ARP: Address Resolution Protocol N10-009

Slide 1 of 10  |  N10-009 Obj 1.1  |  Chapter 2
ARP: The Bridge Between IP and MAC
How your computer finds the physical address behind every IP
A user reports they can reach the Internet but cannot access the file server at 10.0.1.50 on the local network. You check — the server IS up. Ping by IP fails. What is going on? ARP holds the answer.
10 Slides  |  N10-009 Obj 1.1  |  Data Link / Network Layer Concepts + Context
Slide 2 of 10
The Problem ARP Solves
You know the IP. Your NIC needs the MAC. These are two completely different address spaces.
What You Have: 10.0.1.50 (Layer 3 — Network)
IP addresses are logical. They identify a host on a routed network. Your application knows the destination IP from DNS or configuration. But IP alone cannot deliver a frame on Ethernet.
What You Need: AA:BB:CC:DD:EE:FF (Layer 2 — Data Link)
MAC addresses are physical. Every NIC has one burned in at manufacture. Ethernet frames use MAC addresses as source and destination. Without the MAC, the frame cannot be built and sent.
IP (L3) → ARP → MAC (L2)
The Gap
IP operates at Layer 3. Ethernet operates at Layer 2. When your PC wants to send data to 10.0.1.50, the IP stack hands a packet to the Ethernet layer. Ethernet says: "I need a MAC address, not an IP." ARP is the protocol that resolves this: it asks the network "who has this IP address?" and gets the MAC back. Without ARP, IP addresses would be useless on a local Ethernet network.
The file server at 10.0.1.50 is up. But somewhere between your PC building the Ethernet frame and the server receiving it, the address translation broke down. That is the ARP layer failing.
Slide 3 of 10
How ARP Works — Request & Reply
A broadcast question followed by a unicast answer. Simple, stateless, and unauthenticated.
Your PC (10.0.1.10, 00:AA:11:BB:22:CC) -- Broadcast --> All Devices (FF:FF:FF:FF:FF:FF, 10.0.1.x, everyone)
File Server (10.0.1.50, AA:BB:CC:DD:EE:FF) -- Unicast --> Your PC (00:AA:11:BB:22:CC)
Step 1 — Request
Your PC broadcasts: "Who has 10.0.1.50? Tell 10.0.1.10". The destination MAC is FF:FF:FF:FF:FF:FF, so every device on the segment receives this frame.
Step 2 — Everyone Checks
Every device on the subnet reads the broadcast. Each one checks its own IP. If it does not match, the frame is silently discarded. No reply.
Step 3 — Reply
The server at 10.0.1.50 responds directly to your MAC (unicast): "10.0.1.50 is at AA:BB:CC:DD:EE:FF." Nobody else receives this reply.
Step 4 — Cache Update
Your PC stores the mapping in its ARP cache: 10.0.1.50 → AA:BB:CC:DD:EE:FF. Future packets skip the broadcast and go direct.
Key rule: ARP Request = broadcast (FF:FF:FF:FF:FF:FF). ARP Reply = unicast (back to the requester's MAC only). This is a frequent exam question — do not confuse the two directions.
Slide 4 of 10
The ARP Cache
Your PC stores recent IP-to-MAC mappings to avoid broadcasting on every single packet.
C:\> arp -a
Interface: 10.0.1.10 --- 0x3
  Internet Address    Physical Address    Type
  10.0.1.1            00-11-22-33-44-55   dynamic
  10.0.1.50           aa-bb-cc-dd-ee-ff   dynamic
  10.0.1.255          ff-ff-ff-ff-ff-ff   static
  224.0.0.22          01-00-5e-00-00-16   static
Dynamic Entries
Learned via ARP request/reply. Expire automatically after 2-10 minutes (OS-dependent). When expired, a new ARP broadcast goes out before the next packet is sent. These are the normal, everyday entries.
Static Entries
Permanent — set manually or populated by the OS for broadcast and multicast addresses. Broadcast (FF:FF:FF:FF:FF:FF) and multicast addresses (01:00:5E:xx:xx:xx) are always static. Static entries do not expire and cannot be overwritten by ARP replies.

arp -a      View the ARP cache (Windows and Linux)
arp -d *    Clear all dynamic entries from the cache (Windows)
ip neigh    View the ARP / neighbor table on Linux
The file server at 10.0.1.50 had its NIC replaced yesterday. Your ARP cache still holds the old MAC address. Every Ethernet frame you send goes to the wrong hardware address and gets dropped. Run arp -d 10.0.1.50 to clear the stale entry. The next ping triggers a fresh ARP request and discovers the new MAC.
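The cache rules on this slide (dynamic entries age out, static entries are never overwritten by a reply, arp -d removes a stale mapping so the next packet triggers a fresh request) can be modelled in a few lines. The following is an added example written for this page, not code from the original slides or from any OS; the 120-second TTL, the fake clock, and the replacement MAC aa:bb:cc:00:11:22 are constructed values.

```python
import time


class FakeClock:
    """Constructed clock so the expiry behaviour can be driven deterministically."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class ArpCache:
    """Minimal model of a host ARP cache: dynamic entries age out, static ones never do."""

    def __init__(self, ttl_seconds=120, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self.entries = {}  # ip -> (mac, learned_at); learned_at is None for static entries

    def add_static(self, ip, mac):
        self.entries[ip] = (mac, None)

    def learn(self, ip, mac):
        """Called when an ARP reply (or GARP) arrives. Static entries are never overwritten."""
        current = self.entries.get(ip)
        if current is not None and current[1] is None:
            return False
        self.entries[ip] = (mac, self.clock())
        return True

    def lookup(self, ip):
        """Return the cached MAC, or None if missing or expired (an ARP request is needed)."""
        entry = self.entries.get(ip)
        if entry is None:
            return None
        mac, learned_at = entry
        if learned_at is not None and self.clock() - learned_at > self.ttl:
            del self.entries[ip]
            return None
        return mac

    def delete(self, ip=None):
        """arp -d <ip> removes one dynamic entry; arp -d * (ip=None) flushes all dynamic entries."""
        if ip is None:
            self.entries = {k: v for k, v in self.entries.items() if v[1] is None}
        else:
            entry = self.entries.get(ip)
            if entry is not None and entry[1] is not None:
                del self.entries[ip]


def stale_entry_scenario():
    """Walk through the slide's NIC-replacement story and return what the cache resolves at each step."""
    clock = FakeClock()
    cache = ArpCache(ttl_seconds=120, clock=clock)
    cache.add_static("10.0.1.255", "ff:ff:ff:ff:ff:ff")
    cache.learn("10.0.1.50", "aa:bb:cc:dd:ee:ff")        # mapping learned from the old NIC
    before = cache.lookup("10.0.1.50")                    # still the stale MAC after the swap
    cache.delete("10.0.1.50")                             # arp -d 10.0.1.50
    after_delete = cache.lookup("10.0.1.50")              # None: next ping sends an ARP request
    cache.learn("10.0.1.50", "aa:bb:cc:00:11:22")         # reply from the new NIC (constructed MAC)
    after_learn = cache.lookup("10.0.1.50")
    clock.advance(121)
    expired = cache.lookup("10.0.1.50")                   # dynamic entry aged out
    overwritten = cache.learn("10.0.1.255", "de:ad:be:ef:00:00")  # static entry refuses the update
    return before, after_delete, after_learn, expired, overwritten


if __name__ == "__main__":
    print(stale_entry_scenario())
```

The scenario returns the stale MAC first, None right after the delete, the new MAC once the reply is learned, None again after the TTL passes, and False for the attempt to overwrite the static broadcast entry.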
Slide 5 of 10
ARP and the Default Gateway
When the destination is on a different network, you never ARP for the remote IP. You ARP for the gateway.
Your PC (10.0.1.10) wants to reach 8.8.8.8
Gateway (ARP target): 10.0.1.1. Your PC ARPs for this IP, not for 8.8.8.8.
Internet: 8.8.8.8. Unreachable by ARP (different network).
Why? ARP is a Layer 2 mechanism. It only works within a single broadcast domain — your local subnet. 8.8.8.8 is on a completely different network. You cannot broadcast an ARP request across a router.

So your PC checks its routing table: "10.0.1.0/24 is local — ARP directly. Everything else — send to gateway 10.0.1.1." Your PC then ARPs for 10.0.1.1 to get the router's MAC address, builds a frame to the router's MAC, and the router takes it from there.
Exam tip: "You never ARP for a remote IP. You ARP for the next hop." The destination IP in the packet stays as 8.8.8.8 all the way — but the destination MAC in the Ethernet frame is the router's MAC, not Google's.
If your default gateway IP is wrong or its ARP entry is stale, you lose Internet connectivity even though your local network works fine. Always check the gateway's ARP entry when Internet is down but local access is fine.
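The routing-table decision described above (local prefix: ARP for the destination itself; anything else: ARP for the next hop, while the IP header keeps the real destination) is shown below as an added example written for this page, not code from the slides. The routing table, the ARP cache contents and the gateway MAC 00:11:22:33:44:55 are constructed; the lookup is a longest-prefix match, which generalises the slide's two-route case to any table.

```python
import ipaddress

# Constructed routing table for the PC at 10.0.1.10: (prefix, next hop); None means directly connected.
ROUTES = [
    ("0.0.0.0/0", "10.0.1.1"),   # default route via the gateway
    ("10.0.1.0/24", None),       # local subnet: ARP for the destination itself
]

# Constructed ARP cache as the PC would hold it after earlier resolutions.
ARP_CACHE = {
    "10.0.1.1": "00:11:22:33:44:55",
    "10.0.1.50": "aa:bb:cc:dd:ee:ff",
}


def arp_target(dst_ip, routes=ROUTES):
    """Return (ip to ARP for, matched prefix) using longest-prefix match."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_hop = None, None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    if best_net is None:
        raise LookupError(f"no route to {dst_ip}")
    return (dst_ip if best_hop is None else best_hop), str(best_net)


def frame_headers(dst_ip, arp_cache=ARP_CACHE, routes=ROUTES):
    """Layer 2 destination comes from the ARP target; the Layer 3 destination is unchanged."""
    next_hop, _ = arp_target(dst_ip, routes)
    mac = arp_cache.get(next_hop)
    if mac is None:
        raise LookupError(f"no ARP entry for {next_hop}: an ARP request for it would be sent first")
    return {"dst_mac": mac, "dst_ip": dst_ip}


if __name__ == "__main__":
    print(arp_target("8.8.8.8"))      # ('10.0.1.1', '0.0.0.0/0')
    print(arp_target("10.0.1.50"))    # ('10.0.1.50', '10.0.1.0/24')
    print(frame_headers("8.8.8.8"))   # dst_mac is the router's MAC, dst_ip stays 8.8.8.8
```

For 8.8.8.8 the frame carries the router's MAC but the packet still says 8.8.8.8; for 10.0.1.50 both addresses are the server's own.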
Slide 6 of 10
Gratuitous ARP (GARP)
A device announces its own IP-to-MAC mapping without being asked. Sent as a broadcast.
GARP Packet (Broadcast)
  Sender IP:   10.0.1.50
  Sender MAC:  AA:BB:CC:DD:EE:FF
  Target IP:   10.0.1.50 (same as sender)
  Destination: FF:FF:FF:FF:FF:FF
"Update your caches. I am 10.0.1.50. My MAC is now AA:BB:CC:DD:EE:FF."
When GARP Is Used
IP Conflict Detection — After acquiring an IP (via DHCP), a host sends a GARP. If any device replies, there is a conflict. The host backs off.
NIC Replacement — After swapping a NIC, the admin sends a GARP to push the new MAC to all neighbor caches without waiting for them to expire.
FHRP Failover (HSRP / VRRP) — When a standby router takes over the active role, it sends a GARP so all hosts update their gateway MAC to point at the new active router.
Load Balancer Virtual IPs — A VIP moving between cluster nodes triggers a GARP so traffic follows the new owner immediately.
After the server's NIC was replaced, the admin sends a GARP from the server. Every device on the segment immediately updates its ARP cache: 10.0.1.50 now maps to the new MAC. No one needs to wait for their stale entry to expire. Problem solved at the admin level.
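To make the request/reply direction rule from slide 3 and the GARP layout from this slide concrete, here is an added example that builds and parses the actual 42-byte Ethernet + ARP frames. It is written for this page and is not code from the slides; the addresses are the slide's own, and the choice to send the GARP as an ARP reply is an assumption (both request and reply forms are seen in practice; the defining feature is target IP equal to sender IP, sent to the broadcast MAC).

```python
import struct

ETH_P_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip, dst_mac):
    """Ethernet II header (dst, src, ethertype) followed by a 28-byte ARP body for IPv4 over Ethernet."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # htype=Ethernet, ptype=IPv4, hlen=6, plen=4
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


def arp_request(sender_mac, sender_ip, target_ip):
    """'Who has target_ip? Tell sender_ip': target MAC unknown (zeros), frame goes to broadcast."""
    return build_arp_frame(ARP_REQUEST, sender_mac, sender_ip, "00:00:00:00:00:00", target_ip, BROADCAST_MAC)


def arp_reply(sender_mac, sender_ip, requester_mac, requester_ip):
    """'sender_ip is at sender_mac': unicast straight back to the requester's MAC."""
    return build_arp_frame(ARP_REPLY, sender_mac, sender_ip, requester_mac, requester_ip, requester_mac)


def gratuitous_arp(sender_mac, sender_ip):
    """GARP: target IP equals sender IP, sent to broadcast so every neighbour refreshes its cache."""
    return build_arp_frame(ARP_REPLY, sender_mac, sender_ip, sender_mac, sender_ip, BROADCAST_MAC)


def parse_arp_frame(frame):
    """Decode a frame back into its fields; works on padded (60-byte) frames too since it slices."""
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    body = frame[22:42]
    info = {
        "dst_mac": bytes_to_mac(dst),
        "src_mac": bytes_to_mac(src),
        "opcode": opcode,
        "sender_mac": bytes_to_mac(body[0:6]),
        "sender_ip": bytes_to_ip(body[6:10]),
        "target_mac": bytes_to_mac(body[10:16]),
        "target_ip": bytes_to_ip(body[16:20]),
    }
    info["is_broadcast"] = info["dst_mac"] == BROADCAST_MAC
    info["is_gratuitous"] = info["sender_ip"] == info["target_ip"]
    return info


if __name__ == "__main__":
    req = arp_request("00:aa:11:bb:22:cc", "10.0.1.10", "10.0.1.50")
    rep = arp_reply("aa:bb:cc:dd:ee:ff", "10.0.1.50", "00:aa:11:bb:22:cc", "10.0.1.10")
    garp = gratuitous_arp("aa:bb:cc:dd:ee:ff", "10.0.1.50")
    for f in (req, rep, garp):
        print(parse_arp_frame(f))
```

Parsing the three frames shows the rule from the slides directly: the request and the GARP have dst_mac ff:ff:ff:ff:ff:ff, the reply has the requester's MAC, and only the GARP has sender_ip equal to target_ip.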
Slide 7 of 10
ARP Security — Spoofing & Poisoning
ARP has no authentication. Any device can claim any IP. That is a fundamental design weakness.
Normal Traffic Flow
PC → ARP for 10.0.1.1 → Router
Router → "10.0.1.1 is at 11:22:33:44:55:66" → PC
PC → frames to 11:22:33:44:55:66 → Router → Internet
Poisoned (ARP Spoof Attack)
Attacker → fake reply: "10.0.1.1 is at AA:BB:CC:00:00:01" → PC
PC overwrites cache: 10.0.1.1 = attacker MAC
PC → all traffic → Attacker → Router (MITM)
Enables: Man-in-the-middle (MITM) attacks, traffic interception, session hijacking, credential theft, and SSL stripping. The victim sees no disruption — traffic still flows, just through the attacker.
Dynamic ARP Inspection (DAI) on the switch — validates ARP packets against the DHCP Snooping binding table
DHCP Snooping — builds the trusted IP-MAC-port binding table that DAI checks against
Static ARP entries for critical hosts (the gateway) — cannot be overwritten by spoofed replies
Exam tip: ARP poisoning is a Layer 2 attack. Dynamic ARP Inspection (DAI) on the switch is the primary defense. DAI requires DHCP Snooping to be enabled first so it has a binding table to validate against.
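The check DAI performs is simple to state: an ARP packet arriving on an untrusted port is forwarded only if its sender IP/MAC pair matches the DHCP Snooping binding learned on that port; the uplink to the router is a trusted port and is not inspected. The following is an added example written for this page, not vendor code; the binding table, port names, the trusted uplink Gi0/24, and the sample packets (including the spoofed gateway reply from the slide) are all constructed.

```python
from collections import namedtuple

ArpPacket = namedtuple("ArpPacket", "port opcode sender_ip sender_mac target_ip")
Binding = namedtuple("Binding", "ip mac port")

# Constructed DHCP Snooping binding table: what the switch learned from DHCP offers/acks.
BINDINGS = {
    "10.0.1.10": Binding("10.0.1.10", "00:aa:11:bb:22:cc", "Gi0/1"),
    "10.0.1.50": Binding("10.0.1.50", "aa:bb:cc:dd:ee:ff", "Gi0/2"),
    "10.0.1.99": Binding("10.0.1.99", "aa:bb:cc:00:00:01", "Gi0/3"),
}
TRUSTED_PORTS = {"Gi0/24"}  # uplink to the router (10.0.1.1); DAI skips trusted ports


def inspect(pkt, bindings=BINDINGS, trusted=TRUSTED_PORTS):
    """Return (allow, reason). Untrusted ports must match IP, MAC and ingress port of a binding."""
    if pkt.port in trusted:
        return True, "trusted port"
    b = bindings.get(pkt.sender_ip)
    if b is None:
        return False, f"no binding for {pkt.sender_ip} on an untrusted port"
    if b.mac != pkt.sender_mac.lower():
        return False, f"{pkt.sender_ip} is bound to {b.mac}, packet claims {pkt.sender_mac}"
    if b.port != pkt.port:
        return False, f"{pkt.sender_ip} is bound to port {b.port}, packet arrived on {pkt.port}"
    return True, "matches binding"


# Constructed sample traffic: two legitimate replies and two that DAI should drop.
SAMPLE_PACKETS = [
    ArpPacket("Gi0/24", 2, "10.0.1.1", "11:22:33:44:55:66", "10.0.1.10"),   # real router, trusted uplink
    ArpPacket("Gi0/2", 2, "10.0.1.50", "aa:bb:cc:dd:ee:ff", "10.0.1.10"),   # file server, matches binding
    ArpPacket("Gi0/3", 2, "10.0.1.1", "aa:bb:cc:00:00:01", "10.0.1.10"),    # host on Gi0/3 claims the gateway IP
    ArpPacket("Gi0/3", 2, "10.0.1.50", "aa:bb:cc:00:00:01", "10.0.1.10"),   # host on Gi0/3 claims the server IP
]


def run(packets=SAMPLE_PACKETS):
    """Apply inspect() to each packet and return (port, sender_ip, allowed, reason) rows."""
    return [(p.port, p.sender_ip) + inspect(p) for p in packets]


if __name__ == "__main__":
    for row in run():
        print(row)
```

The two spoofed replies are dropped for different reasons: the gateway IP has no DHCP binding at all (the router is statically addressed, which is exactly why its port must be trusted rather than inspected), and the server IP is bound to a different MAC and port than the one the packet arrived on.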
Slide 8 of 10
Proxy ARP
A router answers ARP requests on behalf of hosts that live on a different subnet.
Host A (192.168.1.10): no default gateway configured
Router (Proxy ARP), 192.168.1.1 / 192.168.2.1: answers ARP for 192.168.2.x with its own MAC
Host B (192.168.2.50): on a different subnet
How It Works
Host A wants to reach 192.168.2.50. It has no default gateway configured, so it ARPs directly for that IP. Normally that broadcast cannot cross a subnet boundary. With Proxy ARP enabled, the router intercepts the request, checks its routing table, and replies with its own MAC address on behalf of 192.168.2.50. Host A sends traffic to the router's MAC, and the router forwards it to 192.168.2.50 normally. Host A never knows it is talking through a router.
Why it is generally bad practice: It masks misconfiguration (missing default gateway), inflates ARP tables, and can cause security or routing issues. Hosts should always have a properly configured default gateway. Proxy ARP is a bandage, not a solution.
no ip proxy-arp    Applied per interface. Disabled by default on modern IOS versions.
Slide 9 of 10
IPv6 — No More ARP
IPv6 replaced ARP entirely with Neighbor Discovery Protocol (NDP), which uses ICMPv6 and multicast.
IPv4 — ARP
  Protocol:      ARP (its own Layer 2/3 protocol)
  Request Type:  Ethernet Broadcast (FF:FF:FF:FF:FF:FF)
  Scope:         Entire broadcast domain receives every ARP request
  Security:      None — no authentication, trivially spoofed
  Scalability:   Broadcast storms in large flat networks
IPv6 — NDP (Neighbor Discovery Protocol)
  Protocol:      NDP — built on ICMPv6 (RFC 4861)
  Request Type:  Neighbor Solicitation — sent to the Solicited-Node Multicast address
  Scope:         Only the target device (and possibly a small multicast group) receives it
  Security:      Optional SEND (Secure Neighbor Discovery) with cryptographic signatures
  Scalability:   Multicast is far more efficient than broadcast at scale
Solicited-Node Multicast Address
When a device joins a network with IPv6 address 2001:db8::1234:5678, it automatically joins the multicast group FF02::1:FF34:5678 (last 24 bits of its address). Neighbor Solicitations go to that multicast group, so only the target device wakes up to process them. Far more efficient than blasting every device on the subnet.
Exam tip: IPv6 does NOT use ARP. It uses NDP with ICMPv6 Neighbor Solicitation messages. If an exam question says "ARP is used to resolve addresses in IPv6," that is false.
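The solicited-node derivation above is mechanical: take the low 24 bits of the unicast address and append them to the prefix FF02::1:FF00:0/104. The added example below implements that rule and also maps the resulting group to the Ethernet multicast MAC the NIC filters on (33:33 followed by the group's low 32 bits, per RFC 2464), which is what lets the NIC discard solicitations for other hosts without waking the stack. This is example code written for this page, not code from the slides; the addresses are the slide's own.

```python
import ipaddress


def solicited_node_multicast(addr):
    """FF02::1:FFxx:xxxx where xx:xxxx is the low 24 bits of the unicast address (RFC 4291)."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    group = (0xFF02 << 112) | (0x1FF << 24) | low24   # ff02:0:0:0:0:1:ff00:0 plus the 24 bits
    return str(ipaddress.IPv6Address(group))


def multicast_mac(group):
    """Ethernet address for an IPv6 multicast group: 33:33 + low 32 bits of the group (RFC 2464)."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> shift) & 0xFF:02x}" for shift in (24, 16, 8, 0))


def ns_targets(addr):
    """Both addresses a Neighbor Solicitation for addr is sent to: the IPv6 group and its MAC."""
    group = solicited_node_multicast(addr)
    return group, multicast_mac(group)


if __name__ == "__main__":
    print(ns_targets("2001:db8::1234:5678"))   # ('ff02::1:ff34:5678', '33:33:ff:34:56:78')
```

Two hosts whose addresses share the same low 24 bits land in the same group, which is the "possibly a small multicast group" caveat in the table above; every other host's NIC never sees the solicitation.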
Slide 10 of 10  |  N10-009 Obj 1.1
ARP: Solved
The file server's NIC was replaced yesterday. Your ARP cache still holds the old MAC address. Every Ethernet frame your PC builds uses that stale hardware address — the switch forwards it nowhere, the server never sees it, and ping fails. The server is up; the mapping is just wrong.

Run arp -d 10.0.1.50 to clear the stale entry. On the next ping, your PC broadcasts an ARP request: "Who has 10.0.1.50?" The server replies with its new MAC. Your PC caches the correct mapping. Frame is built, delivered, ping succeeds. Problem solved.
1. ARP resolves Layer 3 IP addresses to Layer 2 MAC addresses within a local broadcast domain.
2. ARP Request = broadcast (FF:FF:FF:FF:FF:FF). ARP Reply = unicast back to the requester only.
3. Dynamic ARP cache entries expire in 2-10 minutes. Clear stale entries with arp -d 10.0.1.50 or arp -d *.
4. For remote destinations, you ARP for the default gateway, not the destination IP. ARP cannot cross router boundaries.
5. ARP has no authentication — it is vulnerable to poisoning. Defense: DAI (Dynamic ARP Inspection) + DHCP Snooping on the switch. IPv6 replaced ARP with NDP.