Notes: CCENT – Switching – Part 3

Notes: Switching: STP and basic Switch Security.

Where Switches are:
Application
Presentation
Session
Transport<- Segments
Network <- Routers /Packets / IP addresses
Data Link <- Switches, Bridges / Frames / MAC Addresses
Physical < – Hubs, Repeaters / Bits / Ethernet

I will be using this network I built in Packet Tracer as an example for these notes:
Figure 1:


STP

STP, IEEE 802.1d or Spanning Tree Protocol is used on switches to prevent switching loops. Switching loops occur when frames are constantly “looped” through redundant links that connect switches to one another.

When you look at Figure1, you’ll notice a triangle topology where all the switches are connected to each other.

Well lets say that there was no STP running on these switches. Host 192.168.10.11 sends out a broadcast frame (ffff.ffff.ffff). Maybe it was sending out a DHCP request. Well, what happens with broadcast frames? They are flooded of course. This means the switch will send out a copy of that frame out every port. This means, the broadcast would also be sent out the trunk ports of SW5 to SW3 and SW4. Well, SW3 and SW4 will see that this is a broadcast frame.
What will those switches do? They will also flood this frame as well. It’s destination is ffff.ffff.ffff, so it is sent out every port. The rule of switching is that it will never send a frame back out the same port it received it on. Well, this means SW3 won’t send the broadcast back to SW5, instead, it will send it to SW4. The same thing goes with S4, it won’t send the broadcast back to SW5, instead it will be sent to SW3. This is where your problem becomes more noticeable, the broadcast, that was once originating from SW5, has gone to SW4 and SW3, and those switches are send each other those broadcasts. Those switches will then take the broadcast it just received from each other, and guess what? They’re broadcast frames! They’re going to keep flooding them out and now SW5 is going to get that broadcast back! What is SW5 going to do with the broadcast it just received from SW3 and SW4? Hey, its a broadcast! Gotta send these broadcasts out! They’re destined for ffff.ffff.ffff! (Remember, a group of switches (layer2 network) is still a broadcast domain.)

This is were insanity starts, and this all happens in about a second. And this will keep happening until either the redundant links are disconnected, or worse… the switches crash. Then office pandemonium ensues.

This is the reason STP was invented, and runs on switches by default. To close redundant links to keep switching loops from occurring. The broadcast that 192.168.10.11 sent out won’t be able to cross the link from SW5 to SW4, so it stops the loop from occuring. Notice in the switch topology in Figure1, that there are green dots and an orange dot. That orange dot indicates the link that STP has closed off. When redundant links are closed by STP, it means they have been placed into “blocking mode”.

This is SW4’s output of ‘show spanning-tree’:

SW4#show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    1
             Address     0002.4A11.C0A3
             Cost        4
             Port        25(GigabitEthernet1/1)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8193  (priority 8192 sys-id-ext 1)
             Address     0006.2A99.5DA7
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi1/1            Root FWD 4         128.25   P2p
Gi1/2            Altn BLK 4         128.26   P2p

You will notice here, that Gi1/2, the ‘Sts’ (Status), is ‘BLK'(Blocking). This is the redundant link that STP decided to close off.

STP also calculates the best path to hosts according to it’s MAC table based on how fast the links are. You could have a switched network with 5 switches, and you could have a path that a frame would have to traverse of 2 links(path1), and a path of 3 links(path2). But based on whether a port is 10mbps, 100mbps, or 1000mpbs (even 10gb), stp will always choose the fastest. Path1 could be 2 links of 100mbps, but path2 could be 3 links of 1000mbps. Well, it would prefer path2 over path1 because those three gigabit hops actually provide a faster data throughput than the two 100mbps hops. (Once I get to my CCNA portion, there will be a lot more about STP Mechanics, how it determines cost, the costs of links, what it does while it is busy converging, rootbridges, election, etc. What you’re seeing here is only the CCENT (ICND1) portion.)

Summary:

  • STP is a mechanism on switches to prevent switching loops
  • STP stops switching loops by closing off redundant links
  • It determines optimal paths across it’s destination based on cost
  • STP, Spanning-Tree Protocol, 802.1d
  • Runs on switches by default.
  • Switching loops are bad mmmkay?

Basic Switch Security

There are plenty of reasons you need to take your switch security seriously. Actually, you should take every bit of network security seriously. Never undermine the importance of security, because if you do, you’re going to have a hell of a time dealing with security problems. Security isn’t just there to keep intruders out, its also there to keep someone who has no idea what they are doing from messing up your configurations.

Lock up your switches, routers, or any networking hardware. You definitely don’t want someone walking in on your network and thinking “hmm what does this mode button do?” Oh look, the lights are flashing in a neat pattern now. Seriously, you need to keep networking hardware safe. Keep it in a locked room. Keep faceplates over your network racks. Lock your network/server cabinets. This is common sense. Would you go park your car in a parking lot downtown and just leave the keys in your car with all your windows rolled down?

There are many well known defaults on switches that need to be addressed upon completion of configuration. These are things that people look for when they intend to break into your network. There are tons of security parameters on switches, but basically, these are what you need to know for the CCENT.

Ports:

  • By Default, they are turned on. On routers they aren’t. When you are finished with a switch, you should shutdown all your unused ports using the ‘shutdown’ command at the specified interface:
    SW5#conf t
    SW5(config)#interface fastEthernet 0/5
    SW5(config-if)#shutdown
    
    %LINK-5-CHANGED: Interface FastEthernet0/5, changed state to administratively down
    SW5(config-if)#
  • Another default posing a security risk is that they are all set to ‘dynamic‘, meaning they are actively either going to trunk, or they are going become an access port to an end device. This means someone can use one of their own switches and gain access this way. Some hackers also know how to get the NIC on a PC to try and trunk with a switch, this can cause lots of problems as well.:
    SW5(config)#interface fastEthernet 0/5
    SW5(config-if)#switchport mode ?
      access   Set trunking mode to ACCESS unconditionally
      dynamic  Set trunking mode to dynamically negotiate access or trunk mode
      trunk    Set trunking mode to TRUNK unconditionally
    SW5(config-if)#switchport mode access
  • By default, they are part of a well-known VLAN. They are in VLAN1. This can also pose as a security risk. Unused ports should be moved to fake VLANs that lead to nowhere.:
    SW5(config-if)#switchport access ?
      vlan  Set VLAN when interface is in access mode
    SW5(config-if)#switchport access vlan ?
      <1-1005>  VLAN ID of the VLAN when this port is in access mode
    SW5(config-if)#switchport access vlan 321

_______________________________________

MAC Addresses: There are a few ways to tighten a switch’s security by managing the MAC Addresses that are allowed on the switch. Doing this will allow you to configure parameters for each port on a switch to only allow one MAC from a host to be plugged into that port. This is to keep people from plugging other devices into, lets say, their cubicle’s ethernet port. Or it will stop people with malicious intent to try and plug in other switches even. This is done through the ‘switchport port-security’ at the interface level on switches.

SW5#
SW5#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SW5(config)#interface fastethernet 0/5
SW5(config-if)#switchport port-security ?
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>

Now, before you can even use this feature, you need to go in and switch the port’s mode from ‘dynamic’ to ‘access’. This tells the switch there will be an end device on this port and not another switch. Then, you need to enable the feature on the switch first. You need to go to the interface level to add this option.

SW5(config-if)#interface fastEthernet 0/5
SW5(config-if)#switchport ?
  access         Set access mode characteristics of the interface
  mode           Set trunking mode of the interface
  native         Set trunking native characteristics when interface is in
                 trunking mode
  nonegotiate    Device will not engage in negotiation protocol on this
                 interface
  port-security  Security related command
  priority       Set appliance 802.1p priority
  trunk          Set trunking characteristics of the interface
  voice          Voice appliance attributes
SW5(config-if)#switchport mode access
SW5(config-if)#switchport port-security

Simply by entering ‘switchport port-security’, you’ll enable the option on this switch to use this feature on the specified port.

Here I will be talking about the options.

  • mac-address: – This parameter is where you can either manually add an end device’s or host’s ethernet MAC address.
    SW5(config-if)#switchport port-security mac-address ?
      H.H.H   48 bit mac address
      sticky  Configure dynamic secure addresses as sticky

    -H.H.H is where you would add the host’s MAC address. Now, of course, if you were working IT in a large company this would be a bit of a pain because would have to go to each individual interface, grab the mac address and input them yourself. But your threat of an enormous workload is taken away with ‘sticky’. This switch in the syntax allows you to use the mac that  is currently connected to the switch, it will automatically add it for you.

    I would really only use this feature if you know your company has a strict policy for end users to not fiddle with their workstations or plug anything else in.

  • maximum – This parameter is used to specify the quantity of allowed mac addresses on a given interface. This means you could say a port can only be allowed to have a maximum of 2 devices on it because maybe the end user also brings, say, a laptop from home and they want to plug it in. This could also be because the end user also has an IP Phone in their office as well, and the PC has to connect to the IP phone to get connectivity to the switch.
    SW5(config-if)#switchport port-security maximum ?
      <1-132>  Maximum addresses
  • violation – This is a parameter that you can specify what a switch must do if it detects an unauthorized mac address on a port.  This is a rather powerful part of  switchport security.
    SW5(config-if)#switchport port-security violation ?
      protect   Security violation protect mode
      restrict  Security violation restrict mode
      shutdown  Security violation shutdown mode

    As you can see there are three switches for this syntax. ‘Protect’, ‘restrict’, and ‘shutdown’.

    Shutdown – This is the default of ‘switchport port-security’. When an un-authorized mac address is detected on that port, the switch will shutdown the port adds an entry to the log stating that it shut that port down. When you go to check on the status of that port, it won’t say ‘administratively down’ rather it will say ‘err-disabled’. If the port goes into ‘err-disabled’ mode, you have to log into the switch and manually turn the port back on.

    Protect – This tells the switch to drop the frames that are coming in on that port. Nothing more, none of the traffic from the un-authorized mac address is allowed to traverse the switch.

    Restrict – This tells the switch to drop the frames that are coming in on that port. None of the traffic from the un-authorized mac address is allowed to traverse the switch. Additionally, the switch will then add an entry to the log stating that there has been an un-authorized mac address on that port.

Checking The Parameters:

So you’ve gone through and set all these options, and you need to make sure you have configured everything correctly. Well, there is a nice, quick and simple way to make sure you’ve set everything.
The output below is ‘show port-security interface fastEthernet 0/5’ after configuring a maximum of one allowed mac address, shutdown is the violation mode, and is set to authorize the first and only mac address it first learns about on fastethernet 0/5. If you look to Figure1, you can see that host 192.168.10.11 is on that port.:

SW5#show port-security interface fastEthernet 0/5
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0060.47BA.7250:10
Security Violation Count   : 0

What Happens?:

Lets say that the switch does actually detect an un-authorized mac address on that port. Say for instance, that user 192.168.10.11 (yeah, I know, I’m not being really creative for names at the moment.), tries to plug in a different device into that ethernet port in his cubicle. Maybe its his laptop. Well, from the output shown above ‘Maximum MAC Addresses : 1’ means, there is one and only one mac address allowed, and currently authorized on that port. And the violation mode is to shutdown that port. So what will the switch show if it actually happens?:

Well, first you would see in the log:

%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down

Then, when we check on the port-security status:

SW5#show port-security interface fastEthernet 0/5
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0007.EC6D.C364:10
Security Violation Count   : 1

Notice in the field ‘Security Violation Count’, the value has changed from 0 to 1. The ‘Last Source Address’ has changed as well. Port security has been triggered on this port and is now shutdown.

This is the output of ‘show interfaces fastEthernet 0/5’:

FastEthernet0/5 is down, line protocol is down (err-disabled)
  Hardware is Lance, address is 00d0.9740.9e01 (bia 00d0.9740.9e01)
 BW 100000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s
------------OUTPUT OMITTED------------

Here you can see the port is now down, next to ‘line protocol’ you see ‘(err-disabled), this means the switch brought this port down on it’s own because of a certain error. There are parameters on Cisco’s switches that can cause it to be shutdown because of errors.
Again, once a port is shutdown because of an error, an administrator has to go in and manually  turn the port back on with ‘no shutdown’ on the interface level.

Advertisements

Notes: CCENT – Switching – Part 2

Notes: CCENT – Switching, & VLANS Pt 2:

Where Switches are:
Application
Presentation
Session
Transport<- Segments
Network <- Routers /Packets / IP addresses
Data Link <- Switches, Bridges / Frames / MAC Addresses
Physical < – Hubs, Repeaters / Bits / Ethernet


I will be using this network I built in Packet Tracer as an example for these notes:
Figure 1:

On a Cisco switch, showing the MAC address table is as easy as:

 
SW4#show mac-address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

   1    0001.4250.0901    DYNAMIC     Gig1/1
   1    0001.638c.5a01    DYNAMIC     Gig1/1
  10    0001.4250.0901    DYNAMIC     Gig1/1
  10    0001.638c.5a01    DYNAMIC     Gig1/1
  10    0090.2b46.aa2a    DYNAMIC     Fa0/1
  20    0001.4250.0901    DYNAMIC     Gig1/1
  20    0001.638c.5a01    DYNAMIC     Gig1/1
  20    0001.c7a1.1843    DYNAMIC     Fa0/10

This is switch 4’s (SW4) output.

As you can see here, there are two hosts currently on this switch. 0090.2b46.aa2a in VLAN10 (192.168.10.10) off port 1 (Fa0/1), and 0001.c7a1.1843 in VLAN 20 (192.168.20.10) off port 10 (Fa0/10)
You’ll also notice that 0001.638c.5a01 is showing multiple entries as being off Gig1/1. Well that is because this is actually a trunk link to SW3 that is opened by STP and acting as a trunk for VLAN 1,10, and 20. Notice another trunk link in there? The trunk link between SW4 and SW5 has been closed off by STP to prevent switching loops. (More about STP and VLANs will come later.


A MAC Table has other names as well:

  • CAM Table (Acronym for ‘content addressable memory’
  • MAC Table
  • Bridging Table
  • Switching Table

MAC addresses in MAC tables do have an age to them, and will actually delete the entry for a MAC address if nothing is heard from it in 300 seconds.

Yes its 5 minutes, but Cisco Switches like to use seconds. Cisco’s equipment likes using base measurements for just about everything. Instead of kilobits, you’ll find yourself using bits, instead of minutes, you’ll be breaking those down to seconds. i.e. 256kbs to a Cisco device is usually projected as 250,000bps. Or clock rates for instance on serial links, you would normally think of 128k, but it’s actually expressed in the command line as “128000”. One thing you need to watch out for is consistency however, because it’s not always true across all of IOS. This is why it’s important to use the IOS help feature, ALL the time. This will usually display whether you need to specify seconds, or bits, or minutes, or kilobits, etc.

Properties of MAC Tables:

  • When there is a change in the network, and new hosts are found on other ports, it will add them as well.
  • If a host is moved from one port to another, it will dynamically update it’s MAC Table to accommodate the change. It will notice that the mac address that was once coming out one port is now coming out of another, it will update it’s table accordingly.
  • It’s always best use dynamic entries, it’s better for the switch to update itself rather than have to do it every time you make a change on the network.

__________________________________

There are 3 methods a switch uses (depending on what the switch is configured to do) once it’s decided what to do with a frame. (Filter, Flood, or Forward.)

  1. Store-And-Forward – Highest level of error detection, Highest Latency- A switch will store an entire frame before it is forwarded. While this method is best for error checking, its the slowest of the three. This gives the switch a chance to inspect and detect any errors in the frame before sending it to it’s destination. The switch does this by checking the FCS (Frame Check Sequence) of the frame.
  2. Cut-Through – No Error Detection, lowest latency. – Faster than store and forward. Does not check for bad frames, it completely ignores the FCS, all it reads of the frame is the Destination MAC Address.
  3. Fragment-Free – Not as slow as Store-And-Forward, but still slower that Cut-Through. This method is more of a middle ground for the other two methods by storing the first 64-bytes of a frame and checking for any type of corruption. If it sees no problems in those first 64bytes, it will forward the frame.

__________________________________

Broadcast Storm – A Broadcast storm is usually when there are too many hosts sending out broadcasts into a broadcast domain, bogging down the CPU and memory. This is where VLANs can come in. When you have about 20 hosts in a broadcast domain, its no big deal. A switch worth it’s weight can easily handle that. But when you’ve got a broadcast domain or an entire filled /24 subnet for example with 254 devices, the switch is eventually going to crash because it simply can’t handle all that.

Switching Loop – A switching loop occurs when packets (usually broadcast) are repeatedly sent through redundant links that connect routers. If you take 2 regular un-managed switches, and connect them to each other with 2 cables, and you plug in an end device that sends out broadcasts, you will see a switching loop in action. Frames are constantly sent back and forth between the switches because what does a switch do with broadcasts? It floods them out every port. Because both switches are considered to be in the same broadcast domain, the broadcast is going to reach every host plugged into those switches. A frame will go out the port connected to the other switch, and the other switch will send it out the redundant connection back to the first switch, and it will keep returning, back and forth. This will bring a network to a crawl and eventually crash all the switches. If you are working with a production network, don’t cause one.

There is however a mechanism in place to stop this sort of thing and close down redundant links to switches, STP and RSTP. These are enabled by default on Cisco switches for the obvious reasons. There will be more on this later.

[If you are working with two redundant connections to a switch however, why not just bundle them with Etherchannel? Super fast convergence upon link failure, and the added benefit of extra bandwidth all while keeping your redundancy in place. 🙂 ]

__________________________________

VLANs

VLAN stands for “Virtual Local Area Network” This is where a broadcast domain is segmented, into logical broadcast domains. There are many uses for VLANs, such as in networks using VOIP phones and PCs, they like to move all VOIP traffic into it’s own VLAN. Companies also like to move different departments into VLANs as well. A VLAN for Engineering, another for Sales, another for Quality Control, another for customer service, etc. They are also used for security purposes, such as hiding hosts from the outside.

Hosts in separate VLANs cannot communicate with each other without Layer 3 intervention, such as a router. Switches do not allow broadcasts to bleed into other VLANs. If you have a group of hosts in different VLANs, and nothing to ‘route’ them, or ‘intervlan routing’, they can’t communicate with each other. You can’t ping, ARP won’t reach into other VLANs, etc. Its basically logical grouping of hosts that are usually in the same geographic location.

(There are L3 switches that can do interVLAN routing, but we’re not concerned with them, that is out of the scope of the CCENT/CCNA)

Through the magic of VTP (Virtual Trunking Protocol), you can have a group of switches using the same VLANs, across an entire ‘VTP Domain’.

You’ll notice from Figure 1 that I have three switches connected to each other. Well these 3 switches are participating in a VTP domain. The name for this VTP domain is CEREALGUY (yes, ok, I used memes for names, go ahead and laugh it all out, I’m too busy to be creative elsewhere.) I have two VLANs here, VLAN 10 and 20, but lets not forget the switch’s default VLAN1, VLAN1002-1005. 1002-1005 are there by default, but are not covered in the CCNA.

VLAN1 is Cisco’s default VLAN. In the output below, you’ll find that VLAN1 is labeled default. This VLAN is primarily used as the management VLAN on most switches today. Usually by setting up Telnet Access, a default gateway (ip default-gateway) and assigning VLAN1 an IP, you can remote in. (all this is covered in later notes)

This however, does present a security issue that you need to watch out for. By default, all ports on a switch are assigned to VLAN1. They are all set to “dynamic” by default, meaning that ALL switchports are actively trying to either negotiate trunks to other switches, or negotiating access to end devices:

SW3(config-if-range)#switchport mode ?
  access   Set trunking mode to ACCESS unconditionally
  dynamic  Set trunking mode to dynamically negotiate access or trunk mode
  trunk    Set trunking mode to TRUNK unconditionally

And this is also known a switch’s default management VLAN. Its best practice, that after you have finished configuring a switch, that you reassign all non used ports to another random vlan, and shut them all down. I’ll cover more about switch security in later notes.

This is SW3’s output for “show vtp status”:

SW3#show vtp status
VTP Version                     : 2
Configuration Revision          : 5
Maximum VLANs supported locally : 255
Number of existing VLANs        : 7
VTP Operating Mode              : Server
VTP Domain Name                 : CEREALGUY
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xCB 0xC6 0x46 0x4F 0xDA 0x22 0x09 0xAB
Configuration last modified by 192.168.4.2 at 3-1-93 00:02:02
Local updater ID is 192.168.4.2 on interface Vl1 (lowest numbered VLAN interface found)
SW3#

Also, the output for “show vlan brief”:

SW3#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23
10   MEGUSTA                          active
20   Y_U_NO_GUY                       active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
SW3#

__________________________________

SW4#show vtp status
VTP Version                     : 2
Configuration Revision          : 5
Maximum VLANs supported locally : 255
Number of existing VLANs        : 7
VTP Operating Mode              : Client
VTP Domain Name                 : CEREALGUY
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xCB 0xC6 0x46 0x4F 0xDA 0x22 0x09 0xAB
Configuration last modified by 192.168.4.2 at 3-1-93 00:02:02
SW4#
SW4#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
10   MEGUSTA                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9
20   Y_U_NO_GUY                       active    Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
SW4#

We are using SW4’s output for reference here, you can see the topology in  Figure1.

As you can see, on this switch, as opposed from the output of SW3, all the ports are in different VLANs. However,  when you look at “show VTP status”, you can see that the VTP domain name is the same as SW3.  Notice “VTP Operating Mode” as Client, and in SW3, it was Server, this is because SW4 is a client in the domain of “CEREALGUY”. (VTP will be talked about later.)

Moving ports on switches around to VLANs is pretty easy. These settings are simply changed at the interface level:

SW4#conf t
SW4(config)#interface fastethernet 0/1
OR SW4(config)#interface range fastethernet 0/1 - 5
SW4(config-if-range)#switchport access ?
  vlan  Set VLAN when interface is in access mode
SW4(config-if-range)#switchport access vlan ?
  <1-1005>  VLAN ID of the VLAN when this port is in access mode

(Noticed how I used “range” there, well, in Cisco’s IOS for switches, to go to each individual port and change it’s parameters, that are going to be identical to others, its pretty time consuming. This is why Cisco’s switch IOS has the “range” switch on the syntax. This allows you to make configurations to a “range” of ports, not just one individual one.)

Notes: CCENT – Switching – Part 1

Notes: CCENT – Switching and Concepts. Pt 1:

Where Switches are:
Application
Presentation
Session
Transport<- Segments
Network <- Routers /Packets / IP addresses
Data Link <- Switches, Bridges / Frames / MAC Addresses
Physical < – Hubs, Repeaters / Bits / Ethernet

Layer 1 Devices:

  • Repeaters and Hubs. They all work at Layer1, they are all physical layer devices.
  • They do not look at MAC addresses, they just take electrical signals and “Repeat” them, or distribute them. They are dumb devices, they make any decisions on switching frames.
  • Uses CSMA/CD
  • 1 Hub = 1 Entire Collision Domain
  • A hub is basically just a Multiport Repeater.
  • Half Duplex (Hosts can only send or receive at one time, it can’t do both on a hub)
  • Shared Segments, every device on a hub has to share the hub’s bandwidth with other hosts.
  • On hubs, only one host can transmit at a time.

Properties of Switches:

  • Switches work at Layer 2
  • 1x 24 port switch = 24 collision domains. 1x 16 port switch = 16 collision domains
  • Switches are just multi-port bridges. (Bridges were once used to segment collision domains.)
  • Data Collisions do not occur on switches because each host has their own individual CD and do not share a segment with other hosts.
  • Its one host, one collision domain.
  • Switches DO NOT segment broadcast domains. This means, if one host sends a broadcast, all the devices on the switch will still receive a broadcast. (Remember, a broadcast MAC is ffff.ffff.ffff, which means it’s destined for all hosts.)
  • They make forwarding decisions based on MAC Addresses.
  • Switches learn MAC addresses of devices based on the SOURCE address in the frames.
  • They use MAC Tables (Also CAM Tables) to map the ports the hosts are sitting on to their MAC address.
  • Full Duplex. Hosts can send and receive at the same time.
  • On switches, every host can send and receive simultaneously at the same time.
  • Throughput is doubled because of this. Usually when a vendor talks about a switch, they would call it a “100 Mbps switch”, this means that each host actually has 200mbps of bandwidth available to them. 100mbps for sending and 100mbps for receiving.
  • Hosts do not share bandwidth. However, switches have what is called a “switch fabric”,  “switching plane” or “switching capacity”, where all the data is stored right before its forwarded. Decent switches will usually have a good size switching plane according to it’s number of ports. For example, a 24-port 1000mbps switch, would have a  48Gb switching capacity. If it were only a 24-port 10/100, it should have a 4.8Gb switching capacity.
  • There are switches that do L3 routing, (for instance, routing between VLANs without the need for a router.) L3 switches, as far as the CCENT-CCNA is concerned, don’t even exist. Switches are all L2 when you’re doing your CCENT/CCNA. Same with Auto-MDIX. You need a crossover cable to connect like-devices.
My amazing skill at labeling broadcast domains and collision domains in MS-Paint. 🙂
See how much more awesome switches are than hubs? 🙂

Forwarding, Flooding, and Filtering – What a switch will do with incoming frames:

Remember: A switch never sends a frame back out the same port it received it on.

  • If a switch sees an entry for a mac address in it’s table for a specific host, it will Forward it. Simply send the frame. (Known Unicast Frames)
  • If a switch doesn’t see an entry for a mac address in it’s table, it will Flood it. It will send the frame out every port except the one it received it on. An “unknown unicast frame” is flooded. These are frames that contain destinations that switches don’t know about.
  • The only time a frame is flooded, is if the destination is broadcast, or ffff.ffff.ffff. This frame destination means “all hosts” in a broadcast domain.
  • If a switch sees an entry for a mac address in it’s table, but the destination MAC address is off the same port it came in, it will filter it. (This may occur for example if there are other hosts off that port that are connected to a hub.) (quite rare.)