ARP
Address Resolution Protocol
How Layer 2 and Layer 3 come together: a deep-dive into the protocol that bridges IP addresses and MAC addresses on every network you’ll ever build.
🌐What is Address Resolution Protocol?
The Address Resolution Protocol is a foundational Layer 2/Layer 3 boundary protocol defined in RFC 826 (published in November 1982). Its single, essential purpose is to dynamically resolve a known IPv4 address into its corresponding MAC (Media Access Control) address on the same local network segment. Without ARP, communication between devices on an Ethernet-based network would be impossible, even when IP connectivity is fully configured.
To understand why ARP exists, it helps to appreciate a critical design constraint of the Internet Protocol suite: IP addresses (Layer 3 logical addresses) are used to route packets across networks, but the actual delivery of frames on a local segment — such as an Ethernet LAN — requires Layer 2 physical addressing, specifically MAC addresses. A router or host can know the destination IP address of the next hop, but without knowing the associated MAC address, it cannot construct a valid Ethernet frame to transmit on the wire.
ARP bridges this gap. Whenever a host needs to communicate with another device on the same subnet, it first checks its local ARP cache (also called the ARP table) to see if a mapping for that IP address already exists. If no entry is found, the host broadcasts an ARP Request onto the network segment, asking “Who has IP address X? Tell me your MAC address.” The owner of that IP address responds directly with an ARP Reply containing its MAC address. The requesting host stores this mapping in its ARP cache for future use, reducing broadcast traffic and improving efficiency.
ARP is a stateless, unauthenticated protocol. It operates below the IP layer and is considered part of the link layer in the TCP/IP model, even though it interfaces directly with both Layer 2 and Layer 3. This simplicity is a double-edged sword: ARP is lightweight and easy to implement, but its lack of authentication makes it inherently vulnerable to spoofing attacks — a topic that every serious network engineer must understand and mitigate.
ARP also has several specialised variants that extend its utility beyond basic resolution. Gratuitous ARP allows a host to broadcast its own IP-to-MAC mapping, which is commonly used during failover, NIC replacement, or IP address changes. Proxy ARP enables a router to respond to ARP requests on behalf of devices in another subnet, providing transparent routing in certain network designs. Each of these variants plays a specific role in the operational toolkit of a practicing network engineer.
From a Cisco IOS perspective, ARP is fully managed and visible through a range of show and debug commands. Understanding how ARP tables are populated and aged out, how to interpret ARP entries, and how to manually intervene when necessary are all essential competencies for professionals working in production network environments.
🧩Key Components
ARP is deceptively simple in structure, but its operation relies on several well-defined components working in concert. A thorough understanding of each component is essential for both network troubleshooting and security hardening. The following cards detail the primary building blocks of the ARP process.
ARP Request Packet
An ARP Request is a broadcast frame sent to the Layer 2 broadcast address (FF:FF:FF:FF:FF:FF). It contains the sender’s IP and MAC addresses and asks every device on the segment to identify itself if it owns the target IP address. All devices process this frame; only the owner replies.
ARP Reply Packet
An ARP Reply is a unicast frame sent directly back to the requesting host. It carries the target device’s IP address and MAC address as a definitive mapping. The requesting host installs this mapping into its ARP cache, where it is retained for a configurable period before expiry.
ARP Cache (ARP Table)
The ARP cache is a local, temporary table maintained by every IP-capable host and router. It stores recently resolved IP-to-MAC mappings to avoid repeated broadcasts. Entries have a time-to-live (TTL) and are periodically aged out. On Cisco IOS, the default ARP cache timeout is 4 hours (240 minutes).
ARP Packet Structure
An ARP packet is 28 bytes (for IPv4/Ethernet). Fields include: Hardware Type (1 = Ethernet), Protocol Type (0x0800 = IPv4), Hardware & Protocol Address Lengths, Operation Code (1 = Request, 2 = Reply), Sender MAC, Sender IP, Target MAC, and Target IP. It is encapsulated directly in an Ethernet frame with EtherType 0x0806.
Gratuitous ARP (GARP)
A Gratuitous ARP is a special ARP Request where a host broadcasts a mapping for its own IP address. It is used to announce an IP address change, update neighbouring devices’ ARP caches after a failover event, or detect duplicate IP addresses on the network. The target IP equals the sender IP in the packet.
Proxy ARP
Proxy ARP allows a router to respond to ARP requests on behalf of hosts in a different subnet, substituting its own MAC address. This enables communication between subnets without requiring hosts to have a default gateway configured. While useful in legacy designs, Proxy ARP is generally disabled in modern, well-structured networks.
ARP Spoofing / Poisoning
ARP has no built-in authentication. An attacker can send forged ARP replies to redirect traffic by associating their MAC address with a legitimate IP (such as the default gateway). This enables man-in-the-middle (MITM) attacks, session hijacking, and denial-of-service. Dynamic ARP Inspection (DAI) on Cisco switches mitigates this threat.
EtherType 0x0806
ARP packets are identified in Ethernet frames by EtherType value 0x0806. This tells the receiving device how to interpret the payload of the Ethernet frame. ARP does not use any port numbers (it is not a TCP/UDP protocol) and is processed entirely at the data link layer by the network interface card driver and the OS networking stack.
⚙️How It Works
The ARP resolution process follows a clear, deterministic sequence of events every time a host needs to transmit a packet to another device within its subnet. Understanding this process at a packet level is critical for network troubleshooting, protocol analysis, and security evaluation.
The ARP Resolution Sequence
1. A host (e.g., PC-A with IP 192.168.1.10) has an IP packet to send to a destination (e.g., 192.168.1.20). Before constructing the Ethernet frame, the OS checks whether 192.168.1.20 is on the same subnet. Since both are on /24, the destination is local — ARP is required.
2. The OS checks its ARP table for an existing mapping of 192.168.1.20 to a MAC address. If a valid (non-expired) entry exists, the frame is built immediately and the ARP process is skipped entirely. If no entry exists, the process continues to step 3.
3. PC-A constructs an ARP Request packet: Sender MAC = AA:BB:CC:11:22:33, Sender IP = 192.168.1.10, Target MAC = 00:00:00:00:00:00 (unknown), Target IP = 192.168.1.20. This is encapsulated in an Ethernet frame with destination MAC FF:FF:FF:FF:FF:FF (broadcast) and EtherType 0x0806, then transmitted onto the LAN segment.
4. Every device on the broadcast domain receives and de-encapsulates the ARP Request. Each device checks the Target IP against its own configured IP address. Devices for which the Target IP does not match silently discard the request. Optionally, devices may update their own ARP caches with PC-A’s IP-to-MAC mapping from the sender fields.
5. PC-B (192.168.1.20) recognises its own IP address in the Target IP field. It constructs an ARP Reply: Sender MAC = DD:EE:FF:44:55:66, Sender IP = 192.168.1.20, Target MAC = AA:BB:CC:11:22:33, Target IP = 192.168.1.10. This reply is sent as a unicast Ethernet frame directly to PC-A’s MAC address.
6. PC-A receives the ARP Reply and installs the new mapping (192.168.1.20 → DD:EE:FF:44:55:66) into its ARP cache with a TTL timer. The original pending IP packet can now be encapsulated in an Ethernet frame with the correct destination MAC address and transmitted successfully.
7. The original IP packet is now wrapped in a valid Ethernet frame: Src MAC = AA:BB:CC:11:22:33, Dst MAC = DD:EE:FF:44:55:66, EtherType = 0x0800 (IPv4). The frame is transmitted onto the LAN and delivered to PC-B. Future packets to 192.168.1.20 use the cached MAC address directly, with no ARP broadcast required.
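The packet layout from the Key Components section and the seven-step exchange above, worked through in code. This is an added example written for this page, not code from the original article or from any vendor: it packs and parses the 28-byte IPv4/Ethernet ARP body with the field values the page gives (hardware type 1, protocol type 0x0800, opcodes 1 and 2, EtherType 0x0806) and then runs the PC-A / PC-B exchange on a simulated segment. The `Host` class, the `resolve()` helper and the in-memory "segment" are constructed for the illustration; the addresses are the ones used in the walkthrough.

```python
import struct

# Field values as given on the page for ARP over Ethernet carrying IPv4.
ETHERTYPE_ARP = 0x0806
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
OP_REQUEST = 1
OP_REPLY = 2
BROADCAST_MAC = "FF:FF:FF:FF:FF:FF"
UNKNOWN_MAC = "00:00:00:00:00:00"

# 28-byte ARP body, network byte order: htype, ptype, hlen, plen, op, smac, sip, tmac, tip.
ARP_FMT = "!HHBBH6s4s6s4s"


def mac_to_bytes(mac):
    """Accepts AA:BB:CC:11:22:33 or Cisco-style aabb.cc11.2233."""
    return bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", ""))


def bytes_to_mac(b):
    return ":".join(f"{x:02X}" for x in b)


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Pack one ARP body (always 28 bytes for IPv4 over Ethernet)."""
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                       mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                       mac_to_bytes(target_mac), ip_to_bytes(target_ip))


def build_frame(dst_mac, src_mac, arp_body):
    """14-byte Ethernet header (dst, src, EtherType 0x0806) followed by the ARP body."""
    return mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP) + arp_body


def parse_frame(frame):
    """Return the ARP fields of a frame, or raise ValueError if it is not well-formed IPv4/Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet header + ARP body")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: EtherType 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("unsupported hardware/protocol type or address length")
    if op not in (OP_REQUEST, OP_REPLY):
        raise ValueError(f"unknown ARP opcode {op}")
    return {"dst_mac": bytes_to_mac(dst), "src_mac": bytes_to_mac(src), "op": op,
            "sender_mac": bytes_to_mac(smac), "sender_ip": bytes_to_ip(sip),
            "target_mac": bytes_to_mac(tmac), "target_ip": bytes_to_ip(tip)}


def is_gratuitous(arp):
    """Gratuitous ARP: the sender announces its own mapping, so sender IP == target IP."""
    return arp["sender_ip"] == arp["target_ip"]


class Host:
    """Constructed endpoint for the simulation: an IP, a MAC and an ARP cache (IP -> MAC)."""

    def __init__(self, ip, mac):
        self.ip, self.mac, self.cache = ip, mac, {}

    def request_frame(self, target_ip):
        """Step 3: broadcast 'who has target_ip?' with an all-zero target MAC."""
        body = build_arp(OP_REQUEST, self.mac, self.ip, UNKNOWN_MAC, target_ip)
        return build_frame(BROADCAST_MAC, self.mac, body)

    def handle_frame(self, frame):
        """Steps 4 to 6: learn the sender mapping, answer a request for our own IP.
        Returns a unicast reply frame, or None when nothing needs to be sent."""
        arp = parse_frame(frame)
        if arp["dst_mac"] not in (BROADCAST_MAC, self.mac):
            return None  # not addressed to this host
        # Learning the sender mapping from any received ARP, with no check that it was
        # solicited, is exactly the behaviour that makes cache poisoning possible.
        self.cache[arp["sender_ip"]] = arp["sender_mac"]
        if arp["op"] == OP_REQUEST and arp["target_ip"] == self.ip:
            body = build_arp(OP_REPLY, self.mac, self.ip, arp["sender_mac"], arp["sender_ip"])
            return build_frame(arp["sender_mac"], self.mac, body)
        return None


def resolve(requester, segment, target_ip):
    """Run the whole exchange on a simulated segment (list of hosts); returns the MAC or None."""
    if target_ip in requester.cache:          # step 2: cache hit, no broadcast
        return requester.cache[target_ip]
    request = requester.request_frame(target_ip)
    for host in segment:                      # step 4: every host sees the broadcast
        if host is not requester and (reply := host.handle_frame(request)) is not None:
            requester.handle_frame(reply)     # step 6: requester installs the mapping
    return requester.cache.get(target_ip)


if __name__ == "__main__":
    pc_a = Host("192.168.1.10", "AA:BB:CC:11:22:33")
    pc_b = Host("192.168.1.20", "DD:EE:FF:44:55:66")
    print(resolve(pc_a, [pc_a, pc_b], "192.168.1.20"))
```

Running the module prints DD:EE:FF:44:55:66 and leaves both caches populated: PC-B learned PC-A from the sender fields of the broadcast (step 4), PC-A learned PC-B from the unicast reply (step 6). A second `resolve()` call returns from the cache without building a frame, which is the broadcast reduction the page describes.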
ARP and the OSI / TCP-IP Models
ARP uniquely straddles the boundary between Layer 2 (Data Link) and Layer 3 (Network) in the OSI model. In the TCP/IP model, it sits within the Link Layer (also called Network Access Layer).
[Figure: ARP at the Layer 2 / Layer 3 boundary, shown relative to other protocols in the OSI and TCP/IP models]
Cisco IOS: Viewing and Verifying ARP
On Cisco IOS devices, the ARP table can be inspected using the show arp or show ip arp command. Understanding the output is fundamental to day-to-day network operations and troubleshooting.
! View the complete ARP table on a Cisco router or Layer 3 switch
Router# show ip arp
! Example output:
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.1.1 - 0019.e86a.4a80 ARPA GigabitEthernet0/0
Internet 192.168.1.10 12 aabb.cc11.2233 ARPA GigabitEthernet0/0
Internet 192.168.1.20 3 ddee.ff44.5566 ARPA GigabitEthernet0/0
! Age "-" = the router's own IP. Age in minutes since last refresh.
! ARPA = standard Ethernet ARP (as opposed to SNAP or other encaps)
! Filter ARP entries for a specific interface
Router# show ip arp GigabitEthernet0/0
! Show ARP for a specific IP address only
Router# show ip arp 192.168.1.20
! Set the ARP cache timeout on an interface (default is 14400 seconds / 4 hours)
Router(config)# interface GigabitEthernet0/0
Router(config-if)# arp timeout 7200
! Timeout is in seconds. Setting to 7200 = 2-hour timeout.
! Add a static ARP entry (manually map an IP to a MAC address)
Router(config)# arp 192.168.1.50 aabb.ccdd.eeff arpa
! Static entries do not age out and can help lock down critical hosts.
! Clear the dynamic ARP cache
Router# clear arp-cache
! Warning: Clears ALL dynamic ARP entries — temporary traffic disruption possible.
! Disable Proxy ARP on an interface (recommended for most designs)
Router(config-if)# no ip proxy-arp
! Proxy ARP is enabled by default on Cisco IOS router interfaces.
! Enable Dynamic ARP Inspection on a VLAN (Catalyst switch)
Switch(config)# ip arp inspection vlan 10
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# ip arp inspection trust
! Mark uplinks to routers and trusted devices as "trusted" ports for DAI.
📊Usage and Functions
ARP serves multiple roles in modern network operations, extending well beyond its basic resolution function. The table below maps each key use case to its corresponding ARP function and relevant Cisco IOS context, providing a practical reference for engineers working in production environments.
| Use Case | Function | Cisco IOS |
|---|---|---|
| IP-to-MAC Resolution | Resolves an IPv4 address to a MAC address within the same broadcast domain before an IP packet can be encapsulated in an Ethernet frame and transmitted. | show ip arp — displays all current ARP cache mappings on the device. |
| ARP Cache Population | After a successful ARP exchange, both the requesting host and (optionally) all other hosts on the segment can update their ARP caches with the sender’s IP-to-MAC mapping, reducing future broadcast traffic. | ARP timeout per interface: arp timeout <seconds> under interface config mode. |
| Default Gateway Resolution | When a host needs to send traffic off-subnet, it ARPs for the default gateway’s IP address. Routers maintain their own ARP caches for all directly connected hosts and forward traffic accordingly. | Cisco router ARP table is populated automatically for all connected subnet hosts that communicate through the router. |
| Gratuitous ARP (GARP) | A host broadcasts its own IP-to-MAC mapping to proactively update all neighbours’ caches. Used during NIC replacement, virtual IP failover (e.g., HSRP/VRRP), and IP address changes to ensure seamless traffic continuity. | HSRP and VRRP automatically send Gratuitous ARPs upon active gateway transitions. Visible via debug arp. |
| Duplicate IP Detection | When a device comes online, it may send a Gratuitous ARP for its own IP. If another device replies, a duplicate IP conflict is detected and an alert can be raised, preventing silent IP address collisions. | Cisco IOS logs a syslog message (IP_DUPADDR) when a duplicate IP is detected based on an ARP reply with a conflicting MAC address. |
| Proxy ARP | A router responds to ARP requests on behalf of hosts in remote subnets by substituting its own MAC address. This allows hosts with no default gateway configured to still reach off-subnet destinations via the router. | Enabled by default on Cisco IOS. Disabled per-interface with no ip proxy-arp. Check with show interfaces — look for “Proxy ARP enabled.” |
| ARP Spoofing / Poisoning Detection | Attackers may send forged ARP Replies to corrupt neighbouring hosts’ ARP caches, redirecting traffic through an attacker-controlled host (MITM). Dynamic ARP Inspection (DAI) on Cisco switches validates ARP packets against a trusted DHCP snooping binding table. | Enable DAI with ip arp inspection vlan <vlan-id> on Catalyst switches. Mark trusted uplinks with ip arp inspection trust. |
| Static ARP Entries | Administrators can manually configure permanent IP-to-MAC mappings that do not age out. This is used to protect critical infrastructure hosts (e.g., servers, firewalls) from ARP cache poisoning and to guarantee consistent resolution. | Configure with arp <ip-address> <mac-address> arpa in global config. Verify with show ip arp — static entries show no age value. |
| HSRP / VRRP Virtual MAC Resolution | High Availability protocols like HSRP and VRRP use virtual IP and virtual MAC addresses. ARP is used by hosts to resolve the virtual gateway IP to the virtual MAC address (e.g., 0000.0c07.acXX for HSRP), ensuring transparent failover. | Virtual MAC for HSRP group 1 = 0000.0c07.ac01. Verify with show standby and show ip arp on the router. |
| Troubleshooting Connectivity | ARP table inspection is a primary diagnostic step for Layer 2/3 connectivity issues. A missing or incorrect ARP entry is often the root cause of intermittent packet loss, “destination host unreachable” errors, and routing black holes on the local segment. | Use show ip arp <ip>, clear arp-cache, and debug arp for live troubleshooting. Packet captures (via SPAN) can also reveal ARP anomalies. |
✅Best Practices
Properly managing ARP across an enterprise network is a critical component of both operational stability and security posture. The following best practices reflect industry standards and Cisco recommendations for deploying and hardening ARP in production environments.
- Enable Dynamic ARP Inspection (DAI) on All User-Facing VLANs. DAI is the single most effective defence against ARP spoofing and poisoning attacks on Cisco Catalyst switches. By validating ARP packets against the DHCP snooping binding table, DAI ensures that only legitimate hosts can send ARP replies. Always configure uplinks to routers and trusted switches as trusted ports (ip arp inspection trust) to prevent dropping legitimate traffic.
- Enable DHCP Snooping as a Prerequisite for DAI. Dynamic ARP Inspection depends on the DHCP snooping binding table to validate ARP packet source IP-to-MAC mappings. Deploy DHCP snooping on all user VLANs with ip dhcp snooping vlan <vlan-id> before enabling DAI. Without DHCP snooping, all ARP packets from untrusted ports will be dropped by DAI.
- Disable Proxy ARP on Routed Interfaces Where Not Required. Proxy ARP (ip proxy-arp) is enabled by default on Cisco IOS router interfaces. While useful in specific legacy scenarios, it can cause unexpected routing behaviour and security issues in modern, properly segmented networks. Apply no ip proxy-arp to every routed interface unless Proxy ARP is explicitly required for a documented use case.
- Use Static ARP Entries for Critical Infrastructure Hosts. For servers, firewalls, management hosts, and other critical infrastructure where IP-to-MAC mappings should never change unexpectedly, configure static ARP entries on connected routers and Layer 3 switches. Static entries are immune to ARP cache poisoning and ensure consistent delivery of traffic to critical systems, even in the presence of an attacker on the same segment.
- Tune the ARP Cache Timeout Based on Network Characteristics. The default Cisco IOS ARP cache timeout of 14,400 seconds (4 hours) is appropriate for most stable network environments. In highly dynamic environments — such as those with frequent VM migrations or DHCP churn — consider reducing the timeout to 300–600 seconds to ensure stale mappings are cleared promptly. In stable environments with static addressing, extending the timeout reduces broadcast traffic.
- Monitor ARP Tables for Anomalies and Unexpected Changes. Implement syslog monitoring and SNMP traps for ARP-related events, including duplicate IP address detection (IP_DUPADDR syslog message) and DAI violations. Rapid or unexplained changes in ARP table entries — particularly for gateway IP addresses — are strong indicators of an ARP spoofing attack and require immediate investigation.
- Limit Broadcast Domain Size to Reduce ARP Overhead. In large flat Layer 2 networks (e.g., a single /16 or /8 subnet), ARP broadcast traffic can become significant at scale. Each host that joins the network broadcasts an ARP Request for every new destination it contacts. Segment large networks into smaller subnets using VLANs and inter-VLAN routing to contain ARP broadcast domains and improve overall network performance.
- Validate ARP Rate Limiting on DAI-Enabled Switches. DAI includes a configurable ARP rate-limiting feature that drops ARP packets exceeding a defined threshold (packets per second per port). This protects the switch CPU from ARP flood attacks. Use ip arp inspection limit rate <pps> on untrusted ports, and set an appropriate burst interval. The default rate is typically 100 pps — tune this based on your environment’s legitimate ARP traffic profile.
- Harden HSRP and VRRP Against ARP-Based Attacks. When deploying First Hop Redundancy Protocols (FHRP) such as HSRP or VRRP, enable MD5 authentication for HSRP (standby <group> authentication md5 key-string <key>) to prevent rogue routers from becoming the active gateway. Since FHRP routers send Gratuitous ARPs on failover, an attacker who can inject ARP spoofs for the virtual IP can silently redirect all gateway traffic.
- Document and Audit ARP Table State as Part of Change Management. Capture baseline ARP table snapshots (show ip arp) before and after network changes, especially during maintenance windows involving IP renumbering, NIC replacements, or server migrations. Unexpected ARP entries — such as a MAC address appearing against multiple IPs, or a known IP mapping to an unfamiliar MAC — are valuable forensic indicators of misconfigurations or security incidents.
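The monitoring and audit practices above (watch gateway mappings for unexplained changes; compare show ip arp snapshots before and after a change; treat one MAC against several IPs, or a known IP against an unfamiliar MAC, as an indicator) can be automated with a small parser and diff. This is an added example written for this page, not a Cisco tool or code from the original article. It parses the show ip arp row format shown earlier in the Cisco IOS section, then compares two snapshots. The two snapshots embedded below are constructed: the baseline reuses the page's example table, and the "current" snapshot is modified by hand so that 192.168.1.10 now shares the MAC of 192.168.1.20 and a new host 192.168.1.50 has appeared. The severity labels and the `gateways` parameter are design choices of this example.

```python
import re
from collections import defaultdict

# One data row of Cisco IOS `show ip arp` output, e.g.
#   Internet 192.168.1.10 12 aabb.cc11.2233 ARPA GigabitEthernet0/0
# Age is "-" for the device's own addresses and for static entries.
ARP_ROW = re.compile(
    r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+ARPA\s+(?P<iface>\S+)\s*$"
)


def parse_show_ip_arp(text):
    """Return {ip: {"mac", "age", "interface"}}; age is None where IOS prints '-'."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line.strip())
        if not m:
            continue  # header row, prompt echo, or unrelated output
        age = None if m["age"] == "-" else int(m["age"])
        table[m["ip"]] = {"mac": m["mac"].lower(), "age": age, "interface": m["iface"]}
    return table


def compare_snapshots(baseline, current, gateways=frozenset()):
    """Diff two parsed tables. Returns a list of (severity, kind, subject, detail).

    kinds: mac_changed  - a known IP now resolves to a different MAC
           missing_entry - an IP from the baseline is gone
           new_entry     - an IP not seen in the baseline
           mac_shared    - one MAC appears against several dynamic IPs
    A change involving a gateway IP is rated "high"; everything else "warn" or "info".
    """
    findings = []
    for ip, old in baseline.items():
        new = current.get(ip)
        if new is None:
            findings.append(("info", "missing_entry", ip, f"{old['mac']} no longer present"))
        elif new["mac"] != old["mac"]:
            severity = "high" if ip in gateways else "warn"
            findings.append((severity, "mac_changed", ip, f"{old['mac']} -> {new['mac']}"))
    for ip in sorted(current.keys() - baseline.keys()):
        findings.append(("info", "new_entry", ip, current[ip]["mac"]))
    # Own/static entries (age '-') are skipped here: a router interface with secondary
    # addresses legitimately shows one MAC for several IPs, which would be noise.
    by_mac = defaultdict(list)
    for ip, entry in current.items():
        if entry["age"] is not None:
            by_mac[entry["mac"]].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            severity = "high" if any(ip in gateways for ip in ips) else "warn"
            findings.append((severity, "mac_shared", ",".join(sorted(ips)), mac))
    return findings


# Constructed sample output. BASELINE is the page's own example table; CURRENT is a
# hand-edited follow-up snapshot for the demonstration.
BASELINE = """\
Router# show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             -   0019.e86a.4a80  ARPA   GigabitEthernet0/0
Internet  192.168.1.10           12   aabb.cc11.2233  ARPA   GigabitEthernet0/0
Internet  192.168.1.20            3   ddee.ff44.5566  ARPA   GigabitEthernet0/0
"""

CURRENT = """\
Router# show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             -   0019.e86a.4a80  ARPA   GigabitEthernet0/0
Internet  192.168.1.10            1   ddee.ff44.5566  ARPA   GigabitEthernet0/0
Internet  192.168.1.20            8   ddee.ff44.5566  ARPA   GigabitEthernet0/0
Internet  192.168.1.50            0   1122.3344.5566  ARPA   GigabitEthernet0/0
"""

if __name__ == "__main__":
    report = compare_snapshots(parse_show_ip_arp(BASELINE), parse_show_ip_arp(CURRENT),
                               gateways={"192.168.1.1"})
    for severity, kind, subject, detail in report:
        print(f"[{severity:4}] {kind:13} {subject:29} {detail}")
```

Fed real snapshots (for instance, the output of show ip arp captured before and after a maintenance window, as the change-management practice describes), the diff separates expected movement (a new entry for a host that was just migrated) from the indicators the page calls out. A mac_changed finding on a gateway IP is the case that warrants immediate investigation; a mac_shared finding is worth checking against known legitimate causes such as a host with several addresses before treating it as poisoning.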
⚖️Pros and Cons
ARP has served as a cornerstone of IPv4 networking for over four decades. Its design reflects the pragmatic engineering philosophy of the early Internet: keep it simple, keep it fast, and solve one problem well. However, the protocol’s age and fundamental design choices create real operational and security challenges in modern networks. Understanding both sides equips engineers to deploy ARP responsibly and to make informed decisions about mitigation strategies.
✔ Advantages
- Fully automatic and transparent — requires zero manual configuration under normal operation, making it plug-and-play for end hosts.
- Extremely lightweight and low overhead — a single ARP Request/Reply exchange (two small frames) resolves an address. Subsequent communications use the cached mapping with no additional broadcast traffic.
- Universally supported — every IPv4-capable device, OS, and network stack implements ARP. It is hardware and vendor agnostic.
- ARP caching dramatically reduces broadcast traffic by storing resolutions locally. Most hosts only issue an ARP broadcast for a given destination once every several hours.
- Supports critical high-availability mechanisms via Gratuitous ARP — HSRP, VRRP, and GLBP all rely on GARP to ensure seamless gateway failover with minimal traffic disruption.
- Enables Proxy ARP, which can simplify routing in specific legacy or ISP access designs where hosts lack default gateway awareness.
- Straightforward to troubleshoot — ARP table outputs and debug commands on Cisco IOS provide clear, actionable information for diagnosing Layer 2/3 connectivity issues.
✘ Disadvantages
- No authentication or authorisation — any host on the segment can send an ARP Reply claiming any IP-to-MAC mapping, making ARP inherently vulnerable to spoofing and MITM attacks without additional security controls.
- ARP broadcasts do not scale well in large, flat Layer 2 networks. In environments with hundreds or thousands of hosts per broadcast domain, ARP traffic can constitute a meaningful percentage of total LAN traffic.
- Stateless and trust-based — hosts accept unsolicited ARP Replies (ARP cache poisoning does not even require sending an initial ARP Request). This makes it trivial to poison caches in the absence of DAI.
- ARP cache entries age out and must be periodically refreshed. During the brief window between entry expiry and refresh, a short burst of broadcast traffic occurs. In volatile environments, this can be continuous.
- IPv4-only — ARP has no role in IPv6 networks, requiring engineers to understand and manage two completely different address resolution mechanisms (ARP for IPv4, NDP/ICMPv6 for IPv6) in dual-stack environments.
- Proxy ARP, when left enabled by default, can mask misconfigurations in routing (e.g., hosts with no default gateway or incorrect subnet masks communicating as if routing is working correctly).
- ARP has no mechanism to detect or prevent ARP table exhaustion attacks, where an attacker floods a switch or router with ARP requests for non-existent hosts, consuming CPU and memory resources.
🎯 Conclusion
The Address Resolution Protocol is one of the most fundamental protocols in IPv4 networking. Defined in RFC 826 in 1982, it solves the critical problem of bridging Layer 3 IP addresses to Layer 2 MAC addresses, making Ethernet frame delivery possible on local network segments. Despite its age and simplicity, ARP remains active in every IPv4 network you will encounter throughout your networking career.
Understanding ARP at a packet level — the broadcast Request, the unicast Reply, the ARP cache, and its TTL behaviour — gives you the diagnostic foundation to resolve a wide range of Layer 2/3 connectivity issues quickly and confidently. The Cisco IOS command set for ARP (show ip arp, clear arp-cache, debug arp, arp timeout) provides the visibility you need to validate, troubleshoot, and manage ARP in production environments.
However, ARP’s lack of authentication is a genuine security concern that every network engineer must address proactively. Deploying Dynamic ARP Inspection (DAI) in conjunction with DHCP Snooping on access-layer switches is the standard Cisco recommended approach to mitigating ARP spoofing and MITM attacks. Disabling Proxy ARP on interfaces where it is not explicitly needed, and using static ARP entries for critical infrastructure hosts, further hardens your network posture.
ARP is a core topic that underpins your understanding of how switches learn MAC addresses, how routers forward traffic, how HSRP failover works, and how Dynamic ARP Inspection protects the network. Master the protocol, its variants, and the Cisco IOS toolset, and you will have a solid foundation for everything that builds upon it.
📖Glossary
The following terms are central to understanding ARP and the broader addressing and switching concepts that surround it. Familiarity with this vocabulary is essential for production network operations.
ARP
Address Resolution Protocol. An IPv4 network protocol (RFC 826) used to dynamically map a Layer 3 IP address to its corresponding Layer 2 MAC address within a local broadcast domain.
ARP Cache (ARP Table)
A local table maintained by every IP device that stores recently resolved IP-to-MAC mappings. Entries are time-limited (TTL) and refreshed through new ARP exchanges. Also called the ARP table.
ARP Request
A broadcast ARP packet (EtherType 0x0806, Opcode 1) sent to FF:FF:FF:FF:FF:FF asking all hosts on the segment to identify themselves if they own a specific IP address.
ARP Reply
A unicast ARP packet (Opcode 2) sent directly to the requesting host containing the target host’s IP address and MAC address, completing the resolution process.
Gratuitous ARP
An ARP Request where the sender IP and target IP are identical, broadcasting the host’s own IP-to-MAC mapping. Used for duplicate IP detection, post-failover cache updates, and NIC replacement announcements.
Proxy ARP
A feature where a router responds to ARP requests on behalf of hosts in a different subnet, providing its own MAC address. Enabled by default on Cisco IOS router interfaces. Use no ip proxy-arp to disable.
ARP Spoofing / Poisoning
A Layer 2 attack in which a malicious host sends forged ARP Replies to associate its own MAC address with a legitimate IP address (e.g., the default gateway), enabling traffic interception or disruption.
Dynamic ARP Inspection
A Cisco Catalyst switch security feature (DAI) that validates ARP packets against the DHCP snooping binding table, dropping packets with invalid or spoofed IP-to-MAC mappings. Configured per-VLAN.
DHCP Snooping
A Cisco switch feature that monitors DHCP exchanges and builds a binding table of legitimate IP-to-MAC-to-port mappings. This table is used as the trust anchor for Dynamic ARP Inspection.
MAC Address
Media Access Control address. A 48-bit (6-byte) hardware address assigned to every network interface card, used for Layer 2 frame delivery within a local network segment. Written as hexadecimal (e.g., AA:BB:CC:DD:EE:FF).
Broadcast Domain
The set of all devices that receive a Layer 2 broadcast frame. ARP Requests are broadcast within the broadcast domain. Routers segment broadcast domains; switches do not (by default).
EtherType 0x0806
The Ethernet frame type identifier for ARP packets. Used by the receiving device’s network stack to identify the payload as an ARP message and route it to the appropriate protocol handler.
NDP
Neighbor Discovery Protocol. The IPv6 replacement for ARP, implemented as part of ICMPv6. Uses Neighbor Solicitation and Neighbor Advertisement messages to perform address resolution and includes built-in security extensions (SEND).
ARP Timeout
The duration for which an ARP cache entry is considered valid before it must be refreshed. The default on Cisco IOS is 14,400 seconds (4 hours). Configurable per-interface with the arp timeout command.
HSRP
Hot Standby Router Protocol. A Cisco proprietary First Hop Redundancy Protocol (FHRP) that provides gateway redundancy using a virtual IP and virtual MAC address. Relies on Gratuitous ARP for cache updates during failover.
Static ARP Entry
A manually configured, permanent ARP cache entry that maps a specific IP address to a specific MAC address. Does not age out and is immune to ARP cache poisoning. Configured with the arp <ip> <mac> arpa command.