ARP

how-arp-works-2

ARP (Address Resolution Protocol) is a Layer 2 Protocol. Layer 2 uses Physical addresses (MAC addresses) and Layer 3 uses Logical addresses (IP Addresses) for the communication. ARP Protocol is used to discover the MAC Address of a node associated with a given IPv4 Address. This important duty makes this protocol a key protocol for Ethernet based networks. ARP is used with IPv4 only. For IPv6, there is another protocol is used for similar role named IPv6 NDP.

 

Basically for the transfer of the IP packets in a network, beside the IP adddress, the destination hardware address (MAC Address) also must be known by the sender (Source). If the source do not know the destinatin MAC address, then it sends the packets to everyone in the network. In other words, it floods the traffic. This will cause an unnecessary traffic in the network.  But, if this destination MAC Address is known, then the source can send this packet directly to the destination. So, if the destination MAC Address is not known before the transmission, it must be learned. ARP does this role.

 


You can also check Dynamic ARP Inspection (DAI), a preventing method for malicious ARP Attacks. 


How does ARP Works?

We can explain ARP (Address Resolution Protocol) operation in three different case. These three different case also has its own ARP type. These cases and the ARP types are:

 

The first case, is the basic ARP Protocol operation in a single network, in one broadcast domain.

 

The second case, Proxy ARP, is the ARP operation between one more broadcast domains. Proxy ARP enables data link discovery between networks.

 

Lastly, Gratuitous ARP. We use Gratuitous ARP to check if any dublicate IP exist in the network.

 

Let’s explain these ARP cases.

 


ARP Protocol Packet

ARP Packet is consist of some main parts. Below you can find these parts.


arp-packet-format-ipcisco

 


 

ARP Protocol Operation

We can explain ARP Operation in some basic steps. Here, for the explanation of ARP Operation, we will use an example. Our example topology will be like below:


arp-operation-how-arp-works-1
 

Think about that, PC 1 wants to ping PC 5. Firstly, it checks its ARP Table (ARP Cache) and try to find PC 5 MAC Address there. At the beginning, the ARP Table (ARP Cache) of PC 1 is empty and it does not contain PC 5 ‘s MAC address. PC 1 only knows the IP address of PC 5.


arp-operation-how-arp-works-2-ipcisco
 

PC 1 sends an “ARP Request” Message to the network as broadcast. This ARP Request is sent to all the nodes in the network. The meaning of this ARP Request is:

 

“Which Host has IP Address 192.168.0.5?”

 

This ARP Request Message consist of source and destination IP, source MAC address and operation code “Request”. Destination MAC is written as 00:00:00:00:00:00:00 means it is requested.

 

In the Layer 2 header of this message, the destination MAC is FF:FF:FF:FF:FF:FF. This is the broadcast MAC address.


arp-operation-how-arp-works-3
 

PC 5 replies this ARP Request Message with an “ARP Reply” Message. PC 5 sends this ARP Reply Message directly to the PC 1 as unicast message. This ARP Reply Message means:

 

“I am 192.168.0.5 and this AA:BB:CC:55:55:55 is my MAC address.”

 

The ARP Reply is consist of Source and Destination MAC, Source and Destination IP and operation code, “Reply”.

 

When PC 1 receives ARP Reply Message, it record this MAC address to the ARP Table (ARP Cache). And whenever it needs to send a packet to PC 5, it uses this record. But here there is also a time limitation (ARP Timeout). ARP records stays in the ARP Cache till this ARP Timeout.

 

After this process, the Ping (ICMP Echo Request) is coming from PC 1 can directly go to the PC 5.

arp-operation-how-arp-works-4
And the Ping Reply (ICMP Echo Reply) come to back to the PC1 from PC5.


arp-operation-how-arp-works-5


 

What is “.!!!!” ?

When you ping from one node to another firstly, there are 5 pings is sent firstly. Everybody remember the conclusion of the ping as “.!!!!” . This means that, the first ping is failed. And the remaining are successful. The failure of the first packet is because ARP process. After that first packet, the pinging node learns the MAC address of the destination and the remainning ping packets become successfull.

 


 

How to Identify ARP Frames?

On an Ethernet LAN, we can identfy ARP frames with iss Ethertype value. As you can see above, Ethertype value of ARP frames is 0x0806. It is 2 bytes value after teh destination MAC and source MAC  part in an ethernet frame.

 


 

ARP Questions

Question 1: ARP Protocol is used to discover …. of a node associated with a given .

a) Port Number / IP Address

b) IP Address / Hostname

c) MAC Address / IP Address


Question 2: At which layer does Adress Resolution Protocol operate?

a) 1

b) 2

c) 3

d) 4

e) 7


Question 3: With IPv6, …. is used instead of ARP protocol used with IPv4.

a) Gratuitous ARP

b) RARP

c) IPv6 NDP

d) ARPv6

e) None of them


Question 4: Which ARP protocol type is used for dublicate IP Check?

a) Gratuitous ARP

b) Proxy ARP

c) ARP


Answers: 1)c   2)b   3)c   4)a

Lesson tags: arp
Back to: JNCIE > ARP and ICMP

Leave a Reply

Your email address will not be published. Required fields are marked *

JNCIE

Collapse
Expand
Latest Blog Posts