ARP and MAC address resolution: the first step in LAN communication
In a local area network, whether you are printing to a printer or opening a web page, the first step is really to "ask for directions", and that step relies on the ARP protocol (Address Resolution Protocol). ARP translates the IP address we know into the MAC address that Ethernet actually uses to deliver the frame. Note that ARP only resolves addresses on the local link: for a destination outside the subnet, the address resolved is the gateway's.
Key behaviors of ARP:
An ARP request is a broadcast: it is sent to every host in the LAN (destination MAC FF:FF:FF:FF:FF:FF) and asks "who has this IP?"
An ARP reply is unicast: only the host that owns the requested IP answers, and it answers directly to the requester's MAC
Each host keeps an ARP cache table of the IP-MAC mappings it has learned, so it does not have to broadcast a request for every frame
The role of ARP in communication: every frame we transmit needs a destination MAC. The IP address is only a logical address; what the network card actually puts on the wire is addressed by MAC. ARP is the "translator" from IP to MAC, and without the MAC address no LAN communication can take place.
2. Getting Started
Shenchang has always felt that reading the principles without practising is pointless, so let's use eNSP as an example and watch it happen:
First, let's look at PC1's ARP table:
The ARP table is empty at this point. Next we have PC1 send a request to PC2:
In the capture we can see two ARP frames. The first is the broadcast request: "Who has 192.168.1.20? Tell 192.168.1.10". The second is the unicast reply: 192.168.1.20 is at 54-89-98-F5-2F-D4.
Now let's look at the ARP table on PC1 and on the switch:
PC1 now holds PC2's IP address together with the corresponding MAC.
Tip: dynamic ARP entries have a lifetime (an aging timer). After it expires the entry is removed, and the next packet to that IP triggers a fresh request.
3. ARP spoofing
ARP also has a "weakness": it has no authentication, so a host accepts any reply, including one it never asked for, and overwrites its cache with it. An attacker can therefore forge replies that claim the gateway's IP with the attacker's own MAC; the victims then send their outbound traffic to the attacker, who forwards it on, forming a man-in-the-middle attack.
Prevention methods:
Use static ARP entries for critical hosts such as the gateway, so a forged reply cannot overwrite them;
Enable the switch's ARP anti-attack mechanisms (for example Dynamic ARP Inspection, which checks ARP packets against a trusted IP-MAC binding table and drops those that do not match);
Configure IP-MAC (and port) binding on Layer 3 switches or security devices.
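As an added example (not from the original post and not eNSP output), the following Python models the two things this page describes: the frame exchange from section 2, with the broadcast request and the unicast reply built and parsed at the byte level in the RFC 826 Ethernet/IPv4 layout, and the spoofing weakness from section 3, with a plain cache that accepts any reply next to a guarded cache that keeps static bindings and only accepts replies it asked for. PC2's MAC is the one from the capture above; PC1's, the gateway's and the attacker's MACs, and the gateway IP 192.168.1.1, are assumptions made up for the example.

```python
"""Ethernet/ARP frame builder and parser (RFC 826 layout for Ethernet + IPv4), plus two host-side
ARP-cache models: the classic one that trusts any reply, and a guarded one that honours static
bindings and only accepts replies it asked for. All addresses below are constructed."""
import struct
from collections import namedtuple
from dataclasses import dataclass, field

ETH_P_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ARP_REQUEST, ARP_REPLY = 1, 2

# dst_mac/src_mac come from the Ethernet header; the remaining fields are the ARP body
Arp = namedtuple("Arp", "dst_mac src_mac op sender_mac sender_ip target_mac target_ip")

def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.replace("-", ":").split(":"))

def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Requests go to FF:FF:FF:FF:FF:FF; replies are unicast to the asker's MAC."""
    dst_mac = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype=Ethernet, ptype=IPv4, hlen, plen, opcode
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

def parse_arp(frame: bytes) -> Arp:
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an Ethernet/ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    b = frame[22:42]
    return Arp(mac_str(frame[0:6]), mac_str(frame[6:12]), op,
               mac_str(b[0:6]), ip_str(b[6:10]), mac_str(b[10:16]), ip_str(b[16:20]))

@dataclass
class NaiveCache:
    """Classic host behaviour: any ARP reply overwrites the IP-to-MAC mapping."""
    table: dict = field(default_factory=dict)
    pending: set = field(default_factory=set)   # IPs we have broadcast a request for
    alerts: list = field(default_factory=list)

    def request(self, ip: str) -> None:
        self.pending.add(ip)

    def handle(self, frame: bytes) -> None:
        a = parse_arp(frame)
        if a.op == ARP_REPLY:
            self.table[a.sender_ip] = a.sender_mac  # no verification at all: this is the weakness
            self.pending.discard(a.sender_ip)

class GuardedCache(NaiveCache):
    """Same cache with static IP-MAC bindings (like a static ARP entry) and sanity checks."""
    def __init__(self, static: dict):
        super().__init__()
        self.static = dict(static)
        self.table.update(static)

    def handle(self, frame: bytes) -> None:
        a = parse_arp(frame)
        if a.op != ARP_REPLY:
            return
        ip, mac = a.sender_ip, a.sender_mac
        if ip in self.static and self.static[ip] != mac:
            self.alerts.append(f"static binding violated: {ip} claimed by {mac}")
        elif ip not in self.pending:
            self.alerts.append(f"unsolicited reply for {ip} from {mac}")
        elif a.src_mac != mac:
            self.alerts.append(f"Ethernet source {a.src_mac} != ARP sender {mac}")
        else:
            self.table[ip] = mac
            self.pending.discard(ip)

def demo():
    # Constructed addresses: PC2's MAC is the one from the capture; the other three are made up.
    pc1, pc2 = "54:89:98:aa:11:10", "54:89:98:f5:2f:d4"
    gateway, attacker = "54:89:98:00:00:01", "00:0c:29:de:ad:01"
    frames = [
        build_arp(ARP_REQUEST, pc1, "192.168.1.10", ZERO_MAC, "192.168.1.20"),  # who has .20? tell .10
        build_arp(ARP_REPLY, pc2, "192.168.1.20", pc1, "192.168.1.10"),         # .20 is at pc2
        build_arp(ARP_REPLY, attacker, "192.168.1.1", pc1, "192.168.1.10"),     # forged "gateway is at attacker"
    ]
    naive, guarded = NaiveCache(), GuardedCache({"192.168.1.1": gateway})
    for cache in (naive, guarded):
        cache.request("192.168.1.20")
        for f in frames:
            cache.handle(f)
    return naive, guarded, frames
```

Calling demo() leaves the naive cache believing 192.168.1.1 is at the attacker's MAC, while the guarded cache keeps its static gateway entry and records one alert. The static-binding rule is the same idea as a static ARP entry or switch-side IP-MAC binding. The "did we ask?" rule is only a heuristic: legitimate gratuitous ARP is also unsolicited, so on a real host that rule is better used for alerting than for silently dropping.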
4. Summary
ARP is a bridge connecting IP and MAC;
The first step of each LAN communication is to find the MAC address;
ARP request is broadcast, and the response is unicast;
The switch only forwards frames by MAC address; it does not resolve addresses itself;
In a security-sensitive environment, pair ARP with static entries or the switch's anti-attack settings.