How ARP Works file:///C:/Documents and Settings/Joe/Desktop/arp.php.

htm

How ARP Works Home

About
This article is based off of a series of usenet
posts (one in particular) on the Art
alt.certification.network-plus news group. I've Personal
done some revision in order to make the whole
thing flow as a stand-alone document and I've also Photo
made some revisions to the example. Tech

What is ARP? ARP

Encapsulation
ARP stands for Address Resolution Protocol. Travel
It is used to associate a layer 3 (Network layer)
address (such as an IP address) with a layer 2
(Data Link layer) address (MAC address).

Layer 2 vs. Layer 3 addressing

I think where a lot of confusion with ARP comes from is in

regards to how the IP address and the MAC address work together.
The IP address is a layer 3 (network layer) address. The MAC address
is a layer 2 (data link) address. The layer 3 address is a logical
address. It will pertain to a single protocol (such as IP, IPX, or
Appletalk). The layer 2 address is a physical address. It pertains to
the actual hardware interface (NIC) in the computer. A computer can
have any number of layer 3 addresses but it will only have 1 layer 2
address per LAN interface. At layer 3, the data is addressed to the
host that the data is destined for. At layer 2 though, the data is
addressed to the next hop. This is handy because you only need to
know a host's layer 3 address (which can be found out by using DNS
for instance) but you won't need to know the hardware address (and
you won't have to bog down the network by sending an ARP request
across the internet to find it out). The layer 3 packet (addressed to
the destination host) will be encapsulated within a layer 2 frame
(addressed to the next hop).

ARP operation for a local host

Your computer will have data that it needs to send (I'm

assuming that we're using TCP/IP from here on). When the data gets
to the Network layer it will put on the destination IP address. All of
this info (the network layer datagram, aka packet) is passed down to

1 of 5 3/27/2011 1:26 AM
How ARP Works file:///C:/Documents and Settings/Joe/Desktop/arp.php.htm

the data link layer where it is taken and placed within a data link
frame. Based on the IP address (and the subnet mask), your
computer should be able to figure out if the destination IP is a local IP
or not. If the IP is local, your computer will look in it's ARP table (a
table where the responses to previous ARP requests are cached) to
find the MAC address. If it's not there, then your computer will
broadcast an ARP request to find out the MAC address for the
destination IP. Since this request is broadcast, all machines on the
LAN will receive it and examine the contents. If the IP address in the
request is their own, they'll reply. On receiving this information, your
computer will update it's ARP table to include the new information and
will then send out the frame (addressed with the destination host's
MAC address).

ARP operation for a remote host

If the IP is not local then the gateway (router) will see this
(remember, the ARP request is broadcast so all hosts on the LAN will
see the request). The router will look in it's routing table and if it has
a route to the destination network, then it will reply with it's own MAC
address.

This is only the case if your own computer doesn't know

anything about the network topology. In most cases, your computer
knows the subnet mask and has a default gateway set. Because of
this, your own computer can figure out for itself that the packet is not
destined for the local network. Instead, your computer will use the
MAC address of the default gateway (which it will either have in it's
ARP table or have to send out an ARP request for as outlined above).
When the default gateway (router) receives the frame it will see that
the MAC address matches it's own, so the frame must be for it. The
router will un-encapsulate the data link frame and pass the data part
up to the network layer. At the network layer, the router will see that
the destination IP address (contained in the header of the IP packet)
does not match it's own (remember, the IP address has not been
touched at all in this process since your computer created the IP
packet). The router will realise that this is a packet that is supposed
to be routed. The router will look in it's routing table for the closest
match to the destination IP in order to figure out which interface to
send the packet out on. When a match is found, the router will create
a new data link frame addressed to the next hop (and if the router
doesn't know the hardware address for the next hop it will request it
using the appropriate means for the technology in question). The data
portion of this frame will contain the complete IP packet (where the
destination IP address remains unchanged) and is sent out the
appropriate interface. This process will continue at each router along
the way until the information reaches a router connected to the
destination network. It will see that the packet is addressed to a host
that's on a directly connected network (the closest match you can get

2 of 5 3/27/2011 1:26 AM
How ARP Works file:///C:/Documents and Settings/Joe/Desktop/arp.php.htm

for an address, short of the packet being addressed to you). It will

send out an ARP request for MAC address of the destination IP
(assuming it doesn't already have it in it's table) and then address it
to the destination's MAC address.

Now then, I did slightly gloss over 1 part in the above

explanation and that's the part about the router finding out the
hardware address for the next hop. I just didn't want to disturb the
flow with entering into that there. How the router does this will
depend on what type of connection (and in some cases, what
protocol and/or encapsulation is used on the connection). In some
cases, this will be a hard set value (like a frame relay pvc) within the
configuration of the router. In some cases, you don't even need a
hardware address (like any point to point connection, there's only 1
possible host you could send it to), in those cases the router will just
create a data link frame appropriate for the connection and it won't
even need to be addressed. This is why the OSI model is good. It's
layered so that any layer can change and as long as it takes in
information in a standard way (the way the layer above wants to send
it) and spits out information in a standard way (the way the layer
below wants to receive it), then it's all good. When Frame Relay came
along nothing changed with the way you had to address IP packets,
all of the changes took place at the data link and physical layers. If
some new type of connection comes along in the future, only the data
link and physical layers will likely change. When we go to IPv6, only
the network layer should change (it probably won't but that's more to
do with how the layers tend to blur, but if it were truly layered that
would be the case).

Putting it all together

Anyways, since I feel like doing an example here's one showing

the whole process. In the original post, I had used IP addresses from
the 10.x.x.x range (which is a reserved range for private networks)
with a subnet mask of 255.255.255.0. This seemed to cause some
confusion (both because of the misconception that the 10.x.x.x range
is non-routable and because I was using a class C subnet mask for a
class A network) both of these are valid and would work but I've
decided to change this so that I'm using non-reserved (ie, real) IPs
from class C networks. I figure that this will help reduce the confusion
in this example, and I can clear up the rest in another article or 2.
Needless to say then, if you want to try this on your own network,
don't connect it to the internet! IP conflicts are just plain evil and can
screw up lots of stuff. If you want to try this in a home lab that is
connected to the internet then put the whole network behind some
kind of a firewall and use the reserved IPs. Or, if you're lucky enough
to have a block of real IPs, use them. The bottom line is don't use IPs
that haven't been assigned to you on the internet.

3 of 5 3/27/2011 1:26 AM
How ARP Works file:///C:/Documents and Settings/Joe/Desktop/arp.php.htm

Your computer has an address of 200.0.1.2, it's connected to

the 200.0.1.0 network (I'm assuming a subnet mask of
255.255.255.0, we'll call this network 1) which is an ethernet
network. Your default gateway is a router (router a) which has an
address of 200.0.1.1. That router is connected to the 200.0.1.0
network and the 200.0.2.0 (network 2) network (the interface
connected to the 200.0.2.0 network will have an address of
200.0.2.1). The network 2 is also an ethernet network. Also
connected to network 2 is another router (router b) which has the
address (for the interface connected to network 2 at least) of
200.0.2.2. Router b is also connected to network 3 (200.0.3.0).
Router b's interface on network 3 has the address of 200.0.3.1.
Here's a (probably bad) ASCII diagram to illustrate:
Router Router
a b
-----------O-------------O------------
Network 1 Network 2 Network 3
(200.0.1.0) (200.0.2.0) (200.0.3.0)

Now then, your computer (on network 1 with an address of

200.0.1.2) wants to send some data to a computer on network 3
(with an address of 200.0.3.2). We'll assume that none of the info in
already cached in an ARP table on any of the machines or routers (a
big assumption but it's mine to make!). Your computer will create an
IP packet addressed to 200.0.3.2. That packet will be sent to the data
link layer where it needs a MAC address. Based on the subnet mask,
your computer will know that the destination computer isn't on the
same local network. So, your computer will send out an ARP request
for the default gateway's MAC address (ie, what's the MAC for
200.0.1.1?). On receiving the MAC address, your computer will send
out the IP packet (still addressed to 200.0.3.2) encapsulated within a
data link frame that is addressed to the MAC address of router a's
interface on network 1 (because routers have more than 1 interface
they can have more than 1 MAC address, in this case each router has
2 ethernet interface each with it's own unique MAC address). Router a
will receive this frame and send the data portion up to the network
layer (layer 3). At the network layer, router a will see that the packet
(which is addressed to 200.0.3.2) is not addressed to router a.
Router a will look in it's routing table to find out where to send the
packet. The routing table will show that network 3 (the closest match
to 200.0.3.2) is reachable via network 2. The routing table will also
show the IP address for the next hop is 200.0.2.2. Router a will send
out an ARP request onto network 2 asking for router b's MAC address
(well at least for the interface connected to network 2). On receiving
this, router a will send the IP packet (still addressed to 200.0.3.2,
nothing's changed here) encapsulated in a data link frame addressed
to router b's MAC address. When router b receives this frame it will do
the same thing that router a did, it will send the IP packet up to the
network layer and see that the packet is not addressed to router b
(the packet is still addressed to 200.0.3.2). Router b will then look up

4 of 5 3/27/2011 1:26 AM
How ARP Works file:///C:/Documents and Settings/Joe/Desktop/arp.php.htm

in it's routing table for the closest match and see that it is directly
connected to network 3, so there isn't a next hop router to send it to.
Router b will send out an ARP request to learn the MAC address for
200.0.3.2. When this is received, router b will send out the IP packet
(again, this is still addressed to 200.0.3.2) encapsulated within a data
link frame that is addressed to the MAC address of the destination
computer. The destination computer will see that the data link frame
is addressed to it and will pass the IP packet to the network layer. At
the network layer, the IP address will also match that of the computer
and the data from the IP packet will be passed up to the transport
layer. Each layer will examine the header and determine where to
pass it up to until eventually, the data reaches the application running
on the destination computer that has been waiting for the data.

What you'll notice through this whole process is that the IP

address never changes. The IP packet is always addressed to
200.0.3.2. However, at the data link layer, the address used changes
at each hop (it's always addressed to the next hop). As you go up
through the layers, you get more and more specific about where the
data is supposed to be going. At the data link layer this is very vague,
it's basically just, "here's who to pass it on to, they should know what
to do with it". At the network layer you get more specific (this is the
exact computer I want to send this to). Above that you get more
specific (is it TCP or UDP?, what port?, etc)

frugal@tildefrugal.net
Copyright © Andrew Dacey

5 of 5 3/27/2011 1:26 AM