
ENTERPRISE NETWORK
Course Code : 10930904
B.Sc. IT-IMS and Cloud Management (Faculty of ICT)
Prepared By : Sandip Jadav
Sr. No. 1 | Teaching Hrs.: 5 | Weightage: 12.5 %
Accessing the Cisco Catalyst Switch CLI. Cisco Catalyst Switches. Accessing the Cisco IOS CLI. Cabling the Console Connection. Accessing the CLI with Telnet and SSH. User and Enable (Privileged) Modes. Password Security for CLI Access from the Console. CLI Help Features. The debug and show Commands. Configuring Cisco IOS Software. Configuration Submodes and Contexts. Storing Switch Configuration Files. Copying and Erasing Configuration Files.

Sr. No. 2 | Teaching Hrs.: 4 | Weightage: 10 %
LAN Switching Concepts. Overview of Switching Logic. Forwarding Known Unicast Frames. Learning MAC Addresses. Flooding Unknown Unicast and Broadcast Frames. Avoiding Loops Using Spanning Tree Protocol. LAN Switching Summary. Verifying and Analyzing Ethernet Switching. Demonstrating MAC Learning. Switch Interfaces. Finding Entries in the MAC Address Table. Managing the MAC Address Table (Aging, Clearing). MAC Address Tables with Multiple Switches.

Sr. No. 3 | Teaching Hrs.: 5 | Weightage: 12.5 %
Securing the Switch CLI. Securing User Mode and Privileged Mode with Simple Passwords. Securing User Mode Access with Local Usernames and Passwords. Securing User Mode Access with External Authentication Servers. Securing Remote Access with Secure Shell. Enabling IPv4 for Remote Access. Host and Switch IP Settings. Configuring IPv4 on a Switch. Configuring a Switch to Learn Its IP Address with DHCP. Verifying IPv4 on a Switch. Miscellaneous Settings Useful in the Lab. History Buffer Commands. The logging synchronous, exec-timeout, and no ip domain-lookup Commands.

Sr. No. 4 | Teaching Hrs.: 8 | Weightage: 20 %
Configuring Switch Interfaces. Configuring Speed, Duplex, and Description. Configuring Multiple Interfaces with the interface range Command. Administratively Controlling Interface State with shutdown. Removing Configuration with the no Command. Autonegotiation. Autonegotiation Under Working Conditions. Autonegotiation Results When Only One Node Uses Autonegotiation. Autonegotiation and LAN Hubs. Analyzing Switch Interface Status and Statistics. Interface Status Codes and Reasons for Nonworking States. Interface Speed and Duplex Issues. Common Layer 1 Problems on Working Interfaces.

Sr. No. 5 | Teaching Hrs.: 8 | Weightage: 20 %
Virtual LAN Concepts. Creating Multiswitch VLANs Using Trunking. VLAN Tagging Concepts. The 802.1Q and ISL VLAN Trunking Protocols. Forwarding Data Between VLANs. The Need for Routing Between VLANs. Routing Packets Between VLANs with a Router. VLAN and VLAN Trunking Configuration and Verification. Creating VLANs and Assigning Access VLANs to an Interface. VLAN Configuration. VLAN Trunking Configuration. Implementing Interfaces Connected to Phones. Data and Voice VLAN Concepts. Data and Voice VLAN Configuration and Verification. Access VLANs Undefined or Disabled. Mismatched Trunking Operational States. The Supported VLAN List on Trunks. Mismatched Native VLAN on a Trunk.

Sr. No. 6 | Teaching Hrs.: 5 | Weightage: 12.5 %
STP and RSTP Basics. The Need for Spanning Tree. What Spanning Tree Does. How Spanning Tree Works. The STP Bridge ID and Hello BPDU. Electing the Root Switch. Choosing Each Switch's Root Port. Choosing the Designated Port on Each LAN Segment. Configuring to Influence the STP Topology. Details Specific to STP (and Not RSTP). STP Activity When the Network Remains Stable. STP Timers That Manage STP Convergence. Changing Interface States with STP. Rapid STP Concepts. Comparing STP and RSTP. RSTP and the Alternate (Root) Port Role. RSTP States and Processes. RSTP and the Backup (Designated) Port Role. RSTP Port Types. Optional STP Features. EtherChannel. PortFast. BPDU Guard.

Sr. No. 7 | Teaching Hrs.: 5 | Weightage: 12.5 %
Understanding RSTP Through Configuration. The Need for Multiple Spanning Trees. STP Modes and Standards. The Bridge ID and System ID Extension. How Switches Use the Priority and System ID Extension. RSTP Methods to Support Multiple Spanning Trees. Other RSTP Configuration Options. Configuring Layer 2 EtherChannel. Configuring a Manual Layer 2 EtherChannel. Configuring Dynamic EtherChannels. Physical Interface Configuration and EtherChannels. EtherChannel Load Distribution. Configuration Options for EtherChannel Load Distribution. The Effects of the EtherChannel Load Distribution Algorithm.
Unit 1 : Accessing the Cisco Catalyst Switch CLI


Switch

A switch is an intelligent device with a MAC address learning mechanism that connects multiple LAN segments. It operates at Layer 2 (the data link layer) of the OSI model.
Types of LAN

There are two types of LANs, as shown in the following illustration: SOHO LANs and Enterprise LANs.
SOHO LANs

A Small Office/Home Office (SOHO) LAN is a Local Area Network suited to small businesses with roughly ten employees or fewer. It connects devices such as computers, laptops and printers through a small number of switches and a router that provides Internet access. Working from home is popular partly because a SOHO LAN is cheap to deploy, and it gives the user access to the web, email and VoIP from home.
Enterprise LANs

An Enterprise LAN is deployed in organizations where data traffic is high. It is a multilayered network consisting of routers, switches, firewalls, wireless APs, servers, storage and so on.

Cisco uses a cost-effective three-layer hierarchical model to simplify the Enterprise network:

• Access Layer
• Distribution Layer
• Core Layer
Access layer: Controls user and workgroup access to the resources of an internetwork. It consists of the switches that connect directly to end devices such as PCs, laptops, IP phones and servers.
Function: Access layer switches provide the port density that lets the network scale to many end devices, and are the natural place to apply per-port controls such as VLAN assignment.

Distribution Layer: This layer provides routing, data filtering and access control between the access and core layers.
Function: Routers and Layer 3 switches in the distribution layer route traffic between VLANs, apply access control lists and other policies, and aggregate the access layer switches over redundant links for reliable delivery, high performance and better redundancy.

Core Layer: The core layer is the backbone of an Enterprise network. A failure in this layer affects every user.
Function: The core layer provides high-speed data transmission and connects different buildings or geographical locations.
Cisco Switches

Cisco's modular switching platforms are used both for data center unified fabric deployments and for highly scalable campus core deployments. Salient features:

• Designed for exceptional scalability, with some of the industry's highest resiliency features.
• Deployment flexibility for the data center core, aggregation and access layers and for the campus core.
• System scalability, network scalability, operational continuity, network consolidation, segmentation and virtualization.
• Some models also offer virtual switching systems, network virtualization and security features.
Types of Switching

Various types of switching are used in network communication. The major types, as shown in the figure, are:

• Circuit Switching
• Packet Switching
    • Datagram Packet Switching
    • Virtual Circuit Packet Switching
Circuit Switching

Circuit switching is a method in which an end-to-end communication channel (circuit) is set up between the nodes before any data is sent. A dedicated path is established between the sender and the receiver and is held for the entire duration of the communication session, whether or not data is flowing.

Circuit switching is the traditional model of the public telephone network; sending data over such a network means carrying digital signals over a circuit designed for analog voice.
Packet Switching

In the Packet Switching method, data is divided into packets. Each packet includes:

• A header, carrying
    • the source address
    • the destination address
    • intermediate device (routing) information
• The data itself

Individual packets in this method may take different routes to reach their destination.

There are two types of Packet Switching methods commonly in use, as shown in figure 2.3.3: Datagram Packet Switching and Virtual Circuit Packet Switching.
Datagram Packet Switching
In this mode:
• Individual packets are forwarded independently, based on their destination address.
• Routing decisions are made dynamically by the routing protocol at each hop.
• Because each packet may follow a different path, packets can arrive at the receiver in a different order from the one in which they were sent.

Note : The Internet is the best example of datagram packet switching.
Packet Switching
Virtual Circuit Packet Switching
In this mode:
• A route is established before any packets are forwarded to the destination.
• All packets of the session follow the same route.
• Forwarding through the network becomes very simple, since each node only has to look up the virtual circuit identifier.
• Packets are received in the correct order. A Frame Relay network is an example of virtual circuit packet switching.
Ethernet Addressing
In networking terminology, an Ethernet address is referred to as a 'MAC address'. The MAC address is a unique 48-bit address, normally written as 12 hexadecimal digits, burned into the NIC (Network Interface Controller) attached to the system. Observe the following figure:

OUI and UAA: The 48-bit MAC address is split into two halves. The first 24 bits are the OUI, assigned by the IEEE to a particular vendor; the last 24 bits are a unique serial number assigned by that manufacturer. An address assigned by the manufacturer in this way is a Universally Administered Address (UAA), as opposed to a Locally Administered Address set by software, which is marked by the second-least-significant bit of the first byte.

Terminology
• OUI — Organizationally Unique Identifier
• UAA — Universally Administered Address
Ethernet II Frame Type

Preamble: Provides synchronization, since the sender and receiver interface cards run on different system clocks.
SFD (Start Frame Delimiter): Tells the receiving Ethernet hardware where the frame proper begins.
Destination address: A 6-byte destination address; it can be a unicast, multicast or broadcast address.
Source address: A 6-byte source address; it can only be a unicast address.
Length or Type: IEEE 802.3 uses a 'Length' field, whereas Ethernet II uses a 'Type' (EtherType) field to identify the network layer protocol carried in the data field. Values of 1500 or less are interpreted as a length, values of 0x0600 and above as a type.
Data: The packet handed down to the data link layer from the network layer. Its size can vary from 46 to 1500 bytes; shorter payloads are padded to 46 bytes.
FCS (Frame Check Sequence): A 4-byte field holding the cyclic redundancy check (CRC) value, which lets the receiver detect data corrupted in transmission.
Types of Data Transmission
Based on the method of delivery, data transmission is classified into three types: unicast, multicast and broadcast.

Unicast: Transmits a frame or packet from one host directly to one other host (the destination).

Multicast: Transmits a frame or packet to a group of interested destinations (e.g. IPTV channels).

Broadcast: Transmits a frame or packet from one host to all other hosts in the network (broadcast domain).
Error Detection with Frame Check Sequence – FCS
The sender runs the CRC algorithm over the frame as it is built and places the result in the FCS field. If some bits are received in error because of noise on the cable or crosstalk, the CRC recomputed by the receiver will not match the transmitted FCS and the frame is discarded. This provides error detection only, not correction: recovery of the lost data is left to higher layers.
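The Ethernet II frame layout, the unicast/multicast/broadcast address classes, the OUI/UAA split and the FCS check described in the last few sections, as an added worked example written for these notes (not code from the original slides or from Cisco). It builds a frame, classifies its destination, and shows that a single flipped bit in transit makes the receiver's CRC disagree with the transmitted FCS. The sample addresses and payload are constructed, and the little-endian byte order of the FCS on the wire is an assumption.

```python
"""Added example: Ethernet II frame build/parse with address classification
and FCS (CRC-32) verification. Not from the original slides."""
import struct
import zlib

MIN_PAYLOAD = 46      # shorter payloads are padded so the frame is at least 64 bytes
MAX_PAYLOAD = 1500
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac: str) -> bytes:
    """'00:1a:2b:3c:4d:5e' -> 6 raw bytes (also accepts '-' as separator)."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def oui(mac: str) -> str:
    """First 24 bits: the IEEE-assigned Organizationally Unique Identifier."""
    return bytes_to_mac(mac_to_bytes(mac)[:3])


def address_kind(mac: str) -> str:
    """Broadcast, multicast (I/G bit of the first byte set) or unicast."""
    raw = mac_to_bytes(mac)
    if raw == b"\xff" * 6:
        return "broadcast"
    if raw[0] & 0x01:
        return "multicast"
    return "unicast"


def is_locally_administered(mac: str) -> bool:
    """U/L bit (0x02 of the first byte): set for software-assigned addresses,
    clear for a UAA burned in by the manufacturer."""
    return bool(mac_to_bytes(mac)[0] & 0x02)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Destination, source, Type, padded data, then the 4-byte FCS."""
    if address_kind(src) != "unicast":
        raise ValueError("source address must be unicast")
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 1500 bytes")
    body = (mac_to_bytes(dst) + mac_to_bytes(src)
            + struct.pack("!H", ethertype) + payload.ljust(MIN_PAYLOAD, b"\x00"))
    # Ethernet's CRC-32 matches zlib.crc32; the byte order assumed here is the
    # one seen in captures that keep the FCS (least significant byte first).
    return body + struct.pack("<I", zlib.crc32(body))


def parse_frame(frame: bytes) -> dict:
    """Split the fields and recompute the CRC the way a receiving NIC does."""
    if len(frame) < 14 + MIN_PAYLOAD + 4:
        raise ValueError("runt frame (shorter than 64 bytes)")
    body, fcs = frame[:-4], frame[-4:]
    (length_or_type,) = struct.unpack("!H", body[12:14])
    dst = bytes_to_mac(body[0:6])
    return {
        "dst": dst,
        "src": bytes_to_mac(body[6:12]),
        "dst_kind": address_kind(dst),
        # <= 1500 is an IEEE 802.3 Length field, >= 0x0600 an Ethernet II Type
        "is_8023_length": length_or_type <= MAX_PAYLOAD,
        "ethertype": length_or_type,
        "payload": body[14:],
        "fcs_ok": struct.unpack("<I", fcs)[0] == zlib.crc32(body),
    }


def corrupt_bit(frame: bytes, byte_index: int, bit: int = 0) -> bytes:
    """Simulate noise or crosstalk flipping one bit in transit."""
    damaged = bytearray(frame)
    damaged[byte_index] ^= 1 << bit
    return bytes(damaged)


if __name__ == "__main__":
    # Constructed sample: an ARP request (type 0x0806) broadcast by a host with an assumed OUI.
    frame = build_frame(BROADCAST, "00:1a:2b:3c:4d:5e", 0x0806, b"who-has 10.0.0.1")
    good, bad = parse_frame(frame), parse_frame(corrupt_bit(frame, 20))
    print(good["dst_kind"], good["fcs_ok"], bad["fcs_ok"])
```

The padding in build_frame is why a minimum-size frame is 64 bytes: 14 bytes of header, 46 bytes of data and the 4-byte FCS. A single-bit flip anywhere in the body is always caught by CRC-32, which is the property the FCS section relies on; what the CRC cannot do is tell the receiver which bit was wrong.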
LAN Switching
LAN switching is a form of packet switching used in a Local Area Network. Although basic switching is done at Layer 2, a LAN can combine devices working at different layers, such as Layer 2 switches and Layer 3 switches. A Layer 3 switch is more expensive than a Layer 2 switch.
Hubs, Bridges, and Switches

Hubs: Hubs are physical layer devices, typically used in small networks where the volume of data crossing the network is low. A hub repeats every bit it receives out of every other port, so all attached hosts share one collision domain.

Bridges: Bridges operate at Layer 2, the data link layer, and are commonly used to connect multiple LAN segments. Bridges learn addresses and maintain MAC tables. Since bridge ports can run full-duplex, two-way communication is possible.

Switches: Switches are Layer 2 devices that connect computers, printers and servers within a segment, building or campus. A switch acts as a controller, enabling networked devices to communicate with each other efficiently. There are two types of switches:
1. Unmanaged Switches. 2. Managed Switches.

Unmanaged Switches: These switches are used in SOHO networking. They cannot be configured and run with a factory default configuration.

Managed Switches: Managed switches are used in campus or corporate network environments. They are configurable, and their network segments can be monitored and controlled locally through the console port or remotely over the network (for example with Telnet or SSH).
Bridges vs. Switches
Network performance suffers when an Ethernet environment built from hubs forms one large collision domain. Bridges were developed to avoid this issue.

Functions of a Bridge
A bridge isolates one collision domain from another while still connecting them, selectively allowing frames to pass from one to the other. It connects two similar network segments. The most important function of a bridge is to keep traffic local to each segment of the network. Bridges have only a few ports and are slow, because forwarding is done in software.

Functions of a Switch
A switch is a bigger, faster bridge. Every port on a switch or bridge is its own collision domain. Switches perform the same functions as a bridge but connect many network segments together; they have many ports and large buffer memory. Switches have dedicated chips (ASICs) that perform address learning and frame forwarding in hardware. They can also offer different port speeds, such as Fast Ethernet or Gigabit Ethernet.
Bridges vs. Switches

Bridging                                              Switching
• Bridges are software based                          • Switches are hardware based
• A bridge can have only one spanning-tree instance   • Switches can have many spanning-tree instances
• Bridges have a small number of ports                • Switches have a higher number of ports

In switches, ASIC chips are used to make filtering decisions.

ASIC = Application-Specific Integrated Circuit

Some of the common functions of bridges and switches are:

• Both bridges and switches forward Layer 2 broadcasts.
• Both bridges and switches learn MAC addresses by examining the source address of each frame received.
• Both bridges and switches make forwarding decisions based on Layer 2 addresses.

Important Functions of Layer 2 Switches
Switches perform three important functions:
• Address learning
• The forward/filter decision
• Loop avoidance
Address Learning
When a new switch is powered on, its MAC address table is empty. When a host transmits a frame, the switch records the source MAC address against the port it arrived on. If the destination MAC address is not yet in the table, the switch floods the frame out of every port except the one it arrived on. When the destination host replies, the switch learns its MAC address and port too, and from then on frames between the two hosts are forwarded out of a single port.

MAC Address Table: In the diagram above, Device C sends data to Device A. The switch learns C's MAC address on port Fa0/3 and, because A's address is unknown, floods the frame out of every port except Fa0/3. When Device A replies, the switch learns A's MAC address and port number and stores them in the MAC table.
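The learning, flooding, forwarding and filtering behaviour described above, as an added simulation written for these notes (not code from the original slides or from Cisco IOS). The port names, the device addresses and the 300-second aging time are assumptions; the clock is injectable so that aging can be shown without waiting five minutes.

```python
"""Added example: a transparent learning switch. Learns source MAC -> port,
forwards known unicast out one port, floods unknown unicast and
broadcast/multicast out all other ports, and ages out idle entries."""
import time

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_multicast(mac: str) -> bool:
    """I/G bit of the first byte; broadcast is the all-ones special case."""
    return bool(int(mac.split(":")[0], 16) & 0x01)


class LearningSwitch:
    def __init__(self, ports, aging_seconds=300.0, clock=time.monotonic):
        self.ports = list(ports)
        self.aging_seconds = aging_seconds     # 300 s assumed (Cisco's default aging time)
        self.clock = clock                     # injectable for testing
        self.mac_table = {}                    # mac -> (port, last_seen)

    def _age_out(self, now: float) -> None:
        stale = [m for m, (_, seen) in self.mac_table.items()
                 if now - seen > self.aging_seconds]
        for m in stale:
            del self.mac_table[m]

    def receive(self, in_port: str, src: str, dst: str) -> list:
        """Return the list of egress ports for a frame arriving on in_port."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        now = self.clock()
        self._age_out(now)
        # Learning: bind the source MAC to the ingress port. This refreshes the
        # timer and re-binds the MAC if the host has moved to another port.
        self.mac_table[src] = (in_port, now)
        entry = self.mac_table.get(dst)
        if is_multicast(dst) or entry is None:
            # Flood: every port except the one the frame arrived on.
            return [p for p in self.ports if p != in_port]
        out_port, _ = entry
        if out_port == in_port:
            return []          # Filter: destination is already on the ingress segment
        return [out_port]      # Forward known unicast out a single port

    def table(self) -> dict:
        """Snapshot of mac -> port, like 'show mac address-table dynamic'."""
        return {m: port for m, (port, _) in self.mac_table.items()}

    def clear(self) -> None:
        """Equivalent of 'clear mac address-table dynamic'."""
        self.mac_table.clear()


if __name__ == "__main__":
    # Constructed scenario from the slide: C on Fa0/3 talks to A on Fa0/1.
    sw = LearningSwitch(["Fa0/1", "Fa0/2", "Fa0/3", "Fa0/4"])
    A, C = "00:00:00:00:00:0a", "00:00:00:00:00:0c"
    print(sw.receive("Fa0/3", C, A))   # unknown destination: flooded except Fa0/3
    print(sw.receive("Fa0/1", A, C))   # reply: forwarded out Fa0/3 only
    print(sw.table())
```

The first frame is flooded because the table is empty; once both hosts have spoken, traffic between them uses one port each way. The same table is what an attacker targets when flooding forged source addresses, which is why the table has an aging timer and a finite size on real hardware.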
Loop Avoidance
Having multiple paths to a destination for redundancy is good network design: traffic can take an alternate link if one link fails.

However, redundant Layer 2 links cause serious problems for switches unless loops are controlled. Example: a broadcast frame sent out of multiple links is flooded by each switch onto every other link and comes back around the loop, so it is flooded again. Each host that receives the repeated broadcast may reply, adding still more frames. The volume of traffic grows until it saturates the links, a condition known as a 'Broadcast Storm', which quickly congests the network and degrades its performance. Spanning Tree Protocol exists to block the redundant paths so that this does not happen.
Switching Modes

Most bridges operate in transparent mode, while switches can operate in different modes. Cisco switches have three modes that trade latency against how thoroughly a frame is checked before it is passed on: the more of the frame the switch inspects, the more latency it adds.

The three different modes are:
• Cut-through
• Fragment-free
• Store and forward
Cut-through: The cut-through switching mode provides the fastest switching with the lowest latency. The switch reads only the first 6 bytes of the frame (the destination MAC address) into memory, looks the address up in its MAC table to find the outgoing port, and begins forwarding the frame immediately. There is no error checking in cut-through mode, so corrupted frames are propagated.

Fragment-free: Fragment-free mode is also referred to as 'hybrid' or 'modified cut-through'. The switch works like a cut-through switch except that it reads and stores the first 64 bytes of the frame before forwarding it. Most collisions, errors and fragments show up within the first 64 bytes of a frame, so a switch that inspects these bytes and finds no problem passes the frame on; a frame shorter than 64 bytes (a collision fragment, or 'runt') is discarded. Latency in this mode is between that of cut-through and store-and-forward.

Store and Forward: Store and forward is the default switching mode for distribution layer switches. The entire frame is read into memory, the switch computes the Cyclic Redundancy Check (CRC) over the frame and compares the result with the frame's FCS value, and a frame whose FCS does not match is dropped.
Inspecting and connecting to your hardware
Before configuring your Cisco switch, you need to be able to identify the power cable, the switch ports and the console port. In addition, all Cisco switches have LEDs that show the current state of the switch.
Connect the switch's power cable to the power source and wait for the lights to come up.
Check the front of the switch. The System (SYST) LED states are as follows:

Off: The system is not powered. If the power cable is connected but the LEDs are off, check the power source or the switch's power cable.
Green: The switch is operational.
Blinking green: The system software is loading.
Amber: Power is OK, but the system is not functional.
Blinking amber: A fault in a network module, power supply or fan.
Inspecting and connecting to your hardware

Check the lights. They vary by Cisco switch series, but generally you should see the System LED (described above) along with others such as Console, Active, RPS, Stack, PoE, Duplex and Speed.

Check the back of the switch. There you should find the power supply and the console port; the console port can be either Serial (RJ-45) or Mini USB. You should also see the IOS label, which shows the operating system version shipped by default.
How to connect to a Cisco Switch?
Connect to the console (management) port using a console cable.
Depending on the console port of the switch, you will need different adapters. Generally there are two types: a Serial DB-9 to RJ-45 console cable (as shown below) and a USB-to-Serial DB-9 adapter (if your computer has no serial port).
How to connect to a Cisco Switch?

How to physically connect your laptop or PC to the console port?

Plug the serial DB-9 end of the console cable into your computer's serial port and connect the RJ-45 end to the console port of the switch. If your computer has no DB-9 serial port, plug the DB-9 end into a Serial-to-USB adapter and then plug the adapter into your laptop. Bear in mind that these adapters need a software driver.

To talk to the switch over the serial line you need terminal emulation software. A well-known choice is PuTTY, a free SSH, Telnet, rlogin, raw TCP and serial client. PuTTY is primarily a Windows tool; on Linux or macOS you can use SecureCRT or a terminal program such as screen or minicom.

Ensure you are connected to the console port of the switch with the correct cable, as shown in the previous section.
How to connect to a Cisco Switch?

Look for the COM (communication) port that your computer assigned. A COM port is the name of a serial port interface on a PC; it covers both physical ports and emulated ports such as those created by USB adapters. If you are using a USB-to-serial adapter, you therefore need to find its COM port: open Windows Device Manager, expand Ports (COM & LPT), locate the adapter whose driver you installed and note the COM number (in this case, COM1).
How to connect to a Cisco Switch?

Let's configure the serial connection in your computer.

Open PuTTY. Go to Configuration > Connection > Serial and set the following parameters:
Serial line to connect to: the COM port you found in the previous section (e.g. COM1)
Speed (baud): 9600 (the Cisco default; some hardware supports up to 115200)
Data bits: 8
Stop bits: 1
Parity: None
Flow control: None
Save the session and click Open. You will be connected to the switch console.
Command Modes

3. Moving through command modes

Once connected to the switch, you are greeted with the prompt:

Switch>

The hostname "Switch" is the current name of the switch, and the ">" means you are in user EXEC ("unprivileged") mode. In this mode you can only display information, not change any configuration. To start configuring your Cisco switch you need to raise your privilege level.

Navigate through Cisco's command modes

There are two privilege level modes:

User EXEC mode, prompt ">": the default mode. Here you can only display information and see certain debug output.
Switch>enable

Privileged EXEC mode, prompt "#": from here you can view everything and enter the configuration modes.
Switch#

Within privileged EXEC mode there are further configuration modes, including global, interface, subinterface, router and line configuration modes.

Global configuration mode, prompt "(config)#", entered with configure terminal (often abbreviated conf t). Global configuration commands apply to features that affect the system as a whole.
Switch(config)#

To move across these modes, use the following commands:
enable: change from user EXEC (>) to privileged EXEC (#).
disable: change from privileged EXEC (#) back to user EXEC (>).
configure terminal: enter global configuration mode.
exit: go back one mode.
end: return to privileged EXEC mode from any configuration mode.
Flash : This memory stores the IOS image of the router/switch.
Switch#sh flash

RAM : Temporary (volatile) storage; holds the running configuration.
Switch#sh run

NVRAM : Permanent (non-volatile) storage; holds the startup configuration.
Switch#sh start

Other useful commands:
Switch#wr                 ( save the running configuration to NVRAM )
Switch#copy run start     ( save the running configuration to NVRAM )
Switch#sh ver
Switch#sh history
Switch#terminal history size 10
Switch#sh clock
Switch#clock set 10:27:10 08 AUG 2023
Switch(config)#banner motd % Lab4 CCNA, Do not shutdown the switch %
Switch#sh ip int brief
Switch#sh ip route
Unit 3 : Securing the Switch CLI

Securing the Switch CLI. Securing User Mode and Privileged Mode with Simple Passwords. Securing User Mode Access with Local Usernames and Passwords. Securing User Mode Access with External Authentication Servers. Securing Remote Access with Secure Shell. Enabling IPv4 for Remote Access. Host and Switch IP Settings. Configuring IPv4 on a Switch. Configuring a Switch to Learn Its IP Address with DHCP. Verifying IPv4 on a Switch. Miscellaneous Settings Useful in the Lab. History Buffer Commands. The logging synchronous, exec-timeout, and no ip domain-lookup Commands.
User Mode and Privileged Mode Security
In this lesson we look at how to secure user mode and privileged (enable) mode. By default no authentication is required: if you connect a console cable to your switch or router, this is what happens:

Switch con0 is now available

Press RETURN to get started.

Switch>

As soon as you press Enter you land in user mode. There is no password prompt at all. The same applies to enable mode:

Switch>enable
Switch#
User Mode Security
Simple Password
The simplest way to protect user mode is to add a password. Here is how:
Switch(config)#line console 0

First we enter the console line configuration. Here we add two commands:
Switch(config-line)#password cisco
Switch(config-line)#login

We configure a password (cisco) and use the login command to tell Cisco IOS to prompt for it. The next time you open the console, this happens:

Switch con0 is now available

Press RETURN to get started.
User Access Verification
Password:
Switch>
Username and Password
Instead of a single shared password, it is also possible to use usernames and passwords. This is the better option when several people need access to your router or switch, because each login can then be traced to a person. Here is how:

Switch(config)#line console 0
Switch(config-line)#login local
Switch(config-line)#exit
Switch(config)#username admin password cisco

Under the console line, the login local command tells the switch to authenticate against its local database of usernames and passwords. In global configuration we create a username "admin" with password "cisco".

The next time you open the console, here is what you see:

Switch con0 is now available

Press RETURN to get started.
User Access Verification
Username: admin
Password:
Switch>

The switch asks for our username and password.
Enable Mode Security

What about enable (privileged) mode? We can add a password there as well. This is done from global configuration mode:

Switch#configure terminal

Now we set a password for enable mode:

Switch(config)#enable password cisco

Let's check that our password "cisco" works. First we leave enable mode:

Switch#disable

And jump right back in:

Switch>enable
Password:

The switch now asks for the password.
Password Encryption
In the examples above we used passwords, but there is one problem: they all appear in clear text in our configuration. Take a look:

Switch#show running-config | include password
no service password-encryption
enable password cisco
username admin password 0 cisco

It is all clear text. If someone steals one of your switches or routers, or obtains a configuration backup from which you forgot to strip the passwords, they have your passwords.

Cisco IOS has a command that obscures every clear-text password in the configuration:

Switch(config)#service password-encryption

The service password-encryption command converts every plain-text password to a 'type 7' string. Here is the result:

Switch#show running-config | include password
service password-encryption
enable password 7 13061E010803
username admin password 7 110A1016141D

You might now get a warm fuzzy feeling that everything is encrypted, but in reality type 7 is a very poor, broken algorithm: a fixed-key XOR cipher that is trivially reversible. There are websites that decode these strings on the fly; if you want to try it, here is one of them: http://password-decrypt.com/

We need something stronger...
Secret
Cisco IOS supports something called a secret as an alternative to the password. Let’s
try this for the enable mode:

Switch(config)#enable secret ?
0 Specifies an UNENCRYPTED password will follow
5 Specifies a MD5 HASHED secret will follow

Prepared By : Sandip Jadav


8 Specifies a PBKDF2 HASHED secret will follow
9 Specifies a SCRYPT HASHED secret will follow
LINE The UNENCRYPTED (cleartext) 'enable' secret
level Set exec level password

Above you can see this switch supports MD5, PBKDF2 and SCRYPT hashes.
Older IOS devices only support MD5 authentication.
Let’s give this a try:

Switch(config)#enable secret cisco


50
Our secret will be “cisco”. Let’s see what we find in the configuration:

Switch#show running-config | include secret


enable secret 5 $1$CANW$U9Y8O6KeFhrFR4l1Qo07h/

Prepared By : Sandip Jadav


You now find an MD5 hash in the configuration. The “5” that you see behind
“enable secret” is the algorithm that we use, 5 means MD5.

MD5 is not considered secure nowadays. It’s very easy to brute force simple
passwords. For example, try this website for the MD5 hash that was created for
my secret “cisco”. It will only take a few seconds to recover.

Let’s try one of the other algorithms that are considered secure nowadays.
Here’s how you can select the algorithm for the enable mode:
Switch(config)#enable algorithm-type ?
md5 Encode the password using the MD5 algorithm
scrypt Encode the password using the SCRYPT hashing algorithm 51
sha256 Encode the password using the PBKDF2 hashing algorithm
Let’s try the PBKDF2 (SHA256) hashing algorithm:

Switch(config)#enable algorithm-type sha256 secret cisco

When we look at our configuration, we’ll see the new hash:

Switch#show running-config | include secret


enable secret 8 $8$dvX/fx/FJ0Snk2$HhqrOUaEtBgk4zJvG2IQuAJNUicZmmELelC/L6.Fcl2

Prepared By : Sandip Jadav


The “8” behind “enable secret” refers to PBKDF2 hashing algorithm that we used.
In the example above I changed the hashing algorithm for the enable mode but we
can also do this for usernames. Here’s an example:

Switch(config)#username sandip algorithm-type sha256 secret cisco

My username now uses PBKDF2 (SHA256) as well for the password “cisco”. Here’s what it
looks like:

Switch#show running-config | include sandip
username sandip secret 8 $8$dyzsAmZjA3w.aY$YBZn8LBI6CK04ij5ZmqQ/88OrFdc3jzGb6v7SSQI0cw
External Authentication Servers
Configuring usernames and secrets on your Cisco IOS devices is a good
practice but one issue we have is scalability. If you have a network with
multiple devices, you will have to configure your usernames/secrets on all
devices. If you change your password, you have to do it on all devices.

In larger networks, we typically use authentication servers called RADIUS or
TACACS+ servers. On these servers, we configure our usernames. When
someone tries to access the console or enable mode on one of your
switches or routers, the device checks the credentials on the authentication server.

This allows you to keep your authentication centralized. This is something
we will cover in other lessons.

Authentication, authorization, and accounting (AAA) is a security framework
that controls access to computer resources, enforces policies, and audits
usage. AAA and its combined processes play a major role in network
management and cybersecurity by screening users and keeping track of
their activity while they are connected.
Authentication
Authentication involves a user providing information about who they are.
Users present login credentials that affirm they are who they claim. As an
identity and access management (IAM) tool, a AAA server compares a
user’s credentials with its database of stored credentials by checking if the
username, password, and other authentication factors align with that specific
user.

The three types of authentication factors are something you know, such as a
password; something you have, such as a Universal Serial Bus (USB) key; and
something you are, such as your fingerprint or other biometrics.

Authorization
Authorization follows authentication. During authorization, a user can be
granted privileges to access certain areas of a network or system. The areas
and sets of permissions granted to a user are stored in a database along with
the user’s identity. The user’s privileges can be changed by an
administrator. Authorization is different from authentication in that
authentication only checks a user’s identity, whereas authorization dictates
what the user is allowed to do.

For example, a member of the IT team may not have the privileges
necessary to change the access passwords for a company-wide virtual
private network (VPN). However, the network administrator may choose
to give the member access privileges, enabling them to alter the VPN
passwords of individual users. In this manner, the team member will be
authorized to access an area they were previously barred from.
Accounting
Accounting keeps track of user activity while users are logged in to a
network by tracking information such as how long they were logged in,
the data they sent or received, their Internet Protocol (IP) address, the
Uniform Resource Identifier (URI) they used, and the different services
they accessed.

Accounting may be used to analyze user trends, audit user activity, and
provide more accurate billing. This can be done by leveraging the data
collected during the user’s access. For example, if the system charges
users by the hour, the time logs generated by the accounting system can
report how long the user was logged in to the router and inside the
system, and then charge them accordingly.
AAA Practical
AAA : Router’s Command

router>en
router#conf t
router(config)#hostname RRR
RRR(config)#enable password cisco
RRR(config)#int fa0/1
RRR(config-if)#ip add 192.168.10.1 255.255.255.0
RRR(config-if)#no shut
RRR(config-if)#exit
RRR(config)#aaa new-model
RRR(config)#tacacs-server host 192.168.10.2 key secret
RRR(config)#aaa authentication login telnet group tacacs+
RRR(config)#line vty 0 4
RRR(config-line)#login authentication telnet
AAA : Server’s Configuration

TACACS packet capture in simulation
Secure Shell (SSH) is a protocol that provides a secure, remote connection to a
device. SSH provides more security for remote connections than Telnet does by
providing strong encryption when a device is authenticated. This software release
supports SSH Version 1 (SSHv1) and SSH Version 2 (SSHv2).

Router(config)#hostname R1
R1(config)#ip domain-name NETWORKLESSONS.LOCAL
R1(config)#crypto key generate rsa
R1(config)#ip ssh version 2
R1(config)#username admin password cisco
R1(config)#line vty 0 4
R1(config-line)#transport input ssh
R1(config-line)#login local
R1(config-line)#end

PC> ssh -l admin 192.168.10.1
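A defender-side check for the settings covered in the last few slides (enable and username secret types, Telnet on the vty lines, SSH version), added here as an example and not part of the original lesson or of any Cisco tool. The script scans a 'show running-config' dump; the sample configuration inside it is constructed for the example, and the regular expressions and the type-7 rating are my assumptions about the config syntax.

```python
"""Audit a Cisco IOS running-config for the credential and remote-access
settings discussed in this lesson (enable/username secret types, Telnet on
vty lines, SSH version).

Added example, not part of the original lesson or of any Cisco tool. It assumes
the IOS type numbers shown earlier (0 cleartext, 5 MD5, 8 PBKDF2-SHA256,
9 scrypt) and type 7, the reversible encoding used by 'service
password-encryption'. The sample config below is constructed for this example.
"""
import re

# Reviewer rating for each stored credential type.
TYPE_RATING = {
    "0": "cleartext (type 0)",
    "7": "reversible encoding (type 7)",
    "5": "MD5 md5crypt (type 5), brute-forceable for simple passwords",
    "8": "PBKDF2-SHA256 (type 8)",
    "9": "scrypt (type 9)",
}
STRONG_TYPES = {"8", "9"}

ENABLE_RE = re.compile(r"^enable (secret|password)(?: level \d+)?(?: (\d))? \S+$")
USER_RE = re.compile(r"^username (\S+) .*?(secret|password)(?: (\d))? \S+$")
LINE_RE = re.compile(r"^line (con|aux|vty)\b")
TRANSPORT_RE = re.compile(r"^transport input (.+)$")
SSH_VER_RE = re.compile(r"^ip ssh version (\d)$")


def _credential_finding(what, keyword, ptype):
    """Return a finding for one stored credential, or None if it is acceptable."""
    if keyword == "password":
        # 'password' (enable or username) never stores a hash; a missing type
        # number means type 0.
        rating = TYPE_RATING.get(ptype or "0", "unknown type")
        return (f"{what}: stored with 'password' as {rating}; "
                "use 'secret' with algorithm-type sha256 or scrypt")
    if ptype in STRONG_TYPES:
        return None
    rating = TYPE_RATING.get(ptype, "untyped secret")
    return (f"{what}: secret stored as {rating}; "
            "re-enter it with 'algorithm-type sha256' or 'scrypt'")


def audit_config(config_text):
    """Scan a 'show running-config' dump and return a list of findings."""
    findings = []
    current_line = None   # the 'line con/aux/vty' block we are inside, if any
    ssh_version = None
    for raw in config_text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == "!":
            continue
        if not raw.startswith(" "):
            current_line = None   # unindented command: back at global config level
        m = ENABLE_RE.match(cmd)
        if m:
            f = _credential_finding("enable", m.group(1), m.group(2))
            if f:
                findings.append(f)
            continue
        m = USER_RE.match(cmd)
        if m:
            f = _credential_finding(f"username {m.group(1)}", m.group(2), m.group(3))
            if f:
                findings.append(f)
            continue
        if LINE_RE.match(cmd):
            current_line = cmd
            continue
        m = TRANSPORT_RE.match(cmd)
        if m and current_line:
            allowed = set(m.group(1).split())
            if allowed & {"telnet", "all"}:
                findings.append(f"{current_line}: 'transport input {m.group(1)}' "
                                "permits Telnet (cleartext); use 'transport input ssh'")
            continue
        m = SSH_VER_RE.match(cmd)
        if m:
            ssh_version = m.group(1)
    if ssh_version != "2":
        findings.append("ip ssh version 2 is not set; the device may negotiate SSHv1")
    return findings


# Constructed sample: the two secrets shown in this lesson plus a Telnet-enabled
# vty line and a cleartext local user.
SAMPLE_CONFIG = """\
hostname R1
enable secret 5 $1$CANW$U9Y8O6KeFhrFR4l1Qo07h/
username admin password 0 cisco
username sandip secret 8 $8$dyzsAmZjA3w.aY$YBZn8LBI6CK04ij5ZmqQ/88OrFdc3jzGb6v7SSQI0cw
ip ssh version 2
!
line con 0
 login local
line vty 0 4
 transport input telnet ssh
 login local
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("-", finding)
```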
How to Configure DHCP Server on Cisco Switches
The DHCP service allows hosts to automatically obtain their IP configuration from the
DHCP server. The DHCP service is available on Cisco switches. If you have a Cisco
switch in your network, you can also use it as a DHCP server.
The following table lists the commands that are required to configure a switch to act
as a DHCP server.
Switch>enable
Switch#configure terminal
Switch(config)#ip dhcp excluded-address 192.168.1.1 192.168.1.10
Switch(config)#ip dhcp pool test
Switch(dhcp-config)#network 192.168.1.0 255.255.255.0
Switch(dhcp-config)#default-router 192.168.1.1
Switch(dhcp-config)#dns-server 4.4.4.4
Switch(dhcp-config)#exit
Switch(config)#interface vlan 1
Switch(config-if)#ip address 192.168.1.5 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#exit

To view IP addresses leased by the DHCP server, use the 'show ip dhcp binding' command.
To view DHCP pool statistics and information, use the 'show ip dhcp pool' command.
Unit 4: Configuring Switch Interfaces. Configuring Speed, Duplex, and Description.
Configuring Multiple Interfaces with the interface range Command. Administratively
Controlling Interface State with shutdown. Removing Configuration with the no
Command. Autonegotiation. Autonegotiation Under Working Conditions. Autonegotiation
Results When Only One Node Uses Autonegotiation. Autonegotiation and LAN Hubs.
Analyzing Switch Interface Status and Statistics. Interface Status Codes and Reasons
for Nonworking States. Interface Speed and Duplex Issues. Common Layer 1 Problems on
Working Interfaces.
Understanding Interface Types

This section describes the different types of interfaces supported by the
switch with references to chapters that contain more detailed information
about configuring these interface types. The rest of the chapter describes
configuration procedures for switch ports.

Switch ports are Layer 2-only interfaces associated with a physical port.
They are used for managing the physical interface and associated Layer 2
protocols and do not handle routing or bridging. A switch port can be an
access port or a trunk port.

You can configure a port as an access port or trunk port, or let the Dynamic
Trunking Protocol (DTP) operate on a per-port basis to determine if a
switch port should be an access port or a trunk port by negotiating with
the port on the other end of the link.

Note: The physical ports on the switch can be 10/100 Ethernet ports,
10/100/1000 Ethernet ports, 100BASE-FX ports, 1000BASE-SX ports, GBIC
module ports, and Long-Reach Ethernet (LRE) ports. For more information,
refer to the switch hardware installation guide.
Access Port

An access port belongs to and carries the traffic of only one VLAN. Traffic is
received and sent in native formats with no VLAN tagging. Traffic arriving on an
access port is assumed to belong to the VLAN assigned to the port. If an access
port receives an 802.1P- or 802.1Q-tagged packet for the VLAN assigned to the
port, the packet is forwarded. If the port receives an 802.1P- or 802.1Q-tagged
packet for another VLAN, the packet is dropped, the source address is not learned,
and the frame is counted in the No destination statistic.
The Catalyst 2950 switch does not support ISL-tagged packets. If the switch
receives an ISL-tagged packet, the packet is flooded in the native VLAN of the port
on which it was received because the MAC destination address in the ISL-tagged
packet is a multicast address.
Two types of access ports are supported:
• Static access ports are manually assigned to a VLAN.
• VLAN membership of dynamic access ports is learned through incoming packets.
By default, a dynamic access port is a member of no VLAN, and forwarding to and
from the port is enabled only when the VLAN membership of the port is
discovered. Dynamic access ports on the switch are assigned to a VLAN by a VLAN
Membership Policy Server (VMPS). The VMPS can be a Catalyst 6000 series switch;
the Catalyst 2950 switch does not support the function of a VMPS.
Using the Interface Command
To configure a physical interface (port), use the interface global configuration
command to enter interface configuration mode and to specify the interface type,
slot, and number.

• Type—Fast Ethernet (fastethernet or fa) for 10/100 Ethernet or Gigabit
Ethernet (gigabitethernet or gi)
• Slot—The slot number on the switch (always 0 on this switch).
• Port number—The interface number on the switch. The port numbers always
begin at 1, starting at the left when facing the front of the switch, for example,
fastethernet 0/1, fastethernet 0/2. If there is more than one media type (for
example, 10/100 ports and Gigabit Ethernet ports), the port number starts again
with the second media: gigabitethernet 0/1, gigabitethernet 0/2.

You can identify physical interfaces by physically checking the interface location
on the switch. You can also use the IOS show privileged EXEC commands to
display information about a specific interface or all the interfaces on the switch.
The remainder of this chapter primarily provides physical interface configuration
procedures.

This section describes how to configure all types of interfaces and how to
configure a range of interfaces:

Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# end
Switch# show interfaces

You can use the interface range global configuration command to configure
multiple interfaces with the same configuration parameters. When you enter
the interface-range configuration mode, all command parameters that you
enter are attributed to all interfaces within that range until you exit this mode.

Switch# configure terminal
Switch(config)# interface range fastethernet0/1 - 5
Switch(config-if-range)# no shutdown

Switch(config)# interface range fastethernet0/1 - 3, gigabitethernet0/1 - 2
Switch(config-if-range)# no shutdown
Configuring and Using Interface-Range Macros

You can create an interface-range macro to automatically select a range of interfaces
for configuration. Before you can use the macro keyword in the interface range
macro global configuration command string, you must use the define interface-range
global configuration command to define the macro.

Switch# configure terminal
Switch(config)# define interface-range enet_list fastethernet0/1 - 4
Switch(config)# end
Switch# show running-config | include define

Switch# configure terminal
Switch(config)# define interface-range macro1 gi0/1 - 2, fa0/5 - 7
Switch(config)# end

Switch# configure terminal
Switch(config)# interface range macro enet_list
Switch(config-if-range)#

Switch(config)# no define interface-range enet_list

Note: This command does not run in Packet Tracer; it works on a real Cisco switch.
Configuring Interface Speed and Duplex Mode

The 10/100 Ethernet interfaces on the Catalyst 2950 switch operate in 10
or 100 Mbps and in either full- or half-duplex mode. (There are no 10/100
Ethernet interfaces on the Catalyst 2950 LRE switch.) The 10/100/1000
Ethernet interfaces operate in 10, 100, or 1000 Mbps only in full-duplex
mode.

In full-duplex mode, two stations can send and receive at the same time.
When packets can flow in both directions simultaneously, effective
Ethernet bandwidth doubles to 20 Mbps for 10-Mbps interfaces, to 200
Mbps for Fast Ethernet interfaces, and to 2 Gbps for Gigabit interfaces.

Full-duplex communication is often an effective solution to collisions,
which are major constrictions in Ethernet networks. Normally, 10-Mbps
ports operate in half-duplex mode, which means that stations can either
receive or send.
On the Catalyst 2950 LRE switch, the copper media (10/100/1000) of the
Gigabit interface operate in 10/100 full-duplex or half-duplex mode and 1000
Mbps only in full-duplex mode. The fiber-optic media of the Gigabit interface
only operate in 1000 Mbps and full-duplex mode.

You can configure interface speed on Fast Ethernet (10/100-Mbps) and Gigabit
Ethernet (10/100/1000-Mbps) interfaces on the Catalyst 2950 switch; you
cannot configure speed on 100BASE-FX, 1000BASE-SX, and Gigabit Interface
Converter (GBIC) module interfaces.

You can configure duplex mode on any Fast Ethernet interfaces that are not
set to autonegotiate; you cannot configure duplex mode on 100BASE-FX,
1000BASE-SX, and GBIC-module interfaces. The 10/100/1000 interfaces can
operate only in full-duplex mode.
Configuration Guidelines

When configuring an interface speed and duplex mode, note these guidelines:

• Ethernet ports set to 1000 Mbps should always be set to full duplex.

• Gigabit Ethernet ports that do not match the settings of an attached device can
lose connectivity and do not generate statistics.

• If both ends of the line support autonegotiation, we highly recommend the
default setting of autonegotiation.

• When connecting an interface to a 100BASE-T device that does not
autonegotiate, set the duplex mode to full or half to match the device, and set the
speed to auto. Autonegotiation for the speed setting selects the correct speed
even if the attached device does not autonegotiate, but duplex mode must be
explicitly set.
• When connecting an interface to a Gigabit Ethernet device that does not
autonegotiate, disable autonegotiation on the switch and set the duplex and
flow control parameters to be compatible with the remote device.

• 100BASE-FX ports operate only at 100 Mbps and in full-duplex mode.

• 1000BASE-SX ports operate only at 1000 Mbps and in full-duplex mode.

• GigaStack-to-GigaStack cascade connections operate in half-duplex mode, and
GigaStack-to-GigaStack point-to-point connections operate in full-duplex mode.

• When Spanning Tree Protocol (STP) is enabled and a port is reconfigured, the
switch can take up to 30 seconds to check for loops. The port LED is amber while
STP reconfigures.
Switch# configure terminal
Switch(config)# interface fastethernet0/3
Switch(config-if)# speed 10
Switch(config-if)# duplex half
Switch(config-if)# end
Switch# show running-config
Configuring Media Types for Gigabit Interfaces

You can use the media-type interface configuration command to
configure the media type for Gigabit interfaces. The media-type interface
configuration command allows you to enable or disable fiber-optic or
copper connections on a Long-Reach Ethernet (LRE) switch. It also allows
you to manually set the port to select an SFP connector or an RJ45
connector. Use the no form of this command to return to the default
setting of SFP-preferred. To configure media types, use the media-type
{auto-select | sfp | rj45} interface configuration command.

Refer to the Catalyst 2950 Desktop Switch Command Reference for
further details.
Configuring IEEE 802.3X Flow Control on Gigabit Ethernet Ports

Flow control is supported only on switch and module ports operating at
1000 Mbps. Flow control enables connected Gigabit Ethernet ports to
control traffic rates during congestion by allowing congested nodes to
pause link operation at the other end. If one port experiences congestion
and cannot receive any more traffic, it notifies the other port to stop
sending until the condition clears. When the local device detects any
congestion at its end, it can notify the link partner or the remote device of
the congestion by sending a pause frame. Upon receipt of a pause frame,
the remote device stops sending any data packets, which prevents any loss
of data packets during the congestion period.

Flow control can be implemented in two forms, symmetric and
asymmetric. The symmetric implementation is suitable for point-to-point
links, and asymmetric is suitable for hub-to-end node connections, where
it is desirable for the hub to pause the end system, but not vice-versa. You
use the flowcontrol interface configuration command to set the interface's
ability to receive and send pause frames to on, off, or desired. The default
state for Gigabit Ethernet ports is receive off and send desired. The default
state for Fast Ethernet ports is receive off and send off.
These rules apply to flow control settings on the device:

• receive on (or desired) and send on: Flow control operates in both directions;
both the local and the remote devices can send pause frames to show link
congestion.

• receive on (or desired) and send desired: The port can receive pause frames and
can send pause frames if the attached device supports flow control.

• receive on (or desired) and send off: The port cannot send pause frames but can
operate with an attached device that is required to or can send pause frames; the
port can receive pause frames.

• receive off and send on: The port sends pause frames if the remote device
supports flow control but cannot receive pause frames from the remote device.

• receive off and send desired: The port cannot receive pause frames but can
send pause frames if the attached device supports flow control.

• receive off and send off: Flow control does not operate in either direction. In
case of congestion, no indication is given to the link partner, and no pause frames
are sent or received by either device.

Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# flowcontrol receive off
Switch(config-if)# flowcontrol send off
Switch(config-if)# end
Switch# show running-config
Adding a Description for an Interface
You can add a description about an interface to help you remember its function.
The description appears in the output of these commands: show configuration,
show running-config, and show interfaces.

Switch# configure terminal
Switch(config)# interface fastethernet0/4
Switch(config-if)# description Connects to Marketing
Switch(config-if)# end
Switch# show interfaces fastethernet0/4 description
Monitoring Interface and Controller Status
Commands entered at the privileged EXEC prompt display information about the
interface, including the version of the software and the hardware, the controller
status, and statistics about the interfaces. The table below lists some of these interface
monitoring commands. (You can display the full list of show commands by using the
show ? command at the privileged EXEC prompt.) These commands are fully
described in the Cisco IOS Interface Command Reference for Release 12.1.

Table: Show Commands for Interfaces (Command: Purpose)
show interfaces [interface-id]: Display the status and configuration of all interfaces or a specific interface.
show interfaces interface-id status [err-disabled]: Display interface status or a list of interfaces in error-disabled state.
show interfaces [media | <interface-id> media]: Display the output of the media-type that is configured.
show interfaces [interface-id] switchport: Display administrative and operational status of switching (nonrouting) ports.
show interfaces [interface-id] description: Display the description configured on an interface or all interfaces and the interface status.
show ip interface [interface-id]: Display the usability status of all interfaces configured for IP or the specified interface.
show running-config interface [interface-id]: Display the running configuration in RAM for the interface.
show version: Display the hardware configuration, software version, the names and sources of configuration files, and the boot image.
Unit 5: Virtual LAN Concepts. Creating Multiswitch VLANs Using Trunking. VLAN Tagging
Concepts. The 802.1Q and ISL VLAN Trunking Protocols. Forwarding Data Between VLANs.
The Need for Routing Between VLANs. Routing Packets Between VLANs with a Router. VLAN
and VLAN Trunking Configuration and Verification. Creating VLANs and Assigning Access
VLANs to an Interface. VLAN Configuration. VLAN Trunking Configuration. Implementing
Interfaces Connected to Phones. Data and Voice VLAN Concepts. Data and Voice VLAN
Configuration and Verification. Access VLANs Undefined or Disabled. Mismatched Trunking
Operational States. The Supported VLAN List on Trunks. Mismatched Native VLAN on a Trunk.
Virtual LAN Concepts

Virtual LAN (VLAN) is a concept in which we can divide the devices logically on
layer 2 (data link layer). Generally, layer 3 devices divide the broadcast domain,
but the broadcast domain can also be divided by switches using the concept of VLAN.

A broadcast domain is a network segment in which, if a device broadcasts a packet,
all the devices in the same broadcast domain will receive it. The devices in
the same broadcast domain will receive all the broadcast packets, but this is limited
to switches only, as routers don’t forward broadcast packets. To forward
packets to a different VLAN (from one VLAN to another) or broadcast
domain, inter-VLAN routing is needed. Through VLANs, different small-size sub-
networks are created which are comparatively easy to handle.

VLAN ranges:
• VLAN 0, 4095: These are reserved VLANs which cannot be seen or used.
• VLAN 1: It is the default VLAN of switches. By default, all switch ports are in
VLAN 1. This VLAN can’t be deleted or edited but can be used.
• VLAN 2-1001: This is the normal VLAN range. We can create, edit and delete
these VLANs.
• VLAN 1002-1005: These are Cisco defaults for FDDI and Token Ring. These
VLANs can’t be deleted.
• VLAN 1006-4094: This is the extended range of VLANs.
VLANs offer several features and benefits, including:
• Improved network security: VLANs can be used to separate network traffic and
limit access to specific network resources. This improves security by preventing
unauthorized access to sensitive data and network resources.

• Better network performance: By segregating network traffic into smaller logical
networks, VLANs can reduce the amount of broadcast traffic and improve network
performance.

• Simplified network management: VLANs allow network administrators to group
devices together logically, rather than physically, which can simplify network
management tasks such as configuration, troubleshooting, and maintenance.

• Flexibility: VLANs can be configured dynamically, allowing network administrators
to quickly and easily adjust network configurations as needed.

• Cost savings: VLANs can help reduce hardware costs by allowing multiple virtual
networks to share a single physical network infrastructure.

• Scalability: VLANs can be used to segment a network into smaller, more
manageable groups as the network grows in size and complexity.
Types of connections in VLAN
There are three ways to connect devices on a VLAN; the type of connection is
based on the connected devices, i.e. whether they are VLAN-aware (a device that
understands VLAN formats and VLAN membership) or VLAN-unaware (a device
that doesn’t understand VLAN formats and VLAN membership).

1. Trunk Link
All devices connected to a trunk link must be VLAN-aware. All frames on this
link must carry a special header; they are called tagged frames.

2. Access link
It connects VLAN-unaware devices to a VLAN-aware bridge. All frames on the
access link must be untagged.

3. Hybrid link
It is a combination of the Trunk link and Access link. Here both VLAN-unaware and
VLAN-aware devices are attached and it can have both tagged and untagged
frames.
Advantages
• Performance –
The network traffic is full of broadcasts and multicasts. VLANs reduce the need to
send such traffic to unnecessary destinations. For example, if the traffic is intended
for 2 users but 10 devices are present in the same broadcast domain, all will receive
the traffic, which wastes bandwidth; but if we make VLANs, then the broadcast or
multicast packet will go to the intended users only.
• Formation of virtual groups –
As there are different departments in every organization, namely sales, finance,
etc., VLANs can be very useful in order to group the devices logically according
to their departments.
• Security –
In the same network, sensitive data can be broadcast and accessed by an
outsider, but by creating VLANs we can control broadcast domains, set up
firewalls and restrict access. Also, VLANs can be used to inform the network
manager of an intrusion. Hence, VLANs greatly enhance network security.
• Flexibility –
VLANs provide the flexibility to add or remove as many hosts as we want.
• Cost reduction –
VLANs can be used to create broadcast domains, which eliminates the need for
expensive routers.
By using VLANs, the number of small-size broadcast domains can be increased,
which are easy to handle as compared to a bigger broadcast domain.
Disadvantages of VLAN
1) Complexity: VLANs can be complex to configure and manage, particularly in
large or dynamic cloud computing environments.

2) Limited scalability: VLANs are limited by the number of available VLAN IDs,
which can be a constraint in larger cloud computing environments.

3) Limited security: VLANs do not provide complete security and can be
compromised by malicious actors who are able to gain access to the network.

4) Limited interoperability: VLANs may not be fully compatible with all types of
network devices and protocols, which can limit their usefulness in cloud
computing environments.

5) Limited mobility: VLANs may not support the movement of devices or users
between different network segments, which can limit their usefulness in
mobile or remote cloud computing environments.

6) Cost: Implementing and maintaining VLANs can be costly, especially if
specialized hardware or software is required.

7) Limited visibility: VLANs can make it more difficult to monitor and
troubleshoot network issues, as traffic is isolated in different segments.
Real-Time Applications of VLAN
Virtual LANs (VLANs) are widely used in cloud computing environments to improve
network performance and security. Here are a few examples of real-time applications
of VLANs:

1. Voice over IP (VoIP): VLANs can be used to isolate voice traffic from data traffic,
which improves the quality of VoIP calls and reduces the risk of network congestion.

2. Video Conferencing: VLANs can be used to prioritize video traffic and ensure that it
receives the bandwidth and resources it needs for high-quality video conferencing.

3. Remote Access: VLANs can be used to provide secure remote access to cloud-
based applications and resources, by isolating remote users from the rest of the
network.

4. Cloud Backup and Recovery: VLANs can be used to isolate backup and recovery
traffic, which reduces the risk of network congestion and improves the performance
of backup and recovery operations.

5. Gaming: VLANs can be used to prioritize gaming traffic, which ensures that gamers
receive the bandwidth and resources they need for a smooth gaming experience.

6. IoT: VLANs can be used to isolate Internet of Things (IoT) devices from the rest of
the network, which improves security and reduces the risk of network congestion.
VLAN Configuration Command

switch1(config)#vlan 2
switch1(config-vlan)#name accounts

Switch(config)#int fa0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 2

Switch(config)#int range fa0/1-3
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport access vlan 2
What is trunk and what is trunking in networking?
A network trunk is a communications line or link designed to carry
multiple signals simultaneously to provide network access between two points.
Trunks typically connect switching centers in a communications system. The signals
can convey any type of communications data.

A networking trunk can consist of several wires, cables or fiber optic strands
bundled together in a single physical cable to maximize the available bandwidth.
Or it can consist of a single high-capacity link over which many signals
are multiplexed.

Trunk ports. In switch port mode trunk setting, a port will concurrently carry traffic
between several VLAN switches on the same physical link. A trunk port adds special
identifying tags to isolate traffic on the different switches. IEEE (Institute of
Electrical and Electronics Engineers) open standard 802.1Q describes the vendor-
agnostic encapsulation protocol for VLAN tagging. A tag gets placed
on Ethernet frames as they pass between switches. This ensures each frame is
routed to its intended VLAN at the other end of the trunked link. A trunk port is
commonly used for connecting two switches, connecting switches to servers and
routers, and connecting hypervisors to switches.
Switch(config)#int f0/3 (Selecting fast ethernet port 3)
Switch(config-if)#switchport mode trunk (Configuring the port as trunk. This port
is connected to another switch)
Inter-Switch Link (ISL) and IEEE 802.1Q
VLANs are used to divide the broadcast domain at layer 2. By default, all the switch ports
are in VLAN 1. After configuring VLANs other than VLAN 1, to carry the traffic of
these VLANs the user has to make the switch port that is connected to another
switch a trunk. If a frame is forwarded out an access link, it is assumed that the
frame belongs to the VLAN which is configured on that switch port. But if the frame
is forwarded out a trunk link, how does the other device know which VLAN the traffic
belongs to?

There comes the concept of VLAN identification methods.

VLAN Identification methods – If the frame is forwarded out a trunk link, a
header or tag is added to the frame header which specifies the VLAN to which the
frame belongs. The frame is encapsulated at the sender’s switch and the tag is removed at the
receiver’s switch, and the frame is then forwarded out the ports which belong to that VLAN
(according to the processing of the switch). There are 2 VLAN identification methods:
Inter-Switch Link (ISL) and IEEE 802.1Q.
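To make the tagging rules concrete, here is an added Python example (not from the lesson or any vendor code) that builds and parses 802.1Q tags and applies the access-port and trunk-port ingress rules stated in this unit, including the 'No destination' drop for a tag that belongs to another VLAN. The frame bytes, port names and VLAN assignments are constructed for the example.

```python
"""Tag and untag Ethernet frames with IEEE 802.1Q and apply the access-port and
trunk-port ingress rules described in this unit.

Added example, not part of the original lesson. Frame bytes, port names and
VLAN assignments below are constructed for the example. Layout assumed: the
4-byte tag (TPID 0x8100, then a 16-bit TCI of 3-bit PCP, 1-bit DEI, 12-bit VID)
sits after the destination and source MAC addresses; VID 0 is an 802.1P
priority-only tag.
"""
import struct

TPID_8021Q = 0x8100


def tag_frame(frame, vid, pcp=0, dei=0):
    """Insert an 802.1Q tag after the 12-byte destination/source MAC pair."""
    if not 0 <= vid <= 4095 or not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("VID must fit 12 bits, PCP 3 bits, DEI 1 bit")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tag(frame):
    """Return (vid, pcp, dei, untagged_frame), or None if the frame is untagged."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF, tci >> 13, (tci >> 12) & 1, frame[:12] + frame[16:]


class Port:
    """A switch port in access or trunk mode, with the lesson's ingress rules."""

    def __init__(self, name, mode, vlan=1, native_vlan=1, allowed=None):
        self.name = name
        self.mode = mode                # "access" or "trunk"
        self.vlan = vlan                # VLAN assigned to an access port
        self.native_vlan = native_vlan  # VLAN carried untagged on a trunk
        self.allowed = allowed          # set of VIDs permitted on a trunk; None = all
        self.no_destination = 0         # the 'No destination' counter the lesson names

    def ingress(self, frame):
        """Classify a received frame; return (vlan, untagged_frame) or None if dropped."""
        parsed = parse_tag(frame)
        if self.mode == "access":
            if parsed is None:
                return self.vlan, frame         # untagged: belongs to the access VLAN
            vid, _, _, untagged = parsed
            if vid in (self.vlan, 0):           # tagged for this VLAN, or priority-only
                return self.vlan, untagged
            self.no_destination += 1            # tagged for another VLAN: drop, no learning
            return None
        if parsed is None:
            return self.native_vlan, frame      # untagged on a trunk: native VLAN
        vid, _, _, untagged = parsed
        if self.allowed is not None and vid not in self.allowed:
            return None                         # VLAN not on the trunk's allowed list
        return vid, untagged

    def egress(self, vlan, frame):
        """Prepare a frame for transmission; return the bytes to send or None."""
        if self.mode == "access":
            return frame if vlan == self.vlan else None
        if self.allowed is not None and vlan not in self.allowed:
            return None
        if vlan == self.native_vlan:
            return frame                        # native VLAN leaves a trunk untagged
        return tag_frame(frame, vlan)


# Constructed sample frame: broadcast destination, locally administered source
# MAC, IPv4 EtherType and a short dummy payload.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"payload"


def demo():
    """Carry a frame from an access port in VLAN 2 over a trunk to a peer switch."""
    access = Port("fa0/2", "access", vlan=2)
    trunk = Port("fa0/3", "trunk", native_vlan=1, allowed={1, 2, 3})
    vlan, frame = access.ingress(SAMPLE_FRAME)   # classified into VLAN 2
    on_wire = trunk.egress(vlan, frame)          # tagged with VID 2 for the trunk
    far_vlan, far_frame = trunk.ingress(on_wire) # peer trunk reads the tag back
    return vlan, parse_tag(on_wire)[0], far_vlan, far_frame == SAMPLE_FRAME


if __name__ == "__main__":
    print(demo())
```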
Inter-Switch Link (ISL) – This is a VLAN identification method in which VLAN
information is explicitly tagged onto the Ethernet frame. ISL is proprietary to Cisco
switches. ISL functions at layer 2 by encapsulating a data frame with a new header
and by performing a new cyclic redundancy check (CRC). In ISL, the original frame is
encapsulated and an additional header is added before the frame is carried over a
trunk link. At the receiving end, the header is removed and the frame is forwarded
to the assigned VLAN. ISL supports up to 1000 VLANs. The concept of native VLAN is
not important for ISL, as all frames, including the ones for the native VLAN, are tagged.

The ISL frame encapsulation is 30 bytes: a 26-byte header and a 4-byte FCS (frame
check sequence) are inserted, for a total of 30 bytes of overhead. Therefore, it is
less preferred. Even Cisco advises to use 802.1Q. Configuration (ISL):
Configuration of Router on a stick

Switches divide a broadcast domain through VLANs (Virtual LANs). A VLAN is a broadcast domain partitioned from a single broadcast domain. A switch does not forward packets across different VLANs by itself. If we want these virtual LANs to communicate with each other, the concept of Inter VLAN Routing is used.

Inter VLAN Routing :

Inter VLAN routing is the process of making different virtual LANs communicate with each other, irrespective of where the VLANs are present (on the same switch or on different switches). Inter VLAN routing can be achieved through a layer-3 device, i.e. a router or a layer-3 switch. When Inter VLAN routing is done through a router it is known as Router on a stick.

Router On a Stick :
The router's interface is divided into sub-interfaces, each of which acts as the default gateway for its respective VLAN.
Router configuration
Router>en
Router#conf t
Router(config)#int fa0/0
Router(config-if)#no shut
Router(config-if)#exit

Router(config)#int fa0/0.1
Router(config-subif)#encapsulation dot1Q 2
Router(config-subif)#ip add 192.168.10.1 255.255.255.248
Router(config-subif)#no shut
Router(config-subif)#exit

Router(config)#int fa0/0.2
Router(config-subif)#encapsulation dot1Q 3
Router(config-subif)#ip add 192.168.10.9 255.255.255.248
Router(config-subif)#no shut
Router(config-subif)#exit
Switch configuration
Switch>en
Switch#conf t
Switch(config)#vlan 2
Switch(config-vlan)#name sales
Switch(config-vlan)#vlan 3
Switch(config-vlan)#name mkt
Switch(config-vlan)#exit

Switch(config)#int range fa0/2-3
Switch(config-if-range)#switchport access vlan 2
Switch(config-if-range)#exit

Switch(config)#int range fa0/4-5
Switch(config-if-range)#switchport access vlan 3
Switch(config-if-range)#exit

Switch(config)#int fa0/1 (Port connected to the router)
Switch(config-if)#switchport mode trunk
Switch(config-if)#exit
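As an added example (not from the slides), the following Python builds and parses IEEE 802.1Q tagged frames and shows how the dot1Q sub-interfaces configured above demultiplex them by VLAN ID; it also contrasts the 4-byte 802.1Q tag with the 30-byte ISL overhead described earlier. The MAC addresses and payload are constructed; the VLAN-to-sub-interface mapping is the one from the router configuration above.

```python
"""Build and parse IEEE 802.1Q tagged Ethernet frames and show how a
router-on-a-stick demultiplexes them onto dot1Q sub-interfaces.
Added example, not from the slides. VLAN IDs and sub-interface
addresses come from the slide configuration (VLAN 2 -> 192.168.10.1/29,
VLAN 3 -> 192.168.10.9/29); MAC addresses and payload are constructed."""
import struct
from ipaddress import IPv4Interface

TPID_8021Q = 0x8100        # Tag Protocol Identifier that marks a tagged frame
ETHERTYPE_IPV4 = 0x0800
ISL_OVERHEAD = 26 + 4      # 26-byte ISL header + 4-byte ISL FCS (per the slides)
DOT1Q_OVERHEAD = 4         # the 802.1Q tag is a single 4-byte field


def build_tagged_frame(dst, src, vid, payload, pcp=0, dei=0, ethertype=ETHERTYPE_IPV4):
    """Return an 802.1Q frame: dst | src | TPID | TCI | EtherType | payload."""
    if not 0 < vid < 4095:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | (dei << 12) | vid   # 3-bit PCP, 1-bit DEI, 12-bit VID
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_frame(frame):
    """Return (vid, ethertype, payload); vid is None for untagged frames.
    An untagged frame on a trunk belongs to the native VLAN (the slides note
    ISL has no native-VLAN concept because it tags every frame)."""
    ethertype, = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner_type, frame[18:]


# Router-on-a-stick sub-interfaces from the slide configuration.
SUBINTERFACES = {
    2: ("fa0/0.1", IPv4Interface("192.168.10.1/29")),
    3: ("fa0/0.2", IPv4Interface("192.168.10.9/29")),
}


def route_on_a_stick(frame, native_vid=1):
    """Pick the sub-interface (name, gateway IP, subnet) that receives a frame
    arriving on the trunk; frames for VLANs without a sub-interface are dropped."""
    vid, _, _ = parse_frame(frame)
    if vid is None:
        vid = native_vid
    entry = SUBINTERFACES.get(vid)
    if entry is None:
        return None
    name, iface = entry
    return name, str(iface.ip), str(iface.network)


def overhead_per_frame(method):
    """Bytes added to each frame by the VLAN identification method."""
    return {"isl": ISL_OVERHEAD, "dot1q": DOT1Q_OVERHEAD}[method]


if __name__ == "__main__":
    dst = bytes.fromhex("aabbccddeeff")   # constructed sample MACs
    src = bytes.fromhex("001122334455")
    for vid in (2, 3, 4):
        f = build_tagged_frame(dst, src, vid, b"payload")
        print(vid, parse_frame(f)[0], route_on_a_stick(f))
```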
VLAN Trunking Protocol (VTP)

VTP is a Layer 2 messaging protocol that maintains VLAN consistency by managing the addition, deletion, and renaming of VLANs within a VTP domain. A VTP domain is made up of one or more network devices that share the same VTP domain name and that are connected with trunk interfaces. Each network device can be in only one VTP domain.

Layer 2 trunk interfaces, Layer 2 port channels, and virtual port channels (vPCs) support VTP functionality.

VTP is disabled by default on the device. You can enable and configure VTP using the command-line interface (CLI). When VTP is disabled, the device does not relay any VTP protocol packets.
VTP - Modes

•Transparent— Allows you to relay all VTP protocol packets that it receives on a trunk port to all other trunk ports. When you create or modify a VLAN on a device that is in VTP transparent mode, those VLAN changes affect only the local device. A VTP transparent network device does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements. You cannot configure VLANs 1002 to 1005 in VTP client/server mode because these VLANs are reserved for Token Ring.

•Server— Allows you to create, remove, and modify VLANs over the entire network. You can set other configuration options like the VTP version and also turn VTP pruning on or off for the entire VTP domain. VTP servers advertise their VLAN configuration to other switches in the same VTP domain and synchronize their VLAN configuration with other switches based on messages received over trunk links. Beginning with Release 5.1(1), server mode is the default mode. The VLAN information is stored on the bootflash and is not erased after a reboot.

•Client— Allows you to create, change, and delete VLANs on the local device. In VTP client mode, a switch stores the last known VTP information, including the configuration revision number, on the bootflash. A VTP client might or might not start with a new configuration when it powers up.

•Off— Behaves similarly to transparent mode but does not forward any VTP packets. The off mode allows you to monitor VLANs by using the CISCO-VTP-MIB without having to run VTP. On Cisco Nexus 7000 Series devices, because VTP is a conditional service, its MIB is loaded only when the corresponding feature is enabled. The CISCO-VTP-MIB does not follow this convention: it is loaded by the VLAN manager and will always return the correct values whether the VTP process is enabled or disabled.
Switch configuration
For Server Switch---------------------------------------
Switch>en
Switch#conf t
Switch(config)#vlan 2
Switch(config-vlan)#name sales
Switch(config-vlan)#vlan 3
Switch(config-vlan)#name mkt
Switch(config-vlan)#vlan 4
Switch(config-vlan)#name account
Switch(config-vlan)#exit

Switch(config)#vtp mode server
Switch(config)#vtp domain jet
Switch(config)#vtp password cisco

Switch(config)#int range fa0/1-3
Switch(config-if-range)#switchport mode trunk

For Client Switch--------------------------
Switch(config)#vtp mode client
Switch(config)#vtp domain jet
Switch(config)#vtp password cisco
Switch(config)#int fa0/1 (Trunk towards the server switch; VTP is only exchanged over trunks)
Switch(config-if)#switchport mode trunk
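An added example (not from the slides or Cisco's code) that models how switches in each VTP mode treat an advertisement from the server configured above: matching domain name and password, relaying on trunks, and the revision-number comparison that decides whether a client replaces its VLAN database. The domain jet, password cisco and VLANs 2-4 are from the configuration above; real VTP carries an MD5 digest of the password rather than the plain secret compared here.

```python
"""Model of how switches in the four VTP modes on the slides handle VTP
advertisements. Added example, not from the slides or Cisco code. Domain
'jet', password 'cisco' and VLANs 2-4 come from the slide configuration.
Real VTP authenticates with an MD5 digest over domain, revision and VLAN
data; this simplified model compares a secret directly and only aims to
show the mode behaviour and the revision-number rule."""
from dataclasses import dataclass, field


@dataclass
class Advertisement:
    domain: str
    secret: str
    revision: int
    vlans: dict          # {vlan_id: name}


@dataclass
class Switch:
    name: str
    mode: str            # "server", "client", "transparent" or "off"
    domain: str
    secret: str
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})
    relayed: list = field(default_factory=list)   # advertisements passed on

    def add_vlan(self, vid, name):
        """Servers and transparent switches may create VLANs locally; only a
        server bumps the domain revision and returns an advertisement."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: clients cannot create VLANs")
        self.vlans[vid] = name
        if self.mode == "server":
            self.revision += 1
            return Advertisement(self.domain, self.secret, self.revision, dict(self.vlans))
        return None

    def receive(self, adv):
        """Return True if the advertisement replaced the local VLAN database."""
        if self.mode == "off":
            return False                      # neither applied nor relayed
        self.relayed.append(adv)              # relayed out of other trunk ports
        if self.mode == "transparent":
            return False                      # relayed but never applied locally
        if adv.domain != self.domain or adv.secret != self.secret:
            return False                      # wrong domain or password: ignored
        if adv.revision <= self.revision:
            return False                      # stale or equal revision: keep ours
        self.vlans = dict(adv.vlans)          # newer revision wins
        self.revision = adv.revision
        return True


def propagate(server, others, vid, name):
    """Create a VLAN on the server and deliver the advertisement to the others;
    returns {switch_name: applied?}."""
    adv = server.add_vlan(vid, name)
    return {sw.name: sw.receive(adv) for sw in others}


if __name__ == "__main__":
    srv = Switch("S1", "server", "jet", "cisco")
    cli = Switch("S2", "client", "jet", "cisco")
    trn = Switch("S3", "transparent", "jet", "cisco")
    bad = Switch("S4", "client", "jet", "wrong-password")
    for vid, name in ((2, "sales"), (3, "mkt"), (4, "account")):
        print(vid, propagate(srv, [cli, trn, bad], vid, name))
    print(cli.vlans, trn.vlans, bad.vlans)
```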
Unit 6: STP and RSTP Basics. The Need for Spanning Tree. What Spanning Tree Does. How Spanning Tree Works. The STP Bridge ID and Hello BPDU. Electing the Root Switch. Choosing Each Switch's Root Port. Choosing the Designated Port on Each LAN Segment. Configuring to Influence the STP Topology. Details Specific to STP (and Not RSTP). STP Activity When the Network Remains Stable. STP Timers That Manage STP Convergence. Changing Interface States with STP. Rapid STP Concepts. Comparing STP and RSTP. RSTP and the Alternate (Root) Port Role. RSTP States and Processes. RSTP and the Backup (Designated) Port Role. RSTP Port Types. Optional STP Features. EtherChannel. PortFast. BPDU Guard.
Introduction to Spanning-Tree
Spanning-tree is a protocol that runs on our switches and helps us to solve loops. Spanning-tree is one of the protocols that you must understand as a network engineer, and you will certainly encounter it if you decide to sit the Cisco CCNA R&S exam. This lesson is an introduction to spanning-tree: you will learn why we need it, how it works and how you can check the spanning-tree topology on your Cisco switches.

Why do we need spanning-tree?

What is a loop, and how do we get one?
In the picture above, we have two switches. These switches are connected with a single cable, so there is a single point of failure. To get rid of this single point of failure, we will add another cable:

With the extra cable, we now have redundancy. Unfortunately for us, redundancy also brings loops. Why do we have a loop in the scenario above? Let me describe it to you:

1. H1 sends an ARP request because it is looking for the MAC address of H2. An ARP request is a broadcast frame.

2. SW1 will forward this broadcast frame on all its interfaces except the one on which it received the frame.

3. SW2 will receive both broadcast frames.
Now, what does SW2 do with those broadcast frames?

1. It will forward each frame out of every interface except the interface where it received the frame.
2. This means that the frame received on interface Fa0/0 will be forwarded on interface Fa1/0.
3. The frame received on interface Fa1/0 will be forwarded on interface Fa0/0.

Do you see where this is going? We have a loop! Both switches will keep forwarding over and over again until one of the following happens:

•You fix the loop by disconnecting one of the cables.
•One of your switches crashes because it is overburdened with traffic.

Ethernet frames don't have a TTL (Time to Live) value, so they will loop around forever. Besides ARP requests, many other frames are broadcast. For example, whenever the switch doesn't know a destination MAC address, the frame is flooded.

How spanning-tree solves loops
Spanning-tree helps us create a loop-free topology by blocking certain interfaces. Let's take a look at how spanning-tree works! Here's an example:

We have three switches, and as you can see, we have added redundancy by connecting the switches in a triangle; this also means we have a loop here. I have added the MAC addresses but simplified them for this example:

SW1: MAC AAA
SW2: MAC BBB
SW3: MAC CCC
Since spanning-tree is enabled, all our switches will send a special frame to each other called a BPDU (Bridge Protocol Data Unit). In this BPDU, there are two pieces of information that spanning-tree requires:

•MAC address
•Priority

The MAC address and the priority together make up the bridge ID. The BPDU is sent between switches as shown in the following picture:

Spanning-tree requires the bridge ID for its calculation. Let me explain how it works:

•First of all, spanning-tree will elect a root bridge; this root bridge will be the one that has the best "bridge ID".
•The switch with the lowest bridge ID is the best one.
•By default, the priority is 32768, but we can change this value if we want.

So who will become the root bridge? In our example, SW1 will become the root bridge! Priority and MAC address make up the bridge ID. Since the priority is the same on all switches, the MAC address is the tiebreaker. SW1 has the lowest MAC address, thus the best bridge ID, and will become the root bridge.

The ports on our root bridge are always designated, which means they are in a forwarding state. Take a look at the following picture:

Above, you see that SW1 has been elected as the root bridge and the "D" on the interfaces stands for designated.
Now that we have agreed on the root bridge, the next step is that all our "non-root" bridges (that is, every switch that is not the root) have to find the shortest path to our root bridge! The port on the shortest path to the root bridge is called the "root port". Take a look at my example:

I've put an "R" for "root port" on SW2 and SW3. Their Fa0/0 interface is the shortest path to get to the root bridge. In my example, I've kept things simple, but "shortest path" in spanning-tree means it will actually look at the speed of the interface. Each interface has a certain cost, and the path with the lowest cost will be used. Here's an overview of the interfaces and their cost:

•10 Mbit = Cost 100
•100 Mbit = Cost 19
•1000 Mbit = Cost 4
Excellent! We have designated ports on our root bridge and root ports on our non-root bridges, but we still have a loop, so we need to shut down a port between SW2 and SW3 to break it. So which port are we going to shut down? The one on SW2 or the one on SW3? We look again at the best bridge ID:

•Bridge ID = Priority + MAC address.

Lower is better. Both switches have the same priority, but the MAC address of SW2 is lower, which means that SW2 will "win this battle". SW3 is our loser here, which means it will have to block its port, effectively breaking our loop! Take a look at my example:
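The root bridge election, root-port selection and the SW2/SW3 designated-port tie-break described above, as an added Python example (not from the slides): it uses the slides' bridge IDs and port-cost table and assumes all three links run at 100 Mbit. The cost-based selection is the general one, so it also handles mixed link speeds, which the slides' triangle does not show.

```python
"""Run the spanning-tree decisions from the slides: root bridge election,
root-port selection by path cost, and designated-port election on each
segment (the SW2 vs SW3 tie-break). Added example, not from the slides.
Bridge IDs (priority 32768, simplified MACs AAA/BBB/CCC), the triangle
topology and the port-cost table come from the slides; the link speeds
(all 100 Mbit) are an assumption."""
import heapq

PORT_COST = {10: 100, 100: 19, 1000: 4}   # Mbit/s -> STP cost (slide table)


def bridge_id(priority, mac):
    """Bridge ID compares as (priority, MAC): lowest wins."""
    return (priority, int(mac, 16))


def elect_root(switches):
    """switches: {name: (priority, mac)}. Returns the name with the lowest bridge ID."""
    return min(switches, key=lambda n: bridge_id(*switches[n]))


def root_path_costs(root, links):
    """Dijkstra over links [(a, port_a, b, port_b, speed_mbit)].
    Returns {switch: (cost, root_port)}. Cost is added on the receiving
    port, so the root itself stays at cost 0 with no root port."""
    adj = {}
    for a, pa, b, pb, speed in links:
        adj.setdefault(a, []).append((b, pb, PORT_COST[speed]))
        adj.setdefault(b, []).append((a, pa, PORT_COST[speed]))
    best = {root: (0, None)}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue
        for nbr, nbr_port, c in adj[node]:
            if nbr not in best or cost + c < best[nbr][0]:
                best[nbr] = (cost + c, nbr_port)
                heapq.heappush(heap, (cost + c, nbr))
    return best


def port_roles(switches, links):
    """Return (root, {(switch, port): 'designated' | 'root' | 'blocked'})."""
    root = elect_root(switches)
    costs = root_path_costs(root, links)
    roles = {}
    for a, pa, b, pb, _ in links:
        # The designated port on a segment belongs to the switch with the lower
        # root path cost; ties go to the lower bridge ID (the SW2 vs SW3 case).
        key = lambda n: (costs[n][0], bridge_id(*switches[n]))
        designated = a if key(a) <= key(b) else b
        for sw, port in ((a, pa), (b, pb)):
            if sw == designated:
                roles[(sw, port)] = "designated"
            elif costs[sw][1] == port:
                roles[(sw, port)] = "root"
            else:
                roles[(sw, port)] = "blocked"
    return root, roles


# Slide topology: SW1-SW2, SW1-SW3 and SW2-SW3, all assumed 100 Mbit (cost 19).
SWITCHES = {"SW1": (32768, "AAA"), "SW2": (32768, "BBB"), "SW3": (32768, "CCC")}
LINKS = [("SW1", "Fa0/0", "SW2", "Fa0/0", 100),
         ("SW1", "Fa0/1", "SW3", "Fa0/0", 100),
         ("SW2", "Fa0/1", "SW3", "Fa0/1", 100)]

if __name__ == "__main__":
    root, roles = port_roles(SWITCHES, LINKS)
    print("root bridge:", root)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} {port}: {role}")
```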
What are STP port states?
When STP is enabled on a network bridge, each port is set to one of five states to control frame forwarding:

1. Disabled. The port does not participate in frame forwarding or STP operations.

2. Blocking. The port does not participate in frame forwarding and discards frames received from the attached network segment. However, the port continues to listen for and process BPDUs.

3. Listening. From the blocking state, the port transitions to the listening state. The port discards frames from the attached network segment or forwarded from another port. However, it receives BPDUs and redirects them to the switch module for processing.

4. Learning. The port moves from the listening state to the learning state. It listens for and processes BPDUs but discards frames from the attached network segment or forwarded from another port. It also starts updating the address table with the information it has learned. In addition, it processes user frames but does not forward them.

5. Forwarding. The port moves from the learning state to the forwarding state and starts forwarding frames across the network segments. This includes frames from the attached network segment and those forwarded from another port. The port also continues to receive and process BPDUs, and the address table continues to be updated.
Types of Spanning Tree Protocol (STP) –
1. 802.1D – This is also known as CST (Common Spanning Tree). It is a spanning tree standard developed by IEEE which elects only one root bridge for the whole topology. All traffic flows over the same path (the best path to the root bridge), but this is not always ideal, as there can be scenarios in which the optimised path to reach a VLAN is different from the path obtained by electing the root bridge. It is very slow, as it takes 32 seconds to converge.

Advantages:
•Less CPU and memory required.

Disadvantages:
•Less optimisation, as the path calculated as the best cost to the root bridge might not be the best path to reach a network.
•No load balancing.
2. Per VLAN Spanning Tree + (PVST+) – It is a spanning tree standard developed by Cisco for its devices which finds the root bridge per VLAN. It is the Cisco default version of STP. It runs a separate 802.1D spanning tree instance for each VLAN. It also provides backward compatibility with 802.1D or CST. This is more optimised than the IEEE version because it provides optimal path selection, as a separate instance of STP is found per VLAN. It is as slow as CST.

Advantages:
•PVST+ provides more optimisation of the performance of a network than CST, as it selects root bridges per VLAN.
•Bandwidth consumption is lower than with CST.
•Optimum load balancing is achieved.

Disadvantages:
•It is as slow as CST, i.e. convergence time is slow. By default, Cisco switches take 50 seconds to converge.
•More resources (CPU and memory) are required.
3. 802.1w – Rapid Spanning Tree Protocol (RSTP) – It is a spanning tree standard developed by IEEE which provides faster convergence than CST but holds the same idea of finding a single root bridge in the topology. The bridge resources needed by RSTP are higher than for CST but less than for PVST+.

Advantages:
•Prevents network loops.
•Supports redundancy.
•Faster convergence.
•Backward compatible with STP.

4. Rapid Per VLAN Spanning Tree + (RPVST+) – This spanning tree standard is developed by Cisco; it provides faster convergence than PVST+ and finds a separate instance of 802.1w per VLAN. It requires much more CPU and memory than the other STP standards.
5. 802.1s (Multiple Spanning Tree) – This standard is developed by IEEE; VLANs are grouped, and RSTP is run for each group. This is basically a Spanning Tree Protocol running over another Spanning Tree Protocol.

Advantages:
•High redundancy.
•Load balancing can be achieved.
•Lower CPU and memory usage is required.

Disadvantages:
•More configuration is required and it is not easy to implement.
STP timers
There are several STP timers, as this list shows:
Hello — The hello time is the time between each bridge protocol data unit (BPDU) that is sent on a port. This time is equal to 2 seconds (sec) by default, but you can tune the time to be between 1 and 10 seconds.

Forward delay — The forward delay is the time spent in the listening and learning states. This time is equal to 15 seconds by default, but you can tune the time to be between 4 and 30 seconds.

Max age — The max age timer controls the maximum length of time that passes before a bridge port saves its configuration BPDU information. This time is 20 seconds by default, but you can tune the time to be between 6 and 40 seconds.

Each configuration BPDU contains these three parameters. In addition, each configuration BPDU contains another time-related parameter that is known as the message age. The message age is not a fixed value. The message age contains the length of time that has passed since the root bridge initially originated the BPDU. The root bridge sends all its BPDUs with a message age value of 0, and each subsequent switch adds 1 to this value. Effectively, this value tells you how far you are from the root bridge when you receive a BPDU.
Unit 7: Understanding RSTP Through Configuration. The Need for Multiple Spanning Trees. STP Modes and Standards. The Bridge ID and System ID Extension. How Switches Use the Priority and System ID Extension. RSTP Methods to Support Multiple Spanning Trees. Other RSTP Configuration Options. Configuring Layer 2 EtherChannel. Configuring a Manual Layer 2 EtherChannel. Configuring Dynamic EtherChannels. Physical Interface Configuration and EtherChannels. EtherChannel Load Distribution. Configuration Options for EtherChannel Load Distribution. The Effects of the EtherChannel Load Distribution Algorithm.
EtherChannel

EtherChannel is a port link aggregation technology in which multiple physical port links are grouped into one logical link. It is used to provide high-speed links and redundancy. A maximum of 8 links can be aggregated to form a single logical link. EtherChannel, also known as Link Aggregation Control Protocol (LACP), is a technique used in computer networks to combine multiple physical links between two network switches into a single logical link. This logical link provides increased bandwidth and redundancy, as well as improved load balancing.

EtherChannel works by grouping two or more physical links between switches into a single logical link. This logical link is treated as a single entity, with the switches treating it as a single link. Traffic is distributed across the physical links in the logical link, providing increased bandwidth and improved load balancing.

Here is a topology in which two switches are connected with one PC each. The link between each switch and its PC is 1000 Mb/s and the link between the switches is 100 Mb/s.

Now, suppose you want to send traffic of more than 100 Mb/s. Then we have congestion, as the link between the switches is only 100 Mb/s, and packets will start dropping. To solve this problem, we should have a high-speed link between the switches. To achieve this, we can simply replace the current link with a high-speed link, or we can bundle up more than one link of the same 100 Mb/s speed. By forming an EtherChannel, you can bundle more than one link into a single logical link.

But, as you connect the switches with more than one link, STP (Spanning Tree Protocol) will block the redundant link. As we have made an EtherChannel, all the links (that are grouped as one logical link) will be treated as a single logical link; therefore no link will be blocked, and it will provide us with a high-speed link and redundancy in our network.

Criteria – To form an EtherChannel, all ports should have:
1. Same duplex
2. Same speed
3. Same VLAN configuration (i.e., native VLAN and allowed VLANs should be the same)
4. Same switch port mode (access or trunk mode)
Port Aggregation Protocol (PAgP)
EtherChannel protocols – To form an EtherChannel, there are 2 protocols: Port Aggregation Protocol (PAgP) and Link Aggregation Control Protocol (LACP).

1. Port Aggregation Protocol (PAgP) –

The Cisco proprietary protocol Port Aggregation Protocol (PAgP) is an EtherChannel technology. It is a type of data/traffic load balancing that involves the logical aggregation of Cisco Ethernet switch ports. A PAgP EtherChannel can merge up to eight physical links into one virtual link. (LACP, or Link Aggregation Control Protocol, is the IEEE open-standard alternative and is covered below.) There are different modes in which you can configure a PAgP interface. These are namely:

1. ON: In this mode, the interface will be a part of the EtherChannel but no negotiation takes place.

2. Desirable: In this mode, the interface will continuously attempt to convert the other side's interface into an EtherChannel.

3. Auto: In this mode, the interface will become a part of the EtherChannel if and only if it is requested by the opposite interface.

4. Off: No EtherChannel is configured on the interface.
There is a small topology in which 2 switches, S1 and S2, are connected with each other by two links, and we have to bundle these two links into a single logical link.

S1(config)# interface fa0/1
S1(config-if)# channel-group 1 mode desirable
S1(config)# interface fa0/2
S1(config-if)# channel-group 1 mode desirable

S1(config)# interface port-channel 1
S1(config-if)# switchport trunk encapsulation dot1q
S1(config-if)# switchport mode trunk

Here, the user has used the mode desirable and switch-port mode trunk. The modes should be the same on both switches, therefore the user will configure this on the other switch also.
Now, configuring on switch S2:

S2(config)# interface fa0/1
S2(config-if)# channel-group 1 mode desirable
S2(config)# interface fa0/2
S2(config-if)# channel-group 1 mode desirable

S2(config)# interface port-channel 1
S2(config-if)# switchport trunk encapsulation dot1q
S2(config-if)# switchport mode trunk
Link Aggregation Control Protocol (LACP)
2. Link Aggregation Control Protocol (LACP) –
Link Aggregation Control Protocol is an IEEE protocol, originally defined in 802.3ad, used to form an EtherChannel. This protocol is very similar to Cisco PAgP. There are different modes in which you can configure your interface. These are namely:

1. ON: In this mode, the interface will be a part of the EtherChannel but no negotiation takes place.

2. Active: In this mode, the interface will continuously attempt to convert the other side's interface into an EtherChannel.

3. Passive: In this mode, the interface will become a part of the EtherChannel if and only if it is requested by the opposite interface.

4. Off: No EtherChannel is configured on the interface.
Taking the same topology, you will now configure LACP on both switches. First, configuring S1:

S1(config)# interface fa0/1
S1(config-if)# channel-group 1 mode active
S1(config)# interface fa0/2
S1(config-if)# channel-group 1 mode active

S1(config)# interface port-channel 1
S1(config-if)# switchport trunk encapsulation dot1q
S1(config-if)# switchport mode trunk

Now, configuring S2:

S2(config)# interface fa0/1
S2(config-if)# channel-group 1 mode active
S2(config)# interface fa0/2
S2(config-if)# channel-group 1 mode active

S2(config)# interface port-channel 1
S2(config-if)# switchport trunk encapsulation dot1q
S2(config-if)# switchport mode trunk
EtherChannel has several advantages, including:
Increased bandwidth: By combining multiple physical links into a single logical link, EtherChannel provides increased bandwidth between switches. This can help improve network performance and reduce bottlenecks.

Improved redundancy: EtherChannel provides improved redundancy by allowing traffic to be routed over multiple physical links. If one link fails, traffic is automatically routed over the remaining links.

Load balancing: EtherChannel distributes traffic across multiple physical links, providing improved load balancing and preventing congestion on any one link.

Simplified network configuration: EtherChannel simplifies network configuration by treating multiple physical links as a single logical link. This can reduce the complexity of network configurations and make troubleshooting easier.

Cost-effective: EtherChannel can be a cost-effective way to increase bandwidth and redundancy in a network, as it allows existing physical links to be used rather than requiring new hardware.
EtherChannel Load Balancing

EtherChannel supports load balancing. However, this does not mean that the traffic is distributed equally among the links. The traffic that goes through the port-channel interface is not forwarded on a round-robin basis. Instead, EtherChannel load balancing uses a hash algorithm to forward packets.

The calculated load balancing hash determines which physical interface will be used to forward the packet. The load balancing method can be configured using the ‘port-channel load-balance <hash>’ global configuration command, which has the following hash options or keywords based on the source and destination IP address, MAC address, and TCP/UDP ports:

dst-ip – Destination IP address
dst-mac – Destination MAC address
dst-port – Destination TCP/UDP port
dst-mixed-ip-port – Destination IP address and destination TCP/UDP port
src-ip – Source IP address
src-mac – Source MAC address
src-port – Source TCP/UDP port
src-dst-ip – Source and destination IP addresses
src-dest-ip-only – Source and destination IP addresses only
src-dst-mac – Source and destination MAC addresses
src-dst-port – Source and destination TCP/UDP ports only
src-mixed-ip-port – Source IP address and source TCP/UDP port
src-dst-mixed-ip-port – Source and destination IP addresses and source and destination TCP/UDP ports
Moreover, the hash is a binary function. So, to be consistent, the number of links should be a power of two: 2, 4, 8, etc. Load balancing on a 3-port EtherChannel is not as effective as load balancing on a 2-port or 4-port EtherChannel.

Changing the hash may result in a different distribution ratio among the links if traffic is unevenly distributed. Let's say a port channel is formed with a router; if it uses a MAC address as part of the hash, this might affect traffic flow because the source or destination will always be the router's MAC address. Using the source/destination IP address or the TCP/UDP ports would be a better option.

The default EtherChannel load-balancing option is ‘src-mac’, or the source MAC address, which means that the traffic from one MAC address will be forwarded using the same physical interface.
EtherChannel Load Balancing Configuration
In our example below, you'll see that we've got a router, two switches, and two PCs. Switch2 has the default configuration of ‘src-mac’, which is fine because there are two PCs that have different MAC addresses. PC1's traffic will be sent down Switch2's G0/0 interface, for example, and PC2's traffic will be sent down Switch2's G0/1 interface. We've got two PCs and two physical links, therefore, depending on the traffic volume, it's close to a 1:1 EtherChannel distribution ratio.

With Switch1, this is not the case. Since there's a single router, which means a single MAC address, using the default algorithm of ‘src-mac’ would be unfavorable. A single link will be used, either G0/0 or G0/1, for the traffic coming from Router1.

To change the load balancing method, we use the ‘port-channel load-balance’ command. For Switch1, we will use ‘dst-mac’ so that load balancing uses the destination MAC addresses instead.

Switch1(config)#port-channel load-balance dst-mac

In this way, the traffic from Router1 will be load balanced depending on the destination MAC address. It could be that the traffic going to PC1 will be sent down Switch1's G0/1 interface, and the traffic going to PC2 will be sent down Switch1's G0/0 interface. Now, both physical links are utilized.
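An added Python model (not from the slides or Cisco code) of the hashing described in this section, reproducing the Switch1/Switch2 case: with src-mac both flows from Router1 land on one link, with dst-mac they spread across both. It also shows why a 3-link bundle balances unevenly. The XOR hash and the 8 hash buckets are assumptions; all addresses and ports are constructed.

```python
"""Model of EtherChannel load distribution by hashing, reproducing the
Switch1/Switch2 scenario from the slides. Added example, not from the
slides or Cisco code. Catalyst platforms hash the selected header fields
into a small number of buckets (8 on many platforms) and assign buckets
to links, which is why only 2, 4 or 8 links balance evenly; the exact
hash is platform specific, so the XOR-of-bytes hash below is an
assumption. All MAC/IP addresses and ports are constructed sample values."""
from collections import Counter

BUCKETS = 8   # 3-bit hash result (assumed, as on many Catalyst platforms)

FIELDS_FOR = {   # load-balance keyword -> header fields fed to the hash
    "src-mac": ["src_mac"], "dst-mac": ["dst_mac"], "src-dst-mac": ["src_mac", "dst_mac"],
    "src-ip": ["src_ip"], "dst-ip": ["dst_ip"], "src-dst-ip": ["src_ip", "dst_ip"],
    "src-port": ["src_port"], "dst-port": ["dst_port"], "src-dst-port": ["src_port", "dst_port"],
}


def flow_hash(fields):
    """XOR every byte of the selected header fields into one 8-bit value."""
    h = 0
    for f in fields:
        for byte in f:
            h ^= byte
    return h


def select_link(flow, method, n_links):
    """Physical link index for a flow under the given load-balance method:
    the hash picks one of BUCKETS buckets; buckets map round-robin onto links."""
    bucket = flow_hash(flow[k] for k in FIELDS_FOR[method]) % BUCKETS
    return bucket % n_links


def buckets_per_link(n_links):
    """How many hash buckets each link receives; uneven unless n_links divides 8."""
    return Counter(b % n_links for b in range(BUCKETS))


def distribution(flows, method, n_links):
    """Number of flows landing on each link."""
    return Counter(select_link(f, method, n_links) for f in flows)


def links_used(flows, method, n_links=2):
    """How many physical links carry any of the given flows."""
    return len(distribution(flows, method, n_links))


def mac(s): return bytes.fromhex(s.replace(":", ""))
def ip(s): return bytes(int(o) for o in s.split("."))
def port(n): return n.to_bytes(2, "big")


ROUTER1 = mac("00:00:0c:00:00:01")   # the single router MAC behind Switch1 (constructed)
PC1, PC2 = mac("00:50:56:00:00:11"), mac("00:50:56:00:00:22")

# Traffic from Router1 to PC1 and PC2 as seen by Switch1's port-channel (constructed).
ROUTER_TO_PCS = [
    {"src_mac": ROUTER1, "dst_mac": PC1, "src_ip": ip("10.0.0.1"), "dst_ip": ip("10.0.1.10"),
     "src_port": port(443), "dst_port": port(51000)},
    {"src_mac": ROUTER1, "dst_mac": PC2, "src_ip": ip("10.0.0.1"), "dst_ip": ip("10.0.1.20"),
     "src_port": port(443), "dst_port": port(51001)},
]

if __name__ == "__main__":
    for method in ("src-mac", "dst-mac", "src-dst-ip", "src-dst-port"):
        print(f"{method:12s} links used: {links_used(ROUTER_TO_PCS, method)}")
    for n in (2, 3, 4):
        print(f"{n} links -> buckets per link {dict(buckets_per_link(n))}")
```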
EtherChannel Load Balancing Verification
To check the EtherChannel load balancing algorithm, we can use the command ‘show EtherChannel load-balance’. It will also show the traffic load balancing method based on its type: non-IP, IPv4, or IPv6.

Switch1# show EtherChannel load-balance
EtherChannel Load-Balancing Operational State (dst-mac):
Non-IP: Destination MAC address
IPv4: Destination MAC address
IPv6: Destination MAC address

Switch2# show EtherChannel load-balance
EtherChannel Load-Balancing Operational State (src-mac):
Non-IP: Source MAC address
IPv4: Source MAC address
IPv6: Source MAC address

To check the link usage, the ‘show EtherChannel port’ command is used. The usage is shown under "Load" in hex values and is used to determine the traffic distribution on the different EtherChannel interfaces.