
CCNA

Chapter 7:
Layer 2 Switching
Objectives
The CCNA Topics Covered in this chapter include:
• Switching services
• Bridges vs. LAN switching
• Three switch functions
• Address Learning
• Switching loops
• Spanning-Tree Protocol (STP)
Before Layer 2 Switching

Switched LANs
Typical Switched Designs

• Purposes for using switching
– Breaks up collision domains
– Cost-effective, resilient internetwork
• Purpose for Spanning-Tree Protocol (STP)
– Stops loops in layer 2 switched networks
Switching Services
Layer 2 switching provides:
• Hardware-based bridging (ASICs)
• Wire speed
• Low latency
• Low cost

Limitations of Layer 2 Switching
• Must break up the collision domains correctly.
• Make sure that users spend 80 percent of their time on the local
segment.
• Switches do not break up broadcast domains by default.
Bridging vs. LAN switching
Three Switch Functions at Layer-2
The MAC database, also known as the MAC table, filter table or Content
Addressable Memory (CAM) table, is a dynamic table in a switch that maps
MAC addresses to ports/interfaces. It is one of the essential mechanisms
that separate switches from hubs.
Types of LAN Switching
LAN switch types determine how a frame will be handled when it is received
on a switch port. There are three types of LAN switching:
• Cut-Through: also known as fast-forward. In this mode the switch only
waits to read the destination MAC address before forwarding the frame
to the desired port after a lookup in the CAM table. It doesn't check for
any errors in the frame, which reduces latency.
• Fragment Free: this mode checks the frame for collisions before
forwarding it. It checks the first 64 bytes of a frame for fragmentation
before forwarding, thus guarding against forwarding runts caused by
collisions.
* A runt is a frame that is too small to traverse the network; Ethernet
requires each frame to be at least 64 bytes long.
• Store and Forward: in this mode the entire frame is read before being
forwarded. The frame is also checked for errors by running the CRC; if
the CRC passes, the frame is forwarded to the interface associated with
the destination address in the CAM table.
Address Learning
When a switch is first powered on, the MAC forward/filter table is empty.

When a device transmits, its source MAC address is associated in the
MAC table with the interface the frame arrived on. The switch then has
no choice but to flood the frame, since it has no idea where the
destination is. If a device answers, its MAC will also be stored in the
MAC table.
Forward/Filter Decisions
When a frame arrives, its destination MAC address is compared to the
forward/filter table; if it is known, the frame is sent out through the
associated interface. The switch doesn't transmit the frame through
any interface other than the destination interface; this preserves
bandwidth and is known as frame filtering.

If the destination address isn't listed in the MAC table, the frame is
flooded out all active interfaces except the interface on which the
frame was received.

If a broadcast is sent over the LAN, the switch will flood the frame out
all active interfaces except the one that received the frame.
Remember that switches don't break up broadcast domains, so they
forward broadcasts.
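As an added example (not part of the original slides), this Python model of a switch's CAM table walks a few constructed frames through address learning, frame filtering and flooding; the port names and MAC addresses are constructed sample values.

```python
# Added example (not from the CCNA slides): a minimal model of a switch's
# forward/filter (CAM) table showing address learning, filtering and flooding.
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Switch:
    ports: list                                  # active interfaces, e.g. ["Fa0/1", ...]
    cam: dict = field(default_factory=dict)      # MAC -> ingress port; empty at power-on

    def receive(self, ingress, src, dst):
        """Process one frame and return the list of ports it is sent out of."""
        # Address learning: bind the source MAC to the port it arrived on.
        # A MAC seen later on another port simply overwrites the entry.
        self.cam[src] = ingress
        # Broadcast or unknown unicast: flood out every active port except ingress.
        if dst == BROADCAST or dst not in self.cam:
            return [p for p in self.ports if p != ingress]
        # Known unicast: frame filtering, only the destination's port sees it.
        # If the destination sits on the ingress segment the frame is dropped.
        out = self.cam[dst]
        return [] if out == ingress else [out]


def demo():
    """Constructed scenario: A on Fa0/1, B on Fa0/2, C shares Fa0/1 with A via a hub."""
    sw = Switch(ports=["Fa0/1", "Fa0/2", "Fa0/3"])
    a, b, c = "00:11:22:aa:aa:aa", "00:11:22:bb:bb:bb", "00:11:22:cc:cc:cc"
    first = sw.receive("Fa0/1", a, b)          # B unknown -> flooded
    reply = sw.receive("Fa0/2", b, a)          # A known  -> filtered to Fa0/1 only
    bcast = sw.receive("Fa0/1", a, BROADCAST)  # broadcast -> flooded
    local = sw.receive("Fa0/1", c, a)          # A is on the ingress port -> dropped
    return first, reply, bcast, local, dict(sw.cam)
```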
SWITCHING LOOPS
Redundant links between switches are useful, as they prevent complete network
failure in the event that one link stops working.
This is great, but it also creates the possibility of switching loops if frames are flooded
through both redundant links.
Problems that can result from redundant links:
• Broadcast storms
• The MAC address filter table can be totally confused about the location of
a device, because its frames can be received through more than
one link; the switch may be caught up constantly updating the
MAC table and hence fail to forward frames (thrashing the MAC
table).
• A device can receive multiple copies of the same frame,
as the frame might arrive from different segments at the
same time.

Spanning-Tree Protocol (STP)
IEEE 802.1D standard.
STP's main task is stopping network (switching) loops. It does
so by monitoring all links and shutting down any redundant links.
With STP, frames will be forwarded only on the links STP has picked.

Without some layer 2 mechanism to control loops, a redundant
topology like the one below would result in the problems
previously described.
Spanning-Tree Protocol (STP)
Terminologies
Bridge ID: combination of bridge/switch priority and MAC address.
The bridge/switch with the lowest bridge ID becomes the root bridge.

Root Bridge: the bridge/switch with the best bridge ID; the lower the
bridge ID, the better it is.

BPDU: Bridge Protocol Data Unit. These carry the information used in
the selection of the root bridge as well as in the subsequent
configuration of the network.

Nonroot Bridge: a bridge/switch that is not the root bridge.

Root port: the port (link) that gives a connection to the root bridge. It can be
directly connected or provide the best path to the root bridge.

Designated port: a port determined to have the best cost, thus marked
as a forwarding port.
Nondesignated port: a port with a higher cost, thus marked as a blocking
port.
Forwarding port: a port that can forward frames.
Blocked port: a port that can't forward frames, in order to prevent loops.
Port Cost: determined by the bandwidth of a link; it determines the best
path when multiple links are used between two switches and none of
the links is a root port.
Spanning-Tree Port States
Blocking: a blocking port will not forward frames; it just listens to
BPDUs. When a switch is powered up, all ports are in the blocking
state by default.
Listening: a listening port listens to BPDUs to make sure no loops occur
on the network before passing frames. It prepares to forward frames
without populating the MAC address table.
Learning: listens to BPDUs and learns all the paths in the switched
network; populates the MAC address table but doesn't forward
frames. Forward delay is the time it takes to transition from listening
to learning mode, which is 15 seconds by default.
Forwarding: sends and receives frames. If a port is a designated or
root port at the end of the learning stage, it enters the forwarding state.
Disabled: non-operational; doesn't participate in STP or frame
forwarding.
Spanning-Tree Operations
STP's job is to find all links in the network and shut down
all redundant links.
This is accomplished by first electing a root bridge that
will forward through all its ports (every port on a root
bridge is a designated port) and act as a point of
reference for all devices in the STP domain.
Once the root bridge is elected, each of the other switches will select one
root port (the root port provides the fastest path to
the root bridge). Each link between two switches will
have one designated port.
Any port that is neither a root port nor a designated port
will be in the blocking state, thus breaking the switching
loop.
Spanning-Tree Operations
Electing the root bridge
The bridge ID is used to elect the root bridge in the STP domain,
and is used to determine the root port for each of the remaining
devices in the STP domain.
The bridge ID is 8 bytes long; it includes the priority and the MAC
address. The default priority is 32768.
The lower the bridge ID the better; if two switches have the same
priority, then the MAC address will be the tie breaker.

To determine which port to shut down, STP checks each port's bandwidth;
the one with the lower bandwidth will be shut down. If the bandwidths
are the same, then the higher of the port numbers will be shut down.
*Though not always.*
Spanning-Tree Operations
Electing the root bridge
To make a switch the root bridge (influencing the election) we would have to lower
its priority or increase the priority of the other switches. Priority is always
an increment of 4096.
The command show spanning-tree will give us details regarding STP on the
given switch.
To change the priority, use the command
spanning-tree vlan 1 priority X

**Convergence: the state in which all ports have transitioned into either the
forwarding or the blocked state. No data is forwarded until convergence is
complete. Convergence takes up to 50 seconds with the default timers.
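Added example (not from the slides): electing the root bridge in Python by comparing 8-byte bridge IDs built from priority and MAC, then re-running the election after lowering one switch's priority in 4096 steps; the switch names and MAC addresses are constructed sample values.

```python
# Added example (not from the CCNA slides): root-bridge election by bridge ID.
# Bridge ID = 2-byte priority followed by 6-byte MAC; the lowest value wins.
PRIORITY_STEP = 4096          # IOS only accepts multiples of 4096
DEFAULT_PRIORITY = 32768


def bridge_id(priority, mac):
    """Return the bridge ID as an integer so two IDs compare numerically."""
    if not 0 <= priority <= 61440 or priority % PRIORITY_STEP:
        raise ValueError("priority must be a multiple of 4096 in 0..61440")
    mac_int = int(mac.replace(":", "").replace(".", "").replace("-", ""), 16)
    return (priority << 48) | mac_int


def elect_root(switches):
    """switches: {name: (priority, mac)}. Return the name of the root bridge."""
    return min(switches, key=lambda name: bridge_id(*switches[name]))


def demo():
    # Constructed LAN: every switch at the default priority, so the MAC decides.
    lan = {
        "Core":  (DEFAULT_PRIORITY, "00:1a:2b:00:00:30"),
        "Dist1": (DEFAULT_PRIORITY, "00:1a:2b:00:00:10"),
        "Dist2": (DEFAULT_PRIORITY, "00:1a:2b:00:00:20"),
    }
    default_root = elect_root(lan)           # Dist1: lowest MAC wins the tie
    # Influence the election, equivalent to 'spanning-tree vlan 1 priority 24576'
    # on Core: two steps of 4096 below the default.
    lan["Core"] = (DEFAULT_PRIORITY - 2 * PRIORITY_STEP, lan["Core"][1])
    tuned_root = elect_root(lan)             # Core: a lower priority beats any MAC
    return default_root, tuned_root
```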
Spanning-Tree Operations
Portfast: this disables STP on a port so it doesn't take 50 seconds to go from
the blocked to the forwarding state. This is done on ports we are totally sure won't
create switching loops, typically access ports.
Switch(config)# int fastEthernet 0/1
Switch(config-if)# spanning-tree portfast
Uplinkfast: allows a switch to find alternative paths to the root bridge before the
primary link fails. This improves convergence time in case of link failure,
because when the primary link fails the other link will come up quickly.
Backbonefast: used to determine and fix link failures on the local
switch; it speeds up convergence when a link not directly connected
to the switch fails. This is detected when an inferior BPDU is
received, thus starting STP reconfiguration quickly.

All the above features are Cisco proprietary, created to fix the holes in the
802.1D standard.
Rapid Spanning-Tree Protocol
IEEE 802.1w standard that addresses all the issues with 802.1D.
Though it can interoperate with 802.1D, it's essential to make sure that
all switches in the network run 802.1w for it to work properly.
Core(config)# spanning-tree mode rapid-pvst
PORT SECURITY
Port security is a means of protecting our switches from intruders.
This would prevent an intruder from being able to plug in another
switch, hub or even a computer on a switch port.
Port security allows us to configure the following rules:
• Maximum # of users that can connect
• Specific MACs that can connect through a given port
• Effect of violating the above security

Before these configurations can be made, port security needs to be
enabled on the switch:
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security

This turns ON port security on the switch.
PORT SECURITY
Specifying the maximum # of users
Switch(config-if)# switchport port-security maximum X

Specifying MACs that can connect
Switch(config-if)# switchport port-security mac-address x-x-x-x-x-x
This will allow only the specified MAC address to connect
(depending on the maximum configured).

Switch(config-if)# switchport port-security mac-address sticky
This will allow the switch to dynamically learn the MAC addresses and allow
the first MAC addresses, depending on the maximum configured.

Specifying the effect of a violation
Switch(config-if)# switchport port-security violation shutdown
This tells the switch port to shut down if a violation occurs.

Switch(config-if)# switchport port-security violation restrict
This tells the switch to alert you via SNMP that a violation has occurred.

Switch(config-if)# switchport port-security violation protect
This tells the switch port to drop the frames from the violating host.
PORT SECURITY
Examples
Switch# config t
Switch(config)# int f0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security violation shutdown

Switch# config t
Switch(config)# int f0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation shutdown
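Added example (not from the slides): a Python model of the port-security rules above, run with the second configuration from the examples (sticky, maximum 2, violation shutdown) and checked against the restrict and protect actions; the MAC addresses are constructed sample values.

```python
# Added example (not from the CCNA slides): a model of port security on one
# access port: a maximum, static or learned MACs (sticky entries are the ones
# the switch would keep in its config), and the shutdown/restrict/protect actions.
class SecurePort:
    def __init__(self, maximum=1, sticky=False, violation="shutdown", static=()):
        assert violation in ("shutdown", "restrict", "protect")
        self.maximum = maximum
        self.sticky = sticky
        self.violation = violation
        self.allowed = set(static)      # statically configured MACs
        self.sticky_saved = []          # learned MACs a sticky port writes to config
        self.err_disabled = False
        self.violations = 0             # restrict mode counts and alerts
        self.alerts = []                # stands in for the SNMP trap / syslog message

    def ingress(self, src_mac):
        """Return 'forward' or 'drop' for a frame arriving from src_mac."""
        if self.err_disabled:
            return "drop"               # a shut-down port passes nothing
        if src_mac in self.allowed:
            return "forward"
        # Unknown source with room left under the maximum: learn it.
        if len(self.allowed) < self.maximum:
            self.allowed.add(src_mac)
            if self.sticky:
                self.sticky_saved.append(src_mac)
            return "forward"
        # Violation: one MAC too many, or a MAC outside the static list.
        if self.violation == "shutdown":
            self.err_disabled = True    # port goes err-disabled until re-enabled
            self.alerts.append(f"err-disabled by {src_mac}")
        elif self.violation == "restrict":
            self.violations += 1
            self.alerts.append(f"violation from {src_mac}")
        # protect: drop silently, with no counter and no alert
        return "drop"


def demo():
    """Second configuration from the slides: sticky, maximum 2, violation shutdown."""
    m1, m2, m3 = "00:aa:00:00:00:01", "00:aa:00:00:00:02", "00:aa:00:00:00:03"
    port = SecurePort(maximum=2, sticky=True, violation="shutdown")
    results = [port.ingress(m) for m in (m1, m2, m3, m1)]   # third MAC trips it
    return results, port.err_disabled, port.sticky_saved
```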
