ARP (Address Resolution Protocol) is the protocol that bridges Layer 2 and Layer 3 of the OSI model. In the typical TCP/IP stack, this binds the Ethernet and Internet Protocol layers. This critical function allows for the discovery of a device’s MAC address based on its known IP address.

An ARP table is the method for storing the info discovered through the protocol. An ARP table is the method for storing the info discovered through the protocol. It’s used to record the discovered MAC and IP address pairs connected to a network. Each device that’s connected to a network has its own ARP table, and it stores address pairs that the specific device has communicated with.

ARP makes it so pairs of MAC and IP addresses don’t need to be rediscovered every time data is sent. Once a MAC and IP address pair is learned, it’s kept in the ARP table for a specified period of time. If there’s no record on the table for a specific IP address, ARP will need to send out a broadcast message. This is to all devices in that specific subnet to determine what the receiver MAC address should be.

How do ARP tables work?

We need to start with a quick explanation of what MAC and IP addresses are. Then look at how they relate to specific OSI model layers, Layer 2—the data link layer, and Layer 3—the network layer.

A MAC is a unique ID assigned to every network-connected device by its manufacturer. It’s a 48-bit address that doesn’t change as the device moves from network to network. It’s used at the data link layer to handle device-to-device communication.

An IP is a 32-bit address that’s assigned (either manually or with DHCP) to a device when it’s connected to a network. It’s used at the network layer to communicate with devices both in and outside of the local network. IP addresses are unique within a network but can change over time. This is why ARP, and ARP tables, exist!

Let’s look at a simple example. Say you have a device (Host 1) that needs to communicate with another device (Host 2) on the same subnet. Host 1 will know Host 2’s IP address (192.168.0.10 in our example). But to communicate with Host 2, Host 1 also needs to know Host 2’s MAC address.

Enter the ARP table. Host 1 can use ARP to discover Host 2’s MAC address.

Since Host 1 doesn’t know exactly where Host 2 is, Host 1 broadcasts an ARP protocol request to all the devices on the local subnet asking, “What’s the MAC address for Host 2’s IP address?”. All the hosts on the network will receive the message, and most will discard it. They’re not Host 2, so they don’t need to do anything. Host 2, though, will respond to Host 1 with, “What’s up? My MAC address is AB:CD:EF:01:23:45.”

Diagram of an ARP table function in a network

When Host 1 gets the reply, the MAC address for Host 2 updates on its ARP table. Now it knows how to reach Host 2 for the next message. Host 1 can now send the message.

As you can see, ARP is a necessary protocol to bridge Layer 2 and Layer 3. Without the ARP table recording these address pairs, every time devices sent packets to one another, they’d have to ask, “What’s your MAC address?”. This would slow down network communication!

Difference between ARP and MAC table

It’s important to understand the difference between these two tables and the fundamental roles they play.

An ARP table comprises devices’ IP and MAC addresses. The MAC table holds info on the physical switch port a specific device connects to. When a switch makes packet-switching decisions, the MAC table shows which port a packet should forward to.

While there are a lot of similarities between these two, they serve different purposes. MAC and ARP tables work on different OSI model layers. ARP tables map a Layer 3 address to a Layer 2 address configuration, and MAC tables map a Layer 2 address to a Layer 1 (physical layer) interface.

Some devices can have one, but not the other. For example, a device that operates at Layer 2 only, like a Layer 2 switch, will have a MAC address table, but no ARP table – it has no need to translate addresses between Layer 3 and Layer 2.

At any given time, you can view the status of either one of these tables through a device’s CLI or GUI. Network management tools such as Auvik also keep track of the contents of these tables in an easy-to-use format.

What’s contained in ARP tables?

The most important data in an ARP table is the MAC and IP address pairs of the devices on the network. It also contains the specific interface a MAC address is connected to, and how long to keep an ARP entry.

ARP table example

Let’s break down the table components above:

  • Neighbor: The IP address of another device on the same network.
  • Link layer address: The MAC address of the device on the same network.
  • Expire: A timer, counting down until the specific entry is no longer considered valid and is flushed from the ARP table.
  • Netif: The specific interface where the MAC address was discovered.

ARP is widely used in IPv4 on Ethernet-compatible networks. For IP data carried over networks built on different data link layer protocols, different address mapping protocols will be defined. In IPv6 networks, for example, the ARP table’s functionality is provided instead by the Neighbor Discovery Protocol (NDP).

How to create ARP tables

ARP tables are often created through the ARP call and response process discussed earlier. There may yet be times when manual changes to the ARP table need to happen. Make sure you understand the impact these changes will have on the network. And make sure you follow the right process to add or remove manual entries, which may vary from device to device.

You can change ARP entries through a CLI or through a device’s graphical user interface. The process for each will vary, but the steps and information required to change entries are similar.

Viewing an ARP table

How you view the ARP table on your device will depend on the specific device type and operating system.

On most systems that are *nix (UNIX and Linux flavors), use a command prompt to access the ARP table. To display the ARP table in this system, enter “arp -a.” This command will also show the ARP table in the Windows command prompt.

Adding an ARP entry

To add an entry to the ARP table, select the “Add” option. You’ll need the following information to add an ARP entry:

  • Interface. This specifies which interface the IP and MAC address pair associate with.
  • MAC address. The MAC address of the device you are looking to add an entry for.
  • IP address. The IP address of the device you are looking to add an entry for.
  • Expiry: The period of time the entry should remain in the ARP table. For manual additions, this period would be indefinite. There may also be an option to specify a static (permanent) entry.

Modifying an ARP entry

There may be instances where you want to make changes to an ARP table, which you can do by modifying an ARP entry. You’ll need to specify which entry you’d like to edit. Generally, you’re able to edit any of the options that can be added manually.

Deleting an ARP entry

To delete a single, most systems support a command like “arp -d ” to remove a specific entry. You can then replace this entry with a manual one, or wait until the entry is updates with the next ARP request.

Deleting (flushing) an entire ARP table

A corrupted ARP table can sometimes be hectic and troublesome. It can stop a device from communicating on the network. While this may seem like a big deal, flushing the ARP cache is not that detrimental to the device. The table will be rebuilt through ARP requests. If you suspect an ARP issue, it’s straightforward to clear the ARP table and have it rebuilt.

To delete the ARP cache using the command prompt option on Windows, use the same “arp -d ” command. But specify a wildcard “*” for the host. Or, you can use “arp -a -d”, or the netsh command “netsh interface ip delete arpcache”.

On most Unix variants including MacOS, you can use a similar “arp -a -d” command. And on many Linux machines you can use an IP utility that has a command such as “ip -s -s neigh flush all”.

Auvik logo

See Auvik in Action on Your Network

Deploy Auvik and monitor as many sites and devices as you like in this 14-day free trial.

START TRIAL

Auvik screenshot on laptop
Steve Petryschuk

About Steve Petryschuk

As Auvik’s Director of New Product Sales, Steve works with prospects, clients, and the IT community at large to identify, research, and analyze complex IT Operations challenges, helping guide the Auvik roadmap to better serve the IT community.


4 comments on “What is an ARP Table?”

  1. Kevin Trumbull says:

    Regarding flushing the ARP cache, on Unix machines it’s “arp -d -a” on all Unix variants I’m aware of.

    Where you stated *nix, you should have specified “Linux” since AFAIK, it’s the only unix-like OS that uses this.

    1. “Hey Kevin! Thanks for pointing that out. We’ve made a few changes to the article to make it more clear which commands are used for which OS.”

  2. Andrew says:

    What protocols work with ARP tables?

    1. Hi Andrew – ARP is itself a protocol. Pretty well every device on a network leverages ARP to translate a Layer 3 IP address into a Layer 2 MAC address for a specific device. You can review the ARP tables on a specific device in a number of different ways, depending on what the device allows – though I wouldn’t call these protocols. Its more access methods. Most of the time, the data will be accessed via SNMP. Alternatively, you can review the data via command line, such as via SSH or (on Windows) PowerShell. Finally, some vendors have made ARP data available via API as well – although it will not be presented in the same “Table” format. Hope that helps.

Leave a comment

Got something to say? Name and email are required, but don't worry, we won't publish your email address.

*