Cisco LAN Switching -- authors: Kennedy Clark Kevin Hamilton 心得筆記: # 1. part 1. Foundational Issues: * [ch1 introduction](#ch1-desktop-technologies) desktop technologies (legacy ethernet, lan frame, fast eth, Gigabit eth, token ring) p11; * [ch2 Segmenting-LAN](#ch2-Segmenting-LANs) Segmenting LANs(Why?, segment with bridge/switch/router) p40; * [ch3 Bridging-tech](#ch3-Bridging-tech) Bridging tech (Transparent bridging, switching mode, token ring bridging/switching, eth to token ring)p60; * ch4. Configuring the Catalyst(思科產品管理 p88) * [ch5 VLAN](#ch5-VLAN) VLAN (Why, vlan types, 802.11Q vlan interoperability, move usr in vlans, protocol filtering) p112 * part 2. spanning tree: * [ch6 intro to STP](#ch6-understanding-spanning-tree) understanding spanning tree (four step of decision, STP states, STP timers, BPDUs, per VLAN spanning tree p153) * [ch7 Advanced STP](#ch7-Advanced-spanning-tree) Advanced spanning tree (Spanning tree load balance, Fast STP Convergence, PVST+, Tips and Tricks p201) * part 3. Trunking: * ch8 truncking tech and app (Ethernet trunk, 802.10Enc, ATM Trunk p291) * ch9.truncking with lan emulation (ATM tutorial and LANE, configuration concept/syntax, Advanced issue SSRP p332) * ch10 truncking with multiprotocol over ATM(Asynchronous trafer mode). (Two ATM mode LANE and MPOA, MOPA overview and configuration, Trobleshooting MPOA network) * part 4. Advanced Features: * ch11. Layer 3 switching (routing key to large network, router on a stick/ configured trunking protocol ISL or 802.1Q, RSM--router switch module, routing switch/ switch routing p425) * ch12. VLAN truncking protocol (VTP modes, working mechanics, configuration VTP mode) * ch13. multicast and boardcast service :::spoiler 後續進階實戰 * part 5. Real-World Campus design and implementation * ch14. Campus Design Models ::: ### ch1 desktop technologies (legacy ethernet, lan frame, fast eth, Gigabit eth, token ring) p11 :::spoiler 抒發 哇...好扯 我Cisco LAN switching以及linux kernel networking 這兩篇心得筆記文 這三周 都打超過900行了，每天沒事就來看 就來打 `習慣`真的很可怕。 累累 ::: `CSMA/CD`: listening before speaking(設備偵測idle 產backoff 值減到0就傳輸，若訊號衝撞就擾亂它並重產backoff循環). MAC 48 bits 分前24bits `OUI`組織唯一標識符 後24bits `NIC`網路介面卡編號 boardcast addr : FF-FF-FF-FF-FF-FF routers send IP RIP(Routing Information Protocol) updates every 30 seconds. The router transmits the update in a broadcast frame Ethernet format: 6byte DA, SA, 2bytes Type上層L3協定幫解碼, 1500 Data or 802.3 replace type by length: DA, SA, Length封包長度, 1500 Data. (三種: raw 802.3, or 802.3 with LLC, or 802.3 with SNAP)  fast ethernet: 100Mbps, twisted-pair cable, 100BaseT(用 電話系統的 Category 3雙絞線) 100BaseX 讓新系統(fast eth)與舊系統(legacy eth)共容，不須換header (用C5雙絞線 or 光纖) 100BaesX use hub with point to point link 因始可全雙工（同時收送,因為 ptp 而非legacy的shared link只能半雙工） 1000BaesX is Gigabit eth, (802.3x, 100BaseX, 1000BaesX)flow control mechanism, 收方 send pause frame to request stop sending (因receiver buffer滿) 為了支援不同的傳輸媒介，在PMD與CSMA/CD間 又訂了媒介無關界面 MII，方便不須修改全部設備，就可支援新的高速協定 高速傳輸 不適合用clock encoding([曼徹斯特編碼](https://zh.wikipedia.org/zh-tw/%E6%9B%BC%E5%BD%BB%E6%96%AF%E7%89%B9%E7%BC%96%E7%A0%81))，high clock rate導致UTP雙絞線上傳輸錯誤，因此改用bit encoding，確保收端能達成同步接收。 Autonegotiation自動協商讓兩網卡能協調連線參數，送FLP 一種link test並依照預先訂好優先權(eg 全雙工優先, 網速高優先)，讓雙方定好參數 100BaseTX uses an encoding scheme like Fiber Distributed Data Interface (FDDI) Class1 repeater latency略高 但可轉換輸入訊號去編碼轉換來 support different media type Class2 repeater latency較低 適合大型網路，但無法編碼轉換，只能統一編碼 fast eth另一用途是backbone segments，企業網路常有層次結構，Trunking tech and app consider the use of fast eth to interconnect switch toghter as a backbone. Gigabit Ethnet 1000Mbps 一樣CSMA/CD frame，UTP Category 5，為提升效率，引入Carrier extension and Frame bursting 提供 流量控制的全雙工點對點鏈路(full duplex ptp link)，與 半雙工共享衝撞特性的網域 (half duplex shared collision) Gigabit eth: will not be used to connect directly to clients any time soon. 線路的長短與傳送速度成反比(因為大家都速度快，易衝撞，而衝撞就要讓大家知道。) Gigabit Ethernet Interface Converter (GBIC) configure an interface with external components rather than purchasing modules with a built-in interface type. slot time 由網路中最長的來回傳遞延遲時間所推算 目標要讓 送端可因 沒偵測到衝突 而確保傳送成功，或是發生衝突，讓大家(目標)知道這訊號有問題。 載波延伸: 本來 高速網Giga 就會變更slot time與 最短訊框，但這出現一個問題，server端用高速(1000)而client只有10/100，改動最短frame長度對client端困擾，要克服slot time與最短Frame 差異 就引伸出carrier extension: 最短訊框的長度仍然為512bits(同10/100 eth), 成功傳輸 所需的 載波監測最短時間則增加為512 bits，透過不足部分在FCS做extension (特別設計的載波符號) Frame burst: 允許在工作站一個burst中送多筆frame，中間以載波延伸分離，以及96位元的訊框間隔。(像是3台機器網路 你知道A每30分有大量需求傳輸，透過burst timer啟動，來做多frame傳輸) ### ch2 Segmenting LANs (Why?, segment with bridge/switch/router) p40; segment多種好處: 更高頻寬，更多用戶，分區管理不用更新所有設備。  repeater: 不考慮輸入訊號種類，單純加強訊號，也不filter不檢查錯誤 Hub: are multiport repeater 這類有extend collision domain problem，大家共享頻寬，collision則大家都慢，也不增加每網段用戶量極限 531 rules: 要讓最遠兩端能知道collision. rules state that up to five segments can be interconnected with repeaters. But only three of the segments can have devices attached. Bridge: 具filter(相比hub不具，任何frame會到所有主機)，分割網路，但並不會隔離廣播或多點傳播的封包， store and forward, 並且紀錄mac addr/ port table(hub無table)。 Switch: multiport bridge(結合集線器與橋接器功能), 有table紀錄mac addr, 有addr learning, frame forwarding.  Each user then has all of the local bandwidth to himself, only one station and the bridge port belong to the collision domain. This is, in effect, what switching technology does. 且可extend to full distance, 每個網段也有其slotTime value(衝撞時間通知 對應 距離最大長度) bridge 80/20 rules: efficient when 80 percent of the segment traffic is local and only 20 percent needs to cross a bridge to another segment router prevent broadcast from propogate across network.因此路由不只區分collision 還區分boardcast domain，設備就會認知道路由的存在  工作站檢查addr 發現目的與自己不再同個LAN 就找router mac addr 送給router(or using ARP 問MAC位址)  注意這data flow是基本，IP來源與目的端基本不變，通常做的是DMAC, SMAC變動，如同wifi那本書講wifi to eth 也是變換DMAC與SMAC 以及這例子，廣播不propogate也是因router自帶broadcast domain 區分，而bridge無法做區分，switch則是配合VLAN才做區分。 Segmenting LANs with Switches: EtherSwitch was a glorified bridge in that it offered many ports to attach directly to devices rather than to segments. Each port defined a separate collision domain providing maximum media bandwidth for the attached user. LAN switch is a multiport bridge that allows workstations to attach directly to the switch to experience full media bandwidth and enables many workstations to transmit concurrently It is possible to design the switch so that ports can belong to different broadcast domains as assigned by a network administrator  If you create `five VLANs, you create five virtual bridge functions within` the switch. Each bridge function is logically isolated from the others. | Switch | Bridge | | -------- | -------- | | can divide broadcast domain with VLAN | dont division broadcast domain | | can cut through, fragment free, store and forward | store and forward | | can error checking | can't error checking | | has buffer | dont have buffer | | forward based on hardware (ASICS) | forward based on software | ### ch3 Bridging tech (Transparent bridging, switching mode, token ring bridging/switching, eth to token ring)p60; five main processes of transparent bridging. These include Forwarding, Flooding, Filtering, Learning and Aging. bridge protect network and eliminate loop. eth use transparent bridging and STP, token ring use source-route-bridge Bridges learn only unicast source addresses. A station never generates a frame with a broadcast or multicast source address. `five state of bridging`  Flooding: bridge must send an unknown unicast frame out all forwarding interfaces except for the source interface.(將未知單播地址 或multicast/boardcast轉送給全部port，這也是後續要用VLAN作邏輯區分網路，控管的原因) Filtering occurs when the source and destination reside on the same interface.(當來源與目的在同個接口時，不須轉發，直接過濾) A bridge forwards a frame when the destination address is a known unicast address, and the source and destination are on different interfaces(目標位址已知，就轉送單播到不同接口) Aging: aging timer helps to limit flooding by remembering the most active stations in the network.(更新 最常活動的工作站，也能避免floding過多) MAC address belongs to only one VLAN at a time. 1(VLAN) MAC-addr 1/2 (relative port location)  The switch can be configured to behave as multiple bridges by defining internal virtual bridges (i.e., VLANs). Each virtual bridge defines a new broadcast domain because no internal connection exists between them. Broadcasts for one virtual bridge are not seen by any other. Switch可以透過定義 內部虛擬橋接VLAN 來配置多個bridge，每個VLAN訂一個新的廣播域，一個VLAN的廣播不被另一區知道。 三種switching mode: store-and-forward(reliable, slow, but slow is not problem in very high speed), cut-through(can't check FCS, ), and fragment-free.  adaptive cut-through: defualt cut-through, selective use store and forward(當偵測太多錯誤就轉成store and forward mode) Fragment-free switching forwards aframe after it receives the first 64 octets of the frame. Fragment-free switching protects the destination segment from fragments, an artifact of half-duplex Ethernet collisions. In a correctly designed Ethernet system, devices detect a collision before the source finishes its transmission of the 64-octet (因為正確設置的eth系統，支援最遠距離雙方能偵測到collision(in 64 octets)，並立即擾亂訊號通知其他主機，) Token Ring use source route birdging: each ring is uniquely identified (1~4095), Valid bridge identifiers include 1 through 15  先檢測是否在同ring, 是直接溝通無需bridge，不再同ring就在frame包入RIF(routing information field)，此bit叫RII標示ring存在。 乙太網路中，站點都透過匯流排拓撲競爭網路存取權，而令牌環則，確保站點都有預定傳輸的機會，令牌環成本更高，設定也更費力 token ring也大多轉移到fast eth, 因其頻寬緣故。 SNAP encapsulation approach was devised to carry the Protocol_Type value across IEEE 802-based networks (子網路存取協議，封裝資料乘載協議在802網路上溝通 eg eth to token ring or eth to wifi) However, translatio nal bridges must be aware of the protocols to be translated. The best solution, though, is to use routing to interconnect mixed media networks (L3 switching). ### ch5 VLAN (Why, vlan types, 802.11Q vlan interoperability, move usr in vlans, protocol filtering) p112 #### VLAN將實體不一定連一起的設備，以邏輯的方式連結起來，使其有不同broadcast domain(以往用router做分區broadcast domain現在有VLAN)。 與路由區分廣播domain不同(直接根據設備看出幾區)，用switch做broadcast domain區分，must examine configuration files in a VLAN environment to determine where broadcast domains terminate(一定去看VLAN參數 因port可能屬於不同VLAN) VLANs define `broadcast domains` in a Layer 2 network. A switch is a multi-port bridge that allows you to create multiple broadcast domains.(交換機就是多孔橋接，還可建立多個廣播區域) Layer 3 internetworking devices must interconnect the VLANs. You should not interconnect the VLANs with a bridge. Using a bridge merges the two VLANs into one giant VLAN. Rather, you must use routers or Layer 3 switches to interc onnect the VLANs. (建議用L3 網路設備來連接VLAN，而不要只用BRIDGE? WHY?) Each bridge within the switch corresponds to a single VLAN.  傳統傳輸flow  在MLS(mutli layer switching) 建議一種新的newflow，建立shortcut快擷，不用到ROUTER而是switch就可做判斷了 (MLS 的目的是在兩個 VLAN 之間建立快捷方式，以便交換器可以在兩個終端設備之間執行「路由」)  另一種L3 switching -- MPOA, even eliminates the need to repeatedly pass a frame through the switched cloud. 分兩類型VLAN定義如何存MAC addr 在bridge table中: SVL and IVL(better.. allows the same MAC address to appear in different broadcast domains) SVL constrains a MAC address to only one VLAN.(not good when devices or protocols reuse MAC addresses in different broadcast domains) :::spoiler [side note about forwarding in detail](https://ithelp.ithome.com.tw/m/articles/10240841) router store IP table(IP/IP(next hop)) and forwarding table(IP/MAC), 當一unknow ip package arrive, check ip table有無match的nexthop(有多個 就以最長前綴匹配找，IP目的不動因是最終目標端，只改動MAC目的為next hop的路由設備，以及source mac addr為自己設備 ), 若無 則依照預設的路由送，而forwarding table是檢查 IP與MAC最終目的設備是否就在我這網區(問MAC 用IPv4 ARP 或是IPv6 NDP)，是我就送給此設備。 ::: #### five issues that warrant imple mentation of a VLAN: 1. network security (因shared media(legacy network)使pwd, email等可能給全部設備收到(它們check是否給自己 不是就丟，但有安全疑慮) 所以用VLAN解) 2. broadcast distribution (影響網路效能，因大多廣播不帶user data, 且沒必要給所有device，解法就 用VALN建更細分的broadcast domain) 3. Bandwidth utilization (shared media上接的設備越多，頻寬越不夠，解法VLAN port分區，使不同broadcast domain有其享用(concurrent transmission)的頻寬) 4. network latency from routers (舊軟體與路由 比swtich慢，造成壅塞網段，建議把accounting user into one VLAN使無須跨多個路由或網段，減少延遲， 若一定要過路由，就啟用L3 switching減少路由延遲) 5. complex access list (設備常用access list 控管流量，允許拒絕等，透過VLAN可使access list 簡化設計(不用整間公司list, 而可分小部門)，並對需求精細化(根據部門需求來設計access list等等)) 看起來VLAN很美好，但還要引入STP與broadcast domain分隔，也確實使網路更複雜。 Logistics Issues in a Legacy Network  VLAN 跟這些switching tech無法幫助L1, L3, app曾要解決的issue, 無法implicity保證bandwidth, 但可讓你flexiable install more bandwidth, 而不用改動(redegisning)整個網路 eg eth to fast/Giga eth , 以及移動用戶時，去改其VLAN所屬資訊即可(屬於同broadcast domain 路由/防火牆就不過濾，即使在不同phy location) 以上是end to end VLAN 隨著網路擴大 越多bridge引入與STP複雜化，會建議部署L3 distribution 方法做VLAN 來簡化STP複雜度 #### L3 distribution for network access menagement and load distribution  L3 switching(適合以IP addr在不同VLAN 或子網進行路由) it enables load balancing, which is not easily obtainable in a Layer 2 design.  為PORT設定VLAN後，可能該設備很常移動，不想重複，可動態分配VLAN(根據第一次設定後 將該vlan port 對應設備MAC資訊給VMPS存，以後變動就依照此VMPS存的紀錄作自動動態VLAN分派 (configures port to correct VLAN)) 3 components enable a dynamic VLAN environment: 1, TFTP(簡單檔案傳輸協定) server. VMPS(VLAN管理原則伺服) database resides as a text file on the TFTP server. 2, VMPS server, reads the database from the TFTP server and locally remembers all of the data. Dynamic VLAN clients interrogate the VMPS whenever a device attaches to a port on the switch. (VMPS伺服從TFTP伺服讀 VLAN與port資料，且當設備接上port時，VMPS客戶端詢問伺服VLAN資訊) 3, the VMPS client, communicates with the VMPS server using UDP [NETCONF取代SNMP用XML標記語言與RPC溝通](https://cshihong.github.io/2019/12/29/Netconf%E5%8D%8F%E8%AE%AE%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/) port based VALN: 以bridge port為基本單位，管理設定軟體 規劃 VLAN應包含哪些port，設定容易但少彈性(移動性問題)，所以此書才提到用VLAN 管理原則伺服器 (VMPS)讓設備學到資訊(MAC/VLAN)後 傳到此伺服器上，後續變動就從此伺服器拉資訊下來，確認屬於哪個VLAN MAC based VLAN: 優點在移動性。虛擬網路工作站移動至別的port時，bridge 仍可以由addr learning功能得知此工作站port，並且維持VLAN communication IP subnet-based VLAN: 以IP subnet為基本單位，管理設定 VLAN對應的ip subnet(prefix 140.114.76.xx vs 140.114.78.xx) Layer 3 based VLAN: 成員以工作站用的 IP/IPX(應用在允許設備APP和另一台透過網路溝通)，管理設定 軟體來規劃VLAN用哪種協定 (VLNA1 IPX and VLAN2 IP) 使用此類 主要因素是IP封包與IPX封包並不相容 (IPX 端點間 常應用在網路遊戲，封包與IP不相容) 對於每個虛擬區域網路，橋接器須記錄兩個集合: * 成員集合(Member set, Port IDs) 虛擬網路經由哪些連接埠可到達成員 * 無標籤集合(Untagged set, Port IDs) 哪些連接埠上傳送的訊框不須貼上標籤  SVL: 每個虛擬區域網路學習到的位址將會與所有虛擬區域網路共享 IVL: 每個虛擬區域網路學習到的位址將自己使用, 不與其他虛擬區域網路共享 通常SVL與IVL學到的一樣，但特殊情況下(addr reuse/ port resue)，SVL會造成問題， :::spoiler example of SVL vs IVL correct IVL  wrong SVL  就像此書所說，當我只有SVL，addr/port重複使用會有問題，B到A要過自己VLAN 到Y port再轉到Xport 進VLAN RED，可是SVL裡只有一個table 且出於addr learning (在過去A->B的路線 配合前一圖，他以為A from port 4!，就造成此圖的荒謬了) 三種情況需要處理SVL: 連接多個獨立虛擬網路 MAC位址重複 非對稱性虛擬網路 ::: 訊框貼上標籤的主要目的: 攜帶虛擬網路辨識碼 將使用者優先權的資訊加入那些無法攜帶優先權資訊的訊框 做三件事: 1.Tag Header 2. 網路型態不同(eth to token)就encapsulation 3. 重算FCS tag編碼分兩種 SNAP 與 ethernet格式:  TPID: 為標籤通訊辨識碼，2bytes, TCI標籤控制資訊，包含user priority , CFI 與VID GVRP是[GARP](https://blog.csdn.net/Kuaisen/article/details/112793572)的一個應用元件，提供虛擬網路註冊服務 使用GID(12位 虛擬網路辨識碼)與GIP(propogation) bridge and station 都可送出 或取消 VLAN的宣告(讓收到的 參與者將 該宣告代的GID 加入port輸出名單中)， 解釋VLAN: VLAN將實體位置不同的設備，來邏輯上視為同一區去管理，也有流量控管與filter機制。 為甚麼需要 是因為沒VLAN時，bridge將轉送廣播frame至所有port，浪費頻寬與安全問題 ，所以VLAN可以做broadcast domain分區，避免廣播propogate到其他區的設備 VLAN分三層式架構: 1.VLAN參數設定(MIBs一種樹狀結構，管理網路資料的資訊庫，描述被管理的網路資料物件，是SNMP重要組成元素) 2.配送參數( delcarition 透過GARP通用屬性註冊協議(提供分發，註冊 vlan/組播addr等訊息 的手段) 以及 request/reply [SNMP簡易網路管理](https://www.cc.ntu.edu.tw/chinese/epaper/0047/20181220_4707.html)交換網路管理中的資訊) 3.訊框轉送 Relay為frame上tag (Ingress將收到frame對應VLAN，forwarding 決定frame由哪port，Engress 對frame增刪tag。) 解釋SNAP: 網路管理協定，透過Request/reply向被管理裝置上的監控軟體，查詢其設備資訊與狀態 解釋VLAN參數如何用SNMP管理? SNMP Object 都以 "物件描述樹" 來描述 MIB 為樹狀結構，每節點代表一個管理群組或物件（eg. snmp or TCP/IP），其leaf為 SNMP Object 的"訊息"（如 tcpRtoAlgorithm）。 節點都有編號 `物件識別值OID`  Network Management System (NMS)：網路管理系統負責管理與監控網路設備的軟體 解釋Trunk Link, Access Link: `Access link`是一個網路區段將多台非虛擬(no vid)連置虛擬橋接(has vid)的接口，此link上frame都用隱性標籤，不貼VID `Trunk link`在VLAN BRIDGE間的網路區段轉送不同VLAN frame，要求frame要填顯性標籤 `Hybrid link`是依網路區段連接虛擬與(非)虛擬設備，指要求標籤要統一，統一顯性or統一隱性 ### ch6 understanding spanning tree (four step of decision, STP states, STP timers, BPDUs, per VLAN spanning tree p153) STP: loop prevention protocol create tree structure that span entire L2 network. 最簡單例子，有迴圈，flooding時(無法辨認封包給誰，就flood to all port)，會inf loop(也因eth header dont have TTL). BPDU: 傳送STP 資訊的data unit，包括root BID BID, RPC(root path cost), port id等等共35bytes. 建立STP 都是根據 port `收到BPDU資訊`(bridge id fro root bridge selection, rpc for root port and designate port)  time1. bridge z port n 收到BPDU的rpc 38, 就代理LAN w 為port m 以及 通過m 轉發 自己更新的BPDU 到root rpc is 38 + port n cost 10 = 48 time4. Y rpc 53, root port k and X rpc 58 , root port j time5. X 從i port收到rpc 20 , 我更新BPDU rpc 20+ i cost 15 = 35 我要當代理 以及我優勢的BPDU轉發 讓其他bridge 有機會更新其root port time9. Y從l 收到rpc 25 ,更新BPDU rpc 25+ l cost =30 我要當代理 轉發優勢BPDU 注意 每個port都存一份 最有優勢的BPDU copy ，說到底 一切資訊交換就是based on BPDU info! 所以bridge用以下四準則，決定留哪分BPDU copy給對應port(比較此port收到的所有BPDU) 選擇準則: 1. 比bridge id，選root bridge時才用 2. 比root path cost 3. 比bridge id 4. 比port id(4 bits priority, 12 bits interface) 初始選舉，每個bridge都想當root(每2s發BPDU), 也是用這套選擇標準，當收到更優的BPDU，我就幫其轉發表示對方更能當root，以及當收不到鄰居更優BPDU超過20s，我就開始送自己BPDU two type BPDU: Configuration BPDUs and Topology Change Notification (TCN) BPDUs. 解釋STP流程: 1.決定root bridge(由2bytes priority(0~65535, default 32768) + 8 bytes MAC addr 組合成) 選最低bridge id者為root bridge 2.為每個switch決定root port(從此port到root的cost最低) 3.為每個區網決定代理port(從此port到root 的cost最低) Remember that STP costs are incremented as BPDUs are received on a port, not as they are sent out a port. (根據BPDU來想就好了，B從port2送到A的port1 自然我port1計算是根據B Port2出來的BPDU!) `port state`  輸掉的port就進blocking state直到TCN通知重學習STP 而代理與root port 在15(預設)秒後 進入learning(尚不可傳usr data, 但默默監聽整個bridge來建表，學習就如ch3前述addr learning將MAC與port以及timer(更新最活躍)放入table中), 再15秒後進入Forwarding state 2 key points to remember about using the STP timers(ch7 fast STP convergence). First, don't change the default timer values without some careful consideration Second, assuming that you are brave enough to attempt timer tuning, you should only modify the STP timers from the Root Bridge Mastering the show spantree Command  BPDU(Bridge Protocol Data Unit)是STP(生成樹 防止無限迴圈) 的 message unit用來描述attributes of a switch port  BPDU: 封裝於802.11 LLC header(DSAP,SSAP(service access point)), BPDU有Flags(TCN用通知要處理拓樸改變), Root BID, RPC, BID, Port ID, Message age(紀錄root Bridge給的BPDU的經歷時間), Max age(BPDU保存的最大時間，也影響aging timer), hello time(週期配置BPDU的時間) 若不用TCN BPDU，假設所有設備通某host E路徑block，就要等5分鐘的defualt time out才更新bridge table 找新的拓樸 TCN BPDU加快bridge table update 產生TCN BPDU時機點: 1. 轉變1 port為forwarding且至少有1 代理port 2. 轉變port 從forwarding/ learning為blocking 產生TCN BPDU從root port出去給root(每個hello time 週期性送 直到得到TCN ACK回應)，中間bridge收到就從其root port轉送給root, 直到root收到回ACK及設定bridge table 老化時間提前至15s (300 -> 15) Root Bridge continues to set the Topology Change flag in all Configuration BPDUs that it sends out for a total of Forward Delay + Max Age seconds (default = 35 seconds). This flag instructs all bridges to shorten their bridge table aging process from the default value of 300 seconds to the current Forward Delay value (default=15 seconds).  `後續ch6, ch7根據題目build switch網路環境(GNU3)去練習` ### ch7 Advanced spanning tree (Spanning tree load balance, Fast STP Convergence, PVST+, Tips and Tricks p201)  IDF: interdimate distribution frame switch(位於各階層基本的switch) MDF: main distribution frame switch (connect to 各個IDF 以及connect to server farm) 透過階層式架構IDF/MDF 可以 focuses on the fact that most campus designs utilize `triangle-shaped` STP patterns. 並且近代流量高度集中，透過此架構 可以去除negliable IDF to IDF traffic in most network.  :::spoiler server farm Server farm is a `collection of computer servers`(一堆路由器與交換器的集合), usually maintained by an organization` to supply server functionality `far beyond the capability of a single machine ::: 兩個常見的網路設計: campus-side VLAN model(many large and overlapping triangle and interconnect, thus many scaling problem) and multilayer model(break network into many small L2 triangle connectivity, scalable) 每port根據收到BPDU做最優選(前章 四則選舉準則)，補充listening state是process of sending Configuration BPDUs，當他認為自己最佳，但直到learning state時 port才開始把source mac加進設備的bridging table 1/0/12 大致上對應 機箱(switch device)/插槽(slot)或線路卡/連接埠(port) 在一switch 出去的線路 Fa0/0 對應Fast eth, slot/port Normal configuration BPDU processing 根橋的所有連接埠每隔 Hello Time 秒都會進行一次正常處理 results in the origination of Configuration BPDUs at the Root Bridge. 根bridge的每個port 每過hello time就發送◎onfiguration BPDU non-Root Bridge receives a Configuration BPDU on its Root Port and sends an updated version of this BPDU out every Designated Port 非根bridge 收到從root port來的configuration BPDU 就更新代理port的BPDU  * Configuration BPDUs flow away from the Root Bridge. (只有root bridge發 調整BPDU) * Root Ports receive Configuration BPDUs. (只有root port收調整BPDU 並且傳給代理port) * Root Ports do not send Configuration BPDUs. * Blocking ports do not send Configuration BPDUs. * If the Root Bridge fails, Configuration BPDUs stop flowing throughout the network. This absence of Configuration BPDUs continues until another bridge's Max Age timer expires and starts taking over as the new Root Bridge. (當root bridge失效，不再有configuration BPDU，則其他bridge 等max age timer到期就開始重新選舉root bridge過程) Exception configuration BPDU processing: 當root failed，會有bridge想重新選舉，開始發BPDU，但卻會被其他代理port(以為root還在)通知root再而阻止的例外情況。 所以做法處理就是，代理port依樣 再有root configuration BPDU副本時，拒絕劣質的BPDU，直到該root BPDU資訊過期(20s)，讓該bridge可以開始發自認root的BPDU(立即駁斥的作法，可以避免這20s 不小心開啟loop，使收斂更快) Configuration BPDUs are sent in three cases: 每過hello time時間(2s)，root bridge送configuration BPDU到所有port 當非root bridge收到root port來的BPDU，他將propogate update configuration BPDU到其代理port 當代理port聽到劣質的BPDU，會發自己port的BPDU資訊來抑制劣質BPDU TCN: 幫助網路拓樸變更後 ，恢復active topology 非root bridge偵測到變更後，向上游發TCN通知root，而後root通知bridge table aging 300s 撿到forward delay，以加速橋接表的更新 :::success STP提供三種 用戶可調整的timer: `hello time`(根bridge發BPDU的間隔), `forward delay`(port learning state to forward state 時間間隔), `max age`(port存的BPDU資訊時間，過期就要丟) 為了讓大家時間是同步，都用root給的，root BPDU最後三格放的就是這三個timer ::: :::spoiler Tips Avoid the frustration of trying to modify timer values from non-Root Bridges—they can only be changed from the Root Bridge ::: :::success PVST+: cisco STP protocol, 配合VLAN 兩大好處: control與isolation(一VLAN(eg 遺失root bridge)不干擾另一VLAN) control: 允許每個VLAN 有完全獨立的STP配置，可有不同root, 有不同優先權值與cost，如此可做 makes possible Spanning Tree load balancing. (next section ch8會提) ::: 儘管隔離VLAN 但是loop會使satueate(使飽和) trunk link造成其他VLAN 資源匱乏(ch15) :::spoiler tips and tricks mastering stp "Tips and Tricks: Mastering STP." Spanning Tree and campus design principles, please refer to Chapter 11, "Layer 3 Switching," Chapter 14, "Campus Design Models," Chapter 15, "Campus Design Implementation," and Chapter 17, "Case Studies: Implementing Switches." ::: #### Spanning Tree Load Balancing 目標: maximize your available bandwidth with minimal added complexity. 4 tech for load balance: Root Bridge Placement Port Priority Bridge Priority Port Cost 2 general principle: · Multiple paths that form loops · Multiple VLANs 雖然STP目的是消除loop，但沒multiple path就沒法load balance與增加頻寬，因此要用VLAN建多個STP domain  :::spoiler IDF and MDF IDF(不與server farm連) 建築物的不同樓層或區域之間進行訊號分配和管理，功能像是 中繼訊號：IDF從（MDF）接收訊號，訊號分配到期管理區域 簡化佈線 : 不用都連到MDF那麼長，可結構化網路架構與配線 管理與維護 擴大覆蓋率 MDF (與server farm連，與IDF設備(switch/bridge)連，不太與主機直連): 功能像是 連接外部線路：MDF連接來自 外部網路服務供應商 的主幹線纜，將訊號引入建築物內部。 分配內部線路：MDF將 外部引入的訊號分配到建築物內各個房間(連IDF 再由IDF到終端) 或樓層的終端設備 集中管理點 : 方便故障排查，以及集中化管理(server farm伺服器叢集) ::: #### VLAN load balance VLANs make it possible to create multiple Spanning Tree domains over a single physical infrastructure 在交換器上放置單一 VLAN，會阻止你實現 生成樹負載平衡。 Root Bridge Placement Load Balancing: 幸運的是，最有效的負載平衡技術之一也是最簡單的  VLAN2 有Cat-A 交換機作為root bridge 以及VLAN3 有Cat-B 交換機作為root bridge，從Cat-C交換機來看，我可以從VLAN2與server farm通訊 也可從VLAN3通訊，對C來說可用頻寬加倍了(有兩條路徑到root bridge)。 而對C 選擇root port 到VLAN2 root bridge會選 1/1 Cost 19 到VLAN3 root port選1/2 cost 19 (這與STP loop free不衝突 在於 對per vlan 內部 我確實loop free，我是透過多個VLAN設定其root bridge 來讓交換機上(port 對應某一VLAN)總體頻寬增加) Root Bridge Placement in Hierarchical Networks 並且在階層式架構 MLS 更明顯有load balance，想像Cat B, Cat A 分別下掛載router 處理VLAN2 與VLAN3的流量，自然Cat C裡VLAN2與 VLAN3 的L3資料load balance 且L2 資料也spear across both IDF uplinks. 並且也自動找到 去VLAN2 預設網關的最佳路徑  Port/VLAN Priority Load Balancing: 因back to back 架構 (任一VLAN 只有兩bridge互連)無法用root bridge load balance tech，改用port/VLAN priority based two interesting points: 1. non-Root Bridge that must implement load balancing (解釋說 是因為會選root port 與代理port 使其他bridge 當root 以及流量會從代理port出發，影響load balance) 2. it is the received values that are being used here. 因為會用root bridge來個BPDU 值來做設定 因此延伸出 根據port id 做load balance Port ID Is a 16-Bit Field 前6 port priority, 後10 port number 調整一個交換器連接埠的方案優先順序，去影響另一個交換器的負載平衡是非常違反直覺的。 Just remember, to use port/VLAN priority load balancing, you must adjust the upstream bridge (the one closer to the Root Bridge, or, in this case, the Root Bridge itself).  這個有點不好懂，配合圖來看，VLAN2 設定port優先權，來讓1/2斷掉 以使用left link， VLAN3 設定port優先權，來讓1/1 block 以使用right link 藉此來達到附載平衡 (回憶SPT選擇準則 都是lowest bridge id -> RPC -> bridge id -> port id ) 結果最後建議 不要用這套== ... Don't use set spantree portvlanpri in the typical model Tip Don't use set spantree portvlanpri with back-to-back configurations. Instead, use Fast or Gigabit EtherChannel 因為Cisco's EtherChannel technology provides much better performance. 配合ch8. trunking between Cat 後續還有兩種 看重要性做補充巴 (這兩還沒細看) Bridge Priority Load Balancing: 適合多個building 間大型網路 load balance 使用bridge priority前  使用後  Load Balancing with Port/VLAN Cost:??? p236 Spanning Tree Load Balancing Summary: Root Bridge Placement: 適合MLS結構，但若網路結構無階層式(eg back to back) 就不太有用 Port/VLAN Priority— set spantree portvlanpri: 在back to back結構做 load balance Bridge Priority—: ?? Port/VLAN Cost— set spantree portvlancost: ?? 七個技巧來做 fast convergence: (還沒細看 這些跟ch1,2不一樣 都是要慢慢花時間了== 可以先把ch8 trunking重點先看 ，後續再來補這些) · Tuning Max Age · Tuning Forward Delay · Lowering Hello Time · PortFast · UplinkFast · BackboneFast · Disabling PAgP on EtherChannel-capable ports (p244 ~ p268) 而且這章 超多例子要看，沒看清楚想清楚，不算真正學會。 :::spoiler PVST+ PVST+: 兩大重點: It can allow you to tap into many wonderful features such as `load balancing` and `per-VLAN flows`. (ch7 對這些進一步優化) It can make your life miserable (if you don't know what you are doing). [ref](https://www.jannet.hk/spanning-tree-protocol-stp-zh-hant/) PVST+(per VLAN spanning tree plus)是cisco switch預設的STP設定 step 1.選舉root switch (選switch priority 最小的作root), 計算公式: 本機switch priority + vlan number 可以理解為 per vlan精神 讓每個vlan 有自己決定STP拓樸連接，eg. 交換機A有3 port屬於vlan1,2,3 ; 假設vlan1其他交換機B (vlan number same but, 他們本機priority高 就會是 A最小會當上root switch ，然後id由priority + mac addr組成 若priority相同就選 mac addr最小的 ) step 2. 為每個switch選root port(從此port出去到root cost 最低)，按照頻寬與cost對照表去找 step 3.為每個區域網路選代理port，非代理也非root port的就block ::: Three Types of Regions Supported under PVST+  第三層交換器(硬體轉發)，可以成為(取代)路由器(軟體轉發)的前級處理器 Per-VLAN Spanning Tree Plus: p274 PVST+ utilizes two techniques to provide transparent STP support across the three types of regions: · Mapping · Tunneling ### ch8 truncking tech and app (Ethernet trunk, 802.10Enc, ATM Trunk p291) Why Trunks? 連接分散的各個VLAN，考量technology availability, resources, bandwidth, and resiliency，我要傳輸VLAN間流量路線，以及彈性(一路壞 還有別路) 這章講ISL(inter switch link) DTP(dynamic trunk protocol) LANE(LAN emulation) MPOA(multiprotocol over ATM )這些可能是重點? 還netfilter 以及業界Linux 環境 團隊在幹嘛，是上工後最優先，搞清楚架構! `Access link`是一個網路區段將多台非虛擬(no vid)連置虛擬橋接(has vid)的接口，此link上frame都用隱性標籤，不貼VID `Trunk link`在VLAN BRIDGE間的網路區段轉送不同VLAN frame，要求frame要填顯性標籤 `Hybrid link`是依網路區段連接虛擬與(非)虛擬設備，指要求標籤要統一，統一顯性or統一隱性 dedicate a link to a single VLAN -> access link 想像每個都access link 在複雜點網路變這樣  或者你用trunk link 就不須一堆interface and cables (使用VID標籤 來標示即可!) trunk link between Catalysts. Trunks allow you to distribute VLAN connectivity without needing to use as many interfaces and cables.  trunk 比access link 更好的scale 網路 但這時候又會想 這跟前章load balance好像又有點不同韻味， 這些VALN shared link 頻寬可能也共用到，但這章重點在`維持connectivity`。 #### Bundling Ports EtherChanel(port aggregate or link aggregate, work as access link or trunk link)是將交換器的多個port綁定為一logical link，增加寬頻，容錯 The combined links behave as a single interface, `load distribute` frames across each segment in the EtherChannel, and provide `link resiliency`. EtherChanel 提供額外link speed by bunding fast or Gigabit link and making switch/router use merged port as single port 因為只是綁定，所以要想成是2 個100Mbps 而不是2端口 間是1 個200Mbps的線路 然後從STP 來看 (多個port 作為一個port去對待 所以port state也是共通 一起forward 或是blocking等等) From a Spanning Tree point of view, an EtherChannel is treated as a single port rather than multiple ports. When Spanning Tree places an EtherChannel in either the Forward or Blocking state, it puts all of the segments in the EtherChannel in the same state The multiplexing scheme encapsulates user data and identifies the source VLAN for each frame. The protocol, called Inter-Switch Link (ISL), enables multiple VLANs to share a virtual link 透過多工封裝多家用戶的frame與辨識其VLAN，ISL使多個VLAN共享一個virtual link 那既然這些VLAN 以trunk相連，就要確保每個VLAN都是loop free (有建好STP)，不然任一有loop會使全部performance下降 :::spoiler LACP 與 PAgP [Link Aggregation Control Protocol](https://www.jannet.hk/etherchannel-pagp-lacp-zh-hant/)鏈路聚合控制協定 多個線路聚在一起，形成一個邏輯線路 而PAgP 端口匯聚協議 是Cisco獨有的 aggregate link的 協議 ::: 為EtherChannel(線路聚合) 建立port 的準則: * 綑綁2 or 4 port * 用連續的port做綑綁(bundle) * 所有port屬於同一VLAN，且 if ports are used for trunks, all ports must set as a trunk * If you set port to trunk, make sure all ports pass the same VLANs * 確保port兩端都相同的speed 與 雙工的設置 早期的EtherChannel module使用chip 叫EBC (Ethernet BundlingController)來管理聚合port 可以幫助load balance， EBC 可以distributes frames based upon source/dest mac addr. 透過XOR 在src/dst MAC 最後一bit 若產0, segment 1 is used, 產1, segment(segment of an EtherChannel bundle) 2 is used.  配合此圖來看 bunding 依序 做dual bunding 要就依序綁2 or 4 而segment就是我的slot 1 or slow 2的感覺? (還需再檢驗下) 這達到load balance原因 從統計看 MAC 地址夠隨機，lnik does not likely experience a traffic loading imbalance due to src/dst mac addr values 為了簡化 EtherChannel 的配置，Cisco 建立了連接埠聚合協定（PAgP） 可以幫助automatically form an EtherChannel between switch/rotuer PAgP 有4 state: *on, off, auto, desirable* on/off 代表switch 總是(絕不) 綑綁port 作為EtherChannel desirable 告知swtich 用Etherchannel 在另一端也同意的情況，並且綑綁規則(前項提到 all VLAN all trunk 等等)也完成 auto 讓switch可用EtherChannel 在另一端是on or desirable的情況。 :::spoiler tips: PAgP takes about 18 seconds to negotiate a link. 而Spanning tree strat convergence 前就要negotiation完成 所以Spanning tree若在有PAgP情況下 至少要18s If you change an attribute on one of the EtherChannel segments, you must make the same change on all of the segments for the change to be effective. All ports must be configured identically ::: 如前述 swtich forward based on hardware, hardware forms an EtherChannel 且distribute fraem based on mac addr . 而router forward based on software, 所以其EtherChannel 接口不必連續，router xor src/dst ip addr, 但IP可能手動設置 ，以致於無意間使 frame prefer 某link，所以要注意會使load 不平均的 assignment policy! L3 switch perform load balance based on ip addr and ipx addr, 因IPX 將station mac 作為邏輯地址一部分，也有高隨機性。 #### ISL(cisco trunk protocol) and 802.1Q(tag trunk protocol) EtherChannel Resiliency 當Etherchannel segment fail 會通知EARL 這個ASIC In essence, the EARL is the learning and address storage device creating the bridge tables ISL(inter switch link): 當從fast etherchannel收到屬於某VLAN 多工frame時 , switch要辨認此frame屬於哪個VLAN。 Cicso透過ISL 封裝 使VLAN能共享link 使收方設備能辨認frame屬於哪個VLAN，當switch透過ISL enabled trunk interface, 會封裝原始frame來辨認來源VLAN，加26 bytes ISL header.  ISL trunk links can carry traffic from LAN sources other than Ethernet. eg 也可用在token ring上 :::spoiler token recap 拓樸 成環狀，point to point 傳遞資訊，採用token passing 單方向傳遞， 拿到token的工作站才可傳送，否則只能接收 其傳遞的邏輯環，由硬體架設 ::: Dynamic ISL (DISL): DISL能讓交換機 溝通 eth 兩端 啟用/不啟用 ISL(過往只能手動設定)，有特定dst mac multicast addr 01-00-0C-CC-CC-CC 當交換機收到有此dst 的封包時 不轉送而是交由supervisor module處理 switch trunk interface 5 trunk modes: off, on, desirable, auto, or nonegotiate. p308~312 Tip If you configure the Catalyst trunk links for dynamic operations (desirable, auto), ensure that both ends of the link belong to the same VTP management domain. If they belong to different domains, Catalysts do not form the trunk link. IEEE 802.1Q(single-tag scheme, use TPID, priority and VID): 提供另一種 trunk protocol, explicitly tags frame 來辨認該frame所屬的VLAN. 另外802.1p 可加流量 優先權 於802.1Q 的標頭中  TPID (Tag Protocol Identifier)—: 此辨識字 告知收方 接下來是802.1Q tag Priority: 802.1p priority embedded in 802.1Q header CFI (Canonical format indicator): 表示MAC 是標準(0) 格式 或是非標準(1)格式 VID: 指示 frame 所屬的src vlan (0~4095, but 0,1,4095 reserved) 因網路複雜性，思科搞PVST 另每VLAN有其Spanning tree, 而802.1Q defines a single instance of spanning tree for all VLANs. they have same root bridge. this is called Mono Spanning tree (MST). 你須限制拓樸為一個 common topology for all VLANs 設定802.1Q 三步驟 1. Specify encapsulation mode (ISL or 802.1Q) 2. Enable the correct DTP trunking mode or manually ensure both ends 3. Select VLAN-id on both ends. DTP: 思科溝通trunk協議 加強DISL功能， 讓 雙方決定用 ISL 或802.1Q Just like ISL, 802.1Q trunks can be set for on, off, desirable, or auto. :::spoiler FDDI trunk and 802.10 Enc FDDI Trunks and 802.10 Encapsulation: (光纖真的很不熟== ) FDDI基於token ring 使用雙環權杖傳遞網路拓撲結構，兩環方向相反 FDDI operates as a shared network media (half duplex) and can have more than two participants on the network 思科用IEEE 802.10 標準 to facilitate transport of multiple traffic source over shared local network and yet retain logical isolation between src network at receiver ::: ATM Trunks: ATM does not have any collision domain distance constraints like LAN technologies, ATM deployments can reach from the desktop to around the globe. Catalysts support two modes of transporting data over the ATM network: LANE and MPOA. LANE emulates Ethernet and Token Ring networks over ATM A member of the ELAN is referred to as a LANE Client (LEC). ATM networks, on the other hand, create direct point-to-point connections between users. This creates a problem when a client transmits a broadcast frame LANE provides a solution by defining a special server responsible for distributing broadcasts within an ELAN. ATM 網路將在廣域網路 (WAN) 中扮演極為重要的骨幹網路角色，但目前再區網因價格仍過高，基本是以Gigabit標準為主。 MPOA enables devices to circumvent the default path and establish a direct connection between the devices, even though they belong to different subnets. This shortcut path, illustrated in Figure 8-15, eliminates the multiple transits of the default path conserving ATM bandwidth and reducing the overall transit delay. MPOA does not replace LANE, but supplements it. In fact, MPOA requires LANE as one of its components  :::spoiler Trunk options: (可以skip 偏網管做設置) 快速乙太網路和千兆乙太網路使用 ISL 或 802.1Q 封裝。 FDDI trunk link採用 Cisco 專有的 802.10。使用 ATM，可以使用 LANE 封裝。也可以選擇增強 使用 MPOA 進行 LANE 操作 做選擇所考慮的標準包括： · 現有基礎設施 · 您的技術舒適度 · 基礎設施彈性需求 · 頻寬要求 ::: ### ch9.truncking with lan emulation (ATM tutorial and LANE, configuration concept/syntax, Advanced issue SSRP p332) principal concepts covered here include the following: · Understanding ATM Cells · ATM is Connection Oriented · ATM Addressing · ATM Devices · ATM Overhead Protocols · When to Use ATM :::spoiler ATM vs Gigabit ATM定義遠比Gigabit Ethernet嚴謹，其為一完善的技術，無論在區域網路抑或廣域網路之環境，ATM都足可勝任，擴充性也沒有多大限制；而Gigabit Ethernet在此便無法與之媲美。ATM的五十三位元固定封包和其服務品質(Quality of Service; QoS)參數，使其可以處理各種型式的資料包含：數據、圖形、影像、視訊以及語音。反觀乙太網路技術，主要做為數據傳送用，它不是為多媒體通訊而設計。 看起來總結是 Gigabit只有優點在Eth架構與便宜。整體是ATM更完善?，應該就像ipv4~ipv6過度 業界自然都已Eth為主 ATM則十年後主流的感覺，所以先把Eth做網通產品開發搞好。 其實 我感覺講得大多東西，沒到底層開發(不向linux kernel networking那本一堆Linux code==)，這本主要面向在，switching STP與VLAN與trunk是我重點 後面ATM 應該...? 畢竟都沒講底層 又是專門cisco產品指令 非linux 針對業界第一份工作，重疊覆蓋率可能35%不高? 而且router 先搞 CCNA那套八，開發驅動 設register實現VLAN, Trunk, STP over realtek chip 工作重點 而CCNA則是基礎網通常識! (ccna 200-300 再ccnp encor 300-400 ) ::: How Does an IP Packet Fit Inside a Cell? To answer this question, this section examines the three-step process that ATM uses to transfer information: Step 1. Slice & Dice Step 2. Build Header Step 3. Ship Cells  ATM顯然必須在傳輸之前切碎較大的IP封包。這是 ATM 適配層 (AAL)；或是更值觀的術語 “Slice & Dice Layer” AAL slicing可以以多種方式切片和切塊。這是 ATM 透過網路承載語音、視訊和數據流量的方式 ATM 層。建構5位元組的ATM單元頭，這是整個ATM流程的核心。 primary function of this header is to identify the remote ATM device that should receive each cell. 非同步傳輸模式ATM(連線導向式傳輸) 新一代的高速網路 特點: ATM 交換機上的每一個埠也可以使用不同的傳輸媒介 工作站都有一條專線連接到交換機 頻寬為此工作站所專用 每條連線 可有不同QoS之保證， transform data unit is a fixed length data called "cell". cell format: fixed 53 bytes, 5 header 48 payload GFC流量控制4bits 控制流量 VPI虛擬路徑辨識碼8bits 哪條虛擬路徑 VCI虛擬通道辨識碼16bits 哪條虛擬通道 PTI負擔類型辨識碼3bits 告知payload data資料型態 CLP細胞流失優先權1bits 壅塞可丟 HEC標頭錯誤更正8bits ATM三層 實體層(Physical Layer 光纖 雙絞線), ATM 層(ATM Layer 處理ATM cell 傳輸),及 ATM 調節層(ATM Adaptation Layer, AAL 調節與上層長度不定的封包 轉換到 fixed size cell) ATM交換機工作: cell switching 埠進入的細胞 交換 至適當的輸出埠(因為連線導向式傳輸 路徑已確定 查表即可) 每條連線 virtual channel 都有VCI(辨識哪條來 哪條去) 將多個連線合起來 並稱為 virtual path ATM 的 NSAP 地址（Network Service Access Point address） 是一種結構化地址，用來唯一標識 ATM 網路中的一個終端或節點，類似於 IP 位址的功能 NASP 20bytes AFI（Authority and Format Identifier） 指定地址類型（如 E.164, DCC, ICD） IDI（Initial Domain Identifier） 網域 ID DSP（Domain-Specific Part） 主機位址、路由選項等細節 VPI 和 VCI一起負責 識別虛擬通道（Virtual Channel） , ATM 是 連線導向（Connection-Oriented）先建立一條「虛擬通道（VC）」。VC 就是由 VPI + VCI 唯一標識的 , ATM cell前 5 個 bytes 是 cell header，其中就包含了 VPI/VCI。 ATM Overhead Protocols its plug-and-play nature is due in large part to two automation protocols: Integrated Local Management Interface (ILMI) and Private Network-Network Interface (PNNI). PNNI: allows switches to dynamically establish SVCs between edge devices. However, edge devices do not participate in PNNI—it is a switch-to-switch protocol PNNI two primary functions: * Signaling * Routing Signaling allows devices to issue requests that create and destroy ATM SVCs Routing locate the destination the NSAP addresses specified in signaling requests. When to use ATM? its depend, ATM has advantage over * Full support for Quality of Service (QoS) * Communication over long geographic distances `ATM這部分先skip好了，在後續業界有遇到再來研究!` LANE: Theory of Operation: (VLAN) vs Emulated LAN (ELAN): VLAN純分區管理描述廣播區域，而ELAN 是emulation over ATM 是VLAN concept的特例，ELAN fools 上層協議以為是eth/token ring 其實是跑在ATM cloud上，既然如此 就有MAC addr轉譯 與 broadcast機制要處理(ATM是connection orient ) Four Characters (Components) of LANE · LAN Emulation Clients (LECs) · LAN Emulation Configuration Server (LECS) · LAN Emulation Server (LES) · Broadcast and Unknown Server (BUS) Act I is where the main drama occurs and consists of five scenes: ?? p354 After the five scenes of Act I are complete, the Client has joined the ELAN, Act II. Five-Step LANE Initialization Sequence ### ch11 Layer 3 switching MLS架構 使可網路結構更模塊化 更具擴展性，傳統上switch 只做L2 hardware based 處理 而router只做L3 routing based on protocol, 是software based, 但router又有許多高價值的特性 包括tunneling, DLSs(data link switching), access list, DHCP。所以L3 switching就是想把這些tech加入來 L3 switching 分兩類 Routing switches Switching routers Routing switch uses hardware to create shortcut path. Routing switches do not run routing protocols. switching routers do run routing protocols such as OSPF. These operations are typically run on a general-purpose CPU as with a traditional router platform. Layer 3 switches use high-speed application specific integrated circuits (ASICs) in the data plane. 這就是公司重點 ACL, fast forwarding, ASICs 在register上實現VLAN 等等 Because routers prevent broadcast propagation and use more intelligent forwarding. This simultaneously results in flexible and optimal path selection.(代表router更容易提供了load balance across multiple paths, ch7提到Layer 2 load balancing can be very difficult to design) Linking a router to a switched network, two alternatives are available: · One-link-per-VLAN · Trunk-connected router 首先是one link per vlan架構案例，ISL是cisco特有的L2 trunking協議 可以讓多個VLAN共享一link(ISL 封裝其ISL header供辨認所屬VLAN，802.1Q則是封裝TPID供辨認VLAN)，但router為每個VLAN都專線，如圖，好處頻寬與簡單易實現，但如前述多個缺點 interface量大，無擴展性  Trunk-Connected Routers: trunking tech such as: ISL, 802.1Q, 802.10, LAN Emulation(LANE), or MPOA can be used 實現代表 實際phy cable, 虛線代表multiple logical link running over this phy link  別把這裡L3 switching 與bridge switching 搞混 這裡談sofrware or hardware處理L3資訊 來交換資料switching(routing)送到另一端， 前章ch6,ch7的 (bridge) switching 則更多是談處理L2 資訊! Process Switching(slowest) relies on the CPU to perform brute-force routing on each and every packet. Just as first gear is useful in all situations. 資料流的第一個封包將會被放置於系統緩衝區(system buffer)。其目的地位址將會被拿到路由表中去查詢比對，路由器的中央處理器(CPU)同時將進行CRC check，檢查封包是否正確。然後Frame中的Layer 2 MAC Address將會被重寫，被置換成next-hop interface的MAC Address。這樣的程序將會`持續進行為後續封包 (查表 sanity check, MAC addr rewrite)` 而fast switching用了`路由快取(route cache)功能，來儲存關於某資料流的特定資訊`，包括像是目的地MAC Address、目的地interface等內容，只對第一個封包做process switching 取得所需資訊，後續同一資料流封包 的特定資訊 都由cache取得。 但還有很多特殊應用環境--延伸出更多switching mode eg:Autonomous Switching, Silicon Switching, Optimum Switching, Optimum and Distributed Switching: Optimum Switching採用了一種`優化交換快取`(Optimumed switching cache) Distributed Switching Mode使用Versatile Interface Card這種硬體模組介面，又稱之為VIP card。它會自己保留一份route cache，這樣在查詢時就`不必要等待使用共享的系統緩衝`(system buffer) Software-based routers containing Fast Ethernet interfaces are `limited to Fast Switching speeds for ISL operations`. `ASIC-based` Cisco LAN Switching routers such as the Catalyst 8500 do `not have this limitation` and can perform ISL routing at wire speed. RSM (routing switch module): `Inter-VLAN Routing 意思是使原本相互隔離的vlan間互通，而Router on a Stick(也叫單臂路由) 是指在路由器的單口上實現vlan互通。` 也就是上圖trunk-router事例，通過虛擬interface and RSM 實現VLAN互通。 router-on-a-stick design, traffic flows to the router within the source VLAN where it is routed into the destination VLAN. 分離控制與資料平面：RSM 處理控制平面（如 OSPF/BGP），而資料平面則使用快速的 ASIC。 VLAN routing：RSM 通常處理不同 VLAN 間的路由（inter-VLAN routing）。 L3 switching (or called routing ASIC) 支援 L3 switching 的交換器中 data flow: 1.收封包 判斷是否本地MAC 2.forwarding 決定該封包VLAN要去哪個port，若要給其虛擬路由介面就，查詢FIB(RIB的優化結果表)，找netx hop與出口介面 3.rewrite MAC addr 4.從對應出口介面出去 Instead of using the usual Ethernet0 and Fast Ethernet1/0, the `RSM uses virtual interfaces` that correspond to VLANs. `RSM is a software-based routing device` that cannot provide enough Layer 3 performance for larger campus networks on its own. However, another appealing benefit to the RSM is that it can be easily `upgraded to provide hardware-based forwarding via MLS`. ( RSM 處理控制平面（如 OSPF/BGP），而資料平面則使用快速的 ASIC, 而且正常下小章節MLS所說`caching technique`，MLS不跑routing protocol。) MLS: when discussing MLS is that, like all shortcut switching mechanisms, it is a caching technique. The NFFC does not run any routing protocols such as OSPF, EIGRP, or BGP. MLS常需要在Switching Engine上安裝NetFlow功能卡(NFFC) NFFC does `not run any routing protocols`, it must `rely on its pattern matching` capabilities to discover packets that have been sent to a router MLS makes use of three components: · MLS Route Processor (MLS-RP) · MLS Switching Engine (MLS-SE) · Multilayer Switching Protocol (MLSP) The MLS-RP acts as the router in the network (note that more than one can be used). This device handles the first packet in every flow, allowing the MLS-SE to build shortcut entries in a Layer 3 CAM table. The MLSP is a lightweight protocol used by the MLS-RP to initialize the MLS-SE and notify it of changes in the Layer 3. 所以為了處理L3 swithcing 使用RP做為路由 處理資料流第一個封包 並透過MLSP告知SE 有L3 change 使其可建立L3 CAM table shortcut條目 | 比較項目 | MLS | RSM | | -------- | -------- | -------- | | 架構類型 | 分散式 / 整合於 switch ASIC | 模組化（獨立插卡模組） | | Routing 功能位置 | 多數在 ASIC（Data plane） 控制面在 Switching Engine(建shortcut, NFFC不跑路由協議) | 控制平面與資料平面大多集中在 RSM 上 | | 路由快取（FIB） | 使用 Layer 3 switching table / CEF 快取 | 使用 routing table（轉為 FIB） | MLS uses a four-step process: Step 1. MLSP hello packets are sent by the router Step 2. The NFFC identifies candidate packets Step 3. The NFFC identifies enable packets Step 4. The NFFC shortcuts future packets 配合圖來看此4 step process: 原始連接狀態  step1. MLSP Hello Packets Are Sent by the Router  第一步就是，路由first boot, 每15秒送hello packet包含了該路由有用到的VLAN與MAC addr資訊，SE上的NFFC監聽來了解有該路由屬性，並用單一XTAG關聯一路由做辨識。  Step 2: The NFFC Identifies Candidate Packets: 隨著hello packet, NFFC 開始用pattern matching檢查是否該packet有建立shortcut, 若無 就分類為 candidate packet(候選封包)  Step 3: The NFFC Identifies Enable Packets Router receives and routes the packet as normal (代表routing protocol的control plane still on router(檢查標頭，查FIB，改MAC做轉送，改VLAN讓目標IP在對應VLAN能收到，減TTL), not on NFFC)，在MLS switching 設備的NFFC辨認router mac, dst ip, XTAG and step2的partial shortcut 後，會enable(completes) shortcut entry, 該entry包含做header改動所需的資訊(TTL, SMAC,DMAC, VLAN etc)  Step 4: The NFFC Shortcuts Future Packets The rewrite mechanism can modify the following fields: · Source and Destination MAC address · VLAN ID · TTL · Encapsulation (for example, ARPA to SNAP) · Checksums · ToS/COS There are two options that MLS can use to rewrite the packet. In the first option, the NFFC card itself is used to rewrite the packet.(前例就是第一個option) 第二個option called inline rewrite  Cache aging: 分三time · Quick (每五秒 把partial shortcut沒能完成enable的丟掉) · Normal (正常user configurable data transfer flow) · Fast (used to age short-term data flow such as ping, DNS) Access Lists and Flow Masks: One of the best features of MLS is that it supports IP access lists This support relies on three mechanisms: · The assumption that if a candidate packet fails an access list, the router never sends an enable packet to complete the shortcut (若有候選封包 被ACL在路由擋住，就不該送出去完成shortcut) · The MLSP protocol to notify the NFFC to flush all shortcut entries if the access list is modified (若router的ACL 修改 就要用MLSP通知NFFC 清掉所有shortcut) · A flow mask (用來讓NFFC確定一個data flow的構成) Flow mask 分三類 (在不違反ACL的情況下，根據dst,src ip等資訊來enable data flow) · Destination flow mask. (enables flows based on Layer 3 destination addresses only.) · Destination-source flow mask (uses both the source and destination Layer 3 addresses) · Full flow mask (uses Layer 4 port numbers in addition to source and destination Layer 3 addresses. This creates a separate shortcut for every application) Configuring MLS five step: 1. globally enable mls on router via `mls rp ip` (in other word, not on particular interface) 2. configure VLAN trunking protocol(VTP) domain for each interface using `mls rp vtp-domain` 3. if non-trunk interface is used, set `mls rp vlan-id` tell router about vlan assignment 4. enable each particular mls interface via `mls rp ip` 5. select one or more router interface to send MLSP via `mls rp management-interface` The rule to remember is that the same NFFC must see the flow traveling to and from the router (簡單想像 若兩台L3 switch 都只各收 candidate or enable packet 就不可能完成short cut了) 所以為了解決multiple router port 給出下圖建構拓樸  對於有loop的L3 switch架構，就會啟用STP 把其中某port 進block state ，最終就會有root bridge 收送candidate and enable packet來建構shortcut Other MLS Capabilities: Protocol Filtering Multicast Switching and IGMP Snooping Quality of Service NetFlow Data Export 何時使用MLS: 這種hardware assisted approach to route 幫助router提升效能， it can be easily to added to an existing network to turbocharge the routing performance MLS relies on hardware-based caching to perform shortcut switching, 並且做control plane 與 data plane 的分工， 跑routing protocol 於general-purpose, RISC-based CPU，跑 routing table lookups and data forwarding is handled by high-speed ASICs 在複雜點的MLS network topo:  However, a new VLAN has been created between the two routers (call it the Purple VLAN). NFFC recognizes it as a candidate packet and creates a partial shortcut entry (labeled Step 1 in Figure 11-21). Router-A then forwards the traffic over the Purple VLAN to Router-B. As the packet passes back through the Catalyst, the NFFC recognizes the packet as an enable packet and completes the shortcut entry (Step 2 in Figure 11- 21). step3/step4 重複依樣步驟，所以對NFFC建立shortcut的認知點，在於我認知到MLS capable的router ，我switch認知這包不再同子網 就發給router問(步驟一candidate) 與router發回來告知在哪(步驟二enable)，就為這路徑建一shortcut 其他MLS 或者NFFC功能 protocol filtering:NFFC limit broadcast/multicast traffic `on per-port and per protocol basic`, 就像VLAN 那章節提到 放同一VLAN管理的node 才收該區broadcast, 以及只收跑同一協定的 (忽然想到 那同一VLAN 的主機A跑IP 主機B 跑IPX會如何? A: 如果不先通過代理或隧道，您無法直接從 IPX 主機和 IP 主機進行通訊。) MLS and ICMP spooling: 回想bridge learning address process，(收到判斷dst是否在table內，學dst，再判斷來端再否再table內，學src端)可以注意到multicast 在傳統L2 bridging是無法學的，過去用static CAM table紀錄最popular的multicast addr, 但缺乏彈性且管理難，故延伸出 三種 動態管理 機制 dynamically building multicast forwarding tables: CGMP(思科獨有協議讓router可用IGMP來update L2 multicast table), GMRP, and IGMP Snooping. [IGMP](https://www.jannet.hk/internet-group-management-protocol-igmp-zh-hant/): 管理網路協定多播組成員的一種通訊協定, L3 router間用PIM這路由間的多播協議，L2則靠IGMP負責host與PIM router互動。 回想你再IPv6 所學的MLD 就是IGMP的v6版本 GMRP 則是基於GARP通用屬性註冊協議(802.1p)來提供註冊多播addr. [side note on MRP 似乎是GARP強化於多spanning tree](https://www.h3c.com/cn/d_201407/834575_30005_0.htm) :::spoiler [wireshark on MVRP](https://wiki.wireshark.org/MVRP) 它之所以被取代，是因為不支援 VLAN 的 GARP 在大型 VLAN 網路中運作時有嚴重缺陷。 本質上是相似物，但重點在我處理差在哪，以及hdr, implementation，業界用哪個版本? 猜還是GARP 畢竟一面聊的也是GARP, VLAN, trunk, ACL, register-level 操作 ::: IGMP Snooping: rely on pattern mattching capabilities of NFFC to listen to ICMP packet as they flow between router. IGMP is suitable for high-end devices that contain ASIC-based pattern-matching capabilities. 跑routing protocol eg OSPF and EIGRP 做拓樸/路徑發現 由RISC-based CPU(called control plane)負責 而跑routing table lookups and data forwarding 由 high-speed ASICs(called data plane)負責 就像先前提到 MLS switch deivce上NFFC不做routing protocl，但又有部分 改ttl等IP功能來幫助建立shortcut Switching Routers: Whereas MLS(routing switch) relies on hardware-based caching to perform shortcut switching, the Catalyst 8500(switching router) relies on `hardware` to perform the same tasks as a `traditional router`, only faster. 當本地流量可以透過捷徑交換時，MLS 可以從backbone路由器offload processing(就是分control plane, data plane有效率)。此外，NFFC 的附加功能（如協定過濾、IGMP 偵聽和 QoS 分類）在配線櫃應用(wiring-closet applications)中非常有用（這也是它們最有用的地方）。 前面提過 要把大型網路 分割成小型網路組成拓樸 可用MLS但還需做額外設定，僅僅單純安裝並不建立擴張樹分隔區 However, just blindly installing MLS-capable switches does not do samller spanning tree domain. 像是此圖 50VLAN與設備混再一起，結果單純安裝沒設好階層就一堆VLAN trunk與router and MLS device.  Creating Layer 3 partitions when using the MLS-style of Layer 3 switching requires careful design and planning of VLANs and trunk links. 下圖是一個例子. (所以重點是 我開發網通設備 該怎麼讓它們trunk? VLAN效果好?)  A pair of links connects the two buildings. Rather than simply creating ISL links that trunk all VLANs across to the other building 思科的hot standby 路由協定 (HSRP) ，主要任務是為終端設備 提供 redudant defualt gateway 與提供負載平衡。 許多情況是 多個設備只有單一gateway, 使該router 負擔較大，HSRP 提供了一種機制，允許多個路由器共享 IP 位址 與 MAC addr。  HSRP 提供了兩個路由器共享的第三個位址。兩個路由器 定期交換 hello 訊息 一個路由器被選為活躍的 HSRP 對等體，並處理所有 路由器對共享位址的職責 它們還必須共用一個 MAC 位址。 用一種演算法來建立共享虛擬 MAC 位址。作為 使用共用 IP 位址 IRB(integrated routing and bridging) allow a single protocol to be both bridged and routed on the same box. ### ch12 VLAN Trunking Protocol VTP是思科獨有VLAN管理協議，分三種VTP mode : VTP server, client and transparent modes. 介紹VTP Pruning: Advanced Traffic Management the steps for creating a VLAN are to assign a Catalyst to a management domain, create the VLAN, and assign ports to the VLAN. One of the features covered in this chapter, VLAN Trunking Protocol (VTP), helps to minimize configuration efforts by helping with the first two steps. Without VTP, you need to perform these steps in every Catalyst in your network. With VTP, you only need to perform the first two steps at selected devices (VTP 可讓你在一switch上設置好VLAN設定，透過VTP來傳遞資訊，不然就需要為每台做VLAN設定) Dynamic VLANs enable the Catalyst to configure ports to a VLAN automatically based upon the MAC address of the attached device VTP is layer 2 multicast messaging protocol that can ease some of the administrative burden associated with maintaining VLANs. VTP maps VLANs across all media types and VLAN tagging methods between switches, enabling VLAN configuration consistency throughout a network. (trunking(shared interface/ link) 分思科ISL, 802.1Q TPID + 802.1p priority added up 等等 )  ISL and 802.1Q specify how to `encapsulate or tag data transported over trunk ports`. The encapsulation and tagging methods identify a packet's source VLAN. This enables the switches to `multiplex the traffic` from multiple VLANs over a common trunk link. Chapter 8, "Trunking Technologies and Applications" describes these two methods and how they function. DISL and DTP help Catalysts to automatically `negotiate whether to enable a common link` as a trunk or not. [VTP](https://ccna2012.weebly.com/vtp.html) allows switch share information about VLANs in the VTP management domain. # [spanning tree詳解參考](https://www.jannet.hk/spanning-tree-protocol-stp-zh-hant/) [瞭解快速生成樹通訊協定 (802.1w)](https://www.cisco.com/c/zh_tw/support/docs/lan-switching/spanning-tree-protocol/24062-146.html#anc11) [csdn翻譯與心得cisco lan switching 只有第六章 參考](https://blog.csdn.net/shallnet/category_2887887.html) [netcof vs SNMP](https://cshihong.github.io/2019/12/29/Netconf%E5%8D%8F%E8%AE%AE%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/) [why do I need a bridge if I have switches?](https://www.reddit.com/r/mikrotik/comments/1g1b6m1/portbased_vlan_why_do_i_need_a_bridge_if_i_have/?rdt=46551) [netconf](https://cshihong.github.io/2019/12/29/Netconf%E5%8D%8F%E8%AE%AE%E5%AD%A6%E4%B9%A0%E7%AC%94%E8%AE%B0/) [switch vs bridge](https://giboss.pixnet.net/blog/post/26798642) :::spoiler 目標是透過中文資料，有一個基礎架構了解，知道業界重點在哪，然後完整回去讀cisco lan switching那本書。 :::