Designing a switching environment

Network Best practices workshop
Sirag Mahgoob Sirag
SudREN
Switch
• A switch is:
• An ASIC-based device (application-specific integrated circuit): frames are forwarded in hardware.
• An intelligent device: it learns where hosts are and forwards frames only where they need to go.
• A Layer 2 device; works with physical addresses (MAC addresses).
• Works with flooding (for broadcast and unknown destinations) and unicast forwarding (for destinations already learned).
• Maintains a MAC address table (MAC address to port mapping).
• One broadcast domain (until VLANs divide it).
• X collision domains, where X = number of ports (each port is its own collision domain).
Switch
• According to configuration
• Manageable switch:
• Can be configured: an IP address can be assigned to a virtual (management) interface, and it has a console port for local access. The VLAN, port security and STP settings described later all require a manageable switch.
• Unmanageable switch:
• Cannot be configured; there is no console port and no management address. It learns and forwards with default behaviour only (a single VLAN, no port security).
Switch
• Working of a switch (together with the Address Resolution Protocol, ARP)
• Example: Host A (10.0.0.1) is connected to fa0/1 and Host B (10.0.0.2) to fa0/2 of switch SW1. Host A pings Host B:
1. Host A runs "ping 10.0.0.2". Host A has no entry for this IP address in its ARP cache, so it sends an ARP request to the broadcast MAC address (ffff.ffff.ffff), asking "who has 10.0.0.2? What is your MAC address?"
2. SW1 receives the ARP request on fa0/1. The first thing it does is record Host A's source MAC address in its MAC address table as reachable via fa0/1 (the switch learns MAC-to-port mappings, not IP-to-MAC translations; IP-to-MAC mappings live in the hosts' ARP caches). It then forwards the ARP broadcast out every other available port, except the port on which it was received (this action is known as flooding).
3. Host B sees the ARP broadcast and replies with a unicast ARP response addressed to Host A's MAC address, containing Host B's IP address and MAC address.
4. SW1 receives the ARP response on fa0/2 and records Host B's MAC address as reachable via fa0/2. Because the destination (Host A's MAC address) is already in the table, the reply is forwarded out fa0/1 only, not flooded.
5. Host A receives the ARP response, caches the IP-to-MAC mapping, and sends the ICMP echo request in a frame addressed to Host B's MAC address. SW1 now forwards that frame out fa0/2 as unicast.
Switch
Layer 2 Security
• VLANs
• Port Security
VLANs
• Virtual Local Area Network.
• Why VLANs are needed:
• Security: restrict access by certain users to some areas of the LAN.
• Divide the network into segments (smaller broadcast domains).
• Contain problems, such as excessive broadcasts, within one segment instead of the whole LAN.
• …
VLANs
• Solution using routers (one physical LAN per subnet):
• Routers are expensive.
• Routers are slower than switches.
• Subnets are restricted to limited physical areas.
VLANs
• Solution using VLANs:
• VLAN membership can be by function and not by location.
• VLANs are managed by switches.
• A router (or a Layer 3 switch) is still needed for communication between VLANs.
VLANs
• All hosts in a VLAN have addresses in the same subnet; by convention one VLAN corresponds to one IP subnet.
• The switch keeps MAC address learning separate for each VLAN (a MAC address table per VLAN). Traffic in each VLAN is kept separate from other VLANs.
• Layer 2 switches cannot route between VLANs.
VLANs
• Each switch port intended for an end device is configured to belong to a VLAN (an access port).
• Any device connecting to that port belongs to the port's VLAN.
• VLAN 1: the default Ethernet VLAN; all ports start in this VLAN. Best practice is not to use it for users or management, and to place unused ports in a separate, unused VLAN.
• Numbers 2 to 1001 can be used for new VLANs (the normal range; 1002 to 1005 are reserved, 1006 to 4094 are the extended range).
• Ports that link switches can be configured to carry traffic for several VLANs, tagged with 802.1Q (trunking). By default a trunk carries all VLANs; restrict it to the VLANs that actually need to cross.
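The following configuration is an added example for this section, not part of the workshop slides. It shows how the points above look on a Cisco Catalyst switch: access ports bound to a VLAN, unused ports parked outside VLAN 1, and a trunk restricted to the VLANs that need to cross it. VLAN numbers, VLAN names and interface names are assumptions chosen for illustration.

```cisco
! Added example (not from the workshop slides). VLAN numbers, names and
! interface names are assumptions for illustration.
!
! 1. Create the VLANs (normal range 2-1001).
vlan 10
 name STAFF
vlan 20
 name SERVERS
vlan 999
 name UNUSED_PARKING
!
! 2. Access ports: a host plugged in here belongs to the port's VLAN.
!    "nonegotiate" stops the port from negotiating a trunk with DTP.
interface range FastEthernet0/1 - 12
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface FastEthernet0/13
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
!
! 3. Unused ports: do not leave them live in VLAN 1. Park them in a VLAN
!    that is routed nowhere and shut them down.
interface range FastEthernet0/14 - 23
 switchport mode access
 switchport access vlan 999
 shutdown
!
! 4. Uplink to the next switch: tag with 802.1Q, carry only VLANs 10 and 20,
!    and move the native (untagged) VLAN off VLAN 1. The encapsulation line
!    is required on platforms that also support ISL and is rejected on
!    platforms that only do 802.1Q (omit it there).
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999
 switchport nonegotiate
```

Verify with `show vlan brief` (which port is in which VLAN) and `show interfaces trunk` (trunk state, native VLAN and the allowed VLAN list on each uplink). A trunk whose allowed list still reads "1-4094" is carrying every VLAN, including ones the neighbouring switch should never see.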
Port Security
• The switchport port-security feature limits the traffic accepted on a switch port to one specific configured MAC address or a list of MAC addresses.
• Port security also limits the number of MAC addresses that can be learned on an interface, which bounds how many entries one port can put into the MAC address table.
Port Security
Figure: Port 0/1 allows MAC A, Port 0/2 allows MAC B, Port 0/3 allows MAC C. If the host with MAC A appears on a port other than 0/1, its frames are treated as a violation.
Port Security
• Port Security options
• Number: switchport port-security maximum value
• Sets the maximum number of secure MAC addresses allowed on the interface (default 1). Addresses beyond this number trigger the violation action.
• Static: switchport port-security mac-address
• Specifies a secure MAC address for the port by entering a 48-bit MAC address. You can add further static addresses up to the configured maximum. Static entries are part of the running configuration and are kept in the startup configuration once it is saved.
Port Security
• Dynamic: switchport port-security
• With only this command, the switch looks at source MAC addresses and adds them to the secure address table automatically, up to the maximum number of addresses you have defined. The catch is that these addresses are held only in the secure address table and are not saved in the running or startup configuration. When you reload the switch, it loses this information and has to relearn all the addresses.
Port Security
• Sticky: switchport port-security mac-address sticky
• Enable sticky learning by entering only the mac-address sticky keywords. The interface then adds all dynamically learned secure MAC addresses to the running configuration and converts them to sticky secure MAC addresses. They survive a reload only if the running configuration is saved to the startup configuration.
Port Security
• Port Security violation modes (switchport port-security violation ...)
• Protect: once the maximum number of MAC addresses has been reached, frames from unknown source MAC addresses are simply dropped. Nothing is logged, so a violation can go unnoticed.
• Restrict: very similar to protect, but with three notable differences: a syslog message is logged, an SNMP trap is sent, and the violation counter in the show port-security interface output increases.
• Shutdown: the default action. The port goes to the err-disabled state, is effectively shut down and its LED turns off. It also sends an SNMP trap, logs a syslog message and increments the violation counter. The port stays down until an administrator issues shutdown / no shutdown on it or errdisable recovery is configured.
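The configuration below is an added example for the port security slides, not part of the workshop material. It puts the options above together on a Cisco Catalyst switch: a user port with sticky learning and the restrict action, a pinned static address with the default shutdown action, and automatic recovery from err-disabled. Interface names, VLAN numbers and the MAC address are assumptions chosen for illustration.

```cisco
! Added example (not from the workshop slides). Interface names, VLAN
! numbers and the MAC address are assumptions for illustration.
!
! Port security requires a fixed switchport mode (access or trunk);
! it is refused on a port still in "dynamic" mode.
!
! User port: learn one MAC dynamically, keep it across reloads (sticky),
! and report violations rather than silently dropping them.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! Fixed device (e.g. a printer): pin the address statically and keep the
! default action, so a second device on this port err-disables it.
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.5e00.5301
 switchport port-security violation shutdown
!
! Global: bring err-disabled ports back automatically after 300 seconds
! so a single violation does not need a manual "shutdown / no shutdown".
! If the offending device is still attached the port simply trips again.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Sticky addresses are written to running-config only; save them.
do copy running-config startup-config
```

Check the result with `show port-security interface FastEthernet0/1` (violation mode, current address count, violation count, last source address) and `show port-security address` (the secure address table, showing which entries are SecureSticky, SecureConfigured or SecureDynamic). Restrict is the mode most operations teams choose for user ports: the syslog message and SNMP trap it produces are what lets a violation be noticed, which protect mode never gives you.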
Layer 2 Redundancy
• IT administrators have to implement redundancy in their hierarchical networks.
• Adding extra links between switches introduces traffic loops that need to be managed dynamically: when a switch connection is lost, another link needs to take its place quickly without introducing new loops.
Layer 2 Redundancy
• Loops
• Layer 2 redundancy improves the availability of the network
by implementing alternate network paths by adding
equipment and cabling.
• Redundancy is an important part of the hierarchical design.
Although it is important for availability, there are some
considerations that need to be addressed before redundancy
is even possible on a network.
• Ethernet frames do not have a time to live (TTL) like IP packets
traversing routers. As a result, if they are not terminated
properly on a switched network, they continue to bounce
from switch to switch endlessly or until a link is disrupted and
breaks the loop.
Layer 2 Redundancy
• Broadcast frames are forwarded out all switch ports, except the
originating port. This ensures that all devices in the broadcast
domain are able to receive the frame. If there is more than one
path for the frame to be forwarded out, it can result in an endless
loop.
• Broadcast Storms
• A broadcast storm occurs when so many broadcast frames are looping in the broadcast domain that they consume all available bandwidth. Consequently, no bandwidth is left for normal traffic, and the network becomes unavailable for data communication.
Layer 2 Redundancy
• Duplicate Unicast Frames
• Broadcast frames are not the only type of frames that are
affected by loops. Unicast frames sent onto a looped network
can result in duplicate frames arriving at the destination
device.
Spanning Tree Protocol
• STP
• You can prevent loops, broadcast storms and duplicate unicast frames by using the Spanning Tree Protocol (STP). However, if STP has not been implemented in preparation for a redundant topology, loops can occur unexpectedly.
• STP ensures that there is only one logical path between all destinations on the network by intentionally blocking redundant paths that could cause a loop. A port is considered blocked when network traffic is prevented from entering or leaving that port (the port still receives BPDUs so it can react to topology changes).
Spanning Tree Protocol
• Blocking the redundant paths is critical to preventing loops on
the network. The physical paths still exist to provide
redundancy, but these paths are disabled to prevent the loops
from occurring. If the path is ever needed to compensate for a
network cable or switch failure, STP recalculates the paths and
unblocks the necessary ports to allow the redundant path to
become active.
Spanning Tree Protocol
• The Root Bridge :
• Every spanning-tree instance (switched LAN or broadcast
domain) has a switch designated as the root bridge. The root
bridge serves as a reference point for all spanning-tree
calculations to determine which redundant paths to block.
• An election process determines which switch becomes the root bridge, using the bridge ID (BID).
• The BID is made up of a priority value (on Catalyst switches combined with the extended system ID, which carries the VLAN number) and the MAC address of the switch.
Spanning Tree Protocol
• STP Algorithm
• STP uses the Spanning Tree Algorithm (STA) to determine
which switch ports on a network need to be configured for
blocking to prevent loops from occurring.
• The STA designates a single switch as the root bridge and uses
it as the reference point for all path calculations.
• The root bridge, switch S1, is chosen through an election
process. All switches participating in STP exchange bridge
protocol data unit (BPDU) frames to determine which switch
has the lowest bridge ID (BID) on the network.
Spanning Tree Protocol
• The switch with the lowest BID automatically becomes the
root bridge for the STA calculations.
• After the root bridge has been determined, the STA calculates
the shortest path to the root bridge. The STA considers both
path and port costs when determining which path to leave
unblocked.
• The path costs are calculated using port cost values associated
with path speeds for each switch link along a given path. The
sum of the port cost values determines the overall path cost to
the root bridge. If there is more than one path to choose from,
STA chooses the path with the lowest path cost.
Spanning Tree Protocol
• Best Paths to the Root Bridge :
• When the root bridge has been designated for the spanning-tree
instance, the STA starts the process of determining the best paths
to the root bridge from all destinations in the broadcast domain.
The path information is determined by summing up the individual
port costs along the path from the destination to the root bridge.
• The default port costs are defined by the speed at which the port
operates
Spanning Tree Protocol
• Although switch ports have a default port cost associated with
them, the port cost is configurable. The ability to configure
individual port costs gives the administrator the flexibility to
control the spanning-tree paths to the root bridge.
• Root ports: the port on each non-root switch that is closest to the root bridge. In the example, the root port on switch S2 is F0/1 and the root port on switch S3 is F0/1.
• Designated ports: all non-root ports that are still permitted to forward traffic on the network. On switch S1 (the root) F0/1 and F0/2 are designated ports; switch S2 has F0/2 as a designated port.
• Non-designated ports: all ports placed in the blocking state to prevent loops. Port F0/2 on switch S3 is in the non-designated role (blocking state).
• Configure and Verify the BID:
• When a specific switch is to become the root bridge, its bridge priority value needs to be adjusted so that it is lower than the bridge priority of every other switch on the network. There are two configuration methods for the bridge priority on a Cisco Catalyst switch: set the priority value directly, or use the root primary / root secondary macro, which picks a value below the current root.
Spanning Tree Protocol
• Rules
1. One root bridge per network (per spanning-tree instance)
2. One root port per non-root bridge
3. One designated port per segment
Spanning Tree Protocol
One root bridge per network:
• BPDU = bridge protocol data unit, sent every 2 seconds (the hello time).
• The root bridge is the switch with the lowest bridge ID.
• Bridge ID = bridge priority (0 to 65535, default 32768; on Catalyst switches with the extended system ID it must be a multiple of 4096) + MAC address.
• MAC address example: with equal priority, the switch with MAC address 0c00.1111.1111 wins over the one with 0c00.2222.2222 because its bridge ID is lower.
• All ports on the root bridge are designated ports and forward (send and receive).
• One root port per non-root bridge:
• The port with the lowest cost to the root bridge.
• If equal, the port whose neighbour (upstream switch) has the lowest bridge ID.
• If equal, the lowest port ID (port priority, then port number) on that neighbour.
Spanning Tree Protocol
• One designated port per segment:
• The port of the switch with the lowest cost to the root bridge.
• If equal, the switch with the lowest bridge ID.
• If equal, the lowest port ID (port priority, then port number).
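As an added example for the "Configure and Verify the BID" slide and the election rules above (not part of the workshop material), the commands below show the two ways of lowering a Catalyst switch's bridge priority so that the election is decided by configuration rather than by whichever switch happens to have the lowest MAC address, and one adjustment of a port cost. VLAN numbers and the interface name are assumptions chosen for illustration.

```cisco
! Added example (not from the workshop slides). VLAN numbers and the
! interface name are assumptions for illustration.
!
! Method 1: set the priority explicitly. With the extended system ID the
! value must be a multiple of 4096 (0-61440); the lowest value wins, and
! 4096 leaves room for a backup root at 8192 later.
spanning-tree vlan 10 priority 4096
!
! Method 2: the macro. "root primary" sets 24576, or 4096 below the
! current root's priority if that is already lower than 24576.
! "root secondary" sets 28672 and is used on the intended backup root.
spanning-tree vlan 20 root primary
!
! Port cost is configurable. Defaults (802.1D short method): 10 Mb/s = 100,
! 100 Mb/s = 19, 1 Gb/s = 4, 10 Gb/s = 2. Raising this FastEthernet
! uplink's cost from 19 to 100 makes a parallel path preferred for VLAN 10.
interface FastEthernet0/2
 spanning-tree vlan 10 cost 100
```

Verify with `show spanning-tree vlan 10`: the output states "This bridge is the root" when the election has gone as intended, and lists each port with its role (Root, Desg, Altn), state (FWD or BLK) and cost, which is the quickest way to check the three rules above against a live topology. Note that `root primary` is a one-shot macro: it computes a priority once and does not react if a switch with a lower BID is connected later, so either set the priority explicitly as in method 1 or protect the downstream ports with `spanning-tree guard root` so that a superior BPDU arriving there cannot move the root.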
Spanning Tree Protocol
• Port states (802.1D):
• Blocking: receives BPDUs only; waits up to the max age (20 seconds) before moving on.
• Listening: 15 seconds (forward delay); sends and receives BPDUs, no MAC learning, no forwarding.
• Learning: 15 seconds; learns MAC addresses but does not yet forward frames.
• Forwarding, or back to Blocking if the port loses its role.
• Moving from Blocking to Listening takes at most 20 seconds, so a port can need 30 to 50 seconds to reach Forwarding after a topology change.
Spanning Tree Protocol
• The spanning tree algorithm provides the following benefits:
• Eliminates bridging loops
• Provides redundant paths between devices
• Enables dynamic role configuration
• Recovers automatically from a topology change or device failure
• Identifies a loop-free path (lowest cost to the root bridge) between any two network devices
Spanning Tree Protocol
• Disadvantages:
• Unused (blocked) links.
• Wasted bandwidth.
Transparent Interconnection of Lots of Links (TRILL): an IETF standard that replaces spanning tree with Layer 2 link-state routing, so that redundant links carry traffic instead of being blocked.
Link aggregation
• LAG (a link aggregation group) is used to increase link reliability and bandwidth.
• LAG is the process of interconnecting two switches with two or more links between them (or between a switch and a server), so that multiple links are combined into one bigger virtual link that can carry a higher (combined) bandwidth.
Link aggregation
• Allows automatic redirection of network traffic from a failed link to the remaining links.
• Load sharing: traffic is shared among the links in the channel (per flow, based on a hash of the frame's addresses), with redundancy in the event that one or more links in the EtherChannel fail.
Link aggregation
• Two protocols are used for negotiating EtherChannel and link aggregation:
• Port Aggregation Protocol (PAgP): Cisco proprietary.
• Link Aggregation Control Protocol (LACP): IEEE standard (802.3ad, now 802.1AX).
• LACP
• Standard.
• Modes: active (initiates the negotiation) and passive (responds only); at least one side must be active.
• PAgP
• Cisco proprietary.
• Modes: desirable (initiates) and auto (responds only); at least one side must be desirable.
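The configuration below is an added example for the link aggregation slides, not part of the workshop material. It bundles two trunk links between two Cisco Catalyst switches with LACP, the standard protocol, using active mode on both ends. Interface names, the channel-group number and the VLAN list are assumptions chosen for illustration.

```cisco
! Added example (not from the workshop slides). Interface names, the
! channel-group number and VLAN numbers are assumptions for illustration.
!
! ===== Switch A =====
! Member links must match each other (speed, duplex, switchport mode,
! allowed VLANs), otherwise the mismatched link is suspended from the bundle.
interface range GigabitEthernet0/1 - 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 channel-protocol lacp
 channel-group 1 mode active
!
! channel-group creates Port-channel1; from here on the bundle is
! configured through this logical interface, not the members.
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! ===== Switch B =====
! "passive" would also bundle against an active peer, but active on both
! sides lets either end start the negotiation after a reload.
interface range GigabitEthernet0/1 - 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 channel-protocol lacp
 channel-group 1 mode active
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
```

Check with `show etherchannel summary`: the bundle should show as `Po1(SU)` (Layer 2, in use) with each member flagged `(P)` for bundled; a member marked `(s)` is suspended because its settings differ from the rest, and `(I)` means it is operating as an individual link outside the bundle. Avoid `channel-group 1 mode on`, which bundles without any negotiation: if the other end is not configured identically, the two sides disagree about which links form one logical link and a Layer 2 loop is the result.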