ARP Explained: How Devices Find Each Other on a LAN

ARP (Address Resolution Protocol) answers one question on a local network: "which MAC address owns this IP?" Before a device can send a frame to a neighbour, it broadcasts an ARP request; the owner replies with its MAC, which the sender caches.

How ARP works

  1. Host A wants to reach 192.168.1.20 on the same LAN but only knows the IP.
  2. A broadcasts: "Who has 192.168.1.20? Tell 192.168.1.10."
  3. Host B replies (unicast) with its MAC address.
  4. A stores the IP-to-MAC pair in its ARP cache and sends the frame.

To reach a device on a different network, A instead ARPs for its default gateway's MAC.

ARP security: spoofing

Because ARP has no authentication, an attacker can send forged replies to poison caches and intercept traffic (a man-in-the-middle attack). Switches defend against this with Dynamic ARP Inspection (DAI), which validates the IP-to-MAC pair in each ARP packet against the DHCP snooping table — a CyberOps and CCNP security topic.
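
An added example (not from the original tutorial) that models the kind of check DAI performs: it decodes an ARP payload and compares the sender IP/MAC pair against a trusted binding table. The binding table, MAC addresses and sample packets are constructed for illustration; real DAI runs on the switch and also honours trusted ports and ARP ACLs.

```python
import socket
import struct

# Constructed stand-in for a DHCP snooping table: IP -> MAC (assumed values).
BINDINGS = {
    "192.168.1.10": "aa:aa:aa:aa:aa:10",
    "192.168.1.20": "bb:bb:bb:bb:bb:20",
}
ARP_FMT = "!HHBBH6s4s6s4s"  # Ethernet/IPv4 ARP payload layout, 28 bytes

# Constructed sample replies claiming to come from 192.168.1.20.
LEGIT = bytes.fromhex("0001080006040002" "bbbbbbbbbb20" "c0a80114"
                      "aaaaaaaaaa10" "c0a8010a")
FORGED = bytes.fromhex("0001080006040002" "cccccccccc66" "c0a80114"
                       "aaaaaaaaaa10" "c0a8010a")


def parse_arp(payload):
    """Decode an Ethernet/IPv4 ARP payload into its sender/target fields."""
    if len(payload) < struct.calcsize(ARP_FMT):
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    mac = lambda raw: ":".join(f"{b:02x}" for b in raw)
    return {"op": op, "sender_mac": mac(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac(tha), "target_ip": socket.inet_ntoa(tpa)}


def inspect(payload, bindings=BINDINGS):
    """Return (verdict, reason): permit only if sender IP/MAC match a binding."""
    try:
        arp = parse_arp(payload)
    except ValueError as exc:
        return "drop", str(exc)
    expected = bindings.get(arp["sender_ip"])
    if expected is None:
        return "drop", f"no binding for {arp['sender_ip']}"
    if expected != arp["sender_mac"]:
        return "drop", (f"{arp['sender_ip']} is bound to {expected}, "
                        f"packet claims {arp['sender_mac']}")
    return "permit", "sender IP/MAC matches binding"


if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT), ("forged", FORGED)):
        print(name, *inspect(pkt))
```

The forged reply is dropped because the sender IP it claims is already bound to a different MAC, which is exactly the mismatch a poisoned cache would otherwise accept.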

Frequently asked questions

What does ARP do?

ARP maps a known IP address to the MAC address of a device on the same local network, so frames can be delivered at Layer 2.

What is stored in the ARP cache?

Recently learned IP-to-MAC address mappings, so the device doesn't have to broadcast an ARP request for every packet.

What is ARP spoofing?

An attack where forged ARP replies poison a device's cache, redirecting traffic to the attacker — mitigated by Dynamic ARP Inspection.

Vipul Sir — Lead Instructor, Attila Technologies. 20+ years in Cisco networking. Teaching CCNA, CCNP, CCIE & CyberOps in Ahmedabad since 2004.