Deciphering Layer 2 devices and the ARP process

Home > Blogs > Cisco > Deciphering Layer 2 devices and the ARP process

Deciphering Layer 2 devices and the ARP process

Like This Blog 1 Mark Jacob
Added by March 27, 2013

So you are troubleshooting the network and PING from one device to another. A reply is received. Great! Connectivity has been restored. But what happened behind the scenes? As long as the two devices are on the same network or subnet, the proof of connectivity never really has to live above Layer 2 (the Data Link layer) of the OSI model. Let’s take a look at what happens to make this PING succeed.

If you have a couple of clients that look like this:

PING Deciphering Layer 2 devices and the ARP process

Let’s say the left client, call it client A, is 192.168.1.1 /24 and the right client (B) is 192.168.1.2 /24. If I go to the client on the left and type the command PING 192.168.1.2, I expect a reply.  Keep in mind what we know and what we are trying to determine. Since I am typing the IP address, I can say that I know the Layer 3 information, the IP address. I am trying to determine the Layer 2 address, the MAC Address. The client on the left will check his ARP (Address Resolution Protocol) cache to see if there is a Layer 3 to Layer 2 mapping.  If none exists, it will send an ARP broadcast to try the locate the destination IP address. Recall that broadcast messages are all ones, which in MAC address format would be all f s (ffff.ffff.ffff).  So we can imagine that client B (and any other nodes on this network) receives this broadcast. Then what?  For this to make sense, we have to discuss the Boolean operator AND.  It turns out that the receiving nodes perform a Boolean AND with the destination MAC address (all 1s) and themselves. Let’s shorten up the MAC address to just four digits to make our example easier to follow. So client B has MAC address 1100, for example, the destination (broadcast) MAC is 1111. A Boolean AND works like this. If the inputs are both 0, the result is 0. If one input is 1 and the other is 0, the result is 0. But if both inputs are 1, the result is 1.

It helps to see it in diagram format:

Boolean Deciphering Layer 2 devices and the ARP process

Let’s apply that to this example. Putting them on top of each other to visualize would look like this:

Virtual Deciphering Layer 2 devices and the ARP process

So the client performs the Boolean operation and Voila! it says, “Hey, this is for me!” because the result of the operation is his own MAC address. Once this happens, it pushes up the information to Layer 3, which then says, “Yep, we are IP address 192.168.1.2. Then client B can respond directly to the MAC address of the sender, since that information was contained in the original broadcast. Once each client has a mapping to the MAC address of the other, a unicast conversation can ensue. Or, in our example, the PINGs will be answered.

ARP information stays in the cache for a default time of 300 seconds, or five minutes, whichever comes first.  😉

This is just a quick rundown of the ARP process, and as I mentioned in my last blog, you can have lots of fun watching processes take place within your network using Wireshark, or another packet sniffer of your choice.

Happy troubleshooting…

Mark Jacob
Cisco Instructor – Interface Technical Training
Phoenix, AZ

Videos You May Like

Agile Methodology in Project Management

0 156 0

In this video, you will gain an understanding of Agile and Scrum Master Certification terminologies and concepts to help you make better decisions in your Project Management capabilities. Whether you’re a developer looking to obtain an Agile or Scrum Master Certification, or you’re a Project Manager/Product Owner who is attempting to get your product or … Continue reading Agile Methodology in Project Management

Creating Users and Managing Passwords in Microsoft Office 365

0 675 3

In this Office 365 training video, instructor Spike Xavier demonstrates how to create users and manage passwords in Office 365.   For instructor-led Office 365 training classes, see our course schedulle: Spike Xavier SharePoint Instructor – Interface Technical Training Phoenix, AZ 20347: Enabling and Managing Office 365    

Detailed Forensic Investigation of Malware Infections – April 21, 2015

4 630 5

How does an investigator hunt down and identify unknown malware? In this recording of our IT Security training webinar on April 21, 2015, Security expert Mike Danseglio (CISSP / CEH) performed several malware investigations on infected computers and identify symptoms, find root cause, and follow the leads to determine what’s happening. He demonstrated his preferred … Continue reading Detailed Forensic Investigation of Malware Infections – April 21, 2015

Write a Comment

See what people are saying...

    Share your thoughts...

    Please fill out the comment form below to post a reply.