Data Link Layer Protocols
Ethernet, MAC addressing, ARP, switching, VLANs, 802.1X, and Layer 2 security fundamentals
Chapter 3: Data Link Layer Protocols
The Hospital That Lost Its Network
In 2016, a hospital's entire network crashed during a critical surgery. The cause? An engineer had connected both ends of a patch cable to the same switch, creating a Layer 2 loop. Within seconds, broadcast storms overwhelmed every switch in the building. Monitoring systems went dark. Infusion pumps lost connectivity. For eight terrifying minutes, the surgical team worked blind while network engineers frantically traced cables.
The network had no Spanning Tree Protocol enabled, a basic Layer 2 safeguard. This incident, fortunately ending without patient harm, illustrates a crucial truth: Layer 2 might seem simple compared to routing and applications, but its failures can be catastrophic and immediate.
The Data Link layer sits at a critical junction in the network stack. It's where raw bits become structured frames, where local addressing happens, and where many of the most devastating network attacks occur. ARP spoofing, MAC flooding, VLAN hopping: these attacks exploit fundamental assumptions about local network trust.
In this chapter, we'll explore Ethernet, MAC addressing, ARP, switching, VLANs, and the security mechanisms that protect (or fail to protect) Layer 2 networks.
The Bridge Between Physical and Logical
The Physical layer deals in raw bits: electrical pulses, light flashes, or radio waves. The Network layer deals in global addresses and routing across the internet. Between them sits the Data Link layer, providing the crucial service of organizing bits into meaningful units and delivering them between devices on the same local network.
What the Data Link Layer Does
When your computer sends data to your router, that data doesn't magically appear at the router. The Data Link layer:
- Packages data into frames with structured headers and trailers
- Addresses frames using MAC addresses (hardware addresses)
- Detects transmission errors using CRC checksums
- Coordinates access to the shared physical medium
Understanding this layer is essential for network security because many powerful attacks exploit how the Data Link layer operates on trust assumptions that were never designed for hostile environments.
Ethernet: The Foundation of Wired LANs
A Brief History
Ethernet was invented at Xerox PARC in the early 1970s by Robert Metcalfe and David Boggs. The name comes from "luminiferous ether", the hypothetical medium once thought to carry light waves through space.
The original Ethernet used coaxial cable in a bus topology, with all devices sharing a single cable. When one device transmitted, all others could hear it. This created the fundamental challenge Ethernet needed to solve: what happens when two devices try to transmit simultaneously?
Ethernet Evolution
Ethernet has evolved dramatically since then:
| Generation | Speed | Media | Year | Notes |
|---|---|---|---|---|
| Original | 10 Mbps | Coax (10BASE5) | 1973 | Thick Ethernet |
| 10BASE-T | 10 Mbps | Twisted pair | 1990 | Star topology begins |
| Fast Ethernet | 100 Mbps | Cat5 | 1995 | 100BASE-TX |
| Gigabit | 1 Gbps | Cat5e/Fiber | 1999 | 1000BASE-T |
| 10 Gigabit | 10 Gbps | Cat6a/Fiber | 2002 | Data centers |
| 25/40/100 Gb | 25-100 Gbps | Fiber | 2010s | Cloud/HPC |
| 200/400 Gb | 200-400 Gbps | Fiber | 2020s | Hyperscale |
Throughout this evolution, the basic frame structure and addressing scheme have remained remarkably consistent.
The Ethernet Frame
Ethernet organizes data into units called frames. A frame is a structured sequence of bytes with a defined format that both sender and receiver understand.
Ethernet II Frame Format
```
Ethernet II Frame Format:
+----------+----------+----------+----------+------------------+------+
| Preamble |   Dest   |  Source  |EtherType |     Payload      | FCS  |
| 7 bytes  |   MAC    |   MAC    | 2 bytes  |  46-1500 bytes   |4 byte|
| + SFD    | 6 bytes  | 6 bytes  |          |                  |      |
| 1 byte   |          |          |          |                  |      |
+----------+----------+----------+----------+------------------+------+
     |          |          |          |             |             |
     v          v          v          v             v             v
Synchronize  Where to   Who sent   What's      The actual      Error
receiver's   send this  this       inside?     data            check
clock        frame      frame      (IPv4/ARP/                  (CRC)
                                   IPv6/VLAN)
```
Preamble and Start Frame Delimiter (SFD) - 8 bytes: The preamble is a series of alternating 1s and 0s (10101010...) that allows the receiving NIC to synchronize its clock with the incoming signal. The final byte, the SFD (10101011), signals that the actual frame is about to begin. These bytes are typically stripped by the hardware before the frame reaches higher layers.
Destination MAC Address - 6 bytes: The hardware address of the intended recipient. This can be a unicast address (specific device), broadcast address (all devices on the segment), or multicast address (group of devices).
Source MAC Address - 6 bytes: The hardware address of the sending device. This is always a unicast address.
EtherType - 2 bytes: Indicates which protocol is encapsulated in the payload. Common values:
| EtherType | Protocol | Description |
|---|---|---|
| 0x0800 | IPv4 | Internet Protocol v4 |
| 0x0806 | ARP | Address Resolution Protocol |
| 0x86DD | IPv6 | Internet Protocol v6 |
| 0x8100 | 802.1Q | VLAN-tagged frame |
| 0x88A8 | 802.1ad | Q-in-Q (double VLAN tag) |
| 0x8847 | MPLS | Multiprotocol Label Switching |
Payload - 46 to 1500 bytes: The actual data being carried, typically an IP packet. The minimum payload size of 46 bytes ensures frames are long enough to detect collisions in original Ethernet designs. If the data is smaller, padding is added. The maximum of 1500 bytes is the standard Maximum Transmission Unit (MTU) for Ethernet.
Frame Check Sequence (FCS) - 4 bytes: A CRC-32 (Cyclic Redundancy Check) value calculated over the frame. The receiver recalculates the CRC and compares it to detect transmission errors. If they don't match, the frame is silently discarded.
Security Note: Ethernet provides error detection but not error correction or authentication. Frames can be easily crafted with any source MAC address; the hardware doesn't verify ownership. This fundamental lack of authentication enables MAC spoofing attacks.
**COMMON MISTAKE**
Confusing MTU with frame size. The MTU (1500 bytes) is the maximum payload size. The actual frame on the wire is larger due to headers (14 bytes) and trailer (4 bytes), plus preamble (8 bytes). For jumbo frames (MTU 9000), ensure all devices in the path support them; one non-jumbo device causes fragmentation or black-holing.
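To make the field layout and the FCS concrete, here is an added Python example (not code from the chapter) that builds and parses Ethernet II frames as they appear after the preamble/SFD, verifies the CRC-32, and computes on-the-wire length for the MTU mistake above. The sample frame uses made-up MAC addresses.

```python
import struct
import zlib

# EtherType values from the table above
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6",
              0x8100: "802.1Q", 0x88A8: "802.1ad", 0x8847: "MPLS"}
HEADER_LEN, FCS_LEN, PREAMBLE_LEN = 14, 4, 8
MIN_PAYLOAD, MAX_PAYLOAD = 46, 1500
BROADCAST = b"\xff" * 6


def mac_str(raw: bytes) -> str:
    """Render 6 raw bytes in colon notation, e.g. 00:11:22:33:44:55."""
    return ":".join(f"{b:02x}" for b in raw)


def fcs_of(body: bytes) -> bytes:
    """CRC-32 over header+payload, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble an Ethernet II frame as it looks after the preamble/SFD.
    Payloads shorter than 46 bytes are zero-padded so the frame reaches the
    64-byte minimum. Nothing here checks that `src` belongs to the sender,
    which is exactly why MAC spoofing is possible."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds the 1500-byte Ethernet MTU")
    body = dst + src + struct.pack("!H", ethertype) + payload.ljust(MIN_PAYLOAD, b"\x00")
    return body + fcs_of(body)


def parse_frame(frame: bytes) -> dict:
    """Split a frame into its fields and verify the FCS. A bad FCS means the
    frame was corrupted in transit; a good FCS says nothing about who sent it."""
    if len(frame) < HEADER_LEN + MIN_PAYLOAD + FCS_LEN:
        raise ValueError("runt frame (shorter than 64 bytes)")
    if len(frame) > HEADER_LEN + MAX_PAYLOAD + FCS_LEN:
        raise ValueError("oversized frame (longer than 1518 bytes)")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[HEADER_LEN:-FCS_LEN]
    return {
        "dst": mac_str(dst),
        "src": mac_str(src),
        "dst_is_broadcast": dst == BROADCAST,
        "dst_is_multicast": bool(dst[0] & 0x01),   # I/G bit of the first octet
        "ethertype": ethertype,
        "ethertype_name": ETHERTYPES.get(ethertype, "unknown"),
        "payload_len": len(payload),               # includes any padding
        "fcs_ok": fcs_of(frame[:-FCS_LEN]) == frame[-FCS_LEN:],
    }


def wire_length(payload_len: int) -> int:
    """Bytes on the wire for a payload: preamble+SFD, header, padded payload, FCS.
    For a full 1500-byte MTU this is 1526, not 1500."""
    return PREAMBLE_LEN + HEADER_LEN + max(payload_len, MIN_PAYLOAD) + FCS_LEN


if __name__ == "__main__":
    # Constructed sample: a broadcast ARP frame from a made-up source MAC
    frame = build_frame(BROADCAST, bytes.fromhex("aaaaaaaaaaaa"), 0x0806, b"\x00\x01\x08\x00")
    print(parse_frame(frame))
    damaged = bytearray(frame)
    damaged[20] ^= 0x01                            # flip one payload bit
    print("after corruption fcs_ok =", parse_frame(bytes(damaged))["fcs_ok"])
    print("wire bytes for a 1500-byte payload:", wire_length(1500))
```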
CSMA/CD: Handling Collisions
In shared Ethernet (hubs and the original bus topology), all devices compete for the same transmission medium. Ethernet uses CSMA/CD (Carrier Sense Multiple Access with Collision Detection) to manage this:
- Carrier Sense: Before transmitting, a device listens to check if the medium is in use
- Multiple Access: If the medium is quiet, the device transmits. Multiple devices can attempt access
- Collision Detection: While transmitting, the device monitors for collisions (another device transmitting simultaneously)
- Collision Handling: If a collision is detected, both devices stop, wait a random time (binary exponential backoff), and try again
CSMA/CD Process
```
CSMA/CD Process:
Device A                   Shared Medium                   Device B
--------                   -------------                   --------
   |                                                          |
   |  1. Listen - is anyone transmitting?                     |
   |     (Carrier Sense)                                      |
   |                                                          |
   |-------------------------- TRANSMIT --------------------->|
   |<------------------------- TRANSMIT ----------------------|
   |                                                          |
   |  2. Collision detected!                                  |
   |     Both stop transmitting                               |
   |                                                          |
   |  3. Wait random backoff (0-2^n slots)                    |
   |     Device A: 3 slot times                               |
   |     Device B: 1 slot time                                |
   |                                                          |
   |                                        Device B retries  |
   |<------------------------- SUCCESS -----------------------|
   |                                                          |
   |  Then Device A retries                                   |
   |-------------------------- SUCCESS ---------------------->|
```
With modern switched Ethernet, each port has its own collision domain, and full-duplex connections eliminate collisions entirely. CSMA/CD is largely historical, but understanding it explains why Ethernet has minimum frame sizes and certain timing constraints.
MAC Addresses
Structure and Format
A MAC address (Media Access Control address) is a unique identifier assigned to network interfaces. Every Ethernet NIC in the world has a unique 48-bit (6-byte) MAC address burned into it during manufacture.
MAC addresses are typically written in hexadecimal, with bytes separated by colons or hyphens:
MAC Address Formats
```
MAC Address Formats:
00:1A:2B:3C:4D:5E    (Colon notation - Linux/macOS)
00-1A-2B-3C-4D-5E    (Hyphen notation - Windows)
001A.2B3C.4D5E       (Cisco notation)

MAC Address Structure (48 bits):
+-------------------------+-------------------------+
|           OUI           |    Device Identifier    |
| (First 24 bits/3 bytes) | (Last 24 bits/3 bytes)  |
|                         |                         |
|   Assigned by IEEE      |   Assigned by vendor    |
|   to manufacturers      |   (unique per device)   |
+-------------------------+-------------------------+

Example: 00:1A:2B:3C:4D:5E
         |______| |______|
           OUI     Device
         (Vendor)    ID

Special bits in first octet:
  Bit 0 (I/G): 0 = Unicast, 1 = Multicast
  Bit 1 (U/L): 0 = Universally administered (vendor), 1 = Locally administered
```
OUI (Organizationally Unique Identifier): The first 24 bits identify the manufacturer. IEEE assigns OUIs to vendors. You can look up a MAC address prefix to identify the manufacturer, which is useful for network reconnaissance.
Device Identifier: The last 24 bits are assigned by the manufacturer, ensuring uniqueness within their allocation.
Special MAC Addresses
Broadcast Address: FF:FF:FF:FF:FF:FF. A frame sent to the broadcast address is received by all devices on the local network segment. ARP requests, for example, use broadcast to find the MAC address corresponding to an IP.
Multicast Addresses: MAC addresses with the least significant bit of the first byte set to 1 are multicast addresses. These deliver frames to a group of interested receivers rather than all devices.
Unicast vs Multicast (first byte)
```
Unicast vs Multicast (first byte):
Unicast:    00000000  (even number: 0x00, 0x02, 0x04...)
                   ^
                   +-- LSB = 0 means unicast

Multicast:  00000001  (odd number: 0x01, 0x03, 0x05...)
                   ^
                   +-- LSB = 1 means multicast

Common multicast MACs:
  01:00:5E:xx:xx:xx - IPv4 multicast
  33:33:xx:xx:xx:xx - IPv6 multicast
  01:80:C2:00:00:00 - Spanning Tree Protocol (STP)
  01:00:0C:CC:CC:CC - Cisco Discovery Protocol (CDP)
```
Locally Administered Addresses: The second least significant bit of the first byte indicates whether the address is globally unique (manufacturer-assigned) or locally administered (set by network administrator). Virtual machines often use locally administered addresses.
MAC Address Lookup
Knowing that MAC addresses contain manufacturer information enables network reconnaissance:
```
# Online OUI lookup (many tools available)
# Example output for 00:1A:2B:xx:xx:xx
Vendor: Ayecom Technology Co., Ltd.

# Common manufacturer OUIs (memorize these for quick identification):
Apple:      00:03:93, 00:0A:27, 00:0D:93, 3C:15:C2, F0:18:98
Intel:      00:02:B3, 00:03:47, 00:1B:21, 3C:A9:F4
Cisco:      00:00:0C, 00:01:42, 00:17:94, 00:1E:BD
Dell:       00:06:5B, 00:08:74, 00:14:22, 18:03:73
VMware:     00:0C:29, 00:50:56 (virtual machines!)
VirtualBox: 08:00:27
```
TRY IT YOURSELF
Look up MAC addresses on your network:
```bash
# Find your MAC address
ip link show              # Linux
ifconfig | grep ether     # macOS
getmac                    # Windows

# See MAC addresses of other devices (from ARP cache)
arp -a

# Look up vendor online
# https://macvendors.com/ or use Wireshark's OUI database
```
Security Note: MAC addresses can be easily changed (spoofed) in software, despite being "burned in" to hardware. Most operating systems allow setting arbitrary MAC addresses. This enables MAC spoofing attacks and can defeat MAC-based access controls. Never rely solely on MAC addresses for security.
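The following is an added Python example (not from the chapter) that normalizes the three notations, decodes the I/G and U/L bits of the first octet, and matches the OUI and multicast prefixes listed in this section; the inventory helper and its sample addresses are constructed for illustration.

```python
import re

# OUI prefixes quoted in this section (upper-case, colon notation)
KNOWN_OUIS = {
    "00:1A:2B": "Ayecom Technology Co., Ltd.",
    "00:03:93": "Apple", "3C:15:C2": "Apple", "F0:18:98": "Apple",
    "00:1B:21": "Intel", "3C:A9:F4": "Intel",
    "00:00:0C": "Cisco", "00:1E:BD": "Cisco",
    "00:14:22": "Dell", "18:03:73": "Dell",
    "00:0C:29": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox",
}
VIRTUAL_VENDORS = {"VMware", "VirtualBox"}
# Well-known multicast prefixes listed above (longest prefixes first)
MULTICAST_PREFIXES = [
    ("01:80:C2:00:00:00", "Spanning Tree Protocol (STP)"),
    ("01:00:0C:CC:CC:CC", "Cisco Discovery Protocol (CDP)"),
    ("01:00:5E", "IPv4 multicast"),
    ("33:33", "IPv6 multicast"),
]
BROADCAST = "FF:FF:FF:FF:FF:FF"


def normalize_mac(text: str) -> str:
    """Accept colon, hyphen or Cisco dotted notation; return AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def classify_mac(text: str) -> dict:
    """Decode the I/G and U/L bits of the first octet and look up the OUI."""
    mac = normalize_mac(text)
    first_octet = int(mac[0:2], 16)
    group = bool(first_octet & 0x01)          # bit 0: individual (0) / group (1)
    local = bool(first_octet & 0x02)          # bit 1: universal (0) / local (1)
    kind = "broadcast" if mac == BROADCAST else "multicast" if group else "unicast"
    info = {"mac": mac, "oui": mac[0:8], "type": kind,
            "locally_administered": False, "vendor": None, "note": None}
    if kind == "multicast":
        for prefix, name in MULTICAST_PREFIXES:
            if mac.startswith(prefix):
                info["note"] = name
                break
    elif kind == "unicast":
        if local:
            info["locally_administered"] = True
            info["note"] = "software-assigned address (VM, container or changed MAC)"
        else:
            info["vendor"] = KNOWN_OUIS.get(info["oui"], "unknown OUI")
    return info


def inventory_report(macs: list) -> dict:
    """Summarise observed unicast MACs the way an asset inventory would:
    count by vendor and list the entries that deserve a second look
    (virtual or locally administered addresses)."""
    by_vendor, review = {}, []
    for text in macs:
        info = classify_mac(text)
        if info["type"] != "unicast":
            continue
        label = info["vendor"] or "locally administered"
        by_vendor[label] = by_vendor.get(label, 0) + 1
        if info["locally_administered"] or info["vendor"] in VIRTUAL_VENDORS:
            review.append((info["mac"], info["note"] or info["vendor"]))
    return {"by_vendor": by_vendor, "review": review}


if __name__ == "__main__":
    # Constructed sample addresses, not taken from any real network
    sample = ["001A.2B3C.4D5E", "00-0c-29-12-34-56", "02:42:ac:11:00:02",
              "01:00:5e:00:00:fb", "01:80:c2:00:00:00", "ff:ff:ff:ff:ff:ff"]
    for mac in sample:
        print(classify_mac(mac))
    print(inventory_report(sample))
```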
Address Resolution Protocol (ARP)
The Problem ARP Solves
Imagine you're on your computer at IP address 192.168.1.100, and you want to communicate with your router at 192.168.1.1. You know the router's IP address, but to actually send an Ethernet frame, you need its MAC address. IP addresses mean nothing at Layer 2; switches and NICs only understand MAC addresses.
ARP (Address Resolution Protocol) bridges this gap, translating IP addresses (Layer 3) to MAC addresses (Layer 2). It's a simple yet critical protocol, and its lack of authentication makes it a prime target for attacks.
How ARP Works
ARP uses two message types: ARP Request and ARP Reply.
ARP Request (Broadcast): When a device needs to find the MAC address for an IP, it sends an ARP request to the broadcast MAC address (FF:FF:FF:FF:FF:FF). The request says, essentially: "Who has IP 192.168.1.1? Tell 192.168.1.100."
ARP Reply (Unicast): The device with the requested IP responds directly to the requester with its MAC address: "192.168.1.1 is at 00:11:22:33:44:55."
ARP Resolution Process
```
ARP Resolution Process:
Device A (192.168.1.100)                     Router (192.168.1.1)
MAC: AA:AA:AA:AA:AA:AA                       MAC: 00:11:22:33:44:55
   |                                                 |
   |  1. ARP Request (Broadcast)                     |
   |     "Who has 192.168.1.1?"                      |
   |     Destination: FF:FF:FF:FF:FF:FF              |
   |------------------------------------------------>|
   |            +-----------------------------+      |
   |            | All devices receive this    |      |
   |            | (it's broadcast)            |      |
   |            |                             |      |
   |            | Only the owner of           |      |
   |            | 192.168.1.1 responds        |      |
   |            +-----------------------------+      |
   |                                                 |
   |  2. ARP Reply (Unicast)                         |
   |     "192.168.1.1 is at 00:11:22:33:44:55"       |
   |<------------------------------------------------|
   |     Destination: AA:AA:AA:AA:AA:AA              |
   |                                                 |
   |  3. Device A updates ARP cache                  |
   |     192.168.1.1 -> 00:11:22:33:44:55            |
   |                                                 |
```
ARP Packet Structure
ARP Packet Format
```
ARP Packet Format:
+----------------+---------------+--------+-----------+----------+
| Hardware Type  | Protocol Type | HW Len | Proto Len |  Opcode  |
|   (2 bytes)    |   (2 bytes)   |(1 byte)| (1 byte)  |(2 bytes) |
|  0x0001=Eth    |  0x0800=IPv4  |  0x06  |   0x04    |  1=Req   |
|                |               |        |           |  2=Reply |
+----------------+---------------+--------+-----------+----------+
|                 Sender MAC Address (6 bytes)                   |
+----------------------------------------------------------------+
|                 Sender IP Address (4 bytes)                    |
+----------------------------------------------------------------+
|                 Target MAC Address (6 bytes)                   |
|                 (00:00:00:00:00:00 for requests)               |
+----------------------------------------------------------------+
|                 Target IP Address (4 bytes)                    |
+----------------------------------------------------------------+
```
The ARP Cache
To avoid constant ARP requests, devices maintain an ARP cache, a table mapping IP addresses to MAC addresses. When a device receives an ARP reply (or sees ARP traffic), it updates its cache. Entries typically expire after 2-20 minutes, depending on the operating system.
```bash
# View ARP cache on Linux/macOS
arp -a
# or
ip neigh show

# Example output:
192.168.1.1 at 00:11:22:33:44:55 on en0 ifscope [ethernet]
192.168.1.50 at aa:bb:cc:dd:ee:ff on en0 ifscope [ethernet]

# View ARP cache on Windows
arp -a

# Clear ARP cache (requires admin/root)
# Linux:
sudo ip -s -s neigh flush all
# macOS:
sudo arp -a -d
# Windows (elevated):
netsh interface ip delete arpcache
```
ARP Security Vulnerabilities
ARP was designed in an era when networks were small, trusted environments. It has no authenticationβany device can claim to own any IP address. This fundamental weakness enables ARP spoofing (also called ARP poisoning), one of the most powerful Layer 2 attacks.
ARP Spoofing Attack
```
ARP Spoofing Attack:
Normal Operation:
-----------------
Victim ----------> Gateway
192.168.1.100      192.168.1.1

Victim's ARP cache:
  192.168.1.1 -> 00:11:22:33:44:55  (legitimate gateway MAC)

During ARP Spoofing Attack:
---------------------------
Attacker sends fake ARP replies:
  "192.168.1.1 is at AA:BB:CC:DD:EE:FF"  (attacker's MAC)

Victim ----X-----> Gateway
   |
   +-------------> Attacker
                   AA:BB:CC:DD:EE:FF

Victim's ARP cache (poisoned):
  192.168.1.1 -> AA:BB:CC:DD:EE:FF  (attacker's MAC!)

Now all traffic intended for gateway goes to attacker!
```
In ARP spoofing, an attacker sends fake ARP replies to associate their MAC address with another device's IP (commonly the gateway). Victims update their ARP cache with the false information and start sending traffic to the attacker instead of the legitimate destination. This enables man-in-the-middle attacks.
Security Note: ARP spoofing is covered in detail in Part II, Chapter 2. Defenses include static ARP entries, Dynamic ARP Inspection (DAI) on switches, and monitoring for ARP anomalies.
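As an added example (not part of the chapter), the Python below encodes and decodes ARP messages in the 28-byte layout shown above and runs a passive binding check in the spirit of Dynamic ARP Inspection over a constructed exchange that follows the spoofing diagram; the MAC and IP addresses are the made-up values from the diagrams.

```python
import struct
from ipaddress import IPv4Address
from typing import Optional

ARP_LEN = 28
ARP_FMT = "!HHBBH6s4s6s4s"      # field order from the ARP packet diagram above
OPCODES = {1: "request", 2: "reply"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(opcode: int, sender_mac: bytes, sender_ip: str,
              target_mac: bytes, target_ip: str) -> bytes:
    """Encode an Ethernet/IPv4 ARP message (hardware type 1, protocol 0x0800)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode, sender_mac,
                       IPv4Address(sender_ip).packed, target_mac,
                       IPv4Address(target_ip).packed)


def parse_arp(data: bytes) -> dict:
    """Decode the 28-byte ARP body; reject anything that is not Ethernet/IPv4."""
    if len(data) < ARP_LEN:
        raise ValueError("ARP message shorter than 28 bytes")
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, data[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return {"op": OPCODES.get(op, f"opcode {op}"),
            "sender_mac": mac_str(smac), "sender_ip": str(IPv4Address(sip)),
            "target_mac": mac_str(tmac), "target_ip": str(IPv4Address(tip))}


class ArpMonitor:
    """Passive checker modelled on what Dynamic ARP Inspection does on a switch:
    every ARP sender binding is compared against a table of known IP->MAC pairs.
    Static (trusted) bindings come from the constructor; anything else is learned
    from the first message seen and pinned from then on."""

    def __init__(self, static_bindings: Optional[dict] = None):
        self.bindings = dict(static_bindings or {})   # ip -> mac
        self.alerts = []

    def observe(self, data: bytes, eth_src: Optional[bytes] = None) -> Optional[str]:
        pkt = parse_arp(data)
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        # Check 1: the Ethernet source must match the ARP sender hardware address
        if eth_src is not None and mac_str(eth_src) != mac:
            return self._alert(f"ARP sender {mac} does not match frame source {mac_str(eth_src)}")
        # Check 2: the IP->MAC binding must agree with what is already known
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac
            return None
        if known != mac:
            kind = "gratuitous " if ip == pkt["target_ip"] else ""
            return self._alert(f"{ip} claimed by {mac} in {kind}{pkt['op']} but bound to {known}")
        return None

    def _alert(self, text: str) -> str:
        self.alerts.append(text)
        return text


if __name__ == "__main__":
    # Constructed traffic for the scenario in the diagram above
    gateway, victim = bytes.fromhex("001122334455"), bytes.fromhex("aaaaaaaaaaaa")
    spoofer = bytes.fromhex("aabbccddeeff")
    monitor = ArpMonitor({"192.168.1.1": "00:11:22:33:44:55"})
    monitor.observe(build_arp(1, victim, "192.168.1.100", b"\x00" * 6, "192.168.1.1"))
    monitor.observe(build_arp(2, gateway, "192.168.1.1", victim, "192.168.1.100"))
    print(monitor.observe(build_arp(2, spoofer, "192.168.1.1", victim, "192.168.1.100")))
```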
THINK ABOUT IT
ARP has no authentication because it was designed for trusted academic networks. If you were designing a protocol today to solve the same problem, what security measures would you include?
Switches and Switching
From Hubs to Switches
As discussed in Chapter 1, hubs are simple devices that repeat all traffic to all ports; every device sees every frame. This creates congestion, security issues, and collision problems. Switches solved these problems by learning which devices are connected to which ports and forwarding traffic only where it needs to go.
How Switches Learn
Switches build a MAC address table (also called a CAM table, for Content Addressable Memory) by observing the source MAC address of frames arriving on each port. When a switch receives a frame:
- Learning: Record the source MAC address and the port it arrived on
- Forwarding Decision:
  - If the destination MAC is in the table -> forward to that port only (unicast)
  - If the destination MAC is not in the table -> flood to all ports except source (unknown unicast)
  - If the destination MAC is broadcast/multicast -> flood appropriately
Switch Learning Process
```
Switch Learning Process:
Initial State: Empty MAC table
+---------------+---------+
|  MAC Address  |  Port   |
+---------------+---------+
|    (empty)    |         |
+---------------+---------+

Step 1: Device A (MAC AA:AA) sends frame from Port 1
        Switch learns: AA:AA is on Port 1
+---------------+---------+
|      MAC      |  Port   |
+---------------+---------+
|  AA:AA:AA:AA  |    1    |
+---------------+---------+

Step 2: Device B (MAC BB:BB) sends frame from Port 2
        Switch learns: BB:BB is on Port 2
+---------------+---------+
|      MAC      |  Port   |
+---------------+---------+
|  AA:AA:AA:AA  |    1    |
|  BB:BB:BB:BB  |    2    |
+---------------+---------+

Step 3: A wants to send to B
        Switch looks up BB:BB -> Port 2
        Forwards ONLY to Port 2 (not flooding!)

   Port 1           Port 2           Port 3
     |                |                |
 [Device A] -----> [Device B]      [Device C]
                                   (doesn't see
                                    this traffic)
```
MAC Address Table Details
```
# View MAC address table on Cisco switch
show mac address-table

# Example output:
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0011.2233.4455    DYNAMIC     Gi0/1
   1    aabb.ccdd.eeff    DYNAMIC     Gi0/2
  10    0022.3344.5566    DYNAMIC     Gi0/5

# Table aging: Entries expire after 300 seconds (default)
# This is important - if a device moves to a different port,
# the old entry must age out or be replaced
```
Collision Domains and Broadcast Domains
Collision Domain: A network segment where collisions can occur if two devices transmit simultaneously. In hub-based networks, all ports share one collision domain. Switches create separate collision domains for each port; devices on different ports can transmit simultaneously without collision.
Broadcast Domain: A network segment where broadcast frames are received by all devices. A standard switch is one broadcast domain; broadcasts reach all ports. Routers (Layer 3 devices) separate broadcast domains.
Collision Domains and Broadcast Domains
```
Collision Domains and Broadcast Domains:
Hub-Based Network:                  Switch-Based Network:
------------------                  ---------------------
   +--------------+                    +--------------+
   |     HUB      |                    |    SWITCH    |
   +-+---+---+---++                    +-+---+---+---++
     |   |   |   |                       |   |   |   |
     A   B   C   D                       A   B   C   D

   1 Collision Domain                  4 Collision Domains
   1 Broadcast Domain                  1 Broadcast Domain
   All devices compete                 Each port has its own
   for same bandwidth                  full bandwidth

Router Separates Broadcast Domains:
-----------------------------------
   +------------+                      +------------+
   |  Switch 1  |                      |  Switch 2  |
   +-----+------+                      +------+-----+
         |           +--------+               |
         +-----------| ROUTER |---------------+
                     +--------+
   Broadcast Domain 1                  Broadcast Domain 2
   (Broadcasts don't                   (Separate from BD1)
    cross the router)
```
Security Note: The MAC address table has finite size (typically 8K-128K entries depending on switch model). In a MAC flooding attack, an attacker sends frames with thousands of fake source MAC addresses, filling the table. When the table is full, the switch can't learn new addresses and must flood all traffic, turning it into a hub and allowing the attacker to see all traffic. We cover this attack in Part II, Chapter 2.
VLANs (Virtual Local Area Networks)
The Problem VLANs Solve
Imagine a company with multiple departments (Engineering, Sales, HR), all on the same floor, connected to the same switches. Without any separation, a broadcast from an Engineering computer reaches everyone. More concerning, any compromised device can potentially access traffic from any department.
VLANs solve this by creating logical network segments within a physical switch infrastructure. Devices in different VLANs cannot communicate directly, even if they're connected to the same switch; traffic between VLANs must go through a router (Layer 3 device).
How VLANs Work
Each switch port is assigned to a VLAN. Frames are tagged internally with their VLAN ID, and the switch only forwards frames within the same VLAN.
VLAN Example
```
VLAN Example:
Same Physical Switch, Logically Separated:
+----------------------------------------------------------+
|                          SWITCH                          |
|   +-----------+       +----------+       +----------+    |
|   |  VLAN 10  |       | VLAN 20  |       | VLAN 30  |    |
|   |Engineering|       |  Sales   |       |    HR    |    |
|   +-----+-----+       +----+-----+       +----+-----+    |
|         |                  |                  |          |
+---------+------------------+------------------+----------+
          |                  |                  |
     +----+----+        +----+-----+       +----+----+
     |   Eng   |        |  Sales   |       |   HR    |
     |Computers|        |Computers |       |Computers|
     +---------+        +----------+       +---------+

Broadcasts in VLAN 10 don't reach VLAN 20 or 30
Traffic between VLANs must go through a router

   VLAN 10                Router                VLAN 20
      |                     |                      |
      +---------------------+----------------------+
                      Inter-VLAN routing
                      (Layer 3 required)
```
802.1Q VLAN Tagging
When frames need to travel between switches, they must carry their VLAN information. IEEE 802.1Q defines how VLAN tags are inserted into Ethernet frames.
802.1Q Tagged Frame
```
802.1Q Tagged Frame:
Standard Ethernet Frame:
+---------+---------+----------+-------------------------+---------+
|Dest MAC |Src MAC  |EtherType |         Payload         |   FCS   |
| 6 bytes |6 bytes  | 2 bytes  |                         | 4 bytes |
+---------+---------+----------+-------------------------+---------+

802.1Q Tagged Frame (4 bytes inserted):
+---------+---------+--------------------+----------+---------------+---------+
|Dest MAC |Src MAC  |     802.1Q Tag     |EtherType |    Payload    |   FCS   |
| 6 bytes |6 bytes  |     (4 bytes)      | 2 bytes  |               | 4 bytes |
+---------+---------+--------------------+----------+---------------+---------+
                              |
                    +---------+---------+
                    |                   |
            +-------+-------+   +-------+---------+
            |     TPID      |   |       TCI       |
            |   (2 bytes)   |   |    (2 bytes)    |
            |    0x8100     |   |                 |
            +---------------+   +--------+--------+
                                         |
                          +--------------+--------------+
                          |              |              |
                     +----+----+    +----+----+    +----+----+
                     |Priority |    |   DEI   |    | VLAN ID |
                     | 3 bits  |    |  1 bit  |    | 12 bits |
                     |(0-7 QoS)|    |(discard)|    |(1-4094) |
                     +---------+    +---------+    +---------+

VLAN ID range: 1-4094 (0 and 4095 reserved)
```
Access Ports vs Trunk Ports:
| Port Type | Connects | Frames | VLAN Handling |
|---|---|---|---|
| Access | End devices | Untagged | Switch adds/removes tags internally |
| Trunk | Switches | Tagged (802.1Q) | Tags preserved across link |
| Native VLAN | N/A | Untagged on trunk | Default VLAN for untagged frames |
Access vs Trunk Ports
```
Access vs Trunk Ports:
     Access Port                      Trunk Port
     -----------                      ----------
[Computer] ---- [Switch 1] ====================== [Switch 2]
            |                    |
       Access Port           Trunk Port
                                 |
Computer sends                   |  Frames on trunk
untagged frames                  |  carry 802.1Q tags
     |                           |  (except native VLAN)
     v
Switch internally assigns
VLAN based on port config
```
VLAN Security Considerations
While VLANs provide network segmentation, they're not a perfect security boundary:
VLAN Hopping Attacks:
- Switch Spoofing: Attacker configures their NIC to act like a trunk port, potentially accessing multiple VLANs
- Double Tagging: Attacker sends frames with two 802.1Q tags; outer tag is stripped by first switch, inner tag routes to victim VLAN
Double Tagging Attack
```
Double Tagging Attack:
Attacker is on VLAN 10 (native VLAN)
Target is on VLAN 20

Attacker sends double-tagged frame:
+--------+------------+------------+-------------+
|Eth Hdr | Outer Tag  | Inner Tag  |   Payload   |
|        |  VLAN 10   |  VLAN 20   |             |
|        |  (native)  |  (target)  |             |
+--------+------------+------------+-------------+

Switch 1 (receiving on native VLAN):
  - Strips outer tag (it's native VLAN, untagged expected on trunk)
  - Forwards with only inner tag (VLAN 20)

Switch 2:
  - Receives frame tagged VLAN 20
  - Delivers to VLAN 20!

Frame reached VLAN 20 from VLAN 10!
(Note: Only works one-way, no return path)
```
VLAN Security Best Practices:
- Never use VLAN 1 for production traffic
- Change native VLAN to unused VLAN
- Explicitly configure access ports (don't rely on DTP)
- Disable unused ports and put them in unused VLAN
- Use Private VLANs for additional isolation
- Prune unnecessary VLANs from trunks
Security Note: VLAN hopping attacks are covered in Part II, Chapter 2. Proper switch hardening can prevent most of these attacks.
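The Python below is an added example (not the chapter's code) that encodes and walks the 802.1Q tag stack (TPID, priority, DEI, VLAN ID) and audits a frame arriving on a port against the practices listed above: tags on access ports, frames explicitly tagged with the native VLAN, and the stacked-tag pattern from the double-tagging diagram. Frames and addresses are constructed, and the FCS is left off for brevity.

```python
import struct

TPIDS = {0x8100: "802.1Q", 0x88A8: "802.1ad"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_tag(vlan_id: int, priority: int = 0, dei: int = 0, tpid: int = 0x8100) -> bytes:
    """Encode one 4-byte tag: TPID, then TCI = priority(3) | DEI(1) | VID(12)."""
    if not 0 <= vlan_id <= 4095 or not 0 <= priority <= 7 or dei not in (0, 1):
        raise ValueError("VLAN ID must be 0-4095, priority 0-7, DEI 0 or 1")
    return struct.pack("!HH", tpid, (priority << 13) | (dei << 12) | vlan_id)


def build_frame(dst: bytes, src: bytes, tags: list, ethertype: int, payload: bytes) -> bytes:
    """Constructed frame with zero or more tags inserted after the source MAC (no FCS)."""
    return dst + src + b"".join(tags) + struct.pack("!H", ethertype) + payload


def parse_tags(frame: bytes) -> dict:
    """Walk the tag stack in wire order and return the tags plus the inner EtherType."""
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype not in TPIDS:
            break
        if len(frame) < offset + 4:
            raise ValueError("truncated tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append({"tpid": TPIDS[ethertype], "priority": tci >> 13,
                     "dei": (tci >> 12) & 1, "vlan_id": tci & 0x0FFF})
        offset += 4
    return {"dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12]),
            "tags": tags, "ethertype": ethertype, "payload": frame[offset + 2:]}


def audit_ingress(frame: bytes, port_mode: str, native_vlan: int = 1) -> list:
    """Findings for a frame arriving on a port; an empty list means nothing unusual."""
    tags = parse_tags(frame)["tags"]
    vids = [t["vlan_id"] for t in tags]
    findings = []
    if port_mode == "access":
        if tags:   # end devices should never tag; this is the switch-spoofing precondition
            findings.append(f"tagged frame (VLAN {vids[0]}) on an access port")
        return findings
    if port_mode != "trunk":
        raise ValueError("port_mode must be 'access' or 'trunk'")
    if len(tags) >= 2:
        findings.append(f"stacked tags {vids}: double-tagging pattern")
        if vids[0] == native_vlan:
            findings.append(f"outer tag is the native VLAN {native_vlan}; a switch that strips it "
                            f"would forward the frame into VLAN {vids[1]}")
    elif len(tags) == 1 and vids[0] == native_vlan:
        findings.append(f"explicitly tagged with native VLAN {native_vlan} (should arrive untagged)")
    return findings


def double_tag_demo() -> list:
    """The scenario from the diagram above: outer tag = native VLAN 10, inner tag = VLAN 20."""
    frame = build_frame(b"\xff" * 6, bytes.fromhex("aaaaaaaaaaaa"),
                        [build_tag(10), build_tag(20)], 0x0800, b"constructed payload")
    return audit_ingress(frame, "trunk", native_vlan=10)


if __name__ == "__main__":
    for finding in double_tag_demo():
        print("finding:", finding)
```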
802.1X: Network Access Control
The Problem 802.1X Solves
Traditional network access is simple: plug in a cable, get network access. But in enterprise environments, this is a security nightmare. Anyone who gains physical access can connect to the network.
802.1X provides port-based Network Access Control (NAC). Before a device can access the network, it must authenticate. Until then, only authentication traffic is allowed.
802.1X Components
802.1X Architecture
```
802.1X Architecture:
+--------------+          +--------------+          +--------------+
|  Supplicant  |          |Authenticator |          |Authentication|
|   (Client)   |          |   (Switch)   |          |    Server    |
|              |          |              |          |   (RADIUS)   |
+------+-------+          +------+-------+          +------+-------+
       |                         |                         |
       |  1. EAPOL-Start         |                         |
       |------------------------>|                         |
       |                         |                         |
       |  2. EAP-Request         |                         |
       |     Identity            |                         |
       |<------------------------|                         |
       |                         |                         |
       |  3. EAP-Response        |                         |
       |     Identity            |                         |
       |------------------------>|                         |
       |                         |                         |
       |                         |  4. RADIUS Access-      |
       |                         |     Request             |
       |                         |------------------------>|
       |                         |                         |
       |                         |  5. RADIUS Access-      |
       |                         |     Challenge           |
       |                         |<------------------------|
       |                         |                         |
       |  6. EAP-Request         |                         |
       |     (Method)            |                         |
       |<------------------------|                         |
       |                         |                         |
       |  7. EAP-Response        |                         |
       |     (Credentials)       |                         |
       |------------------------>|                         |
       |                         |                         |
       |                         |  8. RADIUS Access-      |
       |                         |     Request             |
       |                         |------------------------>|
       |                         |                         |
       |                         |  9. RADIUS Accept       |
       |                         |     (with VLAN)         |
       |                         |<------------------------|
       |                         |                         |
       |  10. EAP-Success        |                         |
       |<------------------------|                         |
       |                         |                         |
       |  PORT AUTHORIZED        |                         |
       |  (Network Access)       |                         |
       |------------------------>|                         |
```
Supplicant: The client device requesting access (computer, phone, IoT device)
Authenticator: The network device controlling access (switch, wireless AP)
Authentication Server: Validates credentials (typically RADIUS server)
EAP Methods
EAP (Extensible Authentication Protocol) is a framework supporting multiple authentication methods:
| EAP Method | Description | Security Level |
|---|---|---|
| EAP-MD5 | Password hash | Low (no mutual auth) |
| EAP-TLS | Certificate-based | High (mutual auth, PKI required) |
| EAP-TTLS | TLS tunnel + inner method | High |
| PEAP | TLS tunnel + MSCHAPv2 | High (most common) |
| EAP-FAST | Cisco, uses PAC | High |
PEAP (Protected EAP) is most common in enterprises:
- Establishes TLS tunnel to RADIUS server
- User authenticates within tunnel (usually username/password)
- Server certificate validates server identity
802.1X Security Benefits
- Identity-based access: Know who/what is on your network
- Dynamic VLAN assignment: Users can be placed in appropriate VLAN based on identity
- Guest access control: Unauthenticated devices can be redirected to captive portal
- Endpoint compliance: Can check device health before granting access (NAC)
- Audit trail: Authentication events are logged
802.1X Bypass Techniques
Attackers have developed techniques to bypass 802.1X:
- MAC Authentication Bypass (MAB): If enabled for devices that canβt do 802.1X, attacker spoofs authorized MAC
- Hub insertion: Place hub between authenticated device and switch
- Transparent bridge: Bridge traffic through authenticated device
- VLAN manipulation: If dynamic VLAN assignment isnβt properly secured
Security Note: 802.1X bypass techniques are covered in Part II, Chapter 2. Defense requires proper configuration and additional controls like MACSec.
Spanning Tree Protocol (STP)
The Loop Problem
Network designers often want redundant paths for reliability: if one link fails, traffic can use another. However, creating physical loops in a switched network causes serious problems:
- Broadcast Storms: Broadcasts loop endlessly, multiplying and consuming all bandwidth
- MAC Table Instability: The switch sees the same MAC on multiple ports, constantly updating its table
- Multiple Frame Delivery: Unicast frames can be delivered multiple times
How STP Works
The Spanning Tree Protocol (IEEE 802.1D and later 802.1w for Rapid STP) prevents loops by logically disabling redundant paths while keeping them available for failover.
Spanning Tree Protocol
```
Spanning Tree Protocol:
Physical Topology (has loops):
+------------+            +------------+
|  Switch A  |------------|  Switch B  |
|(Root Bridge|            |            |
| BID: 1000) |            | BID: 2000  |
+-----+------+            +-----+------+
      |                         |
      |                         |
      |      +------------+     |
      +------|  Switch C  |-----+
             | BID: 3000  |
             +------------+

STP Logical Topology (loop-free):
+------------+            +------------+
|  Switch A  |------------|  Switch B  |
|   (ROOT)   | DP      RP |            |
+-----+------+            +-----+------+
      | DP                      | DP
      |                         |
      |      +------------+     |
      +------|  Switch C  |--X--+    <- BLOCKED PORT
          RP |            |           (prevents loop)
             +------------+

RP = Root Port (best path to root)
DP = Designated Port (forwards traffic)
Blocked = Neither (breaks the loop)
```
STP works by:
- Electing a Root Bridge: One switch becomes the "root" of the spanning tree (lowest Bridge ID wins)
- Calculating Paths: Each switch determines its best path to the root
- Blocking Redundant Ports: Ports that would create loops are put in "blocking" state
- Monitoring: If a link fails, blocked ports can transition to forwarding
STP Versions
| Version | Standard | Convergence | Notes |
|---|---|---|---|
| STP | 802.1D | 30-50 seconds | Original, slow |
| RSTP | 802.1w | 1-2 seconds | Rapid, most common |
| MSTP | 802.1s | 1-2 seconds | Multiple spanning trees per VLAN |
STP Security Implications
STP manipulates traffic flow, which attackers can exploit:
Root Bridge Manipulation: By advertising a lower Bridge ID, an attackerβs device can become the root bridge, forcing all traffic to flow through it.
STP Denial of Service: Sending topology change notifications can cause network instability as switches constantly recalculate.
Defenses:
- BPDU Guard: Disable port if BPDU received (use on access ports)
- Root Guard: Prevent port from becoming root port
- BPDU Filter: Stop sending/receiving BPDUs (use with caution)
Security Note: STP attacks are covered in Part II, Chapter 2.
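As an added example (not the chapter's own code), the Python below runs the root election and port-role computation for the three-switch topology in the diagram above, then shows what Root Guard does: when a device with a lower Bridge ID appears on a guarded port, that port goes root-inconsistent and the existing root keeps its role. Bridge IDs are taken as plain integers, all link costs are assumed equal (4), and the port numbers are made up.

```python
import heapq


class Topology:
    """Switches with bridge IDs (lower wins), point-to-point links with a path
    cost, and the set of ports on which Root Guard is configured."""

    def __init__(self):
        self.bids = {}            # switch -> bridge ID
        self.links = []           # (switch_a, port_a, switch_b, port_b, cost)
        self.root_guard = set()   # (switch, port)

    def add_switch(self, name, bid):
        self.bids[name] = bid

    def add_link(self, a, port_a, b, port_b, cost=4):
        self.links.append((a, port_a, b, port_b, cost))

    def guard(self, switch, port):
        self.root_guard.add((switch, port))


def compute_tree(bids: dict, links: list) -> dict:
    """Elect a root per connected component (lowest BID), compute each switch's
    root path cost, and assign RP / DP / BLK to every link end."""
    adj = {sw: [] for sw in bids}
    for a, pa, b, pb, cost in links:
        adj[a].append((b, pb, cost))
        adj[b].append((a, pa, cost))
    best, keys, roots = {}, {}, {}     # best: sw -> (cost, upstream switch, root port)
    for start in sorted(bids, key=bids.get):
        if start in best:
            continue                   # already part of an elected tree
        best[start], keys[start], roots[start] = (0, None, None), (0, -1), start
        heap = [(0, bids[start], start)]
        while heap:
            cost, _, cur = heapq.heappop(heap)
            if cost > best[cur][0]:
                continue
            for nb, nb_port, link_cost in adj[cur]:
                key = (cost + link_cost, bids[cur])   # tie-break on upstream BID
                if nb not in keys or key < keys[nb]:
                    keys[nb] = key
                    best[nb] = (cost + link_cost, cur, nb_port)
                    roots[nb] = start
                    heapq.heappush(heap, (cost + link_cost, bids[cur], nb))
    roles = {}
    for sw, (_cost, _up, root_port) in best.items():
        if root_port is not None:
            roles[(sw, root_port)] = "RP"
    for a, pa, b, pb, _cost in links:
        # the end with the lower root path cost (then lower BID) is designated
        a_key, b_key = (best[a][0], bids[a]), (best[b][0], bids[b])
        des, other = ((a, pa), (b, pb)) if a_key <= b_key else ((b, pb), (a, pa))
        roles.setdefault(des, "DP")
        roles.setdefault(other, "BLK")
    return {"roots": roots, "cost": {sw: v[0] for sw, v in best.items()}, "roles": roles}


def converge(topo: Topology) -> dict:
    """Run the election; whenever a Root Guard port would become a root port
    (a superior BPDU arrived there), put it in the root-inconsistent state and
    drop that link from the computation, as Root Guard does on a real switch."""
    links, inconsistent = list(topo.links), set()
    while True:
        result = compute_tree(topo.bids, links)
        tripped = {g for g in topo.root_guard if result["roles"].get(g) == "RP"}
        if not tripped:
            result["root_inconsistent"] = sorted(inconsistent)
            return result
        inconsistent |= tripped
        links = [l for l in links if (l[0], l[1]) not in tripped and (l[2], l[3]) not in tripped]


def triangle() -> Topology:
    """The three-switch topology from the diagram above (BIDs 1000/2000/3000)."""
    t = Topology()
    for name, bid in (("A", 1000), ("B", 2000), ("C", 3000)):
        t.add_switch(name, bid)
    t.add_link("A", 1, "B", 1)
    t.add_link("A", 2, "C", 1)
    t.add_link("B", 2, "C", 2)
    return t


if __name__ == "__main__":
    print(converge(triangle())["roles"])
    guarded = triangle()                       # a device with a lower BID appears on C port 3
    guarded.add_switch("rogue", 500)
    guarded.add_link("C", 3, "rogue", 1)
    guarded.guard("C", 3)                      # Root Guard on that access port
    result = converge(guarded)
    print(result["roots"], result["root_inconsistent"])
```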
Layer 2 Security Summary
Defense in Depth at Layer 2
| Threat | Attack | Defense |
|---|---|---|
| MAC Spoofing | Attacker changes MAC | Port Security, 802.1X |
| ARP Spoofing | Fake ARP replies | DAI, Static ARP, ARP inspection |
| MAC Flooding | Overflow CAM table | Port Security limits |
| VLAN Hopping | Double tagging, switch spoofing | Proper VLAN config, no native VLAN |
| STP Manipulation | Become root bridge | BPDU Guard, Root Guard |
| Unauthorized Access | Physical connection | 802.1X, NAC |
Switch Hardening Checklist
Basic Switch Hardening
- [ ] Change default passwords
- [ ] Enable SSH, disable telnet
- [ ] Configure management VLAN (not VLAN 1)
- [ ] Disable unused ports
- [ ] Put unused ports in "black hole" VLAN
- [ ] Configure all ports as access (not auto/trunk)
- [ ] Enable port security with MAC limits
- [ ] Enable BPDU Guard on access ports
- [ ] Enable Root Guard on non-root ports
- [ ] Enable Dynamic ARP Inspection (DAI)
- [ ] Enable DHCP Snooping
- [ ] Configure native VLAN (not VLAN 1)
- [ ] Enable logging to central syslog
- [ ] Enable NTP for synchronized timestamps
- [ ] Regular firmware updates
Key Takeaways
- Ethernet frames data with addressing and error detection, forming the foundation of wired LANs
- MAC addresses provide hardware-level device identification but can be easily spoofed
- ARP translates IP addresses to MAC addresses, but lacks authentication, making it vulnerable to spoofing attacks
- Switches intelligently forward traffic based on MAC addresses, creating efficient networks, but their CAM tables can be overwhelmed
- VLANs provide logical segmentation but aren't a complete security boundary; proper configuration is essential
- 802.1X provides identity-based network access control, significantly improving security
- STP prevents loops but can be manipulated if not properly secured
Self-Assessment
- Comprehension: Why can an attacker send ARP replies for IP addresses they don't own?
- Application: A switch suddenly starts flooding all unicast traffic to all ports. What attack might be occurring?
- What if: If 802.1X is deployed but MAB (MAC Authentication Bypass) is enabled for IoT devices, what risk remains?
Review Questions
- What information does an Ethernet frame header contain?
- How does a switch learn which devices are connected to which ports?
- Why is ARP vulnerable to spoofing attacks?
- What's the difference between a collision domain and a broadcast domain?
- How do VLANs improve network security, and what are their limitations?
- What is the purpose of 802.1X, and what are its three main components?
Key RFCs and Standards
- RFC 826 - An Ethernet Address Resolution Protocol (ARP)
- RFC 5227 - IPv4 Address Conflict Detection
- IEEE 802.3 - Ethernet
- IEEE 802.1Q - Virtual LANs
- IEEE 802.1X - Port-Based Network Access Control
- IEEE 802.1D/w/s - Spanning Tree Protocol variants