"LAN" is short for Local Area Network: a single broadcast domain where every device can reach every other device with a link-layer frame, without involving a router. Almost every office floor, every home Wi-Fi, every server rack ToR domain is a LAN. This post is about what is going on inside one.
What you will learn
- The Ethernet frame format and what each field is for
- How MAC addresses are structured, and what the locally-administered and multicast bits mean
- Why hubs are gone and switches replaced them
- The switch learning algorithm with a step-by-step worked example
- How ARP discovers the MAC for a given IP, and how ARP spoofing breaks the whole assumption
- Broadcast storms and a peek at why Spanning Tree Protocol exists
1. The Ethernet Frame, Field by Field
Everything in this post is going to be expressed in terms of Ethernet frames moving across a LAN. So let's look at the frame.
| Field | Length | Purpose |
|---|---|---|
| Preamble | 7 bytes | Alternating 1s and 0s. Lets the receiver's clock recovery lock on to the sender's bit clock before any real data arrives. |
| SFD (Start Frame Delimiter) | 1 byte (0xD5 as a byte value; the bit pattern 10101011 as it goes on the wire, LSB first) | Marks "the next bit is the first bit of the destination address". Without this, the receiver does not know where the preamble ends. |
| Destination MAC | 6 bytes | Who the frame is for. Can be unicast, multicast, or broadcast. |
| Source MAC | 6 bytes | Who sent it. Always unicast (no broadcast or multicast in this field). |
| EtherType / Length | 2 bytes | If value ≥ 0x0600, it identifies the upper-layer protocol (0x0800 = IPv4, 0x86DD = IPv6, 0x0806 = ARP, 0x8100 = 802.1Q VLAN tag). If < 0x0600, it is interpreted as a payload length (legacy 802.3). |
| Payload | 46 to 1500 bytes | The thing the upper layer wants to send. Minimum 46 bytes (padded if needed) because of the CSMA/CD minimum-frame requirement from Part 2. |
| FCS (Frame Check Sequence) | 4 bytes | CRC-32 over the destination MAC, source MAC, EtherType, and payload. See Part 1. |
| Inter-Frame Gap | 12 byte-times of silence | Not a field. The minimum idle time between frames on the wire. Lets receivers recover, lets buses settle. |
The preamble, SFD, and inter-frame gap live below the level the OS normally sees. When tcpdump or Wireshark show you an Ethernet frame, they start at the destination MAC and end at the FCS (and on most NICs even the FCS is stripped before the frame reaches userspace).
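The frame layout above, as an added example that is not code from the original post: a small Python builder and parser for Ethernet II frames, including the 802.1Q tag case, the legacy 802.3 length case, and an FCS check. It assumes the FCS is still attached to the bytes you hand it (true for the frames it builds itself; usually not true for a pcap, where the NIC has already stripped it). The function names and the sample frame contents are constructed for the example.

```python
import struct
import zlib
from typing import Optional

# Constructed example, not code from the original post: builds and parses Ethernet II
# frames (with an optional 802.1Q tag) and verifies the FCS. Assumes the FCS is still
# attached to the bytes being parsed, which is NOT the case for most pcap captures.

ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP", 0x8100: "802.1Q"}
FCS_RESIDUE = 0x2144DF1C  # CRC-32 over (data + its own correct FCS) is always this constant


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def fcs(frame_without_fcs: bytes) -> int:
    # Ethernet's CRC-32 (IEEE 802.3 polynomial, reflected, init/xor-out 0xFFFFFFFF)
    # is the same CRC zlib computes; the frame carries it least-significant byte first.
    return zlib.crc32(frame_without_fcs) & 0xFFFFFFFF


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: Optional[int] = None) -> bytes:
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan & 0x0FFF)  # TPID, then PCP/DEI/VID
    hdr += struct.pack("!H", ethertype)
    body = payload.ljust(46, b"\x00")  # pad to the 46-byte minimum (64 bytes on the wire)
    frame = hdr + body
    return frame + struct.pack("<I", fcs(frame))


def parse_frame(frame: bytes) -> dict:
    """What tcpdump shows: dst, src, optional VLAN tag, EtherType/length, payload, FCS."""
    if len(frame) < 64:
        raise ValueError("runt: shorter than the 64-byte minimum")
    dst, src = frame[:6], frame[6:12]
    off, vlan = 12, None
    (etype,) = struct.unpack_from("!H", frame, off)
    if etype == 0x8100:                      # 802.1Q: the tag sits before the real EtherType
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vlan = tci & 0x0FFF
        off += 4
        (etype,) = struct.unpack_from("!H", frame, off)
    off += 2
    body = frame[off:-4]
    if etype >= 0x0600:                      # EtherType: names the upper-layer protocol
        kind, length = ETHERTYPES.get(etype, f"0x{etype:04x}"), None
    else:                                    # legacy 802.3: the field is a payload length
        kind, length = "802.3 length", etype
        body = body[:length]                 # anything beyond it is padding
    (sent_fcs,) = struct.unpack("<I", frame[-4:])
    return {
        "dst": mac_str(dst), "src": mac_str(src), "vlan": vlan,
        "ethertype": etype, "kind": kind, "length": length, "payload": body,
        "fcs_ok": sent_fcs == fcs(frame[:-4]),
        # The check a NIC actually does: run the CRC over the whole frame, FCS included.
        "residue_ok": (zlib.crc32(frame) & 0xFFFFFFFF) == FCS_RESIDUE,
    }


BROADCAST = bytes.fromhex("ffffffffffff")
HOST = bytes.fromhex("3c22fb5a917e")         # the example MAC used in this post

if __name__ == "__main__":
    f = build_frame(BROADCAST, HOST, 0x0806, b"\x00\x01\x08\x00\x06\x04\x00\x01", vlan=100)
    print(parse_frame(f))
    bad = bytearray(f)
    bad[20] ^= 0x01                           # flip one payload bit
    print(parse_frame(bytes(bad))["fcs_ok"])  # False
```

The `residue_ok` check is the trick hardware uses: instead of extracting and comparing the FCS, it runs the CRC over the entire frame including the trailer and compares with a fixed constant. Both tests fail for the single flipped bit, as any CRC-32 must.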
2. MAC Addresses, Layer by Layer
A MAC address is 6 bytes (48 bits) written as 12 hex digits, usually grouped in pairs separated by colons or hyphens:
| Notation | Example |
|---|---|
| Colon-separated (Unix, IEEE) | 3c:22:fb:5a:91:7e |
| Hyphen-separated (Windows, IETF) | 3C-22-FB-5A-91-7E |
| Cisco dot-separated (16-bit groups) | 3c22.fb5a.917e |
The 48 bits, split in two
| Bytes | Name | Role |
|---|---|---|
| First 3 bytes (3c:22:fb) | OUI (Organizationally Unique Identifier) | Assigned by the IEEE to a hardware vendor. 3c:22:fb = Apple, 00:50:56 = VMware, b8:27:eb = Raspberry Pi Foundation. (52:54:00, the default prefix of QEMU/KVM guests, is not an IEEE OUI at all: it has the locally-administered bit set, see below.) |
| Last 3 bytes (5a:91:7e) | Device identifier | Chosen by the vendor to be unique across all of their devices. 2^24 = 16.7 million addresses per OUI. |
You can look up an OUI in the IEEE public registry, or in /usr/share/wireshark/manuf on most Linux machines. Knowing the OUI tells you the vendor; knowing the vendor sometimes tells you everything (a frame from 00:50:56:... on your wire is almost certainly a VMware vSwitch).
Two special bits in the first octet
The first byte of a MAC address looks like an opaque vendor code, but two specific bits in it are reserved by IEEE for meaning.
| Bit position | Name | Meaning when set | Example |
|---|---|---|---|
| LSB of byte 0 (bit 0) | I/G (Individual / Group), just call it "the multicast bit" | Multicast (or broadcast). Cleared = unicast. | 01:00:5e:xx:xx:xx = IPv4 multicast. 33:33:xx:xx:xx:xx = IPv6 multicast. FF:FF:FF:FF:FF:FF = broadcast (all bits set, including this one). |
| Second LSB of byte 0 (bit 1) | U/L (Universal / Local) | Locally administered (some sysadmin or software set this address). Cleared = globally unique IEEE-assigned. | Most Docker containers get a locally-administered MAC (02:42:...). Most VPN tunnel interfaces too. Hex pattern: the second hex digit is one of 2, 6, A, E. |
One sentence to remember it: both bits live in the low nibble of the first byte, so look at the second hex digit, not the first. If it is 2, 6, A, or E, the MAC is locally administered unicast. If it is odd (1, 3, 5, 7, 9, B, D, or F), it is a multicast or broadcast address (3, 7, B, F being locally administered multicast). If it is 0, 4, 8, or C, it is a normal globally-unique unicast.
The broadcast address
| Address | Meaning |
|---|---|
| FF:FF:FF:FF:FF:FF | Every device on the LAN. Used by ARP requests, DHCP DISCOVER, some discovery protocols. Switches flood broadcasts out every port (except the port they came in on). |
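The two reserved bits and the three notations, as an added example (not from the original post): a classifier that accepts colon, hyphen or Cisco dotted form, reads the I/G and U/L bits out of the first octet, looks the OUI up in a tiny table containing only the vendors this post mentions (the real registry is the IEEE list or wireshark's manuf file), and generates a locally-administered unicast MAC the way container runtimes and hypervisors do. Function names and the sample addresses are constructed for the example.

```python
import os

# Constructed example, not code from the original post.

OUI = {  # only the OUIs this post mentions; 52:54:00 is deliberately absent (see classify)
    "3c:22:fb": "Apple", "00:50:56": "VMware", "b8:27:eb": "Raspberry Pi Foundation",
}


def mac_bytes(mac: str) -> bytes:
    """Accept colon-separated, hyphen-separated or Cisco dotted notation."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes.fromhex(digits)


def classify(mac: str) -> dict:
    b = mac_bytes(mac)
    group = bool(b[0] & 0x01)      # I/G bit: bit 0 of the first octet
    local = bool(b[0] & 0x02)      # U/L bit: bit 1 of the first octet
    if b == b"\xff" * 6:
        kind = "broadcast"
    elif group:
        kind = "multicast"
    elif local:
        kind = "locally-administered unicast"
    else:
        kind = "globally-unique unicast"
    oui = ":".join(f"{x:02x}" for x in b[:3])
    return {
        "kind": kind, "multicast": group, "local": local, "oui": oui,
        # Both bits sit in the low nibble of the first octet, i.e. the SECOND hex digit.
        "second_hex_digit": f"{b[0] & 0x0F:X}",
        # A vendor lookup only means something for IEEE-assigned (universal) addresses,
        # which is why 52:54:00 (QEMU/KVM) is not in the table: its U/L bit is set.
        "vendor": None if local else OUI.get(oui),
    }


def random_local_mac() -> str:
    """48 random bits, then force U/L=1 and I/G=0: a unicast address that can never
    collide with an IEEE-assigned one. This is what Docker, libvirt and friends do."""
    b = bytearray(os.urandom(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return ":".join(f"{x:02x}" for x in b)


if __name__ == "__main__":
    for m in ["3c:22:fb:5a:91:7e", "3C-22-FB-5A-91-7E", "3c22.fb5a.917e", "02:42:ac:11:00:02",
              "52:54:00:12:34:56", "01:00:5e:00:00:fb", "33:33:00:00:00:01",
              "ff:ff:ff:ff:ff:ff", random_local_mac()]:
        c = classify(m)
        print(f"{m:20} digit={c['second_hex_digit']} {c['kind']:30} vendor={c['vendor']}")
```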
3. Hubs, Switches, and the Death of Shared Ethernet
In the 1990s, Ethernet was a literal shared bus or a hub-and-spoke with a hub at the centre. A hub is a layer-1 device: it takes the electrical signal on any port and copies it bit-for-bit to every other port. Every device hears every frame. Collisions are global. The MAC layer (CSMA/CD, covered in Part 2) is what kept everyone from talking over each other.
A switch is a layer-2 device. It reads the destination MAC of each incoming frame and forwards the frame only out the port where the destination lives. Two consequences:
| Property | Hub (legacy) | Switch (modern) |
|---|---|---|
| Layer | 1 (physical signal repeater) | 2 (frame-aware) |
| Forwarding | All ports always | Only the port to the destination |
| Collision domain | Whole hub is one collision domain | Each port is its own collision domain |
| Broadcast domain | Whole hub | Whole switch (and beyond, through trunk links) |
| Bandwidth | Shared across all ports | Full link rate per port (full duplex on modern hardware) |
| Need CSMA/CD? | Yes | No (full-duplex point-to-point, no collisions possible) |
| Status today | Extinct, except in museums | Universal |
That last row is the punchline. Modern wired Ethernet does not actually use the MAC protocols from Part 2, because there is no shared medium. Every link is a private point-to-point cable between one device and one switch port, full duplex, no collisions possible. The CSMA/CD circuitry on a modern NIC is silicon that has not done anything useful in twenty years, and 10GBASE-T and faster do not define a half-duplex mode at all, so on those NICs it is simply gone.
4. How a Switch Learns
A switch starts with an empty forwarding table. It has to learn, on its own, which MAC lives behind which port. The algorithm is elegantly simple and has not changed since the first transparent bridges of the early 1980s (Radia Perlman's contribution, Spanning Tree, is what makes it survive redundant links; see section 7).
The algorithm
- On every incoming frame, look at the source MAC and remember: "I saw this MAC on port X at time T." Store that in the forwarding table.
- To forward a frame, look up the destination MAC in the forwarding table.
- If found: send out the matching port only.
- If not found (or destination is broadcast or multicast): flood the frame out every port except the incoming one.
- Age out entries that haven't been seen in a while (typically 5 minutes), so a device that moves to a different port eventually gets relearned.
A worked example
Imagine a 4-port switch with hosts A, B, C, D plugged into ports 1, 2, 3, 4 respectively. The switch starts with an empty forwarding table. Let's trace what happens.
| Time | Event | Forwarding table after event | Action taken |
|---|---|---|---|
| t=0 | A sends a frame to B | A on port 1 | Destination B unknown. Flood out ports 2, 3, 4. B receives it; C and D also receive it but discard it (not their MAC). |
| t=1 | B sends a reply to A | A on port 1, B on port 2 | Destination A is known. Forward only out port 1. C and D do not see this frame at all. |
| t=2 | C sends a frame to A | A on port 1, B on port 2, C on port 3 | Destination A is known. Forward only out port 1. |
| t=3 | A sends a broadcast (ARP request) | (no change, A already known) | Destination is FF:FF:FF:FF:FF:FF. Flood out ports 2, 3, 4. |
| t=4 | Cables swapped: A is now on port 4, D on port 1 | (no change: the table still says A on port 1, D is unknown) | n/a. The switch only learns when a frame arrives; nothing tells it a cable moved. |
| t=5 | D sends a frame to A from port 1 | A on port 1 (stale), B on port 2, C on port 3, D on port 1 | Destination A looks up to port 1, which is the port the frame came in on, so the switch filters (drops) it rather than sending it back out the ingress port. A, now on port 4, never receives it. Nothing recovers until A transmits (the source-learning step moves A to port 4 the moment it speaks) or A's entry ages out. A MAC that keeps alternating between two ports is "MAC flapping", the signature of a loop or a misconfigured link aggregation. |
| t=6 (5 minutes of silence from C) | Age timer expires for C | A and D on port 1, B on port 2 | If anyone sends to C now, the switch floods until C transmits again. |
That is the entire algorithm. A modern data-centre switch with hundreds of thousands of MAC table entries is running exactly this logic, just with a hardware-accelerated TCAM lookup instead of a software hash.
MAC table overflow attacks
A switch's MAC table has finite capacity (typically tens of thousands to a few hundred thousand entries depending on the model). An attacker can flood the network with frames using random source MACs (macof, from the dsniff suite, does exactly this) until the table fills up. After that the switch cannot learn any new addresses, so any host that was not already in the table, or whose entry ages out while the attacker keeps refreshing the bogus ones, is "unknown", and frames addressed to it are flooded out every port. For that traffic the switched LAN is a hub again, and the attacker can sniff what was previously private. The defence is port security: cap the number of MACs allowed per port, and shut down (err-disable) ports that exceed it.
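The learning algorithm, the worked example and the table-overflow attack above, as one added example that is not code from the original post: a software model of a transparent bridge (learn source on ingress, forward by destination, flood unknown and group addresses, age out silent entries, never send back out the ingress port), extended with a table capacity and a per-port MAC limit so that the macof failure mode and the port-security defence can be replayed. Port numbers, host MACs, the 256-entry capacity and the time counter are all constructed for the example.

```python
import random

# Constructed example, not code from the original post. Ports are integers, time is a
# plain seconds counter, and the MAC table is a dict (a real switch uses a TCAM).

BROADCAST = "ff:ff:ff:ff:ff:ff"
A, B, C, D, E = (f"aa:aa:aa:00:00:0{i}" for i in range(1, 6))


def is_group(mac: str) -> bool:
    return bool(int(mac[:2], 16) & 0x01)     # I/G bit: covers multicast and broadcast


class LearningSwitch:
    def __init__(self, ports, age_limit=300, capacity=None, max_macs_per_port=None):
        self.ports = list(ports)
        self.table = {}                       # mac -> (port, last_seen)
        self.age_limit = age_limit            # seconds; 300 is the common default
        self.capacity = capacity              # None = unbounded (real tables are not)
        self.max_macs_per_port = max_macs_per_port   # port security; None = off
        self.shutdown = set()                 # err-disabled ports
        self.flaps = 0                        # times a known MAC showed up on another port

    def _expire(self, now):
        for mac, (_, seen) in list(self.table.items()):
            if now - seen > self.age_limit:
                del self.table[mac]

    def _learn(self, mac, port, now):
        if self.max_macs_per_port is not None:
            on_port = {m for m, (p, _) in self.table.items() if p == port}
            if mac not in on_port and len(on_port) >= self.max_macs_per_port:
                self.shutdown.add(port)       # violation: shut the port, learn nothing
                return
        if mac not in self.table and self.capacity is not None and len(self.table) >= self.capacity:
            return                            # table full: MAC stays unknown, its frames will flood
        if mac in self.table and self.table[mac][0] != port:
            self.flaps += 1
        self.table[mac] = (port, now)

    def receive(self, port, src, dst, now):
        """Return the egress port list for one frame (empty list = dropped)."""
        if port in self.shutdown:
            return []
        self._expire(now)
        self._learn(src, port, now)
        if is_group(dst) or dst not in self.table:
            return [p for p in self.ports if p != port]   # flood, never back out the ingress port
        out = self.table[dst][0]
        return [] if out == port else [out]               # filter: destination is behind the ingress port


def worked_example():
    """Replays the table in this section; returns the egress ports chosen for each frame."""
    sw = LearningSwitch(ports=[1, 2, 3, 4])
    return [
        sw.receive(1, A, B, now=0),           # t=0  B unknown: flood 2,3,4
        sw.receive(2, B, A, now=1),           # t=1  A known: port 1 only
        sw.receive(3, C, A, now=2),           # t=2  port 1 only
        sw.receive(1, A, BROADCAST, now=3),   # t=3  broadcast: flood 2,3,4
        # t=4: cables swapped, A is now on port 4 and D on port 1; nothing learned yet
        sw.receive(1, D, A, now=5),           # t=5  stale entry says A is on the ingress port: dropped
        sw.receive(4, A, D, now=6),           # A speaks from port 4: relearned (one flap), D known: port 1
        sw.receive(2, B, C, now=303),         # 5 min after C's last frame: C aged out, flood 1,3,4
    ]


def overflow_demo(port_security):
    """macof-style flood from port 4 against a switch whose table holds 256 entries."""
    rnd = random.Random(1)
    sw = LearningSwitch(ports=[1, 2, 3, 4], capacity=256,
                        max_macs_per_port=2 if port_security else None)
    sw.receive(1, A, BROADCAST, now=0)                  # A learned before the attack starts
    for _ in range(1000):                               # random locally-administered source MACs
        fake = "02:" + ":".join(f"{rnd.randrange(256):02x}" for _ in range(5))
        sw.receive(4, fake, BROADCAST, now=0)
    sw.receive(3, E, BROADCAST, now=1)                  # E joins after the table filled up
    egress = sw.receive(1, A, E, now=2)                 # does A's traffic to E leak to port 4?
    return {"attacker_sees_it": 4 in egress, "egress": egress,
            "table_size": len(sw.table), "shutdown": sorted(sw.shutdown)}


if __name__ == "__main__":
    print(worked_example())                  # [[2, 3, 4], [1], [1], [2, 3, 4], [], [1], [1, 3, 4]]
    print(overflow_demo(port_security=False))  # attacker_sees_it True, table_size 256
    print(overflow_demo(port_security=True))   # attacker_sees_it False, port 4 shut down
```

Without port security the flood fills the table, E can never be learned, and A's unicast to E floods to the attacker's port. With a two-MAC limit, the third bogus source err-disables port 4 and the rest of the LAN carries on normally.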
5. ARP: How IP Finds Its MAC
The Ethernet world only knows MAC addresses. The IP world only knows IP addresses. Something has to bridge the two. That something is ARP, the Address Resolution Protocol (RFC 826, 1982).
The basic question
A host wants to send an IP packet to 192.168.1.50 on its local LAN. It checks its ARP cache for that IP. If the cache has an entry, it uses it. If not, the host has to ask: "who has 192.168.1.50?"
The two-message dance
| Step | Frame type | Destination MAC | Source MAC | Payload (in ARP packet) |
|---|---|---|---|---|
| 1. Request | ARP (EtherType 0x0806) | FF:FF:FF:FF:FF:FF (broadcast) | Requester's MAC | "Who has IP 192.168.1.50? Tell 192.168.1.10." |
| 2. Reply | ARP (EtherType 0x0806) | Requester's MAC (unicast) | Owner's MAC | "192.168.1.50 is at 3c:22:fb:5a:91:7e." |
The request is a broadcast because the requester does not yet know the destination's MAC, so it has to ask everyone. Every device on the LAN sees the request. Only the device that owns the requested IP replies. The reply is unicast because, having just heard the broadcast, the responder already knows the requester's MAC.
Both ends store the mapping in their ARP cache for future use. On Linux you can inspect this cache with ip neigh (the modern command) or arp -n (the legacy one).
Gratuitous ARP
A device can also send an ARP request for its own IP, as a broadcast. This is called a "gratuitous ARP" or GARP. It serves two purposes:
- Duplicate IP detection: if anyone replies, there is an IP conflict on the LAN.
- Cache pre-population: devices on the LAN that already have an entry for this IP update it with the new MAC. (Most stacks will not create a new entry from an unsolicited ARP; Linux, for example, only does so with net.ipv4.conf.*.arp_accept=1.) Used when a host's MAC changes (NIC swap, VM live migration, IP failover between HA devices).
6. ARP Spoofing, in Three Steps
Security note
ARP has no authentication. Any device on the LAN can claim to own any IP. This is not a bug in implementations, it is the protocol working exactly as designed in 1982 when nobody worried about a hostile LAN. The implications still bite us today.
The attack:
- Attacker sits on the same LAN as Alice and the gateway router.
- Attacker sends Alice an unsolicited ARP reply claiming "the gateway's IP is at attacker's MAC". Alice's ARP cache updates. (arpspoof from dsniff does exactly this, and repeats it every couple of seconds because caches age out.)
- Attacker sends the gateway an unsolicited ARP reply claiming "Alice's IP is at attacker's MAC". The gateway's ARP cache updates.
- Now all traffic between Alice and the gateway flows through the attacker. The attacker enables IP forwarding and passes it on (so nothing seems broken) while keeping a verbatim copy of every frame. This is a classic man-in-the-middle attack.
Defences live at multiple layers:
| Defence | Where it sits | What it does |
|---|---|---|
| Dynamic ARP Inspection (DAI) | Switch feature | The switch validates every ARP packet (requests and replies) arriving on an untrusted port against a binding table (typically built from DHCP snooping); a packet whose sender IP/MAC pair is not bound to that port is dropped at the port. Uplinks to other switches are marked trusted and skip the check. |
| DHCP snooping | Switch feature | Builds the IP-to-MAC-to-port truth table that DAI consults. |
| Static ARP entries | Host config | Pin critical MAC-to-IP mappings manually (gateway, key servers). Works but does not scale. |
| End-to-end encryption (TLS, IPsec, WireGuard) | Above L2 | If the attacker can intercept frames but cannot decrypt them, the worst they can do is traffic analysis and selective drops. This is the right answer in 2026. |
| 802.1X / port-based access control | Switch feature | Authenticate the device before it can transmit anything on the port. Keeps unauthenticated devices off the LAN entirely; it does nothing against an attacker who already controls an authenticated host, which is why it complements DAI rather than replacing it. |
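The ARP exchange from section 5 and the spoof plus DAI defence from this section, as one added example that is not code from the original post: an RFC 826 packet builder and parser, a function that plays both sides of the request/reply dance over a constructed "LAN" map, and a model of Dynamic ARP Inspection that checks the sender fields of every ARP packet on untrusted ports against a DHCP-snooping-style binding table. The IPs, MACs, port numbers and bindings are constructed; the class and function names are this example's own, not a switch vendor's API.

```python
import struct
import ipaddress

# Constructed example, not code from the original post.

REQUEST, REPLY = 1, 2
ZERO_MAC, BROADCAST_MAC = "00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(oper, sha, spa, tha, tpa):
    """RFC 826 packet for Ethernet/IPv4: htype 1, ptype 0x0800, hlen 6, plen 4,
    opcode, then sender MAC/IP and target MAC/IP. Always 28 bytes."""
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                       mac_bytes(sha), ipaddress.IPv4Address(spa).packed,
                       mac_bytes(tha), ipaddress.IPv4Address(tpa).packed)


def parse_arp(pkt):
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", pkt[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper, "sha": mac_str(sha), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(ipaddress.IPv4Address(tpa))}


def resolve(requester_ip, requester_mac, target_ip, lan):
    """The two-message dance. `lan` is a constructed IP -> MAC map of who is on the segment.
    Returns (request, reply) as {"eth_dst", "eth_src", "arp"} dicts; reply is None on timeout."""
    req = build_arp(REQUEST, requester_mac, requester_ip, ZERO_MAC, target_ip)   # target MAC unknown: zeros
    request = {"eth_dst": BROADCAST_MAC, "eth_src": requester_mac, "arp": req}  # so the frame is broadcast
    owner_mac = lan.get(target_ip)
    if owner_mac is None:
        return request, None                  # nobody owns the IP: the requester times out
    r = parse_arp(req)                        # the owner answers from what it just heard
    rep = build_arp(REPLY, owner_mac, r["tpa"], r["sha"], r["spa"])
    return request, {"eth_dst": r["sha"], "eth_src": owner_mac, "arp": rep}    # unicast back


class DynamicArpInspection:
    """Switch-side DAI model. bindings: {port: {(ip, mac), ...}} as DHCP snooping would have
    built them. Trusted ports (uplinks to other switches) skip the check entirely."""

    def __init__(self, bindings, trusted_ports=()):
        self.bindings = bindings
        self.trusted = set(trusted_ports)

    def inspect(self, port, eth_src, arp_pkt):
        """Return (forward, reason). Requests and replies are both judged on their sender fields."""
        if port in self.trusted:
            return True, "trusted port"
        a = parse_arp(arp_pkt)
        if a["sha"] != eth_src:
            return False, f"sender MAC {a['sha']} != Ethernet source {eth_src}"
        if (a["spa"], a["sha"]) not in self.bindings.get(port, set()):
            return False, f"no binding for {a['spa']}/{a['sha']} on port {port}"
        return True, "ok"


def spoof_scenario():
    """Attacker on port 3 tries the first step of the attack above with DAI enabled."""
    alice_ip, alice_mac = "192.168.1.10", "3c:22:fb:5a:91:7e"
    gw_ip, gw_mac = "192.168.1.1", "00:50:56:00:00:01"
    evil_ip, evil_mac = "192.168.1.66", "02:42:ac:11:00:02"
    dai = DynamicArpInspection({2: {(alice_ip, alice_mac)}, 3: {(evil_ip, evil_mac)}},
                               trusted_ports=[1])                 # port 1 = uplink to the gateway
    spoof = build_arp(REPLY, evil_mac, gw_ip, alice_mac, alice_ip)   # "the gateway is at my MAC"
    honest = build_arp(REQUEST, evil_mac, evil_ip, ZERO_MAC, gw_ip)  # attacker's own legitimate ARP
    garp = build_arp(REQUEST, gw_mac, gw_ip, ZERO_MAC, gw_ip)        # gratuitous ARP from the gateway
    return {"spoof": dai.inspect(3, evil_mac, spoof)[0],
            "honest": dai.inspect(3, evil_mac, honest)[0],
            "gateway_garp": dai.inspect(1, gw_mac, garp)[0]}


if __name__ == "__main__":
    req, rep = resolve("192.168.1.10", "3c:22:fb:5a:91:7e", "192.168.1.50",
                       {"192.168.1.50": "b8:27:eb:aa:bb:cc"})
    print(req["eth_dst"], parse_arp(req["arp"]))
    print(rep["eth_dst"], parse_arp(rep["arp"]))
    print(spoof_scenario())   # {'spoof': False, 'honest': True, 'gateway_garp': True}
```

The spoofed reply is dropped not because the switch knows the attacker's intent, but because 192.168.1.1 is not bound to the attacker's MAC on port 3; the same attacker's honest ARP for its own address passes. That is the whole idea of DAI: it does not add authentication to ARP, it adds a source of truth the switch already has.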
7. Broadcast Storms and the Reason Spanning Tree Exists
So far the LAN has been one switch. Real LANs are many switches, often connected with redundant links so that a single cable cut does not partition the network. Redundancy at L2 introduces a new problem.
Suppose Switch S1 and Switch S2 are connected by two cables (for redundancy). A broadcast frame arrives at S1.
- S1 floods the broadcast out every port, including both links to S2.
- S2 receives the frame on link 1, floods it out every port including link 2 back to S1.
- S2 also receives the frame on link 2 (S1 sent it there too), floods it out every port including link 1 back to S1.
- S1 receives both copies, floods them again.
The frame multiplies forever. The Ethernet frame has no TTL field, so nothing stops it. Within milliseconds the LAN is saturated with broadcasts. The switches' CPUs melt trying to keep up. Every host on the LAN becomes unreachable. This is a broadcast storm and it is a well-known LAN failure mode.
The fix is Spanning Tree Protocol (STP, IEEE 802.1D, and its faster successors RSTP and MSTP). STP runs between switches and decides, network-wide, which redundant links to block so that the active forwarding topology is a tree (no loops). When the primary topology fails, blocked links unblock automatically. We will give STP a full post in Part 4.
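The storm above, as an added example that is not code from the original post: a flood-only model of a multi-switch LAN in which every switch forwards a broadcast out every inter-switch link except the one it arrived on, which is all a broadcast needs (learning never applies to it). Parallel cables are modelled by repeating a pair, and "STP put this link in blocking" by listing its index in `blocked`. The topologies and the round counter are constructed; the function name is this example's own.

```python
from collections import defaultdict

# Constructed example, not code from the original post.


def simulate_broadcast(links, origin, blocked=(), max_rounds=10):
    """links: list of (switch, switch) pairs; repeat a pair for a redundant cable.
    origin: the switch where the broadcast first arrives on an edge port.
    blocked: indices into `links` that Spanning Tree has put into blocking state.
    Returns (copies_in_flight_per_round, terminated)."""
    ports = defaultdict(list)                 # switch -> [(link index, peer switch)]
    for i, (a, b) in enumerate(links):
        if i in blocked:
            continue                          # a blocking port neither sends nor receives data frames
        ports[a].append((i, b))
        ports[b].append((i, a))
    inflight = [(origin, None)]               # (switch holding a copy, link it came in on); None = edge port
    history = []
    for _ in range(max_rounds):
        nxt = [(peer, link)
               for sw, came_in in inflight
               for link, peer in ports[sw]
               if link != came_in]            # flood: every link except the ingress one
        history.append(len(nxt))
        inflight = nxt
        if not inflight:
            return history, True              # the frame died out: loop-free topology
    return history, False                     # still circulating after max_rounds: a storm


if __name__ == "__main__":
    two_cables = [("S1", "S2"), ("S1", "S2")]
    print(simulate_broadcast(two_cables, "S1"))                  # ([2, 2, 2, ...], False)
    print(simulate_broadcast(two_cables, "S1", blocked=(1,)))    # ([1, 0], True)
    ring = [("S1", "S2"), ("S2", "S3"), ("S3", "S1")]
    print(simulate_broadcast(ring, "S1"))                        # ([2, 2, 2, ...], False)
    print(simulate_broadcast(ring, "S1", blocked=(2,)))          # ([1, 1, 0], True)
    print(simulate_broadcast(two_cables + [("S1", "S2")], "S1"))  # doubles every round
```

With exactly two parallel cables the frame does not multiply, it circulates forever (two copies in flight on every round, each of them re-delivered to every host on both switches); with three or more loops it grows geometrically. Blocking a single link in each loop is enough to make every run terminate, which is all STP does.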
Takeaways
- An Ethernet frame is 14 bytes of header, 46 to 1500 bytes of payload, and a 4-byte CRC. The 14 bytes are destination MAC, source MAC, and EtherType.
- A MAC address is OUI (vendor) + device ID, with two reserved bits in the first byte: the multicast bit (LSB) and the locally-administered bit (next bit).
- Switches replaced hubs because they forward only to the destination port and turn every link into its own collision domain.
- Switch learning is a one-paragraph algorithm: learn source MAC on the incoming port, forward by destination MAC if known, flood if not.
- ARP turns "I know your IP" into "I know your MAC" with a broadcast question and a unicast answer. It has no authentication, which is the root of ARP spoofing.
- Redundant L2 links cause broadcast storms because Ethernet has no TTL. Spanning Tree Protocol exists to prune redundant links into a loop-free tree.
Next in the Link Layer Series
Part 4 will cover Spanning Tree Protocol and VLANs. STP first: how switches elect a root bridge, how each switch decides which port is "designated" and which goes into "blocking", how the protocol converges, and why people invented RSTP and MSTP to make it converge faster. Then VLANs: how 802.1Q tagging slices one physical LAN into many logical ones, why a "native VLAN" is a security trap, and how trunk links between switches carry many VLANs at once.