ARP Data in Axonius


Layer 2 of the OSI model is the Data Link layer. The most common layer 2 device is the switch, which forwards frames between the devices connected to its interfaces. In the usual three-tier design, switches are arranged in a hierarchy: core switches at the top, distribution switches in the middle, and access switches at the bottom. Core switches form the high-speed backbone that ties the distribution layer together and typically carries traffic toward the WAN or internet edge; distribution switches aggregate the access switches and pass traffic across the LAN to other local resources; and access switches are where end devices plug directly into the network.

Most of us are familiar with the term packet, the unit of data handled at layer 3, the Network layer. The data link layer carries frames, and a frame is what a switch receives on an interface. A frame has a header, a payload, and a trailer (the frame check sequence); the header carries two fields that matter here: the destination MAC address and the source MAC address. A switch learns from the source MAC address of every frame it receives, recording which MAC address was seen on which port in a local table known as the CAM (Content Addressable Memory) table, or MAC address table. That table is what the switch consults to forward a frame to the correct port or interface; if the destination MAC address is not yet in the table, the frame is flooded out every port in the VLAN except the one it arrived on. On Cisco IOS you can view the table with the "show mac address-table" command ("show mac-address-table" on older releases).

A PC can communicate with another PC on the same local network with the help of ARP (Address Resolution Protocol). Consider a topology in which PCs 0 through 4 are connected to the same switch, and PC 1 wishes to send data to PC 2. To do that, PC 1 must learn the MAC address that belongs to PC 2's IP address. This is where ARP comes in; the flow of an ARP request looks like this:

  1. PC 1 broadcasts an ARP request (destination MAC ff:ff:ff:ff:ff:ff) asking who has PC 2's IP address; the switch floods it to all the other PCs in the network (0, 2, 3, and 4).
  2. PC 0 does not respond, because the requested IP address is not its own; the same applies to PC 3 and PC 4.
  3. PC 2 responds with an ARP reply containing its MAC address, sent as a unicast frame directly back to PC 1, which caches the answer for later use.

The switch does not look the ARP request up in its MAC address table: a broadcast has no single destination port, so the switch floods it out every port in the VLAN except the one it arrived on. What the switch does during the exchange is learn. PC 1's MAC address is recorded against PC 1's port when the request arrives, and PC 2's MAC address against PC 2's port when the reply arrives. Because the reply is a unicast frame addressed to PC 1's MAC address, the switch can forward it to PC 1's port alone.
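The exchange above, as an added example that is not part of the original article: a small learning-switch simulation in Python. The topology (five PCs on ports Gi0/0 to Gi0/4, with constructed IP and MAC addresses) is an assumption made for the example. The switch learns source MACs, floods the broadcast ARP request out of every port except the ingress port, and forwards the unicast reply only to the port where the requester's MAC was learned.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    """Minimal Ethernet frame: the two header fields that matter plus an opaque payload."""
    dst: str
    src: str
    payload: str


@dataclass
class Host:
    name: str
    ip: str
    mac: str
    arp_cache: dict = field(default_factory=dict)  # ip -> mac learned from ARP replies


class Switch:
    """A learning switch: source MACs are recorded in the MAC (CAM) table, which is
    consulted only for unicast destinations that have already been learned."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}  # mac -> port on which that source MAC was last seen

    def receive(self, in_port, frame):
        """Return the list of ports the frame is forwarded out of."""
        self.mac_table[frame.src] = in_port  # learn, regardless of destination
        if frame.dst == BROADCAST or frame.dst not in self.mac_table:
            # Broadcast and unknown unicast are flooded everywhere except ingress.
            return [p for p in self.ports if p != in_port]
        return [self.mac_table[frame.dst]]


def arp_exchange(switch, hosts, requester_port, target_ip):
    """Run one ARP request/reply through the switch.

    Returns a trace of (kind, ingress_port, egress_ports) tuples so the reader
    can see where each frame actually went.
    """
    requester = hosts[requester_port]
    trace = []
    request = Frame(dst=BROADCAST, src=requester.mac,
                    payload=f"who-has {target_ip} tell {requester.ip}")
    flooded_to = switch.receive(requester_port, request)
    trace.append(("request", requester_port, sorted(flooded_to)))
    for port in flooded_to:
        host = hosts[port]
        if host.ip != target_ip:
            continue  # not my IP address: drop the request silently, no reply
        reply = Frame(dst=requester.mac, src=host.mac,
                      payload=f"{host.ip} is-at {host.mac}")
        delivered_to = switch.receive(port, reply)  # known unicast: exactly one port
        trace.append(("reply", port, sorted(delivered_to)))
        for p in delivered_to:
            hosts[p].arp_cache[host.ip] = host.mac
    return trace


def build_lab():
    """Constructed topology (an assumption, not from the article): PC 0..4 on Gi0/0..Gi0/4."""
    hosts = {
        f"Gi0/{n}": Host(f"PC {n}", f"192.0.2.{10 + n}", f"02:00:00:00:00:0{n}")
        for n in range(5)
    }
    return Switch(hosts.keys()), hosts


if __name__ == "__main__":
    switch, hosts = build_lab()
    # PC 1 (Gi0/1) resolves PC 2's address 192.0.2.12
    for step in arp_exchange(switch, hosts, "Gi0/1", "192.0.2.12"):
        print(step)
    print("MAC table after the exchange:", switch.mac_table)
```

After the exchange the MAC table holds only two entries, PC 1 and PC 2, because those are the only hosts that sent a frame; PCs 0, 3 and 4 received the flooded request but never transmitted, so the switch has learned nothing about them.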

ARP data in Axonius

Axonius can collect ARP data from most network vendors, such as Cisco, Arista, Juniper, Palo Alto and others. This data is extremely useful because it maps the IP addresses active on a device's connected subnets to MAC addresses, giving a representation of what is actually talking on your network; combined with the MAC address table it also tells you which switch port each device sits behind. To decide whether ARP data is useful to you, look at the environment the switch is in and where it sits in the hierarchy. At the access level, if a switch provides access to the corporate network at a branch office, daily changes in the ARP table are expected: people move seats and devices come and go. If the switch sits in a data center and provides access to virtualization hosts or storage servers, you would not expect daily changes in its ARP table. The same applies to distribution- and core-level switches; we would not expect daily changes on those interfaces, and if we do see them, it may indicate changes occurring in the network that are untracked. Two patterns are worth checking explicitly when comparing successive collections: a new MAC address appearing on a tier whose inventory should be static (an unrecorded device), and an existing IP address that now resolves to a different MAC address, which can be a re-imaged host or a replaced NIC but is also what ARP spoofing looks like from the switch's point of view.
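One way to run that comparison, as an added example that is not part of the article or of Axonius itself: parse two ARP table snapshots, normalize the MAC addresses so different vendors' formats compare equal, diff them, and grade the differences by the tier the switch sits in. The two snapshots below are constructed samples in the layout of Cisco IOS "show ip arp" output; the IP addresses, MAC addresses, interface names, tier names and alert wording are all assumptions made for the example.

```python
import re

# One "show ip arp" row on Cisco IOS, e.g.
#   Internet  10.10.1.20              5   00aa.bb00.0001  ARPA   Vlan10
# The age column is "-" for the device's own interface address.
IOS_ARP_ROW = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+ARPA\s+(?P<iface>\S+)"
)

# Constructed snapshots: yesterday's and today's table from the same switch.
DAY1 = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.1               -   0011.2233.4455  ARPA   Vlan10
Internet  10.10.1.20              5   00aa.bb00.0001  ARPA   Vlan10
Internet  10.10.1.30             12   00aa.bb00.0002  ARPA   Vlan10
Internet  10.10.1.40            120   00aa.bb00.0003  ARPA   Vlan10
"""

DAY2 = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.1.1               -   0011.2233.4455  ARPA   Vlan10
Internet  10.10.1.20              3   00aa.bb00.0001  ARPA   Vlan10
Internet  10.10.1.30              0   dead.beef.0099  ARPA   Vlan10
Internet  10.10.1.50              1   00aa.bb00.0004  ARPA   Vlan10
"""


def normalize_mac(mac):
    """Accept Cisco dotted (0011.2233.4455), colon or dash forms; emit aa:bb:cc:dd:ee:ff."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_ios_arp(text):
    """Return {ip: (normalized_mac, interface)} for every data row; header lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = IOS_ARP_ROW.match(line.strip())
        if m:
            table[m["ip"]] = (normalize_mac(m["mac"]), m["iface"])
    return table


def diff_arp(old, new):
    """Split the change between two snapshots into added, removed and MAC-changed entries."""
    added = {ip: new[ip] for ip in new.keys() - old.keys()}
    removed = {ip: old[ip] for ip in old.keys() - new.keys()}
    changed = {
        ip: (old[ip][0], new[ip][0])
        for ip in old.keys() & new.keys()
        if old[ip][0] != new[ip][0]
    }
    return added, removed, changed


def arp_alerts(old, new, tier):
    """tier is 'access', 'distribution' or 'core' (assumed labels).

    A MAC change for an existing IP is reported at every tier: it is either a
    re-imaged host, a replaced NIC, or an ARP spoof, and only investigation tells.
    Entries appearing or disappearing are normal churn at the access tier, but
    on distribution and core switches they point at untracked network changes.
    """
    added, removed, changed = diff_arp(old, new)
    alerts = []
    for ip, (old_mac, new_mac) in sorted(changed.items()):
        alerts.append(f"MAC changed for {ip}: {old_mac} -> {new_mac}")
    if tier != "access":
        for ip, (mac, iface) in sorted(added.items()):
            alerts.append(f"new ARP entry on {tier} switch: {ip} ({mac}) via {iface}")
        for ip, (mac, iface) in sorted(removed.items()):
            alerts.append(f"ARP entry gone from {tier} switch: {ip} ({mac}) via {iface}")
    return alerts


if __name__ == "__main__":
    old, new = parse_ios_arp(DAY1), parse_ios_arp(DAY2)
    for tier in ("access", "core"):
        print(f"--- as a {tier} switch ---")
        for line in arp_alerts(old, new, tier):
            print(line)
```

Run as an access switch the only alert is the MAC change on 10.10.1.30; run as a core switch the added 10.10.1.50 and the vanished 10.10.1.40 are reported as well. The age column is parsed but deliberately ignored: a low age on an existing entry just means the host recently refreshed it, which is not evidence of anything on its own.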

As always, feel free to reach out directly with any other questions about using network services data in Axonius!