
Switch
A network switch or switching hub is a computer networking device that connects network segments.
Unlike a hub, a switch adds intelligence to the way it handles traffic: it can determine whether a
frame should stay on the local LAN or not, and it delivers the frame only to the connection or port
that needs it.

The first Ethernet switch was introduced by Kalpana in 1990; Kalpana was later acquired by Cisco in 1994.

moinetworks.com
Switches are divided into:

Manageable:
1) Console port
2) IOS can be upgraded
3) Many ports
4) Security features can be enabled
5) Layer 2 models: 2950, 1900
   Layer 3 models: 3550, 3500, 3700 (perform Layer 2 switching plus basic router functions)

Non-manageable:
1) No console port
2) Only a mini IOS (cannot be upgraded)
3) Fewer ports
4) No security features
5) Always Layer 2

Cisco manageable switches support two major switch operating systems:

- Internetwork Operating System (IOS) [current]
- Catalyst Operating System (CatOS) [earlier]

1. Fixed Switch:

2. Modular Configuration Cisco Switches

3. Stackable Switch

Fixed or Modular
Module Options for Cisco Switch Slots

Switch Mode buttons

Three general categories of MAC addresses on Ethernet:

- Unicast addresses: A MAC address that identifies a single LAN interface card.
- Broadcast addresses: The broadcast address has the value FFFF.FFFF.FFFF (in hexadecimal notation).
  It implies that all devices on the LAN should receive and process a frame sent to it.
- Multicast addresses: Frames sent to a multicast address are destined for a group of devices in the network.
Three functions of a switch:
- Learning: The switch learns MAC addresses by examining the source MAC address of each frame it receives.
- Forwarding or filtering: The switch decides whether to forward a frame or to filter (not forward) it,
  based on the destination MAC address.
- Loop prevention: The switch creates a loop-free environment with other bridges by using Spanning Tree
  Protocol (STP).

Cisco calls the MAC address table the Content Addressable Memory (CAM) table.
Accessing the Cisco IOS CLI

User and Privileged Modes
Managing the MAC Address Table:

Switch# show mac-address-table                       Older syntax of the command below
Switch# show mac address-table                       Displays the current MAC address forwarding table;
                                                     a dynamic entry is automatically discarded (aged out)
                                                     after 300 seconds
Switch# clear mac address-table dynamic              Deletes all dynamic entries from the table
Switch# clear mac address-table dynamic address aaaa.bbbb.cccc
                                                     Deletes the specified dynamic MAC address
Switch# clear mac address-table dynamic interface fastethernet 0/5
                                                     Deletes all dynamic MAC addresses learned on
                                                     interface fastethernet 0/5

Switch(config)# mac-address-table static 0000.1234.abcd vlan 1 interface fa0/1
                                                     Adds a static entry for MAC 0000.1234.abcd in
                                                     VLAN 1 on interface fa0/1
Configuring the switch management interface:

Setting the IP address and default gateway:

SW1(config)# interface vlan 1                          Enters the virtual interface for VLAN 1, the
                                                       default VLAN on the switch
SW1(config-if)# ip address 192.168.10.2 255.255.255.0
SW1(config)# ip default-gateway 192.168.10.1           Allows IP traffic an exit past the local network

TIP: For the 2960 series switches, the IP address of the switch is just that—the IP address for the entire switch. That
is why you set the address in VLAN 1 (the default VLAN of the switch) and not on a specific Ethernet interface.
Setting speed and duplex:
Switch(config)# interface fastethernet 0/1
Switch(config-if)# duplex full            Options: half, full, auto
Switch(config-if)# speed 100              Options: 10, 100, auto
Switch(config-if)# mdix auto              Enables auto-MDIX on the interface
Configure Basic Switch Settings
Basic tasks that should be configured first on a Cisco router or switch:
- Name the device: distinguishes it from other devices
- Secure management access: secures privileged EXEC, user EXEC, and Telnet access, and
  encrypts passwords at the highest level available
- Configure a banner: provides legal notification against unauthorized access
Verifying commands:

Switch# show interfaces                Displays the interface configuration and the line status:
                                       up/up, up/down, administratively down
Switch# show ip interface brief        Summarises each interface with its IP address and status
Switch# show version                   Displays information about software and hardware
Switch# show flash:                    Displays information about flash memory
                                       (for the 2900/2950 series only)

Copy commands:

Switch# show running-config            Displays the current configuration in DRAM
Switch# show startup-config            Displays the saved configuration in NVRAM
Port Security:
- How do you secure used ports?
- How do you prevent users from connecting unauthorized host devices to the network?
Example scenario:
- A classroom with PCs is connected to the network.
- How would you prevent students from unplugging classroom PCs and connecting their own
  notebooks to the network?
Switch Port Security:
Switch(config)# interface fastethernet 0/1                       Moves to interface configuration mode
Switch(config-if)# switchport mode access                        Sets the port to access mode
Switch(config-if)# switchport port-security                      Enables port security on the interface
Switch(config-if)# switchport port-security maximum 1            Sets a maximum of 1 MAC address allowed
                                                                 on this port

NOTE: The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number
of MAC addresses supported by the system.

Switch(config-if)# switchport port-security mac-address 1234.5678.90ab
                                                                 Configures the specific secure MAC address
                                                                 1234.5678.90ab. You can add further secure
                                                                 MAC addresses up to the configured maximum.

Switch(config-if)# switchport port-security mac-address sticky
                                                                 Sticky learning writes each learned MAC
                                                                 address into the running configuration and
                                                                 converts all dynamically learned port-security
                                                                 addresses into sticky secure MAC addresses.

Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}

NOTE: In shutdown mode, the port is err-disabled, a log entry is made, and manual intervention or errdisable recovery
is required to re-enable the interface.
NOTE: In restrict mode, frames from a non-allowed address are dropped and a log entry is made. The interface remains
operational.
NOTE: In protect mode, frames from a non-allowed address are dropped, but no log entry is made. The interface remains
operational.
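The port-security behaviour described above (the maximum, sticky learning and the three violation modes), modelled as an added Python example; it is not from the slides or from Cisco, and the port name, MAC addresses and log wording are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One access port with 'switchport port-security' applied (constructed model)."""
    name: str
    maximum: int = 1                   # switchport port-security maximum <n>
    violation: str = "shutdown"        # shutdown (IOS default) | restrict | protect
    sticky: bool = False               # switchport port-security mac-address sticky
    static_macs: set = field(default_factory=set)    # ... mac-address <mac>
    learned_macs: set = field(default_factory=set)   # dynamic / sticky secure MACs
    err_disabled: bool = False
    violations: int = 0
    log: list = field(default_factory=list)          # constructed log lines, not IOS syslog text
    running_config: list = field(default_factory=list)

    def secure_macs(self) -> set:
        return self.static_macs | self.learned_macs

    def receive(self, src_mac: str) -> str:
        """Handle a frame arriving from src_mac; return 'forward' or 'drop'."""
        if self.err_disabled:
            return "drop"                     # an err-disabled port passes nothing
        mac = src_mac.lower()
        if mac in self.secure_macs():
            return "forward"
        if len(self.secure_macs()) < self.maximum:
            self.learned_macs.add(mac)        # learning, still within the maximum
            if self.sticky:
                # sticky: the learned address is written into the running config
                self.running_config.append(
                    f"switchport port-security mac-address sticky {mac}")
            return "forward"
        # Unknown MAC while the port is already at its maximum: a violation.
        self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True
            self.log.append(f"{self.name}: violation by {mac}, port err-disabled")
        elif self.violation == "restrict":
            self.log.append(f"{self.name}: violation by {mac}, frame dropped")
        # protect: frame dropped and nothing logged
        return "drop"

    def shutdown_no_shutdown(self) -> None:
        """Manual recovery of an err-disabled port (errdisable recovery timer not modelled)."""
        self.err_disabled = False


def classroom_scenario(violation: str) -> dict:
    """Classroom PC, then a student notebook on the same port, then the PC again."""
    pc, notebook = "0000.1234.abcd", "aaaa.bbbb.cccc"    # constructed MAC addresses
    port = SecurePort("Fa0/1", maximum=1, violation=violation, sticky=True)
    result = {"pc": port.receive(pc), "notebook": port.receive(notebook)}
    result["pc_after"] = port.receive(pc)      # dropped only if the port is err-disabled
    port.shutdown_no_shutdown()
    result["pc_recovered"] = port.receive(pc)
    result.update(violations=port.violations, log_entries=len(port.log),
                  sticky_config=port.running_config)
    return result


if __name__ == "__main__":
    for mode in ("shutdown", "restrict", "protect"):
        print(mode, classroom_scenario(mode))
```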
Ports in Error-Disabled State

- A port security violation can put a switch port into the error-disabled state
- A port in the error-disabled state is effectively shut down
- The switch communicates these events through console messages
- The show interface command also reveals a switch port in the error-disabled state
- A shutdown / no shutdown sequence must be issued on the interface to re-enable the port
Verifying Switch Port Security

Switch# show port-security                              Displays port-security information for all interfaces
Switch# show port-security address                      Displays the secure MAC address table
Switch# show port-security interface fastEthernet 0/1   Displays port-security settings and status for the interface
Switch Port Security
Secure Unused Ports
- Disabling unused ports is a simple yet effective security guideline
An Ideal Design: Switch Layers

A layered approach allows for easy, manageable growth.

Access switches connect directly to end users, providing access to the LAN.

Distribution switches provide a path through which the access switches can forward traffic to each other. By
design, each access switch connects to at least one distribution switch.

Core switches aggregate distribution switches in very large campus LANs, providing very high forwarding rates.
Cisco Core Switches:
- Cisco Nexus 7000 Series Switches
- Cisco Catalyst 6500 Series Switches
Extending Switched Networks with Virtual LANs
Introducing VLAN Operations
VLAN
VLAN basic features:
Access Control/Security
 o A group of users needing high security can be put into a separate VLAN.
 o Administrators have full control over every switch port. In addition, switches can be configured to notify a
   management station of any unauthorized access.
Quality of Service
 o Broadcast control: broadcast-intensive applications can be placed in a separate VLAN so that they do not load
   the rest of the network.
Flexibility and Scalability
 o Users can be added to a specific VLAN regardless of their physical location. A VLAN can also be split into
   more VLANs if necessary.

By default all ports are in a single VLAN, VLAN 1, which is known as the management or administrative VLAN.
VLAN 1 exists on every Cisco switch and cannot be deleted or renamed.
VLAN IDs 1 to 4094 are supported.
VLAN Overview
Advantages of VLANs:
- Security
- Cost reduction
- Better performance
- Smaller broadcast domains
- Improved IT staff efficiency
- Simpler project and application management
VLAN Membership:
1. Static VLAN membership:
   A given port is assigned to a given VLAN (port-based VLAN).
   By default, all ports of the switch are assigned to VLAN 1.
2. Dynamic VLAN membership:
   A given MAC address is assigned to a given VLAN (MAC-based VLAN).
   Even if the PC moves to another port on the switch, it stays connected to its VLAN.
   This is done using a VMPS (VLAN Membership Policy Server).

NOTE: You cannot delete the default VLANs, i.e. VLAN 1 and the FDDI or Token Ring VLANs 1002 to 1005.
VLAN CONFIGURATION
1. Create the VLAN (VLAN 1 exists by default)
2. Assign VLAN membership (all ports belong to VLAN 1 by default)

You can create VLANs in two different ways:
1. Create VLAN:

New method (VLAN configuration mode):
Sw1(config)# vlan 2
Sw1(config-vlan)# name sales
Sw1(config)# vlan 3
Sw1(config-vlan)# name marketing
(VLAN names are 1 to 32 characters long)

Old method (VLAN database mode):
Sw1> enable
Sw1# vlan database
Sw1(vlan)# vlan 2 name sales
Sw1(vlan)# vlan 3 name marketing
Sw1(vlan)# {apply | exit | abort}

VLAN IDs 1–1005 are considered normal range VLANs, whereas VLAN IDs 1006–4094 are considered extended range VLANs.
2. Assign VLAN Membership:

Switch(config)# interface fastethernet 0/1                Moves to interface configuration mode
Switch(config-if)# switchport mode access                 Sets the port to access mode
Switch(config-if)# switchport access vlan 2               Assigns this port to VLAN 2

Or, for a range of ports:

Switch(config)# interface range fastethernet 0/1 - 10
Switch(config-if-range)# switchport mode access           Sets the ports to access mode
Switch(config-if-range)# switchport access vlan 2         Assigns these ports to VLAN 2

Or, for a list of individual ports:

Switch(config)# interface range fastethernet 0/10, fastethernet 0/12, fastethernet 0/23
Switch(config-if-range)# switchport mode access           Sets the ports to access mode
Switch(config-if-range)# switchport access vlan 2         Assigns these ports to VLAN 2
Verify VLAN:

NOTE: All VLAN IDs and names are stored in flash in a file called vlan.dat.

Resetting the switch configuration:

Switch# delete flash:vlan.dat                 Removes the VLAN database from flash memory
Delete filename [vlan.dat]?                   Press Enter
Delete flash:vlan.dat? [confirm]              Reconfirm by pressing Enter
Switch# erase startup-config                  Erases the startup configuration from NVRAM
<output omitted>
Switch# reload                                Restarts the switch
To span a VLAN across more than one switch there are two methods:
1. A separate link (one port per VLAN) for each VLAN
2. A trunk port carrying all VLANs

So we can say that two types of ports can be configured on a switch:
Access port:
  Carries traffic for a single VLAN.
  Typically a port connected to a PC.
Trunk port:
  Carries traffic for multiple VLANs.

Cisco switches support two different trunking protocols:
- Inter-Switch Link (ISL): Cisco proprietary
- IEEE 802.1Q: open standard
VLAN Trunking Configuration:

Trunking configuration on Cisco switches involves two important choices:

The type of trunking: IEEE 802.1Q, ISL, or negotiate which one to use
Switch(config-if)# switchport trunk encapsulation {dot1q | isl | negotiate}

The administrative mode: whether to trunk, not to trunk, or to negotiate
Switch(config-if)# switchport mode trunk

NOTE:
Cisco 2950 and 2960 switches support only the 802.1Q standard, so you only need the "switchport mode trunk"
command on both ends.
Cisco 3560 and 3750 models support both ISL and dot1q, so you have to specify both statements.
Verifying a Trunk

wg_sw_2950#show interfaces fa0/11 switchport
Name: Fa0/11
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
. . .

wg_sw_2950#show interfaces fa0/11 trunk
Port      Mode         Encapsulation  Status    Native vlan
Fa0/11    desirable    802.1q         trunking  1

Port      Vlans allowed on trunk
Fa0/11    1-4094

Port      Vlans allowed and active in management domain
Fa0/11    1-13
Verifying VLAN Information:

Switch# show vlan brief                         Displays VLAN information in brief
Switch# show interface fa 0/1 switchport        Shows switchport information for the interface
Switch# show interface vlan 20                  Shows the VLAN 20 interface (SVI)
Switch# show interfaces trunk                   Shows which interfaces are trunks

Trunking with 802.1Q
INTER-VLAN COMMUNICATION
- Layer 2 switches cannot forward traffic between VLANs without the assistance of a router
- Inter-VLAN routing is the process of forwarding network traffic from one VLAN to another
  using a router
- Routing between VLANs (inter-VLAN communication) is possible with the help of a Layer 3
  device such as a router or a Layer 3 switch

INTER-VLAN COMMUNICATION USING A ROUTER
Three methods to route between VLANs:
Method 1: Configure Legacy Inter-VLAN Routing
- Legacy inter-VLAN routing requires the router to have multiple physical interfaces
- Each of the router's physical interfaces is connected to a unique VLAN
- Each interface is also configured with an IP address from the subnet associated with that VLAN
- Network devices use the router as a gateway to reach the devices connected to the other VLANs
Method 2: Router-on-a-Stick
- The so-called router-on-a-stick approach uses a different path to route between VLANs
- One of the router's physical interfaces is configured as an 802.1Q trunk port, so that interface
  can understand VLAN tags
- Logical subinterfaces are then created, one subinterface per VLAN
- Each subinterface is configured with an IP address from the VLAN it represents
- VLAN members (hosts) are configured to use the subinterface address as their default gateway
- Only one of the router's physical interfaces is used
CORP(config)# interface fastethernet 0/0
CORP(config-if)# no shutdown

CORP(config)# interface fastethernet 0/0.10
CORP(config-subif)# encapsulation dot1q 10
CORP(config-subif)# ip address 192.168.10.1 255.255.255.0

CORP(config)# interface fastethernet 0/0.20
CORP(config-subif)# encapsulation dot1q 20
CORP(config-subif)# ip address 192.168.20.1 255.255.255.0

CORP(config)# interface fastethernet 0/0.30
CORP(config-subif)# encapsulation dot1q 30
CORP(config-subif)# ip address 192.168.30.1 255.255.255.0
L2Switch1(config)# vlan 10
L2Switch1(config-vlan)# name Sales
L2Switch1(config)# vlan 20
L2Switch1(config-vlan)# name Engineering
L2Switch1(config)# vlan 30
L2Switch1(config-vlan)# name Marketing

L2Switch1(config)# interface range fastethernet 0/2 - 4
L2Switch1(config-if-range)# switchport mode access
L2Switch1(config-if-range)# switchport access vlan 10

L2Switch1(config-if-range)# interface range fastethernet 0/5 - 8
L2Switch1(config-if-range)# switchport mode access
L2Switch1(config-if-range)# switchport access vlan 20

L2Switch1(config-if-range)# interface range fastethernet 0/9 - 12
L2Switch1(config-if-range)# switchport mode access
L2Switch1(config-if-range)# switchport access vlan 30
L2Switch1(config)# interface fastethernet 0/1
L2Switch1(config-if)# description Trunk Link to CORP Router

On a 3550/3750 (supports ISL and dot1q):
L2Switch1(config-if)# switchport trunk encapsulation dot1q
L2Switch1(config-if)# switchport mode trunk

On a 2950 (dot1q only):
L2Switch1(config-if)# switchport mode trunk

Show commands:
L2Switch1# show interface trunk
L2Switch1# show vlan brief
Method 3: Using a Multilayer Switch
- Multilayer switches can perform Layer 2 and Layer 3 functions, so routers are no longer required
- Each VLAN on the switch gets an SVI (Switched Virtual Interface)
- SVIs are seen as Layer 3 interfaces
- The switch understands network layer PDUs and can therefore route between its SVIs,
  just as a router routes between its interfaces
- With a multilayer switch, traffic is routed internally within the switch
- Very scalable solution
Step 1: Configure the VLANs and assign the ports to the corresponding VLANs
Step 2: Assign an IP address to each corresponding VLAN interface (SVI)
Switch(config)# interface vlan 10
Switch(config-if)# ip address 192.168.10.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config)# interface vlan 20
Switch(config-if)# ip address 192.168.20.1 255.255.255.0
Switch(config-if)# no shutdown
Step 3: Enable routing
Switch(config)# ip routing                 The switch now has routing capability
Troubleshooting Layer 3 Switching
Layer 3 Switching Configuration Issues
To troubleshoot Layer 3 switching issues, check the following items for accuracy:
- VLANs
  - VLANs must be defined across all the switches
  - VLANs must be enabled on the trunk ports
  - Ports must be in the right VLANs
- SVIs
  - Each SVI must have the correct IP address and subnet mask
  - Each SVI must be up
  - Each SVI must match its VLAN number
- Routing
  - Routing must be enabled
  - Each interface or network should be added to the routing protocol
- Hosts
  - Hosts must have the correct IP address and subnet mask
  - Hosts must have a default gateway associated with an SVI or routed port
VLAN Trunk Protocol (VTP)
- Cisco introduced this proprietary Layer 2 messaging protocol as an easy administration method for
  transferring VLAN information between switches in the same domain.
- VTP manages the addition, deletion, and modification of VLAN information within a VTP domain.
- It has a messaging system that advertises the existence of each VLAN based on its VLAN ID and VLAN
  name. However, VTP does not advertise which switch interfaces are assigned to each VLAN.
- For this to work, there must be one VTP server and the rest of the switches should be VTP clients.
- It maintains VLAN configuration consistency throughout a common administrative domain.
- It sends advertisements on trunk ports only.
VTP Modes:

Server mode (default):
- Can create, delete, and modify VLANs
- Sends and receives VTP updates
- Originates and saves VTP packets
- One server is needed per VTP domain

Client mode:
- Cannot change VLANs (cannot create or delete them)
- Sends and receives VTP updates
- Does not originate VTP packets; it forwards them

Transparent mode:
- Can create, delete, and rename its own VLANs
- Does not accept VTP information, but forwards (passes on) VTP updates
- Does not listen to other VTP advertisements
- Configuration revision number is always 0

The VTP configuration revision number indicates the version of the VLAN configuration. It is a 32-bit value
that starts at 0; each change to the VLAN information increments it by 1, up to 4294967295, after which it
wraps around to 0 and starts increasing again.
Three requirements for VTP to work between two switches:

- The link between the switches must be operating as a VLAN trunk (ISL or 802.1Q).
- The two switches' case-sensitive VTP domain names should match.
- The two switches' case-sensitive VTP passwords should match.

NOTE:
VTP clients and servers store the VLAN configuration—specifically, the VLAN ID, VLAN name, and other VTP
configuration settings—in a file called vlan.dat in flash memory. (The filename is short for "VLAN database".)
Even more interesting is the fact that Cisco IOS does not put this VLAN configuration in the running-config file
or the startup-config file. No command exists to view the VTP and VLAN configuration directly; instead, you need
to use several show commands to list the information about VLANs and VTP.
VTP configuration

New method (configuration mode):
Sw1(config)# vtp mode {server | client | transparent}
Sw1(config)# vtp domain cisco
Sw1(config)# vtp password cisco
Sw1(config)# vtp version 2                  (in global configuration mode the version is set with
                                            "vtp version 2"; "vtp v2-mode" is the VLAN database form)

Old method (VLAN database mode):
Sw1# vlan database
Sw1(vlan)# vtp {server | client | transparent}
Sw1(vlan)# vtp domain cisco
Sw1(vlan)# vtp password cisco
Sw1(vlan)# vtp v2-mode

Verifying VTP:

Switch# show vtp status                     Displays general information about the VTP configuration
Switch# show vtp password                   Displays the VTP password

NOTE: If trunking has been established before VTP is set up, VTP information is propagated throughout the
switch fabric almost immediately. However, because VTP information is advertised only every 300 seconds (5
minutes), unless a change has been made to force an update, it can take several minutes for VTP information to be
propagated.
VLAN Ranges on Catalyst Switches
- The Catalyst 2960 and 3560 Series switches support over 4,000 VLANs
- These VLANs are split into 2 categories:
  - Normal range VLANs
    - VLAN numbers from 1 through 1005
    - Configurations stored in vlan.dat (in flash)
    - VTP can only learn and store normal range VLANs
  - Extended range VLANs
    - VLAN numbers from 1006 through 4096
    - Configurations stored in the running-config (in NVRAM)
    - VTP does not learn extended range VLANs
VTP Configuration Example

Switch(config)#vtp domain ICND
Changing VTP domain name to ICND
Switch(config)#vtp mode transparent
Setting device to VTP TRANSPARENT mode.
Switch(config)#end

Switch#show vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 64
Number of existing VLANs : 17
VTP Operating Mode : Transparent
VTP Domain Name : ICND
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x7D 0x6E 0x5E 0x3D 0xAF 0xA0 0x2F 0xAA
Configuration last modified by 10.1.1.4 at 3-3-93 20:08:05
Switch#
Verifying VLAN Membership

wg_sw_2950#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
2    vlan2                            active
3    vlan3                            active
4    vlan4                            active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

wg_sw_2950#show interfaces interface switchport
Spanning Tree Protocol (STP)
Redundancy Chaos:

- Redundant connections are necessary in business networks
- LAN designs with redundant links introduce the possibility that frames might loop around the
  network forever. These looping frames would cause network performance problems. The main
  problems are broadcast storms, receiving multiple copies of the same frame, and address table inconsistency
- To prevent looping frames, STP blocks some ports from forwarding frames so that only one active
  path exists between any pair of LAN segments (collision domains).

Three classes of problems caused by not using STP in redundant LANs:

- Broadcast storms: The forwarding of a frame repeatedly on the same links, consuming significant
  parts of the links' capacities
- MAC table instability: The continual updating of a switch's MAC address table with incorrect
  entries, in reaction to looping frames, resulting in frames being sent to the wrong locations
- Multiple frame transmission: A side effect of looping frames in which multiple copies of one
  frame are delivered to the intended host, confusing the host
[Figure: broadcast storm, before and after STP]

The facts about Spanning Tree:

- The original STP (802.1D) was created to prevent loops
- It uses the Spanning Tree Algorithm (STA)
- STA chooses a reference point, called the root bridge, and then determines the available paths to that
  reference point. If more than two paths exist, STA picks the best path and blocks the rest
- The spanning tree algorithm places each bridge/switch port in either a forwarding state or a blocking state
- Switches forward frames out of, and receive frames on, ports that are in the forwarding state
- Switches do not forward frames out of, or receive frames on, ports that are in the blocking state,
  except for STP messages
The STP Bridge ID and Hello BPDU:
The Spanning Tree Algorithm (STA) begins with an election of one switch to be the root switch.

The STP Bridge ID (BID) is an 8-byte value unique to each switch:

Bridge ID = Priority (2 bytes) + System ID (6 bytes; the switch's MAC address)
The default priority is 32768.

STP defines messages called bridge protocol data units (BPDUs), which bridges and switches use to exchange
information with each other. The most common message, called a Hello BPDU, lists the sending switch's bridge
ID. By listing its own unique bridge ID, switches can tell the difference between BPDUs sent by different
switches. This message also lists the bridge ID of the current root switch.

Fields in the STP Hello BPDU:
• Root bridge ID: The bridge ID of the bridge/switch that the sender of this Hello currently believes to be
  the root switch
• Sender's bridge ID: The bridge ID of the bridge/switch sending this Hello BPDU
• Cost to reach root: The STP cost between this switch and the current root
• Timer values on the root switch: Includes the Hello timer, MaxAge timer, and Forward Delay timer
Link speed    Cost (revised IEEE spec)    Cost (previous IEEE spec)
10 Gbps       2                           1
1 Gbps        4                           1
100 Mbps      19                          10
10 Mbps       100                         100
Spanning Tree Port States
STP was created a long time ago.
- LISTENING: Receives BPDUs to determine its role in STP; discards frames
- LEARNING: Receives and transmits BPDUs; discards frames
- FORWARDING: Receives and transmits BPDUs; forwards frames
- BLOCKING: Receives BPDUs; discards frames
- DISABLED: The port is non-operational, i.e. the port is down

From Blocking to Forwarding:

20 sec (MaxAge) + 15 sec (Listening) + 15 sec (Learning) = 50 seconds
STP uses three criteria to choose whether to put an interface in the Forwarding state:

1. STP elects a root bridge/switch. STP puts all working interfaces on the root switch in the Forwarding state.
   - STP elects the root bridge based on the lowest Bridge ID [BID = Priority + MAC address]
   The simplistic view of STP: all switches find the best way to reach the root bridge, then block all redundant
   links.
   Non-root bridge: all other bridges/switches are called non-root bridges.
2. Each non-root switch considers one of its ports to have the least administrative cost between itself and the
   root switch. STP places this least-root-cost interface, called that switch's root port (RP), in the Forwarding
   state.
3. Many switches can attach to the same Ethernet segment. The switch with the lowest administrative cost from
   itself to the root bridge, as compared with the other switches attached to the same segment, is placed in the
   Forwarding state. The lowest-cost switch on each segment is called the designated bridge, and that bridge's
   interface attached to that segment is called the designated port (DP).
Spanning Tree Election Criteria:
Spanning Tree builds paths from the root bridge along the fastest links, selecting them according to the criteria
below.
STP is vital for detecting loops within a switched network. Spanning tree works by designating a common
reference point (the root bridge) and systematically building a loop-free tree from the root to all other bridges.
All redundant paths remain blocked unless a designated link fails. The following criteria are used by each
spanning tree node to select a path to the root bridge:
- Lowest root bridge ID: determines the root bridge
- Lowest cost to the root bridge: favours the upstream switch with the least cost to the root
- Lowest sender bridge ID: serves as a tie breaker if multiple upstream switches have equal cost to the root
- Lowest sender port priority
- Lowest sender port ID: serves as a tie breaker if a switch has multiple (non-EtherChannel) links to a single
  upstream switch
We can manually configure the priority of a switch and of its individual interfaces to influence path selection.
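An added Python example, not from the slides, that runs the election criteria above (lowest root BID, then lowest cost to the root, then lowest sender BID, then lowest sender port ID) over a constructed three-switch triangle using the revised IEEE costs; the switch names, MAC addresses and the triangle helper are assumptions. Lowering one switch's priority shows what the root primary / priority commands change.

```python
import heapq
from collections import defaultdict
from dataclasses import dataclass

# Revised IEEE path cost by link speed in Mbit/s (the cost table on the slide)
STP_COST = {10_000: 2, 1_000: 4, 100: 19, 10: 100}


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str                 # Cisco dotted hex, e.g. "0000.0000.0001"
    priority: int = 32768    # default bridge priority

    @property
    def bid(self) -> tuple:
        """Bridge ID = 2-byte priority + 6-byte MAC; the tuple compares in that order."""
        return (self.priority, int(self.mac.replace(".", ""), 16))


def spanning_tree(bridges, links):
    """links: list of (switch_a, switch_b, speed_mbps); each link is one LAN segment.

    Returns (root name, root cost per switch, port role per (switch, link index)).
    """
    by_name = {b.name: b for b in bridges}
    root = min(bridges, key=lambda b: b.bid)              # lowest BID wins the election
    adj = defaultdict(list)                                # switch -> [(link, neighbour, cost)]
    for idx, (a, b, speed) in enumerate(links):
        adj[a].append((idx, b, STP_COST[speed]))
        adj[b].append((idx, a, STP_COST[speed]))
    # Port ID = (port priority 128, port number); numbered by link order on each switch
    port_id = {(sw, idx): (128, n + 1)
               for sw in by_name for n, (idx, _, _) in enumerate(adj[sw])}

    root_cost, root_port = {}, {}
    # Offer key = (cost to root, sender BID, sender port ID): exactly the
    # election criteria, lowest wins. -1 marks the root's own entry.
    heap = [((0, root.bid, (0, 0)), root.name, -1)]
    while heap:
        key, name, via = heapq.heappop(heap)
        if name in root_cost:
            continue                                       # a better offer was already taken
        root_cost[name] = key[0]
        if via >= 0:
            root_port[name] = via                          # RP: the port with the best offer
        for idx, nbr, cost in adj[name]:
            offer = (key[0] + cost, by_name[name].bid, port_id[(name, idx)])
            heapq.heappush(heap, (offer, nbr, idx))

    roles = {}
    for idx, (a, b, _) in enumerate(links):
        # DP: the end of the segment with the lowest (root cost, BID, port ID)
        dp = min((a, b), key=lambda sw: (root_cost[sw], by_name[sw].bid, port_id[(sw, idx)]))
        other = b if dp == a else a
        roles[(dp, idx)] = "designated"
        roles[(other, idx)] = "root" if root_port.get(other) == idx else "blocked"
    return root.name, root_cost, roles


# Constructed triangle: A-B at 1 Gbps, A-C at 100 Mbps, B-C at 1 Gbps
TRIANGLE = [("A", "B", 1_000), ("A", "C", 100), ("B", "C", 1_000)]


def triangle(priority_b: int = 32768):
    """Run the election; lowering B's priority mimics 'spanning-tree vlan 1 root primary' on B."""
    bridges = [Bridge("A", "0000.0000.0001"), Bridge("B", "0000.0000.0002", priority_b),
               Bridge("C", "0000.0000.0003")]
    return spanning_tree(bridges, TRIANGLE)


if __name__ == "__main__":
    for prio in (32768, 24576):
        root, cost, roles = triangle(prio)
        print(f"B priority {prio}: root={root} root_cost={cost}")
        for (sw, idx), role in sorted(roles.items()):
            print(f"  {sw} on link {TRIANGLE[idx][0]}-{TRIANGLE[idx][1]}: {role}")
```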

Rapid STP (RSTP):
RSTP (802.1w) works just like STP (802.1D) in several ways:

- It elects the root switch using the same parameters and tiebreakers.
- It elects the root port on non-root switches with the same rules.
- It elects designated ports on each LAN segment with the same rules.
- It places each port in either the Forwarding or the Blocking state, although RSTP calls the Blocking
  state the Discarding state.

How RSTP improves performance:

- More logical port types:
  - Root port: used to reach the root bridge
  - Designated port: forwarding port, one per link
  - Alternate port: discarding port, backup path to the root
RSTP and STP Port States

Both STP (802.1D) and RSTP (802.1w) use the concepts of port states and port roles. The STP process
determines the role of each interface.
Multiple Instances of STP:

- Per-VLAN Spanning Tree Plus (PVST+)
- Rapid Per-VLAN Spanning Tree (RPVST)
Configuration and Operations Commands
Switch(config)# spanning-tree mode {pvst | rapid-pvst}                  Selects the STP variant

Switch(config)# spanning-tree vlan vlan-id root {primary | secondary}    Makes this switch the root switch for the
                                                                        VLAN. The switch's priority is changed to
                                                                        the lower of either 24,576 or 100 less than
                                                                        the priority of the current root bridge at
                                                                        the time the command was issued.

Switch(config)# spanning-tree vlan vlan-id priority priority            Changes the bridge priority of this switch
                                                                        for the specified VLAN

Switch(config-if)# spanning-tree cost cost                              Changes the STP port cost to the configured
                                                                        value

Switch# show spanning-tree
Switch# show spanning-tree interface interface-id
Switch# show spanning-tree vlan vlan-id
PortFast & BPDU Guard

Thanks...

moinetworks

Facebook: http://www.facebook.com/moinetworks
For the latest networking updates, visit and like the page: http://www.facebook.com/moinetworks
Configure Switch Ports
MDIX Auto Feature
• Certain cable types (straight-through or crossover) were required when connecting devices
• The automatic medium-dependent interface crossover (auto-MDIX) feature eliminates this problem
• When auto-MDIX is enabled, the interface automatically detects and configures the connection appropriately
• When using auto-MDIX on an interface, the interface speed and duplex must be set to auto

Configure Switch Ports
Network Access Layer Issues

Secure Remote Access
Configuring SSH

Secure Remote Access
Verifying SSH

Converged Networks
Core, Distribution, Access

Frame Forwarding
Store-and-Forward Switching
• Store-and-forward switching allows the switch to:
  • Check for errors (via the FCS check)
  • Perform automatic buffering
• Slower forwarding

Frame Forwarding
Cut-Through Switching
• Cut-through allows the switch to start forwarding in about 10 microseconds
• No FCS check
• No automatic buffering

Dynamic Trunking Protocol
Introduction to DTP
• Switch ports can be manually configured to form trunks
• Switch ports can also be configured to negotiate and establish a trunk link with a connected peer
• Dynamic Trunking Protocol (DTP) is a protocol to manage trunk negotiation
• DTP is a Cisco proprietary protocol and is enabled by default on Cisco Catalyst 2960 and 3560 switches
• If the port on the neighbor switch is configured in a trunk mode that supports DTP, it manages the negotiation
• The default DTP configuration for Cisco Catalyst 2960 and 3560 switches is dynamic auto

Tagging Ethernet Frames for VLAN Identification

Native VLANs and 802.1Q Tagging:

• A frame that belongs to the native VLAN will not be tagged
• A frame that is received untagged will remain untagged and be placed in the native VLAN when forwarded
• If there are no ports associated with the native VLAN and no other trunk links, an untagged frame will be dropped
• In Cisco switches, the native VLAN is VLAN 1 by default
VLAN Design:

Attacks on VLANs
Switch Spoofing Attack
• There are a number of different types of VLAN attacks in modern switched networks. VLAN hopping is one of them.
• The default configuration of the switch port is dynamic auto
• By configuring a host to act as a switch and form a trunk, an attacker could gain access to any VLAN in the network
• Because the attacker is now able to access other VLANs, this is called a VLAN hopping attack
• To prevent a basic switch spoofing attack, turn off trunking on all ports except the ones that specifically require trunking
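The mitigation on this slide is easy to state and easy to let slip on a switch with dozens of ports, so it is worth checking mechanically. The Python audit below is an added example, not code from the slides or from Cisco: it parses a constructed running-config excerpt and reports every port that can still negotiate a trunk, treating an interface with no explicit mode as dynamic auto (the Catalyst 2960/3560 default stated on these slides). It also applies the native-VLAN rule from the double-tagging slide that follows: a trunk whose native VLAN is also used as an access VLAN is flagged. The interface names, descriptions and VLAN numbers are constructed.

```python
"""Audit a running-config excerpt for ports that could negotiate a trunk.

Added example, not from the slides. The config text is constructed. The
checks encode the mitigations on these slides: trunking off everywhere
except where required, and a native VLAN that no user port uses.
"""
import re

# Constructed running-config excerpt (not from any real switch).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description uplink to DIST1
 switchport trunk native vlan 99
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description user port left at the default DTP mode (dynamic auto)
 switchport access vlan 10
!
interface GigabitEthernet0/3
 switchport mode dynamic desirable
!
interface GigabitEthernet0/4
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet0/5
 description trunk still negotiating, native VLAN overlaps VLAN 10
 switchport trunk native vlan 10
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Return {interface name: [config lines]} for each 'interface' stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "!":
            current = None
        elif current is not None and line:
            stanzas[current].append(line)
    return stanzas


def audit_trunking(config, default_mode="dynamic auto"):
    """Flag ports that can still form a trunk with whatever is plugged in.

    default_mode is the mode an interface has when none is configured;
    on Catalyst 2960/3560 switches that is 'dynamic auto'.
    Returns a list of (interface, finding) tuples in config order.
    """
    stanzas = parse_interfaces(config)
    # Collect the VLANs that user (access) ports are assigned to.
    access_vlans = set()
    for lines in stanzas.values():
        for line in lines:
            m = re.match(r"switchport access vlan (\d+)$", line)
            if m:
                access_vlans.add(int(m.group(1)))
    findings = []
    for intf, lines in stanzas.items():
        mode, nonegotiate, native = default_mode, False, 1  # VLAN 1 default
        for line in lines:
            m = re.match(r"switchport mode (.+)$", line)
            if m:
                mode = m.group(1)
            if line == "switchport nonegotiate":
                nonegotiate = True
            m = re.match(r"switchport trunk native vlan (\d+)$", line)
            if m:
                native = int(m.group(1))
        if mode.startswith("dynamic"):
            findings.append((intf, f"DTP mode '{mode}': port forms a trunk if "
                                   "the connected device asks for one"))
        elif mode == "trunk":
            if not nonegotiate:
                findings.append((intf, "trunk without 'switchport nonegotiate': "
                                       "DTP is still running on an uplink"))
            if native in access_vlans:
                findings.append((intf, f"native VLAN {native} is also used as "
                                       "an access VLAN"))
    return findings


if __name__ == "__main__":
    for intf, why in audit_trunking(SAMPLE_CONFIG):
        print(f"{intf}: {why}")
```

The fix for each finding is the one the slide gives: `switchport mode access` on user ports, and `switchport mode trunk` plus `switchport nonegotiate` (with an unused native VLAN) only on the ports that must trunk.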

Attacks on VLANs
Double-Tagging Attack
• The double-tagging attack takes advantage of the way that hardware on most switches de-encapsulates 802.1Q tags
• Most switches perform only one level of 802.1Q de-encapsulation, allowing an attacker to embed a second, unauthorized 802.1Q header in the frame
• After removing the first, legitimate 802.1Q header, the switch forwards the frame to the VLAN specified in the unauthorized 802.1Q header
• The best approach to mitigating double-tagging attacks is to ensure that the native VLAN of the trunk ports is different from the VLAN of any user ports
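Two of the frame-level checks on these slides, the FCS check that only a store-and-forward switch performs (cut-through starts forwarding before the FCS has arrived) and the 802.1Q tag walk that a single-pass de-encapsulation skips, can be shown on real frame bytes. The Python script below is an added example and is not code from the slides: it builds constructed Ethernet frames with zero, one or two 802.1Q tags plus a CRC-32 FCS, verifies the FCS the way a store-and-forward switch would, and walks every stacked tag so that a frame carrying more than one 802.1Q header is reported rather than silently forwarded on its inner tag. The MAC addresses and payload are placeholders.

```python
"""Ethernet frame inspection: FCS verification and 802.1Q tag walk.

Added example, not from the slides. The frames are constructed here;
MAC addresses and payload bytes are placeholders.
"""
import struct
import zlib

ETH_8021Q = 0x8100   # TPID of an 802.1Q tag
ETH_IPV4 = 0x0800


def build_frame(dst_mac, src_mac, vlan_ids, payload, ethertype=ETH_IPV4):
    """Constructed test helper: frame with zero or more 802.1Q tags + FCS."""
    hdr = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    for vid in vlan_ids:
        hdr += struct.pack("!HH", ETH_8021Q, vid & 0x0FFF)  # PCP/DEI = 0
    hdr += struct.pack("!H", ethertype)
    body = hdr + payload
    # Ethernet FCS is CRC-32 over destination..payload, sent LSB first.
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def corrupt(frame, index):
    """Flip one byte to simulate a transmission error."""
    b = bytearray(frame)
    b[index] ^= 0xFF
    return bytes(b)


def fcs_ok(frame):
    """Store-and-forward check: recompute the CRC over everything but the FCS.

    A cut-through switch cannot do this, because it starts forwarding
    after the destination MAC, long before the trailing FCS arrives.
    """
    body, fcs = frame[:-4], frame[-4:]
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) == fcs


def parse_tags(frame):
    """Walk every stacked 802.1Q tag; return (list of VLAN IDs, inner EtherType).

    Hardware that de-encapsulates only one level stops after the first
    tag; walking all of them is what exposes a double-tagged frame.
    """
    off = 12            # after destination + source MAC
    vids = []
    while struct.unpack_from("!H", frame, off)[0] == ETH_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VID
        off += 4
    return vids, struct.unpack_from("!H", frame, off)[0]


def inspect(frame):
    """What a switch needs to know about a frame before it forwards it."""
    vids, ethertype = parse_tags(frame)
    return {
        "fcs_ok": fcs_ok(frame),
        "vlan_ids": vids,
        "ethertype": ethertype,
        # More than one 802.1Q header on an ingress frame is the signature
        # of double tagging; a compliant frame from a host carries at most one.
        "double_tagged": len(vids) > 1,
    }


# Constructed sample frames (placeholder MACs, dummy 46-byte payload).
PAYLOAD = b"\x45" + b"\x00" * 45
GOOD_FRAME = build_frame("0a0000000002", "0a0000000001", [10], PAYLOAD)
DOUBLE_TAGGED = build_frame("0a0000000002", "0a0000000001", [1, 20], PAYLOAD)
CORRUPTED = corrupt(GOOD_FRAME, 20)   # byte 20 lies inside the payload
UNTAGGED = build_frame("0a0000000002", "0a0000000001", [], PAYLOAD)

if __name__ == "__main__":
    for name, frame in (("good", GOOD_FRAME), ("double-tagged", DOUBLE_TAGGED),
                        ("corrupted", CORRUPTED), ("untagged", UNTAGGED)):
        print(name, inspect(frame))
```

The corrupted frame shows the cost of cut-through switching: its FCS no longer matches, but a cut-through switch has already forwarded it by the time that could be noticed. The double-tagged frame shows why the native-VLAN mitigation matters: the second tag only does harm on a switch that strips the first tag and never looks further.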

Attacks on VLANs
PVLAN Edge
• The Private VLAN (PVLAN) Edge feature, also known as protected ports, ensures that there is no exchange of unicast, broadcast, or multicast traffic between protected ports on the switch
• Local relevancy only
• A protected port only exchanges traffic with unprotected ports
• A protected port will not exchange traffic with another protected port

Inter-VLAN Routing Operation
Legacy Inter-VLAN Routing
• In the past, actual routers were used to route between VLANs
• Each VLAN was connected to a different physical router interface
• Packets would arrive on the router through one interface, be routed, and leave through another
• Since the router interfaces were connected to VLANs and had IP addresses from that specific VLAN, routing between VLANs was achieved
• Simple solution but not scalable. Large networks with a large number of VLANs would require lots of router interfaces

Layer 3 Switching Operation And Configuration
• Layer 3 switches usually have packet-switching throughputs in the millions of packets per second (pps)
• All Catalyst switches support two types of Layer 3 interfaces:
  • Routed Port
  • SVI
• High-performance switches, such as the Catalyst 6500 and Catalyst 4500, are able to perform most of the router's functions
• But several models of Catalyst switches require enhanced software for specific routing protocol features

Layer 3 Switching Operation And Configuration
Inter-VLAN Routing with SVIs
• Today routing has become faster and cheaper and can be performed at hardware speed
• It can be transferred to core and distribution devices with little to no impact on network performance
• Many users are in separate VLANs, and each VLAN is usually a separate subnet
• This implies that each distribution switch must have IP addresses matching each access switch VLAN
• Layer 3 (routed) ports are normally implemented between the distribution and the core layer
• This model is less dependent on spanning tree as there are no loops in the Layer 2 portion of the topology

• By default, an SVI is created for the default VLAN (VLAN 1). This allows for remote switch administration
• Any additional SVIs must be created by the admin
• SVIs are created the first time the VLAN interface configuration mode is entered for a particular VLAN SVI
• Entering interface vlan 10 for the first time creates an SVI named VLAN 10
• The VLAN number used corresponds to the VLAN tag associated with data frames on an 802.1Q encapsulated trunk
• Whenever an SVI is created, ensure that the particular VLAN is present in the VLAN database
• SVI advantages include:
  • It is much faster than router-on-a-stick, because everything is hardware switched and routed.
  • No need for external links from the switch to the router for routing.
  • Not limited to one link. Layer 2 EtherChannels can be used between the switches to get more bandwidth.
  • Latency is much lower, because traffic does not need to leave the switch.

Layer 3 Switching Operation And Configuration
Inter-VLAN Routing with Routed Ports
• A routed port is a physical port that acts similarly to an interface on a router
• Routed ports are not associated with any VLANs
• Layer 2 protocols, such as STP, do not function on a routed interface
• Routed ports on a Cisco IOS switch do not support subinterfaces
• To configure routed ports, use the no switchport interface configuration mode command
• Note: Routed ports are not supported on Catalyst 2960 Series switches.

Layer 3 Switching Operation And Configuration
Configuring Static Routes on a Cat2960
• The Cisco Switch Database Manager (SDM) provides multiple templates for the 2960 switch
• The sdm lanbase-routing template can be enabled to allow the switch to route between VLANs and to support static routing
• Use the show sdm prefer command to verify which template is in use
• The SDM template can be changed in global configuration mode with the sdm prefer command

VTP Pruning
• Increases available bandwidth by reducing unnecessary flooded traffic
• Example: Station A sends a broadcast, and the broadcast is flooded only toward any switch with ports assigned to the red VLAN

Switch(config)# vtp pruning