CCNA Certification/Switching
Acknowledgements — Introduction — The OSI Model — Application Layer — Transport Layer — Network Layer — Addressing — Routing Protocols — Data Link Layer — Switching — Physical Layer — Router Operation — Advanced Addressing Topics — Advanced Routing Topics — Advanced Switching Topics — Security — WAN — Configuration — Conclusion — References — About the Exam — Cisco Router Commands — Quick Reference Sheet
LAN switching concepts
editBridge
editA layer 2 device used to connect different networks types or networks of the same type. It maps the Ethernet addresses of the nodes residing on each segment and allows only the necessary traffic to pass through the bridge. Packet destined to the same segment is dropped. This "store-and-forward" mechanism inspects the whole Ethernet packet before making a decision. Unfortunately, it cannot filter out broadcast traffic. Also, it introduces a 20 to 30 percent latency when processing the frame. Only 2 networks can be linked with a bridge. bridge is necessary device used in switching.
Switch
editSwitches are layer 2 devices (it can be of layer3 and above) that can link up four, six, eight or even more networks. Switches are the only devices that allow for micro segmentation. Cut-through switches run faster because when a packet comes in, it forwards it right after looking at the destination address only. A store-and-forward switch inspects the entire packet before forwarding. Most switches cannot stop broadcast traffic. Switches are considered dedicated data link device because they are close to a 100 % of the bandwidth. While bridging does most of its work by software, switches use ASICS hardware to handle most of its work. A Switch can be thought of as a multi-port bridge.
Store-and-forward
editThe entire frame is received before any forwarding takes place. The destination and/or the source addresses are read and filters are applied before the frame is forwarded. Latency occurs while the frame is being received; the latency is greater with larger frames because the entire frame takes longer to read. Error detection is high because of the time available to the switch to check for errors while waiting for the entire frame to be received. This method discards frames smaller than 64 bytes(runts) and frames larger than 1518 bytes (giants).
Cut-Through
editThe switch reads the destination address before receiving the entire frame. The frame is then forwarded before the entire frame arrives. This mode decreases the latency of the transmission and has poor error detection. This method has two forms, Fast-forward and fragment-free.
Fast-forward switching
editFast-forward switching offers the lowest level of latency by immediately forwarding a frame after receiving the destination address. Because fast-forward switching does not check for errors, there may be times when frames are relayed with errors. Although this occurs infrequently and the destination network adapter discards the fault frame upon receipt. In networks with high collision rates, this can negatively affect available bandwidth.
Fragment Free Switching
editUse the fragment-free option to reduce the number of collisions in frames forwarded with errors. In fast-forward mode, latency is measured from the first bit received to the first bit transmitted, or first in, first out (FIFO). Fragment-free switching filters out collision fragments, which are the majority of packets errors, before forwarding begins. In a properly functioning network, collision fragments must be smaller than 64 bytes. Anything greater than 64 bytes is a valid packet and is usually received without error. Fragment-free switching waits until the received frame has been determined not to be a collision fragment before forwarding the frame. In fragment-free, latency is measured as FIFO.
VLANs and trunking
editA virtual LAN, commonly known as a vLAN or as a VLAN, is a method of creating independent logical networks within a physical network. Several VLANs can co-exist within such a network. This helps in reducing the broadcast domain and aids in network administration by separating logical segments of a LAN (like company departments) that should not exchange data using a LAN (they still can exchange data by Inter-VLAN routing).
A VLAN consists of a network of computers that behave as if connected to the same wire - even though they may actually be physically connected to different segments of a LAN. Network administrators configure VLANs through software rather than hardware, which makes them extremely flexible. One of the biggest advantages of VLANs emerges when physically moving a computer to another location: it can stay on the same VLAN without the need for any hardware reconfiguration.
Advantages of VLANs
edit- Increase the number of broadcast domains but reduce the size of each broadcast domain, which in turn reduces network traffic and increases network security (both of which are hampered in cases of single large broadcast domains).
- Reduce management effort to create subnetworks.
- Reduce hardware requirement, as networks can be logically instead of physically separated.
- Increase control over multiple traffic types.
Protocols and design
editThe primary protocol currently used in configuring virtual LANs is IEEE 802.1Q, which describes how traffic on a single physical network can be partitioned into virtual LANs by tagging each frame or packet with extra bytes to denote which virtual network the packet belongs to.
Prior to the introduction of the 802.1Q standard, several proprietary protocols existed, such as Cisco's ISL (Inter-Switch Link, a variant of IEEE 802.10) and 3Com's VLT (Virtual LAN Trunk). ISL is no longer supported by Cisco.
Early network designers often configured VLANs with the aim of reducing the size of the collision domain in a large single Ethernet segment and thus improving performance. When Ethernet switches made this a non-issue (because they have no collision domain), attention turned to reducing the size of the broadcast domain at the MAC layer. Virtual networks can also serve to restrict access to network resources without regard to physical topology of the network, although the strength of this method remains debatable as VLAN Hopping is a common means of bypassing such security measures.
Virtual LANs operate at Layer 2 (the data link layer) of the OSI model. However, administrators often configure a VLAN to map directly to an IP network, or subnet, which gives the appearance of involving Layer 3 (the network layer).
In the context of VLANs, the term "trunk" denotes a network link carrying multiple VLANs, which are identified by labels (or "tags") inserted into their packets. Such trunks must run between "tagged ports" of VLAN-aware devices, so they are often switch-to-switch or switch-to-router links rather than links to hosts. (Confusingly, the term 'trunk' is also used for what Cisco calls "channels" : Link Aggregation or Port Trunking). A router (Layer 3 switch) serves as the backbone for network traffic going across different VLANs.
On Cisco devices, VTP (VLAN Trunking Protocol) allows for VLAN domains, which can aid in administrative tasks. VTP also allows "pruning", which involves directing specific VLAN traffic only to switches which have ports on the target VLAN.
Assigning VLAN Memberships
editThe four methods of assigning VLAN memberships that are in use are:
- Port-based: A switch port is manually configured to be a member of a VLAN. In order to connect a port to several VLANs (for example, a link with VLANs spanning over several switches) the port has to be member of a trunk. Only one VLAN on a port can be set untagged; the switch will add this VLAN's tags to untagged received frames and remove this VLAN's tag from transmitted frames.
- MAC-based: VLAN membership is based on the MAC address of the workstation. The switch has a table listing the MAC address of each machine, along with the VLAN to which it belongs.
- Protocol-based: Layer 3 data within the frame is used to determine VLAN membership. For example, IP machines can be classified as the first VLAN, and AppleTalk machines as the second. The major disadvantage of this method is that it violates the independence of the layers, so an upgrade from IPv4 to IPv6, for example, will cause the switch to fail.
- Authentication based: Devices can be automatically placed into VLANs based on the authentication credentials of a user or device using the 802.1x protocol.
Port Based VLANs
editA port based VLAN switch determines the membership of a data frame by examining the configuration of the port that received the transmission or reading a portion of the data frame’s tag header. A four-byte field in the header is used to identify the VLAN. This VLAN identification indicates what VLAN the frame belongs to. If the frame has no tag header, the switch checks the VLAN setting of the port that received the frame. If the switch has been configured for port based VLAN support, it assigns the port’s VLAN identification to the new frame.
Spanning Tree
editThe spanning tree network protocol provides a loop free topology for any bridged LAN. The Spanning Tree Protocol, which is also referred to as STP, is defined in the IEEE Standard 802.1D. Spanning tree is based on an algorithm invented by Radia Perlman while working for Digital Equipment Corporation. STP is used in switched networks to prevent loops, and has been standardized by IEEE 802.1D. As the name suggests, it finds a spanning tree within the mesh network formed by the installer, whether purposefully created or not, and disables the links not part of that tree. There are two different standards of STP: IEEE and DEC. IEEE is the most common, and is recommended to be the one used in a network. Problems can be caused in networks where both standards of STP are implemented. It is likely that both standards will elect their own root bridge and cause loops in the topology. The way in which both standards handle Bridge Protocol Data Units (see below) also differs.
If more than one open path were to be active at once then there would be several problems. First, a broadcast storm caused by broadcast packets looping between switches would reduce available CPU resources and bandwidth (many modern bridges can detect and limit the effects of this, although it usually still causes a breakdown in connectivity). Second, the traditional source-based location system (filtering database) used by switches would fail to operate correctly. However, a good network design should include spare (redundant) links to provide an alternate path if one fails. Hence the need for spanning tree in a switched network.
Protocol operation
edit- Elect a root bridge.
- Find paths to root bridge.
- Determine least cost (measured as sum of all traversed port costs) path to root bridge.
- Disable all other root paths.
Electing a root bridge
editEach switch has a unique identifier (ID) and a configurable priority number; both of these numbers make up the Bridge Identification or BID. The BID is used to elect a root bridge based upon the lowest priority number; if this is a tie then the numerically lowest ID wins. Because it is next to impossible that two IDs will be the same (they are uniquely assigned), one switch should always be successfully elected as the root bridge with the switch that has the next lowest priority/cost acting as a secondary (backup) root bridge. Other switches in the network that use spanning tree will use the same algorithmic process to calculate the shortest path to the root bridge and so produce a loop free tree topology where multiple paths to the root bridge exist. The priority number is normally left at its default value but can be reconfigured to a lower number if the network administrator wishes a particular switch to be elected; otherwise the whole process is fully automated. The Bridge ID is the concatenation of bridge priority number and MAC address of the switch. The bridge priority number varies from 0 to 65535. The Switch with least administrative cost is selected as a Root Bridge.
Bridge Protocol Data Units (BPDUs)
editBIDs and other Spanning Tree Protocol information are carried in special data frames called bridge protocol data units (BPDUs). BPDUs are exchanged regularly (every 2 seconds by default) and enable switches to keep track of network changes and activate or disable ports as required. When a device is first attached to a switch port, it will not immediately start to forward data. It will instead go through a number of states while it processes BPDUs and determines the topology of the network. When a host is attached such as a computer, printer or server the port will always go into the forwarding state, albeit after a delay of about 30 seconds while it goes through the listening and learning states (see below). The time spent in the listening and learning states is determined by a value known as the forward delay (default 15 seconds and set by the root bridge). However, if instead another switch is connected, the port may remain in blocking mode if it is determined that it would cause a loop in the network. Topology Change Notification (TCN) BPDUs are used to inform other switches of port changes. TCNs are injected into the network by a non-root switch and propagated to the root. Upon receipt of the TCN, the root switch will set a Topology Change flag in its normal BPDUs. This flag is propagated to all other switches to instruct them to rapidly age out their forwarding table entries.
STP switch port states:
- Listening - The switch processes BPDUs and awaits possible new information that would cause it to return to the blocking state.
- Learning - While the port does not yet forward frames (packets) it does learn source addresses from frames received and adds them to the filtering database (switching database)
- Blocking - A port that would cause a switching loop, no user data is sent or received but it may go into forwarding mode if the other links in use were to fail and the spanning tree algorithm determines the port may transition to the forwarding state. BPDU data is still received in blocking state.
- Forwarding - A port receiving and sending data, normal operation. STP still monitors incoming BPDUs that would indicate it should return to the blocking state to prevent a loop.
- Disabled - Not strictly part of STP, a network administrator can manually disable a port
To prevent the delay when connecting hosts to a switch and during some topology changes, Rapid STP was developed and standardized by IEEE 802.1w which allows a switch port to rapidly transition into the forwarding state during these situations.
Evolutions and extensions
editPer-VLAN Spanning Tree (PVST)
editIn Ethernet switched environments where multiple Virtual LANs exist, spanning tree can be deployed per Virtual LAN. Cisco's name for this is per VLAN spanning tree (PVST and PVST+ which is the default protocol used by Cisco switches). Both PVST and PVST+ protocols are Cisco proprietary protocols and they cannot be used on 3rd party switches. PVST only works with ISL due to its embedded Spanning tree ID. Due to high penetration of the IEEE 802.1Q] trunking standard and PVST's incompatibility with 802.1Q, Cisco redefined its PVST standard and called it PVST+.
Rapid Spanning Tree Protocol (RSTP)
editIn 1998, the IEEE introduced an evolution of the Spanning Tree Protocol: Rapid Spanning Tree Protocol (RSTP) or 802.1w. In the 2004 edition of 802.1D, STP is superseded by the RSTP.
RSTP is an evolution of the Spanning Tree Protocol; it was introduced in the extension IEEE 802.1w, and provides for faster spanning tree convergence after a topology change. Standard IEEE 802.1D-2004 now incorporates RSTP and obsoletes STP.
RSTP bridge port roles:
- Root - A forwarding port that has been elected for the spanning-tree topology
- Designated - A forwarding port for every LAN segment
- Alternate - An alternate path to the root bridge. This path is different than using the root port.
- Backup - A backup/redundant path to a segment where another bridge port already connects.
- Disabled - Not strictly part of STP, a network administrator can manually disable a port
RSTP is a refinement of STP and therefore shares most of its basic operation characteristics. However there are some notable differences as summarized below:
- Detection of root switch failure is done in 3 hello times, which is 6 seconds if default hello times have not been changed.
- Ports may be configured as edge ports if they are attached to a LAN which has no other bridges attached. These edge ports transition directly to the forwarding state. RSTP still continues to monitor the port for BPDUs in case a bridge is connected. RSTP can also be configured to automatically detect edge ports. As soon as the bridge detects a BPDU coming to an edge port, the port becomes a non-edge port.
- Unlike in STP, RSTP will respond to BPDUs sent from the direction of the root bridge. An RSTP bridge will "propose" to its designated ports its spanning tree information. If another RSTP bridge receives this information, determines this is the superior root information, and sets all its other ports to discarding. The bridge may send an "agreement" to the first bridge confirming its superior spanning tree information. The first bridge, upon receiving this agreement, knows it can rapidly transition that port to the forwarding state bypassing the traditional listening/learning state transition. This essentially creates a cascading effect away from the root bridge where each designated bridge proposes to its neighbors to determine if it can make a rapid transition. This is one of the major elements which allows RSTP to achieve faster convergence times than STP.
- As discussed in the port role details above, RSTP maintains backup details regarding the discarding status of ports. This avoids timeouts if the current forwarding ports were to fail or BPDUs were not received on the root port in a certain interval.
Multiple Spanning Tree Protocol (MSTP)
editThe Multiple Spanning Tree Protocol (MSTP), originally defined in IEEE 802.1s and later merged into IEEE 802.1Q-2003, defines an extension to the RSTP protocol to further develop the usefulness of virtual LANs (VLANs). This "Per-VLAN" Multiple Spanning Tree Protocol configures a separate Spanning Tree for each VLAN group and blocks the links that are redundant within each Spanning Tree.
If there is only one Virtual LAN(VLAN) in the network, single (traditional) STP works appropriately. If the network contains more than one VLAN, the logical network configured by single STP would work, but it is possible to make better use of the redundant links available by using an alternate spanning tree for different (groups of) VLANs.
MSTP allows formation of MST regions which can run multiple MST instances (MSTI). Multiple regions and other STP bridges are interconnected using one single common spanning tree (CST).
MSTP was inspired by Cisco Systems' Multiple Instances Spanning Tree Protocol (MISTP), and is an evolution of the Spanning Tree Protocol and the Rapid Spanning Tree Protocol. It was introduced in IEEE 802.1s as amendment to 802.1Q, 1998 edition. Standard IEEE 802.1Q-2003 now includes MSTP.
Unlike some proprietary per-VLAN spanning tree implementations, MSTP includes all of its spanning tree information in a single BPDU format. Not only does this reduce the number of BPDUs required on a LAN to communicate spanning tree information for each VLAN, but it also ensures backward compatibility with RSTP (and in effect classical STP too). MSTP does this by encoding additional region information after the standard RSTP BPDU as well as a number of MSTI messages (from 0 to 64 instances, although in practice many bridges support less). Each of these MSTI configuration messages conveys the spanning tree information for each instance. Each instance can be assigned a number of configured VLANs and frames (packets) assigned to these VLANs operate in this spanning tree instance whenever they are inside the MST region. In order to avoid conveying their entire VLAN to spanning tree mapping in each BPDU, bridges encode an MD5 digest of their VLAN to instance table in the MSTP BPDU. This digest is then used by other MSTP bridges, along with other administratively configured values, to determine if the neighboring bridge is in the same MST region as itself.
MSTP is fully compatible with RSTP bridges, in that an MSTP BPDU can be interpreted by an RSTP bridge as an RSTP BPDU. This not only allows compatibility with RSTP bridges without configuration changes, but also causes any RSTP bridges outside of an MSTP region to see the region as a single RSTP bridge, regardless of the number of MSTP bridges inside the region itself. In order to further facilitate this view of an MST region as a single RSTP bridge, the MSTP protocol uses a variable known as remaining hops as a time to live counter instead of the message age timer used by RSTP. The message age time is only incremented once when spanning tree information enters an MST region, and therefore RSTP bridges will see a region as only one "hop" in the spanning tree. Ports at the edge of an MST region connected to either a RSTP or STP bridge or an endpoint are known as boundary ports. As in RSTP, these ports can be configured as edge ports to facilitate rapid changes to the forwarding state when connected to endpoints.