This section describes the mechanism of the Address Resolution Protocol (ARP).
ARP was developed for Ethernet networks, which support broadcast. A host can use ARP to obtain the MAC address of a destination host on the same physical network even though it knows only the destination host's IP address. The mapping between IP and MAC addresses is updated dynamically, so IP addresses can still be translated into MAC addresses when hosts change, for example, when the number of hosts changes or a network interface card (NIC) is replaced.
The address resolution process is as follows:
ARP request
Host A shown in Figure 1 knows only the IP address of host B. Host A broadcasts an ARP Request packet to request the MAC address of host B.
ARP reply
All hosts on the network, including host B, receive the ARP Request packet, but only host B responds to it. Host B shown in Figure 2 sends an ARP Reply packet carrying its own MAC address to host A.
Host A obtains host B's MAC address and uses this MAC address to communicate with host B.
ARP cache
If host A broadcast an ARP Request packet every time before sending a packet to host B, traffic would increase, and all hosts would have to receive and process the ARP Request packets, which decreases network efficiency.
To solve these problems, each host maintains an ARP cache that stores recently created mappings between IP and MAC addresses.
Before sending a packet, the sender searches the cache for a MAC address mapped to the destination IP address. If the sender finds a matching MAC address, it sends the packet directly to the host with that MAC address, without sending an ARP Request packet. If the sender does not find a matching MAC address, it broadcasts an ARP Request packet.
Aging time of dynamic ARP entries
After host A shown in Figure 2 obtains host B's MAC address from the ARP Reply packet sent by host B, host A creates a mapping entry between the IP and MAC addresses of host B in its ARP cache. If host B fails or its NIC is replaced, host A does not update the mapping entry and keeps sending packets to host B using the stale entry.
A timer can be set so that host A deletes cached ARP entries after the timer expires.
The timer only reduces address resolution errors, because the sender can detect a fault and delete invalid ARP entries only after the timer expires.
Probes for aging dynamic ARP entries
To further reduce errors during address resolution, an upper limit on the number of probes can be set on a device. When a dynamic ARP entry is about to age out, the device probes the entry; if the device receives no response after the number of probes reaches the upper limit, it deletes the ARP entry.
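The request/reply exchange, the ARP cache, the aging timer and the probes described above, as one added example (this is illustrative code written for this page, not the vendor's implementation): two hosts on a constructed broadcast segment exchange real 28-byte ARP payloads, host A answers its second lookup from its cache, and after host B disappears its entry is probed the configured number of times and then deleted. The probe interval (one aging period per probe), the addresses and the MACs are assumptions made for the example.

```python
import struct

# Constructed sample topology (not from the page): every IP and MAC below is made up.
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def build_arp(op, sha, spa, tha, tpa):
    """Encode the 28-byte Ethernet/IPv4 ARP payload (htype 1, ptype 0x0800, hlen 6, plen 4)."""
    mac = lambda m: bytes(int(x, 16) for x in m.split(":"))
    ip = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)


def parse_arp(payload):
    """Decode an ARP payload; anything that is not Ethernet/IPv4 ARP is rejected."""
    if len(payload) < 28:
        raise ValueError("ARP payload too short")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "sha": mac(payload[8:14]), "spa": ip(payload[14:18]),
            "tha": mac(payload[18:24]), "tpa": ip(payload[24:28])}


class Network:
    """A broadcast segment: a frame reaches every host (broadcast) or the host owning dst_mac."""
    def __init__(self):
        self.hosts = []

    def send(self, frame, dst_mac, now):
        for host in list(self.hosts):
            if dst_mac in (BROADCAST_MAC, host.mac):
                host.receive(frame, now)


class Host:
    def __init__(self, ip, mac, net, aging=60.0, max_probes=3):
        self.ip, self.mac, self.net = ip, mac, net
        self.aging, self.max_probes = aging, max_probes
        self.cache = {}            # ip -> {"mac", "expires", "probes"}
        self.broadcasts_sent = 0
        self.probes_sent = 0
        net.hosts.append(self)

    def learn(self, ip, mac, now):
        self.cache[ip] = {"mac": mac, "expires": now + self.aging, "probes": 0}

    def receive(self, frame, now):
        pkt = parse_arp(frame)
        if pkt["tpa"] != self.ip:
            return                                # not addressed to us: ignore
        self.learn(pkt["spa"], pkt["sha"], now)   # learn the sender when we are the target
        if pkt["op"] == ARP_REQUEST:              # answer with our own MAC, unicast to the requester
            self.net.send(build_arp(ARP_REPLY, self.mac, self.ip, pkt["sha"], pkt["spa"]), pkt["sha"], now)

    def resolve(self, dst_ip, now):
        """Return dst_ip's MAC from the cache, broadcasting an ARP Request only on a miss."""
        entry = self.cache.get(dst_ip)
        if entry and now < entry["expires"]:
            return entry["mac"]
        self.broadcasts_sent += 1
        self.net.send(build_arp(ARP_REQUEST, self.mac, self.ip, ZERO_MAC, dst_ip), BROADCAST_MAC, now)
        entry = self.cache.get(dst_ip)
        return entry["mac"] if entry else None

    def age(self, now):
        """Aging timer plus probes: an expired entry is probed by unicast up to max_probes
        times; a reply refreshes it through receive()/learn(), otherwise it is deleted."""
        for ip in list(self.cache):
            entry = self.cache[ip]
            if now < entry["expires"]:
                continue
            if entry["probes"] >= self.max_probes:
                del self.cache[ip]
                continue
            entry["probes"] += 1
            entry["expires"] = now + self.aging    # simplification: one aging period per probe
            self.probes_sent += 1
            self.net.send(build_arp(ARP_REQUEST, self.mac, self.ip, entry["mac"], ip), entry["mac"], now)


def demo():
    net = Network()
    a = Host("192.0.2.10", "02:00:00:00:00:0a", net)
    b = Host("192.0.2.20", "02:00:00:00:00:0b", net)
    first = a.resolve(b.ip, 0.0)      # cache miss: broadcast, B replies
    second = a.resolve(b.ip, 1.0)     # cache hit: no broadcast
    net.hosts.remove(b)               # B fails or its NIC is replaced: probes go unanswered
    for k in range(1, 5):
        a.age(61.0 * k)
    return first, second, a.broadcasts_sent, a.probes_sent, b.ip in a.cache


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows one broadcast for two lookups, three unanswered probes, and the entry gone afterwards. The same parser is the piece a defender needs when looking at ARP on the wire: a sender MAC that differs from the Ethernet source, or a reply that nobody requested, is visible only once the payload is decoded.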
Static ARP supports fixed mappings between IP and MAC addresses. The hosts and routers involved cannot change these mappings dynamically. Static ARP entries are configured manually by network administrators.
Static ARP entries are used in the following situations:
A gateway on a local network segment is used to forward packets with destination addresses on other network segments.
Packets with invalid IP addresses can be filtered out by binding these IP addresses to a nonexistent MAC address.
IP addresses are bound to MAC addresses to defend against attacks, such as ARP flood attacks.
Static ARP entries have a higher priority than dynamic ARP entries. When you configure a static ARP entry for an IP address that maps to a dynamic ARP entry in the ARP table, the static ARP entry replaces the dynamic ARP entry.
Dynamic ARP dynamically and automatically resolves IP addresses into Ethernet MAC addresses. Dynamic ARP does not require the involvement of an administrator.
The FW creates or updates an ARP entry if a received ARP packet satisfies any of the following conditions:
The ARP packet carries a non-broadcast source address that is on the same network segment as the inbound interface address. The ARP packet is bound for the IP address of the inbound interface.
The ARP packet carries a non-broadcast source address that is on the same network segment as the inbound interface address. The ARP packet is bound for the virtual IP address of a Virtual Router Redundancy Protocol (VRRP) backup group created on the inbound interface.
The ARP packet is bound for an address in a Network Address Translation (NAT) address pool configured on the inbound interface.
If the source IP address of the received ARP packet maps to an ARP entry of the inbound interface, the FW also updates the ARP entry.
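The three learning conditions and the update rule above, as an added example (illustrative code, not the FW's own software): a received ARP packet is checked against a constructed inbound interface that carries an interface address, a VRRP virtual IP and a NAT address pool. The interpretation that "non-broadcast source address" covers both the sender IP and the sender MAC, and all addresses used, are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass, field

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass
class Interface:
    """Inbound interface of the FW (constructed values, not from the page)."""
    address: str                                   # interface IP with prefix, e.g. "192.0.2.1/24"
    vrrp_vips: set = field(default_factory=set)    # virtual IPs of VRRP backup groups on this interface
    nat_pool: set = field(default_factory=set)     # NAT address pool configured on this interface
    arp_table: dict = field(default_factory=dict)  # ip -> mac entries learned on this interface


def valid_source(pkt, iface):
    """Source must be a non-broadcast address on the interface's network segment.
    Interpretation used here: both the sender MAC and the sender IP are checked."""
    net = ipaddress.ip_interface(iface.address).network
    src = ipaddress.ip_address(pkt["spa"])
    if pkt["sha"] == BROADCAST_MAC:
        return False
    if src in (net.broadcast_address, ipaddress.ip_address("255.255.255.255")):
        return False
    return src in net


def should_learn(pkt, iface):
    """Apply the three learning conditions, then the 'existing entry is updated' rule."""
    own_ip = str(ipaddress.ip_interface(iface.address).ip)
    if valid_source(pkt, iface) and pkt["tpa"] == own_ip:
        return True                       # condition 1: bound for the interface address
    if valid_source(pkt, iface) and pkt["tpa"] in iface.vrrp_vips:
        return True                       # condition 2: bound for a VRRP virtual IP on the interface
    if pkt["tpa"] in iface.nat_pool:
        return True                       # condition 3: bound for an address in the NAT address pool
    return pkt["spa"] in iface.arp_table  # source already has an entry on this interface: update it


def process(pkt, iface):
    """Create or update the entry when allowed; return whether the packet changed the table."""
    if not should_learn(pkt, iface):
        return False
    iface.arp_table[pkt["spa"]] = pkt["sha"]
    return True


def arp(sha, spa, tpa):
    return {"sha": sha, "spa": spa, "tpa": tpa}


def demo():
    iface = Interface("192.0.2.1/24", vrrp_vips={"192.0.2.254"}, nat_pool={"203.0.113.10"})
    results = [
        process(arp("02:00:00:00:00:01", "192.0.2.50", "192.0.2.1"), iface),       # True: interface IP
        process(arp("02:00:00:00:00:02", "192.0.2.51", "192.0.2.254"), iface),     # True: VRRP VIP
        process(arp("02:00:00:00:00:03", "198.51.100.7", "203.0.113.10"), iface),  # True: NAT pool address
        process(arp("02:00:00:00:00:04", "192.0.2.52", "192.0.2.77"), iface),      # False: meant for another host
        process(arp("02:00:00:00:00:05", "192.0.2.255", "192.0.2.1"), iface),      # False: broadcast source
        process(arp("02:00:00:00:00:06", "198.51.100.8", "192.0.2.1"), iface),     # False: source off segment
        process(arp("02:00:00:00:00:07", "192.0.2.50", "192.0.2.77"), iface),      # True: existing entry updated
    ]
    return results, iface.arp_table
```

Two points worth checking on a real device: the text states no source-segment check for the NAT-pool condition, so the example learns from an off-segment source in that case, and the last rule means a packet not destined to the FW still refreshes an entry whose source IP is already known. Both are exactly the cases an operator should confirm against the platform's actual behaviour when reasoning about which ARP traffic can change the table.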
A gateway runs proxy ARP to enable hosts to communicate with each other when the hosts are on the same network segment but different physical networks.
Proxy ARP has the following characteristics:
The device supports routed proxy ARP. Routed proxy ARP enables communication between PCs or routers on the same network segment but different physical networks. If a host connected to a router is not configured with a default gateway address, the host cannot send data packets to hosts on other physical networks.
Routed proxy ARP was introduced to solve this problem. The host sends an ARP Request packet requesting the MAC address of a destination host. After receiving the request, the proxy ARP-enabled router replies with its own MAC address to the host. The host sends packets to the router, and the router forwards the packets to the specific destination.
Gratuitous ARP enables a device to send an ARP Request packet to its own IP address. Gratuitous ARP provides the following functions:
IP address conflict detection: If a device receives no reply to a gratuitous ARP Request packet, its IP address is unique. If the device receives an ARP Reply packet in response to the gratuitous ARP Request packet, another device is using the same IP address, that is, an IP address conflict exists.
New MAC address advertisement: If a device has its NIC replaced and its MAC address changes, the device sends a gratuitous ARP to notify all hosts of the new MAC address before their ARP entries for it age out.
In hot standby networking, if the active/standby status changes, the new active device immediately sends a Gratuitous ARP message to declare the VRRP virtual IP addresses.
In hot standby networking, the device whose VRRP group is Active periodically sends a gratuitous ARP message to declare the VRRP virtual IP address.
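The two gratuitous ARP functions above, as an added example (illustrative code, not the vendor's): a host announces its own address, a receiver that already has an entry for that IP refreshes the MAC (the same update path a host takes when the new active VRRP device announces the virtual IP), and a host that owns the announced address answers, which is how the announcing device detects the conflict. Hosts, addresses and MACs are constructed for the example.

```python
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"


@dataclass
class Arp:
    op: int
    sha: str   # sender MAC
    spa: str   # sender IP
    tha: str   # target MAC
    tpa: str   # target IP


def is_gratuitous(pkt):
    """A gratuitous ARP is a request whose sender IP and target IP are the device's own address."""
    return pkt.op == ARP_REQUEST and pkt.spa == pkt.tpa


class Segment:
    def __init__(self):
        self.hosts = []

    def broadcast(self, pkt):
        for host in list(self.hosts):
            host.receive(pkt)

    def unicast(self, pkt, mac):
        for host in self.hosts:
            if host.mac == mac:
                host.receive(pkt)


class Host:
    def __init__(self, ip, mac, seg):
        self.ip, self.mac, self.seg = ip, mac, seg
        self.cache = {}          # ip -> mac
        self.conflict = False
        seg.hosts.append(self)

    def send_gratuitous(self):
        """Announce (ip, mac). Returns True if another host answered, i.e. the IP is already in use."""
        self.conflict = False
        self.seg.broadcast(Arp(ARP_REQUEST, self.mac, self.ip, ZERO_MAC, self.ip))
        return self.conflict

    def receive(self, pkt):
        if is_gratuitous(pkt):
            if pkt.spa == self.ip and pkt.sha != self.mac:
                # another device announced our address: reply so that it detects the conflict
                self.seg.unicast(Arp(ARP_REPLY, self.mac, self.ip, pkt.sha, pkt.spa), pkt.sha)
            elif pkt.spa in self.cache:
                # known IP with a new MAC: refresh the entry before the old one ages out
                self.cache[pkt.spa] = pkt.sha
        elif pkt.op == ARP_REPLY and pkt.tpa == self.ip and pkt.spa == self.ip:
            self.conflict = True  # a reply to our own gratuitous request


def demo():
    seg = Segment()
    a = Host("192.0.2.10", "02:00:00:00:00:0a", seg)
    b = Host("192.0.2.20", "02:00:00:00:00:0b", seg)
    b.cache["192.0.2.10"] = "02:00:00:00:00:01"      # stale entry: A's MAC before its NIC was replaced
    a_conflict = a.send_gratuitous()                  # nobody else owns .10: no reply, B refreshes its entry
    b_entry_for_a = b.cache["192.0.2.10"]
    c = Host("192.0.2.10", "02:00:00:00:00:0c", seg)  # C comes up with A's address
    c_conflict = c.send_gratuitous()                  # A answers, so C detects the conflict
    return a_conflict, b_entry_for_a, c_conflict
```

Note that the receiver refreshes its entry on nothing more than the announcement itself; that unconditional trust is the reason the static and authorized ARP entries discussed elsewhere on this page exist for addresses that must not move.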
Authorized ARP allows a DHCP server to automatically add an ARP entry that contains the MAC and IP addresses of the client after assigning an IP address to the client.
Authorized ARP entries
Authorized ARP entries do not age. After a DHCP server logs out DHCP clients, the DHCP server automatically deletes their authorized ARP entries from an ARP table.
Authorized ARP entries have a higher priority than dynamic ARP entries but a lower priority than static ARP entries. A new authorized ARP entry overrides a duplicate dynamic ARP entry but not a duplicate static ARP entry, and an authorized ARP entry can be overridden by a duplicate static ARP entry.
Working mechanism
Authorized ARP combines the ARP and DHCP mechanisms. The authorized ARP function is available only on devices with the DHCP server function enabled, and only when the DHCP server and client reside on the same network segment. Authorized ARP is not applicable to DHCP relay scenarios.
The authorized ARP mechanism is as follows:
A DHCP client broadcasts a DHCPDISCOVER message. After receiving this message, a DHCP server replies with a DHCPOFFER message carrying network parameters, including an IP address.
If multiple DHCP servers send DHCPOFFER messages to the client at the same time, the client accepts the first DHCPOFFER message it receives. The client then broadcasts a DHCPREQUEST message to all DHCP servers. The DHCPREQUEST message contains the MAC address of the DHCP client and the requested IP address.
After the selected DHCP server receives the DHCPREQUEST message, the DHCP server sends a DHCPACK message to the client. The message contains network parameters, including the assigned IP address. Meanwhile, the DHCP server automatically adds an authorized ARP entry that contains the IP and MAC addresses of the DHCP client.
The DHCP server uses the authorized ARP entry to prevent DHCP clients from dynamically learning MAC addresses from invalid ARP responses. If an attacker forges the IP or MAC address of a valid DHCP client to originate an ARP request, the DHCP server (gateway) finds on receipt that the IP or MAC address in the request does not match an authorized ARP entry and sends no response. The attacker therefore cannot access the network, which improves network security. Because the DHCP server and client reside on the same network segment, the address of the DHCP server is the same as the gateway address.
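The authorized ARP mechanism, together with the entry priorities given earlier for static, authorized and dynamic entries, as one added example (illustrative code, not the vendor's): a gateway that is also the DHCP server adds an authorized entry when it sends DHCPACK, refuses to answer ARP requests whose IP/MAC pair contradicts an authorized entry, removes the entry when the client is released, and never lets its authorized entries age. DHCPDISCOVER/DHCPOFFER are omitted, the method names are hypothetical, and the behaviour for a request that touches no authorized entry at all (answered normally here) is an assumption the text does not settle.

```python
PRIORITY = {"dynamic": 0, "authorized": 1, "static": 2}


class ArpTable:
    """ARP table with the page's precedence: static > authorized > dynamic."""
    def __init__(self):
        self.entries = {}   # ip -> {"mac": ..., "kind": ...}

    def install(self, ip, mac, kind):
        cur = self.entries.get(ip)
        if cur and PRIORITY[cur["kind"]] > PRIORITY[kind]:
            return False                       # a lower-priority entry never replaces a higher one
        self.entries[ip] = {"mac": mac, "kind": kind}
        return True

    def remove(self, ip, kind):
        cur = self.entries.get(ip)
        if cur and cur["kind"] == kind:
            del self.entries[ip]

    def age(self):
        """Only dynamic entries age out; authorized and static entries stay."""
        self.entries = {ip: e for ip, e in self.entries.items() if e["kind"] != "dynamic"}


class DhcpGateway:
    """DHCP server that is also the segment gateway (the page's authorized ARP scenario)."""
    def __init__(self, ip, mac):
        self.ip, self.mac = ip, mac
        self.table = ArpTable()
        self.leases = {}   # client MAC -> leased IP

    def handle_request(self, client_mac, requested_ip):
        """DHCPREQUEST -> DHCPACK: lease the address and add the authorized ARP entry."""
        self.leases[client_mac] = requested_ip
        self.table.install(requested_ip, client_mac, "authorized")
        return {"type": "DHCPACK", "yiaddr": requested_ip, "chaddr": client_mac}

    def handle_release(self, client_mac):
        """Client logs out: its authorized entry is deleted along with the lease."""
        ip = self.leases.pop(client_mac, None)
        if ip:
            self.table.remove(ip, "authorized")

    def answer_arp_request(self, sha, spa):
        """Reply only when (spa, sha) does not contradict an authorized entry; None means no reply."""
        by_ip = self.table.entries.get(spa)
        if by_ip and by_ip["kind"] == "authorized" and by_ip["mac"] != sha:
            return None    # the IP is authorized for a different client MAC
        for ip, e in self.table.entries.items():
            if e["kind"] == "authorized" and e["mac"] == sha and ip != spa:
                return None    # the MAC is authorized for a different IP
        return {"sha": self.mac, "spa": self.ip, "tha": sha, "tpa": spa}


def demo():
    gw = DhcpGateway("192.0.2.1", "02:00:00:00:00:01")
    gw.handle_request("02:00:00:00:00:aa", "192.0.2.100")   # legitimate client is assigned .100
    legit = gw.answer_arp_request("02:00:00:00:00:aa", "192.0.2.100") is not None
    forged_ip = gw.answer_arp_request("02:00:00:00:00:bb", "192.0.2.100") is None    # .100 with another MAC
    forged_mac = gw.answer_arp_request("02:00:00:00:00:aa", "192.0.2.101") is None   # client's MAC, other IP
    t = gw.table
    dyn_cannot_replace_auth = not t.install("192.0.2.100", "02:00:00:00:00:cc", "dynamic")
    t.install("192.0.2.120", "02:00:00:00:00:12", "dynamic")
    auth_replaces_dyn = t.install("192.0.2.120", "02:00:00:00:00:13", "authorized") \
        and t.entries["192.0.2.120"]["kind"] == "authorized"
    t.install("192.0.2.200", "02:00:00:00:00:dd", "static")
    static_over_auth = not t.install("192.0.2.200", "02:00:00:00:00:ee", "authorized")
    t.install("192.0.2.150", "02:00:00:00:00:ff", "dynamic")
    t.age()
    survives_aging = "192.0.2.100" in t.entries and "192.0.2.150" not in t.entries
    gw.handle_release("02:00:00:00:00:aa")
    removed_on_release = "192.0.2.100" not in t.entries
    return dict(legit=legit, forged_ip=forged_ip, forged_mac=forged_mac,
                dyn_cannot_replace_auth=dyn_cannot_replace_auth, auth_replaces_dyn=auth_replaces_dyn,
                static_over_auth=static_over_auth, survives_aging=survives_aging,
                removed_on_release=removed_on_release)
```

Every value returned by `demo()` is True, one per rule the text states. The protection depends on the gateway being the DHCP server on the same segment: behind a DHCP relay the gateway never sees the DHCPACK it would build the entry from, which is why the text excludes relay scenarios.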