ARP operates at which layer?

yuddhidhtir

Its all complicated in the internet,expecting a simple answer.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

Trifidw

I'm going to say layer 2 because it doesn't transverse through routers and as far as I'm aware doesn't include layer 3 headers?

yuddhidhtir

Amazon.com: CompTIA Network+ N10-004 Exam Cram (3rd Edition) (9780789737960): Mike Harwood: Books

But this book says it operates at network layer of OSI model

RobertKaucher

It is generally considered a Link Layer protocol in the TCP/IP model, but the OSI frame work generally places it between layers 2 and 3.

CodeBlox

EDIT: I'm editing my post to say in between layers two and three of the OSI model. I was thinking that an IP header gets prepened to the datagram. Looks like the source/destination IP addresses are a part of the ARP datagram as fields. You could say a data link layer protocol that relies on network layer services??

ptilsen

I would place it at 2 or 2.5, but not 3.

Webmaster

I would place it across multiple layers and hope not to be forced on an exam to pick between 2 and 3. Because the OSI model is just that, a model, in reality network technologies and protocols don't always fit neatly within layers in the model. ARP's position in the OSI model is a reoccurring topic at TE because of that, here are some quotes from an old post from me:

Cisco.com wrote:

In order for devices to be able to communicate with each when they are not part of the same network, the 48-bit MAC address must be mapped to an IP address. Some of the Layer 3 protocols used to perform the mapping are:

•Address Resolution Protocol (ARP)
•Reverse ARP (RARP)
•Serial Line ARP (SLARP)
•Inverse ARP

I can't find (an updated link to) the picture atm, but I've seen Cisco docs depicting it "in" layer 2 as well, and Cisco course material specifically mentioning it works across the bottom two layers of the DoD model.

CodeBlox wrote: »

You could say a data link layer protocol that relies on network layer services??

Well, ARP is implemented and used by the layer 3 protocol (suite) to send layer 2 Ethernet frames to map layers 3 to layer 2 addresses so you could say that.

Although in cases like this (ARP) it can lead to confusion and frustration even, it does force you to gain a better understanding of the workings of a protocol/service to place it in the layered approach of the OSI model, which is one of the OSI model's purposes opposed to creating 1-to-1 relationships between layers and protocols/services.

ptilsen

I'm reminded of this:
RFC 3439 - Some Internet Architectural Guidelines and Philosophy

Overall, it can be very difficult to accurately place certain protocols in the OSI model. That said, we are not designing protocols here. The OSI model is a great tool to aid in the troubleshooting process. For the purposes of troubleshooting problems, I have always treated ARP as a layer-2 protocol.

Webmaster wrote: »

Although in cases like this (ARP) it can lead to confusion and frustration even, it does force you to gain a better understanding of the workings of a protocol/service to place it in the layered approach of the OSI model, which is one of the OSI model's purposes opposed to creating 1-to-1 relationships between layers and protocols/services.

Really, this hits the nail on the head.

chopsticks

My understanding is it should be between layer 2 & 3. This is because it understands layer 3 IP address and layer 2 MAC address. Just my simple understanding.

it_consultant

Its layer 2. There isn't really a thing that is "between layer 2 and layer 3". It either does or does not cross the network layer, it does not. Even though it carries layer 3 information, it still operates at layer 2.

Turgon

it_consultant wrote: »

Its layer 2. There isn't really a thing that is "between layer 2 and layer 3". It either does or does not cross the network layer, it does not. Even though it carries layer 3 information, it still operates at layer 2.

Well MPLS is regarded as layer 2.5 because of what happens to the headers with Shim. I put ARP at layer 2 really. Yes it resolves layer 3 to a MAC address but it's a layer 2 resolver and that's what it's trying to do, so layer 2 for me. OSI layers, people argue all the time.

docrice

If you look at an ARP request and reply using a packet sniffer, you'll find that while it does carry IP address information as it relates to sender and target MAC addresses, there's no actual IP header where layer 3 essentially starts. I'd put it squarely in the layer 2 category.

ptilsen

it_consultant wrote: »

Its layer 2. There isn't really a thing that is "between layer 2 and layer 3". It either does or does not cross the network layer, it does not. Even though it carries layer 3 information, it still operates at layer 2.

Careful. The OSI model has no bearing on actual protocol design. It's not a science; it's a guideline. I agree with your assessment of ARP, but I can see logic in the "between" assessments, too, and as Turgon said MPLS is pretty widely treated at 2.5 (and I would consider Turgon somewhat of an authority on the matter). Read the RFCs. IEEE doesn't consider OSI relevant to networking protocol design, and some protocols are very difficult to place.

it_consultant

ptilsen wrote: »

Careful. The OSI model has no bearing on actual protocol design. It's not a science; it's a guideline. I agree with your assessment of ARP, but I can see logic in the "between" assessments, too, and as Turgon said MPLS is pretty widely treated at 2.5 (and I would consider Turgon somewhat of an authority on the matter). Read the RFCs. IEEE doesn't consider OSI relevant to networking protocol design, and some protocols are very difficult to place.

Even MPLS isn't really between 2 layers of the OSI model. It is more of a superlayer than can be wrapped on top of 2,3,4 for specialized applications like VPLS.

The idea something is between 2 layers isn't logical, if it were between layers then there would be another layer. You don't put 2 layers of paint on a wall and say "layer 1.5 of the paint". I understand that the OSI model was not carved in stone on a mountain, but there are commonly accepted demarcation points on the OSI model on what protocols do and don't do which place them on a layer.

instant000

yuddhidhtir wrote: »

Its all complicated in the internet,expecting a simple answer.

Here is the simple answer.

If you do a packet capture, you can see that the source and destination address that ARP uses for its frame are Layer 2 addresses. Therefore, from this perspective, it operates at Layer 2.

However, if you consider tht the information that ARP provides is actually used so that hosts communicate over Layer 3, you can see how some people consider it operating for both layers.

Truthfully,
The PAYLOAD data of ARP is used to translate L3 addresses to L2 addresses. It does this using Layer 2 frames.

In a successful ARP sequence:

Let's go through a scenario, where Host 1 wants to send some information to Host 2, but before it can start to do that, it acutally needs its MAC address. You might be wondering, why would it need a MAC address? i thought I only need to know its IP address, and I'm good to go. As Lee Corso would say "Not so fast, my friend!" You have to go a little deeper than that, if you really want to know what's going on in your network. "Will you take the red pill, or the blue pill?"

OK, well to start, Host 1 has this much information:

Host 1:
IP: 1.1.1.1
MAC: aa:aa:aa:aa:aa:aa

host 2:
IP: 1.1.1.2

Host 1 wants to communicate with Host 2, but only knows it's IP address. Please note that host 1 needs to know a MAC address for Host 2, in order to communicate with it, as it needs to know where to send the Frame.

Host1's ARP cache is basically empty at this time.

Host 1 then ARP's for Host 2, like so:

This is what the frame looks like:

source:  aa:aa:aa:aa:aa:aa
destination:  ff:ff:ff:ff:ff:ff
Payload: 
Sender MAC: aa:aa:aa:aa:aa:aa
Sender IP: 1.1.1.1
Target MAC:00:00:00:00:00:00
Target IP: 1.1.1.2

Note: Host 1 sends this information out, as it is tryiing to populate its local ARP cache with information about Host 2. It HAS to know the MAC address to send the information to, in order to properly address its frame. Note that Host 1 is basically saying "I know this much, can someone please fill in the blank?" The blank is the All zeroes target MAC. Note that Host 1 knows the IP of its target, but by definition, IP is a connectionless protocol, so no actual connection is implied here.

Also, note that Host 1 is sending out a BROADCAST (All F's) as it doesn't know where Host 2 is, so it's basically asking everybody on the network, in hopes that someone else knows.

Host 2, if it is awake, and sees this frame, should respond like this:

Awesome! I just found out some really cool information, let me update my arp cache:

Host 2's arp cache:

ip- 1.1.1.1 mac - aa:aa:aa:aa:aa:aa

Now, Host2 will respond with its information, to let Host1 know that it has the MAC address host 1 is looking for:

source:  bb:bb:bb:bb:bb:bb
destination:  aa:aa:aa:aa:aa:aa
Payload: 
Sender MAC: bb:bb:bb:bb:bb:bb
Sender IP: 1.1.1.2
Target MAC:  aa:aa:aa:aa:aa:aa
Target IP: 1.1.1.1

If Host 1 is still awake at this time, it should receive that information, and now update its ARP cache

Host 1's ARP cache

ip- 1.1.1.2 mac - bb:bb:bb:bb:bb:bb

Now, if Host 1 needs to send some information to Host 2, it knows which MAC address to encapsulate the frame with.

Now, of course, if you're like I was at this point of learning, you're undoubtedly a lot more curious about how all this works. If so, then get a packet **** program (Wireshark/tcpdump are two popular ones) and play with it, to see what's really going across your network.

Hope this helps!

Trifidw

instant000 wrote: »

Hope this helps!

Excellent post!

yuddhidhtir

Thanks instant000, nice explanation

Thanks everyone for your valuable information.

Turgon

it_consultant wrote: »

Even MPLS isn't really between 2 layers of the OSI model. It is more of a superlayer than can be wrapped on top of 2,3,4 for specialized applications like VPLS.

The idea something is between 2 layers isn't logical, if it were between layers then there would be another layer. You don't put 2 layers of paint on a wall and say "layer 1.5 of the paint". I understand that the OSI model was not carved in stone on a mountain, but there are commonly accepted demarcation points on the OSI model on what protocols do and don't do which place them on a layer.

MPLS is label switching, somewhat like frame relay on steroids

It sits at layer 2.5 because the labels live between layer 2 and 3. Im not a fan of referencing wiki but it covers things quite well.

Multiprotocol Label Switching - Wikipedia, the free encyclopedia

Foundry has a good paper on MPLS L3VPN (MP-BGP) and L2VPN (VPLS/VLL).

The OSI model is indeed useful, but circular debates rage about where things actually live

it_consultant

Turgon wrote: »

MPLS is label switching, somewhat like frame relay on steroids It sits at layer 2.5 because the labels live between layer 2 and 3. Im not a fan of referencing wiki but it covers things quite well.

Multiprotocol Label Switching - Wikipedia, the free encyclopedia

Foundry has a good paper on MPLS L3VPN (MP-BGP) and L2VPN (VPLS/VLL).

The OSI model is indeed useful, but circular debates rage about where things actually live

Frame relay on steroids is how I describe it to my customers! I still consider it a superlayer because within MPLS all of the normal protocols still operate within the MPLS encapsulation. I agree that MPLS is hard to classify and it would blow the mind of whoever came up with the OSI model.

thedrama

yuddhidhtir wrote: »

Its all complicated in the internet,expecting a simple answer.

Not complicated either. First, imagine how ARP is read when you open the abbreviation. Address Resolution Protocol. As you know, IP addresses are
logical addresses and they can be changed but our data could be transferred physically, right? So, when you are about to put a packet onto the medium, you must translate the logical address into physical address which is MAC(physical/hardware address) allowing you to send the packet 'physically'on the medium and find other hosts on the LAN.

In short, in order to transmit the packets from one computer to a computer on same LAN or on a different network, packet must be encapsulated at the data link layer and physical addresses on the network interface card (source) and the dest. MAC must be added inside the packet with relevant frame checking fields. This means, IP addresses must be translated to MAC addresses which is done by ARP.

Turgon

it_consultant wrote: »

Frame relay on steroids is how I describe it to my customers! I still consider it a superlayer because within MPLS all of the normal protocols still operate within the MPLS encapsulation. I agree that MPLS is hard to classify and it would blow the mind of whoever came up with the OSI model.

MPLS is protocol agnostic which makes it such a versatile transport mechanism. PPP offered some of that back in the day. It get's you there leveraging the hardware and logic along the way, but isn't hung up on the payload. Things like MP-BGP and VPLS will add identifiers to sort things out neatly into address-families using RDs, or VRIDs at the other end.

thedrama

Hey, may this come to all who say ARP operates at layer 2.

If ARP operates at layer 2, why the heck l2 switches are not be able to utilize it? you can not do anything with ARP on l2 switches. So, i do not imagine ARP belongs to layer 2.

CodeBlox

thedrama wrote: »

Hey, may this come to all who say ARP operates at layer 2.

If ARP operates at layer 2, why the heck l2 switches are not be able to utilize it? you can not do anything with ARP on l2 switches. So, i do not imagine ARP belongs to layer 2.

I don't know that that is true... They can have IP addresses for management purposes. In that way, I would think a switch could make ARP request.

thedrama

CodeBlox wrote: »

I don't know that that is true... They can have IP addresses for management purposes. In that way, I would think a switch could make ARP request.

As you told, they can have IP addresses, but, ARP's role is not it. Those are usually for being accessed remotely(i mean the destination). On the source part, no translation to MAC happens on layer 2 switches.

Forsaken_GA

I'm of two minds about it. The part of me that says it's layer 2 views it simply as an extension of the ethernet specification.

I tend to lean more towards the layer 3 side, however. Layer 2 devices can operate and communicate without ARP. Layer 3 ipv4 devices cannot (over an ethernet segment). As well, there are other layer 3 protocols that do not use ARP, so in that vein, ARP is essentially a part of the ipv4 suite, which is layer 3 and 4. Since ARP clearly has nothing to do with layer 4 functions, that puts it pretty much at layer 3 for me. This is further reinforced for me by the fact that ARP does not exist in ipv6.

To put it another way - each layer 3 protocol basically needs it's own shim to layer 2. That would need to be done above layer 2, and each layer 3 protocol is bring your own shim, which puts the shim as part of it.

Of course, as far as I'm concerned, the OSI model can burn in hell for all I care. I am so sick of test and interview questions that ask about it.

CodeBlox

thedrama wrote: »

As you told, they can have IP addresses, but, ARP's role is not it. Those are usually for being accessed remotely(i mean the destination). On the source part, no translation to MAC happens on layer 2 switches.

Lets say I SSH from the switch to another device on that same LAN and the other devices MAC address isn't in my switches ARP cache. What happens then? Is an ARP request not sent to get the MAC address? I'm at work right now so I can't verify it with a packet capture.EDIT: There is a thread that was created about this sometime last year: http://www.techexams.net/forums/ccna-ccent/67346-switches-do-they-use-arp.html

thedrama

CodeBlox wrote: »

Lets say I SSH from the switch to another device on that same LAN and the other devices MAC address isn't in my switches ARP cache. What happens then? Is an ARP request not sent to get the MAC address? I'm at work right now so I can't verify it with a packet capture.EDIT: There is a thread that was created about this sometime last year: http://www.techexams.net/forums/ccna-ccent/67346-switches-do-they-use-arp.html

i think you are wrong. what l2 switches do there is learning the MAC address which will arrive to its port from the devices connected to it. No ARP process comes up on l2 switches in this situation. what l2 switches do is receiving the source MAC then
according to the situation if they have a match on their filter table, broadcasting the frame out all their ports except the
port which frame is received or finding the correct match on their filter table and communicating the source and dest.
directly.

Trifidw

thedrama wrote: »

i think you are wrong. what l2 switches do there is learning the MAC address which will arrive to its port from the devices connected to it. No ARP process comes up on l2 switches in this situation. what l2 switches do is receiving the source MAC then
according to the situation if they have a match on their filter table, broadcasting the frame out all their ports except the
port which frame is received or finding the correct match on their filter table and communicating the source and dest.
directly.

If it doesn't do ARP, how would you SSH/telnet/ping a device that has yet to communicate through said switch?

Turgon

A layer 2 switch is a bridge. It is aware of what is out there on it's ports in terms of layer 2 by learning source MACs. Little else.

Zartanasaurus

Trifidw wrote: »

If it doesn't do ARP, how would you SSH/telnet/ping a device that has yet to communicate through said switch?

When host A does an ARP for Host B's mac, the switch will see the response from Host B.

Turgon

Zartanasaurus wrote: »

When host A does an ARP for Host B's mac, the switch will see the response from Host B.

Only if it's on that segment. Another device may respond on behalf of host B. Proxy ARP.