CCNA Study Guide

This blog highlights CCNA study materials for those pursuing the CCNA exam 640-801. It is a must read for those going for the exam who need last-minute total recall.


Tuesday, April 04, 2006

Configuring VLANs

Before you begin creating VLANs, you should determine whether the switch will participate in a VTP domain that will synchronize VLAN configuration with the rest of the network. You must also enable a trunk connection if you want to use VLANs across multiple switches.

The steps to configure a VLAN are:
  1. Enable VTP (optional)
  2. Enable Trunking (optional)
  3. Create VLANs
  4. Assign VLANs to ports
Verifying VLANs
  • Verifying the VLAN Configuration
  • Verifying VLAN Membership
  • Prevent VLANs from Crossing a Trunk Link
  • Prevent Individual VLANs from Crossing a Trunk Link
  • Verifying Trunk Links
  • Verifying VTP Information
  • Enabling VTP Pruning
Enable VTP

When adding a new switch to an existing domain, it is a good idea to add it in VTP client mode. This will prevent the switch from propagating any incorrect VLAN information to other switches. In this example we will set up a new VTP domain and place the switch into server mode. The password puts VTP into secure mode. Every switch in the management domain must have a password assigned to it for the management domain to function properly in secure mode.

   Switch1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z
Switch1(config)#vtp server
Switch1(config)#vtp domain ciscotest
Switch1(config)#vtp password ccna
Enable Trunking

The next step is to create a trunk connection with the other switches that will be sharing VLAN information. To enable trunking on a port, enter interface configuration mode for the desired port, and then use the trunk command with the appropriate option:

   Switch1#configure terminal
Switch1(config)#interface f 0/26
Switch1(config-if)#trunk on
trunk Command Options
  • on - Puts the port into permanent trunking mode and negotiates to convert the link into a trunk link. The port becomes a trunk port even if the neighboring port does not agree to the change.
  • off - Puts the port into permanent nontrunking mode and negotiates to convert the link into a nontrunk link. The port becomes a nontrunk port even if the neighboring port does not agree to the change.
  • desirable - Makes the port actively attempt to convert the link to a trunk link. The port becomes a trunk port if the neighboring port is set to on, desirable, or auto mode.
  • auto - Makes the port willing to convert the link to a trunk link. The port becomes a trunk port if the neighboring port is set to on or desirable mode. This is the default mode.
  • negotiate - Puts the port into permanent trunking mode but prevents the port from generating DTP frames. You must configure the neighboring port manually as a trunk port to establish a trunk link.

Create VLANs

To create a VLAN, enter global configuration mode and use the vlan command with the VLAN identifier (1-1005) and its name.

   Switch1#configure terminal
Switch1(config)#vlan 5 name accounting
Switch1(config)#vlan 6 name management
Assign VLANs to Ports

Now that the VLAN has been created, you can statically assign which ports will be members of the VLAN. A port can only belong to one VLAN at a time and by default, all ports are members of VLAN 1. To assign a VLAN to a port, enter interface configuration mode for the port and use the vlan-membership command.

   Switch1#configure terminal
Switch1(config)#interface e0/4
Switch1(config-if)#vlan-membership static 5
Switch1(config)#interface e0/5
Switch1(config-if)#vlan-membership static 5
Switch1(config)#interface e0/6
Switch1(config-if)#vlan-membership static 6
Verifying the VLAN Configuration

To view the VLANs configured on the switch, use the show vlan command.


Switch1#show vlan

VLAN Name Status Ports
--------------------------------------------------
1 default Enabled 1-3, 7-24, AUI, A, B
5 accounting Enabled 4, 5
6 management Enabled 6

Optionally you can view an individual VLAN to see how it's configured by using the show vlan [#] command.


Switch1#show vlan 5

VLAN Name Status Ports
-------------------------------------
5 accounting Enabled 2
-------------------------------------

VLAN Type SAID MTU Parent RingNo BridgeNo Stp Trans1 Trans2
---------------------------------------------------------------------
5 Ethernet 100005 1500 0 1 1 Unkn 0 0
Verifying VLAN Membership

To view which ports are assigned to a VLAN, use the following command:

   Switch1#show vlan-membership
Port VLAN Membership
1 1 Static
2 1 Static
3 1 Static
4 5 Static
5 5 Static
6 6 Static
7 1 Static
8 1 Static
[Output Cut]
Prevent VLANs from Crossing a Trunk

All VLANs are configured on a trunked link unless you clear it manually. Use the following command if you don't want a trunk to carry VLAN information:

   Switch1(config)#int f0/26
Switch1(config-if)#clear trunk
Prevent Individual VLANs from Crossing a Trunk Link

You can clear individual VLANs from crossing a trunk link by using the following command:

   Switch1(config)#int f0/26
Switch1(config-if)#no trunk-vlan 5
Verifying Trunk Link

To verify a trunk port use the show trunk [a|b] command. The a is for port f0/26 while b represents f0/27.

   Switch1#show trunk a
DISL state: Auto, Trunking: On, Encapsulation type:ISL

Switch1#show trunk allowed-vlans
1-4, 6-1004
Verifying VTP Information

After VTP has been enabled and configured, you can view the configuration with the following command:

   Switch1#show vtp
VTP Version : 2
Configuration Revision : 2
Maximum VLANs supported locally : 1005
Number of existing VLANs : 2
VTP Operating Mode : Server
VTP Password : ccna
VTP Domain Name : ciscotest
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Enabled
MD5 digest : 0xB9 0xC7 0x8D 0xB3 0xD4 0xBA 0x94 0x03
Configuration last modified by 192.168.1.86 at 7-25-01 01:22:24
Enabling VTP Pruning

If you enable VTP pruning on a VTP server, you will enable it for the entire domain. Enable VTP pruning with the following command:

   Switch1(config)#vtp pruning enable
Disable VTP pruning with:
   Switch1(config)#vtp pruning disable

Virtual Local Area Networks

A virtual LAN (VLAN) is a group of hosts or network devices, such as routers (running transparent bridging) and bridges, that forms a single bridging domain. There can be several VLANs defined on a single switch. A VLAN can also span multiple switches. Using layer 2 protocols such as IEEE 802.1q and ISL (Inter-Switch Link) allows a VLAN to span multiple switches. VLANs are formed to group related users together regardless of the physical connections of their hosts to the network. The users can be spread across a campus network or even across geographically isolated locations. Users can be organized into separate VLANs according to their department, location, function, application, address (logical or physical), or protocol used. The goal with VLANs is to group users into separate VLANs so their traffic will stay within the VLAN. When you configure VLANs, the network can take advantage of the following benefits:

Benefits of using VLANs
  • Broadcast Control - Just as switches physically isolate collision domains for attached hosts and only forward traffic out a particular port, VLANs refine this concept further and provide complete isolation between VLANs. A VLAN is a bridging domain, and all broadcast and multicast traffic is contained within it.
  • Security - VLANs provide security in two ways:
    • High-security users can be grouped into a VLAN, possibly on the same physical segment, and no users outside of that VLAN can communicate with them.
    • Because VLANs are logical groups that behave like physically separate entities, inter-VLAN communication can only be achieved through a router. When inter-VLAN communication occurs through a router, all the security and filtering functionality that routers traditionally provide can be used. In the case of nonroutable protocols, there can be no inter-VLAN communication. All communication must occur within the same VLAN.
  • Performance - Users who require high-performance networks for bandwidth-intensive projects can be placed in their own VLAN, isolating them and the rest of the network from each other.
  • Network Management - Software on the switch allows you to assign users to VLANs and, later, reassign them to another VLAN. Recabling to change connectivity is no longer necessary in the switched LAN environment because network management tools allow you to reconfigure the LAN logically in seconds.

Routers by default only send broadcasts within the originating network, but switches forward them to all segments. This is known as a flat network because it's one big broadcast domain. Switches and VLANs are used to replace the flat network. All members of a VLAN are in the same broadcast domain and receive all broadcasts. By default the broadcasts are filtered from all ports on a switch that aren't in the same VLAN. Routers, layer 3 switches, or Route Switch Modules (RSM) must be used in conjunction with switches to provide connections between networks (VLANs), which can stop broadcasts from propagating throughout the entire internetwork.

VLAN Organizations

A traditional collapsed backbone consists of a router with separate networks attached to its interfaces. Each node attached to a physical network needs to have the same network number in order to communicate on the internetwork. On switches you can group users into communities of interest called VLAN Organizations. In a VLAN, nodes can communicate with other nodes in the same VLAN; nodes in one VLAN need to go through a router or other layer 3 device in order to communicate with other VLANs.

VLAN Memberships

VLANs are usually created by administrators who assign switch ports to VLANs. These are called static VLANs. Dynamic VLANs are configured by assigning all the host devices' hardware addresses into a database.

Static VLAN

Static VLANs are the typical method of creating VLANs and are the most secure. The switch port you assign a VLAN association to always maintains that association until an administrator changes the port assignment.

Dynamic VLAN

Dynamic VLANs determine a node's VLAN assignment automatically. Using intelligent management software, you can enable MAC addresses, protocols, or even applications to create dynamic VLANs. For example, if the MAC address is in a centralized database, and if it connects to a switch port, the VLAN management database can lookup the address and configure the port for the correct VLAN. If the user moves, the switch will automatically assign them to their correct VLAN.

Links in a Switched Environment

VLANs can span multiple connected switches by using frame tagging and trunk connections. Switches in the switch fabric must keep track of frames and which VLAN the frame belongs to. Frame tagging performs this function. Switches can then direct frames to the appropriate port.

Frame Tagging

Switches use frame tagging to keep track of users and frames as they travel the switch fabric and VLANs. Switch fabric is a group of connected switches. Frame tagging assigns a unique user-defined ID to each frame, also called VLAN ID or color. Frame tagging is to be used when an Ethernet frame traverses a trunked link. Each switch the frame traverses must identify the VLAN ID and then determine what to do with the frame based on its filter table. Once the frame reaches the exit to the access link, the VLAN ID is removed and the end device receives the frame without having to understand the VLAN ID. A VLAN interface can have only one VLAN ID, and VLAN trunk interfaces support multiple VLANs across them.

There are two types of links:
Access Links

An access link is part of only one VLAN, which is referred to as the native VLAN of the port. Any device attached to an access link is unaware of VLAN membership. This device just assumes that it is part of a broadcast domain, without any understanding of the physical network. Switches remove any VLAN information before a frame is sent to an access link device. Access link devices can't communicate with any devices outside their VLAN without a router or layer 3 device.

Trunk Links

Trunks can carry multiple VLANs and are used to connect switches to other switches, to routers, or to servers. Trunk links are only supported on Fast or Gigabit Ethernet (100 or 1000 Mbps). Cisco switches support two ways to identify which VLAN a frame belongs to: ISL and 802.1q. If no trunk encapsulation type is specified when configuring an Ethernet trunk, ISL is used as the default. Trunk links have a native or default VLAN that is used if the trunk link fails. Trunked links carry the traffic of multiple VLANs from 1 to 1005 at a time. Trunking allows you to make a single port a part of multiple VLANs, so you can be in more than one broadcast domain at a time. When connecting switches together, trunk links can carry some or all VLAN information across the link. If you don't trunk the links then the switch will only carry VLAN 1 information across the link. Cisco switches use the Dynamic Trunking Protocol (DTP) to manage trunks. DTP is a point-to-point protocol that was created to send trunk information across 802.1q trunks.

Trunking Methods
  • Inter-Switch Link - ISL is a Cisco proprietary protocol for interconnecting multiple switches and maintaining VLAN information as traffic goes between switches. ISL is similar to 802.10 as they both multiplex bridge groups over a high-speed backbone (ISL runs only on Fast Ethernet). With ISL, an Ethernet frame is encapsulated with a header that maintains VLAN IDs between switches. A 26-byte header that contains a 10-bit VLAN ID is prepended to the Ethernet frame. A VLAN ID is added to the frame only when the frame is destined for a non-local network. Since the frame is encapsulated, only devices running ISL can read it. If you need to trunk with switches other than Cisco switches, use 802.1q. ISL frames can be up to 1522 bytes long. On multi-VLAN ports, each frame is tagged as it enters the switch. ISL NICs allow servers to send and receive frames tagged with multiple VLANs so the frames can traverse multiple VLANs without going through a router. The ISL protocol can allow a file server to exist in multiple VLANs at the same time. Note that ISL encapsulation is only added to frames that are forwarded on a trunk link, and when they arrive at the access link the encapsulation is removed and the frame is delivered.
  • IEEE 802.1q - Created by the IEEE as a standard method of frame tagging. It actually inserts a field into the frame to identify the VLAN. If you are trunking between a Cisco switch and a non-Cisco switch, you will need to use 802.1q for the trunk to work.
  • IEEE 802.10 - Defines a method for securing bridging of data across a shared MAN (Metropolitan Area Network) backbone. The coloring (VLAN ID) of traffic across the FDDI backbone is achieved by inserting a 16-byte header between the source MAC and the Link Service Access Point (LSAP) of frames leaving a switch. This header contains the 4-byte VLAN ID or "color". The receiving switch removes the header and forwards the frame to interfaces that match the VLAN color.
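To make the 802.1q "field inserted into the frame" concrete, here is a small Python example added to this guide (it is not code from the original page or from Cisco). It builds an untagged frame such as an access-link host would send, inserts an 802.1Q tag (TPID 0x8100 followed by the 16-bit TCI: 3-bit priority, 1-bit DEI, 12-bit VLAN ID) the way a switch does before forwarding onto a trunk, checks the tag against a trunk's allowed-VLAN list written in the same "1-4, 6-1004" form that show trunk allowed-vlans prints, and strips the tag again at the access link. The MAC addresses are sample values taken from the show mac-address-table output later on this page; the function names are my own.

```python
import struct

TPID_8021Q = 0x8100            # 802.1Q Tag Protocol Identifier
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses (two of the MACs from the show mac-address-table output on this page).
DST_MAC = bytes.fromhex("00d05868f583")
SRC_MAC = bytes.fromhex("00e01e746ada")


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame as a host sends it on an access link (FCS omitted)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC before the frame crosses a trunk.

    Tag = TPID 0x8100 (2 bytes) + TCI (2 bytes); TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits).
    The 12-bit field allows 1-4094; the Catalyst 1900 in this guide only uses 1-1005.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tag(frame: bytes):
    """Return (vlan_id, pcp, dei, ethertype) for a tagged frame, or None if it is untagged."""
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    ethertype = struct.unpack("!H", frame[16:18])[0]
    return tci & 0xFFF, tci >> 13, (tci >> 12) & 1, ethertype


def untag_frame(frame: bytes) -> bytes:
    """Remove the tag at the access link so the end device never sees the VLAN ID."""
    return frame if parse_tag(frame) is None else frame[:12] + frame[16:]


def parse_allowed_vlans(spec: str) -> set:
    """Parse a list like '1-4, 6-1004' (the show trunk allowed-vlans format) into a set of IDs."""
    allowed = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        allowed.update(range(int(lo), int(hi or lo) + 1))
    return allowed


def forward_on_trunk(frame: bytes, allowed: set) -> bool:
    """A trunk forwards a tagged frame only if its VLAN is still allowed (no trunk-vlan 5 removes 5)."""
    tag = parse_tag(frame)
    return tag is not None and tag[0] in allowed


if __name__ == "__main__":
    frame = build_frame(DST_MAC, SRC_MAC, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
    tagged = tag_frame(frame, 5)                 # accounting VLAN from the configuration above
    trunk = parse_allowed_vlans("1-4, 6-1004")   # VLAN 5 was cleared from the trunk
    print("tag:", parse_tag(tagged))
    print("crosses trunk:", forward_on_trunk(tagged, trunk))
    print("restored at access link:", untag_frame(tagged) == frame)
```

The tagged frame is exactly four bytes longer than the original, which is why 802.1q interoperates with non-Cisco switches: the tag sits inside a normal Ethernet frame rather than wrapping it in a proprietary header as ISL does.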

Communicating between VLANs

To communicate between VLANs you need to have a router with an interface for each VLAN or a router that supports ISL routing. The lowest Cisco router that supports ISL routing is the 2600 series. If you're using a router with one interface and ISL, the interface should be at least 100Mbps (Fast Ethernet).

VLAN Trunking Protocol (VTP)

VTP is a protocol used between switches to simplify the management of VLANs. With VTP, you can make configuration changes centrally on a single Catalyst series switch and have those changes automatically communicated to all the other switches in the network.

VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs on a network-wide basis. VTP minimizes misconfigurations and configuration inconsistencies that can result in a number of problems, such as duplicate VLAN names, incorrect VLAN-type specifications, and security violations.

Developed by Cisco, it is the industry's first protocol implementation specifically designed for large VLAN deployments. VTP enhances VLAN deployment by providing the following:

  • Integration of ISL, 802.10, and ATM LAN-based VLANs.
  • Auto-intelligence within the switches for configuring VLANs.
  • Configuration consistency across the network.
  • An auto-mapping scheme for going across mixed-media backbones.
  • Accurate tracking and monitoring of VLANs.
  • Dynamic reporting of added VLANs across the network.
  • Plug-and-Play setup and configuration when adding new VLANs.

To allow VTP to manage your VLANs across the network, you must first create a VTP server. All servers that need to share VLAN information must use the same domain name, and a switch can only be in one domain at a time. If all your switches are in the same VLAN then you don't need to use VTP. VTP information is sent via a trunk port. Switches advertise VTP management domain information, as well as the configuration revision number and all known VLANs with any specific parameters. Switches detect the additional VLANs within a VTP advertisement and then prepare to receive information on their trunk ports. The information would be VLAN ID, 802.10 SAID fields, or LANE information. Each update is sent with a configuration revision number one higher than the previous one. Anytime a switch sees a higher revision number, it knows the information is newer and overwrites its database with the newer one.

Three modes of operation within a VTP
  • Server - Default mode for all Catalyst switches. You need at least one to propagate VLAN data throughout the domain. The switch must be in server mode to create, add, or delete VLANs in a VTP domain. Any changes made while in server mode will be advertised to the entire VTP domain. Advertisements are sent every 5 minutes or whenever there is a change.
  • Client - Receives information from VTP servers and sends and receives updates, but can't make any changes. To add a switch to a VLAN, first make it a client to update the database, then change it to a server to make the changes and have them advertised or alternatively delete the VTP database with the delete vtp privileged EXEC mode command.
  • Transparent - Doesn't participate in the VTP domain, but will still forward VTP advertisements through the configured trunk links. Can add and create VLANs as it doesn't share its database with any other switch and changes made to its database are only considered locally significant.
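The revision-number rule above (a higher revision number overwrites the database) and the advice to add new switches as clients are easier to reason about with a small simulation. The Python below is an added example, not code from this page or a Cisco implementation: VtpSwitch, vtp_digest and scenario are my own names, and the MD5 digest is a simplified stand-in for the real VTP digest, computed here over the revision, the VLAN list and the domain password so that a switch with a different password fails the check. The scenario shows a server and client syncing normally, a stale switch with a higher revision wiping the server's VLANs when its password matches, the same advertisement being ignored when the password differs, and a transparent-mode switch originating no advertisement at all.

```python
import hashlib
from dataclasses import dataclass, field


def vtp_digest(revision: int, vlans: dict, password: str) -> str:
    """Simplified stand-in for the VTP MD5 digest (assumption): it covers the revision, the VLAN
    list and the domain password, so an advertisement only verifies on switches with the same password."""
    body = f"{revision}|{sorted(vlans.items())}|{password}"
    return hashlib.md5(body.encode()).hexdigest()


@dataclass
class VtpSwitch:
    name: str
    mode: str                      # "server", "client" or "transparent"
    domain: str
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def add_vlan(self, vid: int, name: str) -> None:
        """Servers change the domain database and bump the revision; transparent switches change
        only their local database; clients cannot create VLANs at all."""
        if self.mode == "client":
            raise PermissionError(f"{self.name} is a VTP client and cannot create VLANs")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1

    def advertisement(self):
        """Servers and clients advertise their database; a transparent switch originates nothing."""
        if self.mode == "transparent":
            return None
        return {"domain": self.domain, "revision": self.revision, "vlans": dict(self.vlans),
                "digest": vtp_digest(self.revision, self.vlans, self.password)}

    def receive(self, adv) -> str:
        """Apply the rule from the text: same domain, digest verifies, higher revision overwrites."""
        if adv is None:
            return "nothing received"
        if self.mode == "transparent":
            return "forwarded, not applied"
        if adv["domain"] != self.domain:
            return "ignored: other domain"
        if adv["digest"] != vtp_digest(adv["revision"], adv["vlans"], self.password):
            return "ignored: digest mismatch (password differs)"
        if adv["revision"] <= self.revision:
            return "ignored: not newer"
        self.vlans = dict(adv["vlans"])
        self.revision = adv["revision"]
        return "applied"


def scenario() -> dict:
    """Constructed walk-through; returns what each switch ends up with."""
    server = VtpSwitch("Switch1", "server", "ciscotest", "ccna")
    server.add_vlan(5, "accounting")
    server.add_vlan(6, "management")          # revision is now 2, as in the show vtp output above
    client = VtpSwitch("Switch2", "client", "ciscotest", "ccna")
    client_result = client.receive(server.advertisement())

    # A switch that used to be a server in a lab with the same domain name and password, still
    # carrying revision 10 and a different VLAN list, is plugged into the production trunk.
    stale = VtpSwitch("LabSwitch", "server", "ciscotest", "ccna",
                      revision=10, vlans={1: "default", 99: "lab"})
    stale_result = server.receive(stale.advertisement())   # higher revision wins: VLANs 5 and 6 vanish

    # Same stale switch against a domain that uses a different password: the digest check fails.
    other = VtpSwitch("Switch3", "server", "ciscotest", "ccna-prod")
    other.add_vlan(5, "accounting")
    wrong_pw_result = other.receive(stale.advertisement())

    # Same stale switch put into transparent mode before connecting: it originates no advertisement.
    stale.mode = "transparent"
    transparent_result = other.receive(stale.advertisement())
    return {"client": client_result, "client_vlans": dict(client.vlans),
            "stale_overwrite": stale_result, "server_vlans_after": dict(server.vlans),
            "wrong_password": wrong_pw_result, "transparent": transparent_result}


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The point of the scenario is that the mode of the switch being added is not what protects the domain: a client with a higher revision is still believed. A distinct domain password (so the digest fails) or transparent mode on the newcomer is what keeps a stale database from overwriting the server's.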
VTP Advertisements

Each switch in the VTP domain sends periodic advertisements out each trunk port to a reserved multicast address. VTP advertisements are received by neighboring switches, which update their VTP and VLAN configurations as necessary.

The following global configuration information is distributed in VTP advertisements:

  • VLAN IDs (ISL and 802.1Q)
  • Emulated LAN names (for ATM LANE)
  • 802.10 SAID values (FDDI)
  • VTP domain name
  • VTP configuration revision number
  • VLAN configuration, including maximum transmission unit (MTU) size for each VLAN
  • Frame format
VTP Pruning

VTP pruning enhances network bandwidth use by reducing unnecessary flooded traffic, such as broadcast, multicast, unknown, and flooded unicast packets. VTP pruning increases available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to access the appropriate network devices. By default, VTP pruning is disabled. VTP pruning only sends broadcasts to trunk links that must have the information. Enabling VTP pruning on a VTP server enables pruning for the entire management domain. VTP pruning takes effect several seconds after you enable it. By default, VLANs 2 through 1000 are pruning-eligible. VTP pruning does not prune traffic from VLANs that are pruning-ineligible. VLAN 1 is always pruning-ineligible; traffic from VLAN 1 cannot be pruned. VLAN 1 can never prune because it is an administrative VLAN.

Configuring a Catalyst 1900 Switch

This page covers configuring a Cisco Catalyst 1900 Switch from the command line interface. This is the method that is tested on the CCNA 2.0 test, but you should know that you can also configure the switch from a Menu (runs on the command line) or you can use the Web interface (set the IP address on the Switch and enter the IP address in a web browser on a client to access the Switch's configuration web pages).

Setting Hostname, IP Address, and DFGW

You set these items the same way as for a router. The exception is that the IP address is for the entire device as opposed to a router, which has addresses for each interface. You should also know that you can telnet to a switch but you can't telnet from it.

   > enable
# conf t
Enter configuration commands, one per line. End with CNTL/Z.
(config)# hostname Switch1
Switch1(config)# ip address 192.168.1.75 255.255.255.224
Switch1(config)# ip default-gateway 192.168.1.65
Switch1(config)# ip domain-name foo.org

Viewing the IP Information

Use the show ip user Exec command to display global Internet Protocol (IP) configuration information.
   Switch1# show ip

IP Address:192.168.1.75
Subnet Mask:255.255.255.224
Default Gateway:192.168.1.65
Management VLAN: 1
Domain name: foo.org
Name server 1:192.168.1.70
Name server 2:0.0.0.0
HTTP server :Enabled
HTTP port : 80
RIP :Enabled

Setting Passwords

Use the enable password <1-15> <password> global configuration command to set unencrypted user Exec or privileged Exec passwords. Levels 1-14 are for user Exec privileges while level 15 is for privileged Exec privileges. The password is a case-insensitive string of between 4 and 8 characters, spaces, and punctuation (except double quotes). Password strings with blank spaces must be enclosed in double quotes.

   Switch1(config)# enable password level 1 "CcNa 2.0"
Switch1(config)# enable password level 15 CiScO123
Enable Secret Password

Use the enable secret global configuration command to set encrypted user Exec or privileged Exec passwords. The enable secret password is used in place of the enable password if it is set since the enable secret password is encrypted and therefore more secure.

   Switch1(config)# enable secret PaSs&oRd

Interfaces

Use the interface type slot/port global configuration command to choose an interface type and to enter interface configuration mode.

   Switch1(config)# interface ethernet 0/5
Switch1(config-if)#
Setting the Interface Description

While in interface configuration mode you can use the description string command to set a description for an interface. The description can be from 1 to 80 alphanumeric characters. Use double quotes to enclose strings with spaces.

   Switch1(config-if)# description "Marketing VLAN"
Set the Port's Duplex

Use the duplex {auto | full | full-flow-control | half} interface configuration command to enable duplex mode for an interface.

Syntax Description:
auto Auto-negotiation of duplex mode.
full Full-duplex mode.
full-flow-control Force full-duplex mode with flow control.
half Half-duplex mode.

Example:
   Switch1(config-if)# duplex full

Show Version

This example shows how to display the switch hardware and firmware versions accessible from privileged Exec mode for the Catalyst 1900 switch.

   Switch1# show version

Cisco Catalyst 1900/2820 Enterprise Edition Software
Version V9.00.00(12)
Copyright (c) Cisco Systems, Inc. 1993-1999
Switch1 uptime is 2day(s) 22hour(s) 50minute(s) 21second(s)
cisco Catalyst 1900 (486sxl) processor with 2048K/1024K bytes of memory
Hardware board revision is 1
Upgrade Status: No upgrade currently in progress.
Config File Status: No configuration upload/download is in progress
27 Fixed Ethernet/IEEE 802.3 interface(s)
Base Ethernet Address: 00-E0-1E-7E-BE-80
Switch1#

MAC Address Tables

Since layer 2 switches use MAC addresses to filter network traffic, it stands to reason that you can control MAC related functions. A Catalyst 1900 switch can store up to 1024 MAC addresses in its filter table. When the filter table is full, the switch will flood the network with all new incoming frames until one of the existing addresses in the table expires and is removed. To view the table of MAC addresses, use the following command:

   Switch1#show mac-address-table

Number of permanent addresses :0
Number of restricted static addresses :0
Number of dynamic addresses :9

Address Dest Interface Type Source Interface List
----------------------------------------------------------------------------------
00D0.5868.F583 FastEthernet 2 Dynamic All
00E0.1E74.6ADA FastEthernet 1 Dynamic All
00E0.1E74.6AC0 FastEthernet 1 Dynamic All
0060.47D5.2770 FastEthernet 2 Dynamic All
00D0.5868.F580 FastEthernet 2 Dynamic All
00D0.5868.C8C0 FastEthernet 2 Dynamic All
00D0.5868.EF00 FastEthernet 2 Dynamic All
00E0.1E74.6080 FastEthernet 2 Dynamic All
00D0.C0F5.5B80 FastEthernet 2 Dynamic All
Clearing the MAC Address Table

If clear mac-address-table is invoked with no options, all dynamic addresses are removed. If you specify an address but do not specify an interface, the address is deleted from all interfaces. If you specify an interface but do not specify an address, all addresses on the specified interface are removed.

   Switch1#clear mac-address-table
Setting Static MAC Addresses

Use the mac-address-table restricted static global configuration command to associate a restricted static address with a particular switched port interface (specified as type module/port). Use the no mac-address-table restricted static command to delete a restricted static address.

The following example shows how to configure packets with the MAC address 0040.C80A.2F07 to come in on either Ethernet interface 1 or Ethernet interface 2 and be forwarded to Fast Ethernet interface 27.

   Switch1(config)#mac-address-table restricted static 0040.C80A.2F07 f0/27 e0/1 e0/2
Setting Permanent MAC Addresses

Use the mac-address-table permanent global configuration command to associate a permanent unicast or multicast MAC address with a particular switched port interface (specified by type and module/port). Use the no mac-address-table permanent command to delete a permanent MAC address. This example shows how to specify that packets with the multicast destination address 0140.C80A.2F07 should be forwarded on the Fast Ethernet interface 27.

   Switch1(config)# mac-address-table permanent 0140.C80A.2F07 fastethernet 0/27
Using Port Security

Use the port secure interface configuration command to enable addressing security. Use the no port secure command to disable addressing security or to set the maximum number of addresses allowed on the interface to the default value. The default is 132, but can be from 1 to 132. The following example shows how to set the maximum MAC address count to 100 on the ethernet slot 0 port four interface.

   Switch1# conf t
Switch1(config)# interface ethernet 0/4
Switch1(config-if)# port secure max-mac-count 100

Upgrading/ Restoring the IOS for a Catalyst 1900

You can upgrade or restore the IOS, but you can't back it up on Catalyst 1900 switches. To copy an IOS from a TFTP host use the following command.

Syntax:
   copy tftp://tftp_host's_address/IOS_filename opcode
Example:
   Switch1#copy tftp://192.168.1.70/cat1900EN_9_.bin opcode

Backing Up and Restoring the Catalyst 1900's Configuration

The configuration file is called nvram on a 1900 switch. To copy the file to a TFTP host, use the following command:

Syntax:
   copy nvram tftp://tftp_host's_address/config_name
Example:
   Switch1#copy nvram tftp://192.168.1.70/1900en
To restore the file from a TFTP host to the switch, use the following command:

Syntax:
   copy tftp://tftp_host's_address/config_name nvram
Example:
   Switch1#copy tftp://192.168.1.70/1900en nvram

Deleting the Startup-Configuration

To delete the startup-config (nvram), use the following command:

   Switch1#delete nvram

Change the LAN Switch Type

You can view the switch type with the privileged EXEC command show port system. To change the switch's switch type, use the following command:

   Switch1(config)#switching-type ?
fragment-free Fragment Free mode
store-and-forward Store-and-Forward mode

Switch1(config)#switching-type store-and-forward

Layer 2 Switching

  • Layer 2 switching is hardware based, it uses the host's Media Access Control (MAC) address.
  • Switches use Application Specific Integrated Circuits (ASIC) to build and maintain filter tables.
  • Switches tend to be faster than Routers, because they don't look at the logical address (Network layer headers), they instead use the hardware address defined at the Data Link (MAC) layer to decide whether to forward or discard the frame.
  • Layer 2 switching is so efficient because it doesn't modify the data packet only the frame encapsulating the packet; this also causes it to be less error prone.
  • Uses Layer 2 switching for network connectivity and network segmentation (each port is a separate collision domain).
  • Be careful how you segment your network, ensure that the users spend 80% of their time on their local segment, and all the segments of a switch are still in the same broadcast domain. Use routers to split up broadcast domains.

Benefits of LAN Switches (Layer 2 Services)

An individual Layer 2 switch might offer some or all of the following benefits:

  • Bandwidth---LAN switches provide excellent performance for individual users by allocating dedicated bandwidth to each switch port (for example, each network segment). This technique is known as microsegmenting.
  • VLANs---LAN switches can group individual ports into logical switched workgroups called VLANs, thereby restricting the broadcast domain to designated VLAN member ports. VLANs are also known as switched domains and autonomous switching domains. Communication between VLANs requires a router.
  • Automated packet recognition and translation---Cisco's unique Automatic Packet Recognition and Translation (APaRT) technology recognizes and converts a variety of Ethernet protocol formats into industry-standard CDDI/FDDI formats. With no changes needed in either client or server end stations the Catalyst solution can provide an easy migration to 100-Mbps server access while preserving the user's investment in existing shared 10Base-T LANs.

Three functions of layer 2 switching

  1. Address learning - Layer 2 switches retain, in their filter tables, the source hardware address and port interface it was received on.
  2. Forward/Filter decisions - When a frame is received, the switch looks at the destination hardware address and finds the interface it is on in the filter table. If the address is unknown, the frame is broadcast on all interfaces except the one it was received on.
  3. Loop Avoidance - If multiple connections between switches exist for redundancy, network loops can occur. Spanning Tree Protocol is used to stop loops while still allowing redundancy.
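Address learning, the forward/filter decision, the 1024-entry limit of the 1900's filter table (MAC Address Tables above), and port secure max-mac-count (Using Port Security above) all act on the same table, so here is one Python model of it, added to this guide; it is not code from the page or from Cisco IOS. Switch1900 and its methods are my own names; the 1024-entry and 132-address defaults come from the text. One behaviour is an assumption: when a secured port already holds its maximum number of addresses, the model drops the offending frame and records a violation rather than learning the new address, since the page does not say what the real switch does in that case. The MAC addresses in the demo are constructed, reusing a few from the show mac-address-table output.

```python
BROADCAST = "ffff.ffff.ffff"


class Switch1900:
    """Toy model of a Catalyst 1900 filter table (added example; names are my own)."""

    def __init__(self, ports, max_entries=1024):   # text: the 1900 stores up to 1024 MAC addresses
        self.ports = list(ports)
        self.max_entries = max_entries
        self.table = {}          # mac -> port the address was learned on
        self.secure = {}         # port -> max-mac-count set with "port secure max-mac-count"
        self.violations = []     # (port, mac) pairs refused by port security

    def port_secure(self, port, max_mac_count=132):   # text: default 132, range 1-132
        if not 1 <= max_mac_count <= 132:
            raise ValueError("max-mac-count must be 1-132")
        self.secure[port] = max_mac_count

    def _addresses_on(self, port):
        return sum(1 for p in self.table.values() if p == port)

    def _learn(self, src, in_port) -> str:
        """Address learning: remember source MAC -> ingress port. Returns why it was or wasn't kept."""
        if src in self.table:
            self.table[src] = in_port            # known station (possibly moved): refresh the entry
            return "refreshed"
        if in_port in self.secure and self._addresses_on(in_port) >= self.secure[in_port]:
            self.violations.append((in_port, src))
            return "secure-violation"            # assumption: violating address is not learned
        if len(self.table) >= self.max_entries:
            return "table-full"                  # text: not learned until an existing entry expires
        self.table[src] = in_port
        return "learned"

    def receive(self, src, dst, in_port):
        """Forward/filter decision for one frame. Returns (action, list of egress ports)."""
        if self._learn(src, in_port) == "secure-violation":
            return "drop", []                    # assumption: the violating frame is dropped
        if dst != BROADCAST and dst in self.table:
            out = self.table[dst]
            if out == in_port:
                return "filter", []              # destination is on the ingress segment: don't forward
            return "forward", [out]
        # unknown destination or broadcast: flood out every port except the one it came in on
        return "flood", [p for p in self.ports if p != in_port]


if __name__ == "__main__":
    sw = Switch1900(["e0/1", "e0/2", "e0/3", "f0/26"], max_entries=3)   # tiny table to show it filling
    sw.port_secure("e0/3", 1)
    frames = [  # constructed (src, dst, ingress port) triples
        ("00d0.5868.f583", BROADCAST, "e0/1"),
        ("00e0.1e74.6ada", "00d0.5868.f583", "e0/2"),
        ("00d0.5868.f583", "00e0.1e74.6ada", "e0/1"),
        ("0060.47d5.2770", "00d0.5868.f583", "e0/3"),
        ("0060.47d5.2771", "00d0.5868.f583", "e0/3"),   # second address on a secured port
        ("00d0.c0f5.5b80", "00d0.5868.f583", "f0/26"),  # table already full
    ]
    for src, dst, port in frames:
        print(f"{src} -> {dst} in {port}: {sw.receive(src, dst, port)}")
    print("table:", sw.table, "violations:", sw.violations)
```

Note what the table-full case means for a network: a frame to an address that could not be learned is flooded to every port, so a full (or deliberately filled) filter table turns the switch back into the flat, shared segment that VLANs and microsegmentation were meant to remove; port secure max-mac-count bounds how many addresses any one port can contribute.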

Spanning Tree Protocol

STP is a Layer 2 link management protocol that provides path redundancy while preventing undesirable loops in the network. For an Ethernet network to function properly, only one active path must exist at Layer 2 between two stations. STP operation is transparent to end stations, which do not detect whether they are connected to a single LAN segment or a switched LAN of multiple segments.

The Catalyst series switches use STP (IEEE 802.1D bridge protocol) on all Ethernet virtual LANs (VLANs). When you create fault-tolerant internetworks, you must have a loop-free path between all nodes in a network. In STP, an algorithm calculates the best loop-free path throughout a Catalyst-switched network. The switches send and receive spanning-tree packets at regular intervals (2 seconds). The switches do not forward the packets, but use the packets to identify a loop-free path. The default configuration has STP enabled for all VLANs.

Multiple active paths between stations cause loops in the network. If a loop exists in the network, you might receive duplicate messages. When loops occur, some switches see stations on both sides of the switch. This condition confuses the forwarding algorithm and allows duplicate frames to be forwarded.

To provide path redundancy, STP defines a tree that spans all switches in an extended network. STP forces certain redundant data paths into a standby (blocked) state. If one network segment in the STP becomes unreachable, or if STP costs change, the spanning-tree algorithm reconfigures the spanning-tree topology and reestablishes the link by activating the standby path.

  • Defined as IEEE 802.1d
  • It first elects a root bridge (only one per network); root bridge ports are called designated ports and operate as forwarding-state ports. Forwarding-state ports can send and receive traffic. The other switches in your network are nonroot bridges.
  • The nonroot bridge's port with the fastest link to the root bridge is called the root port, and it sends and receives traffic.
  • Ports that have the lowest cost to the root bridge are called designated ports. The other ports on the bridge are considered nondesignated and will not send or receive traffic (blocking mode).
  • Switches or bridges running STP exchange information with what are called Bridge Protocol Data Units (BPDUs). BPDUs send configuration information using multicast frames; BPDUs are also used to send the bridge ID of each device to other devices. The bridge ID is used to determine the root bridge in the network and to determine the root port. The bridge ID is 8 bytes long and includes the priority and the MAC address. The default priority of devices using IEEE STP is 32,768 (2^15).
  • To determine the root bridge, the priority and the MAC address are combined; if the priorities are the same, the MAC address is used to determine who has the lowest ID, and that device becomes the root bridge.
  • Path cost is used to determine which ports will be used to communicate with the root bridge (designated ports). STP cost is the total accumulated path cost based on the bandwidth of the links. The slower the link, the higher the cost.
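The election and root-port selection described in these bullets, worked through in code. This is an added example, not code from the study guide or from Cisco: the three-switch topology, MAC addresses and priorities are constructed, and the per-speed path costs are the classic 802.1D values. It also shows why "fastest link" is really "lowest accumulated cost": SW1's direct 10-Mbps link to the root loses to the two-hop path through SW2.

```python
from dataclasses import dataclass, field
from typing import Dict

# Classic 802.1D path cost per link speed in Mbps: the slower the link, the higher the cost.
LINK_COST = {10: 100, 100: 19, 1000: 4}


@dataclass
class Bridge:
    name: str
    priority: int          # default 32768 (2^15) on IEEE STP devices
    mac: str
    links: Dict[str, int] = field(default_factory=dict)  # neighbor -> link speed (Mbps)

    def bridge_id(self):
        # 8-byte bridge ID: 2-byte priority then 6-byte MAC. Compared as a tuple, so the
        # priority decides first and the MAC only breaks ties, as the text describes.
        return (self.priority, int(self.mac.replace(":", ""), 16))


def elect_root(bridges):
    """The bridge with the numerically lowest bridge ID becomes the root bridge."""
    return min(bridges, key=Bridge.bridge_id).name


def root_ports(bridges):
    """Accumulated path cost to the root for every bridge, plus the neighbor behind
    each nonroot bridge's root port (lowest total cost, not simply the fastest link)."""
    by_name = {b.name: b for b in bridges}
    root = elect_root(bridges)
    cost = {root: 0}
    via = {}                     # bridge -> neighbor reached through its root port
    pending = set(by_name)
    while pending:
        reachable = [n for n in pending if n in cost]
        if not reachable:
            break                # a partitioned segment never joins this tree
        cur = min(reachable, key=cost.get)
        pending.remove(cur)
        for nbr, speed in by_name[cur].links.items():
            total = cost[cur] + LINK_COST[speed]
            if nbr not in cost or total < cost[nbr]:
                cost[nbr], via[nbr] = total, cur
    return root, cost, via


# Constructed three-switch topology with a redundant loop (sample data, not from the page).
SWITCHES = [
    Bridge("SW1", 32768, "00:00:0c:11:11:11", {"SW2": 1000, "SW3": 10}),
    Bridge("SW2", 32768, "00:00:0c:22:22:22", {"SW1": 1000, "SW3": 100}),
    Bridge("SW3", 4096,  "00:00:0c:33:33:33", {"SW1": 10,   "SW2": 100}),
]
```

Running `root_ports(SWITCHES)` elects SW3 (lowest priority) and gives SW1 a root path cost of 23 through SW2, so SW1's 10-Mbps link to SW3 ends up blocked.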

Spanning Tree Protocol Port States

  • Blocking - doesn't forward any frames, but still listens to BPDUs. Ports default to blocking when the switch powers on. Used to prevent network loops. If a blocked port is to become the designated port, it will first enter listening state to ensure that it won't create a loop once it goes into forwarding state.
  • Listening - listens to BPDUs to ensure no loops occur on the network before passing data frames.
  • Learning - learns MAC addresses and builds filter table, doesn't forward frames.
  • Forwarding - sends and receives all data on the bridge ports. A forwarding port has been determined to have the lowest cost to the root bridge.

LAN Switching Modes

  • Store and Forward - the switch copies the entire frame into its buffer and computes the Cyclic Redundancy Check (CRC). Since it copies the entire frame, latency varies with frame length. If the frame has a CRC error, is too short (<64 bytes) or is too long (>1518 bytes), it is discarded. If there is no error, the destination address (MAC) is looked up in the filter table and the frame is sent to the appropriate interface. This is the default mode for Catalyst 5000 series switches.
  • Cut Through - the fastest switching mode, as only the destination address is copied. The switch then looks up the address in its filter table and sends the frame to the appropriate interface.
  • Fragment Free - a modified form of Cut Through switching. The switch waits for the first 64 bytes to pass before forwarding the frame. If the frame has an error, it usually occurs in the first 64 bytes. This is the default mode for Catalyst 1900 switches.
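The three layer 2 functions (learning, forward/filter, loop-free flooding of unknowns) combined with the store-and-forward checks above, as a small simulated switch. This is an added example, not code from the study guide or any Cisco product: frames are constructed inline as raw bytes (14-byte header, padded payload, CRC-32 standing in for the Ethernet FCS), and `build_frame`, `StoreAndForwardSwitch` and the port names are hypothetical.

```python
import zlib

MIN_FRAME, MAX_FRAME = 64, 1518           # legal Ethernet sizes, including the 4-byte FCS
BROADCAST = bytes.fromhex("ffffffffffff")


def mac(text):                             # "00:00:0c:aa:bb:cc" -> 6 bytes
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, payload, corrupt=False):
    """Constructed helper: dst + src + type + payload (padded to 46 bytes) + CRC-32 FCS.
    corrupt=True flips every FCS bit to simulate a frame damaged on the wire."""
    payload = payload.ljust(46, b"\x00")
    body = mac(dst) + mac(src) + b"\x08\x00" + payload
    fcs = zlib.crc32(body) ^ (0xFFFFFFFF if corrupt else 0)
    return body + fcs.to_bytes(4, "big")


class StoreAndForwardSwitch:
    """Buffers the whole frame, validates size and FCS, then learns the source
    address and makes the forward/filter/flood decision."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}               # filter table: MAC -> port it was learned on

    def receive(self, frame, in_port):
        """Return the list of ports the frame is sent out of (empty means discarded)."""
        if not MIN_FRAME <= len(frame) <= MAX_FRAME:
            return []                     # runt or giant: discard before forwarding
        body, fcs = frame[:-4], int.from_bytes(frame[-4:], "big")
        if zlib.crc32(body) != fcs:
            return []                     # CRC error: discard (cut-through would forward it)
        dst, src = frame[:6], frame[6:12]
        self.mac_table[src] = in_port     # address learning
        out = self.mac_table.get(dst)
        if dst == BROADCAST or out is None:
            return [p for p in self.ports if p != in_port]   # flood, never back out the ingress port
        if out == in_port:
            return []                     # filter: destination is on the same segment
        return [out]                      # forward to the single known port


if __name__ == "__main__":
    sw = StoreAndForwardSwitch(["Fa0/1", "Fa0/2", "Fa0/3"])
    a, b = "00:00:0c:aa:aa:aa", "00:00:0c:bb:bb:bb"
    print(sw.receive(build_frame(b, a, b"hello"), "Fa0/1"))  # unknown dst: flooded
    print(sw.receive(build_frame(a, b, b"reply"), "Fa0/2"))  # known dst: forwarded
```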

LAN SWITCHING

LAN Switches

So, what are LAN switches? Switches are essentially multi-port bridges and operate on the same basic principle as bridges. The difference is that each host is often connected directly to a port on the switch, effectively giving each host its own dedicated segment (microsegmentation). By examining MAC addresses, the switch learns where hosts are located and forwards frames only to the necessary port. Because the decision to forward is based on layer 2 addresses, these types of switches are often called frame switches. Note: Some vendors also sell LAN switches that incorporate functions operating on layer 3 information. Such switches are often referred to as multi-layer switches.

The benefits of switches are enormous. With Full-Duplex ethernet support, collisions can be virtually eliminated. Each host on the switch essentially has access to the full amount of available bandwidth.

There are two primary LAN switching modes, Store & Forward and Cut Through.

Store & Forward

This is the mode used by Catalyst 5000 series switches. In this mode an entire frame is read into a memory buffer on the switch. The frame is then analyzed for errors (CRC computation). If the frame is good, the switch consults its table of known MAC addresses and forwards the frame to the appropriate port. This method has the benefit of having each frame checked for errors and discarded if malformed. However, because it must read the entire frame into memory and perform the CRC, there is a higher degree of latency when compared to other methods.

Cut Through

This is an option in some EtherSwitch models. In Cut-Through switching, only the destination MAC address is read into memory. This is done simply to determine to which port to forward the frame. Once the destination port is known, the switch immediately begins forwarding the frame to that port. It does not do any error checking. The benefit of this method of switching is reduced latency, but at the cost of potentially sending unwanted, malformed frames to host computers. Some cut-through switches attempt to reduce problems by filtering out collision fragments. Collision fragments are less than 64 bytes, so the switch reads 64 bytes before beginning to forward the frame. Cisco refers to the standard cut-through switch as Fast Forward and those that filter collision fragments as Fragment Free.

Virtual LANs

Another great benefit of modern switches is the capability to create virtual LANs (VLANs). After a VLAN is established on a switch, frames (broadcast, multicast, or unicast) will only be forwarded within that particular VLAN. VLANs become particularly beneficial in their capability to span switches. No longer is the physical location of a host the determining factor in which LAN it belongs to. This is accomplished by inserting a VLAN ID into the frame that identifies to which VLAN the frame belongs. This ID is used only within the switch fabric and is removed before the final switch in the network forwards the frame to the destination port.

MANAGING A CISCO INTERNETWORK

  • Cisco has TFTP server software that can be run on a computer.
  • Three places a router can look for a valid Cisco IOS - Flash, TFTP Server or ROM.
  • To copy the current config to a TFTP server type “copy running-config tftp”. To load a copy type “copy tftp run”.
  • Show memory is used to see how the system allocates memory for different purposes.
  • Show stacks monitors the stack use and if the reboot was the result of a system crash, and displays the last system reboot.
  • Show Buffers reveals the size of the buffers (S, M, Big, VeryBig, L, and Huge)
  • Show Flash describes the flash memory and the size of files and how much memory is free.
  • Cisco Discovery Protocol (CDP) – allows you access to configuration information on other routers with a single command. Running Subnetwork Access Protocol (SNAP) at the Data Link layer, two devices running different Network Layer protocols can still communicate. CDP runs by default on 10.3 versions and earlier. Once a router is found, it can display information about the upper-layer protocols. Typing “sh cdp int” will show the interfaces configured to run CDP.

Telnet is a virtual terminal protocol.

  • “sh hosts” will show all the names of routers that your router knows about, assuming DNS is running on the router or on a server. To have the router use a DNS server, use “ip domain-lookup” and “ip name-server ip_address”.

You just received an output that states the CDP hold time, hardware, port ID, and local interface. What was the command you typed in?

“Show cdp neighbor” will show the hardware platform (Cisco 2500), the local interface through which the routers are connected, the hold time, the port ID of the remote router, and the device ID and its capability.

What’s the default CDP hold time in seconds?

180 - 3 times the default broadcast frequency, which is 60 seconds

What's the default CDP update broadcast rate for routers in seconds?

60 seconds. Changed with the cdp timer command.

What type of frame does CDP use to gather information about its directly connected neighbors?

CDP uses SNAP by default.

Which command do you type to view the hostnames configured in your router (choose two)?

Show hosts or sh host will show the ip host table configured on the router.

How can you view the CDP information received from all routers?

Show cdp entry or sh cdp entry * will show you entries of CDP information received from the neighbor routers.

If you want to type in the hostname Bob instead of the IP address 172.16.10.1 to access the remote router named Bob, what should you do?

“config t, ip host bob 172.16.10.1”.

If you type “copy tftp flash”, which event did you cause?

Copied a file from a TFTP server to the router's flash. The router will look to a TFTP host for a valid Cisco IOS to copy into EEPROM, or Flash.

If you want to load a new Cisco IOS into your router's memory, which command should you use?

“copy tftp flash” tells the router to look to a TFTP server.

What does it mean if you’re running a trace and receive a “P” as a response?

Protocol unreachable

If you want to configure the router configuration stored in NVRAM, which command should you use?

“config mem” copies the startup-config into running-config.

Which command will load the Cisco router configuration into RAM (choose three)?

To reload the router, type “Reload” or “copy startup-config running-config”, or ”copy tftp running-config”.

What command will copy your router configuration to a TFTP server?

“copy star tftp” or “copy runn tftp”

What command should you use to have your router load the valid Cisco IOS from a TFTP server?

“boot system tftp”

Which command will you use if you want to disable DNS lookup?

“no ip domain-lookup” will disable DNS.

Which command do you use to configure your router to do a domain-lookup?

IP name-server 10.10.10.10

After telneting into multiple routers simultaneously, what command can you type to see these connections?

“sh sessions” will show all that are open.


Know the password recovery processes for both 25xx and 26xx routers.