CCNA Routing and Switching
<< IP and Network Fundamentals Course
>> Models, Protocols, and Standards Section
- Understanding TCP/IP and OSI Models
- Understanding Packet Flow Across the Network Part1
- Understanding Packet Flow Across the Network Part2
- Understanding Ethernet LAN Standards
- Understanding Ethernet MAC Addresses
- Understanding WAN Technologies
- Understanding Data Link Layer Encapsulation
- Understanding EoMPLS WAN Technology
- Understanding IP Routing Process Concept
- Understanding Web Browser DNS Lookup
- Understanding ARP Broadcast Message
- Understanding TCP and UDP Protocols
- Understanding TCP and UDP Multiplexing
- Understanding Application Layer Services
- Understanding Quality of Service Concept

Understanding ARP Broadcast Message complete the process of how and why Mapping an IP address to MAC Address is crucial under Ethernet Networks. Address Resolution Protocol (ARP) used by Data Link Layer to provide two basic functions: 1) Resolve IPv4 or IPv6 addresses to MAC addresses, and 2) Maintain a Cache Table of MAC to IP addresses. To resolve Name to IP address DNS service is used, to resolve IP address to MAC Ethernet Address, ARP service is used.
For Instance, if a shared NFS folder located on one of the servers, and a client requested a document from that folder, to complete the document browsing process, the network must resolve the Shared Folder’s name to an IP Address, and Resolve the server’s IP Address to its MAC address in order to browse the shared folder.
Table of Contents
Address Resolution Protocol
IP routing logic requires that network devices encapsulate IP packets inside Data Link Frames based on the cable type used, and if Ethernet language is being used, then ARP Resolution from an IP Address to MAC address is required to complete the encapsulation process of IP packets inside Ethernet frames.
Whenever a host or a router needs to communicate with other hosts or routers, they encapsulate TCP or UDP segments in an IP packet. Hosts and Routers’ Network Layer knows all the important pieces to build an IP packet such destination IP address and source IP address. But when it comes to Layer 2 and if Ethernet Network is being used, hosts and routers do not know neighbors NIC’s or interface’s MAC addresses beforehand, hence, ARP protocol broadcast messages get evolved.
TCP/IP defines ARP as the method by which any host or router on a LAN can dynamically learn the MAC address of another host or router on the same LAN. ARP includes a protocol called ARP request, simply broadcast a message as follows: (if this is your IP address, please reply with your MAC address). ARP also includes a ARP Reply message, which include both the original IP address and the matching MAC address of the network device in question.
Detailed ARP Request Process
Based on the image below, PC1’s Ethernet cable plugged into SW2, shows detailed steps of how PC1 initially knew its Default Gateway’s (R3) MAC address in order to route IP packets outside its LAN network.
Step 1: PC1’s Network Layer sends an IP packet encapsulated with destination IP address of R3 (192.168.1.1) as a receiver, and a source MAC address of PC1 (192.168.1.100) as sender.
Step 2: PC1’s Data-Link Layer encapsulate the IP packet inside an Ethernet Frame with a broadcast destination MAC Address (FFFF.FFFF.FFFF), which means all devices on this LAN will receive this message, and a source MAC address of PC1 NIC interface as sender.
Step 3: The switch receives the broadcast frame, learn the source MAC address and record it along the interface port number in its MAC table (1), and flood the broadcast frame from all ports except the port where it was received (2).
Step 4: All devices receive the broadcast packet and drop it, except R3. R3 replies to PC1 with its MAC address since the IP packet included ARP message request indicating its IP address in the destination field.
Step 5: PC1 receives the ARP reply request indicating R3’s MAC address, hence, learning the MAC address and saves it in its MAC table.
Step 6: PC1’s Network layer is ready right now to create an IP packet heading to Web server, and ready to encapsulate it inside an Ethernet Frame to be forward to R3’s MAC address for further routing process.
Note, how PC1 has to prepare all required pieces before completing web page request, resolving Name to IP using DNS (1) learn R3 MAC address (2), and finally creates an HTTP Get request IP packet heading to the web server.
Looking Inside the Frame for ARP
R3’s IP Address (192.168.1.1) known to PC1 as Default Gateway by DHCP or Static configuration. The following image shows how PC1 created an IP packet indicating R3’s IP address as destination, and encapsulated the packet inside a frame indicating an ARP Request as destination Broadcast address (FFFF.FFFF.FFFF) inside the frame.
Once PC1 release a broadcast frame, it will hit all network devices on this LAN address which is 192.168.1.0/24. After R3 receives the broadcast frame, replies with its MAC, hence, PC1 learns R3’s MAC address and save it in it’s cache MAC table.
Next image shows how PC1 afterwards created a new IP packet indicating Web Server’s IP address this time, and encapsulated the IP packet inside a Frame heading this time to R3’s MAC address as next-hop instead of Broadcast Address since PC1 learned already R3’s MAC address.
Note that Hosts save the ARP replies in their ARP cache or ARP table for future use as they do with DNS queries. ARP is not used every time the host or the router needs to forward a packet to neighbor device. Each time a host or router needs to send a packet encapsulated inside an Ethernet Frame, it first checks its ARP table for correct IP address and matching MAC address. Besides, Network devices might let ARP cache entries to time out in order to clean up the table, occasionally ARP Requests and Replies traffic can be seen on LAN.
Frames Types and their Usage
Why we need different types of Ethernet frames? To understand how ARP service works, it’s good to look at the difference among all 3 types of Ethernet frames communication.
By looking at the images below and for sake of simplicity, note how each type has different color. Unicast is Orange and what inside the circle corresponds to the color as well, and so on.
1. Unicast frame: indicates that only 2 network devices talking to each other.
Remember, that Hubs broadcast everything including Unicast, Broadcast, and Multi-Cast messages, hence, Frames Types meant nothing to hubs. In contrast, switches do care, why? Because they want to save time and energy and be specific in their communication.
They know how to talk Ethernet language, therefore, know how to deal with MAC addresses regardless what Ethernet frame type is being used. Switches’ Intelligence similar to Routing Intelligence in Routers in that regard.
2. Broadcast frames: indicate that a single machine sending frames to everyone on the LAN.
3. Multicast frame: indicates that a group of devices are willing to respond to a specific machine request on the network, or a single network device is trying to talk only to a specific group of devices that are willing to listen to a specific Multicast frame that hold a MAC address such this one 0100.5E7F.0001.
Internet Control Protocol (ICMP)
I don’t remember the last time I used arp commands for troubleshooting, however, I would like to end this article with ICMP. Troubleshooting and verifying tools are crucial in Network, ICMP included some primary tools for troubleshooting and verifying basic network connectivity, commands such Packet Internet Groper (Ping) and Traceroute (tracert in windows) are the main tools to verify connectivity.
Ping uses ICMP to send a message called ICMP echo request to another IP address. The host with that IP address should reply with an ICMP echo reply packet. If that works, you successfully have tested the IP network.
In other words, you know that the network can deliver an IP packet from one host to other. ICMP does not rely on any application; it tests the basics layer 1, 2, and 3 connectivity of TCP/IP model. The following shows a ping reply from a host google.com.
Traceroute uses ICMP as well, is a network tool used to test and shows an IP packet route taken by PC1’s Internet Protocol (IP) across the routers that are located between PC1 and Web server. E.g. the following shows a windows tracert command from a host to google.com.
Subject Related
By Wikipedia ARP | Tummy How ARP Works | Omnisecu ARP Protocol | Juniper Networks – How ARP Works? | R&S ICND1 and ICND2 | Introduction To Network | Practical Packet | Computer Network | Introduction to Networking | Who is Running the Internet | Networking Self-Teaching Guide
CCNA Routing and Switching
<< IP and Network Fundamentals Course
>> Models, Protocols, and Standards Section
- Understanding TCP/IP and OSI Models
- Understanding Packet Flow Across the Network Part1
- Understanding Packet Flow Across the Network Part2
- Understanding Ethernet LAN Standards
- Understanding Ethernet MAC Addresses
- Understanding WAN Technologies
- Understanding Data Link Layer Encapsulation
- Understanding EoMPLS WAN Technology
- Understanding IP Routing Process Concept
- Understanding Web Browser DNS Lookup
- Understanding ARP Broadcast Message
- Understanding TCP and UDP Protocols
- Understanding TCP and UDP Multiplexing
- Understanding Application Layer Services
- Understanding Quality of Service Concept
Thanks for your article about ARP, Imad
I think the question of Rajan is clear and I have same question too. May be I have been confused with your idea. My opinion is:
—————–
"Step 1: PC1’s Network Layer sends an IP packet encapsulated with destination IP address of R3 (192.168.1.1) as a receiver, and a source MAC address of PC1 (192.168.1.100) as sender". The source MAC address of PC 1 is 3001.3333.3333, not its IP (192.168.1.1). At first time to work, PC1 has only its MAC address and destination's IP address (or domain name).
——————–
"Step 5: PC1 receives the ARP reply request indicating R3’s MAC address, hence, learning the MAC address and saves it in its MAC table."
– Switch or PC1 receives ARP reply message? I think it's Switch, not PC1. MAC table is in the Switch, not in the PC1.
– ARP reply request or ARP request message? I think it's just a ARP reply message, not request message.
———————-
For whole the article, it seems that you have combined PC1 and Switch as one.
Hi thanks for the ARP article….. i would like know if in 1st step of ARP will it be source MAC of PC1 or source IP of PC1
Thank you Rajan for the question,
As you probably guessed, initially, when PC1 receives its IP Address by DHCP, PC1’s ARP MAC table at this moment before making any communication might still don’t know R3’s MAC address if the DHCP is windows Server for example. But PC1 knows that R3 is the gateway, hence, it knows it’s IP address, and what left is to figure out R3’s MAC address, therefore, initially, PC1 sends an ARP broadcast FFFF.FFFF.FFFF, but the main purpose of this ARP broadcast is to figure out R3 MAC address first.
To answer your Question: well, both MAC and IP will be in the TCP/IP Stack communication, however, once ARP instruct Ethernet to use FFFF.FFFF.FFFF, meaning, the IP communication can’t be accomplished all the way to the end until R3 MAC address is known by PC1’s MAC Table.
Eventually, R3 will respond to the ARP broadcast message, and PC1 will be able to complete IP communication with R3. Think about this way, the MAC address will be used as delivery car to deliver the IP Packet from point A to point B, then the R3 will assemble another car to deliver the IP Packet using R2’s MAC address.
I hope this answer clear any confusion you might have, thank you again for viewing and sharing your thoughts. Good luck with your studies 🙂