Layer 2 Concepts

Tue Apr 26 2022

Layer 2 Addressing

At layer 2 is where our Ethernet Frame exists, and first up let's talk about the type of address that we use at layer 2. At layer 2 is our **MAC address ,**that's the Media Access Control address. This address is a 48-bit address that is written in hexadecimal. Typically it's written with colons in between each two characters:

01:23:45:67:89:AB

Cisco though, writes it as a group of four characters and a period between:

0123.4567.89ab

You'll see it written in different ways, based on the vendor that you're working with and just preference. Regardless, it is a 48-bit address that consists of 12 hexadecimal characters. We have broadcast, unicast, and multicast mac addresses, and although you don't need to worry about the multicast address ranges for the CCNA exam, it's good to know that your broadcast address is all Fs:

FF:FF:FF:FF:FF:FF

ARP

The Address Resolution Protocol. this is what's used to resolve a MAC address from an IP address. Since ARP is used when the device doesn't know the MAC address for a given IP address, it sends the ARP with the destination MAC address being all Fs, the broadcast address, so that all devices in the broadcast domain receive the message. The ARP Request can be thought of as the device asking "Who owns this IP address?". As we can see in the Wireshark capture below, this is how Wireshark presents the ARP request as well. The corresponding response is "That IP is as this MAC address".

Wireshark capture of ARP

Switching concepts

What is it exactly that a switch does? What role does it play in the network? As discussed briefly in the Network Components lesson, a switch's primary purpose is to learn what MAC addresses live on each of its ports and to forward frames out its ports accordingly. A switch also breaks up each of their ports into their own collision domain. For example, in the case of the basic topology below, we have a switch with 4 connected devices. In this topology we have 4 collision domains. We'll also assume that there's a single VLAN, or broadcast domain.

4 nodes connected to a switch

The switch looks up the source of the MAC address of incoming frames and that's how it learns where devices are.

What does it mean to be in the same broadcast domain? Well for example, let's say PC1 sends out an ARP request for 10.10.10.1, that is going to be sent with a destination MAC address of all Fs, so a broadcast address. This broadcast is sent asking "Will the device who owns 10.10.10.1 please reply". The switch will flood this frame out all ports which are in the same broadcast domain, or VLAN, except the one it came in on. So all 3 of the other computers will receive that frame, and say PC2 will reply "10.10.10.1 is at 22:22:22:22:22:22" though with the correct MAC. A switch's primary job is to learn what port that MAC address specifically lives off of, so that when PC1 sends in a frame that is destined for the mac address of PC2 that the switch will send that frame out the port towards PC2, and not to any of the other ports. That helps maintain your bandwidth, since you don't have a bunch of unneeded traffic going to other devices that don't need to see it, and it helps maintain security to make sure that only the devices who the traffic is destined for are the ones that are actually receiving that traffic. The switch looks up the source of the MAC address of incoming frames and that's how it learns where devices are.

B.U.M. Traffic

You may be asking yourself "what does a switch do with traffic when it doesn't know where the destination is?". Switches typically handle B.U.M. traffic the same. That's Broadcast, unknown Unicast, and Multicast. When any of these frames are received, the switch will usually flood the frame out all ports in the same broadcast domain except the port it came in on.

CAM Table

So, when that frame comes in, the switch first records the source MAC address and the port it came in on in the CAM table, or resets the aging timer if it already knew of this entry.

Next, it looks up the destination MAC address in its CAM table, the Content Addressable Memory table, to see if it already knows that that MAC address lives. If it does know, it will forward that frame out that port and all is well. If it doesn't have a CAM table entry for the destination MAC address, it will by default flood the frame out all ports except the one it came in on, in the same broadcast domain.

As for the aging timer, when a frame comes into the switch and it learns what port that the source MAC address lives on, the switch only trusts that information for a certain period of time before it decides that the information may not be accurate anymore. By default on Cisco switches, that amount of time is 5 minutes, or 300 seconds. When it receives another frame with the same source MAC on the same port, it'll go ahead and reset that timer back to five minutes again. That way if there's 5 minutes of inactivity, 5 minutes of no frames being received then that entry in the table is removed. Though, now what happens when it receives a frame destined for that MAC? It no longer knows which port it lives on. It is treated as BUM traffic, it floods the frame out all of its ports to ensure delivery.