Loading learning content...
When an application sends data to an IP address, the operating system knows the destination IP—but Ethernet frames require MAC addresses, not IP addresses. How does the sender determine the MAC address of the device behind that IP?
This is the address resolution problem, and its solution is one of the most fundamental operations in IP networking. The Address Resolution Protocol (ARP) provides this critical translation layer, dynamically discovering MAC addresses for known IP addresses on the local network.
Without address resolution, IP-based communication over Ethernet would be impossible. Every packet you send, every web request you make, every network connection you establish depends on this process working correctly—usually invisibly, in the background.
By the end of this page, you will understand the address resolution problem; how ARP works (requests, replies, caching); ARP table management; proxy ARP and gratuitous ARP; security implications including ARP spoofing attacks; and the IPv6 equivalent—Neighbor Discovery Protocol (NDP).
To understand why address resolution is necessary, we must recognize that IP addresses and MAC addresses serve different purposes at different network layers.
The fundamental disconnect:
| Property | IP Address (Layer 3) | MAC Address (Layer 2) |
|---|---|---|
| Purpose | End-to-end logical delivery | Hop-by-hop physical delivery |
| Scope | Global (routable across internet) | Local (single network segment) |
| Assignment | Configured or DHCP-assigned | Hardware burned-in or virtualized |
| Stability | May change on different networks | Generally permanent (per-device) |
| Who uses it | Routers, applications, OS stack | Switches, NICs, Ethernet frames |
The problem in action:
Consider sending a packet to 192.168.1.50:
The critical question: How do we find the MAC address for 192.168.1.50?
The answer: Address Resolution Protocol (ARP) for IPv4, or Neighbor Discovery Protocol (NDP) for IPv6.
Local vs remote destinations:
The resolution approach differs based on destination:
| Destination | IP Route Decision | ARP Resolution Target |
|---|---|---|
| Same subnet | Direct delivery | Destination IP's MAC |
| Different subnet | Send to gateway | Default gateway's MAC |
This means for remote destinations, we ARP for the router, not the final destination. The router then handles further resolution on its connected networks.
Before any ARP occurs, the IP layer compares the destination IP against its configured subnet. If the destination is local (same subnet), ARP finds the destination's MAC. If remote (different subnet), ARP finds the default gateway's MAC. This single decision determines the entire delivery path.
The Address Resolution Protocol (defined in RFC 826, 1982) uses a simple request-response mechanism to discover MAC addresses.
ARP message format:
+------------------+------------------+
| Hardware Type | Protocol Type |
| (2 bytes) | (2 bytes) |
+------------------+------------------+
| HW Addr Len | Proto Addr Len | Opcode |
| (1 byte) | (1 byte) | (2 bytes) |
+------------------+------------------+
| Sender Hardware Address (6 bytes) |
+-------------------------------------+
| Sender Protocol Address (4 bytes) |
+-------------------------------------+
| Target Hardware Address (6 bytes) |
+-------------------------------------+
| Target Protocol Address (4 bytes) |
+-------------------------------------+
Key field values:
| Field | Size | Typical Value | Meaning |
|---|---|---|---|
| Hardware Type | 2 bytes | 0x0001 | Ethernet |
| Protocol Type | 2 bytes | 0x0800 | IPv4 |
| Hardware Address Length | 1 byte | 6 | MAC = 6 bytes |
| Protocol Address Length | 1 byte | 4 | IPv4 = 4 bytes |
| Opcode | 2 bytes | 1 = Request, 2 = Reply | Message type |
| Sender HW Addr | 6 bytes | Sender's MAC | Source MAC address |
| Sender Proto Addr | 4 bytes | Sender's IP | Source IP address |
| Target HW Addr | 6 bytes | 00:00:00:00:00:00 (request) | Destination MAC (unknown in request) |
| Target Proto Addr | 4 bytes | Target IP | IP we're resolving |
ARP request-reply sequence:
Step 1: ARP Request (Broadcast)
Host A (192.168.1.10, MAC AA:AA:AA:00:00:01) wants to send to 192.168.1.50
Ethernet Frame:
Destination MAC: FF:FF:FF:FF:FF:FF (broadcast)
Source MAC: AA:AA:AA:00:00:01
EtherType: 0x0806 (ARP)
ARP Payload:
Opcode: 1 (Request)
Sender HW Addr: AA:AA:AA:00:00:01
Sender IP: 192.168.1.10
Target HW Addr: 00:00:00:00:00:00 (unknown - what we're asking)
Target IP: 192.168.1.50
Human readable: "Who has 192.168.1.50? Tell 192.168.1.10"
Step 2: All hosts receive the broadcast
Step 3: ARP Reply (Unicast)
Host D (192.168.1.50, MAC DD:DD:DD:00:00:04) responds:
Ethernet Frame:
Destination MAC: AA:AA:AA:00:00:01 (unicast to requester)
Source MAC: DD:DD:DD:00:00:04
EtherType: 0x0806 (ARP)
ARP Payload:
Opcode: 2 (Reply)
Sender HW Addr: DD:DD:DD:00:00:04
Sender IP: 192.168.1.50
Target HW Addr: AA:AA:AA:00:00:01
Target IP: 192.168.1.10
Human readable: "192.168.1.50 is at DD:DD:DD:00:00:04"
Step 4: Host A caches and sends
ARP broadcasts are Layer 2 and never cross routers. ARP only operates within a single broadcast domain (VLAN/subnet). This is why destination IP decision (local vs. remote) comes before ARP—if the destination is remote, we ARP for the router, not the remote host.
Every host maintains an ARP cache (also called ARP table) that stores recently resolved IP-to-MAC mappings. This cache is essential for performance—without it, every packet would require a broadcast ARP request.
ARP cache characteristics:
12345678910111213141516171819202122232425262728293031323334
# View ARP cache (modern method)ip neighbor show# Sample output:# 192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE# 192.168.1.50 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE # Legacy arp commandarp -a# Sample output:# ? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0 # View detailed ARP table with timingsip -s neighbor show # ARP entry states:# REACHABLE - Recently confirmed reachable# STALE - Entry is old, next use will trigger refresh# DELAY - Waiting for confirmation after STALE access# PROBE - Actively probing for confirmation# FAILED - Resolution failed (no response)# PERMANENT - Statically configured # Add static ARP entrysudo ip neighbor add 192.168.1.100 lladdr 00:11:22:33:44:55 nud permanent dev eth0 # Delete ARP entrysudo ip neighbor del 192.168.1.100 dev eth0 # Flush entire ARP cache (careful!)sudo ip neighbor flush all # ARP cache timeout settings (in /proc)cat /proc/sys/net/ipv4/neigh/eth0/gc_stale_time # Default: 60 secondscat /proc/sys/net/ipv4/neigh/eth0/base_reachable_time_ms # Reachable timeoutARP cache entry states explained:
| State | Description | Typical Duration |
|---|---|---|
| INCOMPLETE | ARP request sent, waiting for reply | Until reply or timeout |
| REACHABLE | Recently confirmed reachable | 30-60 seconds (varies) |
| STALE | Not recently confirmed; will refresh on use | Until accessed |
| DELAY | Accessed recent entry; waiting for confirmation | Few seconds |
| PROBE | Actively sending confirmations | Until reply or failure |
| FAILED | All probes failed; entry invalid | Until purged |
| PERMANENT | Statically configured; never expires | Forever (until removed) |
Static ARP entries can prevent ARP spoofing attacks but require manual maintenance. If the target device's MAC changes (hardware replacement, VM migration), the static entry becomes invalid, causing connectivity loss. Use static ARP only for critical, stable infrastructure (default gateway, DNS servers) where the security benefit outweighs the maintenance cost.
Beyond standard ARP requests and replies, several special ARP message types serve specific purposes.
1. Gratuitous ARP (GARP)
A gratuitous ARP is an ARP message sent without being requested, typically to announce or verify an address:
Gratuitous ARP Request/Announcement:
Sender IP: 192.168.1.50
Sender MAC: AA:BB:CC:DD:EE:FF
Target IP: 192.168.1.50 (same as sender!)
Target MAC: 00:00:00:00:00:00 or FF:FF:FF:FF:FF:FF
Gratuitous ARP purposes:
2. Proxy ARP
Proxy ARP occurs when a device (typically a router) responds to ARP requests on behalf of another host—usually because the requesting host has an incorrect subnet mask or the architecture requires it.
Proxy ARP scenario:
Host A: 192.168.1.10/24 (thinks entire .1.0 is local)
Host B: 192.168.1.200/24 (actually on different segment, behind router)
Router: Interface on 192.168.1.1, also connected to where Host B lives
When Host A ARPs for 192.168.1.200:
- Router recognizes it can reach 192.168.1.200
- Router responds with its OWN MAC address
- Host A sends packets to router's MAC, thinking it's reaching Host B
- Router forwards packets to actual Host B
Proxy ARP configuration (Cisco IOS):
interface GigabitEthernet0/0
ip proxy-arp ! Enable proxy ARP (often on by default)
!
! Or disable:
no ip proxy-arp
3. Reverse ARP (RARP) — Historical
RARP allowed diskless workstations to discover their IP address based on their MAC address. It's obsolete, replaced by BOOTP and then DHCP.
4. Inverse ARP (InARP)
Used in Frame Relay networks to discover the IP address associated with a known DLCI (virtual circuit identifier). The reverse of standard ARP.
While proxy ARP enables flexible addressing, it also enables certain attacks and obscures network boundaries. Many security guidelines recommend disabling proxy ARP on router interfaces unless specifically required.
ARP was designed in a more trusting era—it has no authentication. Any host on the network can claim any IP address, and other hosts will believe it. This fundamental weakness enables several attacks.
ARP Spoofing/Poisoning Attack:
An attacker sends fake ARP replies (or gratuitous ARPs) to redirect traffic:
Legitimate Network:
Gateway: 192.168.1.1 → MAC: GW:GW:GW:GW:GW:GW
Victim: 192.168.1.50 → MAC: VI:VI:VI:VI:VI:VI
Attacker: 192.168.1.99 → MAC: AT:AT:AT:AT:AT:AT
Attack Steps:
1. Attacker sends to Victim:
"192.168.1.1 is at AT:AT:AT:AT:AT:AT"
→ Victim updates cache: gateway = attacker's MAC
2. Attacker sends to Gateway:
"192.168.1.50 is at AT:AT:AT:AT:AT:AT"
→ Gateway updates cache: victim = attacker's MAC
3. Result: Attacker is now "man in the middle"
- All traffic from victim to internet goes through attacker
- All traffic from internet to victim goes through attacker
- Attacker can intercept, modify, or block traffic
ARP attack types:
| Attack | Description | Impact |
|---|---|---|
| ARP Spoofing | Send fake replies to redirect traffic | Man-in-the-middle, eavesdropping |
| ARP Cache Poisoning | Corrupt cache to misdirect traffic | Traffic interception, session hijacking |
| Gateway Impersonation | Claim to be the default gateway | Intercept all internet-bound traffic |
| ARP Flood/DoS | Overwhelm with ARP traffic | Switch CAM overflow, network disruption |
| Clone Attack | Duplicate legitimate MAC address | Connection hijacking, session theft |
Defense mechanisms:
1234567891011121314151617181920212223242526272829
! Dynamic ARP Inspection (DAI) configuration example ! Step 1: Enable DHCP snooping (DAI uses its binding table)ip dhcp snoopingip dhcp snooping vlan 10,20,30 ! Step 2: Configure trusted ports (uplinks, DHCP server)interface GigabitEthernet0/1 description Uplink to Distribution Switch ip dhcp snooping trust ip arp inspection trust!interface GigabitEthernet0/2 description DHCP Server ip dhcp snooping trust ip arp inspection trust ! Step 3: Enable DAI on VLANsip arp inspection vlan 10,20,30 ! Step 4: Configure rate limiting (prevent ARP floods)interface range GigabitEthernet0/3-24 description User Access Ports ip arp inspection limit rate 100 ! Drops ARP if > 100 per second ! Step 5: Verifyshow ip arp inspection vlan 10show ip arp inspection interfacesNo single mechanism fully prevents ARP attacks. Combine DAI, 802.1X, network monitoring, and encryption for robust security. Assume the local network may be hostile—especially on shared or guest networks—and encrypt sensitive communications.
IPv6 replaces ARP with the Neighbor Discovery Protocol (NDP), defined in RFC 4861. NDP runs over ICMPv6 and provides additional functionality beyond simple address resolution.
NDP message types:
| Type | Name | Function | Equivalent in IPv4 |
|---|---|---|---|
| 133 | Router Solicitation (RS) | Request router advertisements | N/A (DHCP used) |
| 134 | Router Advertisement (RA) | Router announces presence, prefix info | N/A (DHCP used) |
| 135 | Neighbor Solicitation (NS) | Request MAC for IPv6 address | ARP Request |
| 136 | Neighbor Advertisement (NA) | Response with MAC address | ARP Reply |
| 137 | Redirect | Inform host of better first hop | ICMP Redirect |
Neighbor Solicitation/Advertisement (Address Resolution):
Host A wants MAC for 2001:db8::50:
Neighbor Solicitation (NS):
Source IP: fe80::1 (Host A's link-local)
Destination IP: ff02::1:ff00:0050 (solicited-node multicast)
Target Address: 2001:db8::50
Neighbor Advertisement (NA):
Source IP: 2001:db8::50
Destination IP: fe80::1 (unicast to requester)
Target Address: 2001:db8::50
Target Link-Layer Address: AA:BB:CC:DD:EE:FF
Key differences from ARP:
| Feature | ARP (IPv4) | NDP (IPv6) |
|---|---|---|
| Transport | Raw Ethernet frames | ICMPv6 over IP |
| Security | None built-in | SEND (Secure ND) available |
| Solicitation scope | Broadcast (all hosts) | Multicast (specific group) |
| Router discovery | Separate (DHCP/manual) | Integrated (RA/RS) |
| DAD | Optional (RFC 5227) | Mandatory (Duplicate Address Detection) |
| Redirect | ICMP (separate) | Integrated |
12345678910111213141516
# View IPv6 neighbor cache (same command as IPv4)ip -6 neighbor show# Sample output:# fe80::1 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE# 2001:db8::50 dev eth0 lladdr aa:bb:cc:dd:ee:ff STALE # Add static IPv6 neighbor entrysudo ip -6 neighbor add 2001:db8::100 lladdr 00:11:22:33:44:55 dev eth0 # Delete entrysudo ip -6 neighbor del 2001:db8::100 dev eth0 # Monitor NDP messagessudo tcpdump -i eth0 icmp6# Look for types: Router Solicitation, Router Advertisement,# Neighbor Solicitation, Neighbor AdvertisementRFC 3971 defines Secure Neighbor Discovery (SEND), which uses cryptographic protection for NDP messages. However, SEND has seen limited deployment due to complexity and the availability of alternative security measures like RA Guard and DHCPv6 Guard on switches.
Address resolution issues cause 'destination unreachable' problems even when IP configuration appears correct. Here's a systematic approach to diagnosing ARP-related issues.
Common symptoms of ARP problems:
Diagnostic workflow:
| Step | Command/Action | What to Look For |
|---|---|---|
| ip neigh show or arp -a | Entry exists? State? Correct MAC? |
| Delete entry, ping again | Does resolution succeed now? |
| tcpdump -i eth0 arp | Request sent? Reply received? Multiple replies? |
| Check target host status | NIC active? IP correctly assigned? |
| Both hosts on same VLAN? | ARP won't cross VLANs/routers |
| show mac address-table | Switch knows where target MAC is? |
| Check ARP for conflicting MACs | Two hosts claiming same IP? |
Capturing ARP traffic for analysis:
123456789101112131415161718192021
# Capture all ARP trafficsudo tcpdump -i eth0 arp -n # Sample output for successful resolution:# 10:15:32.123456 ARP, Request who-has 192.168.1.50 tell 192.168.1.10# 10:15:32.123789 ARP, Reply 192.168.1.50 is-at aa:bb:cc:dd:ee:ff # Capture ARP for specific hostsudo tcpdump -i eth0 arp host 192.168.1.50 # Save to file for Wireshark analysissudo tcpdump -i eth0 arp -w /tmp/arp_capture.pcap # Watch for gratuitous ARP (same source and target IP)sudo tcpdump -i eth0 arp -n | grep -E "who-has ([0-9.]+) tell \1" # Monitor for potential spoofing (multiple MACs for one IP)# Use arpwatch daemon for continuous monitoringsudo apt install arpwatchsudo arpwatch -i eth0 -f /var/lib/arpwatch/arp.dat# Check /var/log/syslog for arpwatch alertsMany transient ARP issues resolve by clearing the cache entry and retrying: sudo ip neigh del 192.168.1.50 dev eth0 then ping 192.168.1.50. This forces a fresh ARP lookup and often resolves stale cache problems.
This page has provided a comprehensive examination of address resolution—the critical translation between Layer 3 IP addresses and Layer 2 MAC addresses. Let's consolidate the key points:
Module Complete:
This concludes Module 2: MAC Addressing. You have now mastered the fundamentals of MAC address format, unicast and broadcast addressing, address assignment mechanisms, OUI identification, and address resolution. These concepts are foundational for understanding Ethernet switching, network troubleshooting, and Layer 2 security.
Congratulations! You now understand the complete MAC addressing ecosystem—from the 48-bit format through assignment mechanisms, vendor identification via OUI, and the address resolution protocols that make IP-over-Ethernet communication possible. This knowledge is essential for network design, administration, security, and troubleshooting.