Arp Switch Monitoring: How To Secure Your Network

What is ARP switch monitoring?

ARP (Address Resolution Protocol) is an Internet protocol used to map an IP address to a MAC address. ARP finds the MAC address, also known as the hardware address, of an IP-routed host from its known IP address and maintains this mapping information in a table. The router uses this IP address and MAC address mapping information to send IP packets to the next-hop router in the network.

ARP information monitoring and maintenance capabilities improve the management tools for ARP support in a Cisco IOS environment. The ARP administrative facilities provide detailed information about and granular control over ARP information, which can be used to investigate issues with ARP packet traffic, ARP high availability, or ARP synchronization with Cisco Express Forwarding adjacency.

The ARP debug trace facility enables ARP packet debug trace for individual types of ARP events. The ARP debugging provides filtering of ARP entries for a specified interface, for hosts that match an access list, or for both.

Characteristic   Value
Purpose          Monitor Address Resolution Protocol (ARP) traffic on a computer network
Use              Map an IP address to a MAC address
Data             IP address, MAC address, timestamp
Alert            Notify administrators of changes or additions to an IP-to-MAC pairing


ARP table entries can be selected for display based on Virtual Private Network (VPN) routing and forwarding (VRF) instance

The Address Resolution Protocol (ARP) is a protocol that bridges Layer 2 and Layer 3 of the OSI model, effectively gluing together the Ethernet and Internet Protocol layers. It is used to discover a device's MAC (media access control) address based on its known IP address. An ARP table is a method for storing the information discovered through ARP. Each device connected to a network has its own ARP table, which records the MAC and IP address pairs of devices it has communicated with.

ARP table entries can be selected for display based on the Virtual Private Network (VPN) routing and forwarding (VRF) instance. VRF is a technology included in Internet Protocol (IP) network routers that enables multiple instances of a routing table to exist in a virtual router and work simultaneously. This functionality increases connectivity by enabling network paths to be segmented without using multiple devices. VRF also increases network security and can eliminate the need for encryption and authentication.

VRF allows multiple instances of a routing table to coexist within the same router at the same time. It partitions a router by creating multiple routing tables and multiple forwarding instances. Because the routing instances are independent, you can use the same or overlapping IP addresses without conflict. The VRF table is also referred to as the VPNv4 routing table.

VRF is often used by Internet service providers to create separate VPNs for customers. When this is done, it is referred to as VPN routing and forwarding. VRF Select is a feature that allows a specified interface on a provider edge (PE) router to route packets to different VPNs based on the source IP address of the packet. This is an improvement over using a policy-based router to route packets to different VPNs.

The VRF Selection feature uses a two-table lookup mechanism at the ingress interface of the PE router to determine the routing and forwarding of packets coming from the customer networks, which use IP protocols, to the MPLS VPN networks, which use MPLS protocols. The first table, the VRF Selection table, is used to compare the source IP address of the packet with a list of IP addresses in the table. Each IP address in the table is associated with an MPLS VPN. If a match is found, the packet is routed to the second table, the VRF table, which contains the virtual routing and forwarding information for the specified VPN. The VRF table is used to forward the selected VPN traffic to the correct MPLS label-switched path based on the destination IP address of the packet.

VRF Select removes the fixed association between a VPN and an interface, so more than one MPLS VPN can be reached through the same interface, and packets from the host network to the provider network can be placed into any of the VPNs available on that interface.


The show ip arp command allows users to display certain ARP table entries

The show ip arp command allows users to display certain Address Resolution Protocol (ARP) table entries. ARP is an Internet protocol that maps an IP address to a MAC address. It establishes correspondences between network-layer addresses (Layer 3) and LAN hardware addresses (Layer 2 Media Access Control [MAC] address).

ARP is critical for network communication, as it allows devices to discover the MAC address of another device based on its known IP address. Each device connected to a network has its own ARP table, which records the discovered MAC and IP address pairs of devices it has communicated with. This information is stored for a specified period, after which the cache entry is discarded.

The show ip arp command was introduced in Cisco IOS Release 9.0. It allows users to display only certain ARP table entries based on specified criteria, such as IP address, interface, or hardware address. However, this command does not display the ARP entry modes, Cisco Express Forwarding adjacency notification information, or the associated interface for floating static ARP entries.

To display the IP ARP table, users can use the show ip arp command in Privileged EXEC Mode. This mode allows users to enter specific criteria to display the desired ARP table entries.

The show ip arp command is a valuable tool for network administrators, as it provides a quick way to view or verify directly connected hosts to a router. By monitoring ARP activity, administrators can detect issues such as ARP spoofing, network flip-flops, changed and new stations, and address reuse.
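As an added illustration of the monitoring described above (this is example code, not code from the original article or from Cisco), the Python below parses constructed sample output in the column layout of show ip arp and compares successive snapshots. It reports new stations, an IP address whose MAC address changed, one MAC address answering for several IP addresses (address reuse, which is also the usual signature of ARP spoofing), and IP-to-MAC flip-flops across a series of snapshots. The addresses, MACs and ages in the snapshots are made up; the parser assumes the IOS column layout and skips Incomplete entries because they carry no hardware address.

```python
import re

# Constructed sample output in the layout of Cisco IOS `show ip arp`; every
# address, MAC and age here is made up for the example.
SNAPSHOT_T0 = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.1               -   0000.5e00.5301  ARPA   GigabitEthernet0/0
Internet  192.0.2.10             12   0011.2233.4455  ARPA   GigabitEthernet0/0
Internet  192.0.2.20              3   0011.2233.6677  ARPA   GigabitEthernet0/0
"""
SNAPSHOT_T1 = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.1               -   0000.5e00.5301  ARPA   GigabitEthernet0/0
Internet  192.0.2.10              0   0011.2233.6677  ARPA   GigabitEthernet0/0
Internet  192.0.2.20              8   0011.2233.6677  ARPA   GigabitEthernet0/0
Internet  192.0.2.30              1   0011.2233.8899  ARPA   GigabitEthernet0/0
Internet  192.0.2.40              0   Incomplete      ARPA
"""
SNAPSHOT_T2 = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.1               -   0000.5e00.5301  ARPA   GigabitEthernet0/0
Internet  192.0.2.10              0   0011.2233.4455  ARPA   GigabitEthernet0/0
Internet  192.0.2.20             13   0011.2233.6677  ARPA   GigabitEthernet0/0
Internet  192.0.2.30              6   0011.2233.8899  ARPA   GigabitEthernet0/0
"""

# One complete entry: IP, age, dotted-hex MAC, encapsulation type, interface.
# "Incomplete" has no dotted-hex MAC, so such lines do not match and are skipped.
ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+(?:\.\d+){3})\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<type>\S+)\s+(?P<intf>\S+)",
    re.IGNORECASE,
)

def parse_show_ip_arp(text):
    """Return {ip: (mac, interface)} for the complete entries in one snapshot."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m["ip"]] = (m["mac"].lower(), m["intf"])
    return table

def diff_arp_tables(old, new):
    """Compare two snapshots; return (kind, subject, detail) alerts."""
    alerts = []
    for ip, (mac, intf) in sorted(new.items()):
        if ip not in old:
            alerts.append(("new-station", ip, f"first seen as {mac} on {intf}"))
        elif old[ip][0] != mac:
            alerts.append(("changed-mac", ip, f"{old[ip][0]} -> {mac} on {intf}"))
    # Address reuse: one hardware address now answering for several IPs.
    by_mac = {}
    for ip, (mac, _) in new.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(("address-reuse", mac, f"claims {sorted(ips)}"))
    return alerts

def find_flip_flops(snapshots):
    """Across a series of snapshots, return {ip: [mac, ...]} for every IP whose
    MAC changed and later returned to a MAC it had before (a flip-flop)."""
    history = {}
    for table in snapshots:
        for ip, (mac, _) in table.items():
            seq = history.setdefault(ip, [])
            if not seq or seq[-1] != mac:        # record only transitions
                seq.append(mac)
    return {ip: seq for ip, seq in history.items()
            if len(seq) > 2 and len(set(seq)) < len(seq)}

if __name__ == "__main__":
    t0, t1, t2 = (parse_show_ip_arp(s) for s in (SNAPSHOT_T0, SNAPSHOT_T1, SNAPSHOT_T2))
    for alert in diff_arp_tables(t0, t1):
        print("ALERT", *alert)
    print("flip-flops:", find_flip_flops([t0, t1, t2]))
```

In practice the snapshots would come from polling the router (for example over SSH) on a schedule; the comparison logic is the same. A changed-MAC alert for the default gateway's address deserves the fastest response, since that is the pairing an attacker spoofs to intercept traffic.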


Adjacency notification can be used to investigate issues with ARP packet traffic, ARP high availability (HA), or ARP notification for Cisco Express Forwarding (CEF) adjacency

Adjacency notification is a feature of the Address Resolution Protocol (ARP) that can be used to investigate issues with ARP packet traffic, high availability (HA), or notification for Cisco Express Forwarding (CEF) adjacency.

ARP is an Internet protocol used to map an IP address to a MAC address. It finds the MAC address of an IP-routed host from its known IP address and maintains this mapping in a table. The router then uses this information to send IP packets to the next-hop router in the network.

Adjacency notification is part of the detailed information provided by the ARP administrative facilities to support ARP analysis activities. This information can be used to investigate issues with ARP packet traffic, ARP HA, or ARP notification for CEF adjacency.

CEF is a packet-switching technique that is the default for most Cisco routing platforms. It provides the ability to switch packets via a device in a way that minimises the load on the router's processor.

The ARP subsystem issues an internal "ARP adjacency" notification whenever it attaches an ARP table entry to an outbound interface with a valid hardware address. This notification causes an ARP background process to synchronise the ARP entry with CEF adjacency via the adjacency database.

CEF stores forwarding information (outbound interface and MAC header rewrite) for adjacent nodes in the adjacency database. A node is considered adjacent if it can be reached with a single hop across a link layer.

The ARP subsystem synchronises the ARP entry with CEF adjacency to ensure that the router has the necessary Layer 2 addressing information to insert into link-layer headers attached to the ARP packets.


The ARP subsystem uses basic ARP table entry modes to organise the ARP entries for ARP-internal processing

The Address Resolution Protocol (ARP) is an Internet protocol used to map an IP address to a MAC address. The ARP subsystem uses basic ARP table entry modes to organise the ARP entries for ARP-internal processing. These modes are:

  • Alias: This mode is assigned to an entry that has been explicitly configured by an administrator with a local IP address, subnet mask, gateway, and corresponding MAC address. Static ARP entries are kept in the cache table on a permanent basis. They are best for local addresses that need to communicate with other devices in the same network on a regular basis.
  • Dynamic: This mode is assigned to a dynamically learned entry that was initiated by an ARP request and is associated with an external host. Dynamic ARP entries are automatically added by the Cisco IOS software and maintained for a period of time, then removed. No administrative tasks are needed unless a time limit is added. The default time limit is four hours. If the network has a large number of routes that are added and deleted from the cache, the time limit should be adjusted. A dynamic ARP entry is considered "complete" when it contains the MAC address of the external host, as supplied by an ARP reply.
  • Incomplete: This mode is a transient mode for a dynamic ARP entry. This mode indicates an entry that was initiated by an ARP request and is associated with an external host but does not contain a MAC address.
  • Interface: This mode is assigned to an entry for a local IP address that has been derived from an interface.
  • Static: This mode is assigned to an entry that has been explicitly configured by an administrator with an external IP address, subnet mask, gateway, and corresponding MAC address. Static ARP entries are kept in the cache table on a permanent basis. They are best for external devices that need to communicate with other devices in the same network on a regular basis. A static ARP entry is said to be "floating" if it is not associated with any interface when it is configured.


The ARP subsystem attaches subblocks to alias, dynamic and static ARP entries to specify information needed by the ARP timer process

The Address Resolution Protocol (ARP) subsystem attaches subblocks to alias, dynamic, and static ARP entries to specify information needed by the ARP timer process. This process coordinates the periodic refresh operation that ensures the validity of the associations between IP addresses and MAC addresses defined by these entries.

The ARP subsystem uses basic and application-specific ARP table entry modes to organise the ARP entries for ARP-internal processing. Basic ARP table entry modes include alias, dynamic, incomplete, interface, and static.

Alias entries are assigned to an entry that has been explicitly configured by an administrator with a local IP address, subnet mask, gateway, and corresponding MAC address. Static ARP entries are kept in the cache table on a permanent basis and are best for local addresses that need to communicate with other devices in the same network on a regular basis.

Dynamic entries are assigned to a dynamically learned entry that was initiated by an ARP request and is associated with an external host. Dynamic ARP entries are automatically added by the Cisco IOS software and maintained for a period of time (by default, four hours) before being removed.

Incomplete entries are a transient mode for a dynamic ARP entry. This mode indicates an entry that was initiated by an ARP request and is associated with an external host but does not contain a MAC address.

Interface entries are assigned to an entry for a local IP address that has been derived from an interface.

Static entries are assigned to an entry that has been explicitly configured by an administrator with an external IP address, subnet mask, gateway, and corresponding MAC address. Static ARP entries are kept in the cache table on a permanent basis and are best for external devices that need to communicate with other devices in the same network on a regular basis.

Application-specific ARP table entry modes include simple application, application alias, and application timer.

Simple application entries are assigned to an application-created entry that represents an external device.

Application alias entries are assigned to an application-created entry that is associated with a local address.

Application timer entries are assigned to an application-created entry that is associated with an external device. The ARP subsystem provides timer-based services to applications that create entries of this mode.

The ARP entry subblock structure provides the means to attach non-ARP intrinsic data to selected ARP entries. When an ARP entry inserted into the ARP table requires special, ARP-internal handling, the information needed by the process that performs the special handling is defined in a subblock that is attached to the ARP entry.


Frequently asked questions

An ARP switch is a device that uses the Address Resolution Protocol (ARP) to map an IP address to a MAC address. It is used to obtain the physical address when only the logical address is known.

The purpose of an ARP switch is to enable communication between devices on a network by mapping IP addresses to MAC addresses. This is necessary because IP packets cannot be sent directly to another device without first determining the MAC address of the destination device.

When a device wants to send data to another device on the same network, it first checks its ARP table to see if it has the MAC address for the destination IP address. If it does not have the MAC address, it broadcasts an ARP request to all devices on the network. The device with the matching IP address then responds with its MAC address, which the source device adds to its ARP table before sending the data.

The use of an ARP switch improves network communication by reducing the need for devices to broadcast ARP requests every time they want to send data. Once a MAC address is learned, it is stored in the ARP table for a specified period of time, so future communications with that device can be done more efficiently.

There are several ways to monitor an ARP switch, including using network management tools or accessing the ARP table through a device's Command-Line Interface (CLI) or Graphical User Interface (GUI). Additionally, tools such as Wireshark can be used to capture and analyse network packets, including ARP packets.
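To make the request/reply exchange described in the answers above concrete, here is an added Python simulation; it is not code from the article and never touches a real network. It encodes and decodes the 28-byte Ethernet/IPv4 ARP payload in the same field layout a packet analyser such as Wireshark dissects, and models two hosts whose dynamic cache entries expire after the four-hour default the article quotes, so a second lookup is served from the cache while a lookup after expiry triggers a fresh broadcast request. The host addresses are constructed, and the Host and Network classes are illustrative simplifications, not any vendor's implementation.

```python
import struct

HTYPE_ETHERNET, PTYPE_IPV4, OP_REQUEST, OP_REPLY = 1, 0x0800, 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"        # 28-byte ARP payload for Ethernet/IPv4 (RFC 826 layout)
DEFAULT_TIMEOUT = 4 * 60 * 60    # seconds; the four-hour dynamic-entry lifetime quoted above

def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(s): return bytes(int(o) for o in s.split("."))
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp(op, sha, spa, tha, tpa):
    """Encode one ARP payload: sender/target hardware (MAC) and protocol (IP) addresses."""
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                       mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))

def parse_arp(payload):
    """Decode an ARP payload into a dict; rejects anything that is not Ethernet/IPv4 ARP."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}

class Host:
    """A simplified host with a dynamic ARP cache whose entries age out (illustrative)."""
    def __init__(self, ip, mac, timeout=DEFAULT_TIMEOUT):
        self.ip, self.mac, self.timeout = ip, mac, timeout
        self.cache = {}            # ip -> (mac, learned_at)
        self.requests_sent = 0

    def lookup(self, ip, now):
        entry = self.cache.get(ip)
        if entry is None:
            return None
        mac, learned_at = entry
        if now - learned_at >= self.timeout:   # entry aged out: discard it
            del self.cache[ip]
            return None
        return mac

    def resolve(self, ip, now, network):
        """Step 1: consult the cache. Step 2: on a miss, broadcast a request and cache the reply."""
        mac = self.lookup(ip, now)
        if mac is not None:
            return mac
        self.requests_sent += 1
        request = build_arp(OP_REQUEST, self.mac, self.ip, "00:00:00:00:00:00", ip)
        for reply in network.broadcast(self, request, now):
            info = parse_arp(reply)
            if info["op"] == OP_REPLY and info["spa"] == ip:
                self.cache[ip] = (info["sha"], now)
                return info["sha"]
        return None

    def receive(self, payload, now):
        """Only the host owning the target IP answers; it also learns the requester's pairing."""
        info = parse_arp(payload)
        if info["op"] == OP_REQUEST and info["tpa"] == self.ip:
            self.cache[info["spa"]] = (info["sha"], now)
            return build_arp(OP_REPLY, self.mac, self.ip, info["sha"], info["spa"])
        return None

class Network:
    """A broadcast domain: every host except the sender sees the request."""
    def __init__(self, hosts): self.hosts = hosts
    def broadcast(self, sender, payload, now):
        return [r for h in self.hosts if h is not sender
                for r in [h.receive(payload, now)] if r is not None]

def demo():
    # Constructed addresses for the two simulated hosts.
    a = Host("192.0.2.10", "02:00:00:00:00:0a")
    b = Host("192.0.2.20", "02:00:00:00:00:0b")
    net = Network([a, b])
    first = a.resolve("192.0.2.20", now=0, network=net)                   # miss: request/reply
    second = a.resolve("192.0.2.20", now=60, network=net)                 # served from cache
    third = a.resolve("192.0.2.20", now=DEFAULT_TIMEOUT + 1, network=net) # aged out: new request
    return first, second, third, a.requests_sent

if __name__ == "__main__":
    print(demo())   # three identical MACs, and only two requests were sent
```

The parse_arp check on the hardware and protocol type fields is the same sanity check a dissector applies before trusting the address fields; a capture tool sees both the broadcast request and the unicast reply, which is why the ARP traffic the FAQ mentions can be reviewed for replies that no request asked for.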
