Network Tables: ARP, MAC, Routing

Every network connection consists of a physical and a logical connection between two endpoints. There is a source endpoint and a destination endpoint, with two separate unidirectional flows established between them. All network connectivity depends on constantly updated ARP tables, MAC address tables, routing tables and DNS tables. These tables consist of addresses and their associated interfaces, and all of them are required to forward packets between endpoints on different subnets.

The destination IP address is first resolved (learned) with a DNS request sent from the source endpoint, so that it can be written to the destination field of the IP header. Any network communication requires addressing that consists of the following fields for the source and destination endpoints. The source IP address and destination IP address do not change. Only the source MAC address and destination MAC address are rewritten at each router or Layer 3 hop.

  • Source MAC address
  • Destination MAC address
  • Source IP address
  • Destination IP address

MAC Address Table

The MAC address is a unique 48-bit hardware identifier assigned to the Ethernet interface of any host, including both wired and wireless interfaces. A unique MAC address is assigned to the Ethernet interfaces of network devices as well. It is used for Layer 2 frame forwarding and in ARP tables. Network switches build MAC address tables with entries consisting of a destination MAC address, port and VLAN membership. The MAC address is used to add a source and destination MAC address to each frame header.

[Figure: frame switching]

The MAC (physical) address of an Ethernet interface is 48 bits long and written in hexadecimal. The first 24 bits are the manufacturer OUI and the last 24 bits are a unique serial number (SN). The source MAC address belongs to a host endpoint or Layer 3 interface, and the destination MAC address is the MAC address of the next hop Layer 3 interface or of the host endpoint interface.

ARP Table

An ARP request is sent to learn the MAC address of a destination server after DNS has already resolved the server IP address. ARP requests are also sent for all connected neighbor devices. Only routers, Layer 3 switches, firewalls, and hosts create an ARP table. Layer 2 switches do not create an ARP table.

An ARP table is a list of MAC address (Layer 2) to IP address (Layer 3) bindings. ARP requests are broadcast on the shared local subnet. That is done to update (populate) each ARP table between source and destination. Remember that each router must know the destination MAC address of the next hop router to rewrite each frame. The following is a standard ARP table with MAC address and IP address associations.

Serial interfaces are exempt from ARP broadcasts since they do not use MAC addressing and the routers are directly connected (point-to-point). Ethernet is a broadcast (shared) network where ARP must resolve the MAC addresses of interfaces.

[Figure: ARP table]

Routing Table

Layer 3 network devices rewrite each frame with a new source MAC address and destination MAC address at every Layer 3 hop. That is done after a routing table lookup for the next hop address, based on the destination IP address. The packet is then routed to the next hop neighbor. ACL, QoS and NAT policies are also applied to packets as they ingress and egress network interfaces.


The last router does an ARP table lookup so that it can write the MAC address of the server into the destination MAC address field of the outbound frame. Layer 2 switches are never a MAC address destination. Switches only examine incoming frames and select a switch port for forwarding.

Layer 3 Per Hop Frame Rewrite

There is a routing table lookup on the last router that is based on the server subnet address. The next hop to the server subnet is a directly connected router interface. That is the local router interface where a Layer 2 switch is connected. The switch examines the destination MAC address of the arriving frame and does a MAC address table lookup for the switch port associated with the server MAC address. The frame is forwarded out of the local switch port where the server is connected.
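
The per-hop rewrite described in the Routing Table and Layer 3 Per Hop Frame Rewrite sections can be traced in a short Python model. This is an added example, not part of the original article; the two-router topology, the IP and MAC addresses, and the function names are constructed for illustration, and the route lookup uses longest-prefix match, the standard way routers choose among overlapping prefixes.

```python
import ipaddress

# Constructed topology (all addresses are sample values): host -> R1 -> R2 -> server
HOST_IP, SERVER_IP = "192.0.2.10", "203.0.113.20"
HOST_MAC, SERVER_MAC = "00:00:5e:00:53:0a", "00:00:5e:00:53:14"
# Per-router state: routes are (prefix, next hop IP or None if directly connected,
# egress interface MAC); arp maps IP -> MAC for neighbours on connected subnets.
ROUTERS = {
    "R1": {
        "routes": [("192.0.2.0/24", None, "00:00:5e:00:53:a0"),
                   ("0.0.0.0/0", "198.51.100.2", "00:00:5e:00:53:a1")],
        "arp": {HOST_IP: HOST_MAC, "198.51.100.2": "00:00:5e:00:53:b0"},
    },
    "R2": {
        "routes": [("203.0.113.0/24", None, "00:00:5e:00:53:b1"),
                   ("0.0.0.0/0", "198.51.100.1", "00:00:5e:00:53:b0")],
        "arp": {SERVER_IP: SERVER_MAC, "198.51.100.1": "00:00:5e:00:53:a1"},
    },
}
# Which device owns each Layer 3 interface MAC (Layer 2 switches never appear here).
MAC_OWNER = {"00:00:5e:00:53:a0": "R1", "00:00:5e:00:53:a1": "R1",
             "00:00:5e:00:53:b0": "R2", "00:00:5e:00:53:b1": "R2",
             HOST_MAC: "host", SERVER_MAC: "server"}

def lookup_route(routes, dst_ip):
    """Longest-prefix match on the destination IP address."""
    dst = ipaddress.ip_address(dst_ip)
    hits = [r for r in routes if dst in ipaddress.ip_network(r[0])]
    return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)

def rewrite(router, frame):
    """One Layer 3 hop: route lookup, ARP lookup, then rewrite only the MACs."""
    _, next_hop, egress_mac = lookup_route(ROUTERS[router]["routes"], frame["dst_ip"])
    # Directly connected subnet: ARP for the destination itself, not a next hop.
    arp_target = next_hop or frame["dst_ip"]
    return {**frame, "src_mac": egress_mac, "dst_mac": ROUTERS[router]["arp"][arp_target]}

def trace(frame):
    """Return the frame as seen on each segment from host to server."""
    seen = [frame]
    while MAC_OWNER[frame["dst_mac"]] in ROUTERS:
        frame = rewrite(MAC_OWNER[frame["dst_mac"]], frame)
        seen.append(frame)
    return seen

# The host addresses its first frame to the MAC of R1's local interface.
FIRST = {"src_mac": HOST_MAC, "dst_mac": "00:00:5e:00:53:a0",
         "src_ip": HOST_IP, "dst_ip": SERVER_IP}
print(*trace(FIRST), sep="\n")
```

Each printed line is the frame on one segment: the IP pair is identical on all three, while the MAC pair changes at R1 and again at R2, where the directly connected route makes the router use its ARP entry for the server itself.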