How to: Use ARP commands to bind IP addresses and MAC addresses

Source: Internet
Author: User

Source: ISA Chinese site

ISA Server does not provide MAC address control function, why? This is because the MAC address can only be used in the local network. When a packet crosses the router, the source MAC address of the host in the packet will be replaced by the MAC address of the router's outbound interface, in this case, MAC address control is not applicable. Therefore, enterprise-level hardware or software firewalls do not provide MAC address control functions.

However, Microsoft has long considered this. In Windows, if you have installed the TCP/IP network protocol component, You can execute the command arp. The ARP command is used to view the local ARP cache, statically bound IP addresses and MAC addresses, and delete static bindings. In fact, the intention of binding IP addresses and MAC addresses is to reduce ARP broadcast traffic, but this function can be used to control the use of IP addresses.

Here, I will briefly describe how ARP works in windows. Address Resolve Protocol (ARP) works on the Layer 2-data link layer of TCP/IP protocol, which is used to convert IP addresses into hardware addresses of network interfaces (Media Access Control addresses, MAC address ). Communication of any high-level protocol will eventually be converted into communication of the hardware address at the data link layer. Each host has an ARP cache list for caching MAC addresses. You can use the ARP-A or ARP-G command to view the current ARP cache list. The ARP cache list is dynamically updated. By default, when the cache entry exceedsTwo minutesWhen there is no activity, this cache item will be deleted timeout. You can use ARP-s to statically bind IP addresses and MAC addresses. However, in Windows systems before Windows Server 2003 and XP, even if you set static MAC Address binding items, the bound items will also be updated by receiving data packets from other hosts. In Windows Server 2003 and XP, static binding items are not dynamically updated until the TCP/IP protocol is terminated, for example, restarting the computer. If you want to create a permanent static MAC Address binding item, you can write a script file to execute ARP static binding, and then use the scheduled task to execute this script when starting the computer.

For example, if host a's IP address is and needs to communicate with host B whose IP address is, perform the following actions:

  1. Host a queries its own ARP cache list. If it finds a MAC address entry corresponding to the destination IP address, it constructs and sends an Ethernet packet using this MAC address entry, if no corresponding MAC address is found, proceed to the next step;

  2. Host a sends an ARP resolution request broadcast. The target MAC address is FF: FF. The request IP address is and the host replies to the MAC address;

  3. After receiving the ARP resolution request broadcast, host B replies to host a with an ARP response packet, which includes its own IP address and MAC address;

  4. After receiving the ARP reply from host B, A puts the MAC address of host B into its own ARP cache list, and then uses the MAC address of host B as the destination MAC address, host B's IP address ( serves as the destination IP address to construct and send Ethernet packets;

  5. If host a still sends data packets to, host a uses this MAC address to send data packets directly because the IP address already exists in the ARP cache list, instead of sending ARP resolution request broadcasts. When the cached address item is not active for more than two minutes (unused), the ARP cache will be deleted after timeout.

By default, the ARP cache timeout period is two minutes. You can modify it in the registry. Two key values that can be modified are located


Modified key value:

Key value 1: arpcachelife; Type: DWORD; Unit: Second; default value: 120

Key Value 2: arpcacheminreferencedlife; Type: DWORD; Unit: seconds; default value: 600

Note: These key values do not exist by default. If you want to modify them, you must create them by yourself. The modification takes effect after you restart the computer.

If the value of arpcachelife is greater than that of arpcacheminreferencedlife, set the ARP cache timeout value to the value of arpcachelife. If the value of arpcachelife does not exist or is smaller than that of arpcacheminreferencedlife, for unused ARP caches, the timeout value is set to 120 seconds. For ARP caches in use, the timeout value is set to the value of arpcacheminreferencedlife.



The TCP/IP Settings of each computer are as follows. This test does not involve DNS resolution. The DNS servers of each server are set to null. Before the test, the network connection has been confirmed to work properly:

ISA 2004 Firewall:

LAN interface:

  • IP:

  • DG: None

  • Mac: 00: 03: 47: F4: FC: E7


True (offline ):

  • IP:

  • DG:

  • Mac: 00: 0d: 60: C3: 05: 34


Fake (change the IP address to ):

  • IP:

  • DG:

  • Mac: 00: 06: D0: 06: 05: 47



First, I use ARP-S on the ISA Server to bind a true IP address and a MAC address. Run the following command:

ARP-s 00-0d-60-c3-05-34

Run ARP-a to view the ARP cache list. The result is shown in. You can see that the IP address type in the ARP cache list is static, which indicates that it is a static item. In this case, the binding on the ISA Server is successful.




Now we are at the clientFake, Change your IP address to, and ping the ISA Server:

C:/Documents and Settings/admin> ipconfig/all

Windows IP configuration

Host Name ......: Anonymous
Primary DNS suffix .......:
Node Type ......: Unknown
IP routing enabled...: No
Wins proxy enabled...: No

Ethernet Adapter local connection:

Connection-specific DNS suffix .:
Description ......: Intel (r) Pro/100 ve network connection
Physical address ......: 00-06-d0-06-05-47
DHCP enabled...
IP address ......:
Subnet Mask ......:
Default Gateway...:
DNS servers ......:

C:/Documents and Settings/admin> Ping 2

Pinging with 32 bytes of data:

Request timed out.
Request timed out.

Ping statistics for
Packets: Sent = 2, received = 0, lost = 2 (100% loss ),


Ping timeout, why? The data packets captured from sniffer can be described more clearly:

Is the captured data packet, which describesFake( ping the whole process of


  1. BecauseFake(00: 06: D0: 06: 05: 47) There is no MAC address for, soFakeSend an ARP Address Resolution request broadcast and ask what the MAC address of is;
  2. ISA Server (00: 03: 47: F4: FC: E7) replies with ARPFake(00: 06: D0: 06: 05: 47), tellFakeYour own IP address ( and MAC address;
  3. After obtaining the MAC address of,Fake( Send the ping request packet to;
  4. replies Ping reply packet to;
  5. Fake( Send the ping request packet to again;
  6. replies Ping reply packet to again;

It seems that there is no problem? Why?FakePing will time out?

All of this indicates that there is no problem, but you will find the problem by carefully looking at the captured packet's Ethernet header:

First, let's look at the third packet,Fake( Ping request sent to, as shown in,FakeThere is no problem with sending data packets at the source MAC address and the MAC address of (00: 03: 47: F4: FC: E7.


So let's take a look at the ping reply packet from the fourth ISA Server. The source MAC address is the MAC address of the ISA Server (00: 03: 47: F4: FC: E7 ), this is fine, but check the target MAC address,00: 0d: 60: C3: 05: 34 is the true MAC address of the offline client.. Do you still remember to bind the IP address ( on the ISA Server to the MAC address? ISA server sends data directly using static binding items in its ARP cache, instead of using the source MAC address in the received Ping request packet as the destination address. Therefore, fake considers that the packet is not sent to itself and will not process the packet. Therefore, fake considers that the packet is timed out if no ping is returned.

Finally, we do not recommend binding static IP addresses to MAC addresses, which brings more management load. You can use the powerful authentication function of ISA Server and IP address management to achieve better results. Please do not ask me in the forum how to use ARP commands. Windows is the best teacher.

Original address: Sessid = & infoid = 264


Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.