ARP 101

ARP

ARP is a protocol used on broadcast networks such as Ethernet, Token Ring or FDDI that is used to map L3 Addresses (like IP) to layer 2 Addresses (like Ethernet MAC). When a host needs to send traffic to another host, it knows its Layer 3 address, but it needs to find out the Layer 2 address in order to encapsulate the frame. In order to find the Layer 2 Address, the host will send an ARP Request to the Layer 2 asking “Who has the IP Address x.x.x.x?”. All hosts in the broadcast domain will receive this message, but only the one that was assigned that specific L3 address should respond with a unicast ARP Reply.

When a host receive an ARP message, either ARP Request(broadcast) or ARP Reply(unicast) it updates its ARP Cache. This cache contains all the L3 to L2 mappings that the host knows about. When it needs to send a packet, the host will look in the ARP Cache to find the appropriate mapping. If there is no mapping for the destination IP Address it will send an ARP Request. If it doesn’t receive an ARP Reply, then L2 encapsulation will fail. Entries in the ARP Cache can be dynamic (with a limited lifetime) or static (permanent). To define static entries, use:

R(config)# arp IP-ADDRESS MAC ENCAPSULATION-TYPE ...
! For Ethernet, ENCAPSULATION-TYPE = arpa

To configure the timeout of dynamic ARP entries, use:

R(config)#arp timeout SEC
!default: 14400 sec = 4 hours

You can clear dynamic ARP entires using one of the following commands:

! per interface
R# clear arp interface INTERFACE
! all dynamic entires
R# clear arp-cache

To see the ARP cahce, use:

!All L3 protocols:
R# show arp
! Only IP
R# show ip arp

Authorized ARP

Authorized ARP disables the dynamic update of the ARP cache on an interface. This means that clients connecting to that interface will not be able to communicate with the router unless their MAC address was added to the cache by an authorized process. Authorized processes are static ARP entries and DHCP generated entries. To enable DHCP to update the arp-cache, use the following command inside the DHCP Pool:

R(dhcp-config)# update arp

See DHCP 101 for details.

Inverse ARP

Inverse ARP is used in Frame Relay or ATM networks and it is used to find the IP Address of the device connected at the other end of a Virtual Circuit. See Frame Relay

Reverse ARP

Reverse ARP is used when a host doesn’t know its IP Address and works similar to DHCP. The host will send a RARP messages with its MAC Address and expects to receive a reply from a RARP server letting it know what IP Address should use.

Proxy ARP

Proxy ARP is used when a host needs to communicate with another host that is not in the same broadcast domain. A router can detect that the destination IP is not in the same broadcast domain and if it has a route to that destination it can respond with its own L2 address. The packets for the L3 destination will reach the router which will decapsulate and reencapsulate them before sending them over another interface. Proxy ARP is enabled by default on routed interfaces. You can disable proxy ARP per interface, using:

R(config-if)#no ip proxy-arp

or globally:

R(config)# ip arp proxy disable

Local Proxy ARP

Even when configured with proxy-apr, a router will not respond to ARP requests for destination that are on the same incoming interface. However, in some situations (like when having a router connect hosts in an isolated Private VLAN) you might need the router to respond to such ARP requests. To enable this, use:

R(config-if)# ip local-proxy-arp

Last updated