Mac Addressing - Learning Module

Loading content...

0/240

Unicast and Broadcast Addressing

Addressing Modes: Targeting Frames

In Ethernet networks, every transmitted frame must specify its intended recipient through the destination MAC address. But not all communication is point-to-point. Network protocols frequently need to reach multiple devices simultaneously—whether discovering services, announcing presence, or distributing real-time data.

Ethernet supports three fundamental addressing modes, each serving distinct communication patterns:

Unicast: One sender to exactly one recipient
Broadcast: One sender to all devices on the LAN segment
Multicast: One sender to a selected group of recipients

Understanding these modes is essential because they behave fundamentally differently at the switch level, have distinct performance implications, and require different handling in protocol design.

What You Will Learn

By the end of this page, you will understand how unicast, broadcast, and multicast addresses are structured; how switches handle each type differently; the performance implications of each mode; and best practices for protocol designers choosing between these communication patterns.

Unicast Addressing: Point-to-Point Communication

Unicast is the most common addressing mode in Ethernet networks. A unicast frame targets exactly one network interface—identified by its unique MAC address—and is delivered only to that specific device.

Characteristics of unicast addressing:

Destination MAC address has the I/G bit (Bit 0 of Byte 1) set to 0
The first hexadecimal digit of the MAC address is even (0, 2, 4, 6, 8, A, C, E)
Exactly one recipient receives the frame
Switches forward based on MAC address table lookup
Consumes network resources only along the path to the destination

Unicast Address Identification
Property	Unicast	Example
I/G Bit (Bit 0)	0	Binary: xxxxxxx0
First Hex Digit	Even (0,2,4,6,8,A,C,E)	`00:1A:2B:...`, `02:00:00:...`
Recipients	Exactly 1	Single NIC
Switch Behavior	Forward to learned port or flood	Efficient, targeted delivery

Switch handling of unicast frames:

When a switch receives a unicast frame, it follows a precise algorithm:

Extract destination MAC from the frame header
Search MAC address table for an entry matching the destination
If found: Forward frame only to the port where that MAC was learned
If not found: Flood frame to all ports (except source)—this is 'unknown unicast flooding'
Learn the source MAC by associating it with the ingress port

Unknown unicast flooding:

When a switch doesn't know where a destination MAC is located (the MAC isn't in its forwarding table), it must flood the frame to all ports. This is a fallback mechanism that ensures delivery even when the table is incomplete. However, excessive unknown unicast flooding indicates:

MAC table overflow (too many devices for table capacity)
Asymmetric routes causing incomplete learning
Network issues preventing the destination from responding (and being learned)

Unicast Efficiency

Once a switch has learned a MAC address location, unicast traffic flows directly to the destination port without consuming bandwidth on other switch ports. This is the key efficiency advantage of switched Ethernet over the older hub-based shared medium design where all traffic reached all ports.

Common unicast communication patterns:

Web browsing (HTTP/HTTPS requests and responses)
File transfers (FTP, SMB, NFS)
Email sending/receiving (SMTP, IMAP, POP3)
Remote shell sessions (SSH, Telnet)
Database queries between application and database server
Most point-to-point application traffic

Broadcast Addressing: Network-Wide Communication

Broadcast addressing targets all devices on a LAN segment simultaneously. The broadcast address is a special, well-known value that all Ethernet interfaces are programmed to receive and process.

The Ethernet broadcast address:

The Broadcast MAC Address

FF:FF:FF:FF:FF:FF — All 48 bits set to 1. Every Ethernet interface on the network segment accepts frames with this destination address.

Characteristics of broadcast addressing:

Destination MAC is exactly FF:FF:FF:FF:FF:FF
All 48 bits are set to 1 (255.255.255.255.255.255 in decimal)
Every device on the broadcast domain receives the frame
Switches flood broadcasts to all ports (except source)
Cannot be filtered or blocked by Layer 2 switches
Stopped at router boundaries (routers don't forward Layer 2 broadcasts)

Switch handling of broadcast frames:

Broadcast handling is unconditional:

Receive broadcast frame on any port
Flood to ALL other ports in the same VLAN/broadcast domain
No table lookup required — flooding is always performed
Learn source MAC normally from the frame's source address

This unconditional flooding is why broadcast traffic is a significant concern for network performance and scalability.

Common Broadcast Use Cases

•ARP Requests: 'Who has IP address 192.168.1.1? Tell 192.168.1.50' — The most frequent source of broadcast traffic
•DHCP Discovery: 'I need an IP address! Any DHCP servers out there?' — Clients use broadcast because they don't know the server's address yet
•NetBIOS Name Resolution: Windows workgroup name queries (legacy Windows networking)
•Wake-on-LAN: Magic packet to wake sleeping computers (or directed broadcast)
•Routing Protocol Announcements: Some routing protocols announce via broadcast (e.g., RIPv1)
•Service Discovery: mDNS/DNS-SD, SSDP (UPnP), and similar protocols for finding network services

The broadcast domain:

A broadcast domain is the set of all devices that receive each other's broadcast frames. In a flat (non-VLAN) switched network, all devices on all switch ports form a single broadcast domain. Key points:

Switches extend broadcast domains (broadcasts pass through switches)
Routers terminate broadcast domains (broadcasts don't cross routers by default)
VLANs segment broadcast domains (each VLAN is a separate broadcast domain)
Large broadcast domains = more broadcast traffic seen by every device

Broadcast domain size implications:

Domain Size	Typical Broadcasts/Second	Host Impact	Recommendation
Small (< 50 hosts)	< 10	Negligible	Fine for most uses
Medium (50-250 hosts)	10-100	Low	Monitor periodically
Large (250-1000 hosts)	100-500	Moderate	Consider VLAN segmentation
Very Large (> 1000 hosts)	500	High	VLAN segmentation mandatory

Broadcast Storms

A broadcast storm occurs when loops in the network cause broadcast frames to circulate endlessly, multiplying with each cycle. Without Spanning Tree Protocol (STP), a single broadcast frame in a looped topology can bring an entire network to its knees within seconds, as CPU and bandwidth are consumed processing exponentially growing broadcast traffic.

Multicast Addressing: Selective Group Communication

Multicast is a middle ground between unicast (one recipient) and broadcast (all recipients). It enables communication with a specific group of interested devices without burdening the entire network.

Characteristics of multicast addressing:

Destination MAC has the I/G bit (Bit 0 of Byte 1) set to 1
The first hexadecimal digit is odd (1, 3, 5, 7, 9, B, D, F)
Only devices 'subscribed' to the group address process the frame
Ethernet NICs can be programmed to accept specific multicast addresses
Switches may flood multicasts (like broadcasts) unless IGMP/MLD snooping is enabled

Multicast Address Identification
Property	Multicast	Example
I/G Bit (Bit 0)	1	Binary: xxxxxxx1
First Hex Digit	Odd (1,3,5,7,9,B,D,F)	`01:00:5E:...`, `33:33:...`
Recipients	Subscribed group members	0 to many NICs
Switch Behavior	Flood (default) or selective (with IGMP snooping)	Depends on configuration

Reserved multicast ranges:

IPv4 Multicast: Addresses in the range 01:00:5E:00:00:00 to 01:00:5E:7F:FF:FF are reserved for IPv4 multicast. Key relationships:

IPv4 multicast IPs are 224.0.0.0/4 (224.0.0.0 – 239.255.255.255)
The lower 23 bits of the IP address map directly to the lower 23 bits of the MAC
Note: The upper 5 bits of the IP address are not encoded in the MAC, creating 32-to-1 IP-to-MAC mappings (ambiguity exists)

Example mapping:

IPv4 Multicast: 224.1.2.3
Binary (lower 23 bits): 0.0000001.00000010.00000011
MAC Address: 01:00:5E:01:02:03

IPv6 Multicast: Addresses starting with 33:33: are reserved for IPv6 multicast:

Format: 33:33:XX:XX:XX:XX where the last 4 bytes come from the IPv6 multicast address
Example: IPv6 multicast ff02::1 (all nodes) maps to 33:33:00:00:00:01

Common Multicast Use Cases

•Video Streaming (IPTV): Deliver the same content to thousands of viewers efficiently
•Financial Market Data: Stock quotes and trading data to multiple clients
•Routing Protocols: OSPF (224.0.0.5, 224.0.0.6), EIGRP, RIPv2 use multicast
•Cluster Heartbeats: Database and application clusters use multicast for health checks
•Gaming: Multiplayer state updates to groups of players
•Industrial Control: Process control and sensor data distribution in factories

IGMP Snooping

Without IGMP snooping, switches treat multicast frames like broadcasts—flooding them everywhere. IGMP snooping examines IGMP group membership messages to learn which ports have interested receivers, then forwards multicast traffic only to those ports. This dramatically reduces unnecessary multicast flooding.

Comparative Analysis of Addressing Modes

Understanding when to use each addressing mode is crucial for protocol design and network planning. Each mode has fundamentally different characteristics:

Comprehensive Addressing Mode Comparison
Characteristic	Unicast	Broadcast	Multicast
Target Audience	Single device	All devices	Selected group
I/G Bit	0	1 (all bits 1)	1
Address Example	`00:1A:2B:3C:4D:5E`	`FF:FF:FF:FF:FF:FF`	`01:00:5E:00:01:02`
Switch Forwarding	To learned port only	All ports (flood)	All ports or selective
Bandwidth Efficiency	High (minimal waste)	Low (everywhere)	Medium to High
Receiver CPU Load	Only intended recipient	Every device on segment	Subscribers + others (without snooping)
Scalability	Excellent	Poor for large networks	Good with snooping
Group Membership	N/A	Implicit (everyone)	Explicit (IGMP/MLD)
Routing Scope	End-to-end routable	Local segment only	Routable with PIM, etc.

When to Use Unicast

•Point-to-point communication
•Most application data transfer
•When only one recipient needs the data
•Sensitive/confidential information
•Request-response patterns

When to Use Broadcast

•Address resolution (ARP)
•Service discovery (DHCP discovery)
•When all devices must receive
•Initial contact to unknown destination
•Must be used sparingly

NIC-Level Address Filtering

Network Interface Cards perform address filtering in hardware to protect the CPU from processing every frame on the network. Understanding this filtering is essential for network analysis and troubleshooting.

Standard NIC filtering behavior:

A NIC in its default operational mode accepts frames matching these criteria:

Destination MAC matches the NIC's own unicast address
Destination MAC is the broadcast address (FF:FF:FF:FF:FF:FF)
Destination MAC is a multicast address the NIC has been programmed to receive

Frames not matching these criteria are silently discarded by the NIC hardware without consuming CPU cycles.

NIC Filtering Modes
Mode	Description	Use Case	Security Implications
Normal (Default)	Accept own MAC, broadcast, registered multicast only	Standard operation	Cannot see others' traffic
Promiscuous	Accept ALL frames regardless of destination	Network analyzers, packet capture	Can see all traffic on segment
All-Multicast	Accept all multicast addresses	Multicast routing, snooping	Sees all multicast traffic

Promiscuous mode deep dive:

Promiscuous mode instructs the NIC to pass ALL received frames to the operating system, not just those addressed to the NIC. This is essential for:

Packet capture tools (Wireshark, tcpdump)
Network intrusion detection systems (Snort, Suricata)
Network monitoring and debugging
Bridging and switching in software
Virtual machine networking

Important limitation: On modern switched networks, promiscuous mode only sees traffic that reaches your switch port. This includes:

Traffic TO or FROM your device
Broadcast frames
Multicast frames (if flooding)
Unknown unicast floods

To see other hosts' unicast traffic, you need to configure port mirroring (SPAN) on the switch, or use a network tap.

promiscuous_mode
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
# Enable promiscuous mode on Linux
sudo ip link set eth0 promisc on
 
# Verify promiscuous mode is active
ip link show eth0
# Look for "PROMISC" flag in output
 
# Disable promiscuous mode
sudo ip link set eth0 promisc off
 
# Alternative using ifconfig (legacy)
sudo ifconfig eth0 promisc     # Enable
sudo ifconfig eth0 -promisc    # Disable
 
# System log entries when promiscuous mode changes
dmesg | grep -i promisc

Promiscuous Mode and Switched Networks

Promiscuous mode is NOT a magic solution for network monitoring. On a properly functioning switch, you won't see other hosts' unicast traffic even in promiscuous mode. The switch filters at the hardware level before frames ever reach your port. Use SPAN/mirror ports or network taps for legitimate network monitoring.

Broadcast Domain Design Considerations

The size and structure of broadcast domains significantly impact network performance, scalability, and security. Thoughtful broadcast domain design is a key skill for network architects.

The broadcast domain problem:

Every device in a broadcast domain:

Receives every broadcast frame
Processes (at minimum, discards at NIC or OS level) each broadcast
Consumes bandwidth proportional to total broadcast traffic

As broadcast domains grow, these costs accumulate, eventually degrading performance.

Impact of Broadcast Domain Size
Factor	Small Domain (< 50)	Large Domain (> 500)
Broadcast overhead	< 1% of bandwidth	5-20%+ of bandwidth
Host CPU impact	Negligible	Measurable
Storm blast radius	Limited	Catastrophic
Troubleshooting	Easy	Complex
Security exposure	Limited	High (more visible to attackers)

Segmentation strategies:

1. VLANs (Virtual LANs)

The primary tool for broadcast domain segmentation. VLANs create logically separate networks on shared physical infrastructure:

Each VLAN is a distinct broadcast domain
Broadcasts in VLAN 10 never reach VLAN 20
Inter-VLAN traffic requires routing (Layer 3)
Can be based on port, MAC address, or protocol

2. Physical Segmentation

Using separate switches or router-separated networks:

Cleaner separation but less flexible
Higher infrastructure cost
May be required for regulatory compliance

3. Subnet-based Segmentation

Aligning Layer 2 (broadcast domain) with Layer 3 (subnet) boundaries:

One subnet per VLAN is common practice
Simplifies troubleshooting and documentation
Router serves as broadcast boundary

Broadcast Domain Design Best Practices

•Limit to 250-500 hosts maximum per broadcast domain for most environments
•Group related functions — servers in one VLAN, user workstations in another, IoT devices isolated
•Match Layer 2 and Layer 3 boundaries — one subnet per VLAN simplifies management
•Enable broadcast storm control on switch ports to limit broadcast rate
•Monitor broadcast rates — alert when exceeding baseline thresholds
•Isolate 'chatty' protocols — put devices with high broadcast needs in separate VLANs
•Document VLAN assignments clearly for troubleshooting and planning

VLANs and Security

While VLANs provide traffic separation, they are NOT a security boundary by themselves. VLAN hopping attacks can cross VLAN boundaries if switches are misconfigured. For true security isolation, use routers/firewalls with access control lists between VLANs.

Protocol Design: Choosing Addressing Modes

When designing network protocols or applications, the choice of addressing mode has significant implications. Understanding these tradeoffs leads to more efficient, scalable protocol designs.

Decision framework:

Protocol Design Decision Framework
Scenario	Recommended Mode	Rationale
Request-response between known peers	Unicast	Efficient, targeted delivery
Initial discovery (unknown target)	Broadcast	Must reach unknown destination
Same data to multiple interested receivers	Multicast	Efficient group delivery
Real-time streaming to many clients	Multicast	Single transmission serves all
Emergency notification	Broadcast or Multicast	Must reach everyone quickly
Bulk data transfer	Unicast	Flow control per-recipient

Case study: ARP — Broadcast for Discovery, Unicast for Response

The Address Resolution Protocol (ARP) elegantly combines both modes:

ARP Request (Broadcast): 'Who has 192.168.1.1? Tell 192.168.1.50'
- Destination MAC: FF:FF:FF:FF:FF:FF
- All devices receive and inspect the request
- Only the target IP owner responds
ARP Reply (Unicast): '192.168.1.1 is at 00:1A:2B:3C:4D:5E'
- Destination MAC: Requestor's MAC address
- Only the original requestor receives the reply
- Efficient—reply doesn't burden entire network

This pattern—broadcast for discovery, unicast for response—is common in well-designed protocols.

Case study: DHCP — Broadcast When Necessary

DHCP demonstrates judicious broadcast use:

DISCOVER: Broadcast (client has no address, doesn't know server)
OFFER: Broadcast or unicast (client may not have IP yet)
REQUEST: Broadcast (inform all DHCP servers of selection)
ACK: Broadcast or unicast (client may not have finalized IP)

Once the client has a valid IP address, subsequent lease renewals can use unicast.

Protocol Design Principle

Use the most specific addressing mode possible. Prefer unicast when targets are known. Use broadcast only for initial discovery or when truly everyone must receive. Use multicast when multiple known recipients need the same data simultaneously.

Summary: Unicast, Broadcast, and Multicast

This page has explored the three fundamental addressing modes in Ethernet networks. Let's consolidate the essential points:

Key Takeaways

•Unicast (I/G bit = 0) targets exactly one recipient; switches forward to learned port only, maximizing efficiency
•Broadcast (FF:FF:FF:FF:FF:FF) reaches all devices in the broadcast domain; switches flood to all ports
•Multicast (I/G bit = 1) targets a subscribing group; efficient with IGMP snooping, otherwise floods like broadcast
•NICs filter frames by default—only accepting own MAC, broadcast, and registered multicast addresses
•Promiscuous mode bypasses NIC filtering but still can't see frames the switch doesn't forward
•Broadcast domain size should be limited (250-500 hosts typical) to control overhead and blast radius
•VLANs segment broadcast domains, improving scalability and security
•Good protocol design uses unicast when possible, broadcast only for discovery, and multicast for group communication

Looking ahead:

With addressing modes understood, the next page examines MAC address assignment—how addresses are allocated at the hardware and software levels, the role of IEEE registration, and modern practices like MAC address randomization for privacy.

Page Complete

You now understand how unicast, broadcast, and multicast addressing work at the Ethernet layer, how switches handle each type, the performance implications of broadcast traffic, and design considerations for protocols and network architectures.