Introduction

In recent years, Ethernet has all but replaced Token Ring and FDDI technology on LANs. Many consider Ethernet to be a technology that is inferior in some ways to Token Ring and FDDI. These technologies provide more robust error-checking capabilities and more predictable access to media than Ethernet; however, the simplicity and low cost of Ethernet has seen it win over the other technologies.

With gigabit Ethernet well established and affordable, Ethernet is now also replacing aging, expensive, and very complex ATM equipment, which was popular in the mid-1990s for providing high-speed switch interconnectivity (also known as trunking).

Ethernet LANs use a concept called transparent bridging to enable the transmission of frames over multiple LAN devices called bridges. A bridge is a Layer 2 device that is used to segment collision domains and increase LAN performance. In this section, you learn about transparent bridging and the concepts of broadcast domains and collision domains which are important in understanding the benefits that switches and VLANs provide. You then learn about VLANs and how they are implemented on Cisco Catalyst switches. The following topics are discussed:

• Bridging overview

• VLAN concepts

Bridging Overview

To understand the primary operation of a switch, you must understand how transparent bridging works. All Ethernet LAN switches implement transparent bridging, so it is crucial that you be familiar with this process. Both bridges and switches offer performance benefits over using Layer 1 devices by providing LAN segmentation, which is the process of reducing large collision domains into smaller, more manageable collision domains. Collision domains are defined as an area of the LAN where only a single device can access the Ethernet network at any one time (i.e., multiple devices must contend for access to the network). The following are covered in this bridging overview:

• Transparent bridging

• LAN segmentation

Transparent Bridging

An Ethernet switch is a Layer 2 device that essentially operates as a transparent bridge. A transparent bridge is a device that understands Layer 2 addressing and can make intelligent Layer 2 forwarding decisions. The bridge operates by maintaining a table of MAC addresses and associated egress ports. The table tells the bridge where stations are located within the LAN, which enables the bridge to determine how to forward Layer 2 frames by reading the destination MAC address of each frame and looking up the corresponding egress port on the bridge. Table 2-1 shows a simple bridging table.

In Table 2-1, each MAC address entry represents a destination hostfor example if a frame is received with a destination MAC address of 0000.01a0.64b1, the frame will be sent out the FastEthernet0/1 interface.

The MAC address entries in the bridge table shown in Table 2-1 must somehow be populated, and this information must be accurate to ensure frames are delivered correctly. Transparent bridging allows a bridge or switch to learn the location of devices in the LAN based upon frames received on a particular port.

Figure 2-1 illustrates the algorithm that occurs when a frame is received on an interface.

Figure 2-2 explains the processes shown in Figure 2-1 in terms of a sample network topology.

In Figure 2-2, assume that Host A (aaaa.aaaa.aaaa) is communicating with Host B (bbbb.bbbb.bbbb). The following processes occur:

1. Learning Host A sends a frame to Host B. The bridge examines the source address (aaaa.aaaa.aaaa) of received frames and associates the ingress port (1/0) of the received frame with the source address of the frame by adding an entry to the bridging table.

2. Flooding The bridge examines the destination address (bbbb.bbbb.bbbb), looks in the local bridging table, and finds no entry for the destination address. Because the received frame is sent to an unknown destination, the bridge floods the frame out all ports (except for the ingress port 1/0) to ensure the frame reaches the destination.

   NOTE

   Broadcast frames are always flooded by virtue of the fact that they are intended to be transmitted to all hosts within the LAN. Depending on the bridging device, multicast frames may also be flooded or may be forwarded out multiple egress ports if the bridging device supports multicast traffic control.

   
   

3. Forwarding Host B receives the frame due to the flooding process. Host B replies to the frame. The bridge receives the frame, examines the source address (bbbb.bbbb.bbbb), and writes an entry to the bridge table, associating Host B with the port upon which the reply has been received (port 1/2). The bridge then examines the destination address (aaaa.aaaa.aaaa), looks in the bridging table, and finds the entry for Host A generated by step 1. Thus, the bridge only forwards the frame out the specified egress port (port 1/0) towards Host A.

4. Filtering Assume that Host C and Host D are communicating and the bridge knows that these hosts exist and has respective entries for each in the local bridging table. When Host C sends a frame to Host D, the frame will be propagated to the bridge. The bridge follows the procedure of Figure 2-1 and finds that the source and destination address are associated with the same port (1/1). Thus, the bridge filters (drops) the frame, because the frame has already reached its destination.

5. Aging When the entry for Host B is created in the bridging table, an idle timer is started for that entry. Every time a new frame is received from Host B, this idle timer is reset to zero. Assume Host B is shut down. No more traffic is generated from Host B; thus, the idle timer keeps on incrementing. Once the timer reaches the aging timeout value (e.g., 5 minutes), the entry for Host B is removed from the table, which saves precious memory resources and also ensures any location changes for Host B are reflected in the bridge table. If Host B comes back online, the bridging table is repopulated as soon as Host B sends a frame towards the bridge.

LAN Segmentation

One of the key requirements of a LAN protocol is performance; users expect to be able to transfer information between locally connected systems quickly and are not very forgiving when the LAN is running slow. LAN performance can be affected by many factorsone very important factor is the concept of LAN segmentation or rather the lack of. Ethernet is a shared media technology, and the performance of Ethernet diminishes as more and more devices contend for the shared bandwidth. LAN segmentation breaks up the LAN into smaller pieces, both at a physical level (Layer 1) and at a Layer 2 level. This segmentation ensures the performance and scalability of the LAN. LAN segmentation involves two key design parameters:

• Collision domains

• Broadcast domains

Collision Domains

A collision domain is an area of a single LAN where end stations contend for access to the network because all end stations are connected to a shared physical medium. If two connected devices transmit onto the media at the same time, a collision occurs. When a collision occurs, a JAM signal is sent on the network, indicating that a collision has occurred and that devices should ignore any fragmented data associated with the collision. Both sending devices back off sending their data for a random amount and then try again if the medium is free for transmission. Therefore, collisions effectively delay transmission of data, lowering the effective throughput available to a device. The more devices that are attached to a collision domain, the greater the chances of collisions; this results in lower bandwidth and performance for each device attached to the collision domain. Bridges and switches terminate the physical signal path of a collision domain, allowing you to segment separate collision domains, breaking them up into multiple smaller pieces to provide more bandwidth per user within the new collision domains formed.

Broadcast Domains

A broadcast domain is the area over which LAN broadcast frames are propagated, or the area over which LAN devices can communicate directly with each other using Ethernet. Unlike collision domains, which are bounded by a shared physical media, broadcast domains are not so restricted. The devices that terminate a broadcast domain are Layer 3 devices, such as routers, which will not normally forward LAN (Layer 2) broadcasts. A broadcast domain typically maps to a Layer 3 subnetwork, such as an IP subnet, and is also commonly referred to as a LAN. If a broadcast domain becomes too large, due to the sheer number of devices attached to the LAN, it is likely that the LAN will suffer from performance problems due to the high proportion of broadcast traffic. This varies depending on the operating system of your LAN devices, because some operating systems make use of broadcast traffic more than others. You can increase the performance of a broadcast domain by splitting it into two or more pieces, which in turn creates several smaller broadcast domains. You segment broadcast domains using a Layer 3 device, such as a router.

NOTE

It is important to understand that a broadcast domain can consist of multiple collision domains; however, a collision domain only ever belongs to a single broadcast domain. Routers, which separate broadcast domains, automatically terminate collision domains, preventing a collision domain from crossing a router.

Increasing Performance Using LAN Segmentation

In a worst-case scenario, a LAN consists of a single broadcast domain with one large collision domain. This arrangement means that all devices attached to the LAN are contending for access to the same physical shared media and that a broadcast sent by any device is propagated throughout the LAN.

LAN segmentation allows you to split a large collision domain into smaller collision domains, which increases the available bandwidth to devices because fewer devices are contending for shared bandwidth within the smaller collision domains. To segment large collision domains into smaller collision domains, you need bridges and switches.

LAN segmentation also allows you to split a large broadcast domain into several smaller broadcast domains, which reduces the proportion of broadcast traffic in each broadcast domain, increasing network efficiency and performance. You need Layer 3 switches or routers to segment broadcast domains into smaller broadcast domains.

Figure 2-3 shows a simple LAN, which has two broadcast domains, each with one or more collision domains.

In Figure 2-3 notice that all hubs and connected devices comprise a collision domain, while each bridge terminates collision domains. This termination occurs because a bridge (or switch) terminates the electrical signal path, inspects frames received, and forwards the frames appropriately. A hub merely propagates signals (frames) out all other ports, effectively extending the electrical signal path.

Both bridges and switches allow you to reduce the size of collision domains in a LAN. A major and important difference between bridges and switches is that bridges typically connect only to other networking devices (such as hubs or bridges), while switches connect to both end devices and other networking devices. This difference is not a technical limitation, but rather one driven by cost. Bridges historically were expensive, with low port density, meaning it didn't make sense to connect users to bridges. Switches, however, are relatively cheap and have high port densities, so the benefits of a bridge/switch can be extended to user devices.

In a fully switched network, each switch port represents a separate collision domain, if half-duplex operation is used. You can totally eliminate all collision domains by configuring full duplex, provided of course that each device supports full-duplex 10-Mbps or 100-Mbps operation. Thus in Figure 2-3, if the router ports are working at full-duplex operation, no collision domain exists between the router and bridges, assuming of course that the connected bridge ports are also operating in full-duplex mode. Eliminating collision domains altogether means devices can use 80-90 percent of the available bandwidth (e.g., 80-90 Mbps on a Fast Ethernet port) because devices do not need to execute the carrier sense multiple access collision detect (CSMA/CD) algorithm. This available bandwidth is compared with a maximum of 40-50 percent on two or more devices sharing Ethernet media (i.e., when a collision domain exists).

Ethernet devices can operate at half duplex or full duplex when connected to LAN switches. In half-duplex operation, the transmit and receive wires on the network interface card (NIC) are connected to the same transmission circuit, so a collision can occur if the local device and remote switch port transmit at the same time. In full-duplex operation, the transmit circuit is wired directly to the remote receive circuit and vice versa, which eliminates the possibility of a collision at all. Figure 2-4 compares a 4-port switch containing 2 half-duplex ports and 2 full-duplex ports with a 4-port hub.

In Figure 2-4, notice that even if a device connected to a switch operates at half duplex, the collision domain is limited to just the device and the switch port it is connected to. If the device is connected using full-duplex operation, no collisions will ever occur, because the signal pathways are physically separate for transmit and receive on a full-duplex port. The switched environment experiences significantly fewer collisions than the hub environment, increasing network performance and efficiency.

NOTE

A common issue in switched LANs is duplex mismatches. For example, if a switch port is configured to operate at half duplex and a connected device is configured to operate at full duplex, the connected device disables the CSMA/CD algorithm because it should never experience collisions. However, this disabling seriously degrades performance and causes excessive errors because one party of the Ethernet connection is not using the CSMA/CD algorithm. This topic is covered in more detail in Chapter 10, "Maintenance, Monitoring, and Troubleshooting."

VLAN Concepts

VLANs provide a mechanism that enables you to split LAN infrastructure into multiple broadcast domains, in effect creating virtual LANs (hence, the name). Each VLAN places a group of physical ports into a logical broadcast domain, which allows devices within the VLAN to communicate at Layer 2. Multiple VLANs can be supported on a switch, meaning that although devices may be connected to the same physical switch, these devices can communicate at Layer 2 only with devices that belong to the same VLAN. VLANs can also be extended over multiple switches, which means that a user that belongs to a particular VLAN can move to another floor or building, connect to a physical port on a separate switch, and still belong to the same broadcast domain (VLAN). Cisco Catalyst switches all support VLANs because VLANs are an essential component of modern LANs. In this section the following topics are discussed:

• Introduction to VLANs

• Cisco Catalyst VLAN implementation

Introduction to VLANs

So far you have seen basically how LANs functioned up until the early to mid-1990s. Around this time, a new device known as the switch emerged. Essentially, a switch is a bridge and performs all the functions of a bridge; however, it does have some differences:

• A bridge is normally limited to a few ports and, hence, connects only to other networking equipment and not to end devices. A switch typically has high port densities that allow end devices to connect to it.

• A bridge normally operates in a single LAN; a switch can operate in multiple LANs, appearing as a virtual bridge for each LAN.

NOTE

This second statement is not strictly true; some bridges do support multiple LANs. For example, Cisco IOS routers can act as a bridge and do support multiple LANs. However, the major point here is that, from a purist point of view, a simple bridge operates only in a single LAN.

A bridge operates in software, while a switch typically operates in hardware, which means that a switch has much higher performance.

Today, the bridge has all but disappeared, supplanted by switches, which have much lower costs per port and much higher performance. The cost per port today for switches is low enough that many LANs are completely switched, which means all devices are connected to switches on the network. The most important technical feature of a switch is its ability to service multiple logical LANs or broadcast domains at once. Refer back to Figure 2-3; separate bridges and hubs service each LAN, which is the legacy method of LAN networking. Figure 2-5 shows the network of Figure 2-3, this time with a switch included.

Notice in Figure 2-5 that a single physical switch is capable of servicing each broadcast domain. Within each broadcast domain, or VLAN, devices can communicate at a Layer 2 level (intra-VLAN communications). The switch maintains complete separation between each broadcast domain, which means that devices in separate VLANs cannot communicate directly with each other at a Layer 2 level. To enable inter-VLAN communications, a Layer 3 protocol, such as IP, is required; this means that any traffic between devices in separate VLANs must traverse the router.

NOTE

It is very important to understand that you require some form of Layer 3 router to allow devices from different VLANs to communicate. A switch with multiple VLANs configured with no router connected cannot enable communication between VLANs because this sort of communication is a routing function that the switch cannot understand. Layer 3 switches add Layer 3 routing functionality to a switch, which then removes the need for separate external routers.

Each LAN in Figure 2-5 is referred to as a virtual LAN (VLAN). The switch emulates a single LAN for each device connected to it (hence, the term virtual), yet supports devices from multiple LANs.

Cisco Catalyst VLAN Implementation

Cisco Catalyst switches support VLANs. Some newer Cisco Catalyst switches support up to 4096 VLANs, but traditionally, Cisco Catalyst switches support only up to 1024 VLANs. For most networks, 1024 VLANs are more than enough because implementing even 50 VLANs for a single LAN infrastructure can become impractical.

NOTE

Service providers are an exception because they are increasingly providing Ethernet services to customers and need to provide logical separation from other customers. The simplest method of creating this separation is to create a VLAN for each customer. However, this method must be able to scale; hence, the difference between 1024 and 4096 VLANs can be significant for a service provider.

Cisco Catalyst switches historically have supported only up to 1024 VLANs due to the use of 10-bit VLAN ID tag used in the Cisco proprietary Inter-Switch Link (ISL) trunking protocol. Trunking provides the ability for a single Layer 2 port to transport the traffic from multiple VLANs, rather than from just a single VLAN. To support this functionality, a tag is required that identifies the VLAN ID the frame is associated with. You learn more about trunking in Chapter 3, "Trunking and Bandwidth Aggregation." Later versions of ISL use a 15-bit VLAN ID tag and the standards-based IEEE 802.1Q trunking protocol uses a 12-bit VLAN ID tag, which provides for up to 4096 VLANs. ISL was used before 802.1Q protocol support was present; hence, a large number of Catalyst switches support only 1024 VLANs.

A Catalyst switch maintains a VLAN database, which is a listing of all VLANs, associated parameters such as VLAN ID and name, and a list of each port associated with each VLAN. Table 2-2 shows a sample VLAN database.

Table 2-2 shows some of the basic parameters for each VLAN; many others are not shown. As you can see, each VLAN is associated with a set of ports. Only ports within the same VLAN can communicate with each other at a Layer 2 level (e.g., Ethernet). In Table 2-2, port 2/11 can communicate directly only with ports 2/13 and 2/14. If a device connected to port 2/11 wanted to communicate with a device on port 2/1, the frame has to be sent to a Layer 3 router with connectivity to both VLANs.

The VLAN database implementation varies based upon the Catalyst switch operating system. The next sections examine the VLAN database implementation for each of the following operating systems:

• Catalyst OS

• Cisco IOS

Catalyst OS

The Catalyst OS (CatOS) VLAN database implementation is simple to understand. It is stored in the switch configuration file that is loaded during bootup. This configuration file contains all of the configuration settings for the switch, so this makes it a single, central configuration storage point.

Cisco IOS

Cisco IOS-based switches differ from CatOS-based switches in that they store the VLAN database separately from the main configuration file. By default, the VLAN database is saved in a file called VLAN.DAT, which is located in the root file system on the local Flash storage device. That the VLAN database is stored separately is an important point to remember; even if you clear the main configuration of a Cisco IOS-based switch, the VLAN database is still maintained. The VLAN.DAT file is a binary file that you should not manually delete or edit. Make any configuration changes to the VLAN database through the Cisco IOS interface; the binary file is updated appropriately by Cisco IOS after changes have been made.

NOTE

In later versions of Cisco IOS, you can store VLAN configuration information in the main switch configuration file; however, the switch must be operating in VTP transparent mode (VTP is discussed in more detail in Chapter 3).