ARP (Address Resolution Protocol) explained

Hi Reze/Laz,

Is it true that Routers don’t broadcast or suppress any broadcast frames it recieves on an Interface, assuming we have two routers connected to each other w/192.168.1.0/24 subnet, initially the Mac address tables on R1 and R2 are empty. Now R1 tries sending an packet to R2 so it encapsulates ip packet inside an ethernet frame, since the sending router doesn’t know the Mac address it is expected to do an ARP, hence it sends an broadcast frame. Can you explain how this handled also can you explain what is gratuitous arp?

Thanks in advance.
Teja

Hello Teja

Routers that receive broadcast packets on one of their interfaces will process that packet, but will not broadcast it out of any other interfaces. Routers act as a border for a broadcast domain. You can find out more about this at the following lesson.

In the particular topology that you describe, R1 tries sending a packet to R2 and it has the destination IP but not the destination MAC. So it sends an ARP request. This request is indeed a broadcast, and it reaches R2, but it is not broadcast beyond that interface of R2. R2 responds, R1 receives the MAC address, continues the encapsulation, and places the frame on the wire.

The fact that R1 sends a broadcast is not in violation of its role as a border to a broadcast domain. Routers are able to generate broadcasts such as ARP requests, but they are generated only from one single interface, since each interface of a router corresponds to a different subnet, and thus a different broadcast domain.

(In your post, you mentioned MAC address table. I assume you meant ARP table, since MAC address tables only exist in switches).

Finally, gratuitous ARP is a special ARP reply that is not a response to an ARP request. A gratuitous ARP reply is an ARP reply without an ARP request so no reply is expected for a Gratuitous ARP. Gratuitous ARPs are broadcast frames that are bound within collision domains according to the same rules as all other broadcast frames/packets.

I hope this has been helpful!

Laz

1 Like

Hi Laz,

Thanks a lot.

Teja

1 Like

Hi Rene,

I was wondering why i dint find anything about GARP being explained anywhere when it comes to ARP. Isnt it the most essential part of ARP, could you please explain GARP in more detail or probably direct me towards the lesson where you have already explained about it.

Regards,
Harsha

Hi rene,

Now, the IP packet encapsulated to data link layer with source Mac address , source IP address and destination IP address so now it has to broadcast the Mac address to get the destination mac address through which layer the broadcast signal will be sent? Through physical layer?

Hello Harsha

True, Gratuitous ARP is not included within the content of the lessons. It is definately a vital part of what ARP is, but it is not central to the operation of ARP. Typically, gratuitous ARP is used:

  • when attempting to detect duplicate IPv4 addresses
  • when updating an ARP table after an IPv4 or MAC address change
  • in conjunction with FHRPs such as HSRP

You can find some information about it in a part of the following post. Note the first part of the post deals with something other than Gratuitous ARP, but the second part explains it in some detail.

If you would like to see more information or a lesson about Gratuitous ARP, feel free to submit your suggestion at the following Member Ideas link:

I hope this has been helpful!

Laz

Hello Rajaram

It is important to understand that the process of encapsulation of a particular packet, and the ARP request that is sent out are two different operations. A device will encapsulate data, and place a source and destination IP address in the IP header. As it encapsulates this into a frame, it will place the source MAC address (which it knows because it is the address of itself) and the destination MAC address. The destination is obtained either from the ARP table or using a new ARP request.

The encapsulation process is paused, and the device sends out an ARP request, as you correctly stated as a broadcast. This is done on the data-link layer. This means that the ARP request will have a source MAC (the device’s own MAC) and a broadcast destination MAC. This frame is then placed on the wire (the physical layer) just like any other frame that is ready to be sent. Receiving devices will respond, and once the MAC address has been obtained, the encapsulation process of the original packet is resumed, with the appropriate destination MAC, and the frame is then placed on the wire.

I hope this has been helpful!

Laz

Lazaros,

Thanks for this deep explanation

1 Like


Hello,
Nice explanation about GARP. I have one query in the topic, you mentioned the 4th characteristic of GARP packet that “No reply is expected” I am having a hard time understanding that particular point. Could you give a practical example/scenario or packet capture to support that characteristic? That would be a great help.

Actually, I captured a GARP reply packet while assigning the IP address to Cisco IOS for the very first time, I guess it happens to check whether our given IP is locally unique in our subnet or not? Right? Correct me if I’m wrong.

I have attached the packet capture here.

Thank you.

Hello Varun

In order to understand GARP and its place within the framework of networking, it’s important to understand the two procedures involved with ARP. When regular ARP is employed, there is an ARP request and an ARP reply. GARP is exactly the same thing as an ARP reply, there is absolutely no difference in the packet itself. There’s no field that says "this is a GARP packet and not an ARP reply packet.

What differentiates a GARP from a regular ARP reply is that an ARP reply has a corresponding ARP request. A GARP does not. A GARP is initiated by a host for the reasons stated in my previous post.

So if you see an ARP reply in a packet capture like the one above, you can’t actually tell if it is a simple ARP reply or a GARP. Wireshark labels it as Address Resolution Protocol (reply/gratuitous ARP) meaning it may be a reply or a GARP.

If you see a previous ARP request in the Wireshark packet capture that corresponds to this, then it is an ARP reply. If not, then it is a GARP.

An example of when GARP is used is when a backup NIC of a server becomes active with the same IP address as the primary NIC. The MAC address has changed, so a GARP is sent informing all of the devices on the segment that they must update their ARP tables. No initial ARP request was sent so such a message is indeed a GARP.

I hope this has been helpful!

Laz

When we will ping google at 8.8.8.8 how my laptop will get MAC address of google’s server in order to put in layer 2 header as a destination MAC address?

Hello ntlipcore

Remember that the IP address provides you with end-to-end connectivity, while the MAC address provides you with “next hop” connectivity. In other words, the destination IP address will remain the same for the whole journey of your ping echo request, but the destination MAC address will change for every hop.

Having this in mind, when you ping 8.8.8.8, this is the destination IP that is used in the IP header. However, the MAC address you need is that of the next-hop router, which in your case is your default gateway. Your PC will look in the ARP table to see if the configured gateway’s MAC address is there. If it is, it will use that MAC address. If it is not, it will send an ARP request for the MAC address of your gateway.

This process is repeated by every router along the path. Your default gateway will receive the packet, decapsulate it to layer 3, read the destination IP address, determine the next-hop IP address, and will then request the MAC address of the next hop address. Each router will do the same until the last router, which is directly connected to the network of 8.8.8.8 requests the MAC address corresponding to this IP address. Only then will the MAC address of Google’s DNS server be inserted in the destination MAC address field.

I hope this has been helpful!

Laz

1 Like

does by default gratuitous arp is enabled in cisco devices ??
i means to say that , i have a network …A L3 switch is connected to the 2 computer and the gateway of the 2 computer is the SVI of that switch , lets say the host 1 has 2 lan port and host-1 primary port fails , so once the host-1 primary port fails the secondary port will activate , in that case who will send the gratuitous ARP reply within that broadcast domain , the switch or the host-1 ?? …if the Host-1 will sent it then Host-2 will update his ARP cache ?

Hello Narad

In the scenario that you describe in your post, the gratuitous ARP would be sent by the secondary port of host 1 that has just been enabled. All devices (including host 2) that recieve the gratuitous ARP will update their ARP caches. You can find more information about this process at the following post:

I hope this has been helpful!

Laz

Laz,
I great explanation. I had the same question as Willy. Thanks a lot.

Mike

1 Like

Hi, I just need some clarification on my question please.

I understand that ARP request is a L2 protocol and it’s used to get the destination MAC address of the next hop/device IP address within the LAN. My question is if ARP in not used in for example three router are located around the globe and they are NOT connected directly, then what would be the alternative protocol to be used here in this case if ARP request is not use? Thanks!

Hello Eyad

When you have communication between hosts that are not directly connected, you must go through several “hops” from network to network to get there. That’s where IP routing comes in. IP routing, which operates at Layer 3 of the OSI model, allows for end-to-end communication and enables a packet to find its way to the destination based on the destination IP address.

However, ARP is still used in this process. Routing involves finding the very next hop to which the packet should be sent to get to its destination. Once a router determines the next hop IP from its routing table, it needs to encapsulate that IP packet into an Ethernet frame. What destination MAC address will it put there? The MAC address that corresponds to the next-hop IP. If it doesn’t know it already from its ARP table, it will send out an ARP request for that information.

So on a hop by hop basis, ARP is still used. That’s the great thing about the OSI layered model, ARP operates at Layer 2 on a hop by hop basis, while IP works at Layer 3 dealing with end to end communication.

Take a look at this post as well, as it may add some helpful information:

I hope this has been helpful!

Laz

1 Like

Excellent. I got now. Thanks for your help!

1 Like

Hi Rene
Can you pls explain how switch learn mac address with the below topo ? If u can give mac address table info along with the interfaces info , it would be great. Pls explain beginning with ARP

Host A - Switch 1 - Switch 2 - Host B

Also in the video u had explained that the switch learnt mac address of Host A and the flood since it is does not know where mac address of B is . But my question , when Host A does not know mac of Host B , it send ARP and when ARP reply comes, switch learns both mac address of A and B. Is that correct.
Also in the video u had explained that the switch learnt mac address of Host A and the flood since it is does not know where mac address of B is . But my question , when Host A does not know mac of Host B , it send ARP and when ARP reply comes, switch learns both mac address of A and B. Is that correct.

Hello Ananth

In a topology like the one you show in your post, MAC address learning on all of the ports for SW1 and SW2 will be the same. A switch will always populate its MAC address table with the source MAC addresses arriving on specific ports. This is also done on the ports connecting the two switches. And it is also important to note that this is done regardless of the port type. If SW1 and SW2 are connected via a trunk, MAC address learning will still occur on those ports.

So in essence, the MAC address table entries for the port on SW2 where SW1 connects, should have multiple MAC addresses, including all of the hosts connected to SW1.

Now concerning ARP, you are correct. ARP responses are unicast responses that contain the source MAC address of the responding host. That means that the switch will indeed learn about that MAC address and populate the MAC address table accordingly. So after an ARP exchange, a switch will know the MAC addresses of both hosts.

However, the lesson was written in this way to emphasize that these are two separate processes, independent from each other, but related. This is the reason why Rene emphasized that when a switch doesn’t have a particular MAC address in the MAC address table, any frame destined for that MAC address will be initially flooded.

Keep in mind that there are many cases where ARP is not sufficient to keep that MAC address table up to date. For example, a MAC table entry expires, by default, after 300 seconds (5 minutes). An ARP entry in a host expires after four hours, again by default. This means that hosts may send traffic to destination MAC addresses that have expired without needing to send an ARP request. In this case, the flooding of such frames is a necessary part of the process of communication.

I hope this has been helpful!

Laz