Real world example of what ARP is used for

I know what ARP is, what it does and how it works for the most part.  But can someone give me a real world explanation of why it is needed in todays networks?

If I have DNS entries for all my machines, do I still need arp?
LVL 23
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

I think that ARP table in Layer 3 switches is used to map IP addresses to MAC addresses. In other words it is a map of physical addresses to logical addresses. Arp table is cached in a switch so every time client IP connects it does not have to make ARP request for the hardware address.
correction: The ARP request is not made by "IP" as I stated in my previous comment. ARP request is initiated by host. If the ARP to IP is cached in the ARP table, Broadcast for ARP is not necessary therefore the presence of cached table minimizes broadcast traffic.
BTW,  DNS is not aware of MAC addresses it is only processing IP to name translation..
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

ARP is used within a local network to resolve IP addresses to hardware MAC addresses. For example, if you've got a computer that is connected to the internet via a wireless router, when you load the webpage, the following steps happen:


Your computer (lets say needs to perform a DNS lookup on, so it prepares a packet for the DNS server (lets say


Your computer looks up its routing table to figure out where to send the DNS packet to.  As is not on the local network, this will return the default route, which will be your Wifi router (lets say But to send the packet over Wifi, it needs the actual hardware MAC address of the router to send it to.


Your computer looks for in its local ARP cache table. If not found, it sends out an ARP request: "who has". The router would then respond with its own MAC address "I am".


Your computer then stores the IP and MAC combination for your router for future reference, and forwards the DNS packet to the router's MAC address.


Once the packet gets to the router, it will be forward over your point-to-point link to the ISP's router. Generally, point-to-point links don't need ARP since there are only two endpoints.


The ISP router will presumably be on an ethernet network, and will look up its own routing tables for for the DNS server ( It will then look up its own ARP cache and may need to perform an ARP request for the next router in the chain. This process continues until the packet reaches the DNS server.
The HTTP request packet for would then follow the same steps, but on your local network at least, your computer will already have the IP/MAC address for your router in its cache. In practice, most TCP/IP packets don't result in ARP requests because of the ARP cache (ie. most network traffic consists of multiple packets being sent, so subsequent packets will have ARP cache hits.)

Hope this explains it for you. :-)


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
savoneAuthor Commented:
@timshel, That is great information and laid out very nicely, I appreciate that.  To continue the conversation, can you explain why we need two addresses (MAC and IP)?  

I think this all stems from the way I have learned things.  If I would have learned the OSI model first I would probably know this.

So I am going to take a guess and try to answer my own question.

We need two addresses because they are  used at different layers in the OSI network model.  IP addresses are used at layer 3 and MAC addresses at layer 2.  

Is this correct?  Can you expand on it for me?  

BTW, I know this is a lot to tell someone for points, I appreciate it.

savoneAuthor Commented:
So just to try to explain my question above better.  If a packet knows it has to go to, why does it also need to know that belongs to XX:XX:XX:XX:XX:XX ???

Keep in mind I may be wrong here, but from what I know ...

Switches and routers communicate using MAC Addresses (Physical Addresses), so yes the packet has to get to, but the routers and switch need to find that computer using its mac address which is stored in the ARP Cache. Every time you ping something, its address is stored in the ARP Cache for some specified ammount of time, it essentially is like an address book in that when you need to find PC122 at address or whatever, it sends a broadcast address across the network saying "Where is this computer", then it gets a reply with the computers MAC Address and then it knows where to send the information.

One big reason is that MAC Addresses are unique and never change, but there are millions of addresses out there (Granted they are reserved private addresses for internal use only, but still). In addition, IP Addresses move from host to host when their lease expires, so while PC122 might be today, it might be tomorrow.

As for a real world use of ARP? I have to use it every once in a while to track down the location of a computer.

Lets say you have a computer with the name DefaultName-PC and you have no idea where this computer is. But you are receiving alerts that the system is infected and you want to find it and clean it. Well, you probably have the IP Address of the computer, but that doesn't tell you where the computer is, and going to DHCP would only tell you the host name ... which you already know is DefaultName-PC. So, you go to a switch and you ping the IP Address, then when ping completes you type arp -a and look at the arp cache. This will tell you what the MAC Address for that computer is. Then, using the MAC Address, you can look at the MAC Address Table (by using the cisco command show mac-address-table) of that switch. That will give you a list of every MAC Address which that switch knows about (Its theoretical address book). From there you can find the mac address of the system you are looking for and it will tell you what port on the switch it is plugged into. This may lead you to a port which goes to another switch, but you can continue to trace it until you find the switchport that the computer is plugged into. Then from there you should be able to trace that switch port back to your mystery computer.

If I am wrong, someone please feel free to correct me.
@Grasty86 is right, Ethernet communications only use MAC addresses. Basically IP is a layer that works over the top of the low-level communications (ie Ethernet) and allows traffic to traverse across different physical networks. So your traffic could go from your computer via wireless Ethernet (802.11) to your router, then via PPPoE to your ISP, which may then use other protocols (ATM etc) to send the IP packet on to its destination. So the Ethernet packet (or "frame" in Ethernet-speak) with the MAC address only exists between your computer and the router; only its contents (ie. the IP packet) are forwarded on to your ISP.

1. DNS has nothing to do with it.

2. Like mentioned before it's a layer 2 vs layer 3 thing. Hubs (layer 1) will forward all traffic to all ports (why they're bad), switches (layer 2) forward based on MAC (hence arping), router (layer 3) forward based on IP address. When you use IP addresses the lower levels of the OSI model are still used, just behind the scenes.

The thing to keep in mind is that ARPs and mac addresses are only known inside the broadcast domain of the network segment you're on. So if you're trying to talk to a machine in your subnet/vlan, or more specifically in your broadcast domain your machine arps for it, "Who has" And will say "ME, my address is this...". If you're talking to a computer outside your network (say you want to load google's website) your computer will logically AND the destination IP with its subnet mask to tell if it's in the same network. If not, it'll ARP for the default gateway,  get the GW MAC and address the packets with the Google's destination IP address but the default GW's MAC. This way the packet will get sent do the default gateway. The GW will receive the packet see it'sMAC but not its IP, so it knows it has to forward it along. It does the same thing and ARPs for its default gateway sending it along until it gets to a router who knows where google is and sends it that direction.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.