Introduction
Beneath the satisfying click of an RJ45 cable and the illusion of instant connectivity lies a chaotic electrical environment governed by strict mathematical rules and high-speed silicon. Before we can even think about “IP routing” or “web applications”, the Link Layer (Layer 2) of the OSI model must solve the fundamental physics problem of converting massive digital payloads into microscopic electrical pulses sent down a shared copper wire without colliding. In this post, we will strip away the high-level software abstractions to explore the bare-metal engineering of wired networks, tearing down the exact binary anatomy of an Ethernet frame and examining how physical switches use hardware-accelerated memory to map the topology of a room.
The Anatomy of the Wire
IEEE 802 is a family of “Institute of Electrical and Electronics Engineers (IEEE)” standards for local area networks (LANs), personal area networks (PANs), and metropolitan area networks (MANs). The IEEE 802 LAN/MAN Standards Committee (LMSC) maintains these standards.
Ethernet is a family of wired computer networking technologies commonly used in LANs, MANs and WANs.
Ethernet Frame Structure
- Preamble (7 bytes): A sequence of alternating 1s and 0s that allows the receiving hardware to synchronize its clock with the incoming signal.
- Start Frame Delimiter (1 byte): Indicates the beginning of the frame. It is 10101011 in binary.
- Destination MAC Address (6 bytes): The MAC address of the intended recipient.
- Source MAC Address (6 bytes): The MAC address of the sender.
- EtherType (2 bytes): Identifies the protocol encapsulated in the payload.
- Payload (46-1500 bytes): The actual data being transmitted.
- Frame Check Sequence (4 bytes): A cyclic redundancy check used to detect errors in the frame.
Cyclic Redundancy Check (CRC)
The frame check sequence (FCS) is a four-octet cyclic redundancy check (CRC) that allows detection of corrupted data within the entire frame as received on the receiver side. According to the standard, the FCS value is computed as a function of the protected MAC frame fields: source and destination address, length/type field, payload data and padding (that is, all fields except the FCS).
Data : 0b1010111011100110 (16 bits)
Polynomial : 0b101010101 (9 bits)
Step 1
Padding the data with zeros (one less of the polynomial length): 0b101011101110011000000000 (24 bits)
Step 2
Performing binary division (modulo 2) of the padded data by the polynomial. The remainder of this division is the CRC value.
101011101110011000000000 (Our padded frame)
^ 101010101
---------
100011001 (Result: 000001000. Bring down 11001)
^ 101010101
---------
100110010 (Result: 001001100. Bring down 10)
^ 101010101
---------
110011100 (Result: 001100111. Bring down 00)
^ 101010101
---------
110010010 (Result: 011001001. Bring down 0)
^ 101010101
---------
110001110 (Result: 011000111. Bring down 0)
^ 101010101
---------
110110110 (Result: 011011011. Bring down 0)
^ 101010101
---------
111000110 (Result: 011100011. Bring down 0)
^ 101010101
---------
100100110 (Result: 010010011. Bring down 0)
^ 101010101
---------
11100110 (Result: 001110011)The final remainder is 0b11100110, which is the CRC value that will be appended to the frame.
- Payload :
0b101011101110011011100110(24 bits)
When you run the same process on the 24 bytes payload, the CRC value will be zero.
The polynomial used for the Ethernet CRC32 is generally represented as 0x04C11DB7 in hexadecimal, which corresponds to the binary
polynomial 0b1000100110000010001110110110111. This polynomial is used in the CRC calculation to ensure data integrity.
VLANs and QoS Tagging
Normally, an Ethernet header looks like this:
[Destination MAC (6 bytes)] + [Source MAC (6 bytes)] + [EtherType (2 bytes)]
When a switch is configured for VLANs, the moment a frame enters a specific port, the switch’s hardware physically splits the frame open “right after the Source MAC” and injects a 32-bit (4-byte) 802.1Q Tag.
- Tag Protocol Identifier (TPID) : 16 bits set to 0x8100, indicating that the frame is VLAN-tagged.
- Tag Control Information (TCI) : 16 bits that include:
- Priority Code Point (PCP) : 3 bits for Quality of Service (QoS) priority.
- Drop Eligible Indicator (DEI) : 1 bit indicating if the frame can be dropped in case of congestion.
- VLAN Identifier (VID) : 12 bits that specify the VLAN to which the frame belongs.
Link Aggregation
In computer networking, link aggregation is the combining (aggregating) of multiple network connections in parallel by any of several methods. Link aggregation increases total bandwidth beyond what a single connection could sustain, and provides redundancy where all but one of the physical links may fail without losing connectivity. A link aggregation group (LAG) is the combined collection of physical ports.
Implementation may follow vendor-independent standards such as “Link Aggregation Control Protocol (LACP)” for Ethernet, defined in IEEE 802.1AX or the previous IEEE 802.3ad, but also proprietary protocols.
Duplex Mismatch
A duplex mismatch occurs when a hardcoded Full-Duplex server connects to an autonegotiating switch that defaults to Half-Duplex. The server blindly blasts data without listening, causing physical voltage collisions on the wire.
The switch silently drops these collided frames. Because the hardware hides the errors, the Layer 4 TCP stack panics over the missing data and violently throttles multi-gigabit speeds down to a crawl.
The Brains of the Operation
Hub
If you plug four computers into a 4-port hub, you have effectively just soldered all four of their copper Ethernet cables together into one giant, shared wire.
1 - The Blind Broadcast: When Computer A wants to send a frame to Computer C, it fires the electrical voltage down its transmit pins.
2 - The Amplification: The electrical signal enters Port 1 of the hub. The hub’s internal circuitry does not look for a Destination MAC address. It literally cannot read the data. It just detects voltage.
3 - The Duplication: The hub takes that incoming electrical signal, amplifies it, and physically blasts the exact same voltage out of Port 2, Port 3, and Port 4 simultaneously.
Any device plugged into a hub is strictly forced into “Half-Duplex” mode. Every computer has to constantly run its CSMA/CD collision detection, listening to the wire and waiting for total silence before it is allowed to speak.
Switch
The core of a switch is a specialized piece of hardware memory called the CAM (Content Addressable Memory) Table (also known as the MAC Address Table).
You feed the CAM chip the data (a Destination MAC address), and the hardware instantly spits out the address (the physical port number it is plugged into). It does this in a single clock cycle.
Learning Process
-
1 - Computer A (plugged into Port 1) sends an Ethernet frame to Computer C.
-
2 - The frame hits the switch.
-
3 - Before looking at where the frame is going, the switch looks at where it came from. It reads the Source MAC Address in the Ethernet header.
-
4 - The switch’s hardware instantly updates its CAM table: “I now know that MAC Address AA:AA:AA is physically located on Port 1.”
Fowarding Process
- 1 - The switch looks at the Destination MAC Address (Computer C).
- 2 - It queries the CAM table: “Do I know which port Computer C is plugged into?”
-
- If Yes (Known Unicast): The switch creates a temporary, point-to-point electrical circuit between Port 1 and Computer C’s port. The frame flies down that single wire. Computers B and D see absolutely nothing.
-
- If No (Unknown Unicast): Because the switch just booted up, it doesn’t know where C is yet. So, for this one specific frame, the switch acts exactly like a Hub. It Floods the frame out of every single port except the one it came in on.
Hardware Features
Wake On LAN (WoL) and Magic Packets
When you tell an operating system to power off, the CPU, the RAM, and the hard drives spin down. The screen goes black. But the physical ATX power supply is still feeding a microscopic trickle of 5-volt standby power (5VSB) directly into the motherboard’s PCIe bus.
Because of this, your Network Interface Card (NIC) is never truly asleep. It is still blindly listening to the electrical pulses on the copper wire.
Magic Packet
The NIC is in a low-power state. It does not have the processing power to parse complex IPv4 headers, check TCP ports, or decrypt TLS traffic. It is
looking for one very specific, mathematically impossible-to-accidentally-generate sequence of raw bytes anywhere inside an Ethernet frame.
The payload of a Magic Packet is exactly 102 bytes long, constructed with brutal simplicity:
- The Synchronization Stream: The first 6 bytes are pure hexadecimal FF (FF FF FF FF FF FF). This acts as the hardware trigger, telling the sleeping NIC: “Pay attention, a MAC address is coming.”
- The Target Lock: Immediately following the FFs, the sender takes the 6-byte MAC address of the sleeping target computer and repeats it exactly 16 times in a row.
If the sleeping NIC’s hardware logic gates scan the incoming electrical frame and detect its own MAC address repeated 16 times immediately following the sync stream, it turns the power on.
Manipulating the Topology
PPPoE
PPPoE, or Point-to-Point Protocol over Ethernet, is an encapsulation hack designed to solve a fundamental problem for ISPs: bringing dial-up style authentication and billing to modern, high-speed Ethernet networks. Because native Ethernet was built for local office environments and completely lacks the concept of user sessions or passwords, ISPs force your home router to establish a classic, secure PPP session and then essentially shove that entire connection inside a standard Ethernet frame. While this successfully grants the ISP the control they need to manage your internet access, it introduces a notorious engineering trap known as the MTU bottleneck. Because the PPPoE header steals exactly 8 bytes of space from the standard 1500-byte Ethernet payload, your router’s Maximum Transmission Unit is mathematically reduced to 1492 bytes; if a router is accidentally left at the default 1500 setting, it will send frames that are physically too large, causing the ISP’s hardware to silently drop them and leaving web pages endlessly hanging.
Spanning Tree Protocol (STP)
When building enterprise networks, physically connecting multiple switches together creates redundant paths that can instantly melt down the network with infinite broadcast storms. The IEEE solved this by introducing the Spanning Tree Protocol (STP), a hardware-level failsafe that mathematically maps the network to create a loop-free logical “tree”. When switches boot up, they hold an election to crown a single “Root Bridge” as the center of the network universe. Every other switch calculates the fastest physical path back to that root and intentionally blocks all remaining redundant cables by physically disabling the silicon transmit pins on those specific ports.
While STP perfectly prevents catastrophic loops, its classic 802.1D implementation is notorious among engineers for its agonizingly slow recovery time. If a primary cable is suddenly cut, the blocked backup port doesn’t instantly turn on to save the day; instead, it forces the network through a rigid 50-second state machine. The port cautiously moves from Blocking, to Listening for topology updates, to Learning new MAC addresses, and finally to Forwarding user data—guaranteeing absolutely no temporary loops form, but resulting in nearly a minute of total network downtime during a failover.
Multiple Registration Protocol (MRP)
Multiple Registration Protocol (MRP), which replaced Generic Attribute Registration Protocol (GARP), is a generic registration framework defined by the IEEE 802.1ak amendment to the IEEE 802.1Q standard. MRP allows bridges, switches or other similar devices to register and de-register attribute values, such as VLAN identifiers and multicast group membership across a large local area network.
