
ARP (Address Resolution Protocol)

Category: Network Fundamentals
Type: Network Concepts
Generated on: 2025-07-10 08:53:10
For: Network Engineering, Administration & Technical Interviews


This cheatsheet provides a comprehensive guide to understanding and using ARP, crucial for network communication.

What is ARP? Address Resolution Protocol (ARP) is a protocol used by the Internet Protocol (IP) to map IP network addresses to the hardware addresses (MAC addresses) used by a data link protocol. It’s essentially the bridge between the logical IP address and the physical MAC address within a local network.

Why is it important? Without ARP, devices on a local network wouldn’t be able to communicate. IP addresses are used for routing packets across networks, but within a local network, devices communicate directly using MAC addresses. ARP enables devices to find the MAC address associated with a specific IP address on the same network segment.

  • IP Address: A logical address assigned to a device on a network (e.g., 192.168.1.10).
  • MAC Address: A unique hardware address assigned to a network interface card (NIC) (e.g., 00:1A:2B:3C:4D:5E). It’s sometimes called a physical address or hardware address.
  • ARP Request: A broadcast message sent by a device to discover the MAC address associated with a specific IP address.
  • ARP Reply: A unicast message sent by the device that owns the IP address requested in the ARP request, containing its MAC address.
  • ARP Cache: A table stored by each device that maps IP addresses to MAC addresses. This cache is used to avoid sending ARP requests for frequently contacted devices.
  • Gratuitous ARP (GARP): An ARP request sent by a device to announce its IP-to-MAC address mapping. Used for duplicate IP address detection and high availability failover.
  • Proxy ARP: A technique where a device (usually a router) responds to ARP requests on behalf of another device. Used in specific network configurations, but generally discouraged due to security and complexity issues.
  • Reverse ARP (RARP): (Largely obsolete) Used to discover an IP address based on a MAC address. Replaced by BOOTP and DHCP.
  • Dynamic ARP Inspection (DAI): A security feature that validates ARP packets in a network to prevent ARP spoofing attacks.

Step-by-Step Explanation:

  1. Device A wants to send a packet to Device B. Device A knows Device B’s IP address (e.g., 192.168.1.20).

  2. Device A checks its ARP cache. If it finds an entry for 192.168.1.20, it uses the associated MAC address to send the packet.

  3. If no entry is found, Device A sends an ARP Request. This request is a broadcast to all devices on the local network.

    Source IP: 192.168.1.10 (Device A)
    Source MAC: 00:AA:BB:CC:DD:EE (Device A)
    Target IP: 192.168.1.20 (Device B)
    Target MAC: 00:00:00:00:00:00 (Unknown - To be discovered)

  4. Device B receives the ARP Request. It sees that the Target IP matches its IP address.

  5. Device B sends an ARP Reply. This reply is a unicast message sent directly to Device A.

    Source IP: 192.168.1.20 (Device B)
    Source MAC: FF:11:22:33:44:55 (Device B)
    Target IP: 192.168.1.10 (Device A)
    Target MAC: 00:AA:BB:CC:DD:EE (Device A)

  6. Device A receives the ARP Reply. It now knows the MAC address of Device B and updates its ARP cache.

  7. Device A sends the packet to Device B using Device B’s MAC address.

Network Diagram:

+-------------------+      +--------+      +-------------------+
|     Device A      |------| Switch |------|     Device B      |
|   192.168.1.10    |      |        |      |   192.168.1.20    |
| 00:AA:BB:CC:DD:EE |      |        |      | FF:11:22:33:44:55 |
+-------------------+      +--------+      +-------------------+

ARP Packet Format:

Field         | Size (bytes) | Description
--------------+--------------+--------------------------------------------------------------
Hardware Type | 2            | Specifies the type of hardware address (e.g., Ethernet = 1).
Protocol Type | 2            | Specifies the protocol type (e.g., IPv4 = 0x0800).
HLEN          | 1            | Hardware address length (in bytes). For Ethernet, this is 6.
PLEN          | 1            | Protocol address length (in bytes). For IPv4, this is 4.
Operation     | 2            | Specifies the type of ARP packet: 1 = ARP Request, 2 = ARP Reply, 3 = RARP Request (rarely used), 4 = RARP Reply (rarely used).
Sender HA     | HLEN         | Sender’s hardware address (MAC address).
Sender PA     | PLEN         | Sender’s protocol address (IP address).
Target HA     | HLEN         | Target’s hardware address (MAC address). 00:00:00:00:00:00 in ARP Request.
Target PA     | PLEN         | Target’s protocol address (IP address).

Example Wireshark Capture (ARP Request):

Frame 1: 42 bytes on wire (336 bits), 42 bytes captured (336 bits) on interface en0
Ethernet II, Src: Apple_1a:2b:3c (00:1a:2b:3c:4d:5e), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Destination: Broadcast (ff:ff:ff:ff:ff:ff)
Source: Apple_1a:2b:3c (00:1a:2b:3c:4d:5e)
Type: ARP (0x0806)
Address Resolution Protocol (request)
Hardware type: Ethernet (1)
Protocol type: IPv4 (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: request (1)
Sender MAC address: Apple_1a:2b:3c (00:1a:2b:3c:4d:5e)
Sender IP address: 192.168.1.10
Target MAC address: 00:00:00:00:00:00
Target IP address: 192.168.1.20

Example Wireshark Capture (ARP Reply):

Frame 2: 42 bytes on wire (336 bits), 42 bytes captured (336 bits) on interface en0
Ethernet II, Src: Cisco_f1:11:22 (ff:11:22:33:44:55), Dst: Apple_1a:2b:3c (00:1a:2b:3c:4d:5e)
Destination: Apple_1a:2b:3c (00:1a:2b:3c:4d:5e)
Source: Cisco_f1:11:22 (ff:11:22:33:44:55)
Type: ARP (0x0806)
Address Resolution Protocol (reply)
Hardware type: Ethernet (1)
Protocol type: IPv4 (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: reply (2)
Sender MAC address: Cisco_f1:11:22 (ff:11:22:33:44:55)
Sender IP address: 192.168.1.20
Target MAC address: Apple_1a:2b:3c (00:1a:2b:3c:4d:5e)
Target IP address: 192.168.1.10
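
The packet format and the request capture above, decoded by hand. This is an added example, not part of the original cheatsheet: the function names are this example's own, and the 42-byte frame is constructed from the values shown in the request capture.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
OPCODES = {1: "request", 2: "reply", 3: "rarp-request", 4: "rarp-reply"}

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_arp_frame(frame: bytes) -> dict:
    """Parse an Ethernet II frame carrying ARP; raise ValueError if malformed."""
    if len(frame) < 14 + 8:
        raise ValueError("frame too short for Ethernet + ARP fixed header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    # Address fields are sized by HLEN/PLEN; only Ethernet/IPv4 is handled here.
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol combination")
    body = frame[22:22 + 2 * (hlen + plen)]
    if len(body) != 2 * (hlen + plen):
        raise ValueError("truncated ARP address fields")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", body)
    return {
        "eth_dst": mac(dst), "eth_src": mac(src),
        "op": OPCODES.get(oper, f"unknown({oper})"),
        "sender_mac": mac(sha), "sender_ip": str(IPv4Address(spa)),
        "target_mac": mac(tha), "target_ip": str(IPv4Address(tpa)),
    }

def build_sample_request() -> bytes:
    """Constructed 42-byte frame using the values from the request capture."""
    sha = bytes.fromhex("001a2b3c4d5e")
    eth = b"\xff" * 6 + sha + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += sha + IPv4Address("192.168.1.10").packed
    arp += b"\x00" * 6 + IPv4Address("192.168.1.20").packed
    return eth + arp

if __name__ == "__main__":
    for key, value in parse_arp_frame(build_sample_request()).items():
        print(f"{key:11} {value}")
```
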

  • Basic Network Communication: A computer wants to ping another computer on the same network. ARP is used to find the target computer’s MAC address before the ping packets are sent.
  • Web Browsing: When you type a website address in your browser, your computer needs to find the MAC address of the gateway router to send the request to the internet. ARP is used for this purpose.
  • VoIP Phones: VoIP phones use ARP to find the MAC address of the PBX server or other VoIP devices on the network.
  • Network Printers: Computers use ARP to find the MAC address of network printers before sending print jobs.
  • Virtualization: Virtual machines (VMs) on the same host use ARP to discover each other’s MAC addresses, enabling communication between them.

  • ARP Spoofing/Poisoning: An attacker sends fake ARP replies to poison the ARP caches of other devices on the network, allowing the attacker to intercept traffic. Solution: Implement Dynamic ARP Inspection (DAI) on network switches.
  • ARP Cache Exhaustion: An attacker floods the network with ARP requests, causing devices to fill their ARP caches with invalid entries, leading to denial-of-service. Solution: Rate-limiting ARP requests.
  • Duplicate IP Address: Two devices configured with the same IP address will cause ARP conflicts, resulting in intermittent connectivity issues. Solution: Use DHCP to dynamically assign IP addresses and implement duplicate IP address detection.
  • Network Misconfiguration: Incorrect subnet masks or gateway settings can prevent ARP from working correctly. Solution: Verify network configurations and ensure devices are on the same subnet.
  • Firewall Blocking ARP: Firewalls may sometimes block ARP traffic, preventing devices from discovering each other. Solution: Configure the firewall to allow ARP traffic within the local network.

Linux (using ip command):

  • View ARP cache:
    ip neigh
  • Delete an ARP entry:
    sudo ip neigh del 192.168.1.20 dev eth0
  • Add a static ARP entry:
    sudo ip neigh add 192.168.1.20 lladdr FF:11:22:33:44:55 dev eth0

Windows (using arp command):

  • View ARP cache:
    arp -a
  • Delete an ARP entry:
    arp -d 192.168.1.20
  • Add a static ARP entry:
    arp -s 192.168.1.20 FF-11-22-33-44-55

Cisco Switch (Dynamic ARP Inspection - DAI):

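! Enable DAI on VLAN 10
ip arp inspection vlan 10
! Enable the additional validation checks on inspected ARP packets:
! src-mac (Ethernet source MAC vs. ARP sender MAC), dst-mac (Ethernet
! destination MAC vs. ARP target MAC) and ip (invalid IP addresses)
ip arp inspection validate src-mac dst-mac ip
! Configure a trusted port (where legitimate ARP traffic comes from, e.g., a router)
interface GigabitEthernet0/1
 ip arp inspection trust
! Alternatively, enable DAI on all VLANs instead of VLAN 10 only
ip arp inspection vlan 1-4094
! Note: on untrusted ports DAI validates ARP packets against the DHCP snooping
! binding table, so DHCP snooping must be enabled on the same VLANs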
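
A simplified model of the checks this configuration turns on, showing which packets an untrusted port would drop and why. This is an added example, not Cisco's implementation and not part of the original cheatsheet: the binding table, the port names other than Gi0/1, and the packets are constructed for illustration.

```python
from ipaddress import IPv4Address

# Constructed stand-in for the DHCP snooping binding table: IP -> (MAC, port).
BINDINGS = {
    "192.168.1.10": ("00:1a:2b:3c:4d:5e", "Gi0/2"),
    "192.168.1.20": ("ff:11:22:33:44:55", "Gi0/3"),
}
TRUSTED_PORTS = {"Gi0/1"}  # corresponds to "ip arp inspection trust" on Gi0/1

def bad_ip(addr):
    """The 'ip' check: 0.0.0.0, 255.255.255.255 and multicast are never valid."""
    ip = IPv4Address(addr)
    return ip.is_unspecified or ip.is_multicast or str(ip) == "255.255.255.255"

def inspect(port, pkt):
    """Return the list of failed checks; an empty list means forward."""
    if port in TRUSTED_PORTS:
        return []  # trusted ports bypass inspection entirely
    failed = []
    if pkt["eth_src"] != pkt["sender_mac"]:
        failed.append("src-mac")
    if pkt["op"] == "reply" and pkt["eth_dst"] != pkt["target_mac"]:
        failed.append("dst-mac")
    if bad_ip(pkt["sender_ip"]) or (pkt["op"] == "reply" and bad_ip(pkt["target_ip"])):
        failed.append("ip")
    if BINDINGS.get(pkt["sender_ip"]) != (pkt["sender_mac"], port):
        failed.append("binding")
    return failed

# Constructed, already-decoded packets (values from the page's reply capture).
LEGIT_REPLY = {
    "op": "reply",
    "eth_src": "ff:11:22:33:44:55", "eth_dst": "00:1a:2b:3c:4d:5e",
    "sender_mac": "ff:11:22:33:44:55", "sender_ip": "192.168.1.20",
    "target_mac": "00:1a:2b:3c:4d:5e", "target_ip": "192.168.1.10",
}
# Sender MAC does not match the binding recorded for 192.168.1.20.
UNBOUND_REPLY = dict(LEGIT_REPLY, eth_src="02:00:00:00:00:99",
                     sender_mac="02:00:00:00:00:99")
# Ethernet header and ARP body disagree about who sent the frame.
MISMATCHED_REPLY = dict(LEGIT_REPLY, eth_src="02:00:00:00:00:99")

if __name__ == "__main__":
    for name, port, pkt in [("legit", "Gi0/3", LEGIT_REPLY),
                            ("unbound", "Gi0/4", UNBOUND_REPLY),
                            ("mismatched", "Gi0/3", MISMATCHED_REPLY)]:
        print(name, port, inspect(port, pkt) or "forward")
```

The last case shows why the trusted-port setting deserves care: a packet that fails the binding check on an access port passes unexamined if it arrives on Gi0/1.
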

Q: What is ARP, and why is it used?

A: ARP (Address Resolution Protocol) is a protocol used to map IP addresses to MAC addresses on a local network. It’s essential because devices communicate using MAC addresses within a local network segment, while IP addresses are used for routing packets across networks. ARP acts as the bridge between these two addressing systems.

Q: Explain the ARP process from the perspective of Device A wanting to communicate with Device B on the same network.

A: Device A first checks its ARP cache for Device B’s IP address. If found, it uses the corresponding MAC address. If not found, Device A broadcasts an ARP request containing Device B’s IP address and its own MAC and IP addresses. Device B, upon receiving the request, responds with an ARP reply containing its MAC address. Device A then updates its ARP cache and sends the data using Device B’s MAC address.

Q: What is Gratuitous ARP (GARP), and what are its uses?

A: Gratuitous ARP is an ARP request sent by a device to announce its IP-to-MAC address mapping, even if it hasn’t received a request. It’s used for two primary purposes: duplicate IP address detection and high availability failover (e.g., when a standby server takes over the IP address of a failed primary server).

Q: What is ARP spoofing, and how can it be mitigated?

A: ARP spoofing (or ARP poisoning) is a type of attack where an attacker sends fake ARP replies to poison the ARP caches of other devices on the network, allowing the attacker to intercept traffic. It can be mitigated using techniques like Dynamic ARP Inspection (DAI) on network switches, which validates ARP packets to ensure they are legitimate.

Q: What is the difference between ARP and RARP?

A: ARP resolves IP addresses to MAC addresses. RARP (Reverse ARP) resolves MAC addresses to IP addresses. RARP is largely obsolete and has been replaced by BOOTP and DHCP.

Q: What is Proxy ARP?

A: Proxy ARP is a technique where a device (typically a router) responds to ARP requests on behalf of another device. While it can be used in specific network configurations, it’s generally discouraged due to security and complexity issues. It hides the true network topology.

Q: How does ARP work with a router?

A: When a device on a local network wants to communicate with a device on a different network, it sends an ARP request to find the MAC address of the router (gateway). Once it obtains the router’s MAC address, it encapsulates the IP packet destined for the remote network within an Ethernet frame addressed to the router’s MAC address. The router then handles the routing to the destination network.

  • TCP/IP Model: ARP operates at the Data Link Layer (Layer 2) and the Network Layer (Layer 3) of the TCP/IP model.
  • OSI Model: Similar to TCP/IP, ARP is situated at Layer 2 (Data Link) and Layer 3 (Network) of the OSI model.
  • DHCP (Dynamic Host Configuration Protocol): DHCP assigns IP addresses to devices, which can then use ARP to communicate with other devices on the network.
  • ICMP (Internet Control Message Protocol): Used for network diagnostics (e.g., ping). Relies on ARP to discover MAC addresses.
  • VLAN (Virtual LAN): ARP operates within a VLAN. DAI is often configured on a per-VLAN basis.
  • MAC Address Filtering: A security mechanism that restricts network access based on MAC addresses.
  • Network Segmentation: Isolating network segments to limit the impact of security breaches and improve performance. ARP is confined to the local network segment.

This cheatsheet provides a solid foundation for understanding and working with ARP. Remember to practice with network tools and packet captures to solidify your knowledge. Good luck!