A Virtual LAN (VLAN) lets devices that are physically connected to the same switch (or set of switches) be logically divided into separate segments.
A VLAN is its own broadcast domain, and each VLAN is normally paired with its own IP subnet, so one switch can host multiple smaller broadcast domains.
A VLAN can span an entire layer 2 network, but it ends at a router (or other layer 3 boundary): traffic between VLANs has to be routed, which is also where it can be filtered.
VLANs let us segment the network on a per-interface basis and isolate traffic.
Improved security: hosts in different VLANs cannot reach each other at layer 2 without crossing a router
Reduced cost of network infrastructure: one physical switch serves several logical networks
Improved network performance
Smaller broadcast domains
Improved IT efficiency and management
Data VLAN – The Data VLAN is usually configured to transport traffic generated by end devices such as computers, servers, printers, access points, etc.
Default VLAN – The Default VLAN is the VLAN every port of a managed switch belongs to as shipped and after boot. A new out-of-box switch normally has all its ports assigned to VLAN 1, so any devices connected to any ports of the switch can communicate with each other until the ports are moved to other VLANs. On Cisco switches VLAN 1 cannot be deleted, so the practical control is to move user ports, the management SVI and the trunk native VLAN off it.
Native VLAN – The Native VLAN is the one VLAN whose frames are carried untagged on an IEEE 802.1Q trunk link. Frames belonging to every other VLAN have an 802.1Q tag (carrying the VLAN ID) inserted when the switch forwards them onto the trunk, and a frame that arrives on a trunk without a tag is assigned to the native VLAN. Untagged traffic on a trunk does not come from an access port; it is typically self-generated by the switches themselves, such as Cisco Discovery Protocol (CDP) messages. Security caveat: if a trunk's native VLAN is also a VLAN that hosts end devices (VLAN 1 on a default switch), a host on that VLAN can send double-tagged frames: the first switch strips the outer tag because the native VLAN travels untagged, and the next switch reads the inner tag and delivers the frame into another VLAN (VLAN hopping). Use an unused VLAN as the native VLAN on every trunk, and on Cisco switches also tag native-VLAN frames (vlan dot1q tag native) so nothing on the trunk travels untagged.
Management VLAN – The Management VLAN is used to reach the switch over the network for management purposes. Put simply, it is the VLAN whose Switch Virtual Interface (SVI) is configured with an IP address and subnet mask; a network administrator connects to the switch through that address using HTTP, HTTPS, Telnet or SSH. Telnet and HTTP send credentials in cleartext, so use SSH or HTTPS, keep the management VLAN separate from user data VLANs (and off VLAN 1), and restrict which source addresses may reach the SVI.
Voice VLAN – Voice traffic is carried over the User Datagram Protocol (UDP), which gives no delivery guarantee for these packets, so it is sensitive to delay, jitter and loss. Because a converged network carries voice and data over the same cabling and switches, a dedicated VLAN for voice traffic is recommended: it keeps voice separated from the other traffic types on the physical network and lets it be classified and prioritised on its own. On Cisco switches an access port can carry one data VLAN and one voice VLAN at the same time; the IP phone tags its own frames with the voice VLAN ID it learns through CDP or LLDP-MED.
On network switches, each interface/port can be configured with various features by a network professional to perform specialized tasks.
When a source device such as a computer sends a frame into an access port, the frame is untagged; the switch associates it with the VLAN configured on that port and inserts an IEEE 802.1Q tag only when it forwards the frame onto a trunk link.
Access ports let network professionals assign one data VLAN (and optionally one voice VLAN) to an interface; the end device never sees a tag.
The IEEE 802.1Q tag contains the VLAN ID assigned on the ingress switch interface. The tag lets switches keep one VLAN's traffic isolated from another's, so each VLAN stays logically separate even when several share a trunk link.
The IEEE 802.1Q tag stays on the frame for as long as it is passing between switches over trunk links (except for the native VLAN, whose frames travel untagged).
The IEEE 802.1Q tag is removed when the switch sends the frame out of an access port, so the receiving end device sees a normal untagged frame.
Trunks are interfaces configured on a switch to carry traffic for multiple VLANs between switches (or to a router or a VLAN-aware server). On Cisco switches a port can also negotiate trunking dynamically through DTP; since a host that negotiates itself into a trunk can inject frames into every VLAN, set user-facing ports to access mode and disable negotiation (switchport nonegotiate).
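The tagging and untagging rules above, together with the native VLAN caveat, as an added example that is not code from the original page: a small Python model of 802.1Q frames and of how an access port and a trunk port handle them. The MAC addresses, VLAN numbers and the switch behaviour are constructed for illustration; in particular the model assumes that an access port accepts a frame already tagged with its own VLAN ID (and drops one tagged with any other), which is what the double-tag case relies on.

```python
import struct

TPID_8021Q = 0x8100  # Tag Protocol Identifier that marks an 802.1Q tag


def mac(s: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes, vids=()) -> bytes:
    """Ethernet II frame with zero or more 802.1Q tags (outermost first).
    Each tag is TPID (0x8100) + TCI; the low 12 bits of the TCI carry the VLAN ID."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vids)
    return mac(dst) + mac(src) + tags + struct.pack("!H", ethertype) + payload


def vlan_tags(frame: bytes) -> list:
    """Every VLAN ID stacked on the frame, outermost first."""
    vids, off = [], 12
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        vids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return vids


def insert_tag(frame: bytes, vid: int) -> bytes:
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


def strip_outer_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:] if vlan_tags(frame) else frame


# --- a minimal model of what one switch does with a frame at its ports ---

def access_receive(frame: bytes, access_vlan: int):
    """Access port ingress: untagged frames join the port's VLAN. Modelling
    assumption: a frame tagged with the port's own VLAN is accepted and that tag
    stripped; a tag for any other VLAN is dropped (returns None)."""
    tags = vlan_tags(frame)
    if not tags:
        return access_vlan, frame
    if tags[0] == access_vlan:
        return access_vlan, strip_outer_tag(frame)
    return None


def trunk_send(vlan: int, frame: bytes, native_vlan: int, tag_native: bool = False) -> bytes:
    """Trunk egress: tag the frame with its VLAN, except that the native VLAN
    leaves untagged unless the switch is configured to tag it as well."""
    if vlan == native_vlan and not tag_native:
        return frame
    return insert_tag(frame, vlan)


def trunk_receive(frame: bytes, native_vlan: int):
    """Trunk ingress: a tagged frame belongs to its OUTER tag's VLAN and only
    that one tag is removed; an untagged frame belongs to the native VLAN."""
    tags = vlan_tags(frame)
    if tags:
        return tags[0], strip_outer_tag(frame)
    return native_vlan, frame


ATTACKER, VICTIM = "00:11:22:33:44:55", "66:77:88:99:aa:bb"  # constructed addresses


def double_tag_attack(native_vlan: int, tag_native: bool = False):
    """An attacker on an access port in VLAN 1 sends a frame tagged [1, 20].
    Returns the VLAN the second switch delivers the frame into (None = dropped)."""
    frame = build_frame(VICTIM, ATTACKER, 0x0800, b"constructed payload", vids=(1, 20))
    accepted = access_receive(frame, access_vlan=1)          # switch 1, access port in VLAN 1
    if accepted is None:
        return None
    vlan, internal = accepted
    wire = trunk_send(vlan, internal, native_vlan, tag_native)  # switch 1 -> switch 2 trunk
    vlan_on_switch2, _ = trunk_receive(wire, native_vlan)
    return vlan_on_switch2


if __name__ == "__main__":
    print("native VLAN 1, sent untagged :", double_tag_attack(1))        # 20: hop succeeds
    print("native VLAN 999 (unused)     :", double_tag_attack(999))      # 1: stays in VLAN 1
    print("native VLAN 1, but tagged    :", double_tag_attack(1, True))  # 1: stays in VLAN 1
```

With the native VLAN equal to the attacker's access VLAN, switch 1 sends the frame untagged, so the inner tag becomes the outer one and switch 2 delivers it into VLAN 20. Either moving the native VLAN to an unused number or tagging the native VLAN makes the outer tag survive the trunk, and the frame stays in VLAN 1.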
An EtherChannel lets us bundle multiple physical ports on a switch into a single logical port. When the bundle is a switched interface this is known as a Layer 2 EtherChannel.
Layer 3 EtherChannels are also possible: the port-channel is configured as a routed interface with its own IP address rather than as a switched port, and sub-interfaces can be configured on it.
This technique provides link aggregation: traffic is shared across all the member ports of the EtherChannel between the two devices.
Configuration is applied to the EtherChannel (port-channel) interface rather than to each individual physical port on the device.
EtherChannel uses the existing ports on the switch, so no hardware upgrade is needed.
EtherChannel provides load balancing and aggregated bandwidth.
It provides redundancy on the network: if one member link fails, traffic continues over the remaining members.
Link Aggregation Control Protocol (LACP) is an open standard defined by IEEE 802.3ad (now maintained as IEEE 802.1AX) that lets switches from any vendor negotiate and form EtherChannels.
Half - Only one end of the link can transmit at a time; collisions are possible.
Full - Both ends can transmit and receive simultaneously; there are no collisions.
Auto - The interface will negotiate a mutual mode of operation. If the far end is set manually and does not negotiate, the auto side falls back to half duplex, producing a duplex mismatch with late collisions and poor throughput.
10 - Interface operating at 10Mb/s.
100 - Interface operating at 100Mb/s.
1000 - Interface operating at 1000Mb/s.
Auto - Interface will negotiate a mutual speed to operate.
Switch Port Analyzer (SPAN) is a port-mirroring feature built into the switch: traffic from one or more source ports or VLANs is copied to a destination port, where a network security monitoring device (an IDS sensor or a packet-capture host) listens.
Because the switch copies frames rather than handing over the originals, the copy is not a bit-exact replica: physical-layer signalling is not reproduced, and depending on the platform and session settings layer 2 details such as 802.1Q tags may be stripped before the frame is sent to the network security monitoring device.
Configuration is required on the switch to define the SPAN session (its sources and the destination, or mirror, interface).
Since the switch has to copy the traffic, the destination port can be oversubscribed (mirroring both directions of a full-duplex 1 Gb/s link onto a single 1 Gb/s destination, for example); excess copies are dropped, so gaps in the capture should be expected under load.
Remote SPAN (RSPAN) carries the mirrored traffic across switches inside a dedicated RSPAN VLAN, so a security engineer can capture traffic from a port on one switch with a monitoring device attached to another switch on the network.
Port Security is used to defend against a CAM table overflow (MAC flooding) attack by limiting how many source MAC addresses a port may learn.
It filters access to the switched network based on a device's source MAC address: allowed addresses can be configured statically, learned dynamically, or learned and saved (sticky). When the limit is exceeded the port takes the configured violation action (protect, restrict or shutdown; shutdown places the port in the err-disabled state).
Port security can be applied to access or trunk ports, but not to a port whose mode is negotiated dynamically; set the port mode explicitly first.
Jumbo frame – Any Ethernet frame larger than the standard maximum of 1,518 bytes (1,500 bytes of payload), commonly up to about 9,000 bytes; every device along the path must be configured to accept it.
Auto-MDIX is an auto-sensing feature built into the switch's firmware or operating system that detects the type of cable used to connect the switch to another device.
In the past you needed a crossover Ethernet cable to interconnect two switches.
With Auto-MDIX the switch swaps its transmit and receive pairs as needed, so either a straight-through or a crossover cable can be used to interconnect the switches.
Each frame entering a switch port carries a source and a destination MAC address in the frame header.
The source MAC address is recorded in the CAM (MAC address) table and associated with the port it arrived on; this table is what the switch later consults to decide which single port to forward a frame out of.
The aging time specifies how long the switch retains an entry in the CAM table before it is removed due to inactivity; the timer restarts each time a frame from that address arrives.
The default aging time on a Cisco switch is 300 seconds; the value can be configured in the range 0 to 1000000 seconds.
A value of 0 disables aging, so learned entries persist until the table is cleared or the switch reloads.
If no VLAN is specified when the timer is configured, it applies to all VLANs on the switch.
Power over Ethernet (PoE): electrical power supplied over the Ethernet cable
One cable carries both data and power
Typical powered devices: IP phones, cameras, wireless access points
Power is provided by the switch (the power sourcing equipment, PSE)
Mode A - Power carried on the data pairs
Mode B - Power carried on the spare pairs
IEEE 802.3af - The original PoE specification
Incorporated into 802.3at
Now part of 802.3-2012
15.4 watts DC power at the switch port (about 12.95 W available at the powered device after cable loss)
Maximum current of 350 mA
IEEE 802.3at (PoE+) - The updated PoE specification
Now also part of 802.3-2012
25.5 watts DC power available at the powered device (30 W at the switch port)
Maximum current of 600 mA
The Spanning Tree Protocol (STP), defined by IEEE 802.1D, was designed to prevent layer 2 loops on a network.
Switches are interconnected with redundant links to provide resilience, but without STP those links form loops; because Ethernet frames carry no time-to-live, a single broadcast would circulate forever and cause a broadcast storm.
STP elects a root bridge (the switch with the lowest bridge ID: priority first, then MAC address) and keeps a single active path from every switch to it, placing the redundant ports in a blocking state. Security caveat: any device that sends BPDUs with a lower bridge ID wins the root election and can pull traffic through itself, so enable BPDU guard on access ports and root guard on ports that should never lead toward the root.
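An added example, not code from the original page: an 802.1D root election and root-path computation in Python, run first on a constructed three-switch triangle and then with a rogue bridge of priority 0 plugged into it. Bridge names, priorities, MAC addresses and link costs are invented; the tie-break implemented (lowest root path cost, then lowest advertising bridge ID) is the standard one, but port-ID tie-breaks for parallel links between the same pair are not modelled.

```python
import heapq


def bid(bridges: dict, name: str) -> tuple:
    """802.1D bridge ID as a sortable tuple: lower priority wins, then lower MAC."""
    return bridges[name]  # stored as (priority, mac), which already sorts correctly


def spanning_tree(bridges: dict, links: list) -> dict:
    """bridges: name -> (priority, mac); links: [(a, b, cost), ...], one link per pair.
    Returns the root, each bridge's root path cost and root-port neighbour, and
    the (bridge, neighbour) ports left in blocking state."""
    root = min(bridges, key=lambda n: bid(bridges, n))
    adj = {n: [] for n in bridges}
    for a, b, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    best = {root: (0, None)}  # name -> (root path cost, upstream neighbour)
    heap = [(0, bid(bridges, root), root)]
    while heap:  # Dijkstra from the root, i.e. the BPDU comparison every bridge performs
        cost, _, n = heapq.heappop(heap)
        if cost > best[n][0]:
            continue
        for nb, c in adj[n]:
            if nb == root:
                continue
            cand = (cost + c, bid(bridges, n))  # tie-break on the advertising bridge's ID
            cur = best.get(nb)
            if cur is None or cand < (cur[0], bid(bridges, cur[1])):
                best[nb] = (cost + c, n)
                heapq.heappush(heap, (cost + c, bid(bridges, nb), nb))
    blocked = []
    for a, b, _ in links:
        if best[a][1] != b and best[b][1] != a:
            # neither end is a root port: the end with the higher (cost, bridge ID) blocks
            loser = max((a, b), key=lambda n: (best[n][0], bid(bridges, n)))
            blocked.append((loser, b if loser == a else a))
    return {"root": root,
            "root_path_cost": {n: c for n, (c, _) in best.items()},
            "root_port_to": {n: via for n, (_, via) in best.items() if via},
            "blocked": blocked}


# Constructed topology: S1 is meant to be the root, the three switches form a triangle.
BRIDGES = {"S1": (4096, "00:00:5e:00:53:01"),
           "S2": (32768, "00:00:5e:00:53:02"),
           "S3": (32768, "00:00:5e:00:53:03")}
LINKS = [("S1", "S2", 4), ("S1", "S3", 4), ("S2", "S3", 4)]


def with_rogue() -> dict:
    """Same topology plus a rogue bridge (priority 0) attached to S2 and S3."""
    bridges = dict(BRIDGES, ROGUE=(0, "00:00:5e:00:53:ff"))
    return spanning_tree(bridges, LINKS + [("ROGUE", "S2", 4), ("ROGUE", "S3", 4)])


if __name__ == "__main__":
    print("intended:", spanning_tree(BRIDGES, LINKS))  # root S1, S3's port to S2 blocks
    print("rogue   :", with_rogue())                   # root ROGUE, S1 now 8 away via S2
```

In the intended topology S1 is root and only S3's port toward S2 blocks. Once the rogue advertises priority 0 it becomes root: S2 and S3 both forward toward it, the S1 to S3 link blocks, and every S2 to S3 conversation now crosses the attacker's box. BPDU guard on the access port the rogue is plugged into would have err-disabled that port on the first BPDU.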
CSMA/CD defines how devices on a shared (half-duplex) wired Ethernet segment behave when two of them attempt to transmit at the same time.
Before a device sends a frame onto the network, it listens for a carrier on the wire. If a signal is present, it waits and checks again until the medium is idle, then transmits.
While a device is transmitting, its signal is present on the whole segment; if two devices still start at the same moment, the collision is detected, both stop, and each waits a random back-off before retrying. On a switched network each link is a point-to-point full-duplex segment with no shared medium, so collisions cannot occur and CSMA/CD is not used.
ARP is used on a local network to resolve an IP address to a MAC address. ARP requests are broadcast and replies carry no authentication, which is why ARP spoofing is possible within a VLAN.
Cisco switches forward frames using one of three methods: store-and-forward, cut-through or fragment-free.
With store-and-forward the switch buffers the entire frame in memory and verifies its frame check sequence (FCS) before forwarding it; corrupted frames are discarded, so only error-free frames are passed on, at the cost of added latency.
With cut-through the switch reads only the destination MAC address, the first 6 bytes of the frame, looks it up in the CAM table and begins forwarding immediately. This minimises latency but passes on corrupted frames, because the FCS at the end of the frame is never checked.
Fragment-free switching works like cut-through, except that the switch waits for the first 64 bytes of the frame before forwarding. Collisions produce fragments shorter than 64 bytes, so this filters out collision fragments (runts) while still not detecting errors later in the frame.
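The three methods as an added example, not code from the original page: Python functions that model how much of a frame each method inspects before committing to forward, applied to a constructed good frame, the same frame with one corrupted payload byte, and a collision fragment. The FCS is the real Ethernet CRC-32; the addresses and payload are invented.

```python
import zlib

MIN_FRAME = 64  # minimum Ethernet frame size including FCS; anything shorter is a runt


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def fcs(data: bytes) -> bytes:
    """Ethernet Frame Check Sequence: CRC-32 over dst..payload, least significant byte first."""
    return zlib.crc32(data).to_bytes(4, "little")


def build_frame(dst: str, src: str, payload: bytes) -> bytes:
    body = mac(dst) + mac(src) + (0x0800).to_bytes(2, "big") + payload
    return body + fcs(body)


def fcs_valid(frame: bytes) -> bool:
    return len(frame) > 4 and fcs(frame[:-4]) == frame[-4:]


def store_and_forward(frame: bytes) -> dict:
    """Buffers the whole frame and checks the FCS before deciding."""
    ok = len(frame) >= MIN_FRAME and fcs_valid(frame)
    return {"forward": ok, "bytes_inspected": len(frame)}


def cut_through(frame: bytes) -> dict:
    """Commits as soon as the 6-byte destination MAC is in; never sees the FCS."""
    return {"forward": len(frame) >= 6, "bytes_inspected": min(6, len(frame))}


def fragment_free(frame: bytes) -> dict:
    """Waits for the first 64 bytes so collision fragments are dropped, but still
    forwards frames whose damage lies beyond byte 64."""
    return {"forward": len(frame) >= MIN_FRAME, "bytes_inspected": min(MIN_FRAME, len(frame))}


def flip_byte(frame: bytes, index: int) -> bytes:
    return frame[:index] + bytes([frame[index] ^ 0xFF]) + frame[index + 1:]


def compare(frame: bytes) -> dict:
    """Which forwarding methods would pass this frame on."""
    methods = (("store-and-forward", store_and_forward), ("cut-through", cut_through),
               ("fragment-free", fragment_free))
    return {name: fn(frame)["forward"] for name, fn in methods}


# Constructed frames: 118 bytes total (14-byte header, 100-byte payload, 4-byte FCS).
GOOD = build_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02", b"A" * 100)
CORRUPT = flip_byte(GOOD, 90)  # bit errors late in the payload: only the FCS reveals them
RUNT = GOOD[:40]               # collision fragment: cut short, no valid FCS

if __name__ == "__main__":
    for label, frame in (("good", GOOD), ("corrupt", CORRUPT), ("runt", RUNT)):
        print(label, compare(frame))
```

Only store-and-forward rejects the corrupted frame; fragment-free catches the runt but not the late corruption; cut-through forwards all three.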
Each frame has a source and a destination MAC address.
When a frame enters the switch and its destination MAC address is in the CAM table, it is forwarded out of that one port only.
If the destination address is unknown to the switch (or is a broadcast), the frame is flooded out of all ports in the VLAN except the port it arrived on. This is the behaviour a CAM table overflow attack exploits: once the table is full, traffic to addresses that can no longer be learned is flooded to the attacker's port as well.
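An added example, not code from the original page, covering the CAM table learning and aging timer described earlier, the forward-or-flood rule above, and the port-security defence: a toy switch model in Python with a constructed CAM overflow scenario. The port names, MAC addresses, the table capacity of 8 entries and the "shutdown" violation behaviour are assumptions of the model.

```python
class Switch:
    """Toy layer 2 switch: CAM table learning, aging, unknown-unicast flooding
    and a per-port port-security limit. Time is an integer number of seconds
    supplied by the caller so the scenarios are deterministic."""

    BROADCAST = "ff:ff:ff:ff:ff:ff"

    def __init__(self, ports, aging_time=300, capacity=None):
        self.ports = list(ports)
        self.aging_time = aging_time  # 300 s is the Cisco default; 0 disables aging
        self.capacity = capacity      # maximum CAM entries (None = unlimited); model assumption
        self.cam = {}                 # source MAC -> (ingress port, last seen)
        self.max_macs = {}            # port -> port-security MAC limit
        self.violations = {}          # port -> frames rejected by port security
        self.err_disabled = set()     # ports shut down by a violation ("shutdown" mode)

    def enable_port_security(self, port, maximum=1):
        self.max_macs[port] = maximum
        self.violations[port] = 0

    def age(self, now):
        """Remove entries idle for at least aging_time seconds."""
        if self.aging_time == 0:
            return
        for m in [m for m, (_, seen) in self.cam.items() if now - seen >= self.aging_time]:
            del self.cam[m]

    def _learn(self, port, src, now):
        """Record src behind port; False means port security rejected the frame."""
        if src in self.cam and self.cam[src][0] == port:
            self.cam[src] = (port, now)  # refresh: the aging timer restarts
            return True
        limit = self.max_macs.get(port)
        if limit is not None and sum(1 for p, _ in self.cam.values() if p == port) >= limit:
            self.violations[port] += 1
            self.err_disabled.add(port)
            return False
        if self.capacity is not None and len(self.cam) >= self.capacity:
            return True  # table full: the frame is still forwarded, but nothing is learned
        self.cam[src] = (port, now)
        return True

    def receive(self, port, src, dst, now):
        """Handle one frame; returns the list of ports it is sent out of."""
        self.age(now)
        if port in self.err_disabled or not self._learn(port, src, now):
            return []
        if dst == self.BROADCAST or dst not in self.cam:  # flood within the VLAN
            return [p for p in self.ports if p != port and p not in self.err_disabled]
        out = self.cam[dst][0]
        return [] if out == port else [out]


def overflow_demo(port_security: bool) -> dict:
    """Constructed scenario: an attacker on Gi0/3 sprays fake source MACs so that,
    once the victim's entry ages out, it can never be re-learned."""
    sw = Switch(["Gi0/1", "Gi0/2", "Gi0/3"], aging_time=300, capacity=8)
    if port_security:
        sw.enable_port_security("Gi0/3", maximum=2)
    victim, server = "00:00:5e:00:53:01", "00:00:5e:00:53:02"  # constructed addresses
    sw.receive("Gi0/1", victim, server, now=0)
    sw.receive("Gi0/2", server, victim, now=0)
    fake_macs = [f"de:ad:be:ef:00:{i:02x}" for i in range(40)]
    for now in (1, 250, 310):  # the attacker keeps spraying
        for m in fake_macs:
            sw.receive("Gi0/3", m, Switch.BROADCAST, now)
    egress = sw.receive("Gi0/2", server, victim, now=320)  # victim's entry aged out at 300 s
    return {"attacker_sees_victim_traffic": "Gi0/3" in egress,
            "cam_entries": len(sw.cam),
            "violations": sw.violations.get("Gi0/3", 0),
            "port_err_disabled": "Gi0/3" in sw.err_disabled}


if __name__ == "__main__":
    print("no port security:", overflow_demo(False))  # attacker_sees_victim_traffic True
    print("port security   :", overflow_demo(True))   # False; Gi0/3 err-disabled after 1 violation
```

Without port security the attacker's addresses occupy every slot once the victim's entry ages out, so the server's next frame to the victim is flooded and Gi0/3 receives it. With a limit of two addresses on Gi0/3, the third fake source trips the violation, the port is err-disabled, and the flood no longer reaches the attacker.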
Network discovery protocols help network devices such as switches learn about the characteristics of other networking devices connected directly to them.
The Cisco Discovery Protocol (CDP) is a Cisco-proprietary protocol that runs directly over layer 2 (SNAP-encapsulated, with no IP header) but advertises layer 3 information such as the device's IP addresses.
CDP lets Cisco switches learn about their directly connected neighbours such as other switches and routers.
CDP is enabled by default on Cisco switches and routers.
Devices exchange advertisements (messages) addressed to the multicast MAC address 01:00:0C:CC:CC:CC; the messages are unauthenticated and sent in cleartext, so any host on the segment can read them.
A CDP message contains the following:
IOS version
Device model and type (platform and capabilities)
The interface on each side of the link (local port and the neighbour's port ID)
Hostnames (device ID)
Because the IOS version and platform tell an attacker exactly which known vulnerabilities apply, disable CDP on ports facing untrusted devices (no cdp enable on the interface) or globally where it is not needed.
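What a CDP advertisement discloses, as an added example that is not code from the original page: a Python builder and parser for the 802.3/LLC/SNAP-encapsulated CDP frame and its type-length-value fields, run on a constructed advertisement. The device name, port, version string and platform are invented. The TLV types and capability bits used are the common ones (device ID, port ID, capabilities, software version, platform); the checksum is modelled as the plain Internet checksum, and the model only builds even-length payloads because real CDP handles an odd trailing byte differently.

```python
import struct

CDP_MULTICAST = "01:00:0c:cc:cc:cc"
CISCO_OUI, CDP_PID = b"\x00\x00\x0c", 0x2000
TLV_NAMES = {0x0001: "device_id", 0x0003: "port_id", 0x0004: "capabilities",
             0x0005: "software_version", 0x0006: "platform"}
CAPABILITY_BITS = {0x01: "Router", 0x08: "Switch", 0x10: "Host"}


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def internet_checksum(data: bytes) -> int:
    """Plain 16-bit ones'-complement sum (model assumption: even-length payloads only)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tlv(tlv_type: int, value: bytes) -> bytes:
    """CDP TLV: 2-byte type, 2-byte length that includes the 4-byte header, value."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_cdp_frame(src_mac, device_id, port_id, sw_version, platform, caps=0x08, ttl=180) -> bytes:
    """802.3 frame with an LLC/SNAP header (Cisco OUI, PID 0x2000) carrying a CDPv2 advertisement."""
    body = (tlv(0x0001, device_id.encode()) + tlv(0x0003, port_id.encode())
            + tlv(0x0004, struct.pack("!I", caps)) + tlv(0x0005, sw_version.encode())
            + tlv(0x0006, platform.encode()))
    cdp = struct.pack("!BBH", 2, ttl, 0) + body  # version 2, TTL, checksum placeholder
    if len(cdp) % 2:
        raise ValueError("this model only supports even-length CDP payloads")
    cdp = cdp[:2] + struct.pack("!H", internet_checksum(cdp)) + cdp[4:]
    llc_snap = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", CDP_PID)
    length = len(llc_snap) + len(cdp)  # 802.3 length field, not an EtherType
    return mac(CDP_MULTICAST) + mac(src_mac) + struct.pack("!H", length) + llc_snap + cdp


def parse_cdp_frame(frame: bytes) -> dict:
    """Extract what the advertisement discloses, as any host on the segment could."""
    if frame[:6] != mac(CDP_MULTICAST):
        raise ValueError("not sent to the CDP multicast address")
    if (frame[14:17] != b"\xaa\xaa\x03" or frame[17:20] != CISCO_OUI
            or struct.unpack("!H", frame[20:22])[0] != CDP_PID):
        raise ValueError("not a CDP SNAP frame")
    length = struct.unpack("!H", frame[12:14])[0]
    cdp = frame[22:14 + length]
    version, ttl, checksum = struct.unpack("!BBH", cdp[:4])
    if internet_checksum(cdp[:2] + b"\x00\x00" + cdp[4:]) != checksum:
        raise ValueError("CDP checksum mismatch")
    info = {"cdp_version": version, "ttl": ttl, "source_mac": frame[6:12].hex(":")}
    off = 4
    while off + 4 <= len(cdp):
        tlv_type, tlv_len = struct.unpack("!HH", cdp[off:off + 4])
        if tlv_len < 4 or off + tlv_len > len(cdp):
            raise ValueError("malformed TLV")
        value = cdp[off + 4:off + tlv_len]
        name = TLV_NAMES.get(tlv_type, "tlv_0x%04x" % tlv_type)
        if tlv_type == 0x0004:
            bits = struct.unpack("!I", value)[0]
            info[name] = [n for b, n in CAPABILITY_BITS.items() if bits & b]
        elif tlv_type in TLV_NAMES:
            info[name] = value.decode()
        else:
            info[name] = value.hex()
        off += tlv_len
    return info


def sample_frame() -> bytes:
    """Constructed advertisement; every field is invented for the example."""
    return build_cdp_frame("00:00:5e:00:53:aa", "SW-CORE-01", "GigabitEthernet0/1",
                           "Cisco IOS Software (constructed sample version string)",
                           "cisco sample-platform-01", caps=0x08)


if __name__ == "__main__":
    for k, v in parse_cdp_frame(sample_frame()).items():
        print(f"{k:>17}: {v}")
```

Everything the parser prints (hostname, port, software version, platform, capabilities) is readable by any device on the same segment without authentication; the checksum only detects accidental corruption, not tampering.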
LLDP (Link Layer Discovery Protocol) is a vendor-neutral discovery protocol that also operates at layer 2 and is supported on non-Cisco devices.
LLDP is defined by IEEE 802.1AB, which makes it interoperable across vendors; like CDP it advertises device details in cleartext, so the same practice of disabling it on untrusted ports applies.