ARP cache: What is it and how can it help you?
What is ARP?
The Address Resolution Protocol (or ARP) is a very important part of IP networking. ARP is used to connect OSI Layer 3 (Network) to OSI Layer 2 (Data-Link). For most of us, that means that ARP is used to link our IP addressing to our Ethernet addressing (MAC Addressing). For you to communicate with any device on your network, you must have the Ethernet MAC address for that device. If the device is not on your LAN, you go through your default gateway (your router). In this case, your router will be the destination MAC address that your PC will communicate with.
What is an ARP Cache?
There are two types of ARP entries- static and dynamic. Most of the time, you will use dynamic ARP entries. What this means is that the ARP entry (the Ethernet MAC to IP address link) is kept on a device for some period of time, as long as it is being used. The opposite of a dynamic ARP entry is static ARP entry. With a static ARP entry, you are manually entering the link between the Ethernet MAC address and the IP address. Because of management headaches and the lack of significant negatives to using dynamic ARP entries, dynamic ARP entries are used most of the time.
So how is the dynamic ARP entry created? The answer is that the ARP protocol is used. Let’s say that a PC wants to communicate with host Myserver.Bluecrabfood.com. Before it can do that, it has to first resolve the hostname with the DNS server. Let’s say that it is successfully resolved to 10.10.10.10. Before the PC can communicate with that IP address, it must first resolve the IP address to the MAC address. To do this, it does an ARP request. This is a broadcast to the local LAN that says who has IP address 10.10.10.10 and what is your Ethernet MAC address? Say that server responds and says I have IP address 10.10.10.10 and my MAC address is 1234.4567.890A.
The PC will put that entry into its local ARP cache and it will stay there until the entry has not been used and the ARP cache timeout has expired. Here is an ARP cache looks like on a Windows PC:
Passwords Haven’t Disappeared Yet
123456. Qwerty. Iloveyou. No, these are not exercises for people who are brand new to typing. Shockingly, they are among the most common passwords that end users choose in 2021. Research has found that the average business user must manually type out, or copy/paste, the credentials to 154 websites per month. We repeatedly got one question that surprised us: “Why would I ever trust a third party with control of my network?
If a router is communicating with a device, it will have its own ARP cache. Here is an example of the show arp command on a Cisco IOS router:
In this example, you can see how IP address 126.96.36.199 is mapped to Ethernet MAC address 0003.e39b.9220. Notice the Incomplete entry; this is a sign of trouble.
Switches will have their own ARP cache but they will also keep track of which MAC address is connected to which port on the switch. This can be seen with the show mac-address-table commands on a Cisco IOS switch:
However, notice that this table is for devices that are communicating THROUGH the switch, not to the switch (like a regular ARP cache).
Additionally, there is also the Inverse ARP protocol. This protocol performs the opposite task that the ARP protocol performs. Inverse ARP asks all devices if they have the MAC address xxxx.xxxx.xxxx and, if so, what their IP address is.
How can an ARP cache help me?
No matter what IP device you are using, it will have an ARP cache. This ARP cache can be used in your troubleshooting of network connectivity. If everything is working fine with ARP, you will have a dynamic ARP entry that is complete (both MAC and IP values are there). If you do not have a complete entry, you can clear your ARP cache and attempt communication again (ping the device you are trying to communicate with).
If the communications you are attempting is coming from a Cisco router or switch, you can perform a show arp, then clear arp, like this:
You can then attempt communications again to see if your issue is resolved.
If your communication is originating from a PC, you can do a arp d *, like this:
Keep a lookout for invalid ARP entries that go to 00-00-00-00-00-00, like this:
This tells you that ARP resolution is not working, perhaps because the device isn’t even on the network.
On the switch that is tracking the MAC addresses, you can also clear the switching table, or just the entry for a particular MAC address. Keep in mind that if you clear the entire switching table, communications to and from the devices on the switch can be disconnected. To clear the entire switching table, just type clear mac-address-table dynamic, like this:
In this article, we learned the following:
- ARP is what maps OSI Layer 2 addresses to Layer 3 addresses. In other words, ARP maps IP addresses to Ethernet MAC Addresses.
- That inverse ARP is used to map MAC addresses to IP addresses.
- How important ARP is to communicating on an IP network.
- How you can use the arp command in Windows, and the show arp and clear arp commands in the Cisco IOS, to help view and troubleshoot the ARP cache.
For more information on the Address Resolution Protocol (ARP), see this Wikipedia article covering ARP