How to get one when you don't have one and what happens when it's gone!
There is so much propaganda out there today (and I am not even referring to politics), it feels good to go back to fundamentals.
Few things are more foundational to networking than Address Resolution Protocol (ARP). It is inconceivable to me that when you look up what happened in 1982 the publication of RFC 826 is missing. Must be a mistake.
For network engineers, the ARP table is a core troubleshooting tool. It is the “vi” of networking. When troubleshooting device issues, the first stop is often the ARP table.
When a user is having network issues, they usually only know their host name or fully qualified domain name (FQDN), maybe their IP.
The ARP table helps you connect that IP to its MAC address. From there you can continue investigating. It is basically your map that ties IPs to MACs and points you to the right interface, SSID, etc.
Losing access to the ARP table is a body blow for a network engineer. As devices move behind firewalls, the ARP table for the gateway on that subnet now lives on the firewall and not on your network device.
Best case scenario
You have access to the firewall and you can jump over there to start/continue your triage.
Worst case scenario
I've seen many instances where those devices are managed by two teams who do not "co manage" the devices. The security or firewall team manages the firewalls and the network team manages the network equipment. Now what?
SuzieQ Enterprise To The Rescue with ARP and DHCP Snooping
First, the obvious: with SuzieQ you already have a consolidated ARP table for all the devices you are monitoring.
You don't need to figure out which layer 3 device to start with. SuzieQ will tell you. BUT, if you are not monitoring that device, there isn't much SuzieQ can do...or IS there?
For some time now, SuzieQ has been able to bridge this gap, as it understands both Cisco Device Tracking (ARP Snooping) and DHCP Snooping. If you are a Cisco shop and the devices you need to support have gateways on devices you don't have access to, this is invaluable. SuzieQ supports DHCP Snooping for Arista, Cisco NXOS, ACI, IOS-XE, and JunOS, and ARP Snooping (Device Tracking) for IOS/IOS-XE.
That capability is critical if you are moving end user devices to other networks or to security segments.
Think about it: not only can you confirm the new IP for the device without having the user look it up, it also helps with planning. You know going in whether the device uses DHCP or has a static IP. If it is an obscure or "limited" OT or IoT device with a static IP, you have time to figure out who has the credentials to change its IP (or reconfigure it to DHCP), how to change it, whether it needs a console cable that was lost years ago, etc.
✅ Is that MAC on the network? (or has it been)
✅ Is that IP on the network? (or has it been)
✅ Does that device use DHCP?
✅ Does that device have its IP Address hard-coded?
✅ What is the MAC Vendor OUI for that MAC?
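The checklist above can be worked through by hand once the two snooping tables are merged. The following is an added example, not SuzieQ code and not from the author's repository: the row layout, the function names and the `static?` / `mismatch` labels are assumptions made for illustration, and treating "address tracked but no lease snooped" as static is a heuristic (a lease handed out before snooping was enabled would look the same).

```python
import ipaddress
import re

# Constructed sample rows, not real device output: (ip, mac, vlan, port).
DHCP_SNOOPING = [
    ("10.20.30.11", "00:50:56:AB:CD:01", 30, "Gi1/0/5"),
    ("10.20.30.12", "00:50:56:AB:CD:03", 30, "Gi1/0/9"),
    ("10.20.30.13", "00:50:56:AB:CD:04", 30, "Gi1/0/11"),  # lease only
]
DEVICE_TRACKING = [
    ("10.20.30.11", "0050.56ab.cd01", 30, "Gi1/0/5"),  # matches its lease
    ("10.20.30.50", "0050.56ab.cd02", 30, "Gi1/0/7"),  # no lease on record
    ("10.20.30.99", "0050.56ab.cd03", 30, "Gi1/0/9"),  # lease says .12
]

def norm_mac(mac):
    """Normalize dotted, dashed or colon MAC notation to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[.:-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def unify(dhcp_rows, tracking_rows):
    """Merge both snooping tables into one list of normalized rows."""
    leases = {norm_mac(mac): ip for ip, mac, _, _ in dhcp_rows}
    rows = []
    for ip, mac, vlan, port in tracking_rows:
        mac = norm_mac(mac)
        lease = leases.get(mac)
        # "static?" is inferred (no lease snooped); "mismatch" means the host
        # answers on an IP other than the one it was leased.
        kind = "static?" if lease is None else "dhcp" if lease == ip else "mismatch"
        rows.append((mac, ip, vlan, port, kind))
    tracked = {r[0] for r in rows}
    rows += [(norm_mac(m), ip, vlan, port, "dhcp") for ip, m, vlan, port in dhcp_rows
             if norm_mac(m) not in tracked]  # lease seen, host not tracked
    keys = ("mac", "ip", "vlan", "port", "addressing")
    return [dict(zip(keys, r), oui=r[0][:8]) for r in rows]

def lookup(table, needle):
    """Answer 'is this IP or MAC on the network?' for either kind of input."""
    try:
        ipaddress.ip_address(needle)  # check IP first: some IPs look like 12 hex digits
        return [r for r in table if r["ip"] == needle]
    except ValueError:
        return [r for r in table if r["mac"] == norm_mac(needle)]

if __name__ == "__main__":
    print(*unify(DHCP_SNOOPING, DEVICE_TRACKING), sep="\n")
```

A `mismatch` row is worth a second look during triage: the host holds a lease for one address and is answering on another.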
Handy ... but what if this snooping is not an option?
SuzieQ's support for "snooping" tables is a tremendous advantage but may not always be an option.
Ultimately, there is nothing better than having a comprehensive view of your network.
If you are a Fortinet shop I think you will be as excited as I am because now SuzieQ gives me networking data from my switches, wireless controllers, and now my Fortinet firewalls!

Gone are the days of having a fragmented view of my network where I have to go to:
- the wireless controller for wireless information
- one or more switches for routing, vlan, mac, arp information
- the firewall for network information (yes, I still have to go to the firewall for policy information!)
Instead, there is one common set of commands, GUI, or API to get whatever network information I am looking for!
Let's see what happens...
🎥 SuzieQ Enterprise and the Unified ARP Table ~15min
Conclusion
Having a unified and normalized ARP table across your multi-vendor infrastructure is powerful.
SuzieQ Enterprise can provide that unified and normalized ARP table even when you don't have all the ARP tables!
If you watched the video, you have had a taste of the SuzieQ Enterprise GUI and CLI.
I shall leave you with this repository for the REST.
https://github.com/cldeluna/unified_arp
A few details on the SuzieQ Enterprise support for Fortinet
- L3 NAT mode is currently supported
- Tested on FortiOS versions 7.2, 7.4, and 7.6
