Ethernet Processes

Ethernet is the original Local Area Network technology. Other LAN technologies have
competed with Ethernet, but Ethernet is really the only LAN technology left in the market place.
At one time, it looked like Ethernet would fade because of performance issues, but Layer 2
switching technology saved Ethernet. The problem was collisions. Before layer 2 switching,
Ethernet LANs (10Base2, 10Base5, 10BaseT) lost up to 70% of its bandwidth because of
collisions.

Layer 2 switches create a collision-free network. A switch has a very high speed back plane that
connects to each port on the switch. The back plane is much faster than the speed of an
individual port. Data from a computer is “stored” in the port and is “forwarded” when the back
plane can accept the data without a collision. Think of the back plane as a very fast, but very
safe, interstate highway. Cars wait for an opening before entering the flow of traffic. The car
then travels to its destination and exits without having a wreck, or collision. The data travels on
the back plan much faster than the port speed where it entered the switch, freeing up the back
plane for data from other ports. Before layer 2 switches, Ethernet was more like the interstate
highways that most of us travel, the one where about 70% of the cars are affected by wrecks and
we are late for work about three times a week.

With the development of layer 2 switching, Ethernet became the fastest, most reliable, and, more
importantly, the least expensive LAN technology on the market. Today, Ethernet ports on our
computers are essentially “free” since it is installed on almost every new computer. Most laptops
have both copper Ethernet such as 100BaseT or even Gigabit Ethernet, and wireless Ethernet,
and the increase in cost for the Ethernet connections is minimal.

Layer 2 switch ports on a 2950 switch cost about $100 per port. If you need a few switch ports
at home, they cost even less. Your $50 internet router has them for as little as $12 each, though
the primary cost of your router is not ports but rather the routing function (as strange as it may
seem that you bought a router to route). An eight-port switch can cost as little as $20, or $2.50 a
port. Enhanced functionality such as full duplex and 100BaseT, or increasingly, 1000BaseT,
produce speeds that were unimaginable only a few years ago, and at low prices also
unimaginable. With Layer 2 switching, data rates increased while cost decreased. The result:
Ethernet survived and other LAN technologies disappeared.

While understanding the physical aspects of Ethernet are important for the CCNA exam, that is
not the purpose of this document. Both the Cisco CCNA and Sybex CCNA books cover the
historical and physical aspects of Ethernet very well. Even more complete explanations of
Ethernet can be found on the Internet, so there is no need to reinvent the wheel here. Make sure
you completely understand the physical aspects of Ethernet technology as well as processes
such as collision detection, broadcasts, etc., before you take the CCNA exam. We will not
cover CSMA-CD, for example, though it is coming back with wireless LANs. This document
covers Ethernet addressing, how computers use the addresses, and more importantly for your
exam, how Cisco switches use Ethernet addresses. This explanation is important for
understanding future labs and switch function.
Ethernet Addressing

Each Ethernet device has an address coded into the hardware. Each address is six bytes, 48 bits,
12 hexadecimal digits in length. The first three bytes identify the manufacturer and is called the
“Organizationally Unique Identifier” or OUI. The last three bytes keep the card unique, a serial
number, if you like. Just don't call it a serial number. The address has several names, and you
should know them all:
1. Unicast address, as in a frame addressed to a single, or “uni” address.
2. MAC Address (Media Access Control)
3. Ethernet address
4. “burned in address” since it is “burned in” to the controller on the card.
5. Layer 2 address

MAC address and unicast address seem to the the most common terms, and have the most value
when working with Cisco equipment.

An Ethernet frame has the following format:

Preamble or Destination Source Type/ Data FCS

Preamble + Address – Address - Length
Start Frame computer Computer
Delimiter receiving transmitting
(SFD) data data
8 bytes 6 bytes 6 bytes 2 bytes 48 – 1500 bytes 4 bytes
SFD -7
bytes + 1
byte

The International Electrical and Electronics Engineers (IEEE) oversee a number of standards
related to data communication: cabling, voltages, protocols, etc. The IEEE made three changes
to the original Ethernet standard, but none to Ethernet addressing.

1. The new standard was named 802.3, using the 802 naming convention.

2. Part of the preamble were renamed. Ethernet defined the preamble as 64 bits: 62 “one”
bits followed by “01”. The “01” bits indicated that the next bits were meaningful data,
the destination address. Basically, the “01” was for framing, or indicating where
meaningful data started.

The IEEE defined the Preamble as two parts. The first 7 bytes, or 56 bits, are “one” bits,
and are called the Preamble. However, the last byte, 8 bits, differed in the last two bits:
11111101. This byte was named the “Start Frame Delimiter,” or “SFD.” Actually, the
term SFD is more accurate, since the data is “delimited,” or starts after this byte.
Everyone calls it the Preamble, and everyone knows what it means, but it might be an
issue on an exam. Or not.

3. Another change was the 2 byte type field. The IEEE used used it as a length field, to
 indicate the amount of data, and used other bits to define the type of data.

While there are more complete explanations available for the changes, the address fields were
not changed.

Since all Ethernet computers originally shared the same coax cable or hub network, every
computer had to evaluate every frame. Each device processed the destination address to
determine if the frame had been sent to them. The computer that had the destination address then
had to “remember” the source address in order to reply if necessary.

Preamble Destination Address Source address Type/ Data FCS

Length
11111...01 00-18-37-9A-48-12 00-16-D4-EE-D1-E6 2 bytes 48 – 1500 bytes 4 bytes

Often the transmitting computer needs access to a service, but does not know the MAC address
of the computer that provides the service. When the MAC address of the destination computer
is not known, the source computer will send a broadcast request for the information. A broadcast
frame uses all 1 bits, or hexadecimal FF-FF-FF-FF-FF-FF, in the Destination address. It puts its
own address, 00-16-D4-EE-D1-E6, in the source address field so that the servicing computer will
know how to address the reply.

Preamble Destination Address Source address Type/ Data FCS

Length
11111...01 FF-FF-FF-FF-FF-FF 00-16-D4-EE-D1-E6 2 bytes Request for service or address 4 bytes

Every computer that “sees” the broadcast will evaluate the request. The computer that can
service the request will reply. In this example, the computer with the address 00-18-37-9A-48-
12 services the request. The acknowledgment frame uses the source MAC address of the
request as the destination address for the reply, and its own address in the source address field.

Preamble Destination Address Source address Type/ Data FCS

Length
11111...01 00-16-D4-EE-D1-E6 00-18-37-9A-48-12 2 bytes Reply 4 bytes

The original computer that requested the information will use the source address in the reply
frame to send another frame, this time with data.

Preamble Destination Address Source address Type/ Data FCS

Length
11111...01 00-18-37-9A-48-12 00-16-D4-EE-D1-E6 2 bytes Data 4 bytes

This process of alternating the source and destination addresses is the key to understanding
Ethernet data transfer. Each receiving computer uses the source address in the received frame as
the destination address for the reply, and puts its own address in the source address field. If a
computer does not know the address of the destination computer, it uses a broadcast, all 1's bits,
or FF-FF-FF-FF-FF-FF hexadecimal. The reply to the broadcast will have the needed MAC
address.
Computers store the MAC addresses that they learn in a table. Windows- and UNIX/Linux-
based computers and Cisco routers store the information in an ARP table (ARP, Address
Resolution Protocol, is an IP function and will be discussed later). Cisco switches store the
information in a MAC address table, called a mac-address-table. Each devices finds the
information in the same way: by reading the Source address field in an Ethernet frame.

The format of how the address is displayed varies between operating systems. The address is not
different, only the way the address is displayed. All MAC addresses are simply 48 bits.
– Windows uses the format xx-xx-xx-xx-xx-xx
– UNIX/Linux uses the format xx:xx:xx:xx:xx:xx
– Cisco uses the format xxxx.xxxx.xxxx

To display the MAC address of the local Ethernet card/interface:

– Windows: ipconfig /all
– UNIX/Linux: ifconfig -a (some systems require -a, some do not)
– Cisco: show interface x/y, show version

To display the table of known MAC addresses:

– Windows: arp -a
– UNIX/Linux: netstat
– Cisco switches: show mac-address-table
– Cisco routers: show arp

Layer 2 switching and Ethernet Addresses

It will be difficult to understand Cisco switching processes without completely understanding the
information above. The CCNA exam will have questions that use all of this information.
Unfortunately, it will not be simple questions about the format of an Ethernet frame, or the parts
of an Ethernet address. Instead it will be questions that apply your knowledge of Ethernet
processes.

The rules for Layer 2 switching were developed long before layer 2 switches were developed.
Layer 2 forwarding was developed for devices called “bridges.” Bridges were basically
computers with multiple Ethernet ports. The forwarding/filtering decisions were made in
software, a slow process by today's standards. However, the process has survived, except now
the decisions are made in hardware, and happen much faster.

Switching involves two processes: MAC Address learning and deciding whether to forward or
filter.

Address Learning

A switch or a bridge learns the Ethernet MAC addresses of the devices that are connected to it,
and create a table of the MAC addresses and the ports that MAC addresses are connected to.
The process of building the MAC address table is the same for all computer: determine the
source address in the frame. When a frame enters the switch, the switch will examine the source
address and determine if it is already in the MAC address table. If the source MAC address is
not in the MAC Address table, the switch will create another entry for the address and the port
that it came into the switch on. So a MAC address table is just a list of the ports and the MAC
addresses connected to the ports.

So far, so good. A switch learns the addresses by examining source addresses and records them
with the port they are connected to. This table has various names: ARP table, ARP cache, MAC
address table,

Forward vs. Filter

The switch uses the MAC address table to determine whether to forward the frame to another
port, or filter the frame. Filtering is simply ignoring or dropping the frame. When a frame enters
a switch, the switch examines the destination address.
– If the destination MAC address and the source MAC address are on different ports, the
switch will forward the frame to the port that supports the destination MAC address.
– If both the source and destination MAC addresses are on the same port, the switch will
filter, or drop the frame. The reason for filtering is that there is no need to transmit the
frame again. The destination device should see the frame since it is on the same media.

Some frames are forwarded automatically. Broadcast frames are forwarded, or transmitted, on
all ports EXCEPT the port that the frame entered the switch on. Any devices supported by the
same port should see the broadcast when the switch does. There is no need to retransmit it on the
same port.

Frames with unknown destination MAC addresses are also forwarded on all ports EXCEPT the
port that the frame entered the switch on. This guarantees that the device with the unknown
address will receive the frame.

You may wonder how a device would send a frame to an unknown MAC address. The term
“unknown MAC address” applies to the switch, not to the source computer. The answer is found
in how the switch manages its MAC address table. All devices, switches and computers, age the
entries in their tables based on use. Each time a MAC address is used in a transmission, the
computer restarts the timer for that MAC address. If an address is not used in a specified amount
of time, the device, switch or computer, will delete the entry from the table to save memory. If a
switch deletes an entry before a computer does, the computer can still know the MAC address,
but the switch does not. The computer knows the MAC address, and it will create and transmit a
frame to the MAC address, but the switch will have to transmit it on all ports to make sure that
the frame is delivered to the destination device.

Summary

1. A switch learns the MAC addresses of the devices connected to it by reading the source
 MAC address in every Ethernet frame.
2. The switch creates a table, the mac-address-table, that has the source MAC addresses and
their switch ports.
3. When an Ethernet frame enters the switch, the switch compares the destination MAC
address to the entries in the mac-address-table. If the destination address is on a different
port than the source address, the switch forwards the frame to the destination port.
4. If the destination address is on the same port as the source address, the switch filters the
port.
5. If the frame is a broadcast or to an unknown MAC address, the frame is forwarded on all
ports.

Below is a partial display of the mac-address-table from an enterprise switch.

Mac Address Table

-------------------------------------------

Vlan Mac Address Type Ports

---- ----------- ----- -----
All 000f.9041.9b00 STATIC CPU
All 0100.0ccc.cccc STATIC CPU
All 0100.0ccc.cccd STATIC CPU
All 0100.0cdd.dddd STATIC CPU
1 0011.9354.7230 DYNAMIC Fa0/2
1 0018.18df.3281 DYNAMIC Fa0/1
202 0000.0c07.acc6 DYNAMIC Fa0/6
202 000e.0cc7.04d2 DYNAMIC Fa0/16
202 0012.1ea2.6cb0 DYNAMIC Fa0/19
202 0060.2e02.aee3 DYNAMIC Fa0/15
202 0080.8c02.70e1 DYNAMIC Fa0/23
202 00e0.1eae.cdc8 DYNAMIC Fa0/14
202 c288.6060.0d83 DYNAMIC Fa0/12
203 0000.0c07.ac03 DYNAMIC Fa0/3
203 00e.0c5c.d8b0 DYNAMIC Fa0/10
203 0010.db65.66c0 YNAMIC Fa0/8
203 0018.19c1.0ac1 DYNAMIC Fa0/9
204 0011.9354.7241 DYNAMIC Fa0/4
210 0011.9354.7242 DYNAMIC Fa0/5

Reading the display

– Column 1 is the VLAN assignment for the interface (shown on the far right). VLANs
will be covered in future labs.
– Column 2 is the MAC address of the computer connected to the interface
– Column 3, Type, indicates how the MAC address was discovered.
– Static MAC addresses are internal addresses for the switch. Internal switch
MAC addresses will be covered in future labs.
– Dynamic addresses are addresses that were discovered by the process
described in this document: examining the source MAC address fields of
Ethernet frames
– Ports is the interface that supports the computer with the recorded MAC address.
If you are using Packet Tracer, the “show mac-address-table“ display will not show static MAC
addresses, only dynamic addresses.

The primary emphasis in this document is on unicast addresses, or data addressed to a single
remote address. However, Cisco will include questions about addresses to multiple remote
devices simultaneously, both broadcast and multicast addressing. You have seen the most
common type of addressing used to communicate with multiple remote hosts: broadcast. Not
discussed in this document is the multicast address, an address that is intended for multiple, but
not necessarily all, remote hosts.

Copyright by Hedgehog Technical Institute®.