Designing a switching environment
Network Best practices workshop
Sirag Mahgoob Sirag, SudREN

Switch
• A switch is:
• An ASIC (application-specific integrated circuit) based device
• An intelligent device
• A Layer 2 device: it works with physical addresses (MAC addresses)
• Works with flooding and unicast
• Maintains a MAC address table
• One broadcast domain
• X collision domains, where X = number of ports

Switch
• According to configuration:
• Manageable switch: an IP address can be assigned to virtual interfaces and configuration can be made. It has a console port.
• Unmanageable switch: no configuration can be made and no IP address can be assigned, as there is no console port.

Switch
• Working of a switch, using the Address Resolution Protocol (ARP)
• Example: Host A (10.0.0.1) is connected to fa0/1 and Host B (10.0.0.2) is connected to fa0/2. Imagine a ping request from Host A to Host B in this scenario.
1. Host A pings 10.0.0.2. Host A does not currently have an entry in its ARP table for this IP address, so it sends an ARP request asking "who has IP address 10.0.0.2? What is your MAC address?"
2. SW1 sees this ARP request. The first thing it does is make an entry in its MAC address table for Host A's IP-to-MAC translation and mark it reachable via fa0/1. SW1 then forwards the ARP broadcast out every other available port, except the port on which it was received (this action is known as flooding).

Switch
3. Host B sees the ARP broadcast and replies with a unicast ARP response to Host A containing Host B's IP address and MAC address.
4. SW1 sees this ARP response, so it makes an entry in its MAC address table for Host B's IP-to-MAC translation and marks it reachable via fa0/2.
5. Host A eventually gets the ARP response from Host B and packages the initial ping request with the correct MAC address for Host B.

Switch Layer 2 Security
• VLANs
• Port Security

VLANs
• Virtual Local Area Network
• Needs for VLANs:
• Security: restrict access by certain users to some areas of the LAN.
• Divide the network into segments.
• Avoid problems.
• …

VLANs
• Solution using routers:
• Routers are expensive.
• Routers are slower than switches.
• Subnets are restricted to limited physical areas.

VLANs
• Solution using VLANs:
• VLAN membership can be by function and not by location.
• VLANs are managed by switches.
• A router is needed for communication between VLANs.

VLANs
• All hosts in a VLAN have addresses in the same subnet. A VLAN is a subnet.
• The switch has a separate MAC address table for each VLAN. Traffic for each VLAN is kept separate from other VLANs.
• Layer 2 switches cannot route between VLANs.

VLANs
• Each switch port intended for an end device is configured to belong to a VLAN.
• Any device connecting to that port belongs to the port's VLAN.
• VLAN 1: the default Ethernet LAN; all ports start in this VLAN.
• Numbers 2 to 1001 can be used for new VLANs.
• Ports that link switches can be configured to carry traffic for all VLANs (trunking).

Port Security
• The switchport security feature offers the ability to configure a switchport so that traffic can be limited to only a specific configured MAC address or list of MAC addresses.
• Port security limits the number of addresses that can be learned on an interface.

Port Security
(Figure: three hosts on ports 0/1, 0/2 and 0/3. Port 0/1 allows MAC A, port 0/2 allows MAC B, port 0/3 allows MAC C.)

Port Security
• Port Security options
• Number: port-security maximum value
• Sets the maximum number of secure MAC addresses for the access port. The catch is that these addresses are only put into the secure address table, and not saved in any way in either the running or startup configuration.
• Static: port-security mac-address
• Specify a secure MAC address for the port by entering a 48-bit MAC address. You can add additional secure MAC addresses up to the maximum value configured, and they are saved in either the running or startup configuration.
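The ingress sequence from the ARP walkthrough above (learn the source address on the ingress port, flood broadcasts and unknown unicasts, forward known unicasts out a single port), the per-VLAN MAC address table, and the port security options on these slides (maximum, static and sticky addresses, and the protect, restrict and shutdown violation actions), as one added Python model. This is example code written for this page, not the workshop's material or any vendor's implementation; port names, VLAN numbers and MAC addresses are constructed, and the table is keyed (VLAN, MAC address) -> port, which is what a switch actually stores.

```python
"""Switch ingress model: port security admission, per-VLAN MAC learning, flooding and
unicast forwarding. Added example for this page, not the workshop's or any vendor's code."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Port:
    def __init__(self, vlan=1, trunk=False, secure_max=None, violation="shutdown",
                 static=(), sticky=False):
        self.vlan, self.trunk = vlan, trunk
        self.secure_max = secure_max          # None: port security not enabled on this port
        self.violation, self.sticky = violation, sticky
        self.secure = {m: "static" for m in static}   # secure MAC -> static | dynamic | sticky
        self.violations, self.err_disabled = 0, False

    def admit(self, src_mac):
        """Port security check on ingress: True if the frame may be processed further."""
        if self.err_disabled:
            return False
        if self.secure_max is None or src_mac in self.secure:
            return True
        if len(self.secure) < self.secure_max:
            # Learn the address into the secure table; sticky entries also go to the config.
            self.secure[src_mac] = "sticky" if self.sticky else "dynamic"
            return True
        # Maximum reached and the source is not a secure address: a violation.
        if self.violation != "protect":        # restrict and shutdown count (and log) it
            self.violations += 1
        if self.violation == "shutdown":       # the default action: port goes err-disabled
            self.err_disabled = True
        return False

    def reload(self):
        """Dynamic entries are lost on reload; static and sticky entries are in the config."""
        self.secure = {m: k for m, k in self.secure.items() if k != "dynamic"}


class Switch:
    def __init__(self, ports):
        self.ports = ports             # port name -> Port (insertion order = port order)
        self.mac_table = {}            # (VLAN, MAC) -> port: effectively one table per VLAN

    def receive(self, in_port, src_mac, dst_mac, tag=None):
        """Process one frame; return the ports it is forwarded out of ([] if dropped)."""
        port = self.ports[in_port]
        if not port.admit(src_mac):
            return []
        vlan = (tag or 1) if port.trunk else port.vlan   # access ports classify by port VLAN
        self.mac_table[(vlan, src_mac)] = in_port         # learning: source MAC -> ingress port
        # Candidate egress ports: same VLAN or a trunk, never the ingress port.
        members = [n for n, p in self.ports.items()
                   if n != in_port and (p.trunk or p.vlan == vlan) and not p.err_disabled]
        if dst_mac == BROADCAST or (vlan, dst_mac) not in self.mac_table:
            return members                                # flooding, confined to the VLAN
        out = self.mac_table[(vlan, dst_mac)]
        return [out] if out in members else []            # known unicast: one port only


def arp_walkthrough():
    """Host A on fa0/1 pings Host B on fa0/2 (both VLAN 10); fa0/3 is VLAN 20, fa0/4 a trunk."""
    sw = Switch({
        "fa0/1": Port(vlan=10, secure_max=1, violation="restrict"),
        "fa0/2": Port(vlan=10),
        "fa0/3": Port(vlan=20),
        "fa0/4": Port(trunk=True),
    })
    mac_a, mac_b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"     # constructed addresses
    steps = [
        sw.receive("fa0/1", mac_a, BROADCAST),   # 1-2: ARP request; A learned, flooded in VLAN 10
        sw.receive("fa0/2", mac_b, mac_a),       # 3-4: unicast ARP reply; B learned, sent to fa0/1 only
        sw.receive("fa0/1", mac_a, mac_b),       # 5: the ping now goes out fa0/2 only
        sw.receive("fa0/1", "00:00:00:00:00:0c", mac_b),  # a second MAC on fa0/1 exceeds maximum 1
    ]
    return sw, steps


if __name__ == "__main__":
    sw, steps = arp_walkthrough()
    for i, out in enumerate(steps, 1):
        print(f"frame {i}: forwarded out {out}")
    print("fa0/1 violations:", sw.ports["fa0/1"].violations)
```

The fourth frame shows the restrict action: the frame is dropped and the violation counter increments, but the port stays up; with the default shutdown action the same frame would put the port into err-disabled and everything behind it would stop, including the legitimate host, which is the trade-off to weigh before choosing the mode.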
Port Security
• Dynamic: switchport port-security
• The switch looks at source MAC addresses and adds them to the secure table automatically, up to the maximum number of addresses you have defined. The catch is that these addresses are only put into the secure address table, and not saved in any way in either the running or startup configuration. When you reload the switch, it loses all this information and has to relearn all the addresses.

Port Security
• mac-address sticky
• Enable the interface for sticky learning by entering only the mac-address sticky keywords. When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses.

Port Security
• Port Security Violation
• Protect: once the maximum number of MAC addresses has been reached, any frames coming from unsecured MAC addresses are simply dropped.
• Restrict: this mode is very similar to protect, but with three notable differences. A syslog message is logged, an SNMP trap is sent, and the violation counter increases in the show port-security interface output.
• Shutdown: the default action. The port goes to the err-disabled state and is effectively shut down, and the port LED turns off. It also sends an SNMP trap, logs a syslog message, and increments the violation counter.

Layer 2 Redundancy
• IT administrators have to implement redundancy in their hierarchical networks.
• Adding extra links to switches in the network introduces traffic loops that need to be managed in a dynamic way; when a switch connection is lost, another link needs to quickly take its place without introducing new traffic loops.

Layer 2 Redundancy
• Loops
• Layer 2 redundancy improves the availability of the network by implementing alternate network paths through added equipment and cabling.
• Redundancy is an important part of the hierarchical design.
• Although it is important for availability, there are some considerations that need to be addressed before redundancy is even possible on a network.
• Ethernet frames do not have a time to live (TTL) like IP packets traversing routers. As a result, if they are not terminated properly on a switched network, they continue to bounce from switch to switch endlessly, or until a link is disrupted and breaks the loop.

Layer 2 Redundancy
• Broadcast frames are forwarded out all switch ports, except the originating port. This ensures that all devices in the broadcast domain are able to receive the frame. If there is more than one path for the frame to be forwarded out, it can result in an endless loop.
• Broadcast Storms
• A broadcast storm occurs when there are so many broadcast frames looping in the broadcast domain that these frames use all available bandwidth. Consequently, no bandwidth is available for other traffic, and the network becomes unavailable for data communication.

Layer 2 Redundancy
• Duplicate Unicast Frames
• Broadcast frames are not the only type of frames that are affected by loops. Unicast frames sent onto a looped network can result in duplicate frames arriving at the destination device.

Spanning Tree Protocol
• STP
• You can prevent loops, broadcast storms and duplicate unicast frames by using the Spanning Tree Protocol (STP). However, if STP has not been implemented in preparation for a redundant topology, loops can occur unexpectedly.
• STP ensures that there is only one logical path between all destinations on the network by intentionally blocking redundant paths that could cause problems. A port is considered blocked when network traffic is prevented from entering or leaving that port.

Spanning Tree Protocol
• Blocking the redundant paths is critical to preventing loops on the network. The physical paths still exist to provide redundancy, but these paths are disabled to prevent the loops from occurring.
• If the path is ever needed to compensate for a network cable or switch failure, STP recalculates the paths and unblocks the necessary ports to allow the redundant path to become active.

Spanning Tree Protocol
• The Root Bridge:
• Every spanning-tree instance (switched LAN or broadcast domain) has a switch designated as the root bridge. The root bridge serves as a reference point for all spanning-tree calculations to determine which redundant paths to block.
• An election process determines which switch becomes the root bridge, using the BID.
• The BID is made up of a priority value and the MAC address of the switch.

Spanning Tree Protocol
• STP Algorithm
• STP uses the Spanning Tree Algorithm (STA) to determine which switch ports on a network need to be configured for blocking to prevent loops from occurring.
• The STA designates a single switch as the root bridge and uses it as the reference point for all path calculations.
• The root bridge, switch S1, is chosen through an election process. All switches participating in STP exchange bridge protocol data unit (BPDU) frames to determine which switch has the lowest bridge ID (BID) on the network.

Spanning Tree Protocol
• The switch with the lowest BID automatically becomes the root bridge for the STA calculations.
• After the root bridge has been determined, the STA calculates the shortest path to the root bridge. The STA considers both path and port costs when determining which path to leave unblocked.
• The path costs are calculated using port cost values associated with path speeds for each switch link along a given path. The sum of the port cost values determines the overall path cost to the root bridge. If there is more than one path to choose from, the STA chooses the path with the lowest path cost.
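The election and path-cost computation just described, carried through on the deck's three-switch S1/S2/S3 topology, as an added Python example written for this page (not the workshop's material or Cisco's code). It goes beyond this slide in also assigning root, designated and non-designated port roles using the standard STP tie-breakers (lowest root path cost, then lowest bridge ID, then lowest port ID), and in re-running the calculation after an administrator lowers one bridge priority. The MAC address of S3, the port names and the link speeds are constructed; the port-cost table is the IEEE 802.1D short-method default.

```python
"""Spanning-tree root election, root path costs and port roles on a small LAN.
Added example for this page, not the workshop's or Cisco's code."""
import heapq

# IEEE 802.1D (short method) default port cost by link speed in Mb/s.
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


def bid(switch):
    """Bridge ID as a comparable tuple: priority first, then the switch MAC address."""
    return (switch["priority"], switch["mac"])


def elect_root(switches):
    """Every switch advertises its BID in BPDUs; the lowest BID becomes the root bridge."""
    return min(switches, key=bid)


def adjacency(links):
    """Per-switch port list from (switch_a, port_a, switch_b, port_b, speed_mbps) links."""
    adj = {}
    for a, pa, b, pb, speed in links:
        cost = PORT_COST[speed]
        adj.setdefault(a, []).append((pa, b, pb, cost))
        adj.setdefault(b, []).append((pb, a, pa, cost))
    return adj


def stp_roles(switches, links):
    """Return (root name, root path cost per switch, role per (switch, port))."""
    by_name = {s["name"]: s for s in switches}
    root = elect_root(switches)
    adj = adjacency(links)
    # Shortest path from the root (Dijkstra). Heap entries sort exactly like STP's
    # root-port tie-breaking: lowest root path cost, then lowest sender BID,
    # then lowest sender port ID, then lowest own port ID.
    rpc, root_port = {}, {}
    heap = [(0, bid(root), "", "", root["name"])]
    while heap:
        cost, _sender_bid, _sender_port, own_port, name = heapq.heappop(heap)
        if name in rpc:
            continue                      # a better (or equal but earlier) path already won
        rpc[name] = cost
        if name != root["name"]:
            root_port[name] = own_port    # one root port per non-root bridge
        for my_port, nbr, nbr_port, link_cost in adj.get(name, []):
            if nbr not in rpc:
                heapq.heappush(heap, (cost + link_cost, bid(by_name[name]), my_port, nbr_port, nbr))
    # One designated port per segment: the end with the lowest (root path cost, BID, port ID).
    roles = {}
    for a, pa, b, pb, _ in links:
        key_a = (rpc[a], bid(by_name[a]), pa)
        key_b = (rpc[b], bid(by_name[b]), pb)
        winner, loser = ((a, pa), (b, pb)) if key_a < key_b else ((b, pb), (a, pa))
        roles[winner] = "designated"
        # The losing end is either that switch's root port or a non-designated (blocking) port.
        roles[loser] = "root" if root_port.get(loser[0]) == loser[1] else "non-designated"
    return root["name"], rpc, roles


# Constructed topology: the deck's S1/S2/S3 triangle, all links 100 Mb/s (port cost 19).
SWITCHES = [
    {"name": "S1", "priority": 32768, "mac": "0c00.1111.1111"},
    {"name": "S2", "priority": 32768, "mac": "0c00.2222.2222"},
    {"name": "S3", "priority": 32768, "mac": "0c00.3333.3333"},
]
LINKS = [
    ("S1", "F0/1", "S2", "F0/1", 100),
    ("S1", "F0/2", "S3", "F0/1", 100),
    ("S2", "F0/2", "S3", "F0/2", 100),
]


def with_priority(switches, name, priority):
    """Copy of the switch list with one bridge priority changed, as an administrator would."""
    return [dict(s, priority=priority) if s["name"] == name else dict(s) for s in switches]


if __name__ == "__main__":
    cases = (("default priorities", SWITCHES), ("S3 priority 4096", with_priority(SWITCHES, "S3", 4096)))
    for label, sws in cases:
        root, rpc, roles = stp_roles(sws, LINKS)
        print(f"{label}: root={root} root path costs={rpc}")
        for (sw, port), role in sorted(roles.items()):
            print(f"  {sw} {port}: {role}")
```

With equal priorities S1 wins on its lower MAC address, S2 and S3 each reach it directly at cost 19, and the S2-S3 segment is a tie that S2 wins on BID, leaving S3 F0/2 blocking. Lowering S3's priority to 4096 moves the root, the root ports and the blocked port in one step, which is why an unexpected switch with a low priority (or a default priority and a low MAC) joining the LAN can silently reshape the whole topology.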
Spanning Tree Protocol
• Best Paths to the Root Bridge:
• When the root bridge has been designated for the spanning-tree instance, the STA starts the process of determining the best paths to the root bridge from all destinations in the broadcast domain. The path information is determined by summing up the individual port costs along the path from the destination to the root bridge.
• The default port costs are defined by the speed at which the port operates.

Spanning Tree Protocol
• Although switch ports have a default port cost associated with them, the port cost is configurable. The ability to configure individual port costs gives the administrator the flexibility to control the spanning-tree paths to the root bridge.
• Root ports: the switch ports closest to the root bridge. The root port on switch S2 is F0/1. The root port on switch S3 is F0/1.
• Designated ports: all non-root ports that are still permitted to forward traffic on the network. Switch S1 F0/1 and F0/2 are designated ports. Switch S2 F0/2 is a designated port.
• Non-designated ports: all ports configured to be in a blocking state to prevent loops. Port F0/2 on switch S3 is in the non-designated role ("blocking state").

Spanning Tree Protocol
• Configure and Verify the BID:
• When a specific switch is to become the root bridge, the bridge priority value needs to be adjusted to ensure it is lower than the bridge priority values of all the other switches on the network. There are two different configuration methods that you can use to configure the bridge priority value on a Cisco Catalyst switch.

Spanning Tree Protocol
• Rules
1. One root bridge per network
2. One root port per non-root bridge
3.
One designated port per segment

Spanning Tree Protocol
• One Root Bridge per network:
• BPDU = bridge protocol data unit, sent every 2 seconds.
• The root bridge is the one with the lowest bridge ID.
• Bridge ID = bridge priority (1-65535, default 32768) + MAC address. MAC address example: 0c00.2222.2222 and 0c00.1111.1111.
• All ports on the root bridge are designated and forwarding (send and receive).
• One Root Port per Non-root Bridge:
• The lowest cost to the root bridge.
• If equal, the lowest bridge ID.
• If equal, the lowest port number.

Spanning Tree Protocol
• One Designated Port per Segment:
• The lowest cost to the root bridge.
• If equal, the lowest bridge ID.
• If equal, the lowest port number.

Spanning Tree Protocol
• Port states:
• Listening: 15 seconds, sends/receives BPDUs.
• Learning: 15 seconds, learning MAC addresses.
• Forwarding or Blocking.
• Moving from Blocking to Listening takes a maximum of 20 seconds.

Spanning Tree Protocol
• The spanning tree algorithm provides the following benefits:
• Eliminates bridging loops.
• Provides redundant paths between devices.
• Enables dynamic role configuration.
• Recovers automatically from a topology change or device failure.
• Identifies the optimal path between any two network devices.

Spanning Tree Protocol
• Disadvantages!!!
• Unused links.
• Wasted bandwidth.

Transparent Interconnection of Lots of Links (TRILL)

Link aggregation
• LAG is used for increasing link reliability.
• LAG is a process of interconnecting two switches with two or more links between them (or a switch and a server), so that multiple links are combined into one bigger virtual link that can carry a higher (combined) bandwidth.

Link aggregation
• Allows automatic redirection of network traffic from the failed link to the remaining links.
• Load sharing.
• Allows load sharing of traffic among the links in the channel, as well as redundancy in the event that one or more links in the EtherChannel fail.
Link aggregation
• Two protocols are used for negotiating EtherChannel and link aggregation:
• Port Aggregation Protocol (PAgP): Cisco proprietary protocol
• IEEE Link Aggregation Control Protocol (LACP): industry standard
• LACP
• Standard.
• Modes:
• Active
• Passive
• PAgP
• Cisco proprietary
• Modes:
• Desirable
• Auto
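The two things the link aggregation slides describe, negotiation of the bundle from the configured modes and load sharing with automatic redirection when a member link fails, as an added Python example written for this page (not the workshop's material or Cisco's code). It adds one fact the slides leave implicit: an LACP channel only forms when at least one end is active, and a PAgP channel only when at least one end is desirable (passive/passive and auto/auto never negotiate). The hash on source and destination MAC is one common load-balancing method; the member link names and MAC addresses are constructed.

```python
"""EtherChannel mode negotiation and per-conversation load sharing across member links.
Added example for this page, not vendor code; link names and MAC addresses are constructed."""

# Mode pairings that bring a bundle up (both ends must run the same protocol).
# LACP: at least one side must be active; passive/passive never forms a channel.
# PAgP: at least one side must be desirable; auto/auto never forms a channel.
LACP_FORMS = {("active", "active"), ("active", "passive"), ("passive", "active")}
PAGP_FORMS = {("desirable", "desirable"), ("desirable", "auto"), ("auto", "desirable")}


def channel_forms(protocol, local_mode, remote_mode):
    """True when the two configured modes negotiate a channel under the given protocol."""
    table = {"lacp": LACP_FORMS, "pagp": PAGP_FORMS}[protocol.lower()]
    return (local_mode.lower(), remote_mode.lower()) in table


class EtherChannel:
    """A bundle of physical links presented as one logical link."""

    def __init__(self, members):
        self.members = list(members)   # physical ports, e.g. ["Gi0/1", "Gi0/2"]
        self.up = set(self.members)

    def fail(self, link):
        self.up.discard(link)

    def restore(self, link):
        self.up.add(link)

    def select_link(self, src_mac, dst_mac):
        """Pick the member link for a frame by hashing source and destination MAC.
        One conversation always maps to the same link (no reordering); when a link fails
        the hash is taken over the surviving members, so its traffic is redirected."""
        live = [m for m in self.members if m in self.up]
        if not live:
            raise RuntimeError("all member links are down")
        h = int(src_mac.replace(":", ""), 16) ^ int(dst_mac.replace(":", ""), 16)
        return live[h % len(live)]

    def distribute(self, flows):
        """Count how many (src, dst) conversations land on each live member link."""
        counts = {m: 0 for m in self.members if m in self.up}
        for src, dst in flows:
            counts[self.select_link(src, dst)] += 1
        return counts


# Constructed conversations: four clients talking to one server.
FLOWS = [(f"00:00:00:00:00:{i:02x}", "00:00:00:00:00:ff") for i in range(1, 5)]

if __name__ == "__main__":
    print("LACP active/passive:", channel_forms("lacp", "active", "passive"))
    print("LACP passive/passive:", channel_forms("lacp", "passive", "passive"))
    ch = EtherChannel(["Gi0/1", "Gi0/2"])
    print("both links up:", ch.distribute(FLOWS))
    ch.fail("Gi0/2")
    print("after Gi0/2 fails:", ch.distribute(FLOWS))
```

Because a single conversation is pinned to one member, the bundle raises aggregate capacity across many flows but never gives one flow more than a single link's bandwidth; that is the usual surprise when a two-link channel is expected to double one file transfer.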