How ARP Resolves IP to MAC Addresses and Secures Your Network
This article explains the ARP protocol's role in translating IPv4 addresses to MAC addresses, details its packet structure, operation flow, security risks like spoofing and MAC conflicts, and provides Linux commands and configuration tips for managing ARP, Proxy ARP, ARP Probe, and Gratuitous ARP.
ARP Address Resolution Protocol
In Ethernet each network interface card (NIC) has a unique MAC address, while hosts communicate using IP addresses. When a host needs to send data it must resolve the destination IP to a MAC address.
Early Ethernet required static MAC‑IP mappings, which was error‑prone and hard to maintain. ARP (Address Resolution Protocol) was introduced to automate this mapping, simplifying network management. ARP was first specified in 1982 and documented in RFC 826. IPv6 replaces ARP with Neighbor Discovery Protocol (NDP).
Every host maintains an ARP table (cache) that stores recent IP‑to‑MAC mappings.
When a host receives a frame it checks the destination MAC: frames addressed to its own MAC, to the broadcast address FF:FF:FF:FF:FF:FF, or to a multicast group it has joined are processed; everything else is discarded by the NIC (unless the interface is in promiscuous mode, as on a packet sniffer).
When a host wants to send a frame it knows the destination IP but not the MAC, so it broadcasts an ARP request to discover the corresponding MAC address.
ARP is primarily used in Ethernet LANs; point‑to‑point links without MAC addresses do not require ARP.
ARP Protocol Stack
An ARP message is carried directly in the payload of an Ethernet frame (EtherType 0x0806), so the stack is only two layers: the Ethernet frame header and the ARP message itself.
Frame Header
dstMAC (6 Byte) : Destination MAC. In an ARP request this is FF:FF:FF:FF:FF:FF, the broadcast address; in a reply it is the requester's MAC.
srcMAC (6 Byte) : MAC address of the sending host.
Type (2 Byte) : EtherType, indicating the payload type.
ARP Type: 0x0806
IP Type: 0x0800
Frame Data
ARP Header
Hardware type : Network type, typically 1 for Ethernet (MAC).
Protocol type : Upper‑layer protocol, usually 0x0800 for IPv4.
Hardware size : Size of hardware address; 6 Byte for MAC.
Protocol size : Size of protocol address; 4 Byte for IPv4.
Opcode : Operation code of the ARP message.
1 – ARP Request
2 – ARP Reply
3 – RARP Request
4 – RARP Reply
ARP Data
Sender MAC address : MAC of the ARP sender.
Target MAC address : MAC of the ARP target; set to all zeros in a request.
Sender IP address : IP of the ARP sender.
Target IP address : IP of the ARP target.
Because the ARP header + data is only 28 Byte and an Ethernet payload must be at least 46 Byte, the sender appends 18 Byte of zero padding, giving the minimum frame size of 60 Byte (before the 4 Byte FCS the NIC adds).
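The layout above, as an added example that is not part of the original article: a builder that packs an ARP request or reply into a padded Ethernet frame, and a parser that decodes one back and rejects anything that is not Ethernet/IPv4 ARP. The MAC addresses used in the demo are constructed; the IPs are those of the worked example below.

```python
import struct
import ipaddress

ETHERTYPE_ARP = 0x0806
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
MIN_FRAME_LEN = 60  # 14-byte header + 46-byte minimum payload; the 4-byte FCS is added by the NIC


def mac_to_bytes(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff or AA-BB-CC-DD-EE-FF."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    return raw


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """Build one Ethernet frame carrying an ARP message, padded to the 60-byte minimum.

    A request is broadcast unless dst_mac is given; a reply is unicast to target_mac.
    """
    if dst_mac is None:
        dst_mac = BROADCAST_MAC if opcode == OP_REQUEST else target_mac
    # Ethernet header: destination MAC, source MAC, EtherType (14 bytes)
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # ARP header: htype, ptype, hlen, plen, opcode (8 bytes) ...
    arp = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, opcode)
    # ... then sender MAC/IP and target MAC/IP (20 bytes): 28 bytes of ARP in total
    arp += mac_to_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_to_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    frame = eth + arp                           # 14 + 28 = 42 bytes
    return frame.ljust(MIN_FRAME_LEN, b"\x00")  # 18 bytes of zero padding


def parse_arp_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and ARP fields; reject anything that is not Ethernet/IPv4 ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: EtherType 0x{ethertype:04x}")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("unsupported hardware/protocol type or address length")
    body = frame[22:42]  # anything past byte 42 is padding and is ignored
    return {
        "dst_mac": bytes_to_mac(frame[0:6]),
        "src_mac": bytes_to_mac(frame[6:12]),
        "opcode": opcode,
        "sender_mac": bytes_to_mac(body[0:6]),
        "sender_ip": str(ipaddress.IPv4Address(body[6:10])),
        "target_mac": bytes_to_mac(body[10:16]),
        "target_ip": str(ipaddress.IPv4Address(body[16:20])),
    }


if __name__ == "__main__":
    # Host A (192.168.38.10) asks for host B (192.168.38.11); B answers. MACs are constructed.
    A_MAC, B_MAC = "00:aa:00:62:c6:09", "00:bb:00:62:c2:02"
    request = build_arp_frame(OP_REQUEST, A_MAC, "192.168.38.10", ZERO_MAC, "192.168.38.11")
    reply = build_arp_frame(OP_REPLY, B_MAC, "192.168.38.11", A_MAC, "192.168.38.10")
    for f in (request, reply):
        print(len(f), "bytes:", parse_arp_frame(f))
```

Note that the sender MAC appears twice, once in the Ethernet header and once in the ARP body; nothing in the protocol requires the two to agree, which is one of the things a monitoring tool can check.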
ARP Operation Example
Consider host A (192.168.38.10) sending data to host B (192.168.38.11).
Host A checks its ARP table for B’s IP. If found, it uses the cached MAC (e.g., 00‑BB‑00‑62‑C2‑02) as dstMAC and sends the frame.
If not found, A broadcasts an ARP Request with dstMAC FF:FF:FF:FF:FF:FF asking “What is the MAC for 192.168.38.11?”.
A tcpdump view of such a request (this capture uses different addresses than the example):
ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 53.53.53.53 tell 192.168.200.10, length 28
All hosts receive the broadcast; only B's IP matches the Target IP, so B puts its own MAC into the Sender MAC field of an ARP Reply and unicasts it to A. The other hosts do not answer (though a host that already has A's IP cached may refresh that entry from the request).
A updates its ARP table with the new mapping.
Textbooks cite an ARP cache lifetime of about 20 minutes; Linux is more aggressive. An entry becomes STALE roughly 30 seconds after it was last confirmed (base_reachable_time_ms, randomized) and is re-verified with a unicast ARP request the next time it is used, while stale entries that are never used again are garbage-collected after gc_stale_time (60 seconds by default).
ARP Proxy (Proxy ARP)
Routers do not forward broadcasts, so an ARP request sent on one LAN never reaches a host on another. With Proxy ARP the router answers the request itself, giving its own MAC for the remote host's IP; the requester then addresses its frames to the router, which forwards them. To the requester the remote host appears to be on the local segment.
Proxy ARP is also used by NAT devices, which act as gateways between LANs.
ARP Probe (Address Conflict Detection)
Defined in RFC 5227, ARP Probe checks whether an IP address is already in use on the LAN.
An ARP Probe is an ARP Request with the following characteristics:
srcMAC and Sender MAC = host's own MAC (so that any reply can reach it).
dstMAC = FF:FF:FF:FF:FF:FF (broadcast).
Sender IP = 0.0.0.0, so that receivers do not cache a mapping for an address the prober does not yet own.
Target MAC = 00:00:00:00:00:00.
Target IP = the address being probed.
If a host already uses the probed IP it answers with an ARP Reply, which signals a conflict; RFC 5227 also treats an ARP Probe for the same address from another MAC as a conflict, since two hosts are then trying to claim it at once. If nothing is heard after the configured number of probes (three by default), the host claims the address and sends a Gratuitous ARP (an ARP Announcement) to inform the network.
MAC Address Conflict
When two devices on the same LAN share a MAC address (a common mistake when cloning virtual machines), the switch's MAC table flaps between the two ports and frames are delivered to whichever device was heard from last, producing intermittent connectivity for both.
ARP Spoofing (ARP Poisoning)
ARP is stateless and unauthenticated: a host accepts any ARP reply (and, on most stacks, any request whose sender IP it already has cached) and updates its table without verifying that the sender owns the address. An attacker on the same segment can therefore send forged replies that map a legitimate IP, typically the gateway's, to the attacker's MAC. Traffic for that IP then flows to the attacker, who can relay it (man‑in‑the‑middle) or drop it (denial of service).
Mitigations are static ARP entries that bind IP‑MAC pairs on the hosts, and, on managed switches, DHCP snooping combined with Dynamic ARP Inspection (DAI), which checks each ARP packet against the IP‑MAC bindings learned from DHCP and drops forged ones. Static entries are only practical for a handful of critical addresses:
For gateways: statically bind each client’s MAC to its IP.
For clients: bind the gateway’s MAC address.
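The detection side of this, as an added example that is not code from the original article: a passive monitor that applies the checks a tool like arpwatch performs, namely a pinned gateway binding, unsolicited replies, a changed binding for a known IP, and an Ethernet source MAC that disagrees with the ARP sender MAC. The traffic it is fed is constructed inline; the MACs are invented.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

OP_REQUEST, OP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpSeen:
    """One ARP message as a passive monitor sees it (fields from the frame header and ARP body)."""
    opcode: int
    eth_src: str      # source MAC in the Ethernet header
    sender_mac: str   # sender MAC in the ARP body
    sender_ip: str
    target_ip: str


class ArpSpoofDetector:
    """Track IP-to-MAC bindings from ARP traffic and flag the classic poisoning signs.

    pinned: bindings that must never change, e.g. the gateway (the advice given above).
    """

    def __init__(self, pinned: Dict[str, str]):
        self.pinned = {ip: mac.lower() for ip, mac in pinned.items()}
        self.learned: Dict[str, str] = {}
        self.pending: Set[str] = set()   # IPs a request was seen for, with no reply yet

    def observe(self, m: ArpSeen) -> List[str]:
        alerts: List[str] = []
        if m.opcode == OP_REQUEST:
            if m.sender_ip != m.target_ip:   # a gratuitous request asks for nothing
                self.pending.add(m.target_ip)
            return alerts
        if m.opcode != OP_REPLY:
            return alerts                    # RARP and anything else is out of scope
        ip, mac = m.sender_ip, m.sender_mac.lower()
        if m.eth_src.lower() != mac:
            alerts.append(f"{ip}: Ethernet source {m.eth_src} differs from ARP sender {mac}")
        if ip in self.pinned and self.pinned[ip] != mac:
            alerts.append(f"{ip}: pinned to {self.pinned[ip]} but reply claims {mac}")
        gratuitous = m.sender_ip == m.target_ip   # arping -A style announcement, expected unsolicited
        if ip in self.pending:
            self.pending.discard(ip)
        elif not gratuitous:
            # Normal stacks only reply when asked; a reply nobody asked for is how poisoning is delivered.
            alerts.append(f"{ip}: unsolicited reply from {mac}")
        prev = self.learned.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"{ip}: binding changed {prev} -> {mac}")
        self.learned[ip] = mac
        return alerts


if __name__ == "__main__":
    GW, GW_MAC = "192.168.38.1", "ac:7e:8a:6c:41:c4"   # constructed gateway binding
    det = ArpSpoofDetector(pinned={GW: GW_MAC})
    traffic = [
        # A asks for B, B answers: clean
        ArpSeen(OP_REQUEST, "00:aa:00:62:c6:09", "00:aa:00:62:c6:09", "192.168.38.10", "192.168.38.11"),
        ArpSeen(OP_REPLY, "00:bb:00:62:c2:02", "00:bb:00:62:c2:02", "192.168.38.11", "192.168.38.10"),
        # attacker 02:00:5e:00:53:01 claims the gateway's IP without being asked
        ArpSeen(OP_REPLY, "02:00:5e:00:53:01", "02:00:5e:00:53:01", GW, "192.168.38.10"),
        # ... and then takes over B's address too
        ArpSeen(OP_REPLY, "02:00:5e:00:53:01", "02:00:5e:00:53:01", "192.168.38.11", "192.168.38.10"),
    ]
    for m in traffic:
        for a in det.observe(m):
            print("ALERT", a)
```

The unsolicited-reply check is deliberately suppressed for gratuitous replies (sender IP equal to target IP), because VIP failover and `arping -A` produce exactly those; they still go through the pinned and changed-binding checks.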
Gratuitous ARP (gARP)
gARP is an ARP message, normally a Request (some implementations send a Reply instead), that a host sends to announce its own IP‑MAC mapping:
Sender MAC = host's MAC.
dstMAC = FF:FF:FF:FF:FF:FF (broadcast); the Target MAC inside the ARP body is all zeros and is ignored by receivers.
Sender IP = Target IP = host's IP.
Because the sender asks for its own address, no reply is expected; hosts that already have that IP cached simply update their entry.
gARP is used for:
Announcing a node’s existence after an ARP Probe.
Updating ARP mappings when a host changes its IP.
Link redundancy in high‑availability setups (e.g., VIP failover).
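The probe-then-announce procedure from the ARP Probe and Gratuitous ARP sections together, as an added example that is not from the original article. `Lan` is a constructed stand-in for a broadcast domain whose hosts follow the RFC 826 receiver rules (refresh a cached sender, answer requests for your own address, never cache the 0.0.0.0 sender of a probe); `claim_address` is the RFC 5227 claimant without the timing. Host MACs are invented.

```python
from typing import Dict, List, Optional, Tuple

OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"
UNSPECIFIED_IP = "0.0.0.0"
PROBE_NUM, ANNOUNCE_NUM = 3, 2   # RFC 5227 defaults; the waits between messages are omitted here


def arp(opcode, sender_mac, sender_ip, target_mac, target_ip) -> dict:
    return dict(opcode=opcode, sender_mac=sender_mac, sender_ip=sender_ip,
                target_mac=target_mac, target_ip=target_ip)


def is_probe(m: dict) -> bool:
    """RFC 5227 ARP Probe: a request with sender IP all zeros and target MAC all zeros."""
    return (m["opcode"] == OP_REQUEST and m["sender_ip"] == UNSPECIFIED_IP
            and m["target_mac"] == ZERO_MAC)


def is_announcement(m: dict) -> bool:
    """Gratuitous ARP: a request whose sender and target IP are both the sender's own address."""
    return (m["opcode"] == OP_REQUEST and m["sender_ip"] != UNSPECIFIED_IP
            and m["sender_ip"] == m["target_ip"])


class Lan:
    """Constructed broadcast domain: hosts keyed by MAC, each with one IP and an ARP cache."""

    def __init__(self):
        self.hosts: Dict[str, dict] = {}

    def add_host(self, mac: str, ip: str, cache: Optional[Dict[str, str]] = None):
        self.hosts[mac] = {"ip": ip, "cache": dict(cache or {})}

    def broadcast(self, m: dict) -> List[dict]:
        """Deliver m to every other host using RFC 826 receiver rules; return the replies it provokes."""
        replies = []
        for mac, h in self.hosts.items():
            if mac == m["sender_mac"]:
                continue
            # Merge rule: refresh an already-cached sender, but never learn from a probe's 0.0.0.0.
            merge = m["sender_ip"] != UNSPECIFIED_IP and m["sender_ip"] in h["cache"]
            if merge:
                h["cache"][m["sender_ip"]] = m["sender_mac"]
            if m["target_ip"] == h["ip"]:          # addressed to me
                if not merge and m["sender_ip"] != UNSPECIFIED_IP:
                    h["cache"][m["sender_ip"]] = m["sender_mac"]
                if m["opcode"] == OP_REQUEST:
                    replies.append(arp(OP_REPLY, mac, h["ip"], m["sender_mac"], m["sender_ip"]))
        return replies


def claim_address(lan: Lan, my_mac: str, wanted_ip: str) -> Tuple[bool, Optional[str]]:
    """Probe wanted_ip; on silence join the LAN and announce, otherwise return the conflicting MAC."""
    probe = arp(OP_REQUEST, my_mac, UNSPECIFIED_IP, ZERO_MAC, wanted_ip)
    assert is_probe(probe)
    for _ in range(PROBE_NUM):
        for r in lan.broadcast(probe):
            if r["sender_ip"] == wanted_ip:       # somebody answered for the address: conflict
                return False, r["sender_mac"]
    lan.add_host(my_mac, wanted_ip)
    announce = arp(OP_REQUEST, my_mac, wanted_ip, ZERO_MAC, wanted_ip)
    assert is_announcement(announce)
    for _ in range(ANNOUNCE_NUM):
        lan.broadcast(announce)                   # stale entries for wanted_ip are refreshed everywhere
    return True, None


if __name__ == "__main__":
    lan = Lan()
    A, B, C, D = "00:aa:00:62:c6:09", "00:bb:00:62:c2:02", "00:cc:00:00:00:01", "00:dd:00:00:00:02"
    lan.add_host(A, "192.168.38.10", cache={"192.168.38.11": B, "192.168.38.12": C})  # C has since left
    lan.add_host(B, "192.168.38.11")
    print(claim_address(lan, D, "192.168.38.11"))   # (False, B): address in use
    print(claim_address(lan, D, "192.168.38.12"))   # (True, None); A's stale .12 entry now points at D
    print(lan.hosts[A]["cache"])
```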
Link Redundancy
Redundancy aims to provide failover for high‑availability systems. Two common patterns are:
IP‑only redundancy: a virtual IP floats between two nodes that keep their own MACs. When the VIP moves, every neighbor's ARP entry for it is wrong until refreshed, which is what gARP is for.
IP‑and‑MAC redundancy: the VIP and a virtual MAC move together, so neighbors' ARP caches stay valid and only the switches have to learn the new port.
VIP Switching
Tools like Keepalived and Pacemaker use gARP to refresh other hosts’ ARP caches after a virtual IP (VIP) moves from one MAC to another.
Some firewalls block gARP traffic; in such cases a shared virtual MAC (VMAC) can be used instead.
Keepalived 1.2.20+ supports the following gARP options in global_defs:
# delay for second set of gratuitous ARPs after transition to MASTER
vrrp_garp_master_delay 10 # seconds, default 5, 0 for no second set
# number of gratuitous ARP messages to send at a time after transition to MASTER
vrrp_garp_master_repeat 1 # default 5
# delay for second set of gratuitous ARPs after lower priority advert received when MASTER
vrrp_garp_lower_prio_delay 10
# number of gratuitous ARP messages to send at a time after lower priority advert received when MASTER
vrrp_garp_lower_prio_repeat 1
# minimum time interval for refreshing gratuitous ARPs while MASTER
vrrp_garp_master_refresh 60 # secs, default 0 (no refreshing)
# number of gratuitous ARP messages to send at a time while MASTER
vrrp_garp_master_refresh_repeat 2 # default 1
# delay between gratuitous ARP messages sent on an interface
vrrp_garp_interval 0.001 # decimal, seconds (resolution usecs). Default 0.
# delay between unsolicited NA messages (the IPv6 equivalent) sent on an interface
vrrp_gna_interval 0.000001 # decimal, seconds (resolution usecs). Default 0.
Switch Link Switching
When two NICs share the same MAC and IP and connect to different switch ports, a gARP can be used to update the switch’s MAC table, ensuring traffic follows the new path.
ARP Client on Linux
Linux provides the arp utility for managing the ARP cache.
arp --help
-a Display (all) hosts in alternative (BSD) style
-s, --set Set a new ARP entry
-d, --delete Delete a specified entry
-v, --verbose Be verbose
-n, --numeric Don't resolve names
-i, --device Specify network interface (e.g. eth0)
-D, --use-device Read <hwaddr> from given device
-A, -p, --protocol Specify protocol family
-f, --file Read new entries from file or from /etc/ethers
Display ARP cache:
$ arp -a
? (172.18.22.205) at 08:9e:01:fc:48:7d [ether] on br0
? (172.18.22.10) at 52:54:00:bd:23:9e [ether] on br0
gateway (172.18.22.1) at ac:7e:8a:6c:41:c4 [ether] on br0
Show detailed ARP cache (Flags: C = complete, M = permanent, P = published):
$ arp -nv
Address HWtype HWaddress Flags Mask Iface
172.18.22.205 ether 08:9e:01:fc:48:7d C br0
172.18.22.10 ether 52:54:00:bd:23:9e C br0
172.18.22.1 ether ac:7e:8a:6c:41:c4 C br0
Entries: 3 Skipped: 0 Found: 3
Add a static (permanent) ARP entry; it is listed with flags CM and is not aged out:
$ arp -s 157.55.85.212 00:aa:aa:56:2c:09
# Add a temporary entry (flag C only; it ages out like a learned entry instead of staying permanent)
$ arp -s 211.161.17.21 00:00:00:00:00:00 temp
Disable ARP on an interface (requires static ARP entries to communicate):
$ ip link set dev eth0 arp off
Send a Gratuitous ARP to update other hosts (-A sends unsolicited ARP replies; -U sends gratuitous requests instead):
$ arping -A -I eth0 172.16.42.161
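An audit of the `arp -nv` table format shown above, as an added example that is not from the original article: it parses the output into rows (including "(incomplete)" entries) and reports a gateway that is still a dynamic entry, a gateway whose MAC is not the one expected, and one MAC answering for several IPs. The sample output is constructed; its third row is what a poisoned gateway entry looks like, and the expected gateway MAC is an assumption.

```python
from collections import defaultdict
from typing import List, Optional

# Constructed sample of `arp -nv` output. In the third row the gateway IP resolves to the same MAC
# as 172.18.22.10, the footprint ARP poisoning leaves in a victim's cache.
SAMPLE_ARP_NV = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
172.18.22.205            ether   08:9e:01:fc:48:7d   C                     br0
172.18.22.10             ether   52:54:00:bd:23:9e   C                     br0
172.18.22.1              ether   52:54:00:bd:23:9e   C                     br0
172.18.22.50                     (incomplete)                              br0
Entries: 4	Skipped: 0	Found: 4
"""


def parse_arp_table(text: str) -> List[dict]:
    """Parse net-tools `arp -n` output. Flags: C = complete, M = permanent, P = published."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] in ("Address", "Entries:"):
            continue                                   # header and footer lines
        if "(incomplete)" in parts:                    # a request went out and nothing answered
            rows.append({"ip": parts[0], "mac": None, "flags": "", "iface": parts[-1]})
            continue
        # The Mask column is normally empty, so the interface is safest taken from the end.
        rows.append({"ip": parts[0], "mac": parts[2].lower(), "flags": parts[3], "iface": parts[-1]})
    return rows


def audit_arp_table(rows: List[dict], gateway_ip: str,
                    expected_gateway_mac: Optional[str] = None) -> List[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings: List[str] = []
    by_mac = defaultdict(list)
    for r in rows:
        if r["mac"]:
            by_mac[r["mac"]].append(r["ip"])
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(
                f"MAC {mac} answers for several IPs: {', '.join(ips)} "
                "(normal for a proxy-ARP router or a multi-IP host, suspicious if one is the gateway)")
    gw = next((r for r in rows if r["ip"] == gateway_ip), None)
    if gw is None or gw["mac"] is None:
        findings.append(f"gateway {gateway_ip} has no complete entry")
        return findings
    if "M" not in gw["flags"]:
        findings.append(f"gateway {gateway_ip} is a dynamic entry (flags {gw['flags']}); pin it with arp -s")
    if expected_gateway_mac and gw["mac"] != expected_gateway_mac.lower():
        findings.append(f"gateway {gateway_ip} resolves to {gw['mac']}, expected {expected_gateway_mac.lower()}")
    return findings


if __name__ == "__main__":
    # In practice: rows = parse_arp_table(subprocess.run(["arp", "-nv"], capture_output=True, text=True).stdout)
    for f in audit_arp_table(parse_arp_table(SAMPLE_ARP_NV), "172.18.22.1", "ac:7e:8a:6c:41:c4"):
        print("FINDING:", f)
```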