Which of the devices listed below is used for separating broadcast domains?

Although bridges and switches are similar in many respects, there are some minor differences between them. Switches are generally much faster than bridges because switching is generally done in hardware, and bridges are normally software based. Switches also offer higher port densities than bridges. Furthermore, although bridges always use store-and-forward technology, some switches support cut-through switching, which allows them to reduce latency in the network.

When using store-and-forward, a switch must receive the entire frame before beginning the switching process. After it receives the entire frame, the switch examines the frame to check for errors. If it sees errors, the frame is discarded. Since the switch discards frames with errors, store-and-forward prevents these errored frames from using up bandwidth on the destination segment. If Layer 2 frame errors are common on your network, store-and-forward technology is a good fit. However, since the switch must receive the entire frame before it can begin to forward, latency is added to the switching process. This latency is based on the frame size. For example, in a 10Mbps Ethernet network, the smallest possible frame (64 bytes) takes 51.2 microseconds to receive. The largest frame size (1518 bytes) takes 1.2 milliseconds. Latency for 100Mbps networks is one-tenth of these numbers, and latency on Gigabit networks is one-hundredth of these values.

Cut-through switching allows a switch to start forwarding a frame as soon as the destination address is received. This reduces the latency value to the time required to receive the 6 bytes of the destination address. In the case of 10Mbps Ethernet, there is a 4.8-microsecond latency. However, cut-through switching does not have the ability to check for errors on a frame before it is forwarded. As a result, errored frames pass through the switch, wasting bandwidth on the destination segment.
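The two switching modes described above, as an added Python example (not code from the book): it computes the serialization latency the text quotes for 10/100/1000 Mbps, builds a constructed minimum-size frame with a proper IEEE 802.3 FCS (CRC-32, sent least-significant byte first), corrupts one byte, and shows that store-and-forward drops the damaged frame after the full receive time while cut-through has already forwarded it after the 6-byte destination address. The MAC addresses and payload are made up.

```python
import struct
import zlib

# Serialization time for a given number of bytes on a link of the given bit
# rate, in microseconds (8 bits per byte; preamble and inter-frame gap ignored).
def receive_time_us(frame_bytes: int, bits_per_second: int) -> float:
    return frame_bytes * 8 / bits_per_second * 1_000_000

# Ethernet FCS: CRC-32 over everything from the destination address to the end
# of the payload, transmitted least-significant byte first. zlib.crc32 uses the
# same polynomial and bit ordering as IEEE 802.3.
def fcs(frame_without_fcs: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)

def fcs_ok(frame: bytes) -> bool:
    return fcs(frame[:-4]) == frame[-4:]

# Store-and-forward: the whole frame must arrive before the FCS can be checked,
# so latency is the full serialization time; a frame with a bad FCS is dropped.
# Returns (forwarded, latency_us).
def store_and_forward(frame: bytes, bits_per_second: int):
    return fcs_ok(frame), receive_time_us(len(frame), bits_per_second)

# Cut-through: the decision is made after the 6-byte destination address, so a
# corrupted byte further into the frame has not been seen yet and the frame goes out.
def cut_through(frame: bytes, bits_per_second: int):
    return True, receive_time_us(6, bits_per_second)

# Constructed sample: a minimum-size (64-byte) frame with made-up addresses and
# a 46-byte payload, plus a copy with one corrupted payload byte.
SAMPLE_FRAME = build_frame(bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee"),
                           0x0800, bytes(46))
CORRUPTED_FRAME = SAMPLE_FRAME[:20] + bytes([SAMPLE_FRAME[20] ^ 0xFF]) + SAMPLE_FRAME[21:]

def compare(frame: bytes, bits_per_second: int = 10_000_000) -> dict:
    """Both switching modes applied to one frame at one link speed."""
    sf_fwd, sf_lat = store_and_forward(frame, bits_per_second)
    ct_fwd, ct_lat = cut_through(frame, bits_per_second)
    return {"store_and_forward": (sf_fwd, round(sf_lat, 3)),
            "cut_through": (ct_fwd, round(ct_lat, 3))}

if __name__ == "__main__":
    for speed in (10_000_000, 100_000_000, 1_000_000_000):
        print(speed, "bps: min frame", receive_time_us(64, speed), "us,",
              "max frame", receive_time_us(1518, speed), "us")
    print("good frame:", compare(SAMPLE_FRAME))
    print("bad frame: ", compare(CORRUPTED_FRAME))
```

Running it reproduces the 51.2 µs / 1.2 ms / 4.8 µs figures from the text and shows the trade-off directly: the corrupted frame is the one cut-through lets onto the destination segment.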

Collision Domains

A collision domain is defined as a single CSMA/CD network in which there will be a collision if two stations attached to the system transmit at the same time. Each port on a bridge or a switch defines a collision domain.

Spanning Tree Protocol and the Spanning Tree Algorithm

Spanning Tree Protocol (STP) is documented in the IEEE 802.1D standard. It is designed to maintain a loop-free topology in a bridged network. In a redundant topology, where more than one bridge might be connected between two LANs, frames can bounce back and forth between the two parallel bridges connecting the LANs. This can create a situation in which broadcast packets keep going around and around in a loop. STP works around this issue by blocking bridge ports when a physical loop exists in the network. This solution allows a new bridge to be placed anywhere in the LAN without the danger of creating a loop.

STP goes through three steps to achieve a loop-free topology:

1. Election of a root bridge

2. Election of a root port

3. Election of a designated port

BPDUs and a Root Bridge

Bridges and switches build spanning trees by exchanging Bridge Protocol Data Unit (BPDU) frames. Figure 1.24 shows the frame format of a configuration BPDU. It consists of the following fields:

Figure 1.24. BPDU Frame Format

Protocol Identifier A 2-byte field that identifies the type of protocol. This field always contains the value 0.

Version A 1-byte field that specifies the version of protocol. This field always contains the value 0.

Message Type A 1-byte field that indicates the type of message. This field always contains the value 0.

Flags A 1-byte field, but only the first 2 bits are used. The topology change (TC) bit indicates a topology change. The topology change acknowledgment bit (TCA) indicates acknowledgment of a message with the TC bit set.

Root ID An 8-byte field that specifies the bridge ID of the root of the spanning tree.

Root Path Cost A 4-byte field that specifies the cost of the path from the bridge sending the BPDU to the root bridge.

Bridge ID An 8-byte field that specifies the bridge ID of the bridge sending the BPDU.

Port ID A 2-byte field that identifies the port from which the BPDU was sent.

Message Age A 2-byte field that specifies the amount of time elapsed since the root initiated the BPDU on which this BPDU is based.

Maximum Age A 2-byte field that specifies when this BPDU should be deleted.

Hello Time A 2-byte field that specifies the time period between configuration BPDUs.

Forward Delay A 2-byte field that specifies the amount of time bridges should wait before transitioning to a new state after a topology change.

When the network starts, all bridges start sending out configuration BPDUs. These BPDUs include a field known as the bridge ID. The bridge ID consists of two parts: a 2-byte priority value and the 6-byte MAC address of the bridge. The default priority value is 32,768. The bridge ID is used to determine the root of the bridged network, and the bridge with the lowest bridge ID becomes the root of the network. Once the root bridge has been determined, BPDUs originate only from the root.

Bridges use BPDUs to calculate and advertise the path cost to the root bridge. Each bridge performs a calculation to determine its cost to the root bridge. The port with the lowest root-path cost is designated as the root port. If the root-path cost is the same on multiple ports, the bridge uses the port ID as a tiebreaker to select a designated port.

If there is a change in spanning tree topology, topology change notification (TCN) BPDUs are sent by a nonroot bridge. TCN messages are 4 bytes long and consist of the following fields:

Protocol Identifier A 2-byte field that identifies the type of protocol. This field always contains the value 0.

Version A 1-byte field that specifies the version of the protocol. This field always contains the value 0.

Message Type A 1-byte field that indicates the type of message. This field always contains the value 128.
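An added Python example (not code from the book) that ties the BPDU layout above to the root and root-port election described in the text: it packs and parses the 35-byte configuration BPDU and the 4-byte TCN BPDU field by field, treats the bridge ID as the 2-byte priority plus 6-byte MAC, and then elects the root (lowest bridge ID) and the root port (lowest root path cost, ties broken on the sender's bridge ID and then port ID, as 802.1D specifies). Timer fields are decoded in the 802.1D unit of 1/256 second; the TC and TCA flag bit positions are the least- and most-significant bits of the Flags byte. All bridge IDs, costs and port numbers are constructed.

```python
import struct
from dataclasses import dataclass

CONFIG_BPDU = 0      # Message Type of a configuration BPDU
TCN_BPDU = 128       # Message Type of a topology change notification BPDU
FLAG_TC = 0x01       # Topology Change: least-significant bit of the Flags byte
FLAG_TCA = 0x80      # Topology Change Acknowledgment: most-significant bit
TIME_UNIT = 1 / 256  # 802.1D timer fields are encoded in units of 1/256 second

@dataclass(frozen=True)
class BridgeId:
    priority: int   # 2-byte priority, default 32768
    mac: bytes      # 6-byte bridge MAC address

    def key(self):
        # Lower priority, then lower MAC, wins the root election
        return (self.priority, self.mac)

@dataclass
class ConfigBpdu:
    tc: bool
    tca: bool
    root_id: BridgeId
    root_path_cost: int
    bridge_id: BridgeId
    port_id: int
    message_age: float
    max_age: float
    hello_time: float
    forward_delay: float

def build_config_bpdu(root: BridgeId, root_path_cost: int, bridge: BridgeId, port_id: int,
                      tc=False, tca=False, message_age=0.0, max_age=20.0,
                      hello_time=2.0, forward_delay=15.0) -> bytes:
    flags = (FLAG_TC if tc else 0) | (FLAG_TCA if tca else 0)
    ticks = lambda seconds: int(round(seconds / TIME_UNIT))
    return struct.pack("!HBBBH6sIH6sHHHHH", 0, 0, CONFIG_BPDU, flags,
                       root.priority, root.mac, root_path_cost,
                       bridge.priority, bridge.mac, port_id,
                       ticks(message_age), ticks(max_age), ticks(hello_time), ticks(forward_delay))

def build_tcn_bpdu() -> bytes:
    return struct.pack("!HBB", 0, 0, TCN_BPDU)

def parse_bpdu(data: bytes):
    """Return a ConfigBpdu, or the string 'TCN' for a topology change notification."""
    proto, version, msg_type = struct.unpack("!HBB", data[:4])
    if proto != 0 or version != 0:
        raise ValueError("not an 802.1D BPDU")
    if msg_type == TCN_BPDU:
        return "TCN"
    if msg_type != CONFIG_BPDU or len(data) < 35:
        raise ValueError("unsupported or truncated BPDU")
    (flags, rprio, rmac, cost, bprio, bmac, port_id,
     age, max_age, hello, fwd) = struct.unpack("!BH6sIH6sHHHHH", data[4:35])
    return ConfigBpdu(bool(flags & FLAG_TC), bool(flags & FLAG_TCA),
                      BridgeId(rprio, rmac), cost, BridgeId(bprio, bmac), port_id,
                      age * TIME_UNIT, max_age * TIME_UNIT, hello * TIME_UNIT, fwd * TIME_UNIT)

def elect(my_id: BridgeId, heard: dict, port_cost: int = 19):
    """heard maps a local port number to the ConfigBpdu received on it.
    Returns (root_id, root_port, root_path_cost); root_port is None if we are the root."""
    root = min([my_id] + [b.root_id for b in heard.values()], key=BridgeId.key)
    if root == my_id:
        return my_id, None, 0
    # Lowest cost to the root wins; ties go to the lower sender bridge ID, then port ID.
    candidates = [(b.root_path_cost + port_cost, b.bridge_id.key(), b.port_id, port)
                  for port, b in heard.items() if b.root_id == root]
    cost, _, _, port = min(candidates)
    return root, port, cost

# Constructed bridge IDs: the root has a lowered priority, the others keep the default.
ROOT = BridgeId(4096, bytes.fromhex("000000000001"))
ME = BridgeId(32768, bytes.fromhex("00000000000a"))
NEIGHBOUR_X = BridgeId(32768, bytes.fromhex("000000000002"))
NEIGHBOUR_Y = BridgeId(32768, bytes.fromhex("000000000003"))

def demo():
    """Two neighbours both advertise ROOT; X is directly attached (cost 0), Y is one hop away."""
    heard = {1: parse_bpdu(build_config_bpdu(ROOT, 0, NEIGHBOUR_X, 0x8001)),
             2: parse_bpdu(build_config_bpdu(ROOT, 19, NEIGHBOUR_Y, 0x8002))}
    return elect(ME, heard)

if __name__ == "__main__":
    print(demo())   # root bridge, root port, cost to root
```

A practical reason to be able to decode these frames: a BPDU arriving on an access port from a device that is not a switch, or one advertising a root ID lower than your intended root, is exactly what features like BPDU guard and root guard are meant to stop, and the parser above is what you need to spot it in a capture.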

VLANs

A virtual LAN (VLAN) is a group of network stations that behave as though they were connected to a single network segment, even though they might not be. Legacy networks used router interfaces to separate broadcast domains. Today's switches have the ability to create broadcast domains based on the switches' configuration. VLANs provide a logical, rather than a physical, grouping of devices attached to a switch or a group of switches. A VLAN defines a broadcast domain and limits unicast, multicast, and broadcast flooding. Flooded traffic originating from a particular VLAN is flooded out only the other ports belonging to that VLAN.

VLANs are often associated with Layer 3 networks. All stations that belong to the same VLAN generally belong to the same Layer 3 network. Since VLANs define broadcast domains, traffic between VLANs must be routed.

Ports can be assigned to a VLAN statically or dynamically. If using static membership, you must manually specify which ports belong to a given VLAN. In dynamic mode, a station is automatically assigned to a particular VLAN based on its MAC address. A server on the network must keep a track of MAC address to VLAN mappings.

If two network devices share the same VLANs, frames for multiple VLANs might need to be exchanged. Rather than a separate physical link to connect each VLAN, VLAN-tagging technology provides the ability to send traffic for multiple VLANs over a single physical link. A common VLAN-tagging mechanism is IEEE 802.1q, which inserts a “tag” right after the Source Address field in Ethernet. The tag contains, among other things, the number of the VLAN to which the frame belongs.
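The 802.1Q tag described above, plus the VLAN-scoped flooding described earlier in this section, as an added Python example (not the book's code): it inserts and parses the 4-byte tag after the source address (TPID 0x8100, then a 16-bit TCI made of a 3-bit priority, a 1-bit DEI and the 12-bit VLAN ID), strips it again for access ports, keeps it on trunk ports, and floods a broadcast only to the ports that belong to the frame's VLAN. Port names, VLAN numbers and the frame contents are constructed.

```python
import struct

TPID_8021Q = 0x8100   # Tag Protocol Identifier that marks an 802.1Q tag

def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag after the 6-byte destination and 6-byte source addresses."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("bad priority or DEI value")
    tci = (pcp << 13) | (dei << 12) | vid   # 3-bit PCP, 1-bit DEI, 12-bit VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse_tag(frame: bytes):
    """Return (vid, pcp, dei, inner_ethertype) for a tagged frame, or None if untagged."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, tci >> 13, (tci >> 12) & 1, ethertype

def strip_tag(frame: bytes) -> bytes:
    return frame if parse_tag(frame) is None else frame[:12] + frame[16:]

def egress(tagged: bytes, port: dict):
    """What a port transmits for a frame the switch holds in tagged form.
    {"mode": "access", "vlan": N} sends untagged frames of VLAN N only;
    {"mode": "trunk", "allowed": {...}} sends the frame tagged if its VLAN is allowed."""
    vid = parse_tag(tagged)[0]
    if port["mode"] == "access":
        return strip_tag(tagged) if vid == port["vlan"] else None
    return tagged if vid in port["allowed"] else None

def flood(tagged: bytes, ports: dict, ingress: str) -> dict:
    """Flood within the frame's VLAN only: every port except the ingress that carries that VLAN."""
    out = {}
    for name, port in ports.items():
        if name == ingress:
            continue
        sent = egress(tagged, port)
        if sent is not None:
            out[name] = sent
    return out

# Constructed broadcast frame (ARP ethertype) and a constructed four-port switch.
UNTAGGED = (bytes.fromhex("ffffffffffff") + bytes.fromhex("00aabbccddee")
            + struct.pack("!H", 0x0806) + b"constructed payload")
PORTS = {"Gi0/1": {"mode": "access", "vlan": 10},
         "Gi0/2": {"mode": "access", "vlan": 20},
         "Gi0/3": {"mode": "access", "vlan": 10},
         "Gi0/24": {"mode": "trunk", "allowed": {10, 20}}}

def demo() -> list:
    """Broadcast arrives untagged on Gi0/1 (VLAN 10): which ports flood it?"""
    tagged = tag_frame(UNTAGGED, vid=10)
    return sorted(flood(tagged, PORTS, ingress="Gi0/1"))

if __name__ == "__main__":
    print(demo())   # Gi0/2 (VLAN 20) is excluded; Gi0/3 gets it untagged, the trunk gets it tagged
```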

Sniffer Pro has the ability to understand VLANs and is able to decode IEEE 802.1q packets as well as Cisco's Inter-Switch Link (ISL) VLAN-tagging protocol. Sniffer Pro can also decode Cisco's VLAN Trunk Protocol (VTP), which allows VLANs to propagate across multiple switches without having to create the VLAN manually on each switch. Additionally, the Switch Expert feature of Sniffer Pro can poll network switches to retrieve VLAN properties and statistics.


URL: https://www.sciencedirect.com/science/article/pii/B9781931836579500058

Analyzing Network Issues

Robert J. Shimonski, ... Yuri Gordienko, in Sniffer Pro Network Optimization and Troubleshooting Handbook, 2002

Determining the Collision Domain

Earlier in this section, we formally defined a collision domain for a 10Mbps transmission speed. A collision domain can generally be defined as a system whose elements are all part of the same signal timing domain. These elements can be cables, repeaters, hubs, bridges, and, strangely enough, space in the new wireless protocols. As shown previously in Figure 7.3, the collision domain consists of the entire cable segment between Node A and Node C. Recall that in Figure 7.5, the collision domain encompasses all four segments and all 12 workstations. A simultaneous transmission from Workstation 1 and Workstation 12 produces a collision. In Figure 7.6, we saw that the collision domain comprises all cable segments connecting all workstations. In Figure 7.7, we saw our first example of segmenting collision domains. The collisions that normally occur on the segment composed of Workstations 1, 2, and 3 are not propagated to the other segments. Therefore, the collision domain is confined to each segment. This reduces the likelihood of excessive collisions. The final device we examined was the switch in Figure 7.8. A switch can be thought of as a smart bridge that utilizes many ports. Switch-to-device communication is point-to-point communication, creating the smallest collision domain possible. In addition, using full-duplex mode eliminates collisions.


URL: https://www.sciencedirect.com/science/article/pii/B9781931836579500113

Introduction to Networking

Dale Liu, ... Luigi DiGrande, in Cisco CCNA/CCENT Exam 640-802, 640-822, 640-816 Preparation Kit, 2009

Bridges

A bridge is a Layer 2 device that separates collision domains by determining what MAC addresses are on each side of the bridge and only passing traffic if the destination address is on the other side of the bridge. The bridge will also handle the placing of the data on the collision domain to try and reduce the collisions. It also uses CSMA/CD and will check the frame for errors and collisions on each side of the bridge. Bridges create broadcast domains. Frames with a MAC address of FF:FF:FF:FF:FF:FF are called broadcast frames, and every network device must look at the data; therefore, any frame that is a broadcast must cross all bridges.


URL: https://www.sciencedirect.com/science/article/pii/B9781597493062000051

Cisco IOS Switch Basics

Dale Liu, in Cisco Router and Switch Forensics, 2009

Switch Basics

Switches are multi-port bridges and are used to break up collision domains.

Hubs are weaker than switches as hubs pass all traffic to all devices.

Switches create broadcast domains due to the fact that all ports receive all broadcast transmissions.

VLANs and routers are used to break up broadcast domains.

Switch Terminology

Content-addressable memory (CAM) is the heart of the function of a switch, as it pertains to MAC address-to-network-port assignments for lookup by the switch.

MAC flooding topics are discussed to illustrate why network switches will act like a hub.

Layer 2 switches function and representative models.

Layer 3 switches are introduced and how they perform routing functions.

The topic of collision domains is tackled to impart the reasons why network switches have a role to make network traffic more efficient.

Broadcast domains are explained to introduce the concept of VLANs.

Port Security concepts show how switches can improve the network security posture of a network environment.
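The CAM table, the "switch acts like a hub" condition and the port security countermeasure from the summary above, as an added Python simulation (not the book's code). It models a switch with a small, capacity-limited address table: once the table is full, new source addresses cannot be learned, so frames to them are flooded out every port exactly as a hub would, and a third port sees the conversation between two hosts. The same traffic run with a per-port maximum of one secure MAC address puts the offending port into an error-disabled state after the second address and keeps the table (and the other hosts' traffic) intact. Port numbers, host names and the table size are constructed; aging of entries is not modelled.

```python
from collections import OrderedDict

class Switch:
    """Simplified Layer 2 switch: a capacity-limited CAM table, flooding of unknown
    destinations, and optional per-port port security (maximum secure MAC addresses)."""

    def __init__(self, ports, cam_capacity=4, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam = OrderedDict()              # MAC -> port
        self.cam_capacity = cam_capacity
        self.max_macs = max_macs_per_port
        self.secure = {p: set() for p in self.ports}   # addresses seen per port
        self.err_disabled = set()
        self.violations = []                  # (port, offending MAC), what you would alert on

    def _learn(self, port, src):
        if self.max_macs is not None and src not in self.secure[port]:
            if len(self.secure[port]) >= self.max_macs:
                # Port security violation: shut the port (err-disabled) and record it
                self.err_disabled.add(port)
                self.violations.append((port, src))
                return
            self.secure[port].add(src)
        if src in self.cam:
            self.cam[src] = port              # refresh an existing entry
        elif len(self.cam) < self.cam_capacity:
            self.cam[src] = port
        # else: the table is full and the address stays unknown

    def forward(self, ingress, src, dst):
        """Return the egress ports for a frame src -> dst that arrived on ingress."""
        if ingress in self.err_disabled:
            return []
        self._learn(ingress, src)
        if ingress in self.err_disabled:      # the frame we just saw caused a violation
            return []
        if dst in self.cam and self.cam[dst] != ingress:
            return [self.cam[dst]]
        # Unknown destination or broadcast: flood, which is hub-like behaviour
        return [p for p in self.ports if p != ingress and p not in self.err_disabled]

def scenario(max_macs_per_port=None) -> dict:
    """Constructed traffic: host A on port 1, host B on port 2, and port 3 emitting
    six different source addresses, more than a 4-entry table can hold."""
    sw = Switch(ports=[1, 2, 3, 4], cam_capacity=4, max_macs_per_port=max_macs_per_port)
    for i in range(6):
        sw.forward(3, f"bogus-{i}", "ff:ff:ff:ff:ff:ff")
    sw.forward(2, "B", "A")                   # B speaks first so the switch could learn B
    return {"A_to_B": sw.forward(1, "A", "B"),   # where a unicast from A to B actually goes
            "learned": set(sw.cam),
            "err_disabled": set(sw.err_disabled),
            "violations": len(sw.violations)}

if __name__ == "__main__":
    print("no port security:", scenario())
    print("max 1 MAC/port:  ", scenario(max_macs_per_port=1))
```

The first run shows the unicast from A to B leaving ports 2, 3 and 4 because neither A nor B made it into the full table; the second shows it leaving only port 2, with port 3 err-disabled and one violation logged, which is the event a monitoring system should raise.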

Connecting to the Switch

Use HyperTerminal on the console port if you want to be physically connected with the switch, but you should know how to Telnet into the switch.

Cisco switches don't have power switches or AUX ports, but there are plenty of network interfaces to choose from.

Remote administration can be performed, but it should be protected closely and secure protocols should be used as information is sent in the clear.

The Web interface is an available option with Cisco switches. It is a great tool for instant monitoring of the status of the device.

Cisco Network Assistant (CNA) can be used to make configuration changes and gain a sense of the network topology. Remember that its support may only extend to currently supported Cisco network equipment.

Switch Modes

User level 0 commands are of no tangible value to a network administrator, other than to demonstrate that the switch is alive.

User levels 1 through 14 commands are available through the CLI, but more sensitive commands may be restricted from view to prevent misadventure.

Privileged enable commands allow a user to do everything to the switch to maintain it without challenge, but it is wise to exercise extreme caution when using these commands.

Global configuration mode is the CLI environment where all the major configuration work is done within a switch. It requires enable mode to enter it and make changes to the switch's behavior.

Managing IOS

The show version and show flash commands inform you of the current version of the IOS.

Use the copy tftp flash command to update the IOS and copy flash tftp to make a backup of the IOS.

Backup and Restoration of Switches

Backing up configuration files is a required fundamental skill for anyone in charge of restoring function to a switch.

Use copy start tftp to make a backup of the configuration and copy tftp run to update configurations from files on the TFTP server.

When you must reload a switch, your configuration backups and inspection skill will be required.

Switch Issues

Using the console, Telnet, and Web interfaces to get the required Cisco switch IOS information and state function is a first step toward resolving problems.

Offline switches can be brought back into operation with some basic troubleshooting and configuration changes.

Setting passwords on switch configuration entry interfaces is crucial, and setting password encryption is vital.

The Incident

Set up the switch based on company policies.

Security features such as SSH and user authentication are very rare in the field.

Default settings are dangerous.


URL: https://www.sciencedirect.com/science/article/pii/B9781597494182000107

Network Security

Derrick Rountree, in Security for Microsoft Windows System Administrators, 2011

Network Switches

In general, switches work at the data link layer (Layer 2) of the OSI model. Devices connected via a switch are on separate collision domains. Devices connected via a switch are in the same broadcast domain. Switches do filtering and forwarding based on MAC addresses. Switches keep a MAC table that lists all the devices they have access to. When someone attempts to connect to a device, the switch knows which port to forward the request out on. If the switch does not know, then an ARP request will be sent. Based on who replies to the broadcast, the switch knows where to forward the traffic.


URL: https://www.sciencedirect.com/science/article/pii/B978159749594300003X

Extending OSI to Network Security

In Hack the Stack, 2006

Protocol Analyzers

Protocol analyzers (or sniffers) are powerful programs that work by placing the host system’s network card into promiscuous mode, thereby allowing it to receive all of the data it sees in that particular collision domain. Passive sniffing is performed when a user is on a hub. When using a hub, all traffic is sent to all ports; thus, all a security professional or attacker has to do is start the sniffer and wait for someone on the same collision domain to begin transmitting data. A collision domain is a network segment that is shared but not bridged or switched; packets collide because users are sharing the same bandwidth.

Sniffing performed on a switched network is known as active sniffing, because it switches segment traffic and knows which particular port to send traffic to. While this feature adds much needed performance, it also raises a barrier when attempting to sniff all potential switched ports. One way to overcome this impediment is to configure the switch to mirror a port. Attackers may not have this capability, so their best hope of bypassing the functionality of the switch is through poisoning and flooding (discussed in subsequent chapters).

Sniffers operate at the data link layer of the OSI model, which means they do not have to play by the same rules as the applications and services that reside further up the stack. Sniffers can capture everything on the wire and record it for later review. They allow users to see all of the data contained in the packet. While sniffers are still a powerful tool in the hands of an attacker, they have lost some of their mystical status as many more people are using encryption.

The sniffer used in this book is called Ethereal, which is free and works well in both a Windows and a Linux environment. (Chapter 3 provides a more in-depth review of how to install and use Ethereal.) If you’re eager to start using Ethereal, more details about the program can be found at www.ethereal.com. (Ethereal’s name has been changed to Wireshark.)
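Because a sniffer has to put the interface into promiscuous mode, the mode itself is a useful thing for a defender to audit on Linux hosts. The following is an added Python example (not from the book): it reads the interface flags the kernel exposes under /sys/class/net/<iface>/flags and tests the IFF_PROMISC bit (0x100, from the Linux if.h header). To run offline it also builds a constructed stand-in for that directory with one interface in promiscuous mode; the interface names and flag values there are made up.

```python
import glob
import os
import tempfile

IFF_PROMISC = 0x100   # interface flag bit from the Linux <linux/if.h> header

def is_promiscuous(flags_text: str) -> bool:
    """flags_text is the content of /sys/class/net/<iface>/flags, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)

def promiscuous_interfaces(sysfs_root: str = "/sys/class/net") -> list:
    """Names of all interfaces under sysfs_root whose flags carry IFF_PROMISC."""
    found = []
    for flags_path in glob.glob(os.path.join(sysfs_root, "*", "flags")):
        try:
            with open(flags_path) as fh:
                flags = fh.read()
        except OSError:         # interface vanished or unreadable: skip it
            continue
        if is_promiscuous(flags):
            found.append(os.path.basename(os.path.dirname(flags_path)))
    return sorted(found)

def make_sample_sysfs(root: str) -> str:
    """Constructed stand-in for /sys/class/net: eth0 up, eth1 up and promiscuous,
    lo up and loopback. The flag values are UP|BROADCAST|MULTICAST (0x1003),
    the same plus PROMISC (0x1103), and UP|LOOPBACK (0x9)."""
    for iface, flags in {"eth0": "0x1003", "eth1": "0x1103", "lo": "0x9"}.items():
        os.makedirs(os.path.join(root, iface), exist_ok=True)
        with open(os.path.join(root, iface, "flags"), "w") as fh:
            fh.write(flags + "\n")
    return root

def demo() -> list:
    """Run the check against the constructed directory rather than the live host."""
    with tempfile.TemporaryDirectory() as tmp:
        return promiscuous_interfaces(make_sample_sysfs(tmp))

if __name__ == "__main__":
    print("constructed sample:", demo())
    print("this host:", promiscuous_interfaces())
```

The same bit is what `ip link` renders as PROMISC in an interface's flag list, so the check can be cross-verified by hand; a legitimate capture box or bridge member will show it too, so treat an unexpected hit as something to explain rather than an automatic alarm.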


URL: https://www.sciencedirect.com/science/article/pii/B9781597491099500058

Introducing Network Analysis

In Ethereal Packet Sniffing, 2004

How Does it Work?

Ethernet is a shared medium that uses MAC, or hardware, addresses.

The OSI model has seven layers and represents a standard for network communication.

Hubs send out information to all hosts on the segment, creating a shared collision domain.

Switches have one collision domain per port and keep an address table of the MAC addresses that are associated with each port.

Port mirroring is a feature that allows you to sniff on switches.

Switches make sniffing more difficult; however, the security measures in switch architectures can be overcome by a number of methods, thus allowing the sniffing of traffic designated for other computers.


URL: https://www.sciencedirect.com/science/article/pii/B9781932266825500076

TCP/IP Protocols and Devices

Walter Goralski, in The Illustrated Network (Second Edition), 2017

Routers

Bridges add functions to an interconnected LAN because they operate at a higher layer of the protocol stack than repeaters. Bridges run at Layer 2, the frame layer, and can do everything a repeater can do, and more, because bridges create more collision domains. In the same way, routers add functionality to bridges and operate at Layer 3, the packet layer. Routers not only create more collision domains, they create more LAN broadcast domains as well.

In a LAN with repeaters or bridges, all of the systems belong to the same subnet or subnetwork. Layer 3 addresses in their simplest form—and IP addresses are a good example of this—consist of a network and system (host) portion of the address. LANs connected by routers have multiple broadcast domains, and each LAN segment belongs to a different subnetwork.

Because of the presence of multiple subnets, TCP/IP devices must behave differently in the presence of a router. Bridges connecting TCP/IP hosts are transparent to the systems, but routers connecting hosts are not. At the very least, the host must know the address of at least one router, the default router, to send packets beyond the local subnet. As we’ll soon see, use of the default router requires the use of a default route, a route that matches all IPv4/IPv6 packets.

Bridges are sometimes called “protocol independent” devices, which really means that bridges can be used to connect LAN segments regardless of whether TCP/IP is used or not. However, routers must have Layer 3 software to handle whichever Layer 3 protocols are in use on the LAN. Many routers, especially routers that connect to the Internet, can and do understand only the IP protocol. However, many routers can handle multiple Layer 3 protocols, including protocols that are not usually employed with routed networks.
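The repeater/bridge/router distinction above, turned into a small calculator as an added Python example (not code from the book): each cable segment starts as its own collision and broadcast domain, a hub (repeater) merges both across all of its ports, a switch or bridge merges only the broadcast domain, and a router merges neither. The counts are taken with a union-find over the links. The model assumes every switch port is in one VLAN and that hosts have a single link; the sample topology with its device names is constructed.

```python
from collections import defaultdict

def _find(parent, x):
    while parent[x] != x:
        parent[x] = parent[parent[x]]     # path halving
        x = parent[x]
    return x

def _union(parent, a, b):
    parent[_find(parent, a)] = _find(parent, b)

def count_domains(devices: dict, links: list):
    """devices: name -> 'host' | 'hub' | 'switch' | 'router'.
    links: (device, device) pairs, each one physical cable segment.
    Returns (collision_domains, broadcast_domains)."""
    n = len(links)
    collision = list(range(n))        # union-find parents, one set per link to start
    broadcast = list(range(n))
    attached = defaultdict(list)      # device -> indices of the links on it
    for i, (a, b) in enumerate(links):
        attached[a].append(i)
        attached[b].append(i)
    for dev, idx in attached.items():
        kind = devices[dev]
        first = idx[0]
        for j in idx[1:]:
            if kind == "hub":         # repeater: one shared medium and one broadcast domain
                _union(collision, first, j)
                _union(broadcast, first, j)
            elif kind == "switch":    # bridge/switch: collision domain per port, one broadcast domain
                _union(broadcast, first, j)
            # router (and host): every attached link stays in its own domain of both kinds
    return (len({_find(collision, i) for i in range(n)}),
            len({_find(broadcast, i) for i in range(n)}))

# Constructed topology: two hosts on a hub, the hub and a third host on switch S1,
# S1 through router R1 to switch S2, which serves two more hosts.
SAMPLE_DEVICES = {"H1": "host", "H2": "host", "Hub1": "hub", "S1": "switch", "H3": "host",
                  "R1": "router", "S2": "switch", "H4": "host", "H5": "host"}
SAMPLE_LINKS = [("H1", "Hub1"), ("H2", "Hub1"), ("Hub1", "S1"), ("H3", "S1"),
                ("S1", "R1"), ("R1", "S2"), ("H4", "S2"), ("H5", "S2")]

if __name__ == "__main__":
    c, b = count_domains(SAMPLE_DEVICES, SAMPLE_LINKS)
    print(f"{c} collision domains, {b} broadcast domains")
```

For the sample topology the hub collapses its three segments into one collision domain, every switch port and router link is its own, and the router is the only thing that splits the broadcast domain, giving 6 collision domains and 2 broadcast domains.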


URL: https://www.sciencedirect.com/science/article/pii/B9780128110270000023

Troubleshooting Traffic for Network Optimization

Robert J. Shimonski, ... Yuri Gordienko, in Sniffer Pro Network Optimization and Troubleshooting Handbook, 2002

Unnecessary Broadcasts

Unnecessary protocols, which depend on broadcast traffic, can increase the amount of traffic on your network. Such protocols can include IPX/SPX, NetBEUI, and DLC. Also, multicast traffic such as name resolution and switch and bridge updates can consume bandwidth needed for other traffic. To optimize Ethernet you can do the following:

Eliminate unneeded protocols from your network hosts (clients, servers, routers, etc.).

Eliminate unneeded hosts on your network that are not in use and are perhaps sending out keepalives or some other traffic on the wire (make the collision domain smaller).

Use switching instead of shared-access hubs.

Implement VLANs if possible to separate broadcast domains, or use a router to block broadcast traffic.

By using Sniffer Pro to monitor your network, you will be able to watch the way all the devices communicate with each other in real time. Here are some things you can do to improve Ethernet performance with Sniffer Pro:

Use the Dashboard religiously to find your utilization statistics in real time.

Watch for high percentages of network utilization. It can vary from network to network, but anything over 40% is generally too high on an Ethernet network. If you are on a switched network, then anything over 70% is too high.

Watch for hardware-related errors. Jabbers or failing NICs often cause long or short frames and CRC errors. Correct these problems as they are found.

Use Sniffer Pro to determine your response time. A general rule should be that any response should be less than 100ms.

Broadcasts and multicasts should be no more than 20% of all network traffic.

On Ethernet networks there should be no more than 1 CRC error per 1 million bytes of data.

TIP

Check your router and switches! Cisco Router CPU utilization should not exceed 75%. To check it, you can use the following commands: show proc cpu and show proc mem (for memory).

Use hubs as little as possible. Often, when expanding a network, people try to save money and decide to connect via simple hubs. Obviously, a hub provides little more than a connection. A well-configured, segmented LAN using properly configured switches can avoid many network problems.
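The thresholds in the checklist above (40% utilization on shared Ethernet, 70% on switched, 20% broadcast plus multicast, 1 CRC error per million bytes, 100 ms response time) applied to interface counters, as an added Python example that is not part of the book and does not use Sniffer Pro: it derives utilization from an octet-counter delta over a polling interval, the kind of numbers you get from SNMP interface counters, and reports which checks fail. The sample counters are constructed.

```python
def utilization_pct(delta_octets: int, interval_s: float, link_bps: int) -> float:
    """Line utilization from an octet counter delta (in plus out) over an interval."""
    return delta_octets * 8 / (interval_s * link_bps) * 100

def broadcast_pct(broadcast_frames: int, multicast_frames: int, total_frames: int) -> float:
    return (broadcast_frames + multicast_frames) / total_frames * 100 if total_frames else 0.0

def crc_errors_per_million_bytes(crc_errors: int, octets: int) -> float:
    return crc_errors / octets * 1_000_000 if octets else 0.0

def assess(sample: dict, switched: bool = False) -> list:
    """Apply the checklist thresholds; returns the names of the checks that fail."""
    findings = []
    util = utilization_pct(sample["octets"], sample["interval_s"], sample["link_bps"])
    if util > (70 if switched else 40):
        findings.append("utilization")
    if broadcast_pct(sample["broadcast"], sample["multicast"], sample["frames"]) > 20:
        findings.append("broadcast_ratio")
    if crc_errors_per_million_bytes(sample["crc_errors"], sample["octets"]) > 1:
        findings.append("crc_errors")
    if sample["response_ms"] > 100:
        findings.append("response_time")
    return findings

# Constructed 10-second sample from a 10 Mbps segment: 5,625,000 octets (45% of the
# 100 Mbit the link could carry), 5,000 frames of which 1,200 are broadcast/multicast,
# 8 CRC errors, and a 120 ms measured response time.
SAMPLE = {"interval_s": 10, "link_bps": 10_000_000, "octets": 5_625_000, "frames": 5000,
          "broadcast": 900, "multicast": 300, "crc_errors": 8, "response_ms": 120}

if __name__ == "__main__":
    print("shared segment:", assess(SAMPLE))
    print("switched port: ", assess(SAMPLE, switched=True))
```

The same sample fails the utilization check on a shared segment but passes it on a switched port, which is the reason the checklist keeps two separate thresholds.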

Which of the cable types listed below is often used to connect a computer terminal to a router's console port?

A straight-through cable is a type of twisted pair cable that is used in local area networks to connect a computer to a network hub such as a router.

Which of the following is a network device that is responsible for separating collision domains?

Switches are multi-port bridges and are used to break up collision domains. Hubs are weaker than switches as hubs pass all traffic to all devices. Switches create broadcast domains due to the fact that all ports receive all broadcast transmissions.

Which of the protocols listed below provides protection against switching loops?

Spanning Tree Protocol (STP) prevents switching loop problems and should be enabled.

Which of the following allows for verifying the absence of traffic on a shared transmission medium in 802.3 networks?

Carrier-sense multiple access (CSMA) is a medium access control (MAC) protocol in which a node verifies the absence of other traffic before transmitting on a shared transmission medium, such as an electrical bus or a band of the electromagnetic spectrum.