Introduction to Ethernet

If you’ve ever plugged a cable into a switch port and watched that little amber light turn green, you’ve already had your first hands-on moment with Ethernet. It’s everywhere — from the 48-port Catalyst 9300 sitting in a datacenter rack to the cheap unmanaged switch under someone’s desk. Understanding Ethernet properly isn’t just an exam requirement; it’s foundational knowledge you’ll lean on every single day as a network engineer.

In this lesson we’re going to look at what Ethernet actually is, how it evolved over the decades, how frames are structured, and what all of this means when you’re staring at a switch interface that’s misbehaving at 2 AM.

What Is Ethernet?

Ethernet is a collection of standards — originally developed in the 1970s at Xerox PARC by Robert Metcalfe and his colleagues — that define how devices communicate over a shared or dedicated physical medium. Today it’s maintained and published by the IEEE (Institute of Electrical and Electronics Engineers) under the 802.3 family of standards.

The short version: Ethernet is the language your network devices speak on a local area network (LAN). When PC-A sends a file to PC-B across a switch, that data is wrapped in an Ethernet frame. The switch reads that frame, makes a forwarding decision based on the destination MAC address, and ships it out the right port. Simple in concept, but there’s a lot going on underneath.

(Related Article: “Introduction to LANs“)

A Brief History Worth Knowing

I know what you’re thinking — history? Just tell me the commands. But here’s the thing: if you understand where Ethernet came from, the design decisions it made will actually make sense to you. That understanding is what separates engineers who can troubleshoot from engineers who just Google error messages.

Ethernet 1.0 (1980) ran at 10 Mbps and used thick coaxial cable — the stuff people called “thicknet” or “yellow garden hose.” Every device literally tapped into a single shared cable. You can imagine how that went when multiple devices tried to transmit at the same time.

That collision problem led to the adoption of CSMA/CD — Carrier Sense Multiple Access with Collision Detection. Before transmitting, a device would “listen” to the wire. If it heard nothing, it would send. If two devices transmitted simultaneously and a collision occurred, both would detect the collision, stop, wait a random back-off period, then retry. It worked, but it was inherently inefficient on busy networks.

Over the years, Ethernet went through some big leaps:

Standard	Speed	Medium	Notes
10BASE-T	10 Mbps	UTP Cat3+	Half or full duplex
100BASE-TX (Fast Ethernet)	100 Mbps	UTP Cat5+	Replaced 10BASE-T in most LANs
1000BASE-T (Gigabit Ethernet)	1 Gbps	UTP Cat5e+	Now the baseline for enterprise access layer
10GBASE-T	10 Gbps	UTP Cat6a+	Common in distribution/core layer
40GBASE-SR4 / 100GBASE-SR4	40/100 Gbps	Fiber (OM3/OM4)	Datacenter and spine-leaf fabrics

One of the most important milestones was the move from hubs to switches. A hub is a dumb repeater — it sends every frame out every port, meaning all devices share the same collision domain. A switch is smarter — it learns MAC addresses and forwards frames only to the correct destination port. Each port on a switch is its own collision domain. The moment switches became affordable and ubiquitous in the 1990s, CSMA/CD essentially became irrelevant in practice. Modern switched networks with full-duplex links don’t experience collisions at all.

(Internal link suggestion: “Collision Domains”)

Ethernet Standards: The 802.3 Family

You’ll sometimes see Ethernet standards referenced as “802.3” followed by a letter or letters. That naming convention can be confusing at first. Here’s how to read it:

The 802.3 part identifies the working group within IEEE responsible for Ethernet. The suffix (like “ab”, “z”, “ae”) just represents the task group that developed that particular amendment or standard. For the CCNA, you don’t need to memorize every variant — but you should know the common physical layer types because you’ll deal with them when ordering cables and SFPs.

Common notation format:

[Speed][Signaling]-[Medium/Distance]
Example: 1000BASE-T
         1000 = 1000 Mbps (1 Gbps)
         BASE = Baseband signaling
         T    = Twisted pair (UTP)

1000BASE-SX → 1 Gbps, multimode fiber, short wavelength (up to ~550m on OM2)
1000BASE-LX → 1 Gbps, single-mode fiber, long wavelength (up to 10km)
10GBASE-SR → 10 Gbps, multimode fiber, short range
10GBASE-LR → 10 Gbps, single-mode fiber, long range (up to 10km)

In my experience, the fiber type mismatch is one of those things that trips up junior engineers on their first datacenter project. You order an SFP+ for a 10G uplink, plug it into an OM2 patch panel, and wonder why the interface won’t come up — then realize you grabbed an LR module designed for single-mode. Always match your optic to your fiber type.

The Ethernet Frame

This is the really important part. Everything Ethernet does revolves around the frame — the unit of data that gets transmitted on the wire. Let’s look at the structure of an Ethernet II frame (the format you’ll see almost exclusively in modern networks):

+------------------+------------------+--------+------------------+-----+
|  Destination MAC |   Source MAC     |EtherType|    Payload (Data)|FCS  |
|  (6 bytes)       |   (6 bytes)      |(2 bytes)| (46–1500 bytes)  |(4B) |
+------------------+------------------+--------+------------------+-----+

Let’s break each field down:

Destination MAC Address (6 bytes)

This tells the switch (and the receiving NIC) where the frame is going. It’s a 48-bit address written in hexadecimal — you know it as something like 00:1A:2B:3C:4D:5E. The destination can be:

Unicast: a single specific device
Multicast: a group of devices (e.g., 01:00:5E:xx:xx:xx for IPv4 multicast)
Broadcast: all devices on the segment — the famous FF:FF:FF:FF:FF:FF

Source MAC Address (6 bytes)

The MAC address of the sending device. Switches use this field to learn and populate their MAC address tables. Every time a frame arrives on a port, the switch looks at the source MAC and records which port that device is reachable on.

(Internal link suggestion: “How a Switch Learns MAC Addresses”)

EtherType (2 bytes)

This field identifies the Layer 3 protocol carried inside the frame. Common values:

0x0800 → IPv4
0x0806 → ARP
0x86DD → IPv6
0x8100 → 802.1Q VLAN tag

When you’re capturing traffic with Wireshark and you see “EtherType: 0x0800,” that’s the frame telling you it’s carrying an IPv4 packet inside.

Payload (46–1500 bytes)

This is where the actual data lives — the IP packet, ARP request, or whatever Layer 3 PDU is being transported. The maximum payload size of 1500 bytes is what we call the MTU (Maximum Transmission Unit) for standard Ethernet. If a packet exceeds 1500 bytes, it needs to be fragmented.

A note on jumbo frames: in datacenter environments, you’ll often configure a higher MTU — typically 9000 bytes (jumbo frames) — on server-facing ports and storage interconnects. This reduces overhead and improves throughput for large data transfers. Just make sure the MTU is consistent end-to-end or you’ll get some really fun troubleshooting scenarios involving silent packet drops.

FCS – Frame Check Sequence (4 bytes)

The FCS is a CRC (Cyclic Redundancy Check) value computed by the sender. The receiver recalculates the CRC and compares it to the FCS field. If they don’t match, the frame is silently dropped — it means the frame got corrupted in transit. A high FCS error count on an interface is a red flag: bad cable, damaged connector, faulty NIC, or a duplex mismatch.

MAC Addresses Explained

MAC addresses are 48 bits long, typically displayed as six groups of two hexadecimal digits separated by colons or hyphens:

00:1A:2B:3C:4D:5E
^^^^^^^  ^^^^^^^^^
OUI      Device Identifier

The first 3 bytes (24 bits) are the OUI (Organizationally Unique Identifier), assigned by IEEE to the manufacturer. The last 3 bytes are assigned by the manufacturer to uniquely identify that specific NIC. So when you see a MAC starting with 00:50:56, you know it’s a VMware virtual machine. 00:1C:73 is Arista. This comes in handy more often than you’d think when you’re staring at a MAC table trying to figure out what a mystery device is.

You can look up OUIs at the IEEE registry, or just use Wireshark — it does the lookup automatically.

Unicast, Multicast, and Broadcast

The least significant bit of the first byte in the destination MAC address tells you whether the frame is unicast or multicast:

Bit = 0 → Unicast (going to one specific device)
Bit = 1 → Multicast or Broadcast

FF:FF:FF:FF:FF:FF is all-ones in binary, which means every device on the segment receives and processes the frame. You’ll see broadcasts all the time with ARP — when a device needs to find the MAC address of an IP it wants to reach, it sends an ARP request to the broadcast address.

Full Duplex vs Half Duplex

This is one of those things that’s simple in theory but causes real headaches in production.

Half duplex means a device can either transmit or receive at any given moment — not both simultaneously. This is the old hub-era model. CSMA/CD was necessary here to manage collisions.

Full duplex means transmit and receive happen simultaneously over separate pairs of wires. There are no collisions, CSMA/CD is disabled, and throughput is dramatically better. Every modern switch port running at 100 Mbps or higher supports full duplex.

Here’s where the trouble starts: duplex mismatches. If one end of a link is set to full duplex and the other end negotiates or is hard-coded to half duplex, you get a mismatch. The half-duplex side will detect collisions (because the full-duplex side transmits whenever it wants), and the full-duplex side will see late collisions and FCS errors.

The symptoms are subtle — the link stays up, both sides can ping each other, but performance is terrible and you’ll see a steady climb in interface errors. I’ve seen this cause intermittent slowness in a production environment for weeks before someone bothered to check interface counters.

The fix is almost always to hard-code speed and duplex on both ends, or make sure both ends are set to auto for clean autonegotiation.

Ethernet Cabling

UTP Cables

Unshielded Twisted Pair (UTP) cable is what you’ll find in virtually every access layer deployment. The wire pairs are twisted together specifically to cancel out electromagnetic interference (EMI) — the twist rate varies between pairs, which helps prevent crosstalk between them.

For the CCNA, you need to know these categories:

Category	Max Speed	Max Length	Notes
Cat5e	1 Gbps	100m	Minimum for gigabit Ethernet
Cat6	10 Gbps	55m (10G) / 100m (1G)	Common in modern builds
Cat6a	10 Gbps	100m	Better shielding, full 10G at 100m
Cat8	25/40 Gbps	30m	Short runs in datacenters

The 100-meter rule is fundamental: the maximum distance for a copper Ethernet segment is 100 meters (about 328 feet). This applies to Cat5e, Cat6, and Cat6a for their rated speeds. If you need to go farther, you either add a switch in the middle or switch to fiber.

Straight-Through vs Crossover Cables

Older equipment required you to use the right cable type depending on what you were connecting:

Straight-through: connects unlike devices (PC to switch, switch to router)
Crossover: connects like devices (switch to switch, PC to PC)

Modern Cisco gear (and basically everything manufactured in the last 15+ years) supports Auto-MDIX, which automatically detects the cable type and adjusts accordingly. You can use a straight-through for everything and Auto-MDIX will sort it out. That said, if you’re ever working on older gear — some legacy Catalyst 2950s in a lab environment, for example — you might still need to think about this.

Fiber Cables

When you need to go beyond 100 meters, or you need electrical isolation between buildings, fiber is your answer. Two main types:

Multimode fiber (MMF): uses an LED or VCSEL light source, larger core diameter (50 or 62.5 micron), suitable for shorter distances (typically up to 300–550 meters depending on the fiber grade and speed). OM3 and OM4 are what you’ll find in modern datacenters.

Single-mode fiber (SMF): uses a laser light source, much smaller core (9 micron), designed for long-distance transmission — we’re talking kilometers. SMF is what you’ll use for building-to-building links or WAN handoffs.

Verifying Ethernet on Cisco Devices

Let’s get to the part where you actually interact with this on IOS/IOS-XE. Here are the key commands you’ll use to verify Ethernet interfaces.

show interfaces

This is your first stop when troubleshooting any interface issue:

Switch# show interfaces GigabitEthernet0/1
GigabitEthernet0/1 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0023.ea12.3401 (bia 0023.ea12.3401)
  Description: Uplink to Distribution SW
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  5 minute input rate 1234000 bits/sec, 187 packets/sec
  5 minute output rate 876000 bits/sec, 132 packets/sec
     14523190 packets input, 2918450623 bytes, 0 no buffer
     Received 12341 broadcasts (4201 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 4201 multicast, 0 pause input
     10234567 packets output, 1874321098 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

The things to focus on:

“is up, line protocol is up” — this means the physical link is good and Layer 2 is operational
Full-duplex, 1000Mb/s — confirms speed and duplex negotiated correctly
0 CRC, 0 input errors — clean frame reception, no corruption
0 collisions, 0 late collision — confirms no duplex mismatch

show interfaces status

Great for getting a quick overview of all ports:

Switch# show interfaces status

Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/1     Uplink to Dist SW  connected    trunk        full   1000 10/100/1000BaseTX
Gi0/2     PC-Finance-01      connected    10           full   1000 10/100/1000BaseTX
Gi0/3     IP Phone           connected    voice        full    100 10/100/1000BaseTX
Gi0/4                        notconnect   1            auto   auto 10/100/1000BaseTX
Gi0/5                        err-disabled 20           full   1000 10/100/1000BaseTX

A few things stand out in this output: notconnect means nothing is plugged in (or the cable is bad). err-disabled is a port that IOS has shut down automatically due to a security or protocol violation — you’ll need to figure out why before re-enabling it.

show interfaces counters errors

When you suspect errors but don’t want to wade through the full show interfaces output for every port:

Switch# show interfaces GigabitEthernet0/1 counters errors

Port         Align-Err    FCS-Err   Xmit-Err    Rcv-Err  UnderSize  OutDiscards
Gi0/1                0          0          0          0          0            0

All zeros is what you want to see. Persistent FCS errors usually mean a physical layer problem — bad cable, connector, or optic.

Common Ethernet Troubleshooting Scenarios

Interface Keeps Flapping

You see a flood of syslog messages: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to down followed almost immediately by the up message. The interface is bouncing.

Causes and how to check:

Bad cable — swap the cable first, it’s the fastest test
Faulty SFP or optic — show interfaces GigabitEthernet0/2 transceiver can tell you if the receive power is within spec
Duplex/speed mismatch causing one side to give up — check show interfaces on both ends
Remote device cycling — show cdp neighbors detail to see if the neighbor is stable

Speed/Duplex Mismatch

Symptoms: link is up, pings work, but throughput is terrible. Copying files is slow. Maybe some packet loss under load.

Switch# show interfaces GigabitEthernet0/3
GigabitEthernet0/3 is up, line protocol is up (connected)
  ...
  Half-duplex, 100Mb/s, media type is 10/100/1000BaseTX
  ...
     0 input errors, 0 CRC, 0 frame
     0 output errors, 847 collisions, 3 interface resets
     0 babbles, 312 late collision, 0 deferred

There it is — 847 collisions and 312 late collisions on a switch port. That should never happen on a modern switched network. One side is running half duplex. Fix it:

Switch(config)# interface GigabitEthernet0/3
Switch(config-if)# duplex full
Switch(config-if)# speed 1000

Or, if both ends support autonegotiation properly, set both to auto:

Switch(config-if)# duplex auto
Switch(config-if)# speed auto

My preference in production: I hard-code speed and duplex on uplink ports between switches and on server-facing ports. For user access ports, I leave them on auto. The risk of autoneg failure on a user desktop is minor; the risk on a trunk carrying 200 VLANs is not.

High CRC / Input Errors

If you see climbing CRC errors, the problem is almost always physical:

Check the cable — replace it with a known-good one
Check the connector — a damaged RJ45 crimp is very common
Check the SFP or fiber connector — dirty connectors are a real issue with fiber
Check the cable length — are you over 100m on copper?
Check for interference — cables running parallel to fluorescent lights or motors can introduce EMI

Switch# show interfaces GigabitEthernet0/4
  ...
  1247 input errors, 1247 CRC, 0 frame, 0 overrun, 0 ignored

1247 CRC errors and climbing. Swap the cable, clear the counters with clear counters GigabitEthernet0/4, and watch if the errors return.

err-disabled Port

A port that shows as err-disabled has been shut down by IOS automatically. Common reasons:

Port Security violation — an unauthorized MAC address connected
BPDU Guard — a switch or rogue device sent a BPDU on a PortFast-enabled port
Loopback detected — someone plugged both ends of a cable into the same switch
UDLD — unidirectional link detected

To see the reason:

Switch# show interfaces status err-disabled

Port      Name               Status       Reason               Err-disabled Vlans
Gi0/5                        err-disabled Bpduguard

Fix the underlying cause first — in this case, remove whatever device triggered the BPDU Guard. Then re-enable the port:

Switch(config)# interface GigabitEthernet0/5
Switch(config-if)# shutdown
Switch(config-if)# no shutdown

Or if you’ve configured err-disable recovery:

Switch(config)# errdisable recovery cause bpduguard
Switch(config)# errdisable recovery interval 300

Ethernet vs Wi-Fi: A Quick Note

Ethernet defines the wired LAN standard (802.3). Wireless LAN is a completely separate standard — 802.11 — maintained by the same IEEE. The two share some concepts (MAC addresses, frames) but differ significantly in how they handle the physical medium, access control, and security.

The reason this matters: when a wireless client sends data through an access point to a wired host, the 802.11 wireless frame gets converted to an 802.3 Ethernet frame at the AP before it hits the wired network. They’re not the same frame format. Knowing where that boundary is helps when you’re troubleshooting end-to-end connectivity issues involving both wired and wireless devices.

Conclusion

Ethernet has come a long way from 10 Mbps coax cables and collision-filled hubs. Today it’s a mature, well-understood technology running everything from your home network to 400 Gbps datacenter fabrics. The fundamentals though — MAC addresses, frame structure, full duplex, cabling rules — haven’t changed all that much in concept.

The key things to take away from this lesson:

Ethernet is standardized by IEEE under the 802.3 family
The Ethernet frame contains Destination MAC, Source MAC, EtherType, Payload, and FCS
MAC addresses are 48-bit hardware addresses with an OUI identifying the manufacturer
Modern switched networks run full duplex — CSMA/CD is effectively obsolete
Copper UTP runs a maximum of 100 meters; fiber extends this to hundreds or thousands of meters
show interfaces is your go-to command for verifying speed, duplex, and error counters

In the next lesson we’ll look at collision domains — an important concept for understanding how hubs and switches differ in the way they handle network traffic.