Layer 2 (Data Link): MAC, switches & VLANs

Acutis · plain-English network help · updated June 2026

What Layer 2 does, in plain English

Layer 2 — the Data Link layer — is how devices talk to each other on the same local network segment. Where Layer 1 carries raw bits over a wire, Layer 2 wraps those bits into Ethernet frames and addresses them using MAC addresses — the unique hardware ID burned into every network card, like a4:5e:60:1f:2c:9b. The device that makes Layer 2 work is the switch: it learns which MAC address lives on which port and forwards each frame only to the port that needs it. If your Layer 1 link light is solid but you still can't reach things, Layer 2 is the next place to look.

The pieces: MAC, the switch table, ARP and VLANs

• MAC address. A 48-bit hardware address that identifies a network card on the local segment. The first half identifies the manufacturer (the OUI), the second half is unique to the device.
• The MAC (CAM) table. The switch's memory of which MAC address it last saw on which port. This is how it knows where to send each frame instead of flooding everywhere.
• The ARP table. Your own device's map of IP address → MAC address. Before your computer can send a frame to a local IP, it uses ARP to learn that IP's MAC. A stale or wrong ARP entry can break local reachability even when everything else is fine.
• VLANs. A VLAN splits one physical switch into separate logical networks. Two devices on the same switch but in different VLANs cannot talk at Layer 2 — by design. A wrong VLAN assignment is a classic "why can't this one device reach anything" cause.
• Duplex. Both ends of a link must agree on full or half duplex. A duplex mismatch lets a little traffic through but causes errors, retransmits and dismal throughput.
• Switching loops / STP. Plug two switch ports into each other (or create a cable loop) and frames circle forever, flooding the network. Spanning Tree Protocol (STP) exists to block loops; if STP is off or misconfigured, a single loop can take down a whole segment.

Symptoms that point to Layer 2

• You can reach some devices but not others. Often a VLAN boundary — the devices you can't reach are in a different VLAN.
• One device is completely isolated despite a good link light — its switch port is in the wrong VLAN, or the port is shut down.
• Two IPs, one MAC (or duplicate MACs). An ARP conflict; your device keeps swapping which hardware it talks to.
• Slow, error-filled throughput on a good cable — a duplex mismatch.
• The whole segment goes haywire at once — lights blinking in unison, everything slow — a switching loop with no STP to stop it.

How to diagnose Layer 2

1. Check your ARP table. Run arp -a on Windows, Mac or Linux. It lists the IP-to-MAC map your device has learned. Empty or wrong entries for a local device you can't reach point straight at a Layer 2 problem. Clear a stale entry to force a fresh ARP.
2. Identify the device by its MAC. If you see an unexpected MAC, look up the manufacturer from its OUI to figure out what hardware it is — useful for spotting a rogue device or confirming you're talking to the right box.
3. Look at the switch. On a managed switch, check the MAC address table to confirm the device's MAC is learned on the port you expect. Check the port's VLAN assignment, and check the interface counters for errors or duplex mismatches.
4. Confirm VLAN membership. If a device is isolated, verify its switch port is in the right VLAN — this is the single most common managed-switch fault.
5. Hunt for loops. If the whole segment is flooded, trace recently added cables and look for two ports linked together. Confirm STP is enabled.

🔧 Inspect Layer 2 with our free tool

The fastest way to put a name to the hardware on your segment:

1. Run arp -a to list every IP-to-MAC pair your device has learned on the local network.
2. Paste any unfamiliar MAC into the MAC lookup tool. It reveals the manufacturer from the OUI — a fast way to spot a rogue or unexpected device, or to confirm which vendor a misbehaving NIC belongs to.
3. If it comes back with no vendor, the tool flags it as a randomized / locally-administered MAC — common on phones, VMs and privacy-mode devices rather than a typo.

How to fix it

Once you've named the cause, the fix is usually direct. Clear a stale ARP entry and let it relearn. Move the port into the correct VLAN. Set both ends of a link to auto-negotiate (or hard-set matching speed/duplex on both). Remove the loop cable and confirm STP is on. After each change, re-test reachability to the device that was failing. If Layer 2 is clean — the right MAC is learned on the right port, in the right VLAN, with no errors — and you still can't get out, the fault is higher up. Climb to Layer 3 and check IP addressing and the gateway.