Introduction to Ethernet Networking

Questions and Answers

Which layer of the OSI model does Ethernet primarily operate in?

• Network Layer
• Data Link Layer (correct)
• Transport Layer
• Application Layer

The Preamble field is included in the Ethernet frame size calculation.

False (B)

What is the minimum Ethernet frame size in bytes?

64

Frames smaller than 64 bytes are known as a 'collision fragment' or __________ frame.

runt

Match the following sublayers with their IEEE standard:

LLC Sublayer = IEEE 802.2 MAC Sublayer = IEEE 802.3, 802.11, or 802.15

What is the main function of the LLC sublayer in Ethernet?

Identifying which network layer protocol is used in the frame (C)

The MAC sublayer is responsible for data encapsulation and media access control.

True (A)

What is the length of an Ethernet MAC address in bits?

48

What is the purpose of the Frame Check Sequence (FCS) trailer in an Ethernet frame?

To perform error detection (A)

The first 24 bits (3 bytes) of a MAC address called the ___________, which identifies the manufacturer.

organizationally unique identifier

Match the MAC address types with their description:

Unicast = Unique address for a single destination device Multicast = Address used to send frames to a group of devices Broadcast = Address used to send frames to all devices on the network

What is the destination MAC address for an Ethernet broadcast frame?

FF-FF-FF-FF-FF-FF (D)

A switch forwards a frame with a destination MAC address that is not in its MAC address table to only the intended port.

False (B)

What is the default refresh time for a MAC address entry in most Ethernet switches, in minutes?

5

Which switching method forwards the frame before it is entirely received?

Cut-through (B)

The store-and-forward switching method uses ___________ to verify frame integrity before forwarding.

CRC

Match the following duplex settings with their descriptions:

Full-duplex = Both ends can send and receive simultaneously Half-duplex = Only one end can send or receive at a time

What is the key characteristic of 'auto-MDIX' feature in modern switches?

Automatically detects and configures the interface based on the cable type (C)

MAC addresses are a Layer 3 (Network Layer) address.

False (B)

What type of address is used to send a packet from a source device to a destination device on a different network?

IP address

What does ARP do?

Associates IPv4 addresses with MAC addresses (B)

If a device cannot locate an IPv4 address in its ARP table, it initiates an ___ request.

ARP

ARP table entries are permanent and persist until manually removed by an administrator.

False (B)

What is a potential consequence of excessive ARP broadcasts on a local network?

Reduced network performance (D)

What type of attack exploits vulnerabilities in ARP to perform malicious actions?

ARP poisoning

Which MAC address represents a multicast address?

01-00-5E-XX-XX-XX (C)

Full-duplex communications require access control through CSMA/CD.

False (B)

Jumbo frames which contain more than ________ bytes are usually supported by Fast Ethernet and Gigabit Ethernet switches and NICs.

1500

In the context of Ethernet, what does 'unknown unicast' refer to?

A frame sent to a MAC address not present in the switch's MAC address table (B)

What command is used to re-enable the auto-MDIX feature on a Cisco switch interface?

mdix auto

Match the following Ethernet standards with their corresponding speeds:

Fast Ethernet = 100 Mbps Gigabit Ethernet = 1 Gbps 10 Gigabit Ethernet = 10 Gbps

Which of the following is a primary reason for using store-and-forward switching over cut-through switching?

To improve bandwidth efficiency by discarding frames with errors (D)

What is the significance of matching duplex and bandwidth settings between a switch port and a connected device?

Avoid performance issues

Which address is used to deliver frames from one NIC to another NIC on the same network?

MAC address (C)

The destination MAC address for communication with a device on a remote network is that of the device's ___________.

default gateway

ARP is used by IPv6 to associate the IPv6 address of a device with the MAC address of the device NIC.

False (B)

Which cut-through switching method performs an error check on the first 64 bytes of the frame?

Fragment-free switching (B)

In hexadecimal representation, what range of values can each byte (8 bits) assume?

00 to FF

Explain the concept of ARP spoofing with one short sentence.

Network attacker manipulates ARP by sending falsified ARP messages over a local area network, linking the attacker's MAC address with the IP address of a legitimate server or host on the network.

In a network using IPv6, where a host needs to determine the MAC address of another host on the same link, which protocol is used to perform this function?

NDP (Neighbor Discovery Protocol) (D)

Flashcards

Ethernet

A family of networking tech that operates in the data link and physical layers.

LLC Sublayer

Places information in the Ethernet frame to identify which network layer protocol is used.

MAC Sublayer

Responsible for data encapsulation and media access control; it provides data link layer addressing.

Ethernet Frame

The internal structure of the Ethernet frame.

Ethernet Addressing

Includes source and destination MAC addresses for frame delivery on the same LAN.

Frame Check Sequence (FCS)

A trailer used for error detection in Ethernet frames.

Ethernet Media Access

The IEEE 802.3 MAC sublayer's framework for various comms standards over different media.

Half-Duplex Medium

A shared communication medium using a bus topology or hubs.

Full-Duplex

Communications that allow devices to send and receive data simultaneously on Ethernet LANs.

Collision Fragment

Ethernet frame size that is considered too small and automatically discarded.

Jumbo/Baby Giant Frames

Ethernet frame sizes larger than the standard maximum.

Ethernet MAC Address

A 48-bit binary value expressed using 12 hexadecimal values to identify devices.

MAC Address

The address send frames within a LAN.

Organizationally Unique Identifier (OUI)

A unique 6 hexadecimal code assigned to vendors by the IEEE.

Unicast MAC Address

Delivers frames to a specific destination.

Multicast MAC Address

Received and processed by a group of devices that belong to the same group.

Broadcast MAC Address

Received and processed by every device on the Ethernet LAN.

MAC Address Table

A table on switches used to make forwarding decisions, is empty when a switch is turned on.

Switch Learning

Process where a switch examines the source MAC address and port number of incoming frames to learn new network information.

Switch Forwarding

When the destination MAC address is located in MAC address table it is forwarded to specified port.

Unknown Unicast

Switch sends the frame out all ports except the incoming port when the destination MAC address is not present in MAC address table.

Store-and-Forward Switching

Method where the switch receives the entire frame and computes the CRC before forwarding.

Cut-Through Switching

A methods that forwards the frame before it is received.

Fast-Forward Switching

Offers lowest level of latency by forwarding without receiving complete packet

Fragment-Free Switching

Compromise between store-and-forward and fast-forward.

Full-Duplex

Connections both send and receive simultaneously.

Half-Duplex

Connections operate one direction at a time

Autonegotiation

Allows devices to automatically negotiate the best speed and duplex capabilities.

Duplex Mismatch

Occurs when one port on link operates at half-duplex while other port operates at full-duplex

Auto-MDIX

Automatically detects cable type and configures the interfaces accoringly

MAC and IP Addresses

Two primary addresses assigned to device on an Ethernet LAN

Layer 2 Physical Address

Used NIC to NIC communications on the same Ethernet network.

Layer 3 Logical Address

Used to send packet from source device to ultimate destination device.

Address Resolution Protocol (ARP)

Protocol that helps determine the MAC address of device when its IPv4 Address is known.

ICMPv6

A method uses to associate the IPv6 address of a device with the MAC address of the device.

ARP Table

The storage of local IPv4 to Mac Address Mappings

ARP Spoofing

Network attact that spoofs threat actors, used for ARP poisoning attack

Study Notes

Introduction to Networking

• The presentation introduces Ethernet frames

Ethernet Encapsulation

• Ethernet operates at the data link and physical layers of the OSI model
• Ethernet is defined by IEEE 802.2 and 802.3 standards

Data Link Sublayers within Ethernet

• 802 LAN/MAN standards use two separate sublayers in the data link layer:
  • LLC Sublayer (IEEE 802.2) places information in the frame to identify the network layer protocol
  • MAC Sublayer (IEEE 802.3, 802.11, 802.15) handles data encapsulation, media access control, and data link layer addressing

MAC Sublayer Responsibilities

• The MAC sublayer handles data encapsulation (frames) and media access
• IEEE 802.3 Data encapsulation includes:
  • Ethernet frame structure
  • Source and destination MAC addresses to deliver the Ethernet frame between NICs on the same LAN
  • Frame check sequence (FCS) trailer for error detection

MAC Sublayer: Media Access

• The IEEE 802.3 MAC sublayer specifies different Ethernet communication standards using copper and fiber media
• Legacy Ethernet, which uses bus topology or hubs, is a shared, half-duplex medium using contention-based access (CSMA/CD)
• Modern Ethernet LANs use switches that operate in full-duplex mode
• Full-duplex communication with Ethernet switches does not need access control via CSMA/CD

Ethernet Frame Fields

• The minimum Ethernet frame size is 64 bytes, and the maximum is 1518 bytes (excluding the preamble field)
  • Frames less than 64 bytes are "collision fragments" or "runt frames" so they're discarded
  • Frames with more than 1500 bytes of data are considered "jumbo" or "baby giant frames"
• If a frame is smaller/larger than the limits, the receiving device drops it as it's considered invalid
• Jumbo frames are commonly supported by Fast Ethernet, Gigabit Ethernet switches, and NICs

MAC Address and Hexadecimal Representation

• MAC addresses are used at Layer 2 by switches for frame transmission in a LAN
• An Ethernet MAC address is a 48-bit binary value expressed using 12 hexadecimal values.
• 8 bits (one byte) can be represented in hexadecimal from 00 to FF.
• Leading zeroes are always displayed for 8-bit hexadecimal as such, 0000 1010 is represented in hexadecimal as 0A
• Hexadecimal numbers are represented with a 0x prefix in documentation (e.g. 0x73)
• They are also represented by a subcript 16, or the hex number followed by an H (e.g. 73H).
• Example of a MAC address: 00-B0-D0-63-C2-26
• Use IPCONFIG /ALL to view your PC's MAC address

Ethernet MAC Address Details

• In an Ethernet LAN, network devices connect to a shared medium; MAC addressing identifies devices at the data link layer (OSI model)
• Ethernet MAC address:
  • Is a 48-bit address using 12 hexadecimal digits (6 bytes)
  • Are unique
  • Ensure unique addresses, vendors register with IEEE to obtain a unique 6 hexadecimal (24-bit or 3-byte) code called the Organizationally Unique Identifier (OUI)
  • Includes a 6 hexadecimal vendor OUI code and a 6 hexadecimal vendor-assigned value

Frame Processing using MAC Addresses

• When forwarding a message, the Ethernet header includes a Source MAC address and a Destination MAC address
• When a NIC receives an Ethernet frame:
  • The destination MAC is checked against the physical MAC in RAM If it does not match, the device discards the frame If it matches, the device passes the frame to the OSI layers for de-encapsulation
• Ethernet NICs accept frames with a broadcast or multicast destination MAC address if a member
• All source/destination devices on an Ethernet frame have an Ethernet NIC; and therefore, a MAC address

Unicast MAC Addresses

• Unicast MAC addresses are unique addresses used for single-device to single-device frame transmission
• A source host uses a process known as Address Resolution Protocol (ARP) to determine the destination MAC address associated with an IPv4 address
• The process that a source host utilizes to determine the destination MAC address associated with an IPv6 address is known as Neighbor Discovery (ND)
• The source MAC address is always a unicast

Multicast MAC Address specifics

• Multicast MAC frames are received and processed by a group of devices in the same multicast group
• Encapsulated data destination MAC addresses:
  • IPv4 Multicast Packet: 01-00-5E
  • IPv6 Multicast Packet: 33-33
• Reserved Multicast Destination MAC addresses exist for non-IP data (i.e., Spanning Tree Protocol (STP))
• Multicast packets are flooded out of switch ports except for the incoming port, unless multicast snooping is configured
• Multicast addresses can only be the destination of a packet because they are a group address
• Multicast IP address requires a corresponding multicast MAC address

Broadcast MAC Address Overview

• Ethernet broadcast frames are received and processed by every device on the Ethernet LAN with features as follows.
  • It utilizes FF-FF-FF-FF-FF-FF in hexadecimal (48 ones in binary) as a destination MAC Address
  • All ethernet switch ports except the incoming port are flooded. It is not forwarded by a router.
  • IPv4 broadcast packets contain a destination IPv4 address with all ones (1s) in the host portion, so all hosts in the broadcast domain receive and process it

Switch Fundamentals and MAC Address Tables

• Layer 2 Ethernet switches use Layer 2 MAC addresses for forwarding decisions
• Switches are unaware of data type carried in the frame (IPv4 packet, ARP Message etc)
• Ethernet switches examine their MAC address table to make forwarding decisions
• Unlike legacy Ethernet hubs, switches don't just repeat bits out all ports (except the incoming port)
• MAC address tables are empty after being turned on
• The MAC address table is also called the Content Addressable Memory (CAM) table

Switch Learning and Forwarding - Source MAC Address Learning

• Each frame entering a switch is checked for new information by examining the source MAC address and the incoming port
• If the source MAC address is not in the table, it is added with the incoming port number
• If the source MAC address exists, the switch updates the refresh timer; Ethernet switches keep entries for 5 minutes by default
• Switches treat a source MAC that exists on a different port as a new entry, replacing with the more current port

Switch Learning and Forwarding - Destination MAC Address

• For a unicast address, a switch finds a match to the destination MAC in a MAC address table If in the table, the frame is forwarded out the specified port If not in the table, the switch forwards frame out all ports except for the incoming port, called an unknown unicast
• The frame is flooded out, as well as; if the destination MAC address is a broadcast/multicast

Filtering Frames in MAC Address Tables

• Switches populate MAC address tables and filter frames
• Switches populate their MAC address tables from source MAC addresses of incoming frames
• Switches filter the frame and forward out a single port using the destination MAC address

Frame Forwarding: Store-and-Forward

• The store-and-forward switching method receives the entire frame, computes the CRC (Cyclic Redundancy Check)
• If the CRC is valid, the switch finds the destination MAC address and forwards the fame out of the correct port

Frame Forwarding: Cut-Through

• Before it is entirely received, the frame is forwarded via the cut-through switching method
• The destination MAC address must be read

Store-and-Forward Switching Advantages

• Can find if a frame contains errors before propagation
  • Switch discards frames if errors are detected, reducing bandwidth consumption by corrupt data
• Required for Quality of Service (QoS) because it requires traffic prioritization through the analysis of converged networks (voice over IP)

Two variants of Cut-Through Switching

• Fast-forward switching:

  • Offers the lowest level of latency by immediately forwarding a packet that has had its destination address read
  • Starts forwarding before the packet is received resulting in some relayed packets containing errors and those are discarded the destination NIC

• Fragment-free switching:

  • Is a compromise between high integrity/high latency, with the low latency/reduced integrity
  • Compares against store-and-forward by storing and checking the first 64 bytes if the first 64 bytes contain a collision and if so errors have most often have occurred

Duplex and Speed Settings Important points

• Bandwidth ("speed") and duplex settings match between the switch port and connected devices
• Only one end of the a half-duplex connection can send
• Full-duplex connections are where both ends of connections send and receive simultaneously
• Autonegotiation automatically negotiates speed/duplex
• Gigabit Ethernet ports operate in full-duplex

Duplex Mismatch

• Exists when 10/100 Mbps Ethernet links operate at half-duplex while the other operates at full duplex
• Occurs when the autonegotiation process fails (ports reset)
• Happens when forgetful or unaware users reconfigure, but forget
• Best Practice includes having autonegotiation on/off
• Best practice is to configure both Ethernet switch ports as full-duplex

Auto-MDIX specific points

• Crossover/straight through cable use depended on the type of interconnecting devices
• A direct connection between a router and a host required cross-over cable
• Most switch devices support auto-MDIX medium-dependent interface crossover
• The switch identifies which cable is attached and configures according the interface Enabled by default with Cisco IOS Release 12.2(18)SE or later Can be re-enabled via the "mdix auto" interface configuration command

Addressing on the Same Network

• Two addresses:

  • Layer 2 physical address (MAC Address) is used for NIC to NIC communications on the same Ethernet network Layer 3 logical address (IP address) is used to send the packet from the source device to the destination device

• Layer 2 addresses are used to deliver frames from one NIC to another on the same network if they share a destination IP address then, the destination MAC will match the destination device

Addressing on a Remote Network

• When the destination IP is on a remote network, the destination MAC is that of the default gateway (the connected router).
• IPv4 uses ARP to associate the IPv4 address of a device with the MAC address of the device NIC.
• IPv6 uses ICMPv6 to associate the IPv6 address of a device with the MAC address of the device NIC.

ARP Details

• When a device uses ARP, it determines the destination MAC address of a local device when its IPv4 address is known
• Provides two basic functions:
  • Resolving IPv4 addresses to MAC addresses
  • Maintaining an ARP table of IPv4 to MAC address mappings

ARP Functionality

• A device searches for a destination IPv4 address and a corresponding MAC address in order to send a frame
  • If the packet is on the same network, the ARP table will be searched or the destination IPv4 address
  • If the destination IPv4 address is on a different network, the ARP table will be searched for the IPv4 address of the default gateway
  • If the device is located, its corresponding MAC address is used as the destination MAC address in the frame If there isn't a found ARP table entry, send an ARP request

Removing Entries from an ARP Table

• Are not permanent and are removed when an ARP cache timer expires (varies by OS)
• Entries can be manually removed by the administrator

ARP Issues and Broadcasting Details

• Devices on the local network will and receive and process ARP requests
• Excessive ARP broadcasts can cause a reduction in performance
• Attackers can spoof ARP replies and perform ARP poisoning attacks
• Enterprise level switches include mitigations to defend agains ARP attacks

Summary of Ethernet

• Ethernet operation
• How switches operate
• How the address resolution protocol enables communication on a network