servers, routers, and switches—maintain an ARP cache to store ARP replies. The purpose of the ARP cache is to avoid having to send an ARP request every time the node needs to resolve an IP address to a MAC address.
When a node needs to resolve the MAC address of an IP address not in its ARP cache, it sends an ARP request to the broadcast address (FFFF.FFFF.FFFF). Upon receiving a reply, it stores the mapping in its ARP cache. The following example illustrates the process using two switches:
SW3 has a switched virtual interface (SVI) in VLAN 20 with an IP address of 10.10.20.3.
SW4 has an SVI also in VLAN 20 with an IP address of 10.10.20.4.
SW3:
! Show the ARP cache on SW3 SW3#show arp dynamic Protocol Address Age (min) Hardware Addr Type Interface Internet 10.10.10.4 0 0c3c.8ad7.800a ARPA Vlan10 ! Trigger an ARP request for 10.10.20.4 by sending a ping to it SW3#ping 10.10.20.4 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.10.20.4, timeout is 2 seconds: .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 10/10/10 ms ! The ping succeeded, implying an ARP reply was received. Show the ARP cache again. SW3#show arp dynamic Protocol Address Age (min) Hardware Addr Type Interface Internet 10.10.10.4 0 0c3c.8ad7.800a ARPA Vlan10 Internet 10.10.20.4 0 0c3c.8ad7.8014 ARPA Vlan20
SW4:
! ARP Snooping debugging has been enabled on SW4. Note the destination broadcast ! address. SW4# ARP Packet (Gi1/0/20) Src: 0c3c.8aab.8014, Dst: ffff.ffff.ffff, SM: 0c3c.8aab.8014, SI: 10.10.20.3, TM: ffff.ffff.ffff, TI: 10.10.20.3 Packet bridged by platform. ARP Packet (Gi1/1/20) Src: 0c3c.8aab.8014, Dst: ffff.ffff.ffff, SM: 0c3c.8aab.8014, SI: 10.10.20.3, TM: ffff.ffff.ffff, TI: 10.10.20.3 Packet bridged by platform. ! Although not shown in the output, SW4's ARP reply is addressed to SW3's ! SVI MAC address.
The default timeout for an ARP entry is 4 hours. You can modify this on a per-interface basis, as shown on SW3:
SW3#show interfaces vlan 20 | i ARP Encapsulation ARPA, loopback not set ARP type: ARPA, ARP Timeout 04:00:00 SW3#configure terminal Enter configuration commands, one per line. End with CNTL/Z. SW3(config)#interface vlan 20 SW3(config-if)#arp timeout ? <0-2147483> Seconds
You'll hear disagreement as to whether ARP is a layer 2 or layer 3 protocol, some even going so far as to call it a layer 2.5 protocol! ARP packets fit the definition of what the OSI model calls protocol control information. In addition to just providing a mapping between MAC and IP addresses, the fact that a node sends ARP packets indicates its willingness to use IP. In that respect, ARP is decidedly a layer 2 protocol.
Fragmentation
If an IP packet exceeds the MTU of any interfaces it has to traverse (the path MTU), then any intermediate router may fragment the packet into multiple datagrams. Each datagram must be no greater than the path MTU. The sender can optionally set the don't fragment (DF) bit in the IP header to prevent intermediate routers from fragmenting the packet.
IPv6 differs from IPv4 when it comes to fragmentation. IPv4 packets can be fragmented by any router along the path unless the DF bit is set. IPv6 can be fragmented only by the sender. If an IPv6 packet will exceed an intermediate router's interface MTU, the router will respond to the sender with an ICMPv6 “packet too big” message and discard the packet.
Routing vs. Forwarding
What's the difference between routing and forwarding? Not much, really. Forwarding is about sending the data one step closer to its destination. Routing is about figuring out what that next step is.
The routing versus forwarding distinction has nothing to do with layers. Recall that switches perform a crude version of routing by snooping the data plane to find out which port a MAC address is connected to. They compile this into a MAC address table, which they use to make forwarding decisions.
When it comes to IP, route calculation and route advertisements are performed by interior gateway routing protocols such as Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF). Although we don't normally think of them in this way, routing protocols are actually applications that run on routers. They just populate the IP routing table that feeds into the FIB, but CEF does the forwarding.
Layer 4: The Transport Layer
So far, we've seen how protocols at the first three layers enable communication between two host interfaces. The primary purpose of the Transport layer is to facilitate application-to-application (end-to-end) data transfer. Whereas Network layer protocols (e.g., IPv4, IPv6) provide a way to move data from one host's interface to another host's interface, the Transport layer protocols—TCP and UDP—provide a means for applications to distinguish different communication streams. They both do this using 16-bit port numbers, as shown in Table 1.3.
Table 1.3 Common applications and their TCP and UDP port numbers
| Application protocol | Transport protocol | Source IP | Source port | Destination IP | Destination port |
| HTTP | TCP | 192.168.88.10 | 5230 | 18.213.128.4 | 80 |
| HTTP | TCP | 192.168.88.10 | 5231 | 18.213.128.4 | 81 |
| DNS | UDP | 192.168.88.10 | 56801 | 192.168.88.1 | 53 |
For example, when a web browser retrieves a web page it may open multiple TCP connections to the same web server. Each TCP connection originates from a different ephemeral (short-lived) source port chosen by the operating system, allowing the web browser and web server to keep track of which requests go with which connection.
When a host receives an IP packet, the host's networking stack looks at the Protocol field to determine to which upper-layer protocol to send the data. If the Protocol field in the IP header is 6, the data contains a TCP segment. If it's 17, then it contains a UDP datagram. Consequently, a single host can use the same UDP and TCP port numbers simultaneously.
Transmission Control Protocol
RFC
