6.1.1 Introduction to Ethernet

Now the same protocol that transported data at 3 Mbps in 1973 can carry data at 10 Gbps.

The success of Ethernet is due to the following factors:

• Simplicity and ease of maintenance
• Ability to incorporate new technologies
• Reliability
• Low cost of installation and upgrade

The introduction of Gigabit Ethernet has extended the original LAN technology to distances that make Ethernet a MAN and WAN standard.

The first Ethernet standard was published in 1980 by a consortium of Digital Equipment Company, Intel, and Xerox (DIX).

In 1985, the IEEE standards committee for Local and Metropolitan Networks published standards for LANs. These standards start with the number 802. The standard for Ethernet is 802.3.

The differences between the two standards were so minor that any Ethernet NIC can transmit and receive both Ethernet and 802.3 frames. Essentially, Ethernet and IEEE 802.3 are the same standards.

In 1995, IEEE announced a standard for a 100-Mbps Ethernet. This was followed by standards for Gigabit Ethernet in 1998 and 1999.

All the standards are essentially compatible with the original Ethernet standard. An Ethernet frame could leave an older coax 10-Mbps NIC in a PC, be placed onto a 10-Gbps Ethernet fiber link, and end up at a 100-Mbps NIC. As long as the packet stays on Ethernet networks it is not changed. For this reason Ethernet is considered very scalable.

6.1.2 IEEE Ethernet naming rules

Ethernet is a family of networking technologies that includes Legacy, Fast Ethernet, and Gigabit Ethernet.

Ethernet speeds can be 10, 100, 1000, or 10,000 Mbps.

The basic frame format and the IEEE sublayers of OSI Layers 1 and 2 remain consistent across all forms of Ethernet.

When Ethernet needs to be expanded to add a new medium or capability, the IEEE issues a new supplement to the 802.3 standard. The new supplements are given a one or two letter designation such as 802.3u. An abbreviated description, called an identifier, is also assigned to the supplement.

The abbreviated description consists of the following elements:

• A number that indicates the number of Mbps transmitted
• The word base to indicate that baseband signaling is used
• One or more letters of the alphabet indicating the type of medium used. For example, F = fiber optical cable and T = copper unshielded twisted pair

Ethernet relies on baseband signaling. The data signal is transmitted directly over the transmission medium.

In broadband signaling, the data signal is no longer placed directly on the transmission medium. Ethernet used broadband signaling in the 10BROAD36 standard. 10BROAD36 is the IEEE standard for an 802.3 Ethernet network using broadband transmission with thick coaxial cable running at 10 Mbps. 10BROAD36 is now considered obsolete.

Ethernet operates in two areas of the OSI model. These are the lower half of the data link layer, which is known as the MAC sublayer, and the physical layer.

Data that moves from one Ethernet station to another often passes through a repeater. All stations in the same collision domain see traffic that passes through a repeater.  A collision domain is a shared resource.

To guarantee minimum bandwidth and operability, standards specify the maximum number of stations per segment, maximum segment length, and maximum number of repeaters between stations.

Stations separated by bridges or routers are in different collision domains.

Ethernet at Layer 1 involves signals, bit streams that travel on the media, components that put signals on media, and various topologies.

Data link sublayers contribute significantly to technological compatibility and computer communications. The MAC sublayer is concerned with the physical components that will be used to communicate the information. The Logical Link Control (LLC) sublayer remains relatively independent of the physical equipment that will be used for the communication process.

Ethernet uses MAC addresses that are 48 bits in length and expressed as 12 hexadecimal digits.

The first six hexadecimal digits, which are administered by the IEEE, identify the manufacturer or vendor. This portion of the MAC address is known as the Organizational Unique Identifier (OUI).

The remaining six hexadecimal digits represent the interface serial number or another value administered by the manufacturer.

MAC addresses are sometimes referred to as burned-in MAC addresses (BIAs) because they are burned into ROM and are copied into RAM when the NIC initializes.

The NIC uses the MAC address to determine if a message should be passed on to the upper layers. The NIC does not use CPU processing time to make this assessment.

When a device sends data on an Ethernet network, the source device attaches a header with the MAC address of the intended destination and sends data through the network. As this data travels along the network media the NIC in each device checks to see if the MAC address matches the physical destination address carried by the data frame. If there is no match, the NIC discards the data frame. When the data reaches the destination node, the NIC makes a copy and passes the frame up the OSI layers. On an Ethernet network, all nodes must examine the MAC header.

All devices that are connected to the Ethernet LAN have MAC addressed interfaces. This includes workstations, printers, routers, and switches.

Framing is the Layer 2 encapsulation process. A frame is the Layer 2 protocol data unit.

There are many different types of frames described by various standards. A single generic frame has sections called fields. Each field is composed of bytes. The names of the fields are as follows:

• Start Frame field
• Address field
• Length/Type field
• Data field
• Frame Check Sequence (FCS) field

Regardless of the technology, all frames begin with a sequence of bytes to signal the data transmission.

All frames contain naming information, such as the name of the source node, or source MAC address, and the name of the destination node, or destination MAC address.

Most frames have some specialized fields. In some technologies, a Length field specifies the exact length of a frame in bytes. Some frames have a Type field, which specifies the Layer 3 protocol used by the device that wants to send data.

Frames are used to send upper-layer data. The data package includes the message to be sent, or user application data.

The FCS field contains a number that is calculated by the source node based on the data in the frame. This number is added to the end of a frame that is sent. When the destination node receives the frame the FCS number is recalculated and compared with the FCS number included in the frame. If the two numbers are different, an error is assumed, the frame is discarded.

Because the source cannot detect that the frame has been discarded, retransmission has to be initiated by higher layer connection-oriented protocols providing data flow control. Because these protocols, such as TCP, expect frame acknowledgment, ACK, to be sent by the peer station within a certain time, retransmission usually occurs.

There are three primary ways to calculate the FCS number:

• Cyclic redundancy check (CRC) – performs calculations on the data.
• Two-dimensional parity – places individual bytes in a two-dimensional array and performs redundancy checks vertically and horizontally on the array, creating an extra byte resulting in an even or odd number of binary 1s.
• Internet checksum – adds the values of all of the data bits to arrive at a sum.

At the data link layer the frame structure is nearly identical for all speeds of Ethernet from 10 Mbps to 10,000 Mbps. 

At the physical layer almost all versions of Ethernet are very different. Each speed has a distinct set of architecture design rules.

The Preamble and Start-of-Frame (SOF) Delimiter were combined into a single field.

The field labeled Length/Type was only listed as Length in the early IEEE versions and only as Type in the DIX version.

These two uses of the field were officially combined in a later IEEE version since both uses were common. (The Ethernet II)

The Ethernet II Type field is incorporated into the current 802.3 frame definition. When a node receives a frame it must examine the Length/Type field to determine which higher-layer protocol is present. If the two-octet value is equal to or greater than 0x0600 hexadecimal, 1536 decimal, then the contents of the Data Field are decoded according to the protocol indicated.

An 802.3 Ethernet frame are as follows:

• Preamble
• SOF Delimiter
• Destination Address
• Source Address
• Length/Type
• Header and Data
• FCS
• Extension

The preamble is an alternating pattern of ones and zeros used to time synchronization in 10 Mbps and slower implementations of Ethernet. Faster versions of Ethernet are synchronous so this timing information is unnecessary but retained for compatibility.

A SOF delimiter consists of a one-octet field that marks the end of the timing information and contains the bit sequence 10101011.

The destination address can be unicast, multicast, or broadcast.

The Source Address field contains the MAC source address. The source address is generally the unicast address of the Ethernet node that transmitted the frame. However, many virtual protocols use and sometimes share a specific source MAC address to identify the virtual entity.

The Length/Type field supports two different uses. If the value is less than 1536 decimal, 0x600 hexadecimal, then the value indicates length. The length interpretation is used when the LLC layer provides the protocol identification. The type value indicates which upper-layer protocol will receive the data after the Ethernet process is complete. The length indicates the number of bytes of data that follows this field.

The Data field and padding if necessary, may be of any length that does not cause the frame to exceed the maximum frame size. The maximum transmission unit (MTU) for Ethernet is 1500 octets, so the data should not exceed that size. The content of this field is unspecified. An unspecified amount of data is inserted immediately after the user data when there is not enough user data for the frame to meet the minimum frame length. This extra data is called a pad. Ethernet requires each frame to be between 64 and 1518 octets.

A FCS contains a 4-byte CRC value that is created by the device that sends data and is recalculated by the destination device to check for damaged frames. The corruption of a single bit anywhere from the start of the Destination Address through the end of the FCS field will cause the checksum to be different. Therefore, the coverage of the FCS includes itself. It is not possible to distinguish between corruption of the FCS and corruption of any other field used in the calculation.

MAC refers to protocols that determine which computer in a shared-media environment, or collision domain, is allowed to transmit data.

The two categories of MAC are deterministic and non-deterministic.

Examples of deterministic protocols include Token Ring and FDDI.

In a Token Ring network, hosts are arranged in a ring and a special data token travels around the ring to each host in sequence. When a host wants to transmit, it seizes the token, transmits the data for a limited time, and then forwards the token to the next host in the ring. Token Ring is a collisionless environment since only one host can transmit at a time.

Non-deterministic MAC protocols use a first-come, first-served approach. CSMA/CD is a simple system.

The NIC listens for the absence of a signal on the media and begins to transmit. If two nodes transmit at the same time a collision occurs and none of the nodes are able to transmit.

Three common Layer 2 technologies are Token Ring, FDDI, and Ethernet.

All three specify Layer 2 issues, LLC, naming, framing, and MAC, as well as Layer 1 signaling components and media issues.

The specific technologies for each are as follows:

• Ethernet – uses a logical bus topology to control information flow on a linear bus and a physical star or extended star topology for the cables
• Token Ring – uses a logical ring topology to control information flow and a physical star topology
• FDDI – uses a logical ring topology to control information flow and a physical dual-ring topology

Ethernet is a shared-media broadcast technology.

In the CSMA/CD access method, networking devices with data to transmit work in a listen-before-transmit mode.

When a node wants to send data, it must first check to see whether the networking media is busy.

     If the node determines the network is busy, the node will wait a random amount of time before retrying.

     If the node determines the networking media is not busy, the node will begin transmitting and listening. The node listens to ensure no other stations are transmitting at the same time.

After completing data transmission the device will return to listening mode.

Networking devices detect a collision has occurred when the amplitude of the signal on the networking media increases.

When a collision occurs, each node that is transmitting will continue to transmit for a short time to ensure that all nodes detect the collision.

When all nodes have detected the collision, the backoff algorithm is invoked and transmission stops.

The nodes stop transmitting for a random period of time, determined by the backoff algorithm.

When the delay periods expire, each node can attempt to access the networking media.

In full duplex, the station may send and receive simultaneously and collisions should not occur. Full-duplex operation also changes the timing considerations and eliminates the concept of slot time. Full-duplex operation allows for larger network architecture designs since the timing restriction for collision detection is removed.

In half duplex, assuming that a collision does not occur, the sending station will transmit 64 bits of timing synchronization information that is known as the preamble. The sending station will then transmit the following information.

10 Mbps and slower versions of Ethernet are asynchronous. Asynchronous means that each receiving station will use the eight octets of timing information to synchronize the receive circuit to the incoming data, and then discard it.

100 Mbps and higher speed implementations of Ethernet are synchronous. Synchronous means the timing information is not required, however for compatibility reasons the Preamble and Start Frame Delimiter (SFD) are present.

slot time:

For all speeds of Ethernet transmission at or below 1000 Mbps, the standard describes how a transmission may be no smaller than the slot time.

Slot time for 10 and 100-Mbps Ethernet is 512 bit-times, or 64 octets. Slot time for 1000-Mbps Ethernet is 4096 bit-times, or 512 octets.

Slot time is calculated assuming maximum cable lengths on the largest legal network architecture. All hardware propagation delay times are at the legal maximum and the 32-bit jam signal is used when collisions are detected.

The actual calculated slot time is just longer than the theoretical amount of time required to travel between the furthest points of the collision domain, collide with another transmission at the last possible instant, and then have the collision fragments return to the sending station and be detected.

For the system to work the first station must learn about the collision before it finishes sending the smallest legal frame size.

To allow 1000-Mbps Ethernet to operate in half duplex the extension field was added when sending small frames purely to keep the transmitter busy long enough for a collision fragment to return. This field is present only on 1000-Mbps, half-duplex links and allows minimum-sized frames to be long enough to meet slot time requirements. Extension bits are discarded by the receiving station.

On 10-Mbps Ethernet one bit at the MAC layer requires 100 nanoseconds (ns) to transmit. At 100 Mbps that same bit requires 10 ns to transmit and at 1000 Mbps only takes 1 ns. As a rough estimate, 20.3 cm (8 in) per nanosecond is often used for calculating propagation delay down a UTP cable. For 100 meters of UTP, this means that it takes just under 5 bit-times for a 10BASE-T signal to travel the length the cable.

For CSMA/CD Ethernet to operate, the sending station must become aware of a collision before it has completed transmission of a minimum-sized frame. For this reason half duplex is not permitted in 10-Gigabit Ethernet.

The minimum spacing between two non-colliding frames is also called the interframe spacing. This is measured from the last bit of the FCS field of the first frame to the first bit of the preamble of the second frame.

After a frame has been sent, all stations on a 10-Mbps Ethernet are required to wait a minimum of 96 bit-times (9.6 microseconds) before any station may legally transmit the next frame.

On faster versions of Ethernet the spacing remains the same, 96 bit-times, but the time required for that interval grows correspondingly shorter. This interval is referred to as the spacing gap. The gap is intended to allow slow stations time to process the previous frame and prepare for the next frame.

Some Ethernet chipsets are sensitive to a shortening of the interframe spacing, and will begin failing to see frames as the gap is reduced.

After a collision occurs and all stations allow the cable to become idle (each waits the full interframe spacing), then the stations that collided must wait an additional and potentially progressively longer period of time before attempting to retransmit the collided frame.

The waiting period is intentionally designed to be random so that two stations do not delay for the same amount of time before retransmitting, which would result in more collisions.

If the MAC layer is unable to send the frame after sixteen attempts, it gives up and generates an error to the network layer. Such an occurrence is fairly rare and would happen only under extremely heavy network loads, or when a physical problem exists on the network.

The most common error condition on Ethernet networks are collisions.

Collisions result in network bandwidth loss.

The considerable majority of collisions occur very early in the frame, often before the SFD. Collisions occurring before the SFD are usually not reported to the higher layers, as if the collision did not occur.

As soon as a collision is detected, the sending stations transmit a 32-bit “jam” signal that will enforce the collision. This is done so that any data being transmitted is thoroughly corrupted and all stations have a chance to detect the collision.

The most commonly observed data pattern for a jam signal is simply a repeating one, zero, one, zero pattern, the same as Preamble.

When viewed by a protocol analyzer this pattern appears as either a repeating hexadecimal 5 or A sequence.

The corrupted, partially transmitted messages are often referred to as collision fragments or runts.

A single collision is a collision that was detected while trying to transmit a frame, but on the next attempt the frame was transmitted successfully.

Multiple collisions indicate that the same frame collided repeatedly before being successfully transmitted.

Three types of collisions are:

• Local
• Remote
• Late

To create a local collision on coax cable (10BASE2 and 10BASE5), the signal travels down the cable until it encounters a signal from the other station. The waveforms then overlap, canceling some parts of the signal out and reinforcing or doubling other parts. The doubling of the signal pushes the voltage level of the signal beyond the allowed maximum. This over-voltage condition is then sensed by all of the stations on the local cable segment as a collision.

On UTP cable, such as 10BASE-T, 100BASE-TX and 1000BASE-T, a collision is detected on the local segment only when a station detects a signal on the RX pair at the same time it is sending on the TX pair. Since the two signals are on different pairs there is no characteristic change in the signal.

Collisions are only recognized on UTP when the station is operating in half duplex.

 If the station is not engaged in transmitting it cannot detect a local collision.

A cable fault such as excessive crosstalk can cause a station to perceive its own transmission as a local collision.

The characteristics of a remote collision are a frame that is less than the minimum length, has an invalid FCS checksum, but does not exhibit the local collision symptom of over-voltage or simultaneous RX/TX activity.

This sort of collision usually results from collisions occurring on the far side of a repeated connection. A repeater will not forward an over-voltage state, and cannot cause a station to have both the TX and RX pairs active at the same time.

The station would have to be transmitting to have both pairs active, and that would constitute a local collision.

On UTP networks this is the most common sort of collision observed.

There is no possibility remaining for a normal or legal collision after the first 64 octets of data has been transmitted by the sending stations.

Collisions occurring after the first 64 octets are called “late collisions".

The most significant difference between late collisions and collisions occurring before the first 64 octets is that the Ethernet NIC will retransmit a normally collided frame automatically, but will not automatically retransmit a frame that was collided late. The upper layers of the protocol stack must determine that the frame was lost.

Other than retransmission, a station detecting a late collision handles it in exactly the same way as a normal collision.

The following are the sources of Ethernet error:

• Collision or runt – Simultaneous transmission occurring before slot time has elapsed
• Late collision – Simultaneous transmission occurring after slot time has elapsed
• Jabber, long frame and range errors – Excessively or illegally long transmission 
• Short frame, collision fragment or runt – Illegally short transmission
• FCS error – Corrupted transmission
• Alignment error – Insufficient or excessive number of bits transmitted
• Range error – Actual and reported number of octets in frame do not match
• Ghost or jabber – Unusually long Preamble or Jam event

While local and remote collisions are considered to be a normal part of Ethernet operation, late collisions are considered to be an error.

The presence of errors on a network always suggests that further investigation is warranted.

A handful of errors detected over many minutes or over hours would be a low priority. Thousands detected over a few minutes suggest that urgent attention is warranted.

Jabber is defined in several places in the 802.3 standard as being a transmission of at least 20,000 to 50,000 bit times in duration. However, most diagnostic tools report jabber whenever a detected transmission exceeds the maximum legal frame size. Most references to jabber are more properly called long frames.

A long frame is one that is longer than the maximum legal size, and takes into consideration whether or not the frame was tagged.

A short frame is a frame smaller than the minimum legal size of 64 octets, with a good frame check sequence. Some protocol analyzers and network monitors call these frames “runts". In general the presence of short frames is not a guarantee that the network is failing.

The term runt may refer to short frames with a valid FCS checksum although it usually refers to collision fragments.

A received frame that has a bad Frame Check Sequence, also referred to as a checksum or CRC error, differs from the original transmission by at least one bit.

The checksum calculated by the receiving station does not match the checksum appended to the end of the frame by the sending station. The frame is then discarded.

High numbers of FCS errors from a single station usually indicates a faulty NIC and/or faulty or corrupted software drivers, or a bad cable connecting that station to the network.

 If FCS errors are associated with many stations, they are generally traceable to bad cabling, a faulty version of the NIC driver, a faulty hub port, or induced noise in the cable system.

A message that does not end on an octet boundary is known as an alignment error. Instead of the correct number of binary bits forming complete octet groupings, there are additional bits left over (less than eight). This is often caused by bad software drivers, or a collision, and is frequently accompanied by a failure of the FCS checksum.

A frame with a valid value in the Length field but did not match the actual number of octets counted in the data field is known as a range error.  This error also appears when the length field value is less than the minimum legal unpadded size of the data field. A similar error, Out of Range, is reported when the value in the Length field indicates a data size that is too large to be legal.

Fluke Networks has coined the term ghost to mean energy (noise) detected on the cable that appears to be a frame, but is lacking a valid SFD. To qualify as a ghost, the frame must be at least 72 octets long, including the preamble. Otherwise, it is classified as a remote collision.

Ground loops and other wiring problems are usually the cause of ghosting. Most network monitoring tools do not recognize the existence of ghosts.

As Ethernet grew from 10 to 100 and 1000 Mbps, one requirement was to make each technology interoperable, even to the point that 10, 100, and 1000 interfaces could be directly connected.

A process called Auto-Negotiation of speeds at half or full duplex was developed.

The Fast Ethernet standard included a method of automatically configuring a given interface to match the speed and capabilities of the link partner.

It has the additional advantage of only involving the lowest part of the physical layer.

10BASE-T required each station to transmit a link pulse about every 16 milliseconds, whenever the station was not engaged in transmitting a message.

Auto-Negotiation is accomplished by transmitting a burst of 10BASE-T Link Pulses from each of the two link partners.

Auto-Negotiation adopted this signal and renamed it a Normal Link Pulse (NLP).

When a series of NLPs are sent in a group for the purpose of Auto-Negotiation, the group is called a Fast Link Pulse (FLP) burst.

Each FLP burst is sent at the same timing interval as an NLP, and is intended to allow older 10BASE-T devices to operate normally in the event they should receive an FLP burst.

If Auto-Negotiation only exists at one end of the link, the Auto-Negotiation protocol is designed to detect that condition and respond correctly using a mechanism called Parallel Detection.

The Auto-Negotiation protocol provides mechanisms for hub ports and connected interfaces to negotiate the highest common  performance over a given link.

For example:

If a dual-speed 10/100 Ethernet interface with Auto-Negotiation is connected to a 10BASE-T hub that does not have Auto-Negotiation, the interface will generate FLPs but will only receive NLPs from the 10BASE-T hub.

The Auto-Negotiation protocol in the interface will detect the presence of Normal Link Pulses and automatically place the interface in 10BASE-T mode.

For example:

When an Auto-Negotiation hub with multiple capabilities in its ports is connected to an interface that only supports 100BASE-TX and is not equipped with Auto-Negotiation, the Auto-Negotiation protocol will set the hub port to operate in 100BASE-TX mode.

For example:

If the 10BASE-T hub in the previous example is later replaced with a 100BASE-T repeater hub, then the dual-speed interface will receive FLPs when the hub is turned on, and the Auto-Negotiation protocol will result in the interface and hub port both operating at 100-Mbps.

If a link is established through parallel detection, it is required to be half duplex.

6.2.10 Link establishment and full and half duplex