BDC CH4e: Link Layer Supplementary Notes

Virtual Local Area Network (VLAN)

  • Multiple VLANs actually share the same physical infrastructure
  • Advantages of VLAN:
    • Creating multiple logical LANs on one physical device saves time and cost
      • Achieved by logical partitioning
    • Grouped hosts are managed within their corresponding VLANs
    • Improved security (hosts are kept in separate logical VLANs)
      • Prevents large-scale ARP traffic, and keeps the number of nodes per segment small enough to track
      • Hosts are tracked by VLAN ID
    • Cross-VLAN traffic must be delivered by gateway interfaces on a router (Layer 3)
      • To cross VLANs, traffic has to pass through a Layer 3 router

Access Port

  • A VLAN-enabled switch “pushes” the corresponding VLAN tag onto incoming packets
  • Each interface on the switch belongs to a specific VLAN
  • For the “Native VLAN” (untagged), the tag value = 1 (reserved value)
  • For other VLANs, the tag value corresponds to the VLAN ID (2~4095)
  • The VLAN tag is placed in the layer 2 header (VLAN ID)
  • The original packet carries no VLAN tag/ID; it is assigned when the packet reaches the switch
  • For outgoing traffic (at the last switch before the destination)
    • “Pop” the VLAN tag and forward the packet to the corresponding host

Trunk Port

  • Carries multiple VLAN tags (can transmit packets with different VLAN tags)
  • The backbone link between switches
  • The set of VLAN tags carried can be selected; not every VLAN has to be accepted

During transmission, the overall operation still satisfies the required layer 2 actions (e.g. ARP)

Access Port -> adds/removes the VLAN tag; Trunk Port -> forwards packets carrying different VLAN tags
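As an added example (not from the original notes), the access-port push/pop and the trunk-port allowed list above, written against the 802.1Q tag layout (EtherType 0x8100 followed by a 16-bit TCI, inserted after the two MAC addresses); the sample frame, VLAN numbers and function names are constructed.

```python
import struct

ETHERTYPE_8021Q = 0x8100
NATIVE_VLAN = 1          # untagged frames belong to the native VLAN (reserved ID 1)

def push_vlan_tag(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Access-port ingress: insert an 802.1Q tag right after the two MAC addresses."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    if not 0 < vlan_id < 4096:
        raise ValueError("VLAN ID must fit the 12-bit VID field")
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)   # PCP(3) | DEI(1) | VID(12)
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, tci) + frame[12:]

def pop_vlan_tag(frame: bytes) -> tuple:
    """Access-port egress: strip the tag. Returns (vlan_id, untagged_frame);
    an untagged frame is reported as belonging to the native VLAN."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return NATIVE_VLAN, frame

def trunk_accepts(frame: bytes, allowed_vlans: set) -> bool:
    """Trunk-port filter: forward only frames whose VLAN is on the allowed list."""
    vlan_id, _ = pop_vlan_tag(frame)
    return vlan_id in allowed_vlans

# Constructed sample: broadcast ARP frame (EtherType 0x0806) with a short dummy payload.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "0a0b0c0d0e0f" "0806") + b"\x00\x01\x08\x00"
```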

MAC Address Flapping

  • A switch learns MAC addresses and records them in its MAC address table
  • MAC address flapping can occur when a user moves to a different port
    • The same MAC address is recorded against two port numbers in the MAC address table
    • The switch then does not know which port to forward the packet to
  • Solution
    • After a period of time the entry in the MAC address table ages out, and the flapping disappears with it
    • A switch port can be configured to allow only specific MAC addresses
  • Security Problem
    • An attacker can change MAC addresses to fill up the switch’s MAC address table, so that no packets can be delivered (deliberately causing flapping)
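An added simulation (not from the original notes) of the MAC address table behaviour described above: a move between ports is recorded as a flap, aging clears the entry, and a per-port MAC limit refuses to learn beyond the configured count, which is the port-level mitigation the notes mention. Timings, MAC addresses, limits and names are constructed.

```python
class MacTable:
    """Toy switch MAC address table: learning with aging, flap detection, port security."""

    def __init__(self, aging_secs: int = 300, capacity: int = 8, max_per_port: int = 2):
        self.aging_secs = aging_secs        # entries age out and flapping clears with them
        self.capacity = capacity            # a full table forces the switch to flood
        self.max_per_port = max_per_port    # port security: MACs allowed per port
        self.entries = {}                   # mac -> (port, last_seen)
        self.flaps = []                     # (mac, old_port, new_port) events
        self.violations = []                # (port, mac) refused by port security

    def _expire(self, now: float) -> None:
        for mac, (_, seen) in list(self.entries.items()):
            if now - seen > self.aging_secs:
                del self.entries[mac]

    def learn(self, src_mac: str, port: int, now: float) -> bool:
        """Process a frame's source MAC on ingress; return True if it was recorded."""
        self._expire(now)
        known = self.entries.get(src_mac)
        if known and known[0] != port:
            self.flaps.append((src_mac, known[0], port))   # same MAC seen on two ports
        others = sum(1 for m, (p, _) in self.entries.items() if p == port and m != src_mac)
        if others >= self.max_per_port:
            self.violations.append((port, src_mac))        # refuse to learn: limit reached
            return False
        if src_mac not in self.entries and len(self.entries) >= self.capacity:
            return False                                    # table full, frame gets flooded
        self.entries[src_mac] = (port, now)
        return True

    def lookup(self, dst_mac: str, now: float):
        """Return the outgoing port, or None when the switch must flood."""
        self._expire(now)
        entry = self.entries.get(dst_mac)
        return entry[0] if entry else None

def mac_table_demo() -> MacTable:
    """Constructed trace: a host moves from port 1 to 2, then port 3 sees many fake MACs."""
    t = MacTable(aging_secs=300, capacity=8, max_per_port=2)
    t.learn("aa:aa:aa:aa:aa:01", 1, now=0)
    t.learn("aa:aa:aa:aa:aa:01", 2, now=10)           # user moved ports -> flap
    for i in range(5):
        t.learn(f"de:ad:be:ef:00:{i:02x}", 3, now=20 + i)
    return t
```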

Network Loop

  • A network loop usually occurs when a network has multiple active paths available for carrying information from one source to another destination
  • Avoid loops in the lower layers as far as possible
  • The transmission direction may become unknown
  • A large file is split into many packets; with a loop present, the delivery path is hard to determine -> high latency
  • Loop Problems
    • slow speed, irregular connections, network failure
  • The destination may receive the same packet twice

Broadcast Storm

  • An accumulation of broadcast and multicast traffic on a computer network that causes massive amounts of transmission
  • There is no “Time-To-Live (TTL)” value in the layer 2 header, so a frame can keep looping forever
  • When it happens
    • Loops in the network topology, faulty network devices, damaged NICs, security attacks, etc.
  • VLANs only keep VLANs from affecting each other; they cannot prevent a broadcast storm inside a single VLAN
  • How to prevent?
    • Enable a detection method
    • Set a per-port threshold value (broadcast control policy) -> a packet-rate threshold configured on the port
    • Deploy a security device (e.g. firewall) to filter abnormal broadcasts
  • Amounts to a Denial of Service (DoS)
  • Serious Problems
    • Smurf attack (broadcasts large numbers of ICMP packets to the target network with the source IP address replaced by the victim’s)
    • Fraggle attack (similar to the Smurf attack, but uses UDP broadcast packets with a forged source)
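An added example (not from the original notes) of the per-port threshold idea above: count broadcasts per port over a sliding window and drop them once the threshold is exceeded, flagging the port for an alarm. The threshold, window length, sample trace and names are constructed.

```python
from collections import deque

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

class StormControl:
    """Per-port broadcast threshold: once a port delivers more than `threshold`
    broadcasts within `window_secs`, further broadcasts from it are dropped."""

    def __init__(self, threshold: int, window_secs: float = 1.0):
        self.threshold = threshold
        self.window = window_secs
        self.recent = {}         # port -> deque of recent broadcast timestamps
        self.suppressed = set()  # ports currently over the threshold (alarm candidates)

    def admit(self, port: int, dst_mac: str, now: float) -> bool:
        """Return True if the frame may be forwarded, False if storm control drops it."""
        if dst_mac != BROADCAST_MAC:
            return True                      # unicast is not rate-limited here
        q = self.recent.setdefault(port, deque())
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()                      # slide the window forward
        if len(q) > self.threshold:
            self.suppressed.add(port)
            return False
        self.suppressed.discard(port)
        return True

def replay(ctrl: StormControl, trace) -> int:
    """Feed (port, dst_mac, time) samples through the controller; return the drop count."""
    return sum(0 if ctrl.admit(port, dst, t) else 1 for port, dst, t in trace)

# Constructed trace: port 1 is a normal host (about 3 ARP broadcasts/s);
# port 2 is attached to a looped segment and delivers 50 broadcasts within one second.
SAMPLE_TRACE = ([(1, BROADCAST_MAC, i * 0.3) for i in range(10)]
                + [(2, BROADCAST_MAC, i * 0.02) for i in range(50)]
                + [(2, "0a:0b:0c:0d:0e:0f", 0.5)])
```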

Spanning Tree Protocol (STP)

  • Protocol used to build a loop-free topology for Ethernet
  • Early versions did not support VLANs
  • Originally standardized as IEEE 802.1D; improved standards followed
    • 802.1w -> Rapid Spanning Tree Protocol (RSTP) -> quickly produces a new topology when the network changes (the faster convergence costs extra resources)
    • 802.1s -> Multiple Spanning Tree Protocol, which further supports per-“VLAN” spanning trees on the physical devices -> STP packets are sent within each VLAN
  • Redundant links are shut down and kept as backup paths
  • When STP is enabled, all switches (in the same LAN) constantly communicate with each other using BPDUs (Bridge Protocol Data Units) -> the information STP sends out
  • Using BPDUs, a switch can select the best connection towards the root bridge for forwarding traffic (and block the redundant link at the same time)
  • This information lets the network build a logical topology over the physical topology
    • Every bridge has a “bridge ID”
    • One port on each bridge is chosen as the “root port”
  • With STP enabled, detailed topology information can be learned from the BPDUs
  • Enabling STP finds the shortest paths and the spanning tree for the switches
    • converges to a loop-free topology
  • Ports are set to forwarding or blocking using information from the spanning tree
  • The redundant links to shut down are chosen according to weight (path cost)
  • How to calculate the “Path Cost”?
    • Default STP
      • 1 Gbit/s ÷ link bandwidth
    • Default RSTP
      • 20 Gbit/s ÷ link bandwidth
  • 5 types of port status during STP calculation
    • Blocking
      • BPDUs are still received so the spanning tree algorithm can determine whether this port should become active again
      • No data is forwarded, but BPDU data continues to be received
    • Listening
      • State not yet determined; no data is forwarded
      • No further transmission actions are processed
      • No data is forwarded, but BPDU data continues to be exchanged
    • Learning
      • Source MAC addresses are learned and put into the MAC address table by the switch
    • Forwarding
      • Monitors BPDUs to prevent loops
    • Disabled
      • Manually disabled on this port
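A simplified version of the election described above, as an added example (not from the original notes): the lowest bridge ID becomes root, root path costs use the page's default STP formula (1 Gbit/s ÷ bandwidth), each non-root bridge picks a root port, each link gets one designated port, and every remaining port is blocked. The topology, bridge IDs, tie-break order and function names are constructed assumptions; real STP learns these costs from BPDUs rather than from a global graph.

```python
import heapq

def stp_path_cost(mbps: int) -> int:
    """Default STP cost as given on this page: 1 Gbit/s divided by link bandwidth."""
    return max(1, 1000 // mbps)

def run_stp(bridge_ids: dict, links: list):
    """Simplified STP election. bridge_ids: name -> (priority, mac);
    links: (a, port_a, b, port_b, mbps). Returns (root, root path costs, port states)."""
    root = min(bridge_ids, key=lambda n: bridge_ids[n])  # lowest bridge ID becomes root
    adj = {n: [] for n in bridge_ids}
    for a, pa, b, pb, mbps in links:
        adj[a].append((b, pa, stp_path_cost(mbps)))
        adj[b].append((a, pb, stp_path_cost(mbps)))
    # Dijkstra from the root: every bridge learns its cheapest root path cost.
    cost = {n: float("inf") for n in bridge_ids}
    cost[root] = 0
    heap = [(0, root)]
    while heap:
        d, n = heapq.heappop(heap)
        if d > cost[n]:
            continue
        for m, _, c in adj[n]:
            if d + c < cost[m]:
                cost[m] = d + c
                heapq.heappush(heap, (cost[m], m))
    state = {}
    for a, pa, b, pb, _ in links:
        # Designated port: the end whose bridge is closer to the root (tie: lower bridge ID).
        a_wins = (cost[a], bridge_ids[a]) <= (cost[b], bridge_ids[b])
        state[(a, pa)] = "Forwarding" if a_wins else "Blocking"
        state[(b, pb)] = "Blocking" if a_wins else "Forwarding"
    for n in bridge_ids:
        if n == root:
            continue
        # Root port: the port whose neighbour offers the cheapest path to the root.
        _, port, _ = min(adj[n], key=lambda e: (cost[e[0]] + e[2], bridge_ids[e[0]], e[1]))
        state[(n, port)] = "Forwarding"
    return root, cost, state

# Constructed topology: a triangle where the S1-S3 link is only 100 Mbit/s.
BRIDGES = {"S1": (4096, "00:00:00:00:00:01"),
           "S2": (32768, "00:00:00:00:00:02"),
           "S3": (32768, "00:00:00:00:00:03")}
LINKS = [("S1", 1, "S2", 1, 1000), ("S1", 2, "S3", 1, 100), ("S2", 2, "S3", 2, 1000)]

def stp_demo():
    return run_stp(BRIDGES, LINKS)
```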
Link Aggregation (EtherChannel)

  • Link aggregation uses aggregating methods to combine multiple parallel network links into an EtherChannel between two devices
  • Also called bundling, bonding, channeling or teaming
  • Larger bandwidth and better redundancy
  • Physical links joined to the same group are seen as parts of one logical link, and they do not trigger the looping issue
  • Logically, two links are used as a single link

Static On Mode

  • A simple way to build an EtherChannel is Static On Mode, putting all related ports into the same group
  • There is no negotiation mechanism between the two ends of the ports, so there is a risk of loops

Port Aggregation Protocol (PAgP)

  • Cisco’s port aggregation method used to build an EtherChannel
  • Two modes in PAgP: Desirable and Auto
    • Desirable mode makes the switch send PAgP messages for negotiation
    • Auto mode just waits passively
  • At least one end must be Desirable for the channel to come up
  • Note: for PAgP aggregation, the configuration of each port must be the same

Link Aggregation Control Protocol (LACP)

  • LACP is the IEEE standard for aggregating ports to build an EtherChannel
  • Two modes in LACP: Active and Passive
    • Active mode makes the switch send LACP messages for negotiation
    • Passive mode just waits passively
  • At least one end must be Active for the channel to come up
  • Note: for LACP aggregation, the configuration of each port also must be the same