IT Education
Apr 4, 2024

What is ARP? Address Resolution Protocol

NGT Academy

Welcome to the ARP lesson, where we get to discuss a nifty little protocol that helps us discover the MAC addresses of different computers on the network. As the diagram suggests, we can think of it like this: "Hey, bro, what's your MAC?" That gives you an idea of what it's all about, but it's not exactly how it works, and we'll get into all those details. So, what exactly is ARP? ARP is the Address Resolution Protocol. It is used to resolve IP addresses into MAC addresses, meaning the IP address is already known, but the MAC is not. The reason we need ARP is that computers need to know both the IP address and the MAC address of a destination before they can start network communication. We're going to find out now how we can make sure that we always have both of those things through the use of ARP. ARP is used, of course, to find out a MAC address when the IP address of the destination is known.

Before we move on to the next subject, let's look at the actual ARP packet. The ARP packet is inside an Ethernet frame. You can tell we're inside an Ethernet frame because we have an Ethernet header, source address, destination address, and that infamous CRC check at the end of it. Inside this particular Ethernet frame is the ARP request or the ARP reply, and this is what it looks like. Now that you are familiar with packets inside of frames, you can see that the frame is going to contain some useful information. In this case, we have ARP inside our frame, and the point of this diagram is to show that an ARP request or an ARP reply includes these items: the source hardware address, source protocol address, target hardware address and target protocol address. Hardware here means the MAC address; protocol, in our case, means the IP address. These are the things included in an ARP request or an ARP reply.

ARP Cache

The ARP cache is a temporary table. That's why it's called a cache. Items can be removed from it over time, but it's a temporary table of all known IP address to MAC address mappings. Anytime we send an ARP request and get a response with a MAC address, the computer puts that in the ARP cache, also called the ARP table. Windows, Mac and Linux all use the same command to view the ARP table: arp -a. On a Cisco router or switch, it's just show arp from privileged exec mode. Or if you're in global config, you can type show arp. You can pull up the command prompt on your Windows machine and type arp -a, and you'll see that your computer has an ARP cache. It has an ARP table listing all the IP addresses and the related MAC addresses that it knows about. The ARP cache includes both static and dynamic entries. If you run arp -a on your Windows machine from the command prompt, you're going to see entries marked static on the right side and others marked dynamic. Static is going to be for things like the broadcast. Your specific network has a broadcast IP address, and that relates directly to the broadcast frame; 255.255.255.255 is the all-inclusive broadcast IP address, and that relates directly to the frame ff-ff-ff-ff-ff-ff. That is a static translation and it's always going to be in there. It's never going to change because that's always the way it is. Dynamic ones are basically learned entries. If an entry says dynamic, it's because the device reached out via an ARP request, got a response with the MAC address, and put that in the table. Or it was updated some other way by the network about the IP address and MAC address and learned it dynamically.
This is a good way to start thinking about static things versus dynamic things because static and dynamic are two types of words that are used often in networking, not just with ARP stuff.

Here is the output of arp -a. You can see we have the dynamic and the static entries, and at the bottom we have the 255.255.255.255 IP broadcast. The MAC mapped to that is all F's because a MAC broadcast is all F's. This is a static broadcast entry. Then we have some dynamic entries: the computer has learned that 192.168.1.1 has the MAC address c8-3a-35-20-c6-38, and it was learned dynamically. Next, note that before sending network communication, computers will first reference their ARP cache. The first thing they do is check whether they already have the MAC address; if they don't, they send an ARP request to determine the MAC. After the ARP exchange is completed, they update the ARP cache.

Gratuitous ARP

Gratuitous ARP is an ARP announcement, and it's used whenever hosts come onto the network for the first time. If their operating system is configured with gratuitous ARP turned on, it will send an ARP update out onto the network saying, "Hey guys, here is my MAC address and my IP," and it does this without the need of an ARP request. That's what's special about gratuitous ARP. Now, some networks may not like gratuitous ARP to happen, and they can block these types of things, but in general, it's a good thing to have. However, there are some security risks involved with gratuitous ARP. It is sometimes performed during the computer startup process. So, whenever your computer's operating system boots up, it might send out a gratuitous ARP. It would do this to make sure the network is updated. If you go into your computer, change the IP address to a different static address and then reboot the machine, it might come online and send out a gratuitous ARP.
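
A monitor for the announcements described above, as an added example (not code from the lesson): it treats an ARP message whose sender IP equals its target IP as gratuitous, and flags one that changes an IP-to-MAC binding already seen. The ArpMsg type, the event names and the sample messages are constructed for illustration; the cc-cc-cc-cc-cc-cc announcement is an assumed duplicate-IP case.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpMsg:
    """Already-decoded ARP fields (hypothetical record type for this example)."""
    op: int            # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_ip: str

def is_gratuitous(msg):
    """An announcement names the sender's own IP as the target IP."""
    return msg.sender_ip == msg.target_ip

def watch(messages):
    """Track IP -> MAC bindings and report what each gratuitous ARP did."""
    bindings, events = {}, []
    for msg in messages:
        known = bindings.get(msg.sender_ip)
        if is_gratuitous(msg):
            if known is None:
                events.append(("new-host", msg.sender_ip, msg.sender_mac))
            elif known != msg.sender_mac:
                # Unsolicited update that rewrites an existing binding:
                # worth an alert (duplicate IP, replaced NIC, or worse).
                events.append(("binding-changed", msg.sender_ip,
                               f"{known} -> {msg.sender_mac}"))
            else:
                events.append(("refresh", msg.sender_ip, msg.sender_mac))
        # Mirror what a host's cache does: the latest sender mapping wins.
        bindings[msg.sender_ip] = msg.sender_mac
    return bindings, events

# Constructed sample traffic, using the addresses from this lesson.
SAMPLE = [
    ArpMsg(1, "bb-bb-bb-bb-bb-bb", "10.10.10.55", "10.10.10.55"),   # boot announcement
    ArpMsg(1, "aa-aa-aa-aa-aa-aa", "10.10.10.105", "10.10.10.55"),  # ordinary request
    ArpMsg(1, "bb-bb-bb-bb-bb-bb", "10.10.10.55", "10.10.10.55"),   # same host again
    ArpMsg(1, "cc-cc-cc-cc-cc-cc", "10.10.10.55", "10.10.10.55"),   # second host, same IP
]
```
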

What is RARP

RARP is the Reverse Address Resolution Protocol, and it is used to resolve MAC addresses into IP addresses. The thing is, it requires servers on every single network in order to do this. BOOTP actually replaced RARP, and then Dynamic Host Configuration Protocol came along. Dynamic Host Configuration Protocol still uses BOOTP and provides the same services as RARP, but much better, meaning that it doesn't have to have a server on every single network. It also provides dynamic host configuration services, meaning it hands out IP addresses.

Diagram of an ARP Request

Here is our awesome ARP diagram. In this diagram, we'll get to see what happens whenever an ARP request gets sent out onto the network. We have the host here on the left, and he wants to send data to 10.10.10.55, which is the host on the right. The host on the right, we know, has the MAC address of all B's. The computer on the left, 10.10.10.105, does not know the MAC address of the 10.10.10.55 host. Otherwise, he wouldn't be trying to send an ARP, because we need both the IP and the MAC. "Let me check my ARP cache to see if I have an entry in there. Hmm, nope. No MAC address in there. I guess I'll have to go ahead and send out a broadcast ARP message." The host creates a frame with the ARP request inside the payload, and this ARP request is sent to ff-ff-ff-ff-ff-ff. The destination MAC address is a broadcast MAC, but the frame also carries the source it's coming from, the MAC address with all A's, because that's the MAC address of this host. In the payload it's saying "who is 10.10.10.55?" The host then sends the frame out to the network and it makes it to the switch. Then the switch says, "Oh, let me check that frame out. It's got a destination MAC address of all F's. I guess I need to copy that frame and send it down to both of these hosts that are connected to me." So, he sends it out. It's a broadcast frame, and this guy at the bottom here, with all C's and the 10.10.10.200 IP address, responds with, "Oh, well, that's not me. I'm not 10.10.10.55. I'm going to discard this frame." The host on the right, who is 10.10.10.55, says, "That's me. I'm going to go ahead and reply to this ARP request." So that's exactly what happens.
Host 10.10.10.55 creates a new frame with the ARP reply, and it is sent directly as a unicast frame to the all-A's MAC address, which is our host on the left. It of course includes the source of all B's, saying, "Hey, I am 10.10.10.55," and goes right over to the host that requested it. Then what happens? Well, the host says, "All right, I received that ARP reply. Now I need to update my ARP cache." It takes the new MAC address, which is all B's, and puts it in its ARP cache. It now knows that 10.10.10.55 is BB-BB-BB-BB-BB-BB. So that's how ARP works.
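
The packet layout from the ARP packet section and the request/reply exchange just described, as an added example (not code from the lesson): it builds both frames byte for byte, parses them back, and updates the requester's cache from the reply. The function names are hypothetical, the frames are constructed from the diagram's addresses, and the Ethernet preamble and trailing CRC are left out.

```python
import socket
import struct

ETH_BROADCAST = bytes.fromhex("ffffffffffff")
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_BODY = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, SHA, SPA, THA, TPA

def mac(text):
    """'aa-aa-aa-aa-aa-aa' -> 6 raw bytes."""
    return bytes.fromhex(text.replace("-", ""))

def build_arp_frame(op, eth_dst, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet header plus 28-byte ARP body (preamble and CRC omitted)."""
    eth = struct.pack("!6s6sH", eth_dst, sender_mac, ETHERTYPE_ARP)
    arp = struct.pack(ARP_BODY, 1, 0x0800, 6, 4, op,
                      sender_mac, socket.inet_aton(sender_ip),
                      target_mac, socket.inet_aton(target_ip))
    return eth + arp

def parse_arp_frame(frame):
    """Decode one frame; reject anything that is not Ethernet/IPv4 ARP."""
    if len(frame) < 42:
        raise ValueError("too short for Ethernet header + ARP body")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        ARP_BODY, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"eth_dst": eth_dst.hex("-"), "eth_src": eth_src.hex("-"), "op": op,
            "sender_mac": sha.hex("-"), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": tha.hex("-"), "target_ip": socket.inet_ntoa(tpa)}

def demo_exchange():
    """Replay the lesson's exchange; return (request, reply, requester cache)."""
    a, b = mac("aa-aa-aa-aa-aa-aa"), mac("bb-bb-bb-bb-bb-bb")
    # Request: broadcast destination, target hardware address unknown (zeros)
    request = build_arp_frame(ARP_REQUEST, ETH_BROADCAST, a, "10.10.10.105",
                              bytes(6), "10.10.10.55")
    # Reply: unicast to the requester; the sender fields carry the answer
    reply = build_arp_frame(ARP_REPLY, a, b, "10.10.10.55", a, "10.10.10.105")
    seen_request, seen_reply = parse_arp_frame(request), parse_arp_frame(reply)
    cache = {seen_reply["sender_ip"]: seen_reply["sender_mac"]}
    return seen_request, seen_reply, cache
```
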

Conclusion

To recap, Address Resolution Protocol is a very useful protocol for building the ARP table. Why? Because that's exactly what it was made for: to build out the ARP table. Looking at ARP tables on hosts and any networking equipment, like a router or switch, is good for troubleshooting, because you can check whether the host, router or switch knows the IP-to-MAC relationship. If it doesn't, then you can understand that maybe that's why communication isn't happening. If for some reason a host, router or switch is not able to build its ARP cache properly, that points to another problem in the network, so it can help you identify what's working and what's not. ARP tables are good things to look at. Gratuitous ARP is helpful for updating the network automatically. Remember, if you change the IP address on your computer and then reboot it, you might send out a gratuitous ARP if it's allowed on your operating system.
