N10-009 | Chapter 146 of 163 | Objective 5.3

ARP Table Troubleshooting

This chapter covers ARP table troubleshooting, a critical skill for network administrators and a frequent topic on the CompTIA Network+ N10-009 exam. You will learn how the ARP cache works, common issues that arise, and systematic troubleshooting methods. Approximately 5-10% of exam questions in domain 5.0 (Network Troubleshooting) involve ARP-related problems, often in conjunction with scenarios like IP conflicts, duplicate MACs, or connectivity failures.

25 min read
Intermediate
Updated May 31, 2026

ARP Table as a Campus Directory

Imagine a large corporate campus where every building has a unique street address (IP address) but also a specific building number (MAC address) painted on the side. The campus directory at the main gate (ARP table) maps each employee's name (IP) to their building number (MAC). When a new employee arrives (a host joins the network), they must first check in at security (broadcast an ARP request) to announce their presence and learn the building numbers of others. Security then updates the directory (ARP cache) with the new mapping. If an employee moves to a different building (IP address changes or is reassigned), the directory must be updated; otherwise, mail (packets) will be delivered to the wrong building. The directory entries have a timeout (ARP cache timeout) to automatically clear out stale information. If the directory is too small (ARP cache size limit), older entries may be removed to make space for new ones. An attacker could trick security by claiming to be in a different building (ARP spoofing) to intercept mail, so security must be vigilant (use dynamic ARP inspection).

How It Actually Works

What is the ARP Table?

The Address Resolution Protocol (ARP) table, also called the ARP cache, is a data structure maintained by every device with an IP stack (hosts, routers, switches with Layer 3 capabilities). It maps IPv4 addresses to MAC addresses on a local network segment. The ARP table is essential for delivering frames at Layer 2; without it, a device cannot determine the destination MAC address for a frame sent to another device on the same subnet.

How ARP Works Internally

When Host A wants to send an IP packet to Host B on the same Ethernet network, it must encapsulate the packet in an Ethernet frame. The frame requires a destination MAC address. Host A first checks its ARP cache for an entry matching Host B's IP address. If a mapping exists, it uses that MAC address. If not, Host A must discover it via ARP.

1. ARP Request: Host A broadcasts an ARP request frame (destination MAC: FF:FF:FF:FF:FF:FF) to all devices on the local network. The request includes Host A's IP and MAC (sender protocol/hardware address) and the target IP address (Host B). The target MAC is set to 00:00:00:00:00:00 (unknown).

2. ARP Reply: Host B, seeing its own IP as the target, sends a unicast ARP reply directly to Host A. The reply includes Host B's MAC address. Other hosts ignore the request because the target IP is not theirs.

3. Cache Update: Host A receives the reply and adds an entry to its ARP cache: Host B's IP -> Host B's MAC. The entry has a timer (typically 120-300 seconds for dynamic entries on Windows; Cisco routers default to 14400 seconds, as described under ARP Cache Timers and Defaults below).

4. Frame Transmission: Host A now has the MAC address and can construct the Ethernet frame with destination MAC = Host B's MAC.

ARP Cache Timers and Defaults

Windows (10/11/Server): Default ARP cache timeout for dynamic entries is 120 seconds (2 minutes). For static entries, it is infinite unless removed manually.

Linux: Default ARP cache timeout varies by distribution; commonly 60 seconds for base_reachable_time (the time an entry remains valid after last use). The kernel uses a garbage collection mechanism (gc_stale_time) of 60 seconds.

Cisco IOS: Default ARP cache timeout is 14400 seconds (4 hours) for dynamic entries. This long timeout can cause issues if a device's NIC is replaced (MAC changes) or if IP addresses are reassigned.

macOS: Default timeout is 1200 seconds (20 minutes) for dynamic entries.
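The four-step exchange above, the per-entry timer just described, and the gratuitous-ARP conflict check covered later in this chapter are modelled in the following Python. It is an added example written for this chapter, not code from the original page: the 28-byte ARP layout is the standard Ethernet/IPv4 one, while the MACs, IPs, timestamps and the 14400-second timeout (taken from the Cisco default above) are constructed for illustration.

```python
import struct

# Added example (not from the chapter): a minimal ARP encoder/decoder plus a cache
# model with the timeout behaviour described above. The MACs, IPs and timestamps
# below are constructed for illustration.

ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ARP_FORMAT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))

def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Encode the 28-byte ARP payload for Ethernet (htype 1) over IPv4 (ptype 0x0800)."""
    return struct.pack(ARP_FORMAT, 1, 0x0800, 6, 4, op,
                       mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                       mac_to_bytes(target_mac), ip_to_bytes(target_ip))

def parse_arp(payload):
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FORMAT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sender_mac": bytes_to_mac(sha), "sender_ip": bytes_to_ip(spa),
            "target_mac": bytes_to_mac(tha), "target_ip": bytes_to_ip(tpa)}

def arp_request(my_mac, my_ip, target_ip):
    """Step 1: broadcast frame, target MAC unknown (all zeros).
    Returns (Ethernet destination MAC, ARP payload)."""
    return BROADCAST_MAC, build_arp(ARP_REQUEST, my_mac, my_ip, ZERO_MAC, target_ip)

def arp_reply(my_mac, my_ip, request_payload):
    """Step 2: only the owner of the target IP answers, unicast to the requester.
    Returns None when this host must stay silent."""
    req = parse_arp(request_payload)
    if req["op"] != ARP_REQUEST or req["target_ip"] != my_ip:
        return None
    return req["sender_mac"], build_arp(ARP_REPLY, my_mac, my_ip,
                                        req["sender_mac"], req["sender_ip"])

def is_gratuitous(payload):
    """Gratuitous ARP announces the sender's own address: sender IP == target IP."""
    p = parse_arp(payload)
    return p["sender_ip"] == p["target_ip"]

def conflicts_with_me(payload, my_ip, my_mac):
    """Duplicate-IP detection: some other MAC is claiming my IP."""
    p = parse_arp(payload)
    return p["sender_ip"] == my_ip and p["sender_mac"] != my_mac

class ArpCache:
    """Step 3: IP -> MAC mappings with a per-entry timer. `now` is passed in (seconds)
    so the expiry can be shown without waiting on a real clock."""
    def __init__(self, timeout):
        self.timeout = timeout
        self.entries = {}  # ip -> (mac, learned_at)

    def learn(self, ip, mac, now):
        self.entries[ip] = (mac, now)

    def lookup(self, ip, now):
        entry = self.entries.get(ip)
        if entry is None:
            return None  # missing: the stack must send a new request
        mac, learned_at = entry
        if now - learned_at > self.timeout:
            del self.entries[ip]  # timer expired: treated as missing
            return None
        return mac

    def flush(self, ip):
        """Equivalent of arp -d <IP> on a host or clear arp-cache on a router."""
        self.entries.pop(ip, None)

def stale_entry_demo(timeout=14400):
    """A NIC is replaced and keeps its IP; the old mapping lingers until the timer
    (Cisco default 14400 s) expires or an operator clears it. Returns (stale, fresh, expired)."""
    cache = ArpCache(timeout)
    cache.learn("192.168.1.50", "00:1a:2b:3c:4d:5e", now=0)        # learned from the old NIC
    stale = cache.lookup("192.168.1.50", now=600)                  # NIC replaced; still old MAC
    cache.flush("192.168.1.50")                                    # operator clears the entry
    cache.learn("192.168.1.50", "00:1a:2b:3c:4d:99", now=600)      # reply from the new NIC
    fresh = cache.lookup("192.168.1.50", now=601)
    expired = cache.lookup("192.168.1.50", now=600 + timeout + 1)  # idle past the timer
    return stale, fresh, expired
```

`stale_entry_demo()` returns the old MAC, then the new MAC after the flush, then `None` once the timer has run out with no traffic; that is exactly the window during which the chapter's NIC-replacement scenario loses connectivity, and why a long default timeout matters.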

ARP Table Structure

Each entry contains:

- IP address (IPv4)
- MAC address (48-bit hardware address)
- Interface (which network interface the entry is associated with)
- Type: Dynamic (learned via ARP), Static (manually configured), or Incomplete (ARP request sent but no reply yet)
- Timer: Remaining time before the entry is removed (if dynamic)

Verification Commands

Windows: arp -a (shows all entries)

Linux/macOS: arp -n (shows entries without resolving hostnames) or ip neigh show

Cisco IOS: show ip arp or show arp

Cisco NX-OS: show ip arp

Juniper JunOS: show arp

Example output from arp -a on Windows:

Interface: 192.168.1.10 --- 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.20          00-1a-2b-3c-4d-5f     dynamic
  192.168.1.100         00-1a-2b-3c-4d-60     static

Common ARP Issues

Incomplete ARP Entries

When a host sends an ARP request but never receives a reply, the entry remains in "Incomplete" state (on Linux/Windows, it may not appear at all). This indicates that the target host is unreachable (down, wrong subnet, or firewall blocking ARP).

Duplicate IP Addresses

If two hosts have the same IP address, ARP requests will receive replies from both, causing the ARP cache to flip-flop between two MAC addresses. This results in intermittent connectivity. The arp -a output will show the same IP with different MACs over time.
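The "run arp -a repeatedly and watch the MAC" check described here is easy to automate. The following Python is an added example (not from the chapter): it parses Windows `arp -a` output in the layout shown above, compares successive snapshots, and reports IPs whose MAC changed as well as MACs that answer for several IPs. The three snapshots are constructed; only their layout matches real output.

```python
import re

# Added example (not from the chapter): parse Windows `arp -a` output and compare
# successive snapshots, automating the manual "run arp -a repeatedly" check.
# The three snapshots below are constructed; only the layout matches real output.
SNAPSHOTS = [
    """Interface: 192.168.1.10 --- 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.20          00-1a-2b-3c-4d-5f     dynamic
  192.168.1.100         00-1a-2b-3c-4d-60     static
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
""",
    """Interface: 192.168.1.10 --- 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-99     dynamic
  192.168.1.20          00-1a-2b-3c-4d-5f     dynamic
  192.168.1.21          00-1a-2b-3c-4d-5f     dynamic
  192.168.1.100         00-1a-2b-3c-4d-60     static
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
""",
    """Interface: 192.168.1.10 --- 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.20          00-1a-2b-3c-4d-5f     dynamic
  192.168.1.100         00-1a-2b-3c-4d-60     static
""",
]

IFACE_RE = re.compile(r"^Interface:\s+(\d+\.\d+\.\d+\.\d+)\s+---\s+(0x[0-9a-fA-F]+)")
ENTRY_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(dynamic|static)\s*$")

def normalize_mac(mac):
    """Windows prints 00-1a-2b-...; use the colon form used elsewhere in this chapter."""
    return mac.lower().replace("-", ":")

def is_group_mac(mac):
    """Broadcast/multicast MACs have the I/G bit set; they never identify a single host."""
    return int(mac.split(":")[0], 16) & 0x01 == 1

def parse_arp_a(text):
    """Return a list of {interface, ip, mac, type} dicts from `arp -a` output."""
    entries, iface = [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"interface": iface, "ip": m.group(1),
                            "mac": normalize_mac(m.group(2)), "type": m.group(3)})
    return entries

def mac_history(snapshots):
    """ip -> distinct unicast MACs seen across the snapshots, in order of appearance."""
    history = {}
    for text in snapshots:
        for e in parse_arp_a(text):
            if is_group_mac(e["mac"]):
                continue
            seen = history.setdefault(e["ip"], [])
            if e["mac"] not in seen:
                seen.append(e["mac"])
    return history

def find_flapping(snapshots):
    """IPs whose MAC changed between snapshots: duplicate-IP or ARP-poisoning suspects."""
    return {ip: macs for ip, macs in mac_history(snapshots).items() if len(macs) > 1}

def find_shared_macs(entries):
    """Within one snapshot, unicast MACs that answer for more than one IP."""
    by_mac = {}
    for e in entries:
        if not is_group_mac(e["mac"]):
            by_mac.setdefault(e["mac"], []).append(e["ip"])
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}
```

In the constructed data the gateway 192.168.1.1 flips between two MACs, which is the symptom the text describes for a duplicate IP or a poisoned cache. A single MAC answering for several IPs (here 00:1a:2b:3c:4d:5f for .20 and .21) is also what proxy ARP looks like from the host's side, so treat that finding as a prompt to check the router rather than as proof of a duplicate MAC.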

ARP Spoofing/Poisoning

An attacker sends forged ARP replies to associate their MAC with the IP of a legitimate host (e.g., the default gateway). This allows man-in-the-middle attacks. Dynamic ARP Inspection (DAI) on switches can prevent this by validating ARP packets against a trusted database (DHCP snooping binding).

Stale ARP Entries

If a device's NIC is replaced or its IP is reassigned, the old ARP entry remains until it times out. During that period, traffic is sent to the old MAC, causing connectivity failure. Clearing the entry manually (arp -d <IP> on Windows or Linux, ip neigh flush dev <interface> on Linux, clear arp-cache on Cisco IOS) resolves the issue.

ARP and Subnet Masks

ARP is only used for communication within the same broadcast domain (same subnet). If a host wants to send to a different subnet, it sends the packet to its default gateway. The ARP table will contain the gateway's IP and MAC, not the remote host's MAC.

Proxy ARP

A router can be configured to answer ARP requests on behalf of another device (e.g., a host on a different subnet). This is called proxy ARP. It allows hosts to behave as if they are on the same subnet even when they are not. Proxy ARP is enabled by default on Cisco routers. Troubleshooting proxy ARP involves checking show ip interface for "Proxy ARP is enabled".

Gratuitous ARP

A host sends an ARP reply without being asked, typically when its IP address changes or it boots up. This updates other hosts' ARP caches. Gratuitous ARP is used for IP address conflict detection (if you see a reply for your own IP, there is a conflict).

ARP and VLANs

In a switched network with VLANs, ARP broadcasts are confined to the VLAN. The ARP table on a router-on-a-stick will have entries for each VLAN subinterface.

Troubleshooting Methodology

1. Check the ARP table on the source device: Use arp -a to see if the destination IP has an entry. If not, ping the destination to trigger ARP.

2. Check the ARP table on the destination device: Ensure it has an entry for the source.

3. Look for incomplete entries: An incomplete entry indicates no reply was received; check Layer 1/2 connectivity.

4. Check for duplicate IPs: Use arp -a repeatedly to see if the MAC changes.

5. Clear the ARP cache: If stale entries are suspected, clear the cache and retest.

6. Check firewalls: Some firewalls block ARP on certain interfaces.

7. Check the switch MAC table: Ensure the switch knows which port the destination MAC is on.

Interaction with Related Technologies

DHCP: When a device obtains an IP via DHCP, it may send a gratuitous ARP to check for conflicts. The DHCP server can use ARP to verify address availability.

NAT: NAT devices maintain ARP entries for the inside and outside interfaces. Troubleshooting NAT often involves verifying ARP for the outside interface's IP.

VRRP/HSRP: Virtual gateway IPs use a virtual MAC; ARP entries point to this virtual MAC. If the active router changes, gratuitous ARP updates the cache.

Walk-Through

1. Identify the Problem

Determine the specific symptom: host cannot reach another host on the same subnet, intermittent connectivity, or complete failure. Use ping to test. If ping fails with 'Destination Host Unreachable', the issue may be ARP-related (no MAC mapping) or Layer 2. If ping works but higher-layer apps fail, ARP is likely fine. Document the source and destination IPs, and the subnet mask to confirm they are on the same subnet.

2. Check ARP Cache on Source

Run `arp -a` (Windows) or `arp -n` (Linux) on the source device. Look for an entry for the destination IP. If the entry exists and shows a MAC address, note the type (dynamic/static) and timer. If the entry is incomplete or missing, the source has not received an ARP reply. If the entry shows a MAC other than the one you expect for that host (for example, the MAC of a different known device), suspect an IP conflict or spoofing.

3. Verify Layer 1 and 2 Connectivity

Check physical cabling, switch ports, and VLAN membership. Ensure both devices are on the same VLAN (broadcast domain). Use `show interfaces` on the switch to verify port status and VLAN. Check the switch's MAC address table (`show mac address-table`) to see if the destination MAC is learned on the expected port. If the MAC is on a different port or missing, there may be a loop or misconfiguration.

4. Send and Capture ARP Traffic

Use a packet capture tool (e.g., Wireshark) on the source to see if ARP requests are sent. Filter for 'arp'. If no ARP request is seen, the source is not generating one (check IP stack). If ARP requests are sent but no reply, the destination may be down, firewalled, or on a different subnet. If replies are received, verify the MAC in the reply matches the expected destination MAC.

5. Clear ARP Cache and Retest

If a stale entry is suspected, clear the ARP cache on the source using `arp -d <IP>` (Windows) or `ip neigh flush dev <interface>` (Linux). Then retest connectivity. This forces a fresh ARP request. On routers, use `clear arp-cache` (Cisco IOS). After clearing, check the ARP table again to see if the correct MAC is learned. If the problem persists, move to the next step.

6. Check for Duplicate IPs

If the ARP cache shows the destination IP with a MAC that is not the intended host, there may be a duplicate IP. Run `arp -a` repeatedly and see if the MAC changes. On Windows, you can use `ping -a <IP>` to see the hostname. On the switch, check the ARP table (`show ip arp`) for the same IP on multiple interfaces. Use `show mac address-table address <MAC>` to find the port. If the same MAC is learned on two ports, or flaps between them, a MAC address is duplicated.

7. Examine Proxy ARP and Router Config

If the destination is on a different subnet but proxy ARP is enabled, the source may think the destination is local. Check the router's interface configuration with `show ip interface` for 'Proxy ARP is enabled'. If proxy ARP is misconfigured, disable it with `no ip proxy-arp`. Also verify that the default gateway is correctly configured on the source. On the gateway, check its ARP table for the destination IP; if it is missing, the gateway cannot route to that host.

What This Looks Like on the Job

Scenario 1: IP Address Conflict in a Corporate LAN

A large organization uses DHCP to assign IP addresses. A user complains of intermittent network drops. The network engineer runs arp -a on the user's machine and sees the default gateway's MAC address changing every few seconds. Checking the DHCP server logs reveals that two devices were assigned the same IP due to a misconfigured reservation. The engineer clears the ARP cache on both devices and corrects the DHCP reservation. To prevent recurrence, they enable DHCP snooping and Dynamic ARP Inspection (DAI) on access switches. DAI validates ARP packets against the DHCP snooping binding table, dropping any ARP reply that claims an IP not assigned by DHCP. This scenario is common in BYOD environments where users may manually set static IPs.
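The DAI behaviour referred to in the ARP Spoofing/Poisoning section and in Scenario 1 can be modelled in a few lines. The following Python is an added example, not code from the chapter or from any switch vendor: it shows how a switch decides whether to forward an ARP packet arriving on an untrusted access port by checking it against the DHCP snooping binding table, and why statically addressed hosts need their own entry. The port names, VLAN, MACs, IPs and sample packets are constructed for illustration.

```python
# Added example (not from the chapter, not vendor code): a model of Dynamic ARP
# Inspection (DAI) on an access switch. Port names, VLANs, MACs and IPs are constructed.

# DHCP snooping binding table: ip -> (mac, vlan, port), built by watching DHCP leases.
BINDINGS = {
    "192.168.1.20": ("00:1a:2b:3c:4d:5f", 10, "Gi1/0/2"),
    "192.168.1.21": ("00:1a:2b:3c:4d:61", 10, "Gi1/0/3"),
}
# Uplink towards the router that really owns 192.168.1.1; DAI does not inspect it.
TRUSTED_PORTS = {"Gi1/0/24"}
# Statically addressed devices have no DHCP binding; without an explicit entry
# (the chapter's "static ARP entries for critical devices") DAI drops their ARP traffic.
STATIC_ALLOW = {"192.168.1.100": "00:1a:2b:3c:4d:60"}

def dai_inspect(pkt, bindings=BINDINGS, trusted_ports=TRUSTED_PORTS, static_allow=STATIC_ALLOW):
    """Return ("permit" | "drop", reason) for one ARP packet seen by the switch.
    pkt keys: port, vlan, eth_src (frame source MAC), sender_mac, sender_ip (ARP fields)."""
    if pkt["port"] in trusted_ports:
        return "permit", "trusted port, not inspected"
    if pkt["eth_src"] != pkt["sender_mac"]:
        return "drop", "frame source MAC differs from ARP sender MAC"
    if static_allow.get(pkt["sender_ip"]) == pkt["sender_mac"]:
        return "permit", "matches static ARP entry"
    binding = bindings.get(pkt["sender_ip"])
    if binding is None:
        return "drop", f"no DHCP snooping binding for {pkt['sender_ip']}"
    mac, vlan, port = binding
    if mac != pkt["sender_mac"]:
        return "drop", f"{pkt['sender_ip']} is bound to {mac}, packet claims {pkt['sender_mac']}"
    if (vlan, port) != (pkt["vlan"], pkt["port"]):
        return "drop", f"binding for {pkt['sender_ip']} is on VLAN {vlan} port {port}"
    return "permit", "sender IP/MAC matches DHCP snooping binding"

# Constructed sample of what the switch might see; labels only make the output readable.
SAMPLE_PACKETS = [
    {"label": "host .20 normal reply", "port": "Gi1/0/2", "vlan": 10,
     "eth_src": "00:1a:2b:3c:4d:5f", "sender_mac": "00:1a:2b:3c:4d:5f", "sender_ip": "192.168.1.20"},
    {"label": "router reply on uplink", "port": "Gi1/0/24", "vlan": 10,
     "eth_src": "00:1a:2b:3c:4d:5e", "sender_mac": "00:1a:2b:3c:4d:5e", "sender_ip": "192.168.1.1"},
    {"label": "access port claims gateway IP", "port": "Gi1/0/5", "vlan": 10,
     "eth_src": "00:1a:2b:3c:4d:99", "sender_mac": "00:1a:2b:3c:4d:99", "sender_ip": "192.168.1.1"},
    {"label": "wrong MAC for .21", "port": "Gi1/0/2", "vlan": 10,
     "eth_src": "00:1a:2b:3c:4d:5f", "sender_mac": "00:1a:2b:3c:4d:5f", "sender_ip": "192.168.1.21"},
    {"label": "static server .100", "port": "Gi1/0/7", "vlan": 10,
     "eth_src": "00:1a:2b:3c:4d:60", "sender_mac": "00:1a:2b:3c:4d:60", "sender_ip": "192.168.1.100"},
    {"label": "BYOD static IP, no binding", "port": "Gi1/0/8", "vlan": 10,
     "eth_src": "00:1a:2b:3c:4d:77", "sender_mac": "00:1a:2b:3c:4d:77", "sender_ip": "192.168.1.77"},
]

def inspect_all(packets=SAMPLE_PACKETS):
    """Map each sample packet's label to its DAI verdict."""
    return {p["label"]: dai_inspect(p)[0] for p in packets}
```

The last sample is the BYOD case from Scenario 1: a user who sets a static IP never appears in the DHCP snooping table, so DAI drops that host's ARP traffic until an administrator adds an explicit entry for it. Seeing legitimate hosts lose connectivity right after DAI is enabled is therefore a configuration gap to check before suspecting an attack.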

Scenario 2: Stale ARP After NIC Replacement

A server administrator replaces a failed NIC in a database server. The server retains its same IP address. However, clients on the same subnet cannot connect for up to 4 hours (Cisco default ARP timeout). The network engineer clears the ARP cache on the core switch (clear arp-cache) and on critical clients (arp -d <server-IP>). To minimize future impact, they reduce the ARP timeout on the switch to 300 seconds (arp timeout 300). They also implement gratuitous ARP on the server (Windows sends gratuitous ARP by default after NIC change; Linux may require arping -U -I eth0 <IP>). This scenario highlights the importance of understanding ARP timers and the need for quick cache clearing in troubleshooting.

Scenario 3: Proxy ARP Causing Routing Issues

A branch office has two subnets (192.168.1.0/24 and 192.168.2.0/24) connected by a router. A host on subnet A (192.168.1.10) cannot reach a host on subnet B (192.168.2.20). The engineer pings 192.168.2.20 from the host and gets replies, but traceroute shows only one hop (the router). The router has proxy ARP enabled on both interfaces, causing the host to think the remote host is local. The engineer checks show ip arp on the router and sees 192.168.2.20's MAC on the interface for subnet A, confirming proxy ARP. They disable proxy ARP on both interfaces (no ip proxy-arp). After clearing ARP caches on the host and router, the host now sends traffic to the default gateway for remote subnets. This scenario is common in networks where proxy ARP is left enabled by default, causing confusion in routed environments.

How N10-009 Actually Tests This

What N10-009 Tests on ARP Table Troubleshooting

CompTIA Network+ N10-009 objective 5.3 (Given a scenario, troubleshoot common network issues) includes ARP table issues as part of 'Common network issues' (e.g., IP address conflicts, duplicate MACs, missing routes). The exam expects you to:

Identify symptoms of ARP cache poisoning (intermittent connectivity, man-in-the-middle).

Use arp -a to view the cache and interpret entries.

Understand default ARP timeout values (Windows 120s, Cisco 14400s).

Recognize that clearing the ARP cache is a troubleshooting step.

Know that ARP is only for same-subnet communication.

Common Wrong Answers and Why Candidates Choose Them

1. "ARP resolves IP to MAC on different subnets" – Candidates confuse ARP with DNS or routing. ARP is local only.

2. "The ARP cache is stored on the switch" – Switches maintain a MAC address table, not an ARP table (unless they are Layer 3 switches). The ARP cache is on the host/router.

3. "Clearing the ARP cache will delete the IP address" – Candidates think ARP is tied to IP configuration. Clearing ARP only removes MAC mappings.

4. "ARP requests are unicast" – They are broadcast (destination MAC FF:FF:FF:FF:FF:FF).

Specific Numbers and Terms to Memorize

ARP cache timeout: Windows 120 seconds, Cisco 14400 seconds (4 hours), Linux 60 seconds.

ARP request broadcast MAC: FF:FF:FF:FF:FF:FF.

Gratuitous ARP: Used for duplicate IP detection and updating other caches.

Proxy ARP: Router answers ARP for remote hosts; enabled by default on Cisco.

Dynamic ARP Inspection (DAI): Security feature to prevent ARP spoofing.

Edge Cases the Exam Loves

Duplicate IP with different MACs: If two hosts have the same IP but different MACs, the ARP cache flips between them. The exam may ask: "What happens when two devices have the same IP but different MACs?" Answer: Intermittent connectivity.

ARP and VLANs: ARP broadcasts stay within VLAN. A host on VLAN 10 cannot ARP for a host on VLAN 20 without a router.

ARP and IPv6: IPv6 uses Neighbor Discovery Protocol (NDP) instead of ARP. The exam may test NDP as an alternative.

How to Eliminate Wrong Answers

If a question mentions "same subnet" and ARP, the answer is likely about ARP. If "different subnet", ARP is not used.

For symptoms like "intermittent connectivity" and "MAC address flips", suspect IP conflict or ARP poisoning.

Commands: arp -a (Windows/Linux), show ip arp (Cisco). Know which OS uses which.

Timers: Long timeout on Cisco can cause stale entries; short timeout on Windows can cause frequent ARP requests.

Key Takeaways

ARP resolves IPv4 addresses to MAC addresses only on the same subnet.

Default ARP cache timeout: Windows 120 seconds, Cisco 14400 seconds, Linux ~60 seconds.

Common ARP issues: incomplete entries, duplicate IPs, stale entries, ARP spoofing.

Use `arp -a` (Windows) or `arp -n` (Linux) to view the ARP cache.

Clear the ARP cache with `arp -d <IP>` (Windows) or `ip neigh flush dev <interface>` (Linux).

Gratuitous ARP is used for duplicate IP detection and updating other devices' caches.

Proxy ARP allows a router to answer ARP requests for hosts on other subnets; often misconfigured.

Dynamic ARP Inspection (DAI) on switches prevents ARP spoofing by validating ARP packets against DHCP snooping bindings.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

ARP (IPv4)

Uses broadcast frames (FF:FF:FF:FF:FF:FF).

Separate request and reply messages.

Default timeout 120s (Windows) or 14400s (Cisco).

Vulnerable to spoofing; no built-in security.

No duplicate address detection (DAD) by default; uses gratuitous ARP.

NDP (IPv6)

Uses multicast (solicited-node multicast address).

Combines address resolution and neighbor reachability detection in ICMPv6 messages.

Neighbor cache timeout based on reachability state (usually 30s).

Includes Secure Neighbor Discovery (SEND) and RA Guard for security.

Built-in DAD using Neighbor Solicitation messages.
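The first NDP bullet, "uses multicast (solicited-node multicast address)", is the concrete difference from ARP's broadcast. The following Python is an added example (not from the chapter) that derives the solicited-node group and its Ethernet MAC for a target IPv6 address and shows which hosts on a segment would actually process the Neighbor Solicitation. The addresses are constructed from the 2001:db8::/32 documentation prefix.

```python
import ipaddress

# Added example (not from the chapter): how IPv6 Neighbor Discovery narrows address
# resolution to a solicited-node multicast group, in contrast with ARP's all-hosts
# broadcast. Sample addresses use the 2001:db8::/32 documentation prefix.

SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))

def solicited_node_multicast(addr):
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the target address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24))

def ipv6_multicast_mac(group):
    """Ethernet destination for an IPv6 multicast group: 33:33 followed by its low 32 bits."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))

def neighbor_solicitation_destination(target):
    """(IPv6 group, Ethernet MAC) that a Neighbor Solicitation for `target` is sent to."""
    group = solicited_node_multicast(target)
    return group, ipv6_multicast_mac(group)

def hosts_that_receive_ns(target, hosts):
    """Hosts whose NIC/stack processes the solicitation: only those sharing the target's
    low 24 bits. An ARP request for an IPv4 target would be processed by every host."""
    group = solicited_node_multicast(target)
    return [h for h in hosts if solicited_node_multicast(h) == group]

SEGMENT = [  # constructed addresses on one link
    "2001:db8::1a2b:3c4d:5e6f",
    "2001:db8::dead:0d4d:5e6f",   # same low 24 bits (4d:5e6f): same solicited-node group
    "2001:db8::1",
    "fe80::1",
]
```

Because only the low 24 bits select the group, unrelated hosts occasionally share one (the second constructed address above does), so the solicitation still carries the full target address and the receiver compares it before replying; the group just keeps every other host from being interrupted.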

Watch Out for These

Mistake: ARP is used for all IP communication, including across routers.

Correct: ARP is only used for communication within the same subnet (broadcast domain). For traffic to a different subnet, the source uses ARP to find the MAC of its default gateway, not the remote host.

Mistake: The ARP table is stored on switches.

Correct: Switches maintain a MAC address table (CAM table) that maps MAC addresses to ports, not an ARP table. ARP tables are stored on end hosts and routers (Layer 3 devices). Layer 3 switches have both.

Mistake: An ARP request is sent as a unicast frame.

Correct: ARP requests are broadcast frames with destination MAC FF:FF:FF:FF:FF:FF. ARP replies are unicast to the requester.

Mistake: Clearing the ARP cache removes the IP address configuration.

Correct: Clearing the ARP cache only removes the IP-to-MAC mappings. The IP address, subnet mask, and gateway remain configured. The device will need to re-ARP for any destination it needs to reach.

Mistake: ARP entries are permanent and never expire.

Correct: Dynamic ARP entries have a timeout (e.g., 120 seconds on Windows, 14400 seconds on Cisco). Static entries are permanent until manually removed or the device reboots.


Frequently Asked Questions

How do I clear the ARP cache on Windows?

Open Command Prompt as Administrator and run `arp -d *` to clear all entries, or `arp -d <IP>` to clear a specific entry. This forces the device to re-ARP for any destinations it needs to reach. On Windows, dynamic entries will be re-learned automatically when traffic is sent.

Why does my ARP table show an incomplete entry?

An incomplete entry means an ARP request was sent but no reply was received. This typically indicates the target host is unreachable (powered off, disconnected, or on a different subnet). Check Layer 1/2 connectivity and ensure the target is on the same VLAN. Firewalls may also block ARP.

What is the difference between ARP and the MAC address table on a switch?

The ARP table maps IP addresses to MAC addresses and is stored on hosts and routers. The switch's MAC address table (CAM table) maps MAC addresses to switch ports. ARP is used to find the MAC for a given IP; the switch uses the MAC table to forward frames to the correct port.

How can I prevent ARP spoofing attacks?

Use Dynamic ARP Inspection (DAI) on managed switches. DAI validates ARP packets against the DHCP snooping binding table, dropping any ARP reply that does not match the expected IP-MAC pair. Additionally, use static ARP entries for critical devices and implement port security.

What is gratuitous ARP and when is it used?

A gratuitous ARP is an ARP reply sent without a corresponding request. It is used to announce an IP-to-MAC mapping to other hosts, typically when a device boots up or its IP address changes. It also helps detect IP address conflicts: if a host receives a gratuitous ARP for its own IP, a conflict exists.

Why does my ARP cache have the wrong MAC for my default gateway?

This could be due to ARP spoofing, a duplicate IP address, or a stale entry after the gateway's NIC was replaced. Clear the ARP cache and check the gateway's actual MAC. If the problem persists, investigate for an attacker on the network or a misconfigured device.

Does ARP work across VLANs?

No. ARP broadcasts are confined to the VLAN (broadcast domain). For communication between VLANs, a router or Layer 3 switch is required. The host sends traffic to its default gateway, which then routes to the other VLAN. The ARP table on the host contains the gateway's MAC, not the remote host's.
