Switch Operations N10-009

Slide 1 of 10  |  N10-009 Obj 2.3  |  Chapter 8
Switch Operations:
From MAC Learning to Port Security
A rogue device can flood your CAM table. Understanding how switches work prevents it.
A rogue device is flooding your switch with fake MAC addresses. Your CAM table is full and the switch is acting like a hub — forwarding every frame out every port. Understanding switch operations and port security prevents this.
Slide 2 of 10
How Switches Learn — The MAC Table
Switches build a MAC address table (also called the CAM table) dynamically. Entries expire after about 5 minutes by default.
MAC Address          Port    Type       Age (sec)
00:1A:2B:3C:4D:01    Gi0/1   Dynamic    210
00:1A:2B:3C:4D:02    Gi0/2   Dynamic    45
00:1A:2B:3C:4D:03    Gi0/3   Static     --
FF:FF:FF:FF:FF:FF    All     Built-in   --
Learning Process
When a frame arrives, the switch reads the source MAC address and records which port it came from. This is passive and automatic — every device that sends a frame teaches the switch about its location.
Forwarding Decision
When a frame arrives for a destination MAC: if the switch knows the port, it forwards only there (unicast). If it does not know the destination, it floods out all ports except the incoming one.
CAM Table Flood Attack
Flood the switch with frames using thousands of fake source MACs. The CAM table fills up. Now the switch cannot learn real MACs and must flood every frame — it behaves like a hub. An attacker can capture all traffic. This is MAC flooding.
Slide 3 of 10
Switching Methods — When Does the Frame Leave?
Three methods differ in how much of a frame the switch reads before forwarding it. Each trades latency against error detection.
Safest
Store-and-Forward
Reads: The entire frame before forwarding.
Error check: Full CRC check. Corrupt frames are discarded.
Latency: Highest — must wait for last bit.
When used: Default on modern enterprise switches. Required for QoS decisions.

The only method that can catch a bad frame before it propagates to other devices.
Fastest
Cut-Through
Reads: Only the first 6 bytes (destination MAC) then immediately forwards.
Error check: None — corrupt frames are forwarded.
Latency: Lowest possible. Begins forwarding before the frame fully arrives.

Two sub-modes: Fast-Forward (forwards after DA only) and Fragment-Free (see below). Used in low-latency trading and HPC environments.
Compromise
Fragment-Free
Reads: First 64 bytes before forwarding.
Rationale: Most errors and all collision fragments are contained in the first 64 bytes.
Error check: Partial — catches collision-damaged frames but not bit errors in the payload.

A middle ground between cut-through latency and store-and-forward reliability.
Exam tip: Store-and-forward is the correct answer for "which switching method performs error checking?" Cut-through is correct for "which method has the lowest latency?" Fragment-free reads the first 64 bytes — the minimum Ethernet frame size.
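Added example (not from the slides): a small Python model of the three forwarding decisions above. The FCS is approximated with zlib.crc32 over the frame body and the frames are constructed; what it shows is which method lets a payload bit error or a collision runt through.

```python
import zlib

MIN_FRAME = 64   # minimum Ethernet frame size; the fragment-free read depth

def build_frame(dst, src, payload):
    """Constructed frame: dst(6) + src(6) + EtherType(2) + payload + FCS(4)."""
    body = dst + src + b"\x08\x00" + payload
    return body + zlib.crc32(body).to_bytes(4, "big")

def fcs_ok(frame):
    """Recompute the trailer over the body; False means the frame is corrupt."""
    body, fcs = frame[:-4], frame[-4:]
    return zlib.crc32(body).to_bytes(4, "big") == fcs

def forward_decision(frame, method):
    """True = forward, False = discard, for the named switching method."""
    if method == "cut-through":
        # Only the 6-byte destination MAC is read; nothing is verified
        return len(frame) >= 6
    if method == "fragment-free":
        # Reads 64 bytes: catches runts and collision fragments,
        # but a bit error beyond byte 64 is never seen
        return len(frame) >= MIN_FRAME
    if method == "store-and-forward":
        # Whole frame buffered and FCS verified; corrupt frames never leave
        return len(frame) >= MIN_FRAME and fcs_ok(frame)
    raise ValueError(f"unknown switching method: {method}")

def corrupt(frame, offset):
    """Flip one bit at the given offset (simulates a transmission error)."""
    b = bytearray(frame)
    b[offset] ^= 0x01
    return bytes(b)
```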
Slide 4 of 10
Port Security — Locking Down MACs per Port
Port security limits how many MAC addresses can use a port and what happens when the limit is violated.
! Enable port security on an interface
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security violation shutdown
Sticky MAC
The sticky keyword causes the switch to automatically learn the first MAC(s) up to the maximum and then store them as if they were statically configured. Saves manual entry but still locks the port.
Maximum MACs
Set to 1 for a port serving a single workstation. Set to 2 if a VoIP phone is daisy-chained (phone + PC share one port). Default maximum is 1.
Shutdown
Port immediately goes to err-disabled state. No traffic flows. Admin must manually re-enable with no shutdown. Generates a syslog message and SNMP trap.
Use for: High-security environments. Best protection. Most visible.
Restrict
Frames from unknown MACs are dropped. The violation counter increments. A syslog message is generated. Port stays up and legitimate traffic continues flowing.
Use for: Monitoring while keeping the port operational.
Protect
Frames from unknown MACs are dropped silently. No syslog. No counter increment. No notification of any kind. Port stays up.
Use for: Environments where you want silent dropping with no log noise. Least visible — not ideal for security auditing.
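Added example (not from the slides): a toy Python switch that ties the MAC-learning slide to this one. It learns source MACs into a fixed-size CAM table, floods unknown destinations, and applies port security with a per-port maximum and the three violation modes. The table capacity, port names and MACs are constructed values, not those of any real switch.

```python
from dataclasses import dataclass, field

CAM_CAPACITY = 8   # toy size; real CAM tables hold thousands of entries

@dataclass
class Port:
    name: str
    max_macs: int = 0          # 0 = port security not enabled on this port
    mode: str = "shutdown"     # violation mode: shutdown | restrict | protect
    secure: set = field(default_factory=set)   # sticky-learned MACs
    violations: int = 0
    err_disabled: bool = False
    log: list = field(default_factory=list)    # stands in for syslog

class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.cam = {}          # dynamic entries: source MAC -> port name

    def violation(self, port, src):
        # All three modes drop the frame; they differ in visibility and in
        # whether the port stays up.
        if port.mode == "shutdown":
            port.err_disabled = True
            port.violations += 1
            port.log.append(f"{port.name}: err-disabled, offending MAC {src}")
        elif port.mode == "restrict":
            port.violations += 1
            port.log.append(f"{port.name}: dropped frame from {src}")
        # protect: silent drop, no counter, no log
        return []

    def receive(self, ingress, src, dst):
        """Return the egress port list for one frame ([] if it is dropped)."""
        port = self.ports[ingress]
        if port.err_disabled:
            return []
        if port.max_macs and src not in port.secure:
            if len(port.secure) >= port.max_macs:
                return self.violation(port, src)
            port.secure.add(src)   # sticky: learn up to the maximum
        # Learning: a full table cannot take new source MACs
        if src not in self.cam and len(self.cam) < CAM_CAPACITY:
            self.cam[src] = ingress
        # Forwarding: known destination -> unicast, unknown -> flood
        if dst in self.cam and self.cam[dst] != ingress:
            return [self.cam[dst]]
        return [n for n in self.ports if n != ingress]
```

Once the table is full, a host that was never learned gets every reply flooded to all ports, which is the hub-like behaviour the first slide describes; on a secured port the second MAC is what triggers the violation.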
Slide 5 of 10
PoE — Power Over Ethernet
Three standards. Know the wattage. Know the use cases. Know what a power budget is.
Standard   Also Known As     Max per Port (PSE)   Available at PD   Pairs Used   Common Use Cases
802.3af    PoE               15.4W                12.95W            2 pairs      IP phones, basic Wi-Fi access points, IP cameras
802.3at    PoE+              30W                  25.5W             2 pairs      High-power APs (802.11n/ac), video phones, pan-tilt cameras
802.3bt    PoE++ / 4PPoE     60W / 90W            51W / 71.3W       4 pairs      802.11ax APs, thin clients, LED lighting, small switches
Power Budget
A 48-port PoE switch might have a total power budget of 740W. If every port draws 15.4W (802.3af), you hit the limit at 48 ports — exactly. More powerful devices reduce how many ports you can run simultaneously.
PSE vs PD
PSE (Power Sourcing Equipment) = the switch providing power. PD (Powered Device) = the device receiving power (camera, phone, AP). The switch negotiates with the device to determine how much power to deliver.
PoE Injectors
If your switch does not support PoE, a PoE injector sits inline between the switch and the PD. It adds DC power to the Ethernet cable without replacing the network path. Midspan devices provide similar functionality for multiple ports.
Slide 6 of 10
Port Mirroring — SPAN and Traffic Analysis
You cannot plug a packet sniffer into a switch port and see all traffic, because a switch delivers unicast frames only to the destination's port. Port mirroring solves this.
SPAN — Switched Port Analyzer
Copies traffic from one or more source ports (or VLANs) to a destination port. An IDS or a Wireshark host on the destination port captures the copies without interrupting the live path. Both received (ingress) and transmitted (egress) traffic on the sources are copied unless you specify ingress-only or egress-only.

Example: Mirror Gi0/1 and Gi0/2 to Gi0/24 where your IDS lives. All traffic on those ports is copied to the IDS without inserting any device in the data path.
RSPAN — Remote SPAN
Extends SPAN across multiple switches using a dedicated RSPAN VLAN. The mirrored traffic traverses the network to reach a monitoring device on a different switch. Useful when your IDS is in a central monitoring rack and the monitored ports are on edge switches.
CDP — Cisco Discovery Protocol
Layer 2 proprietary Cisco protocol. Advertises device type, hostname, IP address, IOS version, and connected interface. Runs on Cisco devices only. Sends multicast frames every 60 seconds. Security concern: CDP leaks device information. Disable on untrusted ports (customer-facing, external).
LLDP — Link Layer Discovery Protocol
IEEE 802.1AB standard equivalent of CDP. Vendor-neutral. Works across Cisco, Juniper, HP, and any 802.1AB-compliant device. Advertises similar information: device ID, port ID, capabilities, management address. Used by IP phones to auto-discover the voice VLAN from the switch. Enable selectively — same security cautions apply as CDP.
Exam distinction: CDP is Cisco-proprietary, LLDP is IEEE standard. Both operate at Layer 2. Both should be disabled on ports connected to untrusted devices or public-facing infrastructure.
Slide 7 of 10
QoS Basics — Prioritizing Time-Sensitive Traffic
Quality of Service ensures voice and video are not starved when the network is congested. Switches enforce QoS at Layer 2.
Priority 1
Voice (VoIP)
Requires <150ms one-way delay, <30ms jitter, <1% packet loss. Highest queue priority. Any dropped voice packet is audible as a gap or click.
Priority 2
Video / Real-Time
Requires low jitter but slightly more tolerant than voice. Video conferencing and surveillance streams go here. Buffering is noticeable but not catastrophic.
Priority 3
Critical Data
Business-critical applications — ERP, database queries, VDI. Humans are waiting on responses. Gets forwarding preference over background traffic.
Best Effort
Bulk / Background
Backups, software updates, file transfers. Gets whatever bandwidth remains after higher tiers are served. Can be rate-limited to prevent congestion.
802.1p — CoS (Class of Service)
3-bit field in the 802.1Q VLAN tag. Values 0-7. 7 = highest priority. Used by switches to classify and queue traffic at Layer 2.
DSCP — Layer 3 Marking
Differentiated Services Code Point. 6-bit field in the IP header. Preserved end-to-end. Switches can mark, trust, or remark DSCP values.
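Added example (not from the slides): Python that pulls the 3-bit 802.1p CoS value out of an 802.1Q tag and the 6-bit DSCP out of an IPv4 header, then places the frame in one of the four queues above. The frame bytes and the CoS/DSCP-to-queue mapping are constructed assumptions for illustration.

```python
import struct

# Queues from the slide, lowest to highest priority
QUEUES = ["Bulk / Background", "Critical Data", "Video / Real-Time", "Voice (VoIP)"]

def parse_markings(frame):
    """Return (vlan_id, cos, dscp) from an 802.1Q-tagged IPv4 frame."""
    if frame[12:14] != b"\x81\x00":          # TPID after dst(6) + src(6)
        raise ValueError("frame is not 802.1Q tagged")
    tci = struct.unpack("!H", frame[14:16])[0]
    cos = tci >> 13                           # PCP: top 3 bits (802.1p, 0-7)
    vlan_id = tci & 0x0FFF                    # VID: low 12 bits
    if frame[16:18] != b"\x08\x00":
        raise ValueError("payload is not IPv4")
    tos = frame[19]                           # 2nd byte of the IPv4 header
    dscp = tos >> 2                           # DSCP: top 6 bits, ECN below
    return vlan_id, cos, dscp

def queue_for(cos, dscp):
    """Assumed policy: CS5/EF and above or CoS 5-7 -> voice; CS4/AF4x or
    CoS 4 -> video; CS2 through AF3x or CoS 2-3 -> critical; else bulk."""
    if dscp >= 40 or cos >= 5:
        return QUEUES[3]
    if dscp >= 32 or cos == 4:
        return QUEUES[2]
    if dscp >= 16 or cos >= 2:
        return QUEUES[1]
    return QUEUES[0]

def build_tagged_frame(vlan_id, cos, dscp):
    """Constructed 802.1Q + IPv4 frame carrying only the fields parsed above."""
    tci = (cos << 13) | (vlan_id & 0x0FFF)
    ip_header = bytes([0x45, dscp << 2]) + b"\x00" * 18   # minimal 20-byte header
    return (b"\x00" * 12 + b"\x81\x00" + struct.pack("!H", tci)
            + b"\x08\x00" + ip_header)
```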
Slide 8 of 10
Managed vs Unmanaged Switches
The difference matters for where in the network each type belongs and what features you can configure.
Unmanaged Switch
Configuration: None — plug in and it works
VLANs: Not supported
Port security: Not available
QoS: Not available
SPAN: Not available
Management interface: None
STP: Basic (some models)
Use case: Home, small office, temporary deployments, connecting a few devices under a managed switch
Managed Switch
Configuration: CLI (SSH/Telnet), web GUI, or SNMP
VLANs: Full 802.1Q VLAN support
Port security: MAC limiting, violation modes
QoS: 802.1p CoS, DSCP marking/trust
SPAN: Traffic mirroring to monitoring device
Management interface: Out-of-band MGMT port
STP: Full RSTP, PVST+, MSTP
Use case: All enterprise environments. Any network that needs segmentation, monitoring, or security.
In enterprise networks, all switches in the wiring closet or data center are managed. Unmanaged switches occasionally appear in conference rooms or small remote offices under a managed distribution layer switch, but you should never place them where VLANs, port security, or monitoring are required.
Slide 9 of 10
Troubleshooting — show Commands That Matter
The CAM table flood scenario started this presentation. These commands diagnose it and every other Layer 2 problem.
show mac address-table
Switch# show mac address-table
          Mac Address Table
Vlan    Mac Address       Type        Ports
----    ---------------   --------    -----
   1    00a0.1b2c.3d4e    DYNAMIC     Gi0/1
   1    00a0.1b2c.3d4f    DYNAMIC     Gi0/2
-- If thousands of entries, CAM flood in progress
show port-security
Switch# show port-security interface Gi0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Security Violation Count : 0
show mac address-table count
Switch# show mac address-table count
Mac Entries for Vlan 1:
Dynamic Address Count : 14
Static Address Count : 1
Total Mac Addresses : 15
-- Normal. Thousands = CAM flood
show interfaces — err-disabled check
Switch# show interfaces status
Port      Name    Status         Vlan
Gi0/1             connected      1
Gi0/4             err-disabled   1
-- err-disabled = port security fired
! Manually re-enable an err-disabled port (see Shutdown mode on slide 4)
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
You see thousands of MAC entries in the CAM table and the switch is flooding all traffic. First: identify the source port, which is the port listed against the thousands of dynamic entries in show mac address-table. Then: enable port security with maximum 1 and violation shutdown. The rogue device's port goes err-disabled the moment it sends a second MAC.
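Added example (not from the slides): a Python helper that does the "identify the source port" step from captured show mac address-table text by counting DYNAMIC entries per port. The sample output is constructed to match the format on this slide; the threshold of 50 is an assumption to tune to how many hosts a port should legitimately serve.

```python
import re
from collections import Counter

# Constructed sample: the slide's format, plus one port that has learned
# far more dynamic MACs than a single workstation ever would.
SAMPLE_OUTPUT = """\
          Mac Address Table
Vlan    Mac Address       Type        Ports
----    ---------------   --------    -----
   1    00a0.1b2c.3d4e    DYNAMIC     Gi0/1
   1    00a0.1b2c.3d4f    DYNAMIC     Gi0/2
   1    00a0.1b2c.3d50    STATIC      Gi0/3
""" + "".join(f"   1    dead.beef.{i:04x}    DYNAMIC     Gi0/4\n" for i in range(500))

# vlan, dotted-hex MAC, type, port
ENTRY = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$")

def dynamic_macs_per_port(output):
    """Count DYNAMIC entries per port in 'show mac address-table' text."""
    counts = Counter()
    for line in output.splitlines():
        m = ENTRY.match(line)
        if m and m.group(3).upper() == "DYNAMIC":
            counts[m.group(4)] += 1
    return counts

def suspect_ports(output, threshold=50):
    """Ports carrying more dynamic MACs than an access port should (assumed cutoff)."""
    return sorted(p for p, n in dynamic_macs_per_port(output).items() if n > threshold)
```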
Slide 10 of 10  |  N10-009 Obj 2.3
Switch Operations — Complete Picture
The rogue device flooded your CAM table with fake MACs. Your switch started acting like a hub. You ran show mac address-table count — thousands of entries. You identified the port, enabled port-security maximum 1 violation shutdown, and the rogue device's port went err-disabled on its next frame. Traffic returned to normal. CAM flood: prevented.
1 Switches learn by source MAC. Unknown destinations are flooded. A full CAM table causes all traffic to flood — the MAC flood attack.
2 Three switching methods: store-and-forward (CRC check, most reliable), cut-through (first 6 bytes, fastest), fragment-free (first 64 bytes, partial check).
3 Port security violation modes: shutdown (err-disabled, most secure), restrict (drop + log), protect (silent drop, no log).
4 PoE standards: 802.3af = 15.4W, 802.3at = 30W, 802.3bt = 60/90W. Know the wattage per standard.
5 show mac address-table diagnoses CAM floods. show port-security shows violation counts. CDP = Cisco-only, LLDP = IEEE standard.