
The Physical layer moves raw bits. But bits alone are chaos—a stream of ones and zeros with no beginning, no end, no meaning. The Data Link layer takes that chaos and creates conversation.

This is Layer 2: where bits become frames, where devices get names, where errors get caught before they spread. It's the layer of the local network—the neighborhood where everyone knows each other by address.

The Problem Layer 2 Solves

Imagine a wire connecting several computers. They all share it. When one sends bits, everyone receives them. How do you know which bits are meant for you? How do you know where a message starts and ends? How do you know if something got corrupted in transit?

Layer 2 answers all of this:

  • Framing: Wrapping bits into structured packages with clear boundaries
  • Addressing: Giving every device a unique name (MAC address) so messages find the right recipient
  • Error detection: Catching corrupted frames before they cause problems upstream
  • Access control: Coordinating who speaks when on shared media

This is hop-by-hop communication. Layer 2 doesn't care about the final destination across the Internet—it only cares about getting the frame to the next directly connected device. The journey of a thousand miles handled one hop at a time.

MAC Addresses: Names for Network Interfaces

Every network interface has a MAC address—a 48-bit identifier written as six pairs of hexadecimal digits:

00:1A:2B:3C:4D:5E

The first three pairs (00:1A:2B) identify the manufacturer. The last three (3C:4D:5E) identify the specific device. Apple devices start with certain prefixes. So do Dell, Cisco, Intel. You can often guess a device's manufacturer from its MAC address.

Three types of MAC addresses matter:

  • Unicast: One specific device. Most traffic.
  • Broadcast (FF:FF:FF:FF:FF:FF): Every device on the local network. Used when you need everyone's attention.
  • Multicast: A group of interested devices. Used for streaming, routing protocols, and other group communication.

Ethernet Frames: The Envelope

Ethernet dominates Layer 2. An Ethernet frame is the envelope that carries your data:

| Field | Size | Purpose |
|---|---|---|
| Preamble & Start | 8 bytes | Synchronization ("message incoming") |
| Destination MAC | 6 bytes | Who should receive this |
| Source MAC | 6 bytes | Who sent this |
| Type | 2 bytes | What's inside (IPv4? IPv6? ARP?) |
| Payload | 46-1500 bytes | The actual data |
| Frame Check Sequence | 4 bytes | Error detection checksum |

The minimum payload is 46 bytes. Smaller messages get padded. The maximum is 1500 bytes—the famous MTU (Maximum Transmission Unit) that causes fragmentation headaches at Layer 3.

The Frame Check Sequence is a CRC checksum. The sender calculates it over the frame contents. The receiver recalculates it. If they don't match, the frame is corrupted and gets silently discarded. No retransmission at this layer—that's TCP's job, higher up the stack.
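The frame layout, padding rule and FCS check described above, as an added Python example (not code from the original page). It builds a frame without the preamble, verifies the CRC on receipt, and classifies the destination address; the sample payload and the function names are constructed for illustration.

```python
import struct
import zlib

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
MIN_PAYLOAD, MAX_PAYLOAD = 46, 1500


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_kind(mac):
    """Classify a 6-byte destination address."""
    if mac == b"\xff" * 6:
        return "broadcast"
    # The low bit of the first octet is the group bit: set means multicast.
    return "multicast" if mac[0] & 1 else "unicast"


def build_frame(dst, src, ethertype, payload):
    """Return header + padded payload + FCS (the preamble is not included)."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds the 1500-byte MTU")
    payload = payload.ljust(MIN_PAYLOAD, b"\x00")      # pad short payloads
    body = mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload
    # Ethernet's FCS is the CRC-32 that zlib computes, sent low byte first.
    return body + struct.pack("<I", zlib.crc32(body))


def parse_frame(frame):
    """Return the frame's fields, or None if it is a runt or fails the FCS."""
    if len(frame) < 14 + MIN_PAYLOAD + 4:
        return None
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    if zlib.crc32(body) != fcs:
        return None                                    # corrupted: silently discard
    ethertype = struct.unpack("!H", body[12:14])[0]
    return {
        "dst": body[0:6].hex(":"),
        "src": body[6:12].hex(":"),
        "dst_kind": mac_kind(body[0:6]),
        "type": ETHERTYPES.get(ethertype, hex(ethertype)),
        "payload": body[14:],
    }


# Constructed sample: a short payload sent to the broadcast address.
SAMPLE = build_frame("ff:ff:ff:ff:ff:ff", "00:1a:2b:3c:4d:5e", 0x0806, b"who-has")
CORRUPTED = SAMPLE[:20] + bytes([SAMPLE[20] ^ 0x01]) + SAMPLE[21:]   # one flipped bit
```

The CRC catches accidental corruption only: anyone who can modify a frame can recompute a valid FCS, so it is not an integrity protection against tampering.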

Switches: The Neighborhood Gossips

Switches are gossips with perfect memory. They learn who's where by eavesdropping on every conversation.

When a frame arrives on port 3 from MAC address AA:BB:CC:DD:EE:FF, the switch thinks: "Ah, that device is behind port 3." It writes this down in its MAC address table. Over time, it builds a complete map of the neighborhood.

When a frame needs forwarding:

  1. Look up the destination MAC in the table
  2. If found, send the frame out that specific port only
  3. If not found, flood the frame out every port except where it came from
  4. If it's a broadcast, flood it everywhere

This is why switches are smarter than the hubs they replaced. Hubs were stupid repeaters—every frame went everywhere. Switches learn and forward selectively. Your private conversation stays private (mostly).

MAC table entries age out after about 5 minutes of silence. This handles devices that move or disconnect. The switch forgets them and relearns when they speak again.

VLANs: Virtual Neighborhoods

One physical switch can become many logical switches through VLANs (Virtual LANs).

Think of it like apartment buildings. One building, many separate units. Residents in unit 10 can't walk into unit 20. VLANs create the same separation—devices in VLAN 10 can't directly reach devices in VLAN 20, even though they're plugged into the same physical switch.

This matters for:

  • Security: Keep the accounting department's traffic separate from guest WiFi
  • Performance: Contain broadcast storms to smaller domains
  • Organization: Group by function, not physical location

When VLANs need to span multiple switches, frames get tagged with a VLAN ID (802.1Q tagging). Trunk ports carry tagged traffic for multiple VLANs. Access ports connect end devices and handle a single VLAN.

Spanning Tree: Preventing Infinite Loops

Redundancy is good. Two paths between switches means if one fails, traffic takes the other. But loops are catastrophic.

A frame in a loop never dies. It circulates forever, getting duplicated at every switch, spawning copies that also loop forever. Within seconds, the network drowns in an exponentially growing flood of the same frame. This is a broadcast storm, and it will take down your network.

Spanning Tree Protocol (STP) prevents this. Switches elect a root bridge, calculate shortest paths, and strategically block redundant links. The network becomes a tree—no loops possible. When a link fails, STP recalculates and unblocks a previously blocked path.

Original STP was slow (30-50 seconds to reconverge). Modern networks use Rapid Spanning Tree (RSTP), which recovers in seconds.

ARP: Introducing Strangers

Your computer knows it needs to reach 192.168.1.100. But Ethernet frames need MAC addresses, not IP addresses. How do you find the MAC address for an IP?

You ask everyone.

Every network conversation starts with a question that sounds almost polite: "Who has 192.168.1.100? Tell 192.168.1.50." That's an ARP request—broadcast to every device on the local network.

The device with that IP responds: "That's me. My MAC address is 00:1A:2B:3C:4D:5E."

Now your computer knows. It caches this mapping in its ARP table so it doesn't have to ask again. ARP is the handshake that lets IP work over Ethernet—the bridge between Layer 3 addresses and Layer 2 addresses.

What Breaks at Layer 2

Duplex mismatches: One device thinks it's full-duplex (can send and receive simultaneously), the other thinks it's half-duplex (must take turns). The result: terrible performance, mysterious errors, and late collisions that make no sense until you check the settings.

VLAN misconfigurations: Device is on VLAN 10, server is on VLAN 20, nobody told the router. Packets go nowhere. "It's plugged in but can't reach anything" is often a VLAN problem.

Spanning tree issues: Wrong root bridge elected, suboptimal paths, or worse—STP disabled and someone accidentally creates a loop. See: broadcast storm above.

MAC flooding attacks: An attacker sends frames with thousands of fake source MACs. The switch's table fills up, it can't learn new legitimate entries, and it starts flooding everything everywhere, so frames reach ports they were never meant for. Security problem and performance disaster.
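The switch learning, forwarding and aging rules from earlier on this page, together with the table-exhaustion failure just described, as an added Python model (not code from the original page or from any switch vendor). The table capacity, the sample addresses and the `per_port_limit` cap, which stands in for a port-security-style mitigation the page does not describe, are assumptions made for the example.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Toy model of the forwarding rules above with a fixed-size MAC table."""

    def __init__(self, ports, capacity, max_age=300, per_port_limit=None):
        self.ports = set(ports)
        self.capacity = capacity              # total MAC table slots
        self.max_age = max_age                # seconds of silence before expiry
        self.per_port_limit = per_port_limit  # assumed port-security-style cap
        self.table = {}                       # mac -> (port, last_seen)

    def _learn(self, mac, port, now):
        """Record mac behind port; return False if the port exceeds its cap."""
        if mac not in self.table:
            on_port = sum(1 for p, _ in self.table.values() if p == port)
            if self.per_port_limit is not None and on_port >= self.per_port_limit:
                return False                  # violation: drop this frame
            if len(self.table) >= self.capacity:
                return True                   # table full: forward without learning
        self.table[mac] = (port, now)
        return True

    def receive(self, in_port, src, dst, now):
        """Return the set of ports the frame is sent out of."""
        self.table = {m: e for m, e in self.table.items()
                      if now - e[1] <= self.max_age}        # age out silent entries
        if not self._learn(src, in_port, now):
            return set()
        entry = self.table.get(dst)
        if dst == BROADCAST or entry is None:
            return self.ports - {in_port}     # broadcast or unknown: flood
        return {entry[0]} - {in_port}         # known: that port only


def ports_reached(per_port_limit):
    """Where does a frame from host A to host B go after port 3 fills the table?"""
    sw = LearningSwitch(ports=[1, 2, 3], capacity=8, per_port_limit=per_port_limit)
    sw.receive(1, "aa:aa:aa:aa:aa:01", BROADCAST, now=0)      # host A, port 1
    for i in range(100):                                      # constructed bogus sources
        sw.receive(3, f"02:00:00:00:00:{i:02x}", BROADCAST, now=1)
    sw.receive(2, "bb:bb:bb:bb:bb:02", BROADCAST, now=2)      # host B, port 2, speaks late
    return sw.receive(1, "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", now=3)
```

With no cap, `ports_reached(None)` shows the A-to-B unicast frame leaving ports 2 and 3 because host B could never be learned; with a cap of two addresses per port, `ports_reached(2)` delivers it to port 2 only.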

Key Takeaways

  • Layer 2 provides hop-by-hop delivery between directly connected devices
  • MAC addresses are 48-bit hardware identifiers that name network interfaces
  • Ethernet frames wrap data with addresses and error-detection checksums
  • Switches learn MAC locations and forward frames selectively—much smarter than hubs
  • VLANs create logical network separation on shared physical infrastructure
  • Spanning Tree prevents loops in redundant topologies
  • ARP maps IP addresses to MAC addresses, bridging Layer 3 and Layer 2
