
Concepts

This chapter explains the switching concepts that you need to understand to configure Catalyst 2900 switches. Many of the features described here can be enabled or customized with the Cisco Visual Switch Manager software or with the Cisco IOS command-line interface (CLI).

Virtual LANs

A virtual LAN (VLAN) is a switched network that is logically segmented by function, project team, or application, without regard to the physical locations of the users. Any switch port can belong to a VLAN, and unicast, broadcast, and multicast packets are forwarded and flooded only to those stations within the VLAN. You can assign ports to a VLAN by using the web-based manager software, the CLI, or SNMP.

Because a VLAN is considered a separate logical network, it contains its own bridge MIB information and supports its own implementation of the Spanning-Tree Protocol (STP). A Catalyst 2900 switch supports up to 64 VLANs, each with its own instance of STP. VLANs are identified with a number between 1 and 1001.

When a port belongs to a VLAN, the switch learns and manages the addresses associated with the port on a per-VLAN basis. See the section "Addresses and Address Learning" in this chapter for more information.

Configuring Simple VLANs

A Catalyst 2900 is a preconfigured switch, and all ports belong by default to VLAN 1. When you assign ports to a VLAN, you are really moving them from one VLAN to another.

Two types of ports can belong to a VLAN: access ports, which belong to a single VLAN, and multi-VLAN ports, which belong to two or more VLANs (see the section "Overlapping VLANs" in this chapter).

Both access ports and multi-VLAN ports carry normal Ethernet frames: no VLAN tags are added to forwarded traffic, so a frame's VLAN membership is determined by the port it arrives on, not by anything in the frame itself.

Figure 2-1 shows two work groups that belong to different VLANs. If one of the users in VLAN 8 is transferred to the work group in VLAN 7, you can make the change by assigning the port to which the user's station is attached to VLAN 7.


Figure 2-1: Port-Based VLANs

Overlapping VLANs

A multi-VLAN port connected to a router can link two or more VLANs. Intra-VLAN traffic stays within the boundaries of the respective VLANs, and connectivity between VLANs is via the router connected to the multi-VLAN port. Figure 2-2 shows a Cisco router connected to a multi-VLAN port providing connectivity to different VLANs.

A multi-VLAN port functions normally in all its assigned VLANs. For example, when an unknown MAC address is received on a multi-VLAN port, it is learned by all the VLANs that the port belongs to. Multi-VLAN ports also respond to the STP messages generated by the different instances of STP in each VLAN.

Caution Avoid unpredictable STP behavior by strictly limiting the connection of multi-VLAN ports to routers or servers.


Figure 2-2: Two VLANs Sharing a Port Connected to a Router

Addresses and Address Learning

With multiple Media Access Control (MAC) address support on all ports, you can connect any port on the switch to individual workstations, repeaters, switches, routers, or other network devices. The switch provides dynamic addressing by learning the source address of packets it receives on each port and adding the address and its associated port number to the address table. As stations are added or removed from the network, the switch updates the address table, adding new dynamic addresses and aging out those that are currently not in use.

You can configure the amount of time the switch waits before dropping a dynamic address. This aging interval is configured once for the whole switch. However, the switch maintains a separate address table for each VLAN, and STP can accelerate the aging interval on a per-VLAN basis. For a description of accelerated aging, see the section "Spanning-Tree Protocol and Accelerated Address Aging" in this chapter.


Note All addresses in the address table are associated with a VLAN. See the section "Virtual LANs" in this chapter for an overview of how you can configure VLANs on a Catalyst 2900 switch.

Static Addresses

A static address is one that you enter manually into the address table rather than one that the switch learns dynamically from received packets.

Static addresses are entered for the switch as a whole and are not associated with an individual port. When you enter an address, you use the Static Address Forwarding Map to define how the switch forwards packets with that address. There can be a different list of destination ports for each source port.

Forwarding Static Addresses to Port Groups

Static addresses that forward to Fast EtherChannel (FEC) port groups must be entered according to certain rules. A port group is treated by the switch as if it were a single port, and you define the forwarding of a static address to a port group based on whether the port group is a source-based port group or a destination-based port group. See the section "Fast EtherChannel Port Grouping" in this chapter for definitions of these terms and more information on port groups.

The rules to apply when using the Static Address Forwarding Map to define address forwarding to a port group, together with the procedure for entering and configuring static addresses, are described in the section "Address Management" in the "Web-Based Management" chapter.

Secure Addresses

A secure address is a manually entered unicast address that does not age. A secure address has only one destination port, but more than one secure address can be associated with a port. The switch does not forward packets to a secure port if the destination address is not a secure address associated with that port.

The number of devices on a secured port can range from 1 to 132. You can assign the addresses of the devices on the port yourself, or the switch can sticky-learn them. Sticky learning takes place while the address table for a secured port does not yet contain its full complement of secure addresses: the port learns the source address of each incoming packet and automatically assigns it as a secure address, until the table holds the maximum number of secure addresses allowed for the port. If a secure address is deleted from the address table, the port begins sticky learning again.

See the section "Secure Ports" in this chapter for more information on enabling port security.

Addresses and VLANs

All addresses are associated with a VLAN. An address can exist in more than one VLAN and have different destinations in each. Multicast addresses, for example, could be forwarded to port 1 in VLAN 1 and ports 9, 10, and 11 in VLAN 5. Also, a known address in one VLAN is unknown in another until it is learned or statically associated with a port in that VLAN. As such, the switch can forward the same address to a port in one VLAN and flood it to all ports in other VLANs.

An address can be secure in one VLAN and dynamic in another. Addresses that are statically entered in one VLAN must be static addresses in all other VLANs.


Note You can assign a secure address to a port in a VLAN that the port does not belong to. When the port is added to the VLAN, the address becomes secure for that port.

Forwarding and Filtering

Catalyst 2900 switches transfer, or forward, packets between any combination of ports, based on the destination address of the received packet. Using the MAC address table, the switch forwards the packet only to the port or ports associated with the destination address. If the destination address is on the port that sent the packet, the packet is filtered and not forwarded.


Note Fast EtherChannel port groups forward traffic based on the source address of a packet. Port groups can be defined to forward based on destination address, but source-based forwarding is the default. For more information on Fast EtherChannel forwarding, see the section "Fast EtherChannel Forwarding Methods" in this chapter.

Use the Static Address Forwarding Map to define how the switch forwards packets for a given static address. You can enter the list of ports to which packets for the static address are sent. You can also use the map for source-port filtering: packets for the address received on the source ports you specify in a VLAN are forwarded to just the destination ports you define, and packets for the same address received on other ports in that VLAN are not forwarded at all. Packets for the address received on ports in other VLANs are flooded to all ports in those VLANs, unless the address is also entered as a static address there.

A Catalyst 2900 switch always forwards packets by using the store-and-forward method: complete packets are stored and checked for errors before transmission.

Flooding Controls

When the switch receives a packet with a destination address that it has not learned, it floods the packet to all ports in the VLAN. Multi-VLAN ports flood traffic to all VLANs that they belong to.

Flooding ensures that packets always arrive at their destination. Catalyst 2900 switches also flood multicast and broadcast packets. The rest of this section discusses some of the ways that you can set your switch to inhibit unnecessary flooding.
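The rules in the preceding sections (per-VLAN learning, forwarding to the learned port, filtering when the destination is on the ingress port, source-port filtering through the Static Address Forwarding Map, flooding of unknown destinations within the VLAN, and the way a multi-VLAN port learns and floods in every VLAN it belongs to) fit in one small model. The following Python is an added example written for this page; it is not Cisco code and does not come from this manual. The port numbers, VLAN ids and MAC addresses are made up, and the handling of the network port described under "Unicast Filtering" below is included as that section states it. Only unicast frames are modelled.

```python
"""Per-VLAN learning, forwarding, filtering and flooding.

Added example modelled on the behaviour this chapter describes; not Cisco
code.  Frames are untagged, as on access and multi-VLAN ports, so a frame's
VLAN is taken from the port it arrives on.  Unicast frames only.
"""
from dataclasses import dataclass, field


@dataclass
class Switch:
    port_vlans: dict                                   # port -> set of VLAN ids
    dynamic: dict = field(default_factory=dict)        # (vlan, mac) -> port
    static: dict = field(default_factory=dict)         # (vlan, mac) -> {src port: dest ports}
    no_flood: set = field(default_factory=set)         # ports with unknown-unicast flooding disabled
    network_port: dict = field(default_factory=dict)   # vlan -> network port

    def ports_in_vlan(self, vlan):
        return {p for p, vlans in self.port_vlans.items() if vlan in vlans}

    def add_static(self, vlan, mac, src_port, dest_ports):
        """Static Address Forwarding Map entry: frames for mac received on
        src_port in vlan go only to dest_ports (source-port filtering)."""
        self.static.setdefault((vlan, mac), {})[src_port] = set(dest_ports)

    def learn(self, port, mac):
        # An access port learns in its single VLAN.  A multi-VLAN port learns
        # the address in every VLAN it belongs to, because an untagged frame
        # gives no hint which of them the sender meant.  A VLAN's network
        # port never learns, and static addresses are never overwritten.
        for vlan in self.port_vlans[port]:
            if self.network_port.get(vlan) == port or (vlan, mac) in self.static:
                continue
            self.dynamic[(vlan, mac)] = port

    def egress_in_vlan(self, in_port, dst, vlan):
        key = (vlan, dst)
        if key in self.static:
            # Only the listed source ports may reach a static address; frames
            # from any other port in this VLAN are dropped.
            return set(self.static[key].get(in_port, set())) - {in_port}
        if key in self.dynamic:
            port = self.dynamic[key]
            # Destination lives on the port the frame came in on: filter it.
            return set() if port == in_port else {port}
        # Unknown destination: send only to the VLAN's network port if one is
        # defined, otherwise flood the VLAN except ports with flooding off.
        if vlan in self.network_port:
            return {self.network_port[vlan]} - {in_port}
        return self.ports_in_vlan(vlan) - {in_port} - self.no_flood

    def receive(self, in_port, src, dst):
        """Learn src, then return the set of ports the frame is sent out of."""
        self.learn(in_port, src)
        out = set()
        for vlan in self.port_vlans[in_port]:
            out |= self.egress_in_vlan(in_port, dst, vlan)
        return out


def demo():
    # Ports 1-4: access ports in VLAN 7.  Ports 5-6: access ports in VLAN 8.
    # Port 9: multi-VLAN port to a router, in both VLANs (as in Figure 2-2).
    sw = Switch(port_vlans={1: {7}, 2: {7}, 3: {7}, 4: {7}, 5: {8}, 6: {8}, 9: {7, 8}})
    a, b, c, d = "0000.0c00.000a", "0000.0c00.000b", "0000.0c00.000c", "0000.0c00.000d"
    e, f, s, z = "0000.0c00.000e", "0000.0c00.000f", "0000.0c00.0055", "0000.0c00.00ff"
    rtr, rtr2 = "0000.0c00.0099", "0000.0c00.0098"
    r = {}
    r["unknown_dst_flooded_in_vlan"] = sw.receive(1, a, b)      # {2, 3, 4, 9}
    r["known_dst_forwarded"] = sw.receive(2, b, a)              # {1}
    sw.receive(3, c, a)                                         # c learned on port 3 (a hub)
    r["same_port_filtered"] = sw.receive(3, d, c)               # set(): c is on the ingress port
    r["multi_vlan_forward_and_flood"] = sw.receive(9, rtr, b)   # {2, 5, 6}: known in 7, unknown in 8
    r["learned_from_multi_vlan_port"] = sw.receive(5, e, rtr)   # {9}
    sw.add_static(7, s, src_port=1, dest_ports=[4])
    r["static_from_listed_port"] = sw.receive(1, a, s)          # {4}
    r["static_from_other_port_dropped"] = sw.receive(2, b, s)   # set()
    r["static_unknown_in_other_vlan"] = sw.receive(5, e, s)     # {6, 9}: flooded in VLAN 8
    sw.no_flood.add(4)
    r["flooding_disabled_on_port"] = sw.receive(2, b, z)        # {1, 3, 9}
    sw.network_port[8] = 9
    r["network_port_gets_unknown"] = sw.receive(6, f, z)        # {9}
    sw.receive(9, rtr2, e)                                      # network port: no learning in VLAN 8
    r["network_port_not_learned"] = (8, rtr2) not in sw.dynamic and (7, rtr2) in sw.dynamic
    return r
```

The `multi_vlan_forward_and_flood` case is the situation the "Addresses and VLANs" section describes: the same destination is forwarded to one port in VLAN 7, where it has been learned, and flooded to every port in VLAN 8, where it has not.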

Unicast Filtering

When a Catalyst 2900 switch receives a unicast packet with an unknown destination address, it floods it to all ports in the VLAN. However, when ports have only manually assigned addresses or single stations attached, there are no unknown destinations, and flooding serves no purpose. In this case, you can disable flooding on a per-port basis. See the "Flooding Controls" section in the "Web-Based Management" chapter for more information on disabling flooding.

You can also reduce flooding by assigning a network port. When a network port is defined for the VLAN, unknown unicast packets are only forwarded to that port. When a port is configured as the network port, it cannot be a secure port or a monitor port, and the switch does not learn addresses from packets received on it.

Multicast Registration and Filtering

A Catalyst 2900 switch normally floods unknown multicast or broadcast packets it receives to all ports in the VLAN. You can use the web interface or SNMP to register multicast addresses and list the ports that should receive packets for each of them. You can also disable the normal flooding of unregistered multicast packets on a per-port basis. Besides reducing unnecessary traffic, these features make it possible to use multicast packets for dedicated groupcast applications.

Cisco Group Management Protocol and Fast Leave Feature

Cisco Group Management Protocol (CGMP) limits the forwarding of IP multicast packets to only those ports associated with IP multicast clients. These clients automatically join and leave groups that receive IP multicast traffic, and the switch dynamically changes its forwarding behavior according to these requests.

CGMP works with the Internet Group Management Protocol (IGMP) and requires a connection to a router running both CGMP and IGMP. The router relays any IGMP request (join or leave) from a client to the switch in a CGMP packet, and the switch uses this information to alter its forwarding behavior accordingly.

CGMP registers the port VLAN assignments and can forward the same multicast packets to different clients in different VLANs.

Usually, a CGMP-enabled router does not remove a CGMP group until all members have left the group, so the switch keeps forwarding the group's traffic to a port until then. The CGMP Fast Leave option accelerates the removal of ports: when a leave message is received on a port, the switch checks that port's segment for other members of the group. If no group clients remain on the port, the port is dropped from the group, and if no other ports remain in the group, the entire group is removed.

Clients must be running IGMP version 2, which defines the leave message, for the Fast Leave option to take effect.
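The forwarding-table side of multicast registration and CGMP Fast Leave, from the two sections above, as an added example (not Cisco code and not from this manual). Only the switch's table is modelled, not the IGMP or CGMP packet formats. Counting clients per port is this model's way of "checking a port segment for other members", which is an assumption about mechanism; the VLAN ids, ports and group address are made up.

```python
"""Multicast registration with CGMP-style join/leave and the Fast Leave option.

Added example following the Multicast Registration and CGMP sections; not
Cisco code.  Only the switch's forwarding table is modelled.
"""


class MulticastTable:
    def __init__(self, vlan_ports, fast_leave=False):
        self.vlan_ports = vlan_ports           # vlan -> set of ports in it
        self.fast_leave = fast_leave
        self.groups = {}                       # (vlan, group) -> {port: clients on that segment}
        self.no_unregistered_flood = set()     # ports where unregistered-multicast flooding is off

    def join(self, vlan, group, port):
        """Router relays a client's IGMP join as a CGMP join for this port."""
        members = self.groups.setdefault((vlan, group), {})
        members[port] = members.get(port, 0) + 1

    def leave(self, vlan, group, port):
        """A client on port leaves the group."""
        members = self.groups.get((vlan, group))
        if not members or port not in members:
            return
        if not self.fast_leave:
            # Without Fast Leave the switch keeps the port in the group until
            # the router reports the whole group gone (router_removes_group).
            return
        members[port] -= 1
        if members[port] == 0:
            del members[port]                  # no clients left on that segment
        if not members:
            del self.groups[(vlan, group)]     # no ports left: drop the group

    def router_removes_group(self, vlan, group):
        self.groups.pop((vlan, group), None)

    def egress(self, vlan, group, in_port):
        """Ports a multicast frame for group arriving on in_port is sent to."""
        members = self.groups.get((vlan, group))
        if members is None:
            # Unregistered: flooded in the VLAN, except where that is disabled.
            return self.vlan_ports[vlan] - {in_port} - self.no_unregistered_flood
        return set(members) - {in_port}


def demo(fast_leave):
    t = MulticastTable({10: {1, 2, 3, 4}, 20: {5, 6}}, fast_leave=fast_leave)
    g = "0100.5e01.0203"            # MAC for IP multicast group 239.1.2.3 (constructed)
    r = {}
    r["unregistered_flooded"] = t.egress(10, g, in_port=4)     # {1, 2, 3}
    t.join(10, g, 1)
    t.join(10, g, 2)
    t.join(10, g, 2)                # two clients share the segment on port 2
    t.join(20, g, 5)                # same group registered separately in VLAN 20
    r["registered"] = t.egress(10, g, 4)                        # {1, 2}
    r["other_vlan"] = t.egress(20, g, 6)                        # {5}
    t.leave(10, g, 2)
    r["after_first_leave"] = t.egress(10, g, 4)                 # {1, 2}: a client remains on port 2
    t.leave(10, g, 2)
    r["after_segment_empty"] = t.egress(10, g, 4)               # Fast Leave: {1}; otherwise {1, 2}
    t.leave(10, g, 1)
    r["after_last_leave"] = t.egress(10, g, 4)                  # Fast Leave: group gone, flooded again
    t.no_unregistered_flood.add(3)
    t.router_removes_group(10, g)
    r["flood_with_port3_excluded"] = t.egress(10, g, 4)         # {1, 2}
    return r
```

Note the `after_last_leave` case with Fast Leave: once the last member leaves, the group is unregistered again and its traffic is flooded to the whole VLAN until the next join, unless per-port flooding of unregistered multicast has been disabled.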

Broadcast Storm Control

A broadcast storm occurs when a large number of broadcast packets are received from a given port. Forwarding these packets can cause the network to slow down or time out. To avoid this, use broadcast storm control to set a threshold for the number of broadcast packets that can be received from a port before forwarding is blocked. You can set a second threshold to define when to re-enable the normal forwarding of broadcast packets.

Broadcast storm control operates on a per-port basis. By default, broadcast storm control does not monitor broadcast traffic and thus does not block traffic or send alerts based on broadcast storms.
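The two-threshold behaviour described above, as an added example (not Cisco code and not from this manual). The page gives neither the measurement interval nor default thresholds, so the one-second interval and the values used in the sample are assumptions; storm control being off by default is modelled by `enabled=False`. The RMON alarm group described later in this chapter uses the same rising/falling pattern.

```python
"""Broadcast storm control with a blocking and a re-enable threshold.

Added example following the Broadcast Storm Control section; not Cisco code.
Counts are broadcasts received on one port per (assumed) one-second interval.
"""


class BroadcastStormControl:
    def __init__(self, rising, falling, enabled=True):
        if falling > rising:
            raise ValueError("the re-enable threshold must not exceed the blocking threshold")
        self.rising, self.falling, self.enabled = rising, falling, enabled
        self.blocking = False
        self.events = []          # (interval index, "storm-start" | "storm-end", count)

    def observe(self, index, broadcasts):
        """Feed the broadcast count for one interval; return True if the
        port's broadcasts are forwarded."""
        if not self.enabled:
            return True           # default: nothing monitored, nothing blocked
        if not self.blocking and broadcasts > self.rising:
            self.blocking = True
            self.events.append((index, "storm-start", broadcasts))
        elif self.blocking and broadcasts < self.falling:
            self.blocking = False
            self.events.append((index, "storm-end", broadcasts))
        return not self.blocking


def run(counts, rising, falling, enabled=True):
    """Return the per-interval forwarding decisions and the events raised."""
    sc = BroadcastStormControl(rising, falling, enabled)
    decisions = [sc.observe(i, n) for i, n in enumerate(counts)]
    return decisions, sc.events


# Constructed per-second broadcast counts from one port: a burst, a slow
# decay, then a second burst.
SAMPLE_COUNTS = [100, 600, 300, 150, 700, 100]
```

Running `run(SAMPLE_COUNTS, rising=500, falling=200)` blocks on the two bursts and re-enables only when the count has dropped below 200. With `falling` equal to `rising` there is no hysteresis and forwarding resumes as soon as the count dips below the single threshold, which on a slowly decaying storm makes the port flap between blocked and forwarding.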

Secure Ports

Secured ports restrict the use of a port to a user-defined group of stations. When you assign secure addresses to a secure port, the switch does not forward any packets with source addresses outside the group. If you define the address table of a secure port to contain only one address, the workstation or server attached to that port is guaranteed the full bandwidth of the port.

Secured ports generate address-security violations when a packet arrives with a source address that is not one of the port's secure addresses and the port's address table already holds its maximum number of secure addresses, so that the address cannot be sticky-learned.

When you secure a port, you cannot enable other switch features on the port. See the section "Configuration Conflicts" in this chapter for more information.


Note When a security violation occurs, the port can be disabled or can continue forwarding without interruption. To fully secure a port, you must also disable flooding to the port. See the "Flooding Controls" section in the "Web-Based Management" chapter for instructions.
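The "Secure Addresses" and "Secure Ports" sections describe a secured port's address limit, sticky learning, the violation that results when the table is full, the two responses to a violation, and the need to disable flooding to the port. The following Python ties those together as an added example; it is not Cisco code and not from this manual. The action names, the address limits chosen in `demo()` and the MAC addresses are assumptions.

```python
"""Secured port: address limit, sticky learning, violations, egress rules.

Added example following the Secure Addresses and Secure Ports sections; not
Cisco code.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    max_addresses: int                   # 1..132 devices on this platform
    shutdown_on_violation: bool = True   # False: record the violation, keep forwarding
    flood_disabled: bool = False         # unknown-unicast flooding to this port
    secure: set = field(default_factory=set)       # secure addresses never age
    disabled: bool = False
    violations: list = field(default_factory=list)

    def __post_init__(self):
        if not 1 <= self.max_addresses <= 132:
            raise ValueError("a secured port holds 1 to 132 secure addresses")

    def assign(self, mac):
        """Manually assign a secure address."""
        if mac not in self.secure and len(self.secure) >= self.max_addresses:
            raise ValueError("secure address table is full")
        self.secure.add(mac)

    def remove(self, mac):
        """Deleting a secure address frees a slot, so sticky learning resumes."""
        self.secure.discard(mac)

    def ingress(self, src):
        """Accept or reject a frame arriving on the port, by source address."""
        if self.disabled:
            return False
        if src in self.secure:
            return True
        if len(self.secure) < self.max_addresses:
            self.secure.add(src)          # sticky-learn while there is room
            return True
        # Table is full and src is not one of its addresses: a violation.
        self.violations.append(src)
        if self.shutdown_on_violation:
            self.disabled = True
        return False

    def egress_allowed(self, dst, dst_unknown):
        """May a frame for dst be sent out of this port?  A known destination
        only if it is a secure address of this port; an unknown one only by
        flooding, which the Note above says to disable for full security."""
        if self.disabled:
            return False
        if dst in self.secure:
            return True
        return dst_unknown and not self.flood_disabled


def demo():
    r = {}
    p = SecurePort(max_addresses=2, shutdown_on_violation=False)
    r["sticky_first"] = p.ingress("0000.0c00.0001")            # True, learned
    r["sticky_second"] = p.ingress("0000.0c00.0002")           # True, table now full
    r["third_rejected"] = p.ingress("0000.0c00.0003")          # False: violation
    r["port_still_up"] = not p.disabled                        # True: continue-forwarding action
    r["known_still_accepted"] = p.ingress("0000.0c00.0001")    # True
    p.remove("0000.0c00.0002")
    r["relearns_after_delete"] = p.ingress("0000.0c00.0003")   # True: sticky learning resumed
    r["violations"] = list(p.violations)                       # ["0000.0c00.0003"]
    r["flood_reaches_port"] = p.egress_allowed("0000.0c00.00ff", dst_unknown=True)     # True
    p.flood_disabled = True
    r["flood_blocked"] = p.egress_allowed("0000.0c00.00ff", dst_unknown=True)          # False
    r["secure_dst_ok"] = p.egress_allowed("0000.0c00.0001", dst_unknown=False)         # True
    r["removed_dst_blocked"] = p.egress_allowed("0000.0c00.0002", dst_unknown=False)   # False
    q = SecurePort(max_addresses=1)       # one server, disable the port on violation
    q.assign("0000.0c00.0aaa")
    r["rogue_rejected"] = q.ingress("0000.0c00.0bad")          # False
    r["port_shut_down"] = q.disabled                           # True
    r["server_blocked_too"] = q.ingress("0000.0c00.0aaa")      # False: port is down
    return r
```

The last three results show the cost of the disable action: after a single rogue frame the legitimate server behind the port is cut off as well, so the choice between disabling the port and continuing to forward is an availability decision, not only a security one.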

SPAN

The Switched Port Analyzer (SPAN) mirrors the traffic at one port to a predefined SPAN port. Any port can be designated as the SPAN port, and the traffic can be mirrored from any number of ports. The SPAN port has to be in the same VLAN as the ports being monitored. You can use a sniffer on the SPAN port to troubleshoot network problems by examining traffic on other ports or segments.

Changes to the VLAN membership of the monitor port and of the ports being monitored are not allowed unless port monitoring is disabled. Other port configurations can affect your ability to assign a port as the monitor port. See the section "Configuration Conflicts" in this chapter for a list of possible conflicts.

Fast EtherChannel Port Grouping

Fast EtherChannel (FEC) port groups are logical high-speed connections between switches. For example, a port group with four 100BaseT ports running in full-duplex can support up to 800 Mbps between switches.

The switch can support up to 12 port groups, and you can configure them to forward based on the source address or the destination address of a received packet. Port groups that forward based on the source address can have as many as eight ports. Port groups that forward based on the destination address can have any number of ports.


Note When a port group connects two switches, it can be configured to use different forwarding methods on each switch.

Because a port group is considered a single logical port, all ports in the group share the same STP and flooding characteristics. If an STP parameter is changed for one port, the switch sets that parameter to the same value for all ports in the group. Fast EtherChannel ports are always in the same VLAN and are always the same VLAN port mode, access or multi-VLAN. Also, a port that belongs to a Fast EtherChannel port group cannot be a monitor port or a secure port.

Fast EtherChannel Forwarding Methods

A Catalyst 2900 switch normally forwards packets by reading the destination address of a packet and forwarding it to the port where that address was first recorded. To make use of the full Fast EtherChannel bandwidth, port groups by default forward based on the source address of a packet instead. With source-based forwarding, each new source address is assigned to one of the ports in the group and recorded in the address table against that port; later packets from that source use the same port, so traffic from different sources is spread across the group's links. Figure 2-3 shows an example of when to use source-based forwarding. You can also create port groups that forward on the destination address.

Source-based port groups can have as many as eight ports; destination-based groups can have any number of ports. Port groups that link switches are configured independently and can be configured differently on each switch. For example, if four ports connect Catalyst 2900 switches A and B, you can configure the ports on switch A in a port group that forwards by source address, and you can configure the ports on switch B in a port group that forwards by destination address.
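The difference between the two forwarding methods, and why Figure 2-3's many-clients-to-one-server case calls for source-based forwarding, can be seen by modelling link selection in a port group. The following Python is an added example, not Cisco code and not from this manual. The chapter says a source-based group records each address against one member port and spreads addresses over the group, but not how a port is chosen, so the CRC-based choice below is an assumption, as are the addresses used in `demo()`.

```python
"""Link selection in a Fast EtherChannel port group.

Added example following the Forwarding Methods section; not Cisco code.  The
hash that picks a member port for a new address is an assumption.
"""
import zlib

MAX_SOURCE_BASED_PORTS = 8       # per the text; destination-based groups have no limit


class PortGroup:
    def __init__(self, ports, method="source"):
        if method not in ("source", "destination"):
            raise ValueError("method must be 'source' or 'destination'")
        if method == "source" and len(ports) > MAX_SOURCE_BASED_PORTS:
            raise ValueError("a source-based port group has at most eight ports")
        self.ports = list(ports)
        self.method = method
        self.assigned = {}           # address -> member port, as in the address table

    def member_for(self, src, dst):
        """Member port a frame from src to dst leaves on.  The first frame
        for an address picks a link; later frames for that address reuse it,
        so one conversation is never reordered across links."""
        key = src if self.method == "source" else dst
        if key not in self.assigned:
            self.assigned[key] = self.ports[zlib.crc32(key.encode()) % len(self.ports)]
        return self.assigned[key]


def distribution(group, flows):
    """Count frames per member port for a list of (src, dst) frames."""
    counts = {p: 0 for p in group.ports}
    for src, dst in flows:
        counts[group.member_for(src, dst)] += 1
    return counts


def demo():
    # Figure 2-3 situation: 64 clients behind switch A all talk to one
    # server behind switch B over a four-port group (constructed addresses).
    clients = ["0000.0c00.%04x" % i for i in range(1, 65)]
    server = "0000.0c00.ffff"
    flows = [(c, server) for c in clients] * 3       # three frames per client
    links = [1, 2, 3, 4]
    by_source = distribution(PortGroup(links, "source"), flows)
    by_destination = distribution(PortGroup(links, "destination"), flows)
    return by_source, by_destination
```

With destination-based forwarding every frame carries the same destination address, so the whole load lands on a single link and the other three carry nothing; with source-based forwarding the 64 client addresses are spread over the four links. The reverse situation (one server sending to many clients) favours destination-based forwarding for the same reason.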


Figure 2-3: Source-Based Forwarding

Choosing a Fast EtherChannel Forwarding Method

Follow these guidelines when creating port groups. A source-based port group can have no more than eight ports; a destination-based port group can have any number of ports. Forwarding static addresses to port groups can cause the switch to forward a packet more than once or to lose packets; if you are entering static addresses for a port group, see the section "Forwarding Static Addresses to Port Groups" in this chapter for the rules to follow.

Remote Monitoring

The Remote Monitoring (RMON) MIB is a tool used by network managers to monitor remote devices. An RMON implementation consists of a software probe that continually collects statistics about a LAN and a management station that communicates with the probe. The probe transfers information to the management station on request or when a predefined threshold is crossed.

The Catalyst 2900 supports four RMON groups as defined in RFC 1757. Default statistic rows are created for each port when you start the switch. You can obtain information about the four supported groups by using any SNMP management application. Table 2-1 describes the supported RMON groups.


Table 2-1: RMON Groups and Their Functions

Statistics: Collects traffic and error statistics for a specific interface. For example, you can use this group to determine how many error packets have been seen on a given port. The history group can use these statistics to record historical views of network performance. A statistics row is established by default for each switch port.

History: Periodically samples the counters generated by the statistics group. This information can be used to establish baseline information about network activity. You define the intervals at which information is recorded and how many of the samples are stored.

Alarm: Generates alarms according to user-defined thresholds. For example, you can configure RMON to generate an alarm when alignment errors on a port exceed a predefined limit. Rising and falling thresholds can be defined, and the event group can generate traps and automated responses based on the alarms.

Event: Sends traps to the management station based on the alarms received from the alarm group.

Cisco Discovery Protocol

CDP provides network managers with an up-to-date picture of the network. By gathering information about the types of devices, the links between them, and the number of interfaces on each device, CDP enables the web-based manager software and other network management applications to display a graphical view of the network, including detailed information about the connections between devices. The protocol is enabled by default. Because CDP advertises device and interface details to any directly connected neighbor, consider disabling it on ports that face end stations rather than other managed network devices.

For more information about enabling CDP and using the network view, see the "Switch Network View" chapter.

Spanning-Tree Protocol

Spanning-Tree Protocol (STP) is a standardized technique for maintaining a network of multiple bridges or switches. As part of the IEEE 802.1D standard, STP interoperates with compliant bridges and switches from other vendors. When the topology changes, it transparently reconfigures bridges to avoid the creation of loops and to establish redundant paths in the event of lost connections. All ports are included in Catalyst 2900 STP support, and management of STP is through the standard bridge MIB.

Each Catalyst 2900 VLAN is treated as a separate bridge, and a separate instance of STP and the bridge MIB is applied to each VLAN.

Spanning-Tree Protocol and Redundant Connectivity

You can create a redundant backbone with STP by connecting two of the switch ports to another device or to two different devices. STP automatically blocks one of the two ports and brings it into service if the other link is lost. If one link is high-speed and the other low-speed, the low-speed link, which has the higher path cost, is the one blocked. If the two links have the same speed, STP compares their port identifiers (port priority combined with port number), keeps the port with the lower value forwarding, and blocks the other.

You can also create redundant links between switches by using Fast EtherChannel port groups. Fast EtherChannel groups treat any number of ports as if they were one port. If one of the ports in the group goes down, the other ports forward and receive the traffic of the disabled port. This approach maximizes the forwarding capacity of the ports because a disabled port need not be kept in reserve.

Spanning-Tree Protocol and Accelerated Address Aging

Dynamic addresses are aged and dropped from the address table after a configurable period of time. The default for aging dynamic addresses is 5 minutes. However, a reconfiguration of the spanning tree can cause many station locations to change. Because this could mean that these stations were unreachable for 5 minutes or more, the address-aging time is accelerated so that station addresses can be dropped from the address table and then relearned. The accelerated aging is the same as the forward-delay parameter value when STP reconfigures.

Because each VLAN is a separate instance of STP, the switch accelerates aging on a per-VLAN basis. A reconfiguration of STP on one VLAN can cause the dynamic addresses learned on that VLAN to be subject to accelerated aging. Dynamic addresses on other VLANs can be unaffected and remain subject to the aging interval entered for the switch.
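The per-VLAN accelerated aging described in this section, as an added example that is not Cisco code and not from this manual. Time is a simulated counter in seconds. The 300-second aging time is the page's 5-minute default; the 15-second forward delay is the IEEE 802.1D default and is assumed here, as is the choice to keep the accelerated timeout in force for one forward-delay period after the reconfiguration. Ports, VLAN ids and addresses are made up.

```python
"""Per-VLAN accelerated address aging after a spanning-tree reconfiguration.

Added example following the Spanning-Tree Protocol and Accelerated Address
Aging section; not Cisco code.  Time is a simulated counter in seconds.
"""

DEFAULT_AGING = 300          # seconds: the page's 5-minute default
FORWARD_DELAY = 15           # seconds: 802.1D default (assumed)


class AddressTable:
    def __init__(self, aging=DEFAULT_AGING, forward_delay=FORWARD_DELAY):
        self.aging = aging
        self.forward_delay = forward_delay
        self.entries = {}        # (vlan, mac) -> (port, time last seen)
        self.fast_until = {}     # vlan -> time until which accelerated aging applies

    def learn(self, vlan, mac, port, now):
        self.entries[(vlan, mac)] = (port, now)

    def topology_change(self, vlan, now):
        """STP reconfigured in this VLAN: age its dynamic addresses with the
        forward-delay value for a while.  Other VLANs are untouched."""
        self.fast_until[vlan] = now + self.forward_delay

    def timeout(self, vlan, now):
        return self.forward_delay if now <= self.fast_until.get(vlan, -1) else self.aging

    def age(self, now):
        """Drop entries older than their VLAN's current timeout; return them."""
        removed = []
        for key, (port, seen) in list(self.entries.items()):
            if now - seen > self.timeout(key[0], now):
                del self.entries[key]
                removed.append(key)
        return removed

    def lookup(self, vlan, mac):
        entry = self.entries.get((vlan, mac))
        return entry[0] if entry else None


def demo():
    t = AddressTable()
    a, b, c = "0000.0c00.000a", "0000.0c00.000b", "0000.0c00.000c"
    t.learn(7, a, 1, now=0)          # VLAN 7, port 1
    t.learn(8, b, 5, now=0)          # VLAN 8, port 5
    t.learn(7, c, 2, now=95)         # VLAN 7, seen recently
    t.topology_change(7, now=100)    # a link in VLAN 7 failed; stations may have moved
    r = {}
    r["dropped_at_100"] = t.age(100)     # [(7, a)]: 100 s old > 15 s; c is only 5 s old
    r["vlan8_untouched"] = t.lookup(8, b)  # 5: VLAN 8 still ages at 300 s
    t.learn(7, a, 3, now=101)            # a is relearned on its new port
    r["relearned_port"] = t.lookup(7, a)  # 3
    r["dropped_at_350"] = t.age(350)     # [(8, b)]: normal 300 s aging in VLAN 8
    r["dropped_at_400"] = t.age(400)     # [(7, c)]: accelerated period over, normal aging
    return r
```

Without the accelerated aging, address `a` would have stayed bound to port 1 for up to five minutes after the reconfiguration and frames for it would have been sent down the failed path; with it, `a` is dropped at the first aging pass and relearned on its new port as soon as it transmits.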

Configuration Conflicts

You can configure a port so that other switch features are not available to it. For example, assigning a port as the network port for a VLAN conflicts with the idea of securing a port, so a secured port cannot be a network port. Table 2-2 shows which port features conflict with one another. Refer to it when enabling any of the features it lists.


Table 2-2: Port Configuration Conflicts

"Yes" means the two features can be configured on the same port; "No" means they conflict.

                   Port Group   Port Security   Monitor Port   Multi-VLAN Port   Network Port
Port Group         -            No              No             Yes               Yes
Port Security      No           -               No             No                No
Monitor Port       No           No              -              No                No
Multi-VLAN Port    Yes          No              No             -                 Yes
Network Port       Yes          No              No             Yes               -

Posted: Tue May 11 12:04:35 PDT 1999
Copyright © 1989-1999 Cisco Systems, Inc.