Module 3: Physical & Data Link Layers

These layers are responsible for moving bits across the wire (or air) and organizing them into frames for local delivery. If the network is a postal system, these two layers are the physical roads and the local delivery trucks — they handle the last mile of actually getting data from one device to the device next to it.

3.1 Layer 1: Physical Layer

The Physical Layer defines the hardware elements involved in transmitting data. This is the only layer that deals with actual physical signals — everything above is logical abstraction.

Key Concepts

  • Media: Copper cables (Cat5e, Cat6), Fiber Optic, Wireless (Radio waves). Each has different speed limits, distance limits, and interference characteristics.
  • Signals: Digital (bits — discrete 0s and 1s) vs Analog (waves — continuous signals). Copper and fiber carry digital signals; Wi-Fi uses analog radio waves that encode digital data.
  • Topologies: Bus (one shared cable), Star (central hub/switch), Ring (devices in a loop), Mesh (every device connected to every other). Modern LANs almost universally use the star topology with a switch at the center.

Practical Considerations

| Cable Type | Max Speed | Max Distance | Use Case |
|---|---|---|---|
| Cat5e | 1 Gbps | 100 meters | Office LAN (legacy) |
| Cat6 | 10 Gbps | 55 meters (10G) / 100m (1G) | Modern office LAN |
| Cat6a | 10 Gbps | 100 meters | Data centers, new builds |
| Single-mode Fiber | 100+ Gbps | 80+ km | Long-distance, ISP backbone |
| Multi-mode Fiber | 10-100 Gbps | 300-550 meters | Data center interconnects |

Troubleshooting Layer 1: The majority of “network down” incidents trace back to Layer 1 — an unplugged cable, a damaged fiber strand, or Wi-Fi interference from a microwave oven. Always check the physical layer first. Look for link lights on the switch port and the NIC. No light means no physical connection, and no amount of software debugging will fix a broken cable.

3.2 Layer 2: Data Link Layer

The Data Link Layer ensures error-free transmission between two directly connected nodes. While Layer 3 (IP) handles end-to-end delivery across the entire internet, Layer 2 only cares about the next hop — getting the frame to the next directly connected device. Think of it this way: IP is the full postal address (city, street, house number). MAC is the name of the person handing the letter to the next person in the chain. At each hop, the MAC addresses change, but the IP addresses stay the same.

MAC Addresses

  • Media Access Control (MAC) address is a unique identifier assigned to a network interface controller (NIC).
  • Format: 00:1A:2B:3C:4D:5E (48-bit hex, 6 bytes).
  • The first 3 bytes (00:1A:2B) identify the manufacturer (OUI - Organizationally Unique Identifier). You can look up the vendor at macvendors.com — handy when troubleshooting unknown devices on your network.
  • The last 3 bytes (3C:4D:5E) are assigned by the manufacturer to be unique per device.
MAC vs IP — a common confusion: MAC addresses are used for local delivery (within the same network segment). IP addresses are used for global routing (across the internet). When you send a packet to Google, the destination IP is Google’s server, but the destination MAC is your local router — because that is the next hop. Your router then changes the destination MAC to the next router’s MAC, and so on, hop by hop.

Ethernet Frames

Data is packaged into frames — the Layer 2 unit of data.
  • Preamble (8 bytes): Synchronization pattern that tells the receiver “a frame is coming.” Think of it as the ringing before a phone call.
  • Destination MAC (6 bytes): Where it is going on the local network.
  • Source MAC (6 bytes): Where it came from.
  • Type/Length (2 bytes): Identifies the protocol of the payload (e.g., 0x0800 = IPv4, 0x0806 = ARP, 0x86DD = IPv6).
  • Payload (46-1500 bytes): The actual data — an IP packet at Layer 3. The maximum payload size (1500 bytes) is called the MTU (Maximum Transmission Unit).
  • FCS (4 bytes): Frame Check Sequence — a CRC checksum for error detection. If the FCS does not match, the frame is silently dropped. There is no retransmission at Layer 2; that is TCP’s job at Layer 4.
┌──────────┬──────────┬──────────┬──────────┬─────────────────┬─────────┐
│ Preamble │ Dst MAC  │ Src MAC  │  Type    │    Payload      │   FCS   │
│ 8 bytes  │ 6 bytes  │ 6 bytes  │ 2 bytes  │  46-1500 bytes  │ 4 bytes │
└──────────┴──────────┴──────────┴──────────┴─────────────────┴─────────┘
MTU matters more than you think. If your application sends a 4,000-byte message, it must be split into multiple packets that each fit within the 1500-byte MTU. If a VPN or tunnel adds extra headers (reducing the effective MTU), packets that were fine before may now need fragmentation — causing slowdowns or mysterious connection failures. This is one of the first things to check when a VPN is “slow.”
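The frame layout above, parsed and checked in code. This is an added example, not part of the original page; it assumes the frame is seen after the NIC has stripped the preamble but with the FCS still attached, and the sample frames are constructed.

```python
import struct
import zlib

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

def mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)

def fcs(data):
    """Ethernet FCS: CRC-32 over dst MAC..payload, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(data))

def parse_frame(frame):
    """Parse a frame as seen after the preamble: header, payload, FCS."""
    if len(frame) < 64:                        # 14 header + 46 payload + 4 FCS
        raise ValueError("runt frame: shorter than the 64-byte minimum")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    payload, trailer = frame[14:-4], frame[-4:]
    return {
        "dst": mac_str(dst),
        "src": mac_str(src),
        "oui": mac_str(src[:3]),               # manufacturer prefix of the sender
        "type": ETHERTYPES.get(etype, f"0x{etype:04X}"),
        "payload_len": len(payload),
        "oversize": len(payload) > 1500,       # exceeds the standard MTU
        "fcs_ok": fcs(frame[:-4]) == trailer,  # receivers drop the frame when False
    }

# Constructed sample: broadcast frame from 00:1A:2B:3C:4D:5E with type ARP;
# the payload is 46 zero bytes standing in for a padded ARP packet.
BODY = bytes.fromhex("ffffffffffff" "001a2b3c4d5e" "0806") + bytes(46)
SAMPLE = BODY + fcs(BODY)
# The same frame with one payload bit flipped in transit (constructed).
CORRUPT = SAMPLE[:20] + bytes([SAMPLE[20] ^ 0x01]) + SAMPLE[21:]

if __name__ == "__main__":
    print(parse_frame(SAMPLE))
    print("corrupt frame FCS ok:", parse_frame(CORRUPT)["fcs_ok"])
```

Most packet captures show neither the preamble nor the FCS, because the NIC consumes both before handing the frame to the operating system.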

3.3 Switching

A Switch operates at Layer 2. It uses MAC addresses to forward frames to the correct port. Unlike a hub (which blindly copies every frame to every port), a switch is intelligent — it learns which devices are on which ports and sends frames only where they need to go.

How a Switch Learns and Forwards

  1. Learning: When a frame arrives on port 1 with Source MAC AA:BB:CC:DD:EE:FF, the switch records: “MAC AA:BB:CC:DD:EE:FF is reachable via port 1.” This builds the MAC address table (also called CAM table) over time.
  2. Forwarding: When a frame arrives with Destination MAC 11:22:33:44:55:66, the switch looks up its MAC table. If there is an entry saying that MAC is on port 5, the frame is sent only to port 5 — no other device sees it.
  3. Flooding: If the Destination MAC is unknown (not in the table yet) or is a broadcast address (FF:FF:FF:FF:FF:FF), the switch sends the frame to all ports except the one it arrived on. This ensures delivery even when the switch has not yet learned the destination.

Practical Scenario

Port 1: PC-A (MAC AA:AA)    Port 3: PC-C (MAC CC:CC)
Port 2: PC-B (MAC BB:BB)    Port 4: PC-D (MAC DD:DD)

1. PC-A sends frame to PC-C
2. Switch sees Source MAC AA:AA on Port 1 → learns it
3. Switch looks up Dest MAC CC:CC → found on Port 3
4. Frame sent ONLY to Port 3 → PC-C receives it
5. PC-B and PC-D never see this frame
This is why switches are more secure and more efficient than the old hubs they replaced. On a hub, every device saw every frame — which meant any device could eavesdrop on all traffic.
Troubleshooting tip: If a device cannot reach anything on the local network, check if its switch port link light is on (Layer 1). If it is on but traffic still fails, check if the switch has learned the device’s MAC address: show mac address-table on managed switches. A missing entry suggests a VLAN mismatch or cable issue.

Interview Deep-Dive

Strong Answer:
  • A hub is a Layer 1 device that simply repeats every incoming electrical signal on every port. It is a shared medium — every device connected to the hub sees every frame, regardless of whether it is the intended recipient. This creates a single collision domain where only one device can transmit at a time, and it means any device can eavesdrop on all traffic.
  • A switch is a Layer 2 device that learns which MAC addresses are reachable on which ports by inspecting the source MAC of incoming frames. It builds a MAC address table (CAM table) and then forwards frames only to the port where the destination MAC resides. This creates a separate collision domain per port, dramatically increasing throughput.
  • Switches replaced hubs because the performance difference is enormous. On a 24-port hub with 1 Gbps, all 24 devices share that 1 Gbps bandwidth. On a 24-port switch, each device gets a dedicated 1 Gbps connection. In a busy office, that is the difference between unusable and perfectly fine.
  • There is also a security angle: on a hub, any device can capture all traffic with a packet sniffer. On a switch, traffic is isolated per port. Although ARP spoofing and MAC flooding attacks can still be used to circumvent this, a switch provides significantly better baseline security than a hub.
Follow-up: You mentioned MAC flooding. What is that attack and how does a switch behave when its CAM table is full?
MAC flooding is an attack where an attacker sends thousands of frames with random, spoofed source MAC addresses. The switch tries to learn each one and fills its CAM table. Once the table is full, the switch can no longer learn new entries and falls back to its default behavior for unknown destinations: flooding. That means it starts sending frames to all ports, effectively turning itself into a hub. At that point, the attacker can sniff all traffic on the switch, just like the old hub days. The defense is port security — configuring the switch to limit the number of MAC addresses allowed per port (for example, 2-3 per port). If the limit is exceeded, the port is shut down or violations are logged. Enterprise switches from Cisco, Arista, and others all support this feature.
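A small model of the learn/forward/flood logic from section 3.3 and of the full-table behaviour and port-security limit described above. This is an added example, not part of the original page and not any vendor's implementation; the class, the 8-entry table size and the scenario are assumptions made for illustration.

```python
BROADCAST = "FF:FF:FF:FF:FF:FF"

class LearningSwitch:
    def __init__(self, ports, cam_size, max_macs_per_port=None):
        self.ports = set(ports)
        self.cam = {}                      # MAC address table: MAC -> port
        self.cam_size = cam_size           # table capacity (hypothetical value)
        self.limit = max_macs_per_port     # port security; None = disabled
        self.shutdown = set()              # ports disabled after a violation

    def receive(self, in_port, src, dst):
        """Process one frame; return the set of ports it is sent out of."""
        if in_port in self.shutdown:
            return set()
        if src not in self.cam:
            on_port = sum(1 for p in self.cam.values() if p == in_port)
            if self.limit is not None and on_port >= self.limit:
                self.shutdown.add(in_port)           # violation: shut the port
                return set()
            if len(self.cam) < self.cam_size:        # 1. learning, if there is room
                self.cam[src] = in_port
        if dst != BROADCAST and dst in self.cam:
            out = {self.cam[dst]}                    # 2. forwarding
        else:
            out = self.ports - {in_port}             # 3. flooding
        return out - self.shutdown - {in_port}

def simulate(max_macs_per_port):
    """Constructed scenario: port 2 presents 20 source MACs before PC-C has spoken."""
    sw = LearningSwitch(ports=[1, 2, 3, 4], cam_size=8,
                        max_macs_per_port=max_macs_per_port)
    sw.receive(1, "AA:AA", BROADCAST)                # PC-A is learned on port 1
    for i in range(20):                              # many new MACs on one port
        sw.receive(2, f"02:00:00:00:00:{i:02X}", BROADCAST)
    sw.receive(3, "CC:CC", "AA:AA")                  # PC-C speaks for the first time
    out = sw.receive(1, "AA:AA", "CC:CC")            # PC-A -> PC-C
    return sorted(out), sorted(sw.shutdown)

if __name__ == "__main__":
    print("no port security:", simulate(None))       # frame floods to every other port
    print("limit 2 per port:", simulate(2))          # frame reaches port 3 only
```

Without the limit the table fills before PC-C can be learned, so the PC-A to PC-C frame is flooded; with a limit of 2 the offending port is shut down and the frame goes to port 3 alone.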
Strong Answer:
  • MTU (Maximum Transmission Unit) is the largest payload size a Layer 2 frame can carry — typically 1500 bytes for standard Ethernet. If an IP packet exceeds the MTU of a link in the path, it must either be fragmented into smaller packets or, if the “Don’t Fragment” (DF) bit is set, the router drops the packet and sends back an ICMP “Fragmentation Needed” message.
  • MTU problems most commonly surface with VPNs and tunnels. When you add a VPN encapsulation (say IPsec, which adds roughly 50-70 bytes of overhead), the effective MTU drops from 1500 to around 1430-1450 bytes. Packets that fit fine at 1500 bytes now exceed the tunnel’s effective MTU. If the DF bit is set and the ICMP “Fragmentation Needed” message is blocked by a firewall (which is depressingly common), you get a “black hole” — the connection appears to hang on large payloads while small packets (like pings) work fine.
  • To diagnose, I would use ping -M do -s 1472 target on Linux (or ping -f -l 1472 target on Windows). This sends a 1472-byte payload with DF set. If it works, try 1473, and keep increasing. When it fails, you have found the path MTU. The total packet size is payload + 8 bytes ICMP header + 20 bytes IP header, so a 1472 payload means a 1500-byte packet.
  • To fix: reduce the MTU on the interface (ip link set dev eth0 mtu 1400), or if using a VPN, configure TCP MSS clamping so that TCP connections negotiate a smaller maximum segment size that fits within the reduced MTU. Most VPN software has this as a configuration option.
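The probing procedure above, automated. This is an added example, not part of the original page: it binary-searches the DF payload size instead of stepping one byte at a time, and the function names, the 548-byte lower bound and the sample address are assumptions.

```python
import subprocess

IP_HDR, ICMP_HDR = 20, 8          # header sizes quoted in the text

def ping_df(target, payload):
    """True if one echo of `payload` bytes with DF set is answered (Linux ping)."""
    cmd = ["ping", "-M", "do", "-c", "1", "-W", "1", "-s", str(payload), target]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def path_mtu(target, probe=ping_df, lo=548, hi=1472):
    """Find the largest DF payload that passes; return the path MTU in bytes.

    lo=548 corresponds to a 576-byte packet, hi=1472 to a full 1500-byte one.
    """
    if not probe(target, lo):
        return None               # even small packets fail: not an MTU problem
    while lo < hi:
        mid = (lo + hi + 1) // 2  # round up so the loop always makes progress
        if probe(target, mid):
            lo = mid
        else:
            hi = mid - 1
    return lo + ICMP_HDR + IP_HDR

def clamped_mss(mtu, tcp_hdr=20):
    """TCP MSS that fits in `mtu` (IPv4, no TCP options)."""
    return mtu - IP_HDR - tcp_hdr

if __name__ == "__main__":
    # Constructed stand-in for a tunnel path with a 1420-byte MTU, so this runs
    # offline; drop the probe argument to send real pings on Linux.
    fake = lambda target, size: size + ICMP_HDR + IP_HDR <= 1420
    mtu = path_mtu("198.51.100.10", probe=fake)
    print("path MTU:", mtu, "MSS to clamp to:", clamped_mss(mtu))
```

A probe that times out is treated as "too big", so on a lossy path a single dropped echo can understate the MTU; repeat the measurement before changing interface settings.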
Follow-up: What are jumbo frames and when would you use them?
Jumbo frames are Ethernet frames with an MTU larger than the standard 1500 bytes, typically 9000 bytes. They are used in data center and storage networks where large data transfers are common — think NFS, iSCSI, or VM live migration. The benefit is efficiency: with a 9000-byte MTU, you send 6 times more data per frame while incurring the same per-frame overhead (header processing, interrupt handling). This can improve throughput by 10-30% for bulk transfers. The catch is that every device in the path must support and be configured for the same jumbo frame size. If one switch in the middle has a 1500-byte MTU, jumbo frames will be fragmented or dropped. In practice, jumbo frames are reliable within a controlled data center environment but should never be used across the internet or between sites, where you cannot guarantee every hop supports them.
Strong Answer:
  • ARP (Address Resolution Protocol) translates a known IP address into the corresponding MAC address on the local network segment. This is necessary because Layer 2 switching uses MAC addresses, but applications only know IP addresses.
  • When Device A (192.168.1.10) wants to send a packet to Device B (192.168.1.20) on the same subnet for the first time, A checks its ARP cache. Finding no entry for 192.168.1.20, it broadcasts an ARP Request to the broadcast MAC address (FF:FF:FF:FF:FF:FF): “Who has 192.168.1.20? Tell 192.168.1.10.” Every device on the local segment receives this frame.
  • Device B recognizes its own IP in the request and sends an ARP Reply directly (unicast) back to Device A: “192.168.1.20 is at MAC AA:BB:CC:DD:EE:FF.” Device A caches this mapping and uses it for all subsequent frames to 192.168.1.20 until the cache entry expires (typically 60-300 seconds depending on the OS).
  • If Device A wants to reach an IP on a different subnet (say 8.8.8.8), it does not ARP for 8.8.8.8. Instead, it ARPs for the default gateway’s IP (192.168.1.1) to get the gateway’s MAC address. It then sends the frame to the gateway’s MAC with the destination IP set to 8.8.8.8. The gateway handles routing from there. This is a subtlety that many people miss — the destination MAC is always the next hop, not the final destination.
Follow-up: How does ARP spoofing work, and what are the real-world defenses?
ARP has no authentication mechanism. Any device can send an unsolicited ARP Reply claiming “I am 192.168.1.1” (the gateway) and associate their own MAC address with the gateway’s IP. All devices that receive this gratuitous ARP update their caches. Now traffic intended for the gateway flows to the attacker instead, enabling a man-in-the-middle attack. The attacker forwards traffic to the real gateway after inspecting or modifying it, so the victims do not notice a disruption. Defenses include Dynamic ARP Inspection (DAI) on enterprise switches, which validates ARP packets against DHCP snooping bindings. Static ARP entries work but do not scale. On modern networks, 802.1X port authentication (which verifies device identity before granting network access) combined with DAI is the standard approach. In cloud and container environments, ARP spoofing is generally mitigated by the hypervisor or CNI plugin, which controls which MAC and IP addresses a virtual interface can use.
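The binding check that Dynamic ARP Inspection performs, as a simplified model. This is an added example, not part of the original page and not a switch vendor's implementation; the binding table, MAC addresses, port numbers and function names are constructed for illustration.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, SHA, SPA, THA, TPA

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Pack a 28-byte Ethernet/IPv4 ARP payload (used only for the samples below)."""
    def raw(mac):
        return bytes.fromhex(mac.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       raw(sender_mac), socket.inet_aton(sender_ip),
                       raw(target_mac), socket.inet_aton(target_ip))

def inspect_arp(payload, in_port, bindings, trusted_ports):
    """Return (verdict, reason) for one ARP payload received on in_port."""
    if in_port in trusted_ports:
        return ("permit", "trusted port")
    if len(payload) < 28:
        return ("drop", "truncated ARP")
    htype, ptype, hlen, plen, _, sha, spa, _, _ = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return ("drop", "not Ethernet/IPv4 ARP")
    ip, mac = socket.inet_ntoa(spa), sha.hex(":")
    bound = bindings.get(ip)             # what DHCP snooping recorded for this IP
    if bound is None:
        return ("drop", f"no binding for {ip}")
    if bound != (mac, in_port):
        return ("drop", f"{ip} is bound to {bound[0]} on port {bound[1]}")
    return ("permit", "matches binding")

# Constructed DHCP snooping table: IP -> (MAC, switch port). Port 24 is the trusted uplink.
A_MAC, B_MAC = "02:00:00:00:00:0a", "02:00:00:00:00:14"
BINDINGS = {"192.168.1.10": (A_MAC, 1), "192.168.1.20": (B_MAC, 2)}
TRUSTED = {24}

def run_samples():
    """Constructed ARP replies (op=2), all arriving on untrusted port 2."""
    samples = [build_arp(2, B_MAC, "192.168.1.20", A_MAC, "192.168.1.10"),  # honest
               build_arp(2, B_MAC, "192.168.1.1", A_MAC, "192.168.1.10"),   # claims gateway IP
               build_arp(2, B_MAC, "192.168.1.10", A_MAC, "192.168.1.20")]  # claims A's IP
    return [inspect_arp(p, 2, BINDINGS, TRUSTED) for p in samples]

if __name__ == "__main__":
    for verdict in run_samples():
        print(verdict)
```

The check keys on the sender fields inside the ARP payload, which is why a reply that reuses a legitimate source MAC but claims another host's IP is still dropped.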