The MAC factor

Last month we talked about domain name resolution — the process of resolving a host name to an IP address. This month, we will discuss core network routing protocols and Media Access Control (MAC) addresses.

The ISO model

You may recall the ISO seven-layer network model. For this tutorial, we will use a simplified version of the ISO model. (See Figure 1.)

The first layer is the physical layer. It consists of the wires, connectors and the specifications for the electrical signals sent over a network. While Layer 1 is a necessary component of the network, it is not responsible for routing packets.

The second layer is the data link layer, in which networking transport technologies are differentiated. Examples of Layer 2 protocols include Ethernet and token ring. Clearly, the dominant Layer 2 protocol today is Ethernet.

The third layer is the IP layer. We discussed Layer 3 in depth in last month's article.

The fourth layer is the transport layer. Layer 4 transports application data from one place to the other over a network. In the case of TCP, this means requesting the retransmission of lost packets and correcting for other errors on the network.

MAC addresses

MAC addresses are Layer 2 addresses assigned by the manufacturer of the network card. A MAC device might be a network interface card (NIC), or more commonly, the device is built into the motherboard of the computer.

MAC addresses take the form nn:nn:nn:nn:nn:nn. The first three numbers designate the manufacturer. The last three numbers uniquely identify the particular NIC card or network device. For example, a MAC address of 00:03:47:d6:bb:52 indicates that the card is made by Intel because 00:03:47 is Intel's registered number. Intel assigned the number d6:bb:52 to uniquely identify this card.

In last month's article, we discussed Dynamic Name System (DNS). As you probably know, you can manually assign an IP address to a machine, or you can use Dynamic Host Configuration Protocol (DHCP) to assign the address automatically. Your computer may be assigned many different IP addresses over its useful lifetime. But the manufacturer assigns Ethernet MAC addresses. These addresses cannot be changed. So why would a computer have two types of addresses, and why do they have different properties?

It is important to have both types of identifiers on a network. The Layer 2 MAC address ensures that there is one globally unique identifier for each computer on the system. The Layer 3 address allows computers to be organized into groups or networks. This permits the efficient routing of traffic across network boundaries, thus keeping local network traffic local and reducing the amount of traffic on the Internet at large.

Why would a system need a MAC address if it knows the IP address of a target computer? A Layer 2 switch sends packets to various outputs based on where the target resides. By associating the IP address with the hardware MAC address, the switch knows where to send the IP packets.

Also, remember that IP runs over a multitude of hardware, including Ethernet, SONET and token ring. If you know the IP address of a particular computer, you still do not know what sort of network the target is on, or what packetizing system it uses. The way a switch or router determines this is by sending out an Address Resolution Protocol (ARP) request.

ARP in action

Let us look at a simple example with two computers on a network. A person at one computer wants to use the ping command to see if a second computer is available on the network. At the outset, the first computer does not know the MAC address of the second computer, but it does know its IP address ( The person types the ping command and sees the response below:

C:\> ping
Pinging with
32 bytes of data:

Reply from
bytes=32 time
<1ms TTL=127

To the person at the first computer, it looks as if all that has happened is that their computer sent a ping to the second computer and received a reply. But an Ethernet packet sniffer reveals a conversation. (See Figure 2.)

SourceDestinationTypeDescription Intel_03:26:b3 Broadcast ARP Who has Tell IBM_53:dc:22 Intel_03:26:b3 ARP is at 00:23:4c:53:dc:22 ICMP Echo (ping) request ICMP Echo (ping) reply Figure 2. After using a ping command to see if another computer is available on the network, a computer will generate an ARP request, as shown above

The first computer generates a broadcast ARP request. This request says, “Who has Tell” The initial message contains the source IP address (in this case and the source MAC address. It includes the target IP address, but the target destination MAC address is all zeros “Broadcast.”

The ARP request is broadcast to everyone on the network. The computer known as receives this ARP request, recognizes that it is the target of the request and responds with an ARP reply, which is directed to the source of the request. The reply is identical to the request, with the exception that the target computer fills in its own MAC address. Now the first computer knows where to send the ping request. The ping is sent, and the target generates a reply.

The first computer is not finished though. It makes a note of the MAC address of the second computer in its ARP table. The ARP table contains the IP and MAC addresses of computers on its network. By storing the information locally, it will not have to issue another ARP request when it receives more packets for the same target. Figure 3 shows what the ARP table looks like for the first computer. The ARP entries are dynamic — they expire over time. Otherwise the first computer would remember this association forever.

C:\> arp –a Internet address Physical address Type IBM_53:dc:22 Dynamic Cisco_03:26:b3 Dynamic Figure 3. An example of what an ARP table looks like

Let us look at two interesting cases. First, what happens if the target fails to respond? The ARP request is sent, and the request times out. The ping request fails, and the user is notified.

Second, what if the user pings an IP address that is not on the local network —, for example? When you configure the IP stack of a computer, one of the entries is for a default gateway. Any traffic destined for an address that is not on the local network is sent to this gateway. In Figure 3, you can see the default gateway is a Cisco router located at The ping to is sent to the default gateway and from there to the Internet.

Brad Gilmer is executive director of the Video Services Forum, executive director of the AAF Association and is president of Gilmer & Associates.

Send questions and comments