[All About Switches] ARP Serving as a Bridge Between IP and MAC Addresses

Latest reply: Apr 7, 2018 15:11:38

Are you troubled with not knowing how to query the Address Resolution Protocol (ARP) table?

Are you puzzled about how ARP entries are generated?

Are you confused about how to configure static ARP entries?

Are you upset by an ARP learning failure on the same network segment?

Let me unveil ARP and ARP-related configurations to you.

First of all, let's see what ARP is. ARP is known as the bridge connecting IP and MAC addresses, and is mainly used to resolve IP addresses into MAC addresses.

A PC or switch has an ARP table that saves the mappings between IP and MAC addresses. If the PC or switch needs to communicate with another device on the network and knows the device's IP address, it also needs to obtain the device's MAC address to encapsulate IP packets into frames that can be transmitted over the physical network. The PC or switch can query the ARP table to obtain the device's MAC address based on the device's IP address.

Now, let's start to learn ARP together.

1 Querying the ARP Table

When a switch functions as a gateway, you can query ARP entries on the switch to obtain information such as IP addresses, MAC addresses, and interfaces of users connected to the switch. For example, if you know a user's IP address, you can find the user's MAC address by looking up the IP address in the ARP table.

How do we query the ARP table on a switch? The answer is running the display arp command.

Function                                                   Command
Querying all ARP entries                                   display arp all
Querying dynamic ARP entries                               display arp dynamic
Querying static ARP entries                                display arp static
Querying ARP entries on a network segment                  display arp network x.x.x.x
Querying ARP entries related to an interface               display arp interface xx
Querying ARP entries of a VPN instance                     display arp vpn-instance xx
Querying the ARP entry containing a specific IP address    display arp all | include x.x.x.x

For example, we can run the display arp network command on a switch to check ARP entries on the network segment 172.16.0.0/16, as shown in the following figure. ARP entries are classified into S, I, and D types. How are these three types of ARP entries generated? How are they configured? I will answer these questions in detail later.

[Figure: display arp network output for the network segment 172.16.0.0/16, showing S, I, and D entries]

You may have seen that the MAC ADDRESS field of an ARP entry in the command output displays Incomplete. Incomplete indicates that the ARP entry is temporary: the switch has sent an ARP request packet but has not yet received an ARP reply packet.

You may also have noticed in the preceding figure that some ARP entries of the S and D types contain a VLAN ID while others do not. Why? If an ARP entry does not contain VLAN information, the interface in this entry is a Layer 3 interface. If an ARP entry contains VLAN information and the interface in the entry is not a sub-interface, the interface is a Layer 2 interface.

If you want to delete ARP entries on a switch, run the reset arp { all | dynamic xx | static xx | interface xx } command.

I promised to explain how the three types of ARP entries are generated. Here comes the answer. ARP entries of the I type are simple and are never aged out. The switch generates an ARP entry of the I type after an IP address is configured on an interface; the IP and MAC addresses in the entry are those of the interface. How about the other two types of ARP entries? Now, let me introduce ARP entries of the D type to you.

2 Learning of Dynamic ARP Entries

In most cases, a switch uses ARP to learn and update ARP entries dynamically. How does the switch learn ARP entries dynamically? The switch sends broadcast ARP request packets and receives unicast ARP reply packets to implement dynamic ARP learning and complete address resolution.

[Figure: switch A, switch B, and switch C on the same network segment 10.1.1.0/24]

For example, switch A and switch C in the preceding figure have obtained each other's IP address. Switch A needs to communicate with switch C and finds that switch C's IP address 10.1.1.3/24 is on the same network segment 10.1.1.0/24 as itself. Therefore, switch A broadcasts an ARP request packet to request switch C's MAC address.

After receiving the ARP request packet, switch C unicasts an ARP reply packet to inform switch A of its MAC address 3-3-3. Switch B on the same network segment also receives the ARP request packet, but does not respond because the destination IP address in the ARP request packet is not switch B's IP address.

After receiving the ARP reply packet, switch A adds a dynamic entry with the mapping between the IP address 10.1.1.3 and the MAC address 3-3-3 to its ARP table. Switch A then can communicate with switch C. Dynamic ARP learning is simple, isn't it?
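As an added illustration of the exchange above (constructed example code, not part of the original post or Huawei's implementation), the following Python model encodes and parses the 28-byte ARP body and replays the request and reply between switches A, B, and C. Only switch C's 10.1.1.3 and MAC 3-3-3 come from the text; switch A (10.1.1.1, MAC 1-1-1) and switch B (10.1.1.2, MAC 2-2-2) are assumed.

```python
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, opcode, sender MAC/IP, target MAC/IP

def mac_to_bytes(mac):
    """'0023-0045-0067' or the page's shorthand '3-3-3' to 6 raw bytes."""
    return bytes.fromhex("".join(p.zfill(4) for p in mac.split("-")))

def bytes_to_mac(raw):
    return "-".join(raw.hex()[i:i + 4] for i in (0, 4, 8))

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Encode an Ethernet/IPv4 ARP packet (the 28-byte ARP body, no Ethernet header)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_to_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                       mac_to_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)

def parse_arp(pkt):
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, pkt[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sender_mac": bytes_to_mac(smac), "sender_ip": str(ipaddress.IPv4Address(sip)),
            "target_mac": bytes_to_mac(tmac), "target_ip": str(ipaddress.IPv4Address(tip))}

class Node:
    def __init__(self, ip, mac):
        self.ip, self.mac, self.arp_table = ip, mac, {}  # constructed model: one IP/MAC on a /24
    def resolve(self, target_ip):
        if ipaddress.ip_address(target_ip) not in ipaddress.ip_network(f"{self.ip}/24", strict=False):
            return None  # off-segment destination: no ARP, traffic goes to the gateway instead
        self.arp_table[target_ip] = "Incomplete"  # request sent, reply not yet received
        return build_arp(ARP_REQUEST, self.mac, self.ip, "0000-0000-0000", target_ip)
    def receive(self, pkt):
        """Handle one ARP packet; return the unicast reply to send, or None."""
        arp = parse_arp(pkt)
        if arp["op"] == ARP_REQUEST:
            if arp["target_ip"] != self.ip:
                return None  # like switch B: not our address, stay silent
            return build_arp(ARP_REPLY, self.mac, self.ip, arp["sender_mac"], arp["sender_ip"])
        if arp["op"] == ARP_REPLY and self.arp_table.get(arp["sender_ip"]) == "Incomplete":
            self.arp_table[arp["sender_ip"]] = arp["sender_mac"]  # D entry is now complete
        return None

def demo():
    a, b, c = Node("10.1.1.1", "1-1-1"), Node("10.1.1.2", "2-2-2"), Node("10.1.1.3", "3-3-3")
    request = a.resolve("10.1.1.3")                            # broadcast ARP request
    b_reply, c_reply = b.receive(request), c.receive(request)  # the broadcast reaches both B and C
    a.receive(c_reply)                                         # only C answers, by unicast
    return b_reply, a.arp_table
```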

A PC or switch ages out dynamic ARP entries to release entry resources in the ARP table and to keep dynamic ARP entries accurate. You can set the aging time of dynamic ARP entries on a switch. The default value, 20 minutes, is recommended.

After the aging time of a dynamic ARP entry on a switch expires, the switch sends an ARP aging probe packet (ARP request packet). If the switch receives an ARP reply packet, the switch updates the dynamic ARP entry and the aging probe ends. If the switch does not receive an ARP reply packet after the number of probes exceeds the specified upper limit, the switch deletes the dynamic ARP entry and the aging probe ends.

OK, that is all about dynamic ARP entries. Are you eager to know how to configure ARP entries of the S type?

3 Configuration of Static ARP Entries

We can configure static ARP entries on a switch for important devices such as servers on the network. This configuration prevents ARP entries containing the important devices' IP addresses on the switch from being incorrectly updated because of ARP attack packets, ensuring proper communication between users and the important devices.

Static ARP entries are not aged out or overwritten by dynamic ARP entries. You can manually configure static ARP entries. Let's see several examples.

For example, there is an important server on the network. The server's IP address is 172.16.10.2 and MAC address is 0023-0045-0067. GE1/0/1 on a switch is connected to the server, works in Layer 2 mode, and is added to VLAN 100. You can configure a static ARP entry for the server on the switch. The configuration is as follows:

<Quidway> system-view
[Quidway] vlan batch 100
[Quidway] interface vlanif 100
[Quidway-Vlanif100] ip address 172.16.10.1 24 //The IP address of the VLANIF interface must be on the same network segment as the IP address (172.16.10.2) in the static ARP entry.
[Quidway-Vlanif100] quit
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] port link-type access
[Quidway-GigabitEthernet1/0/1] port default vlan 100 //GigabitEthernet1/0/1 works in Layer 2 mode and is added to VLAN 100.
[Quidway-GigabitEthernet1/0/1] quit
[Quidway] arp static 172.16.10.2 0023-0045-0067 vid 100 interface gigabitethernet 1/0/1

If the switch interface connecting to the server works in Layer 3 mode, configure a static ARP entry on the switch as follows:

<Quidway> system-view
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] undo portswitch
[Quidway-GigabitEthernet1/0/1] ip address 172.16.10.1 24 //The IP address of GigabitEthernet1/0/1 must be on the same network segment as the IP address (172.16.10.2) in the static ARP entry.
[Quidway-GigabitEthernet1/0/1] quit
[Quidway] arp static 172.16.10.2 0023-0045-0067 interface gigabitethernet 1/0/1

Assume that a switch is connected to a network load balance (NLB) server cluster through multi-interface ARP, and the NLB server cluster's IP address is 172.16.40.2 and MAC address is 02bf-0045-0070. You can configure a static ARP entry on the switch as follows:

<Quidway> system-view
[Quidway] arp static 172.16.40.2 02bf-0045-0070

If the outbound interface is an Ethernet interface working in Layer 2 mode, it is recommended that you specify both the VLAN and outbound interface when configuring the static ARP entry; otherwise, service traffic may fail to be forwarded.

4 Proxy ARP

As we mentioned earlier, if a host performs dynamic ARP learning and finds that the destination IP address of a remote host is on the same network segment as itself, the host broadcasts an ARP request packet to obtain the remote host's MAC address. However, in some circumstances two hosts are on the same network segment but in different broadcast domains. The destination host then cannot receive the local host's ARP request packet, so the local host cannot learn the destination host's MAC address.

After proxy ARP is enabled on a switch connecting the two hosts, the switch works as a proxy. When Host_1 sends an ARP request packet to request Host_2's MAC address, the switch sends its own MAC address to Host_1. Data packets from Host_1 to Host_2 are sent to the switch first, and the switch then forwards the packets to Host_2.

We can use proxy ARP in the following situations:

Situation 1: Host_1 and Host_2 are on the same network segment but on different physical networks (in different broadcast domains). The two hosts have no default gateway configured and need to communicate with each other. Because the two hosts are in different broadcast domains, Host_2 cannot receive ARP request packets from Host_1. You can enable routed proxy ARP (using the arp-proxy enable command) on VLANIF 10 and VLANIF 20 of the switch so that Host_1 and Host_2 can communicate with each other.

[Figure: Host_1 and Host_2 on the same network segment, connected to VLANIF 10 and VLANIF 20 of the switch]

Situation 2: Host_1 and Host_2, which need to communicate with each other, are on the same network segment and in the same VLAN, but port isolation is configured on interfaces IF_1 and IF_2 in the VLAN. Because of port isolation between IF_1 and IF_2, Host_2 cannot receive ARP request packets from Host_1. You can configure intra-VLAN proxy ARP (using the arp-proxy inner-sub-vlan-proxy enable command) on the switch's VLANIF interface associated with VLAN 10 so that Host_1 and Host_2 can communicate with each other at Layer 3.

[Figure: Host_1 on IF_1 and Host_2 on IF_2 in VLAN 10, with port isolation between the two interfaces]

Situation 3: Host_1 and Host_2, which need to communicate with each other, are on the same network segment but in different VLANs. Because the two hosts are in different VLANs, Host_2 cannot receive ARP request packets from Host_1. You can configure inter-VLAN proxy ARP (using the arp-proxy inter-sub-vlan-proxy enable command) on the switch's VLANIF 30 associated with VLAN 10 and VLAN 20 so that Host_1 and Host_2 can communicate with each other at Layer 3.

[Figure: Host_1 in VLAN 10 and Host_2 in VLAN 20, both associated with VLANIF 30 on the switch]

OK, that's all about ARP. Do you now know more about the basic ARP functions?


gululu (Admin), created Mar 25, 2017 00:41:55

thanks!

Come on!
wissal (MVE), created Apr 7, 2018 15:11:38

useful document, thanks
