Address Resolution Protocol

Translates Layer 3 IP addresses to Layer 2 MAC addresses for local network communication

Address Resolution Protocol (ARP)

  • ARP translates Layer 3 IP addresses to Layer 2 MAC addresses - essential for local network communication since Ethernet frames require MAC addresses for delivery
  • Works only within the same broadcast domain (subnet) - cannot resolve MAC addresses across routers
  • Uses broadcast requests and unicast replies to build and maintain ARP tables on each device

ARP Process Flow

  • Host needs to send data to an IP address but knows only the IP, not the MAC address
  • Host checks local ARP table first (cache lookup)
  • If no entry exists, host sends ARP Request broadcast (FF:FF:FF:FF:FF:FF) asking “Who has IP X.X.X.X?”
  • Target device responds with ARP Reply unicast containing its MAC address
  • Requesting host updates ARP table and can now send the original data frame

ARP Message Types

Type          Description          Destination          Purpose
ARP Request   Broadcast message    FF:FF:FF:FF:FF:FF    “Who has this IP address?”
ARP Reply     Unicast response     Specific MAC         “I have that IP, here’s my MAC”

ARP Table Management

  • Entries are dynamically learned and cached locally on each device
  • Default aging timer: 20 minutes for Cisco devices (can be modified)
  • Static ARP entries can be manually configured (never age out)
  • Table size limited by device memory - older entries removed when full

Viewing ARP Information

  • show arp - displays ARP table on Cisco devices
  • arp -a - Windows/Linux command to view local ARP cache
  • Entries show IP address, MAC address, interface, and age

Vocabulary

  • ARP Cache/Table: Local storage of IP-to-MAC address mappings on each device
  • Gratuitous ARP: Unsolicited ARP announcement sent when device boots or IP changes
  • Proxy ARP: Router responds to ARP requests on behalf of devices on different subnets
  • ARP Aging: Process of removing old entries from ARP table after timeout period

Security Considerations

  • ARP has no authentication mechanism - devices trust any ARP reply received
  • Vulnerable to ARP spoofing/poisoning attacks, where a malicious device claims another device’s IP
  • ARP storms can occur in poorly designed networks with loops
  • Used in man-in-the-middle attacks on local networks
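A passive check that follows from the process flow and from ARP’s lack of authentication: the example below is added to these notes (not part of the original) and builds constructed ARP request/reply bodies, parses them the way a host would, and keeps an IP-to-MAC table that flags replies nobody asked for or that change a mapping already learned. All MAC and IP addresses are made-up test values.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2  # opcodes from the ARP header
def mac_bytes(mac): return bytes(int(x, 16) for x in mac.split(":"))
def ip_bytes(ip): return bytes(int(x) for x in ip.split("."))

def build_arp(op, smac, sip, tmac, tip):
    """Build the 28-byte ARP body (RFC 826) for Ethernet (htype 1) over IPv4 (ptype 0x0800)."""
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return hdr + mac_bytes(smac) + ip_bytes(sip) + mac_bytes(tmac) + ip_bytes(tip)

def parse_arp(body):
    """Parse an ARP body into (opcode, sender_mac, sender_ip, target_mac, target_ip)."""
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", body[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP body")
    smac, sip, tmac, tip = struct.unpack("!6s4s6s4s", body[8:28])
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return op, fmt_mac(smac), fmt_ip(sip), fmt_mac(tmac), fmt_ip(tip)

class ArpMonitor:
    """Passive watcher: learns IP->MAC like a host's ARP table; flags unsolicited replies and mapping changes."""
    def __init__(self):
        self.cache = {}       # ip -> mac, mirroring the ARP table described above
        self.pending = set()  # target IPs requested but not yet answered
        self.alerts = []

    def observe(self, body):
        op, smac, sip, tmac, tip = parse_arp(body)
        if op == ARP_REQUEST:
            self.pending.add(tip)
        elif op == ARP_REPLY:
            if sip not in self.pending:
                # Gratuitous ARP is also unsolicited, so this is a low-confidence signal on its own.
                self.alerts.append(f"unsolicited reply: {sip} is-at {smac}")
            self.pending.discard(sip)
            known = self.cache.get(sip)
            if known is not None and known != smac:
                self.alerts.append(f"mapping change: {sip} was {known}, now {smac}")
            self.cache[sip] = smac

def demo():
    """Constructed traffic: one legitimate exchange, then a reply claiming the same IP with another MAC."""
    m = ArpMonitor()
    m.observe(build_arp(ARP_REQUEST, "02:00:00:00:00:0a", "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1"))
    m.observe(build_arp(ARP_REPLY, "02:00:00:00:00:01", "192.0.2.1", "02:00:00:00:00:0a", "192.0.2.10"))
    m.observe(build_arp(ARP_REPLY, "02:00:00:00:00:66", "192.0.2.1", "02:00:00:00:00:0a", "192.0.2.10"))
    return m.alerts
```

Static ARP entries for the gateway, or Dynamic ARP Inspection on the switch, are the usual mitigations the second alert points at; the monitor only observes.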

Notes

  • ARP is only used for IPv4 - IPv6 uses Neighbor Discovery Protocol (NDP) instead
  • No ARP traffic crosses routers - each subnet maintains its own ARP communications
  • Switches learn MAC addresses from ARP traffic to populate their CAM tables
  • High ARP traffic can indicate network issues, loops, or security problems