ARP (Address Resolution Protocol) explained

Hi Rene,
The ARP protocol will start working after the boot completed by the switch or when ever a ICMP or any particular communcation start happening. and if we resrart the switch , will the ARP table will erase and need the same operation do again ? Please explain

Hello Thanseerahammed

First of all, a device will have an ARP table populated whenever it needs to know the MAC address of the destination with a particular IP address. So a PC will send an ARP packet to find out what the MAC address is of the destination that it wants to send a packet to. A switch will also have an ARP table, but it will only be populated by traffic that is sent to and from the switch itself Examples of such traffic is a telnet session with the SVI of the switch. The switch will not populate its ARP table with the MAC/IP address pairs of the traffic that is going through the switch.

To answer your second question, any ARP entries that have been dynamically learned will be erased if a switch (or any network device) is turned off and on again. The ARP packets are resent to learn the MAC/IP address pairs for future transmissions.

I hope this has been helpful!


Than why do we need ARP in between 2 routers that is not LAN . Why do we need ethernet
frame there ??

Hello Satish

I’m not certain I understand your question. Regardless of what devices communicate, both an IP address and a MAC address are required. As information is encapsulated, a destination IP address is necessary to populate the appropriate field in the IP header. Once that is done, an ARP request is sent to get the MAC address of the very next device in the path between the source and destination. If that is a default gateway, it will go to the router. If it is a host, it will go directly to the host.

I hope this has been helpful.


Hi Rene

I came across some tutorial that stated that arp work on layer 3 of OSI Model but some stated that it works on Layer2 , i myself think that it will be layer 2 because it uses Broadcast MAC Address in order to find MAC address , second layer 3 devices doesn’t forward Broadcast frame while layer 2 does. Please clarify me. Thanks

Hello Muhammad

ARP is indeed a layer 2 protocol. An ARP request has a source MAC address and as you said, uses a broadcast destination address. There is no IP header involved. ARP does however use an IP address in that it requests the MAC address that corresponds to that IP address. But the IP address is contained within the payload of the ARP request and not in a header. So ARP is indeed a layer 2 protocol.

I hope this has been helpful!


Hi Rene,
When a device receives ARP request , it will copy source IP and source MAC to its ARP table only when it owns the requested IP .? Pls clarify.

Hello Aravind

Yes, you are correct. If a device receives an ARP request that is not for itself, even though it sees the ARP request, it does not populate it’s own ARP cache with the IP-to-MAC mapping of the sender.

It’s interesting however the reason why this is the case. Remember that ARP was first developed in the early 1980s and the whole philosophy of networking was much different at the time. Devices had much MUCH fewer resources such as CPU power, memory etc…

InRFC 826 which defines ARP, the author makes the following point:

The workstations aren’t generally going to be talking to each other (and therefore have 100 useless entries in a table); they will be mainly talking to a mainframe, file server or bridge, but only to a small number of other workstations (for interactive conversations, for example). The protocol described in this paper distributes information as it is needed, and only once (probably) per boot of a machine.

Now for a network device to add such an ARP entry into its ARP cache would be less than trivial in terms of computing resources. However, at the time, it was a very wise precaution. No one felt the need to update this functionality of ARP over the years, so it remained like that to this day.

I hope this has been helpful (and interesting!)


Rene I do not have any network equipment yet, can i ping or arp something on the internet and see arp capture with wireshark.

Hello Brian,

Sure, that is no problem. Keep in mind that ARP only works within a broadcast network. On your home network (if you don’t use VLANs) then that’s your local network.

If you try to reach something on the Internet from your PC then it will use your home router as the default gateway. Take a look at the ARP table of your PC and you will see the MAC address and IP address of your router there. Same thing for other devices on your local network (like a network printer).


Hi Rene,
I have a doubt about ARP table.
Where is it? IN SW, in hosts?

Hi Braulio,

Every device that has an IP address builds an ARP table. They somehow need to map a L3 IP address to a L2 MAC address.

A computer (host) will have an ARP table. A switch that you configure with an IP address for remote management also has an ARP table.



Hi Rene and everyone in here,

Would you tell me please, what is the command that is showing ARP Table in DOS …?


Hi Nasser,

On Windows, it’s arp -a:

c:\arp -a

Interface: --- 0x1a
  Internet Address      Physical Address      Type         00-11-32-3e-59-8b     dynamic         f4-cf-e2-10-e4-88     dynamic         ff-ff-ff-ff-ff-ff     static            01-00-5e-00-00-16     static           01-00-5e-00-00-fb     static           01-00-5e-00-00-fc     static       01-00-5e-7f-ff-fa     static


1 Like

Hi Rene,
Could you please give me a detailed explanation on how arp should work for the below scenario


Host 1: IP address: Vlan:10
Host 2: IP address: Vlan:10

Hello Akshay

So Host 1 wants to send some data to Host 2. It encapsulates the data into a TCP segment, which is then encapsulated into an IP packet. Host 1 knows the IP address of Host 2 (either from a DNS lookup or because it was manually configured in the service being used), so the appropriate source and destination IP addresses are placed in the IP header.

Now Host 1 wants to encapsulate this into a frame. It places its own MAC address as the source address and requires the MAC address of the destination. It will follow these steps:

  1. Host 1 will ask “Is the destination IP address in the same subnet as my own?” If yes, then the MAC address of that particular IP address must be determined. If not, then it is the MAC address of the default gateway that must be determined. In your scenario, the destination IP address is in the same subnet. Go to step 2.
  2. Is there an entry for this IP address already stored in the local ARP table? If yes, that MAC address is used as the destination MAC, encapsulation is complete, and the frame is placed on the medium. If there is no entry, go to step 3.
  3. Since there is no entry in the ARP table, an ARP request must be sent. An ARP request is a broadcast (to MAC address FF:FF:FF:FF:FF:FF) that contains as its payload the IP address of the host it is looking for. All devices on VLAN 10 will receive this ARP request. All of them will discard it except for Host 2, because Host 2 has the IP address in the payload. Host 2 will prepare a response to the ARP request which will include its own MAC address. Host 1 will receive this and do two things: populate the destination MAC address in the header of the Ethernet frame and send the frame along its way, and populate the local ARP table with the MAC/IP address pairing that it has now learned.

As you can see, the intervening network devices, whether they are a single switch or two switches that are connected with a trunk will have no bearing on how ARP will function. ARP will function between all devices within a VLAN/subnet/broadcast domain regardless of the devices in between.

I hope this has been helpful!


Then i understand that FF:FF:FF:FF:FF:FF is in the frame header, and 00:00:00:00:00:00 is in the payload of the frame, which is also the "arp header " (even if an arp packet has actually no header) (and which is not an ip header, in which a mac_address can’t be 00:00:00:00:00:00)

Hello Hugues

Yes, you are correct. The FF:FF:FF:FF:FF:FF is in the header of the frame, which means it will be used for the purposes of delivering the frame. In this case, it is a broadcast, so all devices on the network segment will recieve it. The 00:00:00:00:00:00 address is found within the payload of the ARP frame, and is not used for delivery, but for the operation of the ARP protocol itself. Because this field is populated with the MAC address of the host in question, which we do not know yet, it makes sense that this field is essentially left blank, or made all zeros.

I hope this has been helpful!


Dear Rayan
i have Cisco switch is connecting with 6 hosts
when i type show ip arp command
it show me only 3 ip with 3 mac address
when i do ping to another host that are not appear
after that when i type show ip arp
it will show me that host after ping
why ?
it should show me all connected hosts
why when i do ping it will show me !!?

Hello Ridhwan

When you have several hosts connected to a switch, and these hosts are communicating with each other, the ARP table of the switch itself is not populated. It is the MAC Address Table that is populated which provides a correspondence between MAC addresses of hosts and the ports on which they are connected.

The ARP table of the switch is only updated when there is communication between a host and the switch directly. In other words, when a packet has the IP address of the switch in the source or destination IP address field of its header. Only then will the ARP table be populated.

When you sent a ping from the switch to a host, ARP is used to determine the MAC address of the host you are pinging. This will then populate the ARP table. Because there is rarely IP communication between the switch and a host, the ARP table of the switch will often time out and entries will be removed. This is why you don’t normally see the ARP table of a switch populated with the hosts that are connected to it.

I hope this has been helpful!