn the MAC address of another IP host or router on the same LAN.

Resolving IPv4 Addresses to MAC Addresses Link to heading

In a transmitting device, when an IPv4 packet is sent to L2 to be encapsulated into a frame, the device must identify the destination MAC address that is mapped to the destination IPv4 address.

To find this MAC address, the node refers to a table in its RAM memory called the ARP table or the ARP cache. Each entry, or row, of the ARP table has a pair of values: an IPv4 address and a MAC address. The ARP table caches the mapping for the devices on the local network.

Tip
To see the contents of the ARP cache on most PC operating systems, use the arp -a command from a command prompt.

To begin the process, a transmitting node attempts to locate in the ARP table the MAC address mapped to an IPv4 destination. If this map is cached in the table, the node uses the MAC address as the destination MAC in the frame that encapsulates the IPv4 packet. The frame is then encoded onto the networking media.

ARP Request Link to heading

Info

A broadcast message sent when a device needs a MAC address associated with an IPv4 address which it does not have an entry in its ARP table.

It is simply a request that reads: “if this is your IP address, please reply with your MAC address”.

The ARP request message includes:

  1. Target IPv4 address โ€“ The IPv4 address that requires a corresponding MAC address.
  2. Target MAC address - The unknown MAC address and will be empty in the ARP request message.

The ARP request is encapsulated in an Ethernet frame using the following header information:

  1. Destination MAC address โ€“ A broadcast address requiring all Ethernet NICs on the LAN to accept and process the ARP request (FF:FF:FF:FF:FF:FF).
  2. Source MAC address โ€“ The sender of the ARP request’s MAC address.
  3. Type - ARP messages have a type field of 0x806. This informs the receiving NIC that the data portion of the frame needs to be passed to the ARP process.

Since ARP requests are broadcasts, they are flooded out all ports by the switch except the receiving port. Every local Ethernet NIC must process the ARP request to see if the target IPv4 address matches its own. A router will not forward broadcasts out other interfaces.

Only one device on the LAN will have an IPv4 address that matches the target IP address in the ARP request. All other devices will not reply.

Scenario - Static IP Addressing Link to heading

When a local device (e.g. a PC) is statically assigned IP address (e.g. 192.168.1.10), in case that it does not have an entry for this IP address in the ARP table, it will broadcast an ARP request to determine if this address is available.

If there is no reply, the PC is successfully assigned “192.168.1.10”; otherwise, it will detect “an IP address confict” error.

ARP Reply Link to heading

Info
A unicast message sent by only the device with an IPv4 address associated with the target IPv4 address in the ARP request.

The ARP reply message includes:

  1. Sender’s IPv4 address - The IPv4 address of the device whose MAC address was requested by the sender of the ARP request.
  2. Sender’s MAC address - The MAC address of the device whose IP address matches that of the sender of the ARP request.

The ARP reply is encapsulated in an Ethernet frame using the following header information:

  1. Destination MAC address - The MAC address of the sender of the ARP request.
  2. Source MAC address - The MAC address of the sender of the ARP reply .
  3. Type - ARP messages have a type field of 0x806. This informs the receiving NIC that the data portion of the frame needs to be passed to the ARP process.

Only the device that originally sent the ARP request will receive the unicast ARP reply. Once the ARP reply is received, the device will cache the mapping of IPv4 address and the corresponding MAC address in its ARP table. Packets destined for that IPv4 address can now be encapsulated in frames using its corresponding MAC address.

ARP Messages

Image Source: Network Academy.

Maintaining a Cache of Mappings Link to heading

Populating to the ARP Table Link to heading

Dynamic Entries Link to heading

Info
Dynamic entries are removed from the ARP table if a device does not receive a frame from a particular device within the timestamp (default, 300 seconds).

As a node receives frames from the media, it can record the source IPv4 and MAC address from the frame’s header as a mapping in the ARP table. As frames are transmitted on the network, the devices dynamically populates their ARP table with address pairs.

Entries learnt through the ARP request-reply processes are also dynamic entries.

Static Entries Link to heading

Info
Manually added to and removed from the ARP table; they do not expire over time.
Note

To add a static ARP entry:

Host(config)# arp ip_# mac _#

To remove a static ARP entry:

Host(config)# no arp ip_# mac _#

Getting the Map for a Frame Link to heading

When ARP receives a request to map an IPv4 address to a MAC address, it looks for the cached map in its ARP table. If an entry is not found, the encapsulation of the IPv4 packet fails and the L2 processes notify ARP that they need a map.

The ARP processes then broadcast an ARP request in order to create a new map. If no device responds to the ARP request, the packet is dropped because a frame cannot be created. This encapsulation failure is reported to the upper layers of the device. If the device is an intermediary device, like a router, the upper layers can choose to respond to the source host with an error in an ICMPv4 packet.

Mapping Destinations Link to heading

Within the Local Network Link to heading

Info
If the destination IPv4 host is on the local network, the frame will use the MAC address of this device as the destination MAC address.

Outside of the Local Network Link to heading

Info
If the destination IPv4 host is on a remote network, the frame will use the MAC address of the router interface that is the gateway or next hop used to reach that destination.

In the event that the gateway entry is not in the table, the normal ARP process will send an ARP request to retrieve the MAC address associated with the IPv4 address of the router interface.

Proxy ARP Link to heading
Info
Used in circumstances under which a host might send an ARP request seeking to map an IPv4 address outside of the range of the local network.

In these cases, the device sends ARP requests for IPv4 addresses that are not on the local network instead of requesting the MAC address associated with the IPv4 address of the gateway.

To provide a MAC address for these hosts, a router interface can use a proxy ARP to respond on behalf of these remote hosts. This means that the ARP cache of the requesting device will contain the MAC address of the gateway mapped to any IPv4 addresses not on the local network.

Using proxy ARP, a router interface acts as if it is the host with the IPv4 address requested by the ARP request. By “faking” its identity, the router accepts responsibility for routing packets to the “real” destination.

If proxy ARP is disabled on the router interface, these hosts cannot communicate outside of the local network. However, by default, Cisco routers have proxy ARP enabled on LAN interfaces.

Use Cases of Proxy ARP Link to heading
  1. When an older implementation of IPv4 cannot determine whether the destination host is on the same logical network as the source. In these implementations, ARP always sends ARP requests for the destination IPv4 address.
  2. When a host believes that it is directly connected to the same logical network as the destination host. This generally occurs when a host is configured with an improper mask.
  3. When a host is not configured with a default gateway. Proxy ARP can help devices on a network reach remote subnets without the need to configure routing or a default gateway.

Removing Entries from the ARP Table Link to heading

Each device uses ARP cache timers to remove ARP entries that have not been used for a specified period of time. The times differ depending on the device and its operating system. For example, some Windows operating systems store ARP cache entries for 2 minutes. If the entry is used again during that time, the ARP timer for that entry is extended to 10 minutes.

Commands can also be used to manually remove all or some of the entries in the ARP table. After an entry has been removed, the process for sending an ARP request and receiving an ARP reply must occur again to enter the map in the ARP table.

Displaying ARP Tables Link to heading

DeviceCommand
Cisco routershow [ip] arp
Windows PCarp โ€“a

ARP Issues Link to heading

Overhead on the Media Link to heading

Info
An ARP request is received and processed by every device on the local network.

On a typical business network, these broadcasts would probably have minimal impact on network performance. However, if a large number of devices were to be powered up and all start accessing network services at the same time, there could be some reduction in performance for a short period of time.

For example, if all students in a lab logged in to classroom computers and attempted to access the Internet at the same time, there could be delays. However, after the devices send out the initial ARP broadcasts and have learnt the necessary MAC addresses, any impact on the network will be minimised.

ARP Spoofing/Poisoning Link to heading

Info
A technique used by an attacker to inject the wrong MAC address association into a network by issuing fake ARP requests.

An attacker forges the MAC address of a device, and then frames can be sent to the wrong destination.

Manually configuring static ARP associations is one way to prevent ARP spoofing. Authorised MAC addresses can be configured on some network devices to restrict network access to only those devices listed.

Reverse Address Resolution Protocol (RARP) Link to heading

Info
As the name suggest, RARP resolves MAC addresses to IP addresses.

Devices using RARP require that a RARP server be present on the network to response to RARP requests.

Consider an example in which a source device wants to send data to another device. The source knows the destination’s MAC address but is unable to locate its IP address in the ARP table. Therefore, the source initiates a process called a RARP request, which helps it detect its own IP address. The device builds a RARP request packet, and sends it out on the network. To ensure that all devices see the RARP request on the network, the device uses a broadcast MAC address.

Tip
RARP is an older protocol that has been largely replaced by Bootstrap Protocol (BOOTP) and Dynamic Host Configuration Protocol (DHCP). These protocols can also provide other configuration information to the devices, such as subnet mask, default gateway, and DNS server.

Neighbour Discovery Protocol (NDP) Link to heading

Info
NDP is used to translate 128-bit IPv6 addresses into 48-bit MAC addresses in IPv6 LANs.