Linux networking: arp versus ip neighbour
Address resolution protocol, aka ARP, is a communication protocol used in IPv4 networks. It was developed in 1982 and has been a staple in most networks since that time. The same functionality exists for IPv6 networks in the Neighbor Discovery Protocol (NDP). In short, the protocol translates a machine's IP address into its physical address or Media Access Control (MAC) address. ARP functions with a cache or table that can be manipulated by the user to add or remove addresses. If the destination address is already in this cache, then the protocol is not needed, and the information can be sent to the desired host.
The arp
command allows users to manipulate the neighbor cache or ARP table. It is contained in the Net-tools
package along with many other notable networking commands (such as ifconfig
). The arp
command has since been replaced by the ip neighbour
command. The ip
command suite was introduced in Linux 2.2. It contains many options for accomplishing these same tasks. Let's take a look at the functionality that is offered by each of these programs.
*Note that I am running these examples on a virtual machine so your output may vary in content, but the framework should be the same*
The old
The arp
command has as many options as you would expect from a Linux networking tool. I am not going to cover them all. However, we will look at the basics and the information that is provided in each.
Displaying entries
Using the arp
command without any additional options lists the current contents of the ARP cache.
[tcarrigan@rhel ~]$ arp
Address HWtype HWaddress Flags Mask Iface
_gateway ether 51:53:00:17:34:09 C enp0s3
You should notice the following columns: Address
, HWtype
, HWaddress
, Flags
, Mask
, and Iface
. On my system, the Address
is _gateway
, however on most systems, you see IPv4 address listed (192.168.0.1 or the like). The HWtype
is specified as ether
(Ethernet), and the HWaddress
is the translated MAC address. The Flags
field indicates if the address has been learned, manually set by the user, published, or is incomplete. IFace
is simply the name of the interface that is listed.
Display entries for a specific interface
To see all arp
entries for a particular interface, you would use the following:
[tcarrigan@rhel ~]$ arp -i bondX
Display entries for a specific address
To see all arp
entries for a particular address, use the following:
[tcarrigan@rhel ~]$ arp -a 192.168.0.1
Adding a new entry
To add an entry (permanently) to the cache, use the -s
option. You need to specify the IP and MAC addresses, as well as the interface. Seen here:
[tcarrigan@rhel ~]$ arp -s 192.168.0.1 -i ethX 51:53:00:17:34:09
Removing an entry
To remove an entry from the arp
cache, simply use the -d
flag, followed by the IP address you wish to remove. Seen here:
[tcarrigan@rhel ~]$ arp -d 192.168.0.1
The new
The ip neigh
(you can use neigh, neighbor, or neighbour - they're all equivalent) command allows the user to manipulate the arp
cache in the same way as before. However, the method is a little different this time. Let's take a look at some of the functionality with the new ip neigh
command suite.
Displaying entries
To display the current entries in the arp
table, use the following:
[tcarrigan@rhel ~]$ ip neigh show
192.168.0.1 dev enp0s3 lladdr 51:53:00:17:34:09 REACHABLE
Things to note here are the IP address, interface name, MAC address, and the system state. System state is the big change here, and it can range from reachable, permanent, stale, and delay. Check online for more info on these states.
Adding a new entry
To add a new entry to the table using the ip
command, use the following:
[tcarrigan@rhel ~]$ ip neigh add 192.168.0.1 dev ethX
Removing an entry
To delete an existing entry from the table, use the following:
[tcarrigan@rhel ~]$ ip neigh del 192.168.0.1 dev ethX
This is the way?
So, now that you have seen both command suites in action, what is your take on it? Which do you prefer and why? At this point, I still prefer the arp
command suite for its robust feature set. I feel as though I can do more with it. However, I do think that the command syntax and structure is easier with the ip
command.
If you can't decide between the two, keep in mind that the net-tools
package from which the arp
command originates is no longer actively developed, and most of those tools have been deprecated in favor of their ip
equivalents, so even if you're familiar with the older tool it may be a good idea to learn the new one before your older option disappears.
Feel free to write a response piece to this article and email it to the team! We would love to hear from you.
[ Want more for your network? Download a free ebook on network automation with Ansible. ]
Tyler Carrigan
Tyler is the Sr. Community Manager at Enable Sysadmin, a submarine veteran, and an all-round tech enthusiast! He was first introduced to Red Hat in 2012 by way of a Red Hat Enterprise Linux-based combat system inside the USS Georgia Missile Control Center. More about me