CHAPTER 5

ANALYZING ETHERNET LAN

SWITCHING
LAN SWITCHING CONCEPTS
• A modern Ethernet LAN connects user devices as well as servers into some
switches, with the switches then connecting to each other, sometimes in a
design like Figure 5-1.

• Part of the LAN, called a campus LAN, supports the end-user population as
shown on the left of the figure. End-user devices connect to LAN switches,
which in turn connect to other switches so that a path exists to the rest of
the network.

• The campus LAN switches sit in wiring closets close to the end users. On
the right, the servers used to provide information to the users also connect
to the LAN.

• Those servers and switches often sit in a closed room called a data center,
with connections to the campus LAN to support traffic to/from the users.
• To forward traffic from a user device to a server and back, each switch
performs the same kind of logic, independently from each other.

• The first half of this chapter examines the logic: how a switch chooses
to forward an Ethernet frame, when the switch chooses to not
forward the frame, and so on.
OVERVIEW OF SWITCHING LOGIC
• Ultimately, the role of a LAN switch is to forward Ethernet frames.
LANs exist as a set of user devices, servers, and other devices that
connect to switches, with the switches connected to each other.

• The LAN switch has one primary job: to forward frames to the
correct destination (MAC) address. And to achieve that goal,
switches use logic—logic based on the source and destination MAC
address in each frame’s Ethernet header.
• LAN switches receive Ethernet frames and then make a switching decision:
either forward the frame out some other ports or ignore the frame. To
accomplish this primary mission, switches perform three actions:

1. Deciding when to forward a frame or when to filter (not forward) a frame,

based on the destination MAC address

2. Preparing to forward frames by learning MAC addresses by examining the

source MAC address of each frame received by the switch

3. Preparing to forward only one copy of the frame to the destination by

creating a (Layer 2) loop-free environment with other switches by using
Spanning Tree Protocol (STP)
• The first action is the switch’s primary job, whereas the other two
items are overhead functions.
• Although Chapter 2’s section titled “Ethernet Data-Link Protocols”
already discussed the frame format, this discussion of Ethernet
switching is pretty important, so reviewing the Ethernet frame at this
point might be helpful.

• Figure 5-2 shows one popular format for an Ethernet frame. Basically,
a switch would take the frame shown in the figure, make a decision of
where to forward the frame, and send the frame out that other
interface.
• Most of the upcoming discussions and figures about Ethernet
switching focus on the use of the destination and source MAC
address fields in the header.

• All Ethernet frames have both a destination and source MAC address.
Both are 6-bytes long (represented as 12 hex digits in the book) and
are a key part of the switching logic discussed in this section.
FORWARDING KNOWN UNICAST FRAMES
• To decide whether to forward a frame, a switch uses a dynamically
built table that lists MAC addresses and outgoing interfaces. Switches
compare the frame’s destination MAC address to this table to decide
whether the switch should forward a frame or simply ignore it.

• For example, consider the simple network shown in Figure 5-3, with
Fred sending a frame to Barney.

• In this figure, Fred sends a frame with destination address

0200.2222.2222 (Barney’s MAC address). The switch compares the
destination MAC address (0200.2222.2222) to the MAC address table,
matching the bold table entry. That matched table entry tells the
switch to forward the frame out port F0/2, and only port F0/2.
OUR ONE SWITCH NETWORK TOPOLOGY
• A switch’s MAC address table lists the location of each MAC relative to that one
switch. In LANs with multiple switches, each switch makes an independent
forwarding decision based on its own MAC address table.

• Together, they forward the frame so that it eventually arrives at the destination.

• For example, Figure 5-4 shows the first switching decision in a case in which Fred
sends a frame to Wilma, with destination MAC 0200.3333.3333. The topology has
changed versus the previous figure, this time with two switches, and Fred and
Wilma connected to two different switches.

• Figure 5-3 shows the first switch’s logic, in reaction to Fred sending the original
frame. Basically, the switch receives the frame in port F0/1, finds the destination
MAC (0200.3333.3333) in the MAC address table, sees the outgoing port of G0/1,
so SW1 forwards the frame out its G0/1 port.
OUR TWO SWITCH NETWORK TOPLOGY LAB
• That same frame next arrives at switch SW2, entering SW2’s G0/2
interface. As shown in Figure 5-5, SW2 uses the same logic steps, but
using SW2’s table.

• The MAC table lists the forwarding instructions for that switch only.
In this case, switch SW2 forwards the frame out its F0/3 port, based
on SW2’s MAC address table.
• The examples so far use switches that happen to have a MAC table
with all the MAC addresses listed. As a result, the destination MAC
address in the frame is known to the switch.

• The frames are called known unicast frames, or simply known

unicasts, because the destination address is a unicast address, and
the destination is known.

• As shown in these examples, switches forward known unicast frames

out one port: the port as listed in the MAC table entry for that MAC
address.
LEARNING MAC ADDRESSES
• Thankfully, the networking staff does not have to type in all those MAC
table entries. Instead, each switch does its second main function: to learn
the MAC addresses and interfaces to put into its address table.

• With a complete MAC address table, the switch can make accurate
forwarding and filtering decisions as just discussed.

• Switches build the address table by listening to incoming frames and

examining the source MAC address in the frame. If a frame enters the
switch and the source MAC address is not in the MAC address table, the
switch creates an entry in the table.

• That table entry lists the interface from which the frame arrived. Switch
learning logic is that simple.
• Figure 5-6 depicts the same single-switch topology network as Figure
5-3, but before the switch has built any address table entries.

• The figure shows the first two frames sent in this network—first a
frame from Fred, addressed to Barney, and then Barney’s response,
addressed to Fred.
• EXPLAIN THE ABOVE DIAGRAM
FLOODING UNKNOWN UNICAST AND
BROADCAST FRAMES
• Now again turn your attention to the forwarding process, using the
topology in Figure 5-5.

• What do you suppose the switch does with Fred’s first frame, the one
that occurred when there were no entries in the MAC address table?
As it turns out, when there is no matching entry in the table, switches
forward the frame out all interfaces (except the incoming interface)
using a process called flooding.

• And the frame whose destination address is unknown to the switch is

called an unknown unicast frame, or simply an unknown unicast.
• Switches flood unknown unicast frames. Flooding means that the
switch forwards copies of the frame out all ports, except the port on
which the frame was received.

• The idea is simple: if you do not know where to send it, send it
everywhere, to deliver the frame. And, by the way, that device will
likely then send a reply—and then the switch can learn that device’s
MAC address and forward future frames out one port as a known
unicast frame.

• Switches also flood LAN broadcast frames (frames destined to the

Ethernet broadcast address of FFFF.FFFF.FFFF) because this process
helps deliver a copy of the frame to all devices in the LAN.
• For example, Figure 5-7 shows the same first frame sent by Fred,
when the switch’s MAC table is empty.

• At step 1, Fred sends the frame. At step 2, the switch sends a copy of
the frame out all three of the other interfaces.
AVOIDING LOOPS USING SPANNING TREE
PROTOCOL
• The third primary feature of LAN switches is loop prevention, as
implemented by Spanning Tree Protocol (STP).

• Without STP, any flooded frames would loop for an indefinite period
of time in Ethernet networks with physically redundant links.

• To prevent looping frames, STP blocks some ports from forwarding

frames so that only one active path exists between any pair of LAN
segments.
• The result of STP is good: frames do not loop infinitely, which makes the
LAN usable.

• However, STP has negative features as well, including the fact that it takes
some work to balance traffic across the redundant alternate links.

• A simple example makes the need for STP more obvious. Remember,
switches flood unknown unicast frames and broadcast frames.

• Figure 5-8 shows an unknown unicast frame, sent by Larry to Bob, which
loops forever because the network has redundancy but no STP.

• Note that the figure shows one direction of the looping frame only, just to
reduce clutter, but a copy of the frame would also loop the other direction.
• The flooding of this frame would result in the frame repeatedly
rotating around the three switches, because none of the switches list
Bob’s MAC address in their address tables—so each switch floods the
frame.

• And while the flooding process is a good mechanism for forwarding

unknown unicasts and broadcasts, the continual flooding of traffic
frames as in the figure can completely congest the LAN to the point of
making it unusable.
• A topology like Figure 5-8, with redundant links, is good, but we need
to prevent the bad effect of those looping frames. To avoid Layer 2
loops, all switches need to use STP. STP causes each interface on a
switch to settle into either a blocking state or a forwarding state.

• Blocking means that the interface cannot forward or receive data

frames, while forwarding means that the interface can send and
receive data frames. If a correct subset of the interfaces is blocked,
only a single currently active logical path exists between each pair of
LANs.
LAN SWITCHING SUMMARY
• Switches use Layer 2 logic, examining the Ethernet data-link header to
choose how to process frames. In particular, switches make decisions
to forward and filter frames, learn MAC addresses, and use STP to
avoid loops, as follows:

Step 1. Switches forward frames based on the destination MAC

address:
A. If the destination MAC address is a broadcast, multicast, or unknown
destination unicast (a unicast not listed in the MAC table), the switch
floods the frame.
B. If the destination MAC address is a known unicast address (a unicast
address found in the MAC table):

i. If the outgoing interface listed in the MAC address table is different

from the interface in which the frame was received, the switch
forwards the frame out the outgoing interface.

ii. If the outgoing interface is the same as the interface in which the
frame was received, the switch filters the frame, meaning that the
switch simply ignores the frame and does not forward it.
Step 2. Switches use the following logic to learn MAC address table
entries:
A. For each received frame, examine the source MAC address and note
the interface from which the frame was received.

B. If it is not already in the table, add the MAC address and interface it
was learned on.

Step 3. Switches use STP to prevent loops by causing some interfaces to

block, meaning that they do not send or receive frames.
VERIFYING AND ANALYZING ETHERNET
SWITCHING
• A Cisco Catalyst switch comes from the factory ready to switch
frames. All you have to do is connect the power cable, plug in the
Ethernet cables, and the switch starts switching incoming frames.

• Connect multiple switches together, and they are ready to forward

frames between the switches as well. And the big reason behind this
default behavior has to do with the default settings on the switches.
• Cisco Catalyst switches come ready to get busy switching frames because of
settings like these:

 The interfaces are enabled by default, ready to start working once a cable
is connected.
 All interfaces are assigned to VLAN 1.
 10/100 and 10/100/1000 interfaces use auto-negotiation by default.
 The MAC learning, forwarding, flooding logic all works by default.
 STP is enabled by default.

• This second section of the chapter examines how switches will work with
these default settings, showing how to verify the Ethernet learning and
forwarding process.
DEMONSTRATING MAC LEARNING
• To see a switch’s MAC address table, use the show mac address-table command. With no
additional parameters, this command lists all known MAC addresses in the MAC table,
including some overhead static MAC addresses that you can ignore. To see all the
dynamically learned MAC addresses only, instead use the show mac address-table dynamic
command.

• The examples in this chapter use almost no configuration, as if you just unboxed the switch
when you first purchased it. For the examples, the switches have no configuration other
than the hostname command to set a meaningful hostname. Note that to do this in lab, all
I did was
■ Use the erase startup-config EXEC command to erase the startup-config file

■ Use the delete vlan.dat EXEC command to delete the VLAN configuration details

■ Use the reload EXEC command to reload the switch (thereby using the empty
startupconfig, with no VLAN information configured)

■ Configure the hostname SW1 command to set the switch hostname

ONE SWITCH GNS3 NETWOTK TOPOLOGY
GNS3 ONE SWITCH MAC ADDRESS TABLE
• EXPLAIN THE MAC ADDRESS TABLE FIELDS
SWITCH INTERFACES
• The first example assumes that you installed the switch and cabling
correctly, and that the switch interfaces work.

• Once you do the installation and connect to the Console, you can
easily check the status of those interfaces with the show interfaces
status command, as shown in Example 5-2.
“Show interface status” command on Cisco PT
“Show interface status” command on GNS3
• Focus on the port column for a moment. As a reminder, Cisco Catalyst
switches name their ports based on the fastest specification
supported, so in this case, the switch has 24 interfaces named
FastEthernet, and two named GigabitEthernet.

• Many commands abbreviate those terms, this time as Fa for

FastEthernet and Gi for GigabitEthernet. (The example happens to
come from a Cisco Catalyst switch that has 24 10/100 ports and two
10/100/1000 ports.)
• The Status column, of course, tells us the status or state of the port. In this
case, the lab switch had cables and devices connected to ports F0/1–F0/4
only, with no other cables connected.

• As a result, those first four ports have a state of connected, meaning that
the ports have a cable and are functional. The notconnect state means
that the port is not yet functioning.

• It may mean that there is no cable installed, but other problems may exist
as well. (The section “Analyzing Switch Interface Status and Statistics,” in
Chapter 7, “Configuring and Verifying Switch Interfaces,” works through
the details of what causes a switch interface to fail.)
• The show interfaces command has a large number of options. One
particular option, the counters option, lists statistics about incoming
and outgoing frames on the interfaces.

• In particular, it lists the number of unicast, multicast, and broadcast

frames (both the in and out directions), and a total byte count for
those frames. Example 5-3 shows an example, again for interface
F0/1.
FINDING ENTRIES IN THE MAC ADDRESS TABLE
• With a single switch and only four hosts connected to it, you can just
read the details of the MAC address table and find the information
you want to see.

• However, in real networks, with lots of interconnected hosts and

switches, just reading the output to find one MAC address can be
hard to do.

• You might have hundreds of entries—page after page of output—

with each MAC address looking like a random string of hex characters.
(The book uses easyto- recognize MAC addresses to make it easier to
learn.)
• Thankfully, Cisco IOS supplies several more options on the show mac
address-table command to make it easier to find individual entries.

• First, if you know the MAC address, you can search for it—just type
in the MAC address at the end of the command, as shown in
Example 5-4.

• All you have to do is include the address keyword, followed by the

actual MAC address. If the address exists, the output lists the
address.

• Note that the output lists the exact same information in the exact
same format, but it lists only the line for the matching MAC address.
ON GNS3
• While this information is useful, often the engineer troubleshooting a
problem does not know the MAC addresses of the devices connected to
the network.

• Instead, the engineer has a topology diagram, knowing which switch ports
connect to other switches and which connect to endpoint devices.

• Sometimes you might be troubleshooting while looking at a network

topology diagram and want to look at all the MAC addresses learned off a
particular port.

• IOS supplies that option with the show mac address-table dynamic
interface command. Example 5-5 shows one example, for switch SW1’s
F0/1 interface.
ON GNS3
• Finally, you may also want to find the MAC address table entries for
one VLAN. You guessed it—you can add the vlan parameter, followed
by the VLAN number.

• Example 5-6 shows two such examples from the same switch SW1
from Figure 5-7—one for VLAN 1, where all four devices reside, and
one for a nonexistent VLAN 2.
ON GNS3
MANAGING THE MAC ADDRESS TABLE (AGING,
CLEARING)
• This chapter closes with a few comments about how switches
manage their MAC address tables. Switches do learn MAC addresses,
but those MAC addresses do not remain in the table indefinitely.

• The switch will remove the entries due to age, due to the table filling,
and you can remove entries using a command.

• First, for aging out MAC table entries, switches remove entries that
have not been used for a defined number of seconds (default of 300
seconds on many switches).
• To do that, switches look at every incoming frame and every source
MAC address, and do something related to learning. If it is a new MAC
address, the switch adds the correct entry to the table, of course.

• However, if that entry already exists, the switch still does something:
it resets the inactivity timer back to 0 for that entry.

• Each entry’s timer counts upward over time to measure how long the
entry has been in the table.

• The switch times out (removes) any entries whose timer reaches the
defined aging time.
• Example 5-7 shows the aging timer setting for the entire switch. The
aging time can be configured to a different time, globally and per-
VLAN using the mac address-table aging-time time-in-seconds [vlan
vlan-number] global configuration command.

• The example shows a case with all defaults, with the global setting of
300 seconds, and no per-VLAN overrides.
ON GNS3
• Each switch also removes the oldest table entries, even if they are younger
than the aging time setting, if the table fills. The MAC address table uses
content-addressable memory (CAM), a physical memory that has great
table lookup capabilities.

• However, the size of the table depends on the size of the CAM in a
particular model of switch and based on some configurable settings in the
switch.

• When a switch tries to add a new MAC table entry and finds the table full,
the switch times out (removes) the oldest table entry to make space.

• For perspective, the end of Example 5-7 lists the size of a Cisco Catalyst
switch’s MAC table at about 8000 entries—the same four existing entries
from the earlier examples, with space for 7299 more
• Finally, you can remove the dynamic entries from the MAC address table
with the clear mac address-table dynamic command.

• Note that the show commands in this chapter can be executed from user
and enable mode, but the clear command happens to be an enable mode
command.

• The command also allows parameters to limit the types of entries cleared,
as follows:
■ By VLAN: clear mac address-table dynamic vlan vlan-number
■ By Interface: clear mac address-table dynamic interface interface-id
■ By MAC address: clear mac address-table dynamic address mac-address
MAC ADDRESS TABLES WITH MULTIPLE
SWITCHES
• Finally, to complete the discussion, it helps to think about an example with
multiple switches, just to emphasize how MAC learning, forwarding, and
flooding happen independently on each LAN switch.

• Consider the topology in Figure 5-10, and pay close attention to the port
numbers. The ports were purposefully chosen so that neither switch used
any of the same ports for this example.

• That is, switch SW2 does have a port F0/1 and F0/2, but I did not plug any
devices into those ports when making this example. Also note that all ports
are in VLAN 1, and as with the other examples in this chapter, all default
configuration is used other than the hostname on the switches.
CISCO PACKET TRACER NETWORK TOPOLOGY
• Think about a case in which both switches learn all four MAC
addresses. For instance, that would happen if the hosts on the left
communicate with the hosts on the right.

• SW1’s MAC address table would list SW1’s own port numbers (F0/1,
F0/2, and G0/1) because SW1 uses that information to decide where
SW1 should forward frames.

• Similarly, SW2’s MAC table lists SW2’s port numbers (F0/3, F0/4, G0/2
in this example). Example 5-8 shows the MAC address tables on both
switches for that scenario.
ON SWITCH SW1
ON SWITCH SW2
THE END.