Showing posts with label CCNP. Show all posts

Friday, 7 February 2025

Difference Between Access Port vs Trunk Port vs Hybrid Port

 

(Figure: Ethernet Layer 2 port types - access port vs trunk port vs hybrid port)


Interface-based VLAN assignment depends on the following switch port types:


Access port


  • An access port connects to a user terminal (such as a PC or server) that cannot recognise an 802.1Q tag or distinguish VLAN membership.

  • The NICs of devices connected to an access port send and receive only untagged frames.

  • An access port can belong to only one VLAN.


Trunk port


  • A trunk port allows data frames of multiple VLANs to pass through. These data frames are differentiated by 802.1Q tags.

  • A trunk port is used to connect devices such as switches, routers, firewalls, and APs.


Hybrid port


  • A hybrid port can connect either to user terminals (such as hosts and servers) that cannot recognise tags, or to switches, routers, voice terminals and APs that send and receive tagged and untagged frames at the same time.

  • You can specify, per VLAN, whether a hybrid port sends the frames of that VLAN tagged or untagged. The default port type on Huawei devices is hybrid, and only Huawei switches have the hybrid port type.



Introduction of Access Port


(Figure: access port scenarios)


As shown in the preceding figure, four scenarios are described.


  • Scenario 1: The interface receives untagged frames.

The switch adds a tag carrying the PVID to the frame and then processes the tagged frame (flooding, forwarding or discarding).


  • Scenario 2: The interface receives tagged frames.

The switch checks whether the VID in the tag of the frame equals the PVID.

If they are the same, the tagged frame is accepted and forwarded.

If they are different, the tagged frame is discarded.


  • Scenario 3: The VLAN ID of the outgoing frame is the same as the port PVID.

The switch strips the tag from the frame and then sends the untagged frame out of the interface.


  • Scenario 4: The VLAN ID of the outgoing frame is different from the port PVID.

The frame is not sent out of the interface.


Features of the access port

Only the data frames with the same VLAN ID as the port PVID are allowed to pass.



Introduction of the Trunk port


(Figure: trunk port scenarios)


As shown in the preceding figure, four scenarios are described.


  • Scenario 1: The interface receives untagged frames.

The switch adds a tag carrying the PVID to the frame and checks whether the PVID is in the list of allowed VLAN IDs.

If yes, the tagged frame is accepted and forwarded.

If not, the tagged frame is discarded.


  • Scenario 2: The interface receives tagged frames.

The switch checks whether the VID in the tag of the frame is in the list of allowed VLAN IDs. 

If yes, the Tagged frame is received or forwarded.

If not, the Tagged frame is discarded.


  • Scenario 3: The VLAN ID of the frame is the same as the port PVID.

When a tagged frame arrives at a trunk port from another port on the switch, if the VID in the tag of the frame is in the list of allowed VLAN IDs, the system compares whether the VID in the tag is the same as the PVID of the port.

If they are the same, the switch removes the tag of the tagged frame and sends the untagged frame out of the link.

Note: If the VLAN ID is not in the list of allowed VLANs, the frame cannot be sent from the interface.


  • Scenario 4: The VLAN ID of the frame is different from the port PVID.

When a tagged frame arrives at a trunk port from another port on the switch, if the VID in the tag of the frame is in the list of allowed VLAN IDs, the system compares whether the VID in the tag is the same as the PVID of the port.

If they are different, the switch does not strip the tag of the tagged frame but sends it directly off the link.

Note: If the VLAN ID is not in the list of allowed VLANs, the frame cannot be sent from the interface.


For the trunk port, you must configure a list of allowed VLAN IDs in addition to PVIDs. VLAN 1 exists by default.



Working Procedure of a Layer 2 Switch with VLAN and Trunk Functions


(Figure: working procedure of a Layer 2 switch with VLAN and trunk functions)


When a switch interface receives a data frame:


  1. Build the MAC address table by learning source MAC addresses.


  2. Add the PVID tag (untagged frames only).


  3. Forward the frame based on the destination MAC address, within the frame's VLAN.


    MAC address table lookup:

    1) If the frame is broadcast or multicast, the switch floods it to the other ports of the VLAN.

    2) For unicast frames, the switch looks up the destination MAC address in the table and forwards the frame to the matching port (or floods it if there is no entry).


  4. Send the frame out of the outbound interface.


    1) Remove the PVID tag (access port, or trunk/hybrid port where the VLAN is sent untagged).

    2) Keep the tag and forward the tagged frame (trunk port, or hybrid port where the VLAN is sent tagged).



Introduction of Hybrid port


(Figure: hybrid port scenarios)


As shown in the preceding figure, four scenarios are described.


  • Scenario 1: The interface receives untagged frames.

The switch adds a PVID tag to the frame and checks whether the PVID is in the untagged or tagged VLAN ID list.

If yes, the Tagged frame is received or forwarded.

If not, the Tagged frame is discarded.


  • Scenario 2: The interface receives tagged frames.

The switch checks to see if the VID in the tag of this frame is in the list of untagged or tagged VLAN IDs.

If yes, the Tagged frame is received or forwarded.

If not, the Tagged frame is discarded.


Scenarios 3 and 4 summarised: the hybrid port sends data frames as follows.


  • When a tagged frame arrives at a hybrid port from another interface on the switch, if the VID in the tag of the frame is neither in the untagged VLAN ID list nor in the tagged VLAN ID list, the tagged frame is discarded.


  • When a tagged frame arrives at a hybrid port from another interface on the switch, if the VID in the tag of the frame is in the untagged VLAN ID list, the switch removes the tag from the tagged frame. Then, the untagged frame is sent out over the link.


  • When a tagged frame arrives at a hybrid port from another interface on the switch, if the VID in the tag of the frame is in the tagged VLAN ID list, the switch does not remove the tag from the tagged frame but directly sends the tagged frame over the link.


For a hybrid port, you need to configure the PVID and two VLAN ID lists that allow packets to pass through. One is the untagged VLAN ID list and the other is the tagged VLAN ID list. By default, VLAN 1 is in the untagged VLAN list. The frames of all VLANs in the two allowed lists are allowed to pass through the hybrid port.


Features of the Hybrid port


  • A hybrid port allows only the data frames whose VLAN IDs are in the allowed list to pass through.

  • A hybrid port can allow tagged frames from multiple VLANs to pass through, and allow frames from certain VLANs to be tagged and frames from certain VLANs to be untagged.

  • The main difference between a Hybrid port and a Trunk port is that the Hybrid port supports data frames of multiple VLANs without tags.
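The ingress and egress rules of the three port types, together with the learn/flood/forward steps of the working-procedure section, as a Python model added here for illustration. It is not code from the original post or from Huawei: the port names and VLAN numbers are constructed to match the SW1 topology of the post plus one hybrid port, and the "untagged"/"tagged" result strings are this model's own convention.

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    """One switch port. Which lists matter depends on 'kind':
    access: pvid only; trunk: pvid + allowed; hybrid: pvid + untagged + tagged."""
    name: str
    kind: str                     # "access", "trunk" or "hybrid"
    pvid: int = 1
    allowed: set = field(default_factory=lambda: {1})   # trunk allow-pass list
    untagged: set = field(default_factory=lambda: {1})  # hybrid untagged list
    tagged: set = field(default_factory=set)            # hybrid tagged list


BROADCAST = "ff:ff:ff:ff:ff:ff"


def ingress(port, vid=None):
    """Return the VLAN an incoming frame is placed in, or None if it is
    discarded. vid is None for an untagged frame, else the 802.1Q VID."""
    if vid is None:                       # scenario 1: the PVID tag is added
        vid = port.pvid
    if port.kind == "access":             # scenario 2: VID must equal the PVID
        ok = vid == port.pvid
    elif port.kind == "trunk":            # VID must be in the allow-pass list
        ok = vid in port.allowed
    elif port.kind == "hybrid":           # VID must be in either hybrid list
        ok = vid in port.untagged or vid in port.tagged
    else:
        raise ValueError(f"unknown port type {port.kind}")
    return vid if ok else None


def egress(port, vid):
    """Return 'untagged' or 'tagged' for a frame of VLAN vid leaving the port,
    or None when the port may not send it (scenarios 3 and 4)."""
    if port.kind == "access":
        return "untagged" if vid == port.pvid else None
    if port.kind == "trunk":
        if vid not in port.allowed:
            return None
        return "untagged" if vid == port.pvid else "tagged"
    if port.kind == "hybrid":
        if vid in port.untagged:
            return "untagged"
        return "tagged" if vid in port.tagged else None
    raise ValueError(f"unknown port type {port.kind}")


class Switch:
    """VLAN-aware Layer 2 switch: learn, classify, look up, then apply egress."""

    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.mac_table = {}               # (vlan, mac) -> port name

    def receive(self, in_port, src, dst, vid=None):
        """Process one frame; return {out_port: 'tagged' | 'untagged'}."""
        vlan = ingress(self.ports[in_port], vid)
        if vlan is None:
            return {}                     # dropped at ingress
        self.mac_table[(vlan, src)] = in_port          # step 1: learn source MAC
        known = self.mac_table.get((vlan, dst))
        if dst == BROADCAST or known is None:          # step 3: flood inside the VLAN
            targets = [n for n in self.ports if n != in_port]
        elif known == in_port:
            targets = []                  # destination is behind the ingress port
        else:
            targets = [known]
        out = {}
        for name in targets:              # step 4: per-port egress decision
            mode = egress(self.ports[name], vlan)
            if mode is not None:
                out[name] = mode
        return out


def demo():
    """Topology from the post: two access ports to PCs, one trunk to SW2, plus a
    hybrid port (constructed) that carries VLAN 10 untagged and VLAN 20 tagged."""
    sw = Switch([
        Port("G0/0/1", "access", pvid=10),
        Port("G0/0/2", "access", pvid=20),
        Port("G0/0/24", "trunk", pvid=1, allowed={1, 10, 20}),
        Port("G0/0/23", "hybrid", pvid=10, untagged={10}, tagged={20}),
    ])
    pc1, sw2_host = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
    # PC1 broadcasts untagged: tagged with PVID 10 and flooded only within VLAN 10.
    flood = sw.receive("G0/0/1", pc1, BROADCAST)
    # A VLAN 10 tagged frame from SW2 for PC1: table hit, tag stripped on the access port.
    reply = sw.receive("G0/0/24", sw2_host, pc1, vid=10)
    return flood, reply


if __name__ == "__main__":
    print(demo())
```

The broadcast from the VLAN 10 access port never reaches the VLAN 20 access port, leaves the trunk tagged (VID 10 differs from the trunk PVID 1) and leaves the hybrid port untagged (VLAN 10 is in its untagged list); a tagged frame with a VID outside a trunk's allow-pass list is dropped at ingress, which is the check that keeps a mis-tagged frame from crossing into a VLAN the port was never configured for.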



Configuration of different port types


(Figure: configuration topology for SW1)


As shown in the preceding figure, G0/0/1 and G0/0/2 of SW1 are connected to PCs, so they are configured as access ports. G0/0/24 of SW1 is connected to SW2 and this link needs to carry two different VLANs, so G0/0/24 is configured as a trunk port.


The configuration of SW1 is as follows:


  • Configuring an Access Port


[SW1] vlan batch 10 20 --- Create VLANs in batches.


[SW1] interface GigabitEthernet 0/0/1 --- Enter the interface view.

[SW1-GigabitEthernet0/0/1] port link-type access --- Set the link type of the interface to access.

[SW1-GigabitEthernet0/0/1] port default vlan 10 --- Configure the default VLAN (PVID) of the interface and add the interface to that VLAN.


[SW1] interface GigabitEthernet 0/0/2

[SW1-GigabitEthernet0/0/2] port link-type access

[SW1-GigabitEthernet0/0/2] port default VLAN 20


  • Configuring a Trunk Port


[SW1] interface GigabitEthernet 0/0/24

[SW1-GigabitEthernet0/0/24] port link-type trunk --- Set the link type of the interface to trunk.

[SW1-GigabitEthernet0/0/24] port trunk pvid vlan 1 --- Configure the default VLAN (PVID) of the trunk interface.

[SW1-GigabitEthernet0/0/24] port trunk allow-pass vlan 10 20 --- Add the VLANs that the trunk interface is allowed to carry.


  • Configuring a Hybrid Port


Now let's think about whether it is possible to replace access and trunk ports with hybrid ports, and how?


Replacing Access Port Configurations with Hybrid Ports


[SW1] interface GigabitEthernet 0/0/1

[SW1-GigabitEthernet0/0/1] port link-type hybrid --- Set the link type of the interface to hybrid.

[SW1-GigabitEthernet0/0/1] port hybrid pvid vlan 10 --- Configure the default VLAN (PVID) of the hybrid interface.

[SW1-GigabitEthernet0/0/1] port hybrid untagged vlan 10 --- Add the interface to VLAN 10; frames of this VLAN leave the interface untagged.


Replacing Trunk Port Configurations with Hybrid Ports


[SW1] interface GigabitEthernet 0/0/24

[SW1-GigabitEthernet0/0/24] port link-type hybrid

[SW1-GigabitEthernet0/0/24] port hybrid pvid vlan 10

[SW1-GigabitEthernet0/0/24] port hybrid untagged vlan 10

[SW1-GigabitEthernet0/0/24] port hybrid tagged vlan 20 --- Add the interface to VLAN 20; frames of this VLAN leave the interface tagged.

Thursday, 23 May 2024

Cisco Bandwidth Rate Limit on Catalyst Series (3550, 3750, 3560, 2960)

There are two ways to configure QoS bandwidth shaping on a port of Cisco L2/L3 switches:


1 - SRR (only download, i.e. egress, traffic can be controlled).
2 - Service policy (only one direction can be controlled).


If you want to limit both directions, configure both SRR and a service policy on the same port.


SRR


srr-queue bandwidth limit <percent>


The bandwidth is set as a percentage of the link speed; the allowed range is 10-99 percent. This means that if you want a limit below 10 Mb/s you must set the port's physical speed to 10 and the duplex to full, and then statically configure the client to 10/full as well. This only limits egress traffic.


int 0 /12
srr-queue bandwidth limit 10


Service Policy

We use a service policy to match and limit ingress traffic.

First, you must enable mls qos on the switch, otherwise the class-map matching will not work:


mls qos


1 - Next we define the class map. It matches IP traffic whose DSCP value is 0 (default):

class-map match-all rate-limit
  description Bandwidth Control
  match ip dscp default


2 - Then we create a policy map with the desired rate (8,192,000 bit/s with a 192,000-byte burst; traffic above the rate is dropped):

policy-map 8meg
  class rate-limit
    police 8192000 192000 exceed-action drop


3 - Last, we apply the policy to the interface in the input direction:

interface fa0/1
  service-policy input 8meg



Monday, 20 May 2024

What is an AS Number and Why Do We Need It?

An autonomous system is basically a kind of tag that represents an organization. As the administrator you are in charge of that routing domain: its routing policies, routing protocols and so on.

An autonomous system number (ASN) is a unique number, assigned by IANA and globally valid, that identifies an autonomous system and enables that system to exchange exterior routing information with its neighbouring autonomous systems.

ASN Types
There are two types of autonomous system numbers: public and private.

Public ASN - Used when an AS exchanges routing information with other autonomous systems on the public Internet.

Private ASN - Used if an AS only needs to communicate via Border Gateway Protocol with a single provider, because the routing policy between the AS and the provider will not be visible on the Internet. In this case the upstream provider will typically remove the private ASN from the AS path and replace it with its own public ASN. In practice this can be thought of as a kind of NAT for ASNs.

ASN Ranges
The ASN ranges are:
0 : reserved.
1 - 64,495 : public AS numbers.
64,496 - 64,511 : reserved for use in documentation.
64,512 - 65,534 : private AS numbers.
65,535 : reserved.
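The ranges above and the provider behaviour described under "Private ASN", as a Python example added here (not code from the original post or from any router vendor). It classifies 16-bit AS numbers by the post's ranges and models a provider replacing private ASNs in the AS path with its own public ASN; the ASNs and paths used are constructed for illustration.

```python
def asn_type(asn):
    """Category of a 16-bit ASN according to the ranges listed in the post."""
    if asn in (0, 65535):
        return "reserved"
    if 64496 <= asn <= 64511:
        return "documentation"
    if 64512 <= asn <= 65534:
        return "private"
    if 1 <= asn <= 64495:
        return "public"
    raise ValueError(f"{asn} is not a 16-bit AS number")


def provider_rewrite(as_path, provider_asn):
    """AS path (nearest AS first, origin AS last) as the upstream provider
    announces it to the Internet: the provider prepends itself and each
    private ASN is replaced by the provider's public ASN, with the repeats
    that this creates collapsed. Returns (new_path, hidden_private_asns)."""
    if asn_type(provider_asn) != "public":
        raise ValueError("a provider must announce a public ASN")
    rewritten = [provider_asn]
    for asn in as_path:
        rewritten.append(provider_asn if asn_type(asn) == "private" else asn)
    collapsed = []
    for asn in rewritten:                 # 100 100 300 -> 100 300
        if not collapsed or collapsed[-1] != asn:
            collapsed.append(asn)
    hidden = sorted({a for a in as_path if asn_type(a) == "private"})
    return collapsed, hidden


def demo():
    """Constructed: customer AS 64512 (private) behind provider AS 100 (public),
    and a second path where two private ASNs sit in front of public AS 300."""
    return provider_rewrite([64512], 100), provider_rewrite([64512, 64600, 300], 100)


if __name__ == "__main__":
    print(demo())
```

After the rewrite the Internet sees only the provider's ASN where the customer's private ASN used to be, which is the "NAT for ASNs" effect the post describes; a path that still carries a private ASN after leaving a provider is therefore a useful thing to flag when checking received routes.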

All Routing Protocol Administrative Distance Values

Administrative distance (AD) decides between routes to the same prefix learned from multiple sources, for example from RIP and EIGRP. The lower AD value is preferred, so in that case the EIGRP route is installed instead of the RIP route.


Protocol                   AD value
Connected                  0
Static                     1
EIGRP (internal routes)    90
OSPF                       110
IS-IS                      115
RIP                        120
EIGRP (external routes)    170
iBGP / eBGP                200 / 20
Unreachable                255

Cisco Switch Port Security

Port security is a very useful feature for limiting access to switch ports: you can bind MAC addresses to a port and limit which MAC addresses are authorized on it.


• The maximum number of dynamically learned MAC addresses can be limited.
• Static, authorized MAC addresses can be pre-configured.



Port-Security Violations

If a violation occurs, you have three options with regards to the response:

•Shutdown (default)
•Protect
•Restrict


Protect: this violation mode silently discards frames whose source MAC is not an authorized address.

Restrict: this violation mode discards the frame and also logs the violation.

switchport port-security: if you run only this command, the port learns the first MAC address dynamically and that becomes the only MAC allowed on the port. When a second MAC address appears, the port is shut down.

switchport port-security violation restrict: with the restrict mode, frames from unauthorized MAC addresses are discarded but the port is not shut down; instead the violation is logged, so you can see how many violations have occurred on the port.

switchport port-security maximum 3: with a maximum of 3, a maximum of 3 MAC addresses are allowed on the port, whether learned statically or dynamically.

switchport port-security mac-address sticky: the port learns MAC addresses dynamically and shows them in the running configuration; if you save it with write memory, those MAC addresses stay authorized as long as their entries exist.
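The behaviour described above (maximum, static entries, sticky learning and the shutdown / protect / restrict violation modes) as a Python model added here for illustration. It is not code from the original post or from Cisco, and the sequence of source MAC addresses it is driven with is constructed; only 0022.6732.8d32 comes from the post's configuration.

```python
class PortSecurity:
    """Teaching model of one port's port-security state."""

    def __init__(self, maximum=1, violation="shutdown", sticky=False, static=()):
        if violation not in ("shutdown", "protect", "restrict"):
            raise ValueError(violation)
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky
        self.secure = {m: "static" for m in static}   # mac -> how it was learned
        self.violations = 0        # the count a violation counter would report
        self.err_disabled = False  # True once shutdown mode has acted
        self.log = []              # restrict mode logs; protect mode stays silent

    def frame(self, src_mac, port="fa0/1"):
        """Process one ingress frame; return 'forward', 'drop' or 'shutdown'."""
        if self.err_disabled:
            return "drop"                      # port stays down until re-enabled
        if src_mac in self.secure:
            return "forward"                   # known static/sticky/dynamic MAC
        if len(self.secure) < self.maximum:
            self.secure[src_mac] = "sticky" if self.sticky else "dynamic"
            return "forward"                   # learned as one of the first MACs
        if self.violation == "protect":        # silent discard, nothing counted
            return "drop"
        self.violations += 1
        if self.violation == "restrict":       # discard, keep port up, record it
            self.log.append(f"violation on {port} by {src_mac}")
            return "drop"
        self.err_disabled = True               # shutdown: port goes err-disabled
        return "shutdown"

    def running_config(self, port="fa0/1"):
        """What would appear under the interface after 'write memory': only
        static and sticky-learned addresses are written; dynamic ones are not."""
        lines = [f"interface {port}", "switchport port-security",
                 f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
        for mac, how in self.secure.items():
            if how == "sticky":
                lines.append(f"switchport port-security mac-address sticky {mac}")
            elif how == "static":
                lines.append(f"switchport port-security mac-address {mac}")
        return lines


def demo():
    # Default: 'switchport port-security' alone, one dynamic MAC, shutdown on the second.
    default = PortSecurity()
    verdicts = [default.frame(m) for m in
                ["0022.6732.8d32", "0022.6732.8d32", "aaaa.bbbb.0001"]]
    # Restrict + maximum 3 + sticky: a fourth MAC is dropped and counted, port stays up.
    restrict = PortSecurity(maximum=3, violation="restrict", sticky=True)
    for m in ["aaaa.bbbb.0001", "aaaa.bbbb.0002", "aaaa.bbbb.0003", "aaaa.bbbb.0004"]:
        restrict.frame(m)
    return verdicts, restrict


if __name__ == "__main__":
    verdicts, restrict = demo()
    print(verdicts, restrict.violations, restrict.err_disabled)
    print("\n".join(restrict.running_config()))
```

The model makes the operational trade-off visible: protect keeps the port up but leaves no record, restrict keeps the port up and gives you a counter and log entry to alert on, and shutdown stops everything on the port (including the legitimate host) until someone re-enables it.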

 

Configuration:

interface fa0/1
switchport mode access
switchport access vlan 101
switchport port-security 
switchport port-security violation restrict
switchport port-security mac-address 0022.6732.8d32 vlan access

Verification:


Switch#show port-security
Switch#show port-security interface fa0/1
Switch#show port-security address