What's Ethernet

Ethernet is a family of standards defined by IEEE 802.3, encompassing various wiring types and protocols for local area networks (LANs). It supports speeds up to 100 Gbps and utilizes the CSMA/CD access method, with two main types of Ethernet LANs: SOHO (Small Office/Home Office) and Enterprise LANs, differing mainly in scale and device requirements. MAC addresses, which uniquely identify devices on a network, are essential for communication, and Ethernet frames are structured data packets that facilitate data transport within the network.

Uploaded by

Mazidul Islam

What is Ethernet?

The term Ethernet refers to an entire family of standards that define wiring, signaling,
connectors, frame formats, protocol rules, etc. Ethernet is standardized by the Institute of
Electrical and Electronics Engineers (IEEE) as the 802.3 standard. The standard defines several
wiring variants, such as coaxial, twisted pair and fiber optic cabling. Coaxial cables are rarely used
anymore, while twisted pair cables are usually used in SOHO environments. Optical fibers are the
most expensive option, but they allow longer cabling distances and greater speeds.
Ethernet uses the Carrier Sense Multiple Access with Collision Detection (CSMA/CD) access
method and supports speeds up to 100 Gbps. It is by far the most popular LAN technology today.

Basic Concepts of Ethernet LAN Explained

An Ethernet LAN is the combination of components that allows users to access applications and
data, share resources and connect with other networks.

Common components of an Ethernet LAN are user devices (such as computers, PCs, servers and
network printers), network devices (LAN switches, hubs, firewalls and so on) and different types
of media (such as coaxial, UTP and STP). Usually, these components are owned by the same
company or organization that builds the Ethernet LAN.

Based on scalability, an Ethernet LAN can be categorized into two types: the SOHO LAN and the
Enterprise LAN.

SOHO Ethernet LAN


SOHO stands for Small Office/Home Office. This is the smallest form of an Ethernet LAN. To build
this LAN, a device known as an Ethernet LAN switch is used. An Ethernet LAN switch has many
ports. To connect an end device or user device to one of these ports, a cable known as an
Ethernet cable is used.

The following image shows an example of a simple SOHO Ethernet LAN.


Besides end devices, several other network devices can also be connected to the Ethernet switch
to extend its functionality. One such device is a router. A router is used to connect the LAN
with the WAN or with the Internet.

Nowadays, connecting to the Internet has become an integral part of any network. To meet this
requirement, vendors also sell consumer-grade integrated networking devices that work as both
a router and an Ethernet switch. Typically, these devices have four to eight LAN switch ports.
Some models also have wireless LAN access points.

The following image shows a graphical representation of such a device.

The above drawing shows the router, wireless LAN access point and the Ethernet switch as three
separate devices as well as a single device so that you can better understand how these three
devices are integrated into a single device. This integrated single device is known as the wireless
router.

Enterprise Ethernet LAN


An Enterprise Ethernet LAN uses the same technologies and protocols to build the network, but
on a much larger scale. An Enterprise Ethernet LAN can span an entire building, a campus or even
a large geographical area.

Unlike the SOHO network, which usually connects a small number of computers, an Enterprise
LAN can connect a large number of computers. Basically, an Enterprise Ethernet LAN is the
extended version of a SOHO LAN. For example, suppose there are five SOHO LANs. If we connect
all of these LANs together to create a large LAN, we create an Enterprise Ethernet LAN.

The following image shows an example of the Enterprise LAN network.

Besides Ethernet LAN switches, based on requirements, several other networking devices such
as the firewall and distribution switches are also used in the Enterprise LAN. Usually, these
devices are used in the middle of traffic flow.

For example, the following image shows a typical enterprise LAN spanning four rooms. The first
three rooms have Ethernet LAN switches and the last room has a wireless LAN access point. To
allow communication between all rooms, the switch of each room is connected to the centralized
distribution switch. A PC located in any room can send data to a PC located in another room, but
its data will go through the distribution switch (SWD).

SOHO Ethernet LAN vs Enterprise Ethernet LAN

Both the SOHO Ethernet LAN and the Enterprise Ethernet LAN are defined in the data link layer
of the OSI Layer model.

Both LANs use the same standards for data transportation. These standards pack data in a format,
known as the frame. A frame contains a common Ethernet header and trailer.

No matter whether the data flows over a UTP cable or any kind of fiber cable, and no matter at
what speed it flows, the data link header and trailer remain the same.

The required number of devices and the size of the network are the two major differences
between the SOHO LAN and the Enterprise LAN. SOHO LAN requires fewer devices while, to
support additional functionalities, the Enterprise LAN requires more devices. In terms of network
size, SOHO LAN is much smaller than the Enterprise LAN.

MAC Addresses Explained with Examples

In a network, an address provides a unique identity to an end device. Unless an end device has a
unique address, it can’t communicate with other devices in the network. A unique address
enables an end device to send and receive data in the network.

In a LAN, a unique address is the combination of two addresses: the software address and the
hardware address.

Addressing in Networking Reference models


A networking reference model defines the standards, characteristics, definitions, and
functionalities of the network. There are two popular networking models: the OSI Seven Layers
model and the TCP/IP model.

In both models, the software address and hardware address are defined in the network layer and
data link layer, respectively. In both models, the network layer and data link layer stand on the
third and second positions, respectively. Because of this, both layers are also known as layer 3
and layer 2, respectively.

Software address
The software address is also known as the network layer address or layer 3 address. This address
is manageable and configurable. Based on network requirements and layout, this address can be
configured and assigned to an end device. Almost all modern LAN implementations use the IP
protocol in the network layer. The IP protocol uses the term IP address to define the software
address.

Hardware address
The hardware address is also known as the data link layer address, layer 2 address or MAC
(Media Access Control) address. Of these terms, MAC address is the one commonly used to
refer to the hardware address. Unlike the IP address or software address, this address can’t be
configured or managed. When you purchase a new NIC (Network Interface Card), or any device
which has onboard NICs, it comes with a pre-configured MAC address.

A MAC address is 6 bytes (48 bits) long. MAC addresses are written in hexadecimal format, which
uses base 16. Each hexadecimal digit represents 4 bits, so if we divide the total available
length (48 bits) by the 4 bits that one hexadecimal digit holds, we get the total digits
(12 = 48 ÷ 4) of that number in hexadecimal format. Thus, if we write a 6-byte (48-bit) binary
MAC address in hexadecimal format, we get a 12-digit hexadecimal number.

For convenience and easier readability, when writing a MAC address in hexadecimal format, extra
space or periods or colons are added after every two or four digits. For example, you can write a
MAC address in the following ways.

- Without any separator: 00000ABB28FC
- Extra space after every two digits: 00 00 0A BB 28 FC
- Extra space after every four digits: 0000 0ABB 28FC
- Colon after every two digits: 00:00:0A:BB:28:FC
- Colon after every four digits: 0000:0ABB:28FC
- Period after every two digits: 00.00.0A.BB.28.FC
- Period after every four digits: 0000.0ABB.28FC

No matter which style you use to write the MAC address, or which style an application or
networking software uses to display it, a MAC address is always processed as a binary number.
The NIC converts the hexadecimal digits of the MAC address into binary before processing and
using it.

Structure or format of the MAC address


As mentioned above, you can’t assign a MAC address to a NIC or onboard NICs. When you purchase
a new NIC or a device with onboard NICs, it arrives with a pre-configured MAC address or MAC
addresses, respectively. Before we look at how manufacturers select MAC addresses for NICs,
let’s briefly understand why a MAC address should be unique in the LAN.

If a LAN has two or more NICs configured with the same MAC address, then that network will not
work. Let’s understand this with an example.

Suppose three PCs, PC-A (11000ABB28FC), PC-B (00000ABB28FC) and PC-C (00000ABB28FC), are
connected through a switch. The NICs of PC-B and PC-C have the same MAC address, 00000ABB28FC.

If PC-A sends a frame to the destination MAC address 00000ABB28FC, the switch fails to deliver
this frame as it has two recipients of this frame.

The following image shows this example.

A LAN network does not work unless each device in the LAN network has a unique MAC address.

Now let's return to our main question. How do manufacturers assign a unique MAC address to
each NIC?

Before manufacturing NICs, every manufacturer obtains a universally unique 3-byte code, known
as the organizationally unique identifier (OUI), from the IEEE. The IEEE is an international
organization that regulates and maintains the namespace of MAC addresses.

After obtaining the OUI bytes, the manufacturer uses these OUI bytes at the beginning of the
MAC address of all its NICs or on-board NIC devices. The manufacturer also assigns a unique
hexadecimal value in the remaining bytes.

6 bytes MAC address = 3 bytes OUI number obtained from the IEEE + 3 bytes unique number
assigned by the manufacturer

MAC addresses of all NICs or onboard NIC devices manufactured by the same manufacturer
always start with the same 3-byte OUI number. For example, suppose the IEEE assigns the OUI
“0000AA” to the xyz company. Now the xyz company will use the OUI number 0000AA as the first
24 bits to build MAC addresses for its NICs or onboard NIC devices.

To distinguish each product from the others, the manufacturer uses the remaining 3 bytes.
Manufacturers are free to use any sequence or method for the remaining three bytes. For
example, the xyz company can assign MAC addresses to its NICs in incremental order.

The following table extends this example and adds two more demo companies (ABC and JKL) in
the example. It also shows MAC addresses of 5 NICs from each company.

Thus, this procedure ensures that no two NICs use the same MAC address in the universe.

Types of MAC address


There are three types of MAC address: unicast, multicast, and broadcast.

Unicast MAC address
A unicast MAC address represents a specific NIC or onboard NIC port in the network. The inbuilt
MAC address of a NIC is the unicast MAC address of that NIC.

Multicast MAC address


Multicast MAC address represents a group of devices (or NICs in Layer 2). The IEEE has reserved
the OUI 01-00-5E (first 3-bytes or 24 bits) for the multicast MAC addresses. The remaining 24 bits
are set by the network application or device that wants to send data in the group. A multicast
MAC address always starts with the prefix 01-00-5E.

Broadcast MAC address


The broadcast MAC address represents all devices in the network. The IEEE has reserved the
address FFFF.FFFF.FFFF as the broadcast MAC address. Any device that wants to send data to
all devices of the network can use this address as the destination MAC address.


Ethernet Frame Format Explained


What is the Ethernet frame?
An Ethernet frame is a piece of data along with the information that is required to transport and
deliver that piece of data. In networking reference models, such as the OSI Seven Layers model
and TCP/IP, the Ethernet frame is defined in the Data link layer.

Ethernet format
An Ethernet frame contains three parts: an Ethernet header (Preamble, SFD, Destination, Source,
and Type), Encapsulated data (Data and Pad), and an Ethernet trailer (FCS).

The following image shows an example of an Ethernet frame.

Ethernet header
Ethernet header contains five fields; Preamble, SFD, Destination, Source, and Type. Let's
understand each field in detail.

The preamble field


The preamble field is 7 bytes long. Each byte alternately stores 1 and 0 to make the pattern
'10101010'. Preamble bytes help the receiving device to identify the beginning of an Ethernet
frame. When a device receives 7 continuous bytes of the same pattern (10101010), it assumes
that the incoming data is an Ethernet frame and it locks onto the incoming bit-stream.

The SFD field


The SFD (Start Frame Delimiter) field is 1 byte long. This byte stores the same pattern as the
preamble bytes, except for the last bit. In the last bit, it stores 1 instead of 0. The following
image shows both fields with their related bytes respectively.

The SFD byte indicates to the receiving device that the next byte is the start of the destination
MAC address of the Ethernet frame.

Destination MAC address
This field is 6 bytes long. It contains the MAC address of the destination device. A MAC address
is 6 bytes or 48 bits (1 byte = 8 bits, 6x8 = 48 bits) long. For convenience, it is usually
written as a 12-digit hexadecimal number (such as 0000.0A12.1234).

The destination MAC address allows the receiving device to determine whether an incoming
frame is intended for it or not. If a frame is not intended for the receiving device, the receiving
device discards that frame.

Source MAC address


This field is also 6 bytes long. It contains the MAC address of the source device. It helps the
receiving device in identifying the source device. The following image shows an example of both
types of address in the frame.

Type field
This field is 2 bytes long. This field stores information about the protocol of the upper layer
(network layer).

The Data Link layer of the source computer prepares, packs and loads the Ethernet frame in the
media. The Data link layer of the destination computer picks the Ethernet frame from the media.
After picking the Ethernet frame, the Data link layer of the destination computer unpacks,
processes, and hands over that Ethernet frame to the upper layer for further processing.

If multiple protocols are running in the upper (network) layer of the destination computer, the
data link layer will fail to hand over the received frame to the upper layer as it does not know to
which protocol it should give the received frame.


The type field solves this issue. This field allows the sender computer to insert the information of
the upper layer protocol. Through this information, the data link layer of the destination
computer can easily determine the upper layer protocol to which it should hand over the received
frame.

Modern LAN implementations mostly use the IP protocol in the network layer. There are two
variants of the IP protocol: IPv4 and IPv6. If the type field has the value IP or 0x0800, the
frame is carrying the data of the IPv4 protocol. If the type field has the value IPv6 or 0x86dd,
the frame is carrying the data of the IPv6 protocol.

The following image shows an example of the type field for both IP variants.

Data and Pad field


This field stores the encapsulated data of the upper layer. This field has a size limit of 46 bytes
(minimum) to 1500 bytes (maximum). Due to this limit, the network (upper) layer can't pack more
or less data in a single packet (encapsulated data of the upper layer). If data is less than the
minimum requirement, padding is added. If data is more than the maximum limit, extra data is
packed in the next packet.

FCS (Frame Check Sequence)


This field is 4 bytes long. This field stores a 4 bytes value that is used to check whether the
received frame is intact or not. The sender device takes all fields of the frame except the FCS
field, and runs them through an algorithm, known as the CRC (Cyclic Redundancy Check). The
CRC algorithm generates a 4-byte result, which is placed in this FCS field.

When the destination device receives a frame, it takes the same fields and runs them through
the same algorithm. If the result matches with the value stored in the FCS field, the frame is
considered good and is processed further. If both values do not match, the frame is considered
bad and is dropped.
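
The frame fields described above, as an added Python example that is not part of the original document: it normalizes a MAC address from any of the written styles, builds a frame with padding and FCS, and validates the FCS on receipt. The function names are assumptions made for this sketch, the preamble and SFD are left out because the CRC does not cover them, and the multicast test uses the group bit of the first byte, which is more general than the 01-00-5E prefix named earlier.

```python
import struct
import zlib

ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6"}   # the two Type values named in the text
MIN_DATA, MAX_DATA = 46, 1500                    # limits of the Data and Pad field
HEADER_LEN, FCS_LEN = 14, 4                      # destination + source + type, and the trailer


def parse_mac(text):
    """Accept any written style (spaces, colons, periods, hyphens) and return 6 bytes."""
    digits = "".join(ch for ch in text if ch not in " :.-")
    if len(digits) != 12:
        raise ValueError("expected 12 hexadecimal digits, got %r" % text)
    return bytes.fromhex(digits)                 # raises ValueError on non-hex characters


def mac_type(mac):
    """Classify a 6-byte address as broadcast, multicast or unicast."""
    if mac == b"\xff" * 6:
        return "broadcast"
    if mac[0] & 0x01:                            # group bit; set in 01-00-5E addresses
        return "multicast"
    return "unicast"


def fcs(body):
    """CRC-32 over destination..pad, placed on the wire low byte first."""
    return struct.pack("<I", zlib.crc32(body))


def build_frame(dst, src, ethertype, payload):
    if len(payload) > MAX_DATA:
        raise ValueError("more than 1500 bytes: the rest belongs in the next frame")
    data = payload.ljust(MIN_DATA, b"\x00")      # pad short payloads up to 46 bytes
    body = parse_mac(dst) + parse_mac(src) + struct.pack("!H", ethertype) + data
    return body + fcs(body)


def parse_frame(frame):
    """Validate length and FCS, then return the header fields and the data."""
    if not HEADER_LEN + MIN_DATA + FCS_LEN <= len(frame) <= HEADER_LEN + MAX_DATA + FCS_LEN:
        raise ValueError("frame length outside 64..1518 bytes")
    body, trailer = frame[:-FCS_LEN], frame[-FCS_LEN:]
    # The FCS is an unkeyed checksum: it detects accidental damage only and
    # says nothing about which device actually built the frame.
    if fcs(body) != trailer:
        raise ValueError("FCS mismatch: frame is dropped")
    (ethertype,) = struct.unpack("!H", body[12:14])
    return {
        "dst": body[0:6].hex(),
        "src": body[6:12].hex(),
        "dst_type": mac_type(body[0:6]),
        "protocol": ETHERTYPES.get(ethertype, hex(ethertype)),
        "data": body[HEADER_LEN:],               # still includes any padding
    }


if __name__ == "__main__":
    # Constructed sample: addresses taken from the text, payload made up.
    frame = build_frame("0000.0A12.1234", "00:00:0A:BB:28:FC", 0x0800, b"hello")
    print(len(frame), parse_frame(frame))
    damaged = bytearray(frame)
    damaged[20] ^= 0x01                          # a single flipped bit in the data
    try:
        parse_frame(bytes(damaged))
    except ValueError as err:
        print(err)
```

The parser returns the data field with its padding still attached, because the Ethernet header alone does not say how many of the 46 bytes were payload; the upper layer's own length field decides that.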

How switches learn MAC addresses

As you probably already know, each network card has a unique identifier called a Media Access
Control (MAC) address. MAC addresses are used in LANs for communication between devices on
the same network segment. Devices that want to communicate need to know the MAC address
of the other device before sending out packets.

Switches also use MAC addresses to make accurate forwarding and filtering decisions. When the
switch receives a frame, it associates the media access control (MAC) address of the sending
device with the interface on which it was received. The table that stores such associations is
known as the MAC address table. This table is stored in volatile memory, so associations will be
erased after the switch is restarted.

You can also enter a MAC address manually into the table. These static entries are retained even
after the switch is rebooted.

To better understand how switches learn MAC addresses, consider the following example:

When SW1 is first powered on, the MAC address table will be empty:

But when Host A sends a frame to Host B, the switch will add Host A’s MAC address to its
MAC address table, associating it with the interface Fa0/1. The switch will also learn Host B’s
MAC address when Host B responds to Host A and associate it with its interface Fa0/2:

How switches forward frames

When a frame arrives at a switch interface, the switch looks for the destination hardware (MAC)
address in its MAC table. If the destination MAC address is found in the table, the frame is only
sent out of the appropriate interface. The frame won’t be transmitted out of any other interface.

However, if the destination MAC address isn’t listed in the MAC table, then the frame will be sent
(flooded) out of all active interfaces, except the interface it was received on. If a device answers
the flooded frame, the MAC table is then updated with the corresponding interface.

We will explain the switch forwarding process using the following example network:

Host A is trying to communicate with Host B and sends a frame. The frame arrives at the switch,
which looks for the destination MAC address in its MAC address table:

Since the MAC address is listed in the MAC address table, the switch forwards the frame only to
the port that is connected to the frame’s destination (Fa0/2 in our case).

Note, however, that if the MAC address was not found, the switch would flood the frame out of all
other ports (Fa0/2, Fa0/3, Fa0/4), except the port the frame was received on (Fa0/1). Host B
would receive the flooded frame and respond to Host A. The switch would then receive this
frame on the port Fa0/2 and place the source hardware address in its MAC address table.

Port security feature


All interfaces on a Cisco switch are turned on by default. This means that an attacker could
connect his laptop to your network through a wall socket and potentially perform an attack on
your network. Luckily, there is a feature on Cisco switches called port security that can help you
mitigate the threat.

With port security, you can associate specific MAC addresses with specific interfaces on your
switch. This enables you to restrict access to an interface so that only the authorized devices can
use it. If an unauthorized device is connected, you can decide the action that the switch will take,
such as discarding the traffic, sending an alert, or shutting down the port.

Three steps are required to configure port security:
Three steps are required to configure port security:

- Defining the interface as an access interface using the switchport mode access interface
  subcommand.
- Enabling port security using the switchport port-security interface subcommand.
- Defining which MAC addresses are allowed to send frames through this interface using
  the switchport port-security mac-address MAC_ADDRESS interface subcommand or using
  the switchport port-security mac-address sticky interface subcommand. The sticky keyword
  instructs the switch to dynamically learn the MAC address of the currently connected host.

Two steps are optional:

- Defining the action that the switch will take when a frame from an unauthorized device is
  received. This is done using the switchport port-security violation {protect | restrict | shutdown}
  interface subcommand. All three options discard the traffic from the unauthorized device.
  The restrict and shutdown options send a log message when a violation occurs. Shutdown
  mode also shuts down the port.
- Defining the maximum number of MAC addresses that can be received on the port using
  the switchport port-security maximum NUMBER interface subcommand.

Here is a simple example:

Host A is connected to Fa0/1 on SW1. To enable port security on Fa0/1, we need to define the
port as an access port, enable port security and define which MAC addresses are allowed to send
frames through this interface. We can do this with the following set of commands:

Using the show port-security interface fa0/1 command on SW1, we can see that the switch has
learned the MAC address of Host A:

By default, the maximum number of allowed MAC addresses is one. Consider what happens if we
connect a different host to the same port:

By default, if a security violation occurs, the switch will shut down the offending port. In the
picture above, you can see the status code of err-disabled on Fa0/1, which means that a
security violation has occurred on the port.
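
The learning, forwarding and port security rules described above, as an added Python model that is not part of the original document and is not Cisco code: it is a simplified simulation whose class, method names and host MAC addresses are assumptions made for illustration. It shows the table being filled from source addresses, flooding for unknown destinations, and the three violation modes.

```python
class Switch:
    """Simplified model of the behaviour described in the text, not of IOS itself."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}        # dynamic entries: source MAC -> port it was seen on
        self.secure = {}           # per-port port security settings
        self.err_disabled = set()  # ports shut down after a violation
        self.log = []              # messages produced by restrict and shutdown

    def port_security(self, port, allowed=(), maximum=1, sticky=False,
                      violation="shutdown"):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("unknown violation mode: %s" % violation)
        if len(allowed) > maximum:
            raise ValueError("more allowed addresses than the configured maximum")
        self.secure[port] = {"allowed": set(allowed), "maximum": maximum,
                             "sticky": sticky, "violation": violation}

    def _permitted(self, port, src):
        cfg = self.secure.get(port)
        if cfg is None or src in cfg["allowed"]:
            return True
        if cfg["sticky"] and len(cfg["allowed"]) < cfg["maximum"]:
            cfg["allowed"].add(src)            # sticky: remember the connected host
            return True
        if cfg["violation"] != "protect":      # restrict and shutdown both log
            self.log.append("violation on %s by %s" % (port, src))
        if cfg["violation"] == "shutdown":
            self.err_disabled.add(port)
            self.mac_table = {m: p for m, p in self.mac_table.items() if p != port}
        return False                           # every mode discards the frame

    def receive(self, port, src, dst):
        """Process one frame and return the list of ports it is sent out of."""
        if port in self.err_disabled or not self._permitted(port, src):
            return []
        self.mac_table[src] = port             # address learning from the source field
        active = [p for p in self.ports if p not in self.err_disabled]
        out = self.mac_table.get(dst)
        if out is None:                        # unknown unicast or broadcast: flood
            return [p for p in active if p != port]
        return [out] if out != port else []    # known destination: one port, or filter


# Constructed host addresses for the demonstration.
HOST_A, HOST_B, OTHER = "aaaa.aaaa.aaaa", "bbbb.bbbb.bbbb", "cccc.cccc.cccc"

if __name__ == "__main__":
    sw1 = Switch(["Fa0/1", "Fa0/2", "Fa0/3", "Fa0/4"])
    print(sw1.receive("Fa0/1", HOST_A, HOST_B))   # table empty: flooded
    print(sw1.receive("Fa0/2", HOST_B, HOST_A))   # reply goes to Fa0/1 only
    sw1.port_security("Fa0/1", sticky=True)       # maximum 1, violation shutdown
    print(sw1.receive("Fa0/1", HOST_A, HOST_B))   # Host A becomes the sticky address
    print(sw1.receive("Fa0/1", OTHER, HOST_B))    # different host: port is shut down
    print(sw1.err_disabled, sw1.log)
```

Because the decision rests only on the source address field of each frame, the model also makes clear what port security does and does not check.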

Assign static MAC address


Although Cisco switches dynamically build the MAC address table by using the MAC source
address of the received frames, you can also specify a static address to add to the MAC address
table. The static MAC entries are retained even if the switch is restarted.

To configure a static MAC address, the following command is used:

mac-address-table static MAC_ADDRESS vlan ID interface INTERFACE

For example, the following set of commands will assign the MAC address
of 1111.1111.1111 permanently to the interface Fa0/2, VLAN 1:

To verify the configuration, we can use the show mac address table command:

Layer 2 switching
Layer 2 switching (also known as Data Link layer switching) is the process of using devices’
MAC addresses to decide where to forward frames in a LAN. Layer 2 switching is efficient because
there is no modification to the data packet, only to the frame encapsulation of the packet.

In a typical LAN, all computers are connected to one central device. In the past, the device was
usually a hub. But hubs have many disadvantages: they are not aware of the traffic that passes
through them, they create only a single collision domain, etc. To overcome these problems,
bridges were created. They were better than hubs because they created multiple collision
domains, but they had a limited number of ports. Finally, switches were created and are still
widely used in modern LANs. Switches have more ports than bridges and can inspect incoming
traffic and make forwarding decisions accordingly.

Layer 2 switches are much faster than routers because they don’t take up time looking at the
Network layer header information. Instead, they look at the frame’s hardware addresses to
decide whether to forward, flood, or drop the frame. Here are the major advantages of Layer 2
switching:

- Hardware-based bridging (using ASICs)
- Wire speed
- Low latency
- Low cost

Switches usually perform these three functions:

- Address learning – switches learn MAC addresses by examining the source MAC address of
  each frame received by the switch.
- Forward/filter decisions – switches decide whether to forward or filter a frame, based on the
  destination MAC address.
- Loop avoidance – switches use Spanning Tree Protocol (STP) to prevent network loops while
  still permitting redundancy.

Layer 2 Switching Loops in Network Explained

For backup purposes, we usually create redundant links. A redundant link is an additional link
that we create as the backup of the primary link. If the primary link fails, the redundant link
prevents the network from going down due to the primary link failure.

The redundant or backup link is helpful only when the primary link fails. As long as the primary
link is functioning, the backup link should be disabled. If both the primary and backup links are
active at the same time, they will create a switching loop.

Basic concepts of the switching


To know which device is connected to which port of the switch, the switch learns and stores the
MAC addresses of all connected devices in a table that is known as the CAM table.

When the switch receives a frame, it looks at the destination MAC address of the received frame
in the CAM table. If it finds an entry for the destination MAC address in the CAM table, it forwards
the frame from the port that is mentioned in the entry. If it does not find an entry, it forwards
that frame from all of its ports except the port on which that frame arrived. This process is known
as the frame forwarding.

To build the CAM table or make entries in the CAM table, the switch uses the source MAC address
field of the incoming frames. There are three types of address: unicast, multicast and broadcast.
Of these, only the unicast address is used in the source address field.

Multicast and broadcast addresses are destination-only addresses and are never used in the
source address field of the frame. Since these addresses are not used in the source address field
of any frame, a switch never learns and stores these addresses in the CAM table.

The switch makes forwarding decisions based on the CAM table entries. Since multicast and
broadcast addresses can’t be added to the CAM table, frames which have these addresses in the
destination field are always flooded through the switch.

Besides broadcast and multicast frames, a switch also floods the unknown unicast frame. An
unknown unicast frame is a frame whose destination address has not been learned by the switch.

Layer 2 Switching Loop


A switching loop occurs when more than one link exists between the source and destination
devices. As explained above, a switch always floods three types of frames: unknown unicast,
multicast and broadcast.

If a switch receives any frame of these types, it will forward that frame from all of its ports
except the port on which the frame arrived. If a switching loop exists, the forwarded frame will
be switched in the network endlessly.

Disadvantages or side effects of the loop


When a frame loops around the network indefinitely, it is known as a broadcast storm. A
broadcast storm can saturate all the bandwidth of the network by creating and forwarding
multiple copies of the same frame. It also significantly decreases the performance of the end
devices by forcing them to process duplicate copies of the same frame.

Besides this, a looping frame also makes the CAM table unstable. As explained above, when a
switch receives a frame, it checks the source address field of the frame and associates the
interface or port on which the frame arrived with the MAC address that it finds in the source
address field of the frame.

If a loop exists in the network, a switch can receive the looped frame from multiple interfaces.
Each time the switch receives the looped frame from a different interface, it assumes that the
device has been moved and updates the CAM table entry.

The following image shows how the switch S0 updates the entry of MAC address 1111.1111.1111.

In a nutshell, a layer 2 switching loop creates three major problems: broadcast storm, duplicate
frames, and unstable CAM table. If a loop exists, a single looped frame is sufficient to decrease
the performance of the entire network by consuming the bandwidth and CPU power of the
affected devices.
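
The three loop problems named above, as an added Python simulation that is not part of the original document: it follows a single broadcast through two switches joined by a primary and a backup link, then repeats the run with the backup link disabled. The second switch S1, the port numbers and the function name are assumptions made for this sketch; S0 and the MAC address 1111.1111.1111 come from the text.

```python
def simulate_broadcast(ports, cables, start, src_mac, max_hops):
    """Follow one flooded frame through a set of switches, hop by hop.

    ports:  {switch: [port, ...]} active ports; a port without a cable faces a host
    cables: [((switch, port), (switch, port)), ...] links between switches
    start:  (switch, port) where the host's broadcast first enters
    """
    link = {}
    for a, b in cables:
        link[a], link[b] = b, a
    cam = {sw: {} for sw in ports}           # per-switch CAM table
    cam_moves = {sw: 0 for sw in ports}      # times the entry for src_mac changed port
    host_copies = 0                          # copies sent out of host-facing ports
    in_flight = [start]
    copies_per_hop = []
    for _ in range(max_hops):
        next_hop = []
        for sw, port in in_flight:
            known = cam[sw].get(src_mac)
            if known is not None and known != port:
                cam_moves[sw] += 1           # switch believes the device has moved
            cam[sw][src_mac] = port
            for out in ports[sw]:            # broadcast: flood all ports but the ingress
                if out == port:
                    continue
                peer = link.get((sw, out))
                if peer is None:
                    host_copies += 1
                else:
                    next_hop.append(peer)
        in_flight = next_hop
        copies_per_hop.append(len(in_flight))
        if not in_flight:                    # frame has left the network
            break
    return {"copies_per_hop": copies_per_hop, "host_copies": host_copies,
            "cam_moves": cam_moves}


SRC = "1111.1111.1111"
# Constructed topology: port 1 on each switch faces a host, ports 2 and 3 are the two links.
LOOPED = simulate_broadcast(
    {"S0": [1, 2, 3], "S1": [1, 2, 3]},
    [(("S0", 2), ("S1", 2)), (("S0", 3), ("S1", 3))],
    ("S0", 1), SRC, max_hops=6)
# Same switches with the backup link (port 3) disabled.
SINGLE = simulate_broadcast(
    {"S0": [1, 2], "S1": [1, 2]},
    [(("S0", 2), ("S1", 2))],
    ("S0", 1), SRC, max_hops=6)

if __name__ == "__main__":
    print("both links active:", LOOPED)
    print("backup disabled:  ", SINGLE)
```

With both links active the frame never leaves the network and the hop limit is the only thing that ends the run; with the backup link disabled, the same frame is delivered once and disappears.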
