Ethernet Explained — Frame Format, MAC Addresses, and Switching

⏱ approx. 20 min | Date: 2026-05-10

Ethernet (IEEE 802.3) is the L2 protocol that has survived nearly 50 years as the only practical choice for wired LAN. It's grown its speed by 10,000×, swapped its media from coax to twisted pair to fiber, and changed its topology from shared bus to switched — and still kept the frame format compatible the whole way. This article aims for "read it, configure it, defend it," walking through the unchanging center of Ethernet and the operational knowledge needed today.

01

The frame format — Ethernet's unchanging center

The reason Ethernet has stayed compatible for half a century is that the frame format has barely changed since standardization in IEEE 802.3. IP, ARP, VLAN — they all exist as the contents of this one envelope.

| Region | Size | Role |
|---|---|---|
| Preamble | 7 bytes | 10101010 × 7. Handled by NIC hardware; invisible to the OS |
| SFD | 1 byte | 10101011. Start-of-frame marker |
| Dst MAC | 6 bytes | Destination hardware address |
| Src MAC | 6 bytes | Source hardware address |
| EtherType | 2 bytes | Payload type (0x0800=IPv4 / 0x0806=ARP / 0x86DD=IPv6 / 0x8100=VLAN) |
| Payload | 46–1500 bytes | Upper-layer protocol (IP / ARP etc.) |
| FCS | 4 bytes | CRC-32. Receiver recomputes and compares → drops on mismatch |
| IPG | 12 bytes equivalent | Inter-frame gap (HW-managed) |

What to remember:

  • Preamble + SFD + IPG are handled by NIC hardware. "Ethernet frame," in normal usage, means Dst MAC through FCS.
  • EtherType is the key to "how should the payload be read." When tcpdump separates "IP packet" from "ARP packet," it's just reading this field.
  • The 46-byte minimum payload is a CSMA/CD-era legacy meant to satisfy the 64-byte minimum frame length needed for collision detection. It carries no practical meaning today but remains for compatibility.
  • FCS only detects corruption. On a mismatch the NIC silently discards the frame, and retransmission is the upper layer's (TCP's) job. Ethernet itself does not retransmit.
▸ The 802.1Q VLAN tag inserts 4 bytes between Src MAC and EtherType

TPID=0x8100 marks "VLAN tag starts here," followed by 2 bytes of TCI carrying PCP + DEI + VID (12 bit, 1-4094). EtherType simply gets pushed one slot deeper; everything else is the same format. The tagged maximum frame length is 1522 bytes.
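The layout above, Dst MAC through FCS with optional 802.1Q tags, as a small parser. This is an added example, not code from the original article; `parse_frame` and `build_frame` are hypothetical names, and the sample frame is constructed.

```python
import struct
import zlib

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def parse_frame(frame: bytes) -> dict:
    """Parse Dst MAC through FCS. ValueError on a runt frame or FCS mismatch."""
    if len(frame) < 64:
        raise ValueError("runt frame: shorter than the 64-byte minimum")
    body, fcs = frame[:-4], frame[-4:]
    # FCS = CRC-32 over Dst MAC..payload, least-significant byte first on the wire
    if struct.pack("<I", zlib.crc32(body)) != fcs:
        raise ValueError("FCS mismatch: a NIC would silently drop this frame")
    offset, tags = 12, []
    (ethertype,) = struct.unpack_from("!H", body, offset)
    # One pass per (possibly stacked) tag; the bound keeps reads inside the frame
    while ethertype == TPID_8021Q and offset + 6 <= len(body):
        (tci,) = struct.unpack_from("!H", body, offset + 2)
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4                           # EtherType is pushed 4 bytes deeper
        (ethertype,) = struct.unpack_from("!H", body, offset)
    return {
        "dst": body[0:6].hex(":"),
        "src": body[6:12].hex(":"),
        "vlan_tags": tags,
        "ethertype": ethertype,
        "payload": body[offset + 2:],         # still includes any padding
    }

def build_frame(dst: str, src: str, ethertype: int, payload: bytes, vid=None) -> bytes:
    """Build a constructed sample frame: pad payload to 46 bytes, append FCS."""
    header = bytes.fromhex(dst.replace(":", "") + src.replace(":", ""))
    if vid is not None:
        header += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # PCP=0, DEI=0
    body = header + struct.pack("!H", ethertype) + payload.ljust(46, b"\x00")
    return body + struct.pack("<I", zlib.crc32(body))

if __name__ == "__main__":
    # Constructed sample: a broadcast ARP frame tagged with VLAN 100
    sample = build_frame("ff:ff:ff:ff:ff:ff", "02:11:22:33:44:55", 0x0806, b"", vid=100)
    print(parse_frame(sample))
```

More than one entry in `vlan_tags` on a frame arriving at a host-facing port is the double-tagging pattern listed in section 08.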

02

MAC addresses — the 48-bit hardware identifier

Now for a closer look at the Dst/Src MAC fields. A MAC address is 48 bits (6 bytes), written in hex as 00:1A:2B:3C:4D:5E. The upper 24 bits are the OUI (a per-vendor number assigned by IEEE), and the lower 24 bits are a serial number within that vendor.

The lower 2 bits of the first byte carry special meaning:

| Bit | Name | Meaning |
|---|---|---|
| bit 0 (I/G) | Individual / Group | 0 = unicast / 1 = multicast or broadcast |
| bit 1 (U/L) | Universal / Local | 0 = globally unique (OUI-assigned) / 1 = locally administered (virtual NICs etc.) |

Common patterns to recognise:

  • ff:ff:ff:ff:ff:ff — broadcast (ARP request etc.)
  • 01:00:5e:xx:xx:xx — IPv4 multicast
  • 33:33:xx:xx:xx:xx — IPv6 multicast
  • 02:xx:xx:xx:xx:xx etc. — virtual NICs on VMs / Docker / WSL, or macOS / iOS Private Wi-Fi Address
Inspect and change MAC addresses on Linux

```
$ ip link show            # MAC per interface
$ ip neigh                # ARP table (IP → MAC)
$ ethtool -P eth0         # permanent MAC (differs from current if changed)

# Temporarily change MAC (anonymization / testing / recovery)
$ sudo ip link set dev eth0 address 02:11:22:33:44:55
```

▸ MAC addresses only have meaning within one LAN (one hop)

Every time a router is crossed, the source and destination MACs are rewritten (the IPs stay the same). The IP and MAC "identify different things at different layers" — a layering distinction that often trips up beginners.

03

Shared bus to switched — same name, different thing inside

Older textbooks teach "Ethernet = CSMA/CD: wait and retry on collision," but that has almost nothing to do with modern Ethernet. The topology changed fundamentally.

1. Shared bus era (1980s-90s)
All hosts attached to one coax (10BASE5 / 10BASE2) or hub (10BASE-T). One physical wire = one collision domain, half-duplex, simultaneous transmission = collision → retry via CSMA/CD. Performance degraded as the number of hosts grew.
2. Transition (late 1990s onward)
10BASE-T and later twisted pair + RJ-45 became default; hubs disappeared and were replaced by switches.
3. Switched full-duplex (today)
The switch treats each port as an independent point-to-point link. Send and receive run on separate pairs, so collisions don't happen and CSMA/CD is disabled. N hosts run N links at full bandwidth simultaneously.

The "half-duplex / full-duplex / auto-negotiation" toggles still on NICs are leftovers from the shared-bus era. In practice today, the answer is always "full-duplex."

▸ CSMA/CD died, but it lives on in Wi-Fi

Wi-Fi (802.11) still runs on a closely-related CSMA/CA (Collision Avoidance). Wi-Fi slowing down on a crowded channel is exactly because "the problem Ethernet threw away survived only on the wireless side".

04

Inside a switch — MAC learning and flooding

How does a switch know "this MAC is on this port"? It simply records the source MAC of every incoming frame against the port it came in on (= MAC learning). No pre-configuration needed — this is exactly what makes Ethernet "plug-and-play."

1. Learn the source MAC
On frame arrival, the src MAC and the arrival port are written to (or refreshed in) the FDB (Forwarding Database).
2. Look up the destination MAC in the FDB
Hit → forward only out that port (forwarding). Miss (unknown unicast) → copy to every port except the arrival port (unknown unicast flood).
3. Broadcast is always flooded
Anything to ff:ff:ff:ff:ff:ff always goes out every port. ARP requests reach hosts via this mechanism.
4. Age out stale entries
Entries that are not refreshed within the aging time (default ~300 seconds) are removed, so mobile hosts can be tracked when they move ports.
Peek into the FDB / MAC table

```
# Linux bridge (= a software L2 switch)
$ bridge fdb show
$ ip link show type bridge

# Cisco IOS
switch# show mac address-table
switch# show mac address-table address aa.aa.aa
switch# show spanning-tree              # STP state
```

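The four steps above (learn, look up, flood, age out) as a toy model. This is an added example, not code from the original article; `LearningSwitch`, the port numbers and the MAC addresses in the demo are all made up for illustration.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    """Toy model of MAC learning; timestamps are passed in so aging is testable."""

    def __init__(self, ports, aging_seconds=300):
        self.ports = set(ports)
        self.aging = aging_seconds
        self.fdb = {}                      # MAC -> (port, last_seen)

    def receive(self, in_port, src, dst, now):
        """Process one frame; return the sorted list of ports it is sent out of."""
        # Step 4: drop entries that were not refreshed within the aging time
        self.fdb = {mac: (port, seen) for mac, (port, seen) in self.fdb.items()
                    if now - seen < self.aging}
        # Step 1: learn or refresh the source MAC; a host move overwrites the port
        self.fdb[src] = (in_port, now)
        # Step 3: broadcast never consults the FDB, it is always flooded
        if dst == BROADCAST:
            return sorted(self.ports - {in_port})
        # Step 2: hit -> forward out one port, miss -> unknown unicast flood
        entry = self.fdb.get(dst)
        if entry is None:
            return sorted(self.ports - {in_port})
        out_port = entry[0]
        # A destination on the arrival port needs no forwarding at all
        return [] if out_port == in_port else [out_port]

if __name__ == "__main__":
    sw = LearningSwitch(ports=[1, 2, 3])
    host_a, host_b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"   # constructed MACs
    print(sw.receive(1, host_a, BROADCAST, now=0))   # ARP-style broadcast: flooded
    print(sw.receive(2, host_b, host_a, now=1))      # A was learned on port 1
    print(sw.receive(3, host_a, host_b, now=400))    # B aged out: flooded again
```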
▸ Loop prevention — without STP the network melts

Connect multiple switches with redundant links and broadcasts loop and multiply forever. STP (Spanning Tree Protocol, 802.1D) exchanges BPDUs among switches and blocks one link logically to enforce a tree topology. Classical STP converges in 30-50 seconds; RSTP (802.1w) shortened that to a few seconds. At data-center scale, STP has been replaced by TRILL / SPB / EVPN-VXLAN.

05

VLAN (802.1Q) — multiplexing many L2s on one wire

Instead of physically separating LANs, attach a 12-bit tag (VID) to frames to separate them logically — that's VLAN. Even on the same switch and the same wire, different VIDs are different L2 worlds.

  • VID — 12 bits (1-4094). 0 and 4095 reserved. Capped at 4094 entries, which became insufficient at cloud scale, leading to VXLAN (24-bit, ~16M) as the successor.
  • Access port — host-facing port. Belongs to a single VLAN and passes untagged frames.
  • Trunk port — switch-to-switch / router-to-switch port. Carries multiple VLANs with tags.
  • Native VLAN — the VLAN sent untagged on a trunk (default VLAN 1). It's a breeding ground for VLAN hopping, so the standard practice is to never use it for production traffic.
Create a VLAN sub-interface on Linux

```
$ sudo ip link add link eth0 name eth0.100 type vlan id 100
$ sudo ip addr add 10.100.0.5/24 dev eth0.100
$ sudo ip link set eth0.100 up
```

Configure access / trunk ports on Cisco IOS

```
(config)# interface Gi0/1
(config-if)# switchport mode access
(config-if)# switchport access vlan 10

(config)# interface Gi0/24
(config-if)# switchport mode trunk
(config-if)# switchport trunk allowed vlan 10,20,30
(config-if)# switchport trunk native vlan 999   # never make a production VLAN the native
```

VLANs are used for many things — splitting broadcast domains, isolating departments, voice VLAN carrying IP phone + PC on one cable. Communication between VLANs requires L3 routing (a router or L3 switch) — VLAN only separates at L2, and crossing the boundary needs an IP-layer routing decision.

06

Speed generations and media — from 10M to 400G

Ethernet pushed speeds up by 10,000× while keeping the same frame format because the physical layer (PHY) gets swapped wholesale at each speed. It's the victory of a design that cleanly separated L2 (the frame) from L1 (the signalling).

| Speed | Standard | Year | Media | Cable |
|---|---|---|---|---|
| 10 Mbps | 10BASE-T | 1990 | UTP | Cat3+ |
| 100 Mbps | 100BASE-TX | 1995 | UTP | Cat5+ |
| 1 Gbps | 1000BASE-T | 1999 | UTP | Cat5e+ |
| 2.5 / 5 Gbps | 2.5G/5GBASE-T | 2016 | UTP | Cat5e/6 (existing OK) |
| 10 Gbps | 10GBASE-T / -SR | 2006 | UTP / fiber (MMF) | Cat6a+ / OM3+ |
| 25 / 40 / 100 Gbps | 25/40/100GBASE | 2010s | fiber / DAC | OM4 / OS2 |
| 400 Gbps | 400GBASE | 2017 | fiber (SMF) | OS2 |

Twisted pair (UTP) speed ceilings are determined by category (Cat):

  • Cat5e — 1 Gbps (the floor for modern LAN)
  • Cat6 — 1 Gbps at full length / 10 Gbps over short runs (55m)
  • Cat6a — 10 Gbps at full length (100m)
  • Cat8 — 25 / 40 Gbps (short runs in DCs)

Fiber comes in two kinds — MMF (multi-mode) for short runs (hundreds of m, cheaper, intra-DC) and SMF (single-mode) for long runs (km to tens of km, carrier / inter-site).

▸ PoE (Power over Ethernet, 802.3af/at/bt)

A standard for carrying up to 90W (802.3bt) of power alongside data on a Cat cable. IP phones, Wi-Fi APs, surveillance cameras, and door controllers can be installed without AC power — a must-have feature for modern enterprise.

07

Auto-negotiation and MTU — classic pitfalls

Auto-negotiation is the mechanism by which both ends of a link agree on "this speed and this duplex." If both ends are auto, it's fine — but if one side is fixed and the other is auto, the auto side falls back to half-duplex while the fixed side stays full-duplex. Every frame transmitted triggers a false collision and performance drops off a cliff — the classic duplex mismatch.

Inspect speed / duplex / auto-negotiation with ethtool

```
$ ethtool eth0            # current state

# Fix both ends at 1G full-duplex (disable auto) — usually unnecessary
$ sudo ethtool -s eth0 speed 1000 duplex full autoneg off
```

MTU (Maximum Transmission Unit) is the maximum payload size per frame. Ethernet's default is 1500 bytes. Inside data centers, 9000 bytes (jumbo frames) are common and have a big effect on iSCSI / NFS / NVMe-oF throughput.

▸ The PMTU black hole

If a firewall on the path drops ICMP "Fragmentation Needed," packets get black-holed and you see the nasty symptom of "ping works but large transfers stall". The standard workaround is dropping MTU from 1500 to 1492 (PPPoE) or 1450 (VPN/tunnel).

08

L2 attack surface and defenses — always deploy the baseline

The switch's naïve "learn MAC and forward" mechanism is directly vulnerable to attacks operating at L2. The minimum attacks to know and the defenses modern switches provide:

| Attack | Mechanism | Defense |
|---|---|---|
| MAC flooding (CAM overflow) | Flood with frames carrying fake src MACs, overflow the FDB, learning fails → all frames flooded = hub-mode regression → eavesdropping possible | port security (cap the number of MACs learned per port) |
| ARP spoofing | Send forged ARP replies claiming "the gateway IP is my MAC" → MITM | DAI (Dynamic ARP Inspection) — cross-check against the DHCP snooping binding table |
| DHCP starvation / rogue DHCP | Exhaust the DHCP pool with fake MACs / distribute wrong GW/DNS via a fake DHCP | DHCP snooping — accept DHCP offers only from trusted ports |
| VLAN hopping (Double Tagging) | Stack two 802.1Q tags; the first switch strips the outer, the next routes by the inner VID to a different VLAN | Don't use the native VLAN for production + don't allow unused VLANs on trunks |
| VLAN hopping (Switch Spoofing) | Send forged DTP on an access port to auto-negotiate it into trunk → spy on every VLAN | Explicit switchport mode access + disable DTP (switchport nonegotiate) |
| STP attack (BPDU spoofing) | Spoof BPDUs to claim root bridge, rewrite topology → MITM | BPDU guard — host-facing ports err-disable immediately on receiving a BPDU |

Cisco IOS — recommended template for host-facing ports

```
(config)# interface GigabitEthernet0/1
(config-if)# switchport mode access
(config-if)# switchport access vlan 10
(config-if)# switchport nonegotiate                        # disable DTP
(config-if)# switchport port-security                      # enable port security
(config-if)# switchport port-security maximum 2            # PC + IP phone case
(config-if)# switchport port-security violation restrict
(config-if)# spanning-tree portfast
(config-if)# spanning-tree bpduguard enable                # err-disable on BPDU arrival
(config-if)# ip dhcp snooping limit rate 15

(config)# ip dhcp snooping                                 # global enable; per-VLAN snooping is inactive without it
(config)# ip dhcp snooping vlan 10
(config)# ip arp inspection vlan 10                        # enable DAI
```

▸ The minimum defense template

Bundling port security + DHCP snooping + DAI + BPDU guard + forced switchport mode access into a template for access ports is the de facto standard for enterprise switch operations. There is also an L2 encryption standard called MACsec (802.1AE), but it requires per-pair key management and broad switch support, so most organizations protect above L3 (IPsec, TLS) as the practical answer.
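How DHCP snooping and DAI from the table fit together, as decision logic: snooping builds the binding table, DAI checks ARP against it. This is an added sketch, not code from the original article and not any vendor's implementation; `AccessSwitch`, its method names and the addresses in the demo are hypothetical.

```python
class AccessSwitch:
    """Decision logic only: which DHCP and ARP messages a port may pass."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplinks toward the real DHCP server
        self.pending = {}                   # (vlan, client MAC) -> client port
        self.bindings = {}                  # (vlan, IP) -> (MAC, port)

    def on_dhcp_client_msg(self, port, vlan, client_mac):
        """DISCOVER/REQUEST: remember which port the client sits on."""
        self.pending[(vlan, client_mac)] = port
        return "forward"

    def on_dhcp_server_msg(self, port, vlan, client_mac, leased_ip, is_ack=True):
        """OFFER/ACK: only trusted ports may speak as a DHCP server."""
        if port not in self.trusted:
            return "drop: DHCP server message on untrusted port"
        client_port = self.pending.get((vlan, client_mac))
        if is_ack and client_port is not None:
            # The ACK confirms the lease, so record IP -> MAC/port for DAI
            self.bindings[(vlan, leased_ip)] = (client_mac, client_port)
        return "forward"

    def on_arp(self, port, vlan, sender_mac, sender_ip):
        """DAI: ARP arriving on an untrusted port must match a snooped binding."""
        if port in self.trusted:
            return "forward"
        bound = self.bindings.get((vlan, sender_ip))
        if bound is None:
            return "drop: no binding for sender IP"
        if bound != (sender_mac, port):
            return "drop: sender IP is bound to another MAC/port"
        return "forward"

if __name__ == "__main__":
    sw = AccessSwitch(trusted_ports={24})            # constructed scenario
    sw.on_dhcp_client_msg(1, 10, "02:00:00:00:00:0a")
    sw.on_dhcp_server_msg(24, 10, "02:00:00:00:00:0a", "10.0.10.50")
    print(sw.on_arp(1, 10, "02:00:00:00:00:0a", "10.0.10.50"))   # matches binding
    print(sw.on_arp(2, 10, "02:00:00:00:00:0b", "10.0.10.1"))    # claims gateway IP
```

The "no binding" branch also catches a legitimate host with a static IP, which has no snooped lease and needs a static entry before DAI will pass its ARP.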

09

The relationship with Wi-Fi — a single frame format across both

The reason a Wi-Fi-connected phone at home or work can see a wired printer directly is that Wi-Fi (802.11) and Ethernet (802.3) share the same MAC + EtherType + Payload frame format. The access point (AP) acts as an "L2 bridge that translates wireless frames into wired frames" — it converts incoming 802.11 frames into 802.3 frames and forwards them on the wire (and the reverse).

This means:

  • IPs in the same subnet can coexist between Wi-Fi and wired
  • L2-broadcast protocols like ARP / DHCP / mDNS / NetBIOS reach both sides
  • From the switch's view, the AP is "a port hosting multiple MACs"

The reason "a Wi-Fi-only network without Ethernet" practically doesn't exist (every AP uplinks via wire) is that Ethernet is the common L2 language. Wi-Fi handles the wireless PHY and MAC layers, but above that, everything rides on the same single Ethernet frame format.

▸ Summary — what to nail in operational order

"Read the frame format and MACs" → "understand what a switch learns and what it floods" → "split L2 with VLANs" → "deploy port security / DHCP snooping / DAI / BPDU guard as templates." With these four in place, you have the footing to reason through most enterprise L2 problems yourself.
