
Does our network need a core switch?
Cisco has defined a hierarchical model that simplifies internetworking. Other manufacturers may not classify their switches according to this model.
In a small network, computers are connected using a switch or a number of cascaded switches. Cisco defines switches used to connect desktops as access layer switches. The access layer is also called the desktop layer because it is used to connect desktops and workstations.
A large organization is bound to have many small networks or subnets. It is necessary to interconnect them. Routing between subnets must also be done. For this purpose, Cisco defined the distribution layer. The distribution layer uses IP-aware Layer 3 switches. Please note that access layer switches are Layer 2; therefore, the distribution of packets between the various subnets is performed by the distribution layer. Firewalls are also implemented at the distribution layer.
High-performance Layer 2 switches are used to interconnect distribution switches. Cisco defines these switches as core switches. If you have many Layer 3 switches in your organization, a core layer is essential. Without a core layer, the interconnections between the distribution switches will become unmanageable.
See diagram below for an illustration of a hierarchical network.

What is the difference between a Layer 3 and Layer 2 switch?
Let us first look at a data packet.
In the early days, Ethernet switches used only MAC addresses to identify target and destination ports. Since Media Access Control (MAC) is a Layer 2 protocol (see figure above), these switches became known as Layer 2 switches.
A router is a device that routes IP packets between IP subnets based on routing information configured in it. Since IP is a Layer 3 protocol, routers are Layer 3 devices.
Then, switch manufacturers started making switches that could route packets to switch ports based on IP address information. Switches that are capable of routing based on IP information are called Layer 3 switches.
Please note that Layer 3 switches can route packets based on Layer 2 addresses also. Therefore, a Layer 3 switch is a Layer 2 switch and a router rolled into one.
What is a Virtual Local Area Network?
A Local Area Network (LAN) usually refers to computers connected to a switch. When one computer sends out an Ethernet broadcast packet, all other computers connected to the switch receive it. A LAN may therefore also be called a broadcast domain. Suppose you need to define LANs that meet one of the following requirements: 1) You want computers connected to two different access switches to be on the same LAN. 2) You want two computers connected to the same switch to be on two different LANs. In such situations, a Virtual LAN (VLAN) may be used. Each switch port can be tagged with a VLAN identifier. When one computer sends out a broadcast packet, it is received only by computers connected to switch ports that are configured with the same VLAN identifier. Thus, a Virtual Local Area Network (VLAN) lets you do precisely what it says: create a LAN (or broadcast domain) that excludes ports on the same switch.
Can VLAN be used as a security feature?
VLAN implementation is based on traffic tagging, i.e., data packets are tagged with VLAN labels. MAC Flooding Attack, 802.1Q and ISL Tagging Attack, Double-Encapsulated 802.1Q/Nested VLAN Attack, and ARP Attacks are some examples of schemes used by malicious users to compromise VLANs.
Although the VLAN mechanism is sound in principle, there have been many instances where holes have been found in implementations. Hence, VLANs should not be used for protecting critical systems.
It is important to compartmentalize networks and use firewalling among these compartments, but VLANs must not be the technology used to provide this compartmentalization.
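As a monitoring aid for the tagging issues named above, the following added example (not part of the original page) walks the 802.1Q tag stack of a captured Ethernet frame and flags nested tags, or any tag arriving on an access port. The sample frames are constructed, and the sketch assumes the monitored ports carry no legitimate Q-in-Q traffic.

```python
import struct

TPID_8021Q = 0x8100   # IEEE 802.1Q VLAN tag
TPID_8021AD = 0x88A8  # IEEE 802.1ad service tag (Q-in-Q)


def vlan_tags(frame: bytes) -> list[int]:
    """Return the VLAN IDs of all tags in an Ethernet frame, outermost first."""
    tags = []
    offset = 12  # skip destination MAC (6 bytes) and source MAC (6 bytes)
    while offset + 4 <= len(frame):
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid not in (TPID_8021Q, TPID_8021AD):
            break  # reached the real EtherType, no more tags
        tags.append(tci & 0x0FFF)  # low 12 bits of the TCI hold the VLAN ID
        offset += 4
    return tags


def classify(frame: bytes, access_port: bool) -> str:
    """Flag frames whose tagging is unexpected for the port they arrived on."""
    tags = vlan_tags(frame)
    if len(tags) >= 2:
        return "alert: nested tags %s" % tags
    if tags and access_port:
        return "alert: tagged frame on access port (VLAN %d)" % tags[0]
    return "ok"


# Constructed sample frames (hex): dst MAC, src MAC, tags, EtherType, payload stub.
MACS = "ffffffffffff" "020000000001"
SAMPLES = {
    "untagged": bytes.fromhex(MACS + "0800" + "45000000"),
    "single": bytes.fromhex(MACS + "8100000a" + "0800" + "45000000"),
    "nested": bytes.fromhex(MACS + "81000001" + "81000014" + "0800" + "45000000"),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, classify(frame, access_port=True))
```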
What is Address Resolution Protocol?
Every Ethernet Network Interface Card (NIC) is identified by a unique MAC (media access control) address. When a NIC sends a data packet to another NIC, the packet must be addressed with the target NIC's MAC address. However, only the target IP address is known to the source NIC. To resolve the MAC address from the IP address, Address Resolution Protocol (ARP) is used.
The source NIC sends out an ARP request as a broadcast packet (addressed to MAC address: FF:FF:FF:FF:FF:FF). The ARP request contains the question - "What is the MAC address corresponding to IP address x.y.z.a?". All NICs receive this message. The NIC that has the IP address referred to by the ARP request responds with its MAC address. Now, the original Ethernet packet can be sent, addressed with the newly available MAC address.
How does ARP work when the target IP address is not on the same network?
The IP stack on the source computer knows that the target IP address is not on the same subnet based on its own IP address and subnet mask. Once it is identified that the target IP is not on the same subnet, the IP stack checks its routing table to locate the router interface to which the packet must be sent. Since the router interface is on the same subnet, ARP can be used.
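The two ARP answers above can be traced in code. This added example (not from the original page) decides which IP address a host ARPs for, using its own address, subnet mask and routing table, and then builds the broadcast ARP request frame. The addresses, MAC and routing table are constructed sample values, and the function names are hypothetical.

```python
import ipaddress
import struct


def arp_target(src_if: str, dst_ip: str, routes: dict[str, str]) -> str:
    """Return the IP the host must resolve with ARP to reach dst_ip.

    src_if is 'address/prefix'; routes maps destination network -> gateway IP.
    """
    iface = ipaddress.ip_interface(src_if)
    dst = ipaddress.ip_address(dst_ip)
    if dst in iface.network:
        return str(dst)  # same subnet: ARP for the target itself
    # Different subnet: pick the most specific matching route.
    matches = [(ipaddress.ip_network(net), gw) for net, gw in routes.items()
               if dst in ipaddress.ip_network(net)]
    if not matches:
        raise LookupError("no route to %s" % dst)
    _, gateway = max(matches, key=lambda m: m[0].prefixlen)
    if ipaddress.ip_address(gateway) not in iface.network:
        raise ValueError("gateway %s is not on the local subnet" % gateway)
    return gateway  # ARP for the router interface, not the remote host


def arp_request(src_mac: bytes, src_ip: str, target_ip: str) -> bytes:
    """Build an Ethernet frame carrying an ARP request for target_ip."""
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", 0x0806)  # broadcast, ARP
    # Hardware type 1 (Ethernet), protocol IPv4, lengths 6 and 4, opcode 1.
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += src_mac + ipaddress.ip_address(src_ip).packed
    arp += b"\x00" * 6 + ipaddress.ip_address(target_ip).packed  # MAC unknown
    return eth + arp


# Constructed sample host configuration.
HOST_IF = "192.168.1.10/24"
HOST_MAC = bytes.fromhex("020000000001")
ROUTES = {"0.0.0.0/0": "192.168.1.1", "10.2.0.0/16": "192.168.1.254"}

if __name__ == "__main__":
    for dst in ("192.168.1.77", "203.0.113.5", "10.2.3.4"):
        hop = arp_target(HOST_IF, dst, ROUTES)
        print(dst, "-> ARP for", hop, arp_request(HOST_MAC, "192.168.1.10", hop).hex())
```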
 
 
Copyright © SmartNET Technology Private Limited, Mumbai. All rights reserved.