Skip to content

MAC Addresses & ARP

MAC Addresses

A MAC (Media Access Control) address is a 48-bit hardware address burned into a network interface, written as 6 hex octets:

AC:DE:48:00:11:22
  • First 3 octets (AC:DE:48) — the OUI (Organizationally Unique Identifier), assigned to the manufacturer
  • Last 3 octets (00:11:22) — unique to that specific interface

MAC addresses operate at Layer 2 and only have meaning within a single broadcast domain — they never cross a router. This is the Layer 2 counterpart to the Layer 3 IP addressing covered in IP Subnetting.

How Switches Learn MAC Addresses

A switch builds a MAC address table (also called a CAM table — Content Addressable Memory) by watching the source MAC address of every frame it receives on each port:

  1. Frame arrives on Gi0/1 with source MAC AC:DE:48:00:11:22
  2. Switch records: "AC:DE:48:00:11:22 is out Gi0/1"
  3. Future frames destined for that MAC are forwarded only out Gi0/1, instead of flooding every port

If the destination MAC isn't yet in the table, the switch floods the frame out every port in that VLAN except the one it arrived on (this is why Port Security matters — an attacker flooding fake source MACs can exhaust the table and force the switch into flooding everything, defeating the point of switching).

show mac address-table              ! View the full MAC address table
show mac address-table interface Gi0/1   ! MACs learned on a specific port

ARP (Address Resolution Protocol)

ARP resolves an IP address to the MAC address needed to actually deliver a frame on the local segment — IP routing gets a packet to the right subnet, but Layer 2 delivery still needs a MAC address.

ARP Request/Reply

  1. Host A wants to reach 10.0.10.5 but only knows the IP, not the MAC
  2. Host A broadcasts an ARP request: "Who has 10.0.10.5? Tell 10.0.10.1" (sent to the broadcast MAC FF:FF:FF:FF:FF:FF, so every device on the segment receives it)
  3. The device with that IP replies directly (unicast) with an ARP reply containing its MAC address
  4. Host A caches the result in its ARP table and uses it for subsequent frames
show arp          ! View the switch/router's ARP table (IP-to-MAC mappings)

Gratuitous ARP

A device can broadcast an unsolicited ARP reply for its own IP (a "gratuitous ARP") — used to announce a new IP, update other devices' stale ARP caches after a failover, or detect IP conflicts (if another device replies, that IP is already in use).

ARP Spoofing

Because ARP has no built-in authentication, a malicious device can reply to ARP requests it wasn't asked to answer, claiming to own an IP it doesn't — redirecting traffic through itself (a classic man-in-the-middle technique). This is exactly what Dynamic ARP Inspection is built to prevent, by validating ARP replies against the DHCP snooping binding table.