Switching & VLANs

Upload: mike-mclain

Post on 19-Jun-2015

Page 1: Switching & VLANs

Page 2: Switching Basics

A switch acts as a multiport bridge, and its basic duty is to break up collision domains.

Layer 2 switches and bridges are faster than routers because they don't take up time looking at the Network layer header information.

Switches look at a frame's hardware addresses before deciding to either forward the frame or drop it.

Page 3: Switching Basics

Switches create private, dedicated collision domains. They provide independent bandwidth on each port. Layer 2 switching provides the following:

Hardware-based bridging (Application Specific Integrated Circuit, ASIC)

Wire speed

Low latency

Low cost

Page 4: Switching Basics

Switches do not make any modification to the data packet.

They only read the frame encapsulating the packet. This makes the switching process considerably faster and less error-prone than the routing process.

Page 5: Switches create private domain

Page 6: Bridging vs. LAN Switching

Bridges are software based, while switches are hardware based, because switches use ASIC chips to help make filtering decisions.

A switch is basically a multiport bridge. Bridges can only have one spanning tree instance per bridge, while switches can have many. Switches have a greater number of ports.

Page 7: Bridges and Switches

Both possess multiple collision domains but one broadcast domain.

Both learn MAC addresses by examining the source address of each frame received.

Both make forwarding decisions based on layer 2 addresses.

Page 8: Functions of Switch

Address Learning: Layer 2 switches remember the source hardware address of each frame received on an interface. Switches enter this information into a MAC database called a forward/filter table.

Forward/Filter Decision: When a frame is received on an interface, the switch looks at the destination hardware address and finds the exit interface in the MAC database. The frame is only forwarded out the specified destination port.

Page 9: Functions of Switch

Loop Avoidance: If multiple connections between switches are created for redundancy purposes, network loops can occur. Spanning Tree Protocol (STP) is used to stop network loops while still permitting redundancy.

Page 10: Address Learning

When a switch is first powered on, the MAC forward/filter table is empty.

When an interface receives a frame, the switch places the frame's source address in the MAC forward/filter table, allowing it to remember which interface the sending device is located on.

The switch then floods the network with this frame out of every port except the source port, because it has no idea where the destination device is actually located.

Page 11: Address Learning

If a device answers this flooded frame and sends a frame back, then:

The switch takes the source address from that frame and places the MAC address in the database as well.

The switch associates this address with the interface that received the frame.

Since the switch now has both relevant MAC addresses in its filtering table, the two devices can make a point-to-point connection.

Page 12:

Page 13:

Page 14: Forward/Filter Decisions

When a frame arrives at a switch interface, the destination hardware address is compared to the MAC forward/filter table.

If the destination hardware address is known and listed in the database, the frame is only sent out the correct exit interface.

This preserves bandwidth and is called frame filtering.

Page 15: Forward/Filter Decisions

If the destination hardware address is not listed in the MAC database, then the frame is flooded out all active interfaces except the interface the frame was received on.

If a device answers the flooded frame, the MAC database is updated with the device's interface.

Page 16: Loop Avoidance

Redundant links between switches are a good idea because they help prevent complete network failure in the event one link stops working.

But with redundant links, frames can be flooded down all redundant links simultaneously, resulting in network loops.

Page 17: Broadcast Storm

Redundant links may invite the following set of problems:

If no loop avoidance schemes are put in place, the switches will flood broadcasts endlessly. The following figure illustrates it.

Page 18:

A device can receive multiple copies of the same frame, since that frame can arrive from multiple segments simultaneously. The following figure demonstrates it best.

The server in this figure sends a unicast frame to router C.

Since it's a unicast frame, switch A forwards the frame, and switch B provides the same service and forwards the frame too. This is not good, because now router C will receive the unicast frame twice, causing additional overhead on the network.

Page 19:

The MAC address filter table will be totally confused about a device's location, because the switch can receive the frame from more than one link.

Multiple loops could be generated. This means a loop can occur within another loop.

Page 20: Spanning Tree Protocol

Its main task is to stop loops from occurring at layer 2 (bridges or switches).

It monitors the network to find all links, making sure that no loops occur by shutting down the redundant link.

It uses the Spanning Tree Algorithm (STA) to first create a topology database, then search out and destroy redundant links.

With STP running, frames are only forwarded on the links STP picked.

Page 21: LAN Switch Types

LAN switch types decide how a frame is handled when it's received on a switch port.

Latency: the time a switch takes for a frame to be sent out an exit port once the switch receives the frame.

There are three switching modes:

Cut-through (Fast Forward)

Fragment Free (Modified cut-through)

Store-and-forward

Page 22:

Cut-through (Fast Forward): In this mode, the switch only waits for the destination hardware address to be received before it looks up the destination address in the MAC filter table.

Fragment Free (Modified cut-through): In this mode, the switch checks the first 64 bytes of a frame for fragmentation before forwarding it. This is the default mode for the Catalyst 1900 series switch.

Store-and-forward: In this mode, the complete frame is received into the switch's buffer, a CRC is run, and then the switch looks up the destination address in the MAC forward/filter table.

Page 23: Different switching modes within a frame

Page 24: Cut-Through

With the cut-through switching method, the LAN switch reads only the destination.

That is, it looks at the first six bytes following the preamble.

It then:

Looks up the hardware destination address in the MAC switching table.

Determines the outgoing interface.

Proceeds to forward the frame towards its destination.

A cut-through switch helps in reducing latency, because it begins to forward the frame as soon as it reads the destination address and determines the outgoing interface.

Page 25: Fragment Free (Modified Cut-Through)

It is a modified form of cut-through switching in which the switch waits for the collision window (64 bytes) to pass before forwarding.

This is because if a packet has a collision error, it almost always occurs within the first 64 bytes.

This means each frame will be checked into the data field to make sure no fragmentation has occurred.

Fragment Free mode provides better error checking than the cut-through mode with practically no increase in latency.

It is the default switching mode for 1900 switches.

Page 26: Store-and-Forward

It is Cisco's primary LAN switching method. In this method, the LAN switch copies the entire frame into its onboard buffers and then computes the CRC (Cyclic Redundancy Check).

Since it copies the entire frame, latency through the switch varies with frame length.

The frame is discarded if it contains a CRC error, if it is too short (less than 64 bytes including the CRC), or if it is too long (more than 1518 bytes including the CRC).

If the frame doesn't contain any error, the LAN switch looks up the destination hardware address in its MAC forward/filter table to find the correct outgoing interface.
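A worked comparison of the three modes from pages 21 to 26, added here as Python code that is not part of the original slides. The frame builder, the sample addresses and the corrupted frame are constructed for the example; the FCS is computed with the CRC-32 from Python's zlib, which uses the same polynomial and bit conventions as the Ethernet FCS, and the 64-byte and 1518-byte limits are the ones the slide states. The point it makes visible is that cut-through has already picked an exit port before any error can be seen, fragment-free catches only runts, and store-and-forward is the sole mode that drops a frame with a damaged payload.

```python
import struct
import zlib

MIN_FRAME = 64    # shortest legal frame, including the 4-byte FCS
MAX_FRAME = 1518  # longest legal untagged frame, including the FCS
DST_END = 6       # a cut-through switch decides after these bytes


def build_frame(dst, src, ethertype, payload):
    """Build an Ethernet frame with a correct FCS. The FCS is CRC-32 as zlib
    computes it (same polynomial and conventions as the Ethernet FCS),
    appended least-significant byte first."""
    payload = payload.ljust(46, b"\x00")  # pad so the frame reaches 64 bytes
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def store_and_forward_check(frame):
    """Return None if the whole frame passes the checks the slides list for
    store-and-forward, otherwise the reason the switch would discard it."""
    if len(frame) < MIN_FRAME:
        return "runt"
    if len(frame) > MAX_FRAME:
        return "giant"
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != fcs:
        return "crc-error"
    return None


def cut_through_decision(frame):
    """Cut-through looks only at the first six bytes after the preamble, the
    destination address. It returns that address; nothing else is checked."""
    return frame[:DST_END]


def fragment_free_check(frame):
    """Fragment-free waits for the 64-byte collision window; anything shorter
    is treated as a collision fragment. Nothing past byte 64 is inspected."""
    return "runt" if len(frame) < MIN_FRAME else None


def compare_modes(frame):
    """What each mode does with the same frame: the destination cut-through
    would forward to, and the verdicts of the two checking modes."""
    return {
        "cut-through": cut_through_decision(frame).hex(":"),
        "fragment-free": fragment_free_check(frame),
        "store-and-forward": store_and_forward_check(frame),
    }


# Constructed sample: a minimum-size frame whose payload is then corrupted in
# transit, the case where only store-and-forward catches the damage.
DST = bytes.fromhex("001122aabbcc")
SRC = bytes.fromhex("001122ddeeff")
GOOD_FRAME = build_frame(DST, SRC, 0x0800, b"hello")
BAD_CRC_FRAME = GOOD_FRAME[:20] + b"\xff" + GOOD_FRAME[21:]

if __name__ == "__main__":
    print(compare_modes(GOOD_FRAME))
    print(compare_modes(BAD_CRC_FRAME))
    print(compare_modes(GOOD_FRAME[:40]))  # a collision fragment
```

Run as a script it prints one dictionary per frame; the corrupted frame shows cut-through still returning the destination, fragment-free returning None, and store-and-forward returning "crc-error", which is exactly the latency-versus-error-checking trade-off the slides describe.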

Page 27: Spanning Tree Terms

STP: It is a bridge protocol that uses the STA to find redundant links dynamically. It creates a spanning tree topology database. Bridges exchange BPDU messages with other bridges.

Page 28: Configuring 1900 & 2950 Catalyst switches

We will cover the following list of tasks:

Setting the password

Setting the hostname

Configuring the IP address and subnet mask

Setting a description on the interface

Erasing the switch configuration

Configuring VLANs

Adding VLAN membership to a switch port

Creating a VTP domain

Configuring trunking

Page 29: Setting the password

1900 Series: It uses the same command to set both the user level password and the privileged password, but with different level numbers. The level is 1 for user level and 15 for privileged level. Password length should be from 4 to 8 characters.

Setting the user password:

switch(config)# enable password level 1 cisco

Setting the privileged level password:

switch(config)# enable password level 15 cisco

Page 30: Setting the password

2950 Series: To set the user mode password for the 2950 switch, we configure the line just as we would do on a router.

Console:

switch(config)# line console 0
switch(config-line)# password cisco
switch(config-line)# login

Telnet:

switch(config)# line vty 0 15
switch(config-line)# password cisco
switch(config-line)# login

The enable secret password is set in the same way as we would do for a router.

switch(config)# enable secret cisco

Page 31: Setting hostname

The hostname on a switch is only locally significant. This means it doesn't have any function on the network or with name resolution (though it has an exception with PPP authentication).

1900 Series:

switch(config)# hostname LAN1

2950 Series:

switch(config)# hostname LAN1

Page 32: Setting IP information

Generally a switch doesn't need any IP address at all to manage a LAN.

There are exceptions though. We have two reasons where we probably do want to set IP address information on the switch:

To manage the switch via Telnet or other management software.

To configure the switch with different VLANs and other network functions.

Page 33: Setting IP information

1900 Switch: By default no IP address or default gateway information is set. We can verify this by using the command sh ip in privileged mode.

Switch# sh ip

The IP address and default gateway are set through global configuration mode (GCM).

Switch(config)# ip address 172.16.10.16 255.255.255.0
Switch(config)# ip default-gateway 172.16.10.1

Page 34: Setting IP information

2950 Switch: In the 2950 switch, we consider a default VLAN with the switch. This VLAN is called VLAN1. Every port on the switch is a member of VLAN1 by default. We always set the IP address for VLAN1.

Switch(config)# interface vlan1
Switch(config-if)# ip address 172.16.10.17 255.255.255.0
Switch(config-if)# exit
Switch(config)# ip default-gateway 172.16.10.1

Page 35: Configuring Interface Description

We can administratively set a name for each interface on the switches.

These descriptions are only locally significant.

1900 Switch: The description command is used from interface configuration mode. Spaces can't be used within the description.

Switch(config)# int e0/1
Switch(config-if)# description Finance_VLAN
Switch(config)# int f0/26
Switch(config-if)# description trunk_to_building_4

Page 36: Configuring Interface Description

2950 Switch: The description command is used from interface configuration mode. Spaces can be used within the description.

Switch(config)# int fastEthernet 0/1
Switch(config-if)# description Sales Printer
Switch(config)# int f0/12
Switch(config-if)# description trunk_to_building_4

Page 37: Erasing the Switch Configuration

1900 Switch: We can't see the contents of NVRAM. We can only view RAM's contents. When we make changes to the switch's running configuration, it automatically copies them to NVRAM. The following syntax helps us in deleting NVRAM's contents.

Switch# delete nvram

Page 38: Erasing the Switch Configuration

2950 Switch: The concepts of startup config and running config hold exactly the same here as they do with routers. The following syntax helps us in deleting NVRAM's contents.

Switch# erase startup-config
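An added example, not from the slides, that reads a 2950-style configuration like the one built up on pages 29 to 34 and checks the password settings those slides call for: an enable secret (the 2950 method, which stores a hash) rather than only an enable password (which the configuration keeps in clear or reversibly encoded form), and both password and login on every console and vty line so the prompt is actually enforced. The config text, the parser and the audit rules are constructed for this example; the commands inside the sample are the ones shown on the slides, with the vty range split into 0 4 and 5 15 so that a block with a gap is visible.

```python
# Constructed sample running-config in the style of the 2950 commands on the
# slides. The "line vty 5 15" block is added to show a gap the audit catches.
SAMPLE_CONFIG = """\
hostname LAN1
enable secret cisco
!
interface Vlan1
 ip address 172.16.10.17 255.255.255.0
!
ip default-gateway 172.16.10.1
!
line console 0
 password cisco
 login
line vty 0 4
 password cisco
 login
line vty 5 15
 login
"""

# Constructed weaker variant: a 1900-style plain enable password instead of
# an enable secret, and a vty block that disables the login prompt entirely.
WEAK_CONFIG = """\
hostname LAN1
enable password cisco
!
line console 0
 password cisco
 login
line vty 0 15
 no login
"""


def parse_sections(config_text):
    """Split an IOS-style config into (header, [body commands]) blocks.
    Indented lines belong to the preceding unindented header; '!' separators
    and blank lines are skipped."""
    sections = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        elif not raw.startswith(" "):
            sections.append((raw.strip(), []))
    return sections


def audit(config_text):
    """Return a list of findings, in the order the checks run:
    1. an enable secret must exist (enable password alone is weaker);
    2. every 'line ...' block needs a password and a login command."""
    findings = []
    sections = parse_sections(config_text)
    headers = [header for header, _ in sections]
    if not any(h.startswith("enable secret ") for h in headers):
        if any(h.startswith("enable password ") for h in headers):
            findings.append("enable password is set but no enable secret; use enable secret")
        else:
            findings.append("no enable secret configured")
    for header, body in sections:
        if not header.startswith("line "):
            continue
        # First word of each body command; "no login" yields "no", so it
        # correctly fails the login check below.
        first_words = {cmd.split()[0] for cmd in body}
        if "password" not in first_words:
            findings.append(f"{header}: no password set")
        if "login" not in first_words:
            findings.append(f"{header}: login not enabled")
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit(text) or ["no findings"])
```

The parser only understands the one level of indentation the slides' commands use, which is enough for line and interface blocks; a real `show running-config` would be fed in as the text argument instead of the constructed samples.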

Page 39: Virtual LANs (VLANs)

A VLAN is a logical grouping of network users and resources connected to administratively defined ports on a switch.

VLANs allow us to break up the broadcast domain in a pure switched internetwork.

VLANs allow us to create smaller broadcast domains within a layer 2 switch-based internetwork.

Page 40: How VLANs simplify network management

Network adds, moves and changes are achieved by configuring a port into the appropriate VLAN.

A group of users needing high security can be put into a VLAN so that no users outside of the VLAN can communicate with them.

VLANs are independent of their physical or logical locations.

VLANs can enhance network security.

VLANs increase the number of broadcast domains and decrease the size of each broadcast domain.

Page 41: Broadcast Control

All devices in a VLAN are members of the same broadcast domain and receive all broadcasts.

The broadcasts, by default, are filtered from all ports on a switch that are not members of the same VLAN.

This is one of the prime benefits that we get with a VLAN-based switched network; otherwise we would face serious problems if all our users were in the same broadcast domain.
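The address-learning and forward/filter behaviour described on pages 8 to 15, together with the per-VLAN broadcast filtering on this slide, as one added Python example that is not part of the original slides. The single-switch model, its port numbers, VLAN ids and MAC addresses are all constructed for the example. The `moves` log is an addition beyond the slides: it records a MAC being re-learned on a different port, which on a loop-free network happens only when a host really moves, and which turns into a steady stream of entries when the table is being confused by a switching loop as page 19 describes.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Layer2Switch:
    """Toy model of one switch: MAC learning, forward/filter decisions and
    per-VLAN flooding. Access ports only; ports and VLAN ids are constructed."""

    def __init__(self, port_vlans):
        # port -> VLAN id. On a real switch every port starts in VLAN 1;
        # here the caller assigns VLANs explicitly.
        self.port_vlans = dict(port_vlans)
        # (vlan, mac) -> port: the MAC forward/filter table, empty at power-on.
        self.mac_table = {}
        # (mac, old_port, new_port) whenever a known MAC shows up elsewhere.
        self.moves = []

    def receive(self, in_port, src, dst):
        """Process one frame and return the sorted list of ports it leaves on."""
        vlan = self.port_vlans[in_port]
        # Address learning: remember which port the source lives on.
        key = (vlan, src)
        previous = self.mac_table.get(key)
        if previous is not None and previous != in_port:
            self.moves.append((src, previous, in_port))
        self.mac_table[key] = in_port
        # Forward/filter decision.
        out_port = self.mac_table.get((vlan, dst))
        if dst != BROADCAST and out_port is not None:
            # Known destination: forward out that port only (frame filtering).
            # If it sits on the ingress port, the frame is dropped entirely.
            return [] if out_port == in_port else [out_port]
        # Unknown unicast or broadcast: flood every port in the same VLAN
        # except the one the frame arrived on. Other VLANs never see it.
        return sorted(p for p, v in self.port_vlans.items()
                      if v == vlan and p != in_port)


def demo():
    """Walk through the learning sequence from the slides and return each
    forwarding decision, followed by the recorded MAC moves."""
    host_a = "00:11:22:aa:aa:aa"
    host_b = "00:11:22:bb:bb:bb"
    host_c = "00:11:22:cc:cc:cc"
    # Ports 1-3 in VLAN 10, port 4 alone in VLAN 20 (constructed layout).
    sw = Layer2Switch({1: 10, 2: 10, 3: 10, 4: 20})
    decisions = [
        sw.receive(1, host_a, host_b),     # B unknown: flooded to 2 and 3, never to VLAN 20
        sw.receive(2, host_b, host_a),     # B answers: A was learned on port 1
        sw.receive(1, host_a, host_b),     # both known: filtered to port 2 only
        sw.receive(4, host_c, BROADCAST),  # VLAN 20 has no other port: nowhere to flood
        sw.receive(3, host_a, host_b),     # A now seen on port 3: table updated, move logged
    ]
    return decisions, sw.moves


if __name__ == "__main__":
    decisions, moves = demo()
    for step, ports in enumerate(decisions, 1):
        print(f"step {step}: forwarded out ports {ports}")
    print("MAC moves:", moves)
```

The last step is the one worth watching in practice: a single move is a host being re-patched, but the same MAC bouncing between two ports many times a second is the loop symptom of pages 17 to 19, and it is what a switch's MAC-flapping log messages report.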

Page 42: Security

In a flat network, anyone connecting to the physical network could access the network resources located on that physical LAN.

In order to observe any or all traffic happening in that network, one has to simply plug a network analyzer into the hub.

Users can join any workgroup by just plugging their workstations into the existing hub.

By building VLANs and creating multiple broadcast groups, administrators can now have control over each port and user.

Since VLANs can be created in accordance with the network resources a user requires, a switch can be configured to inform a network management station of any unauthorized access to network resources.

For inter-VLAN communication, we can implement restrictions on a router.

Page 43: Flexibility and Scalability

By assigning switch ports or users to VLAN groups on a switch or group of switches, we gain the flexibility to add only the users we want into that broadcast domain, regardless of their physical location.

When a VLAN becomes too big, we can create more VLANs to keep broadcasts from consuming too much bandwidth.

Page 44: Physical LAN connected to a Router

Page 45: Switches removing physical boundary

Page 46: Static VLAN

These VLANs are created by administrators. An administrator creates static VLANs and then assigns switch ports to each VLAN.

Static VLANs are:

Most secure

Comparatively easy to set up and monitor.

Work well in a network where the movement of users within the network is controlled.

A switch port that is assigned a VLAN association always maintains the association until an administrator changes that port assignment.

Page 47: Dynamic VLAN

When a network administrator enters all the host devices' hardware addresses into a database, the switches can be configured to assign VLANs dynamically whenever a host is plugged into a switch.

These are called dynamic VLANs. A dynamic VLAN determines a node's VLAN assignment automatically.

Using intelligent management software, we can base VLAN assignment on hardware address (MAC address), protocols, or even applications to create dynamic VLANs.

Page 48: Dynamic VLAN (continued)

Suppose MAC addresses have been entered into a centralized VLAN management application.

If a node is then attached to an unassigned switch port, the VLAN management database can look up the hardware address and assign and configure the switch port to the correct VLAN.

This makes management and configuration easier: if a user moves, the switch will assign them to the correct VLAN automatically.

Cisco allows us to use the VLAN Management Policy Server (VMPS) service to set up a database of MAC addresses that can be used for dynamic assignment of VLANs.

A VMPS database maps MAC addresses to VLANs.
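The lookup described on these two slides, modelled in Python as an added example (not code from the slides or from Cisco's VMPS): a MAC-to-VLAN database drives the VLAN of each dynamic port, a user who moves ports keeps their VLAN, and two cases the slides do not spell out are handled as assumptions of the model: an unknown hardware address is refused rather than placed in a guessed VLAN, and all hosts on one dynamic port must belong to the same VLAN.

```python
import re


def normalize_mac(mac: str) -> str:
    """Canonicalise 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 to Cisco dotted form."""
    digits = re.sub(r"[.:\-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


# Constructed sample database: MAC address (any common notation) -> VLAN name
SAMPLE_DB = {"00:11:22:33:44:55": "sales", "00-11-22-33-44-77": "sales", "0011.2233.4466": "mkt"}


class DynamicVlanSwitch:
    """Constructed model of a switch whose dynamic ports take their VLAN from a MAC-to-VLAN database."""

    def __init__(self, mac_db, dynamic_ports):
        self.mac_db = {normalize_mac(m): v for m, v in mac_db.items()}
        self.port_vlan = {p: None for p in dynamic_ports}    # None means the port is unassigned
        self.port_hosts = {p: set() for p in dynamic_ports}  # hardware addresses seen on each port

    def _shutdown(self, port, reason):
        # Refuse rather than guess: an unknown or mismatched host never lands in a VLAN it was not given
        self.port_vlan[port] = None
        self.port_hosts[port].clear()
        return ("shutdown", reason)

    def host_attached(self, port, mac):
        """React to `mac` appearing on `port`: ('assign', vlan), ('keep', vlan) or ('shutdown', reason)."""
        mac = normalize_mac(mac)
        vlan = self.mac_db.get(mac)
        if vlan is None:
            return self._shutdown(port, f"{mac} is not in the VLAN database")
        current = self.port_vlan[port]
        if current is not None and current != vlan:   # all hosts on one dynamic port share a VLAN
            return self._shutdown(port, f"{mac} belongs to {vlan}, but the port is already in {current}")
        self.port_hosts[port].add(mac)
        if current == vlan:
            return ("keep", vlan)
        self.port_vlan[port] = vlan
        return ("assign", vlan)

    def host_detached(self, port, mac):
        """Release the port back to unassigned once its last known host has left."""
        self.port_hosts[port].discard(normalize_mac(mac))
        if not self.port_hosts[port]:
            self.port_vlan[port] = None


def move_host(switch, old_port, new_port, mac):
    """A user relocates: the database, not the port, decides the VLAN, so it follows the user."""
    switch.host_detached(old_port, mac)
    return switch.host_attached(new_port, mac)
```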

Page 49: VLAN links

Frames are handled differently according to the type of link they are traversing in a switch.

Two kinds of link are available in a switched network:
  Access link
  Trunk link

Page 50: Access Link

An access link is part of only one VLAN, which is referred to as the native VLAN of the port.

Any device attached to an access link is unaware of VLAN membership. The device just assumes it is part of a broadcast domain and has no understanding of the physical network.

Switches remove any VLAN information from the frame before it is sent to an access-link device.

Access-link devices cannot communicate with devices outside their VLAN unless the packet is routed.

Page 51: Trunk Link

A trunk link is a 100 or 1000 Mbps point-to-point link between:
  two switches
  a switch and a router
  a switch and a server

Trunk links carry the traffic of VLANs 1 to 1005 at the same time.

Trunking allows us to make a single port part of multiple VLANs at the same time.

We can actually set things up to have a server in two broadcast domains simultaneously, so that users don't have to cross the router to log in and access it.

Another advantage of trunking is when we are connecting switches.

Trunk links can carry some or all VLAN information across the link, but if the links between switches aren't trunked, only VLAN 1 information will be switched across the link by default.

Page 52: Access and Trunk Links in a switched network (figure)

Page 53: Creating & Verifying VLANs (1900 switch)

Creating VLANs:
Mode: global configuration mode (GCM)
Syntax:
  Switch(config)# vlan <vlan-number> name <vlan-name>
E.g.:
  Switch(config)# vlan 2 name sales

Verifying VLANs:
Mode: privileged
Syntax:
  Switch# show vlan

Page 54: Creating & Verifying VLANs (2950 switch)

Creating VLANs:
Mode: privileged, then VLAN database configuration
Syntax:
  Switch# vlan database
  Switch(vlan)# vlan <vlan-number> name <vlan-name>
  Switch(vlan)# apply
E.g.:
  Switch# vlan database
  Switch(vlan)# vlan 2 name sales
  Switch(vlan)# vlan 3 name mkt
  Switch(vlan)# apply

Verifying VLANs:
Mode: privileged
Syntax:
  Switch# show vlan brief

Page 55: Assigning switch ports to VLANs (1900 switch)

Mode: interface configuration
Syntax:
  Switch(config)# int <interface-number>
  Switch(config-if)# vlan-membership static <vlan-number>
Example 1:
  Switch(config)# int e0/2
  Switch(config-if)# vlan-membership static 2
Example 2:
  Switch(config)# int e0/3
  Switch(config-if)# vlan-membership static 3
Example 3:
  Switch(config)# int e0/4
  Switch(config-if)# vlan-membership static 2

Page 56: Assigning switch ports to VLANs (2950 switch)

Mode: interface configuration
Syntax:
  Switch(config)# int <interface-number>
  Switch(config-if)# switchport access vlan <vlan-number>
Example 1:
  Switch(config)# int f0/2
  Switch(config-if)# switchport access vlan 2
Example 2:
  Switch(config)# int f0/3
  Switch(config-if)# switchport access vlan 3
Example 3:
  Switch(config)# int f0/4
  Switch(config-if)# switchport access vlan 2

Page 57: Frame Tagging

Switch fabric: a group of switches sharing the same VLAN information.

Frame tagging is a frame identification method that assigns a unique, user-defined ID to each frame. This ID is also called the VLAN ID or color.

How does it work?

Each switch that the frame reaches must first identify the VLAN ID from the frame tag.

Then it finds out what to do with the frame by looking at the information in the filter table.

If the frame reaches a switch that has another trunked link, the frame is forwarded out the trunk-link port.

Once the frame reaches an exit to an access link matching the frame's VLAN ID, the switch removes the VLAN identifier so that the destination device receives the frame without having to understand its VLAN identification.
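The tagging walk-through above, worked in Python as an added example (not code from the slides): the tag format is assumed to be IEEE 802.1Q (the slides name no standard), and the port roles, filter table and sample frame are constructed for the model. It shows the VLAN ID being read from the tag, the filter-table lookup, re-tagging toward a trunk, and the tag being stripped on exit to an access link.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an IEEE 802.1Q VLAN tag

# Constructed sample: untagged IPv4 frame, dst aa:bb:cc:dd:ee:ff, src 00:11:22:33:44:55, zeroed payload
SAMPLE_FRAME = bytes.fromhex("aabbccddeeff" "001122334455" "0800") + bytes(46)


def vlan_of(frame: bytes):
    """Return the 12-bit VLAN ID from the frame's 802.1Q tag, or None if the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("tag present but truncated")
    tci = struct.unpack("!H", frame[14:16])[0]  # TCI = 3-bit PCP, 1-bit DEI, 12-bit VID
    return tci & 0x0FFF


def add_tag(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert a 4-byte tag after the source MAC, as a switch does on trunk egress."""
    if not 1 <= vlan_id <= 4094 or vlan_of(frame) is not None:
        raise ValueError("bad VLAN ID or frame already tagged")
    tci = ((pcp & 0x7) << 13) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the tag, as a switch does before sending a frame to an access-link device."""
    return frame if vlan_of(frame) is None else frame[:12] + frame[16:]


def switch_frame(frame, ingress, ports, filter_table):
    """One switch's forwarding decision in this model (flooding of unknown destinations omitted).
    ports: port -> ("access", vid) or ("trunk", {allowed vids}); filter_table: (vid, dst MAC) -> port.
    Returns (egress port, frame as it leaves) or (None, None) if the frame is dropped."""
    kind, member = ports[ingress]
    tag = vlan_of(frame)
    if kind == "access":
        if tag is not None:  # access-link devices are not expected to tag; drop (policy in this model)
            return None, None
        vid = member         # an untagged frame belongs to the port's VLAN
    else:
        if tag is None or tag not in member:  # untagged or disallowed VLAN on a trunk: drop
            return None, None
        vid, frame = tag, strip_tag(frame)   # identify the VLAN from the tag, then work untagged
    egress = filter_table.get((vid, frame[:6]))
    if egress is None or egress == ingress:
        return None, None
    out_kind, out_member = ports[egress]
    if out_kind == "access":  # exit to an access link in the matching VLAN: no tag on the wire
        return (egress, frame) if out_member == vid else (None, None)
    return (egress, add_tag(frame, vid)) if vid in out_member else (None, None)  # re-tag for the trunk
```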