CISCO SWITCHING Hussein Salameh Network Administrator
CISCO SWITCHING Hussein Salameh Network Administrator ATS Automation Tooling Systems Inc.

AGENDA
- Switch Operation
- VLANs and Trunks
- Link Aggregation
- Multilayer Switching
- IP Telephony
- Quality of Service
- Voice QoS
- Securing Switches
- Demo
- Questions

LAYER 2 SWITCH OPERATION
[Diagram: Node A (VLAN 20), Node B (VLAN 20), Node C (VLAN 30) and Node D (VLAN 30) attached to a switch; CAM table columns: Destination MAC, Port, VLAN]
FOLLOW THE FRAME!
- The switch learns the source MAC address of the frame and adds it to the CAM table
- The switch makes its forwarding decision on the destination MAC address and looks up the matching VLAN and port
- Found: the frame is forwarded out that specific port
- Not found: the frame is flooded on all access and trunk ports in the same VLAN
Forwarding pipeline: Ingress Queues -> L2 Forwarding Table (CAM), Security ACLs (TCAM), QoS ACLs -> Egress

LAYER 3 SWITCH OPERATION
[Diagram: the same four nodes; CAM table columns: Destination MAC, Port, VLAN; FIB table columns: Destination IP, Next IP, Next MAC, Port]
FOLLOW THE PACKET!
- The Layer 3 engine maintains routing information, which is reformatted and copied into the FIB table
- An update is sent to the FIB whenever the routing table changes
- If the frame contains a Layer 3 packet to be forwarded, the FIB is consulted
- In the FIB the longest match is found and the next-hop IP address is obtained
- The entire Ethernet frame is rewritten (including the TTL and header checksum)
Control plane: Routing Table and ARP Table feed the Layer 3 Engine, which
- reorders entries according to longest prefix match
- resolves the MAC address of each next hop in the FIB
Data plane: Ingress Queues -> Layer 3 Forwarding Engine (FIB Table, Adjacency Table) -> Packet Rewrite -> Egress

VLANS & TRUNKS
- A VLAN is a broadcast domain: all devices connected to the VLAN receive broadcasts from members of the same VLAN
- Static VLANs offer port-based membership; a device assumes the VLAN connectivity of the port it is plugged into
- VLAN numbers 1 to 1005 (VLAN 1 and VLANs 1002 to 1005 are reserved for special cases)
- Extended range of VLANs: 1006 to 4094
Port Configuration (Access Mode):
1. Create a VLAN
2. Configure the interface for Layer 2 operation
3. Force the port to be assigned to only a single VLAN (access mode)
4. Assign a static VLAN membership to the port

VLANS & TRUNKS
- A trunk link can transport more than one VLAN through a single port
- Beneficial when switches are connected to other switches, routers or servers
VLAN Identification (Encapsulation):
- ISL (Inter-Switch Link): Cisco proprietary; referred to as double tagging. The switch adds a header and a trailer around the original frame, with the VLAN ID carried in the header
- IEEE 802.1Q: open standard; embeds its tag within the Layer 2 frame (single tagging) and introduces the concept of a native VLAN, which is sent untagged
Port Configuration (Trunk Mode):
1. Create the VLANs
2. Configure the interface for Layer 2 operation
3. Configure the trunk encapsulation
4. Configure the native VLAN (no tagging)
5. Define which VLANs are trunked over the link
6. Force the port into trunk mode
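The access-port and trunk-port procedures above, carried through as IOS configuration. This is an added example, not taken from the presentation; it assumes a Catalyst 3560/3750-class switch (where `switchport trunk encapsulation` exists), and the VLAN numbers and interface names are invented for illustration.

```cisco
! Added example (not from the presentation). Assumes a multilayer Catalyst
! running IOS; VLAN numbers and interface names are placeholders.
vlan 20
 name DATA
vlan 30
 name SERVERS
vlan 999
 name NATIVE_UNUSED
!
! Access port: Layer 2, forced into access mode, one static VLAN.
! "nonegotiate" stops DTP, so an end host can never talk the port into a trunk.
interface GigabitEthernet1/0/5
 description Access port - VLAN 20
 switchport
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
!
! Trunk to another switch: explicit 802.1Q encapsulation, a native VLAN that
! carries no user traffic, and only the VLANs that must cross this link.
interface GigabitEthernet1/0/24
 description Trunk to DIST-SW1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 20,30
 switchport mode trunk
 switchport nonegotiate
!
! Verification:
!   show vlan brief            (port-to-VLAN membership)
!   show interfaces trunk      (mode, encapsulation, native and allowed VLANs)
!   show interfaces switchport (per-port operational mode)
```

Both sides of the trunk must agree on the native VLAN; a mismatch is logged by CDP and leaks untagged frames between VLANs.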

LINK AGGREGATION
- Aggregation means scaling link bandwidth by bundling parallel links; also called EtherChannel technology
- Bundled ports must have the same speed/duplex and belong to the same VLAN (access) or pass the same VLANs (trunk)
- Frames are forwarded on a specific link as the result of a hashing algorithm (using IP address, MAC address and/or TCP/UDP port numbers)
EtherChannel Negotiation Protocols:
- Port Aggregation Protocol (PAgP): Cisco proprietary
- Link Aggregation Control Protocol (LACP): open standard

Negotiation Mode        Negotiation       Characteristics
LACP       PAgP         Packets Sent?
On         On           No                Port-channeling without negotiation
Passive    Auto         Yes               Waits until asked
Active     Desirable    Yes               Actively asks

LINK AGGREGATION
Layer 2 EtherChannel:
- Layer 2 interfaces: configure as access or trunk, then create the Port-channel
- Port-channel interface: configured as access or trunk, like its members
- Hashing algorithm: src-mac
Layer 3 EtherChannel:
- Layer 2 interfaces: convert to Layer 3 and create the Port-channel
- Port-channel interface: configure an IP address
- Hashing algorithm: src-dst-ip
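The Layer 2 and Layer 3 EtherChannel procedures from the two slides above, written out as IOS configuration. This is an added example, not the presenter's own configuration; interface numbers, VLANs and the /30 address are placeholders, and LACP "active" is used on this side so the bundle is negotiated rather than forced on.

```cisco
! Added example (not from the presentation). Placeholders: interface numbers,
! VLAN IDs, IP address. Members must match speed/duplex and VLAN settings.
!
! --- Layer 2 EtherChannel: trunk members, LACP active ---
interface range GigabitEthernet1/0/1 - 2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 20,30
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode active
!
! The logical interface carries the same Layer 2 settings as its members
interface Port-channel1
 description L2 EtherChannel to DIST-SW1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 20,30
 switchport mode trunk
!
! --- Layer 3 EtherChannel: make the logical interface routed first ---
interface Port-channel2
 description L3 EtherChannel to CORE-R1
 no switchport
 ip address 10.10.1.1 255.255.255.252
!
interface range GigabitEthernet1/0/3 - 4
 no switchport
 no ip address
 channel-group 2 mode active
!
! Load-balancing hash is a global (per-switch) setting, not per bundle
port-channel load-balance src-dst-ip
!
! Verification:
!   show etherchannel summary   (flags: P = bundled, D = down, s = suspended)
!   show lacp neighbor          (partner system ID and port state)
!   show etherchannel load-balance
```

A member that is suspended (flag "s") usually means a speed, duplex, VLAN or native-VLAN mismatch with the other members, which is the first thing to check when a bundle does not come up.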

MULTILAYER SWITCHING
- Transporting packets between VLANs requires a Layer 3 device -> interVLAN routing
[Diagram 1 (router-on-a-stick): a Layer 2 switch with access ports in VLAN 10, VLAN 20 and VLAN 30 and a trunk link carrying VLANs 10, 20, 30 to the router (ROAS) interface Gi0/1, with subinterfaces Gi0/1.10 = 10.10.10.1, Gi0/1.20 = 10.10.20.1 and Gi0/1.30 = 10.10.30.1]
[Diagram 2 (multilayer switch): Layer 2 access ports, a Layer 3 port, a trunk port to a second multilayer switch, and SVIs SVI VLAN 10 = 10.10.10.1/24 and SVI VLAN 20 = 10.10.20.1/24]
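The two interVLAN routing designs shown in the diagrams, as IOS configuration using the slide's addresses. This is an added example rather than the presenter's configuration; the switch interface numbers, the native VLAN 999 and the routed-port address 10.10.1.1/30 are assumptions.

```cisco
! Added example (not from the presentation). Addresses 10.10.x.1 come from
! the slide; interface numbers, native VLAN and the /30 are placeholders.
!
! --- Option A: router-on-a-stick (Layer 2 switch + router) ---
! Switch side: trunk toward the router carrying only the routed VLANs
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
! Router side: physical interface has no address, one 802.1Q subinterface
! per VLAN. Untagged frames (native VLAN 999) match no subinterface and
! are dropped, which is the intent.
interface GigabitEthernet0/1
 no ip address
 no shutdown
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 10.10.30.1 255.255.255.0
!
! --- Option B: multilayer switch with SVIs (no external router) ---
ip routing
vlan 10
vlan 20
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 no shutdown
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
 no shutdown
! Routed (Layer 3) port toward the next hop, the "Layer 3 Port" in the slide
interface GigabitEthernet1/0/1
 no switchport
 ip address 10.10.1.1 255.255.255.252
!
! In both designs the subinterface or SVI is where inter-VLAN traffic can be
! filtered (ip access-group), since VLAN isolation ends at the Layer 3 hop.
```

Use `show ip route connected` on the Layer 3 device to confirm each VLAN subnet appears, and `show ip interface brief` to confirm the subinterfaces or SVIs are up/up.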

IP TELEPHONY
Detecting a Powered Device:
- Power is always disabled when a switch port is down
- A switch continually detects whether a powered device is connected to a port
IEEE 802.3af (open standard):
- The switch supplies a small voltage across the Tx and Rx pairs and measures the resistance
- If the resistance is 25 kOhm, a powered device is detected
- The power budget can be changed by detecting the device's power class
Cisco Inline Power (ILP, Cisco proprietary):
- The switch sends out a 340 kHz test tone on the Tx pair
- If a PoE device is connected, the switch hears its test tone looped back
- The power budget can be changed by receiving CDP information from the PoE device

Power Class       Max Power at 48 V DC
0 (default)       15.4 W
1                 4.0 W
2                 7.0 W
3                 15.4 W
4                 Up to 50 W

IP TELEPHONY
[Diagram: an IP phone with a PC behind it connected to switch interface Gi1/0/1; the switch uplinks over an 802.1Q trunk to the distribution/core layers, where the Call Manager and the DHCP scopes for the Data VLAN and the Voice VLAN reside; a non-Cisco phone is shown as a special case on the Data VLAN]
- Data VLAN: untagged data packets
- Voice VLAN: tagged voice packets
- VLAN isolation: security, QoS
- The switch announces the voice VLAN to the phone in CDP packets
- Non-Cisco phones are a special case and stay on the Data VLAN

interface Gi1/0/1
 switchport access vlan 20
 switchport voice vlan 25

QUALITY OF SERVICE (QoS)
- Typical network: best-effort delivery and an equal chance of any packet being dropped
- QoS protects and prioritizes time-critical or important traffic
- Voice packets must be delivered with little delay, jitter and loss
Types of QoS:
- Best effort
- Integrated services model (per-flow basis)
- Differentiated services model (per-hop basis)
QoS Basic Model:

Stage                   Action                                                            Result
Classification          Inspect the packet and determine its QoS label based on ACL or config   Generate QoS label
Policing                Compare incoming traffic with the configured policer              In profile or out of profile
Marking                 Determine whether to pass through, mark down or drop the packet
Queueing & Scheduling   Determine into which egress queue to place the packet and schedule it   Based on QoS label

QUALITY OF SERVICE
Layer 2 QoS (CoS):
- Inter-Switch Link (ISL): the user field carries the CoS value
- IEEE 802.1Q: the priority field carries the CoS value
- CoS 0 = low priority ... CoS 7 = high priority
Layer 3 QoS (DSCP):
- DSCP bits DS5 DS4 DS3 DS2 DS1 DS0: DS5-DS3 = Class Selector, DS2-DS0 = Drop Precedence
CoS-DSCP Map:

CoS   DSCP
0     0
1     8
2     16
3     24
4     32
5     46
6     48
7     56

VOICE QoS
- The switch can decide whether to trust the CoS and DSCP values it receives and use them to make QoS decisions
- Classify the traffic at the edge of the QoS domain by using the trust state on ports
- Extend the trust boundary: switchport priority extend {cos value | trust}
[Diagram: trust boundary at the switch access port. Switch: "I see you are an IP phone, so I will trust your CoS." Phone in VLAN 110 marks voice = CoS 5 and signaling = CoS 3; the PC in VLAN 10 sets CoS 5 on all its traffic, and the phone resets all PC traffic to CoS 0. CoS 5 = DSCP 46, CoS 3 = DSCP 24, CoS 0 = DSCP 0]
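The voice VLAN port from the IP telephony slide, the CoS-DSCP map from the QoS slide and the trust boundary from this slide combined into one IOS configuration. This is an added example, not the presenter's demo config; it assumes a Catalyst 3560/3750-class switch with `mls qos`, and VLANs 20/25 follow the slide's `Gi1/0/1` snippet rather than the 10/110 pair in the diagram.

```cisco
! Added example (not from the presentation). Assumes a 3560/3750-class
! Catalyst; VLAN 20 (data) and 25 (voice) are taken from the slide.
!
! QoS is off by default on these platforms; enabling it also installs the
! default CoS-to-DSCP map, which is then overridden below.
mls qos
!
! CoS 0..7 -> DSCP, in CoS order. Matches the slide: CoS 5 becomes DSCP 46 (EF)
! instead of the default 40, so voice lands in the EF class.
mls qos map cos-dscp 0 8 16 24 32 46 48 56
!
interface GigabitEthernet1/0/1
 description Phone + PC
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 25
 ! Trust CoS only while CDP reports a Cisco IP phone on the port; if the
 ! phone is unplugged and a PC is connected directly, the port stops
 ! trusting and all its traffic is remarked to CoS 0 / DSCP 0.
 mls qos trust device cisco-phone
 mls qos trust cos
 ! Tell the phone to overwrite whatever CoS the PC sets with 0, so a host
 ! marking its own traffic CoS 5 cannot share the voice queue.
 switchport priority extend cos 0
 spanning-tree portfast
!
! Verification:
!   show mls qos interface gigabitethernet1/0/1   (trust state, "trust device")
!   show mls qos maps cos-dscp                    (the active map)
!   show interfaces gigabitethernet1/0/1 switchport (voice VLAN)
```

The inline `!` comments inside the interface block are for reading; when pasting into a real switch, remove them, since IOS only treats `!` as a comment at the start of a line.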

SECURING SWITCHES
Best Practices for Securing Switches:
- Enable port security: identify a set of allowed MAC addresses and a violation type
- Enable 802.1X port-based authentication
- Configure secure passwords
- Use system banners to warn unauthorized users
- Secure the web interface
- Secure the switch console
- Use SSH instead of Telnet
- Secure SNMP access
- Secure unused switch ports
- Secure STP operation
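Most of the best practices above as one IOS hardening snippet (802.1X and SNMP are left out because they need a RADIUS server and an SNMP manager that the presentation does not describe). This is an added example, not the presenter's demo; hostname, domain, interface numbers, VLAN 998 and the `CHANGE-ME` secrets are placeholders.

```cisco
! Added example (not from the presentation). Placeholders: hostname, domain,
! secrets, interface numbers, VLAN 998. Port security, SSH-only management,
! banner, console/web lockdown, unused ports and STP guards.
hostname ACCESS-SW1
ip domain-name example.net
service password-encryption
enable secret CHANGE-ME-strong-enable-secret
username netadmin privilege 15 secret CHANGE-ME-strong-user-secret
banner motd ^Authorized use only. Activity is logged and monitored.^
!
! Management: SSH v2 only, no Telnet, no web UI (key generation is an EXEC
! command on older IOS; run it before the lines below)
crypto key generate rsa modulus 2048
ip ssh version 2
no ip http server
no ip http secure-server
line con 0
 login local
 exec-timeout 10 0
line vty 0 15
 login local
 transport input ssh
 exec-timeout 10 0
!
! STP: every PortFast edge port drops into err-disable if a BPDU arrives
spanning-tree portfast bpduguard default
!
! Access port: one phone + one PC allowed; extra MACs are dropped and
! logged (restrict) without taking the port down
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 25
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 spanning-tree portfast
!
! Port toward a downstream switch: never accept a superior BPDU from it
interface GigabitEthernet1/0/23
 spanning-tree guard root
!
! Unused ports: shut down and parked in an otherwise unused VLAN
interface range GigabitEthernet1/0/20 - 22
 switchport mode access
 switchport access vlan 998
 shutdown
```

Check the result with `show port-security interface gigabitethernet1/0/5` (violation count and sticky addresses) and `show spanning-tree inconsistentports` (ports blocked by root guard).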

DEMO
1. Create VLANs
2. Configure access interfaces
3. Configure security on access ports
4. Configure EtherChannel
5. Configure trunk interfaces
6. Configure interVLAN routing
7. Configure DHCP server
8. Configure QoS trust boundary
9. Test the topology
10. Erase configuration

QUESTIONS

THANK YOU!