Directed ARP on a Cisco router

kfarrington
Level 3

Guys,

Simple one here.

If you do a clear ip arp-cache on a Cisco box, tried on a 7304, 3745 and 3600, it seems to use a directed ARP mechanism (if there is a routing protocol adjacency) and if not, it uses a broadcast "standard" ARP.

Please see below.

Can anyone explain why this is? Is it anything to do with RFC1433?

Please see attached text file :-

Many kind regards,

Ken

Accepted Solutions

Richard Burts
Hall of Fame

Ken

I am not sure what you mean when you refer to a directed ARP mechanism. I think I understand what you are asking. If my answer is not on the mark please post again and clarify.

What you are seeing is standard behavior of a Cisco router. The router maintains an ARP cache to be able to resolve layer 3 to layer 2 addresses. The router will time out an entry in the cache at a timeout interval (which defaults to 4 hours). The cache can also be cleared manually. When an entry is cleared from the cache (either through timeout or by manual clearing) the router will attempt to relearn the address. The rationale for this is that the router attempts to maintain a complete cache of devices on the local subnets so that it will not encounter delays when it needs to forward a packet but does not have the necessary ARP entry.

So when you enter the command to clear the cache the router immediately attempts to relearn all the ARP entries that it has known. We might categorize the ARP entries as being of two types: entries for other devices, and entries for connected interfaces. For ARP for connected devices the router sends the ARP request and fills in the source and destination as shown in the first entry in your list:

*Apr 16 23:42:29.080 BST: IP ARP: sent req src 192.168.19.9 000e.839c.69f1, dst 192.168.19.10 0004.c1f1.e5a2 FastEthernet0/1

In this example we know that the router is sending on interface FastEthernet0/1 which has address 192.168.19.9 and is looking for address 192.168.19.10. Since it already knew the remote MAC the router goes ahead and fills in the destination MAC (to minimize impact on other devices on the network). When the router receives a response to this request it has validated that this device is still connected on the network and puts that entry back into the ARP cache. The router does this for all the device entries that it has had in the cache.

The action of the router for its own interface entries in the cache is slightly different. Notice an example from your list:

*Apr 16 23:42:29.080 BST: IP ARP: sent rep src 192.168.19.9 000e.839c.69f1, dst 192.168.19.9 ffff.ffff.ffff FastEthernet0/1

This is also sent on interface FastEthernet0/1. In this case the source address and the destination address are the same 192.168.19.9. The router is doing this as a way of detecting duplicate addresses. It is sending an ARP for its own address. In this case the destination MAC address is the broadcast address. The router does this because it wants to verify that no other device on the broadcast domain will respond for that address.

So I believe the thing that you did not understand was that some of the ARP requests had the destination MAC filled in with a particular station MAC and some used the broadcast address. As I explained, this is because for ARP for other device addresses, it is attempting to verify what it already knew and fills in the MAC to minimize disruption to other devices. When it ARPs for its own address it uses the broadcast because it wants every machine in the broadcast domain to see this request.

HTH

Rick
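
The cases described in the answer above, as an added example that is not part of the original posts: Python that parses `debug arp` lines, labels each one as a unicast refresh, a broadcast resolution or a gratuitous ARP, and reports any IP address claimed by more than one MAC. The line layout comes from the two lines quoted in the answer; the `rcvd` direction in that same layout, the all-zero MAC handling, the function names and the last two sample lines are assumptions.

```python
import re
from collections import defaultdict

# Layout taken from the two "debug arp" lines quoted in the answer above.
LINE_RE = re.compile(
    r"IP ARP: (?P<dir>sent|rcvd) (?P<op>req|rep) "
    r"src (?P<sip>[\d.]+) (?P<smac>[0-9a-f.]{14}), "
    r"dst (?P<dip>[\d.]+) (?P<dmac>[0-9a-f.]{14}) (?P<intf>\S+)"
)
BROADCAST = "ffff.ffff.ffff"
UNRESOLVED = "0000.0000.0000"  # assumption: all-zero target MAC means "not known yet"

def parse(line):
    """Return the ARP fields of one debug line as a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def classify(ev):
    """Name the case a parsed line falls into."""
    if ev["sip"] == ev["dip"]:
        return "gratuitous"         # ARP for the sender's own address: duplicate-address check
    if ev["dmac"] in (BROADCAST, UNRESOLVED):
        return "broadcast-resolve"  # target MAC unknown, the whole segment is asked
    return "unicast-refresh"        # re-validates an entry whose MAC was already known

def find_conflicts(lines):
    """Report every source IP that appears with more than one source MAC."""
    seen = defaultdict(set)
    for ev in filter(None, map(parse, lines)):
        seen[ev["sip"]].add(ev["smac"])
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}

# The first two lines are quoted from the thread; the last two are constructed.
SAMPLE = [
    "*Apr 16 23:42:29.080 BST: IP ARP: sent req src 192.168.19.9 000e.839c.69f1, dst 192.168.19.10 0004.c1f1.e5a2 FastEthernet0/1",
    "*Apr 16 23:42:29.080 BST: IP ARP: sent rep src 192.168.19.9 000e.839c.69f1, dst 192.168.19.9 ffff.ffff.ffff FastEthernet0/1",
    "*Apr 16 23:42:29.084 BST: IP ARP: sent req src 192.168.19.9 000e.839c.69f1, dst 192.168.19.20 0000.0000.0000 FastEthernet0/1",
    "*Apr 16 23:42:29.090 BST: IP ARP: rcvd rep src 192.168.19.9 0011.2233.4455, dst 192.168.19.9 ffff.ffff.ffff FastEthernet0/1",
]

if __name__ == "__main__":
    for line in SAMPLE:
        ev = parse(line)
        print(f'{classify(ev):18} {ev["dir"]} {ev["op"]} {ev["sip"]} -> {ev["dip"]} {ev["dmac"]}')
    print("conflicts:", find_conflicts(SAMPLE))
```

The last sample line shows the condition the gratuitous ARP is meant to surface: a second MAC announcing the router's own address on the same broadcast domain.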

That is brilliant.

Thx very much. Did not know that fella :)

Ken

Thanks for the kind words (and for the rating).

I encourage you to continue your participation in the forums.

HTH

Rick
