ARP (Address Resolution Protocol)
The ARP command is a tremendous troubleshooting tool for ARP issues as well as layer two troubleshooting. ARP stands for Address Resolution Protocol and is responsible for mapping layer three IP addresses to layer two MAC addresses.
Whenever a computer needs to send information to another host on a directly connected subnet, it will first check its ARP cache. If a mapping exists, it will send the traffic based on this information. If no mapping exists in the cache, it will send out an ARP request asking the IP's owner to send back its MAC address.
To view the ARP cache, I issue arp -a. If you scroll up, you can see all of the different cached entries based on interface. I'm gonna go ahead and clear the screen now. Say, for example, I have a rogue DHCP server on the network. He's handing me an IP and a default gateway. It's a false path to the Internet. I can run ipconfig /all and take note of the DHCP server that handed me the IP.
I’ll scroll up, and use my actual valid gateway as an example. 10.3.25.1. I’ll clear the screen again. Next, I’ll ping the IP of the server. Ping 10.3.25.1. This will force my machine to do an ARP request to that rogue server. I’ll clear the screen again. I can now issue the arp -a command and determine what the MAC address associated with that device is.
I’m gonna scroll up until I find it. I’ve noted that the ARP entry for 10.3.25.1 is listed right here, under interface for 10.3.25.52. Then, I could track the MAC of this client in my switches and shut him down.
The ARP cache breaks down the IP-to-MAC mappings per interface. It will list them as either static, which are user or system created, or dynamic, if they are learned from a neighbor. I'm gonna clear this screen now.
If I have a specific IP address I'm looking for, I can issue arp -a followed by the IP address to get any cached results for that matching IP. I'll do it with our default gateway, 10.3.25.1. I'm gonna clear this screen now. If I have a cached entry that I wanna remove, I can issue arp -d followed by the IP address to have it removed. I'll enter my default gateway, 10.3.25.1.
Though not frequently necessary, arp -s followed by the IP address and then the MAC address lets me add a static ARP entry. The ARP command isn't used very frequently, but when it's necessary, it's indispensable.
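The lookup described above can be scripted when the cache is too long to scroll through. This is an added example, not part of the original article: it parses arp -a output per interface and finds the MAC cached for one IP. The sample output is constructed and its MAC addresses are made up. The shared_macs helper goes a step beyond the text and flags a MAC that answers for more than one IP, which is what you would see if one device holds both the DHCP server address and the gateway address.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output; the MAC addresses are made up.
SAMPLE = """
Interface: 10.3.25.52 --- 0xb
  Internet Address      Physical Address      Type
  10.3.25.1             00-1a-2b-3c-4d-5e     dynamic
  10.3.25.20            00-1a-2b-3c-4d-5e     dynamic
  10.3.25.255           ff-ff-ff-ff-ff-ff     static

Interface: 192.168.56.1 --- 0x12
  Internet Address      Physical Address      Type
  192.168.56.255        ff-ff-ff-ff-ff-ff     static
"""

IFACE = re.compile(r"^Interface:\s+(\S+)\s+---\s+0x[0-9a-fA-F]+")
ENTRY = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
                   r"((?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s+(static|dynamic)")

def parse_arp(text):
    """Return {interface_ip: [(ip, mac, type), ...]} from `arp -a` output."""
    cache, current = {}, None
    for line in text.splitlines():
        m = IFACE.match(line)
        if m:
            current = m.group(1)
            cache[current] = []
        elif current and (m := ENTRY.match(line)):
            cache[current].append((m.group(1), m.group(2).lower(), m.group(3)))
    return cache

def lookup(cache, ip):
    """Every cached (interface, mac, type) for one IP, like `arp -a <ip>`."""
    return [(iface, mac, kind) for iface, rows in cache.items()
            for addr, mac, kind in rows if addr == ip]

def shared_macs(cache):
    """Dynamic entries where one MAC answers for more than one IP."""
    seen = defaultdict(set)
    for iface, rows in cache.items():
        for addr, mac, kind in rows:
            if kind == "dynamic":
                seen[(iface, mac)].add(addr)
    return {key: sorted(ips) for key, ips in seen.items() if len(ips) > 1}

if __name__ == "__main__":
    cache = parse_arp(SAMPLE)
    print(lookup(cache, "10.3.25.1"), shared_macs(cache))
```

To run it against a live cache, pass the text captured from arp -a to parse_arp in place of SAMPLE.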