1 ARP Protocol Overview
ARP and ICMP are common TCP/IP underlying protocols. When diagnosing network faults, they are also the most common protocols.
ARP (Address Resolution Protocol) is a low-level Protocol located in the TCP/IP Protocol stack. It is responsible for resolving an IP Address into a corresponding MAC Address.
2. ARP Working Principle
2.1 ARP operation process
When a TCP/IP-based application needs to send data from one host to another, it splits the information and encapsulates it into packets, and attaches the IP address of the target host. Then, find the ing between the IP address and the actual MAC address, which requires sending an ARP broadcast message. After ARP finds the MAC address of the target host, it can form the complete Ethernet frame header of the frame to be sent. Finally, the Protocol Stack encapsulates the IP package and transmits it in frames.
1 describes the ARP broadcast process.
Figure 1 ARP Broadcast
In Figure 1, when host A needs to communicate with host B (for example, host A can Ping host B. Host A checks whether the ARP cache contains the MAC address of host B. If no, host A will send an ARP request broadcast package, which contains the IP address of the host to which it wants to communicate, that is, the IP address of host B. When host B receives the broadcast, it sends its MAC address to host A using the ARP response packet and updates its ARP cache, that is, the IP address/MAC address pair of host A is saved for later use. After obtaining the MAC address of host B, host A can communicate with host B. Host A also saves the IP address/MAC address pair of host B in its ARP cache.
2.2 ARP packet format
ARP packets are encapsulated in the Ethernet frame header for transmission, as shown in Figure 2. It is the ARP request protocol packet header format.
Figure 2 packet header format of ARP request protocol
The yellow part in Figure 2 is the frame header of the Ethernet (here it is the Ethernet II type. The first field is the MAC address of the broadcast type: 0xff-ff-ff-ff-ff, and the target is all hosts on the network. The second field is the source MAC address, that is, the host MAC address resolved by the request address. The third field is the protocol type. 0X0806 indicates that the encapsulated upper-layer protocol is the ARP protocol.
Next is the ARP packet. The meanings of each field are as follows:
Hardware type: indicates the type of network on which ARP is implemented.
Protocol type: Resolution Protocol (upper-layer protocol ). Here, it is generally 0800, that is, IP.
Hardware address length: the MAC address length, which is 6 bytes.
Protocol address length: the IP address length, which is 4 bytes.
Operation Type: indicates the ARP packet type. 0 indicates the ARP request packet, and 1 indicates the ARP response packet.
Source MAC address: the MAC address of the sender.
Source IP Address: The Protocol IP address of the sender ).
Target MAC address: The target MAC address (to be filled ).
Destination IP Address: indicates the Destination Protocol IP address ).
The ARP response protocol and ARP request protocol are similar. The difference is that the destination MAC address of the Ethernet frame header is the MAC address of the host sending the ARP Address Resolution request, and the source MAC address is the MAC address of the host being parsed. At the same time, the Operation Type field is 1, indicating the ARP response packet. The target MAC address field is filled with the target MAC address.
2.3 ARP Buffer
To save ARP buffer memory, the lifetime of parsed ARP entries is limited. If this entry has not been referenced for a period of time, it is automatically deleted. In the Windows environment of the workstation PC, the ARP entry has a lifetime of 2 minutes. In most Cisco switches, this value is 5 minutes.
In the Windows environment of the workstation PC, run arp-a to view the current ARP cache, as shown in 3. In the vro and vswitch, you can run the show arp command to perform the same functions, as shown in figure 4.
Figure 3 output of arp-a in Windows
Figure 4 output of the show arp command in the vro
Note: ARP cannot send broadcasts through IP Routers, so it cannot be used to determine the hardware address of the remote network device. When the target host is in a remote network, IP addresses use ARP to determine the hardware address of the default gateway (vro) and send data packets to the default gateway. The router forwards data packets in its own way.
3 reverse ARP
Reverse ARP (RARP) is used to convert a physical address (MAC address) to a corresponding IP address. For example, when a diskless workstation is started, it cannot obtain its own IP Address Configuration information from its operating system. In this case, the diskless workstation can send a broadcast request to obtain its own IP address information, while the RARP server responds to the IP request message-allocating an unused IP address to the diskless workstation (by sending an RARP response packet ).
Reverse ARP (RARP) has been replaced by BOOTP and DHCP to a large extent. The improvement of the later two protocols on RARP can provide more information besides IP addresses, such as the IP address of the default gateway and DNS server.
4 proxy ARP
Proxy arp is also called Promiscuous ARP (RFC 925, 1027) it is generally used by devices like routers to answer ARP requests from hosts in this network segment instead of hosts in another network segment.
The following is an application of proxy arp. As shown in figure 5, host pC1 (192.168.20.66/24) needs to send packets to host PC2 (192.168.20.20/24, because the host pC1 does not know the existence of the subnet and is in the same network segment as the target host pc2. therefore, host pC1 sends an ARP request broadcast packet to the MAC address of 192.168.20.20. In this case, the router identifies the destination address of the report as another subnet (note that the IP address of the router interface is configured with a 28-bit mask ), therefore, reply to the request host with its hardware address (0004. dd9e. cca0 ). Then, pC1 sends the packets sent to PC2 to the MAC address 0004. dd9e. cca0 (router interface E0/0), and the router forwards the packets to the target host pc2. (Next, the router will send data packets to pc2 ). This ARP makes the subnet network topology transparent to the host (or it can be said that the router spoofs the source host pC1 with an invalid PC2 MAC address ).
Figure 5 proxy ARP
5 ARP for no reason
Gratuitous ARP (Garp) ARP is also called Wuwei arp. The host sometimes uses its own IP address as the target address to send ARP requests. This kind of ARP request is called ARP for no reason. GARP has two main purposes:
(1) Check the duplicate address (if an ARP response is received, the duplicate address exists ).
(2) advertise a new data link identifier. When a device receives an ARP request and finds that there is an IP address of the sender in the ARP buffer, It updates the MAC address entry of this IP address.
6. After a Cisco router is powered on and started, a packet indicating the MAC address and IP address of an Ethernet interface (Ethernet 0) of the network is displayed during the boot process.
Figure 6 ARP for no reason
It can be seen that the type encoding of this ARP packet is 2, representing an ARP response message (but there was no ARP request message for this IP address before ). The source hardware address (MAC address) of this ARP package is the MAC address of this interface of the router, the target hardware address (MAC address) uses the broadcast address (FF-FF-FF-FF-FF-FF ); both the source and target Protocol addresses (IP addresses) are the IP addresses of this interface. This ARP packet is used to notify the device (router) of its IP address and MAC address ing to the network, and to check whether there are duplicate (conflicting) IP addresses.
