3.6 MAC vs IP in Addressing Troubleshooting

Layer 2 and Layer 3 addresses in one conversation

A classic beginner error treats MAC and IP addresses as interchangeable. They are not. A MAC (Media Access Control) address is a 48-bit hardware identifier living at Layer 2, used inside Ethernet and Wi-Fi frames on the local link. An IP address is a logical Layer 3 identifier that can be routed across many networks. Both appear in normal LAN traffic, but in different headers and used by different devices.

Switches learn and forward by MAC. When a frame enters a port, the switch records the source MAC in its MAC address table against that port and VLAN; if it knows the destination MAC it forwards out the right port, and if not it floods within the VLAN. A Layer 2 switch never decides how to reach 8.8.8.8 across the internet — that is not its job.

Routers forward by IP. A router receives a frame, strips the Layer 2 header, reads the destination IP, picks a route, and builds a new frame for the next hop. The source and destination IPs stay constant end to end, but the source and destination MACs change at every hop. That is precisely why a packet to a website leaves your laptop in a frame addressed to the gateway's MAC, not the web server's MAC.

Resolution, the gateway bridge, and gathering evidence

Address resolution links the two layers. For IPv4, ARP asks "who has this IP?" and the owner answers with its MAC. For IPv6, Neighbor Discovery (NDP) does the local mapping. If ARP or NDP fails for a local destination or the gateway, IP communication fails even when the numeric settings look perfect — common causes are wrong VLAN, duplicate IP, host firewall, sleep state, bad cabling, Wi-Fi client isolation, or switch port security.

The default gateway is the technician's bridge between local and routed traffic. A host compares the destination IP against its own prefix:

• Destination local → resolve the destination host's MAC and send directly.
• Destination remote → resolve the gateway's MAC and send the frame there.

This gives a clean diagnostic split:

• Can ping the gateway but not remote networks → suspect routing, firewall, NAT, or external DNS beyond the local link.
• Cannot ping the gateway → suspect local addressing, mask, VLAN, link, gateway availability, or local filtering.

Commands that produce specific evidence

A support note should never say "network down." Replace it with a layered finding such as: "client 192.168.30.55/24, gateway 192.168.30.1, ARP for gateway succeeds, external DNS server unreachable." That single line tells an engineer the link and Layer 2 are healthy, the host config is sane, and the fault is upstream of the gateway — saving an entire round of back-and-forth.

MAC addresses also help pin down physical or VLAN placement. If an engineer asks you to check a switch's MAC address table, they want to learn which port last saw a device. A MAC appearing on an unexpected port or VLAN suggests the endpoint is in the wrong jack, patched incorrectly, behind an unmanaged switch, or bridged over wireless. The IP still governs routing, but the MAC table points straight to the local attachment point — and knowing which table answers which question is exactly the Layer 2 versus Layer 3 separation the 100-150 exam rewards.

Following a packet to see both addresses at work

The clearest way to lock in the distinction is to trace one packet from a laptop on 192.168.1.10/24 to a web server at 93.184.216.34. The laptop compares the destination to its own subnet, sees it is remote, and resolves the gateway's MAC via ARP. It builds a frame with destination MAC = gateway, destination IP = 93.184.216.34 and sends it to the switch, which forwards by MAC to the gateway port. The router strips that frame, reads the IP, and forwards toward the next hop in a brand-new frame with a new destination MAC — the IP never changed, the MAC changed completely.

Every hop repeats this, which is why a traceroute shows IP hops while the frames underneath are constantly rewritten.

That trace also explains the symptoms you will be asked to diagnose. If ARP for the gateway fails, the laptop cannot even build the first frame, so nothing leaves the local link — a Layer 2 problem masquerading as "no internet." If the gateway resolves fine but a downstream router lacks a route, the laptop's frames leave normally and the failure is purely Layer 3, upstream. Distinguishing those two cases is the difference between escalating to the desktop team versus the network team, and getting it wrong wastes hours.

Duplicate-IP incidents are the final scenario worth rehearsing. When two hosts claim 192.168.1.10, the switch keeps relearning that IP's MAC on different ports as each host speaks, so connectivity flickers and ARP caches show the address bouncing between two MACs. The clue lives at Layer 2 (two MACs, one IP) even though the trigger is a Layer 3 misconfiguration. Recognizing that a single symptom can have evidence at multiple layers — and gathering the address, mask, gateway, ARP entry, and switch-port data before guessing — is the disciplined troubleshooting mindset the CCST Networking exam is ultimately measuring.