1.4 Bridges and Switches

These functions can be accessed via the switch's management interface. A switch may support the following interfaces:

Console port Management port SNMP

VLAN Trunking Protocol On a large network, one switch will not provide enough ports for all the hosts that need to be connected to the network.

This means that multiple switches must be interconnected to build the network fabric. Multiple switches may also be deployed to provide redundant links. The interconnections between switches are referred to as trunks.

A bridge works most efficiently if the amount of intersegment traffic (traffic between devices on different segments)

is kept low.

SNMP

this enables the switch to be administered using network management software.

Blocking doesn't forward frames, doesn't learn MACS

Drops all frmes other than BPDUs.

A bridge can be used to divide an overloaded network into separate segments. Each of the segments experiences far lower traffic loads since the bridge only passes signals from one segment to another if appropriate.

Intrasegment traffic (traffic between devices on the same segment) remains within this segment and cannot affect the other segments.

Segments on either side of a bridge are in separate collision domains.

Segments on either side of a bridge are in the same broadcast domain (packets that are destined for all hosts on the network).

Disabled doesn't forward frames, doesn't learn MACs

The port has been disabled by the administrator.

STP is now more likely to be implemented as 802.1D-2004 / 802.1w or Rapid STP (RSTP).

The rapid version creates outages of a few seconds or less. In RSTP, the blocking, listening, and disabled states are aggregated into a discarding state.

Different states that a port can be in:

Blocking Listening Learning Forwarding Disabled

VLANs are defined by the IEEE 801.Q standard.

Cisco's proprietary Inter-Switch Link (ISL) was once also widely used.

Virtual LAN simply means that through the use of switching technologies, different groups of computers on the same cabling can appear to be in different LANs. creating two of more LANs.

Conversely, hosts on different local networks but connected via a WAN can be configured to be on the VLAN.

Diagnostics Most managed switches will provide diagnostic information through the management interface.

Depending on the model of switch, this may be as simple as numbers of packets into and out of each port, along with numbers of errors, or may include information such as graphs of throughput against time, or a breakdown of error statistics by type.

Switches Ethernet networks implemented with a bus or hubs rely on a contention-based technology for accessing the network.

Devices can only transmit on the network when it is free. These opportunities become less frequent as more devices are added to the network and the probability of collision increases.

Some switch models allow you to specify a maximum number of permitted addresses and automatically learn a set number of valid MAC addresses.

For example, if port security is enabled with a maximum of two MAC addresses, the switch will record the first two MACs to connect to that port but then drop any traffic from machines with different network adapter IDs that try to connect.

Power can either be supplied over pair 1/2 and 3/6 (referred to as Mode A or "phantom power" as these are the ones also used for data in 10/100BASE) or over 4/5 and 7/8 (Mode B).

Gigabit Ethernet only uses the former method.

Hubs Hubs are the central point of connection for Ethernet segments configured in a star topology. Hubs act like a repeater so that every segment receives signals sent from any other segment.

Hubs are also known as multiport repeaters (or concentrators). They work at the Physical layer of the OSI model. All ports on a hub are in the same collision domain.

Pruning refers to removing broadcasts related to a particular VLANs from a trunk to preserve bandwidth.

If a particular VLAN is not associated with a given trunk link, pruning it from the trunk reduces the amount of broadcast traffic passing over the link.

When a device is connected on a PoE switch, the switch goes through a detection phase to determine whether the device is PoE-enabled.

If not, it does not supply power over the port and therefore does not damage non-PoE devices. If so, it determines the device's power consumption and sets the supply voltage level appropriately.

Port mirroring demands a lot of processing and can lead to the switch hardware becoming overloaded and consequently crashing.

If possible,trial any security solution that requires port mirroring under typical loads before deploying it on a production network.

The mirror port would be used by management or monitoring software (such as a Network Analyzer or Intrusion Detection System [IDS]). Either ingress or egress traffic or both can be captured.

Optionally, in order to avoid overloading the monitoring system, packets may be filtered based on criteria such as layer 3 or 4 protocols.

Port-based switching is the simplest means of configuring a VLAN (static VLANs).

Others (dynamic VLANs) include using the host's MAC address, protocol type, IP address, or even authentication credentials.

Listening doesn't forward frames, doesn't learn MACS

Port is listening for BPDUs to detect loops

Learning doesn't forward frames, Does learn MACs

The port discovers the topology of the network and builds the MAC address table.

A VLAN is described as a separate broadcast domain. A busy segment can be broken into two distinct groups, each chatting amongst themselves.

The separation of these groups into separate VLANs will minimize the impact of each groups' traffic on the other group.

When all ports on all bridges are in forwarding or blocking states, the network is converged. When the network is not converged, no communications can take place.

Under the original 802.1D standard, this made the network unavailable for extended periods (10s of seconds) during configuration changes.

Each bridge then determines the path to the root bridge by exchanging information with

other bridges (Bridge Protocol Data Units [BPDU]).

802.3at(PoE+)

powered devices can draw up to about 25W. Note that various proprietary schemes were used between the ratification of 802.3af and 802.3at

A switched network means that each port is in a separate collision domain.

Collision can only occur if the port is operating in half duplex mode ( if a legacy network card is attached to it for instance) and even then collision only affect the segment between the port and that adapter; they do not slow doen the whole network.

Power over Ethernet (PoE)

Power over Ethernet (PoE) or Power over LAN is a means of supplying electrical power from a switch port over ordinary data cabling to a connected powered device, such as VoIP handset wireless access point.

The main features of a bridge are as follows: -Bridges work at the data link layer since they need to understand the MAC addresses within frames.

-Most bridges are only able to link segments of the same type (for example, Ethernet to Ethernet) -Bridges can be used to link different cable types (such as coax and twisted pair).

This works as follows: 1) Computer A transmits a frame intended for Computer B.

2) The switch receives the frame into a port buffer and obtains the destination MAC address from the Ethernet frame. The port buffer holds frames until they can be processed. The switch can also perform error checking on the frame using the CRC.

A bridge works in the following manner: 1)Computer A sends a signal to computer D. Note that the frame contains a source hardware address of M.a and a destination hardware address of M.d.

2) This bridge listens to all traffic on all attached segments (this is known as promiscous mode) and consequently it receives the signal at port 1.

3) The bridge reads the destination in the frame and, using its port address table, determines the port to which the network card with hardware address M.d is attached. The bridge is able to loacte the hardware address M.d in its port:MAC address table and transmits the signal out of port 2 only.

4) If no record of the hardware address exists or the frame is a broadcast or multicast, then the bridge forwards the frame to all segments except for the source segment (acting like a hub).

This works as follows (Continued): 3) The switch uses its MAC address table to look up the port connected to the destination MAC address. 4) The switch uses its high speed backplane to send the frame out on port 3 for computer B to receive (creating a temporary virtual circuit).

5) None of the other connected devices (such as, computer C) see any activity on the network while this process takes place. Therefore, these other devices are able to transmit and receive at the same time.

PoE is defined in two IEEE standards:

802.3af 802.3at(PoE+)

In a network with multiple bridges (implemented these days as switches and routers), there may be more than one path for a frame to take to its intended destination.

As a layer 2 protocol, Ethernet has no concept of Time To Live. Therefore layer 2 broadcast traffic could continue to loop through the network indefinitely. This situation is prevented using the Spanning Tree Protocol (STP), defined in the 802.1D MAC Bridges standard.

PoE switches are referred to as Power Sourcing Equipment (PSE).

If an existing switch does not support PoE, a device called a power injector can be used.

From a security point-of-view, each VLAN can represent a separate security zone, THese zones would typically be configured to protect the integrity and confidentiality of different departments within the organization.

If something like a virus or worm were introduced in one VLAN, it should not be able to spread to other VLANs.

Switch Operation An Ethernet (or LAN) switch performs the same sort of function as a bridge but can provide many more ports (bridges only came with up to 4 ports). Each port is a separate collision domain.

In effect, the switch establishes a point-to-point link between any two network nodes. This is referred to as microsegmentation. The basic mode of operation for a switch is referred to as "store and forward".

Autonegotiation Switches normally support a range of Ethernet standards so that older and newer network adapters can all be connected to the same network.

In most cases, the port on the switch is to autonegotiate speed and full or half duplex operation but a static configuration can be applied manually is necessary.

Powering these devices through a switch is more efficient than using a wall-socket AC adapter for each appliance.

It also allows network management software to control the devices and apply schenes, such as making unused devices go into sleep states and power capping.

Within each segment, each bridge then determines the bridge closest to the root bridge and uses that bridge to forward frames to the root.

It then blocks ports connected to other non-forwarding bridges. Subsequently, bridges exchange Topology Change Notifications if devices are added or removed, enabling them to change the status of forwarding/blocked ports appropriately.

Bridges A bridge is a device that provides communications between two or more segments. Workstations on one segment are able to communicate with those on another segment via the bridge.

Like a repeater, a bridge extends the maximum distance of network, but it may also be used to segment the network and reduce traffic.

One benefit of VLANs is traffic management. Bridge devices only forward traffic when needed, with the exception of broadcasts and multicasts.

Routers don't forward broadcasts and multicasts. Both types of device can be used for joining remote networks together and then also be used to manage the glow of network traffic.

Where VLANs are implemented, a modified version of STP must be used. If a trunk port to multiple VLANs were to be blocked, all the VLANs on that trunk would be denied access to the rest of the network.

Some means must be established to disable links on a per-VLAN basis. Originally, this was accomplished using Cisco's Per-VLAN STP Protocol (PVST) but is now implemented using Multiple Spanning Trees Protocol (MSTP), defined in 802.1Q.

These problems can be overcome by moving from this "shared Ethernet" system to "switched Ethernet". This move involves the replacement of hubs and bridges with switches.

Switches have now almost completely replaced legacy devices such as hubs and bridges. The use of switches is mandatory for Gigabit Ethernet and Ethernet 10G.

As Ethernet bridge builds the port address table in memory. When the bridge is initialized, the bridging table is empty but information is constantly added as the bridge listens to the connected segments.

The bridge can enter a particular hardware address against a port number in the bridging table by examining the source hardware address on frames and noting the port that received the frame. Entries are flushed out of the table after a period to ensure the information remains current.

Forwarding Does forward frames, Does learn MACs

The port works as normal

When VLANs are also configured on the switches, trunking means that a VLAN can be configured across more than one switch device without having to manually configure the VLANs on each device.

The protocol governing this data exchange would either be Cisco's VLAN Trunking Protocol (VTP) or Generic Attribute Registration Protocol (GARP) VLAN Registration Protocol (GVRP).

Under 801Q, traffic is identified by a VLAN tag inserted in the Ethernet frame between the Source Address and Ethertype fields.

The tag contains information about the VLAN ID (from 1 to 4094) and priority (used for Quality of Service [QoS] functions). The Ethertype value is set to identify the frame as 802.1Q.

As with a bridge though, traffic on all switch ports is in the same broadcast domain, unless the switch is configured to use the VLANs

There are many types of switches other than Ethernet switches (or "basic switches"). Some are used to implement WANs (ATM and SONET switching for instance) and some are used to forward traffic at OSI layers 3 and above.

A network designer should try to follow the 80:20 rule, which states that a well-designed network will keep 80% of traffic local (on the same segment), with only the remaining 20% of traffic needing to pass to another segment.

They need to ensure clients (resource users) and their associated servers (resource providers) are placed on the same segment whenever possible.

MAC filtering means specifying which MAC addresses are allowed to connect to a particular port.

This can be done by specifying a list of valid MAC addresses but this "static" method is difficult to keep up-to-date and relatively error-prone.

The Spanning Tree Protocol (STP) is a means for the bridges to organize themselves into a hierarchy. The bridge at the top of the hierarchy is the root bridge.

This can be selected automatically by the protocol but the administrator can pre-determine metrics to make the choice of one bridge over another more likely (unless the designated bridge happens to be offline).

Entries remain in the MAC address table for a period before being flushed.

This ensures problems are not encountered when network cards (MAC addresses) are changed.

Building the MAC Address Table If a MAC address cannot be found in the MAC address table then the switch acts like a hub and transmits the frame out of all the ports (except for the incoming port).

This is referred to as flooding. The switch builds the MAC address table by analyzing incoming frames for a source MAC address. It can then add a MAC address entry against the particular port number.

Switch Models Switches from different vendors come in a variety of different ranges to support various sizes of network.

While a basic model might feature 12-48 ports and little scope for expansion, advanced switches support interconnections via high speed backplanes and expandable capacity through plug-in modules plus power supply redundancy, manangement consoles, and media converters for fiber optic connectivity.

Some switches do not offer any configuration options or interface. These are known as unmanaged switches.

You just have to plug them in and they operate automatically. These switches are usually inexpensive and are intended only for home or small office use.

The address table is implemented as Content Addressable Memory (CAM),

a special type of memory optimized for searching rather than random access.

A switch may also support autoconfiguration using a DHCP server to obtain

addressing information and a TFTP server to obtain a configuration file.

As well as representing organizational departments and/or overcoming physical barriers between different locations, it is common practice to isolate server-to-server traffic from client-server traffic and to isolate

administration/management traffic (channels used for inbound management of appliances and servers). Another standard configuration option is to create a "null" VLAN that is non-routable to the rest of the network. This VLAN is used for any ports that do not have authorized connected equipment.

Under VTP, switches can be grouped into management domains, identifed by a domain name. Within these groups, switches are assigned the roles of either VTP server or VTP client.Modification to the VLAN topology of the network can be made on any switch that has been assigned the VLAN server role

and these changes are replicated to all switches in the management domain. In a small network with only a few switches, all switches may be configured as VTP servers. However, in a large network it is more efficient to limit the number of switches assigned this role.

Hubs and bridges are no longer widely deployed as standalone appliances but

as their role has been taken on by more advanced devices (such as Ethernet switches) it is important to understand what basic functions they provide.

The market is dominated by Cisco's Catalyst series (over 70% of sales by port)

but other notable vendors include HP (ProCurve), Nortel, Foundry, and 3Com.

Port Mirroring Unlike a hub, a switch forwards unicast traffic only to the specific port connected to the intended host. This prevents sniffing of unicast traffic by hosts attached to the same switch. There are circumstances in which capturing and analyzing network traffic is legitimate activity

however and port mirroring provides the facility to do this. Port mirroring copies all packets sent to one or more source ports to a mirror (or destination) port. On a Cisco switch, this is referred to as a Switched Port Analyzer (SPAN).

Managed switches often support more complex functions,

including configuring VLANs, port authentication, load balancing, Quality of Service (QoS), and traffic shaping, and filtering.

802.3af

powered devices can draw up to about 13W over the link. Power is supplied as 350mA@48V and limited to 15.4W but the voltage drop over the maximum 100 feet of cable results in usable power of around 13W.

Management port

this means configuring an IP address on the switch to use for management functions and connecting to it via one of the normal Ethernet ports. Most switches support a browser-based interface as well as a Command Line Interface (CLI).

Console port

this requires connecting a terminal (a laptop for instance) to the switch via a separate physical interface