
Chapter 1: Ethernet Basics

I. Foundation Topics
1. Ethernet Layer 1: Wiring, Speed, and Duplex
1. RJ-45 Pinouts and Category 5 Wiring
Ethernet Cabling Types

| Type of Cable | Pinouts | Key Pins Connected |
|---|---|---|
| Straight-through | T568A (both ends) or T568B (both ends) | 1-1; 2-2; 3-3; 6-6 |
| Crossover | T568A on one end, T568B on the other | 1-3; 2-6; 3-1; 6-2 |

5. Auto-negotiation, Speed, and Duplex
1. HDX = Half Duplex
2. FDX = Full Duplex
3. Switch ports default to auto-negotiate
1. Fast Link Pulses (FLP) are used in auto-negotiation for speed; however, if auto-negotiation is disabled on one of the endpoints, speed can still be detected based on the incoming electrical signal.
2. Duplex can only be auto-negotiated. If duplex is statically set on one side while the other side is using auto, the auto side defaults to half duplex at 10 and 100 Mbps and to full duplex at 1000 Mbps.

2. CSMA/CD
1. Created to minimize and detect collisions
2. How it works
1. A device with a frame to send listens until the Ethernet is not busy (in other
words, the device cannot sense a carrier signal on the Ethernet segment).
2. When the Ethernet is not busy, the sender begins sending the frame.
3. The sender listens to make sure that no collision occurred.
4. If there was a collision, all stations that sent a frame send a jamming signal to
ensure that all stations recognize the collision.
5. After the jamming is complete, each sender of one of the original collided
frames randomizes a timer and waits that long before resending. (Other
stations that did not create the collision do not have to wait to send.)
6. After all timers expire, the original senders can begin again with Step 1.
3. Collision Domains and Switch Buffering
1. Hubs
1. Operate solely at Ethernet Layer 1
2. Repeat (regenerate) electrical signals to improve cabling distances
3. Forward signals received on a port out all other ports (no buffering)
4. Hubs create only a single collision domain, while switches create one
per port.

4. Collision Mitigation using a switch


1. Switch buffering eliminates collisions using FDX.
2. HDX mode must be used if connecting to a hub due to hub logic.
NOTE: NICs in HDX mode use loopback circuitry when transmitting a frame. This
circuitry loops the transmitted frame back to the receive side of the NIC, so that
when the NIC receives a frame over the cable, the combined looped-back signal and
received signal allows the NIC to notice that a collision has occurred.

6. Basic Switch Port Configuration


1. You must configure speed first manually in order to be able to set duplex
manually; otherwise the duplex command will be rejected.

2. See below; shows SW1 and SW4 configured for a duplex mismatch. SW4
configured with half duplex is getting a lot of collisions and late collisions as
well as deferred frames and output errors.

3. One thing to consider is that collisions should be detected within the first 64
bytes of transmission; however below you will see more late collisions which are
collisions that are detected after the first 64 bytes... this is because one side isn't
playing by CSMA/CD rules and is sending frames via FDX.

4. Below you will notice that CDP carries information about switch and port
settings and will notify you via syslog message there is a duplex mismatch.


2. Ethernet Layer 2: Framing and Addressing


| Field | Description |
|---|---|
| Preamble (DIX) | Provides synchronization and signal transitions to allow proper clocking of the transmitted signal. Consists of 62 alternating 1s and 0s, and ends with a pair of 1s. |
| Preamble and Start of Frame Delimiter (802.3) | Same purpose and binary value as DIX preamble; 802.3 simply renames the 8-byte DIX preamble as a 7-byte preamble and a 1-byte Start of Frame Delimiter (SFD). |
| Type (or Protocol Type) (DIX) | 2-byte field that identifies the type of protocol or protocol header that follows the header. Allows the receiver of the frame to know how to process a received frame. |
| Length (802.3) | Describes the length, in bytes, of the data following the Length field, up to the Ethernet trailer. Allows an Ethernet receiver to predict the end of the received frame. |
| Destination Service Access Point (802.2) | DSAP; 1-byte protocol type field. The size limitations, along with other uses of the low-order bits, required the later addition of SNAP headers. |
| Source Service Access Point (802.2) | SSAP; 1-byte protocol type field that describes the upper-layer protocol that created the frame. |
| Control (802.2) | 1- or 2-byte field that provides mechanisms for both connectionless and connection-oriented operation. Generally used only for connectionless operation by modern protocols, with a 1-byte value of 0x03. |
| Organizationally Unique Identifier (SNAP) | OUI; 3-byte field, generally unused today, providing a place for the sender of the frame to code the OUI representing the manufacturer of the Ethernet NIC. |
| Type (SNAP) | 2-byte Type field, using same values as the DIX Type field, overcoming deficiencies with size and use of the DSAP field. |

1. Types of Ethernet Addresses
Three Types of Ethernet/MAC Address

| Type of Ethernet/MAC Address | Description and Notes |
|---|---|
| Unicast | Fancy term for an address that represents a single LAN interface. The I/G bit, the most significant bit in the most significant byte, is set to 0. |
| Broadcast | An address that means all devices that reside on this LAN right now. Always a value of hex FFFFFFFFFFFF. |
| Multicast | A MAC address that implies some subset of all devices currently on the LAN. By definition, the I/G bit is set to 1. |

3. Ethernet Address Formats

I/G and U/L Bits

| Field | Meaning |
|---|---|
| I/G | Binary 0 means the address is a unicast; Binary 1 means the address is a multicast or broadcast. |
| U/L | Binary 0 means the address is vendor assigned; Binary 1 means the address has been administratively assigned, overriding the vendor-assigned address. |


II. Protocol Types and the 802.3 Length Field


Ethernet Type Fields

| Type Field | Description |
|---|---|
| Protocol Type | DIX V2 Type field; 2 bytes; registered values now administered by the IEEE |
| DSAP | 802.2 LLC; 1 byte, with 2 high-order bits reserved for other purposes; registered values now administered by the IEEE |
| SNAP | SNAP header; 2 bytes; uses same values as Ethernet Protocol Type; signified by an 802.2 DSAP of 0xAA (with the SSAP also 0xAA and the Control field 0x03) |

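The Type/Length, LLC and SNAP fields and the I/G and U/L bits from the tables above, decoded in Python as an added example that is not part of the original notes. It assumes the standard IEEE rule, which the notes do not state, that a Type/Length value of 0x0600 or higher is a DIX Type and 1500 or lower is an 802.3 Length, and that in the usual hex notation the I/G and U/L bits are the 0x01 and 0x02 bits of the first octet; the sample frames are constructed.

```python
import struct

def mac_flags(mac: bytes) -> dict:
    """Decode the I/G and U/L bits of a 6-byte MAC address."""
    first = mac[0]  # in hex notation I/G is 0x01 and U/L is 0x02 of this octet
    if mac == b"\xff" * 6:
        kind = "broadcast"
    elif first & 0x01:
        kind = "multicast"
    else:
        kind = "unicast"
    return {"kind": kind, "locally_administered": bool(first & 0x02)}

def classify_frame(frame: bytes) -> dict:
    """Classify a frame that starts at the destination MAC (no preamble, no FCS)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (type_len,) = struct.unpack("!H", frame[12:14])
    info = {"dst": mac_flags(frame[0:6]), "src": mac_flags(frame[6:12])}
    if type_len >= 0x0600:            # assumption: IEEE threshold for a DIX Type
        info.update(encap="DIX", ethertype=type_len)
    elif type_len <= 1500:            # 802.3 Length, so an 802.2 LLC header follows
        if len(frame) < 17:
            raise ValueError("truncated 802.2 LLC header")
        dsap, ssap, control = frame[14], frame[15], frame[16]
        if (dsap, ssap, control) == (0xAA, 0xAA, 0x03):   # SNAP signature
            if len(frame) < 22:
                raise ValueError("truncated SNAP header")
            (snap_type,) = struct.unpack("!H", frame[20:22])
            info.update(encap="802.3+LLC+SNAP", length=type_len,
                        oui=frame[17:20].hex(), ethertype=snap_type)
        else:
            info.update(encap="802.3+LLC", length=type_len, dsap=dsap, ssap=ssap)
    else:                             # 1501..1535 is neither a Length nor a Type
        info.update(encap="invalid", value=type_len)
    return info

# Constructed sample frames: headers followed by zero padding.
DIX_IPV4 = bytes.fromhex("ffffffffffff" "020000000001" "0800") + bytes(46)
SNAP_CDP = bytes.fromhex("01000ccccccc" "001122334455" "0026"
                         "aaaa03" "00000c" "2000") + bytes(30)
LLC_STP = bytes.fromhex("0180c2000000" "001122334455" "0026" "424203") + bytes(35)

if __name__ == "__main__":
    for name, frame in (("DIX", DIX_IPV4), ("SNAP", SNAP_CDP), ("LLC", LLC_STP)):
        print(name, classify_frame(frame))
```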

2. Switching and Bridging Logic


LAN Switch Forwarding Behavior

| Type of Address | Switch Action |
|---|---|
| Known unicast | Forwards frame out the single interface associated with the destination address |
| Unknown unicast | Floods frame out all interfaces, except the interface on which the frame was received |
| Broadcast | Floods frame identically to unknown unicasts |
| Multicast | Floods frame identically to unknown unicasts, unless multicast optimizations are configured. |

8. SPAN and RSPAN
1. SPAN (Switch Port Analyzer) is useful for sending all traffic from a source port or VLAN
out a single port. Typical uses:
1. Traffic monitoring for compliance
2. Data collection
1. All traffic from a voice VLAN sent out a port to record all conversations.
2. IDS/IPS
3. Support for a particular application
2. SPAN sessions can be sourced from a single port or multiple ports, or from a VLAN.
3. The destination can be a port on another switch, using RSPAN
1. The RSPAN VLAN must be included on the trunk leading to the other switch

1. Core Concepts of SPAN and RSPAN
1. In SPAN, you create a SPAN source, either ports or VLANs, and the destination port
is on the same switch.
2. In RSPAN, you create the same kind of source as in SPAN, ports or VLANs. The destination is the
RSPAN VLAN, so all traffic can be carried over trunks until it reaches the
destination switch, which takes the RSPAN VLAN and outputs it to an RSPAN
destination port.
3. A SPAN source port can be any type of port. With a source VLAN, all ports that are part of
that VLAN are monitored, and ports are dynamically added to or removed from the
monitoring when they join or leave the VLAN. Also, a
port configured as a SPAN destination cannot be part of a SPAN source VLAN.

2. Restrictions and Conditions


1. Destination ports in SPAN and RSPAN have multiple restrictions. The key
restrictions include the following:
1. When you configure a destination port, its original configuration is overwritten.
If the SPAN configuration is removed, the original configuration on that port is
restored.
2. When you configure a destination port, the port is removed from any
EtherChannel bundle if it were part of one. If it were a routed port, the SPAN
destination configuration overrides the routed port configuration.
3. Destination ports do not support port security, 802.1x authentication, or private
VLANs. In general, SPAN/RSPAN and 802.1x are incompatible.
4. Destination ports do not support any Layer 2 protocols, including CDP, Spanning
Tree, VTP, DTP, and so on.
2. SPAN and RSPAN require compliance with a number of specific conditions to work.
For SPAN, the key restrictions include the following:
1. The source can be either one or more ports or a VLAN, but not a mix of these.
2. Up to 64 SPAN destination ports can be configured on a switch.
3. Switched or routed ports can be configured as SPAN source ports or SPAN
destination ports.
4. Be careful to avoid overloading the SPAN destination port. A 100-Mbps source
port can easily overload a 10-Mbps destination port; it's even easier to overload a
100-Mbps destination port when the source is a VLAN.
5. Within a single SPAN session, you cannot deliver traffic to a destination port
when it is sourced by a mix of SPAN and RSPAN source ports or VLANs. This
restriction comes into play when you want to mirror traffic to both a local port
on a switch (in SPAN) and a remote port on another switch (in RSPAN mode).
6. A SPAN destination port cannot be a source port, and a source port cannot be a
destination port.
7. Only one SPAN/RSPAN session can send traffic to a single destination port.
8. A SPAN destination port ceases to act as a normal switchport. That is, it passes
only SPAN-related traffic.
9. It's possible to configure a trunk port as the source of a SPAN or RSPAN session.
In this case, all VLANs on the trunk are monitored by default; the filter vlan
command option can be configured to limit the VLANs being monitored in this
situation.
10. Traffic that is routed from another VLAN to a source VLAN cannot be
monitored with SPAN. An easy way to understand this concept is that only
traffic that enters or exits the switch in a source port or VLAN is forwarded in a
SPAN session. In other words, if the traffic comes from another source within
the switch (by routing from another VLAN, for example), that traffic isn't
forwarded via SPAN.
3. Basic SPAN Configuration
    #config t
    (config)# monitor session 1 source interface fa0/12
    (config)# monitor session 1 destination interface fa0/24

4. Complex SPAN Configuration


    #config t
    ! Received traffic only on fa0/18, transmitted traffic only on fa0/9
    (config)# monitor session 11 source interface fa0/18 rx
    (config)# monitor session 11 source interface fa0/9 tx
    ! No direction keyword: both directions are monitored
    (config)# monitor session 11 source interface fa0/19
    (config)# monitor session 11 filter vlan 1 - 3 , 229
    (config)# monitor session 11 destination interface fa0/24 encapsulation replicate
5. RSPAN Configuration
1. From IDF-SYR1, all traffic received on VLANs 66-68
2. From IDF-SYR2, all traffic received on VLAN 9
3. From IDF-SYR2, all traffic sent and received on VLAN 199
    ! VLAN 199 is the RSPAN VLAN and is defined on every switch in the path
    IDF-SYR1# config term
    IDF-SYR1(config)# vlan 199
    IDF-SYR1(config-vlan)# remote-span
    IDF-SYR1(config-vlan)# exit
    IDF-SYR1(config)# monitor session 3 source vlan 66 - 68 rx
    IDF-SYR1(config)# monitor session 3 destination remote vlan 199
    ! Now moving to IDF-SYR2:
    IDF-SYR2# config term
    IDF-SYR2(config)# vlan 199
    IDF-SYR2(config-vlan)# remote-span
    IDF-SYR2(config-vlan)# exit
    IDF-SYR2(config)# monitor session 23 source vlan 9 rx
    IDF-SYR2(config)# monitor session 23 source vlan 11
    IDF-SYR2(config)# monitor session 23 destination remote vlan 199
    ! Now moving to MDF-SYR9, which outputs the RSPAN VLAN to a local port
    MDF-SYR9# config term
    MDF-SYR9(config)# vlan 199
    MDF-SYR9(config-vlan)# remote-span
    MDF-SYR9(config-vlan)# exit
    MDF-SYR9(config)# monitor session 63 source remote vlan 199
    MDF-SYR9(config)# monitor session 63 destination interface fa0/24
    MDF-SYR9(config)# end
4. *NOTE* Verify monitor sessions with the show monitor session command.
5. *NOTE* The destination port must not be shut down, or the SPAN instance won't come up.
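One way to audit a saved switch configuration for monitor session lines that break three of the restrictions listed above: a session mixing port and VLAN sources, a port that is both source and destination, and two sessions sharing one destination port. This Python code is an added example, not part of the original notes and not Cisco tooling; the function name audit_span and the BAD_CONFIG sample are constructed, while PAGE_CONFIG repeats the complex SPAN configuration from these notes.

```python
import re
from collections import defaultdict

MONITOR_RE = re.compile(r"monitor session (\d+) (source|destination) (.+)$")

def audit_span(config: str) -> list:
    """Return findings for monitor session lines that break the restrictions."""
    src_kinds = defaultdict(set)   # session -> {"interface", "vlan", "remote vlan"}
    src_ports = set()              # every interface used as a SPAN source
    dst_ports = defaultdict(set)   # destination interface -> sessions using it
    for line in config.splitlines():
        m = MONITOR_RE.search(line.strip())
        if not m:                  # also skips "filter vlan" and non-SPAN lines
            continue
        session, role, rest = int(m.group(1)), m.group(2), m.group(3).split()
        kind = "remote vlan" if rest[0] == "remote" else rest[0]
        if role == "source":
            src_kinds[session].add(kind)
            if kind == "interface":
                src_ports.add(rest[1].lower())
        elif kind == "interface":
            dst_ports[rest[1].lower()].add(session)
    findings = []
    for session, kinds in sorted(src_kinds.items()):
        if {"interface", "vlan"} <= kinds:
            findings.append(f"session {session}: mixes port and VLAN sources")
    for port, sessions in sorted(dst_ports.items()):
        if len(sessions) > 1:
            findings.append(f"{port}: destination of sessions {sorted(sessions)}")
        if port in src_ports:
            findings.append(f"{port}: is both a source and a destination port")
    return findings

PAGE_CONFIG = """
(config)# monitor session 11 source interface fa0/18 rx
(config)# monitor session 11 source interface fa0/9 tx
(config)# monitor session 11 source interface fa0/19
(config)# monitor session 11 filter vlan 1 - 3 , 229
(config)# monitor session 11 destination interface fa0/24 encapsulation replicate
"""
BAD_CONFIG = """
monitor session 1 source interface fa0/12
monitor session 1 source vlan 9 rx
monitor session 1 destination interface fa0/24
monitor session 2 source interface fa0/24
monitor session 2 destination interface fa0/24
"""  # constructed sample that violates all three checks

if __name__ == "__main__":
    print(audit_span(PAGE_CONFIG), audit_span(BAD_CONFIG), sep="\n")
```

Run it per switch: source and destination checks only make sense within a single device's configuration.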

III. What do you do now? What do you think... check out Cisco
documentation on this subject, review, practice etc....
