how arp works

8/7/2019 How ARP Works

1/5

Home

About

Art

Personal

Photo

Tech

ARPEncapsulation

Travel

How ARP Works

This article is based off of a series of usenetposts (one in particular) on thealt.certification.network-plus news group. I'vedone some revision in order to make the wholething flow as a stand-alone document and I've alsomade some revisions to the example.

What is ARP?

ARP stands for Address Resolution Protocol.It is used to associate a layer 3 (Network layer)address (such as an IP address) with a layer 2(Data Link layer) address (MAC address).

Layer 2 vs. Layer 3 addressing

I think where a lot of confusion with ARP comes from is inregards to how the IP address and the MAC address work together.The IP address is a layer 3 (network layer) address. The MAC address

is a layer 2 (data link) address. The layer 3 address is a logicaladdress. It will pertain to a single protocol (such as IP, IPX, orAppletalk). The layer 2 address is a physical address. It pertains tothe actual hardware interface (NIC) in the computer. A computer canhave any number of layer 3 addresses but it will only have 1 layer 2address per LAN interface. At layer 3, the data is addressed to thehost that the data is destined for. At layer 2 though, the data isaddressed to the next hop. This is handy because you only need toknow a host's layer 3 address (which can be found out by using DNSfor instance) but you won't need to know the hardware address (andyou won't have to bog down the network by sending an ARP request

across the internet to find it out). The layer 3 packet (addressed tothe destination host) will be encapsulated within a layer 2 frame(addressed to the next hop).

ARP operation for a local host

Your computer will have data that it needs to send (I'massuming that we're using TCP/IP from here on). When the data getsto the Network layer it will put on the destination IP address. All ofthis info (the network layer datagram, aka packet) is passed down to

ARP Works file:///C:/Documents and Settings/Joe/Desktop/ar

3/27/2011


2/5

the data link layer where it is taken and placed within a data linkframe. Based on the IP address (and the subnet mask), yourcomputer should be able to figure out if the destination IP is a local IPor not. If the IP is local, your computer will look in it's ARP table (atable where the responses to previous ARP requests are cached) tofind the MAC address. If it's not there, then your computer willbroadcast an ARP request to find out the MAC address for thedestination IP. Since this request is broadcast, all machines on theLAN will receive it and examine the contents. If the IP address in therequest is their own, they'll reply. On receiving this information, yourcomputer will update it's ARP table to include the new information andwill then send out the frame (addressed with the destination host'sMAC address).

ARP operation for a remote host

If the IP is not local then the gateway (router) will see this(remember, the ARP request is broadcast so all hosts on the LAN will

see the request). The router will look in it's routing table and if it hasa route to the destination network, then it will reply with it's own MACaddress.

This is only the case if your own computer doesn't knowanything about the network topology. In most cases, your computerknows the subnet mask and has a default gateway set. Because ofthis, your own computer can figure out for itself that the packet is notdestined for the local network. Instead, your computer will use theMAC address of the default gateway (which it will either have in it'sARP table or have to send out an ARP request for as outlined above).When the default gateway (router) receives the frame it will see thatthe MAC address matches it's own, so the frame must be for it. Therouter will un-encapsulate the data link frame and pass the data partup to the network layer. At the network layer, the router will see thatthe destination IP address (contained in the header of the IP packet)does not match it's own (remember, the IP address has not beentouched at all in this process since your computer created the IPpacket). The router will realise that this is a packet that is supposedto be routed. The router will look in it's routing table for the closestmatch to the destination IP in order to figure out which interface to

send the packet out on. When a match is found, the router will createa new data link frame addressed to the next hop (and if the routerdoesn't know the hardware address for the next hop it will request itusing the appropriate means for the technology in question). The dataportion of this frame will contain the complete IP packet (where thedestination IP address remains unchanged) and is sent out theappropriate interface. This process will continue at each router alongthe way until the information reaches a router connected to thedestination network. It will see that the packet is addressed to a hostthat's on a directly connected network (the closest match you can get


3/27/2011


3/5

for an address, short of the packet being addressed to you). It willsend out an ARP request for MAC address of the destination IP(assuming it doesn't already have it in it's table) and then address itto the destination's MAC address.

Now then, I did slightly gloss over 1 part in the aboveexplanation and that's the part about the router finding out thehardware address for the next hop. I just didn't want to disturb the

flow with entering into that there. How the router does this willdepend on what type of connection (and in some cases, whatprotocol and/or encapsulation is used on the connection). In somecases, this will be a hard set value (like a frame relay pvc) within theconfiguration of the router. In some cases, you don't even need ahardware address (like any point to point connection, there's only 1possible host you could send it to), in those cases the router will justcreate a data link frame appropriate for the connection and it won'teven need to be addressed. This is why the OSI model is good. It'slayered so that any layer can change and as long as it takes in

information in a standard way (the way the layer above wants to sendit) and spits out information in a standard way (the way the layerbelow wants to receive it), then it's all good. When Frame Relay camealong nothing changed with the way you had to address IP packets,all of the changes took place at the data link and physical layers. Ifsome new type of connection comes along in the future, only the datalink and physical layers will likely change. When we go to IPv6, onlythe network layer should change (it probably won't but that's more todo with how the layers tend to blur, but if it were truly layered thatwould be the case).

Putting it all together

Anyways, since I feel like doing an example here's one showingthe whole process. In the original post, I had used IP addresses fromthe 10.x.x.x range (which is a reserved range for private networks)with a subnet mask of 255.255.255.0. This seemed to cause someconfusion (both because of the misconception that the 10.x.x.x rangeis non-routable and because I was using a class C subnet mask for aclass A network) both of these are valid and would work but I'vedecided to change this so that I'm using non-reserved (ie, real) IPs

from class C networks. I figure that this will help reduce the confusionin this example, and I can clear up the rest in another article or 2.Needless to say then, if you want to try this on your own network,don't connect it to the internet! IP conflicts are just plain evil and canscrew up lots of stuff. If you want to try this in a home lab that isconnected to the internet then put the whole network behind somekind of a firewall and use the reserved IPs. Or, if you're lucky enoughto have a block of real IPs, use them. The bottom line is don't use IPsthat haven't been assigned to you on the internet.


3/27/2011


4/5

Your computer has an address of 200.0.1.2, it's connected tothe 200.0.1.0 network (I'm assuming a subnet mask of255.255.255.0, we'll call this network 1) which is an ethernetnetwork. Your default gateway is a router (router a) which has anaddress of 200.0.1.1. That router is connected to the 200.0.1.0network and the 200.0.2.0 (network 2) network (the interfaceconnected to the 200.0.2.0 network will have an address of200.0.2.1). The network 2 is also an ethernet network. Alsoconnected to network 2 is another router (router b) which has theaddress (for the interface connected to network 2 at least) of200.0.2.2. Router b is also connected to network 3 (200.0.3.0).Router b's interface on network 3 has the address of 200.0.3.1.Here's a (probably bad) ASCII diagram to illustrate:

Router Router

a b

-----------O-------------O------------

Network 1 Network 2 Network 3

(200.0.1.0) (200.0.2.0) (200.0.3.0)

Now then, your computer (on network 1 with an address of200.0.1.2) wants to send some data to a computer on network 3(with an address of 200.0.3.2). We'll assume that none of the info inalready cached in an ARP table on any of the machines or routers (abig assumption but it's mine to make!). Your computer will create anIP packet addressed to 200.0.3.2. That packet will be sent to the datalink layer where it needs a MAC address. Based on the subnet mask,your computer will know that the destination computer isn't on thesame local network. So, your computer will send out an ARP requestfor the default gateway's MAC address (ie, what's the MAC for

200.0.1.1?). On receiving the MAC address, your computer will sendout the IP packet (still addressed to 200.0.3.2) encapsulated within adata link frame that is addressed to the MAC address of router a'sinterface on network 1 (because routers have more than 1 interfacethey can have more than 1 MAC address, in this case each router has2 ethernet interface each with it's own unique MAC address). Router awill receive this frame and send the data portion up to the networklayer (layer 3). At the network layer, router a will see that the packet(which is addressed to 200.0.3.2) is not addressed to router a.Router a will look in it's routing table to find out where to send thepacket. The routing table will show that network 3 (the closest match

to 200.0.3.2) is reachable via network 2. The routing table will alsoshow the IP address for the next hop is 200.0.2.2. Router a will sendout an ARP request onto network 2 asking for router b's MAC address(well at least for the interface connected to network 2). On receivingthis, router a will send the IP packet (still addressed to 200.0.3.2,nothing's changed here) encapsulated in a data link frame addressedto router b's MAC address. When router b receives this frame it will dothe same thing that router a did, it will send the IP packet up to thenetwork layer and see that the packet is not addressed to router b(the packet is still addressed to 200.0.3.2). Router b will then look up


3/27/2011


5/5

in it's routing table for the closest match and see that it is directlyconnected to network 3, so there isn't a next hop router to send it to.Router b will send out an ARP request to learn the MAC address for200.0.3.2. When this is received, router b will send out the IP packet(again, this is still addressed to 200.0.3.2) encapsulated within a datalink frame that is addressed to the MAC address of the destinationcomputer. The destination computer will see that the data link frameis addressed to it and will pass the IP packet to the network layer. Atthe network layer, the IP address will also match that of the computerand the data from the IP packet will be passed up to the transportlayer. Each layer will examine the header and determine where topass it up to until eventually, the data reaches the application runningon the destination computer that has been waiting for the data.

What you'll notice through this whole process is that the IPaddress never changes. The IP packet is always addressed to200.0.3.2. However, at the data link layer, the address used changesat each hop (it's always addressed to the next hop). As you go up

through the layers, you get more and more specific about where thedata is supposed to be going. At the data link layer this is very vague,it's basically just, "here's who to pass it on to, they should know whatto do with it". At the network layer you get more specific (this is theexact computer I want to send this to). Above that you get morespecific (is it TCP or UDP?, what port?, etc)

[email protected]

Copyright Andrew Dacey
