ARP Cache and Routing Table

These two tables are confusing because you don't normally see them.  But they are an integral part of Ethernet and TCP/IP.  Actually, with a home or small business Cable/DSL Modem and Router, you should not have to do anything with the routes.  The great thing about routing is that once you enter a default gateway (default router) into your TCP/IP settings, all other routes are learned.  There are several common routing protocols, and they all send out periodic routing information packets, so that all routers in a network can learn the paths to each other.  They do the work for you !!  But, some people have special requirements, or just want to learn.  So here we go  .  .  . 

Your PC has two tables that store addresses and routes  .  .  . an ARP cache and a Routing Table.  

The ARP cache stores local data only (all on the same LAN segment).  It stores MAC addresses along with their IP counterparts, and is cleared upon reboot.  

The Routing Table contains next-hop routing, and is cleared of dynamic routes when you reboot - persistent routes (static routes) are kept even during reboot.  When the system is booted, the routes are built dynamically, as your system requests info from other networked devices.  

• ARP cache - a lookup table that contains a list of MAC and IP addresses of directly connected devices.  An ARP cache only has info about stations on the same LAN segment or subnet.  If you need to send an IP packet to one of these stations but your PC does not have the MAC address listed in it's ARP cache - it broadcasts out an ARP request for it, and the remote station responds back with it's MAC address.  An ARP is a local broadcast only.
  *** to view the ARP cache:  Start/Run . . . cmd (or command for Win98-ME)  .  . 
                                                then enter:   arp -a  (view all entries - ARP cache's for PC's are usually only 1 entry)
  

• Routing Table - a lookup table that contains a list of IP addresses and subnet masks, with a corresponding "next hop" device.  When the PC has an IP packet to send, it looks in it's routing table.   The PC's routing table is very similar to a router's routing table.
  *** to view the Routing Table:  Start/Run . . . cmd (or command for Win98-ME)  .  . 
                                                then enter:   route print
  

How the two Tables are Built and used by your PC

99% of PC's have but one WAN port .  .  . the Ethernet port on their NIC.  But they could have multiple NIC's and multiple ports, and in that case, each port is connected to a gateway (router) and the various routing paths through each gateway are stored in the routing table.  So why would the 99% that only have one gateway, need a routing table?  Good question, since they really don't !!  But a routing table insures that the PC network communications has the flexibility to add a port, or add a route if necessary.

Initial Loading of the Tables (during Bootup) - upon bootup, the ARP cach is empty, and will be built while you ARP for MAC addresses during the packet send algorithm.  As to the routing table  . . . . most of it is immediately filled in.  Your TCP/IP settings are stored on your hard drive in the TCP/IP stack, and they are simply copied to the Routing table in memory (the subnet mask, default gateway, and Loopback addresses are copied to the routing table).  Your station is also immediately assigned an IP address upon bootup, by the DHCP server (usually the router for small networks), and that address is copied to the table. 

Aging - both tables run an aging algorithm, which eventually kills off unused entries (those that have not been used for a while).  The ARP and route tables are aged so that if a path "goes away" due to a station being removed or shut down, the table will not continue to report that the link exists.  This allows the table to self adjust over time.

Subsequent Entries during normal operation - each time your workstation needs to send a packet, it must decide which gateway to use, if any, and if it must use a new path that was not already in the tables - it updates the ARP cache or Routing table accordingly.  The process is as follows:

1. if the destination IP is on the same LAN or subnet as your PC, then the ARP cache is checked for the MAC address.  If not found there, your station will send out an ARP and get the dest MAC address that way, and the packet is framed with that MAC address and sent.  At the same time, one record (one row) is entered into the ARP cache with the IP and MAC address of that destination.

2. if the destination is not on the same LAN (it is remote), then the routing table is accessed to look for  a specific gateway for that specific IP address (a match).  

1. If a match is found then the packet is sent to the gateway listed in the routing table.  Since an entry was found, the table is not updated.

2. if no match is found, then the packet is sent out the default gateway (default router)

Local or Remote ??

For any packet that is being prepared for transmission, your Station must find out if it is destined for a local or remote network:

• Local - the destination station is on your LAN/subnet

• Remote - the destination station is beyond your LAN, and it must go through a Router or Routers to get there.  The first router in that path is called the default gateway.  Basically, if the packet does not belong on your LAN, it is dumped off to the default gateway (default router).  Your machine may have multiple default gateways, if it has multiple NIC's - but that is very rare and we will not discuss it here.

A simple test is performed by your PC's routing algorithm, to find out whether the destination is local or remote:

1. the subnet mask and your own IP address are logically AND'ed together to separate out the Network address and the Host address
2. the subnet mask and the destination IP address are logically AND'ed together to separate out the Network address and the Host address
3. the two Network addresses are compared, and if they are identical then the destination is local (on your LAN)  -  if they are different then the destination is remote (not on your LAN)

Step 3 detailed - if the result of the masking matches your network address, your computer knows that the destination is on the same network, so it looks in it's ARP cache to see if it has an actual hardware (MAC) address for that IP. If the computer gets a cache hit, it frames the packet and addesses it to the destination - and then stores that info in the ARP cache.  Local matches are always stored in the ARP cache. If it doesn't have the MAC address in cache, it broadcasts to all computers with the question "Who owns MAC address assigned the IP <IP address>." The computer that owns this IP address will reply back with it's IP and MAC address. Your computer then frames the packet and sends it on.  

If no match exists in the routing table, then the packet is sent out the default gateway (default router).  Every machine on your network with a TCP/IP stack has a configuration setting for a gateway. This is so that it can reach IP networks other than its own. When it detects that the destination is part of a remote network, it sends the packet to the gateway for forwarding. For destinations in the same subnet, it will send the packet directly to the other machine. How does a workstation determine if a destination is part of the same or a different IP network?

Masking Example

First it ANDs the destination address of the packet with its own subnet mask. If the resulting address matches its own network mask, then the destination is in the same subnet, and the TCP/IP stack tells the card to send the packet directly to the destination machine. (if the address is not in your ARP cache, then your station will send out an ARP to get it).  If, however, the calculation shows that the destination is part of another network, then the packet is sent to the default gateway.  In effect, the sender is saying, "I do not know how to deliver this packet; can you please deliver it for me?" The gateway accepts the packet and then goes through a similar procedure. (That procedure is known as routing.)

Here are a few examples of the workstation's decision-making process.

Example 1 - Workstation A sends to Workstation B

Workstation A knows its own network address/subnet mask is 192.168.16.0/22. Workstation A calculates the local-subnettedness of the destination packet as follows:

 

Are A and B in the same subnet?
bitwise-AND	11111111 . 11111111 . 11111100 . 00000000 11000000 . 10101000 . 00010001 . 00010100	subnet mask of A IP addr of dest (B)
	11000000 . 10101000 . 00010000 . 00000000	network of dest
compare	11000000 . 10101000 . 00010000 . 00000000	network of A
They are equal - Both Workstations are on the network 192.168.16.0

Because the network address of the sender matches the result of this calculation, the packet is sent directly to machine B.

Workstation C knows its network address/subnet mask is 192.168.30.0/24. Machine C checks to see if the destination packet falls within its subnet.

 

Are A and B in the same subnet?
bitwise-AND	11111111 . 11111111 . 11111111 . 00000000 11000000 . 10101000 . 00010001 . 00010100	subnet mask of C IP addr of dest (B)
	11000000 . 10101000 . 00010001 . 00000000	network of dest
compare	11000000 . 10101000 . 00011110 . 00000000	network of C
They ARE NOT equal - 192.168.17.0 < not equal to > 192.168.30.0

In this case, the comparison fails. The sender, C, has no choice but to send packet to its gateway. (If you take the time to do the calculation, you discover the gateway is in machine C's subnet. In fact the gateway must always be in the sender's subnet; otherwise, the sender could not send to it either!)

Route Table Example

When working with routes on a PC, you can use a couple of the excellent DOS utilities provided.  

• Ping.exe will ask any station if it is reachable, and the station will reply back if it is.  

• Tracert (trace route) will list the entire route that it takes to reach an IP address, one step at a time.  

• Route.exe works directly with the routing table.  can be used to add, delete, or view (print) routes.  Any route that is added by you, and not automatically learned, is called a "static route". 

At home I have three computers networked together via Ethernet.  They connect to a LinkSys Router, which in turn, is connected to a Cable Modem for Internet access.  Here is a sample output from the "route print" command on both machines - which lists the routing tables.  WinXP lists a bit of additional info, such as the Default Gateway (default router) and the Persistent routes.:

Let's break each route print display - we will details each of the seven entries for the WinXP machine  .  .  .

1. 0.0.0.0 is called "this network", and basically refers to all addesses on this LAN segment.  This also defines the default gateway used.  All remote destination addressed packets will be sent to 192.168.1.1
2. 127.0.0.0 - this is the local loopback address used for diagnostic and troubleshooting. 
3. 192.168.1.0 - this defines your local LAN or subnet network address.  Since the subnet mask 255.255.255.0 was used, every ip address starting with 192.168.1. will be in the same subnet and routing will not be required. Please note the difference between example I and II in line 3. The actual IP address is used for the gateway.
4. 192.168.1.102 - This is the local address (your station's IP address), therefore 127.0.0.1 is once again used for the gateway.
5. 192.168.1.255 - This is the local broadcast address for your LAN or subnet
6. 224.0.0.0 - This is a class D network, used for multicasts
7. 255.255.255.255 - This is the broadcast address to All networks

The DOS "route" Command (not supported in Win95)

Start/run  .  .  .  cmd (then type in the Route command in the DOS box)

route -options command destination

ROUTE [-f] [-p] [command [destination][MASK netmask] [gateway] [METRIC metric] [IF interface]

-f   Clears the routing tables of all gateway entries. If this is used in conjunction with one of the commands, the tables are cleared prior to running the command.

-p   When used with the ADD command, makes a route persistent across boots of the system. 

By default, routes are not preserved when the system is restarted. 

Command :

PRINT Prints a route
ADD Adds a route
DELETE Deletes a route
CHANGE Modifies an existing route destination Specifies the host.

MASK Specifies that the next parameter is the 'netmask' value

netmask Specifies a subnet mask value for this route entry.  If not specified, it defaults to 255.255.255.255.

gateway Specifies gateway.

METRIC specifies the metric, ie. cost for the destination.

interface the interface number for the specified route.

NETWORKS. The symbolic names for gateway are looked up in the host name
database file HOSTS.

If the command is PRINT or DELETE. Destination or gateway can be a wildcard,
(wildcard is specified as a star '*'), or the gateway argument may be omitted.

If Dest contains a * or ?, it is treated as a shell pattern, and only matching destination routes are printed. The '*' matches any string, and '?' matches any one char. Examples: 157.*.1, 157.*, 127.*, *224*.

Diagnostic Notes:
Invalid MASK generates an error, that is when (DEST & MASK) != DEST.
Example> route ADD 157.0.0.0 MASK 155.0.0.0 157.55.80.1 IF 1
The route addition failed: The specified mask parameter is invalid.
(Destination & Mask) != Destination.

Examples:

> route PRINT
> route ADD 157.0.0.0 MASK 255.0.0.0 157.55.80.1 METRIC 3 IF 2
                   ^destination^            ^mask ^  ^gateway^       ^metric^ ^Interface^
If IF is not given, it tries to find the best interface for a given gateway.

> route PRINT
> route PRINT 157* .... Only prints those matching 157*
> route CHANGE 157.0.0.0 MASK 255.0.0.0 157.55.80.5 METRIC 2 IF 2

CHANGE is used to modify gateway and/or metric only.
> route PRINT
> route DELETE 157.0.0.0
> route PRINT