
Systems Approach to Computer Networks: Unit 15 Study Guides

Ethernet and VLANs in Switched LANs

Unit 15 Review

Ethernet and VLANs form the backbone of modern local area networks. Ethernet defines the rules for communication within a LAN, using MAC addresses and frames to transmit data. It supports various data rates and employs CSMA/CD to manage access to shared media. VLANs allow network administrators to create logical subgroups within a physical LAN, improving performance and security. They enable devices to communicate as if on the same physical network, even when connected to different switches. Inter-VLAN routing requires Layer 3 devices to facilitate communication between VLANs.

Ethernet Basics

  • Ethernet is a family of wired computer networking technologies commonly used in local area networks (LANs)
  • Operates at the data link layer (Layer 2) of the OSI model and defines the rules for communication within a LAN
  • Originally used a bus topology over a shared coaxial cable; modern Ethernet uses a star topology with devices connected to a central switch or hub
  • Employs carrier-sense multiple access with collision detection (CSMA/CD) to manage access to a shared, half-duplex medium (full-duplex switched links have no collisions and do not use it)
    • Devices listen for traffic before transmitting to avoid collisions
    • If a collision occurs, devices wait a random time before retransmitting
  • Supports various data rates, including 10 Mbps, 100 Mbps (Fast Ethernet), 1 Gbps (Gigabit Ethernet), and 10 Gbps (10 Gigabit Ethernet)
  • Utilizes unique 48-bit MAC addresses to identify devices on the network
  • Encapsulates data into frames, which include source and destination MAC addresses, data payload, and error-checking information

LAN Switching Fundamentals

  • LAN switches are network devices that connect multiple devices within a LAN and forward data based on MAC addresses
  • Switches operate at the data link layer (Layer 2) of the OSI model
  • Maintain a MAC address table that maps each device's MAC address to the switch port it is connected to
  • When a frame arrives, the switch examines the destination MAC address and forwards the frame to the appropriate port
    • If the destination MAC address is not in the table, the switch floods the frame to all ports except the one it arrived on
  • Switches create separate collision domains for each port, allowing full-duplex communication and reducing collisions
  • Switches can be connected to form larger networks, with each switch maintaining its own MAC address table
  • Offer benefits such as improved network performance, reduced collisions, and increased security compared to hubs

VLAN Concepts and Implementation

  • Virtual Local Area Networks (VLANs) are logical subgroups within a physical LAN that segregate devices based on function, department, or security requirements
  • VLANs allow network administrators to create smaller broadcast domains, improving network performance and security
  • Each VLAN is assigned a unique identifier (VLAN ID) ranging from 1 to 4094
  • Devices within the same VLAN can communicate with each other as if they were on the same physical LAN, even if they are connected to different switches
  • VLANs are configured on switches using management interfaces (CLI or GUI)
    • Ports are assigned to specific VLANs
    • VLAN membership can be based on port, MAC address, or IP subnet
  • Inter-VLAN communication requires a Layer 3 device, such as a router or a Layer 3 switch, to route traffic between VLANs
  • VLANs enhance network security by isolating sensitive devices and limiting the impact of broadcast storms or other network issues
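The switching and VLAN bullets above describe one mechanism: a switch learns the source MAC of each arriving frame against the ingress port, forwards known unicast to a single port, and floods everything else, but only within the frame's VLAN. The following added example (not code from the study guide) models that as a small Python learning switch with access ports; the port-to-VLAN map, MAC addresses and frame contents used in the usage call are constructed.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str
    payload: bytes = b""


def is_group_address(mac):
    """Broadcast and multicast MACs have the least-significant bit of the first byte set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class VlanSwitch:
    """Learning switch whose ports are all access ports: port_vlans maps port number -> VLAN ID."""

    def __init__(self, port_vlans):
        self.port_vlans = dict(port_vlans)
        self.mac_table = {}          # (vlan, mac) -> port

    def receive(self, in_port, frame):
        """Process one frame arriving untagged on an access port; return the list of egress ports."""
        vlan = self.port_vlans[in_port]
        # Learning: record (or move) the source MAC on the ingress port, scoped to the VLAN.
        self.mac_table[(vlan, frame.src)] = in_port
        if not is_group_address(frame.dst):
            out_port = self.mac_table.get((vlan, frame.dst))
            if out_port is not None:
                # Known unicast: forward to exactly one port (drop if it is the ingress port).
                return [] if out_port == in_port else [out_port]
        # Unknown unicast, broadcast or multicast: flood only to the other ports in the same VLAN.
        return sorted(p for p, v in self.port_vlans.items() if v == vlan and p != in_port)


if __name__ == "__main__":
    # Constructed topology: ports 1-2 in VLAN 10, ports 3-4 in VLAN 20.
    sw = VlanSwitch({1: 10, 2: 10, 3: 20, 4: 20})
    print(sw.receive(1, Frame("00:00:00:00:00:01", "00:00:00:00:00:02")))   # unknown -> flood to [2]
    print(sw.receive(2, Frame("00:00:00:00:00:02", "00:00:00:00:00:01")))   # learned -> [1]
    print(sw.receive(3, Frame("00:00:00:00:00:03", "00:00:00:00:00:01")))   # other VLAN -> flood to [4]
```

The third call shows the security property the bullets claim: a host in VLAN 20 addressing a MAC that lives in VLAN 10 never reaches it, because the MAC table and the flood set are both keyed by VLAN.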

Ethernet Frame Structure

  • Ethernet frames are data link layer (Layer 2) protocol data units (PDUs) that encapsulate upper-layer data for transmission over an Ethernet network
  • The Ethernet frame structure consists of several fields:
    • Preamble (7 bytes): Alternating 1s and 0s used for synchronization
    • Start Frame Delimiter (1 byte): Indicates the start of the frame
    • Destination MAC Address (6 bytes): Specifies the recipient device's MAC address
    • Source MAC Address (6 bytes): Specifies the sending device's MAC address
    • VLAN Tag (Optional, 4 bytes): Used for VLAN tagging (IEEE 802.1Q)
    • EtherType (2 bytes): Identifies the upper-layer protocol (e.g., IPv4, IPv6, ARP)
    • Payload (46-1500 bytes): Contains the upper-layer data
    • Frame Check Sequence (4 bytes): Error-checking information (CRC-32)
  • The minimum frame size is 64 bytes, while the maximum is 1518 bytes (1522 with VLAN tag); these sizes run from the destination address through the FCS and do not count the preamble and SFD
  • If the payload is less than 46 bytes, padding is added to meet the minimum frame size requirement
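To make the field layout concrete, here is an added Python example (not code from the study guide) that builds and parses frames exactly as listed above: it inserts the optional 802.1Q tag after the source address, pads short payloads to 46 bytes, appends a CRC-32 FCS, and on parsing rejects runts, giants and corrupted frames. The MAC addresses and payloads in the usage section are constructed.

```python
import struct
import zlib

ETHERTYPE_8021Q = 0x8100
MIN_FRAME = 64          # dst + src + type + 46-byte payload + FCS (preamble and SFD not counted)
MAX_PAYLOAD = 1500


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def fcs(body):
    """CRC-32 over everything after the SFD, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Assemble a frame as it appears on the wire, minus preamble and SFD."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 1500 bytes")
    header = mac_to_bytes(dst) + mac_to_bytes(src)
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        tci = ((pcp & 0x7) << 13) | vlan_id          # tag control info: PCP(3) | DEI(1) | VID(12)
        header += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    header += struct.pack("!H", ethertype)
    payload = payload.ljust(46, b"\x00")            # pad short payloads to the 46-byte minimum
    body = header + payload
    return body + fcs(body)


def parse_frame(raw):
    """Validate and decode a frame; raises ValueError for runts, giants and FCS errors."""
    if len(raw) < MIN_FRAME:
        raise ValueError("runt frame")
    body, trailer = raw[:-4], raw[-4:]
    if fcs(body) != trailer:
        raise ValueError("FCS mismatch")
    dst, src = bytes_to_mac(body[0:6]), bytes_to_mac(body[6:12])
    offset = 12
    vlan_id = pcp = None
    ethertype = struct.unpack("!H", body[offset:offset + 2])[0]
    if ethertype == ETHERTYPE_8021Q:
        tci = struct.unpack("!H", body[14:16])[0]
        vlan_id, pcp = tci & 0x0FFF, tci >> 13
        offset = 16
        ethertype = struct.unpack("!H", body[offset:offset + 2])[0]
    payload = body[offset + 2:]
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("giant frame")
    return {"dst": dst, "src": src, "vlan": vlan_id, "pcp": pcp, "ethertype": ethertype, "payload": payload}


if __name__ == "__main__":
    # Constructed sample: a 2-byte ARP payload is padded, giving the 64-byte minimum frame.
    arp = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"\x01\x02")
    print(len(arp), parse_frame(arp)["payload"][:8])
    tagged = build_frame("00:aa:bb:cc:dd:ee", "00:11:22:33:44:55", 0x0800, b"\x45" * 100, vlan_id=100, pcp=5)
    print(len(tagged), parse_frame(tagged)["vlan"])
```

A receiver cannot tell padding from data at this layer, which is why the upper-layer length (for example the IP total length) is what bounds the real payload; the FCS check is also why a single flipped bit on the wire produces a dropped frame rather than corrupted data reaching the application.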

Spanning Tree Protocol (STP)

  • Spanning Tree Protocol (STP) is a network protocol that prevents loops in switched Ethernet networks with redundant paths
  • Loops can cause broadcast storms, multiple frame copies, and MAC address table instability, leading to network performance issues
  • STP creates a logical tree topology by electing a root bridge and blocking redundant paths
    • Each switch is assigned a unique bridge ID (BID) based on its priority and MAC address
    • The switch with the lowest BID becomes the root bridge
  • STP uses Bridge Protocol Data Units (BPDUs) to exchange information between switches and determine the best paths
    • Root BPDU: Sent by the root bridge to announce its presence
    • Configuration BPDU: Sent by other switches to propagate STP information
  • Switches calculate the shortest path to the root bridge based on path cost and block redundant ports
  • If the root bridge or a network link fails, STP automatically recalculates the tree topology and unblocks previously blocked ports to maintain connectivity
  • Variants of STP include Rapid Spanning Tree Protocol (RSTP) and Multiple Spanning Tree Protocol (MSTP), which provide faster convergence and support for multiple VLANs
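The election and path-selection rules above can be run as a small algorithm: pick the lowest bridge ID as root, compute each switch's cheapest path cost to it, make the port toward that cheapest path the root port, make the lower-cost end of every link the designated port, and block whatever is left. The following added Python example (not code from the study guide) does exactly that over a constructed three-switch triangle; it models bridge IDs as (priority, MAC) tuples, uses ties by bridge ID as the standard does, and breaks remaining ties by port number, which is a simplification of the full BPDU comparison.

```python
import heapq


def compute_stp(switches, links):
    """switches: {name: (priority, mac)}; links: [(switch_a, port_a, switch_b, port_b, cost)].
    Returns (root, root_path_cost per switch, {(switch, port): 'root' | 'designated' | 'blocked'})."""
    # Root election: the lowest bridge ID wins; tuple comparison checks priority first, then MAC.
    root = min(switches, key=lambda name: switches[name])

    adjacency = {name: [] for name in switches}
    for a, pa, b, pb, cost in links:
        adjacency[a].append((b, cost, pa, pb))   # (neighbour, link cost, own port, neighbour's port)
        adjacency[b].append((a, cost, pb, pa))

    # Root path cost: cheapest total link cost from every switch to the root (Dijkstra).
    root_cost = {name: float("inf") for name in switches}
    root_cost[root] = 0
    heap = [(0, root)]
    while heap:
        cost, name = heapq.heappop(heap)
        if cost > root_cost[name]:
            continue
        for neighbour, link_cost, _, _ in adjacency[name]:
            if cost + link_cost < root_cost[neighbour]:
                root_cost[neighbour] = cost + link_cost
                heapq.heappush(heap, (root_cost[neighbour], neighbour))

    roles = {}
    # Root port: on every non-root switch, the port whose neighbour offers the lowest cost to the root.
    for name in switches:
        if name == root:
            continue
        best = min((root_cost[n] + lc, switches[n], their_port, own_port)
                   for n, lc, own_port, their_port in adjacency[name])
        roles[(name, best[3])] = "root"
    # Designated port: on every link, the end closer to the root (ties broken by bridge ID).
    # The other end is blocked unless it is already that switch's root port.
    for a, pa, b, pb, _ in links:
        a_key, b_key = (root_cost[a], switches[a]), (root_cost[b], switches[b])
        designated, other = ((a, pa), (b, pb)) if a_key < b_key else ((b, pb), (a, pa))
        roles[designated] = "designated"
        roles.setdefault(other, "blocked")
    return root, root_cost, roles


if __name__ == "__main__":
    # Constructed triangle with default priority 32768 and equal link costs of 4 (1 Gbps on 802.1D).
    switches = {"S1": (32768, "00:00:00:00:00:01"),
                "S2": (32768, "00:00:00:00:00:02"),
                "S3": (32768, "00:00:00:00:00:03")}
    links = [("S1", 1, "S2", 1, 4), ("S1", 2, "S3", 1, 4), ("S2", 2, "S3", 2, 4)]
    root, cost, roles = compute_stp(switches, links)
    print(root, cost, sorted(roles.items()))
```

With equal priorities the lowest MAC wins, so S1 becomes root purely by accident of hardware; in practice the intended core switch is given a lower priority so that the election is deliberate rather than left to MAC ordering, which the second assertion block below checks by lowering S3's priority.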

VLAN Trunking and Tagging

  • VLAN trunking allows a single physical link to carry traffic for multiple VLANs between switches
  • Trunks are configured on switch ports connected to other switches or routers
  • VLAN tagging is used to identify the VLAN membership of frames transmitted over a trunk link
    • The IEEE 802.1Q standard defines the method for VLAN tagging
    • A 4-byte VLAN tag is inserted into the Ethernet frame, which includes a 12-bit VLAN ID and other control information
  • When a tagged frame arrives at a switch, the switch examines the VLAN tag and forwards the frame to the appropriate VLAN
  • Native VLAN: The default VLAN for untagged frames on a trunk link (usually VLAN 1)
    • Untagged frames are assumed to belong to the native VLAN
  • Dynamic Trunking Protocol (DTP) is a Cisco proprietary protocol that automatically negotiates trunking parameters between switches
  • VLAN Trunking Protocol (VTP) is another Cisco proprietary protocol that propagates VLAN configuration information between switches to maintain consistency

Inter-VLAN Routing

  • Inter-VLAN routing enables communication between devices in different VLANs
  • Requires a Layer 3 device (router or Layer 3 switch) to route traffic between VLANs
  • Two common methods for inter-VLAN routing:
    • Router-on-a-stick (RoaS): A single router interface is connected to a switch port configured as a trunk, and subinterfaces are created for each VLAN
    • Switch Virtual Interface (SVI): A virtual interface is created on a Layer 3 switch for each VLAN, and the switch performs both Layer 2 switching and Layer 3 routing
  • The Layer 3 device must have an IP address configured on each VLAN interface to route traffic between VLANs
  • When a device in one VLAN wants to communicate with a device in another VLAN, it sends the frame to the default gateway (the Layer 3 device)
    • The Layer 3 device then routes the packet to the destination VLAN based on the destination IP address
  • Inter-VLAN routing provides a way to logically segment the network while still allowing communication between VLANs when necessary
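The two steps in the bullets above, the host deciding to send to its default gateway and the Layer 3 device picking the destination VLAN from the destination IP address, are shown in the following added Python example (not code from the study guide). It models a router-on-a-stick with one subinterface per VLAN; the VLAN IDs, subnets and host addresses are constructed, and the ingress source-address check is an assumption on my part (it behaves like a strict unicast reverse-path check), not something the study guide describes.

```python
import ipaddress


def host_next_hop(host_cidr, gateway_ip, dst_ip):
    """A host sends directly to on-link destinations and to its default gateway for everything else."""
    host = ipaddress.ip_interface(host_cidr)
    if ipaddress.ip_address(dst_ip) in host.network:
        return dst_ip
    return gateway_ip


class RouterOnAStick:
    """One trunk-attached router interface with an 802.1Q subinterface per VLAN (constructed model)."""

    def __init__(self, subinterfaces):
        # subinterfaces: {vlan_id: "address/prefix"}, e.g. {10: "10.0.10.1/24"} (assumed configuration)
        self.subifs = {vlan: ipaddress.ip_interface(cidr) for vlan, cidr in subinterfaces.items()}

    def route(self, in_vlan, src_ip, dst_ip):
        """Route a packet that arrived on the trunk tagged with in_vlan.
        Returns (egress_vlan, next_hop_ip) on success, or (None, reason) when the packet is dropped."""
        if in_vlan not in self.subifs:
            return None, f"no subinterface for VLAN {in_vlan}"
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        # Assumed ingress check: the source must belong to the subnet of the VLAN it arrived on,
        # which stops a host in one VLAN from injecting packets with another VLAN's addresses.
        if src not in self.subifs[in_vlan].network:
            return None, f"source address not in the VLAN {in_vlan} subnet"
        if any(dst == iface.ip for iface in self.subifs.values()):
            return None, "destined to the router itself"
        # Longest-prefix match across the connected subnets selects the egress VLAN.
        candidates = [(iface.network.prefixlen, vlan)
                      for vlan, iface in self.subifs.items() if dst in iface.network]
        if not candidates:
            return None, "no route to destination"
        _, out_vlan = max(candidates)
        # The packet is re-tagged with out_vlan and sent back down the same trunk to the destination host.
        return out_vlan, str(dst)


if __name__ == "__main__":
    router = RouterOnAStick({10: "10.0.10.1/24", 20: "10.0.20.1/24"})
    # Constructed host 10.0.10.5 in VLAN 10 talks to 10.0.20.7 in VLAN 20.
    print(host_next_hop("10.0.10.5/24", "10.0.10.1", "10.0.20.7"))   # goes via the gateway
    print(router.route(10, "10.0.10.5", "10.0.20.7"))               # comes back out tagged VLAN 20
```

Because every inter-VLAN packet crosses this single Layer 3 hop, it is also the natural place to apply access control between VLANs; the `route` method returns a reason string for each drop so that a log line can be emitted for it.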

Ethernet and VLAN Security

  • Ethernet and VLAN security measures help protect the network from unauthorized access, attacks, and data breaches
  • Port security: Restricts the number of MAC addresses allowed on a switch port
    • Limits the risk of unauthorized devices connecting to the network
    • Can be configured to automatically shut down the port or send an alert when a violation occurs
  • DHCP snooping: Filters DHCP messages and builds a trusted database of DHCP bindings
    • Prevents rogue DHCP servers and unauthorized IP address assignments
  • Dynamic ARP Inspection (DAI): Validates ARP packets and discards those with invalid MAC-to-IP bindings
    • Protects against ARP spoofing and man-in-the-middle attacks
  • IP Source Guard (IPSG): Filters traffic based on the DHCP snooping database and prevents IP address spoofing
  • Private VLANs (PVLANs): Provide additional segmentation within a VLAN by creating isolated and community ports
    • Isolated ports can only communicate with promiscuous ports (usually connected to routers or servers)
    • Community ports can communicate with each other and with promiscuous ports
  • IEEE 802.1X: Provides port-based network access control and authentication
    • Devices must authenticate with a RADIUS server before being granted access to the network
  • Regularly updating switch firmware and implementing strong passwords for management interfaces are also essential for maintaining network security
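Port security, DHCP snooping, DAI and IP Source Guard fit together: snooping builds a binding table from DHCP ACKs seen on trusted ports, and DAI and IPSG then check ARP and IP traffic on untrusted ports against it. The following added Python example (not code from the study guide) models those four checks on one access switch and records each violation as an event a monitoring system could alert on; port numbers, VLANs, MACs and addresses in the usage section are constructed, and the one-MAC-per-port limit is an assumed configuration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: int


class AccessSwitchGuard:
    """Port security, DHCP snooping, DAI and IP Source Guard on one access switch (constructed model)."""

    def __init__(self, trusted_ports, max_macs_per_port=1):
        self.trusted = set(trusted_ports)      # uplinks toward the legitimate DHCP server
        self.max_macs = max_macs_per_port
        self.port_macs = {}                    # port -> MACs admitted (port security)
        self.pending = {}                      # (vlan, client mac) -> port that sent DISCOVER/REQUEST
        self.bindings = {}                     # (vlan, ip) -> Binding (the DHCP snooping database)
        self.events = []                       # violations, in the order they occurred

    def port_security(self, port, mac):
        """Admit a source MAC on a port unless the per-port limit is already exhausted."""
        seen = self.port_macs.setdefault(port, set())
        if mac in seen:
            return True
        if len(seen) >= self.max_macs:
            self.events.append(f"port-security violation port={port} mac={mac}")
            return False
        seen.add(mac)
        return True

    def dhcp_message(self, port, vlan, msg_type, client_mac, assigned_ip=None):
        """DHCP snooping: server replies are accepted only from trusted ports; ACKs create bindings
        for the port the client asked on."""
        if msg_type in ("OFFER", "ACK"):
            if port not in self.trusted:
                self.events.append(f"rogue DHCP {msg_type} dropped port={port}")
                return False
            if msg_type == "ACK":
                client_port = self.pending.pop((vlan, client_mac), None)
                if client_port is not None:
                    self.bindings[(vlan, assigned_ip)] = Binding(client_mac, assigned_ip, vlan, client_port)
            return True
        # DISCOVER / REQUEST from a client: remember which port asked.
        self.pending[(vlan, client_mac)] = port
        return True

    def _binding_matches(self, port, vlan, mac, ip):
        if port in self.trusted:
            return True
        binding = self.bindings.get((vlan, ip))
        return binding is not None and binding.mac == mac and binding.port == port

    def arp_inspect(self, port, vlan, sender_mac, sender_ip):
        """Dynamic ARP Inspection: the sender MAC/IP pair must match a snooping binding on this port."""
        ok = self._binding_matches(port, vlan, sender_mac, sender_ip)
        if not ok:
            self.events.append(f"DAI drop port={port} {sender_mac}->{sender_ip}")
        return ok

    def ip_source_guard(self, port, vlan, src_mac, src_ip):
        """IP Source Guard: an IP packet's source MAC and IP must match the binding learned on its port."""
        ok = self._binding_matches(port, vlan, src_mac, src_ip)
        if not ok:
            self.events.append(f"IPSG drop port={port} {src_mac}/{src_ip}")
        return ok


if __name__ == "__main__":
    guard = AccessSwitchGuard(trusted_ports={24})
    guard.dhcp_message(1, 10, "DISCOVER", "00:00:00:00:00:01")
    guard.dhcp_message(24, 10, "ACK", "00:00:00:00:00:01", "10.0.10.5")
    guard.dhcp_message(2, 10, "OFFER", "00:00:00:00:00:01", "10.0.10.99")   # rogue server on port 2
    guard.arp_inspect(2, 10, "00:00:00:00:00:02", "10.0.10.5")              # claims host 1's address
    print(guard.bindings)
    print(*guard.events, sep="\n")
```

The binding is keyed to the client's port, not the server's, which is what lets DAI and IPSG reject a host that claims an address handed out to a different port; the events list is the detection output you would forward to a SIEM.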