Linux networking: arp versus ip neighbour
Address resolution protocol, aka ARP, is a communication protocol used in IPv4 networks. It was developed in 1982 and has been a staple in most networks since that time. The same functionality exists for IPv6 networks in the Neighbor Discovery Protocol (NDP). In short, the protocol translates a machine's IP address into its physical address or Media Access Control (MAC) address. ARP functions with a cache or table that can be manipulated by the user to add or remove addresses. If the destination address is already in this cache, then the protocol is not needed, and the information can be sent to the desired host.
arp command allows users to manipulate the neighbor cache or ARP table. It is contained in the
Net-tools package along with many other notable networking commands (such as
arp command has since been replaced by the
ip neighbour command. The
ip command suite was introduced in Linux 2.2. It contains many options for accomplishing these same tasks. Let's take a look at the functionality that is offered by each of these programs.
*Note that I am running these examples on a virtual machine so your output may vary in content, but the framework should be the same*
arp command has as many options as you would expect from a Linux networking tool. I am not going to cover them all. However, we will look at the basics and the information that is provided in each.
arp command without any additional options lists the current contents of the ARP cache.
[tcarrigan@rhel ~]$ arp Address HWtype HWaddress Flags Mask Iface _gateway ether 51:53:00:17:34:09 C enp0s3
You should notice the following columns:
Iface. On my system, the
_gateway, however on most systems, you see IPv4 address listed (192.168.0.1 or the like). The
HWtype is specified as
ether (Ethernet), and the
HWaddress is the translated MAC address. The
Flags field indicates if the address has been learned, manually set by the user, published, or is incomplete.
IFace is simply the name of the interface that is listed.
Display entries for a specific interface
To see all
arp entries for a particular interface, you would use the following:
[tcarrigan@rhel ~]$ arp -i bondX
Display entries for a specific address
To see all
arp entries for a particular address, use the following:
[tcarrigan@rhel ~]$ arp -a 192.168.0.1
Adding a new entry
To add an entry (permanently) to the cache, use the
-s option. You need to specify the IP and MAC addresses, as well as the interface. Seen here:
[tcarrigan@rhel ~]$ arp -s 192.168.0.1 -i ethX 51:53:00:17:34:09
Removing an entry
To remove an entry from the
arp cache, simply use the
-d flag, followed by the IP address you wish to remove. Seen here:
[tcarrigan@rhel ~]$ arp -d 192.168.0.1
ip neigh (you can use neigh, neighbor, or neighbour - they're all equivalent) command allows the user to manipulate the
arp cache in the same way as before. However, the method is a little different this time. Let's take a look at some of the functionality with the new
ip neigh command suite.
To display the current entries in the
arp table, use the following:
[tcarrigan@rhel ~]$ ip neigh show 192.168.0.1 dev enp0s3 lladdr 51:53:00:17:34:09 REACHABLE
Things to note here are the IP address, interface name, MAC address, and the system state. System state is the big change here, and it can range from reachable, permanent, stale, and delay. Check online for more info on these states.
Adding a new entry
To add a new entry to the table using the
ip command, use the following:
[tcarrigan@rhel ~]$ ip neigh add 192.168.0.1 dev ethX
Removing an entry
To delete an existing entry from the table, use the following:
[tcarrigan@rhel ~]$ ip neigh del 192.168.0.1 dev ethX
This is the way?
So, now that you have seen both command suites in action, what is your take on it? Which do you prefer and why? At this point, I still prefer the
arp command suite for its robust feature set. I feel as though I can do more with it. However, I do think that the command syntax and structure is easier with the
If you can't decide between the two, keep in mind that the
net-tools package from which the
arp command originates is no longer actively developed, and most of those tools have been deprecated in favor of their
ip equivalents, so even if you're familiar with the older tool it may be a good idea to learn the new one before your older option disappears.
Feel free to write a response piece to this article and email it to the team! We would love to hear from you.
[ Want more for your network? Download a free ebook on network automation with Ansible. ]