What is ARP and how does it actually work? I’m surprised at the amount of people who don’t know exactly what it does and how important it is.

To illustrate, I’m going to use this extremely simple network:


Both of these systems are really just connected to a home router. Remember that these ports are really just switched ports. The only time they traverse a layer3 port is when they are sending traffic outside the local LAN.

ARP is the Address Resolution Protocol. Essentially all it does is resolve a logical IP address to a physical Hardware (MAC) address.

In the above diagram, if wants to send traffic to, it will move down the IOS layers. It will eventually get down to layer2. The layer2 header needs to have both a source and a destination MAC address. has the layer3 address already, but not layer2. This is where ARP comes into the picture. will send a broadcast out onto the lan asking that whoever holds respond with its MAC address (In that broadcast it’ll let everyone know what the MAC address of is – so they can reply). When get’s that broadcast, it’ll respond with it’s OWN MAC address with a unicast.

Once has received′s MAC address, it will add that mapping to it’s own local ARP cache. As long as that value is in the cache, it’ll know exactly how and where to send traffic bound for

As an example, I’ve run the above through wireshark to see exactly what is happening (Click the image to see the full request and response):


The first ARP packet was a broadcast to the local lan asking for the owner of the address. It also asks to respond to (this ARP request also contains′s own MAC address) – The second packet is a simple unicast back to letting it know that′s MAC address is 00:11:32:06:0c:8a

This can be verified as follows:

C:\Windows\system32>arp -a

Interface: --- 0xb
  Internet Address      Physical Address      Type            00-11-32-06-0c-8a     dynamic
ARP is one of the fundamental parts of TCP/IP – Make sure you know it :)