Courseiva
DebugPrivileged EXEC

debug arp

Enables debugging of ARP (Address Resolution Protocol) packets to troubleshoot IP-to-MAC address resolution issues on a Cisco router or switch.

Syntax·Privileged EXEC
debug arp

When to Use This Command

  • Troubleshooting connectivity issues when a device cannot reach another device on the same subnet.
  • Verifying ARP requests and replies during a network attack or misconfiguration.
  • Monitoring ARP activity when adding new devices to a VLAN or subnet.
  • Diagnosing duplicate IP address conflicts by observing ARP responses.

Command Examples

Basic ARP debug output

debug arp
IP ARP: creating entry for 192.168.1.1, interface GigabitEthernet0/0
IP ARP: sent req src 192.168.1.10 0050.7966.6800,
                 dst 192.168.1.1 0000.0000.0000 GigabitEthernet0/0
IP ARP: rcvd rep src 192.168.1.1 0011.2233.4455,
                 dst 192.168.1.10 0050.7966.6800 GigabitEthernet0/0
IP ARP: creating entry for 192.168.1.1, interface GigabitEthernet0/0, with MAC 0011.2233.4455

Line 1: Router creates an ARP entry for IP 192.168.1.1 on interface Gi0/0. Line 2: Router sends an ARP request from its own IP/MAC (192.168.1.10/0050.7966.6800) to broadcast MAC (0000.0000.0000) asking for 192.168.1.1. Line 3: Router receives an ARP reply from 192.168.1.1 with MAC 0011.2233.4455. Line 4: Router adds the resolved MAC to its ARP table.

Debug ARP with specific IP filter

debug arp 192.168.1.1
IP ARP: sent req src 192.168.1.10 0050.7966.6800,
                 dst 192.168.1.1 0000.0000.0000 GigabitEthernet0/0
IP ARP: rcvd rep src 192.168.1.1 0011.2233.4455,
                 dst 192.168.1.10 0050.7966.6800 GigabitEthernet0/0

Only ARP activity for IP 192.168.1.1 is displayed. The output shows a request and reply exchange, confirming that the target host is reachable and responding.

Understanding the Output

The debug arp command outputs lines prefixed with 'IP ARP:' indicating ARP events. Each line describes either a request (req) or reply (rep). For requests, 'src' is the sender's IP and MAC, 'dst' is the target IP with broadcast MAC (0000.0000.0000). For replies, 'src' is the responder's IP and MAC, 'dst' is the original requester's IP and MAC. The interface is shown at the end. 'creating entry' lines indicate the ARP table is being updated. A healthy network shows quick request-reply pairs; repeated requests without replies suggest the target is unreachable or does not exist. Duplicate IPs may cause multiple replies from different MACs.

CCNA Exam Tips

1.

Remember that 'debug arp' is a privileged EXEC command and can generate heavy output on busy networks; always use filters or 'undebug all' to disable.

2.

The CCNA exam may ask you to interpret debug output to identify ARP spoofing or duplicate IPs.

3.

Know that ARP requests are broadcast (MAC FFFF.FFFF.FFFF) but debug shows 0000.0000.0000 as placeholder.

4.

Be able to distinguish between ARP requests and replies in the output format.

Common Mistakes

Leaving debug enabled after troubleshooting, causing CPU overload; always use 'undebug all' or 'no debug arp'.

Confusing debug arp with 'show arp' — debug is real-time, show is static table.

Using debug arp without an access list on a busy network, flooding the console with irrelevant messages.

Related Commands

clear arp-cache

Clears the entire ARP cache on the device, forcing the router to dynamically re-learn all ARP entries, typically used to resolve connectivity issues caused by stale or incorrect ARP mappings.

Practice for the CCNA 200-301

Test your knowledge with hundreds of CCNA practice questions covering all exam domains.

Practice CCNA Questions