
Chapter Four

Switches

Switches can perform error checking before forwarding data, which makes them efficient: frames that fail the check are dropped, and good frames are forwarded only to the device they are addressed to. Depending on the model, a switch can operate at layer 2 (forwarding on MAC addresses) or at layer 3 (routing on IP addresses). Large networks usually use switches rather than hubs to connect computers within the same subnet.

 A switch operates at layer 2, the data link layer of the OSI model.
 It is an intelligent network device that can be thought of as a multiport network bridge.
 It uses MAC addresses (addresses of the medium access control sublayer) to deliver frames to selected destination ports.
 It uses packet switching to receive and forward frames from the source to the destination device.
 It supports unicast (one-to-one), multicast (one-to-many) and broadcast (one-to-all) communication.
 The transmission mode is full duplex, i.e. communication on the link occurs in both directions at the same time, so collisions do not occur.
 Switches are active devices, equipped with network software and network management capabilities.
 Switches can perform some error checking before forwarding data to the destination port.
 The number of ports is higher, typically 24 or 48.

1. Switch basic configuration

Scenario

In this lab, you will examine and configure a standalone LAN switch. Although a switch performs its basic functions in its default out-of-the-box condition, there are a number of parameters that a network administrator should modify to ensure a secure and optimized LAN. This lab introduces you to the basics of switch configuration.

Verify the Default Switch Configuration

Step 1: Enter privileged mode.

You can access all the switch commands in privileged mode. However, because many of the privileged commands configure operating parameters, privileged access should be password-protected to prevent unauthorized use. You will set passwords in Task 3. The privileged EXEC command set includes the commands available in user EXEC mode, as well as the configure command, through which access to the remaining command modes is gained. Enter privileged EXEC mode by entering the enable command.
Switch>enable

Switch#

Notice that the prompt changed from Switch> to Switch# to reflect privileged EXEC mode.

Step 2: Examine the current switch configuration.

Examine the current running configuration file.

Switch#show running-config

Step 3: Display Cisco IOS information.

Examine the following version information that the switch reports.

Switch#show version

Step 4: Examine the Fast Ethernet interfaces.

Examine the default properties of the Fast Ethernet interface used by PC1.

Switch#show interface fastethernet 0/18

Step 5: Examine VLAN information.

Examine the default VLAN settings of the switch.

Switch#show vlan

Step 6: Examine flash memory.

Issue one of the following commands to examine the contents of the flash directory.

Switch#dir flash:

or

Switch#show flash

Files have a file extension, such as .bin, at the end of the filename. Directories do not have a file
extension. To examine the files in a directory, issue the following command using the filename
displayed in the output of the previous command:

Switch#dir flash:c2960-lanbase-mz.122-25.SEE3

The output should look similar to this:

Directory of flash:/c2960-lanbase-mz.122-25.SEE3/

6 drwx 4480 Mar 1 1993 00:04:42 +00:00 html

618 -rwx 4671175 Mar 1 1993 00:06:06 +00:00 c2960-lanbase-mz.122-25.SEE3.bin


619 -rwx 457 Mar 1 1993 00:06:06 +00:00 info

32514048 bytes total (24804864 bytes free)

Step 7: Examine the startup configuration file.

To view the contents of the startup configuration file, issue the show startup-config command in privileged EXEC mode.

Switch#show startup-config

startup-config is not present

Let’s make one configuration change to the switch and then save it. Type the following
commands:

Switch#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)#hostname S1

S1(config)#exit

S1#

To save the contents of the running configuration file to non-volatile RAM (NVRAM), issue the command copy running-config startup-config. The prompt now shows the new hostname.

S1#copy running-config startup-config

Destination filename [startup-config]? (enter)

Building configuration…

[OK]

Note: This command is easier to enter by using the copy run start abbreviation.

Now display the contents of NVRAM using the show startup-config command.

S1#show startup-config

Using 1170 out of 65536 bytes

version 12.2

no service pad
service timestamps debug uptime

service timestamps log uptime

no service password-encryption

hostname S1

<output omitted>
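The startup-config above already contains one setting worth acting on: no service password-encryption means any line or enable password later typed in plain text is stored and displayed in plain text by show running-config. The script below is an added example, not part of the lab or of Cisco IOS: it parses a configuration in the format show running-config prints and flags the hardening points this section raises (factory-default hostname, privileged EXEC not protected by an enable secret, password encryption off, a vty line with login but no password). Both sample configurations are constructed to resemble the output above; the type 5 and type 7 strings in the hardened one are placeholders, not real hashes.

```python
"""Audit an IOS switch configuration for the hardening points raised in the lab.

Added example; not from the page.  SAMPLE_CONFIG mirrors the show startup-config
output above, extended with constructed interface and line sections.
"""

# Constructed to resemble the switch's startup-config after the hostname change.
SAMPLE_CONFIG = """\
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname S1
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
end
"""

# Constructed hardened version; the type 5 / type 7 strings are placeholders, not real hashes.
HARDENED_CONFIG = """\
version 12.2
service password-encryption
hostname S1
enable secret 5 $1$EXAM$placeholderhashvalue
!
line con 0
 password 7 0A1B2C3D4E5F
 login
line vty 0 4
 password 7 0A1B2C3D4E5F
 login
line vty 5 15
 password 7 0A1B2C3D4E5F
 login
!
end
"""


def parse_config(text):
    """Split an IOS config into top-level commands and their indented sub-commands.

    Returns (list of top-level commands in order, {command: [sub-commands]}).
    """
    top_level, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                      # separators and comments
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top_level.append(current)
            blocks.setdefault(current, [])
    return top_level, blocks


def audit_config(text):
    """Return a list of findings; an empty list means every check passed."""
    top_level, blocks = parse_config(text)
    findings = []

    hostname = next((c.split(None, 1)[1] for c in top_level if c.startswith("hostname ")), None)
    if hostname in (None, "Switch"):
        findings.append("hostname is still the factory default")

    if not any(c.startswith("enable secret") for c in top_level):
        findings.append("no enable secret: privileged EXEC is not password-protected")
    if any(c.startswith("enable password") for c in top_level):
        findings.append("enable password is stored as type 0/7 (reversible); use enable secret instead")

    if "no service password-encryption" in top_level:
        findings.append("service password-encryption is off: line passwords are stored in clear text")

    for cmd, subs in blocks.items():
        if cmd.startswith("line vty") and "login" in subs and not any(s.startswith("password") for s in subs):
            findings.append(f"{cmd}: login configured without a password; remote logins are refused until one is set")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or "no findings")
```

Run it against the text of show running-config saved from the switch; the parser only relies on IOS's convention that sub-commands are indented by one space under their parent command.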

2. CAM table

The CAM table is one of the fundamental operations of a switch; it is covered in depth in the CCNP SWITCH Official Certification Guide, and it matters both for the 642-813 SWITCH exam and for day-to-day work. The CAM (content addressable memory) table is present in all Cisco Catalyst switches for layer 2 switching. It records a station's MAC address, the switch port on which that address was learned, the VLAN the port belongs to, and a timestamp for the entry.

The CAM table is used in multilayer switching to switch frames quickly to their destination. The switch reads each incoming frame's source MAC address and enters it into the CAM table. If no further frames from that address are seen within 300 seconds (the default aging time), the entry ages out. If the device connected to a switch port is moved to another port, the switch records the incoming source MAC address on the new port, updates the CAM table and removes its previous entry for the same MAC address.

 Host A is connected to switch port 1 and Host B is connected to switch port 2.
 Host A sends traffic to the switch.
 The switch looks into the frame, records the source MAC address (Host A's) and places an entry in the CAM table: Host A is on switch port 1, has the MAC address AAAA and VLAN ID 1, and the entry is timestamped.
 Host B has not communicated with the switch yet.
 Host A decides to communicate with Host B.
 When Host A sends a frame to the switch destined for Host B, the switch reads the destination MAC address (Host B's) from the frame, queries the CAM table for that MAC address and does not find it.
 Because the destination MAC is unknown, the switch marks the frame for flooding and sends the unicast frame out of all ports in the same VLAN (except the port it arrived on).
 Host B responds to the unicast frame.
 The switch records Host B's MAC address, switch port and VLAN ID from the incoming frame and applies a timestamp.
 The next time Host A sends a frame destined for Host B, the switch queries its CAM table, finds Host B in the table and sends the frame directly to Host B's port.

CAM Table Before Host B Communicates on the Network

MAC address      Port   VLAN ID   Timestamp
AAAA             1      1         time Host A's first frame was received

CAM Table After Host B Communicates on the Network

MAC address      Port   VLAN ID   Timestamp
AAAA             1      1         time Host A's first frame was received
(Host B's MAC)   2      1         time Host B's reply was received

Host A sending data to Host B

3. Port security

An attacker's task becomes much easier once they can get onto the network they want to attack. Ethernet LANs are particularly vulnerable because switch ports are usable by default: any device plugged in can send traffic, so layer 2 attacks such as DoS and address spoofing are possible. The network is only safe if the administrator controls who can use it. To take control over the switch ports, the administrator can use a feature called port security. Preventing unauthorized users from using the ports raises security considerably at layer 2.

A port is secured in two steps:

 Limit the number of MAC addresses allowed on a single switch port; if more MAC addresses than the limit are learned on the port, an appropriate action is taken.
 Decide what happens on unauthorized access: the offending traffic is discarded by any of the violation modes, and preferably the switch also generates a log message so that the unauthorized access is easily noticed.

Switches learn MAC addresses when a frame is received on a switch port. With port security, the administrator can limit the number of MAC addresses that may be learned on a port, define static MAC addresses, and set the penalty applied when the port is used by an unauthorized station. The penalty is selected with the violation mode, which can be protect, restrict or shutdown. These violation modes are:

protect: once the maximum number of secure MAC addresses has been reached, this mode drops frames with unknown source MAC addresses until enough secure MAC addresses are removed to fall below the maximum. It does not log or count the violation, so it is the hardest mode to monitor.

restrict: drops frames exactly as protect does, and in addition generates a log message, increments the violation counter and sends an SNMP trap.

shutdown: the default and generally the preferred mode, because it shuts the port down immediately when unauthorized access occurs, placing it in the error-disabled state. It also generates a log message, increments the violation counter and sends an SNMP trap. The port stays down until the administrator issues shutdown followed by no shutdown on the interface (or err-disable recovery has been configured).

sticky: this is not a violation mode. With the sticky keyword the port learns MAC addresses dynamically and writes them into the running configuration as if they had been entered statically, so the administrator gets static MAC security without typing each address. For example, with a maximum of 2, the first 2 MAC addresses learned on the port are placed in the running configuration; if a 3rd address then appears on the port, the configured violation mode applies. Save the configuration with copy running-config startup-config, otherwise the sticky addresses are lost at reload.

Note: Port security works on access ports only, i.e. to enable port security the administrator first has to make the port an access port.

Configuration

Apply port security on interface fa0/1 of the switch. First convert the port to an access port, then enable port security.

S1(config)#int fa0/1

S1(config-if)#switchport mode access

S1(config-if)#switchport port-security
Use the sticky keyword so that the port learns MAC addresses dynamically, then set the limit and the action to take on a violation.

S1(config-if)#switchport port-security mac-address sticky

S1(config-if)#switchport port-security maximum 2

S1(config-if)#switchport port-security violation shutdown

To provide a static entry instead, configure the MAC address explicitly (IOS expects the dotted H.H.H form):

S1(config-if)#switchport port-security

S1(config-if)#switchport port-security violation shutdown

S1(config-if)#switchport port-security mac-address aabb.ccdd.eeff
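The following is an added example (not from the page or from Cisco): a small Python model of the behaviour sections 2 and 3 describe. It covers the CAM table (learning the source MAC, flooding unknown unicast and broadcast only within the port's VLAN, updating the entry when a MAC moves to another port, and ageing it out after 300 seconds of silence) and port security on top of it (a maximum number of secure addresses, sticky learning into the running configuration, and the protect, restrict and shutdown violation modes). Ports, hosts, MAC addresses, timestamps and the log message text are all constructed.

```python
"""CAM table learning, flooding, ageing and port security in one small model.

Added example, not from the page or Cisco.  Ports, MAC addresses, timestamps
(seconds) and the log message text are constructed.
"""

CAM_AGING_SECONDS = 300          # default aging time named in the text
BROADCAST = "ffff.ffff.ffff"


class PortSecurity:
    """Per-port port-security state: limit, violation mode, secure addresses."""

    def __init__(self, maximum=1, violation="shutdown", sticky=False, static=()):
        assert violation in ("protect", "restrict", "shutdown")
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky
        self.secure = set(static)                  # static plus dynamically learned secure MACs
        self.running_config = [f"switchport port-security mac-address {m}" for m in static]
        self.err_disabled = False
        self.violations = 0


class Switch:
    def __init__(self, port_vlans):
        self.port_vlan = dict(port_vlans)          # access port -> VLAN ID
        self.cam = {}                              # MAC -> (port, VLAN ID, last seen)
        self.port_sec = {}                         # port -> PortSecurity
        self.log = []

    def enable_port_security(self, port, **kwargs):
        self.port_sec[port] = PortSecurity(**kwargs)

    def no_shutdown(self, port):
        """Administrator recovers a port that violation mode shutdown err-disabled."""
        self.port_sec[port].err_disabled = False

    def _age_out(self, now):
        for mac, (_, _, seen) in list(self.cam.items()):
            if now - seen >= CAM_AGING_SECONDS:
                del self.cam[mac]

    def _admit(self, port, src):
        """Port-security decision for a frame from src on port; False means drop."""
        ps = self.port_sec.get(port)
        if ps is None:
            return True
        if ps.err_disabled:
            return False
        if src in ps.secure:
            return True
        if len(ps.secure) < ps.maximum:
            ps.secure.add(src)
            if ps.sticky:                          # sticky: learned address lands in running-config
                ps.running_config.append(f"switchport port-security mac-address sticky {src}")
            return True
        # Over the limit. Every mode drops the frame; restrict and shutdown also count and log it.
        if ps.violation != "protect":
            ps.violations += 1
            self.log.append(f"port-security violation on port {port} by {src}")
        if ps.violation == "shutdown":             # err-disable the port and forget what it learned
            ps.err_disabled = True
            for mac, (p, _, _) in list(self.cam.items()):
                if p == port:
                    del self.cam[mac]
        return False

    def receive(self, port, src, dst, now):
        """Process one frame arriving on port; return the sorted list of egress ports."""
        self._age_out(now)
        if not self._admit(port, src):
            return []
        vlan = self.port_vlan[port]
        self.cam[src] = (port, vlan, now)          # learn, refresh, or move to the new port
        entry = self.cam.get(dst)
        if dst != BROADCAST and entry and entry[1] == vlan:
            out_port = entry[0]
            return [] if out_port == port else [out_port]   # never send a frame back out its ingress port
        # Unknown unicast or broadcast: flood to every other live port in the same VLAN.
        return sorted(p for p, v in self.port_vlan.items()
                      if v == vlan and p != port
                      and not (p in self.port_sec and self.port_sec[p].err_disabled))


if __name__ == "__main__":
    sw = Switch({1: 1, 2: 1, 3: 1, 4: 1, 5: 2})
    print(sw.receive(1, "aaaa", "bbbb", 0))       # Host A to unknown Host B: [2, 3, 4]
    print(sw.receive(2, "bbbb", "aaaa", 1))       # Host B replies: [1]
    sw.enable_port_security(4, maximum=2, violation="shutdown", sticky=True)
    for mac in ("c1", "c2", "c3"):                # third address trips the shutdown violation
        print(mac, sw.receive(4, mac, "aaaa", 10), sw.port_sec[4].err_disabled)
```

The main block walks through the Host A / Host B scenario above and then trips a shutdown violation on a sticky port; note that the err-disabled port is also excluded from later floods, and that the addresses learned on it are removed from the CAM table, so a recovered port has to relearn its secure addresses from the running configuration rather than from the CAM table.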

4. VLANs

A VLAN is a switched network that is logically segmented by function, project team, or application, without regard to the physical locations of the users. VLANs have the same attributes as physical LANs, but you can group end stations even if they are not physically located on the same LAN segment. Any switch port can belong to a VLAN, and unicast, broadcast, and multicast packets are forwarded and flooded only to end stations in the VLAN. Each VLAN is considered a logical network, and packets destined for stations that do not belong to the VLAN must be forwarded through a router or a switch supporting fallback bridging. Because a VLAN is considered a separate logical network, it contains its own bridge Management Information Base (MIB) information and can support its own implementation of spanning tree.

VLANs as Logically Defined Networks


VLANs are often associated with IP subnetworks. For example, all the end stations in a
particular IP subnet belong to the same VLAN. Interface VLAN membership on the switch is
assigned manually on an interface-by-interface basis. When you assign switch interfaces to
VLANs by using this method, it is known as interface-based, or static, VLAN membership.
Traffic between VLANs must be routed or fallback bridged. The switch can route traffic between
VLANs by using switch virtual interfaces (SVIs). An SVI must be explicitly configured and
assigned an IP address to route traffic between VLANs.

Note

If you plan to configure many VLANs on the switch and to not enable routing, you can use the
sdm prefer vlan global configuration command to set the Switch Database Management (sdm)
feature to the VLAN template, which configures system resources to support the maximum
number of unicast MAC addresses.

VLAN Port Membership Modes

You configure a port to belong to a VLAN by assigning a membership mode that specifies the kind of traffic the port carries and the number of VLANs to which it can belong. Table 12-1 lists the membership modes and membership and VTP characteristics.

Port Membership Modes and Characteristics

Configuring Normal-Range VLANs

Normal-range VLANs are VLANs with VLAN IDs 1 to 1005. If the switch is in VTP server or
VTP transparent mode, you can add, modify or remove configurations for VLANs 2 to 1001 in
the VLAN database. (VLAN IDs 1 and 1002 to 1005 are automatically created and cannot be
removed.)

You can cause inconsistency in the VLAN database if you attempt to manually delete the
vlan.dat file. If you want to modify the VLAN configuration, use the commands described in
these sections and in the command reference for this release. To change the VTP configuration.

You use the interface configuration mode to define the port membership mode and to add and
remove ports from VLANs. The results of these commands are written to the running-
configuration file, and you can display the file by entering the show running-config privileged
EXEC command. You can set these parameters when you create a new normal-range VLAN or
modify an existing VLAN in the VLAN database:

 VLAN ID
 VLAN name
 VLAN type (Ethernet, Fiber Distributed Data Interface [FDDI], FDDI network entity title
[NET], TrBRF, or TrCRF, Token Ring, Token Ring-Net)
 VLAN state (active or suspended)
 Maximum transmission unit (MTU) for the VLAN
 Security Association Identifier (SAID)
 Bridge identification number for TrBRF VLANs
 Ring number for FDDI and TrCRF VLANs
 Parent VLAN number for TrCRF VLANs
 Spanning Tree Protocol (STP) type for TrCRF VLANs
 VLAN number to use when translating from one VLAN type to another

Token Ring VLANs

Although the switch does not support Token Ring connections, a remote device such as a
Catalyst 5000 series switch with Token Ring connections could be managed from one of the
supported switches. Switches running VTP Version 2 advertise information about these Token
Ring VLANs:

 Token Ring TrBRF VLANs
 Token Ring TrCRF VLANs

For more information on configuring Token Ring VLANs, see the Catalyst 5000 Series Software Configuration Guide.

Normal-Range VLAN Configuration Guidelines

Follow these guidelines when creating and modifying normal-range VLANs in your network:

 The switch supports 1005 VLANs in VTP client, server, and transparent modes.
 Normal-range VLANs are identified with a number between 1 and 1001. VLAN numbers
1002 through 1005 are reserved for Token Ring and FDDI VLANs.
 VLAN configuration for VLANs 1 to 1005 is always saved in the VLAN database. If the VTP mode is transparent, VTP and VLAN configuration are also saved in the switch running configuration file.
 The switch also supports VLAN IDs 1006 through 4094 in VTP transparent mode (VTP
disabled). These are extended-range VLANs and configuration options are limited.
Extended-range VLANs are not saved in the VLAN database.
 Before you can create a VLAN, the switch must be in VTP server mode or VTP
transparent mode. If the switch is a VTP server, you must define a VTP domain or VTP
will not function.
 The switch does not support Token Ring or FDDI media. The switch does not forward
FDDI, FDDI-Net, TrCRF, or TrBRF traffic, but it does propagate the VLAN
configuration through VTP.
 The switch supports 128 spanning-tree instances. If a switch has more active VLANs
than supported spanning-tree instances, spanning tree can be enabled on 128 VLANs and
is disabled on the remaining VLANs. If you have already used all available spanning-tree
instances on a switch, adding another VLAN anywhere in the VTP domain creates a
VLAN on that switch that is not running spanning-tree. If you have the default allowed
list on the trunk ports of that switch (which is to allow all VLANs), the new VLAN is
carried on all trunk ports. Depending on the topology of the network, this could create a
loop in the new VLAN that would not be broken, particularly if there are several adjacent
switches that all have run out of spanning-tree instances. You can prevent this possibility
by setting allowed lists on the trunk ports of switches that have used up their allocation of
spanning-tree instances.

If the number of VLANs on the switch exceeds the number of supported spanning-tree instances,
we recommend that you configure the IEEE 802.1s Multiple STP (MSTP) on your switch to map
multiple VLANs to a single spanning-tree instance.

VLAN Configuration in config-vlan Mode

To access config-vlan mode, enter the vlan global configuration command with a VLAN ID.
Enter a new VLAN ID to create a VLAN, or enter an existing VLAN ID to modify that VLAN.
You can use the default VLAN configuration or enter multiple commands to configure the
VLAN. For more information about commands available in this mode, see the vlan global
configuration command description in the command reference for this release. When you have
finished the configuration, you must exit config-vlan mode for the configuration to take effect.
To display the VLAN configuration, enter the show vlan privileged EXEC command.

VLAN Configuration in VLAN Database Configuration Mode

To access VLAN database configuration mode, enter the vlan database privileged EXEC
command. Then enter the vlan command with a new VLAN ID to create a VLAN, or enter an
existing VLAN ID to modify the VLAN. You can use the default VLAN configuration or enter
multiple commands to configure the VLAN. For more information about keywords available in
this mode, see the vlan VLAN database configuration command description in the command
reference for this release. When you have finished the configuration, you must enter apply or exit
for the configuration to take effect. When you enter the exit command, it applies all commands
and updates the VLAN database. VTP messages are sent to other switches in the VTP domain,
and the privileged EXEC mode prompt appears.

Saving VLAN Configuration

The configurations of VLAN IDs 1 to 1005 are always saved in the VLAN database (vlan.dat
file). If the VTP mode is transparent, they are also saved in the switch running configuration file.
You can enter the copy running-config startup-config privileged EXEC command to save the
configuration in the startup configuration file. To display the VLAN configuration, enter the
show vlan privileged EXEC command.

When you save VLAN and VTP information (including extended-range VLAN configuration
information) in the startup configuration file and reboot the switch, the switch configuration is
selected as follows:
 If the VTP mode is transparent in the startup configuration, and the VLAN database and
the VTP domain name from the VLAN database matches that in the startup configuration
file, the VLAN database is ignored (cleared), and the VTP and VLAN configurations in
the startup configuration file are used. The VLAN database revision number remains
unchanged in the VLAN database.
 If the VTP mode or domain name in the startup configuration does not match the VLAN
database, the domain name and VTP mode and configuration for the first 1005 VLANs
use the VLAN database information.
 If VTP mode is server, the domain name and VLAN configuration for the first 1005
VLANs use the VLAN database information

5. STP

Configuring STP

This part describes how to configure the Spanning Tree Protocol (STP) on port-based VLANs on
the Catalyst 3560 switch. The switch can use either the per-VLAN spanning-tree plus (PVST+)
protocol based on the IEEE 802.1D standard and Cisco proprietary extensions, or the rapid per-
VLAN spanning-tree plus (rapid-PVST+) protocol based on the IEEE 802.1w standard.

STP Overview

STP is a Layer 2 link management protocol that provides path redundancy while preventing
loops in the network. For a Layer 2 Ethernet network to function properly, only one active path
can exist between any two stations. Multiple active paths among end stations cause loops in the
network. If a loop exists in the network, end stations might receive duplicate messages. Switches
might also learn end-station MAC addresses on multiple Layer 2 interfaces. These conditions
result in an unstable network. Spanning-tree operation is transparent to end stations, which
cannot detect whether they are connected to a single LAN segment or a switched LAN of
multiple segments. The STP uses a spanning-tree algorithm to select one switch of a redundantly
connected network as the root of the spanning tree. The algorithm calculates the best loop-free
path through a switched Layer 2 network by assigning a role to each port based on the role of the
port in the active topology:

 Root—A forwarding port elected for the spanning-tree topology
 Designated—A forwarding port elected for every switched LAN segment
 Alternate—A blocked port providing an alternate path to the root bridge in the spanning tree
 Backup—A blocked port in a loopback configuration

The switch that has all of its ports as the designated role or as the backup role is the root switch. The switch that has at least one of its ports in the designated role is called the designated switch.
Spanning tree forces redundant data paths into a standby (blocked) state. If a network segment in
the spanning tree fails and a redundant path exists, the spanning-tree algorithm recalculates the
spanning-tree topology and activates the standby path. Switches send and receive spanning-tree
frames, called bridge protocol data units (BPDUs), at regular intervals. The switches do not
forward these frames but use them to construct a loop-free path. BPDUs contain information
about the sending switch and its ports, including switch and MAC addresses, switch priority, port
priority, and path cost. Spanning tree uses this information to elect the root switch and root port
for the switched network and the root port and designated port for each switched segment.

When two ports on a switch are part of a loop, the spanning-tree port priority and path cost
settings control which port is put in the forwarding state and which is put in the blocking state.
The spanning-tree port priority value represents the location of a port in the network topology
and how well it is located to pass traffic. The path cost value represents the media speed.

Spanning-Tree Topology and BPDUs

The stable, active spanning-tree topology of a switched network is controlled by these elements:

 The unique bridge ID (switch priority and MAC address) associated with each VLAN on
each switch.
 The spanning-tree path cost to the root switch.
 The port identifier (port priority and MAC address) associated with each Layer 2
interface.

When the switches in a network are powered up, each functions as the root switch. Each switch
sends a configuration BPDU through all of its ports. The BPDUs communicate and compute the
spanning-tree topology. Each configuration BPDU contains this information:

 The unique bridge ID of the switch that the sending switch identifies as the root switch
 The spanning-tree path cost to the root
 The bridge ID of the sending switch
 Message age
 The identifier of the sending interface
 Values for the hello, forward delay, and max-age protocol timers

When a switch receives a configuration BPDU that contains superior information (lower bridge
ID, lower path cost, and so forth), it stores the information for that port. If this BPDU is received
on the root port of the switch, the switch also forwards it with an updated message to all attached
LANs for which it is the designated switch. If a switch receives a configuration BPDU that
contains inferior information to that currently stored for that port, it discards the BPDU. If the
switch is a designated switch for the LAN from which the inferior BPDU was received, it sends
that LAN a BPDU containing the up-to-date information stored for that port. In this way, inferior
information is discarded, and superior information is propagated on the network.
A BPDU exchange results in these actions:

 One switch in the network is elected as the root switch (the logical center of the spanning-tree topology in a switched network).

For each VLAN, the switch with the highest switch priority (the lowest numerical priority value)
is elected as the root switch. If all switches are configured with the default priority (32768), the
switch with the lowest MAC address in the VLAN becomes the root switch. The switch priority
value occupies the most significant bits of the bridge ID.

A root port is selected for each switch (except the root switch). This port provides the best path
(lowest cost) when the switch forwards packets to the root switch. The shortest distance to the
root switch is calculated for each switch based on the path cost. A designated switch for each
LAN segment is selected. The designated switch incurs the lowest path cost when forwarding
packets from that LAN to the root switch. The port through which the designated switch is
attached to the LAN is called the designated port. All paths that are not needed to reach the root
switch from anywhere in the switched network are placed in the spanning-tree blocking mode.

Bridge ID, Switch Priority, and Extended System ID

The IEEE 802.1D standard requires that each switch has a unique bridge identifier (bridge ID), which controls the selection of the root switch. Because each VLAN is considered a different logical bridge with PVST+ and rapid PVST+, the same switch must have a different bridge ID for each configured VLAN. Each VLAN on the switch has a unique 8-byte bridge ID. The 2 most-significant bytes are used for the switch priority, and the remaining 6 bytes are derived from the switch MAC address. The switch supports the IEEE 802.1t spanning-tree extensions, and some of the bits previously used for the switch priority are now used as the VLAN identifier. The result is that fewer MAC addresses are reserved for the switch, and a larger range of VLAN IDs can be supported, all while maintaining the uniqueness of the bridge ID. As shown in Table 4-2, the 2 bytes previously used for the switch priority are reallocated into a 4-bit priority value and a 12-bit extended system ID value equal to the VLAN ID. Because only 4 bits remain for the priority, the configurable priority value must be a multiple of 4096.

Switch Priority Value and Extended System ID

Spanning tree uses the extended system ID, the switch priority, and the allocated spanning-tree
MAC address to make the bridge ID unique for each VLAN. Support for the extended system ID
affects how you manually configure the root switch, the secondary root switch, and the switch
priority of a VLAN. For example, when you change the switch priority value, you change the
probability that the switch will be elected as the root switch. Configuring a higher value
decreases the probability; a lower value increases the probability.
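As an added example (not from the page), here is the bridge ID layout just described in code: the 2-byte priority field split into a 4-bit priority and a 12-bit extended system ID equal to the VLAN ID, followed by the 6-byte MAC, with a per-VLAN root election that falls back to the lowest MAC on equal priorities as the text states. Switch names, MAC addresses and priorities are constructed. The root_primary_priority helper models what Cisco's spanning-tree vlan root primary command does (set 24576, or 4096 below a root that is already lower); those figures come from Cisco's command documentation, not from this page.

```python
"""Bridge ID construction and root election for PVST+ with the 802.1t extended system ID.

Added example, not from the page.  Switch names, MAC addresses and priorities are
constructed.  The 24576 / 4096 figures in root_primary_priority are Cisco's documented
behaviour for 'spanning-tree vlan <id> root primary', not values stated on this page.
"""

DEFAULT_PRIORITY = 32768
MAC_MASK = (1 << 48) - 1


def bridge_id(priority, vlan_id, mac):
    """Pack the 8-byte bridge ID into an int: 4-bit priority, 12-bit VLAN ID, 48-bit MAC.

    The VLAN ID occupies the low 12 bits of the former 16-bit priority field, so the
    configurable priority must be a multiple of 4096 (0, 4096, ..., 61440).
    A lower bridge ID wins the root election.
    """
    if priority % 4096 != 0 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be between 1 and 4094")
    mac_int = int(mac.replace(".", "").replace(":", ""), 16)
    return ((priority | vlan_id) << 48) | mac_int


def describe(bid):
    """Render a bridge ID in the style of 'show spanning-tree': priority, sys-id-ext, MAC."""
    field = bid >> 48
    mac = f"{bid & MAC_MASK:012x}"
    return (f"priority {field} (priority {field & 0xF000} sys-id-ext {field & 0x0FFF}) address "
            + ".".join(mac[i:i + 4] for i in (0, 4, 8)))


def elect_root(switches, vlan_id):
    """switches: {name: (priority, mac)} for one VLAN.  Returns (root name, root bridge ID)."""
    ids = {name: bridge_id(prio, vlan_id, mac) for name, (prio, mac) in switches.items()}
    root = min(ids, key=ids.get)        # lowest priority; on a tie, the lowest MAC address
    return root, ids[root]


def root_primary_priority(current_root_priority):
    """Priority that 'root primary' would configure on this switch for the VLAN."""
    if current_root_priority > 24576:
        return 24576
    if current_root_priority < 4096:
        raise ValueError("current root already has priority 0; cannot go lower")
    return current_root_priority - 4096


if __name__ == "__main__":
    # Constructed topology: three switches at the default priority in VLAN 10.
    switches = {"S1": (DEFAULT_PRIORITY, "0019.5600.0001"),
                "S2": (DEFAULT_PRIORITY, "0019.5600.0000"),
                "S3": (DEFAULT_PRIORITY, "0019.56ff.0001")}
    root, bid = elect_root(switches, 10)
    print(root, describe(bid))          # S2 wins on the lowest MAC
```

Note that a switch added to the VLAN with a lower priority, or simply a lower MAC address than the current root at equal priority, takes over as root for that VLAN; this is why the root should be pinned with an explicit priority rather than left to the MAC-address tie-break.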

Spanning-Tree Interface States

Propagation delays can occur when protocol information passes through a switched LAN. As a
result, topology changes can take place at different times and at different places in a switched
network. When an interface transitions directly from nonparticipation in the spanning-tree
topology to the forwarding state, it can create temporary data loops. Interfaces must wait for new
topology information to propagate through the switched LAN before starting to forward frames.
They must allow the frame lifetime to expire for forwarded frames that have used the old
topology. Each Layer 2 interface on a switch using spanning tree exists in one of these states:

 Blocking—The interface does not participate in frame forwarding.
 Listening—The first transitional state after the blocking state when the spanning tree decides that the interface should participate in frame forwarding.
 Learning—The interface prepares to participate in frame forwarding.
 Forwarding—The interface forwards frames.
 Disabled—The interface is not participating in spanning tree because of a shutdown port, no link on the port, or no spanning-tree instance running on the port.

An interface moves through these states:

 From initialization to blocking
 From blocking to listening or to disabled
 From listening to learning or to disabled
 From learning to forwarding or to disabled
 From forwarding to disabled

Spanning-Tree Interface States


When you power up the switch, spanning tree is enabled by default, and every interface in the
switch, VLAN, or network goes through the blocking state and the transitory states of listening
and learning. Spanning tree stabilizes each interface at the forwarding or blocking state.

When the spanning-tree algorithm places a Layer 2 interface in the forwarding state, this process
occurs:

 The interface is in the listening state while spanning tree waits for protocol information to
move the interface to the blocking state.
 While spanning tree waits for the forward-delay timer to expire, it moves the interface to the learning state and resets the forward-delay timer.
 In the learning state, the interface continues to block frame forwarding as the switch
learns end-station location information for the forwarding database.
 When the forward-delay timer expires, spanning tree moves the interface to the
forwarding state, where both learning and frame forwarding are enabled.

Blocking State

A Layer 2 interface in the blocking state does not participate in frame forwarding. After
initialization, a BPDU is sent to each switch interface. A switch initially functions as the root
until it exchanges BPDUs with other switches. This exchange establishes which switch in the
network is the root or root switch. If there is only one switch in the network, no exchange occurs,
the forward-delay timer expires, and the interface moves to the listening state. An interface
always enters the blocking state after switch initialization. An interface in the blocking state
performs these functions:

 Discards frames received on the interface
 Discards frames switched from another interface for forwarding
 Does not learn addresses
 Receives BPDUs

Listening State

The listening state is the first state a Layer 2 interface enters after the blocking state. The
interface enters this state when the spanning tree decides that the interface should participate in
frame forwarding. An interface in the listening state performs these functions:

 Discards frames received on the interface
 Discards frames switched from another interface for forwarding
 Does not learn addresses
 Receives BPDUs

Learning State

A Layer 2 interface in the learning state prepares to participate in frame forwarding. The
interface enters the learning state from the listening state. An interface in the learning state
performs these functions:

 Discards frames received on the interface
 Discards frames switched from another interface for forwarding
 Learns addresses
 Receives BPDUs

Forwarding State

A Layer 2 interface in the forwarding state forwards frames. The interface enters the forwarding
state from the learning state. An interface in the forwarding state performs these functions:

 Receives and forwards frames received on the interface
 Forwards frames switched from another interface
 Learns addresses
 Receives BPDUs

Disabled State

A Layer 2 interface in the disabled state does not participate in frame forwarding or in the
spanning tree. An interface in the disabled state is nonoperational. A disabled interface performs
these functions:

 Discards frames received on the interface
 Discards frames switched from another interface for forwarding
 Does not learn addresses
 Does not receive BPDUs
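
The five port states above differ only in three things: whether the port learns source addresses, whether it forwards frames, and whether it processes BPDUs. The following is an added example (not code from the original text or from any vendor) that models a single port as a small state machine: it starts in blocking, moves to listening when spanning tree selects it, and advances through learning to forwarding as the forward-delay timer expires. The 15-second forward delay and the frame dictionary format are assumptions of the model.

```python
"""Model of the STP port states described above: which states learn addresses,
forward frames and process BPDUs, and how the forward-delay timer moves a port
from listening through learning to forwarding."""
from dataclasses import dataclass, field

FORWARD_DELAY = 15.0   # seconds; assumed here, the common 802.1D default

# Per-state behaviour as listed in the text: (learns addresses, forwards frames, receives BPDUs)
STATE_BEHAVIOUR = {
    "disabled":   (False, False, False),
    "blocking":   (False, False, True),
    "listening":  (False, False, True),
    "learning":   (True,  False, True),
    "forwarding": (True,  True,  True),
}

@dataclass
class StpPort:
    name: str
    state: str = "blocking"        # every port enters blocking after switch initialization
    timer: float = 0.0             # seconds spent so far in the current timed state
    mac_table: dict = field(default_factory=dict)  # source MAC -> port (addresses learned here)
    forwarded: list = field(default_factory=list)  # frames this port actually forwarded

    def select_for_forwarding(self) -> str:
        """Spanning tree decided the port should participate: blocking -> listening."""
        if self.state == "blocking":
            self.state, self.timer = "listening", 0.0
        return self.state

    def disable(self) -> str:
        """Administratively down: out of the spanning tree entirely."""
        self.state, self.timer = "disabled", 0.0
        return self.state

    def tick(self, seconds: float) -> str:
        """Advance time. Each forward-delay expiry moves listening -> learning -> forwarding."""
        if self.state not in ("listening", "learning"):
            return self.state
        self.timer += seconds
        while self.timer >= FORWARD_DELAY and self.state != "forwarding":
            self.timer -= FORWARD_DELAY
            self.state = "learning" if self.state == "listening" else "forwarding"
        return self.state

    def receive(self, frame: dict) -> str:
        """Apply the current state's rules to one incoming frame.
        Returns 'bpdu', 'forwarded' or 'discarded'."""
        learns, forwards, bpdus = STATE_BEHAVIOUR[self.state]
        if frame.get("bpdu"):
            return "bpdu" if bpdus else "discarded"
        if learns:                                   # learning and forwarding states only
            self.mac_table[frame["src"]] = self.name
        if forwards:                                 # forwarding state only
            self.forwarded.append(frame)
            return "forwarded"
        return "discarded"

if __name__ == "__main__":
    port = StpPort("Gi0/1")
    port.select_for_forwarding()
    for elapsed in (0, 15, 15):
        print(port.tick(elapsed), port.receive({"src": "aa-aa-aa", "dst": "bb-bb-bb"}))
```

Running the main block shows a data frame being discarded in listening, discarded but learned in learning, and forwarded only once the second forward-delay period has elapsed; a port that is disabled discards even BPDUs, which is the one thing that separates it from blocking.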

6. VTP

This portion describes how to use the VLAN Trunking Protocol (VTP) and the VLAN database
for managing VLANs with the Catalyst 3560 switch.

Understanding VTP

VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency by
managing the addition, deletion, and renaming of VLANs on a network-wide basis. VTP
minimizes misconfigurations and configuration inconsistencies that can cause several problems,
such as duplicate VLAN names, incorrect VLAN-type specifications, and security violations.
Before you create VLANs, you must decide whether to use VTP in your network. Using VTP,
you can make configuration changes centrally on one or more switches and have those changes
automatically communicated to all the other switches in the network. Without VTP, you cannot
send information about VLANs to other switches. VTP is designed to work in an environment
where updates are made on a single switch and are sent through VTP to other switches in the
domain. It does not work well in a situation where multiple updates to the VLAN database occur
simultaneously on switches in the same domain, which would result in an inconsistency in the
VLAN database. The switch supports 1005 VLANs, but the number of routed ports, SVIs, and
other configured features affects the usage of the switch hardware. If the switch is notified by
VTP of a new VLAN and the switch is already using the maximum available hardware
resources, it sends a message that there are not enough hardware resources available and shuts
down the VLAN. The output of the show vlan user EXEC command shows the VLAN in a
suspended state. VTP only learns about normal-range VLANs (VLAN IDs 1 to 1005). Extended-
range VLANs (VLAN IDs greater than 1005) are not supported by VTP or stored in the VTP
VLAN database.

The VTP Domain

A VTP domain (also called a VLAN management domain) consists of one switch or several
interconnected switches under the same administrative responsibility sharing the same VTP
domain name. A switch can be in only one VTP domain. You make global VLAN configuration
changes for the domain. By default, the switch is in the VTP no-management-domain state until
it receives an advertisement for a domain over a trunk link (a link that carries the traffic of
multiple VLANs) or until you configure a domain name. Until the management domain name is
specified or learned, you cannot create or modify VLANs on a VTP server, and VLAN
information is not propagated over the network. If the switch receives a VTP advertisement over
a trunk link, it inherits the management domain name and the VTP configuration revision
number. The switch then ignores advertisements with a different domain name or an earlier
configuration revision number.

When you make a change to the VLAN configuration on a VTP server, the change is propagated
to all switches in the VTP domain. VTP advertisements are sent over all IEEE trunk connections,
including Inter-Switch Link (ISL) and IEEE 802.1Q. VTP dynamically maps VLANs with
unique names and internal index associates across multiple LAN types. Mapping eliminates
excessive device administration required from network administrators. If you configure a switch
for VTP transparent mode, you can create and modify VLANs, but the changes are not sent to
other switches in the domain, and they affect only the individual switch. However, configuration
changes made when the switch is in this mode are saved in the switch running configuration and
can be saved to the switch startup configuration file.

Configuring VTP

Default VTP Configuration

Configuration Mode

VTP Configuration in Global Configuration Mode

You can use the vtp global configuration command to set the VTP password, the version, the
VTP file name, the interface providing updated VTP information, the domain name, and the
mode, and to disable or enable pruning. For more information about available keywords, see the
command descriptions in the command reference for this release. The VTP information is saved
in the VTP VLAN database. When VTP mode is transparent, the VTP domain name and mode
are also saved in the switch running configuration file, and you can save it in the switch startup
configuration file by entering the copy running-config startup-config privileged EXEC
command. You must use this command if you want to save VTP mode as transparent, even if the
switch resets. When you save VTP information in the switch startup configuration file and reboot
the switch, the switch configuration is selected as follows:

 If the VTP mode is transparent in the startup configuration and the VLAN database and
the VTP domain name from the VLAN database matches that in the startup configuration
file, the VLAN database is ignored (cleared), and the VTP and VLAN configurations in
the startup configuration file are used. The VLAN database revision number remains
unchanged in the VLAN database.
 If the VTP mode or domain name in the startup configuration does not match the VLAN
database, the domain name and VTP mode and configuration for the first 1005 VLANs
use the VLAN database information.

VTP Configuration in VLAN Database Configuration Mode

You can configure all VTP parameters in VLAN database configuration mode, which you access
by entering the vlan database privileged EXEC command. For more information about available
keywords, see the vtp VLAN database configuration command description in the command
reference for this release. When you enter the exit command in VLAN database configuration
mode, it applies all the commands that you entered and updates the VLAN database. VTP
messages are sent to other switches in the VTP domain, and the privileged EXEC mode prompt
appears. If VTP mode is transparent, the domain name and the mode (transparent) are saved in
the switch running configuration, and you can save this information in the switch startup
configuration file by entering the copy running-config startup-config privileged EXEC
command.

VTP Configuration Guidelines

These sections describe guidelines you should follow when implementing VTP in your network.

Domain Names

When configuring VTP for the first time, you must always assign a domain name. You must
configure all switches in the VTP domain with the same domain name. Switches in VTP
transparent mode do not exchange VTP messages with other switches, and you do not need to
configure a VTP domain name for them.

Passwords

You can configure a password for the VTP domain, but it is not required. If you do configure a
domain password, all domain switches must share the same password and you must configure
the password on each switch in the management domain. Switches without a password or with
the wrong password reject VTP advertisements. If you configure a VTP password for a domain,
a switch that is booted without a VTP configuration does not accept VTP advertisements until
you configure it with the correct password. After the configuration, the switch accepts the next
VTP advertisement that uses the same password and domain name in the advertisement. If you
are adding a new switch to an existing network with VTP capability, the new switch learns the
domain name only after the applicable password has been configured on it.
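
The Domain Names and Passwords guidelines above, together with the earlier description of how a switch in the no-management-domain state inherits a domain and then ignores advertisements with a different domain name or an earlier configuration revision, amount to a small acceptance rule. The following is an added example, not code from the original text or from Cisco, that models that rule for one switch: transparent mode applies nothing, a domain mismatch is ignored, a password mismatch is rejected before the domain name is learned, and only a higher configuration revision replaces the VLAN database. The digest is a simplified stand-in computed over the password, domain and revision and is an assumption of the model, not the VTP wire format.

```python
"""Model of the VTP acceptance rules described in the text. The digest is a
simplified stand-in for the password-based MD5 check, not the real wire format."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional

def vtp_digest(password: str, domain: str, revision: int) -> bytes:
    # Assumption: simplified model of the password-derived digest carried in a summary advertisement
    return hashlib.md5(f"{password}|{domain}|{revision}".encode()).digest()

@dataclass
class VtpAdvert:
    domain: str
    revision: int
    vlans: dict                  # vlan id -> name carried by the advertisement
    digest: bytes

@dataclass
class VtpSwitch:
    mode: str = "server"                     # server | client | transparent
    domain: Optional[str] = None             # None models the no-management-domain state
    password: str = ""                       # "" models "no password configured"
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})

    def add_vlan(self, vid: int, name: str) -> int:
        """VLAN changes are only possible on a server with a domain name; each bumps the revision."""
        if self.mode != "server" or self.domain is None:
            raise RuntimeError("VLANs can only be changed on a VTP server with a domain name")
        self.vlans[vid] = name
        self.revision += 1
        return self.revision

    def advertise(self) -> VtpAdvert:
        """The summary a server sends over its trunk links after a change."""
        return VtpAdvert(self.domain, self.revision, dict(self.vlans),
                         vtp_digest(self.password, self.domain, self.revision))

    def receive(self, adv: VtpAdvert) -> str:
        """Apply one advertisement heard on a trunk. Returns 'accepted' or the rejection reason."""
        if self.mode == "transparent":
            return "rejected: transparent mode does not apply advertisements"
        if self.domain is not None and adv.domain != self.domain:
            return "rejected: different domain name"
        if adv.digest != vtp_digest(self.password, adv.domain, adv.revision):
            return "rejected: password mismatch"          # wrong or missing password
        if self.domain is None:
            self.domain = adv.domain      # domain learned only once the password check passed
        if adv.revision <= self.revision:
            return "rejected: same or earlier configuration revision"
        self.revision, self.vlans = adv.revision, dict(adv.vlans)   # VLAN database replaced
        return "accepted"

if __name__ == "__main__":
    server = VtpSwitch(mode="server", domain="eng_group", password="mypassword")
    server.add_vlan(10, "eng")
    adv = server.advertise()
    for sw in (VtpSwitch(mode="client", password="mypassword"),
               VtpSwitch(mode="client"),
               VtpSwitch(mode="client", domain="sales", password="mypassword"),
               VtpSwitch(mode="transparent", password="mypassword")):
        print(sw.mode, sw.domain, "->", sw.receive(adv))
```

Note that the rule is purely revision-based and applies to servers as well as clients: any switch in the domain with the right domain name and password that hears a higher revision replaces its VLAN database, which is why the text insists on a consistent domain password and on making VLAN changes from a single switch.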

VTP Version

Follow these guidelines when deciding which VTP version to implement:

 All switches in a VTP domain must run the same VTP version.
 A VTP Version 2-capable switch can operate in the same VTP domain as a switch
running VTP Version 1 if Version 2 is disabled on the Version 2-capable switch (Version
2 is disabled by default).
 Do not enable VTP Version 2 on a switch unless all of the switches in the same VTP
domain are Version-2-capable. When you enable Version 2 on a switch, all of the
Version-2-capable switches in the domain enable Version 2. If there is a Version 1-only
switch, it does not exchange VTP information with switches that have Version 2 enabled.
 If there are TrBRF and TrCRF Token Ring networks in your environment, you must
enable VTP Version 2 for Token Ring VLAN switching to function properly. To run
Token Ring and Token Ring-Net, disable VTP Version 2.

Configuration Requirements

When you configure VTP, you must configure a trunk port so that the switch can send and
receive VTP advertisements to and from other switches in the domain. If you are configuring
VTP on a cluster member switch to a VLAN, use the rcommand privileged EXEC command to
log in to the member switch. For more information about the command, see the command
reference for this release. If you are configuring extended-range VLANs on the switch, the
switch must be in VTP transparent mode. VTP does not support private VLANs. If you
configure private VLANs, the switch must be in VTP transparent mode. When private VLANs
are configured on the switch, do not change the VTP mode from transparent to client or server
mode.

Configuring a VTP Server

When a switch is in VTP server mode, you can change the VLAN configuration and have it
propagated throughout the network.

Configuring a VTP Server

When you configure a domain name, it cannot be removed; you can only reassign a switch to a
different domain. To return the switch to a no-password state, use the no vtp password global
configuration command. This example shows how to use global configuration mode to configure
the switch as a VTP server with the domain name eng_group and the password mypassword:

Switch# config terminal
Switch(config)# vtp mode server
Switch(config)# vtp domain eng_group
Switch(config)# vtp password mypassword
Switch(config)# end

You can also use VLAN database configuration mode to configure VTP parameters. Beginning
in privileged EXEC mode, follow these steps to use VLAN database configuration mode to
configure the switch as a VTP server:

When you configure a domain name, it cannot be removed; you can only reassign a switch to a
different domain. To return the switch to a no-password state, use the no vtp password VLAN
database configuration command. This example shows how to use VLAN database configuration
mode to configure the switch as a VTP server with the domain name eng_group and the
password mypassword:

Switch# vlan database
Switch(vlan)# vtp server
Switch(vlan)# vtp domain eng_group
Switch(vlan)# vtp password mypassword
Switch(vlan)# exit
APPLY completed.
Exiting....
Switch#

Configuring a VTP Client

When a switch is in VTP client mode, you cannot change its VLAN configuration. The client
switch receives VTP updates from a VTP server in the VTP domain and then modifies its
configuration accordingly.

Use the no vtp mode global configuration command to return the switch to VTP server mode. To
return the switch to a no-password state, use the no vtp password privileged EXEC command.
When you configure a domain name, it cannot be removed; you can only reassign a switch to a
different domain.

7. Inter VLAN communication

After VLANs are assigned, broadcast packets are only forwarded in the same VLAN. This
means that hosts in different VLANs cannot communicate at Layer 2. In real-world scenarios,
hosts in different VLANs often need to communicate, so inter-VLAN communication needs to
be implemented to resolve this.

Similar to intra-VLAN communication described in Intra-VLAN Communication, inter-VLAN
communication goes through three phases: packet transmission from the source host, Ethernet
switching in a switch, and adding and removing VLAN tags during the exchange between
devices. According to the Ethernet switching principle, broadcast packets are only forwarded in
the same VLAN and hosts in different VLANs cannot directly communicate at Layer 2. Layer 3
routing or VLAN translation technology is required to implement inter-VLAN communication.

Inter-VLAN Communication Technologies

Huawei provides a variety of technologies to implement inter-VLAN communication. The
following two technologies are commonly used:

 VLANIF interface: A VLANIF interface is a Layer 3 logical interface that can be used to
implement inter-VLAN Layer 3 connectivity. It is simple to configure a VLANIF
interface, so VLANIF interfaces are the most commonly used for inter-VLAN
communication. However, a VLANIF interface needs to be configured for each VLAN
and each VLANIF interface requires an IP address. As a result, this technology wastes IP
addresses.
 Dot1q termination sub-interface: A sub-interface is also a Layer 3 logical interface that
can be used to implement inter-VLAN Layer 3 connectivity. A Dot1q termination sub-
interface applies to scenarios where a Layer 3 Ethernet interface connects to multiple
VLANs. In such a scenario, data flows from different VLANs compete for the bandwidth of
the primary Ethernet interface; therefore, the primary Ethernet interface may become a
bottleneck when the network is busy.
 VLAN aggregation: VLAN aggregation associates a super-VLAN with multiple sub-VLANs.
The sub-VLANs share the IP address of the super-VLAN, which acts as the gateway IP
address, to implement Layer 3 connectivity with an external network. Proxy ARP can be
enabled between sub-VLANs to implement Layer 3 connectivity between sub-VLANs.
VLAN aggregation conserves IP addresses. VLAN aggregation applies to scenarios
where multiple VLANs share a gateway. For details about VLAN aggregation, see
VLAN Aggregation Configuration.
 VLAN Switch (switch-vlan): VLAN Switch requires a pre-configured static
forwarding path along switching nodes on a network. When a switching node receives
VLAN-tagged frames matching VLAN Switch entries, it directly forwards the frames to
the corresponding interfaces according to the static forwarding path, thus implementing
Layer 2 communication. Switch-VLAN does not require lookup of the MAC address
table, so the forwarding efficiency and security are enhanced. If a switching node
connects to many user devices, the network administrator needs to configure each user
device in advance to establish a static forwarding path. This increases the manual
configuration workload and makes network management inconvenient. Switch-VLAN
applies to small-scale networks.

Inter-VLAN Communication through the Same Switch

Host_1 (source host) and Host_2 (destination host) connect to the same Layer 3 switch, are
located on different network segments, and belong to VLAN 2 and VLAN 3, respectively. After
VLANIF 2 and VLANIF 3 are created on the switch and allocated IP addresses, the default
gateway addresses of the hosts are set to IP addresses of the VLANIF interfaces.

Figure: Using VLANIF interfaces to implement inter-VLAN communication through the same switch

When Host_1 sends a packet to Host_2, the packet is transmitted as follows (assuming that no
forwarding entry exists on the switch):

1. Host_1 determines that the destination IP address is on a different network segment from
its own IP address, and therefore sends an ARP Request packet to request the gateway
MAC address. The ARP Request packet carries the destination IP address of 10.1.1.1
(gateway's IP address) and an all-F destination MAC address.
2. When the ARP Request packet reaches IF_1 on the Switch, the Switch tags the packet
with VLAN 2 (PVID of IF_1). The Switch then adds the mapping between the source
MAC address, VLAN ID, and interface (1-1-1, 2, IF_1) in its MAC address table.
3. The Switch detects that the packet is an ARP Request packet and the destination IP
address is the IP address of VLANIF 2. The Switch then encapsulates VLANIF 2's MAC
address of 3-3-3 into the ARP Reply packet before sending it from IF_1. In addition, the
Switch adds the binding of the IP address and MAC address of Host_1 in its ARP table.
4. After receiving the ARP Reply packet from the Switch, Host_1 adds the binding of the IP
address and MAC address of VLANIF 2 on the Switch in its ARP table and sends a
packet to the Switch. The packet carries the destination MAC address of 3-3-3 and
destination IP address of 10.2.2.2 (Host_2's IP address).
5. After the packet reaches IF_1 on the Switch, the Switch tags the packet with VLAN 2.
6. The Switch updates its MAC address table based on the source MAC address, VLAN ID,
and inbound interface of the packet, and compares the destination MAC address of the
packet with the MAC address of VLANIF 2. If they are the same, the Switch determines
that the packet should be forwarded at Layer 3 and searches for a Layer 3 forwarding
entry based on the destination IP address. If no entry is found, the Switch sends the
packet to the CPU. The CPU then searches for a routing entry to forward the packet.
7. The CPU looks up the routing table based on the destination IP address of the packet and
detects that the destination IP address matches a directly connected network segment
(network segment of VLANIF 3). The CPU continues to look up its ARP table but finds
no matching ARP entry. Therefore, the Switch broadcasts an ARP Request packet with
the destination address of 10.2.2.2 to all interfaces in VLAN 3. The ARP Request packet
will be sent from IF_2.
8. After receiving the ARP Request packet, Host_2 detects that the IP address is its own IP
address and sends an ARP Reply packet with its own MAC address. Additionally, Host_2 adds the
mapping between the MAC address and IP address of VLANIF 3 to its ARP table.
9. After IF_2 on the Switch receives the ARP Reply packet, IF_2 tags the packet with
VLAN 3 and adds the binding of the MAC address and IP address of
Host_2 in its ARP table. Before forwarding the packet from Host_1 to Host_2, the Switch
removes the VLAN 3 tag from the packet. The Switch also adds the binding of
Host_2's IP address, MAC address, VLAN ID, and outbound interface in its Layer 3
forwarding table.

The packet sent from Host_1 then reaches Host_2. The packet transmission process from Host_2
to Host_1 is similar. Subsequent packets between Host_1 and Host_2 are first sent to the
gateway (Switch), and the Switch forwards the packets at Layer 3 based on its Layer 3
forwarding table.
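
The sequence above can be followed more easily when each table the Switch consults is visible. The following is an added example, not code from the original text or from Huawei, that models one Layer 3 switch with two VLANIF interfaces and walks a packet from Host_1 to Host_2 through the same steps: ingress tagging with the PVID, MAC learning, the VLANIF MAC check that selects Layer 3 forwarding, the routing lookup against directly connected segments, ARP resolution in VLAN 3, and the Layer 3 forwarding entry that lets later packets skip the CPU path. The MAC addresses, the 10.2.2.0/24 address of VLANIF 3, and Host_1's own address 10.1.1.2 are constructed values; the multiple-switch case with static routes is not modelled.

```python
"""Step-by-step model of inter-VLAN forwarding through one Layer 3 switch with
VLANIF interfaces, following the sequence described in the text."""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Host:
    name: str
    ip: str
    mac: str
    gateway: str
    arp: dict = field(default_factory=dict)        # ip -> mac
    received: list = field(default_factory=list)   # frames delivered to this host

@dataclass
class L3Switch:
    ports: dict                                    # port name -> (PVID, attached Host)
    vlanifs: dict                                  # vlan id -> (ip, mac, ip_network)
    mac_table: dict = field(default_factory=dict)  # (mac, vlan) -> port
    arp_table: dict = field(default_factory=dict)  # ip -> (mac, vlan, port)
    l3_fib: dict = field(default_factory=dict)     # dst ip -> (mac, vlan, port)
    events: list = field(default_factory=list)     # CPU-path events, for inspection

    def _ingress(self, port, src_mac):
        vlan = self.ports[port][0]                 # tag the packet with the port's PVID
        self.mac_table[(src_mac, vlan)] = port     # learn (source MAC, VLAN) -> interface
        return vlan

    def arp_request(self, port, sender, target_ip):
        """ARP Request from an access port; answered only for the VLANIF of that VLAN."""
        vlan = self._ingress(port, sender.mac)
        ip, mac, _ = self.vlanifs[vlan]
        if target_ip != ip:
            return None
        self.arp_table[sender.ip] = (sender.mac, vlan, port)   # learn the host's IP/MAC binding
        self.events.append(f"ARP reply: {ip} is-at {mac} out {port}")
        return mac

    def _resolve(self, dst_ip):
        """CPU path: route lookup over directly connected segments, then ARP in that VLAN."""
        for vlan, (ip, mac, net) in self.vlanifs.items():
            if ipaddress.ip_address(dst_ip) in net:
                break
        else:
            self.events.append(f"no route to {dst_ip}")
            return None
        if dst_ip not in self.arp_table:
            self.events.append(f"ARP request: who-has {dst_ip}, broadcast in VLAN {vlan}")
            for port, (pvid, host) in self.ports.items():
                if pvid == vlan and host.ip == dst_ip:         # only the owner replies
                    host.arp[ip] = mac                         # host learns the VLANIF binding
                    self.arp_table[dst_ip] = (host.mac, vlan, port)
                    self.mac_table[(host.mac, vlan)] = port
        entry = self.arp_table.get(dst_ip)
        if entry is not None:
            self.l3_fib[dst_ip] = entry                        # Layer 3 forwarding entry
        return entry

    def receive(self, port, frame):
        """Data frame from an access port. Returns 'l2', 'dropped' or 'l3->port'."""
        vlan = self._ingress(port, frame["src_mac"])
        if frame["dst_mac"] != self.vlanifs[vlan][1]:
            return "l2"                            # not for the gateway: Layer 2 path, not modelled
        entry = self.l3_fib.get(frame["dst_ip"]) or self._resolve(frame["dst_ip"])
        if entry is None:
            return "dropped"
        dst_mac, dst_vlan, out_port = entry
        out = dict(frame, src_mac=self.vlanifs[dst_vlan][1], dst_mac=dst_mac)  # rewrite MACs
        self.ports[out_port][1].received.append(out)          # delivered untagged on the access port
        return f"l3->{out_port}"

def host_send(host, switch, port, dst_ip, payload):
    """Host side: an off-segment destination, so resolve the gateway MAC first."""
    if host.gateway not in host.arp:
        host.arp[host.gateway] = switch.arp_request(port, host, host.gateway)
    frame = {"src_mac": host.mac, "dst_mac": host.arp[host.gateway],
             "src_ip": host.ip, "dst_ip": dst_ip, "payload": payload}
    return switch.receive(port, frame)

def build_topology():
    """Constructed sample matching the text: Host_1 in VLAN 2 behind IF_1, Host_2 in VLAN 3
    behind IF_2. Host_1's address and all MACs are assumed; the text gives only 1-1-1 and 3-3-3."""
    h1 = Host("Host_1", "10.1.1.2", "00-00-01", "10.1.1.1")      # the text's MAC 1-1-1
    h2 = Host("Host_2", "10.2.2.2", "00-00-02", "10.2.2.1")
    sw = L3Switch(
        ports={"IF_1": (2, h1), "IF_2": (3, h2)},
        vlanifs={2: ("10.1.1.1", "00-00-03", ipaddress.ip_network("10.1.1.0/24")),  # the text's 3-3-3
                 3: ("10.2.2.1", "00-00-04", ipaddress.ip_network("10.2.2.0/24"))})
    return h1, h2, sw

if __name__ == "__main__":
    h1, h2, sw = build_topology()
    print(host_send(h1, sw, "IF_1", "10.2.2.2", "hello"), sw.events, sw.l3_fib)
    print(host_send(h1, sw, "IF_1", "10.2.2.2", "again"), len(sw.events))
```

The first packet produces two CPU-path events (the ARP reply to Host_1 and the ARP request broadcast into VLAN 3) and leaves an entry in `l3_fib`; the second packet is forwarded from that entry with no new events, which is the behaviour the last paragraph describes.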

Inter-VLAN Communication through Multiple Switches

When hosts in different VLANs connect to multiple Layer 3 switches, you need to configure
static routes or a dynamic routing protocol in addition to VLANIF interface addresses. This is
because IP addresses of VLANIF interfaces can only be used to generate direct routes.

In Figure 4-14, Host_1 (source host) and Host_2 (destination host) are located on different
network segments, connect to Layer 3 switches Switch_1 and Switch_2, and belong to VLAN 2
and VLAN 3, respectively. On Switch_1, VLANIF 2 and VLANIF 4 are created and allocated IP
addresses of 10.1.1.1 and 10.1.4.1. On Switch_2, VLANIF 3 and VLANIF 4 are created and
allocated IP addresses of 10.1.2.1 and 10.1.4.2. Static routes are configured on Switch_1 and
Switch_2. On Switch_1, the destination network segment in the static route is 10.1.2.0/24 and
the next hop address is 10.1.4.2. On Switch_2, the destination network segment in the static route
is 10.1.1.0/24 and the next hop address is 10.1.4.1.

Figure 4-14: Using VLANIF interfaces to implement inter-VLAN communication through multiple switches

When Host_1 sends a packet to Host_2, the packet is transmitted as follows (assuming that no
forwarding entry exists on Switch_1 and Switch_2):

1. The first six steps are similar to steps 1 to 6 in inter-VLAN communication when hosts
connect to the same switch. After the steps are complete, Switch_1 sends the packet to its
CPU and the CPU looks up the routing table.
2. The CPU of Switch_1 searches the routing table based on the destination IP address
of 10.1.2.2 and finds a static route. In the static route, the destination network segment is
10.1.2.0/24 and the next hop address is 10.1.4.2. The CPU continues to look up its ARP
table but finds no matching ARP entry. Therefore, Switch_1 broadcasts an ARP Request
packet with the destination address of 10.1.4.2 to all interfaces in VLAN 4. IF_2 on
Switch_1 transparently transmits the ARP Request packet to IF_2 on Switch_2 without
removing the tag from the packet.
3. After the ARP Request packet reaches Switch_2, Switch_2 finds that the destination IP
address of the ARP Request packet is the IP address of VLANIF 4. Switch_2 then sends an
ARP Reply packet with the MAC address of VLANIF 4 to Switch_1.
4. IF_2 on Switch_2 transparently transmits the ARP Reply packet to Switch_1. After
Switch_1 receives the ARP Reply packet, it adds the binding of the MAC address and IP
address of VLANIF 4 in its ARP table.
5. Before forwarding the packet of Host_1 to Switch_2, Switch_1 changes the destination
MAC address of the packet to the MAC address of VLANIF 4 on Switch_2 and the
source MAC address to the MAC address of VLANIF 4 on itself. In addition, Switch_1
records the forwarding entry (10.1.2.0/24, next hop IP address, VLAN, and outbound
interface) in its Layer 3 forwarding table. Similarly, the packet is transparently
transmitted to IF_2 on Switch_2.
6. After Switch_2 receives packets of Host_1 forwarded by Switch_1, steps similar to
steps 6 to 9 in inter-VLAN communication when hosts connect to the same switch are
performed. In addition, Switch_2 records the forwarding entry (Host_2's IP address,
MAC address, VLAN, and outbound interface) in its Layer 3 forwarding table.

8. Miscellaneous

This part contains miscellaneous configurations that are specific to certain access points.

Using the LAN ports on 700W APs

The Cisco Aironet 700W series access points have one 10/100/1000BASE-T PoE Uplink/WAN
port and four 10/100/1000BASE-T RJ-45 local Ethernet ports for wired device connectivity. The
fourth port functions as a PoE-Out port when the AP is powered by an 802.3at Ethernet switch,
the Cisco power injector AIR-PWRJ4=, or a Cisco power supply. By default, all four local Ethernet
ports are disabled. You can enable them when required. You can also assign the local
Ethernet ports to a VLAN ID using the interface configuration command vlan vlan-id.

Enable LAN ports on 702W

Step 1 Enter global configuration mode.

ap#conf t
Enter configuration commands, one per line. End with CNTL/Z.

Step 2 Enable the LAN port.

ap(config)#lan-Port port-id 1
ap(config-lan-port)#no shutdown
ap(config-lan-port)#end

Assign a VLAN to the LAN ports

Use the commands given in the example below.

ap#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ap(config)#lan-Port port-id 1
ap(config-lan-port)#vlan 25
ap(config-lan-port)#end

Verifying the LAN Port Configurations

Use the command given in the example below.

voip#sh lan config
LAN table entries:

Port   Status     Vlan valid   Vlan Id
----   --------   ----------   -------
LAN1   DISABLED   25           NA
LAN2   ENABLED    NO           NA
LAN3   DISABLED   NO           NA
LAN4   ENABLED    NO           NA

LAN POE out state = ENABLED


700W AP as Workgroup Bridge

Like other Cisco access points, the 702W AP series can also be configured as a Workgroup Bridge
(WGB). A WGB provides a wireless infrastructure connection for Ethernet-enabled devices.
Devices that do not have a wireless client adapter can be connected to the wireless network
through the Ethernet port of the WGB. The WGB supports up to 20 Ethernet-enabled devices
on a Wireless LAN (WLAN). The WGB associates to the root AP through the wireless
interface. In this way, wired clients obtain access to the wireless network. A WGB can
associate to:

 An AP
 A root bridge (in AP mode)
 A controller through a lightweight AP

When a Cisco 702W access point acts as a WGB, the wired Ethernet clients behind the WGB can
be either connected to the LAN or WAN ports present on the 702W AP.
