Friday, July 1, 2011

Top Ten Cisco IOS Commands - 7) sh arp

A brief into to ARP:

In order for a node to communicate with another node on an Ethernet network they must know 2 things, the IP address and the MAC address. Arp is the liason between layer 2 (the MAC address) and layer 3 (the IP address). First, the DNS protocol is used to resolve the host name to an IP address. Then, ARP takes over by sending a broadcast to all nodes on the local subnet (aka, broadcast domain) to resolve the IP to a MAC address.

Arp broadcasts only go as far as the local subnet before being replied to. Usually there are only 2 things that can happen here, 1) the destination node responds with its MAC address (through a switch). Or, 2) a router or other gateway device responds with its MAC address because it knows a route to the destination node on a different subnet (this is referred to as proxy-arp, it forwards the broadcast for you to the non-local subnet). Knowing these two possible results is an important concept to remember when looking up IP or MAC info on your Cicso routers and switches.

The requesting node doesn't care who responds as long as it gets the MAC address, so there are some obvious security concerns with this protocol.

If you run the "sh arp" on your switch or router you can see the results are about the same. You get info about devices that are communicating directly with interfaces on the device (i.e., IP, MAC, interface name, aging timer)...

Switch1# s arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet             41   0025.13f7.0141  ARPA   Vlan333
Internet              -   0025.13f6.c041  ARPA   Vlan333
Internet             98   0025.77c2.6dc1  ARPA   Vlan333
Internet             140   0025.77c2.6dc1  ARPA   Vlan333
Internet             0   0025.77c2.6dc1  ARPA   Vlan333
Internet              7   00e0.d812.77f1  ARPA   Vlan333

Router1# s arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet               43   da30.9171.834a  ARPA   GigabitEthernet0/0
Internet               19   f4ac.c178.f442  ARPA   GigabitEthernet0/0
Internet             227   0026.77c2.6bc1  ARPA   GigabitEthernet0/0
Internet             156   001f.bd8b.3545  ARPA   GigabitEthernet0/0
Internet             266   001b.044c.1280  ARPA   GigabitEthernet0/0
Internet              64   0024.c4d5.4cf0  ARPA   GigabitEthernet0/0
Internet             157   001b.2acc.2b50  ARPA   GigabitEthernet0/0
Internet              86   001d.9d13.55c1  ARPA   GigabitEthernet0/0
Internet              -   001d.2abb.2a36  ARPA   GigabitEthernet0/0
Internet          5   001f.9e58.c0d3  ARPA    GigabitEthernet0/1
Internet          -   001b.2abb.3337  ARPA    GigabitEthernet0/1

Now that you know the IPs and MACs you just need the port numbers associated with them and you'll have a pretty decent port mapping of the switch. Try this...

Switch1# sh mac address-table

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0200.0ccc.cccc    STATIC      CPU
 All    0200.0ccc.cccd    STATIC      CPU
 All    0162.c200.0000    STATIC      CPU
 All    0162.c200.0001    STATIC      CPU
 All    0162.c200.0002    STATIC      CPU
 All    0162.c200.0003    STATIC      CPU
 All    0162.c200.0004    STATIC      CPU
 All    0162.c200.0005    STATIC      CPU
 All    0162.c200.0006    STATIC      CPU
 All    0162.c200.0007    STATIC      CPU
 All    0162.c200.0008    STATIC      CPU
 All    0162.c200.0009    STATIC      CPU
 All    0162.c200.000a    STATIC      CPU
 All    0162.c200.000b    STATIC      CPU
 All    0162.c200.000c    STATIC      CPU
 All    0162.c200.000d    STATIC      CPU
 All    0162.c200.000e    STATIC      CPU
 All    0162.c200.000f    STATIC      CPU
 All    0162.c200.0010    STATIC      CPU
 All    ffff.ffff.ffff    STATIC      CPU
   1    0025.8386.9034    DYNAMIC     Gi1/0/3
   1    0025.83f0.e52a    DYNAMIC     Gi3/0/4
 300    001b.2abb.2f90    DYNAMIC     Gi1/0/3
 300    001b.2abb.25c0    DYNAMIC     Gi1/0/3
 300    001b.d44c.9277    DYNAMIC     Gi1/0/3
 300    001e.bd8b.2145    DYNAMIC     Gi1/0/3
 300    0024.c4c5.4df0    DYNAMIC     Gi1/0/3
 300    0025.8206.9085    DYNAMIC     Gi1/0/3
 300    0025.83c2.5ac1    DYNAMIC     Gi1/0/3
 300    ec30.9171.8322    DYNAMIC     Gi1/0/3
 333    001b.d44c.1180    DYNAMIC     Gi1/0/3
 333    0025.5586.9485    DYNAMIC     Gi1/0/3
 333    0015.83c2.6dc4    DYNAMIC     Gi1/0/3
 333    0fe0.d810.ba7f    DYNAMIC     Gi1/0/3
 333    0fe0.d812.83d1    DYNAMIC     Gi1/0/3
 333    0fe0.d812.644f    STATIC      Fa1/0/47

Looking at MAC addresses associated with IP addresses can be confusing at first. For example, you may be wondering why there are so many MAC addresses assigned to one port, Gi1/0/3 above. This port happens to be a trunk port which carries all inter-vlan traffic. So, some of these are other switches, routers, etc.

When looking at your devices arp cache, you'll sometimes see multiple IP addresses with the same MAC entry. This is because of the proxy-arp mentioned above. The MAC you see is your gateway device. Run an "arp -a" command on your Windows pc you'll only see your gateway device's MAC for anything you ping outside your local subnet.

Additional notes:

Arp cache timeout defaults vary by vendor. Windows is sometimes 10 minutes, while Cisco devices are often 4 hours!

Most newer switches today have layer 3 (routing) capability, so, they may be the gateway device and perform the inter-vlan routing that used to require a router.

Also, sometimes you'll see "bia" in front of the MAC address on cisco routers and switches, this means "burned in address."

No comments:

Post a Comment