Chapter 1 - Packet Forwarding - Day 2
Ports can be manually configured as access ports with the command switchport mode access.
switchport access vlan (vlan-id) associates a specific VLAN with that port
e.g.:
SW1# config t
SW1(config)# vlan 99
SW1(config-vlan)# name Guests
SW1(config-vlan)# interface gi1/0/15
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 99
Trunk ports can carry multiple VLANs.
Trunk ports are used when you need to connect multiple VLANs to another switch, a router or a firewall using one port. (Think router on a stick)
Trunking uses the 802.1Q tag to encapsulate the frame and assign it to the correct VLAN
To setup a trunking port use command switchport mode trunk
Use command show interfaces trunk to provide info for troubleshooting connectivity issues on a switch
The native VLAN is used for any traffic sent or received on a trunk port without an 802.1Q tag
Default native vlan is VLAN 1.
Native VLANs should match on both ends of a trunk, or VLAN traffic has the potential to cross into another VLAN
Native VLAN is a port-specific config and is changed using command switchport trunk native vlan (vlan-id)
All switch control plane traffic is advertised using VLAN 1. It is recommended for security purposes to change the native VLAN to something other than VLAN 1. This should be a VLAN that has no hosts attached to it and is not used elsewhere within the network
VLANs can be restricted from trunk ports as a method of traffic engineering. However, this can cause problems if traffic is expected between 2 host ports via a trunk link.
Using command switchport trunk allowed vlan (vlan-ids) limits the VLANS that are allowed to traverse that particular trunk port.
The allowed list is modified with switchport trunk allowed vlan (vlan-ids | all | none | add vlan-ids | remove vlan-ids | except vlan-ids)
When scripting config changes it's best to use add or remove, as they are more prescriptive and do not overwrite the existing list.
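The checks above (native VLAN left at 1, native VLAN mismatch between the two ends, every VLAN allowed on the trunk) are easy to script against the output of show interfaces trunk. The following is an added example for these notes, not code from the notes or from Cisco: the two show outputs are constructed to look like IOS output, the port names and VLAN numbers are made up, and the remediation function only prints the IOS commands discussed above.

```python
"""Trunk-port audit against 'show interfaces trunk' output.

Added example for these notes, not code from the notes or from Cisco. The
sample outputs below are constructed to look like IOS output; nothing here
was captured from a real switch."""

ALL_VLANS = set(range(1, 4095))

# Constructed sample: SW1 side of two trunks (not real device output)
SW1_SHOW_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/1     on               802.1q         trunking      1
Gi1/0/2     on               802.1q         trunking      999

Port        Vlans allowed on trunk
Gi1/0/1     1-4094
Gi1/0/2     10,20,30-35
"""

# Constructed sample: SW2 side; note Gi1/0/2 native VLAN does not match SW1
SW2_SHOW_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Gi1/0/1     on               802.1q         trunking      1
Gi1/0/2     on               802.1q         trunking      99

Port        Vlans allowed on trunk
Gi1/0/1     1-4094
Gi1/0/2     10,20,30-35
"""


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20,30-35' into a set of ids."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def compress_vlan_list(vlans):
    """Inverse of expand_vlan_list: {10,20,30..35} -> '10,20,30-35'."""
    ids = sorted(vlans)
    ranges, start = [], None
    for i, v in enumerate(ids):
        if start is None:
            start = v
        if i + 1 == len(ids) or ids[i + 1] != v + 1:
            ranges.append(str(start) if start == v else f"{start}-{v}")
            start = None
    return ",".join(ranges)


def parse_show_trunk(text):
    """Return {port: {'native': int, 'allowed': set}} from 'show interfaces trunk'."""
    trunks, section = {}, None
    for line in text.splitlines():
        if not line.strip():
            section = None  # a blank line ends the current table
        elif line.startswith("Port"):
            # every table starts with a 'Port ...' header; we only use two of them
            section = "native" if "Native" in line else "allowed" if "allowed" in line else None
        elif section == "native":
            fields = line.split()
            trunks.setdefault(fields[0], {})["native"] = int(fields[-1])
        elif section == "allowed":
            port, spec = line.split()
            trunks.setdefault(port, {})["allowed"] = expand_vlan_list(spec)
    return trunks


def audit_trunk_pair(local, remote, links):
    """Check each (local_port, remote_port) trunk pair; return [(local_port, finding)]."""
    findings = []
    for lp, rp in links:
        l, r = local[lp], remote[rp]
        if l["native"] == 1:
            findings.append((lp, "native VLAN is 1, the control-plane VLAN; move it to an unused VLAN"))
        if l["native"] != r["native"]:
            findings.append((lp, f"native VLAN mismatch ({l['native']} vs {r['native']}); untagged frames land in different VLANs"))
        if l["allowed"] == ALL_VLANS:
            findings.append((lp, "all VLANs allowed; prune the list to the VLANs this link must carry"))
    return findings


def remediation(port, native_vlan, allowed):
    """IOS commands that set the native VLAN and a full allowed list on a trunk.
    For incremental edits to a live trunk prefer 'allowed vlan add/remove' so a
    typo cannot replace the whole list; this writes the complete list once."""
    return [
        f"interface {port}",
        " switchport mode trunk",
        f" switchport trunk native vlan {native_vlan}",
        f" switchport trunk allowed vlan {compress_vlan_list(allowed)}",
    ]


if __name__ == "__main__":
    sw1, sw2 = parse_show_trunk(SW1_SHOW_TRUNK), parse_show_trunk(SW2_SHOW_TRUNK)
    for port, msg in audit_trunk_pair(sw1, sw2, [("Gi1/0/1", "Gi1/0/1"), ("Gi1/0/2", "Gi1/0/2")]):
        print(f"{port}: {msg}")
    print("\n".join(remediation("Gi1/0/1", 999, {10, 20, 30, 31, 32, 33, 34, 35})))
```

Run as a script it reports three findings: Gi1/0/1 still uses native VLAN 1 and allows 1-4094, and Gi1/0/2 has native VLAN 999 on one end and 99 on the other. The parser keys on the "Port ..." header of each table because real output contains further tables (VLANs active in the management domain, VLANs in forwarding state) that this example simply skips.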
MAC address table is responsible for identifying the switch ports and VLANs with which devices are associated.
Table is built by examining source MAC address for all traffic received. This info is kept to shrink collision domains by reducing unknown unicast flooding.
To see the MAC address table use command show mac address-table
To narrow the output use show mac address-table (address (mac-address) | dynamic | vlan (vlan-id))
Troubleshooting network traffic problems from a L2 perspective involves locating the source and destination device as well as the port.
Some older technologies require a static MAC address entry in the table to prevent unknown unicast flooding.
The command clear mac address-table dynamic flushes the dynamically learned entries for the entire switch. Use the optional keywords (address, interface, vlan) to flush specific entries.
MAC table resides in the CAM (Content addressable memory)
CAM table provides a binary result for any query of 0 for true or 1 for false.
CAM is used with other functions to analyze or forward packets very quickly. Switches are built with large CAMs to accommodate all the L2 hosts for which they maintain forwarding tables.
To view switchport statuses use commands show interfaces (interface id) switchport or show interfaces switchport
To view a specific interface use show interface status
2 main methodologies for L3 forwarding are:
Forwarding traffic to devices on the same subnet
Forwarding traffic to devices on different subnet
ARP (Address Resolution Protocol) provides a method of mapping L3 IP addresses to L2 MAC addresses by storing the IP addresses of hosts together with their MAC addresses.
ARP is used to add the L2 headers to the packet before sending to L2 for processing and forwarding.
ARP table contains entries for remote devices that the host has communicated with recently on the same IP network segment.
ARP Table does not contain entries for devices on a remote network but does contain the entries for the next hop to reach the remote network.
If an entry becomes stale it is removed from the local ARP table
An ARP request is broadcast to the entire L2 switching segment for unknown entries. All hosts in the L2 segment get the request, but only the device with the matching IP address responds to it.
The response is unicast and includes the MAC and IP address of the responder. Once the ARP reply is received, the local ARP table is updated, the appropriate L2 headers are added, and the packet is sent to L2 for processing and forwarding.
The ARP table is viewed with show ip arp
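The L2 troubleshooting workflow from the MAC address table notes above (find the source and destination device and the port) and the ARP notes (same subnet vs. next hop, ARP table joined to the MAC table) can be demonstrated by correlating show ip arp with show mac address-table. This is an added example for these notes, not code from the notes or from Cisco: both show outputs are constructed to look like IOS output, the IP and MAC addresses and port names are made up, and the arp_target function models the host's forwarding decision rather than any real stack.

```python
"""Locate a host's switch port by joining 'show ip arp' with 'show mac address-table'.

Added example for these notes, not code from the notes or from Cisco. All
sample outputs below are constructed to look like IOS output; no real
devices, addresses or ports are represented."""
import ipaddress
import re

# Constructed sample: 'show ip arp' on the L3 device that owns VLAN 10 (not real output)
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.1              -   0011.2233.4455  ARPA   Vlan10
Internet  10.10.10.25            12   aaaa.bbbb.cccc  ARPA   Vlan10
Internet  10.10.10.77             3   dddd.eeee.ffff  ARPA   Vlan10
"""

# Constructed sample: 'show mac address-table' on the access switch (not real output)
SHOW_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    aaaa.bbbb.cccc    DYNAMIC     Gi1/0/5
  10    dddd.eeee.ffff    DYNAMIC     Gi1/0/23
  10    0011.2233.4455    DYNAMIC     Gi1/0/23
  20    1234.5678.9abc    STATIC      Gi1/0/7
"""

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I)


def parse_show_ip_arp(text):
    """Return {ip: {'mac', 'age', 'interface'}}; age is None for the device's own address ('-')."""
    arp = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 6 and f[0] == "Internet":
            arp[f[1]] = {"mac": f[3], "age": None if f[2] == "-" else int(f[2]), "interface": f[5]}
    return arp


def parse_show_mac_table(text):
    """Return {mac: {'vlan', 'type', 'port'}}; header and rule lines fail the MAC regex."""
    table = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 4 and MAC_RE.match(f[1]):
            table[f[1]] = {"vlan": int(f[0]), "type": f[2], "port": f[3]}
    return table


def locate_ip(ip, arp, mac_table):
    """Map an IP to (mac, vlan, port). None means one of the two lookups failed:
    no ARP entry (the L3 device would have to broadcast an ARP request) or no MAC
    entry (the switch would flood the frame as unknown unicast)."""
    entry = arp.get(ip)
    if entry is None:
        return None
    m = mac_table.get(entry["mac"])
    if m is None:
        return None
    return entry["mac"], m["vlan"], m["port"]


def macs_per_port(mac_table):
    """Group MACs by port; several MACs on one port usually means an uplink to
    another switch, so the trace continues on that neighbour."""
    ports = {}
    for mac, m in mac_table.items():
        ports.setdefault(m["port"], []).append(mac)
    return ports


def arp_target(src_ip, prefix_len, gateway, dst_ip):
    """The host's L3 forwarding decision: ARP for the destination itself when it is
    on the local subnet, otherwise ARP for the next hop (default gateway)."""
    net = ipaddress.ip_interface(f"{src_ip}/{prefix_len}").network
    return dst_ip if ipaddress.ip_address(dst_ip) in net else gateway


if __name__ == "__main__":
    arp = parse_show_ip_arp(SHOW_IP_ARP)
    macs = parse_show_mac_table(SHOW_MAC_TABLE)
    print("10.10.10.25 is at", locate_ip("10.10.10.25", arp, macs))
    print("10.10.10.77 is at", locate_ip("10.10.10.77", arp, macs))
    print("ports with several MACs:", {p: m for p, m in macs_per_port(macs).items() if len(m) > 1})
    print("10.10.10.25 -> 192.168.1.5 ARPs for", arp_target("10.10.10.25", 24, "10.10.10.1", "192.168.1.5"))
```

With the constructed data, 10.10.10.25 resolves to aaaa.bbbb.cccc on Gi1/0/5 in VLAN 10, while 10.10.10.77 lands on Gi1/0/23 together with the gateway's MAC, which marks that port as the uplink rather than the host's own port. The last line shows the point of the same-subnet check: a packet for 192.168.1.5 never triggers an ARP for 192.168.1.5, only for the gateway 10.10.10.1.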