Most consumer (SOHO) grade switches function on layer 2, and only worry
about MAC addresses.

Most consumer (SOHO) grade routers function on layer 3, and only worry
about IP addresses. - However, they do need to worry about resolving
the MAC addresses of (directly deliverable) IPs in the locally attached
subnets. So they do care about MAC addresses for that. But that's not
what switches do.
Correct.

Switches learn the port that a source MAC address is connected to when
an Ethernet frame comes in. That way the switch (ideally) knows which
port a destination MAC address is connected to and thus what port to
send the Ethernet frame out. - I saw something from Bob come in the
yellow door, so I'll send things to Bob out the yellow door.

If a switch doesn't know what port the destination MAC address is
connected to, it will send (copies of) the Ethernet frame out all ports,
save for the port that it came in on.
That's likely the ideal place to put a firewall that deals with Ethernet
frames. That's typically a Layer 2 firewall.
Sadly, that happens all too often.

It happens because other ISP clientele (or the ISP itself) has something
misconfigured (possibly plugging a DSL modem into a switch with private
computers) such that traffic meant for a LAN makes it out into the DSL
network.

There are other reasons it can happen, but they are (almost) all
directly connected to the same DSL network.
Yes, such is possible.

Such an Ethernet frame would have to be sent by someone directly
connected to the DSL network.

MAC addresses are inherently layer 2 and do not cross a layer 3 boundary.

Usually, the ISP's router is a well behaved layer 3 boundary and would
never send an Ethernet frame like you are describing. Hence why such a
frame would need to come from someone on the same ISP network.
You're starting to see the security concerns that I was alluding to.
Not quite. See above.
Yes.
Let's say I'm on the same DSL network as you. I can configure my
computer(s) to use 192.168.1.234 and send print jobs to your network
attacked printer at 192.168.1.111.

Since both IPs are in the 192.168.1.0/24 network, it will not be routed.
Which means that it will all be layer 2 traffic. I could send an ARP
request for 192.168.1.111 to learn your printer's MAC address.

Now, my computer and your printer think that each other are on the same
LAN in your house.

Now I can send print jobs that consume your ink / toner and use all the
paper in the printer. Thus performing a denial of service.

This is all possible because the DSL network is connected at layer 2
with your private LAN. If there was something separating them, I can't
do any of this. (At least not this way.)
It depends what you mean by test, particularly how active (vs passive)
you mean.

You can use a network sniffer (tcpdump & Wireshark are good choices) to
sniff the traffic coming in from a DSL / Cable modem. If you see
private IPs or other traffic that you think shouldn't be on the
Internet, chances are good that the ISP is /not/ filtering things like
I'd like them to.
Yep. You got it.

What we typically call a "router" is really a piece of equipment that is
performing multiple functions. Usually the firewalling that is in SOHO
models is L3 filtering in the router portion. Frequently the switch is
a cheap and completely independent L2 switching chip with the physical
ports you see and a port that connects to the CPU. Thus any switching
functions are done by the basic chip and NOT the software running on the
router.

The router usually sees an outside (WAN) and an inside (LAN) interface
(which is really it's connection to the switch chip).
What are traditionally called "aliases" are weird. It also implies that
you're dealing with "ifconfig" instead of "ip". I never liked them.

You always had to know what alias number you were working with. You'd
use ifconfig to assign the main IP. Then you'd use ifconfig to assign
the alias IP to the alias interface, which was the interface name, with
a colon and an alias number appended.

ifconfig eth0 192.0.2.254
ifconfig eth0:1 192.0.2.1...
ifconfig eth0:2 192.0.2.2...

If you didn't use a unique ":#" after the physical interface name, you'd
likely get unexpected results.

To be honest, it's been so long since I've used that method, I don't
even know if it still works, or if it has somehow been broken.

Conversely adding IPs using the "ip" command is trivial and consistent.

ip addr add 192.0.2.254 dev eth0
ip addr add 192.0.2.1 dev eth0
ip addr add 192.0.2.2 dev eth0

Nice and consistent. Easily scriptable. No alias (interface) numbers
to deal with. :-)
It depends what you're trying to keep private.

If you want a way to communicate with your servers that can't (really
SHOULD NOT) cross the Internet, then private IPs are good. I'd just use
a different private subnet on the outside of the router than I'm using
on the inside of the router for my private LAN. Say 192.168.10.254 to
be able to talk to the Cable modem at 192.168.10.100 to read stats,
while my internal LAN is 192.168.0.<something>.

Private IPs are /okay/. It's important to have the layer 3 routed
boundary between them.

Or at the very least have something that can do some filtering on layer
2 for you. (Most SOHO router switch chips can't.)

Aside: If you go the route of OpenWRT et al., there are options, but
they are more complex.
:-D
Ah. I know EXACTLY what you mean. I counter with "The Bat book".
(Sendmail, from the same line of books.)
Old doesn't necessarily mean that it's wrong or bad.

I think that line of books from that publisher says more about the
following.
*nod*

I've not been impressed with O'Reilly books. At least not for learning.

Don't get me wrong. I think they are packed full of information, and a
*GREAT* /reference/ source. But I think they are a lot like man pages.
They are good for reference, but crap for learning something.
Especially for something that may be largely new to you.
I don't know. I've not read the crab book so I can't compare.

I don't know how similar the subject material is, but I will say that
I'm currently reading TCP/IP Illustrated - Volume 1 - Second Edition.
My intention is to pick up smaller details that I've over looked in my
20 years of using & administering TCP/IP for myself and clients. I've
picked up many things that I appreciate. Though I question how useful
they are for many people. Think of it like getting a masters or PhD
half way through your career because you want to learn more about what
you've been using your entire career.

For starting, I have LONG referred people back to what I used to learn.
Linux's Networking How-To, commonly referred to as "net-3 how to". (Or
something similar.) It's a relatively small text file (compared to the
aforementioned books) that has a LOT of information in it. Obviously
it's Linux specific. But it is a good read. At least that's how I
remember it.
Fair enough.
Now we get into the minutia of what the capabilities of devices are and
how they are configured.

Basic / simple DSL / Cable modem router switch combos should have the
modem component connected to the WAN interface of the router component.
The router component should have the LAN interface connected to the
switch component.
Now you have considered a malicious actor.
~chuckle~
I believe so.
ACK
Isn't learning fun. :-)
Hum.

I've found tshark to be annoying. Or maybe it's just a personal bias
for tcpdump, which I'm more familiar with.

I'm guessing that there are more tutorials on tcpdump that target a
broad range of audiences. I'd bet that many tshark tutorials are
targeting more advanced Wireshark users that are comfortable with
sniffing network traffic. More as an alternate mode of Wireshark than a
general sniffer.
If you wait long enough, you should also see "broadcast" Ethernet frames
(like ARP uses).

You might also see frames destined to (what is called) an "unknown" MAC
address, thus flooded out all ports.

Then there is "multicast", which I'd be somewhat surprised if you see.

Collectively these are generally known as "B.U.M. frames". I say this
as you should see Ethernet frames destined to your MAC and / or B.U.M.
frames.

The switch should filter anything not to you or a B.U.M. frame.
Point of order: The term "hop(s)" usually implies routers.

I tend to hear "number of switches or (L2) devices" when referring to
what I think you mean.

I'm not trying to be pedantic. It's just that the different terms tend
to make some implications.
If you are referring to the number of layer 2 devices, you can be many
""hops (L2 devices) away. As long as the modem and your sniffer are in
the same Layer 2 broadcast domain, you should be fairly good.

Note: I'm assuming that there isn't something like an L2 firewall
filtering and conditionally dividing the L2 broadcast domain. - This
is why I mentioned such as an option in a previous email.

The best way to know is to run the sniffer on a computer (device) that
is directly connected to the modem.
:-)

Yep. That layer 3 routed boundary is nice.