Chapter 4 Switching Concepts & Redundant Networks

The document discusses LAN switching concepts and redundant network technologies like Spanning Tree Protocol (STP). STP elects a root bridge and blocks redundant links to prevent switching loops, learning MAC addresses to filter traffic to appropriate ports. Switches run STP to establish a loop-free topology by placing some ports into blocking state if there are multiple links between devices.

Uploaded by

nuhono

Chapter 4: Switching Concepts & Redundant Networks
CISCO CERTIFIED NETWORK ASSOCIATE (CCNA)
Agenda
• LAN Switching Concepts
• Switch Functions at Layer 2
• Spanning Tree Protocol
• Switch EtherChannel
• Switch Stacking and Chassis Aggregation
• Switch Security

LAN Switching Concepts

LAN Switching Concepts
• Ethernet switches receive Ethernet frames on one port and then forward (switch) the frames out one (or more) other ports
• Bridges/switches separate devices into groups called collision domains
• Deciding when to forward a frame or when to filter (not forward) a frame, based on the destination MAC address
• Learning MAC addresses by examining the source MAC address of each frame received by the switch
• Switches create private, dedicated collision domains and provide independent bandwidth on each port, unlike hubs
• Creating a (Layer 2) loop-free environment with other bridges by using Spanning Tree Protocol (STP)
LAN Switching Concepts
• The typical switched network design

Limitations of Layer 2 Switching
• We absolutely must break up the collision domains correctly
• Bridged networks break up collision domains, but remember, that network is still one large broadcast domain
• The right way to create a functional bridged network is to make sure that its users spend 80 percent of their time on the local segment

Switch Functions at Layer 2

Switch Functions at Layer 2
• Address learning: Layer 2 switches and bridges remember the source
hardware address of each frame received on an interface, and they enter
this information into a MAC database called a forward/filter table
• Forward/filter decisions: When a frame is received on an interface, the
switch looks at the destination hardware address and finds the exit
interface in the MAC database. The frame is only forwarded out the
specified destination port
• Loop avoidance: If multiple connections between switches are created for
redundancy purposes, network loops can occur. Spanning Tree Protocol
(STP) is used to stop network loops while still permitting redundancy

Empty forward/filter Table
• When a switch is first powered on, the MAC forward/filter table is
empty

MAC Address Learning
• Host A sends a frame to Host B
• The switch receives the frame on the E0/0
interface and places the source address in the
MAC address table
• Since the destination address is not in the MAC
database, the frame is forwarded out all
interfaces—except the source port
• Host B receives the frame and responds to Host
A. The switch receives this frame on interface
E0/1 and places the source hardware address in
the MAC database
• Host A and Host B can now make a point-to-point
connection and only the two devices will receive
the frames. Hosts C and D will not see the frames
Forward/filter Table
• When a frame arrives at a switch interface, the destination hardware address is compared to the forward/filter MAC database
• If the destination hardware address is known and listed in the database, the frame is only sent out the correct exit interface
• The switch doesn't transmit the frame out any interface except for the destination interface
• If a host or server sends a broadcast on the LAN, the switch will flood the frame out all active ports except the source port by default

Forward/filter Table
SW-1#sh mac address-table
Vlan    Mac Address       Type      Ports
----    -----------       --------  -----
1       0005.dccb.d74b    DYNAMIC   Fa0/4
1       000a.f467.9e80    DYNAMIC   Fa0/5
1       000a.f467.9e8b    DYNAMIC   Fa0/6

Switch Forwarding and Filtering Decision
• Sample Switch Forwarding and Filtering Decision

Forwarding Decision with Two Switches
• Sample Forwarding Decision with Two Switches

Loop Avoidance
• Loop prevention, as implemented by Spanning Tree Protocol (STP)
• Without STP, any flooded frames would loop for an indefinite period of time in Ethernet networks with physically redundant links
• To prevent looping frames, STP blocks some ports from forwarding frames so that only one active path exists between any pair of LAN segments

Redundant Links Without STP
• Network with Redundant Links but Without STP
• Broadcast Storm
• Multiple Frame Copies
• MAC Database Instability

Spanning Tree Protocol

Spanning Tree Protocol (IEEE 802.1D)
• The IEEE later created its own version of STP called 802.1D
• Three classes of problems caused by not using STP in redundant LANs:
  • Broadcast storms
  • MAC table instability
  • Multiple frame transmission

STP Terminology
• Root bridge: the bridge with the best bridge ID
• BPDU: All the switches exchange Bridge Protocol Data Units (BPDUs) to use in the selection of the root switch as well as in the subsequent configuration of the network
• Bridge ID: The bridge ID is how STP keeps track of all the switches in
the network. It is determined by a combination of the bridge priority
(32,768 by default on all Cisco switches) and the base MAC address.
The bridge with the lowest bridge ID becomes the root bridge in the
network.

STP Terminology
• Nonroot bridges: These are all bridges that are not the root bridge
• Port cost: Port cost determines the best path when multiple links are
used between two switches and none of the links is a root port. The
cost of a link is determined by the bandwidth of a link
• Root port: The root port is always the link directly connected to the
root bridge, or the shortest path to the root bridge.
• If more than one link connects to the root bridge, then a port cost is
determined by checking the bandwidth of each link. The lowest-cost port
becomes the root port.
• If multiple links have the same cost, the lowest port number will be used.

STP Terminology
• Designated port: one that has been determined as having the best
(lowest) cost. A designated port will be marked as a forwarding port.
• Nondesignated port: A nondesignated port is one with a higher cost
than the designated port. Nondesignated ports are put in blocking
mode—they are not forwarding ports
• Forwarding port: A forwarding port forwards frames
• Blocked port: A blocked port is the port that, in order to prevent
loops, will not forward frames. However, a blocked port will always
listen to frames.

Spanning Tree Operations
• STP’s job is to find all links in the network and shut down any redundant ones,
thereby preventing network loops from occurring
• STP accomplishes this by first electing a root bridge that will forward through all
ports and act as a point of reference for all other devices in the STP domain
• Once all switches agree on who the root bridge is, every bridge must find its one
and only allotted root port
• The root port chosen is the one that provides the highest bandwidth to the root
• It's really important to remember that a bridge can go through many other bridges to get to the root, meaning that it's not always the shortest path but the fastest (highest bandwidth) path that will be the one used
• Obviously, every port on the root switch is a designated port, as you can get no closer to the root than being the root
Selecting the Root Bridge
• The bridge ID is used to elect the root bridge in the STP domain and to
determine the root port for each of the remaining devices in the STP
domain
• This ID is 8 bytes long and includes both the priority and the MAC address of
the device
• The default priority on all devices running the IEEE STP version is 32,768
• If two switches or bridges happen to have the same priority value, the
MAC address becomes the tiebreaker for figuring out which one has
the lowest (best) ID
• You can change the bridge’s ID by lowering its priority so that it will become a
root bridge automatically
Role of the BID

• Explain the role of the BID in STP

Example STP Operations
• Switch A is the root bridge because it's the one with the lowest bridge ID
• Switch B must shut down one of its ports connected to Switch A to prevent a switching loop from occurring
• It will first check each link's amount of bandwidth and then shut down the link with the lowest bandwidth value
• If the bandwidth is the same, STP will typically shut down the higher of the port numbers, but not always
• Even though Switch B won't transmit out the blocked port, it will still receive through it, including BPDUs

Topology STP for Case Study 1#
• Changing the default priority is the best way to choose a root bridge.
This is important because you want the core switch (the one closest
to the center of your network) to be the root bridge in your network
so STP will converge quickly

Verify STP for Case Study 1#
• Verify Default STP
SW-1#show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     00D0.584E.8355
             Cost        19
             Port        1(FastEthernet0/1)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     00E0.F77D.A20B
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Root FWD 19        128.1    P2p
Fa0/2            Altn BLK 19        128.2    P2p

Changing STP for Case Study 1#
• You can change the priority to force a switch to become the root of your STP network, so let's do that now for SW-1
SW-1#config t
SW-1(config)#spanning-tree vlan 1 priority ?
  <0-61440>  bridge priority in increments of 4096
SW-1(config)#spanning-tree vlan 1 priority 4096
SW-1(config)#exit
SW-1#show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    4097
             Address     00E0.F77D.A20B
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    4097   (priority 4096 sys-id-ext 1)
             Address     00E0.F77D.A20B
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- -----------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/2            Desg LSN 19        128.2    P2p

Spanning-Tree Port States

• Blocking: A blocked port won’t forward frames; it just listens to BPDUs. The
purpose of the blocking state is to prevent the use of looped paths. All ports are
in blocking state by default when the switch is powered up.
• Listening: The port listens to BPDUs to make sure no loops occur on the network
before passing data frames. A port in listening state prepares to forward data
frames without populating the MAC address table
• Learning: The switch port listens to BPDUs and learns all the paths in the
switched network. A port in learning state populates the MAC address table but
doesn’t forward data frames.
• Forwarding: The port sends and receives all data frames on the bridged port
• Disabled: A port in the disabled state (administratively) does not participate in frame forwarding or STP
STP Convergence

• Convergence occurs when all ports on bridges and switches have transitioned to
either forwarding or blocking modes
• No data will be forwarded until convergence is complete
• It usually takes 50 seconds to go from blocking to forwarding mode

3 Steps STP Convergence
• STEP-1: Elect Root Bridge
• STEP-2: Elect Root Port
• STEP-3: Elect the Designated and Non-Designated ports

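The three convergence steps above (and the Switch A / Switch B example earlier) worked through in code, as an added illustration that is not part of the slides: the switch names, MAC addresses, link speeds and the `converge`/`valid_priority` helpers are all constructed here, with 802.1D tie-breaking as the slides describe it.

```python
"""Three-step STP convergence on a constructed topology: elect the root bridge,
pick each switch's root port, then the designated port on every link. Added
illustration, not code from the slides; switch names, MACs and links are made up."""
import heapq
import re

# 802.1D default port costs by link speed in Mbit/s (the slides' output shows
# 19 for FastEthernet and 4 for GigabitEthernet).
COST = {10: 100, 100: 19, 1000: 4}

def bridge_id(priority, mac):
    """Bridge ID compares priority first, then the base MAC; the lowest wins."""
    return (priority, mac.lower())

def port_key(port):
    """Sort key for a port name such as 'Fa0/2' -> (0, 2); lowest port wins ties."""
    return tuple(int(n) for n in re.findall(r"\d+", port))

def valid_priority(priority):
    """'spanning-tree vlan N priority X' accepts 0..61440 in steps of 4096."""
    return 0 <= priority <= 61440 and priority % 4096 == 0

def converge(switches, links):
    """switches: {name: (priority, base_mac)}
    links: [(switch_a, port_a, switch_b, port_b, speed_mbps), ...]
    Returns (root_switch, {(switch, port): 'Root' | 'Desg' | 'Altn'})."""
    # Step 1: the root bridge is the switch with the lowest bridge ID.
    root = min(switches, key=lambda s: bridge_id(*switches[s]))
    adj = {s: [] for s in switches}      # switch -> [(port, nbr, nbr_port, cost)]
    for a, pa, b, pb, speed in links:
        adj[a].append((pa, b, pb, COST[speed]))
        adj[b].append((pb, a, pa, COST[speed]))
    # Root path cost of every switch (Dijkstra from the root): a longer path
    # over faster links can beat a direct slow link.
    rpc = {root: 0}
    heap = [(0, root)]
    while heap:
        cost, cur = heapq.heappop(heap)
        if cost > rpc[cur]:
            continue
        for _port, nbr, _nport, c in adj[cur]:
            if cost + c < rpc.get(nbr, float("inf")):
                rpc[nbr] = cost + c
                heapq.heappush(heap, (cost + c, nbr))
    roles = {}
    # Step 2: each non-root switch picks one root port: lowest cost to the
    # root, then lowest neighbour bridge ID, then lowest neighbour port number.
    for s in switches:
        if s == root:
            continue
        cands = [(rpc[n] + c, bridge_id(*switches[n]), port_key(np), p)
                 for p, n, np, c in adj[s]]
        roles[(s, min(cands)[3])] = "Root"
    # Step 3: on each link the end closer to the root (then lower bridge ID,
    # then lower port) is designated; the other end is blocking (Altn) unless
    # it is that switch's root port. Every port on the root is designated.
    for a, pa, b, pb, _speed in links:
        ends = sorted([(rpc[a], bridge_id(*switches[a]), port_key(pa), a, pa),
                       (rpc[b], bridge_id(*switches[b]), port_key(pb), b, pb)])
        roles[(ends[0][3], ends[0][4])] = "Desg"
        roles.setdefault((ends[1][3], ends[1][4]), "Altn")
    return root, roles

# Constructed topology: two parallel FastEthernet links A-B, a Gigabit link
# B-C and a 10 Mbit/s link A-C. A has the lowest MAC, so it wins by default.
SWITCHES = {"A": (32768, "0000.0000.000a"), "B": (32768, "0000.0000.000b"),
            "C": (32768, "0000.0000.000c")}
LINKS = [("A", "Fa0/1", "B", "Fa0/1", 100), ("A", "Fa0/2", "B", "Fa0/2", 100),
         ("B", "Gi0/1", "C", "Gi0/1", 1000), ("A", "Fa0/3", "C", "Fa0/3", 10)]
```

With the default priorities A is the root, B blocks its higher-numbered parallel link, and C reaches the root over B rather than its direct 10 Mbit/s link; lowering B's priority to 4096 makes B the root, as on the "Changing STP" slide.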
Spanning Tree PortFast
• If you have a server or other device connected to your switch that you're totally sure won't create a switching loop if STP is disabled
• You can use something called PortFast on these ports
• Using it means the port won't spend the usual 50 seconds to come up into forwarding mode while STP is converging
SW-1>en
SW-1#config t
SW-1(config)#int f0/3
SW-1(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION

%Portfast has been configured on FastEthernet0/3 but will only
have effect when the interface is in a non-trunking mode.
SW-1(config-if)#end
SW-1#
Rapid Spanning Tree Protocol (RSTP) 802.1w
• Cisco created PortFast, UplinkFast, and BackboneFast to "fix" the holes and liabilities the IEEE 802.1d standard presented
• The new 802.1w standard (RSTP) addresses all these "issues" in one tight package: just turn on RSTP and you're good to go
• It's important that you make sure all the switches in your network are running the 802.1w protocol for 802.1w to work properly

STP Variants

PVST+ Extended Bridge ID
• Bridge ID without the extended system ID
• Extended bridge ID with system ID
• System ID = VLAN

PVRST+ Implementation
SwitchX(config)#spanning-tree mode rapid-pvst
• Configures PVRST+
SwitchX#show spanning-tree vlan vlan# [detail]
• Verifies spanning tree
SwitchX#debug spanning-tree pvst+
• Shows PVST+ event debug messages

PVRST+ Verification
SwitchX#show spanning-tree vlan 30
VLAN0030
  Spanning tree enabled protocol rstp
  Root ID    Priority    24606
             Address     00d0.047b.2800
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    24606  (priority 24576 sys-id-ext 30)
             Address     00d0.047b.2800
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300
Interface  Role  Sts  Cost  Prio.Nbr  Type
---------  ----  ---  ----  --------  ----
Gi1/1      Desg  FWD  4     128.1     P2p
Gi1/2      Desg  FWD  4     128.2     P2p
Gi5/1      Desg  FWD  4     128.257   P2p

• The spanning-tree mode is set to PVRST ("protocol rstp" in the output)

Configuring Root and Secondary Bridges

Configuring Root and Secondary Bridges: Switch A
SwitchA(config)#spanning-tree vlan 1 root primary
• This command forces SwitchA to be the root for VLAN 1.
SwitchA(config)#spanning-tree vlan 2 root secondary
• This command forces SwitchA to be the secondary root for VLAN 2.
OR
SwitchA(config)#spanning-tree vlan # priority priority
• This command statically configures the priority (in increments of 4096).

Configuring Root and Secondary Bridges: Switch B
SwitchB(config)#spanning-tree vlan 2 root primary
• This command forces SwitchB to be the root for VLAN 2.
SwitchB(config)#spanning-tree vlan 1 root secondary
• This command forces SwitchB to be the secondary root for VLAN 1.
OR
SwitchB(config)#spanning-tree vlan # priority priority
• This command statically configures the priority (in increments of 4096).

Switch EtherChannel

EtherChannel
• Bundle the links and create a logical aggregation so that our multiple links will then appear as a single one
• Cisco's version is called Port Aggregation Protocol (PAgP) and the IEEE 802.3ad standard is called Link Aggregation Control Protocol (LACP)

EtherChannel
• EtherChannel Modes
Mode       Protocol      Description
Auto       PAgP          Sets the interface to respond to PAgP negotiation packets, but the interface will not start negotiations on its own.
Desirable  PAgP          Sets the interface to actively attempt to negotiate a PAgP connection.
On         EtherChannel  Forces the connection to bring all links up without using a protocol to negotiate connections. This mode can only connect to another device that is also set to on. When using this mode, the switch does not negotiate the link using either PAgP or LACP.
Active     LACP          Sets the interface to actively attempt to negotiate connections with other LACP devices.
Passive    LACP          Sets the interface to respond to LACP data if it receives negotiation requests from other systems.

EtherChannel
• Sample Configuration
Switch1> enable
Switch1# configure terminal
Switch1(config)# interface range fastethernet0/11 - 12
Switch1(config-if-range)# switchport mode access
Switch1(config-if-range)# switchport access vlan 10
Switch1(config-if-range)# channel-group 5 mode desirable
Switch1(config-if-range)# end

Switch2> enable
Switch2# configure terminal
Switch2(config)# interface range fastethernet0/1 - 2
Switch2(config-if-range)# switchport mode access
Switch2(config-if-range)# switchport access vlan 10
Switch2(config-if-range)# channel-group 2 mode auto
Switch2(config-if-range)# end

Switch Stacking and Chassis Aggregation

Traditional Access Switching Without
Stacking
• Typical Campus Design: Access Switches and Two Distribution
Switches
• Access switches A1 through A4 all operate as separate devices

Switch Stacking of Access Layer Switches
• Switch stacking technology allows the network engineer to make that
stack of physical switches act like one switch
• Benefit of Switch Stacking:
• The stack would have a single management IP address
• The engineer would connect with Telnet or SSH to one switch (with that one
management IP address), not multiple switches
• One configuration file would include all interfaces in all four physical switches
• STP, CDP, VTP would run on one switch, not multiple switches
• The switch ports would appear as if all are on the same switch
• There would be one MAC address table, and it would reference all ports on all
physical switches
Stacking Cables Between Access Switches in
the Same Rack

Stacking Cables Between Access Switches in
the Same Rack
• If the four switches were all 2960XR switches, each would need one
stacking module, and four cables total to connect the four switches

Stack Acts Like One Switch

Cisco FlexStack and FlexStack-Plus
• Cisco created one stacking technology, called FlexStack, as part of the
introduction of the 2960-S model series
• Cisco later enhanced FlexStack with FlexStack-Plus, adding support
with products in the 2960-X and 2960-XR model series
• Below are the comparisons between FlexStack and FlexStack-Plus

Chassis Aggregation
• The term chassis aggregation refers to another Cisco technology used to
make multiple switches operate as a single switch
• From a big picture perspective, switch stacking is more often used and
offered by Cisco in switches meant for the access layer
• Chassis aggregation is meant for more powerful switches that sit in the
distribution and core layers
• Summarizing some of the key differences, chassis aggregation
• Typically is used for higher-end switches used as distribution or core switches
• Does not require special hardware adapters, instead using Ethernet interfaces
• Aggregates two switches
• Arguably is more complex but also more functional
Using EtherChannel and Different Line Cards

One Design Advantage of Aggregated
Distribution Switches
• The right side of the figure shows the aggregated switch that appears as one switch to the
access layer switches. In fact, even though the uplinks connect into two different switches,
they can be configured as an EtherChannel through a feature called Multichassis
EtherChannel (MEC).

Advantages of using switch aggregation
• Multichassis EtherChannel (MEC): Uses the EtherChannel between the two
physical switches.
• Active/Standby Control Plane: Simpler operation for control plane because the
pair acts as one switch for control plane protocols: STP, VTP, EtherChannel, ARP,
routing protocols.
• Active/Active data plane: Takes advantage of the forwarding power of the supervisors on both switches, with active Layer 2 and Layer 3 forwarding on the supervisors of both switches. The switches synchronize their MAC and routing tables to support that process.
• Single switch management: Simpler operation of management protocols by
running management protocols (Telnet, SSH, SNMP) on the active switch;
configuration is synchronized automatically with the standby switch.
Making Six Switches Act like Two

Switch Security

Switch Port Security

• Port Security: If you want to set up a switch port to allow only one host
per port, and to shut down the port if this rule is violated, use the
following commands
Switch#config t
Switch(config)#int f0/1
Switch(config-if)#switchport port-security ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode
<cr>

Switch#config t
Switch(config)#int f0/1
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
Port Security Sticky
• Provide static MAC address security without having to type in everyone's MAC address on the network
Switch#config t
Switch(config)#int f0/1
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#switchport port-security maximum 2
Switch(config-if)#switchport port-security violation shutdown

Port Security Violation
• Actions When Port Security Violation Occurs

*shutdown is the default setting.

Port Security Configuration
• Port Security Configuration Example
interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security mac-address 0200.1111.1111
!
interface FastEthernet0/2
switchport mode access
switchport port-security
switchport port-security mac-address sticky
!
interface FastEthernet0/3
switchport mode access
switchport port-security
!
interface FastEthernet0/4
switchport mode access
switchport port-security
switchport port-security maximum 8

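The MAC address learning and forward/filter decision from the "Switch Functions at Layer 2" slides, combined with the port-security behaviour configured above (maximum, static and sticky addresses, violation shutdown), as an added model that is not code from the slides: the `Port`/`Switch` classes, the host MACs and the frames are constructed here, and the restrict/protect modes are the standard Cisco alternatives to the default shutdown action.

```python
"""Switch forward/filter table with port security, as an added illustration of
the MAC-learning slides and the port-security slides above. Not code from the
slides; the port configuration follows their example and the MACs are constructed."""
from collections import namedtuple

Frame = namedtuple("Frame", "in_port src dst")
BROADCAST = "ffff.ffff.ffff"

class Port:
    """One access port. maximum=None means port security is not enabled."""
    def __init__(self, maximum=None, static=(), sticky=False, violation="shutdown"):
        self.maximum = maximum        # switchport port-security maximum N
        self.secure = set(static)     # static, sticky or dynamically secured MACs
        self.sticky = sticky          # switchport port-security mac-address sticky
        self.violation = violation    # shutdown (default) | restrict | protect
        self.err_disabled = False
        self.violations = 0

class Switch:
    def __init__(self, ports):
        self.ports = ports            # {port name: Port}, in port order
        self.mac_table = {}           # forward/filter table: MAC -> port

    def _port_security_ok(self, name, src):
        """Apply port security to the source MAC of a frame entering 'name'."""
        port = self.ports[name]
        if port.maximum is None or src in port.secure:
            return True
        if len(port.secure) < port.maximum:
            port.secure.add(src)      # learned as secure (saved to config if sticky)
            return True
        if port.violation != "protect":
            port.violations += 1      # restrict and shutdown count (and log) violations
        if port.violation == "shutdown":
            port.err_disabled = True  # port stays down until an admin resets it
        return False

    def receive(self, frame):
        """Process one frame; return the ports it is forwarded out of."""
        if self.ports[frame.in_port].err_disabled:
            return []
        if not self._port_security_ok(frame.in_port, frame.src):
            return []                 # violating frame is dropped
        # Address learning: the source MAC now lives on the ingress port.
        self.mac_table[frame.src] = frame.in_port
        # Forward/filter decision: flood broadcasts and unknown destinations
        # out every other active port, otherwise send only to the known port.
        out = self.mac_table.get(frame.dst)
        if frame.dst == BROADCAST or out is None:
            return [p for p, prt in self.ports.items()
                    if p != frame.in_port and not prt.err_disabled]
        return [] if out == frame.in_port or self.ports[out].err_disabled else [out]

    def sticky_config(self, name):
        """Lines that 'show running-config' would carry for sticky-learned MACs."""
        port = self.ports[name]
        return [f" switchport port-security mac-address sticky {m}"
                for m in sorted(port.secure)] if port.sticky else []

HOST_A, HOST_B, ROGUE = "0200.1111.1111", "0200.2222.2222", "0200.9999.9999"

def build_demo():
    """Port configuration based on the slides' example, plus an unsecured uplink."""
    return Switch({"Fa0/1": Port(maximum=1, static=[HOST_A]),
                   "Fa0/2": Port(maximum=2, sticky=True),
                   "Fa0/3": Port(maximum=1),
                   "Fa0/4": Port(maximum=8),
                   "Fa0/5": Port()})          # no port security, e.g. the uplink
```

Running frames through `build_demo()` shows the first unknown destination being flooded, the reply going out only the learned port, the sticky port capturing Host B's address into its config, and a second MAC on the single-host port Fa0/1 err-disabling it so nothing is forwarded from it afterwards.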
Securing Unused Switch Interfaces
• Cisco makes some general recommendations to override the default
interface settings to make the unused ports more secure, as follows:
• Administratively disable the interface using the shutdown interface
subcommand
• Prevent VLAN trunking by making the port a nontrunking interface using the
switchport mode access interface subcommand
• Assign the port to an unused VLAN using the switchport access vlan number
interface subcommand
• Set the native VLAN to not be VLAN 1, but to instead be an unused VLAN,
using the switchport trunk native vlan vlan-id interface subcommand

LAN Switch Interface Status Codes

BPDU Guard
• Disables a port if any BPDUs are received on the port
• Used on ports that are only ever access ports and never connected to another switch
• Example configuration below: