
Ethernet Explained: Frames, MAC Addresses, and Switching

2026-05-10

Ethernet #

Ethernet (IEEE 802.3) has survived nearly 50 years as effectively the only choice for wired LAN at L2. What began at Xerox PARC in 1973 — Bob Metcalfe et al.'s design "everyone hangs off the same fat coax cable; on a collision, back off and retry" — has scaled speed by 10,000× (10 Mbps → 100 Gbps), swapped media (coax → twisted pair → fiber), and swapped topology (shared bus → switched), all while keeping the frame format compatible.

The starting point: modern Ethernet is almost a different thing from 1985 Ethernet. CSMA/CD is essentially a dead word; in modern switched networks, collisions don't happen at all. Yet everything still rides the same single frame format, which is what makes Ethernet the L2 common language every OS and app on Earth speaks without coordination.

This article goes "frame format → MAC address → the shared-bus-to-switched shift → inside a switch → VLAN → speed generations → attack surface and defenses" — the things worth knowing about Ethernet, in that order.

1. The frame format — Ethernet's unchanging center #

Ethernet has stayed compatible for 50 years because the IEEE 802.3 frame format barely changed after standardization. IP, ARP, VLAN — all of them are payloads inside this single envelope.

[Figure: Ethernet frame format (DIX / IEEE 802.3) and the 802.1Q VLAN tag. Sizes in bytes; Preamble + SFD + IPG are handled by hardware and invisible to the OS.]

Physical layer — the bytes the NIC actually puts on the wire:
  Preamble (7 bytes, 10101010 × 7) | SFD (1 byte, 10101011) | [ Ethernet frame body, expanded below ] | IPG (12-byte equivalent inter-packet gap)
  Only the frame body is what the OS / driver builds and parses.

Ethernet frame body — what the OS sees as "one packet":
  Dst MAC (6 bytes, destination HW addr) | Src MAC (6 bytes, source HW addr) | EtherType (2 bytes, 0x0800 = IPv4 etc.) | Payload (46 to 1500 bytes; IP / ARP / etc., selected by EtherType) | FCS (4 bytes, CRC-32)
  Min 64 bytes (= dst + src + type + 46-byte payload + FCS), max 1518 bytes (up to 9018 with jumbo frames)

802.1Q VLAN-tagged frame — 4 bytes inserted between Src MAC and EtherType:
  Dst MAC (6 bytes) | Src MAC (6 bytes) | TPID (2 bytes, 0x8100) | TCI (2 bytes, PCP + DEI + VID) | EtherType (2 bytes) | Payload (46 to 1500 bytes) | FCS (4 bytes)
  Max 1522 bytes; hardware sees TPID = 0x8100 and recognizes "this is VLAN-tagged"

Common EtherType values (the key for interpreting the Payload):
  • 0x0800 = IPv4
  • 0x0806 = ARP
  • 0x86DD = IPv6
  • 0x8100 = 802.1Q VLAN
  • 0x8847 = MPLS
  • 0x88CC = LLDP
  • 0x88E5 = MACsec
  • 0x88F7 = PTP (time sync)

FCS is recomputed by the receiver and compared → mismatch = drop (loss detection only, no retransmit; that's TCP's job)

The takeaways:

  • Preamble (7 B) + SFD (1 B) + IPG (12-byte equivalent) are handled by NIC hardware and never visible to the OS or Wireshark. When people say "Ethernet frame," they usually mean Dst MAC through FCS, excluding those.
  • EtherType (2 bytes) is the key to "how to interpret the Payload." tcpdump separating "IP packet" vs "ARP packet" is just reading this field.
  • Payload is 46 to 1500 bytes. The 46-byte minimum exists to satisfy the 64-byte minimum frame size required for collision detection — meaningless today, but kept for format compatibility. A CSMA/CD legacy.
  • FCS (4-byte CRC-32) is loss detection only. On mismatch, the receiving NIC silently drops the frame. Retransmission is the upper layer's (TCP's) job — Ethernet itself doesn't retransmit.
  • An 802.1Q VLAN tag inserts 4 bytes (TPID + TCI) between Src MAC and EtherType. TPID=0x8100 is the "this is a VLAN tag" marker; the lower 12 bits of TCI are the VID (VLAN ID, 1 to 4094). The EtherType is just pushed back one slot — same format otherwise.
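To make the layout above concrete, here is a small parser and builder written for this article as an added example (it is not code from the original post). It walks the Dst MAC / Src MAC / optional 802.1Q tag / EtherType / Payload / FCS layout described above, recomputes the CRC-32 FCS the way a receiving NIC does, and enforces the 64-byte minimum. The sample frames it builds (an ARP broadcast and a VLAN-100 IPv4 frame) are constructed for the demonstration; the `build_frame` and `parse_frame` names are this example's own.

```python
import struct
import zlib

# EtherType values from the table in the text; anything else is reported as "unknown"
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "802.1Q",
              0x8847: "MPLS", 0x88CC: "LLDP", 0x88E5: "MACsec", 0x88F7: "PTP"}
TPID_8021Q = 0x8100
MIN_FRAME = 64  # dst(6) + src(6) + type(2) + payload(46) + FCS(4)


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def parse_frame(frame):
    """Split an Ethernet frame (Dst MAC through FCS, as the OS sees it) into fields.

    Handles an optional 802.1Q tag and verifies the CRC-32 FCS.
    """
    if len(frame) < MIN_FRAME:
        raise ValueError(f"runt frame: {len(frame)} bytes < {MIN_FRAME}-byte minimum")
    dst, src, etype = struct.unpack_from("!6s6sH", frame, 0)
    offset = 14
    info = {"dst": mac_str(dst), "src": mac_str(src), "vlan": None}
    if etype == TPID_8021Q:
        # Tag = TPID (just consumed) + TCI: PCP (3 bits) | DEI (1 bit) | VID (12 bits)
        (tci,) = struct.unpack_from("!H", frame, 14)
        info["vlan"] = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        (etype,) = struct.unpack_from("!H", frame, 16)  # real EtherType, pushed back one slot
        offset = 18
    info["ethertype"] = etype
    info["proto"] = ETHERTYPES.get(etype, "unknown")
    info["payload"] = frame[offset:-4]
    # FCS = CRC-32 over everything before it, transmitted least-significant byte first.
    # The receiver recomputes and compares; on mismatch it silently drops (no retransmit).
    computed = zlib.crc32(frame[:-4]) & 0xFFFFFFFF
    (received,) = struct.unpack("<I", frame[-4:])
    info["fcs_ok"] = computed == received
    return info


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build a frame the way a driver would: header, payload, pad to the minimum, append FCS."""
    header = mac_bytes(dst) + mac_bytes(src)
    if vid is not None:
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    header += struct.pack("!H", ethertype)
    body = header + payload
    body += b"\x00" * max(0, MIN_FRAME - 4 - len(body))  # pad so the frame reaches 64 bytes
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


if __name__ == "__main__":
    # Constructed samples: an untagged ARP broadcast and a VLAN-100, PCP-5 IPv4 frame
    arp = build_frame("ff:ff:ff:ff:ff:ff", "00:1a:2b:3c:4d:5e", 0x0806, b"\x00" * 28)
    tagged = build_frame("00:1a:2b:3c:4d:5e", "02:11:22:33:44:55", 0x0800,
                         b"\x45" + b"\x00" * 45, vid=100, pcp=5)
    for f in (arp, tagged):
        p = parse_frame(f)
        print(f"{p['src']} -> {p['dst']} {p['proto']} vlan={p['vlan']} "
              f"fcs_ok={p['fcs_ok']} len={len(f)}")
    damaged = bytearray(arp)
    damaged[20] ^= 0xFF  # flip one payload byte: the FCS no longer matches
    print("corrupted frame fcs_ok:", parse_frame(bytes(damaged))["fcs_ok"])
```

Note that the 28-byte ARP payload is padded to 46 bytes before the FCS is appended, which is exactly why a captured ARP frame is 60 bytes in Wireshark (the NIC has already stripped the FCS) and 64 on the wire.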

2. The MAC address — a 48-bit hardware identifier #

One layer deeper into Dst/Src MAC. 48 bits (6 bytes), written like 00:1A:2B:3C:4D:5E. The first 24 bits are the OUI (Organizationally Unique Identifier — a vendor block IEEE assigns); the last 24 bits are vendor-internal serials.

00:1A:2B : 3C:4D:5E
└─OUI──┘ └─NIC-uniq─┘
 (Cisco)  (serial)

The lowest 2 bits of the first byte carry meaning:

| Bit | Name | Meaning |
|---|---|---|
| bit 0 (I/G bit) | Individual / Group | 0 = unicast / 1 = multicast or broadcast |
| bit 1 (U/L bit) | Universal / Local | 0 = globally unique (vendor-assigned OUI) / 1 = locally administered (virtual NICs etc.) |

Hence:

  • ff:ff:ff:ff:ff:ff = broadcast (everyone on the LAN; ARP requests etc.)
  • 01:00:5e:xx:xx:xx = IPv4 multicast (the IPv4 multicast → MAC mapping)
  • 33:33:xx:xx:xx:xx = IPv6 multicast
  • Addresses with bit 1 set like 02:xx:xx:xx:xx:xx = VM / Docker / WSL virtual NICs or macOS / iOS Private Wi-Fi Address (rotated periodically)

# View MAC addresses on Linux
ip link show                     # MAC of each NIC
ip neigh                         # ARP table (IP → MAC mapping)
ethtool -P eth0                  # Permanent MAC (differs from current MAC = it's been changed)

# Temporarily change a MAC (anonymity, validation, recovery)
sudo ip link set dev eth0 address 02:11:22:33:44:55

A MAC address only has meaning within a single LAN (one hop). Cross a router and the source / destination MAC gets rewritten (the IP stays). This is a direct consequence of IP and MAC identifying things at different layers, and it's a place beginners commonly trip.
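The bit rules and multicast prefixes above can be checked mechanically. The following is an added example written for this article (not code from the original post): it decodes the OUI and the I/G and U/L bits of any MAC, and goes one step beyond the list by implementing the actual IPv4 (RFC 1112, 01:00:5e + low 23 bits) and IPv6 (RFC 2464, 33:33 + low 32 bits) multicast-to-MAC mappings. The function names and the sample addresses are this example's own.

```python
import ipaddress


def mac_bytes(mac):
    """Accept 00:1a:2b:3c:4d:5e, 00-1A-2B-3C-4D-5E or Cisco-style 001a.2b3c.4d5e."""
    hexstr = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(hexstr) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes.fromhex(hexstr)


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def classify_mac(mac):
    """Decode the OUI and the two flag bits carried in the first byte."""
    raw = mac_bytes(mac)
    ig = raw[0] & 0x01          # bit 0: 0 = individual (unicast), 1 = group
    ul = (raw[0] >> 1) & 0x01   # bit 1: 0 = universal (vendor OUI), 1 = locally administered
    if raw == b"\xff" * 6:
        kind = "broadcast"      # all-ones is the special case of a group address
    elif ig:
        kind = "multicast"
    else:
        kind = "unicast"
    return {
        "mac": mac_str(raw),
        "oui": mac_str(raw[:3]),
        "kind": kind,
        "locally_administered": bool(ul),
    }


def ipv4_multicast_mac(group):
    """RFC 1112 mapping: 01:00:5e + the low 23 bits of the IPv4 group address.

    Only 23 of the 28 group bits survive, so 32 IPv4 groups share one MAC.
    """
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    return mac_str(bytes.fromhex("01005e") + low23.to_bytes(3, "big"))


def ipv6_multicast_mac(group):
    """RFC 2464 mapping: 33:33 + the low 32 bits of the IPv6 group address."""
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    low32 = int(addr) & 0xFFFFFFFF
    return mac_str(b"\x33\x33" + low32.to_bytes(4, "big"))


if __name__ == "__main__":
    # Constructed sample addresses covering each row of the table above
    for mac in ("00:1a:2b:3c:4d:5e", "02:42:ac:11:00:02", "01:00:5e:00:00:fb",
                "33:33:00:00:00:01", "ff:ff:ff:ff:ff:ff", "001a.2b3c.4d5e"):
        print(classify_mac(mac))
    print("224.0.0.251 (mDNS) ->", ipv4_multicast_mac("224.0.0.251"))
    print("239.128.0.251      ->", ipv4_multicast_mac("239.128.0.251"), "(same MAC: 23-bit overlap)")
    print("ff02::1 (all nodes) ->", ipv6_multicast_mac("ff02::1"))
    print("ff02::1:ff00:1 (solicited-node) ->", ipv6_multicast_mac("ff02::1:ff00:1"))
```

The 32-to-1 overlap in the IPv4 mapping is worth remembering when reading switch IGMP-snooping tables or NIC multicast filters: a host joined to 239.128.0.251 will also receive mDNS frames for 224.0.0.251 at the hardware level and must filter them in software.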

3. Shared bus to switched — the same name, a different inside #

Older textbooks teach "Ethernet = CSMA/CD: collide, back off, retry." Almost irrelevant to modern Ethernet — the topology shifted at the root.

1980s–90s (shared-bus era):

  • Coax (10BASE5 thicknet / 10BASE2 thinnet) or a hub (10BASE-T), with everyone hanging off it
  • One physical wire = one collision domain = only one party can transmit at a time (half-duplex)
  • Simultaneous transmissions = collision → both sides back off random time and retry = CSMA/CD (Carrier Sense Multiple Access with Collision Detection)
  • Throughput degrades as host count grows, because collisions multiply

Today (switched full-duplex):

  • A switch treats each port as an independent point-to-point link = collision domains separated per port
  • Each link uses separate transmit and receive pairs (full-duplex) → collisions cannot occur → CSMA/CD is disabled
  • Internally the switch keeps a MAC address table that learns "this MAC lives on this port" and forwards accordingly
  • Result: N hosts can saturate N links simultaneously at full bandwidth

The shift happened in the late 1990s through early 2000s. Twisted pair + RJ-45 (10BASE-T onward) became the assumption, and hubs disappeared in favor of switches. The reason "half-duplex" / "full-duplex" / "auto-negotiation" still appear in NIC settings is shared-bus residue — but modern links are essentially always full-duplex.

Worth knowing: CSMA/CD is dead, but Wi-Fi (802.11) still uses a similar mechanism (CSMA/CA, Collision Avoidance). The reason congested Wi-Fi slows down is that the problem Ethernet shed only survives in wireless.

4. Inside a switch — MAC learning and flooding #

How does the switch know "this MAC is on this port"? It just looks at the source MAC of every incoming frame and records it against the port the frame arrived on (= MAC learning). No prior configuration required, which is what "plug-and-play" really means.

[Figure: L2 switch — MAC learning, forwarding, and flooding. Learn from the frame's src MAC; look up the dst MAC to pick the egress port.]

Topology: PC-A aa:aa:aa:aa:aa:aa on port 1 / PC-B bb:bb:bb:bb:bb:bb on port 2 / PC-C cc:cc:cc:cc:cc:cc on port 3 / port 4 = trunk toward the router; PC-D dd:dd:dd:dd:dd:dd is new and not yet learned.

MAC address table (FDB):
  • aa:aa:aa:aa:aa:aa → port 1
  • bb:bb:bb:bb:bb:bb → port 2
  • cc:cc:cc:cc:cc:cc → port 3
  • Aging timer: 300 sec
  • Unknown dst → flood all ports; ff:ff:ff:ff:ff:ff (broadcast) → all ports

Learning flow:
  (1) Frame PC-A → PC-B arrives
  (2) Record src = aa as "port 1"
  (3) Look up dst = bb → forward only to port 2

Unknown destination: if PC-A → PC-D and dd is unlearned, treat as "unknown unicast" and flood to every port except ingress.
Broadcast: dst = ff:ff:ff:ff:ff:ff always floods to every port (this is how ARP requests get through).

Loop avoidance: a physical loop between switches makes broadcasts circulate forever. Mitigation: STP (Spanning Tree, 802.1D) logically blocks one redundant link to form a tree; RSTP (802.1w) and MSTP (802.1s) are the modern variants. DCs use TRILL / SPB / EVPN as alternatives.

In words, what a switch does:

  1. Frame arrives → look at the source MAC, pair it with the ingress port, register in the FDB (Forwarding Database) (or refresh the timer)
  2. Look up the destination MAC in the FDB:
    • Hit (known) → forward only on that port (= forwarding)
    • Miss (unknown unicast) → copy to every port except the ingress (= flooding, "unknown unicast flood")
    • Broadcast (ff:ff:ff:ff:ff:ff) → always flood to all ports
  3. The aging timer (a typical default of 300 sec) cleans out old entries so a moved host can be relearned

STP (Spanning Tree Protocol, IEEE 802.1D) prevents the broadcast storm that occurs when redundant inter-switch links form a physical loop. Switches exchange BPDUs and logically block one link to form a tree. Convergence used to take 30–50 seconds (RSTP/802.1w cut it to seconds). At datacenter scale, STP convergence is intolerable, and TRILL / SPB / EVPN-VXLAN designs that "use all links concurrently without looping" have replaced it.

# View the FDB of a Linux bridge (= software L2 switch)
bridge fdb show
ip link show type bridge

# View the MAC table on a Cisco IOS switch
show mac address-table              # All entries
show mac address-table address aaaa.aaaa.aaaa   # IOS writes MACs as three dotted 16-bit groups
show spanning-tree                  # STP state

5. VLAN (802.1Q) — many L2s on one physical wire #

Instead of separating LANs physically, VLAN (Virtual LAN, 802.1Q) separates them logically by attaching a 12-bit tag (VID) to each frame. On the same switch, on the same wire, frames with different VIDs are completely separate L2 worlds.

Key concepts:

  • VID (VLAN ID) — 12 bits (1 to 4094). 0 and 4095 are reserved. Only 4094 VLANs total, which proved insufficient at cloud scale and led to VXLAN (24 bits, ~16 million) as a successor.
  • Access port — the host-side port. Belongs to one VLAN, frames carry no VLAN tag (the VID lives only inside the switch).
  • Trunk port — switch-to-switch or router-to-switch. Carries multiple VLANs as tagged frames.
  • Native VLAN — the VLAN sent untagged on a trunk (default VLAN 1). A common breeding ground for VLAN-hopping attacks, so the rule is: don't use the native VLAN for production traffic.

# Create a VLAN sub-interface on Linux (VLAN 100 on eth0)
sudo ip link add link eth0 name eth0.100 type vlan id 100
sudo ip addr add 10.100.0.5/24 dev eth0.100
sudo ip link set eth0.100 up

# Cisco IOS: access and trunk port configuration
interface Gi0/1
 switchport mode access
 switchport access vlan 10

interface Gi0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 999      ! Don't make a production VLAN the native VLAN

VLAN serves "broadcast-domain partitioning," "per-department isolation (finance / engineering / guest Wi-Fi)," and "carrying VoIP and PC traffic on one cable (Voice VLAN)." Inter-VLAN traffic always requires L3 routing (a router or L3 switch) — VLAN only splits L2; spanning across needs an IP-layer decision.

6. Speed generations and media — from 10M to 400G #

Ethernet kept the same frame format while scaling speed 10,000× because the physical layer (PHY) was swapped per speed generation. A win for the clean separation of L2 (frame) from L1 (signaling).

| Speed | Standard | Year | Media | Cabling |
|---|---|---|---|---|
| 10 Mbps | 10BASE-T | 1990 | UTP | Cat3+ |
| 100 Mbps | 100BASE-TX | 1995 | UTP | Cat5+ |
| 1 Gbps | 1000BASE-T | 1999 | UTP | Cat5e+ |
| 2.5 / 5 Gbps | 2.5G/5GBASE-T | 2016 | UTP | Cat5e/6 (existing cabling at short range) |
| 10 Gbps | 10GBASE-T / -SR | 2006 | UTP / fiber (MMF) | Cat6a+ / OM3+ |
| 25 / 40 / 100 Gbps | 25G/40G/100GBASE | 2010s | fiber (MMF/SMF) / DAC | OM4 / OS2 |
| 400 Gbps | 400GBASE | 2017 | fiber (SMF) | OS2 |

Twisted pair (UTP) speed is bounded by category (Cat):

  • Cat5e = 1 Gbps (the modern LAN floor)
  • Cat6 = 1 Gbps full-length / 10 Gbps short-range (55 m)
  • Cat6a = 10 Gbps full-length (100 m)
  • Cat8 = 25/40 Gbps (intra-DC short distance)

Fiber comes in two flavors: MMF (multimode) for short distance (up to several hundred meters, cheaper, intra-DC), and SMF (singlemode) for long distance (kilometers to tens of kilometers, carrier / inter-site).

PoE (Power over Ethernet, 802.3af/at/bt) delivers up to 90 W (802.3bt) of power alongside data over Cat cabling. IP phones / Wi-Fi APs / surveillance cameras / door controllers can be installed without an AC outlet — a modern enterprise essential.

7. Auto-negotiation and MTU — the classic traps #

Auto-negotiation has both ends agree on "this speed, full-duplex." If both sides are auto, alignment is automatic. But if one side is auto and the other is forced, the auto side falls back to half-duplex while the forced side stays full-duplex, and you get the classic duplex mismatch — every frame triggers spurious collision detection and throughput collapses.

# Current speed / duplex / auto-negotiation status
ethtool eth0

# Force both ends to 1G full-duplex (disable auto) — usually unnecessary; "auto/auto" is the right default
sudo ethtool -s eth0 speed 1000 duplex full autoneg off

MTU (Maximum Transmission Unit) is the maximum payload bytes per frame. Ethernet defaults to 1500. Inside datacenters, 9000 (jumbo frames) is common and significantly impacts iSCSI / NFS / NVMe-oF throughput.

But on paths where PMTU (Path MTU Discovery) is broken (firewalls dropping ICMP "Fragmentation Needed"), packets get black-holed and you see the ugly symptom "ping passes but large transfers stall." The standard workaround is to lower MTU to 1492 (PPPoE) or around 1450 (VPN/tunnel paths).

8. The L2 attack surface — install the basic defenses every time #

The "learn MAC and forward" model is directly vulnerable to L2-layer attacks. The minimum attacks to know and the defenses modern switches provide:

| Attack | How it works | Defense |
|---|---|---|
| MAC flooding (CAM overflow) | Flood the switch with frames bearing fake source MACs to overflow the FDB → it can't learn → all frames get flooded = degrades to a shared hub → all traffic is sniffable | Port security (cap learned MACs per port; on excess, shut/drop) |
| ARP spoofing (ARP poisoning) | Send fake ARP replies claiming "the gateway IP is at my MAC" to MitM the victim's traffic | DAI (Dynamic ARP Inspection) — verify against the DHCP-snooping binding table, drop forged ARP |
| DHCP starvation / rogue DHCP | Exhaust the DHCP pool with fake MACs / stand up a fake DHCP server handing out wrong gateway / DNS | DHCP snooping — only permit DHCP offers from trusted ports (uplinks); drop on untrusted |
| VLAN hopping (Double Tagging) | Apply two 802.1Q tags; the first switch strips the outer (treating it as native VLAN) and forwards, the next switch delivers based on the inner VID — into a different VLAN | Don't use the native VLAN for production + don't include unused VLANs in trunk allowed lists |
| VLAN hopping (Switch Spoofing) | Send forged DTP (Dynamic Trunking Protocol) on an access port to promote it to a trunk and snoop every VLAN | Force switchport mode access + disable DTP (switchport nonegotiate) |
| STP attack (BPDU attack) | Send forged BPDUs claiming to be the root bridge → rewrite the topology to MitM | BPDU guard — if a host-side port receives a BPDU, immediately err-disable |
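The DAI row is the one defense in the table whose decision logic is short enough to show end to end. The following is an added example written for this article (not code from the original post or from any switch vendor): it parses ARP-over-Ethernet frames (EtherType 0x0806) and applies the DAI rule from the table, ARP on an untrusted port is dropped unless the sender MAC/IP pair matches the DHCP-snooping binding table for that port, while trusted uplink ports are passed through. It also checks that the Ethernet source MAC agrees with the ARP sender MAC, an optional extra validation that real implementations offer. The binding table, the port numbers and all five sample frames (including the one that answers for the gateway IP from the wrong host) are constructed test inputs; the class and function names are this example's own.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(eth_src, eth_dst, op, sender_mac, sender_ip, target_mac, target_ip):
    """Constructed ARP-over-Ethernet frame (no FCS); used here only as inspector input."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype Ethernet, ptype IPv4, hlen 6, plen 4
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an untagged frame, or None if it is not ARP-over-IPv4."""
    if len(frame) < 42:
        return None
    dst, src, etype = struct.unpack_from("!6s6sH", frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack_from("!HHBBH", frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(src), "op": op,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}


class ArpInspector:
    """DAI-style check: ARP on an untrusted port must match the snooping binding table."""

    def __init__(self, bindings, trusted_ports=()):
        self.bindings = dict(bindings)      # {(port, mac): ip}, as DHCP snooping records leases
        self.trusted = set(trusted_ports)   # uplinks toward the router / DHCP server

    def inspect(self, port, frame):
        if port in self.trusted:
            return "permit", "trusted port (uplink)"
        arp = parse_arp(frame)
        if arp is None:
            return "permit", "not ARP; DAI does not inspect it"
        if arp["eth_src"] != arp["sender_mac"]:
            return "drop", "Ethernet source MAC != ARP sender MAC"
        bound_ip = self.bindings.get((port, arp["sender_mac"]))
        if bound_ip is None:
            return "drop", f"no DHCP binding for {arp['sender_mac']} on port {port}"
        if bound_ip != arp["sender_ip"]:
            return "drop", f"{arp['sender_mac']} claims {arp['sender_ip']} but is bound to {bound_ip}"
        return "permit", "binding matches"


# Constructed binding table: two hosts with DHCP leases on access ports 1 and 2,
# gateway reached over the trusted uplink on port 24.
H1, H2, H3 = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:03"
GW_MAC, GW_IP = "00:00:5e:00:01:01", "10.0.0.1"
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
BINDINGS = {(1, H1): "10.0.0.11", (2, H2): "10.0.0.12"}

SAMPLE_FRAMES = [  # (ingress port, description, frame)
    (1, "H1 asks who-has the gateway", build_arp(H1, BCAST, ARP_REQUEST, H1, "10.0.0.11", ZERO, GW_IP)),
    (24, "gateway replies over the trusted uplink", build_arp(GW_MAC, H1, ARP_REPLY, GW_MAC, GW_IP, H1, "10.0.0.11")),
    (2, "H2 answers for the gateway IP (poisoning attempt)", build_arp(H2, H1, ARP_REPLY, H2, GW_IP, H1, "10.0.0.11")),
    (3, "MAC with no lease on port 3", build_arp(H3, BCAST, ARP_REQUEST, H3, "10.0.0.13", ZERO, GW_IP)),
    (2, "header MAC and ARP sender MAC disagree", build_arp(H2, BCAST, ARP_REQUEST, H1, "10.0.0.11", ZERO, GW_IP)),
]


def run_samples():
    insp = ArpInspector(BINDINGS, trusted_ports={24})
    return [(desc,) + insp.inspect(port, frame) for port, desc, frame in SAMPLE_FRAMES]


if __name__ == "__main__":
    for desc, verdict, reason in run_samples():
        print(f"{verdict:6s} {desc}: {reason}")
```

The dependency the table states in words is visible in the code: DAI has nothing to check against unless DHCP snooping has already populated the binding table, and a statically addressed host (no lease) is dropped unless it is given an explicit binding or ACL. That is the usual reason DAI "breaks the printer" on first deployment.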

The minimum baseline: a template that bundles port security + DHCP snooping + DAI + BPDU guard + forced switchport mode access on every access port has become the de facto standard of enterprise switch operations.

! Cisco IOS — recommended template for an end-host access port
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate                       ! Disable DTP
 switchport port-security                     ! Enable port security
 switchport port-security maximum 2           ! Up to 2 MACs (PC + IP phone)
 switchport port-security violation restrict  ! Drop frames from excess MACs and log; port stays up
 spanning-tree portfast                       ! Host-facing port; no BPDU expected
 spanning-tree bpduguard enable               ! err-disable on BPDU receipt
 ip dhcp snooping limit rate 15               ! Rate-limit DHCP (packets per second)
!
! Global config — snooping must be switched on globally as well as per VLAN
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10                     ! Enable DAI (validates against the snooping binding table)
!
! The uplink toward the real DHCP server / gateway must be trusted, or its offers and ARP are dropped
interface GigabitEthernet0/24
 ip dhcp snooping trust
 ip arp inspection trust

There's also MACsec (802.1AE), an L2 encryption standard, but per-pair key management and switch-wide support keep adoption limited even in enterprises. The pragmatic default is to protect at L3 or above (IPsec, TLS).

9. Relationship with Wi-Fi — continuous on the same frame format #

The reason "a Wi-Fi laptop can directly see the wired printer" at home or work is that Wi-Fi (802.11) and Ethernet (802.3) share the same MAC + EtherType + Payload frame format. An AP (access point) acts as "an L2 bridge that translates wireless frames to wired frames" — incoming 802.11 frames become 802.3 frames and go out the wired side (and vice versa).

Consequences:

  • The same subnet can mix Wi-Fi and wired clients
  • L2 broadcast protocols (ARP / DHCP / mDNS / NetBIOS) reach both sides
  • From a switch's perspective, the AP is just "a port on which several MACs live"

The reason "a Wi-Fi-only network without Ethernet" essentially doesn't exist (the AP is wired uplinked) is that Ethernet is the L2 lingua franca. Wi-Fi handles the wireless physical and MAC layers; above that, it rides the same single frame format as Ethernet.


Ethernet has lasted 50 years as the only choice for wired LAN, and the way it pulled that off was by keeping the frame format as the unchanging center while swapping out speed (10,000×), media (coax → twisted pair → fiber), and topology (shared → switched). 1985 Ethernet and 2026 Ethernet have almost nothing in common internally — but the Dst/Src/EtherType/Payload/FCS layout you see in tcpdump is the same.

The practical reading order: "read the frame format and MAC" → "know what the switch learns and what it floods" → "carve L2 with VLAN" → "template port security / DHCP snooping / DAI / BPDU guard." Lining up those four covers nearly every L2 problem an enterprise will hit, and lets you reason from your own judgment.