Ethernet (IEEE 802.3) is the L2 protocol that has survived nearly 50 years as the only practical choice for wired LAN. It's grown its speed by 10,000×, swapped its media from coax to twisted pair to fiber, and changed its topology from shared bus to switched — and still kept the frame format compatible the whole way. This article aims for "read it, configure it, defend it," walking through the unchanging center of Ethernet and the operational knowledge needed today.
## The frame format — Ethernet's unchanging center
The reason Ethernet has stayed compatible for half a century is that the frame format has barely changed since standardization in IEEE 802.3. IP, ARP, VLAN — they all exist as the contents of this one envelope.
| Region | Size | Role |
|---|---|---|
| Preamble | 7 bytes | 10101010 × 7. Handled by NIC hardware; invisible to the OS |
| SFD | 1 byte | 10101011. Start-of-frame marker |
| Dst MAC | 6 bytes | Destination hardware address |
| Src MAC | 6 bytes | Source hardware address |
| EtherType | 2 bytes | Payload type (0x0800=IPv4 / 0x0806=ARP / 0x86DD=IPv6 / 0x8100=VLAN) |
| Payload | 46–1500 bytes | Upper-layer protocol (IP / ARP etc.) |
| FCS | 4 bytes | CRC-32. Receiver recomputes and compares → drops on mismatch |
| IPG | 12 bytes equivalent | Inter-frame gap (HW-managed) |
What to remember:
- Preamble + SFD + IPG are handled by NIC hardware. "Ethernet frame," in normal usage, means Dst MAC through FCS.
- EtherType is the key to "how should the payload be read." When `tcpdump` separates "IP packet" from "ARP packet," it's just reading this field.
- The 46-byte minimum payload is a CSMA/CD-era legacy meant to satisfy the 64-byte minimum frame length needed for collision detection. It carries no practical meaning today but remains for compatibility.
- FCS only detects corruption. On a mismatch the NIC silently discards the frame, and retransmission is the upper layer's (TCP's) job. Ethernet itself does not retransmit.
The 802.1Q VLAN tag is 4 bytes inserted right after Src MAC: TPID=0x8100 marks "VLAN tag starts here," followed by 2 bytes of TCI carrying PCP (3 bits) + DEI (1 bit) + VID (12 bits, 1-4094). The original EtherType simply gets pushed one slot deeper; everything else is the same format. The tagged maximum frame length is 1522 bytes.
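The frame layout and the 802.1Q tag described above, as an added Python example that is not part of this article: it builds a frame from Dst MAC through FCS, decodes it back (including the PCP / DEI / VID split of a tagged frame), and recomputes the CRC-32 the way a receiving NIC does. `build_frame`, `parse_frame` and the sample ARP payload are constructed for this example; the CRC parameters are the standard ones (zlib's CRC-32 is the same polynomial Ethernet uses, transmitted least-significant byte first).

```python
import struct
import zlib

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "802.1Q"}


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid=None, pcp: int = 0) -> bytes:
    """Assemble Dst MAC .. FCS (what the OS hands to the NIC; no preamble/SFD/IPG)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        # 802.1Q tag: TPID 0x8100, then TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)
        hdr += struct.pack("!HH", 0x8100, (pcp << 13) | (vid & 0x0FFF))
    hdr += struct.pack("!H", ethertype)
    body = hdr + payload
    # Pad so the frame reaches the 64-byte minimum once the 4-byte FCS is appended.
    body += b"\x00" * max(0, 60 - len(body))
    # FCS = CRC-32 over Dst MAC .. end of payload, least-significant byte first.
    return body + struct.pack("<I", zlib.crc32(body))


def parse_frame(frame: bytes) -> dict:
    """Decode a received frame; 'fcs_ok' False means a real NIC would have dropped it."""
    if len(frame) < 64:
        raise ValueError("runt frame: shorter than the 64-byte minimum")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": mac_str(dst), "src": mac_str(src), "vlan": None}
    offset = 14
    if ethertype == 0x8100:                      # tagged: EtherType sits one slot deeper
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["vlan"] = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    info["ethertype"] = ethertype
    info["type_name"] = ETHERTYPES.get(ethertype, f"unknown 0x{ethertype:04x}")
    info["payload"] = frame[offset:-4]
    info["fcs_ok"] = struct.unpack("<I", frame[-4:])[0] == zlib.crc32(frame[:-4])
    return info


def demo():
    """Constructed frames: an ARP request, the same request tagged VID 100, a corrupted copy."""
    src = "00:1a:2b:3c:4d:5e"
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,      # who-has 10.0.0.1 tell 10.0.0.5
                      bytes.fromhex(src.replace(":", "")), bytes([10, 0, 0, 5]),
                      b"\x00" * 6, bytes([10, 0, 0, 1]))
    untagged = build_frame("ff:ff:ff:ff:ff:ff", src, 0x0806, arp)
    tagged = build_frame("ff:ff:ff:ff:ff:ff", src, 0x0806, arp, vid=100, pcp=5)
    corrupted = bytearray(untagged)
    corrupted[20] ^= 0x01                                      # one flipped bit in the payload
    return parse_frame(untagged), parse_frame(tagged), parse_frame(bytes(corrupted))


if __name__ == "__main__":
    for f in demo():
        print(f["src"], "->", f["dst"], f["type_name"], f["vlan"], "fcs_ok=" + str(f["fcs_ok"]))
```

The corrupted copy parses perfectly well (every field looks sane) and only the FCS comparison catches it, which is the point of the "FCS only detects corruption" remark: there is no sequence number or acknowledgement at this layer, so the frame is simply gone and TCP above has to notice.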
## MAC addresses — the 48-bit hardware identifier
Drilling into the Dst / Src MAC fields: a MAC address is 48 bits (6 bytes), written in hex as 00:1A:2B:3C:4D:5E. The upper 24 bits are the OUI (a per-vendor number assigned by IEEE), and the lower 24 bits are a serial within that vendor.
The lower 2 bits of the first byte carry special meaning:
| bit | Name | Meaning |
|---|---|---|
| bit 0 (I/G) | Individual / Group | 0 = unicast / 1 = multicast or broadcast |
| bit 1 (U/L) | Universal / Local | 0 = globally unique (OUI-assigned) / 1 = locally administered (virtual NICs etc.) |
Common patterns to recognise:
- ff:ff:ff:ff:ff:ff — broadcast (ARP request etc.)
- 01:00:5e:xx:xx:xx — IPv4 multicast
- 33:33:xx:xx:xx:xx — IPv6 multicast
- 02:xx:xx:xx:xx:xx etc. — virtual NICs on VMs / Docker / WSL, or macOS / iOS Private Wi-Fi Address
```shell
$ ip link show                     # MAC per interface
$ ip neigh                         # ARP table (IP → MAC)
$ ethtool -P eth0                  # permanent MAC (differs from current if changed)
# Temporarily change MAC (anonymization / testing / recovery)
$ sudo ip link set dev eth0 address 02:11:22:33:44:55
```

Every time a router is crossed, the source and destination MACs are rewritten (the IPs stay the same). IP and MAC "identify different things at different layers," a layering distinction that often trips up beginners.
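The I/G and U/L bits and the common address patterns above, as an added Python example that is not part of this article. `normalize_mac` accepts the colon, dash and Cisco dotted spellings, `classify_mac` decodes the two flag bits of the first byte and names the pattern, and `multicast_mac` goes one step beyond the text by deriving the multicast MAC from an IP group address (low 23 bits of an IPv4 group behind 01:00:5e, low 32 bits of an IPv6 group behind 33:33). All function names are this example's own.

```python
import ipaddress
import re


def normalize_mac(text: str) -> bytes:
    """Accept 00:1A:2B:3C:4D:5E, 00-1a-2b-3c-4d-5e or Cisco-style 001a.2b3c.4d5e."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def classify_mac(text: str) -> dict:
    """Decode the I/G and U/L bits of the first byte and name the common patterns."""
    mac = normalize_mac(text)
    first = mac[0]
    info = {
        "mac": ":".join(f"{b:02x}" for b in mac),
        "oui": mac[:3].hex(),             # upper 24 bits: IEEE-assigned vendor id
        "group": bool(first & 0x01),      # I/G bit: 1 = multicast or broadcast
        "local": bool(first & 0x02),      # U/L bit: 1 = locally administered
    }
    if mac == b"\xff" * 6:
        kind = "broadcast"
    elif mac[:3] == b"\x01\x00\x5e" and mac[3] < 0x80:   # 01:00:5e:00:00:00 .. 01:00:5e:7f:ff:ff
        kind = "IPv4 multicast"
    elif mac[:2] == b"\x33\x33":
        kind = "IPv6 multicast"
    elif info["group"]:
        kind = "other multicast"
    elif info["local"]:
        kind = "locally administered unicast"      # VMs, containers, randomized Wi-Fi MACs
    else:
        kind = "globally unique unicast"
    info["kind"] = kind
    return info


def multicast_mac(group: str) -> str:
    """Map an IP multicast group to the MAC address the NIC must listen for."""
    addr = ipaddress.ip_address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a multicast group")
    if addr.version == 4:
        low = addr.packed[1:]                     # low 23 bits of the group address
        return "01:00:5e:%02x:%02x:%02x" % (low[0] & 0x7F, low[1], low[2])
    return "33:33:" + ":".join(f"{b:02x}" for b in addr.packed[-4:])   # low 32 bits


if __name__ == "__main__":
    for sample in ("00:1A:2B:3C:4D:5E", "02-11-22-33-44-55", "ffff.ffff.ffff", "01:00:5e:00:00:fb"):
        print(sample, "->", classify_mac(sample)["kind"])
    print("224.0.0.251 ->", multicast_mac("224.0.0.251"), "| ff02::1 ->", multicast_mac("ff02::1"))
```

A practical use of the U/L bit: an inventory or NAC report that flags locally administered unicast addresses immediately separates VMs, containers and randomized client MACs from physical NICs, which matters when you try to tie a MAC in the switch table to a real asset.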
## Shared bus to switched — same name, different thing inside
Older textbooks teach "Ethernet = CSMA/CD: wait and retry on collision," but that has almost nothing to do with modern Ethernet. The topology changed fundamentally.
| Shared bus (hub / coax) | Switched |
|---|---|
| CSMA/CD. Performance degraded as hosts grew. | CSMA/CD is disabled. N hosts run N links at full bandwidth simultaneously. |

The "half-duplex / full-duplex / auto-negotiation" toggles still on NICs are leftovers from the shared-bus era. In practice today, the answer is always "full-duplex."
Wi-Fi (802.11) still runs on the closely related CSMA/CA (Collision Avoidance). Wi-Fi slowing down on a crowded channel is exactly "the problem Ethernet threw away, surviving only on the wireless side."
## Inside a switch — MAC learning and flooding
How does a switch know "this MAC is on this port"? It simply records the source MAC of every incoming frame against the port it came in on (= MAC learning). No pre-configuration needed — this is exactly what makes Ethernet "plug-and-play."
A frame whose destination MAC is not yet in the table is flooded out every port except the one it arrived on; once the destination answers, its MAC is learned and later frames go to that single port. ff:ff:ff:ff:ff:ff always goes out every port. ARP requests reach hosts via this mechanism.

```shell
# Linux bridge (= a software L2 switch)
$ bridge fdb show
$ ip link show type bridge
```

```
# Cisco IOS
switch# show mac address-table
switch# show mac address-table address aaaa.bbbb.cccc   # placeholder; IOS writes MACs as xxxx.xxxx.xxxx
switch# show spanning-tree                               # STP state
```

Connect multiple switches with redundant links and broadcasts loop and multiply forever (a broadcast storm), because an Ethernet frame carries no TTL to expire it. STP (Spanning Tree Protocol, 802.1D) exchanges BPDUs among switches and logically blocks one link to enforce a tree topology. Classical STP converges in 30-50 seconds; RSTP (802.1w) shortened that to a few seconds. At data-center scale, STP has been replaced by TRILL / SPB / EVPN-VXLAN.
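The learn-and-flood behaviour described above, as an added Python model that is not part of this article and not any real switch's code. The `Switch` class learns source MACs per port, forwards known unicast to one port and floods broadcast, multicast and unknown unicast. It also goes beyond this section in two ways that the attack section later in the article motivates: the table has a finite size, so once it fills with made-up source MACs new hosts cannot be learned and traffic to them is flooded (the "hub-mode regression"), and an optional per-port cap modelled on port-security `violation restrict` (drop the offending frame, count it, keep the port up) shows how that is contained. Port numbers, MACs and the table size are constructed for the demo.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group(mac: str) -> bool:
    """I/G bit of the first byte: broadcast and multicast are always flooded here."""
    return bool(int(mac.split(":")[0], 16) & 0x01)


class Switch:
    """Minimal model of a learning switch: learn the source, forward by destination."""

    def __init__(self, ports, table_size=8, max_per_port=None):
        self.ports = list(ports)
        self.table_size = table_size       # capacity of the hardware FDB (CAM)
        self.max_per_port = max_per_port   # port-security style cap; None = disabled
        self.fdb = {}                      # mac -> port it was last seen on
        self.events = []

    def learn(self, mac, in_port):
        """Record src MAC -> port. Returns False when the frame must be dropped."""
        if mac in self.fdb:
            if self.fdb[mac] != in_port:
                self.events.append(f"{mac} moved {self.fdb[mac]} -> {in_port}")
                self.fdb[mac] = in_port
            return True
        if self.max_per_port is not None and \
                sum(1 for p in self.fdb.values() if p == in_port) >= self.max_per_port:
            self.events.append(f"port-security violation on port {in_port}: {mac}")
            return False                   # 'restrict': drop and count, port stays up
        if len(self.fdb) >= self.table_size:
            self.events.append(f"table full: {mac} not learned")
            return True                    # still forwarded, but nobody learns where it lives
        self.fdb[mac] = in_port
        return True

    def receive(self, in_port, src, dst):
        """Return the egress ports for a frame that arrived on in_port."""
        if not self.learn(src, in_port):
            return []
        if not is_group(dst) and dst in self.fdb:
            out = self.fdb[dst]
            return [] if out == in_port else [out]
        # broadcast, multicast and unknown unicast: flood everywhere except ingress
        return [p for p in self.ports if p != in_port]


def demo(max_per_port=None):
    """Constructed scenario: hosts A/B/C on ports 1-3, host D arriving later on port 4."""
    sw = Switch(ports=[1, 2, 3, 4], table_size=8, max_per_port=max_per_port)
    a, b, d = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0d"
    r = {}
    r["arp_request"] = sw.receive(1, a, BROADCAST)   # nobody known yet: flooded
    r["arp_reply"] = sw.receive(2, b, a)             # A was learned: single port
    r["a_to_b"] = sw.receive(1, a, b)                # both known: C on port 3 sees nothing
    # Burst of frames with 20 made-up source MACs arriving on port 3.
    for i in range(20):
        sw.receive(3, f"02:00:00:00:01:{i:02x}", BROADCAST)
    r["fdb_size"] = len(sw.fdb)
    r["d_learned"] = sw.receive(4, d, a) == [1] and d in sw.fdb
    r["a_to_d"] = sw.receive(1, a, d)                # flooded if D could not be learned
    r["events"] = sw.events
    return r


if __name__ == "__main__":
    for cap in (None, 2):
        res = demo(cap)
        print(f"max_per_port={cap}: fdb={res['fdb_size']} D learned={res['d_learned']} "
              f"A->D egress={res['a_to_d']} events={len(res['events'])}")
```

Run without a cap, the table fills with the made-up addresses, host D is never learned, and A's frames to D are flooded to port 3 as well. With `max_per_port=2` the burst stops after two entries, D is learned normally and A's frames to D reach port 4 only; on a real switch the `events` list corresponds to the violation counter and the syslog entries you would alert on.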
## VLAN (802.1Q) — multiplexing many L2s on one wire
Instead of physically separating LANs, attach a 12-bit tag (VID) to frames to separate them logically — that's VLAN. Even on the same switch and the same wire, different VIDs are different L2 worlds.
- VID — 12 bits (1-4094). 0 and 4095 reserved. Capped at 4094 entries, which became insufficient at cloud scale, leading to VXLAN (24-bit, ~16M) as the successor.
- Access port — host-facing port. Belongs to a single VLAN and passes untagged frames.
- Trunk port — switch-to-switch / router-to-switch port. Carries multiple VLANs with tags.
- Native VLAN — the VLAN sent untagged on a trunk (default VLAN 1). It's a breeding ground for VLAN hopping, so the standard practice is to never use it for production traffic.
```shell
# Linux: a tagged sub-interface for VLAN 100
$ sudo ip link add link eth0 name eth0.100 type vlan id 100
$ sudo ip addr add 10.100.0.5/24 dev eth0.100
$ sudo ip link set eth0.100 up
```

```
# Cisco IOS: one access port, one trunk port
(config)# interface Gi0/1
(config-if)# switchport mode access
(config-if)# switchport access vlan 10
(config)# interface Gi0/24
(config-if)# switchport mode trunk
(config-if)# switchport trunk allowed vlan 10,20,30
(config-if)# switchport trunk native vlan 999   # never make a production VLAN the native
```

VLANs are used for many things: splitting broadcast domains, isolating departments, a voice VLAN carrying IP phone + PC on one cable. Communication between VLANs requires L3 routing (a router or L3 switch). VLAN only separates at L2, and crossing the boundary needs an IP-layer routing decision.
## Speed generations and media — from 10M to 400G
Ethernet pushed speeds up by 10,000× while keeping the same frame format because the physical layer (PHY) gets swapped wholesale at each speed. It's the victory of a design that cleanly separated L2 (the frame) from L1 (the signalling).
| Speed | Standard | Year | Media | Cable |
|---|---|---|---|---|
| 10 Mbps | 10BASE-T | 1990 | UTP | Cat3+ |
| 100 Mbps | 100BASE-TX | 1995 | UTP | Cat5+ |
| 1 Gbps | 1000BASE-T | 1999 | UTP | Cat5e+ |
| 2.5 / 5 Gbps | 2.5G/5GBASE-T | 2016 | UTP | Cat5e/6 (existing OK) |
| 10 Gbps | 10GBASE-T / -SR | 2006 | UTP / fiber (MMF) | Cat6a+ / OM3+ |
| 25 / 40 / 100 Gbps | 25/40/100GBASE | 2010s | fiber / DAC | OM4 / OS2 |
| 400 Gbps | 400GBASE | 2017 | fiber (SMF) | OS2 |
Twisted pair (UTP) speed ceilings are determined by category (Cat):
- Cat5e — 1 Gbps (the floor for modern LAN)
- Cat6 — 1 Gbps at full length / 10 Gbps over short runs (55m)
- Cat6a — 10 Gbps at full length (100m)
- Cat8 — 25 / 40 Gbps (short runs in DCs)
Fiber comes in two kinds — MMF (multi-mode) for short runs (hundreds of m, cheaper, intra-DC) and SMF (single-mode) for long runs (km to tens of km, carrier / inter-site).
Power over Ethernet (PoE) is the standard for carrying up to 90W (802.3bt) of power alongside data on a Cat cable. IP phones, Wi-Fi APs, surveillance cameras, and door controllers can be installed without an AC outlet, a must-have feature for modern enterprise networks.
## Auto-negotiation and MTU — classic pitfalls
Auto-negotiation is the mechanism by which both ends of a link agree on "this speed and this duplex." If both ends are auto, it's fine — but if one side is fixed and the other is auto, the auto side falls back to half-duplex while the fixed side stays full-duplex. Every frame transmitted triggers a false collision and performance drops off a cliff — the classic duplex mismatch.
```shell
$ ethtool eth0                                             # current state
# Fix both ends at 1G full-duplex (disable auto) — usually unnecessary
$ sudo ethtool -s eth0 speed 1000 duplex full autoneg off
```

MTU (Maximum Transmission Unit) is the maximum payload size per frame. Ethernet's default is 1500 bytes. Inside data centers, 9000 bytes (jumbo frames) are common and have a big effect on iSCSI / NFS / NVMe-oF throughput.
If a firewall on the path drops the ICMP "Fragmentation Needed" messages that Path MTU Discovery relies on, oversized packets get black-holed and you see the nasty symptom of "ping works but large transfers stall." The standard workaround is dropping the MTU from 1500 to 1492 (PPPoE) or 1450 (VPN/tunnel) so that the encapsulation overhead fits.
## L2 attack surface and defenses — always deploy the baseline
The switch's naïve "learn MAC and forward" mechanism is directly vulnerable to attacks operating at L2. The minimum attacks to know and the defenses modern switches provide:
| Attack | Mechanism | Defense |
|---|---|---|
| MAC flooding (CAM overflow) | Flood with frames carrying fake src MACs, overflow the FDB, learning fails → all frames flooded = hub-mode regression → eavesdropping possible | port security (cap the number of MACs learned per port) |
| ARP spoofing | Send forged ARP replies claiming "the gateway IP is my MAC" → MITM | DAI (Dynamic ARP Inspection) — cross-check against the DHCP snooping binding table |
| DHCP starvation / rogue DHCP | Exhaust the DHCP pool with fake MACs / distribute wrong GW/DNS via a fake DHCP | DHCP snooping — accept DHCP offers only from trusted ports |
| VLAN hopping (Double Tagging) | Stack two 802.1Q tags; the first switch strips the outer, the next routes by the inner VID to a different VLAN | Don't use the native VLAN for production + don't allow unused VLANs on trunks |
| VLAN hopping (Switch Spoofing) | Send forged DTP on an access port to auto-negotiate it into trunk → spy on every VLAN | Explicit switchport mode access + disable DTP (switchport nonegotiate) |
| STP attack (BPDU spoofing) | Spoof BPDUs to claim root bridge, rewrite topology → MITM | BPDU guard — host-facing ports err-disable immediately on receiving a BPDU |
```
(config)# interface GigabitEthernet0/1
(config-if)# switchport mode access
(config-if)# switchport access vlan 10
(config-if)# switchport nonegotiate               # disable DTP
(config-if)# switchport port-security             # enable port security
(config-if)# switchport port-security maximum 2   # PC + IP phone case
(config-if)# switchport port-security violation restrict
(config-if)# spanning-tree portfast
(config-if)# spanning-tree bpduguard enable       # err-disable on BPDU arrival
(config-if)# ip dhcp snooping limit rate 15
(config)# ip dhcp snooping vlan 10
(config)# ip arp inspection vlan 10               # enable DAI
```

Bundling port security + DHCP snooping + DAI + BPDU guard + forced switchport mode access into a template for access ports is the de facto standard for enterprise switch operations. Note that DAI only works as well as the snooping binding table it checks against: DHCP snooping must also be enabled globally and the uplink toward the DHCP server marked as a trusted port, otherwise legitimate clients never get a binding and their ARP is dropped too. There is also an L2 encryption standard called MACsec (802.1AE), but it requires per-pair key management and broad switch support, so most organizations protect above L3 (IPsec, TLS) as the practical answer.
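The DHCP snooping + DAI cross-check from the table above, as an added Python model that is not part of this article and not any vendor's implementation. `L2Guard` accepts DHCP server messages only from trusted ports, records the resulting IP/MAC/VLAN bindings, and validates each ARP packet from an untrusted port against them, also requiring the ARP sender hardware address to match the frame's source MAC. The port names, MACs and addresses are constructed; the spoofed ARP reply exists only as test input for the detection logic.

```python
import ipaddress
import struct
from dataclasses import dataclass


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """ARP over Ethernet/IPv4, 28 bytes. op 1 = request, 2 = reply."""
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                       mac_bytes(sha), ipaddress.IPv4Address(spa).packed,
                       mac_bytes(tha), ipaddress.IPv4Address(tpa).packed)


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int


class L2Guard:
    """Model of DHCP snooping + Dynamic ARP Inspection on an access switch."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplinks toward the real DHCP server
        self.bindings = {}                  # (vlan, mac) -> Binding
        self.alerts = []

    def dhcp_server_message(self, port, vlan, client_mac, ip):
        """A DHCP OFFER/ACK seen on `port`. Only trusted ports may originate these."""
        if port not in self.trusted:
            self.alerts.append(f"rogue DHCP server on {port}: offered {ip}")
            return False
        self.bindings[(vlan, client_mac)] = Binding(client_mac, ip, vlan)
        return True

    def arp_packet(self, port, vlan, src_mac, arp: bytes):
        """DAI: validate an ARP packet; True = forward, False = drop."""
        if port in self.trusted:
            return True
        _, _, _, _, op, sha, spa, _, _ = struct.unpack("!HHBBH6s4s6s4s", arp[:28])
        sha, spa = mac_str(sha), str(ipaddress.IPv4Address(spa))
        if sha != src_mac:
            self.alerts.append(f"{port}: ARP sender MAC {sha} != frame source {src_mac}")
            return False
        b = self.bindings.get((vlan, sha))
        if b is None or b.ip != spa:
            kind = "reply" if op == 2 else "request"
            self.alerts.append(f"{port}: ARP {kind} '{spa} is-at {sha}' has no snooping binding")
            return False
        return True


def demo():
    """Constructed scenario: Gi0/24 is the trusted uplink, clients sit on Gi0/1 and Gi0/3."""
    g = L2Guard(trusted_ports={"Gi0/24"})
    pc, other, gw = "00:1a:2b:3c:4d:5e", "00:1a:2b:00:00:cc", "00:1a:2b:00:00:01"
    r = {}
    r["ack_pc"] = g.dhcp_server_message("Gi0/24", 10, pc, "10.0.10.50")
    r["ack_other"] = g.dhcp_server_message("Gi0/24", 10, other, "10.0.10.60")
    r["rogue_dhcp"] = g.dhcp_server_message("Gi0/3", 10, pc, "192.168.99.7")
    legit = build_arp(2, pc, "10.0.10.50", gw, "10.0.10.1")          # PC answers the gateway
    r["legit"] = g.arp_packet("Gi0/1", 10, pc, legit)
    spoof = build_arp(2, other, "10.0.10.1", pc, "10.0.10.50")       # claims the gateway's IP
    r["spoof"] = g.arp_packet("Gi0/3", 10, other, spoof)
    mismatch = build_arp(1, pc, "10.0.10.50", "00:00:00:00:00:00", "10.0.10.1")
    r["mismatch"] = g.arp_packet("Gi0/3", 10, other, mismatch)       # L2 src != ARP sender
    r["alerts"] = g.alerts
    return r


if __name__ == "__main__":
    for line in demo()["alerts"]:
        print(line)
```

The second check (frame source MAC against the ARP sender hardware address) is the optional `ip arp inspection validate src-mac` step on IOS; it is cheap and catches a class of malformed packets the binding lookup alone would not. The alerts list is what you would ship to the SIEM: a DAI drop on an access port is a high-signal event because legitimate clients with a valid lease never trigger it.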
## The relationship with Wi-Fi — a single frame format across both
The reason a Wi-Fi-connected phone at home or work can see a wired printer directly is that Wi-Fi (802.11) and Ethernet (802.3) share the same MAC + EtherType + Payload frame format. The access point (AP) acts as an "L2 bridge that translates wireless frames into wired frames" — it converts incoming 802.11 frames into 802.3 frames and forwards them on the wire (and the reverse).
This means:
- IPs in the same subnet can coexist between Wi-Fi and wired
- L2-broadcast protocols like ARP / DHCP / mDNS / NetBIOS reach both sides
- From the switch's view, the AP is "a port hosting multiple MACs"
The reason "a Wi-Fi-only network without Ethernet" practically doesn't exist (every AP uplinks via wire) is that Ethernet is the common L2 language. Wi-Fi handles the wireless PHY and MAC layers, but above that, everything rides on the same single Ethernet frame format.
"Read the frame format and MACs" → "understand what a switch learns and what it floods" → "split L2 with VLANs" → "deploy port security / DHCP snooping / DAI / BPDU guard as templates." With these four in place, you have your own framework for deciding on most enterprise L2 problems.