Address Resolution Protocol (ARP)
Routers pass packets across a logical path, composed of multiple data links, by reading and acting on the network addresses in the packets. The packets are passed across the individual data links by encapsulating the packets in frames, which use data-link identifiers (MAC addresses, for example) to get the frame from source to destination on the link. One of the major topics of this book concerns the mechanisms by which routers discover and share information about network addresses so that routing might take place. Similarly, devices on a data link need a way to discover their neighbors' data-link identifiers so that frames might be transmitted to the correct destination.
Several mechanisms can provide this information; IPv4 uses the Address Resolution Protocol (ARP), described in RFC 826. Figure 1-13 shows how ARP works. A device needing to discover the data-link identifier of another device will create an ARP Request packet. This request will contain the IPv4 address of the device in question (the target) and the source IPv4 address and data-link identifier (MAC address) of the device making the request (the sender). The ARP Request packet is then encapsulated in a frame with the sender's MAC address as the source and a broadcast address for the destination (see Example 1-6).
Figure 1-13. ARP is used to map a device's data-link identifier to its IP address.
Example 1-6. An analyzer capture of the ARP Request depicted in Figure 1-13, with its encapsulating frame.
Ethernet II, Src: 00:30:65:2c:09:a6, Dst: ff:ff:ff:ff:ff:ff
    Destination: ff:ff:ff:ff:ff:ff (Broadcast)
    Source: 00:30:65:2c:09:a6 (AppleCom_2c:09:a6)
    Type: ARP (0x0806)
Address Resolution Protocol (request)
    Hardware type: Ethernet (0x0001)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: request (0x0001)
    Sender MAC address: 00:30:65:2c:09:a6 (AppleCom_2c:09:a6)
    Sender IP address: 172.16.1.21 (172.16.1.21)
    Target MAC address: 00:00:00:00:00:00 (00:00:00_00:00:00)
    Target IP address: 172.16.1.33 (172.16.1.33)
The broadcast address means that all devices on the data link will receive the frame and examine the encapsulated packet. All devices except the target will recognize that the packet is not for them and will drop the packet. The target will send an ARP Reply to the source address, supplying its MAC address (see Example 1-7).
Example 1-7. An analyzer capture of the ARP Reply depicted in Figure 1-13.
Ethernet II, Src: 00:10:5a:e5:0e:e3, Dst: 00:30:65:2c:09:a6
    Destination: 00:30:65:2c:09:a6 (AppleCom_2c:09:a6)
    Source: 00:10:5a:e5:0e:e3 (3com_e5:0e:e3)
    Type: ARP (0x0806)
    Trailer: 15151515151515151515151515151515...
Address Resolution Protocol (reply)
    Hardware type: Ethernet (0x0001)
    Protocol type: IP (0x0800)
    Hardware size: 6
    Protocol size: 4
    Opcode: reply (0x0002)
    Sender MAC address: 00:10:5a:e5:0e:e3 (3com_e5:0e:e3)
    Sender IP address: 172.16.1.33 (172.16.1.33)
    Target MAC address: 00:30:65:2c:09:a6 (AppleCom_2c:09:a6)
    Target IP address: 172.16.1.21 (172.16.1.21)
Cisco routers will display ARP activity when the debug function debug arp is invoked, as shown in Example 1-8.
Example 1-8. Router Aretha (172.21.5.1) responds to an ARP request from host 172.19.35.2.
Aretha#debug arp
IP ARP: rcvd req src 172.19.35.2 0002.6779.0f4c, dst 172.21.5.1 Ethernet0
IP ARP: sent rep src 172.21.5.1 0000.0c0a.2aa9, dst 172.19.35.2 0002.6779.0f4c Ethernet0
Aretha#
Figure 1-14. ARP packet format.
Hardware Type specifies the type of data link whose identifiers are being mapped; Ethernet is 1 (0x0001), as seen in Examples 1-6 and 1-7.
Protocol Type specifies the type of network-level protocol the sender is mapping to the data link identifier; IPv4 is 0x0800.
Hardware Address Length specifies the length, in octets, of the data link identifiers. MAC addresses would be 6.
Protocol Address Length specifies the length, in octets, of the network-level address. IPv4 would be 4.
Operation specifies whether the packet is an ARP Request (1) or an ARP Reply (2). Other values might also be found here, indicating other uses for the ARP packet. Examples are Reverse ARP Request (3), Reverse ARP Reply (4), Inverse ARP Request (8), and Inverse ARP Reply (9).
The final 20 octets are the fields for the sender's and target's data-link identifiers and IPv4 addresses, in this order: sender hardware address (6 octets), sender protocol address (4), target hardware address (6), and target protocol address (4). In a Request the target hardware address is the value being asked for, so it is sent as all zeros, as in Example 1-6; the Reply fills it in and swaps the sender and target roles, as in Example 1-7.
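To make the layout of Figure 1-14 concrete, the following Python is an added example (not code from the book) that builds the Request and Reply of Examples 1-6 and 1-7 byte for byte, including the Ethernet II header, and decodes them back into their fields. The addresses are those of the two captures; the function names and the ValueError checks in the parser are this example's own.

```python
"""Build and decode Ethernet/IPv4 ARP frames (Examples 1-6 and 1-7).

Added example; addresses come from the book's captures, everything else
(function names, checks) is assumed for illustration.
"""
import struct

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
HTYPE_ETHERNET = 1
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Operation codes named in the text (values as assigned by IANA).
OPCODES = {1: "request", 2: "reply", 3: "RARP request", 4: "RARP reply",
           8: "InARP request", 9: "InARP reply"}


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Return an Ethernet II frame carrying a 28-octet ARP packet.

    ARP body: htype(2) ptype(2) hlen(1) plen(1) oper(2), then the 20
    address octets. A Request is broadcast; a Reply is unicast to the
    requester (the target of the reply).
    """
    dst = BROADCAST_MAC if opcode == ARP_REQUEST else target_mac
    eth_hdr = (mac_to_bytes(dst) + mac_to_bytes(sender_mac)
               + struct.pack("!H", ETHERTYPE_ARP))
    arp = struct.pack("!HHBBH", HTYPE_ETHERNET, ETHERTYPE_IPV4, 6, 4, opcode)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    frame = eth_hdr + arp                      # 14 + 28 = 42 octets
    # Ethernet pads short frames to 60 octets (before the FCS); the
    # "Trailer" shown in Example 1-7 is exactly that padding.
    return frame + b"\x00" * (60 - len(frame))


def parse_arp_frame(frame):
    """Decode an Ethernet II frame plus ARP payload into a dict.

    Anything that is not Ethernet/IPv4 ARP is rejected before the address
    fields are read, which is the check a receiver should make first.
    """
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, ETHERTYPE_IPV4, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    body = frame[22:42]                         # the final 20 octets
    return {
        "eth_dst": bytes_to_mac(dst),
        "eth_src": bytes_to_mac(src),
        "opcode": oper,
        "operation": OPCODES.get(oper, "unknown"),
        "sender_mac": bytes_to_mac(body[0:6]),
        "sender_ip": bytes_to_ip(body[6:10]),
        "target_mac": bytes_to_mac(body[10:16]),
        "target_ip": bytes_to_ip(body[16:20]),
    }


def example_exchange():
    """Reproduce the Request/Reply pair of Examples 1-6 and 1-7."""
    request = build_arp_frame(ARP_REQUEST, "00:30:65:2c:09:a6", "172.16.1.21",
                              "00:00:00:00:00:00", "172.16.1.33")
    req = parse_arp_frame(request)
    # The target answers with its own MAC as sender, unicast to the requester.
    reply = build_arp_frame(ARP_REPLY, "00:10:5a:e5:0e:e3", req["target_ip"],
                            req["sender_mac"], req["sender_ip"])
    return req, parse_arp_frame(reply)


if __name__ == "__main__":
    for pkt in example_exchange():
        print(pkt)
```

Running the module prints both decoded packets; the target MAC of the Request comes back as all zeros and the Reply's Ethernet destination is the requester's MAC, matching the two captures.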
In the top screen in Example 1-9, the IOS command show arp is used to examine the ARP table in a Cisco router.
Example 1-9. The ARP table for three devices connected to the same network: a Cisco router, a Microsoft Windows host, and a Linux host.
Martha#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.158.43.34            2   0002.6779.0f4c  ARPA   Ethernet0
Internet  10.158.43.1             -   0000.0c0a.2aa9  ARPA   Ethernet0
Internet  10.158.43.25           18   00a0.24a8.a1a5  ARPA   Ethernet0
Internet  10.158.43.100           6   0000.0c0a.2c51  ARPA   Ethernet0
Martha#
________________________________________________________________________
C:\WINDOWS>arp -a

Interface: 184.108.40.206
  Internet Address      Physical Address      Type
  10.158.43.1           00-00-0c-0a-2a-a9     dynamic
  10.158.43.34          00-02-67-79-0f-4c     dynamic
  10.158.43.100         00-00-0c-0a-2c-51     dynamic
_________________________________________________________________________
Linux:~# arp -a
Address        HW type          HW address          Flags  Mask
10.158.43.1    10Mbps Ethernet  00:00:0C:0A:2A:A9   C      *
10.158.43.100  10Mbps Ethernet  00:00:0C:0A:2C:51   C      *
10.158.43.25   10Mbps Ethernet  00:A0:24:A8:A1:A5   C      *
Linux:~#
Notice the Age column. As this column would indicate, ARP information is removed from the table after a certain time to prevent the table from becoming congested with old information. Cisco routers hold ARP entries for four hours (14,400 seconds); this default can be changed. The following example changes the ARP timeout to 30 minutes (1800 seconds):
Martha(config)# interface ethernet 0
Martha(config-if)# arp timeout 1800
The middle screen of Example 1-9 shows the ARP table of a Microsoft Windows PC, and the bottom shows the ARP table from a Linux machine. Although the format is different from the IOS display, the essential information is the same in all three tables.
ARP entries might also be permanently placed in the table. To statically map 172.21.5.131 to hardware address 0000.00a4.b74c, with a SNAP (Subnetwork Access Protocol) encapsulation type, use the following:
Martha(config)# arp 172.21.5.131 0000.00a4.b74c snap
The command clear arp-cache forces a deletion of all dynamic entries from the ARP table. It also clears the fast-switching cache and the IP route cache.
Several variations of ARP exist; at least one, proxy ARP, is important to routing.
Sometimes called promiscuous ARP and described in RFCs 925 and 1027, proxy ARP is a method by which routers might make themselves available to hosts. For example, a host 192.168.12.5/24 needs to send a packet to 192.168.20.101/24, but it is not configured with default gateway information and therefore does not know how to reach a router. It might issue an ARP Request for 192.168.20.101; the local router, receiving the request and knowing how to reach network 192.168.20.0, will issue an ARP Reply with its own data link identifier in the hardware address field. In effect, the router has tricked the local host into thinking that the router's interface is the interface of 192.168.20.101. All packets destined for that address are then sent to the router.
Figure 1-15 shows another use for proxy ARP. Of particular interest here are the address masks. The router is configured with a 28-bit mask (four bits of subnetting for the Class C address), but the hosts are all configured with 24-bit, default Class C mask. As a result, the hosts will not be aware that subnets exist. Host 192.168.20.66, wanting to send a packet to 192.168.20.25, will issue an ARP Request. The router, recognizing that the target address is on another subnet, will respond with its own hardware address. Proxy ARP makes the subnetted network topology transparent to the hosts.
Figure 1-15. Proxy ARP enables the use of transparent subnets.
The ARP cache in Example 1-10 gives a hint that proxy ARP is in use. Notice that multiple IPv4 addresses are mapped to a single MAC identifier; the addresses are for hosts, but the hardware MAC identifier belongs to the router interface.
Example 1-10. This ARP table from host 192.168.20.66 in Figure 1-15 shows multiple IPv4 addresses mapped to one MAC identifier, indicating that proxy ARP is in use.
C:\WINDOWS>arp -a Interface: 192.168.20.66 Internet Address Physical Address Type 192.168.20.17 00-00-0c-0a-2a-a9 dynamic 192.168.20.20 00-00-0c-0a-2a-a9 dynamic 192.168.20.25 00-00-0c-0a-2a-a9 dynamic 192.168.20.65 00-00-0c-0a-2c-51 dynamic 192.168.20.70 00-02-67-79-0f-4c dynamic
Proxy ARP is enabled by default in IOS and might be disabled on a per-interface basis with the command no ip proxy-arp. Keep in mind that nothing in ARP authenticates a reply: a host simply accepts the answer it receives, which is what allows a router to answer on behalf of addresses that are not its own. On interfaces where the router should not be answering for other hosts, disable it.
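The "hint" described for Example 1-10 can be checked mechanically. The Python below is an added example (not from the book) that parses the host arp -a layout and the IOS show arp layout shown on this page, groups entries by hardware address, and reports any MAC that answers for more than one IPv4 address. The sample cache text is constructed to match Examples 1-9 and 1-10; the regular expressions, thresholds, and function names are this example's own assumptions. The same signature is what you would look for when some device other than the router is answering for addresses it does not own.

```python
"""Flag ARP cache entries that share one hardware address.

Added example. Handles the 'arp -a' host layouts (Windows dashes, Linux
colons) and the IOS 'show arp' layout; sample text is constructed from
Examples 1-9 and 1-10 on this page.
"""
import re
from collections import defaultdict

# Host tables: IPv4 address at the start of the line, a 6-octet MAC
# (dash- or colon-separated) somewhere after it.
HOST_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\b.*?\b([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\b",
    re.I)
# IOS: "Internet  10.158.43.34  2  0002.6779.0f4c  ARPA  Ethernet0"
IOS_RE = re.compile(
    r"^\s*Internet\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)


def normalize_mac(mac):
    """Return aa:bb:cc:dd:ee:ff regardless of the tool's own notation."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp_cache(text):
    """Return a list of (ip, mac) pairs; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            entries.append((m.group(1), normalize_mac(m.group(2))))
            continue
        m = IOS_RE.match(line)
        if m:
            entries.append((m.group(1), normalize_mac(m.group(3))))
    return entries


def find_shared_macs(entries, minimum=2):
    """Map each MAC seen for at least `minimum` distinct IPs to those IPs."""
    by_mac = defaultdict(set)
    for ip, mac in entries:
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) >= minimum}


# Constructed to match Example 1-10 (host 192.168.20.66 in Figure 1-15).
WINDOWS_CACHE = """\
C:\\WINDOWS>arp -a

Interface: 192.168.20.66
  Internet Address      Physical Address      Type
  192.168.20.17         00-00-0c-0a-2a-a9     dynamic
  192.168.20.20         00-00-0c-0a-2a-a9     dynamic
  192.168.20.25         00-00-0c-0a-2a-a9     dynamic
  192.168.20.65         00-00-0c-0a-2c-51     dynamic
  192.168.20.70         00-02-67-79-0f-4c     dynamic
"""

# Constructed to match the router table in Example 1-9.
IOS_CACHE = """\
Martha#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.158.43.34            2   0002.6779.0f4c  ARPA   Ethernet0
Internet  10.158.43.1             -   0000.0c0a.2aa9  ARPA   Ethernet0
Internet  10.158.43.25           18   00a0.24a8.a1a5  ARPA   Ethernet0
Internet  10.158.43.100           6   0000.0c0a.2c51  ARPA   Ethernet0
Martha#
"""

if __name__ == "__main__":
    for name, cache in (("windows", WINDOWS_CACHE), ("ios", IOS_CACHE)):
        shared = find_shared_macs(parse_arp_cache(cache))
        print(name, shared or "no MAC answers for more than one address")
```

On the Example 1-10 table the one flagged MAC is the router interface 00:00:0c:0a:2a:a9, answering for .17, .20 and .25; on the router's own table in Example 1-9 nothing is flagged. A MAC that appears for several addresses is not proof of proxy ARP by itself, so the next step is to compare the flagged MAC with the hardware address of the router interface, as the text does.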
A host might occasionally issue an ARP Request with its own IPv4 address as the target address. These ARP Requests, known as gratuitous ARPs, have several uses:
Many IP implementations do not use gratuitous ARP, but you should be aware of its existence. It is disabled by default in IOS but can be enabled with the command ip gratuitous-arps.
Instead of mapping a hardware address to a known IPv4 address, Reverse ARP (RARP), described in RFC 903, maps an IPv4 address to a known hardware address. Some devices, such as diskless workstations, might not know their IPv4 address at startup. RARP might be programmed into firmware on these devices, allowing them to broadcast a RARP Request (operation 3 in the ARP packet) that carries their burned-in hardware address. The RARP Reply (operation 4) from a RARP server on the same data link supplies the appropriate IPv4 address.
RARP has been largely supplanted by the Dynamic Host Configuration Protocol (DHCP), an extension of the Bootstrap Protocol (BootP). Both can provide much more than the IPv4 address and, unlike RARP, their messages can be forwarded off the local data link by a relay agent, so a single server can serve hosts on many links.