Embedded Files
TCP/IP CHAPTER 3 – LINK LAYER
Ethernet & IEEE 802 Standards
If the Internet is a global highway system, Ethernet is the asphalt we drive on.
Originally designed for shared cables where everyone yelled over each other, it has evolved into the high-speed, dedicated fiber and copper infrastructure that powers every office and data center on the planet.
I. The Origin of the Species: DIX and 802.3
Ethernet wasn't born in a vacuum. It was a Big Three collaboration between Digital Equipment Corp, Intel, and Xerox (DIX) in 1980.
The Legacy: Originally 10Mb/s Ethernet.
The Transition: The IEEE (Institute of Electrical and Electronics Engineers) took the DIX standard, tweaked it slightly, and branded it IEEE 802.3.
The Evolution: We’ve gone from 3 Mb/s (research) → 10 Mb/s → 100 Mb/s (Fast Ethernet) → 1 Gb/s → 10 Gb/s → 100 Gb/s+
II. The Mechanics of Shared Ethernet (CSMA/CD)
In the early days, everyone was on the same wire.
Imagine a dinner party where only one person can talk at a time.
If two people speak at once, it’s noise. To fix this, Ethernet used CSMA/CD.
Breakdown of the Acronym:
Carrier Sense (CS): Listen before you speak. The station checks if there is an electrical signal on the wire.
Multiple Access (MA): Multiple computers are attached to the same physical medium.
Collision Detection (CD): If two stations talk at the same time, the signals overlap and collide.
What happens during a collision?
Both stations stop immediately.
They wait a random amount of time (Binary Exponential Backoff).
They try again.
After 16 failed attempts, they give up.
III. From Shared Cables to Switched Stars
The Shared model was messy.
As computers got faster, the collisions became a bottleneck.
The industry moved from a Bus Topology (one long cable) to a Star Topology (everyone plugs into a central hub/switch).
Analogy: Shared Ethernet is like a walkie-talkie (one person talks, others listen). Switched Ethernet is like a smartphone call (both can talk and listen at the same time without interference).
IV. The IEEE 802 Family Tree
While 802.3 is the king of wires, the IEEE 802 committee handles a whole neighborhood of standards. Interestingly, they all share a similar language (frame format), making it easy for them to talk to each other.
802.3 (Ethernet): The wired standard.
802.11 (Wi-Fi): Often called Wireless Ethernet. It borrows the 802.3 frame format but uses a different way to handle collisions (since you can't always hear everyone on a wireless frequency).
802.16 (WiMAX): For Metropolitan Area Networks (MANs).
802.21: Handles handoffs between different networks (like moving from Wi-Fi to a Cellular data network).
V. Key Takeaways for the Wire-Level Nerd
MAC Protocols: These are Media Access Control rules. CSMA/CD is a contention-based protocol (everyone fights for the wire).
Full-Duplex: This is the standard today. Because switches provide a dedicated path for each device, we no longer need CSMA/CD to manage collisions—there simply aren't any!
Frame Compatibility: The reason your laptop can switch from a Wi-Fi connection to an Ethernet cable without your browser crashing is that the higher-level protocols (TCP/IP) see the same basic frame structure regardless of the medium.
IEEE 802 LAN/MAN STANDARDS📡
The IEEE 802 family is basically the rulebook for how devices talk to each other in local and metropolitan areas.
If you are digging into malware analysis or reverse engineering network protocols, understanding these layers is like knowing how the envelope is constructed before you read the letter inside.
The IEEE 802 standards focus on the Data Link Layer (Layer 2) of the OSI model. However, they do something clever: they split Layer 2 into two distinct sublayers to make networking more flexible.
I. The LLC (Logical Link Control - 802.2)
Think of the LLC as the Universal Translator. Its job is to provide a common interface for the Network Layer (like IP) regardless of what kind of physical hardware you are using. Whether you are on a wired Ethernet connection or a Wi-Fi signal, the LLC makes sure the data looks the same to the layers above it. It handles:
Framing: Wrapping the data in a consistent format.
Error Control: Making sure bits didn't get fried during transmission.
II. The MAC (Media Access Control)
This is the Traffic Cop. This sublayer is hardware-specific. It determines how a device actually gains access to the physical medium (the wire or the radio waves) to send data. If you are reverse engineering a network driver, this is where you’ll spend most of your time.
THE HEAVY HITTERS: KEY STANDARDS
802.3 (Ethernet)
This is the king of wired networking. It was born from the original Ethernet II (also called the DIX format, named after DEC, Intel, and Xerox).
The Mechanic: It uses CSMA/CD (Carrier Sense Multiple Access with Collision Detection).
How it works: Devices listen for silence on the wire before talking. If two devices talk at once (a collision), they both stop, wait a random amount of time, and try again.
802.11 (Wi-Fi)
The standard for wireless LANs. Because radio waves are trickier than wires, it can't easily detect collisions while it's transmitting.
The Mechanic: It uses CSMA/CA (Collision Avoidance).
How it works: Instead of listening for a crash, it tries to avoid one altogether by sending a small signal to reserve the airtime before sending the actual data.
802.16 (WiMAX)
WiMAX is a high-speed wireless internet technology that works like long-range Wi-Fi to provide broadband over many miles.
This is for Metropolitan Area Networks (MANs).
Think of it like Wi-Fi on steroids.
It's designed to provide wireless internet access over long distances, like across an entire city, rather than just inside your house.
THE EVOLUTION OF THE FRAME
In the early days, there was a bit of a format war between the industry standard (Ethernet II) and the official IEEE standard (802.3).
Ethernet II (DIX): Uses a Type field to tell the receiver what kind of protocol is inside (like IPv4 or IPv6).
Original 802.3: Replaced that Type field with a Length field and added the 802.2 LLC header to handle the protocol identification.
The Fix: This caused major compatibility issues for years. Finally, the 802.3x (2008 revision) unified them. Now, if the value in that field is 1536 or greater, it's treated as a Type (Ethernet II style). If it's less, it's treated as a Length (802.3 style).
TCP/IP ENCAPSULATION: THE RULES OF THE ROAD
To keep everything organized, we use RFCs (Request for Comments) to define how IP packets should be stuffed into these frames:
Why This Matters for You
When you are learning reverse engineering, especially when looking at how malware phones home to a C2 server, you need to know why a packet looks the way it does.
Consistency: Because of these standards, an IP datagram doesn't care if it's traveling over a fiber optic cable or a coffee shop's Wi-Fi. The LLC keeps the interface consistent.
Flexibility: It allows the tech to evolve. We moved from 10Mbps Ethernet to 100Gbps Ethernet, and from 802.11b to 802.11ax, without having to reinvent how the internet (IP) works. Everything just plugs into the existing 802 framework.
✅ Key Takeaway
The IEEE 802 standards family provides the link-layer foundation for TCP/IP, ensuring interoperability across Ethernet, Wi-Fi, and MAN technologies.
The evolution from Ethernet II → 802.3 → unified formats highlights how the Internet adapted to diverse hardware while keeping IP encapsulation consistent.
THE ETHERNET FRAME FORMAT
If a raw bitstream is a continuous wall of text with no spaces or punctuation, the Ethernet Frame is what carves it into sentences.
Or
It provides the envelope that tells the receiver exactly where a message starts, who it’s for, and if it got banged up during transit.
THE OVERLOADED TYPE/LENGTH FIELD (2 BYTES)📦
The Dual Personality of the EtherType Field
In the early days of networking, two different groups had two different ideas for how to label a data packet.
Instead of fighting forever, they eventually agreed on a magic number system that allows both styles to live in the same wire.
I. The Length Interpretation (IEEE 802.3)
If the value in this field is 1500 or less, the frame is following the IEEE 802.3 standard.
What it means: The number tells the receiving hardware exactly how many bytes of data are in the payload.
The Logic: This was designed to be self-describing. If the field says 0x0050 (which is 80 in decimal), the computer knows to read exactly 80 bytes and then stop.
The Catch: Because this field is used for Length, it doesn't tell you what kind of data is inside (like IPv4 vs. IPv6). To figure that out, you have to look further into the packet at the 802.2 LLC header.
II. The Type Interpretation (Ethernet II / DIX)
If the value is 1536 or greater ($0x0600$ in hex), the frame is following the Ethernet II (or DIX) format.
What it means: The number acts as an identifier for the protocol inside. It doesn't care about the length; it cares about the content type.
Common Identifiers:
0x0800: This is IPv4.
0x86DD: This is IPv6.
0x0806: This is an ARP request (Address Resolution Protocol).
Why we use it: This is the format that TCP/IP prefers. It's faster because the computer immediately knows which mailbox to send the data to (the IPv4 handler or the IPv6 handler) without having to peel back extra LLC layers.
III. Why the Gap Matters
You might notice there’s a weird no-man's land between 1500 and 1536.
1500 is the maximum size of a standard Ethernet payload (the MTU).
1536 (0x0600) was chosen as the starting point for Types to ensure there was never any overlap.
Because of this gap, there is zero ambiguity. If a network card sees 0x0800, it knows that 2048 > 1536, so it must be an IPv4 Type. If it sees 0x0020, it knows 32≤1500 , so it must be a Length.
IV. The Historical Why
This happened because of a classic industry split:
The IEEE wanted a very formal, structured way to handle any kind of traffic (802.3). They prioritized knowing the exact size of the data.
2. The TCP/IP Engineers (Digital, Intel, Xerox) wanted speed and simplicity. They wanted to know the Type of data immediately so they could process it faster.
Eventually, the IEEE realized that the Type method was winning in the real world. In the 802.3x-1997 amendment, they officially acknowledged both uses. Today, your NIC (Network Interface Card) just checks the number and switches gears automatically.
V. Quick Reference Table
VI. The Shipping Box Analogy
Think of it like a label on a cardboard box:
Small Numbers (Weight): You see the number 50. You assume this means the box weighs 50 pounds. You don't know what's inside yet, but you know how heavy it is. (Length)
Large Numbers (Category): You see the number 9000. Nobody has a box that weighs 9000 pounds, so you realize it's a code. You look at your clipboard and see that 9000 = Electronics. Now you know exactly what is inside without weighing it. (Type)
VII. Common EtherType Hex Values
To identify what's inside the frame, we look for these specific magic numbers:
0x0800: Internet Protocol version 4 (IPv4)
0x86DD: Internet Protocol version 6 (IPv6)
0x0806: Address Resolution Protocol (ARP)
0x8100: VLAN Tag (Used to segment networks virtually).
THE PAYLOAD AND THE SAFETY CHECK
After the header comes the Meat of the frame.
Data (Payload): This is where your IP packet lives. Usually, this is between 46 and 1500 bytes.
Padding: Ethernet has a minimum size requirement. If your data is too small (like a tiny Yes or No packet), Ethernet will stuff it with extra zeros to make sure the frame is long enough for the hardware to detect collisions properly.
Frame Check Sequence (FCS): A 4-byte CRC32 (Cyclic Redundancy Check). The sender runs a math formula over the whole frame and sticks the result at the end. The receiver runs the same math; if the numbers don't match, the frame is corrupt and gets tossed in the digital trash bin.
MODERN ADDITIONS: TAGS AND EXTENSIONS
As networking grew up, the frame had to grow too.
VLAN Tags (802.1Q): These are inserted right after the Source Address. They allow a single wire to carry traffic for multiple Virtual networks, keeping the Accounting department's data away from the Guest Wi-Fi.
Carrier Extension: In high-speed half-duplex networks, extra bits are sometimes tacked onto the end of short frames just to keep the wire busy long enough for collision detection to work.
ETHERNET ENVELOPE FRAMES & CRC
Two important details in Ethernet’s evolution: envelope frames (extended frame formats with tags) and the Frame Check Sequence (CRC) for error detection. Let’s break them down clearly:
📨 Envelope Frames (802.3-2008)
Traditional Ethernet MTU: 1500 bytes payload.
Envelope frames: allow up to 2000 bytes total length.
Purpose: carry extra tags (metadata) alongside the payload.
Q-tagged frames: a common type of envelope frame, used for VLAN tagging (802.1Q) and priority tagging (802.1p).
Not all envelope frames are Q-tagged, but all Q-tagged frames are envelope frames.
👉 Think of envelope frames as oversized shipping boxes that can carry both the package (payload) and extra labels (tags).
🔑 Frame Check Sequence (CRC32)
Final field in the Ethernet frame.
32-bit CRC (Cyclic Redundancy Check).
Detects transmission errors by performing modulo-2 division with a standardized generator polynomial.
For Ethernet, the polynomial is:
Process:
Sender appends 32 zero bits to the message.
Divides the augmented message by the polynomial (mod-2).
Takes the remainder, flips it (one’s complement), and places it in the CRC field.
Receiver repeats the division → if remainder matches, frame is valid; if not, frame is discarded.
👉 Analogy: CRC is like a tamper seal on a package. If the seal doesn’t match when checked, you know the box was damaged in transit.
⚙️ Example (CRC4 Simplified)
Sender Side: Generating the CRC
1. Append Zeroes: Take the message 1001111000101111 and add 4 zeroes (because the polynomial 10011 is 5 bits long, meaning a 4th-degree polynomial). Result: 1001111000101111****
2. Perform XOR Division: Divide the extended message (10011110001011110000) by the polynomial (10011) using binary XOR long division.
3. Get Remainder (CRC): The remainder of this division is. This is your CRC checksum.
4. Form Transmitted Message: Replace the 4 appended zeroes in the extended message with the calculated CRC (). Transmitted Message: 1001111000101111****
Receiver Side: Checking for Corruption
1. Receive Message: The receiver gets the entire transmitted message: 10011110001011111111.
2. Perform XOR Division (Again): Divide this entire received message by the same polynomial (10011) using binary XOR long division.
3. Check Remainder:
If the remainder is (all zeroes): The data is likely uncorrupted. This is where One's complement: 0000 comes in, as it's the expected result for a good message.
If the remainder is anything other than: A mismatch occurs, meaning the message is corrupted.
✅ Key Takeaway
Envelope frames extend Ethernet’s capacity to carry tags (VLANs, priorities).
CRC32 provides a strong integrity check, ensuring corrupted frames don’t propagate.
Together, they make Ethernet both flexible (tags) and robust (error detection).
I. MINIMUM FRAME SIZE
64 bytes total (including header + CRC).
Payload must be at least 48 bytes (without tags).
If payload is smaller → pad bytes (zeros) are added.
Why 64 bytes?
Original 10 Mb/s Ethernet used CSMA/CD (Carrier Sense Multiple Access with Collision Detection).
Minimum frame size ensures that a transmitting station is still sending when a collision is detected.
With max cable length (2500m) and propagation speed (~0.77c), the 64-byte frame guarantees collision detection before transmission ends.
If collision occurs → station sends a jamming signal and initiates binary exponential backoff.
II. MAXIMUM FRAME SIZE
1518 bytes (includes 14-byte header + 4-byte CRC).
Payload (MTU) = 1500 bytes.
Trade-off:
If error occurs → only 1.5 KB retransmitted.
Larger messages (e.g., 64 KB TCP segment) require multiple frames (≈44 frames).
⚡ Efficiency Considerations
Each frame has fixed overhead:
14-byte header.
4-byte CRC.
8-byte preamble + SFD.
12-byte inter-packet gap (IPG).
Efficiency at most:
JUMBO FRAMES
Jumbo frames are essentially larger than Ethernet Frames. Think of an Ethernet frame as a package of data that gets sent across a network.
Normally, a standard Ethernet frame has a maximum size of about 1518 bytes (including headers and trailers). Jumbo frames significantly extend this.
They can typically carry up to 9000 bytes of payload data, plus the usual Ethernet overhead. This makes them nonstandard because they exceed the traditional Ethernet specification.
Used in Gigabit Ethernet switches for high-throughput environments.
Improves efficiency for large data transfers (less overhead per byte).
Super jumbo frames are 9000 bytes (rare, specialized).
Caution → not interoperable with legacy equipment limited to 1518 bytes.
✅ Key Takeaway
Minimum size (64 bytes) → ensures reliable collision detection in CSMA/CD.
Maximum size (1518 bytes) → balances retransmission cost and efficiency.
Jumbo frames (9000 bytes) → boost efficiency for modern high-speed networks, but require compatible infrastructure.
LINK LAYER NOTES — VLANS AND QOS
We begin with a critical look at the Link Layer, focusing on how large-scale switched Ethernet networks are managed using Virtual LANs (VLANs) and Quality of Service (QoS).
VIRTUAL LANs (IEEE 802.1Q)
At first glance, interconnecting every computer on a site into one massive Ethernet LAN sounds efficient. In practice, it leads to serious problems:
Broadcast storms that waste bandwidth
Security risks, since all hosts share the same broadcast domain
Poor scalability
To address these issues, the IEEE introduced the 802.1Q VLAN standard.
1. The Core Concept
A VLAN allows a single physical switch to behave as multiple, isolated logical switches.
Key properties:
Isolation - Traffic from one VLAN cannot leak into another VLAN at Layer 2.
Separate broadcast domains - Broadcasts are confined to their VLAN, preventing network-wide flooding.
Routing requirement - If Host A (VLAN 10) needs to communicate with Host B (VLAN 20), the traffic must be routed by a Layer 3 device—even if both hosts are plugged into the same physical switch.
In effect, VLANs impose Layer 3 boundaries on a Layer 2 network.
2. VLAN Mapping Methods
A switch must determine which VLAN an incoming frame belongs to. This can be done in several ways:
Port-based VLANs (most common)
The administrator assigns a physical port to a VLAN.
Anything plugged into that port automatically becomes part of the assigned VLAN.
MAC-address-based VLANs
The switch maps source MAC addresses to VLANs using an internal table.
This allows devices to retain VLAN membership even when moved between ports.
IP-address-based VLANs
VLAN membership is determined using Layer 3 information.
This method is rare and requires deeper packet inspection.
TRUNKING AND THE VLAN TAG
When a VLAN must span multiple switches, the switches must preserve VLAN identity across inter-switch links.
This is accomplished using trunking.
A trunk link carries traffic from multiple VLANs simultaneously, which requires frames to be explicitly labeled.
This labeling is done using the 802.1Q VLAN tag.
1. The 802.1Q Header Structure
The 802.1Q VLAN tag is a 32-bit (4-byte) field inserted into the Ethernet frame immediately after the Source MAC address.
To signal the presence of a VLAN tag, the frame uses a special EtherType value of 0x8100.
VLAN Tag Fields
The VLAN ID (VID) is the most important field: it tells the receiving switch which VLAN the frame belongs to.
Access Ports vs. Trunk Ports
Access ports connect to end devices such as PCs, printers, and servers.
Frames transmitted through access ports are untagged, and VLAN membership is determined by the port’s configuration.
Trunk ports
Connect switches to other switches or routers
Frames are 802.1Q tagged
Multiple VLANs share a single physical link
End hosts never see VLAN tags; only networking devices process them.
QUALITY OF SERVICE (IEEE 802.1P)
The 802.1p standard, now incorporated into 802.1Q, provides traffic prioritization at Layer 2 (Data Link Layer).
This mechanism allows network devices such as switches to handle time-sensitive traffic more efficiently by assigning priority levels to frames.
It is especially important for latency-sensitive applications like VoIP (Voice over IP) and video streaming, where delays or packet loss can significantly affect performance.
PRIORITY LEVELS
The Priority Code Point (PCP) field uses 3 bits, allowing for 8 Classes of Service (CoS), ranging from 0 to 7. Each value represents a different priority level used by switches to decide which traffic to forward first.
Class 0 — Best-effort traffic (default for normal data like web browsing)
Class 7 — Highest priority (used for network control traffic and routing updates)
Intermediate values (1–6) are typically assigned to:
Voice traffic (higher priority to reduce delay)
Video traffic (to maintain smooth playback)
Critical business applications (to ensure reliability)
NOTE: 802.1p can operate without full VLAN segmentation by setting the VLAN ID (VID) to 0. This is known as priority tagging, where frames carry priority information without being assigned to a specific VLAN.
LINUX IMPLEMENTATION: VCONFIG
Linux systems support VLAN configuration through tools such as vconfig, which allows administrators to directly manipulate VLAN tags.
Using vconfig, you can:
Create virtual VLAN interfaces linked to a physical network interface
Assign specific VLAN IDs to these interfaces
Enable systems to handle traffic from multiple VLANs on a single network card
This is particularly useful in server environments where one machine needs to communicate across multiple VLANs efficiently.
Common Commands
I. Add a VLAN - Creates a virtual interface for VLAN 2 on physical interface eth1.
II. Remove a VLAN
Naming Conventions
By default, Linux names VLAN interfaces using the format:
Example:
This naming scheme can be customized (e.g., vlan0002) depending on system configuration.
🔗 802.1AX LINK AGGREGATION
I. The Definition: Power in Numbers
Link Aggregation (also known as NIC Teaming or Port Trunking) is the process of bonding multiple physical network interfaces into one single logical link. To the operating system, it looks like one giant network card with one IP address.
What it Provides:
Reliability (Redundancy): If you have four cables plugged in and someone trips over one, the connection doesn't drop. The traffic just shifts to the remaining three cables instantly.
Performance (Bandwidth): It uses load balancing to stripe traffic across all available links. If you bond four 1Gbps ports, you don't necessarily get a single 4Gbps stream, but you can handle 4Gbps of total throughput across multiple conversations.
The Rulebook: It was originally part of 802.3ad, but it was moved to its own dedicated standard: IEEE 802.1AX (2008).
II. LACP: The Negotiator
The Link Aggregation Control Protocol (LACP) is the brain that makes sure both ends of the cables are on the same page. Without it, you’d have to manually configure every port, which is a recipe for a network loop.
How it Works:
LACPDUs: Devices send special Ethernet frames called Link Aggregation Control Protocol Data Units. These are like handshake packets sent to a specific multicast MAC address (01:80:C2:00:00:02).
The Roleplay: One side is the Actor (the one initiating) and the other is the Partner (the one responding).
The Data Exchange: They swap critical info like:
System ID: Usually the MAC address + a priority value.
Operational Key: A number that identifies which ports are allowed to group together.
Port ID: To keep track of the specific physical hardware.
The LAG: If the keys and settings match on both ends, the ports are bundled into a Link Aggregation Group (LAG).
III. The Big Benefits (and Constraints)
Cost-Effective Scalability: Instead of buying an expensive 10Gbps switch and new NICs for all your servers, you can just plug in two or four 1Gbps cables you already have.
Broad Support: You’ll find this on high-end Ethernet switches and it's natively supported by most server OSs (Windows Server, Linux, ESXi).
Homogeneity Requirement: You can't usually mix and match. The links typically need to be the same speed (all 1Gbps), the same duplex mode (Full Duplex), and often connected to the same physical switch (unless using advanced tech like vPC or MLAG).
IV. Linux Implementation: The Bonding Driver
In the Linux world, this is handled by the bonding kernel module. If you were reverse engineering a Linux-based firmware, you’d likely see these configurations in /etc/network/interfaces or via nmcli.
There are different modes for how the traffic is handled:
Mode 0 (balance-rr): Round-robin. Packs are sent sequentially (1, 2, 3, 4) across the links. Great for bandwidth but can cause out-of-order packets.
Mode 1 (active-backup): Only one link is alive. If it dies, the backup takes over. Safe, but doesn't increase speed.
Mode 4 (802.3ad): This is the LACP mode we talked about. It requires a switch that supports LACP.
Loads bonding driver.
Creates bond0 interface with IP info.
eth0 and wlan0 enslaved under bond0.
bond0 = MASTER, slaves = SLAVE.
Traffic sent via bond0 distributed across slaves depending on bonding mode.
V. Bonding Modes in Linux
Round-robin → packets sent alternately across interfaces.
Active-backup → one interface active, others standby (high availability).
XOR (MAC-based) → traffic pinned to interface based on MAC source/destination.
Broadcast → frames copied to all interfaces (fault tolerance).
802.3ad (LACP) → dynamic aggregation with switch support.
Advanced load-balancing → minimizes reordering, balances flows.
VI. Use Cases
High availability → failover if one link fails.
Load balancing → distribute traffic across multiple NICs.
Enterprise networks → aggregate switch ports for bandwidth.
Data centers → redundancy + throughput scaling.
✅ Key Takeaway
802.1AX link aggregation allows multiple physical links to act as one logical interface, improving bandwidth, reliability, and scalability.
LACP automates grouping.
Linux bonding driver supports multiple modes for different needs (performance vs fault tolerance).
ETHERNET EVOLUTION
Originally, Ethernet operated in half-duplex mode:
Shared medium (single coaxial cable or hub-based network) → all devices used the same communication channel.
Only one station could transmit at a time → if two devices transmitted simultaneously, a collision occurred.
Required CSMA/CD (Carrier Sense Multiple Access with Collision Detection) → devices listened before transmitting and detected collisions to retransmit data.
Network performance decreased as more devices were added → higher collision probability meant lower efficiency.
With the introduction of switched Ethernet:
Each device connects to a dedicated switch port → eliminates shared collision domains.
Multiple independent links → several pairs of devices can communicate at the same time without interfering with each other.
Full-duplex communication introduced → devices can send and receive simultaneously on separate transmit and receive paths.
CSMA/CD is no longer required → collisions do not occur in full-duplex switched environments.
Improved performance and bandwidth utilization → each link gets the full available bandwidth.
Greater scalability and support for higher speeds (Fast Ethernet, Gigabit, and beyond).
🔑 Key Features
Full Duplex
Data can be transmitted and received at the same time on the same link.
Separate transmit and receive paths eliminate shared media conflicts.
No collisions occur → CSMA/CD is not needed.
Results in higher efficiency and full utilization of link bandwidth.
Autonegotiation (802.3u)
Network interfaces automatically exchange their supported capabilities.
They agree on the best common settings (speed and duplex mode).
Operates at the physical layer using Fast Link Pulses (FLPs).
Example: A NIC and switch port negotiate whether to use 10, 100, or 1000 Mbps, and whether to operate in half-duplex or full-duplex mode.
Prevents configuration mismatches and improves compatibility.
Power Save (Wake-on-LAN / Wake-on features)
The Network Interface Card (NIC) can remain partially powered while the system is in sleep or low-power mode.
The NIC monitors the network for specific packets (e.g., a magic packet).
When the correct packet is received, the system automatically wakes up.
Helps reduce energy consumption while maintaining remote accessibility.
802.1X Flow Control
Provides authentication before a device is allowed to access the network.
Works at the switch port level (port-based control).
Only authenticated devices are granted normal network access.
Commonly integrated with RADIUS servers in enterprise environments.
Enhances security by preventing unauthorized devices from connecting.
📊 Linux Example (ethtool)
eth0: Half-duplex, 10 Mbps, supports autonegotiation.
eth1: Full-duplex, 100 Mbps, supports autonegotiation, wake-on features.
ethtool shows:
Supported link modes.
Current speed/duplex.
Autonegotiation status.
Wake-on capabilities.
Windows Example
Access via Control Panel → Network Connections → Properties → Configure → Advanced tab.
📌 Options include:
Speed & duplex (manual or autonegotiation).
Flow control.
Wake-on-LAN.
VLAN tagging (802.1p/q).
✅ Key Takeaway:
Modern Ethernet interfaces support full duplex, autonegotiation, power-saving features, and 802.1X flow control.
Tools like ethtool (Linux) or adapter properties (Windows) let you inspect and configure these features.
DUPLEX MISMATCH — WHY IT HURTS PERFORMANCE
A duplex mismatch happens when one end of a link (say, your computer) is set to full-duplex and the other end (say, the switch port) is set to half-duplex.
This often occurs when autonegotiation is disabled on one side but not the other, or when manual settings don’t match.
What Happens in a Duplex Mismatch
Half-duplex side: expects collisions and uses CSMA/CD (Carrier Sense Multiple Access with Collision Detection).
Full-duplex side: assumes it can send and receive simultaneously without collisions.
When traffic flows both ways under load:
The half-duplex side sees incoming traffic while sending → treats it as a collision.
It triggers exponential backoff (delays retransmission).
Packets are lost → higher-layer protocols like TCP must retransmit.
Result: connection doesn’t fail outright, but throughput drops dramatically.
⚙️ Symptoms (Duplex Mismatch)
I. Works fine under light load (few collisions).
When traffic is minimal (e.g., simple browsing or small data transfers), the problem may not be obvious.
Because little data is being transmitted, collisions and retransmissions are limited, so the network appears to function normally.
II. Severe performance degradation under heavy bidirectional traffic
(large file transfers, backups, streaming).
When both devices try to send significant amounts of data at the same time, the mismatch becomes visible.
The full-duplex side sends continuously, while the half-duplex side expects collision detection.
This results in late collisions, frame errors, and retransmissions, causing very slow speeds and unstable performance.
III. Can be tricky to diagnose because the link stays up.
The physical connection remains active (link light is on), and devices show as connected.
There is no complete link failure — only poor performance — which makes troubleshooting more difficult.
🛠️ How to Avoid It
I. Always use autonegotiation on both ends
Modern hardware handles this well.
Modern switches and NICs correctly negotiate speed and duplex settings automatically.
Leaving both sides on autonegotiation prevents mismatched configurations in most cases.
II. If you must configure manually, ensure both ends match (full/full or half/half).
If one side is manually set to full duplex and the other remains auto (or defaults to half duplex), a mismatch can occur.
Always verify both sides are configured identically.
III. Network analysis tools can sometimes detect duplex mismatches by monitoring collision patterns.
High late-collision counts, frame check sequence (FCS) errors, and excessive retransmissions are common indicators that help identify a duplex mismatch during monitoring.
✅ Key Takeaway
A duplex mismatch is like two people using walkie-talkies with different expectations, one thinks both can talk and listen at the same time (full duplex), while the other believes only one person can speak at a time (half duplex).
Communication still happens, but it becomes inefficient, error-prone, slow, and frustrating.
WAKE-ON LAN (WOL)
Purpose → Wi-FI/Ethernet standard that allows a computer or Network Interface Card (NIC) to wake from a low-power state when a specific network packet is received.
Wake-on-LAN is a power management feature that enables a computer to be turned on or awakened remotely over a network connection.
Even when the system is shut down or in sleep/hibernate mode, the NIC remains partially powered so it can continue listening for a special signal.
How it works:
The NIC stays in a low-power listening mode.
It monitors incoming network traffic.
When it detects a specially formatted packet called a magic packet, it triggers the system to power on or wake up.
The magic packet contains the target device’s MAC address repeated multiple times for identification.
Why it is used:
Remote system administration (IT support can power on machines after hours).
Performing updates, backups, or maintenance during off-hours.
Energy efficiency, systems can remain powered off when not in use but still be remotely accessible.
Key Idea:
Wake-on-LAN allows centralized, remote control of device power states without requiring someone to physically press the power button.
Trigger types (Linux, via ethtool):
p → any physical-layer activity.
u → unicast frames destined for the station.
m → multicast frames.
b → broadcast frames.
a → ARP frames.
g → magic packet frames.
s → magic packet frames with password.
Example:
Configures NIC eth0 to wake on unicast, multicast, magic packet, or broadcast frames.
Windows → similar capability, but UI typically exposes only magic packets and a subset of u/m/b/a triggers.
Magic Packets
Special Ethernet frames (often sent inside UDP packets) designed specifically to wake a computer using Wake-on-LAN (WoL). The network interface card (NIC) listens for this unique pattern even when the system is in a low-power state.
I. Structure:
6 bytes of 0xFF → This acts as a synchronization stream, marking the beginning of the magic packet.
Target MAC address repeated 16 times → The destination device’s MAC address is repeated consecutively to ensure accurate identification. If the NIC detects its own MAC address in this pattern, it triggers the wake-up process.
Often encapsulated in a UDP broadcast frame.
The magic packet is commonly sent as a broadcast so it reaches all devices on the local network segment. Only the NIC with the matching MAC address responds.
Arbitrary UDP port numbers may be used (commonly 7 or 9, but not required).
There is no strict port requirement for Wake-on-LAN. Ports 7 (Echo) and 9 (Discard) are traditionally used, but the NIC primarily looks for the magic packet pattern itself, not a specific port number.
II. Example (Linux wol tool):
Generates a magic packet for the NIC with MAC 00:08:74:93:C8:3C.
Captured in Wireshark, the payload looks like:
III. Power-Saving Integration⚡
NICs and operating systems (Linux, Windows) allow configuration of which packet types trigger wake-up.
Useful for remote management, scheduled updates, and energy savings in enterprise environments.
WoL can be abused if attackers send spoofed magic packets, so it’s often restricted to trusted networks.
WoL enables remote wake-up from sleep states using network traffic.
Magic packets are the most common trigger, defined by a simple repeated MAC pattern.
Linux offers fine-grained control over wake triggers, while Windows primarily focuses on magic packets.
While powerful for management and energy efficiency, WoL requires careful security controls to prevent misuse.
BRIDGES AND SWITCHES (IEEE 802.1D)
The IEEE 802.1D standard defines the operation of bridges, and by extension Ethernet switches, which are essentially high-performance, multiport bridges.
Bridges and switches are used to interconnect multiple physical link-layer networks (for example, separate Ethernet segments) into a single extended LAN.
At a basic level, a bridge joins two or more LAN segments and forwards frames between them based on MAC addresses, operating entirely at Layer 2.
I. Extended LANs and Switch Interconnection
A simple extended LAN can be formed by interconnecting two switches. In this configuration:
Each switch connects a group of end systems (clients, servers, etc.)
The switches themselves are connected via a link
The entire setup behaves as a single logical Ethernet LAN
Every network element—including each switch, has its own MAC address.
End hosts are unaware that multiple switches exist; from their perspective, they are simply connected to Ethernet.
II. Learning and Filtering Databases
Switches do not require manual configuration to determine where stations are located. Instead, they use a process called learning.
Learning Process
When a switch receives a frame:
It examines the source MAC address
It records the MAC address and the port on which the frame arrived
This information is stored in a filtering database (also called a forwarding table)
Each entry maps: MAC address → switch port
These databases are maintained per port, and in VLAN-enabled networks, possibly per VLAN.
Over time, as frames flow through the network, the switch learns the location of all reachable stations.
Example: Learned Databases
Once learning is complete:
Switch A knows which ports lead to local stations and which port leads to Switch B
Switch B similarly knows how to reach stations connected to Switch A
As a result, frames are forwarded only where needed, instead of being broadcast everywhere.
III. Flooding Behavior and Optimization
When a switch is first powered on, its filtering database is empty. In this state:
The switch does not know where destination MAC addresses are located
Any frame destined for an unknown MAC address is flooded
Flooding means the frame is sent out every port except the one it arrived on
Flooding guarantees delivery but is inefficient.
The learning mechanism dramatically reduces this overhead and is a core feature of Ethernet switching.
Importantly, learning is a performance optimization, not a correctness requirement.
Even with empty tables, the network still functions, just less efficiently.
IV. Software Bridges in Operating Systems
Modern operating systems can act as Layer 2 bridges.
Windows Bridging
In Windows:
Multiple network interfaces can be bridged through the Network Connections control panel
Once bridged, a new bridge device appears
Most network configuration options move from the individual interfaces to the bridge itself
The bridge behaves like a virtual switch inside the OS.
Linux Bridging
Linux provides bridging functionality via the brctl utility.
Consider a Linux system with two Ethernet interfaces acting as a bridge between two LAN segments.
Creating the Bridge
This creates a bridge device named br0 and attaches interfaces eth0 and eth1 to it.
Interfaces can be removed later using:
V. Inspecting the Forwarding Database
Linux refers to filtering databases as forwarding databases (FDBs).
To view bridge status:
To inspect learned MAC addresses:
This output shows:
MAC addresses learned by the bridge
The port through which each MAC is reachable
Whether the MAC address is local to the bridge
The ageing timer for each entry
VI. Ageing and MAC Address Mobility
MAC address mappings cannot be assumed to remain correct forever. Devices may:
Move to different ports
Be replaced
Change network interfaces
To handle this, each learned MAC address is associated with an ageing timer.
If a MAC address is not seen again before the timer expires, the entry is removed
Default ageing time is typically 300 seconds (5 minutes)
In Linux, the ageing time can be adjusted:
When an entry expires:
Frames destined for that MAC are once again flooded
The correct mapping is relearned when traffic resumes
VII. Flooding, Loops, and the Next Problem
Flooding works correctly only if the network topology has no loops.
When multiple bridges are interconnected with redundant links, flooding can cause frames to:
Circulate indefinitely
Multiply exponentially
Bring the network to a halt
This situation leads to a broadcast storm.
To prevent this, Ethernet requires a loop-avoidance mechanism, this is the motivation for the Spanning Tree Protocol (STP), which is the next major topic.
SPANNING TREE PROTOCOL (STP)
Bridges and switches usually work together rather than alone.
When multiple switches are connected, particularly if there are redundant paths, there is a risk of creating Layer 2 loops.
Unlike routers, which use a hop count (TTL) to eventually discard packets, switches forward Ethernet frames endlessly.
This means that if a loop exists, frames can circulate repeatedly, multiplying with each pass and potentially overwhelming the network.
I. The Problem: Loops and Broadcast Storms
Consider a network with multiple switches connected by redundant paths.
When the switches are first powered on:
Their forwarding (filtering) databases are empty
Unknown-destination frames are flooded
Each switch replicates frames out all ports except the incoming one
In a looped topology, this leads to:
Frame amplification (one frame becomes many)
Frames circulating endlessly
Forwarding databases oscillating as switches see the same source MAC on different ports
A broadcast storm that can overwhelm the network
Without a loop-prevention mechanism, Ethernet switching would be unusable in any non-trivial topology.
II. The Solution: Spanning Tree Protocol
The Spanning Tree Protocol (STP) exists to prevent Layer 2 loops while still allowing redundancy.
STP works by:
Disabling certain switch ports
Ensuring there is only one active path between any two switches
Preserving connectivity so all stations remain reachable
The result is a loop-free logical topology built on top of a potentially looped physical topology.
III. What Spanning Tree Means
In graph-theory terms:
Switches are nodes
Links between switches are edges
A spanning tree:
Includes all nodes in the graph
Uses only some of the edges
Has no loops
Guarantees exactly one path between any two nodes
There can be many possible spanning trees for a given network.
STP selects one and enforces it by blocking ports.
IV. Port States and Frame Forwarding
Once STP converges:
Only links that are part of the spanning tree are used for forwarding
All other redundant links are blocked
Frames are forwarded only along tree paths
This eliminates:
Frame amplification
Infinite looping
Broadcast storms
If a link or switch fails, STP can recompute the tree and activate previously blocked ports, restoring connectivity.
V. Distributed Operation and Adaptation
STP is a distributed protocol:
Every bridge runs the algorithm independently
Bridges exchange special control frames called Bridge Protocol Data Units (BPDUs)
BPDUs are used to:
Elect a root bridge
Discover topology
Maintain the spanning tree over time
STP adapts automatically to changes such as:
Switches being powered on or off
Interface failures
Network reconfiguration
VI. The Root Bridge
One bridge is elected as the root bridge.
The spanning tree is conceptually grown outward from the root
All path calculations are made toward the root bridge
Every other bridge determines its least-cost path to the root
The choice of root bridge has a significant impact on the resulting topology.
VII. Link Costs and Path Selection
STP assigns a cost to each link:
Costs are integers
Recommended to be inversely proportional to link speed
Typical recommended values:
10 Mb/s → cost 100
100 Mb/s → cost 19
1 Gb/s → cost 4
If a path includes multiple links, the total path cost is simply the sum of the individual link costs.
STP selects paths that minimize the total cost to the root bridge, ensuring higher-speed links are preferred when possible.
VIII. Classic STP vs. Rapid STP
Traditional STP (IEEE 802.1D):
Correct but slow to converge
Can take tens of seconds to respond to failures
Modern networks use Rapid Spanning Tree Protocol (RSTP):
Defined in later revisions of 802.1D
Converges much faster
Uses the same fundamental concepts
We first study classic STP to understand why loop prevention is necessary, then build on that foundation with RSTP.
IX. Key Takeaway
Ethernet switching relies on flooding and learning, which work only in loop-free topologies.
STP makes large switched networks possible by:
Preventing loops
Controlling flooding
Preserving redundancy
Automatically adapting to change
Without STP (or RSTP), modern Ethernet networks simply would not scale.
🌉 Spanning Tree Protocol (STP) — Port States & Roles
To understand how STP prevents loops in Ethernet networks, you need to know both the states a port can be in and the roles it can play.
🔑 Port States in Classic STP
Blocking
Default state after initialization.
Doesn’t forward frames or learn addresses.
Only listens for BPDUs (Bridge Protocol Data Units).
Listening
Can send/receive BPDUs.
Still doesn’t forward frames or learn addresses.
Waits ~15 seconds (forward delay).
3. Learning
Learns MAC addresses.
Still doesn’t forward frames.
Waits another ~15 seconds.
4. Forwarding
Fully active: forwards frames, learns addresses, sends/receives BPDUs.
Normal state for active ports carrying traffic.
5. Disabled
Administratively shut down.
No participation in STP.
👉 Transitions: Blocking → Listening → Learning → Forwarding (with delays).
⚙️ Port Roles (especially important in RSTP)
Root Port → the port on a switch that leads toward the root bridge (lowest-cost path).
Designated Port → forwards traffic for a segment; chosen as the best path to the root for that segment.
Alternate Port → backup path to the root, but not forwarding.
Backup Port → redundant port on the same segment as a designated port (can take over if the designated port fails).
✅ Key Takeaway
States describe what a port is doing (blocking, learning, forwarding).
Roles describe what a port means in the spanning tree (root, designated, alternate, backup).
Together, they ensure Ethernet networks avoid loops while still providing redundancy.
🌉 Bridge Protocol Data Units (BPDUs) — The Heart of STP
BPDUs are Layer 2 management frames used by switches to share information about themselves and their connections.
Think of them as a constant status update that switches use to elect a leader (the Root Bridge) and decide which ports should stay open and which should be blocked to prevent loops.
🔑 BPDU Structure (Key Fields)
Encapsulation: How it’s Wrapped
Before we even get to the data, the envelope has specific markings so switches know this isn't regular user traffic:
Destination MAC: 01:80:C2:00:00:00. This is a special multicast address. Switches are programmed not to forward this to other ports; they consume it, read it, and then generate their own if needed.
LLC/SNAP Header: You'll see 0x424203. This is the classic Spanning Tree signature in the Logical Link Control layer.
Core Fields: The ID Card
Protocol ID: Always set to 0 for Spanning Tree.
Version: This tells you the flavor of STP. 0 is the original (802.1D), while 2 is the much faster RSTP
(Rapid Spanning Tree).
Type:
0x00: Configuration BPDU (standard I'm here heartbeat).
0x80: TCN (Topology Change Notification).
Flags: These are the control bits that tell other switches what's happening.
TC (Topology Change): Something moved, clear your MAC tables!
RSTP Extensions: Uses bits to signal Proposals and Agreements to transition ports to forwarding in milliseconds rather than seconds.
Bridge & Path Info: The Logic
Root ID: The MAC address and Priority of the switch everyone thinks is the boss.
Bridge ID: The MAC and Priority of the switch that actually sent this specific packet.
Root Path Cost: This is a cumulative number. Every time a switch passes the BPDU along, it adds its own cost (based on link speed) to this value.
Port ID (PID): The specific physical port number the BPDU came out of.
Timers: The Clock
Message Age (MsgA): Think of this as a hop count. It starts at 0 at the Root Bridge and increments by 1 at every switch it passes through.
Max Age (MaxA): Usually 20 seconds. If a switch doesn't hear a BPDU for this long, it panics and assumes the path is dead.
Hello Time: How often BPDUs are sent (default is every 2 seconds).
Forward Delay: The waiting room time (default 15s) a port spends in Listening and Learning states before it's allowed to send actual data.
⚙️ How It Works: The Flow of Info
The Source: The Root Bridge is the only one that originates Configuration BPDUs. It sends them out with a Message Age of 0.
The Relay: Other switches receive it, update the Root Path Cost (adding their own link's weight), increment the Message Age, and send it out their own ports.
The Death Timer: If a switch stops receiving BPDUs, it counts down. Once the Max Age minus the Message Age hits zero, the switch declares the Root Bridge dead and starts a new election to find a new leader.
✅ Key Takeaway
BPDUs aren't just data; they are the consensus mechanism of a local network.
They define the Root ID, so everyone knows who the leader is.
They calculate Path Cost, so the network knows the shortest way home.
RSTP uses the extra flags to make the network heal much faster (usually under 1 second) compared to the old-school 30-50 second wait.
BUILDING THE SPANNING TREE (STP)
Once we understand why STP is needed, the next step is to see how the spanning tree is actually built and maintained.
STP has two primary responsibilities:
Elect a root bridge
Adapt to topology changes quickly and safely
I. Root Bridge Election
The very first task of STP is to elect a root bridge.
Bridge Identifier (Bridge ID)
Each bridge has a unique Bridge ID, composed of:
Priority (configurable)
MAC address (used as a tie-breaker)
The bridge with the smallest Bridge ID becomes the root bridge.
Election Process
When a bridge first starts up:
It assumes it is the root bridge
It sends configuration BPDUs claiming itself as the root
If a bridge receives a BPDU advertising a smaller root ID than its own:
It accepts that bridge as the root
Stops advertising itself as root
Forwards BPDUs that reference the better (smaller) root ID
The port on which the best BPDU is received is marked as the root port:
The root port is the port that leads toward the root bridge.
Port Roles (High-Level View)
After root election:
Root port: Best path toward the root bridge
Designated ports: Forwarding ports on each link
Blocked ports: Disabled to prevent loops
Only ports in the forwarding state carry user traffic.
II. Handling Topology Changes
Networks are not static. Links fail, switches reboot, and cables get unplugged.
STP must respond much faster than normal MAC address aging would allow.
Why Aging Alone Is Not Enough
Default MAC aging time ≈ 5 minutes
Waiting that long would cause:
Blackholed traffic
Frames sent down invalid paths
Poor convergence
STP introduces a topology change notification mechanism to fix this.
III. Topology Change Notifications (TCNs)
A topology change occurs when a port transitions into the forwarding or blocking state.
When this happens:
The detecting bridge sends a Topology Change Notification (TCN) BPDU
The TCN is sent up the spanning tree toward the root
Each upstream bridge:
Acknowledges the TCN
Forwards it closer to the root
Root Bridge Reaction
Once the root bridge is informed:
It sets the Topology Change (TC) flag in its configuration BPDUs
These flagged BPDUs are flooded throughout the network
When bridges receive BPDUs with the TC flag set:
They temporarily reduce MAC aging time
Aging time is lowered to roughly the forward delay (seconds, not minutes)
This allows:
Incorrect entries to be flushed quickly
Active stations to be relearned safely
IV. Why This Works Well
STP’s topology-change mechanism:
Avoids long outages
Prevents stale forwarding entries
Preserves active communication
Allows fast adaptation without destabilizing the network
This is a careful balance between speed and stability.
V. STP in Practice: Linux Bridges
In Linux, STP is disabled by default for bridge devices, under the assumption that:
Many software bridges are simple
No redundant paths exist
To enable STP on a Linux bridge:
Once enabled, STP state can be inspected using:
VI. Interpreting STP State (Conceptually)
STP state is maintained at two levels:
Bridge-Level Information
Includes:
Bridge ID
Root bridge ID
Timers (hello time, max age, forward delay)
Topology change indicators
These values define the global behavior of the bridge in the spanning tree.
Port-Level Information
Each port tracks:
Its role (root, designated, or blocked)
Its state (forwarding or blocking)
Path cost toward the root
Ports connected to higher-speed links naturally have lower path costs, making them preferred paths in the tree.
VII. Link Cost and Speed (Reinforced)
STP path cost reflects link speed:
Slower links → higher cost
Faster links → lower cost
This ensures that:
High-speed paths are preferred
Redundant low-speed links remain available as backups
VIII. BPDUs on the Wire (Big Picture)
Bridges communicate exclusively using Bridge Protocol Data Units (BPDUs).
Conceptually, BPDUs carry:
Root bridge identity
Path cost to the root
Sender bridge and port information
Timer values
They are sent to a special multicast MAC address reserved for bridges and are never forwarded as regular data frames.
You usually only inspect raw BPDUs when:
Debugging STP issues
Learning protocol internals
Verifying convergence behavior
For conceptual understanding, knowing what BPDUs represent matters far more than their byte layout.
IX. Big Picture Takeaway
STP builds and maintains a loop-free Layer 2 topology by:
Electing a root bridge
Selecting least-cost paths to that root
Blocking redundant links
Reacting quickly to topology changes
All of this happens automatically, distributed, and without configuration in most cases.
This is why Ethernet can safely support redundancy, and why STP (or RSTP) is non-negotiable in real networks.
RAPID SPANNING TREE PROTOCOL (RSTP)
(Formerly IEEE 802.1w)
Classic STP solved the loop problem, but it had a major weakness: slow convergence. In many cases, the network had to wait for timers to expire before reacting to a failure. That delay could last tens of seconds, which is unacceptable for modern networks.
The Rapid Spanning Tree Protocol (RSTP) was designed to fix this.
RSTP is defined in IEEE 802.1w and later incorporated into 802.1D-2004.
I. The Core Problem with Classic STP
In traditional STP:
Failures are detected indirectly
A bridge assumes something is wrong only after it stops receiving BPDUs
Recovery depends heavily on timers (max age, forward delay, etc.)
If those timers are conservative (which they usually are), convergence is slow.
RSTP replaces this timer-driven behavior with event-driven detection.
II. Key Design Goal of RSTP
RSTP focuses on immediate reaction.
Instead of waiting:
Ports monitor their link state directly
When a failure is detected, a topology change is triggered immediately
This single shift—from timer-based to state-based operation—dramatically reduces convergence time.
III. BPDU Enhancements
RSTP improves how bridges communicate by enhancing the BPDU format and behavior.
One BPDU Type
RSTP uses only one type of BPDU
No special Topology Change Notification (TCN) BPDUs
All control information is carried in standard RSTP BPDUs
RSTP BPDUs use:
Version = 2
Type = 2
Flag Field Usage
RSTP makes use of all 6 usable bits in the BPDU flag field.
These bits support:
Rapid handshakes between neighboring bridges
Agreement on port roles and states
Reduced dependence on long timers
This allows bridges to synchronize quickly and safely.
IV. Simplified Port States
Classic STP defines five port states.
RSTP simplifies this to three:
The discarding state replaces:
Disabled
Blocking
Listening
This simplification reduces protocol complexity and speeds transitions.
V. New Port Roles: Alternate Ports
RSTP introduces a new port role called the alternate port.
An alternate port provides a backup path to the root bridge
If the active root port fails, the alternate port can immediately take over
No need to wait for STP recalculation or long delays
This is one of the biggest contributors to RSTP’s fast convergence.
VI. Edge Ports and Fast Forwarding
RSTP explicitly recognizes that not all ports are equal. In a standard setup, some ports go to other switches (risky for loops), and some go to PCs or printers (safe).
Edge Ports
These are the safe zones of your network.
Definition: Ports connected only to end stations (like your PC, a server, or a VoIP phone).
Why they are safe: End stations do not generate BPDUs. Since BPDUs are the tools used to detect loops, their absence suggests there isn't another switch on the other end.
The Assumption: Edge ports are assumed loop-free by default because a PC can't bridge two network segments and create a broadcast storm on its own.
Behavior of Edge Ports:
Speed: They skip listening and learning delays entirely.
Instant Access: They transition directly to forwarding the moment you plug the cable in. This is essentially the PortFast feature you might see in Cisco configurations.
The Safety Switch: If an edge port ever receives a BPDU (meaning someone just plugged a rogue switch into a wall jack):
It is reclassified immediately as a normal spanning tree port.
Loop protection is restored automatically, and it will go through the full state transitions to ensure it doesn't take down the network.
Point-to-Point Links
RSTP also looks at the physical nature of the cable to decide how fast it can move. It distinguishes between two types:
Point-to-point links: Operating in full-duplex (dedicated lanes for sending and receiving).
Shared links: Operating in half-duplex (old-school hubs where devices have to take turns).
Why Point-to-Point (P2P) is Faster:
Assumption: Since there are only two devices on the wire (you and the switch), it’s assumed loop-free at the physical level.
The Handshake: Instead of waiting for timers, P2P links support rapid handshakes (Proposal and Agreement flags in the BPDU). One switch says, I want to be the designated port, and the other says, Agreed, and they transition in milliseconds.
Convergence: This is the secret sauce that enables faster convergence, making RSTP feel instant compared to the original STP.
Automatic Detection: The link type is inferred automatically based on the hardware negotiation:
Full-duplex → Point-to-point (Modern switches, high speed).
Half-duplex → Shared (Old hubs or forced legacy settings).
Why this matters for your learning:
When you're reverse engineering or monitoring network traffic, you'll see that Edge Ports won't be spamming BPDUs out to the PCs, but Point-to-Point links between switches will be constantly whispering to each other to ensure the path is still valid.
VII. BPDU Keepalives and Failure Detection
Unlike classic STP:
All bridges send BPDUs periodically
BPDUs act as keepalives
If a bridge fails to receive BPDUs from a neighbor within:
…it assumes the link has failed and reacts immediately.
This behavior mirrors higher-layer routing protocols and greatly improves responsiveness.
VIII. Topology Change Handling in RSTP
Topology change handling is much faster than in STP.
When a topology change is detected:
The detecting bridge sends BPDUs with the Topology Change (TC) bit set.
These BPDUs are sent to:
The root bridge
All other bridges, not just upstream
When a bridge receives a TC BPDU:
It flushes its filtering database immediately
Entries associated with edge ports are preserved
MAC learning restarts immediately
No waiting for:
TCN propagation
Root acknowledgment
Forward delay timers
IX. Convergence Time: The Big Win
Convergence time is one of the major advantages of Rapid Spanning Tree Protocol (RSTP) over the classic Spanning Tree Protocol (STP).
In classic STP, convergence typically takes tens of seconds, which can lead to noticeable network delays during topology changes.
In contrast, RSTP significantly improves this performance, achieving convergence in sub-second time in most cases.
This faster response is a key reason why RSTP has become the default choice in modern Ethernet networks.
X. Compatibility and Evolution
RSTP was not invented in isolation.
Many features originated as vendor-specific enhancements (notably Cisco)
IEEE standardized these ideas in updated 802.1D
RSTP is:
Backward compatible with classic STP
Can interoperate in mixed environments (with reduced benefits)
XI. Beyond RSTP: Multiple Spanning Tree Protocol (MSTP)
RSTP was later extended to support VLAN-aware operation.
MSTP (Multiple Spanning Tree Protocol) builds on RSTP
Supports multiple spanning trees, typically one per VLAN or group of VLANs
Retains the same BPDU format for compatibility
MSTP is the natural evolution for large, VLAN-rich networks.
XII. Key Takeaway
RSTP keeps the core idea of STP—loop-free Layer 2 topologies—but modernizes it by:
Detecting failures immediately
Using rapid handshakes instead of long timers
Providing instant backup paths
Treating edge ports intelligently
Notifying the entire network of changes quickly
In short: STP makes Ethernet safe. RSTP makes it fast.
MULTIPLE REGISTRATION PROTOCOL (MRP)
Think of MRP as a standard form that different protocols can use to tell the rest of the network what they need. It’s the engine under the hood for both VLAN and Multicast management.
Purpose: It provides a generic framework for devices to register and deregister attributes (like VLAN IDs or Multicast MACs) across a bridged LAN.
Standard: Officially defined in IEEE 802.1ak-2007.
The Upgrade: It replaces the older, clunkier GARP (Generic Attribute Registration Protocol). MRP is much faster and more efficient, especially in large networks where GARP used to struggle with churn.
Key Applications
MVRP (Multiple VLAN Registration Protocol): The modern replacement for the old GVRP.
MMRP (Multiple MAC Registration Protocol): The modern replacement for GMRP.
MVRP (VLAN Registration)
In a traditional setup, if you add VLAN 10 to a switch, you have to manually trunk it to the next switch, and the next. MVRP does this automatically.
The Trigger: When an end station (like a server) is configured as a member of a specific VLAN, it informs its local switch.
The Propagation: That switch then shouts this membership info to every other switch in the network using MVRP.
Dynamic Updating: Switches automatically update their filtering databases (FDB) and trunk ports to allow that VLAN's traffic.
The Big Benefit: It avoids recalculating the Spanning Tree (STP) when the VLAN topology changes. This keeps the network stable while you're adding or moving devices.
Scalability: It allows for much more flexible VLAN management without the risk of human configuration errors.
MMRP (Multicast MAC Registration)
Switches are naturally dumb when it comes to multicast; they often treat it like a broadcast and send it to everyone.
MMRP fixes this at the hardware level.
Registration: Stations register their interest in specific Group MAC addresses (the Layer 2 version of a multicast address).
Precision Delivery: Switches use these registrations to build a map. They only send the multicast traffic to the specific ports that actually asked for it.
The Efficiency Gap: Without MMRP, switches flood multicast traffic everywhere, which can kill bandwidth on a busy network.
✅ How it compares:
Layer 3 Cousins: It’s similar to IGMP (IPv4) and MLD (IPv6) but works strictly at the Link Layer.
Snooping: It serves a similar goal to IGMP/MLD Snooping, but instead of the switch spying on Layer 3 packets, MMRP is a direct, formal request at Layer 2.
✅ Key Takeaway
MRP is the modern, high-speed foundation that moved us past the limitations of the old GARP framework.
MVRP handles the Where does this VLAN go? question automatically.
MMRP ensures multicast traffic stays in its lane and doesn't flood your entire network.
Together, they make modern Ethernet switching scalable and adaptive.
If you move a server to a new port, the network learns and reroutes the VLAN/Multicast attributes in milliseconds.
Wi-Fi is based on the IEEE 802.11 standard...continues in TCP007.
Page updated
Google Sites
Report abuse