Spanning Tree Protocol (STP) prevents undesirable loops in the network and provides path redundancy:
- Only one active path can exist between two stations
- Loops on the network are detected automatically
- Path costs are calculated and high-cost (lowest-capacity) links are then placed in a backup state automatically and deterministically
Rapid Spanning Tree Protocol (RSTP) provides rapid convergence of the spanning tree in less than 1 second:
- Provides rapid recovery of connectivity following the failure of a bridge, a bridge port, or a LAN
- A new root port can transition rapidly to the Forwarding port state
- The use of explicit acknowledgements between bridges allows designated ports to transition rapidly to the Forwarding port state
- RSTP allows bridge ports connected to a LAN segment at the edge of the bridged LAN to be configured to transition directly to the Forwarding state
Edge ports: A port configured as an edge port transitions immediately to the forwarding state after link up
Root ports: A new root port transitions immediately to the forwarding state and the old root port is blocked
Point-to-point links: A port connected to another switch via a point-to-point link becomes a designated port and negotiates a rapid transition with the other port using the proposal-agreement handshake, to ensure a loop-free topology
RST BPDU format, length = 36 bytes:
Field             Size      Value / note
Protocol ID       2 octets
Version           1 octet   02 (Ver2, RSTP)
BPDU Type         1 octet   02 (RST BPDU)
BPDU Flags        1 octet   bit 0 TC, bit 1 Proposal, bits 2-3 Port Role, bit 4 Learning, bit 5 Forwarding, bit 6 Agreement, bit 7 TCA
Root ID           8 octets  2-byte priority + 6-byte MAC
Cost of Path      4 octets  cost of the path to the root
Bridge ID         8 octets  2-byte priority + 6-byte MAC
Port ID           2 octets
Message Age       2 octets  = 0 when sent by the root
Max Age           2 octets  20 seconds
Hello Time        2 octets  2 seconds
Forward Delay     2 octets  15 seconds
Version 1 Length  1 octet
At startup each switch assumes itself to be the root bridge and sets the Bridge ID equal to the Root ID in the BPDUs it sends out. The Bridge ID consists of a 2-byte priority and a 6-byte MAC address. The priority range is 0-65535; the default is 32,768 (0x8000). The bridge with the highest priority (lowest value) becomes the root bridge. If all devices have the same priority, the bridge with the lowest MAC address becomes the root bridge.
Root Port: The port that offers the lowest-cost path to the root; it is the port that receives BPDUs from a designated port.
Designated Port: The bridge to which the designated port is attached offers the lowest cost to the root for that LAN. The designated port regenerates BPDUs to the downstream bridge.
Alternate Port: A port that is neither the root port nor a designated port becomes a blocked port. A blocked port does not forward packets; it receives BPDUs from the designated port but does not forward them.
RSTP provides rapid convergence for a loop-free network with redundant paths. MSTP enables VLANs to be grouped into spanning-tree instances, with each instance having its own spanning-tree topology; this provides multiple forwarding paths for data traffic and enables load balancing.
Port Trunk: Multiple physical links are grouped together as a single logical link to provide bigger uplink bandwidth, traffic load balancing, and protection against link failure.
[Diagram: SW 1 (192.168.1.1) trunked to SW 2 (192.168.1.2) toward the Internet; switch MACs 7072CF75BC86 and 7072CF78A019; one member link shown down; the trunk increases uplink bandwidth to 8 Gbps full duplex]
Link Aggregation Control Protocol (LACP): A protocol that automatically and dynamically groups physical links of the same media type and speed together. Up to 8 links can be grouped as a trunk; ports with the same media type, speed, and duplex mode trunk automatically. (Diagram: one member link down, traffic continues over the remaining links.)
The IEEE 802.1X standard is a port-based access control and authentication protocol. It forces a client connected to a switch port to authenticate to a RADIUS server, such as a Windows Internet Authentication Service (IAS) server, before gaining access to the network. The client must be running 802.1X-compliant software, which is available in operating systems such as Windows XP.
- Ensures only authorized users can access the network
- Centralized management of usernames and passwords on the RADIUS server
- Automatically assigns the customer's VLAN from the RADIUS server to the access switch
Guest VLAN: Visitors who do not have access rights to the corporate network still need to access the Internet. Visitors connecting to a switch port with an incorrect username and password, or none at all, are placed in the Guest VLAN automatically, so they can only access the Internet.
- Automatically isolates visitors in the Guest VLAN so the corporate network cannot be accessed, ensuring network security
- In the meantime, visitors are still provided with Internet access
Voice VLAN: To provide voice-over-IP service, it is recommended to put all voice traffic into separate voice VLAN(s) for ease of management and control. VoIP devices are detected automatically by the OUI of their MAC address or by LLDP and grouped into the Voice VLAN, and the port priority is changed automatically.
- Switches can detect the IP phone automatically
- The phone is easily associated with a logically separate VLAN for voice use
- A higher CoS value is assigned to guarantee voice quality
Port Security: A security function that limits the maximum number of dynamically learned MAC addresses per subscriber interface. The maximum MAC count is configurable from 1 to 1024. MAC addresses dynamically learned by port security are added as static entries until the switch reboots, so only devices with certain MAC addresses can access the network. The MAC addresses learned by port security can be configured to age out with the MAC-address-table aging time, making sure only a certain number of MACs can access the network at a time; when subscribers change their device, no operator intervention is needed. Port security violation actions: trap and shutdown; MAC notification.
DHCP snooping allows a switch to protect a network from rogue DHCP servers. Only a DHCP snooping trust port, which is connected to a legitimate DHCP server, can offer IP addresses to DHCP clients. Rogue DHCP servers connected to an untrusted port can no longer offer illegal IP addresses to DHCP clients and break the network (the switch filters out DHCP OFFER, DHCP ACK, and DHCP NAK from untrusted ports). The IP-to-MAC binding table can be used by IP source guard to prevent attackers from changing their IP or MAC to impersonate valid customers. The mapping table is created automatically, reducing operator expense.
DHCP Snooping Option 82 provides a mechanism for assigning IP addresses based on the location of the client device in the network. Information about its location is sent along with the request to the server, and the DHCP server decides what IP address to assign based on this information. The switch acts as a DHCP relay agent: it intercepts DHCP requests, appends the circuit ID and remote ID in the option 82 field, and forwards the request message to the DHCP server.
a) remote-id: MAC address [encoded as hex]
b) circuit-id: VLAN ID and unit/port
Option 82 format: Circuit ID (with an extra sub-type included) and Remote ID (MAC address in hex).
Circuit ID sub-option (example bytes: 01 N 00 04 00 01 01 01):
  Sub-option type 1 byte (01) | Length 1 byte (N) | Circuit ID type 1 byte (00) | Length 1 byte (04) | VLAN ID 2 bytes (00 01) | Module 1 byte (01) | Port number 1 byte (01)
Remote ID sub-option (example bytes: 02 08 00 06 0e 00 c1 11 cc 00):
  Sub-option type 1 byte (02) | Length 1 byte (08) | Remote ID type 1 byte (00) | Length 1 byte (06) | MAC address 6 bytes (0e 00 c1 11 cc 00)
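A parser and builder for the Option 82 layout above, as an added Python example that is not part of the original slides. The sample bytes are the ones shown on the slide (with N = 6, the length of the circuit-ID value); the length checks are there because a relay agent option is attacker-influenced input on the server side and a bad length must not read past the buffer. The scope table and the `choose_scope` helper are constructed to illustrate the location-based assignment the slide describes, not a real DHCP server API.

```python
# Option 82 (DHCP Relay Agent Information) sub-option layout from the slide:
#   Circuit ID  [01][N][00][04][VLAN ID:2][Module:1][Port:1]
#   Remote ID   [02][08][00][06][MAC:6]
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2

# Constructed sample carrying exactly the bytes shown on the slide (N = 6)
SAMPLE_OPTION82 = bytes.fromhex("01 06 00 04 00 01 01 01" "02 08 00 06 0e 00 c1 11 cc 00")


def parse_option82(payload):
    """Walk the sub-option TLVs, refusing to read past the end on bad lengths."""
    result = {}
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated sub-option header")
        subopt, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option length runs past end of option")
        i += 2 + length
        if subopt == SUBOPT_CIRCUIT_ID:
            # inner TLV: type 00, length 04, then VLAN ID (2), module (1), port (1)
            if length != 6 or value[0] != 0 or value[1] != 4:
                raise ValueError("unexpected circuit-id encoding")
            result["circuit_id"] = {
                "vlan": int.from_bytes(value[2:4], "big"),
                "module": value[4],
                "port": value[5],
            }
        elif subopt == SUBOPT_REMOTE_ID:
            # inner TLV: type 00, length 06, then the relay agent MAC
            if length != 8 or value[0] != 0 or value[1] != 6:
                raise ValueError("unexpected remote-id encoding")
            result["remote_id"] = "-".join(f"{b:02x}" for b in value[2:])
        else:
            result.setdefault("other", []).append((subopt, value.hex()))
    return result


def build_option82(vlan, module, port, relay_mac):
    """What the relay agent appends: circuit ID (VLAN + module/port) and remote ID (its MAC)."""
    circuit = bytes([0, 4]) + vlan.to_bytes(2, "big") + bytes([module, port])
    remote = bytes([0, 6]) + bytes.fromhex(relay_mac.replace("-", ""))
    return (bytes([SUBOPT_CIRCUIT_ID, len(circuit)]) + circuit
            + bytes([SUBOPT_REMOTE_ID, len(remote)]) + remote)


# Constructed server-side table: (relay MAC, VLAN, module, port) -> address pool for that location
SCOPES = {("0e-00-c1-11-cc-00", 1, 1, 1): "192.168.10.0/24"}


def choose_scope(option82, scopes=SCOPES):
    """The server's decision step: pick the pool that belongs to the client's location."""
    o = parse_option82(option82)
    c = o["circuit_id"]
    return scopes.get((o["remote_id"], c["vlan"], c["module"], c["port"]))
```

On the server side the location key should include the remote ID, not only the circuit ID: a VLAN/port pair is only unique within one relay agent, so two switches with the same port numbering would otherwise collide.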
IP Source Guard: A security feature that restricts IP traffic on Layer 2 interfaces by filtering traffic based on the DHCP snooping binding database or on manually configured IP source bindings.
- Prevents traffic attacks in which a host attacks the network by claiming a neighbor host's IP address
- Stops malicious users from using IP addresses that were not assigned to them
- Stops clients from forging their MAC address; MAC address filtering makes flooding the switch impossible
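The DHCP snooping trust-port filter, the binding table it builds from DHCP ACKs, and the IP source guard check that consumes that table (the two preceding sections), modelled together in Python as an added example that is not code from the original slides. The switch class, its method names and the port numbers are constructed; the client MAC and addresses are the ones the slides use. Only the message-type decision and binding bookkeeping are modelled, not DHCP packet parsing.

```python
# DHCP message types (option 53 values)
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPNAK = 1, 2, 3, 5, 6
SERVER_MESSAGES = {DHCPOFFER, DHCPACK, DHCPNAK}   # only legitimate from a trusted port


class DhcpSnoopingSwitch:
    """Constructed model of a switch running DHCP snooping and IP source guard."""

    def __init__(self, trusted_ports, static_bindings=()):
        self.trusted = set(trusted_ports)
        self.pending = {}      # client MAC -> access port, learned from client messages
        self.bindings = {}     # client MAC -> (IP, port): the DHCP snooping binding table
        for mac, ip, port in static_bindings:     # manually configured IP source bindings
            self.bindings[mac] = (ip, port)

    def dhcp(self, port, msg_type, client_mac, yiaddr=None):
        """Return 'forward' or 'drop' for a DHCP message seen on `port`."""
        if msg_type in SERVER_MESSAGES:
            if port not in self.trusted:
                return "drop"          # OFFER/ACK/NAK from an untrusted port: rogue server
            if msg_type == DHCPACK and client_mac in self.pending:
                # a real lease was granted: record IP / MAC / port in the binding table
                self.bindings[client_mac] = (yiaddr, self.pending.pop(client_mac))
            elif msg_type == DHCPNAK:
                self.pending.pop(client_mac, None)
            return "forward"
        # client message (DISCOVER / REQUEST): remember which port the client sits on
        self.pending[client_mac] = port
        return "forward"

    def ip_source_guard(self, port, src_mac, src_ip):
        """Permit IP traffic only from a (MAC, IP, port) triple present in the binding table."""
        if port in self.trusted:
            return True
        return self.bindings.get(src_mac) == (src_ip, port)
```

The binding records the port as well as the IP/MAC pair, so a host that copies a neighbour's MAC and IP on a different port is still denied; a host with a static address gets no dynamic binding and needs a manual source binding, which mirrors the static-IP case discussed under ARP inspection later on this page.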
Dynamic ARP Inspection (DAI) uses the DHCP snooping binding database to verify the validity of received ARP packets. Use the access-list arp command to create an ARP ACL; use permit statements to allow valid ARP packets and deny statements to reject invalid ARP packets. Additional ARP validation is available for source MAC, destination MAC, and sender/target IP. ARP inspection is CPU intensive, so the rate of ARP packets sent to the CPU should be limited. DAI logs the dropped ARP packets; the information includes the receiving VLAN, port number, source IP, and source MAC.
[Diagram: man-in-the-middle attack without ARP inspection. Router/Internet and DHCP server on the trust port; gateway 192.168.1.254 is 00-21-91-18-52-55; client 192.168.1.112 is 20-6a-8a-15-a2-41; attacker 192.168.1.12 is 00-1c-c4-0d-15-bf. The client sends an ARP request for gateway 192.168.1.254; the attacker answers "192.168.1.254 is at 00-1c-c4-0d-15-bf" and the spoofed ARP reply is forwarded, so the client's traffic goes through the attacker.]
Log: Possible reasons for ARP packets being dropped by DHCP snooping:
- Static IP: the IP address was not obtained dynamically from the DHCP server, so there is no entry in the DHCP snooping binding table
- The DHCP snooping binding table was cleared, or the ARP entry aged out
[Diagram: the same topology with DAI and the DHCP snooping binding table. The client (192.168.1.112, 20-6a-8a-15-a2-41) on an untrusted port sends an ARP request asking what MAC 192.168.1.254 is; the router on the trust port replies "192.168.1.254 is at 00-21-91-18-52-55". The attacker's spoofed ARP reply from 192.168.1.12 (00-1c-c4-0d-15-bf) on an untrusted port is dropped because 192.168.1.12 is not in the DHCP binding table.]
DHCP Snooping Table:
MAC                  IP Address
20-6a-8a-15-a2-41    192.168.1.112
xx-xx-xx-xx-xx-xx    192.168.1.113
yy-yy-yy-yy-yy-yy    192.168.1.114
...
ARP inspection supports validation of ARP packets based on destination MAC, IP, or source MAC. IP validation supports allow-zeros for a 0.0.0.0 sender address.
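The DAI decision path from the preceding slides (trust port bypass, the source-MAC / destination-MAC / IP validations, the ARP ACL for static hosts, the binding-table lookup, the allow-zeros option and the drop log), written out in Python as an added example rather than code from the original deck. The binding table holds the slide's client entry, the ARP ACL entry stands in for what the access-list arp command would create for the statically addressed host 192.168.1.12, and the packet dictionaries and port numbers are constructed. Forwarding a zero-sender probe under allow-zeros without a binding lookup is this example's choice, since a host probing for address conflicts has no lease yet.

```python
import ipaddress

# DHCP snooping binding table (MAC -> IP) with the entry shown on the slide
BINDINGS = {"20-6a-8a-15-a2-41": "192.168.1.112"}

# ARP ACL for a host with a static IP (on the switch this would be created with the
# access-list arp command; this list is a constructed in-memory stand-in). It is
# consulted before the binding table, so statically addressed hosts are not dropped.
ARP_ACL = [("permit", "192.168.1.12", "00-1c-c4-0d-15-bf")]

ZERO = ipaddress.IPv4Address("0.0.0.0")
BCAST = ipaddress.IPv4Address("255.255.255.255")


def invalid_ip(ip, allow_zeros=False):
    """IP validation: 0.0.0.0 (unless allow-zeros), broadcast, multicast and loopback are invalid."""
    a = ipaddress.IPv4Address(ip)
    if a == ZERO:
        return not allow_zeros
    return a == BCAST or a.is_multicast or a.is_loopback


def inspect_arp(pkt, trusted, bindings=BINDINGS, acl=ARP_ACL, allow_zeros=False, log=None):
    """pkt keys: vlan, port, eth_src, eth_dst, op ('request'|'reply'),
    sender_mac, sender_ip, target_mac, target_ip. Returns (verdict, reason)."""
    if trusted:
        return "forward", "trusted port, not inspected"

    def drop(reason):
        if log is not None:   # DAI logs VLAN, port, source IP and source MAC of dropped packets
            log.append(f"vlan={pkt['vlan']} port={pkt['port']} "
                       f"ip={pkt['sender_ip']} mac={pkt['sender_mac']} reason={reason}")
        return "drop", reason

    # additional validations: source MAC, destination MAC, IP
    if pkt["eth_src"] != pkt["sender_mac"]:
        return drop("Ethernet source MAC does not match ARP sender MAC")
    if pkt["op"] == "reply" and pkt["eth_dst"] != pkt["target_mac"]:
        return drop("Ethernet destination MAC does not match ARP target MAC")
    if invalid_ip(pkt["sender_ip"], allow_zeros):
        return drop("invalid sender IP")
    if pkt["op"] == "reply" and invalid_ip(pkt["target_ip"]):
        return drop("invalid target IP")
    if allow_zeros and pkt["sender_ip"] == "0.0.0.0":
        # address-conflict probe from a host that has no lease yet; this example forwards it
        return "forward", "ARP probe with zero sender IP (allow-zeros)"

    # ARP ACL first (static hosts), then the DHCP snooping binding table
    for action, ip, mac in acl:
        if (ip, mac) == (pkt["sender_ip"], pkt["sender_mac"]):
            return ("forward", "ARP ACL permit") if action == "permit" else drop("ARP ACL deny")
    if bindings.get(pkt["sender_mac"]) == pkt["sender_ip"]:
        return "forward", "matches DHCP snooping binding"
    return drop(f"{pkt['sender_ip']} / {pkt['sender_mac']} not in DHCP snooping binding table")


def arp(port, op, sender_mac, sender_ip, target_mac, target_ip, vlan=1, eth_src=None, eth_dst=None):
    """Constructed packet dict; Ethernet addresses default to the ARP addresses (a consistent frame)."""
    return {"vlan": vlan, "port": port, "op": op, "sender_mac": sender_mac, "sender_ip": sender_ip,
            "target_mac": target_mac, "target_ip": target_ip,
            "eth_src": eth_src or sender_mac,
            "eth_dst": eth_dst or (target_mac if op == "reply" else "ff-ff-ff-ff-ff-ff")}
```

The slide's spoofed reply fails the last step: the attacker's MAC is bound to no address at all, so its claim to 192.168.1.254 does not match, while the real gateway's reply arrives on the trust port and is never inspected. The log line carries exactly the four fields the slide says DAI records, which is what an operator needs to tell a misconfigured static host (fix: ARP ACL entry) from an actual spoofing attempt.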
[Diagram: ACL types and the frame fields they match]
- MAC ACL: Preamble | DEST MAC | SRC MAC | [8100 PID/VID] | Type | DATA | CRC; matches destination MAC, source MAC, Ethertype, and the 802.1Q VLAN ID
- IP Standard ACL: Preamble | DEST | SRC | Type 0800 | IP Header (SIP, DIP) | DATA | CRC; matches source IP and destination IP
- IP Extended ACL: Preamble | DEST | SRC | Type 0800 | IP Header (TOS: IP Precedence / DSCP) | TCP/UDP Header (Src Port, Dest Port) | DATA | CRC; additionally matches TOS/DSCP and the Layer 4 source and destination ports
Layer 2 switches can use IGMP snooping to prevent the flooding of multicast traffic by dynamically configuring switch ports so that multicast traffic is forwarded only to the ports associated with IP multicast receivers. By implementing IGMP snooping, a Layer 2 switch increases network performance by reducing multicast traffic flooding.
Mrouter port: IGMP snooping only starts to work when there is a multicast router in the network. The port that connects to the multicast router and receives the general query is the mrouter port. The mrouter port can also be configured statically.
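The forwarding state IGMP snooping builds, covering the two sections above (per-group receiver ports learned from membership reports, the mrouter port learned from a general query or configured statically, and flooding until a multicast router is seen), as an added Python example that is not code from the original slides. The class, its method names, the port numbers and the group address are constructed; sending unknown-group traffic only to mrouter ports is this example's choice, since the slides do not say how unregistered groups are handled.

```python
from collections import defaultdict


class IgmpSnoopingSwitch:
    """Constructed model of the per-group forwarding state a Layer 2 switch builds by snooping IGMP."""

    def __init__(self, ports, static_mrouter_ports=()):
        self.ports = set(ports)
        self.mrouter_ports = set(static_mrouter_ports)   # statically configured mrouter ports
        self.members = defaultdict(set)                   # group -> ports with receivers

    def on_general_query(self, port):
        # a general query comes from the multicast router, so its port is an mrouter port
        self.mrouter_ports.add(port)

    def on_membership_report(self, port, group):
        self.members[group].add(port)

    def on_leave(self, port, group):
        self.members[group].discard(port)
        if not self.members[group]:
            del self.members[group]

    def egress_ports(self, group, ingress_port):
        """Ports a multicast frame for `group` arriving on `ingress_port` is sent to."""
        if not self.mrouter_ports:
            # no multicast router seen yet: snooping is not active, so the frame floods
            return self.ports - {ingress_port}
        # receivers for the group plus every mrouter port (the router must see all sources)
        return (self.members.get(group, set()) | self.mrouter_ports) - {ingress_port}
```

Configuring the mrouter port statically matters on segments where the router's general queries may be lost or delayed: without an mrouter port the model (like the slide) falls back to flooding every multicast frame out of all ports.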