Understanding and Managing ARP Cache in Linux: A Complete Technical Guide
- Siddhesh Kadam

- Jan 2

Managing the ARP cache effectively is essential for maintaining smooth network communication on Linux systems. Both Red Hat Enterprise Linux (RHEL) and Rocky Linux rely on the Address Resolution Protocol (ARP) to map IP addresses to MAC addresses within a local network. Understanding how to view, modify, and clear the ARP cache can help troubleshoot network issues, improve security, and optimize system performance.
This post explores ARP cache management on RHEL and Rocky Linux, providing practical command examples and explanations to help system administrators and Linux enthusiasts handle ARP entries confidently.
What Is ARP Cache and Why It Matters
The ARP cache stores mappings between IP addresses and their corresponding MAC addresses. When a Linux system needs to communicate with another device on the same local network, it uses ARP to resolve the IP address to a MAC address. The resolved address is cached to speed up future communications.
Key reasons to manage ARP cache:
- Troubleshooting connectivity issues: Stale or incorrect ARP entries can cause communication failures.
- Security: ARP spoofing attacks manipulate ARP cache entries, leading to man-in-the-middle attacks.
- Performance: Efficient cache management reduces unnecessary ARP requests and network traffic.
On RHEL and Rocky Linux, the ARP cache is maintained by the kernel and can be viewed and manipulated using standard Linux networking tools.
Viewing the ARP Cache
To check the current ARP cache entries, you can use the `ip` or `arp` commands.
Using the ip command
The ip command is the modern and preferred tool for network management.
[root@siddhesh ~]# ip neigh show
192.168.1.1 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
192.168.1.100 dev eth0 lladdr 00:1f:2e:3d:4c:5b STALE
This output shows IP addresses, the network interface, MAC addresses, and the state of each ARP entry.
Using the arp command
The arp command is older but still widely used.
[root@siddhesh ~]# arp -n
Address          HWtype  HWaddress          Flags Mask  Iface
192.168.1.1      ether   00:1a:2b:3c:4d:5e  C           eth0
192.168.1.100    ether   00:1f:2e:3d:4c:5b  C           eth0
The -n option prevents hostname resolution, showing raw IP addresses.
Understanding ARP Cache Entry States
ARP entries have different states that indicate their validity and freshness:
- REACHABLE: The entry is valid and recently confirmed.
- STALE: The entry is old but still usable; the system will verify it soon.
- DELAY: The system is waiting before verifying the entry.
- PROBE: The system is actively verifying the entry.
- FAILED: The entry is invalid or unreachable.
Knowing these states helps in diagnosing network problems.
Adding Static ARP Entries
Static ARP entries are manually added and do not expire. They are useful for devices with fixed IP-MAC mappings or for security purposes.
Adding a static ARP entry with ip
[root@siddhesh ~]# ip neigh add 192.168.1.200 lladdr 00:11:22:33:44:55 dev eth0 nud permanent
This command adds a permanent ARP entry for IP 192.168.1.200 with the specified MAC address on interface eth0.
Verifying the static entry
[root@siddhesh ~]# ip neigh show 192.168.1.200
192.168.1.200 dev eth0 lladdr 00:11:22:33:44:55 PERMANENT
Adding a static ARP entry with arp
[root@siddhesh ~]# arp -s 192.168.1.200 00:11:22:33:44:55 -i eth0
Deleting ARP Cache Entries
Removing outdated or incorrect ARP entries can resolve network issues.
Deleting an entry with ip
[root@siddhesh ~]# ip neigh del 192.168.1.100 dev eth0
Deleting an entry with arp
[root@siddhesh ~]# arp -d 192.168.1.100 -i eth0
Flushing the Entire ARP Cache
Sometimes clearing the entire ARP cache is necessary, especially after network changes or to remove suspicious entries.
Using ip to flush ARP cache
[root@siddhesh ~]# ip neigh flush all
This command removes all ARP entries, forcing the system to rebuild the cache.
Using ip to flush ARP cache for a specific interface
[root@siddhesh ~]# ip neigh flush dev eth0
Configuring ARP Cache Parameters
Linux allows tuning ARP cache behavior through the `/proc/sys/net/ipv4/neigh/` directory.
Viewing current ARP cache settings
[root@siddhesh ~]# cat /proc/sys/net/ipv4/neigh/eth0/gc_stale_time
60
This value is the time in seconds before an ARP entry is considered stale.
Adjusting ARP cache timeout
To change the stale time to 120 seconds:
[root@siddhesh ~]# echo 120 > /proc/sys/net/ipv4/neigh/eth0/gc_stale_time
To make this change persistent across reboots, add the following line to /etc/sysctl.conf:
net.ipv4.neigh.eth0.gc_stale_time = 120
Then reload sysctl settings:
[root@siddhesh ~]# sysctl -p
Detecting and Preventing ARP Spoofing
ARP spoofing attacks manipulate ARP cache entries to intercept or disrupt network traffic. Monitoring ARP cache and using static entries for critical devices can reduce risks.
Checking for suspicious ARP entries
Look for multiple IPs with the same MAC address or unexpected MAC addresses.
[root@siddhesh ~]# ip neigh show
If you find suspicious entries, remove them immediately.
Using tools for ARP spoofing detection
Tools like arpwatch can monitor ARP traffic and alert on changes.
[root@siddhesh ~]# yum install arpwatch
[root@siddhesh ~]# systemctl start arpwatch
Run arpwatch manually (for testing)
[root@siddhesh ~]# arpwatch -i eth0
Monitor a specific interface (example: eth0 or ens192)
Summary:
ARP (Address Resolution Protocol) plays a critical role in mapping IP addresses to MAC addresses within a local network. Proper management of the ARP cache is essential for ensuring reliable connectivity, maintaining performance, and protecting systems from network-based attacks such as ARP spoofing.
On RHEL and Rocky Linux, administrators can view and manage ARP entries using tools like ip and arp. The modern and recommended approach is the ip neigh command, which displays ARP entries along with their states such as REACHABLE, STALE, DELAY, and FAILED.



















