06 Layer 2 Switch

Copyright © 2003 Chesapeake NetCraftsmen, Inc. Page 6-1

6-1Copyright © 2003, Chesapeake Netcraftsmen

6: Layer 2 – Switches


Objectives

• Upon completion of this chapter, the students will be able to:– Explain and demonstrate how switches learn and

use MAC addresses to forwarding Ethernet frames

– Describe why switches need Spanning Tree Protocol (STP) and key concepts relating to STP

– Configure a Cisco switch for management and basic port settings

– Explain VLANs and Trunks– Configure a Cisco switch for simple VLANs and

Trunks– Monitor and troubleshoot switches, STP, VLANs,

and trunks



Topics

• Switches and MAC Addresses• Spanning Tree Protocol• Working with Cisco switches• VLANs and Trunks


Bridges vs Switches

• Bridges were introduced by DEC in the 80’s as a low-cost, low-complexity way to improve network performance– Replace a hub with a bridge or a switch and now many PCs can

transmit at the same time

• Some people once thought bridges would replace routers– But they’re not “smart enough”: bridged networks don’t scale to large

sizes

• Bridges do reduce router count in campus networks, simplifying network management

• Switches are basically high speed bridges that can be partitioned into logical sub-bridges– VLANs (covered later) are how we partition a switch

• Logically, switches and bridges are the same– They both use the same MAC learning strategy and both use Spanning

Tree Protocol (STP)– We’ll cover these in the next slides



Switches Learn MAC Addresses

• A switch associates the source MAC addresses in a frame with the port a frame was received on

A B C D E

Source = MAC of A

Dest = MAC of E

Everything just powered on

Host A transmits a frame to Host E




A B C D E

Source = MAC of A

Dest = MAC of E

Switches B, C, D learn the MAC address of A and associate it with the port receiving the frame

MAC of A MAC of A MAC of A





A B C D E

Source = MAC of E

Dest = MAC of A

When a reply is sent, the switches learn the location of E (MAC of E and port received on)


MAC of E MAC of E MAC of E


Switches Selectively Forward

• If a switch has learned a MAC address, it forwards frames going to that MAC address out only the associated port

A B C D E

So when A and E communicate, frames are only sent out the appropriate ports


MAC of E MAC of E MAC of E



Switches Flood Other Traffic

• Switch flood traffic out all ports if they do not know where the destination MAC is– Unknown unicast MAC addresses– Multicasts– Layer 2 Broadcasts (MAC address ffff.ffff.ffff)

A B C D E

Source = MAC of A

Dest = MAC of H

What the H?

What the H?

What the H?



• Until the unknown unicast MAC address H replies, frames sent to H are flooded

• Once H replies, the switches can learn which port the frame from H was received on

A B C D E

Source = MAC of A

Dest = MAC of H

What the H?

What the H?

What the H?




• Broadcasts and multicasts are also flooded

A B C D E

Source = MAC of A

Dest = FFFF.FFFF.FFFF

Broadcast! Broadcast! Broadcast!


Collision and Broadcast Domains

• An Ethernet segment, or multiple segments with hubs and repeaters, form a collision domain– Two devices on such a segment will have a

collision if they transmit at the same time

• Each port of a bridge or switch is a separatecollision domain– May be a single device or multiple devices

attached to the switch via a hub

• The switch or collection of switches form a broadcast domain– Broadcasts flood all ports in the interconnected

bridges or switches



Topics



Switches and Redundant Links

• Consider what happens when there is a loop in the switch topology

Broadcast!




• Consider what happens when there is a loop in the switch topology

• Switches must flood the broadcast out every port other than the one it was received on…

Broadcast!



• And switches can’t say “I’ve seen this before”, they don’t “remember” frames

• So each flooded copy spawns more copies!

Broadcast!




Broadcast!


Need for Spanning Tree Protocol

• We see that if a loop is accidentally introduced into a bridge topology, any broadcast (multicast or unknown as well) will cause the network to get very busy

• Consequently, switches use Spanning Tree Protocol (STP) to detect and de-activate loops

• Side-effect: switches normally do not load balance when there are multiple, redundant links (routers can)



Spanning Tree Protocol

• Switch ports transition through a series of states:– Disabled– Blocking (20 seconds)– Listening (15 seconds)– Learning (15 seconds)– Forwarding

• Until link status is detected or a command entered, a switch port is disabled

• Once enabled, it is in blocking state, where no frames are forwarded out the port– This gives a chance for things to stabilize



• When a switch port transitions to the learning state, it starts learning MAC addresses

• It is also sending and receiving Bridge Protocol Data Units (BPDUs or Bridge Hellos)




• Switches gradually learn the identity of a Root Bridgefrom BPDUs– They start out thinking they’re Root, until they hear otherwise

• The Root Bridge advertises its identity and timers to other bridges in the BPDUs– Other bridges (to some extent) pass this information along

Root Switch



• (Without going into all the details…)• BPDUs advertise their best cost back to the Root Bridge• Each switch selects a port with the lowest cost back to the

Root Bridge– This is the Root Port

• For each LAN segment, one switch and switch port is chosen as the best path back to the Root Bridge– This is the Designated Port Root Switch

LAN Segment

Root Port Root Port

Designated Port




• Frames are forwarded (sent out) only on the root or designated ports of switches– Forwarding ports

• Other ports do not forward frames– Blocking ports– BPDUs are still received on blocking ports, in case

changes are needed

B B

Root Switch

B B

BB B



• This connects every LAN and switch by exactly one path back to the Root Bridge– Hence each LAN is connected to every other LAN by

exactly one path– However, it might not be the shortest possible path

between the LANs

B B

Root Switch

B B

BB BX

Actual path used



Change and STP

• When there’s a change, switches in principle repeat the Blocking, Listening, Learning cycle– It takes about 50 seconds to find a new path

• Cisco and other vendors sometimes have clever optimizations to improve this Layer 2 Convergence time– If you’ve got them, use them!– Explaining these is beyond the scope of this course


Topics

• Switches and MAC Addresses• Spanning Tree Protocol• Working with Cisco switches

– CLI– Management address, management vlan

and default gateway– Port settings– Passwords– Key show commands

• VLANs and Trunks



Switch Operating Systems

• Cisco switches have one of two operating systems– Catalyst OS or CatOS: uses set commands– Cisco IOS: uses commands similar to those on a router

• Catalyst 4000 with Supervisor 2, Catalyst 5000, 5500, 6000, 6500 switches generally use CatOS– Cisco is working on “native IOS” for the newer models

• Inexpensive switches from other vendors may well be unmanageable– No SNMP– Hard to manage multiple switches

• Other vendors’ manageable switches of course have their own command interfaces


Configuring Cisco IOS-Based Switches

• The Catalyst 1900 and 2900 XL series switches use Cisco IOS– 1900 switches also have a menu interface– Press K to get to the command line

• Connect to the switch console port to issue commands or to configure it– Similar to connecting to a router

• Switch status lights– The switch lights normally indicate if a port is

forwarding, blocking (yellow), or has errors (blinking yellow)

– Press the 2900 XL switch mode button to check switch utilization, 10/100 status, or duplex status



Switch Global Configuration Commands

• Switches are configured like routers for:– Hostname– IP host table– Enable password or enable secret– DNS server address or disabling DNS

no service password-encryption

hostname Switch

enable password cisco

no ip domain-lookup

ip host pc 192.168.1.205


Managing a Switch

• To allow telnet and SNMP management access to a switch, you need to give the switch one IP address, subnet mask, and default gateway– Similar to setting up a new PC

• Specify the VLAN the management interface is to be in– Has to be VLAN 1 on older Cisco IOS versions– We’ll explain VLANs later in this chapter

• Configure the address and default gateway as follows:

interface VLAN1

ip address 192.168.2.100 255.255.255.0

ip default-gateway 192.168.2.202



Switch Line Configuration Commands

• Switch asynchronous (terminal) lines are also configured like the router, for:– Login and password

– Exec-timeout

• Switches may not have an AUX port

line con 0

password cisco

login

line vty 0 4

exec-timeout 15 30

password cisco

login


Switch Port Configuration Commands

• Cisco IOS based switches refer to interfaces rather than ports

• Interface switching Layer 2 commands start with the words:– Port– Switchport– Spanning-tree

• These aren’t needed for basic switch operation• Unless the switch is Layer 3 capable, you do not put

addresses on switch interfaces– We’ll see that each active router interface needs its own IP address

interface FastEthernet0/1

description This port connects to the Colonel’s PC!

no shutdown



Switch Port Configuration Commands

• To override auto-negotiation, you can configure speed and duplex-ness on the interface– This is generally done for switch ports connecting to

servers or routers or other important devices– Configure “duplex auto” and “speed auto” to restore

auto-negotiation

interface FastEthernet0/1

speed 100

duplex full


Switch Show Commands

Switch#show version

Cisco Internetwork Operating System Software

IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5)XU, RELEASE SOFTWARE (fc1)

Copyright (c) 1986-2000 by cisco Systems, Inc.

Compiled Mon 03-Apr-00 16:37 by swati

Image text-base: 0x00003000, data-base: 0x00301398

ROM: Bootstrap program is C2900XL boot loader

Switch uptime is 40 minutes

System returned to ROM by power-on

System image file is "flash:c2900XL-c3h2s-mz-120.5-XU.bin"

(etc.)

Similar to this command on a router




• “Show ip int brief” shows the management address and VLAN, also shows status of the switch ports (interfaces)

Switch#show ip int brief

Interface IP-Address OK? Method Status Protocol

VLAN1 192.168.2.100 YES NVRAM up up

FastEthernet0/1 unassigned YES unset up up




FastEthernet0/5 unassigned YES unset down down



• “Show ip arp” shows the ARP table– Think of this as being like a PC’s ARP table

• Not to be confused with the learned MAC address table

Switch#show ip arp

Protocol Address Age (min) Hardware Addr Type Interface

Internet 192.168.2.100 - 0003.6ba1.6680 ARPA VLAN1

Internet 192.168.2.202 47 0003.e327.9ea6 ARPA VLAN1

Internet 192.168.2.200 47 0010.7b1b.730c ARPA VLAN1




Switch#show ip int

VLAN1 is up, line protocol is up

Internet address is 192.168.2.100/24

Broadcast address is 255.255.255.255

Address determined by non-volatile memory

MTU is 1500 bytes

Helper address is not set

Directed broadcast forwarding is disabled

Outgoing access list is not set

Inbound access list is not set

Proxy ARP is enabled

Security level is default

Split horizon is enabled

(etc.)

Similar to this command on a router, shows IP address and subnet mask



Switch#show mac

Dynamic Address Count: 4

Secure Address Count: 0

Static Address (User-defined) Count: 0

System Self Address Count: 47

Total MAC addresses: 51

Maximum MAC addresses: 2048

Non-static Address Table:

Destination Address Address Type VLAN Destination Port

------------------- ------------ ---- -------------------

0003.e327.9ea6 Dynamic 1 FastEthernet0/4

0010.7b1b.730c Dynamic 1 FastEthernet0/3

0050.0429.37cb Dynamic 1 FastEthernet0/1

00b0.6452.2319 Dynamic 1 FastEthernet0/2

Displays learned MAC addresses and ports




Switch#show spanning-tree

Spanning tree 1 is executing the IEEE compatible Spanning Tree protocol

Bridge Identifier has priority 32768, address 0003.6ba1.6680

Configured hello time 2, max age 20, forward delay 15

We are the root of the spanning tree

Topology change flag not set, detected flag not set, changes 2

Times: hold 1, topology change 35, notification 2

hello 2, max age 20, forward delay 15

Timers: hello 1, topology change 0, notification 0

(continued…)

Displays spanning tree information



Interface Fa0/1 (port 13) in Spanning tree 1 is FORWARDING

Port path cost 19, Port priority 128

Designated root has priority 32768, address 0003.6ba1.6680

Designated bridge has priority 32768, address 0003.6ba1.6680

Designated port is 13, path cost 0

Timers: message age 0, forward delay 0, hold 0

BPDU: sent 1101, received 0

Interface Fa0/2 (port 14) in Spanning tree 1 is FORWARDING

Port path cost 100, Port priority 128

Designated root has priority 32768, address 0003.6ba1.6680

Designated bridge has priority 32768, address 0003.6ba1.6680

Designated port is 14, path cost 0

Timers: message age 0, forward delay 0, hold 0

BPDU: sent 1305, received 0




Switch#show int fa 0/1

FastEthernet0/1 is up, line protocol is up

Hardware is Fast Ethernet, address is 0003.6ba1.6681 (bia0003.6ba1.6681)

Description: This port connects to the Colonel’s PC!

MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

Keepalive not set

Auto-duplex (Full), Auto Speed (100), 100BaseTX/FX

ARP type: ARPA, ARP Timeout 04:00:00

Last input never, output 00:00:01, output hang never

Last clearing of "show interface" counters never

(etc.)

Similar to what you see on a router


Topics




VLANs

• Switches normally flood broadcasts (multicasts and unknown unicasts) out all ports– In big campus networks with many users, the high volume of such

flooded traffic is undesirable

• VLANs allow us to partition a switch into groups of ports for flooding purposes– Smaller broadcast domains!

• As we’ll see in the next chapter, each VLAN is a different subnet– Routers required to go between VLANs– Therefore VLANs divide switch ports into “security zones”

VLAN 2 VLAN 3 VLAN 4


VLANs

• VLANs limit the spread of broadcasts or of layer 2 problems (jabbering NIC card, etc.)

Broadcast! XXXXXXXX



Trunks

• On a single switch, the switch can tell what VLAN to flood a broadcast (etc.) in by which port the broadcast was received on

• When you have multiple switches, what do you do?

??? ??? ???

What VLAN is it in???


Trunks

• You could use a separate cable to carry each VLAN to the other switch– That rapidly gets expensive in terms of cabling tangle

and number of switch ports used up

• Alternative: put a VLAN number or tag field into the Ethernet frame header on the link between switches

• Make the inter-switch link a member of all VLANs

VLAN 2 VLAN 2

Trunk

VLAN 2



Trunks

• Cisco-proprietary format: ISL trunks– Inter-Switch Link

• Standard: 802.1Q trunks– 12 bits for VLAN ID– 3 bits for user priority– Etc.

Ethernet Frame Header

802.1Q header

Layer 3 Header and Payload

Ethernet type code indicates presence of

the extra 802.1Q bytes


802.1Q

• Frames received on 802.1Q trunks are in a “native VLAN” if they do not have the 802.1Q header inserted– Determined by the port the frame is received on

• Otherwise, if the 802.1Q header is present, the VLAN ID in it determines the VLAN

VLAN 2 VLAN 2

TrunkVLAN 3

No 802.1Q info hence in VLAN 2



Trunks and STP

• Cisco runs a separate copy of STP for each ISL VLAN– Per VLAN Spanning Tree (PVST)– Enhanced to work with mixed ISL and 802.1Q:

PVST+

• 802.1Q– Initially allowed only one Spanning Tree

• CST = Common Spanning Tree

– Now you can specify which VLANs use which Spanning Tree

• MST = Multiple Spanning Tree• Some Cisco or other documents may have used MST to

refer to Mono Spanning Tree


Dynamic Trunking Protocol

• Cisco switches use DTP, Dynamic Trunking Protocol, to negotiate:– Whether a link should become trunking– What trunking protocol (ISL or 802.1Q) to use on

the link

• “Auto” negotiation for DTP will not result in trunking– Both ends wait for the other to initiate trunking– Set one end to “desirable” or “on”

• Auto selection of protocol may not work– We recommend setting the trunking protocol

manually



Cisco VTP

• When you create a VLAN on a Cisco switch, you usually assign it a number and optionally a name and other parameters

• To (allegedly) make this easier and more consistent, Cisco invented VTP to pass this information to other switches in the same “VTP domain”– VTP stands for VLAN Trunking Protocol

– VTP operates across trunks

• Create or delete a VLAN on a switch that’s a VTP server, and it propagates throughout the VTP domain– Switches are VTP servers by default

• Ports belonging to a deleted VLAN are disabled!


Cisco VTP

Create an Ethernet VLAN 52 named “Unsecure”

VTP

Automatically creates an Ethernet VLAN 52 named “Unsecure”

Switches in same VTP domain

Trunk



Cisco VTP

• To make this more challenging, Cisco IOS-based switches have a “vlan database” mode for configuring VTP and creating VLANs– VLAN defaults are a NULL domain name and server mode

• This information is saved separately from the configuration file– Confusing!

– The usual tools don’t work well with this scheme!

• In recent IOS versions, using a VLAN 12 in configuration mode also creates it with default name VLAN0012

• In the newest versions of the Cisco IOS for the switches, all this will be part of configuration mode


VLAN Database Mode

Switch#vlan database

Switch(vlan)#?

VLAN database editing buffer manipulation commands:

abort Exit mode without applying the changes

apply Apply current changes and bump revision number

exit Apply changes, bump revision number, and exit mode

no Negate a command or set its defaults

reset Abandon current changes and reread current database

show Show database information

vlan Add, delete, or modify values associated with a single VLAN

vtp Perform VTP administrative functions.

Switch(vlan)#



Configuring VTP

Switch(vlan)#vtp ?

client Set the device to client mode.

domain Set the name of the VTP administrative domain.

password Set the password for the VTP administrative domain.

pruning Set the administrative domain to permit pruning.

server Set the device to server mode.

transparent Set the device to transparent mode.

v2-mode Set the administrative domain to V2 mode.

Switch(vlan)#vtp domain MyDomain

Changing VTP domain name from NULL to MyDomain

Switch(vlan)#

Assign the switch to a VTP domain

named “MyDomain”

Most options are rarely used


Creating a VLAN

Switch(vlan)#vlan ?

<1-1005> ISL VLAN index

Switch(vlan)#vlan 52 ?

…

name Ascii name of the VLAN

parent ID number of the Parent VLAN of FDDI or Token Ring typeVLANs

ring Ring number of FDDI or Token Ring type VLANs

said IEEE 802.10 SAID

state Operational state of the VLAN

ste Maximum number of Spanning Tree Explorer hops for this VLAN

…

<cr>

Switch(vlan)#vlan 52 name unsecure

VLAN 52 modified:

Name: unsecureCreate VLAN 52

and name it “unsecure”

Most of the options are rarely used



Deleting a VLAN

Switch(vlan)#no vlan 12

Deleting VLAN 12...

Switch(vlan)#


VLAN Database Mode

• When you exit VLAN database mode, the changes are committed

• The VTP version number is incremented

• If the switch is a VTP server, the revised VLAN information is sent to the rest of the VTP domain



Putting a Port in a VLAN

• To put a port into one specific unchanging VLAN:– Set the interface to access mode– Specify the VLAN for the interface

Switch(config)#int fast 0/5

Switch(config-if)#switchport mode access

Switch(config-if)#switchport access vlan 52


Setting a Port to Trunking

• To make a port trunking:– Specify trunking mode– (Optional) Set the port trunking

encapsulation

Switch(config-if)#switchport mode trunk

Switch(config-if)#switchport trunk encaps ?

dot1q Interface uses only 801.1q trunking encapsulation when trunking

isl Interface uses only ISL trunking encapsulation when trunking

Switch(config-if)#switchport trunk encaps dot1q



VTP and VLAN Show Commands

Switch(vlan)#show

VLAN ISL Id: 1

Name: default

Media Type: Ethernet

VLAN 802.10 Id: 100001

State: Operational

MTU: 1500

Translational Bridged VLAN: 1002

Translational Bridged VLAN: 1003

VLAN ISL Id: 2

Name: VLAN0002

Media Type: Ethernet

VLAN 802.10 Id: 100002

…

Note we’re in VLAN database

mode here



Switch#show vlan

VLAN Name Status Ports

---- ------------------- --------- -------------------------------

1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4,

Fa0/9, Fa0/10, Fa0/11, Fa0/12,

Fa0/13, Fa0/14, Fa0/15, Fa0/16,

Fa0/17, Fa0/18, Fa0/19, Fa0/20,

Fa0/21, Fa0/22, Fa0/23, Fa0/24

2 VLAN0002 active

…

6 VLAN0006 active Fa0/6

…

52 unsecure active

…

1002 fddi-default active

1003 token-ring-default active

1004 fddinet-default active

1005 trnet-default active

...




Switch#show vtp ?

counters VTP statistics

status VTP domain status

Switch#show vtp status

VTP Version : 2

Configuration Revision : 0

Maximum VLANs supported locally : 68

Number of existing VLANs : 19

VTP Operating Mode : Transparent

VTP Domain Name : MyDomain

VTP Pruning Mode : Disabled

VTP V2 Mode : Disabled

VTP Traps Generation : Disabled

MD5 digest : 0xF3 0x35 0xC1 0x9E 0xF7 0x0B 0x0F 0x20

Configuration last modified by 192.168.2.100 at 3-1-93 02:55:31



Switch#show int fa 0/1 switchport

Name: Fa0/1

Switchport: Enabled

Administrative mode: static access

Operational Mode: static access

Administrative Trunking Encapsulation: isl

Operational Trunking Encapsulation: isl

Negotiation of Trunking: Disabled

Access Mode VLAN: 1 (default)

Trunking Native Mode VLAN: 1 (default)

Trunking VLANs Enabled: NONE

Pruning VLANs Enabled: NONE

Priority for untagged frames: 0

…

Access mode means the port is not

trunking but assigned to a single VLAN

Interface is in VLAN 1




Switch#show int fa 0/5 switchport

Name: Fa0/5

Switchport: Enabled

Administrative mode: trunk

Operational Mode: trunk

Administrative Trunking Encapsulation: dot1q

Operational Trunking Encapsulation: dot1q

Negotiation of Trunking: Disabled

Access Mode VLAN: 0 ((Inactive))

Trunking Native Mode VLAN: 1 (default)

Trunking VLANs Enabled: ALL

Trunking VLANs Active: 1-8,11,13-16,52,141

Pruning VLANs Enabled: 2-1001

802.1Q trunking on

this port

Native VLAN 1


Review Questions

• What is the main function of a bridge or switch?– Learn MAC addresses and base Layer 2 frame forwarding on the

MAC/port table

• What is the main drawback of bridges and switches– Layer 2 only scales to a certain extent– Routers provide better security and also other Layer 3 services– Routers or Layer 3 switches control broadcast traffic and layer 2

problems

• What cabling problem do switches have to guard against, and how do they do this?– Loops, Spanning Tree Protocol (STP)

• A connection between two switches carrying multiple VLANs between the switches is called what? What encapsulations can be used there?– A trunk. 802.1q or Cisco ISL.



Summary

• Having completed this chapter, the students should now be able to:– Explain and demonstrate how switches learn and

use MAC addresses to forwarding Ethernet frames

– Describe why switches need Spanning Tree Protocol (STP) and key concepts relating to STP

– Configure a Cisco switch for management and basic port settings

– Explain VLANs and Trunks– Configure a Cisco switch for simple VLANs and

Trunks– Monitor and troubleshoot switches, STP, VLANs,

and trunks


References

CCIE Professional Development: Cisco LAN Switching– Kennedy Clark, Kevin Hamilton, Cisco Press,

ISBN: 1578700949, 926 pages

06 Layer 2 Switch

Documents