This lesson focuses on how data travels through local area networks using Ethernet LAN switching technology. We are examining Layer 2 operations of the OSI model, specifically how switches receive and forward Ethernet frames within a LAN. The Physical Layer (Layer 1) was covered in previous lessons with topics like UTP cables and fiber optics, so now we concentrate on the Data Link Layer (Layer 2) operations.
A Local Area Network is a network contained within a relatively small geographical area, such as an office floor or home network. The key distinguishing factor is that switches expand LANs while routers separate them. When multiple switches are connected together, they still form a single LAN. However, when switches connect to different router interfaces, they form separate LANs. This is a fundamental concept because it determines how traffic flows and which devices can communicate directly without routing.
Data undergoes a transformation process as it moves down the OSI model layers. At the application layer, we simply have data. When a Layer 4 header is added, it becomes a segment. Adding a Layer 3 header transforms it into a packet. Finally, when Layer 2 adds both a header and trailer, it becomes a frame. This encapsulation process is essential because each layer adds information necessary for that layer's function. The frame is what actually travels across the physical network medium.
The Ethernet frame consists of multiple fields that serve specific purposes. The Preamble is seven bytes of alternating ones and zeros (10101010 repeated seven times) that allows receiving devices to synchronize their clocks. The Start Frame Delimiter (SFD) is one byte (10101011) that marks where the actual frame data begins. The Destination and Source MAC addresses are each six bytes and identify the sending and receiving devices. The Type or Length field is two bytes and either indicates the protocol type of the encapsulated data or its length, depending on the value. The payload contains the actual data being transmitted. Finally, the Frame Check Sequence (FCS) is four bytes used for error detection through a Cyclic Redundancy Check algorithm.
An important detail about frame sizing is that the Preamble and SFD are sometimes not counted as part of the Ethernet header. When excluded, the header plus trailer totals eighteen bytes. The minimum frame size is sixty-four bytes, which means the minimum payload must be forty-six bytes. If the payload is smaller, padding bytes consisting of zeros are automatically added to meet this requirement.
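The frame layout and sizing rules above, worked through as an added example (not part of the original lesson). The helper names are hypothetical, the MAC addresses and payloads are constructed, the little-endian FCS byte order is an assumption of this example, and the 1500/1536 Type/Length thresholds and EtherType values are the ones this page gives further down.

```python
import struct
import zlib

MIN_FRAME = 64     # bytes, Preamble and SFD not counted
MIN_PAYLOAD = 46   # 64 minus 18 bytes of header and trailer
ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP"}


def mac_to_bytes(mac: str) -> bytes:
    """Accept 0C2F.B011.9D00, 0C:2F:B0:11:9D:00 or 0c-2f-b0-11-9d-00."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def fcs(body: bytes) -> bytes:
    # CRC-32 over destination MAC through payload. The little-endian byte
    # order is the convention assumed in this example.
    return struct.pack("<I", zlib.crc32(body))


def build_frame(dst: str, src: str, type_or_length: int, payload: bytes) -> bytes:
    """Hypothetical helper: header + zero-padded payload + FCS trailer."""
    padding = b"\x00" * max(0, MIN_PAYLOAD - len(payload))
    body = (mac_to_bytes(dst) + mac_to_bytes(src)
            + struct.pack("!H", type_or_length) + payload + padding)
    return body + fcs(body)


def parse_frame(frame: bytes) -> dict:
    """Split a frame (without Preamble/SFD) into its fields and check the FCS."""
    if len(frame) < MIN_FRAME:
        raise ValueError(f"runt frame: {len(frame)} bytes, minimum is {MIN_FRAME}")
    body, trailer = frame[:-4], frame[-4:]
    (value,) = struct.unpack("!H", body[12:14])
    data = body[14:]
    if value <= 1500:
        # Length: the field itself says where the padding starts.
        kind, meaning, payload = "length", value, data[:value]
    elif value >= 1536:
        # Type: Layer 2 cannot tell payload from padding; the upper-layer
        # header (for example the IPv4 total length) has to do that.
        kind, meaning, payload = "type", ETHERTYPES.get(value, hex(value)), data
    else:
        kind, meaning, payload = "undefined", value, data
    return {
        "dst": body[0:6].hex(),
        "src": body[6:12].hex(),
        "broadcast": body[0:6] == b"\xff" * 6,
        "kind": kind,
        "meaning": meaning,
        "payload": payload,
        "fcs_ok": fcs(body) == trailer,
    }


if __name__ == "__main__":
    # Constructed sample: a 36-byte payload, as in the padding example below.
    sample = build_frame("FFFF.FFFF.FFFF", "0C2F.B011.9D00", 0x0800, bytes(range(1, 37)))
    print(len(sample), parse_frame(sample))
```

A failed FCS check only signals accidental corruption in transit; it says nothing about who sent the frame or whether the source MAC is genuine.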
A MAC address is a forty-eight-bit physical address permanently assigned to network devices during manufacturing. This is why it's also called a Burned-In Address (BIA). The address structure is divided into two parts: the first twenty-four bits form the Organizationally Unique Identifier (OUI), which identifies the manufacturer, while the remaining twenty-four bits uniquely identify the specific device. MAC addresses are globally unique, meaning no two devices worldwide should have identical MAC addresses. They are written as twelve hexadecimal characters, often grouped in different formats like 0C2F.B011.9D00 or 0C:2F:B0:11:9D:00.
The broadcast MAC address FFFF.FFFF.FFFF is special because it's used when a device needs to send a frame to all devices on the local network.
Switches operate by maintaining a MAC address table, also called a CAM (Content Addressable Memory) table. The learning process is elegant in its simplicity: when a switch receives a frame, it examines the source MAC address and creates an entry associating that MAC address with the interface where the frame arrived. This is called dynamic learning because the switch learns automatically without manual configuration.
The forwarding decision depends on whether the destination MAC address exists in the table. For a known unicast frame, where the destination is in the MAC address table, the switch forwards the frame only out the specific interface associated with that MAC address. For an unknown unicast frame, where the destination is not in the table, the switch must flood the frame out all interfaces except the one where it was received. Broadcast frames are always flooded to all interfaces except the receiving interface.
Dynamic MAC address entries age out after five minutes of inactivity on Cisco switches. This aging process keeps the table current and removes entries for devices that are no longer active or have been disconnected.
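The learning, forwarding and aging rules above, as an added simulation (not part of the original lesson and not Cisco code). The `Switch` class, port names and MAC addresses are constructed for illustration, and the "filtered" case, where a known destination sits on the ingress port, is standard bridge behaviour that the lesson does not discuss.

```python
from dataclasses import dataclass, field

BROADCAST = "ffff.ffff.ffff"
AGING_SECONDS = 300  # five minutes of inactivity, the default stated above


@dataclass
class Switch:
    """Hypothetical model of a Layer 2 switch with one MAC address table."""
    ports: list
    table: dict = field(default_factory=dict)  # mac -> (port, last_seen)

    def _age_out(self, now: float) -> None:
        stale = [mac for mac, (_, seen) in self.table.items()
                 if now - seen >= AGING_SECONDS]
        for mac in stale:
            del self.table[mac]

    def receive(self, in_port: str, src: str, dst: str, now: float):
        """Process one frame; return (decision, list of egress ports)."""
        self._age_out(now)
        src, dst = src.lower(), dst.lower()

        # Step 1: learn from the SOURCE MAC and refresh its timer.
        self.table[src] = (in_port, now)

        # Step 2: forward based on the DESTINATION MAC.
        everyone_else = [p for p in self.ports if p != in_port]
        if dst == BROADCAST:
            return "broadcast", everyone_else
        entry = self.table.get(dst)
        if entry is None:
            return "unknown unicast", everyone_else
        out_port = entry[0]
        if out_port == in_port:
            # Destination is reached through the ingress port: nothing to send.
            return "filtered", []
        return "known unicast", [out_port]


def demo():
    """Replay a constructed exchange between two hosts on a three-port switch."""
    sw = Switch(ports=["F0/1", "F0/2", "F0/3"])
    pc1, pc2 = "aa00.0000.0001", "aa00.0000.0002"  # constructed addresses
    return [
        sw.receive("F0/1", pc1, pc2, now=0),        # first frame: flooded
        sw.receive("F0/2", pc2, pc1, now=1),        # reply: forwarded to F0/1
        sw.receive("F0/1", pc1, BROADCAST, now=2),  # broadcast: flooded
        sw.receive("F0/1", pc1, pc2, now=400),      # PC2 aged out: flooded again
    ]


if __name__ == "__main__":
    for decision, egress in demo():
        print(f"{decision:16} -> {egress}")
```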
ARP solves a critical problem in networking: users work with IP addresses (Layer 3), but switches need MAC addresses (Layer 2) to forward frames. ARP bridges this gap by discovering the MAC address associated with a known IP address.
The ARP process uses two messages. The ARP Request is broadcast to all devices on the network with a destination MAC address of FFFF.FFFF.FFFF. It essentially asks "Who has IP address X? Tell me at IP address Y." Every device receives this broadcast, but only the device with the matching IP address responds. The ARP Reply is unicast, sent directly back to the requesting device, providing the MAC address that corresponds to the requested IP address.
Once learned, devices store these IP-to-MAC mappings in an ARP table. On Windows, macOS, and Linux systems, you view this with the "arp -a" command. On Cisco IOS devices, you use "show arp" from privileged EXEC mode. Entries can be static (manually configured or default entries) or dynamic (learned through ARP requests and replies).
Ping is a fundamental network troubleshooting tool that tests reachability between devices and measures round-trip time. It uses the Internet Control Message Protocol (ICMP) with two message types: Echo Request and Echo Reply. Unlike ARP requests, ping messages are unicast, sent to a specific destination, which means the sender must already know the destination's MAC address through ARP.
On Cisco IOS devices, the ping command sends five 100-byte ICMP echo requests by default. A period (.) in the output indicates a failed ping, while an exclamation mark (!) indicates success. The first ping often fails because the device must perform ARP to learn the destination MAC address, and this process takes time. Subsequent pings succeed because the MAC address is now cached in the ARP table.
MAC Address (Media Access Control Address): A 48-bit physical address assigned to a network interface card during manufacturing, written as twelve hexadecimal digits.
OUI (Organizationally Unique Identifier): The first 24 bits of a MAC address that identifies the manufacturer of the network device.
Dynamic MAC Address: A MAC address entry learned automatically by a switch through examining source MAC addresses of received frames.
Unicast Frame: An Ethernet frame destined for a single specific host, identified by that host's MAC address.
Broadcast Frame: An Ethernet frame sent to all devices on a local network, using the destination MAC address FFFF.FFFF.FFFF.
Unknown Unicast Frame: A unicast frame whose destination MAC address is not present in the switch's MAC address table.
Known Unicast Frame: A unicast frame whose destination MAC address exists in the switch's MAC address table.
Flooding: The switch behavior of sending a frame out all interfaces except the one where it was received.
MAC Address Table Aging: The process by which switches remove inactive MAC address entries after a period of inactivity (5 minutes default on Cisco switches).
CRC (Cyclic Redundancy Check): An error-detection algorithm used in the Frame Check Sequence field to detect transmission errors.
Pitfall 1: Confusing Source and Destination MAC Address Roles
Many students incorrectly believe switches learn from the destination MAC address. This is wrong. Switches always learn by examining the SOURCE MAC address of received frames and associating it with the receiving interface. The destination MAC address is used for forwarding decisions, not learning. Remember: "Learn from SOURCE, forward to DESTINATION."
Pitfall 2: Misunderstanding Frame Flooding
Students often think switches flood only unknown unicast frames. However, switches flood both unknown unicast frames AND broadcast frames. Known unicast frames are never flooded—they are forwarded only out the specific interface in the MAC address table. A helpful memory aid: "BUU floods" (Broadcast and Unknown Unicast flood).
Pitfall 3: Incorrect Frame Size Calculations
The Preamble and SFD are sometimes counted and sometimes not, depending on context. For CCNA purposes, remember that the minimum frame size of 64 bytes does NOT include the Preamble and SFD. The 18-byte header/trailer count also excludes them. If you include Preamble and SFD, the total overhead is 26 bytes.
Pitfall 4: Type/Length Field Confusion
The Type/Length field serves dual purposes based on its value. Values of 1500 or less indicate the payload length in bytes. Values of 1536 or greater indicate the protocol type (like IPv4 or IPv6). Students often forget this threshold and misinterpret the field's purpose.
Pitfall 5: ARP Message Direction Confusion
ARP Requests are broadcast (sent to everyone), while ARP Replies are unicast (sent only to the requester). Students sometimes think both are broadcast. Similarly, ICMP Echo Requests (ping) are unicast, not broadcast. Only the ARP Request is broadcast because the requester doesn't yet know the destination's MAC address.
Pitfall 6: MAC Address Structure
Students sometimes reverse the OUI and device-specific portions. Remember: the FIRST 24 bits (first half) are the OUI identifying the manufacturer. The LAST 24 bits (second half) identify the specific device.
Pitfall 7: Command Syntax Errors
Cisco IOS commands have specific syntax. The command is "show mac address-table" (note: space before "address," hyphen before "table"). Older IOS versions used "show mac-address-table" with hyphens, but newer versions changed the first hyphen to a space. For clearing, it's "clear mac address-table dynamic" with various optional parameters.
Example 1: Basic Switch Learning Process
Consider PC1 (MAC: AA00.0001) connected to SW1 port F0/1, sending its first frame to PC2 (MAC: AA00.0002) on port F0/2. When SW1 receives the frame, it examines the source MAC address AA00.0001 and creates an entry: "AA00.0001 → F0/1" in its MAC table. Since PC2's MAC isn't in the table yet, this is an unknown unicast frame, so SW1 floods it out all ports except F0/1. When PC2 replies, SW1 learns "AA00.0002 → F0/2" and now has both entries, enabling efficient forwarding.
Example 2: ARP in Action
PC1 (IP: 192.168.1.1) wants to ping PC3 (IP: 192.168.1.3). PC1 knows the destination IP but not the MAC address. It sends an ARP Request: "Who has 192.168.1.3? Tell 192.168.1.1" with destination MAC FFFF.FFFF.FFFF. All devices receive this broadcast. PC2 ignores it because the IP doesn't match. PC3 recognizes its IP and sends an ARP Reply: "192.168.1.3 is at 0C2F.B06A.3900" directly to PC1. Now PC1 can send the ping with the correct destination MAC address.
Example 3: Multi-Switch Environment
PC1 connects to SW1, which connects to SW2, which connects to PC3. When PC1 sends a frame to PC3, SW1 learns PC1's MAC on its interface. SW1 floods the frame (unknown unicast) to SW2. SW2 also learns PC1's MAC, but associates it with the interface connecting to SW1, not directly to PC1. This is important: the MAC table entry shows how to REACH a device, not necessarily where it's directly connected. When PC3 replies, both switches learn PC3's MAC and can forward efficiently in both directions.
Example 4: Padding in Action
You send a 36-byte ping. The minimum payload is 46 bytes, so the system automatically adds 10 bytes of padding (all zeros). In Wireshark, you would see these as hexadecimal zeros at the end of the frame. Each pair of hex digits represents one byte, so 20 hex digits = 10 bytes of padding. This ensures the frame meets the minimum 64-byte requirement.
Example 5: Why First Ping Fails
When you ping 192.168.1.3 from PC1, Cisco IOS sends 5 pings. The output shows: .!!!! (one period, four exclamation marks). The first ping failed (.) because PC1 had to send an ARP Request and wait for the reply to learn the destination MAC address. During this ARP process, the first ICMP Echo Request timed out. After learning the MAC address, the remaining four pings succeeded (!).
What is the purpose and size of the Ethernet Preamble?
The Preamble is 7 bytes (56 bits) of alternating 1s and 0s (pattern: 10101010 repeated). It allows receiving devices to synchronize their receiver clocks to prepare for incoming data.
What is the SFD and how does it differ from the Preamble?
SFD stands for Start Frame Delimiter. It is 1 byte with the pattern 10101011 (note the two 1s at the end). It marks the end of the Preamble and the beginning of the actual frame data.
What is the total size of Ethernet overhead (header + trailer) excluding the Preamble and SFD?
18 bytes total: Destination MAC (6) + Source MAC (6) + Type/Length (2) + FCS (4) = 18 bytes.
What is the minimum Ethernet frame size and minimum payload size?
Minimum frame size is 64 bytes (not including Preamble/SFD). Minimum payload is 46 bytes. If payload is less than 46 bytes, padding (zeros) is added.
What is the FCS and what does it do?
FCS stands for Frame Check Sequence. It is 4 bytes (32 bits) at the end of the frame that uses a CRC (Cyclic Redundancy Check) algorithm to detect transmission errors.
How do you determine if the Type/Length field indicates type or length?
If the value is 1500 or LESS, it indicates the LENGTH of the payload in bytes. If the value is 1536 or GREATER, it indicates the TYPE of encapsulated protocol.
What are the Ethernet Type values for IPv4, IPv6, and ARP?
IPv4 = 0x0800 (2048 decimal), IPv6 = 0x86DD (34525 decimal), ARP = 0x0806.
What is a MAC address and what is its size?
A MAC address (Media Access Control address) is a 48-bit (6-byte) physical address permanently assigned to a network device during manufacturing. Also called a Burned-In Address (BIA).
What is the structure of a MAC address?
First 24 bits (3 bytes) = OUI (Organizationally Unique Identifier) identifying the manufacturer. Last 24 bits (3 bytes) = Device-specific identifier unique to that device.
What is the broadcast MAC address and when is it used?
FFFF.FFFF.FFFF is the broadcast MAC address. It is used when a device wants to send a frame to ALL devices on the local network.
How are MAC addresses written?
As 12 hexadecimal characters, often formatted as: 0C2F.B011.9D00 or 0C:2F:B0:11:9D:00 or 0c-2f-b0-11-9d-00.
What does OUI stand for and what does it identify?
OUI stands for Organizationally Unique Identifier. It is the first 24 bits (first half) of the MAC address and identifies the manufacturer of the device.
How do switches learn MAC addresses?
Switches examine the SOURCE MAC address of received frames and create an entry associating that MAC address with the interface where the frame was received. This is called dynamic learning.
What is a dynamic MAC address?
A MAC address entry that was learned automatically by the switch (not manually configured). The switch learned it by examining the source MAC address of received frames.
What is the default aging time for dynamic MAC addresses on Cisco switches?
5 minutes (300 seconds) of inactivity. If no frames are received from that MAC address for 5 minutes, the entry is removed from the MAC address table.
Which MAC address field does a switch use to populate its MAC address table?
The SOURCE MAC address field. The switch learns "this MAC address can be reached via this interface" based on where frames FROM that source arrive.
Which MAC address field does a switch use to forward frames?
The DESTINATION MAC address field. The switch looks up the destination MAC in its table to determine which interface to forward the frame out of.
What is a unicast frame?
A frame destined for a single specific host, identified by that host's unique MAC address (not broadcast or multicast).
What is an unknown unicast frame and how does a switch handle it?
A unicast frame whose destination MAC address is NOT in the switch's MAC address table. The switch FLOODS it out all interfaces except the one it was received on.
What is a known unicast frame and how does a switch handle it?
A unicast frame whose destination MAC address IS in the switch's MAC address table. The switch FORWARDS it out only the specific interface associated with that MAC address.
How does a switch handle broadcast frames?
Broadcast frames (destination MAC: FFFF.FFFF.FFFF) are FLOODED out all interfaces except the one the frame was received on.
What does "flooding" mean in switch operations?
Flooding means forwarding a frame out ALL interfaces except the interface where the frame was received.
What types of frames does a switch flood?
Two types: (1) Broadcast frames (destination MAC = FFFF.FFFF.FFFF) and (2) Unknown unicast frames (destination MAC not in MAC address table).
What does ARP stand for and what is its purpose?
Address Resolution Protocol. It discovers the Layer 2 (MAC) address of a device when you know its Layer 3 (IP) address.
What are the two ARP messages?
(1) ARP Request - asking "who has this IP address?" and (2) ARP Reply - answering "that IP address belongs to this MAC address."
Is an ARP Request broadcast or unicast? Why?
BROADCAST. The ARP Request uses destination MAC FFFF.FFFF.FFFF because the requester doesn't yet know the target's MAC address, so it must ask everyone on the network.
Is an ARP Reply broadcast or unicast? Why?
UNICAST. The ARP Reply is sent directly to the device that sent the request because the replying device learned the requester's MAC address from the source MAC field of the ARP Request.
What information is stored in an ARP table?
Mappings between IP addresses (Layer 3) and MAC addresses (Layer 2). Each entry shows which MAC address corresponds to which IP address.
What command views the ARP table on Windows/macOS/Linux?
arp -a (note the space and lowercase)
What command views the ARP table on Cisco IOS devices?
show arp (from privileged EXEC mode)
In an ARP table, what does "dynamic" type mean?
The entry was learned by sending an ARP Request and receiving an ARP Reply (not manually configured or a default entry).
What is ping and what does it test?
Ping is a network utility that tests reachability between devices and measures round-trip time. It verifies if two devices can communicate.
What protocol does ping use and what are its two messages?
ICMP (Internet Control Message Protocol). Messages: (1) ICMP Echo Request and (2) ICMP Echo Reply.
Are ping messages broadcast or unicast?
UNICAST. Ping is sent to a specific destination IP address, which means the sender must already know the destination's MAC address (learned through ARP).
What are the default ping settings on Cisco IOS?
Sends 5 ICMP Echo Requests, each 100 bytes in size.
In Cisco ping output, what do "!" and "." symbols mean?
! (exclamation mark) = successful ping reply received. . (period) = failed ping, no reply or timeout.
Why does the first ping often fail when pinging a new destination?
The first ping fails because the device must first send an ARP Request to learn the destination's MAC address. During this ARP process, the first ICMP Echo Request times out. Subsequent pings succeed.
What is the relationship between ARP and ping?
ARP must complete BEFORE ping can work. Ping requires knowing the destination's MAC address, which is learned through ARP.
What command displays the MAC address table on a Cisco switch?
show mac address-table (note: SPACE after "mac", HYPHEN before "table")
What fields appear in the "show mac address-table" output?
Four fields: VLAN, MAC Address, Type, and Ports (interface).
What command clears all dynamic MAC addresses from the MAC address table?
clear mac address-table dynamic
What command clears a specific MAC address from the MAC address table?
clear mac address-table dynamic address [mac-address]
What command clears all MAC addresses learned on a specific interface?
clear mac address-table dynamic interface [interface-id]
Example: clear mac address-table dynamic interface gi0/1
What is the default VLAN shown in the MAC address table?
VLAN 1 (we'll learn more about VLANs in later lessons)
How many digits does the hexadecimal system use and what are they?
16 digits: 0,1,2,3,4,5,6,7,8,9,A,B,C,D,E,F
What decimal values do hex digits A through F represent?
A=10, B=11, C=12, D=13, E=14, F=15
How many bits does one hexadecimal digit represent?
4 bits (also called a "nibble")
How many bits do two hexadecimal digits represent?
8 bits = 1 byte
How do you identify a hexadecimal number?
Often prefixed with "0x" (like 0x0800) or followed by "h" (like 0800h). In networking documentation, context usually makes it clear.
What OSI layer do switches operate at?
Layer 2 (Data Link Layer). Switches use MAC addresses, which are Layer 2 addresses.
What is the difference between Layer 2 and Layer 3 addressing?
Layer 2 = MAC addresses (physical, assigned at manufacturing). Layer 3 = IP addresses (logical, configured by administrators).
What is a LAN?
Local Area Network - a network contained in a relatively small area like an office floor or home network.
Do switches separate LANs or expand LANs?
Switches EXPAND LANs. Multiple switches connected together still form ONE LAN. Routers SEPARATE LANs.
What are the PDU names at each layer?
Layer 4 = Segment, Layer 3 = Packet, Layer 2 = Frame, Layer 1 = Bits
When a PC receives a unicast frame with a destination MAC that doesn't match its own, what happens?
The PC drops/ignores the frame. It does not process it further.
When a switch receives a frame, what is the first thing it does?
It examines the SOURCE MAC address and updates its MAC address table (learning process).
When a switch receives a frame, what is the second thing it does?
It examines the DESTINATION MAC address and makes a forwarding decision (forward to specific port, or flood).
If padding is added to a frame, what values are used?
All zeros (0x00 in hexadecimal). Padding is added when the payload is less than 46 bytes.
What is the MAC address table also called?
CAM table (Content Addressable Memory table)
Does a MAC address table entry mean the device is directly connected to that interface?
Not necessarily. The entry means "to reach this MAC address, send frames out this interface." The device might be multiple switches away.
PC1 sends a frame to PC2 for the first time. What does the switch do?
(1) Learns PC1's MAC from the source field, (2) Doesn't know PC2's MAC (unknown unicast), (3) Floods the frame out all ports except the receiving port.
After flooding, PC2 replies to PC1. What does the switch do?
(1) Learns PC2's MAC from the source field, (2) Already knows PC1's MAC (known unicast), (3) Forwards the frame only out the port associated with PC1's MAC.
What happens if PC1 doesn't send traffic for over 5 minutes?
The switch removes PC1's MAC address entry from the MAC address table (aging). If PC1 sends traffic again, the switch will re-learn it.
You ping a device and see output: .!!!! What happened?
First ping failed (.) due to ARP delay learning the MAC address. Remaining four pings succeeded (!!!!) because the MAC address was cached.
In a multi-switch environment, which switches learn a source MAC address?
EVERY switch that the frame passes through learns the source MAC address and associates it with the interface where the frame arrived.