How to Add a Static ARP Entry in Batch Script

In a standard network, IP addresses and MAC addresses are dynamically mapped through ARP (Address Resolution Protocol). However, for security-sensitive environments or fixed hardware setups, you may want to bind an IP to a specific physical hardware address permanently. This creates a static ARP entry, which prevents another device from claiming that IP address and mitigates ARP spoofing attacks where a malicious actor tries to intercept your traffic by impersonating a legitimate device.

This guide will explain how to use the arp and netsh commands to create static network mappings in a Batch script.

The Tool: ARP -S vs. NETSH

There are two ways to add a static entry. The traditional arp -s command is simple but has a significant limitation: entries added with arp -s are lost on reboot. The netsh interface ipv4 add neighbors command is more robust, as it allows you to specify exactly which network interface should hold the mapping, and its entries persist across reboots by default.

Method 1: The Traditional ARP -S Command

The syntax is arp -s [IPAddress] [MACAddress]. This method is quick for temporary entries but does not survive a reboot.

@echo off
setlocal

set "TargetIP=192.168.1.50"
set "TargetMAC=00-11-22-33-44-55"

rem --- Admin check: modifying the ARP table requires elevation ---
net session >nul 2>&1
if %errorlevel% neq 0 (
echo [ERROR] This script must be run as Administrator.
endlocal
pause
exit /b 1
)

rem --- Validate MAC format (basic check for hyphens) ---
echo %TargetMAC% | findstr /r /c:"^[0-9a-fA-F][0-9a-fA-F]-[0-9a-fA-F][0-9a-fA-F]-" >nul 2>&1
if %errorlevel% neq 0 (
echo [ERROR] Invalid MAC address format: %TargetMAC%
echo [INFO] Use hyphen-separated format: 00-11-22-33-44-55
endlocal
pause
exit /b 1
)

echo [ARP] Adding static mapping: %TargetIP% -^> %TargetMAC%

rem --- Remove any existing entry to prevent "already exists" errors ---
arp -d %TargetIP% >nul 2>&1

arp -s %TargetIP% %TargetMAC%

if %errorlevel% equ 0 (
echo [SUCCESS] Static entry added.
echo [WARN] This entry will be lost on reboot.
echo [WARN] For persistent entries, use Method 2 (netsh).
) else (
echo [ERROR] Failed to add static ARP entry.
echo [INFO] On modern Windows versions, arp -s may fail.
echo [INFO] Use Method 2 (netsh) instead.
)

rem --- Verify the entry ---
echo.
echo [VERIFY] Current ARP entry for %TargetIP%:
arp -a | findstr /c:" %TargetIP% "

endlocal
pause

Persistence limitation: Static entries added with arp -s exist only in memory and are lost when the computer restarts. On some modern Windows versions (Windows 10/11), arp -s may also fail entirely due to changes in how the network stack handles static entries. The netsh method (Method 2) is recommended for all current Windows versions.

Method 2: The NETSH Interface IPv4 Command

The netsh interface ipv4 add neighbors command is more reliable on modern Windows, allows you to target a specific network adapter, and creates entries that persist across reboots by default. The command name, parameters, and behavior are language-independent.

@echo off
setlocal

set "Adapter=Ethernet"
set "TargetIP=192.168.1.10"
set "TargetMAC=aa-bb-cc-dd-ee-ff"

rem --- Admin check ---
net session >nul 2>&1
if %errorlevel% neq 0 (
echo [ERROR] This script must be run as Administrator.
endlocal
pause
exit /b 1
)

rem --- Verify the specified adapter exists ---
netsh interface ipv4 show interfaces 2>nul | findstr /i /c:"%Adapter%" >nul 2>&1
if %errorlevel% neq 0 (
echo [ERROR] Adapter "%Adapter%" not found.
echo [INFO] Available interfaces:
netsh interface ipv4 show interfaces
endlocal
pause
exit /b 1
)

echo [ARP] Binding %TargetIP% to %TargetMAC% on "%Adapter%"...

rem --- Remove any existing entry to prevent "already exists" errors ---
netsh interface ipv4 delete neighbors "%Adapter%" "%TargetIP%" >nul 2>&1

rem --- Add the static neighbor entry ---
netsh interface ipv4 add neighbors "%Adapter%" "%TargetIP%" "%TargetMAC%"

if %errorlevel% equ 0 (
echo [SUCCESS] Static ARP entry added.
echo [INFO] This entry persists across reboots.
) else (
echo [ERROR] Failed to add static ARP entry.
echo [INFO] Verify the adapter name and IP/MAC format.
)

rem --- Verify the entry ---
echo.
echo [VERIFY] ARP entry for %TargetIP%:
arp -a | findstr /c:" %TargetIP% "

endlocal
pause

Finding adapter names: Run netsh interface ipv4 show interfaces to see all available network adapters and their names. Common names include Ethernet, Wi-Fi, Ethernet 2, or Local Area Connection. Adapter names are either user-defined or Windows defaults; they are not translated by the display language.

Method 3: Securing the Default Gateway

One of the most important security applications of static ARP is binding your default gateway's IP to its real MAC address. This prevents ARP spoofing attacks where an attacker impersonates your router to intercept all your traffic (man-in-the-middle attack).

@echo off
setlocal enabledelayedexpansion

set "Adapter=Ethernet"

rem --- Admin check ---
net session >nul 2>&1
if %errorlevel% neq 0 (
echo [ERROR] This script must be run as Administrator.
endlocal
pause
exit /b 1
)

rem --- Detect the default gateway IP from the IPv4 routing table ---
rem --- The default route has destination 0.0.0.0 and netmask 0.0.0.0. ---
rem --- In "route print -4" column 3 is the gateway and column 5 the metric. ---
rem --- If several default routes exist, keep the one with the lowest metric. ---
set "GatewayIP="
set "BestMetric=2147483647"
for /f "tokens=3,5" %%a in ('route print -4 2^>nul ^| findstr /r /c:"^ *0\.0\.0\.0  *0\.0\.0\.0 "') do (
rem --- Persistent-route rows have only four columns, so %%b is empty there ---
if not "%%b"=="" if %%b lss !BestMetric! (
set "GatewayIP=%%a"
set "BestMetric=%%b"
)
)

if not defined GatewayIP (
echo [ERROR] Could not detect default gateway.
endlocal
pause
exit /b 1
)

echo [INFO] Detected gateway: !GatewayIP!

rem --- Get the current MAC address for the gateway from the ARP cache ---
rem --- Ping first to ensure the entry exists ---
ping -n 1 -w 1000 !GatewayIP! >nul 2>&1

set "GatewayMAC="
for /f "tokens=1,2" %%a in ('arp -a ^| findstr /c:" !GatewayIP! "') do (
set "GatewayMAC=%%b"
)

if not defined GatewayMAC (
echo [ERROR] Could not find MAC address for gateway !GatewayIP!
echo [INFO] The gateway may be unreachable.
endlocal
pause
exit /b 1
)

echo [INFO] Gateway MAC: !GatewayMAC!
echo.
echo [SECURITY] Binding gateway !GatewayIP! to !GatewayMAC! on "%Adapter%"...

rem --- Remove existing entry ---
netsh interface ipv4 delete neighbors "%Adapter%" "!GatewayIP!" >nul 2>&1

rem --- Add static entry ---
netsh interface ipv4 add neighbors "%Adapter%" "!GatewayIP!" "!GatewayMAC!"

if %errorlevel% equ 0 (
echo [SUCCESS] Gateway is now protected with a static ARP entry.
echo [INFO] ARP spoofing attacks targeting this gateway will be blocked.
) else (
echo [ERROR] Failed to secure the gateway.
)

rem --- Verify ---
echo.
echo [VERIFY] Gateway ARP entry:
arp -a | findstr /c:" !GatewayIP! "

endlocal
pause

Important: This script reads the gateway's current MAC address from the ARP cache and makes it static. You should only run this when you are confident the ARP cache is clean (i.e., not already poisoned). On a freshly booted machine connected to a trusted network, the MAC in the cache is authentic.

Why Use Static ARP?

  • Security: Prevents ARP poisoning/spoofing attacks on the local network segment. By binding your gateway's MAC address statically, attackers cannot redirect your traffic through their machine.
  • Reliability: Ensures consistent connectivity to specialized hardware (industrial PLCs, medical devices, older printers) that may not respond reliably to dynamic ARP requests.
  • Speed: Eliminates the brief delay on first connection when the machine would normally broadcast an ARP request and wait for a reply.

How to Avoid Common Errors

Wrong Way: Using Colons Instead of Hyphens

Windows expects MAC addresses with hyphen separators. The colon format used by Linux and macOS will cause the command to fail or misinterpret the address.

rem *** BAD - colons are not accepted by Windows arp/netsh ***
arp -s 192.168.1.50 00:11:22:33:44:55

Correct Way: Always use hyphens.

rem *** GOOD - hyphen-separated format ***
arp -s 192.168.1.50 00-11-22-33-44-55

Wrong Way: Not Specifying the Interface

On machines with multiple adapters, arp -s may apply the entry to the wrong interface, or it may fail entirely because the system cannot determine which interface to use.

rem *** RISKY - ambiguous on multi-adapter machines ***
arp -s 192.168.1.50 00-11-22-33-44-55

Correct Way: Use the netsh method with an explicit adapter name.

rem *** GOOD - explicit interface ***
netsh interface ipv4 add neighbors "Ethernet" "192.168.1.50" "00-11-22-33-44-55"

Wrong Way: Not Removing Existing Entries First

If a static or dynamic entry already exists for the target IP, adding a new one may produce an "object already exists" error.

rem *** BAD - fails if entry already exists ***
netsh interface ipv4 add neighbors "Ethernet" "192.168.1.50" "00-11-22-33-44-55"

Correct Way: Delete the existing entry first, suppressing errors if it does not exist.

rem *** GOOD - clean slate ***
netsh interface ipv4 delete neighbors "Ethernet" "192.168.1.50" >nul 2>&1
netsh interface ipv4 add neighbors "Ethernet" "192.168.1.50" "00-11-22-33-44-55"

Wrong Way: Running Without Administrator Privileges

Both arp -s and netsh interface ipv4 add neighbors require elevation. Without it, the command fails with an "access denied" or "requested operation requires elevation" error.

Correct Way: Always check for admin rights at the start of the script.

Best Practices and Rules

1. Use netsh Over arp -s on Modern Windows

The arp -s command has limitations on modern Windows versions, as it does not persist across reboots and may fail entirely on Windows 10/11. The netsh interface ipv4 add neighbors command is the supported, reliable alternative.

2. Persistence Comparison

Method                              | Survives Reboot | Multi-Adapter Support
------------------------------------+-----------------+-------------------------
arp -s                              | No              | Limited
netsh interface ipv4 add neighbors  | Yes             | Yes (explicit interface)

3. Always Verify After Adding

After adding a static entry, run arp -a | findstr /c:" targetIP " to confirm the entry appears and is marked as static. A successful errorlevel from the add command does not always guarantee the entry is active.
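The following is an added example, not code from the original page, that ties this rule to the caveat under Method 3: instead of trusting whatever MAC is in the cache, it compares the live entry against a known-good gateway MAC recorded earlier on a trusted network, refuses to bind on a mismatch, and after binding checks that the entry is actually listed as static rather than relying on the add command's errorlevel. The adapter name, gateway IP and known-good MAC are placeholder assumptions.

```batch
@echo off
setlocal enabledelayedexpansion

rem Added example (not from the original page). Placeholders, adjust to your
rem network: the adapter name, the gateway IP and the MAC you recorded for it
rem earlier on a trusted network (the "known-good" value).
set "Adapter=Ethernet"
set "GatewayIP=192.168.1.1"
set "KnownGoodMAC=aa-bb-cc-dd-ee-01"

net session >nul 2>&1
if %errorlevel% neq 0 (
echo [ERROR] This script must be run as Administrator.
exit /b 1
)

rem --- Read the live cache entry for the gateway: columns are IP, MAC, type ---
ping -n 1 -w 1000 %GatewayIP% >nul 2>&1
set "LiveMAC="
for /f "tokens=1,2" %%a in ('arp -a ^| findstr /c:" %GatewayIP% "') do set "LiveMAC=%%b"

if not defined LiveMAC (
echo [ERROR] No ARP entry for %GatewayIP%. Is the gateway reachable?
exit /b 1
)

rem --- Compare against the recorded value instead of trusting the cache ---
rem --- A mismatch is what a poisoned cache looks like, so stop here ---
if /i not "!LiveMAC!"=="%KnownGoodMAC%" (
echo [ALERT] Cached MAC !LiveMAC! differs from known-good %KnownGoodMAC%.
echo [ALERT] Not binding. Investigate the network before re-running.
exit /b 2
)

rem --- Bind the known-good MAC, not the cached one ---
netsh interface ipv4 delete neighbors "%Adapter%" "%GatewayIP%" >nul 2>&1
netsh interface ipv4 add neighbors "%Adapter%" "%GatewayIP%" "%KnownGoodMAC%"

rem --- Verify the entry exists AND is typed static, errorlevel alone is not enough ---
arp -a | findstr /c:" %GatewayIP% " | findstr /i /c:"static" >nul
if %errorlevel% neq 0 (
echo [ERROR] Entry for %GatewayIP% is missing or still dynamic.
exit /b 3
)
echo [SUCCESS] %GatewayIP% pinned to %KnownGoodMAC% and listed as static.
endlocal
```

Record the known-good MAC once from the router's own label or admin page, not from the ARP cache, and treat a non-zero exit code of 2 as a signal worth investigating rather than retrying.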

4. Secure Your Gateway First

The most impactful use of static ARP is protecting the default gateway. This single entry blocks the most common form of local network attack (gateway impersonation).

5. The arp and netsh Commands Are Language-Independent

The command names, flags, and parameters are identical across all Windows display languages. MAC address format (hyphen-separated hex pairs) and IP address format are also universal. Only descriptive output text is translated.

6. Use setlocal / endlocal

Always wrap scripts in setlocal and endlocal to prevent variables from leaking into the parent environment.

Final Thoughts

Adding static ARP entries is a powerful way to harden your network configuration against spoofing attacks and ensure reliable communication with fixed-address devices.

The netsh interface ipv4 add neighbors command is the recommended method for modern Windows, as it supports explicit interface targeting, persists across reboots, and works reliably where arp -s may not.

By combining this with pre-checks (admin rights, adapter verification, existing entry cleanup) and post-verification, you build a robust script that locks down the physical-layer identity of critical network devices.