Switching and Bridging

This section covers Layer 2 devices that are used to bridge, or switch, frames using common techniques to improve network utilization, such as VLANs. The terms switch and bridge are used to refer to the same technology.

Switching, or bridging, is defined as a process of taking an incoming frame from one interface and delivering it through another interface. Source stations are discovered and placed in a switch address table (called a content-addressable memory [CAM] table in Cisco terms). Routers use Layer 3 switching to route packets, and Layer 2 switches use Layer 2 switching to forward frames.

Switches build CAM tables when activity is noted on switch ports. Example 1-1 displays a sample CAM table on a Cisco Catalyst 5000 switch.

Example 1-1 CAM Table or Bridge Table

CAT5513 (enable) show cam ?
Usage: show cam [count] <dynamic|static|permanent|system> [vlan]
       show cam <dynamic|static|permanent|system> <mod_num/port_num>
       show cam <mac_addr> [vlan]
       show cam agingtime
       show cam mlsrp <ip_addr> [vlan]
CAT5513 (enable) show cam dynamic
* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry. X = Port Security Entry

VLAN  Dest MAC/Route Des   Destination Ports or VCs / [Protocol Type]
36    00-10-7b-54-37-c6    8/13 [ALL]
35    00-09-43-3b-ac-20    8/5 [ALL]
101   00-01-02-00-4a-ff    1/1 [ALL]
1     00-01-02-00-4a-ff    1/1 [ALL]
102   0-e3-5e-ac-81        1/1 [ALL]
101   00-00-0c-92-0c-af    1/1 [ALL]
102   0-e3-53-7f-81        1/1 [ALL]
102   0-e3-5e-ae-c1        1/1 [ALL]
37    0-e3-63-55-80        8/9 [ALL]
102   0-e3-5e-a9-01        1/1 [ALL]

Example 1-1 displays a CAM table on a Catalyst switch, produced with the CatOS command show cam dynamic. Other forms of the command narrow the output to specific ports (show cam dynamic 8/13 would list only the devices discovered on port 8/13). Example 1-1 shows, for instance, that the MAC address 00-10-7b-54-37-c6 in VLAN 36 was learned on port 8/13.

NOTE The examples in this chapter display the traditional Cisco CatOS operating system. The CCIE Security exams test on both Cisco CatOS and Cisco IOS. Chapter 8, "CCIE Security Self-Study Lab," displays CAM tables of the newest form of Cisco IOS-based switches so that you have exposure to both operating systems.

A Cisco switch populates the CAM table as devices send frames, and it learns from the source MAC address: when a device first sends a frame into a switch port, the switch adds that source address, together with the port it arrived on, to the CAM table. Forwarding is then based on the destination MAC address. A broadcast (a frame a host sends to all hosts in the same broadcast domain), or a frame whose destination address has no CAM entry, is sent out all ports except the port the frame was received on; a frame whose destination is in the CAM table is sent out only the port recorded for it. Flooded frames are sent out only the ports that spanning tree has placed in the forwarding state.
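The learning and flooding behavior described above, as an added example that is not code from the book or from Cisco: a small learning-switch model that keys its CAM table by (VLAN, MAC), learns from the source address, forwards known unicasts to one port, floods broadcasts and unknown unicasts, and ages out idle entries. Port names follow the mod/port notation of Example 1-1; the hosts, VLAN membership, timestamps and the 300-second aging time are constructed sample values. The macs_per_port helper is a defender's addition showing the quantity that port security limits.

```python
"""Learning-switch simulation: an added example, not code from the book.

Models how a switch populates its CAM table from the *source* MAC of each
frame and then forwards on the destination MAC: a known destination goes out
one port, an unknown unicast or a broadcast is flooded out every port in the
VLAN except the one it arrived on. Port names use the mod/port notation of
Example 1-1; hosts, VLAN membership and timestamps are constructed data.
"""
from dataclasses import dataclass, field

BROADCAST = "ff-ff-ff-ff-ff-ff"


@dataclass
class CamEntry:
    port: str
    last_seen: float  # simulated time in seconds


@dataclass
class LearningSwitch:
    vlan_ports: dict                                # vlan -> list of ports in that VLAN
    aging_time: float = 300.0                       # assumed aging time (seconds)
    cam: dict = field(default_factory=dict)         # (vlan, mac) -> CamEntry

    def receive(self, vlan, src, dst, in_port, now):
        """Process one frame and return the list of egress ports."""
        src, dst = src.lower(), dst.lower()
        # 1. Learn: the source MAC is recorded against the ingress port, per VLAN.
        self.cam[(vlan, src)] = CamEntry(in_port, now)
        # 2. Age out entries that have been silent longer than the aging time.
        self.age(now)
        # 3. Forward on the destination MAC.
        entry = None if dst == BROADCAST else self.cam.get((vlan, dst))
        if entry is None:                           # broadcast or unknown unicast: flood
            return [p for p in self.vlan_ports[vlan] if p != in_port]
        if entry.port == in_port:                   # destination sits on the ingress
            return []                               # segment: nothing to forward
        return [entry.port]

    def age(self, now):
        """Remove entries not refreshed within the aging time."""
        stale = [k for k, e in self.cam.items() if now - e.last_seen > self.aging_time]
        for k in stale:
            del self.cam[k]

    def show_cam(self, vlan=None):
        """Rows shaped like 'show cam dynamic' output: (vlan, mac, port)."""
        return sorted((v, m, e.port) for (v, m), e in self.cam.items()
                      if vlan is None or v == vlan)

    def macs_per_port(self):
        """Learned MACs per port; a high count on an access port is the
        condition port security is configured to limit."""
        counts = {}
        for e in self.cam.values():
            counts[e.port] = counts.get(e.port, 0) + 1
        return counts


def demo():
    """Walk through learning, known-unicast forwarding, and aging."""
    sw = LearningSwitch(vlan_ports={36: ["8/13", "8/5", "1/1"]})
    host_a, host_b = "00-10-7b-54-37-c6", "00-09-43-3b-ac-20"   # MACs from Example 1-1
    steps = []
    # Host A on 8/13 broadcasts (e.g. an ARP request): flooded to 8/5 and 1/1.
    steps.append(sw.receive(36, host_a, BROADCAST, "8/13", now=0))
    # Host B on 8/5 replies to A: A is already in the CAM, so only 8/13 gets it.
    steps.append(sw.receive(36, host_b, host_a, "8/5", now=1))
    # A now sends a unicast to B: B is known on 8/5.
    steps.append(sw.receive(36, host_a, host_b, "8/13", now=2))
    # Long after the aging time B's entry is gone, so the unicast is flooded again.
    steps.append(sw.receive(36, host_a, host_b, "8/13", now=400))
    return steps, sw.show_cam(36)
```

Because the table is keyed per VLAN, the same MAC learned in two VLANs (as 00-01-02-00-4a-ff is in VLANs 1 and 101 in Example 1-1) produces two independent entries, exactly as the real output shows.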

NOTE Transparent bridges can operate in two traditional modes. In cut-through switching, the switch begins forwarding the frame to the outgoing port as soon as the destination MAC address has been received. If a switch in cut-through mode encounters a large number of frames with CRC errors, it drops down to store-and-forward mode; this technique is known as adaptive cut-through. In store-and-forward switching, the entire frame is received before it is forwarded, and the CRC is checked so that frames containing errors are not forwarded. Although cut-through switching is faster, the switch could forward frames with errors, because the CRC is not checked. The default mode on Cisco switches is typically store-and-forward. Routers can also be configured to bridge packets. The most common form of switching is adaptive cut-through.
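The difference between the two modes, as an added example that is not code from the book or from any Cisco switch: a minimal Ethernet II frame is built with an IEEE 802.3 CRC-32 FCS, one bit is corrupted, and the two forwarding functions show that store-and-forward drops the frame while cut-through has already chosen an egress port from the first six bytes. The AdaptiveCutThrough class models the fallback the note describes; its error threshold, the frame contents and the CAM entries are assumed sample values, not vendor behavior.

```python
"""Store-and-forward vs cut-through: an added example, not code from the book.

Builds an Ethernet II frame with a CRC-32 FCS, corrupts it, and shows how
each switching mode treats it. All addresses and payloads are constructed.
"""
import struct
import zlib


def mac_bytes(mac):
    """'00-10-7b-54-37-c6' or '00:10:7b:...' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def build_frame(dst, src, ethertype, payload):
    """Ethernet II frame: dst(6) src(6) type(2) payload(46..1500) FCS(4)."""
    payload = payload.ljust(46, b"\x00")            # pad to the 64-byte minimum
    body = mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload
    # Ethernet FCS is the standard CRC-32 (same polynomial as zlib), sent little-endian.
    fcs = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    return body + fcs


def fcs_ok(frame):
    """Recompute the CRC over everything but the last 4 bytes and compare."""
    body, fcs = frame[:-4], frame[-4:]
    return struct.unpack("<I", fcs)[0] == (zlib.crc32(body) & 0xFFFFFFFF)


def store_and_forward(frame, cam):
    """Whole frame is buffered first: a bad FCS means it never reaches the CAM lookup."""
    if not fcs_ok(frame):
        return None                                 # dropped
    return cam.get(frame[:6], "flood")


def cut_through(frame, cam):
    """Egress is chosen from the first 6 bytes only; the FCS is never consulted."""
    return cam.get(frame[:6], "flood")


class AdaptiveCutThrough:
    """Starts in cut-through and falls back to store-and-forward once the
    CRC-error count reaches a threshold (threshold is an assumed value)."""

    def __init__(self, cam, threshold=3):
        self.cam, self.threshold = cam, threshold
        self.errors, self.mode = 0, "cut-through"

    def forward(self, frame):
        if self.mode == "cut-through":
            egress = cut_through(frame, self.cam)   # already committed to a port...
            if not fcs_ok(frame):                   # ...before the error is noticed
                self.errors += 1
                if self.errors >= self.threshold:
                    self.mode = "store-and-forward"
            return egress
        return store_and_forward(frame, self.cam)


def corrupt(frame, offset):
    """Flip one bit at the given offset, simulating a line error."""
    b = bytearray(frame)
    b[offset] ^= 0x01
    return bytes(b)


def demo():
    cam = {mac_bytes("00-09-43-3b-ac-20"): "8/5"}  # constructed CAM entry
    good = build_frame("00-09-43-3b-ac-20", "00-10-7b-54-37-c6", 0x0800, b"constructed payload")
    bad = corrupt(good, 20)                         # bit flip inside the payload
    adaptive = AdaptiveCutThrough(cam)
    adaptive_results = [adaptive.forward(bad) for _ in range(4)]
    return {
        "good_fcs": fcs_ok(good),
        "bad_fcs": fcs_ok(bad),
        "saf_good": store_and_forward(good, cam),
        "saf_bad": store_and_forward(bad, cam),
        "ct_bad": cut_through(bad, cam),
        "adaptive": adaptive_results,               # three forwarded, then dropped
        "adaptive_mode": adaptive.mode,
    }
```

The adaptive run makes the note's trade-off concrete: the first bad frames are forwarded because the port had already been selected, and only once the error count crosses the threshold does the switch start discarding them.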

Spanning tree is a Layer 2 protocol used to ensure a loop-free topology. A Layer 2 loop is devastating to a network, because a frame keeps circulating around the entire broadcast domain (Layer 2 devices do not drop it) until the resulting broadcast storm eventually exhausts the memory of every switch. Broadcasts must be forwarded out all ports except the source port, which is what makes a loop self-sustaining.

NOTE A broadcast domain is defined as a group of all devices that receive broadcast frames originating from any device within the group. Broadcast domains are typically bound by routers, because routers do not forward broadcast frames. Switches, on the other hand, must forward all broadcasts out all ports except the port the frame was received from.

Spanning tree is used when there are multiple LAN segments or VLANs. A VLAN is a defined group of devices on one or more LANs that are configured (using management software, such as Catalyst switch code or CatOS) to communicate as if they were attached to the same wire when, in fact, they are located on a number of different LAN segments. VLANs are based on logical instead of physical connections and must be connected to a Layer 3 device, such as a router, to allow communication between all segments or VLANs.

To create a VLAN on a Catalyst switch, the CatOS command is set vlan vlan-id (where vlan-id is a number between 2 and 1005). By default, Cisco switches have VLAN 1 already configured. Previously, VLAN 1 could not be removed because it was used for management, but in the newest versions of the operating system software you can disable it for security reasons. Cisco IOS-based switches now extend VLAN coverage from 1-1005 to the extended range of 1025-4094. You can disable Cisco Discovery Protocol (CDP) and spanning tree (the latter is not recommended in large switched networks).

Spanning tree is on by default on all Catalyst switches, and before data can be received or sent on any given port, STP goes through a root bridge election phase. A root bridge election takes into account the bridge priority (value between 0 and 65535, default is 32768), and a lower priority is better. If the bridge priority is equal in a segment with multiple bridges, the lowest MAC address associated with the bridge is elected as the root bridge.

Bridges communicate using frames called bridge protocol data units (BPDUs). BPDUs are sent out all ports that are not in a blocking state. A root bridge has all ports in a forwarding state. To ensure a loop-free topology, nonroot bridges block any paths to the root that are not required. BPDUs use the destination MAC address 01-80-C2-00-00-00 in Ethernet environments.
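The root bridge election described in the two preceding paragraphs, as an added example that is not code from the book or from Cisco: the bridge ID is modeled as the 2-byte priority followed by the 6-byte bridge MAC, so the numerically lowest ID wins, which gives the lowest priority first and the lowest MAC on a tie. The bridge names and MACs are constructed sample values; the root_changed helper is a defender's addition that flags the condition (a newly seen bridge with a better ID taking over) that root guard is deployed to contain.

```python
"""Root bridge election: an added example, not code from the book.

Bridge ID = priority (16 bits) << 48 | bridge MAC (48 bits); lowest wins.
Bridge names and MAC addresses below are constructed sample data.
"""

STP_DEST_MAC = "01-80-c2-00-00-00"   # BPDU destination address on Ethernet
DEFAULT_PRIORITY = 32768


def mac_int(mac):
    """'00-00-0c-92-0c-af' or colon form -> 48-bit integer."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError("MAC must have 6 octets: %r" % mac)
    return int(digits, 16)


def bridge_id(priority, mac):
    """Combine priority and MAC into the 64-bit value bridges compare."""
    if not 0 <= priority <= 65535:
        raise ValueError("priority must be 0..65535")
    return (priority << 48) | mac_int(mac)


def elect_root(bridges):
    """bridges: name -> (priority, mac). Returns (winning name, its bridge ID)."""
    winner = min(bridges, key=lambda n: bridge_id(*bridges[n]))
    return winner, bridge_id(*bridges[winner])


def is_bpdu(dst_mac):
    """True for frames addressed to the spanning tree multicast address."""
    return dst_mac.lower() == STP_DEST_MAC


def root_changed(before, after):
    """True when the set of bridges 'after' elects a different root than
    'before'; a new device winning the election is what root guard prevents."""
    return elect_root(before)[0] != elect_root(after)[0]


def demo():
    """Equal priorities -> lowest MAC wins; a lower priority wins outright."""
    lan = {
        "sw-a": (DEFAULT_PRIORITY, "00-10-7b-54-37-c6"),
        "sw-b": (DEFAULT_PRIORITY, "00-09-43-3b-ac-20"),
        "sw-c": (DEFAULT_PRIORITY, "00-00-0c-92-0c-af"),   # lowest MAC
    }
    root_by_mac = elect_root(lan)[0]
    with_new_bridge = dict(lan)
    with_new_bridge["sw-d"] = (4096, "00-e0-1e-aa-bb-cc")   # constructed MAC, better priority
    root_by_priority = elect_root(with_new_bridge)[0]
    return root_by_mac, root_by_priority, root_changed(lan, with_new_bridge)
```

Running demo() returns ("sw-c", "sw-d", True): with every bridge at the default priority of 32768 the lowest MAC decides, and a bridge configured with priority 4096 becomes root regardless of its MAC, which is why the priority of the intended root should be set deliberately rather than left at the default.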
