A router uses ARP (Address Resolution Protocol) whenever it needs to deliver a packet to the next device in the path but only knows that device’s IP address, not its hardware (MAC) address. This happens every time a router forwards a packet out of one of its interfaces onto an Ethernet network. Without ARP, the router would know where to send the packet logically but have no way to actually put it on the wire.
How Packet Forwarding Triggers ARP
When a packet arrives at a router, the router reads the destination IP address in the packet’s header and checks its routing table for a match. The routing table tells the router two things: which physical interface to send the packet out of, and the IP address of the next hop (either another router or the final destination). At this point, the router knows the IP address it needs to reach on the local link, but Ethernet frames require a MAC address to actually deliver data. That’s where ARP comes in.
The router checks its ARP cache, a short-term table that maps IP addresses to MAC addresses. If the needed IP address is already in the cache, the router rewrites the frame’s destination MAC to that address, swaps the source MAC to its own, and sends the packet on its way. If there’s no cache entry, the router broadcasts an ARP request on the local network segment, essentially asking “Who has this IP address? Tell me your MAC address.” The device with that IP responds with its MAC, the router stores the result in its cache, and the packet gets forwarded.
Delivering to a Device on a Local Subnet
The simplest case is when the destination device sits on a network directly connected to one of the router’s interfaces. If a packet arrives destined for 192.168.1.50, and the router has an interface on the 192.168.1.0/24 subnet, the routing table says “this address is directly reachable.” The router then ARPs for 192.168.1.50 itself, asking the end device for its MAC address. The route entry points to the interface without specifying a separate next hop, so the router treats the packet’s final destination IP as the ARP target.
This is common in small office and home networks where the router is the gateway for all local devices. Every time a device on one subnet sends traffic to a device on another subnet connected to the same router, the router ARPs for the destination host’s MAC on the outgoing interface.
Resolving the Next-Hop Router’s MAC
In larger networks with multiple routers, the destination is usually not on a directly connected subnet. The routing table instead points to a next-hop IP address, typically another router. The forwarding router needs the MAC address of that next-hop router, not the final destination, because Ethernet only works one link at a time.
So if Router A needs to forward a packet through Router B (next hop 10.0.0.2), Router A sends an ARP request on the shared link asking for the MAC address associated with 10.0.0.2. Router B replies, Router A caches the result, and subsequent packets headed through Router B skip the ARP step entirely until the cache entry expires. On Cisco routers, ARP cache entries last four hours (240 minutes) by default, though this is configurable per interface.
This next-hop resolution is by far the most frequent use of ARP on backbone and enterprise routers. A core router might have dozens of next-hop entries, each resolved and cached through ARP.
Proxy ARP: Answering on Behalf of Other Hosts
Sometimes a router doesn’t just send ARP requests. It answers them, too, on behalf of devices that aren’t on the local network. This is called Proxy ARP. When a host on one subnet sends an ARP request for an IP address that’s actually on a different subnet, the router can respond with its own MAC address, effectively saying “send the traffic to me and I’ll forward it.”
Proxy ARP is useful in networks where hosts aren’t configured with a default gateway or lack any routing intelligence. The hosts think they’re communicating directly with the remote device, but the router silently intercepts and forwards the traffic. It’s enabled by default on many Cisco routers, though modern networks with properly configured gateways rarely depend on it.
When ARP Requests Become a Problem
ARP requests are broadcast frames, meaning every device on the local network segment has to process them. In normal operation this is trivial. But in certain failure scenarios or attacks, the volume of ARP broadcasts can spike dramatically.
A flood of ARP requests doesn’t just affect the targeted device. Research on ARP-based denial-of-service attacks has shown that massive ARP traffic exhausts CPU and memory resources on every device sharing the same network segment, not just the intended victim. For routers, this means the processor that handles ARP (which typically runs in software, not in the fast-forwarding hardware path) can become overwhelmed, slowing down all routing functions.
Network administrators can mitigate this by setting threshold limits for broadcast traffic on a per-port basis at the switch level, and by configuring rate limits on the router to cap how many ARP requests it will process per second for each connected network segment.
IPv6 Networks Use a Different Mechanism
ARP is strictly an IPv4 protocol. IPv6 replaces it with Neighbor Discovery Protocol (NDP), which accomplishes the same goal of mapping IP addresses to MAC addresses but works differently under the hood.
Instead of broadcasting a request to every device on the segment, IPv6 routers and hosts send a Neighbor Solicitation message to a special multicast address derived from the target’s IP. Only devices listening on that specific multicast group process the message, which significantly reduces unnecessary traffic. The target responds with a Neighbor Advertisement containing its MAC address.
NDP also bundles several other functions that IPv4 handles through separate protocols. Router Advertisement messages in IPv6 include the router’s own MAC address, so hosts learn it automatically without a separate address resolution step. IPv6 routers also use NDP for redirect messages and for helping hosts discover available routers on the link. If your network runs dual-stack (both IPv4 and IPv6), your router uses ARP for IPv4 traffic and NDP for IPv6 traffic simultaneously on the same interfaces.