Sunday, 21 May 2017

BASIC INFORMATION ON LAN SWITCHING (ETHERNET SWITCHING):

Some Topics That You Might Want To Pursue On Your Own That We Did Not Cover In This Article Are Listed Here: 

ETHERNET LAN SWITCHING :


In The Early 1990s, Kalpana, Grand Junction, And Bay Networks Started To Ship Some Of The First Ethernet Switches. The Bay Networks 28115 Was One Of The First Switches To Introduce 10/100 Auto-Sensing Ports And VIRTUAL LANS (VLANS). 

More Importantly, All Switches Put An End To The Old Ethernet Repeater Rules, While Increasing Bandwidth. Until This Point, Many People Were Predicting That ATM Would Be The Only High-Speed Protocol In Use On The LAN, And If It Hadn't Been For The Ethernet Switch, They Might Have Been Right. 

ETHERNET SWITCHES PROVIDE SEVERAL KEY ADVANTAGES OVER TRADITIONAL SHARED MEDIA LANS:


• Significant Bandwidth Improvement By Limiting A Collision Domain To A Single Port. 

• Scalability. Repeater Rules Are Limited To A Single Port. 

• VLAN Capability. Broadcast Domains Can Be Located Logically And Are Not Limited By Geographical Boundaries. 

• Enhanced Security. 

• Full-Duplex Capability. 

A Switch Functions Much Like A Multiport Bridge. When Vlans Are Created, Virtual Bridges Are Created To Join The Ports In The VLAN. Broadcast, Unicast, And Multicast Traffic Is Forwarded To Each Member Of The VLAN. The Catalyst 5500 Series Switch Builds An Address Table By Recording The Source MAC Address Of Frames That It Received From Its Interfaces. 

When A Frame Destined For An Address Not Yet In The Address Table Is Received, The Switch Floods The Frame Out All Ports And Trunks In The Same VLAN As The Frame Was Received. The Switch Does Not Forward The Frame Out The Interface That It Received It. When A Reply For That Frame Is Received, The Switch Records The New Address In The Address Table. The Switch Forwards Subsequent Frames To A Single Port, Without Flooding It To All Ports. Traffic Can Leave The VLAN Only With The Aid Of A Router Or A Layer 3 Switch Providing Routing Functionality. 

SWITCHES FORWARD TRAFFIC IN THREE PRIMARY MODES:


STORE AND FORWARD : The Port Adapter Reads The Entire Frame Into Memory And Then Determines Whether The Frame Should Be Forwarded. The Frame Is Forwarded Only If It Does Not Contain Any Errors. Store-And-Forward Mode Reduces The Amount Of Errors On The LAN, But There Is A Delay Associated With Reading And Verifying The Frame Before Forwarding It. In Modern ASIC-Based Switches, The Speed Of The ASIC Has Become So Great That The Latency Associated With Store-And-Forward Switches Is A Nonissue. 

CUT-THROUGH : In This Mode, The Port Receives The First Few Bytes Of A Frame And Analyzes The Packet Header To Determine The Destination Of The Frame And Immediately Begins To Forward That Frame. The Frame Is Not Checked For Any Errors Before Forwarding, So This Mode Does Propagate Bad Frames On The Network. 

ADAPTIVE CUT-THROUGH : This Mode Combines Both Aspects Of Cut-Through And Store-And-Forward Modes. In This Mode, The Port Operates In Cut-Through Mode Until A User-Defined Threshold Of Frame Errors Is Detected. When The Threshold Is Exceeded, The Port Switches To Store-And-Forward Mode. 

BROADCAST DOMAINS AND COLLISION DOMAINS


Two Key Concepts In Switched Networks Are Broadcast Domains And Collision Domains. A Broadcast Domain Is The Area Of The Network That Forwards Broadcasts From One Portion Of Network To The Next. A Practical Example Of A Broadcast Domain Is An IP Or IPX Subnet. A Collision Domain Is A Function Of The Physical Properties Of A Device. Devices In The Same Collision Domain Reside On The Same "Wire" Or Hub/Repeater. 

THREE PRIMARY TRUNKING ENCAPSULATIONS ARE AVAILABLE FOR ETHERNET :


INTER-SWITCH LINK (ISL): ISL Is A Cisco Proprietary Trunking Encapsulation. ISL Is A Frame-Tagging Protocol; The Frames On The Link Contain The Standard Ethernet, FDDI, Or Token Ring Frame And The VLAN Information Associated With That Frame. ISL Is Supported On Links That Are 100 Mbps Or Greater In Speed. ISL Is An Extremely Efficient Protocol, And It Is The Protocol That Cisco Uses Internally For Catalyst To Communicate With The Route Switch Modules (RSMS) Or Other Layer 3 Switching Fabric. Spanning Tree Is Run On A Per-VLAN Basis (PVST) On ISL Trunks. This Means That Every VLAN Has A Root Bridge, And Trunks Go Into A Forward/Blocking Mode For Each VLAN On Each Trunk. PVST Is Critical To Control On Large Networks, As Discussed In Upcoming Sections. 

IEEE 802.1Q : 802.1q Is The Industry-Standard Trunking Protocol. 802.1q Operates Slightly Differently Than ISL. It Runs Mono Spanning Tree (MST) On The Default VLAN For All Vlans In The VTP Domain. In MST, One Root Bridge Is Elected For The Entire VTP Domain; This Is Called The Common Spanning Tree (CST). All VLAN Information Follows One Path In This Type Of Configuration. Cisco, Understanding The Need To Control Spanning Tree On Large Networks While Controlling Load, Implements PVST On All 802.1q VLANS. The Following Is A List Of Other Restrictions On 802.1q Trunks: 

- The Default VLAN Needs To Be The Same On Both Ends Of The Trunk. MST Will Run In This VLAN. It Is Critical That The Default VLAN Be The Same On Third-Party Switches Interacting With Cisco Switches. 

- As Mentioned, 802.1q Uses MST. Cisco Overrides This, By Default, With PVST. Because The BPDUS Are Handled Differently Between Cisco And Third-Party Switches, Care Should Be Taken Whenever Integrating These Domains That Spanning Tree And The Default VLANs Are Consistent In Both Switches. The Entire Cisco VTP Domain Looks Like A Single Broadcast/ Spanning Tree Domain To The Third-Party Switches. 

- BPDUS On The Native VLAN Of The Trunk Are Sent Untagged To The Reserved IEEE 802.1d Spanning Tree Multicast MAC Address (0180.C200.0000). The BPDUS On All Other VLANS On The Trunk Are Sent And Tagged On The Reserved Cisco Shared Spanning Tree (SSTP) Multicast MAC Address (0100.0ccc.Cccd). 

IEEE 802.10 : 802.10 Was Actually The First Protocol That The Industry Tried To Use For A VLAN Trunking Protocol. It Originally Was Developed For Extra Security On Defense Networks Or Large Mans. It Primarily Is Used On FDDI Networks Today Because Of Its Limitations. 

VLAN TRUNKING PROTOCOL (VTP): :


Before You Create VLANS You Must Decide What VTP Mode To Use In Your Network. With VTP You Can Make VLAN Configuration Changes Centrally On One Or More Switches And Have Those Changes Automatically Communicated To All The Other Switches In The Network. 

VTP Is A Layer 2 Messaging Protocol That Maintains VLAN Configuration Consistency By Managing The Addition, Deletion, And Renaming Of Vlans On A Network-Wide Basis. VTP Minimizes Mis-Configurations And Configuration Inconsistencies That Can Result In A Number Of Problems Such As Duplicate VLAN Names, Incorrect VLAN-Type Specifications, And Security Violations. The VLAN Database Built Is Stored In NVRAM, Separately The Configuration. 

AS Recommends Transparent Mode. As The Majority Of Customers Do Not Create Or Delete VLANS Frequently, When A New VLAN Is Needed It Is Not Much Effort To Update All Switches In A Domain, Usually Numbering 20 Or Less. 

• This Practice Encourages Good Change Control. 

• Limits The Risk Of A User Error, Such As Deleting A VLAN, Impacting The Entire Domain. 

• Eliminated The Risk Of Any VTP Bug Affecting The Entire Network. 

• There is no risk from a new switch being introduced into the network with a higher VTP revision number and over-writing the entire domain's VLAN configuration. There is a positive and negative side to VTP being able to make changes very easily on a network - most enterprises prefer a cautious approach. 

• STP per VLAN and unnecessary flooding should be limited by explicit configuration (i.e. pruning) of what VLANs are propagated on what trunks. A per switch VLAN configuration also encourages this practice. 

• The extended VLAN range in CatOS 6.x, numbers1025-4094, can only be configured in this way. 

TRUNKING MODE :


Purpose : DTP Is The Second Generation Of DISL (DYNAMIC ISL) And Exists To Ensure That The Different Parameters Involved In Sending ISL Or 802.1Q Frames, Like The Configured Encapsulation Type, Native VLAN, Hardware Capability, Etc. 

Are Agreed By The Catalysts At Either End Of A Trunk. This Also Helps Protect Against Non-Trunk Ports Flooding Tagged Frames, A Potentially Serious Security Risk, By Ensuring Ports And Their Neighbors Are Either In A Safe Trunking Or Non-Trunking State. 

Operational Overview : DTP Is A Layer-2 Protocol That Negotiates Configuration Parameters Between A Switch Port And It's Neighbor. It Uses Another Well-Known Multicast MAC Address Of 01-00-0c-Cc-Cc-Cc And A SNAP Protocol Type Of 0x2004. Here Is A Summary Of The Configuration Modes: 

Note : ISL And 802.1Q Encapsulation Type Can Be Set Or Negotiated - ISL Will Be Preferred Over Dot1q, But Is Recommended To Be Set. 

• DTP Assumes Point-To-Point Connection, And Cisco Devices Will Support 802.1Q Trunk Ports That Are Only Point-To-Point. 

• During DTP Negotiation, The Ports Will Not Participate In STP. Only After The Port Type Becomes One Of The Three Types (Access, ISL Or 802.1Q), The Port Will Be Added To STP. (If Pagp Is Running That Is The Next Process To Run Prior To The Port Participating In STP). 

• VLAN 1 Will Usually Be There On The Trunk Port. If The Port Is Trunking In ISL Mode, DTP Packets Are Sent Out On VLAN 1, Otherwise (For 802.1Q Trunking Or Non-Trunking Ports) On The Native VLAN. 

HIERARCHICAL (MULTILAYER) NETWORK DESIGN:


• In Desirable Mode DTP Packets Transfer The VTP Domain Name, Which Must Match For A Negotiated Trunk To Come Up, Plus Trunk Configuration And Admin Status. 

• Messages Are Sent Every 1s During Negotiation, And Every 30s After That. 

• Be Careful That It Is Understood Modes (On, Nonegotiate, Off) Explicitly Specify In Which State The Port Will End Up. A Bad Configuration Can Lead To A Dangerous Inconsistent State Where One Side Is Trunking And The Other Is Not. A Port In On, Auto, Or Desirable Sends DTP Frames Periodically. If A Port In Auto Or Desirable Mode Doesn't See A DTP Packet In 5min It Will Be Set To Non-Trunk.

.

NCAR DESIGN REVIEW AND RECOMMENDATIONS V1.0 18:


By Default, Trunking Ports Will Propagate Information About All Vlans, But AS Recommends Limiting That To The Vlans Defined On The Wiring Closet Switches. This Practice Has Many Advantages, Most Importantly, Is The Ability To Isolate Issues, Broadcasts, And Loops To One Wiring Closet Instead Of The Entire Network. 

INFORMATION ON LAN SWITCHING FOR EXTENDED REFERENCE :


UPLINKFAST, PORTFAST, BACKBONEFAST : These Are Ways To Help The STP Process Deal With User Traffic During Initialization Or Failure While STP Is Converging. These Technologies Are Simple To Configure And Can Avoid Lost Throughput During STP Convergence. 

FAST ETHERCHANNEL/GIGABIT ETHERCHANNEL: Etherchannel Provides A Way For The Router To Aggregate Up To Four Fast Ethernet Ports In A Bundle. The Technology Also Applies To Gigabit Ethernet. We Like To Think Of Etherchannel As The PPP Multilink Of Ethernet. Etherchannel Treats The Bundle As One Large Physical Link And Can Distribute Traffic In Different Ways Across The Bundle. With Full-Duplex Mode, Etherchannel Bundles Can Reach Speeds Of 800 Mbps To 8,000 Mbps. Etherchannel Can Help Avoid Some STP Issues Because It Offers Resiliency Between Switches. When A Link Goes Down, The Bundle Simply Loses Bandwidth And Does Not Need To Wait For STP To Converge Before Sending User Traffic. There Are Rules To Etherchannel And How Ports Can Be Bundled, And They Are Different For The Various Families Of Switches. There Is Also The Drawback That Etherchannel Can Be Used Only To Connect Two Switches—For Example, Bundles Cannot Be Split Across Switches. 

PORT SECURITY An Advanced Security Function Of All Cisco Switches Is Port Security. Port Security Allows You To Limit The Access On A Port To A Single MAC Address. When Another User Plugs Into The Port With A Different MAC Address, The Port Can Be Shut Down, Or Traps Can Be Sent To A Network-Management Station. This Is A Helpful Feature In The Field Because It Strictly Controls Physical Access To The Switch And Unwanted Moves Or Changes. 



CONCLUSION:


The Goal Of This Article Is To Give An Easy Way To Understand The “BASIC INFORMATION ON LAN SWITCHING (ETHERNET SWITCHING)". Hope This Article Will Help Every Beginners Who Are Going To Start Cisco Lab Practice Without Any Doubts. 

Some Topics That You Might Want To Pursue On Your Own That We Did Not Cover In This Article Are Listed Here, Thank You And Best Of Luck. 

This Article Written Author By: Premakumar Thevathasan. CCNA, CCNP, CCIP, MCSE, MCSA, MCSA - MSG, CIW Security Analyst, CompTIA Certified A+. 

DISCLAIMER:


This Document Carries No Explicit Or Implied Warranty. Nor Is There Any Guarantee That The Information Contained In This Document Is Accurate. Every Effort Has Been Made To Make All Articles As Complete And As Accurate As Possible. 

It Is Offered In The Hopes Of Helping Others, But You Use It At Your Own Risk. The Author Will Not Be Liable For Any Special, Incidental, Consequential Or Indirect Any Damages Due To Loss Of Data Or Any Other Reason That Occur As A Result Of Using This Document. But No Warranty Or Fitness Is Implied. The Information Provided Is On An "As Is" Basic. All Use Is Completely At Your Own Risk. 

No comments:

PAN-OS Supported ciphers

Following is a list of supported ciphers for PAN-OS 7.1 and later: SSLv3 Ciphers Supported (No change from PAN-OS 7.0) Non-FIPS mod...