What Does ARP request Mean?
On This Page
What do you want to do?
Quick Definition
When your computer wants to talk to another device on the same local network, it knows the device’s IP address but needs its physical address. It sends out an ARP request to ask, 'Who has this IP address? Please tell me your MAC address.' The device with that IP replies, and the request is a core part of how devices find each other.
Common Commands & Configuration
arp -aDisplays the current ARP cache (IP-to-MAC mappings) on Windows. Used to verify if an IP address has been resolved to a MAC address.
Tested in CCNA and Network+ to check if a device has learned the MAC address of another host. If the entry is incomplete or missing, the user cannot communicate.
arp -d <IP_address>Deletes a specific ARP cache entry on Windows. Used to force a new ARP request to be sent for a specific IP address.
Common in troubleshooting scenarios where a stale ARP entry causes connectivity issues. Appears in A+ and Network+ exam questions about clearing the ARP cache.
ip neighbor show (or ip neigh show)Displays the ARP/neighbor cache on Linux/macOS systems. Shows IP-to-MAC mappings and their state (REACHABLE, STALE, etc.).
Tested in Linux-based troubleshooting for CCNA and Network+. Questions may ask the output of this command after a failed ping.
ip neighbor delete <IP_address> dev <interface>Deletes a specific neighbor (ARP) entry on Linux. Used to force a fresh ARP request for a resolved IP.
Appears in CCNA and AWS SAA scenarios when a load balancer or instance has a stale ARP entry causing intermittent connectivity.
clear arp-cacheClears the entire ARP cache on Cisco IOS routers/switches. Used when troubleshooting connectivity issues caused by outdated ARP entries.
A classic CCNA exam command. Questions test the need to clear the ARP cache after changing a device's MAC address or IP.
show arpDisplays the ARP table on Cisco IOS devices. Includes IP addresses, MAC addresses, interface, and aging time.
Frequently used in CCNA and Network+ exams to verify Layer 2 to Layer 3 mapping. Incorrect or missing entries indicate ARP resolution failure.
show ip arp <IP_address>Filters the ARP table on Cisco IOS to show a specific IP address entry. Useful to check if a specific host's MAC is learned.
Tested in CCNA troubleshooting scenarios where only one host cannot reach the gateway. Also appears in security+ questions on ARP spoofing detection.
netsh interface ip delete arpcacheDeletes the entire ARP cache on Windows from the command line (requires admin). Used in aggressive troubleshooting.
Appears in A+ and Network+ exams as a more powerful alternative to arp -d, especially when multiple entries need clearing.
ARP request appears directly in 10exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on Cisco CCNA. Practise them →
Must Know for Exams
ARP request is a recurring topic across multiple IT certification exams. In CompTIA Network+ and A+, you are expected to understand the role of ARP in OSI Model layers (Layer 2 and Layer 3 interaction) and how to view and clear the ARP cache using command-line tools. Questions often ask about the purpose of ARP, what happens when an ARP request fails, or why a device cannot ping a local host.
In CCNA (Cisco Certified Network Associate), ARP is tested in depth. You must know the ARP packet structure, the difference between ARP and Proxy ARP, and how ARP behaves across VLANs. Simulation questions may ask you to examine a router’s ARP table to determine why a specific route is not working. You also need to understand how switches flood ARP broadcasts and how to secure the network with DAI.
For Microsoft Azure (AZ-104) and AWS (AWS-SAA), ARP is less directly tested but appears in networking scenarios. For example, in AWS, you might be asked why an EC2 instance in one subnet cannot communicate with an instance in another subnet, and the correct answer may involve ARP resolution or misconfigured route tables. In Azure, understanding ARP helps when troubleshooting ExpressRoute or VPN connectivity, especially in virtual network peering contexts.
CompTIA Security+ covers ARP from a security standpoint. Questions may describe a man-in-the-middle attack and ask which protocol is being exploited (ARP spoofing). You need to know how ARP cache poisoning works and that enabling dynamic ARP inspection or using static ARP entries is a mitigation.
Google ACE (Google Associate Cloud Engineer) focuses less on low-level ARP, but understanding local network communication in VPCs is necessary. In general, any exam involving networking fundamentals will include ARP. The typical question types are multiple-choice definition, scenario-based troubleshooting, and ordering steps of ARP resolution. Mastering ARP request is a high-yield study area.
Simple Meaning
Imagine you are in a large office building and you need to deliver a letter to a specific person, but you only know their job title, not their exact desk location. You stand in the middle of the open floor and shout loudly, 'Will the person with the job title “Project Manager” please raise their hand and tell me where you sit?' Everyone hears you, but only the project manager responds. That shout is your ARP request.
In computer networking, devices use IP addresses to identify each other logically, but for actual communication over wired or wireless networks, they need a physical address called a MAC address. MAC addresses are like unique serial numbers embedded in network hardware. When two devices are on the same local area network (LAN), they cannot directly send data using just IP addresses. They need to know each other’s MAC addresses to encapsulate data in frames.
The ARP request is the process of asking, 'Who has this IP address?' The request is sent as a broadcast to every device on the local network segment. All devices receive the message, but only the device that owns the IP address responds with its MAC address. This response is called an ARP reply. Once the sender gets the reply, it stores the mapping of IP to MAC address in a table called the ARP cache, so it doesn’t have to ask again for a while.
Think of the ARP cache as a little address book. The first time you need to contact someone, you have to ask around. Once you know their desk number, you write it down. Next time, you just check your address book. Similarly, the ARP cache reduces network chatter, making communication faster and more efficient.
Sometimes the requested device might not be on the same network. If the destination IP is on a different subnet, the sending device will send an ARP request for the MAC address of its default gateway, which is the router that connects to other networks. The router then handles getting the data to the faraway device. This makes ARP requests essential not just for direct local communication, but also for enabling internet access through routers.
In everyday terms, every time you load a webpage, watch a stream, or send a file over a local network, ARP requests are working behind the scenes to ensure data gets to the right physical device. Without them, your data packets would be like letters addressed only to a name, with no street address, and they would never arrive.
Full Technical Definition
The Address Resolution Protocol (ARP) is a request-response protocol used in the Internet Protocol Suite (TCP/IP) to map an IPv4 address to a hardware MAC address. An ARP request is a broadcast Layer 2 frame sent to all devices on a local network segment. The protocol is defined in RFC 826, which specifies its packet structure, operation codes, and behavior.
Packet Structure: An ARP packet is 28 bytes for IPv4 and typically includes hardware type (Ethernet is 1), protocol type (IPv4 is 0x0800), hardware address length (6 bytes for MAC), protocol address length (4 bytes for IPv4), operation code (1 for request, 2 for reply), sender MAC, sender IP, target MAC (set to 00:00:00:00:00:00 for requests), and target IP. The entire ARP packet is encapsulated within an Ethernet frame, using an EtherType value of 0x0806.
How It Works in Detail: When a host needs to send an IP datagram to another host on the same local network, it first checks its ARP cache, a dynamic table storing recent IP-to-MAC mappings. If no entry exists, the host constructs an ARP request broadcast. The Ethernet destination MAC address is set to FF:FF:FF:FF:FF:FF, the broadcast address, ensuring all devices on the LAN process the frame. The request carries the sender’s IP and MAC address, and the target IP address. Every device on the LAN receives the frame, but only the device matching the target IP address processes it. That device updates its own ARP cache with the sender’s IP/MAC, then sends a unicast ARP reply directly back to the requester, containing its own MAC address. The requester adds this mapping to its cache and can now send the original data frame.
Standards and Variations: ARP is defined in RFC 826, and its behavior is further specified in RFC 1122 (Requirements for Internet Hosts). Gratuitous ARP is a special ARP request where a host announces its own IP-to-MAC mapping to the network, often used for IP address conflict detection or after a network interface comes up. Proxy ARP allows a router to respond to an ARP request on behalf of a host on another network segment, effectively making the host appear reachable on the local link. Inverse ARP is used in Frame Relay networks to map a DLCI to an IP address.
ARP Cache Management: The ARP cache entries have a timeout, typically a few minutes for dynamic entries (often 2 minutes for incomplete entries, 20 minutes for resolved entries in many OSes). The cache can also contain static entries configured manually by administrators. ARP cache poisoning is a security attack where an attacker sends forged ARP replies to associate their MAC address with another host’s IP, enabling man-in-the-middle sniffing.
Implementation in Real IT: Network switches forward ARP broadcasts to all ports within the same VLAN. Routers perform ARP requests on the outgoing interface when forwarding packets. In virtualized environments, such as AWS VPC, ARP is handled by the hypervisor’s virtual switch, not the physical network. Tools like arp (on Windows, macOS, Linux) allow users to view and manipulate the ARP cache.
Ethernet uses ARP only for IPv4. IPv6 uses Neighbor Discovery Protocol (NDP), which serves a similar function but uses multicast instead of broadcast and integrates with ICMPv6. ARP is considered a link-layer protocol, though it operates between Layer 2 and Layer 3. In exam contexts, you must understand that ARP requests never cross a router because they are local broadcast messages. They are limited to the same broadcast domain (subnet/VLAN).
Real-Life Example
Imagine you are at a huge conference with thousands of attendees. Each person has a name tag with their job title, but you need to find a specific colleague named 'Sarah' who works in the marketing department. You do not know what she looks like or where she is sitting. You walk to the center of the conference hall and shout loudly, 'Is there a marketing colleague named Sarah here? Please raise your hand and let me know where you are!' Everyone in the room hears you, but only Sarah raises her hand and says, 'I am Sarah! I am sitting at table 42.' You then walk over and talk to her directly. The initial shout is your ARP request.
Now, imagine you have a small notebook. After Sarah tells you where she is, you write down 'Sarah, Marketing, Table 42' in your notebook. The next time you need to find her, you just look in your notebook instead of shouting again. That notebook is your ARP cache. But your notebook entries expire after an hour, so if you haven’t seen Sarah in a while, you may need to shout again to confirm she hasn’t moved.
This analogy maps directly to how ARP works. Your computer is you, the network is the conference hall, every other device is a person, the IP address (like 'Marketing, Sarah') is the logical identifier, and the MAC address (like 'Table 42') is the physical location. The shout is a broadcast ARP request, and Sarah’s response is the unicast ARP reply. The notebook is the ARP cache, and the expiration time keeps the information fresh.
There is one more layer to this analogy. Suppose you actually want to find a person who is in a different building (a different network). You wouldn’t shout in your own conference hall because they cannot hear you. Instead, you would go to the building’s security desk (your default gateway router) and ask them to help you deliver your message. In networking terms, your computer sends an ARP request not for the remote IP, but for the MAC address of the router. The router then handles forwarding the data.
This analogy is powerful because it highlights the fundamental limitation of ARP requests: they are local. Just like your shout cannot be heard two buildings away, an ARP request cannot cross a router. It stays within the same broadcast domain, which is your local subnet or VLAN. Understanding this boundary is crucial for exam questions and real troubleshooting.
Why This Term Matters
ARP request is a foundational process that enables local network communication. Without ARP, devices on the same Ethernet or Wi-Fi network could not translate IP addresses into MAC addresses, and all IP-based communication would fail. It is the glue that connects the logical addressing of Layer 3 (IP) to the physical addressing of Layer 2 (MAC). Every time you ping a local device, open a file share, or stream video to a local media server, an ARP request (or cached entry) is involved.
For IT professionals, understanding ARP is essential for network troubleshooting. When a device cannot communicate with a neighbor, checking the ARP cache is often one of the first diagnostic steps. A missing or stale ARP entry can cause intermittent connectivity. Tools like 'arp -a' on Windows or Linux reveal local cache entries and help identify duplicate IP addresses or failed resolution attempts.
Security professionals also need to understand ARP because of ARP spoofing attacks, which are used in man-in-the-middle attacks on switched networks. Defenses like Dynamic ARP Inspection (DAI) on managed switches are deployed specifically to prevent such threats. In exam scenarios, you may be asked to identify the root cause of a connectivity issue by analyzing ARP behavior, or to choose the correct response to an ARP-related security question.
In cloud environments, such as AWS, ARP is abstracted, but the principle still applies internally. For example, when an EC2 instance sends traffic within its VPC, the hypervisor processes ARP requests on behalf of virtual interfaces. Understanding ARP helps you troubleshoot network interfaces, default routes, and subnet configurations in both on-premises and cloud contexts.
How It Appears in Exam Questions
Exam questions about ARP requests fall into a few patterns. The most common is direct definition: 'Which protocol is used to resolve an IP address to a MAC address?' or 'What is the purpose of an ARP request?' These are straightforward and test your basic understanding.
Scenario-based questions are more challenging. For example: 'A workstation on subnet 192.168.1.0/24 cannot communicate with a server at 192.168.1.100. The workstation’s ARP cache shows no entry for 192.168.1.100. What is the most likely cause?' The correct answer might involve a misconfigured firewall blocking ARP, network interface failure, or the server being offline. Another scenario: 'A user reports intermittent connectivity to a local printer. The IT technician clears the ARP cache on the user’s PC, and connectivity is restored. Why?' This tests your understanding of stale ARP entries.
Configuration-based questions appear in CCNA. You might be given a show output from a router: 'Router# show arp' and asked to interpret the entries, including the interface, IP, MAC, and type (dynamic/static). Or you may be asked to choose the correct command to display the ARP table on a Cisco device ('show ip arp').
Troubleshooting questions often involve an ARP request failing. For instance: 'A technician is troubleshooting connectivity between two PCs in the same VLAN. Both PCs can ping their own loopback but cannot ping each other. ARP requests are not being answered. Which device layer is most likely the issue?' The answer could be Layer 2 (switch misconfiguration, VLAN mismatch, or a port security issue).
Security questions may present a scenario where an attacker sends fake ARP replies. The exam might ask: 'What type of attack is this?' (ARP spoofing) and 'Which technology on a switch can prevent it?' (Dynamic ARP Inspection). Memorizing the attack vectors and defenses is crucial for Security+.
Ethernet frame encapsulation can also appear: 'In an ARP request, what is the destination MAC address?' (Broadcast: FF:FF:FF:FF:FF:FF). Or 'At which OSI layers does ARP operate?' (Most accurately, it bridges Layer 2 and 3, but common answers are Layer 2 or Layer 3 depending on the exam. Network+ often treats it as Layer 2.)
Finally, you may see ordering or sequence questions: 'Put the steps of ARP resolution in the correct order: ARP request broadcast, checking ARP cache, ARP reply unicast, adding entry to ARP cache.' Always lead with the cache check first, then the broadcast, reply, and cache update.
Practise ARP request Questions
Test your understanding with exam-style practice questions.
Example Scenario
You are a help desk technician supporting a small office. An employee, Jamie, reports that she cannot access the company’s shared file server. Jamie’s computer has IP address 192.168.1.15, and the file server has IP address 192.168.1.100. Both are on the same subnet with no router between them.
You first ask Jaime to try pinging the file server. She reports 'Request timed out.' You then ask her to open a command prompt and type 'arp -a' to display her ARP cache. The cache shows no entry for 192.168.1.100. This tells you that her computer does not know the MAC address of the file server.
Next, you ask Jaime to ping the file server again. While she does, you ask her to run a packet capture using Wireshark (or a simpler tool) to see if any ARP request is sent. You see that an ARP request is sent as a broadcast to the network, asking 'Who has 192.168.1.100? Tell 192.168.1.15.' But no ARP reply comes back. This indicates that either the file server is offline, its network cable is unplugged, or there is a switch port issue preventing the reply.
You walk to the file server room. The server appears powered on. You check the switch port it is connected to. The LED on the switch is not lit. You reseat the Ethernet cable on both ends, and the LED turns green. Back at Jaime’s desk, she pings the server successfully. You run 'arp -a' again, and now there is an ARP entry for 192.168.1.100. The issue was a loose cable causing the file server to be unreachable. The ARP request was sent, but the server never received it because its network interface was disconnected. This scenario shows how ARP requests are a critical diagnostic tool.
Common Mistakes
Thinking ARP requests can cross routers.
ARP requests are broadcast frames that do not cross a router because routers do not forward broadcasts by default. They are confined to the same local subnet.
Understand that ARP is only for local network communication. For remote networks, the host sends an ARP request for the gateway's MAC address, not the destination's.
Believing ARP operates only at Layer 2.
While ARP uses Layer 2 frames, it carries IP addresses which are Layer 3 information. It is often described as a Layer 2.5 or protocol that bridges Layers 2 and 3.
Know that ARP encapsulates an IP address request inside a Layer 2 broadcast frame. Most exam definitions treat it as a Layer 2 protocol, but understand the IP involvement.
Assuming ARP request is always needed before every packet.
Once the ARP cache has an entry, the host uses the cached MAC address without sending another ARP request until the entry times out or is cleared.
Remember the ARP cache reduces overhead. An ARP request is only sent when there is no cache entry for the target IP.
Confusing ARP request with DNS request.
DNS resolves domain names to IP addresses, not MAC addresses. ARP resolves IP addresses to MAC addresses.
Associate DNS with URLs, ARP with local hardware addresses. If the question mentions mapping an IP to a physical address, it is ARP.
Thinking the ARP request target MAC is set to the target device's MAC.
In an ARP request, the target MAC address field is set to 00:00:00:00:00:00 because the sender does not yet know the target's MAC.
In an ARP request, the target MAC is unknown (all zeros). The target MAC is filled in only in the ARP reply. The destination MAC of the Ethernet frame is the broadcast address.
Believing ARP works for IPv6.
IPv6 uses Neighbor Discovery Protocol (NDP) instead of ARP for MAC address resolution.
Know that ARP is IPv4 only. For IPv6, the analogous process is NDP using ICMPv6 messages.
Exam Trap — Don't Get Fooled
{"trap":"The question implies that an ARP request is sent every time a device communicates with another on the same network.","why_learners_choose_it":"Learners may assume the protocol name implies a request is always made. They might not fully grasp the caching mechanism."
,"how_to_avoid_it":"Always read the scenario: if the ARP cache already contains a valid entry, the request is unnecessary. Caching is a key performance feature."
Commonly Confused With
A DNS request resolves a human-readable domain name (like google.com) into an IP address. An ARP request resolves an IP address into a MAC address. They operate at different layers and for different purposes.
When you type a website address, your computer first does a DNS lookup to get the IP. Then, to send data on the local network, it may perform an ARP request to get the MAC address of the next-hop device.
A DHCP request is used to obtain an IP address from a DHCP server, including other configuration like subnet mask and gateway. An ARP request assumes the device already has an IP address and needs to resolve a neighbor’s MAC.
When your laptop connects to Wi-Fi, it sends a DHCP request to get an IP. After it has the IP, it uses ARP to find other devices like the router.
Ping uses ICMP (Internet Control Message Protocol) to test reachability and round-trip time. Ping does not resolve MAC addresses. However, before a ping packet can be sent, an ARP request may be needed first.
You can ping an IP address, but the ping will fail if the ARP request does not get a reply first, because the Ethernet frame cannot be built without the MAC address.
Neighbor Solicitation is the IPv6 counterpart of ARP request. It is sent as a multicast message to resolve an IPv6 address to a MAC address, but it uses ICMPv6 and does not rely on broadcast.
In an IPv6 network, instead of an ARP request, a device sends a Neighbor Solicitation message to the solicited-node multicast address.
Step-by-Step Breakdown
Application generates data
A user or application wants to send IP data to another host. The IP layer constructs a packet with source and destination IP addresses.
Check routing table
The sending host consults its routing table to determine if the destination IP is on the same local network or a remote network. If local, it proceeds to ARP resolution. If remote, it uses the gateway IP for resolution.
Check ARP cache
The host looks up the destination (or gateway) IP in its ARP cache. If a matching entry exists, it extracts the MAC address and skips the request. The data frame is built directly.
Build ARP request packet
If no cache entry is found, the host builds an ARP request. The operation code is set to 1 (request). The sender MAC and IP are its own. The target IP is set to the IP it wants to resolve. The target MAC is set to 00:00:00:00:00:00.
Encapsulate in Ethernet broadcast frame
The ARP request is placed inside an Ethernet frame with destination MAC FF:FF:FF:FF:FF:FF. This broadcast ensures every device on the local network receives the frame. The EtherType field is 0x0806.
Transmit frame
The host sends the frame out through its network interface. Switches forward this broadcast frame to all ports in the same VLAN (except the incoming port).
Target device processes request
Every device on the LAN receives the frame. The network interface checks if the destination MAC is broadcast. If so, the ARP module inspects the target IP. Only the device whose IP matches processes the request. Others discard the frame.
Update ARP cache on target
The target device records the sender's IP and MAC address from the ARP request into its own ARP cache. This helps future communication.
Build ARP reply
The target device constructs an ARP reply (operation code 2). It sets sender MAC and IP to its own, target MAC and IP to the original requester's. This is a unicast frame, directly addressed to the requester's MAC.
Receive ARP reply and update cache
The original host receives the unicast ARP reply. It extracts the MAC address associated with the target IP and adds this mapping to its ARP cache. The cached entry has a timeout (e.g., 20 minutes).
Send original data frame
With the MAC address now known, the host can encapsulate the original IP packet into an Ethernet frame with the correct destination MAC. The data is transmitted to the target device.
Practical Mini-Lesson
To practice ARP in action, open a command prompt on your computer. On Windows, type 'arp -a' to see all current ARP cache entries. You will see lines like '192.168.1.1 aa-bb-cc-dd-ee-ff dynamic'. The IP is the gateway, the MAC is its physical address, and 'dynamic' means it was learned through ARP.
Next, clear the cache by typing 'arp -d *' (on Windows) or 'sudo arp -d <IP>' on Linux. Immediately after, try pinging a device on your local network, say your router or another computer. While the ping runs, quickly run 'arp -a' again. You will likely see the entry reappear as a dynamic entry. This shows the request-reply cycle.
For deeper practice, use Wireshark to capture an ARP request and reply. Start the capture on your interface, then ping a local IP that is not in your cache. Filter the capture by typing 'arp' in the display filter. Double-click on an ARP request packet. Examine the fields: Hardware type (1 for Ethernet), Protocol type (0x0800 for IPv4), Hardware size (6), Protocol size (4), Opcode (1 for request), Sender MAC, Sender IP, Target MAC (zeros), Target IP. Then find the corresponding ARP reply (Opcode 2) and see the target MAC filled in.
Professionals often use ARP to identify devices. For example, if you have an IP that is causing a problem, you can look up its MAC in the ARP table and then check a switch's MAC address table to find the exact physical port. This is a common troubleshooting method in networking.
In a busy network, excessive ARP traffic can be a symptom of a problem. For example, a misconfigured device might send constant ARP requests, or a host might be scanning the network. Tools like 'arpwatch' can monitor ARP activity and alert on changes. Understanding how to interpret ARP packets is a core skill for network administrators.
In cloud environments, you cannot inspect the physical ARP cache directly, but AWS provides flow logs that indicate connectivity issues that essentially stem from layer 2 resolution problems. Knowing ARP helps you reason about why a packet is dropped between subnets or why a load balancer cannot reach a target.
Finally, remember that ARP is unauthenticated. Any device can respond to an ARP request, which is the basis for ARP spoofing. In a secure environment, you should implement Dynamic ARP Inspection on managed switches. This involves enabling DHCP snooping and DAI to validate ARP packets. This practical knowledge is vital for both security and network exams.
Troubleshooting Clues
Stale ARP entry after MAC address change
Symptom: Host A can ping itself but cannot ping Host B after Host B's NIC was replaced. Old MAC address still in ARP cache.
The ARP cache on Host A still has the old MAC address for Host B's IP. Since the MAC is incorrect, frames are sent to the wrong device or dropped.
Exam clue: Exams give a scenario: 'A tech replaced a NIC, but the workstation cannot reach the server. The IP is correct, ping fails.' Correct answer: clear the ARP cache.
ARP request not answered (no ARP reply)
Symptom: Ping from Host A to Host B times out. ARP -a on Host A shows 'incomplete' for Host B's IP.
Host A sent an ARP request broadcast, but Host B did not reply. Possible causes: Host B is down, VLAN mismatch, firewall blocking broadcast, or incorrect subnet mask on Host B.
Exam clue: Tested in Network+ and CCNA: 'Incomplete' ARP entry indicates the destination host did not respond. Questions ask for the next step: check if the destination is powered on or configured correctly.
Duplicate IP address causing ARP conflict
Symptom: Intermittent connectivity. ARP table shows two different MAC addresses for the same IP address.
Two devices on the same subnet have the same IP. ARP requests from different hosts may be answered by different devices, causing flapping entries.
Exam clue: Exams present a scenario with random ping failures and ask for the cause: duplicate IP. Also tested in security+ as a potential ARP spoofing symptom.
ARP timeout causing periodic disconnects
Symptom: Host A can connect to Host B initially, but after about 60 seconds of inactivity, the connection drops and needs to re-establish.
Default ARP cache timeout (e.g., 60 seconds on some OS) removes the entry. A new ARP request must be sent, causing a brief delay or drop if the reply does not arrive quickly.
Exam clue: Tested in CCNA and Network+ as a cause of periodic connectivity loss. Questions ask why VPN or SSH sessions drop after a minute of idle time.
Gratuitous ARP from a misconfigured device
Symptom: Spontaneous network disconnects for multiple hosts; ARP tables change without explanation.
A misconfigured or rogue device sends unsolicited ARP replies (gratuitous ARP) with its MAC for a different IP, overwriting legitimate entries. Causes traffic to be redirected.
Exam clue: Security+ and CCNA exam questions describe a sudden loss of connectivity to the gateway. Answer may be 'ARP spoofing/poisoning' or 'gratuitous ARP attack'.
Proxy ARP causing unexpected reachability
Symptom: Host A can ping Host B even though Host B is on a different subnet, but Host A has no gateway configured.
A router on the same subnet as Host A is configured with proxy ARP. It answers ARP requests for Host B on behalf of Host B, causing Host A to think Host B is local.
Exam clue: Tested in CCNA as a subtle issue: 'Users can communicate across subnets without a default gateway.' The correct answer is proxy ARP is enabled on the router.
ARP request blocked by switch port security
Symptom: Host A cannot ping any other host. ARP table shows no entries. Switch logs show port-security violation for Host A's MAC.
Switch port security limits the number of MAC addresses per port. If the limit is exceeded (e.g., after connecting a hub), the port is err-disabled or drops traffic, including ARP broadcasts.
Exam clue: Network+ and CCNA exam questions: 'After connecting a small switch, users cannot communicate.' The answer is port security violation causing the port to shut down.
ARP request broadcast not forwarded across VLANs without inter-VLAN routing
Symptom: Host in VLAN 10 cannot ping Host in VLAN 20, even though they are on the same physical switch. ARP cache shows 'incomplete' for the target IP.
ARP requests are broadcasts and are not forwarded across VLANs by default. To communicate, a router or Layer 3 switch must be configured with an SVI (switched virtual interface).
Exam clue: CCNA exam classic: 'Two PCs on same switch but different VLANs cannot ping each other.' The answer: configure inter-VLAN routing (router-on-a-stick or Layer 3 switch).
Memory Tip
Think 'ARP is the local phone book for IP to MAC.' When you need a number, you broadcast a request, and only the correct person replies.
Learn This Topic Fully
This glossary page explains what ARP request means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
200-301Cisco CCNA →N10-009CompTIA Network+ →SY0-701CompTIA Security+ →AZ-104AZ-104 →ACEGoogle ACE →SAA-C03SAA-C03 →220-1101CompTIA A+ Core 1 →Related Glossary Terms
802.1Q is the networking standard that allows multiple virtual LANs (VLANs) to share a single physical network link by tagging Ethernet frames with VLAN identification information.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
Quick Knowledge Check
1.A network technician receives reports that a user cannot access the company file server. The technician pings the server's IP address from the user's workstation and receives 'Request timed out.' The technician runs 'arp -a' and sees an 'incomplete' entry for the server's IP. What is the most likely cause?
2.After replacing a faulty network interface card (NIC) in a server, several clients report that they can no longer connect to the server via its IP address. The server is online and can ping itself. What command should the network administrator run on the client machines to resolve the issue?
3.A network administrator notices that the ARP table on a router shows two different MAC addresses for the same IP address over a period of 10 minutes. Users report intermittent connectivity. What is the most likely issue?
4.A network engineer configures a router with the command 'ip proxy-arp' on an interface. What is the immediate effect on ARP behavior?
5.A user reports that their computer can connect to the network for about 60 seconds after boot, then loses connectivity. After a minute of no activity, the connection comes back briefly. What is the most likely cause?
6.A switch port is configured with port security and a maximum MAC address count of 1. A user plugs a small unmanaged switch into that port to connect two additional devices. What will happen to ARP requests from those devices?
Frequently Asked Questions
What happens if no device responds to an ARP request?
The requesting device will have an incomplete ARP cache entry for that IP. Any attempt to communicate will fail because the Ethernet frame cannot be built. The application will see a timeout or destination unreachable error.
Can I have multiple IPs resolved to the same MAC address in the ARP table?
Yes, in most cases a device with multiple IP addresses (virtual IPs) can have them all mapped to the same MAC. Each IP will have its own ARP entry.
Is ARP secure?
No, ARP has no authentication mechanism. Any device can send an ARP reply, enabling ARP spoofing attacks. Security measures like Dynamic ARP Inspection (DAI) are used to mitigate this.
How long does an ARP cache entry last?
It varies by operating system, but typical dynamic entry timeout is 2 minutes for incomplete entries and up to 20 minutes for resolved entries. Static entries can be set without expiration.
Does ARP work for wireless networks?
Yes, ARP works the same way on Wi-Fi networks. The access point forwards broadcast ARP requests to all associated stations in the same SSID and VLAN.
What is the difference between ARP and RARP?
RARP (Reverse ARP) is an older protocol that did the opposite: it asked for an IP address given a MAC address. It has been replaced by DHCP and BOOTP.
Is it possible to see ARP requests in a firewall log?
Generally, standard firewalls do not log ARP because ARP is below the IP layer. However, layer 2 security appliances or specialized network monitoring tools can capture ARP traffic.
Can I disable ARP on my computer?
Disabling ARP is not practical because your computer would not be able to communicate with other devices on the local network. Instead, you can add static ARP entries if needed for security.
Summary
An ARP request is a fundamental network process that resolves an IPv4 address to a MAC address on the same local network. It operates as a broadcast frame, eliciting a unicast reply from the device with the matching IP. The protocol is crucial because it bridges Layer 2 and Layer 3, enabling actual data transmission over Ethernet and Wi-Fi.
Without ARP, devices would not be able to send data to each other even if they knew each other IPs. The ARP cache optimizes performance by storing resolved mappings temporarily, reducing broadcast overhead. Understanding ARP is essential for network troubleshooting, as stale or missing entries are common causes of local connectivity problems.
In certification exams, ARP appears in multiple-choice, scenario, and simulation questions across CompTIA, Cisco, AWS, Azure, and Security+ exams. Key takeaways include: ARP is local only, ARP requests use broadcast MAC address, ARP replies are unicast, and ARP is vulnerable to spoofing. Clear understanding of ARP step-by-step resolution helps you troubleshoot and pass exam questions with confidence.