Tag Archives: Layer 2 Switches


In the last post we looked at VLANs and switch ports. One of the details we learned is that a switch port can only exist in one VLAN, so if we want to connect multiple VLANs from one or more switches to a router, we have to use trunks. Trunks can forward all VLAN traffic.
You can see in the image above that if the connection to the router were an access port, it could only be in one VLAN. If we make it a trunk, all three VLANs can reach the router from the switch. So a switch port can be either an access port or a trunk port.

We have looked at how to configure access ports, but let's take a look at configuring trunk ports.

Note: you can't actually turn trunk mode off, but if you change the mode to access, the port is no longer trunking.

show interface trunk – shows the ports used for trunking and gives details about the trunk mode.

To configure trunking on a per-port basis, we use switchport mode with one of the following:

  • access – turns off trunk mode and puts the port into access mode
  • dynamic auto – will trunk, but trunking must be initiated by the remote port
  • dynamic desirable – will actively try to trunk if the remote port agrees
  • trunk – forces the port into trunk mode
  • switchport nonegotiate – a separate command that turns off DTP (Dynamic Trunking Protocol) to reduce overhead and prevent dynamic trunk changes

So now that we have trunks connecting our switches and routers, we have to have the switches understand each other's VLANs. Also, some VLANs may span two or more switches, and we don't want to be configuring all of that manually. There is a mechanism for the switches to communicate all of this automatically, and it is called VTP (VLAN Trunking Protocol).

VLAN Trunking Protocol (VTP)

The first thing we should note about VTP is it is Cisco proprietary.

VTP Domains – a named area encompassing a number of switches. Domains are configured on a per-switch basis, and if VTP is running there must be a domain name set. Domain names are case sensitive – beware.

Within a VTP domain the switches can be configured in one of three VTP modes:

  • Server – can create, modify or delete VLANs.
  • Client – can receive VLAN info but cannot change VLANs.
  • Transparent – forwards VTP advertisements but does not process them. VLANs on a transparent switch are locally significant only; the VLAN info is not passed to other servers or clients.

Note: in all cases ports can be added or removed from the VLAN.

Communication from server to client and from server to server is achieved through the Summary Advertisement. This is a data packet sent every 5 minutes, or immediately upon a change.

A VTP server stores the VLAN config in NVRAM, so on reload, the info is immediately available. A client however does not and must get its VLAN config from a summary advertisement.

VTP Revision Numbers

Every time a VTP server sends out a summary advertisement, it attaches a configuration revision number. This is to ensure that the information received by the other servers in our switch network is the latest and greatest. When a summary is received by another server, that server compares the incoming revision number with its own; if the incoming number is greater, it uses that info. If it is not, it drops the packet and does not forward it.

VTP Password

We can authenticate our VTP info using the command vtp password. As always, the password is case sensitive. You might check that service password-encryption is on so that the password is not stored in clear text; however, this is the one password that does not get encrypted. Yeah – maybe in the next version of VTP.

Also be aware that if we set a password, we have to configure that password on all the switches in the VTP domain.
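To make the rules above concrete, here is an added Python model of a VTP domain that is not code from the original post or from Cisco: a server bumps its revision number on every VLAN change, clients and servers accept a summary advertisement only when the domain name matches exactly, the password checks out and the revision is newer, and a transparent switch relays advertisements without touching its own VLAN table. The domain name, password and VLAN names are constructed sample values, and the `sign()` digest is a keyed SHA-256 stand-in, not the real VTP MD5 scheme.

```python
import hmac
import hashlib
from dataclasses import dataclass, field


@dataclass
class SummaryAdvertisement:
    domain: str
    revision: int
    vlans: dict          # VLAN id -> name
    digest: bytes = b""  # keyed digest over the advertisement (see sign())


def sign(adv: SummaryAdvertisement, password: str) -> bytes:
    """Keyed digest binding the advertisement to the domain password.
    Constructed stand-in for the real VTP MD5 scheme (assumption, not Cisco's format)."""
    msg = f"{adv.domain}|{adv.revision}|{sorted(adv.vlans.items())}".encode()
    return hmac.new(password.encode(), msg, hashlib.sha256).digest()


@dataclass
class VtpSwitch:
    name: str
    domain: str                # compared case-sensitively, exactly as the post warns
    mode: str = "server"       # "server", "client" or "transparent"
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})
    forwarded: list = field(default_factory=list)   # advertisements relayed onwards

    def add_vlan(self, vlan_id: int, name: str) -> None:
        """Servers and transparent switches may change VLANs; only a server bumps the revision."""
        if self.mode == "client":
            raise PermissionError(f"{self.name} is a VTP client and cannot change VLANs")
        self.vlans[vlan_id] = name
        if self.mode == "server":
            self.revision += 1

    def advertise(self) -> SummaryAdvertisement:
        """Build the summary advertisement a server sends on change (or every 5 minutes)."""
        adv = SummaryAdvertisement(self.domain, self.revision, dict(self.vlans))
        adv.digest = sign(adv, self.password)
        return adv

    def receive(self, adv: SummaryAdvertisement) -> str:
        """Apply the post's acceptance rules and report what happened to the advertisement."""
        if adv.domain != self.domain:
            return "dropped: domain mismatch"
        if self.mode == "transparent":
            self.forwarded.append(adv)          # relayed, local VLAN table untouched
            return "forwarded: transparent"
        if not hmac.compare_digest(adv.digest, sign(adv, self.password)):
            return "dropped: password mismatch"
        if adv.revision <= self.revision:
            return "dropped: revision not newer"  # stale: drop it and do not forward it
        self.vlans = dict(adv.vlans)
        self.revision = adv.revision
        self.forwarded.append(adv)
        return "applied"


if __name__ == "__main__":
    # Constructed lab: one server, one client, same domain and password
    server = VtpSwitch("sw1", "LAB", "server", password="s3cret")
    client = VtpSwitch("sw2", "LAB", "client", password="s3cret")
    server.add_vlan(10, "Engineering")
    print(client.receive(server.advertise()), client.vlans, client.revision)
```

Every drop reason is returned rather than logged, so the same function can feed a test or a syslog line; note that a client that mistyped the domain name's case gets "domain mismatch" and never even reaches the password check.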

VTP Pruning

One of the problems with trunks is that they forward broadcast and multicast packets from all VLANs on that switch, regardless of whether the destination switch even has those VLANs. This of course is a big waste of bandwidth and resources, so how do we limit this? We have a whole post about that…


VLANs – the deep dive!

Just a quick recap:

The default behavior of a switch is to send a broadcast out of every port except the one it rode in on.

— Chris Bryant at the Bryant Advantage sums up a switch in a simple and concise manner —

A switch is by default a single broadcast domain. This can be a problem. If you have a 4 or 8 port switch in your home, then likely it isn't much of a problem, but let's assume you are running a switch with 48 hosts. Every single broadcast has to be pushed out of 47 ports, for each host on the system. Imagine the processor and memory load it takes just to handle that much broadcast traffic. Imagine the amount of traffic each host has to look at and ignore, wasting bandwidth and CPU time – no wonder my Facebook won't load!

By segmenting our LAN into smaller Virtual LANs, we can ease this load and reduce the amount of broadcast traffic by creating more broadcast domains. This sounds counter-intuitive, but really, it's not.

In order to put ports into a VLAN, the port must be in Access mode (at least for the purposes of the CCNA this is true).

switchport mode access
switchport access vlan <vlan-id>

It is worth pointing out that not only will broadcast traffic not cross VLAN boundaries, but also any other traffic does not cross VLAN boundaries. There are two ways around this:

  • A router (router on a stick)
  • A layer 3 switch

For the CCNA we don’t cover layer 3 switches, so we will concern ourselves only with routers, but layer 3 switches do exist.

We are going to look at router on a stick later.

Other uses for VLANs

Security – we can use VLANs as a way of segregating hosts. We might want to do this to keep unused ports out of our actual network.

Departments – we can also segregate by department. If you need to keep engineering, sales and finance separated, putting the hosts into their own VLANs is one way to do that. Subnet that, and

VLANs and the MAC address table – You can filter the MAC address table by VLAN which can help us limit the number of MAC addresses we see. Not a big deal on a lab setup where we have limited hosts, but in a production network this may be a huge help if that address table has 48+ entries.

VLANs and Trunking

So what is trunking? Trunking is the process of making ‘upstream’ switch ports. Ports connecting to routers are almost always trunk ports. Well, why is that? The reason is that trunk ports can allow all VLAN traffic to flow through them. Remember that access ports can only be connected to one VLAN.

Frame Tagging – when a frame from a VLAN leaves a switch via the trunk port, the switch adds a tag to the frame, identifying the VLAN of origin.

Trunk Protocols – there are two protocols available to us:

  • ISL – Inter-Switch Link (Cisco proprietary)
  • IEEE 802.1Q – industry standard

ISL only works with Cisco equipment; obvious, I know, but worth stating. What ISL does is encapsulate the entire frame with a new header and trailer. This adds overhead, but is robust.

Dot1q is what we usually use, and in fact some Cisco switches don't even have ISL capability. The difference here is that there is no encapsulation. Dot1q simply adds a 4-byte header and that is all, which gives us a much lower overhead.

The native VLAN – This is the default VLAN, in my case VLAN 1 on my 2950. ISL will still encapsulate this, but dot1q does not add a tag to it. As far as dot1q is concerned, any frame with no tag belongs to the default VLAN.
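Here is an added Python example, not code from the original post, that shows what the dot1q tag described above actually looks like on the wire: a 4-byte header (the 0x8100 tag protocol identifier followed by a TCI whose low 12 bits are the VLAN ID) inserted after the source MAC, and the rule that a frame arriving with no tag is placed in the native VLAN. The sample frame, MAC addresses and `native_vlan` parameter are constructed for the demonstration.

```python
import struct

TPID_8021Q = 0x8100  # Tag Protocol Identifier that announces an 802.1Q tag


def parse_frame(frame: bytes, native_vlan: int = 1) -> dict:
    """Parse an Ethernet II frame and report which VLAN it belongs to.

    A tagged frame carries its VLAN ID in the low 12 bits of the TCI.
    An untagged frame is placed in native_vlan, which is how a dot1q trunk
    treats anything that arrives without a tag.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    vlan, tagged, offset = native_vlan, False, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("802.1Q tag truncated")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, tagged, offset = tci & 0x0FFF, True, 18
    return {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "vlan": vlan, "tagged": tagged,
        "ethertype": ethertype, "payload": frame[offset:],
    }


def add_tag(frame: bytes, vlan: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q header after the source MAC, as a switch does
    when a frame leaves on a trunk port. pcp is the 3-bit priority field."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    tci = ((pcp & 0x7) << 13) | vlan
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q header, as the receiving switch does before delivering
    the frame to an access port. Untagged frames are returned unchanged."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return frame[:12] + frame[16:]
    return frame


# Constructed sample: untagged frame, fake MACs, IPv4 ethertype, dummy payload
SAMPLE_UNTAGGED = (
    bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455")
    + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19
)

if __name__ == "__main__":
    tagged = add_tag(SAMPLE_UNTAGGED, 10)
    print(parse_frame(SAMPLE_UNTAGGED)["vlan"], parse_frame(tagged)["vlan"])
```

Running `parse_frame` on a capture from a trunk port is a quick way to confirm which VLAN each frame was tagged with, and which frames were untagged and therefore assigned to the native VLAN by the receiving end.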

Naming VLANs – one last note on VLANs. There is a very useful command that we should be aware of. When creating a VLAN, the name command can be used to name the VLAN. So now, instead of having VLAN0010, VLAN0020 and VLAN0030 we could have Engineering, Accounting and Sales.

Final thoughts

  • A switchport can either be an access port or a trunk.
  • To turn off trunking, we put it into access mode (there is no trunk off command)
  • There are two trunking protocols, ISL and dot1q



… and yet more switching theory – Part 3

Here we will take a look at some of the STP controls.

STP Timers

We generally leave the STP default values as they are, but there are occasions when we might want to change them.

Hello Time

BPDUs are sent every 2 seconds. These are the ‘heartbeat’ of STP. Once the switches have converged on a root switch, the BPDU lets the switches know that the root is still up. If that packet ever stops coming, the protocol kicks in again on each switch and a new Root switch is elected.

Max Age

The default here is 20 seconds. This is the amount of time the switch waits after its last BPDU, before putting its ports into listening and learning modes, and configuring a new switch topology. This protects the switching network from transient glitches.

Forward Delay

This is the time that the switch stays in each of the listening and learning states; the default is 15 seconds each. At the end of this time the port will be in either blocking or forwarding mode.

These default values prevent transient events from triggering a switch network reconfiguration. Shorten these delays and we reduce the amount of ‘damping’ in the system.
The command to do this is:

 s2950(config)#spanning-tree vlan 1 ?
 forward-time  Set the forward delay for the spanning tree
 hello-time    Set the hello interval for the spanning tree
 max-age       Set the max age interval for the spanning tree
 priority      Set the bridge priority for the spanning tree
 root          Configure switch as root

Note that you can also use the root command to set a secondary candidate for Root switch.

As a last note; Don’t turn STP off,

just don’t …….

no .. don’t do it.


Even more Switching Theory – Part 2

In this post, we will look at how the switches run STP, how switches communicate and figure out what links to open and block.

So how does STP figure out which ports to block and which switch takes control?

First we have to recognize that in order to figure this out, the switches have to communicate with each other. This is achieved by the use of a BPDU packet (Bridge Protocol Data Unit).

The BPDU does two things – it enables the switches to decide which one is the root switch, and which links will be used and which ones will block.

The Root Switch

In any given switch arrangement, there must be a root switch. Which switch this will be is figured out automatically by the STP algorithm.

First we do a root bridge election. This is done on a per VLAN basis (because VLANs define broadcast domains and BPDUs are a broadcast packet). When a switch first powers up, it thinks it is the root bridge for every VLAN. It sends out its BPDU, offering its root bridge BID.

This BID is made up of two factors:

  • The Default Priority (32768)
  • The MAC address (aa:bb:cc:dd:ee:ff)

… which gives the BID thus: 32768:aabbccddeeff. When a switch receives another BID, it compares it to its own BID and the lower BID wins. (We compare the priority, and the MAC address essentially acts as a tie-breaker.) Once the comparison is complete and the winner selected, the switch will broadcast that info, and slowly the switches, and thus the VLAN or broadcast domain, converge on a winner.

We can see which switch is the Root just by checking the output of the spanning tree protocol on the switch thus:

 s3550#sh spanning-tree
 Spanning tree enabled protocol ieee
 Root ID Priority 32769
 Address 000f.f7d1.d100
 This bridge is the root
 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
 Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
 Address 000f.f7d1.d100
 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
 Aging Time 300
 Interface Role  Sts  Cost Prio.Nbr Type
  Fa0/1    Desg  FWD  19    128.1   P2p
  Fa0/2    Desg  FWD  19    128.2   P2p
  Fa0/3    Desg  FWD  19    128.3   P2p
  Fa0/4    Desg  FWD  19    128.4   P2p

You can see the declaration "This bridge is the root" (shown in bold in the original) – this is the root bridge. Also notice that the ports are all in forwarding mode because, as we mentioned in the last post, the ports on a root switch are always forwarding, and it is the non-root switches that do the blocking.

We can influence the outcome of the BID process, by manually changing the priority of the switch.

Which links will STP use?

STP figures out which link to use by choosing the fastest path, based on a cost score assigned per link speed. It is interesting to note that the physically shortest path is not necessarily the logically shortest path.
The graphic shows the cost associated with each link bandwidth. As the BPDU travels from switch to switch, it accumulates the link score. For instance, in the scenario below, we have three switches.

At first glance it would appear that the link to use is the path fa0/13 of sw1 to fa0/21 of sw2. This would have a score of 100 (10 Mb/s).

However, if we follow the alternative path of (fa0/12 sw1 to fa0/31 sw3) and (fa0/32 sw3 to fa0/22 sw2), we get a combined score of 19 + 4 = 23. This makes the alternative path the more desirable solution, because of the link speeds. Note that the score is calculated on the input side of the switch, not as the packet leaves the switch.

Also note that STP operates within one broadcast domain – STP packets are not sent to the host on fa0/11 or the router on fa0/23, and therefore sw4 is not involved in any way with the STP configuration in the example below!

With the STP score established by the passing of BPDU packets, the link fa0/13 sw1 to fa0/21 sw2 will be placed into blocking mode.

Also please note, I labeled all of the ports fa – this is incorrect as you know, but I wanted to illustrate a point – check the diagrams and make sure what you think is there, is actually there.



One of the problems with STP is that it can take a while for the port to become active, due to the listening and learning phases. With the defaults of 15 seconds for each state, it can take more than 30 seconds for a port to come up. However, there is a work around for this.

This is only to be used on ports that connect to hosts, and MUST NOT be used on ports that connect to other switch, bridge or hub type devices.

Portfast enables the port to be put immediately into forwarding mode, allowing it to come up much faster.

(config-if)# spanning-tree portfast

For this to work, the port must be in access mode, and not dynamic or trunking mode.

It would be appropriate for port fa0/11 on sw1 to use portfast.

Also note that the port fa0/23 sw2 should not use port fast and in most situations could not use port fast as this is likely an inter-VLAN trunk port. (When using multiple VLANs, each port is in a separate VLAN except the trunking ports)

One last thing – Port Priority

What happens if we eliminate sw3, and have multiple links from sw1 to sw2?

Good question. In my mini lab, I had 4 links all of the same speed between two switches. How did the switches decide what ports to block and which one to forward?

Again, this is handled by the STP protocol. Spanning Tree looks at the port priority and the port number, and makes a decision based on that, in a process that is essentially the same as the BID process used to determine the root switch.

 Interface Role  Sts  Cost Prio.Nbr Type
  Fa0/1    Root  FWD   19   128.1   P2p
  Fa0/2    Altn  BLK   19   128.2   P2p
  Fa0/3    Altn  BLK   19   128.3   P2p
  Fa0/4    Altn  BLK   19   128.4   P2p

In this example from my mini lab, you can see that port Fa0/1 was chosen as the Root port and this is because:

  • All ports have the same priority
  • Port 1 has the lower port number
  • Lowest wins!

If we wish to influence the outcome we can either change the port speeds and/or change the port priority.
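To tie the root election, the path-cost calculation and the port-priority tie-break together, here is an added Python model that is not code from the original post or from Cisco. It elects the root by lowest BID (priority, then MAC), computes each switch's cost to the root with the classic costs used above (10 Mb/s = 100, 100 Mb/s = 19, 1 Gb/s = 4, counted on the receiving side), and then assigns Root/Desg/Altn roles, breaking ties on the four parallel links by port priority and port number. The switch names, MACs and priorities are constructed; the three-switch topology follows the post's example with sw2 assumed to be the root, and `port_number()` assumes single-module port names such as `Fa0/13`.

```python
import heapq
from dataclasses import dataclass

# Classic IEEE 802.1D short path costs per link bandwidth (Mb/s), as in the post
LINK_COST = {10: 100, 100: 19, 1000: 4}


def bridge_id(priority: int, mac: str) -> tuple:
    """BID as a comparable tuple: priority first, MAC as tie-breaker. Lower wins.
    Accepts 'aa:bb:cc:dd:ee:ff' or Cisco's 'aabb.ccdd.eeff'."""
    return (priority, int(mac.replace(":", "").replace(".", ""), 16))


def elect_root(bridges: dict) -> str:
    """bridges maps switch name -> (priority, mac); the lowest BID becomes root."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


@dataclass(frozen=True)
class Link:
    a: str
    a_port: str
    b: str
    b_port: str
    mbps: int


def port_number(port: str) -> int:
    """'Fa0/13' -> 13 (assumption: single-module switch, number after '/' is the port)."""
    return int(port.rsplit("/", 1)[1])


def root_path_costs(root: str, links: list) -> dict:
    """Lowest accumulated cost from every switch to the root (Dijkstra).
    Each hop adds the cost of the link the BPDU arrives on (input side)."""
    graph = {}
    for link in links:
        cost = LINK_COST[link.mbps]
        graph.setdefault(link.a, []).append((link.b, cost))
        graph.setdefault(link.b, []).append((link.a, cost))
    dist, heap = {root: 0}, [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        for nbr, cost in graph.get(node, []):
            if d + cost < dist.get(nbr, float("inf")):
                dist[nbr] = d + cost
                heapq.heappush(heap, (d + cost, nbr))
    return dist


def port_roles(switch: str, bridges: dict, links: list, port_priority: dict = None) -> dict:
    """Role of every port on `switch`: 'Root', 'Desg' or 'Altn' (blocking).

    Root port: lowest cost to root, then lowest neighbour BID, then lowest
    port priority.number (default priority 128). Any other port is designated
    when this switch offers the segment the cheaper path to the root (BID
    breaks an equal-cost tie), otherwise it is alternate and blocks.
    """
    port_priority = port_priority or {}
    root = elect_root(bridges)
    dist = root_path_costs(root, links)
    my_bid = bridge_id(*bridges[switch])
    candidates, roles = [], {}
    for link in links:
        if link.a == switch:
            local, nbr = link.a_port, link.b
        elif link.b == switch:
            local, nbr = link.b_port, link.a
        else:
            continue
        nbr_bid = bridge_id(*bridges[nbr])
        cost = dist[nbr] + LINK_COST[link.mbps]   # cost added on our (input) side
        key = (cost, nbr_bid, (port_priority.get(local, 128), port_number(local)))
        candidates.append((key, local))
        roles[local] = "Desg" if (dist[switch], my_bid) < (dist[nbr], nbr_bid) else "Altn"
    if switch != root and candidates:
        roles[min(candidates)[1]] = "Root"
    return roles


# Constructed topology after the post's three-switch example (sw2 assumed root):
#   sw1 fa0/13 -- fa0/21 sw2 at 10 Mb/s  (cost 100)
#   sw1 fa0/12 -- fa0/31 sw3 at 100 Mb/s (cost 19)
#   sw3 fa0/32 -- fa0/22 sw2 at 1 Gb/s   (cost 4)
BRIDGES = {"sw1": (32769, "0011.2233.4401"),
           "sw2": (4097, "0011.2233.4402"),    # priority lowered so sw2 wins
           "sw3": (32769, "0011.2233.4403")}
LINKS = [Link("sw1", "fa0/13", "sw2", "fa0/21", 10),
         Link("sw1", "fa0/12", "sw3", "fa0/31", 100),
         Link("sw3", "fa0/32", "sw2", "fa0/22", 1000)]
# Constructed mini-lab: four equal-speed links between sw1 and sw2
PARALLEL_LINKS = [Link("sw1", f"Fa0/{n}", "sw2", f"Fa0/{n}", 100) for n in range(1, 5)]

if __name__ == "__main__":
    print(elect_root(BRIDGES), root_path_costs("sw2", LINKS))
    print(port_roles("sw1", BRIDGES, LINKS))
    print(port_roles("sw1", BRIDGES, PARALLEL_LINKS))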



Configuring Switches

It's easy to get sucked into configuring routers because there is so much to configure, so I'm calling time out on the routers and shifting focus to the switches. So let's look at some fun things to do with switches.


Configure an IP address and default gateway.

I guess at first I didn’t think too deeply about this because I’ve been using the console port to connect to my switches, but if we are to telnet into them, they need to have an IP address. If I run sh run on my 2950, I get the following after the last physical interface:

interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
interface Vlan1
 no ip address
 no ip route-cache

We have seen Vlan 1 before; it is the default VLAN on the switch. We can use it as the management VLAN if we want to or define a new VLAN for that function. The only issue with using telnet to control the switch is that we need one port for this function.

So to configure the VLAN with an IP address, we need to:

interface Vlan1
 description : Management VLAN
 ip address
 no ip route-cache
ip default-gateway
ip http server
line con 0
 logging synchronous
line vty 0 4
 password cisco
 logging synchronous

You can see the commands required to make this work. Don't forget the password command in the line vty config, or your telnet connection will be refused. This will work, but there is one more password we need to configure. As this stands, we can telnet into the switch, but we cannot enter enable or config mode. We need to set our secret to be able to do that.

s2950(config)#enable secret ccna

And that should do it. I can now telnet into my switch.


Changing the Port Speed and Duplex

Depending on the situation, you may just elect to leave everything in Auto, but there again it is good to know how to hard code the ports, and the commands for speed and duplex are pretty straight forward.

s2950(config-if)#speed ?
 10       Force 10 Mbps operation
 100      Force 100 Mbps operation
 auto     Enable AUTO speed configuration

and …

s2950(config-if)#duplex ?
 auto     Enable AUTO duplex configuration
 full     Force full duplex operation
 half     Force half-duplex operation


Changing Multiple ports

This is great if we have just a single port or a couple of ports to change, but let's say we need to change 12 or 24 or even all 48 ports. That's quite the task! There is of course a shortcut, and it is the interface range command.

s2950(config)#int range fast0/1 - 24 
s2950(config-if-range)#speed 100

But I hear you say, what if the ports we need to change are not contiguous?
The answer is still the same range command, but with commas,

s2950(config)#int range fa0/4 , fa0/7 , fa0/9 
s2950(config-if-range)#speed 10

The big gotcha here is remembering to put the spaces in the right place and remembering to use the full name of the port, not just the number as in the contiguous example above.
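As an added Python example (not code from the original post, and not something IOS runs itself), here is a small parser for the two range forms shown above. It expands a contiguous block such as `fa0/1 - 24` or a comma list such as `fa0/4 , fa0/7 , fa0/9` into individual interface names, rejects an element that is just a number (the gotcha the post warns about), and renders the per-interface configuration the range command would apply, so the affected ports can be reviewed before the change is made. The `render_config` helper and its output layout are assumptions for the demonstration.

```python
import re

# One element of an interface range: name, slot, port, optional " - last"
_ELEMENT = re.compile(r"^([A-Za-z]+)(\d+)/(\d+)(?:\s*-\s*(\d+))?$")


def expand_interface_range(spec: str) -> list:
    """Expand the argument of 'interface range' into individual port names.

    Accepts 'fa0/1 - 24' and 'fa0/4 , fa0/7 , fa0/9'. Every element must be a
    full interface name; a bare number such as '7' raises ValueError.
    """
    ports = []
    for element in spec.split(","):
        element = element.strip()
        match = _ELEMENT.match(element)
        if not match:
            raise ValueError(f"not a full interface name: {element!r}")
        kind, slot, first, last = match.group(1), match.group(2), int(match.group(3)), match.group(4)
        last = int(last) if last is not None else first
        if last < first:
            raise ValueError(f"range runs backwards: {element!r}")
        ports.extend(f"{kind}{slot}/{n}" for n in range(first, last + 1))
    return ports


def render_config(spec: str, commands: list) -> str:
    """Emit the per-interface configuration equivalent to applying `commands`
    under 'interface range <spec>' (constructed helper for review purposes)."""
    lines = []
    for port in expand_interface_range(spec):
        lines.append(f"interface {port}")
        lines.extend(f" {cmd}" for cmd in commands)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_config("fa0/4 , fa0/7 , fa0/9", ["speed 10"]))
```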



