~/netref / Ethernet, MAC & ARP
##

Ethernet, MAC & ARP

Layer 2 moves frames between devices on the same network using MAC addresses. Switches learn them; ARP maps them to IPs.

// Ethernet II frame

Dest MAC
6 B
Src MAC
6 B
Type / Len
2 B
Payload
46–1500 B
FCS
4 B

// MAC address anatomy — 48 bits

00:1A:2B
OUI · 24 bits · vendor
3C:4D:5E
NIC · 24 bits · device
The first byte carries two flags: I/G (bit 0 — unicast vs multicast) and U/L (bit 1 — global vs locally administered). 48 bits = 12 hex digits.
// MAC address types
UnicastI/G bit = 0 — one specific NIC
MulticastI/G bit = 1 — a group (01:00:5E.. maps IPv4 mcast)
BroadcastFF:FF:FF:FF:FF:FF — every device on the segment
U/L bit0 = globally unique (OUI) · 1 = locally administered
// switchport modes
accessSingle VLAN — end devices
trunkCarries many VLANs (802.1Q tagged)
dynamic autoBecomes a trunk only if asked
dynamic desirableActively negotiates a trunk

// key facts

  • MAC = 48 bits: 24-bit OUI (vendor) + 24-bit device
  • Broadcast MAC = FF:FF:FF:FF:FF:FF
  • Switch learns source MACs into the CAM table
  • Unknown unicast & broadcast are flooded out all ports
  • ARP resolves IP → MAC (broadcast request, unicast reply)
  • 1 switch port = 1 collision domain · 1 VLAN = 1 broadcast domain

// ARP — resolving IPv4 to MAC

“Who has 10.0.0.5? Tell 10.0.0.1”
▶ broadcast · FF:FF:FF:FF:FF:FF
“10.0.0.5 is at 00:1A:2B:3C:4D:5E”
◀ unicast reply
The mapping is cached in the ARP table for a few minutes. IPv6 has no ARP — it uses NDP (Neighbor Solicitation / Advertisement over ICMPv6).
// ARP variants
ARPResolve IPv4 → MAC: request broadcast, reply unicast
Proxy ARPA router answers on behalf of a host in another subnet
Gratuitous ARPUnsolicited reply — announce, detect IP conflicts, FHRP failover
RARPLegacy MAC → IP (long replaced by DHCP/BOOTP)
ARP cacheTimed IP→MAC table; entries age out after minutes
// common EtherTypes
0x0800IPv4
0x0806ARP
0x86DDIPv6
0x8100802.1Q VLAN tag
0x88A8802.1ad (Q-in-Q)
0x8847MPLS unicast
0x88CCLLDP
0x8863/64PPPoE disc / session
// switch forwarding methods
Store-and-forwardReads the whole frame and checks the FCS before forwarding — drops errors
Cut-throughForwards as soon as the destination MAC is read — lowest latency, no error check
Fragment-freeReads the first 64 bytes — catches collision runts
mac & arp tables 
! Cisco IOS — MAC & ARP tables
show mac address-table
show mac address-table dynamic
show ip arp
clear arp-cache

# Linux / host
ip neigh show          # modern (replaces arp)
arp -a                 # classic, all platforms
ip -s neigh flush all  # clear the cache