Switch Full Book 2017

The document discusses Cisco certifications and networking topics. It provides an agenda for a course on campus network design arranged by Engineer Ahmed Nabil from EL-DoN. The course agenda covers topics like designing LANs, CANs and data centers, choosing Cisco and Juniper switch models, enterprise network design, switch management, VLANs, trunking, STP, EtherChannels, gateway redundancy, switch virtualization, and security. It also introduces the TCP/IP model, different network types like LAN, CAN, WAN, MAN, and provides an overview of campus networks.


Advanced
Scalable Campus
Multi-layer
Switched networks

Arranged by:
Eng. AHMED NABIL
(EL-DoN)

AHMED NABIL
New Cisco
Certifications model

Cisco Certifications model

Cisco Different Certifications Fields

  Track                      Associate                    Professional               Expert
  Network Implementation     CCNA R&S                     CCNP R&S                   CCIE Routing and Switching
  Network Design             CCDA                         CCDP                       CCDE
  Network Service Provider   CCNA SP                      CCNP SP (formerly CCIP)    CCIE Service Provider
  Network Security           CCNA + CCNA Security         CCNP Security              CCIE Security
  Voice Networks             CCNA + CCNA Collaboration    CCNP Collaboration         CCIE Voice
  Wireless Networks          CCNA + CCNA Wireless         CCNP Wireless              CCIE Wireless

Implementing Cisco IP Switched Networks (300-115)
Exam Description

Implementing Cisco IP Switched Networks (SWITCH 300-115) is a 120-minute qualifying exam with 45-55 questions for the Cisco CCNP Routing and Switching and CCDP certifications. The SWITCH 300-115 exam certifies the switching knowledge and skills of successful candidates. They are certified in planning, configuring, and verifying the implementation of complex enterprise switching solutions that use the Cisco Enterprise Campus Architecture.
The following topics are general guidelines for the content that is
likely to be included on the exam. However, other related topics
may also appear on any specific version of the exam. To better
reflect the contents of the exam and for clarity, the following
guidelines may change at any time without notice.

1.0 Layer 2 Technologies 65%


1.1 Configure and verify switch administration
1.1.a SDM templates
1.1.b Managing MAC address table
1.1.c Troubleshoot Err-disable recovery
1.2 Configure and verify Layer 2 protocols
1.2.a CDP, LLDP
1.2.b UDLD
1.3 Configure and verify VLANs
1.3.a Access ports
1.3.b VLAN database
1.3.c Normal, extended VLAN, voice VLAN
1.4 Configure and verify trunking
1.4.a VTPv1, VTPv2, VTPv3, VTP pruning
1.4.b dot1Q
1.4.c Native VLAN
1.4.d Manual pruning
1.5 Configure and verify EtherChannels
1.5.a LACP, PAgP, manual
1.5.b Layer 2, Layer 3
1.5.c Load balancing
1.6 Configure and verify spanning tree
1.6.a PVST+, RPVST+, MST
1.6.b Switch priority, port priority, path cost, STP timers
1.6.c PortFast, BPDUguard, BPDUfilter
1.6.d Loopguard and Rootguard
1.7 Configure and verify other LAN switching technologies
1.7.a SPAN, RSPAN
1.8 Describe chassis virtualization and aggregation technologies
1.8.a Stackwise

2.0 Infrastructure Security 20%


2.1 Configure and verify switch security features
2.1.a DHCP snooping
2.1.b IP Source Guard
2.1.c Dynamic ARP inspection
2.1.d Port security
2.1.e Private VLAN
2.1.f Storm control
2.2 Describe device security using Cisco IOS AAA with TACACS+
and RADIUS
2.2.a AAA with TACACS+ and RADIUS
2.2.b Local privilege authorization fallback

3.0 Infrastructure Services 15%


3.1 Configure and verify first-hop redundancy protocols
3.1.a HSRP
3.1.b VRRP
3.1.c GLBP

Implementing Cisco IP Routing (300-101)
Exam Description

Implementing Cisco IP Routing (ROUTE 300-101) is a 120-minute qualifying exam with 50-60 questions for the Cisco CCNP Routing and Switching and CCDP certifications. The ROUTE 300-101 exam certifies the routing knowledge and skills of successful candidates. They are certified in using advanced IP addressing and routing in implementing scalable and highly secure Cisco routers that are connected to LANs, WANs, and IPv6. The exam also covers the configuration of highly secure routing solutions to support branch offices and mobile workers.
The following topics are general guidelines for the content likely to
be included on the exam. However, other related topics may also
appear on any specific delivery of the exam. In order to better
reflect the contents of the exam and for clarity purposes, the
guidelines below may change at any time without notice.

1.0 Network Principles 10%


2.0 Layer 2 Technologies 10%
3.0 Layer 3 Technologies 40%
4.0 VPN Technologies 10%
5.0 Infrastructure Security 10%
6.0 Infrastructure Services 10%

Troubleshooting and Maintaining Cisco IP Networks (300-135)
Exam Description

Troubleshooting and Maintaining Cisco IP Networks (TSHOOT 300-135) is a 120-minute qualifying exam with 15-25 questions for the Cisco CCNP Routing and Switching certification. The TSHOOT 300-135 exam certifies that the successful candidate has the knowledge and skills necessary to:

- Plan and perform regular maintenance on complex enterprise routed and switched networks
- Use technology-based practices and a systematic ITIL-compliant approach to perform network troubleshooting

The following topics are general guidelines for the content that is
likely to be included on the exam. However, other related topics
may also appear on any specific version of the exam. To better
reflect the contents of the exam and for clarity, the following
guidelines may change at any time without notice.

1.0 Network Principles


2.0 Layer 2 Technologies 40%
3.0 Layer 3 Technologies 40%
4.0 VPN Technologies
5.0 Infrastructure Security
6.0 Infrastructure Services

Course Agenda by Eng. Ahmed Nabil (El-Don):

1- Designing small, medium and large LAN, CAN and data center switched networks.
2- Choosing Cisco and Juniper switch models (platforms) suitable for LANs, CANs and data centers.
3- Illustrating the Enterprise Composite Network hierarchical design.
4- Managing switch files, MAC tables and L2 protocols (CDP, LLDP).
5- Implementing and configuring VLANs, trunks, DTP, VTP (versions 1, 2 and 3), extended and voice VLANs.
6- Inter-VLAN routing using a router and a Layer 3 switch.
7- Link redundancy and link load distribution using EtherChannels and link aggregation (PAgP and LACP).
8- Removing Layer 2 loops using STP, RSTP, PVST+, Rapid PVST+ and MSTP.
9- Gateway (router and Layer 3 switch) redundancy protocols: HSRP, VRRP, GLBP and VRRP-E.
10- Switch virtualization and aggregation technologies using stacking and VSS.
11- Mitigating common LAN attacks with the switch security features (DHCP snooping, Dynamic ARP Inspection, IP Source Guard, port security, BPDU guard and root guard, storm control).
12- Private VLANs.
13- AAA authentication.
14- Port mirroring (Switched Port Analyzer) using SPAN and RSPAN.

Introducing Campus
Network needs
Introducing the
Enterprise Composite Network Model
(ECNM)

TCP/IP Model:

Application layer protocols:
HTTP, FTP, SMTP, POP3, Telnet, SSH, SNMP, DHCP, RIPv1, RIPv2, RIPng, BGP
(notice that some routing protocols sit in the application layer: BGP because it runs over TCP, and RIP because it runs over UDP; by the old programmers' convention anything that was not a primary protocol was treated as an application. The primary protocols are IP, TCP, UDP, ...)

Note: a protocol in the application layer is called an application and is identified by a port number (HTTP = TCP 80, RIP = UDP 520, BGP = TCP 179), while protocols in the lower layers are identified by an IP protocol number (ICMP is protocol 1, TCP is 6, UDP is 17, IPv4-in-IPv4 encapsulation is 4, IPv6 encapsulation is 41, EIGRP is 88, OSPF is 89).

Transport Layer protocols:


TCP, UDP

Internet/Network Layer protocols:


ICMP, OSPF, EIGRP, IPv4, IPv6

Network access Layer protocols:


Ethernet, dot1q, STP, ARP. Frame-relay, ATM, HDLC, PPP,
PPPoA, PPPoE,..

Types of Networks:

LAN: Local Area Network
A group of devices within a controlled area (the same geographic area, under one administration), on private property, with no need for a service provider.

CAN: Campus Area Network
Simply a big LAN, mainly a LAN composed of many buildings within a controlled area.

WAN: Wide Area Network
A group of LANs connected over a large area that usually needs a service provider in between; it can span cities, countries and continents.

MAN: Metropolitan Area Network
Simply a small WAN that connects LANs within the same city.

Campus Network overview

The OSI reference model separates data communication into seven layers, as shown in Table 1. Each layer has a specific function and a specific protocol so that two devices can exchange data on the same layer. A protocol data unit (PDU) is the generic name for a block of data that a layer on one device exchanges with the same layer on a peer device. A PDU is encapsulated in a layer's protocol before it is made available to a lower-level layer, or unencapsulated before being handed to a higher-level layer.

[Figure: device per OSI layer: hub (bits, Layer 1), bridge and workgroup switch (Layer 2), router (Layer 3)]
Traffic Switching
• What is the difference between L1, L2 & L3 switching?
L1 switching:
• Based on a shared-bus mechanism (hub/repeater), so L1 switching floods input traffic to all other output ports
L2 switching:
• Performs switching based on the destination MAC address field in the ingress frame
L3 switching:
• Performs switching based on the destination IP address field in the ingress packet

• L2 switching enhances the following points:


-Multiple collision domains (each port is a collision
domain)
-Host connections can operate at full-duplex mode
-Bandwidth is no longer shared (Micro-Segmentation)
"dedicated BW between every sender or receiver"
-Intelligent filtering & forwarding

Transparent Bridging
• Transparent switching means no host is aware of the existence of the switch: hosts send frames to the MAC address of the destination, not of the switch, and the switch does not modify the frames it forwards.
• A transparent bridge (switch) performs the following functions:
1-Learning:
Building the MAC table (the CAM, Content Addressable Memory, table) by listening to the source MAC address of incoming frames. The table has a finite size: a host that sends frames from thousands of bogus source MACs can fill it, after which the switch stops learning and floods traffic to every unlearned destination (the basis of MAC flooding attacks, mitigated by port security).

• Station A sends a frame to station C.
• The switch caches the MAC address of station A on port E0 by learning the source address of the data frame.
• The frame from station A to station C is flooded out all ports except port E0 (unknown unicasts are flooded).
• Station D sends a frame to station C.
• The switch caches the MAC address of station D on port E3 by learning the source address of the data frame.
• The frame from station D to station C is flooded out all ports except port E3 (unknown unicasts are flooded).
2-Forwarding:
Switching frames to destination through listening to
destination MAC address in an incoming frames
Forwarding will be by flooding if destination is:
-Unknown unicast (does not exist in CAM table)
-Broadcast
-Multicast

• Station D sends a broadcast or multicast frame.
• Broadcast and multicast frames are flooded to all ports other than the originating port.

• Forwarding modes:
a-Store & forward
b-Cut through
c- Modified Cut through (use both store & forward / cut
through using auto adaptation based on the traffic)
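The learning and forwarding rules above (learn on source MAC, forward on destination MAC, flood unknown unicast, broadcast and multicast) as a runnable simulation. This is an example added for this edition, not code from the original book. The port names E0-E3 and the MAC addresses are constructed, and the CAM size limit is an assumption added to show what happens when the table fills, which is what a MAC flooding attack relies on:

```python
from collections import OrderedDict

BROADCAST = "ffff.ffff.ffff"


def is_group_address(mac: str) -> bool:
    """True for multicast/broadcast: the I/G bit is the lowest bit of the first octet."""
    first_octet = int(mac.replace(".", "")[:2], 16)
    return bool(first_octet & 0x01)


class TransparentBridge:
    """Learning bridge: the CAM maps source MAC -> ingress port, oldest entry first."""

    def __init__(self, ports, cam_size=8):
        self.ports = list(ports)
        self.cam_size = cam_size            # assumed table capacity (hardware dependent)
        self.cam = OrderedDict()            # mac -> port, insertion order == age

    def learn(self, src, in_port):
        """1-Learning: record (or refresh) the source MAC on the port it arrived on."""
        if src in self.cam:
            self.cam[src] = in_port         # station moved: update the binding
            self.cam.move_to_end(src)       # refresh the aging position
        elif len(self.cam) < self.cam_size:
            self.cam[src] = in_port
        # table full: the address is simply not learned, so frames destined to it
        # keep flooding out of every port. That is what a MAC flooding attack exploits.

    def forward(self, src, dst, in_port):
        """2-Forwarding: return the list of egress ports for one frame."""
        self.learn(src, in_port)
        if is_group_address(dst) or dst not in self.cam:
            # broadcast, multicast and unknown unicast are flooded to every other port
            return [p for p in self.ports if p != in_port]
        out_port = self.cam[dst]
        if out_port == in_port:
            return []                       # filtering: destination is on the ingress segment
        return [out_port]


def run_scenario():
    """The book's scenario: stations A (E0), C (E2), D (E3); returns each frame's egress list."""
    A, C, D = "000a.0000.0001", "000a.0000.0003", "000a.0000.0004"
    bridge = TransparentBridge(["E0", "E1", "E2", "E3"])
    return {
        "A->C unknown": bridge.forward(A, C, "E0"),    # C not yet learned: flooded
        "D->C unknown": bridge.forward(D, C, "E3"),    # still flooded
        "C->A known":   bridge.forward(C, A, "E2"),    # A learned on E0: unicast
        "D->A known":   bridge.forward(D, A, "E3"),
        "D broadcast":  bridge.forward(D, BROADCAST, "E3"),
        "D multicast":  bridge.forward(D, "0100.5e00.0001", "E3"),
    }


def cam_overflow_demo():
    """With a 2-entry table a third source is not learned, so replies to it keep flooding."""
    bridge = TransparentBridge(["E0", "E1", "E2", "E3"], cam_size=2)
    bridge.forward("000a.0000.0001", BROADCAST, "E0")
    bridge.forward("000a.0000.0004", BROADCAST, "E3")
    bridge.forward("000a.0000.0002", BROADCAST, "E1")     # not learned: table is full
    # a reply to the unlearned station is flooded to every port except the ingress one
    return bridge.forward("000a.0000.0001", "000a.0000.0002", "E0")


if __name__ == "__main__":
    for frame, egress in run_scenario().items():
        print(f"{frame:14} -> {egress}")
    print("overflow reply -> ", cam_overflow_demo())
```

The overflow case is why port security (a per-port limit on learned MACs) belongs on every access port: once the table is full, unicast traffic for any unlearned host becomes visible on every port, which a sniffer on the attacking port can read.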

(Ethernet port and card types)
• Ethernet became the dominant LAN technology over FDDI, CDDI, Token Ring and ATM because of its low cost, ease of installation, market availability and scalability to higher bandwidths
• Ethernet follows the IEEE 802.3 standards and is offered in many flavours:
1) Ethernet (10 Mbps): IEEE 802.3
10Base-T, 10Base-F
2) Fast Ethernet (100 Mbps): IEEE 802.3u
-100Base-TX, 100Base-FX (MMF 2 km; SMF versions reach about 10 km)
-Built on Ethernet principles: same frame types, lengths and formats, same MAC layer (still CSMA/CD), new physical layer
-Auto-negotiation of speed and duplex can take place between Ethernet devices; the two ends settle on the highest speed and duplex both can offer
3) FEC (Fast EtherChannel): Cisco proprietary
bundles 2 to 8 Fast Ethernet links to provide 400 Mbps to 1600 Mbps (full-duplex aggregate)

4) Gigabit Ethernet (1000 Mbps): IEEE 802.3ab (gigabit over copper) and IEEE 802.3z (gigabit over fiber)
1000Base-T, 1000Base-SX (MMF 275 m-550 m), 1000Base-LX/LH (MMF 550 m, SMF 10 km), 1000Base-ZX (SMF 70 km, up to 100 km on premium fiber)
MMF: 62.5/125 or 50/125
SMF: 9/125 or 8/125

5) GEC (Gigabit EtherChannel): Cisco proprietary
bundles 2 to 8 Gigabit Ethernet links to support speeds from 4 Gbps to 16 Gbps (full-duplex aggregate)
• Enhances client/server performance across the enterprise
• Connects directly to Gbps interfaces on LAN switches that aggregate traffic from 10- or 100-Mbps segments
• Connects distribution-layer switches in each building with a central campus core

6) 10 Gigabit Ethernet (10 Gbps): IEEE 802.3ae over fiber; IEEE 802.3an (10GBase-T) over copper for 100 m on Cat 6A (about 55 m on Cat 6)
10GbE works as both a LAN and a WAN technology, so it introduced PMD (Physical Media Dependent) fiber-optic interfaces, classified into:
-LAN PHY: interconnects switches in campus networks
-WAN PHY: interfaces with the existing SONET or SDH found in MANs
10GBase-SR/SW (MMF), 10GBase-LR/LW (SMF 10 km), 10GBase-ER/EW (SMF 40 km), 10GBase-LX4/LW4 (WDM over MMF or SMF)

*Transceiver types are denoted by a two-letter suffix. The first letter specifies the wavelength used: S = short, L = long, E = extra-long wavelength. The second letter specifies the PHY type: R = LAN PHY, W = WAN PHY. In the case of LX4 and LW4, L refers to a long wavelength, X and W refer to the coding used, and 4 refers to the number of wavelengths transmitted. WWDM is wide-wavelength division multiplexing.
7) 40 Gigabit Ethernet: IEEE 802.3ba, 40 Gbps (four 10 Gbps lanes)

8) 100 Gigabit Ethernet: IEEE 802.3ba, 100 Gbps

9) Metro Ethernet: MAN technology
-used to connect enterprise sites distributed over several geographic locations where high-speed connections are desired
-service providers offer this transport method
(the transceiver suffixes apply here as well: S = short and L = long wavelength, R = LAN PHY, W = WAN PHY)

Gigabit Ethernet ports

• Gigabit Ethernet connections use a media-flexible port for both copper and fiber: the SFP (Small Form-factor Pluggable) mostly for 1 Gbps, SFP+ for 10 Gbps, QSFP (Quad SFP) for 40 Gbps and CFP (C Form-factor Pluggable, C being the Roman numeral for 100) for 100 Gbps, or the older GBIC (Gigabit Interface Converter) with RJ-45 (copper) or SC (fiber) connectors; SFP modules use RJ-45, LC or MT-RJ. The GigaStack GBIC was used to stack Catalyst switches.

Gigabit Ethernet Port Cables and Connectors
Gigabit Ethernet connections take a different approach by providing modular
connectivity options. Catalyst switches with Gigabit Ethernet ports have
standardized rectangular openings that can accept gigabit interface converter
(GBIC) or small form factor pluggable (SFP) modules. The GBIC and SFP
modules provide the media personality for the port so that various cable
media can connect. In this way, the switch chassis is completely modular
and requires no major change to accept a new media type. Instead, the
appropriate module is hot-swappable and is plugged into the switch to
support the new media. GBIC modules can use SC fiber-optic and RJ-45 UTP
connectors. SFP modules can use LC and MT-RJ fiber-optic and RJ-45 UTP
connectors. GBIC and SFP modules are available for the following Gigabit
Ethernet media:
■ 1000BASE-SX—Short-wavelength connectivity using SC fiber connectors
and MMF for distances up to 550 m (1804 feet).
■ 1000BASE-LX/LH—Long-wavelength/long-haul connectivity using SC fiber
connectors and either MMF or single-mode fiber (SMF); MMF can be used for
distances up to 550 m (1804 feet), and SMF can be used for distances up to
10 km (32,810 feet). MMF requires a special mode-conditioning cable for
fiber distances less than 100 m (328 feet) or greater than 300 m (984 feet).
This keeps the GBIC from overdriving the far-end receiver on a short cable
and lessens the effect of differential mode delay on a long cable.
■ 1000BASE-ZX—Extended-distance connectivity using SC fiber connectors
and SMF; works for distances up to 70 km, and even to 100 km when used
with premium grade SMF.
■ GigaStack—Uses a proprietary connector with a high-data-rate copper
cable with enhanced signal integrity and electromagnetic interference (EMI)
performance; provides a GBIC-to-GBIC connection between stacking
Catalyst switches or between any two Gigabit switch ports over a short
distance. The connection is full duplex if only one of the two stacking
connectors is used; if both connectors are used, they each become half
duplex over a shared bus.
■ 1000BASE-T—Sports an RJ-45 connector for four-pair UTP cabling; works
for distances up to 100 m (328 feet).

Caution: The fiber-based modules always have the receive fiber on the left
connector and the transmit fiber on the right connector, as you face the
connectors. These modules could produce invisible laser radiation from the
transmit connector. Therefore, always keep unused connectors covered with the
rubber plugs, and don’t ever look directly into the connectors.
Hardware platform model numbers

Switch H/W Platform
To read a switch's hardware capabilities properly you should learn the H/W platform naming map below.

For example, on the Catalyst 2960X platform (real part numbers carry the WS-C prefix and a license suffix such as -L for LAN Base; the letters after the port count read T = 10/100/1000BASE-T copper, P = PoE, S = SFP uplinks, F = fiber; the list is illustrative, check the datasheet for the exact models offered):

WS-C2960X-24TS …… 24 twisted-pair ports plus SFP uplinks
WS-C2960X-24PS …… 24 PoE twisted-pair ports plus SFP uplinks
WS-C2960X-12S ….… 12 SFP ports
WS-C2960X-24FS ….. 24 Fast Ethernet fiber ports plus SFP uplinks
WS-C2960X-48T …….. 48 twisted-pair ports, no PoE, no SFP uplinks

For more examples see the datasheet at the end of the book.

Modular Switches

Juniper EX8216: 12.4 Tbps backplane, a maximum of 768 ports (10/100/1000/10G) on 16 slots, up to 6 power supplies

Data Center Switch

Nexus 9516: The Cisco Nexus 9516 is a modular, 16-slot, 21-rack-unit (21RU), Layer 2 and 3 nonblocking switch with up to 60 terabits per second (Tbps) of switching capacity. It supports 1, 10, 40 and 100 Gigabit Ethernet interfaces through a comprehensive selection of modular line cards and is configurable with up to 2304 10 Gigabit Ethernet or 128 100 Gigabit Ethernet ports per chassis, with up to 10 power supplies. The Nexus 9508 is the 8-slot member of the same family.

Switch Operating Systems (S/W platforms)
1) Catalyst OS (CatOS, also known as XDI)
• Its user interface lets session and monitoring commands be intermingled with set-based configuration commands (using set and clear); the OS was inherited from Crescendo Communications, the company whose switches became Cisco's early Catalyst line.
• It supported only L2 switching, on the 2948G, Catalyst 4000 Supervisor I and II, Catalyst 5000 and Catalyst 6000/6500 (any supervisor)
• These switches later moved to Cisco IOS (native IOS)
2) Cisco IOS:
• The user interface is identical to Cisco routers, with hierarchical configuration modes
• Supports L2 switching on the fixed L2 platforms (Catalyst 2950, 2960, 2960X) and L2 plus L3 switching on the multilayer platforms (3550, 3560, 3650, 3750, 3850, 4500 Supervisor III and IV, 6000/6500/6800 any supervisor)
• A multilayer port can act as a router port (Layer 3) or as a switched port (Layer 2)
3) Nexus OS (NX-OS):
Runs the new line of Cisco data center switches, the Nexus family
Note: Juniper uses Junos as the OS on all its switches

[Figure: Cisco Catalyst 2950, 2960, 3550 and 3560; Catalyst 6500 MSFC (Multilayer Switch Feature Card)]
[Figure: simplified map of IOS software feature sets: switch IOS images LAN Lite, IP Lite and IP Plus; router IOS feature sets]


Campus Network Model

• Campus network is an enterprise network consisting


of many LANs in one or more buildings, all connected
& all usually in the same geographic area

Hierarchical Network Design

1-Access Layer (Edge layer):
• Where the end users connect to the network
• L2 switching
• Low per-port cost
• High port density
• L2 services such as basic traffic filtering, basic QoS, VLAN membership and PoE
• Uplinks to the upper layers

Access layer switches:
-Cisco Catalyst 2960X and 3650/3750/3850 with SMI (Standard Multilayer Software Image, later called IP Base) or Juniper EX2200/EX2500 for small to medium campuses
-Catalyst 4500 for large campuses
-Catalyst 6500 for very large campuses (the Catalyst 6513 supports 576 10/100 ports or 194 Gigabit ports or a combination, with a 720 Gbps or 2 Tbps backplane using Supervisor Engine 720 or 2T)

[Figure: Catalyst 2960-X models]
2-Distribution Layer (Aggregation Layer):
• Provides the interconnection between the campus access and core layers
• High L3 throughput
• Security and policy-based connectivity, and QoS
• Scalability, redundant and resilient high-speed links

Distribution layer switches:
-Cisco Catalyst 3650/3750/3850 with EMI (Enhanced Multilayer Software Image, later called IP Services), 4500-E, 6500-E or Juniper EX3200/EX4200

3-Core Layer (Backbone Layer):
• Provides connectivity between all distribution layer devices; it is referred to as the backbone
• Very high throughput at L2 or L3
• No packet manipulation (no access lists, no packet filtering)
• Redundancy and resiliency
• Advanced QoS functions
Core switches:
Cisco Catalyst 6500-E (biggest is the 6513) with a 2 Tbps backplane and a maximum of 576 10/100/1000 ports, Catalyst 6800 with an 11.4 Tbps backplane, or Juniper EX8200 (biggest is the EX8216) with a 12.4 Tbps backplane and a maximum of 768 10/100/1000 ports

[Figure: four 3650 switches]

Modular Network Design
(Enterprise Composite Network Model)
ECNM
• ECNM contains:
1-Enterprise Campus (Access-Distribution-Core)
2-Enterprise edge
3-Service provider edge

1-Enterprise Campus Modules

a) Basic modules:
1-Switch block:
• A group of access layer switches together with their distribution switches
• VLANs and STP are confined within the distribution layer boundary

2-Core block:
• The campus network backbone
• It interconnects all blocks together, all traffic passing from
block to another must cross the core block
• Core block designs:
-Collapsed core:
The core layer is collapsed into distribution layer (core is a wire
between distribution layer switches)
collapsed core is not an independent block but integrated into
distribution layer

-Dual core:
A dual core connects two or more switch blocks in a redundant
fashion
This core appears as an independent module & is not merged into
any other blocks or layers
Core block could be L2 switches but in this case load-sharing will
not be achieved due to STP

b) Other modules:
1) Server farm block:
• A group of enterprise servers along with their access and distribution layer switches
• It contains the servers or applications accessed by most enterprise users
• For redundancy there may be more than one server farm block

2) Network management block:
• A group of network management resources along with their access and distribution layer switches
• Used to monitor the campus network through network management tools such as CiscoView (a web-based network management tool), so that performance and fault conditions can be measured and detected
• A single network management block is enough, because it is not an enterprise resource accessed by all users; rather these tools reach out to the other network devices, applications, servers and user activity
ex:
-Network management applications that monitor devices over SNMP: CiscoWorks, Cisco Prime, HP OpenView, IBM Tivoli
-System logging (syslog) servers that collect messages about changes on devices, e.g., Kiwi Syslog
-NetFlow collectors for monitoring traffic
-AAA servers used as authentication servers
-Policy management applications such as Cisco NAC (Network Admission Control)
-Intrusion Detection System (IDS) management applications
Because this block holds the credentials and telemetry for the whole network, it is a high-value target: restrict access to it with ACLs at its distribution layer and use SNMPv3 and SSH rather than SNMPv1/v2c and Telnet.
2-Enterprise Edge Block
• A collection of services related to external network
access, along with their access & distribution
switches
• It is the block that connects the campus to the
service provider for access to external resources
• Ex:
-Internet Access
-Remote Access & VPNs for roaming users
-WAN Access to other enterprise sites
-E Commerce (support of web applications, database
serves, firewalls & security devices)

3-Service Provider Edge Block

• It is the edge of the service provider's hierarchical block (the external network services used by the enterprise network)
Switch
Basic
Configuration

1) Identify a switch

• L2 switch: default hostname is Switch
Switch(config)#hostname <name>
• L3 switch (e.g., Catalyst 6500 running native IOS): default hostname is Router
Router(config)#hostname <name>
• Any command entered in (config) mode is applied to the running configuration in RAM; to save it to NVRAM use
#copy run start

2) Passwords and user access

• Console:
(config)#line console 0
(config-line)#password <password>
(config-line)#login
• VTY lines (Telnet/SSH):
(config)#line vty 0 15
(config-line)#password <password>
(config-line)#login
• Enable mode:
(config)#enable password <password>
(config)#enable secret <password>
Always set enable secret: it is stored as a salted hash, while enable password is stored in clear text (or as reversible type 7), and when both are configured IOS ignores enable password.
• To hide passwords in the configuration display:
(config)#service password-encryption
This applies only the reversible type 7 encoding to line and enable passwords (it does not touch enable secret); it stops shoulder-surfing of "show running-config", not an attacker who obtains a copy of the configuration.
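A check on the password commands just listed, as an example added for this edition (it is not from the original book and is not a Cisco tool): it reads a running-config, flags enable password used without enable secret, vty lines that still accept Telnet, and shows why service password-encryption is not protection by reversing a type 7 string. The two configurations and the hash placeholder are constructed; the type 7 string is the widely published encoding of the password "cisco"; the rule that a vty with no transport input command accepts Telnet assumes the older IOS default of transport input all:

```python
# The XOR key IOS uses for type 7 strings; it has been public for decades.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed sample configs (not taken from a real device).
WEAK_CONFIG = """\
hostname SW1
service password-encryption
enable password 7 0822455D0A16
!
line con 0
 password 7 0822455D0A16
 login
line vty 0 15
 password 7 0822455D0A16
 login
 transport input all
"""

HARDENED_CONFIG = """\
hostname SW1
service password-encryption
enable secret 5 CONSTRUCTED-HASH-PLACEHOLDER
username admin secret 5 CONSTRUCTED-HASH-PLACEHOLDER
line con 0
 password 7 0822455D0A16
 login
line vty 0 15
 login local
 transport input ssh
"""


def decrypt_type7(encoded: str) -> str:
    """Reverse a type 7 string: two-digit key offset, then hex bytes XORed with the key."""
    offset = int(encoded[:2], 10)
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ _TYPE7_KEY[(offset + i) % len(_TYPE7_KEY)]
                 for i, b in enumerate(data)).decode()


def audit_config(config: str) -> list:
    """Return sorted finding codes for the enable/line password settings in a config."""
    has_secret = has_enable_password = pw_encryption = False
    line_blocks = {}          # "line vty 0 15" -> sub-commands seen in that block
    block = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):                 # global configuration command
            block = None
            if raw.startswith("line "):
                block = raw.strip()
                line_blocks[block] = {"login": None, "password": None, "transport": None}
            elif raw.startswith("enable secret"):
                has_secret = True
            elif raw.startswith("enable password"):
                has_enable_password = True
            elif raw.strip() == "service password-encryption":
                pw_encryption = True
            continue
        if block is None:
            continue
        sub = raw.strip()                           # sub-command of the current line block
        for key in ("login", "password", "transport input"):
            if sub.startswith(key):
                line_blocks[block][key.split()[0]] = sub

    findings = []
    if has_enable_password and not has_secret:
        findings.append("ENABLE_PASSWORD_WITHOUT_SECRET")   # clear text or reversible type 7
    if not has_secret:
        findings.append("NO_ENABLE_SECRET")
    if not pw_encryption:
        findings.append("NO_SERVICE_PASSWORD_ENCRYPTION")   # passwords visible in show run
    for hdr, seen in line_blocks.items():
        if seen["login"] is None:
            findings.append(f"NO_LOGIN:{hdr}")              # no password prompt at all
        elif seen["login"] == "login" and seen["password"] is None:
            findings.append(f"LOGIN_WITHOUT_PASSWORD:{hdr}")  # IOS refuses the session
        if seen["password"] and seen["password"].split()[1:2] == ["7"]:
            findings.append(f"TYPE7_REVERSIBLE:{hdr}")      # see decrypt_type7()
        if hdr.startswith("line vty"):
            # assumption: a vty with no 'transport input' keeps the old IOS default 'all'
            transport = seen["transport"] or "transport input all"
            if "all" in transport or "telnet" in transport:
                findings.append(f"TELNET_ALLOWED:{hdr}")
    return sorted(findings)


if __name__ == "__main__":
    print("type 7 0822455D0A16 ->", decrypt_type7("0822455D0A16"))
    print("weak:", audit_config(WEAK_CONFIG))
    print("hardened:", audit_config(HARDENED_CONFIG))
```

The hardened config deliberately keeps a type 7 console password so the audit still reports it: a physical console is a lower-exposure path than the vty lines, but the same reversible encoding is there. On IOS releases that support it, prefer the type 8 or 9 hashes (enable algorithm-type sha256|scrypt secret) over the MD5-based type 5.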

3) Remote access
• Managing the switch remotely (ping, Telnet/SSH, SNMP) requires giving it an IP address, mask and default gateway:
(config)#ip default-gateway <gateway ip>
(config)#interface vlan <vlan id>
(config-if)#ip address <ip> <mask>
(config-if)#no shutdown
• The VLAN carrying this SVI is called the management VLAN. It can be any VLAN, but a pure L2 switch can have only one active management SVI at a time, and ip default-gateway is used only while IP routing is disabled. Keep the management VLAN separate from the user VLANs (and avoid VLAN 1) so that hosts cannot reach the management plane directly.

Connecting devices
• A crossover cable is used to connect two switches
• A straight-through cable is used to connect a switch to a host
• Auto-MDI/MDIX (Medium Dependent Interface / MDI crossed) is the feature that allows a straight-through cable between two switches or hubs

Switch Port Configuration

• CatOS refers to switch ports as "ports"
• IOS refers to switch ports as "interfaces"
1) Selecting ports to configure:
(config)#interface {ethernet | fastethernet | gigabitethernet} <mod/no.>
ex: (config)#interface fa0/1
-on non-modular switches such as the 2960 and 3650 the module number (mod) is 0; stackable models prefix the stack member, e.g. gi1/0/1

To select multiple ports:
(config)#interface range <type> <mod/no.> [,<type> <mod/no.>,...]
ex: (config)#interface range fa0/1,fa0/5,fa0/12
or
(config)#interface range <type> <mod/first no. - last no.>
ex: (config)#interface range fa0/1 - 12
or
(config)#define interface-range <macro name> {<type> <mod/no.> [,<type> <mod/no.>,...] | <type> <mod/first no. - last no.>}
(config)#interface range macro <macro name>
2) Characterizing an interface
(config-if)#description <description string>
(config-if)#speed {10 | 100 | 1000 | auto}
(config-if)#duplex {half | full | auto}
(config-if)#[no] mdix auto
• Configuring a port as L2 (default on Catalyst 2960, 3560/3650, 4500):
(config-if)#switchport
• Configuring a port as L3 (default on Catalyst 6500):
(config-if)#no switchport
(config-if)#ip address <ip> <mask>
3) Managing error conditions on a switch port (discussed later)
• A port that suffers certain errors is automatically put into the "errdisable" state, as if it were shut down, until it is reactivated manually or a predetermined time elapses
(config)#errdisable detect cause {all | <cause name>}
causes: bpduguard / dtp-flap / link-flap / pagp-flap / rootguard / udld (recovery causes also include psecure-violation, arp-inspection, dhcp-rate-limit and storm-control)
• Static recovery:
(config-if)#shutdown
then
(config-if)#no shutdown
• Dynamic recovery:
(config)#errdisable recovery cause {all | <cause name>}
-default timer = 300 sec
(config)#errdisable recovery interval <sec>
Note: automatic recovery of the security-related causes (bpduguard, psecure-violation) re-opens the port to whatever triggered it every interval; leave those to manual recovery unless the interval is long and the errdisable event is alerted on.
CDP (Cisco Discovery Protocol)
& LLDP (Link Layer Discovery Protocol)
• CDP runs by default on Cisco switches and sends a message every 60 seconds to the multicast MAC 0100.0ccc.cccc; Cisco switches treat this as a special address that is not flooded (it is consumed by the directly connected neighbor only). LLDP does the same job but is an IEEE standard.
• To disable CDP globally or per interface:
(config)#[no] cdp run
(config-if)#[no] cdp enable
• Because CDP advertises the platform, IOS version and management IP address to anyone on the link, disable it on user-facing access ports and on links to untrusted networks, and keep it only where it is needed (IP phones, trusted infrastructure links).

#show cdp neighbors detail

CDP (Cisco Discovery Protocol)

Sends a message every 60 seconds (holdtime 180 seconds) containing:
- Device name
- H/W platform (model)
- S/W platform (IOS version)
- Device capabilities (router, switch, IP phone, host, ...)
- Local interface and neighbor interface
- Device IP address and sometimes MAC address

CDP version 2 adds to the message:
- VTP domain
- Native VLAN
- Duplex
- Rapid error tracking (native VLAN mismatch, duplex mismatch, ...)
Link Layer Discovery Protocol
The Link Layer Discovery Protocol (LLDP) is similar to CDP, but is
based on the IEEE 802.1ab standard. As a result, LLDP works in
multivendor networks. It is also extensible because information is
advertised by grouping attributes into Type-Length-Value (TLV)
structures.
LLDP also supports additional TLVs (messages) that are unique to
audio-visual devices such as VoIP phones. The LLDP Media
Endpoint Device (LLDP-MED) TLVs carry useful device
information like a network policy with VLAN numbers and quality of
service information needed for voice traffic, power management,
inventory management, and physical location data. LLDP supports
the LLDP-MED TLVs by default, but it cannot send both basic and
MED TLVs simultaneously on a switch port. Instead, LLDP sends
only the basic TLVs to connected devices. If a switch receives
LLDP-MED TLVs from a device, it will begin sending LLDP-MED
TLVs back to the device.
By default, LLDP is globally disabled on a Catalyst switch. To see if
it is currently running or not, use the show lldp command. You can
enable or disable LLDP with the lldp run and no lldp run
configuration commands, respectively.
(config)#lldp run
On interface:
(config-if)#[no] lldp {transmit|receive}

Use the following command to display information about LLDP
advertisements that have been received by a switch.
Switch# show lldp neighbors [type member/module/number]
[detail]
Use the show lldp neighbors command to see a summary of
neighbors that have been discovered.

Troubleshooting

#show interfaces [<type><mod/no.>]

Key fields to read: the status line ("fastethernet 0/1 is up, line protocol is up"), BW 100000 Kbit, keepalive, encapsulation ARPA, auto-duplex (half) / auto-speed (100), queueing strategy fifo, and the error counters: input errors, CRC, runts, giants, collisions, lost carrier.

Switch#show interfaces fastethernet0/3
FastEthernet0/3 is up, line protocol is down
Hardware is Fast Ethernet, address is 0000.0000.0003 (bia 0000.0000.0003)
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Half-duplex, 10Mb/s
input flow-control is off, output flow-control is off
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Queueing strategy: fifo
Output queue 0/40, 0 drops; input queue 0/75, 0 drops
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out

• To check module (switch slot) status on a modular switch:
#sh modules
#sh interface
- interface is administratively down, line protocol down ...... interface is missing the "no shutdown" command
- interface is down, line protocol down ...... interface has a fatal error
- interface is up, line protocol down ...... cable is cut, or cable is not properly pin connected
- interface is up, line protocol up ...... interface is operating properly up to Layer 2

• A speed or duplex mismatch could cause slow response and a large number of runt errors, input errors & late collision errors.
Problem: Cannot Autonegotiate Port Speed/Duplex
– Make sure autonegotiation is configured on both ends of the
link.
– If autonegotiation fails when you connect a client NIC to the
switch, check the NIC and drivers to make sure that
autonegotiation is supported.
– If autonegotiation is supported and properly configured, turn
off autonegotiation and set the speed and duplex manually.
Tip
Beware of a duplex mismatch when both ends of a link are not
set for autonegotiation. During a mismatch, one end uses full
duplex while the other end uses half duplex. The result is that
the half-duplex station will detect a collision when both ends
transmit; it will back off appropriately.
The full-duplex station, however, will assume that it has the right
to transmit at any time. It will not stop and wait for any reason.
This can cause errors on the link and poor response times
between the stations.
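As an added illustration of the interface states and counters described above (this is example code written for this page, not from the course or from Cisco), the Python script below parses constructed "show interfaces" output and maps each interface to the diagnoses listed in the text: missing "no shutdown", fatal error, cabling fault, or a suspected duplex mismatch from late collisions and runts. The sample output, the regular expressions and the mismatch thresholds are assumptions.

```python
import re

# Constructed sample, modelled on the "show interfaces" text above; not captured
# from a real switch. Three interfaces: cabling fault, duplex mismatch, shut down.
SAMPLE_SHOW_INTERFACES = """\
FastEthernet0/3 is up, line protocol is down
  Hardware is Fast Ethernet, address is 0000.0000.0003 (bia 0000.0000.0003)
  Half-duplex, 10Mb/s
  Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
  0 output errors, 0 collisions, 2 interface resets
  0 babbles, 0 late collision, 0 deferred
FastEthernet0/7 is up, line protocol is up
  Hardware is Fast Ethernet, address is 0000.0000.0007 (bia 0000.0000.0007)
  Full-duplex, 100Mb/s
  Received 42 broadcasts, 812 runts, 0 giants, 0 throttles
  1540 input errors, 728 CRC, 0 frame, 0 overrun, 0 ignored
  0 output errors, 0 collisions, 1 interface resets
  0 babbles, 356 late collision, 0 deferred
FastEthernet0/9 is administratively down, line protocol is down
  Hardware is Fast Ethernet, address is 0000.0000.0009 (bia 0000.0000.0009)
  Auto-duplex, Auto-speed
  Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
  0 output errors, 0 collisions, 0 interface resets
  0 babbles, 0 late collision, 0 deferred
"""

HEADER_RE = re.compile(r"^(\S+) is (administratively down|up|down), line protocol is (up|down)")
DUPLEX_RE = re.compile(r"^\s*(Full|Half|Auto)-duplex, (\S+)")
COUNTER_RES = {
    "runts": re.compile(r"(\d+) runts"),
    "input_errors": re.compile(r"(\d+) input errors"),
    "crc": re.compile(r"(\d+) CRC"),
    "late_collision": re.compile(r"(\d+) late collision"),
}


def parse_show_interfaces(text):
    """Split 'show interfaces' output into one dict per interface."""
    interfaces, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"name": m.group(1), "admin": m.group(2), "protocol": m.group(3),
                       "duplex": None, "speed": None,
                       "runts": 0, "input_errors": 0, "crc": 0, "late_collision": 0}
            interfaces.append(current)
            continue
        if current is None:
            continue
        d = DUPLEX_RE.match(line)
        if d:
            current["duplex"], current["speed"] = d.group(1).lower(), d.group(2)
        for key, rx in COUNTER_RES.items():
            c = rx.search(line)
            if c:
                current[key] = int(c.group(1))
    return interfaces


def diagnose(iface):
    """Map state and counters to the diagnoses listed in the text."""
    findings = []
    if iface["admin"] == "administratively down":
        findings.append("missing 'no shutdown'")
    elif iface["admin"] == "down":
        findings.append("fatal interface error")
    elif iface["protocol"] == "down":
        findings.append("cable cut or not properly pin connected")
    # Late collisions, or runts together with input errors, are the classic
    # signature of a duplex mismatch (the thresholds here are an assumption).
    if iface["late_collision"] > 0 or (iface["runts"] > 0 and iface["input_errors"] > 0):
        findings.append("suspect duplex mismatch")
    if iface["duplex"] == "half":
        findings.append("half duplex: verify the peer's setting")
    return findings


if __name__ == "__main__":
    for iface in parse_show_interfaces(SAMPLE_SHOW_INTERFACES):
        print(iface["name"], iface["admin"], "/", iface["protocol"], "->",
              "; ".join(diagnose(iface)) or "no finding")
```

Feeding the script the output of "show interfaces" from a real switch only requires replacing the sample string; the counter names are the ones that appear in the output shown above.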
Switch file management
- Configuration files:
a) startup-config (also called config.text): stored in NVRAM/flash (a part of flash simulates non-volatile RAM)
b) vlan.dat: stored in flash
c) running-config: stored in RAM

- Other files:
System env_vars: a text file containing system variables such as the MAC address, model number, serial number & various module information. It is stored in ROM with a copy in flash, & is displayed by:
#show version

Cisco IOS File System and Devices

To list the directories and files in flash:
#dir flash:[directory]
#show flash

To delete all flash files:
#erase flash

To delete a certain file in flash:
#delete flash:<file name>

To delete vlan.dat:
#delete flash:vlan.dat
#delete vlan.dat

To erase the startup configuration:
#erase startup-config
#erase nvram
#delete flash:config.text
#delete config.text

To copy between file systems:
#copy <run/start/tftp/flash> <run/start/tftp/flash>
Managing Cisco IOS Images

Switch#show flash

Directory of flash:/

2 -rwx 401 Jan 01 1970 00:01:06 env_vars
3 -rwx 2664051 Mar 02 1993 21:58:25 c2950-i6q4l2-mz.121-11.EA1.bin
4 -rwx 108 Mar 01 1993 00:01:20 info
6 drwx 640 Mar 01 1993 00:03:16 html
19 -rwx 108 Mar 01 1993 00:03:16 info.ver
20 -rwx 1636 Mar 01 1993 11:20:55 vlan.dat
23 -rwx 2193 Mar 01 1993 00:09:57 config.text

7741440 bytes total (1101312 bytes free)

- Verify that flash memory has room for the Cisco IOS image.
Troubleshooting

                            show             debug
Processing characteristics  Static           Dynamic
Processing load             Low overhead     High overhead
Primary use                 Gather facts     Observe processes

Considerations When Using debug Commands
- May generate output in a variety of formats that may not identify the problem
- Requires high overhead, possibly disrupting network device operation
- Useful for obtaining information about network traffic and router status

#sh version
#sh mac-address-table
#sh arp
#sh cdp neighbors
#sh tech-support ........ displays the output of many show commands in a single command

#debug <command>
To cancel the debug action:
#no debug <command/all>
#undebug all
Password recovery
• For any model, check the manual or search Google.

The main boot-up sequence for the switch is:
the switch boots the IOS from flash, then loads the configuration from a file
called config.text. The trick used for password recovery is to rename that
file, so that the switch no longer automatically loads its configuration from it.

Switch password recovery procedure

1- Restart the switch (power off/on)
2- While the switch is booting, press/release the mode button
3- The switch will show this prompt:
switch:
In that mode, initialize the flash memory files:
switch:flash_init
switch:dir flash:
! All flash files will appear: IOS, vlan.dat, config.text, ... !
switch:rename flash:config.text flash:config.old
This command changes the original configuration file name to a
bogus name, so that when the switch reboots it does not find the
original file name and boots with no configuration.
switch:boot
The switch will reload without loading the configuration.
switch>enable
Switch#show flash
! You will find IOS, vlan.dat, config.old, ... !
Switch#copy flash:config.old flash:config.text
CDP & LLDP Questions
Question 1
What is the default interval at which Cisco devices send Cisco Discovery Protocol
advertisements?

A. 30 seconds B. 60 seconds C. 120 seconds D. 300 seconds

Question 2
Which statement about Cisco Discovery Protocol configuration on a Cisco switch is true?

A. CDP is enabled by default and can be disabled globally with the command no cdp run.
B. CDP is disabled by default and can be enabled globally with the command cdp enable.
C. CDP is enabled by default and can be disabled globally with the command no cdp enable.
D. CDP is disabled by default and can be enabled globally with the command cdp run.

Question 3
A network engineer notices inconsistent Cisco Discovery Protocol neighbors according to the
diagram that is provided. The engineer notices only a single neighbor that uses Cisco Discovery
Protocol, but it has several routing neighbor relationships. What would cause the output to
show only the single neighbor?

A. The routers are connected via a Layer 2 switch.
B. IP routing is disabled on neighboring devices.
C. Cisco Express Forwarding is enabled locally.
D. Cisco Discovery Protocol advertisements are inconsistent between the local and remote
devices.

Question 4
After the implementation of several different types of switches from different vendors, a
network engineer notices that directly connected devices that use Cisco Discovery Protocol are
not visible. Which vendor-neutral protocol could be used to resolve this issue?

A. Local Area Mobility B. Link Layer Discovery Protocol C. NetFlow D. Directed Response Protocol

Question 5
While doing network discovery using Cisco Discovery Protocol, it is found that rapid error
tracking is not currently enabled. Which option must be enabled to allow for enhanced
reporting mechanisms using Cisco Discovery Protocol?

A. Cisco Discovery Protocol version 2
B. Cisco IOS Embedded Event Manager
C. logging buffered
D. Cisco Discovery Protocol source interface
E. Cisco Discovery Protocol logging options
Question 6
A network engineer has just deployed a non-Cisco device in the network and wants to get
information about it from a connected device. Cisco Discovery Protocol is not supported, so
the open standard protocol must be configured. Which protocol does the network engineer
configure on both devices to accomplish this?

A. IRDP B. LLDP C. NDP D. LLTD

Question 7
Which statement about Cisco devices learning about each other through Cisco Discovery
Protocol is true?

A. Each device sends periodic advertisements to multicast address 01:00:0C:CC:CC:CC.
B. Each device broadcasts periodic advertisements to all of its neighbors.
C. Each device sends periodic advertisements to a central device that builds the network
topology.
D. Each device sends periodic advertisements to all IP addresses in its ARP table.

Question 8
Which option lists the information that is contained in a Cisco Discovery Protocol
advertisement?

A. native VLAN IDs, port-duplex, hardware platform
B. native VLAN IDs, port-duplex, memory errors
C. native VLAN IDs, memory errors, hardware platform
D. port-duplex, hardware platform, memory errors

Question 9
Which option describes a limitation of LLDP?

A. LLDP cannot provide information about VTP.
B. LLDP does not support TLVs.
C. LLDP can discover only Windows servers.
D. LLDP can discover up to two devices per port.

Question 10
Which statement about using native VLANs to carry untagged frames is true?

A. Cisco Discovery Protocol version 2 carries native VLAN information, but version 1 does not.
B. Cisco Discovery Protocol version 1 carries native VLAN information, but version 2 does not.
C. Cisco Discovery Protocol version 1 and version 2 carry native VLAN information.
D. Cisco Discovery Protocol version 3 carries native VLAN information, but versions 1 and 2 do
not.
VLANs
&
Trunks
(It brings the far near and pushes the near away,
oh how cruel you are)

Overview
• A fully Layer 2 switched network is a single broadcast domain, so the
network must be subdivided into VLANs.
• By definition a VLAN is a single broadcast domain. VLANs are
characterised by:
- They allow load balancing over multiple parallel paths, so enhancing bandwidth utilization
- They enhance network security
- They confine broadcasts, so giving better broadcast control
- They can span multiple switches (no physical boundaries); a VLAN can group users based on their business requirements (business departments) independent of any physical location

• Segmentation
• Flexibility
• Security

A VLAN = A Broadcast Domain = Logical Network (Subnet)

But using VLANs has the following consequences:
- It will not simplify the network.
- It will not eliminate the need for L3 routing.
Deploying VLANs
• The number of VLANs depends on the network requirements.
• Cisco recommends a one-to-one VLAN-to-IP-subnet relation, in order to isolate each VLAN's broadcasts & to be able to form inter-VLAN routing.
• VLANs can be implemented using two basic methods:
1) Local VLANs
2) End-to-end VLANs

- Local VLANs:
• Also called geographic VLANs, keeping the VLAN within a switch block
• Local VLANs are created based on geographic or physical locations
• The local VLAN design also obeys the 20/80 rule

• Here are some local VLAN characteristics and user guidelines:
- Local VLANs should be created with physical boundaries in mind rather than the job functions of the users on the end devices.
- Traffic from a local VLAN is routed to reach destinations on other networks.
- End-to-end VLANs:
• Also called campus-wide VLANs
• Users are assigned to VLANs regardless of their physical location; VLANs are designed around user function (the same VLAN is distributed among different switch blocks)
• End-to-end VLANs do not follow the 80/20 rule: all traffic within a single VLAN could cross the core, following the 20/80 rule instead
• But end-to-end VLANs can help extend broadcast storms & they are difficult to maintain and troubleshoot
• End-to-end VLAN deployment is not recommended by Cisco.

• An end-to-end VLAN has these characteristics:
- The VLAN is geographically dispersed throughout the network.
- Users are grouped into the VLAN regardless of physical location.
- As a user moves throughout a campus, the VLAN membership of that user remains the same.
- Users are typically associated with a given VLAN for network management reasons.
- All devices on a given VLAN typically have addresses on the same IP subnet.
VLAN membership

1) Static VLAN membership ("port-based VLAN")
The VLAN number is assigned to a specific switch port; each port gets a PVID (Port VLAN ID).
(config-if)#switchport access vlan <vlan id>

2) Dynamic VLAN membership ("MAC-based VLAN")
When a host is connected to a switch port, the switch must query a database to establish VLAN membership. To assign a user's MAC address to a certain VLAN, a network administrator must assign the users' MAC addresses to VLANs in the database of a VMPS (VLAN Membership Policy Server), which could be a Catalyst 6500 or an external server.
Types of Switch ports
• Access link:
- A switch port that is a member of only one VLAN (the native VLAN by default)
- This port connects a switch to a host
- This port expects to receive untagged frames and sends untagged frames
(config-if)#switchport mode access

• Trunk link:
- A switch port that is a member of all VLANs by default, so traffic from all VLANs can use a trunk link
- It is mainly used to connect two switches together, or a switch and a router
- This port receives and sends tagged frames, unless the data belongs to the native VLAN
(config-if)#switchport mode trunk
(config-if)#switchport trunk allowed vlan <list of vlans>
(config-if)#switchport trunk native vlan <vlan number>
To activate a VLAN
(config)#interface ____
(config-if)#switchport mode access
(config-if)#switchport access vlan <vlan id>

Example:
(config)#interface Fastethernet 0/3
(config-if)#switchport mode access
(config-if)#switchport access vlan 52

Troubleshooting VLANs:
Switch#show vlan [id | name] [vlan_num | vlan_name]
#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- --------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/5, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/11, Fa0/12
                                                Gi0/1, Gi0/2
2    VLAN0002                         active
52   Sales                            active    Fa0/3

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
2    enet  100002     1500  -      -      -        -    -        0      0
52   enet  100052     1500  -      -      -        -    -        0      0

#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- --------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/5, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/11, Fa0/12
                                                Gi0/1, Gi0/2
2    VLAN0002                         active
52   Sales                            active    Fa0/3
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
Configuring VLANs
To configure VLANs there are three steps:
1- Create the VLAN
2- Optionally name the VLAN
3- Activate the VLAN (assign the VLAN to a switch port)

Configuration:

#configure terminal
(config)#vlan <id>
(config-vlan)#name <vlan name>

Creating a VLAN:
Switch#configure terminal
Switch(config)#vlan 3
Switch(config-vlan)#name sales
Switch(config-vlan)#exit
Switch(config)#

Deleting a VLAN:
Switch#configure terminal
Switch(config)#no vlan 3
Switch(config)#end

We can add, delete or modify VLANs from that mode.

Note: VLAN 1 and VLANs 1002 to 1005 already exist in the VLAN database.

VLAN Ranges and Mappings

VLAN Range  Range     Usage
0, 4095     Reserved  For system use only
1           Normal    Cisco default
2-1001      Normal    For Ethernet VLANs
1002-1005   Normal    Cisco defaults for FDDI and Token Ring
1006-4094   Extended  For Ethernet VLANs only
VLAN Trunks
• To connect a switch port to another switch port or a router while deploying VLANs, we need a method for VLAN inter-switch communication, where a VLAN can span multiple switches.
• VLAN trunks allow communication between members of the same VLAN that exist on different physical switches.
(Figures: without trunking / with trunking)

VLAN frame identifier
• Each frame originated from a PC and received on a switch port must carry a VLAN id before being retransmitted on a trunk link. This is called trunk VLAN tagging, and it must be done to assure VLAN inter-switch communication.
• VLAN tagging types:
1- ISL (Inter-Switch Link) for Ethernet
2- IEEE 802.1Q (dot1q) for Ethernet
3- Cisco extension for 802.10 for FDDI
4- LANE (LAN Emulation) for ATM

• Cisco implements VLAN tagging using ASICs.
1) ISL
• It is a Cisco proprietary VLAN tagging protocol, but it is no longer supported by Cisco's new edge switches
• It is also called double tagging, because it encapsulates the original frame with a new header (ISL header, 26 bytes) & a new trailer (ISL trailer, 4 bytes, new CRC)
• The ISL header contains a 10-bit VLAN id, which supports VLANs from 0-1023, where the used VLANs are 1-1005
• Ethernet can use 1-1001, and 1002-1005 are reserved for Token Ring & FDDI

Standard NIC cards and networking devices don't understand this giant frame. A Cisco switch must remove this encapsulation before sending the frame out on an access link.

• ISL is now supported only on core switches; the Cisco Catalyst 2950 & 2960 access switches support only dot1q.
2) dot1q
• It is called single tagging: a 4-byte dot1q tag is inserted after the source MAC of the frame and before the length/type field of the frame
• The 4 bytes specify the following:
2-byte TPID (Tag Protocol Identifier)
- 2 bytes indicating the type of encapsulated data
2-byte TCI (Tag Control Info, includes the VLAN ID):
- 12 bits for the VLAN tag, which gives a VLAN range of 0-4095, where 0, 1, 1002-1005 & 4095 are reserved.
- 3 bits CoS (Class of Service), which indicate the priority of the frame; they are called the 802.1q/802.1p bits
- 1 bit for CFI (Canonical Format Indicator), a flag which indicates whether the frame is Ethernet or Token Ring & FDDI

To choose between the two tagging methods:
(config-if)#switchport trunk encapsulation {isl/dot1q}
That command is not available on switches supporting dot1q only, so it is not supported on many Cisco switches.

• Dot1q also introduced the concept of the native VLAN on a trunk: frames belonging to this VLAN are not tagged with any VLAN id. Using this feature, 802.1q tagging devices & non-802.1q devices can co-exist on an 802.1q trunk.
• The native VLAN is by default VLAN 1, which is also called the management VLAN (the management VLAN is the VLAN that carries frames from all protocols: CDP, VTP, DTP, ....); the native VLAN can be changed by configuration.
• The IEEE 802.3ac standard extends the Ethernet frame MTU to 1522 bytes.

NIC cards and networking devices can understand this "baby giant" frame (1522 bytes). However, a Cisco switch must remove this encapsulation before sending the frame out on an access link.
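The dot1q tag layout (TPID, then a TCI of 3 priority bits, 1 CFI bit and a 12-bit VID), the untagged native VLAN and the 1522-byte baby giant described above, as an added Python example; this is example code written for this page, not code from the course or from Cisco. The frame builder, the parser and the function names are assumptions, and the reserved VID set is the one the text lists.

```python
import struct

TPID_8021Q = 0x8100                                      # Tag Protocol Identifier of one 802.1Q tag
RESERVED_VIDS = {0, 1, 4095} | set(range(1002, 1006))    # reserved VIDs as listed in the text


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0, cfi=0):
    """Assemble an Ethernet frame (without FCS). With vlan_id set, the 4-byte
    802.1Q tag (TPID + TCI) is inserted after the source MAC; vlan_id=None
    models a frame of the native VLAN, which crosses the trunk untagged."""
    if vlan_id is None:
        tag = b""
    else:
        if not (0 <= vlan_id <= 4095 and 0 <= pcp <= 7 and cfi in (0, 1)):
            raise ValueError("VID is 12 bits, PCP is 3 bits, CFI is 1 bit")
        tci = (pcp << 13) | (cfi << 12) | vlan_id       # TCI layout: PCP | CFI | VID
        tag = struct.pack("!HH", TPID_8021Q, tci)
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def parse_frame(frame, native_vlan=1):
    """Decode a frame as a dot1q trunk port would: a tagged frame yields its VID,
    an untagged frame is assigned the port's native VLAN."""
    if len(frame) < 14:
        raise ValueError("runt: shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return {"dst": dst, "src": src, "tagged": True,
                "vlan_id": tci & 0x0FFF, "pcp": tci >> 13, "cfi": (tci >> 12) & 1,
                "ethertype": ethertype, "payload": frame[18:]}
    return {"dst": dst, "src": src, "tagged": False,
            "vlan_id": native_vlan, "pcp": 0, "cfi": 0,
            "ethertype": tpid, "payload": frame[14:]}


def strip_tag(frame):
    """What the switch does before forwarding on an access link: remove the tag."""
    if frame[12:14] == struct.pack("!H", TPID_8021Q):
        return frame[:12] + frame[16:]
    return frame


def wire_length(frame):
    """Length on the wire including the 4-byte FCS: 1518 untagged, 1522 tagged."""
    return len(frame) + 4


if __name__ == "__main__":
    # Constructed addresses and a maximum 1500-byte payload.
    dst, src = bytes.fromhex("ffffffffffff"), bytes.fromhex("000000000003")
    tagged = build_frame(dst, src, 0x0800, b"\x00" * 1500, vlan_id=52, pcp=5)
    print("tag bytes:", tagged[12:16].hex(), "wire length:", wire_length(tagged))
    print(parse_frame(tagged)["vlan_id"], parse_frame(strip_tag(tagged))["vlan_id"])
```

A VID of 52 with priority 5 produces the tag bytes 81 00 a0 34: 0x8100 is the TPID, and 0xA034 is 101 (PCP 5), 0 (CFI) and 000000110100 (VID 52) packed into 16 bits.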

DTP
(Dynamic Trunking Protocol)
• A Cisco proprietary protocol that is used to automatically negotiate a common trunking mode (negotiate whether the link will be access or trunk) between two switches; negotiation of the trunk encapsulation type can also be done. DTP negotiation is made periodically every 30 sec.
• A router cannot participate in DTP, so if a switch port is connected to a router, DTP must be disabled & the switch port must be manually configured.
• Note: DTP is negotiated between switches working in the same VTP domain, or if one of the domains is the null domain. So if the switches are in different domains, you must set the trunk configuration to "on" or "nonegotiate"; this setting will force the trunk to be established.
• DTP modes:
Mode               Function
access             Unconditionally sets a switch port to access mode, regardless of other DTP functions
trunk              Sets the switch port to unconditional trunking mode and negotiates to become a trunk link, regardless of neighbor interface mode
nonegotiate        Specifies that DTP negotiation packets are not sent on the Layer 2 interface
dynamic desirable  Sets the switch port to actively send and respond to DTP negotiation frames. Default for Ethernet
dynamic auto       Sets the switch port to respond but not to actively send DTP negotiation frames
Configuring trunking
(config)#interface <_>
(config-if)#switchport mode {access/trunk/dynamic desirable/dynamic auto}
- access: only in one VLAN, no negotiation (no DTP messages).
- trunk: permanently a trunk & generates DTP messages.
- dynamic desirable: (default) actively (by sending messages) attempts to become a trunk.
- dynamic auto: becomes a trunk only if the far end desires a trunk, which means it passively (does not initiate messages) attempts to be a trunk.
(config-if)#switchport nonegotiate
- nonegotiate: disables DTP & forces a permanent trunk.
(config-if)#switchport trunk encapsulation {isl/dot1q/negotiate}
The default is negotiate; ISL is favoured if both exist on the negotiating switches.
Switchport Mode Interactions

To identify the native VLAN:
(config-if)#switchport trunk native vlan <vlan id>
The default is VLAN 1; this is used only with dot1q & trunking mode.
• To specify the allowed VLANs on a trunk:
(config-if)#switchport trunk allowed vlan {<vlan list> / all / {add/except/remove} <vlan list> }
Add: add the VLAN list to the existing pre-configured list
Except: all VLANs except the given VLAN list
Remove: remove VLANs from the existing VLAN list
By default all VLANs exist on the trunk link.

Trunking configuration example:
Switch(config)#interface fastethernet 5/8
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport trunk allowed vlan 1,15,11,1002-1005
Switch(config-if)#switchport mode trunk
Troubleshooting
#sh dtp interface
! TOS/TAS/TNS = Trunk Operational/Administrative/Neighbor State !

#sh interface <_> trunk
#sh interface <_> switchport
#sh interface <_> capabilities
#sh vlan
#sh vlan brief

Switch#show interfaces fastethernet 2/1 trunk

Port      Mode         Encapsulation  Status        Native VLAN
Fa2/1     desirable    isl            trunking      1

Port      VLANs allowed on trunk
Fa2/1     1-1005

Port      VLANs allowed and active in management domain
Fa2/1     1-2,1002-1005

Port      VLANs in spanning tree forwarding state and not pruned
Fa2/1     1-2,1002-1005

Switch#show interfaces gigabitEthernet 0/1 switchport

Name: Gi0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001

. . .
Troubleshooting VLAN Issues
Configuration problems can arise when user traffic must
traverse several switches. The following sections list some
common configuration errors. But before you begin
troubleshooting, create a plan. Check the implementation plan
for any changes recently made, and determine likely problem
areas.

Troubleshooting User Connectivity


User connectivity can be affected by several things:
- Physical connectivity: Make sure the cable, network adapter,
and switch port are good. Check the port’s link LED.
- Switch configuration: If you see FCS errors or late collisions,
suspect a duplex mismatch. Check configured speed on both
sides of the link. Make sure the port is enabled and set as an
access port.
- VLAN configuration: Make sure the hosts are in the correct
VLAN.
- Allowed VLANs: Make sure that the user VLAN is allowed on
all appropriate trunk links.

Troubleshooting Trunking
When troubleshooting trunking, make sure that physical layer
connectivity is present before moving on to search for
configuration problems such as
- Are both sides of the link in the correct trunking mode?
- Is the same trunk encapsulation on both sides?
- If 802.1Q, is the same native VLAN on both sides? Look for CDP
messages warning of this error.
- Are the same VLANs permitted on both sides?
- Is a link trunking that should not be?

VLAN Questions

Question 1
Which feature is automatically enabled when a voice VLAN is configured, but not
automatically disabled when a voice VLAN is removed?

A. portfast B. port-security C. spanning tree D. storm control

Question 2
In which portion of the frame is the 802.1q header found?

A. within the Ethernet header B. within the Ethernet payload C. within the Ethernet FCS
D. within the Ethernet source MAC address

Question 3
What is required for a LAN switch to support 802.1q Q-in-Q encapsulation?

A. Support less than 1500 MTU
B. Support 1504 MTU or higher
C. Support 1522 layer 3 IP and IPX packet
D. Support 1547 MTU only

Question 4
What is the size of the VLAN field inside an 802.1q frame?

A. 8-bit B. 12-bit C. 16-bit D. 32-bit

Question 5
What is the maximum number of VLANs that can be assigned to an access switchport
without a voice VLAN?

A. 0 B. 1 C. 2 D. 1024
Question 6
What does the command "vlan dot1q tag native" accomplish when configured under global
configuration?

A. All frames within the native VLAN are tagged, except when the native VLAN is set to 1.
B. It allows control traffic to pass using the non-default VLAN.
C. It removes the 4-byte dot1q tag from every frame that traverses the trunk interface(s).
D. Control traffic is tagged.
VLAN Trunking
Question 1
Refer to the exhibit.
SW-1#sh logging
%SPANTREE-SP-2-RECV_PVID_ERR: Received BPDU with inconsistent peer Vlan id 1 on GigabitEthernet1/2 VLAN2013.
%SPANTREE-SP-2-BLOCK_PVID_PEER: Blocking GigabitEthernet1/2 on VLAN0001. Inconsistent peer vlan.
A multilayer switch has been configured to send and receive encapsulated and tagged
frames. VLAN 2013 on the multilayer switch is configured as the native VLAN. Which
option is the cause of the spanning-tree error?

A. VLAN spanning-tree in SW-2 is configured.
B. spanning-tree bpdu-filter is enabled.
C. 802.1q trunks are on both sides, both with native VLAN mismatch.
D. VLAN ID 1 should not be used for management traffic because it's unsafe.

Question 2
Refer to the exhibit.
3512xl(config)#int fastEthernet 0/1
3512xl(config-if)#switchport mode trunk
3512xl(config-if)#switchport trunk encapsulation dot1q
How many bytes are added to each frame as a result of the configuration?

A. 4-bytes except the native VLAN
B. 8-bytes except the native VLAN
C. 4-bytes including native VLAN
D. 8-bytes including native VLAN

Question 3
A network engineer must implement Ethernet links that are capable of transporting
frames and IP traffic for different broadcast domains that are mutually isolated.
Consider that this is a multivendor environment. Which Cisco IOS switching feature
can be used to achieve the task?

A. PPP encapsulation with a virtual template
B. Link Aggregation Protocol at the access layer
C. dot1q VLAN trunking
D. Inter-Switch Link
VLAN Trunking
Question 4
Which technique allows specific VLANs to be strictly permitted by the administrator?
A. VTP pruning B. transparent bridging C. trunk allowed VLANs D. VLAN access-list

Question 5
For security reasons, the IT manager has prohibited users from dynamically establishing
trunks with their associated upstream switch. Which two actions can prevent interface
trunking? (Choose two)

A. Configure trunk and access interfaces manually.
B. Disable DTP on a per interface basis.
C. Apply BPDU guard and BPDU filter.
D. Enable switchport block on access ports.

Question 6
Which two protocols can be automatically negotiated between switches for trunking?
(Choose two)
A. PPP B. DTP C. ISL D. HDLC E. DLCI F. DOT1Q

Question 7
The network manager has requested that several new VLANs (VLAN 10, 20, and 30) are
allowed to traverse the switch trunk interface. After the command "switchport trunk
allowed vlan 10,20,30" is issued, all other existing VLANs no longer pass traffic over the
trunk. What is the root cause of the problem?

A. The command effectively removed all other working VLANs and replaced them with
the new VLANs.
B. VTP pruning removed all unused VLANs.
C. ISL was unable to encapsulate more than the already permitted VLANs across the
trunk.
D. Allowing additional VLANs across the trunk introduced a loop in the network.

Question 8
A manager tells the network engineer to permit only certain VLANs across a specific
trunk interface. Which option can be configured to accomplish this?
A. allowed VLAN list B. VTP pruning C. VACL D. L2P tunneling

VTP
(VLAN Trunking Protocol)

VTP Overview
• Campus network environments may consist of many interconnected switches, so configuring & managing a large number of switches, VLANs, & VLAN trunks can quickly get out of control. Cisco has therefore developed a method to manage VLANs across the campus network.
• VTP is a Cisco proprietary messaging protocol that uses Layer 2 trunk frames. The standard VTP-like protocol is called GVRP (Group VLAN Registration Protocol) & the newest standard version is MVRP (Multiple VLAN Registration Protocol).
• VTP manages the synchronization of vlan.dat: the addition, deletion & renaming (modification) (ADM) of VLANs, by exchanging VLAN configuration between switches over trunk links.
• Only VLAN information is shared via VTP; port information (such as which port belongs to which VLAN) is not shared.
• Further, VTP allows you to make centralized changes that are communicated to all other switches in the network, so enhancing the plug & play environment.
• Finally, two conditions must exist:
1- VTP information is exchanged over trunks only.
2- All switches that need to exchange VTP messages must be configured in the same VTP domain.

VTP domains
• VTP management domains are groups of devices with common VLAN requirements (VLAN names, native VLAN, pruned VLANs, ......)
• A switch can belong to only one VTP domain; the default domain name is NULL (a blank string)
• So when a VLAN is added to a switch in a domain, other switches in the same domain are notified of the new VLAN through VTP advertisements
VTP Synchronization
• VTP configuration revision number:
- Indicates to the receiving switch whether the VTP message contains a new change or not
- Every 300 sec, a server switch sends out periodic advertisements for the information it is saving, so there is no need for clients to process the same information again if no change has occurred on the server
- Also, if there are multiple servers, some kind of synchronization is needed to indicate which change is the most up to date
- The revision number starts at zero & increments with every change configured on a server switch; the highest number means the most updated information
- The revision number on a transparent switch is always 0; the revision number is saved in NVRAM, so it is not affected by switching the power off
• To reset the revision number:
- Change the switch from server to transparent, then to server again
- Change the domain name to a bogus (non-existing) name & back to the original name

VTP operation
• VTP advertisements are sent as multicast frames.
• VTP servers and clients are synchronized to the latest revision number.
• VTP advertisements are sent every 5 minutes or when there is a change.

VTP switch modes
• Each switch must operate in one of the following modes:
1) Server mode:
- Default mode
- Can add, delete, modify VLAN configuration
- Generates VTP messages for any VLAN configuration change
- Can process (is affected by) VTP messages
- Can propagate VTP messages from other servers
- Saves the configuration in the switch vlan.dat file (NVRAM/Flash)
2) Client mode:
- Does not allow the administrator to add, delete, or modify VLANs
- Can propagate VTP messages from others
- Can process (is affected by) VTP messages
- VTP configuration is not saved on the switch
- Generates VTP request messages
Tip: Even though it seems as if a client should strictly listen to advertisements from servers, a client can and does send out its own advertisements. When it first powers up, a client sends a summary advertisement from its own stored database. It realizes that it has a greater revision number if it receives an inferior advertisement from a server. Therefore, it sends out a subset advertisement with the greater revision number, which VTP servers will accept as more up-to-date information.
3) Transparent mode:
- Does not participate in VTP
- Can add, delete, modify VLANs by configuration
- But does not generate VTP messages with the changes
- Cannot be affected by VTP messages
- Saves the VLAN configuration in the switch memory vlan.dat file (NVRAM/Flash)

Mode summary:
Server:      Creates, modifies, and deletes VLANs; sends and forwards advertisements; synchronizes VLAN configurations; saves configuration in vlan.dat
Client:      Cannot create, change, or delete VLANs; forwards advertisements; synchronizes VLAN configurations; does not save in vlan.dat
Transparent: Creates, modifies, and deletes VLANs locally only; forwards advertisements; does not synchronize VLAN configurations; saves configuration in vlan.dat
4)Off mode:
Like transparent mode, switches in VTP off mode do not participate
in VTP; however, VTP advertisements are not relayed at all. You
can use VTP off mode to disable all VTP activity on or through a
switch.

VTP Authentication
• By default, management domains are set to a nonsecure
mode, meaning that the switches interact without using a
password.
• Adding a password automatically sets the management domain to
secure mode; the password must then be configured on every switch
in the management domain to use secure mode and assure proper
authentication.

VTP messages
• VTP messages are sent to a special Cisco multicast address.
1)Subset advertisement message:
A server generates this message after each change or after hearing an
advertisement request message.
It contains:
-VTP version
-VTP domain name
-Configuration revision number
-Subset sequence number
-All VLAN status till the last change
-MD5 hash
2)Summary advertisement message:
Generated by a server periodically every 300 sec & every time a VLAN
database change occurs.
It contains:
-VTP version
-VTP domain name
-Configuration revision number
-The number of subset advertisements to follow
-MD5 hash code for authentication
3)Advertisement request message:
A VTP client generates this message to request any missing VLAN
information from VTP servers (recall that clients don't store VLAN
configuration), so a client needs to learn the configuration every
time it boots up; servers can also use this message to request
information from another server.
It contains:
-VTP version, VTP domain name, starting subset sequence number,
MD5 hash
4)VTP pruning message
A VTP server uses this message when the pruning command is configured.
5)VTP join message
Sent by servers & clients when a certain VLAN is activated, so that
VLAN will be excluded from the pruning feature.
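To make the mode and message rules above concrete, here is an added Python model of how a server, client, transparent and off switch each treat an incoming advertisement. It is illustrative code written for this section, not Cisco's implementation and not the VTP wire format. The switch names, the domain Lab_Network, the password and the VLAN databases are constructed, and the MD5 digest is computed over a text rendering of the database plus the password (an assumption that is sufficient to show why a password mismatch shows up as a digest error). The last scenario is the database-overwrite case the troubleshooting notes warn about: a switch with the same domain and password but a higher revision number replaces the server's VLAN list.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Advert:
    """Constructed model of a VTP summary+subset advertisement (not the wire format)."""
    domain: str
    revision: int
    vlans: dict        # vlan-id -> name, the advertised database
    digest: bytes      # MD5 over the database plus the domain password


def vtp_digest(domain, revision, vlans, password):
    # Assumption: the real digest covers the advertisement bytes with the password
    # folded in; hashing a canonical text rendering is enough to model that a
    # password mismatch is seen by the receiver as a digest error.
    body = f"{domain}|{revision}|{sorted(vlans.items())}|{password}".encode()
    return hashlib.md5(body).digest()


@dataclass
class Switch:
    name: str
    mode: str                      # "server" | "client" | "transparent" | "off"
    domain: str
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})
    log: list = field(default_factory=list)

    def add_vlan(self, vid, name):
        """Local VLAN change; returns the advertisement a server would send."""
        if self.mode == "client":
            raise PermissionError("VTP VLAN configuration not allowed when device is in CLIENT mode")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1
            return self.advertise()
        return None                # transparent/off: local change only, nothing advertised

    def advertise(self):
        return Advert(self.domain, self.revision, dict(self.vlans),
                      vtp_digest(self.domain, self.revision, self.vlans, self.password))

    def receive(self, adv):
        """Apply the synchronisation rules; return the advert to relay, or None."""
        if self.mode == "off":
            self.log.append("off mode: advertisement dropped")
            return None
        if self.mode == "transparent":
            self.log.append("transparent mode: relayed without processing")
            return adv
        if adv.domain != self.domain:         # domain names are case sensitive
            self.log.append(f"domain {adv.domain!r} != {self.domain!r}: ignored")
            return None
        if adv.digest != vtp_digest(adv.domain, adv.revision, adv.vlans, self.password):
            self.log.append("config digest error (password mismatch): ignored")
            return None
        if adv.revision <= self.revision:
            self.log.append(f"revision {adv.revision} not newer than {self.revision}: ignored")
            return None
        # The newer revision wins, whoever sent it: this is the database-overwrite hazard.
        self.vlans, self.revision = dict(adv.vlans), adv.revision
        self.log.append(f"synchronised to revision {adv.revision}")
        return adv


def demo():
    pw = "Lab_Pass"                                       # constructed password
    server = Switch("S1", "server", "Lab_Network", pw, revision=5,
                    vlans={1: "default", 10: "users", 20: "voice"})
    client = Switch("C1", "client", "Lab_Network", pw)
    client.receive(server.advertise())                   # new client learns the database
    wrong_pw = Switch("C2", "client", "Lab_Network", "other")
    wrong_pw.receive(server.advertise())                 # digest error, stays unsynchronised
    transparent = Switch("T1", "transparent", "Lab_Network", pw)
    relayed = transparent.receive(server.advertise())    # forwarded, not applied
    # A switch used elsewhere with the same domain and password but a higher
    # revision number: its (nearly empty) database overwrites the server's.
    stale = Switch("S9", "server", "Lab_Network", pw, revision=50)
    server.receive(stale.advertise())
    return {
        "client_vlans": client.vlans,
        "wrong_password_vlans": wrong_pw.vlans,
        "transparent_relayed": relayed is not None,
        "transparent_vlans": transparent.vlans,
        "server_after_stale": (server.vlans, server.revision),
        "logs": {s.name: s.log for s in (client, wrong_pw, transparent, server)},
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it prints the resulting databases and each switch's log; the last log entry on S1 is the overwrite, which is why a switch's revision number is checked (and reset, for example by changing its domain name) before it is trunked into a production domain.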
VTP pruning
• Before pruning:
Unknown unicast & broadcast traffic from one VLAN will fill all trunk
links, even if the destination VLAN is not the same as source VLAN.
VTP pruning makes more efficient use of trunk bandwidth by reducing
unnecessary flooded traffic.

• After pruning:
Trunks will not forward flooded traffic of a VLAN that does not exist on
the other side of the trunk.
• Note:
-VLAN 1, 1002-1005 are ineligible to be pruned
-VTP pruning occurs as an extension to VTP version 1, using an
additional VTP message type. When a Catalyst switch has a port
associated with a VLAN, the switch sends an advertisement to its
neighbor switches that it has active ports on that VLAN. The
neighbors keep this information, enabling them to decide whether
flooded traffic from a VLAN should use a trunk port.
-Pruning does not affect transparent switches (in VTP v1 there is no
pruning message); a transparent switch also does not generate VTP
messages (to tell about pruned VLANs), so the pruning feature must be
configured on servers & all other servers or clients will be affected
automatically, otherwise these switches will need to be manually
configured to prune VLANs from trunk links.
VTP versions
• VTP has three versions: VTP version 1, version 2 & version 3.
• VTP v1, v2 & v3 are incompatible with each other. By default VTP v2
can be degraded to v1 (on a v2-capable switch, v2 is disabled by default,
which means that v1 is running); v3 cannot be degraded if extended VLANs
exist.
• If only one server is enabled for v2, it will propagate the new version to
all v2-capable switches in the domain, causing them to automatically
enable v2 for use.
VTP v2 adds the following over v1:
1-Version-dependent transparent mode
A v1 transparent switch does not forward VTP messages until it checks the
VTP domain & version number; if they do not match the transparent switch
configuration, the messages are dropped. In v2 a transparent switch does
not check the VTP domain & version number.
2-Consistency checks
VTP v2 performs consistency checks on VTP & VLAN parameters (name &
value) entered from the CLI, which helps prevent errors such as duplicate
names, but no consistency checks are performed on VTP messages that
are received on trunk links or on the configuration & database in NVRAM.
3-Support for Token Ring VLANs added
4-Unrecognized TLV support
Unrecognized new types of VTP messages are propagated & saved in NVRAM
instead of being dropped, even if they are not understood.

Tip: A third version of VTP addresses some of the traditional shortcomings.
For example, VTP version 3 supports extended VLAN numbers (1006 to
4095) that are compatible with the IEEE 802.1Q trunking standard.
In version 3 the default mode is secondary server; only the primary server
is allowed to propagate configuration, so a secondary server acts as a
client but saves vlan.dat in flash/NVRAM.
VTP v3 can carry databases other than vlan.dat, such as the MST
VLAN-to-instance database.
VTP v3 can propagate private VLAN configuration. VTP v3 cannot be
degraded to VTP v2 if extended VLANs or private VLANs exist.
VTP Configuration
(config)#vtp domain <domain name>
(config)#vtp mode {server/client/transparent/off}
(config)#vtp password <password> [hidden|secret]
(config)#vtp version {1/2/3}
For VTP ver3:
Switch#vtp primary vlan
This system is becoming primary server for feature vlan
No conflicting VTP3 devices found.
Do you want to continue?[confirm]
! This command will make switch primary server for propagating
VLAN.dat and will make switch checks if there is another
primary or not, only one primary switch allowed, notice
command is in enable mode not global configuration mode !
To make the switch primary for MST (discussed later)
#vtp primary mst

(config)#vtp pruning

• Static pruning:
Used with:
-Servers, to avoid pruning of general purpose VLANs (if they exist).
-Servers connected to transparent switches.
-Servers, clients or transparent switches.
(config-if)#switchport trunk pruning vlan
{add/except/none/remove} <vlan list>
• Note:
STP will run instances for all VLANs, even pruned ones, unless
we use the command:
(config-if)#switchport trunk allowed vlan <_> .........
Troubleshooting VTP

Switch#show vtp status

VTP Version : 1 to 3
VTP version running : 1
Configuration Revision : 247
Maximum VLANs supported locally : 1005
Number of existing VLANs : 33
VTP Operating Mode : Client
VTP Domain Name : Lab_Network
VTP Pruning Mode : Enabled
VTP V2 Mode : Disabled
MD5 digest : 0x45 0x52 0xB6 0xFD 0x63 0xC8 0x49
Configuration last modified by 0.0.0.0 at 8-12-99 15:04:49
Switch#

Switch#show vtp counters

VTP statistics:
Summary advertisements received : 7
Subset advertisements received : 5
Request advertisements received : 0
Summary advertisements transmitted : 997
Subset advertisements transmitted : 13
Request advertisements transmitted : 3
Number of config revision errors : 0
Number of config digest errors : 0
Number of V1 summary errors : 0

VTP pruning statistics:

Trunk            Join Transmitted Join Received    Summary advts received from
                                                   non-pruning-capable device
---------------- ---------------- ---------------- ---------------------------
Fa5/8            43071            42766            5

#sh vlan
#sh vlan brief
#sh interface [_] pruning
#sh interface [_] trunk
#sh interface [_] switchport
Troubleshooting VTP

The following are some common things to check when troubleshooting
problems with VTP:

- Make sure you are trunking between the switches. VTP is sent only
  over trunk links.
- Make sure the domain name matches on both switches. (The name is
  case sensitive.)
- If the switch is not updating its database, make sure it is not in
  transparent mode.
- If using passwords, make sure they all match. To remove a password,
  use no vtp password.
- If VLANs are missing, check the revision number for a possible
  database overwrite. Also check the number of VLANs in the domain.
  There might be too many VLANs for VTP to update properly.

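The checklist above can be run mechanically against "show vtp status" output collected from every switch in the domain. The following Python audit is an added example written for this section (not a Cisco tool): it parses the "Key : Value" lines and flags a case-sensitive domain mismatch, a VTP version mismatch, transparent mode, a revision number higher than the server's (database-overwrite risk) and a differing MD5 digest at the same revision (password mismatch). The first sample is the book's status output with the operating mode changed to Server so that it can act as the reference; the other outputs and all switch names are constructed.

```python
import re

# Constructed sample: SW-Core is the book's "show vtp status" output with the
# mode changed to Server; the other three outputs are made up for the audit.
SHOW_VTP_STATUS = {
    "SW-Core": """\
VTP Version : 1 to 3
VTP version running : 1
Configuration Revision : 247
Maximum VLANs supported locally : 1005
Number of existing VLANs : 33
VTP Operating Mode : Server
VTP Domain Name : Lab_Network
VTP Pruning Mode : Enabled
VTP V2 Mode : Disabled
MD5 digest : 0x45 0x52 0xB6 0xFD 0x63 0xC8 0x49
""",
    "SW-Access1": """\
VTP version running : 1
Configuration Revision : 247
VTP Operating Mode : Client
VTP Domain Name : Lab_Network
MD5 digest : 0x45 0x52 0xB6 0xFD 0x63 0xC8 0x49
""",
    "SW-Access2": """\
VTP version running : 1
Configuration Revision : 3
VTP Operating Mode : Client
VTP Domain Name : lab_network
MD5 digest : 0x11 0x22 0x33 0x44 0x55 0x66 0x77
""",
    "SW-Access3": """\
VTP version running : 2
Configuration Revision : 300
VTP Operating Mode : Client
VTP Domain Name : Lab_Network
MD5 digest : 0x99 0x88 0x77 0x66 0x55 0x44 0x33
""",
    "SW-Dist": """\
VTP version running : 1
Configuration Revision : 247
VTP Operating Mode : Transparent
VTP Domain Name : Lab_Network
MD5 digest : 0x45 0x52 0xB6 0xFD 0x63 0xC8 0x49
""",
}

LINE = re.compile(r"^(?P<key>[A-Za-z0-9 ]+?)\s*:\s*(?P<value>.*)$")


def parse_vtp_status(text):
    """Turn 'Key : Value' lines into a dict with lower-case keys."""
    status = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            status[m.group("key").strip().lower()] = m.group("value").strip()
    status["revision"] = int(status.get("configuration revision", 0))
    status["mode"] = status.get("vtp operating mode", "").lower()
    return status


def audit(outputs):
    """Return {switch: [finding, ...]} for every switch that needs attention."""
    parsed = {name: parse_vtp_status(text) for name, text in outputs.items()}
    servers = [s for s in parsed.values() if s["mode"] == "server"]
    if not servers:
        return {"*": ["no VTP server found in the collected outputs"]}
    ref = max(servers, key=lambda s: s["revision"])      # the authoritative database
    findings = {}
    for name, s in parsed.items():
        notes = []
        if s["mode"] == "transparent":
            notes.append("transparent mode: will relay but never update its database")
        elif s["vtp domain name"] != ref["vtp domain name"]:    # case sensitive
            notes.append(f"domain {s['vtp domain name']!r} != {ref['vtp domain name']!r}")
        else:
            if s["vtp version running"] != ref["vtp version running"]:
                notes.append("VTP version mismatch with the server")
            if s["revision"] > ref["revision"]:
                notes.append(f"revision {s['revision']} > server {ref['revision']}: "
                             "database overwrite risk, reset before trunking")
            elif s["revision"] == ref["revision"] and s["md5 digest"] != ref["md5 digest"]:
                notes.append("same revision but different MD5 digest: password mismatch")
            elif s["revision"] < ref["revision"]:
                notes.append("stale database: check trunking and password")
        if notes:
            findings[name] = notes
    return findings


if __name__ == "__main__":
    for switch, notes in audit(SHOW_VTP_STATUS).items():
        print(switch, "->", "; ".join(notes))
```

The digest comparison is only meaningful at equal revision numbers, because the MD5 digest changes with every database change; at differing revisions the audit reports the revision relationship instead.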
VTP Questions
Question 1
Several new switches have been added to the existing network as VTP clients. All of the
new switches have been configured with the same VTP domain, password, and version.
However, VLANs are not passing from the VTP server (existing network) to the VTP
clients. What must be done to fix this?
A. Remove the VTP domain name from all switches with "null" and then replace it with
the new domain name.
B. Configure a different native VLAN on all new switches that are configured as VTP
clients.
C. Provision one of the new switches to be the VTP server and duplicate information from
the existing network.
D. Ensure that all switch interconnects are configured as trunks to allow VTP information
to be transferred.

Question 2
After implementing VTP, the extended VLANs are not being propagated to other VTP
switches. What should be configured for extended VLANs?
A. VTP does not support extended VLANs and should be manually added to all switches.
B. Enable VTP version 3, which supports extended VLAN propagation.
C. VTP authentication is required when using extended VLANs because of their ability to
cause network instability.
D. Ensure that all switches run the same Cisco IOS version. Extended VLANs will not
propagate to different IOS versions when extended VLANs are in use.

Question 3
Which technique automatically limits VLAN traffic to only the switches that require it?
A. access lists B. DTP in nonegotiate C. VTP pruning D. PBR

Question 4
Refer to the exhibit.

Switch A, B, and C are trunked together and have been properly configured for VTP. Switch
C receives VLAN information from the VTP server Switch A, but Switch B does not receive
any VLAN information. What is the most probable cause of this behavior?
A. Switch B is configured in transparent mode.
B. Switch B is configured with an access port to Switch A, while Switch C is configured
with a trunk port to Switch B.
C. The VTP revision number of the Switch B is higher than that of Switch A.
D. The trunk between Switch A and Switch B is misconfigured.
Question 5
A network is running VTPv2. After verifying all VTP settings, the network engineer notices
that the new switch is not receiving the list of VLANs from the server. Which action
resolves this problem?
A. Reload the new switch.
B. Restart the VTP process on the new switch.
C. Reload the VTP server.
D. Verify connected trunk ports.

Question 6
After configuring new data VLANs 1020 through 1030 on the VTP server, a network
engineer notices that none of the VTP clients are receiving the updates. What is the
problem?
A. The VTP server must be reloaded.
B. The VTP version number must be set to version 3.
C. After each update to the VTP server, it takes up to 4 hours propagate.
D. VTP must be stopped and restarted on the server.
E. Another switch in the domain has a higher revision number than the server.

Question 7
A network engineer is extending a LAN segment between two geographically separated
data centers. Which enhancement to a spanning-tree design prevents unnecessary traffic
from crossing the extended LAN segment?
A. Modify the spanning-tree priorities to dictate the traffic flow.
B. Create a Layer 3 transit VLAN to segment the traffic between the sites.
C. Use VTP pruning on the trunk interfaces.
D. Configure manual trunk pruning between the two locations.

Question 8
When you design a switched network using VTPv2, how many VLANs can be used to
carry user traffic?
A. 1000 B. 1001 C. 1024 D. 2048 E. 4095 F. 4096

Question 9
A new network that consists of several switches has been connected together via trunking
interfaces. If all switches currently have the default VTP domain name "null", which
statement describes what happens when a domain name is configured on one of the
switches?
A. The switch with the non-default domain name restores back to "null" upon reboot.
B. Switches with higher revision numbers does not accept the new domain name.
C. VTP summary advertisements are sent out of all ports with the new domain name.
D. All other switches with the default domain name become VTP clients.
Question 10
Which VTP mode is needed to configure an extended VLAN, when a switch is
configured to use VTP versions 1 or 2?
A. transparent B. client C. server
D. Extended VLANs are only supported in version 3 and not in versions 1 or 2.

Question 11
Which VLAN range is eligible to be pruned when a network engineer enables VTP
pruning on a switch?
A. VLANs 1-1001 B. VLANs 1-4094 C. VLANs 2-1001 D. VLANs 2-4094

Question 12
Which feature must be enabled to eliminate the broadcasting of all unknown traffic to
switches that are not participating in the specific VLAN?
A. VTP pruning B. port-security C. storm control D. bpduguard

Question 13
Refer to the exhibit.

Switch1(config)#vlan 10
VTP vlan configuration not allowed when device is in CLIENT mode.
Switch1#show interfaces trunk

The users in an engineering department that connect to the same access switch cannot
access the network. The network engineer found that the engineering VLAN is missing
from the database. Which action resolves this problem?
A. Disable VTP pruning and disable 802.1q.
B. Update the VTP revision number.
C. Change VTP mode to server and enable 802.1q.
D. Enable VTP pruning and disable 802.1q.

Question 14
Refer to the exhibit

The network switches for two companies have been connected and manually configured for
the required VLANs, but users in company A are not able to access network resources in
company B when DTP is enabled. Which action resolves this problem?
A. Delete vlan.dat and ensure that the switch with lowest MAC address is the VTP server.
B. Disable DTP and document the VTP domain mismatch.
C. Manually force trunking with switchport mode trunk on both switches.
D. Enable the company B switch with the vtp mode server command.

Question 15
A network engineer must improve bandwidth and resource utilization on the switches by
stopping the inefficient flooding of frames on trunk ports where the frames are not needed.
Which Cisco IOS feature can be used to achieve this task?
A. VTP pruning B. access list C. switchport trunk allowed VLAN D. VLAN access-map

Question 16
Which action allows a network engineer to limit a default VLAN from being propagated
across all trunks?
A. Upgrade to VTP version 3 for advanced feature set support.
B. Enable VTP pruning on the VTP server.
C. Manually prune default VLAN with switchport trunk allowed vlans remove.
D. Use trunk pruning vlan 1.

Question 17
Refer to the exhibit.

Switch A, B, and C are trunked together and have been properly configured for VTP. Switch
B has all VLANs, but Switch C is not receiving traffic from certain VLANs. What would
cause this issue?
A. A VTP authentication mismatch occurred between Switch A and Switch B.
B. The VTP revision number of Switch B is higher than that of Switch A.
C. VTP pruning is configured globally on all switches and it removed VLANs from the
trunk interface that is connected to Switch C.
D. The trunk between Switch A and Switch B is misconfigured.

Inter-VLAN Routing
Techniques

Why we need Inter-VLAN Routing?
Problem: Isolated Broadcast Domains
Because of their nature, VLANs inhibit communication between VLANs;
the VLAN concept is total isolation.

Solution: Routing Between VLANs
• Communication between VLANs requires a Layer 3 services module.

Inter-VLAN Routing methods
A- Router & a switch connected with access ports
B- Router & a switch connected with trunk ports (Router-On-a-Stick)

Using the Router on a stick method
– Advantages:
• Simple to implement using any combination of systems
• Router provides communications between VLANs on remote switches
– Disadvantages:
• Single point of failure if only one router port is used
• Single traffic path can become congested; there is a possibility of
inadequate bandwidth for each VLAN
• Additional overhead on the router port can occur
• Network topology can cause performance issues
C- Routing using a MLS

Types of Interfaces
Multilayer switches can perform both Layer 2 switching
and interVLAN routing, as appropriate.
Layer 2 switching occurs between interfaces that are
assigned to Layer 2 VLANs or Layer 2 trunks. Layer 3
switching can occur between any type of interface, as
long as the interface can have a Layer 3 address
assigned to it.
As with a router, a multilayer switch can assign a Layer
3 address to a physical interface. It also can assign a
Layer 3 address to a logical interface that represents
an entire VLAN. This is known as a switched virtual
interface (SVI).
MLS switch port types:
-Switched port (Layer 2 port):
Physical port that connects the switch to an end device or another
switch; this port can be access or trunk.
-Routed port (Layer 3 port):
Physical port that connects a switch to another real router or
firewall. That port should have an IP address and can have routing
protocols running on it; it cannot be divided into subinterfaces,
so it is not suitable for inter-VLAN routing, and it cannot be
configured as access or trunk.
-SVI port (Layer 3 port):
Logical port that is internal to the MLS and used for inter-VLAN
routing; an MLS has 4096 SVIs.

Figure: Catalyst Switch with Various Types of Ports

Layer 2 Port (switched port) Configuration
Switch(config)# interface type mod/num
Switch(config-if)# switchport
The switchport command puts the port in Layer 2 mode. Then you
can use other switchport command keywords to configure trunking,
access VLANs, and so on.

Layer 3 Port (routed port) Configuration
Switch(config)# interface type mod/num
Switch(config-if)# no switchport
Switch(config-if)# ip address ip-address mask
The no switchport command takes the port out of Layer 2 operation. You
then can assign a network address to the port, as you would to a router
interface.
SVI Port Configuration
On a multilayer switch, you also can enable Layer 3 functionality for an
entire VLAN on the switch. This allows a network address to be assigned
to a logical interface: that of the VLAN itself.
This is useful when the switch has many ports assigned to a common
VLAN, and routing is needed in and out of that VLAN.
The logical Layer 3 interface is known as an SVI. However, when it is
configured, it uses the much more intuitive interface name vlan vlan-id, as
if the VLAN itself is a physical interface. First, define or identify the VLAN
interface; then assign any Layer 3 functionality to it with the following
configuration commands:
Switch(config)# interface vlan vlan-id
Switch(config-if)# ip address ip-address mask
Switch(config-if)#no shutdown
The VLAN must be defined and active on the switch before the SVI can be
used. Make sure the new VLAN interface also is enabled with the no
shutdown interface-configuration command.
So just configuring SVI IP addresses for the existing VLANs activates
inter-VLAN routing between VLANs on an MLS. If a single MLS exists you
will not need a routing protocol (all VLAN subnets will be directly
connected), but if multiple MLSs are connected together a routing protocol
must be configured to enable the routing process besides configuring SVIs.
Be aware that an SVI cannot become active until at least one Layer 2 port
assigned to the VLAN has also become active and STP has converged. By
automatically keeping the SVI down until the VLAN is ready, no other
switching or routing functions can attempt to use the SVI prematurely. This
function is called SVI autostate.
You might sometimes want the SVI to stay up even when no Layer 2 ports
are active on the VLAN. For example, you might have a Layer 2 port
configured for port mirroring to capture traffic. In that case, the port would
not be up and functioning normally, so it should be excluded from affecting
the state of the SVI. You can exclude a switch port with the following
interface configuration command:
Switch(config-if)# switchport autostate exclude

Configuring Inter-VLAN Routing on a Router (Router On A Stick) - ROAS

#sh ip route
C 10.1.1.0/24, Fa0/0.1
C 10.10.1.0/24, Fa0/0.10
C 10.20.1.0/24, Fa0/0.20

Configuring Inter-VLAN Routing on a MLS


(config)# ip routing
(config)# router eigrp 50
(config-router)#network 172.20.0.0 ….. optional
(config-router)#exit

(config)#interface vlan 20
(config-if)#ip address 172.20.128.1 255.255.255.0
(config-if)#no shutdown

(config-if)#interface vlan 30
(config-if)#ip address 172.20.129.1 255.255.255.0
(config-if)#no shutdown

#sh ip route
C 172.20.128.0/24, vlan20
C 172.20.129.0/24, vlan30
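As an added illustration of the SVI autostate rule and of the connected ("C") routes shown above, here is a small Python model written for this section; it is not switch code. It constructs SVIs for VLAN 20 and VLAN 30 with the addresses from the configuration above, three Layer 2 ports with made-up names, and marks one port as a SPAN destination with switchport autostate exclude. An SVI is considered up only while a non-excluded port carrying its VLAN is up; only up SVIs contribute connected routes, and a packet to a subnet whose SVI is down has no route.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface


@dataclass
class Port:
    name: str
    vlans: set                        # access VLAN, or the VLANs allowed on a trunk
    up: bool = True
    autostate_exclude: bool = False   # 'switchport autostate exclude' (e.g. a SPAN port)


def svi_is_up(vlan, ports):
    """SVI autostate: the VLAN interface is up only while at least one
    non-excluded Layer 2 port carrying that VLAN is up."""
    return any(p.up and not p.autostate_exclude and vlan in p.vlans for p in ports)


def connected_routes(svis, ports):
    """Mimic the 'C' entries of 'show ip route' on a multilayer switch.
    svis: {vlan-id: 'address/prefix'} as configured under 'interface vlan'."""
    routes = []
    for vlan, addr in sorted(svis.items()):
        if svi_is_up(vlan, ports):
            routes.append((ip_interface(addr).network, f"vlan{vlan}"))
    return routes


def forward(src_vlan, dst, svis, ports):
    """Decide what the MLS does with a packet from src_vlan to dst."""
    dst = ip_address(dst)
    if src_vlan in svis and dst in ip_interface(svis[src_vlan]).network:
        return f"L2 switched within vlan{src_vlan}"         # same subnet: no routing
    best = None
    for net, iface in connected_routes(svis, ports):
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)                               # longest prefix match
    return f"routed to {best[1]}" if best else "no route: dropped"


def demo():
    # Constructed topology; the SVI addresses are the ones from the configuration above.
    svis = {20: "172.20.128.1/24", 30: "172.20.129.1/24"}
    ports = [
        Port("Gi1/0/1", {20}),
        Port("Gi1/0/2", {30}, autostate_exclude=True),   # SPAN destination, excluded
        Port("Gi1/0/24", {20, 30}, up=False),            # trunk uplink, currently down
    ]
    before = forward(20, "172.20.129.10", svis, ports)    # vlan30 SVI is still down
    ports[2].up = True                                    # uplink comes up carrying VLAN 30
    after = forward(20, "172.20.129.10", svis, ports)
    return {
        "vlan30_up_before": svi_is_up(30, ports[:2]),
        "routes_after": [(str(n), i) for n, i in connected_routes(svis, ports)],
        "before": before,
        "after": after,
        "same_subnet": forward(20, "172.20.128.50", svis, ports),
    }


if __name__ == "__main__":
    print(demo())
```

The excluded SPAN port never brings VLAN 30 up on its own, which is exactly the behaviour the autostate exclude command is meant to give: a mirroring port should not make a routed subnet look reachable.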

Preparing switch for
IP Telephony

Cisco IP Phone boot process:
Just about all the concepts discussed so far focus on the boot
process of the Cisco IP Phone.

The following list outlines the Cisco IP Phone boot process, which is
illustrated in the figure:
1. The 802.3af PoE switch sends a small DC voltage on the
Ethernet cable, detects an unpowered 802.3af device, and
supplies power to the line.
2. The switch delivers voice VLAN information to the Cisco
IP Phone using Cisco Discovery Protocol (CDP).
3. The IP Phone sends a Dynamic Host Configuration Protocol
(DHCP) request on its voice VLAN. The DHCP server replies
with IP addressing information, including DHCP Option 150,
which directs the IP phone to the TFTP server.
4. The IP phone contacts the TFTP server and downloads its
configuration file and firmware.
5. Based on the IP address listed in the configuration file, the
IP phone contacts the call processing server (the CME router,
in this case), which supports VoIP functions

Implementing IP Telephony
• Some Requirements must be guaranteed to implement voice application in
enterprise networks
1) Physical layer requirements
The wiring & cabling are critical for IP Telephony, Cabling infrastructure should
be min. category 5e.
2) Bandwidth and traffic requirements
From a traffic standpoint, an IP Telephone call consists of two parts:
a- The voice carrier stream, which consists of RTP (Real-Time Transport
Protocol) packets that contain the actual voice samples.
To support VoIP compression, Cisco VoIP equipment supports these two
common codecs, G.711 and G.729, along with several other common
industry standards.
Coder-decoders (codecs) are used to convert the analog signal to a digital format.
G.711 is a common codec used for normal voice digitization. It is also the only
type supported for the Cisco Conference Connection
G.729 is a codec that provides compression of the voice traffic down to 8 kbps.
b- The call control signaling, which consists of packets belonging to one of several
protocols, for example H.323, SIP & MGCP (Media Gateway Control Protocol);
these protocols perform functions such as setting up, maintaining, tearing down,
or redirecting the call.
Both types of traffic must be considered.
3) Security and Redundancy requirements
Safeguards against attacks are needed, because an attack could leave all
enterprise communication with the outside world in a critical state (discussed
in the next chapter); redundancy is also required (discussed in previous
chapters).

4) Power requirements for IP Phone devices
An IP Phone needs power like any other device in the network.

5) VLAN requirements
A special VLAN is required for the voice service (voice VLAN).

6) Voice QoS
Voice packets can't afford a delay of more than 150 ms; jitter, and loss of
more than 1%, are not acceptable.
Power supplier
• A Cisco IP Phone is like any other node on the network: it must
have power to operate. There are several power levels defined
for VoIP; normal VoIP devices range from 4.0 W to 15.4 W,
depending on the VoIP phone used, and advanced VoIP devices can
require from over 15.4 W up to 30 W.
• Power can come from two sources:

1)An external AC adapter
Plugs into a normal AC wall outlet and provides 48V DC to the
phone. These adapters, commonly called wall warts, are handy
if no other power source is available. However, if a power
failure occurs to the room or outlet where the adapter is
located, the IP Phone will fail.

2)A power injector, which connects to AC power near an Ethernet
switch and provides DC power over the network data cable

3)Inline power or Power over Ethernet (PoE)
How PoE Works
A Catalyst switch can offer power over its Ethernet ports only if it is
designed to do so. It must have one or more power supplies that are rated for
the additional load that will be offered to the connected devices. PoE is
available on many Cisco Catalyst switch platforms.
Inline power is direct current (DC) over the network data cable: the same 48V
DC supply is provided to an IP Phone over the same Category 5e cable that is
used for Ethernet connectivity.
The DC power's source is the Catalyst switch itself.
No other power source is needed, unless an AC adapter is required as a
redundant source.
Inline power is also defined by the IEEE 802.3af standard (PoE), and IEEE
802.3at (PoE plus) for devices requiring power up to 30 W.
Switch(config-if)# power inline {auto | never | static [max power in
milliwatts]}

You can configure a static power budget for a switch port if you have a device
that cannot interact with either of the powered device-discovery methods.
Again, you can set the maximum power offered to the device with max
milliwatts. Otherwise, the default value of 15.4 W is used.

The Catalyst switch also can be connected to an uninterruptible power supply
(UPS) so that it continues to receive and offer power even if the regular AC
source fails. This allows an IP Phone or other powered device to be available
for use even across a power failure.

Two methods provide PoE to connected devices:
a- Cisco Inline Power (ILP): a Cisco-proprietary method developed before
the IEEE 802.3af standard; power is provided over data pairs 2 and 3 (RJ-45
pins 1,2 and 3,6) at 48V DC.
b- IEEE 802.3af: a standards-based method that offers vendor
interoperability; power is provided over data pairs 2 and 3 (RJ-45 pins 1,2
and 3,6) or over pairs 1 and 4 (RJ-45 pins 4,5 and 7,8).

How Inline Power Works
1- A Catalyst switch with inline power always keeps the power disabled
when a switch port is down.
2- When a switch port first comes up, the switch must detect whether to
send power or not in order not to damage a regular PC.
3- The switch sends out a 340-kHz test tone on the transmit pair of the
twisted-pair Ethernet cable. A tone is transmitted rather than DC power
because the switch must first detect an inline power-capable device before
offering it power.
4- An IP Phone loops the transmit and receive pairs of its Ethernet
connection, even while it is powered off.
5- When it is connected to an inline power switch port, the switch can “hear”
its test tone looped back. Then it safely assumes that a powered device is
present, and power can be applied to it.
Inline power is provided over pairs 2 and 3 (RJ-45 pins 1,2 and 3,6) at 48V
DC.
Note that the switch power supply must be sized appropriately to offer
continuous power to an IP Phone on every powered switch port. Inline power
is available on the Catalyst 3550-24-PWR, Catalyst 4500, and Catalyst 6500
platforms.
6- A switch first offers a default power allocation to the powered device. On
a Catalyst 3560-24-PWR, for example, an IP Phone first receives 15.0 watts
(0.36 amps at 48V DC). Now, the device has a chance to power up and bring
its Ethernet link up, too.
7- The switch then attempts a Cisco Discovery Protocol (CDP) message
exchange with the device. This allows it to learn that the device is a Cisco IP
Phone, as well as to learn the phone’s actual power requirements. The switch
can then reduce the inline power to the amount requested by the phone.

The commands debug ilpower controller and debug cdp packets display the
inline power operation.

CAUTION A Catalyst switch waits for 4 seconds after inline power is applied
to a port to see if an IP Phone comes alive. If not, the power is removed from
the port.
Be careful if you plug an IP phone into a switch port, and then remove it and
plug in a normal Ethernet device. The inline power still could be applied
during the 4-second interval, damaging a nonpowered device. Wait 10
seconds after unplugging an IP Phone before plugging anything back into the
same port.
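The seven steps and the 4-second caution above can be written as one small state model, which is useful when sizing a power supply or reasoning about what a port will do with an unknown device. The following Python example was written for this section and is not Cisco firmware: the 15.0 W default allocation and the 4-second wait are the book's figures, while the 40 W supply headroom, the 6.3 W CDP request, the 9000 mW static maximum and the port names are constructed. Static mode is modelled as the text describes it, reserving the budget without waiting for discovery.

```python
from dataclasses import dataclass, field

DEFAULT_ALLOCATION_W = 15.0   # book: a Catalyst 3560-24-PWR first offers 15.0 W (0.36 A at 48 V)
STATIC_DEFAULT_W = 15.4       # book: default for 'power inline static' when no max is given
PHONE_WAIT_S = 4              # book: power is removed if no phone comes alive within 4 s


@dataclass
class PoeSwitch:
    budget_w: float                                  # constructed supply headroom for inline power
    allocated: dict = field(default_factory=dict)    # port -> watts currently reserved

    def available_w(self):
        return round(self.budget_w - sum(self.allocated.values()), 2)

    def link_down(self, port):
        """Step 1: power is always disabled while the port is down."""
        self.allocated.pop(port, None)

    def link_up(self, port, mode, loops_tone, link_up_after_s=None,
                cdp_request_w=None, static_max_mw=None):
        """Walk one port through the inline-power sequence for a new link.
        mode is the 'power inline' setting; loops_tone says whether the
        340 kHz test tone came back. Returns (powered, watts, reason)."""
        if mode == "never":
            return False, 0.0, "power inline never"
        if mode == "static":                         # budget reserved without discovery
            want = (static_max_mw / 1000) if static_max_mw else STATIC_DEFAULT_W
            if want > self.available_w():
                return False, 0.0, "static budget exceeds supply"
            self.allocated[port] = want
            return True, want, "static allocation"
        # mode == "auto": steps 3-5, DC is applied only after the tone loops back
        if not loops_tone:
            return False, 0.0, "no powered device detected, port stays unpowered"
        if DEFAULT_ALLOCATION_W > self.available_w():
            return False, 0.0, "supply budget exhausted"
        self.allocated[port] = DEFAULT_ALLOCATION_W   # step 6: default allocation
        if link_up_after_s is None or link_up_after_s > PHONE_WAIT_S:
            self.allocated.pop(port)                  # caution: nothing came alive in 4 s
            return False, 0.0, f"no device within {PHONE_WAIT_S} s, power removed"
        if cdp_request_w is not None and cdp_request_w < DEFAULT_ALLOCATION_W:
            self.allocated[port] = cdp_request_w      # step 7: CDP trims to the real need
            return True, cdp_request_w, "reduced to CDP-requested power"
        return True, DEFAULT_ALLOCATION_W, "default allocation kept"


def demo():
    sw = PoeSwitch(budget_w=40.0)                     # constructed: room for two default phones
    return {
        "phone": sw.link_up("Fa0/1", "auto", True, link_up_after_s=2, cdp_request_w=6.3),
        "pc": sw.link_up("Fa0/2", "auto", False),
        "dead": sw.link_up("Fa0/3", "auto", True, link_up_after_s=9),
        "static": sw.link_up("Fa0/4", "static", False, static_max_mw=9000),
        "never": sw.link_up("Fa0/5", "never", True, link_up_after_s=1),
        "full": [sw.link_up(f"Fa0/{n}", "auto", True, link_up_after_s=1) for n in (6, 7)],
        "available": sw.available_w(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The last two ports show the sizing point from the text: the second phone is refused because the default 15.0 W allocation no longer fits, even though the first phone only needs 6.3 W after the CDP exchange.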
Voice VLAN
Most Cisco IP Phone models contain a three-port switch, connecting to
the:
1- Upstream Switch
2- The user PC
3- Internal VoIP data stream

• The link mode between the IP Phone and the switch is negotiated; you can
configure the switch to instruct the phone to use a special-case 802.1Q trunk
or a single VLAN access link. With a trunk, the voice traffic can be isolated
from other user data, providing security and QoS capabilities, this could be
achieved by supporting separate VLAN for the voice.
• As an access link, both voice and data must be combined over
the single VLAN. This simplifies other aspects of the switch
configuration because a separate voice VLAN is not needed,
but it could compromise the voice quality, depending on the PC
application mix and traffic load.



Voice VLAN Configuration
Although you can configure the IP Phone uplink as a trunk or
nontrunk, the real consideration pertains to how the voice traffic
will be encapsulated. The voice packets must be carried over a
unique voice VLAN (known as the voice VLAN ID or VVID or
Auxiliary VLAN) or over the regular data VLAN (known as the
native VLAN or the port VLAN ID, PVID). The QoS information
from the voice packets also must be carried.
If an 802.1Q trunk is needed, a special-case trunk automatically is
negotiated by the Dynamic Trunking Protocol (DTP) and
CDP/LLDP.
Switch(config-if)# switchport voice vlan { vlan-id | dot1p | untagged | none}



The default condition for every switch port is none, where a trunk
is not used. All modes except for none use the special-case
802.1Q trunk. The only difference between the dot1p and untagged
modes is the encapsulation of voice traffic. The dot1p mode puts
the voice
packets on VLAN 0, which requires a VLAN ID (not the native
VLAN) but doesn’t require a unique voice VLAN to be created.
The untagged mode puts voice packets in the native VLAN,
requiring neither a VLAN ID nor a unique voice VLAN.
The most versatile mode uses the vlan-id, as shown in case A in
Figure. Here, voice and user data are carried over separate
VLANs. VoIP packets in the voice VLAN also carry the CoS bits
in the 802.1p trunk encapsulation field.
Be aware that the special-case 802.1Q trunk automatically is
enabled through a CDP information exchange between the switch
and the IP Phone. The trunk contains only two VLANs—a voice
VLAN (tagged VVID) and the data VLAN. The switch port’s
access VLAN is used as the data VLAN that carries packets to
and from a PC that is connected to the phone’s PC port.
If an IP Phone is removed and a PC is connected to the same
switch port, the PC still will be capable of operating because the
data VLAN still will appear as the access VLAN— even though
the special trunk no longer is enabled.



Two instances of STP will run on the IP Phone trunk, one per VLAN
(figure: VLANs 10 and 110).


Voice QoS
Why we need VoIP QoS?

• QoS Trust
The port connected to an IP Phone must be trusted & the device beyond it may
not be trusted.

Make the trust conditional:
Switch(config-if)# mls qos trust device cisco-phone
You also can make the QoS trust conditional on a Cisco IP Phone being present.
If this command is used, the QoS parameter defined in step 2 is trusted only
if a Cisco phone is detected through CDP. If a phone is not detected, the
QoS parameter is not trusted.

Switch(config-if)# switchport priority extend {cos value | trust}
This command makes the switch send CDP messages to the IP Phone telling it
the CoS to use for the extended (PC) port: the IP Phone will mark any frames
from the PC port with the configured CoS value, or leave them as they are
({trust}). This command also tells the switch that anything tagged from the
voice VLAN is trusted & other VLANs are not trusted.

1 & 2 are optimum trust boundaries (access layer switches), but 3 is
recommended (figure).
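The voice VLAN encapsulation modes (vlan-id, dot1p, untagged) and the trust rule just described can be seen at the byte level. The following Python example was written for this section and is neither Cisco code nor a full QoS implementation: it builds Ethernet frames with or without an 802.1Q tag, shows how the phone encapsulates voice under each switchport voice vlan mode, and then classifies each frame the way a port with mls qos trust device cisco-phone does, trusting the CoS only when a phone was detected and the frame is tagged in the voice VLAN (or carries a priority-only VID 0 tag in dot1p mode). The MAC addresses, VLAN 10 (data) and 110 (voice), the payload and the assumption that the phone marks voice with CoS 5 are all constructed.

```python
import struct

TPID_8021Q = 0x8100
COS_VOICE = 5          # assumption: the phone marks its voice frames with CoS 5
ETH_IPV4 = 0x0800

# Constructed addresses for the sample frames
PHONE_MAC = bytes.fromhex("001122334455")
PC_MAC = bytes.fromhex("66778899aabb")
GATEWAY_MAC = bytes.fromhex("ccddeeff0011")


def build_frame(dst, src, ethertype, payload, vid=None, cos=0):
    """Ethernet frame, optionally 802.1Q tagged. vid=0 is a priority-only (dot1p) tag."""
    frame = dst + src
    if vid is not None:
        tci = ((cos & 0x7) << 13) | (vid & 0xFFF)     # PCP (CoS) in the top 3 bits, VID in the low 12
        frame += struct.pack(">HH", TPID_8021Q, tci)
    return frame + struct.pack(">H", ethertype) + payload


def parse_frame(frame):
    """Return the tag fields the switch classifies on."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack(">H", frame[12:14])
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack(">H", frame[14:16])
        return {"tagged": True, "vid": tci & 0xFFF, "cos": tci >> 13}
    return {"tagged": False, "vid": None, "cos": None}


def phone_voice_frame(voice_mode, payload, vvid=None):
    """How the phone encapsulates voice under each 'switchport voice vlan' mode."""
    if voice_mode == "vlan-id":          # separate voice VLAN, CoS carried in the tag
        return build_frame(GATEWAY_MAC, PHONE_MAC, ETH_IPV4, payload, vid=vvid, cos=COS_VOICE)
    if voice_mode == "dot1p":            # VLAN 0 tag: CoS carried, no voice VLAN needed
        return build_frame(GATEWAY_MAC, PHONE_MAC, ETH_IPV4, payload, vid=0, cos=COS_VOICE)
    if voice_mode == "untagged":         # native VLAN, neither VLAN ID nor CoS carried
        return build_frame(GATEWAY_MAC, PHONE_MAC, ETH_IPV4, payload)
    raise ValueError(voice_mode)


def classify_ingress(frame, access_vlan, voice_mode, phone_detected, vvid=None):
    """Switch-side classification for a port with 'mls qos trust device cisco-phone'.
    Returns the VLAN the frame is placed in and the CoS the switch will use."""
    f = parse_frame(frame)
    in_voice_vlan = f["tagged"] and (
        (voice_mode == "vlan-id" and f["vid"] == vvid) or
        (voice_mode == "dot1p" and f["vid"] == 0))
    # Untagged and priority-only (VID 0) frames land in the port's access VLAN
    vlan = f["vid"] if (f["tagged"] and f["vid"] != 0) else access_vlan
    trusted = bool(phone_detected and in_voice_vlan)   # voice VLAN only, and only with a phone
    return {"vlan": vlan, "cos": f["cos"] if trusted else 0, "trusted": trusted}


def demo():
    rtp = b"\x00" * 20                                  # constructed stand-in for an RTP packet
    voice = phone_voice_frame("vlan-id", rtp, vvid=110)
    pc = build_frame(GATEWAY_MAC, PC_MAC, ETH_IPV4, b"\x00" * 20)   # PC-port traffic, untagged
    prio = phone_voice_frame("dot1p", rtp)
    return {
        "voice_with_phone": classify_ingress(voice, 10, "vlan-id", True, vvid=110),
        "voice_no_phone": classify_ingress(voice, 10, "vlan-id", False, vvid=110),
        "pc_data": classify_ingress(pc, 10, "vlan-id", True, vvid=110),
        "dot1p_voice": classify_ingress(prio, 10, "dot1p", True),
        "parsed_voice": parse_frame(voice),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The "voice_no_phone" case is the trust boundary in action: the same CoS 5 tag arriving on a port where CDP never saw a phone is reset to 0, so a device that merely imitates the phone's marking gains no priority.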
To reduce the complexity, Cisco introduced the Auto-QoS
feature on most switch platforms. By entering only a couple of
configuration commands, you can enable the switch to
automatically configure a variety of QoS parameters.
Auto-QoS is actually handled by a macro command, which in turn enters many other configuration commands as if they were entered from the command-line interface. Because of this, Auto-QoS is best used on a switch that still has the default QoS configuration. Otherwise, any existing QoS commands could be overwritten or could interfere with the commands produced by the Auto-QoS macro.
Tip: The Auto-QoS feature is designed to automatically configure many more advanced QoS parameters in specific applications. For example, Auto-QoS can be used on switch interfaces where Cisco IP Phones are connected. Auto-QoS is not meant to be used on all switches in a network. Therefore, you should consider using it in access layer switches and not necessarily the network core.
The configuration commands resulting from Auto-QoS were developed from rigorous testing and Cisco best practices. Auto-QoS handles the following types of QoS configuration:
■ Enabling QoS
■ CoS-to-DSCP mapping for QoS marking
■ Ingress and egress queue tuning
■ Strict priority queues for egress voice traffic
■ Establishing an interface QoS trust boundary



Configuring Auto-QoS for VoIP
Switch(config-if)# auto qos voip {cisco-phone | cisco-softphone}
Conditional trust: if no IP Phone is detected by CDP, no trust is assumed. This automatically enables the trusted boundary feature, which uses CDP to detect the presence or absence of a Cisco IP Phone. If the interface is connected to a Cisco IP Phone, the QoS labels of incoming packets are trusted only while the phone is detected.

Switch(config-if)# auto qos voip trust

Use this on an uplink interface connected to a trusted switch or router: the VoIP classification carried in the ingress packets is trusted unconditionally, so apply it only toward devices you control.

Switch#show auto qos

Initial configuration applied by AutoQoS:
wrr-queue bandwidth 20 1 80 0
no wrr-queue cos-map
wrr-queue cos 1 0 1 2 4
wrr-queue cos 3 3 6 7
wrr-queue cos 4 5
mls qos map cos-dscp 0 8 16 26 32 46 48 56
!
interface FastEthernet0/3
 mls qos trust device cisco-phone
 mls qos trust cos

Tip: If you have already configured Auto-QoS on an interface by using the cisco-phone, cisco-softphone, or trust keyword, you won't be allowed to use the auto qos voip command again on the same interface. Instead, first remove the existing Auto-QoS configuration by entering no auto qos voip, then use the auto qos voip command with the desired keyword to enable Auto-QoS.
Remember that the auto qos voip command is actually a macro that executes
many other configuration commands for you. The auto qos voip command will
appear in the switch configuration, along with the other commands it enters.
You won’t see the additional commands until you show the running
configuration. However, using the debug auto qos EXEC command displays
the additional commands in the resulting debug messages. (Do not forget to
disable the debugging with no debug auto qos when you finish with it.)



Aggregating
Switch Links
(VTAS DS NS NS ND, which reads as a mnemonic for the bundle conditions listed later: same VLAN, same Trunk mode, same Allowed VLANs, same STP settings, same Duplex and Speed, No port Security, No SPAN destination, No Dynamic VLAN)


Switch Port Aggregation with EtherChannel
As discussed before switches can use Ethernet, Fast Ethernet, Gigabit, or
10-Gigabit Ethernet ports to scale link speeds by a factor of 10. It might
seem logical to simply add more links between two switches to scale the
bandwidth incrementally. Suppose two switches have a single Gigabit
Ethernet link between them. If you add a second link, will the available
bandwidth double? No, because each link acts independently, a bridging loop
could easily form through them. As the left portion of Figure shows, STP will
detect the loop potential and will place one of the links in the blocking state.
The end result is still a single active link between switches. Even if you add
several more links, STP will keep all but one in the blocking state, as shown
on the right portion of figure.

Cisco offers another method of scaling link bandwidth by aggregating, or bundling, parallel links, termed EtherChannel technology. Two to eight links of Fast Ethernet (FE), Gigabit Ethernet (GE), or 10-Gigabit Ethernet (10GE) can be bundled as one logical link of Fast EtherChannel (FEC), Gigabit EtherChannel (GEC), or 10-Gigabit EtherChannel (10GEC), respectively. This bundle provides a full-duplex bandwidth of up to 1600 Mbps (eight links of Fast Ethernet), 16 Gbps (eight links of GE), or 160 Gbps (eight links of 10GE).
This also provides an easy means to "grow," or expand, a link's capacity between two switches, without having to continually purchase hardware for the next magnitude of throughput. For example, a single Fast Ethernet link (200 Mbps full-duplex throughput) can be incrementally expanded up to eight Fast Ethernet links (1600 Mbps) as a single Fast EtherChannel. If the traffic load grows beyond that, the growth process can begin again with a single GE link (2 Gbps throughput), which can be expanded up to eight GE links as a Gigabit EtherChannel (16 Gbps). The process repeats again by moving to a single 10GE link, and so on.
Ordinarily, having multiple or parallel links between switches creates the
possibility of bridging loops, an undesirable condition. EtherChannel avoids
this situation by bundling parallel links into a single, logical link, which can
act as either an access or a trunk link. Switches or devices on each end of
the EtherChannel link must understand and use the EtherChannel technology
for proper operation. Figure demonstrates how the links added in Figure can
be configured as an EtherChannel bundle. All the bundled physical links are
collectively known by the logical EtherChannel interface, port channel 1.
Notice that none of the physical links are in the Blocking state; STP is aware
of the single port channel interface, which is kept in the Forwarding state.

Although an EtherChannel link is seen as a single logical link, the link does not necessarily have an inherent total bandwidth equal to the sum of its component physical links. For example, suppose that a GEC link is made up of four full-duplex 1-Gbps GE links. Although it is possible for the GEC link to carry a total throughput of 8 Gbps (if each link becomes fully loaded), the single resulting GEC bundle does not operate at this speed.
Instead, traffic is distributed across the individual links within the EtherChannel. Each of these links operates at its inherent speed (2 Gbps full duplex for GE) but carries only the frames placed on it by the EtherChannel hardware. If the load-distribution algorithm favors one link within the bundle, that link will carry a disproportionate amount of traffic. In other words, the load is not always distributed equally among the individual links. The load-balancing process is explained further in the next section.
EtherChannel also provides redundancy with several bundled physical links. If one of the links within the bundle fails, traffic sent through that link is automatically moved to an adjacent link. Failover occurs in less than a few milliseconds and is transparent to the end user. As more links fail, more traffic is moved to further adjacent links. Likewise, as links are restored, the load automatically is redistributed among the active links.

Switch Port Aggregation with Ether Channels
• Switches can use Ethernet, FastEthernet & Gigabit Ethernet to scale link
speeds.
• Cisco offers another method of scaling link BW by aggregating or
bundling parallel links termed as the EtherChannel technology.
• Two to eight links of FE or GE are bundled as one logical link of FEC
(FastEtherChannel) or GEC (GigaEtherChannel), that can provide a full
duplex BW up to 1600Mbps or 16Gbps

EtherChannels provide switching devices with the ability of:
– Logical aggregation of similar links
– Being viewed as one logical port
– Switch-level load balancing
– Link-level redundancy

Bundle conditions
• All bundled ports must be:
1- In the same VLAN (if they are access ports)
2- In the same trunk mode (if they are trunk ports)
3- Configured with the same allowed VLANs (if they are trunk ports)
4- Configured with identical STP settings
5- Set to the same duplex and speed
6- Without port security enabled
7- Not a SPAN destination (being a SPAN source is no problem)
8- Not in dynamic VLAN assignment mode (VMPS learning issues affect the switch)

• Use the show interface capabilities command to check whether a switch port supports the EtherChannel feature.
Traffic Distribution
• EtherChannel performs "traffic distribution" among the available links of the bundle, so the load is not necessarily balanced equally across the links; there must be an algorithm or criterion that maps a given flow to a given link in the bundle.
• This load balancing is not done frame by frame or packet by packet. Instead, address fields in the frame or packet are run through a hashing algorithm that yields a small binary value; this value is matched to one of the links in the bundle, and all traffic producing that value is carried over that link.
Link Selection Criteria
• Selection can be based on:
1-Source IP 2-Destination IP 3-Both source & destination IP
4-Source MAC 5-Destination MAC 6-Both source & destination MAC
7-Source port 8-Destination port 9-Both source & destination port
• If there are 2 links, only one bit is needed for selection (0 goes through the first link, 1 through the second).
• If there are 4 links, 2 bits are needed to differentiate between links.
• If there are 8 links, 3 bits are needed to differentiate between links.
• For selection based on source and destination addresses together, the XOR operation is used.

Remember:
1 XOR 0 = 1
1 XOR 1 = 0
0 XOR 0 = 0


For example, an EtherChannel consisting of two links bundled together
requires a 1-bit index. If the index is 0, link 0 is selected; if the index
is 1, link 1 is used. Either the lowest-order address bit or the XOR of
the last bit of the addresses in the frame is used as the index. A four-
link bundle uses a hash of the last 2 bits. Likewise, an eight-link bundle
uses a hash of the last 3 bits. The hashing operation’s outcome selects
the EtherChannel’s outbound link. Table shows the results of an XOR
on a two-link bundle, using the source and destination addresses.

The XOR operation is performed independently on each bit position in the


address value. If the two address values have the same bit value, the
XOR result is always 0. If the two address bits differ, the XOR result is
always 1. In this way, frames can be distributed statistically among the
links with the assumption that MAC or IP addresses themselves are
distributed statistically throughout the network. In a four-link
EtherChannel, the XOR is performed on the lower 2 bits of the address
values, resulting in a 2-bit XOR value (each bit is computed separately)
or a link number from 0 to 3.

As an example, consider a packet being sent from IP address 192.168.1.1


to 172.31.67.46. Because EtherChannels can be built from two to eight
individual links, only the rightmost (least significant) 3 bits are needed
as a link index. From the source and destination addresses, these bits
are 001 (1) and 110 (6), respectively. For a two-link EtherChannel, a
1-bit XOR is performed on the rightmost address bit: 1 XOR 0 = 1,
causing Link 1 in the bundle to be used. A four-link EtherChannel
produces a 2-bit XOR: 01 XOR 10 = 11, causing Link 3 in the bundle to
be used.
A conversation between two devices always is sent through the same
EtherChannel link because the two endpoint addresses stay the same.
However, when a device talks to several other devices, chances are
that the destination addresses are distributed equally with 0s and 1s in
the last bit (even and odd address values). This causes the frames to
be distributed across the EtherChannel links.
Note that the load distribution is still proportional to the
volume of traffic passing between pairs of hosts or link
indexes. For example, suppose that there are two pairs
of hosts talking across a two-link channel, and each
pair of addresses results in a unique link index. Frames
from one pair of hosts always travel over one link in the
channel, while frames from the other pair travel over
the other link. The links both are being used as a result
of the hash algorithm, so the load is being distributed
across every link in the channel.
However, if one pair of hosts has a much greater volume of
traffic than the other pair, one link in the channel will be
used much more than the other. This still can create a
load imbalance. To remedy this condition, you should
consider other methods of hashing algorithms for the
channel.
For example, a method that uses the source and
destination addresses along with UDP or TCP port
numbers can distribute traffic much differently. Then,
packets are placed on links within the bundle based on
the applications used within conversations between two
hosts.

Another link selection example

• Suppose the source MAC is 0000.000C.1111 (last hex digit 1 = binary 0001) and the destination MAC is 0000.000C.2222 (last hex digit 2 = binary 0010). If the bundle has 8 links and the selection criterion is source and destination MAC, 3 bits from each address are enough: 001 XOR 010 = 011 (3 in decimal), so this frame uses link index 3, the fourth link of the bundle.
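The bit-selection rule from the IP example (192.168.1.1 to 172.31.67.46) and the MAC example above, carried out in code. This is an added example written for this page, not Cisco's hardware hash: a real Catalyst ASIC hashes into more buckets and maps buckets to links unevenly for 3, 5, 6 or 7 links, so this is only the textbook model the text uses. The load-balance keyword names are the real ones; the sample addresses and the client-to-router flows are constructed.

```python
"""Simplified EtherChannel link selection (added example, not Cisco code).

Implements the model the text describes: take the low-order bits of the
address(es) named by the port-channel load-balance method, XOR them when
both source and destination are used, and use the result as the index of
the outbound link.  Real Catalyst ASICs hash into more buckets and map
buckets to links unevenly for 3, 5, 6 or 7 links, so this is the textbook
model only.  Sample addresses and flows below are constructed.
"""
import ipaddress

METHODS = ("src-ip", "dst-ip", "src-dst-ip",
           "src-mac", "dst-mac", "src-dst-mac",
           "src-port", "dst-port", "src-dst-port")


def _mac_to_int(mac):
    """Accept 0000.000C.1111, 00:00:00:0c:11:11 or 00-00-00-0c-11-11."""
    return int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)


def _field_to_int(kind, value):
    if kind == "ip":
        return int(ipaddress.ip_address(value))
    if kind == "mac":
        return _mac_to_int(value)
    return int(value)                       # TCP/UDP port number


def select_link(method, num_links, src=None, dst=None):
    """Return the link index (0 .. num_links-1) for one frame or packet."""
    if method not in METHODS:
        raise ValueError(f"unknown load-balance method {method!r}")
    if num_links not in (2, 4, 8):
        raise ValueError("this model needs 2, 4 or 8 links (1, 2 or 3 index bits)")
    nbits = num_links.bit_length() - 1      # 2 -> 1 bit, 4 -> 2, 8 -> 3
    mask = (1 << nbits) - 1
    kind = method.rsplit("-", 1)[1]         # ip | mac | port
    index = 0
    if method.startswith("src"):            # src-* and src-dst-*
        index ^= _field_to_int(kind, src) & mask
    if "dst" in method:                     # dst-* and src-dst-*
        index ^= _field_to_int(kind, dst) & mask
    return index


def distribute(method, num_links, flows):
    """Count how many (src, dst) flows the hash places on each link."""
    counts = {i: 0 for i in range(num_links)}
    for src, dst in flows:
        counts[select_link(method, num_links, src, dst)] += 1
    return counts


# Constructed sample: eight clients all talking to one router MAC.  With a
# MAC-based method that keys on the router's address, every flow lands on the
# same link, which is the "router connected to an EC" case discussed later.
ROUTER_MAC = "0000.000C.00FF"
CLIENT_FLOWS = [(f"0000.0001.00{n:02X}", ROUTER_MAC) for n in range(1, 9)]

if __name__ == "__main__":
    print(select_link("src-dst-ip", 2, "192.168.1.1", "172.31.67.46"))         # 1
    print(select_link("src-dst-ip", 4, "192.168.1.1", "172.31.67.46"))         # 3
    print(select_link("src-dst-mac", 8, "0000.000C.1111", "0000.000C.2222"))   # 3
    print(distribute("dst-mac", 2, CLIENT_FLOWS))   # all eight flows on link 1
    print(distribute("src-mac", 2, CLIENT_FLOWS))   # four on each link
```

Running distribute with dst-mac against the constructed client flows shows the special case described later on this page: every client reaches the router through one link, while src-mac or an IP-based method spreads the same flows across both.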
Configuring EC load distribution
(config)#port-channel load-balance <method>
Methods:
src-ip      dst-ip      src-dst-ip
src-mac     dst-mac     src-dst-mac
src-port    dst-port    src-dst-port

- Default on 2950 and 3550 (L2) is src-mac
- Default on 3550 (L3), 4500 and 6500 is src-dst-ip
• To display the hash algorithm in use:
Switch#show etherchannel load-balance
Source XOR Destination IP address

• To display the load on each link (the Load column is a hex bitmask of the hash buckets assigned to the port, not a percentage):
Switch#show etherchannel port-channel
Switch#show etherchannel 1 port-channel
Port-channels in the group:
----------------------

Port-channel: Po1
------------

Age of the Port-channel = 01d:01h:31m:38s
Logical slot/port = 1/0 Number of ports = 2
GC = 0x00020001 HotStandBy port = null
Port state = Port-channel Ag-Inuse

Ports in the Port-channel:

Index Load Port EC state
------+------+------+------------
0 00 Gi0/9 desirable-sl
0 00 Gi0/10 desirable-sl

Time since last port bundled: 00d:20h:04m:38s Gi0/9
Time since last port Un-bundled: 00d:21h:17m:20s Gi0/10
Link Selection special cases
If a router is connected to an EC, the router always uses its own MAC address, so if the src-mac criterion is used, frames from the router always take the same path, and if dst-mac is used for client traffic toward the router, all of it takes the same path; if two routers communicate with each other, src-dst-mac is constant as well. Using an IP-based criterion (or one that includes L4 ports) distributes such traffic better.
Link redundancy
If a link in the channel fails, the default port (the first port to come up in the channel, or, if several come up at the same time, the one with the lowest port ID) carries the failed link's traffic. The default port also carries most switch protocol messages (VTP, STP, ...); CDP is the exception and is sent over every link to aid discovery.

Avoidance of switching loops with EC

• Ordinarily, having multiple or parallel links between switches creates the possibility of bridging loops. A special protection rule is used with EC to avoid them: "no inbound (received) broadcast, multicast or otherwise flooded traffic is sent back out over any of the remaining ports in the channel; outbound flooded frames are load balanced like any other traffic, so flooded traffic becomes part of the hashing calculation that chooses an outbound channel link." STP also treats the EC as one physical link, so if a member link fails STP does not recalculate and no TCN BPDU is sent.
EtherChannel Dynamic Negotiation protocols
• To provide some dynamic link configuration, dynamic creation of an EC between switches can be allowed using either PAgP (Port Aggregation Protocol) or LACP (Link Aggregation Control Protocol).

The three major aspects of EtherChannel are:
- Frame distribution
- Management of the EtherChannel
- Logical port
An EtherChannel protocol has to satisfy all three aspects.
1) PAgP
Port Aggregation Protocol

• PAgP is a Cisco proprietary protocol; PAgP packets are exchanged between switches over EtherChannel-capable ports.
• PAgP learns the neighbor device ID and port capabilities; ports that see the same neighbor device ID and have the same port group capability on the local switch are bundled together as a bidirectional point-to-point EtherChannel link.
• PAgP aids in the automatic creation of Fast EtherChannel links. PAgP packets are sent between Fast EtherChannel-capable ports to negotiate the forming of a channel. When PAgP identifies matched Ethernet links, it groups the links into an EtherChannel, which is then added to the spanning tree as a single bridge port.
• Management of the EtherChannel is done by PAgP. PAgP packets are sent every 30 seconds to the multicast group MAC address 01-00-0C-CC-CC-CC. PAgP checks for configuration consistency and manages link additions and failures between two switches. It ensures that when the EtherChannel is created all ports have the same type of configuration: in an EtherChannel it is mandatory that all ports have the same speed, duplex setting, and VLAN information. After the channel is created, configuration applied to the port-channel interface affects the entire EtherChannel, while configuration applied to a physical interface affects only that interface.
• The last component of EtherChannel is the creation of the logical port. The logical port, or Agport, is composed of all the links that make up the EtherChannel. The functionality and behaviour of the Agport is no different from that of any other port; for instance, the spanning tree algorithm treats the Agport as a single port.

For example:
• If the VLAN, speed, or duplex of an established port in the bundle changes, PAgP changes that parameter for all the ports of the bundle.
• PAgP can be configured in active mode, "desirable", actively asking the far end to negotiate an EC, or
• in passive mode, "auto", where the switch negotiates an EC only if the far end initiates it; this is the default for PAgP.


Configuring PAgP
(config)#interface <_>
(config-if)#channel-protocol pagp
(config-if)#channel-group <group no.> mode {on | desirable | auto | off} [non-silent]

• By default, PAgP operates in silent submode with the desirable and auto modes, and allows ports to be added to an EtherChannel even if the other end of the link is silent and never transmits data packets. This might seem to go against the idea of PAgP, in which two endpoints are supposed to negotiate a channel. After all, how can two switches negotiate anything if no PAgP packets are received?

The key is in the phrase "if the other end is silent." The silent submode listens for any packets from the far end, looking to negotiate a channel. If none is received within a short window (approximately 15 seconds), silent submode assumes that a channel should be built anyway and stops expecting packets from the far end. This allows a switch to form an EtherChannel with a device such as a file server or a network analyzer that does not participate in PAgP. In the case of a network analyzer connected to the far end, you also might want to see the PAgP packets generated by the switch, as if you were using a normal PAgP EtherChannel.

• The non-silent keyword reverses this: a port is added to the channel only after traffic is actually received from the far end, so use it between two PAgP-capable switches when the channel should form only with a confirmed partner.

• If PAgP is not heard on an active port, the port remains in the up state, but PAgP reports to STP that the port is down.


2) LACP
Link Aggregation Control Protocol
• It is a standards-based alternative to PAgP, defined in IEEE 802.3ad and later folded into IEEE 802.3 clause 43, "Link Aggregation".
• LACP also learns the neighbor ID and port group capabilities and compares them with the local switch's capabilities; however, LACP assigns roles to the EC endpoints: the switch with the lowest system ID (2-byte system priority + 6-byte system MAC address) is allowed to make decisions about which ports actively participate in the EC (in other words, the master).
• A set of up to 16 links can be negotiated for an EC through LACP, but only 8 of the links are active; the other 8 are standby links that replace active links as they fail. The ports are selected according to their port ID (2-byte port priority + 2-byte port number), and the 8 links with the lowest port IDs are chosen as active.
• LACP can be configured in either "active" or "passive" mode; passive is the default.

Configuring LACP
(config)#interface <_>
(config-if)#channel-protocol lacp
(config-if)#channel-group <group no.> mode {on | active | passive | off}
(config-if)#lacp port-priority <priority value>
(config)#lacp system-priority <priority value>


L3 EC configuration
• To configure a channel group as Layer 3 (one IP address for the whole bundle):
1- Configure a normal L2 EC on the member ports (channel-group).
2- Enter the logical interface; what is configured here is applied to all ports under that channel group number:
(config)#interface port-channel <channel group no.>
(config-if)#no switchport
(config-if)#ip address <ip> <mask>

Configuration example:
Switch#show run interface port-channel 1
Building configuration...
Current configuration:
!
interface Port-channel1
 no switchport
 ip address 10.0.0.1 255.0.0.0


As an example of PAgP configuration, suppose that you want a switch to use an EtherChannel load-balancing hash of both source and destination port numbers. A Gigabit EtherChannel will be built from interfaces Gigabit Ethernet 3/1 through 3/4, with the switch actively negotiating a channel. The switch should not wait to listen for silent partners.
You can use the following configuration commands to accomplish this:
Switch(config)# port-channel load-balance src-dst-port
Switch(config)# interface range gig 3/1 - 4
Switch(config-if)# channel-protocol pagp
Switch(config-if)# channel-group 1 mode desirable non-silent

As an example of LACP configuration, suppose that you want to configure a switch to negotiate a Gigabit EtherChannel using interfaces Gigabit Ethernet 2/1 through 2/4 and 3/1 through 3/4. Interfaces Gigabit Ethernet 2/5 through 2/8 and 3/5 through 3/8 are also available, so these can be used as standby links to replace failed links in the channel. This switch should actively negotiate the channel and should be the decision maker about the channel operation.
You can use the following configuration commands to accomplish this:
Switch(config)# lacp system-priority 100
Switch(config)# interface range gig 2/1 - 4 , gig 3/1 - 4
Switch(config-if)# channel-protocol lacp
Switch(config-if)# channel-group 1 mode active
Switch(config-if)# lacp port-priority 100
Switch(config-if)# exit
Switch(config)# interface range gig 2/5 - 8 , gig 3/5 - 8
Switch(config-if)# channel-protocol lacp
Switch(config-if)# channel-group 1 mode active
Notice that interfaces Gigabit Ethernet 2/5-8 and 3/5-8 have been left at their default port priority of 32,768. This is higher than the others, which were configured for 100, so they will be held as standby interfaces. The system priority of 100 makes this switch the decision maker only if the peer's system ID is higher; if the peer also uses 100, the tie is broken by the lower system MAC, so confirm with show lacp sys-id on both ends.
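The LACP selection rules described in the two passages above (system ID decides, lowest port IDs active, the rest standby), applied to the LACP configuration example. This is an added example written for this page, not Cisco's implementation or any Cisco tool; the LACP port numbers are assumed to follow slot/port order, which is what the example expects but is not guaranteed on every platform, and the system MACs are made up.

```python
"""LACP member selection (added example, not Cisco's implementation).

Models the rules the text states: the end with the numerically lower system ID
(system priority, then system MAC) decides; each member has a port ID
(port priority, then port number); the eight lowest port IDs are active and
the rest, up to 16 in total, are hot standby.  The LACP port numbers are an
assumption here: they are assigned in slot/port order, which is what the
example expects but is not guaranteed on every platform.
"""
from dataclasses import dataclass

MAX_ACTIVE = 8        # active links per bundle
MAX_NEGOTIATED = 16   # active + standby links LACP will negotiate


@dataclass(frozen=True)
class LacpSystem:
    priority: int     # lacp system-priority, default 32768
    mac: str          # system base MAC, e.g. "0011.2233.4455" (made up)

    def system_id(self):
        return (self.priority, int(self.mac.replace(".", ""), 16))


@dataclass(frozen=True)
class MemberPort:
    name: str               # e.g. "Gi2/1"
    number: int             # LACP port number (assumed slot/port ordering)
    priority: int = 32768   # lacp port-priority default

    def port_id(self):
        return (self.priority, self.number)


def decision_maker(local, peer):
    """The system with the lower system ID controls which ports are active."""
    return local if local.system_id() < peer.system_id() else peer


def select_members(ports):
    """Split member ports into (active, standby), both ordered by port ID."""
    if len(ports) > MAX_NEGOTIATED:
        raise ValueError("LACP negotiates at most 16 links per bundle")
    ordered = sorted(ports, key=MemberPort.port_id)
    return ordered[:MAX_ACTIVE], ordered[MAX_ACTIVE:]


def after_failure(ports, failed):
    """Re-run selection without the failed ports: the standby port with the
    lowest port ID takes over the freed active slot."""
    return select_members([p for p in ports if p.name not in failed])


def example_bundle():
    """The LACP configuration above: Gi2/1-4 and Gi3/1-4 at port-priority 100,
    Gi2/5-8 and Gi3/5-8 left at the default 32768 (constructed port numbers)."""
    ports, number = [], 1
    for slot in (2, 3):
        for port in range(1, 9):
            ports.append(MemberPort(f"Gi{slot}/{port}", number,
                                    100 if port <= 4 else 32768))
            number += 1
    return ports


if __name__ == "__main__":
    active, standby = select_members(example_bundle())
    print("active :", [p.name for p in active])
    print("standby:", [p.name for p in standby])
    active, _ = after_failure(example_bundle(), {"Gi2/1"})
    print("after Gi2/1 fails:", [p.name for p in active])
```

The after_failure call is the point of the standby links: when Gi2/1 drops, Gi2/5 (lowest port ID among the standbys) is promoted without any configuration change, which is the behaviour to verify with show etherchannel summary after a failover test.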
Avoiding Misconfiguration with EtherChannel Guard
Once you configure a set of physical interfaces on one switch to participate in an EtherChannel, you should configure the corresponding interfaces on the neighboring switch. Your goal should be to keep the EtherChannel configurations as predictable as possible, so that nothing unexpected can happen.
What might happen anyway? Suppose that you configure two interfaces on Switch A to form an unconditional EtherChannel (mode on) that carries all active VLANs. Your associate configures Switch B for the same set of two interfaces, but manages to plug the cables into the wrong two interfaces. It is entirely possible that a bridging loop might form over the dual links because an EtherChannel has not formed on both ends. STP will not operate consistently on all interfaces because Switch A is expecting a working EtherChannel.
If you decide to use PAgP or LACP to negotiate an EtherChannel, the chances of a misconfiguration are slim. An EtherChannel will not be built if it cannot be negotiated on all member links on the switches at both ends.
To reduce the chances of a misconfigured EtherChannel, Cisco Catalyst switches run the EtherChannel Guard feature by default. You can control the feature with the following global configuration command:
Switch(config)# [no] spanning-tree etherchannel guard misconfig
Notice that the command is directly related to STP operation over an EtherChannel. If a misconfiguration is detected once the interfaces are enabled, the switch logs the problem and automatically shuts the interfaces down, placing them in the errdisable state.
In the example (output not reproduced here), two interfaces should have formed an EtherChannel, but a misconfiguration has been detected. Both member interfaces, as well as the port channel 1 EtherChannel interface, have been errdisabled. To see the reason behind this action, use the show interfaces status err-disabled command. After correcting the configuration, bring the interfaces back with shutdown followed by no shutdown, or let the switch do it with errdisable recovery cause channel-misconfig in global configuration.
Troubleshooting
#show etherchannel summary
#show etherchannel detail
#show etherchannel port
#show (pagp | lacp) neighbor
#show lacp sys-id

Switch#show run interface gig 0/9
Building configuration...
Current configuration:
!
interface GigabitEthernet 0/9
 no ip address
 channel-group 1 mode desirable

In show etherchannel summary, the status of the port channel shows the EtherChannel logical interface as a whole. This should show SU (Layer 2 channel, in use) if the channel is operational; a Layer 3 channel shows RU. You also can examine the status of each port within the channel. Most of the channel ports should carry the flag (P), indicating that they are bundled in the port-channel. A port shows (D) when it is physically not connected or down. If a port is connected but not bundled in the channel, it has the independent, or (I), flag.
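A parser for the show etherchannel summary output just described, as an added example (not from this page or from Cisco). The sample output is constructed in the command's documented format, and the flag meanings are the ones the command's own legend prints; on a real switch you would feed it captured CLI output. A bundle whose port-channel is not (SU) or (RU), or a member in (I), (D) or (s), is what you want flagged: an (I) port is up and forwarding as an individual link, which is the split-channel condition EtherChannel Guard exists to catch.

```python
"""Parser and checker for `show etherchannel summary` (added example, not
from the page or from Cisco).  SAMPLE is constructed in the documented output
format; flag letters follow the command's legend: P bundled, I stand-alone,
D down, s suspended, H hot-standby, U in use, S Layer 2, R Layer 3.
"""
import re

SAMPLE = """\
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        w - waiting to be aggregated
Number of channel-groups in use: 2
Number of aggregators:           2

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         PAgP      Gi0/9(P)    Gi0/10(P)
2      Po2(SD)         LACP      Gi0/11(I)   Gi0/12(D)
"""

# One table row: group number, Po name with flags, protocol, then member ports.
ROW = re.compile(r"^(\d+)\s+(Po\d+)\(([A-Za-z]+)\)\s+(\S+)\s+(.*)$")
# One member entry such as Gi0/9(P).
PORT = re.compile(r"(\S+?)\(([A-Za-z]+)\)")


def parse_summary(text):
    """Return a list of dicts: group, po, flags, protocol, ports={name: flags}."""
    groups = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue                        # legend, headers, rulers
        group, po, flags, proto, rest = m.groups()
        ports = {name: pflags for name, pflags in PORT.findall(rest)}
        groups.append({"group": int(group), "po": po, "flags": flags,
                       "protocol": proto, "ports": ports})
    return groups


def find_problems(groups):
    """Report bundles not in use and members that are not bundled or standby."""
    problems = []
    for g in groups:
        if "U" not in g["flags"]:
            problems.append(f"{g['po']} is not in use (flags {g['flags']})")
        for name, pf in g["ports"].items():
            if "I" in pf:
                problems.append(f"{name} is up but independent of {g['po']} "
                                "(check mode/VLAN/speed/duplex mismatch)")
            elif "D" in pf:
                problems.append(f"{name} is down")
            elif "s" in pf:
                problems.append(f"{name} is suspended")
    return problems


if __name__ == "__main__":
    for problem in find_problems(parse_summary(SAMPLE)):
        print(problem)
```

Run periodically against the output of show etherchannel summary from an uplink switch, the find_problems list is a cheap detection for a half-formed channel, the condition that turns redundant links into a loop or a silent single-link bottleneck.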

Switch#show interfaces gigabitethernet 0/9 etherchannel


Port state = Up Mstr In-Bndl
Channel group = 1 Mode = Desirable-Sl Gcchange = 0
Port-channel = Po2 GC = 0x00020001 Pseudo port-channel = Po1
Port index = 0 Load = 0x00

Flags: S - Device is sending Slow hello. C - Device is in Consistent state.


A - Device is in Auto mode. P - Device learns on physical port.
d - PAgP is down.
Timers: H - Hello timer is running. Q - Quit timer is running.
S - Switching timer is running. I - Interface timer is running.

Local information:
Hello Partner PAgP Learning Group
Port Flags State Timers Interval Count Priority Method Ifindex
Gi0/9 SC U6/S7 H 30s 1 128 Any 15

Partner's information:

Partner Partner Partner Partner Group


Port Name Device ID Port Age Flags Cap.
Gi0/9 DSW122 0005.313e.4780 Gi0/9 18s SC 20001

Age of the port in the current state: 00d:20h:00m:49s


EtherChannel Questions
Notes:
The Port Aggregation Protocol (PAgP) and Link Aggregation Control Protocol (LACP) facilitate the automatic creation of EtherChannels by exchanging packets between Ethernet interfaces. PAgP is a Cisco-proprietary solution, and LACP is standards based.
LACP modes:
+ on: the link aggregation is forced to form without any LACP negotiation. A port-channel forms only if the peer port is also in "on" mode.
+ off: disable LACP and prevent the ports from forming a port-channel.
+ passive: the switch does not initiate the channel, but does understand incoming LACP packets.
+ active: sends LACP packets and is willing to form a port-channel.
PAgP modes:
+ on: the link aggregation is forced to form without any PAgP negotiation. A port-channel forms only if the peer port is also in "on" mode.
+ off: disable PAgP and prevent the ports from forming a port-channel.
+ desirable: sends PAgP packets and is willing to form a port-channel.
+ auto: does not start PAgP negotiation but responds to PAgP packets it receives.
An EtherChannel on a Cisco switch can be defined as a Layer 2 EtherChannel or a Layer 3 EtherChannel.
+ For a Layer 2 EtherChannel, physical ports are placed into an EtherChannel group and a logical port-channel interface is created automatically. An example of configuring a Layer 2 EtherChannel can be found in Question 1 below.
+ For a Layer 3 EtherChannel, the port-channel interface is made a routed interface (no switchport) and given an IP address, and the physical ports are bound to it; the address lives on the port-channel interface itself, not on a VLAN SVI.

Question 1
Refer to the exhibit.

Which set of configurations will result in all ports on both switches successfully bundling into an
EtherChannel?
A. switch1 channel-group 1 mode active switch2 channel-group 1 mode auto
B. switch1 channel-group 1 mode desirable switch2 channel-group 1 mode passive
C. switch1 channel-group 1 mode on switch2 channel-group 1 mode auto
D. switch1 channel-group 1 mode desirable switch2 channel-group 1 mode auto

Question 2
After an EtherChannel is configured between two Cisco switches, interface port channel 1 is in the
down/down state. Switch A is configured with “channel-group 1 mode active”, while Switch B is
configured with “channel-group 1 mode desirable”. Why is the EtherChannel bundle not working?
A. The switches are using mismatched EtherChannel negotiation modes.
B. The switch ports are not configured in trunking mode.
C. LACP priority must be configured on both switches.
D. The channel group identifier must be different for Switch A and Switch B.
Question 3
An EtherChannel bundle has been established between a Cisco switch and a corporate web server. The
network administrator noticed that only one of the EtherChannel links is being utilized to reach the web
server. What should be done on the Cisco switch to allow for better EtherChannel utilization to the
corporate web server?
A. Enable Cisco Express Forwarding to allow for more effective traffic sharing over the EtherChannel bundle.
B. Adjust the EtherChannel load-balancing method based on destination IP addresses.
C. Disable spanning tree on all interfaces that are participating in the EtherChannel bundle.
D. Use link-state tracking to allow for improved load balancing of traffic upon link failure to the server.
E. Adjust the EtherChannel load-balancing method based on source IP addresses.

Question 4
An access switch has been configured with an EtherChannel port. After configuring SPAN to monitor this
port, the network administrator notices that not all traffic is being replicated to the management server.
What is a cause for this issue?
A. VLAN filters are required to ensure traffic mirrors effectively.
B. SPAN encapsulation replication must be enabled to capture EtherChannel destination traffic.
C. The port channel can be used as a SPAN source, but not a destination.
D. RSPAN must be used to capture EtherChannel bidirectional traffic.

Question 5
Refer to the exhibit.

What is the result of the configuration?


A. The EtherChannels would not form because the load-balancing method must match on the devices.
B. The EtherChannels would form and function properly even though the load-balancing and
EtherChannel modes do not match.
C. The EtherChannels would form, but network loops would occur because the load-balancing methods
do not match.
D. The EtherChannels would form and both devices would use the dst-ip load-balancing method
because Switch1 is configured with EtherChannel mode active.



Question 6
A network engineer tries to configure storm control on an EtherChannel bundle. What is the result of the
configuration?
A. The storm control settings will appear on the EtherChannel, but not on the associated physical ports.
B. The configuration will be rejected because storm control is not supported for EtherChannel.
C. The storm control configuration will be accepted, but will only be present on the physical interfaces.
D. The settings will be applied to the EtherChannel bundle and all associated physical interfaces.

Question 7
A network engineer must set the load balance method on an existing port channel. Which action must be
done to apply a new load balancing method?
A. Configure the new load balancing method using port-channel load-balance.
B. Adjust the switch SDM back to “default”.
C. Ensure that IP CEF is enabled globally to support all load balancing methods.
D. Upgrade the PFC to support the latest load balancing methods.

Question 8
A network engineer configured a fault-tolerance link on Gigabit Ethernet links G0/1, G0/2, G0/3, and G0/4
between two switches using Ethernet port-channel. Which action allows interface G0/1 to always actively
forward traffic in the port-channel?
A. Configure G0/1 as half duplex and G0/2 as full duplex.
B. Configure LACP port-priority on G0/1 to 1.
C. Configure LACP port-priority on G0/1 to 65535.
D. LACP traffic goes through G0/4 because it is the highest interface ID.

Question 9
Which statement about the use of PAgP link aggregation on a Cisco switch that is running Cisco IOS
Software is true?
A. PAgP modes are off, auto, desirable, and on. Only the combinations auto-desirable, desirable-desirable,
and on-on allow the formation of a channel.
B. PAgP modes are active, desirable, and on. Only the combinations active-desirable, desirable-desirable,
and on-on allow the formation of a channel.
C. PAgP modes are active, desirable, and on. Only the combinations active-active, desirable-desirable, and
on-on allow the formation of a channel.
D. PAgP modes are off, active, desirable, and on. Only the combinations auto-auto, desirable-desirable, and
on-on allow the formation of a channel.



Question 10
Refer to the exhibit.

Which EtherChannel negotiation protocol is configured on the interface f0/13 – f0/15?


A. Link Combination Control Protocol
B. Port Aggregation Protocol
C. Port Combination Protocol
D. Link Aggregation Control Protocol

Question 11
Refer to the exhibit.

Users of PC-1 experience slow connection when a webpage is requested from the server. To
increase bandwidth, the network engineer configured an EtherChannel on interfaces Fa1/0 and
Fa0/1 of the server farm switch, as shown here:
Server_Switch#sh etherchannel load-balance
EtherChannel Load-Balancing Operational State (src-mac):
Non-IP: Source MAC address
IPv4: Source MAC address
IPv6: Source IP address
Server_Switch#
However, traffic is still slow. Which action can the engineer take to resolve this issue?
A. Disable EtherChannel load balancing.
B. Upgrade the switch IOS to IP services image.
C. Change the load-balance method to dst-mac.
D. Contact Cisco TAC to report a bug on the switch.



Question 12
A network engineer changed the port speed and duplex setting of an existing EtherChannel bundle
that uses the PAgP protocol. Which statement describes what happens to all ports in the bundle?
A. PAgP changes the port speed and duplex for all ports in the bundle.
B. PAgP drops the ports that do not match the configuration.
C. PAgP does not change the port speed and duplex for all ports in the bundle until the switch is
rebooted.
D. PAgP changes the port speed but not the duplex for all ports in the bundle.

Question 13
Which statement about using EtherChannel on Cisco IOS switches is true?
A. A switch can support up to eight compatibly configured Ethernet interfaces in an EtherChannel.
The EtherChannel provides full-duplex bandwidth up to 800 Mbps only for Fast EtherChannel or 8
Gbps only for Gigabit EtherChannel.
B. A switch can support up to 10 compatibly configured Ethernet interfaces in an EtherChannel. The
EtherChannel provides full-duplex bandwidth up to 1000 Mbps only for Fast EtherChannel or 8 Gbps
only for Gigabit EtherChannel.
C. A switch can support up to eight compatibly configured Ethernet interfaces in an EtherChannel.
The EtherChannel provides full-duplex bandwidth up to 800 Mbps only for Fast EtherChannel or 16
Gbps only for Gigabit EtherChannel.
D. A switch can support up to 10 compatibly configured Ethernet interfaces in an EtherChannel. The
EtherChannel provides full-duplex bandwidth up to 1000 Mbps only for Fast EtherChannel or 10
Gbps only for Gigabit EtherChannel.

Question 14
Refer to the exhibit.

Which statement about switch S1 is true?


A. Physical port Fa0/13, Fa0/14, and Fa0/15 successfully formed a Layer 2 port-channel interface
using an open standard protocol.
B. Logical port Fa0/13, Fa0/14, and Fa0/15 successfully formed a Layer 2 physical port-channel
interface using a Cisco proprietary protocol.
C. Physical port Fa0/13, Fa0/14, and Fa0/15 successfully formed a Layer 3 port-channel interface
using a Cisco proprietary protocol.
D. Logical port Fa0/13, Fa0/14, and Fa0/15 successfully formed a Layer 3 physical port-channel
interface using an open standard protocol.
Question 15
What is the maximum number of 10 Gigabit Ethernet connections that can be utilized in an
EtherChannel for the virtual switch link?
A. 4
B. 6
C. 8
D. 12

Question 16
Which statement about restrictions for multichassis LACP is true?
A. It is available only on a Cisco Catalyst 6500 Series chassis.
B. It does not support 1Gb links.
C. Converting a port channel to mLACP can cause a service disruption.
D. It is not available in VSS.



STP
Spanning Tree Protocol



Overview
A transparent switch must be able to remove Layer 2 loops. For that
purpose STP (IEEE 802.1D) was first implemented on Layer 2 switched
networks to block redundant connections and so avoid Layer 2 loops.
Spanning Tree Protocol follows an old algorithm called the spanning
tree algorithm (STA). The idea of the STA is to build a loop-free
path: when multiple nodes exist in a network, all of the nodes
choose a reference point (the root node), and every non-root node
then chooses one of its paths as the best path to reach that
reference point.
Traditional STP (802.1D) operation
1- BPDU (Bridge Protocol Data Unit) flooding
• Each switch generates a message called a BPDU containing
information about itself and floods it out of all its ports every
2 seconds to the well-known STP multicast address
0180.c200.0000; initially each switch announces that
it is the Root Bridge
• Two types of BPDU exist:
1) Configuration BPDU, used for the STP computation; it is
originated only by the Root Bridge
2) TCN (Topology Change Notification), used to announce
changes in the network topology
The BPDU is responsible for:
• Electing a root bridge
• Determining the location of loops
• Blocking to prevent loops
• Notifying the network of changes
• Monitoring the state of the spanning tree
A BPDU contains:
- Message type (Configuration or TCN BPDU)
- Flags (containing the topology change (TCN) flag, TCN ACK, ...)
- Root Bridge ID
- Sender Bridge ID
- Accumulated Root Path Cost
- Port ID of the sender switch
- Hello time
- Forward delay time
- Maximum age time
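The field list above maps directly onto the 35-byte 802.1D configuration BPDU (and the 4-byte TCN BPDU, which carries only the type). The following Python is an added example, not code from the book: it decodes and re-encodes a BPDU and adds a simple monitoring check that flags a configuration BPDU naming a root other than the one the design intends. The sample BPDU bytes, the MAC addresses and all function names are constructed for this illustration.

```python
"""Constructed 802.1D BPDU encoder/decoder for monitoring; not the book's code."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

CONFIG_BPDU = 0x00
TCN_BPDU = 0x80
FLAG_TC = 0x01                    # topology change flag
FLAG_TCA = 0x80                   # topology change acknowledgement
STP_MCAST = "01:80:c2:00:00:00"   # destination MAC every BPDU is sent to


@dataclass
class BridgeId:
    priority: int                 # 2-byte priority field (32768 by default)
    mac: str                      # 6-byte system MAC in "aa:bb:cc:dd:ee:ff" form

    @classmethod
    def from_bytes(cls, raw: bytes) -> "BridgeId":
        prio, mac = struct.unpack("!H6s", raw)
        return cls(prio, mac.hex(":"))

    def to_bytes(self) -> bytes:
        return struct.pack("!H6s", self.priority,
                           bytes.fromhex(self.mac.replace(":", "")))


@dataclass
class Bpdu:
    bpdu_type: int
    flags: int = 0
    root_id: Optional[BridgeId] = None
    root_path_cost: int = 0
    bridge_id: Optional[BridgeId] = None      # sender bridge ID
    port_id: int = 0                          # sender port ID: priority << 8 | number
    message_age: float = 0.0                  # seconds; on the wire in units of 1/256 s
    max_age: float = 0.0
    hello_time: float = 0.0
    forward_delay: float = 0.0


def split_port_id(port_id: int) -> Tuple[int, int]:
    """Port ID -> (port priority, port number); 0x8001 -> (128, 1)."""
    return port_id >> 8, port_id & 0xFF


def parse_bpdu(data: bytes) -> Bpdu:
    """Decode the BPDU payload (what follows the LLC header of the frame)."""
    if len(data) < 4:
        raise ValueError("too short to be a BPDU")
    proto, version, btype = struct.unpack("!HBB", data[:4])
    if proto != 0 or version != 0:
        raise ValueError(f"not an 802.1D BPDU (proto={proto}, version={version})")
    if btype == TCN_BPDU:
        return Bpdu(bpdu_type=TCN_BPDU)       # a TCN carries no further fields
    if btype != CONFIG_BPDU:
        raise ValueError(f"unsupported BPDU type 0x{btype:02x}")
    if len(data) < 35:
        raise ValueError("configuration BPDU truncated")
    (flags, root, cost, bridge, port,
     msg_age, max_age, hello, fwd) = struct.unpack("!B8sI8sHHHHH", data[4:35])
    return Bpdu(CONFIG_BPDU, flags, BridgeId.from_bytes(root), cost,
                BridgeId.from_bytes(bridge), port, msg_age / 256,
                max_age / 256, hello / 256, fwd / 256)


def build_config_bpdu(b: Bpdu) -> bytes:
    """Inverse of parse_bpdu for configuration BPDUs (35 bytes)."""
    return struct.pack("!HBBB8sI8sHHHHH", 0, 0, CONFIG_BPDU, b.flags,
                       b.root_id.to_bytes(), b.root_path_cost,
                       b.bridge_id.to_bytes(), b.port_id,
                       int(b.message_age * 256), int(b.max_age * 256),
                       int(b.hello_time * 256), int(b.forward_delay * 256))


def unexpected_root(b: Bpdu, planned_root_mac: str) -> bool:
    """Monitoring check: a configuration BPDU naming a root other than the one
    the design planned for is worth an alert (misconfigured or rogue switch)."""
    return b.bpdu_type == CONFIG_BPDU and b.root_id.mac != planned_root_mac


# Constructed sample: the root bridge advertising itself with default timers.
SAMPLE_CONFIG = bytes.fromhex(
    "0000 00 00 00"           # protocol id 0, version 0, type = config, flags 0
    "8000 aaaaaaaaaaaa"       # root ID: priority 32768, MAC aa:aa:aa:aa:aa:aa
    "00000000"                # root path cost 0 (sent by the root itself)
    "8000 aaaaaaaaaaaa"       # sender bridge ID (the same switch)
    "8001"                    # port ID: priority 128, port number 1
    "0000 1400 0200 0f00")    # msg age 0, max age 20 s, hello 2 s, fwd delay 15 s
SAMPLE_TCN = bytes.fromhex("0000 00 80")   # constructed TCN BPDU
```

`parse_bpdu(SAMPLE_CONFIG)` yields a root ID of 32768 / aa:aa:aa:aa:aa:aa, a root path cost of 0, port ID (128, 1) and the default timers 20/2/15 seconds; `build_config_bpdu` reproduces the same 35 bytes, and `unexpected_root` is the kind of check a BPDU monitor on an access port would run.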

2) Electing the Root Bridge:
• After BPDU flooding all switches will have heard about each other's
existence and each other's Root Bridge ID; every switch that hears
a BPDU carrying a Bridge ID lower than its local Root Bridge ID
will stop sending BPDUs and accept the other one as the Root Bridge
• So finally the switch with the lowest Bridge ID will be elected by all
the others as the Root Bridge, and only the Root Bridge will send
BPDUs every 2 seconds
The Bridge ID consists of:
- 2-byte STP bridge priority (default is 32768)
- 6-byte system MAC address
• The Bridge ID can also be extended if needed so that each switch
has a unique Bridge ID for every VLAN; this is called the extended
system ID and is carried inside the 2-byte priority field



3) Elect Root Port (RP)
• Every non-root switch must choose one of its ports to reach the Root
Bridge.
• The root port is the port having:
1- Lowest accumulated root path cost (path cost is based on bandwidth)
2- Lowest sender bridge ID
3- Lowest sender port ID
The port ID consists of:
(1-byte priority (default 128) +
1-byte port number)

4) Elect Designated Port (DP)
On each segment, the two adjacent switches must elect the one port that
best serves that segment.
The switch owning the DP on a segment is called the Designated Switch.
• The designated port is the port having:
1- Lowest accumulated root path cost
2- Lowest bridge ID
3- Lowest port ID
5) Elect Blocked Port (BP)
• Ports that are neither Root Port (RP) nor Designated Port (DP) are
Blocked Ports (BP)
The root path cost value is determined in the following manner:
1. The root bridge sends out a BPDU with a root path cost value of
0 because its ports sit directly on the root bridge.
2. When the next-closest neighbor receives the BPDU, it adds the
path cost of its own port where the BPDU arrived. (This is done as
the BPDU is received.)
3. The neighbor sends out BPDUs with this new cumulative value
as the root path cost.
4. The root path cost is incremented by the ingress port path cost
as the BPDU is received at each switch down the line.
5. Notice the emphasis on incrementing the root path cost as
BPDUs are received.
When computing the spanning-tree algorithm manually, remember
to compute a new root path cost as BPDUs come in to a switch
port, not as they go out.



Summarizing the STP process:
BPDU key concepts:
• Bridges save a copy of only the best BPDU seen on every
port.
• When making this evaluation, a bridge considers all of the BPDUs
received on the port, as well as the BPDU that it would send
on that port (so the BPDU to be sent could be better than the
received BPDU, or vice versa).
• As every BPDU arrives, it is checked against this four-step
sequence to see if it is more attractive (lower in value) than
the existing BPDU saved for that port.
Four-step decision sequence:
Step 1 - Lowest Root BID
Step 2 - Lowest Path Cost to Root Bridge
Step 3 - Lowest Sender BID
Step 4 - Lowest Sender Port ID
• Only the lowest-value BPDU is saved.
• Bridges send configuration BPDUs until a more attractive
BPDU is received.



STP Example 1:
[Figure: Cat-A (Root Bridge) connects from its port 1/1 to Cat-B port 1/1 and from its port 1/2 to Cat-C port 1/1; Cat-B port 1/2 connects to Cat-C port 1/2. Every link has a path cost of 19.]
Step 1
• Cat-A sends out BPDUs, containing a Root Path Cost of 0.
• Cat-B receives these BPDUs and adds the Path Cost of Port 1/1 to the Root Path Cost
contained in the BPDU.
Step 2
• Cat-B adds the Root Path Cost 0 PLUS its Port 1/1 cost of 19 = 19.
[Figure: Cat-A sends BPDUs with Cost=0 out ports 1/1 and 1/2; Cat-B and Cat-C each receive them as Cost=19 on port 1/1 and send BPDUs with Cost=19 out port 1/2, which arrive at the far end as Cost=38 (19+19).]
Step 3
• Cat-B uses this value of 19 internally and sends BPDUs with a Root Path Cost of
19 out Port 1/2.
Step 4
• Cat-C receives the BPDU from Cat-B, and increases the Root Path Cost to 38
(19+19). (Same with Cat-C sending to Cat-B.)
[Figure: the same exchange, with port 1/1 on Cat-B and port 1/1 on Cat-C marked as Root Port.]
Step 5
• Cat-B calculates that it can reach the Root Bridge at a cost of 19 via Port 1/1 as
opposed to a cost of 38 via Port 1/2.
• Port 1/1 becomes the Root Port for Cat-B, the port closest to the Root Bridge.
• Cat-C goes through a similar calculation. Note: Both Cat-B:1/2 and Cat-C:1/2 save
the best BPDU of 19 (its own).
Electing DP:
[Figure: Cat-A (Root Bridge, Root Path Cost = 0) has port 1/1 on Segment 1 toward Cat-B:1/1 and port 1/2 on Segment 2 toward Cat-C:1/1; Cat-B:1/2 and Cat-C:1/2 share Segment 3. Cat-B and Cat-C each have a Root Path Cost of 19 and their ports 1/1 are Root Ports. All link costs are 19.]
• Segment 1: Cat-A:1/1 has a Root Path Cost = 0 (after all it is the Root Bridge) and
Cat-B:1/1 has a Root Path Cost = 19.
• Segment 2: Cat-A:1/2 has a Root Path Cost = 0 (after all it is the Root Bridge) and
Cat-C:1/1 has a Root Path Cost = 19.
• Segment 3: Cat-B:1/2 has a Root Path Cost = 19 and Cat-C:1/2 has a Root Path
Cost = 19. It's a tie!
[Figure: the same topology, with Cat-A:1/1 and Cat-A:1/2 marked as Designated Port.]
• Segment 1: Because Cat-A:1/1 has the lower Root Path Cost it becomes the
Designated Port for Segment 1.
• Segment 2: Because Cat-A:1/2 has the lower Root Path Cost it becomes the
Designated Port for Segment 2.
Segment 3
• Both Cat-B and Cat-C have a Root Path Cost of 19, a tie!
• When faced with a tie (or any other determination) STP always uses the four-step
decision process:
1. Lowest Root BID; 2. Lowest Path Cost to Root Bridge; 3. Lowest Sender BID;
4. Lowest Sender Port ID
[Figure: Segment 3 between Cat-B:1/2 (BID 32,768.BB-BB-BB-BB-BB-BB, Designated Port) and Cat-C:1/2 (BID 32,768.CC-CC-CC-CC-CC-CC, Non-Designated Port); both ends have Root Path Cost = 19.]
Segment 3 (continued)
1) All three switches agree that Cat-A is the Root Bridge, so this is a tie.
2) Root Path Cost for both is 19, also a tie.
3) The sender's BID is lower on Cat-B than on Cat-C, so Cat-B:1/2 becomes
the Designated Port for Segment 3.
Cat-C:1/2 therefore becomes the non-Designated Port for Segment 3.


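As an added example (not code from the book), the Python below runs the four-step decision sequence and the "increment the root path cost on receipt" rule from the sections above over the Cat-A / Cat-B / Cat-C triangle of Example 1, and also over two equal-cost parallel links so that the sender port ID tie-break is exercised. Switch MACs, port names, the synchronous round-by-round exchange and all function names are constructed assumptions for this illustration.

```python
"""Spanning-tree role computation; constructed example, not the book's code."""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

BridgeID = Tuple[int, str]   # (priority, MAC); tuple ordering gives "lowest wins"
PortID = Tuple[int, int]     # (port priority, port number); priority defaults to 128


@dataclass
class Link:
    a: str
    a_port: str
    b: str
    b_port: str
    cost: int                # segment path cost, e.g. 19 for 100 Mbps


@dataclass
class Bridge:
    name: str
    bid: BridgeID
    root_bid: Optional[BridgeID] = None
    root_cost: int = 0
    root_port: Optional[str] = None

    def __post_init__(self) -> None:
        self.root_bid = self.bid     # every switch starts by claiming to be the root


def port_id(port: str, priority: int = 128) -> PortID:
    """'1/2' -> (128, 2): the port number is the last tie-break."""
    return (priority, int(port.split("/")[-1]))


def ends(link: Link) -> Iterator[Tuple[str, str, str, str]]:
    """(me, my_port, peer, peer_port) for both directions of one segment."""
    yield link.a, link.a_port, link.b, link.b_port
    yield link.b, link.b_port, link.a, link.a_port


def converge(bridges: Dict[str, Bridge], links: List[Link]) -> int:
    """Repeat BPDU exchange rounds until no bridge changes its view; returns rounds."""
    rounds = 0
    while rounds <= 2 * len(bridges) + 2:
        rounds += 1
        changed = False
        for br in bridges.values():
            best = None
            for lk in links:
                for me, my_port, peer, peer_port in ends(lk):
                    if me != br.name:
                        continue
                    nb = bridges[peer]
                    # The BPDU the neighbour would send, with the root path cost
                    # incremented on RECEIPT by the ingress port cost. Tuple order is
                    # the four-step sequence; the receiving port ID only separates
                    # parallel links to the same neighbour.
                    cand = (nb.root_bid, nb.root_cost + lk.cost, nb.bid,
                            port_id(peer_port), port_id(my_port), my_port)
                    if best is None or cand < best:
                        best = cand
            if best is not None and best[0] < br.bid:
                new = (best[0], best[1], best[5])   # adopt the better root via this port
            else:
                new = (br.bid, 0, None)             # nobody better heard: I am the root
            if new != (br.root_bid, br.root_cost, br.root_port):
                br.root_bid, br.root_cost, br.root_port = new
                changed = True
        if not changed:
            break
    return rounds


def port_roles(bridges: Dict[str, Bridge], links: List[Link]) -> Dict[Tuple[str, str], str]:
    """Label every port DP, RP or BLK once the exchange has converged."""
    converge(bridges, links)
    roles: Dict[Tuple[str, str], str] = {}
    for lk in links:
        # The better of the two BPDUs offered onto the segment wins the DP role; the
        # other end is the RP if it is that bridge's root port, otherwise blocked.
        offers = sorted(
            ((bridges[n].root_bid, bridges[n].root_cost, bridges[n].bid, port_id(p)), n, p)
            for n, p, _, _ in ends(lk))
        (_, dp_name, dp_port), (_, other, other_port) = offers
        roles[(dp_name, dp_port)] = "DP"
        roles[(other, other_port)] = "RP" if bridges[other].root_port == other_port else "BLK"
    return roles


def example_1() -> Dict[Tuple[str, str], str]:
    """The Cat-A / Cat-B / Cat-C triangle of STP Example 1 (constructed MACs)."""
    bridges = {n: Bridge(n, (32768, m)) for n, m in (
        ("Cat-A", "aa:aa:aa:aa:aa:aa"), ("Cat-B", "bb:bb:bb:bb:bb:bb"),
        ("Cat-C", "cc:cc:cc:cc:cc:cc"))}
    links = [Link("Cat-A", "1/1", "Cat-B", "1/1", 19),    # Segment 1
             Link("Cat-A", "1/2", "Cat-C", "1/1", 19),    # Segment 2
             Link("Cat-B", "1/2", "Cat-C", "1/2", 19)]    # Segment 3
    return port_roles(bridges, links)


def example_2() -> Dict[Tuple[str, str], str]:
    """Two equal-cost parallel links between root SW-X and SW-Y: only the sender
    port ID differs, so SW-Y forwards on 0/1 and blocks 0/2."""
    bridges = {"SW-X": Bridge("SW-X", (32768, "11:11:11:11:11:11")),
               "SW-Y": Bridge("SW-Y", (32768, "22:22:22:22:22:22"))}
    links = [Link("SW-X", "0/1", "SW-Y", "0/1", 19),
             Link("SW-X", "0/2", "SW-Y", "0/2", 19)]
    return port_roles(bridges, links)
```

`example_1()` returns DP for both Cat-A ports, RP for Cat-B:1/1 and Cat-C:1/1, DP for Cat-B:1/2 and BLK for Cat-C:1/2, exactly the outcome the walk-through above reaches by hand; in `example_2()` the sender BIDs and costs tie, and the lower sender port ID decides.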

STP Example 2:

Step 1: BPDU flooding
[Figure: SW X (root bridge) and SW Y connected by two links, one Fast Ethernet and one Ethernet.]
• SW X is the root bridge
• SW Y needs to elect a root port
• Which port is the root port on SW Y?
• Fast Ethernet total cost = 0 + 19
• Ethernet total cost = 0 + 100
[Figure: the Fast Ethernet port on SW Y is the Root Port (RP); both ports on SW X are Designated Ports (DP).]
Switch X is the root bridge.
All ports on the root bridge are designated ports.
• One root bridge per network
• One root port per nonroot bridge
• One designated port per segment
• Nondesignated ports are blocked
[Figure: a tie-break case involving ports 0/1 and 0/2.]
Assume path cost and port priorities are default (128). Port ID is used in this
case: port 0/1 would forward because it is the lowest.
STP Example 3:

Electing Root Switch

Electing Root Port & Designated Port

Blocking a port



STP Port States
• Spanning tree transits each port through several different states:
[Figure: port state transitions, labelled with the port roles (BP, RP, DP) that may apply in each state.]
1-Disabled State:
• The port is administratively shut down, or the cable is not connected; it is not
part of normal STP operation
2-Blocking State:
• The port cannot receive or transmit data traffic and does not transmit BPDUs,
but it can receive BPDUs to detect any topology changes (it does not
save the BPDU on the port; discussed later)
3-Listening State:
• The port still cannot send or receive data frames but can process
(send or receive) BPDUs to elect the root bridge, root port, designated
port and blocked port
• This state lasts for the first forward delay time = 15 sec
4-Learning State:
• The port still cannot send or receive data frames but can process
(send or receive) BPDUs, taking another chance if needed to elect the root
port, designated port and blocked port; the switch also learns from any
incoming frame (builds its MAC table) before dropping it
• This state lasts for the second forward delay time = 15 sec
5-Forwarding State:
• The port can forward data traffic and continues learning MAC addresses; it is
either a Root Port or a Designated Port. So after convergence ports are
either DP or RP (FWD state), or BP (BLK state)
• But note that convergence will take 30 - 50 sec
• To troubleshoot STP states:
#sh spanning-tree interface <_>
#debug spanning-tree switch
Example:

The example begins as the port administratively is disabled from the


command line. When the port is enabled, successive show spanning-
tree interface type mod/port commands display the port state as
Listening, Learning, and then Forwarding. These are shown in the
shaded text of the
example. Notice also the time stamps and port states provided by the
debug spanning-tree switch state command, which give a sense of
the timing between port states. Because this port was eligible as a
Root Port, the show command never could execute fast enough to
show the port in the Blocking state.
STP timers:
• Timers are used to prevent bridging loops.
• Timers determine how long it will take STP to converge after a failure.


STP Topology Changes
1- A topology change occurs when a switch port either goes up or down.
That switch sends a TCN BPDU out its RP toward the root and repeats the
TCN every hello interval until an ACK is received from its upstream
neighbor; every switch that receives the TCN does the same, until the
TCN reaches the Root Bridge
2- When the Root Bridge receives the TCN, it generates a configuration BPDU
with the topology change flag set
3- Every switch that receives that message flushes its MAC table entries after
the forward delay time (15 sec) instead of waiting the normal 300 sec, which
avoids stale tables after a topology change; active entries are kept, and the
shortened aging lasts for the sum of forward delay + max age (15 + 20 sec).
A switch having a blocked port will put it in the listening state once again
• Note that if a Blocked Port has not received Root Bridge BPDUs for
max age time (20 sec), it will move to listening and continue its STP
process, so once the Root has failed or an indirect failure takes
place, convergence will take 50 sec

[Figure: TCN BPDU propagation toward the Root Bridge]

Max (Maximum) Age:
The time interval that a switch stores a BPDU before discarding it. While
executing STP, each switch port keeps a copy of the "best" BPDU that
it has heard. If the switch port loses contact with the BPDU's source (no
more BPDUs are received from it), the switch assumes that a topology
change must have occurred after the Max Age time has elapsed, and so the
BPDU is aged out. The default Max Age value is 20 seconds.


Host based STP changes (insignificant changes):
Obviously, user ports are expected to go up and down as the users reboot
their machines, turn them on and off as they go to and from work, and so on.
Regardless, TCN messages are sent by the switch, just as if a trunk link
between switches had changed state.
To see what effect this has on the STP topology and the network, consider the
following sequence of events:
1. The PC on Catalyst port 2/12 is turned off. The switch detects the link status
going down.
2. Catalyst C begins sending TCN BPDUs toward the Root, over its Root Port(1/1).
3. The Root sends a TCN acknowledgment back to Catalyst C and then sends a
Configuration BPDU with the TCN bit set to all downstream switches. This is
done to inform every switch of a topology change somewhere in the network.
4. The TCN flag is received from the Root, and both Catalysts B and C shorten their
bridge table aging times. This causes recently idle entries to be flushed,
leaving only the actively transmitting stations in the table. The aging time stays
short for the duration of the Forward Delay and Max Age timers.
Notice that this type of topology change is mostly cosmetic. No actual topology
change occurred because none of the switches had to change port states to
reach the Root Bridge. Instead, powering off the PC caused all the switches to
age out entries from their bridge or CAM tables much sooner than normal.
At first, this doesn’t seem like a major problem because the PC link state affects
only the “newness” of the CAM table contents. If CAM table entries are flushed
as a result, they probably will be learned again. This becomes a problem when
every user PC is considered. Now every time any PC in the network powers up
or down, every switch in the network must age out CAM table entries.
Given enough PCs, the switches could be in a constant state of flushing bridge
tables. Also remember that when a switch doesn’t have a CAM entry for a
destination, the packet must be flooded out all its ports. Flushed tables mean
more unknown unicasts, which mean more broadcasts or flooded packets
throughout the network. Fortunately, Catalyst switches have a feature that can
designate a port as a special case. You can enable the STP PortFast feature on
a port with a single attached PC. As a result, TCNs aren’t sent when the port
changes state, and the port is brought right into the Forwarding state when the
Link comes up.



The theory behind topology changes is fairly straightforward, but it’s often
difficult to grasp how a working network behaves during a change. For
example, suppose you have a Layer 2 network that is stable and loop free.
If a switch uplink suddenly failed or a new uplink was added,
how would the various switches in the network react?
Would users all over the network lose connectivity while the STP
“recomputes” or reconverges?
Examples of different types of topology changes are presented in the
following sections, along with the sequence of STP events. Each type has
a different cause and a different effect.

Direct Topology Changes


A direct topology change is one that can be detected on a switch interface.
For example, if a trunk link suddenly goes down, the switch on each end of
the link immediately can detect a link failure.
The absence of that link changes the bridging topology, so other switches
should be notified.
The figure shows a network that has converged into a stable STP topology. The
VLAN is forwarding on all trunk links except port 1/2 on Catalyst C, where it
is in the Blocking state.

This network has just suffered a link failure between Catalyst A and Catalyst
C. The sequence of events unfolds as follows:
1. Catalyst C detects a link down on its port 1/1; Catalyst A detects a link
down on its port 1/2.
2. Catalyst C removes the previous “best” BPDU it had received from the
Root over port 1/1. Port 1/1 is now down so that BPDU is no longer valid.



Normally, Catalyst C would try to send a TCN message out its Root Port, to
reach the Root Bridge. Here, the Root Port is broken, so that isn’t possible.
Without an advanced feature such as STP UplinkFast, Catalyst C isn’t yet
aware that another path exists to the Root.
Also, Catalyst A is aware of the link down condition on its own port 1/2. It
normally would try to send a TCN message out its Root Port, to reach the
Root Bridge. Here, Catalyst A is the Root, so that isn’t really necessary.
3. The Root Bridge, Catalyst A, sends a Configuration BPDU with the TCN
bit set out its port 1/1. This is received and relayed by each switch along
the way, informing each one of the topology change.
4. Catalysts B and C receive the TCN message. The only reaction these
switches take is to shorten their bridging table aging times to the Forward
Delay time. At this point, they don’t know how the topology has changed;
they only know to force fairly recent bridging table entries to age out.
5. Catalyst C basically just sits and waits to hear from the Root Bridge
again. The Config BPDU TCN message is received on port 1/2, which was
previously in the Blocking state. This BPDU becomes the “best” one
received from the Root, so port 1/2 becomes the new Root Port. Catalyst C
now can progress port 1/2 from Blocking through the Listening, Learning,
and Forwarding states.
As a result of a direct link failure, the topology has changed and STP has
converged again. Notice that only Catalyst C has undergone any real
effects from the failure. Switches A and B heard the news of the topology
change but did not have to move any links through the STP states. In other
words, the whole network did not go through a massive STP
reconvergence.
The total time that users on Catalyst C lost connectivity was roughly the
time that port 1/2 spent in the Listening and Learning states. With the
default STP timers, this amounts to about two times the Forward Delay
period (15 seconds), or 30 seconds total.



Indirect Topology Changes
The figure shows the same network as in the direct-failure topology, but this time the
link failure indirectly involves Catalysts A and C; assume port 1/2 on C is
the blocked port.
[Figure: Catalyst A (Root) linked to Catalyst C and to Catalyst B; C and B are also linked.]

STP can detect and recover from indirect failures, thanks to timer
mechanisms. The sequence of events unfolds as follows:
1. The link between A and B fails. B immediately flushes the best BPDU it had,
and because it receives no BPDUs from C (port 1/2 on C is blocked), B has no
BPDUs from the root switch at all. B therefore claims to be the new root
(nobody in the network is sending it BPDUs) and starts sending inferior
BPDUs out of its port 1/2 toward C.
2. Switch C (which owns the blocked port) now sees two kinds of BPDUs arriving:
one from A saying A is the root, another from B saying B is the root.
3. After max age = 20 sec, switch C flushes the old BPDU that it used to
receive on port 1/2 from A through B.
4. Port 1/2 on C moves to the listening state and starts sending the BPDU it
receives from A on port 1/1; this BPDU makes B stop sending inferior BPDUs and
learn the real situation (A is still alive and is the Root, and what
happened was an indirect failure).
5. After 15 seconds in listening and then 15 in learning (a total of 50
seconds), the formerly blocked port is forwarding again.


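To tie the port states, the timers and the two failure types together, the Python below is an added model (not code from the book) of one port's 802.1D state machine with the default timers given in the text: a blocked port that is promoted immediately (the direct-failure case) versus one whose stored root BPDU first has to age out (the indirect-failure case). The class and method names are constructed assumptions; the PortFast shortcut follows the description in the PortFast section.

```python
"""802.1D port-state timing model; constructed illustration, not the book's code."""
from enum import Enum
from typing import Optional

HELLO, FORWARD_DELAY, MAX_AGE = 2, 15, 20      # 802.1D default timers (seconds)


class State(Enum):
    DISABLED = "disabled"
    BLOCKING = "blocking"
    LISTENING = "listening"
    LEARNING = "learning"
    FORWARDING = "forwarding"


# What a port may do in each state, as listed in the port-states section.
FORWARDS_DATA = {State.FORWARDING}
LEARNS_MACS = {State.LEARNING, State.FORWARDING}
SENDS_BPDU = {State.LISTENING, State.LEARNING, State.FORWARDING}


class StpPort:
    def __init__(self, state: State = State.BLOCKING,
                 forward_delay: int = FORWARD_DELAY, max_age: int = MAX_AGE) -> None:
        self.state = state
        self.forward_delay = forward_delay
        self.max_age = max_age
        self.in_state = 0        # seconds spent in the current state
        self.bpdu_age = 0        # seconds since the stored root BPDU was refreshed
        self.portfast = False    # edge port: skip Listening/Learning, send no TCN

    def _enter(self, state: State) -> None:
        self.state, self.in_state = state, 0

    def link_up(self) -> None:
        """Disabled -> Blocking, or straight to Forwarding on a PortFast port."""
        self._enter(State.FORWARDING if self.portfast else State.BLOCKING)

    def root_bpdu_received(self) -> None:
        """A BPDU from the root refreshes the stored best BPDU (restarts Max Age)."""
        self.bpdu_age = 0

    def selected(self) -> None:
        """The port has just been chosen as RP or DP: in the direct-failure case the
        TC-flagged BPDU arriving on the blocked port becomes its new best BPDU."""
        if self.state == State.BLOCKING:
            self._enter(State.LISTENING)

    def advance(self, seconds: int = 1) -> None:
        """Run the clock and apply the timer-driven transitions one second at a time."""
        for _ in range(seconds):
            self.in_state += 1
            self.bpdu_age += 1
            if self.state == State.BLOCKING and self.bpdu_age >= self.max_age:
                self._enter(State.LISTENING)     # indirect failure: root BPDU aged out
            elif self.state == State.LISTENING and self.in_state >= self.forward_delay:
                self._enter(State.LEARNING)
            elif self.state == State.LEARNING and self.in_state >= self.forward_delay:
                self._enter(State.FORWARDING)


def seconds_until_forwarding(port: StpPort, limit: int = 120) -> Optional[int]:
    """Tick the port until it forwards; None if that does not happen within `limit`."""
    for t in range(limit + 1):
        if port.state == State.FORWARDING:
            return t
        port.advance(1)
    return None


def direct_failure_outage() -> Optional[int]:
    """Blocked port promoted at once: Listening + Learning = 2 x forward delay."""
    port = StpPort(State.BLOCKING)
    port.selected()
    return seconds_until_forwarding(port)


def indirect_failure_outage() -> Optional[int]:
    """Blocked port stops hearing the root: Max Age first, then Listening and Learning."""
    return seconds_until_forwarding(StpPort(State.BLOCKING))
```

With the defaults, `direct_failure_outage()` is 30 seconds and `indirect_failure_outage()` is 50, the two figures the text arrives at; a port that keeps calling `root_bpdu_received()` every hello interval never leaves Blocking, which is the normal steady state of a redundant link.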

STP
Enhancements



Optimizing Spanning Tree Protocol
By default, STP is enabled for every port on the switch.
If for some reason STP has been disabled, you can re-enable it.
1) Activating Spanning tree:
If an entire instance of STP has been disabled, you can re-enable it with
the following global configuration command:
Switch(config)# spanning-tree vlan vlan-id
If STP has been disabled for a specific VLAN on a specific port, you can
re-enable it with the following interface configuration command:
Switch (config-if)# spanning-tree vlan vlan-id

2) Root Bridge Placement


Although STP is wonderfully automatic with its default values and
election processes, the resulting tree structure might perform quite
differently than expected.
Campus Network with an Inefficient Root Bridge Election

Campus Network with STP Converged

Notice that Catalyst A, one of the access-layer switches, has been


elected the Root Bridge.
Unfortunately, Catalyst A cannot take advantage of the 1-Gbps links,
unlike the other switches.
So forcing a Root bridge manually is highly recommended.
802.1D 16-bit Bridge Priority Field Using the Extended System ID
If STP extended system ID is enabled, the default bridge-priority is
32,768 plus the VLAN number.

If the switch can’t support 1024 unique MAC addresses for its own use,
the extended system ID is always enabled by default. Otherwise, the
traditional method is enabled by default.
To begin using the extended system ID method, you can use the
following global configuration command:
Switch(config)# spanning-tree extend system-id
Otherwise, you can use the traditional method by beginning the command
with the no keyword.

To force certain switch to be the root or backup root:


Switch(config)#spanning-tree vlan vlan-list root {primary | secondary}

Switch(config)#spanning-tree vlan 5, 70-77 root primary


• This command forces this switch to be the root.
Switch(config)#spanning-tree vlan 5, 70-77 root secondary
• This command configures this switch to be the secondary root.
Or
Switch(config)#spanning-tree vlan 1 priority priority
• This command statically configures the priority (in increments of 4096).



• Use the primary keyword to make the switch attempt to become the
primary Root Bridge. This command modifies the switch’s bridge priority
value to become less than the bridge priority of the current Root Bridge.
If the current root priority is more than 24,576, the local switch sets its
priority to 24,576. If the current root priority is less than that, the local
switch sets its priority to 4096 less than the current root.
• For the secondary Root Bridge, the root priority is set to an artificially
low value of 28,672. There is no way to query or listen to the network to
find another potential secondary root simply because there are no
advertisements or elections of secondary Root Bridges. Instead, the fixed
secondary priority is used under the assumption that it will be less than
the default priorities (32,768) that might be used on switches elsewhere.
You can also modify the network diameter by adding the diameter
keyword to this command.

Why did this method fail? The current Root Bridge has a bridge priority of
4200. Because that priority is less than 24,576, the local switch will try to
set its priority to 4096 less than the current root. Although the resulting
priority would be 104, the local switch is using an extended system ID,
which requires bridge priority values that are multiples of 4096. The only
value that would work is 0, but the automatic method will not use it.



Instead, the only other option is to manually configure the bridge priority to
0 with the following command:
Switch(config)# spanning-tree vlan 100 priority 0
Remember that on switches that use an extended system ID, the bridge
priority is the configured priority (multiple of 4096) plus the VLAN
number. Even though the priority was set to 0 with the previous
command, the switch is actually using a value of 100—priority 0 plus
VLAN number 100.

Switch#show spanning-tree bridge
                                                   Hello  Max  Fwd
Vlan             Bridge ID                          Time  Age  Dly  Protocol
---------------- --------------------------------- -----  ---  ---  --------
VLAN0200         49352 (49152,200) 0008.2199.2bc0    2    20   15   ieee
VLAN0202         49354 (49152,202) 0008.2199.2bc0    2    20   15   ieee
VLAN0203         49355 (49152,203) 0008.2199.2bc0    2    20   15   ieee
VLAN0204         49356 (49152,204) 0008.2199.2bc0    2    20   15   ieee
VLAN0205         49357 (49152,205) 0008.2199.2bc0    2    20   15   ieee
VLAN0206         49358 (49152,206) 0008.2199.2bc0    2    20   15   ieee

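To make the priority arithmetic of this section concrete, here is an added Python example (not the book's code) that builds and splits the 16-bit priority field the way the show output above prints it (49352 = 49152 + VLAN 200), applies the root primary / root secondary rules exactly as stated in the text, and reproduces the case where a current root priority of 4200 defeats the automatic method. The function names and the plan_root helper are constructed for this illustration.

```python
"""Bridge priority arithmetic with the extended system ID; constructed, not the book's code."""
from typing import Optional, Tuple

PRIO_STEP = 4096             # only the top 4 bits of the 16-bit field are configurable
MAX_PRIO = 15 * PRIO_STEP    # 61440
ROOT_PRIMARY_DEFAULT = 24576
ROOT_SECONDARY = 28672


def bridge_priority_field(configured: int, vlan: int) -> int:
    """16-bit priority field = configured priority (multiple of 4096) + VLAN number."""
    if configured % PRIO_STEP or not 0 <= configured <= MAX_PRIO:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be between 1 and 4094")
    return configured + vlan


def split_priority_field(field: int) -> Tuple[int, int]:
    """Inverse: 49352 -> (49152, 200), the way 'show spanning-tree bridge' prints it."""
    return field & 0xF000, field & 0x0FFF


def root_primary_priority(current_root_priority: int) -> Optional[int]:
    """The priority 'spanning-tree vlan X root primary' would choose, following the
    rules in the text: 24576 if the current root is above that, otherwise 4096 less
    than the current root. None when the result is not a usable multiple of 4096
    (the automatic method does not fall back to 0)."""
    if current_root_priority > ROOT_PRIMARY_DEFAULT:
        candidate = ROOT_PRIMARY_DEFAULT
    else:
        candidate = current_root_priority - PRIO_STEP
    if candidate <= 0 or candidate % PRIO_STEP:
        return None
    return candidate


def plan_root(current_root_priority: int, vlan: int) -> Tuple[str, int]:
    """Command to take over as root for `vlan`, plus the priority field the switch
    would then advertise: the automatic macro where it works, else explicit priority 0."""
    auto = root_primary_priority(current_root_priority)
    if auto is not None:
        return f"spanning-tree vlan {vlan} root primary", bridge_priority_field(auto, vlan)
    # The 4200 case from the text: 4200 - 4096 = 104 is not a multiple of 4096, so
    # the only value left is 0, which has to be configured by hand.
    return f"spanning-tree vlan {vlan} priority 0", bridge_priority_field(0, vlan)
```

`plan_root(4200, 100)` returns the manual `spanning-tree vlan 100 priority 0` command and an advertised field of 100 (priority 0 plus VLAN 100), while against a default root (32768 + VLAN) the automatic macro lands on 24576.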


3) Port election customization
port cost:
(config-if)#spanning-tree [vlan <vlan id>] cost <cost>
port id (priority):
(config-if)#spanning-tree [vlan <vlan id>] port-priority <priority>

4) Tuning STP convergence:
• change timers manually:
(config)#spanning-tree vlan <vlan id> hello-time <seconds>
(config)#spanning-tree vlan <vlan id> forward-time <seconds>
(config)#spanning-tree vlan <vlan id> max-age <seconds>
• change timers automatically:
(config)#spanning-tree vlan <vlan id> root {primary | secondary} [diameter
<diameter> [hello-time <seconds>]]
• The default value of the forward delay (15 seconds) was originally
derived assuming a maximum network size of 7 bridge hops, a
maximum of three lost BPDUs, and a hello-time interval of 2 seconds.
Here, STP timers will be adjusted according to the formulas specified
in the 802.1D standard by giving only the network's diameter (the
maximum number of switches that traffic will traverse across a Layer 2
network)
Note: if the timers on a non-root switch are configured differently from the
Root switch's timers, all non-root switches obey the timers sent by the Root
switch in its BPDUs. So the commands above need only be configured on the
Root switch to take effect.



The longest path that a packet can take through the sample network is three
switches. This is considerably less than the reference diameter of seven that
is used to calculate the default timer values. Therefore, you can safely
assume that this network diameter is three, provided that no additional
switches will be added to lengthen the longest path. Suppose that a Hello
Time of 1 second is also desired, to shorten the time needed to detect a dead
neighbor. The following command attempts to make the local switch become
the root bridge and automatically adjusts the STP timers:
Switch(config)# spanning-tree vlan 100 root primary diameter 3 hello-time 1



STP considerations & Enhancements
• Many configuration steps are needed to optimize the operation of
STP; Cisco has also introduced many enhancements to speed up
STP convergence

Enhancing STP convergence


1) Port Fast: Access Layer nodes
• On switch ports that connect only to single workstations or
specific devices, bridging loops should never be possible
• Catalyst switches offer the PortFast feature that shortens the
Listening and Learning states to a negligible amount of time. When
a workstation link comes up, the switch immediately moves the
PortFast port into the Forwarding state
• One other benefit of PortFast is that topology change notification
(TCN) BPDUs are not sent when a switch port in PortFast mode
goes up or down

Activate PortFast with the following commands:


On specific interface:
(config-if)# spanning-tree portfast
On all interfaces:
(config)#spanning-tree portfast default

switch#show spanning-tree | include {port | portfast}

Tip: You can also use a macro configuration command to force a switch port to
support a single host. The following command enables STP PortFast, sets the
port to access (nontrunking) mode, and disables PAgP to prevent the port
from participating in an EtherChannel:
Switch(config)# interface type mod/num
Switch(config-if)# switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled



2) UplinkFast: Access Layer Uplinks
• Consider an access layer switch that has redundant uplink connections to
two distribution layer switches. Normally, one uplink would be in the
Forwarding state and the other in the Blocking state. If the primary uplink
went down, up to 50 seconds could elapse before the redundant uplink
could be used.
• UplinkFast keeps track of the alternate uplinks so that when the primary (Root Port) uplink fails, another blocked uplink can be brought into use immediately; it is therefore used to handle direct link failures.
• When UplinkFast is enabled, it is enabled for the entire switch and all
VLANs. UplinkFast works by keeping track of possible paths to the Root
Bridge. Therefore, the command is not allowed on the Root Bridge switch.
UplinkFast also makes some modifications to the local switch to ensure
that it does not become the Root Bridge and that the switch is not used as
a transit switch to get to the Root Bridge. In other words, the goal is to
keep UplinkFast limited to leaf-node switches that are farthest from the
root.
First, the switch’s bridge priority is raised to 49,152, making it unlikely
that the switch will be elected to Root Bridge status. The port cost of all
local switch ports is incremented by 3000, making the ports undesirable as
paths to the root for any downstream switches.

Example:



• Configuring UplinkFast is performed on the whole switch:
Switch(config)# spanning-tree uplinkfast [max-update-rate <pkts-per-second>]
The default is 150 packets per second (pps)
• The command also includes a max-update-rate parameter. When an uplink on a switch goes down, UplinkFast makes it easy for the local switch to update its bridging table of MAC addresses to point to the new uplink. However, UplinkFast also provides a mechanism for the local switch to notify other upstream switches that stations downstream (or within the access layer) can be reached over the newly activated uplink. The switch accomplishes this by sending dummy multicast frames to destination 0100.0ccd.cdcd on behalf of the stations contained in its Content-Addressable Memory (CAM) table. The MAC addresses are used as the source addresses in the dummy frames, as if the stations actually had sent them. The idea is to quickly send the multicast frames over the new uplink, giving upstream hosts a chance to receive the frames and learn of the new path to those source addresses.
These multicast frames are sent out at a rate specified by the max-update-rate parameter in packets per second. This limits the amount of bandwidth used for the dummy multicasts if the CAM table is quite large. The default is 150 packets per second (pps), but the rate can range from 0 to 65,535 pps. If the value is 0, no dummy multicasts are sent.

Switch# show spanning-tree uplinkfast
UplinkFast is enabled
Station update rate set to 150 packets/sec.
UplinkFast statistics
-----------------------
Number of transitions via uplinkFast (all VLANs) :9
Number of proxy multicast addresses transmitted (all VLANs) :5308
Name Interface List
-------------------- ------------------------------------
VLAN1 Fa6/9(fwd), Gi5/7
VLAN2 Gi5/7(fwd)
VLAN3 Gi5/7(fwd)
VLAN4
VLAN5
VLAN1002 Gi5/7(fwd)
VLAN1003 Gi5/7(fwd)
VLAN1004 Gi5/7(fwd)
VLAN1005 Gi5/7(fwd)



3) BackboneFast: Redundant Backbone Paths
• In the network backbone, or core layer, a different method is used to
shorten STP convergence.
• BackboneFast works by having a switch actively determine whether alternate paths to the Root Bridge exist in the event that the switch detects an indirect link failure (indirect link failures occur when a link not directly connected to the switch fails). A switch detects an indirect link failure when it receives inferior BPDUs from its Designated Bridge on either its Root Port or a Blocked Port (inferior BPDUs are sent by a Designated Bridge that has lost its connection to the Root Bridge, making it announce itself as the new Root).
• Normally, a switch must wait for the Max Age timer to expire before
responding to the inferior BPDUs. However, BackboneFast begins to
determine if other alternate paths to the Root Bridge exist according to
the type of port that received the inferior BPDU
• BackboneFast begins to use the Root Link Query (RLQ) protocol to see if
upstream switches have stable connections to the Root Bridge
• However, BackboneFast begins to determine whether other alternative
paths to the root bridge exist according to the following port types that
received the inferior BPDU:
■ If the inferior BPDU arrives on a port in the Blocking state, the switch
considers the root port and all other blocked ports to be alternative paths
to the root bridge.
■ If the inferior BPDU arrives on the root port itself, the switch
considers all blocked ports to be alternative paths to the root bridge.
■ If the inferior BPDU arrives on the root port and no ports are blocked,
however, the switch assumes that it has lost connectivity with the root
bridge. In this case, the switch assumes that it has become the root
bridge, and BackboneFast allows it to do so before the Max Age timer
expires

Example 1:

So we saved 20 sec of Max Age.
If the inferior BPDU was received on a blocked port, then the root
port and any other blocked ports are considered alternates.
If the inferior BPDU was received on the root port, then all blocked
ports are considered alternates.
If the inferior BPDU was received on the root port and there are no
blocked ports, the switch assumes it has lost connectivity with the
root and advertises itself as root.
Example 2:

• Configuring BackboneFast:
BackboneFast should be enabled on all switches in the network
because BackboneFast requires the use of the RLQ Request and
Reply mechanism to inform switches of Root Path stability.
(config)# spanning-tree backbonefast

Switch#show spanning-tree backbonefast


BackboneFast is enabled

BackboneFast statistics
-----------------------
Number of transition via backboneFast (all VLANs) : 0
Number of inferior BPDUs received (all VLANs) : 0
Number of RLQ request PDUs received (all VLANs) : 0
Number of RLQ response PDUs received (all VLANs) : 0
Number of RLQ request PDUs sent (all VLANs) : 0
Number of RLQ response PDUs sent (all VLANs) : 0
Spanning Tree debug Commands
Switch#debug spanning-tree all

• Displays all debugging messages for spanning tree

Switch#debug spanning-tree events

• Displays spanning-tree topology events debug messages

Switch#debug spanning-tree backbonefast

• Displays spanning-tree backbonefast events debug messages

Switch#debug spanning-tree uplinkfast

• Displays spanning-tree uplinkfast events debug messages



Protecting the Spanning Tree Protocol Topology


Protecting Against Unexpected BPDUs
1) Root Guard
• The Root Bridge is always expected to be seen on the Root Port and the
Alternate Ports because these are “closest” (have the best cost path) to
it. Suppose that another switch is introduced into the network with a
Bridge Priority that is more desirable (lower) than the current Root
Bridge. The new switch would then become the Root Bridge, and the STP
topology might reconverge to a new shape. This is entirely permissible by
the STP, as the switch with the lowest Bridge ID always wins the Root
election.

• The root guard feature was developed as a means to control where candidate Root Bridges can be connected and found on a network. Basically, a switch learns the current Root Bridge's Bridge ID.
• If another switch advertises a superior BPDU, or one with a better Bridge
ID, on a port where root guard is enabled, the local switch will not allow
the new switch to become the Root. As long as the superior BPDUs are
being received on the port, the port will be kept in the root-inconsistent
STP state. No data can be sent or received in that state, but the switch
can listen to BPDUs received on the port.
• When a superior BPDU is heard on the port, the entire port, in effect, becomes blocked. When the superior BPDUs are no longer received, the port is cycled through the normal STP states to return to normal use.
• Configuration of Root Guard:
(config-if)# spanning-tree guard root

Switch#show running-config interface fastethernet 5/8


Building configuration...
Current configuration: 67 bytes
interface FastEthernet5/8
switchport mode access
spanning-tree guard root
Switch#show spanning-tree inconsistentports
Name Interface Inconsistency
-------------------- ---------------------- ------------------
VLAN0001 FastEthernet3/1 Port Type Inconsistent
VLAN0001 FastEthernet3/2 Port Type Inconsistent
VLAN1002 FastEthernet3/1 Port Type Inconsistent

Number of inconsistent ports (segments) in the system :3



2) BPDU Guard
• By definition, if you enable PortFast, you are never expecting to find anything that can cause a bridging loop—especially another switch or device that produces BPDUs. Suppose that a switch is connected by mistake to a port where PortFast is enabled. Now, there is a potential for a bridging loop to form. An even greater consequence is that the potential now exists for a new device to advertise itself and become the new Root Bridge.
• The BPDU guard feature was developed to further protect the integrity of switch ports that have PortFast enabled. If any BPDU (whether superior to the current Root or not) is received on a port where BPDU guard is enabled, that port is immediately put into the errdisable state. The port is shut down in an error condition and must either be manually re-enabled or automatically recovered through the errdisable timeout function.
• Configuring BPDU Guard
-On all ports that already support PortFast:
Switch(config)# spanning-tree portfast bpduguard default
-On interface: (config-if)# spanning-tree bpduguard enable
To filter BPDUs, use BPDU filtering:
BPDU filtering is another way of preventing loops in the network. It can also be enabled either globally or at the interface, and it functions differently at each level. In global config, if a PortFast interface receives any BPDUs, it is taken out of PortFast status; otherwise, filtering stays enabled on it. In interface config mode, it prevents the port from sending or receiving BPDUs at all. The commands are:
(config)# spanning-tree portfast bpdufilter default
(config-if)# spanning-tree bpdufilter enable


Switch#show spanning-tree summary totals
Root bridge for:VLAN0010
EtherChannel misconfiguration guard is enabled
Extended system ID is enabled by default
Portfast is disabled by default
PortFast BPDU Guard is disabled by default
Portfast BPDU Filter is disabled by default
Loopguard is disabled by default
UplinkFast is disabled
BackboneFast is disabled
Pathcost method used is long

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
2 vlans                0        0         0        3          3

Tip: Do not confuse BPDU filtering with the BPDU Guard feature. BPDU Guard is used to detect inbound BPDUs on ports where BPDUs are not expected to be seen, then protect the STP stability by preventing those BPDUs from being processed. In contrast, BPDU filtering stops all BPDUs from being received or sent on a switch port, effectively disabling STP.
Causes of Sudden Loss of BPDUs
1) Duplex Mismatch
2) Frame Corruption
3) Resource errors
4) Unidirectional Links
5) Configuration mistakes (enabling BPDU filter on the other side)
Protecting Against Sudden Loss of BPDUs

1) Loop Guard
• Suppose a switch port is receiving BPDUs, and the switch
port is in the blocking state. The port makes up a redundant
path; it is blocking because it is neither a Root Port nor a
Designated Port. If, for some reason, the flow of BPDUs
stops, the last known BPDU is kept until the Max Age timer
expires. Then, that BPDU is flushed, and the switch thinks
there is no longer a need to block the port. The port moves
through the STP states until it begins to forward traffic—and
form a bridging loop. In its final state, the port becomes a
Designated Port.

Before Loop Guard



• To prevent this situation, you can use the loop guard STP
feature. When enabled, loop guard keeps track of the BPDU
activity on nondesignated ports. While BPDUs are received,
the port is allowed to behave normally. When BPDUs go
missing, loop guard moves the port into the loop-
inconsistent state. The port is effectively blocking at this
point to prevent a loop from forming and to keep it in the
nondesignated role. After BPDUs are received on the port
again, loop guard allows the port to move through the
normal STP states and become active. In this fashion, loop
guard automatically governs ports without the need for
manual intervention.

With Loop Guard

Configuring Loop Guard:
• By default, Loop Guard is disabled on all switch ports. You can enable Loop Guard as a global default, affecting all switch ports, with the following global configuration command:
Switch(config)# spanning-tree loopguard default
• Or configure it per interface on the nondesignated ports (Root ports and Alternate/Blocked ports):
(config-if)# spanning-tree guard loop

Loop Guard and UDLD perform nearly the same action, with one main difference: Loop Guard is a topology-based feature, while UDLD is a port-based feature.
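To tie the Root Guard, BPDU Guard and Loop Guard behaviour above together, here is an added example (my code, not the book's or Cisco's) that models how one port reacts to BPDU events under each protection; the event names, port names and feature flags are constructed for the example.

```python
"""Added example (not the book's or Cisco's code): a small model of how the
STP protection features react to BPDU events on one port. The rules are the
ones stated in the text (BPDU Guard -> errdisable, Root Guard ->
root-inconsistent, Loop Guard -> loop-inconsistent); names are constructed."""
from dataclasses import dataclass, field
from typing import List

NONDESIGNATED = ("root", "alternate")   # roles that expect to receive BPDUs


@dataclass
class Port:
    name: str
    role: str                      # "root" | "alternate" (blocked) | "designated"
    portfast: bool = False
    bpdu_guard: bool = False
    root_guard: bool = False
    loop_guard: bool = False
    state: str = "forwarding"
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.state = self.normal_state()

    def normal_state(self) -> str:
        # an Alternate port blocks; Root and Designated ports forward
        return "blocking" if self.role == "alternate" else "forwarding"


def on_event(port: Port, event: str) -> str:
    """Apply one event and return the resulting port state.

    Events: "bpdu"          - a BPDU that is not superior to the current Root
            "superior_bpdu" - a BPDU announcing a better Bridge ID than the Root
            "bpdu_stop"     - no BPDU seen for Max Age (last BPDU flushed)
            "bpdu_resume"   - BPDUs are being received normally again
    """
    if port.state == "errdisable":
        return port.state           # stays down until manual or timeout recovery

    if event in ("bpdu", "superior_bpdu"):
        if port.bpdu_guard:         # any BPDU at all on a guarded edge port
            port.state = "errdisable"
            port.log.append(f"{port.name}: BPDU received with BPDU Guard -> errdisable")
            return port.state
        if event == "superior_bpdu":
            if port.root_guard:     # refuse the new Root; block while it persists
                port.state = "root-inconsistent"
                port.log.append(f"{port.name}: superior BPDU with Root Guard -> root-inconsistent")
            else:                   # unprotected: lowest Bridge ID wins, topology reconverges
                port.role, port.state = "root", "forwarding"
                port.log.append(f"{port.name}: superior BPDU accepted, new Root Bridge elected")
            return port.state
        if port.state in ("root-inconsistent", "loop-inconsistent"):
            port.state = port.normal_state()   # BPDUs are normal again
        return port.state

    if event == "bpdu_stop" and port.role in NONDESIGNATED:
        if port.loop_guard:
            port.state = "loop-inconsistent"
            port.log.append(f"{port.name}: BPDUs missing with Loop Guard -> loop-inconsistent")
        else:                       # plain 802.1D: port becomes Designated and forwards
            port.role, port.state = "designated", "forwarding"
            port.log.append(f"{port.name}: BPDUs missing, now Designated/forwarding (bridging loop risk)")
        return port.state

    if event == "bpdu_resume" and port.state in ("root-inconsistent", "loop-inconsistent"):
        port.state = port.normal_state()
        port.log.append(f"{port.name}: BPDUs normal again -> {port.state}")
    return port.state


def recover(port: Port) -> str:
    """Manual shutdown / no shutdown, or the errdisable recovery timeout."""
    if port.state == "errdisable":
        port.state = port.normal_state()
    return port.state


if __name__ == "__main__":
    edge = Port("Fa0/1", "designated", portfast=True, bpdu_guard=True)
    uplink = Port("Gi0/1", "root", root_guard=True)
    alt = Port("Gi0/2", "alternate", loop_guard=True)
    on_event(edge, "bpdu")
    on_event(uplink, "superior_bpdu"); on_event(uplink, "bpdu_resume")
    on_event(alt, "bpdu_stop")
    for p in (edge, uplink, alt):
        print(*p.log, sep="\n")
```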



2) UniDirectional Link detection (UDLD) – Cisco Proprietary:
• In a campus network, switches connect together by bidirectional
(traffic can flow in two directions, as in full-duplex) links.
Clearly, if a link has a physical layer problem, the two switches
it connects detect the problem and the link is shown as not
connected. What would happen if just one side (receive or
transmit) of the link had an odd failure, such as malfunctioning
transmit circuitry in a gigabit interface converter (GBIC) or
SFP? In some cases, the two switches would still see a
functional link. However, traffic could be delivered only in one
direction and neither switch would notice.

• A unidirectional link poses a potential danger to STP topologies
because BPDUs will not be received on one end of the link. If
that end of the link should be in the blocking state, it will not be
for long. That switch thinks the absence of BPDUs means that
the port can be moved through the STP states so that traffic can
be forwarded on it. When that happens, a bridging loop forms
and the switch never realizes the mistake.
• To prevent this situation, you can use the unidirectional link
detection (UDLD) STP feature. When enabled, UDLD
interactively monitors a port to see if the link is truly
bidirectional. The switch sends special Layer 2 UDLD frames
identifying the switch port at regular intervals. UDLD expects
the far-end switch to echo those frames back across the same
link, with the far-end switch port’s identification added. If a
UDLD frame is received in return, and both neighboring ports
are identified in the frame, the link must be bidirectional.
However, if the echoed frames are not seen, the link is
unidirectional.

• You can configure the message interval used by UDLD (the default is 15 seconds). The objective behind UDLD is to detect a unidirectional link condition before STP has time to move a Blocked port into the Forwarding state. The target time would then be the Max Age timer plus two intervals of the Forward Delay timer, or 50 seconds. UDLD can detect a unidirectional
• UDLD has two modes of operation:
- Normal mode—After a unidirectional link condition is detected, the
port is allowed to continue its operation. UDLD merely marks the
port as having an undetermined state and generates a syslog
message.
- Aggressive mode—After a unidirectional link condition is detected,
the switch takes action to re-establish the link. UDLD messages
are sent out once a second for 8 seconds (8 retries). If none of
those messages are echoed back, the port is placed in the
errdisable state so that it cannot be used.
• To enable it globally, use the following global configuration
command:
(config)# udld {aggressive | enable | message time seconds}
• You can also enable or disable UDLD on individual switch ports, if
needed, using the following interface configuration command:
(config-if)# udld {aggressive | disable | enable}

Comparison of Loop Guard and UDLD:

Feature                                            Loop Guard                            UDLD
Configuration                                      Per port                              Per port
Action granularity                                 Per VLAN                              Per port
Autorecovery                                       Yes                                   Yes, with err-disable timeout feature
Protection against STP failures caused by          Yes, when enabled on all root         Yes, when enabled on all links
unidirectional links                               and alternate ports in redundant      in redundant topology
                                                   topology
Protection against STP failures caused by a        Yes                                   No
problem in software resulting in the designated
switch not sending BPDUs
Protection against miswiring                       No                                    Yes

Troubleshooting:
#show spanning-tree inconsistentports
#show spanning-tree interface type mod/num [detail]
#show udld [type mod/num]
• To re-enable ports that UDLD aggressive mode has errdisabled
#udld reset



EXAMPLE SWITCHED TOPOLOGY



Using Storm Control
Recall that a LAN switch makes a network operate more efficiently by breaking it up into many isolated portions. A single host can connect to a single switch port, forming a tiny collision domain. More importantly, a switch uses a destination MAC address to deliver a frame to the switch port where the corresponding host is connected. For the most part, each host receives only the frames that are meant to reach it. Frame delivery is streamlined and hosts are spared spending their resources receiving and discarding unnecessary and unrelated frames.
Three exceptions apply to this idealized scenario:
Broadcast frames
Multicast frames
Unknown unicast frames
In each of these cases, frames have a destination MAC address that is not
specific or one that cannot be located. Therefore, the frames must be
flooded or delivered to multiple hosts over multiple switch ports.
Some amount of flooded traffic is normal and should be expected. After
all, hosts must rely on broadcasts like ARP requests to find other hosts.
Until a host transmits a frame and the switch learns its MAC address, the
switch must flood frames destined for the host.
However, it is entirely possible to have an excessive amount of flooded
traffic on a network. For example, a host might have a runaway process
or malicious software that sends a broadcast storm into its local VLAN.
Another host might set aside one network interface card (NIC) to receive
traffic and another one to transmit traffic. The receiving NIC will never
send a frame, so the switch will never learn its MAC address. As a result,
all traffic destined for the receiving NIC will be flooded to all hosts on the
VLAN as unknown unicast frames.
By default, frames will be flooded at the same rate they are received by a
switch. Under normal conditions, the volume of flooded frames should not
be too great for hosts to handle. Under extreme conditions, flooded
frames can overwhelm many hosts. You can leverage the Storm Control
feature to set limits on flooded traffic before it can cause problems on
your network.

Storm Control is configured on a per-interface basis to monitor traffic that is
arriving or being received at the interface, as shown in Figure. The idea is to
take action on frames as they enter the switch and arrive at the internal
switching bus, before they are flooded to multiple switch ports. You can
configure thresholds for the amount of broadcast, multicast, or unknown
unicast traffic and an action to be taken when the thresholds are exceeded.

First, select an interface where frames might be received and flooded. Then
configure a threshold using the following interface configuration command:
Switch(config-if)# storm-control {broadcast | multicast | unicast}
level {level [level-low] | bps bps [bps-low] | pps pps [pps-low]}
Select the type of threshold with the broadcast, multicast, or unicast keyword.
Keep in mind that “unicast” actually means unknown unicast; otherwise, the
threshold would limit the volume of normal unicast frames passing through
the interface.
You can set the traffic threshold with the level keyword and one of the
following keywords and values:
level [level-low]: The threshold is set to a percentage of the interface
bandwidth. The level and level-low percentages can be a value with two
decimal places from 0.00 to 100.00.
bps bps [bps-low]: The threshold is set to a specific bits per second rate. The
bps and bps-low values can range from 0.0 to 10000000000.0 (10 Gbps),
with one decimal place.
pps pps [pps-low]: The threshold is set to a specific packets per second rate.
The pps and pps-low values can range from 0.0 to 10000000000.0 (10 Gbps),
with one decimal place.
Storm Control will take action when the flooded traffic rises to the first value,
then will stop the action when the traffic falls below that value. You can set a
different falling threshold by specifying the second -low value.

Tip
Rather than counting zeroes for large bps and pps values,
you can use k, m, and g to designate kilo-, mega-, and giga- units.
You can repeat the storm control command to define separate
thresholds for broadcast, multicast, and unknown unicast traffic.
Next, specify the action to be taken when the threshold is
exceeded. By default, the excessive frames are simply dropped as
they are received. In addition, you can use the following interface
configuration command to shut down the interface in errdisable
mode or to send an SNMP trap as an alert of a storm
condition in progress:
Switch(config-if)# storm-control action {shutdown | trap}
In Example, Storm Control is enabled for traffic received on
interface Gigabit Ethernet 1/0/1.
Because there is no storm control action command entered, the
default action to drop excessive frames will be taken. When
broadcast frames exceed 50 percent of the interface bandwidth,
they will be dropped. When the rate of multicast frames exceeds
50,000 packets per second, they will be dropped.
Finally, when the volume of unknown unicast frames rises above 20
percent and then stays above 10 percent of the interface
bandwidth, they will be dropped.
Example :
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# storm-control broadcast level 50
Switch(config-if)# storm-control multicast level pps 50k
Switch(config-if)# storm-control unicast level 20 10
You can display the rising and falling Storm Control thresholds, in
addition to the current rate, with the following EXEC command:
Switch# show storm-control [interface-id] [broadcast | multicast |
unicast]
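As an added example (my code, not the book's or Cisco's), a model of the threshold semantics just described: the rising value starts the action, the optional lower falling value ends it, k/m/g suffixes scale bps and pps values, and the action is drop by default, shutdown or trap. Interface names and the traffic samples are constructed.

```python
"""Added example (not the book's or Cisco's code): a model of storm-control
threshold semantics. A rising threshold starts the action, an optional lower
falling threshold ends it (hysteresis), k/m/g suffixes scale bps/pps values,
and the action is drop (default), shutdown or trap. Names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

_SUFFIX = {"k": 1_000, "m": 1_000_000, "g": 1_000_000_000}
TRAFFIC_TYPES = ("broadcast", "multicast", "unicast")   # unicast = unknown unicast


def parse_rate(text: str) -> float:
    """'50k' -> 50000.0, '1.5m' -> 1500000.0, '20' -> 20.0 (per the tip above)."""
    text = text.strip().lower()
    if text and text[-1] in _SUFFIX:
        return float(text[:-1]) * _SUFFIX[text[-1]]
    return float(text)


@dataclass
class Threshold:
    unit: str                       # "level" (% of bandwidth) | "bps" | "pps"
    rising: float
    falling: float
    suppressing: bool = False

    def __post_init__(self) -> None:
        if self.unit == "level" and not 0.0 <= self.rising <= 100.0:
            raise ValueError("level is a percentage from 0.00 to 100.00")
        if self.falling > self.rising:
            raise ValueError("falling threshold cannot exceed rising threshold")

    def update(self, rate: float) -> bool:
        """Feed one measured rate; return True while the action is in effect."""
        if not self.suppressing and rate >= self.rising:
            self.suppressing = True                 # storm starts at the rising value
        elif self.suppressing and rate < self.falling:
            self.suppressing = False                # storm ends below the falling value
        return self.suppressing


@dataclass
class Interface:
    name: str
    action: str = "drop"            # default; "shutdown" or "trap" may be configured
    thresholds: Dict[str, Threshold] = field(default_factory=dict)
    errdisabled: bool = False
    traps: List[str] = field(default_factory=list)

    def storm_control(self, traffic: str, unit: str, rising: str,
                      falling: Optional[str] = None) -> None:
        """Model of: storm-control <traffic> level {<r> [<f>] | bps <r> [<f>] | pps <r> [<f>]}"""
        if traffic not in TRAFFIC_TYPES:
            raise ValueError("traffic must be broadcast, multicast or unicast")
        r = parse_rate(rising)
        f = r if falling is None else parse_rate(falling)   # one value: same both ways
        self.thresholds[traffic] = Threshold(unit, r, f)

    def storm_control_action(self, action: str) -> None:
        """Model of: storm-control action {shutdown | trap}"""
        if action not in ("shutdown", "trap"):
            raise ValueError("storm-control action {shutdown | trap}")
        self.action = action

    def observe(self, traffic: str, rate: float) -> str:
        """Return what happens to <traffic> frames arriving at <rate> right now."""
        if self.errdisabled:
            return "errdisable"
        thr = self.thresholds.get(traffic)
        if thr is None:
            return "forward"                        # no threshold for this type
        was_suppressing = thr.suppressing
        if not thr.update(rate):
            return "forward"
        if self.action == "shutdown":
            self.errdisabled = True                 # port goes errdisable
            return "errdisable"
        if self.action == "trap" and not was_suppressing:
            self.traps.append(f"{self.name}: {traffic} storm at {rate} {thr.unit}")
        return "drop"                               # default: excess frames dropped


if __name__ == "__main__":
    gi = Interface("GigabitEthernet1/0/1")          # the book's example configuration
    gi.storm_control("broadcast", "level", "50")
    gi.storm_control("multicast", "pps", "50k")
    gi.storm_control("unicast", "level", "20", "10")
    for rate in (5, 25, 15, 9):                     # constructed unknown-unicast load in %
        print(f"unknown unicast at {rate}% -> {gi.observe('unicast', rate)}")
```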

STP Questions
Question 1
Which command does a network engineer use to verify the spanning-tree status for VLAN 10?
• switch# show spanning-tree vlan 10
• switch# show spanning-tree bridge
• switch# show spanning-tree brief
• switch# show spanning-tree summary
• switch# show spanning-tree vlan 10 brief

Question 2
Refer to the exhibit.

f1/0 and f1/1 have the same end-to-end path cost to the designated bridge.
Which action is needed to modify the Layer 2 spanning-tree network so that
traffic for PC1 VLAN from switch SW3 uses switchport f1/1 as a primary
port?
A. Modify the spanning-tree port-priority on SW1 f1/1 to 0 and f1/0 to 16.
B. Modify the spanning-tree port-priority on SW1 f1/1 to 16 and f1/0 to 0.
C. Modify the spanning-tree port-priority on SW2 f1/1 to 0 and f1/0 to 16.
D. Modify the spanning-tree port-priority on SW2 f1/1 to 16 and f1/0 to 0.

Question 3
Refer to the exhibit.

Why would the switch be considered as a root bridge?
A. The bridge priority is 1 and all ports are
forwarding.
B. The switch priority for VLAN 1 and the
macro specifies "This Bridge is the root".
C. The bridge priority is 128.19 and all ports
are forwarding.
D. The switch priority value is zero, it has the
lowest priority value for VLAN 1.



Question 4
Refer to the exhibit.

All ports are members of VLAN 10. Considering the default cost of upstream bridges to the root
bridge is equal, which option will be the new root port for VLAN 10?
A. interface f0/13 B. interface f0/14 C. interface f0/15 D. interface f0/21

Question 5
A network engineer is trying to deploy a PC on a network. The engineer observes that when the PC
is connected to the network, it takes 30 to 60 seconds for the PC to see any activity on the network
interface card. Which Layer 2 enhancement can be used to eliminate this delay?
A. Configure port duplex and speed to auto negotiation.
B. Configure port to duplex full and speed 1000.
C. Configure spanning-tree portfast.
D. Configure no switchport.

Question 6
A network engineer configured an Ethernet switch using these commands.
Switch1(config) # spanning-tree portfast bpdufilter default
Which statement about the spanning-tree portfast feature on the switch is true?
A. If an interface is enabled for portfast receives BDPU, the port goes through the spanning-tree
listening, learning, and forwarding states.
B. If an interface is enabled for portfast receives BDPU, the port does not go through the spanning-
tree listening, learning, and forwarding states.
C. If an interface is enabled for portfast receives BDPU, the port is shut down immediately.
D. If an interface is enabled for portfast receives BDPU, the port goes into the spanning-tree
inconsistent state.

Question 7
Which statement describes what happens when a port configured with root guard receives a superior
BPDU?
A. The port goes into errdisabled state and stops forwarding traffic.
B. The port goes into BPDU-inconsistent state and stops forwarding traffic
C. The port goes into loop-inconsistent state and stops forwarding traffic.
D. The port goes into root-inconsistent state and stops forwarding traffic.



Question 8
An administrator recently configured all ports for rapid transition using PortFast. After testing, it has
been determined that several ports are not transitioning as they should. What is the reason for this?
A. RSTP has been enabled per interface and not globally.
B. The STP root bridge selection is forcing key ports to remain in non-rapid transitioning mode.
C. STP is unable to achieve rapid transition for trunk links.
D. The switch does not have the processing power to ensure rapid transition for all ports.

Question 9
Pilot testing of the new switching infrastructure finds that when the root port is lost, STP immediately
replaces the root port with an alternative root port. Which spanning-tree technology is used to
accomplish backup root port selection?
A. PVST+ B. PortFast C. BackboneFast D. UplinkFast E. Loop Guard F. UDLD

Question 10
A network engineer must adjust the STP interface attributes to influence root port selection. Which two
elements are used to accomplish this? (Choose two)
A. port-priority B. cost C. forward-timers D. link type E. root guard

Question 11
For client server failover purposes, the application server team has indicated that they must not have the
standard 30 second delay before their switchport enters a forwarding state. For their disaster recovery
feature to operate successfully, they require the switchport to enter a forwarding state immediately.
Which spanning-tree feature satisfies this requirement?
A. Rapid Spanning-Tree
B. Spanning-Tree Timers
C. Spanning-Tree FastPort
D. Spanning-Tree PortFast
E. Spanning-Tree Fast Forward



UDLD Questions
Question 1
Which statement about the UDLD protocol is true?
A. UDLD is a Cisco-proprietary Layer 2 protocol that enables devices to monitor the physical status
of links and detect unidirectional failures.
B. UDLD is a Cisco-proprietary Layer 2 protocol that enables devices to advertise their identity,
capabilities, and neighbors on a local area network.
C. UDLD is a standardized Layer 2 protocol that enables devices to monitor the physical status of
links and detect unidirectional failures.
D. UDLD is a standardized Layer 2 protocol that enables devices to advertise their identity,
capabilities, and neighbors on a local area network.

Question 2
Which option lists the modes that are available for configuring UDLD on a Cisco switch?
A. normal and aggressive B. active and aggressive
C. normal and active D. normal and passive

Question 3
While working in the core network building, a technician accidently bumps the fiber connection
between two core switches and damages one of the pairs of fiber. As designed, the link was placed
into a non-forwarding state due to a fault with UDLD. After the damaged cable was replaced, the
link did not recover. What solution allows the network switch to automatically recover from such an
issue?
A. macros B. errdisable autorecovery C. IP Event Dampening
D. command aliases E. Bidirectional Forwarding Detection

Question 4
After UDLD is implemented, a Network Administrator noticed that one port stops receiving UDLD
packets. This port continues to reestablish until after eight failed retries. The port then transitions
into the errdisable state. Which option describes what causes the port to go into the errdisable state?
A.Normal UDLD operations that prevent traffic loops.
B. UDLD port is configured in aggressive mode.
C. UDLD is enabled globally.
D. UDLD timers are inconsistent.

Question 5
After reviewing UDLD status on switch ports, an engineer notices that the switch LEDs are green.
Which statement describes what this indicates about the status of the port?
A. The port is fully operational and no known issues are detected.
B. The bidirectional status of "unknown" indicates that the port will go into the disabled state
because it stopped receiving UDLD packets from its neighbor.
C. UDLD moved into aggressive mode after inconsistent acknowledgements were detected.
D. The UDLD port is placed in the "unknown" state for 5 seconds until the next UDLD packet is
received on the interface.
Storm Control Questions
Question 1
The command storm-control broadcast level 75 65 is configured under the switch port connected to the
corporate mail server. In which three ways does this command impact the traffic? (Choose three)
A- SNMP traps are sent by default when broadcast traffic reaches 65% of the lower-level threshold.
B- The switchport is disabled when unicast traffic reaches 75% of the total interface bandwidth.
C- The switch resumes forwarding broadcasts when they are below 65% of bandwidth.
D- Only broadcast traffic is limited by this particular storm control configuration.
E- Multicast traffic is dropped at 65% and broadcast traffic is dropped at 75% of the total interface
bandwidth.
F- The switch drops broadcasts when they reach 75% of bandwidth.

Question 2
While troubleshooting a network outage, a network engineer discovered an unusually high level of
broadcast traffic coming from one of the switch interfaces. Which option decreases consumption of
bandwidth used by broadcast traffic?
A. storm control
B. SDM routing
C. Cisco IOS parser
D. integrated routing and bridging
E. Dynamic ARP Inspection

Question 3
Which switch feature prevents traffic on a LAN from being overwhelmed by continuous multicast or
broadcast traffic?
A. storm control
B. port security
C. VTP pruning
D. VLAN trunking

Question 4
Which command would a network engineer apply to error-disable a switchport when a packet-storm is
detected?
A. router(config-if)#storm-control action shutdown
B. router(config-if)#storm-control action trap
C. router(config-if)#storm-control action error
D. router(config-if)#storm-control action enable



Advanced Spanning Tree Protocol


Types of STP

1) CST (Common Spanning Tree)
• A single STP instance runs for all VLANs. BPDUs are sent untagged over the
  native VLAN of 802.1Q trunks. Because there is only one topology, a redundant
  link that is blocked is blocked for every VLAN, so redundant links are never
  used for load sharing.

2) PVST (Per-VLAN Spanning Tree)
• Cisco's proprietary version of STP, more flexible than CST: a separate STP
  instance runs for each VLAN and can be tuned independently, so redundant links
  can be used in a load-sharing fashion (one VLAN forwards on a link that another
  VLAN blocks). Because PVST is proprietary, ISL must be used for trunking, and
  there is no interoperability between CST and PVST (no BPDUs are exchanged
  between them).

3) PVST+ (PVST plus)
• Cisco's later version, which allows CST and PVST to interoperate: PVST+ acts as
  a translator between CST and PVST and supports both ISL and 802.1Q trunks.

The above are the original STP options. The rest of this chapter covers the newer
versions: RSTP (IEEE 802.1w, BPDU protocol version 2), Rapid PVST+ (Cisco
proprietary, one RSTP instance per VLAN) and MST (IEEE 802.1s, BPDU protocol
version 3, the standard way of running a reduced number of instances over many
VLANs). The new versions are backward compatible with the old ones.
Rapid Spanning Tree Protocol (RSTP)
IEEE 802.1w
• The IEEE 802.1w standard was developed to take 802.1D's principal concepts and
  make the resulting convergence much faster. It is also known as the Rapid
  Spanning Tree Protocol (RSTP).
• RSTP defines how switches must interact with each other to keep the network
  topology loop free in a very efficient manner. Like 802.1D, RSTP's basic
  functionality can be applied as a single instance or as multiple instances: as
  IEEE 802.1s Multiple Spanning Tree (MST), or as the Cisco-proprietary Rapid
  Per-VLAN Spanning Tree Protocol (RPVST+).
• RSTP operates the same way in each; only the way it is replicated into multiple
  instances differs.
• RSTP calculates the final topology using exactly the same criteria as 802.1D
  (root bridge ID, root path cost, sender bridge ID, sender port ID).
• Unlike 802.1D, RSTP separates the role the protocol has determined for a port
  from the port's current state.

RSTP Port Roles

• Root Port: The one switch port on each switch that has the best root path cost
  to the Root. This is identical to 802.1D. (By definition, the Root Bridge has
  no Root Ports.)
• Designated Port: The switch port on a network segment that has the best root
  path cost to the Root; it forwards traffic for that segment.
• Alternate Port: A port that has an alternate path to the Root, different from
  the path the Root Port takes but less desirable than it. It is the rapid
  replacement for the Root Port if the Root Port fails. (An example is an access
  layer switch with two uplink ports: one becomes the Root Port, the other an
  Alternate Port.)
• Backup Port: A port that provides a redundant (but less desirable) connection
  to a segment where another port of the same switch already connects as the
  Designated Port; it can only take over the Designated role on that segment. If
  that common segment is lost, the switch might or might not have a path back to
  the Root.


Port Types
Every switch port can be considered one of the following types:
• Edge Port: A port at the "edge" of the network, where only a single host
  connects. Traditionally this has been identified by enabling the STP PortFast
  feature, and RSTP keeps the PortFast concept for familiarity. By definition the
  port cannot form a loop because it connects to one host, so it is placed in the
  Forwarding state immediately. However, if a BPDU is ever received on an edge
  port, the port immediately loses its edge status and behaves as a normal
  non-edge port.
• Point-to-Point Port: A non-edge port that connects to exactly one other switch
  (for example, a port that becomes a Designated Port on a full-duplex link). A
  quick handshake with the neighboring switch, rather than a timer expiration,
  decides the port state: BPDUs are exchanged in the form of a proposal and an
  agreement. One switch proposes that its port become the Designated Port; if
  the other switch agrees, it replies with an agreement message and the port can
  begin forwarding at once. Point-to-point ports are determined automatically
  from the duplex mode in use: a full-duplex port is considered point-to-point
  because only two switches can be present on the link.
• Shared Port: A half-duplex port is assumed to be on shared media with possibly
  more than two switches present, so it is not point-to-point. The
  proposal/agreement handshake cannot be run between several switches on one
  segment, so the traditional 802.1D-style convergence is used instead: the port
  must wait through the fixed Listening and Learning periods before forwarding,
  which is much slower.

If the switch detects that a port is half duplex, it treats it as a shared port
and falls back to timer-based 802.1D convergence on that port. If the link is
really point-to-point (a direct connection to one other switch that happens to
run half duplex), you can override the detection and configure the port as
point-to-point so that it uses the RSTP handshake.

To configure a port as an RSTP edge port:
(config-if)# spanning-tree portfast

To force the port to act as a point-to-point link, use the following interface
configuration command:
(config-if)# spanning-tree link-type point-to-point

The link type is normally taken from the duplex setting (full duplex means
point-to-point, that is, connected to one other switch). If a port is connected
to another switch but for some reason operates in half duplex, you must force it
to point-to-point with this command so that RSTP can converge rapidly on it.
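The two commands above in context, as an added example that is not part of the original text: an access switch running Rapid PVST+ with one host-facing edge port and one trunk to another switch that ended up in half duplex. Interface names, VLAN numbers and description strings are assumptions. The `spanning-tree bpduguard enable` line goes beyond the text above; it is the hardening a practitioner adds to an edge port so that a BPDU arriving from an unexpected switch error-disables the port instead of only stripping its edge status.

```cisco
! Added example: RSTP port types on an access switch (names and numbers assumed)
spanning-tree mode rapid-pvst
!
! Host-facing port: edge port, goes to Forwarding immediately.
! BPDU guard (hardening beyond the text above): if a BPDU ever arrives here,
! the port is error-disabled rather than silently becoming a normal port.
interface GigabitEthernet1/0/10
 description user port
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Trunk to another switch that negotiated half duplex. RSTP would classify it
! as a shared port and fall back to 802.1D timers, so force point-to-point.
interface FastEthernet1/0/24
 description trunk to DSW1 (link runs half duplex)
 switchport mode trunk
 spanning-tree link-type point-to-point
!
end
!
! Verification: the detail output names the port type and link type; the Type
! column of the summary shows "P2p", "P2p Edge" or "Shr" per port.
show spanning-tree interface GigabitEthernet1/0/10 detail
show spanning-tree interface FastEthernet1/0/24 detail
show spanning-tree vlan 10
```

If the summary still shows `Shr` for the trunk after the change, the command was applied to the wrong interface; if the user port shows anything other than `P2p Edge`, a BPDU has been received on it and the edge status is gone.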
RSTP Operation
• BPDU flooding
• RSTP uses an interactive process so that two neighboring switches can
  negotiate state changes. Some BPDU flag bits are used to mark messages during
  this negotiation.
• BPDUs are sent out of every switch port at Hello Time intervals, regardless of
  whether BPDUs are received from the Root. In this way any switch anywhere in
  the network plays an active role in maintaining the topology, and switches can
  expect to receive regular BPDUs from their neighbors.
• When three BPDUs in a row are missed, the neighbor is presumed to be down and
  all information related to the port leading to that neighbor is immediately
  aged out. A switch therefore detects a neighbor failure in three Hello
  intervals (6 seconds by default), versus the Max Age timer (20 seconds by
  default) for 802.1D.
• Because RSTP BPDUs are distinguishable from 802.1D BPDUs (protocol version 2
  instead of 0), RSTP can coexist with switches still using 802.1D: on a port
  where an 802.1D BPDU is received, the switch falls back to sending 802.1D BPDUs
  and to 802.1D convergence on that port only.


RSTP port states
• Discarding: Incoming frames are simply dropped; no MAC addresses are learned.
  (This state combines the 802.1D Disabled, Blocking and Listening states, as
  none of the three forwarded anything. The Listening state is not needed,
  because RSTP can quickly negotiate a state change without first listening for
  BPDUs.)
• Learning: Incoming frames are dropped, but MAC addresses are learned.
• Forwarding: Incoming frames are forwarded according to MAC addresses that have
  been (and are being) learned.

STP port state   RSTP port state   Included in active topology?   Learns MAC addresses?
Disabled         Discarding        No                             No
Blocking         Discarding        No                             No
Listening        Discarding        No                             No
Learning         Learning          No                             Yes
Forwarding       Forwarding        Yes                            Yes

BPDU in RSTP:
(The figure is not reproduced.) An RSTP BPDU carries protocol version 2 and BPDU
type 2, and uses all eight bits of the Flags byte, where 802.1D used only two (TC
and TCA): bit 0 Topology Change (TC), bit 1 Proposal, bits 2-3 Port Role (00
unknown, 01 Alternate or Backup, 10 Root, 11 Designated), bit 4 Learning, bit 5
Forwarding, bit 6 Agreement and bit 7 Topology Change Acknowledgment (TCA). The
Proposal and Agreement bits drive the handshake described next.


RSTP Synchronization
• To participate in RSTP convergence, a switch must decide the state
of each of its ports. Nonedge ports begin in the Discarding state.
After BPDUs are exchanged between the switch and its neighbor,
the Root Bridge can be identified. If a port receives a superior BPDU
from a neighbor, that port becomes the Root Port.
For each nonedge port, the switch exchanges a proposal-agreement
handshake to decide the state of each end of the link. Each switch
assumes that its port should become the Designated Port for the
segment, and a proposal message (a Configuration BPDU) is sent to
the neighbor suggesting this (When a designated port is in a
discarding or learning state (and only in this case), it sets the
proposal bit on the BPDUs it sends out.). When a switch receives a
proposal message on a port, the following sequence of events
occurs:
1. If the proposal’s sender has a superior BPDU, the local switch
realizes that the sender should be the Designated Switch (having the
Designated Port), and that its own port must become the new Root
Port.
2. Before the switch agrees to anything, it must first synchronize itself
with the topology.
3. All nonedge ports are immediately moved into the Discarding
(blocking) state so that no bridging loops can form.
4. An agreement message (a Configuration BPDU) is sent back to the
sender, indicating that the switch is in agreement with the new
Designated Port choice. This also tells the sender that the switch is
in the process of synchronizing itself.
5. The Root Port is immediately moved to the Forwarding state. The
sender’s port can also immediately begin forwarding.
6. For each nonedge port that is currently in the Discarding state, a
proposal message is sent to the respective neighbor.
7. An agreement message is expected and received from a neighbor on a
nonedge port.
8. The nonedge port is immediately moved to the Forwarding state.



RSTP Topology Changes
Recall that when an 802.1D switch detects a port state change
(either up or down), it signals the Root Bridge by sending
topology change notification (TCN) BPDUs. The Root Bridge,
in turn, must signal the topology change by sending out a TCN
message that is relayed to all switches in the STP domain.
RSTP detects a topology change only when a nonedge port
transitions to the Forwarding state. This might seem odd
because a link failure is not used as a trigger. RSTP uses all
of its rapid convergence mechanisms to prevent bridging
loops from forming. Therefore, topology changes are detected
only so that bridging tables can be updated and corrected as
hosts appear first on a failed port and then on a different
functioning port.
When a topology change is detected, a switch must propagate
news of the change to other switches in the network so that
they can correct their bridging tables, too. This process is
similar to the convergence and synchronization mechanism;
topology change (TC) messages propagate through the
network in an ever-expanding wave.
BPDUs, with their TC bit set, are sent out all of the nonedge
designated ports. This is done until the TC While timer
expires, after two intervals of the Hello time. This notifies
neighboring switches of the new link and the topology change.
In addition, all MAC addresses associated with the nonedge
designated ports are flushed from the content-addressable
memory (CAM) table. This forces the addresses to be
relearned after the change, in case hosts now appear on a
different link. All neighboring switches that receive the TC
messages also must flush the MAC addresses learned on all
ports except the one that received the TC message. Those
switches then must send TC messages out their nonedge
designated ports, and so on.



Topology change example:



Rapid Per-VLAN Spanning Tree Protocol
In PVST+, one spanning tree instance is created and used for
each active VLAN that is defined on the switch. Each STP
instance behaves according to the traditional 802.1D STP
rules.
You can improve the efficiency of each STP instance by
configuring a switch to begin using RSTP instead. This means
that each VLAN will have its own independent instance of
RSTP running on the switch. This mode is known as Rapid
PVST+ (RPVST+).
You need only one configuration step to change the STP mode
and begin using RPVST+. You can use the following global
configuration command to accomplish this:
Switch(config)# spanning-tree mode rapid-pvst
Be careful when you use this command on a production network, because any STP
process that is currently running must be restarted. This can cause functioning
links to move through the traditional STP states, preventing data from flowing
for a short time.


Multiple Spanning Tree (MST) Protocol
IEEE802.1s
• 802.1Q—Only a single instance of STP is used for all VLANs. If there are
500 VLANs, only one instance of STP will be running. This is called the
Common Spanning Tree (CST) and operates over the trunk’s native
VLAN.
• PVST+—One instance of STP is used for each active VLAN in the
network. If there are 500 VLANs, 500 independent instances of STP will
be running.
• Multiple Spanning Tree Protocol (MSTP) reduces this loading by allowing
a single instance of spanning tree to run for multiple VLANs. Specific
configuration and verification steps must be followed to properly
implement MSTP.

The main purpose of MSTP is to reduce the total number of spanning tree instances
to match the physical topology of the network and thus reduce the CPU load of a
switch. The instances of spanning tree are reduced to the number of links (that
is, active paths) that are available. If the example in the diagram were
implemented via Per-VLAN Spanning Tree+ (PVST+), there could potentially be 4094
instances of spanning tree, each with its own bridge protocol data unit (BPDU)
conversations, root bridge election and path selections.

Case: In this example the goal is load distribution, with VLANs 1-500 using one
path and VLANs 501-1000 using the other path, with only two instances of spanning
tree. The two ranges of VLANs are mapped to two MSTP instances, respectively.
Rather than maintaining 1000 spanning trees, each switch needs to maintain only
two instances.



• Implemented in this fashion, MSTP converges faster than PVST+ and is backward
  compatible with 802.1D STP, 802.1w Rapid Spanning Tree Protocol (RSTP), and
  the Cisco PVST+ architecture.
Implementation of MSTP is not required if the Enterprise Composite
Network Model (ECNM) is being employed because the number of
active VLAN instances, and hence the STP instances, would be small
and very stable due to the design. MSTP allows you to build multiple
spanning trees over trunks by grouping VLANs and associating them
with spanning tree instances. Each instance can have a topology
independent of other spanning tree instances. This architecture
provides multiple active forwarding paths for data traffic and enables
load balancing.

• MST Overview
MST is built on the concept of mapping one or more VLANs to a
single STP instance. Multiple instances of STP can be used (hence the
name MST), with each instance supporting a different group of
VLANs.
For the network shown in Figure, only two MST instances would be
needed. Each could be tuned to result in a different topology so that
Instance 1 would forward on the left uplink, whereas Instance 2 would
forward on the right uplink. Therefore, VLAN A would be mapped to
Instance 1, and VLAN B would be mapped to Instance 2.
• To implement MST in a network, you need to determine the following:
  ■ The number of STP instances needed to support the desired topologies
  ■ Which set of VLANs to map to each instance


MST Regions
• MST is different than 802.1Q and PVST+, although it can interoperate
with them. If a switch is configured to use MST, it must somehow
figure out which of its neighbors are using which type of STP. This is
done by configuring switches into common MST regions, where every
switch in a region runs MST with compatible parameters within the
region, all switches must run the instance of MST that is defined by the
following attributes:

- MST configuration name
- MST configuration revision number (0 to 65535)
- MST instance-to-VLAN mapping table
If two switches have the same set of attributes, they belong to the same
MST region. If not, they belong to two independent regions. MST
BPDUs contain configuration attributes so that switches receiving
BPDUs can compare them against their local MST configurations. If the
attributes match, the STP instances within MST can be shared as part
of the same region. If not, a switch is seen to be at the MST region
boundary, where one region meets another or one region meets
traditional 802.1D STP.

• MST also uses the extended system ID (MAC address reduction) form of the Bridge
  ID. This splits the 16-bit priority field into a configurable 4-bit priority
  field (so priorities are multiples of 4096) and a non-configurable 12-bit
  system ID field that carries the VLAN ID in PVST+ or, with MSTP, the MST
  instance number. The two fields together form the Bridge Priority seen for a
  particular VLAN or MST instance (for example, priority 32768 plus instance 1
  gives 32769), while the MAC address that follows stays the same for all
  instances.


MST Instances
• Recall that the whole idea behind MST is the capability to map multiple VLANs
  to a smaller number of STP instances. Inside a region, the actual MST
  instances (MSTIs) exist alongside the IST. The platforms covered here support
  a maximum of 16 instances in each region: the IST always exists as instance 0,
  leaving MSTI 1 through 15 available for use. The MST region therefore consists
  of one IST and up to 15 MSTIs.
• IST (Internal Spanning Tree )Instances
Within a single MST region, an (IST) instance runs to work out a loop-free
topology between the links where CST meets the region boundary and all
switches inside the region. Think of the IST instance as a locally
significant CST, bounded by the edge of the region.

Within the MST region of the figure (not reproduced) there are three independent
STP instances coexisting: MSTI 1, MSTI 2 and the IST.
The IST (instance 0) runs on all bridges within an MST region.
Each of the MSTIs is significant only within a region, even if an adjacent region
has the same MSTIs in use. In other words, the MSTIs combine with the IST only at
the region boundary to form a subtree of the CST. That means only IST (MSTI 0)
BPDUs are sent into and out of a region.
The M-Record is a subfield within the MST BPDU, one per MSTI, that contains enough
information (root bridge and sender bridge priority parameters) for the
corresponding instance to calculate its topology.
MST instances combine with the IST at the boundary of MST regions to become the
CST, as follows:


Spanning-Tree Instances Within MST
MST was designed to interoperate with all other forms of STP. Therefore, it
also must support STP instances from each. This is where MST can get
confusing. Think of the entire enterprise network as having a single CST
topology so that one instance of STP represents any and all VLANs and MST
regions present. The CST maintains a common loop-free topology while
integrating all forms of STP that might be in use.
To do this, CST must regard each MST region as a single “black box” bridge
because it has no idea what is inside the region, nor does it care. CST
maintains a loop-free topology only with the links that connect the regions to
each other and to standalone switches running 802.1Q CST.

IST Instances
Something other than CST must work out a loop-free topology inside each
MST region.
Within a single MST region, an Internal Spanning Tree (IST) instance runs to
work out a loop-free topology between the links where CST meets the region
boundary and all switches inside the region. Think of the IST instance as a
locally significant CST, bounded by the edges of the region.
The IST presents the entire region as a single virtual bridge to the CST
outside. BPDUs are exchanged at the region boundary only over the native
VLAN of trunks, as if a single CST were in operation. And, indeed, it is.
Figure shows the basic concept behind the IST instance. The network at the
left has an MST region, where several switches are running compatible MST
configurations. Another switch is outside the region because it is running only
the CST from 802.1Q.

196 AHMED NABIL


M-records are always encapsulated within MSTP BPDUs. The original
spanning trees, which are called “M-trees,” are active only within the MST
region. M-trees merge with the IST at the boundary of the MST region and
form the CST.
What if an MST region connects with a switch running traditional PVST+? MST can
detect this situation by listening to the received BPDUs. If BPDUs are heard on
VLANs other than the native VLAN (that is, not only the single CST on the native
VLAN), PVST+ must be in use. When the MST region sends BPDUs toward the PVST+
switch, the IST BPDUs are replicated into every VLAN on the trunk so that each of
the PVST+ switch's per-VLAN instances sees the region as one bridge.

MST Configuration
• Step 1 Enable MST on the switch:
Switch(config)# spanning-tree mode mst

• Step 2 Enter the MST configuration mode:
Switch(config)# spanning-tree mst configuration

• Step 3 Assign a region configuration name (up to 32 characters):
Switch(config-mst)# name <name>

• Step 4 Assign a region configuration revision number (0 to 65,535):
Switch(config-mst)# revision <version>
The revision number is not incremented automatically when you commit a new MST
configuration. It gives you a means to track changes to the MST region
configuration: each time you make changes, increase the number by one. Remember
that the region configuration (including the revision number) must match on all
switches in the region, so you also need to update the revision number on the
other switches to match.

• Step 5 Map VLANs to an MST instance:
Switch(config-mst)# instance <instance-id> vlan <vlan-list>
The instance-id (0 to 15) carries topology information for the VLANs listed in
vlan-list. The list can contain one or more VLANs separated by commas, and a
range of VLANs written with a hyphen. VLAN numbers range from 1 to 4094. (By
default, all VLANs are mapped to instance 0, the IST.)


• Step 6 Show the pending changes you have made:
Switch(config-mst)# show pending

• Step 7 Exit the MST configuration mode; this commits the changes to the
active MST region configuration:
Switch(config-mst)# exit

To make the switch the root (or the backup root) of a certain instance, use
global configuration mode, not MST configuration mode:
Switch(config)# spanning-tree mst <instance-id> root {primary | secondary}
This sets the bridge priority for that instance only; the same can be done by
hand with Switch(config)# spanning-tree mst <instance-id> priority <priority>,
where the priority is a multiple of 4096.

Switch# show spanning-tree mst configuration
Name      [cisco]
Revision  1
Instance  Vlans mapped
--------  ------------------------------
0         11-4094
1         1-10
----------------------------------------

Switch# show spanning-tree mst 1

###### MST01     vlans mapped:   1-10
Bridge   address 00d0.00b8.1400  priority 32769 (32768 sysid 1)
Root     this switch for MST01

Interface   Role Sts Cost      Prio.Nbr Status
----------  ---- --- --------- -------- ----------------------
Fa4/4       Back BLK 1000      240.196  P2p
Fa4/5       Desg FWD 200000    128.197  P2p
Fa4/48      Boun FWD 200000    128.240  P2p Bound(STP)

The priority 32769 is the configured 32768 plus the instance number in the system
ID field. Fa4/4 is a Backup port (a second link onto a segment this switch already
serves), and Fa4/48 with role Boun and Bound(STP) is a region boundary port facing
a neighbor that runs legacy 802.1D.
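The seven configuration steps carried through for the two-instance load-sharing case described earlier (VLANs 1-500 on one path, VLANs 501-1000 on the other), as an added example that is not from the original text. The switch names (DSW1, DSW2), the region name and the interface in the last show command are assumptions. VLANs 1001-4094 are left unmapped, so they stay in the IST.

```cisco
! Added example: two MST instances for the 1-500 / 501-1000 load-sharing case.
! Switch names (DSW1, DSW2), region name and interface numbers are assumptions.
!
! ----- Region definition: identical on DSW1, DSW2 and every access switch -----
spanning-tree mode mst
spanning-tree mst configuration
 name CAMPUS
 revision 1
 instance 1 vlan 1-500
 instance 2 vlan 501-1000
 show pending
 exit
! VLANs 1001-4094 were not mapped, so they remain in instance 0 (the IST).
! After any change to name, revision or mapping, raise "revision" on ALL
! switches; a switch whose attributes differ forms its own region and the
! link to it becomes a boundary port.
!
! ----- DSW1: root for instance 1 (VLANs 1-500), backup root for instance 2 -----
spanning-tree mst 0 root primary
spanning-tree mst 1 root primary
spanning-tree mst 2 root secondary
!
! ----- DSW2: the mirror image, root for instance 2 (VLANs 501-1000) -----
spanning-tree mst 0 root secondary
spanning-tree mst 1 root secondary
spanning-tree mst 2 root primary
!
! ----- Verification (on any switch in the region) -----
! Name, Revision and Digest must be identical on all switches of the region;
! a differing digest means the VLAN-to-instance map does not match.
show spanning-tree mst configuration
show spanning-tree mst configuration digest
! Per-instance topology: an access switch should show its uplink to DSW1 as
! Root/FWD for MST1 and its uplink to DSW2 as Root/FWD for MST2, so both
! uplinks carry traffic. A port with role "Boun" faces a non-MST neighbor.
show spanning-tree mst 1
show spanning-tree mst 2
show spanning-tree mst interface GigabitEthernet1/0/1
```

The `root primary`/`root secondary` macros only set the per-instance priority; if a switch outside your control advertises a lower priority for an instance, it wins the election, so the digest and the root for each instance are the two things to check after every region change.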



RSTP Questions
Question 1
After the recent upgrade of the switching infrastructure, the network engineer notices that the port roles that
were once "blocking" are now defined as "alternate" and "backup". What is the reason for this change?
A. The new switches are using RSTP instead of legacy IEEE 802.1D STP.
B. IEEE 802.1D STP and PortFast have been configured by default on all newly implemented Cisco Catalyst
switches.
C. The administrator has defined the switch as the root in the STP domain.
D. The port roles have been adjusted based on the interface bandwidth and timers of the new Cisco Catalyst
switches.

Question 2
What happens on a Cisco switch that runs Cisco IOS when an RSTP-configured switch receives 802.1d
BPDU?
A. 802.1d does not understand RSTP BPDUs because they are different versions, but when a RSTP switch
receives an 802.1d BPDU, it responds with an 802.1d BPDU and eventually the two switches run 802.1d to
communicate.
B. 802.1d understands RSTP BPDUs because they are the same version, but when a RSTP switch receives a
802.1d BPDU, it responds with a 802.1d BPDU and eventually the two switches run 802.1d to communicate.
C. 802.1d does not understand RSTP BPDUs because they are different versions, but when a RSTP switch
receives a 802.1d BPDU, it does not respond with a 802.1d BPDU.
D. 802.1d understands RSTP BPDUs because they are the same version, but when a RSTP switch receives a
802.1d BPDU, it does not respond with a 802.1d BPDU and eventually the two switches run 802.1d to
communicate.

MST Questions
Question 3
A network engineer is setting up a new switched network. The network is expected to grow and add many
new VLANs in the future. Which Spanning Tree Protocol should be used to reduce switch resources and
managerial burdens that are associated with multiple spanning-tree instances?
A. RSTP
B. PVST
C. MST
D. PVST+
E. RPVST+

Question 4
When two MST instances (MST 1 and MST 2) are created on a switch, what is the total number of spanning-
tree instances running on the switch?
A. 1
B. 2
C. 3
D. 4



Redundancy

(One is none, and two is barely one)


Cisco SONA (Formerly AVVID) Framework
• AVVID (Architecture for Voice, Video and Integrated Data)
• Cisco AVVID provides the framework for today’s internet business
solutions.
The key components of Cisco AVVID:
1- Network infrastructure.
2- Intelligent network services, which include:
   a- Network management.
   b- Redundancy (high availability).
   c- IP multicasting.
   d- Quality of service.
   e- Security.
3- Network solutions (such as IP telephony).


Redundancy
1) Redundancy within the device
• Redundant uplinks (EtherChannels)
• Redundant fans
• Redundant power supplies
• Hot-swappable modules (line cards): a card can be replaced while the chassis
  is powered on
• Redundant supervisors
2) Redundancy within the network (between devices)

Redundant Uplinks
• Dual uplinks cabled from the supervisor engine's uplink ports protect against
  a single link or cable failure, but they still leave a single point of
  failure: the supervisor engine itself. If the supervisor fails, both uplinks
  fail with it.
• With a redundant supervisor installed, the uplink ports on the standby
  supervisor engine are live (they forward traffic even while that supervisor is
  in standby), so spreading the uplinks across both supervisors removes that
  single point of failure.


Power Supply Redundancy
If the chassis has two power supplies, they can run in one of these modes:
1) Combined power mode: both supplies are active and share the load, so the
   power budget available to the chassis is larger than one supply can provide.
   There is no protection: if one supply fails, the remaining budget may not
   cover every installed module and some modules are powered down.
2) Redundant mode: the second supply acts as a backup. The available budget is
   that of one supply, and the chassis keeps running if the first supply fails.
3) In some cases both supplies must provide power because of high power
   consumption (for example, a chassis powering many IP phones), which forces
   combined mode and gives up redundancy.

Configuration:
To choose the power mode:
(config)# power redundancy-mode {combined | redundant}
To power down a module from the CLI (and power it up again with the no form):
(config)# [no] power enable module <slot>
To reset a module:
(config)# power cycle module <slot>


Redundant Catalyst supervisors
• Single supervisor engine (as MSFC (Multi layer Switching
Feature Card)) is a single point of failure of the switch.
- Redundant supervisor allows configuration for automatic
failover.
- Supervisor engine redundancy is supported by:
  1- RPR (Route Processor Redundancy): switchover in 2 to 4 minutes.
  2- RPR+ (Route Processor Redundancy Plus): switchover in 30 to 60 seconds.
  3- SSO (Stateful Switchover): switchover in less than 1 second.
Configuration:
(config)# redundancy
(config-red)# mode {rpr | rpr-plus | sso}
# show redundancy states


You can use the following redundancy modes on Catalyst switches:
•Route Processor Redundancy (RPR)—The redundant supervisor is only
partially booted and initialized. When the active module fails, the standby
module must reload every other module in the switch and then initialize all
the supervisor functions.
•Route Processor Redundancy Plus (RPR+)—The redundant supervisor is
booted, allowing the supervisor and route engine to initialize. No Layer 2 or
Layer 3 functions are started, however. When the active module fails, the
standby module finishes initializing without reloading other switch modules.
This allows switch ports to retain their state.
•Stateful Switchover (SSO)—The redundant supervisor is fully booted and
initialized. Both the startup and running configuration contents are
synchronized between the supervisor modules. Layer 2 information is
maintained on both supervisors so that hardware switching can continue
during a failover. The state of the switch interfaces is also maintained on
both supervisors so that links don’t flap during a failover.

Figure: Standby supervisor readiness as a function of redundancy mode (figure
not reproduced).


Non-Stop Forwarding (NSF)
You can enable another redundancy feature along with SSO on the
Catalyst 4500R and 6500 (Supervisor 720 or more). Non-Stop
Forwarding (NSF) is an interactive method that focuses on quickly
rebuilding the routing information base (RIB) table after a
supervisor switchover. The RIB is used to generate the FIB table
for CEF, which is downloaded to any switch modules or hardware
that can perform CEF.
Instead of waiting on any configured Layer 3 routing protocols to
converge and rebuild the FIB, a router can use NSF to get
assistance from other NSF-aware neighbors. The neighbors then
can provide routing information to the standby supervisor, allowing
the routing tables to be assembled quickly. In a nutshell, the Cisco NSF
functions must be built into the routing protocols on both the router that will
need assistance (NSF-capable) and the router that will provide assistance
(NSF-aware).
NSF is supported by the BGP, EIGRP, OSPF and IS-IS routing protocols. NSF is
available on the Catalyst 6500 Supervisor 720 (with the integrated MSFC3) and
Supervisor 2T, and on the Catalyst 4500R Supervisor III, IV and V running IOS
Software Release 12.2(20)EWA or later.


NSF with SSO
Layers 2–4 convergence time is enhanced in Cisco 4500 and 6500 series
switches with redundant route processors (RP) by using NSF with SSO.
When using this, only one RP is active. The standby RP synchronizes its
configuration and dynamic state information (such as CEF, MAC, and FIB
tables) with the active RP. When the active RP fails, SSO enables the
standby RP to take over immediately. NSF keeps the switch forwarding
traffic during the switchover, using the existing route and CEF tables. The
goal of NSF with SSO is to prevent routing adjacencies from resetting,
which prevents a routing flap. The switchover to the new RP must be
completed before routing timers expire, or the router’s neighbors will tear
down their adjacency and routing will be disrupted.
When the new RP is up, the old routes are marked as stale, and the RP
asks its routing peers to refresh them. When routing is converged, it
updates the routing and CEF tables on the switch and the linecards.
NSF is supported with EIGRP, OSPF, ISIS, and BGP. An NSF-capable
router supports NSF; an NSF-aware router does not support NSF but
understands it and continues forwarding traffic during SSO.
Use NSF with SSO in locations where you do not have a duplicate switch
for failover, such as at the user access or Enterprise network edge.
Otherwise it can actually cause longer convergence. Routing protocols
timers can be tuned very short to provide fast convergence. With SSO, the
switchover to the standby RP might not occur before the tuned routing
Dead timer expires, and the adjacency would be reset.
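The NSF-with-SSO setup described above as an added configuration example, not from the original text: a dual-supervisor chassis with SSO, and NSF enabled in the routing protocols it runs. The OSPF process number, router ID, EIGRP autonomous system and network statements are assumptions.

```cisco
! Added example: SSO plus NSF on a dual-supervisor Catalyst 6500 / 4500R.
! OSPF process, router ID, EIGRP AS number and addresses are assumptions.
!
! Stateful switchover: the standby supervisor is fully initialised and keeps a
! synchronised copy of the configuration, L2 tables and interface state.
redundancy
 mode sso
!
! NSF is enabled per routing protocol on the switch that will fail over
! (NSF-capable). Its neighbours only need to understand NSF (NSF-aware) to
! keep forwarding and to refresh the stale routes after the switchover.
router ospf 1
 router-id 10.0.0.1
 nsf
 network 10.0.0.0 0.0.255.255 area 0
!
router eigrp 100
 nsf
 network 10.0.0.0
!
! Caveat from the text above: do not tune hello and dead/hold timers so short
! that they expire before the standby takes over; the neighbour then tears the
! adjacency down and NSF cannot keep the routes.
end
!
! Verification:
! "Redundancy Mode (Operational)" should read sso, and the peer unit should be
! STANDBY HOT before relying on the failover.
show redundancy states
! The OSPF process reports whether Non-Stop Forwarding is enabled.
show ip ospf
! The EIGRP section reports its NSF state.
show ip protocols
```

After a real or forced switchover (`redundancy force-switchover` in exec mode), the routing neighbours should stay up throughout; an adjacency that resets is the sign that the routing timers are shorter than the switchover time.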
Tip
Sometimes the redundancy mode terminology can be confusing. In addition
to the RPR, RPR+, and SSO terms, you might see single-router mode (SRM)
and dual-router mode (DRM).
SRM simply means that two route processors (integrated into the
supervisors) are being used, but only one of them is active at any time. In
DRM, two route processors are active at all times. HSRP usually is used to
provide redundancy in DRM.
Although RPR and RPR+ have only one active supervisor, the route
processor portion is not initialized on the standby unit. Therefore, SRM is
not compatible with RPR or RPR+.
SRM is inherent with SSO, which brings up the standby route processor.
You usually will find the two redundancy terms together, as “SRM with
SSO.”



Redundancy between devices:

VSS (Virtual Switching System)

A VSS is a network system virtualization technology that pools multiple (up to two) Cisco Catalyst 4500/6500 switches into one virtual switch, working in active/hot-standby fashion, increasing operational efficiency, offering non-stop communication and scaling system bandwidth capacity to 1.4 Tbps (for Sup 720), 2 Tbps (for Sup 1T) and so on.

One supervisor in one of the chassis controls the operation of the logical switch. If it fails, a supervisor in the other chassis can take over. To build the logical switch, the two chassis must be linked together by multiple interfaces that have been configured as a virtual switch link (VSL).

The two supervisor engines on the two different switches need to be connected together with one or more (up to 8) 10GbE links; this link is called the VSL (Virtual Switch Link). The VSL carries control signals between the two switches and at the same time can be used for sending data between the two switches.



What are the benefits of VSS?
VSS offers superior benefits compared to traditional Layer 2/Layer 3 network design. Benefits can be grouped into four main categories:
- VSS boosts nonstop communications using SSO + NSF.
- VSS scales system bandwidth capacity to double.
- VSS increases operational efficiency by simplifying the network, reducing switch management overhead by at least 50 percent.
- Single point of management, IP address, and routing instance for the Cisco Catalyst 6500 virtual switch:
  - Single configuration file and node to manage. Removes the need to configure redundant switches twice with identical policies.
  - Only one gateway IP address is required per VLAN, instead of the three IP addresses per VLAN used today.
  - Removes the need for Hot Standby Router Protocol (HSRP), Virtual Router Redundancy Protocol (VRRP), and Gateway Load Balancing Protocol (GLBP).

What happens if all VSL connections are lost?

VSLs can be configured with up to eight links between the two switches across any combination of line cards or supervisor ports to provide a high level of redundancy. If for some rare reason all VSL connections are lost between the virtual switch members while both members stay up, the VSS transitions to dual-active recovery mode. The dual-active state is detected rapidly (sub-second) by several Cisco detection methods.

In dual-active recovery mode (the standby assumes that the active is down), all interfaces except the VSL interfaces are placed in an operationally shut down state on the formerly active switch member. The new active virtual switch continues to forward traffic on all links.
Switch Stacking (StackWise):
Traditionally, access layer switches have been independent physical devices. If you needed multiple switches in one location, you had to configure links between them. Cisco introduced the StackWise and StackWise Plus technologies to enable separate physical switches to act as a single logical switch. This is a similar feature to VSS but for non-modular switches; its target is to logically merge many switches into one switch unit in order to gain higher performance. You should select one switch as the stack master (highest priority, default 1, range 1-15). The stack master performs all of the management functions; all the others are called stack members. If the master switch fails, another member switch can take over the role. When the physical switches are not part of a stack, each one operates independently and manages its own functions.
Stacking is available on switch models such as the Cisco Catalyst 2960-X, 3750-E, 3750-X, and 3850 platforms.
To create a logical "stacked" switch, individual physical switches must be connected to each other using special-purpose stacking cables. Each switch supports two stack ports; switches are connected in a daisy-chain fashion, one switch to the next, and one final connection connects the chain into a closed loop. You can think of the stacking cables as an extension of the switching fabric. When frames need to be moved from one physical switch to another, they are sent across the bidirectional stacking cable loop to get there. The figure illustrates how physical switches are cabled to become one logical stack.
The same daisy-chain scheme can be used to connect up to nine physical switches in a closed ring, providing a speed of 32 Gbps (StackWise) or 64 Gbps (StackWise Plus).

One advantage of the closed stacking loop is that individual switches can be inserted or removed without breaking the path between switches completely. The ring can be broken to add or remove a switch, and if a stack cable is broken the stack bandwidth is reduced by 50%, but the remaining switches stay connected over the rest of the ring.
Stacking configuration: Before connecting two devices together, make sure that both devices have the same IOS software installed. The configuration of the StackWise cluster is done automatically by connecting the stack cable. In other words, you can make changes to the stack without interrupting its operation and without any further configuration.
One switch will be the master within the cluster. The election is done as follows at connect or boot time (if no master exists yet):
1. Priority specified by the user (highest priority wins, range 1-15, default is 1)
2. Switch with the highest IOS feature set (Advanced Enterprise wins against Advanced IP Services)
3. Uptime (longest running switch wins)
4. MAC address (the switch with the lowest MAC address becomes master)
I recommend configuring the priority value of each switch so that the configuration matches the physical structure (top-down: A, B, C, etc.) and does not confuse the administrator or whoever needs to troubleshoot the infrastructure, or when you have different switch models within one cluster. In our example Switch A has been running for an hour and we connect another device (same device model, same IOS software) to the main switch with a stacking cable. The second device, "Switch B", will be selected as slave, because we did not configure anything and "Switch A" has the longer uptime. You will see the other interfaces coming up, and you can view all devices with this:
CoreSwitch# show switch
Switch# Role Mac Address Priority State
1 Master 0016.4748.ff12 5 Ready
2 Slave 0016.9d59.db00 1 Ready
The stack member number is the same one that appears in the interface names:
interface GigabitEthernet1/0/1 = 1st port of the switch with ID #1
interface GigabitEthernet2/0/1 = 1st port of the switch with ID #2
You can define the priority of each switch. The higher the priority, the lower the switch stack member number. For example, we have three switches named 1, 2 and 3 from top to bottom; 1 is connected to 2, 2 is connected to 3 and 3 is connected to 1 to form a ring topology. We configure the priority values with:
(config)#switch 1 priority 15
(config)#switch 2 priority 14
Note: We recommend assigning the highest priority value to the switch that you prefer to be the stack master. This ensures that the switch is re-elected as stack master if a re-election occurs.



What is MEC (Multi-chassis Ether Channel)?
A more robust solution involves distributing the physical links across
multiple switches at each end of the EtherChannel. This is possible when
the switches are configured as one logical or virtual switch,
such as the Cisco stackable Catalyst switches or chassis-based Virtual
Switching System (VSS) switch families. In Figure, a four-port GEC is made
up of two links connected to the first switch in a stack and two links
connected to the second switch in a stack. This is known as a multichassis
EtherChannel (MEC). Even if one switch fails within a stack, the MEC will
keep functioning thanks to the other stacked switch.

Traditional redundant switched network architecture before EC, MEC, stacking and VSS

Enhanced logical redundant network architecture after applying EC, MEC, stacking and VSS

Redundancy within the network (between devices)
• Router redundancy in a multilayer switched network:
- Redundancy is one method for creating highly available networks.
- Cisco supports:
1- HSRP (Hot Standby Router Protocol)
2- VRRP (Virtual Router Redundancy Protocol)
3- GLBP (Gateway Load Balancing Protocol)
to provide failover in case of a gateway failure.

• When a host tries to communicate with a device outside its network, it needs a gateway.

• Router redundancy protocols are also called First Hop Redundancy Protocols (FHRP).

• Hosts will see multiple gateways as a single virtual gateway.



• HSRP: (RFC 2281)
(Cisco proprietary)
- It is an application using UDP port no. 1985; since HSRP is an application, it can work over lower layer protocols such as IP, IPX, AppleTalk, Banyan VINES, DECnet and XNS (Xerox).
- HSRP was developed to allow several routers to appear as a single gateway (virtual router), having one virtual IP (given by configuration) and one virtual MAC (given by the protocol).
- The routers that provide redundancy for a given gateway address are assigned to a common HSRP group no. (0-255); if no group is defined in the configuration, HSRP assumes you are using group 0.
- A router can be a member of up to 16 HSRP groups per interface.
- If multiple routers exist:
One router is elected as the active router,
One router is elected as the standby router,
The other routers are listeners.

@ startup (just after configuring HSRP):

Neighbor discovery:
- The routers exchange HSRP hello messages at regular intervals so they remain aware of each other's existence.
- Hellos are sent to 224.0.0.2 (the "all routers" multicast address) every 3 sec., with a hold-down time of 10 sec.

Active router discovery:
- HSRP router election:
The active router is the router that has the highest:
1- HSRP priority (0-255), by default 100.
2- IP address of the interface facing the LAN segment (used as the tie-breaker).
The standby router is the one with the second highest priority or IP address.

• Note: An HSRP group can be assigned an arbitrary group number, from 0 to 255. This number is locally significant to the interface, so you can use the same group number on two different physical interfaces or SVIs; for example, for interface vlan 5 you can use HSRP group 1 and for interface vlan 6 you can use HSRP group 1 also.



• HSRP operation:
- Each router has its own unique IP address and MAC address assigned to the interface.
- In addition, all routers share a common IP address (the virtual IP) and a well-known MAC address of the group.
- The well-known MAC is 0000.0c07.acXX, where XX is the HSRP group no.

• The active router responds to ARP requests with the MAC address of the virtual router.

These are the typical addresses learned by the hosts (R1 is active and forwarding traffic; R2 and R3 are hot standby/listening and idle):

Gateway routers:
R1 (HSRP ACTIVE):  IP 10.0.0.254  MAC 0000.0c12.3456  vIP 10.0.0.10  vMAC 0000.0c07.acxx
R2 (HSRP STANDBY): IP 10.0.0.253  MAC 0000.0c78.9abc  vIP -          vMAC -
R3 (HSRP LISTEN):  IP 10.0.0.252  MAC 0000.0cde.f123  vIP -          vMAC -

Clients:
CL1: IP 10.0.0.1  MAC aaaa.aaaa.aa01  GW 10.0.0.10  ARP entry for GW: 0000.0c07.acxx
CL2: IP 10.0.0.2  MAC aaaa.aaaa.aa02  GW 10.0.0.10  ARP entry for GW: 0000.0c07.acxx
CL3: IP 10.0.0.3  MAC aaaa.aaaa.aa03  GW 10.0.0.10  ARP entry for GW: 0000.0c07.acxx
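The hello messages, group number and virtual MAC described above, as an added Python example (not code from the course book or from Cisco). The 20-byte message layout is the HSRP version 1 format from RFC 2281 (version, opcode, state, hellotime, holdtime, priority, group, reserved, 8-byte authentication data, virtual IP); the sample message is constructed, and the audit checks at the end are my own sanity checks on a captured hello, not part of the protocol.

```python
import struct
from ipaddress import IPv4Address

HSRP_PORT = 1985                  # UDP port, as stated in the text
HSRP_MULTICAST = "224.0.0.2"      # all-routers group that hellos are sent to
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}
DEFAULT_AUTH = b"cisco"           # RFC 2281 default cleartext authentication string


def hsrp_virtual_mac(group: int) -> str:
    """0000.0c07.acXX, XX being the group number written in hexadecimal."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP group must be 0-255")
    return f"0000.0c07.ac{group:02x}"


def build_hsrp_v1(opcode: int, state: int, priority: int, group: int, vip: str,
                  hello: int = 3, hold: int = 10, auth: bytes = DEFAULT_AUTH) -> bytes:
    """Build a 20-byte HSRP version 1 message (used here to construct samples)."""
    if len(auth) > 8:
        raise ValueError("authentication data is at most 8 bytes")
    header = struct.pack("!8B", 0, opcode, state, hello, hold, priority, group, 0)
    return header + auth.ljust(8, b"\x00") + IPv4Address(vip).packed


def parse_hsrp_v1(payload: bytes) -> dict:
    """Decode the UDP payload of an HSRP v1 message into its fields."""
    if len(payload) < 20:
        raise ValueError("truncated HSRP message")
    version, opcode, state, hello, hold, priority, group, _reserved = struct.unpack("!8B", payload[:8])
    if version != 0:
        raise ValueError(f"unsupported HSRP version {version}")
    if state not in STATES:
        raise ValueError(f"unknown HSRP state value {state}")
    return {
        "opcode": OPCODES.get(opcode, f"unknown({opcode})"),
        "state": STATES[state],
        "hellotime": hello,
        "holdtime": hold,
        "priority": priority,
        "group": group,
        "auth": payload[8:16].rstrip(b"\x00"),
        "virtual_ip": str(IPv4Address(payload[16:20])),
        "virtual_mac": hsrp_virtual_mac(group),
    }


def audit_hello(msg: dict, expected_vip: str) -> list:
    """Checks a defender would run on hellos seen on a VLAN: default
    authentication string, holdtime shorter than 3x hellotime, unexpected VIP."""
    findings = []
    if msg["auth"] == DEFAULT_AUTH:
        findings.append("default 'cisco' authentication string in use")
    if msg["holdtime"] < 3 * msg["hellotime"]:
        findings.append("holdtime below three times hellotime")
    if msg["virtual_ip"] != expected_vip:
        findings.append(f"unexpected virtual IP {msg['virtual_ip']}")
    return findings


# Constructed sample: the active router of group 1 for virtual IP 10.0.0.10.
SAMPLE_HELLO = build_hsrp_v1(opcode=0, state=16, priority=100, group=1, vip="10.0.0.10")
```

Feeding the bytes of a hello captured on UDP port 1985 to parse_hsrp_v1 gives the group, priority and virtual IP the active router is advertising; audit_hello then reports the weak settings the configuration section warns about (cleartext default authentication, a holdtime shorter than three hellos).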
• If the active router fails, the standby router becomes active and an election takes place to determine the new standby router.
• If the failed router comes back it will be a listener, even if it has a higher priority.
But if pre-emption is enabled, the router that has the highest priority will become the active router.
• Note: if one router is HSRP active and does not support pre-emption, and another router gains a higher priority, has the pre-emption feature and begins to declare itself as active, it will never take the role, because the original active router must accept this action (but the original active has no pre-empt feature, so it stays active).



• HSRP router states:
1- Disabled state: not connected or not configured.
2- Initial state: starting up. All routers begin in this state when HSRP is not running.
3- Learn state: the router has not received a hello message from an active router yet and does not know the virtual router IP address.
4- Listen state: the router knows the virtual router IP address and listens for hello messages from other routers; the purpose is to determine whether there are active or standby routers.
5- Speak state: the router sends periodic hello messages and actively participates in the election of the active/standby router. The router will not remain in the speak state unless it becomes an active or standby router.
6- Standby state: the router is a candidate to become the next active router; it sends hello messages and knows the virtual router IP address. There is only one standby router per group.
7- Active state: the router is currently forwarding packets that are sent to the virtual address of the group.
HSRP tracking (conceding the election):
• The active router has many links to the outside. If all or any of these links fail, the router remains active and all hosts still forward traffic to it.
• HSRP has a mechanism to detect link failures; this is called interface tracking.
• When a tracked interface fails, HSRP reduces the router priority by a certain value (default 10).
• If pre-emption is enabled and the priority of the active router becomes less than that of the standby router, the standby router becomes the active router.

[Figure: routers A and B, each with a G1 link to the other building]

In this example, router A and router B reside in one building. Each of these routers supports a Gigabit Ethernet link to the other building. Router A has the higher priority and is the active forwarding router for standby group 1. Router B is the standby router for that group. Routers A and B are exchanging hello messages through their E0 interfaces.

[Figure: the G1 link of router A to the other building fails]

The Gigabit Ethernet link between the active forwarding router for the standby group and the other building experiences a failure. Without HSRP enabled, router A would detect the failed link and send an Internet Control Message Protocol (ICMP) redirect to router B. However, when HSRP is enabled, ICMP redirects are disabled. Therefore, neither router A nor the virtual router sends an ICMP redirect. In addition, although the G1 interface on router A is no longer functional, router A still communicates hello messages out interface E0, indicating that router A is still the active router. Packets sent to the virtual router for forwarding to headquarters cannot be routed. Interface tracking enables the priority of a standby group router to be automatically adjusted, based on availability of the interfaces of that router. When a tracked interface becomes unavailable, the HSRP priority of the router is decreased. When properly configured, the HSRP tracking feature ensures that a router with an unavailable key interface will relinquish the active router role.
In this example, the E0 interface on router A tracks the G1 interface. If the link between the G1 interface and the other building fails, the router automatically decrements the priority on that interface and stops transmitting hello messages out interface E0. Router B assumes the active router role when no hello messages are detected for the specific holdtime period.
• HSRP configuration:
Configuration can take place on any Layer 3 port: a routed port, an SVI (Switched Virtual Interface) on a multilayer switch, or an EtherChannel port.
(config-if)# standby <group no.> ip <virtual IP>
(config-if)# standby <group no.> priority <no.>
(config-if)# standby <group no.> timers <hello> <hold down>
(config-if)# standby <group no.> preempt [delay <sec.>][reload <sec>]
(config-if)# standby <group no.> track <int. name> <decrement value>
(config-if)# standby <group no.> authentication <password>
(config-if)# standby <group no.> authentication md5 key-string <password>
Troubleshooting:
#show standby [brief]
#debug standby

Configuring an HSRP standby interface:
• Enabling HSRP on a Cisco router interface automatically disables ICMP redirects.
Configuring HSRP standby preempt:
• Preempt enables a router to resume the forwarding router role.
Configuring the hello message timers:
• The holdtime should be at least three times the value of the hellotime.

Interface tracking example:
interface Ethernet0
 ip address 10.1.1.2 255.255.255.0
 no ip redirects
 standby 1 priority 105
 standby 1 preempt
 standby 1 ip 10.0.0.1
 standby 1 track Serial0 25
If Serial 0 goes down, what will this interface's priority value be for standby group 1? Answer: 80 (105 – 25)
Troubleshooting

Switch#show standby brief


P indicates configured to preempt.
|
Interface Grp Prio P State Active addr Standby addr Group addr
Vl11 11 100 Active local 172.16.11.112 172.16.11.115

Switch#debug standby

*Mar 1 00:22:30.443: SB11: Vl11 Hello out 172.16.11.111 Active pri 100 ip 172.16.11.115
*Mar 1 00:22:32.019: SB11: Vl11 Hello in 172.16.11.112 Standby pri 50 ip 172.16.11.115
*Mar 1 00:22:33.331: SB11: Vl11 Hello out 172.16.11.111 Active pri 100 ip 172.16.11.115
*Mar 1 00:22:34.927: SB11: Vl11 Hello in 172.16.11.112 Standby pri 50 ip 172.16.11.115
*Mar 1 00:22:36.231: SB11: Vl11 Hello out 172.16.11.111 Active pri 100 ip 172.16.11.115
*Mar 1 00:22:37.823: SB11: Vl11 Hello in 172.16.11.112 Standby pri 50 ip 172.16.11.115
*Mar 1 00:22:39.163: SB11: Vl11 Hello out 172.16.11.111 Active pri 100 ip 172.16.11.115
*Mar 1 00:22:40.735: SB11: Vl11 Hello in 172.16.11.112 Standby pri 50 ip 172.16.11.115
*Mar 1 00:22:42.119: SB11: Vl11 Hello out 172.16.11.111 Active pri 100 ip 172.16.11.115
*Mar 1 00:22:43.663: SB11: Vl11 Hello in 172.16.11.112 Standby pri 50 ip 172.16.11.115
*Mar 1 00:22:45.067: SB11: Vl11 Hello out 172.16.11.111 Active pri 100 ip 172.16.11.115
*Mar 1 00:22:46.567: SB11: Vl11 Hello in 172.16.11.112 Standby pri 50 ip 172.16.11.115



- How to support load sharing using HSRP?
This can be done by making a router active in one group and standby in another group, while the other router is standby in the first group and active in the second group.

• Consider a network where HSRP is used on two distribution switches to provide a redundant gateway address for access layer users. Only one of the two becomes the active HSRP router; the other remains in standby. All the users send their traffic to the active router, over the uplink to the active router. The standby router and its uplink essentially sit idle until a router failure occurs.

Typical HSRP Scenario with One HSRP Group

Load balancing traffic across two uplinks to two HSRP routers with a single HSRP group is not possible. Then, how is it possible to load balance with HSRP? The trick is to use two HSRP groups:
- One group assigns an active router to one switch.
- The other group assigns another active router to the other switch.
In this way, two different virtual router or gateway addresses can be used simultaneously. The rest of the trick is to make each switch function as the standby router for its partner's HSRP group. In other words, each router is active for one group and standby for the other group.

The figure presents this scenario. Now, Catalyst A is not only the active router for HSRP Group 1 (192.168.1.1) but is also the standby router for HSRP Group 2 (192.168.1.2). Catalyst B is configured similarly, but with its roles reversed. The remaining step is to configure half of the client PCs with the HSRP Group 1 virtual router address and the other half with the Group 2 address. This makes load balancing possible and effective. Each half of the hosts uses one switch as their gateway over one uplink.

Load Balancing with Two HSRP Groups

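The election, pre-emption and interface-tracking rules, the "Serial0 goes down" question from the configuration section, and the two-group load-sharing design above, all exercised in one added Python model (this is not code from the course book or from Cisco; it is a simulation of the rules the text states). Router B in the tracking scenario and the router interface addresses 192.168.1.10/.11 in the load-sharing scenario are constructed; the priorities 105/25 and the virtual IPs 10.0.0.1, 192.168.1.1 and 192.168.1.2 come from the text.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set


@dataclass
class HsrpRouter:
    name: str
    ip: str                                   # interface IP facing the LAN (tie-breaker)
    priority: int = 100                       # 0-255, default 100
    preempt: bool = False                     # off unless 'standby <g> preempt' is set
    tracked: Dict[str, int] = field(default_factory=dict)  # interface -> decrement
    down: Set[str] = field(default_factory=set)            # tracked interfaces that are down
    up: bool = True                           # False once the router itself has failed

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of each tracked interface that is down."""
        return self.priority - sum(dec for intf, dec in self.tracked.items() if intf in self.down)


def election_key(r: HsrpRouter):
    # Highest priority wins; the highest interface IP breaks a tie.
    return (r.effective_priority(), int(IPv4Address(r.ip)))


class HsrpGroup:
    def __init__(self, group: int, vip: str, routers: List[HsrpRouter]):
        if not 0 <= group <= 255:
            raise ValueError("HSRP group must be 0-255")
        self.group, self.vip, self.routers = group, vip, list(routers)
        self.active: Optional[HsrpRouter] = None
        self.standby: Optional[HsrpRouter] = None
        self.reevaluate()

    def reevaluate(self) -> Optional[HsrpRouter]:
        """Re-run the election after any change (startup, failure, priority change)."""
        live = [r for r in self.routers if r.up]
        if not live:
            self.active = self.standby = None
            return None
        best = max(live, key=election_key)
        if self.active is None or not self.active.up:
            self.active = best          # active gone: the best remaining router takes over
        elif best is not self.active and best.preempt and election_key(best) > election_key(self.active):
            self.active = best          # pre-emption: a better router with preempt enabled takes over
        # Without pre-emption the current active keeps its role; a returning router only listens.
        others = [r for r in live if r is not self.active]
        self.standby = max(others, key=election_key, default=None)
        return self.active

    def interface_down(self, router_name: str, intf: str) -> Optional[HsrpRouter]:
        router = next(r for r in self.routers if r.name == router_name)
        router.down.add(intf)           # tracking: priority drops by the configured decrement
        return self.reevaluate()

    def router_failed(self, router_name: str) -> Optional[HsrpRouter]:
        next(r for r in self.routers if r.name == router_name).up = False
        return self.reevaluate()


def tracking_scenario(standby_preempt: bool = True):
    """A has priority 105 and tracks Serial0 with decrement 25 (from the text);
    B is a constructed standby with priority 100. Returns (active before,
    active after Serial0 fails, A's effective priority)."""
    a = HsrpRouter("A", "10.1.1.2", priority=105, preempt=True, tracked={"Serial0": 25})
    b = HsrpRouter("B", "10.1.1.3", priority=100, preempt=standby_preempt)
    g = HsrpGroup(1, "10.0.0.1", [a, b])
    before = g.active.name
    g.interface_down("A", "Serial0")
    return before, g.active.name, a.effective_priority()


def load_sharing_scenario():
    """Two groups on one VLAN: Catalyst A is active for group 1 and standby for
    group 2, Catalyst B the reverse. Interface IPs and priorities are constructed."""
    def pair(prio_a: int, prio_b: int):
        return [HsrpRouter("CatalystA", "192.168.1.10", priority=prio_a, preempt=True),
                HsrpRouter("CatalystB", "192.168.1.11", priority=prio_b, preempt=True)]
    g1 = HsrpGroup(1, "192.168.1.1", pair(110, 90))
    g2 = HsrpGroup(2, "192.168.1.2", pair(90, 110))
    return {g.group: (g.active.name, g.standby.name) for g in (g1, g2)}
```

Running tracking_scenario() with pre-emption on the standby reproduces the answer from the configuration section (A drops to 80 and B takes over); with standby_preempt=False A's priority still drops to 80 but it stays active, which is the situation the text warns about. load_sharing_scenario() shows each switch active for one group and standby for the other.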


• VRRP: (RFC 2338)
- IETF standard alternative to HSRP.
- A VRRP group has one master router; all other routers are in the backup state.
- The master router has the highest priority (1-254), default 100.
- If priorities are equal, the highest IP address breaks the tie.
- The virtual MAC of VRRP is 0000.5e00.01XX, where XX is the group no. (0-255).
- Only the VRRP master sends hellos, on multicast address 224.0.0.18 every 1 sec. by default, using IP protocol 112.
- By default pre-emption is on.
- VRRP has no mechanism for tracking interfaces, but VRRP plus supports tracking.
- The virtual IP can be one of the routers' real IPs; the router owning that IP has priority 255 reserved for it (master by default). This may not apply on Cisco devices.

- Load sharing can be achieved the same way as with HSRP.



• VRRP configuration:
(config-if)# vrrp <group no.> priority <value>
(config-if)# vrrp <group no.> ip <virtual ip>
(config-if)# vrrp <group no.> timers advertise [msec] <interval>
To disable pre-emption:
(config-if)# no vrrp <group no.> preempt [delay <sec>]
- Troubleshooting:
#show vrrp [brief / all]
#show vrrp interface <int. name>



VRRP in multiple groups:



• GLBP (Gateway Load Balancing Protocol): (Cisco proprietary)
- HSRP and VRRP provide gateway resiliency, but they can only accomplish load balancing by configuring multiple groups.
- GLBP is like HSRP and VRRP but with a more dynamic and robust behavior.
- Rather than having just one active router performing forwarding, all routers in the group can participate and offer load balancing by forwarding a portion of the overall traffic.
- So GLBP fully utilizes resources without extra administrative burden.
- GLBP group members multicast hellos every 3 seconds to IP address 224.0.0.102, UDP port 3222.
- A GLBP group (group no. 0-1023) has:
One AVG (Active Virtual Gateway).
One standby AVG.
Up to 4 AVFs (Active Virtual Forwarders).
All others are backups.

• GLBP Operation:
- The trick behind GLBP load balancing lies in electing an AVG router that has a management role, distributing the load among all AVFs using:
1- Round-robin technique: the default method; the traffic is distributed equally across all routers.
2- Weighted round-robin technique: a weight is given to every AVF; the weight determines the share of traffic that will be sent to that AVF.
3- Host-dependent technique: a host will receive the same AVF MAC every time it generates an ARP request.
- The AVG router is the one with the highest priority (1-255); if equal, the highest IP address wins.
- The AVG also assigns the necessary virtual MAC addresses to each of the routers participating in the GLBP group. Up to four virtual MAC addresses can be used in any group. Each of these routers is referred to as an active virtual forwarder (AVF), forwarding traffic received on its virtual MAC.
- The AVG router answers all ARP requests for the virtual router, and each time it replies with the MAC of one of the AVFs.
- An AVG can also have the role of one of the AVFs.

As shown in the figure, by default GLBP will attempt to balance traffic on a per-host basis, using the round-robin algorithm.
1. When a client sends an ARP message for the gateway IP address, the AVG returns the virtual MAC address of one of the AVFs.
2. When a second client sends an ARP message, the AVG returns the next virtual MAC address from the list.

Having each resolved a different MAC address for the default gateway, clients A and B will send their routed traffic to separate routers, although they both have the same default gateway address configured. Each GLBP router is an AVF for the virtual MAC address to which it has been assigned.

Like HSRP, GLBP can be configured to track interfaces. In the figure, the WAN link from router R1 is lost. GLBP detects the failure.

Because interface tracking was configured on R1, the job of forwarding packets for virtual MAC address 0000.0000.0001 will be taken over by the secondary virtual forwarder for the MAC, router R2. Therefore, the client sees no disruption of service, nor does the client need to resolve a new MAC address for the default gateway.
Multilayer Switches in a GLBP Group

The figure shows a typical network where three multilayer switches are participating in a common GLBP group. Catalyst A is elected the AVG, so it coordinates the entire GLBP process. The AVG answers all ARP requests for the virtual router 192.168.1.1. It has identified itself, Catalyst B, and Catalyst C as AVFs for the group.

In this figure, round-robin load balancing is being used. Each of the client PCs looks for the virtual router address in turn, from left to right. Each time the AVG replies, the next sequential virtual MAC address is sent back to a client. After the fourth PC sends a request, all three virtual MAC addresses (and AVF routers) have been used, so the AVG cycles back to the first virtual MAC address.
Notice that only one GLBP group has been configured, and all clients know of only one gateway IP address, 192.168.1.1. However, all uplinks are being utilized, and all routers are proportionately forwarding traffic.
Redundancy is also inherent in the GLBP group: Catalyst A is the AVG, but the next-highest priority router can take over if the AVG fails. All routers have been given an AVF role for a unique virtual MAC address in the group. If one AVF fails, some clients remember the last known virtual MAC address that was handed out. Therefore, another of the routers also takes over the AVF role for the failed router, causing the virtual MAC address to remain alive at all times.



How GLBP Reacts to a Component Failure

The figure shows how these redundancy features react when the current active AVG fails. Catalyst A, prior to its failure, was the AVG because of its higher GLBP priority. After it failed, Catalyst B became the AVG, answering ARP requests with the appropriate virtual MAC address for gateway 192.168.1.1. Catalyst A had also been acting as an AVF, participating in the gateway load balancing.
Catalyst B also picks up this responsibility, using its virtual MAC address 0007.b400.0102 as well as the one Catalyst A had been using, 0007.b400.0101. Therefore, any hosts that know the gateway by any of its virtual MAC addresses can still reach a live gateway or AVF.



The virtual MAC addresses always have the form 0007.b4xx.xxyy. The 16-bit value denoted by xx.xx represents six zero bits followed by a 10-bit GLBP group number. The 8-bit yy value is the virtual forwarder number.

AVF election
• GLBP uses a weighting function to determine which routers become AVFs.
• Each router begins with a maximum weight value (1-254), default 100. As specific tracked interfaces go down, the weight is decremented by a configured amount; GLBP uses a threshold to determine when a router can or cannot be an AVF.
• Preemption is not supported between AVFs (if an AVF has a higher weight it cannot pre-empt another AVF, so if an AVF fails it cannot return as an AVF unless the number of AVFs is less than 4).
• Preemption is supported between AVGs.
• Configuration:
For the AVG:
(config-if)# glbp <group no.> load-balancing [round-robin / weighted / host-dependent]
(config-if)# glbp <group no.> ip <virtual IP>
(config-if)# glbp <group no.> priority <value>
(config-if)# glbp <group no.> preempt [delay <sec>]
For AVFs:
(config-if)# glbp <group no.> weighting <value> [lower <value>]
- Tracking:
(config-if)# glbp <group no.> weighting track <object no.> [decrement <value>]
- Object:
(config)# track <object no.> interface <int. name> {line-protocol / ip routing}
- Troubleshooting:
#show glbp



Configuring GLBP Load Balancing

A standard protocol similar to GLBP is now available, called VRRPE (VRRP Extended).



By default, GLBP uses the periodic hello messages to detect AVF failures too. Each router within a GLBP group must send hellos to every other GLBP peer, and hellos are expected from every other peer. For example, if hellos from an AVF are not received by the AVG before its holdtime timer expires, the AVG assumes that the current AVF has failed. The AVG then assigns the AVF role to another router.
Naturally, the router that is given the new AVF role might already be an AVF for a different virtual MAC address. Although a router can masquerade as two different virtual MAC addresses to support the two AVF functions, it does not make much sense to continue doing that for a long period of time. The AVG maintains two timers that help resolve this condition.
The redirect timer is used to determine when the AVG will stop using the old virtual MAC address in ARP replies. The AVF corresponding to the old address continues to act as a gateway for any clients that try to use it.
When the timeout timer expires, the old MAC address and the virtual forwarder using it are flushed from all the GLBP peers. The AVG assumes that the previously failed AVF will not return to service, so the resources assigned to it must be reclaimed. At this point, clients still using the old MAC address in their ARP caches must refresh the entry to obtain the new virtual MAC address.
The redirect timer defaults to 600 seconds (10 minutes) and can range from 0 to 3,600 seconds (1 hour). The timeout timer defaults to 14,400 seconds (4 hours) and can range from 700 to 64,800 seconds (18 hours). You can adjust these timers with the following interface-configuration command:
(config-if)# glbp <group no.> timers redirect <redirect sec> <timeout sec>
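The GLBP behaviour covered in this section (virtual MAC format 0007.b4xx.xxyy, AVG election, the three load-balancing methods, AVF takeover by a secondary virtual forwarder, and the redirect and timeout timers) as one added Python model. This is not code from the course book or from Cisco; it simulates the rules as the text states them. The three-switch scenario reuses the text's virtual IP 192.168.1.1, group 1 and the MACs 0007.b400.0101/0102; the routers' interface IPs, priorities and weights are constructed, and the "secondary virtual forwarder is the live router with the fewest MACs" choice is my own simplification.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional


def glbp_virtual_mac(group: int, forwarder: int) -> str:
    """0007.b4xx.xxyy: xx.xx holds six zero bits plus the 10-bit group number,
    yy the 8-bit virtual forwarder number (1-4)."""
    if not 0 <= group <= 1023 or not 1 <= forwarder <= 4:
        raise ValueError("group must be 0-1023 and forwarder 1-4")
    return f"0007.b4{group >> 8:02x}.{group & 0xff:02x}{forwarder:02x}"


@dataclass
class GlbpRouter:
    name: str
    ip: str
    priority: int = 100     # AVG election (1-255); highest IP breaks ties
    weight: int = 100       # AVF weighting (1-254)
    preempt: bool = False   # AVG pre-emption only; AVFs never pre-empt
    up: bool = True


class GlbpGroup:
    def __init__(self, group: int, vip: str, routers: List[GlbpRouter],
                 method: str = "round-robin", redirect: int = 600, timeout: int = 14400):
        self.group, self.vip, self.routers = group, vip, list(routers)
        self.method, self.redirect, self.timeout = method, redirect, timeout
        self.avg: Optional[GlbpRouter] = None
        self.owner: Dict[str, str] = {}       # virtual MAC -> router currently forwarding for it
        self.orphaned: Dict[str, int] = {}    # virtual MAC -> time its original AVF failed
        self.served: Dict[str, int] = {}      # virtual MAC -> ARP replies that carried it
        self.host_cache: Dict[str, str] = {}  # client MAC -> virtual MAC (host-dependent)
        self._rr = 0
        self.elect_avg()
        # The AVG hands one virtual MAC to each of the first four live routers.
        for n, r in enumerate(self._live()[:4], start=1):
            mac = glbp_virtual_mac(group, n)
            self.owner[mac], self.served[mac] = r.name, 0

    def _live(self) -> List[GlbpRouter]:
        return [r for r in self.routers if r.up]

    def elect_avg(self) -> GlbpRouter:
        best = max(self._live(), key=lambda r: (r.priority, int(IPv4Address(r.ip))))
        if self.avg is None or not self.avg.up or (best.preempt and best.priority > self.avg.priority):
            self.avg = best
        return self.avg

    def _advertisable(self, now: int) -> List[str]:
        # MACs of live AVFs, plus MACs of failed AVFs until the redirect timer expires.
        return [m for m in self.owner
                if m not in self.orphaned or now - self.orphaned[m] < self.redirect]

    def arp_reply(self, client_mac: str, now: int = 0) -> str:
        """The virtual MAC the AVG puts in its ARP reply for the gateway IP."""
        macs = self._advertisable(now)
        if not macs:
            raise RuntimeError("no virtual forwarder available")
        if self.method == "host-dependent" and self.host_cache.get(client_mac) in macs:
            mac = self.host_cache[client_mac]
        elif self.method == "weighted":
            # Smooth weighted round-robin: lowest replies-per-weight ratio goes next.
            weight = {r.name: r.weight for r in self.routers}
            mac = min(macs, key=lambda m: self.served[m] / weight[self.owner[m]])
        else:
            mac = macs[self._rr % len(macs)]
            self._rr += 1
        self.served[mac] += 1
        self.host_cache[client_mac] = mac
        return mac

    def fail_router(self, name: str, now: int = 0) -> None:
        """Holdtime expired for one router: its MACs move to a secondary virtual
        forwarder, and a new AVG is elected if it was the AVG."""
        next(r for r in self.routers if r.name == name).up = False
        live = self._live()
        for mac, owner in list(self.owner.items()):
            if owner == name:
                # Simplification: the live router forwarding for the fewest MACs takes over.
                taker = min(live, key=lambda r: list(self.owner.values()).count(r.name))
                self.owner[mac] = taker.name
                self.orphaned.setdefault(mac, now)
        if not self.avg.up:
            self.elect_avg()

    def expire(self, now: int) -> None:
        """Timeout timer: flush orphaned MACs; clients still holding them must re-ARP."""
        for mac, t in list(self.orphaned.items()):
            if now - t >= self.timeout:
                del self.owner[mac], self.served[mac], self.orphaned[mac]
                self.host_cache = {c: m for c, m in self.host_cache.items() if m != mac}
```

With three routers in group 1 the first four ARP replies cycle 0101, 0102, 0103, 0101. After Catalyst A (the AVG) fails at time 0, Catalyst B becomes AVG and also owns 0007.b400.0101; that MAC is still handed out in ARP replies until the 600-second redirect timer passes, and is flushed entirely once the 14,400-second timeout expires.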

A Comparison of Router Redundancy Protocols

Securing Switch Access



Overview of Switch Security Concerns
Much industry attention surrounds security attacks from outside the walls of an
organization and at the upper Open Systems Interconnection (OSI) layers.
Network security often focuses on edge routing devices and the filtering of
packets based upon Layer 3 and Layer 4 headers, ports, stateful packet
inspection, and so forth. This includes all issues surrounding Layer 3 and
above, as traffic makes its way into the campus network from the Internet.
Campus access devices and Layer 2 communication are left largely
unconsidered in most security discussions.
The default state of networking equipment highlights this focus on external
protection and internal open communication. Firewalls, placed at the
organizational borders, arrive in a secure operational mode and allow no
communication, until configured to do so. Routers and switches that are
internal to an organization and designed to accommodate communication,
delivering needful campus traffic, have a default operational mode that
forwards all traffic unless configured otherwise. Their function as devices that
facilitate communication often results in minimal security configuration and
renders them targets for malicious attacks. If an attack is launched at Layer 2
on an internal campus device, the rest of the network can be quickly
compromised, often without detection.
Many security features are available for switches and routers, but they must be
enabled to be effective. As with Layer 3, where security had to be tightened on
devices within the campus as malicious activity that compromised this layer
increased, now security measures must be taken to guard against malicious
activity at Layer 2. A new security focus centers on attacks launched by
maliciously leveraging normal Layer 2 switch operations. Security features
exist to protect switches and Layer 2 operations. However, as with access
control lists (ACLs) for upper-layer security, a policy must be established and
appropriate features configured to protect against potential malicious acts
while maintaining daily network operations.



Securing Switch Access
Switch AAA
• You can manage user activity to and through a switch with
authentication, authorization, and accounting (AAA) features.

– Authentication: verifies a user’s identity
– Authorization: specifies the tasks the user is permitted to perform
– Accounting: provides billing, auditing, and monitoring
Authentication
• Switch or network access can be granted only after a user’s identity has been
validated. User authentication is commonly used on switches and routers to
limit Telnet access to the network administration staff.
• User authentication can be handled by several methods:
- Usernames and passwords configured locally on the switch
- One or more external Remote Authentication Dial-In User Service (RADIUS)
servers
- One or more external Terminal Access Controller Access Control System+
(TACACS+) servers



To use authentication on a Catalyst switch, you must configure several things in
the following order:
Step 1 Enable AAA on the switch.
By default, AAA is disabled. Therefore, all user authentication is handled locally,
by configured usernames and passwords. To enable AAA, use the following
global configuration command:
Switch(config)# aaa new-model
The new-model refers to the use of method lists, where authentication methods
and sources can be grouped or organized. The new model is much more scalable
than the "old model," where the authentication source was explicitly configured.
Step 2 Define the source of authentication.
You can compare user credentials against locally configured usernames and
passwords, or against a database managed by external RADIUS or TACACS+
servers.
Use locally configured usernames and passwords as a last resort, when no other
authentication servers are reachable or in use on the network. To define a
username, use the following global configuration command:
Switch(config)# username username password password
RADIUS or TACACS+ servers are defined in groups. First, define each
server along with its secret shared password. This string is known only to the
switch and the server and provides a key for encrypting the authentication
session. Use one of the following global configuration commands:
Switch(config)# radius-server host { hostname | ip-address} [key string]
Switch(config)# tacacs-server host { hostname | ip-address} [key string]
Then, define a group name that will contain a list of servers, using the following
global configuration command:
Switch(config)# aaa group server {radius | tacacs+} group-name
Define each server of the group type with the following server-group
configuration command:
Switch(config)# server ip-address
You can define multiple RADIUS or TACACS+ servers by repeating these
commands.



Step 3 Define a list of authentication methods to try.
You can list switch login authentication methods by giving the method a
descriptive name or as the unnamed "default" method. List each method or
protocol type in the order that it should be tried. If none of the servers for the first
method respond, the switch tries the servers in the next method listed.
Use the following global configuration command to define a method list:
Switch(config)# aaa authentication login {default | list-name} method1
[ method2 ...]
Here, the methods refer to these values:
• tacacs+—Each of the TACACS+ servers configured on the switch will be
tried, in the order that it was configured.
• radius—Each of the RADIUS servers configured on the switch will be
tried, in the order that it was configured.
• local—The user’s credentials will be compared against all of the
username commands configured on the local switch.
• line—The line passwords authenticate any connected user. No usernames
can be used.
Step 4 Apply a method list to a switch line.
First, select a line (console or vty for Telnet access) using the line line command.
Then, trigger the user authentication on that line to use an AAA method list. Use
the following line configuration command:
Switch(config-line)# login authentication {default | list-name}
You can use the default method list if only one list is sufficient for all
circumstances on the switch. Otherwise, if you have configured named
method lists, you can reference one of them here.
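How the switch walks the method list built in Steps 1 through 4, as an added Python model (not code from the course): the server addresses, users and passwords are constructed, and the list mirrors `aaa authentication login default tacacs+ local`. The model also shows a caveat the steps imply: only a method whose servers all fail to respond hands off to the next one, while an accept or reject from a reachable server is final, so the trailing `local` method covers outages rather than rejected passwords.

```python
"""Model of how a Catalyst switch walks an AAA login method list.
Added example, not from the course text; server addresses, users and passwords are
constructed. A method whose servers all fail to respond hands off to the next method,
as the text describes; an explicit accept or reject from a reachable source ends the
lookup, so a trailing 'local' method covers server outages, not rejected passwords."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Result(Enum):
    PASS = "pass"     # credentials accepted
    FAIL = "fail"     # credentials rejected by a reachable source (final)
    ERROR = "error"   # no server in the group answered: try the next method


@dataclass
class ServerGroup:
    """An 'aaa group server' with its member servers and a simulated user database."""
    servers: List[str]
    reachable: Dict[str, bool]
    users: Dict[str, str]

    def authenticate(self, user: str, password: str) -> Result:
        for server in self.servers:                 # tried in the configured order
            if not self.reachable.get(server, False):
                continue                            # timeout: next server in the group
            return Result.PASS if self.users.get(user) == password else Result.FAIL
        return Result.ERROR                         # the whole group is unreachable


@dataclass
class Switch:
    local_users: Dict[str, str]                     # 'username ... password ...' entries
    groups: Dict[str, ServerGroup]                  # keyed by method keyword, e.g. "tacacs+"
    method_lists: Dict[str, List[str]]              # 'aaa authentication login <name> ...'

    def login(self, list_name: str, user: str, password: str) -> Tuple[bool, List[Tuple[str, Result]]]:
        """Authenticate a user on a line bound to list_name; return (granted, trail)."""
        trail: List[Tuple[str, Result]] = []
        for method in self.method_lists[list_name]:
            if method == "local":
                result = Result.PASS if self.local_users.get(user) == password else Result.FAIL
            else:
                result = self.groups[method].authenticate(user, password)
            trail.append((method, result))
            if result is not Result.ERROR:          # PASS or FAIL is final
                return result is Result.PASS, trail
        return False, trail                         # every method errored: access denied


def build_switch(tacacs_reachable: bool) -> Switch:
    """Constructed switch: two TACACS+ servers, one local fallback user, and the
    method list 'aaa authentication login default tacacs+ local'."""
    tacacs = ServerGroup(
        servers=["192.0.2.10", "192.0.2.11"],
        reachable={"192.0.2.10": tacacs_reachable, "192.0.2.11": tacacs_reachable},
        users={"netops": "Tacacs-Pw-1"},
    )
    return Switch(
        local_users={"admin": "Local-Pw-1"},
        groups={"tacacs+": tacacs},
        method_lists={"default": ["tacacs+", "local"], "CONSOLE": ["local"]},
    )
```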



Configure Authentication
• Enable AAA on the switch.
Switch(config)# aaa new-model

• Define the source of authentication.


Switch(config)# username username password password
Switch(config)# radius-server host { hostname | ip-address}
Switch(config)# tacacs-server host { hostname | ip-address}
Switch(config)# aaa group server {radius | tacacs+} group-name
Switch(config)# server ip-address

• Define a list of authentication methods to try.


Switch(config)# aaa authentication login {default | list-name} method1 [
method2 ...]
Here, the methods refer to these values:
- tacacs+
- radius
- local
- line
- enable
• Apply a method list to a switch line.
Switch(config-line)# login authentication {default | list-name}



Authorization
• After a user is authenticated, the switch allows access to certain services or
switch commands based on the user’s privilege level.
• Authorization provides a means to grant specific users the ability to
perform certain tasks. Like authentication, authorization is performed by
querying external RADIUS or TACACS+ servers. If the authorization
server has an entry for a user and a service or command, the switch allows
the user to perform that task.

Accounting
• Catalyst switches also support the capability to use AAA for
producing accounting information of user activity. RADIUS and
TACACS+ servers can also collect this accounting information from
switches.



Port-Based Authentication
(802.1x)
• Catalyst switches can support port-based authentication, a
combination of AAA authentication and port security. This feature is
based on the IEEE 802.1x standard.
• Basically, a switch port will not pass any traffic until a user has
authenticated with the switch. If the authentication is successful, the
user can use the port normally.
• The PC must use Extensible Authentication Protocol over LANs
(EAPOL) to verify its access.

802.1x authentication requires a computer (called a client) to be
authenticated before it is allowed access to the LAN. This can be
combined with port security to allow only authenticated clients with
specified MAC addresses to access a port. When a computer connects
to a switch port configured for 802.1x authentication, the following
steps occur:

Step 1. The port is in the unauthorized state, allowing only 802.1x EAP over
LAN (EAPOL) traffic.
Step 2. The client connects to the port. The switch either requests
authentication or the client sends an EAPOL frame to begin authentication.
Step 3. The switch relays authentication information between the client and a
RADIUS server that acts in proxy for the client.
Step 4. If authentication succeeds, the port transitions to the authorized state,
and normal LAN traffic is allowed through it.
For port-based authentication, both the switch and the end user’s PC must
support the 802.1x standard, using the Extensible Authentication Protocol over
LANs (EAPOL). The 802.1x standard is a cooperative effort between the client
and the switch offering network service. If the client PC is configured to use
802.1x but the switch does not support it, the PC abandons the protocol and
communicates normally. However, if the switch is configured for 802.1x but
the PC does not support it, the switch port remains in the unauthorized state so
that it will not forward any traffic to the client PC.

NOTE 802.1x EAPOL is a Layer 2 protocol. At the point where a switch
detects the presence of a device on a port, the port remains in the unauthorized
state. Therefore, the client PC cannot communicate with anything other than the
switch by using EAPOL. If the PC does not already have an IP address, it
cannot request one. The PC also has no knowledge of the switch or its IP
address, so any means other than a Layer 2 protocol is not possible. This is why
the PC must also have an 802.1x-capable application or client software.

An 802.1x switch port begins in the unauthorized state so that no data other
than the 802.1x protocol itself is allowed through the port. Either the client or
the switch can initiate an 802.1x session. The authorized state of the port ends
when the user logs out, causing the 802.1x client to inform the switch to revert
back to the unauthorized state. The switch can also time out the user’s
authorized session. In this event, the client must reauthenticate to continue
using the switch port.



802.1x Configuration

• A method list is configured, defining the methods to be tried in
sequence for 802.1x purposes:
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x {default | list-name} method1
[ method2 ...]
- The methods can be:
group {group-name | radius}—a server group; 802.1x is supported by RADIUS only
enable—the enable password
line—the line password
local—the local username database
none—no authentication

• Enable the use of 802.1x on the switch with the following global
configuration command:
Switch(config)# dot1x system-auth-control

• You must configure each switch port that will use 802.1x, because the
default is force-authorized (no authentication needed):
Switch(config-if)# dot1x port-control {force-authorized | force-unauthorized | auto}
Auto requires an 802.1x-capable application on the client PC.
• Here, the 802.1x state is one of the following:
force-authorized—The port is forced to always authorize any connected
client. No authentication is necessary. This is the default state for all
switch ports when 802.1x is enabled.
force-unauthorized—The port is forced to never authorize any connected
client. As a result, the port cannot move to the authorized state to pass
traffic to a connected client.
auto—The port uses an 802.1x exchange to move from the unauthorized
to the authorized state, if successful. This requires an 802.1x-capable
application on the client PC.

• If the switch should expect to find multiple hosts present on the switch
port, change the host mode from the default single-host:
Switch(config-if)# dot1x host-mode multi-host



Switch Attack Categories

Figure: types of attacks and their mitigations
Attacks: CAM table overflow, MAC spoofing, ARP spoofing, DHCP starvation,
VLAN hopping, Spanning Tree attack
Mitigations: Port Security + 802.1x, DHCP Snooping, VLAN best practice,
BPDU Guard & Root Guard

Layer 2 malicious attacks are typically launched by a device that is connected
to the campus network. This can be a physical rogue device placed on the
network for malicious purposes or an external intrusion that takes control of
and launches attacks from a trusted device. In either case, the network sees all
traffic as originating from a legitimate connected device.
Attacks launched against switches and at Layer 2 can be grouped as follows:
• Attacks on switch devices
• MAC layer attacks (CAM table overflow, Media Access Control (MAC)
address spoofing)
• Spoof attacks (switch spoofing, ARP spoofing and DHCP spoofing)
• DHCP starvation
• VLAN attacks (VLAN hopping)
• Spanning-Tree Protocol (STP) manipulation
Significant attacks in these categories, known as of this writing, are discussed
in more detail in subsequent sections of the course. Each attack method is
accompanied by a standard measure for mitigating the security compromise.
CAM table overflow attack
MAC Flooding
MAC flooding is the attempt to exploit the fixed hardware limitations of the
CAM table of a switch. The Catalyst switch CAM table stores the source MAC
address and the associated port of each device connected to the switch. The CAM
table on the Catalyst 6000 can contain 128,000 entries. These 128,000 entries are
organized as 8 pages that can store approximately 16,000 entries. A 17-bit hash
algorithm is used to place each entry in the CAM table. If the hash results in the
same value, each entry is stored on separate pages. Once these eight locations are
full, the traffic is flooded out all ports on the same VLAN on which the source
traffic is being received.
CAM tables are limited in size. If enough entries are entered into the CAM table
before other entries are expired, the CAM table fills up to the point that no new
entries can be accepted. Typically a network intruder will flood the switch with a
large number of invalid-source MAC addresses until the CAM table fills up.
When that occurs, the switch will flood all ports with incoming traffic because it
cannot find the port number for a particular MAC address in the CAM table.

In the diagram, the machine that belongs to the attacker is on VLAN 10.
The attacker floods MAC addresses to port 3/25 on the switch. When the
content addressable memory (CAM) table threshold is reached, the switch
operates as a hub and simply floods traffic out all ports. This flooding also
occurs on adjacent switches configured with VLAN 10; however, flooding is
limited to only the source VLAN and does not affect other VLANs.
• The switch, in essence, acts like a hub. If the intruder does not maintain the
flood of invalid-source MAC addresses, the switch will eventually time out
older MAC address entries from the CAM table and begin to act like a switch
again. CAM table overflow only floods traffic within the local VLAN so the
intruder will see only traffic within the local VLAN to which he or she is
connected.
• In May of 1999 the tool macof was released. It was written in approximately
100 lines of PERL code and was later ported to C language code and
incorporated into the dsniff package. This tool floods a switch with packets
containing randomly generated source and destination MAC and IP
addresses. When the CAM table of the switch fills up with these addresses,
the switch begins to forward all frames it receives to every port. In the previous
figure the attacker is sending out multiple packets with various source MAC
addresses. Over a short period of time the CAM table in the switch fills up
until it cannot accept new entries. As long as macof is left running, the CAM
table on the switch will remain full. When this happens the switch begins to
broadcast all packets which it receives out of every port so that packets sent
from server B to server D are also broadcast out of port 3/25 on the switch
the attacker is attached to.

Mitigating the CAM table overflow attack


The CAM table-overflow attack can be mitigated by configuring port security on
the switch. This option provides for either the specification of the MAC
addresses on a particular switch port or the specification of the number of MAC
addresses that can be learned by a switch port. When an invalid MAC address is
detected on the port, the switch can either block the offending MAC address or
shut down the port.
Specifying MAC addresses on switch ports is far too unmanageable a solution for
a production environment. Limiting the number of MAC addresses on a switch
port is manageable. A more administratively scalable solution would be the
implementation of dynamic port security at the switch. To implement dynamic
port security, specify a maximum number of MAC addresses that will be learned.



• Port Security
Port security allows administrators to specify MAC addresses for each port or to
permit a limited number of MAC addresses. When a secure port receives a packet,
the source MAC address of the packet is compared to the list of secure source
addresses that were manually configured or learned on the port. If a MAC address
of a device attached to the port differs from the list of secure addresses, the port
shuts down permanently, shuts down for a specified period of time, or drops
incoming packets from the insecure host. The behavior of the port depends on how
it is configured to respond to a security violator. The default behavior is to shut
down permanently.
• Cisco recommends configuring the port security feature to issue a shutdown
instead of dropping packets from insecure hosts through the restrict option. The
restrict option may fail under the load of an attack, and the port is disabled anyway.
• To restrict traffic through a port by limiting and identifying the MAC addresses
of the stations allowed to access the port:

• Enable the port security feature:
Switch(config-if)# switchport port-security
• Identify the number of allowed MAC addresses so that the port can grant
them access:
Switch(config-if)# switchport port-security maximum max-address-no.
• You can also statically define one or more MAC addresses on an interface, or
let the port learn them dynamically as sticky addresses:
Switch(config-if)# switchport port-security mac-address mac-address
Switch(config-if)# switchport port-security mac-address sticky
• Violation action:
Switch(config-if)# switchport port-security violation {shutdown | restrict |
protect}



MAC spoofing – man in the middle attacks
MAC spoofing attacks involve the use of a known MAC address of another host
to attempt to make the target switch forward frames destined for the targeted host
to the network attacker. By sending a single frame with the source MAC address
of the targeted host, the network attacker overwrites the CAM table entry so that
the switch forwards packets destined for the targeted host to the network attacker.
The targeted host will not receive any traffic until it sends traffic. When the
targeted host sends out traffic, the CAM table entry is rewritten once more so that
it associates the MAC address back to the original port.
The figure shows how MAC spoofing works. In the beginning the switch has learned
that Host A is on port 1, Host B is on port 2, and Host C is on port 3. Host B
sends out a packet identifying itself with the IP address of Host B but with MAC
address of Host A. This traffic causes the switch to move the location of Host A
in its CAM table from port 1 to port 2. Traffic from Host C destined to Host A is
now visible to Host B.

Mitigating MAC spoofing attacks

Use the port security interface configuration command to mitigate MAC
spoofing attacks. The port security command provides the capability to
specify the MAC address of the system connected to a particular port. The
command also provides the ability to specify an action to take if a port security
violation occurs. However, as with the CAM table overflow attack mitigation,
specifying a MAC address on every port is an unmanageable solution.



shutdown—The port is immediately put into the errdisable state, which
effectively shuts it down. It must be re-enabled manually or through errdisable
recovery to be used again.
restrict—The port is allowed to stay up, but all packets from violating MAC
addresses are dropped. The switch keeps a running count of the number of
violating packets and can send an SNMP trap and a syslog message as an alert of
the violation.
protect—The port is allowed to stay up, as in the restrict mode. Although
packets from violating addresses are dropped, no record of the violation is kept.
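An added Python model of the port security behaviour described in the CAM table overflow and MAC spoofing sections and in the three violation modes above (not code from the course; the MAC addresses and port name are constructed). It implements maximum, static and sticky addresses and the shutdown, restrict and protect modes, then runs a simulated MAC flood against each mode so the effect on the flood and on a legitimate host can be compared.

```python
"""Model of Catalyst port security on one access port.
Added example, not from the course; MAC addresses and the port name are constructed.
It implements the knobs described above: 'maximum', static and sticky addresses, and
the three violation modes (shutdown -> errdisable, restrict -> drop and count,
protect -> drop silently). flood_port() stands in for a macof-style CAM-flood source
so the effect of each mode on the flood and on a legitimate host can be compared."""
import random
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                   # switchport port-security maximum (IOS default 1)
    violation: str = "shutdown"        # switchport port-security violation (IOS default)
    sticky: bool = False               # switchport port-security mac-address sticky
    secure: Dict[str, str] = field(default_factory=dict)   # mac -> SecureConfigured/Dynamic/Sticky
    errdisabled: bool = False
    violation_count: int = 0
    alerts: List[str] = field(default_factory=list)        # stand-in for syslog / SNMP trap

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address <mac>"""
        self.secure[mac] = "SecureConfigured"

    def receive(self, src_mac: str) -> bool:
        """Process one ingress frame; return True if the switch forwards it."""
        if self.errdisabled:
            return False                                   # port is down, nothing passes
        if src_mac in self.secure:
            return True                                    # known secure address
        if len(self.secure) < self.maximum:
            self.secure[src_mac] = "SecureSticky" if self.sticky else "SecureDynamic"
            return True                                    # learn it, up to the maximum
        return self._violation(src_mac)

    def _violation(self, src_mac: str) -> bool:
        """Apply the configured violation mode to an unknown source MAC."""
        if self.violation == "shutdown":
            self.errdisabled = True                        # needs manual or errdisable recovery
            self.violation_count += 1
            self.alerts.append(f"{self.name} err-disabled after frame from {src_mac}")
        elif self.violation == "restrict":
            self.violation_count += 1                      # port stays up, violation counted and alerted
            self.alerts.append(f"{self.name} violation by {src_mac}")
        # protect: frame dropped silently, no counter, no alert
        return False

    def summary(self) -> Tuple[int, int, int, str]:
        """The fields of one 'show port-security' row: max, current, violations, action."""
        return (self.maximum, len(self.secure), self.violation_count, self.violation)


def random_mac(rng: random.Random) -> str:
    return ".".join(f"{rng.randrange(1 << 16):04x}" for _ in range(3))


def flood_port(port: SecurePort, frames: int, seed: int = 1) -> int:
    """Send frames with random (constructed) source MACs, as a CAM-flood tool would,
    and return how many of them the switch forwarded."""
    rng = random.Random(seed)
    return sum(port.receive(random_mac(rng)) for _ in range(frames))


def compare_modes(frames: int = 1000) -> Dict[str, dict]:
    """Run the same flood against a 3-address port in each violation mode, then check
    whether a legitimate host learned before the flood can still send."""
    out = {}
    for mode in ("shutdown", "restrict", "protect"):
        p = SecurePort("Fa0/1", maximum=3, violation=mode, sticky=True)
        p.receive("0011.2233.4455")                        # legitimate host, learned first
        forwarded = flood_port(p, frames)
        out[mode] = {
            "flood_frames_forwarded": forwarded,           # only the 2 remaining slots
            "secure_addresses": len(p.secure),
            "violations": p.violation_count,
            "errdisabled": p.errdisabled,
            "legit_host_still_forwards": p.receive("0011.2233.4455"),
        }
    return out
```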

Troubleshooting:
This command displays port security settings for the switch or for the specified
interface, including the maximum allowed number of secure MAC addresses
for each interface, the number of secure MAC addresses on the interface, the
number of security violations that have occurred, and the violation mode.
Switch# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)        (Count)
---------------------------------------------------------------------------
      Fa5/1            11           11                  0         Shutdown
      Fa5/5            15            5                  0         Restrict
     Fa5/11             5            4                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System: 20
Max Addresses limit in System:



The interface form of the command shows the same settings for a single port,
along with its status and aging configuration:

Switch# show port-security interface fastethernet 5/1
Port Security: Enabled
Port status: SecureUp
Violation mode: Shutdown
Maximum MAC Addresses: 11
Total MAC Addresses: 11
Configured MAC Addresses: 3
Aging time: 20 mins
Aging type: Inactivity
SecureStatic address aging: Enabled
Security Violation count: 0

Switch# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports    Remaining Age
                                                           (mins)
----    -----------       ----                -----    -------------
   1    0001.0001.0001    SecureDynamic       Fa5/1       15
   1    0001.0001.0002    SecureDynamic       Fa5/1       15
   1    0001.0001.1111    SecureConfigured    Fa5/1       16
   1    0001.0001.1112    SecureConfigured    Fa5/1        -
   1    0001.0001.1113    SecureConfigured    Fa5/1        -
   1    0005.0005.0001    SecureConfigured    Fa5/5       23
   1    0005.0005.0002    SecureConfigured    Fa5/5       23
   1    0005.0005.0003    SecureConfigured    Fa5/5       23
   1    0011.0011.0001    SecureConfigured    Fa5/11      25
   1    0011.0011.0002    SecureConfigured    Fa5/11      25
-------------------------------------------------------------------
Total Addresses in System: 10
Max Addresses limit in System:



MAC Table Questions
Question 1
What effect does the mac address-table aging-time 180 command have on the MAC
address-table?
A. This is how long a dynamic MAC address will remain in the CAM table.
B. The MAC address-table will be flushed every 3 minutes.
C. The default timeout period will be 360 seconds.
D. ARP requests will be processed less frequently by the switch.
E. The MAC address-table will hold addresses 180 seconds longer than the default of 10
minutes.

Question 2
In a Cisco switch, what is the default period of time after which a MAC address ages out and is
discarded?
A. 100 seconds B. 180 seconds C. 300 seconds D. 600 seconds

Question 3
If a network engineer applies the command mac-address-table notification mac-move on a
Cisco switch port, when is a syslog message generated?
A. A MAC address or host moves between different switch ports.
B. A new MAC address is added to the content-addressable memory.
C. A new MAC address is removed from the content-addressable memory.
D. More than 64 MAC addresses are added to the content-addressable memory.

Question 4
The network monitoring application alerts a network engineer of a client PC that is acting as a rogue
DHCP server. Which two commands help trace this PC when the MAC address is known? (Choose two)
A. switch# show mac address-table
B. switch# show port-security
C. switch# show ip verify source
D. switch# show ip arp inspection
E. switch# show mac address-table



DHCP Spoofing:
A device spoofs itself as a DHCP server.
• Attacker activates a DHCP server on the VLAN.
• Attacker replies to valid client DHCP requests.
• Attacker assigns IP configuration information that
establishes the rogue device as the client default gateway.
• Attacker establishes a "man-in-the-middle" attack.

As stated in RFC 2131:
"The client collects DHCPOFFER messages over a period of time,
selects one DHCPOFFER message from the (possibly many) incoming
DHCPOFFER messages (for example, the first DHCPOFFER message
or the DHCPOFFER message from the previously used server) and
extracts the server address from the `server identifier' option in the
DHCPOFFER message. The time over which the client collects messages
and the mechanism used to select one DHCPOFFER are implementation
dependent."
Mitigating DHCP Spoofing:
DHCP Snooping
A solution that can be used to mitigate various ARP-based network exploits is the
use of DHCP snooping. DHCP Snooping provides security by filtering trusted
DHCP messages and then using these messages to build and maintain a DHCP
snooping binding table. DHCP Snooping considers DHCP messages originating
from any user facing port that is not a DHCP server port or an uplink to a DHCP
server as untrusted. From a DHCP Snooping perspective these untrusted, user-
facing ports should not send DHCP server type responses such as DHCPOffer,
DHCPAck, or DHCPNak.
DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. It
also gives the administrator a way to differentiate between untrusted interfaces
connected to the end user and trusted interfaces connected to the DHCP server or
another switch.



• DHCP snooping allows the
configuration of ports as trusted or
untrusted.
• Untrusted ports cannot process
DHCP replies.
• Configure DHCP snooping on
uplinks to a DHCP server.
• Do not configure DHCP snooping on
client ports.

• DHCP Snooping Configuration Guidelines
These are the configuration guidelines for DHCP snooping:
- DHCP snooping must be enabled globally on the switch.
- DHCP snooping is not active until DHCP snooping is enabled on a VLAN.
- Before configuring the DHCP information option on the switch, make sure to
configure the device that is acting as the DHCP server. For example, the IP
addresses that the DHCP server can assign or exclude must be specified, and
any DHCP options for devices must be configured.
- The steps to configure DHCP snooping are shown in the figure.



Switch# show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP Snooping is configured on the following VLANs:
10 30-40 100 200-220
Insertion of option 82 information is enabled.
Interface          Trusted    Rate limit (pps)
---------          -------    ----------------
FastEthernet2/1    yes        none
FastEthernet2/2    yes        none
FastEthernet3/1    no         20

• The DHCP Snooping Binding Table
The DHCP snooping binding table contains the MAC address, IP address,
lease time, binding type, VLAN number, and interface information
corresponding to the local untrusted interfaces of a switch. The table does not
have information about hosts interconnected with a trusted port because each
interconnected switch has its own DHCP snooping binding table.
• An untrusted interface is an interface configured to receive messages from
outside the network or firewall. A trusted interface is an interface that is
configured to receive only messages from within the network. The DHCP
snooping binding table can contain both dynamic as well as static MAC
address to IP address bindings.
• The show ip dhcp snooping binding command displays the DHCP snooping
binding entries for a switch, as shown in the figure.

Note: A switch reload causes the loss of the binding table, which can affect
security. The DHCP snooping database agent can help avoid that; it is a
feature that saves the bindings to a file in a certain location inside the switch,
so that they can be recalled when the switch boots again.
DHCP starvation attacks
• A DHCP starvation attack works by broadcasting DHCP requests with
spoofed MAC addresses. This is easily achieved with attack tools such as
gobbler. If enough requests are sent, the network attacker can exhaust the
address space available to the DHCP servers for a period of time. This is a
simple resource starvation attack, similar to how a SYN flood is a starvation
attack. The network attacker can then set up a rogue DHCP server on their
system and respond to new DHCP requests from clients on the network.
• Exhausting all of the DHCP addresses is not required to introduce a rogue
DHCP server.
• By placing a rogue DHCP server on the network, a network attacker can
provide clients with addresses and other network information. Since DHCP
responses typically include default gateway and DNS server information, the
network attacker can supply their own system as the default gateway and
DNS server, resulting in a man-in-the-middle attack.



Mitigating DHCP starvation attacks

• The techniques that are used to mitigate CAM table flooding can also be used
to mitigate DHCP starvation by limiting the number of MAC addresses on a
switch port. As implementation of RFC 3118, Authentication for DHCP
Messages, increases, DHCP starvation attacks will become more difficult.
• Additional features in the Catalyst family of switches, such as the DHCP
snooping feature, can be used to help guard against a DHCP starvation
attack. DHCP snooping is a security feature that filters untrusted DHCP
messages and builds and maintains a DHCP snooping binding table. The
binding table contains information such as the MAC address, IP address,
lease time, binding type, VLAN number and the interface information
corresponding to the local untrusted interfaces of a switch. Untrusted
messages are those received from outside the network or firewall and
untrusted switch interfaces are ones that are configured to receive such
messages from outside the network or firewall.
• The following commands can be used to mitigate DHCP starvation attacks
using DHCP snooping:
• switch(config)#ip dhcp snooping
switch(config)#ip dhcp snooping vlan vlan_id {,vlan_id}
switch(config-if)#ip dhcp snooping trust
switch(config-if)#ip dhcp snooping limit rate rate




• Address Resolution Protocol (ARP) is used to map IP addressing to MAC
addresses in a local area network segment where hosts of the same subnet
reside. Normally, a host will send out a broadcast ARP request to find the
MAC address of another host with a particular IP address and an ARP
response will come from the host whose address matches the request. The
requesting host will then cache this ARP response.

ARP Spoofing
Within the ARP protocol a provision is made for hosts to perform unsolicited
ARP replies. The unsolicited ARP replies are called gratuitous ARPs (GARP).
GARP can be exploited maliciously by an attacker to spoof the identity of an IP
address on a LAN segment. Typically, this is used to spoof the identity between
two hosts or all traffic to and from a default gateway in a man-in-the-middle
attack.

By crafting an ARP reply, a network attacker can make their system appear to be
the destination host sought by the sender. The ARP reply causes the sender to
store the MAC address of the attacking system in the ARP cache. This MAC
address is also stored by the switch in its CAM table. In this way the network
attacker has inserted the MAC address of his or her system into both the CAM
table of the switch and the ARP cache of the sender. This allows the network
attacker to intercept frames destined for the host that is being spoofed.
Mitigating ARP Spoofing
• Dynamic ARP Inspection
Dynamic ARP Inspection (DAI) determines the validity of an ARP packet based
on the valid MAC address to IP address bindings stored in a DHCP snooping
database. Additionally, DAI can validate ARP packets based on user-
configurable ACLs. This allows for the inspection of ARP packets for hosts
using statically configured IP addresses. DAI allows for the use of per-port and
VLAN Access Control Lists (VACLs) to limit ARP packets for specific IP
addresses to specific MAC addresses.
NOTE: Dynamic ARP Inspection (DAI) is not available on the Cisco Catalyst
2950 switch. DAI is available on Catalyst models 3550 and higher.

Switch(config)#ip arp inspection vlan vlan_id[,vlan_id]
• Enables DAI on a VLAN or range of VLANs
Switch(config-if)#ip arp inspection trust
• Enables DAI on an interface and sets the interface as a trusted interface

If you have hosts with statically configured IP address information,
there will be no DHCP message exchange that can be inspected.
Instead, you can configure an ARP access list (discussed later) that
defines static MAC-IP address bindings that are permitted.
Or add a static DHCP snooping binding, entered from privileged EXEC mode:
Switch# ip dhcp snooping binding mac-address vlan vlan-id ip-address
interface interface-id expiry seconds

Note:
The DHCP snooping binding table on Catalyst switches holds up to 8,000
entries.

260 AHMED NABIL


When ARP packets are intercepted on an untrusted port, their contents are matched against the access list entries first. If no match is found, the DHCP snooping bindings database is checked next.
You can add the static keyword to prevent the DHCP bindings database from being checked at all. In effect, this creates an implicit deny statement at the end of the ARP access list: if no match is found in the access list, the ARP packet is considered invalid and dropped.

Finally, you can specify further validations on the contents of ARP packets. By default, only the sender MAC and IP addresses contained within the ARP body are validated against the ACL or the bindings; the MAC addresses in the Ethernet header of the frame are not taken into account. An attacker can therefore place a legitimate sender MAC/IP pair inside the ARP body while sending the frame from a different source MAC. To validate that an ARP packet is really coming from the address listed inside it, enable the additional checks with the following global configuration command (it applies to every VLAN on which DAI is enabled):
Switch(config)# ip arp inspection validate {[src-mac] [dst-mac] [ip]}

Be sure to specify at least one of the options; each time the command is entered it replaces the previous set of options rather than adding to it:
■ src-mac—Check the source MAC address in the Ethernet header against the sender MAC address in the ARP body. Applied to both ARP requests and replies.
■ dst-mac—Check the destination MAC address in the Ethernet header against the target MAC address in the ARP body. Applied to ARP replies only.
■ ip—Check the ARP body for invalid or unexpected IP addresses (0.0.0.0, 255.255.255.255, and multicast addresses). The sender IP address is checked in all ARP requests and replies; the target IP address is checked in ARP replies only.


IP Source Guard
Address spoofing is one type of attack that can be difficult to mitigate. Normally, a host is assigned an IP address and is expected to use that address in all the traffic it sends out. IP addresses are effectively used on the honor system, where hosts are trusted to behave themselves and use their own legitimate source addresses.
Routers or Layer 3 devices can perform some simple tests to detect spoofed source addresses in packets passing through. For example, if the 10.10.0.0 network is known to exist on VLAN 10, packets entering from VLAN 20 should never have source addresses in that subnet.
However, it is difficult to detect spoofed addresses when they are used inside the VLAN or subnet where they should already exist. For example, within the 10.10.0.0 network on VLAN 10, as shown in the figure, a rogue host begins to send packets with a spoofed source address of 10.10.10.10. The 10.10.10.10 address is certainly within the 10.10.0.0/16 subnet, so it does not stand out as an obvious spoof. Therefore, the rogue host might be very successful in attacking other hosts in its own subnet or VLAN.
Cisco Catalyst switches can use the IP Source Guard feature to detect and suppress address spoofing attacks, even if they occur within the same subnet. A Layer 2 switch, and a Layer 2 port in turn, normally learns and stores only MAC addresses. The switch must have a way to look up MAC addresses and find out which IP addresses are associated with them.

IP Source Guard does this by making use of the DHCP snooping database and static IP source binding entries. If DHCP snooping is configured and enabled, the switch learns the MAC and IP addresses of hosts that use DHCP. Packets arriving on a switch port can then be tested for one or both of the following conditions:
■ The source IP address must be identical to the IP address learned by DHCP snooping or a static entry. A dynamic port ACL is used to filter traffic. The switch automatically creates this ACL, adds the learned source IP address to it, and applies the ACL to the interface where the address was learned.
■ The source MAC address must be identical to the MAC address learned on the switch port and by DHCP snooping. Port security is used to filter traffic.
If the address is something other than the one learned or statically configured, the switch drops the packet. Until a binding exists for a port, only DHCP traffic is allowed through it, so a host with a static address behind an IP Source Guard port needs a static binding before it can send anything at all.

Mitigate IP spoofing:
To ensure that a given source IP address (and optionally MAC address) is accepted only on the switch port where it was learned, use IP Source Guard. It is configured on untrusted Layer 2 interfaces, typically the same access ports that are untrusted for DHCP snooping.

For the hosts that do not use DHCP, you can configure a static IP source binding with the following global configuration command:
Switch(config)# ip source binding mac-address vlan vlan-id ip-address interface type mod/num

Switch(config)# ip dhcp snooping

• Enables DHCP snooping globally

Switch(config)# ip dhcp snooping vlan number [number]

• Enables DHCP snooping on a specific VLAN (or range of VLANs). Without snooping there is no binding table for IP Source Guard to use, apart from static bindings.

Switch(config-if)# ip verify source [port-security]

• Enables IP Source Guard on the port. The ip verify source command inspects the source IP address only. Add the port-security keyword to inspect the source MAC address as well; in that case port security must also be enabled on the interface (switchport port-security), because the MAC check is enforced through port security.
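The following Python script is an added example, not part of the course notes. It applies the DAI checks described above (the validate options, then the ARP access list, then the DHCP snooping bindings unless static is set) and the IP Source Guard check to constructed Ethernet/ARP frames, so the order of the checks and the effect of each option can be seen on real frame bytes. The addresses, port names and binding table are assumptions made up for the demonstration; the frame layout is standard IPv4-over-Ethernet ARP, so parse_arp can equally be fed frames taken from a capture to see what DAI would drop on a given port.

```python
import struct
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, FrozenSet, List, Optional, Tuple

ETHERTYPE_ARP = 0x0806
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa (28 bytes)

def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

@dataclass
class ArpFrame:
    eth_src: str  # source MAC in the Ethernet header
    eth_dst: str  # destination MAC in the Ethernet header
    op: int       # 1 = request, 2 = reply
    sha: str      # sender MAC inside the ARP body
    spa: str      # sender IP inside the ARP body
    tha: str      # target MAC inside the ARP body
    tpa: str      # target IP inside the ARP body

def build_arp(eth_src: str, eth_dst: str, op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Constructed Ethernet/ARP frame: 14-byte Ethernet header followed by the 28-byte ARP body."""
    eth = struct.pack("!6s6sH", _mac_bytes(eth_dst), _mac_bytes(eth_src), ETHERTYPE_ARP)
    return eth + struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, _mac_bytes(sha),
                             ip_address(spa).packed, _mac_bytes(tha), ip_address(tpa).packed)

def parse_arp(frame: bytes) -> Optional[ArpFrame]:
    """Decode an Ethernet/ARP frame; None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpFrame(_mac_str(frame[6:12]), _mac_str(frame[:6]), op, _mac_str(sha),
                    str(ip_address(spa)), _mac_str(tha), str(ip_address(tpa)))

Binding = Tuple[str, str, int, str]  # (mac, ip, vlan, port): a DHCP snooping or 'ip source binding' entry

@dataclass
class Policy:
    bindings: List[Binding]
    arp_acl: Dict[str, str] = field(default_factory=dict)  # 'permit ip host <ip> mac host <mac>' entries
    static: bool = False                                    # 'ip arp inspection filter ... static'
    validate: FrozenSet[str] = frozenset()                  # any of 'src-mac', 'dst-mac', 'ip'

def _bogus_ip(ip: str) -> bool:
    return ip in ("0.0.0.0", "255.255.255.255") or ip_address(ip).is_multicast

def dai_check(pkt: ArpFrame, vlan: int, pol: Policy) -> str:
    """Verdict for an ARP packet on an untrusted port: 'permit' or 'drop: <reason>'."""
    # 1. Header/body consistency checks enabled with 'ip arp inspection validate'.
    if "src-mac" in pol.validate and pkt.eth_src != pkt.sha:
        return "drop: Ethernet source != ARP sender MAC"
    if "dst-mac" in pol.validate and pkt.op == 2 and pkt.eth_dst != pkt.tha:
        return "drop: Ethernet destination != ARP target MAC"
    if "ip" in pol.validate and (_bogus_ip(pkt.spa) or (pkt.op == 2 and _bogus_ip(pkt.tpa))):
        return "drop: invalid IP address in ARP body"
    # 2. The ARP access list is consulted first.
    if pol.arp_acl.get(pkt.spa) == pkt.sha:
        return "permit"
    if pol.static:  # 'static': no ACL match means deny; the bindings are never consulted
        return "drop: no ARP ACL match (static)"
    # 3. Otherwise the sender MAC/IP pair must exist in the bindings for this VLAN.
    if any(mac == pkt.sha and ip == pkt.spa and v == vlan for mac, ip, v, _ in pol.bindings):
        return "permit"
    return "drop: no DHCP snooping binding"

def ipsg_check(eth_src: str, src_ip: str, port: str, pol: Policy, port_security: bool = False) -> str:
    """'ip verify source [port-security]': source IP (and MAC) must match a binding learned on this port."""
    for mac, ip, _, p in pol.bindings:
        if p == port and ip == src_ip and (not port_security or mac == eth_src):
            return "permit"
    return "drop"

# Constructed scenario (assumed addresses): VLAN 10, gateway 10.10.0.1 behind the trusted uplink, two DHCP
# clients with snooping bindings, and a server with a static address that only the ARP ACL knows about.
GW_MAC, PC_MAC = "00:00:0c:00:00:01", "00:11:22:33:44:55"
SRV_MAC, EVIL_MAC = "00:aa:bb:cc:dd:ee", "de:ad:be:ef:00:01"
POLICY = Policy(bindings=[(PC_MAC, "10.10.0.50", 10, "Fa0/2"), (EVIL_MAC, "10.10.0.66", 10, "Fa0/3")],
                arp_acl={"10.10.0.200": SRV_MAC}, validate=frozenset({"src-mac", "dst-mac", "ip"}))

def demo(pol: Policy = POLICY) -> Dict[str, str]:
    legit = parse_arp(build_arp(PC_MAC, GW_MAC, 2, PC_MAC, "10.10.0.50", GW_MAC, "10.10.0.1"))
    # Attacker answers for the gateway's IP with its own MAC: the poisoning reply described in the text.
    poison = parse_arp(build_arp(EVIL_MAC, PC_MAC, 2, EVIL_MAC, "10.10.0.1", PC_MAC, "10.10.0.50"))
    # Attacker copies a valid MAC/IP pair into the ARP body, but the frame still comes from its own MAC.
    hdr_mismatch = parse_arp(build_arp(EVIL_MAC, GW_MAC, 2, PC_MAC, "10.10.0.50", GW_MAC, "10.10.0.1"))
    server = parse_arp(build_arp(SRV_MAC, GW_MAC, 2, SRV_MAC, "10.10.0.200", GW_MAC, "10.10.0.1"))
    return {
        "legit": dai_check(legit, 10, pol),
        "poison": dai_check(poison, 10, pol),
        "hdr_mismatch": dai_check(hdr_mismatch, 10, pol),
        "server_via_acl": dai_check(server, 10, pol),
        "ipsg_ip_spoof": ipsg_check(EVIL_MAC, "10.10.0.50", "Fa0/3", pol),
        "ipsg_ok": ipsg_check(PC_MAC, "10.10.0.50", "Fa0/2", pol),
        "ipsg_mac_spoof": ipsg_check(EVIL_MAC, "10.10.0.50", "Fa0/2", pol, port_security=True),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} {verdict}")
```

Running demo() with the default policy permits the legitimate reply and the static server (via the ARP ACL), drops the poisoning reply because no binding pairs the attacker's MAC with the gateway address, and drops the copied MAC/IP pair only because src-mac validation is on; with a Policy that sets static=True, every host not listed in the ARP ACL is dropped regardless of the bindings.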


VLAN hopping attacks
• VLAN hopping is a network attack whereby an attacking system sends out packets destined for a system on a different VLAN that cannot normally be reached by the attacker. This traffic is tagged with a VLAN ID for a VLAN other than the one to which the attacking system belongs. The attacking system can also attempt to behave like a switch and negotiate trunking so that the attacker can send and receive traffic between multiple VLANs.
• Switch Spoofing
In a switch spoofing attack, the network attacker configures a system to spoof itself as a switch. This requires that the network attacker be capable of emulating either ISL or 802.1Q signaling along with Dynamic Trunking Protocol (DTP) signaling. Using this method a network attacker can make a system appear to be a switch with a trunk port. If successful, the attacking system then becomes a member of all VLANs carried on the trunk. The attack only works against ports left in a dynamic DTP mode (dynamic auto or dynamic desirable), which will form a trunk with anything that speaks DTP.
• Double Tagging
Another VLAN hopping attack involves tagging the transmitted frames with two 802.1Q headers in order to forward the frames to the wrong VLAN. The first switch that encounters the double-tagged frame strips the outer tag off the frame and then forwards it. If the outer tag (the attacker's own VLAN) is the native VLAN of the trunk, the frame leaves the trunk untagged, so what the next switch sees is a frame carrying only the inner 802.1Q tag. The second switch then forwards the frame to the destination based on the VLAN identifier in that inner header. The attack therefore requires the attacker's access VLAN to be the native VLAN of the trunk, and it is one-way: the victim's replies are switched normally and never reach the attacker's VLAN.


Mitigating VLAN hopping attacks
• Mitigating VLAN hopping attacks requires several modifications to the VLAN configuration. One of the more important elements is to use a dedicated VLAN ID for the native VLAN of all trunk ports. Also, disable all unused switch ports and place them in an unused VLAN. Set all user ports to non-trunking mode by explicitly turning off DTP on those ports. This is accomplished on IOS switches by setting the switch port mode to access with the switchport mode access interface configuration command (on ports that must trunk, switchport mode trunk together with switchport nonegotiate stops DTP as well). Using 802.1X port authentication on user ports limits the attack further, because an unauthenticated device cannot send anything but EAPOL frames.
• Clearly, the key to the double-tagging attack revolves around the use of untagged native VLANs. Therefore, to thwart VLAN hopping, you always should carefully configure trunk links with the following steps:
• Step 1. Set the native VLAN of a trunk to a bogus or unused VLAN ID.
• Step 2. Prune the native VLAN off both ends of the trunk.
• For example, suppose that an 802.1Q trunk should carry only VLANs 10 and 20. You should set the native VLAN to an unused value, such as 800. Then you should remove VLAN 800 from the trunk so that it is confined to the trunk link itself.


Configuring the 802.1Q Trunk to Carry Only VLANs 10 and 20
Switch(config)# vlan 800
Switch(config-vlan)# name bogus_native
Switch(config-vlan)# exit
Switch(config)# interface gigabitethernet 1/1
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport trunk native vlan 800
Switch(config-if)# switchport trunk allowed vlan remove 800
Switch(config-if)# switchport mode trunk
The same native VLAN must be configured on both ends of the trunk; a mismatch is reported by CDP and causes frames to leak between the two native VLANs.
One alternative is to force all 802.1Q trunks to add tags to frames for the native VLAN, too. The double-tagged VLAN hopping attack then will not work, because the switch will not strip the outer tag carrying the native VLAN ID (VLAN 10, if the attacker sits on VLAN 10 and VLAN 10 is the native VLAN). Instead, that tag remains on the spoofed frame as it enters the trunk. At the far end of the trunk, the same tag is examined, and the frame stays on the original access VLAN (VLAN 10).
To force a switch to tag the native VLAN on all its 802.1Q trunks, use the following global configuration command:
Switch(config)# vlan dot1q tag native
Because the command is global, enable it on every switch sharing those trunks: a switch with native tagging enabled drops untagged frames arriving on a trunk on most platforms, so a peer that still sends its native VLAN untagged loses that traffic.
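As an added example (not from the course notes), the Python model below builds the attacker's double-tagged frame and pushes it through a simplified access port, trunk egress and trunk ingress, so the effect of the three trunk settings above (native VLAN equal to the attacker's VLAN, a bogus pruned native VLAN, and vlan dot1q tag native) can be seen directly on the bytes. The switching behaviour is a simplification; the VLAN numbers are the ones used in the text and the frame contents are made up.

```python
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

TPID_8021Q = 0x8100

def push_tag(frame: bytes, vlan: int) -> bytes:
    """Insert an 802.1Q tag (PCP/DEI 0) between the MAC addresses and the EtherType."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF) + frame[12:]

def pop_tag(frame: bytes) -> Tuple[Optional[int], bytes]:
    """Strip the outermost 802.1Q tag; returns (None, frame) when the frame is untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF, frame[:12] + frame[16:]
    return None, frame

@dataclass(frozen=True)
class Trunk:
    native: int               # switchport trunk native vlan
    allowed: FrozenSet[int]   # switchport trunk allowed vlan
    tag_native: bool = False  # vlan dot1q tag native (global)

def access_ingress(frame: bytes, access_vlan: int) -> Optional[Tuple[int, bytes]]:
    """Access port: untagged frames, or frames tagged with the port's own VLAN (tag removed), are accepted."""
    tag, payload = pop_tag(frame)
    if tag is not None and tag != access_vlan:
        return None
    return access_vlan, payload

def trunk_egress(frame: bytes, vlan: int, trunk: Trunk) -> Optional[bytes]:
    """First switch sends onto the trunk. Native VLAN frames leave untagged unless native tagging is forced."""
    if vlan not in trunk.allowed:
        return None
    if vlan == trunk.native and not trunk.tag_native:
        return frame  # untagged: the step that double tagging depends on
    return push_tag(frame, vlan)

def trunk_ingress(frame: bytes, trunk: Trunk) -> Optional[Tuple[int, bytes]]:
    """Second switch classifies by the outer tag, or by the native VLAN if the frame is untagged."""
    tag, payload = pop_tag(frame)
    if tag is None:
        if trunk.tag_native:
            return None  # untagged frames are dropped once native tagging is enforced
        tag, payload = trunk.native, frame
    return (tag, payload) if tag in trunk.allowed else None

def double_tag_attack(trunk: Trunk, attacker_vlan: int = 10, victim_vlan: int = 20) -> Optional[int]:
    """VLAN in which the second switch delivers the attacker's double-tagged frame, or None if it is dropped."""
    # Constructed payload: broadcast destination, attacker's MAC, IPv4 EtherType, dummy data.
    inner = b"\xff" * 6 + bytes.fromhex("deadbeef0001") + b"\x08\x00" + b"hop"
    crafted = push_tag(push_tag(inner, victim_vlan), attacker_vlan)  # outer = own VLAN, inner = target VLAN
    hop1 = access_ingress(crafted, attacker_vlan)
    if hop1 is None:
        return None
    on_wire = trunk_egress(hop1[1], hop1[0], trunk)
    if on_wire is None:
        return None
    hop2 = trunk_ingress(on_wire, trunk)
    return None if hop2 is None else hop2[0]

if __name__ == "__main__":
    vulnerable = Trunk(native=10, allowed=frozenset({10, 20}))
    hardened = Trunk(native=800, allowed=frozenset({10, 20}))  # bogus native VLAN, pruned from the trunk
    tagged = Trunk(native=10, allowed=frozenset({10, 20}), tag_native=True)
    for name, t in (("native=10", vulnerable), ("native=800", hardened), ("tag native", tagged)):
        print(f"{name:12s} frame delivered in VLAN {double_tag_attack(t)}")
```

With the native VLAN equal to the attacker's VLAN the frame is delivered into VLAN 20; with the bogus native VLAN or with native tagging the outer tag survives the first hop and the frame stays in VLAN 10, where the leftover inner tag is just payload.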


Spanning-Tree Protocol vulnerabilities
• Another attack against switches involves intercepting traffic by attacking the Spanning-Tree Protocol. This protocol is used in switched networks to prevent the creation of bridging loops in an Ethernet network topology. Upon bootup the switches begin a process of determining a loop-free topology. The switches identify one switch as the root bridge and block all other redundant data paths.
• By attacking the Spanning-Tree Protocol, the network attacker hopes to have his or her system elected as the root bridge of the topology. To do this the network attacker sends Spanning-Tree Protocol Configuration/Topology Change Bridge Protocol Data Units (BPDUs) in an attempt to force spanning-tree recalculations. The BPDUs sent out by the attacking system announce a bridge ID with a lower (better) priority than the current root. If successful, the network attacker can see a variety of frames. The figure illustrates how a network attacker uses this to change the topology of a network so that the attacking host appears to be the root bridge, because it advertises the most preferred bridge ID. By transmitting spoofed BPDUs, the network attacker causes the switches to initiate spanning-tree recalculations. Once the attacking system has become the root bridge, the two switches forward frames through it, which places it in the middle of the traffic. Any host that can send BPDUs on a plain access port can attempt this, which is why access ports should never accept BPDUs at all.


Preventing Spanning-Tree Protocol manipulation
• To mitigate Spanning-Tree Protocol manipulation, use the root guard and the BPDU guard features to enforce the placement of the root bridge in the network as well as to enforce the Spanning-Tree Protocol domain borders. The root guard feature is designed to provide a way to enforce the root-bridge placement in the network: a port with root guard enabled can be a designated port but never a root port, so a superior BPDU received there puts the port into the root-inconsistent (blocking) state until the superior BPDUs stop. The Spanning-Tree Protocol BPDU guard feature is designed to allow network administrators to keep the active network topology predictable by error-disabling a PortFast port as soon as any BPDU arrives on it. While these guards may seem unnecessary given that the administrator can set the root bridge priority to zero, there is still no guarantee that it will be elected as the root bridge, because an attacker can also use priority zero with a lower MAC address and therefore a lower bridge ID. BPDU guard is best deployed on user-facing ports to prevent rogue switch network extensions by an attacker; root guard belongs on the designated ports facing other switches that should never become the path to the root.
• Spanning-Tree Protocol Guard
Use the spanning-tree guard interface configuration command, spanning-tree guard {root | loop | none}, to enable root guard or loop guard on all the VLANs associated with the selected interface. Root guard prevents the interface from becoming the Spanning-Tree root port, that is, the path to the root for the switch. Loop guard prevents alternate or root ports from becoming designated ports when a failure creates a unidirectional link. Use the no form of this command to return to the default setting.


•Spanning-Tree Protocol BPDU Guard
Use the spanning-tree portfast global configuration command to globally enable BPDU filtering on PortFast-enabled ports (spanning-tree portfast bpdufilter default), the BPDU guard feature on PortFast-enabled ports (spanning-tree portfast bpduguard default), or the PortFast feature on all nontrunking ports (spanning-tree portfast default). The BPDU filtering feature prevents the switch port from sending or receiving BPDUs. The BPDU guard feature puts PortFast-enabled ports that receive BPDUs in an error-disabled state; the port stays down until it is reset with shutdown and no shutdown, or recovered automatically with errdisable recovery cause bpduguard. BPDU guard can also be enabled on a single interface, regardless of PortFast, with spanning-tree bpduguard enable. Use the no form of these commands to return to the default setting.

BPDU filtering is another way of handling BPDUs at the edge of the network. It also can be enabled either globally or at the interface, and functions differently at each. In global configuration, a PortFast interface sends a few BPDUs after link-up and then stops; if it ever receives a BPDU, it is taken out of PortFast status and out of BPDU filtering, and STP runs on it normally. In interface configuration mode, it unconditionally prevents the port from sending or receiving BPDUs, which effectively disables STP on that port: a switch or a loop connected there goes unnoticed, so interface-level BPDU filtering is a loop risk rather than a protection, and BPDU guard is the safer choice on user ports. The commands are:
(config)# spanning-tree portfast bpdufilter default
(config-if)# spanning-tree bpdufilter enable
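The following Python model is an added example, not code from the course notes. It represents bridge IDs as (priority, MAC) tuples so that tuple ordering gives STP's lower-is-better comparison, and shows what happens when the rogue priority-0 BPDU from the attack described above arrives on a user port with no guard, with root guard, and with BPDU guard. Path cost, timers and the full port-role calculation are omitted, and the bridge IDs and port names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

BridgeId = Tuple[int, str]  # (priority, MAC address); tuple order gives STP's "lower wins" comparison

@dataclass(frozen=True)
class Bpdu:
    root_id: BridgeId    # bridge the sender believes is root
    sender_id: BridgeId  # bridge that sent the BPDU (path cost and port ID tie-breaks are left out)

@dataclass
class Port:
    name: str
    root_guard: bool = False  # spanning-tree guard root
    bpdu_guard: bool = False  # spanning-tree bpduguard enable (on a PortFast edge port)
    state: str = "forwarding"

@dataclass
class Switch:
    bridge_id: BridgeId
    ports: Dict[str, Port] = field(default_factory=dict)
    root_id: Optional[BridgeId] = None
    root_port: Optional[str] = None

    def __post_init__(self) -> None:
        if self.root_id is None:
            self.root_id = self.bridge_id  # every bridge starts out believing it is the root

    def receive_bpdu(self, port_name: str, bpdu: Bpdu) -> str:
        """Apply one received BPDU and report what happened."""
        port = self.ports[port_name]
        if port.bpdu_guard:
            port.state = "err-disabled"  # any BPDU on a guarded edge port shuts the port down
            return "err-disabled"
        if bpdu.root_id < self.root_id:  # a superior root is being announced on this port
            if port.root_guard:
                port.state = "root-inconsistent"  # blocked while superior BPDUs keep arriving
                return "root-inconsistent"
            self.root_id, self.root_port = bpdu.root_id, port_name
            return "new root"
        if port.state == "root-inconsistent":
            port.state = "forwarding"  # simplification: real switches wait out max-age first
        return "no change"

# Constructed scenario: an access switch whose uplink Gi1/1 hears the real root (priority 24576)
# and whose user port Fa0/5 receives a rogue BPDU advertising priority 0, as in the attack above.
LEGIT_ROOT = Bpdu(root_id=(24576, "00:00:0c:00:00:01"), sender_id=(24576, "00:00:0c:00:00:01"))
ROGUE = Bpdu(root_id=(0, "de:ad:be:ef:00:01"), sender_id=(0, "de:ad:be:ef:00:01"))

def scenario(user_port_guard: str) -> Tuple[str, BridgeId, str]:
    """user_port_guard is 'none', 'root' or 'bpdu'. Returns (verdict, root after the attack, Fa0/5 state)."""
    sw = Switch(bridge_id=(32768, "00:00:0c:aa:aa:aa"))
    sw.ports["Gi1/1"] = Port("Gi1/1")  # uplink toward the real root: must be allowed to become root port
    sw.ports["Fa0/5"] = Port("Fa0/5", root_guard=(user_port_guard == "root"),
                             bpdu_guard=(user_port_guard == "bpdu"))
    sw.receive_bpdu("Gi1/1", LEGIT_ROOT)       # normal convergence
    verdict = sw.receive_bpdu("Fa0/5", ROGUE)  # attacker's superior BPDU on the user port
    return verdict, sw.root_id, sw.ports["Fa0/5"].state

if __name__ == "__main__":
    for guard in ("none", "root", "bpdu"):
        verdict, root, state = scenario(guard)
        print(f"guard={guard:5s} -> {verdict:18s} root={root} Fa0/5={state}")
```

Without a guard the attacker's bridge ID wins and the user port becomes the root port; with root guard the real root is kept and only the offending port is blocked; with BPDU guard the port is error-disabled before the BPDU is even evaluated.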


Types of ACLs available on switch:
IP ACL:
(config)# ip access-list extended name
(config-ext-nacl)# {permit | deny} protocol source-ip destination-ip [application]
Ex:
(config)# ip access-list extended ccnp
(config-ext-nacl)# permit ip host 192.168.1.99 192.168.1.0 0.0.0.255

MAC Access-Lists
(config)# mac access-list extended list-name
(config-ext-macl)# {permit | deny} {any | host src-mac | src-mac mask} {any | host dst-mac | dst-mac mask} [ethertype]

Example
(config)# mac access-list extended ccnp
(config-ext-macl)# permit host 0001.0000.0001 host 0002.0000.0001

ARP access-list:
This list is checked against ARP packets by Dynamic ARP Inspection, mainly to prevent ARP spoofing by hosts with static addresses that never appear in the DHCP snooping binding table. Use the following configuration commands to define the ARP access list and one or more static entries:
Switch(config)# arp access-list acl-name
Switch(config-acl)# permit ip host sender-ip mac host sender-mac
[Repeat the previous command as needed]
Now the ARP access list must be applied to DAI with the following configuration command:
Switch(config)# ip arp inspection filter arp-acl-name vlan vlan-range [static]
The static option means that the DHCP snooping binding table (the dynamic entries) is not consulted when no permit entry in the ARP ACL matches the packet, so only the hosts listed in the ACL can send ARP on those VLANs.


VLAN Access Lists (VLAN access map)
• Access lists can manage or control traffic as it passes through a switch. Each
ACL is applied to an interface according to the direction of traffic—inbound
or outbound. Packets can then be filtered in hardware with no switching
performance penalty. However, only packets that pass between VLANs can
be filtered this way.
• Packets that stay in the same VLAN do not ever cross a VLAN or interface
boundary and do not necessarily have a direction in relation to an interface.
These packets might also be non-IP, non-IPX, or completely bridged;
therefore, they never pass through the multilayer switching mechanism.
• VLAN access lists (VACLs) are filters that can directly affect how packets
are handled within a VLAN.

VACL Configuration
• 1- Create VACL:
Switch(config)# vlan access-map map-name [sequence-number]
Switch(config-access-map)# match {ip address {acl-number | acl-name}} | {ipx address {acl-number | acl-name}} | {mac address acl-name}
Switch(config-access-map)# action {drop | forward [capture] | redirect interface type mod/num}
• 2- Apply the VACL to one or more VLANs using the following global configuration command:
Switch(config)# vlan filter map-name vlan-list vlan-list
The match clause identifies traffic through a regular IP or MAC access list. A VLAN access map has an implicit drop at the end, so a final sequence with no match clause and action forward is needed for all other traffic to pass.
For example, suppose that you need to filter traffic within VLAN 99 so that host 192.168.99.17 is not allowed to contact any other host on its local subnet. Access list local-17 is created to identify traffic between this host and anything else on its local subnet (permit ip host 192.168.99.17 192.168.99.0 0.0.0.255). Then a VLAN access map is defined with a first sequence that matches ip address local-17 and has action drop, followed by a second sequence with no match clause and action forward, and the map is applied to VLAN 99 with vlan filter. If the local-17 access list permits the packet, the packet is dropped; otherwise, the packet is forwarded.


Private VLANs
Normally, traffic is allowed to move unrestricted within a VLAN. Packets
sent from one host to another normally are heard only by the destination host
because of the nature of Layer 2 switching.

However, if one host broadcasts a packet, all hosts on the VLAN must listen.
You can use a VACL to filter packets between a source and destination in a
VLAN if both connect to the local switch.
Sometimes it would be nice to have the capability to segment traffic within a single VLAN, without having to use multiple VLANs and a router. For example, in a single-VLAN server farm, all servers should be capable of communicating with the router or gateway, but the servers should not have to listen to each other's broadcast traffic. Taking this a step further, suppose that each server belongs to a separate organization. Now each server should be isolated from the others but still be capable of reaching the gateway to find clients not on the local network.
Another application is a service provider network. Here, the provider might want to use a single VLAN to connect to several customer networks. Each customer needs to be able to contact the provider's gateway on the VLAN. Clearly, the customer sites do not need to interact with each other.

Private VLANs (PVLANs) solve this problem on Catalyst switches. In a nutshell, a normal, or primary, VLAN can be logically associated with special unidirectional, or secondary, VLANs. Hosts associated with a secondary VLAN can communicate with ports on the primary VLAN (a router, for example), but not with another secondary VLAN.
Private VLANs are a common mechanism to restrict communications between systems on the same logical IP subnet. They work by limiting the ports within a VLAN that can communicate with other ports in the same VLAN. Isolated ports within a VLAN can communicate only with promiscuous ports. Community ports can communicate only with other members of the same community and with promiscuous ports. Promiscuous ports can communicate with any port.

• A secondary VLAN is configured as one of the following types:
- Isolated—Any switch ports associated with an isolated VLAN can reach the primary VLAN but not any other secondary VLAN. In addition, hosts associated with the same isolated VLAN cannot reach each other. They are, in effect, isolated from everything except the primary VLAN. A primary VLAN can have only one isolated VLAN, and one is all that is ever needed.
- Community—Any switch ports associated with a common community VLAN can communicate with each other and with the primary VLAN but not with any other secondary VLAN. This provides the basis for server farms and workgroups within an organization, while giving isolation between organizations.

• All secondary VLANs must be associated with one primary VLAN to set up the unidirectional relationship. You must also define the port with one of the following modes:
- Promiscuous (primary VLAN port)—The switch port connects to a router, firewall, or other common gateway device. This port can communicate with anything else connected to the primary or any secondary VLAN. In other words, the port is in promiscuous mode, where the rules of private VLANs are ignored.
- Host (secondary VLAN port)—The switch port connects to a regular host that resides on an isolated or community VLAN. The port communicates only with a promiscuous port or with ports on the same community VLAN.


Private VLAN Configuration
Private VLANs require VTP transparent mode (VTP versions 1 and 2 do not propagate them), so set vtp mode transparent and configure the VLANs on each switch.
1) Creating Private VLAN:
• Define any secondary VLANs that are needed for isolation
Switch(config)# vlan vlan-id
Switch(config-vlan)# private-vlan {isolated | community}

• Define the primary VLAN that will provide the underlying private VLAN connectivity, and associate the secondary VLANs with it (the secondary VLANs must already exist)
Switch(config)# vlan vlan-id
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association {secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list}

2) Activating VLAN (assigning VLAN to switchport):
• Define the function of the port that will participate on a private VLAN
Switch(config-if)# switchport mode private-vlan {host | promiscuous}

• For a host (nonpromiscuous) port, the switch port must know which primary and secondary VLAN it belongs to
Switch(config-if)# switchport private-vlan host-association primary-vlan-id secondary-vlan-id

• For a promiscuous port, map the port to the primary VLAN and to the secondary VLANs it is allowed to exchange traffic with:
Switch(config-if)# switchport private-vlan mapping primary-vlan-id {secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list}

• The primary VLAN can forward traffic at Layer 3 like any regular VLAN (through its SVI it can reach any other VLAN), but the secondary VLANs associated with it exist only at Layer 2. To let hosts in the secondary VLANs be routed as well (to other VLANs and other primary VLANs; this does not let them reach the other secondary VLANs of their own primary), add a private VLAN mapping to the primary VLAN's SVI. The primary VLAN SVI function is then extended to the secondary VLANs, instead of requiring an SVI for each of them:
Switch(config)# interface vlan primary-vlan-id
Switch(config-if)# private-vlan mapping {secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list}
Configuration Example
Switch(config)# vlan 10
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 20
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 30
Switch(config-vlan)# private-vlan isolated
Switch(config)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 10,20,30
Switch(config-vlan)# exit
Switch(config)# interface range fastethernet 1/1 - 2
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 10
Switch(config)# interface range fastethernet 1/4 - 5
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 20
Switch(config)# interface fastethernet 1/3
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 30
Switch(config)# interface fastethernet 2/1
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 10,20,30
Switch(config)# interface vlan 100
Switch(config-if)# ip address 192.168.199.1 255.255.255.0
Switch(config-if)# private-vlan mapping 10,20,30
Result: ports 1/1 and 1/2 (community 10) see each other and the gateway on 2/1; ports 1/4 and 1/5 (community 20) likewise; port 1/3 (isolated 30) sees only the gateway; none of the three secondary VLANs can reach each other at Layer 2.


Private VLAN vulnerabilities
• Private VLANs enforce their restrictions only at Layer 2. One network attack capable of bypassing the segmentation of private VLANs involves using the gateway as a proxy to reach a host that the switch would never deliver frames to directly.
• Private VLAN Proxy Attack
In this network attack against private VLANs, frames are forwarded to a host on the network connected to a promiscuous port, such as a router. In the figure the network attacker sends a packet with the source IP and MAC address of their device, a destination IP address of the target system, but a destination MAC address of the router. The switch forwards the frame to the router, because the router sits on a promiscuous port. The router routes the traffic, rewrites the destination MAC address as that of the target, and sends the packet back out. Now the packet has the proper format as shown in the figure and is forwarded to the target system, again because it comes from the promiscuous port. This network attack allows only for unidirectional traffic, because any attempt by the target to send traffic back (starting with its ARP request for the attacker's address) will be blocked by the private VLAN configuration. If both hosts are compromised, static ARP entries pointing at the router's MAC address could be used to allow bidirectional traffic. This scenario is not a private VLAN vulnerability, because all the rules of private VLANs were enforced. However, the network security was bypassed.
• NOTE: Private VLANs are not configurable on the Cisco Catalyst 2950 switch.


Defending private VLANs
• ACLs can be configured on the router port to mitigate private VLAN proxy attacks, because the proxied packet is easy to recognize: it arrives at the gateway with both its source and its destination address inside the same directly connected subnet, which legitimate traffic never does. VLAN ACLs (VACLs) can also be used to help mitigate the effects of private VLAN attacks. For example, if a server farm segment were 172.16.34.0/24, an inbound ACL on the default gateway interface that denies ip 172.16.34.0 0.0.0.255 172.16.34.0 0.0.0.255 and then permits the remaining traffic (the ACL shown in the figure) would mitigate the private VLAN proxy attack.
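As an added example (not part of the course notes), the Python model below walks the proxy attack through the private VLAN forwarding rules and the gateway, with and without the gateway ACL described above. The host addresses, port names and the exact ACL body (deny traffic from 172.16.34.0/24 to 172.16.34.0/24, permit everything else) are assumptions, since the figure is not reproduced in the notes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class PvlanPort:
    name: str
    mode: str                        # 'promiscuous', 'isolated' or 'community'
    community: Optional[int] = None  # secondary VLAN ID for community ports

def pvlan_l2_allowed(src: PvlanPort, dst: PvlanPort) -> bool:
    """Layer 2 forwarding rules between two ports of the same primary VLAN."""
    if src.mode == "promiscuous" or dst.mode == "promiscuous":
        return True
    if src.mode == "community" and dst.mode == "community":
        return src.community == dst.community
    return False  # isolated ports reach promiscuous ports only

@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str

# Constructed server farm on 172.16.34.0/24 (the subnet used in the text): gateway on the promiscuous
# port, two customer servers on isolated ports. All addresses and port names are assumptions.
SUBNET = ip_network("172.16.34.0/24")
GATEWAY_IP = "172.16.34.1"
HOSTS: Dict[str, Tuple[str, PvlanPort]] = {  # ip -> (mac, port)
    GATEWAY_IP: ("00:00:0c:00:00:01", PvlanPort("Gi1/1", "promiscuous")),
    "172.16.34.10": ("00:aa:00:00:00:10", PvlanPort("Fa1/1", "isolated")),
    "172.16.34.20": ("00:aa:00:00:00:20", PvlanPort("Fa1/2", "isolated")),
}
MAC_TO_IP = {mac: ip for ip, (mac, _) in HOSTS.items()}

def switch_forward(pkt: Packet, ingress: PvlanPort) -> Optional[PvlanPort]:
    """Layer 2 delivery: CAM lookup on the destination MAC, then the private VLAN rules."""
    dst_ip = MAC_TO_IP.get(pkt.dst_mac)
    if dst_ip is None:
        return None
    egress = HOSTS[dst_ip][1]
    return egress if pvlan_l2_allowed(ingress, egress) else None

def gateway_acl_permits(pkt: Packet) -> bool:
    """Assumed inbound ACL on the gateway from the text's mitigation:
    deny ip 172.16.34.0 0.0.0.255 172.16.34.0 0.0.0.255, then permit ip any any."""
    return not (ip_address(pkt.src_ip) in SUBNET and ip_address(pkt.dst_ip) in SUBNET)

def router_forward(pkt: Packet, acl_enabled: bool) -> Optional[Packet]:
    """The gateway receives a frame addressed to its MAC, routes on the IP header and rewrites the MACs."""
    if acl_enabled and not gateway_acl_permits(pkt):
        return None
    if ip_address(pkt.dst_ip) not in SUBNET or pkt.dst_ip not in HOSTS:
        return None  # only the connected subnet is modelled
    return Packet(HOSTS[GATEWAY_IP][0], HOSTS[pkt.dst_ip][0], pkt.src_ip, pkt.dst_ip)

ATTACKER_IP, VICTIM_IP = "172.16.34.10", "172.16.34.20"

def direct_attempt() -> Optional[str]:
    """Attacker frames the victim's MAC directly: blocked by the isolated port rules."""
    atk_mac, atk_port = HOSTS[ATTACKER_IP]
    hit = switch_forward(Packet(atk_mac, HOSTS[VICTIM_IP][0], ATTACKER_IP, VICTIM_IP), atk_port)
    return None if hit is None else hit.name

def proxy_attack(acl_enabled: bool) -> Optional[str]:
    """Attacker sends to the victim's IP but the gateway's MAC. Returns the port that finally receives it."""
    atk_mac, atk_port = HOSTS[ATTACKER_IP]
    to_gateway = Packet(atk_mac, HOSTS[GATEWAY_IP][0], ATTACKER_IP, VICTIM_IP)
    gw_port = switch_forward(to_gateway, atk_port)  # allowed: the destination is the promiscuous port
    if gw_port is None:
        return None
    routed = router_forward(to_gateway, acl_enabled)
    if routed is None:
        return None
    victim_port = switch_forward(routed, gw_port)  # allowed: the source is now the promiscuous port
    return None if victim_port is None else victim_port.name

if __name__ == "__main__":
    print("direct:", direct_attempt())
    print("proxy, no ACL:", proxy_attack(False))
    print("proxy, gateway ACL:", proxy_attack(True))
```

The direct attempt never leaves the switch, the proxied packet reaches the victim's port Fa1/2 because both hops involve the promiscuous port, and the gateway ACL stops it at the router, since no legitimate packet should ask the gateway to route between two addresses of its own connected subnet.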


• Monitoring Campus Network

- SPAN (Switched Port Analyzer), also known as "port mirroring"


Switch Port Monitoring
• Suppose a problem exists on your switched network and you want to use a network analyzer to gather data. If you simply plug the analyzer into a switch port, it sees almost nothing: a switch forwards each unicast frame only to the port where the destination MAC address was learned.
• The only time a packet is flooded to ports other than the specific destination is when the destination MAC address has not already been learned or when the packet is destined for a broadcast or multicast address. Therefore, your packet capture shows only the broadcast and multicast packets that were flooded to the analyzer's port. None of the interesting conversation will be overheard.
• Catalyst switches can use the Switched Port Analyzer (SPAN) feature to mirror traffic from one source switch port or VLAN to a destination port. This allows a monitoring device, such as a network analyzer, to be attached to the destination port for capturing traffic.
• When packets arrive on the source port or VLAN, they are specially marked so that they can be copied to the SPAN destination port as well as the true destination port. In this way, the packet capture receives an exact copy of the packets that are being forwarded from the source.
• The same mechanism is how a passive IDS (Intrusion Detection System) sensor is fed: its monitoring interface is attached to a SPAN destination port.

• SPAN is available in several different forms:
- Local SPAN—Both the SPAN source and destination are located on the local switch. The source is one or more switch ports.
- VLAN-based SPAN (VSPAN)—A variation of local SPAN where the source is a VLAN rather than a physical port.
- Remote SPAN (RSPAN)—The SPAN source and destination are located on different switches. Mirrored traffic is copied over a special-purpose VLAN across trunks between switches from the source to the destination.


Local SPAN and VSPAN

The SPAN source can be identified as one or more physical switch ports, a trunk, or a VLAN. Packets that are being forwarded from the source are also copied into the destination port's queue. Because the packets are merely copied, neither the original data nor its forwarding is affected. The figure demonstrates two cases where a network analyzer on the SPAN destination port is receiving frames that SPAN has copied from the source port. Here, SPAN session A monitors all communication on VLAN 100. SPAN session B uses a normal access mode source port to monitor communication between a server and its client PCs.

What happens if a speed mismatch occurs between the SPAN source and destination ports? This could easily happen if the source is a VLAN with many hosts, or if the source is a GigabitEthernet port and the destination is a FastEthernet port. Packets are copied only into the destination port's egress queue. If the destination port becomes congested, the SPAN packets are dropped from the queue and are not seen at the destination port. Therefore, if the bandwidth of source traffic exceeds the destination port speed, some packets might not be seen at the destination port. Traffic from the SPAN source, however, is not affected by any congestion at the SPAN destination. When both directions of a full-duplex port are mirrored, the destination has to carry twice that port's traffic, so a capture of a busy link should go to a faster destination port.


Local SPAN and VSPAN Configuration
• Start by defining the source of the SPAN session data
Switch(config)# monitor session session-number source {interface type mod/num | vlan vlan-id} [rx | tx | both]

• SPAN sessions must be uniquely numbered using the session-number parameter. The maximum number of supported sessions varies among Catalyst platforms. For example, a Catalyst 3550 can support two sessions, whereas a Catalyst 6500 can support up to 64. If multiple sources are needed, you can repeat this command. The SPAN source can be a physical switch interface or a Layer 2 VLAN (not a logical VLAN interface or SVI).
• Traffic can be selected for mirroring based on the direction it is traveling through the SPAN source. For example, you can select only traffic received on the source (rx), only traffic transmitted from the source (tx), or traffic in both directions (both). By default, both directions are used.
• Next, identify the SPAN destination. The destination port is taken over by SPAN: it no longer forwards normal traffic, takes part in no Layer 2 protocols, and by default does not even accept frames from the analyzer (the ingress keyword on the destination command changes that), so its own VLAN membership does not matter.
• Identify the SPAN destination
Switch(config)# monitor session session-number destination {{interface type mod/num} | {vlan vlan-id} | {analysis-module slot-number}}
• The session number here must match the one configured for the SPAN source. You can define only one destination port for each SPAN session. In addition, SPAN sessions cannot share a destination port. The destination can be a physical interface, a Layer 2 VLAN (not a VLAN SVI interface), or a Network Analysis Module (NAM, Catalyst 6500 only).
• You can narrow down the data copied over from the source, if necessary. If the source is a trunk port, you can mirror only traffic from specific VLANs on the trunk
Switch(config)# monitor session session-number filter vlan vlan-range
• Also, if using a VACL, you can identify and mark interesting traffic for SPAN capture. In this case, use the capture keyword in the VACL action statement.
To see the list of currently active SPAN sessions, use the show monitor EXEC command; in the output shown in the figure, two SPAN sessions are in use on a Catalyst 3550.

CAUTION: After you finish using a SPAN session, you should always disable or delete it (no monitor session session-number). Otherwise, someone might try to connect to the port that is configured as the SPAN destination at some later date. You could spend a good bit of time troubleshooting that user's connectivity problem only to find that you left a SPAN session active! A forgotten destination port is also a security problem in its own right: whoever plugs into it receives a copy of every mirrored conversation.
NOTE: When Local SPAN or VSPAN is enabled, the Spanning Tree Protocol (STP) is disabled on the destination port. This allows STP BPDUs to be captured and monitored but also allows the possibility for a bridging loop to form. Never connect a SPAN session's destination port back into an active network. If the monitored packets need to be sent toward another switch, use RSPAN instead.
Notice: a SPAN destination port displays an "up, down (monitoring)" state in show interfaces while it is up and running; the line protocol is reported down because the port is no longer switching traffic normally.
Remote SPAN
In a large switched network or one that is geographically separated, it might not always be convenient to take a network analyzer to the switch where a SPAN source is located. To make SPAN more extensible, Cisco developed the Remote SPAN (RSPAN) feature. With RSPAN, the source and destination can be located on different switches in different locations.
The RSPAN source is identified on one switch, just as with local SPAN. The RSPAN destination is identified on its local switch. Then, RSPAN carries the mirrored data over a special-purpose VLAN across trunk links and intermediate switches. As long as every switch along the way is RSPAN-capable, the source can be located at the far-end switch, while the network analyzer is conveniently located at the switch nearest you.
The figure shows an example network using RSPAN where the packets from the file server (source port) on one switch are copied and transported over the RSPAN VLAN on trunk links. At the destination switch, packets are pulled off the RSPAN VLAN and copied to the network analyzer (destination port). The file server and network analyzer are stationed in geographically separate locations.

The RSPAN VLAN has some important differences from a regular VLAN. First, MAC address learning is disabled on the RSPAN VLAN. This is to prevent intermediate switches that transport the RSPAN VLAN from trying to forward the mirrored packets to their real destination MAC addresses. After all, the purpose of SPAN or RSPAN is simply to mirror or copy interesting frames, not to forward them normally.
An RSPAN-capable switch therefore floods the RSPAN packets out all of its ports belonging to the RSPAN VLAN in an effort to send them toward the RSPAN destination. Intermediate switches have no knowledge of the RSPAN source or destination; rather, they know only of the RSPAN VLAN itself. Because the mirrored traffic is flooded, any access port accidentally placed in the RSPAN VLAN receives a copy of everything being monitored.
Remote SPAN Configuration
• RSPAN configuration begins with the definition of the special-purpose
RSPAN VLAN. If you configure the RSPAN VLAN on a VTP server, VTP
correctly propagates it to other intermediate switches. If not using VTP, be
sure to configure this VLAN for RSPAN explicitly on each intermediate
switch. Otherwise, the RSPAN packets will not be delivered correctly.
• In addition, if VTP pruning is in use, the RSPAN VLAN will be pruned from
unnecessary trunks, limiting the traffic impact in unrelated areas of the
network. Create and maintain one or more RSPAN VLANs for the special
monitoring purpose only. Set aside one RSPAN VLAN for each RSPAN
session that will be used. Don’t allow any normal hosts to join an RSPAN
VLAN. Then define the RSPAN VLAN and the session with the following
configuration commands:
• Define an RSPAN VLAN on each switch between the source and destination
Switch(config)# vlan vlan-id
Switch(config-vlan)# remote-span
• At the source switch, identify the source and destination
Switch(config)# monitor session session source {interface type mod/num | vlan vlan-id} [rx | tx | both]
Switch(config)# monitor session session destination remote vlan rspan-vlan-id
• At the destination switch, identify the RSPAN source and destination
Switch(config)# monitor session session source remote vlan rspan-vlan-id
Switch(config)# monitor session session destination {interface type | vlan vlan-id}
Here, the roles are reversed. RSPAN packets are pulled from the RSPAN VLAN
and placed onto the destination, which is either a physical switch interface or a
Layer 2 VLAN.
NOTE Be aware that RSPAN traffic can increase the traffic load on a trunk, even
though RSPAN is restricted to one special VLAN within the trunk. If the
additional load is significant, the normal production and the monitored traffic
contend with each other for available bandwidth. As a result, both types of traffic
could suffer.
Also, RSPAN must allow the STP to run on the RSPAN VLAN to prevent
bridging loops from forming. As a result, STP BPDUs are normally sent and
received on the VLAN. You cannot monitor BPDUs with RSPAN.
RSPAN example
In this example, RSPAN is configured on all three switches shown in the figure. The
source is connected to Catalyst A port FastEthernet 1/1. The destination is a
network analyzer connected to port FastEthernet 4/48 on Catalyst C. Catalyst B
simply passes the RSPAN session traffic over VLAN 999, transported by trunk
links.



Appendix

• DHCP on Multi-Layer Switches



Using DHCP with a Multilayer Switch
When a switch is configured with a Layer 3 address on an interface, it
becomes the router or default gateway that connected hosts will use to
send traffic to and from their local VLAN or subnet. How do those hosts
know to use the Layer 3 interface as their default gateway? As well,
how do those hosts know what IP address to use for their own
identities?
Hosts can be manually configured to use a static IP address, subnet
mask, default gateway address, and so on. That might be appropriate for
some devices, such as servers, which would need stable and reserved
addresses. For the majority of end user devices, static address
assignment can become a huge administrative chore.
Instead, the Dynamic Host Configuration Protocol (DHCP) is usually
leveraged to provide a means for dynamic address assignment to any
host that can use the protocol. DHCP is defined in RFC 2131 and is built
around a client/server model—hosts requesting IP addresses use a
DHCP client, whereas address assignment is handled by a DHCP server.
Suppose a host connects to the network, but doesn’t yet have an IP
address. It needs to request an address via DHCP. How can it send a
packet to a DHCP server without having a valid IP address to use as a
source address? The answer lies in the DHCP negotiation,
which plays out in the following four steps:



1. The client sends a “DHCP Discover” message as a broadcast—Even
without a valid source address, the client can send to the broadcast
address to find any DHCP server that might be listening. The client’s
MAC address is included in the broadcast message.
2. A DHCP server replies with a “DHCP Offer” message—The offer
contains an offer for the use of an IP address, subnet mask, default
gateway, and some parameters for using the IP address.
The server also includes its own IP address to identify who is making the
offer. (There could be multiple addresses offered, if more than one DHCP
server received the broadcast DHCP Discover message.) Because the
client doesn’t yet have a valid IP address, the server must broadcast the
offer so the client can receive it.
3. The client sends a “DHCP Request” message—When it is satisfied with
a DHCP offer, the client formally requests use of the offered address. A
record of the offer is included so that only the server that sent the offer
will set aside the requested IP address. Again, the request is sent as a
broadcast because the client hasn’t officially started using a valid
address.
4. The DHCP server replies with a “DHCP ACK” message—The IP address
and all parameters for its use are returned to the client as formal
approval to begin using the address. The ACK message is sent as a
broadcast.
Because DHCP is a dynamic mechanism, IP addresses are offered on a
leased basis. Before the offered lease time expires, the client must try to
renew its address; otherwise, that address may be offered up to a
different client.
Notice that DHCP is designed to work within a broadcast domain. Most of
the messages in a DHCP exchange are sent as broadcasts. On this basis,
the DHCP server would need to be located in the same broadcast domain
as the client. In this scenario, you might have a dedicated DHCP server
connected to the network and located in the same VLAN as the client.
You can also configure a multilayer switch to operate as a DHCP server if
you have configured a Layer 3 address on the switch interface or SVI where
the client is located.



Configuring an IOS DHCP Server:
After you have configured a Layer 3 address on a switch interface, you
can configure a DHCP server that runs natively on the switch itself.
The switch will intercept DHCP broadcast packets from client
machines within a VLAN. Use the following command sequence to
configure a DHCP server:
Switch(config)# ip dhcp excluded-address start-ip end-ip
Switch(config)# ip dhcp pool pool-name
Switch(config-dhcp)# network ip-address subnet-mask
Switch(config-dhcp)# default-router ip-address [ip-address2] ...
Switch(config-dhcp)# option option-number
Switch(config-dhcp)# lease {infinite | {days [hours [minutes]]}}
Switch(config-dhcp)# exit
If there are addresses within the IP subnet that should be reserved and
not offered to clients, use the ip dhcp excluded-address command. You
can define a range of addresses or a single address to be excluded.
The ip dhcp pool command uses a text string pool-name to define the
pool or scope of addresses that will be offered. The network command
identifies the IP subnet and subnet mask of the address range. The
subnet should be identical to the one configured on the Layer 3
interface. In fact, the switch uses the network command to bind its
DHCP server to the matching Layer 3 interface. By definition, the network and
broadcast addresses for the subnet won’t be offered to any client. The
default-router command identifies the default router address that will
be offered to clients. Generally, the default router should be the IP
address of the corresponding Layer 3 interface on the switch.
Finally, you can set the IP address lease duration with the lease
command. By default, leases are offered with a 1 day limit.
You can monitor the DHCP server address leases with the show ip
dhcp binding command.



Configuring a DHCP Relay:
If a DHCP server is centrally located in the network, you can
configure the multilayer switch to relay DHCP messages
between clients and the server, even if they are located on
different VLANs or subnets.
First, configure a Layer 3 interface that joins the same VLAN
as the client machines. This interface can be the default
gateway for the clients and can act as a DHCP relay. Next,
use the ip helper-address command to identify the IP address
of the actual DHCP server, as in the following example:
Switch(config)# interface vlan5
Switch(config-if)# ip address 192.168.1.1 255.255.255.0
Switch(config-if)# ip helper-address 192.168.199.4
Switch(config-if)# exit
As a DHCP relay, the switch will intercept the broadcast
DHCP messages from the client and will forward them on to
the server address as unicast messages. The switch keeps
track of the subnet where the client messages arrived so that
it can relay the DHCP server responses back appropriately.
You can configure more than one helper address by repeating
the ip helper-address command with different addresses. In
this case, the switch will relay each DHCP request from a
client to each of the helper addresses simultaneously. If more
than one server replies, each reply will be relayed back to the
client and the client will have to choose one acceptable response.
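The four-step exchange and the relay behaviour described above, as an added example in Python (not code from the book or from Cisco IOS): messages are built in the RFC 2131 layout, a relay modelled on ip helper-address turns the client's broadcast into a unicast to the helper and stamps giaddr with its interface address, and a server modelled on ip dhcp pool picks the pool from giaddr. The pool, client MAC, excluded addresses and lease value are constructed; the 192.168.1.1 interface and 192.168.199.4 helper are the ones from the example above.

```python
"""DHCP Discover/Offer/Request/Ack through a relay (added example, not from the book).
All addresses are constructed except the book's 192.168.1.1 SVI and 192.168.199.4 helper."""
import ipaddress
import struct

HDR = "!BBBBIHH4s4s4s4s16s64s128s"             # fixed 236-byte part of a DHCP message
COOKIE = b"\x63\x82\x53\x63"                     # magic cookie preceding the options
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5       # option 53 message types

def ip4(text):
    return ipaddress.IPv4Address(text).packed

def build(op, xid, chaddr, opts, yiaddr="0.0.0.0", giaddr="0.0.0.0", hops=0):
    """Serialise one message; flags=0x8000 asks for broadcast replies (steps 2 and 4)."""
    body = b"".join(bytes([tag, len(val)]) + val for tag, val in opts) + b"\xff"
    fixed = struct.pack(HDR, op, 1, 6, hops, xid, 0, 0x8000, ip4("0.0.0.0"),
                        ip4(yiaddr), ip4("0.0.0.0"), ip4(giaddr),
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + COOKIE + body

def parse(pkt):
    """Decode the fixed header and the TLV options into a dict."""
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while pkt[i] != 0xff:                        # 0xff is the end option
        tag, n = pkt[i], pkt[i + 1]
        opts[tag] = pkt[i + 2:i + 2 + n]
        i += 2 + n
    return {"hops": f[3], "xid": f[4], "chaddr": f[11][:f[2]], "opts": opts,
            "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "giaddr": str(ipaddress.IPv4Address(f[10]))}

class DhcpServer:
    """Software stand-in for 'ip dhcp pool': one pool per subnet, selected by giaddr."""
    def __init__(self, server_ip, pools):
        self.ip = server_ip
        self.pools = [(ipaddress.ip_network(n), gw, set(ex)) for n, gw, ex in pools]
        self.leases = {}                         # chaddr -> address offered/assigned

    def handle(self, pkt):
        """Answer a DISCOVER with an OFFER and a matching REQUEST with an ACK."""
        m = parse(pkt)
        kind = m["opts"][53][0]
        # A relayed request carries the relay interface address in giaddr, which
        # tells the server which subnet (and so which pool) the client sits on.
        net, gw, excluded = next(p for p in self.pools
                                 if ipaddress.ip_address(m["giaddr"]) in p[0])
        if kind == DISCOVER:
            # network/broadcast are never offered; skip the router and excluded-address
            free = (str(h) for h in net.hosts() if str(h) != gw
                    and str(h) not in excluded and str(h) not in self.leases.values())
            self.leases[m["chaddr"]] = next(free)   # StopIteration when the pool is empty
            reply = OFFER
        elif kind == REQUEST:
            # Only the server named in option 54 answers, and only for the address it offered
            if (m["opts"].get(54) != ip4(self.ip) or
                    m["opts"].get(50) != ip4(self.leases.get(m["chaddr"], "0.0.0.0"))):
                return None
            reply = ACK
        else:
            return None
        opts = [(53, bytes([reply])), (54, ip4(self.ip)), (1, net.netmask.packed),
                (3, ip4(gw)), (51, struct.pack("!I", 86400))]   # 1-day lease, the IOS default
        return build(2, m["xid"], m["chaddr"], opts, yiaddr=self.leases[m["chaddr"]],
                     giaddr=m["giaddr"], hops=m["hops"])

def relay_to_server(pkt, relay_if_ip, helper):
    """'ip helper-address': the broadcast becomes a unicast to the helper; giaddr
    records the interface (hence subnet) the request arrived on, hops goes up by one."""
    m = parse(pkt)
    if m["giaddr"] == "0.0.0.0":                 # only the first relay stamps giaddr
        pkt = pkt[:24] + ip4(relay_if_ip) + pkt[28:]
    return helper, pkt[:3] + bytes([m["hops"] + 1]) + pkt[4:]

def dora_via_relay():
    """Walk the four-step exchange for one client in VLAN 5 behind the relay."""
    server = DhcpServer("192.168.199.4", [("192.168.1.0/24", "192.168.1.1",
                                            ["192.168.1.2", "192.168.1.3"])])
    relay_if, helper, ifaces = "192.168.1.1", "192.168.199.4", {"192.168.1.1": "vlan5"}
    mac, xid = bytes.fromhex("0050e0021234"), 0x3903F326   # constructed client
    # 1. Discover: broadcast from the client, relayed to the helper as unicast
    dst, pkt = relay_to_server(build(1, xid, mac, [(53, bytes([DISCOVER]))]), relay_if, helper)
    # 2. Offer: unicast back to giaddr, then re-broadcast by the relay in that VLAN
    offer = parse(server.handle(pkt))
    vlan = ifaces[offer["giaddr"]]
    # 3. Request: names the offered address (50) and the offering server (54)
    req = build(1, xid, mac, [(53, bytes([REQUEST])), (50, ip4(offer["yiaddr"])),
                              (54, offer["opts"][54])])
    _, pkt = relay_to_server(req, relay_if, helper)
    # 4. Ack: the address and its parameters, formal approval to start using them
    ack = parse(server.handle(pkt))
    return {"vlan": vlan, "relayed_to": dst, "address": ack["yiaddr"], "type": ack["opts"][53][0],
            "router": str(ipaddress.IPv4Address(ack["opts"][3])),
            "lease": struct.unpack("!I", ack["opts"][51])[0]}
```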



Appendix
Multi-Layer Switching concepts



Follow the frame (frame flow)
1- A frame arrives at a switch port.
2- It is placed in an ingress queue.
The queues each can contain frames to be forwarded, with each queue
having a different priority or service level. The switch port then can be
fine-tuned so that important frames get processed and forwarded before
less important frames. This can prevent time-critical data from being
“lost in the shuffle” during a flurry of incoming traffic.
3- The switch must figure out WHERE (which egress port) to forward the frame,
WHETHER to forward the frame, and HOW (which policy) to forward the
frame. These decisions are made simultaneously by independent
portions of the switching hardware.
4- WHERE: L2 forwarding table (CAM table)
The frame’s destination MAC and VLAN ID are used as an index (key) into
the CAM to find the egress port and VLAN ID.
5- WHETHER & HOW:
- Security ACLs (VACL, port security, MAC ACL) are compiled in the TCAM
(Ternary CAM), giving the decision on whether to forward the frame or not.
- QoS ACLs are compiled in the TCAM to give a frame a certain classification,
so that it can be marked and placed in the proper egress queue.



Follow the packet (packet flow)
1- A packet arrives at a switch port.
2- It is placed in an ingress queue.
3- The switch must figure out WHERE (which egress port) to forward the frame,
and WHETHER & HOW (which policy) to forward the frame. These decisions
are made simultaneously by independent portions of the switching hardware.
4- WHERE: L2 forwarding table (CAM table)
- The frame’s destination MAC and VLAN ID are used as an index (key) into the
CAM table, but if the frame’s destination MAC is the MAC of an L3
interface of the switch, the CAM table result is used only to decide
that the frame should be processed at L3.
- L3 forwarding table: the FIB (Forwarding Information Base) is consulted
using the destination IP address as a key; the longest match is found (both
address and mask) and the resulting egress port and next hop are obtained. The
FIB table also contains each next-hop entry’s L2 MAC address and egress
switch port, so further lookups are not necessary.
5- WHETHER & HOW:
• Security ACLs (VACL, port security, MAC ACL) are compiled in the TCAM
(Ternary CAM), giving the decision on whether to forward the packet or not.
• QoS ACLs are compiled in the TCAM to give a frame a certain
classification, so that it can be marked and placed in the proper egress queue.

Multi Layer Switching (MLS)

The two core elements in switching are:
1) How to perform Multi Layer Switching
2) Where the forwarding database is stored

1- Route Caching (flow-based switching)
• The first generation of MLS, requiring a Route Processor (RP) and a
Switch Engine (SE).
• The RP must process a traffic flow's first packet to determine the
destination path. The SE listens to the first packet and to the resulting
destination, and sets up a "shortcut" entry in the MLS cache; subsequent
packets are switched according to that shortcut entry.
• The default aging time for an entry in the route cache, if a corresponding flow
has not been detected, is 256 sec.
• This type of MLS is known as:
- NetFlow LAN switching
- Flow-based switching
- Route once, switch many



2- Topology-Based Switching
• The second generation of MLS, utilizing specialized hardware.
• The route cache is pre-populated without traffic having to flow.
• It uses the information in the routing table to form the FIB table, which is a
hardware lookup table. This topology-based switching is called
CEF (Cisco Express Forwarding); any change in the routing table is
synchronized with the database contained in the hardware-based FIB
lookup table dynamically, with no performance penalty.

In Layer 3 switches, the control path and data path are relatively independent.
• The control plane code, such as routing protocols, runs on the route
processor to form the routing table.
• Data packets are forwarded by the switching fabric services, which we call
the data plane, using the FIB table (the IP forwarding table).
• The two core elements in switching are:
1) How to perform Multi Layer Switching (route caching or
topology-based switching)
2) Where the forwarding database is stored
- Centralized Switching
A central forwarding table controlled by an ASIC performs the L2
and L3 lookups; uses a single, central forwarding table (e.g.
Catalyst 6500/4500)
- Distributed Switching
The switching decision is made locally at the port level or at the
line-card level in the case of a modular chassis (e.g. Catalyst
6500/3550)



MLS tables
1) CAM (Content Addressable Memory)
• An L2 lookup requires an exact match based on 0/1 values. The key is the
destination MAC and VLAN ID, which enters a hash function; the hash function
produces a pointer into the table.
• This provides very high-speed lookups, so you can find the result without
searching the entire table.
• If the destination MAC address is that of an L3 port on the switch, the CAM
table result is used only to decide that the frame should be processed at L3.
• To populate the CAM statically:
(config)# mac address-table static <mac address> [vlan <vlan id>] interface <port id>
By default, idle CAM table entries are kept for 300 sec (5 min) before
they are deleted; this can be adjusted with
(config)# mac address-table aging-time <seconds>
An entry is purged immediately when the same MAC appears on another
port, because a MAC can never exist on two ports at the same time.
Verification:
#show mac address-table [static/dynamic] [address <mac>/interface <port id>/vlan <vlan>]
sw_2950#show mac-address-table
Dynamic Address Count: 2
Secure Address Count: 0
Static Address (User-defined) Count: 0
System Self Address Count: 25
Total MAC addresses: 27
Maximum MAC addresses: 8192
Non-static Address Table:
Destination Address Address Type VLAN Destination Port
------------------- ------------ ---- -----------------
0050.0f02.3372 Dynamic 1 FastEthernet0/2
0000.0c11.23f4 Dynamic 1 FastEthernet0/9

#clear mac address-table [static/dynamic] [address <mac>/interface <port id>/vlan <vlan>]
To check the CAM table size: #show mac address-table count



Note: You should be aware that there is a slight discrepancy in the CAM
table command syntax. Until Catalyst IOS version 12.1(11)EA1, the syntax
for CAM table commands used the keywords mac-address-table. In more
recent Cisco IOS versions, the syntax has changed to use the keywords
mac address-table (first hyphen omitted). The Catalyst 4500 and 6500 IOS
Software are exceptions, however, and continue to use the mac-address-table
keyword form. Many switch platforms support either syntax to ease the
transition.
2) TCAM (Ternary CAM)

• Implemented in hardware and contains the configuration of ACLs and QoS.

• Most switches have multiple TCAMs, so that inbound, outbound,
security and QoS ACLs can all be checked simultaneously, in parallel with
the L2 or L3 forwarding decision.

• The Catalyst IOS has two components that form the hardware equivalent of the
configuration in the TCAM:
- Feature Manager (FM):
After an ACL has been configured, the FM software compiles or merges the ACEs
(access control entries) into the TCAM; the TCAM is then consulted at wire speed.
- Switching Database Manager (SDM):
You can partition the TCAM into areas for different functions; the
SDM configures or tunes the TCAM partitions if needed.

• The TCAM is an extension of the CAM table concept. Recall that a CAM
table takes in an index or key value (usually a MAC address) and looks
up the resulting value (usually a switch port or VLAN ID). Table lookup
is fast and always based on an exact key match consisting of two input
values: 0 and 1 bits. The TCAM also uses a table-lookup operation but is
greatly enhanced to allow a more abstract operation. For example,
binary values (0s and 1s) make up a key into the table, but a mask value
also is used to decide which bits of the key are actually relevant. This
effectively makes a key consisting of three input values: 0, 1, and X
(don’t care) bit values—a three-fold or ternary combination.



TCAM Example
• The figure below shows how the TCAM is built and used.
• How an Access List Is Merged into TCAM:
access-list 100 permit tcp host 192.168.199.14 10.41.0.0 0.0.255.255 eq telnet
access-list 100 permit ip any 192.168.100.0 0.0.0.255
access-list 100 deny udp any 192.168.5.0 0.0.0.255 gt 1024
access-list 100 deny udp any 192.168.199.0 0.0.0.255 range 1024 2047
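Added example, not from the book or from Cisco: a Python model of how the four ACEs above are merged into ternary (value, mask) entries and then matched as a TCAM would, with the first hit winning and an implicit deny at the end. The key layout is an assumption of the model, and port comparisons are expanded into aligned power-of-two blocks so that each becomes one entry; Catalyst TCAMs avoid that expansion by using LOU registers for gt/lt/range operators.

```python
"""TCAM-style compilation of the access list above (added example, not from the book).
Key layout used here: protocol(8) | source IP(32) | destination IP(32) | dest port(16)."""
import ipaddress

PROTO = {"ip": 0, "tcp": 6, "udp": 17}
PORT_NAMES = {"telnet": 23}

def port_range_to_prefixes(lo, hi):
    """Split [lo, hi] into aligned power-of-two blocks, each one (value, mask) entry.
    'range 1024 2047' is a single block; 'gt 1024' (1025-65535) needs several.
    Catalyst hardware avoids this expansion by using LOU registers for gt/lt/range."""
    out = []
    while lo <= hi:
        size = 1
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        out.append((lo, 0xFFFF & ~(size - 1)))
        lo += size
    return out

def parse_addr(tokens):
    """Consume 'any', 'host A' or 'A wildcard' and return (value, mask)."""
    word = tokens.pop(0)
    if word == "any":
        return 0, 0                                  # every bit is don't-care
    if word == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    addr = int(ipaddress.IPv4Address(word))
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens.pop(0)))  # wildcard -> mask
    return addr & mask, mask

def parse_port(tokens):
    """Consume an optional 'eq/gt/lt/range' operator and return a list of (value, mask)."""
    if not tokens:
        return [(0, 0)]
    op, vals = tokens[0], [PORT_NAMES.get(v) or int(v) for v in tokens[1:]]
    if op == "eq":
        return [(vals[0], 0xFFFF)]
    if op == "gt":
        return port_range_to_prefixes(vals[0] + 1, 65535)
    if op == "lt":
        return port_range_to_prefixes(0, vals[0] - 1)
    if op == "range":
        return port_range_to_prefixes(vals[0], vals[1])
    raise ValueError("unsupported operator " + op)

def pack_key(proto, src, dst, port):
    return (proto << 80) | (src << 48) | (dst << 16) | port

def compile_acl(lines):
    """Merge the ACEs into an ordered list of (value, mask, action) TCAM entries."""
    entries = []
    for line in lines:
        tok = line.split()                          # access-list 100 permit tcp ...
        action, proto, rest = tok[2], tok[3], tok[4:]
        src_v, src_m = parse_addr(rest)
        dst_v, dst_m = parse_addr(rest)
        proto_m = 0 if proto == "ip" else 0xFF      # 'ip' matches any protocol
        for port_v, port_m in parse_port(rest):
            entries.append((pack_key(PROTO[proto] & proto_m, src_v, dst_v, port_v),
                            pack_key(proto_m, src_m, dst_m, port_m), action))
    return entries

def tcam_lookup(entries, proto, src, dst, port):
    """All entries are compared at once in hardware; the lowest-index hit wins.
    The sequential scan below returns the same first match."""
    key = pack_key(PROTO[proto], int(ipaddress.IPv4Address(src)),
                   int(ipaddress.IPv4Address(dst)), port)
    for value, mask, action in entries:
        if key & mask == value:
            return action
    return "deny"                                   # implicit deny at the end of every ACL

ACL_100 = [
    "access-list 100 permit tcp host 192.168.199.14 10.41.0.0 0.0.255.255 eq telnet",
    "access-list 100 permit ip any 192.168.100.0 0.0.0.255",
    "access-list 100 deny udp any 192.168.5.0 0.0.0.255 gt 1024",
    "access-list 100 deny udp any 192.168.199.0 0.0.0.255 range 1024 2047",
]
TCAM = compile_acl(ACL_100)
```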



Managing Switching Table Sizes (SDM templates):
High-end Cisco switches are designed for efficient multilayer switching at
any location within a network. For example, the versatile Catalyst 4500 and
6500 models can be used equally well in the core, distribution, or access
layer because their hardware contains ample switching engines and
tablespace for any application. Other models, such as the 2960, 3750, and
3850, have a fixed architecture with limited switching table space. The CAM,
FIB, and other tables must all share resources; for one table to grow larger,
the others must grow smaller.
Fortunately, you can select a preferred type of switching that, in turn, affects
the relative size of the switching tables. To excel at Layer 2 switching, the
CAM table should increase in size, whereas the FIB or routing table space
should decrease. If a switch is used to route traffic, its FIB table space should
grow and its CAM table should shrink.
The SDM manages the memory partitions in a switch. You can display the
current partition preference and a breakdown of table sizes with the
following:
Switch# show sdm prefer
The current template is "desktop default" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 6K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 8K
number of directly-connected IPv4 hosts: 6K
number of indirect IPv4 routes: 2K
number of IPv6 multicast groups: 64
number of directly-connected IPv6 addresses: 74
number of indirect IPv6 unicast routes: 32
number of IPv4 policy based routing aces: 0
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 0.875k
The example shows that the switch is operating with the “desktop default”
memory template, which is tailored for the access layer. According to the
numbers, the desktop default template provides a balanced mix of Layer 2
(unicast MAC addresses, or the CAM table) and Layer 3 (IPv4 unicast routes,
or the FIB table), in addition to IPv4 ACLs, and some minimal support for
IPv6.

You can configure a switch to operate based on other SDM templates by
using
Switch(config)# sdm prefer template
The switch must then be rebooted for the new template to take effect.

Tables list the template types along with the number of entries allowed in
each memory partition. Some rows represent the CAM and FIB table spaces.
To get a feel for the SDM templates, notice which function is favored in each
of the template types. The unicast MAC addresses and unicast routes rows

3) FIB (Forwarding Information Base)
• The FIB is used as the L3 forwarding table; the match condition is the
longest bit match, not an exact match.
• The search key is the destination IP and the result is the next-hop L3 address.
• The L3 engine (Route Processor) maintains routing information and builds the
routing table; the FIB in hardware is derived from the routing table, and any
change in the routing table updates the FIB table. This is done using CEF (Cisco
Express Forwarding).
• CEF runs by default on Catalyst platforms: 6500 with Supervisor 720, 6500 with
the Supervisor 2/MSFC 2 combination, 4500 with Supervisor III or IV. CEF is also
supported on fixed-configuration switches, such as the Catalyst 3750,
3560, 3550, 2960 and 2950.

Figure: Packet Flow Through a CEF-Based Multilayer Switch


The FIB also contains the next-hop address for each entry. When a
longest-match entry is found in the FIB, the Layer 3 next-hop address is
found, too.
You might be surprised to know that the FIB also contains host route
(subnet mask 255.255.255.255) entries. These normally are not found in
the routing table unless they are advertised or manually configured. Host
routes are maintained in the FIB for the most efficient routing lookup to
directly connected or adjacent hosts.
As with a routing table, the FIB is dynamic in nature. When the Layer 3
engine sees a change in the routing topology, it sends an update to the
FIB. Any time the routing table receives a change to a route prefix or the
next-hop address, the FIB receives the same change. Also, if a next-hop
address is changed or aged out of the Address Resolution Protocol (ARP)
table, the FIB must reflect the same change.
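The "follow the packet" steps and the FIB lookup described above, as an added example in Python (not code from the book or from Cisco): a CAM keyed on (VLAN, MAC) with exact match, and a FIB whose entries already carry the next-hop MAC and egress port so that one longest-match lookup yields the rewrite, including the /32 host route for a directly connected host. SVI MACs, host MACs, ports and prefixes are all constructed.

```python
"""Follow the packet through a multilayer switch (added example, not from the book).
MACs, ports and prefixes are constructed; nothing here is a real device's table."""
import ipaddress

class MultilayerSwitch:
    def __init__(self, svi_macs):
        self.svi_mac = svi_macs          # VLAN -> MAC of the switch's own L3 interface
        self.cam = {}                    # (vlan, mac) -> egress port, exact match
        self.fib = []                    # (network, next-hop IP, next-hop MAC, port, vlan)

    def learn(self, vlan, mac, port):
        """Source-MAC learning; a MAC lives on one port only, so any old entry is replaced."""
        self.cam[(vlan, mac)] = port

    def add_route(self, prefix, next_hop_ip, next_hop_mac, port, vlan):
        """FIB entry carrying its adjacency (next-hop MAC and egress port), as CEF does,
        so the rewrite needs no second lookup. Kept sorted longest prefix first."""
        self.fib.append((ipaddress.ip_network(prefix), next_hop_ip, next_hop_mac, port, vlan))
        self.fib.sort(key=lambda e: e[0].prefixlen, reverse=True)

    def fib_lookup(self, dst_ip):
        """Longest match on address and mask: the first hit in the sorted list wins."""
        dst = ipaddress.ip_address(dst_ip)
        for entry in self.fib:
            if dst in entry[0]:
                return entry
        return None

    def forward(self, frame):
        """Decide WHERE a frame goes. frame: dict with vlan, in_port, src_mac, dst_mac,
        and for IP traffic dst_ip and ttl."""
        vlan, dst_mac = frame["vlan"], frame["dst_mac"]
        self.learn(vlan, frame["src_mac"], frame["in_port"])
        if dst_mac != self.svi_mac.get(vlan):
            # Ordinary L2 traffic: exact-match CAM lookup; unknown unicast is flooded
            port = self.cam.get((vlan, dst_mac))
            if port is None:
                return {"action": "flood", "vlan": vlan}
            return {"action": "switch", "port": port}
        # Addressed to the switch's own L3 interface: the CAM result only says
        # "process at L3", so the destination IP is looked up in the FIB
        hit = self.fib_lookup(frame["dst_ip"])
        if hit is None:
            return {"action": "drop", "reason": "no route"}
        net, nh_ip, nh_mac, port, out_vlan = hit
        # Rewrite: destination MAC becomes the next hop (the host itself for a /32),
        # source MAC becomes the egress SVI's MAC, TTL is decremented
        return {"action": "route", "prefix": str(net), "next_hop": nh_ip, "port": port,
                "vlan": out_vlan, "dst_mac": nh_mac, "src_mac": self.svi_mac[out_vlan],
                "ttl": frame["ttl"] - 1}

def build_switch():
    """Constructed sample switch: SVIs in VLAN 10 and 20, two learned hosts, a few routes."""
    sw = MultilayerSwitch({10: "00d0.ba00.0a01", 20: "00d0.ba00.1401"})
    sw.learn(10, "0050.0f02.3372", "Fa0/2")
    sw.learn(10, "0000.0c11.23f4", "Fa0/9")
    sw.add_route("0.0.0.0/0", "192.168.2.1", "00aa.bbcc.0001", "Gi0/1", 20)
    sw.add_route("10.0.0.0/8", "192.168.2.2", "00aa.bbcc.0002", "Gi0/1", 20)
    sw.add_route("10.41.0.0/16", "192.168.2.3", "00aa.bbcc.0003", "Gi0/2", 20)
    # host route (/32) for a directly connected host, derived from its ARP entry
    sw.add_route("192.168.1.7/32", "192.168.1.7", "0050.0f02.3372", "Fa0/2", 10)
    return sw
```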

To enable CEF, use one of the following commands, depending on the switch
platform, in global configuration mode or interface mode:
(config) or (config-if)# ip cef
(config) or (config-if)# ip route-cache cef

To enable CEF on line cards so that the route processor can handle
packets from legacy interface processors, use:
(config) or (config-if)# ip cef distributed

Displaying the FIB Contents for a Switch:



Appendix

• Sample of data sheet



Appendix
Answers & Explanation



CDP & LLDP Answers
Question 1
Answer: B
Explanation
Cisco Discovery Protocol (CDP) is a proprietary protocol designed by Cisco to help in finding
information about neighboring devices. The default values are 60 seconds for advertisements.
Each neighbor will keep the information contained in a packet for 180 seconds (holddown
timer).

Question 2
Answer: A

Question 3
Answer: A
Explanation
CDP runs at Layer 2 so a router running CDP can see a Layer 2 switch that is directly connected
to it, provided that the Layer 2 switch also runs CDP.

Question 4
Answer: B
Explanation
Unlike CDP, Link Layer Discovery Protocol (LLDP) is an open IEEE-standard (802.1AB) Layer 2
protocol used by network devices to share information about their identities and functionality
with other network elements.

Question 5
Answer: A
Explanation
Cisco Discovery Protocol Version 2 provides more intelligent, device-tracking features than
those available in Version 1. One of the features available is an enhanced reporting mechanism
for more rapid error tracking, which helps to reduce network downtime. Errors reported include
mismatched native VLAN IDs (IEEE 802.1Q) on connected ports and mismatched port-duplex
states between connected devices. Messages about reported errors can be sent to the console
or to a logging server.

Question 6
Answer: B
Explanation
Unlike CDP, Link Layer Discovery Protocol (LLDP) is an open IEEE-standard (802.1AB) Layer 2
protocol used by network devices to share information about their identities and functionality
with other network elements.




Question 7
Answer: A
Explanation
Cisco devices send periodic CDP announcements to the multicast destination address
01-00-0c-cc-cc-cc out each connected network interface. These multicast packets may be received by
Cisco devices. This multicast destination is also used in other Cisco protocols such as VTP.

Question 8
Answer: A
Explanation
The information contained in Cisco Discovery Protocol announcements depends on the device
type and the version of the operating system running on it. The following are examples of the
types of information that can be contained in Cisco Discovery Protocol announcements:
+ Cisco IOS XE version running on a Cisco device
+ Duplex setting
+ Hardware platform of the device
+ Hostname
+ IP addresses of the interfaces on devices
+ Interfaces active on a Cisco device, including encapsulation type
+ Locally connected devices advertising Cisco Discovery Protocol
+ Native VLAN
+ VTP domain
Cisco Discovery Protocol Version 2 provides more intelligent device tracking features than
Version 1.

Question 9
Answer: A
Explanation
LLDP supports a set of attributes that it uses to discover neighbor devices. These attributes
contain type, length, and value descriptions and are referred to as TLVs. LLDP supported
devices can use TLVs to receive and send information to their neighbors. This protocol can
advertise details such as configuration information, device capabilities, and device identity. The
switch supports these basic management TLVs. These are mandatory LLDP TLVs.
+ Port description TLV
+ System name TLV
+ System description TLV
+ System capabilities TLV
+ Management address TLV
These organizationally specific LLDP TLVs are also advertised to support LLDP-MED.
+ Port VLAN ID TLV (IEEE 802.1 organizationally specific TLVs)
+ MAC/PHY configuration/status TLV (IEEE 802.3 organizationally specific TLVs)
-> No VTP information is supported in LLDP.

Question 10
Answer: A
Explanation
Cisco Discovery Protocol Version 2 has three additional type, length, values (TLVs): VTP Management
Domain Name, Native VLAN, and full/half-Duplex.



VLAN Answers
Question 1
Answer: A
Explanation
The Port Fast feature is automatically enabled when voice VLAN is configured. When you disable voice
VLAN, the Port Fast feature is not automatically disabled.

Question 2
Answer: A
Explanation
802.1Q VLAN frames are distinguished from ordinary Ethernet frames by the insertion of a 4-byte VLAN
tag into the Ethernet header.

Question 3
Answer: B
Explanation
Because the 802.1Q tunneling feature increases the frame size by 4 bytes when the metro tag is added, you
must configure all switches in the service-provider network to be able to process maximum frames by
increasing the switch system MTU size to at least 1504 bytes.

Question 4
Answer: B
Explanation
The VLAN ID field inside an 802.1q frame consists of 12 bits. Therefore we have 2^12 = 4096 VLAN IDs,
theoretically.

Question 5
Answer: B
Explanation
Each access port can be only assigned to one VLAN via the "switchport access vlan" command.

Question 6
Answer: D
Explanation
This command is used to enable tagging of native VLAN frames on all 802.1Q trunk ports.
Answer A is not correct because even when the native VLAN is set to 1, all of the frames of the native
VLAN are tagged.
Answer B is not correct because the control traffic still passes via the default VLAN (VLAN 1).
Answer C is not correct because all the frames are tagged with a 4-byte dot1q tag.
Only answer D is the best choice because control traffic (like CDP, VTP, STP, DTP…) uses VLAN 1 for
communication. When the native VLAN is tagged (VLAN 1 by default) all control traffic is tagged too. If
the native VLAN is not VLAN 1 then all the control traffic on VLAN 1 is still tagged by default (without
using the above command).



VLAN Trunking
Question 1
Answer: C
Explanation
These errors are generated because the native VLAN is not matched on the two switches (the native VLAN
on SW-1 is not the default native VLAN 1 while the native VLAN on the other side is VLAN 1). The errors
indicate that spanning tree has detected mismatched native VLANs and has shut down VLAN 1 on the trunk.
We should verify that the configuration of the native VLAN ID is consistent on the interfaces on each end
of the IEEE 802.1Q trunk connection. When the configurations are consistent, spanning tree automatically
unblocks the interfaces.

Question 2
Answer: A
Explanation
In 802.1Q, the trunking device inserts a 4-byte tag into the original frame and recomputes the frame check
sequence (FCS) before the device sends the frame over the trunk link. At the receiving end, the tag is
removed and the frame is forwarded to the assigned VLAN. 802.1Q does not tag frames on the native
VLAN. It tags all other frames that are transmitted and received on the trunk.

Question 3
Answer: C
Explanation
802.1Q is an industry-standards-based implementation of carrying traffic for multiple VLANs on a single
trunking interface between two Ethernet switches. 802.1Q is for Ethernet networks only.

Question 4
Answer: C
Explanation
We can use the "switchport trunk allowed vlan" command to specify which VLANs are allowed to go through. Other
VLANs will be dropped.

Question 5
Answer: A B
Explanation
Manually configuring trunking with the "switchport mode trunk" command and manually configuring access
interfaces with the "switchport mode access" command prevent auto trunking on that interface.
Disabling DTP with "switchport nonegotiate" so that DTP messages are not advertised out of the interface
is also a good way to prevent auto trunking.

Question 6
Answer: C F



Question 7
Answer: A
Explanation
By default all VLANs are allowed to go through a trunk but if we apply the "switchport trunk
allowed vlan" command then only these VLANs are allowed to go through; other VLANs are dropped, so be
careful when limiting VLANs on the trunks with this command.

Question 8
Answer: A
Explanation
We can use the "switchport trunk allowed vlan" command to specify which VLANs are allowed to go through.
Other VLANs will be dropped.



VTP Answers
Question 1
Answer: D
Explanation
VTP updates can only be forwarded on trunk links.

Question 2
Answer: B
Explanation
VTP version 1 and version 2 support VLANs 1 to 1000 only. Extended-range VLANs are supported only in
VTP version 3. If converting from VTP version 3 to VTP version 2, VLANs in the range 1006 to 4094 are
removed from VTP control.

Question 3
Answer: C
Explanation
VTP Pruning makes more efficient use of trunk bandwidth by forwarding broadcast and unknown unicast
frames on a VLAN only if the switch on the receiving end of the trunk has ports in that VLAN. In the below
example, Server switch doesn’t send broadcast frame to Sw2 because Sw2 doesn’t have ports in VLAN 10.

Question 4
Answer: A
Explanation
Switch C can receive VLAN information from Switch A so Switch B can forward it to Switch C without
updating its VLAN database -> Switch B is in VTP transparent mode.

Question 5
Answer: D
Explanation
VTP updates can only be forwarded on trunk links.

Question 6
Answer: B
Explanation
VTP version 1 and version 2 support VLANs 1 to 1000 only. Extended-range VLANs are supported only in
VTP version 3. If converting from VTP version 3 to VTP version 2, VLANs in the range 1006 to 4094 are
removed from VTP control.

Question 7
Answer: C
Explanation
VTP Pruning makes more efficient use of trunk bandwidth by forwarding broadcast and unknown unicast
frames on a VLAN only if the switch on the receiving end of the trunk has ports in that VLAN




Question 8
Answer: B
Explanation
VTP version 1 and version 2 support VLANs 1 to 1000 only. Extended-range VLANs are supported only
in VTP version 3. If converting from VTP version 3 to VTP version 2, VLANs in the range 1006 to 4094
are removed from VTP control.

Question 9
Answer: C
Explanation
If a VTP client or server with a null domain receives a VTP message with the domain populated, it will
assume the domain of the received message and add applicable VLANs to its database.

Question 10
Answer: D
Explanation
VTP version 1 and version 2 support VLANs 1 to 1000 only. Extended-range VLANs are supported only
in VTP version 3. If converting from VTP version 3 to VTP version 2, VLANs in the range 1006 to 4094
are removed from VTP control.

Question 11
Answer: C
Explanation
VTP pruning still applies only to VLANs 1 to 1005, and VLANs 1002 to 1005 are still reserved and
cannot be modified.

Question 12
Answer: A
Explanation
VTP Pruning makes more efficient use of trunk bandwidth by forwarding broadcast and unknown unicast
frames on a VLAN only if the switch on the receiving end of the trunk has ports in that VLAN

Question 13
Answer: C
Explanation
In Client mode we cannot create VLANs, and Switch1 does not have any trunk links, so it cannot receive
any VTP updates. No answer offers configuring trunk links, so we have to choose the solution
“change VTP mode to server and enable 802.1q”. But this is a dangerous solution because this switch can
then “update” other switches with its VLAN database via VTP.

Question 14
Answer: C
Explanation
From the output above we see that Switch Company A cannot receive VTP updates from Switch Company B.
Therefore we should check the trunk links connecting the two switches. Manually forcing trunking may be a
good solution.

Question 15
Answer: A
Explanation
VTP Pruning makes more efficient use of trunk bandwidth by forwarding broadcast and unknown unicast
frames on a VLAN only if the switch on the receiving end of the trunk has ports in that VLAN

Question 16
Answer: C
Explanation
VLANs 2–1000 are eligible for pruning, but VLAN 1 has a special meaning because it is normally used
as a management VLAN and is not eligible for pruning. The only way we can remove VLAN 1 is
through the “switchport trunk allowed vlan remove 1” command. But even when you remove VLAN 1
from a trunk port, the interface continues to send and receive management traffic, for example Cisco
Discovery Protocol (CDP), Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol
(LACP), DTP, and VTP in VLAN 1.
A good thing about clearing VLAN 1 is that user data cannot travel via this VLAN anymore. BPDU traffic is also
banned on this VLAN.
Note: The Cisco IOS-based Catalyst 2900XL/3500XL switches do not allow you to clear VLAN 1 from a
trunk; however, the Catalyst 2950/3550, Cisco IOS 4000/4500, and native IOS 6000/6500 switches allow
you to clear VLAN 1.

Question 17
Answer: C



EtherChannel Answers
Question 1
Answer: D
To form an EtherChannel both sides must use the same EtherChannel protocol (LACP or PAgP). According to
the two tables above we can see that only “desirable” and “auto” (of PAgP) can form an EtherChannel bundle.
Note: If we want to use “on” mode, both ends must be configured in this “on” mode to create an
EtherChannel bundle.

Question 2
Answer: A
Explanation
To form an Etherchannel both sides must use the same Etherchannel protocol (LACP or PAgP).

Question 3
Answer: E
Explanation
In this case the EtherChannel bundle was configured to load-balance based on the destination IP address,
but there is only one web server (that is, one destination IP address). Therefore only one of the
EtherChannel links is being utilized to reach the web server. To solve this problem we should configure
load balancing based on the source IP address so that traffic from different hosts to the web server is
shared among the links in the EtherChannel bundle.

Question 4
Answer: C

Question 5
Answer: B
Explanation
If one end is passive and the other end is active, the EtherChannel will be formed even though the two
interfaces on the same switch use different modes and different load-balancing methods. Switch 1 will
load-balance based on destination IP while Switch2 will load-balance based on source MAC address.

Question 6
Answer: D
Explanation
When storm control is configured on an EtherChannel, the storm control settings propagate to the
EtherChannel physical interfaces. In the “show etherchannel” command output, the storm control
settings appear on the EtherChannel but not on the physical ports of the channel.
Note: You cannot configure storm control on the individual ports of that EtherChannel.

Question 7
Answer: A
Explanation
Issue the “port-channel load-balance {src-mac | dst-mac | src-dst-mac | src-ip | dst-ip | src-dst-ip |
src-port | dst-port | src-dst-port | mpls}” global configuration command in order to configure the load
balancing.

Question 8
Answer: B
Explanation
A LACP port priority is configured on each port using LACP. The port priority can be configured automatically
or through the CLI. LACP uses the port priority together with the port number to form the port identifier. The port
priority determines which ports should be put in standby mode when there is a hardware limitation that
prevents all compatible ports from aggregating.
The syntax of LACP port priority is (configured under interface mode):
lacp port-priority priority-value
The lower the value, the more likely that the interface will be used for LACP transmission.

Question 9
Answer: A
For “on” mode, the link aggregation is forced to be formed without any PAgP negotiation. A port-channel is
formed only if the peer port is also in “on” mode.

Question 10
Answer: B
Explanation
Interfaces Fa0/13 to Fa0/15 are bundled into Port-channel 12 and it is running with “desirable” mode -> it is
using PAgP.

Question 11
Answer: C
Explanation
From the output we see currently the Server_Switch is load balancing via source MAC address. By changing
load-balance to another method the problem can be solved. In this case C is the best choice because other
answers are surely incorrect.
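The following is an added example, not from the book, that models how the configured EtherChannel load-balancing method decides which member link a flow uses (Questions 3 and 11). It assumes a simplified hash on the low-order address bits rather than Cisco's exact hardware hash, and the client and web server addresses are constructed.

```python
"""Added example (not from the book): a simplified model of EtherChannel
load balancing. Catalyst hardware selects the member link from the
low-order bits of the chosen header fields; this model keeps that idea
but is an approximation, not Cisco's exact hash. Addresses are constructed."""
import ipaddress
from collections import Counter

HASH_BITS = {2: 1, 4: 2, 8: 3}  # hash width for 2, 4 and 8 member links


def _low_bits(ip: str, bits: int) -> int:
    """Low-order `bits` bits of an IPv4 address."""
    return int(ipaddress.ip_address(ip)) & ((1 << bits) - 1)


def select_link(src_ip: str, dst_ip: str, method: str, num_links: int) -> int:
    """Member link (0-based) that a flow is hashed onto."""
    bits = HASH_BITS.get(num_links)
    if bits is None:
        raise ValueError("model supports 2, 4 or 8 member links")
    if method == "src-ip":
        return _low_bits(src_ip, bits)
    if method == "dst-ip":
        return _low_bits(dst_ip, bits)
    if method == "src-dst-ip":
        return _low_bits(src_ip, bits) ^ _low_bits(dst_ip, bits)
    raise ValueError(f"unsupported load-balance method: {method}")


def link_utilisation(flows, method, num_links):
    """Flows per member link; idle links are listed with a count of 0."""
    counts = Counter(select_link(s, d, method, num_links) for s, d in flows)
    return {link: counts.get(link, 0) for link in range(num_links)}


def links_in_use(flows, method, num_links):
    """How many member links carry at least one flow."""
    return sum(1 for n in link_utilisation(flows, method, num_links).values() if n)


# Constructed sample: 40 client hosts all talking to a single web server,
# the situation described in Question 3.
WEB_SERVER = "10.0.0.10"
FLOWS = [(f"192.168.1.{i}", WEB_SERVER) for i in range(1, 41)]

if __name__ == "__main__":
    for method in ("dst-ip", "src-ip", "src-dst-ip"):
        print(f"{method:11} -> {link_utilisation(FLOWS, method, 4)}")
```

With dst-ip every flow hashes to the same link because the only destination is the web server; src-ip or src-dst-ip spreads the same flows across all four links.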

Question 12
Answer: A
Explanation
Configuration changes applied to the port-channel interface apply to all the physical ports assigned to the
port-channel interface. Configuration changes applied to a physical port affect only the port where you
apply the configuration. To change the parameters of all ports in an EtherChannel, apply configuration
commands to the port-channel interface, for example spanning-tree commands or commands to configure
a Layer 2 EtherChannel as a trunk.
Note: If we only change the parameters on a physical port of the port-channel, the port-channel may go
down because of a parameter mismatch. For example, if you only configure “switchport trunk allowed vlan
…” on a physical port, the port-channel will go down.

Question 13
Answer: A
Explanation
The EtherChannel provides full-duplex bandwidth up to 800 Mbps (Fast EtherChannel) or 8 Gbps (Gigabit
EtherChannel) between your switch and another switch or host.
Each EtherChannel can consist of up to eight compatibly configured Ethernet interfaces. All interfaces in
each EtherChannel must be the same speed, and all must be configured as either Layer 2 or Layer 3
interfaces.
Note: 800 Mbps full-duplex means data can be transmitted at 800 Mbps and received at 800 Mbps (1600
Mbps in total).

Question 14
Answer: A
Explanation
From the last line of the output, we learn physical ports Fa0/13, Fa0/14, and Fa0/15 are bundled into
Port-channel 1 and use LACP which is an open standard protocol.

Question 15
Answer: C
Explanation
The EtherChannel provides full-duplex bandwidth up to 800 Mbps (Fast EtherChannel) or 8 Gbps (Gigabit
EtherChannel) between your switch and another switch or host. Therefore if we have 10 Gigabit Ethernet
connections, only 8 links will be used.

Question 16
Answer: C
Explanation
Multichassis LACP (mLACP) is also supported on the 7600 and ASR9000 series -> A is not correct.
mLACP supports both FastEthernet & GigabitEthernet -> B is not correct.
VSS mode does not support the mLACP for server access feature only. But mLACP is available in Virtual
Switching Systems (VSS). An example of a combination of VSS and mLACP is shown below:

In the topology above, the mLACP is a port channel that spans the two chassis of a VSS. Notice that the
two chassis of this VSS are connected via a Virtual Switch Link (VSL). The VSL is a special link that carries control
and data traffic between the two chassis of a VSS. In this case the VSL is implemented as an EtherChannel
with two links.
+ mLACP does not support Fast Ethernet.
+ mLACP does not support half-duplex links.
+ mLACP does not support multiple neighbors.
+ Converting a port channel to mLACP can cause a (short) service disruption -> D is not correct.
STP Answers
Question 1
Answer: A
Explanation
If we want to view the spanning-tree status of a specific VLAN, use the “spanning-tree vlan ” command.
An example of the output of this command is shown below:

Question 2
Answer: C
Explanation
SW3 needs to block one of its ports to SW2 to avoid a bridging loop between the two switches. But how
does SW3 select its blocked port? The answer is based on the BPDUs it receives from SW2. A
BPDU is superior to another if it has:
1. A lower Root Bridge ID
2. A lower path cost to the Root
3. A lower Sending Bridge ID
4. A lower Sending Port ID
These four parameters are examined in order. In this specific case, all the BPDUs sent by SW2 have the
same Root Bridge ID, the same path cost to the Root and the same Sending Bridge ID. The only
parameter left to select the best one is the Sending Port ID (Port ID = port priority + port index). The
lower the port priority value, the higher the priority of that port. Therefore we must change the port priority
on F1/1 to a lower value than that of Fa1/0. Zero is the lowest value we can assign to a port, so we can
assign this value to SW2 F1/1 and configure a higher value on Fa1/0. These are the commands to complete
this task:
SW2(config)#interface f1/1
SW2(config-if)#spanning-tree vlan port-priority 0

Note: If we don’t change the port priority, SW3 will compare port index values, which are unique to each
port on the switch, and because Fa1/0 is inferior to Fa1/1, SW3 will select Fa1/0 as its root port and
block the other port.

Question 3
Answer: D
Explanation
After being powered on, the switches start sending BPDUs to elect a root bridge. A BPDU is superior to
another if it has:
1. A lower Root Bridge ID
2. A lower path cost to the Root
3. A lower Sending Bridge ID
4. A lower Sending Port ID
From the output above, we learn that SW1 is the root bridge for VLAN 1 (from the “this bridge is the root”
line). SW1 has a “Bridge ID Priority” of 1 because SW1 has been configured with a switch priority
value of 0, which is also the lowest priority value (highest priority). This value is then added to the
VLAN ID (VLAN 1 in this case), so the final value is 1.
Question 4
Answer: D
Explanation
After receiving BPDUs from upstream bridges, the switch adds the STP cost of the receiving port and chooses the
lowest value as its root port -> the STP cost of Fa0/21 is the smallest, so it is chosen as the root port.

Question 5
Answer: C
Explanation
Portfast is often configured on switch ports that connect to hosts. Interfaces with Portfast enabled will go to
forwarding state immediately without passing the listening and learning state. Therefore it can save about 30
to 45 seconds to transition through these states. To enable this feature, configure this command under
interface mode:
Switch(config-if)#spanning-tree portfast

Question 6
Answer: A
Explanation
The “spanning-tree portfast bpdufilter default” command enables BPDU filtering on Portfast-enabled
interfaces. This command prevents interfaces that are in a Portfast-operational state from sending BPDUs. If
a BPDU is received on a Portfast-enabled interface, the interface loses its Portfast-operational status, and
BPDU filtering is disabled.
In conclusion, the above command only affects ports that were configured with Portfast. It prevents these ports
from sending BPDUs (notice that Portfast interfaces otherwise still send BPDUs), but the funny thing is that if
such a port receives a BPDU, it will disable both the BPDU filtering and Portfast features.

Question 7
Answer: D
Explanation
Root guard does not allow the port to become an STP root port, so the port is always STP-designated.
If a better BPDU arrives on this port, root guard does not take the BPDU into account to elect a new
STP root. Instead, root guard puts the port into the root-inconsistent STP state, which is equivalent to the
listening state. No traffic is forwarded across this port.

Below is an example of where to configure Root Guard on the ports. Notice that Root Guard is always
configured on designated ports.
To configure Root Guard, use this command:
Switch(config-if)# spanning-tree guard root

Question 8
Answer: C
Explanation
Although RSTP was configured on all ports, only edge ports are allowed to run RSTP. RSTP cannot work on a
trunk port. If we try to configure RSTP on a trunk port (suppose Fa0/24) we will receive this message:
%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs,
concentrators, switches, bridges, etc… to this interface when portfast is enabled, can cause temporary
bridging loops. Use with CAUTION
%Portfast has been configured on FastEthernet0/24 but will only have effect when the interface is in a
non-trunking mode.

Question 9
Answer: D
Explanation
UplinkFast is a Cisco-specific feature that improves the convergence time of the Spanning-Tree Protocol
(STP) in the event of the failure of an uplink. The UplinkFast feature is designed to run in a switched
environment when the switch has at least one alternate/backup root port (a port in blocking state), which is why
Cisco recommends that UplinkFast be enabled only for switches with blocked ports, typically at the access
layer.
For example, in the topology below:
Suppose S1 is the root bridge in the topology above. S3 is connected to S1 via two paths: one direct path and
another that goes through S2. Suppose the port directly connected to S1 is the root port -> the port connected to S2 will
be in Blocking state. If the primary link goes down, the blocked port will need about 50 seconds to move
from Blocking -> Listening -> Learning -> Forwarding before it can be used.
To shorten the downtime, a feature called UplinkFast can be used. When the primary (root) link fails,
another blocked link can be brought up immediately for use. When UplinkFast is enabled, it is enabled for
the entire switch and all VLANs. It cannot be enabled for individual VLANs.

Question 10
Answer: A B
Explanation
Every non-root bridge needs to elect a root port. The election of the root port is as follows:
1) Based on the lowest cost path to the root bridge
2) Then based on the lowest upstream Bridge ID (Bridge ID = Bridge Priority + MAC)
3) Then based on the lowest upstream Port ID (Port ID = Port Priority + Port Index)
Therefore we can use STP cost and port-priority to select the root port.
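An added example, not part of the book, that carries the BPDU comparison of Questions 2, 3 and 10 through in code: root bridge priority field, port ID encoding, and root port selection with and without the port-priority change. The bridge MAC addresses, port indexes and path costs are constructed sample values.

```python
"""Added example (not from the book): the four-step BPDU comparison used
for root bridge and root port election. A BPDU is better if it has, in
order, a lower Root Bridge ID, a lower path cost to the root, a lower
Sending Bridge ID and a lower Sending Port ID. Bridge MAC addresses,
port indexes and costs below are constructed sample values."""
from dataclasses import dataclass


def bridge_id(priority: int, mac: str, vlan: int = 1) -> int:
    """Bridge ID as one comparable integer: the 16-bit priority field is
    priority + VLAN ID (extended system ID), followed by the 48-bit MAC.
    Catalyst switches accept priorities 0..61440 in steps of 4096."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be 0..61440 in steps of 4096")
    return ((priority + vlan) << 48) | int(mac.replace(".", ""), 16)


def port_id(port_priority: int, port_index: int) -> int:
    """Port ID: 4-bit priority field (configured value / 16) + 12-bit index."""
    if port_priority % 16 or not 0 <= port_priority <= 240:
        raise ValueError("port priority must be 0..240 in steps of 16")
    return ((port_priority // 16) << 12) | port_index


@dataclass(frozen=True)
class Bpdu:
    root_id: int
    root_path_cost: int   # cost to the root as advertised by the sender
    sender_id: int
    sender_port_id: int


def choose_root_port(received: dict) -> str:
    """received: local port name -> (BPDU heard on it, that port's STP cost).
    Each candidate is ranked by the four criteria in order, with the local
    port cost added to the advertised cost; the best one is the root port."""
    def ranking(item):
        _, (bpdu, local_cost) = item
        return (bpdu.root_id, bpdu.root_path_cost + local_cost,
                bpdu.sender_id, bpdu.sender_port_id)
    return min(received.items(), key=ranking)[0]


# Constructed topology: SW1 (priority 0) is the root; SW2 (default
# priority) sends BPDUs to SW3 over two parallel links, as in Question 2.
SW1 = bridge_id(0, "0000.0000.0001")        # priority field shows as 1
SW2 = bridge_id(32768, "0000.0000.0002")    # default priority + VLAN 1

# SW3's Fa1/0 faces SW2's F1/0 (index 1), SW3's Fa1/1 faces SW2's F1/1
# (index 2). Both BPDUs tie on root ID, cost and sender ID; only the
# sender port ID differs, so SW3 picks the link to SW2's lower port ID.
Q2_BEFORE = {
    "Fa1/0": (Bpdu(SW1, 19, SW2, port_id(128, 1)), 19),
    "Fa1/1": (Bpdu(SW1, 19, SW2, port_id(128, 2)), 19),
}
# After "spanning-tree vlan 1 port-priority 0" on SW2's F1/1.
Q2_AFTER = {
    "Fa1/0": (Bpdu(SW1, 19, SW2, port_id(128, 1)), 19),
    "Fa1/1": (Bpdu(SW1, 19, SW2, port_id(0, 2)), 19),
}
# Question 4/10 style: a cheaper local path wins before port IDs matter.
Q10_COST = {**Q2_BEFORE, "Fa0/21": (Bpdu(SW1, 19, SW2, port_id(128, 21)), 4)}

if __name__ == "__main__":
    print("root bridge priority field:", SW1 >> 48)
    print("root port before:", choose_root_port(Q2_BEFORE))
    print("root port after: ", choose_root_port(Q2_AFTER))
    print("root port by cost:", choose_root_port(Q10_COST))
```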

Question 11
Answer: D
Explanation
Portfast is often configured on switch ports that connect to hosts. Interfaces with Portfast enabled will go to
forwarding state immediately without passing the listening and learning state. Therefore it can save about 30
to 45 seconds to transition through these states. To enable this feature, configure this command under
interface mode:
Switch(config-if)#spanning-tree portfast
UDLD Answers
Question 1
Answer: A
Explanation
UDLD is a Layer 2 protocol that enables devices connected through fiber-optic or twisted-pair
Ethernet cables to monitor the physical configuration of the cables and detect when a unidirectional
link exists. All connected devices must support UDLD for the protocol to successfully identify and
disable unidirectional links. When UDLD detects a unidirectional link, it administratively shuts
down the affected port and alerts you. Unidirectional links can cause a variety of problems,
including spanning-tree topology loops.

Question 2
Answer: A
Explanation
A unidirectional link occurs whenever traffic sent by a local device is received by its neighbor but
traffic from the neighbor is not received by the local device.
UDLD supports two modes of operation: normal (the default) and aggressive. In normal mode,
UDLD can detect unidirectional links due to misconnected interfaces on fiber-optic connections. In
aggressive mode, UDLD can also detect unidirectional links due to one-way traffic on fiber-optic
and twisted pair links and to misconnected interfaces on fiber-optic links.

Question 3
Answer: B
Explanation
When a unidirectional link occurs, UDLD can put that port into the errdisable state (same as shutdown).
The administrator must manually shut/no shut to bring that interface up. If we want the interface to
recover automatically, configure “errdisable autorecovery”. For example:
(config)#errdisable recovery cause udld
(config)#errdisable recovery interval 30
By doing so, the port will be placed back in the up state (no err-disabled state) after 30 seconds; if the
port still has a violation it will be placed again in the “err-disabled” state, otherwise it will remain in the up
state.

Question 4
Answer: B
Explanation
UDLD aggressive mode is disabled by default. Configure UDLD aggressive mode only on point-to-
point links between network devices that support UDLD aggressive mode. With UDLD aggressive
mode enabled, when a port on a bidirectional link that has a UDLD neighbor relationship established
stops receiving UDLD packets, UDLD tries to reestablish the connection with the neighbor. After
eight failed retries, the port is disabled.

Question 5
Answer: A
Storm control Answers
Question 1
Answer: C D F
Explanation
Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on
one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic
and degrading network performance. Errors in the protocol-stack implementation, mistakes in network
configurations, or users issuing a denial-of-service attack can cause a storm. Storm control (or traffic
suppression) monitors packets passing from an interface to the switching bus and determines if the packet
is unicast, multicast, or broadcast. The switch counts the number of packets of a specified type received
within the 1-second time interval and compares the measurement with a predefined suppression-level
threshold.
Storm control uses one of these methods to measure traffic activity:
+ Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic
+ Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
+ Traffic rate in bits per second at which broadcast, multicast, or unicast packets are received
With each method, the port blocks traffic when the rising threshold is reached. The port remains blocked
until the traffic rate drops below the falling threshold (if one is specified) and then resumes normal
forwarding. If the falling suppression level is not specified, the switch blocks all traffic until the traffic rate
drops below the rising suppression level. In general, the higher the level, the less effective the protection
against broadcast storms.
The command “storm-control broadcast level 75 65” limits the broadcast traffic to 75% of the bandwidth
(75% is called the rising threshold). The port will start forwarding broadcast traffic again when it drops
below 65% of the bandwidth (65% is called the falling threshold).
Note: If you don't configure the falling threshold, it will use the same value as the rising threshold.

Question 2
Answer: A
Explanation
By using the “storm-control broadcast level [falling-threshold]” we can limit the broadcast traffic on the
switch.

Question 3
Answer: A

Question 4
Answer: A
Explanation
The command “storm-control action {shutdown | trap}” specifies the action to be taken when a storm is
detected. The default is to filter out the traffic and not to send traps.
+ Select the shutdown keyword to error-disable the port during a storm.
+ Select the trap keyword to generate an SNMP trap when a storm is detected.
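An added example, not from the book, that replays the rising/falling threshold behaviour of “storm-control broadcast level 75 65” (Question 1) and the shutdown action (Question 4) over constructed per-second utilisation samples, so the effect of omitting the falling threshold can be seen directly.

```python
"""Added example (not from the book): a per-second model of the rising and
falling suppression thresholds behind "storm-control broadcast level 75 65"
(Question 1) and of the "storm-control action shutdown" behaviour
(Question 4). The utilisation samples are constructed."""


def storm_control_trace(utilisation, rising, falling=None, action="filter"):
    """Return the port state for each 1-second sample of broadcast
    utilisation (percent of port bandwidth).

    rising  - suppression starts when utilisation reaches this level
    falling - forwarding resumes once utilisation drops below this level;
              when omitted the switch uses the rising level (book's note)
    action  - "filter" (default: traffic is dropped while the storm lasts)
              or "shutdown" (port is error-disabled until an administrator
              or errdisable recovery brings it back; not modelled here)
    """
    if falling is None:
        falling = rising
    if not 0 <= falling <= rising <= 100:
        raise ValueError("need 0 <= falling <= rising <= 100")
    blocked = False
    states = []
    for pct in utilisation:
        if states and states[-1] == "err-disabled":
            states.append("err-disabled")      # stays down: no auto-recovery
            continue
        if not blocked and pct >= rising:
            if action == "shutdown":
                states.append("err-disabled")
                continue
            blocked = True
        elif blocked and pct < falling:
            blocked = False
        states.append("block" if blocked else "forward")
    return states


def flap_count(states):
    """Number of state transitions, a simple measure of port flapping."""
    return sum(1 for a, b in zip(states, states[1:]) if a != b)


# Constructed sample: a broadcast storm that ramps up and then decays slowly.
SAMPLE = [10, 40, 75, 90, 70, 80, 68, 64, 30]

if __name__ == "__main__":
    print("rising 75, falling 65:", storm_control_trace(SAMPLE, 75, 65))
    print("rising 75 only:      ", storm_control_trace(SAMPLE, 75))
    print("action shutdown:     ", storm_control_trace(SAMPLE, 75, 65, "shutdown"))
```

With only the rising threshold the port resumes forwarding the moment utilisation dips under 75% and flaps twice as often during the same storm.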



RSTP Questions
Question 1
Answer: A
Explanation

Question 2
Answer: A
Explanation
RSTP is backward compatible with STP 802.1D. If an RSTP-enabled port receives a (legacy) 802.1D BPDU, it
will automatically configure itself to behave like a legacy port. It then sends and receives 802.1D BPDUs only.

MST Questions
Question 3
Answer: C
Explanation
Instead of using Per-VLAN Spanning Tree (PVST) or Rapid PVST, which run a separate STP instance for
each active VLAN (there would be 20 STP instances for 20 VLANs), Multiple Spanning Tree (MST) maps
multiple VLANs into a single spanning-tree instance, thereby reducing the number of spanning-tree instances
needed. MST also reduces switch resources and managerial burdens.

Question 4
Answer: C
Explanation
Besides two MST instances 1 & 2, Instance 0 is a special instance for a region, known as the Internal
Spanning Tree (IST). The IST always exists on all ports; you cannot delete the IST. By default, all VLANs
are assigned to the IST. All other MST instances are numbered from 1 to 4094. The IST is the only STP
instance that sends and receives BPDUs. All of the other MSTI information is contained in MST records (M-
records), which are encapsulated within MST BPDUs.



MAC Table Answers
Question 1
Answer: A
Explanation
The command “mac address-table aging-time 180” specifies the time before an entry ages out and
is discarded from the MAC address table. The default is 300 seconds. Entering the value 0 disables
MAC aging.

Question 2
Answer: C

Question 3
Answer: A
Explanation
The switch learns which port a host is attached to by examining the source MAC address in frames received
on a port. For example, if the switch receives a frame with source MAC 0000.0000.aaaa (abbreviated as “aaaa”)
on port Fa0/1, it populates its MAC address table with an entry like “host aaaa on Fa0/1”. If the switch then
receives a frame with the same “aaaa” MAC from Fa0/2, there will be a flap and the switch will log
something like this: %MAC_MOVE-SP-4-NOTIF: Host 0000.0000.aaaa in vlan 1 is flapping between port 0/1
and port 0/2
This flapping phenomenon may be the result of a Layer 2 loop somewhere in your network, especially when
STP is disabled for some reason.
If you don't want to see this message then issue the “no mac-address-table notification mac-move” command or
place a static entry with “mac-address-table static 0000.0000.aaaa vlan 1 interface fa0/1” on the switch.
The command “mac-address-table notification mac-move” is disabled by default on 6500 & 7600 series but
enabled by default on other series.
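An added example, not from the book, modelling the MAC address table behaviour described in Questions 1 and 3: aging of dynamic entries, the mac-move notification when a MAC appears on a second port, and why a static entry silences it. All MAC addresses, ports and timestamps are constructed.

```python
"""Added example (not from the book): a small model of a switch MAC address
table covering the aging timer of Question 1 and the mac-move (flapping)
notification of Question 3. MACs, ports and times are constructed."""


class MacTable:
    def __init__(self, aging_time=300, mac_move_notification=True):
        self.aging_time = aging_time            # seconds; 0 disables aging
        self.notify = mac_move_notification
        self.entries = {}   # (vlan, mac) -> {"port", "static", "seen"}
        self.log = []       # syslog-style messages the switch would emit

    def add_static(self, mac, vlan, port):
        """Equivalent of: mac-address-table static <mac> vlan <vlan> interface <port>"""
        self.entries[(vlan, mac)] = {"port": port, "static": True, "seen": None}

    def learn(self, src_mac, vlan, port, now):
        """Learn the source MAC of a frame received on `port` at time `now`.
        Returns True when the address moved to a different port (a flap)."""
        key = (vlan, src_mac)
        entry = self.entries.get(key)
        if entry and entry["static"]:
            return False        # static entries never move and never flap
        moved = entry is not None and entry["port"] != port
        if moved and self.notify:
            self.log.append(
                f"%MAC_MOVE-SP-4-NOTIF: Host {src_mac} in vlan {vlan} "
                f"is flapping between port {entry['port']} and port {port}")
        self.entries[key] = {"port": port, "static": False, "seen": now}
        return moved

    def age_out(self, now):
        """Drop dynamic entries idle for aging_time seconds; return how many."""
        if self.aging_time == 0:
            return 0
        stale = [k for k, e in self.entries.items()
                 if not e["static"] and now - e["seen"] >= self.aging_time]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def lookup(self, mac, vlan):
        """Port an address is known on, or None (the frame would be flooded)."""
        entry = self.entries.get((vlan, mac))
        return entry["port"] if entry else None


# Constructed frames: (time in seconds, source MAC, VLAN, ingress port).
FRAMES = [
    (0, "0000.0000.aaaa", 1, "Fa0/1"),
    (1, "0000.0000.bbbb", 1, "Fa0/3"),
    (2, "0000.0000.aaaa", 1, "Fa0/2"),   # same MAC from another port: a flap
    (3, "0000.0000.aaaa", 1, "Fa0/1"),   # ...and back again
]


def run_scenario(aging_time=180, static_aaaa=False):
    """Replay FRAMES through a table; return (flap_log, entries_aged_out)."""
    table = MacTable(aging_time=aging_time)
    if static_aaaa:
        table.add_static("0000.0000.aaaa", 1, "Fa0/1")
    for t, mac, vlan, port in FRAMES:
        table.learn(mac, vlan, port, t)
    aged = table.age_out(now=FRAMES[-1][0] + aging_time)
    return table.log, aged


if __name__ == "__main__":
    for line in run_scenario()[0]:
        print(line)
```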

Question 4
Answer: A E
Explanation
The command “show mac address-table” displays the MAC address table along with the
port associated with each address on the switch. The “show mac address-table address ” command gives a more
specific view of a specific MAC address.



Redundancy
Appendix
• VSS Configuration



Configuration Steps
STEP1: Assigning Virtual Switch Domain and Switch Numbers
First you have to configure the same virtual switch domain number on both
switches of the VSS. The virtual switch domain is a number between 1 and
255. After the domain number, you must configure one switch to be switch number 1
and the other switch to be switch number 2.
SW1#conf t
SW1(config)#switch virtual domain 10
Domain ID 10 config will take effect only after the exec command 'switch convert mode virtual' is issued
SW1(config-vs-domain)#switch 1
SW1(config-vs-domain)#exit
SW2#conf t
SW2(config)#switch virtual domain 10
Domain ID 10 config will take effect only after the exec command 'switch convert mode virtual' is issued
SW2(config-vs-domain)#switch 2

STEP2: Configuring VSL Port Channel


Then you need to configure VSL with a unique port channel on each switch.
During the conversion, the VSS configures both port channels on the VSS Active
switch. If the VSS Standby switch VSL port channel number has been configured
for another use, the VSS comes up in RPR mode. To avoid this situation, check
that both port channel numbers are available on both of the switches.
SW1(config)#int port-channel 5
SW1(config-if)#switchport
SW1(config-if)#switch virtual link 1
SW1(config-if)#no shut
*Jan 24 05:19:57.092: %SPANTREE-6-PORTDEL_ALL_VLANS: Port-channel5
deleted from all Vlans
SW2(config)#int port-channel 10
SW2(config-if)#switchport
SW2(config-if)#switch virtual link 2
SW2(config-if)#no shut
*Jan 24 05:14:17.273: %SPANTREE-6-PORTDEL_ALL_VLANS: Port-channel10 deleted from all Vlans
STEP3: Converting the Switch to Virtual Switch Mode:
You need to enter the “switch convert mode virtual” command on Switch 1 to
convert it to Virtual Switch Mode. After you enter this command you will be
prompted to confirm the action. Enter yes. The system creates a converted
configuration file and saves the file to the bootflash:
SW1#switch convert mode virtual
This command will convert all interface names to naming convention "interface-type switch-number/slot/port", save the running config to startup-config and reload the switch.
Converting interface names Building configuration

Similarly you need to enter the “switch convert mode virtual” command on
Switch 2 for converting to Virtual Switch Mode.
SW2#switch convert mode virtual

For troubleshooting VSS:


SW1#sh switch virtual
Executing the command on VSS member switch role = VSS Active, id = 1
Switch mode : Virtual Switch
Virtual switch domain number : 10
Local switch number : 1
Local switch operational role : Virtual Switch Active
Peer switch number : 2
Peer switch operational role : Virtual Switch Standby
Executing the command on VSS member switch role = VSS Standby, id = 2
Switch mode : Virtual Switch
Virtual switch domain number : 10
Local switch number : 2
Local switch operational role : Virtual Switch Standby
Peer switch number : 1
Peer switch operational role : Virtual Switch Active



The End
Finally I would like to thank all of my beloved
friends who read this book, and I hope you all
get the full benefit from this training. You are
the future, please make our future reach its
best. Don't forget our famous rule “one is none,
two are one”; by respect & keeping morals we
will all be together over the top.
Always Remember me with the best
God bless you All

Ahmed Nabil
DoN

Switch Course

Eng.Ahmed Nabil
DoN

2017