All About ARP


ARP:--
Address Resolution Protocol (ARP) is one of the major protocols in the TCP/IP suite, and
the purpose of Address Resolution Protocol (ARP) is to resolve an IPv4 address (32
bit Logical Address) to the physical address (48 bit MAC Address).
Network Applications at the Application Layer use IPv4 Addresses to communicate with
another device. But at the Datalink layer, the addressing is the MAC address (48 bit Physical
Address), and this address is burned into the network card permanently. You can view your
network card's hardware address by typing the command "ipconfig /all" (without the double
quotes) at the command prompt on Windows Operating Systems.
The purpose of Address Resolution Protocol (ARP) is to find out the MAC address of the
device in your Local Area Network (LAN) that corresponds to the IPv4 address with which the
network application is trying to communicate.

Address Resolution Protocol (ARP) Message Format


Following are the fields in the Address Resolution Protocol Message Format:

Hardware Type [2 bytes]: It specifies the type of hardware used for the local network
transmitting the ARP message. Ethernet is the common Hardware Type and the value is 1.
The size of this field is 2 bytes.

Protocol Type [2 bytes]: Each protocol is assigned a number that is used in this field; IPv4 is 2048
(0x0800 in hexadecimal).

RAKESH https://www.linkedin.com/in/rakesh-sa-b2b664167

Hardware Address Length: Hardware Address Length in the ARP Message is length in bytes
of a hardware (MAC) address. Ethernet MAC addresses are 6 bytes long.

Protocol Address Length: Length in bytes of a logical address (IPv4 Address). IPv4
addresses are 4 bytes long.

Opcode [Operation] [2 bytes]: Opcode field in the Address Resolution Protocol (ARP)
Message specifies the nature of the ARP message. 1 for ARP request and 2 for ARP reply.

Sender Hardware Address [6 bytes]: Layer 2 [MAC] address of the device sending the
message.

Sender IP Address [4 bytes]: The protocol address (IPv4 address) of the device sending the
message.

Target Hardware Address [6 bytes]: Layer 2 [MAC] address of the intended receiver. This
field is ignored in requests.

Target IP Address [4 bytes]: The protocol address (IPv4 Address) of the intended receiver.

ARP Table

• Every device utilizing the IP protocol has an ARP table.
• ARP is a dynamic resolution protocol, which means that every resolution requires the
exchange of messages on the network.
• Each time a host sends an ARP message, it consumes network bandwidth.
• Moreover, ARP Request message is broadcasted, which means that every host on
the local network must spend CPU time examining the contents of each request.
• Sending an ARP request for each datagram is inefficient.
• For these reasons, cache is created to store network addresses and the associated
data-link addresses in memory for a period of time.
• Caching also ensures that the resolution of commonly-used addresses is fast.
• ARP cache entries can be:

1. static: created by manual configuration.

2. dynamic: created by using the ARP protocol.

• Without expiry, a host will exhaust its ARP cache with a lot of unused ARP entries, so it is
critical that the cache entries are set to expire periodically.
• Static entries remain in the table forever and are not timed out.
• If a dynamic ARP entry is not used for a specific amount of time, called the ARP timeout,
the entry is removed from the caching table.
• The default timeout timer is 4 hours.
• If an ARP request packet is received and the mapping already exists in the ARP
cache, it will be overwritten with the values present in the request.

Working:
=======
Step 1: When a source device wants to communicate with another device, the source device
checks its ARP cache to find out whether it already has a resolved MAC Address for the destination
device. If present, it will use that MAC Address for communication. To view your local ARP
cache, open Command Prompt and type the command "arp -a" in Windows.

ARP cache table

Every machine in the LAN has an ARP cache table. This cache table holds multiple ARP
entries. Each ARP entry consists of an IP address and a MAC address.
Here, let's stop and think: why is there a cache table? What would happen without it?
ARP cache table operation:--
View current cache table information:

At the same time, the arp command can also perform delete and add operations

Step 2: If the ARP resolution is not in the local cache, the source machine will generate an
ARP request message. It puts its own MAC address as the Sender Hardware Address and
its own IPv4 Address as the Sender Protocol Address. It fills in the destination IPv4 Address as
the Target Protocol Address. The Target Hardware Address will be left blank, since the
machine is trying to find that.

Step 3: The source broadcasts the Address Resolution Protocol (ARP) request message to
the local network.

Step 4: The message is received by each device on the LAN since it is a broadcast. Each
device compares the Target Protocol Address (IPv4 Address of the machine with which the
source is trying to communicate) with its own Protocol Address (IPv4 Address). Devices whose
address does not match will drop the packet without any action.

Step 5: When the targeted device checks the Target Protocol Address, it will find a match
and will generate an Address Resolution Protocol (ARP) reply message. It takes the Sender
Hardware Address and the Sender Protocol Address fields from the Address Resolution
Protocol (ARP) request message and uses these values for the Targeted Hardware Address
and Targeted Protocol Address of the reply message.

Step 6: The destination device will update its Address Resolution Protocol (ARP) cache,
since it needs to contact the sender machine soon.

Step 7: The destination device sends the Address Resolution Protocol (ARP) reply message, and
it will NOT be a broadcast, but a unicast.

Step 8: The source machine will process the Address Resolution Protocol (ARP) reply from the
destination and store the Sender Hardware Address as the layer 2 address of the destination.

Step 9: The source machine will update its Address Resolution Protocol (ARP) cache with
the Sender Hardware Address and Sender Protocol Address it received from the Address
Resolution Protocol (ARP) reply message.

ARP Explanation with Example
=========================
Let us take the topology below as an example.

Suppose I am sitting at 192.168.0.93 and I want to ping 192.168.0.109, to check the
network connectivity.
NOTE: While issuing the ping command, we never specify the MAC Address of the destination
device.
As we know, the ping command works using ICMP. ICMP is encapsulated inside an IP
datagram and the IP datagram is encapsulated within an Ethernet Frame. We need the Source IP
Address (my IP Address, 192.168.0.93), Destination IP Address (192.168.0.109), Source
MAC Address (my MAC Address 00:00:00:00:00:33) and Destination MAC Address to make
the Ethernet Frame for the ICMP message. The Source IP Address, Destination IP Address and Source
MAC Address are known at this instance, but the Destination MAC Address is unknown at this
instance.
To assemble the Ethernet Frame, our device must have the Destination MAC Address
corresponding to the IP Address 192.168.0.109.
We need to resolve the Destination MAC Address corresponding to the IP Address
192.168.0.109.

HERE IS EXACTLY WHAT IS DONE:
=============================

Step 1: Before resolving the Destination MAC Address corresponding to the IP Address
192.168.0.109 using ARP, the source device checks its ARP cache to find out whether it already has a
resolved MAC Address for the destination device. We can view the ARP cache by using the
command arp -a. Suppose that the ARP cache is empty.

Step 2: Computer [.93] needs to resolve the destination MAC address using ARP. It will
prepare an ARP Request message and send it with a Destination MAC Address of
FF:FF:FF:FF:FF:FF (Broadcast MAC Address) to the LAN Switch.

Step 3: Since the Destination MAC Address is FF:FF:FF:FF:FF:FF (Broadcast MAC
Address), the LAN Switch will flood it to all the connected ports and every device in the LAN
will get a copy of it.

If we capture the ARP request message with Wireshark, we see the values below.
Hardware Type: Ethernet (1)
Protocol Type: IP (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: request (1) ------------------- Means ARP Request
Sender Mac-Address: 00:00:00:00:00:33
Sender IP Address: 192.168.0.93
Target Mac-Address: 00:00:00:00:00:00 -------------- This is all Zero
Target IP Address: 192.168.0.109
We see from the above values that the ARP opcode is 1 (for ARP Request), the Sender IP
Address is 192.168.0.93, the Sender MAC Address is 00:00:00:00:00:33, the Target IP Address
is 192.168.0.109, and the Target MAC Address is 00:00:00:00:00:00, because it is unknown at
this instance. The Destination MAC Address of the Ethernet frame that carries the request is
FF:FF:FF:FF:FF:FF (Broadcast MAC Address).

Step 4: The ARP Request message is received by each device on the LAN since it is a
broadcast. Each device compares the Target Protocol Address (192.168.0.109) with its own
IP Address. Devices whose address does not match will drop the packet without any action.

Step 5: When the computer with the IP Address 192.168.0.109 receives the ARP Request, it
must prepare an ARP Reply and send it back to the computer that sent the ARP
Request. The ARP Reply will be a unicast, to save Network Resources.

If we capture the ARP reply message with Wireshark, we see the values below.
Hardware Type: Ethernet (1)
Protocol Type: IP (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: reply (2) ------------------- Means ARP Reply
Sender Mac-Address: 00:00:00:00:00:44
Sender IP Address: 192.168.0.109
Target Mac-Address: 00:00:00:00:00:33
Target IP Address: 192.168.0.93

Now both the computers can update their ARP cache, so that the MAC Address to IP
Address mappings can be used for a future communication.
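
The request and reply from the example above, packed into the 28-byte message format and decoded again in Python. This is an added example, not part of the original document; the function names are illustrative, and only Ethernet/IPv4 ARP is handled.

```python
import socket
import struct

# Field order from the message format section: hardware type, protocol type,
# hardware length, protocol length, opcode, sender MAC, sender IP,
# target MAC, target IP. "!" selects network byte order without padding.
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes
OPCODES = {1: "request", 2: "reply"}


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Pack an Ethernet/IPv4 ARP message (hardware type 1, protocol 0x0800)."""
    return struct.pack(
        ARP_FMT, 1, 0x0800, 6, 4, opcode,
        mac_to_bytes(sender_mac), socket.inet_aton(sender_ip),
        mac_to_bytes(target_mac), socket.inet_aton(target_ip),
    )


def parse_arp(data):
    """Decode an ARP message, rejecting anything that is not Ethernet/IPv4."""
    if len(data) < ARP_LEN:
        raise ValueError(f"truncated ARP message: {len(data)} < {ARP_LEN} bytes")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, data[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    if oper not in OPCODES:
        raise ValueError(f"unexpected opcode {oper}")
    return {
        "opcode": OPCODES[oper],
        "sender_mac": mac_to_str(sha), "sender_ip": socket.inet_ntoa(spa),
        "target_mac": mac_to_str(tha), "target_ip": socket.inet_ntoa(tpa),
    }


def answer(request_bytes, my_mac, my_ip):
    """Steps 4 and 5: drop requests for other hosts, otherwise build the reply.

    Returns (ethernet_destination, reply_bytes), or None when the request
    is dropped.
    """
    req = parse_arp(request_bytes)
    if req["opcode"] != "request" or req["target_ip"] != my_ip:
        return None
    # The requester's sender fields become the reply's target fields.
    reply = build_arp(2, my_mac, my_ip, req["sender_mac"], req["sender_ip"])
    return req["sender_mac"], reply  # sent as a unicast to the requester


# The ARP request from the worked example (target MAC left as all zero).
REQUEST = build_arp(1, "00:00:00:00:00:33", "192.168.0.93",
                    "00:00:00:00:00:00", "192.168.0.109")

if __name__ == "__main__":
    print(REQUEST.hex())
    print(parse_arp(REQUEST))
    dst, reply = answer(REQUEST, "00:00:00:00:00:44", "192.168.0.109")
    print(dst, parse_arp(reply))
    # A host with a different IP address drops the request.
    print(answer(REQUEST, "00:00:00:00:00:55", "192.168.0.50"))
```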

ARP - Q&A
----------
What is ARP?
Address Resolution Protocol (ARP) is a network protocol, which maps a network layer
protocol address to a data link layer hardware address. For example, ARP is used to resolve
IP address to the corresponding Ethernet address.

To which OSI layer does ARP belong?
ARP belongs to the OSI data link layer (Layer 2). ARP protocol is implemented by the
network protocol driver. ARP packets are encapsulated by Ethernet headers and
transmitted.

Which RFC specifies the requirements for ARP?
RFC 826 specifies the ARP packet format and other details.

What is the use of ARP?
A host in an Ethernet network can communicate with another host, only if it knows the
Ethernet address (MAC address) of that host. The higher level protocols like IP use a
different kind of addressing scheme (like IP address) from the lower level hardware
addressing scheme like MAC address. ARP is used to get the Ethernet address of a host
from its IP address. ARP is extensively used by all the hosts in an Ethernet network.

Why does an IP address need to be mapped to a MAC address? Why can't the MAC
address itself be represented using the IP address?
The length of a MAC address is 6 bytes and the length of an IP address is 4 bytes.
Obviously, the MAC address cannot be represented using the IP address. So an IP address
must be mapped to the corresponding MAC address.

Can ARP be used in a network other than Ethernet?
ARP is a general protocol, which can be used in any type of broadcast network. The fields in
the ARP packet specify the type of the MAC address and the type of the protocol address.
ARP is used with most IEEE 802.x LAN media. In particular, it is also used with FDDI, Token
Ring, and Fast Ethernet, in precisely the same way as it is with Ethernet.

How does ARP resolve an IP address to an Ethernet MAC address?
When ARP needs to resolve a given IP address to Ethernet address, it broadcasts an ARP
request packet. The ARP request packet contains the source MAC address and the source
IP address and the destination IP address. Each host in the local network receives this
packet. The host with the specified destination IP address, sends an ARP reply packet to the
originating host with its IP address.
For a detailed explanation, see the example above.

What is an ARP cache?
ARP maintains the mapping between IP address and MAC address in a table in memory
called ARP cache. The entries in this table are dynamically added and removed.

When is an ARP request packet generated?
The following steps result in the generation of an ARP request packet:
The IP module sends a packet, destined for another host in the network, to the ARP module.
The ARP module looks up the ARP table (cache) to resolve the IP address.
If the supplied IP address is present in the ARP cache, it is resolved into its Ethernet
address.
If the ARP module is not able to find an entry for this IP address in the ARP cache, then it
sends an ARP request packet to the Ethernet driver, to resolve the IP address to the
Ethernet address.
After the IP address is resolved by the ARP module, the packet is sent to the Ethernet driver
for transmission.

What happens when a host receives an ARP request packet?
The ARP request is received and processed by all the hosts in the network, since it is a
broadcast packet. The following steps are carried out when an ARP request packet is
received by a host:

If the IP address to be resolved is for this host, then the ARP module sends an ARP reply
packet with its Ethernet MAC address.
If the IP address to be resolved is for this host, then the ARP module updates its ARP cache
with the source Ethernet MAC address to source IP address mapping present in the ARP
request packet. If the entry is already present in the cache, it is overwritten. If it is not
present, it is added.
If the IP address to be resolved is not for this host, then the ARP module discards the ARP
request packet.

Will a host update its ARP cache upon receiving any ARP request?
A host will update its ARP cache, only if the ARP request is for its IP address. Otherwise, it
will discard the ARP request.

What is the disadvantage if a host updates its ARP cache upon receiving any ARP
request?
The host will exhaust the ARP cache with a lot of unused ARP entries, if it updates the ARP
cache for any ARP request.

What happens when a host receives an ARP reply packet?
The ARP reply packet is received only by the host, which transmitted the ARP request
packet. The ARP module adds the Ethernet hardware address to IP address mapping
present in the ARP reply packet to the ARP cache.

Is there a separate packet format for ARP request and ARP reply?
No. Both the ARP request and ARP reply packets use the same format.

Which MAC address is an ARP request directed to?
All ARP request packets are transmitted with the Ethernet broadcast address, so that all
hosts in the network will receive the request.

To which MAC address is an ARP reply packet directed?
The ARP reply packet is directed to the host that transmitted the ARP request packet.

If a host is not able to get the MAC address of a host, how does it know its IP
address?
A host will either use a static file like /etc/hosts or DNS protocol to get the IP address of
another host.

What will happen if an ARP reply is not received for an ARP request?
If an ARP reply is not received, then that IP address cannot be resolved to an Ethernet
address. Without an Ethernet address, the packets cannot be transmitted.

When is an entry added to the ARP cache?
A new entry is added to the ARP cache when an IP address is successfully mapped to a
MAC address. Usually, entries are added dynamically to the ARP cache. Static entries can
also be added.

What will happen if a new ARP request packet is received, but the MAC address to IP
address is already present in the ARP cache?
If an ARP request packet is received and the mapping already exists in the ARP cache, it will
be overwritten with the values present in the request.
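
The cache rules from the answers above (update only when the request is for this host, overwrite an existing mapping, gratuitous ARP refreshing an old mapping, timeout of unused dynamic entries) modelled in Python, with every overwrite recorded so that a changed IP-to-MAC mapping can be logged and reviewed. This is an added example, not part of the original document; the class and method names are hypothetical, and leaving static entries untouched by ARP traffic is an assumption.

```python
import time


class ArpCache:
    """Model of one host's ARP cache, following the rules stated in the Q&A."""

    def __init__(self, my_ip, my_mac, timeout=4 * 3600, clock=time.monotonic):
        self.my_ip, self.my_mac = my_ip, my_mac
        self.timeout = timeout   # seconds; 4 hours is the default quoted earlier
        self.clock = clock       # injectable so that expiry can be tested
        self.entries = {}        # ip -> (mac, "static" | "dynamic", last_used)
        self.events = []         # (ip, cached_mac, offered_mac) on every conflict

    def add_static(self, ip, mac):
        self.entries[ip] = (mac, "static", None)

    def _learn(self, ip, mac):
        old = self.entries.get(ip)
        if old and old[0] != mac:
            self.events.append((ip, old[0], mac))  # mapping changed: record it
        if old and old[1] == "static":
            return  # assumption: ARP traffic never replaces a static entry
        self.entries[ip] = (mac, "dynamic", self.clock())

    def on_request(self, sender_ip, sender_mac, target_ip):
        """Return the MAC to answer with, or None when no reply is sent."""
        if sender_ip == target_ip:                   # gratuitous ARP
            if target_ip == self.my_ip:
                return self.my_mac                   # duplicate address: answer
            if sender_ip in self.entries:
                self._learn(sender_ip, sender_mac)   # refresh an old mapping only
            return None
        if target_ip != self.my_ip:
            return None                              # not for this host: discard
        self._learn(sender_ip, sender_mac)           # add, or overwrite if present
        return self.my_mac

    def on_reply(self, sender_ip, sender_mac):
        self._learn(sender_ip, sender_mac)

    def lookup(self, ip):
        """Return the cached MAC, expiring dynamic entries unused past the timeout."""
        entry = self.entries.get(ip)
        if entry is None:
            return None
        mac, kind, last_used = entry
        if kind == "dynamic":
            if self.clock() - last_used > self.timeout:
                del self.entries[ip]
                return None
            self.entries[ip] = (mac, kind, self.clock())
        return mac


if __name__ == "__main__":
    # Constructed traffic reusing the addresses from the worked example.
    cache = ArpCache("192.168.0.109", "00:00:00:00:00:44")
    cache.on_request("192.168.0.93", "00:00:00:00:00:33", "192.168.0.109")
    cache.on_request("192.168.0.93", "00:00:00:00:00:99", "192.168.0.109")
    print(cache.lookup("192.168.0.93"), cache.events)
```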

When is an entry removed from an ARP cache?
An entry in an ARP cache is removed after a pre-determined timeout period (e.g. 20
minutes).

What is the format of an ARP packet?
Please see above for answer.

What is the size of an ARP request and reply packet?
The size of an ARP request or reply packet is 28 bytes.

How to differentiate between an ARP request packet and an ARP reply packet, as the
Ethernet type field is the same on both the packets?
An ARP request packet can be differentiated from an ARP reply packet using the 'operation'
field in the ARP packet. For an ARP request it is 1 and for an ARP reply it is 2.

Why is the hardware MAC address present in both the Ethernet header and the ARP
packet (request and reply)?
The Ethernet header is processed by the data link driver and removed from the packet.
When the ARP layer gets the packet, it needs to know the hardware and protocol addresses
in order to update the table. That is why the hardware MAC address is present in both the
Ethernet header and the ARP packet.

What is proxy ARP?
Proxy ARP is the process in which one system responds to the ARP request for another
system. For example, host A sends an ARP request to resolve the IP address of host B.
Instead of Host B, Host C responds to this ARP request.

What is the use of proxy ARP?
When routers receive ARP requests from one network for hosts on another network, they will
respond with an ARP reply packet with their MAC address. For example, let us say host A is
in one network, host B is in another network and router C connects these two networks.
When host A sends an ARP request to resolve the IP address of host B, the router C
receives this packet. The router C sends an ARP reply with its MAC address. So host A will
send all the packets destined for host B to the router C. Router C will then forward those
packets to host B. Proxy ARP is also used if a host in a network is not able to understand
subnet addressing. For example, suppose host A and host B are actually in two different subnets,
but host A cannot understand subnet addressing, so host A assumes that host B is present
in the same network. In this case a router, host C, can use proxy ARP to route packets
between host A and host B.

What is gratuitous ARP?
When a host sends an ARP request to resolve its own IP address, it is called gratuitous
ARP. In the ARP request packet, the source IP address and destination IP address are filled
with the same source IP address itself. The destination MAC address is the Ethernet
broadcast address (FF:FF:FF:FF:FF:FF).

What is the use of gratuitous ARP?
Gratuitous ARP is used for the following:
In a properly configured network, there will not be an ARP reply for a gratuitous ARP
request. But if another host in the network is also configured with the same IP address as
the source host, then the source host will get an ARP reply. In this way, a host can
determine whether another host is also configured with its IP address.

When the network interface card in a system is changed, the MAC address to its IP address
mapping is changed. In this case, when the host is rebooted, it will send an ARP request
packet for its own IP address. As this is a broadcast packet, all the hosts in the network will
receive and process this packet. They will update their old mapping in the ARP cache with
this new mapping.

Switches SW1, SW2 and SW3 are interconnected and STP is deployed on the switches. PC1
is on SW1, PC2 is on SW2 and PC3 is connected to SW3. All the PCs are on the same
network address of 192.168.1.0/24. PC1 triggers ARP to find the MAC address of PC3. Will
the ARP packet reach PC3?

All the PCs are on the same network address. The PCs are on 3 switches, which makes it one
large Layer 2 broadcast domain. So an ARP request, which is a Layer 2 broadcast, will be received
on all the ports on all the switches and correspondingly by the PCs.

Some Questions:-

1. Why we get the incomplete ARP. All possible reasons
2. sh ip arp, there is no output or incomplete arp output. Difference
3. sh arp Vs sh ip arp
4. In L2 switch, we can give single ip. If we don't give that single ip or simply
we don't have any ip on the switch. So, how ARP works on this L2 switch. what
is the mechanism

1. Why we get the incomplete ARP. All possible reasons

Let's suppose that your router must send a packet to a destination, you have a route
toward the destination in your routing table and this route points to a next hop. For
re-writing the L2 header your router must know the mac address of your next-hop.
Your router will send out an arp request asking for the mac address of the next-hop.
If the next-hop is not answering you will get an incomplete entry in your arp table.

Let's see this:

R1#sh run | s 192.168.1.0
ip route 192.168.1.0 255.255.255.0 10.10.14.1

The next hop in this route (10.10.14.1) does not exist; it is a fictitious one. Let's start a
debug and ping 192.168.1.1:

R1#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

*Mar 1 00:02:01.967: IP: tableid=0, s=10.10.10.1 (local), d=192.168.1.1 (FastEthernet0/0), routed via RIB
*Mar 1 00:02:01.971: IP: s=10.10.10.1 (local), d=192.168.1.1 (FastEthernet0/0), len 100, sending
*Mar 1 00:02:01.979: IP: s=10.10.10.1 (local), d=192.168.1.1 (FastEthernet0/0), len 100, encapsulation failed.
*Mar 1 00:02:03.967: IP: tableid=0, s=10.10.10.1 (local), d=192.168.1.1 (FastEthernet0/0), routed via RIB
*Mar 1 00:02:03.971: IP: s=10.10.10.1 (local), d=192.168.1.1 (FastEthernet0/0), len 100, sending
*Mar 1 00:02:03.975: IP: s=10.10.10.1 (local), d=192.168.1.1 (FastEthernet0/0), len 100, encapsulation failed.
*Mar 1 00:02:05.967: IP: tableid=0, s=10.10.10.1 (local), d=192.168.1.1 (FastEthernet0/0), routed via RIB
*Mar 1 00:02:05.971: IP: s=10.10.10.1 (local), d=192.168.1.1 (FastEthernet0/0), len 100, sending
*Mar 1 00:02:05.975: IP: s=10.10.10.1 (local), d=192.168.1.1 (FastEthernet0/0), len 100, encapsulation failed.
*Mar 1 00:02:07.967: IP: tableid=0, s=10.10.10.1 (local), d=192.168.1.1 (FastEthernet0/0), routed via RIB
*Mar 1 00:02:07.971: IP: s=10.10.10.1 (local), d=192.168.1.1 (FastEthernet0/0), len 100, sending
*Mar 1 00:02:07.975: IP: s=10.10.10.1 (local), d=192.168.1.1 (FastEthernet0/0), len 100, encapsulation failed.
*Mar 1 00:02:09.967: IP: tableid=0, s=10.10.10.1 (local), d=192.168.1.1 (FastEthernet0/0), routed via RIB
*Mar 1 00:02:09.971: IP: s=10.10.10.1 (local), d=192.168.1.1 (FastEthernet0/0), len 100, sending
*Mar 1 00:02:09.971: IP: s=10.10.10.1 (local), d=192.168.1.1 (FastEthernet0/0), len 100, encapsulation failed.

Success rate is 0 percent (0/5)


R1#sh arp
Protocol  Address       Age (min)  Hardware Addr   Type  Interface
Internet  10.10.10.1            -  cc00.33b4.0000  ARPA  FastEthernet0/0
Internet  10.10.14.1            0  Incomplete      ARPA

You can see that the router has an incomplete ARP entry. The ping is not working
because the next-hop is not answering, and the message "encapsulation failed"
appears in the router debug output.

You should also check this link for another case, where proxy ARP on the
neighboring router is not enabled (it is enabled by default) and you have some static
routes that point only to the exit interface instead of a next-hop, where the medium is
Ethernet.

2. sh ip arp, there is no output or incomplete arp output. Difference

The difference between these two is obvious. No output (in any case you will have at
least some entries for directly connected interfaces that are enabled with an IP
address) means that the router did not make any attempt to find out the MAC address of
a neighboring router, or that some ARP entries have already expired, so you will not see them in
the output. But if the router tried to find out and got no response, you will get the
incomplete entry.

3. sh arp Vs sh ip arp

No difference because in most cases you are running only IP:

R1#sh arp
Protocol  Address       Age (min)  Hardware Addr   Type  Interface
Internet  10.10.10.1            -  cc00.33b4.0000  ARPA  FastEthernet0/0

R1#sh ip arp
Protocol  Address       Age (min)  Hardware Addr   Type  Interface
Internet  10.10.10.1            -  cc00.33b4.0000  ARPA  FastEthernet0/0

sh arp will show you your IP-MAC bindings as well as other bindings if you are
using, let's say, AppleTalk.

sh ip arp will show you only IP-MAC bindings, excluding any other bindings from
another L3 suite like AppleTalk.

But because on most routers you will have only IPv4 enabled, both commands will
show you the same information.

Check this:

R1#show ?
.
.
.
arp ARP table ------ > the entire ARP table from all L3 suite protocols

R1#show ip ?
access-lists List IP access lists
accounting The active IP accounting database
admission Network Admission Control information
aliases IP alias table
arp IP ARP table ------------ > only IP-MAC bindings

4. In L2 switch, we can give single ip. If we don't give that single ip or simply
we don't have any ip on the switch. So, how ARP works on this L2 switch. what
is the mechanism

If you don't have any ip address on a vlan interface the switch will not use ARP. The
switch will forward information only based on L2 header, it will not touch the L3 so no
need for ARP, thus no need for arp table.

THANK YOU
Rakesh A
