# ARP table

> Source: Courseiva IT Certification Glossary — https://courseiva.com/glossary/arp-table

## Quick definition

An ARP table is like an address book that your computer uses to find the correct hardware address of another device on your network. When your computer wants to send data to a specific IP address, it first checks this table. If the table has the matching hardware address, it sends the data directly. If not, it uses a special request to find the address and then updates the table.

## Simple meaning

Imagine you live in a large apartment building where each apartment has both a number (like Apartment 301) and a specific doorbell button that rings only inside that apartment. When you want to deliver a letter to your friend in Apartment 401, you could just walk around pressing doorbells until your friend answers. That would be slow and annoying for everyone. A better way is to have a little notebook that lists each apartment number next to the correct doorbell button. This notebook is exactly like an ARP table. 

 In the world of computer networks, every device has two important addresses. The first is the IP address, which is like the apartment number. It identifies the device on the network and helps figure out where data should go across the internet. The second is the MAC address, which is like the doorbell button. It is a unique hardware identifier burned into the network card of every device. For data to actually travel from one device to another on the same local network, the sending device must know the MAC address of the destination device. 

 Your computer builds and maintains an ARP table automatically. Whenever it needs to send data to a device whose MAC address it does not know, it broadcasts a message to the entire local network saying, He, who has this IP address? Please tell me your MAC address. The device that owns that IP address replies with its MAC address, and your computer stores this information in its ARP table for future reference. The table is temporary because network configurations can change. Entries typically expire after a few minutes or hours, so the table stays fresh and accurate. 

 Devices like your home router, your laptop, a network printer, or a server in a data center all have ARP tables. Even switches and firewalls maintain them. The ARP table is a critical piece of the networking puzzle because without it, devices would have to shout for every single packet they send, which would flood the network with unnecessary traffic. By keeping a cached record of recent address mappings, the ARP table makes local network communication fast and efficient. 

 Think of it this way. You are a postal worker in a small town. You have a list of residents and their house numbers. When a letter arrives for Jane Doe, you look up her street address in your list. If you have it, you deliver the letter directly. If not, you ask around until you find her house, then you add it to your list for next time. That list is your ARP table. It saves you from asking around for every single letter, which would waste time and annoy the townspeople.

## Technical definition

The ARP table, also known as the ARP cache, is a dynamic database maintained by network devices that stores mappings between Internet Protocol (IP) addresses and Media Access Control (MAC) addresses. This table is fundamental to the operation of the Address Resolution Protocol (ARP), which is defined in RFC 826. ARP operates at the interface between the network layer (Layer 3) and the data link layer (Layer 2) of the OSI model. When a device needs to send an IP packet to another device on the same local network, it must know the destination device's MAC address to encapsulate the packet in a frame for transmission over the physical medium. The ARP table provides this mapping, avoiding the need for an ARP request for every single packet. 

 The ARP table contains several fields for each entry. The primary fields include the IP address, the corresponding MAC address, the interface through which the device is reachable, and a timestamp indicating when the entry was learned. Entries are classified as dynamic or static. Dynamic entries are learned automatically through ARP request and reply messages. Static entries are manually configured by a network administrator and do not expire. Dynamic entries have a Time To Live (TTL) value, which is the duration the entry remains valid before it is removed. On most operating systems, the default TTL for dynamic ARP entries is between 20 seconds and 2 minutes for incomplete entries, and between 2 to 20 minutes for complete entries, depending on the implementation. After the TTL expires, the entry is deleted, and the device must perform a new ARP request the next time it needs to communicate with that IP address. 

 When a device wants to send data to a destination IP address on the same subnet, it first examines its ARP table. If a matching entry is found, the device uses the stored MAC address to create an Ethernet frame with the destination MAC address set to that value. If no entry exists, the device generates an ARP request packet. This packet has the source MAC and IP addresses filled in, and the destination MAC address is set to the broadcast address FF:FF:FF:FF:FF:FF. The ARP request is encapsulated in an Ethernet frame and sent to all devices on the local broadcast domain. Every device on the network receives the frame because the destination MAC is the broadcast address. However, only the device whose IP address matches the target IP in the ARP request processes it and responds. The responding device sends an ARP reply packet, which is a unicast frame directly to the requesting device's MAC address, containing its own MAC address. The requesting device then updates its ARP table and proceeds with data transmission. 

 In modern networks, the ARP table plays a critical role in both IPv4 and IPv6 environments, though IPv6 uses Neighbor Discovery Protocol (NDP) instead of ARP. ARP table entries are also monitored for security purposes. Spoofed ARP replies, known as ARP poisoning, can be used by attackers to redirect traffic, perform man-in-the-middle attacks, or cause denial of service. Network administrators use tools like dynamic ARP inspection (DAI) on switches to validate ARP packets and prevent malicious entries from being added to the ARP tables of other devices. The ARP table can be viewed and managed on various operating systems using commands such as arp -a on Windows and Linux or show ip arp on Cisco IOS. Entries can be cleared entirely with arp -d or cleared per interface or IP address. Static ARP entries can be added using arp -s on many systems, though this is less common in modern dynamic networks. 

 The size of the ARP table is usually limited by memory. On enterprise switches and routers, the ARP table can hold thousands of entries. On a typical client device, the table is much smaller, often holding only a few dozen entries at a time. When the table is full, the device may remove the oldest entries to make room for new ones, a process known as garbage collection. Understanding the ARP table is essential for network troubleshooting. Common issues include duplicate IP addresses causing ARP conflicts, stale entries after a device's network card is replaced, and excessive ARP traffic in large broadcast domains leading to network congestion. The ARP cache is a fundamental component that every IT certification candidate must understand thoroughly.

## Real-life example

Think of a large conference center where there are hundreds of rooms, each with a unique room number and a specific door. You are a staff member who needs to deliver packages to various rooms throughout the day. You have a master list that tells you, for each room number, exactly which hallway and which door to go to. This list is your ARP table. When you get a package for Room 405, you check your list. If Room 405 appears with directions, you go straight there. If you dont have it, you go to the central information desk and announce loudly, I need directions to Room 405. Everyone can hear you, but only the person managing Room 405 will come and give you the specific directions. You then write those directions down for next time. 

 In this analogy, the room numbers are like IP addresses. They are logical identifiers that tell you where the package should ultimately go, but they do not tell you the physical path. The specific door and hallway are like MAC addresses. They are the exact physical location you need to reach. Your master list is the ARP table that maps the logical room numbers to the physical door locations. The central information desk is like your network switch or router that facilitates communication. When you shout for directions, that is an ARP request a broadcast message to all devices. The reply from the room manager is the ARP response. 

 Now imagine that some rooms are occupied by VIPs who change rooms often. If you rely on your old list, you might walk to the wrong door. Thats why you regularly update your list. In networking, dynamic ARP entries expire after a set time so that the table stays accurate. If you never updated, you might keep delivering packages to the old room, and the VIP would never get them. This is exactly what happens in a network when a device moves to a different subnet or if its network card is replaced without clearing the ARP cache. 

 Another part of this analogy is the risk of someone giving you false directions on purpose. A malicious person at the information desk could tell you that Room 405 is actually the door to their own room, and then they would receive all packages meant for Room 405. In networking, this is ARP spoofing or ARP poisoning. An attacker sends fake ARP replies to associate their MAC address with the victims IP address, thus intercepting traffic. This analogy shows why network security measures like dynamic ARP inspection are important to verify that ARP replies are legitimate. 

 So, in everyday terms, the ARP table is your personal directory that keeps your network communication efficient and accurate. Without it, every packet would require a broadcast, and the network would grind to a halt. With it, you can send data directly to the right physical device quickly and without disturbing everyone else on the network.

## Why it matters

The ARP table is a core component of local area network communication. Without it, no device would be able to send data directly to another device on the same network without broadcasting every single packet. That would cause massive network congestion because every broadcast would need to be processed by every device. The ARP table makes communication efficient by caching resolved addresses so that devices can send frames directly to the correct MAC address after the first lookup. 

 For IT professionals, understanding the ARP table is essential for troubleshooting connectivity issues. If a computer cannot communicate with a network printer, one of the first things to check is the ARP table on the computer. Maybe the entry is stale because the printer had a new network card installed. Maybe there is a duplicate IP address causing an ARP conflict. Examining the ARP table often reveals the problem quickly. 

 From a security perspective, the ARP table is a target for attacks. ARP poisoning is a common technique used in man-in-the-middle attacks on local networks. Network administrators must know how to protect ARP tables using tools like dynamic ARP inspection on switches, which validates ARP packets before allowing them to update the table. Understanding the ARP table also helps in forensic analysis. When a network intrusion is investigated, unusual ARP entries can be a sign of malicious activity. 

 In professional practice, commands like arp -a are part of the daily toolkit of network engineers. Whether configuring a static ARP entry for a critical server or clearing the cache after a network change, the ARP table is a practical reality. Its importance is reflected in the fact that it is tested in all major networking and IT certification exams, from CompTIA Network+ and Security+ to Cisco CCNA and AWS Certified Solutions Architect. A solid grasp of the ARP table is not optional for an IT professional.

## Why it matters in exams

The ARP table appears in several major certification exams, each testing different aspects of the concept. In the CompTIA Network+ exam (N10-008), candidates must understand the purpose of the ARP cache, how it is populated, and common issues like ARP cache poisoning. Questions may ask you to interpret the output of arp -a or identify the correct order of operations when a device sends a packet to another device on the same subnet. The exam objectives list ARP under network protocols and services. 

 In the Cisco CCNA exam (200-301), the ARP table is a fundamental concept tested in multiple domains. Candidates must know how ARP works, how to view the ARP table on a Cisco device using show ip arp, and how ARP interacts with other protocols like ICMP and Ethernet switching. Troubleshooting scenarios often require analyzing the ARP table to determine why a device cannot ping another device on the same VLAN. Static ARP entries and proxy ARP are also tested. 

 The CompTIA Security+ exam (SY0-601) focuses on ARP poisoning as a network attack. Candidates need to understand how an attacker can manipulate the ARP table to perform man-in-the-middle attacks and what mitigation techniques exist, such as dynamic ARP inspection, ARP spoofing detection software, and VLAN segmentation. You may be asked to identify the type of attack based on a description of ARP table manipulation. 

 For AWS Certified Solutions Architect (SAA-C03), the concept of ARP is less directly tested, but understanding it is necessary to fully grasp how Virtual Private Clouds (VPCs) work at the network level. In AWS, the virtualization layer handles ARP for Elastic Network Interfaces (ENIs), but knowing the fundamentals helps with troubleshooting connectivity between EC2 instances in the same subnet. 

 The Microsoft Azure Administrator exam (AZ-104) may also touch on ARP in the context of Azure Virtual Networks, though it is not a primary focus. The Google ACE exam similarly expects a working knowledge of basic networking concepts, including ARP. The A+ exam covers ARP at a basic level, primarily the Windows command arp -a and the concept of the MAC address. In all these exams, the ARP table is often tested through scenario-based questions where you need to determine why communication fails or which protocol is used to resolve an address. Being comfortable with the ARP table will help you answer these questions confidently.

## How it appears in exam questions

Exam questions about the ARP table typically fall into three categories: theory, configuration, and troubleshooting. Theory questions may ask directly, What is the purpose of the ARP cache? or Which protocol is used to map an IP address to a MAC address? These are straightforward and reward memorization. Another common type gives you a scenario where a device is trying to communicate with another device on the same subnet and asks what happens first. The correct answer is that the device checks its ARP cache. 

 Configuration questions often require you to know the correct command to view or clear the ARP table. On the Network+ exam, you might be shown output from arp -a and asked to identify the MAC address corresponding to a specific IP address. On the CCNA, you might be given a show ip arp output and asked to determine if the entry is dynamic or static, or why a particular entry is missing. You may also be asked to configure a static ARP entry, though this is less common. 

 Troubleshooting questions are the most challenging. A typical scenario: A user reports that they cannot access a network printer. The printer has a static IP address. The user's computer can ping the IP address of the printer successfully. What is the most likely problem? The answer might be that the ARP cache on the computer has a stale entry pointing to the wrong MAC address. Another common scenario involves ARP poisoning where an attacker is intercepting traffic. The question might ask, Which command would you use to confirm that an ARP poisoning attack is happening? The answer is arp -a to look for multiple IP addresses mapping to the same MAC address. 

 Some questions test your understanding of ARP behavior across routers. For example, a question might say, A host wants to send data to another host on a different subnet. Will it use ARP? The correct answer is yes, but only to find the MAC address of its default gateway, not the remote host's MAC address. This distinction is critical. You may also see questions about gratuitous ARP, which is used when a device announces its MAC address to the network proactively, and how this can be used in high-availability failover scenarios. 

 Finally, some questions on the Security+ exam present a log entry showing a suspicious ARP cache with multiple MAC addresses for a single IP. The question asks you to identify the attack type. The answer is ARP poisoning. Being able to read and interpret ARP table output is a valuable skill for any IT exam candidate.

## Example scenario

A small office has 10 computers, one network printer, and one router. The printer has a static IP address of 192.168.1.100. A user on Computer A, with IP 192.168.1.20, tries to print a document. The computer must first send the print job to the printer. Since they are on the same network, Computer A checks its ARP table for an entry matching 192.168.1.100. If it finds one, it uses the stored MAC address to send the data directly to the printer. The printer receives the Ethernet frame, processes the print job, and the document prints successfully. 

 However, suppose the printer's network card was recently replaced due to a hardware failure. The new network card has a different MAC address. The printer still uses the same IP address 192.168.1.100. Computer A still has the old MAC address in its ARP table. When Computer A tries to send the print job, it uses the old MAC address. The printer with the new MAC address never receives the frame. The print job fails, and the user sees an error message like Printer not responding. 

 The IT technician is called. The technician first opens a command prompt on Computer A and types arp -a. The output shows an entry for 192.168.1.100 with the old MAC address. The technician clears the ARP cache using arp -d 192.168.1.100 or arp -d. Then the technician has the computer try to print again. This time, Computer A does not find an entry in its ARP table, so it sends an ARP request for 192.168.1.100. The printer with the new card responds with its new MAC address. Computer A updates its ARP table and sends the print job successfully. 

 This simple scenario illustrates why understanding the ARP table is crucial for real-world IT support. It shows how a stale ARP entry can break communication even though the IP address remains the same. It also shows the practical steps to resolve such an issue: view the table, identify the stale entry, clear it, and let the network re-resolve the mapping. This scenario is the basis for many exam questions that test troubleshooting methodology.

## Common mistakes

- **Mistake:** Assuming the ARP table is the same as a DNS cache.
  - Why it is wrong: DNS resolves domain names to IP addresses, while ARP resolves IP addresses to MAC addresses. They are completely different protocols and operate at different layers of the OSI model.
  - Fix: Remember that DNS works at Layer 7 (application) and ARP works at Layer 2/3 boundary. DNS maps names to IPs, ARP maps IPs to MACs.
- **Mistake:** Thinking ARP is used to communicate across different subnets to find the remote host's MAC address.
  - Why it is wrong: ARP only works within the same broadcast domain (subnet). For traffic destined to a different subnet, the device uses ARP to find the MAC address of its default gateway, not the remote host.
  - Fix: When sending to a different subnet, the device uses ARP for the next-hop router's MAC address only.
- **Mistake:** Believing that ARP table entries are permanent and never expire.
  - Why it is wrong: Most ARP table entries are dynamic and have a TTL. They expire after a few minutes to hours unless refreshed. This prevents stale entries from causing communication failures.
  - Fix: Remember that dynamic ARP entries have a timeout. They must be refreshed regularly. Static entries are the only ones that are permanent (and need manual deletion).
- **Mistake:** Confusing ARP requests with broadcast traffic for all IP-related queries.
  - Why it is wrong: ARP requests are broadcast at Layer 2 (MAC broadcast), not at Layer 3. The IP layer is not involved in the broadcast. The ARP request is sent to the MAC broadcast address FF:FF:FF:FF:FF:FF.
  - Fix: ARP broadcasts happen at the data link layer. The IP address is merely a payload in the ARP request packet.
- **Mistake:** Thinking that only switches have ARP tables.
  - Why it is wrong: Any device that uses IP and communicates on a local network has an ARP table. This includes computers, servers, routers, printers, smartphones, and IoT devices.
  - Fix: Every IP-enabled device on a local network has an ARP table. Switches may have them if they are Layer 3 switches, but Layer 2 switches do not use IP for switching.
- **Mistake:** Assuming that clearing the ARP table is a permanent fix for communication issues.
  - Why it is wrong: Clearing the ARP table only removes the cached entries. If the underlying problem, like a duplicate IP address or a misconfigured network, is not resolved, the same issue will reappear after the next ARP resolution.
  - Fix: Use ARP table clearing as a diagnostic step, not a permanent solution. Investigate the root cause of why the ARP entry became stale or incorrect.

## Exam trap

{"trap":"On the CCNA exam, a question might show a ping from Host A to Host B on a different subnet and ask how many ARP requests are sent. Many learners incorrectly answer that Host A sends an ARP request for Host B's IP address.","why_learners_choose_it":"They assume that ARP is used to find the MAC address of the ultimate destination IP, regardless of subnet boundaries. They also forget the role of the default gateway.","how_to_avoid_it":"Always identify whether the destination is on the same subnet. If it's on a different subnet, the source host uses ARP only to find the MAC address of its default gateway. The gateway then uses its own ARP table to forward the packet. In most cases, only one ARP request is sent from the source, and it is for the gateway's MAC address."}

## Commonly confused with

- **ARP table vs DNS cache:** A DNS cache stores mappings between domain names (like google.com) and IP addresses. An ARP table stores mappings between IP addresses and MAC addresses. DNS operates at the application layer, while ARP operates at the interface between network and data link layers. (Example: When you type www.google.com, your computer checks its DNS cache for the IP address. Then, to send the packet to that IP, it checks its ARP table to find the MAC address of the next hop device.)
- **ARP table vs MAC address table:** A MAC address table is maintained by switches to record which MAC addresses are reachable through which switch ports. It is used for frame forwarding decisions. An ARP table is maintained by end devices and routers to map IPs to MACs. Switches do not use ARP tables for Layer 2 forwarding. (Example: A switch uses its MAC address table to send a frame to the correct port. The sending computer uses its ARP table to know which MAC address to put in the frame in the first place.)
- **ARP table vs Routing table:** A routing table stores information about network paths (subnets and next-hop addresses) used by routers to make Layer 3 forwarding decisions. An ARP table stores Layer 2 address mappings. The routing table determines which interface and next-hop IP to use, and the ARP table provides the MAC address for that next-hop IP. (Example: A router looks at its routing table to decide where to send a packet. It then uses its ARP table to find the MAC address of the next-hop router before forwarding the frame.)
- **ARP table vs Neighbor cache (IPv6):** The neighbor cache is the IPv6 equivalent of the ARP table. It stores mappings between IPv6 addresses and MAC addresses, but it uses the Neighbor Discovery Protocol instead of ARP. The concept is similar, but the underlying protocol and message formats differ. (Example: On an IPv6 network, instead of ARP, devices use Neighbor Solicitation and Neighbor Advertisement messages to populate the neighbor cache.)

## Step-by-step breakdown

1. **Step 1: Application sends data** — An application, such as a web browser or a file transfer program, needs to send data to another device on the network. The data is passed down to the transport layer (Layer 4) and then to the network layer (Layer 3). At the network layer, the data is encapsulated into IP packets. The source IP address is added, and the destination IP address is determined from the application request.
2. **Step 2: Check if destination is on the same subnet** — The sending device examines its own IP address and subnet mask to determine its network portion. It compares the destination IP address against its own subnet. If both are in the same subnet, the destination is directly reachable. If not, the destination is on a different subnet, and the device must use its default gateway.
3. **Step 3: Determine the target IP for ARP** — If the destination is on the same subnet, the target IP for ARP is the destination host's IP address. If the destination is on a different subnet, the target IP for ARP becomes the IP address of the default gateway (router) configured on the sending device. This is because the packet must first go to the router.
4. **Step 4: Check the ARP table** — The device searches its ARP table for an entry matching the target IP address. The ARP table is stored in memory and contains a list of IP-to-MAC mappings. If a valid (non-expired) entry is found, the device proceeds to Step 7. If no entry exists or the entry has expired, the device moves to Step 5.
5. **Step 5: Send an ARP request broadcast** — The device creates an ARP request packet. This packet contains the sender's IP and MAC address and the target IP address. The ARP request is encapsulated in an Ethernet frame with a destination MAC address of FF:FF:FF:FF:FF:FF (broadcast). The frame is sent out on all interfaces within the broadcast domain. Every device on that LAN segment receives and processes the frame.
6. **Step 6: Process ARP reply** — Only the device that owns the target IP address processes the ARP request and sends back an ARP reply. The reply is a unicast frame sent directly to the requesting device's MAC address, containing the target IP and its corresponding MAC address. The requesting device receives the reply, updates its ARP table with the new mapping, and sets a TTL for the entry.
7. **Step 7: Encapsulate the IP packet** — With the MAC address known (either from the ARP table or from the reply), the device encapsulates the IP packet into an Ethernet frame. The source MAC address is its own, the destination MAC address is the resolved MAC address. The frame also includes the EtherType field set to 0x0800 for IPv4.
8. **Step 8: Transmit the frame** — The Ethernet frame is sent out through the physical network interface onto the network medium. The network switches forward the frame based on the destination MAC address until it reaches the destination device. The destination device decapsulates the frame, processes the IP packet, and delivers the data to the appropriate application.
9. **Step 9: Cache management** — The ARP table entry is stored with a timer. Each time the entry is used for outgoing traffic, the timer may be reset to the full TTL value. If the entry is not used for the duration of the TTL, it is automatically removed from the cache. The device may also implement gratuitous ARP, where a device announces its own IP-to-MAC mapping without being asked, to update the ARP tables of other devices proactively.

## Practical mini-lesson

In practice, the ARP table is a tool you will use daily as an IT professional. On Windows, the command arp -a displays the current ARP cache. On Linux and macOS, the same command works. On network switches and routers, commands like show ip arp on Cisco or show arp on Juniper show the table. Knowing how to interpret this output is essential. Each row typically shows an IP address, a MAC address, an interface, and a type (dynamic or static). If you see multiple IP addresses mapping to the same MAC address, that is a red flag for ARP poisoning. 

 Configuring static ARP entries is sometimes necessary for critical servers where you want to prevent ARP spoofing. For example, on a Linux machine, the command arp -s 192.168.1.100 00:11:22:33:44:55 adds a static entry. This entry will not expire and cannot be overwritten by dynamic ARP traffic. However, it also means that if the server's MAC address changes, you must manually update the entry. In modern networks, dynamic entries are preferred for flexibility, but static entries still have their place in secure environments. 

 One common issue professionals face is the ARP table filling up on switches in large VLANs. When the table is full, the switch may fail to learn new entries, causing communication failures. This can be mitigated by tuning the ARP timeout values or increasing the table size if the platform supports it. On Cisco switches, you can adjust the ARP timeout per interface with the command arp timeout seconds under interface configuration mode. 

 Another practical consideration is the interaction between ARP and virtualization. In virtualized environments like VMware or Hyper-V, each virtual machine has its own virtual NIC with a MAC address. The hypervisor handles ARP on behalf of the VMs. If you migrate a VM from one host to another, its MAC address may stay the same, but the ARP table on the physical switch needs to be updated. This is often handled by gratuitous ARP sent by the VM after migration. If the gratuitous ARP is not sent, connectivity may be lost until the ARP timeout expires on the switch. 

 Troubleshooting with ARP: If a user cannot reach a server, ping the server by IP. If ping succeeds, the issue is likely not ARP. If ping fails, check the ARP table on the user's computer. Is there an entry for the server? Is it the correct MAC address? Check the server's MAC address on its network interface configuration. If they match, the problem is elsewhere. If they don't match, clear the ARP entry and try again. This simple troubleshooting step often resolves the issue quickly. 

 Security professionals also use the ARP table for detection. Tools like arpwatch monitor ARP table changes and alert on anomalies. If a new MAC address appears for an existing IP, it could be a sign of ARP spoofing. Dynamic ARP Inspection (DAI) on switches prevents ARP poisoning by validating ARP packets against a trusted database of IP-to-MAC bindings (DHCP snooping database). Understanding how to configure and verify DAI is a valuable skill for network security roles.

## Commands

```
arp -a
```
Displays the current ARP cache on Windows, showing IP addresses mapped to MAC addresses for all interfaces.

*Exam note: Commonly tested as the basic command to view ARP entries; exam questions may ask for the output format or how to interpret the mapping.*

```
arp -d <IP address>
```
Deletes a specific ARP entry from the cache by IP address, forcing a new ARP request on the next communication.

*Exam note: Tests understanding of cache management; scenarios where stale entries cause connectivity issues, used in CCNA and Network+ troubleshooting.*

```
arp -s <IP address> <MAC address>
```
Adds a static ARP entry, permanently associating an IP with a MAC address until removed.

*Exam note: Appears in security exams (Security+) to discuss ARP spoofing prevention; CCNA tests when static entries are needed for security or specific devices.*

```
show ip arp
```
Cisco IOS command to display the ARP table on a router or switch, showing protocol, IP, age, MAC, and interface.

*Exam note: Essential for CCNA troubleshooting; exam questions often ask to identify incomplete entries or mismatched MACs from this output.*

```
arp -n
```
Linux/Unix command to display the ARP cache numerically, showing IP-to-MAC mappings without hostname resolution.

*Exam note: Frequent in Linux-based exam labs (AWS SAA, Google ACE); tests ability to parse ARP entries for network verification.*

```
clear arp-cache
```
Cisco IOS command to clear the entire ARP cache on a router, forcing all entries to be re-learned.

*Exam note: CCNA scenario: used after topology changes; exam questions ask when to use this vs. individual deletion to fix stale entries.*

```
Get-NetNeighbor
```
PowerShell cmdlet on Windows to retrieve the ARP table (neighbor cache) with detailed properties.

*Exam note: Appears in AZ-104 and Azure context; tests familiarity with modern Windows networking commands for troubleshooting.*

```
ip neigh show
```
Linux command to display the neighbor table (ARP cache), often used with 'ip' tool instead of 'arp'.

## Troubleshooting clues

- **Stale ARP entry after IP change** — symptom: Cannot reach a device after its IP address was changed, even though other devices can ping it.. The ARP cache still holds the old IP-to-MAC mapping; the device's MAC is now associated with a different IP, so frames are sent to the wrong MAC. (Exam clue: CCNA or Network+ scenario: after changing a server's IP, pings fail until ARP cache is cleared; tests understanding of cache aging vs manual flush.)
- **ARP spoofing / poisoning** — symptom: Intermittent connectivity or traffic goes to wrong destination; security warnings on network.. An attacker sends forged ARP replies to associate a legitimate IP with the attacker's MAC, redirecting traffic intended for the victim. (Exam clue: Security+ and CCNA security topics: question asks to identify mitigation like Dynamic ARP Inspection (DAI) or static ARP entries.)
- **Incomplete ARP entry** — symptom: Ping fails, and 'arp -a' shows the entry as 'incomplete' or '<incomplete>'.. The device sent an ARP request but never received a reply; possible causes: wrong subnet, host down, or firewall blocking ARP. (Exam clue: Network+ troubleshooting: given an incomplete ARP entry, select the most likely cause (e.g., host powered off or VLAN mismatch).)
- **Duplicate MAC addresses in ARP table** — symptom: Two different IPs in the ARP table have the same MAC address; network traffic to one IP affects the other.. A device with multiple IPs or a misconfigured NIC can cause duplicate MAC entries; also possible with network virtualization. (Exam clue: AZ-104 or AWS SAA: question about IP conflicts in virtual networks; tests understanding that MAC duplication indicates configuration overlap.)
- **ARP table overflow** — symptom: New ARP entries fail to be added; errors like 'ARP: no memory' or devices unreachable intermittently.. The device's ARP cache has reached its maximum size, causing oldest entries to be dropped or new entries rejected. (Exam clue: CCNA or Network+ advanced: scenario with a busy network and limited switch/router memory; tests knowledge of cache size limits and aging timers.)
- **Mismatched MAC address in static ARP** — symptom: After adding a static ARP entry with a wrong MAC, traffic to that IP fails or reaches wrong device.. Static entries bypass ARP resolution; a typo or outdated MAC causes frames to be sent to the incorrect hardware address. (Exam clue: Security+ scenario: an administrator accidentally adds a static entry with an attacker's MAC; tests concept that static ARP overrides dynamic learning.)
- **ARP requests not crossing VLANs** — symptom: Devices in different VLANs cannot communicate even though routing is configured; ARP table shows no entries for remote IPs.. ARP is broadcast-only within a VLAN; routers perform proxy ARP or the host must have a default gateway to forward packets. (Exam clue: CCNA: question about inter-VLAN routing and ARP behavior; tests understanding that ARP requests are not forwarded across VLANs without a router.)
- **Proxy ARP misconfiguration** — symptom: Hosts can ping remote IPs but not local ones; ARP table shows same MAC for multiple remote IPs.. A router with proxy ARP enabled replies to ARP requests on behalf of other hosts, causing local devices to think remote IPs are directly reachable. (Exam clue: Network+ or CCNA: identifying proxy ARP behavior from an ARP table output; tests knowledge of why multiple IPs map to one MAC.)

## Memory tip

ARP table: The bridge between IP and MAC. Think Address Resolution Protocol remembers the hardware address for IP addresses.

## FAQ

**What is the difference between ARP and ARP table?**

ARP is the protocol used to discover MAC addresses. The ARP table is the database on a device that stores the results of those discoveries for quick reference.

**How often does the ARP table update?**

Dynamic entries are updated whenever a new ARP reply is received or when an existing entry is used for communication. The TTL varies by operating system, typically 2 to 20 minutes.

**Can I manually add an entry to the ARP table?**

Yes, you can add static ARP entries using the arp -s command on most systems. These entries do not expire and are not overwritten by dynamic ARP traffic.

**What does it mean if I see multiple IP addresses for the same MAC address in the ARP table?**

This could indicate an ARP poisoning attack, where a single device is claiming multiple IP addresses. It could also be a misconfigured proxy ARP setup.

**Does ARP work across routers?**

No, ARP requests are broadcast only within the same subnet. Routers do not forward ARP broadcasts across subnets. Each router has its own ARP table for the networks it is directly connected to.

**What is gratuitous ARP?**

A gratuitous ARP is an ARP reply sent without being requested. It is used to announce a device's IP-to-MAC mapping to the entire network, often after an IP address change or network interface replacement.

**How do I clear the ARP table on Windows?**

Open Command Prompt as Administrator and type netsh interface ip delete arpcache. Alternatively, arp -d clears all entries.

## Summary

The ARP table is a fundamental component of local network communication. It acts as a cache that maps IP addresses to MAC addresses, allowing devices to send data directly to the correct hardware destination without broadcasting for every packet. Understanding how the ARP table works is essential for network troubleshooting, security analysis, and certification success. 

 In exams such as the CompTIA Network+, Security+, and Cisco CCNA, the ARP table appears in theory questions, configuration scenarios, and troubleshooting simulations. You must know how to view, clear, and interpret the table, as well as understand the security implications of ARP poisoning. The ARP table is also the basis for understanding more advanced concepts like dynamic ARP inspection and neighbor discovery in IPv6. 

 The key takeaway for learners is that the ARP table is the bridge between Layer 3 (IP) and Layer 2 (MAC). It is a small but powerful piece of networking that makes local data transmission efficient. Practice viewing the ARP table on your own devices, experiment with clearing it, and observe how the network responds. This hands-on experience will solidify your understanding and help you ace exam questions related to this topic.

---

Practice questions and the full interactive page: https://courseiva.com/glossary/arp-table
