
07 0197 ch06   11/21/03   11:36 AM   Page 103

6  Cisco Layer 2 Switching

Terms you'll need to understand:
  Spanning Tree Protocol
  Store-and-forward switching
  Fragment-free switching
  Cut-through switching
  Virtual Local Area Network (VLAN)
  VLAN ID
  VLAN Trunking Protocol (VTP)

Techniques you'll need to master:
  Filtering and forwarding frames
  Preventing loops
  Discovering MAC addresses
  Frame tagging
  Inter-switch link


Chapter 3, Hardware and the OSI Model, presented the evolution of the
switch, as we know it today. Here, we will present switching technology, as
Cisco views it. Many of the features and protocols we will be talking about
are proprietary to Cisco or pioneered by Cisco. Therefore, even if you feel
you know the technology, read this chapter carefully. Switching is a major
product technology for Cisco and you will see more than a few questions on
the test that relate directly to this chapter.

Layer 2 Switching Technology


Remember from earlier chapters that switches operate at Layer 2 of the
Open Systems Interconnection (OSI) model.
Cisco has applied switching technology to some of their Layer 3 and Layer 4 products. Because of this, you will sometimes hear people refer to Layer 3 and Layer 4
switches. The CCNA exam, however, only covers Layer 2 switches. Therefore, when
you see the term switch, assume it is a Layer 2 device.

The technology upon which Layer 2 switches operate is the same as that
provided by Ethernet bridges. The basic operation of a switch involves the
following:
Discovering Media Access Control (MAC) addresses
Filtering or forwarding frames
Preventing loops

Discovering MAC Addresses


Like a bridge, a switch monitors the source address of every frame that passes
through it to learn the MAC addresses of the devices connected to each of its
ports. This information is stored in a database called a filter table (also
called the MAC address table). The switch consults the filter table each time it
receives a frame to determine whether to forward the frame to a different port
or to drop it.
When the switch is first booted, the filter table is empty. Forwarding or
filtering decisions cannot be made with an empty database, so initially each
incoming frame is sent out all of the switch's ports except the one it arrived
on. This is called flooding the frame. As frames arrive, the switch learns their
source MAC addresses and associates each one with the port on which it was seen.


This address-learning process is a continual operation of the switch. Each MAC
database entry is stored in memory and is valid only for a preset interval, the
aging time. If a new frame from that address does not refresh the entry before
the interval expires, the entry is discarded.

Filtering and Forwarding


Each time the switch receives a frame, it examines the destination MAC address.
If the address exists in the MAC database, the frame is forwarded only through
the port associated with that address; if that port is the one the frame arrived
on, the frame is simply dropped. Either way, the segments on the other ports are
spared the bandwidth the frame would have consumed. This is known as frame
filtering.
Whenever the destination MAC address is unknown, the frame is flooded to all
ports except the one it arrived on. This is undesirable because it wastes
bandwidth, and it also delivers the frame to every attached segment, including
ones the intended recipient is not on.
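The learning, filtering, flooding and aging behaviour just described, as an added example (not code from the chapter): a small Python simulation of a switch's filter table. The port numbers, the 300-second aging time, the deliberately small table capacity and the MAC addresses are assumptions. The capacity limit is there to show the failure mode the text hints at: once the table is full, new addresses are not learned, so frames to them keep being flooded to every port.

```python
"""Toy learning switch: MAC learning, filtering, flooding and aging.

Added example, not from the chapter. Port count, aging interval, table
capacity and the MAC addresses used below are assumptions for the demo.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the low bit of the first octet set."""
    return bool(int(mac.split(":")[0], 16) & 1)


@dataclass
class LearningSwitch:
    ports: int
    aging_secs: float = 300.0      # Catalyst default MAC aging time is 300 s
    capacity: int = 8              # hypothetical, deliberately small filter table
    table: dict = field(default_factory=dict)   # mac -> (port, last_seen)

    def _expire(self, now: float) -> None:
        """Discard entries that no frame has refreshed within aging_secs."""
        stale = [m for m, (_, seen) in self.table.items()
                 if now - seen > self.aging_secs]
        for m in stale:
            del self.table[m]

    def _learn(self, src: str, port: int, now: float) -> None:
        """Learn or refresh the source MAC. A full table learns nothing new,
        so traffic to unlearned hosts keeps being flooded (fail-open)."""
        if src in self.table or len(self.table) < self.capacity:
            self.table[src] = (port, now)

    def receive(self, port: int, src: str, dst: str, now: float) -> list:
        """Return the egress ports for a frame arriving on `port` at time `now`."""
        self._expire(now)
        if not is_group_address(src):
            self._learn(src, port, now)
        others = [p for p in range(self.ports) if p != port]
        if is_group_address(dst):          # broadcast/multicast: always flooded
            return others
        entry = self.table.get(dst)
        if entry is None:                  # unknown unicast: flooded
            return others
        out_port, _ = entry
        if out_port == port:               # destination sits on the ingress segment: filtered
            return []
        return [out_port]
```

receive() returns the egress ports instead of sending anything, so each decision can be checked directly: the first frame to an unknown host goes everywhere, the reply goes to exactly one port, traffic between two hosts on the same port is filtered, and an entry that nothing refreshes for longer than the aging time is forgotten and its host is flooded to again.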

Preventing Loops
Both bridges and switches introduce the possibility of creating a bridged network with multiple paths to a single destination. Typically, this type of
redundancy is considered favorable, but for switches and bridges it can cause
problems in the form of bridging loops, which occur when circular connections exist in a bridged network. Figure 6.1 illustrates a bridged network with
bridging loops.
Bridges and switches provide a bridging function. Although we will use the term
bridge in this discussion, the concept of bridging loops applies equally to switches.

For example, suppose a host on physical segment 2 sends a broadcast. Bridges B
and C both forward it to physical segment 3. Bridge A then receives two copies
and forwards both to physical segment 1, where bridge D has already forwarded
the original broadcast as well. Bridge D then receives the two copies forwarded
by bridge A and forwards them back to physical segment 2, and the cycle repeats.
This endless forwarding of broadcast frames wastes bandwidth. In more complex
bridged networks the copies multiply exponentially, producing what is termed a
broadcast storm: so many broadcasts are being continuously forwarded that they
consume all the available bandwidth. The Spanning Tree Protocol eliminates
bridging loops by blocking the redundant connections so that no circular path
remains active.


Figure 6.1 Switches and bridges can create loops if improperly positioned. (Figure: a logical LAN made of physical segments 1, 2 and 3 joined by bridges A, B, C and D.)

Spanning Tree Protocol


The Spanning Tree Protocol creates a loop-free network topology by placing
connections that create loops in a blocking state. It is important to note that
this protocol does not eliminate loops but rather only blocks the connections
that create the loops. Loops in a network often provide needed redundancy in
the case of a physical connection being disconnected. The Spanning Tree
Protocol maintains the benefits of redundancy while eliminating the disadvantages of looping. To illustrate how the Spanning Tree Protocol functions,
we will use the bridged network shown earlier in Figure 6.1.
The Spanning Tree Protocol selects a root bridge in the network (in this
case, bridge A).

Determining the Root Bridge

When a network using multiple bridges and the Spanning Tree Protocol starts, the
bridges automatically broadcast their bridge IDs. The bridge ID is a combination
of an assigned priority value and the bridge's MAC address. The bridge with the
lowest priority number assumes the role of root bridge. If two or more bridges
have the same priority number, the one with the lowest MAC address becomes the
root bridge.


Next, every other bridge selects the one of its ports with the least path cost to
the root bridge as its root port. The root path cost is the sum of the costs of
every link between that bridge and the root bridge. Link costs can be determined
in several ways (by default they are derived from link speed); in this example
we have arbitrarily assigned a cost to each path. Next, designated bridges are
determined. A designated bridge is the bridge on each LAN with the lowest
aggregate root path cost. It's the only bridge allowed to forward frames onto
that LAN. Figure 6.2 illustrates our network with the root path cost assigned
to each bridge interface.

Figure 6.2 The root path cost for each bridge interface.

By applying the Spanning Tree Protocol, we block the connection between bridge
C and physical segments 2 and 3, because bridge D and bridge B both have lower
aggregate root path costs to the root bridge (bridge A). We also block the
connection between bridge D and physical segment 2, because bridge B has a
lower root path cost than bridge D. Figure 6.3 illustrates our bridged network
after the Spanning Tree Protocol has been applied. Note that the connections
between bridge C and physical segments 2 and 3 are blocked, as is the
connection between bridge D and physical segment 2. We now have no circular
paths in our network, but we keep the redundancy, because the Spanning Tree
Protocol runs again whenever a bridge is powered up or the topology changes.
If, for example, the connection between bridge B and physical segment 2 is
broken, the Spanning Tree Protocol would run again and unblock the connection
between bridge D and physical segment 2.
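The election, root path cost and designated-bridge steps above, carried out in code for the Figure 6.1 topology. This is an added example, not part of the chapter: the bridge IDs and per-port path costs are assumed (Figure 6.2's values are not reproduced here) and were picked so that bridge A is root, bridge B is designated on segment 2, and the segment-2 ports of bridges C and D end up blocked, as the text describes. It computes standard STP port roles, which differ slightly from the chapter's shorthand: bridge C's port on segment 3 is its root port and stays in forwarding, but because C's only other port is blocked, no user traffic crosses C. A second run with the B-to-segment-2 link removed shows bridge D taking over as designated bridge, and a final check shows that the election simply believes whatever priority a bridge advertises.

```python
"""Spanning Tree root election, root path costs and port roles for the
bridged network of Figure 6.1.

Added example, not from the chapter. Bridge priorities, MAC addresses and
per-port path costs are assumptions (the costs of Figure 6.2 are not
available here), chosen so that the result matches the chapter's text.
"""
import heapq

# Figure 6.1: each bridge joins two physical segments. The value is the
# path cost of that port, i.e. what it costs to reach the root through it.
PORTS = {
    "A": {"seg1": 10, "seg3": 10},
    "B": {"seg3": 10, "seg2": 10},
    "C": {"seg3": 20, "seg2": 15},
    "D": {"seg1": 15, "seg2": 10},
}
# Bridge ID = (priority, MAC). Lowest ID wins; equal priorities fall
# through to the lowest MAC, so A becomes root here.
BRIDGE_ID = {
    "A": (32768, "00:00:0c:00:00:01"),
    "B": (32768, "00:00:0c:00:00:02"),
    "C": (32768, "00:00:0c:00:00:03"),
    "D": (32768, "00:00:0c:00:00:04"),
}


def elect_root(bridge_ids: dict) -> str:
    """The root is simply the bridge advertising the lowest (priority, MAC)."""
    return min(bridge_ids, key=bridge_ids.get)


def spanning_tree(ports: dict, bridge_ids: dict):
    """Return (root, root_path_cost, designated, roles).

    root_path_cost: bridge -> cost of its best path to the root
    designated:     segment -> bridge allowed to forward onto that segment
    roles:          (bridge, segment) -> 'designated' | 'root' | 'blocked'
    """
    root = elect_root(bridge_ids)
    rpc, root_port = {root: 0}, {}
    # Dijkstra from the root: a bridge offers its own cost on every segment it
    # touches, and a neighbour reached through that segment pays its port cost
    # on top. Popping by (cost, bridge ID) gives STP's tie-break for free.
    heap, done = [(0, bridge_ids[root], root)], set()
    while heap:
        cost, _, b = heapq.heappop(heap)
        if b in done:
            continue
        done.add(b)
        for seg in ports[b]:
            for nb, nb_ports in ports.items():
                if nb == b or seg not in nb_ports:
                    continue
                cand = cost + nb_ports[seg]
                if cand < rpc.get(nb, float("inf")):
                    rpc[nb], root_port[nb] = cand, seg
                    heapq.heappush(heap, (cand, bridge_ids[nb], nb))
    segments = {seg for p in ports.values() for seg in p}
    designated = {
        seg: min((b for b in ports if seg in ports[b] and b in rpc),
                 key=lambda b: (rpc[b], bridge_ids[b]), default=None)
        for seg in segments
    }
    roles = {}
    for b, b_ports in ports.items():
        for seg in b_ports:
            if b not in rpc:                  # no path to the root at all
                roles[(b, seg)] = "blocked"
            elif designated[seg] == b:
                roles[(b, seg)] = "designated"
            elif root_port.get(b) == seg:
                roles[(b, seg)] = "root"
            else:
                roles[(b, seg)] = "blocked"
    return root, rpc, designated, roles


def without_port(ports: dict, bridge: str, seg: str) -> dict:
    """Topology after the link between `bridge` and `seg` fails."""
    return {b: {s: c for s, c in p.items() if not (b == bridge and s == seg)}
            for b, p in ports.items()}
```

With these costs the run gives root path costs A=0, B=10, D=15, C=20, bridge A designated on segments 1 and 3 and bridge B designated on segment 2; removing B's segment-2 port makes D (cost 15) the designated bridge there, exactly the recovery the text describes.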

Figure 6.3 A bridged network with Spanning Tree Protocol.

Cisco LAN Switching Methods


All the switching methods used by Cisco switches provide increased
throughput in comparison to bridges. The hardware-based architectures of
switches allow them to make decisions at wire speeds. The primary difference between the various methods is the process each uses to switch frames.
Frames have been consistently used to represent Layer 2 data messages in this chapter. The term cells can also be used to identify Layer 2 data messages. This term is
used when referring to data traffic using the Asynchronous Transfer Mode (ATM)
technology. The CCNA exam does not cover this technology, so only frames have been
presented in this chapter to simplify the concepts.

Store-and-Forward Switching
In store-and-forward switching mode, the switch reads the entire incoming frame
and copies it into its buffers. After the frame has been completely read, the
switch performs the Layer 2 cyclic redundancy check (CRC) to determine whether
an error occurred during transmission. If the frame has an error, the switch
drops it. If no error is found, the switch checks its forwarding table to
determine the proper port (in the case of a unicast) or ports (in the case of a
multicast) to which the frame must be forwarded.


Store-and-forward switches have the highest latency of any switching mode,
because the switch must read the entire frame before making a forwarding
decision. The added error checking of store-and-forward switching, however,
means that corrupted frames are dropped rather than forwarded.

Cut-Through Switching
Cut-through switches introduce a lower level of latency during the switching process than store-and-forward switches do, mainly because the frame is
forwarded as soon as the destination address and outgoing interface are
determined. They achieve increased performance by eliminating the error
checking and making forwarding decisions based only on the first six bytes
of the incoming frame. (These first six bytes contain the destination MAC
address of the frame.) Cut-through switches read the destination address of
the incoming frame and immediately check the forwarding table to determine the proper destination ports. This increased performance does, however, allow erred frames to be forwarded more often than store-and-forward
switches do.

Fragment-Free Switching
Fragment-free switching is a modification to the cut-through switching
method. Like cut-through switches, fragment-free switches read only a portion of the frame before beginning the forwarding process. The difference is
that fragment-free switches read the first 64 bytes, which is enough to check
the frame for collisions. This allows for better error checking than with cutthrough switches, with a minimal loss in latency.
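The three switching modes side by side, as an added example not taken from the chapter. The frames below are constructed, and the Ethernet FCS is computed with CRC-32 (Python's zlib.crc32 uses the same polynomial; the FCS goes on the wire least-significant byte first). Each mode returns its decision and how many bytes it had to read before making it: store-and-forward catches a bit error anywhere in the frame, fragment-free catches only collision fragments shorter than 64 bytes, and cut-through catches nothing.

```python
"""How much of a frame each Cisco switching mode examines before it decides.

Added example, not from the chapter. The frames are constructed here; the
Ethernet FCS is CRC-32 (the polynomial zlib.crc32 implements), transmitted
least-significant byte first.
"""
import zlib

MIN_FRAME = 64     # smallest legal Ethernet frame incl. FCS; anything shorter is a collision fragment
DST_LEN = 6        # the destination MAC is the first 6 bytes of the frame


def build_frame(dst: bytes, src: bytes, payload: bytes, ethertype: int = 0x0800) -> bytes:
    """Destination, source, EtherType, payload padded to the minimum, then FCS."""
    body = dst + src + ethertype.to_bytes(2, "big") + payload
    body = body.ljust(MIN_FRAME - 4, b"\x00")
    return body + zlib.crc32(body).to_bytes(4, "little")


def fcs_ok(frame: bytes) -> bool:
    """Recompute the CRC over everything but the trailer and compare."""
    return zlib.crc32(frame[:-4]).to_bytes(4, "little") == frame[-4:]


def store_and_forward(frame: bytes):
    """Buffer the whole frame and verify the FCS before forwarding.
    Returns (decision, bytes examined)."""
    if len(frame) < MIN_FRAME or not fcs_ok(frame):
        return "drop", len(frame)
    return "forward", len(frame)


def cut_through(frame: bytes):
    """Forward as soon as the destination address is in; no error check, so
    even a collision fragment is already on its way out."""
    return "forward", min(DST_LEN, len(frame))


def fragment_free(frame: bytes):
    """Wait for the first 64 bytes: a collision fragment never gets that far,
    but a bit error later in the frame still passes."""
    if len(frame) < MIN_FRAME:
        return "drop", len(frame)
    return "forward", MIN_FRAME


def compare(frame: bytes) -> dict:
    """Run one frame through all three modes."""
    return {
        "store-and-forward": store_and_forward(frame),
        "cut-through": cut_through(frame),
        "fragment-free": fragment_free(frame),
    }
```

Flipping a byte past the 64-byte mark of a good 118-byte frame shows the trade-off: only store-and-forward, having read all 118 bytes, drops it; truncating the same frame to 40 bytes (a collision fragment) is caught by fragment-free and store-and-forward but not by cut-through, which committed after 6 bytes.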
Cisco has incorporated switching technology into devices operating at layers other
than Layer 2. Be very careful when answering exam questions to determine how the
term switch is used. The features and functions presented in this chapter apply
to Cisco Layer 2 switches exclusively.

Virtual Local Area Networks (VLANs)
A VLAN is a group of switched ports that acts as a separate, isolated LAN.
There can be several VLANs defined on a single switch (see Figure 6.4). A
VLAN can also span multiple switches. Workstations in separate VLANs will
never encounter traffic from or share bandwidth with other VLANs unless the
data is routed. In other words, a router or switch with routing capabilities
is required if devices on different VLANs need to communicate.
It should be noted that VLAN configuration is done through the switch and
its software.
Remember from earlier chapters that one of the main benefits to switches is
that they segment a network into many collision domains. Each port represents a single collision domain, and devices share bandwidth only with other
devices on the same switch port. Unless a switch is segmented into VLANs,
however, all the devices on the switch are still in the same broadcast domain;
that is, all broadcasts are sent to each port throughout the switching fabric.
VLANs introduce a way to limit the broadcast traffic in a switched network
(a job normally associated with routers). When you create a VLAN by defining which ports belong to it, you are really just creating a boundary for
broadcast traffic. This has the effect of creating multiple, isolated LANs on
a single switch.

Figure 6.4 A 12-port switch that has been divided into two VLANs. Ports 1 through 6 are VLAN 1, and ports 7 through 12 are VLAN 2.
It is important to understand the need for routers in a switched network. If devices
on different VLANs need to communicate, routing is required to facilitate this
exchange of data. Many of today's network systems are collections of routers and
switches.

What happens when a device on one VLAN needs to communicate with a device on
another VLAN? Because a VLAN is a closed Layer 2 network, traffic must cross a
Layer 3 device to reach another VLAN.


This means a router is required to facilitate the exchange of packets between
VLANs.
It is possible for a device to participate in more than one VLAN by using a
special type of network card that performs ISL, which is discussed later in
this chapter.
The real benefit to using VLANs is that they can span multiple switches.
Figure 6.5 shows two switches that are configured to share VLAN
information.

Figure 6.5 VLANs can span multiple switches. (Figure: Switch 1 and Switch 2, each carrying VLANs 1 and 2, joined by a trunk connection using ISL.)

A large campus network may have hundreds of switches spread throughout
several buildings. Users can be put on the appropriate VLANs easily, no matter
where they are physically located. Users on the same VLAN do not have to be
connected to the same device. Therefore, LANs are no longer tied to the
physical location of users but rather can be assigned based on department,
functional area, or security level. By isolating users according to department
or functional area, network administrators can keep the majority of data
traffic within one VLAN, thereby maximizing the amount of traffic switched at
hardware speeds versus what is routed at slower software speeds.
The ability to assign a user to a VLAN on a port-by-port basis makes adding,
moving, or deleting users simple. For example, let's say a user moves from
the accounting department to the marketing department. If the network
administrator designed the network and VLANs by functional department, this
user needs to change VLANs. To accommodate this change, the administrator
only has to make a software configuration change in the switch by assigning
that user's port to the new VLAN.


In addition, VLANs provide the flexibility necessary to group users by security level. This can greatly simplify applying a security policy to a network.
In summary, here are the benefits of VLANs:
They simplify security administration.
They allow users to be grouped by functional area versus physical location.
They simplify moving and adding users.

Frame Tagging
Frame tagging is the method used by Cisco switches to identify to which
VLAN a frame belongs. As a frame enters the switch, the switch encapsulates
the frame with a header that tags the frame with a VLAN ID. Any time a
frame needs to leave one switch for another, the tagged frame is sent
throughout the switching fabric. When the frame arrives at the destination
switch, the tag tells the switch to which VLAN the frame belongs. This
process is illustrated in Figure 6.6 using the VLAN IDs 10, 20, and 30.

Figure 6.6 Frame tagging in a VLAN environment. (Figure: Switch 1 and Switch 2 joined by a Fast Ethernet link running ISL; each switch has ports in VLANs 10, 20, and 30.)

The tag is stripped off of the frame before the frame is sent out to the destination device. This process gives the illusion that all ports are physically
connected to the same switch.

Be sure to understand the function of frame tagging, which tags a frame with a
user-defined VLAN ID.

Trunk Connections
Under normal circumstances, a switch port can carry traffic for a single
VLAN only. For VLANs to span multiple switches, a trunk connection must
be created. This trunk connection transports data from multiple VLANs.
Trunk connections allow VLANs to be used throughout the switching fabric
of large networks.
Any Fast Ethernet or Asynchronous Transfer Mode (ATM) port on a switch
can be designated as a trunk port. This port typically connects to another
switch via a crossover 100BASE-T cable in the case of a Fast Ethernet trunk.
For the trunked port to transport multiple VLANs, it must understand frame
tags.

Interswitch Link (ISL)

ISL is a technology developed by Cisco that allows a single Ethernet interface
to participate in multiple VLANs. When a trunk connection is made on a Catalyst
switch's Ethernet port, ISL is used. ISL is also available on Ethernet cards
that can be used in servers or routers.
A device using an ISL Ethernet card appears to have many physical cards, each
connected to a different segment. ISL allows this single Ethernet card to have
many logical (virtual) addresses. The user must configure each logical
interface with an address that reflects the VLAN to which it belongs.
ISL works by passing the frame-tagging information along to the Ethernet card.
The Ethernet card reads the frame tag, which identifies the VLAN to which the
frame belongs. Conversely, the ISL Ethernet card creates the frame tags when
transmitting frames.
ISL is proprietary to Cisco and, therefore, is not supported on equipment made
by other vendors. However, in mid-1998 the Institute of Electrical and
Electronics Engineers (IEEE) standardized a frame-tagging process similar to
Cisco's ISL. The standard is called 802.1Q. With 802.1Q, switches from multiple
vendors can coexist in the same switching fabric.
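Frame tagging, trunk ports and tag stripping on access ports, as an added example (not the chapter's code and not Cisco's ISL implementation). Because the ISL header is proprietary, the tag used here is the IEEE 802.1Q tag mentioned in the note above: TPID 0x8100 followed by a 16-bit TCI whose low 12 bits carry the VLAN ID, inserted between the source MAC and the EtherType. The port names, MAC addresses, the per-trunk set of carried VLANs (a VLAN absent from the set behaves as if pruned from that trunk, which is what VTP pruning, covered later in the chapter, automates), and the rule that access ports drop tagged frames while trunks drop untagged ones are assumptions of this model, not a description of Catalyst behaviour.

```python
"""802.1Q frame tagging across a trunk, with VLAN-aware forwarding.

Added example, not from the chapter. The chapter's figures use Cisco ISL;
the tag here is the IEEE 802.1Q one (TPID 0x8100 followed by a 16-bit TCI
whose low 12 bits are the VLAN ID) because its layout is public. Port names,
MAC addresses and the simplifications noted in comments are assumptions.
"""
import struct

TPID_8021Q = 0x8100


def make_frame(dst: bytes, src: bytes, payload: bytes = b"\x00" * 46) -> bytes:
    """Untagged IPv4 Ethernet frame (FCS omitted for brevity)."""
    return dst + src + b"\x08\x00" + payload


def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag between the source MAC and the EtherType."""
    if not 1 <= vlan_id <= 4094:              # 0 and 4095 are reserved
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0xFFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes):
    """Return (vlan_id, untagged frame), or (None, frame) if there is no tag."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0xFFF, frame[:12] + frame[16:]
    return None, frame


class VlanSwitch:
    """Ports are ("access", vlan) or ("trunk", set_of_vlans_carried).
    Assumptions: access ports drop tagged frames, trunks drop untagged ones
    (no native VLAN), and a VLAN missing from a trunk's set is treated as
    pruned from that trunk."""

    def __init__(self, ports: dict):
        self.ports = ports
        self.table = {}          # (vlan, mac) -> port: learning is per VLAN

    def _ingress(self, port: str, frame: bytes):
        """Classify an arriving frame into a VLAN and strip any tag."""
        kind, cfg = self.ports[port]
        vid, plain = untag_frame(frame)
        if kind == "access":
            return (cfg, plain) if vid is None else (None, None)
        return (vid, plain) if vid is not None and vid in cfg else (None, None)

    def _egress(self, port: str, vid: int, plain: bytes):
        """Frame as it leaves `port`, or None if the port does not carry `vid`."""
        kind, cfg = self.ports[port]
        if kind == "access":
            return plain if cfg == vid else None               # leaves untagged
        return tag_frame(plain, vid) if vid in cfg else None   # leaves tagged

    def receive(self, port: str, frame: bytes) -> dict:
        """Return {egress_port: frame as it leaves that port}."""
        vid, plain = self._ingress(port, frame)
        if vid is None:
            return {}
        dst, src = plain[:6], plain[6:12]
        self.table[(vid, src)] = port
        known = self.table.get((vid, dst))
        if known is not None and not dst[0] & 1:
            targets = [known]                                   # known unicast
        else:
            targets = [p for p in self.ports if p != port]      # flood, VLAN-limited below
        out = {}
        for p in targets:
            if p == port:
                continue
            f = self._egress(p, vid, plain)
            if f is not None:
                out[p] = f
        return out
```

A broadcast from a VLAN 10 access port leaves the other VLAN 10 access port untagged and the trunk with a VID-10 tag, and never reaches the VLAN 20 port; a VLAN 20 broadcast goes nowhere at all when the trunk does not carry VLAN 20; a frame arriving tagged on the trunk is delivered untagged to the access port that learned its destination, which is the tag-stripping step the text describes.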


VLAN Trunking Protocol (VTP)

VTP is a protocol used between switches to simplify the management of
VLANs. Configuration changes that are made to a VTP server are propagated
across trunks to all connected switches.
All switches that are to be managed in this way must be members of the same
management domain. A VTP management domain is the entire group of
switches that share configuration information.
For example, when you add a new VLAN to a member switch, the VLAN is
available in all the network switches automatically. VTP allows switched
networks to scale to larger environments; otherwise, VLAN configuration
would have to be maintained manually on individual switches.
By default, Catalyst switches are set to a no-management-domain state. The
switches remain in a no-management state until a user configures the
management domain or the switches receive an advertisement for a domain over
a trunk link.

VTP Modes
When it has a management domain, a switch operates in one of three VTP
modes: server, client, or transparent. The default mode is server.
In VTP server mode, a switch can create, modify, or delete VLAN and other
configuration parameters for the entire VTP domain. VTP messages are
sent over all trunk links, and configuration changes are propagated to all
switches in the management domain.
In VTP client mode, the switch receives VTP messages and applies configuration changes made from any VTP server. However, a client cannot create, change, or delete VLAN information.
In VTP transparent mode, the switch forwards all VTP messages to other
switches in the domain but does not use the configuration from VTP advertisements. A VTP transparent switch can create, modify, or delete VLANs,
but the changes apply only locally and are not transmitted to other switches.
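The domain, mode and propagation rules above as a small model, added here and not from the chapter. It assumes a loop-free set of trunks, switch names of its own, and a simplified advertisement carrying (domain name, configuration revision number, VLAN list): servers and clients in the same domain apply an advertisement whose revision is higher than their own and relay it, transparent switches relay without applying, and a switch in the no-management-domain state adopts the first domain it hears. The last step of the test shows why the revision number matters to a practitioner: a switch connected to the domain with a higher revision than the existing servers overwrites every server's and client's VLAN database, which is why a reused switch's revision is reset (changing its domain name does that) before it is cabled in.

```python
"""VTP domain membership, modes and advertisement handling.

Added example, not from the chapter. Simplified model with assumed names:
an advertisement carries (domain, configuration revision, VLAN set); server
and client switches in that domain apply it when its revision is higher than
their own and pass it on; transparent switches pass it on without applying
it. A loop-free trunk topology is assumed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class VtpSwitch:
    name: str
    mode: str = "server"             # server is the default mode
    domain: Optional[str] = None     # None = no-management-domain state
    revision: int = 0
    vlans: set = field(default_factory=lambda: {1})
    trunks: list = field(default_factory=list)

    def add_vlan(self, vid: int) -> bool:
        """Local VLAN creation: refused on a client, local-only on a
        transparent switch, propagated from a server."""
        if self.mode == "client":
            return False
        self.vlans.add(vid)
        if self.mode == "server" and self.domain is not None:
            self.revision += 1
            self.advertise()
        return True

    def advertise(self) -> None:
        """Send this switch's current database to every trunk neighbour."""
        advert = (self.domain, self.revision, frozenset(self.vlans))
        self._relay(advert, sender=None)

    def _relay(self, advert, sender) -> None:
        for nb in self.trunks:
            if nb is not sender:
                nb.receive(advert, sender=self)

    def receive(self, advert, sender) -> None:
        domain, rev, vlans = advert
        if self.domain is None and self.mode != "transparent":
            self.domain = domain          # a domain-less switch joins the first domain it hears
        if domain != self.domain:
            return                        # advertisements from other domains are ignored
        if self.mode == "transparent":
            self._relay(advert, sender)   # forward but keep the local VLAN database
            return
        if rev > self.revision:           # higher revision wins, whoever sends it
            self.revision, self.vlans = rev, set(vlans)
            self._relay(advert, sender)


def link(a: VtpSwitch, b: VtpSwitch) -> None:
    """Trunk between two switches."""
    a.trunks.append(b)
    b.trunks.append(a)
```

In the chain server S1 - client C1 - transparent T1 - server S2, a VLAN added on S1 reaches C1 and S2 through T1, which relays it without adopting it; C1 cannot add VLANs at all; and a VLAN added on T1 stays on T1. A server from another domain is ignored, but a switch in the same domain advertising revision 5 replaces the VLAN list on S1, C1 and S2 in one pass.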

VTP Pruning
VTP can detect whether a trunk connection is carrying unnecessary traffic.
By default, all trunk connections carry traffic from all VLANs in the management domain. In many cases, however, a switch does not need a local port
configured for each VLAN. In this event, it is not necessary to flood traffic
from VLANs other than the ones supported by that switch (see Figure 6.7).
VTP pruning enables the switching fabric to prevent flooding traffic on
trunk ports that do not need it.


Figure 6.7 VTP pruning. (Figure: three switches; flood traffic from VLAN 20 is pruned from the trunk to the switch that has no ports in VLAN 20.)

Configuring VLANs
Three methods can be used to assign a switch port to a particular VLAN:
port-centric, static, and dynamic. In a port-centric configuration, all nodes
connected to ports within the same VLAN are given the same VLAN ID; a node's
VLAN follows the port it is plugged into, which makes the VLAN easy to
administer. In a static VLAN configuration, the VLAN assignment of each port
is hard-coded and remains in effect until the administrator changes it. This
type of configuration is typical of a network that is well monitored and where
changes are unlikely. The third type of port configuration is dynamic. It
involves more setup overhead for the administrator because a database must be
built, but the ports on these switches then determine their VLAN
automatically. The VLAN assignment is determined by the protocol carried in
the frame, the MAC address, or the logical (network-layer) address. A major
benefit of this type of configuration is that the administrator will notice
when an unauthorized or new user appears on the network, because its address
is not in the database. If a workstation is connected to a port that is
unassigned, the switch records the MAC address of the workstation and checks
its database to determine which VLAN to assign the workstation to.
