Lecture 7: Address Resolution
Module Objectives
Module Title: Address Resolution
Module Objective: Explain how ARP and ND enable communication on a network.
Topic Title – Topic Objective
• MAC and IP – Compare the roles of the MAC address and the IP address.
• ARP – Describe the purpose of ARP.
• ICMP Messages – Explain how ICMP is used to test network connectivity.
• Ping and Traceroute Testing – Use ping and traceroute utilities to test network connectivity.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
MAC and IP
Destination on Same Network
There are two primary addresses assigned to a device on an Ethernet LAN:
• Layer 2 physical address (the MAC address) – Used for NIC to NIC communications
on the same Ethernet network.
• Layer 3 logical address (the IP address) – Used to send the packet from the source
device to the destination device.
Layer 2 addresses are used to deliver frames from one NIC to another NIC on the same
network. If a destination IP address is on the same network, the destination MAC address
will be that of the destination device.
Destination on Remote Network
When the destination IP address is on a remote network, the destination MAC address is
that of the default gateway.
• ARP is used by IPv4 to associate the IPv4 address of a device with the MAC address
of the device NIC.
• ICMPv6 is used by IPv6 to associate the IPv6 address of a device with the MAC
address of the device NIC.
ARP
ARP Overview
A device uses ARP to determine the
destination MAC address of a local
device when it knows its IPv4 address.
ARP provides two basic functions:
• Resolving IPv4 addresses to MAC
addresses
• Maintaining an ARP table of IPv4
to MAC address mappings
ARP Functions
To send a frame, a device will search its ARP table for a destination IPv4 address and a
corresponding MAC address.
• If the packet’s destination IPv4 address is on the same network, the device will
search the ARP table for the destination IPv4 address.
• If the destination IPv4 address is on a different network, the device will search the
ARP table for the IPv4 address of the default gateway.
• If the device locates the IPv4 address, its corresponding MAC address is used as the
destination MAC address in the frame.
• If no ARP table entry is found, the device sends an ARP request.
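The lookup described above, written out as an added example (not part of the original slides). The IPv4 addresses are constructed sample values, the two MAC addresses are reused from the ARP table outputs in this lecture, and the request frame follows the standard ARP layout for Ethernet and IPv4.

```python
import ipaddress
import struct

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))

def arp_target(iface, dst_ip, gateway):
    """IPv4 address whose MAC is needed: the destination itself when it is on
    the sender's network, otherwise the default gateway."""
    net = ipaddress.ip_interface(iface).network
    return dst_ip if ipaddress.ip_address(dst_ip) in net else gateway

def build_arp_request(src_mac, src_ip, target_ip):
    """Ethernet broadcast frame carrying an ARP request."""
    eth = mac_bytes(BROADCAST_MAC) + mac_bytes(src_mac) + struct.pack("!H", 0x0806)
    # hardware type 1 (Ethernet), protocol 0x0800 (IPv4), lengths 6 and 4, opcode 1 (request)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += mac_bytes(src_mac) + ipaddress.ip_address(src_ip).packed
    arp += bytes(6) + ipaddress.ip_address(target_ip).packed  # target MAC unknown: zeros
    return eth + arp

def resolve(iface, src_mac, dst_ip, gateway, arp_table):
    """Return (destination MAC, None) on a table hit, (None, request frame) on a miss."""
    target = arp_target(iface, dst_ip, gateway)
    if target in arp_table:
        return arp_table[target], None
    src_ip = str(ipaddress.ip_interface(iface).ip)
    return None, build_arp_request(src_mac, src_ip, target)

# Constructed sample host: addresses are illustrative, not from the lecture
ARP_TABLE = {"192.168.10.1": "a0:e0:af:0d:e1:40"}
IFACE, MAC, GW = "192.168.10.10/24", "c8:d7:19:cc:a0:86", "192.168.10.1"

if __name__ == "__main__":
    print(resolve(IFACE, MAC, "10.1.1.50", GW, ARP_TABLE))      # remote: gateway MAC from table
    print(resolve(IFACE, MAC, "192.168.10.20", GW, ARP_TABLE))  # local, no entry: ARP request
```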
Videos: ARP Request; ARP Operation - ARP Reply; ARP Role in Remote Communications
Removing Entries from an ARP Table
• Entries in the ARP table are not permanent and are removed when an ARP cache
timer expires after a specified period of time.
• The duration of the ARP cache timer differs depending on the operating system.
• ARP table entries can also be removed manually by the administrator.
ARP Tables on Networking Devices
• The show ip arp command displays the ARP table on a Cisco router.
• The arp -a command displays the ARP table on a Windows 10 PC.
R1# show ip arp
Protocol  Address     Age (min)  Hardware Addr   Type  Interface
Internet  [Link]      -          a0e0.af0d.e140  ARPA  GigabitEthernet0/0/0
C:\Users\PC> arp -a
Interface: [Link] --- 0x10
  Internet Address      Physical Address      Type
  [Link]                c8-d7-19-cc-a0-86     dynamic
  [Link]                08-3e-0c-f5-f7-77     dynamic
ARP Issues – ARP Broadcasting and ARP Spoofing
• ARP requests are received and processed by every device on the local network.
• Excessive ARP broadcasts can cause some reduction in performance.
• ARP replies can be spoofed by a threat actor to perform an ARP poisoning attack.
• Enterprise-level switches include mitigation techniques to protect against ARP attacks.
Neighbor Discovery
IPv6 Neighbor Discovery
Video – IPv6 Neighbor Discovery
IPv6 Neighbor Discovery Messages
IPv6 Neighbor Discovery (ND) protocol provides:
• Address resolution
• Router discovery
• Redirection services
• ICMPv6 Neighbor Solicitation (NS) and Neighbor Advertisement (NA)
messages are used for device-to-device messaging such as address
resolution.
• ICMPv6 Router Solicitation (RS) and Router Advertisement (RA) messages
are used for messaging between devices and routers for router discovery.
• ICMPv6 redirect messages are used by routers for better next-hop selection.
IPv6 Neighbor Discovery – Address Resolution
• IPv6 devices use ND to resolve
the MAC address of a known
IPv6 address.
• ICMPv6 Neighbor Solicitation
messages are sent using
special Ethernet and IPv6
multicast addresses.
ICMP Messages
ICMPv4 and ICMPv6 Messages
• Internet Control Message Protocol (ICMP) provides feedback about issues related to the
processing of IP packets under certain conditions.
• ICMPv4 is the messaging protocol for IPv4. ICMPv6 is the messaging protocol for IPv6 and
includes additional functionality.
• The ICMP messages common to both ICMPv4 and ICMPv6 include:
• Host reachability
• Destination or Service Unreachable
• Time exceeded
Note: ICMPv4 messages are not required and are often not allowed within a network for
security reasons.
Host Reachability
ICMP Echo Message can be used to
test the reachability of a host on an IP
network.
In the example:
• The local host sends an ICMP Echo
Request to a host.
• If the host is available, the
destination host responds with an
Echo Reply.
Destination or Service Unreachable
• An ICMP Destination Unreachable message can be used to notify the source that a
destination or service is unreachable.
• The ICMP message will include a code indicating why the packet could not be delivered.
A few Destination Unreachable codes for ICMPv4 are as follows:
• 0 - Net unreachable
• 1 - Host unreachable
• 2 - Protocol unreachable
• 3 - Port unreachable
A few Destination Unreachable codes for ICMPv6 are as follows:
• 0 - No route to destination
• 1 - Communication with the destination is administratively prohibited (e.g., firewall)
• 2 - Beyond scope of the source address
• 3 - Address unreachable
• 4 - Port unreachable
Note: ICMPv6 has similar but slightly different codes for Destination Unreachable messages.
Time Exceeded
• When the Time to Live (TTL) field in a packet is decremented to 0, an ICMPv4 Time
Exceeded message will be sent to the source host.
• ICMPv6 also sends a Time Exceeded message. Instead of the IPv4 TTL field, ICMPv6 uses
the IPv6 Hop Limit field to determine if the packet has expired.
Note: Time Exceeded messages are used by the traceroute tool.
ICMPv6 Messages
ICMPv6 has new features and improved functionality not found in ICMPv4, including four new
protocols as part of the Neighbor Discovery Protocol (ND or NDP).
Messaging between an IPv6 router and an IPv6 device, including dynamic address allocation, are as follows:
• Router Solicitation (RS) message
• Router Advertisement (RA) message
Messaging between IPv6 devices, including duplicate address detection and address resolution, are as follows:
• Neighbor Solicitation (NS) message
• Neighbor Advertisement (NA) message
Note: ICMPv6 ND also includes the redirect message, which has a similar function to the redirect
message used in ICMPv4.
• RA messages are sent by IPv6-enabled
routers every 200 seconds to provide
addressing information to IPv6-enabled
hosts.
• An RA message can include addressing
information for the host such as the prefix,
prefix length, DNS address, and domain
name.
• A host using Stateless Address
Autoconfiguration (SLAAC) will set its
default gateway to the link-local address of
the router that sent the RA.
• An IPv6-enabled router will also send out
an RA message in response to an RS
message.
• In the figure, PC1 sends an RS message to
determine how to receive its IPv6 address
information dynamically.
• R1 replies to the RS with an RA message.
• PC1 sends an RS message, “Hi, I just booted up.
Is there an IPv6 router on the network? I need to
know how to get my IPv6 address information
dynamically.”
• R1 replies with an RA message. “Hi all IPv6-
enabled devices. I’m R1 and you can use SLAAC
to create an IPv6 global unicast address. The
prefix is [Link]/64. By the way, use my
link-local address fe80::1 as your default gateway.”
• A device assigned a global IPv6 unicast or
link-local unicast address may perform
duplicate address detection (DAD) to
ensure that the IPv6 address is unique.
• To check the uniqueness of an address, the
device will send an NS message with its
own IPv6 address as the targeted IPv6
address.
• If another device on the network has this
address, it will respond with an NA
message notifying the sending device
that the address is in use.
Note: DAD is not required, but RFC 4861 recommends that DAD is performed on
unicast addresses.
• To determine the MAC address for the
destination, the device will send an NS
message to the solicited node address.
• The message will include the known
(targeted) IPv6 address. The device that
has the targeted IPv6 address will
respond with an NA message containing
its Ethernet MAC address.
• In the figure, R1 sends an NS message to
[Link] asking for its MAC
address.
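The "special Ethernet and IPv6 multicast addresses" mentioned under address resolution, and the solicited node address used here, can be derived from the target address. This is an added example, not part of the original slides; the host addresses are constructed samples. It also shows which hosts on a segment listen to a given NS, in contrast to an ARP broadcast that every device processes.

```python
import ipaddress

SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))

def solicited_node(target):
    """Solicited-node multicast group: ff02::1:ff00:0/104 plus the low-order
    24 bits of the target unicast address."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)

def multicast_mac(group):
    """Ethernet destination for an IPv6 multicast group: 33:33 followed by the
    low-order 32 bits of the group address."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))

def ns_destinations(target):
    """(IPv6 destination, Ethernet destination) of an NS sent to resolve `target`."""
    group = solicited_node(target)
    return str(group), multicast_mac(group)

def ns_listeners(target, hosts):
    """Hosts that have joined the group the NS is sent to, i.e. those whose
    addresses share the target's low-order 24 bits."""
    group = solicited_node(target)
    return [h for h in hosts if solicited_node(h) == group]

# Constructed sample addresses on one link (not from the lecture)
HOSTS = [
    "2001:db8:acad:1::10",
    "2001:db8:acad:1::11",
    "fe80::10",
    "2001:db8:acad:1:c8d7:19ff:fecc:a086",
]

if __name__ == "__main__":
    for host in HOSTS:
        print(host, ns_destinations(host))
    print(ns_listeners("2001:db8:acad:1::10", HOSTS))
```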