Routing, Default Gateway, and ARP

Switching Versus Routing

Switching and routing solve different problems at different layers. Switching forwards Ethernet frames inside one VLAN using MAC addresses (Layer 2). Routing forwards IP packets between different IP networks using a routing table (Layer 3). When you load an Internet page, the local switch moves the frame to the gateway, then a router or firewall moves the packet beyond your subnet, hop by hop.

The local-versus-remote decision

Every IPv4 host uses its own IP address and subnet mask to decide whether a destination is local or remote. It performs a bitwise AND of its address and mask, and of the destination and mask, and compares the results:

• Same network number -> destination is local; deliver the frame directly to that host's MAC.
• Different network number -> destination is remote; send the frame to the default gateway.

The default gateway is the router, firewall, or Layer 3 switch interface for that VLAN — typically the .1 of the subnet. Without a correct gateway, local traffic may still work but anything off-subnet, including the Internet, fails.

Worked example

A laptop is 192.168.10.25/24, gateway 192.168.10.1.

For both remote destinations the IP packet keeps its real destination; only the Layer 2 frame is addressed to the gateway.

ARP: Bridging IP and Ethernet

A host cannot put an IPv4 packet on Ethernet without a destination MAC address. ARP (Address Resolution Protocol) supplies it. When the host needs a local MAC it does not know, it broadcasts an ARP request ("who has 192.168.10.1? tell 192.168.10.25") to ff:ff:ff:ff:ff:ff. The owner replies with a unicast ARP reply containing its MAC, which the sender stores in its ARP cache for a few minutes.

For remote traffic the target of ARP is different. The laptop at 192.168.10.25 going to 8.8.8.8 knows 8.8.8.8 is off-subnet, so it does not ARP for 8.8.8.8. It ARPs for the gateway 192.168.10.1, frames the packet to the gateway's MAC, and lets the router forward it. At each routed hop the Layer 2 frame is rewritten for the next link, but the end-to-end IP destination never changes.

Failure patterns that fit this model

Technician check order

1. Read the client IP, mask/prefix, and default gateway (ipconfig / ip addr).
2. View the ARP cache (arp -a).
3. Ping the gateway first, then test the Internet.

If the gateway does not answer, the fault is local: cabling, Wi-Fi association, VLAN, addressing, gateway interface, or host firewall. If the gateway answers but external traffic fails, shift focus to routing, DNS, NAT, the upstream link, or filtering.

Common traps

• ARPing for the remote Internet IP instead of the gateway.
• Calling APIPA a 'valid' address — it means DHCP failed.
• Ignoring the subnet mask; the mask, not the address alone, defines what is local.

Reading a Routing Path and an ARP Trace

A router keeps a routing table of networks it knows how to reach, each entry pairing a destination network with a next-hop or exit interface. A small office router typically holds two kinds of entries: directly connected networks (its own interface subnets) and a default route 0.0.0.0/0 pointing at the ISP. When a packet arrives, the router finds the most specific match; if nothing else matches, the default route sends it toward the Internet.

Per-hop frame rewriting

The end-to-end IP addresses do not change as a packet crosses routers, but the Layer 2 frame is rewritten at every hop. From the laptop to the gateway, the frame's destination MAC is the gateway; from the gateway to the next router, a new frame carries that router's MAC; and so on. This is why ARP and switching are local to each link while routing is end-to-end.

Using ping and traceroute

A disciplined gateway-first test isolates the layer fast:

1. ping 192.168.10.1 (gateway). Success proves your IP, mask, ARP, switch path, and the gateway interface are all healthy.
2. ping 8.8.8.8 (a known public IP). Success proves routing and NAT to the Internet work.
3. tracert/traceroute to a destination shows each router hop; the hop where replies stop often locates the break.

If step 1 fails, stay local — cabling, Wi-Fi, VLAN, addressing, or the gateway interface. If step 1 passes but step 2 fails, look outward — routing, NAT, the ISP link, or filtering.

Duplicate IP and gratuitous ARP

If two hosts share one IP, each may answer ARP, so the switch and senders cache whichever MAC replied last. Connectivity then becomes intermittent and 'follows' whichever device most recently spoke. A gratuitous ARP (a host announcing its own mapping) helps neighbors update caches but also exposes duplicates when two devices announce the same IP. Recognizing flapping, address-conflict warnings, and 'it works for a while then drops' as duplicate-IP signatures is squarely within CCST troubleshooting expectations.