NE-04

Ethernet & Switching Fundamentals

Learning Objectives

Ethernet Overview

Ethernet (IEEE 802.3) is the dominant LAN technology. It defines how devices on the same network segment communicate using frames. Every Ethernet device has a unique 48-bit MAC (Media Access Control) address burned into its NIC at the factory.

Modern Ethernet uses full-duplex communication with switches, eliminating the collision domains that plagued older hub-based networks. The CSMA/CD (Carrier Sense Multiple Access with Collision Detection) protocol is technically still part of the standard but rarely invoked on switched networks.

Standard                    Speed     Cable              Max Distance
100BASE-TX (Fast Ethernet)  100 Mbps  Cat5 UTP           100 m
1000BASE-T (Gigabit)        1 Gbps    Cat5e/Cat6         100 m
10GBASE-T                   10 Gbps   Cat6a/Cat7         100 m
1000BASE-SX (Fiber)         1 Gbps    Multi-mode fiber   550 m
1000BASE-LX (Fiber)         1 Gbps    Single-mode fiber  10 km

MAC Addresses

A MAC address is 48 bits (6 bytes) written in hexadecimal. The first 3 bytes form the OUI (Organizationally Unique Identifier), assigned by IEEE to the vendor. The last 3 bytes are a vendor-assigned device identifier.

/* MAC Address Anatomy */
AA:BB:CC:11:22:33
|  OUI  | Device ID |

/* Special MAC Addresses */
FF:FF:FF:FF:FF:FF = Broadcast (sent to ALL devices on segment)
01:00:5E:xx:xx:xx = IPv4 Multicast
33:33:xx:xx:xx:xx = IPv6 Multicast

/* View your MAC addresses: */
$ ip link show        # Linux
C:\> ipconfig /all    # Windows
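As an added illustration (not part of the original page), the following Python parses a MAC, splits it into the OUI and device ID, and names the special addresses listed above; the sample addresses are constructed.

```python
import re

# Accept colon- or dash-separated pairs with one consistent separator.
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def is_valid_mac(text):
    return bool(_MAC_RE.match(text))


def parse_mac(text):
    """Return the 6 raw bytes of a MAC written as AA:BB:CC:11:22:33 (or with dashes)."""
    if not is_valid_mac(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(part, 16) for part in re.split(r"[:-]", text))


def describe_mac(text):
    """Split a MAC into OUI / device ID and classify it per the table above."""
    mac = parse_mac(text)
    if mac == b"\xff" * 6:
        kind = "broadcast"
    elif mac[:3] == bytes.fromhex("01005e") and mac[3] < 0x80:
        kind = "ipv4-multicast"          # 01:00:5E:00:00:00 - 01:00:5E:7F:FF:FF
    elif mac[:2] == bytes.fromhex("3333"):
        kind = "ipv6-multicast"
    elif mac[0] & 0x01:
        kind = "multicast"               # I/G bit set: some other group address
    else:
        kind = "unicast"
    return {
        "oui": mac[:3].hex(":").upper(),
        "device_id": mac[3:].hex(":").upper(),
        "kind": kind,
        # U/L bit: set means locally administered (software-assigned, e.g. a
        # randomised or changed address); clear means the OUI is vendor-assigned
        # and can be looked up in the IEEE registry.
        "locally_administered": bool(mac[0] & 0x02),
    }
```

The page's example AA:BB:CC:11:22:33 is reported as locally administered because the second-lowest bit of its first byte is set; vendor-assigned OUIs have that bit clear, which is one quick sanity check when an unfamiliar MAC shows up in a switch's table.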

ARP -- Address Resolution Protocol

When a device knows the destination IP but not the MAC address, ARP resolves it. The sender broadcasts an ARP Request to every device on the segment. The device with the matching IP responds with an ARP Reply containing its MAC address.

Step 1: Host A wants to reach 192.168.1.20 (unknown MAC)
Step 2: Host A sends ARP Request (broadcast):
        "Who has 192.168.1.20? Tell 192.168.1.10"
        Dest MAC: FF:FF:FF:FF:FF:FF
Step 3: Host B (192.168.1.20) responds (unicast):
        "192.168.1.20 is at AA:BB:CC:11:22:33"
        Dest MAC: Host A's MAC
Step 4: Host A caches the result in its ARP table.

/* View ARP cache: */
$ arp -a
$ ip neigh show

Security Note: ARP has no authentication. ARP spoofing/poisoning attacks allow an attacker to intercept traffic by sending fake ARP replies, associating their MAC with a victim's IP. Dynamic ARP Inspection (DAI) on managed switches mitigates this.
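The four steps above and the Security Note, worked as an added Python example (not from the original page): it encodes and decodes ARP packets and runs a small monitor that keeps the Step 4 cache and flags a later reply claiming a different MAC for an IP already in the table, which is the inconsistency DAI looks for. All addresses are constructed.

```python
import struct
from ipaddress import IPv4Address

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa = 28 bytes

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Encode an Ethernet/IPv4 ARP payload in RFC 826 field order."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                       mac_bytes(target_mac), IPv4Address(target_ip).packed)

def parse_arp(payload):
    """Decode the 28-byte ARP payload back into a dict of printable fields."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sender_mac": sha.hex(":"), "sender_ip": str(IPv4Address(spa)),
            "target_mac": tha.hex(":"), "target_ip": str(IPv4Address(tpa))}

class ArpWatcher:
    """Passive monitor: learns IP -> MAC from the sender fields of every ARP packet
    and records an alert when a later packet claims a different MAC for a known IP,
    the inconsistency that Dynamic ARP Inspection checks for on the switch."""

    def __init__(self):
        self.table = {}    # the host's ARP cache, as in Step 4
        self.alerts = []

    def observe(self, payload):
        arp = parse_arp(payload)
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = self.table.setdefault(ip, mac)
        if known != mac:
            self.alerts.append(f"{ip} was {known}, now claimed by {mac}")
        return arp

def run_example():
    """Steps 1-4 above with constructed addresses, followed by one conflicting reply."""
    host_a, host_b = "aa:aa:aa:00:00:10", "aa:bb:cc:11:22:33"
    w = ArpWatcher()
    w.observe(build_arp(ARP_REQUEST, host_a, "192.168.1.10", "00:00:00:00:00:00", "192.168.1.20"))
    w.observe(build_arp(ARP_REPLY, host_b, "192.168.1.20", host_a, "192.168.1.10"))
    w.observe(build_arp(ARP_REPLY, "de:ad:be:ef:00:01", "192.168.1.20", host_a, "192.168.1.10"))
    return w
```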

How Switches Work

A switch maintains a MAC address table (CAM table) that maps MAC addresses to physical ports. When a frame arrives, the switch reads the source MAC and associates it with the ingress port. It then looks up the destination MAC to determine the egress port.

Learn:   Source MAC of incoming frame is recorded in the CAM table with the port number and a timer.
Forward: If the destination MAC is in the table, the frame is sent only to that specific port (unicast).
Flood:   If the destination MAC is unknown, the frame is sent out all ports except the source port.
Filter:  If source and destination are on the same port, the frame is dropped (no need to forward).
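An added Python simulation (not from the original page) of the learn / forward / flood / filter rules, including the aging timer mentioned under Learn; port names, MACs and the 300-second aging default are constructed for the example.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Switch:
    ports: list                    # e.g. ["fa0/1", "fa0/2", "fa0/3"]
    aging: int = 300               # seconds an idle CAM entry survives (assumed default)
    cam: dict = field(default_factory=dict)   # mac -> (port, last_seen)

    def expire(self, now):
        """Remove entries whose aging timer has run out."""
        self.cam = {m: (p, t) for m, (p, t) in self.cam.items() if now - t < self.aging}

    def receive(self, ingress, src, dst, now=0):
        """Handle one frame and return the egress port list (learn/forward/flood/filter)."""
        self.expire(now)
        self.cam[src] = (ingress, now)                        # learn (refreshes the timer)
        others = [p for p in self.ports if p != ingress]
        if dst == BROADCAST or int(dst[:2], 16) & 0x01:       # broadcast or multicast
            return others                                     # flood
        entry = self.cam.get(dst)
        if entry is None:                                     # unknown unicast
            return others                                     # flood
        if entry[0] == ingress:                               # same segment as the sender
            return []                                         # filter
        return [entry[0]]                                     # forward


def demo():
    """Replay the four rules on a 3-port switch with constructed MACs;
    c and d hang off a hub on fa0/3 so they share one port."""
    a, b, c, d = ("00:11:22:00:00:0a", "00:11:22:00:00:0b",
                  "00:11:22:00:00:0c", "00:11:22:00:00:0d")
    sw = Switch(["fa0/1", "fa0/2", "fa0/3"])
    return [
        sw.receive("fa0/1", a, b),            # b unknown: flood
        sw.receive("fa0/2", b, a),            # a learned on fa0/1: forward
        sw.receive("fa0/3", c, d),            # d unknown: flood
        sw.receive("fa0/3", d, c),            # c is on the ingress port: filter
        sw.receive("fa0/1", a, b, now=400),   # b's entry aged out: flood again
    ]
```

Both unknown-unicast and aged-out entries cause flooding, so any frame whose destination the switch has not recently learned is delivered to every other port in the VLAN.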

VLANs -- Virtual LANs

VLANs logically segment a physical switch into multiple broadcast domains. Devices in VLAN 10 cannot communicate with VLAN 20 at Layer 2 -- a router (or Layer 3 switch) is required to route between them. This improves security, performance, and management.

/* Cisco IOS: Create VLANs and assign ports */
Switch(config)# vlan 10
Switch(config-vlan)# name Engineering
Switch(config)# vlan 20
Switch(config-vlan)# name Marketing

/* Assign port to VLAN (access port) */
Switch(config)# interface fa0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10

/* Trunk port (carries multiple VLANs between switches) */
Switch(config)# interface gi0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10,20

802.1Q Tagging: Trunk links use 802.1Q to insert a 4-byte VLAN tag into the Ethernet frame header. The tag identifies which VLAN the frame belongs to. The native VLAN (default: VLAN 1) sends frames untagged.
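802.1Q tagging as an added Python example (not part of the original page): inserting and stripping the 4-byte tag, classifying untagged trunk traffic into the native VLAN, and applying the "switchport trunk allowed vlan" filter from the configuration above. The sample frame is constructed.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that announces a VLAN tag


def tag_frame(frame, vid, pcp=0, dei=0):
    """Insert the 4-byte 802.1Q tag after the 12-byte destination/source MAC header."""
    if not 0 <= vid <= 4095 or not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("VID is 12 bits, PCP 3 bits, DEI 1 bit")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame):
    """Return (vid, pcp, frame_without_tag); vid is None if the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, tci >> 13, frame[:12] + frame[16:]


def trunk_ingress(frame, native_vid=1):
    """Classify a frame arriving on a trunk: untagged frames land in the native VLAN."""
    vid, _pcp, raw = untag_frame(frame)
    return (native_vid if vid is None else vid), raw


def trunk_egress(frame, vid, allowed, native_vid=1):
    """Send a frame out a trunk: drop VLANs outside the allowed list (None),
    leave the native VLAN untagged, tag everything else."""
    if vid not in allowed:
        return None
    return frame if vid == native_vid else tag_frame(frame, vid)


def sample_frame():
    """Constructed untagged IPv4 frame: dst MAC, src MAC, EtherType 0x0800, payload."""
    return bytes.fromhex("aabbcc112233" "001122334455" "0800") + b"constructed payload"
```

Because native-VLAN frames carry no tag, the receiving trunk cannot distinguish them from any other untagged traffic, which is why hardening guides recommend moving the native VLAN off VLAN 1 to a dedicated, unused VLAN.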

STP -- Spanning Tree Protocol

When redundant links exist between switches, frames can loop forever (broadcast storms). STP (IEEE 802.1D) prevents loops by logically blocking redundant paths. It elects a Root Bridge, calculates the shortest path from every switch to the root, and blocks any alternative paths.

/* STP Port States */
Blocking:   Does not forward frames. Listens for BPDUs only.
Listening:  Processing BPDUs. Determining root bridge and port roles.
Learning:   Building MAC address table. Not yet forwarding.
Forwarding: Normal operation. Sending and receiving data.
Disabled:   Administratively shut down.

/* STP Port Roles */
Root Port:       Best path to the Root Bridge (one per non-root switch)
Designated Port: Best path from a segment to the Root Bridge
Blocked Port:    Redundant path -- disabled to prevent loops

/* Root Bridge election: lowest Bridge ID wins.
   Bridge ID = Priority (default 32768) + MAC Address */
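Root Bridge election and port-role assignment as an added Python example (not from the original page). The Bridge ID comparison follows the rule above (priority, then MAC); the port-role tiebreak order is simplified relative to 802.1D, and the three-switch topology is constructed.

```python
import heapq

DEFAULT_PRIORITY = 32768

def bridge_id(priority, mac):
    """Comparable Bridge ID: priority first, MAC as the tiebreaker (lower wins)."""
    return (priority, bytes.fromhex(mac.replace(":", "")))

def elect_root(bridges):
    """bridges: {name: (priority, mac)} -> name of the switch with the lowest Bridge ID."""
    return min(bridges, key=lambda n: bridge_id(*bridges[n]))

def root_path_costs(links, root):
    """links: [(switch_a, switch_b, port_cost)] -> {switch: cheapest total cost to root}."""
    adj = {}
    for a, b, cost in links:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    dist, heap = {root: 0}, [(0, root)]
    while heap:                                   # Dijkstra over the link costs
        d, n = heapq.heappop(heap)
        for m, c in adj.get(n, []):
            if d + c < dist.get(m, float("inf")):
                dist[m] = d + c
                heapq.heappush(heap, (d + c, m))
    return dist

def port_roles(bridges, links):
    """Label every (switch, link_index) port root / designated / blocked. Tiebreak used:
    lower root path cost, then lower neighbour Bridge ID, then lower link index."""
    root = elect_root(bridges)
    cost = root_path_costs(links, root)
    bid = {n: bridge_id(*bridges[n]) for n in bridges}
    roles = {}
    for n in bridges:                             # one root port per non-root switch
        if n == root:
            continue
        candidates = [(cost[b if a == n else a] + c, bid[b if a == n else a], i)
                      for i, (a, b, c) in enumerate(links) if n in (a, b)]
        roles[(n, min(candidates)[2])] = "root"
    for i, (a, b, _c) in enumerate(links):        # one designated port per segment
        des = a if (cost[a], bid[a]) < (cost[b], bid[b]) else b
        for end in (a, b):
            roles.setdefault((end, i), "designated" if end == des else "blocked")
    return root, roles

def sample_topology():
    """Constructed triangle: three switches, default priority, gigabit links (cost 4)."""
    bridges = {f"SW{i}": (DEFAULT_PRIORITY, f"00:00:00:00:00:0{i}") for i in (1, 2, 3)}
    return bridges, [("SW1", "SW2", 4), ("SW2", "SW3", 4), ("SW1", "SW3", 4)]
```

With all priorities left at the default, the lowest MAC decides the root, so the redundant SW2-SW3 link is blocked on SW3; lowering SW3's priority would move the root without any cabling change, which is why BPDU Guard and Root Guard exist on access ports.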

RSTP (802.1w) is the modern replacement for STP. Convergence time drops from 30-50 seconds (STP) to under 6 seconds (RSTP) by introducing new port states and roles.

Key Takeaways