CCNA Enterprise 200 301 Modul2

This document describes configuring and verifying VLANs spanning multiple switches. It discusses configuring VLANs, trunk ports using 802.1q tagging to carry traffic for multiple VLANs, and assigning switch ports to VLANs in either access or trunk mode. Inter-VLAN routing is also described, which requires a layer 3 device like a router to allow communication between VLANs.

Module 2: Network Access

• Lesson 1: Configure and verify VLANs (normal range) spanning multiple switches
• Lesson 2: Configure and verify interswitch connectivity
• Lesson 3: Configure and verify Layer 2 discovery protocols (Cisco Discovery Protocol and LLDP)
• Lesson 4: Configure and verify (Layer 2/Layer 3) EtherChannel (LACP)
• Lesson 5: Describe the need for and basic operations of Rapid PVST+ Spanning Tree Protocol and identify basic operations
• Lesson 6: Compare Cisco Wireless Architectures and AP modes
• Lesson 7: Describe physical infrastructure connections of WLAN components (AP, WLC, access/trunk ports, and LAG)
• Lesson 8: Describe AP and WLC management access connections (Telnet, SSH, HTTP, HTTPS, console, and TACACS+/RADIUS)
• Lesson 9: Configure the components of a wireless LAN access for client connectivity using GUI only such as WLAN creation, security settings, QoS profiles, and advanced WLAN settings

Module 2: Network Access
Lesson 1: Configure and verify VLANs (normal range) spanning multiple switches

• Access ports (data and voice)
• Default VLAN
• Connectivity

VLANs
• A virtual local area network (VLAN) is a logical grouping of network devices connected to administratively defined ports on a switch
• Using VLANs creates multiple, smaller broadcast domains
• Broadcast control – many apps use broadcasts and multicasts, creating lots of traffic on the network, which makes it imperative to segment traffic with VLANs – each VLAN created also creates a separate broadcast domain

• Switchports are layer 2 only interfaces mapped to a physical port
• Switchports can be assigned one VLAN if in access mode and many VLANs if in trunking mode
• Access ports
  • Does not need to check the frame for a VLAN ID; assumes it is in that VLAN and forwards it
  • Removes VLAN information before the frame gets forwarded out to an access link device
• Voice access ports
  • Only exception to add a second VLAN to a switchport
  • Purpose is for voice traffic; permits you to connect a phone or PC to a switchport

• Trunk ports
  • Trunk link – point-to-point link between two switches, a switch and a router, or a switch and a server
  • Carries traffic for multiple VLANs – from 1 to 4094 at a time!
  • Very useful for large switch deployments and allowing VLANs over many switches
• Frame Tagging
  • Each switch that the frame passes through identifies the VLAN ID from the frame tag
  • Then the switch determines what port to forward the frame on: if it's a trunk port, the frame is forwarded; if it's an access port, the VLAN ID is removed and the frame is forwarded

• Default VLAN
  • Default port VLAN ID (PVID) is assigned to the trunk port and is used by all untagged traffic
  • Also known as the Native VLAN
  • VLAN 1 by default but can be configured differently
  • Very useful for large switch deployments and allowing VLANs over many switches

Module 2: Network Access
Lesson 2: Configure and verify interswitch connectivity

• Trunk Ports
• 802.1q
• Native VLAN
• Inter-VLAN Routing
• Configuring VLANs

IEEE 802.1Q
• Created by the IEEE as the standard method of frame tagging
• Inserts a field into the frame with VLAN information
• Use 802.1Q when trunking between switches
• 12-bit VLAN ID field: 2^12 - 2 = 4094 VLANs
• Define each port that will be trunking with 802.1q encapsulation
• Traffic for the native VLAN is untagged (VLAN 1 is default)
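As an added example (not from the slides), the following Python models the 802.1Q tagging just described: a trunk inserts the 4-byte tag after the source MAC, the 12-bit VID gives 2^12 - 2 = 4094 usable VLANs, native-VLAN frames leave the trunk untagged and are classified back into the PVID on arrival, and an access port strips the tag before delivery. The sample frame and MAC addresses are constructed.

```python
"""802.1Q tag insertion, parsing and removal on raw Ethernet frames.

Added example, not from the original slides. The frame bytes below are
constructed for illustration.
"""
import struct

TPID_8021Q = 0x8100          # Tag Protocol Identifier that marks a tagged frame
VID_MIN, VID_MAX = 1, 4094   # VIDs 0 and 4095 are reserved, hence 2**12 - 2 usable IDs


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag (TPID + TCI) between the source MAC and the EtherType."""
    if not VID_MIN <= vid <= VID_MAX:
        raise ValueError(f"VLAN ID {vid} outside usable range {VID_MIN}-{VID_MAX}")
    if not 0 <= pcp <= 7:
        raise ValueError("PCP is a 3-bit field")
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    tci = (pcp << 13) | vid          # TCI layout: PCP(3) | DEI(1, left 0) | VID(12)
    tag = struct.pack("!HH", TPID_8021Q, tci)
    return frame[:12] + tag + frame[12:]


def parse_tag(frame: bytes):
    """Return (vid, pcp) if the frame carries an 802.1Q tag, otherwise None."""
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF, tci >> 13


def strip_tag(frame: bytes) -> bytes:
    """Remove the tag, as an access port does before handing the frame to a host."""
    if parse_tag(frame) is None:
        return frame
    return frame[:12] + frame[16:]


def trunk_egress(frame: bytes, vid: int, native_vid: int = 1) -> bytes:
    """Frames in the native VLAN leave a trunk untagged; all others are tagged."""
    return frame if vid == native_vid else tag_frame(frame, vid)


def trunk_ingress(frame: bytes, native_vid: int = 1) -> int:
    """Classify a frame arriving on a trunk: a tagged frame carries its VID,
    an untagged frame is assumed to belong to the native VLAN (PVID)."""
    tag = parse_tag(frame)
    return native_vid if tag is None else tag[0]


# Constructed sample frame: broadcast dst MAC, made-up src MAC, EtherType IPv4,
# and four bytes standing in for the payload.
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("00112233aabb")
                + struct.pack("!H", 0x0800) + b"\x45\x00\x00\x14")

if __name__ == "__main__":
    tagged = trunk_egress(SAMPLE_FRAME, vid=3)
    print("tagged length:", len(tagged), "tag:", parse_tag(tagged))        # 22 (3, 0)
    print("native VLAN tagged?", parse_tag(trunk_egress(SAMPLE_FRAME, 1)))  # None
    print("access port delivers original:", strip_tag(tagged) == SAMPLE_FRAME)  # True
```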

Inter-VLAN Routing
• Devices can communicate with other devices in their own VLAN
• A layer 3 interface is needed for devices to communicate outside of their VLAN
• The layer 3 device could be a router or a Layer 3 switch
• The router could have an interface for each VLAN, or one interface divided into sub-interfaces for each VLAN (this option is known as router on a stick)
• Traffic would go from a device on a VLAN to its gateway on the router, then to the destination VLAN's gateway, and finally to the destination device

Configuration of VLANs
• Configure VLANs on a 2960 switch
• Use a show command to display the VLANs
• Notice they are not tied to any interfaces yet
• Since VLAN 1 is the default VLAN, it is applied unless another VLAN is specified

Switch(config)#vlan ?
  <1-4094>  ISL VLAN IDs 1-1005
Switch(config)#vlan 2
Switch(config-vlan)#name Data
Switch(config-vlan)#vlan 3
Switch(config-vlan)#name Voice
Switch(config-vlan)#vlan 4
Switch(config-vlan)#name Printer
Switch(config-vlan)#exit
Switch(config)#exit
Switch#
%SYS-5-CONFIG_I: Configured from console by console
Switch#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
2    Data                             active
3    Voice                            active
4    Printer                          active

Assign Switchports to VLANs
• Set switchports to access mode
• Configure access and voice VLANs

Switch(config)#interface f0/1
Switch(config-if)#description Data and Voice
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 2
Switch(config-if)#switchport voice vlan 3
Switch(config-if)#exit
Switch(config)#interface f0/2
Switch(config-if)#description Printer
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 4
Switch(config-if)#exit
Switch(config)#exit

Switch#show interface status

Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1     Data and Voice     notconnect   2          auto    auto  10/100BaseTX
Fa0/2     Printer            notconnect   4          auto    auto  10/100BaseTX
Fa0/3                        notconnect   1          auto    auto  10/100BaseTX

Switch#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24
2    Data                             active    Fa0/1
3    Voice                            active    Fa0/1
4    Printer                          active    Fa0/2

Configure Trunk Ports
• For a Cisco 2960 switch, you do not have to specify the encapsulation method (802.1Q) because it is automatically using it
• Switchport modes:
  • switchport mode access: non-trunking
  • switchport mode dynamic auto: can convert the link to a trunk link if the other side is set to trunk or desirable
  • switchport mode dynamic desirable: interface will actively attempt to convert the link to a trunk link. Neighboring interface needs to be trunk, desirable or auto. Default mode on all modern Cisco switches
  • switchport mode trunk: permanent trunking mode
  • switchport nonnegotiate: prevents the interface from generating DTP frames
• Define allowed VLANs on the trunk
• Native VLAN is 1 but can be changed

Switch(config)#int g0/1
Switch(config-if)#description Trunk to Switch2
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk allowed vlan 2,3,4
Switch(config-if)#switchport trunk native vlan ?
  <1-4094>  VLAN ID of the native VLAN when this port is in trunking mode
Switch(config-if)#exit
Switch(config)#exit
Switch#sho interface trunk

Port        Mode         Encapsulation  Status        Native vlan
Gig0/1      on           802.1q         trunking      1
Gig0/2      on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gig0/1      2-4
Gig0/2      2-4

Configure Inter-VLAN Routing
• Configure the trunk port on the switch just like the previous example
• Configure the router with sub-interfaces for each VLAN. Known as router on a stick
• Need to specify the encapsulation method on the router
• Now devices have the ability to communicate with each other across VLANs!

Switch(config)#int g0/2
Switch(config-if)#description Trunk to Router
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk allowed vlan 2,3,4

Router(config)#int g0/0
Router(config-if)#no shut
Router(config-if)#int g0/0.2
Router(config-subif)#encapsulation dot1q 2
Router(config-subif)#ip address 10.10.2.1 255.255.255.0
Router(config-subif)#description VLAN 2 - Data
Router(config-subif)#int g0/0.3
Router(config-subif)#encapsulation dot1q 3
Router(config-subif)#ip address 10.10.3.1 255.255.255.0
Router(config-subif)#description VLAN 3 - Voice
Router(config-subif)#int g0/0.4
Router(config-subif)#encapsulation dot1q 4
Router(config-subif)#ip address 10.10.4.1 255.255.255.0
Router(config-subif)#description VLAN 4 - Printer

Router#sh ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     unassigned      YES unset  up                    up
GigabitEthernet0/0.2   10.10.2.1       YES manual up                    up
GigabitEthernet0/0.3   10.10.3.1       YES manual up                    up
GigabitEthernet0/0.4   10.10.4.1       YES manual up                    up
GigabitEthernet0/1     unassigned      YES unset  administratively down down

Module 2: Network Access
Lesson 3: Configure and verify Layer 2 discovery protocols

• Cisco Discovery Protocol
• LLDP

Cisco Discovery Protocol (CDP)
• Cisco proprietary protocol
• Designed to gain information about locally attached devices
• Very useful when there is a need to 'walk the network', which could be when troubleshooting an issue and there is no network diagram
• Uses multicast for device communication

Cisco Discovery Protocol (CDP)
• CDP timer – how often CDP packets are transmitted out active interfaces
• CDP holdtime – amount of time the device will hold packets received from neighbors

Switch1#sh cdp
Global CDP information:
        Sending CDP packets every 60 seconds
        Sending a holdtime value of 180 seconds
        Sending CDPv2 advertisements is enabled

Cisco Discovery Protocol (CDP)
• To gather neighbor information, use the 'show cdp neighbor' command
• You will only see what is DIRECTLY attached
• Use 'show cdp neighbor detail' to gain more information about each device

Cisco Discovery Protocol (CDP)
• show cdp neighbor detail (continued)

Link Layer Discovery Protocol (LLDP)
• IEEE created standardized discovery protocol 802.1AB
• Works very similar to CDP, but in multi-vendor environments
• LLDP enhanced to address voice applications, called LLDP-MED
• LLDP must be enabled on the device, is only supported on physical interfaces, and can discover Linux servers
• Use 'lldp run' to turn LLDP on for all interfaces, and 'lldp transmit' and 'lldp receive' to turn it on for a specific interface

Switch1(config)#no lldp run
Switch1(config)#lldp run
Switch1(config)#int f0/1
Switch1(config-if)#no lldp transmit
Switch1(config-if)#no lldp receive
Switch1(config-if)#
Switch1(config-if)#lldp transmit
Switch1(config-if)#lldp receive

Module 2: Network Access
Lesson 4: Configure and verify (Layer 2/Layer 3) EtherChannel (LACP)

• Configure and verify (Layer 2/Layer 3) EtherChannel (LACP)

EtherChannel
• Enables the ability to aggregate multiple layer 2 Ethernet connections between directly connected devices
• Bundles together multiple physical connections into one logical one
• Provides redundancy – if one link fails in the EtherChannel, the connection is still up
• Increases bandwidth – you can go from a single 1Gbps link to four in an EtherChannel, giving you 4Gbps
• Less administration – configuration is done on the logical interface, not each individual connection

EtherChannel (continued)
• Can bond up to 8 interfaces together (8 Gigabit Ethernet interfaces = 8Gbps)
• Ports must be configured for the same speed, trunk encapsulation type and duplex

EtherChannel Protocols
Protocol  Description
PAgP      Cisco proprietary. Enables connected devices to group similarly configured ports dynamically into a single channel
LACP      IEEE 802.3ad standard. Similar to PAgP; learns from a connected device which ports between the two are identically configured and dynamically forms a channel between them

EtherChannel Modes
Mode       Protocol  Description
auto       PAgP      Passively listens for PAgP queries from a Cisco device using desirable or on. Not part of a channel by default.
desirable  PAgP      Initiates PAgP queries to form a channel but not part of a channel by default.
on         PAgP      Generates PAgP queries and assumes the port is part of a channel.
active     LACP      Enables a channel if the other side responds to its LACP messages.
passive    LACP      Passively listens for LACP messages to form a channel from an active port.

* If one side of a PAgP channel is set to auto, the other side needs to be set to either on or desirable to bring the channel up.

EtherChannel Configuration
• Configure interfaces for trunking
• Create and add the interfaces into the port channel (EtherChannels are known as port channels in some models of switches; the example here is on a 2960)
• Add the VLANs onto the port channel
• Do all steps on both sides of the port channel!

Switch2(config)#int range f0/23 - 24
Switch2(config-if-range)#switchport mode trunk
Switch2(config-if-range)#channel-group 1 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected
Switch2(config-if-range)#channel-group 1 mode active
Creating a port-channel interface Port-channel 1
Switch2(config)#int port-channel 1
Switch2(config-if)#switchport mode trunk
Switch2(config-if)#switchport trunk allowed vlan 1,2,3,4

EtherChannel Configuration
• Verify the port channel is up, the correct interfaces are participating, and the VLANs are passing

EtherChannel Layer 3 Configuration
• Used when connecting multiple switchports to a router
• Configure the port channel by assigning it to the interfaces
• Assign an IP address to the port channel interface (not the specific interfaces)

Router1(config-if)#int port-channel 2
Router1(config-if)#ip address 10.10.10.2 255.255.255.0
Router1(config-if)#exit
Router1(config)#int range g0/0 - 1
Router1(config-if-range)#channel-group 2

interface Port-channel2
 ip address 10.10.10.2 255.255.255.0

interface GigabitEthernet0/0
 no ip address
 channel-group 2 mode on
 duplex auto
 speed auto

interface GigabitEthernet0/1
 no ip address
 channel-group 2 mode on
 duplex auto
 speed auto

Module 2: Network Access
Lesson 5: Describe the need for and basic operations of Rapid PVST+ Spanning Tree Protocol and identify basic operations

• Root port, root bridge (primary/secondary), and other port names
• Port states (forwarding/blocking)
• PortFast benefits

• Primary purpose for Spanning Tree Protocol is to avoid layer 2 loops, which can be caused by broadcast traffic
• Networks are designed to build in redundancy. Layer 3 has mechanisms to prevent loops with routing protocols. Layer 2 needs Spanning Tree to avoid loops.
• There are many forms of Spanning Tree, including Rapid PVST+

Spanning Tree Components
Component        Description
Root bridge      Bridge with the lowest bridge ID. This is considered the best bridge, so it is set as root bridge, and the rest of the spanning tree topology is based on it. Decisions such as ports on non-root bridges being in blocked or forwarding state are based on the root bridge. All other bridges must create a single path to the root bridge.
Root port        The port on a bridge with the best path to the root bridge.
Non-root bridge  All bridges that are not the root bridge. Non-root bridges exchange BPDUs with all the other bridges and update the STP topology database.
BPDU             Bridge Protocol Data Unit – what is exchanged between switches to determine the STP topology initially, and when a new convergence needs to happen. The bridge ID is in the BPDU.
Bridge ID        Used to keep track of all switches in the network. Uses the bridge priority, which is 32,768 by default, and the MAC address. The bridge with the lowest bridge ID becomes root bridge. You can set the bridge priority lower than 32,768 to intentionally make a specific switch the root bridge.
Port cost        Determines the best path when there are multiple links between two switches.
Path cost        Calculated by adding each port cost between the switch and the root bridge. Deciding factor used by every bridge to find the most efficient path to the root bridge.

Spanning Tree Bridge Port Roles
Role                 Description
Root port            Link with the lowest path cost to the root bridge. If more than one link connects to the root bridge, then a port cost is found by checking the bandwidth of each link. The root bridge never has root ports. Each other switch will have 1 root port. When multiple links connect to the same device, the port connected to the lowest port number on the upstream switch will be the one that is used.
Designated port      Best cost on a given network segment compared to other ports on that segment. Will be marked as forwarding. Only one designated port on a given segment.
Non-designated port  Higher cost than the designated port. Will be in blocking or discarding mode.
Forwarding port      Forwards frames and will be either a designated port or a root port.
Blocked port         Won't forward frames in order to prevent loops. Will listen to BPDU frames but will drop all other frames received and will not transmit a frame.
Alternate port       Same as blocking state of 802.1d (IEEE standard). Used with 802.1w (Cisco Rapid Spanning Tree). An alternate port is on a switch connected to a segment with two or more switches where one of the other switches has the designated port.
Backup port          Same as blocking state of 802.1d (IEEE standard). Used with 802.1w (Cisco Rapid Spanning Tree). Another port on the same switch is acting as the designated port.

Spanning Tree Bridge Port States
• Causes what feels like a delay when you connect a new device to the network. It is actually STP running through the states below to ensure a loop is not created.

State       Description
Disabled    Administratively disabled and does not participate in the STP process. Non-operational.
Blocking    Does not forward frames. Listens to BPDUs. Prevents loops. All ports start in blocking state initially.
Listening   Listens to BPDUs to make sure no loops occur before forwarding frames. Prepares to forward frames without populating the MAC address table.
Learning    Listens to BPDUs and learns all paths in the network. The learning state populates the MAC address table. Does not forward frames. Forward delay is the time between the listening and learning states, or between learning and forwarding; 15 seconds by default.
Forwarding  Sends and receives all data frames on the bridged port. If the port is designated or root by the end of the learning state, it will enter the forwarding state.

Spanning Tree Link Costs
• Port cost is based on the speed of a single link. Path cost is the sum of the various port costs leading to the root bridge.

Speed       Cost
10 Mbps     100
100 Mbps    19
1000 Mbps   4
10000 Mbps  2

Convergence
• Occurs when all ports on all bridges or switches have transitioned to either forwarding or blocking mode.
• No frames are forwarded until convergence is complete.
• So, everything stops until all devices have a workable STP database. The goal is to have this happen as quickly as possible.
• 802.1d STP takes 50 seconds by default
• Other versions of STP are faster

Spanning Tree Operation
• Root Bridge is determined by priority. MAC address is the tie breaker; lowest MAC wins
• All ports on the Root Bridge are forwarding
• Root Port is the best Path Cost to the Root Bridge from each switch. Path Cost is determined by adding up the Port Cost on each link.
• Remaining ports need to determine if they are going to be forwarding or blocking. Lower Bridge ID is forwarding, higher is blocking
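Added example, not part of the slides: a Python model of the election the bullets describe, run over a constructed three-switch triangle (switch names, priorities, MAC addresses and link speeds are made up). It uses the deck's port-cost table and PVST+ style bridge IDs (priority plus VLAN number in the sys-id-ext field, MAC as tie-breaker), and shows a case the text only implies: a switch's direct 100 Mbps link to the root loses to a two-hop gigabit path, so its root port faces the other non-root switch.

```python
"""Root bridge election and root-port selection with 802.1d port costs.

Added example, not from the original slides; the topology is constructed.
"""
import heapq

# Port costs from the deck's link-cost table (link speed in Mbps -> cost).
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}

# Constructed topology: SW1 has been tuned to priority 24576, the others keep
# the default 32768. Links are (switch, switch, speed in Mbps).
SWITCHES = {
    "SW1": (24576, "00:00:0c:aa:aa:01"),
    "SW2": (32768, "00:00:0c:aa:aa:02"),
    "SW3": (32768, "00:00:0c:aa:aa:03"),
}
LINKS = [("SW1", "SW2", 1000), ("SW1", "SW3", 100), ("SW2", "SW3", 1000)]


def bridge_id(priority, mac, vlan=1):
    """PVST+ bridge ID: priority plus the VLAN number (sys-id-ext), MAC as tie-breaker."""
    return (priority + vlan, mac)


def elect_root(switches=SWITCHES, vlan=1):
    """Lowest bridge ID wins; the MAC only decides when priorities are equal."""
    return min(switches, key=lambda name: bridge_id(*switches[name], vlan))


def path_costs(root, links=LINKS):
    """Dijkstra over port costs: best root path cost for every switch, plus the
    neighbour each switch reaches through its root port."""
    adj = {}
    for a, b, speed in links:
        adj.setdefault(a, []).append((b, PORT_COST[speed]))
        adj.setdefault(b, []).append((a, PORT_COST[speed]))
    cost, via, queue = {root: 0}, {}, [(0, root)]
    while queue:
        c, node = heapq.heappop(queue)
        if c > cost[node]:
            continue                      # stale queue entry, a cheaper path was found
        for nbr, pc in adj.get(node, []):
            if c + pc < cost.get(nbr, float("inf")):
                cost[nbr], via[nbr] = c + pc, node
                heapq.heappush(queue, (c + pc, nbr))
    return cost, via


def root_ports(switches=SWITCHES, links=LINKS, vlan=1):
    """{non-root switch: (root path cost, neighbour on its root port)}."""
    root = elect_root(switches, vlan)
    cost, via = path_costs(root, links)
    return {sw: (cost[sw], via[sw]) for sw in switches if sw != root}


if __name__ == "__main__":
    print("root bridge:", elect_root())                      # SW1
    for sw, (c, nbr) in root_ports().items():
        print(f"{sw}: path cost {c}, root port towards {nbr}")  # SW2: 4 via SW1, SW3: 8 via SW2
```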

Types of Spanning Tree
• IEEE 802.1d – Common Spanning Tree (CST)
• PVST+ – Per VLAN Spanning Tree (Cisco default)
• IEEE 802.1w – Rapid Spanning Tree Protocol (RSTP)
• IEEE 802.1s – Multiple Spanning Tree Protocol (MSTP)
• Rapid PVST+ – Cisco version of RSTP that also uses PVST+

Common Spanning Tree 802.1d
• Slowest form of spanning tree when it comes to convergence (50 seconds)
• In a network with redundant links, an election happens to determine the root bridge.
• The switch that becomes root bridge will be so for ALL VLANs.
• Each switch in the network will create a path to the root bridge.
• Root bridge may not be the best for all VLANs

Per VLAN Spanning Tree+
• Cisco proprietary
• Provides a SEPARATE spanning tree instance for each VLAN
• Convergence time is still as slow as CST (50 seconds)
• Root bridge for each VLAN
• Provides a better optimal path for each VLAN
• Field added into the BPDU called Sys-id-ext so there can be a root bridge configured on a per-VLAN basis

Rapid Spanning Tree Protocol 802.1w
• Evolution of 802.1d, and backwards compatible
• Much faster convergence (can be under 10 seconds)
• One root bridge for all VLANs, still has suboptimal traffic for some VLANs
• Moderately more CPU and RAM needed
• Some terminology
  • Port state adjustments: Discarding -> Learning -> Forwarding
  • Alternate Port, Backup Port (both blocking)
• The process of choosing root bridge, root ports, designated ports does not change

802.1d CST   802.1w RSTP
Disabled     Discarding
Blocking     Discarding
Listening    Discarding
Learning     Learning
Forwarding   Forwarding

Rapid Per VLAN Spanning Tree+
• Cisco proprietary
• Like a combination of PVST+ and RSTP
• Separate instance of 802.1w for each VLAN
• Much faster convergence (can be under 10 seconds)
• Provides a SEPARATE spanning tree instance for each VLAN
• Significantly more CPU and RAM needed
• The process of choosing root bridge, root ports, designated ports does not change

Multiple Spanning Tree Protocol (MSTP) 802.1s
• Fast convergence like RSTP
• Maps multiple VLANs into the same spanning tree instance
• Much faster convergence (can be under 10 seconds)
• Moderately to significantly more CPU and RAM needed
• The process of choosing root bridge, root ports, designated ports does not change

Configuring Spanning Tree
• Viewing Spanning Tree
  • show spanning-tree summary
  • show spanning-tree

Configuring Spanning Tree
• Viewing Spanning Tree
  • show spanning-tree
  • Blocking port
  • show spanning-tree vlan X
• Modifying Bridge ID

Configuring Spanning Tree
• Changing Spanning Tree mode to Rapid PVST+
  • spanning-tree mode rapid-pvst

Configuring Spanning Tree
• PortFast
  • Used on ports that do not need to go through the spanning-tree election process (50 seconds)
  • Usually access mode ports where end user devices (PCs, phones, printers, etc.) are connected
  • Port will come right up instead of spending the 50 seconds converging
• BPDU Guard
  • When using PortFast, use BPDU Guard
  • A switchport enabled with PortFast that receives a BPDU will go into error-disabled state (basically shut down)
  • This guards against someone connecting a switch into a port that is meant for an end user device
  • Global command is: spanning-tree portfast bpduguard default
  • Interface specific command is: spanning-tree bpduguard enable
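Added example (not from the slides): a Python audit over a constructed running-config that checks the hardening points this lesson and Lesson 2 raise: PortFast ports without BPDU Guard (honouring the global "spanning-tree portfast bpduguard default" when present), trunks that still negotiate with DTP (no "switchport nonnegotiate"), trunks with no allowed-VLAN list, and trunks left on the default native VLAN 1. The interface names and config text are constructed.

```python
"""Audit a switch running-config for the access-layer settings the deck covers.

Added example, not from the original slides; SAMPLE_CONFIG is constructed.
"""
import re

SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
!
interface FastEthernet0/1
 description Data and Voice
 switchport mode access
 switchport access vlan 2
 switchport voice vlan 3
 spanning-tree portfast
!
interface FastEthernet0/2
 description Printer
 switchport mode access
 switchport access vlan 4
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/1
 description Trunk to Switch2
 switchport mode trunk
 switchport trunk allowed vlan 2,3,4
!
interface GigabitEthernet0/2
 description Trunk to Router
 switchport mode trunk
 switchport trunk native vlan 99
 switchport nonnegotiate
"""


def parse_interfaces(config: str):
    """Return {interface name: [its indented config lines, stripped]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None          # '!' or a global command ends the block
    return interfaces


def audit(config: str):
    """Return sorted (interface, finding) pairs for the checks described above."""
    global_bpduguard = "spanning-tree portfast bpduguard default" in config
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" in lines:
            if "switchport nonnegotiate" not in lines:
                findings.append((name, "trunk still negotiates with DTP"))
            if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
                findings.append((name, "trunk allows all VLANs"))
            if not any(l.startswith("switchport trunk native vlan") for l in lines):
                findings.append((name, "trunk uses default native VLAN 1"))
        elif "spanning-tree portfast" in lines:
            # PortFast is fine on an access port, but only with BPDU Guard behind it.
            if not global_bpduguard and "spanning-tree bpduguard enable" not in lines:
                findings.append((name, "PortFast without BPDU Guard"))
    return sorted(findings)


if __name__ == "__main__":
    for iface, finding in audit(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```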
Module 2: Network Access
Lesson 6: Compare Cisco Wireless Architectures and AP modes

• Compare Cisco Wireless Architectures and AP modes
Autonomous AP Architecture
• An AP in autonomous mode is a self-sufficient device that sits on
the wired network and broadcasts one or more SSIDs for wireless
clients to connect to
• Each autonomous AP must be manually configured with an IP
address for management purposes; this type of AP is managed
individually
• A management platform such as Cisco DNA Center can manage
autonomous APs
Cloud Based AP Architecture
• AP management is completely cloud based; Cisco Meraki is a good
example
• This type of AP can be deployed automatically, as it registers
itself with the cloud management platform
• Commonly seen in environments such as K-12 education
• Management traffic uses the control plane
• End user traffic uses the data plane
Controller Based AP Architecture
• Also known as lightweight AP architecture
• APs are completely controlled by a Wireless LAN Controller (WLC)
• The WLC connects to the network via a Link Aggregation Group (LAG),
which provides redundancy and load balancing
• Split-MAC architecture: the Lightweight AP (LAP) interacts with the
wireless client at the media access control (MAC) layer, while
management functions travel back to the WLC to be processed
• AP MAC functions:
• Beacons and probe responses
• Packet acknowledgements and retransmission
• Frame queueing and packet prioritization
• MAC layer data encryption and decryption
• WLC MAC functions:
• Authentication
• Association and re-association of roaming clients
• Frame translation to other protocols
• Termination of 802.11 traffic on a wired interface
• Control and Provisioning of Wireless Access Points (CAPWAP)
• CAPWAP is a tunneling protocol that enables the split-MAC
functions
• CAPWAP control tunnel: configures the LAP and manages its
operation; control messages are authenticated and encrypted;
uses UDP port 5246
• CAPWAP data tunnel: carries packets traveling to and from
wireless clients associated with the AP; not encrypted by
default; uses UDP port 5247
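As an added example (not from the original slides), this Python code classifies a CAPWAP datagram by its UDP port and preamble and decodes the cleartext CAPWAP header layout from RFC 5415, which lets a defender spot client traffic crossing the data tunnel without DTLS; the two datagram samples are constructed, not captured.

```python
"""Added example (not from the slides): classify a CAPWAP datagram by UDP
port and preamble, and decode the CAPWAP header when it is in the clear."""
import struct

CAPWAP_CONTROL_PORT = 5246   # control tunnel, DTLS-protected
CAPWAP_DATA_PORT = 5247      # data tunnel, cleartext unless DTLS is enabled

def parse_capwap(dst_port, datagram):
    """Describe the tunnel and, for a type 0 (cleartext) preamble, the header.
    A type of 1 in the preamble's low nibble means a DTLS record follows."""
    tunnel = {CAPWAP_CONTROL_PORT: "control", CAPWAP_DATA_PORT: "data"}.get(dst_port)
    if tunnel is None:
        raise ValueError(f"UDP port {dst_port} is not a CAPWAP port")
    if len(datagram) < 4:
        raise ValueError("datagram too short for a CAPWAP preamble")
    version, ptype = datagram[0] >> 4, datagram[0] & 0x0F
    info = {"tunnel": tunnel, "version": version, "dtls": ptype == 1}
    if ptype == 1:
        return info              # payload is a DTLS record: opaque to us
    if len(datagram) < 8:
        raise ValueError("datagram too short for a CAPWAP header")
    # Bytes 1-3: HLEN(5) RID(5) WBID(5) T F L W M K Flags(3), RFC 5415 4.3
    bits = int.from_bytes(datagram[1:4], "big")
    frag_id, frag_word = struct.unpack("!HH", datagram[4:8])
    info.update({
        "hlen_bytes": ((bits >> 19) & 0x1F) * 4,   # HLEN is in 4-byte words
        "rid": (bits >> 14) & 0x1F,
        "wbid": (bits >> 9) & 0x1F,                # 1 = IEEE 802.11
        "native_frame": bool(bits & (1 << 8)),     # T bit
        "fragment": bool(bits & (1 << 7)),         # F bit
        "keep_alive": bool(bits & (1 << 3)),       # K bit
        "frag_id": frag_id,
        "frag_offset": frag_word >> 3,             # top 13 bits
    })
    return info

def is_cleartext_client_traffic(dst_port, datagram):
    """True when client frames cross the data tunnel without DTLS."""
    info = parse_capwap(dst_port, datagram)
    return info["tunnel"] == "data" and not info["dtls"]

# Constructed samples: a DTLS-wrapped control message and a cleartext data
# message (HLEN=2 words, RID=1, WBID=1 for 802.11, T bit set, no fragments).
CONTROL_SAMPLE = bytes.fromhex("01000000") + bytes.fromhex("16fefd")
DATA_SAMPLE = bytes.fromhex("0010430000000000") + bytes.fromhex("8000")

if __name__ == "__main__":
    print(parse_capwap(CAPWAP_CONTROL_PORT, CONTROL_SAMPLE))
    print(parse_capwap(CAPWAP_DATA_PORT, DATA_SAMPLE))
```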
AP Modes
• Local Mode: the default mode, where the LAP has a CAPWAP tunnel
to the WLC through which all traffic passes
• Bridged Mode: uses the AP to connect two networks together, for
example two networks in physically separate buildings that are
close to each other; an AP in bridged mode is authenticated to
the remote wireless network
• FlexConnect Mode: LAPs can pass traffic directly between clients
and to the LAN, traffic that would normally all go back to the
WLC; used in branch office setups where the WLC is located across
the WAN; APs can still operate even if CAPWAP goes down!
• Mesh Mode: one WAP connects to another WAP, extending the
wireless network without using a cable; an AP in mesh mode is
known as a mesh access point (MAP)
• Monitor Mode: used for security purposes; watches activity on the
wireless network for situations such as rogue APs; does not
transmit wireless signals, only receives them
• Sniffer Mode: used for troubleshooting purposes; captures the
wireless traffic and sends it to a remote computer for
packet/frame analysis
Module 2: Network Access
• Lesson 1: Configure and verify VLANs (normal • Lesson 6: Compare Cisco Wireless Architectures
range) spanning multiple switches and AP modes

• Lesson 7: Describe physical infrastructure


• Lesson 2: Configure and verify interswitch connections of WLAN components (AP, WLC,
connectivity access/trunk ports, and LAG)
• Lesson 8: Describe AP and WLC management
• Lesson 3: Configure and verify Layer 2 discovery access connections (Telnet, SSH, HTTP, HTTPS,
protocols (Cisco Discovery Protocol and LLDP) console, and TACACS+/RADIUS)

• Lesson 9: Configure the components of a wireless


• Lesson 4: Configure and verify (Layer 2/Layer 3) LAN access for client connectivity using GUI only
EtherChannel (LACP) such as WLAN creation, security settings, QoS
profiles, and advanced WLAN settings
• Lesson 5: Describe the need for and basic
operations of Rapid PVST+ Spanning Tree Protocol
and identify basic operations
Module 2: Network Access
Lesson 7: Describe physical infrastructure connections of WLAN
components (AP, WLC, access/trunk ports, and LAG)

• Describe physical infrastructure connections of WLAN components
(AP, WLC, access/trunk ports, and LAG)
• Wireless LAN Controller – 3504
• 802.11ac
• 4 Gbps throughput
• 3000 clients
• 4096 VLANs
• Wireless Access Point – 3702i
• 2.4 and 5 GHz
• 4x4 antennas
• 802.11 n/a/g/ac clients
• Centralized WLAN Deployment
• The WLC manages the LAPs and all communication must flow
through the WLC
• WLC placement should be considered, as extreme distance can
cause delays on the wireless network
• If the WLC goes down, the LAPs are no longer functional
• Converged WLAN Deployment
• LAPs and the WLC are connected to the same switch
• Multiple WLCs need to be deployed for multiple parts of the
network
(Diagram: Dist-Switch01)
Module 2: Network Access
• Lesson 1: Configure and verify VLANs (normal • Lesson 6: Compare Cisco Wireless Architectures
range) spanning multiple switches and AP modes

• Lesson 7: Describe physical infrastructure


• Lesson 2: Configure and verify interswitch connections of WLAN components (AP, WLC,
connectivity access/trunk ports, and LAG)
• Lesson 8: Describe AP and WLC management
• Lesson 3: Configure and verify Layer 2 discovery access connections (Telnet, SSH, HTTP, HTTPS,
protocols (Cisco Discovery Protocol and LLDP) console, and TACACS+/RADIUS)

• Lesson 9: Configure the components of a wireless


• Lesson 4: Configure and verify (Layer 2/Layer 3) LAN access for client connectivity using GUI only
EtherChannel (LACP) such as WLAN creation, security settings, QoS
profiles, and advanced WLAN settings
• Lesson 5: Describe the need for and basic
operations of Rapid PVST+ Spanning Tree Protocol
and identify basic operations
Module 2: Network Access
Lesson 8: Describe AP and WLC management access connections
(Telnet, SSH, HTTP, HTTPS, console, and TACACS+/RADIUS)

• Describe AP and WLC management access connections (Telnet, SSH,
HTTP, HTTPS, console, and TACACS+/RADIUS)
• Management from CLI
• Use the console port for local access
• Use Telnet or SSH for remote access
• Only used for APs if they are in autonomous mode (otherwise
they are managed by the WLC)
• Management from Web
• Connect to the management IP (initially) or DNS name via HTTP
or HTTPS using a web browser
• Provides full configuration capabilities through an interactive
graphical interface
• TACACS+/RADIUS
• The WLC is capable of using an authentication service such as
TACACS+ or RADIUS
• This provides the security of having anyone who wants to
connect authenticated by an external authentication system
Module 2: Network Access
• Lesson 1: Configure and verify VLANs (normal • Lesson 6: Compare Cisco Wireless Architectures
range) spanning multiple switches and AP modes

• Lesson 7: Describe physical infrastructure


• Lesson 2: Configure and verify interswitch connections of WLAN components (AP, WLC,
connectivity access/trunk ports, and LAG)
• Lesson 8: Describe AP and WLC management
• Lesson 3: Configure and verify Layer 2 discovery access connections (Telnet, SSH, HTTP, HTTPS,
protocols (Cisco Discovery Protocol and LLDP) console, and TACACS+/RADIUS)

• Lesson 9: Configure the components of a wireless


• Lesson 4: Configure and verify (Layer 2/Layer 3) LAN access for client connectivity using GUI only
EtherChannel (LACP) such as WLAN creation, security settings, QoS
profiles, and advanced WLAN settings
• Lesson 5: Describe the need for and basic
operations of Rapid PVST+ Spanning Tree Protocol
and identify basic operations
Module 2: Network Access
Lesson 9: Configure the components of a wireless LAN access for
client connectivity using GUI

• WLAN creation
• Create Dynamic Interface
• Controller -> Interfaces -> New
• Enter Interface Name
• Enter VLAN ID
• Enter an IP address within the range of the network
• Create WLAN
• WLANs -> Create New
• Enter profile name
• Enter SSID
• Click Apply
• Security settings
• Security -> WPA+WPA2 on
Layer 2 tab
• Select WPA2 Policy, AES and
PSK
• Select ASCII and fill in PSK
• QoS profiles
• Dictates how traffic is prioritized:
• Platinum – voice
• Gold – video
• Silver – regular traffic
• Bronze – background traffic
• Advanced WLAN settings
• Specify session timeout value
• URL filtering
• Maximum number of clients
• And more!
Thank You !!!
