Packet Forwarding:

A review of basic network fundamentals, followed by a deeper dive into the technical concepts of how network traffic is forwarded through a router or switch architecture.

Foundation Topics:

OSI - Open Systems Interconnection is a conceptual model composed of 7 layers. Each layer performs a specific function, and a layer can be modified or changed without requiring changes to the layers above and below it. The OSI model provides a structured approach for compatibility between vendors.

Layer 2 Forwarding

The second layer (Layer 2) has various protocols, and Ethernet is one of them. Layer 2 traffic units are called 'FRAMES', and Ethernet uses MAC (media access control) addresses to forward traffic. Frame Relay, for example, uses a different type of addressing to forward traffic (DLCIs etc). We are going to focus on the MAC address for Layer 2 forwarding.

A MAC address is a 48-bit address that is split into 6 octets (6x8=48) and is written in hexadecimal notation. The first 3 octets are the device manufacturer's OUI (Organisationally Unique Identifier) and the last 3 octets are unique to the device. A device listens for network traffic that contains its MAC address before moving the packet up the OSI stack to Layer 3 for processing. The only exception is broadcast traffic with MAC address FF:FF:FF:FF:FF:FF, which all devices on the same network segment will process. Broadcasts are not forwarded beyond a L3 boundary.

Collision Domains:

Ethernet uses CSMA/CD (Carrier Sense Multiple Access/Collision Detect) to ensure only ONE device talks at a time in a COLLISION DOMAIN. If a device detects that another device is transmitting data, it delays transmitting until the cable is quiet. This means that it can only transmit or receive data at one time (ie, it operates at half-duplex). CSMA/CD is operative when a device is operating in half duplex. As communication is possible in both directions at once in full duplex mode, there is no chance of collision and no mechanism is required to detect one.

Network switches create virtual channels: they record a host's MAC address against the port the traffic was received on, and then use that MAC address / port table to forward traffic to the correct host. This reduces the size of the collision domain and thus enables the devices to tx/rx at the same time, ie operate at full duplex.

All hubs are half-duplex and use CSMA/CD, so only one device at a time can communicate. Switches, as on the right, can operate at full duplex and as such create separate collision domains. When a frame contains a destination MAC address that's not in the MAC address table, the switch forwards the frame out every port except the port it came in on. This is known as unknown unicast flooding. All devices in the same L2 segment are in the same broadcast domain.
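The learning, forwarding and flooding behaviour just described, as an added Python model (not code from the notes or from any switch vendor). The MAC addresses, port names and frame sequence are constructed for the walk-through; `demo()` returns the egress ports chosen at each step so you can see exactly when unknown unicast flooding stops.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    dst: str            # destination MAC, colon-separated hex
    src: str            # source MAC
    payload: bytes = b""


@dataclass
class LearningSwitch:
    """Model of a transparent switch: learn the source MAC against the ingress
    port, forward known unicast out one port, flood everything else."""
    ports: list
    mac_table: dict = field(default_factory=dict)   # MAC -> port

    def receive(self, in_port, frame):
        """Process one frame; return the list of ports it is sent out of."""
        # Learning step: bind the sender's MAC to the port the frame arrived on
        self.mac_table[frame.src.lower()] = in_port
        dst = frame.dst.lower()
        if dst != BROADCAST and dst in self.mac_table:
            out_port = self.mac_table[dst]
            # Destination sits on the same port as the sender: nothing to forward
            return [] if out_port == in_port else [out_port]
        # Broadcast or unknown unicast: flood out every port except the ingress port
        return [p for p in self.ports if p != in_port]


def demo():
    """Walk through the learning process; returns (per-step egress lists, MAC table)."""
    sw = LearningSwitch(ports=["Gi0/1", "Gi0/2", "Gi0/3"])
    pc_a, pc_b = "00:00:0c:aa:aa:01", "00:00:0c:bb:bb:02"   # constructed MACs
    steps = [
        # 1. PC-A on Gi0/1 talks to PC-B, which the switch has never seen: flooded
        sw.receive("Gi0/1", Frame(dst=pc_b, src=pc_a)),
        # 2. PC-B replies from Gi0/2; PC-A is already known, so a single port
        sw.receive("Gi0/2", Frame(dst=pc_a, src=pc_b)),
        # 3. PC-A sends again; PC-B is now in the table, no more flooding
        sw.receive("Gi0/1", Frame(dst=pc_b, src=pc_a)),
        # 4. A broadcast (e.g. an ARP request) is always flooded
        sw.receive("Gi0/3", Frame(dst=BROADCAST, src="00:00:0c:cc:cc:03")),
    ]
    return steps, dict(sw.mac_table)


if __name__ == "__main__":
    for i, ports in enumerate(demo()[0], 1):
        print(f"step {i}: forwarded out {ports}")
```

Step 1 goes out of every port except Gi0/1; by step 3 the reply has populated the table and the frame goes out of Gi0/2 alone. Step 4 shows why the L2 segment is still one broadcast domain even though each port is its own collision domain.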

Virtual LAN's:

Having a router between LAN segments helps shrink broadcast domains, in much the same way as VLANs provide logical segmentation, creating multiple broadcast domains on the same network switch.

Network devices in one VLAN can NOT communicate with devices in another VLAN via traditional L2 or broadcast traffic. Inter-VLAN communication has to be done via a L3 network device. VLANs are defined by IEEE 802.1Q, which states that 32 bits (4 Bytes) are added to the Ethernet frame in the following fields:

  • TPID = Tag Protocol Identifier (16 bit)

    • This field is set to 0x8100 to identify that it is an 802.1Q VLAN tag

  • PCP = Priority Code Point (3 bit) - 802.1p

    • This is the L2 CoS (Class of Service) from 0-7 (lowest to highest priority)

  • DEI = Drop Eligible Indicator (1 bit)

    • If there is congestion within the network, a frame with this bit set can be dropped

  • VLAN ID = 12 bit

    • This is basically the VLAN number between 0-4096 (as it is 12 bits, 2 to the 12 = 4096). VLANs 0 and 4095 are reserved and can't be used, so it can only support 4094 VLANs

      • VLAN 0 is solely used for 802.1p traffic (can't be modified or deleted)

      • VLAN 1 is the default VLAN (can't be modified or deleted)

      • VLANs 2-1001 are in the normal VLAN range and CAN be modified or deleted

      • VLANs 1002-1005 are reserved and cannot be deleted (fddi, token-ring, fddinet, trnet)

      • VLANs 1006-4094 are in the extended VLAN range and can be added, deleted and modified as necessary
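The MAC address layout and the four 802.1Q tag fields above, as an added Python encoder/decoder (added here; not code from the notes or from any vendor). It packs a frame with or without the 4-byte tag, then parses it back, pulling out the OUI, the broadcast check, and the PCP/DEI/VID bits from the TCI. The MAC addresses and payload are constructed sample values; the frame layout (TPID 0x8100 after the source MAC, then the 16-bit TCI) is the standard one.

```python
import struct

TPID_8021Q = 0x8100
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_tag(vlan_id, pcp=0, dei=0):
    """Return the 4-byte 802.1Q tag: TPID, then TCI = PCP(3) | DEI(1) | VID(12)."""
    if not 0 <= vlan_id <= 4095:
        raise ValueError("VLAN ID must fit in 12 bits")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits, DEI is 1 bit")
    tci = (pcp << 13) | (dei << 12) | vlan_id
    return struct.pack("!HH", TPID_8021Q, tci)


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0, dei=0):
    """Assemble an Ethernet II frame, inserting the tag after the source MAC."""
    frame = mac_bytes(dst) + mac_bytes(src)
    if vlan_id is not None:
        frame += build_tag(vlan_id, pcp, dei)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(raw):
    """Decode MACs, an optional 802.1Q tag, the EtherType and the payload."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an untagged Ethernet header")
    dst, src = mac_str(raw[0:6]), mac_str(raw[6:12])
    info = {
        "dst": dst, "src": src,
        "src_oui": src[:8],                 # first 3 octets: manufacturer OUI
        "broadcast": dst == BROADCAST,
        "vlan": None, "pcp": None, "dei": None,   # stay None on an untagged frame
    }
    offset = 12
    (tpid,) = struct.unpack_from("!H", raw, offset)
    if tpid == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("tagged frame truncated")
        (tci,) = struct.unpack_from("!H", raw, 14)
        info["pcp"] = tci >> 13          # top 3 bits
        info["dei"] = (tci >> 12) & 1    # next bit
        info["vlan"] = tci & 0x0FFF      # low 12 bits
        offset = 16
    (info["ethertype"],) = struct.unpack_from("!H", raw, offset)
    info["payload"] = raw[offset + 2:]
    return info


if __name__ == "__main__":
    # Constructed sample: broadcast ARP-style frame tagged VLAN 99, CoS 5, drop-eligible
    sample = build_frame(BROADCAST, "00:00:0c:12:34:56", 0x0806, b"\x00" * 28,
                         vlan_id=99, pcp=5, dei=1)
    print(sample[12:16].hex())   # the tag bytes: 8100 b063
    print(parse_frame(sample))
```

A frame whose TPID bytes are anything other than 0x8100 is treated as untagged, which is exactly what a switch does with native VLAN traffic; the parser makes that decision visible rather than silently assuming a VLAN.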

VLANs are created with 'vlan vlan-id', eg vlan 10, and a name is usually associated to it with the name command.

Output commands below:

  • OUTPUT 1: DLS2#show vlan

  • OUTPUT 2: DLS2#show vlan brief

  • OUTPUT 3: DLS2#show vlan summary

  • OUTPUT 4: DLS2#show vlan id 99

  • OUTPUT 5: DLS2#show vlan name Guest

DLS2(config)#
DLS2(config)#vlan 10
DLS2(config-vlan)#name PCs
DLS2(config-vlan)#vlan 20
DLS2(config-vlan)#name Phones
DLS2(config-vlan)#vlan 99
DLS2(config-vlan)#name Guest

See notes in Output 1, 2 and 3 relating to Remote SPANs and Private VLANs.

  • brief: Displays only the relevant port-to-VLAN mappings

  • summary: Displays a count of VLANs, VLANs participating in VTP and extended VLANs

  • vlan id <#>: Displays all output but filtered to the VLAN number that was specified.

  • vlan name <name>: Displays all but filtered to the VLAN name that was specified.

Access Ports:

An access port can only be assigned to a SINGLE VLAN, and by default all access ports are assigned to VLAN 1. No 802.1Q tags are included on frames transmitted or received on access ports. A port can be configured as an access port with the command switchport mode access. A specific VLAN can be associated to the interface with switchport access vlan <vlan id> | name <vlan name>. Whether the vlan-id or the vlan name is used, the configuration will show the numeric form.

DLS1(config-vlan)#vlan 10
DLS1(config-vlan)#name Operations
DLS1(config-vlan)#exit
DLS1(config)#interface range gi0/1, gi0/3, gi1/1
DLS1(config-if-range)#switchport mode access
DLS1(config-if-range)#exit
DLS1(config)#interface gi0/1
DLS1(config-if)#switchport access vlan 10
DLS1(config-if)#interface gi0/3
DLS1(config-if)#switchport access vlan 20
DLS1(config-if)#interface gi1/1
DLS1(config-if)#switchport access vlan name Engineering

DLS1#show ip int brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     unassigned      YES unset  up                    up
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  up                    up
GigabitEthernet0/3     unassigned      YES unset  up                    up
GigabitEthernet1/0     unassigned      YES unset  up                    up
GigabitEthernet1/1     unassigned      YES unset  up                    up
GigabitEthernet1/2     unassigned      YES unset  up                    up
GigabitEthernet1/3     unassigned      YES unset  up                    up
DLS1#
DLS1#
DLS1#sh run | b GigabitEthernet0/0
interface GigabitEthernet0/0
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/1
 switchport access vlan 10
 switchport mode access
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/2
 media-type rj45
 negotiation auto
!
interface GigabitEthernet0/3
 switchport access vlan 20
 switchport mode access
 media-type rj45
 negotiation auto
!
interface GigabitEthernet1/0
 media-type rj45
 negotiation auto
!
interface GigabitEthernet1/1
 switchport access vlan 30
 switchport mode access
 media-type rj45
 negotiation auto
!

You will see now that Gi1/1 has the numeric VLAN id 30 even though we stipulated the name 'Engineering' in the config above.

We can also remove negotiation auto from the interfaces above and hardcode the speed and full duplex parameters.

Trunk Ports:

Trunk ports carry multiple VLANs on one interface (or on bundled interfaces, aka EtherChannel). When a frame is received on a TRUNK interface, how does the switch know where to forward the traffic to?

For example, PC1 wants to send data to PC2 in the same VLAN across the trunk: it sends the data to SW2 and SW2 forwards the data to SW1. The trunk port allows VLANs 10 and 30. How does SW1 know which VLAN the traffic belongs to? It does this by VLAN tagging. Switches will 'tag' all frames that they send over a trunk link, which allows the receiving switch to know which VLAN the frame belongs to.

There are 2 main trunking protocols:

  • ISL (Inter-Switch Link) - old Cisco proprietary protocol created before the IEEE 802.1Q industry standard. Modern Cisco equipment doesn't support it any more.

  • 802.1Q - commonly known as dot1q

As discussed previously, the 802.1Q tag is inserted between the 'Source' and 'Type/Length' fields. The tag is 4 Bytes (32 bits) and is made up of 2 main fields:

Native VLAN

802.1Q has a feature called 'Native VLAN' which ISL does not. The native VLAN is by default VLAN 1, which in the beginning all ports are associated to. This can be manually changed on each trunk port. The switch does not add 802.1Q tags to frames received on the Native VLAN, and forwards the frame normally over the trunk port without an 802.1Q tag, ie it goes through the trunk port as an UNTAGGED frame. The receiving switch sees the untagged frame on the trunk port and assumes it belongs to the NATIVE VLAN (remember to ensure native VLANs match between the switches' trunk ports). As mentioned, switches will still forward traffic if there is a NATIVE VLAN MISMATCH, which could cause problems as traffic can change VLANs unintentionally. Let's see some scenarios below:

  • PC1 wants to forward traffic to PC2 and both are in the same VLAN 10, which also happens to be the configured 802.1Q native VLAN. Because the native VLAN is 10 the frame will NOT be tagged, and SW2 forwards the frame to SW1. SW1 sees it has no tag, assumes it is in the native VLAN 10 and sends it to PC2. This works in this case.

NATIVE VLAN MISMATCH

Here we can see a native VLAN mismatch, with SW2 set to VLAN 10 and SW1 set to VLAN 30. As with the previous example the untagged frame arrives at SW1, which then assumes it must belong to VLAN 30, but the destination is in VLAN 10 so it drops the frame.

Here we can see that PC1 wants to send data to PC2 in VLAN 30. All is the same except that SW2 has tagged the frame as VLAN 30, but on SW1 VLAN 30 is the native VLAN, so it won't be expecting VLAN 30 tagged traffic and will discard the frame.
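The three scenarios above, as an added Python model of both ends of the trunk (added here; not code from the notes or from any vendor). Each `TrunkEnd` decides whether a frame leaves tagged and which VLAN an arriving frame is filed under; the ingress rule for a tag equal to the receiver's native VLAN follows the behaviour the notes describe. The switch names and VLAN numbers are those of the scenarios; `scenarios()` returns, for each case, the VLAN the frame lands in on SW1 and whether it reaches PC2.

```python
class TrunkEnd:
    """One switch's side of an 802.1Q trunk: tagging on egress, classification on ingress."""

    def __init__(self, name, native_vlan):
        self.name = name
        self.native_vlan = native_vlan

    def egress(self, vlan):
        """Frame leaving over the trunk: native VLAN frames go out untagged (None)."""
        return None if vlan == self.native_vlan else vlan

    def ingress(self, tag):
        """Frame arriving from the trunk: untagged means native VLAN; a tag equal
        to this switch's native VLAN is discarded, as described in the notes above."""
        if tag is None:
            return self.native_vlan
        if tag == self.native_vlan:
            return None
        return tag


def cross_trunk(sender, receiver, vlan):
    """VLAN the receiving switch files the frame under, or None if it is discarded."""
    return receiver.ingress(sender.egress(vlan))


def delivered(sender, receiver, src_vlan, dst_vlan):
    """True only if the frame lands in the VLAN the destination host lives in."""
    return cross_trunk(sender, receiver, src_vlan) == dst_vlan


def native_vlans_match(a, b):
    """The check to run on every trunk pair before anything else."""
    return a.native_vlan == b.native_vlan


def scenarios():
    """The three cases from the notes; returns {label: (landing VLAN on SW1, delivered?)}."""
    sw2 = TrunkEnd("SW2", native_vlan=10)
    sw1_ok = TrunkEnd("SW1", native_vlan=10)
    sw1_bad = TrunkEnd("SW1", native_vlan=30)
    return {
        # Matching native VLAN 10: the untagged frame is correctly read as VLAN 10
        "match, vlan 10": (cross_trunk(sw2, sw1_ok, 10), delivered(sw2, sw1_ok, 10, 10)),
        # Mismatch: SW2 sends VLAN 10 untagged, SW1 files it under its own native VLAN 30
        "mismatch, vlan 10": (cross_trunk(sw2, sw1_bad, 10), delivered(sw2, sw1_bad, 10, 10)),
        # Mismatch: SW2 tags VLAN 30, SW1 treats 30 as native and discards the tagged frame
        "mismatch, vlan 30": (cross_trunk(sw2, sw1_bad, 30), delivered(sw2, sw1_bad, 30, 30)),
    }


if __name__ == "__main__":
    for label, (landed, ok) in scenarios().items():
        print(f"{label}: lands in VLAN {landed}, delivered={ok}")
```

The second case is the one worth remembering: the frame is not lost, it silently turns up in VLAN 30 on SW1, which is how a native VLAN mismatch lets traffic cross a segmentation boundary nobody intended.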

All switch control plane traffic is advertised using the NATIVE VLAN. To change the default Native VLAN (for security reasons), it is best to change it to an unused VLAN (make sure the native VLAN matches between switches!!).

SW1(config)#interface gi1/0
SW1(config-if)#switchport trunk native vlan 1001
SW2(config)#interface gi0/0
SW2(config-if)#switchport trunk native vlan 1001

SW1#show vlan brief
SW1#show interfaces trunk
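A way to verify the two points just made (native VLAN moved off the default, and matching on both ends of every trunk) across saved running-configs rather than by eye. This is an added Python audit, not code from the notes or from Cisco. The two config excerpts and the cabling table `LINKS` are constructed for the example: SW1 has been changed to native VLAN 1001 as in the commands above, while SW2 has not yet been updated, so its trunk is still on the IOS default of VLAN 1 (no `switchport trunk native vlan` line present).

```python
import re

# Constructed running-config excerpts (not captured from real devices)
SW1_CONFIG = """\
interface GigabitEthernet1/0
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1001
 switchport mode trunk
!
interface GigabitEthernet1/1
 switchport access vlan 30
 switchport mode access
!
"""

SW2_CONFIG = """\
interface GigabitEthernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""

# Constructed cabling table: (switch A, port A, switch B, port B)
LINKS = [("SW1", "Gi1/0", "SW2", "Gi0/0")]


def norm(ifname):
    """Make 'GigabitEthernet1/0' and 'Gi1/0' compare equal."""
    return ifname.lower().replace("gigabitethernet", "gi")


def iface_blocks(config):
    """Split an IOS running-config into {interface: [indented command lines]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = norm(line.split(None, 1)[1])
            blocks[current] = []
        elif line.startswith(" ") and current:
            blocks[current].append(line.strip())
        else:
            current = None          # '!' or any non-indented line ends the block
    return blocks


def trunk_native_vlans(config):
    """Map each trunk interface to its native VLAN (1 when nothing overrides the default)."""
    result = {}
    for name, lines in iface_blocks(config).items():
        if "switchport mode trunk" not in lines:
            continue
        native = 1
        for cmd in lines:
            m = re.match(r"switchport trunk native vlan (\d+)$", cmd)
            if m:
                native = int(m.group(1))
        result[name] = native
    return result


def audit_native_vlans(configs, links):
    """Flag trunks left on native VLAN 1 and trunk pairs whose native VLANs differ."""
    findings = []
    trunks = {sw: trunk_native_vlans(cfg) for sw, cfg in configs.items()}
    for sw, ports in trunks.items():
        for port, native in ports.items():
            if native == 1:
                findings.append(f"{sw} {port}: native VLAN is still the default (1)")
    for sw_a, port_a, sw_b, port_b in links:
        a = trunks.get(sw_a, {}).get(norm(port_a))
        b = trunks.get(sw_b, {}).get(norm(port_b))
        if a is None or b is None:
            findings.append(f"{sw_a} {port_a} <-> {sw_b} {port_b}: not a trunk on both ends")
            continue
        if a != b:
            findings.append(f"{sw_a} {port_a} native {a} != {sw_b} {port_b} native {b}")
    return findings


if __name__ == "__main__":
    for line in audit_native_vlans({"SW1": SW1_CONFIG, "SW2": SW2_CONFIG}, LINKS):
        print(line)
```

Run against the two excerpts it reports SW2 still on the default and the 1001 vs 1 mismatch on the SW1 Gi1/0 to SW2 Gi0/0 link; once SW2 gets the same `switchport trunk native vlan 1001` line the audit comes back empty.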

Management traffic such as:

  • Spanning Tree Protocol (STP) Bridge Protocol Data Units (BPDU)

  • Dynamic Trunking Protocol (DTP)

always use the Native VLAN. Other protocols always use VLAN 1 (the default Native VLAN), such as:

  • Cisco Discovery Protocol (CDP)

  • VTP (VLAN Trunk Protocol)

  • PAgP (Port Aggregation Protocol)

  • UDLD (Uni Directional Link Detection)

However, if the Native VLAN is NOT VLAN 1, then they will be tagged with the NATIVE VLAN.

VLAN Port Allocation

Ports are assigned to VLANs in a number of ways:

  • Statically assigned - this is where the administrator statically assigns switch ports to their respective VLANs

  • Dynamic VLANs

    • Using VMPS (VLAN Membership Policy Server), whereby a port's VLAN can be dynamically updated depending on the source MAC address of the device attached to that port. For example, on a boardroom port, if a Director connects, the VMPS dynamically assigns that port to the Director's VLAN based on his MAC address.

    • If the following day a Manager plugs his laptop into the same port, the VMPS dynamically allocates the port to the Manager's VLAN.

  • VOICE VLANs - specifically used by IP Phones

VTP

VLAN Trunking Protocol is a Cisco proprietary Layer 2 protocol which allows VLAN information to be propagated from one switch to another rather than connecting individually to each switch: you can create, add, delete or rename VLANs and have that information propagate to other switches across TRUNK links. (Notice the name: VTP - this information can only be propagated across TRUNK links.)

VTP can save a lot of time but also can be a headache:

  • The entire VLAN information and configuration can be wiped out by a new Cisco switch being introduced into an environment without due diligence being followed, and a lot of engineers disable VTP to mitigate these issues.

The Router (Router on a Stick) - Inter VLAN routing

Having 3 interfaces from the switch to the router, one for each VLAN, does not scale, so instead of 3 we have 1 physical connection with sub-interfaces to carry the 3 VLANs.

  • g0/0.10 --> for vlan 10

  • g0/0.20 --> for vlan 20

  • g0/0.30 --> for vlan 30

If the router interface to the switch is gi0/0, we configure the switch port facing the router as a normal trunk port and then on the router we do the following:

R1(config)#interface gi0/0
R1(config-if)#no shut
R1(config-if)#interface gi0/0.10
R1(config-subif)#encapsulation dot1q 10
R1(config-subif)#ip address 192.168.1.62 255.255.255.192
R1(config-subif)#interface gi0/0.20
R1(config-subif)#encapsulation dot1q 20
R1(config-subif)#ip address 192.168.1.126 255.255.255.192
R1(config-subif)#interface gi0/0.30
R1(config-subif)#encapsulation dot1q 30
R1(config-subif)#ip address 192.168.1.190 255.255.255.192

The sub-interface number, eg gi0/0.10, does not have to match the VLAN number, but making it the SAME makes it far easier to understand which VLAN and sub-interface you are looking at!! :)
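A check for the router-on-a-stick config above, as an added Python example (added here; not code from the notes or from Cisco). It parses the sub-interfaces out of a running-config, builds the VLAN to gateway/subnet table, and flags the mistakes that are easy to make on this kind of interface: a sub-interface number that does not match its dot1q VLAN (the convention recommended above), a gateway address that is the network or broadcast address, and two VLANs sharing overlapping subnets. `R1_CONFIG` is constructed from the R1 commands above with one deliberately broken sub-interface (gi0/0.40 on VLAN 50, reusing the VLAN 20 subnet) so the checks have something to catch.

```python
import ipaddress
import re

# Constructed running-config mirroring the R1 commands above, plus one bad sub-interface
R1_CONFIG = """\
interface GigabitEthernet0/0
 no shutdown
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.1.62 255.255.255.192
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.1.126 255.255.255.192
!
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.1.190 255.255.255.192
!
interface GigabitEthernet0/0.40
 encapsulation dot1Q 50
 ip address 192.168.1.100 255.255.255.192
!
"""


def parse_subinterfaces(config):
    """Return {sub-interface name: {"vlan": dot1q VLAN or None, "iface": IPv4Interface or None}}."""
    subifs, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            m = re.match(r"^interface (\S+\.\d+)$", line)
            current = m.group(1) if m else None       # only sub-interfaces matter here
            if current:
                subifs[current] = {"vlan": None, "iface": None}
        elif line.startswith(" ") and current:
            cmd = line.strip()
            m = re.match(r"encapsulation dot1q (\d+)", cmd, re.IGNORECASE)
            if m:
                subifs[current]["vlan"] = int(m.group(1))
            m = re.match(r"ip address (\S+) (\S+)", cmd)
            if m:
                # ipaddress accepts a dotted netmask after the slash
                subifs[current]["iface"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        else:
            current = None                             # '!' ends the interface block
    return subifs


def vlan_table(subifs):
    """Map VLAN -> (sub-interface, gateway address, subnet)."""
    return {d["vlan"]: (name, str(d["iface"].ip), str(d["iface"].network))
            for name, d in subifs.items()
            if d["vlan"] is not None and d["iface"] is not None}


def audit_subinterfaces(subifs):
    """Findings: incomplete sub-interfaces, number/VLAN mismatch, unusable gateway, overlaps."""
    findings, seen = [], []
    for name, d in subifs.items():
        number = int(name.rsplit(".", 1)[1])
        if d["vlan"] is None or d["iface"] is None:
            findings.append(f"{name}: missing encapsulation or ip address")
            continue
        if number != d["vlan"]:
            findings.append(f"{name}: sub-interface number {number} != dot1q VLAN {d['vlan']}")
        net = d["iface"].network
        if d["iface"].ip in (net.network_address, net.broadcast_address):
            findings.append(f"{name}: {d['iface'].ip} is not a usable host address in {net}")
        for other, other_net in seen:
            if net.overlaps(other_net):
                findings.append(f"{name}: {net} overlaps {other} ({other_net})")
        seen.append((name, net))
    return findings


if __name__ == "__main__":
    subs = parse_subinterfaces(R1_CONFIG)
    for vlan, (name, gw, net) in sorted(vlan_table(subs).items()):
        print(f"VLAN {vlan:<4} {name:<24} gateway {gw:<15} subnet {net}")
    for finding in audit_subinterfaces(subs):
        print("FINDING:", finding)
```

For the three good sub-interfaces the table shows VLAN 10, 20 and 30 on 192.168.1.0/26, .64/26 and .128/26 with the gateway on the last usable host of each; the fourth one is reported twice, once for the 40-vs-50 mismatch and once for overlapping the VLAN 20 subnet.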
