Introduction to

Switched Networks

Routing And Switching

www.ncp.edu.pk 1
Converged Networks
Growing Complexity of Networks

ƒ Our digital world is changing

ƒ Information must be accessed
from anywhere in the world
ƒ Networks must be secure,
reliable, and highly available

2
www.ncp.edu.pk
Converged Networks
Elements Of A Converged Network

ƒ Collaboration is a requirement
ƒ To support collaboration,
networks employ converged
solutions
ƒ Data services such as voice
systems, IP phones, voice
gateways, video support, and
video conferencing
ƒ Call control, voice messaging,
mobility and automated
attendant are also common
features 3
www.ncp.edu.pk
Converged Networks
Elements Of A Converged Network

ƒ Benefits of Converged
Networks include:
Multiple types of traffic; Only one
network to manage
Substantial savings over installation
and management of separate
voice, video and data networks
Integrates IT management

4
www.ncp.edu.pk
Converged Networks
Hierarchy in the Borderless Switched Network

ƒ Borderless switched
network design guidelines
are built upon the
following principles:
Hierarchical
Modularity
Resiliency
Flexibility

5
www.ncp.edu.pk
Converged Networks
Core, Distribution, Access

6
www.ncp.edu.pk
Switched Networks
Role of Switched Networks

ƒ The role of switched networks has evolved

ƒ A switched LAN allows more flexibility, traffic
management
ƒ It also support features such as quality of service,
additional security, support for wireless, support for IP
telephony and mobility services

7
www.ncp.edu.pk
Switched Networks
Form Factor

ƒ Fixed ƒ Modular ƒ Stackable

8
www.ncp.edu.pk
Frame Forwarding
Switching as a General Concept
ƒ A Switch makes a decision based on ingress and
destination port
ƒ A LAN switch keeps a table that it uses to
determine how to forward traffic through the switch
ƒ LAN switches forward Ethernet frames based on
the destination MAC address of the frames.

9
www.ncp.edu.pk
Frame Forwarding
Dynamically Populating a Switch MAC Address Table
ƒ A switch must first learn which devices exist on each
port before it can transmit a frame
ƒ It builds a table called a MAC address, or content
addressable memory (CAM) table
ƒ The mapping device <-> port is stored in the CAM table
ƒ CAM is a special type of memory used in high-speed
searching applications.
ƒ The information in the MAC address table is used to
send frames
ƒ When a switch receives an incoming frame with a MAC
address that is not found in the CAM table, it floods it to
all ports but the one that received the frame. 10
www.ncp.edu.pk
Frame Forwarding
Switch Forwarding Methods

11
www.ncp.edu.pk
Frame Forwarding
Store-and-Forward Switching
ƒ Store-and-Forwarding allows the switch to:
Check for errors (via FCS check)
Perform Automatic Buffering

ƒ Slower forwarding

12
www.ncp.edu.pk
Frame Forwarding
Cut-Through Switching
ƒ Cut-Through allows the switch to start forwarding in
about 10 microseconds
ƒ No FCS check
ƒ No Automatic Buffering

13
www.ncp.edu.pk
Switching Domains
Collision Domains
ƒ Collision domain is the segment where devices must
compete to communicate
ƒ All ports of a hub belong to the same collision domain
ƒ Every port of a switch is a collision domain on its own
ƒ A switch break the segment into smaller collision
domains, easing device competition.

14
www.ncp.edu.pk
Switching Domains
Broadcast Domains
ƒ Broadcast domain is the extend of the network where a
broadcast frame can be heard.
ƒ Switches forward broadcast frames to all ports.
Therefore switches don’t break broadcast domains.
ƒ All ports of a switch (with its default configuration)
belong to the same broadcast domain
ƒ If two or more switches are connected, broadcasts will
be forward to all ports of all switches (except for the port
that originally received the broadcast)

15
www.ncp.edu.pk
Switching Domains
Alleviating Network Congestion
Switches help alleviating network congestion by:
ƒ facilitating the segmentation of a LAN into separate
collision domains
ƒ providing full-duplex communication between devices
ƒ taking advantage of their high port density
ƒ buffering large frames
ƒ employing high speed ports
ƒ taking advantage of their fast internal switching process
ƒ having a low per-port cost

16
www.ncp.edu.pk
Basic Switch Configuration
Switch Boot Sequence
1. POST (Power On Self Test)
2. Run boot loader software
3. Boot loader does low-level CPU initialization
4. Boot loader initializes the flash filesystem
5. Boot loader locates and loads a default IOS operating
system software image into memory and hands
control of the switch over to the IOS.

17
www.ncp.edu.pk
Basic Switch Configuration
Switch Boot Sequence
In order to find a suitable IOS image, the switch goes
through the following steps:
1. It attempts to automatically boot by using information
in the BOOT environment variable
2. If this variable is not set, the switch performs a top-to-
bottom search through the flash file system. It will
load and execute the first executable file, if it can.
3. The IOS operating system then initializes the
interfaces using the IOS commands found in the
configuration file, startup configuration, which is
stored in NVRAM.
Note: the command boot system can be used to set the
BOOT environment variable. 18
www.ncp.edu.pk
Basic Switch Configuration
Preparing for Basic Switch Management
ƒ In order to remotely manage a switch, it needs to be
configured to access the network
ƒ An IP address and a subnet mask must be configured
ƒ If managing the switch from a remote network, a default
gateway must also be configured
ƒ The IP information (address, subnet mask, gateway) is
to be assigned to a switch SVI (switch virtual interface)
ƒ Although these IP settings allow remote management
and remote access to the switch, they do not allow the
switch to route Layer 3 packets.

19
www.ncp.edu.pk
Basic Switch Configuration
Preparing for Basic Switch Management

20
www.ncp.edu.pk
Configure Switch Ports
Configure Switch Ports at the Physical Layer

21
www.ncp.edu.pk
Configure Switch Ports
MDIX Auto Feature
ƒ Certain cable types (straight-through or crossover)
were required when connecting devices
ƒ The automatic medium-dependent interface crossover
(auto-MDIX) feature eliminates this problem
ƒ When auto-MDIX is enabled, the interface automatically
detects and configures the connection appropriately
ƒ When using auto-MDIX on an interface, the interface
speed and duplex must be set to auto

22
www.ncp.edu.pk
Configure Switch Ports
MDIX Auto Feature

23
www.ncp.edu.pk
Configure Switch Ports
Verifying Switch Port Configuration

24
www.ncp.edu.pk
Security Concerns in LANs
MAC Address Flooding
ƒ Attacker flooding the CAM table with bogus entries

25
www.ncp.edu.pk
Security Concerns in LANs
MAC Address Flooding
ƒ The switch now behaves as a hub

26
www.ncp.edu.pk
Security Concerns in LANs
DHCP Spoofing
ƒ DHCP is a network protocol used to assign IP info
automatically
ƒ Two types of DHCP attacks are:
• DHCP spoofing
• DHCP starvation

ƒ In DHCP spoofing attacks, a fake DHCP server is

placed in the network to issue DHCP addresses to
clients.
ƒ DHCP starvation is often used before a DHCP spoofing
attack to deny service to the legitimate DHCP server

27
www.ncp.edu.pk
Security Concerns in LANs
DHCP Spoofing
ƒ DHCP Spoof Attack

28
www.ncp.edu.pk
Security Best Practices
Network Security Tools: Options
ƒ Network Security Tools are very important to network
administrators
ƒ Such tools allow an administrator to test the strength of
the security measures implemented
ƒ An administrator can launch an attack against the
network and analyze the results
ƒ This is also to determine how to adjust security policies
to mitigate those types of attacks
ƒ Security auditing and penetration testing are two basic
functions that network security tools perform

29
www.ncp.edu.pk
Security Best Practices
Network Security Tools: Audits
ƒ Network Security Tools can be used to audit the
network
ƒ By monitoring the network, an administrator can assess
what type of information an attacker would be able to
gather
ƒ For example, by attacking and flooding the CAM table
of a switch, an administrator would learn which switch
ports are vulnerable to MAC flooding and correct the
issue
ƒ Network Security Tools can also be used as penetration
test tools

30
www.ncp.edu.pk
Security Best Practices
Network Security Tools: Audits
ƒ Penetration testing is a simulated attack
ƒ It helps to determine how vulnerable the network is
when under a real attack.
ƒ Weaknesses within the configuration of networking
devices can be identified based on pen test results
ƒ Changes can be made to make the devices more
resilient to attacks
ƒ Such tests can damage the network and should be
carried out under very controlled conditions
ƒ An off-line test bed network that mimics the actual
production network is the ideal.
31
www.ncp.edu.pk
Switch Port Security
Secure Unused Ports
ƒ Disable Unused Ports is a simple yet efficient security
guideline

32
www.ncp.edu.pk
Switch Port Security
DHCP Snooping
ƒ DHCP Snooping specifies which switch ports can
respond to DHCP requests

33
www.ncp.edu.pk
Switch Port Security
Port Security: Operation
ƒ Port security limits the number of valid MAC addresses
allowed on a port
ƒ The MAC addresses of legitimate devices are allowed
access, while other MAC addresses are denied
ƒ Any additional attempts to connect by unknown MAC
addresses will generate a security violation
ƒ Secure MAC addresses can be configured in a number
of ways:
• Static secure MAC addresses
• Dynamic secure MAC addresses
• Sticky secure MAC addresses

34
www.ncp.edu.pk
Switch Port Security
Port Security: Violation Modes
ƒ IOS considers a security violation when either of these
situations occurs:
• The maximum number of secure MAC addresses for that
interface have been added to the CAM, and a station whose
MAC address is not in the address table attempts to access
the interface.
• An address learned or configured on one secure interface is
seen on another secure interface in the same VLAN.

ƒ There are three possible action to be taken when a

violation is detected:
• Protect
• Restrict
• Shutdown
35
www.ncp.edu.pk
Switch Port Security
Port Security: Configuring
ƒ Dynamic Port Security Defaults

36
www.ncp.edu.pk
Switch Port Security
Port Security: Configuring
ƒ Configuring Dynamic Port Security

37
www.ncp.edu.pk
Switch Port Security
Port Security: Configuring
ƒ Configuring Port Security Sticky

38
www.ncp.edu.pk
Switch Port Security
Port Security: Verifying
ƒ Verifying Port Security Sticky

39
www.ncp.edu.pk
Switch Port Security
Port Security: Verifying
ƒ Verifying Port Security Sticky – Running Config

40
www.ncp.edu.pk
Switch Port Security
Ports In Error Disabled State
ƒ A port security violation can put a switch in error
disabled state
ƒ A port in error disabled is effectively shut down
ƒ The switch will communicate these events through
console messages

41
www.ncp.edu.pk
Switch Port Security
Ports In Error Disabled State
ƒ The show interface command also reveals a switch port
on error disabled state

42
www.ncp.edu.pk
Switch Port Security
Ports In Error Disabled State
ƒ A shutdown/no shutdown interface command must be
issued to re-enable the port

43
www.ncp.edu.pk
Spanning-Tree Protocol

ƒ How is reliability in a network achieved and downtime

reduced?

by using reliable equipment

by designing networks that are tolerant to failures

and faults

ƒ Networks should be designed to re-converge rapidly

so that a fault is bypassed

ƒ Fault tolerance is achieved by redundancy

44
www.ncp.edu.pk
Spanning-Tree Protocol
Redundant Switched Topologies
ƒ Redundant topologies eliminate single points of failure
ƒ If a path or device fails, the redundant path or device
can take over the tasks of the failed path or device.

A Simple
Redundant
Switched
Topology

45
www.ncp.edu.pk
Spanning-Tree Protocol
Switching loops?

ƒ Switches flood traffic out all ports when the traffic is

sent to a destination that is not yet known

ƒ Broadcast and multicast traffic is forwarded out every

port, except the port on which the traffic arrived

This traffic can be caught in a loop

46
www.ncp.edu.pk
Spanning-Tree Protocol
Avoiding Switching Loops

ƒ The Spanning-Tree Protocol is used in switched

networks to create a loop free logical topology from a
physical topology that has loops

ƒ “Given a connected,
undirected graph, a
spanning tree of that
graph is a subgraph which
is a tree and connects all
the vertices together”.
ƒ A single graph can have
many different spanning
trees.
47
www.ncp.edu.pk
Spanning-Tree Protocol
Intro to Spanning-Tree Protocol (STP)
ƒ IEEE 802.1D Spanning-Tree Protocol
Used by Ethernet bridges and switches to construct
a loop free shortest path network using the
spanning-tree algorithm
ƒ Shortest path is based on cumulative link costs
Link costs are based on the speed of the link

48
www.ncp.edu.pk
Spanning-Tree Protocol
Intro to STP continued…
ƒ The Spanning-Tree Protocol establishes a root node,
called the root bridge
STP constructs a topology that has one path for
reaching every network node
The resulting tree originates from the root bridge
Redundant links that are not part of the shortest path
tree are blocked.
Data frames received on blocked links are dropped.
ƒ Because certain paths are blocked, a loop free topology
is possible

49
www.ncp.edu.pk
Bridge Protocol Data Units (BPDUs)

ƒ The Spanning-Tree Protocol requires network devices

to exchange messages to help form a loop-free logical
topology

ƒ These messages are called Bridge Protocol Data Units

(BPDUs)
Links that will cause a loop are put into a blocking
state
BPDUs continue to be received on blocked ports
(ensures that if an active path or device fails, a new
spanning tree can be calculated)
50
www.ncp.edu.pk
More on BPDUs…
ƒ BPDUs help switches do the following:
Select a single switch that will act as the root of the spanning tree
Calculate the shortest path from itself to the root switch
Designate one of the switches as the closest one to the root, for each
LAN segment. This bridge is called the “designated switch”
The designated switch handles all communication from that LAN
towards the root bridge.
Choose one of its ports as a root port (if it is a non-root switch)
This is the interface that gives the best path to root switch.
Select ports that are part of the spanning tree, called designated ports
Non-designated ports are blocked

51
www.ncp.edu.pk
Root Ports, Designated Ports, & Non-
Designated Ports

52
www.ncp.edu.pk
Information Contained in BPDUs

53
www.ncp.edu.pk
Spanning-Tree Operation
ƒ When the network has stabilized, it has converged and
there is one spanning tree per network
ƒ For every switched network the following elements
exist:
One root bridge per network
One root port per non root bridge
One designated port per segment
Unused, non-designated ports
ƒ Root ports and designated ports forward data traffic.
ƒ Non-designated ports discard data traffic
These ports are called blocking or discarding ports
54
www.ncp.edu.pk
Selecting the Root Bridge
ƒ The first decision that all switches in the network make,
is to identify the root bridge using the spanning-tree
algorithm
the bridge with the smallest Bridge ID(BID) value will
be the root bridge.

ƒ BPDUs are sent out with the Bridge ID (BID).

The BID consists of a bridge priority (that defaults to
32768) and the switch base MAC address
By default BPDUs are sent every two seconds
All switches see the BIDs sent
55
www.ncp.edu.pk
Selecting the Root Bridge Cont’d
ƒ When a switch first starts up, it assumes it is the root
switch and sends “inferior” BPDUs.
These BPDUs contain the bridge priority and switch
MAC address in both the root and sender BID
ƒ As a switch receives a BPDU with a lower root BID it
replaces that in the subsequent BPDUs it sends out
ƒ A network administrator can influence the decision by
setting the switch priority to a smaller value than the
default (which will make the BID smaller)
Should only be implemented when the traffic flow on
the network is well understood

56
www.ncp.edu.pk
Four Stages of Spanning-Tree Port States

•A port can also be in a disabled state which occurs when an

administrator shuts down the port or the port fails. 57
www.ncp.edu.pk
Four Stages of Spanning-Tree Port States
ƒ Blocking State
Ports can only receive BPDUs
Data frames are discarded and no addresses can be learned
It may take up to 20 seconds to change from this state
ƒ Listening State
Switches determine if there are any other paths to the root bridge
The path that is not the least cost path to the root bridge goes back to
the blocked state
BPDUs are still processed.
User data is not being forwarded and MAC addresses are not being
learned
The listening period is called the forward delay and lasts for 15 seconds
58
www.ncp.edu.pk
Four Stages of Spanning-Tree Port States
ƒ Learning State
user data is not forwarded, but MAC addresses are learned from any
traffic that is seen
The learning state lasts for 15 seconds and is also called the forward
delay
BPDUs are still processed

ƒ Forwarding state
user data is forwarded and MAC addresses continue to be learned
BPDUs are still processed

ƒ Disabled State (Fifth State)

can occur when an administrator shuts down the port or the port fails

59
www.ncp.edu.pk
Spanning-Tree Recalculation
ƒ A switched internetwork has converged when all the
switch and bridge ports are in either the forwarding
or blocked state
Forwarding ports send and receive data traffic and BPDUs
Blocked ports will only receive BPDUs

ƒ When the network topology changes, switches and

bridges recompute the Spanning Tree causing a
disruption of user traffic.
ƒ Convergence on a new spanning-tree topology
using the IEEE 802.1D standard can take up to 50
seconds 60
www.ncp.edu.pk
Link Aggregation
ƒ Also known as port bundling, link bundling, Etherchannel
ƒ You can use multiple links in parallel as a single, logical
link
For increased capacity
For redundancy (fault tolerance)
ƒ LACP (Link Aggregation Control Protocol) is a
standardized method of negotiating these bundled links
between switches using LACPDUs
ƒ PAgP is Cisco’s proprietary Port Aggregation Protocol.

61
www.ncp.edu.pk
Link Aggregation
ƒ Two switches connected via multiple links will send
control packets to form a single logical link.

active Enable LACP unconditionally

passive Enable LACP only if a LACP device is detected

auto Enable PAgP only if a PAgP device is detected

desirable Enable PAgP unconditionally
on Enable Etherchannel only

62
www.ncp.edu.pk
LACP Operation
100 Mbps

100 Mbps

LACPDUs
• Two switches are connected to each other using two sets of Fast Ethernet ports.
LACP is enabled and the ports are turned on

• Switches start sending LACPDUs, then negotiate how to set up the aggregation
100 Mbps

100 Mbps

200 Mbps logical link

•
•The result is an aggregated 200 Mbps logical link which is fault tolerant.

63
www.ncp.edu.pk
VLANs

Routing And Switching

www.ncp.edu.pk 64
Overview Of VLANs
VLAN Definitions
ƒ VLAN (virtual LAN) is a logical partition of a layer 2
network
ƒ Multiple partition can be created, allowing for multiple
VLANs to co-exist
ƒ Each VLAN is a broadcast domain, usually with its own
IP network
ƒ VLANS are mutually isolated and packets can only
pass between them through a router
ƒ The partitioning of the layer 2 network takes inside a
layer 2 device, usually a switch.
ƒ The hosts grouped within a VLAN are unaware of the
VLAN’s existence 65
www.ncp.edu.pk
Overview Of VLANs
VLAN Definitions

66
www.ncp.edu.pk
Overview Of VLANs
Benefits of VLANs
ƒ Security
ƒ Cost reduction
ƒ Better performance
ƒ Shrink broadcast domains
ƒ Improved IT staff efficiency
ƒ Simpler project and application management

67
www.ncp.edu.pk
Overview Of VLANs
Types of VLANs
ƒ Data VLAN
ƒ Default VLAN
ƒ Native VLAN
ƒ Management VLAN
ƒ Private VLAN

68
www.ncp.edu.pk
Overview Of VLANs
Types of VLANs

69
www.ncp.edu.pk
VLANs in a Multi-Switched Environment
VLAN Trunks
ƒ A VLAN trunk carries more than one VLAN
ƒ Usually established between switches so same-VLAN
devices can communicate even if physically connected
to different switches
ƒ A VLAN trunk is not associated to any VLANs.
ƒ Cisco IOS supports IEEE802.1q, a popular VLAN trunk
protocol

70
www.ncp.edu.pk
VLANs in a Multi-Switched Environment
VLAN Trunks

71
www.ncp.edu.pk
VLANs in a Multi-Switched Environment
Controlling Broadcast Domains with VLANs
ƒ VLANs can be used to limit the reach of broadcast
frames
ƒ A VLAN is a broadcast domain of its own
ƒ Therefore, a broadcast frame sent by a device in a
specific VLAN is forwarded within that VLAN only.
ƒ This help controlling the reach of broadcast frames and
their impact in the network
ƒ Unicast and multicast frames are forwarded within the
originating VLAN as well

72
www.ncp.edu.pk
VLANs in a Multi-Switched Environment
Tagging Ethernet Frames for VLAN Identification
ƒ Frame tagging is used to properly transmit multiple
VLAN frames through a trunk link
ƒ Switches will tag frames to identify the VLAN they
belong. Different tagging protocols exist, with IEEE
802.1q being a very popular one
ƒ The protocol defines the structure of the tagging header
added to the frame
ƒ Switches will add VLAN tags to the frames before
placing them into trunk links and remove the tags
before forwarding frames through non-trunk ports
ƒ Once properly tagged, the frames can transverse any
number of switches via trunk links and still be forward
within the correct VLAN at the destination 73
www.ncp.edu.pk
VLANs in a Multi-Switched Environment
Tagging Ethernet Frames for VLAN Identification

74
www.ncp.edu.pk
VLANs in a Multi-Switched Environment
Native VLANs and 802.1q Tagging
ƒ A frame that belongs to the native VLAN will not be
tagged
ƒ A frame that is received untagged will remain untagged
and placed in the native VLAN when forwarded
ƒ If there are no ports associated to the native VLAN and
no other trunk links, an untagged frame will be dropped
ƒ In Cisco switches, the native VLAN is VLAN 1 by
default

75
www.ncp.edu.pk
VLANs in a Multi-Switched Environment
Voice VLAN Tagging

76
www.ncp.edu.pk
VLAN Assignment
VLAN Ranges On Catalyst Switches
ƒ The Catalyst 2960 and 3560 Series switches support
over 4,000 VLANs
ƒ These VLANs are split into 2 categories:
ƒ Normal Range VLANs
• VLAN numbers from 1 through 1005
• Configurations stored in the vlan.dat (in the flash)
• VTP can only learn and store normal range VLANs

ƒ Extended Range VLANs

• VLAN numbers from 1006 through 4096
• Configurations stored in the running-config (in the NVRAM)
• VTP does not learn extended range VLANs
77
www.ncp.edu.pk
VLAN Assignment
Creating a VLAN

78
www.ncp.edu.pk
VLAN Assignment
Assigning Ports To VLANs

79
www.ncp.edu.pk
VLAN Assignment
Deleting VLANs

80
www.ncp.edu.pk
VLAN Assignment
Verifying VLAN Information

81
www.ncp.edu.pk
VLAN Assignment
Configuring IEEE 802.1q Trunk Links

82
www.ncp.edu.pk
VLAN Assignment
Resetting the Trunk To Default State

83
www.ncp.edu.pk
VLAN Assignment
Resetting the Trunk To Default State

84
www.ncp.edu.pk
VLAN Assignment
Verifying Trunk Configuration

85
www.ncp.edu.pk
VLAN Trunking
Protocol (VTP)

www.ncp.edu.pk 86
VLAN Management Challenge (1)

It is not difficult to add new VLAN for a small network

87
www.ncp.edu.pk
VLAN Management Challenge (2)

It is not easy to add a new VLAN to all of switches 88

www.ncp.edu.pk
What is VTP?

ƒ VTP allows a network manager to configure a switch so

that it will propagate VLAN configurations to other
switches in the network.
ƒ The switch can be configured in the role of a VTP server
or a VTP client. VTP server distributes and synchronizes
VLAN information to VTP-enabled switches throughout
the switched network
ƒ VTP only learns about normal-range VLANs (VLAN IDs 1
to 1005).
ƒ Extended-range VLANs (IDs greater than 1005) are not
supported by VTP.

89
www.ncp.edu.pk
VTP benefits

90
www.ncp.edu.pk
 VTP Components

ƒ VTP Domain: consists of one or more

interconnected switches.
ƒ All switches in a domain share VLAN
configuration details using VTP
advertisements.
ƒ A router or Layer 3 switch defines the
boundary of each domain.
ƒ VTP Advertisements : VTP uses a
hierarchy of advertisements to distribute
and synchronize VLAN configurations
across the network.
ƒ VTP Modes: A switch can be
configured in one of three modes:
server, client, or transparent.
ƒ VTP Pruning: VTP pruning increases network available bandwidth by restricting
flooded traffic to those trunk links that the traffic must use to reach the destination
devices.
91
www.ncp.edu.pk
Dynamic Trunking Protocol
Introduction to DTP
ƒ Switch ports can be manually configured to form trunks
ƒ Switch ports can also be configured to negotiate and
establish a trunk link with a connected peer
ƒ Dynamic Trunking Protocol (DTP) is a protocol to
manage trunk negotiation
ƒ DTP is a Cisco proprietary protocol and is enabled by
default in Cisco Catalyst 2960 and 3560 switches
ƒ If the port on the neighbor switch is configured in a
trunk mode that supports DTP, it manages the
negotiation
ƒ The default DTP configuration for Cisco Catalyst 2960
and 3560 switches is dynamic auto
92
www.ncp.edu.pk
Dynamic Trunking Protocol
Negotiated Interface Modes
ƒ Cisco Catalyst 2960 and 3560 support the following
trunk modes:
• switchport mode dynamic auto
• switchport mode dynamic desirable
• switchport mode trunk
• switchport nonegotiate

93
www.ncp.edu.pk
Routing Concepts

Routing Protocols

www.ncp.edu.pk 94
Functions of a Router
Why Routing?
ƒ The router is responsible for the routing of traffic
between networks.

95
www.ncp.edu.pk
Functions of a Router
Routers Interconnect Networks
ƒ Routers can connect multiple networks.
ƒ Routers have multiple interfaces, each on a different
IP network.

96
www.ncp.edu.pk
Functions of a Router
Routers Choose Best Paths
ƒ Determine the best path to send packets
Uses its routing table to determine path

ƒ Forward packets toward their destination

Forwards packet to interface indicated in routing table.
Encapsulates the packet and forwards out toward
destination.

ƒ Routers use static routes and dynamic routing

protocols to learn about remote networks and build
their routing tables.

97
www.ncp.edu.pk
 Functions of a Router
Packet Forwarding Methods
ƒ Process switching – An older
packet forwarding mechanism
still available for Cisco routers.
ƒ Fast switching – A common
packet forwarding mechanism
which uses a fast-switching
cache to store next hop
information.
ƒ Cisco Express Forwarding
(CEF) – The most recent,
fastest, and preferred Cisco
IOS packet-forwarding
mechanism. Table entries are
not packet-triggered like fast
switching but change-triggered.

98
www.ncp.edu.pk
Connect Devices
Default Gateways
To enable network access
devices must be configured
with the following IP address
information
ƒIP address - Identifies
a unique host on a
local network.
ƒSubnet mask -
Identifies the host’s
network subnet.
ƒDefault gateway -
Identifies the router a
packet is sent to to
when the destination is
not on the same local
network subnet.
99
www.ncp.edu.pk
 Connect Devices
Document Network Addressing
Network Documentation should include at least the following in a
topology diagram and addressing table:
ƒ Device names
ƒ Interfaces
ƒ IP addresses and
subnet mask
ƒ Default gateways

100
www.ncp.edu.pk
 Connect Devices
Enable IP on a Host
ƒ Statically Assigned IP address – host is manually
assigned the IP address, subnet mask and default
gateway. DNS server IP address can also be
assigned.
Used to identify specific network resources such as network
servers and printers
Can be used in very small networks with few hosts.

ƒ Dynamically Assigned IP Address – IP Address

information is dynamically assigned by a server using
Dynamic Host Configuration Protocol (DHCP)
Most hosts acquire their IP address information through
DHCP

101
www.ncp.edu.pk
 Connect Devices
Enable IP on a Switch
ƒ Network infrastructure devices require IP addresses to enable
remote management.
ƒ On a switch the management IP address is assigned on a virtual
interface

102
www.ncp.edu.pk
Basic Settings on a Router
Configure Basic Router Settings
Basics tasks that should be first configured on a Cisco Router and
Cisco Switch:
ƒ Name the device – Distinguishes it from other routers
ƒ Secure management access – Secures privileged EXEC, user
EXEC, and Telnet access, and encrypts passwords to their
highest level

ƒ Configure a banner – Provides legal notification of

unauthorized access.

103
www.ncp.edu.pk
 Basic Settings on a Router
Configure Router Interfaces
To be available a router
interface must be:
ƒ Configured with an
address and subnet mask .
ƒ Activated – by default LAN
and WAN interfaces are not
activated. Must be activated
using no shutdown
command.
ƒ Other parameters - serial
cable end labeled DCE must
be configured with the clock
rate command.
ƒ Optional description can be
included.
104
www.ncp.edu.pk
 Basic Settings on a Router
Configure a Loopback Interface
ƒ Loopback interface is a
logical interface internal to
the router.
ƒ It is not assigned to a
physical port, it is
considered a software
interface that is
automatically in an UP
state.
ƒ Useful for testing and
important in the OSPF
routing process.

105
www.ncp.edu.pk
Verify Connectivity of Directly Connected Networks
Verify Interface Settings
Show commands to verify
operation and
configuration of interface.
ƒ show ip interfaces brief
ƒ show ip route
ƒ show running-config
Show commands to gather
more detailed interface
information.
ƒ show interfaces
ƒ show ip interfaces

106
www.ncp.edu.pk
Switching Packets between Networks
Router Switching Functions

107
www.ncp.edu.pk
Switching Packets between Networks
Send a Packet

108
www.ncp.edu.pk
Switching Packets between Networks
Forward to the Next Hop

109
www.ncp.edu.pk
Switching Packets between Networks
Packet Routing

110
www.ncp.edu.pk
Switching Packets between Networks
Reach the Destination

111
www.ncp.edu.pk
Path Determination
Routing Decisions

112
www.ncp.edu.pk
Path Determination
Best Path
ƒ Best path is selected by a routing protocol based on the
value or metric it uses to determine the distance to
reach a network.
ƒ A metric is the value used to measure the distance to a
given network.
ƒ Best path to a network is the path with the lowest metric.
ƒ Dynamic routing protocols use their own rules and
metrics to build and update routing tables for example:
Routing Information Protocol (RIP) - Hop count
Open Shortest Path First (OSPF) - Cost based on cumulative
bandwidth from source to destination
Enhanced Interior Gateway Routing Protocol (EIGRP) -
Bandwidth, delay, load, reliability
113
www.ncp.edu.pk
Path Determination
Load Balancing
ƒ When a router has two or more paths to a destination
with equal cost metrics, then the router forwards the
packets using both paths equally.

114
www.ncp.edu.pk
Path Determination of the route
Administrative Distance
ƒ If multiple paths to a destination are configured on a
router, the path installed in the routing table is the one
with the best (lowest) Administrative Distance (AD).
ƒ Administrative Distance is the “trustworthiness” of the
route
ƒ The Lower the AD the more trustworthy the route.

115
www.ncp.edu.pk
The Routing Table
The Routing Table
ƒ Routing Table is a file stored in RAM that contains
information about
ƒ Directly Connected Routes
ƒ Remote Routes
ƒ Network or Next hop Associations

116
www.ncp.edu.pk
The Routing Table
Routing Table Sources
ƒ Show ip route command is used to display the contents
of the routing table
ƒ Directly connected interfaces -Added to the routing
table when an interface is configured and active.
ƒ Static routes - Added when a route is manually
configured and the exit interface is active.
ƒ Dynamic routing protocol - Added when EIGRP or
OSPF are implemented and networks are identified.

117
www.ncp.edu.pk
The Routing Table
Routing Table Sources

118
www.ncp.edu.pk
The Routing Table
Remote Network Routing Entries
ƒ Interpreting the entries in the routing table.

119
www.ncp.edu.pk
Directly Connected Routes
Directly Connected Interfaces
ƒ A newly deployed router, without any configured interfaces,
has an empty routing table.
ƒ An active, configured directly connected interface creates two
routing table entries Link Local (L) and Directly Connected (C)

120
www.ncp.edu.pk
Directly Connected Routes
Directly Connected Interfaces
ƒ A newly deployed router, without any configured interfaces,
has an empty routing table.
ƒ An active, configured directly connected interface creates two
routing table entries Link Local (L) and Directly Connected (C)

121
www.ncp.edu.pk
Statically Learned Routes
Static Routes
ƒ Manually configured
ƒ Define an explicit path between two networking devices.
ƒ Must be manually updated if the topology changes.
ƒ Benefits include improved security and control of
resources.
ƒ Static route to a specific network.
ip routenetworkmask {next-hop-ip | exit-intf}

ƒ Default Static Route used when the routing table does not
contain a path for a destination network.
ip route 0.0.0.0 0.0.0.0 {exit-intf | next-hop-ip

122
www.ncp.edu.pk
Statically Learned Routes
Static Routes Example

123
www.ncp.edu.pk
Dynamic Routing Protocols
Dynamic Routing
ƒ Used by routers to share information about the
reachability and status of remote networks.
ƒ Performs network discovery and maintaining routing
tables.

124
www.ncp.edu.pk
Dynamic Routing Protocols
IPv4 Routing Protocols
ƒ Cisco ISR routers can support a variety of dynamic IPv4
routing protocols including:
ƒ EIGRP – Enhanced Interior Gateway Routing Protocol
ƒ OSPF – Open Shortest Path First
ƒ IS-IS – Intermediate System-to-Intermediate System
ƒ RIP – Routing Information Protocol

125
www.ncp.edu.pk
Dynamic Routing Protocols
IPv4 Routing Protocols

126
www.ncp.edu.pk
Inter-VLAN Routing

Routing And Switching

www.ncp.edu.pk 127
Inter-VLAN Routing Operation
What is Inter-VLAN Routing?
ƒ Layer 2 switches can’t forward traffic between VLANs
without the assistance of a router
ƒ Inter-VLAN routing is a process for forwarding network
traffic from one VLAN to another using a router

128
www.ncp.edu.pk
Inter-VLAN Routing Operation
Router-On-A-Stick Inter-VLAN Routing
ƒ The so called router-on-a-stick approach uses a
different path to route between VLANs
ƒ One of the router’s physical interfaces is configured as
a 802.1Q trunk port. Now that interface can understand
VLAN tags
ƒ Logical sub-interfaces are then created. One sub-
interface per VLAN
ƒ Each sub-interface is configured with an IP address
from the VLAN it represents
ƒ VLAN members (hosts) are configured to use the sub-
interface address as a default gateway.
ƒ Only one of the router’s physical interface is used 129
www.ncp.edu.pk
Inter-VLAN Routing Operation
Multilayer Switch Inter-VLAN Routing
ƒ Multilayer switches can perform Layer 2 and Layer 3
functions. Routers are not required anymore
ƒ Each VLAN existent in the switch is a SVI
ƒ SVI are seen as layer 3 interfaces
ƒ The switch understands network layer PDUs and
therefore, it can route between its SVIs just as a router
routes between its interfaces
ƒ With a multilayer switch, traffic is routed internal to the
switch device
ƒ Very scalable solution

130
www.ncp.edu.pk
Configure Router-On-A-Stick
Preparation
ƒ An alternative to legacy inter-VLAN routing is to use
VLAN trunking and sub-interfaces
ƒ VLAN trunking allows a single physical router interface
to route traffic for multiple VLANs
ƒ The physical interface of the router must be connected
to a trunk link on the adjacent switch
ƒ On the router, sub-interfaces are created for each
unique VLAN on the network
ƒ Each sub-interface is assigned an IP address specific
to its subnet/VLAN and is also configured to tag frames
for that VLAN
131
www.ncp.edu.pk
Configure Router-On-A-Stick
Switch Configuration

132
www.ncp.edu.pk
Configure Router-On-A-Stick
Router Interface Configuration

133
www.ncp.edu.pk
Configure Router-On-A-Stick
Verifying Sub-interfaces

134
www.ncp.edu.pk
Configure Router-On-A-Stick
Verifying Sub-interfaces

135
www.ncp.edu.pk
Configure Router-On-A-Stick
Verifying Routing
ƒ Access to devices on remote VLANs can be tested
using the ping command.
ƒ The ping command sends an ICMP echo request to the
destination address
ƒ When a host receives an ICMP echo request, it
responds with an ICMP echo reply
ƒ Tracert is a useful utility for confirming the routed path
taken between two devices

136
www.ncp.edu.pk
Layer 3 Switching Operation And Configuration
Introduction To Layer 3 Switching
ƒ Layer 3 switches usually have packet-switching
throughputs in the millions of packets per second (pps)
ƒ All Catalyst switches support two types of Layer 3
interfaces:
• Routed Port
• SVI

ƒ High-performance switches, such as the Catalyst 6500

and Catalyst 4500, are able to perform most of the
router’s functions
ƒ But several models of Catalyst switches require
enhanced software for specific routing protocol feature

137
www.ncp.edu.pk
Layer 3 Switching Operation And Configuration
Inter-VLAN Routing with SVIs
ƒ Today routing has become faster and cheaper and can
performed at hardware speed
ƒ It can be transferred to core and distribution devices
with little to no impact on network performance
ƒ Many users are in separate VLANs, and each VLAN is
usually a separate subnet
ƒ This implies that each distribution switch must have IP
addresses matching each access switch VLAN
ƒ Layer 3 (routed) ports are normally implemented
between the distribution and the core layer

138
www.ncp.edu.pk
Layer 3 Switching Operation And Configuration
Inter-VLAN Routing with SVIs (cont)
ƒ By default, an SVI is created for the default VLAN
(VLAN1). This allows for remote switch administration
ƒ Any additional SVIs must be created by the admin
ƒ SVIs are created the first time the VLAN interface
configuration mode is entered for a particular VLAN SVI
ƒ The interface vlan 10 entered by the first time creates
an SVI named VLAN 10
ƒ The VLAN number used corresponds to the VLAN tag
associated with data frames on an 802.1Q
encapsulated trunk
ƒ Whenever the SVI is created, ensure that particular
VLAN is present in the VLAN database 139
www.ncp.edu.pk
Layer 3 Switching Operation And Configuration
Inter-VLAN Routing with SVIs (cont)
ƒ SVIs advantages include:
• It is much faster than router-on-a-stick, because everything is
hardware switched and routed.
• No need for external links from the switch to the router for
routing.
• Not limited to one link. Layer 2 EtherChannels can be used
between the switches to get more bandwidth.
• Latency is much lower, because it does not need to leave the
switch.

140
www.ncp.edu.pk
Troubleshooting Layer 3 Switching
Layer 3 Switching Configuration Issues
ƒ To troubleshoot Layer 3 switching issues, check the
following items for accuracy:
ƒ VLANs
• VLANs must be defined across all the switches
• VLANs must be enabled on the trunk ports
• Ports must be in the right VLANs

ƒ SVIs
• SVI must have the correct IP address or subnet mask
• SVI must be up
• SVI must match with the VLAN number

141
www.ncp.edu.pk
Troubleshooting Layer 3 Switching
Layer 3 Switching Configuration Issues
ƒ To troubleshoot Layer 3 switching issues, check the
following items for accuracy (cont):
ƒ Routing
• Routing must be enabled
• Each interface or network should be added to the routing
protocol

ƒ Hosts
• Hosts must have the correct IP address or subnet mask
• Hosts must have a default gateway associated with an SVI or
routed port

142
www.ncp.edu.pk