
Shiratsuchi, Kenth F.

ECET515LA

ECE51 Engr. Warren Bejasa

Laboratory Exercise 8 Basic Configurations of Layer 2 Router

Introduction

Layer 2 Ethernet segments can be connected in parallel using Catalyst 6500 series switches. A switched Ethernet segment connection is only active for the duration of one packet; for the next packet, a new connection between different segments can be created.

By assigning each device (for example, a server) to its own 10-, 100-, or 1000-Mbps collision domain, Catalyst 6500 series switches tackle congestion problems caused by high-bandwidth devices and a large number of users. Servers in a correctly designed switched environment gain full access to the bandwidth, since each LAN port connects to a different Ethernet collision domain.

Because collisions cause significant congestion in Ethernet networks, full-duplex communication is an efficient solution. Ethernet is normally used in half-duplex mode, which means that a station can either receive or transmit at any one time, but not both. In full-duplex mode, two stations can transmit and receive at the same time. The effective Ethernet bandwidth doubles when packets can flow in both directions simultaneously.

A Catalyst 6500 series switch's LAN ports can connect to a single workstation or server, or to a hub that connects workstations and servers to the network. All ports on a standard Ethernet hub link to a common backplane within the hub, and all devices connected to the hub share the network's bandwidth. If two stations start a session that consumes a considerable amount of bandwidth, the network performance of all other stations connected to the hub is reduced. The switch treats each LAN port as a separate segment to reduce this degradation. When stations connected to different LAN ports need to communicate, the switch forwards frames at wire speed from one LAN port to the other, ensuring that each session gets the full bandwidth. The switch uses an address table to exchange frames between LAN ports efficiently. When a frame arrives at the switch, the switch associates the sending device's MAC address with the LAN port on which the frame was received.

Catalyst 6500 series switches build the address table from the source addresses of the frames they receive. When the switch receives a frame whose destination address is not in its address table, it floods the frame to all LAN ports in the same VLAN except the one on which the frame was received. When the destination station responds, the switch updates the address table with that station's source address and port ID. From then on, the switch directs subsequent frames to that single LAN port rather than flooding all LAN ports.

The address table can store at least 32,000 address entries without flooding any entries. If an address is inactive for a certain number of seconds, set by a configurable aging timer, the switch ages it out and removes it from the address table.

Discussion

The Data Link Layer, or Layer 2, is the second level of the seven-layer OSI reference model for network protocol architecture. In the TCP/IP network model, Layer 2 corresponds to the link layer (the lowest layer). Layer 2 is the layer that allows data to be transferred between adjacent network nodes in a wide area network or within a local area network.

On a Layer 2 network, the protocol data unit is the frame, the smallest unit of bits handled at this layer. Frames are sent and received between devices connected to the same local area network (LAN). Frames, like bits, have a specified structure and can be used for functions such as error detection and control-plane activities. Not every frame contains user data; some frames are used by the network to govern the data link. At Layer 2, unicast refers to sending frames from a single node to one other node, multicast refers to sending traffic from a single node to several nodes, and broadcast refers to sending frames to all nodes in a network. A broadcast domain is a logical segment of a network in which a broadcast can reach all of the network's nodes at Layer 2.

Bridges can be used to connect LAN segments at the frame level. Bridging divides the LAN into separate broadcast domains, resulting in VLANs, which are logical networks that group related devices into separate network segments. The physical location of a device on the LAN has no bearing on how it is grouped into a VLAN. Without bridging or VLANs, all devices on an Ethernet LAN are in a single broadcast domain, and every device sees every packet on the LAN.

Packet forwarding is the process by which nodes in a network send packets from one network segment to another. A frame whose source and destination are both in the same VLAN is forwarded only within that VLAN. A network segment is a section of a computer network in which all devices use the same physical layer to communicate.

Layer 2 is divided into two sublayers:

The logical link control (LLC) sublayer is in charge of handling frame traffic and regulating communication lines.

The MAC sublayer is responsible for controlling protocol access to the physical network medium. Multiple devices on the same physical link can be uniquely identified by the MAC addresses assigned to all ports on a switch.

A switch's ports, or interfaces, operate in one of three modes: access, tagged-access, or trunk:

 A network device, such as a desktop computer, an IP telephone, a printer, a file server, or a security camera, is connected to an access mode port. A single VLAN is assigned to the port. Normal (untagged) Ethernet frames are transmitted over an access port. All ports on a switch are in access mode by default.

 A network device, such as a desktop computer, an IP telephone, a printer, a file server, or a security camera, is connected to a tagged-access mode port. A single VLAN is assigned to the port. Normal Ethernet frames are transmitted over an access port, and all ports on a switch are in access mode by default. Tagged-access mode supports cloud computing, specifically scenarios involving virtual machines. Because a physical server can host several virtual machines, the packets created by that server may be an aggregate of VLAN packets from the various virtual machines on it. To handle this, when the destination address of a packet has been learnt on a downstream port, tagged-access mode reflects the packet back to the physical server on that downstream port. When the destination has not yet been learnt, packets are likewise reflected back to the physical server on the downstream port. As a result, the third interface mode, tagged access, combines some of the properties of access mode with those of trunk mode.

 Trunk mode ports handle traffic for numerous VLANs by multiplexing all of the VLANs' traffic onto a single physical connection. In most cases, trunk interfaces are used to link switches to other switches or devices. When a native VLAN is enabled, frames belonging to it are sent across the trunk interface without VLAN tags. Use the native VLAN where packets are sent from a device to a switch port in access mode and are subsequently sent from the switch over a trunk port: assign the single VLAN on the access-mode port as the native VLAN, and the switch's trunk port will treat those frames differently from the other, tagged packets.

 If a trunk port has three VLANs allocated to it, 10, 20, and 30, with VLAN 10 being the native VLAN, frames on VLAN 10 leaving the trunk port at the other end will not carry an 802.1Q header (tag). There is another native VLAN option: you can have the switch add and remove tags for untagged packets. To do so, first set up the single VLAN as the native VLAN on the port connected to an edge device. Then, on that port, assign a VLAN ID tag to the single native VLAN. Finally, assign that VLAN ID to the trunk port. When the switch receives an untagged packet, it adds the ID you supplied, and it then sends and receives tagged packets on the trunk port set to accept that VLAN.
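The trunk behaviour above (native VLAN leaves untagged, other allowed VLANs get an 802.1Q tag, untagged arrivals land in the native VLAN, the optional tag-the-native-VLAN setting) modelled at the byte level. This is an added example written for this report, not code from the report or from Cisco; the frame bytes are constructed, and the class and function names are my own.

```python
import struct
from typing import Optional, Set, Tuple

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst(6) | src(6) | EtherType(2) | payload."""
    return dst + src + struct.pack("!H", ethertype) + payload

def read_vid(frame: bytes) -> Optional[int]:
    """VLAN ID carried in the 802.1Q tag, or None if the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]  # TCI = PCP(3) | DEI(1) | VID(12)
    return tci & 0x0FFF

def insert_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a tag after the source MAC (PCP = priority bits, DEI left at 0)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be in 1..4094")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid) + frame[12:]

def strip_tag(frame: bytes) -> bytes:
    """Remove the 4-byte tag so the frame can leave an access port as plain Ethernet."""
    return frame[:12] + frame[16:] if read_vid(frame) is not None else frame

class TrunkPort:
    """One trunk link: allowed VLAN set, native VLAN, optional tagging of the native VLAN."""
    def __init__(self, allowed: Set[int], native: int, tag_native: bool = False):
        self.allowed, self.native, self.tag_native = set(allowed), native, tag_native

    def egress(self, frame: bytes, vid: int) -> Optional[bytes]:
        """A frame known to belong to VLAN `vid` leaves the trunk; None means not sent."""
        if vid not in self.allowed:
            return None
        if vid == self.native and not self.tag_native:
            return frame  # native VLAN leaves without an 802.1Q header
        return insert_tag(frame, vid)

    def ingress(self, frame: bytes) -> Optional[Tuple[bytes, int]]:
        """Return (untagged frame, VLAN it belongs to); None means dropped."""
        vid = read_vid(frame)
        if vid is None:
            return frame, self.native  # untagged arrivals are placed in the native VLAN
        if vid not in self.allowed:
            return None
        return strip_tag(frame), vid
```

With allowed VLANs {10, 20, 30} and native VLAN 10, a VLAN 10 frame leaves unchanged while a VLAN 20 frame gains the four bytes `81 00 00 14` after the source MAC.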

Reflection

The firewall can be deployed in Layer 2 transparent mode without requiring any changes to the existing routing infrastructure. The firewall is configured as a Layer 2 switch with numerous VLAN segments, and it delivers security services to those segments. Bump-in-the-wire deployment is made possible by a specific form of Layer 2 transparent mode called secure wire.

When a device's interfaces are defined as Layer 2 interfaces, it functions in transparent mode. If no physical interfaces are specified as Layer 2 interfaces, the device works in route mode (the default mode).

Transparent mode for SRX Series devices provides comprehensive security services on top of Layer 2 switching. Layer 2 switching can be configured on one or more VLANs on these SRX Series devices. A VLAN is a collection of logical ports with the same flooding or broadcast characteristics; it spans one or more ports, which may belong to different devices. As a result, the SRX Series device can act as a Layer 2 switch for several VLANs on the same Layer 2 network.

In transparent mode, the SRX Series device filters packets that pass through it without changing the source or destination information in the IP packet headers. Because there is no need to alter the IP settings of routers or protected servers, transparent mode is well suited to safeguarding servers that primarily receive traffic from untrusted sources.

In transparent mode, all physical ports on the device are assigned to Layer 2 interfaces, and Layer 3 traffic should not be routed through the device. Layer 2 zones can be configured to host Layer 2 interfaces, and security policies can be set between Layer 2 zones, so that policy is applied to packets as they move from one Layer 2 zone to another.

In the first implementation of Ethernet, or Layer 2, switching, forwarding decisions are made from the information in Ethernet headers. By capturing the Ethernet MAC addresses of packets entering the switch, intelligent switches can work out which end stations are attached to which ports. Using this knowledge and its ability to interpret the Layer 2 headers of all packets, a Layer 2 switch can forward a frame only out of the port where it knows the end station is. Frames with unknown destination MAC addresses are flooded out of every port in the switch, which forces the recipient to reply for end-station addresses that have not yet been learned.

Because the relevant MAC address will be the source address on the reply frame, the switch will be able to learn it. For local area networks, Layer 2 switching is used in conjunction with Layer 3 routing to permit communication between devices on the same IP subnet. Because the information at this layer is minimal, it is usually unnecessary to configure Layer 2 switches to understand address information and act on it in ways other than those outlined above.
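The learn-from-source, forward-or-flood-within-VLAN and aging behaviour described in the Introduction and restated in the paragraph above, as a small simulation. This is an added example written for this report, not code from the report or from Cisco; it assumes access ports each mapped to one VLAN, a per-VLAN table keyed by MAC, and the constructed frames and port numbers used in the comments and tests.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    src: str  # source MAC, the address the switch learns from
    dst: str  # destination MAC, the address the switch looks up

class Layer2Switch:
    """Learn from source MACs, forward known unicast, flood the rest within the VLAN."""

    def __init__(self, port_vlans: Dict[int, int], aging_secs: int = 300, capacity: int = 32000):
        self.port_vlans = port_vlans  # access port number -> the single VLAN it belongs to
        self.aging_secs = aging_secs  # configurable aging timer (seconds of inactivity)
        self.capacity = capacity      # maximum number of learned entries
        # (vlan, mac) -> (port, time the address was last seen as a source)
        self.table: Dict[Tuple[int, str], Tuple[int, float]] = {}

    def age_out(self, now: float) -> int:
        """Remove entries idle longer than the aging timer; return how many were removed."""
        stale = [k for k, (_, seen) in self.table.items() if now - seen > self.aging_secs]
        for k in stale:
            del self.table[k]
        return len(stale)

    def learn(self, vlan: int, mac: str, port: int, now: float) -> bool:
        """Associate the source MAC with its ingress port; False if the table is full."""
        key = (vlan, mac)
        if key not in self.table and len(self.table) >= self.capacity:
            return False  # the frame is still forwarded, but the address is not learned
        self.table[key] = (port, now)
        return True

    def receive(self, frame: Frame, in_port: int, now: float) -> List[int]:
        """Return the ports the frame is sent out of (empty list = filtered)."""
        self.age_out(now)
        vlan = self.port_vlans[in_port]
        self.learn(vlan, frame.src, in_port, now)
        entry = self.table.get((vlan, frame.dst))
        if frame.dst == BROADCAST or entry is None:
            # unknown destination: flood every port in the same VLAN except the ingress port
            return sorted(p for p, v in self.port_vlans.items() if v == vlan and p != in_port)
        out_port, _ = entry
        return [] if out_port == in_port else [out_port]
```

With ports 1 to 3 in VLAN 10 and port 4 in VLAN 20, an unknown unicast from port 1 floods to ports 2 and 3 only; once the destination replies, later frames go to its single port, and after the aging timer expires the switch floods again.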

Many Layer 2 switches allow you to implement intelligent services such as Quality of Service (QoS), bandwidth shaping, and VLAN membership based on Layer 2 data. Large Layer 2 broadcast domains can be vulnerable to unforeseen consequences, such as broadcast storms, which can cause network failures. Separating specific clients into different broadcast domains may also be preferable for security and policy reasons. This is where configuring VLANs comes in handy. On a Layer 2 switch, VLANs can be assigned to individual switch ports, which are then in different Layer 3 subnets and hence in different broadcast domains. By allowing different Layer 3 networks to share the same Layer 2 infrastructure, VLANs provide more flexibility. Because switches increase throughput and filtering, there is a tendency to build huge Layer 2 topologies and add hundreds of nodes, but this creates a large broadcast domain. The issue is that all network devices (computers, printers, switching equipment, and so on) generate broadcast and multicast frames that traverse the whole broadcast domain, competing for bandwidth with data traffic.