How to use Ip neighbor command

Leave a Comment / Linux Networking / By

Table of Contents

Introduction

Wondering how to use Ip neighbor command to check and modify  the arp table entries ? This article explains you in detail the ways in which we can use the ip neighbor command 

How to use Ip neigh command to check arp entries 

We can use the following command to check the arp table / ip neighbor table  entries on the linux machine 

[root@discoveringsystems-centos /]# ip neigh
192.168.44.254 dev ens37 lladdr 00:50:56:f8:0e:e9 STALE
192.168.44.1 dev ens37 lladdr 00:50:56:c0:00:08 REACHABLE
192.168.44.2 dev ens37 lladdr 00:50:56:ee:88:ce STALE
192.168.94.100 dev ens33 lladdr 00:0a:0a:0a:0a:0a STALE

Another way to display the same is using the following command 

[root@discoveringsystems-centos /]# ip neigh show
192.168.44.254 dev ens37 lladdr 00:50:56:f8:0e:e9 STALE
192.168.44.1 dev ens37 lladdr 00:50:56:c0:00:08 DELAY
192.168.44.2 dev ens37 lladdr 00:50:56:ee:88:ce STALE
192.168.94.100 dev ens33 lladdr 00:0a:0a:0a:0a:0a STALE

To check all other options we can use along with the ip neigh command , we can use help option  

[root@discoveringsystems-centos /]# ip neigh help
Usage: ip neigh { add | del | change | replace }
                { ADDR [ lladdr LLADDR ] [ nud STATE ] | proxy ADDR } [ dev DEV ]
       ip neigh { show | flush } [ proxy ] [ to PREFIX ] [ dev DEV ] [ nud STATE ]
                                 [ vrf NAME ]

STATE := { permanent | noarp | stale | reachable | none |
           incomplete | delay | probe | failed }

Understanding states seen in Ip neighbor/ arp  table

In the below example , we were able to see the states such as STALE , REACHABLE , Sometimes  we will also see 5 other states like DELAY , PROBE , INCOMPLETE , FAILED and PERMANENT . In this section we will be explaining these states in detail with examples 

[root@discoveringsystems-centos /]# ip neigh
192.168.44.254 dev ens37 lladdr 00:50:56:f8:0e:e9 STALE
192.168.44.1 dev ens37 lladdr 00:50:56:c0:00:08 REACHABLE
192.168.44.2 dev ens37 lladdr 00:50:56:ee:88:ce STALE
192.168.94.100 dev ens33 lladdr 00:0a:0a:0a:0a:0a STALE

What does the INCOMPLETE and FAILED State mean

When you try to ping a host (eg: 192.168.94.250 ) which is not present in the network and check the states associated with it . We were able to see as a result there is an entry added to the Ip neighbor table with state INCOMPLETE as we don’t know it’s mac address and it is the initial stage where an address resolution of it is in progress , in this time the ping packets meant to the be destined to that Ip address are queued. 

After some time we were not able to get any response for the arp request sent  , so we were able to see that entry moved to the state FAILED 

[root@discoveringsystems-centos /]# ping 192.168.94.250 -c 1
PING 192.168.94.250 (192.168.94.250) 56(84) bytes of data.
^C
--- 192.168.94.250 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

[root@discoveringsystems-centos /]# ip neigh
192.168.94.250 dev ens33  INCOMPLETE


[root@discoveringsystems-centos /]# ip neigh
192.168.94.250 dev ens33  FAILED

While the entry is in FAILED state  , again I started to ping the same IP and we can see the states movement happens like before 

[root@discoveringsystems-centos /]# ping 192.168.94.250 -c 1
PING 192.168.94.250 (192.168.94.250) 56(84) bytes of data.
^[[A^C
--- 192.168.94.250 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

[root@discoveringsystems-centos /]# ip neigh
192.168.94.250 dev ens33  INCOMPLETE


[root@discoveringsystems-centos /]# ip neigh
192.168.94.250 dev ens33  FAILED

What does the REACHABLE and STALE state mean

In the earlier section we tried to ping an Host which is not present in the network and was able to explore Incomplete and Failed states.  Now in this example we will try to ping an IP which is present in the network and will explore the states such as REACHABLE and STALE 

In the following example , we were able to ping 192.168.94.100 successfully , so its arp entries would have been resolved for sure 

[root@discoveringsystems-centos /]# ping 192.168.94.100 -c 2
PING 192.168.94.100 (192.168.94.100) 56(84) bytes of data.
64 bytes from 192.168.94.100: icmp_seq=1 ttl=64 time=0.438 ms
64 bytes from 192.168.94.100: icmp_seq=2 ttl=64 time=0.281 ms

--- 192.168.94.100 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms

Here we can see that the entry for Ip 192.168.94.100  shows up as reachable , but technically it would have been in the incomplete state for some microseconds before it got the Arp response and then moved to the state REACHABLE 

[root@discoveringsystems-centos /]# ip neigh
192.168.94.100 dev ens33 lladdr 00:0a:0a:0a:0a:0a REACHABLE

Same entry after 30 seconds moves to STALE state  , if there was no communication happening on that entry 

[root@discoveringsystems-centos /]# ip neigh
192.168.94.100 dev ens33 lladdr 00:0a:0a:0a:0a:0a STALE

What does the DELAY and PROBE state mean

Here in this example I am pinging the host(192.168.94.100)  which is in a STALE state  , now the entry will change to  DELAY state for a few seconds. This is technically delaying the arp request probe to be sent to the peer and allowing the upper layers protocols  to provide the reachability info from the packets received from the host we are trying to ping. 

[root@discoveringsystems-centos /]# ip neigh
192.168.94.100 dev ens33 lladdr 00:0a:0a:0a:0a:0a STALE



[root@discoveringsystems-centos /]# ping 192.168.94.100 -c 2
PING 192.168.94.100 (192.168.94.100) 56(84) bytes of data.
64 bytes from 192.168.94.100: icmp_seq=1 ttl=64 time=0.438 ms
64 bytes from 192.168.94.100: icmp_seq=2 ttl=64 time=0.281 ms

--- 192.168.94.100 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms


[root@discoveringsystems-centos /]#  ip neigh
192.168.94.100 dev ens33 lladdr 00:0a:0a:0a:0a:0a DELAY

Let’s say for some reason the upper layer protocols didn’t update the ARP entry. Now after the delay period expires , now it moves to the state PROBE , where it sends the Unicast Arp requests 

[root@discoveringsystems-centos /]#  ip neigh
192.168.94.100 dev ens33 lladdr 00:0a:0a:0a:0a:0a PROBE

Here is the packet capture example of the probed unicast arp packets

04:19:34.799012 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.94.100 tell 192.168.94.200, length 46

04:19:34.799033 00:0a:0a:0a:0a:0a > 00:0b:0b:0b:0b:0b, ethertype ARP (0x0806), length 42: Ethernet (len 6), IPv4 (len 4), Reply 192.168.94.100 is-at 00:0a:0a:0a:0a:0a, length 28

After resolving the arp entries with the Unicast ARP request sent and ARP response received  it will move the entry  back to the state REACHABLE and the states discussed in the above section repeats based on the scenarios we are into. 

[root@discoveringsystems-centos /]#  ip neigh
192.168.94.100 dev ens33 lladdr 00:0a:0a:0a:0a:0a REACHABLE

Alternatively,  for some reason host(192.168.94.100) is not present in the network anymore or not responding to the ARP probes , it will end up in the state FAILED after sending couple probes 

04:26:50.433425 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.94.100 tell 192.168.94.200, length 46
04:26:51.369872 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.94.100 tell 192.168.94.200, length 46
04:26:52.378685 00:0b:0b:0b:0b:0b > 00:0a:0a:0a:0a:0a, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.94.100 tell 192.168.94.200, length 46

[root@discoveringsystems-centos /]# ip neigh
192.168.94.100 dev ens33  FAILED

How to use Ip neighbor command to add a manual arp entry which has state PERMANENT 

Using the following command syntax we should be able to add an entry into the arp table or the ip neighbor table and that entry will show the state  PERMANENT 

[root@discoveringsystems-centos /]# ip neighbor add 192.168.94.250  lladdr 00:0a:0a:0a:0a:0a dev ens33

[root@discoveringsystems-centos /]# ip neighbor
192.168.94.250 dev ens33 lladdr 00:0a:0a:0a:0a:0a PERMANENT

How to use Ip neighbor command to delete a Arp entry 

In the following example , we will be deleting the already added manual ARP entry for the host 192.168.94.250

[root@discoveringsystems-centos /]# ip neighbor
192.168.94.250 dev ens33 lladdr 00:0a:0a:0a:0a:0a PERMANENT


[root@discoveringsystems-centos /]# ip neighbor del 192.168.94.250  lladdr 00:0a:0a:0a:0a:0a dev ens33

[root@discoveringsystems-centos /]# ip neighbor
< entry not found >

How to create Manual ARP entries using Ip neigh command  and adding it to different state other than Permanent 

Using the following command syntax we were able to create a manual ARP entry with state STALE 

[root@discoveringsystems-centos /]# ip neighbor add 192.168.94.250  lladdr 00:0a:0a:0a:0a:0a dev ens33 nud stale

[root@discoveringsystems-centos /]# ip neighbor
192.168.94.250 dev ens33 lladdr 00:0a:0a:0a:0a:0a STALE

How to use Ip neighbor with change option

Change option with the Ip neighbor command helps in overwriting an entry or changing the state of the already existing entry in the ARP table. In the below example we tried to overwrite the state STALE to state PROBE  using the add option for the entry 192.168.94.250 . It was not allowed , then we used the change option to fix that 

[root@discoveringsystems-centos /]# ip neighbor
192.168.94.250 dev ens33 lladdr 00:0a:0a:0a:0a:0a STALE


[root@discoveringsystems-centos /]# ip neighbor add 192.168.94.250  lladdr 00:0a:0a:0a:0a:0a nud probe dev ens33
RTNETLINK answers: File exists

[root@discoveringsystems-centos /]# ip neighbor
192.168.94.250 dev ens33 lladdr 00:0a:0a:0a:0a:0a STALE


[root@discoveringsystems-centos /]# ip neighbor change 192.168.94.250  lladdr 00:0a:0a:0a:0a:0a nud probe dev ens33

[root@discoveringsystems-centos /]# ip neighbor
192.168.94.250 dev ens33 lladdr 00:0a:0a:0a:0a:0a PROBE

How to use Ip neigh command with replace option 

Both Change and Replace option does the similar job when used along with the ip neighbor command 

[root@discoveringsystems-centos /]# ip neighbor
192.168.94.250 dev ens33 lladdr 00:0a:0a:0a:0a:0a STALE


[root@discoveringsystems-centos /]# ip neighbor replace 192.168.94.250  lladdr 00:0a:0a:0a:0a:0a nud reachable   dev ens33

[root@discoveringsystems-centos /]# ip neighbor
192.168.94.250 dev ens33 lladdr 00:0a:0a:0a:0a:0a REACHABLE

How to use Ip neighbor command with Flush option

Ip neighbor command with Flush option clears the Arp entry for a host from the table . Even delete option does a similar job , however delete option needs all the details of the entry to delete it , but flush option works just with an Ip address specified. 

In the below example we we flushed the entry for the host 192.168.94.250 

[root@discoveringsystems-centos /]# ip neighbor
192.168.94.250 dev ens33  FAILED



[root@discoveringsystems-centos /]# ip neighbor flush 192.168.94.250

[root@discoveringsystems-centos /]# ip neighbor
< entry not found >

Now lets see what happens when we tried with delete option for the same , Delete option needs more details to work

[root@discoveringsystems-centos /]# ip neighbor
192.168.94.250 dev ens33  FAILED

[root@discoveringsystems-centos /]# ip neighbor delete 192.168.94.250
Device and destination are required arguments.

[root@discoveringsystems-centos /]# ip neighbor delete 192.168.94.250 dev ens33

[root@discoveringsystems-centos /]# ip neighbor
<entry not found >

Related Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Subscribe
Subscribe