If you do not know the answer to a question or are only partially sure of the answer, you should mark this question wrong for purposes of the self-assessment. The goal of self-assessment is to gauge your mastery of the topics in this chapter. "Do I Know This Already?" Foundation Topics Section-to-Question Mappingįactors Affecting Layer 2 Mitigation Techniques Table 14-1 outlines the major topics discussed in this chapter and the "Do I Know This Already?" quiz questions that correspond to those topics.
The 11-question quiz, derived from the major sections in "Foundation Topics" section of the chapter, helps you determine how to spend your limited study time. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now. The purpose of the "Do I Know This Already?" quiz is to help you decide whether you really need to read the entire chapter. This chapter discusses Layer 2 attacks, mitigations, best practices, and functionality. The two most prevalent VLAN tagging techniques are the IEEE 802.1q tag and the Cisco Inter-Switch Link (ISL) tag. Like their physical counterparts, each VLAN consists of a single broadcast domain isolated from other VLANs and work by tagging packets with an identification header and then restricting the ports that the tagged packets can be received on to those that are part of the VLAN. VLANs enable network administrators to divide their physical networks into a set of smaller logical networks. With their ability to isolate traffic and create the "instant" networks, switches can be used to divide a physical network into multiple logical or VLANs through the use of Layer 2 traffic segmentation. If the destination address of a frame is not known or if the frame received by the switch is destined for a broadcast address, the switch forwards the frame out all ports. These lookup tables are populated by an address-learning process on the switch. Switches maintain content-addressable memory (CAM) lookup tables to track the source addresses located on the switch ports. Data frames are sent by end systems, and their source and destination addresses are not changed throughout the switched domain. Unlike hubs, switches cannot regulate the flow of data between their ports by creating almost "instant" networks that contain only the two end devices communicating with each other.
This chapter covers the following subjects: