Systems Approach to Computer Networks Unit 15 – Ethernet and VLANs in Switched LANs

Ethernet and VLANs form the backbone of modern local area networks. Ethernet defines the rules for communication within a LAN, using MAC addresses and frames to transmit data. It supports various data rates and employs CSMA/CD to manage access to shared media. VLANs allow network administrators to create logical subgroups within a physical LAN, improving performance and security. They enable devices to communicate as if on the same physical network, even when connected to different switches. Inter-VLAN routing requires Layer 3 devices to facilitate communication between VLANs.

Ethernet Basics

  • Ethernet is a family of wired computer networking technologies commonly used in local area networks (LANs)
  • Operates at the data link layer (Layer 2) of the OSI model and defines the rules for communication within a LAN
  • Uses a bus topology (older shared-medium Ethernet) or a star topology with devices connected to a central switch or hub
  • Employs carrier-sense multiple access with collision detection (CSMA/CD) to manage access to shared (half-duplex) media
    • Devices listen for traffic before transmitting to avoid collisions
    • If a collision occurs, devices wait a random time before retransmitting
  • Supports various data rates, including 10 Mbps, 100 Mbps (Fast Ethernet), 1 Gbps (Gigabit Ethernet), and 10 Gbps (10 Gigabit Ethernet)
  • Utilizes unique 48-bit MAC addresses to identify devices on the network
  • Encapsulates data into frames, which include source and destination MAC addresses, data payload, and error-checking information

LAN Switching Fundamentals

  • LAN switches are network devices that connect multiple devices within a LAN and forward data based on MAC addresses
  • Switches operate at the data link layer (Layer 2) of the OSI model
  • Maintain a MAC address table that maps each device's MAC address to the switch port it is connected to
  • When a frame arrives, the switch examines the destination MAC address and forwards the frame to the appropriate port
    • If the destination MAC address is not in the table, the switch floods the frame to all ports except the one it arrived on
  • Switches create separate collision domains for each port, allowing full-duplex communication and reducing collisions
  • Switches can be connected to form larger networks, with each switch maintaining its own MAC address table
  • Offer benefits such as improved network performance, reduced collisions, and increased security compared to hubs

VLAN Concepts and Implementation

  • Virtual Local Area Networks (VLANs) are logical subgroups within a physical LAN that segregate devices based on function, department, or security requirements
  • VLANs allow network administrators to create smaller broadcast domains, improving network performance and security
  • Each VLAN is assigned a unique identifier (VLAN ID) ranging from 1 to 4094
  • Devices within the same VLAN can communicate with each other as if they were on the same physical LAN, even if they are connected to different switches
  • VLANs are configured on switches using management interfaces (CLI or GUI)
    • Ports are assigned to specific VLANs
    • VLAN membership can be based on port, MAC address, or IP subnet
  • Inter-VLAN communication requires a Layer 3 device, such as a router or a Layer 3 switch, to route traffic between VLANs
  • VLANs enhance network security by isolating sensitive devices and limiting the impact of broadcast storms or other network issues
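The learning-and-flooding behaviour from the LAN Switching section and the per-VLAN broadcast domains from this section, combined in one small simulation. This is an added example, not code from the Fiveable notes or from the Systems Approach book; the switch model, port-to-VLAN map and MAC addresses are constructed assumptions. It goes one step beyond the text by keying the MAC table on (VLAN, MAC), which is how a VLAN-aware switch keeps one logical table per VLAN.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str   # source MAC
    dst: str   # destination MAC


@dataclass
class VlanSwitch:
    """Learning switch with a per-VLAN MAC table (constructed model, not vendor code)."""
    ports: Dict[int, int]                                            # port -> access VLAN
    table: Dict[Tuple[int, str], int] = field(default_factory=dict)  # (vlan, mac) -> port

    def receive(self, in_port: int, frame: Frame) -> List[int]:
        """Learn frame.src on in_port, then return the sorted list of egress ports."""
        vlan = self.ports[in_port]
        # Learning: the source MAC is reachable through in_port, scoped to this VLAN
        self.table[(vlan, frame.src)] = in_port
        # The broadcast domain is the set of ports in the same VLAN, minus the ingress port
        same_vlan = sorted(p for p, v in self.ports.items() if v == vlan and p != in_port)
        if frame.dst == BROADCAST or (vlan, frame.dst) not in self.table:
            return same_vlan              # broadcast or unknown unicast: flood within the VLAN only
        out_port = self.table[(vlan, frame.dst)]
        return [] if out_port == in_port else [out_port]   # known unicast: filter or forward


def demo() -> Dict[str, List[int]]:
    """Constructed scenario: ports 1-2 in VLAN 10, ports 3-4 in VLAN 20."""
    sw = VlanSwitch(ports={1: 10, 2: 10, 3: 20, 4: 20})
    a, b, c = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    return {
        "a_to_b_unknown": sw.receive(1, Frame(a, b)),        # flooded to port 2 only, never into VLAN 20
        "b_to_a_known": sw.receive(2, Frame(b, a)),          # A was learned on port 1
        "c_to_a_other_vlan": sw.receive(3, Frame(c, a)),     # A is unknown in VLAN 20: flood to port 4
        "broadcast_from_a": sw.receive(1, Frame(a, BROADCAST)),
    }


if __name__ == "__main__":
    for name, egress in demo().items():
        print(f"{name}: egress ports {egress}")
```

The third case is the security-relevant one: even though the switch already knows host A's MAC, that knowledge lives in VLAN 10, so a frame from VLAN 20 addressed to A is flooded only to VLAN 20 ports and never crosses the VLAN boundary.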

Ethernet Frame Structure

  • Ethernet frames are data link layer (Layer 2) protocol data units (PDUs) that encapsulate upper-layer data for transmission over an Ethernet network
  • The Ethernet frame structure consists of several fields:
    • Preamble (7 bytes): Alternating 1s and 0s used for synchronization
    • Start Frame Delimiter (1 byte): Indicates the start of the frame
    • Destination MAC Address (6 bytes): Specifies the recipient device's MAC address
    • Source MAC Address (6 bytes): Specifies the sending device's MAC address
    • VLAN Tag (Optional, 4 bytes): Used for VLAN tagging (IEEE 802.1Q)
    • EtherType (2 bytes): Identifies the upper-layer protocol (e.g., IPv4, IPv6, ARP)
    • Payload (46-1500 bytes): Contains the upper-layer data
    • Frame Check Sequence (4 bytes): Error-checking information (CRC-32)
  • The minimum frame size is 64 bytes, while the maximum is 1518 bytes (1522 with VLAN tag)
  • If the payload is less than 46 bytes, padding is added to meet the minimum frame size requirement

Spanning Tree Protocol (STP)

  • Spanning Tree Protocol (STP) is a network protocol that prevents loops in switched Ethernet networks with redundant paths
  • Loops can cause broadcast storms, multiple frame copies, and MAC address table instability, leading to network performance issues
  • STP creates a logical tree topology by electing a root bridge and blocking redundant paths
    • Each switch is assigned a unique bridge ID (BID) based on its priority and MAC address
    • The switch with the lowest BID becomes the root bridge
  • STP uses Bridge Protocol Data Units (BPDUs) to exchange information between switches and determine the best paths
    • Root BPDU: Sent by the root bridge to announce its presence
    • Configuration BPDU: Sent by other switches to propagate STP information
  • Switches calculate the shortest path to the root bridge based on path cost and block redundant ports
  • If the root bridge or a network link fails, STP automatically recalculates the tree topology and unblocks previously blocked ports to maintain connectivity
  • Variants of STP include Rapid Spanning Tree Protocol (RSTP) and Multiple Spanning Tree Protocol (MSTP), which provide faster convergence and support for multiple VLANs
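The root election, root-path-cost calculation and port-role assignment described above, worked through on a three-switch triangle. This is an added example, not code from the Fiveable notes or the Systems Approach book; the bridge names, priorities, MAC addresses and link costs are constructed, and the model only computes the converged topology (no BPDU timers or state transitions). The tie-break order (path cost, then sender bridge ID, then sender port) is the one STP uses.

```python
import heapq
from typing import Dict, List, Tuple

Bid = Tuple[int, str]                       # (priority, MAC): lower tuple wins, like the real bridge ID
Link = Tuple[str, int, str, int, int]       # (bridge_a, port_a, bridge_b, port_b, path cost)


def elect_root(bridges: Dict[str, Bid]) -> str:
    """The bridge with the lowest bridge ID becomes the root."""
    return min(bridges, key=lambda name: bridges[name])


def root_path_costs(root: str, bridges: Dict[str, Bid], links: List[Link]) -> Dict[str, int]:
    """Least-cost distance from every bridge to the root (Dijkstra over link costs)."""
    adj: Dict[str, List[Tuple[str, int]]] = {b: [] for b in bridges}
    for a, _, b, _, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    dist = {b: float("inf") for b in bridges}
    dist[root] = 0
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, c in adj[u]:
            if d + c < dist[v]:
                dist[v] = d + c
                heapq.heappush(heap, (d + c, v))
    return dist


def port_roles(bridges: Dict[str, Bid], links: List[Link]) -> Tuple[str, Dict[str, Dict[int, str]]]:
    """Return (root bridge, {bridge: {port: ROOT | DESIGNATED | BLOCKED}})."""
    root = elect_root(bridges)
    cost = root_path_costs(root, bridges, links)
    roles: Dict[str, Dict[int, str]] = {b: {} for b in bridges}

    # Root port: on every non-root bridge, the port offering the lowest
    # (cost to root via neighbour, neighbour BID, neighbour port), i.e. the STP tie-break order.
    best: Dict[str, Tuple[Tuple[int, Bid, int], int]] = {}
    for a, pa, b, pb, c in links:
        for me, my_port, nb, nb_port in ((a, pa, b, pb), (b, pb, a, pa)):
            if me == root:
                continue
            key = (cost[nb] + c, bridges[nb], nb_port)
            if me not in best or key < best[me][0]:
                best[me] = (key, my_port)
    for b, (_, p) in best.items():
        roles[b][p] = "ROOT"

    # Designated port: on every segment, the end whose bridge has the lower (root path cost, BID).
    # The other end is blocked unless it is already that bridge's root port.
    for a, pa, b, pb, _ in links:
        if (cost[a], bridges[a]) <= (cost[b], bridges[b]):
            des, des_port, other, other_port = a, pa, b, pb
        else:
            des, des_port, other, other_port = b, pb, a, pa
        roles[des].setdefault(des_port, "DESIGNATED")
        roles[other].setdefault(other_port, "BLOCKED")
    return root, roles


def demo() -> Tuple[str, Dict[str, Dict[int, str]]]:
    """Constructed triangle: S1 has the lowest priority, so it wins; the S2-S3 link gets one blocked end."""
    bridges = {"S1": (4096, "00:00:00:00:00:01"),
               "S2": (32768, "00:00:00:00:00:02"),
               "S3": (32768, "00:00:00:00:00:03")}
    links = [("S1", 1, "S2", 1, 4), ("S1", 2, "S3", 1, 4), ("S2", 2, "S3", 2, 4)]
    return port_roles(bridges, links)


if __name__ == "__main__":
    root, roles = demo()
    print("root bridge:", root)
    for bridge, ports in roles.items():
        print(bridge, ports)
```

Removing the S1-S3 link from the topology and re-running `port_roles` shows the recovery case from the text: S3 now reaches the root through S2, so its previously blocked port 2 becomes its root port. The same logic also makes clear why bridge priority matters operationally: whichever bridge advertises the lowest ID becomes the root, which is why root bridge placement is a deliberate configuration choice rather than something left to default priorities.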

VLAN Trunking and Tagging

  • VLAN trunking allows a single physical link to carry traffic for multiple VLANs between switches
  • Trunks are configured on switch ports connected to other switches or routers
  • VLAN tagging is used to identify the VLAN membership of frames transmitted over a trunk link
    • The IEEE 802.1Q standard defines the method for VLAN tagging
    • A 4-byte VLAN tag is inserted into the Ethernet frame, which includes a 12-bit VLAN ID and other control information
  • When a tagged frame arrives at a switch, the switch examines the VLAN tag and forwards the frame to the appropriate VLAN
  • Native VLAN: The default VLAN for untagged frames on a trunk link (usually VLAN 1)
    • Untagged frames are assumed to belong to the native VLAN
  • Dynamic Trunking Protocol (DTP) is a Cisco proprietary protocol that automatically negotiates trunking parameters between switches
  • VLAN Trunking Protocol (VTP) is another Cisco proprietary protocol that propagates VLAN configuration information between switches to maintain consistency
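A frame builder and parser covering the field layout from the Ethernet Frame Structure section and the 802.1Q tag handling from this section: the 4-byte tag (TPID 0x8100 followed by 3-bit PCP, DEI and 12-bit VLAN ID) inserted after the source MAC, padding to the 46-byte minimum payload, the CRC-32 FCS, and the native-VLAN rule for untagged frames on a trunk. This is an added example, not code from the Fiveable notes or the Systems Approach book; the MAC addresses and payloads are constructed, and the native VLAN defaults to 1 as an assumption matching the text.

```python
import struct
import zlib
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100                                     # marks an 802.1Q tag in the EtherType position
MIN_FRAME, MAX_UNTAGGED, MAX_TAGGED = 64, 1518, 1522    # sizes including the 4-byte FCS


@dataclass
class ParsedFrame:
    dst: str
    src: str
    tagged: bool
    vlan: int          # VLAN ID from the tag, or the native VLAN for untagged frames
    pcp: int           # 3-bit priority code point from the tag (0 when untagged)
    ethertype: int
    payload: bytes
    fcs_ok: bool


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an Ethernet II frame (no preamble/SFD): optional 802.1Q tag, payload padded to 46 bytes, FCS."""
    header = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)             # PCP(3) | DEI(1)=0 | VID(12)
        header += struct.pack("!HH", TPID_8021Q, tci)
    header += struct.pack("!H", ethertype)
    body = header + payload.ljust(46, b"\x00")                 # pad short payloads to the 46-byte minimum
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)   # FCS is CRC-32, sent LSB first


def parse_frame(frame: bytes, native_vlan: int = 1) -> ParsedFrame:
    """Parse a frame as a trunk port would: untagged frames go to native_vlan, and the FCS is verified."""
    if len(frame) < MIN_FRAME:
        raise ValueError(f"runt frame: {len(frame)} bytes < {MIN_FRAME}")
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    fcs_ok = (zlib.crc32(body) & 0xFFFFFFFF) == fcs
    dst, src = mac_str(body[0:6]), mac_str(body[6:12])
    ethertype = struct.unpack("!H", body[12:14])[0]
    tagged, vlan, pcp, offset = False, native_vlan, 0, 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", body[14:18])       # tag control info, then the real EtherType
        tagged, vlan, pcp, offset = True, tci & 0x0FFF, tci >> 13, 18
    if len(frame) > (MAX_TAGGED if tagged else MAX_UNTAGGED):
        raise ValueError(f"giant frame: {len(frame)} bytes")
    return ParsedFrame(dst, src, tagged, vlan, pcp, ethertype, body[offset:], fcs_ok)


if __name__ == "__main__":
    arp_on_vlan_10 = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"\x00\x01\x08\x00", vlan=10, pcp=3)
    print(len(arp_on_vlan_10), "bytes:", parse_frame(arp_on_vlan_10))
    untagged = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", 0x0800, b"x")
    print(len(untagged), "bytes:", parse_frame(untagged))
```

The parser exposes why the native VLAN is a configuration detail worth auditing: an untagged frame carries no VLAN information at all, so the VLAN it lands in is decided entirely by the receiving trunk port's `native_vlan` setting, and a mismatch between the two ends of a trunk silently merges two VLANs.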

Inter-VLAN Routing

  • Inter-VLAN routing enables communication between devices in different VLANs
  • Requires a Layer 3 device (router or Layer 3 switch) to route traffic between VLANs
  • Two common methods for inter-VLAN routing:
    • Router-on-a-stick (RoaS): A single router interface is connected to a switch port configured as a trunk, and subinterfaces are created for each VLAN
    • Switch Virtual Interface (SVI): A virtual interface is created on a Layer 3 switch for each VLAN, and the switch performs both Layer 2 switching and Layer 3 routing
  • The Layer 3 device must have an IP address configured on each VLAN interface to route traffic between VLANs
  • When a device in one VLAN wants to communicate with a device in another VLAN, it sends the frame to the default gateway (the Layer 3 device)
    • The Layer 3 device then routes the packet to the destination VLAN based on the destination IP address
  • Inter-VLAN routing provides a way to logically segment the network while still allowing communication between VLANs when necessary
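The router-on-a-stick flow described above, as a small model: a host sends a frame to the gateway MAC on its own VLAN, the router matches the destination IP against the subnets of its subinterfaces, and sends the packet back down the same trunk with a new 802.1Q tag, its own MAC as source, the destination host's MAC, and a decremented TTL. This is an added example, not code from the Fiveable notes or the Systems Approach book; the router MAC, subinterface addresses and host addresses are constructed, and ARP resolution is modelled as a pre-populated per-VLAN table.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    vlan: int          # 802.1Q tag the frame carries on the trunk
    src_ip: str
    dst_ip: str
    ttl: int


class RouterOnAStick:
    """Router with one 802.1Q subinterface per VLAN on a single trunk (constructed model, not vendor code)."""

    def __init__(self, router_mac: str, subinterfaces: Dict[int, str]):
        self.mac = router_mac
        # VLAN ID -> subinterface address with prefix, e.g. 10 -> "10.0.10.1/24" (that VLAN's default gateway)
        self.subif = {vlan: ipaddress.ip_interface(addr) for vlan, addr in subinterfaces.items()}
        self.arp: Dict[Tuple[int, str], str] = {}     # (vlan, ip) -> MAC, resolved separately per VLAN

    def learn(self, vlan: int, ip: str, mac: str) -> None:
        self.arp[(vlan, ip)] = mac

    def route(self, pkt: Packet) -> Optional[Packet]:
        """Return the re-encapsulated packet sent back down the trunk, or None if it is dropped."""
        # Hosts address inter-VLAN traffic to the gateway MAC; anything else stays at Layer 2 on the switch
        if pkt.dst_mac != self.mac or pkt.vlan not in self.subif:
            return None
        if pkt.ttl <= 1:
            return None                                # TTL expired (a real router would send ICMP Time Exceeded)
        dst = ipaddress.ip_address(pkt.dst_ip)
        # Longest-prefix match over the connected subnets of all subinterfaces
        matches = [(iface.network.prefixlen, vlan)
                   for vlan, iface in self.subif.items() if dst in iface.network]
        if not matches:
            return None                                # no route to the destination: drop
        _, out_vlan = max(matches)
        next_hop_mac = self.arp.get((out_vlan, pkt.dst_ip))
        if next_hop_mac is None:
            return None                                # the router would first ARP for the host on out_vlan
        # New tag for the destination VLAN, router MAC as source, host MAC as destination, TTL decremented
        return Packet(self.mac, next_hop_mac, out_vlan, pkt.src_ip, pkt.dst_ip, pkt.ttl - 1)


if __name__ == "__main__":
    router = RouterOnAStick("00:00:5e:00:01:01", {10: "10.0.10.1/24", 20: "10.0.20.1/24"})
    router.learn(20, "10.0.20.50", "00:00:00:00:20:50")
    inbound = Packet("00:00:00:00:10:05", router.mac, 10, "10.0.10.5", "10.0.20.50", 64)
    print("in: ", inbound)
    print("out:", router.route(inbound))
```

Note what the model makes explicit: the only thing that moves a packet from VLAN 10 to VLAN 20 is the Layer 3 device rewriting the tag. The switch itself never does this, which is why segmentation policy (ACLs, firewalling between VLANs) belongs on the routing hop.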

Ethernet and VLAN Security

  • Ethernet and VLAN security measures help protect the network from unauthorized access, attacks, and data breaches
  • Port security: Restricts the number of MAC addresses allowed on a switch port
    • Limits the risk of unauthorized devices connecting to the network
    • Can be configured to automatically shut down the port or send an alert when a violation occurs
  • DHCP snooping: Filters DHCP messages and builds a trusted database of DHCP bindings
    • Prevents rogue DHCP servers and unauthorized IP address assignments
  • Dynamic ARP Inspection (DAI): Validates ARP packets and discards those with invalid MAC-to-IP bindings
    • Protects against ARP spoofing and man-in-the-middle attacks
  • IP Source Guard (IPSG): Filters traffic based on the DHCP snooping database and prevents IP address spoofing
  • Private VLANs (PVLANs): Provide additional segmentation within a VLAN by creating isolated and community ports
    • Isolated ports can only communicate with promiscuous ports (usually connected to routers or servers)
    • Community ports can communicate with each other and with promiscuous ports
  • IEEE 802.1X: Provides port-based network access control and authentication
    • Devices (supplicants) must authenticate, through the switch acting as authenticator, against a RADIUS server before being granted access to the network

  • Regularly updating switch firmware and implementing strong passwords for management interfaces are also essential for maintaining network security
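The four switch-side controls above (port security, DHCP snooping, Dynamic ARP Inspection and IP Source Guard) in one small model, showing how the DHCP snooping binding table built on trusted ports becomes the reference that DAI and IPSG check against, and how a port-security violation err-disables the port. This is an added example, not code from the Fiveable notes or the Systems Approach book; the port numbers, MAC addresses, IP addresses and the one-MAC-per-port limit are constructed assumptions, and the DHCP exchange is reduced to message kinds rather than full packets.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: int


@dataclass
class SecureSwitch:
    """Constructed model of port security, DHCP snooping, DAI and IPSG on one access switch."""
    trusted_ports: Set[int]                      # uplinks toward the legitimate DHCP server
    max_macs: int = 1                            # port-security limit per access port
    bindings: Dict[Tuple[int, str], Binding] = field(default_factory=dict)  # (vlan, ip) -> binding
    pending: Dict[Tuple[int, str], int] = field(default_factory=dict)       # (vlan, client mac) -> port
    port_macs: Dict[int, Set[str]] = field(default_factory=dict)
    err_disabled: Set[int] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    # Port security: at most max_macs distinct source MACs per access port; a violation err-disables the port
    def port_security(self, port: int, src_mac: str) -> bool:
        if port in self.trusted_ports:
            return True
        if port in self.err_disabled:
            return False
        seen = self.port_macs.setdefault(port, set())
        if src_mac not in seen and len(seen) >= self.max_macs:
            self.err_disabled.add(port)
            self.log.append(f"PORT-SECURITY port {port} err-disabled: {src_mac} exceeds limit {self.max_macs}")
            return False
        seen.add(src_mac)
        return True

    # DHCP snooping: server replies are accepted only from trusted ports; ACKs populate the binding table
    def dhcp_message(self, port: int, vlan: int, kind: str, client_mac: str, ip: str = "") -> bool:
        if kind in ("DISCOVER", "REQUEST"):
            self.pending[(vlan, client_mac)] = port        # remember which access port the client sits on
            return True
        if port not in self.trusted_ports:                 # OFFER/ACK arriving on an access port: rogue server
            self.log.append(f"DHCP-SNOOPING dropped {kind} from untrusted port {port}")
            return False
        if kind == "ACK" and (vlan, client_mac) in self.pending:
            self.bindings[(vlan, ip)] = Binding(client_mac, ip, vlan, self.pending[(vlan, client_mac)])
        return True

    def _binding_ok(self, port: int, vlan: int, mac: str, ip: str) -> bool:
        b = self.bindings.get((vlan, ip))
        return b is not None and b.mac == mac and b.port == port

    # Dynamic ARP Inspection: an ARP packet's sender MAC/IP must match a snooping binding for its ingress port
    def arp_inspect(self, port: int, vlan: int, sender_mac: str, sender_ip: str) -> bool:
        if port in self.trusted_ports or self._binding_ok(port, vlan, sender_mac, sender_ip):
            return True
        self.log.append(f"DAI dropped ARP on port {port}: {sender_ip} -> {sender_mac} has no binding")
        return False

    # IP Source Guard: the source IP/MAC of IP traffic must likewise match a binding for the ingress port
    def ip_source_guard(self, port: int, vlan: int, src_mac: str, src_ip: str) -> bool:
        if port in self.trusted_ports or self._binding_ok(port, vlan, src_mac, src_ip):
            return True
        self.log.append(f"IPSG dropped packet on port {port}: source {src_ip} has no binding")
        return False


def demo() -> Dict[str, bool]:
    """Constructed scenario: trusted uplink 24, legitimate client on port 1, a second host on port 2."""
    sw = SecureSwitch(trusted_ports={24})
    client, other, extra = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"
    results = {}
    results["discover"] = sw.dhcp_message(1, 10, "DISCOVER", client)
    results["ack_from_uplink"] = sw.dhcp_message(24, 10, "ACK", client, "10.0.10.5")
    results["offer_from_access_port"] = sw.dhcp_message(2, 10, "OFFER", client, "10.0.10.7")
    results["arp_legit"] = sw.arp_inspect(1, 10, client, "10.0.10.5")
    results["arp_no_binding"] = sw.arp_inspect(2, 10, other, "10.0.10.5")
    results["ipsg_legit"] = sw.ip_source_guard(1, 10, client, "10.0.10.5")
    results["ipsg_no_binding"] = sw.ip_source_guard(2, 10, other, "10.0.10.5")
    results["portsec_first_mac"] = sw.port_security(1, client)
    results["portsec_second_mac"] = sw.port_security(1, extra)
    results["portsec_after_violation"] = sw.port_security(1, client)
    for line in sw.log:
        print(line)
    return results
```

The dependency chain is the point to take away: DAI and IPSG are only as good as the binding table, so DHCP snooping must be enabled (with the correct uplinks marked trusted) before either of them, and statically addressed hosts need static bindings or they will be dropped. The `log` list stands in for the syslog messages a real switch emits on each violation, which is what a SOC would alert on.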


© 2024 Fiveable Inc. All rights reserved.
AP® and SAT® are trademarks registered by the College Board, which is not affiliated with, and does not endorse this website.