CISCO SWITCHING
Hussein Salameh, Network Administrator, ATS Automation Tooling Systems Inc.

AGENDA
• Switch Operation
• VLANs and Trunks
• Link Aggregation
• Multilayer Switching
• IP Telephony
• Quality of Service
• Voice QoS
• Securing Switches
• Demo
• Questions

SWITCH OPERATION: Layer 2 Switch Operation
[Diagram: nodes A and B in VLAN 20, nodes C and D in VLAN 30; CAM table columns: destination MAC, port, VLAN; ingress-to-egress path: Security ACLs (TCAM) -> QoS ACLs (TCAM) -> Ingress Queues -> L2 Forwarding Table (CAM) -> Egress Queues]
FOLLOW THE FRAME!
• The switch learns the source MAC and adds it to the CAM table
• The switch makes its forwarding decision on the destination MAC and finds the VLAN and port
• Found: forwards the frame on that specific port
• Not found: floods the frame on access and trunk ports

SWITCH OPERATION: Layer 3 Switch Operation
[Diagram: CAM table (destination MAC, port, VLAN) beside the FIB table (destination IP, next-hop IP, next-hop MAC, port); control plane: Layer 3 Engine with the Routing Table (entries reordered according to longest prefix match) and the ARP Table (resolves the MAC of each next hop in the FIB); data plane: Ingress Queues -> FIB Table + Adjacency Table -> Layer 3 Forwarding Engine -> Packet Rewrite -> Egress Queues]
FOLLOW THE PACKET!
• The layer 3 engine maintains routing information, which is reformatted and copied into the FIB table
• An update is sent to the FIB whenever the routing table changes
• If the frame contains a layer 3 packet to be forwarded, the FIB is consulted
• In the FIB, the longest match is found and the next-hop IP is obtained
• The entire Ethernet frame is rewritten (TTL and header checksum)

VLANS & TRUNKS
• A VLAN is a broadcast domain
• All devices connected to the VLAN receive broadcasts from members of the same VLAN
• Static VLANs offer port-based membership; devices assume the VLAN connectivity of the port
• VLAN numbers:
  • 1 to 1005 (VLAN 1 and VLANs 1002 to 1005 are used for special cases)
  • Extended range of VLANs: 1006 to 4094
• Port configuration (access mode):
  • Create a VLAN
  • Configure the interface for layer 2 operation
  • Force the port to be assigned to only a single VLAN
  • Assign a static VLAN membership to the port

VLANS & TRUNKS
• A trunk link can transport more than one VLAN through a single port
• Beneficial when switches are connected to other switches, routers or servers
• VLAN identification (encapsulation):
  • ISL (Inter-Switch Link): Cisco proprietary; referred to as double tagging; the switch adds a header and a trailer (VLAN ID in the header)
  • IEEE 802.1Q: open standard; embeds its tag within the layer 2 frame (single tagging); introduces the concept of a native VLAN
• Port configuration (trunk mode):
  • Create VLANs
  • Configure the interface for layer 2 operation
  • Configure the trunk encapsulation
  • Configure the native VLAN (no tagging)
  • Define which VLANs are to be trunked over the link
  • Force the port into trunk mode

LINK AGGREGATION
• Aggregation means scaling link bandwidth by bundling parallel links; also called EtherChannel technology
• Bundled ports must have the same speed/duplex and belong to the same VLAN (access) or pass the same VLANs (trunk)
• Frames are forwarded on a specific link as the result of a hashing algorithm (using IP address, MAC address, TCP/UDP port numbers)
• EtherChannel negotiation protocols:
  • Port Aggregation Protocol (PAgP): Cisco proprietary
  • Link Aggregation Control Protocol (LACP): open standard

Negotiation Mode (LACP / PAgP)   Negotiation Packets Sent?   Characteristics
On / On                          No                          Port-channeling
Passive / Auto                   Yes                         Waits until asked
Active / Desirable               Yes                         Actively asks

LINK AGGREGATION
[Diagram: Layer 2 EtherChannel: on each switch, create the port-channel from layer 2 interfaces and configure the PortChannel interface as access or trunk; hashing algorithm src-mac. Layer 3 EtherChannel: on each switch, convert the layer 2 interfaces to layer 3 and create the port-channel, then configure an IP address on the PortChannel interface; hashing algorithm src-dst-ip]

MULTILAYER SWITCHING
• Transporting packets between VLANs requires a layer 3 device -> interVLAN routing
[Diagram: ROAS (router on a stick): a layer 2 switch with layer 2 access ports in VLANs 10, 20 and 30 and a layer 2 trunk port Gi0/1 (VLANs 10, 20, 30) to a router with subinterfaces Gi0/1.10 (10.10.10.1), Gi0/1.20 (10.10.20.1) and Gi0/1.30 (10.10.30.1). Multilayer switch: layer 2 access ports, a layer 3 port, and SVIs VLAN 10 (10.10.10.1/24) and VLAN 20 (10.10.20.1/24)]

IP TELEPHONY
Detecting a powered device:
• Power is always disabled when a switch port is down
• A switch continually detects whether a powered device is connected to a port
• IEEE 802.3af (open standard):
  • The switch supplies a small voltage across the Tx and Rx pairs and measures the resistance
  • If the resistance is 25 kΩ, a powered device is detected
  • The power budget can be changed by detecting the device's power class
• Cisco Inline Power (ILP), Cisco proprietary:
  • The switch sends out a 340 kHz test tone on the Tx pair
  • If a PoE device is connected, the switch can hear its test tone looped back
  • The power budget can be changed by receiving CDP information from the PoE device

Power Class   Max Power at 48 V DC
0             15.4 W (default class)
1             4.0 W
2             7.0 W
3             15.4 W
4             Up to 50 W

IP TELEPHONY
[Diagram: Call Manager in the distribution/core layers; the access switch exchanges CDP packets with the phone; the PC sits in the data VLAN and the phone in the voice VLAN; a data VLAN scope and a voice VLAN scope on the DHCP server, the voice scope carrying the Call Manager IP; a non-Cisco phone is shown on the data VLAN]
  Interface Gi1/0/1
   switchport access vlan 20
   switchport voice vlan 25
• The phone link is a special case of an 802.1Q trunk
  • Data VLAN: untagged data packets
  • Voice VLAN: tagged voice packets
  • VLAN isolation: security, QoS

QUALITY OF SERVICE (QoS)
• Typical network: best-effort delivery and an equal chance of packets being dropped
• Protect and prioritize time-critical or important traffic
• Voice packets must be delivered with little delay, jitter and loss
• Types of QoS:
  • Best effort
  • Integrated services model (per-flow basis)
  • Differentiated services model (per-hop basis)

QoS basic model: Classification -> Policing -> Marking -> Queueing & Scheduling
• Classification: inspect the packet and determine its QoS label based on an ACL or configuration; generate the QoS label
• Policing: compare incoming traffic with the configured policer; the packet is in profile or out of profile
• Marking: based on the QoS label, determine whether to pass through, mark down or drop the packet
• Queueing & scheduling: determine into which of the egress queues to place the packet and schedule it

QUALITY OF SERVICE
Layer 2 QoS (CoS):
• IEEE 802.1Q priority field: CoS value
• Inter-Switch Link (ISL) user field: CoS value
• CoS values 0 to 7: 0 is low priority, 7 is high priority
Layer 3 QoS (DSCP):
• DS5 DS4 DS3: class selector; DS2 DS1 DS0: drop precedence

CoS - DSCP map
CoS:   0   1   2   3   4   5   6   7
DSCP:  0   8  16  24  32  46  48  56

VOICE QoS
• The switch can decide whether to trust CoS and DSCP values and use them to make QoS decisions
• Classify the traffic at the edge of the QoS domain by using the trust state on ports
[Diagram: trust boundary at the access switch ("I see you are an IP phone, so I will trust your CoS"); phone in VLAN 110 marks voice CoS 5 and signaling CoS 3; the PC in VLAN 10 sets CoS 5 for all its traffic, and all PC traffic is reset to CoS 0; CoS 5 = DSCP 46, CoS 3 = DSCP 24, CoS 0 = DSCP 0]
• Extend the trust boundary: switchport priority extend {cos value | trust}

SECURING SWITCHES
Best practices for securing switches:
• Enable port security: identify a set of allowed MAC addresses and a violation type
• Enable 802.1X port-based authentication
• Configure secure passwords
• Use system banners to warn unauthorized users
• Secure the web interface
• Secure the switch console
• Use SSH instead of Telnet
• Secure SNMP access
• Secure unused switch ports
• Secure STP operation

DEMO
• Create VLANs
• Configure access interfaces
• Configure security on access ports
• Configure EtherChannel
• Configure trunk interfaces
• Configure interVLAN routing
• Configure DHCP server
• Configure QoS trust boundary
• Test the topology
• Erase configuration

THANK YOU! QUESTIONS
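Worked configuration for the access-port and trunk-port steps on the VLANS & TRUNKS slides, written as an added example in Cisco IOS syntax rather than taken from the deck. Interface names, VLAN numbers and the unused native VLAN 999 are assumed; the trunk encapsulation command exists only on platforms that also support ISL.

```cisco
! Added example, not from the deck. Interface names and VLAN numbers are assumed.
! 1. Create the VLANs
vlan 20
 name DATA
vlan 30
 name SERVERS
vlan 999
 name NATIVE_UNUSED
!
! 2. Access port: layer 2 operation, forced into access mode, one static VLAN.
!    nonegotiate turns DTP off so the port cannot be talked into trunking.
interface GigabitEthernet1/0/2
 switchport
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
!
! 3. 802.1Q trunk to another switch: encapsulation, native VLAN (untagged),
!    explicit allowed-VLAN list, then force trunk mode.
!    The native VLAN is an unused VLAN so untagged frames land nowhere useful.
interface GigabitEthernet1/0/24
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 20,30
 switchport mode trunk
 switchport nonegotiate
!
! Optional (where supported): tag the native VLAN as well, so no frame
! crosses the trunk untagged.
vlan dot1q tag native
!
! Verification
show vlan brief
show interfaces trunk
show interfaces GigabitEthernet1/0/24 switchport
```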
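The layer 2 and layer 3 EtherChannel procedure from the LINK AGGREGATION slides, as an added IOS example that is not part of the deck. It uses LACP active mode on both bundles (the far end must be active or passive for the channel to form); interface names and the 10.1.1.0/30 address are assumed.

```cisco
! Added example, not from the deck. Interface names and addresses are assumed.
! Layer 2 EtherChannel: bundle two trunk ports into Port-channel1 with LACP
interface range GigabitEthernet1/0/1 - 2
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 20,30
 channel-group 1 mode active
!
! The port-channel interface must carry the same layer 2 settings as its members
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 20,30
!
! Layer 3 EtherChannel: create the port-channel as a routed interface first,
! then convert the member ports to layer 3 and add them to the bundle.
! The IP address lives on the port-channel, never on a member port.
interface Port-channel2
 no switchport
 ip address 10.1.1.1 255.255.255.252
interface range GigabitEthernet1/0/3 - 4
 no switchport
 no ip address
 channel-group 2 mode active
!
! Hashing algorithm is a global (per-switch) choice: src-mac is the deck's
! layer 2 example, src-dst-ip the layer 3 one.
port-channel load-balance src-dst-ip
!
! Verification: flags SU = layer 2 bundle in use, RU = layer 3 bundle in use,
! P = member port bundled
show etherchannel summary
show etherchannel load-balance
show lacp neighbor
```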
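Both interVLAN routing designs from the MULTILAYER SWITCHING slide, as an added example in IOS syntax (not the deck's own configuration), using the slide's gateway addresses 10.10.10.1, 10.10.20.1 and 10.10.30.1; the routed uplink address 10.0.0.2/30 and the interface names are assumed.

```cisco
! Added example, not from the deck. Interface names and 10.0.0.2/30 are assumed.
! Option 1: router on a stick (ROAS). Router side: the physical interface
! carries no address; one 802.1Q subinterface per VLAN holds the gateway.
interface GigabitEthernet0/1
 no ip address
 no shutdown
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 10.10.30.1 255.255.255.0
!
! Layer 2 switch side: the uplink toward the router is a trunk that carries
! exactly the three VLANs.
interface GigabitEthernet0/1
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
!
! Option 2: multilayer switch. Routing is done in hardware between SVIs;
! no external router is needed.
ip routing
vlan 10
vlan 20
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 no shutdown
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
 no shutdown
! A routed (layer 3) port toward the core
interface GigabitEthernet1/0/24
 no switchport
 ip address 10.0.0.2 255.255.255.252
!
! Verification: both SVIs and the routed port appear as connected routes
show ip route connected
show ip interface brief
```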
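Provisioning a phone port end to end, covering the IP TELEPHONY, QoS and VOICE QoS slides in one added IOS example (not from the deck): voice VLAN, PoE, the CoS-to-DSCP map shown above (CoS 5 -> DSCP 46), a trust boundary that only trusts a CDP-identified Cisco phone, and DHCP scopes for both VLANs. It assumes Catalyst 3560/3750-style mls qos syntax and a multilayer switch that already owns the 10.10.20.1 and 10.10.25.1 gateways; the 10.10.25.100 Call Manager/TFTP address is a constructed value.

```cisco
! Added example, not from the deck. mls qos syntax (3560/3750-class);
! 10.10.25.100 is a constructed Call Manager/TFTP address.
! Global QoS: enable it and set the CoS-DSCP map from the slide (CoS 5 -> 46)
mls qos
mls qos map cos-dscp 0 8 16 24 32 46 48 56
!
! Phone port: data VLAN 20 untagged, voice VLAN 25 tagged, PoE negotiated
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 25
 power inline auto
 spanning-tree portfast
 ! Trust CoS, but only while CDP identifies a Cisco IP phone on the port;
 ! if a PC is plugged in directly, the port falls back to untrusted (CoS 0)
 mls qos trust cos
 mls qos trust device cisco-phone
 ! Tell the phone to rewrite the PC's CoS to 0 before forwarding its frames
 switchport priority extend cos 0
!
! DHCP scopes: one per VLAN, gateways excluded; the voice scope hands out
! option 150 (TFTP/Call Manager) so phones can fetch their configuration
ip dhcp excluded-address 10.10.20.1 10.10.20.9
ip dhcp excluded-address 10.10.25.1 10.10.25.9
ip dhcp pool DATA_VLAN20
 network 10.10.20.0 255.255.255.0
 default-router 10.10.20.1
ip dhcp pool VOICE_VLAN25
 network 10.10.25.0 255.255.255.0
 default-router 10.10.25.1
 option 150 ip 10.10.25.100
!
! Verification: detected power class, effective trust state, map and leases
show power inline GigabitEthernet1/0/1
show mls qos interface GigabitEthernet1/0/1
show mls qos maps cos-dscp
show ip dhcp binding
```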
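An added IOS example (not from the deck) applying the SECURING SWITCHES best-practice list to one access switch: port security with a defined MAC limit and violation action, 802.1X, passwords, banner, console, SSH instead of Telnet, HTTPS-only web access, SNMPv3, unused ports and STP protection. Interface names, VLANs, the RADIUS address 10.0.0.5 and the example.com domain are assumed; <...> marks secrets to fill in.

```cisco
! Added example, not from the deck. Interfaces, VLANs, 10.0.0.5 and example.com are assumed; <...> = fill in.
! Port security: allow PC + phone, learn them sticky, err-disable on a violation
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 25
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! 802.1X port-based authentication against a RADIUS server
aaa new-model
radius server NAC
 address ipv4 10.0.0.5 auth-port 1812 acct-port 1813
 key <radius-shared-secret>
aaa authentication dot1x default group radius
dot1x system-auth-control
interface GigabitEthernet1/0/3
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
! Secure passwords, banner, console, SSH only on the vty lines, HTTPS-only web UI
hostname SW1
ip domain-name example.com
enable secret <enable-password>
username admin privilege 15 secret <admin-password>
banner motd ^Authorized users only. Activity is monitored.^
line console 0
 login local
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 15
 login local
 transport input ssh
 exec-timeout 5 0
no ip http server
ip http secure-server
ip http authentication local
!
! SNMPv3 (auth + priv) only, unused ports shut in an unused VLAN, BPDU guard on every PortFast port
snmp-server group NETMON v3 priv
snmp-server user monitor NETMON v3 auth sha <auth-key> priv aes 128 <priv-key>
interface range GigabitEthernet1/0/10 - 20
 switchport access vlan 999
 shutdown
spanning-tree portfast bpduguard default
```

After applying, `show port-security interface GigabitEthernet1/0/2`, `show dot1x all summary` and `show ip ssh` confirm each control is active.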