Cisco TAC Entry Training

Address
Resolution
Protocol (ARP)

Tariq Bader
CCIE # 35627

Security/VPN team
Cisco TAC
Presentation_ID © 2010 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1
Agenda

Introduction to ARP

ARP Operation

ARP Packet Format & Encapsulation

ARP Applications

RARP
Introduction to ARP

 ARP Purpose: a sending node needs a way to find the MAC address of the destination on a given Ethernet link.
 On a typical physical network, such as an Ethernet LAN, each device on a link is identified by a physical or station address that is usually imprinted on the NIC.
 ARP associates an IP address with its physical (MAC) address.
 The ARP protocol provides two basic functions:
o Resolving IPv4 addresses to MAC addresses
o Maintaining a table of mappings

ARP Operation

ARP Functions/Operation

 ARP Table
o Used to find the data link layer address that is mapped to the destination IPv4 address.
o As a node receives frames from the media, it records the source IP and MAC address as a mapping in the ARP table.
o Both L3 devices and end hosts maintain this table.
 ARP Request
o Layer 2 broadcast to all devices on the Ethernet LAN.
o The node that matches the IP address in the broadcast will reply.
o If no device responds to the ARP request, the packet is dropped because a frame cannot be created.
 Note: Static map entries can be entered in an ARP table, but this is rarely done.

ARP Operation – Local Communication

 The L2 switch floods the ARP broadcast request out of all other switchports.

ARP Operation – Remote Communication

 If the destination IPv4 host is on the local network, the frame will use the MAC address of this device as the destination MAC address.
 If the destination IPv4 host is not on the local network, the
source uses the ARP process to determine a MAC address
for the router interface serving as the gateway.
 In the event that the gateway entry is not in the table, an
ARP request is used to retrieve the MAC address associated
with the IP address of the router interface.

ARP Operation – ARP Request Cases

The Format of ARP Packet

 Hardware Type  Ethernet is type 1
 Protocol Type  IPv4 = 0x0800 (Ethertype)
 Hardware Length  length of an Ethernet (MAC) address (6)
 Protocol Length  length of an IPv4 address (4)
 Operation  specifies the operation that the sender is performing: 1 for request, 2 for reply
 Hardware Address  MAC address
 Protocol Address  IPv4 address

Encapsulation of ARP Packet

The ARP packet is encapsulated within an Ethernet frame.

Note: the Type field for ARP in the Ethernet frame is 0x0806 (Ethertype).

ARP Tables on Networking Devices

Removing Entries from an ARP Table

 The ARP cache timer removes ARP entries that have not been used for a specified period of time.
 Commands may also be used to manually remove all or some of the entries in the ARP table  ‘clear arp’ on a router.

ARP Applications

Proxy ARP
 Proxy ARP, running on a router, lets the router respond to an ARP request on behalf of any of its other directly connected hosts.
 The proxy ARP reply carries the router's own MAC address.
 When the packet arrives, the router delivers it to the appropriate host.

Gratuitous ARP
 Also called ARP Announcements
 Updates other hosts' mappings of a hardware address when the sender's IP address or MAC address has changed
 Broadcast as an ARP request containing the sender's protocol address (SPA) in the target field (TPA = SPA), with the target hardware address (THA) set to zero
 Also used to detect IP conflicts
 No ARP reply is expected

ARP Probe
 An ARP request constructed with an all-zero sender IP address
 Used in the IPv4 Address Conflict Detection specification (RFC 5227)
 Sent when there is any change in connectivity
 Not sent periodically

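As an added example (not part of the original deck), the Ethernet/ARP layout from the "Format of ARP Packet" and "Encapsulation" slides, plus the gratuitous-ARP and ARP-probe rules above, written as a small Python builder, parser and classifier; the MAC and 192.0.2.x addresses are constructed sample values.

```python
import struct
import ipaddress

ETHERTYPE_ARP = 0x0806    # Ethernet Type field value for an ARP packet
HTYPE_ETHERNET = 1        # ARP Hardware Type: Ethernet
PTYPE_IPV4 = 0x0800       # ARP Protocol Type: IPv4 (same value as the IPv4 Ethertype)
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

def _mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def _mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def build_arp_frame(op, sha, spa, tha, tpa, dst_mac=BROADCAST_MAC):
    """14-byte Ethernet header followed by the 28-byte Ethernet/IPv4 ARP packet."""
    eth = _mac_bytes(dst_mac) + _mac_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)  # htype, ptype, hlen, plen, op
    arp += _mac_bytes(sha) + ipaddress.IPv4Address(spa).packed          # sender hardware/protocol addr
    arp += _mac_bytes(tha) + ipaddress.IPv4Address(tpa).packed          # target hardware/protocol addr
    return eth + arp

def parse_arp_frame(frame):
    """Decode the fields; raise ValueError for anything that is not Ethernet/IPv4 ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame (Ethertype 0x{ethertype:04x})")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("unsupported hardware/protocol type or address lengths")
    return {"dst_mac": _mac_str(frame[0:6]), "src_mac": _mac_str(frame[6:12]), "op": op,
            "sha": _mac_str(frame[22:28]), "spa": str(ipaddress.IPv4Address(frame[28:32])),
            "tha": _mac_str(frame[32:38]), "tpa": str(ipaddress.IPv4Address(frame[38:42]))}

def classify(f):
    """Label a decoded packet using the rules given on the slides."""
    if f["op"] == OP_REQUEST and f["spa"] == "0.0.0.0":
        return "probe"        # all-zero sender IP: address conflict detection (RFC 5227)
    if f["op"] == OP_REQUEST and f["spa"] == f["tpa"] and f["tha"] == ZERO_MAC:
        return "gratuitous"   # TPA == SPA with THA zero: announcement, no reply expected
    return {OP_REQUEST: "request", OP_REPLY: "reply"}.get(f["op"], f"unknown-op-{f['op']}")

if __name__ == "__main__":
    # Constructed sample: host 192.0.2.10 announcing itself after an address change
    frame = build_arp_frame(OP_REQUEST, "02:00:00:00:00:0a", "192.0.2.10", ZERO_MAC, "192.0.2.10")
    print(classify(parse_arp_frame(frame)), frame.hex())
```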
ARP Spoofing
 A malicious host sends unsolicited ARP replies to take over another host’s IP address
 Purpose:
o Passive sniffing
o Modifying packets (man-in-the-middle attack)
o Denial-of-service attack

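As an added example (not from the deck), the detection side of the spoofing described above: a small Python monitor that replays a constructed sequence of decoded ARP packets and flags unsolicited replies, IP-to-MAC mapping changes, and one MAC claiming several IPs. The `proxy_arp_macs` parameter and the 192.0.2.x addresses are assumptions; it exists because a router doing proxy ARP (see the Proxy ARP slide) legitimately answers for many IPs.

```python
from collections import defaultdict

# Constructed sample of decoded ARP packets (op 1 = request, 2 = reply), in arrival order:
# a legitimate gateway resolution, then a second station claiming the gateway's IP and
# another host's IP without ever having been asked.
SAMPLE_PACKETS = [
    {"op": 1, "sha": "02:00:00:00:00:0a", "spa": "192.0.2.10", "tha": "00:00:00:00:00:00", "tpa": "192.0.2.1"},
    {"op": 2, "sha": "02:00:00:00:00:01", "spa": "192.0.2.1", "tha": "02:00:00:00:00:0a", "tpa": "192.0.2.10"},
    {"op": 2, "sha": "02:00:00:00:00:66", "spa": "192.0.2.1", "tha": "02:00:00:00:00:0a", "tpa": "192.0.2.10"},
    {"op": 2, "sha": "02:00:00:00:00:66", "spa": "192.0.2.10", "tha": "02:00:00:00:00:01", "tpa": "192.0.2.1"},
]

def monitor_arp(packets, proxy_arp_macs=frozenset()):
    """Replay decoded ARP packets and return a list of alert strings.

    proxy_arp_macs (assumed parameter): MACs of routers doing proxy ARP, which
    legitimately answer for many IPs and should not trigger the multi-IP alert."""
    ip_to_mac = {}                 # what a listening host's ARP table would learn
    pending = set()                # target IPs with an outstanding request on the wire
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed so far
    alerts = []
    for p in packets:
        if p["op"] == 1:
            pending.add(p["tpa"])
            continue
        if p["op"] != 2:
            continue
        ip, mac = p["spa"], p["sha"]
        if ip in pending:
            pending.discard(ip)
        else:
            alerts.append(f"unsolicited reply: {ip} is-at {mac}")  # nobody asked for this IP
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.append(f"mapping change: {ip} moved from {old} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1 and mac not in proxy_arp_macs:
            alerts.append(f"one MAC claims several IPs: {mac} -> {sorted(mac_to_ips[mac])}")
    return alerts

if __name__ == "__main__":
    for line in monitor_arp(SAMPLE_PACKETS):
        print(line)
```

A legitimate event (NIC replacement, gateway failover) also produces a mapping-change alert, so correlate these alerts with change records rather than treating them as proof of spoofing.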
Reverse Address Resolution Protocol (RARP)

 RARP finds the logical (IP) address for a machine that only knows its physical (MAC) address.
 This is often encountered on thin-client workstations: with no disk, a machine needs to learn its IP address when it boots (we don’t want to burn the IP address into the ROM).
 RARP requests are broadcast; RARP replies are unicast.
 If a thin-client workstation needs to know its IP address, it probably also needs to know its subnet mask, router address, DNS address, etc., so something more than RARP is needed. BOOTP, and later DHCP, have replaced RARP.

RARP Operation

RARP Packet Format & Encapsulation

Q&A