MAC Addresses and Ethernet Frames
MAC Address
So far we have covered IP addressing, a layer 3 protocol that allows data to be transmitted between networks. Two devices linked together with, say, a Cat5e cable use Ethernet protocols to transmit data between them. In most modern Ethernet LANs, the layer 2 traffic is managed using a switch, and traffic is forwarded to the relevant device using the MAC address learnt during frame switching. Remember that at layer 2 (where switching occurs) the PDU (Protocol Data Unit) is referred to as a frame.
In order for traffic to be forwarded to the correct device, the sender needs to know the destination MAC (Media Access Control) address of the recipient device. The MAC address is a 48-bit globally unique address written as 12 hexadecimal digits. Note the hexadecimal conversion below:
Every device that accesses the network has a MAC address assigned by the manufacturer; it is sometimes referred to as the physical address or BIA ('burnt-in' address). The MAC address is split into two parts: the OUI (Organisationally Unique Identifier), the first 24 bits, which identifies the manufacturer (e.g. Cisco or Dell), and the final 24 bits, which are the unique device identifier. MAC addresses are physically assigned to the network interface at the point of manufacture; however, it is possible (on some devices) to spoof the MAC address so that it differs from the original address.
The 7th bit of a MAC address is called the U/L (Universal/Local) identifier. When the bit is set to 0, it is a UAA (Universally Administered Address), meaning the MAC address was assigned by the manufacturer. If it is set to 1, it means that the MAC address is an LAA (Locally Administered Address) which indicates that the MAC address was manually assigned by an engineer.
MAC addresses are written differently on different platforms:
- Windows: 8E-8D-28-35-FE-67
- Cisco: 0032.6612.fefe
- Linux: 08:00:27:d9:0d:5b
To complement broadcasting in IPv4, layer 2 MAC addresses have a broadcast address of ff:ff:ff:ff:ff:ff. Any frame with a destination MAC of ff:ff:ff:ff:ff:ff is processed by every device that receives it. For example, in ARP (Address Resolution Protocol) the sender knows the IP address but not the layer 2 MAC address needed for link-layer communication. In this case the broadcast MAC is used as the destination, and the device with the corresponding IP address sends an ARP reply back.
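As an added example (not part of the original notes), the following Python normalises the three notations listed above, extracts the OUI and tests the U/L bit; the I/G (multicast) bit check is included as a known fact about the first octet rather than something the notes describe.

```python
import re

def parse_mac(text: str) -> bytes:
    """Accept Windows (8E-8D-28-35-FE-67), Cisco (0032.6612.fefe) or
    Linux (08:00:27:d9:0d:5b) notation and return the 6 raw octets."""
    digits = re.sub(r"[-:.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)

def to_linux(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)

def to_cisco(mac: bytes) -> str:
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"

def oui(mac: bytes) -> str:
    """First 24 bits: the manufacturer's OUI, in Linux notation."""
    return to_linux(mac[:3])

def is_locally_administered(mac: bytes) -> bool:
    """U/L bit. Octets go on the wire least-significant bit first, so the
    7th transmitted bit is bit value 0x02 of the first octet: 1 = LAA, 0 = UAA."""
    return bool(mac[0] & 0x02)

def is_multicast(mac: bytes) -> bool:
    """I/G bit (first transmitted bit, value 0x01 of the first octet);
    a set bit means group/multicast, of which broadcast is the special case."""
    return bool(mac[0] & 0x01)

def is_broadcast(mac: bytes) -> bool:
    return mac == b"\xff" * 6

def describe(text: str) -> dict:
    """Everything an analyst would want to know about one address."""
    mac = parse_mac(text)
    return {"linux": to_linux(mac), "cisco": to_cisco(mac), "oui": oui(mac),
            "laa": is_locally_administered(mac), "multicast": is_multicast(mac),
            "broadcast": is_broadcast(mac)}
```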
Ethernet (Layer 2) Frames
For data to be forwarded across a network it needs to be encapsulated. As we've already covered, at layer 4 the data is encapsulated into a segment with a TCP/UDP header. The segment is then encapsulated again into a packet with an IP header at layer 3. Finally, at layer 2 the packet is encapsulated into a frame with a frame header and footer. See below:
- Preamble - 7 octets of "10101010" to allow bit-level synchronisation
- SFD (Start Frame Delimiter) - 1 octet of "10101011" marking the start of a new frame
- Destination MAC - layer 2 address of the recipient
- Source MAC - the sender's own physical address
- EtherType - identifies the upper-layer protocol, or gives the size of the payload (if less than 1500)
- Payload - all of the data encapsulated within the frame (including the L3 and L4 headers)
- FCS (Frame Check Sequence) - a CRC (Cyclic Redundancy Check) used to detect corruption of the frame
- Interpacket Gap - after the frame has been transmitted, a minimum of 12 octets of idle line state are sent before the next frame
MAC Address Table
Layer 2 devices such as switches keep track of MAC addresses in a table. The table records the MAC address itself, how it was learnt and the switch port through which it is reachable. See the example below:
nbswitch1#sh mac-address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0090.0cd4.e1d4    DYNAMIC     Fa0/24
   1    00d0.973b.ae01    DYNAMIC     Fa0/1
   1    00d0.ff00.003a    DYNAMIC     Fa0/23
All layer 2 switches maintain a MAC address table to ensure efficient transmission of frames across the local network.
MAC learning and aging
MAC Address Learning
For switches to maintain MAC address tables they need not only to build them but also to clear them down to reduce the number of stale records. So how does a switch learn the MAC addresses of devices on the network? From the source MAC address of incoming frames, as in the example below:
PC1 has just joined the network and been plugged into interface Fa0/24 on SW1. The user on PC1 is attempting to ping PC3. PC1 already has an ARP cache entry, so it can populate the destination MAC address of PC3; however, SW1 does not yet have PC1's MAC address in its MAC address table.
So PC1 generates a packet, which is encapsulated into a frame and forwarded to the switch (SW1). Once the frame arrives, SW1 notes that the MAC address in the source field of the frame header is missing from its table and adds it, as below.
The frame is then forwarded via interface Fa0/1, as the destination MAC address is listed in the table. Notice that SW2 also records the source MAC address from the frame in its own MAC address table.
The frame then arrives at PC3 for de-encapsulation and processing. Should PC3 respond to PC1, both switches now have PC1's MAC address in their MAC address tables.
The above diagrams have shown how a switch dynamically learns MAC addresses by passively inspecting and storing the source MAC address. It is also possible to statically map MAC addresses to an interface.
MAC Address Aging
As devices may change regularly on a network, switches need to be up to date with layer 2 addressing information. By default Cisco devices will remove a MAC address entry from the table if that MAC address has shown no activity for 5 minutes.
Frame switching (Known Unicast)
When the destination MAC address is known to the switch and listed in the MAC address table, the frame is forwarded directly out of the mapped port. For example, say a frame with a destination MAC address of 00:d0:97:3b:ae:01 arrives at nbswitch1. Looking at the MAC address table for nbswitch1 below, the frame will be forwarded out of Fa0/1.
nbswitch1#sh mac-address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0090.0cd4.e1d4    DYNAMIC     Fa0/24
   1    00d0.973b.ae01    DYNAMIC     Fa0/1
   1    00d0.ff00.003a    DYNAMIC     Fa0/23
This type of forwarding is only done with known unicast frames (the switch knows the location of the destined device).
Frame flooding (Broadcast/Unknown Unicast)
Frame flooding occurs when an unknown unicast frame (one whose destination MAC address the switch does not list in its MAC address table) or a broadcast frame arrives at the switch. Flooding means sending the frame out of all switchports except the port on which the frame was received.
Broadcast MAC
If the switch receives a frame with destination MAC address ff:ff:ff:ff:ff:ff, then it will flood the frame out of all ports except the port the frame was input. See below diagram.
In this example, PC1 sends an ARP packet into the network. The ARP frame uses the layer 2 MAC address of ff:ff:ff:ff:ff:ff as PC1 is attempting to learn the MAC address of another device on the network. Highlighting in green, PC1 forwards the frame into SW1. SW1 subsequently floods the frame out of all ports on itself and SW2. Note that the frame isn't flooded back to PC1. Once the PC with the matching IP address processes the packet, it responds with a unicast frame back to PC1.
Unknown Unicast
As with broadcast frames, the switch floods unknown unicast frames out of all ports (except the port where the frame was received). A frame is an unknown unicast frame if the switch does not have the destination MAC address listed in its MAC address table. See below diagram.
This example shows PC1 attempting to ping PC2. SW1 does not have PC2's MAC address listed in its MAC address table, so it forwards the frame out of all ports except the port on which the frame was received.
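The learning, aging, known-unicast and flooding behaviour described in the sections above, as an added Python simulation that is not from the original notes. The two-switch topology, port numbers and the three PC MAC addresses are constructed for the example (the MACs reuse the entries from the nbswitch1 table); the 300-second aging value is the Cisco default quoted above.

```python
AGING_SECONDS = 300  # Cisco default: an entry idle for 5 minutes is removed
BROADCAST = "ff:ff:ff:ff:ff:ff"

class Switch:
    def __init__(self, name, ports):
        self.name, self.ports = name, list(ports)
        self.table = {}  # MAC -> (port, time last seen as a source address)

    def age(self, now):
        """Drop entries silent for AGING_SECONDS or more; return what was dropped."""
        stale = [m for m, (_, seen) in self.table.items() if now - seen >= AGING_SECONDS]
        for m in stale:
            del self.table[m]
        return stale

    def receive(self, dst, src, ingress, now=0):
        """Learn src on the ingress port, then return the list of egress ports."""
        self.age(now)
        self.table[src] = (ingress, now)                    # dynamic learning (or refresh)
        if dst == BROADCAST or dst not in self.table:
            return [p for p in self.ports if p != ingress]  # flood, never back out the ingress port
        port = self.table[dst][0]
        return [] if port == ingress else [port]            # known unicast: the one mapped port

# Constructed topology: PC1 and PC2 hang off SW1, PC3 off SW2, switches linked on Fa0/1.
PC1, PC2, PC3 = "00:90:0c:d4:e1:d4", "00:d0:ff:00:00:3a", "00:d0:97:3b:ae:01"
SW1 = Switch("SW1", ["Fa0/1", "Fa0/23", "Fa0/24"])  # Fa0/24 = PC1, Fa0/23 = PC2
SW2 = Switch("SW2", ["Fa0/1", "Fa0/2"])             # Fa0/2 = PC3
LINK = {(SW1, "Fa0/1"): (SW2, "Fa0/1"), (SW2, "Fa0/1"): (SW1, "Fa0/1")}

def send(dst, src, sw, ingress, now=0):
    """Push one frame in at (sw, ingress) and follow the uplink; returns {switch: egress ports}."""
    out = {sw.name: sw.receive(dst, src, ingress, now)}
    for port in out[sw.name]:
        if (sw, port) in LINK:
            nsw, nport = LINK[(sw, port)]
            out[nsw.name] = nsw.receive(dst, src, nport, now)
    return out

if __name__ == "__main__":
    print("ARP request from PC1:", send(BROADCAST, PC1, SW1, "Fa0/24"))  # flooded on both switches
    print("ARP reply from PC3:", send(PC1, PC3, SW2, "Fa0/2"))           # known unicast back to PC1
    print("ping PC1 -> PC3:", send(PC3, PC1, SW1, "Fa0/24"))             # now known on both switches
```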