Friday, August 10, 2007

WAN Switching

In Depth
Switches are not only used in LANs; they are also used extensively in wide area networks (WANs). In an Ethernet switching environment, the switch uses Carrier Sense Multiple Access with Collision Detection (CSMA/CD). The switch or host sends a frame and detects whether a collision occurs. If there is a collision, the sender backs off for a random amount of time and then retransmits the frame. If it does not detect a collision, it sends the next frame. You may think that if the switch or host is set to full-duplex there will be no collisions. That is correct, but the host still waits the interframe gap between frames.
In a Token Ring switching environment, a token is passed from one port to the next. The host must have possession of the token to transmit. If the token is already in use, the host passes the token on and waits for it to come around again. All stations on the network must wait for an available token. An active monitor, which could be any station on the segment, performs a ring maintenance function and generates a new token if the existing token is lost or corrupted.
As you can see, both Token Ring and Ethernet switching require the node to wait: either for the token, or for the frame to reach the other nodes. This is not the most efficient use of bandwidth. In a LAN environment the inefficiency is not a major concern; on a WAN it becomes unacceptable. Can you imagine your very expensive T1 link being usable only half the time? To overcome this problem, WAN links use serial transmission.

Serial transmission sends the electrical signal (bits) down the wire one after another. It does not wait for one frame to reach the other end before transmitting the next. To identify the beginning and the end of a frame, a timing mechanism is used; the timing can be either synchronous or asynchronous. Synchronous signaling uses an identical clock rate at both ends, with the clocks set to a reference clock. Asynchronous signaling does not require a common clock; the timing comes from special characters in the transmission stream. Asynchronous serial transmission puts a start bit and a stop bit around each character (usually 1 byte), an eight-to-two ratio of data to overhead, which is very expensive on a WAN link. Synchronous serial transmission does not carry that overhead, because it needs no framing characters around each byte, and it can carry a larger payload per frame.

Is synchronous serial transmission the perfect WAN transmission method? No; the problem lies in how to synchronize equipment miles apart. Synchronous serial transmission is only suitable for distances where the time required for data to travel the link does not distort the synchronization. So, first we said that serial is the way to go, and now we have said that serial either has high overhead or cannot travel a long distance. What do we use? Well, we use both, and cheat a little: synchronous serial transmission for the short distance, and asynchronous for the remaining, long distance.
We cheat by putting multiple characters in each frame and limiting the overhead. When a frame leaves a host and reaches a router, the router uses synchronous serial transmission to pass the frame on to a WAN transmission device. The WAN device puts multiple characters into each WAN frame and sends it out. To minimize the variation of time between when the frames leave the host and when they reach the end of the link, each frame is divided and put into a slot in the WAN frame. This way, the frame does not have to wait for the transmission of other frames before it is sent. (Remember, this process is designed to minimize wait time.) If there is no traffic to be carried in a slot, that slot is wasted. Figure 1 shows a diagram of a packet moving from LAN nodes to the router and the WAN device.
Figure 1: A packet’s journey from a host to a WAN device. The WAN transmission is continuous and does not have to wait for acknowledgement or permission.
Let’s take a look at how this process would work in a T1 line. T1 has 24 slots in each frame; each slot is 8 bits, and there is 1 framing bit:
24 slots x 8 bits + 1 framing bit = 193 bits
T1 frames are transmitted 8,000 frames per second, or one frame every 125 microseconds:
193 bits x 8,000 = 1,544,000 bits per second (bps)
When you have a higher bandwidth, the frame is bigger and contains more slots. E1, for example, has 32 slots and carries its framing inside time slot 0 rather than in a separate bit, so 32 x 8 bits x 8,000 frames per second = 2,048,000 bps. As you can see, this is a great increase in the effective use of the bandwidth.
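To make the slotting concrete, here is an added Python example (not from the original article) that interleaves per-channel byte streams into T1 or E1 frames, recovers them at the far end, and reports how many transmitted slots actually carried traffic. The idle fill byte 0xFF and the channel-to-slot assignment are assumptions of the example; the slot counts and frame rate are the ones given above.

```python
"""Time-division multiplexing as on a T1/E1 link: one byte from each channel per frame,
8,000 frames a second, idle slots still transmitted. Added example; not from the original page."""

FRAMES_PER_SECOND = 8000
IDLE_FILL = 0xFF  # assumed idle-slot fill byte; real links send a configured idle code

# slots per frame and framing bits carried outside the slots (E1 frames inside time slot 0)
LINKS = {"T1": (24, 1), "E1": (32, 0)}


def line_rate(link):
    """Bits per second = (slots * 8 + framing bits) * 8,000 frames/s."""
    slots, framing_bits = LINKS[link]
    return (slots * 8 + framing_bits) * FRAMES_PER_SECOND


def multiplex(channels, link):
    """Interleave per-channel byte strings into frames: frame i carries byte i of every channel.
    `channels` maps slot number -> bytes; slots with no traffic still go out, carrying IDLE_FILL."""
    slots, _ = LINKS[link]
    if any(not 0 <= slot < slots for slot in channels):
        raise ValueError("slot number outside the frame")
    nframes = max((len(data) for data in channels.values()), default=0)
    frames = []
    for i in range(nframes):
        frame = bytearray(slots)
        for slot in range(slots):
            data = channels.get(slot, b"")
            frame[slot] = data[i] if i < len(data) else IDLE_FILL
        frames.append(bytes(frame))
    return frames


def demultiplex(frames, link):
    """Far end: column `slot` of the frame sequence is that channel's byte stream."""
    slots, _ = LINKS[link]
    return {slot: bytes(frame[slot] for frame in frames) for slot in range(slots)}


def slot_utilisation(channels, link):
    """Fraction of transmitted slots that carried traffic; the remainder is the wasted bandwidth."""
    slots, _ = LINKS[link]
    frames = multiplex(channels, link)
    if not frames:
        return 0.0
    busy = sum(len(data) for data in channels.values())
    return busy / (len(frames) * slots)


def transmit_time_us(nbytes_per_channel):
    """A channel sends one byte per frame, so a burst takes frames * 125 microseconds regardless of load."""
    return nbytes_per_channel * 1_000_000 // FRAMES_PER_SECOND
```

With only two of the 24 slots in use, the utilisation function makes the "wasted slot" point plain: the other 22 slots are transmitted every 125 microseconds whether or not anyone has data for them.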
Another WAN transmission method is Asynchronous Transfer Mode (ATM). ATM is a cell-based switching technology: every cell has a fixed size of 53 octets, 5 octets of header and 48 octets of payload. "Asynchronous" here means that a connection's cells are not tied to fixed time slots in a frame as they are on a T1; bandwidth in ATM is available on demand, which makes it even more efficient than slotted serial transmission because a cell does not have to wait for its assigned slot. One Ethernet frame is segmented into multiple consecutive cells. ATM also enables Quality of Service (QoS): cells can be assigned different levels of priority, and at any point of congestion, cells with higher priority get preference for the bandwidth. ATM is the most widely used WAN serial transmission method.
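As an added example (not part of the original article), the following Python builds and parses UNI cells with the layout just described: a 4-octet header of GFC, VPI, VCI, PT and CLP fields, the HEC octet, and 48 octets of payload. The HEC is the ITU-T I.432 CRC-8 (x^8 + x^2 + x + 1) of the header XORed with 0x55; the idle-cell header 00 00 00 01 yields 0x52, a convenient check. Segmenting a frame into consecutive cells marks the last cell in the PT field as AAL5 does, but the AAL5 trailer and its CRC-32 are omitted, so padding in the last cell is not stripped. Function names are the example's own.

```python
"""ATM cell construction and parsing: 5-octet UNI header, 48-octet payload, HEC check.
Added example; not from the original page."""

CELL_SIZE, PAYLOAD_SIZE = 53, 48


def crc8(data, poly=0x07):
    """CRC-8 with generator x^8 + x^2 + x + 1, no reflection, zero initial value."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def hec(header4):
    """Header Error Control per ITU-T I.432: CRC-8 of the first four octets XOR 0x55."""
    return crc8(header4) ^ 0x55


def build_cell(vpi, vci, payload=b"", pt=0, clp=0, gfc=0):
    """UNI header layout: GFC(4) VPI(8) VCI(16) PT(3) CLP(1), then HEC, then 48 octets of payload."""
    if not (0 <= gfc < 16 and 0 <= vpi < 256 and 0 <= vci < 65536 and 0 <= pt < 8 and clp in (0, 1)):
        raise ValueError("header field out of range")
    if len(payload) > PAYLOAD_SIZE:
        raise ValueError("payload exceeds 48 octets")
    word = (gfc << 28) | (vpi << 20) | (vci << 4) | (pt << 1) | clp
    head = word.to_bytes(4, "big")
    return head + bytes([hec(head)]) + payload.ljust(PAYLOAD_SIZE, b"\x00")


def parse_cell(cell):
    """Split a 53-octet cell into its fields and report whether the HEC matches the header."""
    if len(cell) != CELL_SIZE:
        raise ValueError("ATM cells are exactly 53 octets")
    head = cell[:4]
    word = int.from_bytes(head, "big")
    return {
        "gfc": word >> 28,
        "vpi": (word >> 20) & 0xFF,
        "vci": (word >> 4) & 0xFFFF,
        "pt": (word >> 1) & 0x7,
        "clp": word & 1,
        "hec_ok": cell[4] == hec(head),
        "payload": cell[5:],
    }


def segment(frame, vpi, vci):
    """Cut one frame into consecutive cells on a single VPI/VCI. The PT low bit marks the last
    cell, as AAL5 does; the AAL5 trailer and its CRC-32 are left out of this simplified example."""
    chunks = [frame[i:i + PAYLOAD_SIZE] for i in range(0, len(frame), PAYLOAD_SIZE)] or [b""]
    return [build_cell(vpi, vci, chunk, pt=1 if i == len(chunks) - 1 else 0)
            for i, chunk in enumerate(chunks)]


def reassemble(cells):
    """Concatenate payloads up to the end-of-frame cell, rejecting a corrupted header.
    Padding of the last cell is kept, since removing it needs the AAL5 length field."""
    out = bytearray()
    for cell in cells:
        fields = parse_cell(cell)
        if not fields["hec_ok"]:
            raise ValueError("HEC mismatch: header corrupted in transit")
        out += fields["payload"]
        if fields["pt"] & 1:
            break
    return bytes(out)
```

A 100-octet frame becomes three cells (48 + 48 + 4 octets of data), and any single-bit change in a header is caught by the HEC, which is what lets a switch drop or correct a misrouted cell before it is forwarded on the wrong VPI/VCI.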

WAN Transmission Media
The physical transmission media that carry the signals in WAN are divided into two kinds: narrowband and broadband. A narrowband transmission consists of a single channel carried by a single medium. A broadband transmission consists of multiple channels in different frequencies carried on a single medium. The most common narrowband transmission types are T1, E1, and J1. See Table 1 for the differences among the transmission types and where each is used. The time slots specify how much bandwidth (bit rate) the narrowband transmissions have.
Table 1: Narrowband transmission types
Narrowband is most commonly used by businesses as their WAN medium because of its low cost. If more bandwidth is needed than narrowband can provide, most businesses use multiple narrowband connections. The capability of broadband to carry multiple signals enables it to have a higher transmission speed. Table 2 displays the various broadband transmissions, which require more expensive and specialized transmitters and receivers.
Table 2: The different broadband transmission types and their bandwidth.

Digital Signal 2 (DS2), E2, E3, and DS3 describe digital transmission across copper or fiber cables. OC/STS resides almost exclusively on fiber-optic cables. The OC designator specifies an optical transmission, whereas the STS designator specifies the characteristics of the transmission (except the optical interface). There are two types of fiber-optic media:

Single-mode fiber—Has a core of 8.3 microns and a cladding of 125 microns. A single light path (mode) from a laser source carries the transmission. Single-mode can be used for distances up to 45 kilometers; it has no known speed limitation. Figure 2 shows an example of a single-mode fiber.

Figure 2: Single mode fiber.
Multimode fiber—Has a core of 62.5 microns and a cladding of 125 microns. Multiple light paths (modes) from a light-emitting diode (LED) carry the transmission. Multimode has a distance limit of two kilometers; it has a maximum data transfer rate of 155Mbps in WAN applications. (It has recently been approved for use for Gigabit Ethernet.) Figure 3 shows an example of a multimode fiber. The boundary between core and cladding acts as a mirror, reflecting the light waves down the fiber.

Figure 3: Multimode fiber.
Synchronous Transport Signal (STS)
Synchronous transport signal (STS) is the basic building block of the Synchronous Optical Network (SONET). It defines the framing structure of the signal. It consists of two parts: STS overhead and STS payload. In STS-1, the frame is 9 rows of 90 octets. Each row has 3 octets of overhead and 87 octets of payload, resulting in 810 octets, or 6,480 bits, per frame. A frame occurs every 125 microseconds, yielding 6,480 x 8,000 = 51.84Mbps.

STS−n is an interleaving of multiple (n) STS−1s. The size of the payload and the overhead are multiplied by n. Figure 4 displays an STS diagram.

Figure 4: The STS−1 framing and STS−n framing. The overhead and payload are proportionate to the n value, with the STS−1 frame as the base.
You may wonder why we're talking about synchronous transmission when we said it is only used over short distances. Where did the asynchronous transmission go? Well, the asynchronous traffic is encapsulated in the STS payload. The asynchronous serial transmission eliminates the need to synchronize the end transmitting equipment. In SONET, most WAN links are point-to-point connections using light as the signaling source. The time required for the signal to travel the link does not distort the synchronization. The OC-n signal itself is used for the synchronization between equipment. This combination of asynchronous and synchronous serial transmission enables signals to reach across long distances with minimal overhead.

Monday, August 6, 2007

Simple Network Management Protocol

Simple Network Management Protocol
Since its introduction in 1988, the Simple Network Management Protocol (SNMP) has become the most popular network management protocol for TCP/IP based networks. The IETF created SNMP to allow remote management of IP based devices using a standardized set of operations. It is now widely supported by servers, printers, hubs, switches, modems, UPS systems, and (of course) Cisco routers. The SNMP set of standards define much more than a communication protocol used for management traffic. The standards also define how management data should be accessed and stored, as well as the entire distributed framework of SNMP agents and servers. The IETF has officially recognized SNMP as a fully standard part of the IP protocol suite. The original SNMP definition is documented in RFC 1157. In 1993, SNMP Version 2 (SNMPv2) was created to address a number of functional deficiencies that were apparent in the original protocol. The added and improved features included better error handling, larger data counters (64-bit), improved efficiency (get-bulk transfers), confirmed event notifications (informs), and most notably, security enhancements. Unfortunately, SNMPv2 did not become widely accepted because the IETF was unable to come to a consensus on the SNMP security features.

So, a revised edition of SNMPv2 was released in 1996, which included all of the proposed enhancements except for the security facility. It is discussed in RFCs 1905, 1906, and 1907. The IETF refers to this new version as SNMPv2c and it uses the same insecure security model as SNMPv1. This model relies on passwords called community strings that are sent over the network as clear-text. SNMPv2c never enjoyed widespread success throughout the IP community. Consequently, most organizations continue to use SNMPv1 except when they need to access the occasional large counter variable. The IETF recently announced that SNMPv3 would be the new standard, with SNMPv1, SNMPv2, and SNMPv2c being considered purely historical.

The compromise that became SNMPv2c left the management protocol without satisfactory security features. So, in 1998, the IETF began working on SNMPv3, which is defined in RFCs 2571–2575. Essentially, SNMPv3 is a set of security enhancements to be used in conjunction with SNMPv2c. This means that SNMPv3 is not a standalone management protocol and does not replace SNMPv2c or SNMPv1. SNMPv3 provides a secure method for accessing devices using authentication, message integrity, and encryption of SNMP packets throughout the network. We have included a recipe describing how to use the SNMPv3 security enhancements.

SNMP Management Model
SNMP defines two main types of entities, managers and agents. A manager is a server that runs network management software that is responsible for a particular network. These servers are commonly referred to as Network Management Stations (NMS). There are several excellent commercial NMS platforms on the market. Throughout this book we will refer to the freely distributed NET-SNMP system as a reference NMS.
An agent is an embedded piece of software that resides on a remote device that you wish to manage. In fact, almost every IP-capable device provides some sort of built-in SNMP agent. The agent has two main functions. First, the agent must listen for incoming SNMP requests from the NMS and respond appropriately. And second, the agent must monitor internal events and create SNMP traps to alert the NMS that something has happened. This chapter will focus mainly on how to configure the router's agent.

The NMS is usually configured to poll all of the key devices in the network periodically using SNMP Get requests. These are UDP packets sent to the agent on the well-known SNMP port 161. The SNMP Get request prompts the remote device to respond with one or more pieces of relevant operating information. However, because there could be hundreds or thousands of remote devices, it is often not practical to poll a particular remote device more often than once every few minutes (and in many networks you are lucky if you can poll each device more than a few times per hour). On a schedule like this, a remote device may suffer a serious problem that goes undetected: it can crash and reboot between polls from the NMS. On the next poll, the NMS will see everything operating normally and never know that it completely missed a catastrophe.
Therefore, an SNMP agent also has the ability to send information using an SNMP trap without having to wait for a poll. A trap is an unsolicited piece of information, usually representing a problem situation (although some traps are more informational in nature). Traps are UDP packets sent from the agent to the NMS on the other well-known SNMP port number, 162. There are many different types of traps that an agent can send, depending on what type of equipment it manages. Some traps represent non-critical issues. It is often up to the network administrator to decide which types of traps will be useful. The NMS does not acknowledge traps, and since traps are often sent to report network problems, it is not uncommon for trap reports to get lost and never make it to the NMS. In many cases, this is acceptable because the trap represents a transient transmission problem that the NMS will discover by other means if this trap is not delivered. However, critical information can sometimes be lost when a trap is not delivered.
To address this shortcoming, SNMPv2c and SNMPv3 include another type of packet called an SNMP inform. This is nearly identical to a standard trap, except that the SNMP agent will wait for an acknowledgement. If the agent does not receive an acknowledgement within a certain amount of time, it will attempt to retransmit the inform.
SNMP informs are not common today because SNMPv2c was never widely adopted. However, SNMPv3 also includes informs. Since SNMPv3 promises to become the mainstream SNMP protocol, it seems inevitable that enhancements such as SNMP informs will start to be more common.

MIBs and OIDs
SNMP uses a special tree structure called a Management Information Base (MIB) to organize the management data. People will often talk about different MIBs, such as the T1 MIB, or an ATM MIB. In fact, these are all just branches or extensions of the same global MIB tree structure. However, the relative independence of these different branches makes it convenient to talk about them this way. A particular SNMP agent will care only about those few MIB branches that are relevant to the particular remote device this agent runs on. If the device doesn’t have any T1 interfaces, then the agent doesn’t need to know anything about the T1 branch of the global MIB tree. Similarly, the NMS for a network containing no ATM doesn’t need to be able to resolve any of the variables in the ATM branches of the MIB tree.
The MIB tree structure is defined by a long sequence of numbers separated by dots, such as 1.3.6.1.2.1.1.4.0. This number is called an Object Identifier (OID). Since we will be working with OID strings throughout this chapter, it is worthwhile to briefly review how they work and what they mean. The OID is a numerical representation of the MIB tree structure. Each number represents a node in this tree; the trunk of the tree is on the left and the leaves are on the right. In the example string, the first number, .1, signifies that this variable is part of the MIB administered by the International Organization for Standardization (ISO). There are other nodes at this top level of the tree: the International Telegraph and Telephone Consultative Committee (CCITT) administers the .0 subtree, and ISO and CCITT jointly administer .2. The first node under the ISO tree in this example is .3, which ISO has allocated for all other organizations. The U.S. Department of Defense (DOD) is designated by branch number .6. The DOD, in turn, has allocated branch number .1 to the Internet Activities Board (IAB). So, just about every SNMP MIB variable you will ever see begins with 1.3.6.1.

There are four commonly used subbranches under the IAB (also called simply "Internet") node: directory (1), mgmt (2), experimental (3) and private (4). The directory node is seldom used in practice. The mgmt node is used for all IETF-standard MIB extensions, which are documented in RFCs. This would include, for example, the T1 and ATM MIBs mentioned earlier. However, it would not include any vendor-specific variables such as the CPU utilization on a Cisco router. SNMP protocol and application developers use the experimental subtree to hold data that is not yet standard. This allows you to use experimental MIBs in a production network without fear of causing conflicts. Finally, the private subtree contains vendor-specific MIB variables.
Before returning to the example, we want to take a brief detour down the private tree, because many of the examples in this book include Cisco-specific MIB variables.
A good example of a Cisco MIB variable is the one that reports the amount of free memory in a Cisco router. There is only one subtree under the private node, enterprises (1), so it sits at 1.3.6.1.4.1. Of the hundreds of registered owners of private MIB trees, Cisco is number 9, so all Cisco-specific MIB extensions begin with 1.3.6.1.4.1.9.
Referring again to the previous example string (1.3.6.1.2.1.1.4.0), you can see this represents a variable in the mgmt subtree, 1.3.6.1.2. The next number is .1 here, which represents an SNMP MIB variable. The following number, .1, refers to a specific group of variables, which, in the case of mgmt variables, would be defined by an RFC. In this particular case, the value .1 refers to the system MIB, which is detailed in RFC 1450.
From this level down, a special naming convention is adopted to help you remember which MIB you are looking at. The names of every variable under the system node begin with "sys". They are sysDescr (1), sysObjectID (2), sysUpTime (3), sysContact (4), sysName (5), sysLocation (6), sysServices (7), sysORLastChange (8), and sysORTable (9). You can find detailed descriptions of what all of these mean in RFC 1450.
In fact, reading through MIB descriptions is not only an excellent way to understand the hierarchical structure of the MIB, but it’s also extremely useful when you are trying to decide what information you can and should be extracting from your equipment.
In the example string, 1.3.6.1.2.1.1.4.0, the value is .4, for sysContact. The final .0 tells the agent to return the contents of this node (a scalar object), rather than treating it as the root of further subtrees. So the OID string uniquely identifies a single piece of information. In this case, that information is the contact information for the device.
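The following Python, added here and not taken from the book, encodes the OID walk above into the BER bytes an SNMPv1 GetRequest actually carries to UDP port 161, then decodes the message the way a packet sniffer would. It shows two things the text states: how 1.3.6.1.2.1.1.4.0 becomes the bytes 2b 06 01 02 01 01 04 00 (the first two arcs are packed into one byte as 40 x 1 + 3), and that the version, community string and requested OID are all readable in clear text on the wire. Function names and the request-id are the example's own; the community string "public" is a constructed value.

```python
"""Hand-rolled BER encoding of an SNMPv1 GetRequest for sysContact.0 (1.3.6.1.2.1.1.4.0), and a
decoder showing what a packet capture reveals. Added example; not from the original page."""


def ber_length(n):
    """Short form below 128; long form (0x80 | byte count, then the count) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_length(len(body)) + body


def ber_integer(value):
    """INTEGER (tag 0x02): minimal two's-complement, big-endian."""
    nbytes = 1
    while not -(1 << (8 * nbytes - 1)) <= value < (1 << (8 * nbytes - 1)):
        nbytes += 1
    return tlv(0x02, value.to_bytes(nbytes, "big", signed=True))


def encode_oid(oid):
    """OBJECT IDENTIFIER (tag 0x06): first two arcs packed as 40*a+b, the rest base-128 with the
    high bit set on every byte of an arc except its last."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body):
    first_arc = min(body[0] // 40, 2)
    arcs = [first_arc, body[0] - 40 * first_arc]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def get_request(community, oid, request_id=1):
    """Message ::= SEQUENCE { version INTEGER (0 = v1), community OCTET STRING, GetRequest-PDU [0] }"""
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x05, b""))  # { name, value NULL }
    pdu = tlv(0xA0, ber_integer(request_id) + ber_integer(0) + ber_integer(0)  # error-status, error-index
              + tlv(0x30, varbind))                                              # VarBindList
    return tlv(0x30, ber_integer(0) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def sniff(message):
    """What anyone on the path sees in a v1/v2c packet: version, community string and the OID,
    none of it encrypted. Only the first varbind is decoded."""
    _, body, _ = read_tlv(message)
    _, version, pos = read_tlv(body)
    _, community, pos = read_tlv(body, pos)
    pdu_tag, pdu, _ = read_tlv(body, pos)
    _, request_id, pos = read_tlv(pdu)
    _, _, pos = read_tlv(pdu, pos)   # error-status
    _, _, pos = read_tlv(pdu, pos)   # error-index
    _, varbinds, _ = read_tlv(pdu, pos)
    _, varbind, _ = read_tlv(varbinds)
    _, oid_body, _ = read_tlv(varbind)
    return {
        "version": int.from_bytes(version, "big", signed=True),
        "community": community.decode(),
        "pdu_tag": pdu_tag,
        "request_id": int.from_bytes(request_id, "big", signed=True),
        "oid": decode_oid(oid_body),
    }
```

The bytes 70 75 62 6c 69 63 ("public") sit in the message unprotected, which is the whole of the SNMPv1/v2c security model the text describes; sending such a request to a device would need only a UDP socket to port 161 and the community string the device is configured with.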

How to Choose the Best Router Switching Path for Your Network (Part II)

Cisco Express Forwarding
Cisco Express Forwarding also uses a 256-way data structure to store forwarding and MAC header rewrite information, but it does not use a tree. Cisco Express Forwarding uses a trie, which means the actual information being searched for is not in the data structure; instead, the data is stored in a separate data structure, and the trie simply points to it. In other words, rather than storing the outbound interface and MAC header rewrite within the tree itself, Cisco Express Forwarding stores this information in a separate data structure called the adjacency table.

This separation of the reachability information (in the Cisco Express Forwarding table) and the forwarding information (in the adjacency table), provides a number of benefits:
· The adjacency table can be built separately from the Cisco Express Forwarding table, allowing both to build without process switching any packets.
· The MAC header rewrite used to forward a packet isn't stored in cache entries, so changes in a MAC header rewrite string do not require invalidation of cache entries.
· Recursive routes can be resolved by pointing to the recursed next hop, rather than directly to the forwarding information.
Essentially, all cache aging is eliminated, and the cache is pre−built based on the information contained in the routing table and ARP cache. There is no need to process switch any packet to build a cache entry.

Other Entries in the Adjacency Table
The adjacency table can contain entries other than MAC header rewrite strings and outbound interface information. Some of the various types of entries that can be placed in the adjacency table include:
· cache A MAC header rewrite string and outbound interface used to reach a particular adjacent host or router.
· receive Packets destined to this IP address should be received by the router. This includes broadcast addresses and addresses configured on the router itself.
· drop Packets destined to this IP address should be dropped. This could be used for traffic denied by an access list, or routed to a NULL interface.
· punt Cisco Express Forwarding cannot switch this packet; pass it to the next best switching method (generally fast switching) for processing.
· glean The next hop is directly attached, but there are no MAC header rewrite strings currently

Glean Adjacencies
A glean adjacency entry indicates that a particular next hop should be directly connected, but there is no MAC header rewrite information available. How do these get built and used? A router running Cisco Express Forwarding and attached to a broadcast network, as shown in the figure below, builds a number of adjacency table entries by default.

The four adjacency table entries built by default are:
, version 17, attached, connected
0 packets, 0 bytes
  via Ethernet2/0, 0 dependencies
    valid glean adjacency
, version 4, receive
, version 3, receive
, version 5, receive

Note there are four entries: three receives, and one glean. Each receive entry represents a broadcast address or an address configured on the router, while the glean entry represents the remainder of the address space on the attached network. If a packet is received for a host on that network, the router attempts to switch it, and finds it resolved to this glean adjacency. Cisco Express Forwarding then signals that an ARP cache entry is needed for that host, the ARP process sends an ARP packet, and the appropriate adjacency table entry is built from the new ARP cache information. After this step is complete, the adjacency table has an entry for that host:
, version 17, attached, connected
0 packets, 0 bytes
  via Ethernet2/0, 0 dependencies
    valid glean adjacency
, version 4, receive
, version 3, receive
, version 12, cached adjacency
0 packets, 0 bytes
  via , Ethernet2/0, 1 dependency
    next hop , Ethernet2/0
    valid cached adjacency
, version 5, receive

The next packet the router receives destined for that host is switched through this new adjacency.
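Here is an added Python model (not Cisco's code) of the split described in this section: a FIB keyed by prefix that holds receive, glean and drop entries or points at a next hop, and an adjacency table keyed by next hop that holds the MAC rewrite. It walks the sequence just shown: adding a connected network installs three receive entries and one glean entry, the first packet to an unknown host hits the glean entry and signals ARP, and the ARP reply builds a cached adjacency without touching the FIB. A later ARP change swaps the rewrite for every route that points at that next hop, which is the "no cache invalidation" benefit from the list above. Addresses, interface names and MACs are constructed; longest-prefix match is a sorted scan rather than the 256-way trie.

```python
"""A CEF-style split between a FIB (reachability: prefix -> adjacency pointer) and an adjacency
table (forwarding: MAC rewrite per next hop), with receive, glean, drop and cached entries and
the glean -> ARP -> cached sequence. Added example; not from the original page."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Adjacency:
    kind: str                          # "receive", "glean", "drop", "cached"
    interface: Optional[str] = None
    next_hop: Optional[str] = None
    rewrite: Optional[tuple] = None    # (destination MAC, source MAC) prepended on forwarding


class CefRouter:
    def __init__(self):
        self.fib = {}           # ip_network -> Adjacency, or a next-hop string for recursive routes
        self.adjacency = {}     # next-hop address -> cached Adjacency (built from ARP, not from packets)
        self.if_mac = {}        # interface -> its own MAC, the source address of every rewrite
        self.arp_requests = []  # addresses CEF has asked the ARP process to resolve

    def add_connected(self, prefix, interface, own_ip, own_mac):
        net = ip_network(prefix, strict=False)
        self.if_mac[interface] = own_mac
        self.fib[net] = Adjacency("glean", interface)                # the rest of the subnet gleans
        for addr in (net.network_address, net.broadcast_address, ip_address(own_ip)):
            self.fib[ip_network(str(addr))] = Adjacency("receive")  # three receive entries

    def add_route(self, prefix, next_hop):
        """Recursive route: the FIB points at the next hop, not at a copy of its rewrite."""
        self.fib[ip_network(prefix)] = next_hop

    def add_drop(self, prefix):
        self.fib[ip_network(prefix)] = Adjacency("drop")             # e.g. a route to Null0

    def lookup(self, dst):
        """Longest-prefix match (a trie in real CEF; a sorted scan is enough here)."""
        addr = ip_address(dst)
        for net in sorted(self.fib, key=lambda n: n.prefixlen, reverse=True):
            if addr in net:
                return self.fib[net]
        return None

    def arp_learn(self, host, mac):
        """ARP reply processed: build or refresh the cached adjacency. No FIB entry changes."""
        entry = self.lookup(host)
        if not isinstance(entry, Adjacency) or entry.kind != "glean":
            raise ValueError(f"{host} is not on a connected network")
        self.adjacency[host] = Adjacency("cached", entry.interface, host,
                                         (mac, self.if_mac[entry.interface]))

    def switch(self, dst):
        entry = self.lookup(dst)
        if entry is None:
            return ("drop", "no route")
        if isinstance(entry, str):                                   # resolve through the next hop
            next_hop = entry
            entry = self.adjacency.get(next_hop) or self.lookup(next_hop)
            if entry is None or isinstance(entry, str):
                return ("punt", dst)                                 # deeper recursion left to the slow path
        else:
            next_hop = dst
        if entry.kind in ("receive", "drop"):
            return (entry.kind, dst)
        if entry.kind == "glean":
            cached = self.adjacency.get(next_hop)
            if cached is None:
                self.arp_requests.append(next_hop)                   # signal ARP; this packet is not CEF-switched
                return ("glean", next_hop)
            entry = cached
        return ("forward", entry.interface, entry.rewrite)
```

The unresolved-next-hop case returns "punt", standing in for the punt adjacency in the list above; a real router would hand that packet to the next best switching path rather than drop it.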

Load Sharing
Cisco Express Forwarding also takes advantage of the separation between the Cisco Express Forwarding table and the adjacency table to provide a better form of load sharing than any other interrupt context switching mode. A loadshare table is inserted between the Cisco Express Forwarding table and the adjacency table, as illustrated in the figure below.

The Cisco Express Forwarding table points to this loadshare table, which contains pointers to the various adjacency table entries for available parallel paths. The source and destination addresses are passed through a hash algorithm to determine which loadshare table entry to use for each packet. Per packet load sharing can be configured, in which case each packet uses a different loadshare table entry.

Each loadshare table has 16 entries among which the paths available are divided based on the traffic share counter in the routing table. If the traffic share counters in the routing table are all 1 (as in the case of multiple equal cost paths), each possible next hop receives an equal number of pointers from the loadshare table. If the number of available paths is not evenly divisible into 16 (since there are 16 loadshare table entries), some paths will have more entries than others.
Beginning in IOS 12.0, the number of entries in the loadshare table is reduced to make certain each path has a proportionate number of loadshare table entries. For instance, if there are three equal cost paths in the routing table, only 15 loadshare table entries are used.
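An added Python example (not IOS code) of the loadshare table just described: entries are allocated from the traffic share counters, either filling all 16 slots or, as the text says IOS 12.0 does, shrinking the table so every path keeps its proportion (15 entries for three equal paths). Per-destination selection hashes source and destination so one conversation stays on one path; the hash function IOS uses is not public, so SHA-256 stands in for it here. Next-hop names and addresses are constructed.

```python
"""Build a CEF loadshare table from the routing table's traffic-share counters and pick a path
per destination pair or per packet. Added example; not from the original page."""
import hashlib
from ipaddress import ip_address

LOADSHARE_SLOTS = 16


def build_loadshare(paths, shrink_to_fit=True, slots=LOADSHARE_SLOTS):
    """paths: {next_hop: traffic share counter}. With shrink_to_fit=False all 16 entries are used
    and the remainder goes to the first paths, so three equal paths get 6/5/5. With
    shrink_to_fit=True (the IOS 12.0 behaviour the text describes) only the largest multiple of the
    share total is used, so three equal paths get 5/5/5 in 15 entries."""
    total = sum(paths.values())
    if total <= 0 or total > slots:
        raise ValueError("share total must be between 1 and the table size")
    used = slots - slots % total if shrink_to_fit else slots
    quota = {nh: used * share // total for nh, share in paths.items()}
    for nh in paths:                                   # hand out any remainder one entry at a time
        if sum(quota.values()) == used:
            break
        quota[nh] += 1
    table = []
    while len(table) < used:                           # interleave so adjacent entries alternate paths
        for nh in paths:
            if quota[nh]:
                table.append(nh)
                quota[nh] -= 1
    return table


def entries_per_path(table):
    counts = {}
    for nh in table:
        counts[nh] = counts.get(nh, 0) + 1
    return counts


def select_per_destination(table, src, dst):
    """Default CEF mode: hash source and destination so one conversation always takes one path.
    IOS's hash is not public; SHA-256 stands in for it here (an assumption of the example)."""
    digest = hashlib.sha256(ip_address(src).packed + ip_address(dst).packed).digest()
    return table[digest[0] % len(table)]


def select_per_packet(table, packet_number):
    """Per-packet mode: walk the table round-robin, so one flow is sprayed across all paths."""
    return table[packet_number % len(table)]
```

Per-packet mode spreads load most evenly but reorders packets within a flow, which is why per-destination hashing is the default: a TCP session whose segments arrive out of order will retransmit and slow down even though the links are idle.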

Which Switching Path Is Best?
Whenever possible, you want your routers to be switching in the interrupt context because it is at least an order of magnitude faster than process level switching. Cisco Express Forwarding switching is definitely faster and better than any other switching mode. We recommend you use Cisco Express Forwarding if the protocol and IOS you are running support it. This is particularly true if you have a number of parallel links across which traffic should be load shared.

How to Choose the Best Router Switching Path for Your Network (Part I)

There are a plethora of switching paths available to various Cisco routers and Cisco IOS releases. Which is the best one for your network, and how do they all work? This white paper is an attempt to explain each of the following switching paths so you can make the best decision about which switching path fits your network.
First, examine the forwarding process itself. There are three steps to forwarding a packet through a router:
1. Determine if the packet's destination is reachable.
2. Determine the next hop toward the destination, and the interface through which that next hop is reachable.
3. Rewrite the Media Access Control (MAC) header on the packet so it will successfully reach its next hop.
Each of these steps is critical for the packet to reach its destination.

Note: Throughout this document, we use the IP switching path as an example; virtually all the information provided here is applicable to equivalent switching paths for other protocols, if they exist.

Process Switching
Process switching is the lowest common denominator in switching paths; it is available on every version of IOS, on every platform, and for every type of traffic being switched. Process switching is defined by two essential concepts:
· The forwarding decision and information used to rewrite the MAC header on the packet are taken from the routing table (from the routing information base, or RIB) and the Address Resolution Protocol (ARP) cache, or from some other table that contains the MAC header information mapped to the IP address of each host that is directly connected to the router.
· The packet is switched by a normal process running within IOS. In other words, the forwarding decision is made by a process scheduled through the IOS scheduler and running as a peer to other processes on the router, such as routing protocols. Processes that normally run on the router aren't interrupted to process switch a packet.
The figure below illustrates the process switching path.

Examine this diagram in more detail:
1. The interface processor first detects there is a packet on the network media, and transfers this packet to the input/output memory on the router.
2. The interface processor generates a receive interrupt. During this interrupt, the central processor determines what type of packet this is (assume it is an IP packet), and copies it into processor memory if necessary (this decision is platform dependent). Finally, the processor places the packet on the appropriate process' input queue and the interrupt is released.
3. The next time the scheduler runs, it notes the packet in the input queue of ip_input, and schedules this process to run.
4. When ip_input runs, it consults the RIB to determine the next hop and the output interface, then consults the ARP cache to determine the correct physical layer address for this next hop.
5. ip_input then rewrites the packet's MAC header, and places the packet on the output queue of the correct outbound interface.
6. The packet is copied from the output queue of the outbound interface to the transmit queue of the outbound interface; any outbound quality of service takes place between these two queues.
7. The output interface processor detects the packet on its transmit queue, and transfers the packet onto the network media.
Almost all features that affect packet switching, such as Network Address Translation (NAT) and Policy Routing, make their debut in the process switching path. Once they have been proven and optimized, these features may, or may not, appear in interrupt context switching.

Interrupt Context Switching
Interrupt context switching is the second of the primary switching methods used by Cisco routers. The primary differences between interrupt context switching and process switching are:
· The process currently running on the processor is interrupted to switch the packet. Packets are switched on demand, rather than switched only when the ip_input process can be scheduled.
· The processor uses some form of route cache to find all the information needed to switch the packet.
The following figure illustrates interrupt context switching.

Examine this diagram in more detail:
1. The interface processor first detects there is a packet on the network media, and transfers this packet to the input/output memory on the router.
2. The interface processor generates a receive interrupt. During this interrupt, the central processor determines what type of packet this is (assume it is an IP packet), and then begins to switch the packet.
3. The processor searches the route cache to determine if the packet's destination is reachable, what the output interface should be, what the next hop towards this destination is, and finally, what MAC header the packet should have to successfully reach the next hop. The processor uses this information to rewrite the packet's MAC header.
4. The packet is now copied to either the transmit or output queue of the outbound interface (depending on various factors). The receive interrupt now returns, and the process that was running on the processor before the interrupt occurred continues running.
5. The output interface processor detects the packet on its transmit queue, and transfers the packet onto the network media.
The first question that comes to mind after reading this description is "What is in the cache?" There are three possible answers, depending on the type of interrupt context switching:
· Fast Switching
· Optimum Switching
· Cisco Express Forwarding
We will look at each of these route cache types (or switching paths) one at a time.

Fast Switching
Fast switching stores the forwarding information and MAC header rewrite string using a binary tree for quick lookup and reference. The following figure illustrates a binary tree.

In Fast Switching, the reachability information is indicated by the existence of a node on the binary tree for the destination of the packet. The MAC header and outbound interface for each destination are stored as part of the node's information within the tree. The binary tree can actually have 32 levels; the tree above is extremely abbreviated for the purpose of illustration.
To search a binary tree, you simply start from the left (with the most significant digit) in the (binary) number you are looking for, and branch right or left in the tree based on that digit. For instance, if you're looking for the information related to the number 4 in this tree, you would begin by branching right, because the first binary digit is 1. You would follow the tree down, comparing the next digit in the (binary) number, until you reach the end.

Characteristics of Fast Switching
Fast switching has several characteristics that result from the binary tree structure and from storing the MAC header rewrite information as part of the tree nodes.
· Since there is no correlation between the routing table and the fast cache contents (the MAC header rewrite, for example), building a cache entry involves all the processing that must be done in the process switching path. Therefore, fast cache entries are built as packets are process switched: the first packet to a destination takes the slow path, and later packets to it hit the cache.
· Since there is no correlation between the MAC headers (used for rewrites) in the ARP cache and the structure of the fast cache, when the ARP table changes, some portion of the fast cache must be invalidated (and recreated through the process switching of packets).
· The fast cache can only build entries at one depth (one prefix length) for any particular destination within the routing table.
· There is no way to point from one entry to another within the fast cache (the MAC header and outbound interface information are expected to be within the node), so all routing recursions must be resolved while a fast cache entry is being built. In other words, recursive routes cannot be resolved within the fast cache itself.

Aging Fast Switching Entries
To keep the fast switching entries from losing their synchronization with the routing table and ARP cache, and to keep unused entries in the fast cache from unduly consuming memory on the router, 1/20th of the fast cache is invalidated, randomly, every minute. If the router's free memory drops below a very low watermark, 1/5th of the fast cache entries are invalidated every minute.
Fast Switching Prefix Length
What prefix length does fast switching build entries for, if it can only build to one prefix length for every destination? In the terms of fast switching, a destination is a single reachable destination within the routing table, or a major network. The rules for deciding what prefix length to build a given cache entry to are:
· If building a fast policy entry, always cache to /32.
· If building an entry against a Multiprotocol over ATM virtual circuit (MPOA VC), always cache to /32.
· If the network is not subnetted (it is a major network entry):
    · If it is directly connected, use /32;
    · Otherwise use the major net mask.
· If it is a supernet, use the supernet's mask.
· If the network is subnetted:
    · If it is directly connected, use /32;
    · If there are multiple paths to this subnet, use /32;
    · In all other cases, use the longest prefix length in this major net.
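The rules above are easy to misread, so here is the decision procedure as a small Python function. This is an example added for this page, not Cisco code, and it models nothing about IOS beyond the rules as stated. The `Route` class with its `connected` and `paths` fields and the routing table below are assumptions made for the illustration; the major network is found from the standard class A/B/C boundaries.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    """One routing-table entry (assumed shape for this example). 'connected' marks a directly
    connected network; 'paths' is how many equal-cost next hops the route has."""
    network: ipaddress.IPv4Network
    connected: bool = False
    paths: int = 1


def classful_prefixlen(addr):
    """Major-network (classful) mask length for a class A, B or C address."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError("class D/E addresses have no major network")


def fast_cache_prefixlen(dest, routes, policy=False, mpoa_vc=False):
    """Prefix length a fast-cache entry for 'dest' is built to, or None when no route
    covers the destination (an unreachable destination gets no cache entry)."""
    dest = ipaddress.IPv4Address(dest)
    if policy or mpoa_vc:            # fast policy entries and MPOA VC entries: always /32
        return 32

    covering = [r for r in routes if dest in r.network]
    if not covering:
        return None
    best = max(covering, key=lambda r: r.network.prefixlen)   # longest match in the routing table

    classful = classful_prefixlen(dest)
    if best.network.prefixlen < classful:                       # supernet: cache to its mask
        return best.network.prefixlen

    major = ipaddress.IPv4Network((int(dest), classful), strict=False)
    subnets = [r for r in routes
               if r.network.prefixlen > classful and r.network.subnet_of(major)]
    if not subnets:                                             # major network entry, not subnetted
        return 32 if best.connected else classful

    if best.connected or best.paths > 1:                        # subnetted: connected or multipath
        return 32
    return max(r.network.prefixlen for r in subnets)           # longest prefix in this major net


# Constructed routing table for the demonstration (not taken from any real router).
ROUTES = [
    Route(ipaddress.IPv4Network("10.0.0.0/8")),                     # class A major net, not subnetted
    Route(ipaddress.IPv4Network("172.16.0.0/16"), connected=True),  # class B major net, connected
    Route(ipaddress.IPv4Network("192.168.0.0/22")),                 # supernet of four class C nets
    Route(ipaddress.IPv4Network("11.1.0.0/16")),                    # 11.0.0.0/8 is subnetted...
    Route(ipaddress.IPv4Network("11.2.0.0/24"), paths=2),           # ...with two equal-cost paths here
    Route(ipaddress.IPv4Network("11.3.0.0/16"), connected=True),    # ...and a connected subnet here
]

if __name__ == "__main__":
    for ip in ("10.1.2.3", "172.16.5.5", "192.168.2.9", "11.1.9.9", "11.2.0.7", "11.3.1.1", "9.9.9.9"):
        plen = fast_cache_prefixlen(ip, ROUTES)
        label = "no entry" if plen is None else f"/{plen}"
        print(f"{ip:12} -> {label}")
```

Note the case of 11.1.9.9: the matching route is a /16, but because a /24 exists elsewhere in the same major network the cache entry is built to /24, so one routing-table entry can fan out into many cache entries.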

Load Sharing
Fast switching is entirely destination based; load sharing occurs on a per-destination basis. If there are multiple equal-cost paths for a particular destination network, the fast cache has one entry for each host reachable within that network, but all traffic destined to a particular host follows one link.

Optimum Switching
Optimum switching stores the forwarding information and the MAC header rewrite information in a 256-way multiway tree (256-way mtree). Using an mtree reduces the number of steps that must be taken when looking up a prefix, as illustrated in the next figure.

Each octet is used to determine which of the 256 branches to take at each level of the tree, which means there are, at most, 4 lookups involved in finding any destination. For shorter prefix lengths, only one to three lookups may be required. The MAC header rewrite and output interface information are stored as part of the tree node, so cache invalidation and aging still occur as in fast switching. Optimum switching also determines the prefix length for each cache entry in the same way as fast switching.
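To make the two cache structures concrete, the following Python is an added example (not code from the page or from Cisco IOS) that builds the same three destinations into a 32-level binary tree and a 256-way mtree, counts the steps each lookup takes, keeps the outbound interface and MAC rewrite inside the node as the text describes, and shows why an ARP change forces a walk of the whole cache and how random aging works. The `CacheEntry` fields, interface names, MAC addresses and prefixes are constructed for the illustration, and the mtree is simplified to octet-aligned prefixes.

```python
import ipaddress
import random
from dataclasses import dataclass


@dataclass
class CacheEntry:
    """What a cache hit must supply: the outbound interface and the MAC rewrite."""
    out_iface: str
    next_hop_mac: str   # destination MAC for the rewrite, copied from ARP when the entry is built


def _bits(addr):
    return [(addr >> (31 - i)) & 1 for i in range(32)]   # most significant bit first


class BinaryTreeCache:
    """Fast-switching style: one bit per level, so a /24 entry sits 24 levels deep."""
    def __init__(self):
        self.root = {}

    def insert(self, prefix, entry):
        net = ipaddress.IPv4Network(prefix)
        node = self.root
        for bit in _bits(int(net.network_address))[: net.prefixlen]:
            node = node.setdefault(bit, {})
        node["entry"] = entry

    def lookup(self, ip):
        """Return (entry or None, number of tree steps taken)."""
        node, best, steps = self.root, None, 0
        for bit in _bits(int(ipaddress.IPv4Address(ip))):
            if bit not in node:
                break
            node, steps = node[bit], steps + 1
            best = node.get("entry", best)
        return best, steps


class MtreeCache:
    """Optimum-switching style: one octet per level, so at most 4 steps (octet-aligned prefixes only)."""
    def __init__(self):
        self.root = {}

    def insert(self, prefix, entry):
        net = ipaddress.IPv4Network(prefix)
        if net.prefixlen % 8:
            raise ValueError("simplified mtree: prefix length must be a multiple of 8")
        node = self.root
        for octet in net.network_address.packed[: net.prefixlen // 8]:
            node = node.setdefault(octet, {})
        node["entry"] = entry

    def lookup(self, ip):
        node, best, steps = self.root, None, 0
        for octet in ipaddress.IPv4Address(ip).packed:
            if octet not in node:
                break
            node, steps = node[octet], steps + 1
            best = node.get("entry", best)
        return best, steps


def _entry_nodes(node):
    """Depth-first walk yielding every node that holds a cache entry."""
    if "entry" in node:
        yield node
    for key, child in node.items():
        if key != "entry":
            yield from _entry_nodes(child)


def entry_count(cache):
    return sum(1 for _ in _entry_nodes(cache.root))


def invalidate_for_arp_change(cache, old_mac):
    """Nothing indexes the cache by next hop, so a changed ARP entry means walking the whole tree
    for stale rewrites; the next packet to each dropped destination is process switched and rebuilds it."""
    victims = [n for n in list(_entry_nodes(cache.root)) if n["entry"].next_hop_mac == old_mac]
    for node in victims:
        del node["entry"]
    return len(victims)


def age(cache, one_in=20, seed=None):
    """Randomly invalidate one entry in 'one_in' (IOS: 1/20 per minute, 1/5 when memory is low)."""
    nodes = list(_entry_nodes(cache.root))
    victims = random.Random(seed).sample(nodes, len(nodes) // one_in)
    for node in victims:
        del node["entry"]
    return len(victims)


def build_caches():
    """Populate both tree types with the same constructed entries (not a real router's table)."""
    entries = {
        "10.0.0.0/8": CacheEntry("Ethernet0", "00:00:0c:aa:aa:aa"),
        "172.16.0.0/16": CacheEntry("Ethernet1", "00:00:0c:bb:bb:bb"),
        "192.168.5.0/24": CacheEntry("Ethernet2", "00:00:0c:cc:cc:cc"),
    }
    binary, mtree = BinaryTreeCache(), MtreeCache()
    for prefix, entry in entries.items():
        binary.insert(prefix, entry)
        mtree.insert(prefix, entry)
    return binary, mtree


if __name__ == "__main__":
    binary, mtree = build_caches()
    for ip in ("10.20.30.40", "172.16.9.9", "192.168.5.7", "8.8.8.8"):
        (hit, b_steps), (_, m_steps) = binary.lookup(ip), mtree.lookup(ip)
        where = hit.out_iface if hit else "miss: process switch and build an entry"
        print(f"{ip:14} binary tree {b_steps:2} steps, mtree {m_steps} step(s) -> {where}")
```

A miss on either tree is what sends a packet down the process-switching path described in steps 1 to 5 above; the resulting entry is what later packets hit in the receive interrupt.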

Monday, July 16, 2007

Network Switching (Part VI)

The Rule of the Network Road

Network administrators and designers have traditionally strived to design networks using the 80/20 rule. Using this rule, a network designer would try to design a network in which 80 percent of the traffic stayed on local segments and 20 percent of the traffic went on the network backbone. This was an effective design during the early days of networking, when the majority of LANs were departmental and most traffic was destined for data that resided on the local servers. However, it is not a good design in today's environment, where the majority of traffic is destined for enterprise servers or the Internet. A switch's ability to create multiple data paths and provide swift, low-latency connections allows network administrators to permit up to 80 percent of the traffic on the backbone without causing a massive overload of the network. This ability allows for the introduction of many bandwidth-intensive uses, such as network video, video conferencing, and voice communications.
Multimedia and video applications can demand as much as 1.5Mbps or more of continuous bandwidth. In a typical environment, users can rarely obtain this bandwidth if they share an average 10Mbps network with dozens of other people. The video will also look jerky if the data rate is not sustained. In order to support this application, a means of providing greater throughput is needed. The ability of switches to provide dedicated bandwidth at wire speed meets this need.

Switched Ethernet Innovations

Around 1990, many vendors offered popular devices known as intelligent multiport bridges; the first known usage of the term switch was the Etherswitch, which Kalpana brought to the market in 1990. At the time, these devices were used mainly to connect multiple segments; they usually did very little to improve performance other than the inherent benefits bridges provide, such as filtering and broadcast suppression. Kalpana changed that by positioning its devices as performance enhancers. A number of important features made the Kalpana switches popular, such as using multiple transmission paths for network stations and cut-through switching. Cut-through switching reduced the delay problems associated with standard bridges, and providing multiple transmission paths meant that each device could have its own data path to the switch and did not need to be in a shared environment. Kalpana was able to do this by dedicating one pair of the station wiring to transmitting data and one pair to receiving data. This improvement allowed the Kalpana designers to ignore the constraints of collision detection and carrier sense, because the cables were dedicated to one station. Kalpana continued its history of innovation with the introduction in 1993 of full-duplex Ethernet.

Full−Duplex Ethernet

Prior to the introduction of full-duplex (FDX) Ethernet, Ethernet stations could either transmit or receive data; they could not do both at the same time, because there was no way to ensure a collision-free environment. This was known as half-duplex (HDX) operation. FDX has been a feature of WANs for years, but only the advent of advances in LAN switching technology made it practical to consider FDX on the LAN. In FDX operation, both the transmission and reception paths can be used simultaneously. Because FDX operation uses a dedicated link, there are no collisions, which greatly simplifies the MAC protocol: the station no longer defers to carrier or listens for collisions. The frame format itself is unchanged, so FDX stations remain compatible with HDX Ethernet. You don't need to replace the wiring in a 10BaseT network, because FDX operation runs on the same two-pair wiring used by 10BaseT. It simultaneously uses one pair for transmission and another pair for reception. A switched connection has only two stations: the station itself and the switch port. This setup makes simultaneous transmission possible and has the net effect of doubling the capacity of a 10Mbps link.
This last point is an important one. In theory, FDX operation can provide double the bandwidth of HDX operation, giving 10Mbps in each direction. However, achieving this would require that the two stations have a constant flow of data and that the applications themselves benefit from a two-way data flow. FDX links are extremely beneficial in connecting switches to each other. If there are servers on both sides of the link between switches, the traffic between the switches tends to be more symmetrical.

Fast Ethernet

Another early innovation in the switching industry was the development of Fast Ethernet. Ethernet as a technology has been around since the early 1970s, but by the early 1990s its popularity began to wane. Competing technologies such as FDDI running at 100Mbps showed signs of overtaking Ethernet as a de facto standard, especially for high-speed backbones. Grand Junction, a company founded by many of the early Ethernet pioneers, proposed a new Ethernet technology that would run at 10 times the 10Mbps speed of Ethernet. They were joined by most of the top networking companies, with the exception of Hewlett-Packard (HP), which had a competing product. HP's product, 100VG-AnyLAN, was in most respects far superior to the product proposed by Grand Junction. It had a fatal flaw, though: it was incompatible with existing Ethernet standards and was not backward compatible with most of the equipment in use at the time. Although the standards bodies debated the merits of each of the camps, the marketplace decided for them. Fast Ethernet was the overwhelming winner, so much so that even HP sells Fast Ethernet on almost all its products.
Note: Cisco purchased Kalpana in 1994 and Grand Junction in 1995 and incorporated their innovations into its hardware. These devices became the Catalyst line of Cisco products.

Gigabit Ethernet

In order to implement Gigabit Ethernet (GE), the CSMA/CD method was changed slightly to maintain a 200-meter collision diameter at gigabit-per-second data rates. Without this change, a minimum-size frame could finish transmitting before the transmitting station sensed a collision, which would violate the CSMA/CD rule. GE keeps the 64-byte minimum frame length, but adds modifications to the Ethernet specification: the minimum CSMA/CD carrier time and the Ethernet slot time have been extended from 64 bytes to 512 bytes, and frames smaller than 512 bytes have a carrier extension appended to them. These changes, which can hurt the performance of small frames, have been offset by a feature called packet bursting, which allows servers, switches, and other devices to deliver bursts of small frames in order to utilize the available bandwidth. (Carrier extension and bursting apply only to half-duplex GE; a full-duplex GE link has no collisions and uses neither.) Because it follows the same form, fit, and function as its 10 and 100Mbps predecessors, GE can be integrated seamlessly into existing Ethernet and Fast Ethernet networks using LAN switches or routers to adapt between the different physical line speeds. Because GE is Ethernet, only faster, network managers will find the migration from Fast Ethernet to Gigabit Ethernet to be as smooth as the migration from Ethernet to Fast Ethernet.

Avoiding Fork−Lift Upgrades

Although dedicated switch connections provide the maximum benefits for network users, you don't want to get stuck with fork-lift upgrades. In a fork-lift upgrade, you pay more to upgrade your existing computer or networking equipment to the bigger, better, faster model than the new equipment would cost on its own. The vendor knows that you are not going to buy all new equipment, so the vendor sells you the upgrade at an enormous price. It may sometimes be necessary to support legacy equipment. Fortunately, Ethernet switches let you provide connectivity in a number of ways. You can attach shared hubs to any port on the switch in the same manner that you connect end stations. Doing so makes for a larger collision domain, but you avoid paying the high costs of upgrades. Typically, your goal would be to migrate toward single-station segments as bandwidth demands increase. This migration will provide you with the increased bandwidth you need without wholesale replacement of existing equipment or cabling. In this lower-cost setup, a backbone switch is created in which each port is attached to the now-larger collision domain or segment. This switch replaces existing connections to routers or bridges and provides communication between each of the shared segments.

Network Switching (Part V)

Switched Forwarding

Switches forward frames based on the destination MAC address contained in the frame's header. This approach allows switches to replace hubs and bridges. After a frame is received and the MAC address is read, the switch forwards data based on the switching mode the switch is using. This strategy tends to create very low latency times and very high forwarding rates. Switches use three switching modes to forward information through the switching fabric:
· Store-and-forward
· Cut-through
· FragmentFree
Tip: Switching fabric is the route data takes to get from the input port on the switch to the output port on the switch. The data may pass through wires, processors, buffers, ASICs, and many other components.

Store−and−Forward Switching

Store-and-forward switching pulls the entire frame into the switch's onboard buffers, reads the entire frame, and calculates its cyclic redundancy check (CRC). If the CRC the switch calculates matches the frame check sequence carried at the end of the frame, the frame is good: the destination address is read and the frame is forwarded out the correct port. If the two do not match, the frame is discarded. Because this type of switching waits for the entire frame before forwarding, latency is higher than in the other modes, which can delay network traffic.

Cut−Through Switching

Sometimes referred to as real-time switching or FastForward switching, cut-through switching was developed to reduce the latency involved in processing frames as they arrive at the switch and are forwarded on to the destination port. The switch begins by pulling the frame header into its buffer. As soon as the destination MAC address is known (it occupies the first 6 bytes of the frame), the switch forwards the frame out the correct port. This type of switching reduces latency inside the switch; however, if the frame is corrupt because of a late collision or wire interference, the switch will still forward the bad frame. The destination receives the bad frame, checks its CRC, and discards it, leaving an upper-layer protocol at the source to resend the data. This process wastes bandwidth, and if it occurs too often it can have a major impact on the network. In addition, cut-through switching is limited by its inability to bridge different media speeds. In particular, some network protocols (including NetWare 4.1 and some Internet Protocol [IP] networks) use windowing, in which multiple frames may be sent without a response. In this situation, the latency across a switch is much less noticeable, so the on-the-fly switch loses its main competitive edge. The lack of error checking also poses a problem for large networks. That said, there is still a place for the fast cut-through switch in smaller parts of large networks.

FragmentFree Switching

Also known as runtless switching, FragmentFree switching was developed to solve the late-collision problem. These switches perform a modified version of cut-through switching. A collision, if one occurs, is detected within the first 64 bytes of a frame (64 bytes is the minimum valid Ethernet frame size), so the switch waits for and checks the first 64 bytes before forwarding, instead of forwarding as soon as the destination MAC address has been read. A frame that ends before 64 bytes is a collision fragment (a runt) and is discarded; a frame that reaches 64 bytes is forwarded, still without a CRC check.

Combining Switching Methods

To resolve the problems associated with the switching methods discussed so far, a new method was developed. Some switches, such as the Cisco Catalyst 1900, 2820, and 3000 series, begin in either cut-through or FragmentFree mode. Then, as frames are received and forwarded, the switch also checks each frame's CRC. The frame has already been forwarded by then (the decision is made as soon as the destination MAC address is read, before the CRC arrives), so a bad frame still gets through; the point of the check is to count them. If too many bad frames are forwarded, the switch takes a proactive role and changes from cut-through mode to store-and-forward mode. This method, together with faster processors, has removed many of the problems associated with cut-through switching. Only the Catalyst 1900, 2820, and 3000 series switches support cut-through and FragmentFree switching. You might wonder why the faster Catalyst series switches do not support this seemingly faster method of switching. Store-and-forward switching is not necessarily slower than cut-through switching: when switches were first introduced the two modes were quite different, but with better processors and integrated-circuit technology, store-and-forward switching can perform at the physical wire limitations, so the end user sees no difference between the methods.
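The three modes and the adaptive fallback described in the preceding sections behave as follows when simulated over constructed frames. This Python model is an added example, not code from the page or from any Catalyst switch; the MAC-to-port table, the addresses and the frames are constructed inline, and the FCS is the standard IEEE 802.3 CRC-32. The point worth seeing is the one that matters for security and troubleshooting: in cut-through and FragmentFree modes a frame with a bad FCS is already on the wire before the switch can know it is bad, and only the adaptive threshold closes that window.

```python
import zlib

MIN_FRAME = 64       # minimum Ethernet frame (header + payload + FCS), in bytes
DST_MAC_LEN = 6      # the destination MAC is the first field of the frame


def fcs(data):
    """IEEE 802.3 frame check sequence: CRC-32 over the frame, least-significant byte first."""
    return zlib.crc32(data).to_bytes(4, "little")


def build_frame(dst, src, ethertype, payload):
    """Assemble a frame, padding short payloads so the frame reaches the 64-byte minimum."""
    body = dst + src + ethertype + payload
    body += b"\x00" * max(0, MIN_FRAME - 4 - len(body))
    return body + fcs(body)


def fcs_ok(frame):
    return len(frame) > 4 and fcs(frame[:-4]) == frame[-4:]


class Switch:
    """One-frame-at-a-time forwarding engine in one of the three modes. With adaptive=True it
    behaves as the page describes for the Catalyst 1900/2820/3000: it starts in a cut-through
    mode and falls back to store-and-forward once too many bad frames have been forwarded."""

    def __init__(self, mode, cam, adaptive=False, error_threshold=2):
        self.mode = mode                    # "store-and-forward" | "cut-through" | "fragmentfree"
        self.cam = cam                      # constructed MAC-address-to-port table
        self.adaptive = adaptive
        self.error_threshold = error_threshold
        self.bad_frames_forwarded = 0

    def forward(self, frame):
        """Return ("forwarded", port) or ("dropped", reason)."""
        if len(frame) < DST_MAC_LEN:
            return ("dropped", "no destination address")
        port = self.cam.get(frame[:DST_MAC_LEN], "flood")   # unknown destination: flood all ports

        if self.mode == "store-and-forward":
            # The whole frame is buffered first, so runts and FCS errors never leave the switch.
            if len(frame) < MIN_FRAME:
                return ("dropped", "runt")
            if not fcs_ok(frame):
                return ("dropped", "fcs error")
            return ("forwarded", port)

        if self.mode == "fragmentfree" and len(frame) < MIN_FRAME:
            # The first 64 bytes did not arrive intact: a collision fragment.
            return ("dropped", "runt")

        # Cut-through (and FragmentFree beyond 64 bytes) is already transmitting before the FCS
        # arrives, so a corrupt frame reaches the destination and is discarded there instead.
        if not fcs_ok(frame):
            self.bad_frames_forwarded += 1
            if self.adaptive and self.bad_frames_forwarded >= self.error_threshold:
                self.mode = "store-and-forward"
        return ("forwarded", port)


# Constructed sample traffic (not captured from a real network).
PC_A = bytes.fromhex("02000000000a")
SERVER = bytes.fromhex("020000000001")
IPV4 = b"\x08\x00"
CAM = {PC_A: 1, SERVER: 3}

GOOD = build_frame(SERVER, PC_A, IPV4, b"GET /index.html")
_damaged = bytearray(build_frame(SERVER, PC_A, IPV4, b"x" * 100))
_damaged[70] ^= 0x01                   # one flipped bit well past the 64-byte mark
CORRUPT = bytes(_damaged)
RUNT = GOOD[:40]                       # a late collision cut the frame short


def run_all_modes(frame):
    """What each of the three modes does with 'frame'."""
    return {mode: Switch(mode, CAM).forward(frame)
            for mode in ("store-and-forward", "cut-through", "fragmentfree")}


if __name__ == "__main__":
    for name, frame in (("good", GOOD), ("corrupt", CORRUPT), ("runt", RUNT)):
        print(name, run_all_modes(frame))
```

Running it shows the runt being forwarded only by cut-through, the corrupt frame being forwarded by both cut-through and FragmentFree, and an adaptive switch flipping itself into store-and-forward after the second bad frame.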

Switched Network Bottlenecks

This section will take you step by step through how bottlenecks affect performance, some of the causes of bottlenecks, and things to watch out for when designing your network. A bottleneck is a point in the network at which data slows due to collisions and too much traffic directed to one resource node (such as a server). In these examples, I will use fairly small, simple networks so that you will get the basic strategies that you can apply to larger, more complex networks.
Let's start small and slowly increase the network size. We'll take a look at a simple way of understanding how switching technology increases the speed and efficiency of your network. Bear in mind, however, that increasing the speed of your physical network increases the throughput to your resource nodes and doesn't always increase the speed of your network. This increase in traffic to your resource nodes may create a bottleneck.

Figure 1.6 shows a network that has been upgraded to 100Mbps links to and from the switch for all the nodes. Because every device can send data at 100Mbps (wire speed) to and from the switch, a link that receives data from multiple nodes needs to be faster than the links feeding it in order to process and fulfill the data requests without creating a bottleneck. Here all the nodes, including the file servers, have 100Mbps links, so the link to the file server that is the target of everyone's data transfers becomes a bottleneck in the network.

Figure 1.6: A switched network with only two servers.

Notice that the sheer number of clients sending data to the servers can overwhelm the cable and slow the data traffic. Many types of physical media topologies can be applied to this concept. In this demonstration, we will utilize Ethernet 100BaseT. Ethernet 10BaseT and 100BaseT are the most commonly found in the networks of today. We'll make an upgrade to the network and alleviate our bottleneck on the physical link from the switch to each resource node or server. By upgrading this particular link to a Gigabit Ethernet link, as shown in Figure 1.7, you can successfully eliminate this bottleneck.

Figure 1.7: The addition of a Gigabit Ethernet link on the physical link between the switch and the server.
It would be nice if all network bottleneck problems were so easy to solve. Let's take a look at a more complex model. In this situation, the demand nodes are connected to one switch and the resource nodes are connected to another switch. As you add additional users to switch A, you'll find out where our bottleneck is. As you can see from Figure 1.8, the bottleneck is now on the trunk link between the two switches. Even if all the switches have a VLAN assigned to each port, a trunk link without VTP pruning enabled will carry all the VLANs to the next switch.

Figure 1.8: A new bottleneck on the trunk link between the two switches.
To resolve this issue, you could implement the same solution as in the previous example and upgrade the trunk between the two switches to Gigabit Ethernet. Doing so would eliminate the bottleneck. You want to put switches in place whose throughput is never blocked by the number of ports. This solution is referred to as using non-blocking switches.

Non−Blocking Switch vs. Blocking Switch

We call a switch a blocking switch when the switch bus or components cannot handle the theoretical maximum throughput of all the input ports combined. There is a lot of debate over whether every switch should be designed as a non-blocking switch; but for now this situation is only a dream, considering the current pricing of non-blocking switches.
Let's get even more complicated and introduce another solution by implementing two physical links between the two switches and using full-duplex technology. Full duplex means that each port uses one wire pair to send and another to receive, so data flows in both directions at once. This setup not only guarantees a collision-free connection, but also lets each direction of the link be driven to almost 100 percent utilization. If you had 10Mbps on the wire at half duplex, by implementing full duplex you have 20Mbps of aggregate capacity (10Mbps each way). The same goes for a 100BaseT network: instead of 100Mbps, you have a 200Mbps link, and with two such links between the switches you double that again.
Tip: If the interfaces on your resource nodes can implement full duplex, it can also be a secondary solution for your servers.
Almost every Cisco switch has an acceptable throughput level and will work well in its own layer of the Cisco hierarchical switching model or its designed specification. Implementing VLANs has become a popular solution for breaking a segment down into smaller broadcast domains.

Internal Route Processor vs. External Route Processor

Routing between VLANs has been a challenging problem to overcome. In order to route between VLANs, you must use a Layer 3 route processor or router. There are two different types of route processors: an external route processor and an internal route processor. An external route processor uses an external router to route data from one VLAN to another VLAN. An internal route processor uses modules and cards located in the same device to implement the routing between VLANs.
Now that you have a pretty good idea how a network should be designed and how to monitor and control bottlenecks, let's take a look at the general traffic rule and how it has changed over time.

Network Switching (Part IV)

Why Upgrade to Switches?

As an administrator, you may not realize when it is time to convert your company to a switched network and implement VLANs. You may also not be aware of the benefits that can occur from replacing your hubs and bridges with switches, or how the addition of some modules in your switches to implement routing and filtering ability can help improve your network's performance.
When your flat topology network starts to slow down due to traffic, collisions, and other bottlenecks, you may want to investigate the problems. Your first reaction is to find out what types of data are flowing through your network. If you are in command of the network sniffer or other such device, you may begin to find over-utilization errors on the sniffer occurring when the Ethernet network utilization reaches above only 40 percent. Why would this happen at such a low utilization percentage on the network? Peak efficiency on a flat topology Ethernet network is about 40 percent utilization. Sustained utilization above this level is a strong indicator that you may want to upgrade the physical network into a switched environment.
When you start to notice that your state-of-the-art Pentiums are performing poorly, many network administrators don't realize the situation may be due to the hundreds of other computers on their flat hub and bridged networks. To resolve the issue, your network administrator may even upgrade your PC to a faster CPU or more RAM. This allows your PC to generate more input/output (I/O), increasing the saturation on the network. In this type of environment, every data packet is sent to every machine, and each station has to process every frame on the network. The processors in the PCs handle this task, taking away from the processing power needed for other tasks.
Every day, I visit users and networks with this problem. When I upgrade them to a switched network, it is typically a weekend job. The users leave on Friday with their high-powered Pentiums stacked with RAM acting like 486s. When they come back Monday morning, we hear that their computers boot up quickly and run faster, and that Internet pages come up instantly. In many cases, slow Internet access times were blamed on the users' WAN connections. The whole time, the problem wasn't their WAN connections; it was their LAN saturated to a grinding halt with frames from every interface on the network.
When network performance gets this bad, it's time to call in a Cisco consultant or learn how to implement switching. Either way, you are reading this book because you are very interested in switching or in becoming Cisco certified. Consider yourself a network hero of this generation in training. To fix the immediate problems on your 10BaseT network with Category 3 or Category 4 cabling, you might need to upgrade to Category 5 cabling and implement a Fast Ethernet network. Then you need to ask yourself, is this only a temporary solution for my network? What types of new technologies are we considering? Are we going to upgrade to Windows 2000? Will we be using Web services or implementing Voice over IP? Do we have any requirements for using multicast, unicast, video conferencing, or CAD applications? The list of questions goes on. Primarily, you need to ask yourself if this is a temporary solution or one that will stand the test of time.

Unshielded Twisted−Pair Cable

Category 3 unshielded twisted−pair (UTP) is cable certified for bandwidths of up to 10Mbps with signaling rates of up to 16MHz. Category 4 UTP cable is cable certified for bandwidths of up to 16Mbps with signaling rates up to 20MHz. Category 4 cable is classified as voice and data grade cabling. Category 5 cabling is cable certified for bandwidths of up to 100Mbps and signaling rates of up to 100MHz. New cabling standards for Category 5e and Category 6 cable support bandwidths of up to 1Gbps.

In many cases, network administrators don't realize that implementing a switched network will allow your network to run at almost wire speed. Upgrading the backbone (not the wiring), eliminating the data collisions, making the network segments smaller, and getting those users off hubs and bridges is the answer. In terms of per-port costs, this is usually a much cheaper solution. It's also a solution you can grow with. Of course, a 100Mbps network never hurts; but even a switched 10BaseT network that has been correctly implemented can have almost the same effect of providing your network with increased performance.
Network performance is usually measured by throughput. Throughput is the overall amount of data traffic that can be carried by the physical lines through the network. It is measured by the maximum amount of data that can pass through any point in your network without suffering packet loss or collisions. Packet loss is the total number of packets transmitted at the speed of the physical wire minus the number that arrive correctly at their destination. When you have a large percentage of packet loss, your network is functioning less efficiently than it would if the multiple collisions of the transmitted data were eliminated.
The forwarding rate is another consideration in network throughput. The forwarding rate is the number of packets per second that can be transmitted on the physical wire. For example, if you are sending 64-byte frames on a 10BaseT Ethernet network, you can transmit a maximum of about 14,880 frames per second: each frame occupies its 64 bytes plus the 8-byte preamble and the 12-byte (96-bit) interframe gap, or 672 bit times, and 10,000,000 bits per second divided by 672 bit times is about 14,880. Poorly designed and implemented switched networks can have awful effects. Let's take a look at the effects of a flat area topology and how we can design, modify, and upgrade Ethernet networks to perform as efficiently as possible.

Properly Switched Networks

Properly switched networks use the Cisco hierarchical switching model to place switches in the proper location in the network and apply the most efficient functions to each. In the model you will find switches in three layers:

  • Access layer
  • Distribution layer
  • Core layer

The Access layer's primary function is to connect to the end user's interface. It switches traffic between its ports and floods broadcasts within the broadcast domain its ports belong to. It is the access point into the network for the end users. It can utilize lower-end switches such as the Catalyst 1900, 2800, 2900, 3500, 4000, and 5000 series switches.
The Access layer switch blocks meet at the Distribution layer. It uses medium-end switches with a little more processing power and stronger ASICs. The function of this layer is to apply filters, queuing, security, and routing in some networks. It is the main processor of frames and packets flowing through the network. Switches found at this layer belong to the 5500, 6000, and 6500 series.
The Core layer's only function is to route data between segments and switch blocks as quickly as possible. No filtering or queuing functions should be applied at this layer. The highest-end Cisco Catalyst switches are typically found at this layer, such as the 500, 6500, 8500, 8600 GSR, and 12000 GSR series switches.
How you configure your broadcast and collision domains, whether in a switched network or a flat network topology, can have quite an impact on the efficiency of your network. Let's take a look at how utilization is measured and the different effects bandwidth can have on different media types and networks.

Network Utilization

Network administrators vary on the utilization percentage values for normal usage of the network. Table 1.1 shows the average utilization that should be seen on the physical wire. Going above these averages of network utilization on the physical wire is a sign that a problem exists in the network, that you need to make changes to the network configuration, or that you need to upgrade the network.

Table 1.1: The average limits in terms of physical wire utilization. Exceeding these values indicates a network problem.

You can use a network monitor such as a sniffer to monitor your utilization and the type of traffic flowing through your network. Devices such as WAN probes let you monitor the traffic on the WAN.

Network Switching (Part III)

Network Design

When designing or upgrading your network, you need to keep some basic rules of segmenting in mind. You segment your network primarily to relieve network congestion and route data as quickly and efficiently as possible. Segmentation is often necessary to satisfy the bandwidth requirements of a new application or type of information that the network needs to support. Other times, it may be needed due to the increased traffic in the segment or subnet. You should also plan for increased levels of network usage or unplanned increases in network population.
Some areas you need to consider are the types of nodes, user groups, security needs, population of the network, applications used, and the network needs for all the interfaces on the network. When designing your network, you should create it in a hierarchical manner. Doing so provides you with the ability to easily make additions to your network. Another important consideration should be how your data flows through the network. For example, let's say your users are intermingled with your servers in the same geographical location. If you create a switched network in which the users' data must be switched through a number of links to another geographical area and then back again to create a connection between the users and file servers, you have not designed the most efficient path to the destination.
Single points of failure need to be analyzed, as well. As we stated earlier, every large-network user has suffered through his or her share of network outages and downtime. By analyzing all the possible points of failure, you can implement redundancy in the network and avoid many network outages. Redundancy is the addition of an alternate path through the network. In the event of a network failure, the alternate paths can be used to continue forwarding data throughout the network.
The last principle that you should consider when designing your network is the behavior of the different protocols. The actual switching point for data does not have to be the physical wire level. Your data can be rerouted at the Data Link and Network layers, as well. Some protocols introduce more network traffic than others. Those operating at Layer 2 can be encapsulated or tagged to create a Layer-3-like environment. This environment allows the implementation of switching, and thereby provides security, protocol priority, and Quality of Service (QoS) features through the use of Application-Specific Integrated Circuits (ASICs) instead of the CPU on the switch. ASICs are silicon chips that perform only one or two specific tasks, and they do so faster than a general-purpose CPU can. Because they process data in silicon and are assigned to a certain task, less processing time is needed, and data is forwarded with less latency and more efficiency to the end destinations.
In order to understand how switches work, we need to understand how collision domains and broadcast domains differ.

Collision Domains

A switch can be considered a high-speed multiport bridge that allows almost maximum wire-speed transfers. Dividing the local geographical network into smaller segments reduces the number of interfaces in each segment. Doing so will increase the amount of bandwidth available to all the interfaces. Each smaller segment is considered a collision domain.

In the case of switching, each port on the switch is its own collision domain. The most optimal switching configuration places only one interface on each port of a switch, making the collision domain two nodes: the switch port interface and the interface of the end machine.

Let’s look at a small collision domain consisting of two PCs and a server, shown in Figure 1.4. Notice that if both PCs in the network transmit data at the same time, the data will collide in the network because all three computers are in the same collision domain. If each PC and the server were on its own port on the switch, each would be in its own collision domain.

Figure 1.4: A small collision domain consisting of two PCs sending data simultaneously to a server.

Switch ports are assigned to virtual LANs (VLANs) to segment the network into smaller broadcast domains. If you are using a node attached to a switch port assigned to a VLAN, broadcasts will only be received from members of your assigned VLAN. When the switch is set up and each port is assigned to a VLAN, a broadcast sent in VLAN 1 is seen by those ports assigned to VLAN 1 even if they are on other switches attached by trunk links. A switch port can be a member of only one VLAN, and a Layer 3 device such as an internal route processor or router is required to route data from one VLAN to another.

Although the nodes on each port are in their own collision domain, the broadcast domain consists of all of the ports assigned to a particular VLAN. Therefore, when a broadcast is sent from a node in VLAN 1, all the devices attached to ports assigned to VLAN 1 will receive that broadcast. The switch segments the users connected to other ports, thereby preventing data collisions. For this reason, when traffic remains local to each segment or workgroup, each user has more bandwidth available than if all the nodes are in one segment. On a physical link between the port on the switch and a workstation in a VLAN with very few nodes, data can be sent at almost 100 percent of the physical wire speed. The reason? Virtually no data collisions. If the VLAN contains many nodes, the broadcast domain is larger and more broadcasts must be processed by all ports on the switch belonging to each VLAN. The set of ports assigned to a VLAN makes up the broadcast domain, which is discussed in the following section.

Broadcast Domains

In switched environments, broadcast domains consist of all the ports or collision domains belonging to a VLAN. In a flat network topology, your collision domain and your broadcast domain are all the interfaces in your segment or subnet. If no devices (such as a switch or a router) divide your network, you have only one broadcast domain. On some switches, the number of broadcast domains or VLANs that can be configured is almost limitless. VLANs allow a switch to divide the network segment into multiple broadcast domains. Each port becomes its own collision domain. Figure 1.5 shows an example of a properly switched network.

Figure 1.5: An example of a properly switched network.
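The following is an added example, not from the chapter, that models the broadcast-domain rules just described: a broadcast from an access port reaches every port in the same VLAN on every switch reachable over trunk links, while ports in other VLANs are unreachable at Layer 2. It also assumes (going slightly beyond the text) that a trunk carries only a configured set of VLANs; the switch names, port numbers and VLAN assignments are constructed for illustration.

```python
"""Added example, not the chapter's own code: compute broadcast-domain
membership from port-to-VLAN assignments and trunk links."""
from collections import defaultdict, deque

# Constructed access-port assignments: switch -> {port number: VLAN id}
ACCESS_PORTS = {
    "sw1": {1: 10, 2: 10, 3: 20, 4: 20},
    "sw2": {1: 10, 2: 20, 3: 30},
    "sw3": {1: 30, 2: 10},
}

# Constructed trunk links (switch A, switch B, VLANs allowed on the trunk).
# Assumption: a trunk only extends the VLANs it is configured to carry.
TRUNKS = [
    ("sw1", "sw2", {10, 20}),
    ("sw2", "sw3", {30}),  # VLAN 10 is not carried here, so sw3 port 2 is isolated
]


def reachable_switches(start, vlan, trunks):
    """Switches reachable from `start` over trunks that carry `vlan` (BFS)."""
    adjacency = defaultdict(set)
    for a, b, allowed in trunks:
        if vlan in allowed:
            adjacency[a].add(b)
            adjacency[b].add(a)
    seen, queue = {start}, deque([start])
    while queue:
        switch = queue.popleft()
        for neighbour in adjacency[switch]:
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return seen


def broadcast_domain(switch, port, access=ACCESS_PORTS, trunks=TRUNKS):
    """Return (vlan, members): every (switch, port) that receives a broadcast
    sent from the given access port, excluding the sender itself."""
    vlan = access[switch][port]
    members = set()
    for sw in reachable_switches(switch, vlan, trunks):
        for p, v in access[sw].items():
            if v == vlan and (sw, p) != (switch, port):
                members.add((sw, p))
    return vlan, members


def same_broadcast_domain(src, dst, access=ACCESS_PORTS, trunks=TRUNKS):
    """True when a frame from src can reach dst purely at Layer 2.
    False means a Layer 3 device (router or route processor) is required."""
    return dst in broadcast_domain(*src, access, trunks)[1]


if __name__ == "__main__":
    vlan, members = broadcast_domain("sw1", 1)
    print(f"broadcast from sw1 port 1 (VLAN {vlan}) reaches {sorted(members)}")
    print("sw1/1 -> sw1/3 at Layer 2:", same_broadcast_domain(("sw1", 1), ("sw1", 3)))
```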

Note Switching technology complements routing technology, and each has its place in the network. The value of routing technology is most noticeable when you get to larger networks that utilize WAN solutions in the network environment.

Network Switching (Part II)

The Pieces of Technology

In 1980, a group of vendors consisting of Digital Equipment Corporation (DEC), Intel, and Xerox created what was known as the DIX standard. Ultimately, after a few modifications, it became the IEEE 802.3 standard. It is the 802.3 standard that most people associate with the term Ethernet.

The Ethernet networking technology was invented by Robert M. Metcalfe while he was working at the Xerox Palo Alto Research Center in the early 1970s. It was originally designed to help support research on the “office of the future.” At first, the network’s speed was limited to 3Mbps.

Ethernet is a multiaccess, packet-switched system with very democratic principles. The stations themselves provide access to the network, and all devices on an Ethernet LAN can access the LAN at any time. Ethernet signals are transmitted serially, one bit at a time, over a shared channel available to every attached station. To reduce the likelihood of multiple stations transmitting at the same time, Ethernet LANs use a mechanism known as Carrier Sense Multiple Access Collision Detection (CSMA/CD) to listen to the network and see if it is in use. If a station has data to transmit, and the network is not in use, the station sends the data. If two stations transmit at the same time, a collision occurs. The stations are notified of this event, and they instantly reschedule their transmissions using a specially designed back-off algorithm. As part of this algorithm, each station involved chooses a random time interval to schedule the retransmission of the frame. In effect, this process keeps the stations from making transmission attempts at the same time and prevents a collision.

After each frame transmission, all stations on the network contend equally for the next frame transmission. This competition allows access to the network channel in a fair manner. It also ensures that no single station can lock out the other stations from accessing the network.

Access to the shared channel is determined by the Media Access Control (MAC) mechanism on each Network Interface Card (NIC) located in each network node. The MAC address is a physical address which, in terms of the OSI Reference Model, is the lowest-level address. This is the address used by a switch. The router at Layer 3 uses a protocol address, which is referred to as a logical address.

CSMA/CD is the tool that allows collisions to be detected. Each collision of frames on the network reduces the amount of network bandwidth that can be used to send information across the physical wire. CSMA/CD also forces every device on the network to analyze each individual frame and determine if the device was the intended recipient of the packet. The process of decoding and analyzing each individual packet generates additional CPU usage on each machine, which degrades each machine’s performance.

As networks grew in popularity, they also began to grow in size and complexity. For the most part, networks began as small isolated islands of computers. In many of the early environments, the network was installed over a weekend; when you came in on Monday, a fat orange cable was threaded throughout the organization, connecting all the devices. A method of connecting these segments had to be derived. In the next few sections, we will look at a number of approaches by which networks can be connected. We will look at repeaters, hubs, bridges, and routers, and demonstrate the benefits and drawbacks to each approach.

Repeaters

The first LANs were designed using thick coaxial cables, with each station physically tapping into the cable. In order to extend the distance and overcome other limitations on this type of installation, a device known as a repeater is used. Essentially, a repeater consists of a pair of back-to-back transceivers. The transmit wire on one transceiver is hooked to the receive wire on the other, so that bits received by one transceiver are immediately retransmitted by the other.

Repeaters work by regenerating the signals from one segment to another, and they allow networks to overcome distance limitations and other factors. Repeaters amplify the signal to further transmit it on the segment because there is a loss in signal energy caused by the length of the cabling. When data travels through the physical cable it loses strength the further it travels. This loss of signal strength is referred to as attenuation.

These devices do not create separate networks; instead, they simply extend an existing one. A standard rule of thumb is that no more than three repeaters may be located between any two stations. This is often referred to as the 5-4-3 rule, which states that no more than 5 segments may be attached by no more than 4 repeaters, with no more than 3 segments populated with workstations. This limitation prevents excessive propagation delay, which is the time it takes for the packet to go from the beginning of the link to the opposite end.

As you can imagine, in the early LANs this method resulted in a host of performance and fault-isolation problems. As LANs multiplied, a more structured approach called 10BaseT was introduced. This method consists of attaching all the devices to a hub in the wiring closet. All stations are connected in a point-to-point configuration between the interface and the hub.

Hubs

A hub, also known as a concentrator, is a device containing a grouping of repeaters. Similar to repeaters, hubs are found at the Physical layer of the OSI Model. These devices simply collect and retransmit bits. Hubs are used to connect multiple cable runs in a star-wired network topology into a single network. This design is similar to the spokes of a wheel converging on the center of the wheel.

Many benefits derive from this type of setup, such as allowing interdepartmental connections between hubs, extending the maximum distance between any pair of nodes on the network, and improving the ability to isolate problems from the rest of the network.

Six types of hubs are found in the network:

  • Active hubs—Act as repeaters and eliminate attenuation by amplifying the signals they replicate to all the attached ports.
  • Backbone hubs—Collect other hubs into a single collection point. This type of design is also known as a multitiered design. In a typical setup, servers and other critical devices are on high-speed Fast Ethernet or Gigabit uplinks. This setup creates a very fast connection to the servers that the lower-speed networks can use to prevent the server or the path to the server from being a bottleneck in the network.
  • Intelligent hubs—Contain logic circuits that shut down a port if the traffic indicates that malformed frames are the rule rather than the exception.
  • Managed hubs—Have Application layer software installed so that they can be remotely managed. Network management software is very popular in organizations that have staff responsible for a network spread over multiple buildings.
  • Passive hubs—Aid in producing attenuation. They do not amplify the signals they replicate to all the attached ports. These are the opposite of active hubs.
  • Stackable hubs—Have a cable to connect hubs that are in the same location without requiring the data to pass through multiple hubs. This setup is commonly referred to as daisy chaining.

In all of these types of hub configurations, one crucial problem exists: All stations share the bandwidth, and they all remain in the same collision domain. As a result, whenever two or more stations transmit simultaneously on any hub, there is a strong likelihood that a collision will occur. These collisions lead to congestion during high-traffic loads. As the number of stations increases, each station gets a smaller portion of the LAN bandwidth. Hubs do not provide microsegmentation and leave only one collision domain.

Bridges

A bridge is a relatively simple device consisting of a pair of interfaces with some packet buffering and simple logic. The bridge receives a packet on one interface, stores it in a buffer, and immediately queues it for transmission by the other interface. The two cables each experience collisions, but collisions on one cable do not cause collisions on the other. The cables are in separate collision domains.

Note Some bridges are capable of connecting dissimilar topologies.

The term bridging refers to a technology in which a device known as a bridge connects two or more LAN segments. Bridges are OSI Data Link layer, or Layer 2, devices that were originally designed to connect two network segments. Multiport bridges were introduced later to connect more than two network segments, and they are still in use in many networks today. These devices analyze the frames as they come in and make forwarding decisions based on information in the frames themselves. To do its job effectively, a bridge provides three separate functions:

  • Filtering the frames that the bridge receives to determine if the frame should be forwarded
  • Forwarding the frames that need to be forwarded to the proper interface
  • Eliminating attenuation by amplifying received data signals

Bridges learn the location of the network stations without any intervention from a network administrator or any manual configuration of the bridge software. This process is commonly referred to as self-learning. When a bridge is turned on and begins to operate, it examines the MAC addresses located in the headers of frames passed through the network. As the traffic passes through the bridge, the bridge builds a table of known source addresses, assuming that the port on which the bridge received the frame is the port to which the sending device is attached.

In this table, an entry exists that contains the MAC address of each node along with the bridge interface and port on which it resides. If the bridge knows that the destination is on the same segment as the source, it drops the packet because there is no need to transmit it. If the bridge knows that the destination is on another segment, it transmits the packet on the port leading to that segment only. If the bridge does not know the destination segment, the bridge transmits a copy of the frame to all of its interface ports except the one on which the frame arrived, using a technique known as flooding. For each packet an interface receives, the bridge stores in its table the following information:

  • The frame’s source address
  • The interface the frame arrived on
  • The time at which the switch port received the source address and entered it into the switching table
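
The self-learning process above, as an added Python example (not the chapter's own code): a bridge that records each frame's source address, arrival port and learning time, then decides to drop, forward or flood. The MAC addresses, port numbers, frame sequence and the 300-second aging timer are constructed assumptions; the chapter names the table fields but gives no timer value.

```python
"""Added example, not from the chapter: a self-learning bridge forwarding
table with the three forwarding decisions the text describes (drop when the
destination is on the arrival port, forward when it is known, flood when it
is not) plus aging of stale entries, keyed on the learning time."""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
AGE_SECONDS = 300.0  # assumed aging timer; stale entries fall back to flooding


@dataclass
class Entry:
    port: int          # interface the frame arrived on
    learned_at: float  # time the source address was entered into the table


class LearningBridge:
    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}  # source MAC address -> Entry

    def _learn(self, mac, port, now):
        # Assume the source lives on the port its frame arrived on; a later
        # frame from the same address on another port simply moves the entry.
        self.table[mac] = Entry(port, now)

    def _lookup(self, mac, now):
        entry = self.table.get(mac)
        if entry is None:
            return None
        if now - entry.learned_at > AGE_SECONDS:
            del self.table[mac]  # aged out: treat the destination as unknown
            return None
        return entry.port

    def receive(self, in_port, src, dst, now):
        """Return (action, output_ports) for a frame arriving on in_port."""
        self._learn(src, in_port, now)
        others = [p for p in self.ports if p != in_port]
        if dst == BROADCAST:
            return "flood", others
        out = self._lookup(dst, now)
        if out is None:
            return "flood", others          # unknown destination
        if out == in_port:
            return "drop", []               # same segment as the source
        return "forward", [out]             # known, on another segment


def demo():
    """Run a constructed frame sequence and return the decision trace."""
    bridge = LearningBridge(ports=[1, 2, 3])
    # Constructed frames: (time, arrival port, source MAC, destination MAC)
    frames = [
        (0.0, 1, "00:00:aa:aa:aa:01", "00:00:bb:bb:bb:02"),  # bb unknown
        (1.0, 2, "00:00:bb:bb:bb:02", "00:00:aa:aa:aa:01"),  # aa known, port 1
        (2.0, 1, "00:00:cc:cc:cc:03", "00:00:aa:aa:aa:01"),  # aa on same port
        (3.0, 3, "00:00:dd:dd:dd:04", BROADCAST),            # broadcast
        (400.0, 2, "00:00:bb:bb:bb:02", "00:00:cc:cc:cc:03"),  # cc aged out
    ]
    trace = []
    for now, port, src, dst in frames:
        action, outs = bridge.receive(port, src, dst, now)
        trace.append((src, dst, action, outs))
    return trace


if __name__ == "__main__":
    for src, dst, action, outs in demo():
        print(f"{src} -> {dst}: {action} {outs}")
```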

Note Bridges and switches are logically equivalent.

There are four kinds of bridges:

  • Transparent bridge—Primarily used in Ethernet environments. They are called transparent bridges because their presence and operation are transparent to network hosts. Transparent bridges learn and forward packets in the manner described earlier.
  • Source-route bridge—Primarily used in Token Ring environments. They are called source-route bridges because they assume that the complete source-to-destination route is placed in frames sent by the source.
  • Translational bridge—Translators between different media types, such as Token Ring and Ethernet.
  • Source-route transparent bridge—A combination of transparent bridging and source-route bridging that enables communication in mixed Ethernet and Token Ring environments.

Broadcasts are the biggest problem with bridges. Some bridges help reduce network traffic by filtering packets and allowing them to be forwarded only if needed. Bridges also forward broadcasts to devices on all segments of the network. As networks grow, so does broadcast traffic. Instead of frames being broadcast through a limited number of devices, bridges often allow hundreds of devices on multiple segments to broadcast data to all the devices. As a result, all devices on all segments of the network are now processing data intended for one device. Excessive broadcasts reduce the amount of bandwidth available to end users.

This situation causes bandwidth problems called network broadcast storms. Broadcast storms occur when broadcasts throughout the LAN use up all available bandwidth, thus grinding the network to a halt. Network performance is most often affected by three types of broadcast traffic: inquiries about the availability of a device, advertisements for a component’s status on the network, and inquiries from one device trying to locate another device. The following are the typical types of network broadcasts:

  • Address Resolution Protocol (ARP)
  • Internetwork Packet Exchange (IPX)
  • Get Nearest Server (GNS) requests
  • IPX Service Advertising Protocol (SAP)
  • Multicast traffic broadcasts
  • NetBIOS name requests

These broadcasts are built into the network protocols and are essential to the operation of the network devices using these protocols.

Due to the overhead involved in forwarding packets, bridges also introduce a delay in forwarding traffic. This delay is known as latency. Latency is measured from the moment a packet enters the input port on the bridge until the time the bridge forwards the packet out the exit port. Bridges can introduce a 20 to 30 percent loss of throughput for some applications. Latency is a big problem with some timing-dependent technologies, such as mainframe connectivity, video, or voice. High levels of latency can result in loss of connections and noticeable video and voice degradation. The inherent problems of bridging over multiple segments, including segments of different LAN types, with Layer 2 devices became a burden for network administrators. To overcome these issues, a device called a router, operating at OSI Layer 3, was introduced.

Routers

Routers are devices that operate at Layer 3 of the OSI Model. Routers can be used to connect more than one Ethernet segment with or without bridging. Routers perform the same basic functions as bridges and also forward information and filter broadcasts between multiple segments. Figure 1.2 shows routers segmenting multiple network segments. Using an OSI network Layer 3 solution, routers logically segment traffic into subnets.

Figure 1.2: Routers connecting multiple segments.

Routers were originally introduced to connect dissimilar network media types as well as to provide a means to route traffic, filter broadcasts across multiple segments, and improve overall performance. This approach eliminated broadcasts over multiple segments by filtering broadcasts. However, routers became a bottleneck in some networks and also resulted in a loss of throughput for some types of traffic.

When you are connecting large networks, or when you are connecting networks to a WAN, routers are very important. Routers will perform media conversion, adjusting the data link protocol as necessary. With a router, as well as with some bridges, you can connect an Ethernet network and a Token Ring network. Routers do have some disadvantages. The cost of routers is very high, so they are an expensive way to segment networks. If protocol routing is necessary, you must pay this cost. Routers are also difficult to configure and maintain, meaning that you will have a difficult time keeping the network up and running. Knowledgeable workers who understand routing can be expensive.

Routers are also somewhat limited in their performance, especially in the areas of latency and forwarding rates. Routers add about 40 percent additional latency from the time packets arrive at the router to the time they exit the router. Higher latency is primarily due to the fact that routing requires more packet assembly and disassembly. These disadvantages force network administrators to look elsewhere when designing many large network installations.

Switches

A new option had to be developed to overcome the problems associated with bridges and routers. These new devices were called switches. The term switching was originally applied to packet-switch technologies, such as Link Access Procedure, Balanced (LAPB); Frame Relay; Switched Multimegabit Data Service (SMDS); and X.25. Today, switching is more commonly associated with LAN switching and refers to a technology that is similar to a bridge in many ways.

Switches allow fast data transfers without introducing the latency typically associated with bridging. They create a one-to-one dedicated network segment for each device on the network and interconnect these segments by using an extremely fast, high-capacity infrastructure that provides optimal transport of data on a LAN; this structure is commonly referred to as a backplane. This setup reduces competition for bandwidth on the network, allows maximum utilization of the network, and increases flexibility for network designers and implementers.

Ethernet switches provide a number of enhancements over shared networks. Among the most important is microsegmentation, which is the ability to divide networks into smaller and faster segments that can operate at the maximum possible speed of the wire (also known as wire-speed). To improve network performance, switches must address three issues:

  • They must stop unneeded traffic from crossing network segments.
  • They must allow multiple communication paths between segments.
  • They cannot introduce performance degradation.

Routers are also used to improve performance. Routers are typically attached to switches to connect multiple LAN segments. A switch forwards the traffic to the port on the switch to which the destination device is connected, which in turn reduces the traffic to the other devices on the network. Information from the sending device is routed directly to the receiving device. No device other than the router, switch, and end nodes sees or processes the information.

The network now becomes less saturated, more secure, and more efficient at processing information, and precious processor time is freed on the local devices. Routers today are typically placed at the edge of the network and are used to connect WANs, filter traffic, and provide security. See Figure 1.3.

Figure 1.3: Routers and switches

Like bridges, switches perform at OSI Layer 2 by examining the packets and building a forwarding table based on what they hear. Switches differ from bridges by helping to meet the following needs for network designers and administrators:

  • Provide deterministic paths
  • Relieve network bottlenecks
  • Provide deterministic failover for redundancy
  • Allow scalable network growth
  • Provide fast convergence
  • Act as a means to centralize applications and servers
  • Have the capacity to reduce latency

Network Switching (Part I)

Physical Media and Switching Types

The following are the most popular types of physical media in use today:

  • Ethernet—Based on the Institute of Electrical and Electronics Engineers (IEEE) 802.3 standard. However, it doesn’t rely on the Carrier Sense Multiple Access Collision Detection (CSMA/CD) technology. It includes 10Mbps LANs, as well as Fast Ethernet and Gigabit Ethernet.

  • Token−Ring—Not as popular as Ethernet switching. Token−Ring switching can also be used to improve LAN performance.

  • FDDI—Rarely used, chiefly due to the high expense of Fiber Distributed Data Interface (FDDI) equipment and cabling.

The following are some of the protocol and physical interface switching types in use today:

  • Port switching—Takes place in the backplane of a shared hub. For instance, ports 1, 2, and 3 could be connected to backplane 1, whereas ports 4, 5, and 6 could be connected to backplane 2. This method is typically used to form a collapsed backbone and to provide some improvements in the network.

  • Cell switching—Uses Asynchronous Transfer Mode (ATM) as the underlying technology. Switch paths can be either permanent virtual circuits (PVCs) that never go away, or switched virtual circuits (SVCs) that are built up, used, and torn down when you’re finished.

Networking Architectures

Network designers from the beginnings of networking were faced with the limitations of the LAN topologies. In modern corporate networks, LAN topologies such as Ethernet, Token Ring, and FDDI are used to provide network connectivity. Network designers often try to deploy a design that uses the fastest functionality that can be applied to the physical cabling. Many different types of physical cable media have been introduced over the years, such as Token Ring, FDDI, and Ethernet.

At one time, Token Ring was seen as a technically superior product and a viable alternative to Ethernet. Many networks still contain Token Ring, but very few new Token Ring installations are being implemented. One reason is that Token Ring is an IBM product with very little support from other vendors. Also, the prices of Token Ring networks are substantially higher than those of Ethernet networks. FDDI networks share some of the limitations of Token Ring. Like Token Ring, FDDI offers excellent benefits in the area of high-speed performance and redundancy. Unfortunately, however, it has the same high equipment and installation costs. More vendors are beginning to recognize FDDI and are offering support, services, and installation for it, especially for network backbones. Network backbones are generally high-speed links running between segments of the network. Normally, backbone cable links run between two routers; but they can also be found between two switches or a switch and a router.

Ethernet has by far overwhelmed the market and obtained the highest market share. Ethernet networks are open-standards based, more cost-effective than other types of physical media, and have a large base of vendors that supply the different Ethernet products. The biggest benefit that makes Ethernet so popular is the large number of technical professionals who understand how to implement and support it.

Early networks were modeled on the peer-to-peer networking model. These worked well for small numbers of nodes, but as networks grew they evolved into the client/server network model of today. Let’s take a look at these two models in more depth.

Peer−to−Peer Networking Model

A small, flat network or LAN often contains multiple segments connected with hubs, bridges, and repeaters. This is an Open Systems Interconnection (OSI) Reference Model Layer 2 network that can actually be connected to a router for access to a WAN connection. In this topology, every network node sees the conversations of every other network node.

In terms of scalability, the peer-to-peer networking model has some major limitations, especially with the technologies that companies must utilize to stay ahead in their particular fields. No quality of service, prioritizing of data, redundant links, or data security can be implemented here, other than encryption. Every node sees every packet on the network. The hub merely forwards the data it receives out of every port, as shown in Figure 1.1.

Figure 1.1: A flat network topology.

Early networks consisted of a single LAN with a number of workstations running peer−to−peer networks and sharing files, printers, and other resources. Peer−to−peer networks share data with one another in a non−centralized fashion and can span only a very limited area, such as a room or building.

Client/Server Network Model

Peer-to-peer model networks evolved into the client/server model, in which the server shares applications and data storage with the clients in a somewhat more centralized network. This setup includes a little more security, provided by the operating system, and ease of administration for the multiple users trying to access data.

A LAN in this environment consists of a physical wire connecting the devices. In this model, LANs enable multiple users in a relatively small geographical area to exchange files and messages, as well as to access shared resources such as file servers and printers. The isolation of these LANs makes communication between different offices or departments difficult, if not impossible. Duplication of resources means that the same hardware and software have to be supplied to each office or department, along with separate support staff for each individual LAN.

WANs soon developed to overcome the limitations of LANs. WANs can connect LANs across normal telephone lines or other digital media (including satellites), thereby ignoring geographical limitations in dispersing resources to network clients.

In a traditional LAN, many limitations directly impact network users. Almost anyone who has ever used a shared network has had to contend with the other users of that network and experienced the impacts. These effects include such things as slow network response times, making for poor network performance. They are due to the nature of shared environments.

When collision rates increase, the usefulness of the bandwidth decreases. As applications begin having to resend data due to excessive collisions, the amount of bandwidth used increases and the response time for users increases. As the number of users increases, the number of requests for network resources rises, as well. This increase boosts the amount of traffic on the physical network media and raises the number of data collisions in the network. This is when you begin to receive more complaints from the network’s users regarding response times and timeouts. These are all telltale signs that you need a switched Ethernet network. Later in this chapter, we will talk more about monitoring networks and solutions to these problems. But before we cover how to monitor, design, and upgrade your network, let’s look at the devices you will find in the network.