ARP Mapping: in A Frame With The MAC Address of The Local Host, or Next-Hop Router


Layer 2 addresses are used for local transmissions between devices that are directly connected. Layer 3 addresses are used for indirectly connected devices in an internetwork environment.

In order for devices to be able to communicate with each other when they are not part of the same network, the 48-bit MAC address must be mapped to an IP address. Some of the Layer 3 protocols used to perform the mapping are:
• Address Resolution Protocol (ARP)
• Reverse ARP (RARP)
• Serial Line ARP (SLARP)
• Inverse ARP

ARP Mapping
Even though IP packets are addressed using IP addresses, hardware addresses must be used to actually transport data from one host to another. The Address Resolution Protocol is used to map an OSI Layer 3 IP address to an OSI Layer 2 MAC address. A router has a table of currently used ARP entries. Normally the table is built dynamically, but to increase network security it can be built statically by adding static entries.
Address Resolution Protocol (ARP) is a network layer protocol used in IP to convert
IP addresses into MAC addresses. A network device looking to learn a MAC
address broadcasts an ARP request onto the network. The host on the network that
has the IP address in the request replies with its MAC (hardware) address. This is
called ARP mapping, the mapping of a Layer 3 (network) address to a Layer 2 (data link) address.
The network layer address structure in IP does not provide for a simple mapping to data-link addresses: IP addresses use 32 bits, and data-link addresses use 48 bits. It is not possible to determine the 48-bit data-link address for a host
from the host portion of the IP address. For packets destined for a host not on a
locally attached network, the router performs a lookup for the next-hop router’s
MAC address. For packets destined for hosts on a locally attached network, the
router performs a second lookup operation to find the destination address to use in
the data-link header of the forwarded packet’s frame, as illustrated in Figure 6-18.
After determining for which directly attached network the packet is destined, the
router looks up the destination MAC address in its ARP cache. Recall that ARP
enables the router to determine the corresponding MAC address when it knows
the network (IP) address. The router then forwards the packet across the local network
in a frame with the MAC address of the local host, or next-hop router.
The result of this final lookup falls into one of the three following categories:
■ The packet is destined for the router itself—The IP destination address
(network and station portion combined) corresponds to one of the IP addresses
of the router. In this case, the packet must be passed to the appropriate
higher-layer entity within the router and not forwarded to any external port.
■ The packet is destined for a known host on the directly attached network—
This is the most common situation encountered by a network router.
The router determines the mapping from the ARP table and forwards the
packet out the appropriate interface port to the local network.
■ The ARP mapping for the specified host is unknown—The router initiates
a discovery procedure by sending an ARP request determining the mapping
of network to hardware address. Because this discovery procedure takes
time, albeit measured in milliseconds, the router might drop the packet that
resulted in the discovery procedure in the first place. Under steady-state conditions,
the router already has ARP mappings available for all communicating
hosts. The address discovery procedure is necessary when a previously
unheard-from host establishes a new communication session.

II. ARP OPERATIONS


ARP operates by sending out “ARP request” packets. An ARP request asks the question “Is your IP address x.x.x.x?
If so, send your MAC back to me.” These packets are broadcast to all computers on the LAN, even on a switched
network. Each

III. VULNERABILITIES OF THE ADDRESS RESOLUTION PROTOCOL


The Address Resolution Protocol (ARP) [4] is a widely used protocol for resolving network layer addresses into link layer addresses. When an Internet Protocol (IP) datagram is sent from one host to another on a local area network, the destination IP address must be converted into a MAC address for transmission via the data link layer. When another host's IP address is known and its MAC address is needed, a broadcast packet is sent out on the local network. This packet is known as an ARP request (Fig. 2). The destination machine with the IP in the ARP request then responds with an ARP reply (Fig. 2), which contains the MAC address for that IP.
ARP is a stateless protocol. Network hosts will automatically cache any ARP replies they receive, regardless of
whether or not they requested them. Even ARP entries which have not yet expired will be overwritten when a new
ARP reply packet is received. There is no method in the ARP protocol by which a host can authenticate the peer
from which the packet originated. This behavior is the vulnerability which allows ARP spoofing to occur.

Fig. 2: ARP request and response
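The statelessness described above is what a defender can check for: a host or sensor that remembers which requests are outstanding and which IP-to-MAC bindings it has already seen can report a reply nobody asked for, a binding that suddenly changes, or a gratuitous announcement (sender IP equal to target IP, opcode 2), rather than silently overwriting its cache. The monitor below is an added example, not code from the original page; it works on already-decoded ARP fields (op, sha, spa, tha, tpa), and the trace it runs over is constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class ArpMonitor:
    """Passive checks over decoded ARP messages (added example).

    Each record is a dict with the ARP fields op, sha, spa, tha, tpa
    (opcode 1 = request, 2 = reply). Outstanding requests and learned
    bindings are tracked per IP so that a reply nobody asked for, or a
    reply that changes a known binding, is reported instead of being
    accepted unconditionally the way a plain ARP cache would.
    """
    pending: set = field(default_factory=set)     # (requester IP, target IP)
    bindings: dict = field(default_factory=dict)  # IP -> MAC seen so far
    alerts: list = field(default_factory=list)    # (tag, IP, MAC) history

    def observe(self, rec: dict) -> list:
        """Process one ARP message and return the alert tags it raised."""
        raised = []
        if rec["op"] == 1:
            # Remember who asked for what, so a later reply can be matched.
            self.pending.add((rec["spa"], rec["tpa"]))
            raised += self._learn(rec["spa"], rec["sha"])
        elif rec["op"] == 2:
            if rec["spa"] == rec["tpa"]:
                # Gratuitous ARP: the sender announces its own binding.
                raised.append("gratuitous")
            elif (rec["tpa"], rec["spa"]) in self.pending:
                # Solicited reply: the target had asked for this sender.
                self.pending.discard((rec["tpa"], rec["spa"]))
            else:
                # No request from this target for this sender was seen.
                raised.append("unsolicited-reply")
            raised += self._learn(rec["spa"], rec["sha"])
        for tag in raised:
            self.alerts.append((tag, rec["spa"], rec["sha"]))
        return raised

    def _learn(self, ip: str, mac: str) -> list:
        """Update the binding table; flag a change to a known IP's MAC."""
        known = self.bindings.get(ip)
        self.bindings[ip] = mac
        if known is not None and known != mac:
            return ["binding-changed"]
        return []


# Constructed sample trace (not captured from a real network).
SAMPLE_TRACE = [
    {"op": 1, "sha": "aa:bb:cc:00:00:01", "spa": "10.0.0.1",
     "tha": "00:00:00:00:00:00", "tpa": "10.0.0.2"},
    {"op": 2, "sha": "aa:bb:cc:00:00:02", "spa": "10.0.0.2",
     "tha": "aa:bb:cc:00:00:01", "tpa": "10.0.0.1"},
    # Same IP now claimed by a different MAC, with no request outstanding.
    {"op": 2, "sha": "aa:bb:cc:00:00:99", "spa": "10.0.0.2",
     "tha": "aa:bb:cc:00:00:01", "tpa": "10.0.0.1"},
    # A host announcing itself at boot (gratuitous ARP).
    {"op": 2, "sha": "aa:bb:cc:00:00:05", "spa": "10.0.0.5",
     "tha": "ff:ff:ff:ff:ff:ff", "tpa": "10.0.0.5"},
]


def run_sample() -> list:
    """Run the monitor over the constructed trace; one alert list per record."""
    mon = ArpMonitor()
    return [mon.observe(rec) for rec in SAMPLE_TRACE]


if __name__ == "__main__":
    for rec, tags in zip(SAMPLE_TRACE, run_sample()):
        print(rec["op"], rec["spa"], rec["sha"], tags or "ok")
```

The third record is the one that matters: a plain cache would overwrite the 10.0.0.2 entry on receipt, whereas the monitor reports both that the reply was unsolicited and that the binding changed. A gratuitous announcement is legitimate at IP stack initialization, so it is tagged for review rather than treated as an error.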

ARP Processing
• ARP responses are cached.
• An entry is replaced when:
  ◦ the cache table fills up (oldest removed)
  ◦ after some time, e.g., 20 minutes
• The sender’s address binding is stored in the cache of the target.

Reverse ARP (RARP)
• What is the IP address of a given hardware address?
• Used by diskless systems to find their own IP address.
• Needs a RARP server to respond.

Inverse ARP
• Used on point-to-point links
• Finds the IP address of the host on the other end
• Used in Frame Relay and ATM

Proxy ARP: A router may act as a proxy for many IP addresses.
The Address Resolution Protocol (ARP) feature performs a required function in IP routing. ARP finds the
hardware address, also known as Media Access Control (MAC) address, of a host from its known IP
address. ARP maintains a cache (table) in which MAC addresses are mapped to IP addresses. ARP is part
of all Cisco systems that run IP.
This feature module explains ARP for IP routing and the optional ARP features you can configure, such as
static ARP entries, timeout for dynamic ARP entries, clearing the cache, and proxy ARP.

Overview of the Address Resolution Protocol


The Address Resolution Protocol (ARP) was developed to enable communications on an internetwork and
is defined by RFC 826. Layer 3 devices need ARP to map IP network addresses to MAC hardware
addresses so that IP packets can be sent across networks. Before a device sends a datagram to another
device, it looks in its ARP cache to see if there is a MAC address and corresponding IP address for the
destination device. If there is no entry, the source device sends a broadcast message to every device on the
network. Each device compares the IP address to its own. Only the device with the matching IP address
replies to the sending device with a packet containing the MAC address for the device (except in the case of
“proxy ARP”). The source device adds the destination device MAC address to its ARP table for future
reference, creates a data-link header and trailer that encapsulates the packet, and proceeds to transfer the
data.

When the destination device lies on a remote network, one beyond another Layer 3 device, the process is
the same except that the sending device sends an ARP request for the MAC address of the default gateway.
After the address is resolved and the default gateway receives the packet, the default gateway broadcasts
the destination IP address over the networks connected to it. The Layer 3 device on the destination device
network uses ARP to obtain the MAC address of the destination device and delivers the packet.

The ARP request message has the following fields:


• HLN—Hardware address length. Specifies how long the hardware addresses are in the message. For
IEEE 802 MAC addresses (Ethernet) the value is 6.
• PLN—Protocol address length. Specifies how long the protocol (Layer 3) addresses are in the
message. For IPv4, the value is 4.
• OP—Opcode. Specifies the nature of the message by code:
◦ 1—ARP request.
◦ 2—ARP reply.
◦ 3 through 9—RARP and Inverse ARP requests and replies.
• SHA—Sender hardware address. Specifies the Layer 2 hardware address of the device sending the
message.
• SPA—Sender protocol address. Specifies the IP address of the sending device.
• THA—Target hardware address. Specifies the Layer 2 hardware address of the receiving device.
• TPA—Target protocol address. Specifies the IP address of the receiving device.
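To make the field layout concrete, here is an added example (not code from the original page) that builds and parses Ethernet/IPv4 ARP messages with exactly these fields. The two fields that precede HLN in RFC 826, the hardware type (1 for Ethernet) and protocol type (0x0800 for IPv4), are not in the list above and are taken from the RFC; the addresses used in the sample are constructed.

```python
import struct

# Header values from RFC 826 (the type fields precede HLN in the message).
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
OP_REQUEST = 1
OP_REPLY = 2
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or Cisco aabb.ccdd.eeff."""
    return bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build a 28-byte ARP message: HTYPE, PTYPE, HLN=6, PLN=4, OP, then
    SHA, SPA, THA, TPA in that order."""
    header = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
    return (header + mac_to_bytes(sha) + ip_to_bytes(spa)
            + mac_to_bytes(tha) + ip_to_bytes(tpa))


def build_request(sha: str, spa: str, tpa: str) -> bytes:
    # A request leaves THA all zeros: that is the value being asked for.
    return build_arp(OP_REQUEST, sha, spa, ZERO_MAC, tpa)


def build_reply(sha: str, spa: str, tha: str, tpa: str) -> bytes:
    return build_arp(OP_REPLY, sha, spa, tha, tpa)


def parse_arp(data: bytes) -> dict:
    """Decode an Ethernet/IPv4 ARP message; raise ValueError on bad input."""
    if len(data) < 8:
        raise ValueError("ARP header truncated")
    htype, ptype, hln, pln, op = struct.unpack("!HHBBH", data[:8])
    if htype != HTYPE_ETHERNET or ptype != PTYPE_IPV4 or hln != 6 or pln != 4:
        raise ValueError("not an Ethernet/IPv4 ARP message")
    if len(data) < 8 + 2 * (hln + pln):
        raise ValueError("ARP body truncated")
    off = 8
    sha = bytes_to_mac(data[off:off + hln]); off += hln
    spa = bytes_to_ip(data[off:off + pln]); off += pln
    tha = bytes_to_mac(data[off:off + hln]); off += hln
    tpa = bytes_to_ip(data[off:off + pln])
    return {"op": op, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


if __name__ == "__main__":
    # Constructed addresses, not from any real network.
    req = build_request("aa:bb:cc:00:00:01", "10.0.0.1", "10.0.0.2")
    print(len(req), req.hex())
    print(parse_arp(req))
```

A receiver that validates the length and the HLN/PLN values before indexing into the body, as `parse_arp` does, avoids reading past the end of a short frame; the opcode is returned untouched so that a caller can handle the RARP and Inverse ARP codes 3 through 9 mentioned above.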

ARP Caching
Because the mapping of IP addresses to media access control (MAC) addresses occurs at each hop (Layer 3
device) on the network for every datagram sent over an internetwork, performance of the network could be
compromised. To minimize broadcasts and limit wasteful use of network resources, Address Resolution
Protocol (ARP) caching was implemented.
ARP caching is the method of storing network addresses and the associated data-link addresses in memory
for a period of time as the addresses are learned. This minimizes the use of valuable network resources to
broadcast for the same address each time a datagram is sent. The cache entries must be maintained because
the information could become outdated, so it is critical that the cache entries are set to expire periodically.
Every device on a network updates its tables as addresses are broadcast.
There are static ARP cache entries and dynamic ARP cache entries. Static entries are manually configured
and kept in the cache table on a permanent basis. Static entries are best for devices that have to
communicate with other devices usually in the same network on a regular basis. Dynamic entries are added
by Cisco software, kept for a period of time, and then removed.
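The distinction between static and dynamic entries is easy to get wrong in an implementation, so here is an added example (not code from the original page or from Cisco) of a small cache that models the behaviour described above: dynamic entries age out after a timeout (the 20-minute figure used elsewhere on this page is the default here) and are evicted oldest-first when the table is full, while static entries never expire and are not overwritten by a learned binding. Method names and the capacity parameter are this example's own.

```python
import time


class ArpCache:
    """IP-to-MAC cache with static and dynamic entries (added example).

    Dynamic entries expire `timeout` seconds after they were learned and
    the oldest dynamic entry is evicted when the table is full. Static
    entries never expire and a learned binding cannot replace them, which
    is what makes a static entry a security control rather than a hint.
    """

    def __init__(self, timeout: float = 20 * 60, capacity: int = 64):
        self.timeout = timeout
        self.capacity = capacity          # limit on dynamic entries
        self._entries = {}                # ip -> (mac, learned_at, is_static)

    def add_static(self, ip: str, mac: str) -> None:
        """Install a permanent entry (the configured 'arp' case)."""
        self._entries[ip] = (mac, None, True)

    def remove_static(self, ip: str) -> bool:
        """Remove a configured entry (the 'no arp' case)."""
        ent = self._entries.get(ip)
        if ent is not None and ent[2]:
            del self._entries[ip]
            return True
        return False

    def learn(self, ip: str, mac: str, now=None) -> bool:
        """Record a dynamically learned binding; False if a static entry wins."""
        now = time.time() if now is None else now
        ent = self._entries.get(ip)
        if ent is not None and ent[2]:
            return False
        self._expire(now)
        if ip not in self._entries and self._dynamic_count() >= self.capacity:
            oldest = min((k for k, v in self._entries.items() if not v[2]),
                         key=lambda k: self._entries[k][1])
            del self._entries[oldest]
        self._entries[ip] = (mac, now, False)
        return True

    def lookup(self, ip: str, now=None):
        """Return the MAC for ip, or None if unknown or expired."""
        now = time.time() if now is None else now
        self._expire(now)
        ent = self._entries.get(ip)
        return ent[0] if ent is not None else None

    def clear_dynamic(self) -> int:
        """Drop all learned entries, keeping static ones; returns count dropped."""
        dynamic = [k for k, v in self._entries.items() if not v[2]]
        for k in dynamic:
            del self._entries[k]
        return len(dynamic)

    def _dynamic_count(self) -> int:
        return sum(1 for v in self._entries.values() if not v[2])

    def _expire(self, now: float) -> None:
        stale = [k for k, (_, learned_at, is_static) in self._entries.items()
                 if not is_static and now - learned_at > self.timeout]
        for k in stale:
            del self._entries[k]


if __name__ == "__main__":
    # Constructed addresses for illustration only.
    cache = ArpCache(timeout=1200, capacity=2)
    cache.add_static("10.0.0.1", "aa:bb:cc:00:00:01")
    print(cache.learn("10.0.0.1", "aa:bb:cc:00:00:ff", now=0))   # False
    print(cache.learn("10.0.0.2", "aa:bb:cc:00:00:02", now=0))   # True
    print(cache.lookup("10.0.0.2", now=1300))                    # None
```

Time is passed in explicitly so the expiry behaviour can be exercised deterministically; in a real stack `now` would simply default to the clock.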
Static and Dynamic Entries in the ARP Cache
Static routing requires an administrator to manually enter into a table IP addresses, subnet masks, gateways,
and corresponding Media Access Control (MAC) addresses for each interface of each device. Static routing
enables more control but requires more work to maintain the table. The table must be updated each time
routes are added or changed.
Dynamic routing uses protocols that enable the devices in a network to exchange routing table information
with each other. The table is built and changed automatically. No administrative tasks are needed unless a
time limit is added, so dynamic routing is more efficient than static routing. The default time limit is 4
hours. If the network has many routes that are added and deleted from the cache, the time limit should be
adjusted.
The routing protocols that dynamic routing uses to learn routes, such as distance-vector and link-state routing protocols, are beyond the scope of this document.
Devices That Do Not Use ARP
When a network is divided into two segments, a bridge joins the segments and filters traffic to each
segment based on Media Access Control (MAC) addresses. The bridge builds its own address table, which
uses MAC addresses only, as opposed to a router, which has an Address Resolution Protocol (ARP) cache
that contains both IP addresses and the corresponding MAC addresses.
Passive hubs are central-connection devices that physically connect other devices in a network. They send
messages out all ports to the devices and operate at Layer 1, but they do not maintain an address table.
Layer 2 switches determine which port is connected to a device to which the message is addressed and send
the message only to that port, unlike a hub, which sends the message out all its ports. However, Layer 3
switches are routers that build an ARP cache (table).
Reverse ARP
Reverse ARP (RARP) as defined by RFC 903 works the same way as the Address Resolution Protocol
(ARP), except that the RARP request packet requests an IP address instead of a media access control
(MAC) address. RARP often is used by diskless workstations because this type of device has no way to
store IP addresses to use when they boot. The only address that is known is the MAC address because it is
burned in to the hardware.
RARP requires a RARP server on the same network segment as the device interface.

Because of the limitations with RARP, most businesses use Dynamic Host Configuration Protocol (DHCP)
to assign IP addresses dynamically. DHCP is cost-effective and requires less maintenance than RARP. The
most important limitations with RARP are as follows:
• Because RARP uses hardware addresses, if the internetwork is large with many physical networks, a
RARP server must be on every segment with an additional server for redundancy. Maintaining two
servers for every segment is costly.
• Each server must be configured with a table of static mappings between the hardware addresses and
the IP addresses. Maintenance of the IP addresses is difficult.
• RARP only provides IP addresses of the hosts but not subnet masks or default gateways.

How to Configure the Address Resolution Protocol

Defining Static ARP Entries


Perform this task to define static mapping between an IP address (32-bit address) and a Media Access
Control (MAC) address (48-bit address) for hosts that do not support dynamic Address Resolution Protocol
(ARP). Because most hosts support dynamic address resolution, defining static ARP cache entries is
usually not required. Performing this task installs a permanent entry in the ARP cache that never times out.
The entries remain in the ARP table until they are removed using the no arp command or the clear arp
interface command for each interface.
1. enable
2. configure terminal
3. arp {ip-address | vrf vrf-name} hardware-address encap-type [interface-type]
4. end
DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode.
Example:
Device> enable

Step 2: configure terminal
Purpose: Enters global configuration mode.
Example:
Device# configure terminal

Step 3: arp {ip-address | vrf vrf-name} hardware-address encap-type [interface-type]
Purpose: Globally associates an IP address with a MAC address in the ARP cache.
Example:
Device(config)# arp 10.0.0.0 aabb.cc03.8200 arpa
• ip-address—IP address in four-part dotted decimal format corresponding to the local data-link address.
• vrf vrf-name—Virtual routing and forwarding instance for a Virtual Private Network (VPN). The vrf-name argument is the name of the VRF table.
• hardware-address—Local data-link address (a 48-bit address).
• encap-type—Encapsulation type for the static entry. The keywords are as follows:
  ◦ arpa—For Ethernet interfaces.
  ◦ sap—For Hewlett Packard interfaces.
  ◦ smds—For Switched Multimegabit Data Service (SMDS) interfaces.
  ◦ snap—For FDDI and Token Ring interfaces.
  ◦ srp-a—Switch route processor side A (SRP-A) interfaces.
  ◦ srp-b—Switch route processor side B (SRP-B) interfaces.
  Note: Some keywords might not apply to your hardware platform.
• interface-type—(Optional) Interface type (for more information, use the question mark (?) online help).

Step 4: end
Purpose: Returns to privileged EXEC mode.
Example:
Device(config)# end
Setting an Expiration Time for Dynamic Entries in the ARP Cache
1. enable
2. configure terminal
3. interface type number
4. arp timeout seconds
5. end

Verifying the ARP Configuration


These commands are entered in privileged EXEC mode:
1. show interfaces
2. show arp
3. show ip arp
4. show processes cpu | include (ARP | PID)

ARP Protocol
• Machine A wants to send a packet to B, but A only knows B’s IP address
• Machine A broadcasts an ARP request with B’s IP address
• All machines on the local network receive the broadcast
• Machine B replies with its physical address
• Machine A adds B’s address information to its table
• Machine A delivers the packet directly to B

ARP Caching
• To reduce communication cost, computers that use ARP maintain a cache of recently acquired IP-to-physical address bindings.
• Each entry has a timer (the usual timeout period is 20 minutes)
• The sender’s IP-to-physical address binding is included in every ARP broadcast; receivers update the IP-to-physical address binding information in their cache before processing an ARP packet.
• ARP is stateless, and most operating systems update their cache when receiving an ARP reply, regardless of whether they have actually sent out a request or not.
• Gratuitous message (src IP = dest IP, operation code = 2: reply)
• The same IP address is used for both source IP and dest IP. This is used during initialization of the IP stack to find out whether the IP address is used by another host. Whoever has the same IP replies (this message is a broadcast). Otherwise, every host updates its cache.
Source: Cisco Content Services Switch Routing and Bridging Configuration Guide, OL-4580-01

ARP Configuration Quick Start


Task and Command Example
1. Define a static ARP mapping.
(config)# arp 192.168.11.1 00-60-97-d5-26-ab e2
2. Set the time, in seconds, to hold an ARP resolution result. Note that this
timeout period affects dynamic ARP entries. Static ARP entries are
permanent and not affected by this timeout period.
(config)# arp timeout 120
3. Set the time, in seconds, to wait for an ARP resolution.
(config)# arp wait 15
4. (Optional) Update the file containing hosts reachable through ARP.
# update arp file
Note: This command is available only in SuperUser mode.
5. (Optional) Clear ARP parameters for the ARP file or ARP cache that
contains known hosts reachable through ARP.
# clear arp file
6. (Recommended) Display ARP information. For example, to display the
complete ARP resolution table, enter:
# show arp

Address Mappings
Each host keeps a mapping table: when a machine on a physical network wants to reach another host on the same physical network (either the first-hop router or another host), it consults this table.
How is this table maintained?

ARP
When the table doesn’t have the required mapping, the host broadcasts a message (to the physical net) asking: who has this IP address?
The appropriate host responds with its physical address (and inserts the requester in its table).
All others listening who have either host in their table refresh their entries.

Assumptions in ARP
• Assumes that the physical network can broadcast
• Not always true: e.g., ATM
• Must find methods for these networks (e.g., ATMARP)

Host A ARP Request (broadcast to everybody on the LAN):
SenderMAC = MACA
SenderIP = IPA
TargetMAC = ???
TargetIP = IPB

Host B ARP Reply (unicast just to A):
SenderMAC = MACB
SenderIP = IPB
TargetMAC = MACA
TargetIP = IPA

ARP Cache
• Wish to avoid sending an ARP Request for every
data packet
• Solution: cache address mapping for reuse
– A caches the ARP Reply (MACB, IPB) mapping
– All hosts on LAN cache ARP Request (MACA, IPA) mapping

Solution: Dynamic Binding (RFC 826)
1. Host A wants to send data to Host B with logical address IPB, located on the same local area network.
2. Host A broadcasts to all hosts on the LAN: “What is the hardware address of the host with logical address IPB?”
3. B receives the broadcast frame and decapsulates the ARP Request.
4. Host B recognizes its logical (IP) address and unicasts “My hardware address is MACB” to MACA.
5. Host A sends the IP datagram to IPB inside a frame with hardware address MACB.

ARP Operation
Applications use a logical address (IP address) to identify
the destination host. The IP packets are encapsulated
into frames. The delivery of frames across links (source –
source, or source – router, router – router, …, router –
destination) is based on local addresses called physical or
MAC addresses. The mapping of IP addresses into
physical addresses is done through the Address
Resolution Protocol (ARP).

Four cases using ARP

Case 1: Host to Host
The IP address of the destination host is taken from the IP datagram.

Case 2: Host to Router
The IP address of the destination (router) is not taken from the IP datagram. Instead it is taken from the next-hop column of the routing table of the source host.

Case 3: Router to Router
The IP address of the destination (router) is not taken from the IP datagram. Instead it is taken from the next-hop column of the sending router’s routing table.

Case 4: Router to Host
Now, the IP address of the destination host is taken from the IP datagram.

ARP Cache Table
It would be very inefficient to use ARP to deliver each IP datagram. Therefore the most recent mappings are kept in a cache table. In order to be consistent with network dynamics, entries in the ARP cache have a timeout value which is used to remove aged entries.
To be concrete, consider the following scenario. The network layer on host A, 137.140.8.105/24, has decided that a datagram needs to be sent to 137.140.8.250, which is on the same network, directly connected to it. In order for the link layer of A to construct the Ethernet frame, it needs to know the MAC address of the NIC that is bound to the IP address 137.140.8.250. (Remember that MAC addresses are fixed properties of NICs. IP addresses, on the other hand, are set at the software level; one or more IP addresses can be associated with a NIC using /sbin/ifconfig (for Linux) or similar commands.)
It is the role of the ARP module to resolve this issue: ARP finds out the hardware (MAC) address associated with a particular IP address. This is similar to DNS, where a mnemonic name is resolved into an IP address at the application level. We can think of ARP as sitting between the Network and Link layers.
In order to find the MAC address of the destination, A's ARP module broadcasts an ARP request, basically asking “who has the IP 137.140.8.250? Tell 137.140.8.105”. All hosts on the network will receive this ARP request broadcast.
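The scenario above is Case 1 of the four cases: the destination is on a directly connected network, so the address handed to ARP is the destination itself. For a remote destination (Cases 2 and 3) the address to resolve comes from the routing table's next-hop column instead, and the result of the ARP lookup then falls into one of the three categories given earlier for a router (destined for the device itself, mapping known, mapping unknown). The following is an added example, not code from the original page, that carries this decision through using the addresses from the scenario; the default gateway 137.140.8.1, the MAC addresses, and the remote destination 192.0.2.10 are constructed.

```python
import ipaddress


def select_next_hop(dst_ip, interfaces, routes):
    """Decide which IP address ARP must resolve in order to reach dst_ip.

    interfaces: {name: "address/prefix"} of the sending device.
    routes: list of (prefix, next_hop, interface); longest prefix wins.
    Returns (kind, ip_to_resolve, interface).
    """
    dst = ipaddress.ip_address(dst_ip)
    for name, cidr in interfaces.items():
        local = ipaddress.ip_interface(cidr)
        if dst == local.ip:
            return ("self", None, name)        # packet is for this device
        if dst in local.network:
            return ("direct", dst_ip, name)    # Cases 1 and 4: resolve the host
    best = None
    for prefix, next_hop, name in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, name)
    if best is None:
        return ("unreachable", None, None)
    return ("via", best[1], best[2])           # Cases 2 and 3: resolve next hop


def forwarding_decision(dst_ip, interfaces, routes, arp_cache):
    """Map a destination to one of the router's three outcomes.

    arp_cache: {ip: mac}. Returns (outcome, mac_or_ip, interface).
    """
    kind, resolve_ip, iface = select_next_hop(dst_ip, interfaces, routes)
    if kind == "self":
        return ("deliver-locally", None, None)   # hand to the higher layer
    if kind == "unreachable":
        return ("no-route", None, None)
    mac = arp_cache.get(resolve_ip)
    if mac is None:
        # Mapping unknown: an ARP request for resolve_ip must go out first,
        # and the triggering packet may be dropped meanwhile.
        return ("arp-needed", resolve_ip, iface)
    return ("forward", mac, iface)               # frame carries this MAC


# Host A from the scenario; gateway and MACs are constructed values.
HOST_A = {"eth0": "137.140.8.105/24"}
ROUTES_A = [("0.0.0.0/0", "137.140.8.1", "eth0")]
ARP_A = {
    "137.140.8.250": "00:11:22:33:44:55",   # the destination in the scenario
    "137.140.8.1": "00:11:22:33:44:01",     # the default gateway
}

if __name__ == "__main__":
    for dst in ("137.140.8.250", "192.0.2.10", "137.140.8.7", "137.140.8.105"):
        print(dst, forwarding_decision(dst, HOST_A, ROUTES_A, ARP_A))
```

Note that for the remote destination the frame is addressed to the gateway's MAC while the IP header still carries 192.0.2.10; the destination IP is never what ARP resolves in that case, which is exactly the distinction the four cases draw.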
