Layer 2 switches provide several ways to classify, separate, and manage network traffic. VLANs break a switch up into separate broadcast domains; STP prevents switching loops on redundant links; MAC address tables cache which port each address was heard on. These and the other ideas covered in this section all contribute to making Layer 2 as efficient as possible.
VLANs
To create a properly segmented network, the various departments and components are placed into separate virtual local area networks (VLANs). VLANs give you considerably more control over your internetwork, as well as better security and performance.
Some VLANs are organised by department. The quality assurance (QA) lab does not need the same level of access as the accounting department, and vice versa. The software and firmware testing lab has significantly different requirements from the other divisions.
You can take segmentation a step further by creating separate VLANs for network services. For example, the wireless network will have its own VLAN, and it may be divided into several VLANs to provide distinct private and public networks. Visitors get access to what they need, but not to critical internal systems. VLANs provide a huge advantage by separating resources from unauthorised access. Keep in mind, though, that a VLAN boundary only separates Layer 2 traffic: anything that must pass between VLANs goes through a router or firewall, and that is where the access policy between them is actually enforced.
Voice traffic (IP phones) almost always gets its own VLAN. The same can be said for the industrial control systems that run a factory’s or warehouse’s internal operations.
Previously, all users in a group had to be connected to the same physical set of switches. This meant relocating equipment, rewiring, and a significant amount of administrative work. VLANs allow devices in different locations, connected to different sets of switches, to behave as if they were all connected to the same switch.
A VLAN is created by slicing a single physical broadcast domain into several logical broadcast domains. In practice you configure the switch to associate every frame entering a particular port with a specified VLAN. It is frames that belong to a VLAN: not stations, not protocols, not applications.
Protocol-based VLANs, subnet-based VLANs, and MAC address–based VLANs were older methods of identifying VLAN membership that have fallen out of use, because the overhead of those dynamic approaches was too great. Port-based VLANs, in which the VLAN is statically set in the port’s configuration, are the membership method you will find in practice. (One dynamic variant survives: with 802.1X, a RADIUS server can push a VLAN to a port after the connected device authenticates, but it is still the port that carries the membership.)
Consider a single switch connected to a number of PCs. Up to this point a single switch has always been a single broadcast domain, but that is about to change. You decide to use this one switch to handle two VLANs. VLANs are denoted by the word “VLAN” followed by a number, such as VLAN 19 or VLAN 75. In this example, the ports on the single switch are each assigned to one of two VLANs: VLAN 1 or VLAN 2 (see Figure 1.3-5). Broadcast traffic is no longer sent out every port except the one the frame arrived on; a frame associated with VLAN 1 is flooded only out the other VLAN 1 ports. As a result, VLANs reduce broadcast traffic by shrinking the broadcast domain.
The simplest form of VLAN is a single switch divided into two VLANs. More sophisticated networks use multiple switches. Suppose you add a second switch to this basic network and want to keep VLAN 1 and VLAN 2 but use both switches. You can configure VLAN 1 and VLAN 2 on the new switch, but VLAN traffic must also be able to flow between the two switches without losing its VLAN identity. That is where trunking comes in.
Trunking (802.1Q)
Trunking is the technique of carrying traffic for multiple VLANs across a link between two or more switches. Consider two switches, each configured with a VLAN 1 and a VLAN 2.
All of the computers on VLAN 1 on one switch should be able to communicate with all of the machines on VLAN 1 on the other switch, and of course the same should hold for VLAN 2. To do this, configure a trunk port on each switch: a port configured to carry frames for every VLAN (or for every VLAN you explicitly allow on that trunk) between switches, rather than frames of a single VLAN. Pruning the allowed VLAN list on each trunk down to what the far side actually needs is a cheap way to limit how far a VLAN extends.
Tagging
What we have covered so far about VLANs raises a question: how does a frame from a workstation in VLAN 100 get to a target workstation in the same VLAN in a busy network with numerous switches and several VLANs? What if the workstations are separated by multiple switches? Tagging is the essential technology that makes this work.
In the early days of VLANs, Cisco used a proprietary form of tagging called Inter-Switch Link (ISL). Every Ethernet switch now uses the IEEE 802.1Q tagging standard, which lets you link switches from different manufacturers.
Workstations connect to access ports: ordinary ports configured as members of one VLAN. Frames on an access port carry no tag. The switch associates each incoming frame with the port’s VLAN, adds an 802.1Q tag only if the frame has to leave over a trunk, and strips the tag before the frame exits another access port. Trunk ports are configured for the opposite purpose: they connect to trunk ports on other switches and carry tagged frames for many VLANs, whereas access ports connect to end devices.
The switch associates the frame with the access port’s VLAN the moment it arrives.
If the two workstations are connected to the same switch, the frames go straight to the target workstation’s access port; any tag is removed and traffic flows normally. If the destination workstation is connected to a different switch, the frames are sent out the first switch’s trunk port. What happens next depends on how the trunk port is configured.
Every trunk has one VLAN designated as its native VLAN. If the native VLAN differs from the VLAN assigned to the frame at the access port, the switch sends the frame out the trunk with its tag in place. If the frame’s VLAN is the trunk’s native VLAN, the switch sends it out the trunk untagged. On the next switch, the absence of a tag marks the frame as belonging to the native VLAN, and it is forwarded only out the appropriate port (unicast) or ports (broadcast or unknown unicast) in that VLAN.
Native VLANs exist for backward compatibility with older or simpler devices that do not understand tags (which should be rare on a LAN today), but they come with a catch. The native VLAN exposes the network to the double-tagging attack: an attacker on the native VLAN crafts a frame carrying two 802.1Q tags, the first switch strips the outer one when it sends the frame untagged over the native trunk, and the second switch honours the inner tag and delivers the frame into a VLAN the attacker should not be able to reach. The attack is one-way (the attacker can send into the target VLAN but gets no replies), which is still enough for injection and denial-of-service tricks. As a result, in modern networks the native VLAN on every trunk is set to an unused VLAN, and the trunk is configured to tag native VLAN traffic as well.
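To make the native-VLAN hazard concrete, here is an added example (not from the book) that models 802.1Q tag handling between two switches in Python. The assumptions are labelled in the code: frames are plain Ethernet II with 802.1Q tags inserted after the source MAC; the access-port behaviour that accepts a frame already tagged with the port’s own VLAN is the permissive behaviour the attack relies on; the MAC addresses and VLAN numbers are constructed for the example. The three scenarios show the frame hopping into VLAN 20 when the attacker sits on an untagged native VLAN, and staying in VLAN 1 once the trunk tags its native VLAN or the native VLAN is moved to an unused number.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame (FCS omitted): dst | src | EtherType | payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def push_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag (TPID + TCI) between the source MAC and the EtherType.
    Inserting at offset 12 always makes the new tag the outermost one."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def outer_vid(frame: bytes):
    """VLAN ID of the outermost tag, or None if the frame is untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None


def pop_tag(frame: bytes) -> bytes:
    """Remove the outermost 802.1Q tag."""
    assert outer_vid(frame) is not None, "frame is untagged"
    return frame[:12] + frame[16:]


def access_ingress(frame: bytes, port_vlan: int):
    """Classify a frame arriving on an access port -> (vlan, frame) or (None, None).

    Untagged frames get the port's VLAN. A frame already tagged with the port's
    own VLAN is accepted and the tag stripped: this is the permissive behaviour
    (an assumption of this model) that double tagging relies on. Any other tag
    is dropped."""
    vid = outer_vid(frame)
    if vid is None:
        return port_vlan, frame
    if vid == port_vlan:
        return port_vlan, pop_tag(frame)
    return None, None


def trunk_egress(vlan: int, frame: bytes, native_vlan: int, tag_native: bool) -> bytes:
    """What goes on the wire out of a trunk: native-VLAN frames leave untagged
    unless the trunk is configured to tag its native VLAN as well."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame: bytes, native_vlan: int):
    """Classify a frame arriving on a trunk: untagged -> native VLAN, otherwise
    the VLAN named by the outer tag, which is removed."""
    vid = outer_vid(frame)
    if vid is None:
        return native_vlan, frame
    return vid, pop_tag(frame)


def vlan_reached(frame: bytes, attacker_port_vlan: int, native_vlan: int, tag_native: bool):
    """Trace a frame from an access port on switch 1, over the trunk, into
    switch 2, and report which VLAN switch 2 assigns it to (None = dropped)."""
    vlan, inner = access_ingress(frame, attacker_port_vlan)
    if vlan is None:
        return None
    on_wire = trunk_egress(vlan, inner, native_vlan, tag_native)
    return trunk_ingress(on_wire, native_vlan)[0]


# Constructed sample: an attacker on VLAN 1 wants to inject into VLAN 20.
ATTACKER_MAC = bytes.fromhex("020000000001")
VICTIM_MAC = bytes.fromhex("020000000020")
base = build_frame(VICTIM_MAC, ATTACKER_MAC, 0x0800, b"\x00" * 46)
double_tagged = push_tag(push_tag(base, 20), 1)   # outer VID 1, inner VID 20


def run_scenarios() -> dict:
    """Where the double-tagged frame ends up under three trunk configurations."""
    return {
        "native 1, sent untagged": vlan_reached(double_tagged, 1, 1, False),   # 20
        "native 1, native tagged": vlan_reached(double_tagged, 1, 1, True),    # 1
        "native 999 (unused)":     vlan_reached(double_tagged, 1, 999, False), # 1
    }
```

The attack is one-way: replies from VLAN 20 leave the second switch tagged 20 and never reach a VLAN 1 port, so the attacker sees nothing come back. Tagging the native VLAN on trunks and choosing an unused native VLAN are the two fixes described above; a third, on switches that support it, is to refuse tagged frames on access ports entirely, which is the strict behaviour `access_ingress` would need in order to drop the crafted frame at the first hop.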
Port Mirroring
Many managed switches can copy the traffic of any or all of the switch’s physical ports to a single physical port. This is called port mirroring (Cisco calls it SPAN). It is as though you had created a completely customisable promiscuous port. Port mirroring is very handy whenever an administrator wants to analyse packets arriving at or leaving particular machines. One practical caveat: a mirror port that receives copies of several busy ports can be oversubscribed, and the switch silently drops what does not fit, so a capture taken this way is not guaranteed to be complete.
There are two types of port mirroring, local and remote. Local port mirroring copies traffic from one or more ports on a single switch to a chosen port on that same switch; to see the traffic, you plug your analyser directly into that port on the switch being monitored. Remote port mirroring carries the copied traffic to a port on another switch, typically over a dedicated VLAN or an encapsulated session, so you can capture without connecting to the monitored switch itself.
Spanning Tree/Switching Loops
Because switches can be connected in any arrangement, you can build redundant links into a network. Without suitable controls in place, some of those redundant links would create switching loops.
Switching Loops
Suppose a PC sends an unknown unicast into Switch A, which floods it to both Switch B and Switch C. If neither of those switches knows the destination MAC address, Switch B forwards its copy to Switch C and Switch C forwards its copy to Switch B. Because the destination is still unknown, both Switch B and Switch C send their copies back to Switch A, and the process repeats (and repeats, and repeats…) until the links and switch CPUs are saturated in a broadcast storm. Ethernet frames carry no hop count, so nothing ever expires them.
The Spanning Tree Protocol (STP, standardised as IEEE 802.1D) was created to address the problem of switching loops. Spanning tree is enabled by default on managed switches. STP-enabled switches elect a root bridge, compute a loop-free tree of links, and put any redundant port into a blocking state, so that there is exactly one active path between any two switches; when a link fails, a blocked port is brought back into service.
To talk to one another, track topology changes, and prevent loops, STP-enabled switches exchange a frame called a BPDU (bridge protocol data unit). A practical caveat: any device that can send BPDUs into an access port can take part in the election and claim the root role, rerouting traffic through itself, so access ports facing end devices should have BPDU guard (or the vendor’s equivalent) enabled.
Power over Ethernet
Wireless access points need electricity, yet they are often installed in awkward places (such as ceilings or high on walls) where power is hard to come by. Not to worry: Power over Ethernet (PoE), an IEEE standard (802.3af), allows WAPs to draw their power from the same Ethernet cables that carry their data. The switch that connects the WAPs must support PoE, but if both the WAP and the switch support it, you need do nothing more than plug in the Ethernet cables. PoE is plug and play. WAPs and switches that support PoE cost more, as you would expect, but the simplicity of PoE for wireless networks makes it a popular choice.
The first PoE standard was released in 2003 and was well received by the industry. Its success exposed a major limitation: the original 802.3af standard allowed a maximum of 15.4 watts of DC power at the switch port, which was insufficient for many devices. In 2009 the standard was extended to deliver up to 25.5 watts to the powered device. This amendment to 802.3 is called 802.3at, PoE plus, or PoE+.
DMZ and Firewall Placement
A single firewall with every client on its interior side is suitable for small networks, or when you need tight isolation between all the clients behind the firewall. But what if we have servers, such as a Web server, that need less restricted access from the Internet? That is where the DMZ and the internal/external firewall ideas come in.
A DMZ (demilitarised zone) is a network region carved out by one or more firewalls to provide a specific location (a zone) on the network for any servers that need public Internet access.
It is essential to remember that, unlike with small SOHO gateway routers, all traffic intended for the DMZ in a non-SOHO network is still inspected and filtered by the firewall. A server being in the DMZ does not mean it should go unprotected by a firewall; it means the firewall rules for it differ from those for internal hosts.
The most basic kind of DMZ is a single firewall system with separate interfaces for the Internet, the public servers, and the internal network. The public servers sit in a different security zone, with a different network ID, from the internal network.
The DMZ separates our internal network from the public servers. Of course, even with a well-configured firewall in front of the DMZ servers, the public nature of the DMZ means they are under constant attack from the Internet. If the worst happens and any of the computers in the DMZ are hacked (and I’ve seen how quickly this can happen), the DMZ’s isolation prevents the attackers from gaining access to your internal network. That holds only if the rules governing traffic from the DMZ into the internal network are as strict as those from the Internet; a compromised DMZ host with open paths inward is a stepping stone, not a dead end.
The most typical DMZ architecture is a perimeter network between two firewalls. The two firewalls carve out regions with different degrees of trust. The external firewall stands between the perimeter network and the Internet and absorbs the brunt of Internet attacks; because all of the public-facing servers are behind it, it still has to let plenty of traffic through. The internal firewall stands between the perimeter network and the internal network and is configured far more restrictively, permitting only the specific connections the DMZ servers need into the inside.
A bastion host is a computer that is fully exposed to the Internet, either outside any firewall or in a DMZ where Internet traffic is not filtered. Because the term describes network position rather than function, any exposed computer may be called a bastion host; in practice such a host should be hardened to run only the service it exposes.
MAC Address Table
When you first power on a switch, it behaves like a hub, sending every incoming frame out all the other ports. As it forwards those frames, however, the switch records each frame’s source MAC address and the port it arrived on, and quickly builds a database of the MAC addresses of every connected machine. This database is the MAC address table (also called the CAM table).
When a computer sends a frame into the switch destined for another computer on the same or a different switch, the switch acts like a telephone operator, setting up an on-the-fly connection between the two machines. If the switch has a mapping of the destination MAC address to a port, it transmits the frame only out that port. The switch has that mapping whenever the destination was previously the source of some frame, because it learned the address and linked it with a port at that time. If no entry matches the destination MAC address (an unknown unicast), the switch floods the frame out every port except the one it arrived on.
A local switch also learns the MAC addresses of devices on other switches and associates them with the port that links the local switch to the other switch, so many addresses can map to a single uplink port. Entries age out after a period without traffic, and the table has a finite size: an attacker who floods a switch with frames from thousands of forged source addresses can fill it, at which point the switch floods all traffic hub-style and everything becomes sniffable. Port security limits on the number of addresses learned per port are the usual defence.
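As an added example (not the book’s code) that ties together the single-switch VLAN flooding described earlier, the switching-loop walk-through, and the MAC address table: a small Python model of a switch that learns source addresses and floods unknown destinations only within the frame’s VLAN, plus a three-switch triangle that shows what happens to an unknown unicast with and without one port held in STP’s blocking state. The topologies, port numbers and MAC addresses are constructed for the example.

```python
from collections import deque


class Switch:
    """Minimal Layer 2 switch: every port belongs to one VLAN, the MAC address
    table is learned from source addresses, and flooding stays inside the VLAN.
    Ports listed in `blocked` model STP's blocking state: nothing in or out."""

    def __init__(self, name, port_vlans):
        self.name = name
        self.port_vlans = dict(port_vlans)   # port number -> VLAN id
        self.mac_table = {}                  # (vlan, mac) -> port it was heard on
        self.blocked = set()

    def forward(self, in_port, src, dst):
        """Learn `src` on `in_port`, then return the list of egress ports."""
        if in_port in self.blocked:
            return []
        vlan = self.port_vlans[in_port]
        self.mac_table[(vlan, src)] = in_port            # learning
        known = self.mac_table.get((vlan, dst))
        if known is not None and known != in_port:
            return [known]                               # known unicast: one port
        # unknown unicast or broadcast: flood every other port in the same VLAN
        return [p for p, v in self.port_vlans.items()
                if v == vlan and p != in_port and p not in self.blocked]


def single_switch_demo():
    """One switch, ports 1-2 in VLAN 1 and ports 3-4 in VLAN 2 (constructed)."""
    sw = Switch("A", {1: 1, 2: 1, 3: 2, 4: 2})
    first = sw.forward(1, "aa", "bb")   # bb unknown: flooded within VLAN 1 only -> [2]
    reply = sw.forward(2, "bb", "aa")   # aa was learned on port 1 -> [1]
    cross = sw.forward(3, "cc", "aa")   # VLAN 2 never sees VLAN 1's entry -> [4]
    return first, reply, cross


# Constructed triangle: A:2-B:1, A:3-C:1, B:2-C:2; A:1, B:3 and C:3 face hosts.
LINKS = {("A", 2): ("B", 1), ("A", 3): ("C", 1), ("B", 2): ("C", 2)}
LINKS.update({v: k for k, v in list(LINKS.items())})   # links run both ways


def triangle(block_port=None):
    """Three single-VLAN switches; optionally hold one port in blocking state."""
    switches = {n: Switch(n, {1: 1, 2: 1, 3: 1}) for n in "ABC"}
    if block_port:
        switches[block_port[0]].blocked.add(block_port[1])
    return switches


def flood(switches, start, src, dst, max_copies=200):
    """Inject an unknown unicast at `start` = (switch, port) and count how many
    copies the switches forward. Returns (copies, still_looping)."""
    queue, copies = deque([start]), 0
    while queue and copies < max_copies:
        name, port = queue.popleft()
        for out in switches[name].forward(port, src, dst):
            copies += 1
            if (name, out) in LINKS:
                queue.append(LINKS[(name, out)])   # copy arrives at the peer switch
    return copies, bool(queue)


def loop_demo():
    """Same frame, same triangle: without STP the copies never stop; with one
    port blocked the frame reaches every host exactly once and the storm ends."""
    no_stp = flood(triangle(), ("A", 1), "aa", "ff")
    with_stp = flood(triangle(block_port=("C", 2)), ("A", 1), "aa", "ff")
    return no_stp, with_stp
```

`single_switch_demo()` returns `([2], [1], [4])`, and `loop_demo()` returns `((200, True), (5, False))`: the unblocked triangle hits the copy cap with frames still in flight, while blocking C’s port 2 lets a single unknown unicast die out after five forwards. In the looping case the entry for "aa" on each switch keeps changing ports as copies arrive from different directions; MAC table flapping like that is the classic symptom of a loop. The model also shows why a full table matters: `forward` floods whenever the lookup misses, which is exactly what a CAM-overflow attack forces by exhausting the table with bogus source addresses.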
ARP Table
Before sending any data, a computer compares the destination IP address to its own IP address using the subnet mask. If the destination IP address matches the computer’s own address in every bit position where the subnet mask has a 1, the sender knows the destination is local: the network IDs are the same.
If even one bit of the destination IP address differs in a position where the subnet mask has a 1, the sender knows it is making a long-distance call.
The network IDs differ.
Let’s assume the IP address of Computer A is 192.168.5.23. In binary that is 11000000.10101000.00000101.00010111.
Let’s say Computer A wants to send a packet to Computer B. Computer A’s subnet mask is 255.255.255.0, and Computer B’s IP address is 192.168.5.45, which in binary is 11000000.10101000.00000101.00101101.
The subnet mask is used to compare Computer A’s IP address to Computer B’s IP address. A vertical bar in the mask marks where the ones end and the zeroes begin:
Computer A:  11000000.10101000.00000101.00010111
Computer B:  11000000.10101000.00000101.00101101
Subnet mask: 11111111.11111111.11111111|00000000
The network IDs of Computer A and Computer B are identical! This is a local call. With that settled, Computer A can issue an ARP request to discover Computer B’s MAC address. The Address Resolution Protocol (ARP) is what nodes use to find a destination MAC address given the destination IP address.
What happens, though, when Computer A wants to send a packet to Computer C on another network? First, Computer A uses the subnet mask to compare Computer C’s IP address to its own. It sees that the addresses differ somewhere in the positions where the subnet mask has 1s, meaning the network IDs do not match: this is a long-distance call.
Comparing addresses once more
When a device wants to send a packet to an IP address on another LAN, it sends it to the default gateway: the router interface responsible for forwarding packets from this network to other networks and for delivering packets arriving from other networks.
In this case, Computer A still sends an ARP request, but for the default gateway’s MAC address. Once it has that, Computer A sends frames whose destination MAC address (in the frame header) is the default gateway’s, while the destination IP address (in the packet header) is that of the real, distant destination.
To cut down on the traffic ARP generates, particularly ARP requests, which are broadcasts, each device keeps a local ARP table (the ARP cache) of recently resolved IP-to-MAC bindings. Before sending an ARP request, the source checks its cache: if an entry exists, no request is sent; if not, a request goes out. How long entries stay in the cache depends on the operating system.
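The whole decision described in this section, as an added Python example (not from the book): convert addresses to binary, AND them with the mask to get the network ID, pick either the destination or the default gateway as the next hop, and resolve the next hop’s MAC through an ARP cache that only sends a request on a miss. The MAC addresses, the gateway address 192.168.5.1 and the remote address 10.20.30.40 standing in for Computer C are constructed for the example; the `wire` dictionary stands in for the ARP replies the LAN would return.

```python
def ip_to_int(dotted: str) -> int:
    """'192.168.5.23' -> 32-bit integer, validating each octet."""
    octets = [int(o) for o in dotted.split(".")]
    assert len(octets) == 4 and all(0 <= o <= 255 for o in octets), dotted
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value: int) -> str:
    """32-bit integer -> dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(dotted: str) -> str:
    """Dotted-binary form, e.g. 192.168.5.23 -> 11000000.10101000.00010111 style."""
    return ".".join(format(int(o), "08b") for o in dotted.split("."))


def network_id(ip: str, mask: str) -> str:
    """Bitwise AND keeps exactly the address bits that sit under the mask's 1s."""
    return int_to_ip(ip_to_int(ip) & ip_to_int(mask))


def is_local(src: str, dst: str, mask: str) -> bool:
    """Same network ID -> local call; any differing bit under the 1s -> remote."""
    return network_id(src, mask) == network_id(dst, mask)


def next_hop(src: str, dst: str, mask: str, gateway: str) -> str:
    """The IP whose MAC goes in the frame header: the destination itself when it
    is on the same network, otherwise the default gateway."""
    return dst if is_local(src, dst, mask) else gateway


class Host:
    """A sender with an ARP cache. `wire` stands in for the LAN: the IP -> MAC
    answers an ARP request would receive (constructed sample data)."""

    def __init__(self, ip, mask, gateway, wire):
        self.ip, self.mask, self.gateway, self.wire = ip, mask, gateway, wire
        self.arp_cache = {}            # IP -> MAC, filled on demand
        self.arp_requests_sent = 0     # counts the broadcasts we had to send

    def resolve(self, ip: str) -> str:
        """Check the cache first; broadcast an ARP request only on a miss."""
        if ip not in self.arp_cache:
            self.arp_requests_sent += 1
            self.arp_cache[ip] = self.wire[ip]
        return self.arp_cache[ip]

    def frame_for(self, dst_ip: str):
        """(destination MAC for the frame header, destination IP for the packet)."""
        hop = next_hop(self.ip, dst_ip, self.mask, self.gateway)
        return self.resolve(hop), dst_ip


# Constructed LAN: Computer B and the default gateway answer ARP requests.
WIRE = {"192.168.5.45": "00:11:22:33:44:45", "192.168.5.1": "00:11:22:33:44:01"}
COMPUTER_A = Host("192.168.5.23", "255.255.255.0", "192.168.5.1", WIRE)
```

Calling `COMPUTER_A.frame_for("192.168.5.45")` resolves Computer B directly, while `COMPUTER_A.frame_for("10.20.30.40")` puts the gateway’s MAC in the frame and the remote address in the packet, and a second remote destination reuses the cached gateway entry without another broadcast. One security caveat the model makes visible: nothing in ARP authenticates a reply, so the cache stores whatever answer arrives. ARP spoofing poisons exactly this table, typically for the gateway entry, to route a host’s traffic through an attacker, which is why switches offer Dynamic ARP Inspection and why some sites pin the gateway with a static entry.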