ARP (Address Resolution Protocol) explained

papurva92 · July 29, 2016, 5:09am

hi Rene,

can you upload a lesson about isis protocol .

thanks

adave1103 · August 22, 2016, 8:40pm

Lot of times when we ping , we see . !!!
i mean to say the first thing is a . (dot)
is it becoz of our host (router/PC/) trying to find the ARP ?

andrew · August 22, 2016, 11:59pm

Abhishek,
You are exactly right! Usually that first time out is the ARP delay.

shantel · December 20, 2016, 10:00pm

19 posts were merged into an existing topic: ARP (Address Resolution Protocol) explained

abcjacob · January 19, 2017, 8:55am

Rene,
Have a small question about the need for ARP or in otherwords, MAC address.

When the packet has already reached the target network, can’t the packet be sent to the recipient based on the unique host id(in that network) alone (the last 8 ip address bits in the case of a /24 network, for example) ? What is need for the concept of MAC address and hence ARP protocol ?

Thanks,
abc

ReneMolenaar · January 19, 2017, 12:25pm

Hi Abc,

Something to keep in mind is that IP is just the “envelope”, IP doesn’t describe anything at all about how to actually send an electric signal on the wire or anything like that. We need other protocols like that…on our LAN, we use Ethernet for this:

https://networklessons.com/cisco/ccna-routing-switching-icnd1-100-105/introduction-to-ethernet/

Ethernet describes what wires to use, how to send electrical signals etc. Also keep in mind that it doesn’t just carry IP traffic…it could be IPv6 or any other protocols, before IP, that could have been IPX for example.

Besides Ethernet, there’s also other protocols…on our WAN, you might use DSL for example. We use these networks to transport IP but we also don’t use Ethernet (nor MAC addresses) there.

Rene

abcjacob · January 19, 2017, 2:42pm

Ok. Thank you Rene.

Understand that ethernet takes care of the low level packet transfer functions for IP, by interfacing with electrical specifications . And this is needed because there is no other mechanism inbuilt in the electrical systems for packet transfer based on unique IP in the context of LAN networks.

Abc

ReneMolenaar · January 19, 2017, 3:08pm

That’s it yes…Ethernet is the mail delivery, postman, mailbox, trucks etc. IP is just the envelope that we try to transport

abcjacob · January 20, 2017, 3:17am

Guess its somewhat clear. Thanks a lot Rene.

ssodd · July 20, 2017, 1:33pm

I Just have one query. Here is my scenario:

MY PC - SWITCH - ROUTER - ROUTER - GOOGLE PAGE

I want to communicate with google. I have google’s ip address, and I need MAC address of google to continue the communication with it.

Initially, i send a broadcast ARP request for my router, and I get the MAC address of my router.
So I want to know the google server MAC address to communicate. Whenever I see Wireshark I just see my PC send ARP to router and router replies to it. Usually, the router will ARP next router, and the process goes and finds the MAC address of google and communication happens.

Please explain this process. I am not clear. In the Wireshark, i see only PC to ROUTER and ROUTER to PC. How my router sends arp request to other router and get it.

Thanks,
SAM

ReneMolenaar · July 21, 2017, 8:31am

Hi Sam,

First of all, your computer will never know the MAC address of any of Google’s servers. MAC addresses are only used on the local segment.

Here’s how it works:

Your PC wants to send something to one of Google’s servers, let’s assume the Google DNS at 8.8.8.8. Your computer is configured to use IP address 192.168.1.1 with default gateway 192.168.1.254.
Your PC figures that 8.8.8.8 is not in its own subnet, so it has to send something to the default gateway. It will look up the MAC address of 192.168.1.254 in its ARP table and if it’s not there, it sends an ARP request.
The IP packet makes it to your router, which does a lookup in its routing table to figure out where to forward packets for 8.8.8.8 to. Let’s say it has an entry for 8.8.8.0/24 with 192.168.12.2 as the next hop (that’s the second router). The router will do a lookup in its ARP table for the MAC address of 192.168.12.2. If it’s not there, it will do an ARP request, gets a reply and forwards the IP packet.
The second router now has the IP packet, let’s assume it is directly connected to the google DNS server. It does a lookup in its routing table, finds 8.8.8.8 as directly connected. The router does a lookup in its ARP table for 8.8.8.8, if it’s not there it does an ARP request…gets a reply and can then deliver it to the destination.

I hope this helps!

macandelop · September 9, 2017, 11:18am

Hello,

Level 3 router (SVI) in a VLAN keeps ARP entries for 4 hours. If I replace a host in this VLAN ( different MAC address due to different NIC) but I maintain the same IP, how does level 3 router (SVI) realizes that MAC address has changed for this IP address in its arp table?

Thanks a lot

lagapidis · September 12, 2017, 7:13am

Hello Juan

It is true that ARP entries by default are kept in the ARP table for four hours. As you mentioned very correctly, this can be a problem if you install a new PC with the same IP address. Other cases where this could be a problem is if a server has a backup NIC card and the first fails, the backup will have the same IP address but a different MAC address.

In order to solve these issues, we use something called a Gratuitous ARP.

Gratuitous ARP is a sort of “advance notification”, it updates the ARP cache of other systems before they ask for it (no ARP request) or to update outdated information. More information about Gratouitous ARP can be found at RFC 5227.

The gratuitous ARP packet has the following characteristics:

* Both source and destination IP in the packet are the IP of the host issuing the gratuitous ARP
* The destination MAC address is the broadcast MAC address (ff:ff:ff:ff:ff:ff)
* This means the packet will be flooded to all ports on a switch
* No reply is expected

Gratuitous ARP is used for some reasons:

* Update ARP tables after a MAC address for an IP changes (failover, new NIC, etc.)
* Update MAC address tables on L2 devices (switches) that a MAC address is now on a different port
* Send gratuitous ARP when interface goes up to notify other hosts about new MAC/IP bindings in advance so that they don’t have to use ARP requests to find out

I hope this has been helpful!

Laz

macandelop · September 13, 2017, 7:13pm

Thanks a lot for your great explanation, Lazaros.

Do you know if cisco switches have got the same default behavior with gratuitous arp packets? I means, I have just replaced a Cisco 2955 switch for a new Cisco 3850, and since then users complain about the refreshing arp time when changing damaged IP devices. I have found that in older Cisco2955 there is not any specific arp command, so I suppose that it must allow gratuitous arp packets as default, while in Cisco 3850 there is a global command “ip gratuitous arp non-local”

lagapidis · September 14, 2017, 11:26am

Hello Manuel

By default, Cisco devices do respond to gratuitous arp requests as long as they come from the local network. That is what theip gratuitous arp local command means. Here is some output from a production 3650 switch I have:

Alikarnassos3650_1(config)#exit
Alikarnassos3650_1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Alikarnassos3650_1(config)#ip arp ?
  gratuitous  Gratuitous ARP control
  incomplete  Fine-tune the ARP Retry parameters
  inspection  Arp Inspection configuration
  poll        IP ARP polling for unnumbered interfaces
  proxy       Global proxy ARP configuration
  track       ARP Track configuration

Alikarnassos3650_1(config)#ip arp grat
Alikarnassos3650_1(config)#ip arp gratuitous ?
  local  Accept only local (same subnet) gratuitous arps
  none   Reject all gratuitous arps

Alikarnassos3650_1(config)#ip arp gratuitous local

You can see that the ip arp gratuitous local command accepts and responds to locally generated (same subnet) gratuitous arps. By default however, responding to gratuitous arps from other subnets are disabled.

The ip gratuitous arp non-local that you mentioned has to do with if the switch itself will generate gratuitous arps. This doesn’t affect your specific problem.

You may also want to inspect several other avenues such as the show arp and show arp summary command to see how many arp table entries there are. If there is an extensive number, then maybe the memory allocated to the arp table is being exhausted. Additionally, you are able to adjust the arp timeout on an interface by interface basis using the arp timeout x interface command where x is in seconds. Don’t make it too short as this could result in an arp storm. You should be careful when adjusting such defaults.

I hope this has been helpful for you!

Laz

macandelop · September 19, 2017, 6:16am

Thanks Lazaros, your explanation has been very useful. Now is more clear for me.

Deep · October 27, 2017, 10:21pm

@ReneMolenaar @lagapidis @andrew What would be the impact on ARP if two devices (for simplification) are geographically apart? Would not the packet/frame create impact on this?

ReneMolenaar · October 28, 2017, 8:51am

ARP is used on LANs and only in a broadcast domain so it’s unlikely to see this happen unless you somehow tunnel L2 over a WAN link.

Also, ARP is a simple protocol. The last ARP reply you receive updates the ARP table, which can be misused:

tonipema · October 28, 2017, 5:18pm

Hi Rene,
figure this:

H1 ----- SW -----H2

when a host1 sends a ARP request to know the MAC address of host2 and this one reply, the switch fill in their MAC address table with the MAC of both hosts?

ReneMolenaar · November 1, 2017, 8:17am

Hi Antonio,

A switch learns MAC addresses by looking at the source MAC address of a frame. It will see the source MAC address of H1 in its ARP request and the source MAC address of H2 in the ARP reply.