Argh ARP !
Let’s get straight to the point: ARP. Throughout my academic and professional career, ARP is the one protocol I have seen most tech folks and students struggle with. In this story I will try to lift the mysterious veil off ARP and also encourage you to try dissecting this protocol on your own. Let’s get started and I will show you how.
Let us start from the beginning, a very good place to start. ARP stands for Address Resolution Protocol. On the OSI model it is a Layer 2 protocol and it works only with IPv4, yes that is correct, only with IPv4. So what does ARP do and why is it important? ARP provides a mapping between the MAC address and the IP address of a resource on the network and makes communication happen on the local network, i.e. ARP is not routable. Before we delve into ARP, a quick look at the protocol data units.
Data encapsulation at Layer 2 occurs using Frames and for the first time during the encapsulation process we start to see a trailer, more about that maybe in a later story. To see the Layer 2 Frames in action, I will use Cisco Packet Tracer. You can probably do it on GNS3, but oh well.
Setting up the network
I start with a very basic network configuration: three PCs connected via a standard switch, and yep, Layer 2; most (if not all) switches are Layer 2 devices. This is shown in the diagram below.
I assign the following IP addresses to the PCs: PC0 gets 192.168.1.2, PC1 gets 192.168.1.3 and PC2 gets 192.168.1.4.
Next I connect the three PCs to the switch by the means of copper straight through cables.
While ARP is being discussed, I will also introduce the CAM table of a switch. Let us have a look at the CAM (or MAC) table of the switch using the CLI command show mac add; it's empty. More about this in a bit, hold tight.
Now change Cisco Packet Tracer into Simulation mode, this can be done by using Shift+S on Windows. Under Simulation mode ensure only ARP is selected under Event List Filters.
The fun begins, let's see how.
PC0 sends out an ARP request
Go to PC0 and open up its command prompt. Verify its IP and MAC address with ipconfig /all and its ARP entries by typing arp -a.
On PC0 let us start a ping to PC1, i.e. 192.168.1.3.
This will start the simulation and you should see a small envelope ready to leave PC0. This represents the ARP request.
Double click on the first entry in the simulation panel.
An ARP request can be seen being sent out. The source IP address is 192.168.1.2, the destination is 192.168.1.3, and the frame carries the source MAC address 969A with the destination being the broadcast MAC address FFFF.FFFF.FFFF. Interesting, eh?
So let's pause and see what's happening here. Since communication is happening on the local network, or subnet, or VLAN (take your pick), PC0 first sends this ARP request to the broadcast MAC address to see which network resource responds to it. This request goes out from the only Ethernet port on the PC at the Physical Layer (1).
Switch processing of PC0’s ARP request
Let's step the capture forward: the ARP request reaches the switch.
Let's examine the second entry and what is happening here.
Inbound to the switch: The switch receives the request from PC0 containing the source 192.168.1.2 and destination 192.168.1.3 IP addresses. The request also contains the source MAC 969A and destination MAC address, which is a broadcast MAC address FFFF.FFFF.FFFF. This matches the outgoing request from PC0 which we saw in the previous section. The switch receives the request on port 0/1, the port which PC0 is connected to.
Switch CAM (MAC) table:
Once the request from PC0 is received at the switch, let us check the switch's CAM table by typing in show mac add. We can now see an entry in the table. What sorcery is this? A few scrolls up we saw that the MAC address table of the switch was empty, so how do we have an entry now?
Totally separate from ARP, a switch maintains a CAM table, which is a mapping between a MAC address and the corresponding switch port number. This forms the core of the switch functionality. The incoming ARP request on port 0/1 originated from PC0 and it carried the source MAC address 969A. The switch stores this in its CAM table, ensuring that the next time it receives traffic destined for PC0 it is transmitted out of port 0/1.
Righto, back to our main topic, ARP.
Outbound from the switch:
Since the destination MAC address is a broadcast address, the switch sends the request out of both the other switch ports, 0/2 and 0/3.
At this point it would be good to provide a quick recap on the functionality of a Layer 2 switch. When a switch receives a frame, it can perform one of three actions: Forward, Filter or Flood. In Forward, the frame is forwarded to the port on the switch that corresponds to the destination MAC address; the switch looks up its CAM table to make this decision. In Filter, the frame is dropped altogether. In Flood, the frame is transmitted out through all ports except the incoming port. Flooding normally happens when the destination MAC address is a broadcast address. The switch inspects frames for the source IP address and MAC address and builds up its CAM table from this information.
Frame processing on PC2
Before we look into the frame processing on PC2, let us check the network details for PC2. PC2 has an IP address of 192.168.1.4 and no ARP entries in its ARP table.
PC2 receives the frame broadcast from the switch. PC2 processes the frame. Since the destination IP address in the frame is 192.168.1.3 and this does not match PC2’s IP address of 192.168.1.4, the ARP process on PC2 drops the frame. PC2 does not respond back to this ARP request. The ARP table on PC2 is not updated.
Frame processing on PC1
PC1 receives the frame broadcast from the switch. PC1 processes the frame.
Since the destination IP address in the frame is 192.168.1.3 and this does match PC1's IP address of 192.168.1.3, the ARP process on PC1 processes the frame.
During processing, the ARP process becomes aware of the source IP address 192.168.1.2 and its corresponding MAC address 969A, and updates PC1's ARP table with this information.
The ARP process on PC1 now prepares to reply to the ARP request sent by PC0.
The ARP process prepares an ARP reply with source IP address 192.168.1.3 and source MAC address D357 corresponding to PC1, with the destination IP address 192.168.1.2 and MAC address 969A corresponding to PC0.
Switch processing of PC1’s ARP reply
We have seen that the original ARP request from PC0 is dropped by PC2. PC1 replies to the ARP request. PC1's reply is received by the switch on port 0/2.
Inbound to the switch: The switch receives the reply from PC1 containing the source 192.168.1.3 and destination 192.168.1.2 IP addresses. The reply also contains the source MAC D357 and destination MAC address 969A. The switch receives the reply on port 0/2, the port which PC1 is connected to.
The switch updates its CAM table with the MAC address D357 and port 0/2 for PC1.
Outbound from the Switch:
The switch by this stage knows that MAC address 969A is connected to port 0/1.
The switch Forwards the ARP reply out of port 0/1.
Frame processing on PC0
PC0 receives the ARP reply from PC1 through port 0/1 of the switch. The destination IP address of 192.168.1.2 and destination MAC address of 969A match those of PC0.
The ARP process on PC0 accepts the ARP reply and updates the ARP table on PC0 with the source IP address 192.168.1.3 and MAC address D357, i.e. PC1's details.
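To tie the steps together, here is an added Python simulation (not from the story or from Packet Tracer) of the exchange above: a switch that learns from source MACs and Floods, Forwards or Filters, and hosts whose ARP process drops, learns and replies exactly as PC2, PC1 and PC0 did. The IPs and the MAC suffixes 969A and D357 are the story's; PC2's MAC "0000" and the port-to-host topology are constructed placeholders.

```python
BROADCAST = "FFFF.FFFF.FFFF"

class Host:
    """A PC running the ARP process; arp_table maps IP -> MAC (what arp -a prints)."""
    def __init__(self, name, ip, mac):
        self.name, self.ip, self.mac, self.arp_table = name, ip, mac, {}

    def arp_request(self, target_ip):
        # "Who has target_ip?" sent to the broadcast MAC so every host on the segment sees it
        return {"src_mac": self.mac, "dst_mac": BROADCAST, "op": "request",
                "sender_ip": self.ip, "sender_mac": self.mac, "target_ip": target_ip}

    def receive(self, frame):
        if frame["target_ip"] != self.ip:
            return None                      # PC2's case: dropped, ARP table untouched
        # No authentication: the claimed sender_ip/sender_mac is cached as-is (what ARP poisoning abuses)
        self.arp_table[frame["sender_ip"]] = frame["sender_mac"]
        if frame["op"] == "request":         # answer with a unicast reply back to the requester
            return {"src_mac": self.mac, "dst_mac": frame["sender_mac"], "op": "reply",
                    "sender_ip": self.ip, "sender_mac": self.mac, "target_ip": frame["sender_ip"]}
        return None

class Switch:
    """Layer 2 switch: learns source MACs per port, then Forwards, Filters or Floods."""
    def __init__(self, ports):
        self.ports = ports  # port -> Host (constructed topology)
        self.cam = {}       # MAC -> port, i.e. what show mac add prints

    def handle(self, in_port, frame):
        self.cam[frame["src_mac"]] = in_port  # learn from the source MAC
        dst = frame["dst_mac"]
        if dst == BROADCAST or dst not in self.cam:
            return [p for p in self.ports if p != in_port]  # Flood (broadcast or unknown unicast)
        if self.cam[dst] == in_port:
            return []                                       # Filter: destination sits on the ingress port
        return [self.cam[dst]]                              # Forward

def run_ping_prelude():
    """Replay the ARP exchange before PC0's ping to PC1; PC2's MAC is a constructed placeholder."""
    pc0, pc1 = Host("PC0", "192.168.1.2", "969A"), Host("PC1", "192.168.1.3", "D357")
    pc2 = Host("PC2", "192.168.1.4", "0000")
    sw = Switch({"0/1": pc0, "0/2": pc1, "0/3": pc2})
    pending = [("0/1", pc0.arp_request("192.168.1.3"))]  # PC0 has no ARP entry for PC1 yet
    while pending:
        in_port, frame = pending.pop(0)
        for out_port in sw.handle(in_port, frame):
            reply = sw.ports[out_port].receive(frame)
            if reply:
                pending.append((out_port, reply))
    return sw.cam, pc0.arp_table, pc1.arp_table, pc2.arp_table
```

Calling run_ping_prelude() returns the switch CAM table and the three ARP tables in the same state the Packet Tracer walkthrough ends in: two CAM entries, one ARP entry each on PC0 and PC1, and nothing on PC2.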
In summary
I hope this story has provided some clarity on the inner workings of network communication at Layer 2 and has turned the Argh ARP into Ah ARP! Really, all network communication within the local network needs the ARP table and the respective entries in the switch's CAM table. We started this story off by initiating a ping to PC1. The role of the ping was really to start building the ARP table on PC0, as without it PC0 would not be able to send and receive ping requests. A fundamental understanding of network communications will come in handy if you are interested in cyber security and DevOps. ARP is prone to ARP poisoning and also Man in the Middle attacks. A topic for another day?