
CISCO CCNA

SWITCHING
Study Guide
CCNA Basic Switching
❏ A network switch is a computer networking device that
connects devices together on a computer network by using
packet switching to receive, process, and forward data to the
destination device.

❏ A network switch is a multiport network bridge that uses MAC
(hardware) addresses to process and forward data at the data link
layer (layer 2) of the OSI model.
Switching on the Network Layers

[Figure: devices by OSI layer. Layer 3: routers. Layer 2: switches, bridges. Layer 1: hubs, repeaters.]
● As networks grew in size and complexity, the bridge
evolved into the modern switch, allowing further
segmentation of the network.

● Today's networks typically are built using switches and
routers, often with the routing and switching function in
the same device.
HUBS
● A hub is the simplest of the devices mentioned above.

● Hubs cannot filter data, so every frame is repeated to all connected
devices. Each end device has to decide whether the frame is meant for it.
This can slow down the network overall.

● Hubs have no intelligence to find the best path for data. This
leads to inefficiency and wasted bandwidth.

● A hub simply repeats the signal received on one port out of every other port.


An 8 port mini Ethernet Hub

● Broadcast Layer 1 device

● All hosts connected through a hub share a single
collision domain.

● Simple, inexpensive device


BRIDGES
● A bridge is a device that connects a local area network (LAN) to another
LAN that uses the same protocol.

● Having only a few ports (classically two, one per segment) and filtering traffic
on the LAN by looking at MAC addresses, a bridge is more complex than a hub.

● Unlike a hub, a bridge looks at the destination MAC address of a frame before
forwarding it. If the destination is known to be on the same segment the frame came
from, the bridge does not repeat it onto the other segment; frames to unknown
destinations are still forwarded.
SWITCHES
● Compared to a bridge, a switch has many more ports. A store-and-forward switch
can check the frame check sequence (FCS) before forwarding data.

● Switches are efficient because they forward only good frames, and only to
the port where the destination device is attached.

● Switches can operate at layer 2 (based on MAC addresses) or also at layer
3 (based on IP addresses), depending on the type of switch.

● Large networks use switches instead of hubs.


CISCO C3650 Stack Switch
● Switches create a virtual circuit between two connected devices,
establishing a dedicated communication path between them.

● A switch is also able to facilitate multiple, simultaneous virtual
circuit connections.
Basic Packet Switching

Comparison: Hubs vs Switches

Aspect             | Hub                                          | Switch
-------------------|----------------------------------------------|-----------------------------------------------------
Layer              | Physical layer; hubs are Layer 1 devices     | Data link layer; switches operate at Layer 2 of
                   | per the OSI model                            | the OSI model (Layer 3 switches also route)
Function           | Connect personal computers together through  | Connect multiple devices; manage ports and
                   | a central hub                                | VLAN security settings
Data transmission  | Electrical signals or bits                   | Frames (L2 switch); frames and packets (L3 switch)
Transmission mode  | Half duplex                                  | Half or full duplex
Transmission type  | Repeats every signal to every port, whether  | Floods broadcast, multicast and unknown-unicast
                   | it is unicast, multicast or broadcast        | frames; forwards known unicast to one port only
Ports              | 4 to 12 ports                                | Multiport bridge; typically 24 or 48 ports
Device type        | Passive device (no software)                 | Active networking device (runs software)
Used in            | LAN                                          | LAN
Table              | A hub cannot learn or store MAC addresses    | A switch keeps a MAC (CAM) table in content
                   |                                              | addressable memory, typically looked up by an
                   |                                              | ASIC (application specific integrated circuit)
Broadcast domain   | One broadcast domain                         | One broadcast domain, unless VLANs are
                   |                                              | configured (then one per VLAN)
Collisions         | Collisions are common in hub setups          | No collisions on a full-duplex switch port
Spanning tree      | No spanning tree                             | Spanning tree supported; one instance per VLAN
                   |                                              | possible
Manufacturers      | Sun, Oracle, Cisco                           | Cisco, D-Link, Juniper
Broadcast Domain
● A broadcast domain is a logical division of a computer network in which all
nodes can reach each other by broadcast at the data link layer.
● A broadcast domain can be a single LAN segment, or several LAN segments
joined by bridges or switches.
● A virtual local area network (VLAN) is a broadcast domain defined in switch
configuration: its members share one broadcast domain even though they are
not on the same physical segment.
● Routers do not forward layer 2 broadcasts, so each router interface bounds a
broadcast domain.
Nominally, only broadcast frames will be received by all other nodes.

Collisions are localized to the network segment they occur on.

Thus the broadcast domain is the entire inter-connected layer two network, and the
segment connected to each switch port is its own collision domain.
Collision Domain
● A collision domain is a part of a network where frame collisions can occur.

● A collision occurs when two devices transmit at the same time on a shared
network segment. The frames collide and both devices must retransmit. This
reduces network efficiency.

● Collisions are common in a hub network, because every port on a hub is in the
same collision domain. In contrast, each port on a bridge, a switch or a router is
a separate collision domain.
● In the figure, there are 6 collision domains.
● All ports on a router are in different broadcast domains,
and routers do not forward broadcasts from one broadcast
domain to another.
Functions Of Switching
Learning
● Learning is the process of obtaining the MAC addresses of connected devices.
● When a frame arrives on a switch port, the switch reads the source MAC
address from the Ethernet frame and looks it up in its CAM
(Content Addressable Memory) table.
● If the switch cannot find a corresponding entry in the MAC address table, the
switch adds the address to the table together with the port number.
● If the MAC address is already in the MAC address table, the switch
compares the incoming port with the port recorded in the table.
If the port numbers differ, the switch updates the entry with the
new port number.
Forwarding
● Forwarding is the process of passing traffic from a device connected to
one port of a switch to a device connected to another port on
the switch. When a frame arrives on a port, the switch
reads the destination MAC address as part of the forwarding function.
● If the destination MAC address is not found in the MAC address table, the
switch forwards the frame out of all its ports except the one it arrived on. This is
known as flooding.
● Flooding prevents loss of traffic while the switch is still learning. When the
destination device receives the Ethernet frame and sends a reply to the
source device, the switch reads the source MAC address of that reply
and adds it to the MAC address table, so later frames go to one port only.
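The learning, forwarding and flooding steps above, replayed on a toy four-port switch. This is an added illustration written for this guide, not code from the study guide or from any Cisco product; the port numbers and MAC addresses are constructed sample values.

```python
# Toy Layer-2 switch: MAC learning, known-unicast forwarding, flooding.
# Added illustration for this guide, not code from the study guide or from
# any Cisco product. Port numbers and MAC addresses are constructed samples.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str


@dataclass
class Switch:
    ports: List[int]
    # The MAC address (CAM) table: source MAC -> port it was last seen on.
    mac_table: Dict[str, int] = field(default_factory=dict)

    def learn(self, frame: Frame, in_port: int) -> None:
        # Learning: bind the source MAC to the ingress port. If the MAC was
        # already bound to another port, the newer sighting wins. That is how
        # a moved station is tracked, and also why a host sending frames with
        # another station's source MAC can pull that entry onto its own port
        # (the control for that is port security, covered below).
        self.mac_table[frame.src] = in_port

    def forward(self, frame: Frame, in_port: int) -> List[int]:
        """Return the egress ports for a frame received on in_port."""
        self.learn(frame, in_port)
        out_port = self.mac_table.get(frame.dst)
        if frame.dst == BROADCAST or out_port is None:
            # Broadcast or unknown unicast: flood out every port except the
            # one the frame arrived on.
            return [p for p in self.ports if p != in_port]
        if out_port == in_port:
            # Destination is on the sender's own segment: filter the frame.
            return []
        # Known unicast: forward on exactly one port.
        return [out_port]


def walk_through() -> Tuple[Switch, List[Tuple[str, List[int]]]]:
    """Replay the ARP-then-reply exchange from the text on a 4-port switch."""
    sw = Switch(ports=[1, 2, 3, 4])
    a, b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"  # constructed sample MACs
    steps = []
    # 1. Host A on port 1 broadcasts an ARP request: flooded to ports 2, 3, 4.
    steps.append(("A broadcast", sw.forward(Frame(a, BROADCAST), 1)))
    # 2. Host B on port 2 replies: A is known from step 1, so port 1 only.
    steps.append(("B -> A", sw.forward(Frame(b, a), 2)))
    # 3. A sends to B: B was learned from the reply, no flooding needed.
    steps.append(("A -> B", sw.forward(Frame(a, b), 1)))
    # 4. A is re-patched to port 3 and sends again: its entry moves to port 3.
    steps.append(("A -> B from port 3", sw.forward(Frame(a, b), 3)))
    # 5. B sends to A: now delivered on port 3.
    steps.append(("B -> A after move", sw.forward(Frame(b, a), 2)))
    return sw, steps


if __name__ == "__main__":
    switch, trace = walk_through()
    for label, egress in trace:
        print(f"{label:22s} -> ports {egress}")
    print("MAC table:", switch.mac_table)
```

Two things worth noticing in the trace: the only flooded frame is the very first broadcast, because the reply already teaches the switch where both hosts are; and step 4 shows the table silently following a source MAC to a new port, which is the behaviour port security is there to constrain.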
Loop Prevention

● A switch creates a loop-free environment with other switches by using
STP (Spanning Tree Protocol).

● Physically redundant links help LAN availability; STP prevents the
switching logic from forming loops that would congest the LAN indefinitely.

● Broadcast frames occur all the time in switched networks. In a bridging loop
they keep circulating forever and multiply on every pass, starving the network
of bandwidth and the switches of resources.
Port Security
● The port security feature is used to restrict input to an interface by limiting and
identifying MAC addresses of the workstations that are allowed to access the
port.
● When you assign secure MAC addresses to a secure port, the port does not
forward packets with source addresses outside the group of defined
addresses.
● If you limit the number of secure MAC addresses to one and assign a single
secure MAC address, the workstation attached to that port is assured the full
bandwidth of the port.
To enable Port Security on an interface:
Switch(config)# interface fa 1/10
Switch(config-if)# switchport port-security

By default, Port Security will allow only one MAC address on an interface. To
adjust the maximum number of allowed MAC addresses (the upper bound is
platform dependent):

Switch(config-if)# switchport port-security maximum 2

To statically map the allowed MAC addresses on an interface:

Switch(config-if)# switchport port-security mac-address 0001.1111.2222
Switch(config-if)# switchport port-security mac-address 0001.3333.5555
A violation occurs if a frame with an unauthorized source MAC address arrives on
the port. There are three violation actions a switch can perform:

• Shutdown – If a violation occurs, the interface is placed in an
errdisable state. The interface stops forwarding all traffic,
including non-violating traffic, until it is removed from the errdisable
state (shutdown followed by no shutdown, or errdisable recovery). This is
the default action for Port Security.

• Restrict – If a violation occurs, the interface remains online.
Legitimate traffic is forwarded and unauthorized traffic is
dropped. Violations are counted and logged, via a syslog message or SNMP
trap.

• Protect – If a violation occurs, the interface remains online.
Legitimate traffic is forwarded and unauthorized traffic is
dropped, but nothing is logged.
To configure the desired Port Security violation action:

Switch(config-if)# switchport port-security violation shutdown


Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security violation protect
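The decision logic behind the three violation actions, run against the same traffic, as an added illustration for this guide (not IOS code and not from the study guide). The interface name and the two static MACs match the configuration above; the intruder MAC is constructed, and the log strings are simplified placeholders, not real IOS syslog text.

```python
# Port-security decision logic for one interface: secure-MAC limit plus the
# shutdown / restrict / protect violation actions. Added illustration, not
# IOS code; log strings are simplified and MAC addresses are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                     # switchport port-security maximum N
    violation: str = "shutdown"          # shutdown (default) | restrict | protect
    static: Set[str] = field(default_factory=set)    # port-security mac-address ...
    learned: Set[str] = field(default_factory=set)   # dynamically learned secure MACs
    errdisabled: bool = False
    violation_count: int = 0
    log: List[str] = field(default_factory=list)

    def secure_macs(self) -> Set[str]:
        return self.static | self.learned

    def ingress(self, src_mac: str) -> str:
        """Decide what happens to a frame with source src_mac: 'forward' or 'drop'."""
        if self.errdisabled:
            # Shutdown action already fired: nothing passes until an admin
            # recovers the port (shutdown / no shutdown, or errdisable recovery).
            return "drop"
        if src_mac in self.secure_macs():
            return "forward"
        if len(self.secure_macs()) < self.maximum:
            # Room left under the maximum: learn it as a secure address.
            self.learned.add(src_mac)
            return "forward"
        # Unknown source MAC and the port is full: a violation.
        self.violation_count += 1
        if self.violation == "shutdown":
            self.errdisabled = True
            self.log.append(f"{self.name}: violation from {src_mac}, port err-disabled")
        elif self.violation == "restrict":
            self.log.append(f"{self.name}: violation from {src_mac}, frame dropped")
        # protect: dropped silently, nothing logged
        return "drop"


def compare_actions() -> Dict[str, List[str]]:
    """Same traffic against the three actions: legit, intruder, legit again."""
    legit = {"0001.1111.2222", "0001.3333.5555"}   # the two static MACs from the text
    intruder = "0001.9999.0001"                      # constructed, not in the secure set
    outcome = {}
    for action in ("shutdown", "restrict", "protect"):
        port = SecurePort("Fa1/10", maximum=2, violation=action, static=set(legit))
        outcome[action] = [
            port.ingress("0001.1111.2222"),
            port.ingress(intruder),
            port.ingress("0001.3333.5555"),   # legit traffic after the violation
            f"violations={port.violation_count}",
            f"logged={len(port.log)}",
        ]
    return outcome


if __name__ == "__main__":
    for action, result in compare_actions().items():
        print(f"{action:9s} {result}")
```

The third column is the practical difference: with shutdown, the legitimate station behind the port loses service as soon as an intruder sends one frame, so an attacker who can inject frames can take a port down; restrict keeps the legitimate station up and leaves an audit trail; protect keeps it up but leaves nothing to detect.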
Virtual LAN (VLAN)
● Virtual Local Area Networks (VLANs) divide a single existing physical
network into multiple logical networks.

● VLAN membership can be configured through software instead of
physically relocating devices or connections.

● By using VLANs, you can take four ports on one switch and associate
them with a VLAN, which means you treat those four ports as their own
separate switch.
The above diagram shows how VLANs separate individual network
segments for security.

Finance, Sales and Management networks need to be separated via VLANs to
ensure
Advantages of using VLAN
● VLANs enable logical grouping of end-stations that are physically dispersed
on a network.
● When users on a VLAN move to a new physical location but continue to
perform the same job function, the end-systems do not need to be
reconfigured.
● VLANs let you separate users into individual network segments, so that
a host in one segment cannot reach hosts in another at layer 2.
● By confining broadcast domains, end-stations on a VLAN are prevented
from listening to or receiving broadcasts not intended for them. If no router
(or layer 3 switch) routes between the VLANs, the end-systems of one VLAN cannot
communicate with the end-stations of the other VLANs.
[Figure: a router connecting the VLANs; VLANs separate broadcast domains.]
Types of VLAN
● Static VLAN: the administrator assigns a switch port to a VLAN
with an interface configuration mode command. Also known as a port-based VLAN.

● Dynamic VLAN: the administrator stores the host MAC addresses
in a database, and the switches assign a VLAN dynamically
whenever a host is plugged into a port, based on its MAC address.
Configuring a VLAN
Consider the following figure of a simple configuration:
Creating a VLAN

S1(config)#vlan 10                 -------- VLAN 10 created
S1(config-vlan)#name cisco1        -------- VLAN name
S1(config)#vlan 20                 -------- VLAN 20 created
S1(config-vlan)#name cisco2        -------- VLAN name
S1(config)#vlan 30                 -------- VLAN 30 created
S1(config-vlan)#name cisco3        -------- VLAN name
Assigning VLAN Membership

S1(config)#interface fastEthernet 0/2
S1(config-if)#switchport mode access
S1(config-if)#switchport access vlan 10      -------- VLAN 10 to Fa 0/2

S1(config-if)#interface fastEthernet 0/3
S1(config-if)#switchport mode access
S1(config-if)#switchport access vlan 20      -------- VLAN 20 to Fa 0/3

S1(config-if)#interface fastEthernet 0/4
S1(config-if)#switchport mode access
S1(config-if)#switchport access vlan 30      -------- VLAN 30 to Fa 0/4

The same configuration is applied to Switch 2 (S2) in the figure.

[Figure: S1 with Fa0/2 in VLAN 10, Fa0/3 in VLAN 20 and Fa0/4 in VLAN 30.]
VLAN Port Trunking
● A port configured for trunk mode is also called a trunk port and, by default, it
will pass traffic for all VLANs.
● Port Fa 0/1 in the above example is set as a trunk port, to allow same-
VLAN communication between the switches.

S1(config)#interface fastEthernet 0/1
S1(config-if)#switchport mode trunk
S1(config-if)#switchport trunk allowed vlan all

S2(config)#interface fastEthernet 0/1
S2(config-if)#switchport mode trunk
S2(config-if)#switchport trunk allowed vlan all

[Figure: S1 and S2, each with VLANs 10, 20 and 30, joined by the trunk on Fa0/1.]

We have successfully assigned VLAN membership.

VLANs 10, 20 and 30 on S1 communicate with VLANs 10, 20 and 30 on S2 via
the trunk port connection. "allowed vlan all" is the default; the allowed list
can be narrowed to just the VLANs that need to cross the link, so the trunk does
not carry every VLAN on the switch.
Inter-VLAN Routing
● Devices within a VLAN can communicate with each other without the need for
layer 3 routing. Devices in separate VLANs require a layer 3 device
to communicate with one another.

● Routing traffic from one VLAN to another VLAN is called inter-VLAN
routing.

● Consider the following figure:

● Now host A can communicate with host C or D.
● First, host A knows (from its own IP address and mask) that the destination host is
in a different subnet, so it sends the traffic to its default gateway (on the router)
through the switch.
● The switch tags the frame as originating on VLAN 10 and forwards it to the router. In turn,
the router makes a routing decision from VLAN 10 to VLAN 20 and sends that traffic back
to the switch, where it is forwarded out to host D.
● The routing decision to another VLAN is made by the router, not the switch. When frames
leave the router (step 3 in the picture above), they are tagged with VLAN 20.
● Hosts A and D are unaware of any VLAN information. The switch attaches the VLAN tag
when receiving frames from host A and removes it before forwarding to
host D.
● The disadvantage of this topology is that each VLAN needs its own physical
connection from the router to the switch, and in practice a router has
very few interfaces.

● To overcome this problem, we can create many logical interfaces on one
physical interface. For example, on physical interface fa0/0 we can create
sub-interfaces such as fa0/0.0, fa0/0.1 ...
● The router treats each sub-interface as a separate physical interface in routing
decisions.
● Data can be sent and received on the same physical interface (but different sub-
interfaces) without being dropped. This design is called "router on a stick".
TRUNK PORT
Configuration
Configure the trunk port on the switch (the port facing the router):

Switch(config)#interface f0/0
Switch(config-if)#no shutdown
Switch(config-if)#switchport mode trunk

(Note: the router's main interface f0/0 does not need an IP address, but it must
be turned on.)
Configure VLANs and access ports:

Switch(config)#vlan 10
Switch(config-vlan)#name SALES
Switch(config-vlan)#vlan 20
Switch(config-vlan)#name TECH

Switch(config-vlan)#interface range fa0/1-2
Switch(config-if-range)#no shutdown
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 10
Switch(config-if-range)#interface range fa0/3-4
Switch(config-if-range)#no shutdown
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 20
Create sub-interfaces, set 802.1Q encapsulation and an IP address on each
sub-interface:

Router(config)#interface fa 0/0
Router(config-if)#no shutdown
Router(config-if)#interface f0/0.0
Router(config-subif)#encapsulation dot1q 10
Router(config-subif)#ip address 192.168.1.1 255.255.255.0
Router(config-subif)#interface f0/0.1
Router(config-subif)#encapsulation dot1q 20
Router(config-subif)#ip address 192.168.2.1 255.255.255.0
Inter-VLAN Routing with Layer 3 Switch
● In practice, we often use a layer 3 switch instead of a switch plus a "router on
a stick"; this reduces the complexity and the cost of the topology.

● With the following topology, we don't need a trunk to a router or the
"switchport mode trunk" command.

● On a layer 3-capable switch, the port interfaces work as layer 2 access ports
by default, but you can also configure them as "routed ports" (with the
"no switchport" interface command), which act as normal router interfaces, so
you can assign an IP address directly on the routed port. The example below
instead keeps the ports as access ports and uses a switched virtual interface
(interface Vlan10, interface Vlan20) as the gateway for each VLAN, with
"ip routing" enabled on the switch:

Switch(config)# ip routing
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport mode access
Switch(config-if)# interface FastEthernet0/2
Switch(config-if)# switchport access vlan 20
Switch(config-if)# switchport mode access
Switch(config-if)# interface Vlan10
Switch(config-if)# ip address 192.168.10.1 255.255.255.0
Switch(config-if)# interface Vlan20
Switch(config-if)# ip address 192.168.20.1 255.255.255.0
Native VLANs

Normally a switch port configured as a trunk port sends and receives IEEE
802.1Q VLAN-tagged Ethernet frames.

If a switch receives untagged Ethernet frames on its trunk port, they are
placed in the VLAN configured on that port as the native VLAN, and frames
belonging to the native VLAN are sent out of the trunk untagged.

Both ends of a trunk link must be configured with the same native VLAN;
otherwise untagged frames leave one switch in one VLAN and arrive at the other
switch in a different VLAN (IOS reports this as a native VLAN mismatch when CDP
is running between the two switches).

On most switches the native VLAN is VLAN 1 by default.

Setting the Native VLAN
By default the native VLAN is VLAN 1, but you can change
that:

Switch#show interface Fa0/8 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/8       on           802.1q         other         1

Switch(config-if)#switchport trunk native vlan 2
Switch(config-if)#do show interface f0/8 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/8       on           802.1q         other         2
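The two behaviours described in this section and in the inter-VLAN routing walkthrough (tag on the way into the trunk, strip on the way out, and untagged frames falling into the native VLAN), worked through at the byte level. This is an added illustration written for this guide, not code from the page or from any vendor; the frame bytes, MAC addresses and VLAN numbers are constructed samples.

```python
# 802.1Q tag handling on a trunk port. Added illustration for this guide, not
# code from the page or from any vendor. Frame bytes, MACs and VLAN numbers
# are constructed samples.
import struct
from typing import Tuple

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload


def trunk_ingress(frame: bytes, native_vlan: int) -> Tuple[int, bool, bytes]:
    """Classify a frame arriving on a trunk port.

    Returns (vlan_id, was_tagged, frame_without_tag). A frame with no 802.1Q
    tag is assigned the port's native VLAN.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return native_vlan, False, frame
    if len(frame) < 18:
        raise ValueError("802.1Q tag truncated")
    (tci,) = struct.unpack("!H", frame[14:16])
    vid = tci & 0x0FFF                 # low 12 bits of the TCI: VLAN ID
    if vid == 0:                       # VID 0 = priority-tagged, no VLAN
        vid = native_vlan
    return vid, True, frame[:12] + frame[16:]   # drop the 4-byte tag


def trunk_egress(frame: bytes, vlan_id: int, native_vlan: int) -> bytes:
    """Prepare a frame for transmission on a trunk: tag it unless it belongs
    to the native VLAN, which is sent untagged."""
    if vlan_id == native_vlan:
        return frame
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    tag = struct.pack("!HH", ETHERTYPE_8021Q, vlan_id)   # PCP=0, DEI=0
    return frame[:12] + tag + frame[12:]


def router_on_a_stick(vlan_in: int, vlan_out: int, native: int = 1) -> Tuple[int, int]:
    """Host A -> switch (tags) -> router (routes, re-tags) -> switch (strips) -> host D.
    Returns (VLAN the router saw the frame on, VLAN the reply was placed in)."""
    host_frame = build_frame(b"\x00\x00\x5e\x00\x53\x01", b"\x00\x00\x5e\x00\x53\x0a",
                             ETHERTYPE_IPV4, b"constructed payload")
    to_router = trunk_egress(host_frame, vlan_in, native)
    seen_by_router, _, plain = trunk_ingress(to_router, native)
    from_router = trunk_egress(plain, vlan_out, native)     # router answers on vlan_out
    vlan_for_d, _, delivered = trunk_ingress(from_router, native)
    assert delivered == host_frame                           # hosts never see a tag
    return seen_by_router, vlan_for_d


def native_vlan_mismatch(sender_native: int, receiver_native: int, vlan: int) -> int:
    """Which VLAN does the receiving switch place a frame in when the two
    trunk ends disagree on the native VLAN? Returns the receiver's VLAN."""
    frame = build_frame(b"\xff" * 6, b"\x00\x00\x5e\x00\x53\x0b", ETHERTYPE_IPV4, b"x")
    on_wire = trunk_egress(frame, vlan, sender_native)
    vid, _, _ = trunk_ingress(on_wire, receiver_native)
    return vid


if __name__ == "__main__":
    print("router on a stick:", router_on_a_stick(10, 20))
    print("native 1 vs native 2, frame in VLAN 1 ->", native_vlan_mismatch(1, 2, 1))
```

The last call is the caveat from the text made concrete: a frame in VLAN 1 leaves the first switch untagged because VLAN 1 is its native VLAN, and the second switch, whose native VLAN is 2, has no way to tell and files it under VLAN 2. Tagged VLANs are unaffected by the mismatch; only the untagged one crosses over.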
VTP (VLAN Trunking Protocol)
● VLAN Trunking Protocol (VTP) is a Cisco-proprietary
protocol that propagates VLAN configuration (VLAN numbers and names) to
all switches in a VTP domain over their trunk links.
● This eliminates the need to configure the same VLANs by hand on every
switch in the domain.
● There is also the option of VTP pruning, which stops a trunk from carrying
broadcast and flooded traffic for VLANs that have no active ports on the switch
at the far end. VLANs can be made pruning eligible or pruning ineligible.
VTP Modes
● Server mode
● Client mode
● Transparent mode

● Choose server mode for the switch that you will use to create, change, or
delete VLANs. The server propagates this information to other switches
that are configured as servers or clients.
● Set client mode on any switch where you do not want to create, change, or
delete VLANs; a client takes its VLAN database from the server.
● Use transparent mode on a switch that needs to pass VTP advertisements on
to other switches but keeps its own VLAN database, administered
independently (it forwards advertisements without applying them).
VTP Configuration

● All three switches must share the same VTP domain name and password:
advertisements from a different domain, or whose password-derived digest does
not match, are ignored. Once VTP is configured on Switch 2 & 3, run the 'show vlan'
command from privileged mode on Switch 2 or 3 to make sure that the VLAN
configuration information has propagated from Switch 1 to Switch 2 & 3.
● Caution: within a domain, the switch with the highest configuration revision
number overwrites the VLAN database of the others, servers included. Set the
domain name and password, and check the revision number, before connecting a
switch that was previously used elsewhere.
SERVER Switch 1
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S1
S1(config)#vtp mode server
Device mode already VTP SERVER.
S1(config)#vtp domain CCNA
Changing VTP domain name from NULL to CCNA
S1(config)#vtp password cisco
Setting device VLAN database password to cisco
CLIENT Switch 2
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S2
S2(config)#vtp mode client
Setting device to VTP CLIENT mode.
S2(config)#vtp domain CCNA
Changing VTP domain name from NULL to CCNA
S2(config)#vtp password cisco
Setting device VLAN database password to cisco
CLIENT Switch 3
Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S3
S3(config)#vtp mode client
Setting device to VTP CLIENT mode.
S3(config)#vtp domain CCNA
Changing VTP domain name from NULL to CCNA
S3(config)#vtp password cisco
Setting device VLAN database password to cisco
Spanning Tree Protocol (STP)
● Loop prevention is one of the basic functions of a switch. Redundant
ports are automatically placed in a blocking state to prevent a loop from forming.
● To prevent bridging loops, the IEEE 802.1D committee defined a standard
called the Spanning Tree Protocol (STP).
● Spanning Tree Protocol is a link management protocol that provides path
redundancy while preventing undesirable loops in the network.
● For an Ethernet network to function properly, only one active path can exist
between two stations.
Advantages of STP
The spanning tree algorithm provides the following benefits:

● Eliminates bridging loops


● Provides redundant paths between devices
● Enables dynamic role configuration
● Recovers automatically from a topology change or device failure
● Identifies the optimal path between any two network devices
How the STP works

● Suppose you have two switches connected with redundant links. One switch is
connected to A and the other switch to B.

● Now A wants to talk to B. It sends a broadcast, say an Address
Resolution Protocol (ARP) request, to find out where B is; the green arrow
shows the broadcast frame sent by A.
● When SwA receives a broadcast frame, it forwards that frame out of all
ports except the port it was received on, so SwA forwards the ARP
frame out of its fa0/0 and fa0/1 ports.

● Suppose SwB receives the broadcast frame on fa0/0 first; it then forwards
that frame out of its two other links (fa0/1 and fa0/5 of SwB).

● The other copy of the broadcast frame from SwA arrives on fa0/1 of SwB, so SwB
forwards it out of fa0/0 and fa0/5.
● SwA has sent 2 broadcast frames out of fa0/0 and fa0/1; SwB receives each
of them, creates 2 copies and sends one back to SwA (the other is sent
to B).

● When SwA receives these broadcast frames it again floods them out of
its other interfaces, and this goes on forever until you shut down
the network. This phenomenon is called a broadcast storm.

● A broadcast storm is a serious network problem and can bring down an entire
network in seconds.
How Spanning Tree Protocol (STP) works

STP performs three steps to provide a loop-free network topology:

1. Elect one root bridge.

2. Select one root port per non-root bridge.

3. Select one designated port on each network segment.

● Each switch initially claims to be the root bridge and starts sending
out multicast frames called Bridge Protocol Data Units (BPDUs), which are
used to exchange STP information between switches.

● The BPDU that every switch sends contains information about the switch,
including its Bridge ID, which uniquely identifies the switch on the network.

● The Bridge ID is made of two components: a configurable Bridge Priority
value (32,768 by default) and the switch MAC address.
The Bridge ID is composed of the bridge priority value (0-65535, 2 bytes) and the
bridge MAC address (6 bytes). With the extended system ID used by PVST+, the
2-byte priority field is split into a 4-bit priority and a 12-bit system ID that
carries the VLAN number, which is why the priority can only be set in steps of 4096.

Bridge ID = Bridge Priority + MAC Address

● The root bridge is the bridge with the lowest Bridge ID.

● To compare two Bridge IDs, the priorities are compared first. If two bridges
have equal priority, then the MAC addresses are compared.

● Both SwA and SwB have the same default priority (32768), so they
compare their MAC addresses. Because SwB has the lower MAC address
it becomes the root bridge.
● On the root bridge, all ports are designated ports. Designated ports are in the
forwarding state and can send and receive traffic.

● An administrator can decide which bridge becomes the root bridge by
lowering its priority value (thus lowering its Bridge ID).

● The bridge priority can only be set in steps of 4096.

● STP decides which switch becomes the root bridge by comparing the Bridge
IDs carried in the BPDUs.
Identifying Root Ports
● The root port of a non-root switch is the port with the lowest path cost to the
root switch.
● Each non-root switch has exactly one root port. Path cost is the cumulative cost
of the links on the way to the root, based on the bandwidth of each link.
● The higher the bandwidth, the lower the path cost:

BANDWIDTH    COST
4 Mbps       250
10 Mbps      100
16 Mbps      62
100 Mbps     19
1 Gbps       4
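Root-bridge election by Bridge ID and root-port selection by cumulative path cost, using the cost table above, as an added illustration for this guide (not code from the page or from Cisco IOS). The switch names, MAC addresses and the three-switch topology are constructed; port-ID tie-breaking is approximated by comparing port names as strings.

```python
# STP root-bridge election and root-port selection. Added illustration for
# this guide, not code from the page or from Cisco IOS. Switch names, MACs
# and topology are constructed; port-ID ties are broken by comparing names.
import heapq
from dataclasses import dataclass
from typing import Dict, List, Tuple

# IEEE 802.1D-1998 path cost by link speed in Mbps, as in the table above.
PATH_COST = {4: 250, 10: 100, 16: 62, 100: 19, 1000: 4}

Link = Tuple[str, str, str, str, int]   # (bridge A, port on A, bridge B, port on B, Mbps)


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str                # dotted Cisco form, e.g. "0000.0c00.1111"
    priority: int = 32768   # default; with extended system ID, a multiple of 4096

    @property
    def bridge_id(self) -> Tuple[int, int]:
        # Compared as a tuple: priority first, MAC address breaks ties.
        return self.priority, int(self.mac.replace(".", ""), 16)


def valid_priority(priority: int) -> bool:
    """What 'spanning-tree vlan N priority' accepts: 0..61440 in steps of 4096."""
    return 0 <= priority <= 61440 and priority % 4096 == 0


def elect_root(bridges: List[Bridge]) -> Bridge:
    return min(bridges, key=lambda b: b.bridge_id)


def root_path_cost(root: Bridge, bridges: List[Bridge], links: List[Link]) -> Dict[str, int]:
    """Least cumulative cost from every bridge to the root (Dijkstra)."""
    adj: Dict[str, List[Tuple[str, int]]] = {b.name: [] for b in bridges}
    for a, _, b, _, mbps in links:
        adj[a].append((b, PATH_COST[mbps]))
        adj[b].append((a, PATH_COST[mbps]))
    cost = {b.name: float("inf") for b in bridges}
    cost[root.name] = 0
    heap = [(0, root.name)]
    while heap:
        c, u = heapq.heappop(heap)
        if c > cost[u]:
            continue
        for v, w in adj[u]:
            if c + w < cost[v]:
                cost[v] = c + w
                heapq.heappush(heap, (c + w, v))
    return cost


def select_root_ports(bridges: List[Bridge], links: List[Link]) -> Tuple[str, Dict[str, Tuple[str, int]]]:
    """Return (root bridge name, {non-root bridge: (root port, cost to root)})."""
    root = elect_root(bridges)
    cost = root_path_cost(root, bridges, links)
    by_name = {b.name: b for b in bridges}
    result: Dict[str, Tuple[str, int]] = {}
    for b in bridges:
        if b == root:
            continue
        candidates = []
        for a, pa, c, pc, mbps in links:
            if b.name == a:
                nbr, port, nbr_port = c, pa, pc
            elif b.name == c:
                nbr, port, nbr_port = a, pc, pa
            else:
                continue
            # Cost via this port = neighbour's cost to root + this link's cost.
            # Ties: lower neighbour Bridge ID, then lower neighbour port ID.
            candidates.append((cost[nbr] + PATH_COST[mbps], by_name[nbr].bridge_id, nbr_port, port))
        best = min(candidates)
        result[b.name] = (best[3], best[0])
    return root.name, result


def example(swa_priority: int = 32768) -> Tuple[str, Dict[str, Tuple[str, int]]]:
    """SwA and SwB as in the text (SwB has the lower MAC), plus a third switch
    SwC joined to both by gigabit links while SwA-SwB is only 100 Mbps."""
    sw_a = Bridge("SwA", "0000.0c00.2222", swa_priority)
    sw_b = Bridge("SwB", "0000.0c00.1111")
    sw_c = Bridge("SwC", "0000.0c00.3333")
    links: List[Link] = [
        ("SwA", "Fa0/1", "SwB", "Fa0/1", 100),    # cost 19
        ("SwA", "Gi0/1", "SwC", "Gi0/1", 1000),   # cost 4
        ("SwC", "Gi0/2", "SwB", "Gi0/2", 1000),   # cost 4
    ]
    return select_root_ports([sw_a, sw_b, sw_c], links)


if __name__ == "__main__":
    print("default priorities:", example())
    print("SwA priority 24576:", example(24576))
```

With default priorities SwB wins on MAC address and SwA's root port is the gigabit link towards SwC (cost 4 + 4 = 8) rather than the direct 100 Mbps link (cost 19), which is the "cumulative cost" point in the text. Lowering SwA's priority to 24576 re-elects the root and every root port changes with it.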
Spanning tree types
1. Common Spanning Tree (CST): a single STP instance is used for all VLANs
(the IEEE 802.1Q approach).

2. Per-VLAN Spanning Tree (PVST): Cisco-proprietary; a separate STP
instance for each VLAN.

3. PVST+: enhanced version of PVST that interoperates between CST-enabled
switches and PVST-enabled switches.
Port Priority
● When a switch has two ports with the same path cost to the root through the
same upstream bridge, the neighbour's port ID (port priority plus port number)
is the tiebreaker: the port that receives the lowest port ID becomes the root port.

● The default port priority of an interface is 128.

● Lowering this value on the upstream switch's port makes the link through that
port the preferred one, so a specific interface on the downstream switch becomes
the root port.
Configuring the Root Bridge & Priority

To configure a switch as the root bridge for VLAN 10:

Switch# configure terminal
Switch(config)# spanning-tree vlan 10 root primary
Switch(config)# end

● This command automatically lowers the priority of the switch to a
value low enough (based on the lowest priority currently seen in the network)
to make sure the switch is elected as root for that VLAN.
● Configuring the spanning tree port priority of a Fast Ethernet interface
(the range is 0 to 240 in steps of 16; the default is 128):

Switch# configure terminal
Switch(config)# interface fastethernet 0/1
Switch(config-if)# spanning-tree port-priority 64
Switch(config-if)# end

● Configuring the bridge priority of VLAN 20 to 28,672 (a multiple of 4096,
lower than the default 32,768):

Switch# configure terminal
Switch(config)# spanning-tree vlan 20 priority 28672
Switch(config)# end
Spanning Tree Switchport States
When STP is enabled, every port goes through the blocking state
and the transitory states of listening and learning before it forwards.

● Blocking – No user data is sent or received, but BPDUs are still received.
The port may move towards forwarding if the other links in use fail and the
spanning tree algorithm determines the port may transition to the forwarding state.
● Listening – The switch processes BPDUs and waits for possible new
information that would cause it to return to the blocking state; user frames
are discarded and no MAC addresses are learned.
● Learning – Receives and transmits BPDUs and learns MAC addresses, but
does not yet forward user frames.
● Forwarding – Receives and sends data and learns MAC addresses; normal operation.
STP PortFast
● The transitions from state to state take the following times by
default:

From blocking to listening: 20 seconds (max age)
From listening to learning: 15 seconds (forward delay)
From learning to forwarding: 15 seconds (forward delay)
● PortFast causes an access port to enter the forwarding state almost immediately
by skipping the listening and learning states.

● PortFast minimizes the time it takes for a server or workstation to come
online, thus preventing problems with applications such as DHCP, DNS etc.
● PortFast should not be enabled on a switch port connecting to another
hub or switch, as it may result in a loop. The usual safeguard is to pair PortFast
with BPDU Guard, which err-disables the port if a BPDU is ever received on it.

● PortFast does not disable STP on a port; it only speeds up
convergence.

● A separate instance of Spanning Tree Protocol for each VLAN (PVST)
lets each VLAN's topology be configured independently and can perform better.
