Lesson 4 - Data Link Layer


In this lesson you'll learn about layer 2, the data link layer of the TCP/IP model. You will learn what a frame is, and how it's used when transferring data. You'll also learn all about switches, VLANs and Ethernet.

Preparing the Data for Transmission

In the last lesson we learned about different types of mediums and how the bits are transmitted over the medium. Before the bits can be sent they have to be prepared. The process of preparing the data includes wrapping the data in a header and trailer. This idea of wrapping your data is called encapsulation. In today's lesson we'll focus on encapsulation as it applies to the Data Link layer in the TCP/IP model.

The Data Link layer receives data from the Internetwork layer above. The Data Link layer adds a header and trailer to the data, creating a frame. When Ethernet is used as the Data Link protocol, an Ethernet frame is created. Ethernet is a member of the IEEE (Institute of Electrical and Electronics Engineers) 802 standards found in the Data Link and Physical layers of LANs. Ethernet is known as 802.3 with many subversions depending on speeds and medium used.

The Ethernet protocol uses MAC addresses for sending data between devices. A MAC (Media Access Control) address is the 48-bit physical address of a network adapter. Each network adapter has a unique MAC address. If your computer has both wired and wireless network adapters, it has two MAC addresses. MAC addresses are typically written in hexadecimal (hex) format, or base 16. The first three octets, or groups of 8 bits, are used to identify the manufacturer of the NIC (Network Interface Card). The first three octets of the MAC are called the OUI (Organizationally Unique Identifier). The last three octets are used to uniquely identify the NIC. An example of a MAC address is 3c:15:c2:de:4d:fc. 3c:15:c2 is owned by Apple, and the de:4d:fc uniquely identifies the device.

When a device is plugged into a network there's the potential for a lot of noise on the line. The noise is heard by the device, but ignored. When sending data, the sending device needs to make sure the receiving device knows data's coming. It needs to distinguish itself from the noise. It does this by including the preamble as the first thing in the header. The preamble is a stream of alternating bits used to tell the destination device to get ready, data's coming! The preamble is 7 bytes long. After the preamble we find a single byte called the starting delimiter. The starting delimiter contains alternating bits just like the preamble, but the last two bits are 1s. This tells the receiving device that data is here.

The next part of the header is the destination MAC address. If a device's own MAC address is in the header it pulls the data off the wire. Following the destination MAC address is the source MAC address. This is how the device knows where to send a response.

The next part of the 802.3 protocol is the frame trailer. The frame trailer contains a 4 byte block called the frame check sequence (FCS). The frame check sequence is a series of bits that is the result of a mathematical function performed on all the bits before the trailer. On the destination device the same calculation is performed. If the result doesn't match the value in the FCS, the destination computer knows there is something wrong in the frame, and the frame will be discarded. This process of discarding frames when a problem is detected is called error detection. At this layer all we care about is detecting errors and discarding the bad data. We will learn how we perform error recovery in a later lesson.
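The frame layout and FCS check described above, as an added Python example that is not part of the original lesson. It assumes the standard 802.3 CRC-32 for the FCS and includes the 2-byte type field that sits between the source MAC and the data, which the lesson does not cover; the destination MAC and payload are constructed sample values.

```python
import struct
import zlib

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def fcs(body):
    # 802.3 FCS: CRC-32 over destination MAC through payload, sent low byte first
    return struct.pack("<I", zlib.crc32(body))

def build_frame(dst, src, ethertype, payload):
    # The preamble and starting delimiter are generated by the NIC hardware,
    # so software-built frames start at the destination MAC.
    payload = payload.ljust(46, b"\x00")  # pad to the 46-byte minimum payload
    body = mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload
    return body + fcs(body)

def parse_frame(frame):
    """Return the header fields, or None if the FCS check fails (frame discarded)."""
    if len(frame) < 64:
        return None  # shorter than the minimum Ethernet frame
    body, trailer = frame[:-4], frame[-4:]
    if fcs(body) != trailer:
        return None  # error detection: recomputed value differs from the FCS
    return {
        "dst": mac_str(body[0:6]),
        "src": mac_str(body[6:12]),
        "src_oui": mac_str(body[6:9]),  # first three octets identify the vendor
        "ethertype": struct.unpack("!H", body[12:14])[0],
        "payload": body[14:],
    }

if __name__ == "__main__":
    # Constructed sample: source is the lesson's example MAC, destination is made up
    good = build_frame("02:00:00:00:00:01", "3c:15:c2:de:4d:fc", 0x0800, b"hello")
    print(parse_frame(good))
    damaged = bytearray(good)
    damaged[20] ^= 0x01  # flip one bit "in transit"
    print(parse_frame(bytes(damaged)))  # frame is discarded
```

The FCS catches accidental corruption only. Anyone who modifies a frame can recompute it, so it is not a tamper-protection mechanism.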

Network Switches

We learned in lesson 3 that a switch is a device that connects everything together. Before switches we had devices called hubs. Hubs were also devices that connected everything together but they work very differently than switches. A hub takes a frame and repeats it out all other ports creating a shared medium for all connected devices. This shared medium is referred to as a collision domain where only one device can send information at a time.

On a network with a hub your devices have to change the way they send data. When they're sending data they have to listen to the line and make sure no one else is sending at the same time. If two devices attempt to send data at the same time it's called a collision. This creates a network where you can send or receive data, but not both at the same time, or a half duplex connection.

Switches are more intelligent than hubs. They look at the frame header and use the information in the header to make sure the data is sent out only the port that contains the destination device. A switch contains a MAC address table, which is a list of all the connected devices' MAC addresses and the ports to which they are connected. The table shows an example of a MAC address table.

In the sample MAC address table it looks like port 7 has either a hub or switch plugged into it. That's why we see multiple devices plugged into port 7. When a frame is received the switch looks at the destination address in the Data Link header and compares it to the MAC address table. The information in the MAC address table is used to direct the frame out the correct port. This process of sending the frame out the port that contains the destination is called a forward decision. This allows the switch to handle multiple connections at once. In the image below we can see a switch handling multiple connections. Each colored arrow pair represents a different connection. Alternatively you may have a switch that received a frame that should go back out the port in which it arrived. If this happens the switch will filter the frame out.

A switch uses store and forward technology where it will store the entire frame in a buffer, or memory location in the switch, until it's safe to send. This technology prevents collisions from happening on a switch. This reduces our collision domain to a single port. In the image below you can see two devices trying to send to the same device. The switch will store the frames until it can transmit them both without problem. Collisions are avoided because the switch actively prevents them from happening. Once collisions are not a concern the devices can start sending and receiving data at the same time. This is known as full duplex.

The MAC address table in a switch is built using multiple methods. The first method is learning, which is where the device looks at the source MAC address in the headers of the frames coming in. If the MAC address isn't in the MAC address table it will add it.

If a frame arrives with a destination address not found in the MAC address table, then the switch needs to find out where to send it. It does this by a process called flooding, where the frame is sent out all other ports looking for the device. Once the device responds, the information is added to the MAC address table and the frames are forwarded out the correct port.

So far we've been analyzing one to one communications known as unicast. There are situations where you want to send out a message to all devices. That type of communication is called a broadcast. Every device connected to a hub or switch will receive a broadcast message, creating a broadcast domain.
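The learning, forwarding, flooding, filtering and broadcast behaviour described in this section, as an added Python example that is not part of the original lesson. The class name, the 8-port switch and the MAC addresses are constructed for illustration, with two devices behind port 7 as in the lesson's sample table.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    def __init__(self, num_ports):
        self.ports = list(range(1, num_ports + 1))
        self.mac_table = {}  # MAC address -> port it was last seen on

    def receive(self, in_port, src, dst):
        """Process one frame header; return (decision, list of output ports)."""
        if in_port not in self.ports:
            raise ValueError(f"no such port: {in_port}")
        src, dst = src.lower(), dst.lower()
        # Learning: record the port the source MAC was seen on
        # (this also updates the entry if a device moves to another port).
        self.mac_table[src] = in_port
        others = [p for p in self.ports if p != in_port]
        if dst == BROADCAST:
            return "broadcast", others   # every other port gets a copy
        out_port = self.mac_table.get(dst)
        if out_port is None:
            return "flood", others       # unknown destination
        if out_port == in_port:
            return "filter", []          # destination is back on the arrival port
        return "forward", [out_port]     # known destination on another port

if __name__ == "__main__":
    # Constructed MACs: A on port 1, B on port 2, C and D behind a hub on port 7
    A, B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    C, D = "02:00:00:00:00:0c", "02:00:00:00:00:0d"
    sw = LearningSwitch(8)
    frames = [(1, A, B), (2, B, A), (7, C, D), (7, D, C), (1, A, BROADCAST)]
    for in_port, src, dst in frames:
        print(in_port, src, "->", dst, sw.receive(in_port, src, dst))
    print(sw.mac_table)
```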

Virtual LANs

Virtual LANs allow you to create separate broadcast domains on a single switch using a subset of the physical ports. Before we jump into how this works, we should answer the question: why would we do that?

    • Reduce broadcast traffic. As your network increases so does the number of broadcasts. Broadcast messages have to be processed by every device on the network. If you have more than a couple hundred devices you may want to break up your network.

    • Layer 8 issues. The politics in your office may necessitate the creation of a separate network.

      • Example: Doctor's office with public WiFi. They don't want the public on the same network as their private servers.

      • Example: School district business office may want a separate network for the business office computers so they aren't on the same network as the students.

    • Layer 3 design goals. Just trust me on this one, we'll get there in lesson 7.

    • Cheaper. If you find you're in an environment where you'll need separate networks, using VLANs is cheaper than buying more equipment.

Creating a VLAN in a switch involves telling the switch what ports are on which VLAN. In the image below we made the first block of ports VLAN 10 and the second block of ports VLAN 20. Once we create VLANs on our switches we create multiple broadcast domains. Each VLAN is its own broadcast domain. This means broadcast messages sent on VLAN 20 won't be seen by VLAN 10.

If you have more than one switch on your network and you're using VLANs, then you need to enable VLAN trunking on the ports that connect the switches together. When frames are sent over the VLAN trunk, an additional trunking header will be added to identify the frame's VLAN.

In the image below we see computers A, C, and D are all on VLAN 10. When data is sent from A to D it has to pass through the VLAN trunk. Before it enters the trunk the first switch adds a trunking header. The trunking header identifies the frame as originating on VLAN 10. When the second switch receives the frame it can tell by the trunking header that the frame needs to go to a device on VLAN 10. Using the MAC address table it will send the data out the correct port.

In the image above computers A, C and D can not talk to computer B. Computer B is on a different VLAN and is separated from the other three computers.

There are multiple VLAN trunking protocols. Cisco created their own before there was an open standard to use. Cisco's standard is called Inter Switch Link (ISL). Later the IEEE developed 802.1Q for trunking. When you are connecting multiple switches you must use the same protocol on both ends.
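How a trunking header identifies a frame's VLAN, as an added Python example that is not part of the original lesson. It uses the 802.1Q format, a 4-byte tag inserted after the source MAC; the port-to-VLAN map, the MAC addresses and the choice to drop untagged frames arriving on the trunk are assumptions of this sketch.

```python
import struct

TPID_8021Q = 0x8100  # value in bytes 12-13 that marks an 802.1Q tag

def add_tag(frame, vlan_id, priority=0):
    """First switch: insert the 4-byte tag after the source MAC."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    if not 0 <= priority <= 7:
        raise ValueError("priority must be 0-7")
    tci = (priority << 13) | vlan_id  # 3-bit priority, 1-bit DEI (0), 12-bit VLAN ID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def strip_tag(frame):
    """Return (vlan_id, untagged_frame); vlan_id is None if there is no tag."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]

def trunk_receive(frame, access_ports):
    """Second switch: remove the tag and list the access ports in that VLAN.
    access_ports maps port number -> VLAN ID. The MAC address table then
    picks the actual output port from this list."""
    vlan_id, untagged = strip_tag(frame)
    if vlan_id is None:
        return [], untagged  # assumption of this sketch: drop untagged trunk frames
    return sorted(p for p, v in access_ports.items() if v == vlan_id), untagged

if __name__ == "__main__":
    # Constructed frame without preamble or FCS: dst MAC, src MAC, type, data
    frame = (bytes.fromhex("02000000000d") + bytes.fromhex("02000000000a")
             + struct.pack("!H", 0x0800) + b"data from A to D")
    tagged = add_tag(frame, 10)
    print(tagged[12:16].hex())  # the inserted tag
    # Constructed layout on the second switch: ports 1 and 3 in VLAN 10, port 2 in VLAN 20
    print(trunk_receive(tagged, {1: 10, 2: 20, 3: 10}))
```

When a real switch rewrites a frame this way it also recomputes the frame check sequence, because the tag changes the bits the FCS covers.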


Ethernet was defined as a standard that ran at 10 Mbps. Over the years the speed has improved. With each change we have a new protocol with a new name. In the table below you can see the different names of the standards and their speeds.


We learned two new terms in this lesson to add to our TCP/IP diagram. MAC addresses are the types of addresses found at the Data Link layer and we call the chunks of data frames.
