Understanding ARP Broadcast Message

Understanding ARP Broadcast Message complete the process of how and why Mapping an IP address to MAC Address is crucial under Ethernet Networks. Address Resolution Protocol (ARP) used by Data Link Layer to provide two basic functions: 1) Resolve IPv4 or IPv6 addresses to MAC addresses, and 2) Maintain a Cache Table of MAC to IP addresses. To resolve Name to IP address DNS service is used, to resolve IP address to MAC Ethernet Address, ARP service is used.

For Instance, if a shared NFS folder located on one of the servers, and a client requested a document from that folder, to complete the document browsing process, the network must resolve the Shared Folder’s name to an IP Address, and Resolve the server’s IP Address to its MAC address in order to browse the shared folder.

Address Resolution Protocol

IP routing logic requires that network devices encapsulate IP packets inside Data Link Frames based on the cable type used, and if Ethernet language is being used, then ARP Resolution from an IP Address to MAC address is required to complete the encapsulation process of IP packets inside Ethernet frames.

Whenever a host or a router needs to communicate with other hosts or routers, they encapsulate TCP or UDP segments in an IP packet. Hosts and Routers’ Network Layer knows all the important pieces to build an IP packet such destination IP address and source IP address. But when it comes to Layer 2 and if Ethernet Network is being used, hosts and routers do not know neighbors NIC’s or interface’s MAC addresses beforehand, hence, ARP protocol broadcast messages get evolved.

TCP/IP defines ARP as the method by which any host or router on a LAN can dynamically learn the MAC address of another host or router on the same LAN. ARP includes a protocol called ARP request, simply broadcast a message as follows: (if this is your IP address, please reply with your MAC address). ARP also includes a ARP Reply message, which include both the original IP address and the matching MAC address of the network device in question.

Detailed ARP Request Process

Based on the image below, PC1’s Ethernet cable plugged into SW2, shows detailed steps of how PC1 initially knew its Default Gateway’s (R3) MAC address in order to route IP packets outside its LAN network.

Step 1: PC1’s Network Layer sends an IP packet encapsulated with destination IP address of R3 (192.168.1.1) as a receiver, and a source MAC address of PC1 (192.168.1.100) as sender.

Step 2: PC1’s Data-Link Layer encapsulate the IP packet inside an Ethernet Frame with a broadcast destination MAC Address (FFFF.FFFF.FFFF), which means all devices on this LAN will receive this message, and a source MAC address of PC1 NIC interface as sender.

Step 3: The switch receives the broadcast frame, learn the source MAC address and record it along the interface port number in its MAC table (1), and flood the broadcast frame from all ports except the port where it was received (2).

Step 4: All devices receive the broadcast packet and drop it, except R3. R3 replies to PC1 with its MAC address since the IP packet included ARP message request indicating its IP address in the destination field.

Step 5: PC1 receives the ARP reply request indicating R3’s MAC address, hence, learning the MAC address and saves it in its MAC table.

Step 6: PC1’s Network layer is ready right now to create an IP packet heading to Web server, and ready to encapsulate it inside an Ethernet Frame to be forward to R3’s MAC address for further routing process.

Note, how PC1 has to prepare all required pieces before completing web page request, resolving Name to IP using DNS (1) learn R3 MAC address (2), and finally creates an HTTP Get request IP packet heading to the web server.

Looking Inside the Frame for ARP

R3’s IP Address (192.168.1.1) known to PC1 as Default Gateway by DHCP or Static configuration. The following image shows how PC1 created an IP packet indicating R3’s IP address as destination, and encapsulated the packet inside a frame indicating an ARP Request as destination Broadcast address (FFFF.FFFF.FFFF) inside the frame.

Once PC1 release a broadcast frame, it will hit all network devices on this LAN address which is 192.168.1.0/24. After R3 receives the broadcast frame, replies with its MAC, hence, PC1 learns R3’s MAC address and save it in it’s cache MAC table.

Next image shows how PC1 afterwards created a new IP packet indicating Web Server’s IP address this time, and encapsulated the IP packet inside a Frame heading this time to R3’s MAC address as next-hop instead of Broadcast Address since PC1 learned already R3’s MAC address.

Note that Hosts save the ARP replies in their ARP cache or ARP table for future use as they do with DNS queries. ARP is not used every time the host or the router needs to forward a packet to neighbor device. Each time a host or router needs to send a packet encapsulated inside an Ethernet Frame, it first checks its ARP table for correct IP address and matching MAC address. Besides, Network devices might let ARP cache entries to time out in order to clean up the table, occasionally ARP Requests and Replies traffic can be seen on LAN.

Frames Types and their Usage

Why we need different types of Ethernet frames? To understand how ARP service works, it’s good to look at the difference among all 3 types of Ethernet frames communication.

By looking at the images below and for sake of simplicity, note how each type has different color. Unicast is Orange and what inside the circle corresponds to the color as well, and so on.

1. Unicast frame: indicates that only 2 network devices talking to each other.

Remember, that Hubs broadcast everything including Unicast, Broadcast, and Multi-Cast messages, hence, Frames Types meant nothing to hubs. In contrast, switches do care, why? Because they want to save time and energy and be specific in their communication.

They know how to talk Ethernet language, therefore, know how to deal with MAC addresses regardless what Ethernet frame type is being used. Switches’ Intelligence similar to Routing Intelligence in Routers in that regard.

2. Broadcast frames: indicate that a single machine sending frames to everyone on the LAN.

3. Multicast frame: indicates that a group of devices are willing to respond to a specific machine request on the network, or a single network device is trying to talk only to a specific group of devices that are willing to listen to a specific Multicast frame that hold a MAC address such this one 0100.5E7F.0001.

Internet Control Protocol (ICMP)

I don’t remember the last time I used arp commands for troubleshooting, however, I would like to end this article with ICMP. Troubleshooting and verifying tools are crucial in Network, ICMP included some primary tools for troubleshooting and verifying basic network connectivity, commands such Packet Internet Groper (Ping) and Traceroute (tracert in windows) are the main tools to verify connectivity.

Ping uses ICMP to send a message called ICMP echo request to another IP address. The host with that IP address should reply with an ICMP echo reply packet. If that works, you successfully have tested the IP network.

In other words, you know that the network can deliver an IP packet from one host to other. ICMP does not rely on any application; it tests the basics layer 1, 2, and 3 connectivity of TCP/IP model. The following shows a ping reply from a host google.com.

Traceroute uses ICMP as well, is a network tool used to test and shows an IP packet route taken by PC1’s Internet Protocol (IP) across the routers that are located between PC1 and Web server. E.g. the following shows a windows tracert command from a host to google.com.

Detailed ICMP header

Subject Related

By Wikipedia ARP | Tummy How ARP Works | Omnisecu ARP Protocol | Juniper Networks – How ARP Works? | R&S ICND1 and ICND2 | Introduction To Network | Practical Packet | Computer Network | Introduction to Networking | Who is Running the Internet | Networking Self-Teaching Guide