ipdetecto.com
Apr 13, 2026

How ARP Maps IP Addresses to MAC Addresses: The Complete Flow

ARP (Address Resolution Protocol) translates IP addresses into MAC addresses so packets can be delivered on local network segments. Understanding the ARP process, caching, and ARP spoofing is essential for any network engineer.

The Gap Between IP and Hardware

IP addresses exist in software. They are logical identifiers that the network layer assigns to interfaces. MAC addresses exist in hardware. They are physical identifiers burned into (or programmatically assigned to) network interface cards. When you want to send data from one device to another on the same network segment, you need to know the MAC address of the destination—because Ethernet switches and Wi-Fi access points forward frames based on MAC addresses, not IP addresses.

The problem is that applications work with IP addresses. Your browser connects to 192.168.1.1; it has no idea what the MAC address of that IP is. ARP (Address Resolution Protocol), defined in RFC 826 in 1982, bridges this gap. It is the protocol that answers the question: "I know the IP address. What is the corresponding MAC address?"

ARP is one of the most active protocols on any local network, yet most people never think about it. Every time you access a new device on your LAN for the first time—a new printer, a freshly booted server, any device whose ARP cache entry has expired—ARP fires off before your actual data can move.

The Four-Step ARP Resolution Process

The complete ARP flow when Computer A (IP: 192.168.1.10, MAC: AA:BB:CC:DD:EE:01) wants to reach Computer B (IP: 192.168.1.20):

  1. Check the ARP cache: Before sending any ARP message, Computer A checks its local ARP cache (viewable with arp -a on Windows/Linux). The cache stores recent IP-to-MAC resolutions with a timeout (typically 20 minutes on Linux, ~2 minutes on Windows by default). If 192.168.1.20 is in the cache with a valid entry, the ARP request is skipped entirely and the frame is sent immediately using the cached MAC.
  2. ARP Request broadcast: If there is no cache entry, Computer A constructs an ARP Request message and broadcasts it on the local segment. The destination MAC in the Ethernet frame header is the broadcast address FF:FF:FF:FF:FF:FF, which every device on the segment will receive and process. The message content states: "I am 192.168.1.10 with MAC AA:BB:CC:DD:EE:01. Who has 192.168.1.20? Tell me your MAC address."
  3. ARP Reply: Every device on the segment receives the broadcast. Computer B recognizes its own IP in the request and sends a unicast ARP Reply directly to Computer A. The reply states: "I am 192.168.1.20, my MAC address is AA:BB:CC:DD:EE:02." All other devices discard the broadcast without responding.
  4. Cache update and data transmission: Computer A receives the reply, stores the mapping (192.168.1.20 → AA:BB:CC:DD:EE:02) in its ARP cache, and transmits the original data frame with the now-known destination MAC address.

The entire resolution process typically completes in under 1 millisecond on a local network. It is nearly invisible in normal operation but becomes apparent when the cache is cold (freshly booted device) or after ARP entries expire.

ARP Packet Structure

An ARP packet is not transported inside an IP header—it rides directly in an Ethernet frame with EtherType 0x0806. The key fields are:

  • Hardware type (HTYPE): Identifies the network type. Value 1 means Ethernet.
  • Protocol type (PTYPE): Identifies the protocol being resolved. Value 0x0800 means IPv4.
  • Hardware address length (HLEN): 6 bytes for Ethernet MAC addresses.
  • Protocol address length (PLEN): 4 bytes for IPv4 addresses.
  • Operation code (OPER): 1 for ARP Request, 2 for ARP Reply.
  • Sender hardware address (SHA): MAC address of the sender.
  • Sender protocol address (SPA): IP address of the sender.
  • Target hardware address (THA): MAC address of the target (all zeros in a request).
  • Target protocol address (TPA): IP address being queried.
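The field layout above, turned into a parser, as an added example (not code from the original page). It decodes an untagged Ethernet frame, rejects anything that is not Ethernet/IPv4 ARP, and is run on a constructed sample: the ARP Request from step 2 of the resolution flow.

```python
import ipaddress
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806


@dataclass
class ArpPacket:
    eth_dst: str  # destination MAC from the Ethernet header
    eth_src: str  # source MAC from the Ethernet header
    oper: int     # 1 = ARP Request, 2 = ARP Reply
    sha: str
    spa: str
    tha: str
    tpa: str


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def _ip(raw: bytes) -> str:
    return str(ipaddress.IPv4Address(raw))


def parse_arp_frame(frame: bytes) -> ArpPacket:
    """Parse an untagged Ethernet frame carrying an Ethernet/IPv4 ARP packet."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"EtherType 0x{ethertype:04x} is not ARP")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if oper not in (1, 2):
        raise ValueError(f"unexpected OPER value {oper}")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpPacket(_mac(dst), _mac(src), oper,
                     _mac(sha), _ip(spa), _mac(tha), _ip(tpa))


# Constructed sample: Computer A (192.168.1.10, AA:BB:CC:DD:EE:01)
# broadcasting "who has 192.168.1.20?"
SAMPLE_REQUEST = bytes.fromhex(
    "ffffffffffff" "aabbccddee01" "0806"      # Ethernet: dst, src, EtherType
    "0001" "0800" "06" "04" "0001"            # HTYPE, PTYPE, HLEN, PLEN, OPER
    "aabbccddee01" "c0a8010a"                 # SHA, SPA
    "000000000000" "c0a80114"                 # THA (zeros in a request), TPA
)

if __name__ == "__main__":
    print(parse_arp_frame(SAMPLE_REQUEST))
```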

Gratuitous ARP

A gratuitous ARP (GARP) is an ARP Reply sent without any preceding ARP Request. A device sends a GARP to announce its own IP-to-MAC mapping to all devices on the segment. GARPs are used for:

  • Duplicate IP detection: After a device configures its IP, it sends a GARP. If any other device has the same IP, it will respond, alerting the sender to the conflict.
  • Cache updates after failover: When a router or server fails over to a standby with a different MAC address but the same IP, the standby sends a GARP to force all devices on the segment to update their ARP caches with the new MAC. This is how VRRP and HSRP implementations signal failover.
  • Load balancer virtual IP announcements: When a virtual IP migrates between cluster nodes, the new node sends a GARP to update the network.

Proxy ARP

When a router has Proxy ARP enabled, it responds to ARP requests on behalf of hosts on other networks. If Computer A asks for the MAC of an IP on a different subnet and the router has a route to that IP, the router responds with its own MAC address. Computer A sends all traffic for that remote IP to the router, which then forwards it normally.

Proxy ARP allows hosts without a configured default gateway to reach remote networks. It is enabled by default on many Cisco interfaces but should generally be disabled in well-designed networks where all hosts have proper default gateways configured, because it masks subnet boundary problems and increases ARP traffic.

ARP in Switched vs Routed Networks

Scenario | ARP Behavior | Notes
--- | --- | ---
Same subnet, same switch | Full ARP resolution between hosts | Switch learns MACs and forwards frames based on MAC table
Same subnet, different switches | ARP broadcast floods across trunk links to reach all ports in the VLAN | STP must be correctly configured to prevent broadcast storms
Different subnets (routed) | Host ARPs for the default gateway MAC; gateway routes to destination subnet and ARPs for final host | IP address never directly resolved across router; only MAC of next-hop changes at each Layer 3 hop
VLAN with SVI (Layer 3 switch) | Layer 3 switch resolves ARP per-VLAN, routes between SVIs internally | Same behavior as routing through a separate router; ARP table maintained per VLAN

ARP Spoofing: The Security Vulnerability

ARP has no authentication mechanism. When a device receives an ARP Reply (or a gratuitous ARP), it updates its cache without verifying that the sender actually owns the claimed IP address. This trust is exploited by ARP spoofing (also called ARP poisoning).

An attacker sends unsolicited ARP Replies claiming to be both the default gateway and a target host simultaneously. Computer A updates its cache to map the gateway's IP to the attacker's MAC. The gateway updates its cache to map Computer A's IP to the attacker's MAC. All traffic between Computer A and the gateway now passes through the attacker's machine, where the attacker can read, modify, or forward it: a classic man-in-the-middle attack.

On a switched network with 802.1Q trunking, ARP poisoning only affects the broadcast domain (VLAN) the attacker is in. Cross-VLAN attacks require router compromise. The defenses against ARP spoofing include:

  • Dynamic ARP Inspection (DAI): A switch feature that validates ARP packets against the DHCP snooping binding table. ARP Replies with IP-MAC mappings that don't match the binding table are dropped.
  • Static ARP entries: Manually configured ARP entries cannot be overwritten by incoming ARP packets. Practical only for small, static environments like a management VLAN with a handful of devices.
  • 802.1X port authentication: While not ARP-specific, authenticating devices before allowing them network access limits who can send ARP traffic on the segment.
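A toy model of the DAI check, as an added example (not code from the original page or from any switch vendor). It shows the same pair of ARP Replies reaching a host cache with and without inspection. The gateway MAC, the host at 192.168.1.66, and the port names are constructed, and the gateway is assumed to have a row in the binding table.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One row of a DHCP snooping binding table."""
    ip: str
    mac: str
    port: str


class DaiSwitch:
    """Simplified Dynamic ARP Inspection on an access switch."""

    def __init__(self, bindings):
        self.by_ip = {b.ip: b for b in bindings}
        self.dropped = []  # (port, claimed IP, claimed MAC) per rejected packet

    def inspect(self, port, spa, sha):
        """Return True to forward an ARP packet, False to drop it."""
        b = self.by_ip.get(spa)
        ok = b is not None and b.mac == sha.lower() and b.port == port
        if not ok:
            self.dropped.append((port, spa, sha.lower()))
        return ok


def deliver(cache, port, spa, sha, switch=None):
    """A host cache accepts any reply that reaches it; only the switch filters."""
    if switch is None or switch.inspect(port, spa, sha):
        cache[spa] = sha.lower()


# Constructed sample data.
BINDINGS = [
    Binding("192.168.1.1", "aa:bb:cc:dd:ee:fe", "Gi0/1"),   # default gateway
    Binding("192.168.1.10", "aa:bb:cc:dd:ee:01", "Gi0/2"),  # Computer A
    Binding("192.168.1.66", "aa:bb:cc:dd:ee:66", "Gi0/3"),  # another host
]
# ARP Replies as (ingress port, SPA, SHA): the genuine gateway reply,
# then a reply from Gi0/3 that claims the gateway's IP.
REPLIES = [
    ("Gi0/1", "192.168.1.1", "aa:bb:cc:dd:ee:fe"),
    ("Gi0/3", "192.168.1.1", "aa:bb:cc:dd:ee:66"),
]


def run(with_dai):
    """Replay REPLIES toward Computer A; return (resulting cache, dropped list)."""
    switch = DaiSwitch(BINDINGS) if with_dai else None
    cache = {}
    for port, spa, sha in REPLIES:
        deliver(cache, port, spa, sha, switch)
    return cache, (switch.dropped if switch else [])
```

Without inspection the later reply overwrites the gateway entry; with inspection the cache keeps the gateway's real MAC and the switch records the drop.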

Common Misconceptions

Your ISP can see your ARP traffic

ARP messages never cross a router. Routers operate at Layer 3 and forward IP packets. ARP operates at Layer 2 and is confined to a single broadcast domain. Your router terminates ARP on the LAN side and issues its own ARP messages when communicating with your ISP's equipment. Your ISP has no visibility into ARP exchanges inside your home or office network.

ARP works between different subnets

ARP resolves addresses within a broadcast domain. A router boundary separates broadcast domains. If you are on 192.168.1.0/24 and want to reach 192.168.2.0/24, ARP cannot span the router. Your device ARPs for the router's MAC (its default gateway), and the router handles routing to the other subnet and issues its own ARP on that segment.

Disabling ARP will improve security

Disabling ARP on a network segment prevents all communication between devices on that segment. There is no practical way to run a standard LAN without ARP. Security controls for ARP should be applied at the switch level (DAI, IP Source Guard) rather than by disabling ARP itself.

IPv6 uses ARP

IPv6 replaces ARP with NDP (Neighbor Discovery Protocol), which uses ICMPv6 messages instead. Specifically, Neighbor Solicitation messages (ICMPv6 Type 135) replace ARP Requests, and Neighbor Advertisement messages (ICMPv6 Type 136) replace ARP Replies. NDP is multicast-based rather than broadcast-based, reducing the flooding behavior that makes large ARP broadcast domains expensive.

Pro Tips for Working With ARP

  • Use 'arp -a' and 'ip neigh' to diagnose local connectivity problems. If a device shows a valid IP route but connections fail, check whether the ARP entry for the next-hop is in a 'REACHABLE', 'STALE', or 'INCOMPLETE' state. An INCOMPLETE entry means ARP resolution is failing—the device may be down or there is a Layer 2 connectivity problem.
  • Clear ARP caches manually after IP address changes. When you reassign an IP address from one device to another, stale ARP cache entries on other hosts will continue sending traffic to the old MAC address for up to 20 minutes. Use arp -d (Windows/Linux) or send a GARP from the new device to force immediate cache updates.
  • Enable DAI on all access-layer switches in production networks. ARP spoofing is a trivially easy attack requiring only a laptop with a tool like arpspoof or Ettercap. DAI blocks it at the switch level with no performance impact on modern hardware.
  • Monitor ARP table size on large flat networks. A single VLAN with thousands of devices generates significant ARP broadcast traffic. If your ARP table on the default gateway router is growing toward its hardware limit, it is time to segment the network into smaller VLANs with inter-VLAN routing.
  • In VMware and other hypervisor environments, check for ARP suppression. NSX-T and other SDN platforms implement ARP suppression at the virtual switch layer, where the controller responds to ARP requests using cached entries instead of flooding broadcasts. This dramatically reduces ARP traffic in large-scale virtual environments.
  • Document known ARP table anomalies during incident response. During a security incident, compare current ARP tables against a known-good baseline. Conflicting IP-to-MAC entries where the IP is the default gateway but the MAC differs from your router's actual MAC are a textbook ARP poisoning indicator.
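The baseline comparison from the last tip, as an added example (not code from the original page). It parses `ip neigh` output and reports entries whose MAC differs from a known-good baseline, MACs that answer for more than one IP, and unresolved entries. The neighbor table, the baseline, and the finding labels are constructed.

```python
import re
from collections import defaultdict

# One line of `ip neigh` output: IP, device, optional lladdr, trailing state.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>[0-9A-Fa-f:]{17}))?"
    r".*?\s(?P<state>[A-Z]+)\s*$"
)


def parse_neigh(text):
    """Return (ip, mac or None, state) for each recognisable line."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            mac = m["mac"].lower() if m["mac"] else None
            entries.append((m["ip"], mac, m["state"]))
    return entries


def audit_neighbors(text, baseline):
    """Compare a neighbor table with a known-good {ip: mac} baseline."""
    findings = []
    by_mac = defaultdict(set)
    for ip, mac, state in parse_neigh(text):
        if mac is None:  # INCOMPLETE / FAILED: no reply was received
            findings.append(("unresolved", ip, state))
            continue
        by_mac[mac].add(ip)
        expected = baseline.get(ip)
        if expected and expected.lower() != mac:
            findings.append(("mac-changed", ip, f"{expected.lower()} -> {mac}"))
    # One MAC answering for several IPs is a heuristic, not proof: proxy ARP
    # and hosts with secondary addresses produce the same pattern.
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("shared-mac", mac, ",".join(sorted(ips))))
    return findings


# Constructed sample: neighbor table captured during an incident.
SAMPLE_NEIGH = """
192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:99 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:02 STALE
192.168.1.30 dev eth0  INCOMPLETE
192.168.1.40 dev eth0 lladdr aa:bb:cc:dd:ee:99 REACHABLE
"""
# Constructed known-good baseline; 192.168.1.1 is the default gateway.
BASELINE = {"192.168.1.1": "aa:bb:cc:dd:ee:fe",
            "192.168.1.20": "aa:bb:cc:dd:ee:02"}

if __name__ == "__main__":
    for finding in audit_neighbors(SAMPLE_NEIGH, BASELINE):
        print(finding)
```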

ARP is the invisible glue between the logical IP layer and the physical Ethernet layer. Most of the time it works perfectly and you never need to think about it. But when it fails—due to bugs, misconfiguration, or attack—it prevents all communication on the affected segment regardless of how perfect your IP routing is.

Frequently Asked Questions

Q. What is ARP and what does it do?

ARP (Address Resolution Protocol) is defined in RFC 826 and maps IP addresses to MAC addresses on local network segments. When a device knows the IP address of another host on the same subnet but needs the MAC address to construct an Ethernet frame, it uses ARP to discover it. Without ARP, IP packets cannot be delivered at the hardware level.

Q. What is the ARP cache and how long do entries last?

The ARP cache stores recent IP-to-MAC address mappings to avoid repeated ARP requests for frequently contacted devices. Entry timeout varies by operating system: Linux defaults to approximately 20 minutes for reachable entries, Windows typically 2 minutes. You can view ARP cache contents with 'arp -a' on both Windows and Linux.

Q. Does ARP work between different subnets?

No. ARP operates within a single broadcast domain (subnet). When traffic must cross a router, the sender ARPs for the router's MAC address (the default gateway), not the final destination's MAC. The router then performs its own ARP on the destination subnet to find the target host's MAC.

Q. What is a gratuitous ARP?

A gratuitous ARP (GARP) is an unsolicited ARP Reply sent by a device announcing its own IP-to-MAC mapping to all hosts on the segment. GARPs are used for duplicate IP detection during startup, to force cache updates after failover events in VRRP/HSRP clusters, and when virtual IPs migrate between load balancer nodes.

Q. What is ARP spoofing?

ARP spoofing (or ARP poisoning) is an attack where a malicious host sends unsolicited ARP Replies claiming to be a legitimate device (usually the default gateway). Victims update their ARP caches with the attacker's MAC mapped to the gateway's IP, causing all their traffic to be redirected through the attacker's machine for interception or modification.

Q. How does Dynamic ARP Inspection (DAI) protect against ARP spoofing?

DAI is a switch feature that validates ARP packets against the DHCP snooping binding table. When a device sends an ARP Reply, the switch checks whether the claimed IP-to-MAC mapping matches the binding table entry for that port. Replies with inconsistent mappings (spoofed) are dropped before they can update other devices' ARP caches.

Q. Does my ISP see my ARP traffic?

No. ARP is a Layer 2 protocol confined to a single broadcast domain. Your router terminates ARP on your local network and never forwards ARP messages to your ISP. Traffic leaving your router toward the ISP is pure IP—all ARP resolution has already happened within your local network.

Q. What replaces ARP in IPv6?

IPv6 uses NDP (Neighbor Discovery Protocol) instead of ARP. NDP uses ICMPv6 Neighbor Solicitation (Type 135) and Neighbor Advertisement (Type 136) messages. Unlike ARP, NDP is multicast-based rather than broadcast-based, which reduces flooding on large segments and makes the protocol more efficient.

Q. What is Proxy ARP?

Proxy ARP allows a router to respond to ARP requests on behalf of hosts on other networks. If a host without a default gateway configured asks who has an IP on another subnet, the router replies with its own MAC. The host sends traffic to the router, which forwards it. Proxy ARP should generally be disabled in well-designed networks where all hosts have proper gateways.

Q. Why do I sometimes see 'INCOMPLETE' entries in the ARP table?

An INCOMPLETE entry means the device sent an ARP Request but received no reply. The most common causes are: the target device is powered off, a firewall is blocking ARP or ICMP on the target, a Layer 2 connectivity problem prevents the broadcast from reaching the target, or the target IP does not exist on that subnet. INCOMPLETE entries resolve or expire within seconds.

Q. How does ARP behavior differ in a VLAN environment?

Each VLAN is a separate broadcast domain. ARP broadcasts sent in one VLAN are not seen by devices in other VLANs. A Layer 3 switch or router routes between VLANs and maintains separate ARP tables per VLAN interface. Traffic crossing VLAN boundaries requires the MAC of the router/SVI interface, which is resolved via ARP within each VLAN.

Q. What is RARP and is it still used?

RARP (Reverse ARP) performed the opposite of ARP: given a MAC address, it returned an IP address. It was used for diskless workstations to discover their IP at boot. RARP was obsoleted by BOOTP and then DHCP, which provide more information and work across routers. RARP is effectively extinct in modern networks.

Q. How do I clear the ARP cache on Linux and Windows?

On Linux, use 'ip neigh flush all' or 'arp -d IP_ADDRESS' to remove specific entries. On Windows, use 'arp -d *' to clear all entries or 'arp -d IP_ADDRESS' for a specific entry. Administrative privileges are required. After clearing, ARP will re-resolve entries as needed when communication resumes.