Sunday, July 13, 2014

ISL and 802.1Q frames

The ISL frame consists of three primary fields: the ISL header, the encapsulated frame (the original frame, carried unchanged), and the FCS at the end:

ISL Header (26 bytes) | Encapsulation Frame (Original Data) | FCS (4 bytes)

In ISL, the original frame is encapsulated and an additional header is added before the frame is carried over a trunk link. An FCS is also generated from some fields of the ISL header and the encapsulated frame and appended to the end of the frame. At the receiving end, the header and FCS are removed and the frame is forwarded to the assigned VLAN. The FCS field is 4 bytes long and contains a 32-bit CRC value.

802.1Q is the IEEE standard for tagging frames on a trunk and supports up to 4096 VLANs. In 802.1Q, the trunking device inserts a 4-byte tag into the original frame and recomputes the frame check sequence (FCS) before sending the frame over the trunk link. At the receiving end, the tag is removed and the frame is forwarded to the assigned VLAN. 802.1Q does not tag frames on the native VLAN. Because the 4-byte tag field is inserted into the original Ethernet frame itself, IEEE 802.1Q is called an internal tagging mechanism.

802.1Q modifies the FCS field inside the original Ethernet frame, while ISL leaves the original FCS inside the Ethernet frame unchanged and simply adds another FCS outside the original Ethernet frame.
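To make that difference concrete, here is an added Python example (not from the original post or from Cisco) that builds a constructed Ethernet frame, tags it 802.1Q style (4-byte tag after the source MAC, FCS recomputed) and wraps it ISL style (26-byte header prepended, original frame and its FCS left untouched, outer FCS appended). The ISL header field values are my own construction and an assumption; the MACs and payload are made up.

```python
import struct, zlib

ISL_HEADER_LEN = 26   # ISL header length given on the page

def fcs(data: bytes) -> bytes:
    """Ethernet FCS: CRC-32 of the frame, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def fcs_ok(frame: bytes) -> bool:
    return fcs(frame[:-4]) == frame[-4:]

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    body = dst + src + struct.pack(">H", ethertype) + payload
    return body + fcs(body)

def dot1q_tag(frame: bytes, vlan: int, pcp: int = 0) -> bytes:
    """802.1Q: insert the 4-byte tag after the source MAC and recompute the FCS."""
    tci = (pcp << 13) | (vlan & 0x0FFF)        # 3-bit PCP, 1-bit DEI, 12-bit VLAN ID
    body = frame[:12] + struct.pack(">HH", 0x8100, tci) + frame[12:-4]
    return body + fcs(body)

def dot1q_untag(frame: bytes):
    """Receiving end: strip the tag, recompute the FCS, return (vlan, original frame)."""
    if struct.unpack(">H", frame[12:14])[0] != 0x8100:
        raise ValueError("not an 802.1Q tagged frame")
    vlan = struct.unpack(">H", frame[14:16])[0] & 0x0FFF
    body = frame[:12] + frame[16:-4]
    return vlan, body + fcs(body)

def isl_encapsulate(frame: bytes, vlan: int) -> bytes:
    """ISL: prepend a 26-byte header, keep the original frame (with its own FCS)
    untouched, append an outer FCS. Header field values here are constructed."""
    src = frame[6:12]
    header = (bytes.fromhex("01000c0000") + b"\x00" + src + struct.pack(">H", len(frame))
              + bytes.fromhex("aaaa03") + src[:3] + struct.pack(">H", vlan << 1) + bytes(4))
    assert len(header) == ISL_HEADER_LEN
    return header + frame + fcs(header + frame)

def isl_decapsulate(frame: bytes):
    """Receiving end: check the outer FCS, drop header and outer FCS, hand back the
    inner frame exactly as it was sent (its FCS still validates)."""
    if not fcs_ok(frame):
        raise ValueError("outer FCS mismatch")
    vlan = struct.unpack(">H", frame[20:22])[0] >> 1   # 15-bit VLAN above the BPDU bit
    return vlan, frame[ISL_HEADER_LEN:-4]

# Constructed sample frame: made-up MACs, EtherType IPv4, dummy payload.
ORIGINAL = build_frame(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                       0x0800, b"\x45\x00" + bytes(44))
```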

(Reference: http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080094665.shtml)

Friday, July 4, 2014

IP Service Level Agreements (SLAs)

Cisco IOS IP Service Level Agreements (SLAs) allow users to monitor network performance between Cisco routers, or from a Cisco router to a remote IP device. Cisco IOS IP SLA has been the most popular way to measure performance statistics (e.g. latency, jitter, packet loss and MOS). The Cisco IOS IP SLAs Responder is a component embedded in the destination Cisco router whose function is to respond to Cisco IOS IP SLAs request packets. The responder adds timestamps to the echoed packets, which allows a Cisco device to measure unidirectional packet loss, latency and jitter. The accuracy of the measurements improves significantly when the responder is used.

Cisco IOS IP SLAs Benefits
1. Measure end-to-end IP layer network performance
2. Deploy new applications and services with complete confidence
3. Verify and monitor quality of service (QoS) and differentiated services
4. Increase end user confidence and satisfaction
5. Implement SLA measurement metrics
6. Notify users about network issues proactively
7. Measure network performance continuously, reliably, and predictably

Reference
http://www.cisco.com/en/US/technologies/tk648/tk362/tk920/technologies_white_paper09186a00802d5efe.html

Saturday, May 10, 2014

Configuring Port Security

Setting the Maximum Number of Secure Addresses
This example shows how to enable port security on Fast Ethernet interface 0/1 and how to set the maximum number of secure addresses to 3. The violation mode is the default, and no secure MAC addresses are configured.
Switch# configure terminal
Switch(config)# interface fa0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 3
Switch(config-if)# switchport port-security mac-address sticky

Setting a Violation Mode
Switch(config-if)# switchport port-security violation restrict

Setting the Aging Timer
Switch(config-if)# switchport port-security aging time 120

Configuring a Secure MAC Address
Switch(config-if)# switchport port-security mac-address 0000.0000.0003   (static secure MAC)

Configuring Sticky Port Security
Switch(config-if)# switchport port-security mac-address sticky

Private VLAN (PVLAN)

The main purpose of a Private VLAN (PVLAN) is to isolate hosts at Layer 2 instead of Layer 3. A VLAN is a broadcast domain; with a PVLAN we split that domain into smaller broadcast domains. For example, without PVLANs a service provider that wants to increase security by isolating customers into separate domains, so that they cannot access each other, has to assign them to different VLANs and use different subnets. This wastes IP addresses and makes VLAN management harder. Private VLANs (PVLANs) solve this problem by allowing devices in the same subnet to be isolated at Layer 2. A PVLAN can be thought of as a "VLAN inside a VLAN".

There are three types of ports in a PVLAN:
1. Isolated – communicates only with promiscuous ports. Note that it cannot even communicate with another isolated port. Also, there can be only one isolated VLAN per PVLAN.
2. Promiscuous – can communicate with all other ports. The default gateway is usually connected to this port so that all devices in the PVLAN can reach the outside.
3. Community – can communicate with other members of the same community and with promiscuous ports, but cannot communicate with other communities. There can be multiple community VLANs per PVLAN.
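The three port roles above written out as a reachability check, as an added Python example that is not part of the original post; the port names, communities and roles are constructed to cover every pairing.

```python
# Constructed PVLAN port roles: (role, community name or None).
PORTS = {
    "gi0/1": ("promiscuous", None),   # uplink to the default gateway
    "gi0/2": ("isolated", None),      # customer A host
    "gi0/3": ("isolated", None),      # customer B host
    "gi0/4": ("community", "web"),    # web tier, community 'web'
    "gi0/5": ("community", "web"),
    "gi0/6": ("community", "db"),     # database tier, community 'db'
}

def pvlan_allows(a: str, b: str, ports=PORTS) -> bool:
    """Layer 2 reachability between two ports of the same private VLAN."""
    role_a, comm_a = ports[a]
    role_b, comm_b = ports[b]
    if "promiscuous" in (role_a, role_b):
        return True                          # promiscuous talks to everything
    if role_a == "community" and role_b == "community":
        return comm_a == comm_b              # community: same community only
    return False                             # isolated: nothing but promiscuous

def reachability(ports=PORTS) -> dict:
    """For each port, the sorted list of other ports it can reach."""
    return {p: sorted(q for q in ports if q != p and pvlan_allows(p, q, ports))
            for p in ports}

def is_symmetric(ports=PORTS) -> bool:
    """Sanity check on the rule set: if A can reach B, B must be able to reach A."""
    return all(pvlan_allows(a, b, ports) == pvlan_allows(b, a, ports)
               for a in ports for b in ports)
```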

HSRP States

Initial – This is the beginning state. It indicates that HSRP is not running. It occurs when the configuration changes or the interface is first turned on.
Listen – The router knows both the IP and MAC address of the virtual router but it is not the active or standby router. For example, if there are 3 routers in an HSRP group, the router that is neither active nor standby remains in the listen state.
Speak – The router sends periodic HSRP hellos and participates in the election of the active or standby router.
Standby – In this state, the router monitors hellos from the active router and takes the active state when the current active router fails (no packets heard from the active router).
Active – The router forwards packets that are sent to the HSRP group. The router also sends periodic hello messages.

Hot Standby Router Protocol (HSRP) – Routing Redundancy

1. It is Cisco proprietary.
2. It enables a set of router interfaces to present the appearance of a single virtual router or default gateway to the hosts on a LAN.
3. It provides a virtual Media Access Control (MAC) address and an IP address that are shared on the LAN.
4. The virtual router does not physically exist; it represents the common target for routers that are configured to provide backup to each other.
5. One of the routers is selected to be the active router and another to be the standby router, which takes control of the group MAC address and IP address should the designated active router fail.

The standby ip interface configuration command activates HSRP on a Layer 3 interface. Devices running HSRP send and receive multicast UDP-based hello packets to detect router failure and to designate the active and standby routers.
The switch supports HSRP MAC addresses for up to 16 unique HSRP groups. Because each group address can be used on up to 16 Layer 3 interfaces, the maximum number of HSRP interfaces is 256. Cisco recommends using no more than 64 HSRP interfaces because of CPU utilization.

Default HSRP Configuration
HSRP groups – none configured
Standby group number – 0
Standby MAC address – 0000.0c07.acXX, where XX is the HSRP group number
Standby priority – 100
Standby delay – 0
Standby track interface priority – 10
Standby hello time – 3 seconds
Standby holdtime – 10 seconds

HSRP Configuration Guidelines and Limitations
There are three types of interfaces on which HSRP can be configured:
1. Routed port – a physical port configured as a Layer 3 port by entering the no switchport interface configuration command.
2. SVI – a VLAN interface created with the interface vlan vlan_id global configuration command, which is a Layer 3 interface by default.
3. EtherChannel port channel in Layer 3 mode – a port-channel logical interface created with the interface port-channel port-channel-number global configuration command and by binding the Ethernet interfaces into the channel group.
All Layer 3 interfaces must have IP addresses assigned to them.
An interface can belong to multiple HSRP groups, and the same HSRP group can be applied to different interfaces.

Follow the steps below to create or enable HSRP on a Layer 3 interface:
1. Enter global configuration mode.
2. Enter interface configuration mode for the Layer 3 interface on which you want to enable HSRP.
3. Create the HSRP group using its number and virtual IP address: standby [group-number] ip [ip-address [secondary]]
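The HSRP states listed earlier and the defaults above (priority 100, hello 3 s, holdtime 10 s, virtual MAC 0000.0c07.acXX) as a small election and failover simulation; this is an added Python example, not code from the original post or from Cisco. The three routers are constructed, the speak phase is collapsed into a one-shot election, and the priority tie-break on the higher IP address is standard HSRP behaviour that the page does not state.

```python
HELLO, HOLD = 3, 10          # page defaults: hello 3 s, holdtime 10 s
DEFAULT_PRIORITY = 100       # page default standby priority

def virtual_mac(group: int) -> str:
    """Default standby MAC 0000.0c07.acXX, XX = group number (hex)."""
    return f"0000.0c07.ac{group:02x}"

def sample_routers():
    # Constructed group members (not real devices): IP, priority, link state.
    return [{"ip": "10.0.0.1", "priority": 110, "up": True},
            {"ip": "10.0.0.2", "priority": DEFAULT_PRIORITY, "up": True},
            {"ip": "10.0.0.3", "priority": DEFAULT_PRIORITY, "up": True}]

class HsrpGroup:
    def __init__(self, group: int, routers: list):
        self.group, self.routers, self.last_active_hello = group, routers, 0
        self.elect(now=0)

    def elect(self, now: int):
        """Speak phase collapsed: best two up routers become active/standby, others listen."""
        # Higher priority wins; equal priority -> higher IP (HSRP tie-break, not on the page).
        up = sorted((r for r in self.routers if r["up"]),
                    key=lambda r: (r["priority"], tuple(map(int, r["ip"].split(".")))),
                    reverse=True)
        for r in self.routers:
            r["state"] = "listen" if r["up"] else "initial"   # down = HSRP not running
        for r, state in zip(up, ("active", "standby")):
            r["state"] = state
        self.last_active_hello = now

    def active(self):
        return next((r for r in self.routers if r["state"] == "active"), None)

    def tick(self, now: int):
        """One second passes: active hellos every HELLO s; HOLD s of silence = dead."""
        act = self.active()
        if act and act["up"] and now % HELLO == 0:
            self.last_active_hello = now
        elif now - self.last_active_hello >= HOLD:
            self.elect(now)                       # standby takes over

def simulate_failover(group, routers, fail_ip, fail_at, until):
    """Run the clock, take fail_ip down at fail_at, return (takeover time, states)."""
    g, takeover = HsrpGroup(group, routers), None
    for now in range(1, until + 1):
        if now == fail_at:
            next(r for r in routers if r["ip"] == fail_ip)["up"] = False
        before = g.active()["ip"]
        g.tick(now)
        if takeover is None and g.active()["ip"] != before:
            takeover = now
    return takeover, {r["ip"]: r["state"] for r in routers}
```

With the defaults, the standby only notices the failure once the 10-second holdtime has run out after the last hello it heard, so the takeover lands a few seconds after the actual failure.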

Reference:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_19_ea1/configuration/guide/swhsrp.html

CAM Table Operation

Non-VLAN-Capable Switch CAM Table Operation
A switch uses its CAM (content addressable memory) table to store MAC addresses and the port on which each MAC address was learned. When the switch receives a frame, it consults its CAM table to determine what to do with the frame.

1. If the destination MAC address does not appear in the CAM table, the switch sends the frame out all ports except the one on which it arrived. (Flood)
2. If the destination MAC address appears in the CAM table, the frame is sent to the identified port for transmission. (Forward)
3. If the destination MAC address is associated with the same port on which the frame was received, the frame is discarded. (Filter)
4. If the destination MAC address is a broadcast or multicast address, the frame is sent out all ports except the one on which it was received. (Flood)

VLAN-Capable Switch CAM Table Operation
A switch uses its CAM table to store MAC addresses together with the port and the port VLAN ID on which each MAC address was learned. When the switch receives a frame, it consults its CAM table to determine which action to take.

1. If the destination MAC address does not appear in the CAM table, the switch sends the frame out all ports with a matching VLAN ID, except the one on which it was received. (Flood)
2. If the destination MAC address appears in the CAM table, the frame is sent to the port with the matching VLAN ID for transmission. (Forward)
3. If the destination MAC address is associated with the same port on which the frame was received, the frame is discarded. (Filter)
4. If the destination MAC address is a broadcast or multicast address, the frame is sent out all ports with a matching VLAN ID, except the one on which it was received. (Flood)
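The four VLAN-capable rules above, plus the port-security maximum from the Configuring Port Security post, as a small switch model; this is an added Python example, not code from the original post or from Cisco. The ports, VLANs and MAC addresses are constructed, and the restrict behaviour (drop the frame, count a violation, keep the port up) is Cisco's documented semantics for that mode, not something the page spells out.

```python
from collections import defaultdict

def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the low bit of the first octet set."""
    return int(mac[:2], 16) & 1 == 1

class Switch:
    """VLAN-capable switch: CAM table keyed by (VLAN, MAC), plus an optional
    per-port secure-address maximum with 'restrict' semantics (drop and count)."""
    def __init__(self, port_vlan: dict):
        self.port_vlan = port_vlan            # access port -> VLAN ID (constructed)
        self.cam = {}                         # (vlan, mac) -> port it was learned on
        self.max_secure = {}                  # port -> 'port-security maximum N'
        self.violations = defaultdict(int)    # port -> SecurityViolation counter

    def port_security(self, port: str, maximum: int):
        self.max_secure[port] = maximum

    def receive(self, in_port: str, src: str, dst: str):
        """Return (action, output ports) for a frame arriving on in_port."""
        vlan = self.port_vlan[in_port]
        if (vlan, src) not in self.cam and in_port in self.max_secure:
            learned = sum(1 for p in self.cam.values() if p == in_port)
            if learned >= self.max_secure[in_port]:
                self.violations[in_port] += 1   # restrict: drop, count, port stays up
                return "violation", []
        self.cam[(vlan, src)] = in_port         # learn the source MAC on this port/VLAN
        same_vlan = [p for p, v in self.port_vlan.items() if v == vlan and p != in_port]
        if is_group_address(dst):               # rule 4: broadcast/multicast -> flood
            return "flood", same_vlan
        out = self.cam.get((vlan, dst))
        if out is None:                         # rule 1: unknown destination -> flood
            return "flood", same_vlan
        if out == in_port:                      # rule 3: destination behind same port -> filter
            return "filter", []
        return "forward", [out]                 # rule 2: known destination -> forward

def demo():
    sw = Switch({"fa0/1": 10, "fa0/2": 10, "fa0/3": 20, "fa0/4": 10})   # constructed
    sw.port_security("fa0/4", 1)   # like 'switchport port-security maximum 1'
    log = [
        sw.receive("fa0/1", "0000.0000.0001", "0000.0000.0002"),  # unknown dst: flood VLAN 10
        sw.receive("fa0/2", "0000.0000.0002", "0000.0000.0001"),  # dst known now: forward
        sw.receive("fa0/2", "0000.0000.0003", "0000.0000.0002"),  # dst on same port: filter
        sw.receive("fa0/3", "0000.0000.0004", "ffff.ffff.ffff"),  # broadcast, VLAN 20 has no peers
        sw.receive("fa0/4", "0000.0000.0005", "0000.0000.0001"),  # first secure MAC on fa0/4
        sw.receive("fa0/4", "0000.0000.0006", "0000.0000.0001"),  # second one exceeds maximum
    ]
    return log, dict(sw.violations)
```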