Skip to main content
Your first session is free. Claim mine
PacketMentor logo
Open menu
Home
Training
Cisco Mentorship
CCNACCNP
Short Courses
Python for Network EngineersAI for Network OperationsDevNet Associate PrepInterview Sprint
Custom Training
Corporate Training
All training →
CCNA Library (74)
Browse all CCNA topics →
Network (13)
OSI Model & TCP/IPIPv4 AddressingTCP vs UDPSubnettingIPv6 BasicsARP — Address Resolution ProtocolICMP — Internet Control Message ProtocolTCP 3-Way HandshakeCabling & Media StandardsMTU & FragmentationWAN Connection TypesHierarchical Network DesignNetwork Virtualization & Containers
Device Operations (5)
Cisco IOS Device ManagementPower over Ethernet (PoE)Cisco IOS File SystemPassword Recovery & Configuration RegisterNetwork Troubleshooting Methodology
Network Access (12)
MAC Address TableVLANsTrunks & 802.1Q TaggingSpanning Tree Protocol (STP)EtherChannel (Link Aggregation)Switching OperationCDP & LLDP — Neighbor DiscoveryBPDU Guard & Root GuardCatalyst Boot ProcessVTP — VLAN Trunking ProtocolRapid STP & MSTPPrivate VLANs (PVLAN)
Wireless (6)
Wireless LAN BasicsWLAN Architectures — Autonomous, Centralized (WLC), Cloud, EmbeddedWi-Fi Security — WEP, WPA, WPA2, WPA3Wi-Fi 6, 6E, and 7 FeaturesWireless RF FundamentalsAccess Point Operating Modes
IP Connectivity (10)
Inter-VLAN RoutingStatic RoutingDefault RoutingRouting Decision ProcessFHRP — HSRP, VRRP & GLBPLayer-3 Switch & SVI RoutingOSPF Single-AreaRoute SummarizationIPv6 SLAAC & DHCPv6IPv6 Transition Mechanisms
IP Services (11)
HSRP vs VRRP vs GLBP — FHRP ComparedDHCP — Dynamic Host Configuration ProtocolNAT & PATDNS — Domain Name SystemNTP — Network Time ProtocolSyslogQoS BasicsSNMP — Simple Network Management ProtocolIGMP & IGMP SnoopingNTP Authentication & SecurityDHCP Relay & IP Helper
Security (10)
Access Control Lists (ACLs)Port SecurityDHCP SnoopingAAA · RADIUS & TACACS+802.1X — Port-Based Network Access ControlVPN Basics — IPsec & SSLDynamic ARP Inspection (DAI)IP Source Guard (IPSG)Encryption FundamentalsCybersecurity Threats & Mitigation
Automation (7)
REST APIs for Network EngineersAnsible for Network EngineersJSON, YAML & XML for Network EngineersNETCONF & YANGPython for Network EngineersSDN & Controller-Based NetworkingAI & ML in Network Operations
CCNP Library (15)
Browse all CCNP topics → SPAN, RSPAN & ERSPAN — Port MirroringGRE TunnelsEIGRPOSPF Multi-AreaIPv6 Routing — Static & OSPFv3BGP BasicsTCP Connection StatesCisco AnyConnect / Remote Access VPNCisco ISE BasicsNetFlow & Flow-Based MonitoringgRPC & gNMI — Streaming TelemetrySD-WAN ConceptsMPLS BasicsCisco DNA Center / Catalyst CenterVRF Basics — Virtual Routing and Forwarding
LabsPricing
Contact 📞 +1 (860) 556-3010 Book a Call
← All topics
Network Fundamentals Foundational

ARP — Address Resolution Protocol

How a host turns an IP address into the MAC address it needs to actually deliver a frame. Broadcast question, unicast answer, cached for hours. Also covers Gratuitous ARP, Proxy ARP, and the ARP spoofing attack.

TL;DR
  • ARP translates an IPv4 address into the MAC address required for Layer-2 frame delivery.
  • Process: broadcast a request asking 'who has IP X?', the owner replies unicast with its MAC, both sides cache the mapping.
  • ARP cache lives ~4 hours by default. ARP spoofing is the classic LAN attack; Dynamic ARP Inspection (DAI) defends against it.

Mental model

A host has an IP packet to send to 10.0.0.50. The packet needs to be wrapped in an Ethernet frame, and that frame needs a destination MAC address. But the host only knows the destination’s IP, not its MAC.

ARP’s job: turn an IP into a MAC.

The protocol is brutally simple:

  1. Host broadcasts a Layer-2 frame to everyone: “Who has IP 10.0.0.50? Reply with your MAC.”
  2. The target host hears its own IP and replies unicast: “I am 10.0.0.50, my MAC is bb:bb:bb:bb.”
  3. Both sides remember the mapping in their ARP cache for ~4 hours.

That’s the whole protocol. The rest is variations and edge cases.

The ARP table — view it

R1# show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.1         -          aaaa.bbbb.cccc  ARPA   GigabitEthernet0/0
Internet  10.0.0.50        4          dddd.eeee.ffff  ARPA   GigabitEthernet0/0

Each entry: an IP, the MAC it maps to, and how long until it expires. Age - means it’s a local interface (never expires). On a Linux laptop: arp -a. On Windows: arp -a.

ARP only works within a broadcast domain

ARP frames are L2 broadcasts. They don’t cross routers. So ARP only resolves IPs that are on the same subnet as the asker.

When a host wants to reach an IP on a different subnet, it sends the packet to its default gateway’s MAC instead. The host:

  1. Notices the destination IP isn’t in its own subnet.
  2. ARPs for its default gateway’s IP.
  3. Wraps the packet in a frame destined for the gateway’s MAC.
  4. The gateway (a router) unwraps, re-wraps for the next hop, and forwards.

This is why your computer ARPs for 10.0.0.1 (the router) when you ping 8.8.8.8 — the destination MAC for the frame leaving your NIC is the router’s, not Google’s.

Gratuitous ARP (GARP)

Sometimes a host sends an ARP reply that nobody asked for: “Hey, I’m 10.0.0.50, my MAC is X.” This is gratuitous ARP.

Used to:

  • Announce a new IP assignment (after DHCP)
  • Refresh other hosts’ caches after a failover (HSRP/VRRP do this)
  • Detect duplicate IPs on the wire (if someone replies, “that’s my IP”, you have a conflict)

Proxy ARP

A router answers ARP requests for IPs that aren’t its own — pretending to be the destination so the host sends frames to the router, which then routes them properly. Used in some legacy networks where hosts have wrong subnet masks. Mostly an anti-pattern in modern networking — disable it in production.

R1(config)# interface GigabitEthernet0/0
R1(config-if)# no ip proxy-arp

ARP spoofing — the classic attack

An attacker sends gratuitous ARP replies claiming to be the default gateway: “Hey everyone, I’m 10.0.0.1, my MAC is X.” All victim hosts update their ARP cache and start sending Layer-2 frames to the attacker. The attacker can now read, modify, or forward traffic as MITM.

The defense: Dynamic ARP Inspection (DAI) on switches. DAI watches ARP packets and validates them against the DHCP Snooping binding table. ARP replies that don’t match a legit DHCP lease get dropped.

Commands

! View ARP table on a Cisco device
R1# show arp
R1# show ip arp

! Clear an ARP entry (forces re-resolution)
R1# clear ip arp 10.0.0.50

! Adjust ARP cache timeout (default 4 hours = 14400 seconds)
R1(config)# interface GigabitEthernet0/0
R1(config-if)# arp timeout 1800       ! 30 minutes

! Static ARP entry (manually pin an IP-MAC mapping)
R1(config)# arp 10.0.0.50 dddd.eeee.ffff arpa

! Disable Proxy ARP
R1(config-if)# no ip proxy-arp

Common mistakes

  1. Confusing ARP table with MAC address table. ARP table (on hosts and routers): IP → MAC. MAC address table (on switches): MAC → port. Different layers, different purposes.

  2. Static ARP entries left in place after a server moves. A static entry never times out. If you set arp 10.0.0.50 aaaa.bbbb.cccc and the actual server later changes its NIC, traffic blackholes. Use sparingly.

  3. Leaving Proxy ARP on. Default-on for historical reasons. Disable it on modern networks — it hides misconfiguration and creates security risks.

  4. Forgetting ARP only works in the same broadcast domain. Hosts can’t ARP for an IP behind a router. Always check default gateway settings when “ping by IP doesn’t work” troubleshooting starts.

  5. Confusing IPv6 Neighbor Discovery with ARP. IPv6 doesn’t use ARP — it uses Neighbor Discovery Protocol (NDP), which is conceptually similar but uses multicast (not broadcast) and runs over ICMPv6. The exam tests this distinction.

  6. Not realizing the gateway’s MAC is what your frames are addressed to. When you ping anywhere off-subnet, the destination MAC of the outgoing frame is your router’s MAC, not the remote host’s. Surprises Wireshark beginners constantly.

Lab to try tonight

  1. Open a terminal on your laptop. Run arp -a (or ip neigh on Linux). Note the entries.
  2. Ping a device on your LAN. Run arp -a again — the new entry is the device’s MAC.
  3. Ping a public IP (e.g. 8.8.8.8). Note that 8.8.8.8 doesn’t appear in your ARP table — only your gateway does.
  4. Open Wireshark, start capture. Run arp -d * (Windows) or sudo arp -d <ip> (Linux) to clear an entry. Re-ping. Watch the ARP request (broadcast) and ARP reply (unicast).
  5. Bonus: set up a small lab with DHCP Snooping + Dynamic ARP Inspection. Run a free ARP-spoofing tool from one host. Watch DAI block the bogus replies.

Cheat strip

ConceptPlain English
ARPIP → MAC address resolver
RequestLayer-2 broadcast asking “who has X?”
ReplyUnicast answer with the responder’s MAC
CacheIP↔MAC mappings kept ~4 hours
Gratuitous ARPUnsolicited reply — used for announcements and failover
Proxy ARPRouter answers for others. Mostly disable in production.
ARP spoofingAttacker claims to be the gateway. Defend with DAI.
IPv6 equivalentNeighbor Discovery (NDP) — multicast, not broadcast
Off-subnetARP only resolves IPs on your own broadcast domain. Off-subnet = use gateway.
← Previous topic

IPv6 Basics

128-bit addresses, hex notation, the :: shortcut, address types (global, link-local, multicast), SLAAC, and why IPv6 is finally happening 25 years after it was supposed to.
Next topic →

ICMP — Internet Control Message Protocol

The network's diagnostic channel. Covers echo / reply (ping), destination unreachable, TTL exceeded (traceroute), and the security trade-offs of blocking ICMP at the firewall.
Master this on a real network

Want this drilled into reflex?

1:1 weekly sessions, live feedback on your labs, and US interview prep — built around the CCNA® exam blueprint. Free first session. No card on file until you decide.

Claim my free session →

Related topics

Security Fundamentals

DHCP Snooping

Switch security feature that blocks rogue DHCP servers. Trusts one port (where the real server lives) and drops DHCP server messages from any other port. Foundation for Dynamic ARP Inspection too.

 IP Services

DHCP — Dynamic Host Configuration Protocol

Definitive CCNA-level DHCP guide — the DORA exchange step-by-step, packet anatomy, DHCP options table, lease renewal timing (T1/T2), Cisco IOS server + relay config, DHCPv6 brief, DHCP Snooping security, 8 worked scenarios, and the DHCP debug workflow.

 Network Fundamentals

IPv4 Addressing

32-bit addresses, dotted decimal, classful vs classless, private ranges, and the special addresses (loopback, broadcast, APIPA) you should never accidentally use for production hosts.

One topic per email, every fortnight

VLANs, OSPF, ACLs, subnetting, automation — written like this. Unsubscribe in one click.

We respect your inbox. One email per week, max. Unsubscribe any time.

Start typing — or browse popular topics below.

↑↓ navigate open Searches topics · labs · programs · pages