Session 6

The document discusses various aspects of network switching, including the evolution from Layer 2 to Layer 3 switches, their functionalities, and the differences between core, distribution, and access switches. It also covers MAC addresses, their formats, types, and methods for finding them, as well as the distinction between MAC and IP addresses. Additionally, it explains switching methods, duplex settings, and the MAC address table used by switches for efficient data forwarding.

Uploaded by

n478vcntbb

Session 6:

Today's agenda:
1) Switching
2) MAC Address
3) ARP, with attacks (spoofing, poisoning, and gratuitous)
4) VLAN

Switching history
1990s: Layer 2 Switches
Network switches (switches for short) are the evolution of network bridges whose behavior was defined by the Institute of
Electrical and Electronics Engineers (IEEE) in the standard IEEE 802.1 to connect two or more Ethernet segments. Switch
and switching are terms that do not exist in standards; they were introduced to indicate a multiport bridge.
Initially, switches were pure layer 2 devices that forwarded Ethernet frames without knowing their content and without
modifying the frames, thus providing connectivity for the many layer 3 protocols deployed in those days. The forwarding
model of layer 2 switches is straightforward and based on the exact lookup of the destination MAC address in a forwarding
(or filtering) table; this is usually accomplished with a hashing table, which is easy to implement in hardware. Layer 2
switches do not require any configuration; the forwarding table is initially empty and is populated by associating the source
MAC address of a frame being received with the port through which it is received - a technique called backward learning.
When the lookup of the destination MAC address fails (i.e., the association of the MAC address with a port has not yet
been done), the frame is forwarded on all ports other than the one it was received from - a technique named selective
broadcast.

2000s: The Introduction of Layer 3 Switches


In the 2000s, it became apparent that the only surviving layer 3 protocol was IPv4 (Internet Protocol version 4). Therefore,
it made sense to bypass the limits of the Spanning Tree Protocol by implementing IPv4 routing into the switches. Layer 3
switches were born. IP forwarding does not require blocking any port in the network, hence it can take advantage of all the
links in a network. Traditionally a Layer 3 switch forwards all traffic to a destination on the same path. However, a feature
called ECMP (Equal Cost Multi Path) makes it possible to load-balance traffic to each destination among multiple paths that are
considered to have the same cost according to the routing protocol in use, such as BGP (Border Gateway
Protocol).
Appreciating the difference between layer 2 (L2) forwarding and layer 3 (L3) forwarding is essential to understanding why
Layer 3 switches are substantially more complex than Layer 2 switches. At the IP level, forwarding is done packet-by-packet
by looking up the destination IP address in a forwarding table with a technique called LPM (Longest Prefix Match), which
is much more complex to implement in hardware than the exact, possibly hash-based, matching required in L2 switching.
Deploying LPM enables the routing table not to include all the possible IP addresses, but just prefixes, thus allowing for
larger networks without proportionally larger forwarding tables. A prefix is expressed as a combination of an IP address
and a netmask to identify which bits in the address represent the prefix. Being 32 bits long, a netmask is cumbersome to
write and not intuitive to understand; hence often the length of the prefix - or number of most significant bits in the
address that represent the prefix - is explicitly indicated (e.g., /16, /24).
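The longest-prefix-match lookup described above, as an added example (not part of the original notes). The route entries and next-hop names are constructed for illustration; the trie is a software sketch of what switch hardware does with dedicated lookup memory.

```python
import ipaddress


class LpmTable:
    """IPv4 forwarding table as a binary trie walked from the most significant bit."""

    def __init__(self):
        self.root = {}  # node layout: {0: child, 1: child, "hop": next_hop}

    def add(self, prefix, next_hop):
        # Accepts both notations from the text: "10.1.0.0/16" and "10.1.0.0/255.255.0.0".
        net = ipaddress.IPv4Network(prefix)
        bits = int(net.network_address)
        node = self.root
        for i in range(net.prefixlen):          # only the prefix bits are stored
            node = node.setdefault((bits >> (31 - i)) & 1, {})
        node["hop"] = next_hop

    def lookup(self, address):
        bits = int(ipaddress.IPv4Address(address))
        node = self.root
        best = node.get("hop")                   # a /0 default route lives at the root
        for i in range(32):
            node = node.get((bits >> (31 - i)) & 1)
            if node is None:                     # no longer prefix exists
                break
            best = node.get("hop", best)         # remember the deepest match so far
        return best


def netmask_to_length(netmask):
    """Convert a dotted netmask to a prefix length, rejecting non-contiguous masks."""
    value = int(ipaddress.IPv4Address(netmask))
    length = bin(value).count("1")
    if value != (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask: {netmask}")
    return length


def build_table():
    """Constructed sample routes; the next-hop labels are hypothetical."""
    table = LpmTable()
    table.add("0.0.0.0/0", "uplink")
    table.add("10.0.0.0/8", "core")
    table.add("10.1.0.0/255.255.0.0", "dist-1")
    table.add("10.1.2.0/24", "access-7")
    return table


if __name__ == "__main__":
    t = build_table()
    for ip in ("10.1.2.9", "10.1.3.9", "10.9.9.9", "8.8.8.8"):
        print(ip, "->", t.lookup(ip))
```

Four prefixes cover every possible destination here, which is the table-size saving the paragraph refers to; an exact-match L2 table would need one entry per address.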

2010: Modern L3 Switches


In the next decade, with the advent of even denser integrated circuits, layer 3 switches gained other functionality that can
be grouped in three categories.
What is the difference between Core Switch, Distribution Switch, and Access Switch?
How to choose: core switch vs distribution switch vs access switch. To sum up, the access switch connects devices to
the network. The distribution switch accepts traffic from all the access layer switches and supports more high-end
features. And the core switch is responsible for routing and forwarding at the highest level.
What Is Core Switch?
A core switch is not a specific kind of network switch. The term refers to the data switch that is positioned at the backbone or
physical core of a network. Therefore, it must be a high-capacity switch to serve as the gateway to a wide area network
(WAN) or the Internet. In short, it provides the final aggregation point for the network and allows various aggregation
modules to work together.
What Is Distribution Switch?
Similarly, the distribution switch sits in the distribution layer, and it links upward to the core layer switch and downward to the
access switch. It is also called an aggregation switch, and it functions as a bridge between the core layer switch and the access layer
switch. In addition, the distribution switch ensures that packets are appropriately routed between subnets and VLANs in the
enterprise network. A 10 Gb switch can usually serve as a distribution switch.
What Is Access Switch?
An access switch is generally located at the access layer, where it connects the majority of devices to the network; therefore it
usually has high-density ports. It is the most commonly used gigabit Ethernet switch which communicates directly with the
public Internet, mostly used in offices, small server rooms, and media production centers. Both managed and unmanaged
switches can be deployed as access layer switches.
Switch Speeds and Forwarding Methods
• Store-and-forward switching - This frame forwarding method receives the entire frame and computes the CRC. If
the CRC is valid, the switch looks up the destination address, which determines the outgoing interface. Then the
frame is forwarded out of the correct port.
• Cut-through switching - This frame forwarding method forwards the frame before it is entirely received. At a
minimum, the destination address of the frame must be read before the frame can be forwarded.
Note: A big advantage of store-and-forward switching is that it determines if a frame has errors before propagating the frame. When an error is
detected in a frame, the switch discards the frame. Discarding frames with errors reduces the amount of bandwidth consumed by corrupt data.
Store-and-forward switching is required for quality of service (QoS) analysis on converged networks where frame classification for traffic
prioritization is necessary. For example, voice over IP (VoIP) data streams need to have priority over web-browsing traffic.

Cut-Through Switching:
In cut-through switching, the switch acts upon the data as soon as it is received, even if the transmission is not complete.
The switch buffers just enough of the frame to read the destination MAC address so that it can determine to which port it
should forward out the data. The switch does not perform any error checking on the frame.
There are two variants of cut-through switching:
• Fast-forward switching - Offers the lowest level of latency by immediately forwarding a packet after reading the
destination address. Because fast-forward switching starts forwarding before the entire packet has been received,
there may be times when packets are relayed with errors. The destination NIC discards the faulty packet upon
receipt. Fast-forward switching is the typical cut-through method of switching.
• Fragment-free switching - A compromise between the high latency and high integrity of store-and-forward switching
and the low latency and reduced integrity of fast-forward switching, the switch stores and performs an error check
on the first 64 bytes of the frame before forwarding. Because most network errors and collisions occur during the
first 64 bytes, this ensures that a collision has not occurred before forwarding the frame.
Memory Buffering on Switches

Duplex and Speed Settings:


Two of the most basic settings on a switch are the bandwidth (“speed”) and duplex settings for each individual switch port.
It is critical that the duplex and bandwidth settings match between the switch port and the connected devices.
There are two types of duplex settings used for communications on an Ethernet network:
• Full-duplex - Both ends of the connection can send and receive simultaneously.
• Half-duplex - Only one end of the connection can send at a time.
Autonegotiation is an optional function found on most Ethernet switches and NICs. It enables two devices to automatically
negotiate the best speed and duplex capabilities.
Note: Gigabit Ethernet ports only operate in full-duplex.

• Duplex mismatch is one of the most common causes of performance issues on 10/100 Mbps Ethernet links. It occurs
when one port on the link operates at half-duplex while the other port operates at full-duplex.
• This can occur when one or both ports on a link are reset, and the autonegotiation process does not result in both
link partners having the same configuration.
• It also can occur when users reconfigure one side of a link and forget to reconfigure the other. Both sides of a link
should have autonegotiation on, or both sides should have it off. Best practice is to configure both Ethernet switch
ports as full-duplex.
Auto-MDIX
Connections between devices once required the use of either a crossover or straight-through cable. The type of cable
required depended on the type of interconnecting devices.
Note: A direct connection between a router and a host requires a cross-over connection.
• Most switch devices now support the automatic medium-dependent interface crossover (auto-MDIX) feature. When
enabled, the switch automatically detects the type of cable attached to the port and configures the interfaces
accordingly.
• The auto-MDIX feature is enabled by default on switches running Cisco IOS Release 12.2(18)SE or later. However, the
feature could be disabled. For this reason, you should always use the correct cable type and not rely on the auto-
MDIX feature.
• Auto-MDIX can be re-enabled using the mdix auto interface configuration command.

MAC Address history


A media access control address (MAC address) is a unique identifier assigned to a network interface controller (NIC)
for use as a network address in communications within a network segment. This use is common in most IEEE 802
networking technologies, including Ethernet, Wi-Fi, and Bluetooth. Within the Open Systems Interconnection (OSI)
network model, MAC addresses are used in the medium access control protocol sublayer of the data link layer.
1- What is a MAC address (media access control address)?
A MAC address (media access control address) is a 12-digit hexadecimal number assigned to each device
connected to the network. Primarily specified as a unique identifier during device manufacturing, the MAC
address is often found on a device's network interface card (NIC). A MAC address is required when trying to
locate a device or when performing diagnostics on a network device.
The MAC address belongs to the data link layer of the Open Systems Interconnection (OSI) model, which
encapsulates the MAC address of the source and destination in the header of each data frame to ensure node-
to-node communication.
Each network interface in a device is assigned a unique MAC address, so it's possible for a device to have
more than one MAC address. For example, if a laptop has both an Ethernet cable port and built-in Wi-Fi, there
will be two MAC addresses shown in the system configuration.

The Format of a MAC Address (Deals With IPv4)


Traditional MAC addresses are 12-digit (6 bytes or 48 bits) hexadecimal numbers. By convention, these
addresses are usually written in one of the following three formats, although there are variations:
• MM:MM:MM:SS:SS:SS
• MM-MM-MM-SS-SS-SS
• MMM.MMM.SSS.SSS
The leftmost six digits (24 bits), called a prefix, are associated with the adapter manufacturer (M). Each vendor
registers and obtains MAC prefixes as assigned by the IEEE. Vendors often possess many prefix numbers
associated with their products. For example, the prefixes 00:13:10, 00:25:9C, and 68:7F:74 (plus others) belong
to Linksys (Cisco Systems).

The rightmost digits of a MAC address represent an identification number for the specific device (S). Among all
devices manufactured with the same vendor prefix, each is given a unique 24-bit number. Hardware from
different vendors may share the same device portion of the address.
64-Bit MAC Addresses (Made To Deal With IPv6)
While traditional MAC addresses are 48 bits in length, a few types of networks require 64-bit addresses instead.
Zigbee wireless home automation and other similar networks based on IEEE 802.15.4, for example, require 64-bit
MAC addresses to be configured on their hardware devices.

TCP/IP networks based on IPv6 also implement a different approach to communicating MAC addresses
compared to mainstream IPv4. Instead of 64-bit hardware addresses, IPv6 automatically translates a 48-bit MAC
address to a 64-bit address by inserting a fixed (hardcoded) 16-bit value FFFE between the vendor prefix and the
device identifier. IPv6 calls these numbers identifiers to distinguish them from true 64-bit hardware addresses.

How to find MAC Address


Windows
For Windows-based machines, there are two ways to find the MAC address.

Method 1: Using the command prompt


Type cmd or command prompt in the search box of the taskbar. For older versions of Windows, right-click on the Start button, and select
command prompt from the menu.
Once inside the command prompt, type ipconfig /all, and hit Enter. This displays the network configuration.
Scroll down to the network adapter, and look for the value of the Physical Address field, which is the MAC address of the device.
Method 2: Without using the command prompt
Search and click on View network status and tasks in the taskbar, or search and navigate to Control Panel > Network and Internet > Network
and Sharing Center.
Right-click the network device whose MAC address needs to be viewed and click on Properties.
Look for the MAC address listed there.

Mac
• Click on the Apple icon in the top-left corner of the screen, and select System Preferences.
• Select Network.
• Select from the list the interface that needs to be used, and click on Advanced.
• Click on the Hardware tab, and find the listed MAC address.

Linux
• Log in as a superuser or with appropriate permissions.
• Open a terminal or console window.
• Type ifconfig.
• The MAC address is listed as HWaddr in a format similar to 12:34:56:78:AB.
Types of MAC addresses
There are three types of MAC addresses:
Unicast MAC Address
In Ethernet, different MAC addresses are used for Layer 2 unicast, broadcast, and multicast
communications.
A unicast MAC address is the unique address that is used when a frame is sent from a single transmitting
device to a single destination device.
The process that a source host uses to determine the destination MAC address associated with an IPv4
address is known as Address Resolution Protocol (ARP). The process that a source host uses to determine
the destination MAC address associated with an IPv6 address is known as Neighbor Discovery (ND).
Multicast MAC Address
An Ethernet multicast frame is received and processed by a group of devices that belong to the same
multicast group.
The destination MAC address begins with 01-00-5E when the encapsulated data is an IPv4 multicast packet and
with 33-33 when the encapsulated data is an IPv6 multicast packet.
It is flooded out all Ethernet switch ports except the incoming port, unless the switch is configured for
multicast snooping. It is not forwarded by a router, unless the router is configured to route multicast
packets.
Because multicast addresses represent a group of addresses (sometimes called a host group), they can only
be used as the destination of a packet. The source will always be a unicast address.
As with the unicast and broadcast addresses, the multicast IP address requires a corresponding multicast
MAC address.
Broadcast MAC Address
An Ethernet broadcast frame is received and processed by every device on the Ethernet LAN. The features
of an Ethernet broadcast are as follows:
It has a destination MAC address of FF-FF-FF-FF-FF-FF in hexadecimal (48 ones in binary).
It is flooded out all Ethernet switch ports except the incoming port. It is not forwarded by a router.
If the encapsulated data is an IPv4 broadcast packet, this means the packet contains a destination IPv4
address that has all ones (1s) in the host portion. This numbering in the address means that all hosts on
that local network (broadcast domain) will receive and process the packet.
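An added example (not part of the original notes) that ties together the MAC format section, the IPv6 identifier section and the three address types: it normalizes the written notations, classifies an address, and derives the 64-bit IPv6 interface identifier. Beyond what the text states, the modified EUI-64 procedure used by IPv6 (RFC 4291) also inverts the universal/local bit of the first octet, and the example does so; the device portions of the sample addresses are constructed.

```python
import ipaddress
import re


def parse_mac(text):
    """Accept colon, hyphen or dot separated notation and return the 6 raw bytes."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def format_mac(mac, sep=":"):
    return sep.join(f"{b:02X}" for b in mac)


def vendor_prefix(mac):
    """Leftmost 24 bits: the manufacturer prefix assigned by the IEEE."""
    return format_mac(mac[:3])


def classify(mac):
    """Unicast, multicast or broadcast, using the rules given in the text."""
    if mac == b"\xff" * 6:
        return "broadcast"
    if mac[0] & 0x01:                      # group bit: lowest bit of the first octet
        if mac[:3] == b"\x01\x00\x5e":
            return "multicast (IPv4)"
        if mac[:2] == b"\x33\x33":
            return "multicast (IPv6)"
        return "multicast"
    return "unicast"


def is_locally_administered(mac):
    """True when the universal/local bit is set (address not taken from a vendor prefix)."""
    return bool(mac[0] & 0x02)


def eui64_interface_id(mac):
    """Insert FFFE between prefix and device id, and invert the universal/local bit."""
    return bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:]


def link_local(mac):
    """fe80::/64 address built from the interface identifier."""
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + eui64_interface_id(mac)))


if __name__ == "__main__":
    # Constructed samples; 00:25:9C and 00:13:10 are the prefixes quoted in the text.
    for sample in ("00:25:9C:12:34:56", "0025.9c12.3456", "01-00-5E-00-00-FB",
                   "33:33:00:00:00:01", "FF-FF-FF-FF-FF-FF"):
        mac = parse_mac(sample)
        print(f"{sample:20} {format_mac(mac)}  {classify(mac)}")
    print(link_local(parse_mac("00:25:9C:12:34:56")))
```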
What is the difference between a MAC address vs. IP address?
Both MAC addresses and IP addresses serve the same purpose, which is to identify a device on a network.
While the MAC address identifies the physical address of a device on the same local network, the IP
address identifies the device globally or through its internet address.
Note: The following list highlights the key differences between a MAC address and an IP address.

Note: Here is a video on the difference between MAC address and IP address: https://youtu.be/_SxUlR6L-pk

MAC Address Table


The MAC address table is where the switch stores information about the other Ethernet interfaces to which
it is connected on a network. The table enables the switch to send outgoing data (Ethernet frames) on the
specific port required to reach its destination, instead of broadcasting the data on all ports (flooding).

The MAC address table can contain two types of entries:


• Static: Static entries are manually added to the table by a switch administrator. Static entries have
higher priority than dynamic entries. Static entries remain active until they are removed by the switch
administrator.
• Dynamic: Dynamic entries are automatically added to the table through a process called MAC
learning, in which the switch retrieves the source MAC address (and VLAN ID, if present) of each
Ethernet frame received on a port. If the retrieved address does not exist in the table, it is added.
Dynamic entries remain in the table for a predetermined amount of time (defined with the command
mac-address-table age-time), after which they are automatically deleted.
Dynamic MAC address learning does not distinguish between illegitimate and legitimate frames, which can
invite security hazards. When Host A is connected to port A, a MAC address entry will be learned for the
MAC address of Host A (for example, MAC A). When an illegal user sends frames with MAC A as the source
MAC address to port B, the device performs the following operations:
1. Learns a new MAC address entry with port B as the outgoing interface and overwrites the old entry
for MAC A.
2. Forwards frames destined for MAC A out of port B to the illegal user.
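The learning and forwarding behaviour described here and in the switching history section (backward learning, flooding on a lookup miss, ageing, static precedence), as an added simulation that is not part of the original notes. It reproduces the overwrite of MAC A's entry and records it as a MAC move event a defender can alert on; host addresses, port numbers and the violation log are assumptions of this model, not the behaviour of a specific switch.

```python
HOST_A = "00:13:10:00:00:0a"   # constructed sample addresses
HOST_C = "00:13:10:00:00:0c"


class MacTable:
    def __init__(self, ports, age_time=300):
        self.ports = list(ports)
        self.age_time = age_time   # seconds, like mac-address-table age-time
        self.static = {}           # mac -> port, set by the administrator
        self.dynamic = {}          # mac -> (port, last_seen)
        self.moves = []            # (time, mac, old_port, new_port)
        self.violations = []       # frames that contradicted a static entry

    def add_static(self, mac, port):
        self.static[mac] = port
        self.dynamic.pop(mac, None)

    def lookup(self, mac):
        if mac in self.static:                      # static entries win
            return self.static[mac]
        entry = self.dynamic.get(mac)
        return entry[0] if entry else None

    def learn(self, now, in_port, src):
        if src in self.static:
            if self.static[src] != in_port:         # not learned, only logged
                self.violations.append((now, src, self.static[src], in_port))
            return
        old = self.dynamic.get(src)
        if old and old[0] != in_port:               # same MAC, different port
            self.moves.append((now, src, old[0], in_port))
        self.dynamic[src] = (in_port, now)          # create or overwrite

    def receive(self, now, in_port, src, dst):
        """Process one frame and return the list of egress ports."""
        expired = [m for m, (_, seen) in self.dynamic.items()
                   if now - seen >= self.age_time]
        for mac in expired:
            del self.dynamic[mac]
        self.learn(now, in_port, src)
        group = int(dst[:2], 16) & 1                # broadcast and multicast
        out = None if group else self.lookup(dst)
        if out is None:                             # miss: flood except ingress
            return [p for p in self.ports if p != in_port]
        return [] if out == in_port else [out]


def demo(pin_host_a):
    """Host A sits on port 1; a frame carrying A's MAC then arrives on port 2."""
    sw = MacTable(ports=[1, 2, 3])
    if pin_host_a:
        sw.add_static(HOST_A, 1)
    sw.receive(0, 1, HOST_A, HOST_C)    # A is learned on port 1, frame is flooded
    sw.receive(1, 3, HOST_C, HOST_A)    # C is learned on port 3
    sw.receive(2, 2, HOST_A, HOST_C)    # source MAC A seen on port 2
    return sw.receive(3, 3, HOST_C, HOST_A), sw


if __name__ == "__main__":
    for pinned in (False, True):
        egress, sw = demo(pinned)
        print("static" if pinned else "dynamic", "-> traffic for A leaves on", egress,
              "moves:", sw.moves, "violations:", sw.violations)
```

With dynamic learning only, traffic for Host A ends up on port 2 and the single `moves` entry is the signal to alert on; with the static entry the table is unchanged and the contradicting frame is logged instead.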
ARP (Address Resolution Protocol) Table
The Address Resolution Protocol is used to dynamically discover the mapping between a layer 3 (protocol)
and a layer 2 (hardware) address. A typical use is the mapping of an IP address (e.g. 192.168.0.10) to the
underlying Ethernet address (e.g. 01:02:03:04:05:06). You will often see ARP packets at the beginning of a
conversation, as ARP is the way these addresses are discovered.

Over the years ARP has been greatly abused by attackers, due to its inherent security shortcomings.
• There is no way to validate MAC address ownership whenever an ARP request or response is
issued.
• ARP is stateless. Whenever an ARP response is received, hosts will create or update a cache entry
with the observed IP/MAC pair (regardless of whether they issued an ARP request or not).
• An initial ARP request can result in the requester’s IP/MAC pair being cached by hosts listening for
broadcasts; this is done to reduce ARP broadcast requests.

Normal ARP
ARP is used to dynamically build and maintain a mapping database between link local layer 2 addresses and
layer 3 addresses. In the common case this table is for mapping Ethernet to IP addresses. This database is
called the ARP_Table. Dynamic entries in this table are often cached with a timeout of up to 15 minutes,
which means that once a host has ARPed for an IP address it will remember this for the next 15 minutes
before it gets time to ARP for that address again.
ARP Spoofing
ARP spoofing occurs on a local area network (LAN) using ARP. ARP is a communication protocol
connecting a dynamic internet protocol (IP) address to a physical machine address. The latter is referred to
as a media access control (MAC) address. ARP directs the communication on the LAN.
For example, Host A on a computer network wants to connect its IP address to the MAC address of Host B.
Therefore, it sends an ARP request to all the other hosts on the LAN. Following this request, it receives an
ARP response from Host B, with its MAC address. The requesting host then stores this address on its ARP
cache, which is similar to a contacts list. This cache is sometimes referred to as an ARP table, as the
addresses are stored in the form of a table.
ARP spoofing refers to an attacker with access to the LAN pretending to be Host B. The attacker sends
messages to Host A with the goal of tricking Host A into saving the attacker’s address as Host B’s address.
Host A will ultimately send communications intended for Host B to the attacker instead. Once the attacker
becomes the man in the middle, each time Host A communicates with Host B, that host will in fact be
communicating first with the attacker. Host B will typically be the default gateway, or the router.

ARP Poisoning
ARP Poisoning (also known as ARP Spoofing) is a type of cyber-attack carried out over a Local Area Network
(LAN) that involves sending malicious ARP packets to a default gateway on a LAN in order to change the
pairings in its IP to MAC address table. ARP Protocol translates IP addresses into MAC addresses. Because
the ARP protocol was designed purely for efficiency and not for security, ARP Poisoning attacks are
extremely easy to carry out as long as the attacker has control of a machine within the target LAN or is
directly connected to it.

Gratuitous ARP
This is how ARP works when one of the hosts in the network asks for a mapping; however, this is not the only
way. So-called gratuitous ARP requests and responses are also possible, and they are usually abused
by attackers.
• Gratuitous ARP request: It is a request packet where the source and destination IP are set with the IP
of the machine that is issuing the packet and the destination MAC is the broadcast address.
• Gratuitous ARP reply: It is an ARP reply that has been sent without being requested.
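Detection logic for the ARP weaknesses listed above (no ownership check, stateless cache updates, gratuitous packets), as an added example that is not part of the original notes. It parses Ethernet/IPv4 ARP payloads, mirrors the create-or-update cache behaviour, and flags unsolicited replies, gratuitous ARP and changed IP-to-MAC bindings; the addresses, the two-second reply window and the packet trace are constructed assumptions, and only the 28-byte ARP payload is inspected, not the Ethernet header.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"      # htype ptype hlen plen oper sha spa tha tpa
REQUEST, REPLY = 1, 2

GW_IP, GW_MAC = "192.168.0.1", "00:13:10:00:00:01"      # constructed
A_IP, A_MAC = "192.168.0.10", "00:25:9c:00:00:0a"       # constructed
X_MAC = "68:7f:74:00:00:66"                             # constructed third host
ZERO, BCAST = "00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff"


def build_arp(oper, sha, spa, tha, tpa):
    """Pack a sample ARP payload for the detector below (nothing is sent)."""
    raw = lambda mac: bytes.fromhex(mac.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, raw(sha),
                       socket.inet_aton(spa), raw(tha), socket.inet_aton(tpa))


def parse_arp(payload):
    if len(payload) < struct.calcsize(ARP_FMT):
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP payload")
    text = lambda mac: ":".join(f"{b:02x}" for b in mac)
    return oper, text(sha), socket.inet_ntoa(spa), text(tha), socket.inet_ntoa(tpa)


class ArpMonitor:
    def __init__(self, reply_window=2.0):
        self.bindings = {}      # ip -> mac, updated the way a host cache would be
        self.pending = {}       # (requester_ip, target_ip) -> time of request
        self.changes = []       # (ip, old_mac, new_mac)
        self.reply_window = reply_window

    def observe(self, now, payload):
        oper, sha, spa, tha, tpa = parse_arp(payload)
        alerts = []
        if spa == tpa:                                  # sender announces itself
            alerts.append("gratuitous")
        elif oper == REQUEST:
            self.pending[(spa, tpa)] = now
        elif oper == REPLY:
            asked = self.pending.pop((tpa, spa), None)  # did tpa ask about spa?
            if asked is None or now - asked > self.reply_window:
                alerts.append("unsolicited-reply")
        known = self.bindings.get(spa)
        if known is not None and known != sha:
            alerts.append("binding-changed")
            self.changes.append((spa, known, sha))
        if spa != "0.0.0.0":                            # skip ARP probes
            self.bindings[spa] = sha                    # stateless create/update
        return alerts


def run_trace():
    """Constructed trace: a normal exchange, a forged reply, then the gateway re-announcing."""
    trace = [
        (0.0, build_arp(REQUEST, A_MAC, A_IP, ZERO, GW_IP)),
        (0.1, build_arp(REPLY, GW_MAC, GW_IP, A_MAC, A_IP)),
        (30.0, build_arp(REPLY, X_MAC, GW_IP, A_MAC, A_IP)),
        (60.0, build_arp(REQUEST, GW_MAC, GW_IP, BCAST, GW_IP)),
    ]
    monitor = ArpMonitor()
    return [monitor.observe(t, p) for t, p in trace], monitor


if __name__ == "__main__":
    alerts, monitor = run_trace()
    for number, found in enumerate(alerts, 1):
        print(number, found or "ok")
    print(monitor.changes)
```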

VLAN (Virtual Local Area Network)


A virtual local area network (VLAN) is a virtualized connection that connects multiple devices and network
nodes from different LANs into one logical network.
Virtual LAN: A logical separation of a local area network (LAN) into multiple segments within a single
bandwidth. One of the significant advantages of using this network is it’s customizable. This helps eliminate
the need to install several switches to connect to subnetworks, thereby generating more bandwidth. This
network system utilizes switch ports for its implementation. There are two ways to establish a virtual LAN:
static and dynamic.
Static: This network creation requires virtual LANs to connect to the port manually. It’s the most secure way
to create a virtual connection as the configurations cannot be altered without the administrator's
permission.
Dynamic: Dynamic creation requires software or intelligent tools to assign a virtual LAN to the port
automatically.
What is Trunking?
• A trunk is a point-to-point link between two network devices that carries more than one VLAN. A VLAN
trunk allows you to extend the VLANs across an entire network.
• One benefit of a trunk is that it can be used as one link instead of using multiple access links to
communicate between switches.
What is VTP (Virtual Trunking Protocol)?
VTP is a Cisco proprietary protocol used to maintain consistency throughout the network; in other words, it
synchronizes the VLAN information within the same VTP domain. VTP allows you to add, delete and
rename VLANs, and these changes are then propagated to other switches in the VTP domain.
VTP can be configured in the following modes:

Server mode
• Creates VLANs
• Modifies VLANs
• Deletes VLANs
• Sends and forwards advertisements
• Saved in NVRAM
• Default mode

Client mode
• Cannot create, change, or delete VLANs
• Forwards advertisements after taking a copy.
• Not saved in NVRAM

Transparent mode
• Creates local VLANs only
• Modifies local VLANs only
• Deletes local VLANs only
• Doesn’t advertise local configuration.
• Sends and forwards advertisements without being affected
• Saved in NVRAM
Configure VLAN
Assign Switchport
Managing VLANS
Configure a Trunk
▪ Switch> enable
▪ Switch # config t
▪ Switch (config) # interface fastethernet 0/24
▪ Switch (config-if) # switchport mode trunk
▪ Switch (config-if) # end
▪ Switch # copy running-config startup-config
Labs
Lab: 1
▪ Switch> enable
▪ Switch # config t
▪ Switch (config) # vlan 2
▪ Switch (config-vlan) # name IT
▪ Switch (config-vlan) # exit
▪ Switch (config) # interface fastethernet 0/1
▪ Switch (config-if) # switchport mode access
▪ Switch (config-if) # switchport access vlan 2
▪ Switch (config-if) # exit
▪ Switch (config) # interface fastethernet 0/2
▪ Switch (config-if) # switchport mode access
▪ Switch (config-if) # switchport access vlan 2
▪ Switch (config-if) # exit
▪ Switch (config) # vlan 3
▪ Switch (config-vlan) # name HR
▪ Switch (config-vlan) # exit
▪ Switch (config) # interface fastethernet 0/3
▪ Switch (config-if) # switchport mode access
▪ Switch (config-if) # switchport access vlan 3
▪ Switch (config-if) # interface fastethernet 0/4
▪ Switch (config-if) # switchport mode access
▪ Switch (config-if) # switchport access vlan 3
▪ Switch (config-if) # end
▪ Switch # copy running-config startup-config
SW 1
▪ Switch> enable
▪ Switch # config t
▪ Switch (config) # vlan 2
▪ Switch (config-vlan) # name IT
▪ Switch (config-vlan) # exit
▪ Switch (config) # interface fastethernet 0/1
▪ Switch (config-if) # switchport mode access
▪ Switch (config-if) # switchport access vlan 2
▪ Switch (config-if) # exit
▪ Switch (config) # interface fastethernet 0/2
▪ Switch (config-if) # switchport mode access
▪ Switch (config-if) # switchport access vlan 2
▪ Switch (config-if) # exit
▪ Switch (config) # vlan 3
▪ Switch (config-vlan) # name HR
▪ Switch (config-vlan) # exit
▪ Switch (config) # interface fastethernet 0/3
▪ Switch (config-if) # switchport mode access
▪ Switch (config-if) # switchport access vlan 3
▪ Switch (config-if) # interface fastethernet 0/4
▪ Switch (config-if) # switchport mode access
▪ Switch (config-if) # switchport access vlan 3
▪ Switch (config-if) # end
▪ Switch # copy running-config startup-config
SW 2
Switch1

▪ Switch> enable
▪ Switch # config t
▪ Switch (config) # interface fastethernet 0/24
▪ Switch (config-if) # switchport mode trunk
▪ Switch (config-if) # end
▪ Switch # copy running-config startup-config
Lab 2: Inter VLAN routing
Traditional Inter-VLAN routing
Cisco Systems Inc. All rights reserved. Cisco Public
How to configure traditional inter-VLAN routing?
Dividing a Physical Interface into Subinterfaces
How to configure modern inter-VLAN routing?
Physical interface vs. subinterface
Inter-VLAN routing using router
Router on a Stick
Configure Router for Inter-VLAN Communication:

▪ Router#configure terminal
▪ Router(config)#interface FastEthernet0/0
▪ Router(config-if)#no ip address
▪ Router(config-if)#no shutdown
▪ Router(config-if)#exit
▪ Router(config)#interface fastEthernet 0/0.20
▪ Router(config-subif)#encapsulation dot1Q 20
▪ Router(config-subif)#ip address 192.168.20.1 255.255.255.0
▪ Router(config-subif)#exit
▪ Router(config)#interface fastEthernet 0/0.10
▪ Router(config-subif)#encapsulation dot1Q 10
▪ Router(config-subif)#ip address 192.168.10.1 255.255.255.0
▪ Router(config-subif)#exit
▪ Switch > enable
▪ Switch # config t
▪ Switch (config) # interface fastethernet 0/24
▪ Switch (config-if) # switchport mode trunk
inter-VLAN routing using multilayer switch
Labs
VLAN with Trunk

Task: implement the network as shown in the figure above (VLANs Configuration).
Inter VLAN Routing.

Task 1: Implement the network as shown in the figure above.


Task 2: Set sub-interfaces and encapsulation method on the router interfaces in the same sequence shown in the figure
above
Task 3: Create VLANs in the same sequence of sub-interfaces you created before and ping
