CCNP Study Guide

CCNP SWITCH (300-115) Study Guide By: Steve Simeus

1.0 Layer 2 Technologies

1.1 Configure and verify switch administration

1.1.a SDM templates

SDM stands for Switching Database Manager. It manages layer 2 and layer 3 switching information.

1.1.b Managing MAC address table

The MAC address table contains address information that the switch uses to forward traffic between ports. All MAC addresses in the address table are associated with one or more ports. The address table includes these types of addresses:

• Dynamic address: a source MAC address that the switch learns and then ages out when it is not in use.

• Static address: a manually entered unicast address that does not age and that is not lost when the switch resets.

The address table lists the destination MAC address, the associated VLAN ID, the port number associated with the address, and the type (static or dynamic).

MAC address table management can be used with the STP, MSTP, and REP features.

* By default, MAC address learning is enabled on all interfaces and VLANs on the router.

* Disabling MAC address learning on an interface or VLAN could cause flooding in the network.

* We recommend that you disable MAC address learning only in VLANs with two ports. If you disable MAC address learning on a VLAN with more than two ports, every packet entering the switch is flooded in that VLAN domain.
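As an added illustration (not part of the study guide), the following Python model of a MAC address table shows the behaviours described above: dynamic learning and aging, a static entry that survives aging, and the flooding that results when learning is disabled on a VLAN. The Switch and Entry classes, the port names, VLANs, MAC addresses and timestamps are all constructed for this example.

```python
# Added example, not from the study guide: a minimal model of a switch's MAC
# address table. Port names, MACs and timestamps are constructed.
from dataclasses import dataclass, field


@dataclass
class Entry:
    port: str
    kind: str          # "dynamic" or "static"
    last_seen: float   # seconds; only meaningful for dynamic entries


@dataclass
class Switch:
    ports: dict                                          # port -> access VLAN
    aging_time: float = 300.0                            # IOS default, seconds
    learning_disabled: set = field(default_factory=set)  # VLAN IDs
    table: dict = field(default_factory=dict)            # (vlan, mac) -> Entry

    def add_static(self, vlan, mac, port):
        """Static entries never age and are never overwritten by learning."""
        self.table[(vlan, mac)] = Entry(port, "static", 0.0)

    def age(self, now):
        """Drop dynamic entries that have not been refreshed within aging_time."""
        expired = [k for k, e in self.table.items()
                   if e.kind == "dynamic" and now - e.last_seen > self.aging_time]
        for k in expired:
            del self.table[k]

    def forward(self, in_port, src, dst, now):
        """Process one frame; return the sorted list of egress ports."""
        vlan = self.ports[in_port]
        self.age(now)
        key = (vlan, src)
        if vlan not in self.learning_disabled:
            if key not in self.table or self.table[key].kind == "dynamic":
                self.table[key] = Entry(in_port, "dynamic", now)
        entry = self.table.get((vlan, dst))
        if entry is not None:
            # Known destination: forward out that port only (or drop if it is
            # the port the frame arrived on).
            return [] if entry.port == in_port else [entry.port]
        # Unknown unicast or broadcast: flood to every other port in the VLAN.
        return sorted(p for p, v in self.ports.items()
                      if v == vlan and p != in_port)

    def dynamic_count(self):
        return sum(1 for e in self.table.values() if e.kind == "dynamic")


def demo():
    """Constructed scenario: four VLAN 10 ports, one of them with a static entry."""
    ports = {"Gi0/1": 10, "Gi0/2": 10, "Gi0/3": 10, "Gi0/4": 10, "Gi0/5": 20}
    sw = Switch(ports)
    sw.add_static(10, "00:00:5e:00:53:dd", "Gi0/4")
    flood = sw.forward("Gi0/1", "00:00:5e:00:53:aa", "00:00:5e:00:53:bb", 0)
    unicast = sw.forward("Gi0/2", "00:00:5e:00:53:bb", "00:00:5e:00:53:aa", 1)
    aged = sw.forward("Gi0/3", "00:00:5e:00:53:cc", "00:00:5e:00:53:aa", 400)
    static = sw.forward("Gi0/1", "00:00:5e:00:53:aa", "00:00:5e:00:53:dd", 1000)
    nolearn = Switch(ports, learning_disabled={10})
    nolearn.forward("Gi0/1", "00:00:5e:00:53:aa", "00:00:5e:00:53:bb", 0)
    reply = nolearn.forward("Gi0/2", "00:00:5e:00:53:bb", "00:00:5e:00:53:aa", 1)
    return flood, unicast, aged, static, reply, nolearn.dynamic_count()


if __name__ == "__main__":
    print(demo())
```

The first frame floods because the destination is unknown; the reply is forwarded to a single port once the source has been learned; after the 300-second aging time the entry is gone and the switch floods again; the static entry is still there at t=1000. On the switch with learning disabled on VLAN 10 every frame floods and the table stays empty, which is the flooding the note above warns about.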

1.1.c Troubleshoot Err-disable recovery

1. Error Disable Recovery: the switch detects an error condition, puts the interface into the err-disabled state, and then automatically turns the err-disabled interface back on after a default time.

2. When a port goes into err-disabled it shuts down and stops sending and receiving traffic. The LED changes to orange and err-disabled is shown under the show interfaces command.

* The reason an interface goes into err-disable is an error condition. This tells a network engineer there is a problem with the port and prevents the port from causing other ports to fail.

COMMANDS:

SW#show errdisable recovery displays the Err Disable Reason column so you can find out whether auto recovery is enabled.

errdisable recovery cause cause-name enables auto recovery.

SW#show interfaces status err-disabled displays any interfaces currently in err-disabled status.

SW#show errdisable detect shows the current err-disable settings. Mainly used to check whether err-disable detection is enabled for the different causes.

errdisable recovery interval timer_interval_seconds sets the interval after which ports recover automatically. To re-enable an err-disabled port manually, you must shutdown the port and then issue a no shutdown command.

1.2 Configure and verify Layer 2 protocols

1.2.a CDP, LLDP

Using CDP, a device can advertise its existence to other devices and receive information about other devices on the same LAN or on the remote side of a WAN. Runs on all media that support SNAP, including LANs, Frame Relay, and ATM media.

* Cisco Discovery Protocol. Media- and protocol-independent device-discovery protocol that runs on all Cisco-manufactured equipment including routers, access servers, bridges, and switches.

* Layer 2 protocol- CDP is enabled on Cisco routers by default.

* When a large number of CDP neighbor announcements are sent, they can consume all of the memory of the receiving device. This causes a crash or other abnormal behavior.

COMMANDS:

no cdp run disables CDP (global configuration mode).

cdp run re-enables CDP (global configuration mode).

show cdp neighbors verifies whether CDP is enabled or disabled on your Cisco device.

show cdp neighbors detail and show cdp entry display additional information about the neighboring devices, including network-layer protocol information and version.

LLDP - Link Layer Discovery Protocol (IEEE 802.1AB)

To support non-Cisco devices, LLDP is a neighbor discovery protocol that network devices use to advertise information about themselves to other devices on the network. This protocol runs over the data-link layer, which allows two systems running different network layer protocols to learn about each other.

* LLDP supports a set of attributes that it uses to discover neighbor devices.

* These attributes contain type, length, and value descriptions and are referred to as TLVs.

* By default, all LLDP-MED TLVs are enabled.

MANDATORY LLDP TLVs

• Port description TLV

• System name TLV

• System description TLV

• System capabilities TLV

• Management address TLV

LLDP holdtime (before discarding) 120 seconds

LLDP timer (packet update frequency) 30 seconds

LLDP reinitialization delay 2 seconds

COMMANDS:

Enabling LLDP

Beginning in privileged EXEC mode, follow these steps to enable LLDP:

Command Purpose

Step 1 configure terminal Enter global configuration mode.

Step 2 lldp run Enable LLDP globally on the switch.

Step 3 interface interface-id Specify the interface on which you are enabling LLDP, and enter interface configuration mode.

Step 4 lldp transmit Enable the interface to send LLDP packets.

Step 5 lldp receive Enable the interface to receive LLDP packets.

Step 6 end Return to privileged EXEC mode.

Step 7 show lldp Verify the configuration.

Step 8 copy running-config startup-config (Optional) Save your entries in the configuration file.

To disable LLDP, use the no lldp run global configuration command. To disable LLDP on an interface, use the no lldp transmit and the no lldp receive interface configuration commands.

This example shows how to globally enable LLDP.

Switch# configure terminal
Switch(config)# lldp run
Switch(config)# end

This example shows how to enable LLDP on an interface.

Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# lldp transmit
Switch(config-if)# lldp receive
Switch(config-if)# end

1.2.b UDLD

UDLD is a Layer 2 protocol that enables devices connected through fiber-optic or twisted-pair Ethernet cables to monitor the physical configuration of the cables and detect when a unidirectional link exists. All connected devices must support UDLD for the protocol to successfully identify and disable unidirectional links. When UDLD detects a unidirectional link, it disables the affected port and alerts you. Unidirectional links can cause a variety of problems, including spanning-tree topology loops.

* UDLD supports two modes of operation: normal (the default) and aggressive.

Normal Mode- UDLD can detect unidirectional links due to misconnected ports on fiber-optic connections.

Aggressive Mode- UDLD can also detect unidirectional links due to one-way traffic on fiber-optic and twisted-pair links and to misconnected ports on fiber-optic links.

* A unidirectional link occurs whenever traffic sent by a local device is received by its neighbor but traffic from the neighbor is not received by the local device.

* In a point-to-point link, UDLD hello packets can be considered a heartbeat whose presence guarantees the health of the link. Conversely, the loss of the heartbeat means that the link must be shut down if it is not possible to re-establish a bidirectional link.

Feature / Default Setting

UDLD global enable state: Globally disabled

UDLD per-port enable state for fiber-optic media: Disabled on all Ethernet fiber-optic ports

UDLD per-port enable state for twisted-pair (copper) media: Disabled on all Ethernet 10/100 and 1000BASE-TX ports

UDLD aggressive mode: Disabled

Configuration Guidelines

These are the UDLD configuration guidelines:

• UDLD is not supported on ATM ports.

• A UDLD-capable port cannot detect a unidirectional link if it is connected to a UDLD-incapable port of another switch.

• When configuring the mode (normal or aggressive), make sure that the same mode is configured on both sides of the link.

COMMANDS:

Command Purpose

Step 1 configure terminal Enter global configuration mode.

Step 2 udld {aggressive | enable | message time message-timer-interval}

Specify the UDLD mode of operation:

• aggressive—Enables UDLD in aggressive mode on all fiber-optic ports.

• enable—Enables UDLD in normal mode on all fiber-optic ports on the switch. UDLD is disabled by default.

An individual interface configuration overrides the setting of the udld enable global configuration command.

For more information about aggressive and normal modes, see the "Modes of Operation" section.

• message time message-timer-interval—Configures the period of time between UDLD probe messages on ports that are in the advertisement phase and are detected to be bidirectional. The range is from 1 to 90 seconds. The default value is 15.

Note This command affects fiber-optic ports only. Use the udld interface configuration command to enable UDLD on other port types. For more information, see the "Enabling UDLD on an Interface" section.

Step 3 end Return to privileged EXEC mode.

Step 4 show udld Verify your entries.

Step 5 copy running-config startup-config

(Optional) Save your entries in the configuration file.

1.3 Configure and verify VLANs

A VLAN defines a broadcast domain. A VLAN is a switched network that is logically segmented by function, project team, or application, without regard to the physical locations of the users. VLANs have the same attributes as physical LANs, but you can group end stations even if they are not physically located on the same LAN segment. Any switch port can belong to a VLAN, and unicast, broadcast, and multicast packets are forwarded and flooded only to end stations in the VLAN. Each VLAN is considered a logical network, and packets destined for stations that do not belong to the VLAN must be forwarded through a router or a switch supporting fallback bridging. Because a VLAN is considered a separate logical network, it contains its own bridge Management Information Base (MIB) information and can support its own implementation of spanning tree.

1.3.a Access ports

* An access port can have only one VLAN configured on the interface; it can carry traffic for only one VLAN.

* If an access port receives a packet with an 802.1Q tag in the header other than the access VLAN value, that port drops the packet without learning its MAC source address.

* Access ports connect hosts and peripherals, which (unlike a switch) send neither BPDUs nor VLAN information.

* BPDU (Bridge Protocol Data Unit)- are data messages that are exchanged across the switches within an extended LAN that uses a spanning tree protocol topology. BPDU packets contain information on ports, addresses, priorities and costs and ensure that the data ends up where it was intended to go.

1.3.b VLAN database

When the switch is in VTP server or transparent mode, you can configure VLANs in VLAN database mode. When you configure VLANs in VLAN database mode, the VLAN configuration is saved in the vlan.dat file, not the running-config or startup-config files. To display the VLAN configuration, enter the show running-config vlan command.

Commands:

Command Purpose

Step 1 Switch# vlan database

Enters VLAN database mode.

Step 2 Switch(vlan)# vlan vlan_ID

Adds an Ethernet VLAN.

Note: You cannot delete the default VLANs for these media types: Ethernet VLAN 1 and FDDI or Token Ring VLANs 1002 to 1005. When you delete a VLAN, any LAN interfaces configured as access ports assigned to that VLAN become inactive. They remain associated with the VLAN (and thus inactive) until you assign them to a new VLAN.

You can use the no keyword to delete a VLAN.

Step 3 Switch(vlan)# exit

Returns to enable mode.

Step 4 Switch# show vlan [id | name] vlan_name

Verifies the VLAN configuration.

VTP Modes:

• Server
  o Creates, modifies, and deletes VLANs
  o Sends and forwards advertisements
  o Synchronizes VLAN configurations

• Client
  o Cannot create, modify, or delete VLANs
  o Sends and forwards advertisements
  o Synchronizes VLAN configurations

• Transparent
  o Creates, modifies, and deletes local VLANs only
  o Forwards advertisements
  o Does not synchronize VLAN configuration

1.3.c Normal, extended VLAN, voice VLAN

VLAN Ranges (VLANs / Range / Usage / Propagated by VTP):

0, 4095 - Reserved - For system use only. You cannot see or use these VLANs. - Propagated by VTP: N/A

1 - Normal - Cisco default. You can use this VLAN but you cannot delete it. - Propagated by VTP: Yes

2-1001 - Normal - Used for Ethernet VLANs; you can create, use, and delete these VLANs. - Propagated by VTP: Yes

1002-1005 - Normal - Cisco defaults for FDDI and Token Ring. You cannot delete VLANs 1002-1005. - Propagated by VTP: Yes

1006-4094 - Extended - For Ethernet VLANs only. - Propagated by VTP: No. When configuring extended-range VLANs, note the following:

• Layer 3 ports and some software features require internal VLANs. Internal VLANs are allocated from 1006 and up. You cannot use a VLAN that has been allocated for such use. To display the VLANs used internally, enter the show vlan internal usage command.

• Switches running Catalyst product family software do not support configuration of VLANs 1006-1024. If you configure VLANs 1006-1024, ensure that the VLANs do not extend to any switches running Catalyst product family software.

• You must enable the extended system ID to use extended range VLANs. See the "Enabling the Extended System ID" section.

You can configure extended-range VLANs only in global configuration mode.

Voice

Some benefits of converging voice, video, and data into a single network include:

o Expense reducer – if only a single cable drop is required per user, cabling and network provisioning costs go down. PSTN costs also go down as more calls can use the existing data network and not the public phone service.

o Efficiencies in bandwidth – for example, if a voice call is not in progress, data can be transmitted on the same link. That's not the case with traditional phone lines.

o Innovative features - VoIP allows new services to be added, including unifying several modes of communication (e.g. voicemail, email, IM). Service providers can also sell new services and provide more flexible pricing arrangements.

VoIP network requirements
• Low bandwidth, delay, jitter, packet loss
• PoE
• Medium security
• High management
• Highly available network

Video network requirements
• Low delay, jitter, and packet loss
• Medium security and management
• High availability

Data network requirements
• High bandwidth, availability, and security
• Jitter and delay are not that crucial
• Medium management

Call Signaling

o The first is the call control signaling, used to set up, tear down, maintain, and redirect calls. Some examples of call signaling protocols include H.323, SIP, and MGCP. Make sure you do not confuse these protocols with the voice compression protocols (voice codecs) like G.729 and G.711, which determine bandwidth.

o The second is the actual UDP voice traffic itself, which uses RTP (Real-Time Transport Protocol) to encapsulate the traffic.

Voice VLANs

o Voice VLANs are a way for Cisco switches to dynamically tag and assign voice traffic, including placing it in its own separate VLAN/subnet.

o Voice VLANs are disabled by default.

Cisco IP phones have a small internal switch that places an 802.1q tag on the voice traffic and marks the Class of Service (CoS) bits in the tag. Data traffic (from the attached PC) is sent over the native VLAN, while all voice traffic is sent over the configured VLAN on the access port. Cisco calls this setup a multi-VLAN access port. This whole process of enabling voice VLANs also enables the switch to forward frames with specific 802.1P markings. 802.1P designates how QoS is applied at the MAC layer.

PoE Switches - Two different power standards exist for PoE, Cisco Inline PoE and IEEE 802.3af.

IEEE 802.3af - Relies on the devices to let the switch know how much power they need.

Cisco Inline PoE - Cisco's devices can additionally use CDP.

The new 802.3at standard, also known as PoE+, will specify up to 30 Watts of power. Some current Cisco switches can supply up to 20W. Note: Non-CDP devices always get 15.4 W allocated to them.

PoE Configuration - Cisco switches automatically detect and provide power, but if you need to disable it or re-enable it, use the following commands:

Switch(config-if)# power inline {never | auto}

To view power information for all ports:

Switch# show power inline [interface]

Video - Video traffic, from Cisco's perspective, falls into one of three categories:

Many to many
• Examples include Telepresence, WebEx, peer-to-peer video apps
• Data flows client-to-client or MCU-to-client
• Bandwidth requirements for high-def video can be up to 12 Mbps per location (with compression)

Many to few
• Examples include IP surveillance cameras
• Typically require up to 4 Mbps of bandwidth

Few to many
• Example is Internet streaming from a single source
• Quality not as critical
• Traffic flows storage to client or server to client

QOS(Quality of Service)- Quality of Service is a very important part of operating a VoIP platform on a campus network. There are three main drivers for applying QoS: jitter, packet loss, and delay.

Trust Boundaries- The place where a decision about priority marking on incoming frames/packets is done is called the trust boundary. When IP traffic comes into an interface and is already marked, the switch has the following options:

• Trust the DSCP value
• Trust the IP Precedence value
• Trust the CoS value in the frame
• Classify the traffic based on an IP ACL or MAC ACL

Cisco recommends marking the traffic as close to the source as possible. IP phones can mark their own traffic and other clients can be marked at the access switch. If that is not an option - mark at the distribution layer, but never at the core. Marking slows traffic down, so it has no place being in the core. All devices within the network path should be configured to trust the marking and provide service based on that.

Configure QoS: Before rolling out VoIP in your environment, think through the following planning steps:

1. PoE - Ensure there is enough power for all the phones and that there is a UPS backup.
2. Voice VLAN - Think through the number of VLANs/subnets required, add DHCP scopes for the phones, add voice networks to routing protocols.
3. QoS - Decide on which marking and queues you plan on using. Cisco recommends implementing AutoQoS and then tuning as needed.
4. Fast Convergence - Tune routing and HSRP/VRRP/GLBP timers.
5. Test Plan - Test the implementation before rolling it out to real users. Some things to look for include making sure the phone and PC have the correct IP addresses, the phone registers itself, and calls can be made.

Configuring Auto QoS

Switch(config-if)# auto qos voip trust
Configures the interface to trust CoS on incoming traffic.

Switch(config-if)# auto qos voip cisco-phone
Configures the interface to trust CoS only if a Cisco phone is connected (requires CDP).

Switch# show auto qos
Displays the Auto QoS configuration.

Manual QoS Configuration

Switch(config-if)# switchport voice vlan vlan-ID
Associates a voice VLAN with a switch port.

Switch(config-if)# mls qos trust {dscp | cos}
Trusts markings on traffic entering an interface. Effectively moves the trust boundary to the attached device (often an IP phone or server).

Switch(config-if)# mls qos trust device cisco-phone
Trusts markings only if a Cisco phone is connected.

Switch(config-if)# switchport priority extend cos cos-value
Instructs the IP phone to set/overwrite the CoS value for data coming from a PC attached to the phone. The phone would then be the new trust boundary because it is now doing the marking on the data traffic. Also important to note that the CoS value assigned at the end of the statement is a number between 0 and 7, 7 being the highest priority and 0 being the default value.

Switch(config-if)# switchport priority extend trust
Instructs the phone to trust the priority of the data coming from the attached PC.

Switch# show interfaces interface-id switchport
Verifies interface parameters.

Switch# show mls qos interface interface-id
Verifies QoS parameters on an interface.

1.4 Configure and verify trunking

1.4.a VTPv1, VTPv2, VTPv3, VTP pruning

VTP has two versions (1 and 2) that are not interoperable. All that is required to change from v1 to v2 across the network is to change one server switch to v2; it will send out an advertisement to all other switches to make the change as well. V1 is the default.

A third version of VTP addresses some of the traditional shortcomings. For example, VTP version 3 supports extended VLAN numbers (1 to 4095) that are compatible with the IEEE 802.1Q trunking standard.

Configure:

Switch(config)# vtp version 2

NOTE: VTP information will not be exchanged without first configuring the VTP domain name.

COMMANDS:

Switch# config t

Switch(config)# vtp mode server

Switch(config)# vtp domain domain_name

VTP Pruning

o VTP pruning makes more efficient use of trunk bandwidth by reducing unnecessary flooded traffic over trunk links.

o By default, VTP pruning is disabled; to enable it (on the server device):

Switch(config)# vtp pruning

o When pruning is enabled on a server, it propagates the pruning to all switches in the management domain.

o VLANs 2-1001 are eligible for pruning by default.

1.4.b dot1Q

o 802.1Q is an open standard; it inserts its own 4-byte tag within the frame and recalculates the CRC value, and it allows for native VLANs (untagged frames to go through).

o 802.1Q is often used by service providers for tunneling secure VPNs. The 802.1Q tunneling feature allows ISPs to segregate different customers' traffic throughout their infrastructure.

o 802.1Q can be used for VLAN identification with Ethernet trunks. Trunk (middle solution / to carry traffic for multiple VLANs).

By default, all VLANs are allowed on a trunk. Before a frame is carried on a trunk, it must be tagged (802.1Q/ISL).

1.4.c Native VLAN (don't put any traffic on it / management only)

o 802.1Q introduces the concept of a native VLAN on a trunk.

o Frames belonging to this VLAN are not encapsulated with any tagging information.

o The native VLAN is the "default" VLAN that allows frames to be passed through the trunk untagged.
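As an added example (not from the study guide), the Python below builds Ethernet frames with and without the 4-byte 802.1Q tag, recomputes the FCS as the text says the switch must, and shows how a receiving trunk port classifies an untagged frame into the native VLAN. The functions build_frame, parse_frame and strip_tag, and the MAC addresses and payloads, are constructed for this example; the field layout (TPID 0x8100, 3-bit PCP, 1-bit DEI, 12-bit VID) is the standard one.

```python
# Added example, not from the study guide: build and parse Ethernet frames
# with and without an IEEE 802.1Q tag. MAC addresses and payloads are constructed.
import struct
import zlib

TPID_8021Q = 0x8100  # tag protocol identifier that sits in the EtherType position


def _mac(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Return a frame with FCS; if vlan is given, insert the 4-byte 802.1Q tag."""
    body = _mac(dst) + _mac(src)
    if vlan is not None:
        if not 0 <= vlan <= 4095:
            raise ValueError("VID is a 12-bit field")
        # TCI = 3 bits PCP (802.1p CoS) | 1 bit DEI (left clear) | 12 bits VID
        tci = ((pcp & 0x7) << 13) | (vlan & 0xFFF)
        body += struct.pack("!HH", TPID_8021Q, tci)
    body += struct.pack("!H", ethertype) + payload
    # The tag changes the bytes the FCS covers, so the CRC is recomputed here;
    # Ethernet transmits the CRC-32 least-significant byte first.
    return body + struct.pack("<I", zlib.crc32(body))


def parse_frame(frame, native_vlan):
    """Classify a frame received on a trunk.

    Returns (vlan, pcp, tagged, fcs_ok). An untagged frame is assigned to the
    trunk's native VLAN, which is why the native VLAN should carry no user traffic.
    """
    body, fcs = frame[:-4], frame[-4:]
    fcs_ok = struct.pack("<I", zlib.crc32(body)) == fcs
    (ethertype,) = struct.unpack("!H", body[12:14])
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack("!H", body[14:16])
        return tci & 0xFFF, tci >> 13, True, fcs_ok
    return native_vlan, 0, False, fcs_ok


def strip_tag(frame):
    """Remove the 802.1Q tag, as a switch does before sending out an access port."""
    body = frame[:-4]
    if struct.unpack("!H", body[12:14])[0] != TPID_8021Q:
        return frame
    body = body[:12] + body[16:]
    return body + struct.pack("<I", zlib.crc32(body))
```

Stripping the tag from a frame built with vlan=10 yields byte-for-byte the frame built without a tag, including the recomputed FCS, which is the "recalculates the CRC" step described above.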

1.4.d Manual pruning

o To modify the default list of pruning-eligible VLANs, use the following interface configuration command:

Switch(config)# interface type mod/num

Switch(config-if)# switchport trunk pruning vlan {{add | except | remove | vlan-list} | none}

1.5 Configure and verify EtherChannels

EtherChannel is a term used to describe bundling or aggregating 2-8 parallel links into one. EtherChannel provides a level of link redundancy. "For each EtherChannel on a switch, you must choose the EtherChannel negotiation protocol and assign individual switch ports to the EtherChannel."

o *If there are two redundant EtherChannel bundles, one entire EtherChannel will be blocked by STP to prevent a loop.

1.5.a LACP, PAgP, manual

LACP (Link Aggregation Control Protocol)

"The switch with the lowest system priority (a 2-byte priority value followed by a 6-byte switch MAC address) is allowed to make decisions about what ports actively are participating in the EtherChannel at a given time."

An open standard alternative to PAgP, IEEE 802.3ab. Uses a priority system for end switches.

The switch with the lowest system priority (2-byte value followed by MAC – lowest wins) determines which ports are active in the EtherChannel at any given time.

Uses port priority to determine which ports to place in standby mode if hardware limitations do not allow all ports to participate in the EtherChannel.

Most leave the system and port priority to defaults

EtherChannel Negotiation Protocols Summary

o Configuration:
"Switch(config)# lacp system-priority priority
Switch(config)# interface type member/module/number
Switch(config-if)# channel-protocol lacp
Switch(config-if)# channel-group number mode {on | passive | active}
Switch(config-if)# lacp port-priority priority"

PAgP (Port Aggregation Protocol)

o Cisco proprietary

o Forms EtherChannel only if ports are configured for identical static VLAN or trunking

o Will automatically modify interface parameters on all ports in the bundle if the EtherChannel interface is changed.

o STP sends packets over only one physical link in a PAgP bundle. Because STP’s algorithm uses the lowest port priority (priority + port ID), if defaults are set, STP will always use the lowest number port for BPDUs.


o “By default, PAgP operates in silent submode with the desirable and auto modes”

PAgP aids in the automatic creation of EtherChannel links. PAgP packets are sent between EtherChannel-capable ports in order to negotiate the formation of a channel. Some restrictions are deliberately introduced into PAgP. The restrictions are:

o PAgP does not form a bundle on ports that are configured for dynamic VLANs. PAgP requires that all ports in the channel belong to the same VLAN or are configured as trunk ports. When a bundle already exists and a VLAN of a port is modified, all ports in the bundle are modified to match that VLAN.

o PAgP does not group ports that operate at different speeds or port duplex. If speed and duplex change when a bundle exists, PAgP changes the port speed and duplex for all ports in the bundle.

o PAgP modes are off, auto, desirable, and on. Only the combinations auto-desirable, desirable-desirable, and on-on allow the formation of a channel. The device on the other side must have PAgP set to on if a device on one side of the channel does not support PAgP, such as a router.

o Configuration:
"Switch(config)# interface type member/module/number
Switch(config-if)# channel-protocol pagp
Switch(config-if)# channel-group number mode {on | {{auto | desirable} [non-silent]}}"

1.5.c Load balancing

EtherChannel load balancing can use MAC addresses, IP addresses, or Layer 4 port numbers with a Policy Feature Card 2 (PFC2) and either source mode, destination mode, or both. The mode you select applies to all EtherChannels that you configure on the switch.

Configure Load Balancing:

SW1#config t
SW1(config)#port-channel load-balance method

Methods:
• src-ip source IP
• dst-ip destination IP
• src-dst-ip source and destination IP (XOR)
• src-mac source MAC **DEFAULT METHOD**
• dst-mac destination MAC
• src-dst-mac source and destination MAC (XOR)
• src-port source port
• dst-port destination port
• src-dst-port source and destination port (XOR)
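As an added example (not from the study guide), the Python below models per-flow EtherChannel load balancing for each of the methods listed above. The exact hash Cisco hardware applies is not given on this page; this code simply XORs the selected fields and lets the low-order bits choose a member link, which is enough to show why the method matters: when every client sits behind one router, src-mac and dst-ip pin all traffic to a single link while src-ip spreads it. The functions select_link, distribution and demo_flows, and all addresses, are constructed for this example.

```python
# Added example, not from the study guide: a model of per-flow EtherChannel
# load balancing. The hash used here (XOR of the selected fields, low-order
# bits pick the link) is a textbook model, not Cisco's hardware algorithm.
# Addresses and flows are constructed.
import ipaddress


def _mac_int(mac):
    return int(mac.replace(":", ""), 16)


def _ip_int(ip):
    return int(ipaddress.ip_address(ip))


def select_link(method, links, flow):
    """Pick one member link for a flow according to the load-balance method.

    flow is a dict with src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port.
    """
    fields = {
        "src-ip": [_ip_int(flow["src_ip"])],
        "dst-ip": [_ip_int(flow["dst_ip"])],
        "src-dst-ip": [_ip_int(flow["src_ip"]), _ip_int(flow["dst_ip"])],
        "src-mac": [_mac_int(flow["src_mac"])],
        "dst-mac": [_mac_int(flow["dst_mac"])],
        "src-dst-mac": [_mac_int(flow["src_mac"]), _mac_int(flow["dst_mac"])],
        "src-port": [flow["src_port"]],
        "dst-port": [flow["dst_port"]],
        "src-dst-port": [flow["src_port"], flow["dst_port"]],
    }[method]
    h = 0
    for value in fields:
        h ^= value                      # the XOR methods combine both ends
    return links[h % len(links)]        # with 2, 4 or 8 links the low bits decide


def distribution(method, links, flows):
    """Count how many flows land on each member link."""
    counts = {link: 0 for link in links}
    for flow in flows:
        counts[select_link(method, links, flow)] += 1
    return counts


def demo_flows():
    """Constructed: eight clients behind one router all talking to one server."""
    router_mac = "00:00:5e:00:53:01"    # every client frame carries this src MAC
    server_mac = "00:00:5e:00:53:ff"
    return [
        {"src_mac": router_mac, "dst_mac": server_mac,
         "src_ip": f"10.0.0.{i}", "dst_ip": "10.0.1.100",
         "src_port": 49152 + i, "dst_port": 443}
        for i in range(1, 9)
    ]


if __name__ == "__main__":
    members = ["Gi1/0/1", "Gi1/0/2", "Gi1/0/3", "Gi1/0/4"]
    for m in ("src-mac", "dst-ip", "src-ip", "src-dst-port"):
        print(m, distribution(m, members, demo_flows()))
```

With the constructed flows, src-mac and dst-ip put all eight flows on one link (the router's MAC and the server's IP never change), whereas src-ip places two flows on each of the four links. This is the reason to pick a method whose fields actually vary across the traffic crossing the bundle.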

1.5.d EtherChannel misconfiguration guard

o You can use EtherChannel guard to detect an EtherChannel misconfiguration between the switch and a connected device.

o If the switch detects a misconfiguration on the other device, EtherChannel guard places the switch interfaces in the error-disabled state, and displays an error message.

Configuration - You can enable this feature by using the spanning-tree etherchannel guard misconfig global configuration command.

1.6 Configure and verify spanning tree

o Spanning Tree Protocol (STP) is designed to prevent problems related to bridging loops. STP solves the problem by blocking redundant paths and allowing only a single active path. Spanning tree works by selecting a root switch then selecting a loop-free path from the root switch to every other switch. To do that spanning tree must choose a single root bridge, one root port for each non-root switch, and a single designated port for each network segment.

STP Path Selection

o Spanning tree builds the tree structure attempting to use the fastest links it has available for the active paths. STP uses the following steps to select its paths:

1. Lowest root bridge ID (BID)
2. Lowest path cost to the root
3. Lowest sender bridge ID
4. Lowest sender port ID (PID)

STP Definitions

o Bridge ID – bridge priority + MAC address
o Bridge Priority – 0-65,535
o Default Priority – 32,768
o Port ID – port priority + port number
o Port Priority – 0-240 (default is 128, increments of 16)
o Path Cost – The cumulative cost of all links between the switch and the root bridge.

STP Convergence

1. Root bridge election
Each VLAN elects one root bridge. All ports on the root bridge act as designated ports, which send and receive traffic as well as BPDUs. The bridge with the lowest priority becomes root.

2. Root ports are determined on all non-root bridges
Each non-root bridge is assigned a single root port that sends and receives traffic. The root port is chosen based on the port with the lowest-cost path between the non-root bridge and the root bridge. If two paths are equal cost, the port with the lowest port ID (priority + port number) will win.

3. Designated port selection
Each segment has a single designated port. Designated ports are chosen from the non-root ports that have the lowest path cost to the root bridge. In the event of a tie, the bridge ID acts as a tiebreaker (lowest wins). All ports on a root bridge are designated ports.

STP Port Roles

Root port
• On non-root bridges only
• Forwards traffic towards the root bridge
• Only one per switch
• Can populate the MAC table

Designated port
• On root and non-root bridges
• All ports on the root bridge are designated ports
• Receives and forwards frames towards the root bridge as needed
• Only one per segment
• Can populate the MAC table

Non-designated port
• Does not forward packets (blocking)
• Does not populate the MAC table

Disabled port
o A port that is shut down

Spanning tree uses a link cost calculation to determine the root ports on non-root switches. It is calculated by adding the costs of all links between the root bridge and the local switch.

10 Gbps > Cost 2
1 Gbps > Cost 4
100 Mbps > Cost 19
10 Mbps > Cost 100
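As an added example (not from the study guide), the Python below runs the root bridge election and root port selection described above on a constructed four-switch topology, using the guide's tie-break order (lowest BID, lowest root path cost, lowest sender BID, lowest sender port ID) and the link cost table just given. The functions bridge_id, elect_root, root_ports and demo, the switch names, MAC addresses and link speeds are all constructed for this example.

```python
# Added example, not from the study guide: STP root bridge election and root
# port selection with the guide's tie-break order and link costs. The switches
# and links are constructed.
import heapq

LINK_COST = {10000: 2, 1000: 4, 100: 19, 10: 100}   # speed in Mbps -> STP cost


def bridge_id(priority, mac):
    """A bridge ID compares by priority first, then by MAC address (lowest wins)."""
    return (priority, int(mac.replace(":", ""), 16))


def elect_root(switches):
    """switches: name -> (priority, mac). The lowest bridge ID becomes root."""
    return min(switches, key=lambda name: bridge_id(*switches[name]))


def root_ports(switches, links):
    """links: list of (switch_a, port_a, switch_b, port_b, speed_mbps).

    Returns {switch: (root_path_cost, root_port)} for each non-root switch.
    Switches are settled in order of (cost, sender BID, sender port ID), which
    is the comparison a bridge makes between the BPDUs it receives.
    """
    root = elect_root(switches)
    adj = {}
    for a, pa, b, pb, speed in links:
        adj.setdefault(a, []).append((b, pa, pb, LINK_COST[speed]))
        adj.setdefault(b, []).append((a, pb, pa, LINK_COST[speed]))
    best = {}
    heap = [((0, bridge_id(*switches[root]), 0), root, 0)]
    while heap:
        key, sw, local_port = heapq.heappop(heap)
        if sw in best:
            continue                    # a better BPDU already won for this switch
        best[sw] = (key[0], local_port)
        for nbr, my_port, nbr_port, cost in adj.get(sw, []):
            if nbr not in best:
                # BPDU sent by `sw` out of `my_port`, received by `nbr` on `nbr_port`
                candidate = (key[0] + cost, bridge_id(*switches[sw]), my_port)
                heapq.heappush(heap, (candidate, nbr, nbr_port))
    return {name: info for name, info in best.items() if name != root}


def demo():
    """Constructed topology: SW2's lower priority beats SW1's lower MAC address."""
    switches = {
        "SW1": (32768, "00:00:5e:00:53:01"),
        "SW2": (4096, "00:00:5e:00:53:aa"),
        "SW3": (32768, "00:00:5e:00:53:03"),
        "SW4": (32768, "00:00:5e:00:53:04"),
    }
    links = [
        ("SW1", 1, "SW2", 1, 1000),
        ("SW2", 2, "SW3", 1, 100),    # direct but slow: cost 19
        ("SW1", 2, "SW3", 2, 1000),   # two fast hops: 4 + 4 = 8, so SW3 prefers this
        ("SW2", 3, "SW4", 1, 1000),   # equal-cost pair: sender port ID 3 < 4 wins
        ("SW2", 4, "SW4", 2, 1000),
    ]
    return elect_root(switches), root_ports(switches, links)


if __name__ == "__main__":
    print(demo())
```

SW2 becomes root because a priority of 4096 beats SW1's lower MAC address; SW3 picks the two-hop gigabit path (cost 8) over its direct Fast Ethernet link (cost 19); SW4, with two equal-cost links to the root, uses the one on which the root's lower port ID is heard. Setting a deliberately low priority on the intended root, as the priority example shows, is what keeps an unexpected switch from winning this election.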

1.6.a

1. PVST+ - One instance of STP per VLAN, more resources required, convergence still slow, includes PortFast, BPDU guard, BPDU filter, Root Guard, and Loop Guard.

RPVST+ - Rapid Spanning Tree Protocol (IEEE 802.1w) was introduced to dramatically speed up STP’s convergence when network changes occur. RSTP can revert to 802.1D (common spanning-tree) to inter-operate with legacy bridges on a per-port basis. A rapid version of PVST+, RPVST+ is a per-VLAN implementation of rapid spanning-tree.

RSTP Port States

Discarding
• Merges the former disabled, blocking, and listening states
• Prevents the forwarding of frames
• Seen in both stable/active and synchronization/changes

Learning
• Receives frames to populate the MAC table
• Seen in both stable/active and synchronization/changes

Forwarding
• Forwarding ports determine the active topology
• An agreement process between switches occurs before frames can be forwarded
• Only seen in stable/active topologies

2. MST - Multiple Spanning Tree extends the IEEE 802.1w RST algorithm to multiple spanning trees. The main purpose of MST is to reduce the total number of spanning-tree instances to match the physical topology of the network and thus reduce the CPU cycles of a switch.

In most networks, a single MST region is sufficient, although you can configure more than one region. Within the region, all switches must run the instance of MST that is defined by the following attributes:

1. MST configuration name (32 characters)
2. MST configuration revision number (0 to 65535)
3. MST instance-to-VLAN mapping table (4096 entries)

Quick Tips MST: MST allows you to map multiple VLANs to single spanning-tree instances. With MST, use trunks and do not prune VLANs from trunks. MST instance 0 is the only one that communicates to other regions and non-MST switches.

Configuration / Enable MST

1. Switch(config)# spanning-tree mode mst
2. Switch(config)# spanning-tree mst configuration
3. Assign a region configuration name (up to 32 characters): Switch(config-mst)# name name
4. Assign a region configuration revision number (0 to 65,535): Switch(config-mst)# revision version
5. Map VLANs to an MST instance: Switch(config-mst)# instance instance-id vlan vlan-list
6. Switch(config-mst)# show pending
7. Switch(config-mst)# show current
8. Switch(config-mst)# exit

2. 1.6.b Switch priority- Each VLAN on the switch has a unique 8-byte bridge ID. The 2 most-significant bytes are used for the switch priority, and the remaining 6 bytes are derived from the switch MAC address. (Switch Priority is 32768 by default)

Layout of the 2 most-significant bytes of the bridge ID (bit 16 is the most significant):

Bits 16-13: Switch Priority Value                         32768 16384 8192 4096
Bits 12-1:  Extended System ID (set equal to the VLAN ID)  2048 1024 512 256 128 64 32 16 8 4 2 1
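The bit layout above is easiest to see by building the bridge ID and running the root election in code. The following is an added example, not code from the study guide; the switch names and MAC addresses are constructed sample values.

```python
# Added example (not from the study guide): build the 8-byte bridge ID from
# the priority / extended-system-ID layout above and run the root election.


def bridge_id(priority, vlan_id, mac):
    """Return the bridge ID as an integer so that IDs compare directly.

    Upper 16 bits: priority (top 4 bits, so a multiple of 4096) OR'd with the
    extended system ID (lower 12 bits, set equal to the VLAN ID).
    Lower 48 bits: the switch MAC address.
    """
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 from 0 to 61440")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    mac_int = int(mac.replace(".", "").replace(":", ""), 16)
    if mac_int >= 1 << 48:
        raise ValueError("MAC address must be 48 bits")
    return ((priority | vlan_id) << 48) | mac_int


def split_bridge_id(bid):
    """Decode a bridge ID into (priority, extended system ID, dotted MAC)."""
    upper = bid >> 48
    mac_hex = "{:012x}".format(bid & ((1 << 48) - 1))
    dotted = ".".join(mac_hex[i:i + 4] for i in range(0, 12, 4))
    return upper & 0xF000, upper & 0x0FFF, dotted


def elect_root(switches, vlan_id):
    """Lowest bridge ID wins: lowest priority first, lowest MAC breaks ties.

    switches: dict name -> (priority, mac)
    """
    return min(switches,
               key=lambda n: bridge_id(switches[n][0], vlan_id, switches[n][1]))


def root_if_default_priority(switches, vlan_id, name):
    """Election result if `name` were left at the 32768 default instead."""
    adjusted = dict(switches)
    adjusted[name] = (32768, switches[name][1])
    return elect_root(adjusted, vlan_id)


# Constructed sample: DistSW is meant to be the root for VLAN 10; NewSW is a
# newly attached switch that happens to have the lowest MAC address.
SWITCHES = {
    "DistSW": (24576, "0011.2233.4455"),
    "AccessSW": (32768, "0011.2233.0001"),
    "NewSW": (32768, "0000.0c00.0001"),
}

if __name__ == "__main__":
    print(elect_root(SWITCHES, 10))                          # DistSW
    print(root_if_default_priority(SWITCHES, 10, "DistSW"))  # NewSW wins on MAC
```

The second call shows why the priority is set explicitly on the intended root: with every switch at the default, the election is decided by the lowest MAC address, which is whichever switch happens to be plugged in.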

3. Switch port priority- If a loop occurs, spanning tree uses the port priority when selecting an interface to put into the forwarding state.

1. Configuration:
2. Switch# config t
3. Switch(config)# interface port-channel (number)
4. Switch(config-if)# spanning-tree port-priority (priority)
5. Switch(config-if)# spanning-tree vlan (vlan-id) port-priority (priority)
6. Switch(config-if)# end

4. Switch path cost- The spanning-tree path cost default value is derived from the media speed of an interface.

1. If a loop occurs, spanning tree uses cost when selecting an interface to put in the forwarding state.

2. You can assign lower cost values to interfaces that you want selected first and higher cost values to interfaces that you want selected last.

3. If all interfaces have the same cost value, spanning tree puts the interface with the lowest interface number in the forwarding state and blocks the other interfaces.

4. Configuration:
1. Switch# config t
2. Switch(config)# interface (interface-id)
3. Switch(config-if)# spanning-tree cost (cost)
4. Switch(config-if)# spanning-tree vlan (vlan-id) cost (cost)
5. Switch(config-if)# end
6. Verify your entries: Switch# show spanning-tree interface (interface-id)

STP timers - There are several STP timers, as this list shows:

• Hello—The hello time is the time between each bridge protocol data unit (BPDU) that is sent on a port. This time is equal to 2 seconds (sec) by default, but you can tune the time to be between 1 and 10 sec.

• Forward delay—The forward delay is the time that is spent in the listening and learning state. This time is equal to 15 sec by default, but you can tune the time to be between 4 and 30 sec.

• Max age—The max age timer controls the maximum length of time that passes before a bridge port saves its configuration BPDU information. This time is 20 sec by default, but you can tune the time to be between 6 and 40 sec.

Each configuration BPDU contains these three parameters. In addition, each configuration BPDU contains another time-related parameter that is known as the message age. The message age is not a fixed value. The message age contains the length of time that has passed since the root bridge initially originated the BPDU. The root bridge sends all its BPDUs with a message age value of 0, and all subsequent switches add 1 to this value. Effectively, this value contains the information on how far you are from the root bridge when you receive a BPDU.

[Diagram illustrating the message age concept; not reproduced in this transcript.]
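The three timers cannot be tuned independently of each other, and the message age is what bounds how far a BPDU is useful. The following added example (not from the study guide) checks a timer set against the per-timer ranges quoted above and against the IEEE 802.1D relationship between them, which the guide does not state and is taken from the standard, then follows a BPDU's message age down a chain of switches using the "add 1 per switch" rule from the text.

```python
# Added example (not from the study guide). The per-timer ranges come from the
# text above; the relationship 2*(forward_delay - 1) >= max_age >= 2*(hello + 1)
# is the IEEE 802.1D constraint, an assumption beyond what the guide states.

HELLO_RANGE = (1, 10)
FWD_RANGE = (4, 30)
MAX_AGE_RANGE = (6, 40)


def timers_in_range(hello, forward_delay, max_age):
    """Each timer inside the range the switch accepts (values in seconds)."""
    return (HELLO_RANGE[0] <= hello <= HELLO_RANGE[1]
            and FWD_RANGE[0] <= forward_delay <= FWD_RANGE[1]
            and MAX_AGE_RANGE[0] <= max_age <= MAX_AGE_RANGE[1])


def timers_consistent(hello, forward_delay, max_age):
    """802.1D relationship between the three timers (assumed from the standard)."""
    return 2 * (forward_delay - 1) >= max_age >= 2 * (hello + 1)


def propagate_bpdu(max_age, chain_length):
    """Model the root's BPDU travelling down a chain of switches.

    Returns a list of (hop, received_message_age, accepted). The root sends
    message age 0 and each switch adds 1 before relaying (as the text says);
    a BPDU whose message age has reached max_age is stale and is discarded
    at that hop (assumption of this model).
    """
    hops = []
    age = 0
    for hop in range(1, chain_length + 1):
        accepted = age < max_age
        hops.append((hop, age, accepted))
        if not accepted:
            break
        age += 1
    return hops


def reachable_switches(max_age, chain_length):
    """How many switches in a chain still accept the root's BPDU."""
    return sum(1 for _, _, ok in propagate_bpdu(max_age, chain_length) if ok)


if __name__ == "__main__":
    print(timers_in_range(2, 15, 20), timers_consistent(2, 15, 20))   # defaults: True True
    print(timers_consistent(1, 4, 40))                                  # True? no: False
    print(reachable_switches(20, 30), reachable_switches(6, 30))       # 20 6
```

Tuning the timers at the minimum of one range and the maximum of another (hello 1, forward delay 4, max age 40) passes the range check but fails the consistency check, which is why such a set should be rejected before it is pushed to the root bridge.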

Configure STP timers:

o Hello Timer
Switch# config t
Switch(config)# spanning-tree vlan (vlan-id) hello-time (seconds)
Switch(config)# end

o Forward Delay Timer
Switch# config t
Switch(config)# spanning-tree vlan (vlan-id) forward-time (seconds)
Switch(config)# end

o Max Age Timer
Switch# config t
Switch(config)# spanning-tree vlan (vlan-id) max-age (seconds)
Switch(config)# end

2. 1.6.c 1. Port Fast

Spanning Tree PortFast causes Layer 2 switch interfaces to enter the forwarding state immediately, bypassing the listening and learning states. It should be used on ports connected directly to end hosts like servers or workstations.

*Note: If PortFast isn’t enabled, DHCP timeouts can occur while STP converges, causing more problems.

Configure:
1. Switch# config t
2. Switch(config)# int fa 3/1
3. Switch(config-if)# [no] spanning-tree portfast

3. To verify PortFast on an interface:
1. Switch# show spanning-tree int fa 3/1 portfast

1. Bridge Protocol Data Unit- Bridge Protocol Data Units (BPDUs) are frames that contain information about the Spanning tree protocol (STP). Switches send BPDUs using a unique MAC address from its origin port and a multicast address as destination MAC (01:80:C2:00:00:00).

2. BPDU guard- Prevents problems related to switches accidentally being connected to PortFast-enabled ports, where bridging loops would otherwise occur instantly. It places the port in the err-disable state if it receives a BPDU, disabling the interface.

1. Configure:
1. To enable BPDU Guard globally on the switch: Switch(config)# spanning-tree portfast edge bpduguard default
2. To enable BPDU Guard at the interface level: Switch(config-if)# spanning-tree bpduguard enable

Example case: BPDU guard is a PortFast feature that protects your spanning tree on edge ports (access ports). It (in layman's terms) monitors your port for BPDUs. If it sees one (presumably from a switch), it shuts the port down (err-disabled). This feature ensures that the device connected to a particular port is NOT capable of sending a BPDU (possibly superior to your root bridge) to your network and potentially becoming root bridge, which can have some very serious implications in a switched environment.

3. BPDU filter- When PortFast is enabled on a port, the port will send out BPDUs and will accept and process received BPDUs. The BPDU Guard feature prevents the port from receiving any BPDUs but does not prevent it from sending them. The BPDU Filter feature effectively disables STP on the selected ports by preventing them from sending or receiving any BPDUs.

1. Configure:
2. Switch# config t
3. Switch(config)# spanning-tree portfast bpdufilter default <to enable BPDU filtering globally on the switch>
4. Switch(config-if)# spanning-tree bpdufilter enable <to enable BPDU filtering at the interface level>
5. Switch# show spanning-tree summary <to verify that Portfast BPDU Filter Default is enabled>
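What the switch is actually reacting to is a frame addressed to 01:80:C2:00:00:00, and the difference between guard and filter is what the port does once it has recognised one. The following added example (not from the study guide or Cisco) parses a configuration BPDU and models an edge port under PortFast with BPDU guard or BPDU filter. The STP multicast MAC is from the text; the LLC SAP 0x42 framing and the 802.1D field layout are assumptions from the standard, and all frame contents are constructed.

```python
import struct

# Constructed sample values. The STP multicast MAC is from the text; the LLC
# framing (DSAP/SSAP 0x42, UI control 0x03) is assumed from IEEE 802.1D.
STP_MULTICAST = bytes.fromhex("0180c2000000")
STP_LLC = bytes.fromhex("424203")


def is_bpdu(frame):
    """True when an Ethernet frame is an STP BPDU (STP multicast + 802.3/LLC)."""
    if len(frame) < 17 or frame[:6] != STP_MULTICAST:
        return False
    length = struct.unpack("!H", frame[12:14])[0]
    return length <= 1500 and frame[14:17] == STP_LLC


def parse_bpdu(frame):
    """Decode the fixed fields of a configuration BPDU (802.1D layout, assumed)."""
    body = frame[17:]
    proto, version, kind = struct.unpack("!HBB", body[:4])
    if kind == 0x80:
        return {"type": "tcn", "version": version}
    (flags, root_id, root_cost, sender_id, port_id,
     msg_age, max_age, hello, fwd_delay) = struct.unpack("!BQIQHHHHH", body[4:35])
    return {
        "type": "config" if kind == 0x00 else "rstp",
        "root_priority": root_id >> 48,      # upper 16 bits of the bridge ID
        "root_mac": "{:012x}".format(root_id & ((1 << 48) - 1)),
        "root_path_cost": root_cost,
        "sender_priority": sender_id >> 48,
        "message_age": msg_age / 256,        # timer fields are in 1/256 s units
        "max_age": max_age / 256,
        "hello": hello / 256,
        "forward_delay": fwd_delay / 256,
    }


def build_config_bpdu(src_mac, root_priority, root_mac, sender_priority, sender_mac):
    """Construct a configuration BPDU frame (default 20/2/15 timers) for tests."""
    root_id = (root_priority << 48) | int(root_mac, 16)
    sender_id = (sender_priority << 48) | int(sender_mac, 16)
    body = struct.pack("!HBBBQIQHHHHH", 0, 0, 0, 0, root_id, 0, sender_id,
                       0x8001, 0, 20 * 256, 2 * 256, 15 * 256)
    payload = STP_LLC + body
    return (STP_MULTICAST + bytes.fromhex(src_mac)
            + struct.pack("!H", len(payload)) + payload)


class EdgePort:
    """A PortFast access port with optional BPDU guard or BPDU filter."""

    def __init__(self, name, bpduguard=False, bpdufilter=False):
        self.name = name
        self.bpduguard = bpduguard
        self.bpdufilter = bpdufilter
        self.state = "up"

    def receive(self, frame):
        if self.state == "err-disabled":
            return "dropped (port err-disabled)"
        if not is_bpdu(frame):
            return "forwarded"
        if self.bpdufilter:            # filter: BPDUs are neither sent nor received
            return "bpdu dropped (filter)"
        if self.bpduguard:             # guard: one received BPDU err-disables the port
            self.state = "err-disabled"
            return "err-disabled (guard)"
        return "bpdu processed by STP"

    def sends_bpdus(self):
        """Guard still lets the port send BPDUs; filter stops them."""
        return not self.bpdufilter
```

Run on a constructed BPDU, the guard port goes to err-disabled and then drops everything until it is recovered, the filter port silently discards the BPDU and keeps forwarding, and a plain PortFast port hands the BPDU to STP, which is the case the text warns about.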

4. 1.6.d 1. Loop guard- Most bridging loops that occur when STP is active happen when a port in the blocking state stops receiving BPDUs on the interface and therefore transitions to the forwarding state, creating an all-ports-forwarding loop. Loop guard blocks ports on a per-VLAN basis, so on trunks it will only block that VLAN, not the whole trunk. Loop guard should be applied to all non-designated ports (e.g. root, alternate).

1. Configuration:
2. Globally
3. Switch# config t
4. Switch(config)# spanning-tree loopguard default
5. Interface
6. Switch# config t
7. Switch(config)# int fa 4/4
8. Switch(config-if)# spanning-tree guard loop

2. Root guard - Root guard was developed to control where root bridges can be located within the network. Switches learn about and elect root bridges based on BPDUs they receive, so if a new switch is added to the environment with a lower bridge priority than the current root bridge, the new switch will become root, and in turn disrupt your carefully planned traffic patterns. To prevent this from occurring, root guard can be applied to interfaces where a root bridge should never be seen.

1. Configuration:
2. Switch# config t
3. Switch(config)# int fa 4/4
4. Switch(config-if)# spanning-tree guard root

1.7 Configure and verify other LAN switching technologies - You can analyze network traffic passing through ports or VLANs by using SPAN or RSPAN to send a copy of the traffic to another port on the switch or on another switch that has been connected to a network analyzer or other monitoring or security device. 

1.7.a SPAN(Switch Port Analyzer)- copies (or mirrors) traffic received or sent (or both) on source ports or source VLANs to a destination port for analysis. SPAN does not affect the switching of network traffic on the source ports or VLANs. You must dedicate the destination port for SPAN use.

Configuration:
Switch1# configure terminal
Switch1(config)# monitor session 1 source interface fastEthernet0/2
Switch1(config)# monitor session 1 destination interface fastEthernet0/24
Switch1(config)# end

1.7.b RSPAN- An extension of SPAN called remote SPAN or RSPAN. RSPAN allows you to monitor traffic from source ports distributed over multiple switches, which means that you can centralize your network capture devices. RSPAN works by mirroring the traffic from the source ports of an RSPAN session onto a VLAN that is dedicated for the RSPAN session. This VLAN is then trunked to other switches, allowing the RSPAN session traffic to be transported across multiple switches. On the switch that contains the destination port for the session, traffic from the RSPAN session VLAN is simply mirrored out the destination port.

Configuration:

Create the RSPAN VLAN on Switch 1:
Switch1# configure terminal
Switch1(config)# vlan 200
Switch1(config-vlan)# remote-span
Switch1(config-vlan)# end

Create the RSPAN VLAN on Switch 2:
Switch2# configure terminal
Switch2(config)# vlan 200
Switch2(config-vlan)# remote-span
Switch2(config-vlan)# end

Configure RSPAN on the source switch:
Switch1# configure terminal
Switch1(config)# monitor session 1 source interface fastEthernet0/2 rx
Switch1(config)# monitor session 1 destination remote vlan 200 reflector-port fastEthernet0/24
Switch1(config)# exit

Configure RSPAN on the destination switch:
Switch2# configure terminal
Switch2(config)# monitor session 1 source remote vlan 200
Switch2(config)# monitor session 1 destination interface fastEthernet0/3
Switch2(config)# exit


1.8 Describe chassis virtualization and aggregation technologies- A Virtual Switching System (VSS) combines a pair of Catalyst 6500 series switches into a single logical network element. An access switch connects to both chassis of the VSS using one logical port channel. The VSS manages the redundant links, which externally act as a single port channel. The VSS simplifies network configuration and operation by reducing the number of Layer 3 routing neighbors and by providing a loop-free Layer 2 topology.

1.8.a StackWise- A switch stack is a set of up to nine stacking-capable switches connected through their StackWise Plus or StackWise ports. You can connect only one switch type in a stack, or you can connect a mix of Catalyst 3750-X, Catalyst 3750-E, and Catalyst 3750 switches in the stack. Catalyst 3750-X and Catalyst 3750-E stack members have StackWise Plus ports, and Catalyst 3750 members have StackWise ports. The stack can have one of these configurations:

• Homogeneous stack—A Catalyst 3750-E-only stack with only Catalyst 3750-E switches as stack members or a Catalyst 3750-X-only stack with only Catalyst 3750-X switches as stack members.

• Mixed stack

1. 2.1 Configure and verify switch security features

2.1.a DHCP snooping - DHCP snooping protects against DHCP spoofing attacks. It is a security feature that, when enabled, trusts only the ports that uplink to an authorized DHCP server and allows them to pass all DHCP traffic. All other ports are untrusted (the default) and can only send DHCP requests. If a DHCP response (“offer”) is heard on an untrusted interface, it is shut down.

Configuration:
Switch# config t
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan (vlan-id)
Switch(config)# interface (uplink-interface-id)
Switch(config-if)# ip dhcp snooping trust

2.1.b IP Source Guard- IP Source Guard can be applied to access ports. IP Source Guard keeps track of the host’s IP address and/or MAC address associated with each port. If traffic sourced from another address enters that interface, it is dropped.

Configuration:
Switch# config t
Switch(config)# int (port number)
Switch(config-if)# ip verify source (uses just IP address filtering)
Switch# show ip source binding

2.1.c Dynamic ARP inspection - Dynamic ARP Inspection (DAI) is a security mechanism that works with DHCP snooping to define trusted and untrusted interfaces. DAI intercepts, logs, and drops ARP messages on untrusted ports that do not match the DHCP snooping MAC/IP bindings. All traffic that matches is passed; all traffic that does not match is dropped.

DAI is supported on access ports, trunk ports, EtherChannels, and private VLAN interfaces. Dynamic ARP Inspection should only be applied to ingress interfaces. All access ports should be untrusted and all trunks (including connections to routers) should be configured as trusted. Enable DAI on one or more VLANs, and then configure the trusted interfaces. It matches IP and MAC by default.

Configuration:
Switch# config t
Switch(config)# ip arp inspection vlan vlan-id
Switch(config)# interface (trusted-interface-id)
Switch(config-if)# ip arp inspection trust
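Sections 2.1.a to 2.1.c all revolve around one data structure, the DHCP snooping binding table, so they are easiest to understand together. The following added example (not from the study guide or Cisco's implementation) models a switch that learns bindings from DHCP exchanges seen on a trusted uplink, shuts an untrusted port that emits a DHCP response as the text describes, and then uses the table to make the DAI and IP Source Guard decisions. Port names, VLANs, MACs and addresses are constructed sample data.

```python
class SnoopingSwitch:
    """Model of DHCP snooping, DAI and IP Source Guard sharing one binding
    table. Added example with constructed data; not the guide's or Cisco's code."""

    SERVER_MSGS = {"OFFER", "ACK", "NAK"}

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}      # (vlan, client MAC) -> (IP, access port)
        self.pending = {}       # (vlan, client MAC) -> port that sent DISCOVER/REQUEST
        self.errdisabled = set()
        self.log = []

    def dhcp(self, port, vlan, msg_type, client_mac, client_ip=None):
        """Apply the DHCP snooping rule to one DHCP message seen on `port`."""
        if port in self.errdisabled:
            return "dropped (port err-disabled)"
        if msg_type in self.SERVER_MSGS:
            if port not in self.trusted:
                # The text: a DHCP response heard on an untrusted port shuts it down.
                self.errdisabled.add(port)
                self.log.append(f"{msg_type} from untrusted {port} (vlan {vlan}); port shut down")
                return "dropped, port shut down"
            if msg_type == "ACK":
                client_port = self.pending.pop((vlan, client_mac), None)
                if client_port is not None:
                    self.bindings[(vlan, client_mac)] = (client_ip, client_port)
            return "forwarded"
        # DISCOVER / REQUEST may come from any port; remember where they came from
        self.pending[(vlan, client_mac)] = port
        return "forwarded"

    def dai(self, port, vlan, sender_mac, sender_ip):
        """Dynamic ARP Inspection: trusted ports pass; untrusted must match a binding."""
        if port in self.trusted:
            return "forwarded (trusted)"
        if self.bindings.get((vlan, sender_mac)) == (sender_ip, port):
            return "forwarded"
        self.log.append(f"DAI: {sender_ip}/{sender_mac} on {port} has no binding; dropped")
        return "dropped (DAI)"

    def ipsg(self, port, vlan, src_mac, src_ip):
        """IP Source Guard with IP+MAC filtering on an access port."""
        for (v, mac), (ip, p) in self.bindings.items():
            if (v, mac, ip, p) == (vlan, src_mac, src_ip, port):
                return "forwarded"
        return "dropped (IPSG)"


def demo():
    """Constructed scenario: one client on fa0/5, the DHCP server behind gi0/1."""
    sw = SnoopingSwitch(trusted_ports={"gi0/1"})
    sw.dhcp("fa0/5", 10, "DISCOVER", "aaaa.0000.0001")
    sw.dhcp("gi0/1", 10, "OFFER", "aaaa.0000.0001", "10.1.10.50")
    sw.dhcp("fa0/5", 10, "REQUEST", "aaaa.0000.0001")
    sw.dhcp("gi0/1", 10, "ACK", "aaaa.0000.0001", "10.1.10.50")
    results = {
        "unauthorized_offer": sw.dhcp("fa0/9", 10, "OFFER", "bbbb.0000.0009", "10.1.10.99"),
        "arp_matches_binding": sw.dai("fa0/5", 10, "aaaa.0000.0001", "10.1.10.50"),
        "arp_claims_other_ip": sw.dai("fa0/5", 10, "aaaa.0000.0001", "10.1.10.1"),
        "arp_from_uplink": sw.dai("gi0/1", 10, "cccc.0000.0001", "10.1.10.1"),
        "ip_matches_binding": sw.ipsg("fa0/5", 10, "aaaa.0000.0001", "10.1.10.50"),
        "ip_not_bound": sw.ipsg("fa0/5", 10, "aaaa.0000.0001", "10.1.10.77"),
    }
    return sw, results


if __name__ == "__main__":
    switch, outcome = demo()
    for name, verdict in outcome.items():
        print(f"{name:22} {verdict}")
    print("\n".join(switch.log))
```

The `log` list is the part a defender cares about: every dropped ARP and every shut port is recorded with the port and VLAN, which is the same information the switch's own DAI and snooping syslog messages carry.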

2.1.d Port security - Port security can put limits on both what MAC addresses are allowed to be connected to a switch port and how many at any given time. Using port security specific MACs can be statically allowed, or dynamically “learned” using the sticky command.

Configuration:
Switch# config t
Switch(config)# interface fa 1/1
Switch(config-if)# switchport port-security
Specify the maximum number of MACs allowed (default is one):
Switch(config-if)# switchport port-security maximum number
Learn the allowed MACs dynamically and keep them in the configuration:
Switch(config-if)# switchport port-security mac-address sticky
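The two knobs the text names, the maximum and sticky learning, interact: the maximum decides when a new MAC is a violation, and sticky decides whether a learned MAC survives a reload. The following added example (not from the study guide) models one port with both, plus the three violation modes (shutdown, restrict, protect), which exist on Catalyst switches but are not covered by the text above.

```python
class PortSecurity:
    """Model of port security on one access port. Added example, not Cisco's
    code; the violation modes beyond 'shutdown' are an addition to the text."""

    def __init__(self, maximum=1, sticky=False, static=(), violation="shutdown"):
        self.maximum = maximum
        self.sticky = sticky
        self.violation = violation
        self.secure = set(static)    # MACs currently allowed on the port
        self.saved = set(static)     # MACs that are in the running-config
        self.state = "up"
        self.violations = 0

    def frame_from(self, mac):
        """Decide what happens to a frame whose source MAC is `mac`."""
        if self.state == "err-disabled":
            return "dropped (err-disabled)"
        if mac in self.secure:
            return "forwarded"
        if len(self.secure) < self.maximum:
            self.secure.add(mac)
            if self.sticky:              # sticky: the learned MAC goes into the config
                self.saved.add(mac)
            return "learned"
        self.violations += 1
        if self.violation == "shutdown":
            self.state = "err-disabled"
            return "violation: err-disabled"
        if self.violation == "restrict":
            return "violation: dropped, counted"
        return "violation: dropped"       # protect: silently dropped

    def reload(self):
        """After a reload only static and sticky addresses remain secure."""
        self.secure = set(self.saved)
        self.state = "up"


if __name__ == "__main__":
    port = PortSecurity(maximum=2, sticky=True)
    for mac in ("aaaa.0000.0001", "aaaa.0000.0002", "aaaa.0000.0003"):
        print(mac, port.frame_from(mac))   # learned, learned, violation: err-disabled
```

Compare a sticky port with a plain dynamic one after `reload()`: the sticky port still recognises its two hosts, while the dynamic port has forgotten them and will learn whatever MAC shows up first, which is the operational reason sticky learning is paired with a small maximum.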

2.1.e Private VLAN- A private VLAN partitions the Layer 2 broadcast domain of a VLAN into subdomains, allowing you to isolate the ports on the switch from each other. A subdomain consists of a primary VLAN and one or more secondary VLANs. All VLANs in a private VLAN domain share the same primary VLAN. The secondary VLAN ID differentiates one subdomain from another. The secondary VLANs may either be isolated VLANs or community VLANs. A host on an isolated VLAN can only communicate with the associated promiscuous port in its primary VLAN. Hosts on community VLANs can communicate among themselves and with their associated promiscuous port but not with ports in other community VLANs.

*Note  You must first create the VLAN before you can convert it to a private VLAN, either primary or secondary.

Page 28: CCNP Study Guide

A private VLAN domain has only one primary VLAN. Each port in a private VLAN domain is a member of the primary VLAN; the primary VLAN is the entire private VLAN domain.

Secondary VLANs provide isolation between ports within the same private VLAN domain. The following two types are secondary VLANs within a primary VLAN:

Isolated VLANs—Ports within an isolated VLAN cannot communicate directly with each other at the Layer 2 level.

Community VLANs—Ports within a community VLAN can communicate with each other but cannot communicate with ports in other community VLANs or in any isolated VLANs at the Layer 2 level.

The types of private VLAN ports are as follows:

Promiscuous—A promiscuous port belongs to the primary VLAN.

Isolated VLAN—An isolated VLAN is a secondary VLAN that carries unidirectional traffic upstream from the hosts toward the promiscuous ports.

Community VLAN—A community VLAN is a secondary VLAN that carries upstream traffic from the community ports to the promiscuous port and to other host ports in the same community.

Configuration:

This example shows how to assign VLAN 5 to a private VLAN as the primary VLAN:

switch# configure terminal
switch(config)# vlan 5
switch(config-vlan)# private-vlan primary

This example shows how to assign VLAN 100 to a private VLAN as a community VLAN:

switch(config-vlan)# exit
switch(config)# vlan 100
switch(config-vlan)# private-vlan community

This example shows how to assign VLAN 109 to a private VLAN as an isolated VLAN:

switch(config-vlan)# exit
switch(config)# vlan 109
switch(config-vlan)# private-vlan isolated
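The rules in the paragraphs above reduce to a small reachability function, which is a handy way to check a private VLAN design before it is configured. The following is an added example, not code from the study guide; it uses the VLAN numbers from the configuration above and a constructed set of hosts.

```python
# Added example (not from the study guide): Layer 2 reachability inside one
# private VLAN domain, following the isolated / community / promiscuous rules.

PRIMARY_VLAN = 5    # the primary VLAN from the configuration example above


def can_talk(a, b):
    """Whether two ports of the same private VLAN domain can reach each other
    at Layer 2. A port is (type, secondary_vlan); promiscuous ports use None."""
    (type_a, vlan_a), (type_b, vlan_b) = a, b
    if "promiscuous" in (type_a, type_b):
        return True                                  # promiscuous reaches everything
    if type_a == type_b == "community" and vlan_a == vlan_b:
        return True                                  # same community
    return False                                     # isolated, or different communities


def reachability(ports):
    """Map each port name to the sorted list of other ports it can reach."""
    return {src: sorted(dst for dst in ports
                        if dst != src and can_talk(ports[src], ports[dst]))
            for src in ports}


# Constructed hosts: a gateway on the promiscuous port, two web servers in
# community VLAN 100 and two database servers in isolated VLAN 109.
PORTS = {
    "gateway": ("promiscuous", None),
    "web1": ("community", 100),
    "web2": ("community", 100),
    "db1": ("isolated", 109),
    "db2": ("isolated", 109),
}

if __name__ == "__main__":
    for name, peers in reachability(PORTS).items():
        print(f"{name:8} -> {', '.join(peers) or '(none)'}")
```

The matrix makes the isolation guarantee explicit: `db1` and `db2` share VLAN 109 and still cannot see each other, while `web1` and `web2` can, and every host can reach the gateway.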


2.1.f Storm control - Storm control allows an administrator to suppress excessive inbound unicast, multicast, or broadcast traffic on Layer 2 interfaces. This can be handy to protect against broadcast storms resulting from spanning tree misconfiguration, or even unicast storms created by malfunctioning host NICs.

o Configuration:
Switch# config t
Switch(config)# interface fa 1/1
Switch(config-if)# storm-control broadcast level bps 1m 500k

In the above example, we have configured storm control for broadcast traffic with a 1 Mbps rising threshold and a 500 Kbps falling threshold. Note that specifying a falling threshold is optional; if omitted, the falling threshold will default to the value of the rising threshold (effectively removing it).
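The rising and falling thresholds form a hysteresis loop, and the effect of omitting the falling threshold is clearest when the two cases are run side by side. The following added example (not from the study guide) models that loop over a sequence of per-interval measurements. The suffix multipliers and the exact comparisons are assumptions of this model, not taken from the text.

```python
# Added example (not from the study guide): storm control as a two-threshold
# state machine. Assumed: k/m/g are decimal multipliers; suppression starts when
# a measurement exceeds the rising level and ends when one falls below the
# falling level. Sample rates are constructed.

SUFFIX = {"k": 1_000, "m": 1_000_000, "g": 1_000_000_000}


def parse_rate(text):
    """'500k' -> 500000, '1m' -> 1000000, '250000' -> 250000 (bits per second)."""
    text = text.strip().lower()
    if text[-1] in SUFFIX:
        return int(float(text[:-1]) * SUFFIX[text[-1]])
    return int(text)


class StormControl:
    def __init__(self, rising, falling=None):
        self.rising = parse_rate(rising)
        # No falling threshold: it defaults to the rising one (as the text says).
        self.falling = parse_rate(falling) if falling else self.rising
        self.suppressing = False

    def interval(self, measured_bps):
        """Process one measurement interval; return 'forward' or 'suppress'."""
        if not self.suppressing and measured_bps > self.rising:
            self.suppressing = True
        elif self.suppressing and measured_bps < self.falling:
            self.suppressing = False
        return "suppress" if self.suppressing else "forward"

    def run(self, samples):
        """Apply a sequence of measured rates (strings such as '800k')."""
        return [self.interval(parse_rate(s)) for s in samples]


if __name__ == "__main__":
    samples = ["200k", "1.2m", "800k", "400k", "900k"]
    print(StormControl("1m", "500k").run(samples))   # hysteresis: 800k stays suppressed
    print(StormControl("1m").run(samples))           # no falling level: 800k forwards
```

With the falling threshold at 500 kbps, the third interval (800 kbps) is still suppressed because the rate has not dropped below 500 kbps yet; with only a rising threshold, the same interval forwards again as soon as the rate is under 1 Mbps, which is what "effectively removing it" means in the text.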

2.2 Describe device security using Cisco IOS AAA with TACACS+ and RADIUS

2.2.a AAA with TACACS+ and RADIUS - Access control is the way you control who is allowed access to the network server and what services they are allowed to use once they have access. Authentication, authorization, and accounting (AAA) network security services provide the primary framework through which you set up access control on your router or access server.

Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights with the appropriate user. All authorization methods must be defined through AAA.

*RADIUS is the only supported server type for 802.1X!

o Configuration:
o Switch(config)# aaa new-model (enables AAA globally, with default lists applied to the VTYs)
o Switch(config)# aaa authentication dot1x default group radius
o Switch(config)# dot1x system-auth-control (globally enables 802.1x on the switch)

2.2.b Local privilege authorization fallback

The local database can act as a fallback method for several functions. This behavior is designed to help prevent accidental lockout. For users who need fallback support, it is recommended that their usernames and passwords in the local database match their usernames and passwords on the AAA servers. This provides transparent fallback support. Because the user cannot determine whether a AAA server or the local database is providing the service, using usernames and passwords on AAA servers that are different from the usernames and passwords in the local database means that the user cannot be certain which username and password should be given.

The local database supports the following fallback functions:


● Console and enable password authentication—When you use the aaa authentication console command, you can add the LOCAL keyword after the AAA server group tag. If the servers in the group all are unavailable, the security appliance uses the local database to authenticate administrative access. This can include enable password authentication, too.

● Command authorization—When you use the aaa authorization command command, you can add the LOCAL keyword after the AAA server group tag. If the TACACS+ servers in the group are all unavailable, the local database is used to authorize commands based on privilege levels.

● VPN authentication and authorization—VPN authentication and authorization are supported to enable remote access to the security appliance if the AAA servers that normally support these VPN services are unavailable. The authentication-server-group command, available in tunnel-group general attributes mode, lets you specify the LOCAL keyword when you are configuring attributes of a tunnel group. When an administrator's VPN client specifies a tunnel group configured to fall back to the local database, the VPN tunnel can be established even if the AAA server group is unavailable, provided that the local database is configured with the necessary attributes.

3.1 Configure and verify first-hop redundancy protocols

1. 3.1.a Hot Standby Router Protocol (HSRP) - HSRP is Cisco's standard method of providing high network availability by providing first-hop redundancy for IP hosts on an IEEE 802 LAN configured with a default gateway IP address. HSRP routes IP traffic without relying on the availability of any single router. It enables a set of router interfaces to work together to present the appearance of a single virtual router or default gateway to the hosts on a LAN.

HSRP Operation

With HSRP, two routers (Router1 and Router2 in this case) will be seen as only one router. HSRP uses a virtual MAC address and a virtual IP address so that the two routers appear to the hosts as a single default gateway. For example, the virtual IP address is 192.168.1.254 and the virtual MAC is 0000.0c07.AC0A. All the hosts will point their default gateway to this IP address.

One router, through the election process, is designated as the active router while the other router is designated as the standby router. Both the active and standby routers listen, but only the active router forwards packets. The standby router is the backup when the active router fails: it monitors the periodic hellos sent by the active router (multicast to 224.0.0.2, UDP port 1985) to detect a failure of the active router.

When a failure of the active router is detected, the standby router assumes the role of the forwarding router. Because the new forwarding router uses the same (virtual) IP and MAC addresses, the hosts see no disruption in communication. A new standby router is also elected at that time (in the case where there are more than two routers in the HSRP group).

Note: All routers in a HSRP group send hello packets.

By default, the hello timer is set to 3 seconds and the dead timer is set to 10 seconds.

This means that a hello packet is sent between the HSRP standby group devices every 3 seconds, and the standby device becomes active when a hello packet has not been received for 10 seconds.

Note: The virtual MAC address of HSRP version 1 is 0000.0C07.ACxx, where xx is the HSRP group number in hexadecimal based on the respective interface. For example, HSRP group 10 uses the HSRP virtual MAC address of 0000.0C07.AC0A. HSRP version 2 uses a virtual MAC address of 0000.0C9F.FXXX

2. HSRP States

HSRP consists of 5 states:

State: Description

Initial: This is the beginning state. It indicates HSRP is not running. It happens when the configuration changes or the interface is first turned on.

Listen: The router knows both the IP and MAC address of the virtual router but it is not the active or standby router. For example, if there are 3 routers in the HSRP group, the router which is not in the active or standby state will remain in the listen state.

Speak: The router sends periodic HSRP hellos and participates in the election of the active or standby router.

Standby: In this state, the router monitors hellos from the active router and it will take the active state when the current active router fails (no packets heard from the active router).

Active: The router forwards packets that are sent to the HSRP group. The router also sends periodic hello messages.

Fun Facts:

+ HSRP is Cisco proprietary and allows several routers or multilayer switches to appear as a single gateway IP address.
+ HSRP has 5 states: Initial, listen, speak, standby and active.
+ HSRP allows multiple routers to share a virtual IP and MAC address so that the end-user hosts do not realize when a failure occurs.
+ The active (or Master) router uses the virtual IP and MAC addresses.
+ Standby routers listen for Hellos from the Active router. A hello packet is sent every 3 seconds by default. The hold time (dead interval) is 10 seconds.
+ Virtual MAC of 0000.0C07.ACxx, where xx is the hexadecimal number of the HSRP group.
+ The group numbers of HSRP version 1 range from 0 to 255. HSRP does support group number 0, so HSRP version 1 supports up to 256 group numbers. HSRP version 2 supports 4096 group numbers.

Configuration:
Switch# config t
Switch(config)# int (interface number)

HSRP Configuration
o Switch(config-if)# standby (group-number 0-255) ip (ip-address)
To set the HSRP priority value for a router:
o Switch(config-if)# standby (group-number 0-255) priority (priority-value)
To change the active router to the router you want to be active:
o Switch(config-if)# standby (group-number 0-255) preempt

HSRP Timers- HSRP uses two important timers between the active/standby routers. Hello timers are used to exchange HSRP information while the hold down timer is used to determine how long before a router is declared to be down in a group. The default hello time is 3 seconds and the default hold down timer is 10 seconds. That means there could be up to a 10 second delay before the standby router begins forwarding traffic if the active goes down. To tune the timers (in seconds):

Configuration:
o Switch(config-if)# standby (group-number 0-255) timers {hello time} {hold time}
o Example: Switch(config-if)# standby 10 timers 1 3

HSRP Version: HSRP comes in two versions, 1 and 2. The most significant difference is that v1 only allows up to 255 group numbers and v2 allows up to 4095 – making it now possible to correspond group numbers with VLAN IDs.
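The virtual MAC formats quoted above (0000.0C07.ACxx for version 1, 0000.0C9F.Fxxx for version 2) are worth being able to compute and recognise, because the group number, and therefore the version in use, can be read straight off the MAC that hosts see in their ARP tables. The following added example (not from the study guide) derives the virtual MAC for a group, validates the group range per version, and picks HSRP gateways out of a constructed ARP table, a quick inventory check for which addresses on a segment are really virtual gateways.

```python
# Added example (not from the study guide): HSRP virtual MAC derivation and
# recognition. The v1 and v2 MAC formats and group ranges are from the text;
# the ARP entries below are constructed sample data.


def hsrp_vmac(group, version=1):
    """Virtual MAC for an HSRP group: v1 0000.0c07.acXX, v2 0000.0c9f.fXXX."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRPv1 groups are 0-255")
        return "0000.0c07.ac{:02x}".format(group)
    if version == 2:
        if not 0 <= group <= 4095:
            raise ValueError("HSRPv2 groups are 0-4095")
        return "0000.0c9f.f{:03x}".format(group)
    raise ValueError("HSRP version must be 1 or 2")


def parse_vmac(mac):
    """Return (version, group) if `mac` is an HSRP virtual MAC, else None."""
    m = mac.lower().replace(":", "").replace(".", "").replace("-", "")
    if len(m) != 12:
        return None
    if m.startswith("00000c07ac"):
        return 1, int(m[10:], 16)
    if m.startswith("00000c9ff"):
        return 2, int(m[9:], 16)
    return None


def find_hsrp_gateways(arp_entries):
    """From (ip, mac) pairs, keep the ones that belong to an HSRP virtual router."""
    found = []
    for ip, mac in arp_entries:
        parsed = parse_vmac(mac)
        if parsed is not None:
            found.append((ip, mac, parsed[0], parsed[1]))
    return found


# Constructed ARP table: one v1 group 10 gateway, one v2 group 10 gateway,
# and an ordinary host.
ARP_TABLE = [
    ("192.168.1.254", "0000.0c07.ac0a"),
    ("192.168.1.1", "0011.2233.4455"),
    ("192.168.1.253", "0000.0c9f.f00a"),
]

if __name__ == "__main__":
    print(hsrp_vmac(10), hsrp_vmac(10, version=2))
    for ip, mac, version, group in find_hsrp_gateways(ARP_TABLE):
        print(f"{ip} is HSRPv{version} group {group} ({mac})")
```

Note that the same group number appears in both formats: the virtual MAC changes when an HSRP group is moved from version 1 to version 2, so hosts with a cached ARP entry for the old MAC are affected by the migration.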

2. 3.1.b VRRP- VRRP is an open standard redundancy protocol that is similar to Cisco’s HSRP. One difference is that the virtual IP can either be a virtual one (as is the case with HSRP) or it can be the actual IP address of the active router.

The VRRP ”master” forwards the traffic and is chosen because it owns the real IP address or has the highest priority (default is 100). The “backup” router takes over if the master fails. Priority values are between 1-255.

If the master router fails, it advertises a priority of 0, forcing an election amongst the backup routers without waiting for the hold down timer to expire.

Configuration:
o Switch# config t
o Switch(config)# int (interface-id)
o Switch(config-if)# vrrp (group-number 0-255) ip (virtual-ip-address)
o Switch(config-if)# vrrp (group-number 0-255) priority (priority-value)

VRRP Timers

• Advertisements, or hellos – default 1 second
• Master down interval = 3 times the advertisement time + skew (essentially the same as HSRP’s hold down timer)
• Skew time = (256 - priority)/256. Used to ensure the highest priority backup router becomes master.

o Note: Make changes on the master because changes in timers are then propagated to the backups automatically.

o Configuration:
Switch# config t
Switch(config)# int (interface-id)
Switch(config-if)# vrrp (group-number 0-255) timers advertise (time-in-seconds)
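The skew time is what turns the priority into an ordering of the backups in time: the higher the priority, the shorter the master down interval, so the best backup notices the failure first. The following added example (not from the study guide) carries the two formulas above through for a set of backups and models the priority-0 advertisement that forces an immediate election. Router names and priorities are constructed; the rule that the router owning the real IP address uses priority 255 is from the VRRP specification, not the text.

```python
# Added example (not from the study guide): VRRP timing from the formulas above.
# skew = (256 - priority) / 256 ; master_down = 3 * advertise + skew


def skew_time(priority):
    """Skew time in seconds for a backup with the given priority (1-254)."""
    if not 1 <= priority <= 255:
        raise ValueError("VRRP priority must be 1-255")
    return (256 - priority) / 256


def master_down_interval(advertise, priority):
    """Seconds a backup waits without advertisements before declaring master down."""
    return 3 * advertise + skew_time(priority)


def effective_priority(owns_real_ip, configured=100):
    """The IP address owner always uses 255 (RFC behaviour, assumed here);
    other routers use the configured value, default 100 per the text."""
    return 255 if owns_real_ip else configured


def failover_order(backups, advertise=1):
    """Backups sorted by when each would declare the master down (earliest first).

    backups: dict name -> priority
    """
    return sorted(backups, key=lambda name: master_down_interval(advertise, backups[name]))


def on_advertisement(priority):
    """What a backup does with a received advertisement."""
    if priority == 0:            # master is shutting down: elect now, don't wait
        return "election now"
    return "reset master-down timer"


# Constructed group: R1 owns the real address, R2 and R3 are backups.
BACKUPS = {"R2": 200, "R3": 150}

if __name__ == "__main__":
    print(effective_priority(True), effective_priority(False))         # 255 100
    for name in failover_order(BACKUPS):
        print(name, master_down_interval(1, BACKUPS[name]))            # R2 first
    print(on_advertisement(0), "|", on_advertisement(255))
```

With the default 1 second advertisement, R2 (priority 200) declares the master down after 3.21875 s and R3 (priority 150) after 3.4140625 s; the quarter-second gap is the skew doing its job of avoiding two backups claiming master at once.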

3.1.c GLBP - One of the major limitations to both HSRP and VRRP is that a single router handles traffic for the whole group, leaving the others inactive until the master router fails. GLBP or Gateway Load Balancing Protocol solves this dilemma by load balancing traffic over up to four gateways, maximizing bandwidth. One virtual IP is used, but each participating router uses a virtual MAC address, which is used to respond to ARP requests.

There are three load-sharing options:

Weighted load balancing- based on preconfigured weights assigned to gateways

Host-dependent load balancing – each host uses a specific gateway

Round-robin load balancing – Each MAC is used to respond in turn (default)

The routers running GLBP elect a single Active Virtual Gateway (AVG), which manages the load balancing and responds to ARPs. The highest priority router wins; in a tie, the highest IP address wins. Group members send hello multicasts every 3 seconds (multicast address 224.0.0.102); if a router goes down, another will answer for its requests. The job of the AVG is to assign virtual MAC addresses to each of the other GLBP routers and to assign each network host to one of the GLBP routers. The routers that receive the MAC address assignment are the Active Virtual Forwarders, or AVFs.

Configuration:
o Switch# config t
o Switch(config)# int (interface-id)
o Switch(config-if)# glbp (group-number 0-255) ip (virtual-ip-address)
o Switch(config-if)# glbp (group-number 0-255) priority (priority-value)

Note* Remember that the default gateway IP address that is configured on the end hosts should be set to the virtual IP address.
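The AVG's two jobs, handing each forwarder a virtual MAC and deciding which of those MACs goes into each ARP reply, are what the three load-sharing options change. The following added example (not from the study guide) models an AVG with round-robin, host-dependent and weighted selection and shows another forwarder answering for a failed one. The virtual MAC layout used (0007.b4xx.xxyy with the group in xxxx and the forwarder number in yy) is an assumption beyond what the text states, and the router names and hosts are constructed.

```python
import itertools


class GlbpGroup:
    """Model of a GLBP AVG. Added example, not Cisco's implementation; the
    virtual MAC layout 0007.b4xx.xxyy is assumed, not taken from the text."""

    MAX_FORWARDERS = 4      # GLBP load balances over up to four gateways

    def __init__(self, group, members, method="round-robin", weights=None):
        self.group = group
        self.avfs = list(members)[: self.MAX_FORWARDERS]
        self.vmac = {m: self.glbp_vmac(group, i + 1) for i, m in enumerate(self.avfs)}
        self.alive = set(self.avfs)
        self.method = method
        if method != "weighted":
            weights = {m: 1 for m in self.avfs}
        self._cycle = itertools.cycle([m for m in self.avfs for _ in range(weights[m])])

    @staticmethod
    def glbp_vmac(group, forwarder):
        """Assumed layout: 0007.b4 + 16-bit group + 8-bit forwarder number."""
        return "0007.b4{:02x}.{:02x}{:02x}".format(group >> 8, group & 0xFF, forwarder)

    def arp_reply(self, host_mac):
        """The virtual MAC the AVG puts in its ARP reply to `host_mac`."""
        if self.method in ("round-robin", "weighted"):
            avf = next(self._cycle)                  # each MAC in turn (weights repeat)
        elif self.method == "host-dependent":
            avf = self.avfs[sum(host_mac.encode()) % len(self.avfs)]   # same host, same AVF
        else:
            raise ValueError("unknown load-balancing method: " + self.method)
        return self.vmac[avf]

    def fail(self, member):
        self.alive.discard(member)

    def responder(self, vmac):
        """Which live router answers for a virtual MAC; another AVF takes over a failed one's."""
        owner = next(m for m, v in self.vmac.items() if v == vmac)
        if owner in self.alive:
            return owner
        return next(m for m in self.avfs if m in self.alive)


if __name__ == "__main__":
    group = GlbpGroup(1, ["R1", "R2", "R3"])
    for host in ("host1", "host2", "host3", "host4"):
        print(host, "->", group.arp_reply(host))     # R1, R2, R3, R1 ...
    group.fail("R2")
    print("R2's MAC now answered by", group.responder(group.vmac["R2"]))
```

Hosts keep the virtual MAC they were given, which is why a failed forwarder's MAC must be taken over by a surviving one rather than simply retired: the hosts that cached it would otherwise lose their gateway even though the virtual IP is still up.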


IRDP- Some newer hosts use the ICMP Router Discovery Protocol (RFC 1256) to find a new router when a route becomes available. A host running IRDP listens for hello multicast messages from its configured router and uses an alternate router when that router is no longer available. It is not necessary to understand the technical details of how IRDP works, but be aware that it is a valid first hop redundancy protocol.

Security Simulation Example:

PROBLEM
The Fresh Fish Factory is a growing mid-size company with a specialty in producing tasteless crustaceans to retail chains at the lowest possible cost. After a recent financial server security breach, they decide to make security a priority - beginning with their HR Accounting VLAN. The Fresh Fish Factory has decided to restrict access to VLAN 35 to the 10.1.35.0 /24 range as well as implement 802.1x port security on all access switches for enhanced user authentication. Please complete the following:

1. Configure port-based authentication on AccessSW that will be done using a RADIUS server. RADIUS server IP address: 10.1.1.29. RADIUS key: pass123
2. Restrict VLAN 35 to devices in the 10.1.35.0 /24 address range.
3. Packets from devices in any other network range should be explicitly dropped.
4. Filtering should be implemented as close to the server farm as possible.

You are able to make any necessary configuration changes to both AccessSW and DistSW.


SOLUTION

Configure AccessSW:

1. Enable AAA on the switch:
1. AccessSW# configure terminal
2. AccessSW(config)# aaa new-model

2. Define the RADIUS server with the shared secret key:
1. AccessSW(config)# radius-server host 10.1.1.29 key pass123

3. Enable RADIUS server authentication on the switch:
1. AccessSW(config)# aaa authentication dot1x default group radius

4. Enable 802.1x on the switch:
1. AccessSW# configure terminal
2. AccessSW(config)# dot1x system-auth-control

5. Configure interface Fast Ethernet 0/12 for 802.1x:
1. AccessSW(config)# interface fa 0/12
2. AccessSW(config-if)# switchport mode access
3. AccessSW(config-if)# dot1x port-control auto
4. AccessSW(config-if)# exit

Configure DistSW:

1. Create an access list:
1. DistSW(config)# ip access-list standard 10
2. DistSW(config-std-nacl)# permit 10.1.35.0 0.0.0.255
3. DistSW(config-std-nacl)# exit

2. Define an access map that uses the access list we just created:
1. DistSW(config)# vlan access-map TEST 1
2. DistSW(config-access-map)# match ip address 10
3. DistSW(config-access-map)# action forward
4. DistSW(config-access-map)# exit
5. DistSW(config)# vlan access-map TEST 2
6. DistSW(config-access-map)# action drop
7. DistSW(config-access-map)# exit

3. Apply the VLAN map to VLAN 35:
1. DistSW(config)# vlan filter TEST vlan-list 35
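Two things in the DistSW solution are easy to get wrong when reading them: the wildcard mask `0.0.0.255` is not a subnet mask (a 1 bit means "don't care"), and a VLAN access map is evaluated sequence by sequence, with a sequence that has no match clause matching everything. The following added example (not from the study guide) implements both so that the access list and the `TEST` map above can be exercised against sample addresses; it also handles non-contiguous wildcard masks, which the general wildcard rule allows even though the solution only uses a contiguous one.

```python
import ipaddress

# Added example (not from the study guide): Cisco wildcard matching, a standard
# ACL, and the VLAN access map from the DistSW solution above.


def wildcard_match(ip, network, wildcard):
    """A 0 bit in the wildcard must match the network; a 1 bit is ignored."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip_i & care) == (net_i & care)


def standard_acl(entries, src_ip):
    """First matching entry decides; a standard ACL ends with an implicit deny.

    entries: list of (action, network, wildcard)
    """
    for action, network, wildcard in entries:
        if wildcard_match(src_ip, network, wildcard):
            return action
    return "deny"


def vlan_access_map(vacl, src_ip):
    """Evaluate a VACL: list of (sequence, acl_or_None, action). A sequence with
    no match clause (acl None) matches every packet; a packet the ACL denies does
    not match that sequence and falls through. Returns (sequence, action)."""
    for sequence, acl, action in vacl:
        if acl is None or standard_acl(acl, src_ip) == "permit":
            return sequence, action
    return None, "drop"        # nothing matched: dropped


# The objects from the solution above.
ACL_10 = [("permit", "10.1.35.0", "0.0.0.255")]
VACL_TEST = [(10, ACL_10, "forward"), (20, None, "drop")]

if __name__ == "__main__":
    for ip in ("10.1.35.7", "10.1.36.7", "192.168.1.22"):   # constructed sample hosts
        print(ip, vlan_access_map(VACL_TEST, ip))
```

Sequence 20 is what requirement 3 ("explicitly dropped") asks for: without it the map would still drop non-matching packets, but only through the implicit drop at the end, which the exercise wants stated outright.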

EtherChannel + STP Simulation Example:

PROBLEM
The Better Butter Company has recently replaced an edge switch in a wiring closet due to a hardware failure. Unfortunately the configuration was not backed up and now you are tasked with getting the new switch (AccessSW) up and running as fast as possible based on the following requirements.

• DistSW should not need any configuration changes made, as it worked properly before the outage. It is running rapid spanning tree and VTP transparent mode.
• AccessSW needs to have three VLANs configured on the correct interfaces as shown in the diagram below. It also needs to be running the same VTP and STP mode as DistSW. DistSW must remain the spanning tree root bridge for all active VLANs.
• The connection between the two switches must be configured using a redundant, non-proprietary protocol with DistSW controlling the activation. VLANs should be manually pruned to prevent unnecessary broadcast propagation.
• All VLANs traversing the trunk need to be tagged except for VLAN 99, which should not be tagged.

Additional requirements for AccessSW:
- All active access ports must transition immediately to forwarding state
- No routing is supported on AccessSW
- SVI VLAN 1 needs to be configured with IP address 192.168.1.22 /24


SOLUTION

1. Create VLAN 1’s SVI:
1. AccessSW# conf t
2. AccessSW(config)# interface vlan 1
3. AccessSW(config-if)# ip address 192.168.1.22 255.255.255.0
4. AccessSW(config-if)# no shut
5. AccessSW(config-if)# exit

2. Configure STP (the priority is set to the maximum value so AccessSW can never become root; IOS only accepts multiples of 4096, so 61440 is the highest valid priority):
1. AccessSW(config)# spanning-tree mode rapid-pvst
2. AccessSW(config)# spanning-tree vlan 1,50-52 priority 61440

3. Configure VTP mode:
1. AccessSW(config)# vtp mode transparent

4. Configure the access ports:AccessSW(config)# interface range fastEthernet 0/11-12AccessSW(config-if)# switchport mode accessAccessSW(config-if)# switchport access vlan 50AccessSW(config-if)# spanning-tree portfastAccessSW(config-if)# no shut

AccessSW(config)# interface range fastEthernet 0/13-14AccessSW(config-if)# switchport mode accessAccessSW(config-if)# switchport access vlan 51AccessSW(config-if)# spanning-tree portfastAccessSW(config-if)# no shut

AccessSW(config)# interface range fastEthernet 0/15-16AccessSW(config-if)# switchport mode access

Page 38: CCNP Study Guide

AccessSW(config-if)# switchport access vlan 52AccessSW(config-if)# spanning-tree portfastAccessSW(config-if)# no shutAccessSW(config-if)# exit

5. Next, configure the trunking ports for a non-proprietary EtherChannel:AccessSW(config)# interface range fastEthernet 0/1-2AccessSW(config-if)# channel-protocol lacpAccessSW(config-if)# channel-group 1 mode passiveAccessSW(config-if)# no shutAccessSW(config-if)# exit

6. Finally, create the EtherChannel and configure trunk:AccessSW(config)# interface port-channel 1AccessSW(config-if)# switchport trunk encapsulation dot1qAccessSW(config-if)# switchport mode trunkAccessSW(config-if)# switchport trunk allowed vlan 1,99,50-52AccessSW(config-if)# switchport trunk native vlan 99AccessSW(config-if)# no shutAccessSW(config-if)# exit
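Whether DistSW stays root is decided per VLAN by bridge ID comparison, and the priority command above only accepts certain values. The Python model below is an added example, not taken from the study guide: it validates the priority value the way IOS does, builds Rapid-PVST+ bridge IDs for both switches, and runs the root election for the scenario's active VLANs. The MAC addresses are constructed, and DistSW's priority is assumed to be the IOS default of 32768 since the guide says DistSW needs no changes.

```python
# Constructed bridge MAC addresses; the scenario gives no hardware addresses.
# AccessSW deliberately gets the LOWER MAC so that a priority tie would make
# it root, which is exactly what the priority setting has to prevent.
DISTSW_MAC = "0011.2233.0001"
ACCESSSW_MAC = "0011.2233.0000"

# Assumed: DistSW runs the IOS default priority (the guide says it needs no changes).
DISTSW_PRIORITY = 32768
ACTIVE_VLANS = [1, 50, 51, 52]


def valid_stp_priority(priority):
    """IOS accepts bridge priorities 0..61440 in steps of 4096 only."""
    return 0 <= priority <= 61440 and priority % 4096 == 0


def bridge_id(priority, vlan, mac):
    """Rapid-PVST+ bridge ID as one 64-bit integer (lowest value wins).

    Upper 16 bits: the 4-bit priority plus the 12-bit system ID extension,
    which carries the VLAN number. Lower 48 bits: the bridge MAC address.
    """
    if not valid_stp_priority(priority):
        raise ValueError(f"{priority} is not a valid bridge priority (0-61440, step 4096)")
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN {vlan} out of range")
    return ((priority + vlan) << 48) | int(mac.replace(".", ""), 16)


def elect_root(bridges, vlan):
    """bridges: {name: (priority, mac)}. Returns the name of the root bridge."""
    return min(bridges, key=lambda name: bridge_id(bridges[name][0], vlan, bridges[name][1]))


def root_per_vlan(bridges, vlans):
    return {vlan: elect_root(bridges, vlan) for vlan in vlans}


def scenario(accesssw_priority):
    """Root bridge for each active VLAN with AccessSW at the given priority."""
    bridges = {
        "DistSW": (DISTSW_PRIORITY, DISTSW_MAC),
        "AccessSW": (accesssw_priority, ACCESSSW_MAC),
    }
    return root_per_vlan(bridges, ACTIVE_VLANS)


if __name__ == "__main__":
    print("AccessSW left at default:", scenario(32768))  # tie -> lower MAC wins
    print("AccessSW priority 61440 :", scenario(61440))  # DistSW wins every VLAN
    try:
        scenario(65535)
    except ValueError as err:
        print("priority 65535          :", err)
```

Leaving AccessSW at the default would hand the root role to whichever switch happens to have the lower MAC address, which is why the requirement calls for an explicit priority on the replacement switch rather than relying on DistSW's existing configuration.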

MLS Simulation Example:

PROBLEM

VLANs 2, 3, and 4 were recently added to the multilayer switch shown in the diagram to the right and have not been configured. Users in all three VLANs need to be able to connect to the server, which resides behind the router. You have been tasked with configuring layer 3 connectivity on the multilayer switch so that PCs in all three VLANs can successfully ping the server.

Additional requirements:
• All routed ports and SVIs must use the lowest available IP address within their subnet.
• Use EIGRP for dynamic routing; no static routes or other routing protocols can be used.
• EIGRP AS 700 needs to be configured.
• The access ports are already configured, so do not make any changes to their configurations.

SOLUTION

1. Configure the switch's routed interface:
   1. Switch# configure terminal
   2. Switch(config)# int gi 0/1
   3. Switch(config-if)# no switchport
   4. Switch(config-if)# ip address 10.10.10.1 255.255.255.0
   5. Switch(config-if)# no shutdown
   6. Switch(config-if)# exit

2. Configure the VLAN SVIs:
   1. Switch(config)# int vlan 2
   2. Switch(config-if)# ip address 192.168.1.1 255.255.255.224
   3. Switch(config-if)# no shutdown
   4. Switch(config-if)# int vlan 3
   5. Switch(config-if)# ip address 192.168.1.33 255.255.255.224
   6. Switch(config-if)# no shutdown
   7. Switch(config-if)# int vlan 4
   8. Switch(config-if)# ip address 192.168.2.1 255.255.255.0
   9. Switch(config-if)# no shutdown
   10. Switch(config-if)# exit

3. Enable and configure routing:
   1. Switch(config)# ip routing
   2. Switch(config)# router eigrp 700
   3. Switch(config-router)# network 10.10.10.0 0.0.0.255
   4. Switch(config-router)# network 192.168.1.0 0.0.0.31
   5. Switch(config-router)# network 192.168.1.32 0.0.0.31
   6. Switch(config-router)# network 192.168.2.0 0.0.0.255
   7. Switch(config-router)# exit
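The "lowest available IP address" requirement and the EIGRP network statements above follow mechanically from each interface's subnet. The Python helper below is an added example, not part of the study guide: it takes the four interface addresses from the solution, computes the first usable host and the wildcard mask for each subnet, generates the matching network statements, and flags an interface that is not the lowest host in its subnet or that overlaps another interface's subnet. The interface names are written in IOS long form; the addresses are the page's own.

```python
from ipaddress import ip_interface, ip_network

# Interface addressing taken from the MLS solution above.
INTERFACES = {
    "GigabitEthernet0/1": "10.10.10.1/24",
    "Vlan2": "192.168.1.1/27",
    "Vlan3": "192.168.1.33/27",
    "Vlan4": "192.168.2.1/24",
}


def lowest_host(network):
    """First usable address of a subnet: the network address plus one."""
    return str(ip_network(str(network)).network_address + 1)


def wildcard(network):
    """Wildcard mask used by EIGRP network statements: the inverted subnet mask."""
    return str(ip_network(str(network)).hostmask)


def eigrp_network_statement(network):
    """One 'network <address> <wildcard>' line for the given subnet."""
    net = ip_network(str(network))
    return f"network {net.network_address} {net.hostmask}"


def check_addressing(interfaces):
    """Return requirement violations: an interface that is not the lowest host
    of its subnet, or two interfaces whose subnets overlap. Empty list = OK."""
    problems, seen = [], {}
    for name, cidr in interfaces.items():
        iface = ip_interface(cidr)
        if str(iface.ip) != lowest_host(iface.network):
            problems.append(f"{name}: {iface.ip} is not the lowest host in {iface.network}")
        for other, net in seen.items():
            if iface.network.overlaps(net):
                problems.append(f"{name}: {iface.network} overlaps {other} ({net})")
        seen[name] = iface.network
    return problems


def eigrp_config(interfaces, asn):
    """Derive the routing configuration lines for the given interfaces."""
    lines = ["ip routing", f"router eigrp {asn}"]
    lines += [" " + eigrp_network_statement(ip_interface(cidr).network)
              for cidr in interfaces.values()]
    return lines


if __name__ == "__main__":
    print("problems:", check_addressing(INTERFACES) or "none")
    print("\n".join(eigrp_config(INTERFACES, 700)))
```

Running `check_addressing` against a deliberately wrong address, for example `192.168.1.2/27` on Vlan2, reports that the address is not the lowest host, which is the kind of requirement check that is easy to miss when reading a solution by eye.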

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 5123-5133). Kindle Edition.

CCNP Cisco Certified Network Professional Switch Study Guide Exam 300-115, 3rd edition. CCNPGuide.com