Hi, my name is Jeffrey Babb, and I'm a network security training engineer in the Education Department at Palo Alto Networks. Today we'll do a tutorial on layer 2 networking. In this tutorial, we'll look at layer 2 addressing and forwarding, including MAC addresses, CSMA/CD and CSMA/CA, switching and bridging logic (which includes broadcasts, unknown unicast and switching loops), DHCP, ARP, VLANs, tagging and trunking.

We'll begin with MAC addressing. Understanding how devices use layer 2 addresses to send messages to specific destinations is an important aspect of networking. A MAC address is a number that uniquely identifies a network node. The manufacturer hard-codes the Media Access Control, or MAC, address on the network interface card, or NIC. This address is composed of a block ID and a device ID. Every networked device needs a MAC in order to connect to a local area network segment. MACs are used for the resolution of logical addresses. MACs are sometimes referred to as data link layer addresses or physical addresses. MAC addresses are used as a network address for most [inaudible] network technologies, including Ethernet and Wi-Fi. Manufacturers all place a special number sequence called the Organizationally Unique Identifier, or OUI, in the MAC address that identifies them as the manufacturer. This OUI is typically right at the front of the address.

MAC address structure. The MAC address is six octets, and each octet is eight bits long. The first three octets identify the OUI; the last three octets identify a network interface controller (NIC) specific number. The IEEE defines the format and assignment of LAN addresses and requires a globally unique unicast MAC address on LAN interface cards. To ensure a unique MAC address, the Ethernet NIC manufacturer encodes the MAC address onto the card, usually in a ROM chip. The first half of the address identifies the manufacturer of the card.
This code, which is assigned to each manufacturer by the IEEE, is called the Organizationally Unique Identifier, or OUI. Each manufacturer assigns a MAC address with its own OUI as the first half of the address. The second half of the address is assigned a number that the manufacturer has never used on another card.

Types of addresses. Unicast addresses are used when a single recipient of a frame is the intended destination. Group addresses include the broadcast and the multicast. Broadcasts are used when an Ethernet frame is intended for all of the devices that are on the LAN; the broadcast address is all Fs in hexadecimal notation. Multicasts are used to allow many, but not all, of the devices on the LAN to communicate.

Frames are a package for the data that includes not only the raw data, or payload, but also the sender's and receiver's network addresses and the required protocol control information. A frame is usually transmitted bit by bit and contains a header field and a trailer field that frame the data. In the figure, the flag and address fields constitute the header, and the frame check sequence and flag fields constitute the trailer. The information, or data, in the frame may contain another encapsulated frame that is used by a higher-level or different protocol.

Ethernet framing. Framing defines how a string of binary numbers is interpreted. Layer 1, the physical layer, moves the strings of bits from one device to another; framing is the process of formatting data in a manner that can be interpreted by another device on an Ethernet network. In this frame, we see the destination MAC address identified as all Fs, because this is a broadcast message, and the source MAC, which is identified as the MAC address of the source host. Finally there is the trailer, which is at the end of the frame. Inside of the frame we have the IP packet. We have the destination IP, which is identified as the 192.168.1.255 address, because that is the broadcast address for this particular subnet.
We have the source IP, which is 192.168.1.5, because that is the source IP of the source host that is sending the broadcast message. To use Ethernet, the network layer protocol places its packet, the layer 3 PDU, into the data portion of the Ethernet frame. However, when a device receives such a frame, that receiving device needs to know what type of layer 3 PDU was in the Ethernet frame. The PDU could potentially be an IP packet, an IPX packet or some other layer 3 PDU that is created by a vendor.

In this graphic, we have the preamble, which is seven bytes in field length and is used for synchronization. The start frame delimiter, which is one byte, signifies that the next byte begins the destination MAC field. The destination MAC address, which is six bytes, identifies the intended recipient of this frame. The source MAC, which is six bytes, identifies the sender of this frame. The length field, which is two bytes, defines the length of the data field of the frame. The type field, which is two bytes, defines the type of protocol carried inside of the frame. Either the length or the type is present, but not both. The data field, which is 46 to 1,500 bytes, holds data from a higher layer, typically a layer 3 PDU, which is often an IP packet. Finally, the frame check sequence, or FCS field, which is four bytes, provides a method for the receiving NIC to determine if the frame experienced transmission errors. The IEEE 802.3 specification limits the data portion of the 802.3 frame to a maximum of 1,500 bytes by default. However, if jumbo frames are enabled, the maximum frame size can be increased to 9,000 bytes. The data field was designed to hold layer 3 packets. The term maximum transmission unit, or MTU, defines the maximum layer 3 packet that can be sent over the medium.
To create a type field for frames that use the length in the length/type field, either one or two additional headers are added after the Ethernet 802.3 header but before the layer 3 header. For example, when sending IP packets, the Ethernet frame has two additional headers: an IEEE 802.2 Logical Link Control, or LLC, header and an IEEE Subnetwork Access Protocol, or SNAP, header.

Error detection. Error detection is the process of discovering whether a frame's bits have changed as a result of being sent over a network. They may change for many small reasons, but generally such errors occur as the result of some electrical interference. The Ethernet frame check sequence, or FCS, field in the Ethernet trailer allows the device receiving an Ethernet frame to detect whether the bits were changed during transmission. To detect an error, the sending device calculates a complex mathematical function with the frame content as input. The result of this calculation is entered as four bytes in the FCS field. The receiving device performs the same calculation on the frame. If the results match, no errors were detected. If the results do not match, then an error has occurred, and the frame is discarded. This is referred to as error detection. Ethernet takes no action to cause the frame to be retransmitted. Other protocols, notably TCP, can notice that some data was lost and cause error recovery to occur. This is known as error correction.

Carrier sense multiple access with collision detection and carrier sense multiple access with collision avoidance. CSMA/CD is a protocol in which a node senses the networking medium before transmitting data. This rule for communication is shared by all Ethernet networks. In CSMA/CD, each node waits its turn before transmitting data. CSMA/CD is used on wired Ethernet. CSMA/CD isn't deterministic like token ring is; it is contention based.
It's more like each node waits until it believes the media is open and not being used before it begins transmitting its data. If a collision is heard, both of the senders will send a jam signal over the Ethernet. This jam signal indicates to all other devices on the Ethernet segment that there has been a collision and that they should not send any data onto the wire. A second indication of a collision is the noise created by the collision itself.

Carrier sense multiple access with collision avoidance. CSMA/CA is a network access method used on local networks where nodes share a communication channel. These nodes signal their intent to transmit data before any data is sent, to avoid any possible collision. CSMA/CA is used on 802.11 Wi-Fi communications.

Collision domains. In this topology, there are five collision domains. A collision domain is an area of a network where two or more frames could electrically collide if more than a single frame is transmitted at the same time. Bridges and switches can logically define the boundaries of a collision domain. The bridge breaks the network into two or more pieces, with each piece being a separate collision domain. The switch acts like a multiport bridge. In an Ethernet network, the interference of one network node's data transmission with another is a collision.

Broadcast domain. In this graphic, we have three broadcast domains. The router has three interfaces, which all must be configured with IP addresses for the different networks. If a broadcast happens in broadcast domain 1, the broadcast is contained in that broadcast domain itself. A broadcast domain is a group of devices that share the same network ID on a subnet. A broadcast frame sent by one device is received by all other devices in the same broadcast domain. A broadcast is a one-to-everyone communication.
When a switch receives a broadcast, it will forward that broadcast out every connected interface except for the interface that the broadcast arrived on. When a host receives a broadcast, it must process that frame. The [inaudible] must interrupt the computer's CPU, and the CPU must take time to process the broadcast frame. Every device will check to see if the destination MAC of that frame matches its own MAC. If the MACs do not match, the device will drop the broadcast.

Types of communication. Simplex: a PA announcement system where one person speaks and all must listen. Half duplex: a one-at-a-time communication similar to a walkie-talkie; one person talks, the other person waits their turn. Full duplex: like a phone conversation, both persons can communicate simultaneously.

Bridges versus switches. Bridges are switches with more ports. Bridges are software based while switches are hardware based, because switches use application-specific integrated circuits, or ASIC chips, to help make filtering decisions. Bridges can only have one instance of spanning tree, and switches can support many. We'll discuss spanning tree later in this course. Both bridges and switches forward layer 2 broadcasts, they both learn MAC addresses by examining the source address of each frame received, and they both make forwarding decisions based on layer 2 addresses. In today's networks, switches are preferred because of their speed and versatility. Every switch is pre-configured with the default VLAN 1, which is a broadcast domain. Each switch port represents a single collision domain. If two switches are connected together, it just becomes a larger broadcast domain called VLAN 1. If a broadcast is sent on the segment, every device that is connected to the switch would also receive the broadcast. This includes any other switch that is attached, and every device that is attached to those switches.

Switch functions at layer 2.
Address learning, forwarding and filtering, and loop avoidance. With address learning, when a PC is plugged into a switch interface, spanning tree protocol is activated on the corresponding switch port, and the switch will learn the MAC of that PC. The MAC will be added to the MAC address table on the switch and associated with the interface of the switch that learned it. The MAC address is identified as the physical address beginning 00:0C in the graphic. To see your PC's MAC address, click Start, type cmd in the search bar and hit Enter. This will start Command Prompt; then type ipconfig /all.

In the image, switches learn host locations. If device A wants to send a message to device C, and this is their first communication, device A will not know device C's MAC address. Device A will send an address resolution protocol request, or ARP, to the IP address of device C. ARPs by default are broadcasts that basically say, whoever on this network has this specific IP address, please respond with your MAC address. The ARP request that is sent will include the MAC address of the device that sent it, in this case device A. The switch will then cache the MAC address of device A and associate it with the interface that it is plugged into on the switch. Every device connected to the switch will receive the ARP request, and every device that is not using the IP address that the ARP was intended for will ignore the ARP. Only device C will respond to the ARP, basically saying, I have that IP address and here is my MAC address. This response will include device C's MAC address. The switch will cache this MAC address and associate it with the interface that device C is plugged into. The switch will then forward the response from device C out the interface that device A is connected to. Device A now has the IP and MAC address of device C and can now forward a unicast message to device C.

Forwarding and filtering.
When a frame arrives at a switch interface, the destination MAC address is compared to the forward/filter MAC database. If the destination MAC is known and listed in the database, the frame is sent out that interface only. If the destination MAC is unknown, the frame is flooded out all active interfaces except the interface that received it. Every device that is not the intended destination MAC will ignore the frame. Only the device with that MAC will respond to the frame, and the switch will associate the destination MAC address with the interface that received the response.

Loop avoidance. Redundant links between switches help to prevent complete network failures in the event that a link fails, and this is a good thing. However, these redundant links between the switches may also cause switching loops, which can cause significant problems on the network. Switches forward broadcast messages, and they create one broadcast domain. This means that if a switch receives a broadcast, it will broadcast it out all active interfaces. This would mean that the other switch would receive the broadcast on the two interfaces that it shares with the switch that sent the broadcast, causing it to forward the broadcast back to the other switch. The broadcast would be sent back and forth between the two switches endlessly.

Loop avoidance, continued. The switches need a mechanism that would identify the possibility of a switching loop and be able to avoid it. Spanning tree protocol, or STP, has the task of identifying the potential for switching loops and taking steps to prevent them. Using the spanning tree algorithm, STP finds the redundant links dynamically and creates a spanning tree topology database. The switches exchange bridge protocol data units, or BPDU messages, with each other. The BPDUs contain the bridge ID and MAC address information of those switches. The switches use this information to hold an election to determine which switch will be in charge.
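The address learning, forwarding/filtering and flooding behaviour described above, plus the broadcast loop that two redundant links create, as an added simulation (example code written for this page, not from the original tutorial). Switch names, port names and host MACs are constructed; the hop budget stands in for "endlessly".

```python
from collections import deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

class Switch:
    """Address learning, forwarding/filtering and flooding of one layer 2 switch."""

    def __init__(self, name, ports):
        self.name = name
        self.ports = list(ports)
        self.mac_table = {}          # MAC address -> port it was learned on

    def receive(self, in_port, src, dst):
        """Process one frame; return the list of ports it is sent out of."""
        self.mac_table[src] = in_port                          # address learning
        if dst != BROADCAST and dst in self.mac_table:
            out_port = self.mac_table[dst]                     # forwarding: known unicast
            return [] if out_port == in_port else [out_port]   # filtering: same port, drop
        return [p for p in self.ports if p != in_port]        # flooding: unknown/broadcast

def run(switches, links, frames, max_hops=50):
    """Push frames through a topology. links maps (switch, port) -> (switch, port) for the
    switch-to-switch cables. Returns (frames processed, still circulating when we stopped)."""
    queue = deque(frames)                  # (switch name, ingress port, src MAC, dst MAC)
    hops = 0
    while queue and hops < max_hops:
        name, in_port, src, dst = queue.popleft()
        hops += 1
        for out_port in switches[name].receive(in_port, src, dst):
            peer = links.get((name, out_port))
            if peer:                       # the copy crosses the cable to the other switch
                queue.append((peer[0], peer[1], src, dst))
    return hops, bool(queue)

# Constructed sample MACs for hosts A and C
HOST_A, HOST_C = "00:0c:29:aa:bb:01", "00:0c:29:aa:bb:03"

def single_switch_demo():
    """A (port p1) sends to C (port p3) for the first time, then C replies."""
    sw = Switch("SW1", ["p1", "p2", "p3"])
    first = sw.receive("p1", HOST_A, HOST_C)   # C unknown: flooded out p2 and p3
    reply = sw.receive("p3", HOST_C, HOST_A)   # A already learned: sent out p1 only
    return first, reply, dict(sw.mac_table)

def redundant_link_demo(block_redundant_link=False, max_hops=50):
    """Two switches joined by two cables (p4-p4 and p5-p5). A broadcast from A keeps
    bouncing between them until the hop budget runs out, and A's table entry flaps
    between p4 and p5. Blocking one cable, as STP would, lets the broadcast die out."""
    ports = ["p1", "p4"] if block_redundant_link else ["p1", "p4", "p5"]
    switches = {"SW1": Switch("SW1", ports), "SW2": Switch("SW2", ports)}
    links = {("SW1", "p4"): ("SW2", "p4"), ("SW2", "p4"): ("SW1", "p4")}
    if not block_redundant_link:
        links.update({("SW1", "p5"): ("SW2", "p5"), ("SW2", "p5"): ("SW1", "p5")})
    return run(switches, links, [("SW1", "p1", HOST_A, BROADCAST)], max_hops)
```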
The switch that wins this election is identified as the root bridge. All of the interfaces on the root bridge will remain active. All other switches will be non-root bridges. The non-root bridges calculate the cost to get to the root bridge. The interfaces on the switches with the lowest calculated cost to the root bridge will be active. These interfaces are called root ports. If there are switches with the same cost to the root bridge, then the switch with the lower bridge ID is used. If a switch has multiple ports that can access the root bridge, the port with the lowest port number will be used. The port that is used is the designated port. This is the port with the best bandwidth to get to the root bridge.

Dynamic host configuration protocol. DHCP is a network management protocol that is used to automatically assign IP addresses to network devices; any device that is configured as a DHCP client can receive its TCP/IP configuration from the DHCP server on the network. This includes the IP address, subnet mask, default gateway, DNS server and WINS server. A DHCP server has to be configured with this information so it can share it with the clients. The server should be configured with enough addresses in the DHCP pool to be able to address all of the potential clients.

DHCP process. The DHCP client needs to talk to the DHCP server to receive an IP address. This procedure is called DORA: discover, offer, request and acknowledge. The client sends a DHCP discover request, which is a broadcast message, out on the network. Every device that is not a DHCP server ignores the message. The DHCP server responds to the message with a DHCP offer, basically saying, I am the DHCP server and I can offer you this address. The client then makes a DHCP request for the address. The server then sends the DHCP acknowledgment, acknowledging that the client has accepted the address that was offered.

Address Resolution Protocol, ARP.
Network hosts use the Address Resolution Protocol, or ARP for short, to discover and map the hardware address of a local peer to a specific destination IP address. In other words, ARP enables hosts to insert the correct destination MAC address in the layer 2 frame in order to reach the more universally recognized destination IP address in the layer 3 packet. Before sending a packet, a host consults its ARP cache, a table containing a mapping of all known IP addresses and the MAC addresses to which frames must be sent in order to reach each IP address. If the layer 3 destination IP address belongs to the same local network as the source IP address, then the host sends out a layer 2 broadcast packet destined to all Fs, asking all local peers: "If your IP address matches the destination IP address in this packet, please send your MAC address." If the host exists on the local network, then the ARP reply will carry that host's MAC address as the source MAC address in the layer 2 frame header. If the destination IP address belongs to a different network than the host's local network, then the packet is forwarded to the local gateway, complete with the destination MAC address of that gateway, but it will contain the destination IP address of the intended layer 3 host, also known as the endpoint. This process of checking the destination IP address against the network ID of the sender is vitally important to moving internetwork traffic across local segments from gateway to gateway until the final hop reaches a gateway that can locally reach the intended original layer 3 IP recipient.

Virtual local area network. VLANs are logical groupings of network devices. VLANs break up broadcast domains into smaller broadcast domains. A broadcast in a VLAN is contained within that VLAN. By default, devices in separate VLANs cannot communicate with each other, but devices that are in the same VLAN can. Different VLANs require a router to send traffic to each other.
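The ARP decision described above, local peer versus default gateway, followed by the request/reply exchange and the cache lookup, as an added example (written for this page, not code from the original tutorial). The host, gateway and peer MACs and the peer at 192.168.1.20 are constructed; the 192.168.1.5/24 host is the one from the framing example.

```python
import ipaddress

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

class Host:
    """A host's layer 3 send decision: ARP for a local peer, or hand the packet to the gateway."""

    def __init__(self, ip, prefix_len, mac, gateway_ip):
        self.iface = ipaddress.ip_interface(f"{ip}/{prefix_len}")
        self.mac = mac
        self.gateway_ip = ipaddress.ip_address(gateway_ip)
        self.arp_cache = {}        # IP address -> MAC address learned from ARP replies

    def next_hop(self, dst_ip):
        """Same network ID as ours: deliver directly. Otherwise the gateway is the next hop."""
        dst = ipaddress.ip_address(dst_ip)
        return dst if dst in self.iface.network else self.gateway_ip

    def arp_request(self, target_ip):
        """The all-Fs broadcast the host sends when the next hop is not in its ARP cache."""
        return {"dst_mac": BROADCAST_MAC, "src_mac": self.mac, "op": "request",
                "sender_ip": str(self.iface.ip), "target_ip": str(target_ip)}

    def arp_reply_received(self, reply):
        self.arp_cache[ipaddress.ip_address(reply["sender_ip"])] = reply["src_mac"]

    def send(self, dst_ip):
        """Return the ARP request that must go out first, or the frame once the hop is resolved."""
        hop = self.next_hop(dst_ip)
        if hop not in self.arp_cache:
            return self.arp_request(hop)
        # The frame carries the next hop's MAC but still the original destination IP
        return {"dst_mac": self.arp_cache[hop], "src_mac": self.mac,
                "dst_ip": str(dst_ip), "src_ip": str(self.iface.ip)}

def answer_arp(peers, request):
    """Only the peer that owns the target IP answers; every other peer ignores the request.
    peers maps IP string -> MAC string (constructed sample LAN)."""
    mac = peers.get(request["target_ip"])
    if mac is None:
        return None
    return {"op": "reply", "src_mac": mac, "sender_ip": request["target_ip"]}

# Constructed sample LAN: the gateway at .1 and one peer at .20
LAN = {"192.168.1.1": "00:0c:29:00:00:01", "192.168.1.20": "00:0c:29:00:00:20"}

def demo(dst_ip):
    """First send attempt produces an ARP request; after the reply the frame is built."""
    host = Host("192.168.1.5", 24, "00:0c:29:00:00:05", "192.168.1.1")
    request = host.send(dst_ip)
    host.arp_reply_received(answer_arp(LAN, request))
    return request, host.send(dst_ip)
```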
VLANs are subnets, or broadcast domains, from the perspective of a switch. Switches use the VLAN ID to determine which ports or interfaces to send a broadcast packet to. Switches are one broadcast domain by default, called VLAN 1. If two switches are connected together, it just becomes a larger broadcast domain, still named VLAN 1. Every device that is connected to these switches must share the same network ID; for example, they must all belong to the 192.168.1.0 subnet. If you wanted to logically divide the switch into multiple broadcast domains, all with different network IDs, then additional VLANs can be created on the switches. All interfaces on the switch belong to VLAN 1 by default. Assuming that you've created an additional VLAN named VLAN 2, any interface that you want to be part of VLAN 2 would need to be assigned to VLAN 2 using the GUI or the CLI. Now that you've created multiple VLANs, if you want to connect your switch to another switch that also has VLANs configured, the connection between these switches must be configured as a trunk link.

802.1Q tagging and trunking. Trunks are used to carry traffic that belongs to multiple VLANs between devices over the same link. A device can determine which VLAN the traffic belongs to by its VLAN identifier. The VLAN identifier is a tag that is encapsulated with the data. ISL, or Inter-Switch Link, and 802.1Q are two types of encapsulation that are used to carry data from multiple VLANs over trunk links. 802.1Q is the IEEE standard for tagging frames on a trunk and supports up to 4,096 VLANs. ISL is a Cisco proprietary protocol for the interconnection of multiple switches and maintenance of VLAN information as traffic goes between switches. In 802.1Q, a trunking device inserts a four-byte tag into the original frame and recomputes the frame check sequence before the device sends the frame over the trunk link. At the receiving end, the tag is removed and the frame is forwarded to the assigned VLAN.
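The Ethernet frame layout (length versus type field, unicast/multicast/broadcast destination, OUI), the FCS check from the error detection section, and the 802.1Q tag insertion and removal just described, as one added example (written for this page, not from the original tutorial). The preamble and SFD are omitted, an untagged frame is treated as native VLAN 1, and the source MAC and VLAN 20 are constructed sample values.

```python
import struct
import zlib

BROADCAST = bytes.fromhex("ffffffffffff")
TPID_8021Q = 0x8100          # tag protocol identifier that marks an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

def mac_str(mac):
    return ":".join(f"{b:02x}" for b in mac)

def classify_mac(mac):
    """Broadcast is all Fs; multicast has the I/G bit (low bit of the first octet) set."""
    if mac == BROADCAST:
        return "broadcast"
    return "multicast" if mac[0] & 0x01 else "unicast"

def fcs(body):
    # CRC-32 over destination MAC through the end of the data field, sent LSB first
    return struct.pack("<I", zlib.crc32(body))

def build_frame(dst, src, ethertype, payload, vlan=None):
    """Ethernet II frame (preamble/SFD omitted); vlan inserts a four-byte 802.1Q tag."""
    payload = payload + bytes(max(0, 46 - len(payload)))       # pad to the 46-byte minimum
    header = dst + src
    if vlan is not None:
        header += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)  # TPID + TCI, PCP/DEI = 0
    header += struct.pack("!H", ethertype)
    body = header + payload
    return body + fcs(body)

def parse_frame(frame, native_vlan=1):
    """Return the parsed fields, or None when the FCS check fails and the frame is discarded."""
    body, trailer = frame[:-4], frame[-4:]
    if fcs(body) != trailer:
        return None
    dst, src, offset = body[:6], body[6:12], 12
    vlan, tagged = native_vlan, False        # an untagged frame belongs to the native VLAN
    if struct.unpack_from("!H", body, offset)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", body, offset + 2)[0]
        vlan, tagged, offset = tci & 0x0FFF, True, offset + 4
    length_type = struct.unpack_from("!H", body, offset)[0]
    # 802.3: a value up to 1500 is a length; 1536 (0x0600) and above is a type
    if length_type <= 1500:
        kind = "length"
    elif length_type >= 1536:
        kind = "type"
    else:
        return None                          # reserved value between the two ranges
    return {"dst": mac_str(dst), "dst_class": classify_mac(dst), "src": mac_str(src),
            "src_oui": mac_str(src[:3]), "vlan": vlan, "tagged": tagged, "kind": kind,
            "length_type": length_type, "data_len": len(body) - offset - 2}

def strip_tag(frame):
    """What the switch at the far end of the trunk does: remove the tag, recompute the FCS."""
    body = frame[:-4]
    if struct.unpack_from("!H", body, 12)[0] != TPID_8021Q:
        return frame
    body = body[:12] + body[16:]
    return body + fcs(body)

# Constructed sample: host 00:0c:29:aa:bb:01 broadcasts an empty IPv4 payload in VLAN 20
SRC_MAC = bytes.fromhex("000c29aabb01")
TAGGED_FRAME = build_frame(BROADCAST, SRC_MAC, ETHERTYPE_IPV4, b"", vlan=20)
```

Flipping any bit of the frame before parsing makes the FCS comparison fail, which is the discard behaviour described under error detection.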
802.1Q does not tag frames on the native VLAN, which is VLAN 1 by default. It tags all other frames that are transmitted and received on the trunk.

This concludes our layer 2 networking tutorial. Please feel free to view some of our other videos. I hope this one was informative for you. Until next time, have a good day.