ARP Rewrite
Available Languages
Table Of Contents
Application-specific ARP Table Entries
ARP Security Against ARP Attacks
ARP Information Display Enhancements
ARP Information Refresh Enhancements
ARP Broadcast and Response Process
Application-specific ARP Table Entry Modes
ARP Table Entry Synchronization with CEF Adjacency
ARP Table Size Monitoring Per Interface
Co-Existence with Stateful Switchover
How to Monitor and Maintain ARP Information
Displaying a Summary of All ARP Table Entries
Displaying All ARP Table Entries
Displaying Only the ARP Table Entries for a Specific Type of ARP Application
Displaying ARP HA Status and Statistics
Refreshing Dynamically Learned ARP Table Entries
Enabling Debug Trace for ARP Transactions
Enabling ARP Trap on the Number of Learned Entries on an Interface
ARP Table Size as an Indicator of a Possible ARP Attack
Feature Information for ARP Rewrite
ARP Rewrite
First Published: August 24, 2006Last Updated: August 24, 2006Address Resolution Protocol (ARP) is an Internet protocol used to map an IP address to a Media Access Control (MAC) address. ARP finds the MAC address, also known as the hardware address, of an IP-routed host from its known IP address and maintains this mapping information in a table. The router uses this IP address and MAC address mapping information to send IP packets to the next-hop router in the network.
Development of the ARP Rewrite feature is an incremental step within an overall program to improve the management tools for ARP support in a Cisco IOS environment:
•
To better support ARP analysis activities, the ARP administrative facilities have been enhanced to provide more detailed information about and more granular control over ARP information. This information can be used to investigate issues with ARP packet traffic, ARP high availability (HA), or ARP synchronization with Cisco Express Forwarding (CEF) adjacency.
•
•
No configuration tasks are associated with the ARP Rewrite feature. The ARP-related enhancements introduced by this feature are expanded forms of existing ARP management tasks.
Finding Feature Information in This Module
Your Cisco IOS software release may not support all of the features documented in this module. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for ARP Rewrite" section.
Finding Support Information for Platforms and Cisco IOS and Catalyst OS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
•
•
Restrictions for ARP Rewrite
For Cisco IOS Release 12.2(33)ZW, the following restrictions apply to the ARP Rewrite feature:
•
•
Application-specific ARP Table Entries
The ARP Rewrite feature introduces new ARP table entry modes to support application-specific ARP table entries. Applications that use these new mode types (Application Simple, Application Alias, and Application Timer) receive enhanced support in terms of software architecture and debugging tools. However, Cisco IOS Release 12.2(33)ZW does not support the Application Timer mode.
ARP High Availability
The ARP Rewrite feature supports ARP high availability (HA) on Cisco networking devices that support dual Route Processors (RPs) for redundant processing capability. However, ARP HA is limited to the synchronization of dynamically learned ARP entries from the active Route Processor (RP) to the standby RP. Statically configured ARP entries are not synchronized to the standby RP.
ARP Security Against ARP Attacks
The ARP Rewrite feature introduces a method for detecting a possible ARP attack by monitoring the number of ARP table entries for specific interfaces. However, no router-level security feature can prevent Man-in-the-Middle (MIM) types of ARP-spoofing attacks. There are no ARP features to be implemented to resolve this security issue. Protecting the router from ARP attacks is best handled in switches through the ARP access control list (ACL) filters rather than at the router level.
Information About ARP Rewrite
To use the ARP Rewrite feature, you should understand the following concepts:
•
•
ARP Rewrite Feature Overview
Development of the ARP Rewrite feature is an incremental step within an overall program to improve the management tools for ARP support in a Cisco IOS environment. For information about the entire ARP feature, see the "Additional References" section. The following sections summarize the enhancements introduced in the ARP Rewrite feature:
•
•
ARP Information Display Enhancements
The ARP information display capabilities have been expanded to support display of selected ARP entries, display of ARP entry details, and display of other ARP information.
Display of Selected ARP Entries
ARP table entries can be selected for display based on the following criteria:
•
•
•
•
In Cisco IOS software versions prior to Release 12.2(33)ZW, the show arp command displays the entire ARP table.
Display of ARP Entry Details
The following detailed ARP information can be displayed:
•
•
•
The show ip arp command, introduced in Cisco IOS Release 9.0, allows you to display only certain ARP table entries based on specified criteria (IP address, interface, or hardware address). However, that command does not display the ARP entry modes, CEF adjacency notification information, or the associated interface for floating static ARP entries.
Display of Other ARP Information
The following ARP information—other than the contents of the ARP table entries—can be displayed:
•
•
ARP Information Refresh Enhancements
In Cisco IOS software versions prior to Release 12.2(33)ZW, the clear arp command refreshes all non-static entries in the ARP table. The ARP Rewrite feature introduces enhancements to the ARP information refresh facility that enable you to manage selected ARP information:
•
•
•
•
ARP Debug Trace Enhancements
In Cisco IOS software versions prior to Release 12.2(33)ZW, the debug arp command supports debugging information for ARP packet traffic only. The ARP Rewrite feature introduces enhancements to the ARP debug trace facility that provide more detailed selection and filter options for ARP debug trace.
Debug Trace for Selected ARP Events
The ARP Rewrite feature includes enhancements that allow ARP debugging information to be enabled for the following types of ARP events:
•
•
•
•
Support for Filtering Debug Trace by Interface or Access List
The ARP Rewrite feature also includes enhancements to ARP debugging so that the debug arp command supports debug trace filtering as defined by the debug list command. This enhancement enables ARP debugging information to be focused on desired debugging information based on a specific router interface, an access list of IP addresses, or both.
ARP Security Enhancement
The ARP Rewrite feature introduces trap-based enabling of ARP system message logging (syslog) output. When this feature is configured, the router monitors the number of dynamically learned ARP table entries for each interface and triggers ARP logging whenever the number of learned ARP entries for a particular interface exceed the preconfigured value.
Such syslog traps can in turn alert network administrators (via protocols such as SNMP) with the identity of the affected interface and the number of learned ARP entries over that interface. The administrator can then investigate why the ARP table has grown to the configured thresholds, and take the necessary action to resolve possible security breaching. Alternatively, the router can take self-defense actions automatically, with the action depending on the severity, from more frequent refreshing to shutting down the interface port.
Note
Address Resolution Protocol
ARP was developed to enable communications on an internetwork, as defined by RFC 826. Routers and Layer 3 switches need ARP to map IP addresses to MAC hardware addresses so that IP packets can be sent across networks. This section provides background information about ARP:
•
ARP Broadcast and Response Process
Before a device sends a datagram to another device, it looks in its own ARP information to see if there is a MAC address and corresponding IP address for the destination device. If there is no entry, the source device sends a broadcast message to every device on the network. Each device compares the IP address to its own. Only the device with the matching IP address replies to the sending device with a packet containing the MAC address for the device. The source device adds the destination device MAC address to its ARP table for future reference, creates a data-link header and trailer that encapsulates the packet, and proceeds to transfer the data.
When the destination device lies on a remote network, one beyond another router, the process is the same except that the sending device sends an ARP request for the MAC address of the default gateway. After the address is resolved and the default gateway receives the packet, the default gateway broadcasts the destination IP address over the networks connected to it. The router on the destination device network uses ARP to obtain the MAC address of the destination device and delivers the packet.
ARP Caching
Because the mapping of IP addresses to MAC addresses occurs at each hop (router) on the network for every datagram sent over an internetwork, performance of the network could be compromised. To minimize broadcasts and limit wasteful use of network resources, ARP caching was implemented.
ARP caching is the method of storing network addresses and the associated data-link addresses in memory for a period of time as the addresses are learned. This minimizes the use of valuable network resources to broadcast for the same address each time a datagram is sent. The cache entries must be maintained because the information could become outdated, so it is critical that the cache entries are set to expire periodically. Every device on a network updates its tables as addresses are broadcast.
ARP Table
The ARP table provides a database in which a Cisco router caches learned and configured route-mapping information. Each entry in the ARP table is associated with either a local IP address (which represents a device owned by the router) or a remote host IP address (which represents an external device). The contents of the entry define the following ARP-intrinsic information:
•
•
When the router forwards a packet using an IP switching technology such as CEF, the ARP table entries supply MAC rewrite information.
ARP Table Entry Modes
Each entry in the ARP table is designated with a mode type. The ARP Rewrite feature supports the basic ARP table entry modes and also introduces new, application-specific modes.
Basic ARP Table Entry Modes
The ARP subsystem uses the following basic ARP table entry modes to organize the ARP entries for ARP-internal processing:
•
•
•
•
•
To maintain the validity of dynamically learned routes, the ARP subsystem refreshes dynamic ARP entries periodically (as configured or every four hours by default) so that the ARP table reflects any changed, aged-out, or removed dynamic routes.
To maintain the validity of statically configured routes, the ARP subsystem updates static ARP entries and alias ARP entries once per minute so that the ARP table reflects any changed or removed statically configured routes.
Application-specific ARP Table Entry Modes
The ARP subsystem uses the application-specific ARP table entry modes to support applications that need to add ARP table entries for their solutions. ARP applications can register with the ARP subsystem to obtain an application type handle. With this handle, the applications can insert ARP entries with the appropriate application-specific entry mode:
•
•
•
Application-specific entries do not expire, but instead are maintained by the application.
ARP Table Entry Subblocks
The ARP Rewrite feature introduces the ARP entry subblock structure as a means to attach non-ARP intrinsic data to selected ARP entries. When an ARP entry inserted into the ARP table requires special, ARP-internal handling, the information needed by the process that performs the special handling is defined in a subblock that is attached to the ARP entry.
The ARP subsystem attaches subblocks to the following types of ARP entries, as needed:
•
•
•
ARP Table Entry Synchronization with CEF Adjacency
If CEF is enabled on the router, the router maintains forwarding information (outbound interface and MAC header rewrite) for adjacent nodes. A node is said to be adjacent to another node if the node can be reached with a single hop across a link layer (Layer 2). CEF stores the forwarding information in an adjacency database so that Layer 2 addressing information can be inserted into link-layer headers attached to the ARP packets.
The ARP table information is one of the sources for CEF adjacency. Whenever the ARP subsystem attaches an ARP table entry to an outbound interface with a valid hardware address, the subsystem issues an internal "ARP adjacency" notification. The notification causes an ARP background process to synchronize that ARP entry with CEF adjacency via the adjacency database.
Attachment to an outbound interface occurs only for entries in the following modes:
•
•
•
•
•
The ARP subsystem processes each floating static ARP entry to find the attached interface by using the IP address in the entry to locate the connected or proxy-ARP interface. The addition of this interface information completes the ARP entry so that it can be synchronized with CEF adjacency.
ARP Table Size Monitoring Per Interface
The ARP protocol can be used as a vehicle to attack router systems. One ARP attack method, spoofing, is applied on the medium to forge the identity of the host. The Cisco IOS routers have implemented a self-defense scheme to protect the router's own interface address. Other features, such as secure ARP and authorized ARP learning, are implemented in some Cisco IOS releases to limit the scope of ARP learning.
Another ARP attack method, denial-of-service (DoS), includes sending ARP packets to the router in an attempt to overwhelm the CPU processing the ARP packets and to deplete system memory by the ARP table entries created as a result of the ARP packets, resulting in a service outage on the network. A high rate of incoming ARP packets can also cause the ARP input queue to fill up quickly and exceed the maximum default or router-configured capacity, causing an out-of-service condition.
One way to detect a possible attempt to breach security through an ARP attack on the router is to monitor the size of the ARP table and trigger an alert when the number of entries reaches a configured threshold. With a simple limit on the overall ARP table size, though, it is difficult to distinguish between a valid ARP packet and a rogue packet. For a more accurate view of the incoming packets, the ARP Rewrite feature monitors the ARP table size at the interface level. Based on the number of nodes the router serves and the number of hosts on an interface, the expected maximum number of interface-specific entries can be determined. If the number of ARP table entries for an interface exceeds the predetermined threshold, that condition might indicate an attempt to breach security through an ARP attack on the router.
ARP High Availability
ARP HA is a feature of the Cisco Nonstop Forwarding (NSF) feature in the Cisco IOS software. On a Cisco networking device that contains dual RPs and has been configured for stateful switchover (SSO), ARP HA provides a method for increasing network availability for processing ARP entries.
This section summarizes the internal processes and data structures that the ARP Rewrite feature uses to implement ARP HA:
•
Co-Existence with Stateful Switchover
In Cisco networking devices that support dual RPs, ARP uses the SSO feature in the Cisco IOS software. SSO provides redundancy and synchronization for many Cisco IOS applications and features. SSO takes advantage of RP redundancy by establishing one of the RPs as the active processor while the other RP is designated as the standby processor, and then synchronizing critical state information between them.
Following an initial synchronization between the two processors, SSO dynamically maintains RP state information between the processors. A switchover from the active to the standby processor occurs when the active RP fails, is removed from the networking device, or is manually taken down for maintenance.
For more information about the SSO feature, see the "Additional References" section.
Synchronization Queue
The active RP maintains a synchronization queue, which contains two lists of ARP table entries:
•
•
Note
When switchover occurs, the ARP HA process uses the list of not-yet synchronized entries to determine which of the entries in the redundant ARP table in the new standby RP (originally the active RP) to synchronize with the main ARP table.
If the standby RP crashes, the ARP HA process bulk synchronizes the entire synchronization queue (entries from both of the lists) to the standby RP when the standby RP reboots.
Backup ARP Table
The standby RP maintains a backup ARP table, which stores backup ARP entries that the standby RP receives from the active RP. During a switchover, the ARP HA process monitors the interface up events. For interfaces that come up, the process searches the backup table on the new active RP (originally the standby RP) for the related ARP entries. The process then adds any related backup ARP entries to the main ARP table.
ARP HA State Machine
The ARP HA process is controlled by an event-driven state machine that consists of two halves: one half for the active RP and the other half for the standby RP. When a switchover occurs, the standby RP transitions to the active half of the state machine. The state machine tracks the status of active/standby synchronization and switchover.
The active half of the state machine can be in any one of the following states:
•
•
•
•
The standby half of the state machine contains the following states:
•
•
These states and recent activities of the RP can be displayed for monitoring the ARP HA activities.
How to Monitor and Maintain ARP Information
This section contains the following procedures:
•
•
•
•
•
•
•
•
Displaying a Summary of All ARP Table Entries
The summary of all ARP table entries provides a high-level view of the contents of the ARP table.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Displaying All ARP Table Entries
The following information can be displayed for any entry in the ARP table:
•
•
–
–
–
–
•
•
•
–
–
–
SUMMARY STEPS
1.
2.
3.
[detail]DETAILED STEPS
Displaying Only the ARP Table Entries for a Specific Type of ARP Application
The following information can be displayed for any ARP table entry for an application supported by ARP and running on a registered client:
•
•
•
•
–
–
–
–
SUMMARY STEPS
1.
2.
DETAILED STEPS
Displaying ARP HA Status and Statistics
ARP HA status and statistics provide a detailed view of ARP HA processing. Different HA details are displayed, depending on the current RP state:
•
•
•
Restrictions
The ARP HA status and statistics are collected only on HA-capable platforms (that is, Cisco networking devices that support dual RPs).
SUMMARY STEPS
1.
2.
DETAILED STEPS
Refreshing Dynamically Learned ARP Table Entries
Refresh dynamically learned ARP table entries to ensure the validity of the IP address and MAC address mapping information and to immediately age out any stale entries (dynamic ARP entries that have expired but have not yet been aged out by the default, timer-based process).
The scope of the refresh operation can be limited to the entries that match any one of the following selection criteria:
•
•
•
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Resetting ARP HA Statistics
Reset the ARP HA statistics when debugging the ARP HA subsystem.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Enabling Debug Trace for ARP Transactions
Enable debug trace for ARP transactions to monitor the ARP subsystem.
Debug trace can be enabled for all IP ARP packet traffic, or it can be enabled for an individual type of ARP event, such as:
•
–
–
–
–
•
–
–
•
•
–
–
Debug Filtering Support
The amount of ARP debug information displayed is filtered according to the interface and access list specified by the debug list command.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Enabling ARP Trap on the Number of Learned Entries on an Interface
Enable interface-specific ARP syslog output if network administrators are to be alerted when the number of ARP entries for an interface reaches a configured threshold.
ARP Table Size as an Indicator of a Possible ARP Attack
If the number of ARP table entries for an interface reaches a high level (based on the number of nodes the router serves and the number of hosts on that interface), the cause might be an ARP DoS attack on the router through that interface. This condition is described in the "ARP Table Size Monitoring Per Interface" section.
Prerequisites
Determine the expected maximum number of entries for an interface. Such an estimate is typically based on the following information:
•
•
Depending on your network configuration, other factors, such as whether proxy ARP is enabled, can affect the number of ARP table entries for a given interface.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Additional References
The following sections provide references related to the ARP Rewrite feature.
Related Documents
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
—
MIBs
RFCs
Technical Assistance
Command Reference
This section documents new and modified commands only.
New Commands
Modified Commands
arp log threshold entries
To enable an Address Resolution Protocol (ARP) trap so that the ARP log is triggered when a specific number of dynamically learned entries is reached on the router interface, use the arp log threshold entries command in interface configuration mode. To disable the ARP trap for the interface, use the no form of this command.
arp log threshold entries entry-count
no arp log threshold entries
Syntax Description
entry-count
Triggers the ARP log service when the number of dynamically learned entries on the interface reaches this threshold. The range is from 1 to 2147483647.
Command Default
ARP trap is disabled for the interface.
Command Modes
Interface configuration
Command History
Usage Guidelines
This command enables an ARP trap for the router interface. When the number of dynamically learned entries on the interface exceeds the preconfigured amount, an ARP event message is written to system message logging (syslog) output.
A high number of learned entries on the interface might indicate anomalies such as an attempt to breach security through an ARP attack on the router. The threshold at which to configure the ARP log service trigger should be determined heuristically, based on the expected number of nodes the router will serve and the number of hosts on the interface.
To display information about the setting configured by the arp log threshold entries command, use the show running-config command. If an ARP trap is enabled for a given interface, the information for that interface command includes the arp log threshold entries command, followed by the threshold value.
To display the syslog history statistics and buffer contents, use the show logging command.
Examples
The following example shows how to enable an ARP trap so that the ARP log is triggered when 50 dynamically learned entries is reached on the Ethernet interface at slot 2, port 1:
Router(config)# interface ethernet2/1Router(config-if)# arp log threshold entries 50The following sample output from the show logging command shows that the ARP trap entry was triggered when 50 dynamic ARP entries was reached on the Ethernet interface at slot 2, port 1:
Router# show loggingSyslog logging: enabled (0 messages dropped, 39 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)Console logging: disabledMonitor logging: level debugging, 0 messages logged, xml disabled,filtering disabledBuffer logging: level debugging, 309 messages logged, xml disabled,filtering disabledException Logging: size (8192 bytes)Count and timestamp logging messages: disabledPersistent logging: disabledNo active filter modules.Trap logging: level informational, 312 message lines loggedLog Buffer (65536 bytes):Jan 27 18:27:32.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 10:27:31 PST Fri Jan 27 2006 to 10:27:32 PST Fri Jan 27 2006, configured from console by console.Jan 27 18:27:32.431: %SYS-5-CONFIG_I: Configured from console by consoleJan 27 18:27:34.051: %ARP-4-TRAPENTRY: 50 dynamic ARP entries on Ethernet2/1 installed in the ARP tableRelated Commands
clear arp-cache
To refresh dynamically created entries from the Address Resolution Protocol (ARP) cache, use the clear arp-cache command in privileged EXEC mode.
clear arp-cache [interface type number | [vrf vrf-name] ip-address]
Syntax Description
Command Default
No default behavior or values.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
This command updates the dynamically learned IP address and MAC address mapping information in the ARP table to ensure the validity of those entries. If the refresh operation encounters any stale entries (dynamic ARP entries that have expired but have not yet been aged out by an internal, timer-driven process), those entries are aged out of the ARP table immediately as opposed to at the next refresh interval.
Note
The clear arp-cache command can be entered multiple times to refresh dynamically created entries from the ARP cache using different selection criteria.
•
•
Tip
•
•
To display ARP table entries, use the show arp command.
This command does not affect permanent entries in the ARP cache, and it does not affect the ARP HA statistics.
•
•
•
Examples
The following example shows how to refresh all dynamically learned ARP cache entries for all enabled interfaces:
Router# clear arp-cacheThe following example shows how to refresh dynamically learned ARP cache entries for the Ethernet interface at slot 1, port 2:
Router# clear arp-cache interface ethernet1/2The following example shows how to refresh dynamically learned ARP cache entries for the host at 192.0.2.140:
Router# clear arp-cache 192.0.2.140The following example shows how to refresh dynamically learned ARP cache entries from the VRF named vpn3 and for the host at 192.0.2.151:
Router# clear arp-cache vrf vpn3 192.0.2.151Related Commands
clear arp-cache counters ha
To reset the Address Resolution Protocol (ARP) high availability (HA) statistics, use the clear arp-cache counters ha command in privileged EXEC mode.
clear arp-cache counters ha
Syntax Description
This command has no arguments or keywords.
Command Default
No default behavior or values.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the clear arp-cache counters ha command to reset all ARP high availability statistics for all enabled interfaces.
To display the ARP HA status and statistics, use the show arp ha command.
Note
Examples
The following example shows how to reset the ARP HA statistics:
Router# clear arp-cache counters haRelated Commands
clear arp-cache
Refreshes dynamically learned entries in the ARP cache.
show arp ha
Displays the ARP HA status and statistics.
debug arp
To enable debugging output for Address Resolution Protocol (ARP) transactions, use the debug arp command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug arp [arp-entry-event | arp-table-event | ha | interface-interaction]
no debug arp [arp-entry-event | arp-table-event | ha | interface-interaction]
Syntax Description
Command Default
Debugging output is disabled for ARP transactions.
Command Modes
Privileged EXEC
Command History
10.3
This command was introduced.
12.2(33)ZW
The following keywords were added: adjacency, application, dynamic, ha, interface, static, subblocking, table, and timer.
Usage Guidelines
To enable ARP packet debugging, use this command without a keyword. The debugging information shows whether the router is sending ARP packets and whether it is receiving ARP packets. Use this command when some nodes on a TCP/IP network are responding, but others are not.
The amount of debug information displayed is filtered based on an interface, an access list, or both, as specified by the debug list command.
To list the debugging options enabled on this router, use the show debugging command.
Examples
The following example shows how to enable ARP packet debugging filtered on ARP table entries for the host at 192.0.2.10:
Router(config)# access-list 10 permit host 192.0.2.10Router(config)# exitRouter# debug list 10Router# debug arpARP packet debugging is onfor access list: 10The following is sample output from the debug arp command:
IP ARP: sent req src 192.0.2.7 0000.0c01.e117, dst 192.0.2.96 0000.0000.0000IP ARP: rcvd rep src 192.0.2.96 0800.2010.b908, dst 192.0.2.7IP ARP: rcvd req src 172.16.6.10 0000.0c00.6fa2, dst 192.0.2.62IP ARP: rep filtered src 192.0.2.7 aa92.1b36.a456, dst 255.255.255.255 ffff.ffff.ffffIP ARP: rep filtered src 192.0.2.240 0000.0c00.6b31, dst 192.0.2.7 0800.2010.b908In the output, each line of output represents an ARP packet that the router sent or received. Explanations for the individual lines of output follow.
The first line indicates that the router at IP address 192.0.2.7 and MAC address 0000.0c01.e117 sent an ARP request for the MAC address of the host at 192.0.2.96. The series of zeros (0000.0000.0000) following this address indicate that the router is currently unaware of the MAC address.
IP ARP: sent req src 192.0.2.7 0000.0c01.e117, dst 192.0.2.96 0000.0000.0000The second line indicates that the router at IP address 192.0.2.7 receives a reply from the host at 192.0.2.96 indicating that its MAC address is 0800.2010.b908:
IP ARP: rcvd rep src 192.0.2.96 0800.2010.b908, dst 192.0.2.7The third line indicates that the router receives an ARP request from the host at 172.16.6.10 requesting the MAC address for the host at 192.0.2.62:
IP ARP: rcvd req src 172.16.6.10 0000.0c00.6fa2, dst 192.0.2.62The fourth line indicates that another host on the network attempted to send the router an ARP reply for its own address. The router ignores meaningless replies. Usually, meaningless replies happen if a bridge is being run in parallel with the router and is allowing ARP to be bridged. This condition indicates a network misconfiguration.
IP ARP: rep filtered src 192.0.2.7 aa92.1b36.a456, dst 255.255.255.255 ffff.ffff.ffffThe fifth line indicates that another host on the network attempted to inform the router that it is on network 192.0.2.240, but the router does not know that the network is attached to a different router interface. The remote host (probably a PC or an X terminal) is misconfigured. If the router were to install this entry, it would deny service to the real machine on the proper cable.
IP ARP: rep filtered src 192.0.2.240 0000.0c00.6b31, dst 192.0.2.7 0800.2010.b908Related Commands
show arp
To display the entries in the Address Resolution Protocol (ARP) table, use the show arp command in user EXEC or privileged EXEC mode.
show arp [[vrf vrf-name] [[arp-mode] [[ip-address [mask]] [interface-type interface-number]]]]
[detail]Syntax Description
Command Modes
User EXEC
Privileged EXECCommand History
Usage Guidelines
To display all entries in the ARP cache, use this command without any arguments or keywords.
Tip
ARP Adjacency Notification
If Cisco Express Forwarding (CEF) is enabled on the router, the router maintains forwarding information (outbound interface and MAC header rewrite) for adjacent nodes. A node is said to be adjacent to another node if the node can be reached with a single hop across a link layer (Layer 2). CEF stores the forwarding information in an adjacency database so that Layer 2 addressing information can be inserted into link-layer headers attached to the ARP packets.
•
•
The ARP table information is one of the sources for CEF adjacency. Whenever the ARP subsystem attaches an ARP table entry to an outbound interface with a valid hardware address, the subsystem issues an internal "ARP adjacency" notification. The notification causes an ARP background process to synchronize that ARP entry with CEF adjacency via the adjacency database. If the synchronization succeeds, IP ARP adjacency is said to be "installed"; if the synchronization fails, IP ARP adjacency is said to have been "withdrawn."
Note
To display detailed information about any ARP adjacency notification that may have occurred, use the show arp command with the detail keyword. You can use this information to supplement the information available through ARP/CEF adjacency debug trace. To enable debug trace for ARP/CEF adjacency interactions, use the debug arp command with the adjacency keyword.
ARP Cache Administration
To refresh all entries for the specified interface (or all interfaces) or to refresh all entries of the specified address (or all addresses) in the specified VRF table (or in the global VRF table), use the clear arp-cache command.
To enable debugging output for ARP transactions, use the debug arp command.
Examples
The following is sample output from the show arp command with no optional keywords or arguments specified:
Router# show arpProtocol Address Age (min) Hardware Addr Type InterfaceInternet 192.0.2.112 120 0000.a710.4baf ARPA Ethernet3AppleTalk 4028.5 29 0000.0c01.0e56 SNAP Ethernet2Internet 192.0.2.114 105 0000.a710.859b ARPA Ethernet3AppleTalk 4028.9 - 0000.0c02.a03c SNAP Ethernet2Internet 192.0.2.121 42 0000.a710.68cd ARPA Ethernet3Internet 192.0.2.9 - 0000.3080.6fd4 SNAP TokenRing0AppleTalk 4036.9 - 0000.3080.6fd4 SNAP TokenRing0Internet 192.0.2.9 - 0000.0c01.7bbd SNAP Fddi0Table 1 describes the fields shown in the display.
When this command is used to display dynamic ARP entries, the display information includes the time of the last update and the amount of time before the next scheduled refresh is to occur. The following is sample output from the show arp command for the dynamic ARP entry at network address 192.0.2.1:
Router# show arp 192.0.2.1 detailARP entry for 192.0.2.1, link type IP.Alias, last updated 13323 minutes ago.Encap type is ARPA, hardware address is 1234.1234.1234, 6 bytes long.ARP subblocks:* Static ARP SubblockFloating entry.Entry is complete, attached to GigabitEthernet1/1.* IP ARP AdjacencyAdjacency (for 192.0.2.1 on GigabitEthernet1/1) was installed.When this command is used to display floating static ARP entries, the display information includes the associated interface, if any.The following is sample output from the show arp command for the floating static ARP entry at network address 192.0.2.2 whose intended interface is down:
Router# show arp 192.0.2.2 detailARP entry for 192.0.2.2, link type IP.Alias, last updated 13327 minutes ago.Encap type is ARPA, hardware address is 1234.1234.1234, 6 bytes long.ARP subblocks:* Static ARP SubblockFloating entry.Entry is incomplete.* IP ARP AdjacencyAdjacency (for 192.0.2.2 on GigabitEthernet1/1) was withdrawn.The following is sample detailed output from the show arp command for the Application Alias ARP entry at network address 192.0.2.3:
Router# show arp 192.0.2.3 detailARP entry for 192.0.2.3, link type IP.Application Alias, via Ethernet2/2, last updated 0 minute ago.Created by "HSRP".Encap type is ARPA, hardware address is 0000.0c07.ac02, 6 bytes long.ARP subblocks:* Application Alias ARP Subblock* HSRPARP Application entry for application HSRP.The following is sample detailed output from the show arp command for all dynamic ARP entries:
Router# show arp dynamic detailARP entry for 192.0.2.4, link type IP.Dynamic, via Ethernet2/1, last updated 0 minute ago.Encap type is ARPA, hardware address is 0000.0000.0014, 6 bytes long.ARP subblocks:* Dynamic ARP SubblockEntry will be refreshed in 0 minute and 1 second.It has 1 chance to be refreshed before it is purged.Entry is complete.* IP ARP AdjacencyAdjacency (for 192.0.2.4 on Ethernet2/1) was installed.Related Commands
show arp application
To display Address Resolution Protocol (ARP) table entries for a specific ARP application or for all applications supported by ARP and running on registered clients, use the show arp application command in user EXEC or privileged EXEC mode.
show arp application [application-id] [detail]
Syntax Description
Command Modes
User EXEC
Privileged EXECCommand History
Usage Guidelines
To display ARP table information about all supported ARP applications running on registered clients, use this command without any arguments or keywords.
Examples
The following is sample output from the show arp application command:
Router# show arp applicationNumber of clients registered: 7Application ID Num of SubblocksARP Backup 200 1IP SIP 201 0LEC 202 0DHCPD 203 0IP Mobility 204 0HSRP 209 1IP ARP Adjacency 212 2The following is sample detailed output from the show arp application detail command:
Router# show arp application detailNumber of clients registered: 7Application ID Num of SubblocksARP Backup 200 1ARP entry for 192.0.2.10, link type IP.Application Alias, via Ethernet2/2.Subblock data:Backup for Interface on Ethernet2/2Application ID Num of SubblocksIP SIP 201 0Application ID Num of SubblocksLEC 202 0Application ID Num of SubblocksDHCPD 203 0Application ID Num of SubblocksIP Mobility 204 0Application ID Num of SubblocksHSRP 209 1ARP entry for 192.0.2.10, link type IP.Application Alias, via Ethernet2/2.Subblock data:ARP Application entry for application HSRP.Application ID Num of SubblocksIP ARP Adjacency 212 2ARP entry for 192.0.2.4, link type IP.Dynamic, via Ethernet2/1.Subblock data:Adjacency (for 192.0.2.4 on Ethernet2/1) was installed.ARP entry for 192.0.2.2, link type IP.Dynamic, via Ethernet2/1.Subblock data:Adjacency (for 192.0.2.2 on Ethernet2/1) was installed.Table 2 describes the significant fields shown in the display.
Table 2 show arp application Field Descriptions
Application
ARP application name
ID
ARP application ID number
Num of Subblocks
Number of subblocks attached
Related Commands
show arp ha
To display the status and statistics of Address Resolution Protocol (ARP) high availability (HA), use the show arp ha command in user EXEC or privileged EXEC mode.
show arp ha
Syntax Description
This command has no arguments or keywords.
Command Modes
User EXEC
Privileged EXECCommand History
Usage Guidelines
Use this command to display the ARP HA status and statistics.
HA-Capable Platforms
This command is available only on HA-capable platforms (that is, Cisco networking devices that support dual Route Processors [RPs]).
ARP HA Statistics
The ARP HA process collects one set of statistics for the active RP (described in Table 3) and a different set of statistics for the standby RP (described in Table 4). These statistics can be used to track the RP state transitions when debugging ARP HA issues.
The output from this command depends on the current and most recent states of the RP:
•
•
•
Examples
The following is sample output from the show arp ha command on the active RP that has been the active RP since the last time the router was rebooted. ARP HA statistics are displayed for the active state only.
Router# show arp haARP HA in active state (ARP_HA_ST_A_UP_SYNC).2 ARP entries in the synchronization queue.No ARP entry waiting to be synchronized.806 synchronization packets sent.No error in allocating synchronization packets.No error in sending synchronization packets.No error in encoding interface names.The following is sample output from the show arp ha command on the active RP that had been a standby RP and became the active RP after the most recent stateful switchover (SSO) occurred. ARP HA statistics are displayed for the active state and also for the previous standby state.
Router# show arp haARP HA in active state (ARP_HA_ST_A_UP).1 ARP entry in the synchronization queue.1 ARP entry waiting to be synchronized.No synchronization packet sent.No error in allocating synchronization packets.No error in sending synchronization packets.No error in encoding interface names.Statistics collected when ARP HA in standby state:No ARP entry in the backup table.808 synchronization packets processed.No synchronization packet dropped in invalid state.No error in decoding interface names.2 ARP entries restored before timer.No ARP entry restored on timer.No ARP entry purged since interface is down.No ARP entry purged on timer.The following is sample output from the show arp ha command on the standby RP. ARP HA statistics are displayed for the standby state only.
Router# show arp haARP HA in standby state (ARP_HA_ST_S_UP).2 ARP entries in the backup table.806 synchronization packets processed.No synchronization packet dropped in invalid state.No error in decoding interface names.Table 3 describes the significant fields shown in the display collected for an active RP.
Table 4 describes the significant fields shown in the display collected for a standby RP or for an active RP that was previously in the active state.
Related Commands
show arp summary
To display the total number of Address Resolution Protocol (ARP) table entries, the number of ARP table entries for each ARP entry mode, and the number of ARP table entries for each interface on the router, use the show arp summary command in user EXEC or privileged EXEC mode.
show arp summary
Syntax Description
This command has no arguments or keywords.
Command Modes
User EXEC
Privileged EXECCommand History
Usage Guidelines
Use this command to display high-level statistics about the ARP table entries:
•
•
•
Examples
The following is sample output from the show arp summary command:
Router# show arp summaryTotal number of entries in the ARP table: 63928.Total number of Dynamic ARP entries: 63925.Total number of Incomplete ARP entries: 0.Total number of Interface ARP entries: 2.Total number of Static ARP entries: 1.Total number of Alias ARP entries: 0.Total number of Simple Application ARP entries: 0.Total number of Application Alias ARP entries: 0.Total number of Application Timer ARP entries: 0.Interface Entry CountGigabitEthernet5/2 1GigabitEthernet5/1 63926EOBC0/0 1Related Commands
Feature Information for ARP Rewrite
Table 5 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Glossary
ACL—access control list. A list kept by routers to control access to or from the router for a number of services (for example, to prevent packets with a certain IP address from leaving a particular interface on the router).
adjacency—A relationship formed between selected neighboring routers and end nodes for the purpose of exchanging routing information. Adjacency is based upon the use of a common media segment by the routers and nodes involved.
ARP—Address Resolution Protocol. Internet protocol used to map an IP address to a MAC address. Used to obtain the physical address when only the logical address is known. Defined in RFC 826.
ARPA—Advanced Research Projects Agency. Research and development organization that is part of the Department of Defense (DoD). ARPA is responsible for numerous technological advances in communications and networking. ARPA evolved into DARPA, and then back into ARPA again (in 1994).
CEF—Cisco Express Forwarding. A Layer 3 switching technology. CEF can also refer to central CEF mode, one of two modes of CEF operation. CEF enables a Route Processor to perform express forwarding. Distributed CEF (dCEF) is the other mode of CEF operation.
dCEF—distributed Cisco Express Forwarding. A mode of CEF switching in which line cards (such as Versatile Interface Processor [VIP] line cards) maintain identical copies of the forwarding information base (FIB) and adjacency tables. The line cards perform the express forwarding between port adapters; this relieves the Route Switch Processor of involvement in the switching operation.
DHCP—Dynamic Host Configuration Protocol. Provides a mechanism for allocating IP addresses dynamically so that addresses can be reused when hosts no longer need them.
EtherTalk—Apple Computer's data-link product that allows an AppleTalk network to be connected by Ethernet cable.
FIB—Forwarding Information Base. Next-hop address information that is based on the information in the IP routing table and is used by CEF to make IP destination prefix-based switching decisions.
hop—Passage of a data packet between two network nodes (for example, between two routers).
HSRP—Hot Standby Routing Protocol. Provides high network availability and transparent network topology changes. HSRP creates a Hot Standby router group with a lead router that services all packets sent to the Hot Standby address. The lead router is monitored by other routers in the group, and if it fails, one of these standby routers inherits the lead position and the Hot Standby group address.
IP—Internet Protocol. Network layer for the TCP/IP protocol suite. Internet Protocol version 4 is a connectionless, best-effort packet switching protocol. Defined in RFC 791.
IP datagram—Fundamental unit of information passed across the Internet. An IP datagram contains source and destination addresses along with data and a number of fields that define such things as the length of the datagram, the header checksum, and flags to indicate whether the datagram can be (or was) fragmented.
LLC—Logical Link Control. The higher of the two data link layer sublayers defined by the IEEE. The LLC sublayer handles error control, flow control, framing, and MAC-sublayer addressing. The most prevalent LLC protocol is IEEE 802.2, which includes both connectionless and connection-oriented variants. See also MAC.
MAC—Media Access Control. Lower of the two sublayers of the data link layer defined by the IEEE. The MAC sublayer handles access to shared media, such as whether token passing or contention will be used. See also LLC.
MAC address—Media Access Control address. Standardized data link layer address that is required for every port or device that connects to a LAN. Also known as a hardware address, MAC-layer address, and physical address.
MIM—Man-in-the-Middle. A type of ARP attack performed by impersonating another device (for example, the default gateway) in the ARP packets sent to the attacked device so that the end station or router learns counterfeited device identities. This deception allows a malicious user to pose as intermediary who can launch an ARP-spoofing attack.
proxy ARP—proxy Address Resolution Protocol. Variation of the ARP protocol in which an intermediate device (for example, a router) sends an ARP response on behalf of an end node to the requesting host. Proxy ARP can lessen bandwidth use on slow-speed WAN links. See also ARP.
QoS—quality of service. Measure of performance for a transmission system that reflects its transmission quality and service availability.
RP—Route Processor. Processor module in the Cisco 7000 series routers that contains the CPU, system software, and most of the memory components that are used in the router. Sometimes called a supervisory processor.
SMDS—Switched Multimegabit Data Service. High-speed, packet-switched, datagram-based WAN networking technology offered by the telephone companies.
SNAP—Subnetwork Access Protocol. Internet protocol that operates between a network entity in the subnetwork and a network entity in the end system. SNAP specifies a standard method of encapsulating IP datagrams and ARP messages on IEEE networks. The SNAP entity in the end system makes use of the services of the subnetwork and performs three key functions: data transfer, connection management, and QoS selection.
SSO—stateful switchover. A method of providing redundancy and synchronization for many Cisco IOS applications and features. SSO is necessary for the Cisco IOS firewall to learn about the redundancy state of the network and to synchronize their internal application state with their redundant peers. SSO allows the active and standby routers to share firewall session state information so that each router has enough information to become the active router at any time.
Stateful failover—Stateful failover for the Cisco IOS firewall enables a router to continue processing and forwarding firewall session packets after a planned or unplanned outage occurs. You employ a backup (secondary) router that automatically takes over the tasks of the active (primary) router if the active router loses connectivity for any reason. This process is transparent and does not require adjustment or reconfiguration of any remote peer.
Stateful failover for the Cisco IOS firewall is designed to work in conjunction with stateful switchover (SSO) and Hot Standby Routing Protocol (HSRP). To configure stateful failover for the Cisco IOS firewall, a network administrator should enable HSRP, assign a virtual IP address, and enable the SSO protocol.
VPN—Virtual Private Network. Framework that consists of multiple peers transmitting private data securely to one another over an otherwise public infrastructure. A VPN protects inbound and outbound network traffic by using protocols that tunnel and encrypt all data at the IP level. This framework permits networks to extend beyond their local topology, while remote users are provided with the appearance and functionality of a direct network connection. Enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. A VPN uses "tunneling" to encrypt all information at the IP level.
VRF—VPN routing and forwarding instance. A VRF consists of an IP routing table, a derived forwarding table, a set of interfaces that use the forwarding table, and a set of rules and routing protocols that determine what goes into the forwarding table. In general, a VRF includes the routing information that defines a customer VPN site that is attached to a PE router. Each VPN instantiated on the PE router has its own VRF.
Note
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2006 Cisco Systems, Inc. All rights reserved.
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)