7 Layer 2 Switching Flashcards
Three distinct functions of layer 2 switching
address learning
forward/filter decisions
loop avoidance.
Address learning
Layer 2 switches remember the source hardware address of each frame received on an interface and enter this information into a MAC database called a forward/filter table. The old name for this table was Content Addressable Memory (CAM), and the table is still sometimes referred to by either name.
Forward/filter decisions
When a frame is received on an interface, the switch looks at the destination hardware address, then chooses the appropriate exit interface for it in the MAC database. This way, the frame is only forwarded out of the correct destination port.
Loop avoidance
If multiple connections between switches are created for redundancy, network loops can occur. Spanning Tree Protocol (STP) is used to prevent network loops while still permitting redundancy.
What is Port Security?
“Port security” on a switch port restricts port access by MAC address. Switches can be configured to allow only certain MAC addresses to associate with the specific port.
config t
int f0/1
switchport mode access
switchport port-security
switchport port-security ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode
Most Cisco switches ship with their ports in desirable mode, which means those ports will desire to trunk when they sense another switch has been connected. So first, we need to change the port and make it an access port instead. If we don’t do that, we won’t be able to configure port security on it at all.
You can configure a switch to take one of the following actions when a security violation occurs by using the switchport port-security violation command:
■ Protect: The protect violation mode drops packets with unknown source addresses until you remove enough secure MAC addresses to drop below the maximum value.
■ Restrict: The restrict violation mode also drops packets with unknown source addresses until you remove enough secure MAC addresses to drop below the maximum value. It also generates a log message, causes the security violation counter to increment, and sends an SNMP trap.
■ Shutdown: Shutdown is the default violation mode. The shutdown violation mode puts the interface into an error-disabled state immediately. The entire port is shut down. Also, in this mode, the system generates a log message, sends an SNMP trap, and increments the violation counter. To make the interface usable, you must do a shut/no shut on the interface.
To set up a switch port to allow only one host per port, use the command:
switchport port-security maximum 1
To make sure the port will shut down if a rule is violated, use the command:
switchport port-security violation shutdown
The sticky command
switchport port-security mac-address sticky
switchport port-security maximum 2
switchport port-security violation shutdown
With the sticky command you can provide static MAC address security without having to type in every MAC address on the network. In the configuration above, the first two MAC addresses coming into the port "stick" to it as static addresses and are placed in the running-config; when a third address tries to connect, the port shuts down immediately.
How to ensure that only a specific MAC address is allowed on a specific port?
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address aa.bb.cc.dd.ee.ff
What happens when you enable port security?
It defaults to violation mode shutdown and sets the maximum allowed MAC addresses to 1.
Loop Avoidance
Redundant links between switches are important because they prevent network failures in the event that one link stops working, but frames can be flooded down all redundant links simultaneously, creating network loops.
■ If no loop avoidance schemes are put in place, the switches will flood broadcasts endlessly throughout the inter-network. This is sometimes referred to as a broadcast storm.
■ A device can receive multiple copies of the same frame because that frame can arrive from different segments at the same time.
■ A server sends a unicast frame to Router C. Because it’s a unicast frame, Switch A forwards the frame and Switch B provides the same service. This means Router C receives that unicast frame twice, causing additional overhead on the network.
Loops can occur within other loops, and if a broadcast storm were to occur simultaneously, the network wouldn’t be able to perform frame switching at all!
thrashing the MAC table
The MAC address filter table could be confused about the source device’s location because the switch can receive the frame from more than one link. The switch can be constantly updating the MAC filter table with so many source hardware address locations that it will fail to forward a frame! This is called thrashing the MAC table.
If you connect into a switch port and the switch port LED is alternating green and amber:
it means the port is experiencing errors. When this happens, check the host NIC or the cabling, possibly even the duplex settings on the port to make sure they match the host setting.
Do We Need to Put an IP Address on a Switch?
No. Switches have all ports enabled at startup, but you might want to add one since you still need it for in-band management purposes. The only reason we're going to do that is so we can manage/administer it remotely; Telnet, SSH, SNMP, etc., all need an IP address in order to communicate with the switch through the network in-band. The IP address is configured under a logical interface, called a management domain or VLAN. You can use the default VLAN 1 to manage a switched network, but you can opt to use a different VLAN for management.