Scribd
Upload
19 views23 pages

Address Resolution Protocol

Uploaded by

hgg
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
19 views23 pages

Address Resolution Protocol

Uploaded by

hgg
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 23

Module 8: Address Resolution

Protocol
Instructor Materials

CyberOps Associate v1.0


Module 8: Address Resolution
Protocol

CyberOps Associate v1.0


Module Objectives
Module Title: Address Resolution Protocol

Module Objective: Analyze address resolution protocol PDUs on a network.

Topic Title Topic Objective


MAC and IP Compare the roles of the MAC address and the IP address.
ARP Analyze ARP by examining Ethernet frames.
ARP Issues Explain how ARP requests impact network and host performance as well as
potential security risks.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9
8.1 MAC and IP

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10
Address Resolution Protocol
Destination on Same Network
• The two primary addresses assigned to a device on an Ethernet LAN:
Primary Description
Addresses on
Ethernet LAN
Physical Address • Used for Ethernet NIC to Ethernet NIC
(The Mac Address) communications on the same network.
• If the destination IP address is on the
same network, the destination MAC
address will be that of the destination
device.
Logical Address • Used to send the packet from the
(The IP Address) original source to the final destination.
• The destination IP address may be on
the same IP network as the source or
Communicating on a local network
may be on a remote network.
Note: Most applications use Domain Name System (DNS) to determine the IP address when
given a domain name such as www.cisco.com.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11
Address Resolution Protocol
Destination on Remote Network
• When the destination IP address is on a remote network, the destination MAC address will
be the address of the host’s default gateway. The process in the figure is as below:
• Routers examine the destination IPv4
address.
• When the router receives the Ethernet
frame, it de-encapsulates the Layer 2
information.
• Using the destination IP address, the router
determines the next-hop device, and then
encapsulates the IP packet in a new data
link frame for the outgoing interface.
• If the next-hop device is the final destination,
the destination MAC address will be that of
Communicating on a remote network
the device’s Ethernet NIC.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12
8.2 ARP

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13
ARP
ARP Overview
• The figure illustrates a problem while
sending a packet to another host on the
same local IPv4 network because the IP
address is known but the MAC address of
the device is unknown.
• A device uses Address Resolution Protocol
(ARP) to determine the destination MAC
address of a local device when it knows its
IPv4 address.
• ARP provides two basic functions:
• Resolving IPv4 addresses to MAC
addresses
• Maintaining a table of IPv4 to MAC
address mappings
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14
ARP
ARP Functions
• When a packet is sent to the data link layer Click play in the figure to see an animation of
to be encapsulated into an Ethernet frame, the ARP function.
the device refers to a table called ARP table
or ARP cache in its RAM memory to find the
MAC address that is mapped to the IPv4
address.
• The sending device will search its ARP table
for a destination IPv4 address and a
corresponding MAC address, if the packet’s
destination IPv4 address is on the same
network as the source IPv4 address.
• If the device locates the IPv4 address, its
corresponding MAC address is used as the
destination MAC address in the frame.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 15
ARP
Video - ARP Operation - ARP Request
• When a device needs to determine the MAC address mapped to the IPv4 address and no
entry is found for the IPv4 address in its ARP table, then an ARP request is sent.
• Click Play to view a demonstration of an ARP request for a destination IPv4 address that is
on the local network.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 16
ARP
Video - ARP Operation - ARP Reply
• Only the device with the target IPv4
address associated with the ARP
request will respond with an ARP
reply.
• Click Play in the figure to view a
demonstration of an ARP reply.

Note: IPv6 uses a similar process to


ARP for IPv4, known as ICMPv6
Neighbor Discovery (ND). IPv6 uses
neighbor solicitation and neighbor
advertisement messages, similar to
IPv4 ARP requests and ARP replies.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 17
ARP
Video - ARP Role in Remote Communication
• Click Play to view a demonstration of an ARP request and ARP reply associated with the
default gateway.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 18
ARP
Removing Entries from an ARP Table
• For each device, an ARP cache timer
removes the ARP entries that have not
been used for a specified period of
time.
• The times differ depending on the
operating system of the device.
• Commands may also be used to
manually remove some or all of the
entries in the ARP table.
• After an entry has been removed, the
process for sending an ARP request
and receiving an ARP reply must
occur again to enter the map in the
ARP table.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 19
ARP
ARP Tables on Networking Devices
On a Cisco router, the show ip arp
command is used to display the
ARP table.

On a Windows 10 PC, the arp –a


command is used to display the
ARP table.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 20
ARP
Lab - Wireshark to Examine Ethernet Frames
In this lab, you will do the following:
• Use Wireshark to capture and view Ethernet Frames in order to investigate ARP and IP
and MAC addressing.
• Capture and analyze ICMP frames.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 21
8.3 ARP Issues

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 22
ARP Issues
ARP Issues - ARP Broadcasts and ARP Spoofing
ARP Broadcasts
• As a broadcast frame, an ARP request is
received and processed by every device on the
local network. 
• On a typical business network, these
broadcasts would have minimal impact on
network performance.
• If many devices start accessing network
services at the same time, there can be
reduction in performance for a short time.
• After the devices send out the initial ARP
broadcasts and have learned the necessary
MAC addresses, any impact on the network will
be minimized.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 23
ARP Issues
ARP Issues - ARP Broadcasts and ARP Spoofing (Contd.)
ARP Spoofing
• The use of ARP can lead to a potential security
risk in some cases.
• A threat actor uses ARP spoofing to perform an
ARP poisoning attack.
• It is a technique used by a threat actor to
reply to an ARP request for an IPv4 address
belonging to another device, such as the
default gateway.
• The threat actor sends an ARP reply with its
own MAC address.The receiver of the ARP
reply will add the wrong MAC address to its
ARP table and send these packets to the
threat actor.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 24
ARP Issues
Video - ARP Spoofing
• Click Play in the figure to view a video about ARP Spoofing.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 25
8.4 Address Resolution
Protocol Summary

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 26
Module Summary and Quiz
What Did I Learn in this Module?
• IP addresses are used to identify the address of the original source device and the final
destination device.
• MAC addresses are used to deliver the data link frame with the encapsulated IP packet
from one NIC to another NIC on the same network.
• ARP is used to map the logical IPv4 address with the Layer 2 MAC address.
• ARP provides two basic functions: resolving IPv4 addresses to MAC addresses and
maintaining a table of IPv4 to MAC address mappings.
• When the destination IPv4 address is on the same network as the source, the ARP
process sends the IPv4 address to all hosts on the network so that the host with the
matching IPv4 address can reply with the corresponding MAC address
• If the packet’s destination IPv4 address is on the same network as the source IPv4
address, the device will search the ARP table for the destination IPv4 address.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 27
Module Summary and Quiz
What Did I Learn in this Module? (Contd.)
• If there is no entry for the IPv4 address in its ARP table, the sending device sends out
an ARP request to determine the destination MAC address.
• Only the device with the target IPv4 address associated with the ARP request will
respond with an ARP reply.
• In IPv6, ICMPv6 Neighbor Discovery (ND) is used.
• As a broadcast frame, an ARP request is received and processed by every device on
the local network.
• A threat actor can use ARP spoofing to perform an ARP poisoning attack by replying to
an ARP request for an IPv4 address belonging to another device, such as the default
gateway.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 28

You might also like