
Do switches perform ARP broadcast?

ramesh841 Registered Users Posts: 4
415 831.476675 Private_66:68:02 Broadcast ARP 64 Who has 10.0.0.1? Tell 10.0.0.3 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
416 831.477150 Private_66:68:00 Private_66:68:02 ARP 64 10.0.0.1 is at 00:50:79:66:68:00 [ETHERNET FRAME CHECK SEQUENCE INCORRECT]
417 831.477650 10.0.0.3 10.0.0.1 ICMP 98 Echo (ping) request id=0x795d, seq=1/256, ttl=64 (reply in 418)
418 831.478150 10.0.0.1 10.0.0.3 ICMP 98 Echo (ping) reply id=0x795d, seq=1/256, ttl=64 (request in 417)


When a frame with an unknown destination reaches a switch, the switch simply floods the frame, right, and doesn't broadcast ARP.
I pinged from 10.0.0.3 to 10.0.0.1 and the switches broadcast ARP.
Switches only flood the frame without ARP messages. Why is ARP performed on switches? ARP is layer 3, so why are the ARP messages generated at layer 2 switches?
The above info was captured from Wireshark with broadcast ARP.

Comments

  • james43026 Member Posts: 303
    ARP is a layer 3 concept. I need more context here. What model switch is this? What debug are you running? Or is this from Wireshark, as it looks like a Wireshark type of capture, taken from an end node, or maybe from a device connected to a mirrored port / port monitoring in the Cisco world? I ask because most modern NICs support checksum offloading, which means the checksum would be calculated in hardware, instead of the network or protocol driver (i.e. outside of the OS), meaning that the checksum field will be blank when Wireshark sees the packet. Most likely the computer you are taking this capture from supports checksum offloading.
  • theodoxa Member Posts: 1,340
    ARP translates a Layer 3 (IP) Address to a Layer 2 (MAC) Address. For example, if you are on a PC and ping another PC on the same subnet, the PC will ARP for the MAC Address that goes with the IP Address you are PINGing. If you PING a PC on a different subnet, it will realize it needs to send the frame to its gateway and will generally ARP for its default gateway. Now, as for a switch. A Layer 3 switch should ARP when doing Layer 3 routing. I would think that it should also ARP when it generates its own unicast traffic. For example, when you PING from the switch's management interface, I would expect even a Layer 2 switch to ARP for the destination (same subnet as management interface) or the default gateway (different subnet, "ip default-gateway").
    R&S: CCENT CCNA CCNP CCIE [ ]
    Security: CCNA [ ]
    Virtualization: VCA-DCV [ ]
  • james43026 Member Posts: 303
    A layer 2 switch will ARP when needed to complete the mapping of a layer 3 to a layer 3 address. And it does indeed store an ARP table. It is still susceptible to unicast flooding like all switches. Also, I should clarify that technically ARP exists at layer 2 of the OSI model. But its primary function is to establish a map between layer 3 and layer 2 addressing.
  • ramesh841 Registered Users Posts: 4
    Thank you guys. I thought ARP was only performed on layer 3 switches and routers.
    Now I understand ARP can also be performed on layer 2 switches for the searching of an unknown MAC.
  • jofas88 Member Posts: 29
    What type of nodes are the IPs assigned to? If 10.0.0.3 is assigned to your PC/laptop Ethernet interface and the switch (L2) management port/SVI is 10.0.0.1 AND if you are sniffing packets (Wireshark) on said Ethernet interface, then yes, you are going to see the ARP request from your NIC to the owner of 10.0.0.1. ARP itself is a broadcast to discover an unknown IP to MAC. My assumption is that your NIC is actually sending out the broadcast, not the switch. ARP on a layer 2 switch is for the management SVI TCP/IP stack to facilitate ICMP, SSH, SNMP, etc. A layer 2 switch will make forwarding decisions based on the CAM table for L2 PDUs; if there is no entry in the CAM table, then flood.
  • theodoxa Member Posts: 1,340
    ramesh841 wrote:
    Thank you guys. I thought ARP was only performed on layer 3 switches and routers.
    Now I understand ARP can also be performed on layer 2 switches for the searching of an unknown MAC.

    ARP is used when you go from Layer 3 to Layer 2. For example, a Layer 2 switch would still have a management interface and that interface could generate traffic such as Telnet, SSH, ICMP, etc. Using the example of Telnet, the switch will work its way down the OSI model, starting by

    1) Encapsulating the Telnet data inside a Layer 4 Segment. In this case, it would use TCP, a random source port from above 1024, and a destination port of 23.

    2) It would then encapsulate that segment inside a Layer 3 packet. It would most likely use IPv4, the source address being the IP of the management interface of the switch, and the destination address being the final destination of the packet (assuming NAT is not in use somewhere in between).

    3) Now, the switch would have to create a Layer 2 frame to encapsulate the packet. Most likely this would be an Ethernet Frame. It would supply its own MAC Address as the source address, but would not know (assuming it has not already learned it) what the destination MAC Address should be.

    4) Since it knows the destination IP Address, it can now generate an ARP request asking who has that IP Address and what their MAC Address is. If the destination is on the same subnet as the management interface, it should generate an ARP request for the final destination IP, but if it is on another subnet then the switch should realize this (given the IP and Subnet Mask assigned to the management interface) and should, if configured with a default gateway, ARP for the default gateway, since that is how traffic will reach the destination.

    5) Once it receives an ARP Reply, it can then finish the Ethernet frame by filling in the destination MAC.

    6) If the final destination is on the same subnet, from here on, the frame should be switched at Layer 2 and should not require any further ARP requests to reach its final destination. Plus, the destination should automatically learn the mapping when it receives the traffic, so it should not need to ARP coming back either. If the final destination is on another subnet, ARPs may be required at Layer 3 hops also.
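Steps 3 to 5 of the post above, as an added example that is not part of the original thread: it picks the address to ARP for (destination if on-link, otherwise the default gateway), builds the broadcast who-has frame, and decodes it the way a capture tool would. The /24 mask, the gateway 10.0.0.254 and all function names are assumptions; the sender MAC is Private_66:68:02 written out with the 00:50:79 prefix visible in frame 416.

```python
import ipaddress
import struct
from typing import Optional

ETH_BROADCAST = b"\xff" * 6
ETHERTYPE_ARP = 0x0806

def arp_target(iface_cidr: str, dst_ip: str, gateway: Optional[str]) -> str:
    """Step 4: ARP for the destination if on-link, otherwise for the gateway."""
    network = ipaddress.ip_interface(iface_cidr).network
    if ipaddress.ip_address(dst_ip) in network:
        return dst_ip
    if gateway is None:
        raise ValueError("off-link destination and no default gateway set")
    return gateway

def mac_to_bytes(mac: str) -> bytes:
    raw = bytes.fromhex(mac.replace(":", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return raw

def build_arp_request(src_mac: str, src_ip: str, target_ip: str) -> bytes:
    """Steps 3-4: broadcast Ethernet frame carrying an ARP who-has."""
    sha = mac_to_bytes(src_mac)
    eth = ETH_BROADCAST + sha + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, op=1 (request)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += sha + ipaddress.IPv4Address(src_ip).packed
    arp += b"\x00" * 6 + ipaddress.IPv4Address(target_ip).packed  # target MAC unknown
    # Pad to the 60-byte Ethernet minimum; the 4-byte FCS is appended by the NIC.
    return (eth + arp).ljust(60, b"\x00")

def parse_arp(frame: bytes) -> dict:
    """Decode the fields a capture tool shows for an ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    op = struct.unpack("!H", frame[20:22])[0]
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    return {
        "dst_mac": fmt(frame[0:6]),
        "op": {1: "request", 2: "reply"}.get(op, str(op)),
        "sender_mac": fmt(frame[22:28]),
        "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
        "target_ip": str(ipaddress.IPv4Address(frame[38:42])),
    }

# Constructed sample: addresses from the capture above; mask and gateway are assumed.
frame = build_arp_request("00:50:79:66:68:02", "10.0.0.3",
                          arp_target("10.0.0.3/24", "10.0.0.1", "10.0.0.254"))
```

The 60-byte frame plus the 4-byte FCS gives the 64-byte length shown for frame 415 in the capture.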
  • ramesh841 Registered Users Posts: 4
    Thanks theodoxa. I clearly understand now.
  • james43026 Member Posts: 303
    Also be aware that on a switch, if the ARP cache is populated for the destination of your traffic, but the CAM table doesn't have an entry for the MAC address, then the switch will create a unicast flood. This is also a popular problem with layer 3 switches when using an FHRP like HSRP, when you have asymmetric routing going on in your network.
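The CAM behaviour described in jofas88's post and in the post above, as an added example that is not part of the original thread: a minimal layer 2 switch model replays the four captured frames, then repeats the ping after the CAM entry for 10.0.0.1 has aged out while the sending host still has it in its ARP cache. The class, the port numbers and the port-to-host mapping are assumptions made for the illustration.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

class L2Switch:
    """Learns source MACs per port and forwards on destination MAC only."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.cam = {}  # MAC address -> port it was last seen on

    def receive(self, in_port, src_mac, dst_mac):
        """Return (decision, egress ports) for one frame; the switch never ARPs here."""
        self.cam[src_mac] = in_port  # learn or refresh the source
        others = sorted(self.ports - {in_port})
        if dst_mac == BROADCAST:
            return ("broadcast", others)  # e.g. a host's ARP request
        out = self.cam.get(dst_mac)
        if out is None:
            return ("unknown-unicast flood", others)
        if out == in_port:
            return ("filter", [])  # destination is on the ingress port
        return ("forward", [out])

    def age_out(self, mac):
        """Simulate the CAM aging timer expiring for one address."""
        self.cam.pop(mac, None)

def replay_capture():
    # Constructed topology: 10.0.0.3 on port 3, 10.0.0.1 on port 1, port 2 idle.
    host3, host1 = "00:50:79:66:68:02", "00:50:79:66:68:00"
    sw = L2Switch([1, 2, 3])
    steps = [
        sw.receive(3, host3, BROADCAST),  # 415: ARP who-has, sent by the host
        sw.receive(1, host1, host3),      # 416: ARP reply, unicast
        sw.receive(3, host3, host1),      # 417: ICMP echo request
        sw.receive(1, host1, host3),      # 418: ICMP echo reply
    ]
    # CAM entry expires, but host3's ARP cache still maps 10.0.0.1 to host1,
    # so host3 sends unicast without a new ARP and the switch has to flood it.
    sw.age_out(host1)
    steps.append(sw.receive(3, host3, host1))
    return steps

if __name__ == "__main__":
    for decision, ports in replay_capture():
        print(f"{decision:22s} -> ports {ports}")
```

A flooded unicast frame reaches every other port, so unicast traffic between two other hosts showing up in a capture on an unrelated port is a sign of a missing or aged-out CAM entry.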