
1. LAN design
1.1.1 Chapter introduction
For the small- and medium-sized business, communicating digitally using data,
voice, and video is critical to business survival. Consequently, a properly
designed LAN is a fundamental requirement for doing business today. You must
be able to recognize a well-designed LAN and select the appropriate devices to
support the network specifications of a small- or medium-sized business.

In this chapter, you will begin exploring the switched LAN architecture and some
of the principles that are used to design a hierarchical network. You will learn
about converged networks. You will also learn how to select the correct switch for
a hierarchical network and which Cisco switches are best suited for each network
layer. The activities and labs confirm and reinforce your learning.

1.1.1 The hierarchical network model
When building a LAN that satisfies the needs of a small- or medium-sized
business, your plan is more likely to be successful if a hierarchical design model
is used. Compared to other network designs, a hierarchical network is easier to
manage and expand, and problems are solved more quickly.

Hierarchical network design involves dividing the network into discrete layers.
Each layer provides specific functions that define its role within the overall
network. By separating the various functions that exist on a network, the network
design becomes modular, which facilitates scalability and performance. The
typical hierarchical design model is broken up into three layers: access,
distribution, and core. An example of a three-layer hierarchical network design is
displayed in the figure.

Access Layer

The access layer interfaces with end devices, such as PCs, printers, and IP
phones, to provide access to the rest of the network. The access layer can
include routers, switches, bridges, hubs, and wireless access points (AP). The
main purpose of the access layer is to provide a means of connecting devices to
the network and controlling which devices are allowed to communicate on the
network.

Distribution Layer

The distribution layer aggregates the data received from the access layer
switches before it is transmitted to the core layer for routing to its final
destination. The distribution layer controls the flow of network traffic using
policies and delineates broadcast domains by performing routing functions
between virtual LANs (VLANs) defined at the access layer. VLANs allow you to
segment the traffic on a switch into separate subnetworks. For example, in a
university you might separate traffic according to faculty, students, and guests.
Distribution layer switches are typically high-performance devices that have high
availability and redundancy to ensure reliability. You will learn more about
VLANs, broadcast domains, and inter-VLAN routing later in this course.

Core Layer

The core layer of the hierarchical design is the high-speed backbone of the
internetwork. The core layer is critical for interconnectivity between distribution
layer devices, so it is important for the core to be highly available and redundant.
The core area can also connect to Internet resources. The core aggregates the
traffic from all the distribution layer devices, so it must be capable of forwarding
large amounts of data quickly.

Note: In smaller networks, it is not unusual to implement a collapsed core model,
where the distribution layer and core layer are combined into one layer.

A Hierarchical Network in a Medium-Sized Business

Let us look at the hierarchical network model applied to a business. In the figure,
the access, distribution, and core layers are separated into a well-defined
hierarchy. This logical representation makes it easy to see which switches
perform which function. It is much harder to see these hierarchical layers when
the network is installed in a business.

The figure shows two floors of a building. The user computers and network
devices that need network access are on one floor. The resources, such as e-
mail servers and database servers, are located on another floor. To ensure that
each floor has access to the network, access layer and distribution switches are
installed in the wiring closets of each floor and connected to each of the devices
needing network access. The figure shows a small rack of switches. The access
layer switch and distribution layer switch are stacked one on top of each other in
the wiring closet.

Although the core and other distribution layer switches are not shown, you can
see how the physical layout of a network differs from the logical layout of a
network.

Benefits of a Hierarchical Network

There are many benefits associated with hierarchical network designs.

Scalability

Hierarchical networks scale very well. The modularity of the design allows you to
replicate design elements as the network grows. Because each instance of the
module is consistent, expansion is easy to plan and implement. For example, if
your design model consists of two distribution layer switches for every 10 access
layer switches, you can continue to add access layer switches until you have 10
access layer switches cross-connected to the two distribution layer switches
before you need to add additional distribution layer switches to the network
topology. Also, as you add more distribution layer switches to accommodate the
load from the access layer switches, you can add additional core layer switches
to handle the additional load on the core.

Redundancy

As a network grows, availability becomes more important. You can dramatically
increase availability through easy redundant implementations with hierarchical
networks. Access layer switches are connected to two different distribution layer
switches to ensure path redundancy. If one of the distribution layer switches fails,
the access layer switch can switch to the other distribution layer switch.
Additionally, distribution layer switches are connected to two or more core layer
switches to ensure path availability if a core switch fails. The only layer where
redundancy is limited is at the access layer. Typically, end node devices, such as
PCs, printers, and IP phones, do not have the ability to connect to multiple access
layer switches for redundancy. If an access layer switch fails, just the devices
connected to that one switch would be affected by the outage. The rest of the
network would continue to function unaffected.

Performance

Communication performance is enhanced by avoiding the transmission of data
through low-performing, intermediary switches. Data is sent through aggregated
switch port links from the access layer to the distribution layer at near wire speed
in most cases. The distribution layer then uses its high performance switching
capabilities to forward the traffic up to the core, where it is routed to its final
destination. Because the core and distribution layers perform their operations at
very high speeds, there is less contention for network bandwidth. As a result,
properly designed hierarchical networks can achieve near wire speed between all
devices.

Security

Security is improved and easier to manage. Access layer switches can be
configured with various port security options that provide control over which
devices are allowed to connect to the network. You also have the flexibility to use
more advanced security policies at the distribution layer. You may apply access
control policies that define which communication protocols are deployed on your
network and where they are permitted to go. For example, if you want to limit the
use of HTTP to a specific user community connected at the access layer, you
could apply a policy that blocks HTTP traffic at the distribution layer. Restricting
traffic based on higher layer protocols, such as IP and HTTP, requires that your
switches are able to process policies at that layer. Some access layer switches
support Layer 3 functionality, but it is usually the job of the distribution layer
switches to process Layer 3 data, because they can process it much more
efficiently.

Manageability

Manageability is relatively simple on a hierarchical network. Each layer of the
hierarchical design performs specific functions that are consistent throughout
that layer. Therefore, if you need to change the functionality of an access layer
switch, you could repeat that change across all access layer switches in the
network because they presumably perform the same functions at their layer.
Deployment of new switches is also simplified because switch configurations can
be copied between devices with very few modifications. Consistency between the
switches at each layer allows for rapid recovery and simplified troubleshooting. In
some special situations, there could be configuration inconsistencies between
devices, so you should ensure that configurations are well documented so that
you can compare them before deployment.

Maintainability

Because hierarchical networks are modular in nature and scale very easily, they
are easy to maintain. With other network topology designs, manageability
becomes increasingly complicated as the network grows. Also, in some network
design models, there is a finite limit to how large the network can grow before it
becomes too complicated and expensive to maintain. In the hierarchical design
model, switch functions are defined at each layer, making the selection of the
correct switch easier. Adding switches to one layer does not necessarily mean
there will not be a bottleneck or other limitation at another layer. For a full mesh
network topology to achieve maximum performance, all switches need to be
high-performance switches, because each switch needs to be capable of
performing all the functions on the network. In the hierarchical model, switch
functions are different at each layer. You can save money by using less
expensive access layer switches at the lowest layer, and spend more on the
distribution and core layer switches to achieve high performance on the network.

1.1.2 Principles of a hierarchical network design
Hierarchical Network Design Principles

Just because a network seems to have a hierarchical design does not mean that
the network is well designed. These simple guidelines will help you differentiate
between well-designed and poorly designed hierarchical networks. This section is
not intended to provide you with all the skills and knowledge you need to design
a hierarchical network, but it offers you an opportunity to begin to practice your
skills by transforming a flat network topology into a hierarchical network
topology.

Network Diameter

When designing a hierarchical network topology, the first thing to consider is
network diameter. Diameter is usually a measure of distance, but in this case, we
are using the term to measure the number of devices. Network diameter is the
number of devices that a packet has to cross before it reaches its destination.
Keeping the network diameter low ensures low and predictable latency between
devices.

In the figure, PC1 communicates with PC3. There could be up to six
interconnected switches between PC1 and PC3. In this case, the network
diameter is 6. Each switch in the path introduces some degree of latency.
Network device latency is the time spent by a device as it processes a packet or
frame. Each switch has to determine the destination MAC address of the frame,
check its MAC address table, and forward the frame out the appropriate port.
Even though that entire process happens in a fraction of a second, the time adds
up when the frame has to cross many switches.

In the three-layer hierarchical model, Layer 2 segmentation at the distribution
layer practically eliminates network diameter as an issue. In a hierarchical
network, network diameter is always going to be a predictable number of hops
between the source and destination devices.

Bandwidth Aggregation

Each layer in the hierarchical network model is a possible candidate for
bandwidth aggregation. Bandwidth aggregation is the practice of considering the
specific bandwidth requirements of each part of the hierarchy. After bandwidth
requirements of the network are known, links between specific switches can be
aggregated, which is called link aggregation. Link aggregation allows multiple
switch port links to be combined so as to achieve higher throughput between
switches. Cisco has a proprietary link aggregation technology called
EtherChannel, which allows multiple Ethernet links to be consolidated. A
discussion of EtherChannel is beyond the scope of this course. To learn more,
visit:
http://www.cisco.com/en/US/tech/tk389/tk213/tsd_technology_support_protocol_home.html

In the figure, computers PC1 and PC3 require a significant amount of bandwidth
because they are used for developing weather simulations. The network manager
has determined that the access layer switches S1, S3, and S5 require increased
bandwidth. Following up the hierarchy, these access layer switches connect to
the distribution switches D1, D2, and D4. The distribution switches connect to
core layer switches C1 and C2. Notice how specific links on specific ports in each
switch are aggregated. In this way, increased bandwidth is provided for in a
targeted, specific part of the network. Note that in this figure, aggregated links
are indicated by two dotted lines with an oval tying them together. In other
figures, aggregated links are represented by a single, dotted line with an oval.

Redundancy

Redundancy is one part of creating a highly available network. Redundancy can
be provided in a number of ways. For example, you can double up the network
connections between devices, or you can double the devices themselves. This
chapter explores how to employ redundant network paths between switches. A
discussion on doubling up network devices and employing special network
protocols to ensure high availability is beyond the scope of this course. For an
interesting discussion on high availability, visit:
http://www.cisco.com/en/US/products/ps6550/products_ios_technology_home.html

Implementing redundant links can be expensive. Imagine if every switch in each
layer of the network hierarchy had a connection to every switch at the next layer.
It is unlikely that you will be able to implement redundancy at the access layer
because of the cost and limited features in the end devices, but you can build
redundancy into the distribution and core layers of the network.

In the figure, redundant links are shown at the distribution layer and core layer. At the
distribution layer, there are two distribution layer switches, the minimum
required to support redundancy at this layer. The access layer switches, S1, S3,
S4, and S6, are cross-connected to the distribution layer switches. This protects
your network if one of the distribution switches fails. In case of a failure, the
access layer switch adjusts its transmission path and forwards the traffic through
the other distribution switch.

Some network failure scenarios can never be prevented, for example, if the
power goes out in the entire city, or the entire building is demolished because of
an earthquake. Redundancy does not attempt to address these types of
disasters.
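The two principles above, network diameter and path redundancy, can be checked mechanically against a topology before any hardware is bought. The following is an added example, not part of the course text: it models a constructed three-layer topology (switch names S1..S4, D1..D4, C1, C2 are assumptions), counts the diameter in switches the way this chapter does, and verifies that no single distribution or core switch failure isolates an access switch.

```python
"""Model a three-layer hierarchical LAN and check two design principles from
this chapter: network diameter (switches a frame crosses between end devices)
and path redundancy (every access switch survives the loss of any single
distribution or core switch). Constructed example topology, not course code."""
from collections import deque
from itertools import combinations

# Constructed topology: access switches S1..S4 dual-homed to a pair of
# distribution switches; all distribution switches connect to both core
# switches C1 and C2. Each tuple is one inter-switch link.
LINKS = [
    ("S1", "D1"), ("S1", "D2"), ("S2", "D1"), ("S2", "D2"),
    ("S3", "D3"), ("S3", "D4"), ("S4", "D3"), ("S4", "D4"),
    ("D1", "C1"), ("D1", "C2"), ("D2", "C1"), ("D2", "C2"),
    ("D3", "C1"), ("D3", "C2"), ("D4", "C1"), ("D4", "C2"),
]
ACCESS = ["S1", "S2", "S3", "S4"]


def build_graph(links, failed=()):
    """Adjacency map of the topology with any failed switches removed."""
    adj = {}
    for a, b in links:
        if a in failed or b in failed:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def switch_hops(adj, src, dst):
    """Number of switches a frame crosses from an end device on src to one on
    dst, i.e. network diameter as the chapter defines it (BFS shortest path,
    counted in switches). Returns None when no path exists."""
    if src not in adj or dst not in adj:
        return None
    if src == dst:
        return 1  # both end devices hang off the same access switch
    seen = {src}
    queue = deque([(src, 1)])
    while queue:
        node, hops = queue.popleft()
        for nxt in adj[node]:
            if nxt == dst:
                return hops + 1
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    return None


def network_diameter(links, access):
    """Worst-case switch count between any two access switches."""
    adj = build_graph(links)
    return max(switch_hops(adj, a, b) for a, b in combinations(access, 2))


def single_failure_gaps(links, access):
    """List (failed_switch, access_a, access_b) triples that lose connectivity
    when one non-access switch fails. An empty list means the distribution
    and core layers are redundant in the sense this chapter requires."""
    non_access = {n for link in links for n in link} - set(access)
    gaps = []
    for failed in sorted(non_access):
        adj = build_graph(links, failed={failed})
        for a, b in combinations(access, 2):
            if switch_hops(adj, a, b) is None:
                gaps.append((failed, a, b))
    return gaps


if __name__ == "__main__":
    print("diameter (switches):", network_diameter(LINKS, ACCESS))
    print("gaps after any single failure:", single_failure_gaps(LINKS, ACCESS))
    # Drop S1's second uplink: a single-homed access switch is now exposed.
    weak = [link for link in LINKS if link != ("S1", "D2")]
    print("gaps with S1 single-homed:", single_failure_gaps(weak, ACCESS))
```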

Start at the Access Layer

Imagine that a new network design is required. Design requirements, such as the
level of performance or redundancy necessary, are determined by the business
goals of the organization. Once the design requirements are documented, the
designer can begin selecting the equipment and infrastructure to implement the
design.

When you start the equipment selection at the access layer, you can ensure that
you accommodate all network devices needing access to the network. After you
have all end devices accounted for, you have a better idea of how many access
layer switches you need. The number of access layer switches, and the estimated
traffic that each generates, helps you to determine how many distribution layer
switches are required to achieve the performance and redundancy needed for the
network. After you have determined the number of distribution layer switches, you
can identify how many core switches are required to maintain the performance of
the network.

A thorough discussion on how to determine which switch to select based on traffic
flow analysis and how many core switches are required to maintain performance is
beyond the scope of this course. For a good introduction to network design, read
this book that is available from Ciscopress.com: Top-Down Network Design, by
Priscilla Oppenheimer (2004).

1.1.3 What is a converged network?
Small and medium-sized businesses are embracing the idea of running voice and
video services on their data networks. Let us look at how voice and video over IP
(VoIP) affect a hierarchical network.

Legacy Equipment

Convergence is the process of combining voice and video communications on a
data network. Converged networks have existed for a while now, but were only
feasible in large enterprise organizations because of the network infrastructure
requirements and complex management that was involved to make them work
seamlessly. There were high network costs associated with convergence because
more expensive switch hardware was required to support the additional bandwidth
requirements. Converged networks also required extensive management in relation
to Quality of Service (QoS), because voice and video data traffic needed to be
classified and prioritized on the network. Few individuals had the expertise in
voice, video, and data networks to make convergence feasible and functional. In
addition, legacy equipment hinders the process.

The figure shows a legacy telephone company switch. Most telephone companies
today have made the transition to digital-based switches. However, there are many
offices that still use analog phones, so they still have existing analog telephone
wiring closets. Because analog phones have not yet been replaced, you will also
see equipment that has to support both legacy PBX telephone systems and IP-based
phones. This sort of equipment will slowly be migrated to modern IP-based phone
switches.

Moving to a converged network can be a difficult decision if the business already
invested in separate voice, video, and data networks. It is difficult to abandon an
investment that still works, but there are several advantages to converging voice,
video, and data on a single network infrastructure.

One benefit of a converged network is that there is just one network to manage.
With separate voice, video, and data networks, changes to the network have to be
coordinated across networks. There are also additional costs resulting from using
three sets of network cabling. Using a single network means you just have to
manage one wired infrastructure.

Another benefit is lower implementation and management costs. It is less
expensive to implement a single network infrastructure than three distinct network
infrastructures.

Managing a single network is also less expensive. Traditionally, if a business has
a separate voice and data network, they have one group of people managing the
voice network and another group managing the data network. With a converged
network, you have one group managing both the voice and data networks.

Advanced Technology

Converging voice, video, and data networks has become more popular recently in
the small to medium-sized business market because of advancements in technology.
Convergence is now easier to implement and manage, and less expensive to
purchase. The figure shows a high-end VoIP phone and switch combination suitable
for a medium-sized business of 250-400 employees. The figure also shows a Cisco
Catalyst Express 500 switch and a Cisco 7906G phone suitable for small to
medium-sized businesses. This VoIP technology used to be affordable only to
enterprises and governments.

New Options

Converged networks give you options that had not existed previously. You can now
tie voice and video communications directly into an employee's personal computer
system, as shown in the figure. There is no need for an expensive handset phone or
videoconferencing equipment. You can accomplish the same function using special
software integrated with a personal computer. Softphones, such as the Cisco IP
Communicator, offer a lot of flexibility for businesses. The person in the top left
of the figure is using a softphone on the computer. When software is used in place
of a physical phone, a business can quickly convert to converged networks, because
there is no capital expense in purchasing IP phones and the switches needed to
power the phones. With the addition of inexpensive webcams, videoconferencing can
be added to a softphone. These are just a few examples provided by a broader
communications solution portfolio that redefine business processes today.

Separate Voice, Video and Data Networks

As you see in the figure, a voice network contains isolated phone lines running to
a PBX switch to allow phone connectivity to the Public Switched Telephone Network
(PSTN). When a new phone is added, a new line has to be run back to the PBX. The
PBX switch is typically located in a telco wiring closet, separate from the data
and video wiring closets. The wiring closets are usually separated because
different support personnel require access to each system. However, using a
properly designed hierarchical network, and implementing QoS policies that
prioritize the audio data, voice data can be converged onto an existing data
network with little to no impact on audio quality.

In this figure, videoconferencing equipment is wired separately from the voice and
data networks. Videoconferencing data can consume significant bandwidth on a
network. As a result, video networks were maintained separately to allow the
videoconferencing equipment to operate at full speed without competing for
bandwidth with voice and data streams. Using a properly designed hierarchical
network, and implementing QoS policies that prioritize the video data, video can
be converged onto an existing data network with little to no impact on video
quality.

Click the Data Network button in the figure to see an example of a separate data
network. The data network interconnects the workstations and servers on a network
to facilitate resource sharing. Data networks can consume significant data
bandwidth, which is why voice, video, and data networks were kept separated for
such a long time. Now that properly designed hierarchical networks can accommodate
the bandwidth requirements of voice, video, and data communications at the same
time, it makes sense to converge them all onto a single hierarchical network.

1.2 Matching switches to specific LAN functions
1.2.1 Considerations for hierarchical network switches
Traffic Flow Analysis

To select the appropriate switch for a layer in a hierarchical network, you need to
have specifications that detail the target traffic flows, user communities, data
servers, and data storage servers.

Companies need a network that can meet evolving requirements. A business may
start with a few PCs interconnected so that they can share data. As the business
adds more employees, devices, such as PCs, printers, and servers, are added to the
network. Accompanying the new devices is an increase in network traffic. Some
companies are replacing their existing telephone systems with converged VoIP phone
systems, which adds additional traffic.

When selecting switch hardware, determine which switches are needed in the core,
distribution, and access layers to accommodate the bandwidth requirements of your
network. Your plan should take into account future bandwidth requirements.
Purchase the appropriate Cisco switch hardware to accommodate both current needs
as well as future needs. To help you more accurately choose appropriate switches,
perform and record traffic flow analyses on a regular basis.

Traffic Flow Analysis

Traffic flow analysis is the process of measuring the bandwidth usage on a network
and analyzing the data for the purpose of performance tuning, capacity planning,
and making hardware improvement decisions. Traffic flow analysis is done using
traffic flow analysis software. Although there is no precise definition of network
traffic flow, for the purposes of traffic flow analysis we can say that network
traffic is the amount of data sent through a network for a given period of time.
All network data contributes to the traffic, regardless of its purpose or source.
Analyzing the various traffic sources and their impact on the network allows you
to more accurately tune and upgrade the network to achieve the best possible
performance.

Traffic flow data can be used to help determine just how long you can continue
using existing network hardware before it makes sense to upgrade to accommodate
additional bandwidth requirements. When you are making your decisions about which
hardware to purchase, you should consider port densities and switch forwarding
rates to ensure adequate growth capability. Port density and forwarding rates are
explained later in this chapter.

There are many ways to monitor traffic flow on a network. You can manually monitor
individual switch ports to get the bandwidth utilization over time. When analyzing
the traffic flow data, you want to determine future traffic flow requirements based
on the capacity at certain times of the day and where most of the data is
generated and sent. However, to obtain accurate results, you need to record enough
data. Manual recording of traffic data is a tedious process that requires a lot of
time and diligence. Fortunately, there are some automated solutions.

Analysis Tools

Many traffic flow analysis tools that automatically record traffic flow data to a
database and perform a trend analysis are available. In larger networks, software
collection solutions are the only effective method for performing traffic flow
analysis. The figure displays sample output from Solarwinds Orion 8.1 NetFlow
Analysis, which monitors traffic flow on a network. While the software is
collecting data, you can see just how every interface is performing at any given
point in time on the network. Using the included charts, you can identify traffic
flow problems visually. This is much easier than having to interpret the numbers
in a column of traffic flow data.

For a list of some commercial traffic flow collection and analysis tools, visit
http://www.cisco.com/warp/public/732/Tech/nmp/netflow/partners/commercial/index.shtml.

For a list of some freeware traffic flow collection and analysis tools, visit
http://www.cisco.com/warp/public/732/Tech/nmp/netflow/partners/freeware/index.shtml.
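Manual port monitoring, as described above, is usually a matter of reading interface byte counters twice and turning the difference into utilization. This added example (not from the course; the port names, link speeds and counter values are constructed) does that calculation for a polling interval, handles the one edge case that corrupts hand-kept spreadsheets, a 64-bit counter that wraps between readings, and flags ports whose utilization points at a bottleneck.

```python
"""Turn two snapshots of switch interface byte counters (the values SNMP
ifHCInOctets / ifHCOutOctets report) into per-port utilization and flag the
ports approaching saturation. Added example with constructed sample data; port
names, speeds and counter values are made up for illustration."""

COUNTER_MAX = 2 ** 64  # 64-bit high-capacity counters wrap at this value


def counter_delta(old, new, counter_max=COUNTER_MAX):
    """Bytes counted between two readings, tolerating a single counter wrap
    (otherwise a wrap shows up as a negative or absurdly large delta)."""
    if new >= old:
        return new - old
    return counter_max - old + new


def utilization_pct(delta_bytes, seconds, speed_bps):
    """One-direction link utilization in percent over the polling interval."""
    if seconds <= 0 or speed_bps <= 0:
        raise ValueError("interval and link speed must be positive")
    return 100.0 * (delta_bytes * 8) / (seconds * speed_bps)


def analyze(snap_a, snap_b, interval_s, speeds, threshold_pct=70.0):
    """Return {port: (in_pct, out_pct, flagged)} for ports present in both
    snapshots with a known speed. Full-duplex links are measured per direction;
    a port is flagged when either direction exceeds threshold_pct."""
    report = {}
    for port, (in_a, out_a) in snap_a.items():
        if port not in snap_b or port not in speeds:
            continue  # port removed or speed unknown: skip rather than guess
        in_b, out_b = snap_b[port]
        speed = speeds[port]
        in_pct = utilization_pct(counter_delta(in_a, in_b), interval_s, speed)
        out_pct = utilization_pct(counter_delta(out_a, out_b), interval_s, speed)
        flagged = max(in_pct, out_pct) > threshold_pct
        report[port] = (round(in_pct, 1), round(out_pct, 1), flagged)
    return report


# Constructed sample: (inOctets, outOctets) read 300 s apart on an access
# switch whose Gi0/24 is the uplink to the distribution layer.
GBPS = 1_000_000_000
INTERVAL_S = 300
SPEEDS = {"Gi0/1": GBPS, "Gi0/2": GBPS, "Gi0/24": GBPS}
SNAP_T0 = {
    "Gi0/1": (1_000_000, 500_000),
    "Gi0/2": (2 ** 64 - 1_000, 0),            # counter about to wrap
    "Gi0/24": (10 ** 9, 10 ** 9),
}
SNAP_T1 = {
    "Gi0/1": (1_000_000 + 750_000_000, 500_000 + 100_000_000),
    "Gi0/2": (2_000, 5_000),                   # wrapped during the interval
    "Gi0/24": (10 ** 9 + 30_000_000_000, 10 ** 9 + 2_000_000_000),
}

if __name__ == "__main__":
    for port, (rx, tx, hot) in analyze(SNAP_T0, SNAP_T1, INTERVAL_S, SPEEDS).items():
        state = "BOTTLENECK" if hot else "ok"
        print(f"{port:7} in {rx:5.1f}%  out {tx:5.1f}%  {state}")
```

With the sample data the uplink Gi0/24 reports 80% inbound and is flagged, while the wrapped counter on Gi0/2 comes out as a few kilobytes rather than a bogus multi-exabyte delta.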

User Communities Analysis

User community analysis is the process of identifying various groupings of users
and their impact on network performance. The way users are grouped affects issues
related to port density and traffic flow, which, in turn, influences the selection
of network switches. Port density is explained later in this chapter.

In a typical office building, end users are grouped according to their job
function, because they require similar access to resources and applications. You
may find the Human Resource (HR) department located on one floor of an office
building, while Finance is located on another floor. Each department has a
different number of users and application needs, and requires access to different
data resources available through the network. For example, when selecting switches
for the wiring closets of the HR and Finance departments, you would choose a
switch that had enough ports to meet the department needs and was powerful enough
to accommodate the traffic requirements for all the devices on that floor.
Additionally, a good network design plan factors in the growth of each department
to ensure that there are enough open switch ports that can be utilized before the
next planned upgrade to the network. As shown in the figure, the HR department
requires 20 workstations for its 20 users. That translates to 20 switch ports
needed to connect the workstations to the network. If you were to select an
appropriate access layer switch to accommodate the HR department, you would
probably choose a 24 port switch, which has enough ports to accommodate the 20
workstations and the uplinks to the distribution layer switches.

Future Growth

But this plan does not account for future growth. Consider what will happen if the
HR department grows by five employees. A solid network plan includes the rate of
personnel growth over the past five years to be able to anticipate the future
growth. With that in mind, you would want to purchase a switch that can
accommodate more than 24 ports, such as stackable or modular switches that can
scale.

As well as looking at the number of devices on a given switch in a network, you
should investigate the network traffic generated by end-user applications. Some
user communities use applications that generate a lot of network traffic, while
other user communities do not. By measuring the network traffic generated for all
applications in use by different user communities, and determining the location of
the data source, you can identify the effect of adding more users to that
community.

A workgroup-sized user community in a small business is supported by a couple of
switches and typically connected to the same switch as the server. In medium-sized
businesses or enterprises, user communities are supported by many switches. The
resources that medium-sized business or enterprise user communities need could be
located in geographically separate areas. Consequently, the location of the user
communities influences where data stores and server farms are located.

If the Finance users are using a network-intensive application that exchanges data
with a specific server on the network, it may make sense to locate the Finance
user community close to that server. By locating users close to their servers and
data stores, you can reduce the network diameter for their communications, thereby
reducing the impact of their traffic across the rest of the network.

One complication of analyzing application usage by user communities is that usage
is not always bound by department or physical location. You may have to analyze
the impact of the application across many network switches to determine its
overall impact.

Data Stores and Data Servers Analysis

When analyzing traffic on a network, consider where the data stores and servers
are located so that you can determine the impact of traffic on the network. Data
stores can be servers, storage area networks (SANs), network-attached storage
(NAS), tape backup units, or any other device or component where large quantities
of data are stored.

When considering the traffic for data stores and servers, consider both
client-server traffic and server-server traffic.

Client-server traffic is the traffic generated when a client device accesses data from data stores or servers. Client-server traffic typically traverses multiple switches to reach its destination. Bandwidth aggregation and switch forwarding rates are important factors to consider when attempting to eliminate bottlenecks for this type of traffic.

Server-server traffic is the traffic generated between data storage devices on the network. Some server applications generate very high volumes of traffic between data stores and other servers. To optimize server-server traffic, servers needing frequent access to certain resources should be located in close proximity to each other so that the traffic they generate does not affect the performance of the rest of the network.

Servers and data stores are typically located in data centers within a business. A data center is a secured area of the building where servers, data stores, and other network equipment are located. A device can be physically located in the data center but represented in quite a different location in the logical topology. Traffic across data center switches is typically very high due to the server-server and client-server traffic that traverses the switches. As a result, switches selected for data centers should be higher performing switches than the switches you would find in the wiring closets at the access layer.

By examining the data paths for various applications used by different user communities, you can identify potential bottlenecks where performance of the application can be affected by inadequate bandwidth. To improve the performance, you could aggregate links to accommodate the bandwidth, or replace the slower switches with faster switches capable of handling the traffic load.

Topology Diagrams
A topology diagram is a graphical representation of a network infrastructure. As you can see in the figure, a topology diagram shows how all switches are interconnected, detailed down to which switch port interconnects the devices. A topology diagram graphically displays any redundant paths or aggregated ports between switches that provide

for resiliency and performance. The topology diagram identifies each switch port used for inter-switch communications and redundant paths between access layer switches and distribution layer switches. The topology diagram also displays where different user communities are located on the network and the location of the servers and data stores.

A network topology can be very difficult to piece together after the fact if you were not part of the design process. Network cables in the wiring closets disappear into the floors and ceilings, making it difficult to trace their destinations. And because devices are spread throughout the building, it is difficult to know how all of the pieces are connected together. With patience, you can determine just how everything is interconnected and then document the network infrastructure in a topology diagram.

The figure displays a simple network topology diagram. Notice how many switches are present in the network, as well as how each switch is interconnected. It shows where and how many switches are in use on your network, as well as identifies their configuration. Topology diagrams can also contain information about device densities and user communities. Having a topology diagram allows you to visually identify potential bottlenecks in network traffic so that you can focus your traffic analysis data collection on areas where improvements can have the most significant impact on performance.

1.2.2 Switch features
Switch Form Factors
What are the key features of switches that are used in hierarchical networks? When you look up the specifications for a switch, what do all of the acronyms and word phrases mean? What does "PoE" mean and what is "forwarding rate"? In this topic, you will learn about these features.

When you are selecting a switch, you need to decide between fixed configuration or modular configuration, and stackable or non-stackable. Another consideration

is the thickness of the switch expressed in number of rack units. For example, the Fixed Configuration Switches shown in the figure are all 1 rack unit (1U). These options are sometimes referred to as switch form factors.

Fixed Configuration Switches
Fixed configuration switches are just as you might expect, fixed in their configuration. What that means is that you cannot add features or options to the switch beyond those that originally came with the switch. The particular model you purchase determines the features and options available. For example, if you purchase a 24-port gigabit fixed switch, you cannot add additional ports when you need them. There are typically different configuration choices that vary in how many and what types of ports are included.

Modular Switches
Modular switches offer more flexibility in their configuration. Modular switches typically come with different sized chassis that allow for the installation of different numbers of modular line cards. The line cards actually contain the ports. The line card fits into the switch chassis like expansion cards fit into a PC. The larger the chassis, the more modules it can support. As you can see in the figure, there can be many different chassis sizes to choose from. If you bought a modular switch with a 24-port line card, you could easily add an additional 24-port line card, to bring the total number of ports up to 48.

Stackable Switches
Stackable switches can be interconnected using a special backplane cable that provides high-bandwidth throughput between the switches. Cisco introduced StackWise technology in one of its switch product lines. StackWise allows you to interconnect up to nine switches using fully redundant backplane connections. As you can see in the figure, switches are stacked one atop the other, and cables connect the switches in daisy chain fashion. The stacked switches effectively operate as a single larger switch. Stackable switches are desirable where fault tolerance and bandwidth availability are critical and a modular switch is too costly to implement. Using cross-connected connections, the network can recover quickly if a single switch fails. Stackable switches use a special port for interconnections and do not use line ports for inter-switch connections. The speeds are also typically faster than using line ports for connecting switches.

Performance
When selecting a switch for the access, distribution, or core layer, consider the ability of the switch to support the port density, forwarding rates, and bandwidth aggregation requirements of your network.

Port Density
Port density is the number of ports available on a single switch. Fixed configuration switches typically support up to 48 ports on a single device, with options for up to four additional ports for small form-factor pluggable (SFP) devices, as shown in the figure. High port densities allow for better use of space and power when both are in limited supply. If you have two switches that each contain 24 ports, you would be able to support up to 46 devices, because you lose at least one port per switch to connect each switch to the rest of the network. In addition, two power outlets are required. On the other hand, if you have a single 48-port switch, 47 devices can be supported, with only one port used to connect the switch to the rest of the network, and only one power outlet needed to accommodate the single switch.

Modular switches can support very high port densities through the addition of multiple switch port line cards, as shown in the figure. For example, the Catalyst 6500 switch can support in excess of 1,000 switch ports on a single device.

Large enterprise networks that support many thousands of network devices require high density, modular switches to make the best use of space and power. Without using a high-density modular switch, the network would need many fixed

configuration switches to accommodate the number of devices that need network access. This approach can consume many power outlets and a lot of closet space. You must also address the issue of uplink bottlenecks. A series of fixed configuration switches may consume many additional ports for bandwidth aggregation between switches for the purpose of achieving target performance. With a single modular switch, bandwidth aggregation is less of an issue because the backplane of the chassis can provide the necessary bandwidth to accommodate the devices connected to the switch port line cards.

Forwarding Rates
The figure shows an example of forwarding rates on switches with different port densities. Forwarding rates define the processing capabilities of a switch by rating how much data the switch can process per second. Switch product lines are classified by forwarding rates. Entry-layer switches have lower forwarding rates than enterprise-layer switches. Forwarding rates are important to consider when selecting a switch. If the switch forwarding rate is too low, it cannot accommodate full wire-speed communication across all of its switch ports. Wire speed is the data rate that each port on the switch is capable of attaining, either 100 Mb/s Fast Ethernet or 1000 Mb/s Gigabit Ethernet. For example, a 48-port gigabit switch operating at full wire speed generates 48 Gb/s of traffic. If the switch only supports a forwarding rate of 32 Gb/s, it cannot run at full wire speed across all ports simultaneously. Fortunately, access layer switches typically do not need to operate at full wire speed because they are physically limited by their uplinks to the distribution layer. This allows you to use less expensive, lower performing switches at the access layer, and use the more expensive, higher performing switches at the distribution and core layers, where the forwarding rate makes a bigger difference.

Link Aggregation
As part of bandwidth aggregation, you should determine if there are enough ports on a switch to aggregate to support the required bandwidth. For example, consider a Gigabit Ethernet port, which carries up to 1 Gb/s of traffic. If you have a 24-port switch, with all ports capable of running at gigabit speeds, you could generate up to 24 Gb/s of network traffic. If the switch is connected to the rest of the network by a single network cable, it can only forward 1 Gb/s of the data to the rest of the network. Due to the contention for bandwidth, the data would forward more slowly. That results in 1/24th wire speed available to each of the 24 devices connected to the switch. Wire speed describes the theoretical maximum data transmission rate of a connection. For example, the wire speed of an Ethernet connection is dependent on the physical and electrical properties of the cable, combined with the lowest layer of the connection protocols.

Link aggregation helps to reduce these bottlenecks of traffic by allowing up to eight switch ports to be bound together for data communications, providing up to 8 Gb/s of data throughput when Gigabit Ethernet ports are used. With the addition of multiple 10 Gigabit Ethernet (10GbE) uplinks on some enterprise-layer switches, very high throughput rates can be achieved.

Cisco uses the term EtherChannel when describing aggregated switch ports. As you can see in the figure, four separate ports on switches C1 and D1 are used to create a 4-port EtherChannel. EtherChannel technology allows a group of physical Ethernet links to create one logical Ethernet link for the purpose of providing fault tolerance and high-speed links between switches, routers, and servers. In this example, there is four times the throughput when compared to the single port connection between switches C1 and D2.
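As an added illustration that is not part of the course text, the following Python script models the forwarding-rate and uplink arithmetic from the two passages above (the 48-port switch with a 32 Gb/s forwarding rate, and the 24-port switch behind a single gigabit link or an EtherChannel). The switch models, constants and helper names are assumptions constructed for the example, not Catalyst specifications.

```python
"""Added example, not part of the course text: a small model of the
access-layer bottleneck arithmetic the chapter walks through (forwarding
rate versus wire speed, and the share of bandwidth each device keeps when
the switch hangs off one uplink or an EtherChannel of up to eight links).
All rates are integers in Mb/s; the switch models are constructed for the
example and are not Catalyst specifications.
"""
from dataclasses import dataclass
from fractions import Fraction

MAX_ETHERCHANNEL_LINKS = 8       # the chapter: up to eight ports bound together
FAST_ETHERNET, GIGABIT, TEN_GIG = 100, 1_000, 10_000


@dataclass(frozen=True)
class AccessSwitch:
    name: str
    ports: int                   # user-facing ports
    port_speed: int              # wire speed per port, Mb/s
    forwarding_rate: int         # switch fabric capacity, Mb/s
    uplinks: int = 1             # physical uplink ports bound into one EtherChannel
    uplink_speed: int = GIGABIT  # Mb/s per uplink port


def wire_speed_demand(sw: AccessSwitch) -> int:
    """Traffic produced if every port ran at full wire speed at once."""
    return sw.ports * sw.port_speed


def runs_at_wire_speed(sw: AccessSwitch) -> bool:
    """Can the forwarding rate carry all ports at wire speed simultaneously?"""
    return sw.forwarding_rate >= wire_speed_demand(sw)


def uplink_capacity(sw: AccessSwitch) -> int:
    """Bandwidth towards the distribution layer; rejects bundles EtherChannel cannot form."""
    if not 1 <= sw.uplinks <= MAX_ETHERCHANNEL_LINKS:
        raise ValueError(f"{sw.name}: an EtherChannel bundles 1 to "
                         f"{MAX_ETHERCHANNEL_LINKS} ports, not {sw.uplinks}")
    return sw.uplinks * sw.uplink_speed


def per_device_share(sw: AccessSwitch) -> Fraction:
    """Fraction of its port's wire speed each device keeps when every port sends
    to the rest of the network at once (capped at 1: nothing exceeds wire speed)."""
    capacity = min(uplink_capacity(sw), sw.forwarding_rate)
    return min(Fraction(capacity, wire_speed_demand(sw)), Fraction(1))


def bottleneck(sw: AccessSwitch) -> str:
    """Name the component that limits traffic leaving the switch."""
    demand = wire_speed_demand(sw)
    capacity = uplink_capacity(sw)
    if capacity < demand and capacity <= sw.forwarding_rate:
        return "uplink"
    if sw.forwarding_rate < demand:
        return "forwarding rate"
    return "none"


def describe(sw: AccessSwitch) -> str:
    share = per_device_share(sw)
    return (f"{sw.name}: {sw.ports} x {sw.port_speed} Mb/s ports, fabric "
            f"{sw.forwarding_rate} Mb/s, uplink {uplink_capacity(sw)} Mb/s -> "
            f"wire speed on all ports: {runs_at_wire_speed(sw)}, per-device share "
            f"{share} ({float(share):.1%}), bottleneck: {bottleneck(sw)}")


if __name__ == "__main__":
    # Figures from the chapter: a 48-port gigabit switch with a 32 Gb/s forwarding rate,
    # and a 24-port gigabit switch on one gigabit uplink versus an 8-link EtherChannel.
    for sw in (
        AccessSwitch("48-port gigabit, 32 Gb/s fabric", 48, GIGABIT, 32_000,
                     uplinks=1, uplink_speed=TEN_GIG),
        AccessSwitch("24-port gigabit, one gigabit uplink", 24, GIGABIT, 32_000),
        AccessSwitch("24-port gigabit, 8-link EtherChannel", 24, GIGABIT, 32_000, uplinks=8),
        AccessSwitch("24-port Fast Ethernet, one gigabit uplink", 24, FAST_ETHERNET, 8_800),
    ):
        print(describe(sw))
```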

PoE and Layer 3 Functionality
Two other characteristics you want to consider when selecting a switch are Power over Ethernet (PoE) and Layer 3 functionality.

Power over Ethernet
Power over Ethernet (PoE) allows the switch to deliver power to a device over the existing Ethernet cabling. As you can see in the figure, this feature can be used by IP phones and some wireless access points. PoE allows you more flexibility when installing wireless access points and IP phones because you can install them anywhere you can run an Ethernet cable. You do not need to consider how to run ordinary power to the device. You should only select a switch that supports PoE if you are actually going to take advantage of the feature, because it adds considerable cost to the switch.


Layer 3 Functions
The figure shows some Layer 3 functions that can be provided by switches in a hierarchical network. Typically, switches operate at Layer 2 of the OSI reference model, where they deal primarily with the MAC addresses of devices connected to switch ports. Layer 3 switches offer advanced functionality. Layer 3 switches are also known as multilayer switches.

1.2.3 Switch features in a hierarchical network
Access Layer Switch Features
Now that you know which factors to consider when choosing a switch, let us examine which features are required at each layer in a hierarchical network. You

will then be able to match the switch specification with its ability to function as an access, distribution, or core layer switch.

Access layer switches facilitate the connection of end node devices to the network. For this reason, they need to support features such as port security, VLANs, Fast Ethernet/Gigabit Ethernet, PoE, and link aggregation.

Port security allows the switch to decide how many or what specific devices are allowed to connect to the switch. All Cisco switches support port security. Port security is applied at the access layer. Consequently, it is an important first line of defense for a network. You will learn about port security in Chapter 2.

VLANs are an important component of a converged network. Voice traffic is typically given a separate VLAN. In this way, voice traffic can be supported with more bandwidth, more redundant connections, and improved security. Access layer switches allow you to set the VLANs for the end node devices on your network.

Port speed is also a characteristic you need to consider for your access layer switches. Depending on the performance requirements for your network, you must choose between Fast Ethernet and Gigabit Ethernet switch ports. Fast Ethernet allows up to 100 Mb/s of traffic per switch port. Fast Ethernet is adequate for IP telephony and data traffic on most business networks; however, performance is slower than Gigabit Ethernet ports. Gigabit Ethernet allows up to 1000 Mb/s of traffic per switch port. Most modern devices, such as workstations, notebooks, and IP phones, support Gigabit Ethernet. This allows for much more efficient data transfers, enabling users to be more productive. Gigabit Ethernet does have a drawback: switches supporting Gigabit Ethernet are more expensive.

Another feature requirement for some access layer switches is PoE. PoE dramatically increases the overall price of the switch across all Cisco Catalyst switch product lines, so it should only be considered when voice convergence is required or wireless access points are being implemented, and power is difficult or expensive to run to the desired location.

Link aggregation is another feature that is common to most access layer switches. Link aggregation allows the switch to use multiple links simultaneously. Access layer switches take advantage of link aggregation when aggregating bandwidth up to distribution layer switches. Because the uplink connection between the access layer switch and the distribution layer switch is typically the bottleneck in communication, the internal forwarding rate of access layer switches does not need to be as high as the link between the distribution and access layer switches. Characteristics such as the internal forwarding rate are less of a concern for access layer switches because they only handle traffic from the end devices and forward it to the distribution layer switches.

In a converged network supporting voice, video and data network traffic, access layer switches need to support QoS to maintain the prioritization of traffic. Cisco IP phones are types of equipment that are found at the access layer. When a

Cisco IP phone is plugged into an access layer switch port configured to support voice traffic, that switch port tells the IP phone how to send its voice traffic. QoS needs to be enabled on access layer switches so that voice traffic from the IP phone has priority over, for example, data traffic.

Distribution Layer Switch Features
Distribution layer switches have a very important role on the network. They collect the data from all the access layer switches and forward it to the core layer switches. As you will learn later in this course, traffic that is generated at Layer 2 on a switched network needs to be managed, or segmented into VLANs, so it does not needlessly consume bandwidth throughout the network. Distribution layer switches provide the inter-VLAN routing functions so that one VLAN can communicate with another on the network. This routing typically takes place at the distribution layer because distribution layer switches have higher processing capabilities than the access layer switches. Distribution layer switches alleviate the core switches from needing to perform that task, since the core is busy handling the forwarding of very high volumes of traffic. Because inter-VLAN routing is performed at the distribution layer, the switches at this layer need to support Layer 3 functions.

Security Policies
Another reason why Layer 3 functionality is required for distribution layer switches is because of the advanced security policies that can be applied to network traffic. Access lists are used to control how traffic flows through the network. An Access Control List (ACL) allows the switch to prevent certain types of traffic and permit others. ACLs also allow you to control which network devices can communicate on the network. Using ACLs is processing-intensive because the switch needs to inspect every packet and see if it matches one of the ACL rules defined on the switch. This inspection is performed at the distribution layer, because the switches at this layer typically have the processing capability to handle the additional load, and it also simplifies the use of ACLs. Instead of using

ACLs for every access layer switch in the network, they are defined on the fewer distribution layer switches, making management of the ACLs much easier.

Quality of Service
The distribution layer switches also need to support QoS to maintain the prioritization of traffic coming from the access layer switches that have implemented QoS. Priority policies ensure that audio and video communications are guaranteed adequate bandwidth to maintain an acceptable quality of service. To maintain the priority of the voice data throughout the network, all of the switches that forward voice data must support QoS; if not all of the network devices support QoS, the benefits of QoS will be reduced. This results in poor performance and quality for audio and video communications.

The distribution layer switches are under high demand on the network because of the functions that they provide. It is important that distribution switches support redundancy for adequate availability. Loss of a distribution layer switch could have significant impact on the rest of the network because all access layer traffic passes through the distribution layer switches. Distribution layer switches are typically implemented in pairs to ensure availability. It is also recommended that distribution layer switches support multiple, hot swappable power supplies. Having more than one power supply allows the switch to continue operating even if one of the power supplies fails during operation. Having hot swappable power supplies allows you to change a failed power supply while the switch is still running. This allows you to repair the failed component without impacting the functionality of the network.

Finally, distribution layer switches need to support link aggregation. Typically, access layer switches use multiple links to connect to a distribution layer switch to ensure adequate bandwidth to accommodate the traffic generated on the access layer, and provide fault tolerance in case a link is lost. Because distribution layer switches accept incoming traffic from multiple access layer switches, they need to be able to forward all of that traffic as fast as possible to the core layer switches. As a result, distribution layer switches also need high-bandwidth aggregated links back to the core layer switches. Newer distribution layer switches support aggregated 10 Gigabit Ethernet (10GbE) uplinks to the core layer switches.

Core Layer Switch Features
The core layer of a hierarchical topology is the high-speed backbone of the network and requires switches that can handle very high forwarding rates. The required forwarding rate is largely dependent on the number of devices participating in the network. You determine your necessary forwarding rate by conducting and examining various traffic flow reports and user communities analyses. Based on your results, you can identify an appropriate switch to support the network. Take care to evaluate your needs for the present and near future. If you choose an inadequate switch to run in the core of the network, you face potential bottleneck issues in the core, slowing down all communications on the network.

Link Aggregation
The core layer also needs to support link aggregation to ensure adequate bandwidth coming into the core from the distribution layer switches. Core layer switches should have support for aggregated 10GbE connections, which is currently the fastest available Ethernet connectivity option. This allows corresponding distribution layer switches to deliver traffic as efficiently as possible to the core.

Redundancy
The availability of the core layer is also critical, so you should build in as much redundancy as you can. Layer 3 redundancy typically has a faster convergence than Layer 2 redundancy in the event of hardware failure. Convergence in this context refers to the time it takes for the network to adapt to a change, not to be confused with a converged network that supports data, audio, and video communications. With that in mind, you want to ensure that your core layer switches support Layer 3 functions. A complete discussion on the implications of Layer 3 redundancy is beyond the scope of this course. It remains an open question about the need for Layer 2 redundancy in this context. Layer 2

redundancy is examined in Chapter 5 when we discuss the spanning tree protocol (STP).

Also, look for core layer switches that support additional hardware redundancy features like redundant power supplies that can be swapped while the switch continues to operate. Because of the high workload carried by core layer switches, they tend to operate hotter than access or distribution layer switches, so they should have more sophisticated cooling options. Many true core layer-capable switches have the ability to swap cooling fans without having to turn the switch off.

For example, it would be disruptive to shut down a core layer switch to change a power supply or a fan in the middle of the day when the network usage is at its highest. To perform a hardware replacement, you could expect to have at least a 5 minute network outage, and that is if you are very fast at performing the maintenance. In a more realistic situation, the switch could be down for 30 minutes or more, which most likely is not acceptable. With hot-swappable hardware, there is no downtime during switch maintenance.

QoS is an important part of the services provided by core layer switches. For example, service providers (who provide IP, data storage, e-mail and other services) and enterprise Wide Area Networks (WANs) are adding more voice and video traffic to an already growing amount of data traffic. At the core and network edge, mission-critical and time-sensitive traffic such as voice should receive higher QoS guarantees than less time-sensitive traffic such as file transfers or e-mail. Since high-speed WAN access is often prohibitively expensive, adding bandwidth at the core layer is not an option. Because QoS provides a software-based solution to prioritize traffic, core layer switches can provide a cost-effective way of supporting optimal and differentiated use of existing bandwidth.

1.2.4 Switches for small and medium sized business
The features of Cisco Catalyst Switches
Now that you know which switch features are used at which layer in a hierarchical network, you will learn about the Cisco switches that are applicable for each layer in the hierarchical network model. The following classification of Cisco switches within the hierarchical network model represents a starting point for your deliberations on which switch is best for a given application. The classification presented reflects how you might see the range of Cisco switches if you were a multinational enterprise. For example, the port densities of the Cisco 6500 switch only make sense as an access layer switch where there are many hundreds of users in one area, such as the floor of a stock exchange. If you think of the needs of a medium-sized business, a switch that is shown as an access layer switch, the Cisco 3560 for example, could be used as a distribution layer switch if it met the criteria determined by the network designer for that application. You cannot simply select a Cisco switch by considering the size of a business. A small business with 12 employees might be integrated into the network of a large multinational enterprise and require all of the advanced LAN services available at the corporate head office.

Today, Cisco has seven switch product lines. Each product line offers different characteristics and features, allowing you to find the right switch to meet the functional requirements of your network. The Cisco switch product lines are:
– Catalyst Express 500
– Catalyst 2960
– Catalyst 3560
– Catalyst 3750
– Catalyst 4500
– Catalyst 4900
– Catalyst 6500

Catalyst Express 500
The Catalyst Express 500 is Cisco's entry-layer switch. It offers the following:
– Forwarding rates from 8.8 Gb/s to 24 Gb/s
– Layer 2 port security
– Web-based management
– Converged data/IP communications support
This switch series is appropriate for access layer implementations where high port density is not required. The Cisco Catalyst Express 500 series switches are scaled for small business environments ranging from 20 to 250 employees. The Catalyst Express 500 series switches are available in different fixed configurations:
– Fast Ethernet and Gigabit Ethernet connectivity
– Up to 24 10/100 ports with optional PoE or 12 10/100/1000 ports

Catalyst Express 500 series switches do not allow management through the Cisco IOS CLI. They are managed using a built-in web management interface, the Cisco Network Assistant or the new Cisco Configuration Manager developed specifically for the Catalyst Express 500 series switches. The Catalyst Express does not support console access. To learn more about the Cisco Express 500 series of switches, visit http://www.cisco.com/en/US/products/ps6545/index.html.

Catalyst 2960
The Catalyst 2960 series switches enable entry-layer enterprise, medium-sized, and branch office networks to provide enhanced LAN services. The Catalyst 2960 series switches are appropriate for access layer implementations where access to power and space is limited.

The CCNA Exploration 3 LAN Switching and Wireless labs are based on the features of the Cisco 2960 switch. The Catalyst 2960 series switches offer the following:
– Forwarding rates from 16 Gb/s to 32 Gb/s
– Multilayered switching
– QoS features to support IP communications
– Access control lists (ACLs)
– Fast Ethernet and Gigabit Ethernet connectivity
– Up to 48 10/100 ports or 10/100/1000 ports with additional dual purpose gigabit uplinks
The Catalyst 2960 series of switches do not support PoE. The Catalyst 2960 series supports the Cisco IOS CLI, integrated web management interface, and Cisco Network Assistant. This switch series supports console and auxiliary access to the switch. To learn more about the Catalyst 2960 series of switches, go to http://www.cisco.com/en/US/products/ps6406/index.html.

Catalyst 3560
The Cisco Catalyst 3560 series is a line of enterprise-class switches that include support for PoE, QoS, and advanced security features such as ACLs. These switches are ideal access layer switches for small enterprise LAN access or branch-office converged network environments. The Cisco Catalyst 3560 Series supports forwarding rates of 32 Gb/s to 128 Gb/s (Catalyst 3560-E switch series). The Catalyst 3560 series switches are available in different fixed configurations:
– Fast Ethernet and Gigabit Ethernet connectivity
– Up to 48 10/100/1000 ports, plus four small form-factor pluggable (SFP) ports

– Optional 10 Gigabit Ethernet connectivity in the Catalyst 3560-E models
– Optional Integrated PoE (Cisco pre-standard and IEEE 802.3af), up to 24 ports with 15.4 watts or 48 ports with 7.3 watts
To learn more about the Catalyst 3560 series of switches, visit http://www.cisco.com/en/US/products/hw/switches/ps5528/index.html.

Catalyst 3750
The Cisco Catalyst 3750 series of switches are ideal for access layer switches in midsize organizations and enterprise branch offices. This series offers forwarding rates from 32 Gb/s to 128 Gb/s (Catalyst 3750-E switch series). The Catalyst 3750 series supports Cisco StackWise technology. StackWise technology allows you to interconnect up to nine physical Catalyst 3750 switches into one logical switch using a high-performance (32 Gb/s), redundant, backplane connection.

The Catalyst 3750 series switches are available in different stackable fixed configurations:
– Fast Ethernet and Gigabit Ethernet connectivity
– Up to 48 10/100/1000 ports, plus four SFP ports
– Optional 10 Gigabit Ethernet connectivity in the Catalyst 3750-E models
– Optional Integrated PoE (Cisco pre-standard and IEEE 802.3af), up to 24 ports with 15.4 watts or 48 ports with 7.3 watts
To learn more about the Catalyst 3750 series of switches, visit http://www.cisco.com/en/US/products/hw/switches/ps5023/index.html.

Catalyst 4500
The Catalyst 4500 is the first midrange modular switching platform offering multilayer switching for enterprises, small- to medium-sized businesses, and service providers. With forwarding rates up to 136 Gb/s, the Catalyst 4500 series is capable of managing traffic at the distribution layer. The modular capability of the Catalyst 4500 series allows for very high port densities through the addition of switch port line cards to its modular chassis. The Catalyst 4500 series offers multilayer QoS and sophisticated routing functions. The Catalyst 4500 series switches are available in different modular configurations:
– Modular 3, 6, 7, and 10 slot chassis offering different layers of scalability
– High port density: up to 384 Fast Ethernet or Gigabit Ethernet ports available in copper or fiber with 10 Gigabit uplinks
– PoE (Cisco pre-standard and IEEE 802.3af)
– Dual, redundant, hot-swappable internal AC or DC power supplies
– Advanced hardware-assisted IP routing capabilities
To learn more about the Catalyst 4500 series of switches, visit http://www.cisco.com/en/US/products/hw/switches/ps4324/index.html.

Catalyst 4900
The Catalyst 4900 series switches are designed and optimized for server switching by allowing very high forwarding rates. The Cisco Catalyst 4900 is not a typical access layer switch. It is a specialty access layer switch designed for data center deployments where many servers may exist in close proximity. This switch series supports dual, redundant power supplies and fans that can be swapped out while the switch is still running. This allows the switches to achieve higher availability, which is critical in data center deployments.

The Catalyst 4900 series switches support advanced QoS features, making them ideal candidates for the back-end IP telephony hardware. Catalyst 4900 series switches do not support the StackWise feature of the Catalyst 3750 series, nor do they support PoE.

The Catalyst 4900 series switches are available in different fixed configurations:
– Up to 48 10/100/1000 ports with four SFP ports or 48 10/100/1000 ports with two 10GbE ports
– Dual, redundant, hot-swappable internal AC or DC power supplies
– Hot-swappable fan trays
To learn more about the Catalyst 4900 series of switches, visit http://www.cisco.com/en/US/products/ps6021/index.html.

Catalyst 6500
The Catalyst 6500 series modular switch is optimized for secure, converged voice, video, and data networks. The Catalyst 6500 is capable of managing traffic at the distribution and core layers. The Catalyst 6500 series is the highest performing Cisco switch, supporting forwarding rates up to 720 Gb/s. The Catalyst 6500 is ideal for very large network environments found in enterprises, medium-sized businesses, and service providers. The Catalyst 6500 series switches are available in different modular configurations:
– Modular 3, 4, 6, 9, and 13 slot chassis
– LAN/WAN service modules
– PoE up to 420 IEEE 802.3af Class 3 (15.4W) PoE devices
– Up to 1152 10/100 ports, 577 10/100/1000 ports, 410 SFP Gigabit Ethernet ports, or 64 10 Gigabit Ethernet ports
– Dual, redundant, hot-swappable internal AC or DC power supplies
– Advanced hardware-assisted IP routing capabilities
To learn more about the Catalyst 6500 series of switches, visit http://www.cisco.com/en/US/products/hw/switches/ps708/index.html.

The following tool can help identify the correct switch for an implementation: http://www.cisco.com/en/US/products/hw/switches/products_promotion0900aecd8050364f.html.

com/en/US/prod/switches/ps5718/ps708/networking_solutions_p roducts_genericcontent0900aecd805f0955.cisco.pdf. . 38 The following guide provides a detailed comparison of current switch offerings from Cisco: http://www.

1.4.1 Chapter summary

In this chapter, we discussed the hierarchical design model. Implementing this model improves the performance, scalability, availability, manageability, and maintainability of the network. Hierarchical network topologies facilitate network convergence by enhancing the performance necessary for voice and video data to be combined onto the existing data network.

Traffic flow, user communities, data stores and server location, and topology diagram analysis are used to help identify network bottlenecks. The bottlenecks can then be addressed to improve the performance of the network and accurately determine appropriate hardware requirements to satisfy the desired performance of the network.

We surveyed the different switch features, such as form factor, PoE, and Layer 3 support, and how they relate to the different layers of the hierarchical network design. An array of Cisco Catalyst switch product lines is available to support any application or business size.


2.1.1 Chapter introduction

In this chapter, you will build upon the skills learned in CCNA Exploration 4.0: Network Fundamentals, reviewing and reinforcing these skills with in-depth practice activities. You will explore how Ethernet communications function and how switches play a role in the communication process. You will learn about some key malicious threats to switches and learn to enable a switch with a secure initial configuration.

2.1.1 Key elements of Ethernet 802.3 networks

In this topic, you will learn about key components of the Ethernet standard that play a significant role in the design and implementation of switched networks.

CSMA/CD

Ethernet signals are transmitted to every host connected to the LAN using a special set of rules to determine which station can access the network. The set of rules that Ethernet uses is based on the IEEE carrier sense multiple access/collision detect (CSMA/CD) technology. You may recall from CCNA Exploration: Networking Fundamentals that CSMA/CD is only used with half-duplex communication typically found in hubs. Full-duplex switches do not use CSMA/CD.

Carrier Sense

In the CSMA/CD access method, all network devices that have messages to send must listen before transmitting. If a device detects a signal from another device, it waits for a specified amount of time before attempting to transmit. When there is no traffic detected, a device transmits its message. While this transmission is occurring, the device continues to listen for traffic or collisions on the LAN. After the message is sent, the device returns to its default listening mode.

Multi-access

If the distance between devices is such that the latency of the signals of one device means that signals are not detected by a second device, the second device may also start to transmit. The media now has two devices transmitting signals at the same time. The messages propagate across the media until they encounter each other. At that point, the signals mix and the messages are destroyed: a collision has occurred. Although the messages are corrupted, the jumble of remaining signals continues to propagate across the media.

Collision Detection

When a device is in listening mode, it can detect when a collision occurs on the shared media, because all devices can detect an increase in the amplitude of the signal above the normal level. When a collision occurs, the other devices in listening mode, as well as all the transmitting devices, detect the increase in the signal amplitude. Every device that is transmitting continues to transmit to ensure that all devices on the network detect the collision.

Jam Signal and Random Backoff

When a collision is detected, the transmitting devices send out a jamming signal. The jamming signal notifies the other devices of a collision, so that they invoke a backoff algorithm. This backoff algorithm causes all devices to stop transmitting for a random amount of time, which allows the collision signals to subside. A random backoff period ensures that the devices that were involved in the collision do not try to send traffic again at the same time, which would cause the whole process to repeat. However, during the backoff period, a third device may transmit before either of the two involved in the collision have a chance to re-transmit. After the delay has expired on a device, the device goes back into the "listening before transmit" mode.
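The following simulation is an added example, not part of the course text, that plays the carrier sense, collision detection, jam and random backoff steps described above on one shared half-duplex segment. Time is modelled in slots; stations that start transmitting in the same slot collide, then back off. The text only says the backoff is a random delay; the growing backoff range used here (truncated binary exponential backoff) and the frame and jam lengths are assumptions made for the example.

```python
"""Slotted CSMA/CD simulation (added example, not from the course text).

Rules implemented from the text: listen before transmitting, keep listening
while sending, every transmitter detects the collision, a jam signal follows,
then each colliding station waits a random number of slots before listening
again. Assumption: the random range doubles with each collision a frame has
suffered (truncated binary exponential backoff). Stations are constructed.
"""
import random

FRAME_SLOTS = 5   # slots one frame occupies on the medium (assumed)
JAM_SLOTS = 1     # slots the jam signal occupies after a collision (assumed)


class Station:
    def __init__(self, name, frames_to_send):
        self.name = name
        self.pending = frames_to_send   # frames still to deliver
        self.backoff = 0                # slots to wait before listening again
        self.remaining = 0              # slots left in the current transmission
        self.collisions = 0             # collisions suffered by the current frame
        self.delivered = []             # slots at which a frame completed

    def wants_medium(self):
        return self.pending > 0 and self.backoff == 0 and self.remaining == 0


def simulate(stations, max_slots=10000, seed=1):
    """Run the segment until every frame is delivered or max_slots elapse."""
    rng = random.Random(seed)
    events, slot, jam_until = [], 0, 0
    while slot < max_slots and any(s.pending for s in stations):
        transmitting = [s for s in stations if s.remaining > 0]
        # Carrier sense: a ready station starts only when it hears silence
        # and the jam signal from any earlier collision has subsided.
        if not transmitting and slot >= jam_until:
            transmitting = [s for s in stations if s.wants_medium()]
            for s in transmitting:
                s.remaining = FRAME_SLOTS
        if len(transmitting) > 1:
            # Collision detection: more than one signal on the shared medium.
            events.append((slot, "collision: " + ",".join(s.name for s in transmitting)))
            jam_until = slot + 1 + JAM_SLOTS
            for s in transmitting:
                s.remaining = 0
                s.collisions += 1
                # Random backoff so the colliding stations do not retry together.
                s.backoff = rng.randrange(2 ** min(s.collisions, 10))
        elif len(transmitting) == 1:
            s = transmitting[0]
            s.remaining -= 1
            if s.remaining == 0:        # frame completed without a collision
                s.pending -= 1
                s.collisions = 0
                s.delivered.append(slot)
                events.append((slot, s.name + " delivered"))
        # Backoff timers run down whether or not the medium is busy; a station
        # whose timer expires still has to sense a free medium before sending.
        for s in stations:
            if s.backoff > 0 and s.remaining == 0:
                s.backoff -= 1
        slot += 1
    return {
        "events": events,
        "collisions": sum(1 for _, e in events if e.startswith("collision")),
        "delivered": {s.name: list(s.delivered) for s in stations},
        "finished": all(s.pending == 0 for s in stations),
    }


if __name__ == "__main__":
    for when, what in simulate([Station("A", 2), Station("B", 2), Station("C", 1)])["events"]:
        print("slot %4d: %s" % (when, what))
```

Three stations that all have a frame ready in slot 0 collide immediately, which is the situation the text describes; with the random backoff the medium eventually carries one frame at a time and every frame is delivered, while a lone station never collides at all.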


Ethernet Communications

Communications in a switched LAN network occur in three ways: unicast, broadcast, and multicast.

Unicast: Communication in which a frame is sent from one host and addressed to one specific destination. In unicast transmission, there is just one sender and one receiver. Unicast transmission is the predominant form of transmission on LANs and within the Internet. Examples of protocols that use unicast transmissions include HTTP, SMTP, FTP, and Telnet.

Broadcast: Communication in which a frame is sent from one address to all other addresses. In this case, there is just one sender, but the information is sent to all connected receivers. Broadcast transmission is essential when sending the same message to all devices on the LAN. An example of a broadcast transmission is the address resolution query that the address resolution protocol (ARP) sends to all computers on a LAN.

Multicast: Communication in which a frame is sent to a specific group of devices or clients. Multicast transmission clients must be members of a logical multicast group to receive the information. An example of multicast transmission is the video and voice transmissions associated with a network-based, collaborative business meeting.

Ethernet Frame

The first course in our series, CCNA Exploration: Networking Fundamentals, described the structure of the Ethernet frame in detail. To briefly review, the Ethernet frame structure adds headers and trailers around the Layer 3 PDU to encapsulate the message being sent. Both the Ethernet header and trailer have several sections (or fields) of information that are used by the Ethernet protocol. The figure shows the structure of the current Ethernet frame standard, the revised IEEE 802.3 (Ethernet).

Preamble and Start Frame Delimiter Fields

The Preamble (7 bytes) and Start Frame Delimiter (SFD) (1 byte) fields are used for synchronization between the sending and receiving devices. These first 8 bytes of the frame are used to get the attention of the receiving nodes. Essentially, the first few bytes tell the receivers to get ready to receive a new frame.

Destination MAC Address Field

The Destination MAC Address field (6 bytes) is the identifier for the intended recipient. This address is used by Layer 2 to assist a device in determining if a frame is addressed to it. The address in the frame is compared to the MAC address in the device. If there is a match, the device accepts the frame.

Source MAC Address Field

The Source MAC Address field (6 bytes) identifies the frame's originating NIC or interface. Switches use this address to add to their lookup tables.

Length/Type Field

The Length/Type field (2 bytes) defines the exact length of the frame's data field. This field is used later as part of the Frame Check Sequence (FCS) to ensure that the message was received properly. Only a frame length or a frame type can be entered here. If the purpose of the field is to designate a type, the Type field describes which protocol is implemented. When a node receives a frame and the Length/Type field designates a type, the node determines which higher layer protocol is present. If the two-octet value is equal to or greater than 0x0600 hexadecimal (1536 decimal), the contents of the Data field are decoded according to the protocol indicated; if the two-byte value is less than 0x0600, then the value represents the length of the data in the frame.

Data and Pad Fields

The Data and Pad fields (46 to 1500 bytes) contain the encapsulated data from a higher layer, which is a generic Layer 3 PDU, or more commonly, an IPv4 packet. All frames must be at least 64 bytes long (the minimum length aids the detection of collisions). If a small packet is encapsulated, the Pad field is used to increase the size of the frame to the minimum size.

Frame Check Sequence Field

The FCS field (4 bytes) detects errors in a frame. It uses a cyclic redundancy check (CRC). The sending device includes the results of a CRC in the FCS field of the frame. The receiving device receives the frame and generates a CRC to look for errors. If the calculations match, no error has occurred. If the calculations do not match, the frame is dropped.

MAC Address

In CCNA Exploration: Networking Fundamentals, you learned about the MAC address. An Ethernet MAC address is a two-part 48-bit binary value expressed as 12 hexadecimal digits. The address formats might be similar to 00-05-9A-3C-78-00, 00:05:9A:3C:78:00, or 0005.9A3C.7800.

All devices connected to an Ethernet LAN have MAC-addressed interfaces. The NIC uses the MAC address to determine if a message should be passed to the upper layers for processing. The MAC address is permanently encoded into a ROM chip on a NIC. This type of MAC address is referred to as a burned in address (BIA). Some vendors allow local modification of the MAC address. The MAC address is made up of the organizational unique identifier (OUI) and the vendor assignment number.

Organizational Unique Identifier

The OUI is the first part of a MAC address. It is 24 bits long and identifies the manufacturer of the NIC card. The IEEE regulates the assignment of OUI numbers. Within the OUI, there are 2 bits that have meaning only when used in the destination address, as follows:

Broadcast or multicast bit: Indicates to the receiving interface that the frame is destined for all or a group of end stations on the LAN segment.

Locally administered address bit: If the vendor-assigned MAC address can be modified locally, this bit should be set.

Vendor Assignment Number

The vendor-assigned part of the MAC address is 24 bits long and uniquely identifies the Ethernet hardware. It can be a BIA or modified by software, as indicated by the local bit.
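The following code is an added example, not part of the course text, that puts the Ethernet Frame and MAC Address sections above into working form: it builds a frame from the fields described, pads the Data field to the 64-byte minimum, computes the FCS with CRC-32, parses the frame back, interprets the Length/Type field against the 0x0600 threshold, and decodes the two special bits of the OUI. The MAC addresses and payloads are constructed; the Preamble and SFD are omitted because the NIC strips them before software sees the frame, and the byte order used to store the FCS is a choice made for this example.

```python
"""Ethernet frame encode/decode and MAC address decoding (added example)."""
import struct
import zlib

MIN_FRAME_LEN = 64        # minimum frame length including the 4-byte FCS
TYPE_THRESHOLD = 0x0600   # >= 0x0600 (1536) means a type, below it means a length


def parse_mac(text):
    """Accept 00-05-9A-3C-78-00, 00:05:9A:3C:78:00 or 0005.9A3C.7800."""
    digits = text.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError("MAC address must be 12 hex digits: %r" % text)
    return bytes.fromhex(digits)


def format_mac(mac, style="colon"):
    """Render 6 address bytes in one of the three notations from the text."""
    hexed = mac.hex().upper()
    if style == "colon":
        return ":".join(hexed[i:i + 2] for i in range(0, 12, 2))
    if style == "dash":
        return "-".join(hexed[i:i + 2] for i in range(0, 12, 2))
    if style == "cisco":
        return ".".join(hexed[i:i + 4] for i in range(0, 12, 4))
    raise ValueError(style)


def mac_info(mac):
    """Split OUI from the vendor-assigned part and decode the two OUI bits:
    bit 0 of the first octet = broadcast/multicast (group) bit,
    bit 1 of the first octet = locally administered bit."""
    first = mac[0]
    return {
        "oui": mac[:3].hex().upper(),
        "vendor_assigned": mac[3:].hex().upper(),
        "group": bool(first & 0x01),
        "broadcast": mac == b"\xff" * 6,
        "locally_administered": bool(first & 0x02),
    }


def build_frame(dst, src, length_or_type, data):
    """Return dst | src | length/type | data (+ pad) | FCS as bytes."""
    body = dst + src + struct.pack("!H", length_or_type) + data
    # Pad so that header + data + FCS reaches the 64-byte minimum.
    body += b"\x00" * max(0, MIN_FRAME_LEN - 4 - len(body))
    fcs = zlib.crc32(body) & 0xFFFFFFFF
    return body + struct.pack("<I", fcs)   # 4-byte FCS, byte order chosen here


def parse_frame(frame):
    """Recompute the CRC over the received frame; drop on mismatch (None),
    otherwise return the decoded fields."""
    if len(frame) < MIN_FRAME_LEN:
        raise ValueError("runt frame (%d bytes)" % len(frame))
    body, fcs_field = frame[:-4], frame[-4:]
    if zlib.crc32(body) & 0xFFFFFFFF != struct.unpack("<I", fcs_field)[0]:
        return None   # FCS mismatch: the receiving device discards the frame
    dst, src = body[:6], body[6:12]
    lt = struct.unpack("!H", body[12:14])[0]
    payload = body[14:]
    if lt >= TYPE_THRESHOLD:
        kind, data = "type", payload        # upper protocol decides where pad begins
    else:
        kind, data = "length", payload[:lt]  # length says how much is real data
    return {"dst": format_mac(dst), "src": format_mac(src), "kind": kind,
            "length_or_type": lt, "data": data}


if __name__ == "__main__":
    src = parse_mac("00-05-9A-3C-78-00")
    frame = build_frame(b"\xff" * 6, src, 0x0806, b"ARP request (constructed)")
    print(len(frame), parse_frame(frame))
```

Flipping any bit, even inside the pad, makes the recomputed CRC differ from the stored FCS, which is why the receiver can drop the frame without inspecting its contents.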

Duplex Settings

There are two types of duplex settings used for communications on an Ethernet network: half duplex and full duplex. The figure shows the two duplex settings available on modern network equipment.

Half Duplex: Half-duplex communication relies on unidirectional data flow where sending and receiving data are not performed at the same time. This is similar to how walkie-talkies or two-way radios function in that only one person can talk at any one time. If someone talks while someone else is already speaking, a collision occurs. As a result, half-duplex communication implements CSMA/CD to help reduce the potential for collisions and detect them when they do happen. Half-duplex communications have performance issues due to the constant waiting, because data can only flow in one direction at a time. Half-duplex connections are typically seen in older hardware, such as hubs. Nodes that are attached to hubs that share their connection to a switch port must operate in half-duplex mode because the end computers must be able to detect collisions. Nodes can operate in a half-duplex mode if the NIC card cannot be configured for full duplex operations. In this case the port on the switch defaults to a half-duplex mode as well. Because of these limitations, full-duplex communication has replaced half duplex in more current hardware.

Full Duplex: In full-duplex communication, data flow is bidirectional, so data can be sent and received at the same time. The bidirectional support enhances performance by reducing the wait time between transmissions. Most Ethernet, Fast Ethernet, and Gigabit Ethernet NICs sold today offer full-duplex capability. In full-duplex mode, the collision detect circuit is disabled. Frames sent by the two connected end nodes cannot collide because the end nodes use two separate circuits in the network cable. Each full-duplex connection uses only one port. Full-duplex connections require a switch that supports full duplex or a direct connection between two nodes that each support full duplex. Nodes that are directly attached to a dedicated switch port with NICs that support full duplex should be connected to switch ports that are configured to operate in full-duplex mode.

Standard, shared hub-based Ethernet configuration efficiency is typically rated at 50 to 60 percent of the 10-Mb/s bandwidth. Full-duplex Fast Ethernet, compared to 10-Mb/s bandwidth, offers 100 percent efficiency in both directions (100-Mb/s transmit and 100-Mb/s receive).

Switch Port Settings

A port on a switch needs to be configured with duplex settings that match the media type. Later in this chapter, you will configure duplex settings. The Cisco Catalyst switches have three settings:
– The auto option sets autonegotiation of duplex mode. With autonegotiation enabled, the two ports communicate to decide the best mode of operation.
– The full option sets full-duplex mode.
– The half option sets half-duplex mode.

For Fast Ethernet and 10/100/1000 ports, the default is auto. For 100BASE-FX ports, the default is full. The 10/100/1000 ports operate in either half- or full-duplex mode when they are set to 10 or 100 Mb/s, but when set to 1,000 Mb/s, they operate only in full-duplex mode.

Note: Autonegotiation can produce unpredictable results. By default, when autonegotiation fails, the Catalyst switch sets the corresponding switch port to half-duplex mode. This type of failure happens when an attached device does not support autonegotiation. If the device is manually configured to operate in half-duplex mode, it matches the default mode of the switch. However, autonegotiation errors can happen if the device is manually configured to operate in full-duplex mode. Having half-duplex on one end and full-duplex on the other causes late collision errors at the half-duplex end. To avoid this situation, manually set the duplex parameters of the switch to match the attached device. If the switch port is in full-duplex mode and the attached device is in half-duplex mode, check for FCS errors on the switch full-duplex port.

auto-MDIX

Connections between specific devices, such as switch-to-switch or switch-to-router, once required the use of certain cable types (cross-over, straight-through). Instead, you can now use the mdix auto interface configuration command in the CLI to enable the automatic medium-dependent interface crossover (auto-MDIX) feature. When the auto-MDIX feature is enabled, the switch detects the required cable type for copper Ethernet connections and configures the interfaces accordingly. Therefore, you can use either a crossover or a straight-through cable for connections to a copper 10/100/1000 port on the switch, regardless of the type of device on the other end of the connection. The auto-MDIX feature is enabled by default on switches running Cisco IOS Release 12.2(18)SE or later. For releases between Cisco IOS Release 12.1(14)EA1 and 12.2(18)SE, the auto-MDIX feature is disabled by default.

MAC Addressing and Switch MAC Address Tables

Switches use MAC addresses to direct network communications through their switch fabric to the appropriate port toward the destination node. The switch fabric is the integrated circuits and the accompanying machine programming that allows the data paths through the switch to be controlled. For a switch to know which port to use to transmit a unicast frame, it must first learn which nodes exist on each of its ports.

A switch determines how to handle incoming data frames by using its MAC address table. A switch builds its MAC address table by recording the MAC addresses of the nodes connected to each of its ports. Once a MAC address for a specific node on a specific port is recorded in the address table, the switch then knows to send traffic destined for that specific node out the port mapped to that node for subsequent transmissions.

When an incoming data frame is received by a switch and the destination MAC address is not in the table, the switch forwards the frame out all ports, except for the port on which it was received. When the destination node responds, the switch records the node's MAC address in the address table from the frame's source address field. In networks with multiple interconnected switches, the MAC address tables record multiple MAC addresses for the ports connecting the switches, which reflect the nodes beyond. Typically, switch ports used to interconnect two switches have multiple MAC addresses recorded in the MAC address table.

The following describes this process, shown step by step in the figure:
– Step 1. The switch receives a broadcast frame from PC 1 on Port 1.
– Step 2. The switch enters the source MAC address and the switch port that received the frame into the address table.
– Step 3. Because the destination address is a broadcast, the switch floods the frame to all ports, except the port on which it received the frame.
– Step 4. The destination device replies to the broadcast with a unicast frame addressed to PC 1.
– Step 5. The switch enters the source MAC address of PC 2 and the port number of the switch port that received the frame into the address table. The destination address of the frame and its associated port is found in the MAC address table.

– Step 6. The switch can now forward frames between source and destination devices without flooding, because it has entries in the address table that identify the associated ports.

2.1.2 Design considerations for Ethernet 802.3 networks

In this topic, you will learn about the Ethernet design guidelines needed for interpreting hierarchical network designs for small and medium-sized businesses. This topic focuses on broadcast and collision domains and how they affect LAN designs.

Bandwidth and Throughput

A major disadvantage of Ethernet 802.3 networks is collisions. Collisions occur when two hosts transmit frames simultaneously. When a collision occurs, the transmitted frames are corrupted or destroyed. The sending hosts stop sending further transmissions for a random period, based on the Ethernet 802.3 rules of CSMA/CD.

Because Ethernet has no way of controlling which node will be transmitting at any time, we know that collisions will occur when more than one node attempts to gain access to the network. Ethernet's resolution for collisions does not occur instantaneously. Also, a node involved in a collision cannot start transmitting until the matter is resolved. As more devices are added to the shared media, the likelihood of collisions increases. Because of this, it is important to understand that when stating the bandwidth of the Ethernet network is 10 Mb/s, full bandwidth for transmission is available only after any collisions have been resolved. The net throughput of the port (the average data that is effectively transmitted) will be considerably reduced as a function of how many other nodes want to use the network. A hub offers no mechanisms to either eliminate or reduce these collisions, and the available bandwidth that any one node has to transmit is correspondingly reduced. As a result, the number of nodes sharing the Ethernet network will have an effect on the throughput or productivity of the network.

Collision Domains

When expanding an Ethernet LAN to accommodate more users with more bandwidth requirements, the potential for collisions increases. To reduce the number of nodes on a given network segment, you can create separate physical network segments, called collision domains. The network area where frames originate and collide is called the collision domain. All shared media environments, such as those created by using hubs, are collision domains.

When a host is connected to a switch port, the switch creates a dedicated connection. This connection is considered an individual collision domain, because traffic is kept separate from all other traffic, thereby eliminating the potential for a collision. The figure shows unique collision domains in a switched environment. For example, if a 12-port switch has a device connected to each port, 12 collision domains are created.

As you now know, a switch builds a MAC address table by learning the MAC addresses of the hosts that are connected to each switch port. When two connected hosts want to communicate with each other, the switch uses the switching table to establish a connection between the ports. The circuit is maintained until the session is terminated. In the figure, Host A and Host B want to communicate with each other. The switch creates the connection that is referred to as a microsegment. The microsegment behaves as if the network has only two hosts, one host sending and one receiving, providing maximum utilization of the available bandwidth.

Switches reduce collisions and improve bandwidth use on network segments because they provide dedicated bandwidth to each network segment.

Broadcast Domains

Although switches filter most frames based on MAC addresses, they do not filter broadcast frames. For other switches on the LAN to get broadcasted frames, broadcast frames must be forwarded by switches. A collection of interconnected switches forms a single broadcast domain. Only a Layer 3 entity, such as a router, or a virtual LAN (VLAN), can stop a Layer 3 broadcast domain. Routers and VLANs are used to segment both collision and broadcast domains. The use of VLANs to segment broadcast domains will be discussed in the next chapter.

When a device wants to send out a Layer 2 broadcast, the destination MAC address in the frame is set to all ones. By setting the destination to this value, all the devices accept and process the broadcasted frame. The broadcast domain at Layer 2 is referred to as the MAC broadcast domain. The MAC broadcast domain consists of all devices on the LAN that receive frame broadcasts by a host to all other machines on the LAN.

When a switch receives a broadcast frame, it forwards the frame to each of its ports, except the incoming port where the switch received the broadcast frame. Each attached device recognizes the broadcast frame and processes it. This leads to reduced network efficiency, because bandwidth is used to propagate the broadcast traffic.

When two switches are connected, the broadcast domain is increased. In this example, switch S1 is connected to switch S2. A broadcast frame is forwarded to all connected ports on switch S1. This is shown in the first half of the animation. The frame is propagated to all devices connected to switch S2. This is shown in the second half of the animation.
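The following simulation is an added example, not part of the course text. It models the six-step learning and forwarding process described in the MAC Addressing section, the Broadcast Domains point that a broadcast crosses interconnected switches, and the S1 to S2 propagation just described: two switches, three hosts, a MAC address table per switch that learns from source addresses, floods broadcasts and unknown unicasts out every port but the ingress, and forwards known unicasts out one port. The switch names, port numbers, MAC addresses and payloads are constructed for the example; the uplink port on S1 ends up holding a MAC address for a node beyond S2, as the text says inter-switch ports do.

```python
"""Switch MAC-table learning, flooding and forwarding (added example)."""
BROADCAST = "FF:FF:FF:FF:FF:FF"


class Host:
    def __init__(self, name, mac):
        self.name, self.mac = name, mac
        self.link = None          # (switch, port), set when attached
        self.received = []

    def deliver(self, frame):
        # The NIC accepts frames addressed to its own MAC or to the broadcast address.
        if frame["dst"] in (self.mac, BROADCAST):
            self.received.append(frame)

    def send(self, dst, payload):
        frame = {"src": self.mac, "dst": dst, "payload": payload}
        switch, port = self.link
        switch.receive(frame, port)
        return frame


class Switch:
    def __init__(self, name):
        self.name = name
        self.mac_table = {}       # MAC address -> port it was learned on
        self.ports = {}           # port -> attached Host or Switch
        self.uplinks = {}         # neighbouring Switch -> local port leading to it
        self.flood_count = 0      # frames sent out every port except the ingress

    def attach(self, port, host):
        self.ports[port] = host
        host.link = (self, port)

    def receive(self, frame, in_port):
        # Steps 2 and 5: record the source MAC against the port it arrived on.
        self.mac_table[frame["src"]] = in_port
        dst = frame["dst"]
        if dst != BROADCAST and dst in self.mac_table:
            out_ports = [self.mac_table[dst]]       # Step 6: known unicast, one port
        else:
            out_ports = [p for p in self.ports if p != in_port]   # Step 3: flood
            self.flood_count += 1
        for p in out_ports:
            device = self.ports[p]
            if isinstance(device, Switch):
                # The frame enters the neighbour on the port that leads back here.
                device.receive(frame, device.uplinks[self])
            else:
                device.deliver(frame)


def connect(sw_a, port_a, sw_b, port_b):
    """Inter-switch link: each switch sees the other on one local port."""
    sw_a.ports[port_a], sw_b.ports[port_b] = sw_b, sw_a
    sw_a.uplinks[sw_b], sw_b.uplinks[sw_a] = port_a, port_b


def run_scenario():
    """S1 holds PC1 (port 1) and PC2 (port 2); S2 holds PC3 (port 1);
    S1 port 24 is linked to S2 port 24. All values constructed."""
    s1, s2 = Switch("S1"), Switch("S2")
    pc1 = Host("PC1", "00:05:9A:3C:78:01")
    pc2 = Host("PC2", "00:05:9A:3C:78:02")
    pc3 = Host("PC3", "00:05:9A:3C:78:03")
    s1.attach(1, pc1)
    s1.attach(2, pc2)
    s2.attach(1, pc3)
    connect(s1, 24, s2, 24)
    snapshots = {}
    # Step 1: PC1 broadcasts (as an ARP request would). S1 learns PC1 on port 1
    # and floods; S2 receives it on its uplink, learns PC1 there and floods too,
    # so every host on both switches, one broadcast domain, gets the frame.
    pc1.send(BROADCAST, "who has 10.0.0.2?")
    snapshots["after_broadcast"] = (dict(s1.mac_table), dict(s2.mac_table))
    # Steps 4 to 6: PC2 answers with a unicast; S1 learns PC2 and, because PC1
    # is already in the table, sends the reply out port 1 only.
    pc2.send(pc1.mac, "10.0.0.2 is at " + pc2.mac)
    # A host behind S2 talks to PC1: S2 learns PC3 locally and S1 learns PC3 on
    # its uplink port, so port 24 on S1 now holds a MAC for a node beyond S2.
    pc3.send(pc1.mac, "hello from the S2 side")
    # Unknown unicast: no host owns this MAC, so both switches flood it and no
    # NIC accepts it.
    pc1.send("00:05:9A:3C:78:99", "to nobody")
    return {
        "snapshots": snapshots,
        "s1_table": dict(s1.mac_table),
        "s2_table": dict(s2.mac_table),
        "floods": {"S1": s1.flood_count, "S2": s2.flood_count},
        "received": {h.name: len(h.received) for h in (pc1, pc2, pc3)},
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

After the run, S1's table maps PC1 and PC2 to their own ports and PC3 to uplink port 24, while S2 maps PC1 to its uplink and PC3 to port 1; only the two frames with unknown or broadcast destinations were flooded by each switch.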


Network Latency

Latency is the time a frame or a packet takes to travel from the source station to the final destination. Users of network-based applications experience latency when they have to wait many minutes to access data stored in a data center or when a website takes many minutes to load in a browser. Latency has at least three sources.

First, there is the time it takes the source NIC to place voltage pulses on the wire, and the time it takes the destination NIC to interpret these pulses. This is sometimes called NIC delay, typically around 1 microsecond for a 10BASE-T NIC.

Second, there is the actual propagation delay as the signal takes time to travel through the cable. Typically, this is about 0.556 microseconds per 100 m for Cat 5 UTP. Longer cable and slower nominal velocity of propagation (NVP) result in more propagation delay.

Third, latency is added based on network devices that are in the path between two devices. These are either Layer 1, Layer 2, or Layer 3 devices. These three contributors to latency can be discerned from the animation as the frame traverses the network.

Latency does not depend solely on distance and number of devices. For example, if three properly configured switches separate two computers, the computers may experience less latency than if two properly configured routers separated them. This is because routers conduct more complex and time-intensive functions. For example, a router must analyze Layer 3 data, while switches just analyze the Layer 2 data. Since Layer 2 data is present earlier in the frame structure than the Layer 3 data, switches can process the frame more quickly. Switches also support the high transmission rates of voice, video, and data networks by employing application-specific integrated circuits (ASIC) to provide hardware support for many networking tasks. Additional switch features such as port-based memory buffering, port level QoS, and congestion management also help to reduce network latency.

Switch-based latency may also be due to oversubscribed switch fabric. Many entry-level switches do not have enough internal throughput to manage full bandwidth capabilities on all ports simultaneously. The switch needs to be able to manage the amount of peak data expected on the network. As the switching technology improves, the latency through the switch is no longer the issue. The predominant cause of network latency in a switched LAN is more a function of the media being transmitted, routing protocols used, and types of applications running on the network.


Network Congestion

The primary reason for segmenting a LAN into smaller parts is to isolate traffic and to achieve better use of bandwidth per user. Without segmentation, a LAN quickly becomes clogged with traffic and collisions. The figure shows a network that is subject to congestion by multiple node devices on a hub-based network.

These are the most common causes of network congestion:

Increasingly powerful computer and network technologies. Today, CPUs, buses, and peripherals are much faster and more powerful than those used in early LANs, therefore they can send more data at higher rates through the network, and they can process more data at higher rates.

Increasing volume of network traffic. Network traffic is now more common because remote resources are necessary to carry out basic work. Additionally, broadcast messages, such as address resolution queries sent out by ARP, can adversely affect end-station and network performance.

High-bandwidth applications. Software applications are becoming richer in their functionality and are requiring more and more bandwidth. Desktop publishing, engineering design, video on demand (VoD), electronic learning (e-learning), and streaming video all require considerable processing power and speed.

LAN Segmentation

LANs are segmented into a number of smaller collision and broadcast domains using routers and switches. Previously, bridges were used, but this type of network equipment is rarely seen in a modern switched LAN. The figure shows the routers and switches segmenting a LAN. In the figure, the network is segmented into four collision domains using the switch.

However, the broadcast domain in the figure spans the entire network.

Bridges and Switches

Although bridges and switches share many attributes, several distinctions differentiate these technologies. Bridges are generally used to segment a LAN into a couple of smaller segments. Switches are generally used to segment a large LAN into many smaller segments. Bridges have only a few ports for LAN connectivity, whereas switches have many.

Routers

Even though the LAN switch reduces the size of collision domains, all hosts connected to the switch, and in the same VLAN, are still in the same broadcast domain. Because routers do not forward broadcast traffic by default, they can be used to create broadcast domains. Creating additional, smaller broadcast domains with a router reduces broadcast traffic and provides more available bandwidth for unicast communications. Each router interface connects to a separate network, containing broadcast traffic within the LAN segment in which it originated. The figure shows the effect of introducing routers and more switches into the network on the broadcast and collision domains.

2.1.3 LAN design considerations

Controlling Network Latency

When designing a network to reduce latency, you need to consider the latency caused by each device on the network. Switches can introduce latency on a network when oversubscribed on a busy network. For example, if a core level switch has to support 48 ports, each one capable of running at 1000 Mb/s full duplex, the switch should support around 96 Gb/s internal throughput if it is to maintain full wirespeed across all ports simultaneously. In this example, the throughput requirements stated are typical of core-level switches, not of access-level switches.

The use of higher layer devices can also increase latency on a network. When a Layer 3 device, such as a router, needs to examine the Layer 3 addressing information contained within the frame, it must read further into the frame than a Layer 2 device, which creates a longer processing time. Limiting the use of higher layer devices can help reduce network latency. However, appropriate use of Layer 3 devices helps prevent contention from broadcast traffic in a large broadcast domain or the high collision rate in a large collision domain.

Removing Bottlenecks

Bottlenecks on a network are places where high network congestion results in slow performance. In the figure, which shows six computers connected to a switch, a single server is also connected to the same switch. Each workstation and the server are all connected using a 1000 Mb/s NIC. What happens when all six computers try to access the server at the same time? Does each workstation get 1000 Mb/s dedicated access to the server? No, all the computers have to share the 1000 Mb/s connection that the server has to the switch. Cumulatively, the computers are capable of 6000 Mb/s to the switch. If each connection was used at full capacity, each computer would be able to use only 167 Mb/s, one-sixth of the 1000 Mb/s bandwidth. To reduce the bottleneck to the server, additional network cards can be installed, which increases the total bandwidth the server is capable of receiving. The figure shows five NIC cards in the server and approximately five times the bandwidth. The same logic applies to network topologies. When switches with multiple nodes are interconnected by a single 1000 Mb/s connection, a bottleneck is created at this single interconnect.

Higher capacity links (for example, upgrading from 100 Mb/s to 1000 Mb/s connections) and using multiple links leveraging link aggregation technologies (for example, combining two links as if they were one to double a connection's capacity) can help to reduce the bottlenecks created by inter-switch links and router links. Although configuring link aggregation is outside the scope of this course, it is important to consider a device's capabilities when assessing a network's needs. How many ports and of what speed is the device capable of? What is the internal throughput of the device? Can it handle the anticipated traffic loads considering its placement in the network?
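The following code is an added example, not part of the course text. The Removing Bottlenecks passage works one case by hand (six 1000 Mb/s workstations sharing one 1000 Mb/s server link, so about 167 Mb/s each); the progressive-filling algorithm below generalises that arithmetic to any set of links and flows, reporting each flow's max-min fair rate and the link that limits it, and also covers the 48-port wirespeed figure from Controlling Network Latency. The topologies, link names and speeds are constructed for the example, and link aggregation is modelled simply as one link of the combined capacity.

```python
"""Bottleneck analysis for a switched LAN (added example, not from the course)."""


def wirespeed_fabric_gbps(ports, port_mbps):
    """Internal throughput needed for every port to send and receive at line
    rate at once; full duplex doubles the per-port figure."""
    return ports * port_mbps * 2 / 1000.0


def max_min_fair_rates(links, flows):
    """links: {link: capacity_mbps}; flows: {flow: [links it crosses]}.
    Returns {flow: (rate_mbps, bottleneck_link)} by progressive filling:
    repeatedly find the link whose remaining capacity divided by its
    unfrozen flows is smallest, freeze those flows at that share, and
    subtract their usage from every link they cross. Every flow is assumed
    to cross at least one listed link."""
    remaining = dict(links)
    active = {f: list(path) for f, path in flows.items()}
    result = {}
    while active:
        # Equal share each still-unfrozen flow could take on every link.
        share = {}
        for link, cap in remaining.items():
            users = sum(1 for path in active.values() if link in path)
            if users:
                share[link] = cap / users
        bottleneck = min(share, key=share.get)
        rate = share[bottleneck]
        # Flows through the tightest link are limited by it; freeze them.
        for f in [f for f, path in active.items() if bottleneck in path]:
            result[f] = (rate, bottleneck)
            for link in active.pop(f):
                remaining[link] -= rate
        del remaining[bottleneck]   # saturated, no unfrozen flows left on it
    return result


def server_example(server_nics=1):
    """Six PCs on 1000 Mb/s ports all reading from one server whose link to the
    switch is server_nics x 1000 Mb/s (aggregation modelled as one fatter link)."""
    links = {"pc%d-sw" % i: 1000 for i in range(1, 7)}
    links["sw-server"] = 1000 * server_nics
    flows = {"pc%d" % i: ["pc%d-sw" % i, "sw-server"] for i in range(1, 7)}
    return max_min_fair_rates(links, flows)


def uplink_example():
    """Three hosts on S1 reaching a server on S2 across a single 1000 Mb/s
    inter-switch link; host A has only a 100 Mb/s port (constructed)."""
    links = {"a-s1": 100, "b-s1": 1000, "c-s1": 1000, "s1-s2": 1000, "s2-srv": 1000}
    flows = {"A": ["a-s1", "s1-s2", "s2-srv"],
             "B": ["b-s1", "s1-s2", "s2-srv"],
             "C": ["c-s1", "s1-s2", "s2-srv"]}
    return max_min_fair_rates(links, flows)


if __name__ == "__main__":
    print("48-port wirespeed fabric: %.0f Gb/s" % wirespeed_fabric_gbps(48, 1000))
    for nics in (1, 5):
        print("server with %d NIC(s):" % nics, server_example(nics))
    print("single uplink:", uplink_example())
```

In the uplink case host A is held to 100 Mb/s by its own port, and the inter-switch link, not the server, is what caps B and C at 450 Mb/s each; with five server NICs in the first case each PC gets about 833 Mb/s, still limited by the server side rather than by its own 1000 Mb/s port.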


2.2.1 Switch forwarding methods

Switch Packet Forwarding Methods

In this topic, you will learn how switches forward Ethernet frames on a network. Switches can operate in different modes that can have both positive and negative effects. In the past, switches used one of the following forwarding methods for switching data between network ports: store-and-forward or cut-through switching. Referencing the Switch Forwarding Methods button shows these two methods. However, store-and-forward is the sole forwarding method used on current models of Cisco Catalyst switches.

Store-and-Forward Switching

In store-and-forward switching, when the switch receives the frame, it stores the data in buffers until the complete frame has been received. During the storage process, the switch analyzes the frame for information about its destination. In this process, the switch also performs an error check using the Cyclic Redundancy Check (CRC) trailer portion of the Ethernet frame. The CRC treats the bits of the frame as a long binary polynomial, divides it by a fixed generator polynomial, and compares the remainder with the value carried in the frame check sequence; any mismatch means the frame was altered in transit. (It is not a count of the 1 bits in the frame; a simple count would miss many errors.) After confirming the integrity of the frame, the frame is forwarded out the appropriate port toward its destination. When an error is detected in a frame, the switch discards the frame. Discarding frames with errors reduces the amount of bandwidth consumed by corrupt data. Store-and-forward switching is required for Quality of Service (QoS) analysis on converged networks where frame classification for traffic prioritization is necessary. For example, voice over IP data streams need to have priority over web-browsing traffic.

Click on the Store-and-Forward Switching button and play the animation for a demonstration of the store-and-forward process.

Cut-through Switching

In cut-through switching, the switch acts upon the data as soon as it is received, even if the transmission is not complete. The switch buffers just enough of the frame to read the destination MAC address so that it can determine to which port to forward the data. The destination MAC address is located in the first 6 bytes of the frame following the preamble. The switch looks up the destination MAC address in its switching table, determines the outgoing interface port, and forwards the frame onto its destination through the designated switch port. The switch does not perform any error checking on the frame. Because the switch does not have to wait for the entire frame to be completely buffered, and because the switch does not perform any error checking, cut-through switching is faster than store-and-forward switching. However, because the switch does not perform any error checking, it forwards corrupt frames throughout the network. The corrupt frames consume bandwidth while they are being forwarded. The destination NIC eventually discards the corrupt frames.

There are two variants of cut-through switching:

– Fast-forward switching: Fast-forward switching offers the lowest level of latency. Fast-forward switching immediately forwards a frame after reading the destination address. Because fast-forward switching starts forwarding before the entire frame has been received, there may be times when frames are relayed with errors. This occurs infrequently, and the destination network adapter discards the faulty frame upon receipt. In fast-forward mode, latency is measured from the first bit received to the first bit transmitted. Fast-forward switching is the typical cut-through method of switching.

– Fragment-free switching: In fragment-free switching, the switch stores the first 64 bytes of the frame before forwarding. Fragment-free switching can be viewed as a compromise between store-and-forward switching and cut-through switching. The reason fragment-free switching stores only the first 64 bytes of the frame is that most network errors and collisions occur during the first 64 bytes. Fragment-free switching tries to enhance cut-through switching by performing a small error check on the first 64 bytes of the frame to ensure that a collision has not occurred before forwarding the frame. Fragment-free switching is a compromise between the high latency and high integrity of store-and-forward switching, and the low latency and reduced integrity of cut-through switching.

Some switches are configured to perform cut-through switching on a per-port basis until a user-defined error threshold is reached and then they automatically change to store-and-forward. When the error rate falls below the threshold, the port automatically changes back to cut-through switching.

Click on the Cut-Through Switching button and play the animation for a demonstration of the cut-through switching process.
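The three forwarding methods above differ only in how much of the frame the switch looks at before committing to an egress port. The following model, added here as an illustration and not part of the course material, builds a real Ethernet II frame with a valid frame check sequence, then feeds a good frame, a frame corrupted late in its payload, and a collision fragment (runt) through each method. The MAC addresses, port names and MAC table are constructed; the fragment-free "small error check" is modelled purely as the 64-byte length threshold the text describes.

```python
"""Store-and-forward vs fast-forward vs fragment-free on the same three frames.
Added example, not course code. The Ethernet FCS is CRC-32 as computed by
zlib.crc32 and is appended least-significant byte first."""
import struct
import zlib

MIN_FRAME = 64        # minimum Ethernet frame size including the FCS
DST_MAC_END = 6       # destination MAC is the first 6 bytes after the preamble

def build_frame(dst: bytes, src: bytes, payload: bytes) -> bytes:
    """Ethernet II frame (no preamble) with a correct FCS appended."""
    body = dst + src + struct.pack("!H", 0x0800) + payload      # EtherType IPv4
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)

def fcs_ok(frame: bytes) -> bool:
    """Recompute the CRC-32 over everything but the trailer and compare."""
    body, fcs = frame[:-4], frame[-4:]
    return struct.unpack("<I", fcs)[0] == (zlib.crc32(body) & 0xFFFFFFFF)

def forward(frame: bytes, mode: str, mac_table: dict) -> tuple:
    """Return (decision, bytes examined before deciding).
    decision is the egress port, 'flood' for an unknown destination, or 'drop'."""
    egress = mac_table.get(frame[:DST_MAC_END], "flood")
    if mode == "store-and-forward":
        # whole frame buffered, FCS verified, runts discarded
        if len(frame) < MIN_FRAME or not fcs_ok(frame):
            return "drop", len(frame)
        return egress, len(frame)
    if mode == "fast-forward":
        # decide once the destination MAC is in; no integrity check at all
        return egress, DST_MAC_END
    if mode == "fragment-free":
        # wait for 64 bytes: a collision fragment never reaches that length
        if len(frame) < MIN_FRAME:
            return "drop", len(frame)
        return egress, MIN_FRAME
    raise ValueError(mode)

def corrupt(frame: bytes, offset: int) -> bytes:
    """Flip one bit, simulating corruption on the wire."""
    b = bytearray(frame)
    b[offset] ^= 0x01
    return bytes(b)

# constructed sample: host A sends to host B; the switch has learned B on Fa0/2
MAC_A = bytes.fromhex("0200000000aa")
MAC_B = bytes.fromhex("0200000000bb")
TABLE = {MAC_A: "Fa0/1", MAC_B: "Fa0/2"}
GOOD = build_frame(MAC_B, MAC_A, b"\x00" * 100)   # 118-byte frame
BAD = corrupt(GOOD, 80)                            # error in the payload, past byte 64
RUNT = GOOD[:40]                                   # collision fragment, under 64 bytes

def demo() -> dict:
    """Decision each method makes for the good, corrupt and runt frames."""
    return {mode: {"good": forward(GOOD, mode, TABLE),
                   "corrupt": forward(BAD, mode, TABLE),
                   "runt": forward(RUNT, mode, TABLE)}
            for mode in ("store-and-forward", "fast-forward", "fragment-free")}

if __name__ == "__main__":
    for mode, result in demo().items():
        print(mode, result)
```

Only store-and-forward drops the frame corrupted at byte 80; fragment-free catches the runt but still relays the corrupt frame, and fast-forward relays both after examining six bytes. That is the trade-off the text describes: the less of the frame a switch inspects before forwarding, the less it can verify or classify.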


2.2.2 Symmetric and asymmetric switching

Symmetric and Asymmetric Switching

In this topic, you will learn the differences between symmetric and asymmetric switching in a network. LAN switching may be classified as symmetric or asymmetric based on the way in which bandwidth is allocated to the switch ports. Symmetric switching provides switched connections between ports with the same bandwidth, such as all 100 Mb/s ports or all 1000 Mb/s ports. An asymmetric LAN switch provides switched connections between ports of unlike bandwidth, such as a combination of 10 Mb/s, 100 Mb/s, and 1000 Mb/s ports. The figure shows the differences between symmetric and asymmetric switching.

Asymmetric

Asymmetric switching enables more bandwidth to be dedicated to a server switch port to prevent a bottleneck. This allows smoother traffic flows where multiple clients are communicating with a server at the same time. Memory buffering is required on an asymmetric switch. For the switch to match the different data rates on different ports, entire frames are kept in the memory buffer and are moved to the port one after the other as required.

Symmetric

On a symmetric switch all ports are of the same bandwidth. Symmetric switching is optimized for a reasonably distributed traffic load, such as in a peer-to-peer desktop environment.

A network manager must evaluate the needed amount of bandwidth for connections between devices to accommodate the data flow of network-based applications. Most current switches are asymmetric switches because this type of switch offers the greatest flexibility.

2.2.3 Memory buffering

Port Based and Shared Memory Buffering

In this topic, you will learn how two types of memory buffers are used during switch forwarding. As you learned in a previous topic, a switch analyzes some or all of a frame before it forwards it to the destination host, depending on the forwarding method. An Ethernet switch may use a buffering technique to store frames before forwarding them. Buffering may also be used when the destination port is busy due to congestion; the switch stores the frame until it can be transmitted. The use of memory to store the data is called memory buffering. Memory buffering is built into the hardware of the switch and, other than increasing the amount of memory available, is not configurable. There are two methods of memory buffering: port-based and shared memory.

Port-based Memory Buffering

In port-based memory buffering, frames are stored in queues that are linked to specific incoming and outgoing ports. A frame is transmitted to the outgoing port only when all the frames ahead of it in the queue have been successfully transmitted. It is possible for a single frame to delay the transmission of all the frames in memory because of a busy destination port. This delay occurs even if the other frames could be transmitted to open destination ports.

Shared Memory Buffering

Shared memory buffering deposits all frames into a common memory buffer that all the ports on the switch share. The amount of buffer memory required by a port is dynamically allocated. The frames in the buffer are linked dynamically to the destination port. This allows the frame to be received on one port and then transmitted on another port, without moving it to a different queue. The switch keeps a map of frame-to-port links showing where a frame needs to be transmitted. The map link is cleared after the frame has been successfully transmitted. The number of frames stored in the buffer is restricted by the size of the entire memory buffer and not limited to a single port buffer. This permits larger frames to be transmitted with fewer dropped frames. This is important to asymmetric switching, where frames are being exchanged between different rate ports.
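The delay the port-based description warns about is head-of-line blocking. The tick-based model below, added as an illustration and not part of the course, queues the same four frames both ways and counts how many leave the switch in three ticks when the first frame on one ingress port is destined for a congested uplink. The port names, the arrival order and the rule that a congested egress port transmits nothing for the whole run are constructed.

```python
"""Port-based versus shared memory buffering under one congested egress port.
Added example, not course code."""
from collections import deque

def simulate(frames, congested, ticks, shared):
    """frames: (ingress, egress) tuples, all buffered at tick 0 in arrival order.
    Each non-congested egress port sends at most one frame per tick.
    Returns (frames transmitted in order, frames still buffered)."""
    if shared:
        pool = list(frames)                      # one buffer for all ports
    else:
        queues = {}                              # one FIFO per ingress port
        for f in frames:
            queues.setdefault(f[0], deque()).append(f)
    transmitted = []
    for _ in range(ticks):
        busy = set(congested)                    # egress ports already used this tick
        if shared:
            # any buffered frame whose egress port is free may go; arrival order
            # only matters among frames for the same egress port
            for f in list(pool):
                if f[1] not in busy:
                    busy.add(f[1])
                    pool.remove(f)
                    transmitted.append(f)
        else:
            # only the head of each FIFO is eligible: a blocked head holds back
            # the frames behind it even when their own egress ports are idle
            for q in queues.values():
                if q and q[0][1] not in busy:
                    busy.add(q[0][1])
                    transmitted.append(q.popleft())
    stuck = pool if shared else [f for q in queues.values() for f in q]
    return transmitted, stuck

# constructed workload: the first frame on Fa0/1 is for the congested uplink Gi0/1,
# the two behind it are for idle access ports; Fa0/4 carries an unrelated frame
FRAMES = [("Fa0/1", "Gi0/1"), ("Fa0/1", "Fa0/2"), ("Fa0/1", "Fa0/3"), ("Fa0/4", "Fa0/5")]

def compare(ticks=3):
    """(transmitted, still buffered) counts for both buffering schemes."""
    port_tx, port_stuck = simulate(FRAMES, {"Gi0/1"}, ticks, shared=False)
    shared_tx, shared_stuck = simulate(FRAMES, {"Gi0/1"}, ticks, shared=True)
    return {"port_based": (len(port_tx), len(port_stuck)),
            "shared": (len(shared_tx), len(shared_stuck))}

if __name__ == "__main__":
    print(compare())   # port_based forwards 1 of 4 frames, shared forwards 3 of 4
```

With port-based buffering the two frames for idle ports Fa0/2 and Fa0/3 never leave, because they sit behind the frame waiting for Gi0/1; shared buffering lets them go on the first tick and only the frame for the congested port remains.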

2.2.4 Layer 2 and layer 3 switching

Layer 2 and Layer 3 Switching

In this topic, you will review the concept of Layer 2 switching and learn about Layer 3 switching. A Layer 2 LAN switch performs switching and filtering based only on the OSI Data Link layer (Layer 2) MAC address. A Layer 2 switch is completely transparent to network protocols and user applications. Recall that a Layer 2 switch builds a MAC address table that it uses to make forwarding decisions.

A Layer 3 switch, such as the Catalyst 3560, functions similarly to a Layer 2 switch, such as the Catalyst 2960, but instead of using only the Layer 2 MAC address information for forwarding decisions, a Layer 3 switch can also use IP address information. Instead of only learning which MAC addresses are associated with each of its ports, a Layer 3 switch can also learn which IP addresses are associated with its interfaces. This allows the Layer 3 switch to direct traffic throughout the network based on IP address information.

Layer 3 switches are also capable of performing Layer 3 routing functions, reducing the need for dedicated routers on a LAN. Because Layer 3 switches have specialized switching hardware, they can typically route data as quickly as they can switch.

Layer 3 Switch and Router Comparison

In the previous topic, you learned that Layer 3 switches examine Layer 3 information in an Ethernet frame to make forwarding decisions. Layer 3 switches can route packets between different LAN segments similarly to dedicated routers. Layer 3 switches can provide basic routing functions in a LAN and reduce the need for dedicated routers. However, Layer 3 switches do not completely replace the need for routers on a network. Routers perform additional Layer 3 services that Layer 3 switches are not capable of performing. Routers are also capable of performing packet forwarding tasks not found on Layer 3 switches, such as establishing remote access connections to remote networks and devices. Dedicated routers are more flexible in their support of WAN interface cards (WIC), making them the preferred, and sometimes only, choice for connecting to a WAN.

2.3.1 Navigating command line interface mode

The Command Line Interface Modes

In this topic, you will review what you learned in CCNA Exploration: Network Fundamentals about how to navigate the various command line interface (CLI) modes. Cisco IOS software uses a hierarchy of commands in its command-mode structure. Each command mode supports specific Cisco IOS commands related to a type of operation on the device. As a security feature, Cisco IOS software separates the EXEC sessions into these access levels:

User EXEC: Allows a person to access only a limited number of basic monitoring commands. User EXEC mode is the default mode you enter after logging in to a Cisco switch from the CLI. User EXEC mode is identified by the > prompt.

Privileged EXEC: Allows a person to access all device commands, such as those used for configuration and management, and can be password-protected to allow only authorized users to access the device. Privileged EXEC mode is identified by the # prompt.

Click the user EXEC and privileged EXEC mode button in the figure.

The figure shows the Cisco IOS commands used to navigate from user EXEC mode to privileged EXEC mode and back again. To change from user EXEC mode to privileged EXEC mode, enter the enable command. On a real network, the switch prompts for the password. Enter the correct password. By default, the password is not configured, so on a fresh switch the enable command drops straight into privileged EXEC; set an enable secret before the switch is connected to a production network. To change from privileged EXEC mode to user EXEC mode, enter the disable command.

Navigating Configuration Modes

Click the Navigating Configuration Modes button in the figure.

Once you have entered privileged EXEC mode on the Cisco switch, you can access other configuration modes. There are many configuration modes. For now, you will explore how to navigate two common configuration modes: global configuration mode and interface configuration mode.

Global Configuration Mode

The example starts with the switch in privileged EXEC mode. To configure global switch parameters such as the switch hostname or the switch IP address used for switch management purposes, use global configuration mode. To access global configuration mode, enter the configure terminal command in privileged EXEC mode. The prompt changes to (config)#.

Interface Configuration Mode

Configuring interface-specific parameters is a common task. To access interface configuration mode from global configuration mode, enter the interface <interface name> command. The prompt changes to (config-if)#. To exit interface configuration mode, use the exit command. The prompt switches back to (config)#, letting you know that you are in global configuration mode. To exit global configuration mode, enter the exit command again. The prompt switches to #, signifying privileged EXEC mode.

GUI-based Alternatives to the CLI

There are a number of graphical management alternatives for managing a Cisco switch. Using a GUI offers simplified switch management and configuration without in-depth knowledge of the Cisco CLI.

Click the Cisco Network Assistant button in the figure.

Cisco Network Assistant

Cisco Network Assistant is a PC-based GUI network management application optimized for small and medium-sized LANs. You can configure and manage groups of switches or standalone switches. The figure shows the management interface for Network Assistant. Cisco Network Assistant is available at no cost and can be downloaded from Cisco (CCO username/password required): http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps5931/product_data_sheet0900aecd8068820a.html

Click the Cisco Device Manager button in the figure.

Cisco Device Manager

Cisco Device Manager is web-based software that is stored in the switch memory. You can use Device Manager to configure and manage switches. You can access Device Manager from anywhere in your network through a web browser. The figure shows the management interface.

Click the CiscoView Application button in the figure.

CiscoView Application

The CiscoView device-management application displays a physical view of the switch that you can use to set configuration parameters and to view switch status and performance information. The CiscoView application, purchased separately, can be a standalone application or part of a Simple Network Management Protocol (SNMP) platform. The figure shows the management interface for the CiscoView Device Manager. Learn more about CiscoView Device Manager at: http://www.cisco.com/en/US/products/sw/cscowork/ps4565/prod_bulletin0900aecd802948b0.html

Click the SNMP Network Management button in the figure.

SNMP Network Management

You can manage switches from an SNMP-compatible management station, such as HP OpenView. The switch is able to provide comprehensive management information and provide four Remote Monitoring (RMON) groups. SNMP network management is more common in large enterprise networks.


2.3.2 Using the help facility

Context Sensitive Help

The Cisco IOS CLI offers two types of help:

Word help: If you do not remember an entire command but do remember the first few characters, enter the character sequence followed by a question mark (?). Do not include a space before the question mark. A list of commands that start with the characters that you entered is displayed. For example, entering sh? returns a list of all commands that begin with the sh character sequence.

Command syntax help: If you are unfamiliar with which commands are available in your current context within the Cisco IOS CLI, or if you do not know the parameters required or available to complete a given command, enter the ? command. When only ? is entered, a list of all available commands in the current context is displayed. If the ? command is entered after a specific command, preceded by a space, the command arguments are displayed. For example, enter show ? to get a list of the command options supported by the show command. Make sure to include a space before the question mark to prevent the Cisco IOS CLI from performing word help rather than command syntax help.

Context-sensitive help supplies the whole command even if you enter just the first part of the command, such as cl?. The figure shows the Cisco help functions.

Using the example of setting the device clock, let's see how CLI help works. If the device clock needs to be set but the clock command syntax is not known, the context-sensitive help provides a means to check the syntax. If you enter the command clock followed by the Enter key, an error message indicates that the command is incomplete. To view the required parameters for the clock command, enter clock ?. In the clock ? example, the help output shows that the keyword set is required after clock. If you now enter the command clock set, another error message appears indicating that the command is still incomplete. Now add a space and enter the ? command to display a list of command arguments that are available at that point for the given command. The additional arguments needed to set the clock on the device are displayed: the current time using hours, minutes, and seconds. If <cr> is displayed, no other arguments are needed to make the command function.

For an excellent resource on how to use the Cisco IOS CLI, visit: http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hcf_c/ch10/index.htm.

Console Error Messages

Console error messages help identify problems when an incorrect command has been entered. The figure provides example error messages, what they mean, and how to get help when they are displayed.

2.3.3 Accessing the command history

The Command History Buffer

When you are configuring many interfaces on a switch, you can save time retyping commands by using the Cisco IOS command history buffer. In this topic, you will learn how to configure the command history buffer to support your configuration efforts. The Cisco CLI provides a history or record of commands that have been entered. This feature, called command history, is particularly useful in helping recall long or complex commands or entries. With the command history feature, you can complete the following tasks:

– Display the contents of the command buffer.
– Set the command history buffer size.
– Recall previously entered commands stored in the history buffer.

There is a buffer for each configuration mode.

Configure the Command History Buffer

In Cisco network products that support the Cisco IOS software, command history is enabled by default, and the system records the last 10 command lines in its history buffer. You can use the show history command to view recently entered EXEC commands. The terminal history size command sets the number of lines kept for the current session; to revert the terminal history size back to its default value of 10 lines, enter the terminal no history size command in privileged EXEC mode. The command history can be disabled for the current terminal session only by using the terminal no history command in user or privileged EXEC mode. When command history is disabled, the device no longer retains any previously entered command lines. The figure provides an explanation and example of these Cisco IOS commands.

2.3.4 Describe the boot sequence

Describe the Boot Sequence

In this topic, you will learn the sequence of steps that a switch executes from the off state to displaying the login prompt. After a Cisco switch is turned on, it goes through the following boot sequence:

Step 1. The switch loads the boot loader software. The boot loader is a small program stored in ROM and is run when the switch is first turned on.

Step 2. The boot loader:
– Performs low-level CPU initialization. It initializes the CPU registers, which control where physical memory is mapped, the quantity of memory, and its speed.
– Performs power-on self-test (POST) for the CPU subsystem. It tests the CPU DRAM and the portion of the flash device that makes up the flash file system.
– Initializes the flash file system on the system board.
– Loads a default operating system software image into memory and boots the switch.

The boot loader finds the Cisco IOS image on the switch by first looking in a directory that has the same name as the image file (excluding the .bin extension). If it does not find it there, the boot loader software searches each subdirectory before continuing the search in the original directory.

Step 3. The operating system then initializes the interfaces using the Cisco IOS commands found in the operating system configuration file, config.text, stored in the switch flash memory.

Recovering from a System Crash

The boot loader also provides access into the switch if the operating system cannot be used. The boot loader has a command-line facility that provides access to the files stored on Flash memory before the operating system is loaded. From the boot loader command line you can enter commands to format the flash file system, reinstall the operating system software image, or recover from a lost or forgotten password. Because the boot loader can be used to bypass a forgotten password, anyone with physical access to the console port and the ability to power-cycle the switch can take control of it; treat access to the console port as privileged access.

2.3.5 Prepare to configure the switch

Prepare to Configure the Switch

The initial startup of a Catalyst switch requires the completion of the following steps:

Step 1. Before starting the switch, verify the following:
– All network cable connections are secure.
– Your PC or terminal is connected to the console port.
– Your terminal emulator application, such as HyperTerminal, is running and configured correctly.

The figure illustrates how to connect a PC to a switch using the console port.

Click the Configure Hyperterminal button in the figure.

The figure shows the correct configuration of HyperTerminal, which can be used to view the console of a Cisco device.

Step 2. Attach the power cable plug to the switch power supply socket. The switch will start. Some Catalyst switches, including the Cisco Catalyst 2960 series, do not have power buttons.

Step 3. Observe the boot sequence as follows:
– When the switch is on, the POST begins. During POST, the LEDs blink while a series of tests determine that the switch is functioning properly. When the POST has completed, the SYST LED rapidly blinks green. If the switch fails POST, the SYST LED turns amber. When a switch fails the POST test, it is necessary to repair the switch.
– Observe the Cisco IOS software output text on the console.

Click the View Boot Process on Console button in the figure.

The figure shows the boot process on the console of a Cisco switch. During the initial startup of the switch, if POST failures are detected, they are reported to the console and the switch does not start. If POST completes successfully, and the switch has not been configured before, you are prompted to configure the switch.

2.3.6 Basic switch configuration

Management Interface Considerations

An access layer switch is much like a PC in that you need to configure an IP address, a subnet mask, and a default gateway. To manage a switch remotely using TCP/IP, you need to assign the switch an IP address. In the figure, you want to manage S1 from PC1, a computer used for managing the network. To do this, you need to assign switch S1 an IP address. This IP address is assigned to a virtual interface called a virtual LAN (VLAN), and then it is necessary to ensure the VLAN is assigned to a specific port or ports on the switch.

The default configuration on the switch is to have the management of the switch controlled through VLAN 1. However, a best practice for basic switch configuration is to change the management VLAN to a VLAN other than VLAN 1. The implications and reasoning behind this action are explained in the next chapter. The figure illustrates the use of VLAN 99 as the management VLAN; however, it is important to consider that an interface other than VLAN 99 can be used for the management interface.

Note: You will learn more about VLANs in the next chapter. Here the focus is on providing management access to the switch using an alternative VLAN. Some of the commands introduced here are explained more thoroughly in the next chapter. For now, VLAN 99 is created and assigned an IP address. Then the appropriate port on switch S1 is assigned to VLAN 99. The figure also shows this configuration information.

Configure Management Interface

Click the Configure Management Interface button in the figure.

To configure an IP address and subnet mask on the management VLAN of the switch, you must be in VLAN interface configuration mode. Use the command interface vlan 99 and enter the ip address configuration command. You must use the no shutdown interface configuration command to make this Layer 3 interface operational. When you see "interface VLAN x", that refers to the Layer 3 interface associated with VLAN x. Only the management VLAN has an interface VLAN associated with it. Note that a Layer 2 switch, such as the Cisco Catalyst 2960, only permits a single VLAN interface to be active at a time. This means that the Layer 3 interface, interface VLAN 99, is active, but the Layer 3 interface, interface VLAN 1, is not active.

Configure Default Gateway

Click the Configure Default Gateway button in the figure.

You need to configure the switch so that it can forward IP packets to distant networks. The default gateway is the mechanism for doing this. The switch forwards IP packets with destination IP addresses outside the local network to the default gateway. In the figure, router R1 is the next-hop router. Its IP address is 172.17.99.1. To configure a default gateway for the switch, use the ip default-gateway command. Enter the IP address of the next-hop router interface that is directly connected to the switch where a default gateway is being configured. Make sure you save the configuration running on a switch or router. Use the copy running-config startup-config command to back up your configuration.

Verify Configuration

Click the Verify Configuration button in the figure.

The top screen shot in the figure is an abbreviated screen output showing that VLAN 99 has been configured with an IP address and subnet mask, and that Fast Ethernet port F0/18 has been assigned to the VLAN 99 management interface. You will practice using the switchport access vlan 99 command in a hands-on lab and a Packet Tracer activity.

Show the IP Interfaces

Use the show ip interface brief command to verify port operation and status.

The mdix auto Command

You used to be required to use certain cable types (crossover, straight-through) when connecting between specific devices, switch-to-switch or switch-to-router. Instead, you can now use the mdix auto interface configuration command in the CLI to enable the automatic medium-dependent interface crossover (auto-MDIX) feature. When the auto-MDIX feature is enabled, the switch detects the required cable type for copper Ethernet connections and configures the interfaces accordingly. Therefore, you can use either a crossover or a straight-through cable for connections to a copper 10/100/1000 port on the switch, regardless of the type of device on the other end of the connection. The auto-MDIX feature was introduced in Cisco IOS Release 12.2(25)FX.


Configure Duplex and Speed

You can use the duplex interface configuration command to specify the duplex mode of operation for switch ports. You can manually set the duplex mode and speed of switch ports to avoid inter-vendor issues with autonegotiation. Although there can be issues when you configure switch port duplex settings to auto, in this example the S1 and S2 switches have the same duplex settings and speeds. If you fix the duplex and speed on one end of a link, fix them on the other end as well: a port left on auto cannot negotiate with a hard-coded neighbor and falls back to half duplex, producing a duplex mismatch that shows up as late collisions and poor throughput rather than a down link. The figure describes the steps to configure the port F0/1 on the S1 switch.

Configure a Web Interface

Modern Cisco switches have a number of web-based configuration tools that require that the switch is configured as an HTTP server. These applications include the Cisco web browser user interface, Cisco Router and Security Device Manager (SDM), and IP Phone and Cisco IOS Telephony Service applications. To control who can access the HTTP services on the switch, you can optionally configure authentication. Authentication methods can be complex. You may have so many people using the HTTP services that you require a separate server specifically to handle user authentication. The AAA and TACACS authentication modes are examples that use this type of remote authentication method: AAA is the authentication, authorization, and accounting framework, and TACACS is one of the protocols it can use to validate user credentials against a central server. You may need to have a less complex authentication method. The enable method requires users to use the switch's enable password. The local authentication method requires the user to use the login username, password, and privilege level access combination specified in the local system configuration (by the username global configuration command). Whichever method you choose, plain HTTP carries the credentials and the configuration in cleartext, so on switches that support it enable the HTTPS server (ip http secure-server) instead, and leave the HTTP server disabled on switches that are not managed through a browser.

For more information on AAA, visit: http://www.cisco.com/en/US/products/ps6638/products_data_sheet09186a00804fe332.html.

For more information on TACACS, visit: http://www.cisco.com/en/US/tech/tk583/tk642/tsd_technology_support_sub-protocol_home.html.

Managing the MAC Address Table

Switches use MAC address tables to determine how to forward traffic between ports. These MAC tables include dynamic and static addresses. The figure shows a sample MAC address table from the output of the show mac-address-table command that includes static and dynamic MAC addresses.

Note: The MAC address table was previously referred to as content addressable memory (CAM) or as the CAM table.

Dynamic addresses are source MAC addresses that the switch learns and then ages out when they are not in use. You can change the aging time setting for MAC addresses. The default time is 300 seconds. Setting too short an aging time can cause addresses to be prematurely removed from the table. Then, when the switch receives a frame for an unknown destination, it floods the frame to all ports in the same LAN (or VLAN) as the receiving port. This unnecessary flooding can impact performance. Setting too long an aging time can cause the address table to be filled with unused addresses, which prevents new addresses from being learned. This can also cause flooding. An attacker can trigger the same behavior deliberately by sending frames with a stream of made-up source addresses until the table is full; unicast traffic for hosts the switch can no longer learn is then flooded to every port in the VLAN, including the attacker's. Limiting the number of addresses a port may learn (port security) is the usual defense.

The switch provides dynamic addressing by learning the source MAC address of each frame that it receives on each port, and then adding the source MAC address and its associated port number to the MAC address table. As computers are added or removed from the network, the switch updates the MAC address table, adding new entries and aging out those that are currently not in use.

A network administrator can specifically assign static MAC addresses to certain ports. Static addresses are not aged out, and the switch always knows which port to send out traffic destined for that specific MAC address. As a result, there is no need to relearn or refresh which port the MAC address is connected to. One reason to implement static MAC addresses is to give the network administrator control over which address is reachable through which port. Note that a static entry only pins where frames for that address are sent; by itself it does not stop an unknown device from sending frames into the switch, so restricting which devices may connect is again a job for port security.

To create a static mapping in the MAC address table, use the mac-address-table static <MAC address> vlan {1-4094, ALL} interface interface-id command. To remove a static mapping in the MAC address table, use the no mac-address-table static <MAC address> vlan {1-4094, ALL} interface interface-id command.

The maximum size of the MAC address table varies with different switches. For example, the Catalyst 2960 series switch can store up to 8,192 MAC addresses. There are other protocols that may limit the absolute number of MAC addresses available to a switch.

2.3.7 Verifying the switch configuration

Using the Show Commands

Now that you have performed the initial switch configuration, you should confirm that the switch has been configured correctly. In this topic, you will learn how to verify the switch configuration using various show commands.
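The learning, aging, static-entry and table-size behavior described above fits in a few dozen lines. The model below is an added example, not course material: it learns source addresses per VLAN, ages dynamic entries, keeps static ones, floods unknown unicasts, and refuses new entries once the table is full. The addresses and port names are constructed, and scenario() uses a capacity of four entries so that the full-table case is reachable in a handful of frames; on a Catalyst 2960 the same thing would take the 8,192 entries the text quotes.

```python
"""MAC address table model: learn, age, static entries, flooding, capacity.
Added example, not course code."""

class MacTable:
    def __init__(self, aging_time=300, capacity=8192):
        self.aging_time = aging_time          # seconds; 300 is the switch default
        self.capacity = capacity
        self.entries = {}                     # (vlan, mac) -> {"port", "static", "seen"}

    def add_static(self, mac, vlan, port):
        # mac-address-table static <mac> vlan <vlan> interface <port>
        self.entries[(vlan, mac)] = {"port": port, "static": True, "seen": None}

    def age(self, now):
        """Drop dynamic entries idle longer than aging_time; static ones never age."""
        expired = [k for k, e in self.entries.items()
                   if not e["static"] and now - e["seen"] > self.aging_time]
        for k in expired:
            del self.entries[k]
        return len(expired)

    def learn(self, src, vlan, port, now):
        """Record src on port. Returns False when src is new and the table is full."""
        key = (vlan, src)
        e = self.entries.get(key)
        if e is not None:
            if not e["static"]:
                e["port"], e["seen"] = port, now   # refresh timer, follow a moved host
            return True
        if len(self.entries) >= self.capacity:
            return False
        self.entries[key] = {"port": port, "static": False, "seen": now}
        return True

    def forward(self, src, dst, vlan, in_port, now, vlan_ports):
        """Age, learn from the source address, then choose egress ports for dst."""
        self.age(now)
        self.learn(src, vlan, in_port, now)
        e = self.entries.get((vlan, dst))
        if e is None:                                   # unknown unicast: flood the VLAN
            return [p for p in vlan_ports if p != in_port]
        if e["port"] == in_port:                        # destination sits on the ingress port
            return []                                   # filtered, not forwarded
        return [e["port"]]

VLAN_PORTS = ["Fa0/1", "Fa0/2", "Fa0/3"]
A, B, C = "0200.0000.00aa", "0200.0000.00bb", "0200.0000.00cc"   # constructed hosts

def scenario():
    t = MacTable(aging_time=300, capacity=4)
    o = {}
    o["unknown"] = t.forward(A, B, 1, "Fa0/1", 0, VLAN_PORTS)      # B not yet seen: flood
    t.forward(B, A, 1, "Fa0/2", 1, VLAN_PORTS)                     # B learned on Fa0/2
    o["known"] = t.forward(A, B, 1, "Fa0/1", 2, VLAN_PORTS)        # Fa0/2 only
    o["aged"] = t.forward(A, B, 1, "Fa0/1", 400, VLAN_PORTS)       # B aged out: flood again
    # a host on Fa0/3 sprays frames with made-up source addresses until the table is full
    o["bogus_learned"] = sum(t.learn(f"0200.dead.{i:04x}", 1, "Fa0/3", 401) for i in range(10))
    t.forward(B, A, 1, "Fa0/2", 402, VLAN_PORTS)                   # B can no longer be learned
    o["full"] = t.forward(A, B, 1, "Fa0/1", 403, VLAN_PORTS)       # flooded: Fa0/3 now sees A->B
    t.add_static(C, 1, "Fa0/3")
    t.age(10_000)                                                  # every dynamic entry expires
    o["after_aging"] = sorted(mac for (_, mac) in t.entries)       # only the static entry remains
    return o

if __name__ == "__main__":
    for step, result in scenario().items():
        print(step, result)
```

The "full" step is the interesting one for a security engineer: once the bogus addresses occupy the table, the switch cannot learn B again, so traffic from A to B is flooded to every port in the VLAN, including the port the bogus frames came from.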

When you need to verify the configuration of your Cisco switch, the show command is very useful. The show command is executed from privileged EXEC mode. The figure presents some of the key options for the show command that verify nearly all configurable switch features. There are many additional show commands that you will learn throughout this course.

Click the Show Commands button in the figure.

One of the more valuable show commands is the show running-config command. This command displays the configuration currently running on the switch. Use this command to verify that you have correctly configured the switch. The figure shows an abbreviated output from the show running-config command. The three periods indicate missing content. The figure has highlighted screen output of the S1 switch showing:

Fast Ethernet 0/18 interface configured with the management VLAN 99
VLAN 99 configured with an IP address of 172.17.99.11 255.255.255.0
Default gateway set to 172.17.50.1
HTTP server configured

Click the Show Running-config button in the figure.

Another commonly used command is the show interfaces command, which displays status and statistics information on the network interfaces of the switch. The show interfaces command is used frequently while configuring and monitoring network devices. Recall that you can type partial commands at the command prompt and, as long as no other command option is the same, the Cisco IOS software interprets the command correctly. For example, you can use show int for this command.

The figure shows the output from a show interfaces FastEthernet 0/1 command. The first highlighted line in the figure indicates that the Fast Ethernet 0/1 interface is up and running. The next highlighted line shows that the duplex is auto-duplex and the speed is auto-speed.

Click the Show Interfaces button in the figure.

2.3.8 Basic switch management

Back up and Restore Switch Configurations

A typical job for an apprentice network technician is to load a switch with a configuration. In this topic, you will learn how to load and store a configuration on the switch flash memory and to a TFTP server.

Backing Up the Configuration

You have already learned how to back up the running configuration of a switch to the startup configuration file. You have used the copy running-config startup-config privileged EXEC command to back up the configurations you have made so far. As you may already know, the running configuration is saved in DRAM and the startup configuration is stored in the NVRAM section of Flash memory. When you issue the copy running-config startup-config command, the Cisco IOS software copies the running configuration to NVRAM so that when the switch boots, the startup-config with your new configuration is loaded.

Click the Backup Configurations button in the figure.

If you want to maintain multiple different startup-config files on the device, you can copy the configuration to different filenames, using the copy startup-config flash:filename command. Storing multiple startup-config versions allows you to roll back to a point in time if your configuration has problems. The figure shows three examples of backing up the configuration to Flash memory. The first is the formal and complete syntax. The second is the syntax commonly used. Use the first syntax when you are unfamiliar with the network device you are working with, and use the second syntax when you know that the destination is the flash NVRAM installed on the switch. The third is the syntax used to save a copy of the startup-config file in flash.

Click the Restoring Configurations button in the figure.

Restoring the Configuration

Restoring a configuration is a simple process. You just need to copy the saved configuration over the current configuration. For example, if you had a saved configuration called config.bak1, you could restore it over your existing startup-config by entering this Cisco IOS command: copy flash:config.bak1 startup-config. Once the configuration has been restored to the startup-config, you restart the switch so that it reloads the new startup configuration by using the reload command in privileged EXEC mode.

The reload command halts the system. If the system is set to restart on error, it reboots itself. Use the reload command after configuration information is entered into a file and saved to the startup configuration.

Note: You cannot reload from a virtual terminal if the switch is not set up for automatic booting. This restriction prevents the system from dropping to the ROM monitor (ROMMON) and thereby taking the system out of the remote user's control.

After issuing the reload command, the system prompts you to answer whether or not to save the configuration. Normally you would indicate "yes", but in this particular case you need to answer "no". If you answered "yes", the file you just restored would be overwritten. In every case you need to consider whether or not the current running configuration is the one you want to be active after reload.

For more details on the reload command, review the Cisco IOS Configuration Fundamentals Command Reference, Release 12.4, found at this website: http://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_book.html.

You do not always want to save configuration changes you make to the running configuration of a switch. For example, you might want to change the configuration for a short time period rather than permanently.

Note: There is also the option of entering the copy startup-config running-config command. Unfortunately, this command does not entirely overwrite the running configuration; it only adds existing commands from the startup configuration to the running configuration. This can cause unintended results, so be careful when you do this.

Back up Configuration Files to a TFTP Server

Once you have configured your switch with all the options you want to set, it is a good idea to back up the configuration on the network where it can then be archived along with the rest of your network data being backed up nightly. Having the configuration stored safely off the switch protects it in the event there is some major catastrophic problem with your switch.

Some switch configurations take many hours to get working correctly. If you lost the configuration because of switch hardware failure, a new switch needs to be configured. If there is a backup configuration for the failed switch, it can be loaded quickly onto the new switch. If there is no backup configuration, you must configure the new switch from scratch.

You can use TFTP to back up your configuration files over the network. Cisco IOS software comes with a built-in TFTP client that allows you to connect to a TFTP server on your network.

Note: There are free TFTP server software packages available on the Internet that you can use if you do not already have a TFTP server running. One commonly used TFTP server is from www.solarwinds.com.

Backing up the Configuration

To upload a configuration file from a switch to a TFTP server for storage, follow these steps:

Step 1. Verify that the TFTP server is running on your network.
Step 2. Log in to the switch through the console port or a Telnet session. Enable the switch and then ping the TFTP server.
Step 3. Upload the switch configuration to the TFTP server. Specify the IP address or hostname of the TFTP server and the destination filename. The Cisco IOS command is: #copy system:running-config tftp:[[[//location]/directory]/filename] or #copy nvram:startup-config tftp:[[[//location]/directory]/filename].

The figure shows an example of backing up the configuration to a TFTP server.

Restoring the Configuration

Once the configuration is stored successfully on the TFTP server, it can be copied back to the switch using the following steps:

Step 1. Copy the configuration file to the appropriate TFTP directory on the TFTP server if it is not already there.
Step 2. Verify that the TFTP server is running on your network.
Step 3. Log in to the switch through the console port or a Telnet session. Enable the switch and then ping the TFTP server.
Step 4. Download the configuration file from the TFTP server to configure the switch. Specify the IP address or hostname of the TFTP server and the name of the file to download. The Cisco IOS command is: #copy tftp: [[[//location]/directory]/filename] system:running-config or #copy tftp: [[[//location]/directory]/filename] nvram:startup-config.

If the configuration file is downloaded into the running-config, the commands are executed as the file is parsed line by line. If the configuration file is downloaded into the startup-config, the switch must be reloaded for the changes to take effect.

Clearing Configuration Information

You can clear the configuration information from the startup configuration. You might do this to prepare a used switch to be shipped to a customer or a different department and you want to ensure that the switch gets reconfigured. When you erase the startup configuration file, the switch enters the setup program when it reboots, so that you can reconfigure the switch with new settings.

To clear the contents of your startup configuration, use the erase nvram: or the erase startup-config privileged EXEC command. The figure shows an example of erasing the configuration files stored in NVRAM.

Caution: You cannot restore the startup configuration file after it has been erased, so make sure that you have a backup of the configuration in case you need to restore it at a later point.

Deleting a Stored Configuration File

You may have been working on a complex configuration task and stored many backup copies of your files in Flash. To delete a file from Flash memory, use the delete flash:filename privileged EXEC command. Depending on the setting of the file prompt global configuration command, you might be prompted for confirmation before you delete a file. By default, the switch prompts for confirmation when deleting a file.

Caution: You cannot restore the startup configuration file after it has been deleted, so make sure that you have a backup of the configuration in case you need to restore it at a later point.

After the configuration has been erased or deleted, you can reload the switch to initiate a new configuration for the switch.

2.4.1 Configuration password options

Configure Console Access

In this topic, you will learn how to configure passwords for the console access, virtual terminal, and EXEC mode. You will also learn how to encrypt and recover passwords on a switch.

Securing your switches starts with protecting them from unauthorized access. You can perform all configuration options directly from the console. To access the console, you need to have local physical access to the device. If you do not secure the console port properly, a malicious user could compromise the switch configuration.

Data is very valuable and must be zealously guarded and protected. The U.S. Federal Bureau of Investigation (FBI) estimates that businesses lose $67.2 billion annually because of computer-related crime. Personal customer data in particular sells for very high prices. The following are some current prices for stolen data:

Automatic teller machine (ATM) or debit card with personal identification number (PIN): $500
Driver's license number: $150
Social Security number: $100
Credit card number with expiration date: $15 to $20

Secure the Console

To secure the console port from unauthorized access, set a password on the console port using the password <password> line configuration mode command. Use the line console 0 command to switch from global configuration mode to line configuration mode for console 0. The prompt changes to (config-line)#, indicating that the switch is now in line configuration mode. From line configuration mode, you can set the password for the console by entering the password <password> command. To ensure that a user on the console port is required to enter the password, use the login command. Even when a password is defined, it is not required to be entered until the login command has been issued.

The figure shows the commands used to configure and require the password for console access. Recall that you can use the show running-config command to verify your configuration. Before you complete the switch configuration, remember to save the running configuration file to the startup configuration.

Remove Console Password

If you need to remove the password and requirement to enter the password at login, use the following steps:

Step 1. Switch from privileged EXEC mode to global configuration mode. Enter the configure terminal command.
Step 2. Switch from global configuration mode to line configuration mode for console 0. Enter the command line console 0. The command prompt (config-line)# indicates that you are in line configuration mode.
Step 3. Remove the password from the console line using the no password command.
Step 4. Remove the requirement to enter the password at login to the console line using the no login command.
Step 5. Exit line configuration mode and return to privileged EXEC mode using the end command.

Secure the vty Ports

The vty ports on a Cisco switch allow you to access the device remotely. You can perform all configuration options using the vty terminal ports. You do not need physical access to the switch to access the vty ports, so it is very important to secure the vty ports. Any user with network access to the switch can establish a vty remote terminal connection. If the vty ports are not properly secured, a malicious user could compromise the switch configuration.

To secure the vty ports from unauthorized access, you can set a vty password that is required before access is granted. To set the password on the vty ports, you must be in line configuration mode. There can be many vty ports available on a Cisco switch. Multiple ports permit more than one administrator to connect to and manage the switch. Use the line vty 0 4 command to switch from global configuration mode to line configuration mode for vty lines 0 through 4. To secure all vty lines, make sure that a password is set and login is enforced on all lines. Leaving some lines unsecured compromises security and allows unauthorized users access to the switch.

Note: If the switch has more vty lines available, adjust the range to secure them all. For example, a Cisco 2960 has lines 0 through 15 available.

Caution: If no password is defined and login is still enabled, there is no access to the vty lines.

The figure shows the commands used to configure and require the password for vty access. You can use the show running-config command to verify your configuration and the copy running-config startup-config command to save your work.

Remove the vty Password

If you need to remove the password and requirement to enter the password at login, use the following steps:

Step 1. Switch from privileged EXEC mode to global configuration mode. Enter the configure terminal command.
Step 2. Switch from global configuration mode to line configuration mode for vty terminals 0 through 4. Enter the command line vty 0 4. The command prompt (config-line)# indicates that you are in line configuration mode.
Step 3. Remove the password from the vty lines using the no password command.
Step 4. Remove the requirement to enter the password at login to the vty lines using the no login command.
Step 5. Exit line configuration mode and return to privileged EXEC mode using the end command.

Configure EXEC Mode Passwords

Privileged EXEC mode allows any user enabling that mode on a Cisco switch to configure any option available on the switch. You can also view all the currently configured settings on the switch, including some of the unencrypted passwords! For these reasons, it is important to secure access to privileged EXEC mode.

The enable password global configuration command allows you to specify a password to restrict access to privileged EXEC mode. However, one problem with the enable password command is that it stores the password in readable text in the startup-config and running-config. If someone were to gain access to a stored startup-config file, or temporary access to a Telnet or console session that is logged in to privileged EXEC mode, they could see the password. As a result, Cisco introduced a new password option to control access to privileged EXEC mode that stores the password in an encrypted format.

You can assign an encrypted form of the enable password, called the enable secret password, by entering the enable secret command with the desired password at the global configuration mode prompt. If the enable secret password is configured, it is used instead of the enable password, not in addition to it. There is also a safeguard built into the Cisco IOS software that notifies you when setting the enable secret password to the same password that is used for the enable password. If identical passwords are entered, the IOS will accept the password but will warn you they are the same and instruct you to re-enter a new password.

The figure shows the commands used to configure privileged EXEC mode passwords. You can use the show running-config command to verify your configuration and the copy running-config startup-config command to save your work.

Remove EXEC Mode Password

If you need to remove the password requirement to access privileged EXEC mode, you can use the no enable password and the no enable secret commands from global configuration mode.

Configure Encrypted Passwords

When configuring passwords in Cisco IOS CLI, by default all passwords, except for the enable secret password, are stored in clear text format within the startup-config and running-config. The figure shows an abbreviated screen output from the show running-config command on the S1 switch. The clear text passwords are highlighted in orange.

It is universally accepted that passwords should be encrypted and not stored in clear text format. The Cisco IOS command service password-encryption enables service password encryption. When the service password-encryption command is entered from global configuration mode, all system passwords are stored in an encrypted form. As soon as the command is entered, all the currently set passwords are converted to encrypted passwords. At the bottom of the figure, the encrypted passwords are highlighted in orange.

If you want to remove the requirement to store all system passwords in an encrypted format, enter the no service password-encryption command from global configuration mode. Removing password encryption does not convert currently encrypted passwords back into readable text. However, all newly set passwords are stored in clear text format.

Note: The encryption standard used by the service password-encryption command is referred to as type 7. This encryption standard is very weak and there are easily accessible tools on the Internet for decrypting passwords encrypted with this standard. Type 5 is more secure but must be invoked manually for each password configured.

Enable Password Recovery

After you set passwords to control access to the Cisco IOS CLI, you need to make sure you remember them. In case you have lost or forgotten access passwords, Cisco has a password recovery mechanism that allows administrators to gain access to their Cisco devices. The password recovery process requires physical access to the device. Note that you may not be able to actually recover the passwords on the Cisco device, especially if password encryption has been enabled, but you are able to reset them to a new value.

For more information on the password procedure, visit: http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_tech_note09186a00801746e6.shtml.

The figure shows a screen capture of the console display indicating that password recovery has been enabled. You will see this display after Step 3 below.

To recover the password on a Cisco 2960 switch, use the following steps:

Step 1. Connect a terminal or PC with terminal-emulation software to the switch console port.
Step 2. Set the line speed on the emulation software to 9600 baud.
Step 3. Power off the switch. Reconnect the power cord to the switch and within 15 seconds, press the Mode button while the System LED is still flashing green. Continue pressing the Mode button until the System LED turns briefly amber and then solid green. Then release the Mode button.
Step 4. Initialize the Flash file system using the flash_init command.
Step 5. Load any helper files using the load_helper command.
Step 6. Display the contents of Flash memory using the dir flash command. The switch file system appears:

Directory of flash:
13 drwx 192 Mar 01 1993 22:30:48 c2960-lanbase-mz.122-25.FX
11 -rwx 5825 Mar 01 1993 22:31:59 config.text
18 -rwx 720 Mar 01 1993 02:21:30 vlan.dat
16128000 bytes total (10003456 bytes free)

Step 7. Rename the configuration file, which contains the password definition, to config.text.old using the rename flash:config.text flash:config.text.old command.
Step 8. Boot the system with the boot command.
Step 9. You are prompted to start the setup program. Enter N at the prompt, and then when the system prompts whether to continue with the configuration dialog, enter N.
Step 10. At the switch prompt, enter privileged EXEC mode using the enable command.
Step 11. Rename the configuration file to its original name using the rename flash:config.text.old flash:config.text command.
Step 12. Copy the configuration file into memory using the copy flash:config.text system:running-config command. After this command has been entered, the following is displayed on the console:

Source filename [config.text]?
Destination filename [running-config]?

Press Return in response to the confirmation prompts. The configuration file is now reloaded, and you can change the password.
Step 13. Enter global configuration mode using the configure terminal command.
Step 14. Change the password using the enable secret password command.
Step 15. Return to privileged EXEC mode using the exit command.
Step 16. Write the running configuration to the startup configuration file using the copy running-config startup-config command.
Step 17. Reload the switch using the reload command.

Note: The password recovery procedure can be different depending on the Cisco switch series, so you should refer to the product documentation before you attempt a password recovery.

2.4.2 Login banner

Configure a Login Banner

The Cisco IOS command set includes a feature that allows you to configure messages that anyone logging onto the switch sees. These messages are called login banners and message of the day (MOTD) banners. In this topic, you will learn how to configure them.

You can define a customized banner to be displayed before the username and password login prompts by using the banner login command in global configuration mode. Enclose the banner text in quotations or using a delimiter different from any character appearing in the MOTD string. The figure shows the S1 switch being configured with a login banner Authorized Personnel Only!

To remove the login banner, enter the no format of this command in global configuration mode, for example, S1(config)#no banner login.

117 Configure a MOTD Banner The MOTD banner displays on all connected terminals at login and is useful for sending messages that affect all network users (such as impending system shutdowns). The figure shows the S1 switch being configured with a MOTD banner to display Device maintenance will be occurring on Friday! To remove the login banner.3 Configure Telnet and SSH Telnet and SSH Older switches may not support secure communication with Secure Shell (SSH). Telnet is the original method that was supported on early Cisco switch models.4. The MOTD banner displays before the login banner if it is configured. Telnet is a popular protocol used for terminal access because most current . Enclose the banner text in quotations. 2. enter the no format of this command in global configuration mode. There are two choices for remotely accessing a vty on a Cisco switch. This topic will help you choose between the Telnet and SSH methods of communicating with a switch. Define the MOTD banner by using the banner motd command in global configuration mode. for example S1(config)#no banner motd.

It is recommended that you implement SSHv2 when possible. However. SSH has become the preferred protocol for remotely accessing virtual terminal lines on a Cisco device. The figure presents the differences between the two protocols. with Cisco devices currently supporting both SSHv1 and SSHv2. because it sends all communications across the network in clear text. use the following command from line configuration mode: (config-line)#transport input telnet or (config-line)#transport input all. In the previous topic. you do not need to specify it after the initial configuration of the switch has been performed. you need to enable the Telnet protocol to permit Telnet access manually. Using network monitoring software. If you need to re-enable the Telnet protocol on a Cisco 2960 switch. This makes running the Telnet service a little more secure. because it uses a more enhanced security encryption algorithm than SSHv1. Communication between the SSH client and SSH server is encrypted. Telnet is an insecure way of accessing a network device. you learned how to secure access to the switch over the vty lines by requiring password authentication. . if you have switched the transport protocol on the vty lines to permit only SSH. However. SSH has gone through a few versions. Initially. Configuring Telnet Telnet is the default vty-supported protocol on a Cisco switch. you can connect to it using a Telnet client. When a management IP address is assigned to the Cisco switch. an attacker can read every keystroke that is sent between the Telnet client and the Telnet service running on the Cisco switch. Because of the security concerns of the Telnet protocol. Because Telnet is the default transport for the vty lines. SSH gives the same type of access as Telnet with the added benefit of security. the vty lines are unsecured allowing access by any user attempting to connect to them. 118 operating systems come with a Telnet client built in.

so if you have to configure SSH. but DES takes less time to encrypt text than 3DES. and 3DES offers168-bit encryption. (The discussion of data encryption methods is beyond the scope of this course. you still permit SSH access to the switch as well as Telnet access. kept on a public RSA server. Encryption takes time. Step 2. and password-based user authentication. Step 3. Messages encrypted with the public key can only be decrypted using the private key. SSH supports the Data Encryption Standard (DES) algorithm. kept only by the sender and receiver. Configure a host domain for your switch using the ip domain-name domain_name command. you need to generate RSA keys. Typically. Beginning in privileged EXEC mode. The SSH feature has an SSH server and an SSH integrated client. the Triple DES (3DES) algorithm. and a private key. 119 By permitting all transport protocols. Step 1. You need to generate the encrypted RSA keys using the crypto key generate rsa command. The public key can be known to everyone and is used for encrypting messages. ask which one to use. DES offers 56-bit encryption. which are applications that run on the switch. RSA involves a public key. This procedure is required if you are configuring the switch as an SSH server. follow these steps to configure a hostname and an IP domain name and to generate an RSA key pair. Enter global configuration mode using the configure terminal command. To use this feature. This is known as asymmetric encryption and will be discussed in greater detail in the Exploration: Accessing the WAN course. . The switch supports only SSHv1 for the client component. You can use any SSH client running on a PC or the Cisco SSH client running on the switch to connect to a switch running the SSH server. encryption standards are specified by the client. Configuring SSH SSH is a cryptographic security feature that is subject to export restrictions. Configure a hostname for your switch using the hostname hostname command.) 
To implement SSH. The switch supports SSHv1 or SSHv2 for the server component. a cryptographic image must be installed on your switch.

For a SSH connect to be established. the SSH server is automatically disabled. such as connection. To delete the RSA key pair. Step 2. Step 4. follow these steps to configure the SSH server. 120 Step 4. The default is 3. Repeat this step when configuring both parameters. Cisco recommends using a modulus size of 1024 bits. Configure the SSH control parameters: Specify the time-out value in seconds. Return to privileged EXEC mode using the end command. encrypted SSH connections for multiple CLI- based sessions over the network are available (session 0 to session 4). After the execution shell starts. (Optional) Configure the switch to run SSHv1 or SSHv2 using the ip ssh version [1 | 2] command. After the RSA key pair is deleted. you are prompted to enter a modulus length. Step 6. Enable the SSH server for local and remote authentication on the switch and generate an RSA key pair using the crypto key generate rsa command. a number of phases must be completed. For example. the default is 120 seconds. and parameter negation. Step 3. To configure both parameters use the ip ssh {timeout seconds | authentication-retries number} command. a user can allow the SSH session to sit for more than 10 minutes three times before the SSH session is terminated. The range is 0 to 120 seconds. Configuring the SSH Server Beginning in privileged EXEC mode. Return to privileged EXEC mode using the end command. protocol negotiation. The time-out value applies to the amount of time the switch allows for a connection to be established. the SSH server selects the latest SSH version supported by the SSH client. Enter global configuration mode using the configure terminal command. the SSH server selects SSHv2. For example. If you do not enter this command or do not specify a keyword. Show the status of the SSH server on the switch using the show ip ssh or show ssh command. use the crypto key zeroize rsa global configuration command. Step 5. 
the CLI-based session time-out value returns to the default of 10 minutes. When you generate RSA keys. if the SSH client supports SSHv1 and SSHv2. By default. . up to five simultaneous. but it takes longer to generate and to use. Step 1. A longer modulus length might be more secure. Specify the number of times that a client can re-authenticate to the server. the range is 0 to 5.

Step 5. Display the status of the SSH server connections on the switch using the show ip ssh or the show ssh command.

Step 6. (Optional) Save your entries in the configuration file using the copy running-config startup-config command.

If you want to prevent non-SSH connections, add the transport input ssh command in line configuration mode to limit the switch to SSH connections only. Straight (non-SSH) Telnet connections are refused.

For a detailed discussion on SSH, visit: http://www.cisco.com/en/US/tech/tk583/tk617/tsd_technology_support_protocol_home.html.

For an overview of RSA technology, visit http://en.wikipedia.org/wiki/Public-key_cryptography.

For a detailed discussion on RSA technology, visit: http://www.rsa.com/rsalabs/node.asp?id=2152.

2.4.4 Common security attacks

Security Attacks

Unfortunately, basic switch security does not stop malicious attacks from occurring. In this topic, you will learn about a few common security attacks and how dangerous they are. This topic provides introductory level information about security attacks. The details of how some of these common attacks work are beyond the scope of the course. If you find network security of interest, you should explore the course CCNA Exploration: Accessing the WAN.

MAC Address Flooding

MAC address flooding is a common attack. Recall that the MAC address table in a switch contains the MAC addresses available on a given physical port of a switch and the associated VLAN parameters for each. When a Layer 2 switch receives a frame, the switch looks in the MAC address table for the destination MAC address. All Catalyst switch models use a MAC address table for Layer 2 switching. As frames arrive on switch ports, the source MAC addresses are learned and recorded in the MAC address table. If an entry exists for the MAC address, the switch forwards the frame to the MAC address port designated in the MAC address table. If the MAC address does not exist, the switch acts like a hub and forwards the frame out every other port on the switch.

The key to understanding how MAC address table overflow attacks work is to know that MAC address tables are limited in size. MAC flooding makes use of this limitation to bombard the switch with fake source MAC addresses until the switch MAC address table is full. The switch then enters into what is known as a fail-open mode, starts acting as a hub, and broadcasts packets to all the machines on the network. As a result, the attacker can see all of the frames sent from a victim host to another host without a MAC address table entry. MAC address table overflow attacks are sometimes referred to as MAC flooding attacks.

To understand the mechanism of a MAC address table overflow attack, recall the basic operation of a switch.

Click the Step 1 button in the figure to see how a MAC address table overflow attack begins.

In the figure, host A sends traffic to host B. The switch receives the frames and looks up the destination MAC address in its MAC address table. If the switch cannot find the destination MAC in the MAC address table, the switch then copies the frame and broadcasts it out every switch port.

Click the Step 2 button in the figure to see the next step.

Host B receives the frame and sends a reply to host A. The switch then learns that the MAC address for host B is located on port 2 and writes that information into the MAC address table. Host C also receives the frame from host A to host B, but because the destination MAC address of that frame is host B, host C drops that frame.

Click the Step 3 button in the figure to see the next step.

Now, any frame sent by host A (or any other host) to host B is forwarded to port 2 of the switch and not broadcast out every port.

Click the Step 4 button in the figure to see how an attacker uses legitimate tools maliciously.

The figure shows how an attacker can use the normal operating characteristics of the switch to stop the switch from operating. MAC flooding can be performed using a network attack tool. The network intruder uses the attack tool to flood the switch with a large number of invalid source MAC addresses until the MAC address table fills up. When the MAC address table is full, the switch floods all ports with incoming traffic because it cannot find the port number for a particular MAC address in the MAC address table. The switch, in essence, acts like a hub.

Some network attack tools can generate 155,000 MAC entries on a switch per minute. Depending on the switch, the maximum MAC address table size varies.

In the figure, the attack tool is running on the host with MAC address C in the bottom right of the screen. This tool floods a switch with packets containing randomly generated source and destination MAC and IP addresses. Over a short period of time, the MAC address table in the switch fills up until it cannot accept new entries. When the MAC address table fills up with invalid source MAC addresses, the switch begins to forward all frames that it receives to every port.

Click the Step 5 button in the figure to see the next step.

As long as the network attack tool is left running, the MAC address table on the switch remains full. When this happens, the switch begins to broadcast all received frames out every port so that frames sent from host A to host B are also broadcast out of port 3 on the switch.


Spoofing Attacks

Click the Spoofing button in the figure.

One way an attacker can gain access to network traffic is to spoof responses that would be sent by a valid DHCP server. The DHCP spoofing device replies to client DHCP requests. The legitimate server may also reply, but if the spoofing device is on the same segment as the client, its reply to the client may arrive first. The intruder DHCP reply offers an IP address and supporting information that designates the intruder as the default gateway or Domain Name System (DNS) server. In the case of a gateway, the clients then forward packets to the attacking device, which in turn sends them to the desired destination. This is referred to as a man-in-the-middle attack, and it may go entirely undetected as the intruder intercepts the data flow through the network.

You should be aware of another type of DHCP attack called a DHCP starvation attack. The attacker PC continually requests IP addresses from a real DHCP server by changing their source MAC addresses. If successful, this kind of DHCP attack causes all of the leases on the real DHCP server to be allocated, thus preventing the real users (DHCP clients) from obtaining an IP address.

To prevent DHCP attacks, use the DHCP snooping and port security features on the Cisco Catalyst switches.

Cisco Catalyst DHCP Snooping and Port Security Features

DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted. Trusted ports can source all DHCP messages; untrusted ports can source requests only. Trusted ports host a DHCP server or can be an uplink toward the DHCP server. If a rogue device on an untrusted port attempts to send a DHCP response packet into the network, the port is shut down. This feature can be coupled with DHCP options in which switch information, such as the port ID of the DHCP request, can be inserted into the DHCP request packet.

Untrusted ports are those not explicitly configured as trusted. A DHCP binding table is built for untrusted ports. Each entry contains a client MAC address, IP address, lease time, binding type, VLAN number, and port ID recorded as clients make DHCP requests. The table is then used to filter subsequent DHCP traffic. From a DHCP snooping perspective, untrusted access ports should not send any DHCP server responses.

Click the DHCP Snooping button.

These steps illustrate how to configure DHCP snooping on a Cisco IOS switch:

Step 1. Enable DHCP snooping using the ip dhcp snooping global configuration command.

Step 2. Enable DHCP snooping for specific VLANs using the ip dhcp snooping vlan number [number] command.

Step 3. Define ports as trusted or untrusted at the interface level by defining the trusted ports using the ip dhcp snooping trust command.

Step 4. (Optional) Limit the rate at which an attacker can continually send bogus DHCP requests through untrusted ports to the DHCP server using the ip dhcp snooping limit rate rate command.
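The trusted/untrusted filtering, the binding table and the rate limit described above, as an added Python model written for this edit; it is not Cisco's implementation. Port names, MAC and IP addresses, the message field names (type, chaddr, yiaddr, lease) and the one-second rate window are constructed assumptions; the model creates a binding row when a client requests and completes it from the server's DHCPACK.

```python
from dataclasses import dataclass

SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}   # only a DHCP server sends these

@dataclass
class Binding:
    """One row of the snooping binding table: client MAC, IP, lease, type, VLAN, port."""
    mac: str
    vlan: int
    port: str
    ip: str = ""                        # filled in from the server's DHCPACK
    lease: int = 0
    binding_type: str = "dhcp-snooping"

@dataclass
class PortState:
    trusted: bool = False               # ip dhcp snooping trust
    rate_limit: int = 0                 # ip dhcp snooping limit rate <pps>; 0 = no limit
    err_disabled: bool = False
    window: int = -1                    # one-second window used for rate counting (assumed)
    count: int = 0

class DhcpSnooping:
    def __init__(self, vlans):
        self.vlans = set(vlans)                      # ip dhcp snooping vlan ...
        self.ports = {}                              # port name -> PortState
        self.bindings = {}                           # (client MAC, VLAN) -> Binding

    def port(self, name):
        return self.ports.setdefault(name, PortState())   # untrusted unless configured

    def trust(self, name):
        self.port(name).trusted = True

    def limit_rate(self, name, pps):
        self.port(name).rate_limit = pps

    def process(self, port_name, vlan, msg, second=0):
        """Filter one DHCP message; return "forward" or a "drop: ..." reason.
        msg carries "type" and "chaddr"; server replies add "yiaddr" and "lease"."""
        if vlan not in self.vlans:
            return "forward"                         # snooping not enabled on this VLAN
        port = self.port(port_name)
        if port.err_disabled:
            return "drop: port err-disabled"
        if port.trusted:                             # trusted ports may source any message
            if msg["type"] == "DHCPACK":             # complete the client's binding row
                row = self.bindings.get((msg["chaddr"], vlan))
                if row is not None:
                    row.ip, row.lease = msg["yiaddr"], msg["lease"]
            return "forward"
        if port.rate_limit:                          # bogus-request flood protection
            if port.window != second:
                port.window, port.count = second, 0
            port.count += 1
            if port.count > port.rate_limit:
                port.err_disabled = True
                return "drop: rate limit exceeded"
        if msg["type"] in SERVER_MSGS:               # rogue server reply on an access port
            port.err_disabled = True
            return "drop: server message on untrusted port"
        key = (msg["chaddr"], vlan)
        if msg["type"] in ("DHCPRELEASE", "DHCPDECLINE"):
            row = self.bindings.get(key)
            if row is None or row.port != port_name:
                return "drop: no matching binding"   # cannot release another port's lease
            del self.bindings[key]
            return "forward"
        self.bindings.setdefault(key, Binding(msg["chaddr"], vlan, port_name))
        return "forward"

def spoofing_demo():
    """Client on untrusted Fa0/2, real server behind trusted uplink Gi0/1, rogue on Fa0/3."""
    snoop = DhcpSnooping(vlans=[10])
    snoop.trust("Gi0/1")
    client = "00:11:22:33:44:55"                     # constructed client MAC
    offer = {"type": "DHCPOFFER", "chaddr": client, "yiaddr": "10.0.10.50", "lease": 86400}
    r = {"discover": snoop.process("Fa0/2", 10, {"type": "DHCPDISCOVER", "chaddr": client})}
    r["rogue_offer"] = snoop.process("Fa0/3", 10, dict(offer, yiaddr="10.0.10.200"))
    r["real_offer"] = snoop.process("Gi0/1", 10, offer)
    snoop.process("Fa0/2", 10, {"type": "DHCPREQUEST", "chaddr": client})
    snoop.process("Gi0/1", 10, dict(offer, type="DHCPACK"))
    r["binding_ip"] = snoop.bindings[(client, 10)].ip
    r["foreign_release"] = snoop.process("Fa0/4", 10, {"type": "DHCPRELEASE", "chaddr": client})
    r["rogue_port_disabled"] = snoop.port("Fa0/3").err_disabled
    return r

def starvation_demo(limit=15, requests=40):
    """Attacker on Fa0/5 floods DISCOVERs with changing source MACs inside one second."""
    snoop = DhcpSnooping(vlans=[10])
    snoop.limit_rate("Fa0/5", limit)
    forwarded = 0
    for i in range(requests):
        msg = {"type": "DHCPDISCOVER", "chaddr": "02:00:00:00:00:%02x" % i}   # constructed
        if snoop.process("Fa0/5", 10, msg, second=1) == "forward":
            forwarded += 1
    return {"forwarded": forwarded, "err_disabled": snoop.port("Fa0/5").err_disabled,
            "bindings": len(snoop.bindings)}
```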

CDP Attacks

The Cisco Discovery Protocol (CDP) is a proprietary protocol that all Cisco devices can be configured to use. CDP discovers other Cisco devices that are directly connected, which allows the devices to auto-configure their connection in some cases, simplifying configuration and connectivity. By default, most Cisco routers and switches have CDP enabled.

CDP information is sent in periodic broadcasts that are updated locally in each device's CDP database. Because CDP is a Layer 2 protocol, it is not propagated by routers.

CDP contains information about the device, such as the IP address, software version, platform, capabilities, and the native VLAN. When this information is available to an attacker, they can use it to find exploits to attack your network, typically in the form of a Denial of Service (DoS) attack.

The figure is a portion of an Ethereal packet trace showing the inside of a CDP packet. The Cisco IOS software version discovered via CDP, in particular, would allow the attacker to research and determine whether there were any security vulnerabilities specific to that particular version of code. Also, because CDP is unauthenticated, an attacker could craft bogus CDP packets and have them received by the attacker's directly connected Cisco device.

To address this vulnerability, it is recommended that you disable the use of CDP on devices that do not need to use it.

Telnet Attacks

The Telnet protocol can be used by an attacker to gain remote access to a Cisco network switch. In an earlier topic, you configured a login password for the vty lines and set the lines to require password authentication to gain access. This provides an essential and basic level of security to help protect the switch from unauthorized access. However, it is not a secure method of securing access to the vty lines. There are tools available that allow an attacker to launch a brute force password cracking attack against the vty lines on the switch.

Brute Force Password Attack

The first phase of a brute force password attack starts with the attacker using a list of common passwords and a program designed to try to establish a Telnet session using each word on the dictionary list. Luckily, you are smart enough not to use a dictionary word, so you are safe for now. In the second phase of a brute force attack, the attacker uses a program that creates sequential character combinations in an attempt to "guess" the password. Given enough time, a brute force password attack can crack almost all passwords used.

The simplest thing that you can do to limit the vulnerability to brute force password attacks is to change your passwords frequently and use strong passwords randomly mixing upper- and lowercase letters with numerals. More advanced configurations allow you to limit who can communicate with the vty lines by using access lists, but that is beyond the scope of this course.

DoS Attack

Another type of Telnet attack is the DoS attack. In a DoS attack, the attacker exploits a flaw in the Telnet server software running on the switch that renders the Telnet service unavailable. This sort of attack is mostly a nuisance because it prevents an administrator from performing switch management functions.

Vulnerabilities in the Telnet service that permit DoS attacks to occur are usually addressed in security patches that are included in newer Cisco IOS revisions. If you are experiencing a DoS attack against the Telnet service, or any other service on a Cisco device, check to see if there is a newer Cisco IOS revision available.

2.4.5 Security tools

After you have configured switch security, you need to verify that you have not left any weakness for an attacker to exploit. Network security is a complex and changing topic. In this section, you are introduced to how network security tools are one component used to protect a network from malicious attacks.

Network security tools help you test your network for various weaknesses. They are tools that allow you to play the roles of a hacker and a network security analyst. Using these tools, you can launch an attack and audit the results to determine how to adjust your security policies to prevent a given attack.

The features used by network security tools are constantly evolving. For example, network security tools once focused only on the services listening on the network and examined these services for flaws. Today, viruses and worms are able to propagate because of flaws in mail clients and web browsers. Modern network security tools not only detect the remote flaws of the hosts on the network, but also determine if there are application level flaws, such as missing patches on client computers. Network security extends beyond network devices, all the way to the desktop of users.

Security auditing and penetration testing are two basic functions that network security tools perform.

Network Security Audit

Network security tools allow you to perform a security audit of your network. A security audit reveals what sort of information an attacker can gather simply by monitoring network traffic. Network security auditing tools allow you to flood the MAC table with bogus MAC addresses. Then you can audit the switch ports as the switch starts flooding traffic out all ports as the legitimate MAC address mappings are aged out and replaced with more bogus MAC address mappings. In this way, you can determine which ports are compromised and have not been correctly configured to prevent this type of attack.

Timing is an important factor in performing the audit successfully. Different switches support varying numbers of MAC addresses in their MAC table. It can be tricky to determine the ideal amount of spoofed MAC addresses to throw out on the network. You also have to contend with the age-out period of the MAC table. If the spoofed MAC addresses start to age out while you are performing your network audit, valid MAC addresses start to populate the MAC table, limiting the data that you can monitor with a network auditing tool.

Network Penetration Testing

Network security tools can also be used for penetration testing against your network. This allows you to identify weaknesses within the configuration of your networking devices. There are numerous attacks that you can perform, and most tool suites come with extensive documentation detailing the syntax needed to execute the desired attack. Because these types of tests can have adverse effects on the network, they are carried out under very controlled conditions, following documented procedures detailed in a comprehensive network security policy. Of course, if you have a small classroom-based network, you can arrange to work with your instructor to try your own network penetration tests.

In the next topic, you will learn how to implement port security on your Cisco switches so that you can ensure these network security tests do not reveal any flaws in your security configuration.

Network Security Tools Features

A secure network really is a process, not a product. You cannot just enable a switch with a secure configuration and declare the job done. To say you have a secure network, you need to have a comprehensive network security plan defining how to regularly verify that your network can withstand the latest malicious network attacks. The changing landscape of security risks means that you need auditing and penetration tools that can be updated to look for the latest security risks. Common features of a modern network security tool include:

Service identification: Tools are used to target hosts using the Internet Assigned Numbers Authority (IANA) port numbers. These tools should also be able to discover an FTP server running on a non-standard port or a web server running on port 8080. The tool should also be able to test all the services running on a host.

Support of SSL services: Testing services that use SSL level security, including HTTPS, SMTPS, IMAPS, and security certificate.

Non-destructive and destructive testing: Performing non-destructive security audits on a routine basis that do not compromise or only moderately compromise network performance. The tools should also let you perform destructive audits that significantly degrade network performance. Destructive auditing allows you to see how well your network withstands attacks from intruders.

Database of vulnerabilities: Vulnerabilities change all the time. Network security tools need to be designed so they can plug in a module of code and then run a test for that vulnerability. In this way, a large database of vulnerabilities can be maintained and uploaded to the tool to ensure that the most recent vulnerabilities are being tested.

You can use network security tools to:
– Capture chat messages
– Capture files from NFS traffic
– Capture HTTP requests in Common Log Format
– Capture mail messages in Berkeley mbox format
– Capture passwords
– Display captured URLs in browser in real time
– Flood a switched LAN with random MAC addresses
– Forge replies to DNS address / pointer queries
– Intercept packets on a switched LAN

2.4.6 Configure port security

Using Port Security to Mitigate Attacks

In this topic, you will learn about the issues to consider when configuring port security on a switch. You will also learn about configuring static and dynamic port security. Key port security Cisco IOS commands are summarized.

Click the Port Security button in the figure.

Port Security

A switch that does not provide port security allows an attacker to attach a system to an unused, enabled port and to perform information gathering or attacks. A switch can be configured to act like a hub, which means that every system connected to the switch can potentially view all network traffic passing through the switch to all systems connected to the switch. Thus, an attacker could collect traffic that contains usernames, passwords, or configuration information about the systems on the network.

All switch ports or interfaces should be secured before the switch is deployed. Port security limits the number of valid MAC addresses allowed on a port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses.

If you limit the number of secure MAC addresses to one and assign a single secure MAC address to that port, the workstation attached to that port is assured the full bandwidth of the port, and only that workstation with that particular secure MAC address can successfully connect to that switch port.

If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, a security violation occurs when the MAC address of a workstation attempting to access the port is different from any of the identified secure MAC addresses. The figure summarizes these points.

Click the Secure MAC Address Types button in the figure.

Secure MAC Address Types

There are a number of ways to configure port security. The following describes the ways you can configure port security on a Cisco switch:

Static secure MAC addresses: MAC addresses are manually configured by using the switchport port-security mac-address mac-address interface configuration command. MAC addresses configured in this way are stored in the address table and are added to the running configuration on the switch.

Dynamic secure MAC addresses: MAC addresses are dynamically learned and stored only in the address table. MAC addresses configured in this way are removed when the switch restarts.

Sticky secure MAC addresses: You can configure a port to dynamically learn MAC addresses and then save these MAC addresses to the running configuration.

Sticky MAC Addresses

Sticky secure MAC addresses have these characteristics:

– When you enable sticky learning on an interface by using the switchport port-security mac-address sticky interface configuration command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses and adds all sticky secure MAC addresses to the running configuration.

– If you disable sticky learning by using the no switchport port-security mac-address sticky interface configuration command, the sticky secure MAC addresses remain part of the address table but are removed from the running configuration.

– When you configure sticky secure MAC addresses by using the switchport port-security mac-address sticky mac-address interface configuration command, these addresses are added to the address table and the running configuration. If port security is disabled, the sticky secure MAC addresses remain in the running configuration.

– If you save the sticky secure MAC addresses in the configuration file, when the switch restarts or the interface shuts down, the interface does not need to relearn these addresses. If you do not save the sticky secure addresses, they are lost.

– If you disable sticky learning and enter the switchport port-security mac-address sticky mac-address interface configuration command, an error message appears, and the sticky secure MAC address is not added to the running configuration.

Click the Security Violation Modes button in the figure.

Security Violation Modes

It is a security violation when either of these situations occurs:

– The maximum number of secure MAC addresses have been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.

– An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.

You can configure the interface for one of three violation modes, based on the action to be taken if a violation occurs. The figure presents which kinds of data traffic are forwarded when one of the following security violation modes are configured on a port:

– protect: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.

– restrict: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred. Specifically, an SNMP trap is sent, a syslog message is logged, and the violation counter increments.

– shutdown: In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the shutdown and no shutdown interface configuration commands. This is the default mode.
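The MAC address table overflow from topic 2.4.4 and the three violation modes above, in one added Python model written for this edit (not Cisco's code): a switch with a finite MAC address table floods unknown unicast once the table is full, and port security with a maximum of two addresses on the attacker's port keeps the table from filling. Port numbers, table size, MAC addresses and the per-round traffic pattern are constructed assumptions; MAC aging is left out, so hosts A and B are first learned after the table has filled, which is the situation an aged-out legitimate entry faces during the attack.

```python
from dataclasses import dataclass, field

FLOOD = "flood"   # unknown unicast: the frame is copied out every other port

@dataclass
class PortSecurity:
    """Per-port state mirroring the switchport port-security settings."""
    maximum: int = 1                 # switchport port-security maximum
    violation: str = "shutdown"      # protect | restrict | shutdown (the IOS default)
    secure_macs: set = field(default_factory=set)
    violations: int = 0
    err_disabled: bool = False

class Switch:
    def __init__(self, table_size):
        self.table_size = table_size          # the MAC address table is finite
        self.mac_table = {}                   # MAC -> port
        self.security = {}                    # port -> PortSecurity
        self.syslog = []

    def enable_port_security(self, port, maximum=1, violation="shutdown"):
        self.security[port] = PortSecurity(maximum, violation)

    def _port_security_allows(self, port, src):
        ps = self.security.get(port)
        if ps is None:
            return True
        if ps.err_disabled:
            return False                      # dropped until shutdown / no shutdown
        if src in ps.secure_macs:
            return True
        if len(ps.secure_macs) < ps.maximum:
            ps.secure_macs.add(src)           # dynamically learned secure MAC
            return True
        if ps.violation == "protect":
            return False                      # silent drop: no counter, no trap, no syslog
        ps.violations += 1                    # restrict and shutdown both notify
        self.syslog.append(f"%PORT_SECURITY: violation on port {port} by {src}")
        if ps.violation == "shutdown":
            ps.err_disabled = True
        return False

    def receive(self, port, src, dst):
        """Process one frame; return the egress port, FLOOD, or None if dropped."""
        if not self._port_security_allows(port, src):
            return None
        if src in self.mac_table or len(self.mac_table) < self.table_size:
            self.mac_table[src] = port        # a full table learns nothing new
        return self.mac_table.get(dst, FLOOD)

def overflow_demo(violation=None, rounds=5, fakes_per_round=200):
    """Attack host on port 3 bombards the switch with bogus source MACs; then
    host A (port 1) sends to host B (port 2) and B replies, once per round.
    Returns how often the A->B frame was flooded plus the port and table state."""
    sw = Switch(table_size=100)
    if violation:
        sw.enable_port_security(3, maximum=2, violation=violation)
    mac_a, mac_b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"   # constructed
    flooded = n = 0
    for _ in range(rounds):
        for _ in range(fakes_per_round):
            n += 1
            fake = "02:00:00:%02x:%02x:%02x" % (n >> 16 & 0xFF, n >> 8 & 0xFF, n & 0xFF)
            sw.receive(3, fake, "02:00:00:ff:ff:ff")          # constructed bogus frame
        if sw.receive(1, mac_a, mac_b) == FLOOD:
            flooded += 1
        sw.receive(2, mac_b, mac_a)
    ps = sw.security.get(3)
    return {"flooded": flooded, "table_entries": len(sw.mac_table),
            "violations": ps.violations if ps else 0,
            "err_disabled": ps.err_disabled if ps else False,
            "syslog": len(sw.syslog)}
```

Without port security every A->B frame is flooded and the table stays full of bogus entries; with any of the three modes only the first frame (a normal unknown-unicast flood) goes out every port, and only restrict and shutdown leave a trace in the violation counter and syslog.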

Configure Port Security

Click the Default Configuration button in the figure.

The ports on a Cisco switch are preconfigured with defaults. The figure summarizes the default port security configuration.

Click the Configure Dynamic Port Security button in the figure.

The figure shows the Cisco IOS CLI commands needed to configure port security on the Fast Ethernet F0/18 port on the S1 switch. Notice that the example does not specify a violation mode. In this example, the violation mode is set to shutdown.

Click the Configure Sticky Port Security button in the figure.

The figure shows how to enable sticky port security on Fast Ethernet port 0/18 of switch S1. As stated earlier, you can configure the maximum number of secure MAC addresses. In this example, you can see the Cisco IOS command syntax used to set the maximum number of MAC addresses to 50. The violation mode is set to shutdown by default.

There are other port security settings that you may find useful. For a complete listing of port security configuration options, visit: http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_44_se/configuration/guide/swtrafc.html


Verify Port Security

After you have configured port security for your switch, you want to verify that it has been configured correctly. You need to check each interface to verify that you have set the port security correctly. You also have to check to make sure that you have configured static MAC addresses correctly.

Verify Port Security Settings

To display port security settings for the switch or for the specified interface, use the show port-security [interface interface-id] command. The output displays the following:

– Maximum allowed number of secure MAC addresses for each interface
– Number of secure MAC addresses on the interface
– Number of security violations that have occurred
– Violation mode

Verify Secure MAC Addresses

Click the Verify Secure MAC Addresses button in the figure.

To display all secure MAC addresses configured on all switch interfaces or on a specified interface with aging information for each, use the show port-security [interface interface-id] address command.


Disable Unused Ports

In this topic, you will learn how to use a simple Cisco IOS command to secure unused switch ports.

A simple method many administrators use to help secure their network from unauthorized access is to disable all unused ports on a network switch. For example, imagine that a Cisco 2960 switch has 24 ports. If there are three Fast Ethernet connections in use, good security practice demands that you disable the 21 unused ports. The figure shows partial output for this configuration. Navigate to each unused port and issue this Cisco IOS shutdown command. An alternate way to shut down multiple ports is to use the interface range command. If a port needs to be activated, you can manually enter the no shutdown command on that interface.

It is simple to disable multiple ports on a switch. The process of enabling and disabling ports can become a tedious task, but the value in terms of enhancing security on your network is well worth the effort.

2.6.1 Chapter summary

In this chapter, we discussed IEEE 802.3 Ethernet communication using unicast, broadcast, and multicast traffic. Early implementations of Ethernet networks needed to use CSMA/CD to help prevent and detect collisions between frames on the network. Duplex settings and LAN segmentation improve performance and reduce the need for CSMA/CD. LAN design considerations include collision domains, broadcast domains, network latency, and LAN segmentation. LAN design is a process with the intended end result a determination of how a LAN is to be implemented. We discussed how switch forwarding methods influence LAN performance and latency, symmetric and asymmetric switching, and multilayer switching. Memory buffering plays a role in switch forwarding.
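For the Disable Unused Ports topic above, an added Python helper written for this edit (not from the course): it reads the output of show interfaces status, lists the enabled ports with nothing connected, and generates the interface range / shutdown lines. The sample output is constructed in the layout of that command, and a notconnect port may simply hold a powered-off host, so the generated list is meant to be reviewed against the port documentation before it is applied.

```python
import re

# Constructed sample in the layout of "show interfaces status" (not real output from
# the course's switch): three ports in use, Fa0/4 already shut down.
SAMPLE_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1     Uplink to R1       connected    1          a-full  a-100 10/100BaseTX
Fa0/2                        notconnect   1            auto   auto 10/100BaseTX
Fa0/3                        notconnect   1            auto   auto 10/100BaseTX
Fa0/4                        disabled     1            auto   auto 10/100BaseTX
Fa0/5     PC-A               connected    10         a-full  a-100 10/100BaseTX
Fa0/6                        notconnect   1            auto   auto 10/100BaseTX
Fa0/7                        notconnect   1            auto   auto 10/100BaseTX
Fa0/8     Printer            connected    10         a-full  a-100 10/100BaseTX
Gi0/1                        notconnect   1            auto   auto 10/100/1000BaseTX
Gi0/2                        notconnect   1            auto   auto 10/100/1000BaseTX
"""

STATUS_RE = re.compile(
    r"^(?P<port>\S+)\s.*?\b(?P<status>connected|notconnect|disabled|err-disabled)\b")
PORT_RE = re.compile(r"^(?P<prefix>.*/)(?P<num>\d+)$")   # e.g. "Fa0/" and "12"


def parse_status(text):
    """Return [(port, status), ...] from show interfaces status output."""
    rows = []
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m and m.group("port") != "Port":           # skip the header row
            rows.append((m.group("port"), m.group("status")))
    return rows


def unused_ports(rows):
    """Ports that are enabled but have nothing plugged in. 'disabled' ports are
    already shut down and 'connected' ports are in use, so both are left alone."""
    return [port for port, status in rows if status == "notconnect"]


def to_ranges(ports):
    """Coalesce consecutive port numbers on the same module into IOS range text."""
    runs = []                                         # [prefix, first, last]
    for port in ports:
        m = PORT_RE.match(port)
        prefix, num = m.group("prefix"), int(m.group("num"))
        if runs and runs[-1][0] == prefix and runs[-1][2] == num - 1:
            runs[-1][2] = num                         # extend the current run
        else:
            runs.append([prefix, num, num])
    return [f"{p}{a}" if a == b else f"{p}{a} - {b}" for p, a, b in runs]


def shutdown_commands(ports):
    """Configuration lines that disable the given ports with interface range."""
    lines = ["configure terminal"]
    for rng in to_ranges(ports):
        lines.append(f"interface range {rng}" if " - " in rng else f"interface {rng}")
        lines.append(" shutdown")
    lines.append("end")
    return lines


if __name__ == "__main__":
    print("\n".join(shutdown_commands(unused_ports(parse_status(SAMPLE_STATUS)))))
```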

An introduction to navigating the Cisco IOS CLI on a Cisco Catalyst 2960 switch was presented. The Cisco IOS C­LI maintains a command history that allows you to more quickly configure repetitive switch functions. Built-in help functions are used to identify commands and command options. We discussed the initial switch configuration and how to verify the switch configuration. Backing up a switch configuration and restoring a switch configuration are key skills for anyone administering a switch.

We learned how to secure access to the switch: implementing passwords to protect console and virtual terminal lines, implementing passwords to limit access to privileged EXEC mode, configuring system-wide password encryption, and enabling SSH. There are a number of security risks common to Cisco Catalyst switches, many of which are mitigated by using port security.



3 VLANs

3.0.1 Chapter introduction

Network performance can be a factor in an organization's productivity and its reputation for delivering as promised. One of the contributing technologies to excellent network performance is the separation of large broadcast domains into smaller ones with VLANs. Smaller broadcast domains limit the number of devices participating in broadcasts and allow devices to be separated into functional groupings, such as database services for an accounting department and high-speed data transfer for an engineering department. In this chapter, you will learn how to configure, manage, and troubleshoot VLANs and trunks.

3.1.1 Introducing VLANs

Before VLANs

To appreciate why VLANs are being widely used today, consider a small community college with student dorms and the faculty offices all in one building. The figure shows the student computers in one LAN and the faculty computers in another LAN. This works fine because each department is physically together, so it is easy to provide them with their network resources.

Click the Many Buildings button in the figure.

A year later, the college has grown and now has three buildings. In the figure, the original network is the same, but student and faculty computers are spread out across three buildings. The student dorms remain on the fifth floor and the faculty offices remain on the third floor. However, now the IT department wants to ensure that student computers all share the same security features and bandwidth controls. How can the network accommodate the shared needs of the geographically separated departments? Do you create a large LAN and wire each department together? How easy would it be to make changes to that network? It would be great to group the people with the resources they use regardless of their geographic location, and it would make it easier to manage their specific security and bandwidth needs.

VLAN Overview

The solution for the community college is to use a networking technology called a virtual LAN (VLAN). A VLAN allows a network administrator to create groups of logically networked devices that act as if they are on their own independent network, even if they share a common infrastructure with other VLANs. When you configure a VLAN, you can name it to describe the primary role of the users for that VLAN. As another example, all of the student computers in a school can be configured in the "Student" VLAN. Using VLANs, you can logically segment switched networks based on functions, departments, or project teams. You can also use a VLAN to geographically structure your network to support the growing reliance of companies on home-based workers. In the figure, one VLAN is created for students and another for faculty. These VLANs allow the network administrator to implement access and security policies to particular groups of users. For example, the faculty, but not the students, can be allowed access to e-learning management servers for developing online course materials.

Click the Details button in the figure.

VLAN Details

A VLAN is a logically separate IP subnetwork. VLANs allow multiple IP networks and subnets to exist on the same switched network. The figure shows a network with three computers. For computers to communicate on the same VLAN, each must have an IP address and a subnet mask that is consistent for that VLAN. The switch has to be configured with the VLAN and each port in the VLAN must be assigned to the VLAN. A switch port with a singular VLAN configured on it is called an access port. Remember, just because two computers are physically connected to the same switch does not mean that they can communicate. Devices on two separate networks and subnets must communicate via a router (Layer 3), whether or not VLANs are used. You do not need VLANs to have multiple networks and subnets on a switched network, but there are definite advantages to using VLANs.

Benefits of a VLAN

User productivity and network adaptability are key drivers for business growth and success. Implementing VLAN technology enables a network to more flexibly support business goals. The primary benefits of using VLANs are as follows:

Security - Groups that have sensitive data are separated from the rest of the network, decreasing the chances of confidential information breaches. Faculty computers are on VLAN 10 and completely separated from student and guest data traffic.

Cost reduction - Cost savings result from less need for expensive network upgrades and more efficient use of existing bandwidth and uplinks.

Higher performance - Dividing flat Layer 2 networks into multiple logical workgroups (broadcast domains) reduces unnecessary traffic on the network and boosts performance.

Broadcast storm mitigation - Dividing a network into VLANs reduces the number of devices that may participate in a broadcast storm. As discussed in the "Configure a Switch" chapter, LAN segmentation prevents a broadcast storm from propagating to the whole network. In the figure you can see that although there are six computers on this network, there are only three broadcast domains: Faculty, Student, and Guest.

Improved IT staff efficiency - VLANs make it easier to manage the network because users with similar network requirements share the same VLAN. When you provision a new switch, all the policies and procedures already configured for the particular VLAN are implemented when the ports are assigned. It is also easy for the IT staff to identify the function of a VLAN by giving it an appropriate name. In the figure, for easy identification VLAN 20 has been named "Student", VLAN 10 could be named "Faculty", and VLAN 30 "Guest."

Simpler project or application management - VLANs aggregate users and network devices to support business or geographic requirements. Having separate functions makes managing a project or working with a specialized application easier, for example, an e-learning development platform for faculty. It is also easier to determine the scope of the effects of upgrading network services.

VLAN ID Ranges

Access VLANs are divided into either a normal range or an extended range.

Normal Range VLANs

– Used in small- and medium-sized business and enterprise networks.
– Identified by a VLAN ID between 1 and 1005.
– IDs 1002 through 1005 are reserved for Token Ring and FDDI VLANs.
– IDs 1 and 1002 to 1005 are automatically created and cannot be removed. You will learn more about VLAN 1 later in this chapter.
– Configurations are stored within a VLAN database file, called vlan.dat. The vlan.dat file is located in the flash memory of the switch.
– The VLAN trunking protocol (VTP), which helps manage VLAN configurations between switches, can only learn normal range VLANs and stores them in the VLAN database file.

Extended Range VLANs

– Enable service providers to extend their infrastructure to a greater number of customers. Some global enterprises could be large enough to need extended range VLAN IDs.
– Are identified by a VLAN ID between 1006 and 4094.
– Support fewer VLAN features than normal range VLANs.
– Are saved in the running configuration file.
– VTP does not learn extended range VLANs.

255 VLANs Configurable

One Cisco Catalyst 2960 switch can support up to 255 normal range and extended range VLANs, although the number configured affects the performance of the switch hardware. Because an enterprise network may need a switch with a lot of ports, Cisco has developed enterprise-level switches that can be joined or stacked together to create a single switching unit consisting of nine separate switches. Each separate switch can have 48 ports, which totals 432 ports on a single switching unit. In this case, the 255 VLAN limit per single switch could be a constraint for some enterprise customers.

3.1.2 Types of VLANs

Today there is essentially one way of implementing VLANs - port-based VLANs. A port-based VLAN is associated with a port called an access VLAN.

However, in the network there are a number of terms for VLANs. Some terms define the type of network traffic they carry and others define a specific function a VLAN performs. The following describes common VLAN terminology:

Roll over the Data VLAN button in the figure.

Data VLAN

A data VLAN is a VLAN that is configured to carry only user-generated traffic. A VLAN could carry voice-based traffic or traffic used to manage the switch, but this traffic would not be part of a data VLAN. It is common practice to separate voice and management traffic from data traffic. The importance of separating user data from switch management control data and voice traffic is highlighted by the use of a special term used to identify VLANs that only carry user data - a "data VLAN". A data VLAN is sometimes referred to as a user VLAN.

Roll over the Default VLAN button in the figure.

Default VLAN

All switch ports become a member of the default VLAN after the initial boot up of the switch. Having all the switch ports participate in the default VLAN makes them all part of the same broadcast domain. This allows any device connected to any switch port to communicate with other devices on other switch ports. The default VLAN for Cisco switches is VLAN 1. VLAN 1 has all the features of any VLAN, except that you cannot rename it and you cannot delete it. By default, Layer 2 control traffic, such as CDP and spanning tree protocol traffic, is associated with VLAN 1. In the figure, VLAN 1 traffic is forwarded over the VLAN trunks connecting the S1, S2, and S3 switches. VLAN trunks support the transmission of traffic from more than one VLAN. It is a security best practice to change the default VLAN to a VLAN other than VLAN 1; this entails configuring all the ports on the switch to be associated with a default VLAN other than VLAN 1.

Roll over the Native VLAN button in the figure.

Native VLAN

A native VLAN is assigned to an 802.1Q trunk port. An 802.1Q trunk port supports traffic coming from many VLANs (tagged traffic) as well as traffic that does not come from a VLAN (untagged traffic). The 802.1Q trunk port places untagged traffic on the native VLAN. In the figure, the native VLAN is VLAN 99. Untagged traffic is generated by a computer attached to a switch port that is configured with the native VLAN. Native VLANs are set out in the IEEE 802.1Q specification to maintain backward compatibility with untagged traffic common to legacy LAN scenarios. For our purposes, a native VLAN serves as a common identifier on opposing ends of a trunk link. It is a best practice to use a VLAN other than VLAN 1 as the native VLAN.

Although VLAN trunks are mentioned throughout this section, they are explained in the next section on VLAN trunking.

Roll over the Management VLAN button in the figure.

Management VLAN

A management VLAN is any VLAN you configure to access the management capabilities of a switch. VLAN 1 would serve as the management VLAN if you did not proactively define a unique VLAN to serve as the management VLAN. You assign the management VLAN an IP address and subnet mask. A switch can be managed via HTTP, Telnet, SSH, or SNMP. Since the out-of-the-box configuration of a Cisco switch has VLAN 1 as the default VLAN, you see that VLAN 1 would be a bad choice as the management VLAN; you wouldn't want an arbitrary user connecting to a switch to default to the management VLAN. Recall that you configured the management VLAN as VLAN 99 in the Basic Switch Concepts and Configuration chapter.

Note: Some network administrators use the term "default VLAN" to mean a VLAN other than VLAN 1 defined by the network administrator as the VLAN that all ports are assigned to when they are not in use. In this case, the only role that VLAN 1 plays is that of handling Layer 2 control traffic for the network.

On the next page we will explore the one remaining VLAN type: voice VLANs.

Voice VLANs

It is easy to appreciate why a separate VLAN is needed to support Voice over IP (VoIP). Imagine you are receiving an emergency call and suddenly the quality of the transmission degrades so much you cannot understand what the caller is saying. VoIP traffic requires:

– Assured bandwidth to ensure voice quality
– Transmission priority over other types of network traffic
– Ability to be routed around congested areas on the network
– Delay of less than 150 milliseconds (ms) across the network

To meet these requirements, the entire network has to be designed to support VoIP. The details of how to configure a network to support VoIP are beyond the scope of the course, but it is useful to summarize how a voice VLAN works between a switch, a Cisco IP phone, and a computer.

In the figure, VLAN 150 is designed to carry voice traffic. The student computer PC5 is attached to the Cisco IP phone, and the phone is attached to switch S3. PC5 is in VLAN 20, which is used for student data.

The F0/18 port on S3 is configured to be in voice mode so that it will tell the phone to tag voice frames with VLAN 150. Data frames coming through the Cisco IP phone from PC5 are left untagged. Data destined for PC5 coming from port F0/18 is tagged with VLAN 20 on the way to the phone, which strips the VLAN tag before the data is forwarded to PC5. Tagging refers to the addition of bytes to a field in the data frame which is used by the switch to identify which VLAN the data frame should be sent to. You will learn later about how data frames are tagged.

Click The Details button in the figure.

A Cisco Phone is a Switch

The Cisco IP Phone contains an integrated three-port 10/100 switch as shown in the Figure. The ports provide dedicated connections to these devices:

– Port 1 connects to the switch or other voice-over-IP (VoIP) device.
– Port 2 is an internal 10/100 interface that carries the IP phone traffic.
– Port 3 (access port) connects to a PC or other device.

The figure shows one way to connect an IP Phone.

The voice VLAN feature enables switch ports to carry IP voice traffic from an IP phone. When the switch is connected to an IP Phone, the switch sends messages that instruct the attached IP phone to send voice traffic tagged with the voice VLAN ID 150. The traffic from the PC attached to the IP Phone passes through the IP phone untagged. When the switch port has been configured with a voice VLAN, the link between the switch and the IP phone acts as a trunk to carry both the tagged voice traffic and untagged data traffic.

Note: Communication between the switch and IP phone is facilitated by the CDP protocol. This protocol is discussed in greater detail in the CCNA Exploration: Routing Protocols and Concepts course.

Click the Sample Configuration button in the figure.

Sample Configuration

The figure shows sample output. A discussion of the Cisco IOS commands is beyond the scope of this course, but you can see that the highlighted areas in the sample output show the F0/18 interface configured with a VLAN configured for data (VLAN 20) and a VLAN configured for voice (VLAN 150).

Network Traffic Types

In CCNA Exploration: Network Fundamentals, you learned about the different kinds of traffic a LAN handles. Because a VLAN has all the characteristics of a LAN, a VLAN must accommodate the same network traffic as a LAN.

Roll over the Network Management button in the figure.

Network Management and Control Traffic

Many different types of network management and control traffic can be present on the network, such as Cisco Discovery Protocol (CDP) updates, Simple Network Management Protocol (SNMP) traffic, and Remote Monitoring (RMON) traffic. As you just learned, it is strongly recommended to assign a VLAN other than VLAN 1 as the management VLAN.

Roll over the IP Telephony button in the figure.

IP Telephony

The types of IP telephony traffic are signaling traffic and voice traffic. Signaling traffic is responsible for call setup, progress, and teardown, and traverses the network end to end. The other type of telephony traffic consists of data packets of the actual voice conversation. In a network configured with VLANs, data traffic should be associated with a data VLAN (other than VLAN 1), and voice traffic is associated with a voice VLAN.

Roll over the IP Multicast button in the figure.

IP Multicast

IP multicast traffic is sent from a particular source address to a multicast group that is identified by a single IP and MAC destination-group address pair. Examples of applications that generate this type of traffic are Cisco IP/TV broadcasts. Multicast traffic can produce a large amount of data streaming across the network. When the network must support multicast traffic, VLANs should be configured to ensure multicast traffic only goes to those user devices that use the service provided, such as remote video or audio applications. Routers must be configured to ensure that multicast traffic is forwarded to the network areas where it is requested.

Roll over the Normal Data button in the figure.

Normal Data

Normal data traffic is related to file creation and storage, print services, e-mail database access, and other shared network applications that are common to business uses. VLANs are a natural solution for this type of traffic because you can segment users by their functions or geographic area to more easily manage their specific needs.

Scavenger Class

The Scavenger class is intended to provide less-than best-effort services to certain applications. Applications assigned to this class have little or no contribution to the organizational objectives of the enterprise and are typically entertainment oriented in nature. These include peer-to-peer media-sharing applications (KaZaa, Morpheus, Grokster, Napster, iMesh, and so on), gaming applications (Doom, Quake, Unreal Tournament, and so on), and any entertainment video applications.

3.1.3 Switch port membership modes

Switch Ports

Switch ports are Layer 2-only interfaces associated with a physical port. Switch ports are used for managing the physical interface and associated Layer 2 protocols. They do not handle routing or bridging. Switch ports belong to one or more VLANs.

VLAN Switch Port Modes

When you configure a VLAN, you must assign it a number ID, and you can optionally give it a name. The purpose of VLAN implementations is to judiciously associate ports with particular VLANs. You configure the port to forward a frame to a specific VLAN. As mentioned previously, you can configure a VLAN in voice mode to support voice and data traffic coming from a Cisco IP phone. You can configure a port to belong to a VLAN by assigning a membership mode that specifies the kind of traffic the port carries and the VLANs to which it can belong. A port can be configured to support these VLAN types:

– Static VLAN - Ports on a switch are manually assigned to a VLAN. Static VLANs are configured using the Cisco CLI. This can also be accomplished with GUI management applications, such as the Cisco Network Assistant. However, a convenient feature of the CLI is that if you assign an interface to a VLAN that does not exist, the new VLAN is created for you. To see a sample static-VLAN configuration, click the Static Mode Example button in the figure. You will see this configuration later in the chapter.

– Dynamic VLAN - This mode is not widely used in production networks and is not explored in this course. However, it is useful to know what a dynamic VLAN is. A dynamic port VLAN membership is configured using a special server called a VLAN Membership Policy Server (VMPS). With the VMPS, you assign switch ports to VLANs dynamically, based on the source MAC address of the device connected to the port. The benefit comes when you move a host from a port on one switch in the network to a port on another switch in the network: the switch dynamically assigns the new port to the proper VLAN for that host.

– Voice VLAN - A port is configured to be in voice mode so that it can support an IP phone attached to it. Before you configure a voice VLAN on the port, you need to first configure a VLAN for voice and a VLAN for data. In the figure, VLAN 150 is the voice VLAN, and VLAN 20 is the data VLAN. It is assumed that the network has been configured to ensure that voice traffic can be transmitted with a priority status over the network. When a phone is first plugged into a switch port that is in voice mode, the switch port sends messages to the phone providing the phone with the appropriate voice VLAN ID and configuration. The IP phone tags the voice frames with the voice VLAN ID and forwards all voice traffic through the voice VLAN.

To examine parts of a voice mode configuration, click the Voice Mode Example button in the figure. The configuration command mls qos trust cos ensures that voice traffic is identified as priority traffic. Remember that the entire network must be set up to prioritize voice traffic; you cannot just configure the port with this command. The switchport voice vlan 150 command identifies VLAN 150 as the voice VLAN. You can see this verified in the bottom screen capture: Voice VLAN: 150 (VLAN0150). The switchport access vlan 20 command configures VLAN 20 as the access mode (data) VLAN. You can see this verified in the bottom screen capture: Access Mode VLAN: 20 (VLAN0020). This configuration will not be examined in detail now.

For more details about configuring a voice VLAN, visit this Cisco.com site: http://www.cisco.com/en/US/docs/switches/lan/catalyst2975/software/release/12.2_46_ex/configuration/guide/swvoip.html.

When you are done, click the Port Modes button in the figure.
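The VLAN types described above (default, native, management, voice) and the port-mode commands in this section each come with a recommendation: keep ports, the trunk native VLAN and the management SVI off VLAN 1, and give a voice port both a data and a voice VLAN. The script below is an added example, not code from the course or from Cisco, that parses a constructed running-config excerpt written in IOS syntax and flags exactly those cases. The interface names other than F0/18, the address on the SVI and the `switchport trunk native vlan 99` line are assumptions made for the example; the parser only understands the `interface ... / !` block layout shown.

```python
import re

# Constructed running-config excerpt in Cisco IOS syntax (not captured from a device).
# FastEthernet0/18 mirrors the chapter's voice-mode example (data VLAN 20, voice VLAN 150);
# the other interfaces are assumptions chosen to exercise each check.
SAMPLE_RUNNING_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/3
 switchport mode trunk
 switchport trunk native vlan 99
!
interface FastEthernet0/11
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet0/18
 switchport access vlan 20
 switchport voice vlan 150
 mls qos trust cos
!
interface FastEthernet0/19
 switchport voice vlan 150
!
interface FastEthernet0/24
 switchport mode access
!
interface Vlan1
 ip address 172.17.99.11 255.255.255.0
!
"""


def parse_interfaces(config_text):
    """Return {interface name: [sub-commands]} for each 'interface ...' block.

    A block runs from its 'interface X' line to the next '!' separator line.
    """
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line[len("interface "):]
            interfaces[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def _vlan_number(cmds, prefix):
    """VLAN number following `prefix` (for example 'switchport access vlan'), or None."""
    for cmd in cmds:
        match = re.fullmatch(re.escape(prefix) + r" (\d+)", cmd)
        if match:
            return int(match.group(1))
    return None


def audit_vlan_config(config_text):
    """Return sorted (interface, finding) pairs for the practices this chapter recommends:
    management SVI not on VLAN 1, trunk native VLAN not VLAN 1, no access port left in
    VLAN 1, and no voice VLAN on a port that has no data VLAN.
    """
    findings = []
    for name, cmds in parse_interfaces(config_text).items():
        if name.lower().startswith("vlan"):
            # Switch virtual interface ('interface Vlan99' style) carries the management address.
            if int(name[4:]) == 1 and any(c.startswith("ip address ") for c in cmds):
                findings.append((name, "management SVI sits on default VLAN 1"))
            continue
        access = _vlan_number(cmds, "switchport access vlan")
        voice = _vlan_number(cmds, "switchport voice vlan")
        native = _vlan_number(cmds, "switchport trunk native vlan")
        if "switchport mode trunk" in cmds:
            if native in (None, 1):   # no native VLAN configured means VLAN 1
                findings.append((name, "trunk native VLAN is VLAN 1"))
        else:
            if access in (None, 1):   # an unconfigured access port stays in VLAN 1
                findings.append((name, "access port left in default VLAN 1"))
            if voice is not None and access is None:
                findings.append((name, "voice VLAN configured without a data VLAN"))
    return sorted(findings)
```

Running `audit_vlan_config(SAMPLE_RUNNING_CONFIG)` reports F0/1 (trunk with the default native VLAN), F0/19 (voice VLAN but no data VLAN, and therefore still in VLAN 1), F0/24 (access port never moved out of VLAN 1) and the SVI on VLAN 1, while F0/3, F0/11 and F0/18 pass. The same checks apply to `show running-config` output saved from a real switch as long as the interface blocks keep the `!` separators.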


3.1.4 Controlling broadcast domains with VLANs

Network Without VLANs

In normal operation, when a switch receives a broadcast frame on one of its ports, it forwards the frame out all other ports on the switch. In the figure, the entire network is configured in the same subnet, 172.17.40.0/24. As a result, when the faculty computer, PC1, sends out a broadcast frame, switch S2 sends that broadcast frame out all of its ports. Eventually the entire network receives it; the network is one broadcast domain.

Click the Network broadcasts with VLAN segmentation button in the figure.

Network with VLANs

In the figure, the network has been segmented into two VLANs: Faculty as VLAN 10 and Student as VLAN 20. When the broadcast frame is sent from the faculty computer, PC1, to switch S2, the switch forwards that broadcast frame only to those switch ports configured to support VLAN 10.

In the figure, the ports that make up the connection between switches S2 and S1 (ports F0/1) and between S1 and S3 (ports F0/3) have been configured to support all the VLANs in the network. This connection is called a trunk. You will learn more about trunks later in this chapter.

When S1 receives the broadcast frame on port F0/1, S1 forwards that broadcast frame out the only port configured to support VLAN 10, port F0/3. When S3 receives the broadcast frame on port F0/3, it forwards that broadcast frame out the only port configured to support VLAN 10, port F0/11. The broadcast frame arrives at the only other computer in the network configured on VLAN 10, faculty computer PC4.

When VLANs are implemented on a switch, the transmission of unicast, multicast, and broadcast traffic from a host on a particular VLAN is constrained to the devices that are on the VLAN.


Controlling Broadcast Domains with Switches and Routers

Breaking up a big broadcast domain into several smaller ones reduces broadcast traffic and improves network performance. Breaking up domains into VLANs also allows for better information confidentiality within an organization. Breaking up broadcast domains can be performed either with VLANs (on switches) or with routers. A router is needed any time devices on different Layer 3 networks need to communicate, regardless of whether VLANs are used.

Intra-VLAN Communication

In the figure, PC1 wants to communicate with another device, PC4. PC1 and PC4 are both in VLAN 10. Communicating with a device in the same VLAN is called intra-VLAN communication. The following describes how this process is accomplished:

Click the Intra-VLAN Communication button and click the Play button to start the animation.

Step 1. PC1 in VLAN 10 sends its ARP request frame (broadcast) to switch S2. Switches S2 and S1 send the ARP request frame out all ports on VLAN 10. Switch S3 sends the ARP request out port F0/11 to PC4 on VLAN 10.

Step 2. The switches in the network forward the ARP reply frame (unicast) to PC1. PC1 receives the reply, which contains the MAC address of PC4.

Step 3. PC1 now has the destination MAC address of PC4 and uses this to create a unicast frame with PC4's MAC address as the destination. Switches S2, S1 and S3 deliver the frame to PC4.

Inter-VLAN Communication

In the figure, PC1 in VLAN 10 wants to communicate with PC5 in VLAN 20. Communicating with a device in another VLAN is called inter-VLAN communication.

Note: There are two connections from switch S1 to the router: one to carry transmissions on VLAN 10, and the other to carry transmissions on VLAN 20 to the router interface.

Click the Inter-VLAN Communication button and click the Play button to start the animation.

The following describes how this process is accomplished:

Step 1. PC1 in VLAN 10 wants to communicate with PC5 in VLAN 20. PC1 sends an ARP request frame for the MAC address of the default gateway R1.

Step 2. The router R1 replies with an ARP reply frame from its interface configured on VLAN 10. All switches forward the ARP reply frame and PC1 receives it. The ARP reply contains the MAC address of the default gateway.

Step 3. PC1 then creates an Ethernet frame with the MAC address of the Default Gateway. The frame is sent from switch S2 to S1.

Step 4. The router R1 sends an ARP request frame on VLAN 20 to determine the MAC address of PC5. Switches S2, S3, S1 broadcast the ARP request frame out ports configured for VLAN 20. PC5 on VLAN 20 receives the ARP request frame from router R1.

Step 5. PC5 on VLAN 20 sends an ARP reply frame to switch S3. Switches S3 and S1 forward the ARP reply frame to router R1 with the destination MAC address of interface F0/2 on router R1.

Step 6. Router R1 sends the frame received from PC1 through S1 and S3 to PC5 (on VLAN 20).


Controlling Broadcast Domains with VLANs and Layer 3 Forwarding

In the last chapter, you learned about some of the differences between Layer 2 and Layer 3 switches. The figure shows the Catalyst 3750G-24PS switch, one of many Cisco switches that supports Layer 3 routing. The icon that represents a Layer 3 switch is shown. A discussion of Layer 3 switching is beyond the scope of this course, but a brief description of the switch virtual interface (SVI) technology that allows a Layer 3 switch to route transmissions between VLANs is helpful.

SVI

SVI is a logical interface configured for a specific VLAN. You need to configure an SVI for a VLAN if you want to route between VLANs or to provide IP host connectivity to the switch. By default, an SVI is created for the default VLAN (VLAN 1) to permit remote switch administration.

Layer 3 Forwarding

A Layer 3 switch has the ability to route transmissions between VLANs. The procedure is the same as described for the inter-VLAN communication using a separate router, except that the SVIs act as the router interfaces for routing the data between VLANs. The animation describes this process.

Click the Layer 3 Forwarding Example button in the figure to see an animation that presents a simplified representation of how a Layer 3 switch controls broadcast domains.

In the animation, PC1 wants to communicate with PC5. The following steps outline the communication through the Layer 3 switch S1:

Step 1. PC1 sends an ARP request broadcast on VLAN 10. S2 forwards the ARP request out all ports configured for VLAN 10.

Step 2. Switch S1 forwards the ARP request out all ports configured for VLAN 10, including the SVI for VLAN 10. Switch S3 forwards the ARP request out all ports configured for VLAN 10.

Step 3. The SVI for VLAN 10 in switch S1 knows the location of VLAN 20. The SVI for VLAN 10 in switch S1 sends an ARP reply back to PC1 with this information.

Step 4. PC1 sends data, destined for PC5, as a unicast frame through switch S2 to the SVI for VLAN 10 in switch S1.

Step 5. The SVI for VLAN 20 sends an ARP request broadcast out all switch ports configured for VLAN 20. Switch S3 sends that ARP request broadcast out all switch ports configured for VLAN 20.

Step 6. PC5 on VLAN 20 sends an ARP reply. Switch S3 sends that ARP reply to S1. Switch S1 forwards the ARP reply to the SVI for VLAN 20.

Step 7. The SVI for VLAN 20 forwards the data, sent from PC1, in a unicast frame to PC5 using the destination address it learned from the ARP reply in step 6.


3.2.1 VLAN trunks
What is a Trunk?


It is hard to describe VLANs without mentioning VLAN trunks. You learned about
controlling network broadcasts with VLAN segmentation, and you saw how VLAN
trunks transmitted traffic to different parts of the network configured in one
VLAN. In the figure, the links between switches S1 and S2, and S1 and S3, are
configured to transmit traffic coming from VLAN 10, 20, 30, and 99. This network
simply could not function without VLAN trunks. You will find that most networks
that you encounter are configured with VLAN trunks. This section brings together
the knowledge you already have on VLAN trunking and provides the details you
need to be able to configure VLAN trunking in a network.

Definition of a VLAN Trunk

A trunk is a point-to-point link between two network devices that carries more
than one VLAN. A VLAN trunk allows you to extend the VLANs across an entire
network. Cisco supports IEEE 802.1Q for coordinating trunks on Fast Ethernet and
Gigabit Ethernet interfaces. You will learn about 802.1Q later in this section.

A VLAN trunk does not belong to a specific VLAN, rather it is a conduit for VLANs
between switches and routers.

What Problem Does a Trunk Solve?

In the figure, you see the standard topology used in this chapter, except instead
of the VLAN trunk that you are used to seeing between switches S1 and S2, there
is a separate link for each subnet. There are four separate links connecting
switches S1 and S2, leaving three fewer ports to allocate to end-user devices.
Each time a new subnetwork is considered, a new link is needed for each switch
in the network.

Click the With VLAN Trunks button in the figure.

In the figure, the network topology shows a VLAN trunk connecting switches S1
and S2 with a single physical link. This is the way a network should be configured.


802.1Q Frame Tagging

Remember that switches are Layer 2 devices. They only use the Ethernet frame
header information to forward frames. The frame header does not contain
information about which VLAN the frame should belong to. Consequently, when
Ethernet frames are placed on a trunk they need additional information about the
VLANs they belong to. This is accomplished by using the 802.1Q encapsulation
header. This header adds a tag to the original Ethernet frame specifying the
VLAN to which the frame belongs.

Frame tagging has been mentioned a number of times. The first time was in
reference to the voice mode configuration on a switch port. There you learned
that once configured, a Cisco phone (which includes a small switch) tags voice
frames with a VLAN ID. You also learned that VLAN IDs can be in a normal range,
1-1005, and an extended range, 1006-4094. How do VLAN IDs get inserted into a
frame?

VLAN Frame Tagging Overview

Before exploring the details of an 802.1Q frame, it is helpful to understand what
a switch does when it forwards a frame out a trunk link. When the switch receives
a frame on a port configured in access mode with a static VLAN, the switch takes
apart the frame and inserts a VLAN tag, recalculates the FCS and sends the
tagged frame out a trunk port.

Note: An animation of the trunking operation is presented later in this section.

VLAN Tag Field Details

The VLAN tag field consists of an EtherType field, a tag control information
field, and the FCS field.

EtherType field

Set to the hexadecimal value of 0x8100. This value is called the tag protocol ID
(TPID) value. With the EtherType field set to the TPID value, the switch receiving
the frame knows to look for information in the tag control information field.

Tag control information field

The tag control information field contains:

– 3 bits of user priority - Used by the 802.1p standard, which specifies how
to provide expedited transmission of Layer 2 frames. A description of the
IEEE 802.1p is beyond the scope of this course; however, you learned a
little about it earlier in the discussion on voice VLANs.
– 1 bit of Canonical Format Identifier (CFI) - Enables Token Ring frames to be
carried across Ethernet links easily.
– 12 bits of VLAN ID (VID) - VLAN identification numbers; supports up to
4096 VLAN IDs.

FCS field

After the switch inserts the EtherType and tag control information fields, it
recalculates the FCS value and inserts it into the frame.


3.2.2 Trunking information
A Trunk in Action

You have learned how a switch handles untagged traffic on a trunk link. You now
know that frames traversing a trunk are tagged with the VLAN ID of the access
port the frame arrived on. In the figure, PC1 on VLAN 10 and PC3 on VLAN 30
send broadcast frames to switch S2. Switch S2 tags these frames with the
appropriate VLAN ID and then forwards the frames over the trunk to switch S1.
Switch S1 reads the VLAN ID on the frames and broadcasts them to each port
configured to support VLAN 10 and VLAN 30. Switch S3 receives these frames
and strips off the VLAN IDs and forwards them as untagged frames to PC4 on
VLAN 10 and PC6 on VLAN 30.

Click Play on the animation toolbar in the figure.
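To make the sequence just described concrete, together with the tag layout from the 802.1Q Frame Tagging section above, here is an added Python example; it is not code from the course or from Cisco. It builds an untagged Ethernet frame, inserts the 0x8100 TPID and the 3-bit priority / 1-bit CFI / 12-bit VID tag control field after the source MAC, recomputes the FCS as a CRC-32, and then pushes PC1's and PC3's broadcasts through a small S2, S1, S3 model in which trunk ports tag on egress, access ports strip the tag on delivery, and a frame is flooded only to ports in its VLAN. The MAC addresses, the ARP payload text, the VLAN 30 ports on F0/18, S1's VLAN 20 access port and the native VLAN 99 on the trunks are assumptions made for the example.

```python
import struct
import zlib

TPID = 0x8100                 # EtherType value that announces an 802.1Q tag
BROADCAST = bytes.fromhex("ffffffffffff")

def fcs(body):
    """Ethernet FCS: CRC-32 over the frame, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)

def build_frame(dst, src, ethertype, payload):
    """Untagged Ethernet II frame: dst, src, EtherType, payload, FCS."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)

def tag_frame(frame, vid, pcp=0, cfi=0):
    """Insert the 4-byte tag (TPID, then PCP/CFI/VID) after the source MAC; recompute the FCS."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be in 1..4094")
    tci = (pcp & 0x7) << 13 | (cfi & 0x1) << 12 | vid
    body = frame[:12] + struct.pack("!HH", TPID, tci) + frame[12:-4]
    return body + fcs(body)

def parse_tag(frame):
    """(pcp, cfi, vid) if the frame carries an 802.1Q tag, else None."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != TPID:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF

def strip_tag(frame):
    """Remove the tag and recompute the FCS, as an access port does on egress."""
    body = frame[:12] + frame[16:-4]
    return body + fcs(body)

def fcs_ok(frame):
    return frame[-4:] == fcs(frame[:-4])

class Switch:
    """Ports are ('access', vid) or ('trunk', native_vid). Only flooding is modelled."""
    def __init__(self, name, ports):
        self.name, self.ports = name, ports
        self.links = {}       # port -> (neighbour switch, neighbour port)
        self.received = []    # (port, frame) as seen on ingress
        self.delivered = []   # (port, frame) handed to an end device

    def connect(self, port, other, other_port):
        self.links[port] = (other, other_port)
        other.links[other_port] = (self, port)

    def receive(self, in_port, frame):
        if not fcs_ok(frame):
            return                          # corrupted frame: dropped
        self.received.append((in_port, frame))
        mode, pvid = self.ports[in_port]
        tag = parse_tag(frame)
        if mode == "access":
            if tag is not None and tag[2] != pvid:
                return                      # tagged for another VLAN: an access port drops it
            vid = pvid
        else:                               # untagged or null VID on a trunk -> native VLAN
            vid = pvid if tag is None or tag[2] == 0 else tag[2]
        untagged = strip_tag(frame) if tag is not None else frame
        for out_port, (out_mode, out_pvid) in self.ports.items():
            if out_port == in_port:
                continue
            if out_mode == "access":
                if out_pvid == vid:         # flood only within the frame's VLAN
                    self._send(out_port, untagged)
            elif vid == out_pvid:           # native VLAN crosses the trunk untagged
                self._send(out_port, untagged)
            else:
                self._send(out_port, tag_frame(untagged, vid))

    def _send(self, port, frame):
        if port in self.links:
            other, other_port = self.links[port]
            other.receive(other_port, frame)
        else:
            self.delivered.append((port, frame))

def build_topology():
    """S2 - S1 - S3 as in the figure; VLAN 30 ports, S1's VLAN 20 port and native VLAN 99 are assumed."""
    s1 = Switch("S1", {"F0/1": ("trunk", 99), "F0/3": ("trunk", 99), "F0/18": ("access", 20)})
    s2 = Switch("S2", {"F0/1": ("trunk", 99), "F0/11": ("access", 10), "F0/18": ("access", 30)})
    s3 = Switch("S3", {"F0/3": ("trunk", 99), "F0/11": ("access", 10), "F0/18": ("access", 30)})
    s2.connect("F0/1", s1, "F0/1")
    s1.connect("F0/3", s3, "F0/3")
    return s1, s2, s3

def run_trunk_demo():
    """PC1 (VLAN 10) and PC3 (VLAN 30) on S2 each broadcast an ARP request (constructed MACs
    and payloads); report per switch the tags seen on ingress and what reached end devices."""
    s1, s2, s3 = build_topology()
    pc1, pc3 = bytes.fromhex("0000aa000001"), bytes.fromhex("0000aa000003")
    s2.receive("F0/11", build_frame(BROADCAST, pc1, 0x0806, b"who-has PC4?"))
    s2.receive("F0/18", build_frame(BROADCAST, pc3, 0x0806, b"who-has PC6?"))
    return {sw.name: {"ingress": [(p, parse_tag(f)) for p, f in sw.received],
                      "delivered": [(p, parse_tag(f), fcs_ok(f)) for p, f in sw.delivered]}
            for sw in (s1, s2, s3)}
```

`run_trunk_demo()` shows S1 and S3 receiving the two broadcasts on their trunk ports tagged with VID 10 and VID 30, S3 delivering them untagged on F0/11 and F0/18 only, and nothing at all reaching S1's VLAN 20 port. Feeding a deliberately corrupted frame into `Switch.receive` is silently discarded by the FCS check, which is why `strip_tag` and `tag_frame` both recompute the FCS rather than copying it.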


3.2.3 Trunking modes

You have learned how 802.1Q trunking works on Cisco switch ports. Now it is time to examine the 802.1Q trunk port mode configuration options. First we need to discuss a Cisco legacy trunking protocol called inter-switch link (ISL).

IEEE 802.1Q, Not ISL

Although a Cisco switch can be configured to support two types of trunk ports, IEEE 802.1Q and ISL, today only 802.1Q is used. However, legacy networks may still use ISL, and it is useful to learn about each type of trunk port, because you will see this option in the switch software configuration guides.

– An IEEE 802.1Q trunk port supports simultaneous tagged and untagged traffic. An 802.1Q trunk port is assigned a default PVID, and all untagged traffic travels on the port default PVID. All untagged traffic and tagged traffic with a null VLAN ID are assumed to belong to the port default PVID. A packet with a VLAN ID equal to the outgoing port default PVID is sent untagged. All other traffic is sent with a VLAN tag.
– In an ISL trunk port, all received packets are expected to be encapsulated with an ISL header, and all transmitted packets are sent with an ISL header. Native (non-tagged) frames received from an ISL trunk port are dropped. ISL is no longer a recommended trunk port mode, and it is not supported on a number of Cisco switches.

DTP

Dynamic Trunking Protocol (DTP) is a Cisco proprietary protocol. Switches from other vendors do not support DTP. DTP is automatically enabled on a switch port when certain trunking modes are configured on the switch port. DTP manages trunk negotiation only if the port on the other switch is configured in a trunk mode that supports DTP. DTP supports both ISL and 802.1Q trunks. This course focuses on the 802.1Q implementation of DTP. A detailed discussion on DTP is beyond the scope of this course; however, you will enable it in the labs and activities associated with the chapter. Switches do not need DTP to do trunking, and some Cisco switches and routers do not support DTP. To learn about DTP support on Cisco switches, visit: http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a008017f86a.shtml.

Trunking Modes

A switch port on a Cisco switch supports a number of trunking modes. The trunking mode defines how the port negotiates using DTP to set up a trunk link with its peer port. The following provides a brief description of the available trunking modes and how DTP is implemented in each.

On (default)

The switch port periodically sends DTP frames, called advertisements, to the remote port. The command used is switchport mode trunk. The local switch port advertises to the remote port that it is dynamically changing to a trunking state. The local port then, regardless of what DTP information the remote port sends as a response to the advertisement, changes to a trunking state. The local port is considered to be in an unconditional (always on) trunking state.

Dynamic auto

The switch port periodically sends DTP frames to the remote port. The command used is switchport mode dynamic auto. The local switch port advertises to the remote switch port that it is able to trunk but does not request to go to the trunking state. After a DTP negotiation, the local port ends up in trunking state only if the remote port trunk mode has been configured to be on or desirable. If both ports on the switches are set to auto, they do not negotiate to be in a trunking state. They negotiate to be in the access (non-trunk) mode state.

Dynamic desirable

DTP frames are sent periodically to the remote port. The command used is switchport mode dynamic desirable. The local switch port advertises to the remote switch port that it is able to trunk and asks the remote switch port to go to the trunking state. If the local port detects that the remote has been configured in on, desirable, or auto mode, the local port ends up in trunking state. If the remote switch port is in the nonegotiate mode, the local switch port remains as a nontrunking port.

Turn off DTP

You can turn off DTP for the trunk so that the local port does not send out DTP frames to the remote port. Use the command switchport nonegotiate. The local port is then considered to be in an unconditional trunking state. Use this feature when you need to configure a trunk with a switch from another switch vendor.

A Trunk Mode Example

In the figure, the F0/1 ports on switches S1 and S2 are configured with trunk mode on. The F0/3 ports on switches S1 and S3 are configured to be in auto trunk mode. When the switch configurations are completed and the switches are fully configured, which link will be a trunk?

Click the Which link will be configured as a trunk? button in the figure.

The link between switches S1 and S2 becomes a trunk because the F0/1 ports on switches S1 and S2 are configured to ignore all DTP advertisements and come up and stay in trunk port mode. The F0/3 ports on switches S1 and S3 are set to auto, so they negotiate to be in the default state, the access (non-trunk) mode state. This results in an inactive trunk link. When you configure a trunk port to be in trunk port mode, there is no ambiguity about which state the trunk is in: it is always on. It is also easy to remember which state the trunk ports are in: if the port is supposed to be a trunk, trunk mode is on.

but the default switchport mode for an interface on a Catalyst 2960 switch is dynamic auto. For information on which Cisco switches support 802. If S1 and S3 were Catalyst 2950 switches with interface F0/3 in default switchport mode. and DTP. the link between S1 and S3 would become an active trunk. . Click the DTP Modes button in the figure to review the mode interactions.com/en/US/tech/tk389/tk689/technologies_tech_note09186a008 017f86a. For information on how to support ISL on legacy networks.1Q.cisco. visit: http://www.cisco. 192 Note: The default switchport mode for an interface on a Catalyst 2950 switch is dynamic desirable.html.com/en/US/tech/tk389/tk689/tsd_technology_support_troublesho oting_technotes_list.shtml#topic1. ISL. visit: http://www.

3.3.1 Configuring VLANs and trunks overview
In this chapter, you have already seen examples of the commands used to configure VLANs and VLAN trunks. In this section, you will learn the key Cisco IOS commands needed to create, delete, and verify VLANs and VLAN trunks. Often these commands have many optional parameters that extend the capabilities of the VLAN and VLAN trunk technology. These optional commands are not presented; however, references are provided if you want to research these options. The focus of this section is to provide you with the necessary skills and knowledge to configure VLANs and VLAN trunks with their key features.

In this section, you are shown the configuration and verification syntax for one side of a VLAN or trunk. In the labs and activities, you will configure both sides and verify that the link (VLAN or VLAN trunk) is configured correctly.

Note: If you want to keep the newly configured running configuration, you must save it to the startup configuration.

3.3.2 Configure a VLAN
Add a VLAN
In this topic, you will learn how to create a static VLAN on a Cisco Catalyst switch using VLAN global configuration mode. There are two different modes for configuring VLANs on a Cisco Catalyst switch, database configuration mode and global configuration mode. Although the Cisco documentation mentions VLAN database configuration mode, it is being phased out in favor of VLAN global configuration mode.

You will configure VLANs with IDs in the normal range. Recall there are two ranges of VLAN IDs. The normal range includes IDs 1 to 1001, and the extended range consists of IDs 1006 to 4094. VLAN 1 and 1002 to 1005 are reserved ID numbers. When you configure normal range VLANs, the configuration details are stored automatically in flash memory on the switch in a file called vlan.dat. Because you often configure other aspects of a Cisco switch at the same time, it is good practice to save running configuration changes to the startup configuration.

Click the Command Syntax button in the figure. The figure reviews the Cisco IOS commands used to add a VLAN to a switch.

Note: In addition to entering a single VLAN ID, you can enter a series of VLAN IDs separated by commas, or a range of VLAN IDs separated by hyphens, using the vlan vlan-id command, for example: switch(config)#vlan 100,102,105-107.

Click the Example button in the figure. The figure shows how the student VLAN, VLAN 20, is configured on switch S1. In the topology example, the student computer, PC2, is not in a VLAN yet, but it has an IP address of 172.17.20.22.

Click the Verification button in the figure. The figure shows an example of using the show vlan brief command to display the contents of the vlan.dat file. The student VLAN, VLAN 20, is highlighted in the screen capture. The default VLAN IDs 1 and 1002 to 1005 are shown in the screen output.

Assign a Switch Port
After you have created a VLAN, assign one or more ports to the VLAN. When you manually assign a switch port to a VLAN, it is known as a static access port. A static access port can belong to only one VLAN at a time.

Click the Command Syntax button in the figure to review the Cisco IOS commands used to assign a static access port to a VLAN.

Click the Example button in the figure to see how the student VLAN, VLAN 20, is statically assigned to port F0/18 on switch S1. Port F0/18 has been assigned to VLAN 20, so the student computer, PC2, is in VLAN 20. When VLAN 20 is configured on other switches, the network administrator knows to configure the other student computers to be in the same subnet as PC2: 172.17.20.0 /24.

Click the Verification button in the figure to confirm that the show vlan brief command displays the contents of the vlan.dat file. The student VLAN, VLAN 20, is highlighted in the screen capture.


3.3.3 Managing VLANs
Verify VLANs and Port Memberships
After you configure the VLAN, you can validate the VLAN configurations using Cisco IOS show commands.

Click the Command Syntax button in the figure. The command syntax for the various Cisco IOS show commands should be well known. Examples of these commands can be seen by clicking the buttons in the figure.

Click the Show VLAN button in the figure. You have used the show vlan brief command already. In this example, you can see that the show vlan name student command does not produce very readable output. The preference here is to use the show vlan brief command. The show vlan summary command displays the count of all configured VLANs. The output shows six VLANs: 1, 1002-1005, and the student VLAN, VLAN 20. For details on the show vlan command output fields, visit: http://www.cisco.com/en/US/docs/ios/lanswitch/command/reference/lsw_s2.html#wp1017387.

Click the Interfaces VLAN button in the figure. This command displays a lot of detail that is beyond the scope of this chapter. The key information appears on the second line of the screen capture, indicating that VLAN 20 is up. For details on the show interfaces command output fields, visit: http://www.cisco.com/en/US/docs/ios/12_0/interface/command/reference/irshowin.html#wp1011412.

Click the Interfaces Switchport button in the figure. This command displays information that is useful to you. You have used this command to review the configuration of a voice VLAN. You can determine that the port F0/18 is assigned to VLAN 20 and that the native VLAN is VLAN 1.

Manage Port Memberships
There are a number of ways to manage VLANs and VLAN port memberships. The figure shows the syntax for the no switchport access vlan command.

Reassign a Port to VLAN 1
To reassign a port to VLAN 1, you can use the no switchport access vlan command in interface configuration mode.

Click the Remove VLAN button in the figure. Examine the output in the show vlan brief command that immediately follows. Notice how VLAN 20 is still active. It has only been removed from interface F0/18. In the show interfaces f0/18 switchport command, you can see that the access VLAN for interface F0/18 has been reset to VLAN 1.

Reassign the VLAN to Another Port
A static access port can only have one VLAN. With Cisco IOS software, you do not need to first remove a port from a VLAN to change its VLAN membership. When you reassign a static access port to an existing VLAN, the VLAN is automatically removed from the previous port. In the example, port F0/11 is reassigned to VLAN 20.

Click the Reassign VLAN button in the figure.

Delete VLANs
The figure provides an example of using the global configuration command no vlan vlan-id to remove VLAN 20 from the system. The show vlan brief command verifies that VLAN 20 is no longer in the vlan.dat file.

Alternatively, the entire vlan.dat file can be deleted using the command delete flash:vlan.dat from privileged EXEC mode. After the switch is reloaded, the previously configured VLANs will no longer be present. This effectively places the switch into its "factory default" concerning VLAN configurations.

Note: Before deleting a VLAN, be sure to first reassign all member ports to a different VLAN. Any ports that are not moved to an active VLAN are unable to communicate with other stations after you delete the VLAN.

3.3.4 Configure a trunk
Configure an 802.1Q Trunk
To configure a trunk on a switch port, use the switchport mode trunk command. When you enter trunk mode, the interface changes to permanent trunking mode, and the port enters into a DTP negotiation to convert the link into a trunk link even if the interface connecting to it does not agree to the change. In this course, you will configure a trunk using only the switchport mode trunk command. A discussion on DTP and the details of how each switchport access mode option works is beyond the scope of the course. For details on all of the parameters associated with the switchport mode interface command, visit: http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_37_se/command/reference/cli3.html#wp1948171.

The Cisco IOS command syntax to specify a native VLAN other than VLAN 1 is shown in the figure. In the example, you configure VLAN 99 as the native VLAN.

Click the Topology button in the figure. You are familiar with this topology. The VLANs 10, 20, and 30 will support the Faculty, Student, and Guest computers, PC1, PC2, and PC3. The F0/1 port on switch S1 will be configured as a trunk port and will forward traffic for VLANs 10, 20, and 30. VLAN 99 will be configured as the native VLAN.

Click the Example button in the figure. The example configures port F0/1 on switch S1 as the trunk port. It reconfigures the native VLAN as VLAN 99.

Verify Trunk Configuration
The figure displays the configuration of switch port F0/1 on switch S1. The command used is the show interfaces interface-ID switchport command. The first highlighted area shows that port F0/1 has its administrative mode set to Trunk: the port is in trunking mode. The next highlighted area verifies that the native VLAN is VLAN 99, the management VLAN. At the bottom of the output, the last highlighted area shows that the enabled trunking VLANs are VLANs 10, 20, and 30.

Managing a Trunk Configuration
In the figure, the commands to reset the allowed VLANs and the native VLAN of the trunk to the default state are shown. The command to reset the switch port to an access port and, in effect, delete the trunk port is also shown.

Click the Reset Example button in the figure. In the figure, the commands used to reset all trunking characteristics of a trunking interface to the default settings are highlighted in the sample output. The show interfaces f0/1 switchport command reveals that the trunk has been reconfigured to a default state.

Click the Remove Example button in the figure. In the figure, the sample output shows the commands used to remove the trunk feature from the F0/1 switch port on switch S1. The show interfaces f0/1 switchport command reveals that the F0/1 interface is now in static access mode.

3.4.1 Common problems with trunks
Common Problems with Trunks
In this topic, you learn about common VLAN and trunking issues, which usually are associated with incorrect configurations. When you are configuring VLANs and trunks on a switched infrastructure, these types of configuration errors are most common in the following order:
– Native VLAN mismatches - Trunk ports are configured with different native VLANs, for example, if one port has defined VLAN 99 as the native VLAN and the other trunk port has defined VLAN 100 as the native VLAN. This configuration error generates console notifications, causes control and management traffic to be misdirected and, as you have learned, poses a security risk.
– Trunk mode mismatches - One trunk port is configured with trunk mode "off" and the other with trunk mode "on". This configuration error causes the trunk link to stop working.
– Allowed VLANs on trunks - The list of allowed VLANs on a trunk has not been updated with the current VLAN trunking requirements. In this situation, unexpected traffic or no traffic is being sent over the trunk.
– VLANs and IP Subnets - End user devices configured with incorrect IP addresses will not have network connectivity. Each VLAN is a logically separate IP subnetwork. Devices within the VLAN must be configured with the correct IP settings.

If you have discovered an issue with a VLAN or trunk and do not know what the problem is, start your troubleshooting by examining the trunks for a native VLAN mismatch and then work down the list. The rest of this topic examines how to fix the common problems with trunks. The next topic presents how to identify and solve incorrectly configured VLANs and IP subnets.

Native VLAN Mismatches
You are a network administrator and you get a call that the person using computer PC4 cannot connect to the internal web server, the WEB/TFTP server in the figure. You learn that a new technician was recently configuring switch S3. The topology diagram seems correct, so why is there a problem? You decide to check the configuration on S3.

Click the Configurations button in the figure. As soon as you connect to switch S3, the error message shown in the top highlighted area in the figure appears in your console window. You take a look at the interface using the show interfaces f0/3 switchport command. You notice that the native VLAN, the second highlighted area in the figure, has been set to VLAN 100 and it is inactive. As you scan further down the output, you see that the allowed VLANs are 10 and 99. You need to reconfigure the native VLAN on the Fast Ethernet F0/3 trunk port to be VLAN 99.

Click the Solution button in the figure. In the figure, the top highlighted area shows the command to configure the native VLAN to be VLAN 99. The next two highlighted areas confirm that the Fast Ethernet F0/3 trunk port has the native VLAN reset to VLAN 99. The screen output for the computer PC4, shown in the bottom highlighted area, shows that connectivity has been restored to the WEB/TFTP server found at IP address 172.17.10.30.

Trunk Mode Mismatches
In this course, you have learned that trunk links are configured statically with the switchport mode trunk command. You have learned that the trunk ports use DTP advertisements to negotiate the state of the link with the remote port. When a port on a trunk link is configured with a trunk mode that is incompatible with the other trunk port, a trunk link fails to form between the two switches. In this scenario, the same problem arises: the person using computer PC4 cannot connect to the internal web server. Again, the topology diagram has been maintained and shows a correct configuration. Why is there a problem?

Click the Configurations button in the figure. The first thing you do is check the status of the trunk ports on switch S1 using the show interfaces trunk command. It reveals in the figure that there is not a trunk on interface F0/3 on switch S1. You examine the F0/3 interface to learn that the switch port is in dynamic auto mode, the first highlighted area in the top figure. An examination of the trunks on switch S3 reveals that there are no active trunk ports. Further checking reveals that the F0/3 interface is also in dynamic auto mode, the first highlighted area in the bottom figure. Now you know why the trunk is down. You need to reconfigure the trunk mode of the Fast Ethernet F0/3 ports on switches S1 and S3.

Click the Solution button in the figure. In the top left figure, the highlighted area shows that the port is now in trunking mode. The top right output from switch S3 shows the commands used to reconfigure the port and the results of the show interfaces trunk command, revealing that interface F0/3 has been reconfigured as a trunk. The output from computer PC4 indicates that PC4 has regained connectivity to the WEB/TFTP server found at IP address 172.17.10.30.

Incorrect VLAN List
You have learned that for traffic from a VLAN to be transmitted across a trunk, it has to be allowed access on the trunk. The command used to do this is the switchport trunk allowed vlan add vlan-id command.

In this scenario, VLAN 20 (Student) and computer PC5 have been added to the network. The documentation has been updated to show that the VLANs allowed on the trunk are 10, 20, and 99. In this scenario, the person using computer PC5 cannot connect to the student e-mail server shown in the figure.

Click the Configurations button in the figure. Check the trunk ports on switch S1 using the show interfaces trunk command. The command reveals that the interface F0/3 on switch S3 is correctly configured to allow VLANs 10, 20, and 99. An examination of the F0/3 interface on switch S1 reveals that interfaces F0/1 and F0/3 only allow VLANs 10 and 99. It seems someone updated the documentation but forgot to reconfigure the ports on the S1 switch. You need to reconfigure the F0/1 and the F0/3 ports on switch S1 using the switchport trunk allowed vlan 10,20,99 command.

Click the Solution button in the figure. The top screen output in the figure shows that VLANs 10, 20, and 99 are now added to the F0/1 and F0/3 ports on switch S1. The bottom figure indicates that PC5 has regained connectivity to the student e-mail server found at IP address 172.17.20.10. The show interfaces trunk command is an excellent tool for revealing common trunking problems.

3.4.2 A common problem with a VLAN configuration
VLAN and IP Subnets
As you have learned, each VLAN must correspond to a unique IP subnet. If two devices in the same VLAN have different subnet addresses, they cannot communicate. This type of incorrect configuration is a common problem, and it is easy to solve by identifying the offending device and changing the subnet address to the correct one. In this scenario, the person using computer PC1 cannot connect to the WEB/TFTP server shown in the figure.

Click the Configurations button in the figure. In the figure, a check of the IP configuration settings of PC1 reveals the most common error in configuring VLANs: an incorrectly configured IP address. The PC1 computer is configured with an IP address of 172.172.10.21, but it should have been configured with 172.17.10.21.

Click the Solution button in the figure. The screen capture of the PC1 Fast Ethernet configuration dialog box shows the updated IP address of 172.17.10.21. The bottom screen capture reveals that PC1 has regained connectivity to the WEB/TFTP server found at IP address 172.17.10.30.
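The DTP mode interactions from 3.2.3 and the checks in the troubleshooting list above (native VLAN, trunk mode, allowed VLAN list, then VLAN/IP subnet), as an added Python example that is not part of the course material: the Port model, the will_trunk rule, the audit functions, and the switch names, ports, and addresses are all constructed for this illustration. It also parses the IOS vlan-id list syntax from 3.3.2 (10,20,30-35), so the allowed-VLAN comparison covers ranges as well as single IDs.

```python
from dataclasses import dataclass
from ipaddress import ip_interface, ip_network
from typing import Dict, List, Optional, Set

# switchport mode keywords from 3.2.3; nonegotiate is a separate flag on the port
TRUNK, DESIRABLE, AUTO, ACCESS = "trunk", "dynamic desirable", "dynamic auto", "access"


@dataclass
class Port:
    switch: str
    name: str
    mode: str = AUTO             # Catalyst 2960 default switchport mode
    nonegotiate: bool = False    # switchport nonegotiate: sends no DTP frames
    native_vlan: int = 1         # switchport trunk native vlan <id>
    allowed: str = "1-4094"      # switchport trunk allowed vlan <list>


def parse_vlan_list(spec: str) -> Set[int]:
    """Parse the IOS vlan-id list syntax ('10,20,30-35') into a set of IDs."""
    vlans: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        low, high = int(lo), int(hi or lo)
        if not 1 <= low <= high <= 4094:
            raise ValueError(f"VLAN ID outside 1-4094: {part}")
        vlans.update(range(low, high + 1))
    return vlans


def will_trunk(local: Port, remote: Port) -> bool:
    """Whether *local* ends up trunking, given what *remote* advertises with DTP."""
    if local.mode == TRUNK:
        return True                       # unconditional, whatever the remote sends
    if local.mode == ACCESS:
        return False
    if remote.nonegotiate:
        return False                      # no DTP frames arrive, so it stays non-trunk
    if local.mode == DESIRABLE:           # able to trunk and asks the remote to trunk
        return remote.mode in (TRUNK, DESIRABLE, AUTO)
    if local.mode == AUTO:                # able to trunk but never asks
        return remote.mode in (TRUNK, DESIRABLE)
    raise ValueError(f"unknown switchport mode {local.mode!r}")


def audit_link(a: Port, b: Port, required: Set[int]) -> List[str]:
    """Findings for one link, in the order the 3.4.1 troubleshooting list gives."""
    findings: List[str] = []
    if a.native_vlan != b.native_vlan:    # misdirects untagged control traffic
        findings.append(f"native VLAN mismatch: {a.switch} {a.name}={a.native_vlan}, "
                        f"{b.switch} {b.name}={b.native_vlan}")
    ta, tb = will_trunk(a, b), will_trunk(b, a)
    if ta != tb:
        findings.append(f"trunk mode mismatch: {a.switch} {a.name} trunk={ta}, "
                        f"{b.switch} {b.name} trunk={tb}")
    elif not ta:
        findings.append(f"no trunk forms: both ends are {a.mode} / {b.mode}")
    else:                                 # only a working trunk gets the VLAN list check
        carried = parse_vlan_list(a.allowed) & parse_vlan_list(b.allowed)
        missing = sorted(required - carried)
        if missing:
            findings.append(f"allowed VLAN list incomplete: {missing} not carried")
    return findings


def check_host_subnet(vlan_subnets: Dict[int, str], vlan: int, host: str) -> Optional[str]:
    """Finding when a host's address (x.x.x.x/len) is outside its VLAN's subnet."""
    expected = ip_network(vlan_subnets[vlan])
    if ip_interface(host).ip not in expected:
        return f"{host} is not in the VLAN {vlan} subnet {expected}"
    return None


if __name__ == "__main__":
    # constructed versions of the trunk scenarios in 3.4.1 and the PC1 address error in 3.4.2
    s1 = Port("S1", "F0/3", mode=TRUNK, native_vlan=99, allowed="10,99")
    s3 = Port("S3", "F0/3", mode=TRUNK, native_vlan=100, allowed="10,20,99")
    for line in audit_link(s1, s3, {10, 20, 99}):
        print(line)
    print(audit_link(Port("S1", "F0/3"), Port("S3", "F0/3"), {10, 99}))
    print(check_host_subnet({10: "172.17.10.0/24"}, 10, "172.172.10.21/24"))
```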

3.6.1 Chapter summary
In this chapter, we introduced VLANs. VLANs are used to segment broadcast domains in a switched LAN. This improves the performance and manageability of LANs. VLANs provide network administrators flexible control over traffic associated with devices in the LAN. There are several types of VLANs: a default VLAN, user/data VLANs, native VLANs, a management VLAN, and voice VLANs.

VLAN trunks facilitate inter-switch communication with multiple VLANs. IEEE 802.1Q frame tagging enables differentiation between Ethernet frames associated with distinct VLANs as they traverse common trunk links.

We discussed the configuration, verification, and troubleshooting of VLANs and trunks using the Cisco IOS CLI.

4. VTP
4.0.1 Chapter introduction
As the size of the network for a small- or medium-sized business grows, the management involved in maintaining the network grows. In the previous chapter, you learned how to create and manage VLANs and trunks using Cisco IOS commands. The focus was on managing VLAN information on a single switch. But what if you have many switches to manage? How will you manage the VLAN database across many switches?

In this chapter, you will explore how you can use the VLAN Trunking Protocol (VTP) of Cisco Catalyst switches to simplify management of the VLAN database across multiple switches.

4.1.1 What is VTP?
The VLAN Management Challenge
As the number of switches increases on a small- or medium-sized business network, the overall administration required to manage VLANs and trunks in a network becomes a challenge.

Small Network VLAN Management
Click Play to view an animation of the VLAN management challenge. In the animation, the figure shows a network manager adding a new VLAN, VLAN30. The network manager needs to update the three trunks to allow VLANs 10, 20, 30, and 99. Recall that a common error is forgetting to update the allowed list of VLANs on trunks.

Larger Network VLAN Management
Click the Larger Network button in the figure. When you consider the larger network in the figure, the VLAN management challenge becomes clear. After you have manually updated this network a few times, you may want to know if there is a way for the switches to learn what the VLANs and trunks are so that you do not have to manually configure them. You are ready to learn about VLAN trunking protocol (VTP).

What is VTP?
VTP allows a network manager to configure a switch so that it will propagate VLAN configurations to other switches in the network. The switch can be configured in the role of a VTP server or a VTP client. VTP only learns about normal-range VLANs (VLAN IDs 1 to 1005). Extended-range VLANs (IDs greater than 1005) are not supported by VTP. VTP stores VLAN configurations in the VLAN database called vlan.dat.

VTP Overview
Click Play in the figure to view an animation of an overview of how VTP works. VTP allows a network manager to make changes on a switch that is configured as a VTP server. Basically, the VTP server distributes and synchronizes VLAN information to VTP-enabled switches throughout the switched network, which minimizes the problems caused by incorrect configurations and configuration inconsistencies. The details of how VTP works are explained in the rest of this chapter.

Two Switches
Click the Two Switches button in the figure. Click Play in the figure to view an animation on the basic VTP interaction between a VTP server and a VTP client. In the figure, a trunk link is added between switch S1, a VTP server, and S2, a VTP client. After a trunk is established between the two switches, VTP advertisements are exchanged between the switches. Both the server and client leverage advertisements from one another to ensure each has an accurate record of VLAN information. VTP advertisements will not be exchanged if the trunk between the switches is inactive.

Benefits of VTP
You have learned that VTP maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs across multiple Cisco switches in a network. VTP offers a number of benefits for network managers, as shown in the figure.

VTP Components
There are a number of key components that you need to be familiar with when learning about VTP. Here is a brief description of the components, which will be further explained as you go through the chapter.

VTP Domain-Consists of one or more interconnected switches. All switches in a domain share VLAN configuration details using VTP advertisements. A router or Layer 3 switch defines the boundary of each domain.

VTP Advertisements-VTP uses a hierarchy of advertisements to distribute and synchronize VLAN configurations across the network.

VTP Modes-A switch can be configured in one of three modes: server, client, or transparent.

VTP Server-VTP servers advertise the VTP domain VLAN information to other VTP-enabled switches in the same VTP domain. VTP servers store the VLAN information for the entire domain in NVRAM. The server is where VLANs can be created, deleted, or renamed for the domain.

VTP Client-VTP clients function the same way as VTP servers, but you cannot create, change, or delete VLANs on a VTP client. A VTP client only stores the VLAN information for the entire domain while the switch is on. A switch reset deletes the VLAN information. You must configure VTP client mode on a switch.

VTP Transparent-Transparent switches forward VTP advertisements to VTP clients and VTP servers. Transparent switches do not participate in VTP. VLANs that are created, renamed, or deleted on transparent switches are local to that switch only.

VTP Pruning-VTP pruning increases network available bandwidth by restricting flooded traffic to those trunk links that the traffic must use to reach the destination devices. Without VTP pruning, a switch floods broadcast, multicast, and unknown unicast traffic across all trunk links within a VTP domain even though receiving switches might discard them.

Roll over the key VTP components in the figure to see where they are in the network.


4.2 VTP operations
4.2.1 Default VTP configuration
In CCNA Exploration: Network Fundamentals, you learned that a Cisco switch comes from the factory with default settings. The default VTP settings are shown in the figure.

The benefit of VTP is that it automatically distributes and synchronizes domain and VLAN configurations across the network. However, this benefit comes with a cost. You can only add switches that are in their default VTP configuration. If you add a VTP-enabled switch that is configured with settings that supersede existing network VTP configurations, changes that are difficult to fix are automatically propagated throughout the network. So make sure that you only add switches that are in their default VTP configuration. You will learn how to add switches to a VTP network later in this chapter.

VTP Versions
VTP has three versions, 1, 2, and 3. Only one VTP version is allowed in a VTP domain. The default is VTP version 1. A Cisco 2960 switch supports VTP version 2, but it is disabled. A discussion of VTP versions is beyond the scope of this course.

Displaying the VTP Status
The figure shows how to view the VTP settings for a Cisco 2960 switch, S1. The Cisco IOS command show vtp status displays the VTP status. The following briefly describes the show vtp status parameters:
– VTP Version-Displays the VTP version the switch is capable of running. By default, the switch implements version 1, but can be set to version 2.
– Configuration Revision-Current configuration revision number on this switch. You will learn more about revision numbers in this chapter.
– Maximum VLANs Supported Locally-Maximum number of VLANs supported locally.
– Number of Existing VLANs-Number of existing VLANs.
– VTP Operating Mode-Can be server, client, or transparent.
– VTP Domain Name-Name that identifies the administrative domain for the switch.
– VTP Pruning Mode-Displays whether pruning is enabled or disabled.
– VTP V2 Mode-Displays if VTP version 2 mode is enabled. VTP version 2 is disabled by default.
– VTP Traps Generation-Displays whether VTP traps are sent to a network management station.
– MD5 Digest-A 16-byte checksum of the VTP configuration.
– Configuration Last Modified-Date and time of the last configuration modification. Displays the IP address of the switch that caused the configuration change to the database.

Click the Switch Output button in the figure to see the default VTP settings on switch S1. The output shows that switch S1 is in VTP server mode by default and that there is no VTP domain name assigned. The output also shows that the maximum VTP version available for the switch is version 2, and that VTP version 2 is disabled. You will use the show vtp status command frequently as you configure and manage VTP on a network.


2. An additional benefit of configuring VTP domains is that it limits the extent to which configuration changes are propagated in the network if an error occurs.2 VTP domains VTP Domains VTP allows you to separate your network into smaller management domains to help reduce VLAN management. . The figure shows a network with two VTP domains. 235 4.

A switch can be a member of only one VTP domain at a time. Until the VTP domain name is specified you cannot create or modify VLANs on a VTP server. the three switches. and VLAN information is not propagated over the network. S1. you will learn how VTP-enabled switches acquire a common domain name. S2. and S3. Click the Switch Output button in the figure to see switch S4 output. 236 cisco2 and cisco3. will be configured for VTP. In this chapter. Later in this chapter. . A VTP domain consists of one switch or several interconnected switches sharing the same VTP domain name.

237 .

. A VTP server propagates the VTP domain name to all switches for you. They are configured as VTP servers. The S2 and S3 VTP server switches update their VTP configuration to the new domain name. 238 VTP Domain Name Propagation For a VTP server or client switch to participate in a VTP-enabled network. When switches are in different VTP domains. Domain name propagation uses three VTP components: servers. The VTP server sends out a VTP advertisement with the new domain name embedded inside. they do not exchange VTP messages. in their default VTP configuration. S2. The details of password configuration will be presented later in the course. clients. Note: Cisco recommends that access to the domain name configuration functions be protected by a password. and S3. The network in the figure shows three switches. The network manager configures the VTP domain name as cisco1 on the VTP server switch S1. it must be a part of the same domain. you will learn about the details of VTP advertisements and find answers to these questions. How does the domain name get placed into a VTP advertisement? What information is exchanged between VTP-enabled switches? In the next topic. Click Play in the figure to see how a VTP server propagates the VTP domain name in a network. and advertisements. S1. VTP domain names have not been configured on any of the switches.


4.2.3 VTP advertising

VTP Frame Structure

VTP advertisements (or messages) distribute VTP domain name and VLAN configuration changes to VTP-enabled switches. In this topic, you will learn about the VTP frame structure and how the three types of advertisements enable VTP to distribute and synchronize VLAN configurations throughout the network.

Click the Overview button in the figure and then click Play to view an animation on the structure of a VTP frame.

VTP Frame Encapsulation

A VTP frame consists of a header field and a message field. The VTP information is inserted into the data field of an Ethernet frame. The Ethernet frame is then encapsulated as an 802.1Q trunk frame (or ISL frame). Each switch in the domain sends periodic advertisements out each trunk port to a reserved multicast address. These advertisements are received by neighboring switches, which update their VTP and VLAN configurations as necessary.

VTP Frame Details

Click the VTP Frame Details button in the figure. In the figure, you can see the VTP frame structure in more detail. Keep in mind that a VTP frame encapsulated as an 802.1Q frame is not static. The contents of the VTP message determine which fields are present. The receiving VTP-enabled switch looks for specific fields and values in the 802.1Q frame to know what to process. The following key fields are present when a VTP frame is encapsulated as an 802.1Q frame:

– Destination MAC address - This address is set to 01-00-0C-CC-CC-CC, which is the reserved multicast address for all VTP messages.
– LLC field - The Logical link control (LLC) field contains a destination service access point (DSAP) and a source service access point (SSAP) set to the value of AA.
– SNAP field - The Subnetwork Access Protocol (SNAP) field has an OUI set to AAAA and type set to 2003.
– VTP header field - Varies depending on the message type, but it always contains these VTP fields:
  – Domain name - Identifies the administrative domain for the switch.
  – Domain name length - Length of the domain name.
  – Version - Set to either VTP 1, VTP 2, or VTP 3. The Cisco 2960 switch only supports VTP 1 and VTP 2.
  – Configuration revision number - The current configuration revision number on this switch.
– VTP message field - The contents vary depending on the VTP message type: summary, subset, or request.

VTP Message Contents

Click the VTP Message Contents button in the figure. VTP frames contain the following fixed-length global domain information:

– VTP domain name
– Identity of the switch sending the message, and the time it was sent
– MD5 digest VLAN configuration, including maximum transmission unit (MTU) size for each VLAN
– Frame format: ISL or 802.1Q

VTP frames contain the following information for each configured VLAN:

– VLAN IDs (IEEE 802.1Q)
– VLAN name
– VLAN type
– VLAN state
– Additional VLAN configuration information specific to the VLAN type

Note: A VTP frame is encapsulated in an 802.1Q Ethernet frame. The entire 802.1Q Ethernet frame is the VTP advertisement, often called a VTP message. Often the terms frame, advertisement, and message are used interchangeably.
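As an added example, not code from the course text, the Python below builds an 802.1Q-encapsulated VTP summary advertisement laid out as the field list above describes, parses it back, and applies the decisions a receiving switch (or a monitor watching a trunk) would make about it. The byte offsets of the VTP header, the message-type codes, the Cisco SNAP OUI and all sample values (domain, revision, updater address, MACs) are assumptions constructed for the example, not taken from this page.

```python
import struct

VTP_MULTICAST_MAC = bytes.fromhex("01000ccccccc")   # 01-00-0C-CC-CC-CC, reserved for VTP
VTP_SNAP_TYPE = 0x2003
MSG_TYPES = {1: "summary", 2: "subset", 3: "request"}   # assumed code values


def build_summary_advertisement(domain, revision, updater_ip, version=2, vlan_id=1,
                                src_mac=bytes.fromhex("001122334455")):
    """Construct a sample 802.1Q-tagged VTP summary advertisement (constructed bytes,
    not a capture). Assumed header layout: version, code, followers, domain length,
    32-byte padded domain name, 32-bit revision, updater identity, timestamp, MD5."""
    name = domain.encode("ascii")
    if len(name) > 32:
        raise ValueError("VTP domain names are at most 32 bytes")
    vtp = struct.pack("!BBBB", version, 1, 0, len(name))      # code 1 = summary
    vtp += name.ljust(32, b"\x00")
    vtp += struct.pack("!I", revision)                         # configuration revision number
    vtp += bytes(int(octet) for octet in updater_ip.split("."))  # identity of the updater
    vtp += b"\x00" * 12                                        # update timestamp, zeroed here
    vtp += b"\x00" * 16                                        # MD5 digest of VLAN config, zeroed
    # LLC DSAP/SSAP AA/AA, control 03, then SNAP OUI (Cisco 00-00-0C assumed) and type 0x2003
    payload = (b"\xaa\xaa\x03" + bytes.fromhex("00000c")
               + struct.pack("!H", VTP_SNAP_TYPE) + vtp)
    tag = struct.pack("!HH", 0x8100, vlan_id)                  # 802.1Q TPID + TCI
    return VTP_MULTICAST_MAC + src_mac + tag + struct.pack("!H", len(payload)) + payload


def parse_vtp_frame(frame):
    """Return the VTP header fields of an 802.1Q frame, or raise ValueError if it is not VTP."""
    if len(frame) < 30:
        raise ValueError("frame too short")
    dst, src = frame[0:6], frame[6:12]
    if dst != VTP_MULTICAST_MAC:
        raise ValueError("destination is not the VTP multicast address")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != 0x8100:
        raise ValueError("not an 802.1Q-tagged frame")
    off = 18                                   # dst + src + tag + 802.3 length field
    if frame[off] != 0xAA or frame[off + 1] != 0xAA:
        raise ValueError("LLC DSAP/SSAP are not AA/AA")
    if struct.unpack("!H", frame[off + 6:off + 8])[0] != VTP_SNAP_TYPE:
        raise ValueError("SNAP type is not 0x2003 (VTP)")
    off += 8                                   # past LLC (3) + OUI (3) + type (2)
    version, code, followers, dlen = struct.unpack("!BBBB", frame[off:off + 4])
    domain = frame[off + 4:off + 4 + dlen].decode("ascii", "replace")
    info = {"src_mac": src.hex(":"), "vlan": tci & 0x0FFF, "version": version,
            "msg_type": MSG_TYPES.get(code, "unknown"), "followers": followers,
            "domain": domain}
    if code == 1:                              # summary-only fields follow the 32-byte name
        body = frame[off + 36:]
        info["revision"] = struct.unpack("!I", body[0:4])[0]
        info["updater"] = ".".join(str(b) for b in body[4:8])
        info["md5"] = body[20:36].hex()
    return info


def evaluate_advertisement(info, expected_domain, local_revision):
    """Mirror the receiving switch's decision so a trunk monitor can log what would happen."""
    if info["msg_type"] != "summary":
        return "ignore: not a summary advertisement"
    if info["domain"] != expected_domain:      # domain names are case-sensitive
        return "discard: domain %r does not match %r" % (info["domain"], expected_domain)
    if info["revision"] > local_revision:
        return ("alert: revision %d is higher than local %d; the switch would request the "
                "subset advertisements and overwrite its VLAN database"
                % (info["revision"], local_revision))
    return "ok: revision %d is not newer than local %d" % (info["revision"], local_revision)
```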


VTP Revision Number

The configuration revision number is a 32-bit number that indicates the level of revision for a VTP frame. The default configuration number for a switch is zero. Each time a VLAN is added or removed, the configuration revision number is incremented. Each VTP device tracks the VTP configuration revision number that is assigned to it.

Note: A VTP domain name change does not increment the revision number. Instead, it resets the revision number to zero.

The configuration revision number determines whether the configuration information received from another VTP-enabled switch is more recent than the version stored on the switch.

The figure shows a network manager adding three VLANs to switch S1. Click the Switch Output button in the figure to see how the revision number has been changed. The highlighted area shows that the revision number on switch S1 is 3, and the number of VLANs is up to eight, because three VLANs have been added to the five default VLANs.

The revision number plays an important and complex role in enabling VTP to distribute and synchronize VTP domain and VLAN configuration information. To comprehend what the revision number does, you first need to learn about the three types of VTP advertisements and the three VTP modes.

VTP Advertisements

Summary Advertisements

The summary advertisement contains the VTP domain name, the current revision number, and other VTP configuration details. Summary advertisements are sent:

– Every 5 minutes by a VTP server or client to inform neighboring VTP-enabled switches of the current VTP configuration revision number for its VTP domain
– Immediately after a configuration has been made

Click the Summary button in the figure and then click Play to view an animation on the summary VTP advertisements.

Subset Advertisements

A subset advertisement contains VLAN information. Changes that trigger the subset advertisement include:

– Creating or deleting a VLAN
– Suspending or activating a VLAN
– Changing the name of a VLAN
– Changing the MTU of a VLAN

It may take multiple subset advertisements to fully update the VLAN information.

Click the Subset button in the figure and then click Play to view an animation on the subset VTP advertisements.

Request Advertisements

When a request advertisement is sent to a VTP server in the same VTP domain, the VTP server responds by sending a summary advertisement and then a subset advertisement. Request advertisements are sent if:

– The VTP domain name has been changed
– The switch receives a summary advertisement with a higher configuration revision number than its own
– A subset advertisement message is missed for some reason
– The switch has been reset

Click the Request button in the figure and then click Play to view an animation on the request VTP advertisements.


VTP Advertisements Details

VTP uses advertisements to distribute and synchronize information about domains and VLAN configurations. There are three main VTP advertisements. Each type of VTP advertisement sends information about several parameters used by VTP. A description of the fields in each of the VTP advertisements is presented.

Summary Advertisements

Summary advertisements comprise the majority of VTP advertisement traffic. Click the Summary Details button in the figure. Roll over the fields in the summary advertisement to view the descriptions.

Subset Advertisements

The fields found in a subset advertisement are briefly described. The fields in the VLAN-info are not described. Click the Subset Details button in the figure. Roll over the fields in the subset advertisement to view the descriptions.

Request Advertisements

The fields found in a request advertisement are briefly described. Click the Request Details button in the figure. Roll over the fields in the request advertisement to view the descriptions.

4.2.4 VTP modes

VTP Modes Overview

A Cisco switch, configured with Cisco IOS software, can be configured in either server, client, or transparent mode. These modes differ in how they are used to manage and advertise VTP domains and VLANs.

Server Mode

In server mode, you can create, modify, and delete VLANs for the entire VTP domain. VTP server mode is the default mode for a Cisco switch. VTP servers advertise their VLAN configurations to other switches in the same VTP domain and synchronize their VLAN configurations with other switches based on advertisements received over trunk links. VTP servers keep track of updates through a configuration revision number. Other switches in the same VTP domain compare their configuration revision number with the revision number received from a VTP server to see if they need to synchronize their VLAN database.

Client Mode

If a switch is in client mode, you cannot create, change, or delete VLANs. In addition, the VLAN configuration information that a VTP client switch receives from a VTP server switch is stored in a VLAN database, not in NVRAM. This means that when a VTP client is shut down and restarted, it sends a request advertisement to a VTP server for updated VLAN configuration information. Consequently, VTP clients require less memory than VTP servers.

Switches configured as VTP clients are more typically found in larger networks, because in a network consisting of many hundreds of switches, it is harder to coordinate network upgrades. Often there are many network administrators working at different times of the day. Having only a few switches that are physically able to maintain VLAN configurations makes it easier to control VLAN upgrades and to track which network administrators performed them.

In a large network of many hundreds of switches, having client switches is also more cost-effective. By default, all switches are configured to be VTP servers. This configuration is suitable for small scale networks in which the size of the VLAN information is small and the information is easily stored in NVRAM on the switches. For large networks, the network administrator must decide if the cost of purchasing switches with enough NVRAM to store the duplicate VLAN information is too much. A cost-conscious network administrator could choose to configure a few well-equipped switches as VTP servers, and then use switches with less memory as VTP clients. Although a discussion of network redundancy is beyond the scope of this course, know that the number of VTP servers should be chosen to provide the degree of redundancy that is desired in the network.

Transparent Mode

Switches configured in transparent mode forward VTP advertisements that they receive on trunk ports to other switches in the network. VTP transparent mode switches do not advertise their VLAN configuration and do not synchronize their VLAN configuration with any other switch. Configure a switch in VTP transparent mode when you have VLAN configurations that have local significance and should not be shared with the rest of the network. In transparent mode, VLAN configurations are saved in NVRAM (but not advertised to other switches), so the configuration is available after a switch reload. This means that when a VTP transparent mode switch reboots, it does not revert to a default VTP server mode, but remains in VTP transparent mode.

VTP in Action

You will now see how the various VTP features come together to distribute and synchronize domain and VLAN configurations in a VTP-enabled network. The animation starts with three new switches, S1, S2, and S3, configured with their factory default settings, and finishes with all three switches configured and participating in a VTP-enabled network. You can pause and rewind the animation to reflect and review this process.


You have seen how VTP works with three switches. This animation examines in more detail how a switch configured in VTP transparent mode supports the functionality of VTP. Click the Play button in the figure. You can pause and rewind the animation to reflect and review this process.


4.2.5 VTP pruning

VTP pruning prevents unnecessary flooding of broadcast information from one VLAN across all trunks in a VTP domain. VTP pruning permits switches to negotiate which VLANs are assigned to ports at the other end of a trunk and, hence, prune the VLANs that are not assigned to ports on the remote switch. Pruning is disabled by default. VTP pruning is enabled using the vtp pruning global configuration command. You need to enable pruning on only one VTP server switch in the domain.

The figure shows a network with VLAN 10 and VLAN 20 configured. Switch S3 has VLAN 20 configured, and switch S2 has VLAN 10 and VLAN 20 configured. In the figure, you would enable VTP pruning on switch S1. Examine the topology in the figure and then click to see the switch configurations.


VTP Pruning in Action

Recall that a VLAN creates an isolated broadcast domain. A switch floods broadcast, multicast, and unknown unicast traffic across all trunk links within a VTP domain. When a computer or device broadcasts on a VLAN, for example, VLAN 10 in the figure, the broadcast traffic travels across all trunk links throughout the network to all ports on all switches in VLAN 10.

No VTP Pruning

Click the Play button in the figure to see how VLAN flood traffic is handled on a network with no VTP pruning. In the figure, switches S1, S2, and S3 all receive broadcast frames from computer PC1. The broadcast traffic from PC1 consumes bandwidth on the trunk link between all 3 switches and consumes processor time on all 3 switches. The link between switches S1 and S3 does not carry any VLAN 10 traffic, so it is a candidate for VTP pruning.

VTP Pruning

Click the VTP Pruning button and then click Play to see an animation on how VLAN flood traffic is handled on a network with VTP pruning. The flood traffic is stopped from entering the trunk connecting switches S1 and S2. VTP pruning only prunes the egress port F0/1 on switch S2.


VTP Pruning Enabled

The figure shows a network topology that has switches S1, S2, and S3 configured with VTP pruning. When VTP pruning is enabled on a network, it reconfigures the trunk links based on which ports are configured with which VLANs. VTP pruning only prunes the egress port.

Click the Switch S1 button in the figure. The highlighted area shows that the trunk on port F0/1 allows VLAN 10 traffic.

Click the Switch S2 button in the figure. The highlighted area shows that the trunk on port F0/1 does not allow VLAN 10 traffic. VLAN 10 is not listed.

For more details on VTP pruning, visit: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/rel_4_2/config/vlans.htm#xtocid798016.
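The pruning decision described in this topic, as an added example rather than the course's own material: for each direction of each trunk, a VLAN stays on the trunk only if the switch at the far end (or a switch behind it) has a port in that VLAN, and everything else is pruned. The Python below computes that plan for a loop-free topology and then replays the VLAN 10 broadcast with and without pruning. The topology and access-port assignments are constructed from the figure's description (S1 trunking to S2 and S3; S2 in VLANs 10 and 20; S3 in VLAN 20 only), and S1's own access VLANs are an assumption.

```python
from collections import defaultdict

PRUNE_ELIGIBLE = range(2, 1002)   # VLAN 1 and the default 1002-1005 are never pruned


def build_topology(links):
    """Adjacency map built from a list of trunk links (pairs of switch names)."""
    topology = defaultdict(set)
    for a, b in links:
        topology[a].add(b)
        topology[b].add(a)
    return topology


def vlans_behind_trunk(topology, access_vlans, sender, receiver):
    """VLANs with an active access port on `receiver` or on any switch reachable through
    it without crossing back over the sender-receiver trunk (topology assumed loop-free)."""
    needed, seen, stack = set(), {sender, receiver}, [receiver]
    while stack:
        sw = stack.pop()
        needed |= access_vlans.get(sw, set())
        for nbr in topology[sw]:
            if nbr not in seen:
                seen.add(nbr)
                stack.append(nbr)
    return needed


def pruning_plan(links, access_vlans, domain_vlans):
    """For every directed trunk, the VLANs the sending side keeps and the ones it prunes."""
    topology = build_topology(links)
    plan = {}
    for sender in topology:
        for receiver in topology[sender]:
            needed = vlans_behind_trunk(topology, access_vlans, sender, receiver)
            pruned = {v for v in domain_vlans if v in PRUNE_ELIGIBLE and v not in needed}
            plan[(sender, receiver)] = {"allowed": set(domain_vlans) - pruned, "pruned": pruned}
    return plan


def flood_reach(links, access_vlans, domain_vlans, source, vlan, pruning):
    """Switches that receive a broadcast sent on `vlan` from `source`, with or without pruning."""
    topology = build_topology(links)
    plan = pruning_plan(links, access_vlans, domain_vlans) if pruning else {}
    reached, stack = {source}, [source]
    while stack:
        sw = stack.pop()
        for nbr in topology[sw]:
            if nbr in reached:
                continue
            if pruning and vlan in plan[(sw, nbr)]["pruned"]:
                continue                      # the sender never puts the frame on this trunk
            reached.add(nbr)
            stack.append(nbr)
    return reached


# Constructed to match the figure: S1 trunks to S2 and S3; S2 has ports in VLANs 10 and 20,
# S3 only in VLAN 20. S1's own access ports in VLANs 10 and 20 are an assumption.
LINKS = [("S1", "S2"), ("S1", "S3")]
ACCESS_VLANS = {"S1": {10, 20}, "S2": {10, 20}, "S3": {20}}
DOMAIN_VLANS = {1, 10, 20}
```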

4.3.1 Configuring VTP

VTP Configuration Guidelines

Now that you are familiar with the functionality of VTP, you are ready to learn how to configure a Cisco Catalyst switch to use VTP. The topology shows the reference topology for this chapter. VTP will be configured on this topology.

Click the Table button in the figure.

VTP Server Switches

Follow these steps and associated guidelines to ensure that you configure VTP successfully:

– Confirm that all of the switches you are going to configure have been set to their default settings.
– Always reset the configuration revision number before installing a previously configured switch into a VTP domain. Not resetting the configuration revision number allows for potential disruption in the VLAN configuration across the rest of the switches in the VTP domain.
– Configure at least two VTP server switches in your network. Because only server switches can create, delete, and modify VLANs, you should make sure that you have one backup VTP server in case the primary VTP server becomes disabled. If all the switches in the network are configured in VTP client mode, you cannot create new VLANs on the network.
– Configure a VTP domain on the VTP server. Configuring the VTP domain on the first switch enables VTP to start advertising VLAN information. Other switches connected through trunk links receive the VTP domain information automatically through VTP advertisements.
– If there is an existing VTP domain, make sure that you match the name exactly. VTP domain names are case-sensitive.
– If you are configuring a VTP password, ensure that the same password is set on all switches in the domain that need to be able to exchange VTP information. Switches without a password or with the wrong password reject VTP advertisements.
– Ensure that all switches are configured to use the same VTP protocol version. VTP version 1 is not compatible with VTP version 2. By default, Cisco Catalyst 2960 switches run version 1 but are capable of running version 2. When the VTP version is set to version 2, all version 2 capable switches in the domain autoconfigure to use version 2 through the VTP announcement process. Any version 1-only switches cannot participate in the VTP domain after that point.
– Create the VLAN after you have enabled VTP on the VTP server. VLANs created before you enable VTP are removed. Always ensure that trunk ports are configured to interconnect switches in a VTP domain. VTP information is only exchanged on trunk ports.

VTP Client Switches

– As on the VTP server switch, confirm that the default settings are present.
– Configure VTP client mode. Recall that the switch is not in VTP client mode by default. You have to configure this mode.
– Configure trunks. VTP works over trunk links.
– Connect to a VTP server. When you connect to a VTP server or another VTP-enabled switch, it takes a few moments for the various advertisements to make their way back and forth to the VTP server.
– Verify VTP status. Before you begin configuring the access ports, confirm that the revision mode and number of VLANs have been updated.
– Configure access ports. When a switch is in VTP client mode, you cannot add new VLANs. You can only assign access ports to existing VLANs.

Configuring VTP Step 1 - Configure the VTP Server

The next three topics will show you how to configure a VTP server and two VTP clients. The topology highlights switch S1. You will configure this switch to be a VTP server. Initially none of the devices are connected.

Click the Confirm Details button in the figure. The output of the show vtp status command confirms that the switch is by default a VTP server. If the switch was not already configured as a VTP server, you could configure it using the vtp mode {server} command. Since no VLANs have yet been configured, the revision number is still set to 0 and the switch does not belong to a VTP domain.

Click the Configure Domain Name button in the figure. The domain name is configured using the vtp domain domain-name command. In the figure, switch S1 has been configured with the domain name cisco1. For security reasons, a password could be configured using the vtp password password command.

Click the Configure Version button in the figure. Most switches can support VTP version 1 and 2. However, the default setting for Catalyst 2960 switches is version 1. When the vtp version 1 command is entered on the switch, it informs us that the switch is already configured to be in version 1.

Click the Add VLANs and Trunks button in the figure. Assume that three VLANs have been configured and have been assigned VLAN names. The commands to configure the trunk ports are provided for interface F0/1. The output in the figure is displaying the result of these changes. You can use the no version of the commands.


The topology highlights switches S2 and S3. You will be shown the VTP client configuration for S2. To configure S3 as a VTP client, you will follow the same procedure.

Before configuring a switch as a VTP client, verify its current VTP status. Click the Confirm Defaults button to verify the switch status. Once you've confirmed status, you will configure the switch to operate in VTP client mode.

Click the Enable VTP Client Mode button to see how to configure a switch for VTP client mode. Configure VTP client mode using the following Cisco IOS command syntax: Enter global configuration mode with the configure terminal command. Configure the switch in client mode with the vtp mode {client} command. If you need to reset the VTP configuration to the default values, you can use the no version of the commands.

Click the Verify VTP Status button to see the rest of the VTP client configuration.


Configuring VTP Step 3 - Confirm and Connect

After configuring the main VTP server and the VTP clients, you will connect the VTP client switch S2 to the switch S1 VTP server. The topology highlights the trunks that will be added to this topology. In the figure, switch S2 will be connected to switch S1. Then switch S2 will be configured to support the computers, PC1 to PC3. The same procedure will be applied to switch S3, although the commands for S3 are not shown.

Confirm VTP Operation

Click the Confirm VTP Operation button in the figure. There are two Cisco IOS commands for confirming that VTP domain and VLAN configurations have been transferred to switch S2. Use the show vtp status command to verify the following: the configuration revision number has been incremented to 6; the domain name has been changed to cisco1; there are now three new VLANs, indicated by the existing number of VLANs showing 8. The top highlight in the screen output confirms that the switch S2 is in VTP client mode. Use the show vtp counters command to confirm that the advertisements took place.

Configure Access Ports

Click the Configure Access Ports button in the figure. The task now is to configure the port F0/18 on switch S2 to be in VLAN 20. The bottom highlighted area shows the Cisco IOS command used to configure port F0/18 on switch S2 to be in VLAN 20.

4.3.2 Troubleshooting VTP configurations

Troubleshooting VTP Connections

You have learned how VTP can be used to simplify managing a VLAN database across multiple switches. In this topic, you will learn about common VTP configuration problems. This information, combined with your VTP configuration skills, will help you when troubleshooting VTP configuration problems. The figure lists the common VTP configuration issues that will be explored in this topic.

Incompatible VTP Versions

VTP versions 1 and 2 are incompatible with each other. Modern Cisco Catalyst switches, such as the 2960, are configured to use VTP version 1 by default. However, older switches may only support VTP version 1. Switches that only support version 1 cannot participate in the VTP domain along with version 2 switches. If your network contains switches that support only version 1, you need to manually configure the version 2 switches to operate in version 1 mode.

Click the VTP Version Solution button in the figure.

VTP Password Issues

When using a VTP password to control participation in the VTP domain, ensure that the password is set correctly on all switches in the VTP domain. If a password is used, it must be configured on each switch in the domain. Forgetting to set a VTP password is a very common problem. By default, a Cisco switch does not use a VTP password. The switch does not automatically set the password parameter, unlike other parameters that are set automatically when a VTP advertisement is received.

Click the VTP Password Solution button in the figure.

Incorrect VTP Domain Name

The VTP domain name is a key parameter that is set on a switch. An improperly configured VTP domain affects VLAN synchronization between switches. As you learned earlier, if a switch receives the wrong VTP advertisement, the switch discards the message. If the discarded message contains legitimate configuration information, the switch does not synchronize its VLAN database as expected.

Click Play in the figure to see an animation of this issue.

Solution

To avoid incorrectly configuring a VTP domain name, only set the VTP domain name on one VTP server switch. All other switches in the same VTP domain will accept and automatically configure their VTP domain name when they receive the first VTP summary advertisement.

Click the VTP Domain Solution button in the figure.


Switches Set to VTP Client Mode

It is possible to change the operating mode of all switches to VTP client. By doing so, you lose all ability to create, delete, and manage VLANs within your network environment. Because the VTP client switches do not store the VLAN information in NVRAM, they need to refresh the VLAN information after a reload.

Click Play in the figure to see an animation of this issue.

Solution

To avoid losing all VLAN configurations in a VTP domain by accidentally reconfiguring the only VTP server in the domain as a VTP client, you can configure a second switch in the same domain as a VTP server. It is not uncommon for small networks that use VTP to have all the switches in VTP server mode. If the network is being managed by a couple of network administrators, it is unlikely that conflicting VLAN configurations will arise.

Click the Solution button in the figure.


Incorrect Revision Number

Even after you have configured the switches in your VTP domain correctly, there are other factors that can adversely affect the functionality of VTP.

Configuration Revision Number Issues

The topology in the figure is configured with VTP. There is one VTP server switch, S1, and two VTP client switches, S2 and S3. The existing network has VLANs 10 and 20, on switch S1. VTP summary advertisements announce the arrival of a VTP-enabled switch with the highest revision number in the network.

Click the Incorrect Revision Number button in the figure to play an animation showing how the addition of a switch with a higher configuration revision number affects the rest of the switches in the VTP domain. S4, which has been previously configured as a VTP client, is added to the network. S4 comes preconfigured with two VLANs, 30 and 40, that are not configured in the existing network. The revision number of the switch S4 is 35, which is higher than the revision number of 17 in the existing network. When switch S4 is connected to switch S3, the animation shows how switch S3, S1, and finally switch S2 all reconfigure themselves to the configuration found in switch S4. As each switch reconfigures itself with VLANs that are not supported in the network, the ports no longer forward traffic from the computers because they are configured with VLANs that no longer exist on the newly reconfigured switches.

Solution

The solution to the problem is to reset each switch back to an earlier configuration and then reconfigure the correct VLANs, 10 and 20, on switch S1. To prevent this problem in the first place, reset the configuration revision number on previously configured switches being added to a VTP-enabled network.

Click the Reset Revision Number button in the figure. The figure shows the commands needed to reset switch S4 back to the default revision number. Click the Verify Revision Number button in the figure to see that switch S4 has had its revision number reset.
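The revision-number rule, the three VTP modes, and the incorrect-revision scenario above, worked through as an added simulation that is not part of the course text: a higher revision replaces the VLAN database on servers and clients alike, transparent switches relay but never synchronize, a switch with no domain learns it from the first summary advertisement, and a domain-name change zeroes the revision. The switch names, the revision numbers 17 and 35, and the VLAN numbers follow the figure's description; the trunk layout, the scratch domain name used for the reset, and the simplified single-message advertisement are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

DEFAULT_VLANS = {1, 1002, 1003, 1004, 1005}   # the five default VLANs on a Catalyst switch


@dataclass
class Switch:
    name: str
    mode: str = "server"                  # server | client | transparent (server is the default)
    domain: Optional[str] = None          # no domain until configured or learned
    revision: int = 0
    vlans: Set[int] = field(default_factory=lambda: set(DEFAULT_VLANS))

    def set_domain(self, name: str) -> None:
        """Changing the domain name resets the configuration revision number to zero."""
        self.domain = name
        self.revision = 0

    def user_vlans(self):
        return sorted(self.vlans - DEFAULT_VLANS)


def create_vlan(sw: Switch, vid: int) -> None:
    """Servers (and, locally, transparent switches) may add VLANs; only servers bump the revision."""
    if sw.mode == "client":
        raise PermissionError(f"{sw.name} is a VTP client and cannot create VLANs")
    sw.vlans.add(vid)
    if sw.mode == "server":
        sw.revision += 1


def receive_advertisement(sw: Switch, adv: dict) -> bool:
    """Apply a summary advertisement (with its subset data); True if the VLAN database was replaced."""
    if sw.mode == "transparent":
        return False                       # relayed over other trunks, never synchronized
    if sw.domain is None:
        sw.domain = adv["domain"]          # first summary advertisement sets the domain name
    if adv["domain"] != sw.domain:
        return False                       # wrong domain: the advertisement is discarded
    if adv["revision"] <= sw.revision:
        return False                       # not newer than what the switch already holds
    sw.revision = adv["revision"]          # higher revision wins, server or client alike
    sw.vlans = set(adv["vlans"])
    return True


def advertise(origin: Switch, switches: dict, links: list) -> list:
    """Flood origin's advertisement across the trunk links; returns the switches it overwrote."""
    adv = {"domain": origin.domain, "revision": origin.revision, "vlans": set(origin.vlans)}
    overwritten, seen, queue = [], {origin.name}, [origin.name]
    while queue:
        cur = queue.pop(0)
        for a, b in links:
            if cur not in (a, b):
                continue
            nbr = switches[b if a == cur else a]
            if nbr.name in seen:
                continue
            seen.add(nbr.name)
            if receive_advertisement(nbr, adv):
                overwritten.append(nbr.name)
            if nbr.mode == "transparent" or nbr.domain == adv["domain"]:
                queue.append(nbr.name)     # relayed onward over the next trunk
    return overwritten


def incorrect_revision_scenario(reset_first: bool) -> dict:
    """S1 server (rev 17, VLANs 10/20) with clients S2/S3; S4 (client, rev 35, VLANs 30/40)
    is then connected to S3. With reset_first, S4's revision is zeroed before connecting."""
    s1 = Switch("S1")
    s1.set_domain("cisco1")
    s2, s3 = Switch("S2", mode="client"), Switch("S3", mode="client")
    switches = {sw.name: sw for sw in (s1, s2, s3)}
    links = [("S1", "S2"), ("S1", "S3")]   # assumed trunk layout
    for vid in (10, 20):
        create_vlan(s1, vid)
    s1.revision = 17                       # constructed to match the figure's revision number
    advertise(s1, switches, links)         # S2 and S3 learn the domain and VLANs 10/20
    s4 = Switch("S4", mode="client", domain="cisco1", revision=35, vlans=DEFAULT_VLANS | {30, 40})
    if reset_first:
        s4.set_domain("scratch")           # toggling the domain name zeroes the revision
        s4.set_domain("cisco1")
    switches["S4"] = s4
    links.append(("S3", "S4"))
    advertise(s4, switches, links)         # S4 announces its revision when it is connected
    advertise(s1, switches, links)         # and the server advertises in turn
    return {name: (sw.revision, sw.user_vlans()) for name, sw in switches.items()}
```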


4.3.3 Managing VLANs on VTP server

Managing VLANs on a VTP Server

You have learned about VTP and how it can be used to simplify managing VLANs in a VTP-enabled network. Consider the topology in the figure. When a new VLAN, for example, VLAN 10, is added to the network, the network manager adds the VLAN to the VTP server, switch S1 in the figure. As you know, VTP takes care of propagating the VLAN configuration details to the rest of the network. It does not have any effect on which ports are configured in VLAN 10 on switches S1, S2, and S3.

Click the Configure New VLANs and Ports button in the figure. The figure displays the commands used to configure VLAN 10 and the port F0/11 on switch S1. The commands to configure the correct ports for switches S2 and S3 are not shown.

After you have configured the new VLAN on switch S1 and configured the ports on switches S1, S2, and S3 to support the new VLAN, confirm that VTP updated the VLAN database on switches S2 and S3.

Click the show vtp status button in the figure. The output of the command is used to verify the configuration on switch S2. The highlighted area shows that VLAN 10 is now active in the VTP management domain. The verification for S3 is not shown.

Click the show interfaces trunk button in the figure. The output confirms that the new VLAN has been added to F0/1 on switch S2.


4.5.1 Summary

In this chapter, we discussed the VLAN trunking protocol. VTP is a Cisco-proprietary protocol used to exchange VLAN information across trunk links, reducing VLAN administration and configuration errors. VTP allows you to create a VLAN once within a VTP domain and have that VLAN propagated to all other switches in the VTP domain.

There are three VTP operating modes: server, client, and transparent. In small networks, network managers can more easily keep track of network changes, so switches are often left in the default VTP server mode. VTP client mode switches are more prevalent in large networks, where their definition reduces the administration of VLAN information.

VTP pruning limits the unnecessary propagation of VLAN traffic across a LAN. VTP determines which trunk ports forward which VLAN traffic. Pruning only permits VLAN traffic for VLANs that are assigned to some switch port of a switch on the other end of a trunk link. VTP pruning improves overall network performance by restricting the unnecessary flooding of traffic across trunk links. By reducing the total amount of flooded traffic on the network, bandwidth is freed up for other network traffic.

We discussed VTP configuration and preventative measures to take to avoid common problematic VTP issues.


5. STP

5.0.1 Chapter introduction

It is clear that computer networks are critical components of most small- and medium-sized businesses. Consequently, IT administrators have to implement redundancy in their hierarchical networks. However, adding extra links to switches and routers in the network introduces traffic loops that need to be managed in a dynamic way: when a switch connection is lost, another link needs to quickly take its place without introducing new traffic loops. In this chapter you will learn how spanning-tree protocol (STP) prevents loop issues in the network and how STP has evolved into a protocol that rapidly calculates which ports should be blocked so that a VLAN-based network is kept free of traffic loops.

5.1.1 Redundancy

Redundancy in a hierarchical network

The hierarchical design model was introduced in Chapter 1. The hierarchical design model addresses issues found in the flat model network topologies. One of the issues is redundancy. Layer 2 redundancy improves the availability of the network by implementing alternate network paths by adding equipment and cabling. Having multiple paths for data to traverse the network allows for a single path to be disrupted without impacting the connectivity of devices on the network. As you can see in the animation:

1. PC1 is communicating with PC4 over a redundantly configured network topology.
2. When the network link between switch S1 and switch S2 is disrupted, the path between PC1 and PC4 is automatically adjusted to compensate for the disruption.
3. When the network connection between S1 and S2 is restored, the path is then readjusted to route traffic directly from S2 through S1 to get to PC4.

As businesses become increasingly dependent on the network, the availability of the network infrastructure becomes a critical business concern that must be addressed. Redundancy is the solution for achieving the necessary availability.


Examine a redundant design

In a hierarchical design, redundancy is achieved at the distribution and core layers through additional hardware and alternate paths through the additional hardware.

Click the Starting Point Access to Distribution Layer button in the figure. In this example, there is a hierarchical network with access, distribution, and core layers. Each access layer switch is connected to two different distribution layer switches. Also, each distribution layer switch is connected to both core layer switches. PC1 can communicate with PC4 over the identified path. By having multiple paths to get between PC1 and PC4, there is redundancy that can accommodate a single point of failure between the access and distribution layer, and between the distribution and core layer.

However, STP is enabled on all switches. STP is the topic of this chapter and will be explained at length. For now, notice that STP has placed some switch ports in forwarding state and other switch ports in blocking state. This is to prevent loops in the Layer 2 network. STP will only use a redundant link if there is a failure on the primary link.

Click the Path Failure Access to Distribution Layer button in the figure. In the example, the link between switch S1 and switch D1 has been disrupted, preventing the data from PC1 that is destined for PC4 from reaching switch D1 on its original path. However, because switch S1 has a second path to PC4 through switch D2, the path is updated and the data is able to reach PC4.

Click the Path Failure Distribution to Core Layer button in the figure. The link between switch D1 and switch C2 has been disrupted, preventing the data from PC1 that is destined for PC4 from reaching switch C2 on its original path. However, because switch D1 has a second path to PC4 through switch C1, the path is updated and the data is able to reach PC4.

Click the Switch Failure Distribution Layer button in the figure. Switch D1 has now failed, preventing the data from PC1 that is destined for PC4 from reaching switch D4 on its original path. However, since switch S1 has a second path to PC4 through switch D2, the path is updated and the data is able to reach PC4.

Click the Switch Failure Core Layer button in the figure. Switch C2 has now failed, preventing the data from PC1, destined for PC4, from reaching switch C2 on its original path. However, because switch D1 has a second path to PC4 through switch C1, the path is updated and the data is able to reach PC4.

Redundancy provides a lot of flexibility in path choices on a network, allowing data to be transmitted regardless of a single path or device failing in the distribution or core layers. Redundancy does have some complications that need to be addressed before it can be safely deployed on a hierarchical network.


5.1.2 Issues with redundancy

Layer 2 Loops

Redundancy is an important part of the hierarchical design. Although it is important for availability, there are some considerations that need to be addressed before redundancy is even possible on a network.

When multiple paths exist between two devices on the network and STP has been disabled on those switches, a Layer 2 loop can occur. If STP is enabled on these switches, which is the default, a Layer 2 loop would not occur.

Ethernet frames do not have a time to live (TTL) like IP packets traversing routers. As a result, if they are not terminated properly on a switched network, they continue to bounce from switch to switch endlessly or until a link is disrupted and breaks the loop.

Broadcast frames are forwarded out all switch ports, except the originating port. This ensures that all devices in the broadcast domain are able to receive the frame. If there is more than one path for the frame to be forwarded out, it can result in an endless loop.

Click the Play button in the figure to start the animation.

In the animation:

1. PC1 sends out a broadcast frame to switch S2.

2. When S2 receives the broadcast frame it updates its MAC address table to record that PC1 is available on port F0/11.

3. Because it is a broadcast frame, S2 forwards the frame out all switch ports, including Trunk1 and Trunk2.

4. When the broadcast frame arrives at switches S3 and S1, they update their MAC address tables to indicate that PC1 is available out port F0/1 on S1 and port F0/2 on S3.

5. Because it is a broadcast frame, S3 and S1 forward it out all switch ports, except the one they received the frame on.

6. S3 then sends the frame to S1 and vice versa. Each switch updates its MAC address table with the incorrect port for PC1.

7. Each switch again forwards the broadcast frame out all of its ports, except the one it came in on, resulting in both switches forwarding the frame to S2.

8. When S2 receives the broadcast frames from S3 and S1, the MAC address table is updated once again, this time with the last entry received from the other two switches.

This process repeats over and over again until the loop is broken by physically disconnecting the connections causing the loop, or turning the power off on one of the switches in the loop.

Loops result in high CPU load on all switches caught in the loop. Because the same frames are constantly being forwarded back and forth between all switches in the loop, the CPU of the switch ends up having to process a lot of data. This slows down performance on the switch when legitimate traffic arrives.

A host caught in a network loop is not accessible to other hosts on the network. Because the MAC address table is constantly changing with the updates from the broadcast frames, the switch does not know which port to forward the unicast frames out to reach the final destination. The unicast frames end up looping around the network as well. As more and more frames end up looping on the network, a broadcast storm occurs.


Broadcast Storms

A broadcast storm occurs when there are so many broadcast frames caught in a Layer 2 loop that all available bandwidth is consumed. Consequently, no bandwidth is available for legitimate traffic, and the network becomes unavailable for data communication.

There are other consequences for broadcast storms. Because broadcast traffic is forwarded out every port on a switch, all connected devices have to process all broadcast traffic that is being flooded endlessly around the looped network. This can cause the end device to malfunction because of the high processing requirements for sustaining such a high traffic load on the network interface card.

Click the Play button in the figure to start the animation.

In the animation:

1. PC1 sends a broadcast frame out onto the looped network.

2. The broadcast frame ends up looping between all the interconnected switches on the network.

3. PC4 also sends a broadcast frame out on to the looped network.

4. The PC4 broadcast frame also gets caught in the loop and ends up looping between all the interconnected switches, just like the PC1 broadcast frame.

5. As more and more broadcast frames are sent out onto the network by other devices, more traffic gets caught in the loop, eventually resulting in a broadcast storm.

6. When the network is fully saturated with broadcast traffic looping between the switches, new traffic is discarded by the switch because it is unable to process it.

A broadcast storm is inevitable on a looped network. As more devices send broadcasts out on the network, more and more traffic gets caught in the loop, eventually creating a broadcast storm that causes the network to fail. Because devices connected to a network are constantly sending out broadcast frames, such as ARP requests, a broadcast storm can develop in seconds. As a result, when a loop is created, the network quickly becomes disabled.


Duplicate Unicast Frames

Broadcast frames are not the only type of frames that are affected by loops. Unicast frames sent onto a looped network can result in duplicate frames arriving at the destination device.

Click the Play button in the figure to start the animation.

In the animation:

1. PC1 sends a unicast frame destined for PC4.

2. Switch S2 does not have an entry for PC4 in its MAC table, so it floods the unicast frame out all switch ports in an attempt to find PC4.

3. The frame arrives at switches S1 and S3.

4. S1 does have a MAC address entry for PC4, so it forwards the frame out to PC4.

5. S3 also has an entry in its MAC address table for PC4, so it forwards the unicast frame out Trunk3 to S1.

6. S1 receives the duplicate frame and once again forwards the frame out to PC4.

7. PC4 has now received the same frame twice.

Most upper layer protocols are not designed to recognize or cope with duplicate transmissions. In general, protocols that make use of a sequence-numbering mechanism assume that the transmission has failed and that the sequence number has recycled for another communication session. Other protocols attempt to hand the duplicate transmission to the appropriate upper layer protocol to be processed and possibly discarded.

Fortunately, switches are capable of detecting loops on a network. The Spanning Tree Protocol (STP) eliminates these loop issues. You will learn about STP in the next section.


5.1.3 Real-world redundancy issues

Loops in the Wiring Closet

Redundancy is an important component of a highly available hierarchical network topology, but loops can arise as a result of the multiple paths configured on the network. You can prevent loops using the Spanning Tree Protocol (STP). However, if STP has not been implemented in preparation for a redundant topology, loops can occur unexpectedly.

Network wiring for small to medium-sized businesses can get very confusing. Network cables between access layer switches, located in the wiring closets, disappear into the walls, floors, and ceilings where they are run back to the distribution layer switches on the network. If the network cables are not properly labeled when they are terminated in the patch panel in the wiring closet, it is difficult to determine where the destination is for the patch panel port on the network. Network loops that are a result of accidental duplicate connections in the wiring closets are a common occurrence.

Click the Loop from two connections to the same switch button in the figure.

The example displays a loop that occurs if two connections from the same switch are connected to another switch. This type of loop is common in the wiring closet. It happens when an administrator mistakenly connects a cable to the same switch it is already connected to. This usually occurs when network cables are not labeled or mislabeled or when the administrator has not taken the time to verify where the cables are connected. The loop is localized to the switches that are interconnected. However, the loop affects the rest of the network because of high broadcast forwarding that reaches all the other switches on the network. The impact on the other switches may not be enough to disrupt legitimate communications, but it could noticeably affect the overall performance of the other switches.

There is an exception to this problem. An EtherChannel is a grouping of Ethernet ports on a switch that act as a single logical network connection. Because the switch treats the ports configured for the EtherChannel as a single network link, loops are not possible. Configuring EtherChannels is beyond the scope of this course. If you would like to learn more about EtherChannels, visit: http://www.cisco.com/en/US/tech/tk389/tk213/technologies_white_paper09186a0080092944.shtml

Click the Loop from a connection to a second switch on the same network button in the figure.

The example displays a loop that occurs if a switch is connected to two different switches on a network that are both also interconnected. The impact of this type of loop is much greater because it affects more switches directly.

Loops in the Cubicles

Because of insufficient network data connections, some end users have a personal hub or switch located in their working environment. Rather than incur the costs of running additional network data connections to the workspace, a simple hub or switch is connected to an existing network data connection allowing all devices connected to the personal hub or switch to gain access to the network. Wiring closets are typically secured to prevent unauthorized access, so often the network administrator is the only one who has full control over how and what devices are connected to the network. Unlike the wiring closet, the administrator is not in control of how personal hubs and switches are being used or connected, so the end user can accidentally interconnect the switches or hubs.

Click the Loop from two interconnected hubs button in the figure.

In the example, the two user hubs are interconnected resulting in a network loop. The loop disrupts communication between all devices connected to switch S1.

5.2.1 The spanning tree algorithm

STP Topology

Redundancy increases the availability of the network topology by protecting the network from a single point of failure, such as a failed network cable or switch. When redundancy is introduced into a Layer 2 design, loops and duplicate frames can occur. Loops and duplicate frames can have severe consequences on a network. The Spanning Tree Protocol (STP) was developed to address these issues.

STP ensures that there is only one logical path between all destinations on the network by intentionally blocking redundant paths that could cause a loop. A port is considered blocked when network traffic is prevented from entering or leaving that port. This does not include bridge protocol data unit (BPDU) frames that are used by STP to prevent loops. You will learn more about STP BPDU frames later in the chapter. Blocking the redundant paths is critical to preventing loops on the network. The physical paths still exist to provide redundancy, but these paths are disabled to prevent the loops from occurring. If the path is ever needed to compensate for a network cable or switch failure, STP recalculates the paths and unblocks the necessary ports to allow the redundant path to become active.

Click the Play button in the figure to start the animation.

In the example, all switches have STP enabled:

1. PC1 sends a broadcast out onto the network.

2. Switch S2 forwards a broadcast frame out all switch ports, except the originating port from PC1, and the port on Trunk2, which leads to the blocked port on S3.

3. Switch S3 is configured with STP and has set the port for Trunk2 to a blocking state. The blocking state prevents ports from being used to forward switch traffic, preventing a loop from occurring. Switch S1 receives the broadcast frame and forwards it out all of its switch ports, where it reaches PC4 and S3. S3 does not forward the frame back to S2 over Trunk2 because of the blocked port. The Layer 2 loop is prevented.

Click the STP compensates for network failure button in the figure and click Play to start the animation.

In this example:

1. PC1 sends a broadcast out onto the network.

2. The broadcast is then forwarded around the network, just as in the previous animation.

3. The trunk link between switch S2 and switch S1 fails, resulting in the previous path being disrupted.

4. Switch S3 unblocks the previously blocked port for Trunk2 and allows the broadcast traffic to traverse the alternate path around the network, permitting communication to continue. If this link comes back up, STP reconverges and the port on S3 is again blocked.

STP prevents loops from occurring by configuring a loop-free path through the network using strategically placed blocking state ports. The switches running STP are able to compensate for failures by dynamically unblocking the previously blocked ports and permitting traffic to traverse the alternate paths. The next topic describes how STP accomplishes this process automatically.
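To make the loop animations of 5.1.2 and the STP Topology animation above concrete, here is a small simulation written for this edition (it is not part of the Cisco course): the three-switch triangle with PC1 on S2 and PC4 on S1, MAC-address learning and flooding on each switch, and an optional set of STP blocking ports. Port numbers follow the figures; the PC4 access port on S1, the host MAC addresses and the hop limit are constructed assumptions.

```python
"""Constructed simulation (an added example, not course code) of the triangle
S2-S1 (Trunk1), S2-S3 (Trunk2), S3-S1 (Trunk3).  It shows the endless
broadcast loop, the duplicate unicast frame, and how one STP blocking port
(S3 F0/2 on Trunk2) turns the endless loop into a bounded flood."""
from collections import deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
PC1, PC4 = "00:00:00:00:00:01", "00:00:00:00:00:04"   # constructed host MACs

# Constructed topology: switch -> {port: (neighbour switch, its port) | host}.
# Trunk ports follow the course figures; the PC4 port on S1 is an assumption.
TOPOLOGY = {
    "S1": {"F0/1": ("S2", "F0/1"), "F0/2": ("S3", "F0/1"), "F0/11": PC4},
    "S2": {"F0/1": ("S1", "F0/1"), "F0/2": ("S3", "F0/2"), "F0/11": PC1},
    "S3": {"F0/1": ("S1", "F0/2"), "F0/2": ("S2", "F0/2")},
}


def simulate(frame, blocked=frozenset(), mac_tables=None, max_hops=200):
    """Forward one frame injected as (switch, in_port, src, dst).

    `blocked` holds (switch, port) pairs in the STP blocking state: such a
    port neither accepts nor sends data frames.  Returns (copies delivered
    per host MAC, switch hops processed, True if frames were still in flight
    when max_hops was reached (the frame is looping), final MAC tables)."""
    tables = {sw: dict((mac_tables or {}).get(sw, {})) for sw in TOPOLOGY}
    queue = deque([frame])
    delivered = {}
    hops = 0
    while queue and hops < max_hops:
        sw, in_port, src, dst = queue.popleft()
        if (sw, in_port) in blocked:
            continue                        # blocked port discards the frame
        hops += 1
        tables[sw][src] = in_port           # learn (or re-learn) the source
        if dst in tables[sw]:
            out_ports = [tables[sw][dst]]   # known unicast: forward only
        else:
            out_ports = list(TOPOLOGY[sw])  # unknown or broadcast: flood
        for port in out_ports:
            if port == in_port or (sw, port) in blocked:
                continue
            nb = TOPOLOGY[sw][port]
            if isinstance(nb, tuple):
                queue.append((nb[0], nb[1], src, dst))
            elif dst in (BROADCAST, nb):    # a NIC keeps only its own frames
                delivered[nb] = delivered.get(nb, 0) + 1
    return delivered, hops, bool(queue), tables


def broadcast_without_stp():
    """5.1.2 animation: with no port blocked, PC1's broadcast never stops."""
    return simulate(("S2", "F0/11", PC1, BROADCAST))


def broadcast_with_stp():
    """STP Topology animation: S3 blocks Trunk2, so the flood ends after
    S2, S1 and S3 have each forwarded the frame once."""
    return simulate(("S2", "F0/11", PC1, BROADCAST), blocked={("S3", "F0/2")})


def duplicate_unicast():
    """Duplicate Unicast Frames animation: S1 and S3 already know PC4, S2
    does not, so S2 floods and PC4 receives the same frame twice."""
    known = {"S1": {PC4: "F0/11"}, "S3": {PC4: "F0/1"}}
    return simulate(("S2", "F0/11", PC1, PC4), mac_tables=known)


if __name__ == "__main__":
    for name, fn in [("loop", broadcast_without_stp),
                     ("stp", broadcast_with_stp),
                     ("dup-unicast", duplicate_unicast)]:
        delivered, hops, looping, tables = fn()
        print(f"{name:12s} hops={hops:3d} looping={looping} "
              f"PC4 copies={delivered.get(PC4, 0)} "
              f"S1 learned PC1 on {tables['S1'].get(PC1)}")
```

In the looping case the MAC table entry for PC1 on S1 keeps flipping between F0/1 and F0/2, which is the "incorrect port" effect from step 6 of the animation.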


STP Algorithm

STP uses the Spanning Tree Algorithm (STA) to determine which switch ports on a network need to be configured for blocking to prevent loops from occurring. The STA designates a single switch as the root bridge and uses it as the reference point for all path calculations. In the figure the root bridge, switch S1, is chosen through an election process. All switches participating in STP exchange BPDU frames to determine which switch has the lowest bridge ID (BID) on the network. The switch with the lowest BID automatically becomes the root bridge for the STA calculations. The root bridge election process will be discussed in detail later in this chapter.

The BPDU is the message frame exchanged by switches for STP. Each BPDU contains a BID that identifies the switch that sent the BPDU. The BID contains a priority value, the MAC address of the sending switch, and an optional extended system ID. The lowest BID value is determined by the combination of these three fields. You will learn more about the root bridge, BPDU, and BID in later topics.

After the root bridge has been determined, the STA calculates the shortest path to the root bridge. Each switch uses the STA to determine which ports to block. While the STA determines the best paths to the root bridge for all destinations in the broadcast domain, all traffic is prevented from forwarding through the network. The STA considers both path and port costs when determining which path to leave unblocked. The path costs are calculated using port cost values associated with port speeds for each switch port along a given path. The sum of the port cost values determines the overall path cost to the root bridge. If there is more than one path to choose from, STA chooses the path with the lowest path cost. You will learn more about path and port costs in later topics.

When the STA has determined which paths are to be left available, it configures the switch ports into distinct port roles. The port roles describe their relation in the network to the root bridge and whether they are allowed to forward traffic.

Root ports - Switch ports closest to the root bridge. In the example, the root port on switch S2 is F0/1 configured for the trunk link between switch S2 and switch S1. The root port on switch S3 is F0/1, configured for the trunk link between switch S3 and switch S1.

Designated ports - All non-root ports that are still permitted to forward traffic on the network. In the example, switch ports F0/1 and F0/2 on switch S1 are designated ports. Switch S2 also has its port F0/2 configured as a designated port.

Non-designated ports - All ports configured to be in a blocking state to prevent loops. In the example, the STA configured port F0/2 on switch S3 in the non-designated role. Port F0/2 on switch S3 is in the blocking state.

You will learn more about port roles and states in a later topic.

The Root Bridge

Every spanning-tree instance (switched LAN or broadcast domain) has a switch designated as the root bridge. The root bridge serves as a reference point for all spanning-tree calculations to determine which redundant paths to block.

An election process determines which switch becomes the root bridge.

Click the BID Fields button in the figure.

The figure shows the BID fields. The details of each BID field are discussed later, but it is useful to know now that the BID is made up of a priority value, an extended system ID, and the MAC address of the switch.

All switches in the broadcast domain participate in the election process. After a switch boots, it sends out BPDU frames containing the switch BID and the root ID every 2 seconds. By default, the root ID matches the local BID for all switches on the network. The root ID identifies the root bridge on the network. Initially, each switch identifies itself as the root bridge after bootup.

As the switches forward their BPDU frames, adjacent switches in the broadcast domain read the root ID information from the BPDU frame. If the root ID from the BPDU received is lower than the root ID on the receiving switch, the receiving switch updates its root ID identifying the adjacent switch as the root bridge. Note: It may not be an adjacent switch, but any other switch in the broadcast domain. The switch then forwards new BPDU frames with the lower root ID to the other adjacent switches. Eventually, the switch with the lowest BID ends up being identified as the root bridge for the spanning-tree instance.

Best Paths to the Root Bridge

When the root bridge has been designated for the spanning-tree instance, the STA starts the process of determining the best paths to the root bridge from all destinations in the broadcast domain. The path information is determined by summing up the individual port costs along the path from the destination to the root bridge.

The default port costs are defined by the speed at which the port operates. In the table, you can see that 10-Gb/s Ethernet ports have a port cost of 2, 1-Gb/s Ethernet ports have a port cost of 4, 100-Mb/s Fast Ethernet ports have a port cost of 19, and 10-Mb/s Ethernet ports have a port cost of 100.

Note: IEEE defines the port cost values used by STP. As newer, faster Ethernet technologies enter the marketplace, the path cost values may change to accommodate the different speeds available. The non-linear numbers accommodate some improvements to the Ethernet standard, but be aware that the numbers can be changed by IEEE if needed. In the table, the values have already been changed to accommodate the newer 10-Gb/s Ethernet standard.

Click the Configuring Port Costs button in the figure.

Although switch ports have a default port cost associated with them, the port cost is configurable. The ability to configure individual port costs gives the administrator the flexibility to control the spanning-tree paths to the root bridge. To configure the port cost of an interface, enter the spanning-tree cost value command in interface configuration mode. The range value can be between 1 and 200,000,000. In the example, switch port F0/1 has been configured with a port cost of 25 using the spanning-tree cost 25 interface configuration command on the F0/1 interface. To revert the port cost back to the default value, enter the no spanning-tree cost interface configuration command.

Click the Path Costs button in the figure.

Path cost is the sum of all the port costs along the path to the root bridge. The paths with the lowest path cost become the preferred path, and all other redundant paths are blocked. In the example, the path cost from switch S2 to the root bridge switch S1, over path 1 is 19 (based on the IEEE-specified individual port cost), while the path cost over path 2 is 38. Because path 1 has a lower overall path cost to the root bridge, it is the preferred path. STP then configures the redundant path to be blocked, preventing a loop from occurring.

Click the Verify Port and Path Costs button in the figure.

To verify the port and path cost to the root bridge, enter the show spanning-tree privileged EXEC mode command. The Cost field in the output is the total path cost to the root bridge. This value changes depending on how many switch ports need to be traversed to get to the root bridge. In the output, each interface is also identified with an individual port cost of 19. Another command to explore is the show spanning-tree detail privileged EXEC mode command.


5.2.2 STP BPDU

The BPDU Fields

In the previous topic, you learned that STP determines a root bridge for the spanning-tree instance by exchanging BPDUs. In this topic, you will learn the details of the BPDU frame and how it facilitates the spanning-tree process.

Roll over the BPDU fields in the figure to learn what they contain.

The BPDU frame contains 12 distinct fields that are used to convey path and priority information that STP uses to determine the root bridge and paths to the root bridge. The first four fields identify the protocol, version, message type, and status flags. The next four fields are used to identify the root bridge and the cost of the path to the root bridge. The last four fields are all timer fields that determine how frequently BPDU messages are sent, and how long the information received through the BPDU process (next topic) is retained. The role of the timer fields will be covered in more detail later in this course.

Click the BPDU Example button in the figure.

The example in the figure was captured using Wireshark. In the example, the BPDU frame contains more fields than previously described. The BPDU message is encapsulated in an Ethernet frame when it is transmitted across the network. The 802.3 header indicates the source and destination addresses of the BPDU frame. This frame has a destination MAC address of 01:80:C2:00:00:00, which is a multicast address for the spanning-tree group. When a frame is addressed with this MAC address, each switch that is configured for spanning tree accepts and reads the information from the frame. By using this multicast group address, all other devices on the network that receive this frame disregard it.

In the example, the root ID and the BID are the same in the captured BPDU frame. This indicates that the frame was captured from a root bridge switch. The timers are all set to the default values.

The BPDU Process

Each switch in the broadcast domain initially assumes that it is the root bridge for the spanning-tree instance, so the BPDU frames sent contain the BID of the local switch as the root ID. By default, BPDU frames are sent every 2 seconds after a switch is booted; that is, the default value of the hello timer specified in the BPDU frame is 2 seconds. Each switch maintains local information about its own BID, the root ID, and the path cost to the root.

When adjacent switches receive a BPDU frame, they compare the root ID from the BPDU frame with the local root ID. If the root ID in the BPDU is lower than the local root ID, the switch updates the local root ID and the ID in its BPDU messages. These messages serve to indicate the new root bridge on the network.

Also, the path cost is updated to indicate how far away the root bridge is. For example, if the BPDU was received on a Fast Ethernet switch port, the path cost would be set to 19. If the local root ID is lower than the root ID received in the BPDU frame, the BPDU frame is discarded.

After a root ID has been updated to identify a new root bridge, all subsequent BPDU frames sent from that switch contain the new root ID and updated path cost. That way, all other adjacent switches are able to see the lowest root ID identified at all times. As the BPDU frames pass between other adjacent switches, the path cost is continually updated to indicate the total path cost to the root bridge. Each switch in the spanning tree uses its path costs to identify the best possible path to the root bridge.

The following summarizes the BPDU process:

Note: Priority is the initial deciding factor when choosing a root bridge. If the priority of all the switches was the same, the MAC address would be the deciding factor.

Click each step in the figure to learn about the BPDU process.

Step 1. Initially, each switch identifies itself as the root bridge. Switch S2 forwards BPDU frames out all switch ports.

Step 2. When switch S3 receives a BPDU from switch S2, S3 compares its root ID with the BPDU frame it received. The priorities are equal, so the switch is forced to examine the MAC address portion to determine which MAC address has a lower value. Because S2 has a lower MAC address value, S3 updates its root ID with the S2 root ID. At that point, S3 considers S2 as the root bridge.

Step 3. When S1 compares its root ID with the one in the received BPDU frame, it identifies the local root ID as the lower value and discards the BPDU from S2.

Step 4. When S3 sends out its BPDU frames, the root ID contained in the BPDU frame is that of S2.

Step 5. When S2 receives the BPDU frame, it discards it after verifying that the root ID in the BPDU matched its local root ID.

Step 6. Because S1 has a lower priority value in its root ID, it discards the BPDU frame received from S3.

Step 7. S1 sends out its BPDU frames.

Step 8. S3 identifies the root ID in the BPDU frame as having a lower value and therefore updates its root ID values to indicate that S1 is now the root bridge.

Step 9. S2 identifies the root ID in the BPDU frame as having a lower value and therefore updates its root ID values to indicate that S1 is now the root bridge.
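The nine-step BPDU exchange above can be run as a small model; the following is an added example written for this edition, not course code. It assumes Fast Ethernet links (port cost 19) on all three trunks, a priority of 24576 on S1, and constructed MAC addresses chosen so that S2's is lower than S3's; the "hello round" scheduling stands in for the real 2-second hello timer.

```python
"""Constructed model (an added example, not course code) of the BPDU process
in 5.2.1 and 5.2.2: every switch starts out claiming to be the root, adopts
any lower root ID it hears (adding the receiving port's cost), re-advertises
it, and discards BPDUs that carry nothing better than its own information."""

# IEEE port costs from the course table, keyed by link speed in Mb/s.
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


def bid(priority, mac, vlan=1):
    """Bridge ID as a comparable tuple: (priority + extended system ID, MAC).
    The lower tuple wins: priority first, then the MAC address."""
    return (priority + vlan, mac.lower())


class Switch:
    def __init__(self, name, priority, mac):
        self.name = name
        self.bid = bid(priority, mac)
        self.root_id = self.bid        # initially "I am the root bridge"
        self.root_cost = 0
        self.links = {}                # port -> (neighbour Switch, speed Mb/s)

    def bpdu(self):
        """Configuration BPDU: (root ID, path cost to root, sender BID)."""
        return (self.root_id, self.root_cost, self.bid)

    def receive(self, port, bpdu):
        """Adopt the BPDU if it names a lower root ID, or the same root over a
        cheaper path; otherwise discard it.  Returns True on a change."""
        root_id, cost, _sender = bpdu
        new_cost = cost + PORT_COST[self.links[port][1]]
        if (root_id, new_cost) < (self.root_id, self.root_cost):
            self.root_id, self.root_cost = root_id, new_cost
            return True
        return False


def connect(a, port_a, b, port_b, speed):
    a.links[port_a] = (b, speed)
    b.links[port_b] = (a, speed)


def converge(switches, max_rounds=10):
    """One hello round = every switch sends its BPDU out every port.
    Returns the number of rounds until no switch changed its root data."""
    for rnd in range(1, max_rounds + 1):
        changed = False
        for sw in switches:
            sent = sw.bpdu()
            for nb, _speed in sw.links.values():
                # the neighbour's port that leads back to sw (no parallel links)
                nb_port = next(p for p, (x, _) in nb.links.items() if x is sw)
                changed |= nb.receive(nb_port, sent)
        if not changed:
            return rnd
    raise RuntimeError("spanning tree did not converge")


def build_example(s1_priority=24576):
    """The course's three-switch triangle on Fast Ethernet.  S1's MAC is
    constructed to be the highest, so S1 only wins the election through
    its lower priority; with the default 32768 everywhere, S2 wins by MAC."""
    s1 = Switch("S1", s1_priority, "00:1b:00:00:00:aa")
    s2 = Switch("S2", 32768, "00:1b:00:00:00:02")
    s3 = Switch("S3", 32768, "00:1b:00:00:00:03")
    connect(s2, "F0/1", s1, "F0/1", 100)   # Trunk1
    connect(s2, "F0/2", s3, "F0/2", 100)   # Trunk2
    connect(s3, "F0/1", s1, "F0/2", 100)   # Trunk3
    return [s1, s2, s3]


def elect_root(switches):
    """Run the exchange; return (root switch name, {switch: cost to root})."""
    converge(switches)
    assert len({sw.root_id for sw in switches}) == 1, "no agreement on root"
    root = next(sw for sw in switches if sw.bid == switches[0].root_id)
    return root.name, {sw.name: sw.root_cost for sw in switches}


if __name__ == "__main__":
    print("priority 24576 on S1:", elect_root(build_example()))
    print("all default 32768:  ", elect_root(build_example(32768)))
```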


5.2.3 Bridge ID

BID Fields

The bridge ID (BID) is used to determine the root bridge on a network. This topic describes what makes up a BID and how to configure the BID on a switch to influence the election process to ensure that specific switches are assigned the role of root bridge on the network.

The BID field of a BPDU frame contains three separate fields: bridge priority, extended system ID, and MAC address. Each field is used during the root bridge election.

Bridge Priority

The bridge priority is a customizable value that you can use to influence which switch becomes the root bridge. The switch with the lowest priority, which means lowest BID, becomes the root bridge (the lower the priority value, the higher the priority). For example, to ensure that a specific switch is always the root bridge, you set the priority to a lower value than the rest of the switches on the network. The default value for the priority of all Cisco switches is 32768. The priority range is between 1 and 65536; therefore, 1 is the highest priority.

Extended System ID

As shown in the example, the extended system ID can be omitted in BPDU frames in certain configurations. The early implementation of STP was designed for networks that did not use VLANs. There was a single common spanning tree across all switches. When VLANs started to become common for network infrastructure segmentation, STP was enhanced to include support for VLANs. As a result, the extended system ID field contains the ID of the VLAN with which the BPDU is associated.

When the extended system ID is used, it changes the number of bits available for the bridge priority value, so the increment for the bridge priority value changes from 1 to 4096. Therefore, bridge priority values can only be multiples of 4096.

The extended system ID value is added to the bridge priority value in the BID to identify the priority and VLAN of the BPDU frame. You will learn about per VLAN spanning tree (PVST) in a later section of this chapter.

MAC Address

When two switches are configured with the same priority and have the same extended system ID, the switch with the MAC address with the lowest hexadecimal value has the lower BID. Initially, all switches are configured with the same default priority value. The MAC address is then the deciding factor on which switch is going to become the root bridge. This results in an unpredictable choice for the root bridge. It is recommended to configure the desired root bridge switch with a lower priority to ensure that it is elected root bridge. This also ensures that the addition of new switches to the network does not trigger a new spanning-tree election, which could disrupt network communication while a new root bridge is being selected.

Click the Priority-based decision button in the figure.

In the example, S1 has a lower priority than the other switches; therefore, it is preferred as the root bridge for that spanning-tree instance.

Click the MAC Address-based decision button in the figure.

When all switches are configured with the same priority, as is the case with all switches kept in the default configuration with a priority of 32768, the MAC address becomes the deciding factor for which switch becomes the root bridge. The MAC address with the lowest hexadecimal value is considered to be the preferred root bridge. In the example, S2 has the lowest value for its MAC address and is therefore designated as the root bridge for that spanning-tree instance.

Note: In the example, the priority of all the switches is 32769. The value is based on the 32768 default priority and the VLAN 1 assignment associated with each switch (1+32768).

Configure and Verify the BID

When a specific switch is to become a root bridge, the bridge priority value needs to be adjusted to ensure it is lower than the bridge priority values of all the other switches on the network. There are two different configuration methods that you can use to configure the bridge priority value on a Cisco Catalyst switch.

Method 1 - To ensure that the switch has the lowest bridge priority value, use the spanning-tree vlan vlan-id root primary command in global configuration mode. The priority for the switch is set to the predefined value of 24576 or to the next 4096 decrement value below the lowest bridge priority detected on the network.

If an alternate root bridge is desired, use the spanning-tree vlan vlan-id root secondary global configuration mode command. This command sets the priority for the switch to the predefined value of 28672. This ensures that this switch becomes the root bridge if the primary root bridge fails and a new root bridge election occurs, assuming that the rest of the switches in the network have the default 32768 priority value defined.

In the example, switch S1 has been assigned as the primary root bridge using the spanning-tree vlan 1 root primary global configuration mode command, and switch S2 has been configured as the secondary root bridge using the spanning-tree vlan 1 root secondary global configuration mode command.

Method 2 - Another method for configuring the bridge priority value is using the spanning-tree vlan vlan-id priority value global configuration mode command. This command gives you more granular control over the bridge priority value. The priority value is configured in increments of 4096 between 0 and 65536.

In the example, switch S3 has been assigned a bridge priority value of 24576 using the spanning-tree vlan 1 priority 24576 global configuration mode command.

Click the Verification button in the figure.

To verify the bridge priority of a switch, use the show spanning-tree privileged EXEC mode command. In the example, the priority of the switch has been set to 24576. Also notice that the switch is designated as the root bridge for the spanning-tree instance.

5.2.4 Port roles

Port Roles

The root bridge is elected for the spanning-tree instance. The location of the root bridge in the network topology determines how port roles are calculated. This topic describes how the switch ports are configured for specific roles to prevent the possibility of loops on the network.

There are four distinct port roles that switch ports are automatically configured for during the spanning-tree process.

Root Port

The root port exists on non-root bridges and is the switch port with the best path to the root bridge. Root ports forward traffic toward the root bridge. The source MAC address of frames received on the root port are capable of populating the MAC table. Only one root port is allowed per bridge. In the example, switch S1 is the root bridge and switches S2 and S3 have root ports defined on the trunk links connecting back to S1.

Designated Port

The designated port exists on root and non-root bridges. For root bridges, all switch ports are designated ports. For non-root bridges, a designated port is the switch port that receives and forwards frames toward the root bridge as needed. Only one designated port is allowed per segment. If multiple switches exist on the same segment, an election process determines the designated switch, and the corresponding switch port begins forwarding frames for the segment. Designated ports are capable of populating the MAC table. In the example, switch S1 has both sets of ports for its two trunk links configured as designated ports. Switch S2 also has a designated port configured on the trunk link going toward switch S3.

Non-designated Port

The non-designated port is a switch port that is blocked, so it is not forwarding data frames and not populating the MAC address table with source addresses. A non-designated port is not a root port or a designated port. For some variants of STP, the non-designated port is called an alternate port. In the example, switch S3 has the only non-designated ports in the topology. The non-designated ports prevent the loop from occurring.

Disabled Port

The disabled port is a switch port that is administratively shut down. A disabled port does not function in the spanning-tree process. There are no disabled ports in the example.

Port Roles

The STA determines which port role is assigned to each switch port.

When determining the root port on a switch, the switch compares the path costs
on all switch ports participating in the spanning tree. The switch port with
the lowest overall path cost to the root is automatically assigned the root
port role because it is closest to the root bridge. In a network topology, all
switches that are using spanning tree, except for the root bridge, have a
single root port defined.

When there are two switch ports that have the same path cost to the root bridge
and both are the lowest path costs on the switch, the switch needs to determine
which switch port is the root port. The switch uses the customizable port
priority value, or the lowest port ID if both port priority values are the
same.

The port ID is the interface ID of the switch port. For example, the figure
shows four switches. Port F0/1 and F0/2 on switch S2 have the same path cost
value back to the root bridge. However, port F0/1 on switch S2 is the preferred
port because it has a lower port ID value. The port ID is appended to the port
priority. For example, switch port F0/1 has a default port priority value of
128.1, where 128 is the configurable port priority value and .1 is the port ID.
Switch port F0/2 has a port priority value of 128.2, by default.

Configure Port Priority

You can configure the port priority value using the spanning-tree port-priority
value interface configuration mode command. The port priority values range from
0 - 240, in increments of 16. The default port priority value is 128. As with
bridge priority, lower port priority values give the port higher priority.

In the example, the port priority for port F0/1 has been set to 112, which is
below the default port priority of 128. This ensures that the port is the
preferred port when competing with another port for a specific port role.

When the switch decides to use one port over another for the root port, the
other is configured as a non-designated port to prevent a loop from occurring.

Port Role Decisions

Click each step in the figure to learn about how port roles are determined.

In the example, switch S1 is the root bridge. Switches S2 and S3 have root
ports configured for the ports connecting back to S1. After a switch has
determined which of its ports is configured in the root port role, it needs to
decide which ports have the designated and non-designated roles.

The root bridge automatically configures all of its switch ports in the
designated role. Other switches in the topology configure their non-root ports
as designated or non-designated ports.

Designated ports are configured for all LAN segments. When two switches are
connected to the same LAN segment, and root ports have already been defined,
the two switches have to decide which port gets to be configured as a
designated port and which one is left as the non-designated port.

The switches on the LAN segment in question exchange BPDU frames, which contain
the switch BID. Generally, the switch with the lower BID has its port
configured as a designated port, while the switch with the higher BID has its
port configured as a non-designated port. However, keep in mind that the first
priority is the lowest path cost to the root bridge and that only if the port
costs are equal, is the BID of the sender used.

As a result, each switch determines which port roles are assigned to each of
its ports to create the loop-free spanning tree.


Verifying Port Roles and Port Priority

Now that spanning tree has determined the logical loop-free network topology,
you may want to confirm which port roles and port priorities are configured for
the various switch ports in the network. To verify the port roles and port
priorities for the switch ports, use the show spanning-tree privileged EXEC
mode command.

In the example, the show spanning-tree output displays all switch ports and
their defined roles. Switch ports F0/1 and F0/2 are configured as designated
ports. The output also displays the port priority of each switch port. Switch
port F0/1 has a port priority of 128.1.

5.2.5 STP port states and BPDU timers
Port States

STP determines the logical loop-free path throughout the broadcast domain. The
spanning tree is determined through the information learned by the exchange of
the BPDU frames between the interconnected switches. To facilitate the learning
of the logical spanning tree, each switch port transitions through five
possible port states and three BPDU timers.

The spanning tree is determined immediately after a switch is finished booting
up. If a switch port were to transition directly from the blocking to the
forwarding state, the port could temporarily create a data loop if the switch
was not aware of all topology information at the time. For this reason, STP
introduces five port states. The table summarizes what each port state does.
The following provides some additional information on how the port states
ensure that no loops are created during the creation of the logical spanning
tree.

Blocking - The port is a non-designated port and does not participate in frame
forwarding. The port receives BPDU frames to determine the location and root ID
of the root bridge switch and what port roles each switch port should assume in
the final active STP topology.

Listening - STP has determined that the port can participate in frame
forwarding according to the BPDU frames that the switch has received thus far.
At this point, the switch port is not only receiving BPDU frames, it is also
transmitting its own BPDU frames and informing adjacent switches that the
switch port is preparing to participate in the active topology.

Learning - The port prepares to participate in frame forwarding and begins to
populate the MAC address table.

Forwarding - The port is considered part of the active topology and forwards
frames and also sends and receives BPDU frames.

Disabled - The Layer 2 port does not participate in spanning tree and does not
forward frames. The disabled state is set when the switch port is
administratively disabled.

BPDU Timers

The amount of time that a port stays in the various port states depends on the
BPDU timers. Only the switch in the role of root bridge may send information
through the tree to adjust the timers. The following timers determine STP
performance and state changes:

– Hello time (2 seconds by default)
– Forward delay (15 seconds by default)
– Maximum age (20 seconds by default)

Click the Roles and Timers button in the figure.

When STP is enabled, every switch port in the network goes through the blocking
state and the transitory states of listening and learning at power up. The
ports then stabilize to the forwarding or blocking state. During a topology
change, a port temporarily implements the listening and learning states for a
specified period called the forward delay interval.

These values allow adequate time for convergence in a network with a switch
diameter of seven. To review, switch diameter is the number of switches a frame
has to traverse to travel between the two farthest points on the broadcast
domain. A seven-switch diameter is the largest diameter that STP permits
because of convergence times. Convergence in relation to spanning tree is the
time it takes to recalculate the spanning tree if a switch or a link fails. You
will learn how convergence works in the next section.

It is recommended that the BPDU timers not be adjusted directly because the
values have been optimized for the seven-switch diameter. Typically, you do not
adjust the BPDU timers nor reconfigure the network diameter. However, if after
research a network administrator determined that the convergence time of the
network could be optimized, the administrator would do so by reconfiguring the
network diameter, not the BPDU timers. Adjusting the spanning-tree diameter
value on the root bridge to a lower value automatically adjusts the forward
delay and maximum age timers proportionally for the new diameter.

Click the Configure Network Diameter button in the figure.

To configure a different network diameter for STP, use the spanning-tree vlan
vlan-id root primary diameter value global configuration mode command on the
root bridge switch. In the example, the spanning-tree vlan 1 root primary
diameter 5 global configuration mode command was entered to adjust the spanning
tree diameter to five switches.
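The text says the diameter command adjusts the forward delay and maximum age proportionally; the relation is worth having explicitly. The following is an added example written for this page, not course code: the 802.1D relations between switch diameter, hello time, max age and forward delay, with forward delay rounded up to a whole second. For a diameter of 7 they reproduce the defaults of 20 and 15 seconds; values for other diameters are what the same relations produce and should be checked against show spanning-tree on the root bridge after the command is entered. The consistency check is the pair of 802.1D constraints that IOS enforces when the timers are set by hand.

```python
"""STP timer derivation from network diameter (added example, not course code).

Relations are the 802.1D ones for a given diameter and hello time. The
diameter-7 result matches the defaults on the page (max age 20 s, forward
delay 15 s); other diameters should be confirmed on a real switch.
"""
import math


def stp_timers(diameter, hello=2):
    """Return (max_age, forward_delay) in seconds for a switch diameter."""
    if not 2 <= diameter <= 7:
        raise ValueError("802.1D supports a diameter of 2 to 7 switches")
    if hello < 1:
        raise ValueError("hello time must be at least 1 second")
    # Max age: four hello periods plus two transit seconds per hop beyond the root
    max_age = 4 * hello + 2 * (diameter - 1)
    # Forward delay: half of (four hellos + three seconds per hop), rounded up
    forward_delay = math.ceil((4 * hello + 3 * diameter) / 2)
    return max_age, forward_delay


def timers_are_consistent(hello, max_age, forward_delay):
    """The two 802.1D-1998 constraints IOS enforces when timers are set by hand:
    max age must cover a lost hello, and twice (forward delay - 1) must cover
    max age so stale information expires before a port starts forwarding."""
    return max_age >= 2 * (hello + 1) and 2 * (forward_delay - 1) >= max_age


def blocking_to_forwarding(forward_delay):
    """Seconds a port spends in listening + learning before it may forward."""
    return 2 * forward_delay


if __name__ == "__main__":
    for dia in range(2, 8):
        max_age, fwd = stp_timers(dia)
        print(f"diameter {dia}: max age {max_age}s, forward delay {fwd}s, "
              f"consistent={timers_are_consistent(2, max_age, fwd)}, "
              f"blocking->forwarding {blocking_to_forwarding(fwd)}s")
```

The last function is the number that PortFast, discussed below, skips: with default timers a port needs 30 seconds (listening plus learning) after leaving blocking before it forwards a host's first frame.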

Cisco PortFast Technology

PortFast is a Cisco technology. When a switch port configured with PortFast is
configured as an access port, that port transitions from blocking to forwarding
state immediately, bypassing the typical STP listening and learning states. You
can use PortFast on access ports, which are connected to a single workstation
or to a server, to allow those devices to connect to the network immediately
rather than waiting for spanning tree to converge.

If an interface configured with PortFast receives a BPDU frame, spanning tree
can shut the port down by placing it in the error-disabled state, using a
feature called BPDU guard. Configuring BPDU guard is beyond the scope of this
course. For more information on configuring BPDU guard, see:
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml.

Note: Because the purpose of PortFast is to minimize the time that access ports
must wait for spanning tree to converge, it should be used only on access
ports. If you enable PortFast on a port connecting to another switch, you risk
creating a spanning-tree loop.

Note: Cisco PortFast technology can be used to support DHCP. Without PortFast,
a PC can send a DHCP request before the port is in forwarding state, denying
the host a usable IP address and other information. Because PortFast
immediately changes the state to forwarding, the PC's DHCP request is not
dropped while the port waits for spanning tree.

Click the Configure PortFast button in the figure.

To configure PortFast on a switch port, enter the spanning-tree portfast
interface configuration mode command on each interface that PortFast is to be
enabled. To disable PortFast, enter the no spanning-tree portfast interface
configuration mode command on each interface that PortFast is to be disabled.
PortFast is disabled on all interfaces by default.

Click the Verify PortFast button in the figure.

To verify that PortFast has been enabled for a switch port, use the show
running-config privileged EXEC mode command. The absence of the spanning-tree
portfast command in the running configuration for an interface indicates that
PortFast has been disabled for that interface.

5.3.1 STP convergence
STP Convergence Steps

The previous section described the components that enable STP to create the
logical loop-free network topology. In this section, you will examine the
whole STP process from start to finish.

Convergence is an important aspect of the spanning-tree process. Convergence is
the time it takes for the network to determine which switch is going to assume
the role of the root bridge, go through all the different port states, and set
all switch ports to their final spanning-tree port roles where all potential
loops are eliminated. The convergence process takes time to complete because
of the different timers used to coordinate the process.

To understand the convergence process more thoroughly, it has been broken down
into three distinct steps:

Step 1. Elect a root bridge
Step 2. Elect root ports
Step 3. Elect designated and non-designated ports

The remainder of this section explores each step in the convergence process.

5.3.2 Step 1: electing a root bridge
Step 1. Electing a Root Bridge

The first step of the spanning-tree convergence process is to elect a root
bridge. The root bridge is the basis for all spanning-tree path cost
calculations and ultimately leads to the assignment of the different port roles
used to prevent loops from occurring.

A root bridge election is triggered after a switch has finished booting up, or
when a path failure has been detected on a network. Initially, all switch ports
are configured for the blocking state, which by default lasts 20 seconds. This
is done to prevent a loop from occurring before STP has had time to calculate
the best root paths and configure all switch ports to their specific roles.
While the switch ports are in a blocking state, they are still able to send and
receive BPDU frames so that the spanning-tree root election can proceed.
Spanning tree supports a maximum network diameter of seven switch hops from end
to end. This allows the entire root bridge election process to occur within 14
seconds, which is less than the time the switch ports spend in the blocking
state.

Immediately after the switches have finished booting up, they start sending
BPDU frames advertising their BID in an attempt to become the root bridge.
Initially, all switches in the network assume that they are the root bridge
for the broadcast domain. The flood of BPDU frames on the network have the root
ID field matching the BID field, indicating that each switch considers itself
the root bridge. These BPDU frames are sent every 2 seconds based on the
default hello timer value. As each switch receives the BPDU frames from its
neighboring switches, it compares the root ID from the received BPDU frame with
the root ID configured locally. If the root ID from the received BPDU frame is
lower than the root ID it currently has, the root ID field is updated,
indicating the new best candidate for the root bridge role.

After the root ID field is updated on a switch, the switch then incorporates
the new root ID in all future BPDU frame transmissions. This ensures that the
lowest root ID is always conveyed to all other adjacent switches in the
network. The root bridge election ends once the lowest bridge ID populates the
root ID field of all switches in the broadcast domain.

Even though the root bridge election process has completed, the switches
continue to forward their BPDU frames advertising the root ID of the root
bridge every 2 seconds. Each switch is configured with a max age timer that
determines how long a switch retains the current BPDU configuration in the
event it stops receiving updates from its neighboring switches. By default,
the max age timer is set to 20 seconds. Therefore, if a switch fails to receive
10 consecutive BPDU frames from one of its neighbors, the switch assumes that a
logical path in the spanning tree has failed and that the BPDU information is
no longer valid. This triggers another spanning-tree root bridge election.

As you review how STP elects a root bridge, recall that the root bridge
election process occurs with all switches sending and receiving BPDU frames
simultaneously. Performing the election process simultaneously allows the
switches to determine which switch is going to become the root bridge much
faster.

Click the Play button in the figure to review the steps STP uses to elect a
root bridge.


Verify Root Bridge Election

When the root bridge election is completed, you can verify the identity of the
root bridge using the show spanning-tree privileged EXEC mode command. In the
topology example, switch S1 has the lowest priority value of the three
switches, so we can assume it will become the root bridge.

Click the Switch S1 Output button in the figure.

In the example, the show spanning-tree output for switch S1 reveals that it is
the root bridge. You can see that the BID matches the root ID, confirming that
S1 is the root bridge.

Click the Switch S2 Output button in the figure.

In the example, the show spanning-tree output for switch S2 shows that the root
ID matches the expected root ID of switch S1, indicating that S2 considers S1
the root bridge.

Click the Switch S3 Output button in the figure.

In the example, the show spanning-tree output for switch S3 shows that the root
ID matches the expected root ID of switch S1, indicating that S3 considers S1
the root bridge.

373 5.3. has a single root port defined. Elect Root Ports Now that the root bridge has been determined. This can happen when redundant links are used to uplink one switch to another switch when an EtherChannel configuration is not used. the switches start configuring the port roles for each of their switch ports. except for the root bridge. . The root port is the switch port with the lowest path cost to the root bridge. However. Recall that Cisco EtherChannel technology allows you to configure multiple physical Ethernet type links as one logical link. Normally path cost alone determines which switch port becomes the root port. The first port role that needs to be determined is the root port role. additional port characteristics determine the root port when two or more ports on the same switch have the same path cost to the root. Every switch in a spanning-tree topology.3 Step 2: elect root ports Step 2.

until it finally settles on its final port role after the root ID changes for the last time. As a result. Click each step in the figure to learn about electing root ports. . The process of determining which port becomes a root port happens during the root bridge election BPDU exchange. At the time the path cost is updated. the port role for a given switch port may change multiple times during convergence. They use the port ID to break a tie. the losing port is configured as the non-designated to avoid a loop. 374 Switch ports with equivalent path costs to the root use the configurable port priority value. The port role decisions do not wait until all switches settle on which switch is going to be the final root bridge. Path costs are updated immediately when BPDU frames arrive indicating a new root ID or redundant path. the switch enters decision mode to determine if port configurations need to be updated. When a switch chooses one equal path cost port as a root port over another.

Verify the Root Port

When the root bridge election has completed, you can verify the configuration
of the root ports using the show spanning-tree privileged EXEC mode command. In
the topology example, switch S1 has been identified as the root bridge. The
switch S2 F0/1 port and switch S3 F0/1 port are the two closest ports to the
root bridge and, therefore, should be configured as root ports. You can confirm
the port configuration using the show spanning-tree privileged EXEC mode
command.

Click the Switch S1 Output button in the figure.

In the example, the show spanning-tree output for switch S1 reveals that it is
the root bridge and consequently does not have any root ports configured.

Click the Switch S2 Output button in the figure.

In the example, the show spanning-tree output for switch S2 shows that switch
port F0/1 is configured as a root port. The Root ID shows the Priority and MAC
Address of switch S1.

Click the Switch S3 Output button in the figure.

In the example, the show spanning-tree output for switch S3 shows that switch
port F0/1 is configured as a root port. The Root ID shows the Priority and MAC
Address of switch S1.

5.3.4 Step 3: electing designated ports and non-designated ports
Step 3. Electing Designated Ports and Non-Designated Ports

After a switch determines which of its ports is the root port, the remaining
ports must be configured as either a designated port (DP) or a non-designated
port (non-DP) to finish creating the logical loop-free spanning tree.

Each segment in a switched network can have only one designated port. When two
non-root port switch ports are connected on the same LAN segment, a competition
for port roles occurs. The two switches exchange BPDU frames to sort out which
switch port is designated and which one is non-designated.

Generally, when a switch port is configured as a designated port, it is based
on the BID. However, keep in mind that the first priority is the lowest path
cost to the root bridge and that only if the port costs are equal, is the BID
of the sender used.

When two switches exchange their BPDU frames, each examines the sending BID of
the received BPDU frame to see if it is lower than its own. The switch with the
lower BID wins the competition and its port is configured in the designated
role. The losing switch configures its switch port to be non-designated and,
therefore, in the blocking state to prevent the loop from occurring.

The process of determining the port roles happens concurrently with the root
bridge election and root port designation. As a result, the designated and
non-designated roles may change multiple times during the convergence process
until the final root bridge has been determined.

The entire process of electing the root bridge, determining the root ports, and
determining the designated and non-designated ports happens within the
20-second blocking port state. This convergence time is based on the 2-second
hello timer for BPDU frame transmission and the seven-switch diameter supported
by STP. The max age delay of 20 seconds provides enough time for the
seven-switch diameter with the 2-second hello timer between BPDU frame
transmissions.

Click each step in the figure to learn about electing designated ports and
non-designated ports.


Verify DP and Non-DP

After the root ports have been assigned, the switches determine which remaining
ports are configured as designated and non-designated ports. You can verify the
configuration of the designated and non-designated ports using the show
spanning-tree privileged EXEC mode command.

In the topology:

1. Switch S1 is identified as the root bridge and therefore configures both of its
switch ports as designated ports.

2. The switch S2 F0/1 port and switch S3 F0/1 port are the two closest ports to
the root bridge and are configured as root ports.

3. The remaining switch S2 F0/2 port and switch S3 F0/2 port need to decide
which of the two remaining ports will be the designated port and which will be
the non-designated port.

4. Switch S2 and switch S3 compare their BID values to determine which one is
lower. The one with the lower BID is configured as the designated port.

5. Because both switches have the same priority, the MAC address becomes the
deciding factor.

6. Because switch S2 has a lower MAC address, it configures its F0/2 port as a
designated port.

7. Switch S3 consequently configures its F0/2 port as a non-designated port to
prevent the loop from occurring.

You can confirm the port configuration using the show spanning-tree privileged
EXEC mode command.

Click the Switch S1 Output button in the figure.

In the example, the show spanning-tree output for switch S1 reveals that it is the
root bridge and consequently has both of its ports configured as designated
ports.

Click the Switch S2 Output button in the figure.

In the example, the show spanning-tree output for switch S2 shows that switch
port F0/2 is configured as a designated port.

Click the Switch S3 Output button in the figure.

In the example, the show spanning-tree output for switch S3 shows that switch
port F0/2 is configured as a non-designated port.
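The port-role rules in 5.2.4 and the three convergence steps above can be worked through in code. The following is an added example written for this page, not code from the course, that computes the roles the BPDU exchange settles on for two constructed topologies: the page's three-switch triangle and the parallel-link case from the port priority discussion. Switch names, priorities and MAC addresses are constructed. Root-port ties are broken in the order 802.1D specifies (root path cost, then the designated bridge's BID, then the designated port's ID, and only then the receiving switch's own port ID), which is why the port priority that changes S2's choice in the parallel-link case is the one set on S1's port; in the page's example both sides' port IDs line up and the outcome is the one the text describes.

```python
"""Spanning Tree Algorithm (STA) port-role computation on a constructed topology.

Added example, not the course's own code. It computes the state the BPDU
exchange converges to: one root bridge, one root port per non-root switch, one
designated port per segment, every other port blocking (non-designated).
"""
from dataclasses import dataclass

# 802.1D-1998 short path costs as used by PVST+ (link speed in Mb/s -> cost)
PATH_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


@dataclass(frozen=True)
class Port:
    switch: str
    name: str            # e.g. "F0/1"
    number: int          # interface number, the low byte of the port ID
    segment: str         # the LAN segment (link) the port attaches to
    speed: int = 100
    priority: int = 128  # spanning-tree port-priority, 0-240 in steps of 16

    @property
    def port_id(self):
        # 16-bit port ID: priority in the high byte, port number in the low byte
        return (self.priority << 8) | self.number


def bid(priority, mac):
    """Bridge ID as a comparable tuple: lower priority wins, then lower MAC."""
    return (priority, int(mac.replace(".", ""), 16))


def compute_roles(bridges, ports):
    """bridges: {switch: bid}, ports: [Port]. Returns (root, {(switch, port): role})."""
    root = min(bridges, key=bridges.get)  # Step 1: the lowest BID becomes root

    by_segment = {}
    for p in ports:
        by_segment.setdefault(p.segment, []).append(p)

    # Root path cost per switch: relax across every segment until nothing
    # changes, which is what the repeated BPDU exchange achieves.
    rpc = {s: (0 if s == root else float("inf")) for s in bridges}
    changed = True
    while changed:
        changed = False
        for seg_ports in by_segment.values():
            for a in seg_ports:
                for b in seg_ports:
                    via = rpc[a.switch] + PATH_COST[b.speed]
                    if a.switch != b.switch and via < rpc[b.switch]:
                        rpc[b.switch], changed = via, True

    # Step 3, per segment: the designated port offers the lowest
    # (root path cost, BID, port ID); the root's ports always win with cost 0.
    designated = {seg: min(sp, key=lambda p: (rpc[p.switch], bridges[p.switch], p.port_id))
                  for seg, sp in by_segment.items()}

    # Step 2: root port on each non-root switch, chosen in 802.1D order: root
    # path cost, designated bridge's BID, designated port's ID, own port ID.
    def offer(p):
        d = designated[p.segment]
        return (rpc[d.switch] + PATH_COST[p.speed], bridges[d.switch], d.port_id, p.port_id)

    roles = {}
    for s in bridges:
        if s != root:
            candidates = [p for p in ports if p.switch == s and designated[p.segment].switch != s]
            roles[(s, min(candidates, key=offer).name)] = "root"

    for p in ports:  # everything else is designated or blocked
        roles.setdefault((p.switch, p.name),
                         "designated" if designated[p.segment] is p else "non-designated")
    return root, roles


def triangle():
    """The page's three-switch topology (constructed values): S1 root, S2 and S3
    uplink on F0/1, S2-S3 link on F0/2."""
    bridges = {"S1": bid(24576, "000A.0001.0001"),
               "S2": bid(32768, "000A.0001.0002"),
               "S3": bid(32768, "000A.0001.0003")}
    ports = [Port("S1", "F0/1", 1, "S1-S2"), Port("S2", "F0/1", 1, "S1-S2"),
             Port("S1", "F0/2", 2, "S1-S3"), Port("S3", "F0/1", 1, "S1-S3"),
             Port("S2", "F0/2", 2, "S2-S3"), Port("S3", "F0/2", 2, "S2-S3")]
    return compute_roles(bridges, ports)


def parallel_links(s1_f02_priority=128):
    """Two equal-cost links from S2 up to the root S1. With defaults S2 keeps
    F0/1 (lower port ID) and blocks F0/2. Lowering the port priority on S1's
    F0/2, the designated side whose port ID is compared first, flips that."""
    bridges = {"S1": bid(24576, "000A.0001.0001"), "S2": bid(32768, "000A.0001.0002")}
    ports = [Port("S1", "F0/1", 1, "link1"), Port("S2", "F0/1", 1, "link1"),
             Port("S1", "F0/2", 2, "link2", priority=s1_f02_priority),
             Port("S2", "F0/2", 2, "link2")]
    return compute_roles(bridges, ports)


if __name__ == "__main__":
    for label, fn in (("triangle", triangle), ("parallel", parallel_links),
                      ("parallel, S1 F0/2 priority 112", lambda: parallel_links(112))):
        root, roles = fn()
        print(label, "root:", root, roles)
```

Running the module prints the role table for each topology. The same two checks apply to a real switch: the role column of show spanning-tree lists exactly one Root port on every non-root switch, and every blocked port sits on a segment whose far end is a designated port of a switch with an equal or better path to the root.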


5.3.5 STP topology change
STP Topology Change Notification Process

A switch considers that it has detected a topology change either when a port
that was forwarding goes down (to blocking, for instance) or when a port
transitions to forwarding and the switch has at least one designated port.
When a change is detected, the switch notifies the root bridge of the spanning
tree. The root bridge then broadcasts the information into the whole network.

In normal STP operation, a switch keeps receiving configuration BPDU frames
from the root bridge on its root port. However, it never sends out a BPDU toward
the root bridge. To achieve that, a special BPDU called the topology change
notification (TCN) BPDU was introduced. When a switch needs to signal a
topology change, it starts to send TCNs on its root port. The TCN is a very simple
BPDU that contains no information and is sent out at the hello time interval. The
receiving switch is called the designated bridge and it acknowledges the TCN by
immediately sending back a normal BPDU with the topology change
acknowledgement (TCA) bit set. This exchange continues until the root bridge
responds.

For example, in the figure switch S2 experiences a topology change. It sends a
TCN to its designated bridge, which in this case is switch D1. Switch D1 receives
the TCN, acknowledges it back to switch S2 with a TCA. Switch D1 generates a
TCN, and forwards it to its designated bridge, which in this case is the root
bridge.

Click the Broadcast Notification button in the figure.

Broadcast Notification

Once the root bridge is aware that there has been a topology change event in
the network, it starts to send out its configuration BPDUs with the topology
change (TC) bit set. These BPDUs are relayed by every switch in the network
with this bit set. As a result, all switches become aware of the topology
change and reduce their MAC address table aging time to the forward delay
value (15 seconds by default), so that entries learned over the old path
expire quickly. Switches receive topology change BPDUs on both forwarding and
blocking ports.

The TC bit is set by the root for a period of max age + forward delay seconds,
which is 20 + 15 = 35 seconds by default.


5.4.1 Cisco and STP variants
Like many networking standards, the evolution of STP has been driven by the
need to create industry-wide specifications when proprietary protocols become
de facto standards. When a proprietary protocol becomes so prevalent that all
competitors in the market need to support it, agencies like the IEEE step in and
create a public specification. The evolution of STP has followed this same path, as
seen in the table.

When you read about STP on the Cisco.com site, you notice that there are many
types or variants of STP. Some of these variants are Cisco proprietary and others
are IEEE standards. You will learn more details on some of these STP variants, but
to get started you need to have a general knowledge of what the key STP
variants are. The table summarizes the following descriptions of the key Cisco
and IEEE STP variants.

Cisco Proprietary

Per-VLAN spanning tree protocol (PVST) - Maintains a spanning-tree instance for
each VLAN configured in the network. It uses the Cisco proprietary ISL trunking
protocol that allows a VLAN trunk to be forwarding for some VLANs while blocking
for other VLANs. Because PVST treats each VLAN as a separate network, it can
load balance traffic at Layer 2 by forwarding some VLANs on one trunk and other
VLANs on another trunk without causing a loop. For PVST, Cisco developed a
number of proprietary extensions to the original IEEE 802.1D STP, such as
BackboneFast, UplinkFast, and PortFast. These Cisco STP extensions are not
covered in this course. To learn more about these extensions, visit:
http://www.cisco.com/en/US/docs/switches/lan/catalyst4000/7.4/configuration/guide/stp_enha.html.

Per-VLAN spanning tree protocol plus (PVST+) - Cisco developed PVST+ to
provide support for IEEE 802.1Q trunking. PVST+ provides the same functionality
as PVST, including the Cisco proprietary STP extensions. PVST+ is not supported
on non-Cisco devices. PVST+ also includes BPDU guard, a protection feature for
PortFast ports, and root guard. To learn more about BPDU guard, visit:
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml.

To learn more about root guard, visit:
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml.

Rapid per-VLAN spanning tree protocol (rapid PVST+) - Based on the IEEE 802.1w
standard and has a faster convergence than STP (standard 802.1D). Rapid PVST+
includes Cisco-proprietary extensions such as BackboneFast, UplinkFast, and
PortFast.

IEEE Standards

Rapid spanning tree protocol (RSTP) - First introduced in 2001 as IEEE 802.1w,
an evolution of STP (the 802.1D standard). It provides faster spanning-tree
convergence after a topology change. RSTP brings the functionality of the
Cisco-proprietary STP extensions BackboneFast, UplinkFast, and PortFast into
the public standard. As of 2004, the IEEE has incorporated RSTP into 802.1D,
identifying the specification as IEEE 802.1D-2004. So when you hear STP, think
RSTP. You will learn more about RSTP later in this section.

Multiple STP (MSTP) - Enables multiple VLANs to be mapped to the same
spanning-tree instance, reducing the number of instances needed to support a
large number of VLANs. MSTP was inspired by the Cisco-proprietary Multiple
Instances STP (MISTP) and is an evolution of STP and RSTP. It was introduced in
IEEE 802.1s as an amendment to 802.1Q, 1998 edition. Standard IEEE 802.1Q-2003
now includes MSTP. MSTP provides for multiple forwarding paths for data traffic
and enables load balancing. A discussion of MSTP is beyond the scope of this
course. To learn more about MSTP, visit:
http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_19_ea1/configuration/guide/swmstp.html.


5.4.2 PVST+
PVST+

Cisco developed PVST+ so that a network can run an STP instance for each VLAN
in the network. With PVST+, more than one trunk can block for a VLAN and load
sharing can be implemented. However, implementing PVST+ means that all
switches in the network are engaged in converging the network, and the switch
ports have to accommodate the additional bandwidth used for each PVST+
instance to send its own BPDUs.

In a Cisco PVST+ environment, you can tune the spanning-tree parameters so
that half of the VLANs forward on each uplink trunk. In the figure, port F0/3 on
switch S2 is the forwarding port for VLAN 20, and F0/2 on switch S2 is the
forwarding port for VLAN 10. This is accomplished by configuring one switch to be
elected the root bridge for half of the total number of VLANs in the network, and
a second switch to be elected the root bridge for the other half of the VLANs. In
the figure, switch S3 is the root bridge for VLAN 20, and switch S1 is the root
bridge for VLAN 10. Creating different STP root switches per VLAN creates a more
redundant network.

PVST+ Bridge ID

As you recall, in the original 802.1D standard, an 8-byte BID is composed of a 2-
byte bridge priority and a 6-byte MAC address of the switch. There was no need
to identify a VLAN because there was only one spanning tree in a network. PVST+
requires that a separate instance of spanning tree run for each VLAN. To support
PVST+, the 8-byte BID field is modified to carry a VLAN ID (VID). In the figure, the
bridge priority field is reduced to 4 bits and a new 12-bit field, the extended
system ID field, contains the VID. The 6-byte MAC address remains unchanged.

The following provides more details on the PVST+ fields:

Bridge priority - A 4-bit field carries the bridge priority. Because of the
limited bit count, the priority is conveyed in discrete values in increments of
4096 rather than in increments of 1, as it would be if the full 16-bit field
was available. The default priority, in accordance with IEEE 802.1D, is 32,768,
which is the midrange value.

Extended system ID - A 12-bit field carrying the VID for PVST+.

MAC address - A 6-byte field with the MAC address of a single switch.

The MAC address is what makes a BID unique. When the priority and extended
system ID are prepended to the switch MAC address, each VLAN on the switch
can be represented by a unique BID.

Click on the PVST+ Bridge ID Example button in the figure.

In the figure, the values for priority, VLAN, and MAC address for switch S1 are
shown. They are combined to form the BID.

Caution: If no priority has been configured, every switch has the same default
priority, and the election of the root bridge for each VLAN is based on the MAC
address. Therefore, to ensure that you get the root bridge you want, it is
advisable to assign a lower priority value to the switch that should serve as the
root bridge.


The table shows the default spanning-tree configuration for a Cisco Catalyst 2960
series switch. Notice that the default spanning-tree mode is PVST+.

Configure PVST+

The topology shows three switches with 802.1Q trunks connecting them. There
are two VLANs, 10 and 20, which are being trunked across these links. This
network has not been configured for spanning tree. The goal is to configure S3 as
the root bridge for VLAN 20 and S1 as the root bridge for VLAN 10. Port F0/3 on
S2 is the forwarding port for VLAN 20 and the blocking port for VLAN 10. Port F0/2
on S2 is the forwarding port for VLAN 10 and the blocking port for VLAN 20. The
steps to configure PVST+ on this example topology are:

Step 1. Select the switches you want for the primary and secondary root bridges
for each VLAN.

Step 2. Configure the switch to be a primary bridge for one VLAN, for example
switch S3 is a primary bridge for VLAN 20.


Step 3. Configure the switch to be a secondary bridge for the other VLAN, for
example, switch S3 is a secondary bridge for VLAN 10.

Optionally, set the spanning-tree priority to be low enough on each switch so that
it is selected as the primary bridge.

Click the Primary and Secondary Root Bridges button in the figure.

Configure the Primary Root Bridges

The goal is to configure switch S3 as the primary root bridge for VLAN 20 and
configure switch S1 as the primary root bridge for VLAN 10. To configure a switch
to become the root bridge for a specified VLAN, use the spanning-tree vlan
vlan-ID root primary global configuration mode command. Recall that you are
starting with a network that has not been configured with spanning tree, so
assume that all the switches are in their default configuration. In this
example, switch S1, which has VLAN 10 and 20 enabled, retains its default STP
priority.

Configure the Secondary Root Bridges

A secondary root is a switch that may become the root bridge for a VLAN if the
primary root bridge fails. To configure a switch as the secondary root bridge, use
the spanning-tree vlan vlan-ID root secondary global configuration mode
command. Assuming the other bridges in the VLAN retain their default STP
priority, this switch becomes the root bridge if the primary root bridge fails. This
command can be executed on more than one switch to configure multiple backup
root bridges.

The graphic shows the Cisco IOS command syntax to specify switch S3 as the
primary root bridge for VLAN 20 and as the secondary root bridge for VLAN 10.
Also, switch S1 becomes the primary root bridge for VLAN 10 and the secondary
root bridge for VLAN 20. This configuration permits spanning tree load balancing,
with VLAN 10 traffic passing through switch S1 and VLAN 20 traffic passing
through switch S3.

Click the PVST+ Switch Priority button in the figure.

PVST+ Switch Priority

Earlier in this chapter you learned that the default settings used to configure
spanning tree are adequate for most networks. This is true for Cisco PVST+ as
well. There are a number of ways to tune PVST+. A discussion on how to tune a
PVST+ implementation is beyond the scope of this course. However, you can set
the switch priority for the specified spanning-tree instance. This setting affects
the likelihood that this switch is selected as the root switch. A lower value
increases the probability that the switch is selected. The range is 0 to 61440 in
increments of 4096. For example, a valid priority value is 4096x2 = 8192. All
other values are rejected.
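As an added example (this is not code from the curriculum), the following Python builds the PVST+ bridge ID from the three fields described under PVST+ Bridge ID and runs the per-VLAN root election, applying the 4096-step priority check described under PVST+ Switch Priority. The switch names, MAC addresses and the priorities applied in root_after_tuning are constructed for the example; 24576 is the value a Catalyst assigns for "root primary" when every other switch still has the default priority.

```python
DEFAULT_PRIORITY = 32768    # IEEE 802.1D default, the mid-range value
PRIORITY_STEP = 4096        # a 4-bit priority field can only express multiples of 4096
MAX_PRIORITY = 61440        # 15 * 4096
MAC_MASK = (1 << 48) - 1


def validate_priority(priority: int) -> int:
    """Accept exactly what the switch accepts: 0..61440 in steps of 4096."""
    if not 0 <= priority <= MAX_PRIORITY or priority % PRIORITY_STEP:
        raise ValueError(f"priority {priority}: must be a multiple of {PRIORITY_STEP} in 0..{MAX_PRIORITY}")
    return priority


def is_valid_priority(priority: int) -> bool:
    try:
        validate_priority(priority)
        return True
    except ValueError:
        return False


def bridge_id(priority: int, vlan: int, mac: str) -> int:
    """PVST+ BID as a 64-bit int: 4-bit priority | 12-bit extended system ID (VID) | 48-bit MAC.
    Because the priority is a multiple of 4096, its low 12 bits are free to carry the VID."""
    validate_priority(priority)
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    mac_int = int(mac.replace(".", "").replace(":", ""), 16)
    if mac_int >> 48:
        raise ValueError("MAC address must be 48 bits")
    return ((priority | vlan) << 48) | mac_int


def split_bid(bid: int):
    """Inverse of bridge_id(): (priority, extended system ID, MAC as 12 hex digits)."""
    upper = bid >> 48
    return upper & 0xF000, upper & 0x0FFF, f"{bid & MAC_MASK:012x}"


def elect_root(switches: dict, vlan: int) -> str:
    """switches: name -> {'mac': str, 'priority': {vlan: int}}; VLANs without a configured
    priority use the default. The lowest BID wins, so with equal priorities the lowest
    MAC address decides, which is the situation the Caution above warns about."""
    def bid_of(name):
        sw = switches[name]
        return bridge_id(sw["priority"].get(vlan, DEFAULT_PRIORITY), vlan, sw["mac"])
    return min(switches, key=bid_of)


# Constructed example: three switches, VLANs 10 and 20, nothing configured yet.
SWITCHES = {
    "S1": {"mac": "0019.aa11.1111", "priority": {}},
    "S2": {"mac": "0019.aa22.2222", "priority": {}},
    "S3": {"mac": "0019.aa33.3333", "priority": {}},
}


def root_with_defaults(vlan: int) -> str:
    """No priority configured anywhere: the election falls through to the MAC address."""
    return elect_root(SWITCHES, vlan)


def root_after_tuning(vlan: int) -> str:
    """S1 set to 4096 for VLAN 10 (as in the show run output) and S3 set to 24576 for
    VLAN 20 (what 'root primary' assigns on an otherwise default network)."""
    tuned = {n: {"mac": s["mac"], "priority": dict(s["priority"])} for n, s in SWITCHES.items()}
    tuned["S1"]["priority"][10] = 4096
    tuned["S3"]["priority"][20] = 24576
    return elect_root(tuned, vlan)
```

With the defaults S1 wins both VLANs purely because its constructed MAC is the lowest; after tuning, VLAN 10 stays on S1 and VLAN 20 moves to S3, which is the per-VLAN split the text sets out to achieve.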

The examples show the Cisco IOS command syntax.

Click the Verify button in the figure.


The privileged EXEC command show spanning-tree active shows spanning-tree
configuration details for the active interfaces only. The output shown is for switch
S1 configured with PVST+. There are a lot of Cisco IOS command parameters
associated with the show spanning-tree command. For a complete description,
visit:
http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_37_se/command/reference/cli2.html#wpxref47293.

Click the show run button in the figure.

You can see in the output that the priority for VLAN 10 is 4096, the lowest of the
three VLAN priorities. This priority setting ensures that this switch is the primary
root bridge for VLAN 10.


5.4.3 RSTP
What is RSTP?

RSTP (IEEE 802.1w) is an evolution of the 802.1D standard. The 802.1w STP
terminology remains primarily the same as the IEEE 802.1D STP terminology.
Most parameters have been left unchanged, so users familiar with STP can
rapidly configure the new protocol.

In the figure, a network shows an example of RSTP. Switch S1 is the root bridge
with two designated ports in a forwarding state. RSTP supports a new port type.
Port F0/3 on switch S2 is an alternate port in discarding state. Notice that there
are no blocking ports. RSTP does not have a blocking port state. RSTP defines
port states as discarding, learning, or forwarding. You will learn more about port
types and states later in the chapter.

Click the RSTP Characteristics button in the figure.

RSTP Characteristics

RSTP speeds the recalculation of the spanning tree when the Layer 2 network
topology changes. RSTP can achieve much faster convergence in a properly
configured network, sometimes in as little as a few hundred milliseconds. RSTP
redefines the type of ports and their state. If a port is configured to be an
alternate or a backup port it can immediately change to a forwarding state
without waiting for the network to converge. The following briefly describes RSTP
characteristics:

RSTP is the preferred protocol for preventing Layer 2 loops in a switched network
environment. Many of the differences were informed by Cisco-proprietary
enhancements to 802.1D. These enhancements, such as BPDUs carrying and
sending information about port roles only to neighboring switches, require no
additional configuration and generally perform better than the earlier Cisco-
proprietary versions. They are now transparent and integrated in the protocol's
operation.

Cisco-proprietary enhancements to 802.1D, such as UplinkFast and
BackboneFast, are not compatible with RSTP.

RSTP (802.1w) supersedes STP (802.1D) while retaining backward compatibility.
Much of the STP terminology remains, and most parameters are unchanged. In
addition, 802.1w is capable of reverting back to 802.1D to interoperate with
legacy switches on a per-port basis. For example, the RSTP spanning-tree
algorithm elects a root bridge in exactly the same way as 802.1D.

RSTP keeps the same BPDU format as IEEE 802.1D, except that the version field
is set to 2 to indicate RSTP, and the flags field uses all 8 bits. The RSTP BPDU is
discussed later.

RSTP is able to actively confirm that a port can safely transition to the forwarding
state without having to rely on any timer configuration.


RSTP BPDU

RSTP (802.1w) uses type 2, version 2 BPDUs, so an RSTP bridge can
communicate 802.1D on any shared link or with any switch running 802.1D. RSTP
sends BPDUs and populates the flag byte in a slightly different manner than in
802.1D:

Protocol information can be immediately aged on a port if hellos are not received
for three consecutive hello times, 6 seconds by default, or if the max age timer
expires.

Because BPDUs are used as a keepalive mechanism, three consecutively missed
BPDUs indicate lost connectivity between a bridge and its neighboring root or
designated bridge. The fast aging of the information allows failures to be
detected quickly.

Note: Like STP, an RSTP bridge sends a BPDU with its current information every
hello time period (2 seconds by default), even if the RSTP bridge does not receive
any BPDUs from the root bridge.
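As an added example (not code from the curriculum), the following Python applies the aging rule just described to a constructed BPDU reception log for one switch: RSTP ages a port's stored information after three consecutive missed hellos, while legacy 802.1D waits for max age. The port names, timestamps and the simplification that max age is measured from the last received BPDU are assumptions of the example.

```python
HELLO_TIME = 2.0        # seconds, default hello time
MAX_AGE = 20.0          # seconds, default max age
MISSED_HELLOS = 3       # RSTP ages port information after three consecutive missed hellos

# Constructed BPDU reception log: (time in seconds, receiving port).
# The neighbour on F0/2 stops sending after t = 2.0 (link or switch failure).
CONSTRUCTED_BPDU_LOG = [
    (0.0, "F0/1"), (2.0, "F0/1"), (4.0, "F0/1"), (6.0, "F0/1"), (8.0, "F0/1"),
    (0.0, "F0/2"), (2.0, "F0/2"),
]


def last_bpdu_per_port(log):
    """Most recent BPDU time per port."""
    last = {}
    for t, port in log:
        last[port] = max(t, last.get(port, t))
    return last


def info_aged(last_rx: float, now: float, rapid: bool = True,
              hello: float = HELLO_TIME, max_age: float = MAX_AGE) -> bool:
    """rapid=True: RSTP rule, information is aged once MISSED_HELLOS hello
    intervals (6 s by default) pass without a BPDU, or once max age is reached.
    rapid=False: 802.1D rule, only the max-age timer applies.
    Max age is modelled as time since the last BPDU (assumption of the example)."""
    idle = now - last_rx
    if rapid and idle >= MISSED_HELLOS * hello:
        return True
    return idle >= max_age


def aged_ports(now: float, rapid: bool = True, log=CONSTRUCTED_BPDU_LOG):
    """Ports whose neighbour information has expired at time `now`."""
    return sorted(p for p, t in last_bpdu_per_port(log).items() if info_aged(t, now, rapid))


def detection_time(port: str, rapid: bool = True, log=CONSTRUCTED_BPDU_LOG) -> float:
    """Earliest time at which the switch treats the neighbour on `port` as lost."""
    last = last_bpdu_per_port(log)[port]
    return last + (MISSED_HELLOS * HELLO_TIME if rapid else MAX_AGE)
```

On this log the silent neighbour on F0/2 is detected at t = 8.0 s under RSTP but not until t = 22.0 s under 802.1D; F0/1, which keeps receiving hellos every 2 s, is never aged under RSTP.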

RSTP uses the flag byte of version 2 BPDU as shown in the figure:

– Bits 0 and 7 are used for topology change and acknowledgment as they
are in 802.1D.
– Bits 1 and 6 are used for the Proposal Agreement process (used for rapid
convergence).
– Bits 2-5 encode the role and state of the port originating the BPDU.
– Bits 4 and 5 are used to encode the port role using a 2-bit code.

5.4.4 Edge ports
Edge Ports

An RSTP edge port is a switch port that is never intended to be connected to
another switch device. It immediately transitions to the forwarding state when
enabled. The edge port concept is well known to Cisco spanning-tree users,
because it corresponds to the PortFast feature in which all ports directly
connected to end stations anticipate that no switch device is connected to them.
The PortFast ports immediately transition to the STP forwarding state, thereby
skipping the time-consuming listening and learning stages. Neither edge ports
nor PortFast-enabled ports generate topology changes when the port transitions
to a disabled or enabled status.

Unlike PortFast, an RSTP edge port that receives a BPDU loses its edge port
status immediately and becomes a normal spanning-tree port. The Cisco RSTP
implementation maintains the PortFast keyword using the spanning-tree portfast
command for edge port configuration, therefore making an overall network
transition to RSTP more seamless. Configuring an edge port to be attached to
another switch can have negative implications for RSTP when it is in sync state
because a temporary loop can result, possibly delaying the convergence of RSTP
due to BPDU contention with loop traffic.

5.4.5 Link types
Link Types

The link type provides a categorization for each port participating in RSTP. The
link type can predetermine the active role that the port plays as it stands by
for immediate transition to forwarding state if certain conditions are met.
These conditions are different for edge ports and non-edge ports. Non-edge ports
are categorized into two link types, point-to-point and shared. The link type is
automatically determined, but can be overwritten with an explicit port
configuration.

Edge ports, the equivalent of PortFast-enabled ports, and point-to-point links
are candidates for rapid transition to a forwarding state. However, before the
link type parameter is considered, RSTP must determine the port role. You will
learn about port roles next, but for now know that:

– Root ports do not use the link type parameter. Root ports are able to make a
rapid transition to the forwarding state as soon as the port is in sync.
– Alternate and backup ports do not use the link type parameter in most cases.
– Designated ports make the most use of the link type parameter. Rapid
transition to the forwarding state for the designated port occurs only if the
link type parameter indicates a point-to-point link.

5.4.6 RSTP port state and port role
RSTP Port States

RSTP provides rapid convergence following a failure or during re-establishment
of a switch, switch port, or link. An RSTP topology change causes a transition in
the appropriate switch ports to the forwarding state through either explicit
handshakes or a proposal and agreement process and synchronization. You will
learn more about the proposal and agreement process later. With RSTP, the role
of a port is separated from the state of a port. For example, a designated port
could be in the discarding state temporarily, even though its final state is to
be forwarding. The figure shows the three possible RSTP port states: discarding,
learning, and forwarding.

Click the Descriptions button in the figure.

The table in the figure describes the characteristics of each of the three RSTP
port states. In all port states, a port accepts and processes BPDU frames.

Click the STP and RSTP Ports button in the figure.

The table in the figure compares STP and RSTP port states. Recall how the ports
in the STP blocking, listening and disabled port states do not forward any
frames. These port states have been merged into the RSTP discarding port state.

RSTP Port Roles

The port role defines the ultimate purpose of a switch port and how it handles
data frames. Port roles and port states are able to transition independently of
each other. Creating the additional port roles allows RSTP to define a standby
switch port before a failure or topology change. The alternate port moves to the
forwarding state if there is a failure on the designated port for the segment.

Roll over the port roles in the figure to learn more about each RSTP port role.

RSTP Proposal and Agreement Process

In IEEE 802.1D STP, when a port has been selected by spanning tree to become a
designated port, it must wait two times the forward delay before transitioning
the port to the forwarding state. RSTP significantly speeds up the recalculation
process after a topology change, because it converges on a link-by-link basis and
does not rely on timers expiring before ports can transition. Rapid transition to
the forwarding state can only be achieved on edge ports and point-to-point links.
In RSTP, this condition corresponds to a designated port in the discarding state.

Click the Play button in the figure to start the animation.


5.4.7 Configuring rapid PVST+

Rapid-PVST+ is a Cisco implementation of RSTP. It supports spanning tree for
each VLAN and is the rapid STP variant to use in Cisco-based networks. The
topology in the figure has two VLANs: 10 and 20. The final configuration will
implement rapid-PVST+ on switch S1, which is the root bridge.

Configuration Guidelines

It is useful to review some of the spanning tree configuration guidelines. Keep
these guidelines in mind when you implement rapid-PVST+. If you would like to
review the default spanning-tree configuration on a Cisco 2960 switch, see the
Default Switch Configuration section earlier in this chapter.

Rapid-PVST+ commands control the configuration of VLAN spanning-tree instances.
A spanning-tree instance is created when an interface is assigned to a VLAN and
is removed when the last interface is moved to another VLAN. As well, you can
configure STP switch and port parameters before a spanning-tree instance is
created. These parameters are applied when a loop is created and a spanning-tree
instance is created. Ensure that at least one switch on each loop in the VLAN is
running spanning tree; otherwise a broadcast storm can result.

The Cisco 2960 switch supports PVST+, rapid-PVST+, and MSTP, but only one
version can be active for all VLANs at any time.

Click the Configuration Commands button in the figure.

The figure shows the Cisco IOS command syntax needed to configure rapid-PVST+ on
a Cisco switch. There are other parameters that can also be configured. For
complete details on all the parameters associated with specific Cisco IOS
commands, visit:
http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_37_se/command/reference/cli3.html.

Note: When a port is configured with the clear spanning-tree detected-protocols
command and that port is connected to a port on a legacy IEEE 802.1D switch, the
Cisco IOS software restarts the protocol migration process on the entire switch.
This step is optional, though recommended as a standard practice, even if the
designated switch detects that this switch is running rapid-PVST+.

Note: If you connect a port configured with the spanning-tree link-type
point-to-point command to a remote port through a point-to-point link and the
local port becomes a designated port, the switch negotiates with the remote port
and rapidly changes the local port to the forwarding state.

Click the Example Configuration button in the figure.

The example configuration shows the rapid-PVST+ commands being enabled on switch
S1. For details on configuring the STP software features on a Cisco 2960 series
switch visit this Cisco site:
http://www.cisco.com/en/US/products/ps6406/products_configuration_guide_chapter09186a0080875377.html.

Click the Verify button in the figure.

The show spanning-tree vlan vlan-id command shows the configuration of VLAN 10
on switch S1. Notice that the BID priority is set to 4096. The BID was set using
the spanning-tree vlan vlan-id priority priority-number command.

Click the show run button in the figure.

In this example, the show running-config command has been used to verify the
rapid-PVST+ configuration on S1.


5.4.8 Design STP for trouble avoidance
Know Where the Root Is

You now know that the primary function of the STA is to break loops that
redundant links create in bridge networks. STP operates at Layer 2 of the OSI
model. STP can fail in some specific cases. Troubleshooting the problem can be
very difficult and depends on the design of the network. That is why it is
recommended that you perform the most important part of the troubleshooting
before the problem occurs.

Very often information about the location of the root is not available at
troubleshooting time. Do not leave it up to the STP to decide which bridge is
root. For each VLAN, you can usually identify which switch can best serve as
root. Generally, choose a powerful bridge in the middle of the network. If you
put the root bridge in the center of the network with a direct connection to the
servers and routers, you reduce the average distance from the clients to the
servers and routers.

The figure shows:

– If switch S1 is the root, the link from S1 to S3 is blocked on S1 or S3. In
this case, hosts that connect to switch S2 can access the server and the router
in two hops. Hosts that connect to bridge S3 can access the server and the
router in three hops. The average distance is two and one-half hops.
– If switch S2 is the root, the router and the server are reachable in two hops
for both hosts that connect on S2 and S3. The average distance is now two hops.

The logic behind this simple example transfers to more complex topologies.

Note: For each VLAN, configure the root bridge and the backup root bridge using
lower priorities.

To make it easier to solve STP problems, plan the organization of your redundant
links. In non-hierarchical networks you might need to tune the STP cost
parameter to decide which ports to block. However, this tuning is usually not
necessary if you have a hierarchical design and a root bridge in a good location.

Note: For each VLAN, know which ports should be blocking in the stable network.
Have a network diagram that clearly shows each physical loop in the network and
which blocked ports break the loops. Knowing the location of redundant links
helps you identify an accidental bridging loop and the cause. Also, knowing the
location of blocked ports allows you to determine the location of the error.

Minimize the Number of Blocked Ports

The only critical action that STP takes is the blocking of ports. A single
blocking port that mistakenly transitions to forwarding can negatively impact a
large part of the network. A good way to limit the risk inherent in the use of
STP is to reduce the number of blocked ports as much as possible.

VTP Pruning

You do not need more than two redundant links between two nodes in a switched
network. However, a configuration shown in the figure is common. Distribution
switches are dual-attached to two core switches, C1 and C2. Users on switches S1
and S2 that connect on distribution switches are only in a subset of the VLANs
available in the network. In the figure, users that connect on switch D1 are all
in VLAN 20; switch D2 only connects users in VLAN 30. By default, trunks carry
all the VLANs defined in the VTP domain. Only switch D1 receives unnecessary
broadcast and multicast traffic for VLAN 20, but it is also blocking one of its
ports for VLAN 30. There are three redundant paths between core switch C1 and
core switch C2. This redundancy results in more blocked ports and a higher
likelihood of a loop.

Note: Prune any VLAN that you do not need off your trunks.

Click the Manual Pruning button in the figure.

Manual Pruning

VTP pruning can help, but this feature is not necessary in the core of the
network. In this figure, only an access VLAN is used to connect the distribution
switches to the core. In this design, only one port is blocked per VLAN. Also,
with this design, you can remove all redundant links in just one step if you
shut down C1 or C2.
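As an added example (not code from the curriculum) for the Know Where the Root Is and Minimize the Number of Blocked Ports guidance, the following Python computes the stable spanning tree for a small constructed topology: root election by lowest BID, root ports by lowest root path cost, designated ports per segment, and everything else blocked. It then runs the computation once per VLAN, the way PVST+ does, so you can see which port blocks when the root moves. The switch names, port names, link speeds and the per-VLAN BIDs (given as plain comparable integers) are constructed; per-port priority and port-ID tiebreaks for parallel links are not modelled.

```python
import heapq

# 802.1D-1998 short path costs, the values used in this chapter's Catalyst examples
PATH_COST = {10: 100, 100: 19, 1000: 4}

# Constructed topology: a triangle of three switches, all links 100 Mb/s
CONSTRUCTED_LINKS = [
    ("S1", "F0/1", "S2", "F0/1", 100),
    ("S1", "F0/2", "S3", "F0/1", 100),
    ("S2", "F0/2", "S3", "F0/2", 100),
]


def stp_roles(bids, links):
    """bids: switch -> BID as an int (lower wins). links: (sw_a, port_a, sw_b, port_b, speed).
    Returns (root, {(switch, port): 'root' | 'designated' | 'blocked'})."""
    root = min(bids, key=bids.get)
    adj = {s: [] for s in bids}
    for a, pa, b, pb, speed in links:
        adj[a].append((b, pa, pb, PATH_COST[speed]))
        adj[b].append((a, pb, pa, PATH_COST[speed]))

    rpc = {s: float("inf") for s in bids}     # root path cost per switch
    root_port = {}                            # switch -> (port, upstream switch)
    rpc[root] = 0
    heap = [(0, bids[root], root)]
    while heap:                               # shortest paths from the root, by cost
        cost, _, s = heapq.heappop(heap)
        if cost > rpc[s]:
            continue
        for nb, _my_port, nb_port, c in adj[s]:
            cand = cost + c
            # lower cost wins; on equal cost the upstream with the lower BID is preferred
            better = cand < rpc[nb] or (
                cand == rpc[nb] and nb in root_port and bids[s] < bids[root_port[nb][1]])
            if better:
                rpc[nb] = cand
                root_port[nb] = (nb_port, s)
                heapq.heappush(heap, (cand, bids[nb], nb))

    roles = {}
    for a, pa, b, pb, _speed in links:
        # the designated end of a segment has the lower root path cost, then the lower BID
        if (rpc[a], bids[a]) < (rpc[b], bids[b]):
            des, des_port, other, other_port = a, pa, b, pb
        else:
            des, des_port, other, other_port = b, pb, a, pa
        roles[(des, des_port)] = "designated"
        is_root_port = root_port.get(other) == (other_port, des)
        roles[(other, other_port)] = "root" if is_root_port else "blocked"
    return root, roles


def blocked_ports(bids, links=CONSTRUCTED_LINKS):
    """(root switch, sorted list of (switch, port) that STP blocks)."""
    root, roles = stp_roles(bids, links)
    return root, sorted(p for p, r in roles.items() if r == "blocked")


def per_vlan_plan(vlan_bids, links=CONSTRUCTED_LINKS):
    """PVST+: an independent tree per VLAN. vlan_bids: vlan -> {switch: BID}."""
    return {vlan: blocked_ports(bids, links) for vlan, bids in vlan_bids.items()}


# Constructed per-VLAN BIDs: S1 is root for VLAN 10, S3 for VLAN 20
CONSTRUCTED_VLAN_BIDS = {
    10: {"S1": 1, "S2": 2, "S3": 3},
    20: {"S1": 2, "S2": 3, "S3": 1},
}
```

For VLAN 10 the tree blocks S3 F0/2 (the S2-S3 segment), for VLAN 20 it blocks S2 F0/1 (the S1-S2 segment): one blocked port per physical loop, in a different place per VLAN, which is the diagram the text asks you to keep for each VLAN before trouble strikes.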

Use Layer 3 Switching

Layer 3 switching means routing approximately at the speed of switching. A
router performs two main functions:

– It builds a forwarding table. The router generally exchanges information with
peers by way of routing protocols.
– It receives packets and forwards them to the correct interface based on the
destination address.

High-end Cisco Layer 3 switches are now able to perform this second function, at
the same speed as the Layer 2 switching function. In the figure:

– Core switch C1 and core switch C2 are Layer 3 switches. VLAN 20 and VLAN 30
are no longer bridged between C1 and C2, so there is no potential for a bridging
loop.
– Redundancy is still present, with a reliance on Layer 3 routing protocols. The
design ensures a convergence that is even faster than convergence with STP.
– STP no longer blocks any single port, so there is no possibility for a loop.
– Leaving the VLAN by Layer 3 switching is as fast as bridging inside the VLAN.
– There is no speed penalty with the routing hop and an additional segment
between C1 and C2.

Final Points

Keep STP Even If It Is Unnecessary

Assuming you have removed all the blocked ports from the network and do not have
any physical redundancy, it is strongly suggested that you do not disable STP.
STP is generally not very processor intensive; packet switching does not involve
the CPU in most Cisco switches. Also, the few BPDUs that are sent on each link
do not significantly reduce the available bandwidth. However, if a technician
makes a connection error on a patch panel and accidentally creates a loop, the
network will be negatively impacted. Generally, disabling STP in a switched
network is not worth the risk.

Keep Traffic off the Administrative VLAN and Do Not Have a Single VLAN Span the
Entire Network

A Cisco switch typically has a single IP address that binds to a VLAN, known as
the administrative VLAN. In this VLAN, the switch behaves like a generic IP host.
In particular, every broadcast or multicast packet is forwarded to the CPU. A
high rate of broadcast or multicast traffic on the administrative VLAN can
adversely impact the CPU and its ability to process vital BPDUs. Therefore, keep
user traffic off the administrative VLAN.

Until recently, there was no way to remove VLAN 1 from a trunk in a Cisco
implementation. VLAN 1 generally serves as an administrative VLAN, where all
switches are accessible in the same IP subnet. Though useful, this setup can be
dangerous because a bridging loop on VLAN 1 affects all trunks, which can bring
down the whole network. Of course, the same problem exists no matter which VLAN
you use. Try to segment the bridging domains using high-speed Layer 3 switches.

Note: As of Cisco IOS Software Release 12.1(11b)E, you can remove VLAN 1 from
trunks. VLAN 1 still exists, but it blocks traffic, which prevents any loop
possibility.

5.4.9 Troubleshoot STP operations
Switch or Link Failure

In the animation you see that when a port fails in a network configured with
STP, a broadcast storm may result. In the initial state of the STP failure
scenario, switch S3 has a lower BID than S2; consequently the designated port
between S3 and S2 is port F0/1 on switch S3. Switch S3 is considered to have a
"better BPDU" than switch S2.

Click the Play button in the figure to see STP fail.


Troubleshoot a Failure

Unfortunately, there is no systematic procedure to troubleshoot an STP issue.
This section summarizes some of the actions that are available to you. Most of
the steps apply to troubleshooting bridging loops in general. You can use a more
conventional approach to identify other failures of STP that lead to a loss of
connectivity. For example, you can explore the path being taken by the traffic
that is experiencing a problem.

Note: In-band access may not be available during a bridging loop. For example,
during a broadcast storm you may not be able to Telnet to the infrastructure
devices. Therefore, out-of-band connectivity, such as console access, may be
required.

Before you troubleshoot a bridging loop, you need to know at least these items:
– Topology of the bridge network
– Location of the root bridge
– Location of the blocked ports and the redundant links

This knowledge is essential. To know what to fix in the network, you need to
know how the network looks when it works correctly. Knowledge of the network
helps you focus on the critical ports on the key devices. Most of the
troubleshooting steps simply use show commands to try to identify error
conditions.

To learn about other STP issues, visit:
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800951ac.shtml.

The rest of this topic briefly looks at two common spanning tree problems, a
PortFast configuration error and network diameter issues.

PortFast Configuration Error

You typically enable PortFast only for a port or interface that connects to a
host. When the link comes up on this port, the bridge skips the first stages of
the STA and directly transitions to the forwarding mode.

Caution: Do not use PortFast on switch ports or interfaces that connect to other
switches, hubs, or routers. Otherwise, you may create a network loop.

In this example, port F0/1 on switch S1 is already forwarding. Port F0/2 has
erroneously been configured with the PortFast feature. Therefore, when a second
connection from switch S2 is connected to F0/2 on S1, the port automatically
transitions to forwarding mode and creates a loop.

Eventually, one of the switches will forward a BPDU and one of these switches
will transition a port into blocking mode. However, there is a problem with this
kind of transient loop. If the looped traffic is very intensive, the switch can
have trouble successfully transmitting the BPDU that stops the loop. This
problem can delay the convergence considerably or in some extreme cases can
actually bring down the network.

Even with a PortFast configuration, the port or interface still participates in
STP. If a switch with a lower bridge priority than that of the current active
root bridge attaches to a PortFast-configured port or interface, it can be
elected as the root bridge. This change of root bridge can adversely affect the
active STP topology and can render the network suboptimal. To prevent this
situation, most Catalyst switches that run Cisco IOS software have a feature
called BPDU guard. BPDU guard disables a PortFast-configured port or interface
if the port or interface receives a BPDU.

For more information on using PortFast on switches that run Cisco IOS software,
refer to the document "Using PortFast and Other Commands to Fix Workstation
Startup Connectivity Delays," available at:
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00800b1500.shtml.

For more information on using the BPDU guard feature on switches that run Cisco
IOS software, visit:
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a008009482f.shtml.

Network Diameter Issues

Another issue that is not well known relates to the diameter of the switched
network. The conservative default values for the STP timers impose a maximum
network diameter of seven. The maximum network diameter restricts how far away
switches in the network can be from each other. In this case, two distinct
switches cannot be more than seven hops away. Part of this restriction comes
from the age field that BPDUs carry. When a BPDU propagates from the root bridge
toward the leaves of the tree, the age field increments each time the BPDU goes
through a switch. Eventually, the switch discards the BPDU when the age field
goes beyond maximum age. If the root is too far away from some switches of the
network, BPDUs will be dropped. This issue affects convergence of the spanning
tree.

Take special care if you plan to change STP timers from the default value. There
is danger if you try to get faster convergence in this way. An STP timer change
has an impact on the diameter of the network and the stability of the STP. You
can change the switch priority to select the root bridge, and change the port
cost or priority parameter to control redundancy and load balancing. In the
figure this design creates a network diameter of eight.

5.5.1 Chapter summary

Implementing redundancy in a hierarchical network introduces physical loops that
result in Layer 2 issues which impact network availability. To prevent problems
resulting from physical loops introduced to enhance redundancy, the
spanning-tree protocol was developed. The spanning-tree protocol uses the
spanning-tree algorithm to compute a loop-free logical topology for a broadcast
domain. The determination of the spanning-tree topology is constructed in terms
of the distance from the root bridge. The distance is determined by the exchange
of BPDUs and spanning-tree algorithm. In the process, port roles are determined:
designated ports, non-designated ports, and root ports. The spanning-tree
process uses different port states and timers to logically prevent loops by
constructing a loop-free topology.

Using the original IEEE 802.1D spanning-tree protocol involves a convergence
time of up to 50 seconds. This time delay is unacceptable in modern switched
networks, so the IEEE 802.1w rapid spanning-tree protocol was developed. RSTP
reduces convergence time to approximately 6 seconds or less. We discussed
point-to-point and shared link types with RSTP, as well as edge ports. We also
discussed the new concepts of alternate ports and backup ports used with RSTP.

The per-VLAN Cisco implementation of IEEE 802.1D is called PVST+ and the
per-VLAN Cisco implementation of rapid spanning-tree protocol is rapid PVST+.
Rapid PVST+ is the preferred spanning-tree protocol implementation used in a
switched network running Cisco Catalyst switches.


6.0.0 Inter VLAN-routing
6.1 Introduction

In the previous chapters of this course, we discussed how you can use VLANs and
trunks to segment a network. Limiting the scope of each broadcast domain on the
LAN through VLAN segmentation provides better performance and security across
the network. You also learned how VTP is used to share the VLAN information
across multiple switches in a LAN environment to simplify management of VLANs.
Now that you have a network with many different VLANs, the next question is,
"How do we permit devices on separate VLANs to communicate?"

In this chapter, you will learn about inter-VLAN routing and how it is used to
permit devices on separate VLANs to communicate. You will learn different
methods for accomplishing inter-VLAN routing, and the advantages and
disadvantages of each. You will also learn how different router interface
configurations facilitate inter-VLAN routing. Finally, you will explore the
potential issues faced when implementing inter-VLAN routing, and how to identify
and correct them.

Traditionally, LAN routing has used routers with multiple physical interfaces.
Each interface needed to be connected to a separate network and configured for a
different subnet.

In a traditional network that uses multiple VLANs to segment the network traffic
into logical broadcast domains, routing is performed by connecting different
physical router interfaces to different physical switch ports. The switch ports
connect to the router in access mode; in access mode, different static VLANs are
assigned to each port interface. Each switch interface would be assigned to a
different static VLAN. Each router interface can then accept traffic from the
VLAN associated with the switch interface that it is connected to, and traffic
can be routed to the other VLANs connected to the other interfaces.

Click the Play button in the figure to view traditional inter-VLAN routing.

As you can see in the animation:

1. PC1 on VLAN10 is communicating with PC3 on VLAN30 through router R1.
2. PC1 and PC3 are on different VLANs and have IP addresses on different
subnets.
3. Router R1 has a separate interface configured for each of the VLANs.
4. PC1 sends unicast traffic destined for PC3 to switch S2 on VLAN10, where it
is then forwarded out the trunk interface to switch S1.
5. Switch S1 then forwards the unicast traffic to router R1 on interface F0/0.
6. The router routes the unicast traffic through to its interface F0/1, which is
connected to VLAN30.
7. The router forwards the unicast traffic to switch S1 on VLAN 30.
8. Switch S1 then forwards the unicast traffic to switch S2 through the trunk
link, after which switch S2 can then forward the unicast traffic to PC3 on
VLAN30.

In this example, the router was configured with two separate physical interfaces
to interact with the different VLANs and perform the routing.


Traditional inter-VLAN routing requires multiple physical interfaces on both the router and the switch. However, not all inter-VLAN routing configurations require multiple physical interfaces. Some router software permits configuring router interfaces as trunk links. This opens up new possibilities for inter-VLAN routing. "Router-on-a-stick" is a type of router configuration in which a single physical interface routes traffic between multiple VLANs on a network. As you can see in the figure, the router is connected to switch S1 using a single, physical network connection. The router interface is configured to operate as a trunk link and is connected to a switch port configured in trunk mode. The router performs the inter-VLAN routing by accepting VLAN tagged traffic on the trunk interface coming from the adjacent switch and internally routing between the VLANs using subinterfaces. The router then forwards the routed traffic, VLAN tagged for the destination VLAN, out the same physical interface.

Subinterfaces are multiple virtual interfaces associated with one physical interface. These subinterfaces are configured in software on the router, and each is independently configured with an IP address and VLAN assignment to operate on a specific VLAN. Subinterfaces are configured for different subnets corresponding to their VLAN assignment to facilitate logical routing before the data frames are VLAN tagged and sent back out the physical interface. You will learn more about interfaces and subinterfaces in the next topic.

Click the Play button in the figure to view how a router-on-a-stick performs its routing function. As you can see in the animation:

1. PC1 on VLAN10 is communicating with PC3 on VLAN30 through router R1 using a single, physical router interface.
2. PC1 sends its unicast traffic to switch S2.
3. Switch S2 then tags the unicast traffic as originating on VLAN10 and forwards the unicast traffic out its trunk link to switch S1.
4. Switch S1 forwards the tagged traffic out the other trunk interface on port F0/5 to the interface on router R1.
5. Router R1 accepts the tagged unicast traffic on VLAN10 and routes it to VLAN30 using its configured subinterfaces.
6. The unicast traffic is tagged with VLAN30 as it is sent out the router interface to switch S1.
7. Switch S1 forwards the tagged unicast traffic out the other trunk link to switch S2.
8. Switch S2 removes the VLAN tag of the unicast frame and forwards the frame out to PC3 on port F0/6.


Some switches can perform Layer 3 functions, replacing the need for dedicated routers to perform basic routing on a network. Multilayer switches are capable of performing inter-VLAN routing. Click the Play button in the figure to see how switch-based inter-VLAN routing occurs. As you can see in the animation:

1. PC1 on VLAN10 is communicating with PC3 on VLAN30 through switch S1 using VLAN interfaces configured for each VLAN.
2. PC1 sends its unicast traffic to switch S2.
3. Switch S2 tags the unicast traffic as originating on VLAN10 as it forwards the unicast traffic out its trunk link to switch S1.
4. Switch S1 removes the VLAN tag and forwards the unicast traffic to the VLAN10 interface.
5. Switch S1 routes the unicast traffic to its VLAN30 interface.
6. Switch S1 then retags the unicast traffic with VLAN30 and forwards it out the trunk link back to switch S2.
7. Switch S2 removes the VLAN tag of the unicast frame and forwards the frame out to PC3 on port F0/6.

To enable a multilayer switch to perform routing functions, VLAN interfaces on the switch need to be configured with the appropriate IP addresses that match the subnet that the VLAN is associated with on the network. The multilayer switch also must have IP routing enabled. Configuring inter-VLAN routing on a multilayer switch is beyond the scope of this course. Multilayer switching is complex and beyond the scope of this course. However, the CCNP curriculum covers the concept comprehensively. For a good overview of multilayer switching, visit: http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008019e74e.shtml. Also, to explore additional information, visit: http://cisco.com/en/US/docs/ios/12_0/switch/configuration/guide/xcmls.html.


6.1.2 Interfaces and subinterfaces

As we discussed, there are various inter-VLAN routing options to choose from. Each uses a different router configuration to accomplish the task of routing between VLANs. In this topic, we will look at how each type of router interface configuration routes between VLANs, and the advantages and disadvantages. We will begin by reviewing the traditional model.

Using the Router as a Gateway

Traditional routing requires routers to have multiple physical interfaces to facilitate inter-VLAN routing. The router accomplishes the routing by having each of its physical interfaces connected to a unique VLAN. Each interface is also configured with an IP address for the subnet associated with the particular VLAN that it is connected to. By configuring the IP addresses on the physical interfaces, network devices connected to each of the VLANs can communicate with the router using the physical interface connected to the same VLAN. In this configuration, network devices can use the router as a gateway to access the devices connected to the other VLANs.

The routing process requires the source device to determine if the destination device is local or remote to the local subnet. The source device accomplishes this by comparing the source and destination addresses against the subnet mask. Once the destination address has been determined to be on a remote network, the source device has to identify where it needs to forward the packet to reach the destination device. The source device examines the local routing table to determine where it needs to send the data. Typically, devices use their default gateway as the destination for all traffic that needs to leave the local subnet. The default gateway is the route that the device uses when it has no other explicitly defined route to the destination network. The router interface on the local subnet acts as the default gateway for the sending device.

Once the source device has determined that the packet must travel through the local router interface on the connected VLAN, the source device sends out an ARP request to determine the MAC address of the local router interface. Once the router sends its ARP reply back to the source device, the source device can use the MAC address to finish framing the packet before it sends it out on the network as unicast traffic.

Since the Ethernet frame has the destination MAC address of the router interface, the switch knows exactly which switch port to forward the unicast traffic out of to reach the router interface on that VLAN. When the frame arrives at the router, the router removes the source and destination MAC address information to examine the destination IP address of the packet. The router compares the destination address to entries in its routing table to determine where it needs to forward the data to reach its final destination. If the router determines that the destination network is a locally connected network, as would be the case in inter-VLAN routing, the router sends an ARP request out the interface physically connected to the destination VLAN. The destination device responds back to the router with its MAC address, which the router then uses to frame the packet. The router then sends the unicast traffic to the switch, which forwards it out the port where the destination device is connected.

Click the Play button in the figure to view how traditional routing is accomplished. Even though there are many steps in the process of inter-VLAN routing when two devices on different VLANs communicate through a router, the entire process happens in a fraction of a second.
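The forwarding decisions just described, as an added example (this is not code from the Cisco curriculum): the host's local-versus-remote test against its subnet mask, the router's longest-prefix lookup against a table of connected ("C") routes, and the ARP step on the interface facing the destination VLAN. The subnets and interface names follow this chapter's topology (172.17.10.0/24 on F0/0, 172.17.30.0/24 on F0/1); the host addresses and MAC addresses are constructed.

```python
"""Added example (not from the Cisco curriculum): the inter-VLAN forwarding
decisions of a host and a traditional router, modelled in Python. Subnets and
interface names follow the chapter's topology; host addresses and MAC addresses
are constructed."""
from ipaddress import IPv4Address, IPv4Network, ip_interface

# Router R1's routing table as show ip route lists it: "C" marks a directly
# connected network, reached out of the named interface.
ROUTING_TABLE = [
    ("C", IPv4Network("172.17.10.0/24"), "FastEthernet0/0"),
    ("C", IPv4Network("172.17.30.0/24"), "FastEthernet0/1"),
]

# Constructed ARP results: the MAC the router learns when it ARPs out the
# interface physically connected to the destination VLAN.
ARP_BY_INTERFACE = {
    "FastEthernet0/0": {"172.17.10.10": "00:00:0c:10:00:10"},
    "FastEthernet0/1": {"172.17.30.10": "00:00:0c:30:00:10"},
}


def host_next_hop(host_cidr, default_gateway, dest_ip):
    """The sending host compares source and destination against its subnet
    mask. It ARPs for the destination itself when local, otherwise for the
    default gateway (the router interface on its own VLAN)."""
    host = ip_interface(host_cidr)
    dest = IPv4Address(dest_ip)
    if dest in host.network:
        return ("local", str(dest))
    return ("remote", default_gateway)


def router_lookup(dest_ip, table=ROUTING_TABLE):
    """Longest-prefix match against the routing table.
    Returns (interface, is_connected) or None when no route exists."""
    dest = IPv4Address(dest_ip)
    best = None
    for code, prefix, iface in table:
        if dest in prefix and (best is None or prefix.prefixlen > best[1].prefixlen):
            best = (code, prefix, iface)
    if best is None:
        return None
    return best[2], best[0] == "C"


def router_forward(dest_ip, table=ROUTING_TABLE, arp=ARP_BY_INTERFACE):
    """Route a packet and resolve the destination MAC on the exit interface.
    Returns (out_interface, dst_mac), or None if the packet is dropped (no
    route, or the host on the connected VLAN does not answer ARP)."""
    route = router_lookup(dest_ip, table)
    if route is None:
        return None
    iface, connected = route
    if not connected:
        return None  # next-hop routers are outside this chapter's topology
    dst_mac = arp.get(iface, {}).get(dest_ip)
    if dst_mac is None:
        return None
    return iface, dst_mac


def inter_vlan_path(host_cidr, default_gateway, dest_ip):
    """Whole walk for a PC1 -> PC3 packet: which address the host frames the
    packet for, then which router interface and MAC the router uses."""
    scope, first_hop = host_next_hop(host_cidr, default_gateway, dest_ip)
    if scope == "local":
        return {"scope": scope, "frames_to": first_hop}
    hop = router_forward(dest_ip)
    return {"scope": scope, "frames_to": first_hop,
            "router_out": None if hop is None else hop[0],
            "dst_mac": None if hop is None else hop[1]}


if __name__ == "__main__":
    print(inter_vlan_path("172.17.10.10/24", "172.17.10.1", "172.17.30.10"))
```

A destination with no matching route, or a destination host that never answers the router's ARP, ends the walk with `None`; that is the same place a real router discards the packet, and the first thing to check when a ping across VLANs fails.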


Interface Configuration

Click the Interface Configuration button in the figure to see an example of router interfaces being configured. Router interfaces are configured similarly to configuring VLAN interfaces on switches. In global configuration mode, switch to interface configuration mode for the specific interface you want to configure. As you see in the example, interface F0/0 is configured with IP address 172.17.10.1 and subnet mask 255.255.255.0 using the ip address 172.17.10.1 255.255.255.0 command. To enable a router interface, the no shutdown command needs to be entered for the interface. Notice also that interface F0/1 has been configured. After both IP addresses are assigned to each of the physical interfaces, the router is capable of performing routing.

Routing Table

Click the Routing Table button in the figure to see an example of a routing table on a Cisco router. As you can see in the example, the routing table has two entries, one for network 172.17.10.0 and the other for network 172.17.30.0. Notice the letter C to the left of each route entry. This letter indicates that the route is local for a connected interface, which is also identified in the route entry. Using the output in this example, if traffic was destined for the 172.17.30.0 subnet, the router would forward the traffic out interface F0/1.

Traditional inter-VLAN routing using physical interfaces does have a limitation. Routers have a limited number of physical interfaces that they can use to connect to different VLANs. As the number of VLANs increases on a network, the physical approach of having one router interface per VLAN quickly becomes hindered by the physical hardware limitations of a router. Large networks with many VLANs must use VLAN trunking to assign multiple VLANs to a single router interface to work within the hardware constraints of dedicated routers.

To overcome the hardware limitations of inter-VLAN routing based on router physical interfaces, virtual subinterfaces and trunk links are used, as in the router-on-a-stick example described earlier. Subinterfaces are software-based virtual interfaces that are assigned to physical interfaces. Each subinterface is configured with its own IP address, subnet mask, and unique VLAN assignment, allowing a single physical interface to simultaneously be part of multiple logical networks. This is useful when performing inter-VLAN routing on networks with multiple VLANs and few router physical interfaces. Functionally, the router-on-a-stick model for inter-VLAN routing is the same as using the traditional routing model, but instead of using the physical interfaces to perform the routing, subinterfaces of a single interface are used.

When configuring inter-VLAN routing using the router-on-a-stick model, the physical interface of the router must be connected to a trunk link on the adjacent switch. Subinterfaces are created for each unique VLAN/subnet on the network. Each subinterface is assigned an IP address specific to the subnet that it will be part of and configured to VLAN tag frames for the VLAN that the interface is to interact with. That way, the router can keep the traffic from each subinterface separated as it traverses the trunk link back to the switch.

Let's explore an example. In the figure, PC1 wants to communicate with PC3. PC1 is on VLAN10, and PC3 is on VLAN30. For PC1 to communicate with PC3, PC1 needs to have its data routed through router R1 using configured subinterfaces. Click the Play button in the figure to see how subinterfaces are used to route between VLANs.


Subinterface Configuration

Configuring router subinterfaces is similar to configuring physical interfaces, except that you need to create the subinterface and assign it to a VLAN. In the example, create the router subinterface by entering the interface f0/0.10 command in global configuration mode. The syntax for the subinterface is always the physical interface, in this case f0/0, followed by a period and a subinterface number. The subinterface number is configurable, but it is typically associated to reflect the VLAN number. In the example, the subinterfaces use 10 and 30 as subinterface numbers to make it easier to remember which VLANs they are associated with. The physical interface is specified because there could be multiple interfaces in the router, each of which could be configured to support many subinterfaces.

Before assigning an IP address to a subinterface, the subinterface needs to be configured to operate on a specific VLAN using the encapsulation dot1q vlan id command. In the example, subinterface Fa0/0.10 is assigned to VLAN10. After the VLAN has been assigned, the ip address 172.17.10.1 255.255.255.0 command assigns the subinterface to the appropriate IP address for that VLAN. Unlike a typical physical interface, subinterfaces are not enabled with the no shutdown command at the subinterface configuration mode level of the Cisco IOS software. Instead, when the physical interface is enabled with the no shutdown command, all the configured subinterfaces are enabled. Likewise, if the physical interface is disabled, all subinterfaces are disabled.

Router Table Output

Click the Routing Table button in the figure to see an example of a routing table when subinterfaces are configured. As you see in the figure, the routes defined in the routing table indicate that they are associated with specific subinterfaces, rather than separate physical interfaces.

As we just discussed, both physical interfaces and subinterfaces are used to perform inter-VLAN routing. There are advantages and disadvantages to each method.

Port Limits

Physical interfaces are configured to have one interface per VLAN on the network. On networks with many VLANs, using a single router to perform inter-VLAN routing is not possible. Routers have physical limitations that prevent them from containing large numbers of physical interfaces. Instead, you could use multiple routers to perform inter-VLAN routing for all VLANs if avoiding the use of subinterfaces is a priority. Subinterfaces allow a router to scale to accommodate more VLANs than the physical interfaces permit. Inter-VLAN routing in large environments with many VLANs can usually be better accommodated by using a single physical interface with many subinterfaces. One advantage of using a trunk link is that the number of router and switch ports used are reduced. Not only can this save money, it can also reduce configuration complexity. Consequently, the router subinterface approach can scale to a much larger number of VLANs than a configuration with one physical interface per VLAN design.

Performance

Because there is no contention for bandwidth on separate physical interfaces, physical interfaces have better performance when compared to using subinterfaces. Traffic from each connected VLAN has access to the full bandwidth of the physical router interface connected to that VLAN for inter-VLAN routing. When subinterfaces are used for inter-VLAN routing, the traffic being routed competes for bandwidth on the single physical interface. On a busy network, this could cause a bottleneck for communication. To balance the traffic load on a physical interface, subinterfaces are configured on multiple physical interfaces, resulting in less contention between VLAN traffic.

Access Ports and Trunk Ports

Connecting physical interfaces for inter-VLAN routing requires that the switch ports be configured as access ports. Subinterfaces require the switch port to be configured as a trunk port so that it can accept VLAN tagged traffic on the trunk link. Using subinterfaces, many VLANs can be routed over a single trunk link rather than a single physical interface for each VLAN.

Cost

Financially, it is more cost-effective to use subinterfaces over separate physical interfaces. Routers that have many physical interfaces cost more than routers with a single interface. Additionally, if you have a router with many physical interfaces, each interface is connected to a separate switch port, consuming extra switch ports on the network. Switch ports are an expensive resource on high performance switches. By consuming additional ports for inter-VLAN routing functions, both the switch and the router drive up the overall cost of the inter-VLAN routing solution.

Complexity

Using subinterfaces for inter-VLAN routing results in a less complex physical configuration than using separate physical interfaces, because there are fewer physical network cables interconnecting the router to the switch. With fewer cables, there is less confusion about where the cable is connected on the switch. Because the VLANs are being trunked over a single link, it is easier to troubleshoot the physical connections. On the other hand, using subinterfaces with a trunk port results in a more complex software configuration, which can be difficult to troubleshoot. In the router-on-a-stick model, only a single interface is used to accommodate all the different VLANs. If one VLAN is having trouble routing to other VLANs, you cannot simply trace the cable to see if the cable is plugged into the correct port. You need to check to see if the switch port is configured to be a trunk and verify that the VLAN is not being filtered on any of the trunk links before it reaches the router interface. You also need to check that the router subinterface is configured to use the correct VLAN ID and IP address for the subnet associated with that VLAN.

6.2.1 Inter VLAN-routing

In this topic, you will learn how to configure a Cisco IOS router for inter-VLAN routing, as well as review the commands needed to configure a switch to support inter-VLAN routing. Before configuring the router, configure the switch that it will be connected to. Click the Switch Configuration button in the figure to see the example switch configuration. As you see in the figure, Router R1 is connected to switch ports F0/4 and F0/5, which have been configured for VLANs 10 and 30, respectively.

To review, VLANs are created in global configuration mode using the vlan vlan id command. In this example, VLANs 10 and 30 were created on switch S1. After the VLANs have been created, they are assigned to the switch ports that the router will be connecting to. To accomplish this task, the switchport access vlan vlan id command is executed from interface configuration mode on the switch for each interface that the router will connect to. In this example, interfaces F0/4 and F0/11 have been configured on VLAN 10 using the switchport access vlan 10 command. The same process is used to assign VLAN 30 to interfaces F0/5 and F0/6 on switch S1. Finally, to protect the configuration so that it is not lost after a reload of the switch, the copy running-config startup-config command is executed in privileged EXEC mode to back up the running configuration to the startup configuration. As a result, the router can be configured to perform the inter-VLAN routing.

Click the Router Interface Configuration button in the figure to see the example router configuration. Router interfaces are disabled by default and need to be enabled using the no shutdown command before they are used. You will also notice that after the no shutdown interface configuration mode command has been executed, a notification is displayed indicating that the interface state has changed to up. This indicates that the interface is now enabled. Next, each interface is configured with an IP address using the ip address ip_address subnet_mask command in interface configuration mode. In this example, interface F0/0 has been assigned the IP address of 172.17.10.1 using the ip address 172.17.10.1 255.255.255.0 command. Each router interface needs to be assigned to a unique subnet for routing to occur. In this example, the other router interface, F0/1, has been configured to use IP address 172.17.30.1, which is on a different subnet than interface F0/0. The process is repeated for all router interfaces.

By default, Cisco routers are configured to route traffic between the local interfaces. As a result, routing does not specifically need to be enabled. However, if multiple routers are being configured to perform inter-VLAN routing, you may want to enable a dynamic routing protocol to simplify routing table management. If you have not taken the course CCNA Exploration: Routing Protocols and Concepts, you can learn more at this Cisco site: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca760.html.

Routing Table

Now examine the routing table using the show ip route privileged EXEC mode command. In the example, there are two routes in the routing table. One route is to the 172.17.10.0 subnet, which is attached to the local interface F0/0. The other route is to the 172.17.30.0 subnet, which is attached to the local interface F0/1. The router uses this routing table to determine where to send the traffic it receives. For example, if the router receives a packet on interface F0/0 destined for the 172.17.30.0 subnet, the router would identify that it should send the packet out interface F0/1 to reach hosts on the 172.17.30.0 subnet.

Verify Router Configuration

Click the Verify Router Configuration button in the figure to see an example router configuration. To verify the router configuration, use the show running-config privileged EXEC mode command. This command displays the current operating configuration of the router. You can see which IP addresses have been configured for each of the router interfaces. In this example, notice that interface F0/0 is configured correctly with the 172.17.10.1 IP address. Also, notice the absence of the shutdown command below the F0/0 interface. The absence of the shutdown command confirms that the no shutdown command has been issued and that the interface is enabled. You can get more detailed information about the router interfaces, such as diagnostic information, status, MAC address, and transmit or receive errors, as well as the operational status of the interface, using the show interface command in privileged EXEC mode.

6.2.2 Configure router on a stick inter VLAN routing

Before configuring the router, configure the switch that it will be connected to. Click the Switch Configuration button in the figure to see the example switch configuration. As you see in the figure, Router R1 is connected to switch S1 on trunk port F0/5. VLANs 10 and 30 have also been added to switch S1. To review, VLANs are created in global configuration mode using the vlan vlan id command. In this example, VLANs 10 and 30 were created on switch S1 using the vlan 10 and vlan 30 commands. Because switch port F0/5 will be configured as a trunk port, you do not have to assign any VLANs to the port. To configure switch port F0/5 as a trunk port, execute the switchport mode trunk command in interface configuration mode on the F0/5 interface. You cannot use the switchport mode dynamic auto or switchport mode dynamic desirable commands because the router does not support dynamic trunking protocol. Finally, to protect the configuration so that it is not lost after a reload of the switch, the copy running-config startup-config command is executed in privileged EXEC mode to back up the running configuration to the startup configuration.

Router Configuration

Next, the router can be configured to perform the inter-VLAN routing. Click the Router Configuration button in the figure to see the example router configuration.

As you see in the figure, the configuration of multiple subinterfaces is different than when physical interfaces are used. Each subinterface is created using the interface interface_id.subinterface_id global configuration mode command. In this example, the subinterface Fa0/0.10 is created using the interface fa0/0.10 global configuration mode command. Next, the VLAN ID is assigned using the encapsulation dot1q vlan_id subinterface configuration mode command. After the subinterface has been created, assign the IP address for the subinterface using the ip address ip_address subnet_mask subinterface configuration mode command. In this example, subinterface F0/0.10 is assigned the IP address 172.17.10.1 using the ip address 172.17.10.1 255.255.255.0 command. Each router subinterface needs to be assigned an IP address on a unique subnet for routing to occur. In this example, the other router subinterface, F0/0.30, is configured to use IP address 172.17.30.1, which is on a different subnet from subinterface F0/0.10. This process is repeated for all the router subinterfaces that are needed to route between the VLANs configured on the network.

Once all subinterfaces have been configured on the router physical interface, the physical interface is enabled. In this example, interface F0/0 has the no shutdown command executed to enable the interface, which enables all of the configured subinterfaces. You do not need to execute a no shutdown command at the subinterface level because it does not enable the physical interface. By default, Cisco routers are configured to route traffic between the local subinterfaces. As a result, routing does not specifically need to be enabled.

Routing Table

Next, examine the routing table using the show ip route command from privileged EXEC mode. In the example, there are two routes in the routing table. One route is to the 172.17.10.0 subnet, which is attached to the local subinterface F0/0.10. The other route is to the 172.17.30.0 subnet, which is attached to the local subinterface F0/0.30. The router uses this routing table to determine where to send the traffic it receives. For example, if the router received a packet on subinterface F0/0.10 destined for the 172.17.30.0 subnet, the router would identify that it should send the packet out subinterface F0/0.30 to reach hosts on the 172.17.30.0 subnet.

Verify Router Configuration

Click the Verify Router Configuration button in the figure to see an example router configuration. To verify the router configuration, use the show running-config command in privileged EXEC mode. The show running-config command displays the current operating configuration of the router. Notice which IP addresses have been configured for each router subinterface, as well as whether the physical interface has been left disabled or enabled using the no shutdown command. In this example, notice that interface F0/0.10 has been configured correctly with the 172.17.10.1 IP address. Also, notice the absence of the shutdown command below the F0/0 interface. The absence of the shutdown command confirms that the no shutdown command has been issued and the interface is enabled. You can get more detailed information about the router interfaces, such as diagnostic information, status, MAC address, and transmit or receive errors, using the show interface command in privileged EXEC mode.
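The router-on-a-stick behaviour that the subinterface animation, the subinterface configuration and the routing table above describe, as an added example (not code from the Cisco curriculum): a tagged frame arrives on the trunk, the VLAN ID in the 802.1Q tag selects the ingress subinterface, the destination subnet selects the egress subinterface, and the frame leaves the same physical interface re-tagged for the destination VLAN. Subinterface names, VLAN IDs and subnets are the chapter's (Fa0/0.10 = VLAN10 172.17.10.1/24, Fa0/0.30 = VLAN30 172.17.30.1/24); the MAC addresses, host addresses and frame bytes are constructed, and the source-subnet check is an extra sanity check the chapter does not mention.

```python
"""Added example (not from the Cisco curriculum): router-on-a-stick forwarding
over 802.1Q-tagged frames, modelled in Python. Subinterface names, VLAN IDs and
subnets match the chapter; MAC addresses, host addresses and frames are constructed."""
import struct
from ipaddress import IPv4Address, ip_interface

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

ROUTER_MAC = bytes.fromhex("0000aa000001")  # constructed MAC of R1's F0/0
PC1_MAC = bytes.fromhex("0000cc000010")     # constructed
PC3_MAC = bytes.fromhex("0000cc000030")     # constructed

# One entry per "encapsulation dot1q <vlan>" + "ip address" pair on the router.
SUBINTERFACES = {
    10: ("FastEthernet0/0.10", ip_interface("172.17.10.1/24")),
    30: ("FastEthernet0/0.30", ip_interface("172.17.30.1/24")),
}
# Constructed ARP cache per VLAN: what R1 learns by ARPing out a subinterface.
ARP_CACHE = {30: {"172.17.30.10": PC3_MAC}}


def build_tagged_frame(dst_mac, src_mac, vlan, src_ip, dst_ip, ttl=64):
    """Ethernet II header + 802.1Q tag (PCP 0, DEI 0, VID) + minimal IPv4
    header. The IPv4 checksum is left at zero; this model never validates it."""
    tci = vlan & 0x0FFF
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 1, 0,
                         IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return dst_mac + src_mac + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + ip_hdr


def parse_tagged_frame(frame):
    """Return (dst_mac, src_mac, vlan, ethertype, ttl, src_ip, dst_ip)."""
    tpid, tci, etype = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_8021Q:
        raise ValueError("untagged frame arrived on the trunk")
    ip_hdr = frame[18:38]
    return (frame[0:6], frame[6:12], tci & 0x0FFF, etype, ip_hdr[8],
            IPv4Address(ip_hdr[12:16]), IPv4Address(ip_hdr[16:20]))


def route_on_a_stick(frame):
    """Accept a tagged frame on the trunk, pick the ingress subinterface by
    VLAN, route by destination subnet, and return (out_vlan, out_subinterface,
    new_frame) re-tagged for the destination VLAN. A dropped frame returns
    (None, reason, None)."""
    dst_mac, src_mac, vlan, etype, ttl, src_ip, dst_ip = parse_tagged_frame(frame)
    if dst_mac != ROUTER_MAC or etype != ETHERTYPE_IPV4:
        return None, "not an IPv4 packet addressed to the router", None
    if vlan not in SUBINTERFACES:
        return None, f"no subinterface for VLAN {vlan}", None
    in_name, in_addr = SUBINTERFACES[vlan]
    # Extra check, not in the chapter: a source address outside the ingress
    # VLAN's subnet cannot be a legitimate host on that VLAN.
    if src_ip not in in_addr.network:
        return None, f"source {src_ip} is not in {in_addr.network} on {in_name}", None
    if ttl <= 1:
        return None, "TTL expired in transit", None
    for out_vlan, (out_name, out_addr) in SUBINTERFACES.items():
        if dst_ip in out_addr.network:
            next_mac = ARP_CACHE.get(out_vlan, {}).get(str(dst_ip))
            if next_mac is None:
                return None, f"{dst_ip} did not answer ARP on {out_name}", None
            new_frame = build_tagged_frame(next_mac, ROUTER_MAC, out_vlan,
                                           str(src_ip), str(dst_ip), ttl - 1)
            return out_vlan, out_name, new_frame
    return None, f"no route to {dst_ip}", None


if __name__ == "__main__":
    pc1_to_pc3 = build_tagged_frame(ROUTER_MAC, PC1_MAC, 10, "172.17.10.10", "172.17.30.10")
    print(route_on_a_stick(pc1_to_pc3)[:2])
```

The tag on the returned frame is the only thing that tells switch S1 which VLAN the routed packet now belongs to; a frame tagged with a VLAN that has no subinterface is dropped at the router exactly as the chapter's Topology 2 troubleshooting section describes.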

After the router and switch have been configured to perform the inter-VLAN routing, the next step is to verify that the router is functioning correctly. You can test access to devices on remote VLANs using the ping command. For the example shown in the figure, you would initiate a ping and a tracert from PC1 to the destination address of PC3.

The Ping Test

The ping command sends an ICMP echo request to the destination address. When a host receives an ICMP echo request, it responds with an ICMP echo reply to confirm that it received the ICMP echo request. The ping command calculates the elapsed time using the difference between the time the ping was sent and the time the echo reply was received. This elapsed time is used to determine the latency of the connection. Successfully receiving a reply confirms that there is a path between the sending device and the receiving device.

The Tracert Test

Tracert is a useful utility for confirming the routed path taken between two devices. On UNIX systems, the utility is specified by traceroute. Tracert also uses ICMP to determine the path taken, but it uses ICMP echo requests with specific time-to-live values defined on the frame. The time-to-live value determines exactly how many router hops away the ICMP echo is allowed to reach. The first ICMP echo request is sent with a time-to-live value set to expire at the first router on route to the destination device. When the ICMP echo request times out on the first route, a confirmation is sent back from the router to the originating device. The device records the response from the router and proceeds to send out another ICMP echo request, but this time with a greater time-to-live value. This allows the ICMP echo request to traverse the first router and reach the second device on route to the final destination. The process repeats until finally the ICMP echo request is sent all the way to the final destination device. After the tracert utility finishes running, you are presented with a list of every router interface that the ICMP echo request reached on its way to the destination.

Click the Device Outputs button in the figure to see a sample ping and tracert command output. In the example, the ping utility was able to send an ICMP echo request to the IP address of PC3. Also, the tracert utility confirms that the path to PC3 is through the 172.17.10.1 subinterface IP address of router R1.
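The ping and tracert mechanics described above, as an added example (not code from the Cisco curriculum): each router on the path decrements the time-to-live, the router at which it reaches zero answers, and the probing host raises the value one hop at a time until the destination itself replies. 172.17.10.1 is R1's VLAN10 subinterface address from this chapter; the PC3 address and the extra path with a silent router used in the test are constructed. The silent-hop case goes beyond the chapter's example: a router that does not answer shows up as "*" in the list, as it does in real tracert output.

```python
"""Added example (not from the Cisco curriculum): ping and tracert over a
simulated path, showing how time-to-live expiry reveals each router.
Addresses other than R1's 172.17.10.1 are constructed."""
from dataclasses import dataclass


@dataclass
class Hop:
    name: str
    address: str
    answers: bool = True  # some routers never send "time exceeded" replies


# PC1 -> R1 (router-on-a-stick) -> PC3, as in the chapter's figure.
CHAPTER_PATH = [Hop("R1", "172.17.10.1"), Hop("PC3", "172.17.30.10")]


def send_echo(path, ttl):
    """Forward one ICMP echo request along `path` with the given TTL.
    Every router decrements the TTL; the router at which it reaches zero
    answers 'time-exceeded'. Reaching the last hop (the destination) yields
    'echo-reply'. Returns (kind, answering_address_or_None)."""
    for index, hop in enumerate(path):
        if index == len(path) - 1:
            return ("echo-reply", hop.address)
        ttl -= 1
        if ttl == 0:
            return ("time-exceeded", hop.address if hop.answers else None)
    return ("no-reply", None)


def ping(path, ttl=128):
    """A plain ping: one echo request with a normal TTL; True only if the
    destination answered."""
    kind, _ = send_echo(path, ttl)
    return kind == "echo-reply"


def tracert(path, max_hops=30):
    """Send echo requests with TTL 1, 2, 3, ... recording who answered each
    one, and stop at the first echo reply. '*' marks a hop that stayed silent."""
    hops = []
    for ttl in range(1, max_hops + 1):
        kind, address = send_echo(path, ttl)
        hops.append(address if address is not None else "*")
        if kind == "echo-reply":
            return hops
    return hops


if __name__ == "__main__":
    print("ping:", ping(CHAPTER_PATH))
    print("tracert:", tracert(CHAPTER_PATH))
```

For the chapter's topology the list has two entries, R1's VLAN10 subinterface address followed by PC3, which is the confirmation the text asks for: the path really does pass through the router-on-a-stick.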

6.3.1 Switch configuration issues

In this topic, we discuss the challenges associated with configuring multiple VLANs on a network. This topic explores common issues and describes troubleshooting methods to identify and correct those issues. When using the traditional routing model for inter-VLAN routing, ensure that the switch ports that connect to the router interfaces are configured on the correct VLANs. If the switch ports are not configured on the correct VLAN, devices configured on that VLAN cannot connect to the router interface, and therefore, are unable to route to the other VLANs. Click the Topology 1 button in the figure.

As you can see in Topology 1, PC1 and router R1 interface F0/0 are configured to be on the same logical subnet, as indicated by their IP address assignment. However, the switch port F0/4 that connects to router R1 interface F0/0 has not been configured and remains in the default VLAN. Because router R1 is on a different VLAN than PC1, they are unable to communicate. To correct this problem, execute the switchport access vlan 10 interface configuration command on switch port F0/4 on switch S1. When the switch port is configured for the correct VLAN, PC1 can communicate with router R1 interface F0/0, which allows it to access the other VLANs connected to router R1.

Click the Topology 2 button in the figure to see another switch configuration issue. In Topology 2, the router-on-a-stick routing model has been chosen. However, the F0/5 interface on switch S1 is not configured as a trunk and subsequently left in the default VLAN for the port. As a result, the router is not able to function correctly because each of its configured subinterfaces is unable to send or receive VLAN tagged traffic. This prevents all configured VLANs from routing through router R1 to reach the other VLANs. To correct this problem, execute the switchport mode trunk interface configuration command on switch port F0/5 on switch S1. This converts the interface to a trunk, allowing the trunk to successfully establish a connection with router R1. When the trunk is successfully established, devices connected to each of the VLANs are able to communicate with the subinterface assigned to their VLAN, allowing inter-VLAN routing to occur.

Click the Topology 3 button in the figure to see another switch configuration issue. In Topology 3, the trunk link between switch S1 and switch S2 is down. Because there is no redundant connection or path between the devices, all devices connected to switch S2 are unable to reach router R1. As a result, all devices connected to switch S2 are unable to route to other VLANs through router R1. To reduce the risk of a failed inter-switch link disrupting inter-VLAN routing, redundant links and alternate paths should be configured between switch S1 and switch S2. Redundant links are configured in the form of an EtherChannel that protects against a single link failure. Additionally, alternate paths through other interconnected switches could be configured. This approach is dependent on the Spanning Tree Protocol (STP) to prevent the possibility of loops within the switch environment. There would also be a slight disruption in router access while STP determines whether the current link is down and finds an alternate route.

Cisco EtherChannel technology enables you to aggregate multiple physical links into one logical link. This can provide up to 80 Gb/s of aggregate bandwidth with 10 Gigabit EtherChannel. The CCNP curriculum addresses EtherChannel technology. To learn more about Cisco EtherChannel technology, visit: http://www.cisco.com/en/US/tech/tk389/tk213/technologies_white_paper09186a0080092944.shtml. To learn more about configuring EtherChannel on a Cisco Catalyst 2960 switch, visit: http://www.cisco.com/en/US/products/ps6406/products_configuration_guide_chapter09186a00808752d9.html.

Switch Cisco IOS Commands

When you suspect that there is a problem with a switch configuration, use the various verification commands to examine the configuration and identify the problem. The show running-config and the show interface interface-id switchport commands are useful for identifying VLAN assignment and port configuration issues.

Click the Incorrect VLAN Assignment button in the figure.

The screen output shows the results of the show interface interface-id switchport and the show running-config commands. Assume that you have issued these commands because you suspect that VLAN 10 has not been assigned to port F0/4 on switch S1. The top highlighted area shows that port F0/4 on switch S1 is in access mode, but it does not show that it has been directly assigned to VLAN 10. The bottom highlighted area confirms that port F0/4 is still set to the default VLAN.

Click the Incorrect Access Mode button in the figure.

The screen output shows the results of the show interface interface-id switchport command. After device configuration has changed, communication between router R1 and switch S1 has stopped. The link between the router and the switch is supposed to be a trunk link. The top highlighted area confirms that port F0/4 on switch S1 is in access mode, not trunk mode. The bottom highlighted area also confirms that port F0/4 has been configured for access mode.

6.3.2 Router configuration issues
One of the most common inter-VLAN router configuration errors is to connect the physical router interface to the wrong switch port, placing it on the incorrect VLAN and preventing it from reaching the other VLANs. As you can see in Topology 1, router R1 interface F0/0 is connected to switch S1 port F0/9. Switch port F0/9 is configured for the default VLAN, not VLAN 10. This prevents PC1 from being able to communicate with the router interface, and it is therefore unable to route to VLAN 30. To correct this problem, physically connect router R1 interface F0/0 to switch S1 port F0/4. This puts the router interface on the correct VLAN and allows inter-VLAN routing to function. Alternatively, you could change the VLAN assignment of switch port F0/9 to VLAN 10. This also allows PC1 to communicate with router R1 interface F0/0.

Click the Topology 2 button in the figure to see another router configuration issue.

In Topology 2, router R1 has been configured to use the wrong VLAN on subinterface F0/0.10, preventing devices configured on VLAN 10 from communicating with subinterface F0/0.10. This in turn prevents those devices from being able to route to other VLANs on the network. To correct this problem, configure subinterface F0/0.10 to be on the correct VLAN using the encapsulation dot1q 10 subinterface configuration mode command. When the subinterface has been assigned to the correct VLAN, it is accessible by devices on that VLAN and can perform inter-VLAN routing.

Verify Router Configuration

In this troubleshooting scenario, you suspect a problem with the router R1. The screen capture shows the results of running the show interface and the show running-config commands. The show interface command produces a lot of output, which can make the problem hard to see. The top highlighted section shows that the subinterface F0/0.10 on router R1 uses VLAN 100. The subinterface F0/0.10 should allow access to VLAN 10 traffic, and the subinterface F0/0.30 should allow VLAN 30 traffic. The show running-config confirms that the subinterface F0/0.10 on router R1 has been configured to allow access to VLAN 100 traffic and not VLAN 10. With proper verification, router configuration problems are quickly addressed.

6.3.3 IP addressing issues
As we have discussed, VLANs correspond to unique subnets on the network. For inter-VLAN routing to operate, a router needs to be connected to all VLANs, either by separate physical interfaces or by trunked subinterfaces. Each interface, or subinterface, needs to be assigned an IP address that corresponds to the subnet to which it is connected. This permits devices on the VLAN to communicate with the router interface and enables the routing of traffic to other VLANs connected to the router. Recall that the VLANs are directly connected, which is how they enter the routing table; subnets are the key to implementing inter-VLAN routing. Let's examine some common errors.

As you can see in Topology 1, router R1 has been configured with an incorrect IP address on interface F0/0. Perhaps this was a typing mistake. This prevents PC1 from being able to communicate with router R1 on VLAN 10. To correct this problem, assign the correct IP address to router R1 interface F0/0 using the ip address 172.17.10.1 255.255.255.0 interface configuration command. After the router interface has been assigned the correct IP address, PC1 can use the interface as a default gateway for accessing other VLANs, allowing inter-VLAN routing to function properly again.

Click the Topology 2 button in the figure to see another IP address configuration issue.

In Topology 2, PC1 has been configured with an incorrect IP address for the subnet associated with VLAN 10. This prevents PC1 from being able to communicate with router R1 on VLAN 10. To correct this problem, assign the correct IP address to PC1. Depending on the type of PC being used, the configuration details may be different.

Click the Topology 3 button in the figure to see another IP address configuration issue.

In Topology 3, PC1 has been configured with the incorrect subnet mask. According to the subnet mask configured for PC1, PC1 is on the 172.17.0.0 network. This results in PC1 determining that PC3, with IP address 172.17.30.23, is on the local subnet. PC1 does not forward traffic destined for PC3 to router R1 interface F0/0. Therefore, the traffic never reaches PC3. To correct this problem, change the subnet mask on PC1 to 255.255.255.0. Depending on the type of PC being used, the configuration details may be different.

Verification Commands

Earlier you learned that each interface, or subinterface, needs to be assigned an IP address that corresponds to the subnet to which it is connected. A common error is to incorrectly configure an IP address for a subinterface. The screen capture shows the results of the show running-config command. The highlighted area shows that the subinterface F0/0.10 on router R1 has an IP address of 172.17.20.1. The VLAN for this subinterface should allow VLAN 10 traffic. There is an IP address that has been incorrectly configured. The show ip interface is another useful command. The second highlight shows the incorrect IP address.

Click the PC IP Addressing Issue button.

Sometimes it is the end-user device, such as a personal computer, that is the culprit. In the screen output configuration of the computer PC1, the IP address is 172.17.20.21, with a subnet mask of 255.255.255.0. But in this scenario, PC1 should be in VLAN 10, with an address of 172.17.10.21 and a subnet mask of 255.255.255.0.
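
The three classes of error walked through in 6.3.1 to 6.3.3 (a switch port in the wrong VLAN or not trunking, a subinterface tagging the wrong VLAN, and addresses or masks that do not match the VLAN's subnet on the router or the PC) can all be caught from the configuration before anyone starts pinging. The script below is an added example, not part of the Cisco curriculum and not a Cisco IOS feature: it parses constructed show running-config excerpts for S1 and R1 together with PC1's IP settings and reports every mismatch against an expected-state table. That table (F0/5 is the trunk to R1, F0/4 is PC1's access port in VLAN 10, VLAN 10 and VLAN 30 use 172.17.10.0/24 and 172.17.30.0/24, the router holds the first host address of each subnet) is an assumption chosen to match the page's topology, and the sample configurations are constructed and deliberately broken.

```python
import ipaddress
import re

# Expected state for the page's router-on-a-stick topology (an assumption for this example):
# S1 F0/5 trunks to R1 F0/0, S1 F0/4 is PC1's access port in VLAN 10, and each VLAN's
# router subinterface holds the first host address of its subnet.
VLAN_SUBNETS = {10: ipaddress.ip_network("172.17.10.0/24"),
                30: ipaddress.ip_network("172.17.30.0/24")}
EXPECTED_PORTS = {"FastEthernet0/5": "trunk", "FastEthernet0/4": 10}

# Constructed sample input, broken the way the page's topologies are: F0/4 left in
# VLAN 1, F0/5 an access port instead of a trunk, F0/0.10 tagged for VLAN 100 with an
# address from the wrong subnet, and PC1 carrying a /16 mask.
S1_CONFIG = """\
interface FastEthernet0/4
 switchport mode access
!
interface FastEthernet0/5
 switchport access vlan 10
 switchport mode access
!
"""
R1_CONFIG = """\
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.10
 encapsulation dot1Q 100
 ip address 172.17.20.1 255.255.255.0
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 172.17.30.1 255.255.255.0
!
"""
PC1 = {"vlan": 10, "ip": "172.17.10.21", "mask": "255.255.0.0", "gateway": "172.17.10.1"}


def parse_ios_interfaces(config):
    """Return {interface name: [its config lines]} from a running-config excerpt."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.strip() in ("", "!"):
            current = None
        elif current is not None:
            interfaces[current].append(line.strip())
    return interfaces


def audit_switch(config, expected=EXPECTED_PORTS):
    """6.3.1: each planned port must be a trunk, or an access port in the planned VLAN."""
    findings, interfaces = [], parse_ios_interfaces(config)
    for port, want in expected.items():
        lines = interfaces.get(port, [])
        # No 'switchport mode' line means the IOS default (dynamic auto), which is not a trunk.
        mode = next((l.split()[-1] for l in lines if l.startswith("switchport mode ")), "dynamic auto")
        vlan = next((int(l.split()[-1]) for l in lines if l.startswith("switchport access vlan ")), 1)
        if want == "trunk" and mode != "trunk":
            findings.append(f"{port}: link to the router must be a trunk but mode is '{mode}' "
                            f"in VLAN {vlan}; fix: switchport mode trunk")
        elif want != "trunk" and (mode != "access" or vlan != want):
            findings.append(f"{port}: expected access port in VLAN {want}, found mode '{mode}' "
                            f"in VLAN {vlan}; fix: switchport access vlan {want}")
    return findings


def audit_router(config, subnets=VLAN_SUBNETS):
    """6.3.2/6.3.3: each subinterface must tag a planned VLAN and hold an address in its subnet."""
    findings = []
    for name, lines in parse_ios_interfaces(config).items():
        if "." not in name:
            continue  # physical interface; only subinterfaces carry a VLAN tag
        suffix = int(name.rsplit(".", 1)[1])  # naming convention: F0/0.10 serves VLAN 10
        encap = addr = None
        for l in lines:
            if (m := re.match(r"encapsulation dot1[qQ] (\d+)", l)):
                encap = int(m.group(1))
            elif (m := re.match(r"ip address (\S+) (\S+)", l)):
                addr = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        if encap not in subnets:
            findings.append(f"{name}: encapsulation dot1Q {encap} is not a planned VLAN; "
                            f"fix: encapsulation dot1q {suffix}")
        want = subnets[encap] if encap in subnets else subnets.get(suffix)
        if want is None:
            continue
        if addr is None:
            findings.append(f"{name}: no IP address; fix: ip address {want[1]} {want.netmask}")
        elif addr.network != want:
            findings.append(f"{name}: ip address {addr.with_netmask} is not in VLAN subnet {want}; "
                            f"fix: ip address {want[1]} {want.netmask}")
    return findings


def pc_treats_as_local(pc, destination):
    """True if the PC would ARP for destination directly instead of sending it to the gateway."""
    network = ipaddress.ip_interface(f"{pc['ip']}/{pc['mask']}").network
    return ipaddress.ip_address(destination) in network


def audit_pc(pc, subnets=VLAN_SUBNETS):
    """6.3.3: the PC's address, mask and gateway must all agree with its VLAN's subnet."""
    findings, want = [], subnets[pc["vlan"]]
    host = ipaddress.ip_interface(f"{pc['ip']}/{pc['mask']}")
    gateway = ipaddress.ip_address(pc["gateway"])
    if host.ip not in want:
        findings.append(f"PC: address {host.ip} is not in VLAN {pc['vlan']} subnet {want}")
    if host.network.netmask != want.netmask:
        findings.append(f"PC: mask {host.network.netmask} is wrong for {want} (should be "
                        f"{want.netmask}); other VLANs look local, so their traffic never reaches the gateway")
    if gateway not in host.network:
        findings.append(f"PC: gateway {gateway} is not on the PC's own subnet {host.network}")
    return findings


def audit_all(switch_cfg=S1_CONFIG, router_cfg=R1_CONFIG, pc=PC1):
    return audit_switch(switch_cfg) + audit_router(router_cfg) + audit_pc(pc)


if __name__ == "__main__":
    for finding in audit_all():
        print(finding)
```

Run against the sample it prints five findings, one for each of the errors the page walks through, with the corrective command beside each. The show interface interface-id switchport output tells you the same thing interactively; the value of a script is that it checks every port and subinterface at once and can be rerun after each change. One caveat the page does not raise: confirming that the router-facing port is a trunk is only part of the job. On a production trunk you would also set the native VLAN to an otherwise unused VLAN and restrict the allowed VLAN list, so that a port accidentally left in VLAN 1 does not share a broadcast domain with the trunk's untagged traffic.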

6.5.1 Chapter summary
Inter-VLAN routing is the process of routing traffic between different VLANs, using either a dedicated router or a multilayer switch. Inter-VLAN routing facilitates communication between devices isolated by VLAN boundaries. The inter-VLAN routing topology using an external router with subinterfaces trunked to a Layer 2 switch is called router-on-a-stick. With this option, it is important to configure an IP address on each logical subinterface as well as the associated VLAN number. Modern switched networks use switch virtual interfaces on multilayer switches to enable inter-VLAN routing. Catalyst 2960 switches can be used in a router-on-a-stick scenario, while Catalyst 3560 switches can be used for the multilayer switching option for inter-VLAN routing.

7 Basic wireless concepts and configuration
7.1 Chapter introduction
In the previous chapters, you learned how switch functions can facilitate interconnecting devices on a wired network. Typical business networks make extensive use of wired networks. Physical connections are made between computer systems, phone systems, and other peripheral devices to switches located in the wiring closets. Managing a wired infrastructure can be challenging. Consider what happens when a worker decides they prefer their computer system in a different location in their office, or when a manager wants to bring a notebook to a meeting room and connect to the network there. In a wired network, you need to move the network connection cable to a new location in the worker's office and make sure there is a network connection available in the meeting room. To avoid these physical changes, wireless networks are becoming more and more common.

In this chapter, you will learn how wireless local area networks (WLANs) offer businesses a flexible networking environment. You will learn the different wireless standards available today and the features that each standard offers. You will learn which hardware components are typically necessary in a wireless infrastructure, how WLANs operate, and how to secure them. Finally, you will learn how to configure a wireless access point and a wireless client.

7.1.1 Why use wireless?
Why have Wireless LANs Become so Popular?

Click the Play button in the figure to view the video.

Business networks today are evolving to support people who are on the move. Employees and employers, students and faculty, government agents and those they serve, sports fans and shoppers, all are mobile and many of them are "connected." Perhaps you have a mobile phone that you route instant messages to when you are away from your computer. This is the vision of mobility: an environment where people can take their connection to the network along with them on the road.

There are many different infrastructures (wired LAN, service provider networks) that allow mobility like this to happen, but in a business environment, the most important is the WLAN.

Productivity is no longer restricted to a fixed work location or a defined time period. People now expect to be connected at any time and place, from the office to the airport or even the home. Traveling employees used to be restricted to pay phones for checking messages and returning a few phone calls between flights. Now employees can check e-mail, voice mail, and the status of products on personal digital assistants (PDAs) while at many temporary locations.

At home, many people have changed the way they live and learn. The Internet has become a standard service in many homes, along with TV and phone service. Even the method of accessing the Internet has quickly moved from temporary modem dialup service to dedicated DSL or cable service.

Home users are seeking many of the same flexible wireless solutions as office workers. For the first time, in 2005, more Wi-Fi-enabled mobile laptops were purchased than fixed-location desktops.

In addition to the flexibility that WLANs offer, another important benefit is reduced costs. For example, with a wireless infrastructure already in place,
savings are realized when moving a person within a building, reorganizing a lab,
or moving to temporary locations or project sites. On average, the IT cost of
moving an employee to a new location within a site is $375 (US dollars).

Another example is when a company moves into a new building that does not
have any wired infrastructure. In this case, the savings resulting from using
WLANs can be even more noticeable, because the cost of running cables through
walls, ceilings, and floors is largely avoided.

Though harder to measure, WLANs can result in better productivity and more
relaxed employees, leading to better results for customers and increased profits.

Wireless LANs

In the previous chapters, you learned about switch technologies and functions.
Most current business networks rely on switch-based LANs for day-to-day
operation inside the office. However, workers are becoming more mobile and
want to maintain access to their business LAN resources from locations other
than their desks. Workers in the office want to take their laptops to meetings or
to a co-worker's office. When using a laptop in another location, it is inconvenient
to rely on a wired connection. In this topic, you will learn about wireless LANs
(WLANs) and how they benefit a business. You will also explore the security
concerns associated with WLANs.

Portable communications have become an expectation in many countries around
the world. You can see portability and mobility in everything from cordless
keyboards and headsets, to satellite phones and global positioning systems
(GPS). The mix of wireless technologies in different types of networks allows
workers to be mobile.

Click on the Wireless LANs button in the figure.

You can see that the WLAN is an extension of the Ethernet LAN. The function of
the LAN has become mobile. You are going to learn about WLAN technology and
the standards behind the mobility that allow people to continue a meeting, while
walking, while in a cab, or while at the airport.

Comparing a WLAN to a LAN

Wireless LANs share a similar origin with Ethernet LANs. The IEEE has adopted
the 802 LAN/MAN portfolio of computer network architecture standards. The two
dominant 802 working groups are 802.3 Ethernet and 802.11 wireless LAN.
However, there are important differences between the two.

WLANs use radio frequencies (RF) instead of cables at the Physical layer and MAC
sub-layer of the Data Link layer. In comparison to cable, RF has the following
characteristics:

RF does not have boundaries, such as the limits of a wire in a sheath. The lack of
such a boundary allows data frames traveling over the RF media to be available
to anyone who can receive the RF signal, including receivers outside the building.

RF is unprotected from outside signals, whereas cable is in an insulating sheath.
Radios operating independently in the same geographic area but using the same
or a similar RF can interfere with each other.

RF transmission is subject to the same challenges inherent in any wave-based
technology, such as consumer radio. For example, as you get farther away from
the source, you may hear stations playing over each other or hear static in the
transmission. Eventually you may lose the signal altogether. Wired LANs have
cables that are of an appropriate length to maintain signal strength.

RF bands are regulated differently in various countries. The use of WLANs is
subject to additional regulations and sets of standards that are not applied to
wired LANs.

WLANs connect clients to the network through a wireless access point (AP)
instead of an Ethernet switch.

WLANs connect mobile devices that are often battery powered, as opposed to
plugged-in LAN devices. Wireless network interface cards (NICs) tend to reduce
the battery life of a mobile device.

WLANs support hosts that contend for access on the RF media (frequency bands).
802.11 prescribes collision-avoidance instead of collision-detection for media
access to proactively avoid collisions within the media.

WLANs use a different frame format than wired Ethernet LANs. WLANs require
additional information in the Layer 2 header of the frame.

WLANs raise more privacy issues because radio frequencies can reach outside
the facility.

Introducing Wireless LANs

802.11 wireless LANs extend the 802.3 Ethernet LAN infrastructures to provide
additional connectivity options. However, additional components and protocols
are used to complete wireless connections.

In an 802.3 Ethernet LAN, each client has a cable that connects the client NIC to
a switch. The switch is the point where the client gains access to the network.

Click the WLAN Devices button in the figure.

In a wireless LAN, each client uses a wireless adapter to gain access to the
network through a wireless device such as a wireless router or access point.

Click the Clients button in the figure.

The wireless adapter in the client communicates with the wireless router or
access point using RF signals. Once connected to the network, wireless clients
can access network resources just as if they were wired to the network.

7.1.2 Wireless LAN standards
Wireless LAN Standards

802.11 wireless LAN is an IEEE standard that defines how radio frequency (RF) in
the unlicensed industrial, scientific, and medical (ISM) frequency bands is used
for the Physical layer and the MAC sub-layer of wireless links.

When 802.11 was first released, it prescribed 1 - 2 Mb/s data rates in the 2.4 GHz
band. At that time, wired LANs were operating at 10 Mb/s so the new wireless
technology was not enthusiastically adopted. Since then, wireless LAN standards
have continuously improved with the release of IEEE 802.11a, IEEE 802.11b, IEEE
802.11g, and draft 802.11n.

Typically, the choice of which WLAN standard to use is based on data rates. For
instance, 802.11a and 802.11g can support up to 54 Mb/s, while 802.11b supports
a maximum of 11 Mb/s, making 802.11b the "slow" standard and 802.11a and g
the preferred ones. A fourth WLAN standard, draft 802.11n, exceeds the currently
available data rates. IEEE 802.11n was expected to be ratified by September 2008
(it was eventually ratified in September 2009). The figure compares the ratified
IEEE 802.11a, b, and g standards.

Click the Table button in the figure to see details about each standard.

The data rates of different wireless LAN standards are affected by the
modulation technique used. The two modulation techniques that you will
reference in this course are Direct Sequence Spread Spectrum (DSSS) and
Orthogonal Frequency Division Multiplexing (OFDM). You do not need to know
how these techniques work for this course, but you should be aware that when a
standard uses OFDM, it will have faster data rates. Also, DSSS is simpler than
OFDM, so it is less expensive to implement.

802.11a

The IEEE 802.11a adopted the OFDM modulation technique and uses the 5 GHz
band.

802.11a devices operating in the 5 GHz band are less likely to experience
interference than devices that operate in the 2.4 GHz band because there are
fewer consumer devices that use the 5 GHz band. Also, higher frequencies allow
for the use of smaller antennas.

There are some important disadvantages to using the 5 GHz band. The first is
that higher frequency radio waves are more easily absorbed by obstacles such as
walls, making 802.11a susceptible to poor performance due to obstructions. The
second is that this higher frequency band has slightly poorer range than either
802.11b or g. Also, some countries, including Russia, do not permit the use of the
5 GHz band, which may continue to curtail its deployment.

802.11b and 802.11g

802.11b specifies data rates of 1, 2, 5.5, and 11 Mb/s in the 2.4 GHz ISM band
using DSSS. 802.11g achieves higher data rates in that band by using the OFDM
modulation technique. IEEE 802.11g also specifies the use of DSSS for backward
compatibility with IEEE 802.11b systems. DSSS data rates of 1, 2, 5.5, and 11
Mb/s are supported, as are OFDM data rates of 6, 9, 12, 18, 24, 36, 48, and 54 Mb/s.

There are advantages to using the 2.4 GHz band. Devices in the 2.4 GHz band
have better range than those in the 5 GHz band. Also, transmissions in this
band are not as easily obstructed as those of 802.11a.

There is one important disadvantage to using the 2.4 GHz band. Many consumer
devices also use the 2.4 GHz band and cause 802.11b and g devices to be prone
to interference.

802.11n

The IEEE 802.11n draft standard is intended to improve WLAN data rates and
range without requiring additional power or RF band allocation. 802.11n uses
multiple radios and antennae at endpoints, each broadcasting on the same
frequency to establish multiple streams. The multiple input/multiple output
(MIMO) technology splits a high data-rate stream into multiple lower rate streams
and broadcasts them simultaneously over the available radios and antennae. This
allows for a theoretical maximum data rate of 248 Mb/s using two streams.

The standard was expected to be ratified by September 2008; it was eventually
ratified in September 2009.

Important: RF bands are allocated by the International Telecommunication
Union Radiocommunication Sector (ITU-R). The ITU-R designates the 900 MHz,
2.4 GHz, and 5 GHz frequency bands as unlicensed ISM bands. Although the ISM
bands are globally unlicensed, they are still subject to local regulations. The use
of these bands is administered by the FCC in the United States and by ETSI in
Europe. These issues will impact your selection of wireless components in a
wireless implementation.

Wi-Fi Certification

Wi-Fi certification is provided by the Wi-Fi Alliance (http://www.wi-fi.org), a global,
nonprofit, industry trade association devoted to promoting the growth and
acceptance of WLANs. You will better appreciate the importance of Wi-Fi
certification if you consider the role of the Wi-Fi Alliance in the context of WLAN
standards.

Standards ensure interoperability between devices made by different
manufacturers. Internationally, the three key organizations influencing WLAN
standards are:

– ITU-R
– IEEE
– Wi-Fi Alliance

The ITU-R regulates the allocation of the RF spectrum and satellite orbits. These
are described as finite natural resources that are in demand from such
consumers as fixed wireless networks, mobile wireless networks, and global
positioning systems.

The IEEE developed and maintains the standards for local and metropolitan area
networks with the IEEE 802 LAN/MAN family of standards. IEEE 802 is managed
by the IEEE 802 LAN/MAN Standards Committee (LMSC), which oversees multiple
working groups. The dominant standards in the IEEE 802 family are 802.3
Ethernet, 802.5 Token Ring, and 802.11 Wireless LAN.

Although the IEEE has specified standards for RF modulation devices, it has not
specified manufacturing standards, so interpretations of the 802.11 standards by
different vendors can cause interoperability problems between their devices.

The Wi-Fi Alliance is an association of vendors whose objective is to improve the
interoperability of products that are based on the 802.11 standard by certifying
vendors for conformance to industry norms and adherence to standards.
Certification includes all three IEEE 802.11 RF technologies, as well as early
adoption of pending IEEE drafts, such as 802.11n, and the WPA and WPA2
security standards based on IEEE 802.11i.

The roles of these three organizations can be summarized as follows:

– ITU-R regulates allocation of RF bands.
– IEEE specifies how RF is modulated to carry information.
– The Wi-Fi Alliance certifies that vendors make devices that are interoperable.

7.1.3 Wireless infrastructure components
Wireless NICs

You may already use a wireless network at home, in a local coffee shop, or at the
school you attend. Have you ever wondered what hardware components are
involved in allowing you to wirelessly access the local network or Internet? In this
topic, you will learn which components are available to implement WLANs and
how each is used in the wireless infrastructure.

To review, the building block components of a WLAN are client stations that
connect to access points that, in turn, connect to the network infrastructure. The
device that makes a client station capable of sending and receiving RF signals is
the wireless NIC.

Like an Ethernet NIC, the wireless NIC, using the modulation technique it is
configured to use, encodes a data stream onto an RF signal. Wireless NICs are
most often associated with mobile devices, such as laptop computers. In the
1990s, wireless NICs for laptops were cards that slipped into the PCMCIA slot.
PCMCIA wireless NICs are still common, but many manufacturers have begun
building the wireless NIC right into the laptop. Unlike 802.3 Ethernet interfaces
built into PCs, the wireless NIC is not visible, because there is no requirement to
connect a cable to it.

Other options have emerged over the years as well. Desktops located in an
existing, non-wired facility can have a wireless PCI NIC installed. To quickly set up
a PC, mobile or desktop, with a wireless NIC, there are many USB options
available as well.

Wireless Access Points

An access point connects wireless clients (or stations) to the wired LAN. Client
devices do not typically communicate directly with each other; they
communicate with the AP. In essence, an access point converts the TCP/IP data
packets from their 802.11 frame encapsulation format in the air to the 802.3
Ethernet frame format on the wired Ethernet network.

In an infrastructure network, clients must associate with an access point to obtain
network services. Association is the process by which a client joins an 802.11
network. It is similar to plugging into a wired LAN. Association is discussed in
later topics.

An access point is a Layer 2 device that functions like an 802.3 Ethernet hub. RF
is a shared medium and access points hear all radio traffic. Just as with 802.3
Ethernet, the devices that want to use the medium contend for it. Unlike Ethernet
NICs, though, it is expensive to make wireless NICs that can transmit and receive
at the same time, so radio devices do not detect collisions. Instead, WLAN
devices are designed to avoid them.

CSMA/CA

Access points oversee a distributed coordination function (DCF) called Carrier
Sense Multiple Access with Collision Avoidance (CSMA/CA). This simply means
that devices on a WLAN must sense the medium for energy (RF stimulation above
a certain threshold) and wait until the medium is free before sending. Because all
devices are required to do this, the function of coordinating access to the
medium is distributed. If an access point receives data from a client station, it
sends an acknowledgement to the client that the data has been received. This
acknowledgement keeps the client from assuming that a collision occurred and
prevents a data retransmission by the client.

Click the Hidden Nodes button in the figure.

RF signals attenuate. That means that they lose their energy as they move away
from their point of origin. Think about driving out of range of a radio station. This
signal attenuation can be a problem in a WLAN where stations contend for the
medium.

Imagine two client stations that both connect to the access point, but are at
opposite sides of its reach. If they are at the maximum range to reach the access
point, they will not be able to reach each other. So neither of those stations senses
the other on the medium, and they may end up transmitting simultaneously. This
is known as the hidden node (or station) problem.

One means of resolving the hidden node problem is a CSMA/CA feature called
request to send/clear to send (RTS/CTS). RTS/CTS was developed to allow a
negotiation between a client and an access point. When RTS/CTS is enabled in a
network, access points allocate the medium to the requesting station for as long
as is required to complete the transmission. When the transmission is complete,
other stations can request the channel in a similar fashion. Otherwise, normal
collision avoidance function is resumed.

Wireless Routers

Wireless routers perform the role of access point, Ethernet switch, and router. For
example, the Linksys WRT300N is really three devices in one box. First,
there is the wireless access point, which performs the typical functions of an
access point. A built-in four-port, full-duplex, 10/100 switch provides connectivity
to wired devices. Finally, the router function provides a gateway for connecting to
other network infrastructures.

The WRT300N is most commonly used as a small business or residential wireless
access device. The expected load on the device is low enough that it can provide
WLAN and 802.3 Ethernet connectivity and connect to an ISP at the same time.

7.1.4 Wireless operations
Configurable Parameters for Wireless Endpoints

The figure shows the initial screen for wireless configuration on a Linksys wireless
router. Several processes should occur to create a connection between client and
access point. You have to configure parameters on the access point, and
subsequently on your client device, to enable the negotiation of these processes.

Click the Modes button in the figure to view the Wireless Network Mode parameter.

The wireless network mode refers to the WLAN protocols: 802.11a, b, g, or n. Because 802.11g is backward compatible with 802.11b, access points support both standards. Remember that if all the clients connect to an access point with 802.11g, they all enjoy the better data rates provided. When 802.11b clients associate with the access point, all the faster clients contending for the channel have to wait on the 802.11b clients to clear the channel before transmitting. When a Linksys access point is configured to allow both 802.11b and 802.11g clients, it is operating in mixed mode. For an access point to support 802.11a as well as 802.11b and g, it must have a second radio to operate in the different RF band.

Click the SSID button in the figure to view a list of SSIDs for a Windows client.

A shared service set identifier (SSID) is a unique identifier that client devices use to distinguish between multiple wireless networks in the same vicinity. Several access points on a network can share an SSID. The figure shows an example of SSIDs distinguishing between WLANs, each of which can be any alphanumeric, case-sensitive entry from 2 to 32 characters long. Note that the SSID is only an identifier, not a secret or a security control: it is announced in the access point's beacons, and any access point can be configured to announce the same name.

Click the Channel button in the figure to view a graphic of non-overlapping channels.

The IEEE 802.11 standard establishes the channelization scheme for the use of the unlicensed ISM RF bands in WLANs. The 2.4 GHz band is broken down into 11 channels for North America and 13 channels for Europe. These channels have a center frequency separation of only 5 MHz and an overall channel bandwidth (or frequency occupation) of 22 MHz. The 22 MHz channel bandwidth combined with the 5 MHz separation between center frequencies means there is an overlap between successive channels. Best practice for WLANs that require multiple access points is to use non-overlapping channels. If there are three adjacent access points, use channels 1, 6, and 11. If there are just two, select any two that are five channels apart, such as channels 5 and 10. Many access points can automatically select a channel based on adjacent channel use. Some products continuously monitor the radio space to adjust the channel settings dynamically in response to environmental changes.
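
The channel rules above (5 MHz center spacing, 22 MHz occupied bandwidth, hence "five channels apart") and the channel 1 / channel 6 cell pairing used for roaming later in this topic are simple arithmetic. The following is an added example, not code from the curriculum or from any vendor, that performs that arithmetic: it computes center frequencies, tests whether two channels overlap, audits an existing list of access point channel assignments for interfering pairs, and derives the 1-6-11 plan for a region. The page supplies only the channel counts; the 2412 MHz center of channel 1 is from the 802.11 standard, and the region names are assumptions made for the example.

```python
# 2.4 GHz channel arithmetic as described in the text: centers 5 MHz apart, each
# channel occupying 22 MHz. Channel 1 is centered at 2412 MHz (IEEE 802.11);
# channel 14, used only in Japan, is not modeled.
CHANNEL_SPACING_MHZ = 5
CHANNEL_WIDTH_MHZ = 22
CHANNEL_1_CENTER_MHZ = 2412
# Channel counts as the page gives them; the region labels are assumptions.
CHANNELS_PER_REGION = {"north_america": 11, "europe": 13}


def center_frequency_mhz(channel):
    """Center frequency of 2.4 GHz channel 1 to 13."""
    if not 1 <= channel <= 13:
        raise ValueError(f"channel {channel} is outside 1-13")
    return CHANNEL_1_CENTER_MHZ + CHANNEL_SPACING_MHZ * (channel - 1)


def occupied_band_mhz(channel):
    """(low, high) edges of the 22 MHz the channel occupies."""
    center = center_frequency_mhz(channel)
    return center - CHANNEL_WIDTH_MHZ // 2, center + CHANNEL_WIDTH_MHZ // 2


def channels_overlap(a, b):
    """Two channels overlap when their centers are closer than one channel width,
    which is the same as being fewer than five channel numbers apart."""
    return abs(center_frequency_mhz(a) - center_frequency_mhz(b)) < CHANNEL_WIDTH_MHZ


def overlapping_pairs(assignments):
    """Audit an existing deployment: every pair of AP channels that interferes
    (a channel reused by two APs is reported too, as co-channel interference)."""
    return [(a, b) for i, a in enumerate(assignments)
            for b in assignments[i + 1:] if channels_overlap(a, b)]


def non_overlapping_channels(region="north_america"):
    """Walk up the band, keeping each channel that clears every channel already kept."""
    chosen = []
    for channel in range(1, CHANNELS_PER_REGION[region] + 1):
        if all(not channels_overlap(channel, kept) for kept in chosen):
            chosen.append(channel)
    return chosen


def channel_plan(ap_count, region="north_america"):
    """Assign non-overlapping channels to ap_count adjacent access points."""
    available = non_overlapping_channels(region)
    if ap_count > len(available):
        raise ValueError(f"{region} offers only {len(available)} non-overlapping channels "
                         f"{available}; {ap_count} adjacent APs cannot all avoid overlap")
    return available[:ap_count]


if __name__ == "__main__":
    print("three adjacent APs:", channel_plan(3))
    print("existing plan 1/3/6 interferes on:", overlapping_pairs([1, 3, 6]))
```

Running it shows that the 13 European channels buy nothing over the 11 North American ones as far as non-overlapping channels go: the greedy walk returns 1, 6, 11 in both regions. Channel planning is a performance measure, not a security one; a rogue access point or an attacker's radio will use whatever channel it likes, so a scan for unauthorized access points must sweep every channel in the band, not only the ones in the plan.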

11 WLAN architecture is the basic service set (BSS). When describing these topologies. the fundamental building block of the IEEE 802. 493 802.11 Topologies Wireless LANs can accommodate various network topologies. The standard defines a BSS as a group of stations that communicate with each other. .

Ad hoc Networks

Click the Ad Hoc button in the figure.

Wireless networks can operate without access points; this is called an ad hoc topology. Client stations which are configured to operate in ad hoc mode configure the wireless parameters between themselves. The IEEE 802.11 standard refers to an ad hoc network as an independent BSS (IBSS).

Basic Service Sets

Click the BSS button in the figure.

Access points provide an infrastructure that adds services and improves the range for clients. A single access point in infrastructure mode manages the wireless parameters, and the topology is simply a BSS. The coverage area for both an IBSS and a BSS is the basic service area (BSA).

Extended Service Sets

Click the ESS button in the figure.

When a single BSS provides insufficient RF coverage, one or more can be joined through a common distribution system into an extended service set (ESS). In an ESS, one BSS is differentiated from another by the BSS identifier (BSSID), which is the MAC address of the access point serving the BSS. The coverage area is the extended service area (ESA).

Common Distribution System

The common distribution system allows multiple access points in an ESS to appear to be a single BSS. An ESS generally includes a common SSID to allow a user to roam from access point to access point.

Cells represent the coverage area provided by a single channel. An ESS should have 10 to 15 percent overlap between cells in an extended service area. With a 15 percent overlap between cells, an SSID, and non-overlapping channels (one cell on channel 1 and the other on channel 6), roaming capability can be created.

Click the Summary button in the figure to see a comparison of WLAN topologies.

Client and Access Point Association

A key part of the 802.11 process is discovering a WLAN and subsequently connecting to it. The primary components of this process are as follows:
– Beacons - Frames used by the WLAN network to advertise its presence.
– Probes - Frames used by WLAN clients to find their networks.
– Authentication - A process which is an artifact from the original 802.11 standard, but still required by the standard.
– Association - The process for establishing the data link between an access point and a WLAN client.

The primary purpose of the beacon is to allow WLAN clients to learn which networks and access points are available in a given area, thereby allowing them to choose which network and access point to use. Access points may broadcast beacons periodically.

Although beacons may regularly be broadcast by an access point, the frames for probing, authentication, and association are used only during the association (or reassociation) process.

802.11 Join Process (Association)

Before an 802.11 client can send data over a WLAN network, it goes through the following three-stage process.

Click the Probe button in the figure.

Stage 1 - 802.11 probing

Clients search for a specific network by sending a probe request out on multiple channels. The probe request specifies the network name (SSID) and bit rates. A typical WLAN client is configured with a desired SSID, so probe requests from the WLAN client contain the SSID of the desired WLAN network.

If the WLAN client is simply trying to discover the available WLAN networks, it can send out a probe request with no SSID, and all access points that are configured to respond to this type of query respond. WLANs with the broadcast SSID feature disabled do not respond.

Click the Authenticate button in the figure.

Stage 2 - 802.11 authentication

802.11 was originally developed with two authentication mechanisms. The first one, called open authentication, is fundamentally a NULL authentication where the client says "authenticate me," and the access point responds with "yes." This is the mechanism used in almost all 802.11 deployments.

A second authentication mechanism is referred to as shared key authentication. This technique is based on a Wired Equivalent Privacy (WEP) key that is shared between the client and the access point. In this technique, the client sends an authentication request to the access point. The access point then sends a challenge text to the client, who encrypts the message using its shared key and returns the encrypted text to the access point. The access point then decrypts the encrypted text using its key, and if the decrypted text matches the challenge text, the client and the access point share the same key and the access point authenticates the station. If the messages do not match, the client is not authenticated.

Although shared key authentication needs to be included in client and access point implementations for overall standards compliance, it is not used or recommended. The problem is that the WEP key is normally used to encrypt data during the transmission process. Using this same WEP key in the authentication process hands an attacker who sniffs the exchange both the cleartext challenge and its encrypted form; XORing the two yields the RC4 keystream for the initialization vector that was used. With that keystream the attacker can answer a later challenge and authenticate without ever knowing the key, and the same keystream material feeds the attacks that recover the WEP key itself. Once the WEP key is recovered, any encrypted information that is transmitted across the link can be easily decrypted.

Click the Associate button in the figure.

Stage 3 - 802.11 association

This stage finalizes the security and bit rate options, and establishes the data link between the WLAN client and the access point. As part of this stage, the client learns the BSSID, which is the access point MAC address, and the access point maps a logical port known as the association identifier (AID) to the WLAN client. The AID is equivalent to a port on a switch. The association process allows the infrastructure switch to keep track of frames destined for the WLAN client so that they can be forwarded.

Once a WLAN client has associated with an access point, traffic is able to travel back and forth between the two devices.
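The shared key weakness described above, worked through as an added example that is not part of the Cisco text. The code simulates the four-frame shared key exchange with a faithful RC4 and WEP framing (24-bit IV prepended to a 40-bit key, CRC-32 integrity check value), then plays the passive attacker: XOR the sniffed cleartext challenge with the encrypted response to obtain the keystream, and use that keystream to answer a fresh challenge. The AccessPoint class, the constructed key, and the omission of 802.11 headers are this example's assumptions; the 128-octet challenge length matches the standard.

```python
import os
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4, the cipher WEP uses; the same operation encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Per-frame RC4 key is IV || shared key; plaintext || ICV is what gets encrypted."""
    return rc4(iv + key, plaintext + icv(plaintext))

def wep_decrypt(key: bytes, iv: bytes, ciphertext: bytes):
    """Return the plaintext, or None when the ICV does not verify."""
    plain = rc4(iv + key, ciphertext)
    body, tag = plain[:-4], plain[-4:]
    return body if icv(body) == tag else None

class AccessPoint:
    """Hypothetical AP holding the shared key (example scaffolding only)."""
    def __init__(self, key: bytes):
        self.key = key
        self.challenge = b""

    def issue_challenge(self) -> bytes:
        self.challenge = os.urandom(128)       # 802.11 challenge text is 128 octets
        return self.challenge

    def verify(self, iv: bytes, encrypted: bytes) -> bool:
        return wep_decrypt(self.key, iv, encrypted) == self.challenge

def client_respond(key: bytes, challenge: bytes):
    """Legitimate station: pick an IV and WEP-encrypt the challenge."""
    iv = os.urandom(3)
    return iv, wep_encrypt(key, iv, challenge)

def recover_keystream(challenge: bytes, encrypted: bytes) -> bytes:
    """Attacker, from sniffed frames only: (challenge || ICV) XOR ciphertext
    is exactly the RC4 keystream that IV || key produced for this IV."""
    plain = challenge + icv(challenge)
    return bytes(p ^ c for p, c in zip(plain, encrypted))

def forge_response(iv: bytes, keystream: bytes, challenge: bytes):
    """Attacker answers a new challenge by reusing the sniffed IV and keystream."""
    plain = challenge + icv(challenge)
    return iv, bytes(p ^ k for p, k in zip(plain, keystream))

def shared_key_auth_is_broken() -> bool:
    """Run the exchange; True means the attacker authenticated without the key."""
    key = bytes.fromhex("1122334455")         # constructed 40-bit key, never given to the attacker
    ap = AccessPoint(key)
    challenge = ap.issue_challenge()           # 1) a legitimate client authenticates ...
    iv, response = client_respond(key, challenge)
    assert ap.verify(iv, response)
    keystream = recover_keystream(challenge, response)  # 2) ... the attacker sniffs and XORs
    new_challenge = ap.issue_challenge()       # 3) the attacker's own authentication attempt
    iv2, forged = forge_response(iv, keystream, new_challenge)
    return ap.verify(iv2, forged)

if __name__ == "__main__":
    print("attacker authenticated without the key:", shared_key_auth_is_broken())
```

The forged response passes because WEP's per-frame key depends only on the IV and the static shared key, so a sniffed IV can be replayed with its keystream; nothing in the protocol ties the challenge to a fresh IV.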

7.1.5 Planning the wireless LAN

Planning the Wireless LAN

Implementing a WLAN that takes the best advantage of resources and delivers the best service can require careful planning. WLANs can range from relatively simple installations to very complex and intricate designs. There needs to be a well-documented plan before a wireless network can be implemented. In this topic, we introduce what considerations go into the design and planning of a wireless LAN.

The number of users a WLAN can support is not a straightforward calculation. The number of users depends on the geographical layout of your facility (how many bodies and devices fit in a space), the data rates users expect (because RF is a shared medium and the more users there are the greater the contention for RF), the use of non-overlapping channels by multiple access points in an ESS, and transmit power settings (which are limited by local regulation). Detailed consideration of how to plan for specific numbers of users is beyond the scope of this course. You will have sufficient wireless support for your clients if you plan your network for proper RF coverage in an ESS.

Click the Map button in the figure.

When planning the location of access points, you may not be able to simply draw coverage area circles and drop them over a plan. The approximate circular coverage area is important, but there are some additional recommendations:

If access points are to use existing wiring, or if there are locations where access points cannot be placed, note these locations on the map.

Position access points above obstructions.

Position access points vertically near the ceiling in the center of each coverage area, if possible.

Position access points in locations where users are expected to be. For example, conference rooms are typically a better location for access points than a hallway.

When these points have been addressed, estimate the expected coverage area of an access point. This value varies depending on the WLAN standard or mix of standards that you are deploying, the nature of the facility, the transmit power that the access point is configured for, and so on. Always consult the specifications for the access point when planning for coverage areas.

Click the Coverage Area button in the figure.

Based on your plan, place access points on the floor plan so that coverage circles are overlapping, as illustrated in the following example.

Example Calculation

The open auditorium (a Warehouse/Manufacturing Building Type) shown in the figure is approximately 20,000 square feet. Network requirements specify that there must be a minimum of 6 Mb/s 802.11b throughput in each BSA, because there is a wireless voice over WLAN implementation overlaid on this network. In open areas like those on the map, 6 Mb/s can be achieved with a coverage area of 5,000 square feet in many environments.

Let us determine where to place the access points. The facility is 20,000 square feet; dividing 20,000 square feet by a coverage area of 5,000 square feet per access point results in at least four access points required for the auditorium.

Click the Align Coverage Areas button in the figure.

Next, determine the dimension of the coverage areas and arrange them on the floor plan. When the dimensions of the coverage area have been determined, you arrange them in a manner similar to those shown for Align Coverage Areas in the figure.

Note: The 5,000 square foot coverage area is for a square. Because the coverage area is a square with side "Z", the circle that passes through its four corners has a radius of Z/√2, which is 50 feet, as shown in the calculations. The BSA takes its radius diagonally from the center of this square.

Click the Plan button in the figure.

On your floor plan map, arrange four 50-foot radius coverage circles so that they overlap, as shown in the Plan.
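The auditorium calculation above, together with the non-overlapping channel rule from the channel discussion earlier in this section, carried through in code as an added example (not from the Cisco text). It derives the access point count and the 50-foot cell radius from the stated figures, derives channels 1, 6, and 11 from the 5 MHz spacing and 22 MHz occupation, and assigns them to a grid of square cells so that no two cells sharing an edge use the same channel. The grid layout and the channel-center formula (channel n centered at 2407 + 5n MHz) are assumptions added here; real placement still follows the access point's specifications and a site survey.

```python
import math

CHANNEL_SPACING_MHZ = 5      # center-to-center spacing in the 2.4 GHz band
CHANNEL_WIDTH_MHZ = 22       # occupied bandwidth of one 802.11b/g channel
CHANNEL_1_CENTER_MHZ = 2412  # assumed: channel n is centered at 2407 + 5n MHz

def center_frequency(channel: int) -> int:
    return CHANNEL_1_CENTER_MHZ + CHANNEL_SPACING_MHZ * (channel - 1)

def channels_overlap(a: int, b: int) -> bool:
    """Channels overlap when their centers are closer than one channel's width."""
    return abs(center_frequency(a) - center_frequency(b)) < CHANNEL_WIDTH_MHZ

def non_overlapping_channels(max_channel: int = 11) -> list:
    """Greedy, lowest-first choice of mutually non-overlapping channels.
    Yields [1, 6, 11] for both the 11-channel and the 13-channel plans."""
    chosen = []
    for ch in range(1, max_channel + 1):
        if all(not channels_overlap(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen

def access_points_needed(facility_sqft: float, coverage_sqft: float) -> int:
    return math.ceil(facility_sqft / coverage_sqft)

def cell_radius_ft(coverage_sqft: float) -> float:
    """Square cell of side Z = sqrt(area); the circle through its corners has radius Z / sqrt(2)."""
    return math.sqrt(coverage_sqft) / math.sqrt(2)

def plan_cells(facility_sqft: float, coverage_sqft: float, max_channel: int = 11) -> list:
    """Lay the square cells out in a grid and assign channels so that cells sharing
    an edge never share a channel (diagonal neighbours only touch at a corner)."""
    n = access_points_needed(facility_sqft, coverage_sqft)
    channels = non_overlapping_channels(max_channel)
    side = math.sqrt(coverage_sqft)
    cols = math.ceil(math.sqrt(n))
    cells = []
    for i in range(n):
        row, col = divmod(i, cols)
        cells.append({
            "ap": i + 1,
            "grid": (row, col),
            "center_ft": ((col + 0.5) * side, (row + 0.5) * side),
            "radius_ft": cell_radius_ft(coverage_sqft),
            # Stepping the channel index by one per column and per row keeps
            # every edge-adjacent pair on different channels.
            "channel": channels[(row + col) % len(channels)],
        })
    return cells

def edge_neighbours_conflict(cells: list) -> bool:
    """Sanity check for a plan: True if any two edge-adjacent cells share a channel."""
    for a in cells:
        for b in cells:
            (r1, c1), (r2, c2) = a["grid"], b["grid"]
            if abs(r1 - r2) + abs(c1 - c2) == 1 and a["channel"] == b["channel"]:
                return True
    return False

if __name__ == "__main__":
    for cell in plan_cells(20_000, 5_000):
        x, y = cell["center_ft"]
        print(f"AP{cell['ap']}: center ({x:.1f} ft, {y:.1f} ft), "
              f"radius {cell['radius_ft']:.1f} ft, channel {cell['channel']}")
```

For the auditorium this yields four cells of radius 50 feet on channels 1, 6, 6, and 11; the two cells on channel 6 touch only at a corner, which is why the check passes. The greedy channel choice also shows why channels 12 and 13 add nothing for this purpose: both overlap channel 11.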


7.2.1 Threats to wireless security

Unauthorized Access

Security should be a priority for anyone who uses or administers networks. The difficulties in keeping a wired network secure are amplified with a wireless network. A WLAN is open to anyone within range of an access point who has the appropriate credentials to associate to it. With a wireless NIC and knowledge of cracking techniques, an attacker may not have to physically enter the workplace to gain access to a WLAN.

In this first topic of this section, we describe how wireless security threats have evolved. These security concerns are even more significant when dealing with business networks, because the livelihood of the business relies on the protection of its information. Security breaches for a business can have major repercussions, especially if the business maintains financial information associated with its customers.

There are three major categories of threat that lead to unauthorized access:
• War drivers
• Hackers (Crackers)
• Employees

"War driving" originally referred to using a scanning device to find cellular phone numbers to exploit. War driving now also means driving around a neighborhood with a laptop and an 802.11b/g client card looking for an unsecured 802.11b/g system to exploit.

The term hacker originally meant someone who delved deeply into computer systems to understand, and perhaps exploit for creative reasons, the structure and complexity of a system. Today, the terms hacker and cracker have come to mean malicious intruders who enter systems as criminals and steal data or deliberately harm systems. Hackers intent on doing harm are able to exploit weak security measures.

Most wireless devices sold today are WLAN-ready. In other words, the devices have default settings and can be installed and used with little or no configuration by users. Often, end users do not change default settings, leaving client authentication open, or they may only implement standard WEP security. Unfortunately, as mentioned before, shared WEP keys are flawed and consequently easy to attack.

Tools with a legitimate purpose, such as wireless sniffers, allow network engineers to capture data packets for system debugging. These same tools can be used by intruders to exploit security weaknesses.

Rogue Access Points

A rogue access point is an access point placed on a WLAN that is used to interfere with normal network operation. If a rogue access point is configured with the correct security settings, client data could be captured. A rogue access point also could be configured to provide unauthorized users with information such as the MAC addresses of clients (both wireless and wired), to capture and disguise data packets, or, at worst, to gain access to servers and files.

A simple and common version of a rogue access point is one installed by employees without authorization. Employees install access points intended for home use on the enterprise network. These access points typically do not have the necessary security configuration, so the network ends up with a security hole.

Man-in-the-Middle Attacks

One of the more sophisticated attacks an unauthorized user can make is called a man-in-the-middle (MITM) attack. Attackers select a host as a target and position themselves logically between the target and the router or gateway of the target. In a wired LAN environment, the attacker needs to be able to physically access the LAN to insert a device logically into the topology. With a WLAN, the radio waves emitted by access points can provide the connection.

Radio signals from stations and access points are "hearable" by anyone in a BSS with the proper equipment, such as a laptop with a NIC. Because access points act like Ethernet hubs, each NIC in a BSS hears all the traffic. Normally the device discards any traffic not addressed to it. Attackers can modify the NIC of their laptop with special software (monitor or promiscuous mode) so that it accepts all traffic. With this modification, the attacker can carry out wireless MITM attacks, using the laptop NIC as an access point.

To carry out this attack, a hacker selects a station as a target and uses packet sniffing software, such as Wireshark, to observe the client station connecting to an access point. The hacker might be able to read and copy the target username, server name, client and server IP address, the ID used to compute the response, and the challenge and associate response, which is passed in clear text between station and access point.

If an attacker is able to compromise an access point, the attacker can potentially compromise all users in the BSS. The attacker can monitor an entire wireless network segment and wreak havoc on any users connected to it.

Defeating an attack like a MITM attack depends on the sophistication of your WLAN infrastructure and your vigilance in monitoring activity on the network. The process begins with identifying legitimate devices on your WLAN. To do this, you must authenticate users on your WLAN. When all legitimate users are known, you then monitor the network for devices and traffic that is not supposed to be there.

Enterprise WLANs that use state-of-the-art WLAN devices provide administrators with tools that work together as a wireless intrusion prevention system (IPS). These tools include scanners that identify rogue access points and ad hoc networks, and radio resource management (RRM), which monitors the RF band for activity and access point load. An access point that is busier than normal alerts the administrator to possible unauthorized traffic.

Further explanation of these mitigation techniques is beyond the scope of this course. For more information, refer to the Cisco paper "Addressing Wireless Threats with Integrated Wireless IDS and IPS" available at http://www.cisco.com/en/US/products/ps6521/products_white_paper0900aecd804f155b.shtml.

Denial of Service

802.11b and g WLANs use the unlicensed 2.4 GHz ISM band. This is the same band used by most wireless consumer products, including baby monitors, cordless phones, and microwave ovens. With these devices crowding the RF band, attackers can create noise on all the channels in the band with commonly available devices.

Click the DoS 2 button in the figure.

Earlier we discussed how an attacker can turn a NIC into an access point. That trick can also be used to create a DoS attack. The attacker, using a PC as an access point, can flood the BSS with clear-to-send (CTS) messages, which defeat the CSMA/CA function used by the stations. The access points, in turn, flood the BSS with simultaneous traffic, causing a constant stream of collisions.

Another DoS attack that can be launched in a BSS is when an attacker sends a series of disassociate commands that cause all stations in the BSS to disconnect. When the stations are disconnected, they immediately try to reassociate, which creates a burst of traffic. The attacker sends another disassociate command and the cycle repeats itself. Protected management frames (IEEE 802.11w) authenticate disassociation and deauthentication frames so that spoofed ones are discarded; enable them where both the access points and the clients support them.

7.2.2 Wireless security protocols

Wireless Protocol Overview

In this topic, you will learn about the features of the common wireless protocols and the level of security each provides. Two types of authentication were introduced with the original 802.11 standard: open and shared WEP key authentication. While open authentication is really "no authentication" (a client requests authentication and the access point grants it), WEP authentication was supposed to provide privacy to a link, making it like a cable connecting a PC to an Ethernet wall-jack. As was mentioned earlier, shared WEP keys proved to be flawed and something better was required.

To counteract the shared WEP key weakness, the very first approach by companies was to try techniques such as cloaking SSIDs and filtering MAC addresses. These techniques were also too weak. You will learn more about the weaknesses of these techniques later.

The flaws with WEP shared key encryption were two-fold. First, the algorithm used to encrypt the data was crackable. Second, scalability was a problem. The static WEP keys (40-bit or 104-bit) were manually managed, so users entered them by hand, often incorrectly, creating calls to technical support desks. For more about the WEP security weakness, see the paper "Security of the WEP algorithm" available at http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html.

Following the weakness of WEP-based security, there was a period of interim security measures. Vendors such as Cisco, wanting to meet the demand for better security, developed their own systems while simultaneously helping to evolve the 802.11i standard. On the way to 802.11i, the TKIP encryption algorithm was created, which was linked to the Wi-Fi Alliance WiFi Protected Access (WPA) security method.

Today, the standard that should be followed in most enterprise networks is the 802.11i standard. This is similar to the Wi-Fi Alliance WPA2 standard. For enterprises, WPA2 includes a connection to a Remote Authentication Dial In User Service (RADIUS) database. RADIUS will be described later in the chapter.

Authenticating to the Wireless LAN

In an open network, such as a home network, association may be all that is required to grant a client access to devices and services on the WLAN. In networks that have stricter security requirements, an additional authentication or login is required to grant clients such access. This login process is managed by the Extensible Authentication Protocol (EAP). EAP is a framework for authenticating network access.

The best way to ensure that end users are supposed to be on the WLAN is to use a security method that incorporates port-based network access control, such as WPA2.

Before 802.11i (WPA2) or even WPA were in use, some companies tried to secure their WLANs by filtering MAC addresses and not broadcasting SSIDs. Today, it is easy to use software to modify the MAC addresses attached to adapters, so MAC address filtering is easily fooled. Even if an SSID is not broadcast by an access point, the traffic that passes back and forth between the client and access point eventually reveals the SSID. If an attacker is passively monitoring the RF band, the SSID can be sniffed in one of these transactions, because it is sent in clear text. The ease of discovering SSIDs has led some people to leave SSID broadcasting turned on. If so, that should probably be an organizational decision recorded in the security policy.

The idea that you can secure your WLAN with nothing more than MAC filtering and turning off SSID broadcasts can lead to a completely insecure WLAN. It does not mean you should not do it, but if you are using this method, you should back it up with additional security, such as WPA2.

IEEE developed the 802.11i standard for WLAN authentication and authorization to use IEEE 802.1x.

Click the EAP button in the figure to see the authentication process.

The enterprise WLAN authentication process is summarized as follows:

The 802.11 association process creates a virtual port for each WLAN client at the access point.

The access point blocks all data frames, except for 802.1x-based traffic.

The 802.1x frames carry the EAP authentication packets via the access point to a server that maintains authentication credentials. This server is an Authentication, Authorization, and Accounting (AAA) server running the RADIUS protocol.

If the EAP authentication is successful, the AAA server sends an EAP success message to the access point, which then allows data traffic from the WLAN client to pass through the virtual port.

Before opening the virtual port, data link encryption between the WLAN client and the access point is established to ensure that no other WLAN client can access the port that has been established for a given authenticated client.
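Two of the points above in code, as an added example that is not part of the Cisco text: the SSID leaking in clear text even when the access point does not broadcast it, and the disassociation flood from the Denial of Service discussion earlier in this section. The code builds raw 802.11 management frames in-line (constructed for the demonstration, not captured), parses the fixed header and the tagged information elements, extracts the SSID from a client's probe request and association request, and raises an alert when one BSS receives more than a threshold of disassociation or deauthentication frames within a one-second window. The MAC addresses, the SSID "CorpHidden", and the 10-frames-per-second threshold are this example's assumptions.

```python
import struct
from collections import defaultdict

MGMT_TYPE = 0
SUBTYPE = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
           8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}
SSID_IE = 0
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def info_element(tag: int, value: bytes) -> bytes:
    """Tag, Length, Value encoding used for 802.11 information elements."""
    return bytes([tag, len(value)]) + value

def build_mgmt(subtype: int, dst: str, src: str, bssid: str, body: bytes) -> bytes:
    """Management frame: Frame Control (version 0, type 0, subtype), Duration,
    Address1..3, Sequence Control, then the frame body."""
    frame_control = (subtype << 4) | (MGMT_TYPE << 2)
    return (struct.pack("<HH", frame_control, 0) + mac(dst) + mac(src) + mac(bssid)
            + struct.pack("<H", 0) + body)

def parse_mgmt(frame: bytes) -> dict:
    frame_control, = struct.unpack_from("<H", frame, 0)
    if (frame_control >> 2) & 0x3 != MGMT_TYPE:
        return {"type": "non-mgmt"}
    subtype = (frame_control >> 4) & 0xF
    return {"type": SUBTYPE.get(subtype, f"mgmt-{subtype}"),
            "dst": frame[4:10].hex(":"), "src": frame[10:16].hex(":"),
            "bssid": frame[16:22].hex(":"), "body": frame[24:]}

def parse_ies(tagged: bytes) -> dict:
    """Walk the tagged parameters that follow a body's fixed fields."""
    ies, i = {}, 0
    while i + 2 <= len(tagged):
        tag, length = tagged[i], tagged[i + 1]
        ies[tag] = tagged[i + 2:i + 2 + length]
        i += 2 + length
    return ies

def ssid_from_frame(frame: bytes):
    """SSID carried in clear text by a client's probe request or association request.
    Returns None for other frame types and for a wildcard (empty-SSID) probe."""
    f = parse_mgmt(frame)
    if f["type"] == "probe-req":
        ies = parse_ies(f["body"])
    elif f["type"] == "assoc-req":
        ies = parse_ies(f["body"][4:])   # skip Capability Info and Listen Interval
    else:
        return None
    ssid = ies.get(SSID_IE, b"")
    return ssid.decode("utf-8", "replace") if ssid else None

def disassoc_flood_alerts(capture: list, window_s: float = 1.0, threshold: int = 10) -> dict:
    """capture is a list of (timestamp, raw frame). Returns {bssid: peak count} for
    every BSS that sees more than `threshold` disassoc/deauth frames in one window."""
    events = defaultdict(list)
    for ts, raw in capture:
        f = parse_mgmt(raw)
        if f["type"] in ("disassoc", "deauth"):
            events[f["bssid"]].append(ts)
    alerts = {}
    for bssid, times in events.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window_s)
            if count > threshold:
                alerts[bssid] = max(alerts.get(bssid, 0), count)
    return alerts

def sample_capture() -> list:
    """Constructed frames standing in for a sniffer's output (not a real capture)."""
    ap, client = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"
    frames = [
        # Beacon from an AP with SSID broadcast disabled: 12 bytes of fixed fields, empty SSID IE.
        (0.00, build_mgmt(8, BROADCAST, ap, ap, b"\x00" * 12 + info_element(SSID_IE, b""))),
        # The client asks for the "hidden" network by name, so the SSID is on the air in the clear.
        (0.10, build_mgmt(4, BROADCAST, client, BROADCAST,
                          info_element(SSID_IE, b"CorpHidden") + info_element(1, b"\x82\x84\x8b\x96"))),
        # The association request repeats the SSID after Capability Info and Listen Interval.
        (0.20, build_mgmt(0, ap, client, ap, b"\x31\x04\x0a\x00" + info_element(SSID_IE, b"CorpHidden"))),
    ]
    # An attacker spoofing the AP sprays 25 broadcast disassociation frames (reason code 8) in half a second.
    frames += [(1.0 + k * 0.02, build_mgmt(10, BROADCAST, ap, ap, struct.pack("<H", 8))) for k in range(25)]
    return frames

def analyse(capture: list) -> dict:
    seen = {ssid_from_frame(raw) for _, raw in capture}
    return {"ssids_seen": sorted(s for s in seen if s),
            "flood_alerts": disassoc_flood_alerts(capture)}

if __name__ == "__main__":
    print(analyse(sample_capture()))
```

On the constructed capture the beacon yields nothing, but the probe request and association request both give up "CorpHidden", and the burst of 25 disassociation frames against one BSSID trips the flood alert. The same parser can be pointed at frames pulled from a real monitor-mode capture once the radiotap header has been stripped.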

Encryption

Two enterprise-level encryption mechanisms specified by 802.11i are certified as WPA and WPA2 by the Wi-Fi Alliance: Temporal Key Integrity Protocol (TKIP) and Advanced Encryption Standard (AES).

TKIP is the encryption method certified as WPA. It provides support for legacy WLAN equipment by addressing the original flaws associated with the 802.11 WEP encryption method. It makes use of the original encryption algorithm used by WEP.

TKIP has two primary functions:
• It encrypts the Layer 2 payload
• It carries out a message integrity check (MIC) in the encrypted packet. This helps ensure against a message being tampered with.

Although TKIP addressed the weaknesses of WEP that were known at the time, the AES encryption of WPA2 is the preferred method, because it brings the WLAN encryption standards into alignment with broader IT industry standards and best practices, most notably IEEE 802.11i. TKIP has since been deprecated by the 802.11 standard and should be treated only as a bridge for legacy clients.

AES has the same functions as TKIP, but it uses additional data from the MAC header that allows destination hosts to recognize if the non-encrypted bits have been tampered with. It also adds a sequence number to the encrypted data header.

When you configure Linksys access points or wireless routers, such as the WRT300N, you may not see WPA or WPA2; instead you may see references to something called pre-shared key (PSK). Various types of PSKs are as follows:
• PSK or PSK2 with TKIP is the same as WPA
• PSK or PSK2 with AES is the same as WPA2
• PSK2, without an encryption method specified, is the same as WPA2

7.2.3 Securing a wireless LAN

Controlling Access to the Wireless LAN

The concept of depth means having multiple solutions available. It is like having a security system in your house, but still locking all the doors and windows and asking the neighbors to watch it for you. The security methods you have seen, especially WPA2, are like having a security system. If you want to do something extra to secure access to your WLAN, you can add depth, as shown in the figure, by implementing this three-step approach:
• SSID cloaking - Disable SSID broadcasts from access points
• MAC address filtering - Tables are manually constructed on the access point to allow or disallow clients based on their physical hardware address
• WLAN security implementation - WPA or WPA2

An additional consideration for a vigilant network administrator is to configure access points that are near outside walls of buildings to transmit on a lower power setting than other access points closer to the middle of the building. This merely reduces the RF signature on the outside of the building, where anyone running an application such as Netstumbler (http://www.netstumbler.com), Wireshark, or even Windows XP can map WLANs.

Neither SSID cloaking nor MAC address filtering is considered a valid means of securing a WLAN, for the following reasons:
• MAC addresses are easily spoofed.
• SSIDs are easily discovered even if access points do not broadcast them.

7.3.1 Configuring a wireless access point

Overview of Configuring the Wireless Access Point

In this topic, you will learn how to configure a wireless access point. You will learn how to set the SSID, enable security, configure the channel, and adjust the power settings of a wireless access point. You will also learn how to back up and restore the configuration of a typical wireless access point.

With a plan for implementation in mind, you will now configure it. The following example uses the Linksys WRT300N multifunction device. This device includes an access point. The basic approach to wireless implementation, as with any basic networking, is to configure and test incrementally. Before implementing any wireless devices, verify the existing network and Internet access for the wired hosts. Start the WLAN implementation process with a single access point and a single client, without enabling wireless security. Verify that the wireless client has received a DHCP IP address and can ping the local wired default router and then browse to the external Internet. Finally, configure wireless security with WPA2. Use WEP only if the hardware does not support WPA, and treat any segment that depends on WEP as untrusted.

Most access points have been designed to be functional right out of the box with the default settings. It is good practice to change initial, default configurations. Many access points can be configured through a GUI web interface.

To access the web-based utility of the access point, launch Internet Explorer or Netscape Navigator, and enter the WRT300N default IP address, 192.168.1.1, in the address field. Press the Enter key.

A screen appears prompting you for your username and password. Leave the Username field blank. Enter admin in the Password field. The default password is admin. These are the default settings for a Linksys WRT300N; if the device has already been configured, the username and password may have been changed. Click OK to continue.

Make the necessary changes through the utility. For information on a tab, click Help. When you have finished making changes to a screen, click the Save Settings button, or click the Cancel Changes button to undo your changes. The figure summarizes the implementation steps for an access point.

For a basic network setup, use the following screens, as shown when you click the Setup, Management, and Wireless buttons in the figure:
• Setup - Enter your basic network settings (IP address).
• Management - Click the Administration tab and then select the Management screen. The default password is admin. To secure the access point, change the password from its default.
• Wireless - Change the default SSID in the Basic Wireless Settings tab. Select the level of security in the Wireless Security tab and complete the options for the selected security mode.

Configuring Basic Wireless Settings

The Basic Setup screen is the first screen you see when you access the web-based utility. Click the Wireless tab and then select the Basic Wireless Settings tab.

Click the buttons along the bottom of the figure for a view of the GUI for each configuration.

Network Mode - If you have Wireless-N, Wireless-G, and Wireless-B devices in your network, keep Mixed, the default setting. If you have only Wireless-N devices, select Wireless-N Only. If you have Wireless-G and 802.11b devices in your network, select BG-Mixed. If you have only Wireless-G devices, select Wireless-G Only. If you have only Wireless-B devices, select Wireless-B Only. If you want to disable wireless networking, select Disabled.

Network Name (SSID) - The SSID is the network name shared among all points in a wireless network. The SSID must be identical for all devices in the wireless network. It is case-sensitive and must not exceed 32 characters (use any of the characters on the keyboard). Change the default SSID (linksys) to a unique name so that your clients do not associate with a neighbor's default-named network; remember that the SSID is a network name, not a secret, because it travels in the clear in probe and association frames.

Radio Band - For best performance in a network using Wireless-N, Wireless-G, and Wireless-B devices, keep the default Auto. For Wireless-N devices only, select Wide - 40MHz Channel. For Wireless-G and Wireless-B networking only, select Standard - 20MHz Channel.

Wide Channel - If you selected Wide - 40MHz Channel for the Radio Band setting, this setting is available for your primary Wireless-N channel. Select any channel from the drop-down menu.

Standard Channel - Select the channel for Wireless-N, Wireless-G, and Wireless-B networking. If you selected Wide - 40MHz Channel for the Radio Band setting, the standard channel is a secondary channel for Wireless-N.

SSID Broadcast - When wireless clients survey the local area for wireless networks to associate with, they detect the SSID broadcast by the access point. To broadcast the SSID, keep Enabled, the default setting. If you do not want to broadcast the SSID, select Disable.

When you have finished making changes to this screen, click the Save Settings button, or click the Cancel Changes button to undo your changes. For more information, click Help.



Configuring Security

Click the Overview button in the figure.

These settings configure the security of your wireless network. There are seven wireless security modes supported by the WRT300N, listed here in the order you see them in the GUI, from weakest to strongest, except for the last option, which is disabled:
• WEP
• PSK-Personal, or WPA-Personal in v0.93.9 firmware or newer
• PSK2-Personal, or WPA2-Personal in v0.93.9 firmware or newer
• PSK-Enterprise, or WPA-Enterprise in v0.93.9 firmware or newer
• PSK2-Enterprise, or WPA2-Enterprise in v0.93.9 firmware or newer
• RADIUS
• Disabled

When you see "Personal" in a security mode, no AAA server is used. "Enterprise" in the security mode name means an AAA server and EAP authentication are used. The RADIUS option that is available for a Linksys wireless router allows you to use a RADIUS server in combination with WEP.

PSK2, which is the same as WPA2 or IEEE 802.11i, is the preferred option for the best security. If WPA2 is the best, you may wonder why there are so many other options. The answer is that many wireless LANs are supporting old wireless devices. Because all client devices that associate to an access point must be running the same security mode that the access point is running, the access point has to be set to support the device running the weakest security mode. You have learned that WEP is a flawed security mode. All Wi-Fi certified devices manufactured after March 2006 must be able to support WPA2, so in time, as devices are upgraded, you will be able to switch your network security mode over to PSK2.

Click the buttons along the bottom of the figure for a view of the GUI for each configuration.

To configure security, do the following:
• Security Mode - Select the mode you want to use: PSK-Personal, PSK2-Personal, PSK-Enterprise, PSK2-Enterprise, RADIUS, or WEP.
• Mode Parameters - Each of the PSK and PSK2 modes has parameters that you can configure. If you select the PSK2-Enterprise security version, you must have a RADIUS server attached to your access point. If you have this configuration, you need to configure the access point to point to the RADIUS server.
• RADIUS Server IP Address - Enter the IP address of the RADIUS server.
• RADIUS Server Port - Enter the port number used by the RADIUS server. The default is 1812.
• Encryption - Select the algorithm you want to use, AES or TKIP. (AES is a stronger encryption method than TKIP.)
• Pre-shared Key - Enter the key shared by the router and your other network devices. It must have 8 to 63 characters. Choose a long random passphrase: the PSK handshake can be captured and the passphrase guessed offline, so a short or dictionary passphrase undoes the strength of WPA2.
• Key Renewal - Enter the key renewal period, which tells the router how often it should change encryption keys.

When you have finished making changes to this screen, click the Save Settings button, or click the Cancel Changes button to undo your changes.


7.3.2 Configuring a wireless NIC

Scan for SSIDs

When the access point has been configured, you need to configure the wireless NIC on a client device to allow it to connect to the wireless network. You also should verify that the wireless client has successfully connected to the correct wireless network, especially since there may be many WLANs available with which to connect. We will also introduce some basic troubleshooting steps and identify common problems associated with WLAN connectivity.

If your PC is equipped with a wireless NIC, you should be ready to scan for wireless networks. PCs running Microsoft Windows XP have a built-in wireless networks monitor and client utility. You may have a different utility installed and selected in preference to the native Microsoft Windows XP version. The steps below are for using the View Wireless Networks feature in Microsoft Windows XP.

Click the numbered steps in the figure to follow the process.

Step 1. On the Microsoft Windows XP toolbar system tray, find the network connection icon that looks similar to the one shown in the figure. Double-click the icon to open the Network Connections dialog box.

Step 2. Click the View Wireless Networks button in the dialog box.

Step 3. Observe the wireless networks that your wireless NIC has been able to detect. If you have a WLAN that is not showing up on the list of networks, you may have disabled SSID broadcast on the access point. If this is the case, you must enter the SSID manually.

Select the Wireless Security Protocol

After having configured your access point to authenticate clients with a strong security type, you must match your client configuration to the access point parameters. The following steps describe how to configure your wireless network security parameters on the client:

Step 1. Double-click the network connections icon in the Microsoft Windows XP system tray.

Step 2. Click the Properties button in the Wireless Network Connections Status dialog box.

Step 3. In the Properties dialog box, click the Wireless Networks tab.

Step 4. In the Wireless Networks tab, click the Add button.

Step 5. In the Wireless Network Properties dialog box, enter the SSID of the WLAN you wish to configure.

Step 6. In the Wireless network key box, select your preferred authentication method from the Network Authentication drop-down menu. WPA2 and PSK2 are preferred because of their strength, but you should match the configuration from your access point here on your PC.

Step 7. Select the Data encryption method from the drop-down menu. Recall that AES is a stronger cipher than TKIP. After selecting the encryption method, enter and confirm the Network key. Again, this is a value that you have entered into the access point.

Step 8. Click OK.

Also, you can save multiple wireless profiles with different security parameters, allowing you to quickly connect to the WLANs you may use regularly.


Verify Connectivity to the Wireless LAN

With configurations set for both the access point and the client, the next step is to confirm connectivity. This is done by pinging devices in the network. Open the DOS command prompt window on the PC. Try to ping a known IP address for a device in the network. In the figure, the IP address is 192.168.1.254. The ping was successful, indicating a successful connection.

7.4.1 Solve access point radio and firmware issues

A Systematic Approach to WLAN Troubleshooting

Click the Approach button in the figure.

Troubleshooting any sort of network problem should follow a systematic approach, working up the TCP/IP stack from the Physical layer to the Application layer. You should already be familiar with the first three steps of the systematic troubleshooting approach from working with 802.3 Ethernet LANs. They are repeated here in the context of the WLAN:

Step 1 - Eliminate the user PC as the source of the problem.

Try to determine the severity of the problem. If there is no connectivity, check the following:

• Confirm the network configuration on the PC using the ipconfig command. Verify that the PC has received an IP address via DHCP or is configured with a static IP address.
• Confirm that the device can connect to the wired network. Connect the device to the wired LAN and ping a known IP address.
• It may be necessary to try a different wireless NIC. If necessary, reload drivers and firmware as appropriate for the client device.
• If the wireless NIC of the client is working, check the security mode and encryption settings on the client. If the security settings do not match, the client cannot get access to the WLAN.

If the PC of the user is operational but is performing poorly, check the following:

• How far is the PC from an access point? Is the PC out of the planned coverage area (BSA)?
• Check the channel settings on the client. The client software should detect the appropriate channel as long as the SSID is correct.
• Check for the presence of other devices in the area that operate on the 2.4 GHz band. Examples of other devices are cordless phones, baby monitors, microwave ovens, wireless security systems, and potentially rogue access points. Data from these devices can cause interference in the WLAN and intermittent connection problems between a client and access point.

Step 2 - Confirm the physical status of devices.

Are all the devices actually in place? Consider a possible physical security issue. Is there power to all devices, and are they powered on?

Step 3 - Inspect links.

Inspect links between cabled devices, looking for bad connectors or damaged or missing cables. If the physical plant is in place, use the wired LAN to see if you can ping devices, including the access point.

If connectivity still fails at this point, perhaps something is wrong with the access point or its configuration.

When you have reached the point where you have eliminated the user PC as the problem, and also confirmed the physical status of devices, begin investigating the performance of the access point. Check the power status of the access point. When the access point settings have been confirmed, if the radio continues to fail, try to connect to a different access point. You may try to install new radio drivers and firmware, which is explained next.

As you troubleshoot a WLAN, a process of elimination is recommended, working from physical possibilities to application-related ones.
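As an added example (not from the course text), the following Python implements the first check of Step 1: it reads ipconfig output and reports whether the PC obtained a usable address, distinguishing a missing address, a self-assigned APIPA address (no DHCP lease), an address on the wrong network, and a missing gateway. The sample output is constructed, and the LAN 192.168.1.0/24 is assumed from the 192.168.1.254 ping target in the figure.

```python
# Added example (not from the curriculum): a check for Step 1 of the
# troubleshooting approach, deciding from ipconfig output whether the PC got a
# usable address. The sample output is constructed, and the expected LAN
# 192.168.1.0/24 is assumed from the 192.168.1.254 ping target in the figure.
import ipaddress
import re
from typing import Dict

# Constructed Windows XP ipconfig output for a wireless adapter that never got a
# DHCP lease, so Windows self-assigned an APIPA (169.254.0.0/16) address.
SAMPLE_IPCONFIG = """
Windows IP Configuration

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 169.254.37.12
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :
"""

# Matches the dotted XP field lines; the value group is empty when the field is blank.
FIELD_RE = re.compile(
    r"^[ \t]*(IP Address|Subnet Mask|Default Gateway)[ .]*:[ \t]*(\S*)[ \t]*$", re.M)


def parse_adapter(ipconfig_text: str) -> Dict[str, str]:
    """Return address, mask and gateway of the first adapter in the output."""
    fields: Dict[str, str] = {}
    for name, value in FIELD_RE.findall(ipconfig_text):
        fields.setdefault(name, value)  # keep the first adapter's values only
    return fields


def diagnose(ipconfig_text: str, expected_network: str = "192.168.1.0/24") -> str:
    """Classify the client's address state so the next troubleshooting step is clear."""
    f = parse_adapter(ipconfig_text)
    addr = f.get("IP Address", "")
    if addr in ("", "0.0.0.0"):
        return "no address: adapter disabled or not associated with the access point"
    ip = ipaddress.ip_address(addr)
    if ip in ipaddress.ip_network("169.254.0.0/16"):
        return "APIPA address: associated but no DHCP lease; check security settings, then DHCP"
    if ip not in ipaddress.ip_network(expected_network):
        return f"{addr} is outside {expected_network}: wrong WLAN or a stale static address"
    if not f.get("Default Gateway"):
        return "address is correct but no default gateway: ping the access point next"
    return "address and gateway look correct: ping a known host to confirm connectivity"
```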

Updating the Access Point Firmware

Caution: Do not upgrade the firmware unless you are experiencing problems with the access point or the new firmware has a feature you want to use.

The firmware for a Linksys device, such as the one used in the labs in this course, is upgraded using the web-based utility. Follow these instructions:

Click the Download Firmware button in the figure.

Step 1. Download the firmware from the web. For a Linksys WRT300N, go to http://www.linksys.com.

Step 2. Extract the firmware file on your computer.

Click the Run Firmware Upgrade button in the figure.

Step 3. Open the web-based utility, and click the Administration tab.

Step 4. Select the Firmware Upgrade tab.

Click the Select Firmware to Install button in the figure.

Step 5. Enter the location of the firmware file, or click the Browse button to find the file.

Step 6. Click the Start to Upgrade button and follow the instructions.


7.4.2 Incorrect channel settings

Click the Problem button in the figure.

If users report connectivity issues in the area between access points in an extended service set WLAN, there could be a channel setting issue.

Click the Reason button in the figure.

Most WLANs today operate in the 2.4 GHz band, which can have as many as 14 channels, each occupying 22 MHz of bandwidth. Energy is not spread evenly over the entire 22 MHz; rather, the channel is strongest at its center frequency, and the energy diminishes toward the edges of the channel. The concept of the waning energy in a channel is shown by the curved line used to indicate each channel. The high point in the middle of each channel is the point of highest energy. A full explanation of the way energy is spread across the frequencies in a channel is beyond the scope of this course.

The figure provides a graphical representation of the channels in the 2.4 GHz band. Interference can occur when there is overlap of channels. It is worse if the channels overlap close to the center frequencies, but even if there is minor overlap, signals interfere with each other.

Click the Solution button in the figure.

Set the channels at intervals of five channels, such as channel 1, channel 6, and channel 11.

7.4.3 Solve the access point radio and firmware issues

Solving RF Interference

Incorrect channel settings are part of the larger group of problems with RF interference. WLAN administrators can control interference caused by channel settings with good planning, including proper channel spacing.

Click the Problem button in the figure.

Other sources of RF interference can be found all around the workplace or in the home. Many consumer items, such as cordless phones, baby monitors, and microwave ovens, operate on 2.4 GHz. Perhaps you have experienced the snowy disruption of a television signal when someone nearby runs a vacuum cleaner. The problem with devices such as cordless phones, baby monitors, and microwave ovens is that they are not part of a BSS, so they do not contend for the channel; they just use it.

Click the Reason button in the figure.

Unfortunately, the entire range of possible RF interference issues cannot be planned for, because there are just too many possibilities. Such interference can be moderated with good planning. For instance, plan to place microwave ovens away from access points and potential clients.

Click the Solution button in the figure.

How can you find out which channels in an area are most crowded? In a small WLAN environment, look for the presence of multiple WLANs, as shown in screenshot 1 in the figure. If most of the WLANs you detect operate on channel 6, try setting your WLAN access point to channel 1 or channel 11. In more crowded environments, a site survey might be needed.

Site Surveys

Although you do not conduct site surveys as part of this course, you should know that there are two categories of site surveys: manual and utility assisted. Manual site surveys can include a site evaluation, to be followed by a more thorough utility-assisted site survey. A site evaluation involves inspecting the area with the goal of identifying potential issues that could impact the network. Specifically, look for unique building structures, such as open floors and atriums, and high client usage variances, such as those caused by differences in day or night shift staffing levels.

There are several approaches to doing utility-assisted site surveys. If you do not have access to dedicated site survey tools, you can mount access points on tripods and set them in locations you think are appropriate and in accordance with the projected site plan. With access points mounted, you can then walk around the facility using a site survey meter in the WLAN client utility of your PC. Alternatively, sophisticated tools are available, such as Airmagnet, that allow you to enter a facility floor plan. You can then begin a recording of the RF characteristics of the site, which are then shown on the floor plan as you move about the facility with your wireless laptop. An example of an Airmagnet site survey output is shown in screenshot 2 in the figure. Part of the advantage to utility-assisted site surveys is that RF activity on the various channels in the various unlicensed bands (900 MHz, 2.4 GHz, and 5 GHz) is documented, and you are then able to choose channels for your WLAN, or at the very least identify areas of high RF activity and make provisions for them.
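As an added example (not part of the course text), the following Python works through the channel arithmetic behind the spacing rule in 7.4.2 and the "least crowded channel" choice in 7.4.3: it computes how many MHz two 22 MHz channels share, checks that a plan such as 1, 6, 11 is overlap-free, and picks the least loaded of those three from a constructed scan result. The center frequencies (2412 MHz for channel 1, 5 MHz steps, 2484 MHz for channel 14) are standard values not stated on the page.

```python
# Added example (not from the curriculum): 2.4 GHz channel overlap arithmetic
# for the channel-spacing rule in 7.4.2 and the least-crowded choice in 7.4.3.
from typing import Dict, Iterable, Sequence

CHANNEL_WIDTH_MHZ = 22  # each 802.11b/g channel occupies 22 MHz, as the text states


def center_frequency_mhz(channel: int) -> int:
    """Center frequency of a 2.4 GHz channel: channels 1-13 are spaced 5 MHz
    apart starting at 2412 MHz; channel 14 sits apart at 2484 MHz
    (standard values, assumed here rather than taken from the page)."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"not a 2.4 GHz channel: {channel}")


def overlap_mhz(ch_a: int, ch_b: int) -> int:
    """Width of the spectrum two channels share; 0 means no overlap at all.
    The text says even minor overlap causes interference, so any non-zero
    value between two neighbouring access points is a planning problem."""
    half = CHANNEL_WIDTH_MHZ // 2
    a_lo, a_hi = center_frequency_mhz(ch_a) - half, center_frequency_mhz(ch_a) + half
    b_lo, b_hi = center_frequency_mhz(ch_b) - half, center_frequency_mhz(ch_b) + half
    return max(0, min(a_hi, b_hi) - max(a_lo, b_lo))


def non_overlapping(channels: Iterable[int]) -> bool:
    """True when every pair in the plan is free of overlap (e.g. 1, 6, 11)."""
    chs = list(channels)
    return all(overlap_mhz(a, b) == 0
               for i, a in enumerate(chs) for b in chs[i + 1:])


def least_crowded_channel(detected: Dict[str, int],
                          candidates: Sequence[int] = (1, 6, 11)) -> int:
    """Choose the candidate channel least affected by neighbouring WLANs.

    detected maps an SSID seen in a scan to the channel it uses. A neighbour
    on an adjacent channel still counts, weighted by how many MHz it shares
    with the candidate, so a busy channel 3 pushes the choice away from
    channel 1 as well as from channel 6. Ties go to the lowest channel."""
    load = {c: sum(overlap_mhz(c, ch) for ch in detected.values()) for c in candidates}
    return min(candidates, key=lambda c: (load[c], c))
```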

Identify Problems with Access Point Misplacement

In this topic, you will learn how to identify when an access point is incorrectly placed, and how to correctly place the access point in a small- or medium-sized business.

The figure explores these issues in a problem, reason, solution sequence. Click each of the buttons to advance through the graphic.

Click the Problem button in the figure.

You may have experienced a WLAN that just did not seem to perform like it should. Perhaps you keep losing association with an access point, or your data rates are much slower than they should be. You may even have done a quick walk around the facility to confirm that you could actually see the access points. Having confirmed that they are there, you wonder why you continue to get poor service.

Click the Reason button in the figure.

There are two major deployment issues that may occur with the placement of access points:

• The distance separating access points is too far to allow overlapping coverage.
• The orientation of access point antennae in hallways and corners diminishes coverage.

Click the Solution button in the figure.

Fix access point placement as follows:

• Confirm the power settings and operational ranges of access points and place them for a minimum of 10 to 15% cell overlap, as you learned earlier in this chapter.
• Change the orientation and positioning of access points:
  • Position access points above obstructions.
  • Position access points vertically near the ceiling in the center of each coverage area, if possible.
  • Position access points in locations where users are expected to be. For example, large rooms are typically a better location for access points than a hallway.

Some additional specific details concerning access point and antenna placement are as follows:

• Ensure that access points are not mounted closer than 7.9 inches (20 cm) from the body of all persons.
• Do not mount the access point within 3 feet (91.4 cm) of metal obstructions.
• Install the access point away from microwave ovens. Microwave ovens operate on the same frequency as the access point and can cause signal interference.
• Always mount the access point vertically (standing up or hanging down).
• Do not mount the access point outside of buildings, unless outside coverage is desired.
• Do not mount the access point on building perimeter walls.
• When mounting an access point in the corner of a right-angle hallway intersection, mount it at a 45-degree angle to the two hallways. The access point internal antennas are not omnidirectional and cover a larger area when mounted this way.

7.4.5 Problems with authentication and encryption

The WLAN authentication and encryption problems you are most likely to encounter, and that you will be able to solve, are caused by incorrect client settings. If an access point is expecting one type of encryption, and the client offers a different type, the authentication process fails. Encryption issues involving the creation of dynamic keys and the conversations between an authentication server, such as a RADIUS server, and a client through an access point are beyond the scope of this course.

Therefore. all devices connecting to an access point must use the same security type as the one configured on the access point. both the type of encryption (WEP) and the shared key must match between the client and the access point.11i is used. If WPA is being used. if WPA2 or 802. Similarly. . if an access point is configured for WEP. AES is required as the encryption algorithm. the encryption algorithm is TKIP. 537 Remember.

In addition to ensuring compatible configuration of wireless security settings, ensure that the devices have the latest firmware so that they can support the most stringent security options.

7.6.1 Chapter summary

In this chapter, we discussed the evolving wireless LAN standards, including IEEE 802.11a, b, g, and now draft n. Newer standards take into account the need to support voice and video and the requisite quality of service.

A single access point connected to the wired LAN provides a basic service set to client stations that associate to it. Multiple access points that share a service set identifier combine to form an extended service set.

Wireless LANs can be detected by any radio-enabled client device and therefore may enable access by attackers that do not have access to a wired-only network. Methods such as MAC address filtering and SSID masking can be part of a security best practice implementation, but these methods alone are easily overcome by a determined attacker. WPA2 and 802.1x authentication provide very secure wireless LAN access in an enterprise network.

When configuring a wireless LAN, both the access point and wireless NICs must be configured with similar parameters, including SSID, before association is possible. End users have to configure a wireless NIC on their client stations, which communicate with and associate to a wireless access point. Troubleshooting wireless LANs involves resolving RF problems.
