3.6 MAC vs IP in Addressing Troubleshooting

Layer 2 and Layer 3 addresses in one conversation

A common beginner mistake is treating MAC addresses and IP addresses as interchangeable identifiers. They are not. A MAC address belongs to a network interface at Layer 2. It is used inside Ethernet and Wi-Fi frames on the local link. An IP address belongs to Layer 3. It identifies a logical source or destination that can be routed across multiple networks. Both are needed in normal LAN communication, but they appear in different headers and are used by different devices.

Switches primarily learn and forward by MAC address. When a frame enters a switch port, the switch records the source MAC address in its MAC address table for that port and VLAN. When the switch knows the destination MAC, it forwards the frame out the correct port. When it does not know the destination MAC, it may flood the frame within the VLAN. This is local behavior. A Layer 2 switch does not decide how to reach 8.8.8.8 across the internet by reading a routing table.

Routers forward by IP address. A router receives a frame, removes the Layer 2 header, examines the destination IP address, chooses a route, then builds a new Layer 2 frame for the next hop. The source and destination IP addresses usually stay the same from end to end, but the source and destination MAC addresses change at every routed hop. This is why a packet to a website leaves your laptop in a frame addressed to the default gateway MAC, not to the website server MAC.

Address resolution connects the two layers. For IPv4, ARP asks, in effect, who has this IPv4 address on the local network, and the owner replies with a MAC address. For IPv6, Neighbor Discovery performs the local neighbor mapping. If ARP or NDP fails for a local destination or gateway, IP communication fails even if the numeric IP settings look reasonable. Causes include wrong VLAN, duplicate IP, host firewall behavior, sleep state, cabling, Wi-Fi isolation, or security features such as port security.

Default gateway logic is the technician bridge between local and routed communication. A host compares the destination IP against its own prefix. If the destination is local, it resolves the destination host MAC. If the destination is remote, it resolves the default gateway MAC. Therefore, when a client can ping its gateway but cannot reach remote networks, suspect routing, firewall, NAT, or DNS beyond the local link. When it cannot ping the gateway, suspect local addressing, mask, VLAN, link, gateway availability, or local filtering.

Useful evidence should be specific. On Windows, ipconfig /all shows address, mask, gateway, DHCP, DNS, and adapter MAC address. arp -a shows the IPv4 ARP cache. On Linux and macOS, ip addr, ip route, ifconfig, netstat -rn, arp -a, and ip neigh or ndp -a provide similar clues depending on the platform. A support ticket should avoid vague notes such as "network down" when the real finding is "client has 192.168.30.55/24, gateway 192.168.30.1, can ARP gateway, DNS server unreachable."

MAC addresses can also help find physical or VLAN placement issues. If an engineer asks you to check a switch MAC table, they are trying to learn which port last saw a device. If the MAC appears on an unexpected port or VLAN, the endpoint may be plugged into the wrong jack, patched incorrectly, connected through an unmanaged switch, or using a wireless bridge. The IP address still matters for routing, but the MAC table points to the local attachment point.

Study Checkpoint

• Topic: 3.6 MAC vs IP in Addressing Troubleshooting.
• Verify the official Cisco concept before memorizing a shortcut.
• Practice the technician action: observe, document, test, fix when supported, or escalate.