Switch Full Book 2017
Advanced Scalable Campus Multi-layer Switched Networks
Arranged by: Eng. AHMED NABIL (EL-DoN)
AHMED NABIL
New Cisco certifications model (diagram)
Cisco different certification fields (diagram: CCNA, CCNP and CCDA/CCDP tracks for R&S and SP)
Implementing Cisco IP Switched Networks (300-115)
Exam Description
Implementing Cisco IP Routing (300-101)
Exam Description
Troubleshooting and Maintaining Cisco IP Networks (300-135)
Exam Description
The following topics are general guidelines for the content that is
likely to be included on the exam. However, other related topics
may also appear on any specific version of the exam. To better
reflect the contents of the exam and for clarity, the following
guidelines may change at any time without notice.
Course Agenda by eng. Ahmed Nabil (el-Don):
Introducing Campus Network needs
Introducing the Enterprise Composite Network Model (ECNM)
TCP/IP Model:
Types of Networks:
Campus Network overview
Traffic Switching
• What is the difference between L1, L2 & L3 switching?
L1 switching:
• It is based on a shared bus mechanism, so L1 switching simply
floods input traffic to all other output ports
L2 Switching:
• Performs switching based on the destination address field of the
ingress frame
L3 Switching:
• Performs switching based on the destination address field of the
ingress packet
Transparent Bridging
• Transparent switching means that no host is aware of the
existence of a switch: a host sends frames to the MAC address
of the destination, not the switch (the switch does not modify
the frames that it forwards)
• A transparent bridge (switch) performs the following function:
1-Learning:
Forming the MAC table (CAM "Content Allocation Memory" table) by
listening to the source MAC address of incoming frames
• Forwarding modes:
a-Store & forward
b-Cut through
c-Modified cut through (uses both store & forward and cut
through, adapting automatically based on the traffic)
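The learning and forwarding behaviour described above, as an added Python simulation (not code from the original slides; the switch class, port names and MAC addresses are constructed for illustration). It learns source MACs into a CAM table, forwards known destinations out one port, floods broadcast and unknown unicast, filters frames whose destination sits on the ingress segment, and relearns a host that moves to another port.

```python
"""Transparent bridge simulation: learn source MACs, forward on destination MAC.

Added example, not from the original slides. Port names, MAC addresses and the
switch class are constructed for illustration; real CAM tables also age
entries out and are bounded in size, which this toy omits.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str            # source MAC address
    dst: str            # destination MAC address
    payload: bytes = b""


@dataclass
class TransparentSwitch:
    ports: list                                 # e.g. ["Fa0/1", "Fa0/2", "Fa0/3"]
    cam: dict = field(default_factory=dict)     # CAM table: MAC -> port learned on

    def receive(self, ingress: str, frame: Frame) -> list:
        """Process a frame arriving on `ingress`; return the list of egress ports."""
        if ingress not in self.ports:
            raise ValueError(f"unknown port {ingress}")
        # 1) Learning: associate the source MAC with the ingress port. A host that
        #    moves to another port is relearned there on its next frame.
        self.cam[frame.src] = ingress
        # 2) Forwarding decision uses only the destination MAC; the frame is relayed
        #    unchanged, which is why hosts never notice the bridge.
        if frame.dst == BROADCAST or frame.dst not in self.cam:
            # Broadcast and unknown unicast are flooded out every port but the ingress.
            return [p for p in self.ports if p != ingress]
        egress = self.cam[frame.dst]
        if egress == ingress:
            # Filtering: the destination lives on the segment the frame came from.
            return []
        return [egress]


def run_demo() -> list:
    """Constructed traffic sequence; returns the egress decision for each frame
    followed by the port on which host `a` was last learned."""
    sw = TransparentSwitch(["Fa0/1", "Fa0/2", "Fa0/3"])
    a, b, c = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    steps = [
        ("Fa0/1", Frame(a, b)),          # b unknown -> flood to Fa0/2, Fa0/3
        ("Fa0/2", Frame(b, a)),          # a known on Fa0/1 -> forward there only
        ("Fa0/1", Frame(a, b)),          # b now known -> Fa0/2 only
        ("Fa0/1", Frame(c, a)),          # c shares Fa0/1 with a -> filtered
        ("Fa0/2", Frame(b, BROADCAST)),  # broadcast -> Fa0/1, Fa0/3
        ("Fa0/3", Frame(a, b)),          # a moved to Fa0/3; relearned there
    ]
    return [sw.receive(port, frame) for port, frame in steps] + [sw.cam[a]]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The filtering step is what distinguishes a bridge from a hub: once the table is populated, unicast traffic between two hosts is no longer visible on the other ports.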
(Ethernet ports and cards types)
• Ethernet was chosen as the most popular LAN technology over
(FDDI, CDDI, Token Ring, ATM) due to its low cost, ease of
installation, market availability & scalability to higher
bandwidths
• Ethernet follows the IEEE 802.3 standards and it is offered in
many flavours
1) Ethernet (10Mbps): IEEE 802.3
10Base-T, 10Base-F
2) Fast Ethernet (100Mbps): IEEE802.3u
-100Base-TX, 100Base-FX (SMF 10km & MMF 2km)
-Auto negotiation for duplex and speed can take place
between Ethernet devices; the two devices will settle on the
highest speed and duplex both can offer
-Built on Ethernet principles, runs at 100 Mbps, uses the same
frame types, lengths and formats, still CSMA/CD; same MAC
layer, new physical layer
3) FEC (Fast Ether Channels): Cisco proprietary
bundles multiple Fast Ethernet links to provide speeds from
400Mbps to 1600Mbps
4) Gigabit Ethernet (1000Mbps): IEEE 802.3ab (gigabit over
copper) & IEEE 802.3z (gigabit over fiber)
1000Base-T, 1000Base-SX (MMF 275m-550m), 1000Base-LX/LH
(MMF 550m, SMF 10km), 1000Base-ZX (SMF 100km)
MMF: 62.5/125 or 50/125
SMF: 9/125 or 8/125
6) 10Gigabit Ethernet (10Gbps): IEEE802.3ae
Using fiber, or copper for 100m distances on Cat 6E / Cat 7 cables.
10GbE can work as both a LAN & WAN technology, so it introduced PMD
(Physical Media Dependent) fiber optic interfaces, classified into:
-LAN PHY: Interconnects switches in campus networks
-WAN PHY: Interfaces with existing SONET or SDH found in MANs
10GBase-SR/SW, 10GBase-LR/LW (10km), 10GBase-ER/EW (70km),
10GBase-LX4/LW4 (WDM)
Gigabit Ethernet Port Cables and Connectors
Gigabit Ethernet connections take a different approach by providing modular
connectivity options. Catalyst switches with Gigabit Ethernet ports have
standardized rectangular openings that can accept gigabit interface converter
(GBIC) or small form factor pluggable (SFP) modules. The GBIC and SFP
modules provide the media personality for the port so that various cable
media can connect. In this way, the switch chassis is completely modular
and requires no major change to accept a new media type. Instead, the
appropriate module is hot-swappable and is plugged into the switch to
support the new media. GBIC modules can use SC fiber-optic and RJ-45 UTP
connectors. SFP modules can use LC and MT-RJ fiber-optic and RJ-45 UTP
connectors. GBIC and SFP modules are available for the following Gigabit
Ethernet media:
■ 1000BASE-SX—Short-wavelength connectivity using SC fiber connectors
and MMF for distances up to 550 m (1804 feet).
■ 1000BASE-LX/LH—Long-wavelength/long-haul connectivity using SC fiber
connectors and either MMF or single-mode fiber (SMF); MMF can be used for
distances up to 550 m (1804 feet), and SMF can be used for distances up to
10 km (32,810 feet). MMF requires a special mode-conditioning cable for
fiber distances less than 100 m (328 feet) or greater than 300 m (984 feet).
This keeps the GBIC from overdriving the far-end receiver on a short cable
and lessens the effect of differential mode delay on a long cable.
■ 1000BASE-ZX—Extended-distance connectivity using SC fiber connectors
and SMF; works for distances up to 70 km, and even to 100 km when used
with premium grade SMF.
■ GigaStack—Uses a proprietary connector with a high-data-rate copper
cable with enhanced signal integrity and electromagnetic interference (EMI)
performance; provides a GBIC-to-GBIC connection between stacking
Catalyst switches or between any two Gigabit switch ports over a short
distance. The connection is full duplex if only one of the two stacking
connectors is used; if both connectors are used, they each become half
duplex over a shared bus.
■ 1000BASE-T—Sports an RJ-45 connector for four-pair UTP cabling; works
for distances up to 100 m (328 feet).
Caution: The fiber-based modules always have the receive fiber on the left
connector and the transmit fiber on the right connector, as you face the
connectors. These modules could produce invisible laser radiation from the
transmit connector. Therefore, always keep unused connectors covered with the
rubber plugs, and don’t ever look directly into the connectors.
Hardware platform model numbers
Switch H/W Platform
To read properly the switch hardware capabilities you
should learn the below H/W platform map.
Modular Switches
Switch Operating Systems (S/W platforms)
1) Catalyst OS (Cat OS or XDI)
• This user interface allows session and monitoring
commands to be intermingled with set-based
configuration commands (using the set and clear
commands); this OS was inherited from "Crescendo
Communications", the old company that used to
manufacture Cisco switches.
• This operating system supported only L2
switching on the 2948G, Catalyst 4000 supervisor I & II,
Catalyst 5000 and 6000/6500 with any supervisor
• These switches now support Cisco IOS (native IOS)
2) Cisco IOS:
• This user interface is identical to Cisco routers,
where hierarchical configuration modes are used
• This operating system can support both L2 & L3
switching for all switches (Cisco Catalyst 2950, 2960,
2960x, 3560, 3650, 3750, 3850, 4500 sup III & IV and
6000/6500/6800 with any supervisor)
• Used with any multi-layer port (a port that acts like a
router port (Layer 3) or like a switched port (Layer
2))
3) Nexus OS (NX-OS):
Runs on the new line of Cisco data center
switches called Nexus switches
Note: Juniper uses JUNOS as the OS for all its
switches
Switch IOS feature sets (diagram): IP Plus, IP Lite, LAN Lite
Hierarchical Network Design
2960-X models (diagram)
2-Distribution Layer (Aggregation Layer):
• Provides interconnection between the campus network access &
core layers
• High L3 throughput
• Security & policy-based connectivity & QoS
• Scalability, redundant & resilient high-speed links
Modular Network Design
(Enterprise Composite Network Model)
ECNM
• ECNM contains:
1-Enterprise Campus (Access-Distribution-Core)
2-Enterprise edge
3-Service provider edge
1-Enterprise Campus Modules
a) Basic Modules:
1-Switch block:
• A group of access layer switches together with their
distribution switches
• VLANs & STP are confined within the distribution layer
boundary
2-Core block:
• The campus network backbone
• It interconnects all blocks together; all traffic passing from one
block to another must cross the core block
• Core block designs:
-Collapsed core:
The core layer is collapsed into the distribution layer (the core is a wire
between distribution layer switches); a
collapsed core is not an independent block but is integrated into the
distribution layer
-Dual core:
A dual core connects two or more switch blocks in a redundant
fashion.
This core appears as an independent module & is not merged into
any other blocks or layers.
The core block could be L2 switches, but in this case load sharing will
not be achieved due to STP
b) Other modules:
1) Server Farm block:
• A group of enterprise servers along with their access &
distribution layer switches
• It is a block that contains servers or applications accessed
by most enterprise users
• Also, for redundancy, there may exist more than one server farm
block
1)Identify a switch
3)Remote Access
• Accessing a switch remotely (ping, telnet, SNMP) requires
giving the switch an IP, mask & default gateway
(config)#ip default-gateway <gateway ip>
(config)#interface vlan <vlan id>
(config-if)#ip address <ip> <mask>
(config-if)#no shutdown
• The configured VLAN is called the management VLAN and it
could be any VLAN, but a switch can have only one
management VLAN
Connecting devices
• A crossover cable is used to connect two switches
• A straight cable is used to connect a switch to a host
• MDI / MDIX (Media Dependent Interface / Media Dependent
Interface crossover) is a feature that enables connecting a straight
cable between two switches or hubs
In CDP ver 2:
Added to the message:
-VTP Domain
-Native VLAN
-Duplex
-Rapid error tracking for (native VLAN mismatch, duplex mismatch, ...)
Link Layer Discovery Protocol
The Link Layer Discovery Protocol (LLDP) is similar to CDP, but is
based on the IEEE 802.1ab standard. As a result, LLDP works in
multivendor networks. It is also extensible because information is
advertised by grouping attributes into Type-Length-Value (TLV)
structures.
LLDP also supports additional TLVs (messages) that are unique to
audio-visual devices such as VoIP phones. The LLDP Media
Endpoint Device (LLDP-MED) TLVs carry useful device
information like a network policy with VLAN numbers and quality of
service information needed for voice traffic, power management,
inventory management, and physical location data. LLDP supports
the LLDP-MED TLVs by default, but it cannot send both basic and
MED TLVs simultaneously on a switch port. Instead, LLDP sends
only the basic TLVs to connected devices. If a switch receives
LLDP-MED TLVs from a device, it will begin sending LLDP-MED
TLVs back to the device.
By default, LLDP is globally disabled on a Catalyst switch. To see if
it is currently running or not, use the show lldp command. You can
enable or disable LLDP with the lldp run and no lldp run
configuration commands, respectively.
(config)#lldp run
On interface:
(config-if)#[no] lldp {transmit|receive}
Use the following command to display information about LLDP
advertisements that have been received by a switch.
Switch# show lldp neighbors [type member/module/number]
[detail]
Use the show lldp neighbors command to see a summary of
neighbors that have been discovered.
Troubleshooting
b)vlan.dat: stored in flash
c)running-config: stored in RAM
• Other files:
System-env-vars:
a text file containing system variables such as the MAC
address, model number, serial number & various
module information;
it is stored in ROM (copy in Flash) & displayed by:
#show version
Cisco IOS File System and Devices
To delete vlan.dat:
#delete flash:vlan.dat
#delete vlan.dat
Managing Cisco IOS Images
Switch#show flash
Directory of flash:/
– Verify that flash memory has room for the Cisco IOS
image.
Troubleshooting
show vs. debug:
                            show              debug
Processing characteristics  Static            Dynamic
Processing load             Low overhead      High overhead
Primary use                 Gather facts      Observe processes
#debug <command>
To cancel debug action:
#no debug <command/all>
#undebug all
Password recovery
• For any model check manual or check google
CDP & LLDP Questions
Question 1
What is the default interval at which Cisco devices send Cisco Discovery Protocol
advertisements?
Question 2
Which statement about Cisco Discovery Protocol configuration on a Cisco switch is true?
A. CDP is enabled by default and can be disabled globally with the command no cdp run.
B. CDP is disabled by default and can be enabled globally with the command cdp enable.
C. CDP is enabled by default and can be disabled globally with the command no cdp enable.
D. CDP is disabled by default and can be enabled globally with the command cdp run.
Question 3
A network engineer notices inconsistent Cisco Discovery Protocol neighbors according to the
diagram that is provided. The engineer notices only a single neighbor that uses Cisco Discovery
Protocol, but it has several routing neighbor relationships. What would cause the output to
show only the single neighbor?
Question 4
After the implementation of several different types of switches from different vendors, a
network engineer notices that directly connected devices that use Cisco Discovery Protocol are
not visible. Which vendor-neutral protocol could be used to resolve this issue?
A. Local Area Mobility B. Link Layer Discovery Protocol C. NetFlow D. Directed Response
Protocol
Question 5
While doing network discovery using Cisco Discovery Protocol, it is found that rapid error
tracking is not currently enabled. Which option must be enabled to allow for enhanced
reporting mechanisms using Cisco Discovery Protocol?
Question 7
Which statement about Cisco devices learning about each other through Cisco Discovery
Protocol is true?
Question 8
Which option lists the information that is contained in a Cisco Discovery Protocol
advertisement?
Question 9
Which option describes a limitation of LLDP?
Question 10
Which statement about using native VLANs to carry untagged frames is true?
A. Cisco Discovery Protocol version 2 carries native VLAN information, but version 1 does not.
B. Cisco Discovery Protocol version 1 carries native VLAN information, but version 2 does not.
C. Cisco Discovery Protocol version 1 and version 2 carry native VLAN information.
D. Cisco Discovery Protocol version 3 carries native VLAN information, but versions 1 and 2 do
not.
VLANs & Trunks
(they bring the far near and push the near away, oh how cruel you are)
Overview
• A full layer 2 only switched network is a single broadcast
domain, so the network must be subdivided into VLANs
• By definition a VLAN is a single broadcast domain; VLANs are
characterised by:
-They allow load balancing over multiple parallel paths, so
enhancing bandwidth utilization
-They enhance network security
-They confine broadcasts, so introducing better broadcast control
-They can span multiple switches (no physical boundaries); a VLAN
can group users based on their business requirements
(business departments) independent of any physical location
• Segmentation
• Flexibility
• Security
Deploying VLANs
• The number of VLANs depends on the network
requirements
• Cisco recommends a one-to-one VLAN-to-IP-subnet relation in
order to isolate VLAN broadcasts & be able to
perform inter-VLAN routing
• VLANs can be implemented using two basic methods:
1) Local VLANs
2) End to End VLANs
-Local VLAN:
• Also called geographic VLANs, keeping the VLAN within a
switch block
• Local VLANs are created based on geographic or physical
locations
• Local VLAN designs also obey the 20/80 rule
VLAN membership
Types of Switch ports
• Access-Link:
-A switch port that is a member of only one VLAN (the native
VLAN by default)
-This port usually connects a switch to a host
-This port expects to receive untagged frames and
sends untagged frames.
(config-if)#switchport mode access
• Trunk-Link:
-A switch port that is a member of all VLANs by default, so
traffic from all VLANs can use a trunk link
-It is mainly used to connect two switches together or a
switch and a router
-This port receives and sends tagged frames unless the data
belongs to the native VLAN
(config-if)#switchport mode trunk
(config-if)#switchport trunk allowed vlan <list of vlans>
(config-if)#switchport trunk native vlan <vlan number>
To activate a VLAN
(config)#interface ____
(config-if)#switchport mode access
(config-if)#switchport access vlan <vlan id>
(config)#interface Fastethernet 0/3
(config-if)#switchport mode access
(config-if)#switchport access vlan 52
Troubleshooting VLANs:
Switch#show vlan [id | name] [vlan_num | vlan_name]
#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/5, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/11, Fa0/12
                                                Gi0/1, Gi0/2
2    VLAN0002                         active
52   Sales                            active    Fa0/3
…
VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
2    enet  100002     1500  -      -      -        -    -        0      0
52   enet  100052     1500  -      -      -        -    -        0      0
…
Configuration:
#configure terminal
(config)#vlan <id>
(config-vlan)#name <vlan name>
Creating a VLAN:
Switch#configure terminal
Switch(config)#vlan 3
Switch(config-vlan)#name sales
Switch(config-vlan)#exit
Switch(config)#
Deleting a VLAN:
Switch#configure terminal
Switch(config)#no vlan 3
Switch(config)#end
VLAN Trunks
• To connect a switch port to another switch port or a
router while deploying VLANs, we need a method for
inter-switch VLAN communication so that a VLAN
can span multiple switches
• VLAN trunks enable communication between
members of the same VLAN that exist on different physical
switches
(diagram: without trunking vs. with trunking)
• Dot1q also introduced the concept of the native VLAN on a trunk:
frames belonging to this VLAN are not tagged with any
VLAN id; using this feature, 802.1q tagging devices & non-
802.1q devices can co-exist on an 802.1q trunk.
• The native VLAN is by default VLAN 1, which is also called the
management VLAN (the management VLAN is the VLAN that
carries frames from all protocols (CDP, VTP, DTP, ...)); the
native VLAN can be changed by configuration.
• The IEEE 802.3ac standard extends the maximum Ethernet
frame size to 1522 bytes
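The tag format and native VLAN behaviour above, as an added Python example (not code from the original slides; MAC addresses, VLAN numbers and payloads are constructed, and the FCS is omitted). It builds and decodes the 4-byte tag (TPID 0x8100 plus a 16-bit TCI whose low 12 bits are the VID), sends native VLAN frames untagged on a trunk, and shows how the receiving side maps an untagged frame to its own native VLAN, which is why a native VLAN mismatch lets untagged traffic cross between VLANs.

```python
"""Build and decode 802.1Q tagged Ethernet frames, including native VLAN handling.

Added example, not from the original slides. MAC addresses, VLAN numbers and
payloads are constructed; the FCS is omitted, so lengths exclude the 4-byte CRC.
"""
import struct

TPID_8021Q = 0x8100      # EtherType value that announces a dot1q tag
ETHERTYPE_IPV4 = 0x0800
TAG_LEN = 4              # TPID (2 bytes) + TCI (2 bytes): the 802.3ac extension


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def build_frame(dst: str, src: str, payload: bytes, vlan=None, pcp=0,
                ethertype=ETHERTYPE_IPV4) -> bytes:
    """Return a frame; vlan=None produces an untagged frame."""
    if vlan is not None and not 0 <= vlan <= 4095:
        raise ValueError("VID is a 12-bit field (0-4095)")
    frame = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)    # DEI bit left at 0
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the header; 'vlan' is None when no tag is present."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "vlan": None, "pcp": None}
    offset = 14
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        info["vlan"], info["pcp"] = tci & 0x0FFF, tci >> 13
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    info["ethertype"], info["payload"] = ethertype, frame[offset:]
    return info


def trunk_egress(dst: str, src: str, payload: bytes, vlan: int, native_vlan=1) -> bytes:
    """Sending side of a dot1q trunk: native VLAN frames leave untagged."""
    return build_frame(dst, src, payload, vlan=None if vlan == native_vlan else vlan)


def trunk_ingress_vlan(frame: bytes, native_vlan=1) -> int:
    """Receiving side: an untagged frame is assigned to this side's native VLAN.
    If the two ends disagree on the native VLAN, untagged traffic silently
    crosses between VLANs, which is the mismatch CDP warns about."""
    vlan = parse_frame(frame)["vlan"]
    return native_vlan if vlan is None else vlan


if __name__ == "__main__":
    f = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", b"\x00" * 46, vlan=52, pcp=5)
    print(parse_frame(f))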
DTP
(Dynamic Trunk Protocol)
• A Cisco proprietary protocol used to automatically negotiate a
common trunking mode (negotiate whether a link will be access or
trunk) between two switches; the trunk encapsulation
type can also be negotiated. DTP negotiation is repeated every 30 sec.
• A router cannot participate in DTP, so if a switch port is connected
to a router, DTP must be disabled & the switch port must be manually
configured.
• Note: DTP is negotiated between switches working in the same VTP
domain or if one of the domains is the null domain; so if switches are in
different domains, you must set the trunk configuration to "on" or
"nonegotiate", which will force the trunk to be established.
• DTP modes (Mode / Function):
Configuring trunking
(config)#interface <_>
(config-if)#switchport mode {access/trunk/dynamic
desirable/dynamic auto}
-access: only in one VLAN, no negotiation (no DTP messages).
-trunk: permanently trunk & generates DTP messages.
-dynamic desirable: (default) actively attempts to become a trunk
(sends DTP messages).
-dynamic auto: only if the far end desires a trunk will it become a
trunk; it passively (does not initiate messages) attempts to be a trunk.
(config-if)#switchport nonegotiate
-nonegotiate: disables DTP & forces a permanent trunk.
(config-if)#switchport trunk encapsulation {isl/dot1q/negotiate}
default is negotiate; ISL is favoured if both negotiating switches
support it.
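How the modes on the two ends of a link resolve, as an added Python example (not code from the slides or from Cisco; it encodes the standard switchport-mode interaction behaviour, and the interface names in the demo are constructed). The mode string "nonegotiate" here models `switchport mode trunk` plus `switchport nonegotiate`. The second function goes a step beyond the text: it audits a port table and lists the ports that a DTP-speaking neighbour could still bring up as a trunk, which is the check behind setting host-facing ports to access mode.

```python
"""Resolve a link's operational state from the two switchport modes.

Added example, not from the original slides; it encodes the standard Cisco
switchport-mode interaction behaviour. Interface names and configs below are
constructed. 'nonegotiate' stands for 'switchport mode trunk' plus
'switchport nonegotiate' (permanent trunk, no DTP frames sent).
"""
VALID_MODES = {"access", "trunk", "dynamic desirable", "dynamic auto", "nonegotiate"}


def link_state(local: str, remote: str) -> str:
    """Return 'trunk', 'access' or 'mismatch' for the two ends of a link."""
    for mode in (local, remote):
        if mode not in VALID_MODES:
            raise ValueError(f"unknown switchport mode {mode!r}")
    modes = {local, remote}
    if "access" in modes:
        # An access port never trunks; facing a permanent trunk the link is
        # misconfigured (one side tags frames, the other does not).
        return "mismatch" if modes & {"trunk", "nonegotiate"} else "access"
    if "nonegotiate" in modes:
        # No DTP is sent, so a dynamic neighbour never learns to trunk.
        others = modes - {"nonegotiate"}
        return "trunk" if others <= {"trunk"} else "mismatch"
    if "trunk" in modes or "dynamic desirable" in modes:
        return "trunk"        # a trunk or desirable end brings a dynamic peer up
    return "access"           # dynamic auto on both ends: nobody initiates


def ports_that_would_trunk(port_modes: dict, peer_mode="dynamic desirable") -> list:
    """Ports whose mode lets a DTP-speaking neighbour (default: desirable)
    negotiate a trunk; host-facing ports should not appear in this list."""
    return sorted(port for port, mode in port_modes.items()
                  if link_state(mode, peer_mode) == "trunk")


if __name__ == "__main__":
    # Constructed port table for the audit.
    cfg = {"Fa0/1": "access", "Fa0/2": "dynamic auto",
           "Fa0/3": "dynamic desirable", "Gi0/1": "trunk"}
    print(ports_that_would_trunk(cfg))
```

Note that the first check reflects the slide's point that an access port sends no DTP messages at all: it neither negotiates nor responds, so it is the mode to configure on ports where trunking should never form.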
Switchport Mode Interactions (table)
Troubleshooting
#sh dtp interface <interface>
(TOS/TAS/TNS = Trunk Operational/Administrative/Neighbor State)
. . .
Troubleshooting VLAN Issues
Configuration problems can arise when user traffic must
traverse several switches. The following sections list some
common configuration errors. But before you begin
troubleshooting, create a plan. Check the implementation plan
for any changes recently made, and determine likely problem
areas.
Troubleshooting Trunking
When troubleshooting trunking, make sure that physical layer
connectivity is present before moving on to search for
configuration problems such as:
- Are both sides of the link in the correct trunking mode?
- Is the same trunk encapsulation on both sides?
- If 802.1Q, is the same native VLAN on both sides? Look for CDP
messages warning of this error.
- Are the same VLANs permitted on both sides?
- Is a link trunking that should not be?
VLAN Questions
Question 1
Which feature is automatically enabled when a voice VLAN is configured, but not
automatically disabled when a voice VLAN is removed?
Question 2
In which portion of the frame is the 802.1q header found?
A. within the Ethernet header B. within the Ethernet payload C. within the Ethernet FCS
D. within the Ethernet source MAC address
Question 3
What is required for a LAN switch to support 802.1q Q-in-Q encapsulation?
Question 4
What is the size of the VLAN field inside an 802.1q frame?
Question 5
What is the maximum number of VLANs that can be assigned to an access switchport
without a voice VLAN?
A. 0 B. 1 C. 2 D. 1024
Question 6
What does the command "vlan dot1q tag native" accomplish when configured under global
configuration?
A. All frames within the native VLAN are tagged, except when the native VLAN is set to 1.
B. It allows control traffic to pass using the non-default VLAN.
C. It removes the 4-byte dot1q tag from every frame that traverses the trunk interface(s).
D. Control traffic is tagged.
VLAN Trunking
Question 1
Refer to the exhibit.
SW-1#sh logging %SPANTREE-SP-2-RECV_PVID_ERR: Received BPDU with
inconsistent peer Vlan id 1 on GigabitEthernet1/2 VLAN2013.
%SPANTREE-SP-2-BLOCK_PVID_PEER: Blocking GigabitEthernet1/2 on VLAN0001.
Inconsistent peer vlan.
A multilayer switch has been configured to send and receive encapsulated and tagged
frames. VLAN 2013 on the multilayer switch is configured as the native VLAN. Which
option is the cause of the spanning-tree error?
Question 2
Refer to the exhibit.
3512xl(config)#int fastEthernet 0/1
3512xl(config-if)#switchport mode trunk
3512xl(config-if)#switchport trunk encapsulation dot1q
How many bytes are added to each frame as a result of the configuration?
Question 3
A network engineer must implement Ethernet links that are capable of transporting
frames and IP traffic for different broadcast domains that are mutually isolated.
Consider that this is a multivendor environment. Which Cisco IOS switching feature
can be used to achieve the task?
Question 5
For security reasons, the IT manager has prohibited users from dynamically establishing
trunks with their associated upstream switch. Which two actions can prevent interface
trunking? (Choose two)
Question 6
Which two protocols can be automatically negotiated between switches for trunking?
(Choose two)
A. PPP B. DTP C. ISL D. HDLC E. DLCI F. DOT1Q
Question 7
The network manager has requested that several new VLANs (VLAN 10, 20, and 30) are
allowed to traverse the switch trunk interface. After the command "switchport trunk
allowed vlan 10,20,30" is issued, all other existing VLANs no longer pass traffic over the
trunk. What is the root cause of the problem?
A. The command effectively removed all other working VLANs and replaced them with
the new VLANs.
B. VTP pruning removed all unused VLANs.
C. ISL was unable to encapsulate more than the already permitted VLANs across the
trunk.
D. Allowing additional VLANs across the trunk introduced a loop in the network.
Question 8
A manager tells the network engineer to permit only certain VLANs across a specific
trunk interface. Which option can be configured to accomplish this?
A. allowed VLAN list B. VTP pruning C. VACL D. L2P tunneling
VTP
(VLAN Trunking Protocol)
VTP Overview
• Campus network environments may consist of many interconnected
switches, so configuring & managing a large number of switches,
VLANs & VLAN trunks can quickly get out of control; therefore Cisco
developed a method to manage VLANs across the campus network.
• VTP is a Cisco proprietary messaging protocol that uses Layer 2 trunk
frames; the standard VTP-like protocol is called GVRP (Group VLAN
Registration Protocol) & the newest standard version is MVRP (Multiple
VLAN Registration Protocol).
• VTP manages the synchronization of VLAN.dat: addition, deletion &
renaming (modification), ADM, of VLANs by exchanging VLAN configuration
between switches over trunk links.
• Only VLAN information is shared via VTP; port information (such
as which port belongs to which VLAN) is not shared.
• Further, VTP allows you to make centralized changes that are
communicated to all other switches in the network, enhancing the
plug & play environment.
• Finally, two conditions must exist:
1-VTP information is exchanged over trunks only.
2-All switches that need to exchange VTP messages must be configured in
the same VTP domain.
VTP domains
• VTP management domains are groups of devices with common
VLAN requirements (VLAN names, native VLAN, pruned
VLANs, ...)
• A switch can belong to only one VTP domain; the default domain
name is NULL (a blank string)
• So when a VLAN is added to a switch in a domain, other switches
in the same domain are notified of the new VLAN through VTP
advertisements
VTP Synchronization
• VTP configuration revision number:
-Indicates to the receiving switch whether the VTP message contains a new
change or not
-Every 300 sec, a server switch sends out periodic advertisements for the
information it is holding, so clients need not process the same
information again if no change has occurred on the server
-Also, if there are multiple servers, some kind of synchronization is
needed to indicate which change is the most up to date
-The revision number starts at zero & increments with every change
configured on a server switch; the highest number means the most
up-to-date information
-The revision number on a transparent switch is always 0; the revision
number is saved in NVRAM, so it is not affected by switching the power
off
• To reset the revision number:
-Change the switch from server to transparent, then to server again
-Change the domain name to a bogus (non-existing) name & back to the
original name
VTP operation
• VTP advertisements are sent as multicast frames.
• VTP servers and clients are synchronized to the latest revision number.
• VTP advertisements are sent every 5 minutes or when there is a change.
VTP switch modes
• Each switch must operate in one of the following modes:
1)Server mode:
-Default mode
-Can add, delete, modify VLAN configuration
-Generates VTP messages for any VLAN configuration change
-Can process (is affected by) VTP messages
-Can propagate VTP messages from other servers
-It saves the configuration in the switch vlan.dat file (NVRAM/Flash)
2)Client mode:
-Does not allow the administrator to add, delete, or modify VLANs
-Can propagate VTP messages from others
-Can process (is affected by) VTP messages
-VTP configuration is not saved on the switch
-Generates VTP request messages
3)Transparent mode:
-Does not participate in VTP
Tip: Even though it seems as if a client should strictly listen to
advertisements from servers, a client can and does send out its own
advertisements. When it first powers up, a client sends a summary
advertisement from its own stored database. It realizes that it has
a greater revision number if it receives an inferior advertisement
from a server. Therefore, it sends out a subset advertisement with
the greater revision number, which VTP servers will accept as more
up-to-date information.
VTP Authentication
• By default, management domains are set to a nonsecure
mode, meaning that the switches interact without using a
password.
• Adding a password automatically sets the management
domain to secure mode; a password must be configured on
every switch in the management domain to use secure
mode and assure proper authentication
VTP messages
• They are sent to a special Cisco multicast address
1)Subset advertisement message:
A server generates this message after each change or after
hearing an advertisement request message
It contains:
-VTP version
-VTP domain name
-Configuration revision number
-Subset sequence number
-All VLAN status up to the last change
-MD5 Hash
2)Summary advertisement message:
Generated by a server periodically every 300sec & every time
a VLAN database change occurs
It contains:
-VTP version
-VTP domain name
-Configuration revision number
-The number of subset advertisements to follow
-MD5 hash code for authentication
3) Advertisement Request message:
A VTP client generates this message to request any missing VLAN
information from VTP servers (recall that clients don't store
VLAN configuration), so a client needs to learn the configuration
every time it boots up; servers can also use this message to
request info from another server
It contains:
-VTP version, VTP domain name, starting subset sequence number,
MD5 Hash
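The revision-number synchronization, the switch modes and the message checks described in the last three sections, as one added Python simulation (not the slides' or Cisco's code). The digest is a simplified stand-in (MD5 over domain, password and VLAN list, not the real VTP message layout); switch names, the domain, password and VLANs are constructed. The scenario function replays the slides' Tip: a previously used client with a higher revision number joining the domain overwrites the server's VLAN database, unless its revision was reset first by flipping the mode through transparent.

```python
"""VTP advertisement handling: domain, revision number and digest checks.

Added example, not the slides' or Cisco's code. The digest is a simplified
stand-in (MD5 over domain, password and VLAN list, not the real VTP digest
layout); switch names, the domain, password and VLANs are constructed.
"""
import hashlib
from dataclasses import dataclass, field


def vtp_digest(domain: str, password: str, vlans: dict) -> str:
    body = domain + "\0" + password + "\0" + ",".join(
        f"{vid}:{name}" for vid, name in sorted(vlans.items()))
    return hashlib.md5(body.encode()).hexdigest()


@dataclass
class Advertisement:
    domain: str
    revision: int
    vlans: dict        # summary + subset rolled into one message for brevity
    md5: str


@dataclass
class VtpSwitch:
    name: str
    domain: str
    mode: str = "server"             # server | client | transparent
    password: str = ""
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})
    digest_errors: int = 0           # like 'Number of config digest errors'
    ignored_stale: int = 0           # advertisements with revision <= ours

    def add_vlan(self, vid: int, name: str) -> None:
        if self.mode == "client":
            raise PermissionError("VTP client: VLAN changes are not allowed")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1       # transparent switches keep revision 0

    def advertise(self) -> Advertisement:
        return Advertisement(self.domain, self.revision, dict(self.vlans),
                             vtp_digest(self.domain, self.password, self.vlans))

    def receive(self, adv: Advertisement) -> bool:
        """Apply adv if same domain, digest matches and revision is higher."""
        if self.mode == "transparent" or adv.domain != self.domain:
            return False             # transparent only relays; other domains ignored
        if adv.md5 != vtp_digest(adv.domain, self.password, adv.vlans):
            self.digest_errors += 1  # password mismatch or altered message
            return False
        if adv.revision <= self.revision:
            self.ignored_stale += 1
            return False
        # Any sender with a higher revision wins, a client included (see the Tip).
        self.vlans, self.revision = dict(adv.vlans), adv.revision
        return True

    def reset_revision(self) -> None:
        """Slides' procedure: switch to transparent and back to zero the revision."""
        original = self.mode
        self.mode, self.revision = "transparent", 0
        self.mode = original


def stale_switch_scenario(reset_first: bool) -> dict:
    """A previously used client (revision 9) joins a domain whose server is at 2."""
    server = VtpSwitch("Core", "Lab_Network", password="vtp-pass")
    server.add_vlan(10, "users")
    server.add_vlan(20, "voice")
    old = VtpSwitch("Old", "Lab_Network", mode="client", password="vtp-pass",
                    revision=9, vlans={1: "default", 99: "stale"})
    if reset_first:
        old.reset_revision()
    changed = server.receive(old.advertise())
    return {"changed": changed, "server_vlans": sorted(server.vlans),
            "revision": server.revision}


if __name__ == "__main__":
    print(stale_switch_scenario(reset_first=False))
    print(stale_switch_scenario(reset_first=True))
```

The password check models secure mode: a switch with a different password computes a different digest and counts a digest error instead of applying the update, which is the counter to look at in the troubleshooting output when VLANs stop propagating.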
VTP pruning
• Before pruning:
Unknown unicast & broadcast traffic from one VLAN will fill all trunk
links, even if the destination VLAN is not the same as source VLAN.
VTP pruning makes more efficient use of trunk bandwidth by reducing
unnecessary flooded traffic.
• After pruning:
Trunks will not forward flooded
traffic of a VLAN that does not exist on
the other side of trunk.
• Note:
-VLAN 1, 1002-1005 are ineligible to be pruned
-VTP pruning occurs as an extension to VTP version 1, using an
additional VTP message type. When a Catalyst switch has a port
associated with a VLAN, the switch sends an advertisement to its
neighbor switches that it has active ports on that VLAN. The
neighbors keep this information, enabling them to decide whether
flooded traffic from a VLAN should use a trunk port.
VTP Configuration
(config)#vtp domain <domain name>
(config)#vtp mode {server/client/transparent/off}
(config)#vtp password <password> [hidden|secret]
(config)#vtp version {1/2/3}
For VTP ver3:
Switch#vtp primary vlan
This system is becoming primary server for feature vlan
No conflicting VTP3 devices found.
Do you want to continue?[confirm]
! This command makes the switch the primary server for propagating
VLAN.dat and makes the switch check whether another primary
exists; only one primary switch is allowed. Notice the
command is in enable mode, not global configuration mode !
To make the switch primary for MST (discussed later):
#vtp primary mst
(config)#vtp pruning
• Static pruning:
used with
-Servers, to avoid pruning of general-purpose VLANs (if they exist).
-Servers connected to transparent switches.
-Servers, clients or transparent switches.
(config-if)#switchport trunk pruning vlan
{add/except/none/remove} <vlan list>
• note:
STP will run instances for all VLANs, even pruned ones, unless
we use the command:
(config-if)#switchport trunk allowed vlan <_> .........
Troubleshooting VTP
Switch#show vtp status
VTP Version : 1 to 3
VTP version running : 1
Configuration Revision : 247
Maximum VLANs supported locally : 1005
Number of existing VLANs : 33
VTP Operating Mode : Client
VTP Domain Name : Lab_Network
VTP Pruning Mode : Enabled
VTP V2 Mode : Disabled
MD5 digest : 0x45 0x52 0xB6 0xFD 0x63 0xC8 0x49
Configuration last modified by 0.0.0.0 at 8-12-99 15:04:49
Switch#
Switch#show vtp counters
VTP statistics:
Summary advertisements received : 7
Subset advertisements received : 5
Request advertisements received : 0
Summary advertisements transmitted : 997
Subset advertisements transmitted : 13
Request advertisements transmitted : 3
Number of config revision errors : 0
Number of config digest errors : 0
Number of V1 summary errors : 0
Other useful commands:
#sh vlan
#sh vlan brief
#sh interface [_] pruning
#sh interface [_] trunk
#sh interface [_] switchport
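The configuration revision counter and the MD5 digest shown above are what decide whether a switch replaces its VLAN database with an advertised one. The following Python model is an added worked example for this page, not Cisco code: it applies the domain-name, digest, revision and mode rules described in this chapter to a constructed scenario in which a lab switch with a stale but higher revision number is cabled into production. The digest helper is a deliberate simplification (MD5 over the password and the VLAN list) and that, together with the switch names and VLAN numbers, is an assumption of the model.

```python
"""Model of the checks a VTP server or client applies before it replaces
its VLAN database with an advertised one. Added illustration for this
page, not Cisco's code: the domain / revision / mode rules are the ones
described above; the digest is a simplified stand-in (MD5 over password
and VLAN list) and that simplification is an assumption of the model."""
import hashlib
from dataclasses import dataclass, field


def vtp_digest(password: str, vlans) -> str:
    # Assumption: real VTP hashes the whole VLAN database keyed by the
    # password; password plus sorted VLAN list is enough here to show why
    # a password mismatch produces a "config digest error".
    payload = password.encode() + ",".join(map(str, sorted(vlans))).encode()
    return hashlib.md5(payload).hexdigest()


@dataclass
class VtpSwitch:
    name: str
    domain: str
    mode: str                      # server, client, transparent or off
    password: str = ""
    revision: int = 0
    vlans: set = field(default_factory=lambda: {1})

    def summary(self) -> dict:
        """Summary advertisement: domain, revision and digest, plus the
        VLAN list that the following subset advertisements would carry."""
        return {"domain": self.domain, "revision": self.revision,
                "digest": vtp_digest(self.password, self.vlans),
                "vlans": set(self.vlans)}

    def receive(self, adv: dict) -> str:
        """Apply a received advertisement and return a one-line verdict."""
        if self.mode in ("transparent", "off"):
            return "ignored: transparent/off never overwrites its database"
        if adv["domain"] != self.domain:
            return "ignored: domain name mismatch"
        if adv["digest"] != vtp_digest(self.password, adv["vlans"]):
            return "ignored: config digest error (password mismatch)"
        if adv["revision"] <= self.revision:
            return "ignored: revision %d is not higher than %d" % (
                adv["revision"], self.revision)
        # Higher revision wins: a SERVER accepts it exactly like a client.
        self.vlans, self.revision = set(adv["vlans"]), adv["revision"]
        return "accepted: revision %d, VLANs %s" % (self.revision,
                                                    sorted(self.vlans))

    def reset_revision(self) -> None:
        """Changing the domain name, or passing through transparent mode,
        resets the configuration revision to 0 on a real switch."""
        self.revision = 0


def new_switch_scenario(server_password: str, reset_first: bool) -> dict:
    """A lab switch (same domain name, stale database, revision 247) is
    cabled into production. Returns what both switches end up with."""
    core = VtpSwitch("Core", "Lab_Network", "server", server_password,
                     revision=5, vlans={1, 10, 20, 30})
    lab = VtpSwitch("Lab", "Lab_Network", "client", "",
                    revision=247, vlans={1, 99})
    if reset_first:
        lab.reset_revision()           # what a careful engineer does first
    core_verdict = core.receive(lab.summary())
    lab_verdict = lab.receive(core.summary())
    return {"verdict": core_verdict, "lab_verdict": lab_verdict,
            "core_vlans": sorted(core.vlans), "core_revision": core.revision,
            "lab_vlans": sorted(lab.vlans)}


if __name__ == "__main__":
    for pw, reset in (("", False), ("s3cret", False), ("", True)):
        print(pw or "<no password>", "reset" if reset else "no reset",
              new_switch_scenario(pw, reset))
```

Without a VTP password and without resetting the revision, the production server accepts revision 247 and VLANs 10, 20 and 30 disappear from the whole domain; a matching password turns the same advertisement into a config digest error, and resetting the lab switch first makes it the one that learns the production database.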
VTP Questions
Question 1
Several new switches have been added to the existing network as VTP clients. All of the
new switches have been configured with the same VTP domain, password, and version.
However, VLANs are not passing from the VTP server (existing network) to the VTP
clients. What must be done to fix this?
A. Remove the VTP domain name from all switches with "null" and then replace it with
the new domain name.
B. Configure a different native VLAN on all new switches that are configured as VTP
clients.
C. Provision one of the new switches to be the VTP server and duplicate information from
the existing network.
D. Ensure that all switch interconnects are configured as trunks to allow VTP information
to be transferred.
Question 2
After implementing VTP, the extended VLANs are not being propagated to other VTP
switches. What should be configured for extended VLANs?
A. VTP does not support extended VLANs and should be manually added to all switches.
B. Enable VTP version 3, which supports extended VLAN propagation.
C. VTP authentication is required when using extended VLANs because of their ability to
cause network instability.
D. Ensure that all switches run the same Cisco IOS version. Extended VLANs will not
propagate to different IOS versions when extended VLANs are in use.
Question 3
Which technique automatically limits VLAN traffic to only the switches that require it?
A. access lists B. DTP in nonegotiate C. VTP pruning D. PBR
Question 4
Refer to the exhibit.
Switch A, B, and C are trunked together and have been properly configured for VTP. Switch
C receives VLAN information from the VTP server Switch A, but Switch B does not receive
any VLAN information. What is the most probable cause of this behavior?
A. Switch B is configured in transparent mode.
B. Switch B is configured with an access port to Switch A, while Switch C is configured
with a trunk port to Switch B.
C. The VTP revision number of the Switch B is higher than that of Switch A.
D. The trunk between Switch A and Switch B is misconfigured.
Question 5
A network is running VTPv2. After verifying all VTP settings, the network engineer notices
that the new switch is not receiving the list of VLANs from the server. Which action
resolves this problem?
A. Reload the new switch.
B. Restart the VTP process on the new switch.
C. Reload the VTP server.
D. Verify connected trunk ports.
Question 6
After configuring new data VLANs 1020 through 1030 on the VTP server, a network
engineer notices that none of the VTP clients are receiving the updates. What is the
problem?
A. The VTP server must be reloaded.
B. The VTP version number must be set to version 3.
C. After each update to the VTP server, it takes up to 4 hours propagate.
D. VTP must be stopped and restarted on the server.
E. Another switch in the domain has a higher revision number than the server.
Question 7
A network engineer is extending a LAN segment between two geographically separated
data centers. Which enhancement to a spanning-tree design prevents unnecessary traffic
from crossing the extended LAN segment?
A. Modify the spanning-tree priorities to dictate the traffic flow.
B. Create a Layer 3 transit VLAN to segment the traffic between the sites.
C. Use VTP pruning on the trunk interfaces.
D. Configure manual trunk pruning between the two locations.
Question 8
When you design a switched network using VTPv2, how many VLANs can be used to
carry user traffic?
A. 1000 B. 1001 C. 1024 D. 2048 E. 4095 F. 4096
Question 9
A new network that consists of several switches has been connected together via trunking
interfaces. If all switches currently have the default VTP domain name "null", which
statement describes what happens when a domain name is configured on one of the
switches?
A. The switch with the non-default domain name restores back to "null" upon reboot.
B. Switches with higher revision numbers do not accept the new domain name.
C. VTP summary advertisements are sent out of all ports with the new domain name.
D. All other switches with the default domain name become VTP clients.
Question 10
Which VTP mode is needed to configure an extended VLAN, when a switch is
configured to use VTP versions 1 or 2?
A. transparent B. client C. server
D. Extended VLANs are only supported in version 3 and not in versions 1 or 2.
Question 11
Which VLAN range is eligible to be pruned when a network engineer enables VTP
pruning on a switch?
A. VLANs 1-1001 B. VLANs 1-4094 C. VLANs 2-1001 D. VLANs 2-4094
Question 12
Which feature must be enabled to eliminate the broadcasting of all unknown traffic to
switches that are not participating in the specific VLAN?
A. VTP pruning B. port-security C. storm control D. BPDU guard
Question 13
Refer to the exhibit.
Switch1(config)#vlan 10
VTP vlan configuration not allowed when device is in CLIENT mode.
Switch1#show interfaces trunk
The users in an engineering department that connect to the same access switch cannot
access the network. The network engineer found that the engineering VLAN is missing
from the database. Which action resolves this problem?
A. Disable VTP pruning and disable 802.1q.
B. Update the VTP revision number.
C. Change VTP mode to server and enable 802.1q.
D. Enable VTP pruning and disable 802.1q.
Question 14
Refer to the exhibit
The network switches for two companies have been connected and manually configured for
the required VLANs, but users in company A are not able to access network resources in
company B when DTP is enabled. Which action resolves this problem?
A. Delete vlan.dat and ensure that the switch with lowest MAC address is the VTP server.
B. Disable DTP and document the VTP domain mismatch.
C. Manually force trunking with switchport mode trunk on both switches.
D. Enable the company B switch with the vtp mode server command.
Question 15
A network engineer must improve bandwidth and resource utilization on the switches by
stopping the inefficient flooding of frames on trunk ports where the frames are not needed.
Which Cisco IOS feature can be used to achieve this task?
A. VTP pruning B. access list C. switchport trunk allowed VLAN D. VLAN access-map
Question 16
Which action allows a network engineer to limit a default VLAN from being propagated
across all trunks?
A. Upgrade to VTP version 3 for advanced feature set support.
B. Enable VTP pruning on the VTP server.
C. Manually prune default VLAN with switchport trunk allowed vlans remove.
D. Use trunk pruning vlan 1.
Question 17
Refer to the exhibit.
Switch A, B, and C are trunked together and have been properly configured for VTP. Switch
B has all VLANs, but Switch C is not receiving traffic from certain VLANs. What would
cause this issue?
A. A VTP authentication mismatch occurred between Switch A and Switch B.
B. The VTP revision number of Switch B is higher than that of Switch A.
C. VTP pruning is configured globally on all switches and it removed VLANs from the
trunk interface that is connected to Switch C.
D. The trunk between Switch A and Switch B is misconfigured.
Inter-VLAN Routing
Techniques
Why we need Inter-VLAN Routing?
Problem: Isolated Broadcast Domains
Router on a stick method
– Advantages:
• Simple to implement using any combination of systems
• Router provides communications between VLANs on remote switches
– Disadvantages:
• Single point of failure if only one router port is used
• Single traffic path can become congested; there is a possibility of
inadequate bandwidth for each VLAN
• Additional overhead on the router port can occur
• Network topology can cause performance issues
C- Routing using a MLS
Types of Interfaces
Multilayer switches can perform both Layer 2 switching
and interVLAN routing, as appropriate.
Layer 2 switching occurs between interfaces that are
assigned to Layer 2 VLANs or Layer 2 trunks. Layer 3
switching can occur between any type of interface, as
long as the interface can have a Layer 3 address
assigned to it.
As with a router, a multilayer switch can assign a Layer
3 address to a physical interface. It also can assign a
Layer 3 address to a logical interface that represents
an entire VLAN. This is known as a switched virtual
interface (SVI).
MLS switch port types:
- Switched port (Layer 2 port):
Physical port that connects the switch to an end device or to another
switch; this port can be access or trunk.
- Routed port (Layer 3 port):
Physical port that connects the switch to a router or a firewall. It has an
IP address and can run routing protocols, but it cannot be divided into
sub-interfaces (so it is not suitable for inter-VLAN routing) and cannot be
configured as access or trunk.
- SVI (Layer 3 logical port):
Logical interface internal to the MLS, used for inter-VLAN routing; one SVI
can be created per VLAN.
Layer 3 Port (routed port) Configuration
Switch(config)# interface type mod/num
Switch(config-if)# no switchport
Switch(config-if)# ip address ip-address mask
The no switchport command takes the port out of Layer 2 operation. You
then can assign a network address to the port, as you would to a router
interface.
SVI Port Configuration
On a multilayer switch, you also can enable Layer 3 functionality for an
entire VLAN on the switch. This allows a network address to be assigned
to a logical interface: that of the VLAN itself.
This is useful when the switch has many ports assigned to a common
VLAN, and routing is needed in and out of that VLAN.
The logical Layer 3 interface is known as an SVI. However, when it is
configured, it uses the much more intuitive interface name vlan vlan-id, as
if the VLAN itself is a physical interface. First, define or identify the VLAN
interface; then assign any Layer 3 functionality to it with the following
configuration commands:
Switch(config)# interface vlan vlan-id
Switch(config-if)# ip address ip-address mask
Switch(config-if)#no shutdown
The VLAN must be defined and active on the switch before the SVI can be
used. Make sure the new VLAN interface also is enabled with the no
shutdown interface-configuration command.
So simply configuring SVI IP addresses for the existing VLANs activates
inter-VLAN routing between those VLANs on an MLS. If a single MLS exists, no
routing protocol is needed (all VLAN subnets are directly connected), but if
multiple MLSs are connected together, a routing protocol must be configured
to enable routing between them, in addition to configuring the SVIs.
Be aware that an SVI cannot become active until at least one Layer 2 port
assigned to the VLAN has also become active and STP has converged. By
automatically keeping the SVI down until the VLAN is ready, no other
switching or routing functions can attempt to use the SVI prematurely. This
function is called SVI autostate.
You might sometimes want the SVI to stay up even when no Layer 2 ports
are active on the VLAN. For example, you might have a Layer 2 port
configured for port mirroring to capture traffic. In that case, the port would
not be up and functioning normally, so it should be excluded from affecting
the state of the SVI. You can exclude a switch port with the following
interface configuration command:
Switch(config-if)# switchport autostate exclude
Configuring Inter-VLAN Routing on a Router (Router On A Stick, ROAS)
On the router, one 802.1Q sub-interface per VLAN is configured on the
trunk-facing interface; each VLAN subnet then appears as a connected route:
#sh ip route
C 10.1.1.0/24, Fa0/0.1
C 10.10.1.0/24, Fa0/0.10
C 10.20.1.0/24, Fa0/0.20
Configuring Inter-VLAN Routing on a multilayer switch (SVIs):
(config)#interface vlan 20
(config-if)#ip address 172.20.128.1 255.255.255.0
(config-if)#no shutdown
(config-if)#interface vlan 30
(config-if)#ip address 172.20.129.1 255.255.255.0
(config-if)#no shutdown
#sh ip route
C 172.20.128.0/24, Vlan20
C 172.20.129.0/24, Vlan30
Preparing switch for
IP Telephony
Cisco IP Phone boot process:
Just about all the concepts discussed so far focus on the boot
process of the Cisco IP Phone.
Implementing IP Telephony
• Some requirements must be guaranteed to implement voice applications in
enterprise networks:
1) Physical layer requirements
The wiring and cabling are critical for IP Telephony; the cabling
infrastructure should be at least Category 5e.
2) Bandwidth and traffic requirements
From a traffic standpoint, an IP Telephony call consists of two parts:
a- The voice carrier stream, which consists of RTP (Real-Time Transport
Protocol) packets that contain the actual voice samples.
To support VoIP compression, Cisco VoIP equipment supports the two common
codecs G.711 and G.729, along with several other common industry standards.
Coder-decoders (codecs) are used to convert the analog signal to a digital format.
G.711 is a common codec used for normal voice digitization. It is also the only
type supported for the Cisco Conference Connection.
G.729 is a codec that compresses the voice traffic down to 8 kbps.
b- The call control signaling, which consists of packets belonging to one of
several protocols, for example H.323, SIP and MGCP (Media Gateway Control
Protocol); these protocols set up, maintain, tear down or redirect the call.
Both types of traffic must be considered.
3) Security and redundancy requirements
The voice infrastructure must be safeguarded against attacks, which could cut
off all enterprise communication with the outside world (discussed in the next
chapter); redundancy is also required (discussed in previous chapters).
4) VLAN requirements
A special VLAN is required for the voice service (the voice VLAN).
5) Voice QoS
Voice packets cannot tolerate a one-way delay of more than 150 ms, and jitter
or packet loss of more than 1% is not acceptable.
Power supply
• A Cisco IP Phone is like any other node on the network: it must have
power to operate. There are several power levels defined for VoIP
devices; normal VoIP devices require from 4.0 W to 15.4 W depending on
the phone model, and advanced VoIP devices can require more than 15.4 W,
up to 30 W.
• Power can come from two sources:
Inline power or Power over Ethernet (PoE)
How PoE Works
A Catalyst switch can offer power over its Ethernet ports only if it is
designed to do so. It must have one or more power supplies that are rated for
the additional load that will be offered to the connected devices. PoE is
available on many Cisco Catalyst switch platforms.
Power is delivered as direct current (DC) over the network data cable: a 48 V
DC supply is provided to an IP Phone over the same Category 5e cable that is
used for Ethernet connectivity.
The DC power's source is the Catalyst switch itself. No other power source is
needed, unless an AC adapter is required as a redundant source.
Inline power is also defined by the IEEE 802.3af standard (PoE), and by IEEE
802.3at (PoE plus) for devices requiring up to 30 W.
Switch(config-if)# power inline {auto | never | static [max <milliwatts>]}
The Catalyst switch also can be connected to an uninterruptible power supply
(UPS) so that it continues to receive and offer power even if the regular AC
source fails. This allows an IP Phone or other powered device to be available
for use even across a power failure.
The debug ilpower controller and debug cdp packets commands display the
inline power negotiation as it happens.
CAUTION: A Catalyst switch waits for 4 seconds after inline power is applied
to a port to see if an IP Phone comes alive. If not, the power is removed from
the port.
Be careful if you plug an IP Phone into a switch port, then remove it and
plug in a normal Ethernet device. The inline power could still be applied
during the 4-second interval, damaging a non-powered device. Wait 10
seconds after unplugging an IP Phone before plugging anything back into the
same port.
Voice VLAN
Most Cisco IP Phone models contain a three port switch,
connecting to the:
1- Upstream Switch
2- The user PC
3- Internal VoIP data stream
• The link mode between the IP Phone and the switch is negotiated; you can
configure the switch to instruct the phone to use a special-case 802.1Q trunk
or a single VLAN access link. With a trunk, the voice traffic can be isolated
from other user data, providing security and QoS capabilities, this could be
achieved by supporting separate VLAN for the voice.
• As an access link, both voice and data must be combined over
the single VLAN. This simplifies other aspects of the switch
configuration because a separate voice VLAN is not needed,
but it could compromise the voice quality, depending on the PC
application mix and traffic load.
• QoS Trust
The port connected to an IP Phone can trust the QoS markings coming from the
phone, but the device beyond it (the user PC) may not be trusted.
Switch Port Aggregation with EtherChannels
• Switches can use Ethernet, Fast Ethernet and Gigabit Ethernet to scale link
speeds.
• Cisco offers another method of scaling link bandwidth by aggregating or
bundling parallel links, termed EtherChannel technology.
• Two to eight links of FE or GE are bundled as one logical link of FEC
(Fast EtherChannel) or GEC (Gigabit EtherChannel), which can provide a
full-duplex bandwidth of up to 1600 Mbps or 16 Gbps.
• Although an EtherChannel link is seen as a single logical link, the link does
not necessarily have an inherent total bandwidth equal to the sum of its
component physical links. For example, suppose that a GEC link is made up of
four full-duplex 1-Gbps GE links. Although it is possible for the GEC link to
carry a total throughput of 8 Gbps (if each link becomes fully loaded), the
single resulting GEC bundle does not operate at this speed.
Instead, traffic is distributed across the individual links within the
EtherChannel. Each of these links operates at its inherent speed (2 Gbps full
duplex for GE) but carries only the frames placed on it by the EtherChannel
hardware. If the load-distribution algorithm favors one link within the bundle,
that link will carry a disproportionate amount of traffic. In other words, the
load is not always distributed equally among the individual links. The load-
balancing process is explained further in the next section.
• EtherChannel also provides redundancy with several bundled physical links. If
one of the links within the bundle fails, traffic sent through that link is
automatically moved to an adjacent link. Failover occurs in less than a few
milliseconds and is transparent to the end user. As more links fail, more
traffic is moved to further adjacent links. Likewise, as links are restored,
the load automatically is redistributed among the active links.
Bundle conditions
• All bundled ports must be:
1- In the same VLAN (if they are access ports)
2- In the same trunk mode (if they are trunk ports)
3- Configured with the same allowed VLANs (if they are trunk ports)
4- Configured with identical STP settings
5- Set to the same duplex and speed
6- Free of port security (port security must be disabled)
7- Not a SPAN destination (being a SPAN source is no problem)
8- Not assigned to a VLAN dynamically (VMPS dynamic VLAN membership is not
supported on EtherChannel ports)
• Use the show interfaces capabilities command to check whether the switch
port supports EtherChannel.
Traffic Distribution
• EtherChannel actually performs "traffic distribution" among the available
links of the bundle, so the load may not be equally balanced across the
EtherChannel links; as a result there must be an algorithm, or criteria, for
deciding which flows use which link in the EtherChannel bundle.
• This load balancing on an EtherChannel is not done on a frame-by-frame or
packet-by-packet basis. Instead, addresses in the frame or packet are run
through an algorithm that results in a binary value; this value is then
matched up with one of the connections in the EtherChannel, and all traffic
with this binary value is transported across that connection.
Link Selection Criteria
• Selection can be based on:
1- Source IP 2- Destination IP 3- Both source and destination IP
4- Source MAC 5- Destination MAC 6- Both source and destination MAC
7- Source port 8- Destination port 9- Both source and destination port
• If there are 2 available links, only one bit is needed for the selection
(0 goes through the first link, 1 through the second link).
• If there are 4 available links, 2 bits are needed to differentiate between
the links.
• If there are 8 available links, 3 bits are needed to differentiate between
the links.
• For selection based on source and destination addresses together, the
XOR operation is used. Remember:
1 XOR 0 = 1
1 XOR 1 = 0
0 XOR 0 = 0
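The practical consequence of the bit-selection scheme above is that a single busy destination (a server behind the bundle) can pin every flow onto one member link when the method only looks at the destination address. The following Python model is an added worked example for this page, not Cisco's hashing code: it implements the low-order-bit and XOR selection exactly as described above and runs constructed MAC and IP addresses through it. The sample addresses, the method names and the 2/4/8-link restriction are assumptions of the model; real platforms hash into fixed buckets and map them onto the member links, so the specific link chosen on hardware can differ.

```python
"""Model of EtherChannel link selection as this page describes it: the
low-order bit(s) of the chosen address field pick the member link, and
source and destination are combined with XOR. Added illustration written
for this page with constructed addresses; it is not Cisco's actual
hashing code (real platforms hash into 8 buckets and map the buckets onto
the member links), so the exact link chosen on hardware may differ."""
import ipaddress
from collections import Counter


def mac_to_int(mac: str) -> int:
    """'00:11:22:33:44:aa' or '0011.2233.44aa' -> integer."""
    return int(mac.replace(":", "").replace(".", "").replace("-", ""), 16)


def ip_to_int(ip: str) -> int:
    return int(ipaddress.ip_address(ip))


def select_link(method: str, src: int, dst: int, links: int) -> int:
    """Return the member-link index (0..links-1) for one frame.
    method is src, dst or src-dst, applied to MAC, IP or port values that
    the caller has already converted to integers."""
    if links not in (2, 4, 8):
        raise ValueError("the page's model covers 2, 4 or 8 member links")
    nbits = links.bit_length() - 1          # 2 -> 1 bit, 4 -> 2, 8 -> 3
    if method == "src-dst":
        key = src ^ dst                     # XOR of both addresses
    elif method == "src":
        key = src
    elif method == "dst":
        key = dst
    else:
        raise ValueError(method)
    return key & ((1 << nbits) - 1)         # keep only the low-order bits


def distribution(method: str, flows, links: int, to_int=mac_to_int) -> list:
    """Frames per member link for a list of (src, dst) address pairs."""
    counts = Counter(select_link(method, to_int(s), to_int(d), links)
                     for s, d in flows)
    return [counts[i] for i in range(links)]


# Constructed sample traffic: eight client PCs talking to a single server
# behind a 4-link bundle (all addresses are made up for this example).
SERVER_MAC = "00:11:22:33:44:aa"
CLIENT_MACS = ["00:aa:bb:cc:dd:%02x" % i for i in range(8)]
TO_SERVER = [(c, SERVER_MAC) for c in CLIENT_MACS]
FROM_SERVER = [(SERVER_MAC, c) for c in CLIENT_MACS]

SERVER_IP = "10.1.2.10"
CLIENT_IPS = ["10.1.1.%d" % i for i in range(1, 9)]
TO_SERVER_IP = [(c, SERVER_IP) for c in CLIENT_IPS]


def report(links: int = 4) -> dict:
    """Frames per link for each method and direction of the sample traffic."""
    return {
        "to server, src-mac": distribution("src", TO_SERVER, links),
        "to server, dst-mac": distribution("dst", TO_SERVER, links),
        "from server, src-mac": distribution("src", FROM_SERVER, links),
        "src-dst-mac": distribution("src-dst", TO_SERVER, links),
        "to server, dst-ip": distribution("dst", TO_SERVER_IP, links, ip_to_int),
    }


if __name__ == "__main__":
    for name, counts in report().items():
        print("%-22s %s" % (name, counts))
```

With the sample traffic, src-mac spreads the eight clients evenly over the four links, while dst-mac (or src-mac on the reply direction, where the server is now the source) puts all eight flows on the same link, which is the single-link symptom the EtherChannel questions below describe; src-dst-mac restores the spread because the XOR still varies with the client address.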
PAgP (Port Aggregation Protocol):
• PAgP keeps the bundle consistent: for example, if the VLAN, speed or duplex
of an established port in the bundle changes, PAgP changes that parameter for
all the ports of the bundle.
• PAgP can be configured in active mode, "desirable", actively asking the far
end to negotiate an EtherChannel, or
• PAgP can be configured in passive mode, "auto", where the switch negotiates
an EtherChannel only if the far end initiates it; this is the default for PAgP.
• By default, PAgP operates in silent submode with the desirable and auto
modes, and allows ports to be added to an EtherChannel even if the
other end of the link is silent and never transmits data packets. This
might seem to go against the idea of PAgP, in which two endpoints are
supposed to negotiate a channel.
• Non-silent submode, by contrast, allows the EtherChannel negotiation only if
data packets are received on the link.
• After all, how can two switches negotiate anything if no PAgP packets
are received?
The key is in the phrase "if the other end is silent." The silent submode
listens for any data packets from the far end, looking to negotiate a
channel. If none is received, silent submode assumes that a channel
should be built anyway, so no more data packets are expected from the
far end.
The silent submode amounts to approximately a 15-second delay.
• If PAgP isn't heard on an active port, the port remains in the up state, but
PAgP reports to STP that the port is down.
Configuring LACP
(config)#interface <_>
(config-if)#channel-protocol lacp
(config-if)#channel-group <group no.> mode {on | active | passive}
(config-if)#lacp port-priority <priority value>
(config)#lacp system-priority <priority value>
Troubleshooting
#sh etherchannel summary
#sh etherchannel detail
#show etherchannel port
#sh (pagp | lacp) neighbor
#sh lacp sys-id
Switch#show run interface gig 0/9
Building configuration...
Current configuration:
!
interface GigabitEthernet 0/9
no ip address
channel-group 1 mode desirable
The status of the port channel (show etherchannel summary) shows the
EtherChannel logical interface as a whole. This should show SU (Layer 2
channel, in use) if the channel is operational. You also can examine the
status of each port within the channel. Most of the channel ports have
flags (P), indicating that they are active in the port-channel. One port
shows (D) because it is physically not connected or down. If a port is
connected but not bundled in the channel, it will have an independent, or
(I), flag.
Local information:
                    Hello    Partner  PAgP     Learning  Group
Port   Flags State  Timers   Interval Count    Priority  Method  Ifindex
Gi0/9  SC    U6/S7  H        30s      1        128       Any     15
Partner's information:
Question 1
Refer to the exhibit.
Which set of configurations will result in all ports on both switches successfully bundling into an
EtherChannel?
A. switch1 channel-group 1 mode active switch2 channel-group 1 mode auto
B. switch1 channel-group 1 mode desirable switch2 channel-group 1 mode passive
C. switch1 channel-group 1 mode on switch2 channel-group 1 mode auto
D. switch1 channel-group 1 mode desirable switch2 channel-group 1 mode auto
Question 2
After an EtherChannel is configured between two Cisco switches, interface port channel 1 is in the
down/down state. Switch A is configured with “channel-group 1 mode active”, while Switch B is
configured with “channel-group 1 mode desirable”. Why is the EtherChannel bundle not working?
A. The switches are using mismatched EtherChannel negotiation modes.
B. The switch ports are not configured in trunking mode.
C. LACP priority must be configured on both switches.
D. The channel group identifier must be different for Switch A and Switch B.
Question 3
An EtherChannel bundle has been established between a Cisco switch and a corporate web server. The
network administrator noticed that only one of the EtherChannel links is being utilized to reach the web
server. What should be done on the Cisco switch to allow for better EtherChannel utilization to the
corporate web server?
A. Enable Cisco Express Forwarding to allow for more effective traffic sharing over the EtherChannel bundle.
B. Adjust the EtherChannel load-balancing method based on destination IP addresses.
C. Disable spanning tree on all interfaces that are participating in the EtherChannel bundle.
D. Use link-state tracking to allow for improved load balancing of traffic upon link failure to the server.
E. Adjust the EtherChannel load-balancing method based on source IP addresses.
Question 4
An access switch has been configured with an EtherChannel port. After configuring SPAN to monitor this
port, the network administrator notices that not all traffic is being replicated to the management server.
What is a cause for this issue?
A. VLAN filters are required to ensure traffic mirrors effectively. B. SPAN encapsulation replication must be
enabled to capture EtherChannel destination traffic. C. The port channel can be used as a SPAN source, but
not a destination. D. RSPAN must be used to capture EtherChannel bidirectional traffic.
Question 5
Refer to the exhibit.
Question 7
A network engineer must set the load balance method on an existing port channel. Which action must be
done to apply a new load balancing method?
A. Configure the new load balancing method using port-channel load-balance.
B. Adjust the switch SDM back to “default”.
C. Ensure that IP CEF is enabled globally to support all load balancing methods.
D. Upgrade the PFC to support the latest load balancing methods.
Question 8
A network engineer configured a fault-tolerance link on Gigabit Ethernet links G0/1, G0/2, G0/3, and G0/4
between two switches using Ethernet port-channel. Which action allows interface G0/1 to always actively
forward traffic in the port-channel?
A. Configure G0/1 as half duplex and G0/2 as full duplex.
B. Configure LACP port-priority on G0/1 to 1.
C. Configure LACP port-priority on G0/1 to 65535.
D. LACP traffic goes through G0/4 because it is the highest interface ID.
Question 9
Which statement about the use of PAgP link aggregation on a Cisco switch that is running Cisco IOS
Software is true?
A. PAgP modes are off, auto, desirable, and on. Only the combinations auto-desirable, desirable- desirable,
and on-on allow the formation of a channel.
B. PAgP modes are active, desirable, and on. Only the combinations active-desirable, desirable- desirable,
and on-on allow the formation of a channel.
C. PAgP modes are active, desirable, and on. Only the combinations active-active, desirable- desirable, and
on-on allow the formation of a channel.
D. PAgP modes are off, active, desirable, and on. Only the combinations auto-auto, desirable- desirable, and
on-on allow the formation of a channel.
Question 11
Refer to the exhibit.
Users of PC-1 experience slow connection when a webpage is requested from the server. To
increase bandwidth, the network engineer configured an EtherChannel on interfaces Fa1/0 and
Fa0/1 of the server farm switch, as shown here:
Server_Switch#sh etherchannel load-balance
EtherChannel Load-Balancing Operational State (src-mac):
Non-IP: Source MAC address
IPv4: Source MAC address
IPv6: Source IP address
Server_Switch#
However, traffic is still slow. Which action can the engineer take to resolve this issue?
A. Disable EtherChannel load balancing.
B. Upgrade the switch IOS to IP services image.
C. Change the load-balance method to dst-mac.
D. Contact Cisco TAC to report a bug on the switch.
Question 13
Which statement about using EtherChannel on Cisco IOS switches is true?
A. A switch can support up to eight compatibly configured Ethernet interfaces in an EtherChannel.
The EtherChannel provides full-duplex bandwidth up to 800 Mbps only for Fast EtherChannel or 8
Gbps only for Gigabit EtherChannel.
B. A switch can support up to 10 compatibly configured Ethernet interfaces in an EtherChannel. The
EtherChannel provides full-duplex bandwidth up to 1000 Mbps only for Fast EtherChannel or 8 Gbps
only for Gigabit EtherChannel.
C. A switch can support up to eight compatibly configured Ethernet interfaces in an EtherChannel.
The EtherChannel provides full-duplex bandwidth up to 800 Mbps only for Fast EtherChannel or 16
Gbps only for Gigabit EtherChannel.
D. A switch can support up to 10 compatibly configured Ethernet interfaces in an EtherChannel. The
EtherChannel provides full-duplex bandwidth up to 1000 Mbps only for Fast EtherChannel or 10
Gbps only for Gigabit EtherChannel.
Question 14
Refer to the exhibit.
Question 16
Which statement about restrictions for multichassis LACP is true?
A. It is available only on a Cisco Catalyst 6500 Series chassis.
B. It does not support 1Gb links.
C. Converting a port channel to mLACP can cause a service disruption.
D. It is not available in VSS.
Figure: Cat-A is the Root Bridge. Cat-A:1/1 connects to Cat-B:1/1,
Cat-A:1/2 connects to Cat-C:1/1, and Cat-B:1/2 connects to Cat-C:1/2. Every
link is Fast Ethernet, cost 19.
Step 1
• Cat-A, the Root Bridge, sends BPDUs with a Root Path Cost of 0 out ports
1/1 and 1/2.
Step 2
• Cat-B and Cat-C receive these BPDUs on their 1/1 ports and add the port
cost of 19 to the Root Path Cost (0 + 19 = 19).
Step 3
• Cat-B uses this value of 19 internally and sends BPDUs with a Root Path Cost of
19 out Port 1/2.
Step 4
• Cat-C receives the BPDU from Cat-B and increases the Root Path Cost to 38
(19 + 19). (Same with Cat-C sending to Cat-B.)
Step 5
• Cat-B calculates that it can reach the Root Bridge at a cost of 19 via Port 1/1, as
opposed to a cost of 38 via Port 1/2.
• Port 1/1 becomes the Root Port for Cat-B, the port closest to the Root Bridge.
• Cat-C goes through a similar calculation. Note: Both Cat-B:1/2 and Cat-C:1/2 save
the best BPDU of 19 (their own).
Electing DP:
Figure: Cat-A is the Root Bridge (Root Path Cost = 0). Segment 1 joins
Cat-A:1/1 and Cat-B:1/1, Segment 2 joins Cat-A:1/2 and Cat-C:1/1, and
Segment 3 joins Cat-B:1/2 and Cat-C:1/2. Cat-B and Cat-C each have a Root
Path Cost of 19; every port cost is 19.
• Segment 1: Cat-A:1/1 has a Root Path Cost = 0 (after all, it is the Root Bridge) and
Cat-B:1/1 has a Root Path Cost = 19.
• Segment 2: Cat-A:1/2 has a Root Path Cost = 0 (after all, it is the Root Bridge) and
Cat-C:1/1 has a Root Path Cost = 19.
• Segment 3: Cat-B:1/2 has a Root Path Cost = 19 and Cat-C:1/2 has a Root Path
Cost = 19. It's a tie!
• Segment 1: Because Cat-A:1/1 has the lower Root Path Cost, it becomes the
Designated Port for Segment 1.
• Segment 2: Because Cat-A:1/2 has the lower Root Path Cost, it becomes the
Designated Port for Segment 2.
Segment 3
• Both Cat-B and Cat-C have a Root Path Cost of 19, a tie!
• When faced with a tie (or any other determination) STP always uses the four-step
decision process:
1. Lowest Root BID; 2. Lowest Path Cost to Root Bridge;
3. Lowest Sender BID; 4. Lowest Port ID.
Segment 3 (continued)
1) All three switches agree that Cat-A is the Root Bridge, so this is a tie.
2) Root Path Cost for both is 19, also a tie.
3) The sender's BID is lower on Cat-B than on Cat-C, so Cat-B:1/2 becomes
the Designated Port for Segment 3.
Cat-C:1/2 therefore becomes the non-Designated Port for Segment 3.
Example: electing the Root Port on SW Y
Figure: SW X (root bridge) connects to SW Y over two parallel links, one Fast Ethernet and one Ethernet.
• SW X is the root bridge, so all ports on the root bridge are Designated Ports (DP).
• SW Y needs to elect a root port. Which port is the root port on SW Y?
- Via the Fast Ethernet link the total cost to the root = 0 + 19
- Via the Ethernet link the total cost to the root = 0 + 100
• The Fast Ethernet port on SW Y has the lower Root Path Cost and becomes the Root Port (RP).
Blocking a port:
• On the Ethernet segment the SW X port is the DP (Root Path Cost 0) and the SW Y port is neither RP nor DP, so it becomes the blocked port (BP).
• After convergence every port is therefore RP, DP or BP.
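The election walked through in the figures above (the Cat-A/Cat-B/Cat-C triangle and the SW X/SW Y exercise), as an added example that is not part of the course text: a small Python model that computes the root bridge, every bridge's Root Path Cost and the RP/DP/blocked role of every port with the four-step decision. The bridge IDs, MAC addresses, port numbering (mod/num with the default port priority of 128) and link costs are my constructed inputs, and the function names are mine, not IOS commands.

```python
import heapq

# Constructed topology from the course figure: three switches with the
# default bridge priority 32768 and MACs chosen so that Cat-A < Cat-B < Cat-C.
BRIDGES = {
    "Cat-A": (32768, "0000.0000.000a"),
    "Cat-B": (32768, "0000.0000.000b"),
    "Cat-C": (32768, "0000.0000.000c"),
}
# One tuple per segment: (bridge, port, bridge, port, path cost). 19 is the
# 802.1D short-method cost of a 100 Mbps link, 100 that of a 10 Mbps link.
LINKS = [
    ("Cat-A", "1/1", "Cat-B", "1/1", 19),   # Segment 1
    ("Cat-A", "1/2", "Cat-C", "1/1", 19),   # Segment 2
    ("Cat-B", "1/2", "Cat-C", "1/2", 19),   # Segment 3
]

# Second constructed topology for the SW X / SW Y exercise: two parallel
# links, one Fast Ethernet (19) and one Ethernet (100).
BRIDGES_XY = {
    "SW-X": (32768, "0000.0000.0001"),
    "SW-Y": (32768, "0000.0000.0002"),
}
LINKS_XY = [
    ("SW-X", "0/1", "SW-Y", "0/1", 19),    # Fast Ethernet
    ("SW-X", "0/2", "SW-Y", "0/2", 100),   # Ethernet
]


def port_id(port):
    """Port ID used as the fourth tie-breaker: default port priority 128,
    then the slot and port numbers (assumes 'mod/num' port naming)."""
    mod, num = port.split("/")
    return (128, int(mod), int(num))


def root_path_costs(root, bridges, links):
    """Lowest cumulative cost from every bridge back to the root (Dijkstra).
    This is the Root Path Cost a bridge advertises in its own BPDUs."""
    adj = {b: [] for b in bridges}
    for b1, _, b2, _, cost in links:
        adj[b1].append((b2, cost))
        adj[b2].append((b1, cost))
    cost_to_root = {b: float("inf") for b in bridges}
    cost_to_root[root] = 0
    heap = [(0, root)]
    while heap:
        c, b = heapq.heappop(heap)
        if c > cost_to_root[b]:
            continue
        for nb, w in adj[b]:
            if c + w < cost_to_root[nb]:
                cost_to_root[nb] = c + w
                heapq.heappush(heap, (c + w, nb))
    return cost_to_root


def elect(bridges, links):
    """Return (root bridge, root path cost per bridge, role per (bridge, port)).

    Roles follow the 802.1D four-step comparison, lowest value wins:
    root BID, root path cost, sender BID, sender port ID."""
    root = min(bridges, key=lambda b: bridges[b])          # step 1
    rpc = root_path_costs(root, bridges, links)
    roles = {}

    # Root Port: on each non-root bridge, the port receiving the best BPDU.
    # A BPDU is valued as (cost via sender, sender BID, sender port ID) and
    # the receiving port ID is the final tie-breaker.
    for b in bridges:
        if b == root:
            continue
        best = None
        for b1, p1, b2, p2, cost in links:
            if b1 == b:
                local, nb, nb_port = p1, b2, p2
            elif b2 == b:
                local, nb, nb_port = p2, b1, p1
            else:
                continue
            key = (rpc[nb] + cost, bridges[nb], port_id(nb_port), port_id(local))
            if best is None or key < best[0]:
                best = (key, local)
        if best is not None:
            roles[(b, best[1])] = "RP"

    # Designated Port: per segment, the port whose bridge would send the best
    # BPDU onto it. The other port is either that bridge's Root Port (already
    # assigned above) or has no role and blocks.
    for b1, p1, b2, p2, _ in links:
        k1 = (rpc[b1], bridges[b1], port_id(p1))
        k2 = (rpc[b2], bridges[b2], port_id(p2))
        dp, other = ((b1, p1), (b2, p2)) if k1 < k2 else ((b2, p2), (b1, p1))
        roles[dp] = "DP"
        roles.setdefault(other, "BLK")
    return root, rpc, roles


if __name__ == "__main__":
    for bridges, links in ((BRIDGES, LINKS), (BRIDGES_XY, LINKS_XY)):
        root, rpc, roles = elect(bridges, links)
        print("root:", root, "root path costs:", rpc)
        for (b, p), role in sorted(roles.items()):
            print(f"  {b}:{p} {role}")
```

Running it reproduces the figures: Cat-A's two ports are DP, Cat-B:1/1 and Cat-C:1/1 are RP, Cat-B:1/2 wins Segment 3 on the lower sender BID and Cat-C:1/2 blocks; on SW Y the Fast Ethernet port is the RP and the Ethernet port blocks. Because the root is simply the lowest BID, the same function shows why an attacker-controlled switch advertising priority 0 would become root, which is the case Root Guard exists for.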
1-Disabled State:
• The port is administratively shut down or has no cable connected; it is not
part of normal STP operation.
2-Blocking State:
• The port cannot receive or transmit data traffic and does not transmit BPDUs,
but it does receive BPDUs so that it can detect topology changes. The best BPDU
received on the port is kept until Max Age expires (discussed later under Loop Guard).
3-Listening State:
• The port still cannot send or receive data frames, but it can process
(send and receive) BPDUs to elect the root bridge, root port, designated
port and blocked port.
• This state lasts for the first forward delay time = 15 sec.
4-Learning State:
• The port still cannot send or receive data frames, but it keeps processing
(sending and receiving) BPDUs in case the root port, designated port or blocked
port must be re-elected, and the switch learns source MAC addresses from incoming
frames (building the MAC table) before dropping them.
• This state lasts for the second forward delay time = 15 sec.
5-Forwarding State:
• The port forwards data traffic and continues learning MAC addresses. It is
either a Root Port or a Designated Port, so after convergence every port is
either DP or RP (forwarding state) or BP (blocking state).
• Note that convergence takes 30 sec (listening + learning) after a direct
failure and up to 50 sec when Max Age (20 sec) must expire first.
• To troubleshoot STP states:
#show spanning-tree interface type mod/num
#debug spanning-tree switch
Example: direct link failure
Figure: Catalyst A (Root Bridge), Catalyst B and Catalyst C; labels BPDU and TCN.
This network has just suffered a link failure between Catalyst A and Catalyst
C. The sequence of events unfolds as follows:
1. Catalyst C detects a link down on its port 1/1; Catalyst A detects a link
down on its port 1/2.
2. Catalyst C removes the previous "best" BPDU it had received from the
Root over port 1/1. Port 1/1 is now down, so that BPDU is no longer valid.
Example: indirect link failure
Figure: the link between A and B fails while C:1/2 is the blocked port.
STP can detect and recover from indirect failures, thanks to its timer
mechanisms. The sequence of events unfolds as follows:
1. The link between A and B fails. B immediately flushes the best BPDU it had
stored, and because port 1/2 on C is blocked, C sends no BPDUs toward B. B
therefore hears no BPDUs from the root at all, claims to be the new root
(nobody else in the network is sending BPDUs, as far as B can tell) and starts
sending inferior BPDUs out of port 1/2 on B towards C.
2. Switch C (which owns the blocked port) now receives two different BPDUs: one
from A saying that A is root and one from B saying that B is root.
3. C keeps the stored BPDU it used to receive on port 1/2 (from A, relayed through
B) until Max Age = 20 sec expires, then flushes it.
4. Port 1/2 on C moves to the listening state and begins sending the root BPDU it
receives on port 1/1 from A. This BPDU makes B stop sending inferior BPDUs and
learn the reality: A is still alive and is still the Root, and what happened was an
indirect failure.
5. After 15 seconds in listening and then 15 in learning (a total of 50 seconds
from the failure), the previously blocked port is forwarding again.
If the switch cannot support 1024 unique MAC addresses for its own use,
the extended system ID is always enabled by default. Otherwise, the
traditional method is enabled by default.
To begin using the extended system ID method, use the
following global configuration command:
Switch(config)# spanning-tree extend system-id
To return to the traditional method, begin the command with the no keyword.
Why did the root primary macro (spanning-tree vlan vlan-id root primary) fail?
The current Root Bridge has a bridge priority of 4200. Because that priority is
less than 24,576, the local switch tries to set its own priority to 4096 less than
the current root. The resulting priority would be 104, but the local switch is
using an extended system ID, which requires bridge priority values that are
multiples of 4096. The only value that would work is 0, and the automatic method
will not use it.
Tip: You can also use a macro configuration command to force a switch port to
support a single host. The following command enables STP PortFast, sets the
port to access (nontrunking) mode, and disables PAgP to prevent the port
from participating in an EtherChannel:
Switch(config)# interface type mod/num
Switch(config-if)# switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled
• Configuring BackboneFast:
BackboneFast should be enabled on all switches in the network
because BackboneFast requires the RLQ (Root Link Query) Request and
Reply mechanism to inform switches of Root Path stability.
Switch(config)# spanning-tree backbonefast
Switch# show spanning-tree backbonefast
BackboneFast statistics
-----------------------
Number of transition via backboneFast (all VLANs) : 0
Number of inferior BPDUs received (all VLANs) : 0
Number of RLQ request PDUs received (all VLANs) : 0
Number of RLQ response PDUs received (all VLANs) : 0
Number of RLQ request PDUs sent (all VLANs) : 0
Number of RLQ response PDUs sent (all VLANs) : 0
Spanning Tree debug Commands
Switch#debug spanning-tree all
2) Frame corruption
3) Resource errors
4) Unidirectional links
5) Configuration mistakes
(for example, enabling BPDU filter on the other side of a link)
Protecting Against Sudden Loss of BPDUs
1) Loop Guard
• Suppose a switch port is receiving BPDUs, and the switch
port is in the blocking state. The port makes up a redundant
path; it is blocking because it is neither a Root Port nor a
Designated Port. If, for some reason, the flow of BPDUs
stops, the last known BPDU is kept until the Max Age timer
expires. Then, that BPDU is flushed, and the switch thinks
there is no longer a need to block the port. The port moves
through the STP states until it begins to forward traffic—and
form a bridging loop. In its final state, the port becomes a
Designated Port.
Loop Guard and UDLD address nearly the same failure, with one main difference:
Loop Guard works on the STP topology (it acts per VLAN on a port), whereas UDLD
is a per-port link-layer feature.
                               Loop Guard   UDLD
Configuration                  Per port     Per port
Action granularity             Per VLAN     Per port
Protection against miswiring   No           Yes
Troubleshooting:
#show spanning-tree inconsistentports
#show spanning-tree interface type mod/num [detail]
#show udld [type mod/num]
• To re-enable ports that UDLD aggressive mode has errdisabled:
#udld reset
Storm Control is configured on a per-interface basis to monitor traffic that is
arriving or being received at the interface, as shown in Figure. The idea is to
take action on frames as they enter the switch and arrive at the internal
switching bus, before they are flooded to multiple switch ports. You can
configure thresholds for the amount of broadcast, multicast, or unknown
unicast traffic and an action to be taken when the thresholds are exceeded.
First, select an interface where frames might be received and flooded. Then
configure a threshold using the following interface configuration command:
Switch(config-if)# storm-control {broadcast | multicast | unicast}
level {level [level-low] | bps bps [bps-low] | pps pps [pps-low]}
Select the type of threshold with the broadcast, multicast, or unicast keyword.
Keep in mind that “unicast” actually means unknown unicast; otherwise, the
threshold would limit the volume of normal unicast frames passing through
the interface.
You can set the traffic threshold with the level keyword and one of the
following keywords and values:
level [level-low]: The threshold is set to a percentage of the interface
bandwidth. The level and level-low percentages can be a value with two
decimal places from 0.00 to 100.00.
bps bps [bps-low]: The threshold is set to a specific bits per second rate. The
bps and bps-low values can range from 0.0 to 10000000000.0 (10 Gbps),
with one decimal place.
pps pps [pps-low]: The threshold is set to a specific packets per second rate. The
pps and pps-low values can range from 0.0 to 10000000000.0,
with one decimal place.
Storm Control takes action when the flooded traffic rises to the first (rising)
value and stops the action when the traffic falls below that same value. You can set
a different falling threshold by specifying the second, -low value; the action then
continues until the traffic drops below the falling threshold.
Tip
Rather than counting zeroes for large bps and pps values,
you can use k, m, and g to designate kilo-, mega-, and giga- units.
You can repeat the storm control command to define separate
thresholds for broadcast, multicast, and unknown unicast traffic.
Next, specify the action to be taken when the threshold is
exceeded. By default, the excessive frames are simply dropped as
they are received. In addition, you can use the following interface
configuration command to shut down the interface in errdisable
mode or to send an SNMP trap as an alert of a storm
condition in progress:
Switch(config-if)# storm-control action {shutdown | trap}
In Example, Storm Control is enabled for traffic received on
interface Gigabit Ethernet 1/0/1.
Because there is no storm control action command entered, the
default action to drop excessive frames will be taken. When
broadcast frames exceed 50 percent of the interface bandwidth,
they will be dropped. When the rate of multicast frames exceeds
50,000 packets per second, they will be dropped.
Finally, when the volume of unknown unicast frames rises above 20
percent and then stays above 10 percent of the interface
bandwidth, they will be dropped.
Example:
Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# storm-control broadcast level 50
Switch(config-if)# storm-control multicast level pps 50k
Switch(config-if)# storm-control unicast level 20 10
You can display the rising and falling Storm Control thresholds, in
addition to the current rate, with the following EXEC command:
Switch# show storm-control [interface-id] [broadcast | multicast | unicast]
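As an added example (mine, not the course's or Cisco's code), the following Python model parses the interface commands above (the three threshold lines plus storm-control action), then replays constructed per-interval traffic rates to show the rising/falling hysteresis and the three actions. Treating the boundary as "at or above the rising value", assuming that the trap action still filters traffic, and the method names are my simplifications, not IOS behaviour guaranteed by the text.

```python
from dataclasses import dataclass, field

# Multiplier suffixes the CLI accepts instead of counting zeroes.
SUFFIX = {"k": 1e3, "m": 1e6, "g": 1e9}


def parse_value(tok):
    tok = tok.lower()
    if tok[-1] in SUFFIX:
        return float(tok[:-1]) * SUFFIX[tok[-1]]
    return float(tok)


@dataclass
class Threshold:
    unit: str          # "level" (percent of bandwidth), "bps" or "pps"
    rising: float
    falling: float


@dataclass
class StormControl:
    """One interface's storm-control state (a constructed model, not IOS)."""
    thresholds: dict = field(default_factory=dict)   # class -> Threshold
    action: str = "filter"                           # default: just drop frames
    suppressing: dict = field(default_factory=dict)  # class -> storm in progress?
    errdisabled: bool = False
    traps: list = field(default_factory=list)

    def apply_cli(self, line):
        """Accepts the two interface commands from the text:
        storm-control {broadcast|multicast|unicast} level [bps|pps] R [F]
        storm-control action {shutdown|trap}"""
        parts = line.split()
        if len(parts) < 3 or parts[0] != "storm-control":
            raise ValueError(f"not a storm-control command: {line}")
        if parts[1] == "action":
            if parts[2] not in ("shutdown", "trap"):
                raise ValueError(f"unknown action: {parts[2]}")
            self.action = parts[2]
            return
        cls = parts[1]
        if cls not in ("broadcast", "multicast", "unicast") or parts[2] != "level":
            raise ValueError(f"bad threshold command: {line}")
        rest = parts[3:]
        unit = "level"
        if rest and rest[0] in ("bps", "pps"):
            unit, rest = rest[0], rest[1:]
        if not rest:
            raise ValueError(f"missing threshold: {line}")
        rising = parse_value(rest[0])
        # Without an explicit -low value the falling threshold equals the rising one.
        falling = parse_value(rest[1]) if len(rest) > 1 else rising
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        self.thresholds[cls] = Threshold(unit, rising, falling)

    def sample(self, cls, rate):
        """One measurement interval for one traffic class, rate in the configured
        unit. Returns 'forward', 'drop' or 'errdisable'. Suppression starts when
        rate >= rising and ends only when rate < falling (hysteresis)."""
        if self.errdisabled:
            return "errdisable"
        th = self.thresholds.get(cls)
        if th is None:                      # class not monitored on this port
            return "forward"
        active = self.suppressing.get(cls, False)
        if not active and rate >= th.rising:
            active = True
            if self.action == "shutdown":
                self.errdisabled = True
            elif self.action == "trap":     # assumed: trap in addition to filtering
                self.traps.append((cls, "storm-start", rate))
        elif active and rate < th.falling:
            active = False
            if self.action == "trap":
                self.traps.append((cls, "storm-end", rate))
        self.suppressing[cls] = active
        if self.errdisabled:
            return "errdisable"
        return "drop" if active else "forward"

    def errdisable_recover(self):
        """Operator clears the port (shut/no shut or errdisable recovery)."""
        self.errdisabled = False
        self.suppressing.clear()


def run(commands, samples):
    """Configure an interface from CLI lines and replay (class, rate) samples."""
    sc = StormControl()
    for line in commands:
        sc.apply_cli(line)
    return sc, [sc.sample(cls, rate) for cls, rate in samples]


if __name__ == "__main__":
    # The configuration from the text plus constructed traffic: unknown unicast
    # climbs above 20%, hovers between 10% and 20%, then drops below 10%.
    cmds = ["storm-control broadcast level 50",
            "storm-control multicast level pps 50k",
            "storm-control unicast level 20 10"]
    samples = [("unicast", r) for r in (5, 15, 25, 18, 12, 9, 15)]
    sc, verdicts = run(cmds, samples)
    print(list(zip([r for _, r in samples], verdicts)))
```

The unicast replay is the point of the falling threshold: once the rate crosses 20 percent, 18 and 12 percent are still dropped because they are above 10 percent, and forwarding resumes only at 9 percent. With the shutdown action the first crossing errdisables the port and nothing recovers it except operator action, which is why that action is usually paired with errdisable recovery.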
STP Questions
Question 1
Which command does a network engineer use to verify the spanning-tree status for VLAN 10?
A. switch# show spanning-tree vlan 10
B. switch# show spanning-tree bridge
C. switch# show spanning-tree brief
D. switch# show spanning-tree summary
E. switch# show spanning-tree vlan 10 brief
Question 2
Refer to the exhibit.
f1/0 and f1/1 have the same end-to-end path cost to the designated bridge.
Which action is needed to modify the Layer 2 spanning-tree network so that
traffic for PC1 VLAN from switch SW3 uses switchport f1/1 as a primary
port?
A. Modify the spanning-tree port-priority on SW1 f1/1 to 0 and f1/0 to 16.
B. Modify the spanning-tree port-priority on SW1 f1/1 to 16 and f1/0 to 0.
C. Modify the spanning-tree port-priority on SW2 f1/1 to 0 and f1/0 to 16.
D. Modify the spanning-tree port-priority on SW2 f1/1 to 16 and f1/0 to 0.
Question 3
Refer to the exhibit.
All ports are members of VLAN 10. Considering the default cost of upstream bridges to the root
bridge is equal, which option will be the new root port for VLAN 10?
A. interface f0/13 B. interface f0/14 C. interface f0/15 D. interface f0/21
Question 5
A network engineer is trying to deploy a PC on a network. The engineer observes that when the PC
is connected to the network, it takes 30 to 60 seconds for the PC to see any activity on the network
interface card. Which Layer 2 enhancement can be used to eliminate this delay?
A. Configure port duplex and speed to auto negotiation.
B. Configure port to duplex full and speed 1000.
C. Configure spanning-tree portfast.
D. Configure no switchport.
Question 6
A network engineer configured an Ethernet switch using these commands.
Switch1(config) # spanning-tree portfast bpdufilter default
Which statement about the spanning-tree portfast feature on the switch is true?
A. If an interface that is enabled for PortFast receives a BPDU, the port goes through the spanning-tree
listening, learning, and forwarding states.
B. If an interface that is enabled for PortFast receives a BPDU, the port does not go through the spanning-
tree listening, learning, and forwarding states.
C. If an interface that is enabled for PortFast receives a BPDU, the port is shut down immediately.
D. If an interface that is enabled for PortFast receives a BPDU, the port goes into the spanning-tree
inconsistent state.
Question 7
Which statement describes what happens when a port configured with root guard receives a superior
BPDU?
A. The port goes into errdisabled state and stops forwarding traffic.
B. The port goes into BPDU-inconsistent state and stops forwarding traffic
C. The port goes into loop-inconsistent state and stops forwarding traffic.
D. The port goes into root-inconsistent state and stops forwarding traffic.
Question 9
Pilot testing of the new switching infrastructure finds that when the root port is lost, STP immediately
replaces the root port with an alternative root port. Which spanning-tree technology is used to
accomplish backup root port selection?
A. PVST+ B. PortFast C. BackboneFast D. UplinkFast E. Loop Guard F. UDLD
Question 10
A network engineer must adjust the STP interface attributes to influence root port selection. Which two
elements are used to accomplish this? (Choose two)
A. port-priority B. cost C. forward-timers D. link type E. root guard
Question 11
For client server failover purposes, the application server team has indicated that they must not have the
standard 30 second delay before their switchport enters a forwarding state. For their disaster recovery
feature to operate successfully, they require the switchport to enter a forwarding state immediately.
Which spanning-tree feature satisfies this requirement?
A. Rapid Spanning-Tree
B. Spanning-Tree Timers
C. Spanning-Tree FastPort
D. Spanning-Tree PortFast
E. Spanning-Tree Fast Forward
Question 2
Which option lists the modes that are available for configuring UDLD on a Cisco switch?
A. normal and aggressive B. active and aggressive
C. normal and active D. normal and passive
Question 3
While working in the core network building, a technician accidently bumps the fiber connection
between two core switches and damages one of the pairs of fiber. As designed, the link was placed
into a non-forwarding state due to a fault with UDLD. After the damaged cable was replaced, the
link did not recover. What solution allows the network switch to automatically recover from such an
issue?
A. macros B. errdisable autorecovery C. IP Event Dampening
D. command aliases E. Bidirectional Forwarding Detection
Question 4
After UDLD is implemented, a Network Administrator noticed that one port stops receiving UDLD
packets. This port continues to reestablish until after eight failed retries. The port then transitions
into the errdisable state. Which option describes what causes the port to go into the errdisable state?
A. Normal UDLD operations that prevent traffic loops.
B. UDLD port is configured in aggressive mode.
C. UDLD is enabled globally.
D. UDLD timers are inconsistent.
Question 5
After reviewing UDLD status on switch ports, an engineer notices that the switch LEDs are green.
Which statement describes what this indicates about the status of the port?
A. The port is fully operational and no known issues are detected.
B. The bidirectional status of "unknown" indicates that the port will go into the disabled state
because it stopped receiving UDLD packets from its neighbor.
C. UDLD moved into aggressive mode after inconsistent acknowledgements were detected.
D. The UDLD port is placed in the "unknown" state for 5 seconds until the next UDLD packet is
received on the interface.
Storm Control Questions
Question 1
The command storm-control broadcast level 75 65 is configured under the switch port connected to the
corporate mail server. In which three ways does this command impact the traffic? (Choose three)
A- SNMP traps are sent by default when broadcast traffic reaches 65% of the lower-level threshold.
B- The switchport is disabled when unicast traffic reaches 75% of the total interface bandwidth.
C- The switch resumes forwarding broadcasts when they are below 65% of bandwidth.
D- Only broadcast traffic is limited by this particular storm control configuration.
E- Multicast traffic is dropped at 65% and broadcast traffic is dropped at 75% of the total interface
bandwidth.
F- The switch drops broadcasts when they reach 75% of bandwidth.
Question 2
While troubleshooting a network outage, a network engineer discovered an unusually high level of
broadcast traffic coming from one of the switch interfaces. Which option decreases consumption of
bandwidth used by broadcast traffic?
A. storm control
B. SDM routing
C. Cisco IOS parser
D. integrated routing and bridging
E. Dynamic ARP Inspection
Question 3
Which switch feature prevents traffic on a LAN from being overwhelmed by continuous multicast or
broadcast traffic?
A. storm control
B. port security
C. VTP pruning
D. VLAN trunking
Question 4
Which command would a network engineer apply to error-disable a switchport when a packet-storm is
detected?
A. router(config-if)#storm-control action shutdown
B. router(config-if)#storm-control action trap
C. router(config-if)#storm-control action error
D. router(config-if)#storm-control action enable
The above versions are the original STP options. Next we discuss the newer
versions: RSTP (IEEE 802.1w, BPDU protocol version 2), Rapid PVST+ (Cisco's
per-VLAN implementation of RSTP) and MST (IEEE 802.1s, BPDU protocol version 3,
the standards-based alternative to Rapid PVST+).

STP Port State   RSTP Port State   Port Included in Active Topology?   Port Learning MAC Addresses?
Disabled         Discarding        No                                  No
Blocking         Discarding        No                                  No
Listening        Discarding        No                                  No
Learning         Learning          Yes                                 Yes
Forwarding       Forwarding        Yes                                 Yes

BPDU in RSTP:
• MST Overview
MST is built on the concept of mapping one or more VLANs to a
single STP instance. Multiple instances of STP can be used (hence the
name MST), with each instance supporting a different group of
VLANs.
For the network shown in Figure, only two MST instances would be
needed. Each could be tuned to result in a different topology so that
Instance 1 would forward on the left uplink, whereas Instance 2 would
forward on the right uplink. Therefore, VLAN A would be mapped to
Instance 1, and VLAN B would be mapped to Instance 2.
• To implement MST in a network, you need to determine the following:
■ The number of STP instances needed to support the desired
topologies
■ Whether to map a set of VLANs to each instance
Figure: an MST region in which the MSTI instances (MSTI 1, MSTI 2) and the IST instance run side by side.
Notice that within the MST cloud, there are now three independent STP
instances coexisting: MSTI 1, MSTI 2, and the IST.
The IST (instance 0) runs on all bridges within an MST region.
Each of the MSTIs is significant only within a region, even if an adjacent
region has the same MSTIs in use. In other words, the MSTIs combine with
the IST only at the region boundary to form a subtree of the CST. That means
only IST (MSTI 0) BPDUs are sent into and out of a region.
The M-Record is a subfield, within the BPDU of MSTP instances, that
contains enough information (root bridge and sender bridge priority
parameters) for the corresponding instance to calculate the final topology.
MSTP instances combine with the IST at the boundary of MST regions to
become the CST, as follows:
IST Instances
Something other than CST must work out a loop-free topology inside each
MST region.
Within a single MST region, an Internal Spanning Tree (IST) instance runs to
work out a loop-free topology between the links where CST meets the region
boundary and all switches inside the region. Think of the IST instance as a
locally significant CST, bounded by the edges of the region.
The IST presents the entire region as a single virtual bridge to the CST
outside. BPDUs are exchanged at the region boundary only over the native
VLAN of trunks, as if a single CST were in operation. And, indeed, it is.
Figure shows the basic concept behind the IST instance. The network at the
left has an MST region, where several switches are running compatible MST
configurations. Another switch is outside the region because it is running only
the CST from 802.1Q.
MST Configuration
• Step 1 Enable MST on the switch:
Switch(config)# spanning-tree mode mst
Step 2 Enter MST configuration mode:
Switch(config)# spanning-tree mst configuration
Step 3 Assign a region name (every switch in the region must use the same name):
Switch(config-mst)# name name
Step 4 Set the configuration revision number (it must also match within the region):
Switch(config-mst)# revision version
Step 5 Map VLANs to an MST instance (repeat for each instance; VLANs left unmapped
stay in the IST, instance 0):
Switch(config-mst)# instance instance-id vlan vlan-list
Step 6 Display the pending changes before committing them:
Switch(config-mst)# show pending
Step 7 Exit the MST configuration mode; this commits the changes to the active
MST region configuration:
Switch(config-mst)# exit
Question 2
What happens on a Cisco switch that runs Cisco IOS when an RSTP-configured switch receives 802.1d
BPDU?
A. 802.1d does not understand RSTP BPDUs because they are different versions, but when a RSTP switch
receives an 802.1d BPDU, it responds with an 802.1d BPDU and eventually the two switches run 802.1d to
communicate.
B. 802.1d understands RSTP BPDUs because they are the same version, but when a RSTP switch receives a
802.1d BPDU, it responds with a 802.1d BPDU and eventually the two switches run 802.1d to communicate.
C. 802.1d does not understand RSTP BPDUs because they are different versions, but when a RSTP switch
receives a 802.1d BPDU, it does not respond with a 802.1d BPDU.
D. 802.1d understands RSTP BPDUs because they are the same version, but when a RSTP switch receives a
802.1d BPDU, it does not respond with a 802.1d BPDU and eventually the two switches run 802.1d to
communicate.
MST Questions
Question 3
A network engineer is setting up a new switched network. The network is expected to grow and add many
new VLANs in the future. Which Spanning Tree Protocol should be used to reduce switch resources and
managerial burdens that are associated with multiple spanning-tree instances?
A-RSTP
B. PVST
C. MST
D. PVST+
E. RPVST+
Question 4
When two MST instances (MST 1 and MST 2) are created on a switch, what is the total number of spanning-
tree instances running on the switch?
A. 1
B. 2
C. 3
D. 4
The VSS transitions to a state called dual-active recovery mode (the
standby chassis assumes that the active chassis is down). In dual-active recovery
mode, all interfaces except the VSL interfaces are placed in an operationally shut-down
state on the formerly active switch member, while the new active virtual switch
continues to forward traffic on all links.
Switch Stacking (StackWise):
Traditionally, access layer switches have been independent physical
devices. If you needed multiple switches in one location, you had to
configure links between them. Cisco introduced the StackWise and
StackWise Plus technologies to enable separate physical switches to act as
a single logical switch. This is similar to VSS but for non-modular
switches: its goal is to logically merge many switches into one switch unit
in order to gain higher performance. One switch is elected stack
master (the highest priority wins; the priority defaults to 1 and ranges from 1
to 15). The stack master performs all of the management functions; all other
switches are called stack members. If the master switch fails, another member
switch takes over the role. When the physical switches are not part of a stack,
each one operates independently and manages its own functions.
Stacking is available on switch models such as the Cisco Catalyst 2960-X,
3750-E, 3750-X and 3850 platforms.
To create a logical “stacked” switch, individual physical switches must be
connected to each other using special-purpose stacking cables. Each
switch supports two stack ports; switches are connected in a daisy-chain
fashion, one switch to the next, and one final connection connects the
chain into a closed
loop. You can think of the stacking cables as an extension of the switching
fabric. When frames need to be moved from one physical switch to
another, they are sent across the bidirectional stacking cable loop to get
there. Figure illustrates how physical switches are cabled to become one
logical stack.
The same daisy-chain scheme can be used to connect up to nine physical
switches in a closed ring, providing a stack bandwidth of 32 Gbps (StackWise)
or 64 Gbps (StackWise Plus).
One advantage of the closed stacking loop is that individual switches can be
inserted or removed without completely breaking the path between switches.
The ring can be broken to add or remove a switch; if a stack cable is
broken the stack bandwidth is reduced by 50%, but the remaining switches
stay connected over the rest of the ring.
Stacking configuration: Before connecting two devices together, make sure that both devices
have the same IOS software installed. The configuration of the StackWise stack is done
automatically by connecting the stack cables. In other words, you can make changes to
the stack without interrupting its operation and without any further configuration.
One switch will be the master within the stack. The election takes place at connection or
boot time (if no master exists yet) in the following order:
1. Highest user-configured priority (1-15; the default is 1)
2. Switch with the highest IOS feature set (Advanced Enterprise wins against Advanced IP
Services)
3. Uptime (the longest-running switch wins)
4. MAC address (the switch with the lowest MAC address becomes master)
I recommend configuring the priority value of each switch so that the configuration and the
physical structure (top-down: A, B, C, etc.) stay aligned and do not confuse the administrator
or someone who needs to troubleshoot the infrastructure, or when you have different switch
models within one stack. In our example Switch A has been running for an hour and we connect
another device (same model, same IOS software) to it with a stacking cable. The
second device, Switch B, becomes a stack member because nothing was configured and
Switch A has the longer uptime. You will see the new interfaces come up, and you can
view all devices with:
CoreSwitch# show switch
Switch#  Role    Mac Address     Priority  State
1        Master  0016.4748.ff12  5         Ready
2        Member  0016.9d59.db00  1         Ready
The stack member number appears in the interface names:
interface GigabitEthernet1/0/1 = 1st port of the switch with member number 1
interface GigabitEthernet2/0/1 = 1st port of the switch with member number 2
You can define the priority of each switch; the higher the priority, the more likely the
switch is to be elected stack master (the member number is assigned separately and is not
derived from the priority). For example, we have three switches named 1, 2 and 3 from top
to bottom: 1 is connected to 2, 2 to 3 and 3 to 1, closing the ring.
We configure the priority values with:
(config)# switch 1 priority 15
(config)# switch 2 priority 14
Note: Assign the highest priority value to the switch that you prefer to be the
stack master. This ensures that the switch is re-elected as stack master if a re-election occurs.
Figure: traditional redundant switched network architecture before EtherChannel, MEC, stacking and VSS.
Figure: enhanced logical redundant network architecture after applying EtherChannel, MEC, stacking and VSS.
Redundancy within the network (between devices)
• Router redundancy in a multilayer switched network:
- Redundancy is one method for creating highly available networks.
- Cisco supports:
1- HSRP (Hot Standby Router Protocol)
2- VRRP (Virtual Router Redundancy Protocol)
3- GLBP (Gateway Load Balancing Protocol)
to provide failover in case of a gateway failure.
• Note: An HSRP group can be assigned an arbitrary group number from 0 to 255. This
number is locally significant to the interface, so you can use the same group number on two
different physical interfaces or SVIs; for example, interface vlan 5 can use HSRP
group 1 and interface vlan 6 can also use HSRP group 1.
Figure: gateway routers R1, R2 and R3 behind one virtual gateway; routers A and B each with a Gigabit Ethernet (G1) uplink to the other building.
In this example, router A and router B reside in one building. Each of these
routers supports a Gigabit Ethernet link to the other building. Router A has
the higher priority and is the active forwarding router for standby group 1.
Router B is the standby router for that group. Routers A and B are
exchanging hello messages through their E0 interfaces.
The Gigabit Ethernet link between the active forwarding router for the standby group
and the other building fails. Without HSRP enabled, router A would
detect the failed link and send an Internet Control Message Protocol (ICMP) redirect to
router B. However, when HSRP is enabled, ICMP redirects are disabled. Therefore,
neither router A nor the virtual router sends an ICMP redirect. In addition, although the
G1 interface on router A is no longer functional, router A still sends hello
messages out interface E0 indicating that it is the active router. Packets
sent to the virtual router for forwarding to headquarters cannot be routed. Interface
tracking enables the priority of a standby group router to be automatically adjusted,
based on the availability of the interfaces of that router. When a tracked interface becomes
unavailable, the HSRP priority of the router is decreased. When properly configured,
the HSRP tracking feature ensures that a router with an unavailable key interface
relinquishes the active router role.
In this example, the E0 interface on router A tracks the G1 interface. If the link
between the G1 interface and the other building fails, router A automatically
decrements the priority it advertises in its hello messages out interface E0. Router B
assumes the active router role because it now has the higher priority and is configured
to preempt (standby preempt). Without preemption on router B the active role would
change only when router A's hello messages stop for the holdtime period, as happens
when router A itself fails.
• HSRP configuration:
Configuration can take place on any layer 3 port as router port, SVI
(Switched Virtual Interface) MLS interface, Ether Channel port
(config-if)# standby <group no.> ip <virtual IP>
(config-if)# standby <group no.> priority <no.>
(config-if)# standby <group no.> timers <hello> <hold down>
(config-if)# standby <group no.> preempt [delay <sec.>][reload <sec>]
(config-if)# standby <group no.> track <int. name> <decrement value>
(config-if)# standby <group no.> authentication <password>
(config-if)# standby group authentication md5 key-string password
Troubleshooting:
#show standby [brief]
#debug standby
Configuring an HSRP Standby Interface with Interface Tracking:
interface Ethernet0
 ip address 10.1.1.2 255.255.255.0
 no ip redirects
 standby 1 priority 105
 standby 1 preempt
 standby 1 ip 10.1.1.1
 standby 1 track Serial0 25
If Serial0 goes down, what will this interface's priority value
be for standby group 1? Answer: 80 (105 - 25)
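The tracking scenario above, as an added Python model that is not Cisco code: routers A and B in standby group 1, with router A tracking Serial0 at a decrement of 25. The second router's priority (100), its address and its preempt setting are my assumptions, chosen to show that router B only takes over the active role on a priority change if it is configured to preempt, and that without preemption the role changes only when the active router stops sending hellos.

```python
from dataclasses import dataclass, field


def ip_key(ip):
    """Numeric tuple so that 10.1.1.10 compares higher than 10.1.1.9."""
    return tuple(int(o) for o in ip.split("."))


@dataclass
class HsrpRouter:
    name: str
    ip: str                                     # real interface address
    priority: int = 100                         # standby <group> priority
    preempt: bool = False                       # standby <group> preempt
    tracks: dict = field(default_factory=dict)  # tracked interface -> decrement
    down_ifaces: set = field(default_factory=set)
    alive: bool = True                          # False once hellos stop for holdtime

    def effective_priority(self):
        """Configured priority minus the decrement of every tracked interface that is down."""
        return self.priority - sum(d for i, d in self.tracks.items() if i in self.down_ifaces)

    def key(self):
        """Election key: highest effective priority, then highest IP address."""
        return (self.effective_priority(), ip_key(self.ip))


class HsrpGroup:
    """Constructed model of one standby group's active election (not IOS code)."""

    def __init__(self, routers):
        self.routers = {r.name: r for r in routers}
        self.active = None
        self.elect()

    def elect(self):
        """Re-run the election after any change and return the active router's name.

        With no (alive) active router the best key wins outright. While an
        active router exists, a better router takes over only if it is
        configured to preempt; otherwise the incumbent keeps the role."""
        alive = [r for r in self.routers.values() if r.alive]
        current = self.routers.get(self.active)
        if current is None or not current.alive:
            self.active = max(alive, key=HsrpRouter.key).name if alive else None
            return self.active
        best = max(alive, key=HsrpRouter.key)
        if best is not current and best.preempt and best.key() > current.key():
            self.active = best.name
        return self.active

    def link_down(self, name, iface):
        self.routers[name].down_ifaces.add(iface)
        return self.elect()

    def link_up(self, name, iface):
        self.routers[name].down_ifaces.discard(iface)
        return self.elect()

    def router_down(self, name):
        """Hellos from this router stopped for the holdtime."""
        self.routers[name].alive = False
        return self.elect()

    def router_up(self, name):
        self.routers[name].alive = True
        return self.elect()


if __name__ == "__main__":
    a = HsrpRouter("RouterA", "10.1.1.2", priority=105, preempt=True, tracks={"Serial0": 25})
    b = HsrpRouter("RouterB", "10.1.1.3", priority=100, preempt=True)
    group = HsrpGroup([a, b])
    print("initial active:", group.active)
    print("Serial0 down on A ->", group.link_down("RouterA", "Serial0"),
          "(A now advertises", a.effective_priority(), ")")
    print("Serial0 back up  ->", group.link_up("RouterA", "Serial0"))
```

The second scenario in the test is the one that bites in production: the same configuration with preempt left off router B means the tracked failure lowers A's priority to 80 but A stays active and keeps black-holing traffic to headquarters, so both routers need standby preempt for tracking to have any effect.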
Troubleshooting
Switch#debug standby
*Mar 1 00:22:30.443: SB11: Vl11 Hello out 172.16.11.111 Active pri 100 ip 172.16.11.115
*Mar 1 00:22:32.019: SB11: Vl11 Hello in 172.16.11.112 Standby pri 50 ip 172.16.11.115
*Mar 1 00:22:33.331: SB11: Vl11 Hello out 172.16.11.111 Active pri 100 ip 172.16.11.115
*Mar 1 00:22:34.927: SB11: Vl11 Hello in 172.16.11.112 Standby pri 50 ip 172.16.11.115
*Mar 1 00:22:36.231: SB11: Vl11 Hello out 172.16.11.111 Active pri 100 ip 172.16.11.115
*Mar 1 00:22:37.823: SB11: Vl11 Hello in 172.16.11.112 Standby pri 50 ip 172.16.11.115
*Mar 1 00:22:39.163: SB11: Vl11 Hello out 172.16.11.111 Active pri 100 ip 172.16.11.115
*Mar 1 00:22:40.735: SB11: Vl11 Hello in 172.16.11.112 Standby pri 50 ip 172.16.11.115
*Mar 1 00:22:42.119: SB11: Vl11 Hello out 172.16.11.111 Active pri 100 ip 172.16.11.115
*Mar 1 00:22:43.663: SB11: Vl11 Hello in 172.16.11.112 Standby pri 50 ip 172.16.11.115
*Mar 1 00:22:45.067: SB11: Vl11 Hello out 172.16.11.111 Active pri 100 ip 172.16.11.115
*Mar 1 00:22:46.567: SB11: Vl11 Hello in 172.16.11.112 Standby pri 50 ip 172.16.11.115
Figure: typical HSRP scenario with one HSRP group.
Figure: load balancing with two HSRP groups.
- Load sharing can be achieved in the same way as with HSRP.
• GLBP Operation:
- The trick behind GLBP load balancing lies in electing an AVG (Active Virtual Gateway)
router that has a management role: it distributes the load among all AVFs
using one of three methods:
1- Round robin: the default method; traffic is distributed
equally across all routers.
2- Weighted round robin: a weight is assigned to every AVF, and the
weight determines the share of traffic sent to that AVF.
3- Host dependent: a host receives the same AVF MAC address
every time it sends an ARP request for the gateway.
- The AVG is the router with the highest priority (1-255); if priorities are equal, the
highest IP address wins.
- The AVG also assigns the necessary virtual MAC addresses to each of
the routers participating in the GLBP group. Up to four virtual MAC
addresses can be used in any group. Each of these routers is referred to
as an active virtual forwarder (AVF), forwarding traffic received on its
virtual MAC.
- The AVG answers all ARP requests for the virtual router IP address, and each time
it replies with the MAC address of one of the AVFs.
- The AVG can also have the role of one of the AVFs.
Having each resolved a different MAC address for the default gateway,
clients A and B will send their routed traffic to separate routers, although
they both have the same default gateway address configured. Each GLBP
router is an AVF for the virtual MAC address to which it has been assigned.
Like HSRP, GLBP can be configured to track interfaces. In the figure, the
WAN link from router R1 is lost. GLBP detects the failure.
In this figure, round robin load balancing is being used. Each of the client PCs
look for the virtual router address in turn, from left to right. Each time the
AVG replies, the next sequential virtual MAC address is sent back to a client.
After the fourth PC sends a request, all three virtual MAC addresses (and
AVF routers) have been used, so the AVG cycles back to the first virtual
MAC address.
Notice that only one GLBP group has been configured, and all clients know of
only one gateway IP address — 192.168.1.1. However, all uplinks are being
utilized, and all routers are proportionately forwarding traffic.
Redundancy is also inherent in the GLBP group—Catalyst A is the AVG, but
the next-highest priority router can take over if the AVG fails. All routers
have been given an AVF role for a unique virtual MAC address in the group.
If one AVF fails, some clients still remember the last virtual MAC address that was handed out to them. Therefore, another of the routers also takes over the AVF role for the failed router, so that the virtual MAC address remains alive at all times.
Figure shows how these redundancy features react when the current active
AVG fails. Catalyst A, prior to its failure, was the AVG because of its higher
GLBP priority. After it failed, Catalyst B became the AVG, answering ARP
requests with the appropriate virtual MAC address for gateway 192.168.1.1.
Catalyst A had also been acting as an AVF, participating in the gateway load
balancing.
Catalyst B also picks up this responsibility, using its virtual MAC address
0007.b400.0102 as well as the one Catalyst A had been using,
0007.b400.0101. Therefore, any hosts that know the gateway by any of its
virtual MAC addresses can still reach a live gateway or AVF.
AVF election
• GLBP uses a weighting function to determine which routers become AVFs.
• Each router begins with a maximum weight value (1-254, default 100). As a tracked interface goes down, the weight is decremented by a configured amount, and GLBP uses a lower/upper threshold pair to decide when a router can or cannot be an AVF.
• A router with a higher weight does not take a virtual MAC away from a healthy AVF; forwarder preemption only applies when the current AVF's weight has fallen below its lower threshold. So if an AVF fails, it does not get its old role back automatically; it can rejoin as an AVF only while fewer than four AVFs are in use.
• Preemption is supported for the AVG role: a higher-priority router takes over as AVG if preempt is configured.
• Configuration:
For AVG:
(config-if)# glbp <group no.> load-balancing [round-robin | weighted | host-dependent]
(config-if)# glbp <group no.> ip <virtual IP>
(config-if)# glbp <group no.> priority <value>
(config-if)# glbp <group no.> preempt [delay minimum <sec>]
For AVFs:
(config-if)# glbp <group no.> weighting <maximum> [lower <value>] [upper <value>]
- Tracking:
(config-if)# glbp <group no.> weighting track <object no.> [decrement <value>]
- Object:
(config)# track <object no.> interface <int. name> {line-protocol | ip routing}
- Troubleshooting:
#show glbp [brief]
A comparable feature called VRRP-E (VRRP Extended) exists on other vendors' platforms (originally Foundry/Brocade). It is vendor-specific rather than an IETF standard, so it does not interoperate with GLBP.
GLBP virtual MAC address format: 0007.b4xx.xxyy, where xx.xx is the 16-bit group number and yy is the AVF (forwarder) number; for example, group 1 forwarder 1 uses 0007.b400.0101.
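The following model of a GLBP group is an added example and not code from the page or from Cisco. It puts the AVG election rule (priority, then IP), the 0007.b4xx.xxyy virtual MAC layout, the three load-balancing methods, the four-AVF limit and the AVF failover described above into one runnable class; the router names, addresses, weights and the GlbpGroup/Router class names are assumptions made for the illustration.

```python
"""Model of a GLBP group: AVG election, virtual-MAC hand-out and AVF failover.

Added illustration, not Cisco code. Router names, addresses and weights are
constructed; the 0007.b4xx.xxyy MAC layout, the four-AVF limit and the three
load-balancing methods follow the text above.
"""
from dataclasses import dataclass, field
from functools import reduce
from math import gcd


def virtual_mac(group: int, forwarder: int) -> str:
    """GLBP virtual MAC 0007.b4xx.xxyy: xx.xx = 16-bit group, yy = forwarder."""
    return f"0007.b4{group >> 8:02x}.{group & 0xFF:02x}{forwarder:02x}"


@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100   # AVG election: highest priority wins, then highest IP
    weight: int = 100     # AVF weighting (1-254), default 100
    lower: int = 1        # below this threshold the router may not be an AVF
    vmacs: list = field(default_factory=list)  # virtual MACs it forwards for
    alive: bool = True

    def eligible_avf(self) -> bool:
        return self.alive and self.weight >= self.lower


class GlbpGroup:
    MAX_AVF = 4

    def __init__(self, group: int, vip: str, method: str = "round-robin"):
        self.group, self.vip, self.method = group, vip, method
        self.routers: list = []
        self.cursor = 0  # rotation pointer kept by the AVG

    def join(self, r: Router) -> None:
        """A joining router gets the next free vMAC until four are in use."""
        self.routers.append(r)
        used = self.vmacs()
        if r.eligible_avf() and len(used) < self.MAX_AVF:
            r.vmacs.append(virtual_mac(self.group, len(used) + 1))

    def vmacs(self) -> list:
        return sorted(m for r in self.routers for m in r.vmacs)

    def owner(self, vmac: str) -> Router:
        return next(r for r in self.routers if vmac in r.vmacs)

    def avg(self) -> Router:
        """AVG = highest-priority live router; ties go to the highest IP."""
        return max((r for r in self.routers if r.alive),
                   key=lambda r: (r.priority, tuple(map(int, r.ip.split(".")))))

    def arp_reply(self, client_mac: str) -> str:
        """Virtual MAC the AVG returns in its ARP reply for the virtual IP."""
        macs = self.vmacs()
        if self.method == "host-dependent":
            # the same client always hashes to the same vMAC (while the set is stable)
            return macs[int(client_mac.replace(".", ""), 16) % len(macs)]
        if self.method == "weighted":
            # each vMAC repeated weight/gcd times, then rotated like round robin
            g = reduce(gcd, (self.owner(m).weight for m in macs))
            macs = [m for m in macs for _ in range(self.owner(m).weight // g)]
        self.cursor += 1
        return macs[(self.cursor - 1) % len(macs)]

    def _reassign(self, r: Router) -> None:
        """Hand r's vMACs to the best remaining AVF so they stay reachable."""
        takers = [t for t in self.routers if t is not r and t.eligible_avf()]
        if takers:
            max(takers, key=lambda t: (t.weight, t.priority)).vmacs.extend(r.vmacs)
        r.vmacs.clear()

    def fail(self, name: str) -> None:
        r = next(x for x in self.routers if x.name == name)
        r.alive = False
        self._reassign(r)          # a peer takes over; avg() re-elects by itself

    def track_down(self, name: str, decrement: int) -> None:
        """'glbp weighting track ... decrement': lose the AVF role below threshold."""
        r = next(x for x in self.routers if x.name == name)
        r.weight -= decrement
        if not r.eligible_avf():
            self._reassign(r)


if __name__ == "__main__":
    g = GlbpGroup(1, "192.168.1.1")
    for r in (Router("CatA", "192.168.1.11", priority=200),
              Router("CatB", "192.168.1.12", priority=150),
              Router("CatC", "192.168.1.13")):
        g.join(r)
    print("AVG:", g.avg().name, "vMACs:", g.vmacs())
    print("ARP replies:", [g.arp_reply("0000.1111.2222") for _ in range(4)])
    g.fail("CatA")
    print("CatA failed -> AVG:", g.avg().name,
          "0007.b400.0101 now on", g.owner("0007.b400.0101").name)
```

Running the script reproduces the figure's story: Catalyst A is AVG and AVF for 0007.b400.0101; after it fails, Catalyst B becomes AVG and also answers for A's virtual MAC, so clients that cached either MAC keep a working gateway. The weighted rotation is a deterministic simplification of the real algorithm, but the proportions it produces match the configured weights.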
Securing Switch Access
AAA (Authentication, Authorization, Accounting):
– Authentication: verifies a user's identity
– Authorization: specifies the tasks the user is permitted to perform
– Accounting: provides billing, auditing and monitoring records of what the user did
Authentication
• Switch or network access can be granted only after a user’s identity has been
validated. User authentication is commonly used on switches and routers to
limit Telnet access to the network administration staff.
• User authentication can be handled by several methods:
- Usernames and passwords configured locally on the switch
- One or more external Remote Authentication Dial-In User Service (RADIUS)
servers
- One or more external Terminal Access Controller Access Control System+
(TACACS+) servers
Accounting
• Catalyst switches also support the capability to use AAA for
producing accounting information of user activity. RADIUS and
TACACS+ servers can also collect this accounting information from
switches
Step 1. The port is in the unauthorized state, allowing only 802.1x EAP over
LAN (EAPOL) traffic.
Step 2. The client connects to the port. The switch either requests
authentication or the client sends an EAPOL frame to begin authentication.
Step 3. The switch (the authenticator) relays the EAP authentication exchange between the client (the supplicant) and a RADIUS server; the switch acts as a proxy, and the RADIUS server makes the access decision.
Step 4. If authentication succeeds, the port transitions to the authorized state,
and normal LAN traffic is allowed through it.
For port-based authentication, both the switch and the end user's PC must
support the 802.1x standard, using the Extensible Authentication Protocol over
LANs (EAPOL). The 802.1x standard is a cooperative effort between the client
and the switch offering network service. If the client PC is configured to use
802.1x but the switch does not support it, the PC abandons the protocol and
communicates normally. However, if the switch is configured for 802.1x but
the PC does not support it, the switch port remains in the unauthorized state so
that it will not forward any traffic to the client PC.
An 802.1x switch port begins in the unauthorized state so that no data other
than the 802.1x protocol itself is allowed through the port. Either the client or
the switch can initiate an 802.1x session. The authorized state of the port ends
when the user logs out, causing the 802.1x client to inform the switch to revert
back to the unauthorized state. The switch can also time out the user’s
authorized session. In this event, the client must reauthenticate to continue
using the switch port.
• Before 802.1x can be used, AAA must be enabled and a RADIUS server defined as the dot1x authentication method (aaa new-model, aaa authentication dot1x default group radius, radius-server host). Then enable the use of 802.1x on the switch with the following global configuration command:
Switch(config)# dot1x system-auth-control
• You must configure each switch port that will use 802.1x, because the default is force-authorized (no authentication needed):
Switch(config-if)# dot1x port-control {force-authorized | force-unauthorized | auto}
Auto requires an 802.1x-capable supplicant on the client PC.
• Here, the 802.1x state is one of the following:
force-authorized: The port is forced to always authorize any connected client. No authentication is necessary. This is the default state for all switch ports when 802.1x is enabled.
force-unauthorized: The port is forced to never authorize any connected client. As a result, the port cannot move to the authorized state to pass traffic to a connected client.
auto: The port uses an 802.1x exchange to move from the unauthorized to the authorized state, if successful. This requires an 802.1x-capable application on the client PC.
• By default a port allows a single authenticated host. If the switch should expect to find multiple hosts on the switch port (for example, behind a small hub), set the host mode:
Switch(config-if)# dot1x host-mode multi-host
(older IOS releases use dot1x multiple-hosts). In multi-host mode one successful authentication authorizes the port for every MAC behind it, which weakens the control; where the platform supports it, the multi-auth host mode (authentication host-mode multi-auth), which authenticates each MAC separately, is preferable.
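The port states above are easy to get wrong in practice (for example, expecting a non-802.1x host to get through an auto port). The following model is an added example, not code from the page or from Cisco: it implements the port-control modes, the EAPOL-only behaviour of an unauthorized port, the relayed RADIUS decision, single-host versus multi-host, logoff and session timeout. The EAPOL EtherType 0x888E is real; the Frame/RadiusStub/Dot1xPort names, the user table and the MAC addresses are constructed for the illustration.

```python
"""802.1X port-control model: what a switch port forwards in each state.

Added illustration, not IOS code. The EAPOL EtherType (0x888E) is the real
one; the frames, the RADIUS user table and the MAC addresses are constructed.
"""
from dataclasses import dataclass

EAPOL = 0x888E   # the only EtherType an unauthorized 'auto' port accepts
IPV4 = 0x0800


@dataclass
class Frame:
    src: str
    ethertype: int
    payload: str = ""   # EAPOL: "start" | "identity:<user>" | "response:<pw>" | "logoff"


class RadiusStub:
    """Stand-in for the RADIUS server the switch relays EAP to (constructed)."""
    def __init__(self, users: dict):
        self.users = users

    def access_request(self, user: str, password: str) -> bool:
        return self.users.get(user) == password


class Dot1xPort:
    def __init__(self, control: str, radius: RadiusStub, multi_host: bool = False):
        if control not in ("force-authorized", "force-unauthorized", "auto"):
            raise ValueError(control)
        self.control, self.radius, self.multi_host = control, radius, multi_host
        self.authorized = control == "force-authorized"
        self.pending_user = None
        self.auth_mac = None         # supplicant that authorized the port
        self.log: list = []

    def accepts(self, f: Frame) -> bool:
        """True if a frame received on the port is forwarded onto the LAN."""
        if self.control == "force-unauthorized":
            return False                     # never passes client traffic
        if self.control == "force-authorized":
            return True                      # no authentication at all
        if f.ethertype == EAPOL:
            self._eapol(f)
            return False                     # EAPOL is consumed by the authenticator
        if not self.authorized:
            return False                     # unauthorized: only EAPOL is allowed
        # single-host mode: only the MAC that authenticated may use the port
        return self.multi_host or f.src == self.auth_mac

    def _eapol(self, f: Frame) -> None:
        kind, _, arg = f.payload.partition(":")
        if kind == "start":
            self.log.append("-> EAP-Request/Identity")
        elif kind == "identity":
            self.pending_user = arg
            self.log.append(f"RADIUS Access-Request for {arg}")
        elif kind == "response" and self.pending_user:
            ok = self.radius.access_request(self.pending_user, arg)
            self.authorized, self.auth_mac = ok, (f.src if ok else None)
            self.log.append("Access-Accept: port authorized" if ok
                            else "Access-Reject: port stays unauthorized")
        elif kind == "logoff":
            self.authorized, self.auth_mac = False, None
            self.log.append("EAPOL-Logoff: port unauthorized")

    def session_timeout(self) -> None:
        """Re-authentication timer expiry on the switch: client must authenticate again."""
        self.authorized, self.auth_mac = False, None


def authenticate(port: Dot1xPort, mac: str, user: str, password: str) -> bool:
    """Drive the supplicant side of the exchange; returns the port's resulting state."""
    for payload in ("start", f"identity:{user}", f"response:{password}"):
        port.accepts(Frame(mac, EAPOL, payload))
    return port.authorized


if __name__ == "__main__":
    radius = RadiusStub({"alice": "s3cret"})
    port = Dot1xPort("auto", radius)
    print("before auth, IPv4 forwarded:", port.accepts(Frame("0011.2233.4455", IPV4)))
    print("auth ok:", authenticate(port, "0011.2233.4455", "alice", "s3cret"))
    print("after auth, IPv4 forwarded:", port.accepts(Frame("0011.2233.4455", IPV4)))
    print("\n".join(port.log))
```

Two behaviours worth noticing in the model: a host without a supplicant never gets out of the unauthorized state on an auto port (its IPv4 frames are dropped while EAPOL would have been accepted), and in single-host mode a second MAC behind an authorized port is still dropped, which is the property multi-host mode gives up.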
Types of Attacks (figure): CAM table overflow, MAC spoofing, ARP spoofing, DHCP starvation, VLAN hopping, Spanning Tree attacks.
Troubleshooting:
This command displays port security settings for the switch or for the specified
interface, including the maximum allowed number of secure MAC addresses
for each interface, the number of secure MAC addresses on the interface, the
number of security violations that have occurred, and the violation mode.
Switch#show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
----------------------------------------------------------------------------
Fa5/1 11 11 0 Shutdown
Fa5/5 15 5 0 Restrict
Fa5/11 5 4 0 Protect
----------------------------------------------------------------------------
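The table above only shows the counters; what each violation mode actually does to a frame is easier to see in code. The following is an added example, not code from the page or from IOS: a SecurePort class that learns secure MACs up to the maximum and applies protect, restrict or shutdown behaviour, plus a parser for the show port-security summary (SAMPLE is a copy of the output above) with a small audit helper. Port names, MAC addresses and maximums are constructed; the syslog text mimics the PSECURE_VIOLATION message format.

```python
"""Port-security enforcement model: secure-MAC learning and the violation modes.

Added illustration, not IOS code. Port names, MAC addresses and maximums are
constructed; the protect / restrict / shutdown behaviour follows the text, and
SAMPLE is a copy of the show port-security output shown above.
"""
from dataclasses import dataclass, field

SAMPLE = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
----------------------------------------------------------------------------
      Fa5/1             11           11                  0         Shutdown
      Fa5/5             15            5                  0         Restrict
     Fa5/11              5            4                  0          Protect
----------------------------------------------------------------------------
"""


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum
    violation: str = "shutdown"      # protect | restrict | shutdown (default)
    secure_macs: set = field(default_factory=set)
    violations: int = 0              # SecurityViolation (Count) column
    err_disabled: bool = False
    syslog: list = field(default_factory=list)

    def ingress(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded."""
        if self.err_disabled:
            return False                         # shutdown mode took the port down
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)        # dynamic (or sticky) learning
            return True
        # limit reached and the source MAC is unknown: a violation
        if self.violation == "protect":
            return False                         # dropped silently: no counter, no log
        self.violations += 1
        self.syslog.append("%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
                           f"occurred, caused by MAC address {src_mac} on port {self.name}")
        if self.violation == "shutdown":
            self.err_disabled = True             # port goes err-disabled
        return False

    def row(self) -> tuple:
        """The 'show port-security' line for this port."""
        return (self.name, self.maximum, len(self.secure_macs),
                self.violations, self.violation.capitalize())


def parse_show_port_security(text: str) -> list:
    """Parse the summary table into one dict per secure port."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[1].isdigit():
            rows.append({"port": parts[0], "max": int(parts[1]), "current": int(parts[2]),
                         "violations": int(parts[3]), "action": parts[4]})
    return rows


def audit(rows: list) -> list:
    """Ports worth a look: already violated, or full so the next new MAC violates."""
    return [r["port"] for r in rows if r["violations"] or r["current"] >= r["max"]]


if __name__ == "__main__":
    p = SecurePort("Fa0/1", maximum=2, violation="restrict")
    for mac in ("0000.0000.0001", "0000.0000.0002", "0000.0000.0003"):
        print(mac, "forwarded" if p.ingress(mac) else "dropped")
    print(p.row(), p.syslog)
    print("audit:", audit(parse_show_port_security(SAMPLE)))
```

Note the operational difference the model makes visible: in restrict mode the known hosts keep working while the intruder is dropped and counted, whereas in shutdown mode the port goes err-disabled and even the legitimate secure MAC loses connectivity until the port is recovered, and protect mode leaves no trace at all in the violation counter.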
Question 2
In a Cisco switch, what is the default period of time after which a MAC address ages out and is
discarded?
A. 100 seconds B. 180 seconds C. 300 seconds D. 600 seconds
Question 3
If a network engineer applies the command mac-address-table notification mac-move on a
Cisco switch port, when is a syslog message generated?
A. A MAC address or host moves between different switch ports.
B. A new MAC address is added to the content-addressable memory.
C. A new MAC address is removed from the content-addressable memory.
D. More than 64 MAC addresses are added to the content-addressable memory.
Question 4
The network monitoring application alerts a network engineer of a client PC that is acting as a rogue
DHCP server. Which two commands help trace this PC when the MAC address is known? (Choose two)
A. switch# show mac address-table
B. switch# show port-security
C. switch# show ip verify source
D. switch# show ip arp inspection
E. switch# show mac address-table
• The techniques that are used to mitigate CAM table flooding can also be used
to mitigate DHCP starvation by limiting the number of MAC addresses on a
switch port. As implementation of RFC 3118, Authentication for DHCP
Messages, increases, DHCP starvation attacks will become more difficult.
• Additional features in the Catalyst family of switches, such as the DHCP
snooping feature, can be used to help guard against a DHCP starvation
attack. DHCP snooping is a security feature that filters untrusted DHCP
messages and builds and maintains a DHCP snooping binding table. The
binding table contains information such as the MAC address, IP address,
lease time, binding type, VLAN number and the interface information
corresponding to the local untrusted interfaces of a switch. Untrusted
messages are those received from outside the network or firewall and
untrusted switch interfaces are ones that are configured to receive such
messages from outside the network or firewall.
• The following commands can be used to mitigate DHCP starvation attacks
using DHCP snooping:
• switch(config)#ip dhcp snooping
switch(config)#ip dhcp snooping vlan vlan_id {,vlan_id}
switch(config-if)#ip dhcp snooping trust
switch(config-if)#ip dhcp snooping limit rate rate
• Example:
ARP Spoofing
Within the ARP protocol a provision is made for hosts to send unsolicited ARP replies, called gratuitous ARPs (GARP). GARP can be exploited by an attacker to spoof the identity of an IP address on a LAN segment. Typically this is used to impersonate one of two hosts, or to capture all traffic to and from the default gateway, in a man-in-the-middle attack.
Note:
DHCP snooping binding on catalyst switches holds up to 8,000
entry.
IP Source Guard does this by making use of the DHCP snooping database and
static IP source binding entries. If DHCP snooping is configured and enabled,
the switch learns the MAC and IP addresses of hosts that use DHCP. Packets
arriving on a switch port can be tested for one of the following conditions:
■ The source IP address must be identical to the IP address learned by DHCP snooping or a static entry. A dynamic port ACL is used to filter traffic. The switch automatically creates this ACL, adds the learned source IP address to the ACL, and applies the ACL to the interface where the address is learned.
■ The source MAC address must be identical to the MAC address learned
on the switch port and by DHCP snooping. Port security is used to filter
traffic.
If the address is something other than the one learned or statically
configured, the switch drops the packet.
Mitigate IP spoofing:
To guarantee that a given source address is only ever accepted on the switch port where it was learned, use IP Source Guard. IP Source Guard is configured on untrusted Layer 2 access interfaces (the same ports that are untrusted for DHCP snooping) with ip verify source, or with ip verify source port-security to check the source MAC as well as the source IP.
For hosts that do not use DHCP, you can configure a static IP source binding with the following configuration command:
Switch(config)# ip source binding mac-address vlan vlan-id ip-address interface type mod/num
BPDU filtering is related to BPDU guard but it is not a loop-prevention feature: it suppresses BPDUs rather than reacting to them. It can be enabled either globally or at the interface, with different behaviour at each. In global configuration it applies only to PortFast ports: if such a port receives a BPDU, it loses its PortFast (and BPDU filter) status and returns to normal STP operation. At interface configuration mode it stops the port from sending or receiving BPDUs altogether, which effectively disables STP on that port and can allow a bridging loop if a switch is attached, so BPDU guard (spanning-tree bpduguard enable) is the safer choice on access ports. The commands are:
(config)# spanning-tree portfast bpdufilter default
(config-if)# spanning-tree bpdufilter enable
MAC Access-Lists
(config)# mac access-list extended <list name>
(config-ext-macl)# permit {any | host <src mac>} {any | host <dst mac>}
Example
(config)# mac access-list extended ccnp
(config-ext-macl)# permit host 0001.0000.0001 host 0002.0000.0001
ARP access-list:
An ARP access list is checked against ARP packets by Dynamic ARP Inspection (DAI) and is mainly used to protect hosts with static IP addresses (which have no DHCP snooping binding) against ARP spoofing. DAI itself is enabled per VLAN with ip arp inspection vlan vlan-range, and uplinks toward other switches are marked with ip arp inspection trust so that only access ports are inspected.
Use the following configuration commands to define the ARP access list and one or more static entries:
Switch(config)# arp access-list acl-name
Switch(config-arp-nacl)# permit ip host sender-ip mac host sender-mac
[Repeat the previous command as needed]
Now the ARP access list must be applied to DAI with the following configuration command:
Switch(config)# ip arp inspection filter arp-acl-name vlan vlan-range [static]
The ACL is consulted before the DHCP snooping binding table. Without the static keyword, an ARP packet that matches no permit entry is then checked against the DHCP snooping bindings; with static, the ACL's implicit deny is final and the binding table is not consulted, so every legitimate sender on those VLANs must be listed in the ACL.
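DHCP snooping, IP Source Guard and DAI all act on the same binding table, and the passages above describe each in isolation. The following is an added example, not code from the page or from IOS, that models the three on one switch: DHCP server messages and rate limits on untrusted ports, binding learning from the server's ACK, IP Source Guard checks against the bindings (optionally with the MAC, as ip verify source port-security), and DAI with an ARP ACL consulted before the bindings, including the static keyword's behaviour. The Switch/Binding/Dhcp/Arp names, the port names, addresses and messages are constructed for the illustration.

```python
"""DHCP snooping, IP Source Guard and Dynamic ARP Inspection on one switch model.

Added illustration, not IOS code. The binding-table fields follow the text (MAC,
IP, lease, VLAN, interface); ports, addresses and messages are constructed.
"""
from dataclasses import dataclass

SERVER_MSGS = {"OFFER", "ACK", "NAK"}   # legitimate only from a trusted port


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    lease: int
    kind: str = "dhcp-snooping"      # or "static"


@dataclass
class Dhcp:
    msg: str                         # DISCOVER | OFFER | REQUEST | ACK | NAK
    chaddr: str                      # client hardware address in the DHCP payload
    yiaddr: str = "0.0.0.0"          # address the server hands out
    lease: int = 0


@dataclass
class Arp:
    sender_mac: str
    sender_ip: str
    eth_src: str                     # Ethernet source; DAI can check it == sender_mac


class Switch:
    def __init__(self, snooping_vlans, trusted_ports, rate_limit=15):
        self.vlans, self.trusted = set(snooping_vlans), set(trusted_ports)
        self.rate_limit = rate_limit         # 'ip dhcp snooping limit rate'
        self.bindings: list = []
        self.requests: dict = {}             # client MAC -> untrusted port it asked on
        self.arp_acl: dict = {}              # 'permit ip host <ip> mac host <mac>'
        self.arp_acl_static = False          # 'ip arp inspection filter ... static'
        self.drops = {"dhcp": 0, "ipsg": 0, "dai": 0}
        self.dhcp_seen: dict = {}            # DHCP packets per port in this interval

    def _drop(self, feature: str) -> bool:
        self.drops[feature] += 1
        return False

    def binding_for(self, ip: str, vlan: int):
        return next((b for b in self.bindings if b.ip == ip and b.vlan == vlan), None)

    def static_binding(self, mac: str, vlan: int, ip: str, port: str) -> None:
        """ip source binding <mac> vlan <vlan> <ip> interface <port>"""
        self.bindings.append(Binding(mac, ip, vlan, port, 0, "static"))

    def dhcp_in(self, port: str, vlan: int, pkt: Dhcp, eth_src: str) -> bool:
        """'ip dhcp snooping': filter DHCP on untrusted ports, learn bindings from ACKs."""
        if vlan not in self.vlans:
            return True                                   # VLAN not snooped
        if port in self.trusted:
            if pkt.msg == "ACK" and pkt.chaddr in self.requests:
                self.bindings.append(Binding(pkt.chaddr, pkt.yiaddr, vlan,
                                             self.requests[pkt.chaddr], pkt.lease))
            return True
        self.dhcp_seen[port] = self.dhcp_seen.get(port, 0) + 1
        if self.dhcp_seen[port] > self.rate_limit:        # starvation flood
            return self._drop("dhcp")                     # (a real port goes err-disabled)
        if pkt.msg in SERVER_MSGS:                        # rogue DHCP server
            return self._drop("dhcp")
        if pkt.chaddr != eth_src:                         # 'verify mac-address' (default on)
            return self._drop("dhcp")
        self.requests[pkt.chaddr] = port
        return True

    def ip_in(self, port: str, vlan: int, eth_src: str, src_ip: str, check_mac=False) -> bool:
        """'ip verify source [port-security]' on the untrusted access ports."""
        if port in self.trusted:
            return True
        b = self.binding_for(src_ip, vlan)
        if b is None or b.interface != port or (check_mac and b.mac != eth_src):
            return self._drop("ipsg")
        return True

    def arp_in(self, port: str, vlan: int, pkt: Arp) -> bool:
        """'ip arp inspection vlan': validate ARP sender fields on untrusted ports."""
        if port in self.trusted:
            return True
        if pkt.eth_src != pkt.sender_mac:                 # 'validate src-mac'
            return self._drop("dai")
        if self.arp_acl.get(pkt.sender_ip) == pkt.sender_mac:
            return True                                   # explicit ARP ACL permit
        if self.arp_acl_static:
            return self._drop("dai")                      # implicit deny, no binding lookup
        b = self.binding_for(pkt.sender_ip, vlan)
        if b is None or b.mac != pkt.sender_mac:
            return self._drop("dai")
        return True
```

A typical run: a client on an untrusted port sends DISCOVER, the server's ACK arrives on the trusted uplink and creates the binding; from then on an OFFER from another access port is dropped as a rogue server, a DISCOVER whose chaddr differs from the frame's source MAC is dropped (the usual signature of a starvation tool), and a gratuitous ARP claiming the gateway address from a port with no matching binding is dropped by DAI. Setting arp_acl_static shows the trap of the static keyword: even the correctly bound DHCP client is rejected once the binding table is no longer consulted.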
VACL Configuration
• 1- Create the VACL:
Switch(config)# vlan access-map map-name [sequence-number]
Switch(config-access-map)# match {ip address {acl-number | acl-name}} | {mac address acl-name}
Switch(config-access-map)# action {drop | forward [capture] | redirect interface type mod/num}
(ipx address is also accepted on older platforms.) Sequences are evaluated in order and the first matching sequence's action is taken; a packet that matches no sequence is dropped, so a final sequence that matches everything with action forward is normally needed.
• 2- Apply the VACL to one or more VLANs using the following global configuration command:
Switch(config)# vlan filter map-name vlan-list vlan-list
For example, suppose that you need to filter traffic within VLAN 99 so that host 192.168.99.17 is not allowed to contact any other host on its local subnet. Access list local-17 is created to identify traffic between this host and anything else on its local subnet. Then a VLAN access map is defined: if the local-17 access list permits (that is, matches) the IP address, the packet is dropped; otherwise, a later sequence forwards the packet.
Note that a VACL works on frames switched within the VLAN, so it can filter packets between a source and destination in a VLAN only if both connect to the local switch. It also does nothing about broadcasts: if one host broadcasts a packet, all hosts on the VLAN still have to listen.
Sometimes it would be nice to have the capability to segment traffic within a
single VLAN, without having to use multiple VLANs and a router. For
example, in a single-VLAN server farm, all servers should be capable of
communicating with the router or gateway, but the servers should not have to
listen to each other’s broadcast traffic. Taking this a step further, suppose that
each server belongs to a separate organization. Now each server should be
isolated from the others but still be capable of reaching the gateway to find
clients not on the local network.
Another application is a service provider network. Here, the provider might
want to use a single VLAN to connect to several customer networks. Each
customer needs to be able to contact the provider’s gateway on the VLAN.
Clearly, the customer sites do not need to interact with each other.
• Define the primary VLAN that will provide the underlying private VLAN connectivity, and associate the secondary (isolated or community) VLANs with it:
Switch(config)# vlan vlan-id
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association {secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list}
• Each secondary VLAN is defined with private-vlan isolated or private-vlan community, and a promiscuous port is mapped to the secondary VLANs with switchport private-vlan mapping (both are shown in the configuration example that follows).
• For a nonpromiscuous (host) port, the switch port must know which primary and secondary VLAN it belongs to:
Switch(config-if)# switchport private-vlan host-association primary-vlan-id secondary-vlan-id
• The primary VLAN can forward traffic at Layer 3 like any regular VLAN (through its SVI it can reach any other VLAN). The secondary VLANs associated with it exist only at Layer 2 and have no SVI of their own. To let hosts in the secondary VLANs be routed as well, add a private-VLAN mapping on the primary VLAN's SVI; the primary VLAN SVI then serves the secondary VLANs too, instead of requiring an SVI for each of them:
Switch(config)# interface vlan primary-vlan-id
Switch(config-if)# private-vlan mapping {secondary-vlan-list | add secondary-vlan-list | remove secondary-vlan-list}
Configuration Example
Switch(config)# vlan 10
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 20
Switch(config-vlan)# private-vlan community
Switch(config)# vlan 30
Switch(config-vlan)# private-vlan isolated
Switch(config)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 10,20,30
Switch(config-vlan)# exit
Switch(config)# interface range fastethernet 1/1 - 1/2
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 10
Switch(config)# interface range fastethernet 1/4 - 1/5
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 100 20
Switch(config)# interface fastethernet 1/3
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 30
Switch(config)# interface fastethernet 2/1
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 10,20,30
Switch(config)# interface vlan 100
Switch(config-if)# ip address 192.168.199.1 255.255.255.0
Switch(config-if)# private-vlan mapping 10,20,30
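To check what the configuration above actually permits, the following added example (not code from the page or from IOS) models private-VLAN reachability: community hosts reach each other and the promiscuous port, isolated hosts reach only the promiscuous port, different secondary VLANs never meet at Layer 2, and Layer 3 reachability depends on the SVI mapping. It reproduces the VLAN numbers and port names of the example; the Pvlan/PvlanPort class names and the build_example helper are assumptions for the illustration.

```python
"""Private-VLAN forwarding model: which ports may exchange frames in one primary VLAN.

Added illustration, not IOS code. The VLAN numbers and port names reproduce the
configuration example above; the isolated / community / promiscuous rules and
the SVI mapping follow the text.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PvlanPort:
    name: str
    mode: str                        # "host" or "promiscuous"
    secondary: Optional[int] = None  # host ports: their one secondary VLAN
    sec_type: str = ""               # "community" or "isolated" (host ports)


class Pvlan:
    def __init__(self, primary: int, secondaries: dict):
        self.primary = primary
        self.secondaries = dict(secondaries)   # secondary VLAN -> type
        self.ports: dict = {}
        self.mappings: dict = {}               # promiscuous port -> mapped secondaries
        self.svi_mapped: set = set()           # 'private-vlan mapping' on the primary SVI

    def host(self, name: str, secondary: int) -> None:
        """switchport mode private-vlan host / host-association <primary> <secondary>"""
        if secondary not in self.secondaries:
            raise ValueError(f"VLAN {secondary} is not associated with primary {self.primary}")
        self.ports[name] = PvlanPort(name, "host", secondary, self.secondaries[secondary])

    def promiscuous(self, name: str, mapped) -> None:
        """switchport mode private-vlan promiscuous / private-vlan mapping <primary> <list>"""
        self.ports[name] = PvlanPort(name, "promiscuous")
        self.mappings[name] = set(mapped)

    def svi_mapping(self, mapped) -> None:
        """interface vlan <primary> / private-vlan mapping <list>"""
        self.svi_mapped = set(mapped)

    def can_forward(self, src: str, dst: str) -> bool:
        """Layer 2 reachability between two ports of this private VLAN."""
        a, b = self.ports[src], self.ports[dst]
        if "promiscuous" in (a.mode, b.mode):
            if a.mode == b.mode:
                return True                    # promiscuous <-> promiscuous
            host, prom = (a, b) if a.mode == "host" else (b, a)
            return host.secondary in self.mappings[prom.name]
        if a.secondary != b.secondary:
            return False                       # different secondary VLANs never meet
        return a.sec_type == "community"       # isolated hosts cannot reach each other

    def can_route(self, port: str) -> bool:
        """Whether a host port's traffic can be routed through the primary VLAN SVI."""
        return self.ports[port].secondary in self.svi_mapped

    def matrix(self) -> dict:
        names = sorted(self.ports)
        return {s: {d: self.can_forward(s, d) for d in names if d != s} for s in names}


def build_example() -> Pvlan:
    """The page's example: primary 100; community 10 and 20; isolated 30."""
    p = Pvlan(100, {10: "community", 20: "community", 30: "isolated"})
    for port, secondary in (("Fa1/1", 10), ("Fa1/2", 10), ("Fa1/4", 20),
                            ("Fa1/5", 20), ("Fa1/3", 30)):
        p.host(port, secondary)
    p.promiscuous("Fa2/1", {10, 20, 30})
    p.svi_mapping({10, 20, 30})
    return p


if __name__ == "__main__":
    p = build_example()
    for src, row in p.matrix().items():
        print(src, {d: ("ok" if ok else "--") for d, ok in row.items()})
```

Adding a second host to isolated VLAN 30 in the model shows the point of an isolated VLAN: the two hosts share the VLAN number yet cannot reach each other, only the promiscuous port (and, through the SVI mapping, the gateway).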
The SPAN source can be identified as one or more physical switch ports, a trunk, or a VLAN.
Packets received on or transmitted from the source are copied into the destination port's egress queue. Because the packets are merely copied, neither the original data nor its forwarding is affected. The figure demonstrates two cases where a network analyzer on the SPAN destination port is receiving frames that SPAN has copied from the source: SPAN session A monitors all communication on VLAN 100, and SPAN session B uses a normal access-mode source port to monitor communication between a server and its client PCs.
What happens if a speed mismatch occurs between the SPAN source and destination ports? This could easily happen if the source is a VLAN with many hosts, or if the source is a GigabitEthernet port and the destination is a FastEthernet port.
Packets are copied only into the destination port's egress queue. If the destination port becomes congested, the SPAN copies are dropped from the queue and are not seen at the destination port. Therefore, if the bandwidth of the source traffic exceeds the destination port speed, some packets will be missing from the capture; the original traffic on the SPAN source, however, is not affected by any congestion at the SPAN destination. Keep this in mind when a capture is used as evidence during an incident: a gap in a SPAN capture may be oversubscription, not absence of traffic on the wire.
• Identify the SPAN source:
Switch(config)# monitor session session-number source {interface type mod/num | vlan vlan-id} [rx | tx | both]
SPAN sessions must be uniquely numbered using the session parameter. The maximum number of supported sessions varies among Catalyst platforms. For example, a Catalyst 3550 can support two sessions, whereas a Catalyst 6500 can support up to 64. If multiple sources are needed, you can repeat this command. The SPAN source can be a physical switch interface or a Layer 2 VLAN (not a logical VLAN interface or SVI).
• Traffic can be selected for mirroring based on the direction it is traveling through the SPAN source. For example, you can select only traffic received on the source (rx), only traffic transmitted from the source (tx), or traffic in both directions (both). By default, both directions are used.
• Next comes the SPAN destination. On some older Catalyst platforms the source and destination ports had to be in the same VLAN; on current platforms the destination port is taken out of normal forwarding for the duration of the session and can be any physical port.
• Identify the SPAN destination
Switch(config)# monitor session session id destination {{interface type
mod/num} | {vlan vlan-id} | {analysis-module slot-number}}
• The session number here must match the one configured for the SPAN
source. You can define only one destination port for each SPAN session. In
addition, SPAN sessions cannot share a destination port. The destination can
be a physical interface, a Layer 2 VLAN (not a VLAN SVI interface), or a
Network Analysis Module (NAM, Catalyst 6500 only).
• You can narrow down the data copied over from the source, if necessary. If
the source is a trunk port, you can mirror only traffic from specific VLANs
on the trunk
Switch(config)# monitor session session-number filter vlan vlan-range
• Also, if using a VACL, you can identify and mark interesting traffic for
SPAN capture. In this case, use the capture keyword in the VACL action
statement.
To see the list of currently active SPAN sessions, use the show monitor EXEC command; in the sample output (taken on a Catalyst 3550) two SPAN sessions are in use.
CAUTION: After you finish using a SPAN session, you should always
disable or delete it. Otherwise, someone might try to connect to the port that
is configured as the SPAN destination at some later date. You could spend a
good bit of time troubleshooting that user’s connectivity problem only to find
that you left a SPAN session active!
NOTE: When Local SPAN or VSPAN is enabled, the Spanning Tree Protocol
(STP) is disabled on the destination port. This allows STP BPDUs to be
captured and monitored but also allows the possibility for a bridging loop to
form. Never connect a SPAN session’s destination port back into an active
network. If the monitored packets need to be sent toward another switch, use
RSPAN instead.
Notice: a SPAN destination port shows an "up, down (monitoring)" state in show interfaces while the session is up and running; that is normal, not a fault.
Remote SPAN
In a large switched network or one that is geographically separated, it might not always be convenient to take a network analyzer to the switch where a SPAN source is located. To make SPAN more extensible, Cisco developed the Remote SPAN (RSPAN) feature. With RSPAN, the source and destination can be located on different switches in different locations.
The RSPAN source is identified on one switch, just as with local SPAN. The
RSPAN destination is identified on its local switch. Then, RSPAN can carry only
the mirrored data over a special-purpose VLAN across trunk links and
intermediate switches. As long as every switch along the way is RSPAN-capable,
the source can be located at the far-end switch, while the network analyzer is
conveniently located at the switch nearest you.
Figure shows an example network using RSPAN where the packets from the file
server (source port) on one switch are copied and transported over the RSPAN
VLAN on trunk links. At the destination switch, packets are pulled off the
RSPAN VLAN and copied to the network analyzer (destination port). The file
server and network analyzer are stationed in geographically separate locations.
The RSPAN VLAN has some important differences from a regular VLAN. First,
MAC address learning is disabled on the RSPAN VLAN. This is to prevent
intermediate switches that transport the RSPAN VLAN from trying to forward
the mirrored packets to their real destination MAC addresses. After all, the
purpose of SPAN or RSPAN is to simply mirror or copy interesting frames—not
forward them normally.
An RSPAN-capable switch also floods the RSPAN packets out all of its ports
belonging to the RSPAN VLAN in an effort to send them toward the RSPAN
destination. Intermediate switches have no knowledge of the RSPAN source or
destination; rather, they know only of the RSPAN VLAN itself.
Remote SPAN Configuration
• RSPAN configuration begins with the definition of the special-purpose
RSPAN VLAN. If you configure the RSPAN VLAN on a VTP server, VTP
correctly propagates it to other intermediate switches. If not using VTP, be
sure to configure this VLAN for RSPAN explicitly on each intermediate
switch. Otherwise, the RSPAN packets will not be delivered correctly.
• In addition, if VTP pruning is in use, the RSPAN VLAN will be pruned from
unnecessary trunks, limiting the traffic impact in unrelated areas of the
network. Create and maintain one or more RSPAN VLANs for the special
monitoring purpose only. Set aside one RSPAN VLAN for each RSPAN
session that will be used. Don’t allow any normal hosts to join an RSPAN
VLAN. Define an RSPAN VLAN on each switch between the source and
destination with the following configuration commands:
• Define an RSPAN VLAN on each switch between the source and destination
Switch(config)# vlan vlan-id
Switch(config-vlan)# remote-span
• At the source switch, identify the source and destination
Switch(config)# monitor session session source {interface type mod/num |
vlan vlan-id} [rx | tx | both]
Switch(config)# monitor session session destination remote vlan rspan-vlan-
id
• At the destination switch, identify the RSPAN source and destination
Switch(config)# monitor session session source remote vlan rspan-vlan-id
Switch(config)# monitor session session destination {interface type | vlan
vlan-id}
Here, the roles are reversed. RSPAN packets are pulled from the RSPAN VLAN
and placed onto the destination, which is either a physical switch interface or a
Layer 2 VLAN.
NOTE Be aware that RSPAN traffic can increase the traffic load on a trunk, even
though RSPAN is restricted to one special VLAN within the trunk. If the
additional load is significant, the normal production and the monitored traffic
contend with each other for available bandwidth. As a result, both types of traffic
could suffer.
Also, RSPAN must allow the STP to run on the RSPAN VLAN to prevent
bridging loops from forming. As a result, STP BPDUs are normally sent and
received on the VLAN. You cannot monitor BPDUs with RSPAN.
RSPAN example
In this example, RSPAN is configured on all three switches shown in the figure. The source is connected to Catalyst A port FastEthernet 1/1. The destination is a network analyzer connected to port FastEthernet 4/48 on Catalyst C. Catalyst B simply passes the RSPAN session traffic over VLAN 999, transported by trunk links.
3- The switch must decide WHERE (which egress port) to forward the frame, WHETHER to forward the frame at all, and HOW (under which policy) to forward it; these decisions are made simultaneously by independent portions of the switching hardware.
4- WHERE: the Layer 2 forwarding table (CAM table). The frame's destination MAC address and VLAN ID are used as the index (key) into the CAM to find the egress port and VLAN ID.
5- WHETHER and HOW:
- Security ACLs (VACLs, port security, MAC ACLs, router ACLs) are compiled into the TCAM (Ternary CAM), which yields the decision whether to forward or drop the packet.
- QoS ACLs are also compiled into the TCAM to give a frame a classification, so that it can be marked and placed into the appropriate egress queue.
Multi Layer Switching
(MLS)
-Distributed Switching
The switching decision is made locally on a port level or on
a line card level in case of modular chassis (i.e. catalyst
6500/3550)
• The Catalyst IOS has two software components that build the hardware equivalent of the configuration in the TCAM:
- Feature Manager (FM): after an ACL has been configured, the FM software compiles or merges the ACEs (access control entries) into the TCAM; the TCAM is then consulted at wire speed.
- Switching Database Manager (SDM): the TCAM can be partitioned into areas for different functions, and the SDM configures or tunes the TCAM partitions if needed.
• The TCAM is an extension of the CAM table concept. Recall that a CAM
table takes in an index or key value (usually a MAC address) and looks
up the resulting value (usually a switch port or VLAN ID). Table lookup
is fast and always based on an exact key match consisting of two input
values: 0 and 1 bits, TCAM also uses a table-lookup operation but is
greatly enhanced to allow a more abstract operation. For example,
binary values (0s and 1s) make up a key into the table, but a mask value
also is used to decide which bits of the key are actually relevant. This
effectively makes a key consisting of three input values: 0, 1, and X
(don’t care) bit values—a three-fold or ternary combination.
You can configure a switch to operate based on other SDM templates by
using
Switch(config)# sdm prefer template
The switch must then be rebooted for the new template to take effect.
Tables list the template types along with the number of entries allowed in
each memory partition. Some rows represent the CAM and FIB table spaces.
To get a feel for the SDM templates, notice which function is favored in each
of the template types. The unicast MAC addresses and unicast routes rows
3) FIB
(Forwarding Information Base)
• FIB is used as L3 forwarding table, match condition is
according to longest bit match, not exact match.
• The search key is the destination IP and the result is next-
hop L3 address.
• The L3 engine (Router Processor) maintains routing
information & build the routing table, then the FIB in H/W is
derived from routing table & any change in routing table
updates FIB table, this is done using CEF (Cisco
Express Forwarding)
• CEF runs by default over Catalyst platforms 6500 with
supervisor 720, 6500 with supervisor 2/MSFC 2 combination,
4500 with supervisor III or IV, CEF is also supported on
Fixed-configuration switches, such as the Catalyst 3750,
3560, 3550, 2960 and 2950
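The TCAM description above and the FIB description just before it differ in one point that is easy to miss: both are value/mask lookups, but an ACL takes the first matching entry in configured order, while the FIB takes the entry with the most fixed (mask) bits, that is, the longest prefix. The following added example (not code from the page, from Cisco hardware or from IOS) implements a software TCAM with don't-care bits, compiles constructed ACEs into it, and derives a FIB from a constructed route table; the Tcam/TcamEntry names, the 88-bit key layout and all addresses are assumptions for the illustration.

```python
"""Ternary CAM lookup: ACL entries with don't-care bits, and FIB longest-prefix match.

Added illustration, not Cisco hardware or IOS. The ACL entries, routes and test
packets are constructed; value/mask matching, first-match (ACL) versus
longest-match (FIB) semantics follow the text.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class TcamEntry:
    value: int
    mask: int       # 1 bits must match, 0 bits are X (don't care)
    result: object

    def hits(self, key: int) -> bool:
        return (key & self.mask) == (self.value & self.mask)


class Tcam:
    def __init__(self):
        self.entries: list = []

    def add(self, value: int, mask: int, result) -> None:
        self.entries.append(TcamEntry(value, mask, result))

    def first_match(self, key: int):
        """ACL semantics: entries are ordered and the first hit wins."""
        return next((e.result for e in self.entries if e.hits(key)), None)

    def longest_match(self, key: int):
        """FIB semantics: of all hits, the entry with the most fixed bits wins."""
        hits = [e for e in self.entries if e.hits(key)]
        if not hits:
            return None
        return max(hits, key=lambda e: bin(e.mask).count("1")).result


# ACL key layout (88 bits): src IP | dst IP | protocol | destination port
def packet_key(src: str, dst: str, proto: int, dport: int) -> int:
    return ((int(IPv4Address(src)) << 56) | (int(IPv4Address(dst)) << 24)
            | (proto << 16) | dport)


def ace(action: str, src: str, dst: str, proto: int = None, dport: int = None):
    """Compile one access control entry into (value, mask, action) for the TCAM."""
    s, d = IPv4Network(src), IPv4Network(dst)
    value = (int(s.network_address) << 56) | (int(d.network_address) << 24)
    mask = (int(s.netmask) << 56) | (int(d.netmask) << 24)
    if proto is not None:                 # protocol/port stay X unless specified
        value, mask = value | (proto << 16), mask | (0xFF << 16)
    if dport is not None:
        value, mask = value | dport, mask | 0xFFFF
    return value, mask, action


def fib_from_routes(routes: dict) -> Tcam:
    """Derive a FIB (prefix -> next hop) as a TCAM with one mask per prefix length."""
    fib = Tcam()
    for prefix, next_hop in routes.items():
        n = IPv4Network(prefix)
        fib.add(int(n.network_address), int(n.netmask), next_hop)
    return fib


def lookup_route(fib: Tcam, dst: str):
    return fib.longest_match(int(IPv4Address(dst)))


if __name__ == "__main__":
    acl = Tcam()
    acl.add(*ace("deny", "10.0.0.0/8", "192.168.1.10/32", proto=6, dport=23))
    acl.add(*ace("permit", "10.0.0.0/8", "192.168.1.0/24"))
    acl.add(*ace("deny", "0.0.0.0/0", "0.0.0.0/0"))      # the implicit deny, made explicit
    print("telnet :", acl.first_match(packet_key("10.1.2.3", "192.168.1.10", 6, 23)))
    print("ssh    :", acl.first_match(packet_key("10.1.2.3", "192.168.1.10", 6, 22)))
    fib = fib_from_routes({"0.0.0.0/0": "10.0.0.1", "10.0.0.0/8": "10.0.0.2",
                           "10.1.0.0/16": "10.0.0.3"})
    print("10.1.5.5 ->", lookup_route(fib, "10.1.5.5"), "(longest match, not first)")
```

Running the block shows why ACE order matters and route order does not: the default route is the first FIB entry, and a first-match lookup would send everything to it, whereas longest_match picks the /16. The same property is why a misordered ACL silently permits what a later deny was meant to block.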
Question 2
Answer: A
Question 3
Answer: A
Explanation
CDP runs at Layer 2 so a router running CDP can see a Layer 2 switch that is directly connected
to it, provided that the Layer 2 switch also runs CDP.
Question 4
Answer: B
Explanation
Unlike CDP, Link Layer Discovery Protocol (LLDP) is an open IEEE-standard (802.1AB) Layer 2
protocol used by network devices to share information about their identities and functionality
with other network elements.
Question 5
Answer: A
Explanation
Cisco Discovery Protocol Version 2 provides more intelligent, device-tracking features than
those available in Version 1. One of the features available is an enhanced reporting mechanism
for more rapid error tracking, which helps to reduce network downtime. Errors reported include
mismatched native VLAN IDs (IEEE 802.1Q) on connected ports and mismatched port-duplex
states between connected devices. Messages about reported errors can be sent to the console
or to a logging server.
Question 6
Answer: B
Explanation
Unlike CDP, Link Layer Discovery Protocol (LLDP) is an open IEEE-standard (802.1AB) Layer 2
protocol used by network devices to share information about their identities and functionality
with other network elements.
Question 7
Answer: A
Explanation
Cisco devices send periodic CDP announcements to the multicast destination address 01-00-
0c-cc-cc-cc out each connected network interface. These multicast packets may be received by
Cisco devices. This multicast destination is also used in other Cisco protocols such as VTP.
Question 8
Answer: A
Explanation
The information contained in Cisco Discovery Protocol announcements depends on the device
type and the version of the operating system running on it. The following are examples of the
types of information that can be contained in Cisco Discovery Protocol announcements: +
Cisco IOS XE version running on a Cisco device + Duplex setting + Hardware platform of the
device + Hostname + IP addresses of the interfaces on devices + Interfaces active on a Cisco
device, including encapsulation type + Locally connected devices advertising Cisco Discovery
Protocol + Native VLAN + VTP domain
Cisco Discovery Protocol Version 2 provides more intelligent device tracking features than
Version 1.
Question 9
Answer: A
Explanation
LLDP supports a set of attributes that it uses to discover neighbor devices. These attributes contain type, length, and value descriptions and are referred to as TLVs. LLDP-supported devices can use TLVs to receive and send information to their neighbors. This protocol can advertise details such as configuration information, device capabilities, and device identity. The switch supports these basic management TLVs, which are mandatory LLDP TLVs:
+ Port description TLV
+ System name TLV
+ System description TLV
+ System capabilities TLV
+ Management address TLV
These organizationally specific LLDP TLVs are also advertised to support LLDP-MED:
+ Port VLAN ID TLV (IEEE 802.1 organizationally specific TLV)
+ MAC/PHY configuration/status TLV (IEEE 802.3 organizationally specific TLV)
-> No VTP information is carried in LLDP.
Question 10
Answer: A
Explanation
Cisco Discovery Protocol Version 2 has three additional type, length, values (TLVs): VTP Management
Domain Name, Native VLAN, and full/half-Duplex.
Question 2
Answer: A
Explanation
802.1Q VLAN frames are distinguished from ordinary Ethernet frames by the insertion of a 4-byte VLAN
tag into the Ethernet header.
Question 3
Answer: B
Explanation
Because the 802.1Q tunneling feature increases the frame size by 4 bytes when the metro tag is added, you
must configure all switches in the service-provider network to be able to process maximum frames by
increasing the switch system MTU size to at least 1504 bytes.
Question 4
Answer: B
Explanation
The VLAN ID field inside an 802.1Q tag is 12 bits wide, so there are 2^12 = 4096 possible values in theory. IDs 0 (a priority-tagged frame with no VLAN) and 4095 are reserved by the standard, which leaves 4094 usable VLAN IDs.
Question 5
Answer: B
Explanation
Each access port can be assigned to only one VLAN, via the "switchport access vlan" interface command.
Question 6
Answer: D
Explanation
This command (vlan dot1q tag native) enables tagging of native-VLAN frames on all 802.1Q trunk ports.
Answer A is not correct: even when the native VLAN is left at 1, all native-VLAN frames are tagged once the command is configured.
Answer B is not correct: control traffic still passes over the default VLAN (VLAN 1).
Answer C is not correct: every frame then carries the 4-byte dot1q tag.
Answer D is the best choice because control traffic (CDP, VTP, STP, DTP, ...) uses VLAN 1. When the native VLAN (VLAN 1 by default) is tagged, that control traffic is tagged too. If the native VLAN is not VLAN 1, the control traffic on VLAN 1 is already tagged by default, without this command.
Tagging the native VLAN also removes the untagged-frame ambiguity that double-tagging (VLAN hopping) relies on, so it is a useful hardening step alongside moving the native VLAN to an otherwise unused ID.
Question 2
Answer: A
Explanation
In 802.1Q, the trunking device inserts a 4-byte tag into the original frame and recomputes the frame check
sequence (FCS) before the device sends the frame over the trunk link. At the receiving end, the tag is
removed and the frame is forwarded to the assigned VLAN. 802.1Q does not tag frames on the native
VLAN. It tags all other frames that are transmitted and received on the trunk.
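The tag insertion, FCS recomputation and native-VLAN exception described above, and the 4-byte and 12-bit-VID facts from the VLAN questions earlier, as an added example that is not part of the original book: a small Python model of an 802.1Q trunk port. It builds a frame, tags it, stacks a second (Q-in-Q "metro") tag, and strips it again; the FCS is computed as the IEEE 802.3 CRC-32 via zlib.crc32. The sample frame and MAC addresses are constructed for the demonstration.

```python
import struct
import zlib

TPID_8021Q = 0x8100  # Tag Protocol Identifier that marks an 802.1Q tag


def fcs(frame_body):
    """Ethernet FCS: IEEE 802.3 CRC-32 over the frame, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_body) & 0xFFFFFFFF)


def build_frame(dst, src, ethertype, payload):
    """Untagged frame: dst(6) src(6) type(2) payload FCS(4)."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)


def _checked_body(frame):
    """Return the frame without its FCS, refusing frames whose FCS does not verify."""
    body, trailer = frame[:-4], frame[-4:]
    if fcs(body) != trailer:
        raise ValueError("FCS mismatch: frame corrupted or not FCS-terminated")
    return body


def tag_frame(frame, vlan_id, pcp=0, native_vlan=None):
    """Insert one 4-byte 802.1Q tag after the source MAC and recompute the FCS.
    Frames that belong to the trunk's native VLAN are sent untagged, so they pass unchanged.
    Calling this on an already tagged frame stacks an outer tag (802.1Q tunneling / Q-in-Q)."""
    if not 1 <= vlan_id <= 4094:          # 0 and 4095 are reserved by the standard
        raise ValueError("VLAN ID must be 1..4094")
    if vlan_id == native_vlan:
        return frame
    body = _checked_body(frame)
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)   # PCP(3) DEI(1)=0 VID(12)
    tagged = body[:12] + struct.pack("!HH", TPID_8021Q, tci) + body[12:]
    return tagged + fcs(tagged)


def untag_frame(frame):
    """Strip the outermost tag (receiving end of a trunk). Returns (vlan_id, untagged_frame)."""
    body = _checked_body(frame)
    tpid, tci = struct.unpack_from("!HH", body, 12)
    if tpid != TPID_8021Q:
        raise ValueError("frame carries no 802.1Q tag")
    stripped = body[:12] + body[16:]
    return tci & 0x0FFF, stripped + fcs(stripped)


def parse_tags(frame):
    """Walk the stacked tags (outer first). Returns (list_of_vlan_ids, inner_ethertype)."""
    vids, offset = [], 12
    while True:
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype != TPID_8021Q:
            return vids, etype
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)
        offset += 4


# Constructed sample: a broadcast ARP-sized frame from a host in VLAN 100
SAMPLE_FRAME = build_frame(b"\xff" * 6, bytes.fromhex("001122334455"), 0x0806, b"\x00" * 46)

if __name__ == "__main__":
    on_trunk = tag_frame(SAMPLE_FRAME, 100, pcp=5)
    print(len(SAMPLE_FRAME), "->", len(on_trunk), "bytes; tags:", parse_tags(on_trunk))
    metro = tag_frame(on_trunk, 200)   # provider switch adds its own outer tag
    print("Q-in-Q tags:", parse_tags(metro), "size:", len(metro))
    print("native VLAN passes untouched:", tag_frame(SAMPLE_FRAME, 1, native_vlan=1) == SAMPLE_FRAME)
```

Each tag grows the frame by 4 bytes, which is exactly why a provider switch carrying customer-tagged frames needs its system MTU raised to 1504 for one extra tag, as the 802.1Q tunneling question states.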
Question 3
Answer: C
Explanation
802.1Q is an IEEE industry-standard method of carrying traffic for multiple VLANs across a single trunk interface between two Ethernet switches. 802.1Q applies to Ethernet networks only.
Question 4
Answer: C
Explanation
We can use the "switchport trunk allowed vlan" command to specify which VLANs are allowed across the trunk. Frames of all other VLANs are dropped.
Question 5
Answer: A B
Explanation
Manually configuring trunking with the "switchport mode trunk" command, or manually configuring access interfaces with the "switchport mode access" command, prevents auto trunking on that interface.
Disabling DTP with "switchport nonegotiate", so that DTP messages are not advertised out of the interface, is also a good way to prevent auto trunking. The two belong together: a port left in the default dynamic mode will form a trunk with any attached device that speaks DTP, giving that device access to every VLAN the trunk carries.
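An added example, not part of the original book, that turns the hardening advice of this question and of the native-VLAN question above into a check a practitioner can run against a saved "show running-config": it splits the configuration into interface stanzas and flags ports that still negotiate with DTP, trunks that still send DTP frames, and trunks left with the default native VLAN or with every VLAN allowed. The sample configuration is constructed for the demonstration; the severity labels and the assumption that a port with no "switchport mode" line negotiates (dynamic auto on current Catalyst IOS switches, dynamic desirable on the older 2950/3550) are mine.

```python
import re

INTERFACE_RE = re.compile(r"^interface (\S+)$")


def parse_interfaces(config):
    """Split an IOS running-config into {interface_name: [stanza lines]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        match = INTERFACE_RE.match(line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None          # '!' or a global command ends the stanza
    return interfaces


def audit_dtp(config):
    """Return (interface, severity, message) findings for ports exposed to auto trunking."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if not any(l.startswith("switchport") for l in lines):
            continue                 # routed port or SVI: DTP does not apply
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        nonegotiate = "switchport nonegotiate" in lines
        if mode is None:
            # Assumption: factory default is a dynamic mode, so the port answers DTP
            findings.append((name, "HIGH", "no switchport mode set: port negotiates trunking "
                                           "with DTP (dynamic auto/desirable by default)"))
        elif mode == "dynamic":
            findings.append((name, "HIGH", "switchport mode dynamic: an attached device can "
                                           "negotiate a trunk and reach every VLAN"))
        elif mode == "trunk":
            if not nonegotiate:
                findings.append((name, "MEDIUM", "trunk still transmits DTP: add switchport nonegotiate"))
            if not any(l.startswith("switchport trunk native vlan") for l in lines):
                findings.append((name, "LOW", "native VLAN left at 1: move it to an unused VLAN "
                                              "or enable vlan dot1q tag native"))
            if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
                findings.append((name, "LOW", "all VLANs allowed: prune with switchport trunk allowed vlan"))
        elif mode == "access" and not nonegotiate:
            findings.append((name, "LOW", "access port still transmits DTP: add switchport nonegotiate"))
    return findings


# Constructed sample configuration (not from any real device)
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description hardened user port
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description user port left at factory defaults
 switchport access vlan 10
!
interface GigabitEthernet1/0/3
 switchport mode dynamic desirable
!
interface GigabitEthernet1/0/23
 description uplink, trunk but DTP still on
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/24
 description hardened uplink
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
interface Vlan1
 no ip address
 shutdown
"""

if __name__ == "__main__":
    for interface, severity, message in audit_dtp(SAMPLE_CONFIG):
        print(f"{severity:6s} {interface:24s} {message}")
```

Only GigabitEthernet1/0/1 and 1/0/24 come out clean; the uplink on 1/0/23 is a working trunk but still answers DTP and carries VLAN 1 untagged, which is the combination the VLAN hopping discussion above warns about.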
Question 6
Answer: C F
Question 8
Answer: A
Explanation
We can use the "switchport trunk allowed vlan" command to specify which VLANs are allowed across the trunk. Frames of all other VLANs are dropped.
Question 2
Answer: B
Explanation
VTP version 1 and version 2 support VLANs 1 to 1000 only. Extended-range VLANs are supported only in
VTP version 3. If converting from VTP version 3 to VTP version 2, VLANs in the range 1006 to 4094 are
removed from VTP control.
Question 3
Answer: C
Explanation
VTP pruning makes more efficient use of trunk bandwidth by forwarding broadcast and unknown-unicast frames of a VLAN only if the switch on the receiving end of the trunk has ports in that VLAN. In the question's example, the Server switch does not send the broadcast frame to Sw2 because Sw2 has no ports in VLAN 10.
Question 4
Answer: A
Explanation
Switch C receives VLAN information that originates from Switch A, and Switch B forwards it to Switch C without updating its own VLAN database -> Switch B is in VTP transparent mode.
Question 5
Answer: D
Explanation
VTP updates can only be forwarded on trunk links.
Question 6
Answer: B
Explanation
VTP version 1 and version 2 support VLANs 1 to 1000 only. Extended-range VLANs are supported only in
VTP version 3. If converting from VTP version 3 to VTP version 2, VLANs in the range 1006 to 4094 are
removed from VTP control.
Question 7
Answer: C
Explanation
VTP Pruning makes more efficient use of trunk bandwidth by forwarding broadcast and unknown unicast
frames on a VLAN only if the switch on the receiving end of the trunk has ports in that VLAN
Question 8
Answer: B
Explanation
VTP version 1 and version 2 support VLANs 1 to 1000 only. Extended-range VLANs are supported only
in VTP version 3. If converting from VTP version 3 to VTP version 2, VLANs in the range 1006 to 4094
are removed from VTP control.
Question 9
Answer: C
Explanation
If a VTP client or server with a null (empty) domain name receives a VTP message with the domain populated, it adopts the domain of the received message and adds the applicable VLANs to its database. This is why a switch should be given its VTP domain name and password, or be put in transparent mode, before it is cabled into the network.
Question 10
Answer: D
Explanation
VTP version 1 and version 2 support VLANs 1 to 1000 only. Extended-range VLANs are supported only
in VTP version 3. If converting from VTP version 3 to VTP version 2, VLANs in the range 1006 to 4094
are removed from VTP control.
Question 11
Answer: C
Explanation
VTP pruning still applies only to VLANs 1 to 1005, and VLANs 1002 to 1005 are still reserved and
cannot be modified.
Question 12
Answer: A
Explanation
VTP Pruning makes more efficient use of trunk bandwidth by forwarding broadcast and unknown unicast
frames on a VLAN only if the switch on the receiving end of the trunk has ports in that VLAN
Question 13
Answer: C
Explanation
In client mode we cannot create VLANs, and Switch1 has no trunk links, so it cannot receive any VTP updates either. No answer offers configuring trunk links, so we have to choose "change VTP mode to server and enable 802.1q". This is a risky solution, though: once trunks come up, a server whose configuration revision number is higher than the domain's overwrites the VLAN database of every other switch via VTP. Reset the revision to 0 first (for example by changing the VTP domain name and back, or by switching to transparent mode and back) before such a switch joins the domain.
Question 14
Answer: C
Explanation
From the output we see that the Company A switch cannot receive VTP updates from the Company B switch. Therefore we should check the trunk link connecting the two switches; manually forcing trunking with "switchport mode trunk" on both ends may be a good solution.
VTP Answers
Question 15
Answer: A
Explanation
VTP Pruning makes more efficient use of trunk bandwidth by forwarding broadcast and unknown unicast
frames on a VLAN only if the switch on the receiving end of the trunk has ports in that VLAN
Question 16
Answer: C
Explanation
VLANs 2 through 1001 are pruning-eligible by default, but VLAN 1 has a special meaning: it is normally used as the management VLAN and is never eligible for pruning. The only way to remove VLAN 1 from a trunk is the "switchport trunk allowed vlan remove 1" command. Even when VLAN 1 is removed from a trunk port, the interface continues to send and receive management traffic in VLAN 1, for example Cisco Discovery Protocol (CDP), Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), DTP, and VTP.
The benefit of clearing VLAN 1 is that user data can no longer travel across the trunk in this VLAN; BPDU traffic for VLAN 1 is also blocked on that trunk.
Note: The Cisco IOS-based Catalyst 2900XL/3500XL switches do not allow you to clear VLAN 1 from a trunk; the Catalyst 2950/3550, Cisco IOS 4000/4500, and native IOS 6000/6500 switches do allow it.
Question 17
Answer: C
Question 2
Answer: A
Explanation
To form an Etherchannel both sides must use the same Etherchannel protocol (LACP or PAgP).
Question 3
Answer: E
Explanation
In this case the EtherChannel bundle was configured to load-balance based on the destination IP address
but there is only one web server (means one destination IP address). Therefore only one of the
EtherChannel links is being utilized to reach the web server. To solve this problem we should configure
load-balancing based on source IP address so that traffic to the web server would be shared among the
links in the EtherChannel bundle with different hosts.
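An added example, not part of the original book, that reproduces the polarization described in this question and lets you try the other methods listed for "port-channel load-balance" further down: eight clients talk to a single web server over a 4-link bundle, and each load-balancing method is run over the same flows. The hash is a simplified model (stated as an assumption in the code): the switch keeps the low-order bits of the selected field, XORing source and destination for the src-dst variants; the real hash is platform-specific, but the effect of a single destination address is the same. Flows, addresses and port numbers are constructed.

```python
import ipaddress
from collections import Counter

METHODS = ("src-mac", "dst-mac", "src-dst-mac", "src-ip", "dst-ip", "src-dst-ip",
           "src-port", "dst-port", "src-dst-port")


def _mac_int(mac):
    return int(mac.replace(":", "").replace(".", ""), 16)


def _ip_int(ip):
    return int(ipaddress.ip_address(ip))


def _hash_input(flow, method):
    """The field(s) the configured method feeds into the hash; src-dst variants XOR the pair."""
    parts = {
        "mac": (_mac_int(flow["src_mac"]), _mac_int(flow["dst_mac"])),
        "ip": (_ip_int(flow["src_ip"]), _ip_int(flow["dst_ip"])),
        "port": (flow["src_port"], flow["dst_port"]),
    }
    direction, _, field = method.rpartition("-")   # "src-dst-ip" -> ("src-dst", "ip")
    src, dst = parts[field]
    return {"src": src, "dst": dst, "src-dst": src ^ dst}[direction]


def select_link(flow, method, n_links):
    """Member link (0-based) that every frame of this flow is sent on.
    Assumption (simplified model): the low-order bits of the hash input pick the link,
    1/2/3 bits for 2/4/8 links; bundles that are not a power of two fold the buckets
    with a modulo, which is why such bundles load their links unevenly."""
    if method not in METHODS:
        raise ValueError(f"unknown method {method!r}; expected one of {METHODS}")
    if not 1 <= n_links <= 8:
        raise ValueError("an EtherChannel bundles 1 to 8 links")
    bits = (n_links - 1).bit_length()
    return (_hash_input(flow, method) & ((1 << bits) - 1)) % n_links


def distribution(flows, method, n_links):
    """How many of the given flows land on each member link."""
    hits = Counter(select_link(flow, method, n_links) for flow in flows)
    return [hits.get(i, 0) for i in range(n_links)]


# Constructed sample: eight clients 10.1.1.10-17 behind the switch, one web server 10.1.2.100
SAMPLE_FLOWS = [
    {"src_mac": f"0011.2233.44{i:02x}", "dst_mac": "00aa.bbcc.ddee",
     "src_ip": f"10.1.1.{i}", "dst_ip": "10.1.2.100",
     "src_port": 40000 + i, "dst_port": 80}
    for i in range(10, 18)
]

if __name__ == "__main__":
    for method in ("dst-ip", "src-ip", "src-dst-ip", "dst-mac", "src-port"):
        print(f"{method:12s} over 4 links: {distribution(SAMPLE_FLOWS, method, 4)}")
```

With dst-ip every flow hashes to the same link because the only destination is the server; src-ip or src-dst-ip spreads the clients across all four. The same reasoning applies to the troubleshooting question about the Server_Switch later on, where src-mac was the culprit.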
Question 4
Answer: C
Question 5
Answer: B
Explanation
If one end is passive and the other end is active, the EtherChannel forms even though the two sides use different LACP modes and different load-balancing methods; the load-balancing method is a local decision on each switch. Switch1 will load-balance based on destination IP while Switch2 will load-balance based on source MAC address.
Question 6
Answer: D
Explanation
When storm control is configured on an EtherChannel, the storm control settings propagate to the
EtherChannel physical interfaces. In the “show etherchannel” command output, The storm control
settings appear on the EtherChannel but not on the physical port of the channel.
Note: You cannot configure storm control on the individual ports of that EtherChannel.
Question 7
Answer: A
Explanation
Issue the port-channel load-balance {src-mac | dst-mac | src-dst-mac | src-ip | dst-ip | src-dst-ip | src-
port | dst-port | src-dst-port | mpls} global configuration command in order to configure the load
balancing.
Question 9
Answer: A
For “on” mode, the link aggregation is forced to be formed without any PAgP negotiation. A port-channel is
formed only if the peer port is also in “on” mode.
Question 10
Answer: B
Explanation
Interfaces Fa0/13 to Fa0/15 are bundled into Port-channel 12 and it is running with “desirable” mode -> it is
using PAgP.
Question 11
Answer: C
Explanation
From the output we see currently the Server_Switch is load balancing via source MAC address. By changing
load-balance to another method the problem can be solved. In this case C is the best choice because other
answers are surely incorrect.
Question 12
Answer: A
Explanation
Configuration changes applied to the port-channel interface apply to all the physical ports assigned to the port-channel interface. Configuration changes applied to a physical port affect only the port where you apply the configuration. To change the parameters of all ports in an EtherChannel, apply configuration commands to the port-channel interface, for example spanning-tree commands or the commands that configure a Layer 2 EtherChannel as a trunk.
Note: If we change the parameters on only one physical port of the port-channel, the port-channel may go down because of a parameter mismatch. For example, if you configure "switchport trunk allowed vlan ..." on a physical port only, the port-channel will go down.
Question 14
Answer: A
Explanation
From the last line of the output, we learn physical ports Fa0/13, Fa0/14, and Fa0/15 are bundled into
Port-channel 1 and use LACP which is an open standard protocol.
Question 15
Answer: C
Explanation
The EtherChannel provides full-duplex bandwidth up to 800 Mbps (Fast EtherChannel) or 8 Gbps (Gigabit
EtherChannel) between your switch and another switch or host. Therefore if we have 10 Gigabit Ethernet
connections, only 8 links will be used.
Question 16 .
Answer: C
Explanation
Multichassis LACP (mLACP) is also supported on the 7600 and ASR 9000 series -> A is not correct.
mLACP does not support Fast Ethernet; it is limited to Gigabit Ethernet links (see the restrictions below) -> B is not correct.
VSS mode does not support the "mLACP for server access" feature, but mLACP itself is available in Virtual Switching Systems (VSS). In the combination shown in the question's figure, the mLACP port channel spans the two chassis of a VSS. The two chassis are connected by a Virtual Switch Link (VSL), a special link that carries control and data traffic between the two chassis of a VSS; in this case the VSL is itself an EtherChannel with two links.
Cisco's documented restrictions are:
+ mLACP does not support Fast Ethernet.
+ mLACP does not support half-duplex links.
+ mLACP does not support multiple neighbors.
+ Converting a port channel to mLACP can cause a (short) service disruption -> D is not correct.
STP Answers
Question 1
Answer: A
Explanation
To view the spanning-tree status of a specific VLAN, use the "show spanning-tree vlan <vlan-id>" command. The question includes an example of the output of this command.
Question 2
Answer: C
Explanation
SW3 needs to block one of its two ports to SW2 to avoid a bridging loop between the two switches. How does SW3 select the port to block? Based on the BPDUs it receives from SW2. One BPDU is superior to another if it has, compared in this order:
1. A lower Root Bridge ID
2. A lower path cost to the Root
3. A lower Sending Bridge ID
4. A lower Sending Port ID
In this specific case, all the BPDUs sent by SW2 carry the same Root Bridge ID, the same path cost to the Root and the same Sending Bridge ID. The only parameter left to pick the best one is the Sending Port ID (Port ID = port priority + port index). The lower the port-priority value, the higher the priority of that port. Therefore we must give SW2's F1/1 a lower port priority than Fa1/0. Zero is the lowest value we can assign (the value must be a multiple of 16 between 0 and 240), so we assign it to SW2 F1/1 and leave Fa1/0 at a higher value. The commands to complete this task:
SW2(config)#interface f1/1
SW2(config-if)#spanning-tree vlan <vlan-id> port-priority 0
Note: If we do not change the port priority, SW3 compares the port index values, which are unique to each port on the switch. Because Fa1/0 has the lower index, its Port ID is the better one, so SW3 selects Fa1/0 as its root port and blocks Fa1/1.
Question 3
Answer: D
Explanation
After powering on, the switches start sending BPDUs to elect a root bridge. One BPDU is superior to another if it has, compared in this order:
1. A lower Root Bridge ID
2. A lower path cost to the Root
3. A lower Sending Bridge ID
4. A lower Sending Port ID
From the output we learn that SW1 is the root bridge for VLAN 1 (from the "This bridge is the root" line). SW1 shows a "Bridge ID Priority" of 1 because SW1 has been configured with a switch priority value of 0, the lowest (best) possible value. With the extended system ID, the VLAN number is added to the configured priority, so the displayed value for VLAN 1 is 0 + 1 = 1.
Question 4
Answer: D
Explanation
On receiving BPDUs from upstream bridges, the switch adds the cost of the receiving port to the root path cost carried in each BPDU and chooses the lowest total as its root port -> the total cost via Fa0/21 is the smallest, so it is chosen as the root port.
Question 5
Answer: C
Explanation
PortFast is often configured on switch ports that connect to hosts. Interfaces with PortFast enabled go to the forwarding state immediately, without passing through the listening and learning states, which saves the two 15-second forward-delay periods (about 30 seconds). Never enable it on ports toward other switches, and pair it with BPDU guard so that a switch appearing on a host port is err-disabled instead of joining the topology. To enable this feature, configure this command under interface mode:
Switch(config-if)#spanning-tree portfast
Question 6
Answer: A
Explanation
The ―spanning-tree portfast bpdufilter default‖ command enables BPDU filtering on Portfast-enabled
interfaces. This command prevents interfaces that are in a Portfast-operational state from sending BPDUs. If
a BPDU is received on a Port Fast-enabled interface, the interface loses its Portfast-operational status, and
BPDU filtering is disabled.
In conclusion, the above command affects only ports that were configured with PortFast. It stops those ports from sending BPDUs (normally PortFast interfaces still send BPDUs), but if such a port receives a BPDU, it disables both BPDU filtering and PortFast on that port and the port falls back to normal STP operation.
Question 7
Answer: D
Explanation
Root guard does not allow the port to become an STP root port, so the port is always STP-designated. If a superior BPDU arrives on this port, root guard ignores it rather than electing a new STP root. Instead, root guard puts the port into the root-inconsistent STP state, which is equivalent to the listening state: no traffic is forwarded across the port. The port recovers on its own once the superior BPDUs stop arriving.
Question 9
Answer: D
Explanation
UplinkFast is a Cisco-specific feature that improves the convergence time of the Spanning Tree Protocol (STP) when an uplink fails. UplinkFast is designed for a switched environment in which the switch has at least one alternate/backup root port (a port in the blocking state), which is why Cisco recommends enabling UplinkFast only on switches with blocked ports, typically at the access layer.
For example, in the topology shown in the question: suppose S1 is the root bridge. S3 is connected to S1 via two paths, one direct and one through S2. If the port directly connected to S1 is the root port, the port connected to S2 is in the Blocking state. If the primary link goes down, the blocked port needs up to 50 seconds (max-age plus the two forward-delay periods) to move from Blocking -> Listening -> Learning -> Forwarding before it can be used; even when the failure is detected immediately, the two forward-delay periods still cost 30 seconds.
To shorten the downtime, UplinkFast can be used: when the primary (root) link fails, the blocked link is brought to forwarding immediately. When UplinkFast is enabled, it is enabled for the entire switch and all VLANs; it cannot be enabled for individual VLANs.
Question 10
Answer: A B
Explanation
Every non-root bridge needs to elect a root port. The election of root port is as follows:
1) Based on lowest cost path to the root bridge 2) Then based on lowest upstream Bridge ID (Bridge ID =
Bridge Priority + MAC) 3) Then based on lowest upstream Port ID (Port ID = Port Priority + Port Index)
Therefore we can use STP cost and port-priority to select the root port.
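The four-field BPDU comparison and root-port election described in this question and in questions 2, 3 and 4 above, as an added example that is not part of the original book: Python helpers that build Bridge IDs (extended system ID, so the displayed priority is priority + VLAN, as in question 3) and Port IDs, rank BPDUs in the standard order, and choose a root port after adding the local port cost. The scenario values (SW2 relaying the root's BPDUs to SW3 over two parallel FastEthernet links, cost 19 each) are constructed to match question 2; MAC addresses are made up.

```python
from dataclasses import dataclass


def bridge_id(priority, vlan, mac):
    """64-bit Bridge ID with extended system ID: (priority + VLAN) in the top 16 bits, MAC below.
    The configured priority must be a multiple of 4096 (0..61440)."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("bridge priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be 1..4094")
    return ((priority + vlan) << 48) | int(mac.replace(".", "").replace(":", ""), 16)


def displayed_priority(priority, vlan):
    """The 'Priority' value 'show spanning-tree vlan <id>' prints for a bridge."""
    return priority + vlan


def port_id(port_priority, port_index):
    """16-bit Port ID: priority (multiple of 16, 0..240) in the high 4 bits, port index in the low 12."""
    if port_priority % 16 or not 0 <= port_priority <= 240:
        raise ValueError("port priority must be a multiple of 16 between 0 and 240")
    return ((port_priority // 16) << 12) | (port_index & 0x0FFF)


@dataclass(frozen=True)
class Bpdu:
    root_id: int          # Bridge ID the sender believes is the root
    root_path_cost: int   # sender's cost to that root
    sender_id: int        # sender's own Bridge ID
    sender_port_id: int   # Port ID of the port the sender transmitted on

    def key(self):
        return (self.root_id, self.root_path_cost, self.sender_id, self.sender_port_id)


def is_superior(a, b):
    """a beats b if it is lower in the first field that differs: root ID, path cost, sender ID, sender port ID."""
    return a.key() < b.key()


def select_root_port(received):
    """received: {local_port_name: (bpdu heard on it, cost of that local port, local Port ID)}.
    Adds the local port cost to each BPDU's path cost, then compares in the standard order;
    the receiving port's own Port ID is the final tie-breaker."""
    def rank(item):
        bpdu, cost, local_pid = item[1]
        return (bpdu.root_id, bpdu.root_path_cost + cost, bpdu.sender_id, bpdu.sender_port_id, local_pid)
    return min(received.items(), key=rank)[0]


# Constructed scenario for question 2: SW1 (priority 0) is the root, SW2 relays its BPDUs,
# SW3 hears SW2 on Fa1/0 and Fa1/1 (cost 19 each) and must pick one root port.
ROOT = bridge_id(0, 1, "0000.0000.0001")
SW2 = bridge_id(32768, 1, "0000.0000.0002")


def sw3_root_port(sw2_fa11_port_priority=128):
    """Which SW3 port becomes root port, given the port-priority SW2 applied to its Fa1/1."""
    heard = {
        "Fa1/0": (Bpdu(ROOT, 19, SW2, port_id(128, 1)), 19, port_id(128, 1)),
        "Fa1/1": (Bpdu(ROOT, 19, SW2, port_id(sw2_fa11_port_priority, 2)), 19, port_id(128, 2)),
    }
    return select_root_port(heard)


if __name__ == "__main__":
    print("priority shown for the VLAN 1 root:", displayed_priority(0, 1))
    print("default tie-break on port index picks:", sw3_root_port())
    print("after 'spanning-tree vlan 1 port-priority 0' on SW2 Fa1/1:", sw3_root_port(0))
```

The same select_root_port call reproduces question 4: feed it the BPDU cost plus the cost of each uplink and the smallest total wins, whatever the port priorities are.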
Question 11
Answer: D
Explanation
PortFast is often configured on switch ports that connect to hosts. Interfaces with PortFast enabled go to the forwarding state immediately, without passing through the listening and learning states, which saves the two 15-second forward-delay periods (about 30 seconds). To enable this feature, configure this command under interface mode:
Switch(config-if)#spanning-tree portfast
UDLD Answers
Question 1
Answer: A
Explanation
UDLD is a Layer 2 protocol that enables devices connected through fiber-optic or twisted-pair
Ethernet cables to monitor the physical configuration of the cables and detect when a unidirectional
link exists. All connected devices must support UDLD for the protocol to successfully identify and
disable unidirectional links. When UDLD detects a unidirectional link, it administratively shuts
down the affected port and alerts you. Unidirectional links can cause a variety of problems,
including spanning-tree topology loops.
Question 2
Answer: A
Explanation
A unidirectional link occurs whenever traffic sent by a local device is received by its neighbor but
traffic from the neighbor is not received by the local device.
UDLD supports two modes of operation: normal (the default) and aggressive. In normal mode,
UDLD can detect unidirectional links due to misconnected interfaces on fiber-optic connections. In
aggressive mode, UDLD can also detect unidirectional links due to one-way traffic on fiber-optic
and twisted pair links and to misconnected interfaces on fiber-optic links.
Question 3
Answer: B
Explanation
When a unidirectional link is detected, UDLD puts that port into the errdisable state (equivalent to a shutdown). The administrator must manually shut / no shut the interface to bring it up again. If we want the interface to recover automatically, configure errdisable recovery for the UDLD cause. For example:
(config)#errdisable recovery cause udld
(config)#errdisable recovery interval 30
With this configuration the port is brought back up after 30 seconds; if the violation is still present it is placed in errdisable again, otherwise it stays up. Keep the interval long enough that a persistently broken link does not flap in and out of the spanning-tree topology every few seconds.
Question 4
Answer: B
Explanation
UDLD aggressive mode is disabled by default. Configure UDLD aggressive mode only on point-to-
point links between network devices that support UDLD aggressive mode. With UDLD aggressive
mode enabled, when a port on a bidirectional link that has a UDLD neighbor relationship established
stops receiving UDLD packets, UDLD tries to reestablish the connection with the neighbor. After
eight failed retries, the port is disabled.
Question 5
Answer: A
Storm control Answers
Question 1
Answer: C D F
Explanation
Storm control prevents traffic on a LAN from being disrupted by a broadcast, multicast, or unicast storm on
one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic
and degrading network performance. Errors in the protocol-stack implementation, mistakes in network
configurations, or users issuing a denial-of-service attack can cause a storm. Storm control (or traffic
suppression) monitors packets passing from an interface to the switching bus and determines if the packet
is unicast, multicast, or broadcast. The switch counts the number of packets of a specified type received
within the 1-second time interval and compares the measurement with a predefined suppression-level
threshold.
Storm control uses one of these methods to measure traffic activity: + Bandwidth as a percentage of the
total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic + Traffic
rate in packets per second at which broadcast, multicast, or unicast packets are received + Traffic rate in bits
per second at which broadcast, multicast, or unicast packets are received
With each method, the port blocks traffic when the rising threshold is reached. The port remains blocked
until the traffic rate drops below the falling threshold (if one is specified) and then resumes normal
forwarding. If the falling suppression level is not specified, the switch blocks all traffic until the traffic rate
drops below the rising suppression level. In general, the higher the level, the less effective the protection
against broadcast storms.
The command "storm-control broadcast level 75 65" limits broadcast traffic to 75% of the bandwidth (75% is the rising threshold). The port starts forwarding broadcast traffic again when the rate drops below 65% of the bandwidth (65% is the falling threshold).
Note: If you do not configure the falling threshold, it takes the same value as the rising threshold.
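The rising/falling hysteresis and the shutdown and trap actions described in this and the following storm-control answers, as an added example that is not part of the original book: a per-second simulation of one port under "storm-control broadcast level 75 65". The load samples are constructed; the model compares each 1-second measurement against the thresholds exactly as the explanation states, blocks at the rising level, resumes below the falling level, and with the shutdown action leaves the port err-disabled until an operator or errdisable recovery intervenes.

```python
def storm_control(samples, rising, falling=None, actions=()):
    """Simulate 'storm-control broadcast level <rising> [<falling>]' on one port.
    samples: measured broadcast load per 1-second interval, as a percentage of port bandwidth.
    actions: any of "shutdown" and "trap", as set with 'storm-control action'.
    Returns (trace, traps): trace is [(second, load, port_state)], traps counts SNMP traps raised."""
    if falling is None:
        falling = rising   # IOS default: without a falling level, resume only below the rising level
    if not 0 <= falling <= rising <= 100:
        raise ValueError("need 0 <= falling <= rising <= 100")
    state, traps, trace = "forwarding", 0, []
    for second, load in enumerate(samples):
        if state == "err-disabled":
            pass   # shutdown action: stays down until shut/no shut or errdisable recovery
        elif state == "forwarding" and load >= rising:
            state = "err-disabled" if "shutdown" in actions else "blocked"
            if "trap" in actions:
                traps += 1
        elif state == "blocked" and load < falling:
            state = "forwarding"
        trace.append((second, load, state))
    return trace, traps


def port_states(samples, rising, falling=None, actions=()):
    """Just the per-second port state, to read the hysteresis at a glance."""
    trace, _ = storm_control(samples, rising, falling, actions)
    return [state for _, _, state in trace]


# Constructed sample: a broadcast storm that peaks at 80% of the port and slowly subsides
SAMPLE_LOAD = [10, 80, 70, 60, 50, 10]

if __name__ == "__main__":
    print("level 75 65       :", port_states(SAMPLE_LOAD, 75, 65))
    print("level 75 (no fall):", port_states(SAMPLE_LOAD, 75))
    print("action shutdown   :", port_states(SAMPLE_LOAD, 75, 65, actions=("shutdown", "trap")))
```

Compare the second and third seconds of the first two runs: with an explicit falling level of 65 the port stays blocked while the load sits at 70, whereas without one it resumes as soon as the load dips under 75, so a storm hovering just below the rising level keeps toggling the port.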
Question 2
Answer: A
Explanation
By using the "storm-control broadcast level <rising-threshold> [falling-threshold]" interface command we can limit the broadcast traffic on that port.
Question 3
Answer: A
Question 4
Answer: A
Explanation
The command “storm-control action {shutdown | trap} ” specifies the action to be taken when a storm is
detected. The default is to filter out the traffic and not to send traps. + Select the shutdown keyword to
error-disable the port during a storm. + Select the trap keyword to generate an SNMP trap when a storm is
detected.
Question 2
Answer: A
Explanation
RSTP is backward compatible with STP 802.1D. If a RSTP enabled port receives a (legacy) 802.1d BPDU, it
will automatically configure itself to behave like a legacy port. It sends and receives 802.1d BPDUs only.
MST Questions
Question 3
Answer: C
Explanation
Instead of using Per-VLAN Spanning Tree (PVST) or Rapid PVST, which run a separate STP instance for each active VLAN (20 instances for 20 VLANs), Multiple Spanning Tree (MST) maps multiple VLANs onto one spanning-tree instance, thereby reducing the number of spanning-tree instances needed. MST also reduces the switch resources consumed and the administrative burden.
Question 4
Answer: C
Explanation
Besides two MST instances 1 & 2, Instance 0 is a special instance for a region, known as the Internal
Spanning Tree (IST). The IST always exists on all ports; you cannot delete the IST. By default, all VLANs
are assigned to the IST. All other MST instances are numbered from 1 to 4094. The IST is the only STP
instance that sends and receives BPDUs. All of the other MSTI information is contained in MST records (M-
records), which are encapsulated within MST BPDUs.
Question 2
Answer: C
Question 3
Answer: A
Explanation
The switch learns which port a host is attached to by examining the source MAC address of frames received on a port. For example, if the switch receives a frame with source MAC 0000.0000.aaaa (abbreviated "aaaa") on port Fa0/1, it populates its MAC address table with an entry like "host aaaa on Fa0/1". If the switch then receives a frame with the same "aaaa" source MAC on Fa0/2, the entry moves (flaps) and the switch logs something like this:
%MAC_MOVE-SP-4-NOTIF: Host 0000.0000.aaaa in vlan 1 is flapping between port 0/1 and port 0/2
This flapping may be the result of a Layer 2 loop somewhere in the network, especially when STP has been disabled for some reason. It can also be a sign of MAC spoofing, a host on Fa0/2 claiming the address of the host on Fa0/1, so treat unexplained flaps as a security signal and not only as a loop symptom.
If you do not want to see this message, issue "no mac-address-table notification mac-move", or pin the host with a static entry: "mac-address-table static 0000.0000.aaaa vlan 1 interface fa0/1". A static entry also stops the address from being relearned on any other port.
The command "mac-address-table notification mac-move" is disabled by default on the 6500 and 7600 series but enabled by default on other series.
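The learning and MAC-move behaviour described above, as an added example that is not part of the original book: a small model of the MAC address table that learns source addresses per port, raises a MAC_MOVE-style notification when an address keeps moving, and honours static entries (which are never relearned elsewhere, as the text says). The flap threshold and time window are assumptions of this model, not documented switch internals; the frames are constructed.

```python
from collections import defaultdict, deque


class MacTable:
    """Minimal model of a switch MAC address table with MAC-move (flap) notification.

    Assumption for this model: a MAC that moves between ports at least `flap_threshold`
    times within `window` seconds is reported as flapping. The real threshold and timer
    are platform internals and are not stated on the page."""

    def __init__(self, flap_threshold=3, window=10.0):
        self.flap_threshold = flap_threshold
        self.window = window
        self.entries = {}                 # (vlan, mac) -> {"port": str, "static": bool}
        self.moves = defaultdict(deque)   # (vlan, mac) -> timestamps of recent moves
        self.notifications = []           # syslog-style messages

    def add_static(self, vlan, mac, port):
        """'mac-address-table static <mac> vlan <vlan> interface <port>': pinned, never relearned."""
        self.entries[(vlan, mac)] = {"port": port, "static": True}
        self.moves.pop((vlan, mac), None)

    def learn(self, vlan, mac, ingress_port, now):
        """Process a frame with this source MAC seen on ingress_port at time `now` (seconds).
        Returns the port the table maps the MAC to afterwards."""
        key = (vlan, mac)
        entry = self.entries.get(key)
        if entry and entry["static"]:
            return entry["port"]              # static entries win: no move, no notification
        if entry and entry["port"] != ingress_port:
            recent = self.moves[key]
            recent.append(now)
            while recent and now - recent[0] > self.window:
                recent.popleft()              # forget moves outside the window
            if len(recent) >= self.flap_threshold:
                self.notifications.append(
                    f"%MAC_MOVE-SP-4-NOTIF: Host {mac} in vlan {vlan} is flapping "
                    f"between port {entry['port']} and port {ingress_port}")
                recent.clear()
        self.entries[key] = {"port": ingress_port, "static": False}
        return ingress_port

    def port_of(self, vlan, mac):
        entry = self.entries.get((vlan, mac))
        return entry["port"] if entry else None


# Constructed sample: a loop (or a spoofer) makes 0000.0000.aaaa appear on two ports alternately,
# while 0000.0000.bbbb is a laptop that legitimately moved once, fifteen minutes later.
SAMPLE_FRAMES = [
    (0.0, 1, "0000.0000.aaaa", "Fa0/1"),
    (0.5, 1, "0000.0000.aaaa", "Fa0/2"),
    (1.0, 1, "0000.0000.aaaa", "Fa0/1"),
    (1.5, 1, "0000.0000.aaaa", "Fa0/2"),
    (2.0, 1, "0000.0000.bbbb", "Fa0/3"),
    (900.0, 1, "0000.0000.bbbb", "Fa0/4"),
]


def run_sample(static_for_aaaa=False):
    """Replay the sample frames, optionally with aaaa pinned to Fa0/1 first."""
    table = MacTable()
    if static_for_aaaa:
        table.add_static(1, "0000.0000.aaaa", "Fa0/1")
    for ts, vlan, mac, port in SAMPLE_FRAMES:
        table.learn(vlan, mac, port, ts)
    return table


if __name__ == "__main__":
    for message in run_sample().notifications:
        print(message)
    print("with static entry:", run_sample(static_for_aaaa=True).notifications)
```

The single legitimate move of bbbb produces no message, the alternating aaaa does, and the static entry silences it by refusing to relearn the address on Fa0/2, which is exactly the trade-off the text describes: the noise goes away, but so does the evidence of a loop or a spoofed host.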
Question 4
Answer: A E
Explanation
The command "show mac address-table" displays the MAC address table along with the port associated with each entry. "show mac address-table address <mac-address>" gives a view of one specific MAC address.
Similarly you need to enter the "switch convert mode virtual" command on Switch 2 to convert it to virtual switch mode:
SW2#switch convert mode virtual
Switch Course, Eng. Ahmed Nabil (DoN), 2017