Interswitch connectivity - CSU359 - Shoolini University

Connect and Verify Interswitch Connectivity

2024, September 3

0. Interswitch Connectivity

Interswitch connectivity refers to the network connections established between multiple switches within a network. This connectivity is essential for ensuring that devices connected to different switches can communicate with each other. The following sections provide an overview of interswitch connectivity, its importance, and the methods used to establish it.

0.1 Importance of Interswitch Connectivity

In a network with multiple switches, interswitch connectivity is crucial for maintaining a unified network where all devices can communicate regardless of which switch they are connected to. This connectivity allows for the following:

  • VLAN Propagation: Ensures that VLANs can span across multiple switches, allowing devices in the same VLAN but connected to different switches to communicate.
  • Redundancy: Provides alternative paths for data in case of a failure in one part of the network, increasing network reliability.
  • Scalability: Allows the network to grow by adding more switches and connecting them to the existing network, thereby expanding the network's size and capacity.
  • Efficient Traffic Management: Enables the distribution of network traffic across multiple switches, optimizing network performance.

0.2 Methods of Establishing Interswitch Connectivity

There are several methods to establish interswitch connectivity, each with its own use cases and configuration requirements:

0.2.1 Trunk Ports

Trunk ports are commonly used to connect switches. A trunk port is configured to carry traffic from multiple VLANs, allowing different VLANs to communicate across switches. Trunk ports use protocols like 802.1Q to tag traffic with VLAN IDs, ensuring that it reaches the correct destination VLAN on the receiving switch.

Trunk ports are typically used in scenarios where multiple VLANs need to be propagated across switches, making them a key element in VLAN-based networks.

Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode trunk
0.2.2 Access Ports with VLANs

While access ports are typically used to connect end devices, they can also be part of interswitch connectivity in certain topologies. In this case, each switch port is assigned to a specific VLAN, and the connection between switches is handled by routing or Layer 3 interfaces. This method is less common but may be used in networks with distinct VLANs that do not need to span across switches.

0.2.3 Layer 3 (Routed) Links

Layer 3 links, also known as routed links, involve configuring Layer 3 interfaces on the switches to handle traffic between them. This method is used in scenarios where different VLANs or subnets exist on each switch, and routing is required to manage traffic between them. Layer 3 interswitch connectivity is typically found in larger, more complex networks where inter-VLAN routing is necessary.

Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# no switchport
Switch(config-if)# ip address 192.168.1.1 255.255.255.0

In this example, the interface GigabitEthernet 0/1 is configured as a Layer 3 interface with an IP address, enabling it to route traffic between switches.

0.2.4 EtherChannel

EtherChannel, also known as port aggregation, is a technique that combines multiple physical links between switches into a single logical link. This provides increased bandwidth and redundancy, as traffic can be distributed across multiple links. If one link fails, traffic is automatically rerouted through the remaining active links.

Switch(config)# interface range GigabitEthernet0/1 - 2
Switch(config-if-range)# channel-group 1 mode active

This command creates an EtherChannel by bundling interfaces GigabitEthernet 0/1 and 0/2, providing higher throughput and redundancy for interswitch connectivity.

0.3 Best Practices for Interswitch Connectivity

To ensure reliable and efficient interswitch connectivity, follow these best practices:

  • Consistent Configuration: Ensure consistent VLAN, trunk, and routing configurations across all connected switches to avoid connectivity issues.
  • Redundancy: Implement redundant connections between switches to provide failover options in case of a link failure.
  • Monitor Link Status: Regularly monitor the status and performance of interswitch links to detect and resolve issues promptly.
  • Security: Secure interswitch links by controlling which VLANs are allowed on trunk ports and by using authentication mechanisms like 802.1X where applicable.
  • Document Network Topology: Maintain up-to-date documentation of the network topology, including interswitch connections, to aid in troubleshooting and network management.

1. Configure and Verify Interswitch Connectivity - Trunk Ports

In a network where multiple switches are used, interswitch connectivity is crucial for ensuring that all VLANs can communicate across different switches. This is achieved through trunk ports, which allow traffic from multiple VLANs to pass through a single physical link. The following sections explain the configuration and verification process for trunk ports.

1.1 Trunk Ports: Concept and Purpose

A trunk port is a type of switch port configured to carry traffic from multiple VLANs. Unlike access ports, which are associated with a single VLAN, trunk ports tag traffic with VLAN identifiers, allowing it to be routed to the appropriate VLAN on the receiving switch. Trunk ports are essential in networks with multiple VLANs spread across different switches, enabling VLANs to span the entire network.

1.2 Configuring Trunk Ports

To configure a trunk port on a switch, follow these steps:

  • Step 1: Enter global configuration mode.
  • Step 2: Select the interface to be configured as a trunk port using the interface command.
  • Step 3: Set the interface mode to trunk using the switchport mode trunk command. This command forces the port to become a trunk.
  • Step 4: (Optional) Specify the VLANs allowed on the trunk with the switchport trunk allowed vlan command. By default, all VLANs are allowed.
  • Step 5: (Optional) Set the native VLAN with the switchport trunk native vlan command. The native VLAN is the VLAN that is not tagged when sent across the trunk link.
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10,20,30
Switch(config-if)# switchport trunk native vlan 99

The above commands configure the interface GigabitEthernet 0/1 as a trunk port, allowing VLANs 10, 20, and 30 on the trunk and setting VLAN 99 as the native VLAN.

1.3 Verifying Trunk Port Configuration

After configuring the trunk port, it's essential to verify that the configuration is correct and that the trunk is functioning as expected. This can be done using the following commands:

  • show interfaces trunk: Displays all trunk ports, the allowed VLANs, and the native VLAN.
  • show running-config interface <interface_id>: Shows the configuration of a specific interface, including trunk-related commands.
  • show vlan brief: Lists all VLANs configured on the switch and the ports assigned to them.
Switch# show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      99

Port        Vlans allowed on trunk
Gi0/1       10,20,30

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       10,20,30

This output confirms that the trunk port is correctly configured on interface GigabitEthernet 0/1, with VLANs 10, 20, and 30 allowed on the trunk and VLAN 99 set as the native VLAN.

1.4 Troubleshooting Trunk Ports

If issues arise with trunk ports, consider the following troubleshooting steps:

  • Check VLAN Configuration: Ensure that the VLANs allowed on the trunk exist on both switches.
  • Verify Trunk Mode: Ensure that both ends of the trunk link are configured as trunk ports.
  • Native VLAN Mismatch: Ensure that the native VLAN is the same on both sides of the trunk link to avoid VLAN mismatch errors.
  • Spanning Tree Protocol (STP): Check STP settings to ensure no ports are erroneously blocking the trunk link.

1.5 Best Practices for Trunk Ports

To ensure efficient and secure trunk port operation, follow these best practices:

  • Limit Allowed VLANs: Only allow the necessary VLANs on trunk ports to minimize broadcast traffic.
  • Secure Native VLAN: Use a dedicated, non-used VLAN as the native VLAN to prevent VLAN hopping attacks.
  • Monitor Trunk Links: Regularly monitor trunk links to ensure they are functioning correctly and to detect any anomalies.

2. 802.1Q

802.1Q is a networking standard defined by the IEEE for VLAN tagging in Ethernet frames. It is the most commonly used method for managing VLANs on a network, allowing multiple VLANs to be transmitted over a single physical link. This section provides a conceptual understanding of 802.1Q, its structure, and its operation.

2.1 Overview of 802.1Q

802.1Q, also known as VLAN tagging, is a protocol that inserts a tag into the Ethernet frame to identify which VLAN the frame belongs to. This allows multiple VLANs to share the same physical link without interfering with each other. When a switch receives a tagged frame, it uses the VLAN ID (VID) in the tag to determine which VLAN the frame belongs to.

2.2 Structure of 802.1Q Tag

An 802.1Q tag is inserted into the Ethernet frame after the source MAC address and before the Ethernet type field. The tag consists of four main components:

  • Tag Protocol Identifier (TPID): A 16-bit field with a fixed value of 0x8100, indicating that the frame is an 802.1Q-tagged frame.
  • Priority Code Point (PCP): A 3-bit field used for Quality of Service (QoS) to prioritize frames.
  • Drop Eligible Indicator (DEI): A 1-bit field that indicates whether the frame can be dropped when the network is congested.
  • VLAN Identifier (VID): A 12-bit field that specifies the VLAN to which the frame belongs. This allows for up to 4096 VLANs (IDs 0-4095).

| Destination MAC | Source MAC | 0x8100 (TPID) | PCP | DEI | VID | Ethertype | Payload | FCS |
|-----------------|------------|---------------|-----|-----|-----|-----------|---------|-----|

In this structure, the tag increases the size of the Ethernet frame by 4 bytes. The VLAN ID is the most critical part of the tag, as it determines which VLAN the frame belongs to.

2.3 802.1Q Operation

When a frame is sent from a device within a VLAN, the switch adds the 802.1Q tag to the frame before it is sent out on a trunk link. This tagging process is called "VLAN tagging." The frame is then transmitted over the trunk link to another switch, which reads the tag and determines which VLAN to forward the frame to. The tag is removed before the frame reaches the destination device if the device is connected to an access port.

Here’s how the process works:

  • Ingress: When a frame enters a switch, the switch checks if the port is an access or trunk port. If it's an access port, the frame is associated with the port's VLAN, and no tag is added. If it's a trunk port, the switch tags the frame with the appropriate VLAN ID.
  • Transmission: The tagged frame is sent over the trunk link to the next switch.
  • Egress: When the frame reaches the destination switch, the switch reads the VLAN tag and forwards the frame to the correct VLAN. If the frame is destined for a device on an access port, the tag is removed before forwarding.

Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk encapsulation dot1q

The above commands configure the trunk port to use 802.1Q encapsulation for VLAN tagging.

2.4 Advantages of 802.1Q

The 802.1Q standard provides several advantages in a network:

  • Scalability: Supports up to 4096 VLANs, making it suitable for large networks.
  • Interoperability: 802.1Q is widely supported by most network devices, allowing for seamless operation across different vendors' equipment.
  • Efficiency: By allowing multiple VLANs to share a single physical link, 802.1Q reduces the need for additional cabling and ports.
  • Flexibility: Enables network administrators to segment and manage traffic efficiently, enhancing network security and performance.

2.5 Considerations and Best Practices

When using 802.1Q in a network, consider the following best practices:

  • Consistent VLAN IDs: Ensure that VLAN IDs are consistent across all switches to avoid routing issues.
  • Native VLAN Security: Use a dedicated VLAN as the native VLAN and ensure it's not used for regular traffic to prevent VLAN hopping attacks.
  • Monitor for VLAN Mismatches: Regularly monitor and verify VLAN configurations to detect and resolve mismatches.
  • QoS Management: Utilize the PCP field in the 802.1Q tag to prioritize critical traffic, ensuring Quality of Service (QoS) in the network.

3. Native VLAN

The concept of the Native VLAN is central to the operation of trunk ports in a VLAN-enabled network. The Native VLAN is the VLAN that is not tagged with an 802.1Q header when it traverses a trunk link. This section explains the purpose, configuration, and best practices associated with the Native VLAN.

3.1 Purpose of Native VLAN

The Native VLAN is designed to handle untagged traffic on a trunk port. In a typical network, most traffic is tagged with a VLAN ID when sent across a trunk link. However, there are scenarios where untagged frames may be sent—this is where the Native VLAN comes into play. Any untagged traffic received on a trunk port is assumed to belong to the Native VLAN.

By default, VLAN 1 is the Native VLAN on most switches, but this can and often should be changed for security reasons.

3.2 Configuring Native VLAN

To configure the Native VLAN on a trunk port, follow these steps:

  • Step 1: Enter the interface configuration mode for the desired trunk port.
  • Step 2: Use the switchport trunk native vlan <vlan_id> command to set the Native VLAN.
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk native vlan 99

In this example, VLAN 99 is configured as the Native VLAN on the trunk port GigabitEthernet 0/1.

3.3 Verifying Native VLAN Configuration

After configuring the Native VLAN, it is crucial to verify the configuration to ensure that the correct VLAN is set as native. This can be done using the following commands:

  • show interfaces trunk: Displays information about trunk ports, including the Native VLAN.
  • show running-config interface <interface_id>: Shows the detailed configuration of the specified interface, including the Native VLAN setting.
Switch# show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      99

This output confirms that VLAN 99 is set as the Native VLAN on the trunk port GigabitEthernet 0/1.

3.4 Security Considerations for Native VLAN

The Native VLAN, if not properly secured, can be a point of vulnerability in a network. VLAN hopping attacks, where an attacker sends double-tagged frames to exploit the Native VLAN, are a common threat. To mitigate such risks, consider the following best practices:

  • Change the Default Native VLAN: Avoid using VLAN 1 as the Native VLAN. Choose a dedicated, non-used VLAN instead.
  • Restrict VLAN Access: Ensure that only necessary VLANs are allowed on trunk ports and that the Native VLAN is not used for regular traffic.
  • Monitor for Unusual Traffic: Regularly monitor trunk ports for untagged traffic that could indicate a VLAN hopping attempt.

3.5 Best Practices for Native VLAN

Implementing the following best practices can help maintain a secure and efficient network:

  • Consistent Configuration: Ensure the Native VLAN is consistently configured across all trunk links between switches to avoid mismatches.
  • Secure VLAN Management: Regularly review and update VLAN configurations to reflect current network requirements and security standards.
  • Document VLAN Settings: Maintain accurate documentation of VLAN configurations, including the Native VLAN, to assist in troubleshooting and audits.