protocolsnetworkingnetwork-plusBeginner24 min read

What Is Address Resolution Protocol in Networking?

Also known as: Address Resolution Protocol, ARP definition, ARP protocol, CCNA ARP, Network+ ARP

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

On This Page

Quick Definition

ARP is a method your computer uses to find the hardware address of another device on the same network. Think of it as asking a neighbor for their exact street number when you only know their name. Without ARP, your computer would not know where to send messages on the local network. It is a fundamental building block of all Ethernet and Wi-Fi communication.

Must Know for Exams

ARP is heavily tested in both the CompTIA Network+ (N10-008 or N10-009) and the Cisco CCNA (200-301) certification exams. In Network+, candidates are expected to explain the purpose of ARP, describe the ARP process step by step, and understand how ARP operates within a broadcast domain. Exam objectives specifically mention ARP as a key protocol for IPv4 communication, and questions often ask about the difference between ARP requests and ARP replies, the role of the ARP cache, and the default timeout values.

In CCNA, ARP appears in multiple domains, including network fundamentals, IP connectivity, and network security. Candidates must know how ARP functions on Cisco routers and switches, how to verify ARP entries using show ip arp, how to clear the ARP cache, and how to troubleshoot ARP-related issues. CCNA also covers Proxy ARP, which occurs when a router responds to an ARP request on behalf of a host, enabling communication across subnets without explicit gateway configuration.

Security-related ARP topics are also tested, including ARP spoofing and the use of Dynamic ARP Inspection (DAI) to mitigate such attacks. Both exams may include scenario-based questions where a user cannot reach a server on the same subnet, and the candidate must identify that a missing or incorrect ARP entry is the root cause. Another common question pattern asks what happens when a host needs to send a packet to a device on the same local network but has no ARP entry.

The correct answer is that the host sends an ARP broadcast to all devices on the local network. Exam traps often involve confusing ARP with DNS, as both are resolution protocols, but DNS resolves hostnames to IP addresses, while ARP resolves IP addresses to MAC addresses. Understanding these distinctions and being able to apply ARP concepts in troubleshooting scenarios is essential for passing these certification exams.

Simple Meaning

Imagine you live in a large apartment building and you want to send a letter to your friend Maria who lives in the same building. You know Maria's name, but you do not know her apartment number. To get the letter to her, you need her apartment number.

You could ask the building manager, who has a directory that matches names to apartment numbers. In computer networking, every device has two key addresses: an IP address, which is like a person's name (logical and assigned by the network), and a MAC address, which is like a fixed apartment number (hardware-based and burned into the network card). When your computer wants to send data to another device on the same local network, it knows the destination IP address (the name) but it does not know the destination MAC address (the apartment number).

The data cannot be delivered without that MAC address because Ethernet and Wi-Fi networks use MAC addresses to identify the specific device that should receive the data. ARP is the process of asking the local network, Who has this IP address? and receiving the answer that provides the corresponding MAC address.

Your computer then stores that answer in a small table called the ARP cache, so it does not have to ask again right away. This process happens automatically and very quickly, often in milliseconds, every time you open a web page, send an email, or stream a video. Without ARP, your device would be unable to send any data to another device on the same network, making the internet unusable.

The protocol is defined in RFC 826 and is a core part of IPv4 networking. It is so fundamental that many network troubleshooting steps begin with checking ARP tables to verify that devices can find each other on the local segment.

Full Technical Definition

Address Resolution Protocol (ARP) is a communication protocol used for discovering the link-layer address (MAC address) associated with a given internet-layer address (IPv4 address). It is defined in RFC 826 and operates at the interface between Layer 2 (Data Link Layer) and Layer 3 (Network Layer) of the OSI model. When a host or router needs to send an IPv4 packet to another device on the same broadcast domain, it first checks its ARP cache, a local table that stores recent IP-to-MAC mappings.

If no entry exists for the target IP, the host broadcasts an ARP request packet to the entire local network. This request contains the sender's own IP and MAC addresses, and asks the device with the target IP to reply. The device that owns that IP responds with a unicast ARP reply containing its MAC address.

The requesting host then updates its ARP cache with this mapping and can proceed to encapsulate the IP packet in an Ethernet frame destined for that MAC address. ARP entries are dynamic and time out after a certain period, typically 2 to 4 minutes on most operating systems, though this can vary. A host may also send gratuitous ARP announcements to inform other devices of its own IP-to-MAC mapping, commonly used in failover scenarios or when a network interface comes online.

ARP operates only within a single broadcast domain, meaning it cannot traverse routers. For devices on different subnets, the host sends the IP packet to its default gateway, and ARP resolves the gateway's MAC address instead. There are related protocols such as Inverse ARP, used in Frame Relay, and Proxy ARP, where a router responds to ARP requests on behalf of another device.

ARP is also a common target for security attacks, including ARP spoofing and ARP poisoning, where an attacker sends falsified ARP messages to associate their MAC address with the IP of a legitimate device, enabling man-in-the-middle attacks. Modern networks often use Dynamic ARP Inspection (DAI) on managed switches to validate ARP packets and prevent such attacks. Understanding ARP is essential for CCNA and Network+ certification candidates, as it appears in questions about network communication, troubleshooting, and security.

Real-Life Example

Think of a large office building with many employees. Each employee has a name (IP address) and a desk number (MAC address). The desk number is fixed and printed on a plaque on the desk, but the employee's name may change or they may sit at different desks on different days.

One day, you need to deliver an important document to the person named David in the IT department. You know David's name, but you do not know where his desk is located in the building. To find his desk number, you walk to the central lobby and use the intercom system.

You press the all-call button and announce, Would David from IT please tell me your desk number? Everyone in the building hears your announcement, but only David responds: I am David from IT, and my desk number is 307. You write down that information on a sticky note and put it in your pocket, so you do not have to ask the intercom again the next time you need to find David.

This is exactly how ARP works. Your computer is like you, the intercom system is the broadcast network, and the announcement is the ARP request. David is the target device, and his desk number is the MAC address.

The sticky note in your pocket is your ARP cache. The next time you need to send a message to David, you look at your sticky note first, and if the information is still there, you do not need to use the intercom again. This analogy also illustrates why ARP only works within the same building, because the intercom only reaches people in that building.

If David were in a different building, you would need to go through a mail room or a receptionist who knows how to forward your document to the other building. That receptionist is your default gateway, and the process of finding the gateway's desk number also uses ARP. This everyday scenario helps you understand why ARP is essential for local network communication and why it has limitations that require routers for communication across different networks.

Why This Term Matters

ARP is a fundamental protocol that makes local network communication possible, and understanding it is critical for anyone working in IT, networking, cybersecurity, or system administration. When a device on a network cannot resolve an IP address to a MAC address, that device is effectively invisible to other devices on the same network segment. This means that basic operations like file sharing, printer access, and even web browsing can fail.

Network administrators frequently use ARP tables to troubleshoot connectivity issues. For example, if a user complains that they cannot reach a printer, a quick check of the ARP cache on the user's computer can reveal whether the printer's IP address has been resolved to a MAC address. If there is no ARP entry, the problem may be a missing or incorrect IP configuration, a faulty network cable, or a misconfigured switch.

In cybersecurity, ARP is a double-edged sword. Attackers exploit ARP's lack of authentication through ARP spoofing, where they send fake ARP replies to associate their MAC address with the IP of a legitimate device. This allows them to intercept, modify, or block traffic intended for that device.

Security professionals must understand how ARP poisoning works to implement defenses such as Dynamic ARP Inspection (DAI), ARP spoofing detection tools, and port security on switches. In cloud infrastructure, ARP still matters within virtual networks. Virtual machines on the same hypervisor use ARP to communicate, and misconfigurations can lead to connectivity issues.

Even in software-defined networking, the concept of address resolution persists, though it may be handled by newer protocols like VXLAN or ARP suppression in overlay networks. For system administrators, knowing how to view and clear the ARP cache using commands like arp -a on Windows or ip neigh show on Linux is a routine troubleshooting skill. Understanding ARP also helps in designing networks with proper segmentation, since ARP broadcasts do not cross routers and can cause performance issues in large broadcast domains.

Overall, ARP is a small but mighty protocol that underpins nearly every interaction on a local network, and its importance cannot be overstated.

How It Appears in Exam Questions

In certification exams, ARP appears in several distinct question types. The first is the definition question, where you are asked directly: What is the purpose of ARP? or Which protocol resolves an IP address to a MAC address?

These are straightforward but require you to differentiate ARP from DNS, DHCP, and ICMP. The second type is the process question: What is the first thing a host does when it wants to send data to another host on the same local network? The correct answer is that the host checks its ARP cache, and if no entry exists, it sends an ARP broadcast request.

You may also be asked about the contents of an ARP request packet, such as the source IP, source MAC, target IP (known), and target MAC (unknown, usually filled with zeros). The third type is the troubleshooting scenario: A user reports that they cannot access a network printer on the same subnet. You check the IP configuration and everything looks correct.

What should you check next? The correct answer is to verify the ARP cache on the user's computer to see if the printer's IP address has been resolved to a MAC address. If not, the problem might be a disconnected cable, a switch issue, or the printer being powered off.

Another common scenario involves network security: An attacker on the local network is able to intercept traffic between a client and a server. Which type of attack is likely being used? The answer is ARP spoofing or ARP poisoning.

You may also be asked about mitigation techniques, such as Dynamic ARP Inspection (DAI) and how it works by validating ARP packets against a trusted database. In CCNA, you may see configuration questions: Given a topology, you need to identify which device will respond to an ARP request from a host trying to reach a destination on a different subnet. The answer is the default gateway router.

There are also conceptual questions about the difference between ARP and Inverse ARP, or about the behavior of Proxy ARP. Some advanced questions ask about the impact of clearing the ARP cache or the effect of a network loop on ARP traffic. The key to answering these questions correctly is to understand not just what ARP does, but also how it interacts with other protocols like IP, Ethernet, and ICMP, and how it behaves in different network configurations.

Practise Address Resolution Protocol Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are a junior network technician at a small company. An employee, Sarah, calls the help desk because she cannot print a document to the office printer. The printer has a static IP address of 192.

168.1.50, and Sarah's computer is on the same subnet with an IP address of 192.168.1.25. You ask Sarah to open a command prompt and ping the printer's IP address. The ping command returns Destination Host Unreachable.

This tells you that the communication is failing at the local network level. You then ask Sarah to type arp -a in the command prompt to view her ARP cache. The output shows only her default gateway's IP address and MAC address, but there is no entry for the printer's IP.

This means her computer tried to send an ARP request for the printer, but received no reply. You walk over to the printer and notice that the network cable is unplugged. After plugging the cable back in, you ask Sarah to ping the printer again.

The ping succeeds, and you check her ARP cache again. This time, it shows an entry for 192.168.1.50 with the printer's MAC address. Sarah can now print her document. This scenario illustrates how ARP is used in real troubleshooting: without an ARP entry, no data can be sent to the target device, and the first step is to verify whether the device is reachable at the physical layer.

It also shows that ARP failures often point to Layer 1 or Layer 2 issues, such as a disconnected cable or a powered-off device.

Common Mistakes

Thinking ARP resolves hostnames to IP addresses.

Hostname resolution is done by DNS, not ARP. ARP works at a lower level, translating IP addresses to MAC addresses, not user-friendly names to IP addresses.

Remember that DNS handles name-to-IP resolution. ARP handles IP-to-MAC resolution on the same local network. They are different protocols operating at different layers.

Believing ARP works across routers and different subnets.

ARP requests are broadcasts that do not cross routers. A router will not forward an ARP broadcast to another subnet. ARP only operates within a single broadcast domain or local network segment.

When a device needs to communicate with a host on a different subnet, it sends the packet to its default gateway. The device uses ARP to find the gateway's MAC address, not the destination host's MAC address.

Confusing ARP requests with ARP replies in terms of delivery method.

An ARP request is a broadcast frame sent to all devices on the local network. An ARP reply is a unicast frame sent directly back to the requesting device, not broadcast to everyone.

The request goes to everyone (broadcast) because the sender does not know who has the target IP. The reply goes only to the requester (unicast) because the sender now knows the requester's MAC address from the request packet.

Assuming ARP is used in IPv6 networks.

ARP is specific to IPv4. IPv6 uses a different protocol called Neighbor Discovery Protocol (NDP), which performs similar functions but with additional features like stateless address autoconfiguration and router discovery.

For IPv6, remember to use Neighbor Discovery instead of ARP. The commands and concepts are different, so do not apply ARP thinking to IPv6 networks.

Forgetting that the ARP cache has a timeout and entries can become stale.

If a device's IP address changes or the device is replaced, the old ARP entry in other hosts' caches will cause communication failures until the cache is cleared or the entry times out.

Always clear the ARP cache after making IP address changes on a network. Use arp -d on Windows or ip neigh flush on Linux to remove stale entries, or wait for the timeout period.

Exam Trap — Don't Get Fooled

In an exam scenario, a question describes a host trying to communicate with another host on the same subnet. The host checks its ARP cache and finds an entry for the destination IP. The question asks what happens next.

Many learners incorrectly select that the host sends an ARP request to reconfirm the MAC address. Understand that the ARP cache is designed to avoid sending unnecessary broadcasts. If a valid ARP entry exists, the host uses it directly to encapsulate the IP packet in an Ethernet frame and sends the data.

No new ARP request is sent until the entry expires or is cleared. This is a performance optimization.

Commonly Confused With

Address Resolution ProtocolvsDNS

DNS resolves human-readable domain names like www.example.com into IP addresses. ARP resolves IP addresses into MAC addresses. DNS operates across the entire internet, while ARP only works on the local network.

When you type a website name into a browser, DNS finds the server's IP address. Then, if that server is on your local network, ARP finds its MAC address. If it is remote, ARP finds your router's MAC address instead.

Address Resolution ProtocolvsDHCP

DHCP automatically assigns IP addresses to devices on a network. ARP does not assign anything; it only discovers the MAC address that corresponds to an already-assigned IP address. DHCP and ARP often work together but perform different functions.

When a new laptop connects to a Wi-Fi network, DHCP gives it an IP address. Later, when that laptop wants to send data to a printer, ARP finds the printer's MAC address so the data can be delivered.

Address Resolution ProtocolvsNeighbor Discovery Protocol (NDP)

NDP is the IPv6 equivalent of ARP. It performs address resolution, router discovery, and other functions using ICMPv6 messages. Unlike ARP, NDP does not use broadcasts and includes built-in security features.

On an IPv6-only network, NDP replaces ARP entirely. You would use commands like ip -6 neigh show to view neighbor entries instead of arp -a.

Address Resolution ProtocolvsInverse ARP

Inverse ARP does the opposite of ARP: it resolves a known MAC address to an unknown IP address. It is used primarily in Frame Relay networks to map Layer 2 DLCI numbers to Layer 3 IP addresses.

In a Frame Relay network, Inverse ARP automatically discovers the IP address of a device connected to a specific virtual circuit, so no manual configuration is needed.

Step-by-Step Breakdown

1

Host checks ARP cache

When Host A wants to send an IP packet to Host B on the same local network, it first checks its local ARP cache table. This table contains recent IP-to-MAC address mappings. If a valid entry exists for Host B's IP address, Host A uses that MAC address immediately and skips the rest of the process. This saves time and reduces network traffic.

2

Host sends ARP request broadcast

If no entry exists in the ARP cache, Host A constructs an ARP request packet. The packet includes its own IP and MAC addresses (as the sender), and the target IP address it wants to resolve. The target MAC address field is set to all zeros because it is unknown. This packet is encapsulated in an Ethernet frame with a destination MAC address of FF:FF:FF:FF:FF:FF, which is the broadcast address, ensuring all devices on the local network receive it.

3

All hosts on the network receive the request

Every device with a network interface on the same broadcast domain receives the ARP request. Each host processes the packet and checks if the target IP address matches its own IP address. Hosts that do not match simply discard the packet silently. Only the device that owns the target IP address proceeds to the next step.

4

Target host sends an ARP reply

The host that owns the target IP address (Host B) responds with an ARP reply packet. This reply is a unicast frame sent directly to Host A's MAC address, which was included in the request. The reply contains Host B's IP address and its MAC address. This is not broadcast, so only Host A receives it.

5

Host A updates its ARP cache

Upon receiving the ARP reply, Host A extracts the IP and MAC address pair and adds it to its ARP cache. The entry is timestamped and will remain valid for a period typically between 2 and 4 minutes, though this can be configured. Host A can now encapsulate the original IP packet in an Ethernet frame with Host B's MAC address as the destination and transmit the data.

6

Data frame is sent to the destination

Host A now has the necessary MAC address and constructs the Ethernet frame. The frame contains Host A's MAC address as the source, Host B's MAC address as the destination, and the original IP packet as the payload. This frame is sent out onto the network medium and is received only by Host B, since the destination MAC address is unique to that interface.

Practical Mini-Lesson

In real-world IT practice, ARP is a protocol you will interact with regularly, even if indirectly. Every time a device on your network communicates with another device on the same subnet, ARP is involved. As a network professional, you need to know how to verify and manage ARP entries on various systems.

On Windows, you use the arp command with options like arp -a to display the cache, arp -d to delete a specific entry or the entire cache, and arp -s to add a static entry. Static ARP entries are useful for security-critical devices like routers or servers, as they prevent spoofing, but they also require manual updates if hardware changes. On Linux and macOS, the equivalent commands are ip neigh show, ip neigh del, and ip neigh add.

On Cisco devices, you use show ip arp to view the ARP table, clear arp-cache to delete all dynamic entries, and arp ip_address mac_address arpa to create a static entry. Understanding ARP timeouts is crucial for troubleshooting. Most operating systems expire ARP entries after 2 to 4 minutes of inactivity.

This means if a device is replaced or its network card is changed, the ARP cache on other devices will still have the old MAC address until the entry times out or is manually cleared. A common troubleshooting step after replacing a faulty network card is to clear the ARP cache on all other devices that communicate with it. In larger enterprise networks, ARP broadcasts can become a performance issue.

A broadcast domain with hundreds or thousands of devices can be flooded with ARP requests, consuming bandwidth and CPU cycles on every device. This is one reason why network segmentation with VLANs and routers is important. Each VLAN creates a separate broadcast domain, limiting ARP traffic to only devices within that VLAN.

Another practical concern is ARP security. ARP spoofing attacks are relatively easy to execute and difficult to detect without proper tools. As a security measure, you should enable Dynamic ARP Inspection (DAI) on managed switches if your network supports it.

DAI works by intercepting all ARP packets and verifying them against a trusted database of IP-to-MAC bindings, typically learned from DHCP snooping. Any ARP packet that does not match is dropped. On smaller networks without managed switches, you can use static ARP entries for critical devices as a manual defense.

You should also monitor for unusual ARP traffic using tools like Wireshark or arpwatch, which can alert you to potential spoofing attempts. From a broader perspective, ARP is a key concept that connects the logical world of IP addresses with the physical world of network interfaces. It is a simple protocol with no authentication or encryption, which is both its strength and its weakness.

Understanding how ARP works, how to troubleshoot it, and how to secure it will serve you well throughout your IT career, whether you are a system administrator, network engineer, or security analyst.

Memory Tip

ARP is like a phone book for IP addresses. DNS finds the person's name, but ARP finds their exact seat number on the local network floor. Remember: ARP resolves IP to MAC, not name to IP.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

N10-008N10-009(current version)

Related Glossary Terms

Frequently Asked Questions

What does ARP stand for?

ARP stands for Address Resolution Protocol. It is a network protocol used to map an IPv4 address to a physical MAC address on a local network.

Is ARP used in IPv6?

No, IPv6 uses a different protocol called Neighbor Discovery Protocol (NDP) to perform address resolution. NDP is more feature-rich and uses ICMPv6 messages instead of broadcasts.

How long do ARP cache entries last?

The default timeout varies by operating system. Windows typically expires entries after 2 to 4 minutes, while Linux often uses a timeout of about 30 seconds for incomplete entries and several minutes for complete ones. You can configure these values.

What is the difference between an ARP request and an ARP reply?

An ARP request is a broadcast sent to all devices on the local network asking who has a specific IP address. An ARP reply is a unicast response sent directly to the requesting device with the answer.

Can ARP work across a router?

No, ARP broadcasts are not forwarded by routers. ARP only works within a single broadcast domain or subnet. For communication across routers, the host sends packets to the default gateway, and ARP resolves the gateway's MAC address.

What is ARP spoofing?

ARP spoofing is an attack where a device sends fake ARP replies to associate its MAC address with the IP address of a legitimate device. This allows the attacker to intercept, modify, or block traffic intended for that device.

How can I view the ARP cache on my computer?

On Windows, open a command prompt and type arp -a. On Linux or macOS, open a terminal and type ip neigh show or arp -a. This will display all current IP-to-MAC address mappings.

What is Proxy ARP?

Proxy ARP is a technique where a router responds to ARP requests on behalf of a device on another subnet. This makes the remote device appear as if it is on the same local network, enabling communication without configuring a default gateway on the requesting host.

Summary

Address Resolution Protocol (ARP) is a fundamental networking protocol that bridges the gap between logical IP addresses and physical MAC addresses on a local network. It allows devices to discover each other's hardware addresses automatically through a process of broadcast requests and unicast replies, storing the results in an ARP cache for efficiency. Understanding ARP is essential for anyone pursuing IT certifications like CompTIA Network+ or Cisco CCNA, as it appears in questions about network communication, troubleshooting, and security.

You must remember that ARP works only within a single broadcast domain, that it is specific to IPv4, and that it has no built-in security, making it vulnerable to spoofing attacks. Practical skills like viewing and clearing the ARP cache, verifying connectivity using ARP entries, and implementing security measures like Dynamic ARP Inspection are valuable in real-world network administration. By mastering ARP, you gain a deeper understanding of how data travels from one device to another on the same network, and you equip yourself with the knowledge to diagnose and resolve common connectivity issues.

Keep in mind that while ARP is simple, it is also powerful and pervasive, making it a key topic for both exams and daily IT work.