ARP (Address Resolution Protocol) is the protocol that bridges Layer 2 and Layer 3 of the OSI model, which in the typical TCP/IP stack is effectively gluing together the Ethernet and Internet Protocol layers. This critical function allows for the discovery of a devices’ MAC (media access control) address based on its known IP address.

By extension, an ARP table is simply the method for storing the information discovered through ARP. It’s used to record the discovered MAC and IP address pairs of devices connected to a network. Each device that’s connected to a network has its own ARP table, responsible for storing the address pairs that a specific device has communicated with.

ARP is critical network communication, so pairs of MAC and IP addresses don’t need to be discovered (and rediscovered) for every data packet sent. Once a MAC and IP address pair is learned, it’s kept in the ARP table for a specified period of time.  If there’s no record on the ARP table for a specific IP address destination, ARP will need to send out a broadcast message to all devices in that specific subnet to determine what the receiver MAC address should be.

It trends 2024: industry report

Planning for the year ahead?

Find out how IT professionals are managing day-to-day operations, dealing with talent shortages, and preparing for future needs.

How ARP works

To fully wrap our heads around how the ARP table works, we need to start with a quick explanation of what MAC and IP addresses are, and how they relate to specific OSI model layers, namely Layer 2, the data link layer, and Layer 3, the network layer.

A MAC address is a unique ID assigned to every network-connected device by the manufacturer. It’s a 48-bit address that doesn’t change as the device moves from network to network. It’s used at the data link layer to handle device-to-device communication within the same network.

An IP address is a 32-bit address that’s assigned (either manually or through another service like DHCP) to a device when it’s connected to a network. It’s used at the network layer to communicate with devices both in and outside of the local network. While IP addresses are unique within a local network, they’re assigned logically, rather than physically, so a device’s IP address can change over time. This is why ARP is needed!

Let’s look at a simple example. Say you have a device (Host 1) that needs to communicate with another device (Host 2) on the same subnet. Host 1 will know Host 2’s IP address ( in our example), but to communicate with Host 2 directly, Host 1 also needs to know Host 2’s MAC address.

Enter the ARP table. Host 1 can use ARP to discover Host 2’s MAC address.

Since Host 1 doesn’t know exactly where Host 2 is, Host 1 broadcasts an ARP request to all the devices on the local subnet asking, “What’s the MAC address for Host 2’s IP address?”. All the hosts on the network will receive this broadcast message, and most will discard it – they’re not Host 2, so they don’t need to do anything. Host 2, however, will respond directly to Host 1 with, “What’s up? My MAC address is AB:CD:EF:01:23:45”.

Diagram of an ARP table function in a network

When Host 1 receives the reply, the MAC address for Host 2 is updated on Host 1’s ARP table so it knows how to reach Host 2 for the next message. Host 1 can now send the message.

As you can see, ARP is a necessary protocol to bridge Layer 2 and Layer 3. Without the ARP table recording these address pairs, every time devices sent packets to one another, they’d have to ask, “What’s your MAC address?”. This would really slow down network communication!

Difference between ARP and MAC table

It’s important to understand the difference between these two tables and the fundamental roles they play.

An ARP table is composed of devices’ IP and MAC addresses. The ARP table is built from the replies to the ARP requests, recorded before a packet is sent on the network.

The MAC address table, sometimes called a MAC Forwarding Table or Forwarding Database (FDB), holds information on the physical switch port a specific device is connected to. When a network switch is making packet switching decisions, the MAC table serves to answer which switch port a packet should be sent down.

While there are a lot of similarities between these two tables, they serve different purposes. Most importantly, MAC and ARP tables work on different OSI model layers. ARP tables map a Layer 3 address to a Layer 2 address configuration, while MAC tables map a Layer 2 address to a Layer 1 (physical layer) interface.

Some devices can have one, but not the other. For example, a device that operates at Layer 2 only, like a Layer 2 switch, will have a MAC address table, but no ARP table – it has no need to translate addresses between Layer 3 and Layer 2.

At any given time, you can view the status of either one of these tables through a device’s CLI or GUI. Network management tools such as Auvik also keep track of the contents of these tables in an easy-to-use format.

What’s contained in the ARP table

The most important data in an ARP table is the MAC and IP address pairs of the devices on the network. It also contains other valuable information, such as the specific interface a MAC address is connected to, and how long to keep the ARP entry within the table.

ARP table example

Let’s break down the table components above:

  • Neighbor: The IP address of another device connected to the same network.
  • Link layer address: The MAC address of the device connected to the same network.
  • Expire: A timer, counting down until the specific entry is no longer considered valid and is flushed (removed) from the ARP table.
  • Netif: The specific interface that a MAC address was discovered on.

ARP is widely used in IPv4 on Ethernet-compatible networks. For IP data carried over networks built on different data link layer protocols, different address mapping protocols will be defined. In IPv6 networks, for example, the ARP table’s functionality is provided instead by the Neighbor Discovery Protocol (NDP).

How to create ARP tables

ARP tables are often created automatically through the ARP call and response process discussed earlier. There may however be times when manual changes to the ARP table need to be made. Make sure you understand the impact these changes will have on the network, and make sure you follow the right process to add or remove manual entries, which may vary slightly from device to device.

ARP entries can be modified either through a CLI or through the device’s graphical user interface. The process for each will vary slightly, but generally, the steps and information required to modify the entries are similar.

Viewing an ARP table

How you view the ARP table on your device will depend on the specific device type and operating system.

On most systems that are *nix (UNIX and Linux flavors), a command prompt is required to access the ARP table. To display the ARP table in this system, enter “arp -a.” This command will also show the ARP table in the Windows command prompt.

Adding an ARP entry

To add an entry to the ARP table, select the “Add” option. You’ll need the following information to add an ARP entry:

  • Interface. This specifies which interface the IP and MAC address pair should be associated with.
  • MAC address. The MAC address of the device you are looking to add an entry for.
  • IP address. The IP address of the device you are looking to add an entry for.
  • Expiry: The period of time the entry should remain in the ARP table. For manual additions, this period would typically be indefinite. There may also be an option to simply specify a static (permanent) entry.

Modifying an ARP entry

There may be instances where you want to make changes to an ARP table, which you can do by modifying an ARP entry. You’ll need to specify which entry you’d like to edit. Generally, you’re able to edit any of the options that can be manually added.

Deleting an ARP entry

A single entry can be deleted from an ARP table if needed as well. To delete an ARP entry on the command line, most systems support a command similar to “arp -d ” to remove a specific entry.

You can then replace this entry with a manual one, or wait until the entry is repopulated with the next ARP request.

Deleting (flushing) an entire ARP table

A corrupted ARP table can sometimes be hectic and troublesome as it can stop a device from communicating on the network. While this may seem like a big deal, flushing the ARP cache is not that detrimental to the device – the table will simply be rebuilt through ARP requests. If you suspect an ARP issue, it’s fairly straightforward to clear the ARP table and have it rebuilt.

To delete the ARP cache using the command prompt option on Windows, you can use the same “arp -d ” command as before, but simply specify a wildcard “*” for the host. Alternatively, you can use “arp -a -d”, or the netsh command “netsh interface ip delete arpcache”.

On most Unix variants including MacOS you can use a similar “arp -a -d” command, and on many Linux machines you can use an IP utility that has a command such as “ip -s -s neigh flush all”.

Get templates for network assessment reports, presentations, pricing & more—designed just for MSPs.

Ebook cover - The Ultimate Guide to Selling Managed Network Services
  1. Kevin Trumbull Avatar
    Kevin Trumbull

    Regarding flushing the ARP cache, on Unix machines it’s “arp -d -a” on all Unix variants I’m aware of.

    Where you stated *nix, you should have specified “Linux” since AFAIK, it’s the only unix-like OS that uses this.

    1. Ryan LaFlamme Avatar

      “Hey Kevin! Thanks for pointing that out. We’ve made a few changes to the article to make it more clear which commands are used for which OS.”

  2. Andrew Avatar

    What protocols work with ARP tables?

    1. Steve Petryschuk Avatar
      Steve Petryschuk

      Hi Andrew – ARP is itself a protocol. Pretty well every device on a network leverages ARP to translate a Layer 3 IP address into a Layer 2 MAC address for a specific device. You can review the ARP tables on a specific device in a number of different ways, depending on what the device allows – though I wouldn’t call these protocols. Its more access methods. Most of the time, the data will be accessed via SNMP. Alternatively, you can review the data via command line, such as via SSH or (on Windows) PowerShell. Finally, some vendors have made ARP data available via API as well – although it will not be presented in the same “Table” format. Hope that helps.

Leave a Reply

Your email address will not be published. Required fields are marked *