ARP (Address Resolution Protocol) explained

Hi Laz ,
Please share the etherswitch image download link asap .I want to do some labs of switching from basic to advance

And share me some stuff about Cisco virl like how to set up lab and image process ,so that a basic idea will help me to do some configuration .

Shivam Chahal

Hello Shivam

For Cisco VIRL, you can find out all the information you need, such as cost, system requirements, as well as how to set it up at Cisco’s official VIRL site. Unlike GNS3, VIRL is not free.

For GNS3, you can go to the GNS3 site which is also very comprehensive and clear for both installation, system requirements as well as basic information needed to get you up and running quickly. For GNS3, you can also find many prepared labs that will help you along the way at Rene’s GNS3 Vault web site found here:

There you will find many many labs that will be very useful to you, so you don’t have to start every lab from scratch.

I hope this has been helpful! Stay healthy and safe!


Hello Shivam

Concerning MPLS TP and Traffic Engineering, there are no lessons on this topic in the site, as NetworkLessons focuses on the content of the Cisco certifications. However, you can find extensive information on these topics at this official Cisco documentation:

I hope this has been helpful! Stay healthy and safe!


I need help…i am having a weid problem here with the arp.

I have host within the same subnet unable to communicate with the server and subjected to ACL configured which should not be happening.Essentially,from the traffic capture we can see destination mac address of the svi vlan24 gateway,this is wrong its mapping to its gateway and not the intended server.

I took a inbound control plane capture on c9200L and confirmed ip phone 10.20.X.X along with other hosts on vlan24 are being processed on the CPU of the c9200L even though that traffic is destined to server 10.20.28.X, as explained the destination mac of that traffic is 78:ad:1a:0c:ab:c2 which is the mac address of SVI vlan24 on the c9200L.

Traffic destined to 10.20.28.X should have the mac address of 10.20.28.X, this issue could be caused by a possible corruption of the arp packets being distributed along the network.

Please what could possibly be why the ip phone is mapping to its vlan gateway and not the destination server.hence traffic within the same subnet is blocked by the ACL.

please be aware that we have a GPON platform at the GPON core, and then the device that the phone connects to is a Zhone 2804GPON ONT.our phone is on vlan 24.The ACL is blocking traffic within the same subnet.

When this issue happens, those phones are sending traffic to the destination mac of their gateway regardless of the destination ip. We took several captures and confirmed this. We also took more captures and confirmed that the gateway is not sending arp replies with incorrect data to the phone.
We disabled proxy arp on the switch which would cause this behavior and the issue persisted

How else can i resolve this issue?

Hello Temitope

So from my understanding, you have an IP phone with an IP address of 10.20.X.X that is unable to communicate with the server at 10.20.28.X. Both of these devices are on the same subnet, and in the same VLAN 24 on a Cisco c9200L. Correct?

With such a setup, the IP phone should be able to communicate with the server without the use of any default gateway, since both devices are on the same subnet. However, you are finding that the attempted communication is resulting in an attempt by the device to reach the default gateway (SVI VLAN24) , and hit an ACL configured on it. You are also seeing SVI VLAN24 MAC address attempting to communicate with the server instead of the MAC of the phone.

The IP phone will only send traffic to the default gateway if it considers the destination outside of its own subnet. How will it determine this? Using its own subnet mask. I suspect that the subnet mask of the phone is incorrect, and is excluding the IP address of the server from its own subnet mask.

For example, if the IP phone’s IP address/subnet mask combination is, and it is trying to reach the server at, then it considers the destination address outside of its own subnet ( and will send traffic to the default gateway, as you describe in your problem. If however, the subnet mask on the phone is configured like so:, then the destination of is within the IP phone’s subnet ( so it will not send traffic to the gateway, but directly to the server.

Otherwise, there is no other way for the ARP response to return the MAC of the SVI, or for traffic to be hitting an ACL.

Now you do have a GPON topology, which is a special case, but this is something that operates at Layers 1 and 2, and should not affect the way that ARP/IP routing takes place. I hope this helps you along in your troubleshooting procedures.

I hope this has been helpful!


Hi Reze/Laz,

Is it true that Routers don’t broadcast or suppress any broadcast frames it recieves on an Interface, assuming we have two routers connected to each other w/ subnet, initially the Mac address tables on R1 and R2 are empty. Now R1 tries sending an packet to R2 so it encapsulates ip packet inside an ethernet frame, since the sending router doesn’t know the Mac address it is expected to do an ARP, hence it sends an broadcast frame. Can you explain how this handled also can you explain what is gratuitous arp?

Thanks in advance.

Hello Teja

Routers that receive broadcast packets on one of their interfaces will process that packet, but will not broadcast it out of any other interfaces. Routers act as a border for a broadcast domain. You can find out more about this at the following lesson.

In the particular topology that you describe, R1 tries sending a packet to R2 and it has the destination IP but not the destination MAC. So it sends an ARP request. This request is indeed a broadcast, and it reaches R2, but it is not broadcast beyond that interface of R2. R2 responds, R1 receives the MAC address, continues the encapsulation, and places the frame on the wire.

The fact that R1 sends a broadcast is not in violation of its role as a border to a broadcast domain. Routers are able to generate broadcasts such as ARP requests, but they are generated only from one single interface, since each interface of a router corresponds to a different subnet, and thus a different broadcast domain.

(In your post, you mentioned MAC address table. I assume you meant ARP table, since MAC address tables only exist in switches).

Finally, gratuitous ARP is a special ARP reply that is not a response to an ARP request. A gratuitous ARP reply is an ARP reply without an ARP request so no reply is expected for a Gratuitous ARP. Gratuitous ARPs are broadcast frames that are bound within collision domains according to the same rules as all other broadcast frames/packets.

I hope this has been helpful!


1 Like

Hi Laz,

Thanks a lot.


1 Like

Hi Rene,

I was wondering why i dint find anything about GARP being explained anywhere when it comes to ARP. Isnt it the most essential part of ARP, could you please explain GARP in more detail or probably direct me towards the lesson where you have already explained about it.


Hi rene,

Now, the IP packet encapsulated to data link layer with source Mac address , source IP address and destination IP address so now it has to broadcast the Mac address to get the destination mac address through which layer the broadcast signal will be sent? Through physical layer?

Hello Harsha

True, Gratuitous ARP is not included within the content of the lessons. It is definately a vital part of what ARP is, but it is not central to the operation of ARP. Typically, gratuitous ARP is used:

  • when attempting to detect duplicate IPv4 addresses
  • when updating an ARP table after an IPv4 or MAC address change
  • in conjunction with FHRPs such as HSRP

You can find some information about it in a part of the following post. Note the first part of the post deals with something other than Gratuitous ARP, but the second part explains it in some detail.

If you would like to see more information or a lesson about Gratuitous ARP, feel free to submit your suggestion at the following Member Ideas link:

I hope this has been helpful!


Hello Rajaram

It is important to understand that the process of encapsulation of a particular packet, and the ARP request that is sent out are two different operations. A device will encapsulate data, and place a source and destination IP address in the IP header. As it encapsulates this into a frame, it will place the source MAC address (which it knows because it is the address of itself) and the destination MAC address. The destination is obtained either from the ARP table or using a new ARP request.

The encapsulation process is paused, and the device sends out an ARP request, as you correctly stated as a broadcast. This is done on the data-link layer. This means that the ARP request will have a source MAC (the device’s own MAC) and a broadcast destination MAC. This frame is then placed on the wire (the physical layer) just like any other frame that is ready to be sent. Receiving devices will respond, and once the MAC address has been obtained, the encapsulation process of the original packet is resumed, with the appropriate destination MAC, and the frame is then placed on the wire.

I hope this has been helpful!



Thanks for this deep explanation

1 Like

Nice explanation about GARP. I have one query in the topic, you mentioned the 4th characteristic of GARP packet that “No reply is expected” I am having a hard time understanding that particular point. Could you give a practical example/scenario or packet capture to support that characteristic? That would be a great help.

Actually, I captured a GARP reply packet while assigning the IP address to Cisco IOS for the very first time, I guess it happens to check whether our given IP is locally unique in our subnet or not? Right? Correct me if I’m wrong.

I have attached the packet capture here.

Thank you.

Hello Varun

In order to understand GARP and its place within the framework of networking, it’s important to understand the two procedures involved with ARP. When regular ARP is employed, there is an ARP request and an ARP reply. GARP is exactly the same thing as an ARP reply, there is absolutely no difference in the packet itself. There’s no field that says "this is a GARP packet and not an ARP reply packet.

What differentiates a GARP from a regular ARP reply is that an ARP reply has a corresponding ARP request. A GARP does not. A GARP is initiated by a host for the reasons stated in my previous post.

So if you see an ARP reply in a packet capture like the one above, you can’t actually tell if it is a simple ARP reply or a GARP. Wireshark labels it as Address Resolution Protocol (reply/gratuitous ARP) meaning it may be a reply or a GARP.

If you see a previous ARP request in the Wireshark packet capture that corresponds to this, then it is an ARP reply. If not, then it is a GARP.

An example of when GARP is used is when a backup NIC of a server becomes active with the same IP address as the primary NIC. The MAC address has changed, so a GARP is sent informing all of the devices on the segment that they must update their ARP tables. No initial ARP request was sent so such a message is indeed a GARP.

I hope this has been helpful!


When we will ping google at how my laptop will get MAC address of google’s server in order to put in layer 2 header as a destination MAC address?

Hello ntlipcore

Remember that the IP address provides you with end-to-end connectivity, while the MAC address provides you with “next hop” connectivity. In other words, the destination IP address will remain the same for the whole journey of your ping echo request, but the destination MAC address will change for every hop.

Having this in mind, when you ping, this is the destination IP that is used in the IP header. However, the MAC address you need is that of the next-hop router, which in your case is your default gateway. Your PC will look in the ARP table to see if the configured gateway’s MAC address is there. If it is, it will use that MAC address. If it is not, it will send an ARP request for the MAC address of your gateway.

This process is repeated by every router along the path. Your default gateway will receive the packet, decapsulate it to layer 3, read the destination IP address, determine the next-hop IP address, and will then request the MAC address of the next hop address. Each router will do the same until the last router, which is directly connected to the network of requests the MAC address corresponding to this IP address. Only then will the MAC address of Google’s DNS server be inserted in the destination MAC address field.

I hope this has been helpful!


1 Like

does by default gratuitous arp is enabled in cisco devices ??
i means to say that , i have a network …A L3 switch is connected to the 2 computer and the gateway of the 2 computer is the SVI of that switch , lets say the host 1 has 2 lan port and host-1 primary port fails , so once the host-1 primary port fails the secondary port will activate , in that case who will send the gratuitous ARP reply within that broadcast domain , the switch or the host-1 ?? …if the Host-1 will sent it then Host-2 will update his ARP cache ?

Hello Narad

In the scenario that you describe in your post, the gratuitous ARP would be sent by the secondary port of host 1 that has just been enabled. All devices (including host 2) that recieve the gratuitous ARP will update their ARP caches. You can find more information about this process at the following post:

I hope this has been helpful!


I great explanation. I had the same question as Willy. Thanks a lot.


1 Like