Basic Data Transmission in Networks: MAC Tables and ARP Tables

Date: May 12, 2015


Bombarded with jargon, no wonder networking beginners get lost. Sean Wilkins, co-author of CCNA Routing and Switching 200-120 Network Simulator, explains some crucial terminology for anyone who needs to understand complex networking.

Overview

A number of different information types, terms, and names for data are thrown at all new networking students. Two of these information sources are vital to basic networking: Media Access Control (MAC) tables and Address Resolution Protocol (ARP) tables. Without at least a basic understanding of how these tables are used, it is hard to comprehend how information passes through a network. This article takes a look at each of these information sources, how they are used in the transmission of network traffic, and how they work together to move data from point A to point B.

Media Access Control (MAC) Tables

The term Media Access Control (MAC) probably sounds familiar. This term is typically introduced in lessons on the Open Systems Interconnection (OSI) model's Layer 2—data link layer addressing. Each Ethernet device that is manufactured is assigned a MAC address. This address is split into two different parts, the Organizationally Unique Identifier (OUI) and the device ID.

This means that every Ethernet networking device that is manufactured has a unique identifier, consisting of the OUI plus the device ID. As an example, let's take a look at the MAC address 5478.1a15.cf19, which breaks down to an OUI of 5478.1a and a device ID of 15.cf19. If you take the OUI 5478.1a and perform an OUI lookup, you will find that it links back to Cisco Systems, which is the manufacturer of the equipment from which I obtained that MAC address. This information is not used in the transmission of networking traffic, but it is helpful if you are troubleshooting a networking problem and you don't recognize a specific device; you can use the MAC address to look up the device's manufacturer.

MAC Address Tables

A MAC address table, sometimes called a Content Addressable Memory (CAM) table, is used on Ethernet switches to determine where to forward traffic on a LAN. Now let's break this down a little bit to understand how the MAC address table is built and used by an Ethernet switch to help traffic move along the path to its destination. We will use the graphic in Figure 1.

Figure 1 Basic switched network.

In Figure 1, a switch is surrounded by a number of common devices. Let's assume that all of the devices are powered on but have not sent any traffic. In this case, the MAC address table of the switch would be empty (ignoring any system MAC addresses shown in the table by default).

Now suppose PC1 wants to send traffic to the server that has a MAC address of 00:00:00:00:00:01. It would encapsulate an Ethernet frame and send it off toward the switch. The first thing the switch would do when receiving the traffic is create a new entry in its MAC address table for PC1's MAC address (PC1 -> Fa0/3). The switch would then perform a lookup on its MAC address table to determine whether it knows which port to send the traffic to; since no matching entries exist in the switch's tables, it would flood the frame out all of its interfaces (except the receiving port).

Because the frame was sent out to all of the switch's other ports, it would be received by the target server. Assuming that the server wants to respond to PC1, it would send a new frame back toward the switch. The switch would receive the frame and create a new entry in its MAC address table for the server's MAC address (Server -> Fa0/2). It would then perform a lookup of its MAC address table to determine whether it knows which port to send the server's traffic to; in this case it does, so it sends the return traffic out only its Fa0/3 port (PC1), without flooding. Listing 1 shows what the MAC address table would look like at this point.

Listing 1—MAC address table example.

2960-1#show mac address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    001d.70ab.5d60    DYNAMIC     Fa0/2
   1    001e.f724.a160    DYNAMIC     Fa0/3
Total Mac Addresses for this criterion: 2
2960-1#

This process repeats as devices continue to send traffic to each other. An important detail to remember is that the MAC address table timeout is typically short (Cisco's default is five minutes), so an entry is left in the table itself only for that specified amount of time before the timeout expires and the entry is removed from the table.
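The learn, look up, flood-or-forward sequence and the aging timeout described above can be traced step by step in a short simulation. This is an added example, not code from the article or from Cisco; PC1's MAC address and the ports Fa0/1 and Fa0/4 are assumptions made for the illustration.

```python
# Added illustration of a learning switch. Ports Fa0/2 and Fa0/3 and the server
# MAC come from the article; PC1's MAC and the other ports are constructed.
AGING_SECONDS = 300  # five-minute default aging time, as stated in the article


class LearningSwitch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}  # MAC address -> (port, time last seen)

    def _expire(self, now):
        """Drop entries that have not been refreshed within the aging time."""
        self.table = {mac: (port, seen)
                      for mac, (port, seen) in self.table.items()
                      if now - seen < AGING_SECONDS}

    def receive(self, in_port, src_mac, dst_mac, now):
        """Process one frame and return the list of ports it is sent out of."""
        self._expire(now)
        # Step 1: learn (or refresh) the source MAC on the receiving port.
        self.table[src_mac] = (in_port, now)
        # Step 2: look up the destination MAC.
        entry = self.table.get(dst_mac)
        if entry is None:
            # Unknown destination: flood out every port except the receiving one.
            return [p for p in self.ports if p != in_port]
        out_port = entry[0]
        # A frame is never sent back out of the port it arrived on.
        return [] if out_port == in_port else [out_port]


def demo():
    pc1 = "00:00:00:00:00:aa"      # constructed address for PC1
    server = "00:00:00:00:00:01"   # server address used in the article
    sw = LearningSwitch(["Fa0/1", "Fa0/2", "Fa0/3", "Fa0/4"])
    first = sw.receive("Fa0/3", pc1, server, now=0)    # server unknown: flooded
    reply = sw.receive("Fa0/2", server, pc1, now=1)    # PC1 known: Fa0/3 only
    second = sw.receive("Fa0/3", pc1, server, now=2)   # server known: Fa0/2 only
    # 301 seconds after the server last sent a frame, its entry has aged out.
    late = sw.receive("Fa0/3", pc1, server, now=302)
    return first, reply, second, late


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The last call floods again because the server's entry was removed after the aging time passed without a refresh.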

Now we will move on to the question of how the devices get the destination MAC addresses to begin this process; in a word, ARP.

Address Resolution Protocol (ARP) Tables

The Address Resolution Protocol (ARP), as you might guess, is designed for resolving addresses. To tie together the data link layer (Layer 2) and the network layer (Layer 3), a mechanism must exist that maps data-link layer addressing to network layer addressing; this mechanism is ARP. In the earlier example, PC1 just “knew” the MAC address for the server, but how is that possible? This is where ARP enters the picture. Typically a user who wants to connect to a server must already have the name of the server. (There are mechanisms to get around this need as well, but they are outside the scope of this article.) The server name is typically in the form of a hostname and/or domain combination (for example, mail.testing.com). When the user presses Enter to send the request to connect to the server, a higher-level lookup is performed by the Domain Name System (DNS), which returns an IP address. Assuming that the server is on the local subnet, a second lookup is performed to search for the MAC address of the server, using ARP.

What ARP does is provide a lookup mechanism and table to store the information found in these lookups. Using the previous example as a guide, let's assume again that PC1 wants to send traffic to the server. The only piece of information that PC1 has is the IP address (network layer address) of the server (which was looked up from DNS), but to send traffic to the server it must also learn the server's MAC address. To find this information, PC1 must form an ARP request that includes the IP address of the intended destination. The ARP request is then sent to the MAC broadcast address (ff.ff.ff.ff.ff.ff), so that all local devices will receive it. If the server is listening on the network (and wants to answer), it responds with an ARP reply. In this reply, the server includes its MAC address; PC1 then uses that MAC address to send its Ethernet traffic destined for the server, starting the MAC address table process detailed earlier. Listing 2 shows an example of how the ARP table might look in this situation.

Listing 2—ARP table example.

C:\Windows\system32\arp -a
Interface: 192.168.1.100 --- 0x11
  Internet Address      Physical Address     Type
  192.168.1.200         00-0c-29-92-81-3e    dynamic
C:\

Unlike the MAC address table timeout, which is short, the ARP table timeout is typically much longer. (Cisco's default timeout is four hours.)
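The ARP request and reply described above can be built and decoded byte by byte to see what each side actually puts on the wire. This is an added example, not code from the article; the IP addresses and the server's MAC address are taken from Listing 2, and PC1's MAC address is constructed.

```python
import socket
import struct

BROADCAST = bytes.fromhex("ffffffffffff")
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(text):
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def build_arp(op, src_mac, src_ip, dst_mac, target_mac, target_ip):
    """Return an Ethernet frame carrying an ARP packet for IPv4 over Ethernet."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, then the opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += src_mac + socket.inet_aton(src_ip)
    arp += target_mac + socket.inet_aton(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode the fields a host needs from an ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not a complete ARP frame")
    return {"eth_dst": frame[0:6],
            "op": struct.unpack("!H", frame[20:22])[0],
            "sender_mac": frame[22:28],
            "sender_ip": socket.inet_ntoa(frame[28:32]),
            "target_ip": socket.inet_ntoa(frame[38:42])}


def resolve():
    pc1_mac = mac_bytes("00-0c-29-00-00-64")      # constructed address for PC1
    server_mac = mac_bytes("00-0c-29-92-81-3e")   # from Listing 2
    # PC1 asks "who has 192.168.1.200?"; the target MAC is unknown, so all zeros.
    request = build_arp(ARP_REQUEST, pc1_mac, "192.168.1.100",
                        BROADCAST, bytes(6), "192.168.1.200")
    seen = parse_arp(request)                     # what the server receives
    # The server answers directly (unicast) to the sender named in the request.
    reply = build_arp(ARP_REPLY, server_mac, seen["target_ip"],
                      seen["sender_mac"], seen["sender_mac"], seen["sender_ip"])
    answer = parse_arp(reply)                     # what PC1 receives
    # PC1 stores the IP-to-MAC mapping, which is the row shown in Listing 2.
    arp_table = {answer["sender_ip"]: answer["sender_mac"].hex("-")}
    return request, reply, arp_table
```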

Summary

A good understanding of the MAC address learning process on a switch and the MAC lookup process performed via ARP by network devices is vital when learning about networking. Since almost all networking traffic is sourced from and destined to an Ethernet network, these processes are integrated into almost all types of network usage. The advantage is that they work, and work well; but this is also a disadvantage, because networking beginners are used to having the network “just work,” without having to understand the mechanics. This low-level understanding will make the networking student aware of how networking communication begins. This knowledge is often called upon as students rise on the networking career ladder.
