
University of Technology

Department of Computer Sciences

Layer 2 Switching, VLANs and Inter-VLAN Routing

By: M.Sc. student Bahaa A. Ali

Supervised by: Dr. Mohammad Natiq
2017

1. Layer 2 Switching
1.1 Introduction
Layer 2 switching is the process of using the hardware (MAC) addresses of the devices on a
LAN to segment a network. We rely on switching to break up large collision domains into
smaller ones; a collision domain is a network segment on which two or more devices share
the same bandwidth, and a hub-based network is the typical example of this. Because each
port on a switch is its own collision domain, we were able to build a much better Ethernet
LAN simply by replacing our hubs with switches. Switches have changed the way networks are
designed and implemented, and in this chapter we compare how networks were designed before
and after switching technologies.

1.2 Switching Services


1. Rather than the old bridges, which used software to create and manage a Content
Addressable Memory (CAM) filter table, modern switches use application-specific
integrated circuits (ASICs) to build and maintain their MAC filter tables.
2. Layer 2 switches and bridges are faster than routers because they do not spend time
examining the Network layer header. Instead, they look only at the frame's hardware
addresses before deciding whether to forward, flood, or drop the frame.
3. Unlike hubs, switches create private collision domains and provide dedicated
bandwidth on each port.

1.2.1 Advantages of Layer 2 Switching


There are four main advantages of using Layer 2 switching:

A. Hardware-based bridging (ASICs). The hardware keeps its tables in fast memory and
refreshes them at high speed, so forwarding decisions can be made in high-speed
hardware.
B. Wire speed.
C. Low latency.
D. Low cost.
Notice:
1. A big reason layer 2 switching is so efficient is that no modification to the data
packet takes place. The switch only reads the frame encapsulating the packet, which makes
the switching process considerably faster and less error-prone than routing.
2. If you use layer 2 switching for both workgroup connectivity and network segmentation
(breaking up collision domains), you can create more network segments than you can with
traditional routed networks.
3. Layer 2 switching also increases the bandwidth available to each user because, again,
each connection, or interface into the switch, is its own self-contained collision domain.

1.3 Switch Functions at Layer 2


There are three distinct functions of layer 2 switching that are vital to remember:
address learning, forward/filter decisions, and loop avoidance.

1.3.1 Address Learning


1. Layer 2 switches remember the source hardware address of each frame received and
enter this information into a MAC database called the forward/filter table.
2. When a switch is first powered on, the MAC forward/filter table (CAM) is empty, as
shown in Figure 1.
3. When a device transmits and an interface receives a frame, the switch places the
frame's source address in the MAC forward/filter table, which lets it remember the
interface the sending device is located on.
4. The switch then has no choice but to flood the network with this frame out of every
port except the source port, because it has no idea where the destination device is
actually located.

Figure 1: Empty forward/filter table on the switch
5. If a device answers this flooded frame and sends a frame back, the switch takes the
source address from that frame and places that MAC address in its database as well,
associating this address with the interface that received the frame. Because the
switch now has both of the relevant MAC addresses in its filtering table, the two
devices can make a point-to-point connection.
6. The switch does not need to flood the frame as it did the first time, because now
frames between these two devices are forwarded only between their two ports.
7. This is exactly why layer 2 switches are so superior to hubs.
8. In a hub network, all frames are forwarded out all ports every time, no matter what.
9. Figure 2 shows the processes involved in building a MAC database.

Figure 2: How the switch learns a host's location


Example:
1. Host A sends a frame to Host B. Host A's MAC address is 0000.8c01.000A; Host B's MAC
address is 0000.8c01.000B.

2. The switch receives the frame on the Fa0/0 interface and places the source address in
the MAC address table.
3. Since the destination address is not in the MAC database, the frame is forwarded out all
interfaces except the source port.
4. Host B receives the frame and responds to Host A. The switch receives this frame on
interface Fa0/1 and places the source hardware address in the MAC database.
5. Host A and Host B can now make a point-to-point connection, and only these specific
devices will receive the frames. Hosts C and D will not see the frames, nor will their MAC
addresses be found in the database, because they have not sent a frame to the switch yet.
☆ If Host A and Host B do not communicate through the switch again within a certain time
period (the aging time), the switch flushes their entries from the database to keep it as
current as possible.

1.3.2 Forward/Filter Decisions


1. When a frame arrives at a switch interface, the destination hardware address is
compared to the forward/filter MAC database.
2. If the destination hardware address is known and listed in the database, the frame is
sent only out of the appropriate exit interface, without flooding. The switch transmits
the frame only out of the destination interface, which preserves bandwidth on the other
network segments. This process is called frame filtering.
3. If the destination hardware address is not listed in the MAC database, the frame is
flooded out all active interfaces except the one it was received on. If a device answers
the flooded frame, the MAC database is updated with the device's location, that is, its
correct interface.

Figure 3: Forward/filter table
- In Figure 3, Host A sends a data frame to Host D. What do you think the switch will do
when it receives the frame from Host A?
- Look at Figure 4 to find the answer. Since Host A's MAC address is not in the
forward/filter table, the switch adds the source address and port to the MAC address
table, then forwards the frame to Host D.

Figure 4: Forward/filter answer


- Remember that the source MAC is always checked first to make sure it is in the CAM table.
After that, if Host D's MAC address had not been found in the forward/filter table, the
switch would have flooded the frame out all ports except port Fa0/3, because that is the
port the frame was received on.

Figure 5: Switch MAC address table

1.3.2.1 Port Security


- How do we actually prevent someone from simply plugging a host into one of our
switch ports, or worse, adding a hub, switch, or access point to the Ethernet in
their office?
- By default, MAC addresses just dynamically appear in your MAC forward/filter database,
and you can stop them in their tracks by using port security.
- Figure 6 shows two hosts connected to the single switch port Fa0/3 via either a hub
or an access point (AP).
Figure 6: Port security

- Port Fa0/3 is configured to observe and allow only certain MAC addresses to
associate with that specific port, so in this example Host A is denied access, but
Host B is allowed to associate with the port.

- For more security, always remember to shut down unused ports or assign them to an
unused VLAN. All ports are enabled by default, so you need to make sure there is no
access through unused switch ports.
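Added example (not part of the original page, and not Cisco IOS code): a small Python model of the learning switch described in sections 1.3.1 and 1.3.2 combined with the port security rule described here. Port names, MAC addresses, timestamps and the 300-second aging time are assumptions made for the example; the PortSecurity fields mirror the IOS settings switchport port-security maximum, mac-address, mac-address sticky and violation.

```python
"""Model of a layer 2 learning switch with port security.

Added example for this page, not Cisco code. It simulates the behaviours
described above: learning source MACs, forwarding/filtering/flooding on the
destination MAC, aging out idle entries, and port security limiting which
MACs may appear on a port. Port names, MACs and timestamps are constructed.
"""
from dataclasses import dataclass, field

AGING_SECONDS = 300  # assumption: Cisco's default MAC aging time is 300 s
BROADCAST = "ffff.ffff.ffff"


@dataclass
class PortSecurity:
    """Per-port policy, mirroring 'switchport port-security ...' settings."""
    max_addresses: int = 1                      # ... maximum N
    allowed: set = field(default_factory=set)   # ... mac-address <mac> (static)
    violation: str = "shutdown"                 # ... violation {shutdown|restrict|protect}
    sticky: bool = False                        # ... mac-address sticky


class Switch:
    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}      # mac -> (port, last_seen): the forward/filter table
        self.security = {}       # port -> PortSecurity
        self.err_disabled = set()
        self.violations = 0

    def age_out(self, now):
        """Flush entries that were not refreshed within the aging time."""
        for mac in [m for m, (_, t) in self.mac_table.items() if now - t > AGING_SECONDS]:
            del self.mac_table[mac]

    def _port_security_allows(self, port, src):
        ps = self.security.get(port)
        if ps is None or src in ps.allowed:
            return True
        learned = {m for m, (p, _) in self.mac_table.items() if p == port}
        if src in learned or len(ps.allowed | learned) < ps.max_addresses:
            if ps.sticky:
                ps.allowed.add(src)      # learned address becomes a permanent entry
            return True
        if ps.violation != "protect":
            self.violations += 1         # restrict/shutdown count (and would log) the event
        if ps.violation == "shutdown":
            self.err_disabled.add(port)  # port goes err-disabled until an admin resets it
        return False

    def receive(self, in_port, src, dst, now=0):
        """Process one frame and return the list of egress ports."""
        self.age_out(now)
        if in_port in self.err_disabled or not self._port_security_allows(in_port, src):
            return []
        # 1) address learning: source MAC -> ingress port, timestamp refreshed
        self.mac_table[src] = (in_port, now)
        # 2) forward/filter decision on the destination MAC
        entry = self.mac_table.get(dst)
        if dst != BROADCAST and entry is not None:
            out_port = entry[0]
            return [] if out_port == in_port else [out_port]  # filter: one port only
        # 3) unknown unicast or broadcast: flood out every port except the ingress
        return [p for p in self.ports if p != in_port]


def demo():
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3", "Fa0/4"])
    host_a, host_b, host_c = "0000.8c01.000a", "0000.8c01.000b", "0000.8c01.000c"
    first = sw.receive("Fa0/1", host_a, host_b, now=0)   # unknown dst: flooded
    reply = sw.receive("Fa0/2", host_b, host_a, now=1)   # dst known: one port only
    # Fa0/3 admits only Host C; any other source MAC shuts the port down
    sw.security["Fa0/3"] = PortSecurity(max_addresses=1, allowed={host_c})
    ok = sw.receive("Fa0/3", host_c, host_a, now=2)
    rogue = sw.receive("Fa0/3", "dead.beef.0001", host_a, now=3)
    return first, reply, ok, rogue, "Fa0/3" in sw.err_disabled


if __name__ == "__main__":
    print(demo())
```

The first frame from Host A is flooded out every port but its own; Host B's reply is sent only to Fa0/1. The rogue MAC on Fa0/3 is dropped and the port is err-disabled, which is the shutdown violation mode; restrict would only drop and count, and protect would drop silently.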

1.3.3 Loop Avoidance


Redundant links between switches are important to have in place because they help
prevent nasty network failures in the event that one link stops working. But it is also
true that redundant links can cause more problems than they solve. This is because frames
can be flooded down all redundant links, creating network loops as well as other evils.
Here is a list of the problems that can occur:
1. If no loop avoidance scheme is put in place, the switches flood broadcasts endlessly
throughout the internetwork. This is referred to as a broadcast storm. Figure 7
illustrates how a broadcast can be propagated throughout the network.
Figure 7: Broadcast storm

2. A device can receive multiple copies of the same frame because that frame can arrive
from different segments at the same time. Figure 8 shows how multiple copies of a frame
can arrive from multiple segments at the same time. The server in the figure sends a
unicast frame to Router C. Because it is a unicast frame, Switch A forwards the frame and
Switch B provides the same service and forwards the unicast too. This is bad because it
means that Router C receives that unicast frame twice, causing additional overhead on the
network.
Figure 8: Multiple frame copies

- All of these problems spell disaster, or close to it, and the Spanning Tree Protocol
(STP) was developed specifically to solve each and every one of them: it places the
redundant ports of a loop in a blocking state so that only one active path remains
between any two segments.
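Added example (not from the original page): a Python simulation of the two problems listed above. Two segments are joined by parallel switches, and each switch copies every frame it hears on one segment onto the other, which is exactly what a switch does with a broadcast or an unknown unicast. The topology, round count and the assumption that a blocked port neither sends nor receives user frames are constructed for this example.

```python
"""Why redundant layer 2 links need loop avoidance.

Added example, not from the original page. Two segments are joined by
bridging switches; every switch copies each frame it hears on one segment
onto the other. The topology and round counts are constructed.
"""


def simulate(links, start_segment, rounds, blocked=frozenset()):
    """Return how many copies of one broadcast are on the wire in each round.

    links:   {switch_name: (segment_x, segment_y)}
    blocked: {(switch_name, segment)} ports held in a blocking state, the
             way STP breaks a loop (assumption: a blocked port neither sends
             nor receives user frames)
    """
    in_flight = [(start_segment, None)]   # (segment, switch that put it there)
    history = []
    for _ in range(rounds):
        history.append(len(in_flight))
        next_round = []
        for segment, sender in in_flight:
            for switch, (x, y) in links.items():
                if switch == sender or segment not in (x, y):
                    continue              # a switch never echoes its own copy back
                other = y if segment == x else x
                if (switch, segment) in blocked or (switch, other) in blocked:
                    continue              # blocking port: no forwarding either way
                next_round.append((other, switch))
        in_flight = next_round
    return history


def demo():
    two = {"SwA": ("Seg1", "Seg2"), "SwB": ("Seg1", "Seg2")}
    three = dict(two, SwC=("Seg1", "Seg2"))
    return {
        # no loop avoidance: the broadcast never dies, and Seg2 receives two copies
        "storm": simulate(two, "Seg1", 5),
        # a third parallel switch makes the number of copies double every round
        "growing_storm": simulate(three, "Seg1", 5),
        # STP blocks one redundant port: one copy reaches Seg2, then silence
        "with_blocking": simulate(two, "Seg1", 5, blocked={("SwB", "Seg2")}),
    }


if __name__ == "__main__":
    for name, history in demo().items():
        print(f"{name}: {history}")
```

With two parallel switches the single broadcast circulates forever at a constant rate and the far segment sees it twice (the duplicate-frame problem from Figure 8); with three, the copies multiply each round (the broadcast storm from Figure 7). Blocking one port on one of the redundant switches leaves exactly one copy delivered and the loop dead.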

2. VLANs and Inter-VLAN Routing


2.1 Introduction

First we must remember that switches break up collision domains and routers break up
broadcast domains. By creating virtual local area networks (VLANs) we break up broadcast
domains in a switched internetwork. A VLAN is a logical grouping of network users and
resources connected to administratively defined ports on a switch. When you create VLANs,
you are given the ability to create smaller broadcast domains within a layer 2 switched
internetwork by assigning different ports on the switch to service different subnetworks.
A VLAN is treated like its own subnet or broadcast domain, meaning that frames broadcast
onto the network are only switched between the ports logically grouped within the same
VLAN.
So, does this mean we no longer need routers? Maybe yes; maybe no. It really depends on
what your particular networking needs and goals are. By default, hosts in a specific VLAN
cannot communicate with hosts that are members of another VLAN, so if you want inter-VLAN
communication you still need a router, or a layer 3 switch performing inter-VLAN routing
(IVR).

2.2 VLAN Basics


- Figure 9 illustrates the flat network architecture that used to be so typical for layer 2
switched networks. With this configuration, every broadcast packet transmitted is seen by
every device on the network regardless of whether the device needs to receive that data or
not.

Figure 9: Flat network architecture


- In Figure 9 we see Host A sending out a broadcast and all ports on all switches
forwarding it, all except the port that originally received it.
- Routers allow broadcasts to occur only within the originating network, while switches
forward broadcasts to all segments. By the way, the reason it is called a flat network is
that it is one broadcast domain, not that the actual design is physically flat.

- Now check out Figure 10. It pictures a switched network and shows Host A sending a
frame with Host D as its destination. Clearly, the important factor here is that the
frame is only forwarded out the port where Host D is located.

Figure 10: Benefit of a switched network

- The biggest benefit gained by having a layer 2 switched network is that it creates
individual collision domain segments for each device plugged into each port on the
switch. This scenario frees us from the old Ethernet density constraints and makes us
able to build larger networks.

2.2.1 VLAN Security


- The big issue is security! This one is real trouble because within the typical layer 2
switched internetwork, all users can see all devices by default. You cannot stop devices
from broadcasting, and you cannot stop users from trying to respond to broadcasts.
- But if you create a virtual LAN (VLAN), you can solve many of the problems associated
with layer 2 switching.
- VLANs work like this: Figure 11 shows all hosts in a very small company connected to
one switch, meaning all hosts will receive all frames, which is the default behaviour
of all switches.

Figure 11: One switch, one LAN: before VLANs, there were no separations between hosts
- If we want to separate the hosts' data, we could either buy another switch or create
virtual LANs, as shown in Figure 12.

Figure 12: One switch, two virtual LANs (logical separation between hosts): still physically
one switch, but this switch acts as many separate devices.
- In Figure 12 we configured the switch to be two separate LANs, two subnets, two
broadcast domains, two VLANs (they all mean the same thing) without buying another
switch. We can do this about 1,000 times on most Cisco switches.

- Here is a short list of the ways VLANs simplify network management:


1. Network adds, moves, and changes are achieved with ease by just configuring a
port into the appropriate VLAN.
2. A group of users that needs an unusually high level of security can be put into its
own VLAN so that users outside of that VLAN cannot communicate with it.
3. As a logical grouping of users by function, VLANs can be considered independent
from their physical or geographic locations.
4. VLANs greatly enhance network security if implemented correctly.
5. VLANs increase the number of broadcast domains while decreasing their size.

2.3 Identifying VLANs


There are two different types of ports in a switched environment:
1. Access ports: An access port belongs to and carries the traffic of only one VLAN.
Traffic is both received and sent in native format with no VLAN information (tagging)
whatsoever. Anything arriving on an access port is simply assumed to belong to the
VLAN assigned to the port. Because an access port does not look at VLAN tags, tagged
traffic (a frame with VLAN information added to it) can only be sent and received on
trunk ports.

- With an access link, this can be referred to as the configured VLAN of the port. Any
device attached to an access link is unaware of its VLAN membership; the device just
assumes it is part of some broadcast domain.
- Voice access ports: the statement that an access port can be assigned to only one VLAN
is really only sort of true. Nowadays, most switches let you add a second VLAN to an
access port for your voice traffic, called the voice VLAN. The voice VLAN used to be
called the auxiliary VLAN.

Figure 13: Access ports (notice there are access ports for each host and an access port
between the switches, one for each VLAN)

2. Trunk ports: The term trunk port was inspired by the telephone system trunks, which
carry multiple telephone conversations at a time. It follows that trunk ports can similarly
carry multiple VLANs at a time.
A trunk link is a 100, 1,000, or 10,000 Mbps point-to-point link between two switches,
between a switch and a router, or even between a switch and a server, and it carries the
traffic of multiple VLANs, from 1 to 4,094 VLANs at a time. The number is really only up
to 1,001 unless you are going with something called extended VLANs. A single trunk link
replaces a separate access link for each VLAN between the switches.
Advantages of trunking:
A. Trunking can be a real advantage because with it, you get to make a single port part
of many different VLANs at the same time.
B. Another benefit of trunking comes into play when you are connecting switches: trunk
links can carry the frames of various VLANs across them.

Figure 14: Trunk port (VLANs can span multiple switches by using trunk links, which carry
traffic for multiple VLANs).

2.4 Routing between VLANs


For this, you can use a router that has an interface for each VLAN, a router that
supports ISL or 802.1Q trunking, or a layer 3 switch.

1. If you had two or three VLANs, you could get by with a router equipped with two or
three Fast Ethernet connections, as in Figure 15. Each router interface is plugged into an
access link, so each router interface IP address becomes the default gateway address for
the hosts in the respective VLAN.

Figure 15: Router connecting three VLANs together for inter-VLAN communication, one router
interface for each VLAN.

2. If you have more VLANs than router interfaces, you can configure trunking on one Fast
Ethernet interface or buy a layer 3 switch.
Figure 16 shows how a Fast Ethernet interface on a router looks when configured with ISL
or 802.1Q trunking. This allows all VLANs to communicate through one interface. Cisco
calls this a router on a stick (ROAS).
Figure 16: Router on a stick: single router interface connecting all three VLANs together
for inter-VLAN communication.


3. Router with logical interfaces: Figure 17 shows how we would create a router on a
stick using a router's physical interface by creating logical interfaces, one for each
VLAN.

Figure 17: Router with logical interfaces
We see one physical interface divided into multiple subinterfaces, with one subnet
assigned per VLAN, each subinterface being the default gateway address for its
VLAN/subnet. An encapsulation identifier must be assigned to each subinterface to define
the VLAN ID of that subinterface (on Cisco IOS, encapsulation dot1Q followed by the VLAN
ID).
4. Layer 3 switch: configure logical interfaces on the backplane of the layer 3 switch;
this is called inter-VLAN routing (IVR) and is configured with a switched virtual
interface (SVI) per VLAN. Figure 18 shows how hosts see these virtual interfaces.

In Figure 18, it appears there is a router present, but there is no physical router as
there was when we used router on a stick. The IVR process takes little effort and is easy
to implement. It is also a lot more efficient for inter-VLAN routing than an external
router, because traffic does not have to leave the switch and come back over a single
trunk link. To implement IVR on a multilayer switch, we just need to create logical
interfaces in the switch configuration for each VLAN.
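Added example (not part of the original page, and not router software): a Python model of the router on a stick from items 3 and 4 above. One physical interface is split into 802.1Q subinterfaces, each of which is the default gateway of one VLAN's subnet, and the router forwards between them by matching the destination against the connected subnets; the SVIs of a layer 3 switch behave the same way for this purpose. Interface names, VLAN IDs and addresses are constructed. The check that a packet's source address belongs to the subnet of the VLAN it arrived on is an added sanity check (the idea behind unicast reverse path forwarding), not something the page describes.

```python
"""Router on a stick / SVI inter-VLAN routing model.

Added example, not router software. Interface names, VLAN IDs and
addresses are constructed; the source-subnet check is an added sanity
check, not something the page describes.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SubInterface:
    """One subinterface: 'interface Fa0/0.<n>', 'encapsulation dot1Q <vlan>', 'ip address'."""
    name: str
    vlan: int
    address: ipaddress.IPv4Interface


class RouterOnAStick:
    def __init__(self, subinterfaces):
        self.by_vlan = {s.vlan: s for s in subinterfaces}

    def gateway_for(self, vlan):
        """Default-gateway address that hosts in this VLAN must be configured with."""
        return self.by_vlan[vlan].address.ip

    def route(self, ingress_vlan, src_ip, dst_ip):
        """Return (egress_vlan, next_hop) or None when the packet is dropped."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        ingress = self.by_vlan.get(ingress_vlan)
        if ingress is None:
            return None           # tag for a VLAN with no subinterface: nobody routes it
        if src not in ingress.address.network:
            return None           # source does not belong on this VLAN's subnet (added check)
        # longest-prefix match among the connected subnets
        best = None
        for sub in self.by_vlan.values():
            net = sub.address.network
            if dst in net and (best is None or net.prefixlen > best.address.network.prefixlen):
                best = sub
        if best is None:
            return None           # no route (this model has no default route)
        if dst == best.address.ip:
            return (best.vlan, "local")    # addressed to the gateway itself
        return (best.vlan, str(dst))       # connected subnet: deliver directly, re-tagged


def demo():
    router = RouterOnAStick([
        SubInterface("Fa0/0.10", 10, ipaddress.ip_interface("192.168.10.1/24")),
        SubInterface("Fa0/0.20", 20, ipaddress.ip_interface("192.168.20.1/24")),
        SubInterface("Fa0/0.30", 30, ipaddress.ip_interface("192.168.30.1/24")),
    ])
    return {
        "gateway_10": str(router.gateway_for(10)),
        "10_to_20": router.route(10, "192.168.10.25", "192.168.20.7"),
        "to_gateway": router.route(20, "192.168.20.7", "192.168.20.1"),
        "no_route": router.route(10, "192.168.10.25", "10.0.0.1"),
        "wrong_subnet_src": router.route(10, "192.168.20.7", "192.168.30.5"),
        "unknown_vlan": router.route(40, "192.168.40.2", "192.168.10.1"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A host in VLAN 10 reaches VLAN 20 only because the frame arrives tagged 10 on the trunk, is routed, and leaves tagged 20 on the same physical interface; a frame tagged for a VLAN with no subinterface has no gateway and goes nowhere.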
