ARP Explained: How Devices Find Each Other on a LAN
ARP (Address Resolution Protocol) answers one question on a local network: "which MAC address owns this IP?" Before a device can send a frame to a neighbour, it broadcasts an ARP request; the owner replies with its MAC, which the sender caches.
How ARP works
- Host A wants to reach 192.168.1.20 on the same LAN but only knows the IP.
- A broadcasts: "Who has 192.168.1.20? Tell 192.168.1.10."
- Host B replies (unicast) with its MAC address.
- A stores the IP-to-MAC pair in its ARP cache and sends the frame.
To reach a device on a different network, A instead ARPs for its default gateway's MAC.
ARP security: spoofing
Because ARP has no authentication, an attacker can send forged replies to poison caches and intercept traffic (a man-in-the-middle attack). Switches defend against this with Dynamic ARP Inspection (DAI), which validates ARP against the DHCP snooping table — a CyberOps and CCNP security topic.
Frequently asked questions
What does ARP do?
ARP maps a known IP address to the MAC address of a device on the same local network, so frames can be delivered at Layer 2.
What is stored in the ARP cache?
Recently learned IP-to-MAC address mappings, so the device doesn't have to broadcast an ARP request for every packet.
What is ARP spoofing?
An attack where forged ARP replies poison a device's cache, redirecting traffic to the attacker — mitigated by Dynamic ARP Inspection.
Related articles
Want hands-on training?
Learn this on real Cisco lab devices with placement support at Attila Technologies, Ahmedabad.