Address Resolution Protocol (ARP)
Sending IP packets on a multiaccess network requires mapping from an IP address to a MAC address (the physical or hardware address).
In an Ethernet environment, ARP is used to find the MAC address that corresponds to an IP address. ARP dynamically binds the IP address (the logical address) to the correct MAC address. Before IP unicast packets can be sent, ARP discovers the MAC address used by the Ethernet interface on which the IP address is configured.
Hosts that use ARP maintain a cache of discovered Internet-to-Ethernet address mappings to minimize the number of ARP broadcast messages. To keep the cache from growing too large, an entry is removed if it is not used within a certain period of time. Before sending a packet, the host looks in its cache for Internet-to-Ethernet address mapping. If the mapping is not found, the host sends an ARP request.
Note: For information on MAC address validation, see the section MAC Address Validation.
How ARP Works
The way ARP works can best be explained in a simple example. As shown in Figure 2-6, host 1 wants to send an IP packet to host 2 on a different subnet. To complete this transmission, host 1 needs the MAC address of router 1, to be used as the forwarding gateway.
- Host 1 broadcasts an ARP request to all devices on subnet 1, containing a query for the IP address of router 1. The IP address of router 1 is needed because host 2 is on a different subnet.
- All devices on subnet 1 compare their IP address with the enclosed IP address sent by host 1.
- Having the matching IP address, router 1 sends an ARP response, which includes its MAC address, to host 1.
- Host 1 proceeds with its intended transmission of the IP packet to its layer 3 destination address (host 2), using router 1's MAC address as the layer 2 destination.
- Router 1 forwards the IP packet to host 2. Router 1 may first send an ARP request of its own to identify the MAC address of host 2.
ARP forces all receiving hosts to compare their IP addresses with the IP address in the ARP request. Keeping the above example in mind, if host 1 sent another IP packet to host 2, host 1 would first check its ARP table for router 1's MAC address.
If the default router/gateway becomes unavailable, then all the routing/packet forwarding to remote destinations ceases. Usually, it requires manual intervention to restore connectivity, even though there may be alternative paths available. Alternatively, Virtual Router Redundancy Protocol (VRRP) may be used to prevent loss of connectivity. See Chapter 10, Configuring VRRP.
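The exchange above, together with the cache aging described earlier, as an added simulation that is not part of the original guide or of the ERX software. Addresses, the third host and the integer clock are constructed; the 21,600-second default and the "0 means never cleared" rule are taken from the arp timeout command description.

```python
"""ARP exchange and cache aging as described above (added example, not ERX code).

On a cache miss the sender broadcasts a request carrying the target IP; every
device compares it with its own address and only the owner replies. Entries
unused for `timeout` seconds are removed; 0 means never cleared (arp timeout).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DEFAULT_ARP_TIMEOUT = 21600  # seconds, the default given in the text


@dataclass
class Device:
    ip: str
    mac: str
    timeout: int = DEFAULT_ARP_TIMEOUT
    cache: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # ip -> (mac, last_used)
    requests_sent: int = 0

    def on_arp_request(self, queried_ip: str) -> Optional[str]:
        # Every receiver compares the queried IP with its own; only the owner answers.
        return self.mac if queried_ip == self.ip else None

    def resolve(self, target_ip: str, subnet: List["Device"], now: int) -> Optional[str]:
        """Return the MAC for target_ip from the cache or via an ARP request."""
        entry = self.cache.get(target_ip)
        if entry and not (self.timeout and now - entry[1] >= self.timeout):
            self.cache[target_ip] = (entry[0], now)   # cache hit: refresh last-used time
            return entry[0]
        self.requests_sent += 1                        # miss or aged out: broadcast
        for dev in subnet:
            mac = dev.on_arp_request(target_ip) if dev is not self else None
            if mac is not None:
                self.cache[target_ip] = (mac, now)
                return mac
        return None


def demo() -> dict:
    # Constructed topology: host 1 and router 1 on subnet 1, as in Figure 2-6.
    host1 = Device("192.56.20.10", "0000.0000.0a0a")
    router1 = Device("192.56.20.1", "0090.1a00.0170")
    subnet1 = [host1, router1, Device("192.56.20.11", "0000.0000.0b0b")]
    first = host1.resolve(router1.ip, subnet1, now=0)      # miss -> ARP request
    second = host1.resolve(router1.ip, subnet1, now=100)   # answered from cache
    aged = host1.resolve(router1.ip, subnet1, now=100 + DEFAULT_ARP_TIMEOUT)
    return {"mac": first, "same": second == first, "aged_ok": aged == first,
            "requests": host1.requests_sent}
```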
arp
- Use to add a static IP address-MAC address entry to the ARP cache.
- You specify one of the following:
- ipAddress and macAddress of the interface
- ipAddress, interfaceType and interfaceSpecifier, and an optional MAC address
- Example
host1(config)#arp 192.56.20.1 0090.1a00.0170
arp timeout
- Use to specify how long an entry remains in the ARP cache.
- On the FE-2 module, you can set the ARP timeout only on bridged IP 1483 and Fast Ethernet interfaces. You cannot set the timeout on the SRP module.
- The default value is 21,600 seconds (6 hours). Use the show config command to display the current value.
- If you specify a timeout of 0 seconds, entries are never cleared from the ARP cache.
- Example
host1(config-if)#arp timeout 8000
clear arp
- Use to clear dynamic entries from the ARP cache.
- To clear a particular entry, specify all of the following:
- ipAddress - IP address in four-part dotted-decimal format corresponding to the local data link address
- interfaceType - encapsulation type (for example, ATM)
- interfaceSpecifier - number of the interface specified in the appropriate format. Refer to the specific type of interface for details on the format required.
host1#clear arp
ip proxy-arp
- Use the ip proxy-arp command to enable proxy ARP on an Ethernet or bridge1483 interface.
- Proxy ARP is enabled by default.
- Example
host1(config-if)#ip proxy-arp unrestricted
MAC Address Validation
MAC address validation is a verification process performed on each incoming packet to prevent spoofing on IP Ethernet-based interfaces, including bridged Ethernet interfaces. When an incoming packet arrives on a layer 2 interface, the validation table is used to compare the packet's source IP address with its source MAC address. If the MAC address and IP address match a table entry, the packet is forwarded; if they do not match, the packet is dropped.
Note: MAC address validation for bridged Ethernet interfaces is supported only on OC12a line modules.
MAC address validation on the ERX system can be accomplished in two ways:
- You can statically configure it on a physical interface via the arp validate command.
- You can allow DHCP to perform the function independently and dynamically. See DHCP in ERX Link Layer Configuration Guide, Chapter 8, Configuring Bridged IP.
The arp validate command adds the IP-MAC address pair to the validation table maintained on the physical interface.
If the validation pairs are added statically via the CLI, the IP address-MAC address pairs are stored in NVS. The entries are used for MAC validation only if MAC validation is enabled on the interface via the ip mac-validate command.
Caution: When you configure an interface using the arp validate command, you cannot overwrite the ARP values that were added by DHCP.
You can enable or disable MAC address validation on a per interface basis by issuing the ip mac-validate command. See ERX Physical and Link Layers Configuration Guide, Chapter 6, Configuring Ethernet Interfaces or ERX Physical and Link Layers Configuration Guide, Chapter 18, Configuring Bridged Ethernet for information.
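The per-interface validation table described in this section, modelled as an added example that is not part of the original guide or of the ERX software. The forward/drop decision, the enable switch and the rule that a static pair cannot overwrite a DHCP-learned pair come from the text; treating a source IP with no table entry as a drop is an assumption, since the text does not say how such packets are handled, and the sample pairs other than 192.56.20.1 / 0090.1a00.0170 are constructed.

```python
"""Model of the per-interface IP-MAC validation table described above.

Added example, not ERX code. From the text: a packet whose source IP/MAC pair
matches an entry is forwarded, a mismatch is dropped, and a static (CLI) entry
cannot overwrite a pair learned by DHCP. A source IP with no table entry is
dropped here as well; that is an assumption, the text does not cover it.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Packet:
    src_ip: str
    src_mac: str


@dataclass
class ValidationTable:
    """IP -> (MAC, origin) pairs for one layer 2 interface."""
    enabled: bool = True                                  # ip mac-validate on/off
    entries: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def add_dhcp(self, ip: str, mac: str) -> None:
        """DHCP-learned pairs may replace anything already in the table."""
        self.entries[ip] = (mac.lower(), "dhcp")

    def add_static(self, ip: str, mac: str) -> bool:
        """arp ... validate: rejected if the IP was already learned by DHCP."""
        if ip in self.entries and self.entries[ip][1] == "dhcp":
            return False
        self.entries[ip] = (mac.lower(), "static")
        return True

    def check(self, pkt: Packet) -> str:
        """Return 'forward' or 'drop' for one incoming packet."""
        if not self.enabled:                              # validation disabled
            return "forward"
        entry = self.entries.get(pkt.src_ip)
        if entry is None or entry[0] != pkt.src_mac.lower():
            return "drop"                                 # unknown IP or MAC mismatch
        return "forward"


# Constructed sample: the pair from the page's example, one DHCP pair, and
# two packets whose source IP and MAC do not belong together.
table = ValidationTable()
table.add_static("192.56.20.1", "0090.1a00.0170")
table.add_dhcp("192.56.20.2", "0090.1a00.0171")
RESULTS = {
    "genuine": table.check(Packet("192.56.20.1", "0090.1a00.0170")),
    "wrong_mac": table.check(Packet("192.56.20.1", "0090.1a00.ffff")),
    "wrong_ip": table.check(Packet("192.56.20.2", "0090.1a00.0170")),
    "static_over_dhcp": table.add_static("192.56.20.2", "0090.1a00.0170"),
}
```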
arp validate
- Use to add IP address-MAC address validation pairs. When validation is enabled, all packets with the source IP address received on this IP interface are validated against the IP-MAC entries.
- You specify one of the following:
- ipAddress and macAddress of the interface
- ipAddress, interfaceType and interfaceSpecifier, and an optional MAC address
- You can issue this command only for an IP Ethernet-based interface.
- For subscriber interface configurations, the IP address-MAC address pair must have a matching source prefix that already exists on the subscriber interface. If the matching source prefix does not exist, the IP-MAC address pair is rejected.
- The following example shows packets originating from host 192.56.20.1 being validated at a Gigabit Ethernet interface against the MAC address 0090.1a00.0170.
host1(config)#arp 192.56.20.1 gig 2/0 0090.1a00.0170 validate
host1(config)#arp 192.168.32.0 ip subsc 1 000.0001.8100