
Tuesday, March 17, 2015

ARP Interview Questions


1. What is the destination MAC address of an ARP request frame?
Broadcast

2. Is ARP used on a PPP link?
No

3. Does ARP contain an IP header?
ARP is a layer 2 protocol. It does not use an IP header.

4. What does a switch do when it receives an ARP request frame on one of its ports?
It adds the source port to its MAC address table and broadcasts the frame out to all ports.

5. Would an ARP request frame generated on a port which is a member of VLAN 2 be received on a port which is a member of VLAN 3?
ARP is a layer 2 broadcast. VLANs are used for segregating broadcast domains. So it would not be received.

6. Can an ARP packet cross IP networks?
ARP is a layer 2 broadcast. It cannot traverse across IP networks.

7. If an ARP entry is available in the local cache of a computer, would an ARP request be triggered?
No. The computer would first check its ARP entry before sending out an ARP request frame.

8. Explain how an ARP packet is triggered on a computer.
Assume that a user on a computer pings another computer on the same network. For the ping packet to be sent to the other computer, it has to be encapsulated in an Ethernet frame. To construct the frame, the MAC address of the destination is needed. The computer checks its ARP cache to see whether the corresponding ARP entry for the destination computer is available. If not, an ARP request is sent out.

9. Does a hub support ARP?
If the hub works on media such as Token Ring, Ethernet, etc., then ARP would be supported.

10. Three switches, SW1, SW2 and SW3, are interconnected and STP is deployed on the switches. PC1 is on SW1, PC2 is on SW2 and PC3 is connected to SW3. All the PCs are on the same network address of 192.168.1.0/24. PC1 triggers ARP to find the MAC address of PC3. Will the ARP packet reach PC3?
All the PCs are on the same network address. The PCs are on 3 switches, which makes it one large Layer 2 broadcast domain. So an ARP request, which is a layer 2 broadcast, will be received on all the ports on all the switches and correspondingly by the PCs.

How many addresses are defined in ARP?
ARP defines both hardware (MAC) and protocol (IP) addresses in its operations, and ARP packets use these addresses to map IP addresses to corresponding MAC addresses within a local network.

Is an ARP message routable?
No, the messages do not contain an IP header.

Describe the Ethernet addressing used in the standard ARP request. Are the source and destination addresses unicast, broadcast, or multicast?
The ARP request uses a unicast address for the source and a broadcast address for the destination.

Describe the Ethernet addressing used in the standard ARP reply. Are the source and destination addresses unicast, broadcast, or multicast?
The ARP reply uses a unicast address for the source and a unicast address for the destination.

What is a gratuitous ARP?
This term refers to a node sending out an ARP request for its own IP address in order to determine if another node is using the same address.

What information is stored in an ARP table?
The ARP table contains a mapping between host MAC and IP addresses. It also shows whether each entry is static or dynamic.

Can we send standard ARP messages directly to computers that are not on our own network?
No, ARP is not routable.

Is ARP included in IPv6?
No. 

Is ARP a secure protocol?
No. False ARP messages can be created to fool ARP tables. Hosts then make incorrect forwarding decisions. ARP transmissions are also sent in the clear. 

What is the Ethertype hexadecimal value for an ARP message? 
0806 
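
The frame layout behind the answers above, as an added example that is not part of the original post: it builds and parses an Ethernet ARP request and reply, showing the broadcast and unicast destinations, the 0x0806 Ethertype, and the ARP payload starting directly after the 14-byte Ethernet header with no IP header. The host 192.168.1.20 and the function names are assumptions; the frames are constructed in memory and never sent.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_arp(op, sha, spa, tha, tpa, eth_dst):
    """Build Ethernet header + ARP payload (constructed sample, never sent)."""
    eth = eth_dst + sha + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then the opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += sha + socket.inet_aton(spa) + tha + socket.inet_aton(tpa)
    return eth + arp

def parse_arp(frame):
    """Parse an Ethernet frame carrying IPv4 ARP; return None for anything else."""
    if len(frame) < 14 + 28:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    # The four addresses ARP carries: sender/target hardware and protocol.
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {
        "eth_dst": mac_str(dst), "eth_src": mac_str(src),
        "dst_is_broadcast": dst == BROADCAST,
        "op": {1: "request", 2: "reply"}.get(op, f"op{op}"),
        "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
        "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa),
    }

# Constructed sample: .20 asks who has .10, then .10 answers by unicast.
HOST_A = bytes.fromhex("001122334455")
HOST_B = bytes.fromhex("001a2b3c4d5e")
REQUEST = build_arp(1, HOST_A, "192.168.1.20", b"\x00" * 6, "192.168.1.10", BROADCAST)
REPLY = build_arp(2, HOST_B, "192.168.1.10", HOST_A, "192.168.1.20", HOST_A)

if __name__ == "__main__":
    for frame in (REQUEST, REPLY):
        print(parse_arp(frame))
```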

1. What is ARP?

  • Address Resolution Protocol maps an IP address (logical) to a MAC address (physical) in a local network.

  • Example: 192.168.1.10 → 00:1A:2B:3C:4D:5E.


2. On which layer does ARP work?

  • ARP operates between Layer 2 (Data Link) and Layer 3 (Network) of the OSI model.


3. How does ARP work?

  1. A host needs the MAC for an IP (e.g., sending data in LAN).

  2. It broadcasts an ARP Request: “Who has IP 192.168.1.10?”

  3. The owner replies with an ARP Reply: “I am 192.168.1.10, my MAC is xx:xx:xx:xx:xx:xx.”

  4. The sender caches the result in its ARP table.


4. What are ARP request and ARP reply?

  • ARP Request → Broadcast asking for the MAC of an IP.

  • ARP Reply → Unicast response with the MAC address.


5. What is an ARP table?

  • A cache maintained by devices that stores IP ↔ MAC mappings.

  • Example:

    IP Address      MAC Address
    192.168.1.1     00:11:22:33:44:55
    

6. What are the types of ARP?

  • Normal ARP – Standard request/reply.

  • Gratuitous ARP – A host announces its own IP ↔ MAC (used for updating tables, duplicate IP detection, failover).

  • Proxy ARP – A router replies on behalf of another host (used in some special network setups).

  • Reverse ARP (RARP) – Used by a device to discover its IP when it only knows its MAC (mostly obsolete).


7. What is Gratuitous ARP? Why is it used?

  • An ARP reply sent without a request.

  • Used for:

    • Checking duplicate IPs.

    • Updating ARP tables after IP/MAC change.

    • Failover in high availability setups.


8. What is ARP spoofing/poisoning?

  • A security attack where a malicious device sends fake ARP replies to associate its MAC with another host’s IP (e.g., the gateway).

  • Allows man-in-the-middle (MITM) attacks and traffic interception.


9. How do you prevent ARP spoofing?

  • Use Dynamic ARP Inspection (DAI) on switches.

  • Use static ARP entries for critical systems.

  • Implement port security / DHCP snooping.

  • Use encrypted protocols (SSH, HTTPS) to protect data.
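
A simplified model of binding-based ARP validation, in the spirit of the DAI and static-entry measures listed above (an added example, not from the original post and not any switch vendor's implementation). The binding table, the observations and the function names are constructed for illustration; the input is already-decoded ARP fields rather than live traffic.

```python
# Trusted IP -> MAC bindings, standing in for a DHCP snooping table or static
# ARP entries (constructed values for this example).
TRUSTED = {
    "192.168.1.1": "00:11:22:33:44:55",    # gateway
    "192.168.1.10": "00:1a:2b:3c:4d:5e",
}

def inspect(observations, trusted):
    """Return one (verdict, reason) per (op, sender_ip, sender_mac, eth_src)."""
    learned = {}    # last MAC seen for IPs that have no trusted binding
    results = []
    for op, ip, mac, eth_src in observations:
        mac, eth_src = mac.lower(), eth_src.lower()
        if mac != eth_src:
            # The ARP payload claims a different sender than the frame header.
            results.append(("drop", "sender MAC differs from Ethernet source"))
        elif ip in trusted and trusted[ip] != mac:
            results.append(("drop", f"{ip} is bound to {trusted[ip]}"))
        elif ip in learned and learned[ip] != mac:
            # May be a legitimate failover or NIC change, so alert, not drop.
            results.append(("alert", f"{ip} moved from {learned[ip]} to {mac}"))
            learned[ip] = mac
        else:
            if ip not in trusted:
                learned[ip] = mac
            results.append(("permit", "consistent with known bindings"))
    return results

# Constructed observations: (opcode, ARP sender IP, ARP sender MAC, Ethernet source).
OBSERVED = [
    ("reply", "192.168.1.1", "00:11:22:33:44:55", "00:11:22:33:44:55"),
    ("reply", "192.168.1.1", "de:ad:be:ef:00:01", "de:ad:be:ef:00:01"),
    ("request", "192.168.1.30", "02:00:00:00:00:30", "02:00:00:00:00:30"),
    ("reply", "192.168.1.30", "02:00:00:00:00:31", "02:00:00:00:00:31"),
    ("reply", "192.168.1.10", "00:1a:2b:3c:4d:5e", "02:00:00:00:00:99"),
]

def verdicts(observations=OBSERVED, trusted=TRUSTED):
    return [verdict for verdict, _ in inspect(observations, trusted)]

if __name__ == "__main__":
    for obs, (verdict, reason) in zip(OBSERVED, inspect(OBSERVED, TRUSTED)):
        print(f"{verdict:6} {obs[1]:13} {obs[2]}  {reason}")
```

A change of MAC for an IP without a trusted binding is only alerted on, because a gratuitous ARP after a failover looks the same on the wire.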


10. Does ARP exist in IPv6?

  • No 

  • IPv6 uses Neighbor Discovery Protocol (NDP) instead of ARP.


Quick Recap for Interviews:

  • ARP = maps IP → MAC.

  • Works on LAN (broadcasts).

  • Types: Normal, Gratuitous, Proxy, RARP.

  • Weak point: ARP spoofing.

  • IPv6 replaces it with NDP.


1. What is ARP and what is its primary purpose?

ARP stands for Address Resolution Protocol. Its primary purpose is to resolve an IP address (Layer 3) to a physical MAC address (Layer 2) on a local network. This is essential for a device to be able to send data to another device on the same local network, as data-link layer communication requires a physical MAC address.

2. Why is ARP necessary?

ARP is necessary because different layers of the networking model use different addressing schemes. The IP address is used for routing and identifying devices on a network (Layer 3), but the data-link layer (Layer 2) uses MAC addresses to physically transport frames between devices on the same segment. A host needs to know the destination's MAC address to properly encapsulate an IP packet into an Ethernet frame.

3. Describe the ARP process. How does a device find a MAC address for a given IP address?

The ARP process involves two main steps: the ARP request and the ARP reply.

  1. ARP Request: When a device (Device A) needs to send a packet to another device (Device B) on the same network but doesn't know Device B's MAC address, it sends an ARP request. This request is a broadcast message sent to all devices on the local network. The request contains the source IP and MAC address, and the target IP address.

  2. ARP Reply: All devices on the network receive the broadcast. Device B recognizes that the target IP address in the request is its own. It then sends an ARP reply (or ARP response), which is a unicast message directly back to Device A. The reply contains Device B's MAC address.

Once Device A receives the ARP reply, it stores the IP-to-MAC mapping in its ARP cache for future use.

4. What is an ARP cache or ARP table?

The ARP cache (or ARP table) is a table that a host or a router maintains to store recent IP-to-MAC address mappings. When a device needs to send data, it first checks its ARP cache. If an entry for the destination IP exists, it uses the stored MAC address. This prevents the need for an ARP broadcast for every new packet, making communication more efficient.

The entries in the ARP cache are temporary and expire after a certain amount of time.

5. What is the difference between static and dynamic ARP entries?

  • Dynamic ARP Entries: These are created automatically when a device learns a new IP-to-MAC mapping from an ARP reply. They have a timeout period and will be removed if not used within that time. This is the most common type of ARP entry.

  • Static ARP Entries: These are manually configured by a network administrator. They are permanent and do not expire. Static entries are often used for security purposes or for critical servers to prevent spoofing attacks.

6. What is a "gratuitous ARP"?

A gratuitous ARP is an ARP reply that is not prompted by an ARP request. A device sends a gratuitous ARP to the broadcast address of the network to announce its own IP and MAC address. This is typically done for two main reasons:

  1. To update the ARP caches of other devices on the network after a device's MAC address has changed (e.g., after a failover in a high-availability setup).

  2. To detect duplicate IP addresses on the network. If another device responds to the gratuitous ARP, it means that IP address is already in use.

7. What is an ARP spoofing attack?

An ARP spoofing (or ARP poisoning) attack is a malicious technique where an attacker sends falsified ARP messages over a local network. This allows the attacker to associate their own MAC address with the IP address of another device, such as a router or another host. By doing so, all traffic intended for the legitimate device is redirected to the attacker's machine, allowing the attacker to intercept, view, or modify the data.

