Module 1-6

Durham College, student ID: 100966138
Student Name: Dilraj Singh
Module Title: Basic Device Configuration
Module Objective: Configure devices using security best practices.

Packet Tracer - Logical and Physical Mode Exploration


The network model in this Packet Tracer Physical Mode (PTPM) activity
incorporates many of the technologies that you can master in Cisco
Networking Academy courses. It represents a simplified version of how a
small to medium-sized business network might look.
Most of the devices in the Seward branch office and Warrenton data center
are already deployed and configured. You have just been hired to review the
devices and networks deployed. It is not important that you understand
everything you see and do in this activity. Feel free to explore the network on
your own. If you wish to proceed more systematically, follow the steps below.
Answer the questions to the best of your ability.

Switch Boot Sequence


Before you can configure a switch, you need to turn it on and allow it to go
through the five-step boot sequence. This topic covers the basics of
configuring a switch and includes a lab at the end.
After a Cisco switch is powered on, it goes through the following five-step
boot sequence:
Step 1: First, the switch loads a power-on self-test (POST) program stored in
ROM. POST checks the CPU subsystem. It tests the CPU, DRAM, and the
portion of the flash device that makes up the flash file system.
Step 2: Next, the switch loads the boot loader software. The boot loader is a
small program stored in ROM that is run immediately after POST successfully
completes.
Step 3: The boot loader performs low-level CPU initialization. It initializes the
CPU registers, which control where physical memory is mapped, the quantity
of memory, and its speed.
Step 4: The boot loader initializes the flash file system on the system board.
Step 5: Finally, the boot loader locates and loads a default IOS operating
system software image into memory and gives control of the switch over to
the IOS.
Duplex Communication
The ports of a switch can be configured independently for different needs.
This topic covers how to configure switch ports, how to verify your
configurations, common errors, and how to troubleshoot switch configuration
issues.
Full-duplex communication increases bandwidth efficiency by allowing both
ends of a connection to transmit and receive data simultaneously. This is also
known as bidirectional communication and it requires microsegmentation. A
microsegmented LAN is created when a switch port has only one device
connected and is operating in full-duplex mode. There is no collision domain
associated with a switch port operating in full-duplex mode.
Unlike full-duplex communication, half-duplex communication is
unidirectional. Half-duplex communication creates performance issues
because data can flow in only one direction at a time, often resulting in
collisions. Half-duplex connections are typically seen in older hardware, such
as hubs. Half-duplex hubs have been replaced by switches that use full-
duplex communications by default.

Verify Switch Port Configuration


The show running-config command can be used to verify that the switch
has been correctly configured. From the sample abbreviated output on S1,
some important information is shown in the figure:
 Fast Ethernet 0/18 interface is configured with the management VLAN
99
 VLAN 99 is configured with an IPv4 address of 172.17.99.11
255.255.255.0
 The default gateway is set to 172.17.99.1

The show interfaces command is another commonly used command,


which displays status and statistics information on the network
interfaces of the switch. The show interfaces command is frequently
used when configuring and monitoring network devices.
The first line of the output for the show interfaces fastEthernet
0/18 command indicates that the FastEthernet 0/18 interface is up/up,
meaning that it is operational. Further down, the output shows that the
duplex is full and the speed is 100 Mbps.

Interface Input and Output Errors


“Input errors” is the sum of all errors in datagrams that were received
on the interface being examined. This includes runts, giants, CRC, no
buffer, frame, overrun, and ignored counts; the input error counters most
often consulted in the show interfaces output are runts, giants, and CRC
errors.
“Output errors” is the sum of all errors that prevented the final
transmission of datagrams out the interface that is being examined.
The reported output errors from the show interfaces command
include the following:
 Collisions - Collisions in half-duplex operations are normal. However,
you should never see collisions on an interface configured for full-
duplex communication.
 Late collisions - A late collision refers to a collision that occurs after
512 bits of the frame have been transmitted. Excessive cable lengths
are the most common cause of late collisions. Another common cause
is duplex misconfiguration. For example, you could have one end of a
connection configured for full-duplex and the other for half-duplex. You
would see late collisions on the interface that is configured for half-
duplex. In that case, you must configure the same duplex setting on
both ends. A properly designed and configured network should never
have late collisions.

Troubleshooting Network Access Layer Issues


Most issues that affect a switched network are encountered during the
original implementation. Theoretically, after it is installed, a network
continues to operate without problems. However, cabling gets damaged,
configurations change, and new devices are connected to the switch that
require switch configuration changes. Ongoing maintenance and
troubleshooting of the network infrastructure is required.
To troubleshoot scenarios involving no connection, or a bad connection,
between a switch and another device, follow the general process shown in
the figure.
Use the show interfaces command to check the interface status.
If the interface is down:
 Check to make sure that the proper cables are being used.
Additionally, check the cable and connectors for damage. If a bad or
incorrect cable is suspected, replace the cable.
 If the interface is still down, the problem may be due to a mismatch in
speed setting. The speed of an interface is typically autonegotiated;
therefore, even if it is manually applied to one interface, the
connecting interface should autonegotiate accordingly. If a speed
mismatch does occur through misconfiguration, or a hardware or
software issue, then that may result in the interface going down.
Manually set the same speed on both connection ends if a problem is
suspected.
If the interface is up, but issues with connectivity are still present:
 Using the show interfaces command, check for indications of
excessive noise. Indications may include an increase in the counters
for runts, giants, and CRC errors. If there is excessive noise, first find
and remove the source of the noise, if possible. Also, verify that the
cable does not exceed the maximum cable length and check the type
of cable that is used.
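The two checklists above, expressed as code. This is an added example and not part of the module: the interface names, counter values and output lines are constructed for it (they follow the IOS show interfaces layout but are not real captures), and the wording of each finding is this example's own.

```python
"""Apply the show interfaces troubleshooting rules to counter lines."""
import re
from dataclasses import dataclass, field

# Constructed sample: a healthy port, a half-duplex port with ordinary
# collisions, a full-duplex port showing late collisions plus runts/CRC,
# and a port with no cable connected.
SAMPLE_SHOW_INTERFACES = """\
FastEthernet0/18 is up, line protocol is up (connected)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
FastEthernet0/2 is up, line protocol is up (connected)
  Half-duplex, 100Mb/s, media type is 10/100BaseTX
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 42 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
FastEthernet0/3 is up, line protocol is up (connected)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
     12 runts, 0 giants, 0 throttles
     37 input errors, 25 CRC, 0 frame, 0 overrun, 0 ignored
     9 output errors, 9 collisions, 1 interface resets
     0 babbles, 9 late collision, 0 deferred
FastEthernet0/4 is down, line protocol is down (notconnect)
  Auto-duplex, Auto-speed, media type is 10/100BaseTX
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

HEADER_RE = re.compile(r"^(\S+) is (up|down|administratively down), line protocol is (up|down)")
DUPLEX_RE = re.compile(r"\b(Full|Half|Auto)-duplex\b")
COUNTER_RES = {
    "runts": re.compile(r"(\d+) runts\b"),
    "giants": re.compile(r"(\d+) giants\b"),
    "crc": re.compile(r"(\d+) CRC\b"),
    "collisions": re.compile(r"(\d+) collisions\b"),
    "late_collisions": re.compile(r"(\d+) late collision\b"),
}


@dataclass
class IfaceStats:
    name: str
    status: str      # up / down / administratively down
    protocol: str    # up / down
    duplex: str = "Auto"
    counters: dict = field(default_factory=lambda: {k: 0 for k in COUNTER_RES})


def parse_show_interfaces(text: str) -> list:
    """One IfaceStats per interface header line; indented lines belong to the last header."""
    ifaces, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = IfaceStats(*m.groups())
            ifaces.append(cur)
            continue
        if cur is None:
            continue
        d = DUPLEX_RE.search(line)
        if d:
            cur.duplex = d.group(1)
        for key, rx in COUNTER_RES.items():
            c = rx.search(line)
            if c:
                cur.counters[key] = int(c.group(1))
    return ifaces


def diagnose(iface: IfaceStats) -> list:
    """Findings the troubleshooting steps above would raise for one interface."""
    c, findings = iface.counters, []
    if iface.status == "administratively down":
        return ["shutdown: needs 'no shutdown'"]
    if iface.status == "down":
        return ["down/down: check cable type and connectors; if still down, set the same speed on both ends"]
    if iface.protocol == "down":
        return ["up/down: link present but Layer 2 is not up, not a cabling fault"]
    if c["late_collisions"]:
        findings.append(f"late collisions ({c['late_collisions']}): over-length cable or duplex mismatch; "
                        f"this end is {iface.duplex.lower()}-duplex, configure the same duplex on both ends")
    if c["collisions"] and iface.duplex == "Full":   # collisions are normal only on half-duplex
        findings.append(f"collisions ({c['collisions']}) on a full-duplex port: duplex mismatch with the far end")
    if c["runts"] or c["giants"] or c["crc"]:
        findings.append(f"runts/giants/CRC ({c['runts']}/{c['giants']}/{c['crc']}): "
                        "noise, damaged cable or cable over the maximum length")
    return findings


def diagnose_all(text: str) -> dict:
    return {i.name: diagnose(i) for i in parse_show_interfaces(text)}


if __name__ == "__main__":
    for name, findings in diagnose_all(SAMPLE_SHOW_INTERFACES).items():
        print(name, "->", findings or ["ok"])
```

Note that the 42 collisions on the half-duplex port produce no finding, while 9 collisions on the full-duplex port do: the counter alone says nothing, the duplex setting decides.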

Configure Basic Router Settings


Up to now, this module has only covered switches. If you want devices to be
able to send and receive data outside of your network, you will have to
configure routers. This topic teaches you basic router configuration and
provides two Syntax Checkers and a Packet Tracer activity so you can
practice these skills.
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# hostname R1
R1(config)# enable secret class
R1(config)# line console 0
R1(config-line)# password cisco
R1(config-line)# login
R1(config-line)# exit
R1(config)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# login
R1(config-line)# exit
R1(config)# service password-encryption
R1(config)#
Note: service password-encryption only applies the reversible type 7
encoding to plaintext passwords in the configuration, such as the console
and vty passwords above. It hides them from a casual glance at show
running-config, not from anyone who obtains the configuration file. The
enable secret is stored as a one-way hash and is the one to rely on.
Configure a banner to provide legal notification of unauthorized
access, as shown in the example.
R1(config)# banner motd #Authorized Access Only!#
R1(config)#
Save the changes on a router, as shown in the example.
R1# copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
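What service password-encryption actually does to the line passwords above, as an added example (not from the module): type 7 is a fixed-key XOR that any reader of the saved configuration can reverse, which is why enable secret, stored as a one-way hash, is the control that matters. The configuration below is constructed for the example and its enable secret value is a placeholder, not a real hash; the key string and the 060506324F41 test vector are the publicly known ones.

```python
"""Reverse IOS type 7 'encrypted' passwords found in a configuration."""

# Public, fixed XOR key used by the IOS type 7 encoding
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Two-digit decimal seed, then one hex byte per character, XORed with the key."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 value is a two-digit seed followed by hex byte pairs")
    seed = int(encoded[:2])
    if not 0 <= seed < len(XLAT):
        raise ValueError("seed out of range")
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, b in enumerate(body))


def type7_encode(plain: str, seed: int = 0) -> str:
    """Forward direction so round trips can be checked; IOS picks the seed itself."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0-15")
    body = "".join(f"{ord(ch) ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}"
                   for i, ch in enumerate(plain))
    return f"{seed:02d}{body}"


# Constructed: what the R1 configuration above looks like once saved
SAMPLE_CONFIG = """\
hostname R1
service password-encryption
enable secret 5 $1$placeholder$not-a-real-hash
line con 0
 password 7 060506324F41
 login
line vty 0 4
 password 7 121A0C041104
 login
"""


def recover_line_passwords(config: str) -> dict:
    """Every type 7 password in a configuration, keyed by the line it protects."""
    recovered, context = {}, "global"
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("line "):
            context = line
        elif line.startswith("password 7 "):
            recovered[context] = type7_decode(line.split()[2])
        elif line.startswith("enable password 7 "):
            recovered["enable password"] = type7_decode(line.split()[3])
    return recovered


if __name__ == "__main__":
    print(recover_line_passwords(SAMPLE_CONFIG))
```

Both line passwords come back as the word typed in the configuration above; the enable secret line is skipped because there is nothing to reverse. Treat a configuration backup containing type 7 strings as containing the passwords in clear.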
Configure Router Interfaces
Routers support LANs and WANs and can interconnect different types of
networks; therefore, they support many types of interfaces. For example, G2
ISRs have one or two integrated Gigabit Ethernet interfaces and High-Speed
WAN Interface Card (HWIC) slots to accommodate other types of network
interfaces, including serial, DSL, and cable interfaces.
To be available, an interface must be:
 Configured with at least one IP address - Use the ip address ip-address subnet-mask and the ipv6 address ipv6-address/prefix interface configuration commands.
 Activated - By default, LAN and WAN interfaces are not activated
(shutdown). To enable an interface, it must be activated using the no
shutdown command. (This is similar to powering on the interface.)
The interface must also be connected to another device (a hub, a
switch, or another router) for the physical layer to be active.
 Description - Optionally, the interface could also be configured with a
short description of up to 240 characters. It is good practice to
configure a description on each interface. On production networks, the
benefits of interface descriptions are quickly realized as they are
helpful in troubleshooting and in identifying a third-party connection
and contact information.

The following example shows the configuration for the interfaces on R1.
R1(config)# interface gigabitethernet 0/0/0
R1(config-if)# ip address 192.168.10.1 255.255.255.0
R1(config-if)# ipv6 address 2001:db8:acad:1::1/64
R1(config-if)# description Link to LAN 1
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# interface gigabitethernet 0/0/1
R1(config-if)# ip address 192.168.11.1 255.255.255.0
R1(config-if)# ipv6 address 2001:db8:acad:2::1/64
R1(config-if)# description Link to LAN 2
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# interface serial 0/0/0
R1(config-if)# ip address 209.165.200.225 255.255.255.252
R1(config-if)# ipv6 address 2001:db8:acad:3::225/64
R1(config-if)# description Link to R2
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)#
Syntax Checker - Configure Router Interfaces
In this Syntax Checker activity, you will configure R2 with its IPv4 and IPv6
interfaces.
Configure GigabitEthernet 0/0/0.
 Use g0/0/0 to enter interface configuration mode.
 Configure the IPv4 address 10.1.1.1 and subnet
mask 255.255.255.0.
 Configure the IPv6 address 2001:db8:acad:4::1/64.
 Describe the link as Link to LAN 3.
 Activate the interface.
Router(config)#

Interface Verification Commands


There is no point in configuring your router unless you verify the
configuration and connectivity. This topic covers the commands to use
to verify directly connected networks. It includes two Syntax Checkers
and a Packet Tracer.
There are several show commands that can be used to verify the
operation and configuration of an interface. The topology in the figure
is used to demonstrate the verification of router interface settings.
The following commands are especially useful to quickly identify the
status of an interface:
 show ip interface brief and show ipv6 interface brief - These
display a summary for all interfaces including the IPv4 or IPv6 address
of the interface and current operational status.
 show running-config interface interface-id - This displays the
commands applied to the specified interface.
 show ip route and show ipv6 route - These display the contents of
the IPv4 or IPv6 routing table stored in RAM. In Cisco IOS 15, active
interfaces should appear in the routing table with two related entries
identified by the code ‘C’ (Connected) or ‘L’ (Local). In previous IOS
versions, only a single entry with the code ‘C’ will appear.
Verify Interface Status
The output of the show ip interface brief and show ipv6 interface
brief commands can be used to quickly reveal the status of all
interfaces on the router. You can verify that the interfaces are active
and operational as indicated by the Status of “up” and Protocol of “up”,
as shown in the example. A different output would indicate a problem
with either the configuration or the cabling.

MODULE - 2

Switching in Networking
The concept of switching and forwarding frames is universal in networking
and telecommunications. Various types of switches are used in LANs, WANs,
and in the public switched telephone network (PSTN).
The decision on how a switch forwards traffic is made based on the flow of
that traffic. There are two terms associated with frames entering and leaving
an interface:
 Ingress - This is used to describe the port where a frame enters the
device.
 Egress - This is used to describe the port that frames will use when
leaving the device.
A LAN switch maintains a table that is referenced when forwarding traffic
through the switch. The only intelligence of a LAN switch is its ability to use
its table to forward traffic. A LAN switch forwards traffic based on the ingress
port and the destination MAC address of an Ethernet frame. With a LAN
switch, there is only one master switching table that describes a strict
association between MAC addresses and ports; therefore, an Ethernet frame
with a given destination address always exits the same egress port,
regardless of the ingress port it enters.
Alleviate Network Congestion
LAN switches have special characteristics that help them alleviate network
congestion. By default, interconnected switch ports attempt to establish a
link in full-duplex, therefore eliminating collision domains. Each full-duplex
port of the switch provides the full bandwidth to the device or devices that
are connected to that port. Full-duplex connections have dramatically
increased LAN network performance, and are required for 1 Gbps Ethernet
speeds and higher.
Switches interconnect LAN segments, use a MAC address table to determine
egress ports, and can lessen or eliminate collisions entirely. Characteristics of
switches that alleviate network congestion include the following:
 Fast port speeds - Ethernet switch port speeds vary by model and
purpose. For instance, most access layer switches support 100 Mbps
and 1 Gbps port speeds. Distribution layer switches support 100 Mbps,
1 Gbps, and 10 Gbps port speeds and core layer and data center
switches may support 100 Gbps, 40 Gbps, and 10 Gbps port speeds.
Switches with faster port speeds cost more but can reduce congestion.
 Fast internal switching - Switches use a fast internal bus or shared
memory to provide high performance.
 Large frame buffers - Switches use large memory buffers to
temporarily store more received frames before having to start dropping
them. This enables ingress traffic from a faster port (e.g., 1 Gbps) to be
forwarded to a slower (e.g., 100 Mbps) egress port without losing
frames.
 High port density - A high port density switch lowers overall costs
because it reduces the number of switches required. For instance, if 96
access ports were required, it would be less expensive to buy two 48-
port switches instead of four 24-port switches. High port density
switches also help keep traffic local, which helps alleviate congestion.
MODULE - 3
VLANs allow an administrator to segment networks based on factors such as
function, team, or application, without regard for the physical location of the users
or devices. Each VLAN is considered a separate logical network. Devices within a
VLAN act as if they are in their own independent network, even if they share a
common infrastructure with other VLANs. Any switch port can belong to a VLAN.

Unicast, broadcast, and multicast packets are forwarded and flooded only to
end devices within the VLAN where the packets are sourced. Packets
destined for devices that do not belong to the VLAN must be forwarded
through a device that supports routing.
Multiple IP subnets can exist on a switched network, without the use of
multiple VLANs. However, the devices will be in the same Layer 2 broadcast
domain. This means that any Layer 2 broadcasts, such as an ARP request,
will be received by all devices on the switched network, even by those not
intended to receive the broadcast.
A VLAN creates a logical broadcast domain that can span multiple physical
LAN segments. VLANs improve network performance by separating large
broadcast domains into smaller ones. If a device in one VLAN sends a
broadcast Ethernet frame, all devices in the VLAN receive the frame, but
devices in other VLANs do not.
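The forwarding rule described in Module 2 (egress chosen from the ingress port and destination MAC, one table entry per address) together with the VLAN rule just stated (broadcasts, multicasts and unknown unicasts flooded only within the source VLAN), as a small simulation. This is an added example, not the module's own material; the port names, VLAN assignments and MAC addresses are made up.

```python
"""A minimal VLAN-aware learning switch with access ports only."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the I/G bit (LSB of the first octet) set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class LearningSwitch:
    def __init__(self, port_vlan: dict):
        # access port -> VLAN; one VLAN per port, as on a Catalyst access port
        self.port_vlan = dict(port_vlan)
        # (vlan, mac) -> port; keyed per VLAN so the same address seen in two
        # VLANs never shares one entry
        self.mac_table = {}

    def receive(self, ingress: str, src: str, dst: str) -> list:
        """Return the egress ports for a frame entering on 'ingress'."""
        vlan = self.port_vlan[ingress]
        self.mac_table[(vlan, src)] = ingress            # learn / refresh the source
        if is_group_address(dst) or (vlan, dst) not in self.mac_table:
            # flood, but only to other ports in the same VLAN
            return [p for p, v in sorted(self.port_vlan.items())
                    if v == vlan and p != ingress]
        egress = self.mac_table[(vlan, dst)]
        # the table fixes the egress port; a frame whose destination sits on
        # the ingress port is filtered rather than sent back out
        return [] if egress == ingress else [egress]


if __name__ == "__main__":
    sw = LearningSwitch({"Fa0/1": 10, "Fa0/2": 10, "Fa0/3": 20, "Fa0/4": 20})
    pc1, pc2 = "00:00:00:00:00:0a", "00:00:00:00:00:0b"
    print(sw.receive("Fa0/1", pc1, BROADCAST))   # flooded to VLAN 10 only
    print(sw.receive("Fa0/2", pc2, pc1))         # pc1 already learned on Fa0/1
```

The ARP request in the paragraph above is the broadcast case: with two VLANs configured it reaches the other port of its own VLAN and nothing in the other VLAN, whatever the destination host's address.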
Using VLANs, network administrators can implement access and security
policies according to specific groupings of users. Each switch port can be
assigned to only one VLAN (except for a port connected to an IP phone or to
another switch).

Default VLAN
The default VLAN on a Cisco switch is VLAN 1. Therefore, all switch ports are
on VLAN 1 unless it is explicitly configured to be on another VLAN. By
default, all Layer 2 control traffic is associated with VLAN 1.
Important facts to remember about VLAN 1 include the following:
 All ports are assigned to VLAN 1 by default.
 The native VLAN is VLAN 1 by default.
 The management VLAN is VLAN 1 by default.
 VLAN 1 cannot be renamed or deleted.
For instance, in the show vlan brief output, all ports are currently assigned
to the default VLAN 1. No native VLAN is explicitly assigned and no other
VLANs are active; therefore, the network is running with the native VLAN
the same as the management VLAN. This is considered a security risk.

Native VLAN
User traffic from a VLAN must be tagged with its VLAN ID when it is sent to
another switch. Trunk ports are used between switches to support the
transmission of tagged traffic. Specifically, an 802.1Q trunk port inserts a 4-
byte tag in the Ethernet frame header to identify the VLAN to which the
frame belongs.
A switch may also have to send untagged traffic across a trunk link.
Untagged traffic is generated by a switch and may also come from legacy
devices. The 802.1Q trunk port places untagged traffic on the native VLAN.
The native VLAN on a Cisco switch is VLAN 1 (i.e., default VLAN).
It is a best practice to configure the native VLAN as an unused VLAN, distinct
from VLAN 1 and other VLANs. In fact, it is not unusual to dedicate a fixed
VLAN to serve the role of the native VLAN for all trunk ports in the switched
domain.
Defining VLAN Trunks
VLANs would not be very useful without VLAN trunks. VLAN trunks allow all
VLAN traffic to propagate between switches. This enables devices connected
to different switches but in the same VLAN to communicate without going
through a router.
A trunk is a point-to-point link between two network devices that carries
more than one VLAN. A VLAN trunk extends VLANs across an entire network.
Cisco supports IEEE 802.1Q for coordinating trunks on Fast Ethernet, Gigabit
Ethernet, and 10-Gigabit Ethernet interfaces.
A VLAN trunk does not belong to a specific VLAN. Instead, it is a conduit for
multiple VLANs between switches and routers. A trunk could also be used
between a network device and server or another device that is equipped with
an appropriate 802.1Q-capable NIC. By default, on a Cisco Catalyst switch,
all VLANs are supported on a trunk port.
In the figure, the highlighted links between switches S1 and S2, and S1 and
S3 are configured to transmit traffic coming from VLANs 10, 20, 30, and 99
Network with VLANs
VLANs are associated with and configured on individual switch ports. Devices
attached to those ports have no concept of VLANs. However, these devices
are configured with IP addressing and are members of a specific IP network.
This is where the connection between VLAN and IP network is apparent. A
VLAN is the equivalent to an IP network (or subnet). VLANs are configured on
the switch, whereas IP addressing is configured on the device.
Click Play in the animation to see that the same network has now been
segmented using two VLANs. Faculty devices are assigned to VLAN 10 and
student devices are assigned to VLAN 20. When a broadcast frame is sent
from the faculty computer, PC1, to switch S2, the switch forwards that
broadcast frame only to those switch ports configured to support VLAN 10.
Native VLANs and 802.1Q Tagging
The IEEE 802.1Q standard specifies a native VLAN for trunk links, which
defaults to VLAN 1. When an untagged frame arrives on a trunk port it is
assigned to the native VLAN. Management frames that are sent between
switches are an example of traffic that is typically untagged. If the link
between two switches is a trunk, the switch sends the untagged traffic on
the native VLAN.
Tagged Frames on the Native VLAN
Some devices that support trunking add a VLAN tag to native VLAN traffic.
Control traffic sent on the native VLAN should not be tagged. If an 802.1Q
trunk port receives a tagged frame with the VLAN ID that is the same as the
native VLAN, it drops the frame. Consequently, when configuring a switch
port on a Cisco switch, configure devices so that they do not send tagged
frames on the native VLAN. Devices from other vendors that support tagged
frames on the native VLAN include IP phones, servers, routers, and non-Cisco
switches.
Untagged Frames on the Native VLAN
When a Cisco switch trunk port receives untagged frames (which are unusual
in a well-designed network), it forwards those frames to the native VLAN. If
there are no devices associated with the native VLAN (which is not unusual)
and there are no other trunk ports (which is not unusual), then the frame is
dropped. The default native VLAN is VLAN 1. When configuring an 802.1Q
trunk port, a default Port VLAN ID (PVID) is assigned the value of the native
VLAN ID. All untagged traffic coming in or out of the 802.1Q port is forwarded
based on the PVID value. For example, if VLAN 99 is configured as the native
VLAN, the PVID is 99 and all untagged traffic is forwarded to VLAN 99. If the
native VLAN has not been reconfigured, the PVID value is set to VLAN 1.
VLAN Creation Commands
When configuring normal range VLANs, the configuration details are stored in
flash memory on the switch in a file called vlan.dat. Flash memory is
persistent and does not require the copy running-config startup-
config command. However, because other details are often configured on a
Cisco switch at the same time that VLANs are created, it is good practice to
save running configuration changes to the startup configuration.
VLAN Port Assignment Commands
After creating a VLAN, the next step is to assign ports to the VLAN.
The table displays the syntax for defining a port to be an access port and
assigning it to a VLAN. The switchport mode access command is optional,
but strongly recommended as a security best practice. With this command,
the interface changes to strictly access mode. Access mode indicates that
the port belongs to a single VLAN and will not negotiate to become a trunk
link.

Trunk Configuration Commands


Now that you have configured and verified VLANs, it is time to configure and
verify VLAN trunks. A VLAN trunk is a Layer 2 link between two switches that
carries traffic for all VLANs
The example shows the configuration of port F0/1 on switch S1 as a trunk
port. The native VLAN is changed to VLAN 99 and the allowed VLAN list is
restricted to 10, 20, 30, and 99.
S1(config)# interface fastEthernet 0/1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk native vlan 99
S1(config-if)# switchport trunk allowed vlan 10,20,30,99
S1(config-if)# end
Note: This configuration assumes the use of Cisco Catalyst 2960 switches
which automatically use 802.1Q encapsulation on trunk links. Other switches
may require manual configuration of the encapsulation. Always configure
both ends of a trunk link with the same native VLAN. If 802.1Q trunk
configuration is not the same on both ends, Cisco IOS Software reports
errors.
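A check for the three things this note asks for on a trunk (both ends forced to trunk, the same native VLAN on both ends, the native VLAN not VLAN 1 and not a VLAN that carries real traffic) plus the allowed list comparison. This is an added example, not part of the module: the S1 port configuration is the one shown above, while both S2 configurations are constructed, one left at Catalyst defaults and one matching S1.

```python
"""Compare both ends of an 802.1Q trunk for native VLAN and allowed list mismatches."""
import re

ALL_VLANS = frozenset(range(1, 4095))

S1_FA01 = """\
interface fastEthernet 0/1
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,30,99
"""

# Constructed: a far end that was only told to trunk, so it keeps the defaults
S2_FA01_DEFAULTS = """\
interface fastEthernet 0/1
 switchport mode trunk
"""

# Constructed: the far end after it was given the same trunk settings as S1
S2_FA01_FIXED = S1_FA01


def expand_vlan_list(spec: str) -> set:
    """'10,20,30-32' -> {10, 20, 30, 31, 32}"""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_switchport(config: str) -> dict:
    """Defaults mirror a Catalyst port: native VLAN 1, every VLAN allowed, mode not forced."""
    port = {"mode": "dynamic", "native": 1, "allowed": ALL_VLANS}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"switchport mode (access|trunk)", line):
            port["mode"] = m.group(1)
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
            port["native"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport trunk allowed vlan ([\d,\-]+)", line):
            port["allowed"] = frozenset(expand_vlan_list(m.group(1)))
    return port


def check_trunk(name_a, cfg_a, name_b, cfg_b, in_use_vlans=()) -> list:
    """Findings for one trunk link; an empty list means the ends agree and follow the guidance."""
    ends = [(name_a, parse_switchport(cfg_a)), (name_b, parse_switchport(cfg_b))]
    findings = []
    for name, p in ends:
        if p["mode"] != "trunk":
            findings.append(f"{name}: mode {p['mode']}, trunking left to negotiation")
        if p["native"] == 1:
            findings.append(f"{name}: native VLAN is the default VLAN 1")
        elif p["native"] in in_use_vlans:
            findings.append(f"{name}: native VLAN {p['native']} also carries user or management traffic")
        if p["allowed"] == ALL_VLANS:
            findings.append(f"{name}: allowed list not restricted, every VLAN is carried")
    (na, a), (nb, b) = ends
    if a["native"] != b["native"]:
        findings.append(f"native VLAN mismatch: {na}={a['native']} {nb}={b['native']}")
    if a["allowed"] != b["allowed"]:
        only_a = sorted(a["allowed"] - b["allowed"])[:5]
        only_b = sorted(b["allowed"] - a["allowed"])[:5]
        findings.append(f"allowed VLAN lists differ: only {na} {only_a}, only {nb} {only_b}")
    return findings


if __name__ == "__main__":
    for f in check_trunk("S1 Fa0/1", S1_FA01, "S2 Fa0/1", S2_FA01_DEFAULTS, (10, 20, 30)):
        print(f)
```

Passing VLAN 99 in in_use_vlans (it is the management VLAN in the S2 configuration of Module 4) flags the S1 configuration as well, which is the point made earlier about a native VLAN that doubles as the management VLAN; a dedicated, otherwise unused VLAN as native clears it.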

MODULE - 4

What is Inter-VLAN Routing?


VLANs are used to segment switched Layer 2 networks for a variety of
reasons. Regardless of the reason, hosts in one VLAN cannot communicate
with hosts in another VLAN unless there is a router or a Layer 3 switch to
provide routing services.
Inter-VLAN routing is the process of forwarding network traffic from one VLAN
to another VLAN.
There are three inter-VLAN routing options:
 Legacy Inter-VLAN routing - This is a legacy solution. It does not
scale well.
 Router-on-a-Stick - This is an acceptable solution for a small to
medium-sized network.
 Layer 3 switch using switched virtual interfaces (SVIs) - This is
the most scalable solution for medium to large organizations.

Router-on-a-Stick Inter-VLAN Routing

 The ‘router-on-a-stick’ inter-VLAN routing method overcomes the limitation of the legacy inter-
VLAN routing method. It only requires one physical Ethernet interface to route traffic between
multiple VLANs on a network.
 A Cisco IOS router Ethernet interface is configured as an 802.1Q trunk and connected to a
trunk port on a Layer 2 switch. Specifically, the router interface is configured using
subinterfaces to identify routable VLANs.
 The configured subinterfaces are software-based virtual interfaces. Each is associated with a
single physical Ethernet interface. Subinterfaces are configured in software on a router. Each
subinterface is independently configured with an IP address and VLAN assignment.
Subinterfaces are configured for different subnets that correspond to their VLAN assignment.
This facilitates logical routing.
 When VLAN-tagged traffic enters the router interface, it is forwarded to the VLAN subinterface.
After a routing decision is made based on the destination IP network address, the router
determines the exit interface for the traffic. If the exit interface is configured as an 802.1Q
subinterface, the data frames are VLAN-tagged with the new VLAN and sent back out the
physical interface.

1. Create and name the VLANs.

First, the VLANs are created and named. VLANs are only created after you exit out of VLAN
subconfiguration mode.

S1(config)# vlan 10
S1(config-vlan)# name LAN10
S1(config-vlan)# exit
S1(config)# vlan 20
S1(config-vlan)# name LAN20
S1(config-vlan)# exit
S1(config)# vlan 99
S1(config-vlan)# name Management
S1(config-vlan)# exit
S1(config)#

S2 VLAN and Trunking Configuration

S2(config)# vlan 10
S2(config-vlan)# name LAN10
S2(config-vlan)# exit
S2(config)# vlan 20
S2(config-vlan)# name LAN20
S2(config-vlan)# exit
S2(config)# vlan 99
S2(config-vlan)# name Management
S2(config-vlan)# exit
S2(config)# interface vlan 99
S2(config-if)# ip add 192.168.99.3 255.255.255.0
S2(config-if)# no shut
S2(config-if)# exit
S2(config)# ip default-gateway 192.168.99.1
S2(config)# interface fa0/18
S2(config-if)# switchport mode access
S2(config-if)# switchport access vlan 20
S2(config-if)# no shut
S2(config-if)# exit
S2(config)# interface fa0/1
S2(config-if)# switchport mode trunk
S2(config-if)# no shut
S2(config-if)# end
S2#
*Mar 1 00:23:52.137: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

R1 Subinterface Configuration
R1(config)# interface G0/0/1.10
R1(config-subif)# description Default Gateway for VLAN 10
R1(config-subif)# encapsulation dot1Q 10
R1(config-subif)# ip add 192.168.10.1 255.255.255.0
R1(config-subif)# exit
R1(config)#
R1(config)# interface G0/0/1.20
R1(config-subif)# description Default Gateway for VLAN 20
R1(config-subif)# encapsulation dot1Q 20
R1(config-subif)# ip add 192.168.20.1 255.255.255.0
R1(config-subif)# exit
R1(config)#
R1(config)# interface G0/0/1.99
R1(config-subif)# description Default Gateway for VLAN 99
R1(config-subif)# encapsulation dot1Q 99
R1(config-subif)# ip add 192.168.99.1 255.255.255.0
R1(config-subif)# exit
R1(config)#
R1(config)# interface G0/0/1
R1(config-if)# description Trunk link to S1
R1(config-if)# no shut
R1(config-if)# end
R1#
*Sep 15 19:08:47.015: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/1,
changed state to down
*Sep 15 19:08:50.071: %LINK-3-UPDOWN: Interface GigabitEthernet0/0/1,
changed state to up
*Sep 15 19:08:51.071: %LINEPROTO-5-UPDOWN: Line protocol on Interface
GigabitEthernet0/0/1, changed state to up
R1#

Routing on a Layer 3 Switch


If VLANs are to be reachable by other Layer 3 devices, then they must be
advertised using static or dynamic routing. To enable routing on a Layer 3
switch, a routed port must be configured.
A routed port is created on a Layer 3 switch by disabling the switchport
feature on a Layer 2 port that is connected to another Layer 3 device.
Specifically, configuring the no switchport interface configuration
command on a Layer 2 port converts it into a Layer 3 interface. Then the
interface can be configured with an IPv4 configuration to connect to a router
or another Layer 3 switch.
Routing Configuration on a Layer 3 Switch
Complete the following steps to configure D1 to route with R1:
Step 1. Configure the routed port.
Step 2. Enable routing.
Step 3. Configure routing.
Step 4. Verify routing.
Step 5. Verify connectivity.
Switch Trunk Port Issues
Another issue for inter-VLAN routing includes misconfigured switch ports. In a
legacy inter-VLAN solution, this could be caused when the connecting router
port is not assigned to the correct VLAN.
However, with a router-on-a-stick solution, the most common cause is a
misconfigured trunk port.
For example, assume PC1 was able to connect to hosts in other VLANs until
recently. A quick look at maintenance logs revealed that the S1 Layer 2
switch was recently accessed for routine maintenance. Therefore, you
suspect the problem may be related to that switch.
Router Configuration Issues
Router-on-a-stick configuration problems are usually related to subinterface
misconfigurations. For example, an incorrect IP address was configured or
the wrong VLAN ID was assigned to the subinterface.
R1# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   unassigned      YES unset  administratively down down
GigabitEthernet0/0/1   unassigned      YES unset  up                    up
Gi0/0/1.10             192.168.10.1    YES manual up                    up
Gi0/0/1.20             192.168.20.1    YES manual up                    up
Gi0/0/1.99             192.168.99.1    YES manual up                    up
Serial0/1/0            unassigned      YES unset  administratively down down
Serial0/1/1            unassigned      YES unset  administratively down down
R1#
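The Status/Protocol check from the Module 1 verification notes and this troubleshooting section, applied to the R1 output above by code. This is an added example, not from the module; the output is the one shown on this page, and the classification wording is the example's own. One detail worth knowing: IOS prints the parent interface in full (GigabitEthernet0/0/1) but abbreviates its subinterfaces (Gi0/0/1.10), so matching a subinterface to its parent needs the names normalised first.

```python
"""Classify each row of 'show ip interface brief' by its Status/Protocol pair."""
import re

R1_OUTPUT = """\
R1# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   unassigned      YES unset  administratively down down
GigabitEthernet0/0/1   unassigned      YES unset  up                    up
Gi0/0/1.10             192.168.10.1    YES manual up                    up
Gi0/0/1.20             192.168.20.1    YES manual up                    up
Gi0/0/1.99             192.168.99.1    YES manual up                    up
Serial0/1/0            unassigned      YES unset  administratively down down
Serial0/1/1            unassigned      YES unset  administratively down down
R1#
"""

ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ip>\S+)\s+(?P<ok>YES|NO)\s+(?P<method>\S+)\s+"
    r"(?P<status>up|down|administratively down)\s+(?P<proto>up|down)$")

# Long names used for parents, short names used for subinterfaces
ABBREV = {"GigabitEthernet": "Gi", "FastEthernet": "Fa", "Serial": "Se", "Vlan": "Vl"}


def short_name(name: str) -> str:
    for long, short in ABBREV.items():
        if name.startswith(long):
            return short + name[len(long):]
    return name


def parse_ip_int_brief(text: str) -> list:
    """Keep only lines that look like interface rows; prompt and header are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def classify(rows: list) -> dict:
    """Map each interface to what its Status/Protocol pair says should happen next."""
    by_short = {short_name(r["name"]): r for r in rows}
    parents = {n.split(".")[0] for n in by_short if "." in n}
    verdict = {}
    for r in rows:
        name, sname = r["name"], short_name(r["name"])
        parent = by_short.get(sname.split(".")[0]) if "." in sname else None
        if r["status"] == "administratively down":
            verdict[name] = "shutdown: needs 'no shutdown'"
        elif r["status"] == "down":
            verdict[name] = "down/down: no link, check cabling and speed"
        elif r["proto"] == "down":
            verdict[name] = "up/down: link present but Layer 2 not up"
        elif parent is not None and (parent["status"], parent["proto"]) != ("up", "up"):
            verdict[name] = f"subinterface parent {parent['name']} is not up/up"
        elif r["ip"] == "unassigned" and sname not in parents:
            # a trunk parent legitimately has no address; anything else up/up without one is unusable
            verdict[name] = "up/up but no IP address configured"
        else:
            verdict[name] = "ok"
    return verdict


if __name__ == "__main__":
    for name, v in classify(parse_ip_int_brief(R1_OUTPUT)).items():
        print(f"{name:22} {v}")
```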
MODULE - 5

Redundancy in Layer 2 Switched Networks


This topic covers the causes of loops in a Layer 2 network and briefly
explains how spanning tree protocol works. Redundancy is an important part
of the hierarchical design for eliminating single points of failure and
preventing disruption of network services to users. Redundant networks
require the addition of physical paths, but logical redundancy must also be
part of the design. Having alternate physical paths for data to traverse the
network makes it possible for users to access network resources, despite
path disruption. However, redundant paths in a switched Ethernet network
may cause both physical and logical Layer 2 loops.
Ethernet LANs require a loop-free topology with a single path between any
two devices. A loop in an Ethernet LAN can cause continued propagation of
Ethernet frames until a link is disrupted and breaks the loop.
Spanning Tree Protocol
Spanning Tree Protocol (STP) is a loop-prevention network protocol that
allows for redundancy while creating a loop-free Layer 2 topology. IEEE
802.1D is the original IEEE MAC Bridging standard for STP.
Broadcast Storm
A broadcast storm is an abnormally high number of broadcasts
overwhelming the network during a specific amount of time. Broadcast
storms can disable a network within seconds by overwhelming switches and
end devices. Broadcast storms can be caused by a hardware problem such
as a faulty NIC or from a Layer 2 loop in the network.
Layer 2 broadcasts in a network, such as ARP Requests, are very common. A
Layer 2 loop is likely to have immediate and disabling consequences on the
network. Layer 2 multicasts are typically forwarded the same way as a
broadcast by the switch. So, although IPv6 packets are never forwarded as a
Layer 2 broadcast, ICMPv6 Neighbor Discovery uses Layer 2 multicasts.
The Spanning Tree Algorithm
STP is based on an algorithm invented by Radia Perlman while working for
Digital Equipment Corporation, and published in the 1985 paper "An
Algorithm for Distributed Computation of a Spanning Tree in an Extended
LAN.” Her spanning tree algorithm (STA) creates a loop-free topology by
selecting a single root bridge where all other switches determine a single
least-cost path.
Without the loop prevention protocol, loops would occur rendering a
redundant switch network inoperable.
Steps to a Loop-Free Topology
Now you know how loops are created and the basics of using spanning tree
protocol to prevent them. This topic will take you, step by step, through the
operation of STP. Using the STA, STP builds a loop-free topology in a four-step
process:
1. Elect the root bridge.
2. Elect the root ports.
3. Elect designated ports.
4. Elect alternate (blocked) ports.
During STA and STP functions, switches use Bridge Protocol Data Units
(BPDUs) to share information about themselves and their connections.
BPDUs are used to elect the root bridge, root ports, designated ports, and
alternate ports. Each BPDU contains a bridge ID (BID) that identifies which
switch sent the BPDU. The BID is involved in making many of the STA
decisions including root bridge and port roles. As shown in the figure, the BID
contains a priority value, an extended system ID, and the MAC address of the
switch. The lowest BID value is determined by the combination of these three
fields.
Figure: Bridge ID with the Extended System ID. The BID is made up of the
Bridge Priority (4 bits), the Extended System ID (12 bits), and the MAC
address of the switch (48 bits).
Bridge Priority
The default priority value for all Cisco switches is the decimal value 32768.
The range is 0 to 61440 in increments of 4096. A lower bridge priority is
preferable. A bridge priority of 0 takes precedence over all other bridge
priorities.
Extended System ID
The extended system ID value is a decimal value added to the bridge priority
value in the BID to identify the VLAN for this BPDU.
Early implementations of IEEE 802.1D were designed for networks that did
not use VLANs. There was a single common spanning tree across all
switches. For this reason, in older switches, the extended system ID was not
included in the BPDUs. As VLANs became common for network infrastructure
segmentation, 802.1D was enhanced to include support for VLANs, which
required that the 12-bit VLAN ID be included in the BPDU frame. VLAN
information is included in the BPDU frame through the use of the extended
system ID.
The extended system ID allows later implementations of STP to have
different root bridges for different sets of VLANs. This can allow for
redundant, non-forwarding links in an STP topology for one set of VLANs to be
used by a different set of VLANs using a different root bridge.
MAC address
When two switches are configured with the same priority and have the same
extended system ID, the switch having the MAC address with the lowest
value, expressed in hexadecimal, will have the lower BID.
Determine the Root Path Cost
When the root bridge has been elected for a given spanning tree instance,
the STA starts the process of determining the best paths to the root bridge
from all destinations in the broadcast domain. The path information, known
as the internal root path cost, is determined by the sum of all the individual
port costs along the path from the switch to the root bridge.
Note: The BPDU includes the root path cost. This is the cost of the path from
the sending switch to the root bridge.
When a switch receives the BPDU, it adds the ingress port cost of the
segment to determine its internal root path cost.
The default port costs are defined by the speed at which the port operates.
The table shows the default port costs suggested by IEEE. Cisco switches by
default use the values as defined by the IEEE 802.1D standard, also known
as the short path cost, for both STP and RSTP. However, the IEEE standard
suggests using the values defined in IEEE 802.1w, also known as the long
path cost, when using 10 Gbps links and faster.
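As an added worked example (not course material), the Python below builds the BID described above for a given VLAN, elects the root bridge, and then computes each switch's internal root path cost from the IEEE 802.1D short port costs; the switch names, MAC addresses and links are constructed for illustration.

```python
from dataclasses import dataclass
import heapq

# IEEE 802.1D "short" default port costs (the values Cisco uses by default),
# keyed by link speed in Mbps.
SHORT_PATH_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


@dataclass(frozen=True)
class Switch:
    name: str
    mac: str                # constructed sample MAC, e.g. "00:1a:2b:3c:4d:5e"
    priority: int = 32768   # Cisco default; multiples of 4096, 0..61440

    def bid(self, vlan: int) -> tuple:
        """BID as a comparable tuple: (priority + extended system ID, MAC).
        The extended system ID carries the 12-bit VLAN ID of the BPDU."""
        if self.priority % 4096 or not 0 <= self.priority <= 61440:
            raise ValueError("priority must be 0..61440 in steps of 4096")
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID must fit in the 12-bit extended system ID")
        return (self.priority + vlan, int(self.mac.replace(":", ""), 16))


def elect_root(switches, vlan: int) -> Switch:
    """STA step 1: the switch with the lowest BID for this VLAN is the root."""
    return min(switches, key=lambda s: s.bid(vlan))


def root_path_costs(root: str, links) -> dict:
    """Internal root path cost of every switch: the sum of ingress port costs
    along the cheapest path to the root. links: (switch_a, switch_b, Mbps)."""
    adj = {}
    for a, b, speed in links:
        cost = SHORT_PATH_COST[speed]
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    best = {root: 0}            # the root advertises a root path cost of 0
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node]:
            continue            # stale entry; a cheaper path was already found
        for nxt, port_cost in adj.get(node, []):
            # A switch receiving the BPDU adds its own ingress port cost.
            if cost + port_cost < best.get(nxt, float("inf")):
                best[nxt] = cost + port_cost
                heapq.heappush(heap, (cost + port_cost, nxt))
    return best
```

A useful defender's check is to run `elect_root` over the switches you intend to have in a VLAN and confirm the result is the switch you deliberately gave the lowest priority.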
Per-VLAN Spanning Tree
Up until now, we have discussed STP in an environment where there is only
one VLAN. However, STP can be configured to operate in an environment
with multiple VLANs.
In Per-VLAN Spanning Tree (PVST) versions of STP, there is a root bridge
elected for each spanning tree instance. This makes it possible to have
different root bridges for different sets of VLANs. STP operates a separate
instance of STP for each individual VLAN. If all ports on all switches are
members of VLAN 1, then there is only one spanning tree instance.
PortFast and BPDU Guard
When a device is connected to a switch port or when a switch powers up, the
switch port goes through both the listening and learning states, each time
waiting for the Forward Delay timer to expire. This delay is 15 seconds for
each state, listening and learning, for a total of 30 seconds. This delay can
present a problem for DHCP clients trying to discover a DHCP server. DHCP
messages from the connected host will not be forwarded for the 30 seconds
of Forward Delay timers and the DHCP process may timeout. The result is
that an IPv4 client will not receive a valid IPv4 address.
Note: Although this may occur with clients sending ICMPv6 Router
Solicitation messages, the router will continue to send ICMPv6 Router
Advertisement messages so the device will know how to obtain its address
information.
When a switch port is configured with PortFast, that port transitions from
blocking to forwarding state immediately, bypassing the usual 802.1D STP
transition states (the listening and learning states) and avoiding a 30 second
delay. You can use PortFast on access ports to allow devices connected to
these ports, such as DHCP clients, to access the network immediately, rather
than waiting for IEEE 802.1D STP to converge on each VLAN. Because the
purpose of PortFast is to minimize the time that access ports must wait for
spanning tree to converge, it should only be used on access ports. If you
enable PortFast on a port connecting to another switch, you risk creating a
spanning tree loop. PortFast is only for use on switch ports that connect to
end devices.

MODULE – 6
EtherChannel Operation
Link Aggregation
There are scenarios in which more bandwidth or redundancy between
devices is needed than what can be provided by a single link. Multiple links
could be connected between devices to increase bandwidth. However,
Spanning Tree Protocol (STP), which is enabled on Layer 2 devices like Cisco
switches by default, will block redundant links to prevent switching loops, as
shown in the figure.
A link aggregation technology is needed that allows redundant links between
devices that will not be blocked by STP. That technology is known as
EtherChannel.
EtherChannel is a link aggregation technology that groups multiple physical
Ethernet links together into one single logical link. It is used to provide fault-
tolerance, load sharing, increased bandwidth, and redundancy between
switches, routers, and servers.
EtherChannel technology makes it possible to combine the number of
physical links between the switches to increase the overall speed of switch-
to-switch communication.

Advantages of EtherChannel
EtherChannel technology has many advantages, including the following:
 Most configuration tasks can be done on the EtherChannel interface
instead of on each individual port, ensuring configuration consistency
throughout the links.
 EtherChannel relies on existing switch ports. There is no need to
upgrade the link to a faster and more expensive connection to have
more bandwidth.
 Load balancing takes place between links that are part of the same
EtherChannel. Depending on the hardware platform, one or more load-
balancing methods can be implemented. These methods include
source MAC and destination MAC load balancing, or source IP and
destination IP load balancing, across the physical links.
 EtherChannel creates an aggregation that is seen as one logical link.
When several EtherChannel bundles exist between two switches, STP
may block one of the bundles to prevent switching loops. When STP
blocks one of the redundant links, it blocks the entire EtherChannel.
This blocks all the ports belonging to that EtherChannel link. Where
there is only one EtherChannel link, all physical links in the
EtherChannel are active because STP sees only one (logical) link.
 EtherChannel provides redundancy because the overall link is seen as
one logical connection. Additionally, the loss of one physical link within
the channel does not create a change in the topology. Therefore, a
spanning tree recalculation is not required. Assuming at least one
physical link is present, the EtherChannel remains functional, even if
its overall throughput decreases because of a lost link within the
EtherChannel.
Implementation Restrictions
EtherChannel implementation on the Catalyst 2960 switch has certain
implementation restrictions, including the following:
 Interface types cannot be mixed. For example, Fast Ethernet and
Gigabit Ethernet cannot be mixed within a single EtherChannel.
 Currently each EtherChannel can consist of up to eight compatibly
configured Ethernet ports. EtherChannel provides full-duplex
bandwidth up to 800 Mbps (Fast EtherChannel) or 8 Gbps (Gigabit
EtherChannel) between one switch and another switch or host.
 The Cisco Catalyst 2960 Layer 2 switch currently supports up to six
EtherChannels. However, as new IOSs are developed and platforms
change, some cards and platforms may support increased numbers of
ports within an EtherChannel link, as well as support an increased
number of Gigabit EtherChannels.
 The individual EtherChannel group member port configuration must be
consistent on both devices. If the physical ports of one side are
configured as trunks, the physical ports of the other side must also be
configured as trunks within the same native VLAN. Additionally, all
ports in each EtherChannel link must be configured as Layer 2 ports.
 Each EtherChannel has a logical port channel interface, as shown in
the figure. A configuration applied to the port channel interface affects
all physical interfaces that are assigned to that interface.
PAgP Operation
PAgP (pronounced “Pag - P”) is a Cisco-proprietary protocol that aids in the
automatic creation of EtherChannel links. When an EtherChannel link is
configured using PAgP, PAgP packets are sent between EtherChannel-capable
ports to negotiate the forming of a channel. When PAgP identifies matched
Ethernet links, it groups the links into an EtherChannel. The EtherChannel is
then added to the spanning tree as a single port.
When enabled, PAgP also manages the EtherChannel. PAgP packets are sent
every 30 seconds. PAgP checks for configuration consistency and manages
link additions and failures between two switches. It ensures that when an
EtherChannel is created, all ports have the same type of configuration.
Note: In EtherChannel, it is mandatory that all ports have the same speed,
duplex setting, and VLAN information. Any port-channel modification after
the creation of the channel also changes the aggregated channel ports.
PAgP helps create the EtherChannel link by detecting the configuration of
each side and ensuring that links are compatible so that the EtherChannel
link can be enabled when needed. The PAgP modes are as follows:
 On - This mode forces the interface to channel without PAgP. Interfaces
configured in the on mode do not exchange PAgP packets.
 PAgP desirable - This PAgP mode places an interface in an active
negotiating state in which the interface initiates negotiations with
other interfaces by sending PAgP packets.
 PAgP auto - This PAgP mode places an interface in a passive
negotiating state in which the interface responds to the PAgP packets
that it receives but does not initiate PAgP negotiation.
The modes must be compatible on each side. If one side is configured to be
in auto mode, it is placed in a passive state, waiting for the other side to
initiate the EtherChannel negotiation. If the other side is also set to auto, the
negotiation never starts and the EtherChannel does not form. If all modes
are disabled by using the no command, or if no mode is configured, then the
EtherChannel is disabled.
The on mode manually places the interface in an EtherChannel, without any
negotiation. It works only if the other side is also set to on. If the other side is
set to negotiate parameters through PAgP, no EtherChannel forms, because
the side that is set to on mode does not negotiate.
No negotiation between the two switches means there is no checking to
make sure that all the links in the EtherChannel are terminating on the other
side, or that there is PAgP compatibility on the other switch.
Configuration Guidelines
Now that you know what EtherChannel is, this topic explains how to
configure it. The following guidelines and restrictions are useful for
configuring EtherChannel:
 EtherChannel support - All Ethernet interfaces must support
EtherChannel with no requirement that interfaces be physically
contiguous.
 Speed and duplex - Configure all interfaces in an EtherChannel to
operate at the same speed and in the same duplex mode.
 VLAN match - All interfaces in the EtherChannel bundle must be
assigned to the same VLAN or be configured as a trunk (shown in the
figure).
 Range of VLANs - An EtherChannel supports the same allowed range
of VLANs on all the interfaces in a trunking EtherChannel. If the
allowed range of VLANs is not the same, the interfaces do not form an
EtherChannel, even when they are set to auto or desirable mode.
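An added example (not from the course) that applies the PAgP mode rules described above together with the speed, duplex and VLAN consistency guidelines to decide whether a link bundles into an EtherChannel; the port settings and the field names are this example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PortCfg:
    """Settings of one physical member port (constructed field names)."""
    mode: str                  # PAgP mode: "on", "desirable", "auto" or "off"
    speed: int                 # Mbps
    duplex: str                # "full" or "half"
    trunk: bool = False
    access_vlan: int = 1       # used when trunk is False
    native_vlan: int = 1       # used when trunk is True
    allowed_vlans: frozenset = frozenset()


def pagp_negotiates(a: str, b: str) -> bool:
    """Apply the PAgP mode-compatibility rules to the two ends of a link."""
    if "off" in (a, b):
        return False                  # no mode configured: EtherChannel disabled
    if "on" in (a, b):
        return a == b                 # 'on' never negotiates, so only on/on works
    return "desirable" in (a, b)      # auto/auto never starts negotiating


def cfg_key(p: PortCfg) -> tuple:
    """The settings every member port on both switches must share."""
    vlan = (("trunk", p.native_vlan, p.allowed_vlans) if p.trunk
            else ("access", p.access_vlan))
    return (p.speed, p.duplex, vlan)


def bundle_problems(local: list, remote: list) -> list:
    """Reasons the bundle would not form between local[i] and remote[i];
    an empty list means the EtherChannel comes up."""
    problems = []
    for la, re in zip(local, remote):
        if not pagp_negotiates(la.mode, re.mode):
            problems.append(f"PAgP modes {la.mode}/{re.mode} never form a channel")
    if len({cfg_key(p) for p in local + remote}) > 1:
        problems.append("speed, duplex or VLAN settings differ across member ports")
    return problems
```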

Configuring EtherChannel with LACP requires the following three steps:
Step 1. Specify the interfaces that compose the EtherChannel group using the
interface range interface global configuration mode command. The range
keyword allows you to select several interfaces and configure them all
together.
Step 2. Create the port channel interface with the channel-group identifier
mode active command in interface range configuration mode. The identifier
specifies a channel group number. The mode active keywords identify this as
an LACP EtherChannel configuration.
Step 3. To change Layer 2 settings on the port channel interface, enter port
channel interface configuration mode using the interface port-channel
command, followed by the interface identifier. In the example, S1 is
configured with an LACP EtherChannel. The port channel is configured as a
trunk interface with the allowed VLANs specified.
S1(config)# interface range FastEthernet 0/1 - 2
S1(config-if-range)# channel-group 1 mode active
Creating a port-channel interface Port-channel 1
S1(config-if-range)# exit
S1(config)# interface port-channel 1
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk allowed vlan 1,2,20
