ARP and the arp -a Command

1. What Is ARP (Address Resolution Protocol)?

ARP (Address Resolution Protocol) is a Layer 2 protocol defined in RFC 826 that maps a device's known IPv4 address to its MAC (hardware) address on the same local network segment. It operates between the Network layer (Layer 3) and the Data Link layer (Layer 2) of the OSI model.

When a device wants to communicate with another device on the same subnet, it needs the destination's MAC address to construct an Ethernet frame. If that MAC address is not already in the ARP cache, ARP is used to discover it automatically.

Scope: ARP only works within a single Layer 2 broadcast domain (subnet). Traffic destined for a different subnet is sent to the default gateway — the router's MAC address is what the device ARPs for, not the remote host's MAC. See VLANs for how broadcast domains are segmented in switched networks.

Related pages: MAC Addresses Explained | MAC vs IP Address | IP Addressing | How DHCP Works | DHCP Snooping & Dynamic ARP Inspection

2. How ARP Works — Step by Step

Every ARP exchange consists of a broadcast ARP Request and a unicast ARP Reply. Here is the complete process:

  1. Cache check: Before sending anything, the device checks its local ARP cache. If the destination IP already has a MAC address entry, the device uses it immediately — no ARP needed.
  2. ARP Request (broadcast): If the MAC is not cached, the device sends an ARP Request frame to the broadcast MAC address FF:FF:FF:FF:FF:FF. The frame contains the sender's IP and MAC, and the target IP. The target MAC field is set to all zeros — it is unknown.
  3. All devices receive it: Every device on the local subnet receives the broadcast and checks the target IP. Devices that do not match the target IP silently discard the frame.
  4. ARP Reply (unicast): The device whose IP matches the target sends a unicast ARP Reply directly back to the requester, containing its MAC address.
  5. Cache update: The requesting device stores the IP-to-MAC mapping in its ARP cache for future use. The replying device also caches the requester's mapping.
  6. Communication begins: With the MAC address now known, the original device constructs and sends the Ethernet frame.

ARP Request and Reply — Packet Flow

  PC-A (10.1.1.10 / AA:AA:AA:AA:AA:AA) wants to reach PC-B (10.1.1.20)
  PC-A does not know PC-B's MAC address.

  Step 1: PC-A sends ARP Request (BROADCAST)
  ┌────────────────────────────────────────────────────────┐
  │  Ethernet Header:                                      │
  │    Src MAC:  AA:AA:AA:AA:AA:AA  (PC-A)                 │
  │    Dst MAC:  FF:FF:FF:FF:FF:FF  (broadcast)            │
  │  ARP Payload:                                          │
  │    "Who has 10.1.1.20? Tell 10.1.1.10"                 │
  │    Sender IP:  10.1.1.10  Sender MAC: AA:AA:AA:AA:AA:AA│
  │    Target IP:  10.1.1.20  Target MAC: 00:00:00:00:00:00│
  └────────────────────────────────────────────────────────┘
  → Sent to ALL devices on subnet

  Step 2: PC-B responds with ARP Reply (UNICAST)
  ┌────────────────────────────────────────────────────────┐
  │  Ethernet Header:                                      │
  │    Src MAC:  BB:BB:BB:BB:BB:BB  (PC-B)                 │
  │    Dst MAC:  AA:AA:AA:AA:AA:AA  (PC-A — unicast)       │
  │  ARP Payload:                                          │
  │    "10.1.1.20 is at BB:BB:BB:BB:BB:BB"                 │
  └────────────────────────────────────────────────────────┘
  → Sent only to PC-A

  Step 3: PC-A's ARP cache is updated:
  10.1.1.20  →  BB:BB:BB:BB:BB:BB  (dynamic)
            
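As an added example (not part of the original page), the following Python encodes and decodes the 28-byte ARP payload shown above with the struct module: PC-A's request, PC-B's reply to it, and the gratuitous case where sender and target IP are the same. The Ethernet header is left out; only the ARP payload is modelled.

```python
import struct

# ARP payload layout from RFC 826 for Ethernet/IPv4: HTYPE, PTYPE, HLEN, PLEN, OPER,
# then sender MAC, sender IP, target MAC, target IP. 28 bytes in total.
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"          # "unknown" target MAC in a Request


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.replace("-", ":").split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Encode one ARP packet (payload only, no Ethernet header)."""
    return ARP_HDR.pack(HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                        mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                        mac_to_bytes(target_mac), ip_to_bytes(target_ip))


def build_request(sender_mac, sender_ip, target_ip) -> bytes:
    # "Who has target_ip? Tell sender_ip": the target MAC is unknown, so all zeros.
    return build_arp(OP_REQUEST, sender_mac, sender_ip, ZERO_MAC, target_ip)


def build_gratuitous(mac, ip) -> bytes:
    # Gratuitous ARP: the device announces its own IP (sender IP == target IP).
    return build_arp(OP_REQUEST, mac, ip, ZERO_MAC, ip)


def parse_arp(raw: bytes) -> dict:
    """Decode an ARP payload; raises ValueError if it is not Ethernet/IPv4 ARP."""
    if len(raw) < ARP_HDR.size:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = ARP_HDR.unpack_from(raw)
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if op not in (OP_REQUEST, OP_REPLY):
        raise ValueError(f"unknown ARP opcode {op}")
    return {"op": "request" if op == OP_REQUEST else "reply",
            "sender_mac": bytes_to_mac(smac), "sender_ip": bytes_to_ip(sip),
            "target_mac": bytes_to_mac(tmac), "target_ip": bytes_to_ip(tip)}


def is_gratuitous(pkt: dict) -> bool:
    return pkt["sender_ip"] == pkt["target_ip"]


def answer_request(raw_request: bytes, my_mac: str, my_ip: str):
    """What PC-B does: reply (unicast) only if the target IP is its own, else None."""
    req = parse_arp(raw_request)
    if req["op"] != "request" or req["target_ip"] != my_ip:
        return None          # silently discarded, like every other host on the segment
    return build_arp(OP_REPLY, my_mac, my_ip, req["sender_mac"], req["sender_ip"])


def describe(pkt: dict) -> str:
    """Wireshark-style one-line summary of a decoded ARP packet."""
    if pkt["op"] == "request":
        return f"Who has {pkt['target_ip']}? Tell {pkt['sender_ip']}"
    return f"{pkt['sender_ip']} is at {pkt['sender_mac']}"


if __name__ == "__main__":
    req = build_request("aa:aa:aa:aa:aa:aa", "10.1.1.10", "10.1.1.20")
    print(describe(parse_arp(req)))
    rep = answer_request(req, "bb:bb:bb:bb:bb:bb", "10.1.1.20")
    print(describe(parse_arp(rep)))
```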

3. The ARP Cache

The ARP cache (also called the ARP table) is a local memory table maintained by every networked device — hosts, routers, and switches — that stores recently resolved IP-to-MAC address mappings. It avoids the overhead of broadcasting an ARP Request every time a packet needs to be sent.

  • Improves efficiency: Cached mappings allow immediate frame construction without ARP broadcasts for known devices.
  • Reduces broadcast traffic: ARP Requests are broadcasts — a large ARP cache means far fewer broadcasts on a busy LAN.
  • Temporary by design: Dynamic entries expire after a timeout (typically 2–20 minutes depending on OS/device), ensuring stale entries do not persist if a device's MAC changes (e.g., NIC replacement).

Dynamic vs. Static ARP Entries

Property        | Dynamic entry                                              | Static entry
How created     | Automatically learned via ARP Request/Reply exchange       | Manually added by an administrator
Lifetime        | Expires after inactivity timeout (OS-dependent: ~2–20 min) | Persists until manually removed or system reboot
ARP cache label | dynamic                                                    | static
Use case        | Normal day-to-day communication with any device            | Critical systems (gateway, server) where the MAC must never change unexpectedly
Security risk   | Can be poisoned by ARP spoofing attacks                    | Immune to ARP spoofing for that specific entry, but causes issues if the MAC changes

Caution with static entries: If a device's NIC is replaced and its MAC address changes, any static ARP entry pointing to the old MAC will cause communication failure to that device. Use static ARP entries carefully and only for truly critical, stable systems.

4. The arp -a Command — Platform Reference

The arp -a command displays the current ARP cache on the local device. It is available on Windows, Linux, and macOS, though the output format differs slightly between platforms.

Windows — arp -a

C:\> arp -a

Interface: 192.168.1.10 --- 0x3
  Internet Address      Physical Address      Type
  192.168.1.1           00-14-22-01-23-45     dynamic
  192.168.1.20          00-25-96-ab-cd-ef     dynamic
  192.168.1.30          00-13-ce-12-34-56     static
  224.0.0.22            01-00-5e-00-00-16     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

Linux — arp -a or ip neigh show

# Classic command (older systems)
$ arp -a
router.local (192.168.1.1) at 00:14:22:01:23:45 [ether] on eth0
fileserver (192.168.1.30) at 00:13:ce:12:34:56 [ether] on eth0

# Modern replacement (iproute2)
$ ip neigh show
192.168.1.1 dev eth0 lladdr 00:14:22:01:23:45 REACHABLE
192.168.1.20 dev eth0 lladdr 00:25:96:ab:cd:ef STALE
192.168.1.30 dev eth0 lladdr 00:13:ce:12:34:56 PERMANENT

macOS — arp -a

$ arp -a
router.local (192.168.1.1) at 00:14:22:01:23:45 on en0 ifscope [ethernet]
? (192.168.1.20) at 00:25:96:ab:cd:ef on en0 ifscope [ethernet]

Cisco IOS Router/Switch — show arp

Router# show arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             -   0014.2201.2345  ARPA   GigabitEthernet0/0
Internet  192.168.1.10            3   0025.96ab.cdef  ARPA   GigabitEthernet0/0
Internet  192.168.1.20            1   0013.ce12.3456  ARPA   GigabitEthernet0/0

Interpreting ARP Cache Fields

Field                       | Description                                                            | Notes
Internet Address / IP       | The Layer 3 IPv4 address of the device. See IP Addressing.             | This is the address the device ARPed for
Physical / Hardware Address | The Layer 2 MAC address of the device                                  | Format: xx-xx-xx-xx-xx-xx (Windows) or xxxx.xxxx.xxxx (Cisco)
Type / State                | dynamic = learned automatically; static = manually configured          | Linux uses REACHABLE, STALE, DELAY, PROBE, PERMANENT
Age (Cisco)                 | Minutes since this entry was last updated                              | A dash (—) means the entry is for a local interface
Interface                   | Which network interface this mapping applies to. See show interfaces.  | Important on multi-homed devices with multiple NICs

Linux ip neigh State Reference

State     | Meaning
REACHABLE | Entry is valid and confirmed reachable — recently verified
STALE     | Entry exists but has not been recently confirmed — may need re-verification
DELAY     | Waiting for confirmation of reachability before expiring
PROBE     | Actively sending ARP requests to verify the entry is still valid
PERMANENT | Static entry — never expires
FAILED    | ARP resolution failed — device did not respond

5. Managing the ARP Cache — Full Command Reference

Windows ARP Commands

Action                    | Command                               | Notes
View all ARP entries      | arp -a                                | Shows all interfaces and their cached mappings
View specific interface   | arp -a -N 192.168.1.10                | Filter by local interface IP address
Add static entry          | arp -s 192.168.1.50 00-aa-bb-cc-dd-ee | Requires admin/elevated prompt; lost on reboot
Delete specific entry     | arp -d 192.168.1.20                   | Removes one IP entry from the cache
Clear all dynamic entries | arp -d *                              | Flushes entire ARP cache; static entries remain

Linux ARP Commands

Action                 | Command
View ARP cache         | arp -a or ip neigh show
Add static entry       | arp -s 192.168.1.50 00:aa:bb:cc:dd:ee
Delete specific entry  | arp -d 192.168.1.20 or ip neigh del 192.168.1.20 dev eth0
Flush entire ARP cache | ip neigh flush all

Cisco IOS ARP Commands

! View the ARP table
Router# show arp
Router# show ip arp

! View ARP for a specific IP
Router# show ip arp 192.168.1.10

! Clear the entire ARP cache
Router# clear arp-cache

! Add a static ARP entry
Router(config)# arp 192.168.1.50 0050.56ab.cdef arpa

! View ARP entries only (no incomplete)
Router# show arp | include Internet

When to Clear the ARP Cache

  • After replacing a device's NIC (new MAC address — stale cache will fail)
  • After changing a device's IP address
  • After replacing a router or switch in the path
  • When troubleshooting intermittent connectivity issues on a LAN — use ping to confirm before and after
  • After a HSRP/VRRP failover where the active gateway MAC changes

6. ARP and the Default Gateway — A Critical Relationship

One of the most important ARP interactions is between a host and its default gateway. When a host sends traffic to any IP address outside its own subnet, it must first ARP for the gateway's MAC address. The Ethernet frame carries the gateway's MAC as destination, even though the IP destination is the remote host.

  PC-A (10.1.1.10) wants to reach Web Server (8.8.8.8)

  Step 1: PC-A checks routing: 8.8.8.8 is NOT on local subnet
          → Must send to default gateway (10.1.1.1)

  Step 2: PC-A checks ARP cache for 10.1.1.1
          → Not found — sends ARP Request for gateway MAC

  Step 3: Gateway (10.1.1.1) replies with its MAC: CC:CC:CC:CC:CC:CC

  Step 4: PC-A constructs Ethernet frame:
          Src MAC: AA:AA:AA:AA:AA:AA (PC-A)
          Dst MAC: CC:CC:CC:CC:CC:CC (Gateway)  ← ARP result used here
          Src IP:  10.1.1.10
          Dst IP:  8.8.8.8                       ← Remains unchanged

  Result: Frame delivered to gateway, which routes it toward 8.8.8.8

Key insight: ARP is only used for the next-hop MAC address, never for the final destination IP across routers. The IP destination never changes as packets traverse the network, but the MAC addresses change at every router hop. See MAC vs IP Address for a full explanation of how Layer 2 and Layer 3 addressing interplay.
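The cache behaviour from section 3 and the next-hop decision from this section, as an added simulation that is not from the page: a Host decides whether to ARP for the destination itself or for the gateway, consults a cache whose dynamic entries expire, and returns the addressing of the resulting frame. SEGMENT is a constructed lookup that stands in for the real Request/Reply exchange.

```python
import ipaddress

# Constructed sample segment (not real data): what each neighbour would answer with.
SEGMENT = {
    "10.1.1.1": "cc:cc:cc:cc:cc:cc",    # default gateway
    "10.1.1.20": "bb:bb:bb:bb:bb:bb",   # PC-B
}


class ArpCache:
    """Per-host ARP cache: dynamic entries age out, static entries never do."""

    def __init__(self, timeout_s: float = 120.0):
        self.timeout_s = timeout_s       # 2 minutes, the low end of the 2-20 min range
        self._entries = {}               # ip -> (mac, expires_at); expires_at None = static

    def add_dynamic(self, ip, mac, now):
        self._entries[ip] = (mac, now + self.timeout_s)

    def add_static(self, ip, mac):
        self._entries[ip] = (mac, None)

    def lookup(self, ip, now):
        """Return the cached MAC, or None if absent or expired (expired entries are evicted)."""
        entry = self._entries.get(ip)
        if entry is None:
            return None
        mac, expires_at = entry
        if expires_at is not None and now >= expires_at:
            del self._entries[ip]
            return None
        return mac

    def flush_dynamic(self):
        """Equivalent of 'arp -d *' as the page describes it: static entries remain."""
        self._entries = {ip: e for ip, e in self._entries.items() if e[1] is None}


class Host:
    def __init__(self, ip, mac, prefix, gateway, timeout_s=120.0):
        self.ip, self.mac, self.gateway = ip, mac, gateway
        self.network = ipaddress.ip_network(prefix, strict=False)
        self.cache = ArpCache(timeout_s)
        self.arp_requests = []           # every IP this host actually had to ARP for

    def next_hop(self, dst_ip):
        """Same subnet: ARP for the destination itself. Otherwise ARP for the gateway."""
        return dst_ip if ipaddress.ip_address(dst_ip) in self.network else self.gateway

    def resolve(self, hop_ip, now, reply_fn):
        mac = self.cache.lookup(hop_ip, now)
        if mac is None:
            self.arp_requests.append(hop_ip)
            mac = reply_fn(hop_ip)       # stands in for the broadcast Request / unicast Reply
            if mac is None:
                return None              # nobody answered: the entry stays incomplete
            self.cache.add_dynamic(hop_ip, mac, now)
        return mac

    def frame_for(self, dst_ip, now, reply_fn=SEGMENT.get):
        """Addressing of the Ethernet frame that would carry a packet to dst_ip."""
        dst_mac = self.resolve(self.next_hop(dst_ip), now, reply_fn)
        if dst_mac is None:
            return None
        # dst_ip is unchanged; only the Layer 2 destination is the next hop.
        return {"src_mac": self.mac, "dst_mac": dst_mac, "src_ip": self.ip, "dst_ip": dst_ip}
```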

7. ARP Variants — Gratuitous ARP and Proxy ARP

Gratuitous ARP

A Gratuitous ARP is an ARP reply sent by a device for its own IP address without first receiving an ARP Request. The sender and target IP are both the device's own IP.

Used for:

  • IP conflict detection: At boot, a device sends a Gratuitous ARP for its IP. If another device replies, an IP conflict exists. See How DHCP Works for how DHCP also uses this mechanism.
  • ARP cache updates: Tells all devices on the subnet to update their ARP cache with the new MAC. Used after NIC replacement or when a device restarts.
  • HSRP/VRRP failover: When the active gateway changes (failover), the new active router sends a Gratuitous ARP to update the ARP caches of all hosts so traffic redirects immediately.
  • Network-based storage and clustering: Virtual IPs (VIPs) use Gratuitous ARP to announce themselves when migrating between physical hosts.

Proxy ARP

Proxy ARP allows a router to answer ARP requests on behalf of devices that are on a different subnet. When a host ARPs for an IP that is not on its local segment, the router — if Proxy ARP is enabled — responds with its own MAC address, effectively acting as a proxy.

  • Enabled by default on Cisco router interfaces (ip proxy-arp).
  • Allows hosts with incorrect subnet masks to still communicate — the router intercepts misaddressed ARP requests and replies on behalf of remote hosts.
  • Can be a security concern in some designs — disable with no ip proxy-arp on interfaces where it is not needed.

! Disable Proxy ARP on an interface (security best practice on external interfaces)
Router(config)# interface GigabitEthernet0/0
Router(config-if)# no ip proxy-arp

8. ARP Security — Spoofing, Poisoning, and Defences

ARP has no built-in authentication mechanism — any device on the LAN can send ARP replies claiming to be any IP address. This fundamental weakness enables ARP spoofing (also called ARP poisoning), one of the most common Layer 2 attacks.

ARP Spoofing Attack — How It Works

  Normal operation:
  PC-A (10.1.1.10) ──ARP──▶ Gateway (10.1.1.1) MAC: CC:CC:CC:CC:CC:CC

  ARP Spoofing attack:
  Attacker sends unsolicited ARP replies to PC-A:
  "10.1.1.1 is at EE:EE:EE:EE:EE:EE" (attacker's MAC)

  PC-A updates ARP cache:
  10.1.1.1 → EE:EE:EE:EE:EE:EE  ← POISONED (attacker's MAC)

  Result: Man-in-the-Middle (MitM) attack
  PC-A ──traffic──▶ Attacker ──traffic──▶ Real Gateway
  Attacker intercepts, reads, or modifies all traffic!

What attackers can do with ARP spoofing:

  • Man-in-the-Middle (MitM): Intercept traffic between hosts and the gateway.
  • Credential theft: Capture unencrypted HTTP, FTP, or Telnet credentials — use SSH and HTTPS instead to protect against this.
  • Session hijacking: Take over authenticated sessions.
  • Denial of Service: Drop all traffic to/from a victim by pointing the ARP entry to a non-existent MAC.

Detecting ARP Spoofing

  • Run arp -a and look for the same MAC address mapped to multiple IP addresses — especially for the gateway IP.
  • Monitor for rapidly changing MAC addresses for the same IP in the ARP cache.
  • Use tools like arpwatch (Linux), XArp (Windows), or Wireshark ARP filter to alert on unexpected ARP changes.
  • On Cisco switches, check for MAC flapping: show mac address-table — look for multiple port associations for one MAC.

ARP Spoofing Defences

Defence                          | How It Works                                                                                                                   | Notes
Dynamic ARP Inspection (DAI)     | Switch validates ARP packets against the DHCP Snooping binding table; drops ARP replies where IP-to-MAC doesn't match the binding | Most effective switch-level defence; requires DHCP Snooping enabled first. See DHCP Snooping & DAI.
Static ARP entries               | Manually configure critical IP-to-MAC mappings so they cannot be overwritten by spoofed ARP replies                            | Only practical for a small number of devices (gateway, servers); does not scale
Port Security                    | Limits the number of MAC addresses allowed on a switch port; prevents rogue devices from connecting                             | Complements DAI; doesn't prevent spoofing from authorised devices. See Port Security.
Encrypted protocols              | Use HTTPS, SSH, TLS; even if ARP is poisoned and traffic intercepted, encryption prevents reading credentials                   | Defence-in-depth; doesn't stop the attack but limits its impact
VLANs and network segmentation   | Limit broadcast domains; ARP spoofing is confined to the same VLAN                                                              | Reduces attack surface but doesn't eliminate the risk within a VLAN

See: DHCP Snooping & Dynamic ARP Inspection (Step-by-Step)

9. Dynamic ARP Inspection (DAI) — How It Works

DAI is a Cisco switch feature that intercepts and validates all ARP packets on untrusted ports. It cross-references ARP reply contents against the DHCP Snooping binding table — which maps IP addresses to MAC addresses and switch ports. ARP replies that don't match are dropped.

! Step 1: Enable DHCP Snooping (required for DAI binding table)
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10

! Step 2: Mark uplink/trunk ports as trusted (DHCP server side)
Switch(config)# interface GigabitEthernet0/24
Switch(config-if)# ip dhcp snooping trust

! Step 3: Enable Dynamic ARP Inspection on the VLAN
Switch(config)# ip arp inspection vlan 10

! Step 4: Mark trusted ports (uplinks) as DAI trusted
Switch(config)# interface GigabitEthernet0/24
Switch(config-if)# ip arp inspection trust

! Verify DAI
Switch# show ip arp inspection vlan 10
Switch# show ip arp inspection statistics

DAI trust model: User-facing access ports are untrusted by default — all ARP packets are validated. Uplink ports to routers, DHCP servers, or other trusted switches are marked as trusted — ARP packets pass without validation. Without this distinction, DAI would block ARP from the router itself. For static IP hosts, create an ARP ACL and apply it with ip arp inspection filter.
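An added, deliberately simplified model of the DAI trust logic described here (illustrative Python, not Cisco's implementation): untrusted ports are checked against the DHCP snooping bindings, an ARP ACL permits static-IP hosts, and trusted ports and non-inspected VLANs bypass validation. All bindings and ARP ACL entries are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: IP and MAC learned on a given VLAN and port."""
    ip: str
    mac: str
    vlan: int
    port: str


@dataclass
class DaiSwitch:
    """Simplified model of Dynamic ARP Inspection on one switch (illustrative only)."""
    inspected_vlans: set = field(default_factory=set)   # ip arp inspection vlan N
    trusted_ports: set = field(default_factory=set)     # ip arp inspection trust
    bindings: set = field(default_factory=set)          # DHCP snooping binding table
    arp_acl: dict = field(default_factory=dict)         # vlan -> {(ip, mac)} permit entries
    stats: dict = field(default_factory=lambda: {"forwarded": 0, "dropped": 0})

    def inspect(self, vlan, in_port, sender_ip, sender_mac, eth_src_mac) -> bool:
        """Return True if the ARP packet is forwarded, False if DAI drops it."""
        sender_mac, eth_src_mac = sender_mac.lower(), eth_src_mac.lower()
        # DAI only inspects enabled VLANs, and trusted ports bypass validation.
        if vlan not in self.inspected_vlans or in_port in self.trusted_ports:
            return self._count(True)
        # 'ip arp inspection validate src-mac': the ARP sender MAC must equal the
        # Ethernet source MAC, otherwise the packet is dropped regardless of bindings.
        if sender_mac != eth_src_mac:
            return self._count(False)
        # ARP ACL (ip arp inspection filter): a matching permit entry is accepted
        # without consulting DHCP snooping, which is how static-IP hosts get through.
        if (sender_ip, sender_mac) in self.arp_acl.get(vlan, set()):
            return self._count(True)
        # Everything else must match a DHCP snooping binding on this VLAN and port.
        return self._count(Binding(sender_ip, sender_mac, vlan, in_port) in self.bindings)

    def _count(self, forwarded: bool) -> bool:
        self.stats["forwarded" if forwarded else "dropped"] += 1
        return forwarded


def demo_switch() -> DaiSwitch:
    """Constructed sample matching the page's VLAN 10 / Gi0/24 uplink configuration."""
    sw = DaiSwitch(inspected_vlans={10}, trusted_ports={"GigabitEthernet0/24"})
    # DHCP clients as seen by DHCP snooping (constructed data)
    sw.bindings.add(Binding("192.168.1.20", "00:25:96:ab:cd:ef", 10, "GigabitEthernet0/3"))
    sw.bindings.add(Binding("192.168.1.10", "00:50:56:ab:cd:ef", 10, "GigabitEthernet0/4"))
    # Static-IP host permitted via ARP ACL; the IOS equivalent would be a
    # 'permit ip host 192.168.1.30 mac host 0013.ce12.3456' entry in an arp access-list
    # applied with 'ip arp inspection filter <name> vlan 10' (hypothetical entry).
    sw.arp_acl[10] = {("192.168.1.30", "00:13:ce:12:34:56")}
    return sw
```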

10. ARP Troubleshooting Scenarios

Scenario 1 — Host Cannot Reach Default Gateway

Symptom: A host can ping devices on its local subnet but cannot reach the internet or any other subnet. Default gateway ping also fails.

Troubleshooting with arp -a:

C:\> arp -a
Interface: 192.168.1.10 --- 0x3
  Internet Address      Physical Address      Type
  192.168.1.1           00-00-00-00-00-00     (incomplete)

Diagnosis: The gateway entry shows an incomplete or all-zero MAC — ARP resolution failed. The gateway is not responding to ARP Requests.

Resolution steps:
  1. Verify physical connectivity — cable, switch port status. Use show interfaces on the switch.
  2. Confirm gateway IP is correct: ipconfig (Windows) or ip route (Linux).
  3. Ping gateway: ping 192.168.1.1 — if it fails, proceed to step 4.
  4. Clear ARP cache: arp -d * and retry.
  5. Check VLAN assignment — host and gateway may be on different VLANs.
  6. Try from a different host — if others can reach the gateway, the issue is host-specific.

Scenario 2 — Detecting ARP Spoofing via arp -a

Symptom: Intermittent connectivity loss; users report slow speeds; security concern raised.

Investigation:

C:\> arp -a
  192.168.1.1    aa:bb:cc:11:22:33   dynamic   ← Gateway MAC
  192.168.1.50   aa:bb:cc:11:22:33   dynamic   ← SAME MAC as gateway!

Diagnosis: Two different IP addresses share the same MAC address in the ARP cache. This strongly suggests ARP spoofing — 192.168.1.50 is advertising the gateway's MAC, or the gateway MAC is being forged by a device at .50.

Resolution:
  1. Enable DAI on the switch to validate ARP packets.
  2. Identify which switch port the device at 192.168.1.50 is connected to, using show mac address-table.
  3. Add a static ARP entry for the gateway: arp -s 192.168.1.1 [real-MAC].
  4. Investigate the device at 192.168.1.50 for ARP spoofing tools. Capture with Wireshark.
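An added example (not from the page) that parses the arp -a and ip neigh output formats from section 4 and applies the checks from the Detecting ARP Spoofing list and this scenario: incomplete entries, one MAC claimed by several IPs, and the gateway resolving to a MAC other than the known-good one. The sample outputs are constructed to mirror this page's examples.

```python
import re
from collections import defaultdict

# An IPv4 address, and a MAC in either 00:11:22:33:44:55 or 00-11-22-33-44-55 form.
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
INCOMPLETE_MAC = "00:00:00:00:00:00"
IPV4_MULTICAST_OUI = "01:00:5e"


def normalise_mac(mac: str) -> str:
    """Windows prints 00-14-22-01-23-45, Linux/macOS 00:14:22:01:23:45; use one form."""
    return mac.replace("-", ":").lower()


def parse_arp_output(text: str) -> dict:
    """Parse 'arp -a' (Windows, Linux, macOS) or 'ip neigh show' output into {ip: mac}.
    Lines without both an IPv4 address and a MAC (column headers, Windows 'Interface:'
    lines, Linux FAILED entries that carry no lladdr) are skipped."""
    table = {}
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if ip and mac:
            table[ip.group(1)] = normalise_mac(mac.group(1))
    return table


def analyse(table: dict, gateway_ip: str = None, expected_gateway_mac: str = None) -> list:
    """Apply the page's checks: incomplete entries, one MAC claimed by several IPs,
    and (when a known-good value is supplied) the gateway resolving to the wrong MAC."""
    findings = []
    ips_by_mac = defaultdict(list)
    for ip, mac in table.items():
        if mac == BROADCAST_MAC or mac.startswith(IPV4_MULTICAST_OUI):
            continue                  # broadcast/multicast entries legitimately share MACs
        if mac == INCOMPLETE_MAC:
            findings.append(f"incomplete entry for {ip}: ARP Request sent, no Reply received")
            continue
        ips_by_mac[mac].append(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            tag = " (includes the gateway)" if gateway_ip in ips else ""
            findings.append(f"MAC {mac} claimed by {len(ips)} IPs: {', '.join(sorted(ips))}{tag}")
    if gateway_ip and expected_gateway_mac:
        expected, actual = normalise_mac(expected_gateway_mac), table.get(gateway_ip)
        if actual not in (None, INCOMPLETE_MAC) and actual != expected:
            findings.append(f"gateway {gateway_ip} resolves to {actual}, expected {expected}")
    return findings


# Constructed sample outputs (not real captures), modelled on the page's examples.
WINDOWS_SPOOFED = """\
Interface: 192.168.1.10 --- 0x3
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-11-22-33     dynamic
  192.168.1.20          00-25-96-ab-cd-ef     dynamic
  192.168.1.50          aa-bb-cc-11-22-33     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""
WINDOWS_INCOMPLETE = """\
Interface: 192.168.1.10 --- 0x3
  Internet Address      Physical Address      Type
  192.168.1.1           00-00-00-00-00-00     (incomplete)
"""
LINUX_CLEAN = """\
192.168.1.1 dev eth0 lladdr 00:14:22:01:23:45 REACHABLE
192.168.1.20 dev eth0 lladdr 00:25:96:ab:cd:ef STALE
192.168.1.30 dev eth0 lladdr 00:13:ce:12:34:56 PERMANENT
192.168.1.99 dev eth0 FAILED
"""

if __name__ == "__main__":
    for name, text in [("windows", WINDOWS_SPOOFED), ("linux", LINUX_CLEAN)]:
        for finding in analyse(parse_arp_output(text), "192.168.1.1", "00:14:22:01:23:45"):
            print(f"[{name}] {finding}")
```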

Scenario 3 — Stale ARP After Device Replacement

Symptom: After replacing a router, some hosts can reach it but others cannot — even though the IP address is the same.

Cause: The old router's MAC is still in some hosts' ARP caches. The new router has a different MAC but the same IP. Hosts with stale entries send frames to the old MAC — which no longer exists — and receive no response.

Resolution:
  • Clear ARP cache on affected hosts: arp -d * (Windows) or ip neigh flush all (Linux).
  • The new router should send a Gratuitous ARP to proactively update all hosts. Verify this is happening or trigger it manually.
  • Alternatively, wait for the ARP timeout to expire (2–20 minutes) — hosts will re-ARP naturally.
  • Verify resolution with ping to the gateway after clearing the cache.

11. ARP Limitations and IPv6 Replacement

  • IPv4 only: ARP is exclusively used for IPv4. IPv6 uses Neighbor Discovery Protocol (NDP) — specifically the Neighbor Solicitation and Neighbor Advertisement messages — which replaces ARP functionality with better security via ICMPv6.
  • Local subnet only: ARP broadcasts are limited to the local Layer 2 domain. Routers do not forward ARP broadcasts — they mark a subnet boundary.
  • No authentication: Any device can claim any IP-to-MAC mapping. This is the root cause of all ARP-based attacks.
  • Broadcast overhead: In large flat Layer 2 networks with many hosts, ARP broadcast traffic can consume significant bandwidth — a reason to use VLANs to segment broadcast domains.
  • Scalability: As subnet size grows, ARP broadcast traffic grows linearly. This is why large data centres use techniques like ARP suppression (in VXLAN/EVPN) to reduce ARP flooding.

See: IPv6 Overview | IPv6 Link-Local vs Global Addresses

12. Common Misconceptions About ARP

  • "ARP is used to reach devices on other subnets."
    ARP only resolves MAC addresses on the local subnet. For traffic destined to a different subnet, ARP is used to find the gateway's MAC address — not the remote host's. The remote host's IP is in the packet header, but its MAC is never directly ARPed for. See MAC vs IP Address.
  • "The ARP cache always has the correct MAC address."
    Dynamic ARP entries can be poisoned by ARP spoofing — a malicious device sends fake ARP replies overwriting legitimate entries. Always validate the ARP cache when troubleshooting suspicious network behaviour. Use Wireshark or arpwatch to detect anomalies.
  • "Clearing the ARP cache disconnects active connections."
    Clearing the cache does not drop existing TCP connections — it only removes cached IP-to-MAC mappings. On the next packet send, the device simply ARPs again to rebuild the mapping, usually within milliseconds.
  • "Static ARP entries are more secure because they can't be spoofed."
    Static ARP entries for critical hosts (like the gateway) do resist spoofing for those specific entries. However, they must be maintained manually and cause outages if the MAC changes. DAI is the scalable, correct solution for ARP security.
  • "IPv6 uses ARP."
    IPv6 uses Neighbor Discovery Protocol (NDP), not ARP. NDP uses ICMPv6 Neighbor Solicitation and Neighbor Advertisement messages — equivalent functions but with cryptographic extensions available (SEND — Secure Neighbor Discovery).

13. Key Points & Exam Tips

  • ARP resolves IPv4 to MAC on the local subnet — used at Layer 2 to build Ethernet frames.
  • ARP Request is a broadcast (FF:FF:FF:FF:FF:FF); ARP Reply is unicast back to the requester.
  • ARP only operates within the local broadcast domain — routers don't forward ARP broadcasts. Use VLANs to control broadcast domain size.
  • For traffic to remote subnets, a host ARPs for the gateway's MAC — not the remote host's. See MAC vs IP Address.
  • Dynamic entries expire automatically (2–20 min); static entries persist until manually removed or reboot.
  • arp -a — view cache; arp -d * — clear all; arp -s — add static; Cisco: show arp / clear arp-cache.
  • Gratuitous ARP — device ARPs for its own IP; used for conflict detection, cache updates, and HSRP/VRRP failover.
  • Proxy ARP — router answers ARP on behalf of another device; enabled by default on Cisco; can be disabled with no ip proxy-arp.
  • ARP spoofing exploits ARP's lack of authentication — attacker sends fake ARP replies to poison caches and intercept traffic (MitM attack). Detect with Wireshark.
  • DAI (Dynamic ARP Inspection) is the primary switch-level defence against ARP spoofing — requires DHCP Snooping to be enabled first. See DHCP Snooping & DAI.
  • IPv6 uses NDP (Neighbor Discovery Protocol), not ARP.
  • Protect against ARP MitM by using SSH and HTTPS — even if traffic is intercepted, encrypted sessions prevent credential theft.

Related pages: MAC Addresses | MAC vs IP Address | IP Addressing | How DHCP Works | IPv6 Overview | show mac address-table | HSRP | VLANs | Wireshark | ping | DHCP Snooping & DAI | Port Security

14. ARP and arp -a Quiz

1. A host wants to send a packet to 10.0.0.50 on the same subnet but does not have its MAC address. What happens first before the packet is transmitted?

Correct answer is C. When a host needs to communicate with a device on the same subnet but doesn't know its MAC address, it first checks the ARP cache. If not found, it sends an ARP Request as a broadcast (FF:FF:FF:FF:FF:FF) to all devices on the subnet. Only the device with IP 10.0.0.50 responds with a unicast ARP Reply containing its MAC address. DNS resolves names to IPs — not IPs to MACs.

2. A user runs arp -a on their Windows PC and notices the entry for the default gateway (192.168.1.1) has a MAC address of 00-00-00-00-00-00. What does this indicate?

Correct answer is D. An incomplete or all-zero MAC in the ARP cache means the ARP Request was sent but no ARP Reply was received. The gateway is not responding — this could indicate the gateway is down, on a different VLAN, the wrong IP was configured, or a physical link issue. Troubleshoot by verifying physical connectivity, VLAN assignments, and gateway interface status. Use ping and show interfaces for further diagnosis.

3. A network admin replaces a router. Some hosts immediately reach the new router while others cannot — even though the IP address is unchanged. What is the most likely cause and quickest fix?

Correct answer is B. The old router's MAC address is still cached by some hosts. When they try to reach the gateway IP, they construct Ethernet frames with the old MAC — which no longer exists — and receive no response. Clearing the ARP cache (arp -d * on Windows, ip neigh flush all on Linux) forces those hosts to re-ARP and discover the new router's MAC. The new router should also send a Gratuitous ARP to proactively update all hosts. Verify with ping after clearing.

4. During a security investigation, an analyst runs arp -a and finds that both 192.168.10.1 (gateway) and 192.168.10.55 (unknown host) map to the same MAC address aa:bb:cc:11:22:33. What attack does this most likely indicate?

Correct answer is A. When two different IP addresses share the same MAC address in the ARP cache, it strongly indicates ARP spoofing. The attacker at 192.168.10.55 is sending unsolicited ARP replies claiming to be the gateway (192.168.10.1) with its own MAC address. This poisons the ARP cache, redirecting traffic intended for the gateway through the attacker — enabling a Man-in-the-Middle attack. Mitigate with DAI and verify with Wireshark.

5. Host A (10.1.1.5) wants to send an email to a server at 203.0.113.20. Which device's MAC address does Host A ARP for?

Correct answer is C. The email server (203.0.113.20) is on a completely different subnet. Host A's routing logic determines the packet must go through the default gateway. Host A therefore ARPs for the gateway's MAC address — not the server's. The Ethernet frame will have the gateway's MAC as destination, but the IP packet inside will carry 203.0.113.20 as the destination IP. ARP never crosses subnet boundaries. See MAC vs IP Address.

6. What is a Gratuitous ARP and which scenario makes it essential?

Correct answer is B. A Gratuitous ARP is sent by a device for its own IP address (sender IP = target IP) without being asked. It is critical during HSRP/VRRP failover — when the active gateway role moves from one router to another, the new active router immediately sends a Gratuitous ARP to tell all hosts on the segment to update their ARP caches with the new MAC address. Without this, hosts would continue sending traffic to the failed router's MAC until the ARP timeout expired.

7. Dynamic ARP Inspection (DAI) is enabled on a switch, but a host with a statically assigned IP (not from DHCP) is having its ARP packets dropped. What is the most likely cause and fix?

Correct answer is D. DAI validates ARP packets against the DHCP Snooping binding table. Statically configured hosts never go through DHCP and therefore have no entry in the binding table — their ARP packets are dropped. The fix is to create a static ARP ACL mapping the host's IP to its MAC and apply it using ip arp inspection filter [acl-name] vlan [vlan-id]. This tells DAI to accept ARP packets from that specific static IP-to-MAC binding. See DHCP Snooping & DAI.

8. A Cisco router has Proxy ARP enabled on its LAN interface. Host A (192.168.1.10/24) sends an ARP Request for 192.168.2.20 — a device on a different subnet. What does the router do?

Correct answer is A. With Proxy ARP enabled, the router intercepts the ARP Request for 192.168.2.20 (which is on a different subnet it has a route to) and replies with its own MAC address. Host A then sends all traffic for 192.168.2.20 to the router's MAC, and the router routes it correctly. This allows hosts with misconfigured subnet masks to still communicate, but it generates extra ARP traffic. Disable with no ip proxy-arp on interfaces where it's not needed.

9. An engineer runs show arp on a Cisco router and sees an entry with an age of "—" (dash). What does this indicate?

Correct answer is C. In Cisco's show arp output, a dash (—) in the Age column indicates the entry belongs to one of the router's own interface IP addresses. The router knows its own MAC addresses directly — it does not need to ARP for itself, and these entries never age out. All other (remote) hosts show an age in minutes counting up from when the entry was last refreshed.

10. A host's ARP cache shows 192.168.1.1 resolving to the correct gateway MAC. The host clears the ARP cache with arp -d * and immediately tries to access a website. What happens to the existing TCP connection during the ARP cache clear?

Correct answer is B. Clearing the ARP cache removes cached IP-to-MAC mappings but does not affect active TCP sessions — TCP connections exist at Layer 4 and are not tied to the ARP cache state. On the very next packet that needs to be sent, the host performs a new ARP Request to re-resolve the gateway MAC. This takes only milliseconds and the TCP connection continues seamlessly. This is why arp -d * is safe to run on a live host when troubleshooting — it does not disrupt existing sessions. Verify with ping after clearing to confirm the new ARP entry is correct.
