An incorrectly configured switch can be a critical error. In this video, you’ll learn about stopping switching loops with spanning tree protocol, managing VLAN assignments, and best practices for configuring access control lists.
As you’re probably aware, at the Mac address level, there’s no mechanism for counting how many times a frame might be seen on a network. For that reason, we have to be very careful that we don’t create a loop on our switch network, because those frames will continue to circle and circle and circle around that network until you unplug one of those connections. That’s one of the reasons that it’s so important to have spanning tree enabled on your network so that any potential loop could be stopped before that traffic starts looping.
Obviously switches forward traffic based on the destination Mac address that’s inside of a frame. So every unicast packet has a single destination on where that packet should be heading. There are some packets that are sent to multiple devices on the network simultaneously. Broadcasts and multicasts are a very good example of a single frame that can go into a switch, and that single frame can be transmitted out every other interface on that switch. With IP, we have a time to live field.
This time to live field prevents any particular packet from circling indefinitely around the network, but there’s nothing in the frame on a switch network that can prevent that type of loop. A normal switch network might have a switch on one end of the network and a switch on the other end of the network, and they’re connected with one cable. When we send traffic across that network, it traverses that cable to make its way to the destination device.
But inside of a wiring closet, it’s very easy to add a separate connection accidentally, thereby creating a loop on the network. Now whenever traffic traverses this network, it’s trying to find its way to the other side of the network, but instead it loops around and around and around the network, and as more traffic is added to the network, that traffic also loops around the network until, very quickly, both switches are overwhelmed and the network comes to a grinding halt.
This is why many network administrators turn on spanning tree to prevent loops on the network. But how does spanning tree know where these different switches are and how is it able to prevent loops? One of the mechanisms used by spanning tree protocol is the Bridge Protocol Data Unit or BPDU. All of these switches are sending Mac layer multicast to each other that contain these Bridge Protocol Data Unit frames. Any other switch that is on this local broadcast domain will see these multicasts and see that they contain configuration details and they inform whenever there’s any topology change.
The default for spanning tree is to send these BPDUs out every two seconds, so we know that every switch that is on our broadcast domain is getting an update from our switch every two seconds, and our switch is receiving updates from other switches every two seconds. But if we don’t see these hello frames arriving every two seconds, we wait and see if another two seconds goes by without an update. And if, finally, we see three of those that are missed, the link is considered to be down.
At this point, spanning tree realizes there’s been a change to the topology of the network and it redesigns itself to prevent any loops. Spanning tree relies on the concept of a root bridge. This root bridge is elected when the network is first started. All of the bridges participate in this root bridge election, and they choose the best connection to be able to communicate to that root bridge. You can manually configure which bridge you’d like to use as the root bridge by setting its bridge ID to be a low value.
You can set these bridge IDs to be between zero and 61,440, and the one that has the lowest bridge ID is the root bridge. If you have multiple switches with the same bridge ID, the switch that has the lowest Mac address number is the one that becomes the root bridge. Once the root bridge is elected, all of the other switches configure their settings so that they know exactly how to communicate back to this root bridge. As an example, we have this network with a number of switches on it.
We have bridge 1, bridge 6, bridge 5, bridge 21, and bridge 11, and all of these switches are connecting multiple networks to each other. When this network was created, a root bridge was determined. This is the bridge at the top. That is bridge 1, and you can see that this bridge has two designated ports that are connecting the root to the rest of the network. All the other switches are configured with a root port, and that root port is the port that you would take to get back to the root bridge.
And they may also have designated ports that are active and passing traffic. Some switches might also have blocked ports. These ports have been blocked by spanning tree to prevent any loops on this network. For example, if we wanted to connect from network A and connect to a device in network M, we can simply pass through bridge 6. We could also go all the way through the network to a different bridge, but you’ll see there is a blocked port that would prevent us from looping around this network thanks to spanning tree protocol.
This configuration works great and we can communicate between network A and network M without a problem. But what if we run into an issue where we lose connectivity between network A and bridge 6? We now have no way to communicate from network A to network M because we have these blocked ports that originally were blocking a loop. Spanning tree recognizes that this connection has failed because the hello was not seen within three updates, and spanning tree will now go into a mode to reconfigure the network.
It first removes those blocked ports from those bridges so now network A can communicate through network Y, network C, network J, through the root, and finally, to network M. This is how spanning tree is able to change the configuration of the network in real time to allow us to communicate to these different networks without causing a loop on the network. Spanning tree can put these interfaces into different states. We’ve already seen the blocking state or the discarding state so that it’s not going to pass traffic through that particular interface.
There’s also a listening mode that spanning tree will use before making any changes to the network. It’s listening for other switches that might be on that local broadcast domain, and it’s able to set its configuration based on the other switches that it sees. It then begins learning and adding information to the Mac address table inside of the switch, and once it knows whether that particular interface should be enabled or disabled, it puts it into either a forwarding mode or a blocking mode.
And if you want to be sure that spanning tree will never use a particular interface to forward traffic, you can put it into a disabled mode where the administrator of the network has administratively turned off that port. If you’ve connected a device to the network and it’s received an IP address, but yet it still can’t communicate to other devices that are on the same network, you may have a problem with a VLAN configuration. Every interface on a switch is associated with a particular VLAN.
This may be a single VLAN for a single device. We refer to those as access ports and each access port is assigned a particular VLAN ID. You can see on this switch some of these interfaces are on VLAN 254 and other interfaces are on VLAN 100. If you’re connecting a device to switch interface number four and you’re not sure which VLAN is associated with switch interface number four, you’ll need to check the configuration of your switch and determine what specific VLAN is assigned to that physical interface.
It may be that we were expecting switch interface four to be on VLAN 254, so we would need to make a change to our switch configuration to be able to change that ID or we would need to move to an available interface that’s already configured for VLAN 254. You’ll find that this is a very common issue, especially when your network has a large number of VLANs, but fortunately, it’s something that can be resolved relatively quickly.
Even after configuring the correct VLAN, plugging into the network and receiving the correct IP addresses and configuration settings, you still might find that you’re not able to communicate across the network. You’ve looked at your switch configuration and your routing tables and everything appears to be configured properly, but you may find that packets are still being dropped and not making it to its final destination. You could be configuring everything correctly inside of your switch and your router, but if you’ve got access control lists somewhere along the way, it could be blocking some of the traffic that you’re sending.
You’ll need to check the switches and routers on your network to see if any access control lists have been configured on any of those interfaces. This is usually a very quick check, and it should be part of your normal troubleshooting process, especially if you find that no traffic is able to communicate from one network to another. Access control lists work very similar to a firewall rule base. We would like to have the more granular rules at the top of the list. The access control list stops evaluating these after finding a match, so having the more common matches at the top of the list would make the network that much more efficient.
This also means that we can fire on more granular controls at the top of this list than the broader controls that might be lower down in the ACL. As a best practice, if you’re making any changes to an access control list, you might want to disable the ACL functionality first. It’s very possible to make a change to an ACL that would effectively remove your access to the same switch. Also, remember, if you add an access list to an interface, the default for many devices is to automatically deny all traffic that’s not specifically listed in an access control list. So building an empty ACL would effectively filter all communication through that device.