Chapter 4 Switching Concepts & Redundant Networks
LAN Switching Concepts
• Ethernet switches receive Ethernet frames in one port and then forward
(switch) the frames out one (or more) other port
• Bridges/switches separate devices into groups called collision domains
• Deciding when to forward a frame or when to filter (not forward) a frame,
based on the destination MAC address
• Learning MAC addresses by examining the source MAC address of each frame
received by the switch
• Switches create private, dedicated collision domains and provide independent
bandwidth on each port, unlike hubs
• Creating a (Layer 2) loop-free environment with other bridges by using
Spanning Tree Protocol (STP).
LAN Switching Concepts
• The typical switched network design
Limitations of Layer 2 Switching
Switch Functions at Layer 2
• Address learning: Layer 2 switches and bridges remember the source
hardware address of each frame received on an interface, and they enter
this information into a MAC database called a forward/filter table
• Forward/filter decisions: When a frame is received on an interface, the
switch looks at the destination hardware address and finds the exit
interface in the MAC database. The frame is only forwarded out the
specified destination port
• Loop avoidance: If multiple connections between switches are created for
redundancy purposes, network loops can occur. Spanning Tree Protocol
(STP) is used to stop network loops while still permitting redundancy
Empty forward/filter Table
• When a switch is first powered on, the MAC forward/filter table is
empty
MAC Address Learning
• Host A sends a frame to Host B
• The switch receives the frame on the E0/0
interface and places the source address in the
MAC address table
• Since the destination address is not in the MAC
database, the frame is forwarded out all
interfaces—except the source port
• Host B receives the frame and responds to Host
A. The switch receives this frame on interface
E0/1 and places the source hardware address in
the MAC database
• Host A and Host B can now make a point-to-point
connection and only the two devices will receive
the frames. Hosts C and D will not see the frames
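The learning and forward/filter behaviour described above, as an added Python model (not code from the slides); hosts A and B and their MAC addresses are constructed, and the port names follow the slide (E0/0 to E0/3):

```python
class LearningSwitch:
    """Minimal Layer 2 switch model: learns source MACs, forwards or filters by destination MAC."""

    def __init__(self, ports):
        self.ports = list(ports)   # e.g. ["E0/0", "E0/1", "E0/2", "E0/3"]
        self.mac_table = {}        # forward/filter table: MAC -> port, empty at power-on

    def receive(self, in_port, src_mac, dst_mac):
        """Process one frame; return the list of ports it is sent out of."""
        # Address learning: remember which port the source MAC was seen on
        self.mac_table[src_mac] = in_port
        out_port = self.mac_table.get(dst_mac)
        if out_port is None:
            # Unknown destination (or broadcast): flood out every port except the source port
            return [p for p in self.ports if p != in_port]
        if out_port == in_port:
            # Destination lives on the receiving segment (e.g. behind a hub): filter, do not forward
            return []
        return [out_port]   # known unicast: forward only out the one learned port


def walk_through():
    """Replays the slide's sequence and returns what the switch did at each step."""
    sw = LearningSwitch(["E0/0", "E0/1", "E0/2", "E0/3"])
    host_a, host_b = "0200.0000.000a", "0200.0000.000b"   # constructed MACs
    hub_host = "0200.0000.00bb"                           # constructed: shares E0/1 with B via a hub
    first = sw.receive("E0/0", host_a, host_b)    # B unknown: flooded to E0/1, E0/2, E0/3
    reply = sw.receive("E0/1", host_b, host_a)    # A known: sent only out E0/0
    second = sw.receive("E0/0", host_a, host_b)   # both known: point-to-point, C and D see nothing
    filtered = sw.receive("E0/1", hub_host, host_b)  # B is on the same port: filtered
    return first, reply, second, filtered, dict(sw.mac_table)
```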
Forward/filter Table
Switch Forwarding and Filtering Decision
• Sample Switch Forwarding and Filtering Decision
Forwarding Decision with Two Switches
• Sample Forwarding Decision with Two Switches
Loop Avoidance
Redundant Links Without STP
• Network with Redundant Links but Without STP
Spanning Tree Protocol (IEEE 802.1D)
• The IEEE later created its own version of STP called 802.1D
• Three Classes of Problems Caused by Not Using STP in Redundant
LANs
• Broadcast storms
• MAC table instability
• Multiple frame transmission
STP Terminology
• Root bridge: the bridge with the best bridge ID
• BPDU: All the switches exchange information in Bridge Protocol Data
Units (BPDUs), which are used in the selection of the root switch and in the
subsequent configuration of the network
• Bridge ID: The bridge ID is how STP keeps track of all the switches in
the network. It is determined by a combination of the bridge priority
(32,768 by default on all Cisco switches) and the base MAC address.
The bridge with the lowest bridge ID becomes the root bridge in the
network.
STP Terminology
• Nonroot bridges: These are all bridges that are not the root bridge
• Port cost: Port cost determines the best path when multiple links are
used between two switches and none of the links is a root port. The
cost of a link is determined by the bandwidth of a link
• Root port: The root port is always the link directly connected to the
root bridge, or the shortest path to the root bridge.
• If more than one link connects to the root bridge, then a port cost is
determined by checking the bandwidth of each link. The lowest-cost port
becomes the root port.
• If multiple links have the same cost, the lowest port number will be used.
STP Terminology
• Designated port: one that has been determined as having the best
(lowest) cost. A designated port will be marked as a forwarding port.
• Nondesignated port: A nondesignated port is one with a higher cost
than the designated port. Nondesignated ports are put in blocking
mode—they are not forwarding ports
• Forwarding port: A forwarding port forwards frames
• Blocked port: A blocked port is the port that, in order to prevent
loops, will not forward frames. However, a blocked port will always
listen to frames.
Spanning Tree Operations
• STP’s job is to find all links in the network and shut down any redundant ones,
thereby preventing network loops from occurring
• STP accomplishes this by first electing a root bridge that will forward through all
ports and act as a point of reference for all other devices in the STP domain
• Once all switches agree on who the root bridge is, every bridge must find its one
and only allotted root port
• The root port is the link that provides the highest bandwidth (lowest cost) to the root
• It’s really important to remember that a bridge can go through many other bridges
to get to the root, meaning that it’s not always the shortest path but the fastest
(highest bandwidth) path that will be the one used.
• Obviously, every port on the root switch is a designated port, as you can get no
closer to the root than being the root
Selecting the Root Bridge
• The bridge ID is used to elect the root bridge in the STP domain and to
determine the root port for each of the remaining devices in the STP
domain
• This ID is 8 bytes long and includes both the priority and the MAC address of
the device
• The default priority on all devices running the IEEE STP version is 32,768
• If two switches or bridges happen to have the same priority value, the
MAC address becomes the tiebreaker for figuring out which one has
the lowest (best) ID
• You can change the bridge’s ID by lowering its priority so that it will become a
root bridge automatically
Role of the BID
Example STP Operations
• Switch A is the root bridge because it’s the one with the lowest bridge ID
• Switch B must shut down one of its ports connected to Switch A to prevent a
switching loop from occurring
• It will first check each link’s amount of bandwidth and then shut down the link with the
lowest bandwidth value
• If the bandwidth is the same, STP will typically shut down the higher of the port numbers, but not always
• Even though Switch B won’t transmit out the blocked port, it will still receive through it—
including BPDUs
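Root bridge election and root port selection as an added Python example (not from the slides). It builds the 8-byte bridge ID from the 2-byte priority (with the per-VLAN sys-id-ext that makes the slide's 24576 show as 24606) plus the base MAC, elects the lowest ID, and picks a root port by lowest cost with the lowest port number as tiebreaker. The switch names, MACs and link bandwidths are constructed; the cost table holds the 802.1D short costs the slide outputs show (19 for FastEthernet, 4 for GigabitEthernet).

```python
# 802.1D short path costs, indexed by link bandwidth in Mbps
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


def bridge_id(priority, mac, vlan=0):
    """8-byte bridge ID as an integer: (priority + sys-id-ext VLAN) << 48 | 6-byte base MAC.
    Lower value = better (more likely to become root)."""
    if priority % 4096:
        raise ValueError("configurable priority must be a multiple of 4096 with sys-id-ext")
    mac_int = int(mac.replace(".", "").replace(":", ""), 16)
    return ((priority + vlan) << 48) | mac_int


def displayed_priority(priority, vlan):
    """The value 'show spanning-tree' prints, e.g. 24576 + VLAN 30 -> 24606, 4096 + VLAN 1 -> 4097."""
    return bridge_id(priority, "0000.0000.0000", vlan) >> 48


def elect_root(switches, vlan=1):
    """switches: {name: (priority, base_mac)}. Returns the name with the lowest bridge ID;
    equal priorities fall through to the MAC address as the tiebreaker."""
    return min(switches, key=lambda n: bridge_id(switches[n][0], switches[n][1], vlan))


def root_port(uplinks):
    """uplinks: list of (port_number, bandwidth_mbps) links toward the root bridge.
    Returns (root_port_number, [blocked_port_numbers]): lowest cost wins, ties go to the
    lowest port number, every other uplink is put in blocking."""
    ranked = sorted(uplinks, key=lambda link: (PORT_COST[link[1]], link[0]))
    return ranked[0][0], [port for port, _ in ranked[1:]]


def scenario():
    """Constructed two-switch case: SwA and SwB at the default priority, then SwB lowered."""
    default = {"SwA": (32768, "0000.0c11.1111"), "SwB": (32768, "0000.0c22.2222")}
    lowered = {"SwA": (32768, "0000.0c11.1111"), "SwB": (4096, "0000.0c22.2222")}
    return elect_root(default), elect_root(lowered)
```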
Topology STP for Case Study 1#
• Changing the default priority is the best way to choose a root bridge.
This is important because you want the core switch (the one closest
to the center of your network) to be the root bridge in your network
so STP will converge quickly
Verify STP for Case Study 1#
• Verify Default STP
SW-1#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 00D0.584E.8355
Cost 19
Port 1(FastEthernet0/1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
for SW-1
Spanning tree enabled protocol ieee
Root ID Priority 4097
Address 00E0.F77D.A20B
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Spanning-Tree Port States
• Blocking: A blocked port won’t forward frames; it just listens to BPDUs. The
purpose of the blocking state is to prevent the use of looped paths. All ports are
in blocking state by default when the switch is powered up.
• Listening: The port listens to BPDUs to make sure no loops occur on the network
before passing data frames. A port in listening state prepares to forward data
frames without populating the MAC address table
• Learning: The switch port listens to BPDUs and learns all the paths in the
switched network. A port in learning state populates the MAC address table but
doesn’t forward data frames.
• Forwarding: The port sends and receives all data frames on the bridged port
• Disabled: A port in the disabled state (administratively) does not participate in
the frame forwarding or STP
STP Convergence
• Convergence occurs when all ports on bridges and switches have transitioned to
either forwarding or blocking modes
• No data will be forwarded until convergence is complete
• It usually takes 50 seconds to go from blocking to forwarding mode
3 Steps STP Convergence
Spanning Tree PortFast
• If you have a server or other device connected to your switch that you’re totally sure
won’t create a switching loop if STP is disabled
• You can use something called PortFast on these ports.
• Using it means the port won’t spend the usual 50 seconds coming up into forwarding mode while STP
is converging
SW-1>en
SW-1#config t
SW-1(config)#int f0/3
SW-1(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
STP Variants
PVST+ Extended Bridge ID
• Extended bridge ID with system ID (System ID = VLAN)
PVRST+ Implementation
PVRST+ Verification
SwitchX# show spanning-tree vlan 30
VLAN0030
Spanning tree enabled protocol rstp
Root ID Priority 24606
Address 00d0.047b.2800
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 24606 (priority 24576 sys-id-ext 30)
Address 00d0.047b.2800
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
-------- ----- --- --- -------- ----
Gi1/1 Desg FWD 4 128.1 P2p
Gi1/2 Desg FWD 4 128.2 P2p
Gi5/1 Desg FWD 4 128.257 P2p
Configuring Root and Secondary Bridges: Switch A
SwitchA(config)#spanning-tree vlan 1 root primary
This command will force the SwitchA as root for VLAN 1.
OR
Configuring Root and Secondary Bridges: Switch B
SwitchB(config)#spanning-tree vlan 2 root primary
This command will force the SwitchB as root for VLAN 2.
OR
Switch EtherChannel
EtherChannel
• Bundle the links and create a logical aggregation so that our multiple
links will then appear as a single one
• Cisco’s version is called Port Aggregation Protocol (PAgP) and the IEEE
802.3ad standard is called Link Aggregation Control Protocol (LACP)
EtherChannel
• EtherChannel Modes
Mode      | Protocol     | Description
Auto      | PAgP         | Sets the interface to respond to PAgP negotiation packets, but the
          |              | interface will not start negotiations on its own.
Desirable | PAgP         | Sets the interface to actively attempt to negotiate a PAgP connection.
On        | EtherChannel | Forces the connection to bring all links up without using a protocol to
          |              | negotiate connections. This mode can only connect to another device that
          |              | is also set to on. When using this mode, the switch does not negotiate the
          |              | link using either PAgP or LACP.
Active    | LACP         | Sets the interface to actively attempt to negotiate connections with other
          |              | LACP devices.
Passive   | LACP         | Sets the interface to respond to LACP data if it receives negotiation
          |              | requests from other systems.
EtherChannel
• Sample Configuration
Switch1> enable
Switch1# configure terminal
Switch1(config)# interface range fastethernet0/11 - 12
Switch1(config-if-range)# switchport mode access
Switch1(config-if-range)# switchport access vlan 10
Switch1(config-if-range)# channel-group 5 mode desirable
Switch1(config-if-range)# end
Switch2> enable
Switch2# configure terminal
Switch2(config)# interface range fastethernet0/1 - 2
Switch2(config-if-range)# switchport mode access
Switch2(config-if-range)# switchport access vlan 10
Switch2(config-if-range)# channel-group 2 mode auto
Switch2(config-if-range)# end
Switch Stacking and Chassis Aggregation
Traditional Access Switching Without Stacking
• Typical Campus Design: Access Switches and Two Distribution
Switches
• Access switches A1 through A4 all operate as separate devices
Switch Stacking of Access Layer Switches
• Switch stacking technology allows the network engineer to make that
stack of physical switches act like one switch
• Benefit of Switch Stacking:
• The stack would have a single management IP address
• The engineer would connect with Telnet or SSH to one switch (with that one
management IP address), not multiple switches
• One configuration file would include all interfaces in all four physical switches
• STP, CDP, VTP would run on one switch, not multiple switches
• The switch ports would appear as if all are on the same switch
• There would be one MAC address table, and it would reference all ports on all
physical switches
Stacking Cables Between Access Switches in the Same Rack
• If the four switches were all 2960XR switches, each would need one
stacking module, and four cables total to connect the four switches
Stack Acts Like One Switch
Cisco FlexStack and FlexStack-Plus
• Cisco created one stacking technology, called FlexStack, as part of the
introduction of the 2960-S model series
• Cisco later enhanced FlexStack with FlexStack-Plus, adding support
with products in the 2960-X and 2960-XR model series
• Below are the comparisons between FlexStack and FlexStack-Plus
Chassis Aggregation
• The term chassis aggregation refers to another Cisco technology used to
make multiple switches operate as a single switch
• From a big picture perspective, switch stacking is more often used and
offered by Cisco in switches meant for the access layer
• Chassis aggregation is meant for more powerful switches that sit in the
distribution and core layers
• Summarizing some of the key differences, chassis aggregation
• Typically is used for higher-end switches used as distribution or core switches
• Does not require special hardware adapters, instead using Ethernet interfaces
• Aggregates two switches
• Arguably is more complex but also more functional
Using EtherChannel and Different Line Cards
One Design Advantage of Aggregated Distribution Switches
• The right side of the figure shows the aggregated switch that appears as one switch to the
access layer switches. In fact, even though the uplinks connect into two different switches,
they can be configured as an EtherChannel through a feature called Multichassis
EtherChannel (MEC).
Advantages of using switch aggregation
• Multichassis EtherChannel (MEC): Uses the EtherChannel between the two
physical switches.
• Active/Standby Control Plane: Simpler operation for control plane because the
pair acts as one switch for control plane protocols: STP, VTP, EtherChannel, ARP,
routing protocols.
• Active/Active data plane: Takes advantage of the forwarding power of the supervisors
on both switches, with active Layer 2 and Layer 3 forwarding on the supervisors of
both switches. The switches synchronize their MAC and routing tables to
support that process.
• Single switch management: Simpler operation of management protocols by
running management protocols (Telnet, SSH, SNMP) on the active switch;
configuration is synchronized automatically with the standby switch.
Making Six Switches Act like Two
Switch Security
Switch Port Security
• Port Security: If you want to set up a switch port to allow only one host
per port, and to shut down the port if this rule is violated, use the
following commands
Switch#config t
Switch(config)#int f0/1
Switch(config-if)#switchport port-security ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode
<cr>
Switch#config t
Switch(config)#int f0/1
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
Port Security Sticky
Port Security Violation
• Actions When Port Security Violation Occurs
Port Security Configuration
• Port Security Configuration Example
interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security mac-address 0200.1111.1111
!
interface FastEthernet0/2
switchport mode access
switchport port-security
switchport port-security mac-address sticky
!
interface FastEthernet0/3
switchport mode access
switchport port-security
!
interface FastEthernet0/4
switchport mode access
switchport port-security
switchport port-security maximum 8
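The port-security behaviour configured in the two slides above (maximum 1 with violation shutdown, a static secure MAC on Fa0/1, sticky learning on Fa0/2, maximum 8 on Fa0/4), modelled as an added Python example that is not Cisco code. The MAC addresses other than 0200.1111.1111 are constructed; the "restrict" and "protect" modes are the other IOS violation modes, included here only as a drop-without-err-disable variant.

```python
class PortSecurity:
    """Model of switchport port-security on one access port (constructed, not IOS code)."""

    def __init__(self, maximum=1, violation="shutdown", static=(), sticky=False):
        self.maximum = maximum              # 'switchport port-security maximum N' (default 1)
        self.violation = violation          # "shutdown" (default) | "restrict" | "protect"
        self.secure = set(static)           # 'switchport port-security mac-address <mac>' entries
        self.sticky = sticky                # 'switchport port-security mac-address sticky'
        self.sticky_learned = []            # MACs that sticky mode would write to running-config
        self.err_disabled = False           # True once a shutdown-mode violation has occurred
        self.violations = 0

    def ingress(self, src_mac):
        """Return True if a frame from src_mac is accepted on this port, False if it is dropped."""
        if self.err_disabled:
            return False                    # port is down until an admin recovers it
        if src_mac in self.secure:
            return True                     # already a secure address
        if len(self.secure) < self.maximum:
            self.secure.add(src_mac)        # room left: learn it dynamically
            if self.sticky:
                self.sticky_learned.append(src_mac)
            return True
        # Table is full and this MAC is not secure: a violation
        self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True        # port goes err-disabled, like 'violation shutdown'
        return False                        # restrict/protect keep the port up but drop the frame


def fa0_1_scenario():
    """Fa0/1 from the slide: static MAC 0200.1111.1111, maximum 1, violation shutdown."""
    port = PortSecurity(static=["0200.1111.1111"])
    allowed = port.ingress("0200.1111.1111")
    intruder = port.ingress("0200.9999.9999")       # constructed second MAC on the same port
    after = port.ingress("0200.1111.1111")           # even the legitimate host is cut off now
    return allowed, intruder, after, port.err_disabled
```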
Securing Unused Switch Interfaces
• Cisco makes some general recommendations to override the default
interface settings to make the unused ports more secure, as follows:
• Administratively disable the interface using the shutdown interface
subcommand
• Prevent VLAN trunking by making the port a nontrunking interface using the
switchport mode access interface subcommand
• Assign the port to an unused VLAN using the switchport access vlan number
interface subcommand
• Set the native VLAN to not be VLAN 1, but to instead be an unused VLAN,
using the switchport trunk native vlan vlan-id interface subcommand
LAN Switch Interface Status Codes
BPDU Guard
• Disables a port if any BPDUs are received on the port
• The port is used only as an access port and is never connected to another switch
• Example configuration below: