
Week7b - Address Resolution

Uploaded by

theeeclipse17

Address Resolution

Objective: Explain how ARP and ND enable communication on a network.

Introduction
Hosts and routers both create routing tables to ensure that they can send and receive data across networks. So how
does this information get created in a routing table? As a network administrator, you could enter these MAC and IP
addresses manually. But that would take a lot of time and the likelihood of making a few mistakes is great. Are you
thinking that there must be some way that this could be done automatically, by the hosts and routers themselves?
Of course, you are correct! And even though it is automatic, you must still understand how this works, because you
may have to troubleshoot a problem, or worse, your network could be attacked by a threat actor.

MAC and IP
Destination on Same Network
Sometimes a host must send a message, but it only knows the IP address of the destination device. The host needs
to know the MAC address of that device, but how can it be discovered? That is where address resolution becomes
critical.
There are two primary addresses assigned to a device on an Ethernet LAN:
• Physical address (the MAC address) – Used for NIC-to-NIC communications on the same Ethernet network.
• Logical address (the IP address) – Used to send the packet from the source device to the destination device. The
destination IP address may be on the same IP network as the source or it may be on a remote network.
Layer 2 physical addresses (i.e., Ethernet MAC addresses) are used to deliver the data link frame with the
encapsulated IP packet from one NIC to another NIC that is on the same network. If the destination IP address is on
the same network, the destination MAC address will be that of the destination device.
Consider the following example using simplified MAC address representations.

In this example, PC1 wants to send a packet to PC2. The figure displays the Layer 2 destination and source MAC
addresses and the Layer 3 IPv4 addressing that would be included in the packet sent from PC1.
The Layer 2 Ethernet frame contains the following:
• Destination MAC address – This is the simplified MAC address of PC2, 55-55-55.
• Source MAC address – This is the simplified MAC address of the Ethernet NIC on PC1, aa-aa-aa.
The Layer 3 IP packet contains the following:
• Source IPv4 address – This is the IPv4 address of PC1, 192.168.10.10.
• Destination IPv4 address – This is the IPv4 address of PC2, 192.168.10.11.
Destination on Remote Network
When the destination IP address (IPv4 or IPv6) is on a remote network, the destination MAC address will be the
address of the host default gateway (i.e., the router interface).

Consider the following example using a simplified MAC address representation.

In this example, PC1 wants to send a packet to PC2. PC2 is located on a remote network. Because the destination IPv4
address is not on the same local network as PC1, the destination MAC address is that of the local default gateway on
the router.

Routers examine the destination IPv4 address to determine the best path to forward the IPv4 packet. When the
router receives the Ethernet frame, it de-encapsulates the Layer 2 information. Using the destination IPv4 address, it
determines the next-hop device, and then encapsulates the IPv4 packet in a new data link frame for the outgoing
interface.

In our example, R1 would now encapsulate the packet with new Layer 2 address information as shown in the figure.

The new destination MAC address would be that of the R2 G0/0/1 interface and the new source MAC address would
be that of the R1 G0/0/1 interface.

Along each link in a path, an IP packet is encapsulated in a frame. The frame is specific to the data link technology
that is associated with that link, such as Ethernet. If the next-hop device is the final destination, the destination MAC
address will be that of the device Ethernet NIC, as shown in the figure.
How are the IP addresses of the IP packets in a data flow associated with the MAC addresses on each link along the
path to the destination? For IPv4 packets, this is done through a process called Address Resolution Protocol (ARP).
For IPv6 packets, the process is ICMPv6 Neighbor Discovery (ND).
Packet Tracer - Identify MAC and IP Addresses
Objectives
Part 1: Gather PDU Information for Local Network Communication
Part 2: Gather PDU Information for Remote Network Communication

Background
This activity is optimized for viewing PDUs. The devices are already configured. You will gather PDU
information in simulation mode and answer a series of questions about the data you collect.

Instructions

Part 1: Gather PDU Information for Local Network Communication


Note: Review the Reflection Questions in Part 3 before proceeding with Part 1. It will give you an idea of
the type of information you will need to gather PDU information as a packet travels from 172.16.31.5 to
172.16.31.2.
a. Click 172.16.31.5 and open the Command Prompt.
b. Enter the ping 172.16.31.2 command.
c. Switch to simulation mode and repeat the ping 172.16.31.2 command. A PDU appears next to
172.16.31.5.
d. Click the PDU and note the following information from the OSI Model and Outbound PDU Layer
tabs:
o Destination MAC Address: 000C:85CC:1DA7
o Source MAC Address: 00D0:D311:C788
o Source IP Address: 172.16.31.5
o Destination IP Address: 172.16.31.2
o At Device: 172.16.31.5
e. Click Capture / Forward (the right arrow followed by a vertical bar) to move the PDU to the next
device. Gather the same information from Step 1d. Repeat this process until the PDU reaches its
destination. Record the PDU information you gathered into a spreadsheet using a format like the table
shown below:

Example Spreadsheet Format

At Device     Dest. MAC        Src MAC          Src IPv4      Dest IPv4
172.16.31.5   000C:85CC:1DA7   00D0:D311:C788   172.16.31.5   172.16.31.2
Switch1       000C:85CC:1DA7   00D0:D311:C788   N/A           N/A
Hub           N/A              N/A              N/A           N/A
172.16.31.2   00D0:D311:C788   000C:85CC:1DA7   172.16.31.2   172.16.31.5

Step 2: Gather additional PDU information from other pings.


Repeat the process in Step 1 and gather the information for the following tests:
• Ping 172.16.31.2 from 172.16.31.3.

• Ping 172.16.31.4 from 172.16.31.5.


Return to Realtime mode.
Part 2: Gather PDU Information for Remote Network Communication
In order to communicate with remote networks, a gateway device is necessary. Study the process that
takes place to communicate with devices on the remote network. Pay close attention to the MAC addresses
used.
Step 1: Gather PDU information as a packet travels from 172.16.31.5 to 10.10.10.2.
a. Click 172.16.31.5 and open the Command Prompt.
b. Enter the ping 10.10.10.2 command.
c. Switch to simulation mode and repeat the ping 10.10.10.2 command. A PDU appears next to
172.16.31.5.
d. Click the PDU and note the following information from the Outbound PDU Layer tab:
• Destination MAC Address: 00D0:BA8E:741A
• Source MAC Address: 00D0:D311:C788
• Source IP Address: 172.16.31.5
• Destination IP Address: 10.10.10.2
• At Device: 172.16.31.5
Question:
What device has the destination MAC that is shown?
e. Click Capture / Forward (the right arrow followed by a vertical bar) to move the PDU to the next
device. Gather the same information from Step 1d. Repeat this process until the PDU reaches its
destination. Record the PDU information you gathered from pinging 172.16.31.5 to 10.10.10.2 into a
spreadsheet using a format like the sample table shown below:

At Device      Dest. MAC        Src MAC          Src IPv4      Dest IPv4
172.16.31.5    00D0:BA8E:741A   00D0:D311:C788   172.16.31.5   10.10.10.2
Switch1        00D0:BA8E:741A   00D0:D311:C788   N/A           N/A
Router         0060:2F84:4AB6   00D0:588C:2401   172.16.31.5   10.10.10.2
Switch0        0060:2F84:4AB6   00D0:588C:2401   N/A           N/A
Access Point   N/A              N/A              N/A           N/A
10.10.10.2     00D0:588C:2401   0060:2F84:4AB6   10.10.10.2    172.16.31.5

Reflection Questions
Answer the following questions regarding the captured data:
1. Were there different types of cables/media used to connect devices?
2. Did the cables change the handling of the PDU in any way?
3. Did the Hub lose any of the information that it received?

4. What does the Hub do with MAC addresses and IP addresses?


5. Did the wireless Access Point do anything with the information given to it?
6. Was any MAC or IP address lost during the wireless transfer?
7. What was the highest OSI layer that the Hub and Access Point used?
8. Did the Hub or Access Point ever replicate a PDU that was rejected with a red “X”?
9. When examining the PDU Details tab, which MAC address appeared first, the source or the destination?
10. Why would the MAC addresses appear in this order?
11. Was there a pattern to the MAC addressing in the simulation?
12. Did the switches ever replicate a PDU that was rejected with a red “X”?
13. Every time that the PDU was sent between the 10 network and the 172 network, there was a point where
the MAC addresses suddenly changed. Where did that occur?
14. Which device uses MAC addresses that start with 00D0:BA?
15. What devices did the other MAC addresses belong to?
16. Did the sending and receiving IPv4 addresses change fields in any of the PDUs?
17. When you follow the reply to a ping, sometimes called a pong, do you see the sending and receiving IPv4
addresses switch?
18. What is the pattern to the IPv4 addressing used in this simulation?
19. Why do different IP networks need to be assigned to different ports of a router?
20. If this simulation was configured with IPv6 instead of IPv4, what would be different?

Check Your Understanding - MAC and IP

Answers

1.B 2.C 3.B&D


ARP
ARP Overview
If your network is using the IPv4 communications protocol, the Address Resolution Protocol, or ARP, is what you
need to map IPv4 addresses to MAC addresses. This topic explains how ARP works.

Every IP device on an Ethernet network has a unique Ethernet MAC address. When a device sends an Ethernet Layer
2 frame, it contains these two addresses:

Destination MAC address - The Ethernet MAC address of the destination device on the same local network segment.
If the destination host is on another network, then the destination address in the frame would be that of the default
gateway (i.e., router).

Source MAC address - The MAC address of the Ethernet NIC on the source host.

The figure illustrates the problem when sending a frame to another host on the same segment on an IPv4 network.

To send a packet to another host on the same local IPv4 network, a host must know the IPv4 address and the MAC
address of the destination device. Device destination IPv4 addresses are either known or resolved by device name.
However, MAC addresses must be discovered.

A device uses Address Resolution Protocol (ARP) to determine the destination MAC address of a local device when it
knows its IPv4 address.

ARP provides two basic functions:

i. Resolving IPv4 addresses to MAC addresses


ii. Maintaining a table of IPv4 to MAC address mappings

ARP Functions
When a packet is sent to the data link layer to be encapsulated into an Ethernet frame, the device refers to a table in
its memory to find the MAC address that is mapped to the IPv4 address. This table is stored temporarily in RAM
memory and called the ARP table or the ARP cache.

The sending device will search its ARP table for a destination IPv4 address and a corresponding MAC address.

If the packet’s destination IPv4 address is on the same network as the source IPv4 address, the device will search the
ARP table for the destination IPv4 address.

If the destination IPv4 address is on a different network than the source IPv4 address, the device will search the ARP
table for the IPv4 address of the default gateway.

In both cases, the search is for an IPv4 address and a corresponding MAC address for the device.
Each entry, or row, of the ARP table binds an IPv4 address with a MAC address. We call the relationship between the
two values a map. This simply means that you can locate an IPv4 address in the table and discover the corresponding
MAC address. The ARP table temporarily saves (caches) the mapping for the devices on the LAN.

If the device locates the IPv4 address, its corresponding MAC address is used as the destination MAC address in the
frame. If no entry is found, then the device sends an ARP request.

ARP Operation - ARP Request


An ARP request is sent when a device needs to determine the MAC address that is associated with an IPv4 address,
and it does not have an entry for the IPv4 address in its ARP table.

ARP messages are encapsulated directly within an Ethernet frame. There is no IPv4 header. The ARP request is
encapsulated in an Ethernet frame using the following header information:

Destination MAC address – This is a broadcast address FF-FF-FF-FF-FF-FF requiring all Ethernet NICs on the LAN to
accept and process the ARP request.

Source MAC address – This is the MAC address of the sender of the ARP request.

Type - ARP messages have a type field of 0x806. This informs the receiving NIC that the data portion of the frame
needs to be passed to the ARP process.

Because ARP requests are broadcasts, they are flooded out all ports by the switch, except the receiving port. All
Ethernet NICs on the LAN process broadcasts and must deliver the ARP request to their operating systems for
processing. Every device must process the ARP request to see if the target IPv4 address matches its own. A router
will not forward broadcasts out other interfaces.

Only one device on the LAN will have an IPv4 address that matches the target IPv4 address in the ARP request. All
other devices will not reply.

Log into the Cisco academy and play video 9.2.3 to view a demonstration of an ARP request for a destination IPv4
address that is on the local network.
ARP Operation - ARP Reply
Only the device with the target IPv4 address associated with the ARP request will respond with an ARP reply. The
ARP reply is encapsulated in an Ethernet frame using the following header information:
Destination MAC address – This is the MAC address of the sender of the ARP request.
Source MAC address – This is the MAC address of the sender of the ARP reply.
Type - ARP messages have a type field of 0x806. This informs the receiving NIC that the data portion of the frame
needs to be passed to the ARP process.
Only the device that originally sent the ARP request will receive the unicast ARP reply. After the ARP reply is
received, the device will add the IPv4 address and the corresponding MAC address to its ARP table. Packets destined
for that IPv4 address can now be encapsulated in frames using its corresponding MAC address.
If no device responds to the ARP request, the packet is dropped because a frame cannot be created.
Entries in the ARP table are time stamped. If a device does not receive a frame from a particular device before the
timestamp expires, the entry for this device is removed from the ARP table.
Additionally, static map entries can be entered in an ARP table, but this is rarely done. Static ARP table entries do not
expire over time and must be manually removed.
Note: IPv6 uses a similar process to ARP for IPv4, known as ICMPv6 Neighbor Discovery (ND). IPv6 uses neighbor
solicitation and neighbor advertisement messages, similar to IPv4 ARP requests and ARP replies.
Log into the Cisco academy and play video 9.2.4 to view a demonstration of an ARP reply.
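
The header fields listed for the ARP request and ARP reply, as an added example that is not part of the original notes: it builds both frames byte for byte and parses them back. The IPv4 addresses are PC1 and PC2 from the earlier figure; the full-length MAC addresses are constructed and the function names are hypothetical.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806            # written "0x806" in the text above
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"    # target MAC is not yet known in a request
OP_REQUEST, OP_REPLY = 1, 2


def mac_to_bytes(mac):
    """Accept aa:bb:.. or AA-BB-.. notation and return 6 raw bytes."""
    raw = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return raw


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(op, eth_dst, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header (14 bytes) followed by the 28-byte ARP payload."""
    ethernet = mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac)
    ethernet += struct.pack("!H", ETHERTYPE_ARP)
    # hardware type 1 = Ethernet, protocol type 0x0800 = IPv4, lengths 6 and 4
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_to_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_to_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return ethernet + arp


def parse_arp_frame(frame):
    """Decode one Ethernet frame carrying ARP; raise ValueError otherwise."""
    if len(frame) < 42:
        raise ValueError("frame shorter than Ethernet header + ARP payload")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"EtherType 0x{ethertype:04x} is not ARP")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    eth_dst = bytes_to_mac(frame[0:6])
    eth_src = bytes_to_mac(frame[6:12])
    sender_mac = bytes_to_mac(frame[22:28])
    return {
        "eth_dst": eth_dst,
        "eth_src": eth_src,
        "op": {OP_REQUEST: "request", OP_REPLY: "reply"}.get(op, f"unknown({op})"),
        "sender_mac": sender_mac,
        "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": str(ipaddress.IPv4Address(frame[38:42])),
        "is_broadcast": eth_dst == BROADCAST_MAC,
        # The Ethernet source and the ARP sender field normally agree;
        # a mismatch is worth a closer look when reading a capture.
        "src_matches_sender": eth_src == sender_mac,
    }


# Constructed sample frames: PC1 asks for PC2's MAC, PC2 answers by unicast.
PC1_MAC, PC2_MAC = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"
REQUEST = build_arp_frame(OP_REQUEST, BROADCAST_MAC, PC1_MAC, "192.168.10.10",
                          ZERO_MAC, "192.168.10.11")
REPLY = build_arp_frame(OP_REPLY, PC1_MAC, PC2_MAC, "192.168.10.11",
                        PC1_MAC, "192.168.10.10")

if __name__ == "__main__":
    for frame in (REQUEST, REPLY):
        print(frame.hex())
        print(parse_arp_frame(frame))
```

The hex dump shows there is no IPv4 header: the ARP payload starts immediately after the two-byte type field.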

ARP Role in Remote Communications


When the destination IPv4 address is not on the same network as the source IPv4 address, the source device needs
to send the frame to its default gateway. This is the interface of the local router. Whenever a source device has a
packet with an IPv4 address on another network, it will encapsulate that packet in a frame using the destination
MAC address of the router.
The IPv4 address of the default gateway is stored in the IPv4 configuration of the hosts. When a host creates a
packet for a destination, it compares the destination IPv4 address and its own IPv4 address to determine if the two
IPv4 addresses are located on the same Layer 3 network. If the destination host is not on its same network, the
source checks its ARP table for an entry with the IPv4 address of the default gateway. If there is not an entry, it uses
the ARP process to determine a MAC address of the default gateway.
Log into the Cisco academy and play video 9.2.4 to view a demonstration of an ARP request and ARP reply associated
with the default gateway.

Removing Entries from an ARP Table


For each device, an ARP cache timer removes ARP entries that have not been used for a specified period of time. The
times differ depending on the operating system of the device. For example, newer Windows operating systems store
ARP table entries between 15 and 45 seconds, as illustrated in the figure.
Commands may also be used to manually remove some or all of the entries in the ARP table. After
an entry has been removed, the process for sending an ARP request and receiving an ARP reply must occur
again to enter the map in the ARP table.
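
The lookup logic from ARP Functions, the default-gateway case and the cache timer, modelled together as an added example that is not part of the original notes. The host and MAC addresses come from the Packet Tracer tables above; the /24 prefix, the gateway address 172.16.31.1, the 45-second timeout and the class and method names are assumptions.

```python
import ipaddress


class ArpCache:
    """Toy model of a host's ARP table; no packets are sent."""

    def __init__(self, interface, default_gateway, timeout=45.0):
        self.interface = ipaddress.ip_interface(interface)
        self.gateway = ipaddress.ip_address(default_gateway)
        self.timeout = timeout      # seconds; real timers vary by operating system
        self.dynamic = {}           # IPv4Address -> (mac, time last refreshed)
        self.static = {}            # IPv4Address -> mac, never expires

    def lookup_address(self, destination):
        """IPv4 address whose MAC is needed: the destination or the gateway."""
        dst = ipaddress.ip_address(destination)
        return dst if dst in self.interface.network else self.gateway

    def learn(self, ip, mac, now):
        """Record the mapping carried by an ARP reply received at time now."""
        self.dynamic[ipaddress.ip_address(ip)] = (mac, now)

    def add_static(self, ip, mac):
        """Manually entered mapping; stays until removed by hand."""
        self.static[ipaddress.ip_address(ip)] = mac

    def expire(self, now):
        """Drop dynamic entries whose timer ran out; return the removed IPs."""
        stale = [ip for ip, (_, seen) in self.dynamic.items()
                 if now - seen >= self.timeout]
        for ip in stale:
            del self.dynamic[ip]
        return [str(ip) for ip in stale]

    def resolve(self, destination, now):
        """Return (outcome, address looked up, MAC or None)."""
        self.expire(now)
        target = self.lookup_address(destination)
        if target in self.static:
            return ("static", str(target), self.static[target])
        if target in self.dynamic:
            return ("cached", str(target), self.dynamic[target][0])
        # No entry: the frame cannot be built until an ARP request is answered.
        return ("arp-request", str(target), None)


def demo():
    """Replay the two lab pings from 172.16.31.5 on a simulated clock."""
    host = ArpCache("172.16.31.5/24", "172.16.31.1", timeout=45.0)
    steps = [host.resolve("172.16.31.2", now=0)]         # local, table empty
    host.learn("172.16.31.2", "000C:85CC:1DA7", now=0)   # ARP reply arrives
    steps.append(host.resolve("172.16.31.2", now=10))    # local, now cached
    steps.append(host.resolve("10.10.10.2", now=10))     # remote: ask for gateway
    host.learn("172.16.31.1", "00D0:BA8E:741A", now=10)  # gateway's ARP reply
    steps.append(host.resolve("10.10.10.2", now=20))     # remote, gateway cached
    steps.append(host.resolve("172.16.31.2", now=50))    # entry aged out at 45 s
    return steps


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The third step is the point the lab's Part 3 asks about: the address looked up for a remote destination is the gateway's, never 10.10.10.2 itself.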
ARP Tables on Networking Devices
On a Cisco router, the show ip arp command is used to display the ARP table, as shown in the figure.

On a Windows 10 PC, the arp -a command is used to display the ARP table, as shown in the figure.

ARP Issues - ARP Broadcasts and ARP Spoofing


As a broadcast frame, an ARP request is received and processed by every device on the local network. On a typical
business network, these broadcasts would probably have minimal impact on network performance. However, if a
large number of devices were to be powered up and all start accessing network services at the same time, there
could be some reduction in performance for a short period of time, as shown in the figure. After the devices send
out the initial ARP broadcasts and have learned the necessary MAC addresses, any impact on the network will be
minimized.

In some cases, the use of ARP can lead to a potential security risk. A threat actor can use ARP spoofing to perform an
ARP poisoning attack. This is a technique used by a threat actor to reply to an ARP request for an IPv4 address that
belongs to another device, such as the default gateway, as shown in the figure. The threat actor sends an ARP reply
with its own MAC address. The receiver of the ARP reply will add the wrong MAC address to its ARP table and send
these packets to the threat actor.
Enterprise level switches include mitigation techniques known as dynamic ARP inspection (DAI). DAI is beyond the
scope of this course.
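
A defender's view of the poisoning described above, as an added example that is not part of the original notes: it replays observed ARP messages and flags replies nobody asked for and IP-to-MAC bindings that change. All events, MAC addresses and the gateway address 192.168.10.1 are constructed, and the trusted table stands in for whatever list of known-good bindings an administrator keeps.

```python
from collections import namedtuple

# One observed ARP message, for example as decoded from a capture on the LAN.
ArpEvent = namedtuple("ArpEvent", "ts op sender_ip sender_mac target_ip")


def detect_arp_anomalies(events, trusted=None, reply_window=2.0):
    """Return (ts, kind, ip, claimed_mac, expected_mac) alerts in time order."""
    trusted = trusted or {}     # ip -> MAC the administrator knows to be right
    learned = {}                # ip -> MAC first observed on the wire
    pending = {}                # ip that was asked for -> time of latest request
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op == "request":
            pending[ev.target_ip] = ev.ts
        elif ev.op == "reply":
            asked = pending.get(ev.sender_ip)
            if asked is None or ev.ts - asked > reply_window:
                alerts.append((ev.ts, "unsolicited-reply",
                               ev.sender_ip, ev.sender_mac, None))
        # Requests and replies both advertise the sender's IP-to-MAC binding.
        expected = trusted.get(ev.sender_ip, learned.get(ev.sender_ip))
        if expected is None:
            learned[ev.sender_ip] = ev.sender_mac
        elif expected != ev.sender_mac:
            kind = ("trusted-binding-violation" if ev.sender_ip in trusted
                    else "binding-changed")
            alerts.append((ev.ts, kind, ev.sender_ip, ev.sender_mac, expected))
    return alerts


# Constructed sample traffic (times in seconds).
GATEWAY_IP, GATEWAY_MAC = "192.168.10.1", "00:00:5e:00:53:01"
PC1_IP, PC1_MAC = "192.168.10.10", "00:00:5e:00:53:0a"
PC2_IP, PC2_MAC = "192.168.10.11", "00:00:5e:00:53:0b"
ROGUE_MAC = "00:00:5e:00:53:66"

SAMPLE_EVENTS = [
    ArpEvent(0.00, "request", PC1_IP, PC1_MAC, GATEWAY_IP),
    ArpEvent(0.01, "reply", GATEWAY_IP, GATEWAY_MAC, PC1_IP),
    # Nobody asked, and the MAC differs from the one the gateway used before.
    ArpEvent(30.00, "reply", GATEWAY_IP, ROGUE_MAC, PC1_IP),
    ArpEvent(31.00, "request", PC2_IP, PC2_MAC, PC1_IP),
    ArpEvent(31.01, "reply", PC1_IP, PC1_MAC, PC2_IP),
]

if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_EVENTS,
                                      trusted={GATEWAY_IP: GATEWAY_MAC}):
        print(alert)
```

Without a trusted table the detector believes whichever binding it saw first, so pinning the gateway's MAC is what makes a conflicting reply unambiguous. Legitimate address changes and gratuitous ARP announcements raise the same alerts and need triage.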

Packet Tracer Activity - Examine the ARP Table


In this Packet Tracer activity, you will complete the following objectives:

Examine an ARP Request

Examine a Switch MAC Address Table

Examine the ARP Process in Remote Communications

This activity is optimized for viewing PDUs. The devices are already configured. You will gather PDU information in
simulation mode and answer a series of questions about the data you collect.

Packet Tracer - Examine the ARP Table


Addressing Table

Objectives

Part 1: Examine an ARP Request

Part 2: Examine a Switch MAC Address Table

Part 3: Examine the ARP Process in Remote Communications


Background

This activity is optimized for viewing PDUs. The devices are already configured. You will gather PDU
information in simulation mode and answer a series of questions about the data you collect.

Instructions

Part 1: Examine an ARP Request

Step 1: Generate ARP requests by pinging 172.16.31.3 from 172.16.31.2.

a. Click 172.16.31.2 and open the Command Prompt.

b. Enter the arp -d command to clear the ARP table.

c. Enter Simulation mode and enter the command ping 172.16.31.3. Two PDUs will be generated. The
ping command cannot complete the ICMP packet without knowing the MAC address of the destination.
So the computer sends an ARP broadcast frame to find the MAC address of the destination.

d. Click Capture/Forward once. The ARP PDU moves to Switch1 while the ICMP PDU disappears, waiting
for the ARP reply. Open the PDU and record the destination MAC address.

Question:

Is this address listed in the table above?

e. Click Capture/Forward to move the PDU to the next device.

Question:

How many copies of the PDU did Switch1 make?

What is the IP address of the device that accepted the PDU?

f. Open the PDU and examine Layer 2.

Question:

What happened to the source and destination MAC addresses?

g. Click Capture/Forward until the PDU returns to 172.16.31.2.

Question:

How many copies of the PDU did the switch make during the ARP reply?

Step 2: Examine the ARP table.

a. Note that the ICMP packet reappears. Open the PDU and examine the MAC addresses.

Question:

Do the MAC addresses of the source and destination align with their IP addresses?

b. Switch back to Realtime and the ping completes.

c. Click 172.16.31.2 and enter the arp -a command.


Question:

To what IP address does the MAC address entry correspond?

In general, when does an end device issue an ARP request?

Part 2: Examine a Switch MAC Address Table

Step 1: Generate additional traffic to populate the switch MAC address table.

a. From 172.16.31.2, enter the ping 172.16.31.4 command.

b. Click 10.10.10.2 and open the Command Prompt.

c. Enter the ping 10.10.10.3 command.

Question:

How many replies were sent and received?

Step 2: Examine the MAC address table on the switches.

a. Click Switch1 and then the CLI tab. Enter the show mac-address-table command.

Question:

Do the entries correspond to those in the table above?

b. Click Switch0, then the CLI tab. Enter the show mac-address-table command.

Questions:

Do the entries correspond to those in the table above?

Why are two MAC addresses associated with one port?

Part 3: Examine the ARP Process in Remote Communications

Step 1: Generate traffic to produce ARP traffic.

a. Click 172.16.31.2 and open the Command Prompt.

b. Enter the ping 10.10.10.1 command.

c. Type arp -a.

Question:

What is the IP address of the new ARP table entry?

d. Enter arp -d to clear the ARP table and switch to Simulation mode.

e. Repeat the ping to 10.10.10.1.

Question:

How many PDUs appear?

f. Click Capture/Forward. Click the PDU that is now at Switch1.


Question:

What is the target destination IP address of the ARP request?

g. The destination IP address is not 10.10.10.1.

Question:

Why?

Step 2: Examine the ARP table on Router1.

a. Switch to Realtime mode. Click Router1 and then the CLI tab.

b. Enter privileged EXEC mode and then the show mac-address-table command.

Question:

How many MAC addresses are in the table? Why?

c. Enter the show arp command.

Questions:

Is there an entry for 172.16.31.2?

What happens to the first ping in a situation where the router responds to the ARP request?

Check Your Understanding – ARP

Answers

1. A&E 2.D 3.D 4.D 5.C


IPv6 Neighbor Discovery
If your network is using the IPv6 communications protocol, the Neighbor Discovery protocol, or ND, is what you need
to match IPv6 addresses to MAC addresses. This topic explains how ND works.

Log into the Cisco academy and play video 9.3.1 to view a demonstration of IPv6 Neighbor Discovery.

IPv6 Neighbor Discovery Messages


IPv6 Neighbor Discovery protocol is sometimes referred to as ND or NDP. In this course, we will refer to it as ND. ND
provides address resolution, router discovery, and redirection services for IPv6 using ICMPv6. ICMPv6 ND uses five
ICMPv6 messages to perform these services:

• Neighbor Solicitation messages
• Neighbor Advertisement messages
• Router Solicitation messages
• Router Advertisement messages
• Redirect Message

Neighbor Solicitation and Neighbor Advertisement messages are used for device-to-device messaging such as
address resolution (similar to ARP for IPv4). Devices include both host computers and routers.

Router Solicitation and Router Advertisement messages are for messaging between devices and routers. Typically
router discovery is used for dynamic address allocation and stateless address autoconfiguration (SLAAC).

Note: The fifth ICMPv6 ND message is a redirect message which is used for better next-hop selection. This is beyond
the scope of this course.

IPv6 ND is defined in the IETF RFC 4861.

IPv6 Neighbor Discovery - Address Resolution


Much like ARP for IPv4, IPv6 devices use IPv6 ND to determine the MAC address of a device that has a known IPv6
address.

ICMPv6 Neighbor Solicitation and Neighbor Advertisement messages are used for MAC address resolution. This is
similar to ARP Requests and ARP Replies used by ARP for IPv4. For example, assume PC1 wants to ping PC2 at IPv6
address 2001:db8:acad::11. To determine the MAC address for the known IPv6 address, PC1 sends an ICMPv6
Neighbor Solicitation message as illustrated in the figure.

The diagram shows PC1 and PC2 connected to the same switch on network 2001:db8:acad:1::/64. PC1 has an IPv6
address 2001:db8:acad:1::10 and PC2 has an IPv6 address of 2001:db8:acad:1::11. PC1 is sending an ICMPv6
neighbor solicitation message that reads: Hey whoever has 2001:db8:acad:1::11, send me your MAC address? PC2 is
replying with an ICMPv6 neighbor advertisement message that reads: Hey 2001:db8:acad:1::10, I am
2001:db8:acad:1::11 and my MAC address is f8-94-c3-e4-c5-0A.
ICMPv6 Neighbor Solicitation messages are sent using special Ethernet and IPv6 multicast addresses. This allows the
Ethernet NIC of the receiving device to determine whether the Neighbor Solicitation message is for itself without
having to send it to the operating system for processing.

PC2 replies to the request with an ICMPv6 Neighbor Advertisement message which includes its MAC address.
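
The "special Ethernet and IPv6 multicast addresses" are the solicited-node multicast group (RFC 4291) and its 33:33 Ethernet mapping (RFC 2464). This added example, which is not part of the original notes, derives them for the PC1/PC2 exchange in the figure; PC1's MAC address is constructed, the function names are hypothetical, and only the global addresses are modelled.

```python
import ipaddress

ALL_NODES_MAC = "33:33:00:00:00:01"      # Ethernet mapping of ff02::1 (all nodes)
NS_TYPE, NA_TYPE = 135, 136              # ICMPv6 Neighbor Solicitation / Advertisement


def norm_mac(mac):
    return mac.lower().replace("-", ":")


def solicited_node_multicast(unicast):
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the address."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    prefix = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(prefix | low24)


def multicast_mac(group):
    """33:33 followed by the low 32 bits of the IPv6 multicast address."""
    group = ipaddress.IPv6Address(group)
    if not group.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    return "33:33:" + ":".join(f"{b:02x}" for b in group.packed[-4:])


def neighbor_solicitation(src_ip, src_mac, target_ip):
    """Addressing of the NS that asks for target_ip's MAC address."""
    group = solicited_node_multicast(target_ip)
    return {
        "eth_dst": multicast_mac(group),
        "eth_src": norm_mac(src_mac),
        "ipv6_src": str(ipaddress.IPv6Address(src_ip)),
        "ipv6_dst": str(group),
        "icmpv6_type": NS_TYPE,
        "target": str(ipaddress.IPv6Address(target_ip)),
    }


def neighbor_advertisement(solicitation, own_mac):
    """Addressing of the unicast NA sent back by the owner of the target."""
    return {
        "eth_dst": solicitation["eth_src"],
        "eth_src": norm_mac(own_mac),
        "ipv6_src": solicitation["target"],
        "ipv6_dst": solicitation["ipv6_src"],
        "icmpv6_type": NA_TYPE,
        "target": solicitation["target"],
        "target_link_layer": norm_mac(own_mac),
    }


def nic_filter(own_mac, own_ips):
    """Destination MACs this NIC passes up to the operating system."""
    accepted = {norm_mac(own_mac), ALL_NODES_MAC}
    accepted.update(multicast_mac(solicited_node_multicast(ip)) for ip in own_ips)
    return accepted


# PC2's MAC is the one in the figure; PC1's MAC is constructed.
PC1_IP, PC1_MAC = "2001:db8:acad:1::10", "00-00-5e-00-53-10"
PC2_IP, PC2_MAC = "2001:db8:acad:1::11", "f8-94-c3-e4-c5-0A"
NS = neighbor_solicitation(PC1_IP, PC1_MAC, PC2_IP)
NA = neighbor_advertisement(NS, PC2_MAC)

if __name__ == "__main__":
    print(NS)
    print(NA)
    print("PC2 NIC accepts NS:", NS["eth_dst"] in nic_filter(PC2_MAC, [PC2_IP]))
    print("PC1 NIC accepts NS:", NS["eth_dst"] in nic_filter(PC1_MAC, [PC1_IP]))
```

Addresses that share their low 24 bits share a group, so the NIC filter is a first pass and the operating system still checks the target address in the message.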

Packet Tracer Activity - IPv6 Neighbor Discovery


In order for a device to communicate with another device, the MAC address of the destination device must be
known. With IPv6, a process called Neighbor Discovery is responsible for determining the destination MAC address.
You will gather PDU information in simulation mode to better understand the process.

Packet Tracer – IPv6 Neighbor Discovery


Addressing Table

Part 1: IPv6 Neighbor Discovery Local Network


Part 2: IPv6 Neighbor Discovery Remote Network

Background
In order for a device to communicate with another device, the MAC address of the destination must be known.
With IPv6, a process called Neighbor Discovery using NDP or ND protocol is responsible for determining the
destination MAC address. You will gather PDU information in simulation mode to better understand the
process. There is no Packet Tracer scoring for this activity.

Instructions

Part 1: IPv6 Neighbor Discovery Local Network


In Part 1 of this activity, you will obtain the MAC address of a destination device on the same network.

Step 1: Check the router for any neighbors that it discovered.


a. Click the RTA Router. Select the CLI tab and issue the command show ipv6 neighbors from the
privileged exec mode. If there are any entries displayed, remove them using the command clear ipv6
neighbors.
b. Click PCA1, select the Desktop tab and click the Command Prompt icon.

Step 2: Switch to Simulation Mode to capture events.


c. Click the Simulation button in the lower right corner of the Packet Tracer Topology window.
d. Click the Show All/None button in the lower left part of the Simulation Panel. Make certain Event List
Filters – Visible Events displays None.
e. From the command prompt on PCA1, issue the command ping -n 1 2001:db8:acad:1::b. This will start
the process of pinging PCA2.
f. Click the Play Capture Forward button, which is displayed as an arrow pointing to the right with a vertical
bar within the Play Controls box. The status bar above the Play Controls should read Captured to 150.
(The exact number may vary.)

g. Click the Edit Filters button. Select the IPv6 tab at the top and check the boxes for ICMPv6 and NDP.
Click the red X in the upper right of the Edit ACL Filters window. The captured events should now be
listed. You should have approximately 12 entries in the window.
Question:

Why are ND PDUs present?


h. Click the square in the Type column for the first event, which should be ICMPv6.
Question:

Because the message starts with this event there is only an Outbound PDU. Under the OSI Model tab,
what is the Message Type listed for ICMPv6?
Notice there is no Layer 2 addressing. Click the Next Layer >> button to get an explanation about the ND
(Neighbor Discovery) process.
i. Click the square next to the next event in the Simulation Panel. It should be at device PCA1 and the type
should be NDP.
Questions:

What changed in the Layer 3 addressing?


What Layer 2 addresses are shown?
When a host does not know the MAC address of the destination, a special multicast MAC address is used
by IPv6 Neighbor Discovery as the Layer 2 destination address.
j. Select the first NDP event at SwitchA.
Question:

Is there any difference between the In Layers and Out Layers for Layer 2?
k. Select the first NDP event at PCA2. Click the Outbound PDU Details.
Question:

What addresses are displayed for the following?


Note: The addresses in the fields may be wrapped, adjust the size of the PDU window to make address
information easier to read.
Ethernet II DEST ADDR:
Ethernet II SRC ADDR:
IPv6 SRC IP:
IPv6 DST IP:
l. Select the first NDP event at RTA.
Question:

Why are there no Out Layers?
m. Click through the Next Layer >> button until the end and read steps 4 through 7 for further explanation.
n. Click the next ICMPv6 event at PCA1.
Question:

Does PCA1 now have all of the necessary information to communicate with PCA2?
o. Click the last ICMPv6 event at PCA1. Notice this is the last communication listed.
Question:

What is the ICMPv6 Echo Message Type?


p. Click the Reset Simulation button in the Simulation Panel. From the command prompt of PCA1 repeat
the ping to PCA2. (Hint: you should be able to press the up arrow to bring the previous command back.)
q. Click the Capture Forward button 5 times to complete the ping process.
Question:

Why weren’t there any NDP events?


Part 2: IPv6 Neighbor Discovery Remote Network
In Part 2 of this activity, you will perform steps that are similar to those in Part 1, except in this case, the
destination host is on another LAN. Observe how the Neighbor Discovery process differs from the process
you observed in Part 1. Pay close attention to some of the additional addressing steps that take place when a
device communicates with a device that is on a different network.
Make sure to click the Reset Simulation button to clear out the previous events.

Step 1: Capture events for remote communication.


a. Display and clear any entries in the IPv6 neighbor device table as was done in Part 1.
b. Switch to simulation mode. Click the Show All/None button in the lower left part of the Simulation Panel.
Make certain the Event List Filters – Visible Events displays None.
c. From the command prompt on PCA1, issue the command ping -n 1 2001:db8:acad:2::a to ping host
PCB1.
d. Click the Play Capture Forward button which is displayed as an arrow pointing to the right with a vertical
bar within the Play Controls box. The status bar above the Play Controls should read Captured to 150.
(The exact number may vary.)
e. Click the Edit Filters button. Select the IPv6 tab at the top and check the boxes for ICMPv6 and NDP.
Click the red X in the upper right of the Edit ACL Filters window. All of the previous events should now be
listed. You should notice there are considerably more entries listed this time.
f. Click the square in the Type column for the first event, which should be ICMPv6. Because the message
starts with this event, there is only an Outbound PDU. Notice that it is missing the Layer 2 information, as
it was in the previous scenario.
g. Click the first NDP event at device PCA1.
Question:

What address is being used for the Src IP in the inbound PDU?
Type your answers here.
IPv6 Neighbor Discovery will determine the next destination to forward the ICMPv6 message.
h. Click the second ICMPv6 event for PCA1. PCA1 now has enough information to create an ICMPv6 echo
request.
Question:

What MAC address is being used for the destination MAC?

i. Click the next ICMPv6 event at device RTA. Notice that the outbound PDU from RTA lacks the
destination Layer 2 address. This means that RTA once again has to perform a Neighbor Discovery for
the interface that has the 2001:db8:acad:2:: network because it doesn’t know the MAC addresses of the
devices on the G0/0/1 LAN.
j. Skip down to the first ICMPv6 event for device PCB1.
Question:

What is missing in the outbound Layer 2 information?


Type your answers here.
k. The next few NDP events are associating the remaining IPv6 addresses to MAC addresses. The previous
NDP events associated MAC addresses with Link Local addresses.
l. Skip to the last set of ICMPv6 events and notice that all of the addresses have been learned. The
required information is now known, so PCB1 can send echo reply messages to PCA1.
m. Click the Reset Simulation button in the Simulation Panel. From the command prompt of PCA1 repeat the
command to ping PCB1.
n. Click the Capture Forward button nine times to complete the ping process.
Question:

Were there any NDP events?


Type your answers here.
o. Click the only PCB1 event in the new list.
Questions:

What does the destination MAC address correspond to?


Type your answers here.
Why is PCB1 using the router interface MAC address to make its ICMP PDUs?

Step 2: Examine router outputs.


a. Return to Realtime mode.
b. Click RTA and select the CLI tab. At the router prompt enter the command show ipv6 neighbors.
Questions:

How many addresses are listed?


Type your answers here.
What devices are these addresses associated with?
Type your answers here.
Are there any entries for PCA2 listed (why or why not)?
Type your answers here.
Ping PCA2 from the router.
c. Issue the show ipv6 neighbors command.
Question:

Are there entries for PCA2?

Reflection Questions
1. When does a device require the IPv6 Neighbor Discovery process?
Type your answers here.
2. How does a router help to minimize the amount of IPv6 Neighbor Discovery traffic on a network?
Type your answers here.
3. How does IPv6 minimize the impact of the ND process on network hosts?
Type your answers here.
4. How does the Neighbor Discovery process differ when a destination host is on the same LAN and when it
is on a remote LAN?
Check Your Understanding - Neighbor Discovery

Answers

1. C&D 2. A&B 3. B
Summary
MAC and IP
Layer 2 physical addresses (i.e., Ethernet MAC addresses) are used to deliver the data link frame with the
encapsulated IP packet from one NIC to another NIC on the same network. If the destination IP address is on the
same network, the destination MAC address will be that of the destination device. When the destination IP address
(IPv4 or IPv6) is on a remote network, the destination MAC address will be the address of the host default gateway
(i.e., the router interface). Along each link in a path, an IP packet is encapsulated in a frame. The frame is specific to
the data link technology that is associated with that link, such as Ethernet. If the next-hop device is the
final destination, the destination MAC address will be that of the device Ethernet NIC. How are the IP addresses of
the IP packets in a data flow associated with the MAC addresses on each link along the path to the destination? For
IPv4 packets, this is done through a process called ARP. For IPv6 packets, the process is ICMPv6 ND.

ARP
Every IP device on an Ethernet network has a unique Ethernet MAC address. When a device sends an Ethernet Layer
2 frame, it contains these two addresses: destination MAC address and source MAC address. A device uses ARP to
determine the destination MAC address of a local device when it knows its IPv4 address. ARP provides two basic
functions: resolving IPv4 addresses to MAC addresses and maintaining a table of IPv4 to MAC address mappings. The
ARP request is encapsulated in an Ethernet frame using this header information: source and destination MAC
addresses and type. Only one device on the LAN will have an IPv4 address that matches the target IPv4 address in
the ARP request. All other devices will not reply. The ARP reply contains the same header fields as the request. Only
the device that originally sent the ARP request will receive the unicast ARP reply. After the ARP reply is received, the
device will add the IPv4 address and the corresponding MAC address to its ARP table. When the destination IPv4
address is not on the same network as the source IPv4 address, the source device needs to send the frame to its
default gateway. This is the interface of the local router. For each device, an ARP cache timer removes ARP entries
that have not been used for a specified period of time. Commands may also be used to manually remove some or all
of the entries in the ARP table. As a broadcast frame, an ARP request is received and processed by every device on
the local network, which could cause the network to slow down. A threat actor can use ARP spoofing to perform an
ARP poisoning attack.
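An added example, not part of the original course material: a small passive monitor that parses ARP payloads and flags the two signs of a poisoned ARP table that follow from the behaviour summarized above, a reply that no request asked for and an IPv4 address that is suddenly claimed by a different MAC address. All addresses and frames are constructed, and the sketch assumes the monitor sees every ARP message on the LAN (for example from a mirror port).

```python
import ipaddress
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (28 bytes)
REQUEST, REPLY = 1, 2

def build_arp(oper, sha, spa, tha, tpa):
    """Pack a constructed ARP payload (used only to make the sample traffic)."""
    macs = [bytes.fromhex(m.replace(":", "")) for m in (sha, tha)]
    ips = [ipaddress.IPv4Address(a).packed for a in (spa, tpa)]
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, macs[0], ips[0], macs[1], ips[1])

def parse_arp(payload):
    """Return (oper, sender_mac, sender_ip, target_ip) or raise ValueError."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return oper, sha.hex(":"), str(ipaddress.IPv4Address(spa)), str(ipaddress.IPv4Address(tpa))

class ArpMonitor:
    """Tracks IPv4-to-MAC bindings and reports changes a poisoned cache would show."""
    def __init__(self):
        self.bindings = {}    # sender IP -> first MAC seen for it
        self.pending = set()  # target IPs with an outstanding request
    def observe(self, payload):
        oper, mac, ip, target = parse_arp(payload)
        alerts = []
        if oper == REQUEST:
            self.pending.add(target)
        elif oper == REPLY:
            if ip not in self.pending:
                alerts.append(f"unsolicited reply for {ip} from {mac}")
            self.pending.discard(ip)
        known = self.bindings.setdefault(ip, mac)  # keep the first binding seen
        if known != mac:
            alerts.append(f"{ip} was {known}, now claimed by {mac}")
        return alerts

def run_sample():
    """Constructed traffic: a normal request/reply, then a conflicting reply."""
    gw, host, other = "00:00:5e:00:53:01", "00:00:5e:00:53:0a", "00:00:5e:00:53:66"
    frames = [
        build_arp(REQUEST, host, "192.168.10.10", "00:00:00:00:00:00", "192.168.10.1"),
        build_arp(REPLY, gw, "192.168.10.1", host, "192.168.10.10"),
        build_arp(REPLY, other, "192.168.10.1", host, "192.168.10.10"),
    ]
    monitor = ArpMonitor()
    return [monitor.observe(f) for f in frames]
```

The monitor keeps the first binding it saw rather than overwriting it, so a conflicting claim keeps raising an alert until an administrator confirms which mapping is legitimate.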

Neighbor Discovery
IPv6 does not use ARP; it uses the ND protocol to resolve MAC addresses. ND provides address resolution, router
discovery, and redirection services for IPv6 using ICMPv6. ICMPv6 ND uses five ICMPv6 messages to perform these
services: neighbor solicitation, neighbor advertisement, router solicitation, router advertisement, and redirect. Much
like ARP for IPv4, IPv6 devices use IPv6 ND to resolve a known IPv6 address to the MAC address of the device.
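An added example (not from the original course material) of the decision the two parts of the activity walk through: whether a Neighbor Solicitation resolves the destination itself or the default gateway, and which multicast group and Ethernet multicast address it is sent to. Only 2001:db8:acad:2::a comes from the activity; the PCA1 and PCA2 addresses, the /64 prefix length and the gateway address fe80::1 are assumptions. The solicited-node group follows RFC 4291 and the multicast MAC mapping follows RFC 2464.

```python
import ipaddress

SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))

def solicited_node(addr):
    """Solicited-node multicast group: ff02::1:ff plus the low 24 bits of addr."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)

def multicast_mac(group):
    """Ethernet address for an IPv6 multicast group: 33:33 plus its low 32 bits."""
    return (b"\x33\x33" + ipaddress.IPv6Address(group).packed[-4:]).hex(":")

def plan_solicitation(src_iface, dst, gateway):
    """Work out what the Neighbor Solicitation for a packet to dst looks like.

    src_iface is the sender's address with prefix length; gateway is the
    default gateway address learned from the router (assumed values below).
    """
    iface = ipaddress.IPv6Interface(src_iface)
    dst = ipaddress.IPv6Address(dst)
    on_link = dst in iface.network
    # Same LAN: resolve the destination. Remote LAN: resolve the gateway instead.
    target = dst if on_link else ipaddress.IPv6Address(gateway)
    group = solicited_node(target)
    return {
        "on_link": on_link,
        "ns_target": str(target),
        "ns_dst_ip": str(group),
        "ns_dst_mac": multicast_mac(group),
    }

if __name__ == "__main__":
    pca1 = "2001:db8:acad:1::a/64"   # assumed address for PCA1
    gateway = "fe80::1"              # assumed link-local address of RTA
    # Assumed PCA2 address (same LAN), then PCB1 from the activity (remote LAN).
    for dst in ("2001:db8:acad:1::b", "2001:db8:acad:2::a"):
        print(dst, plan_solicitation(pca1, dst, gateway))
```

Because the solicitation goes to a group derived from the target address, only NICs that joined that group pass the frame up the stack, while an ARP broadcast is processed by every device on the LAN.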
Quiz
Answers
1. C 2. c 3. c 4. d 5. a 6. a&c 7. c 8. d 9. d 10. d 11. d 12. c 13. c 14. e
Assignment
1. Describe the Layer 2 addresses used when a destination is on the same local network and when the
destination is on a remote network.
2. What impact do ARP requests have on the network and other local devices?
3. What are some security risks associated with ARP?
4. Why do you suppose ICMPv6 Neighbor Solicitations are sent as a multicast and not broadcast?
5. Discuss the similarities and differences between the ARP and the ICMPv6 ND processes.
