Skip to content

Arp

← Back to all decks

18 cards — 🟢 3 easy | 🟡 4 medium | 🔴 3 hard

🟢 Easy (3)

1. What does ARP (Address Resolution Protocol) do in networking?

Show answer ARP (Address Resolution Protocol) maps Layer 3 IP addresses to Layer 2 MAC addresses so that Ethernet frames can be addressed to the correct next-hop device on a local network segment.

Remember: ARP = 'Address Resolution Protocol' — resolves IP (Layer 3) to MAC (Layer 2). Think 'I know your name, what's your face?'

Fun fact: ARP only works within a single broadcast domain (LAN segment). Routers do not forward ARP broadcasts.

2. What command shows the ARP table on a modern Linux system?

Show answer ip neigh show (from the iproute2 package). The legacy equivalent is arp -a.

Remember: 'ip neigh' replaced 'arp -a' — both show the ARP cache, but ip neigh is the modern iproute2 way.

Example: ip neigh show | grep REACHABLE shows only active entries. States: REACHABLE, STALE, DELAY, PROBE, FAILED.

Gotcha: 'arp' command may not be installed on minimal distros. iproute2 (ip neigh) is always available on modern Linux.

3. How does a host resolve an IP address to a MAC address using ARP?

Show answer The host broadcasts an ARP request asking "Who has ? Tell ." The target host responds with a unicast ARP reply containing its MAC address. The requester caches the mapping.

Under the hood: ARP requests use Ethernet broadcast (ff:ff:ff:ff:ff:ff). Replies are unicast directly to the requester's MAC.

Remember: 'Broadcast the question, unicast the answer.' Like shouting in a room vs. whispering back.

🟡 Medium (4)

1. What is a gratuitous ARP and when is it used?

Show answer A gratuitous ARP is an unsolicited ARP reply announcing a host's own IP-to-MAC mapping. It is used for IP failover (VRRP/keepalived), duplicate IP detection on boot, and updating neighbor caches after NIC replacement.

Remember: 'Gratuitous = unsolicited announcement.' The host says 'I am 10.0.0.1 at MAC aa:bb:cc:dd:ee:ff' without anyone asking.

Example: keepalived sends gratuitous ARPs when a VIP fails over, updating all neighbors' caches instantly.

2. What is proxy ARP and what problem does it solve?

Show answer Proxy ARP allows a router to answer ARP requests on behalf of hosts on another subnet, enabling communication between hosts that lack proper routing configuration. It is common in legacy networks and VPN setups.

Remember: 'Proxy ARP = router answers on behalf of a remote host.' The router pretends to be the destination.

Gotcha: proxy ARP can mask routing misconfigurations. It makes things 'just work' but hides the real problem.

3. What is ARP flux and how do you fix it on Linux?

Show answer ARP flux occurs on multi-homed Linux hosts where the kernel responds to ARP requests on the wrong interface. Fix with sysctl: set net.ipv4.conf.all.arp_ignore=1 (only respond if address is on the receiving interface) or net.ipv4.conf.all.arp_filter=1.

Remember: arp_ignore=1 means 'only reply if the IP is on this interface.' Default (0) replies on any interface, causing flux.

Example: a server with eth0 (10.0.0.1) and eth1 (10.0.1.1) replies to ARP for 10.0.1.1 on eth0 — that's ARP flux.

4. How do you capture and inspect ARP traffic on a Linux host?

Show answer Use tcpdump: tcpdump -i eth0 -nn arp. This shows all ARP requests and replies on the interface, including the IP and MAC addresses involved.

Example: tcpdump -i eth0 -nn arp shows output like 'ARP, Request who-has 10.0.0.1 tell 10.0.0.2, length 28'.

Gotcha: use -nn to avoid DNS lookups that slow down capture and can trigger more ARP requests.

🔴 Hard (3)

1. What happens when the Linux ARP table overflows and how do you fix it?

Show answer The kernel logs "neighbour table overflow" in dmesg and drops ARP entries, causing random connectivity failures. Fix by increasing gc_thresh values: sysctl -w net.ipv4.neigh.default.gc_thresh3=16384 (hard max). This commonly occurs in large flat networks with 1000+ hosts.

Remember: gc_thresh1 < gc_thresh2 < gc_thresh3. thresh1=soft min, thresh2=goal, thresh3=hard max. Default thresh3=1024 is too low for large networks.

Example: sysctl -w net.ipv4.neigh.default.gc_thresh3=16384 raises the hard limit. Set thresh1=4096 and thresh2=8192 proportionally.

2. What is ARP spoofing and how is it mitigated in a datacenter?

Show answer ARP spoofing is an attack where a malicious host sends fake ARP replies to redirect traffic through itself (man-in-the-middle). It is mitigated by enabling Dynamic ARP Inspection (DAI) on managed switches, which validates ARP packets against a trusted binding table.

Remember: DAI = Dynamic ARP Inspection. The switch checks ARP packets against a DHCP snooping binding table. No match = drop.

Fun fact: ARP spoofing is the basis of many MITM tools (ettercap, arpspoof, bettercap). DAI and 802.1X are the primary defenses.

3. How do you detect duplicate IP addresses on a network using arping?

Show answer Run arping -D -I eth0 . The -D flag enables duplicate address detection mode. If another host replies, there is an IP conflict. This sends a DAD probe (source IP 0.0.0.0) and reports if a response is received.

Remember: arping -D = Duplicate Address Detection. Source IP is 0.0.0.0 (DAD probe). If anyone replies, there's a conflict.

Example: arping -D -I eth0 10.0.0.50 && echo 'No conflict' || echo 'IP conflict detected!'