
CHRIS BRYANT’S

CCNP
SWITCH 300-115 STUDY GUIDE

CHRIS BRYANT

Chris Bryant, CCIE #12933
“The Computer Certification Bulldog”
Copyright © 2015 The Bryant Advantage, Inc.
All rights reserved.
Disclaimers and Legal Notices:
Copyright © The Bryant Advantage, 2015.
All rights reserved. This book or any portion thereof may not be reproduced or used in any manner whatsoever
without the express written permission of the publisher, except for the use of brief quotations in a book review.
No part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including
but not limited to photocopy, photograph, magnetic, or other record, without the prior agreement and written
permission of the publisher.
The Bryant Advantage, Inc., has attempted throughout this book to distinguish proprietary trademarks from
descriptive terms by following the capitalization style used by the manufacturer. Copyrights and trademarks of all
products and services listed or described herein are property of their respective owners and companies. All rules
and laws pertaining to said copyrights and trademarks are inferred.
This study guide is intended to prepare candidates for Cisco’s CCNP SWITCH 300-115 certification exam. The
book has been made as accurate and complete as possible. No warranty or fitness is inferred or implied. Neither the
author nor The Bryant Advantage, Inc. has liability or responsibility to any entity or individual regarding loss or
damage arising from the use of this book. Passing the CCNP SWITCH exam is not guaranteed in any fashion.
The terms CCIE, CCNP, CCNA, Cisco IOS, Cisco Systems, IOS, and StackWise are all registered trademarks of Cisco
Systems, Inc. As always, no challenge to any trademark or copyright is intended in any of my books or video-based
courses.
ISBN-10: 1517351227
ISBN-13: 9781517351229

Table of Contents

Chapter 1 Switching Fundamentals ..... 1
Chapter 2 The When, Where, and How Of VLANs ..... 22
Chapter 3 Trunking ..... 40
Chapter 4 The VLAN Trunking Protocol (VTP) ..... 63
Chapter 5 The Fundamentals Of STP ..... 83
Chapter 6 STP -- Advanced Features and Versions ..... 123
Chapter 7 Etherchannels ..... 157
Chapter 8 Multilayer Switching And High Availability Protocols ..... 172
Chapter 9 Securing The Switches ..... 238
Chapter 10 Monitoring The Switches ..... 319
Chapter 11 Network Design And Models ..... 361

A Very Brief Introduction
Before We Get Started…
Thank you for making The Bryant Advantage part of your CCNP success story! I know you
have a lot of training options out there, from books to videos and everything in between,
and all of us here at TBA are very appreciative of your purchase.
During your studies, check out my YouTube channel! I’m starting an all-new CCNP SWITCH
300-115 Playlist in October 2015. With over 300 free videos there already, I know there’s
something there you’ll enjoy.
https://www.youtube.com/user/ccie12933
You’ll find additional free resources via these links:
Facebook: goo.gl/u72n1M
Google+: https://plus.google.com/+ccie12933
GNS3 (Free CCNP SWITCH Course!): goo.gl/yk2loM
Thanks again for your purchase, and now, let’s get started!
Chris Bryant
“The Computer Certification Bulldog”

Chapter 1: SWITCHING FUNDAMENTALS

Your mastery of switching fundamentals can make the difference on exam day, so let’s give this material a good going-over before heading on to new material!

Before proceeding, let’s have a moment of silence for two old friends. We won’t spend any time discussing floppy disks, but the item on the left is a hub, the predecessor to today’s switches. (You’ll sometimes see a double-headed arrow on top of the icon representing a hub.)

Back in the day, our hosts had to share transmission media via a hub.

With one big collision domain, one host’s data will be almost continually colliding with another host’s data, and all data involved is unusable. The hub might as well be a bomb at that point, because the data involved in the collision is going to “explode” when that collision occurs, rendering the collided signals useless. Having just one collision domain may sound good, but it’s not.

We must have rules on when a host may transmit data. The set of rules for transmitting over Ethernet via shared media is Carrier Sense Multiple Access with Collision Detection, thankfully referred to as CSMA/CD. Here’s the overall process…

A host with data to send must first listen to the wire, meaning it checks the shared media to see if another host is currently sending data. If the media is in use, the host backs off for a few milliseconds before listening to the wire again. If the media is not in use, the host sends the data.

If two hosts happen to send data at the exact same time, the voltage on the wire will change, indicating a data collision. When the sending hosts detect that voltage change, they’ll send a jam signal indicating to the other hosts that they should not send data right now. The sending hosts will then invoke a backoff timer, set to a random number of milliseconds. When each host’s backoff timer expires, they will each begin the CSMA/CD process from the very beginning by listening to the wire. Since that backoff timer is set to a random value, it’s unlikely that the data collision will reoccur. The hosts then have to retransmit the data, and there’s no guarantee that another collision won’t occur when that retransmission occurs!

At the time, we were darn glad to have CSMA/CD, and those built-in delays were a small price to pay for sharing media. You know what wasn’t around though? Voice and video conferencing. VoIP phones. YouTube. Vimeo. Cat videos. Dog videos. Donkey videos. In short, all kinds of ultra-delay-sensitive voice and video traffic is present in today’s network that we were only dreaming about back in the days of the hub. Having one big collision domain just would not do today.

Today’s networks typically have each host connected to their own individual port on a switch. One reason we love switches is the creation of smaller collision domains. When hosts are connected to individual switch ports, a separate collision domain is created for each host. Collisions literally cannot occur! Some Cisco documentation refers to this “one host, one collision domain” setup as microsegmentation. It’s not a term you hear often, but it’s certainly a good one to know when you’re reading Cisco docs.

Thanks to our switch, we also get a lot more bandwidth! With the right switch config and network cards, hosts no longer have to share bandwidth with other hosts, and by doing so, each host can theoretically run at 200 Mbps (100 sending and 100 receiving), assuming FastEthernet ports.

That takes care of the collision domain issue, but we still have one large broadcast domain. By default, a broadcast or multicast sent by any host connected to that switch will be received by every other host on that switch. That’s a lot of unnecessary broadcasts flying around our network, which in turn means unnecessary work for the switch and for the hosts. We’ll start breaking up those broadcast domains in the Virtual LAN (VLAN) section of the course.
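The CSMA/CD process described above, as an added simulation that is not part of the study guide: hosts on a shared medium listen before sending, two hosts that start in the same instant collide, jam, back off for a random number of ticks and retry until each frame goes out alone. Host names, the frame length in ticks and the random seed are constructed values.

```python
"""Discrete-time CSMA/CD simulation on a shared medium (added example, not
code from the study guide).

Each tick a host with a frame to send listens to the wire; if it is idle
and the host is not backing off, it transmits. Two hosts starting in the
same tick collide, jam, and each draws a random backoff before listening
again. Hosts, frame length and the random seed are constructed values.
"""
import random

FRAME_TICKS = 4   # constructed: ticks one frame occupies the wire


class Host:
    def __init__(self, name):
        self.name = name
        self.pending = True   # one frame waiting to be sent
        self.backoff = 0      # ticks left before listening to the wire again
        self.attempts = 0     # collisions seen by this frame so far
        self.tx_left = 0      # ticks left in the transmission in progress


def run_csma_cd(hosts, seed=1, max_ticks=10000):
    """Run until every host has sent its frame; return [(tick, event), ...]."""
    rng = random.Random(seed)
    events = []
    tick = 0
    while any(h.pending for h in hosts) and tick < max_ticks:
        wire_busy = any(h.tx_left > 0 for h in hosts)
        # Carrier sense: only hosts that hear an idle wire may start.
        starters = [h for h in hosts
                    if h.pending and h.tx_left == 0 and h.backoff == 0 and not wire_busy]
        if len(starters) > 1:
            # Collision detected: jam, then a random backoff; the range doubles
            # with each collision so repeat collisions become unlikely.
            events.append((tick, "collision:" + ",".join(h.name for h in starters)))
            for h in starters:
                h.attempts += 1
                h.backoff = rng.randrange(0, 2 ** min(h.attempts, 10)) + 1
        elif len(starters) == 1:
            starters[0].tx_left = FRAME_TICKS
            events.append((tick, "start:" + starters[0].name))
        for h in hosts:
            if h.tx_left > 0:
                h.tx_left -= 1
                if h.tx_left == 0:
                    h.pending = False
                    events.append((tick, "done:" + h.name))
            elif h.backoff > 0:
                h.backoff -= 1
        tick += 1
    return events


def frames_overlap(events):
    """True if any frame started while another was still on the wire."""
    starts = sorted(t for t, e in events if e.startswith("start:"))
    return any(b - a < FRAME_TICKS for a, b in zip(starts, starts[1:]))


if __name__ == "__main__":
    for tick, event in run_csma_cd([Host("A"), Host("B"), Host("C")]):
        print(tick, event)
```

The first event is always a collision when every host has data at tick 0, which is exactly the situation a hub creates; the event list then shows the backoff spreading the retransmissions out so that no two frames ever overlap on the wire.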

Let’s take a look at how a switch builds that all-important MAC address table. Our routing table is helped along by dynamic routing protocols like EIGRP and OSPF. There is no equivalent to those protocols at Layer 2, so the switches have to build their MAC address tables in another fashion (or fashions).

We could build a MAC address table with all static entries, but that approach has a serious drawback. Every time you add a host to a switch, you’d have to make a static MAC entry for that host. If a port goes down and you switch the host connected to the bad port to a good port, you won’t have full connectivity until you add a new static entry for that host’s MAC address. In the heat of battle, it’s easy to forget to remove the old entry, which leads to even more unnecessary troubleshooting when the bad port is fixed and another host is eventually connected to it.

The more information you add statically, the greater the chance of a mistyped entry, which in turn leads to unnecessary troubleshooting. It’s much more efficient to let the hardware carry out dynamic operations rather than forcing the network admins, you and me, to handle everything statically. When I have a choice between letting the hardware do the work and me doing the work, I’ll let the hardware do it every time. That doesn’t mean I’m lazy, it means I’m smart.

“Decisions, Decisions”

When a frame enters a switch, that switch will forward it, filter it, or flood it. We’ll see each of those frame forwarding options in action, and we’ll also look at each process right after this pop quiz!

We’ll take a look at this process using an odd topology to illustrate one forwarding option in particular. We’ll start with four hosts and one switch. Hosts A and B are connected to a hub, which in turn is connected to a switch. We’ll assume the switch has just been added to the network.

When a switch receives a frame, what common value does the switch look at first?

It makes perfect sense that the switch would look at the frame’s destination address first. After all, the only way for the switch to get the frame where it needs to go is to look at its intended destination, right? Wrong! The switch will actually look at the source MAC address before any other value.

The logical question to that answer would be: “Why does the switch even care where the frame came from?” The answer: “Because source addresses of incoming frames are how the switch builds and maintains its MAC address table.” That’s not the only reason for this behavior, but it’s the major reason, which brings up another important point.

When you first boot a switch, the MAC address table isn’t empty. There will be some entries for the CPU, and they’ll look something like this:

MLS_1#show mac address-table
Mac Address Table
Vlan Mac Address Type Ports
All 0100.0ccc.cccc STATIC CPU
All 0100.0ccc.cccd STATIC CPU

The only way the switch can learn where the hosts are is for you and me to add a bunch of static entries (clumsy, not scalable) or let the switch learn their addresses dynamically. We’ll start our walkthrough with Host A sending a frame to Host C. The frame enters the switch on fast0/1. We know what happens when the switch receives that frame, but will there be an entry for the source MAC of that frame?

The switch looks at the source MAC address of the frame and asks itself one simple question: “Do I have an entry for this address in my MAC address table?” There’s no grey area here – the answer is either yes or no! Since we just turned the switch on, there’s no entry for Host A’s address in the MAC table, so the switch makes one.

MLS_1#show mac address-table dynamic
Mac Address Table
Vlan Mac Address Type Ports
1 aaaa.aaaa.aaaa DYNAMIC Fa0/1

At long last, we get to the frame forwarding decision! Will this frame be forwarded, filtered, or flooded? That depends on the answer to the next question the switch asks itself: “Do I have an entry for this destination address in my MAC address table?” The answer is no. This is an unknown unicast frame, since the frame is a unicast (destined for one particular host) but there is no entry for this address in the MAC table, so the switch floods the frame, sending a copy of the frame out of every single port on the switch except the port the frame rode in on.

This flooding ensures the frame will go out the port leading to the correct host, and it also guarantees the other hosts will get the frame, which is a huge waste of bandwidth, host resources, and switch resources. If this is a 64-port switch and there’s a host on every port, the switch has to send 63 copies of the frame – 62 of which are totally unnecessary!

There’s nothing wrong with a little frame flooding as you add a host or switch to a network – it really can’t be avoided – but after the initial add, we’d rather not have much flooding.

Host C will now respond to Host A with a frame of its own.

MLS_1#show mac address-table dynamic
Mac Address Table
Vlan Mac Address Type Ports
1 aaaa.aaaa.aaaa DYNAMIC Fa0/1

No entry for cccc.cccc.cccc, so the switch will create one. Our dynamic entries in that table are as follows:

MLS_1#show mac address-table dynamic
Mac Address Table
Vlan Mac Address Type Ports
1 aaaa.aaaa.aaaa DYNAMIC Fa0/1
1 cccc.cccc.cccc DYNAMIC Fa0/2

The switch checks for the frame’s destination address of aaaa.aaaa.aaaa in that table, and since there is one, the switch will forward the frame via Fa0/1. The dynamic entries in the table will now start to work in our favor. If Host A responds to Host C, the switch will have an entry for Host C’s MAC address where it didn’t have one earlier. Frames flowing from Host A to Host C will now be forwarded out Fa0/2 rather than being flooded.

Let’s jump ahead to a scenario where the topology is the same and the switch has a dynamic MAC entry for each host.

MLS_1#show mac address-table dynamic
Mac Address Table
Vlan Mac Address Type Ports
1 aaaa.aaaa.aaaa DYNAMIC Fa0/1
1 bbbb.bbbb.bbbb DYNAMIC Fa0/1
1 cccc.cccc.cccc DYNAMIC Fa0/2
1 dddd.dddd.dddd DYNAMIC Fa0/3

We have an unusual setup where Hosts A and B are connected to a hub that is in turn connected to a switch. Please note that this is not a topology you’re going to see in many production networks (if at all). I’m strictly presenting it to you to illustrate the switch’s third option for frame forwarding.

When Host A sends a frame to Host B, B will get a copy of it through the hub, as will the switch. This messes with the switch’s mind for just a moment. The switch checks for the source addresses in its MAC address table, and sees that they’re both found off the same port! From the switch’s point of view, both of those hosts are found off port Fa0/1, and the switch then filters the frame. “Filter” is a fancy big-city way of saying “the frame is dropped”.

Let’s review those decisions and add a little broadcast / multicast discussion.

Forwarding happens when the switch has an entry for the frame’s destination MAC. Forwarded frames are sent out only via the port indicated by the MAC address table.

Flooding occurs when the switch has no entry for the frame’s destination MAC. When a frame is flooded, a copy of it is sent out of every port on the switch except the one it came in on. Unknown unicast frames are always flooded.

Filtering happens when the source and destination MAC addresses are found off the same port. Technically, filtering also occurs when a frame is not sent out of a port because the destination is a known unicast, as opposed to the case where unknown unicast frames are sent to all hosts as a side effect of the frame flooding.

Frames with a destination MAC of all Fs (ffff.ffff.ffff) are called broadcast frames. Broadcast frames are actually intended for all hosts, and are treated in the same manner as unknown unicast frames. Multicast frames have a destination MAC in the range 0100.5e00.0000 – 0100.5e7f.ffff and are treated in the same fashion as broadcast frames.

More About That MAC Address Table

When I was waxing poetic about dynamically learned MAC addresses, I’m sure you wondered how long those addresses stay in the table. The default aging time for dynamically learned MAC addresses is 300 seconds, and that timer is reset when a frame comes in with that particular source MAC address. In short, as long as the switch hears from a host within any five-minute period, that host’s MAC address stays in the table.

Time-related commands use different combinations of seconds, milliseconds, minutes, hours, and days. Data-based commands use megabits, kilobits, gigabits – you get the idea. With time-based IOS commands, be sure to use IOS Help to check the unit of time that particular command uses. For example, if I asked you to set the MAC address aging time to 10 minutes, and you already knew that the command to change that value is mac address-table aging-time, you might be tempted to enter the following:

MLS_1(config)#mac address-table aging-time 10

Not only is that wrong, it’s really wrong. IOS Help reveals that the time unit for this command is seconds…

MLS_1(config)#mac address-table aging-time ?
<0-0> Enter 0 to disable aging
<10-1000000> Aging time in seconds

… so our dynamic entries are now aging out in just 10 seconds. Let’s fix that:

MLS_1(config)#mac address-table aging-time 600

Verify with show mac address-table aging-time.

MLS_1#show mac address-table aging-time
Global Aging Time: 600

I strongly urge you to use IOS Help to check any numeric value. Use IOS Help, my friends – that’s why it’s there! I shall now hop down from Ye Olde Soapbox and we’ll march forward!

Another factor in favor of dynamic MAC address table entries is the switch’s ability to dynamically adapt to a change in physical ports. To demo this, I’ll need to know the port ROUTER_3 is connected to. Do you know a command that will give us information about directly connected Cisco devices?

MLS_1#show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID Local Intrfce Holdtme Capability Platform Port ID
ROUTER_1 Fas 0/1 177 R S I 2801 Fas 0/0
ROUTER_3 Fas 0/3 136 R S I 2801 Fas 0/0

Right! More about CDP later in the course. Right now, let’s use show mac address-table dynamic interface to get info about only that particular port. (When you have 48 or so dynamically learned addresses, you’ll want to use this filter.)
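To tie the forwarding walkthrough, the broadcast/multicast review and the aging-time discussion together, here is an added Python model of the decision process (example code, not from the study guide or from Cisco): source learning comes first, then the switch forwards, filters or floods on the destination, and dynamic entries age out after the aging time. The table is keyed per VLAN, as the Vlan column of the show output suggests, so flooding stays inside the ingress VLAN. Port names, VLAN numbers and the host MACs are constructed; the 001f.ca96.2754 address in the port-move check is the one from the show output above.

```python
"""Layer 2 forwarding-decision simulator (added example, not code from the study guide).

Models the behaviour the chapter walks through: the switch learns the source
MAC of every incoming frame first, then forwards, filters or floods based on
the destination; broadcasts and IPv4 multicast MACs are flooded; dynamic
entries age out after the aging time (300 seconds by default, the value the
text quotes). The table is keyed per VLAN so flooding stays in the ingress
VLAN. Port names, VLAN numbers and MAC addresses are constructed samples.
"""

BROADCAST = "ffff.ffff.ffff"


def is_multicast(mac):
    """True for IPv4 multicast MACs, 0100.5e00.0000 through 0100.5e7f.ffff."""
    value = int(mac.replace(".", ""), 16)
    return 0x01005E000000 <= value <= 0x01005E7FFFFF


class Switch:
    def __init__(self, port_vlans, aging_time=300):
        self.port_vlans = dict(port_vlans)   # port -> access VLAN
        self.aging_time = aging_time         # seconds, like "mac address-table aging-time"
        self.table = {}                      # (vlan, mac) -> [port, last_seen]

    def _age(self, now):
        """Drop dynamic entries whose source has not been heard within aging_time."""
        expired = [key for key, (_, seen) in self.table.items()
                   if now - seen >= self.aging_time]
        for key in expired:
            del self.table[key]

    def receive(self, in_port, src, dst, now):
        """Process one frame; return (decision, list of egress ports)."""
        self._age(now)
        vlan = self.port_vlans[in_port]
        # Source learning comes first. A station that moves ports is simply
        # re-learned on the new port; no aging is needed for the move.
        self.table[(vlan, src)] = [in_port, now]
        flood_ports = [p for p, v in self.port_vlans.items()
                       if v == vlan and p != in_port]
        if dst == BROADCAST or is_multicast(dst):
            return "flood", flood_ports
        entry = self.table.get((vlan, dst))
        if entry is None:
            return "flood", flood_ports      # unknown unicast
        if entry[0] == in_port:
            return "filter", []              # src and dst sit behind the same port (hub)
        return "forward", [entry[0]]         # known unicast: one port only

    def dynamic_entries(self):
        """(vlan, mac) -> port, roughly what show mac address-table dynamic lists."""
        return {key: port for key, (port, _) in self.table.items()}


def walkthrough():
    """Replay the chapter's scenario: A and B share a hub on Fa0/1, C on Fa0/2, D on Fa0/3."""
    sw = Switch({"Fa0/1": 1, "Fa0/2": 1, "Fa0/3": 1, "Fa0/4": 13})
    a, b, c, d = "aaaa.aaaa.aaaa", "bbbb.bbbb.bbbb", "cccc.cccc.cccc", "dddd.dddd.dddd"
    log = [
        sw.receive("Fa0/1", a, c, now=0),       # C unknown: flood to the other VLAN 1 ports
        sw.receive("Fa0/2", c, a, now=1),       # A known on Fa0/1: forward
        sw.receive("Fa0/1", b, a, now=2),       # A and B both on Fa0/1: filter
        sw.receive("Fa0/3", d, BROADCAST, now=3),         # broadcast: flood VLAN 1
        sw.receive("Fa0/3", d, "0100.5e00.0001", now=4),  # multicast: treated like broadcast
        sw.receive("Fa0/2", c, a, now=400),     # 300 s passed, A aged out: flood again
    ]
    return sw, log


def port_move():
    """A station re-cabled from Fa0/3 to Fa0/13 is re-learned on the new port immediately."""
    sw = Switch({"Fa0/3": 13, "Fa0/13": 13})
    sw.receive("Fa0/3", "001f.ca96.2754", BROADCAST, now=0)
    sw.receive("Fa0/13", "001f.ca96.2754", BROADCAST, now=1)
    return sw.dynamic_entries()


if __name__ == "__main__":
    switch, decisions = walkthrough()
    for decision in decisions:
        print(decision)
    print(switch.dynamic_entries())
    print(port_move())
```

The last frame in the walkthrough is the aging-time point in code: nothing has been heard from Host A for more than 300 seconds, so its entry is gone and the very same unicast that was forwarded earlier is flooded again. Passing a different aging_time to Switch reproduces the 10-versus-600 mix-up from the IOS Help discussion.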

MLS_1#show mac address-table int fast 0/3
Mac Address Table
Vlan Mac Address Type Ports
13 001f.ca96.2754 DYNAMIC Fa0/3
Total Mac Addresses for this criterion: 1

Success! ROUTER_3’s MAC address is correctly listed in the table. So far, so good! But now… port Fa0/3 goes BAD. With dynamically learned addresses, all we need to do is move that cable to a port that’s working. I’ll move it to Fast0/11 and check the full dynamic address table.

MLS_1#show mac address-table dynamic
Mac Address Table
Vlan Mac Address Type Ports
1 001f.ca96.2754 DYNAMIC Fa0/13
13 0017.59e2.474a DYNAMIC Fa0/1
Total Mac Addresses for this criterion: 2

No aging was necessary – once the switch saw frames from ROUTER_3 come in on a new port, the entry for that address on Fa0/3 was removed. There is one thing you have to do manually in this situation, and that’s changing the VLAN membership of that port. Earlier show commands told us that the previous port belonged to VLAN 13, and our Cisco switch ports belong to VLAN 1 by default. You likely remember how to change a port’s VLAN membership. If not, here’s a reminder.

MLS_1(config)#int fast 0/13
MLS_1(config-if)#switchport access vlan 13

MLS_1#show vlan brief
VLAN Name Status Ports
1 default active (All ports except those in #13)
13 VLAN0013 active Fa0/1, Fa0/3, Fa0/13

We’ve been working with the MAC address table for a while now, so it’s a good time to tell you the other name for this table. The MAC address table is also known as the Content Addressable Memory (CAM) table, and for Layer 2 switching, having “just” the CAM table is enough to get the job done. Multilayer switches have other challenges and tasks besides switching – routing, advanced security, and Quality of Service (QoS) to name just a few! For these tasks, we’ll need the help of a Ternary Content Addressable Memory (TCAM) table. While CAM table lookups use two values (no surprise, they’re 0 and 1), TCAM tables have three values – 0, 1, and “x” for “don’t care”. It’s common for multilayer switches to have multiple TCAM tables to go along with the multiple functions an MLS must handle. You’ll find more info on the TCAM in the Multilayer Switching portion of the course.

Switch Roles And The SDM

The great thing about multilayer switches is their ability to fit almost any role in your network. You may have an MLS that spends most of its time routing, while others act pretty much as L2 switches. The default allocation of switch resources may not fit the role of the switch; by default, the resources are split up pretty much evenly between routing, switching, and security.

Wouldn’t it be great if we could allocate more system resources to routing if the MLS is primarily going to route? How about making a larger MAC address table possible for an MLS that’s primarily going to switch? Thanks to SDM, we can do just that on many Cisco switches. Some switches have default resource allocations that can’t be changed, but when they can be changed, SDM does that for us with ease! (This is not the Security Device Manager that you may have used and studied previously; this SDM is the Switching Database Manager.)

SDM uses templates to allocate system resources, and if you cringe when you hear the word “template”, you may un-cringe – these templates are already created! Let’s see the SDM templates available on my switch:

MLS_1(config)#sdm prefer ?
access Access bias
default Default bias
dual-ipv4-and-ipv6 Support both IPv4 and IPv6
routing Unicast bias
vlan VLAN bias

When IOS Help says “bias”, it means business! Here’s a quick look at each template and its capabilities:

Access – If your MLS is running a whoooole lot of ACLs, this template can come in handy, as it will allocate resources to handle the maximum number of ACLs.

Default – That’s the default template, and it treats all functions more or less equally.

Dual-ipv4-and-ipv6 – Great for an MLS running dual stack (both IPv4 and v6 at the same time). This template doesn’t support everything IPv6-wise, including IPv6 multicast, so do your homework before applying this template.

Routing – Enhances the environment for IPv4 unicast routing.

VLAN – Supports the CAM table’s growth to contain the maximum number of unicast MAC addresses. Very important: This template disables hardware routing. There’s no workaround for this one.

To see the currently loaded template and its allocation settings, run show sdm prefer.

MLS_1#show sdm prefer
The current template is “desktop default” template.
The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 6K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 8K
number of directly-connected IPv4 hosts: 6K
number of indirect IPv4 routes: 2K
number of IPv4 policy based routing aces: 0
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 1K

Let’s load the VLAN template and see what happens. Well, the first thing that’s going to happen is you and me being told we have to reload the switch for the template switch to take effect.

MLS_1(config)#sdm prefer vlan
Changes to the running SDM preferences have been stored, but cannot take effect until the next reload.
Use ‘show sdm prefer’ to see what SDM preference is currently active.

We really do have to reload the switch! I’ll do so now and run show sdm prefer after the reload.

MLS_1#show sdm prefer
The current template is “desktop vlan” template.
The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.

number of unicast mac addresses: 12K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 0
number of IPv4 policy based routing aces: 0
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 1K

Quite a difference! We now have twice the space for unicast mac addresses, but look at that tradeoff! There’s no room for IPv4 unicast routes or PBR. Something to keep in mind when using the SDM vlan template!

Let’s load the routing template and check the results.

MLS_1(config)#sdm prefer routing
Changes to the running SDM preferences have been stored, but cannot take effect until the next reload.
Use ‘show sdm prefer’ to see what SDM preference is currently active.

After the reload:

MLS_1#show sdm prefer
The current template is “desktop routing” template.
The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 3K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 11K
number of directly-connected IPv4 hosts: 3K
number of indirect IPv4 routes: 8K
number of IPv4 policy based routing aces: 0.5K
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 1K

Additional resources are indeed reserved for IPv4 unicast and PBR, but we still have some room for MAC addresses. The SDM routing template doesn’t disable switching, but the SDM vlan template does disable routing. Important stuff to keep in mind!

Before we move on, just for shiggles, here’s the allocation when the access template is in use.

MLS_1#show sdm prefer
The current template is “desktop access IPv4” template.
The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1024 VLANs.
number of unicast mac addresses: 4K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 6K
number of directly-connected IPv4 hosts: 4K
number of indirect IPv4 routes: 2K
number of IPv4 policy based routing aces: 0.5K
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 2K

Just Some Reminders…

The Ethernet types and speeds we’ll see in this course:

Ethernet: 10 Mbps. The original, but not the best. Can run in half- or full-duplex mode.

FastEthernet: 100 Mbps. Most Cisco switch ports we’ll use in this course are FE ports.

Gig Ethernet: 1 Gbps (1000 Mbps). Also expressed as GbE. Wikipedia: “Half-duplex gigabit links connected through hubs are allowed by the specification, but the specification is not updated anymore and full-duplex usage with switches is used exclusively.”

10 Gig Ethernet: 10 Gbps (10,000 Mbps). Can be run on copper cables, but requires higher-grade cables (Cat 6a or Cat7). Does not support half-duplex links.

Port Speed, Duplex, And Autonegotiation

With both interfaces enabled for autonegotiation, both devices will send fast link pulses (FLPs) to the other. The obvious question is: “Fast compared to what?” They’re fast compared to normal link pulses (NLPs): our FLPs give more pulses in the same amount of time. (Both drawings courtesy of Wikipedia; both are in the public domain.)

The FLP is basically a declaration of the capabilities of the sending device with regards to port speeds and port duplex settings, allowing a decision as to speed and duplex that is as fast and efficient as possible without exceeding device capabilities.

The fundamental autonegotiation rules:

If both ports support different speeds, the highest common speed is preferred.

If both ports support half- and full-duplex, full-duplex is (thankfully) always preferred.

In the real world, use autonegotiation on both ends of a connection and you’re gold. With that in mind, back to the demo… Here, ROUTER_3’s Fast 0/0 interface is connected to 0/7 on MLS_1. Not much to decide here, since the max capabilities are the same on both sides! As expected, both involved ports end up running at FastEthernet speed, set to full-duplex.

Now, let’s discuss some things that can go wrong with autonegotiation. What happens if MLS_1 is not running autonegotiation at all? Let’s find out while hardcoding the speed and duplex settings on MLS_1.

MLS_1(config)#int fast 0/7
MLS_1(config-if)#speed ?
10 Force 10 Mbps operation
100 Force 100 Mbps operation
auto Enable AUTO speed configuration

MLS_1(config-if)#speed 10
MLS_1(config-if)#duplex ?
auto Enable AUTO duplex configuration
full Force full duplex operation
half Force half-duplex operation
MLS_1(config-if)#duplex full

ROUTER_3(config)#int fast 0/0
ROUTER_3(config-if)#speed auto
ROUTER_3(config-if)#duplex auto

With one endpoint running autonegotiation and the other end not, we end up with parallel detection. PD brings us some good news: The device running autonegotiation can detect the speed of the remote device and adjust its speed accordingly. ROUTER_3 detects the 10 Mbps speed on the remote endpoint and sets its own speed accordingly.

ROUTER_3#show int fast 0/0
FastEthernet0/0 is up, line protocol is up
Hardware is Gt96k FE, address is 001f.ca96.2754 (bia 001f.ca96.2754)
MTU 1500 bytes, BW 10000 Kbit/sec, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Half-duplex, 10Mb/s, 100BaseTX/FX

Sadly, it’s not all good with PD. Now we have a problem, and it’s a problem that’s not always easy to spot. ROUTER_3 is running at half-duplex, as ROUTER_3 will be unable to detect the remote endpoint’s duplex setting. The router can’t assume full-duplex on that remote endpoint, so it must set its own port to the dreaded half-duplex. (That’s verified by the show interface output just above.) In short, that interface will transmit or receive, but it will not do both at the same time.

MLS_1 will go at data transmission with all guns blazing, since it’s running at full-duplex. ROUTER_3 will see data coming in at the same time it’s transmitting, and will think a data collision has occurred when in reality no such collision occurred. You end up with a real mess, and a totally unnecessary one at that.

These duplex mismatches can be tough to spot just by looking at the config. The physical interfaces and line protocols are still up on both devices:

ROUTER_3#show int fast 0/0
FastEthernet0/0 is up, line protocol is up

MLS_1#show int fast 0/7
FastEthernet0/7 is up, line protocol is up (connected)

But our old pal CDP will let you know about ‘em in a heartbeat:

*Apr 11: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/0 (not full duplex), with MLS_1 FastEthernet0/7 (full duplex).

That’s about as self-explanatory as a console message can get!

Coming up next: The wonderful world of VLANs!
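The autonegotiation rules and the parallel-detection failure mode above, as an added Python model (example code, not from the study guide or from Cisco): with autonegotiation on both ends the highest common speed wins and full duplex is preferred; with only one end negotiating, that end matches the hard-coded speed but cannot sense duplex, falls back to half, and the result is the duplex mismatch CDP reports. Port names and the capability sets are constructed sample values.

```python
"""Autonegotiation outcome resolver (added example, not code from the study guide).

Encodes the rules the text lays out: with autonegotiation on both ends the
highest common speed wins and full duplex is preferred when both sides
support it; with only one end negotiating, parallel detection lets that
end match the hard-coded speed, but duplex cannot be sensed, so it falls
back to half duplex and a duplex mismatch results. Port names and
capability sets are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    name: str
    autoneg: bool
    speeds: set = field(default_factory=lambda: {10, 100})  # Mbps the port supports
    full_duplex_capable: bool = True
    forced_speed: Optional[int] = None      # only meaningful when autoneg is False
    forced_duplex: Optional[str] = None     # "full" or "half", likewise


def negotiate(a, b):
    """Return ({port name: (speed, duplex)}, {"speed_mismatch": bool, "duplex_mismatch": bool})."""
    if a.autoneg and b.autoneg:
        common = a.speeds & b.speeds
        if not common:
            raise ValueError("no common speed: the link will not come up")
        speed = max(common)                              # highest common speed
        duplex = "full" if a.full_duplex_capable and b.full_duplex_capable else "half"
        result = {a.name: (speed, duplex), b.name: (speed, duplex)}
    elif a.autoneg != b.autoneg:
        nego, fixed = (a, b) if a.autoneg else (b, a)
        # Parallel detection: the negotiating side senses the link speed from
        # the remote pulses, but has no way to learn the remote duplex.
        if fixed.forced_speed not in nego.speeds:
            raise ValueError("hard-coded speed is not supported by the negotiating port")
        result = {fixed.name: (fixed.forced_speed, fixed.forced_duplex),
                  nego.name: (fixed.forced_speed, "half")}
    else:
        # Both hard-coded: whatever the admin typed, matching or not.
        result = {a.name: (a.forced_speed, a.forced_duplex),
                  b.name: (b.forced_speed, b.forced_duplex)}
    speeds = {s for s, _ in result.values()}
    duplexes = {d for _, d in result.values()}
    flags = {"speed_mismatch": len(speeds) > 1, "duplex_mismatch": len(duplexes) > 1}
    return result, flags


if __name__ == "__main__":
    both_auto = negotiate(Port("MLS_1 Fa0/7", True), Port("ROUTER_3 Fa0/0", True))
    one_forced = negotiate(Port("MLS_1 Fa0/7", False, forced_speed=10, forced_duplex="full"),
                           Port("ROUTER_3 Fa0/0", True))
    print(both_auto)
    print(one_forced)
```

The second call reproduces the demo: MLS_1 hard-coded to 10 Mbps full, ROUTER_3 negotiating, and the flags show a duplex mismatch with no speed mismatch, which is why the link stays up on both sides while performance collapses.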

Chapter 2: THE WHEN, WHERE, AND HOW OF VLANS

Even if you’ve just earned your CCNA, don’t breeze through this section. VLANs are the core of your switching network, and they’re going to be all over your SWITCH exam. We’re in the exam room to score points, not give them away, and part of scoring points is mastering VLAN fundamentals.

Speaking of that, let’s jump to the most fundamental of fundamentals by answering these questions: “Why don’t we just use physical LANs? Why do we need virtual ones?”

One great use for VLANs is to limit the scope of our old pal, the broadcast. By default, a switch will take an incoming broadcast and send a copy of it out of every single port except the port that received the original broadcast. It’s doubtful that every host connected to your switch actually needs the broadcast.

I pride myself on presenting as many real-world networking examples as possible in my books. Rest assured that this is not one of them. (For clarity, cabling is not shown.) Our hosts are all in the same broadcast domain, making this a flat network topology, and the switch will forward a copy of the incoming broadcast to every other host.

Broadcast propagation wouldn’t be a huge deal in a 5-host network, but we don’t run into many 5-host networks in the real world. On a switch with 24, 48, or 60+ ports, this broadcast flooding would have a negative impact on overall switch operation, and your available bandwidth would start to get sucked up by a bunch of unnecessary broadcasts.

We limit the overall number of broadcasts by limiting their scope, a fancy way of saying “let’s only send the broadcasts where they need to go rather than just sending them everywhere.” That’s where VLANs come in. When you create VLANs, you’re creating multiple, smaller broadcast domains, which in turn lowers the number of overall broadcasts. In the following example, the broadcast is forwarded only to hosts in the same VLAN as the original sender of the broadcast.

Cisco’s best practice is to have one VLAN per IP subnet, and this is a best practice that works really well in real-world networking. Cisco also recommends that a VLAN doesn’t reach beyond the distribution layer in its 3-layer switching model. (More on that in the design section of this course.)

The method used to determine a host’s VLAN membership depends on the kind of VLAN you’re using. The terms “static” and “dynamic” refer to how the host is assigned VLAN membership, not to how the VLAN is actually created, and static VLAN membership is dependent on the port the host is connected to. With dynamic VLANs, the membership depends on the host’s MAC address. In this course, we’ll concentrate on static VLANs.

Whether you’re using static or dynamic VLANs, the actual VLAN membership determination is still done by the switch. The host doesn’t care about its VLAN membership. It’s only important to the port to which the host is connected.

Let’s take our first look at show vlan.

SW1#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        -    -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

All 12 ports on this particular switch are in the default VLAN, VLAN 1. The five VLANs shown are default VLANs and cannot be deleted. You may never use VLANs 1002 – 1005 in real-world networking. They’re legacy VLANs designed for use with FDDI and Token Ring. (Never say “old” in networking, always say “legacy”.) Keep them in mind for the exam.

To be blunt, while this is an important command to know, it gives you a lot of info you really don’t need to start troubleshooting or to verify your work. I prefer show vlan brief.

SW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

This command shows you only the port memberships, which is all we need to get started. We know what that means – a broadcast that comes in on any of these ports will be forwarded out every other port on the switch.

I occasionally hear a network admin say “we don’t use VLANs,” and while that admin may not have configured VLANs, VLANs are always in use. Cisco switch ports are in VLAN 1 by default. Each VLAN is its own broadcast domain, and right now, any broadcast sent by any host will be received by all of our other hosts. (I know I’m hitting you over the head with this. The pain will stop soon.)

Let’s practice limiting the broadcast scope, using this four-host network for a lab. To meet Cisco’s best practices, we’ll use the single IP subnet 10.1.1.0 /24, and the host number will serve as the last octet in the host’s IP address.

I’ve used ping to test connectivity in the lab. The ping results will look different than they would on a PC, as I’m using Cisco routers as my hosts. I’ll show the ping results here only from H1 to save a little space. I know you’ll take my word on the others!

(Always test your basic connectivity before starting a lab. As your studies and career progress, you’ll be surprised at how often a host-to-host communications issue comes down to a port being in a different VLAN than you thought it was!)

HOST1#ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/10/32 ms

HOST1#ping 10.1.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

HOST1#ping 10.1.1.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms

Right now, all hosts are in one single broadcast domain, and every host can ping every other host. Let’s configure our switch to allow broadcasts sent by H1 to be forwarded only to H2 by putting them in their own little broadcast domain – that is, their own VLAN!

We’ll place those two hosts into the not-yet-existent VLAN 12 with switchport mode access and switchport access vlan 12. The first command puts the port into access mode, which means it can belong to one and only one VLAN. The second command defines VLAN membership.

SW1(config)#int fast 0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access ?
  vlan  Set VLAN when interface is in access mode
SW1(config-if)#switchport access vlan ?
  <1-1005>  VLAN ID of the VLAN when this port is in access mode
  dynamic   When in access mode, this interfaces VLAN is controlled by VMPS
SW1(config-if)#switchport access vlan 12
% Access VLAN does not exist. Creating vlan 12

If you try to put ports into a non-existent VLAN, the switch will do it for you. This dynamic creation of a VLAN does NOT make this a dynamic VLAN. The terms “static” and “dynamic” refer to the method used to place hosts into a VLAN, not the method of VLAN creation.

To create a VLAN manually, use the vlan command. I’ll create VLAN 20 on this switch, name it ACCOUNTING, and then we’ll leave that VLAN alone for the duration of the lab.

SW1(config)#vlan 20
SW1(config-vlan)#?
VLAN configuration commands:
  are           Maximum number of All Route Explorer hops for this VLAN (or zero if none specified)
  backupcrf     Backup CRF mode of the VLAN
  bridge        Bridging characteristics of the VLAN
  exit          Apply changes, bump revision number, and exit mode
  media         Media type of the VLAN
  mtu           VLAN Maximum Transmission Unit
  name          Ascii name of the VLAN
  no            Negate a command or set its defaults
  parent        ID number of the Parent VLAN of FDDI or Token Ring type VLANs
  private-vlan  Configure a private VLAN
  remote-span   Configure as Remote SPAN VLAN
  ring          Ring number of FDDI or Token Ring type VLANs
  said          IEEE 802.10 SAID
  shutdown      Shutdown VLAN switching
  state         Operational state of the VLAN
  ste           Maximum number of Spanning Tree Explorer hops for this VLAN (or zero if none specified)
  stp           Spanning tree characteristics of the VLAN
  tb-vlan1      ID number of the first translational VLAN for this VLAN (or zero if none)
  tb-vlan2      ID number of the second translational VLAN for this VLAN (or zero if none)

The name command is the only one of these options we need to concern ourselves with.

SW1(config-vlan)#name ACCOUNTING

If you earned your CCNA with me, you know what I’m going to say. Trust your config, but verify it!

SW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12
12   VLAN0012                         active    Fa0/1, Fa0/2
20   ACCOUNTING                       active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Bingo! VLAN 20 sits empty, and VLAN 12 contains fast 0/1 and 0/2. I’ll rename VLAN 12 “SUCCESS”, and then we’ll move on.

SW1(config)#vlan 12
SW1(config-vlan)#name SUCCESS

SW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12
12   SUCCESS                          active    Fa0/1, Fa0/2
20   ACCOUNTING                       active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

…and all is well! Or… IS it? Sometimes, in networking, a solution leads to another issue. Let’s ping the network from H1. For brevity’s sake, for the rest of this section I’ll show only the ping and ping result.

HOST1#ping 10.1.1.2
!!!!!
HOST1#ping 10.1.1.3
.....
HOST1#ping 10.1.1.4
.....

The good news is that broadcasts from H1 aren’t going to H3 or H4. Congratulations! Assuming all hosts are sending roughly the same number of broadcasts, you just cut broadcast traffic in your network by 66%. The bad news is that no traffic is going from H1 to H3 or H4, even though they’re in the same IP subnet.

Inter-VLAN traffic requires the routing layer of the OSI model to get involved. If this is a Multi-Layer Switch (MLS), we could enable IP routing on the switch and then work something out. If this is strictly a Layer 2 switch, we’ll need to get a router involved. We’ll look at using an MLS in this situation later in the course.

For now, keep in mind that inter-VLAN traffic requires Layer 3 involvement.

One of the painful things about static VLANs becomes apparent when you need to move a host from one port to another. Let’s say a problem has arisen with 0/4 on our current switch, and we need to move that host to 0/5. We’d need to manually configure 0/5 for that host, and as good network admins, we’d keep up with our network housekeeping and remove the config from 0/4. (I’ll leave 0/4 as an access port.)

SW1(config)#int fast 0/4
SW1(config-if)#no switchport access vlan 12
SW1(config-if)#int fast 0/5
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 12

You’re likely thinking “Hey Chris, what’s the big deal?” I admit that it’s not a ton of work, but the more manual configuration you do, the larger the chance of a simple misconfiguration, especially when one of your company’s VPs is yelling at you while you write the config. All you have to do is enter “21” for “12” on that 0/5 config and you have more trouble than you started with.

Wouldn’t it be great if you could just detach the cable from 0/4 and plug it into 0/5, and the VLAN membership adjusted automatically? That’s what VMPS brings to the table.

Before we hit dynamic VLANs, let me give you a real-world networking tip that’s saved my hash on more than one occasion. When you have one or two VLANs, the output of show vlan brief is easy to read. Once you get more VLANs, and ports spread out among them, it’s easy to misread.

SW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/7
                                                Fa0/11, Fa0/12
10   KANSASCITY                       active    Fa0/6
12   SUCCESS                          active    Fa0/1, Fa0/2
20   OREGON                           active    Fa0/9
35   GREENBAY                         active    Fa0/10
42   OHIOSTATE                        active    Fa0/8
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

It’s really easy for the eye to skip up a line as you read this output. If you read fast0/10 as belonging to VLAN 42, that’s just going to make your troubleshooting harder! To see the ports in one particular VLAN, use show vlan id followed by the VLAN number, as in the following:

SW1#show vlan id 35

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
35   GREENBAY                         active    Fa0/10

Dynamic VLANs

The actual configuration of dynamic VLANs is way out of the CCNP SWITCH exam scope, but you should be familiar with the basics of the VLAN Membership Policy Server (VMPS), the core of dynamic VLAN configuration. VMPS uses the source MAC address of incoming frames to determine the VLAN membership of the port receiving those frames. When the switch sees frames coming in on 0/5 with a source MAC address that was in its MAC address table as belonging to 0/4…
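A small parser for show vlan brief, added here as an example and not part of the original study guide, that does the eye’s job of following a wrapped port list back to the right VLAN row. The sample output is constructed in the layout of the table above, with VLAN 1’s ports wrapping onto a continuation line; the functions give you a port-to-VLAN lookup and the equivalent of show vlan id for a parsed table.

```python
import re

# Constructed sample, in the layout of show vlan brief. VLAN 1's port list
# wraps onto a continuation line, which is exactly where the eye skips a row.
SAMPLE_SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/7
                                                Fa0/11, Fa0/12
10   KANSASCITY                       active    Fa0/6
12   SUCCESS                          active    Fa0/1, Fa0/2
20   OREGON                           active    Fa0/9
35   GREENBAY                         active    Fa0/10
42   OHIOSTATE                        active    Fa0/8
1002 fddi-default                     act/unsup
"""

# A VLAN row: id, name, status, and an optional comma-separated port list.
ROW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def _split_ports(field):
    return [p.strip() for p in field.split(",") if p.strip()]


def parse_show_vlan_brief(text):
    """Return {vlan_id: {"name": str, "status": str, "ports": [str, ...]}}."""
    table = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("VLAN ", "----")):
            continue  # blank line or column header / separator
        if line[0].isspace():
            # Continuation line: more ports belonging to the previous row.
            if current is not None:
                table[current]["ports"].extend(_split_ports(line))
            continue
        m = ROW_RE.match(line)
        if not m:
            continue
        current = int(m.group(1))
        table[current] = {
            "name": m.group(2),
            "status": m.group(3),
            "ports": _split_ports(m.group(4) or ""),
        }
    return table


def vlan_of_port(table, port):
    """VLAN ID of an access port, or None when the port is not listed at all
    (for example because it is trunking and so belongs to every VLAN)."""
    for vlan_id, row in table.items():
        if port in row["ports"]:
            return vlan_id
    return None


def ports_in_vlan(table, vlan_id):
    """The equivalent of show vlan id <n>: only the ports in that one VLAN."""
    return list(table.get(vlan_id, {"ports": []})["ports"])


if __name__ == "__main__":
    table = parse_show_vlan_brief(SAMPLE_SHOW_VLAN_BRIEF)
    print("Fa0/10 is in VLAN", vlan_of_port(table, "Fa0/10"))
    print("Fa0/11 is in VLAN", vlan_of_port(table, "Fa0/11"))
```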

…the switch will realize what’s happened, and will then dynamically change the VLAN membership of 0/5 and update its MAC address table.

Some VMPS notes:

The VMPS Server must be configured before you can dynamically assign any VLAN membership.

Port security and dynamic VLAN memberships don’t play well together. Actually, they don’t play together at all. You have to disable port security on a port in order for that port to get a dynamic VLAN assignment.

Trunk ports can’t receive a dynamic VLAN assignment, since by definition trunk ports already belong to all VLANs.

A somewhat odd default of VMPS is that PortFast is automatically enabled for a port when it receives its VLAN membership dynamically. It can then be disabled if you like. A quick reminder: PortFast allows a port to go straight from blocking mode to forwarding mode. Using this can be a big help with host DHCP issues.

A Word Or Two On Voice VLANs

Cisco IP Phones have three ports. One will be connected to a switch, another to a PC, and the third is an internal connection to an Application-Specific Integrated Circuit (ASIC).

As far as the PC is concerned, it is attached directly to that switch. As far as the direct connection to the IP phone is concerned, the PC is unaware and it doesn’t care! (Yeah, I know, “duh”.) With Cisco IP phones, there is no special config needed on the PC.

The link between the switch and the IP phone can be configured as either an 802.1q trunk or access link. Using an access link results in voice and data traffic being carried in the same VLAN, which can lead to time-related delivery issues with the voice traffic. Using a trunk gives us the advantage of creating a voice VLAN (VVID), a VLAN dedicated to carrying voice traffic. The VVID allows the highest Quality of Service available, giving the delay-sensitive voice traffic priority over normal, non-voice data streams.

The key to keeping end users happy with voice-based traffic is to deliver it without jitter. Jitter is defined by Wikipedia as “the deviation from true periodicity of a presumed signal in electronics and telecommunications, often in relation to a reference clock source.” Chris Bryant defines jitter as “that really annoying continual interruption in a voice stream that makes you want to tear your own eardrums out.” Whichever definition you use, it’s really annoying. The human ear will only accept 140 – 150 milliseconds of delay before it notices a problem with voice delivery.

Should the voice traffic start to be delayed, your end users begin to get annoyed, and your support center phones start to ring!

We have four options for the switch-to-phone link:

Use an access link
Use a trunk and use 802.1p
Use a trunk without tagging voice traffic
Use a trunk and specify a VVID

The question “Who’s The Boss?” has stumped the great scholars and live-in housekeepers of eras past and present, but in this situation the boss is the switch, which tells the phone which of those four options will be used.

The PVID shown in the following options is the port VLAN ID, the number identifying the non-voice VLAN.

SW1(config)#int fast 0/1
SW1(config-if)#switchport voice vlan ?
  <1-4094>  Vlan for voice traffic
  dot1p     Priority tagged on PVID
  none      Don’t tell telephone about voice vlan
  untagged  Untagged on PVID

The interface is using VLAN 100 for normal data, and the native VLAN is unchanged from the default, verified by this partial output of show interface switchport.

SW1#show int fast 0/1 switchport
Access Mode VLAN: 100 (VLAN0100)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none

The <1 – 4094> option creates a voice VLAN and a dot1q trunk between the switch and IP phone. As with data VLANs, if the VVID has not been previously created, the switch will create it for you.

SW1(config-if)#switchport voice vlan 10
% Voice VLAN does not exist. Creating vlan 10

Verify with show interface switchport. The output of this command is huge, so I’ll show only the VLAN information here.

SW1#show int fast 0/1 switchport
Access Mode VLAN: 100 (VLAN0100)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: 10 (VLAN0010)

Using dot1p results in the IP phone granting voice traffic high priority, and voice traffic will be sent through VLAN 0.

SW1(config-if)#switchport voice vlan dot1p

SW1#show int fast 0/1 switchport
Access Mode VLAN: 100 (VLAN0100)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: dot1p

Using untagged results in voice packets being placed into the native VLAN.

SW1(config-if)#switchport voice vlan untagged

SW1#show int fast 0/1 switchport
Access Mode VLAN: 100 (VLAN0100)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: untagged

Finally, none sets the port back to its default, where a trunk is not used and the voice and non-voice traffic use the access VLAN.

SW1(config-if)#switchport voice vlan none

SW1#show int fast 0/1 switchport
Access Mode VLAN: 100 (VLAN0100)
Trunking Native Mode VLAN: 1 (default)

A quick Portfast note to end our VVID discussion: Portfast is automatically enabled on a port when a voice VLAN is created, verified by show config and show spanning interface portfast. Here’s that info for 0/2, which is using VLAN 100 for data and VLAN 11 for voice.

interface FastEthernet0/2
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 11
 spanning-tree portfast

SW1#show spanning int fast 0/2 portfast
VLAN0011 enabled
VLAN0100 enabled

I didn’t manually enable portfast, but there it is!

You’re unlikely to find all ports in a given VLAN to be on the same switch. With that in mind, let’s head to the next section!

Chapter 3: TRUNKING

It’s nice and neat to have all hosts in a VLAN connected to a single switch. It’s also unlikely. In the next example, we have hosts in VLANs 1 and 12 connected to separate switches. The switches are connected via two crossover cables. Trunks do not require you to use the identically numbered port on each switch (port 0/11 on each switch, for example), but in labs it’s a great organizational tool.

For frames to flow flawlessly and freely between two switches, a trunk must be established. Sometimes all it takes to create a trunk is physically connecting the switches. On occasion, it takes a little fine-tuning to get the job done. It’s a safe bet that your CCNP SWITCH exam will test you on both scenarios!

A trunk is a member of all VLANs by default, allowing traffic for any and all VLANs to cross the trunk (good idea). That includes broadcast traffic (not-so-good idea).

Theoretically, you need a crossover cable for a switch-to-switch connection, and that’s what I’m using here. Some Cisco switch models allow you to use a straight-through cable for trunking. In any case, verify with show interface trunk.

SW2#show int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/11      auto         n-802.1q       trunking      12
Fa0/12      auto         n-802.1q       trunking      12

Port        Vlans allowed on trunk
Fa0/11      1-4094
Fa0/12      1-4094

Port        Vlans allowed and active in management domain
Fa0/11      1,12
Fa0/12      1,12

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/11      none
Fa0/12      1,12

From left to right, that command shows us…

The ports attempting to trunk (if none are shown, none are trunking)
The trunking mode each port is using
The encapsulation type
The status of the trunk (either “trunking” or “not trunking”)
The “native vlan”

Know where you will not find your trunk ports? Our pal show vlan brief will not show ports that are trunking, since trunk ports are members of all VLANs. If you’re looking for a specific port’s VLAN membership and you don’t see it here, check to see if the port is trunking.

SW2#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Our trunk is up and running, so let’s make sure we can ping between hosts in the same VLAN, with a switch at each endpoint. We’ll start by pinging H2 from H1 and then H4 from H3.

HOST1#ping 10.1.1.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms

HOST3#ping 10.1.1.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms

Aaaaaand it’s good! Trunking is a beautiful thing, but as with everything good in networking, there’s a little overhead involved. The amount of overhead involved depends on whether ISL or IEEE 802.1q (“dot1q”) is used as the trunking protocol. While most Cisco switches no longer support ISL, we need to be very clear on the features and drawbacks of each for our CCNP SWITCH exam.

Both of these trunking protocols are point-to-point protocols, where the frame has a VLAN ID attached by the sending switch. In turn, that VLAN ID is read by the receiving switch, and that switch knows that the VLAN ID indicates the destination VLAN. The similarities end pretty quickly.

So much for the similarities! Now, for the differences… ISL is Cisco-proprietary; only Cisco switches understand ISL. You can’t use ISL in a multi-vendor switching environment.

The overhead here involves frame tagging. ISL will encapsulate every frame going across the trunk, placing both a header and trailer onto the frame (“double tagging”). That doesn’t sound like a big deal, but the cumulative effect of adding that overhead to every frame adds up to a lot of extra effort on the part of both the sender and the receiver, which has to remove the encapsulation.

Everything we do on a Cisco switch has a cost in terms of time and effort, and that includes encapsulation and de-encapsulation. Double tagging means double the workload on the switches! There’s even more to dislike regarding ISL. ISL adds a total overhead of 30 bytes. 26 bytes of that is in the header. The 4-byte trailer contains a Cyclic Redundancy Check (CRC) value. The CRC is a frame validity scheme that checks the frame’s integrity.

Using IEEE 802.1Q (“dot1q”) results in much less overhead on our frames. Dot1q places only a 4-byte header on each frame, so it’s often referred to as “single tagging”. Dot1q is the industry-standard trunking protocol, making it suitable for use in a multi-vendor switching environment.

An access port belongs to one and only one VLAN, so there’s no need for any VLAN ID info. No need to tag frames traversing access ports. That saves a little bit of overhead per frame, which in turn saves a great deal of overall overhead. Those little overhead savings add up!

A few more dot1q tidbits for you:

Both ISL and dot1q bring a 4-byte addition to a frame, but they’re in different locations: ISL’s 4-byte trailer is just that – a trailer. Dot1q’s 4-byte addition is in the form of a tag inserted into the frame. Dot1q embeds the tagging information into the frame itself. For this reason, you’ll sometimes hear dot1q referred to as “internal tagging”.

Dot1q adds only one tag, which includes the VLAN ID.

ISL doesn’t understand the concept of the native VLAN (the default VLAN). We’ll see why that’s so important in just a moment.

Now, about that native VLAN…

Verifying And Changing The Native VLAN

When dot1q is our trunking protocol, frames destined for the native VLAN are not tagged. Dot1q’s only addition is that 4-byte header, and if the frame is destined for the native VLAN, even that header isn’t put on the frame! When the receiving switch sees a frame with no VLAN ID, that switch assumes the native VLAN is the destination VLAN. This is an excellent reason to make sure your switches agree on the native VLAN. If there is a particular VLAN responsible for a majority of traffic, as it likely is, we might want to change the native VLAN.

(VLANs 1002 – 1005 not shown in following lab.)

SW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
12   ACCOUNTING                       active    Fa0/1, Fa0/2

SW2#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5
                                                Fa0/6, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/13, Fa0/14, Fa0/15
                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19
                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23
                                                Fa0/24, Gi0/1, Gi0/2
12   ACCOUNTING                       active    Fa0/1

Assume an analysis of traffic going over the trunk has revealed that most frames are destined for VLAN 12. It would make sense to make that our native VLAN. We’ll use switchport trunk native vlan on both switches to make that happen. I’ll use the always-handy interface range config option to change the native VLAN on both trunking ports on SW1 at one time. I’ll use IOS Help to illustrate the options (or lack of) with this command, followed by the error message you can expect to see after you change the native VLAN on one switch and before you change it on the other switch.

SW1(config)#int range fast 0/11 - 12
SW1(config-if-range)#switchport trunk ?
  allowed  Set allowed VLAN characteristics when interface is in trunking mode
  native   Set trunking native characteristics when interface is in trunking mode
  pruning  Set pruning VLAN characteristics when interface is in trunking mode
SW1(config-if-range)#switchport trunk native ?
  vlan  Set native VLAN when interface is in trunking mode
SW1(config-if-range)#switchport trunk native vlan ?
  <1-1005>  VLAN ID of the native VLAN when this port is in trunking mode
SW1(config-if-range)#switchport trunk native vlan 12 ?
  <cr>
SW1(config-if-range)#switchport trunk native vlan 12
SW1#
08:14:55: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on FastEthernet0/12 VLAN12.
08:14:55: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on FastEthernet0/11 VLAN12.
08:14:55: %SPANTREE-2-BLOCK_PVID_PEER: Blocking FastEthernet0/12 on VLAN0001. Inconsistent peer vlan.
08:14:55: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet0/12 on VLAN0012. Inconsistent local vlan.
08:14:55: %SPANTREE-2-BLOCK_PVID_PEER: Blocking FastEthernet0/11 on VLAN0001. Inconsistent peer vlan.
08:14:55: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet0/11 on VLAN0012. Inconsistent local vlan.

It can panic even the calmest network admin when six error messages come up at once, along with all the talk of blocking ports! No worries, just finish your config and all will be well. I’ll finish the config here and then hop back to SW1.

SW2(config)#int range fast 0/11 - 12
SW2(config-if-range)#switchport trunk native vlan 12

After completing that config, I received this stack of messages on SW1:

08:15:26: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet0/12 on VLAN0001. Port consistency restored.
08:15:26: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet0/11 on VLAN0001. Port consistency restored.
08:15:26: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet0/12 on VLAN0012. Port consistency restored.
08:15:26: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet0/11 on VLAN0012. Port consistency restored.
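The console messages in this lab, and the CDP duplex-mismatch message from the end of Chapter 1, are exactly what you want a log watcher to catch on a real switch. Here is an added example (not from the study guide) that parses both kinds of line from a constructed sample log, reports each mismatch with the interfaces and VLANs involved, and works out which PVID blocks have not yet been cleared by an UNBLOCK_CONSIST_PORT message, so you know whether the far side has been fixed.

```python
import re

# Constructed sample console log: one CDP duplex-mismatch line plus the
# spanning-tree native-VLAN (PVID) messages of the kind shown in this chapter.
# Only FastEthernet0/12's VLAN0001 block has been cleared so far.
SAMPLE_LOG = """\
*Apr 11: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/0 (not full duplex), with MLS_1 FastEthernet0/7 (full duplex).
08:14:55: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on FastEthernet0/12 VLAN12.
08:14:55: %SPANTREE-2-BLOCK_PVID_PEER: Blocking FastEthernet0/12 on VLAN0001. Inconsistent peer vlan.
08:14:55: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet0/12 on VLAN0012. Inconsistent local vlan.
08:15:26: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet0/12 on VLAN0001. Port consistency restored.
"""

DUPLEX_RE = re.compile(
    r"%CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on (\S+) \((.*?)\), "
    r"with (\S+) (\S+) \((.*?)\)"
)
PVID_ERR_RE = re.compile(
    r"%SPANTREE-2-RECV_PVID_ERR: .*peer vlan id (\d+) on (\S+) VLAN(\d+)"
)
BLOCK_RE = re.compile(
    r"%SPANTREE-2-BLOCK_PVID_(?:LOCAL|PEER): Blocking (\S+) on (VLAN\d+)"
)
UNBLOCK_RE = re.compile(
    r"%SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking (\S+) on (VLAN\d+)"
)


def find_mismatches(log_text):
    """One finding per duplex-mismatch or native-VLAN-mismatch log line."""
    findings = []
    for line in log_text.splitlines():
        m = DUPLEX_RE.search(line)
        if m:
            findings.append({
                "type": "duplex_mismatch",
                "interface": m.group(1),
                "local_duplex": m.group(2),
                "peer_device": m.group(3),
                "peer_interface": m.group(4),
                "peer_duplex": m.group(5),
            })
            continue
        m = PVID_ERR_RE.search(line)
        if m:
            # Our side sent the BPDU on VLAN<local>, the peer's native VLAN is <peer>.
            findings.append({
                "type": "native_vlan_mismatch",
                "interface": m.group(2),
                "local_vlan": int(m.group(3)),
                "peer_vlan": int(m.group(1)),
            })
    return findings


def still_blocked(log_text):
    """(interface, VLAN) pairs blocked for a PVID inconsistency and not yet
    unblocked: the native-VLAN disagreements the admin still has to finish."""
    blocked = set()
    for line in log_text.splitlines():
        m = BLOCK_RE.search(line)
        if m:
            blocked.add((m.group(1), m.group(2)))
            continue
        m = UNBLOCK_RE.search(line)
        if m:
            blocked.discard((m.group(1), m.group(2)))
    return blocked


if __name__ == "__main__":
    for f in find_mismatches(SAMPLE_LOG):
        print(f)
    print("still blocked:", still_blocked(SAMPLE_LOG))
```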

All looks well, but verify with show interface trunk.

SW1#show int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/11      desirable    802.1q         trunking      12
Fa0/12      desirable    802.1q         trunking      12

SW2#show int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/11      auto         n-802.1q       trunking      12
Fa0/12      auto         n-802.1q       trunking      12

Should Trunking Negotiate?

For this section, I’ve erased the previous switch configs and reloaded both switches, so they’re now both running at their defaults. We’ll again concentrate on the top of the output of show interface trunk.

SW1#show int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/11      desirable    802.1q         trunking      1
Fa0/12      desirable    802.1q         trunking      1

SW2#show int trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/11      auto         n-802.1q       trunking      1
Fa0/12      auto         n-802.1q       trunking      1

Note the default trunk modes are different, shown here on both switches. “Desirable” used to be the default for all Cisco switches, but that’s no longer the case. Here’s a review of the trunking modes:

Trunk mode is unconditional trunking.

Dynamic desirable (shown as “desirable”) means that the port is actively attempting to form a trunk with the port at the remote end of the point-to-point connection. If the remote port is running trunk, desirable, or auto mode, a trunk will form.

Dynamic auto (shown as “auto”) is the wallflower of trunking modes. A port in auto mode will not initiate a trunk, but if the remote port initiates trunking, the auto port will accept that. In other words, the remote port has to ask a port in auto mode to trunk.

Did you notice the n- in front of the encapsulation type on SW2? That means the encapsulation type was negotiated rather than manually configured. Oddly enough, SW1 doesn’t show the encap type as negotiated. Here’s why…

If your switch is capable of running both ISL and dot1q, as SW2 is, you can configure the encap type with switchport trunk encapsulation. If the encap type is configured and you want the port to negotiate instead, use this command with the negotiate option. I’m not going to change the setting here – I just want to show you the options on this particular switch, which can run either ISL or dot1q.

SW2(config)#int fast 0/11
SW2(config-if)#switchport trunk encapsulation ?
  dot1q      Interface uses only 802.1q trunking encapsulation when trunking

That’s all fine, but what does that have to do with the “n-” not being on SW1? Some Cisco switches only support dot1q, including 2950 switches. The encapsulation option won’t even be available!

SW1(config-if)#switchport trunk encapsulation
                                ^
% Invalid input detected at '^' marker.

SW1(config-if)#switchport trunk ?
  allowed  Set allowed VLAN characteristics when interface is in trunking mode
  native   Set trunking native characteristics when interface is in trunking mode
  pruning  Set pruning VLAN characteristics when interface is in trunking mode

To DTP Or Not To DTP

The Dynamic Trunking Protocol (DTP) handles the actual trunk negotiation workload. When this Cisco-proprietary point-to-point protocol is in action, it attempts to negotiate a trunk with the remote port.

As with everything in networking, DTP comes with a cost. A port running DTP will send DTP frames out every 30 seconds. When a port is configured as an unconditional trunk port, there’s no need for that same port to send DTP frames. Also, if there’s a device on the other end of the p-t-p connection that literally can’t trunk (a firewall, for example), why have the DTP overhead?

Leaving DTP running on ports that aren’t actually trunking is a BIG security risk. Leaving DTP on such ports makes it easier for an intruder to introduce a rogue switch to our network. (A rogue switch looks like a legit part of the network, but it’s under the intruder’s control, not ours.)

It’s generally recommended that all ports have DTP disabled and trunking mode be set to unconditional trunking. We’ll do just that in our next lab, starting with SW1. We’ll disable DTP at the interface level with switchport nonegotiate. If the ports are not in unconditional trunking mode, the IOS will not accept this command, as the switch is kind enough to tell us!

SW1(config)#interface range fast 0/11 - 12
SW1(config-if-range)#switchport nonegotiate
Command rejected: Conflict between 'nonegotiate' and 'dynamic' status.
Command rejected: Conflict between 'nonegotiate' and 'dynamic' status.

We had the same command rejected twice since that’s how many ports we had in our interface range. You’ll get slightly different messages from the IOS in this situation depending on the switch model and IOS version. The conflict is with the ports’ dynamic status, not with disabling DTP itself. If the ports are not in unconditional trunking mode, they must be configured as such before using switchport nonegotiate.

SW1(config-if-range)#switchport mode trunk
SW1(config-if-range)#switchport nonegotiate

We had no issue moving the interfaces from desirable to trunk mode. Verify DTP settings with show interface switchport. I highly recommend that you use the pipe option to skip to the interface you want, because this is one verbose command when left on its own! There’s some handy info in this output, and we’re most interested in the “Negotiation Of Trunking” setting, which is now off, as shown on this Cisco 2950.

SW1#show interface switchport | begin Fa0/11
Name: Fa0/11
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

Name: Fa0/12
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 12 (VLAN0012)

While we’re here, let’s verify the trunks on SW1.

SW1#show int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/11      on           802.1q         trunking      1
Fa0/12      on           802.1q         trunking      1

The mode for 0/11 is now “on”, indicating that the port is in unconditional trunking mode. Let’s head to SW2 and repeat the process.

SW2(config)#int range fast 0/11 - 12
SW2(config-if-range)#switchport mode trunk
Command rejected: An interface whose trunk encapsulation is "Auto" cannot be configured to "trunk" mode.
% Range command terminated because it failed on FastEthernet0/11
SW2(config-if-range)#

This particular switch IOS rejected the command once and then terminated the range command. No big deal, but I just want to point out why we only received one rejection when two ports are in the range.

There’s a good reason you can’t go straight from auto to trunk mode. As we saw earlier, SW2 is capable of both ISL and dot1q encapsulation. We need to define which encapsulation protocol the port is going to use, since negotiation is no longer involved, and then we can go from auto to trunk.

SW2(config-if-range)#switchport trunk encapsulation ?
  dot1q      Interface uses only 802.1q trunking encapsulation when trunking
  isl        Interface uses only ISL trunking encapsulation when trunking
  negotiate  Device will negotiate trunking encapsulation with peer on interface

SW2(config-if-range)#switchport trunk encapsulation dot1q
SW2(config-if-range)#switchport mode trunk
SW2(config-if-range)#switchport nonegotiate

Verify the trunk mode with show interface trunk and then verify DTP has been disabled with show interface switchport.
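As an added example (my own code, not from this book or from Cisco), here is a Python check that parses show interface switchport output and flags the ports the text warns about: any port still negotiating trunking, and in particular non-trunking ports that keep sending DTP frames. The sample output is constructed to match the format shown above; Fa0/13 is a hypothetical port that does not exist in the book’s lab.

```python
# Constructed sample output in the format of "show interface switchport"
# (not captured from the book's switches). Fa0/11 is a proper unconditional
# trunk with DTP off, Fa0/12 is a trunk that still negotiates, and the
# hypothetical Fa0/13 is a dynamic port that is not trunking at all but
# keeps sending DTP frames (the rogue-switch risk the text describes).
SAMPLE_SHOW_SWITCHPORT = """\
Name: Fa0/11
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

Name: Fa0/12
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

Name: Fa0/13
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
"""


def parse_switchport(output):
    """Split 'show interface switchport' output into one {field: value} dict per port."""
    ports = {}
    current = None
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = ports.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return ports


def dtp_findings(ports):
    """Return {port: reason} for every port where DTP should be switched off."""
    findings = {}
    for name, attrs in ports.items():
        if attrs.get("Negotiation of Trunking", "Off").lower() != "on":
            continue  # switchport nonegotiate already applied (or an access port)
        oper = attrs.get("Operational Mode", "")
        admin = attrs.get("Administrative Mode", "")
        if oper != "trunk":
            # Worst case from the text: not trunking, but still talking DTP.
            findings[name] = "DTP on but port is not trunking (%s): rogue-switch risk" % oper
        elif admin == "trunk":
            # Unconditional trunk that never had switchport nonegotiate applied.
            findings[name] = "unconditional trunk still sending DTP frames: add switchport nonegotiate"
        else:
            findings[name] = "trunk formed by negotiation (%s): set mode trunk and nonegotiate" % admin
    return findings


if __name__ == "__main__":
    for port, reason in sorted(dtp_findings(parse_switchport(SAMPLE_SHOW_SWITCHPORT)).items()):
        print(port, "-", reason)
```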

SW2#show int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/11      on           802.1q         trunking      1
Fa0/12      on           802.1q         trunking      1

The mode has changed to “on”, which indicates that the port is unconditionally trunking. Port 0/11 no longer has the “n-” in front of the encap type.

SW2#show interface switchport | begin Fa0/11
Name: Fa0/11
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off

Name: Fa0/12
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off

There’s an oddity in the switchport mode options:

SW2(config-if)#switchport mode ?
  access        Set trunking mode to ACCESS unconditionally
  dot1q-tunnel  set trunking mode to TUNNEL unconditionally
  dynamic       Set trunking mode to dynamically negotiate access or trunk mode
  private-vlan  Set private-vlan mode
  trunk         Set trunking mode to TRUNK unconditionally

We have an option for “off”, but not for “on”. Setting a port to access mode turns trunking off. When I change 0/11’s mode to access, the trunk is immediately lost.

SW2(config)#int fast 0/11
SW2(config-if)#switchport mode access

SW2#show int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/12      trunk        802.1q         trunking      1

To see trunk settings for a particular port, even one that isn’t showing up in show interface trunk, run show interface (interface type and number) trunk. That’s where you’ll see the trunk mode actually set to off.

SW2#show interface fast 0/11 trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/11      off          802.1q         not-trunking  12

Filtering The VLANs Allowed To Use The Trunk

For our next lab, I’ve erased the config on both switches and set them back to their default trunk settings. After a reload, here’s the full output of show interface trunk on SW2.

SW2#show int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/11      auto         n-802.1q       trunking      1
Fa0/12      auto         n-802.1q       trunking      1

Port        Vlans allowed on trunk
Fa0/11      1-4094
Fa0/12      1-4094

Port        Vlans allowed and active in management domain
Fa0/11      1,12
Fa0/12      1,12

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/11      none
Fa0/12      1,12

When I first saw “VLANs allowed on trunk”, I immediately wondered why you would want to disable some VLANs on a trunk. Here’s one great reason: The broadcast rears its ugly head yet again! There are no hosts on SW2 in VLAN 100 or 200, but since trunk ports belong to all VLANs, broadcast traffic for all VLANs will be sent from SW1 to SW2 (and vice versa). We can eliminate unnecessary broadcasts by not allowing traffic for VLANs 100 and 200 to go from SW1 to SW2.

We filter the list of VLANs allowed to send traffic across the trunk with switchport trunk allowed. The command and the options in all their splendor:

SW1(config-if)#switchport trunk allowed vlan ?
  WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
  add     add VLANs to the current list
  all     all VLANs
  except  all VLANs except the following
  none    no VLANs
  remove  remove VLANs from the current list

The except option is excellent when you need to exclude just one or a few VLANs. I’ll use it here to exclude VLANs 100 and 200 on both 0/11 and 0/12.

SW1(config)#int range fast 0/11 - 12
SW1(config-if-range)#switchport trunk allowed vlan except 100,200

Verify with show interface trunk.

SW1#show int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/11      auto         n-802.1q       trunking      1
Fa0/12      auto         n-802.1q       trunking      1

Port        Vlans allowed on trunk
Fa0/11      1-99,101-199,201-4094
Fa0/12      1-99,101-199,201-4094

As expected, VLANs 100 and 200 are no longer allowed on the trunk. I’ll use the add option to add VLAN 100 back to the allowed list.

SW1(config)#int range fast 0/11 - 12
SW1(config-if-range)#switchport trunk allowed vlan add 100

SW1#show int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/11      auto         n-802.1q       trunking      1
Fa0/12      auto         n-802.1q       trunking      1

Port        Vlans allowed on trunk
Fa0/11      1-199,201-4094
Fa0/12      1-199,201-4094

We just got word from our bosses that VLAN 100 should be on the disallowed list, so let’s put it there with the remove option, changing nothing else.

SW1(config)#int range fast 0/11 - 12
SW1(config-if-range)#switchport trunk allowed vlan remove 100

SW1#show int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/11      auto         n-802.1q       trunking      1
Fa0/12      auto         n-802.1q       trunking      1

Port        Vlans allowed on trunk
Fa0/11      1-99,101-199,201-4094
Fa0/12      1-99,101-199,201-4094

We can quickly reinstate all VLANs on the trunk with the all option, and we’re right back to where we began!

SW1(config)#int range fast 0/11 - 12
SW1(config-if-range)#switchport trunk allowed vlan all

SW1#show int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/11      auto         n-802.1q       trunking      1
Fa0/12      auto         n-802.1q       trunking      1

Port        Vlans allowed on trunk
Fa0/11      1-4094
Fa0/12      1-4094

If I wanted to remove all VLANs from the allowed list, I’d use the none option.

SW1(config)#int range fast 0/11 - 12
SW1(config-if-range)#switchport trunk allowed vlan none

SW1#show int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/11      auto         n-802.1q       trunking      1
Fa0/12      auto         n-802.1q       trunking      1

Port        Vlans allowed on trunk
Fa0/11      none
Fa0/12      none

You’ll usually have more than one combination of these commands that will filter the VLANs on the allowed list the way you want them filtered. There’s no “right” or “wrong” way to get the job done, as long as you filter only the VLANs you want filtered.

What happens to traffic destined for a given VLAN when that same VLAN has already been removed from the allowed list? Let’s find out! I’ve placed H1 and H4 into VLAN 14, and pings go through just fine.

HOST1#ping 10.1.1.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms

HOST4#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

Let’s see what happens when VLAN 14 is removed from the allowed list on both of SW1’s trunk ports. Before sending the pings, I’ll run debug ip packet on both hosts.

SW1(config)#int range fast 0/11 - 12
SW1(config-if-range)#switchport trunk allowed vlan except 14

SW1#show int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/11      desirable    802.1q         trunking      1
Fa0/12      desirable    802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/11      1-13,15-4094
Fa0/12      1-13,15-4094

HOST1#ping 10.1.1.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.4, timeout is 2 seconds:
1d01h: IP: s=10.1.1.1 (local), d=10.1.1.4 (Ethernet0), len 100, sending.
1d01h: IP: s=10.1.1.1 (local), d=10.1.1.4 (Ethernet0), len 100, sending.
1d01h: IP: s=10.1.1.1 (local), d=10.1.1.4 (Ethernet0), len 100, sending.
1d01h: IP: s=10.1.1.1 (local), d=10.1.1.4 (Ethernet0), len 100, sending.
1d01h: IP: s=10.1.1.1 (local), d=10.1.1.4 (Ethernet0), len 100, sending.
Success rate is 0 percent (0/5)

HOST1#undebug all
All possible debugging has been turned off

HOST4#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
1d01h: IP: s=10.1.1.4 (local), d=10.1.1.1 (Ethernet0), len 100, sending.
1d01h: IP: s=10.1.1.4 (local), d=10.1.1.1 (Ethernet0), len 100, sending.
1d01h: IP: s=10.1.1.4 (local), d=10.1.1.1 (Ethernet0), len 100, sending.
1d01h: IP: s=10.1.1.4 (local), d=10.1.1.1 (Ethernet0), len 100, sending.
1d01h: IP: s=10.1.1.4 (local), d=10.1.1.1 (Ethernet0), len 100, sending.
Success rate is 0 percent (0/5)

HOST4#undebug all
All possible debugging has been turned off

The pings are leaving the hosts, but they’re failing. We know why, since we caused the problem as part of the lab. This is an excellent reminder that when pings fail, it may not be the fault of the sender or intended recipient. It may very well be a device in the middle. A switch, perhaps!

Adding VLAN 14 back to the allowed list resolves the issue.

SW1(config)#int range fast 0/11 - 12
SW1(config-if-range)#switchport trunk allowed vlan add 14

SW1#show int trunk
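As an added example (my own code, not from this book or from Cisco IOS), here is a Python model of the switchport trunk allowed vlan keywords. It replays the except / add / remove / all / none sequence from the previous section, reproduces the range notation that show interface trunk prints, and shows why VLAN 14’s pings fail once that VLAN is excluded. The keyword semantics are taken from the IOS Help text quoted above; everything else is an assumption of this model.

```python
VLAN_MIN, VLAN_MAX = 1, 4094   # the range show interface trunk prints as 1-4094


def parse_vlan_list(text):
    """Parse '1-99,101-199,201-4094' (or 'none' / 'all') into a set of VLAN IDs."""
    vlans = set()
    text = text.strip().lower()
    if text in ("", "none"):
        return vlans
    if text == "all":
        return set(range(VLAN_MIN, VLAN_MAX + 1))
    for part in text.split(","):
        lo, sep, hi = part.strip().partition("-")
        lo = int(lo)
        hi = int(hi) if sep else lo
        if not (VLAN_MIN <= lo <= hi <= VLAN_MAX):
            raise ValueError("bad VLAN range: %s" % part)
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_list(vlans):
    """Render a set of VLAN IDs the way 'Vlans allowed on trunk' shows them."""
    if not vlans:
        return "none"
    ids = sorted(vlans)
    ranges = []
    start = prev = ids[0]
    for v in ids[1:]:
        if v == prev + 1:
            prev = v
            continue
        ranges.append((start, prev))   # gap found: close the current run
        start = prev = v
    ranges.append((start, prev))
    return ",".join(str(a) if a == b else "%d-%d" % (a, b) for a, b in ranges)


def allowed_vlan(current, keyword, arg=None):
    """Apply one 'switchport trunk allowed vlan <keyword> [list]' to the current list.

    Keywords follow the IOS Help text: add/remove edit the current list,
    except is relative to all VLANs, all and none replace the list, and the
    bare WORD form (here called 'list') replaces the list with the given IDs.
    """
    cur = parse_vlan_list(current)
    everything = set(range(VLAN_MIN, VLAN_MAX + 1))
    if keyword == "all":
        new = everything
    elif keyword == "none":
        new = set()
    elif keyword == "except":
        new = everything - parse_vlan_list(arg)
    elif keyword == "add":
        new = cur | parse_vlan_list(arg)
    elif keyword == "remove":
        new = cur - parse_vlan_list(arg)
    elif keyword == "list":
        new = parse_vlan_list(arg)
    else:
        raise ValueError("unknown keyword %s" % keyword)
    return format_vlan_list(new)


def vlan_allowed(current, vlan):
    """True if frames tagged with this VLAN may cross the trunk (the H1/H4 ping test)."""
    return vlan in parse_vlan_list(current)


def replay_lab():
    """Walk through the book's command sequence and return each resulting list."""
    steps = [("except", "100,200"), ("add", "100"), ("remove", "100"),
             ("all", None), ("none", None)]
    state = "1-4094"
    results = []
    for keyword, arg in steps:
        state = allowed_vlan(state, keyword, arg)
        results.append(state)
    return results


if __name__ == "__main__":
    for line in replay_lab():
        print(line)
    after_except_14 = allowed_vlan("1-4094", "except", "14")
    print(after_except_14, "-> VLAN 14 allowed:", vlan_allowed(after_except_14, 14))
```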

Port        Mode         Encapsulation  Status        Native vlan
Fa0/11      desirable    802.1q         trunking      1
Fa0/12      desirable    802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/11      1-4094
Fa0/12      1-4094

HOST1#ping 10.1.1.4
!!!!!

HOST4#ping 10.1.1.1
!!!!!

With VLANs and trunking down, we need to spread the word throughout the network about the VLANs we create, and that’s the subject of the next chapter!

Chapter 4: THE VLAN TRUNKING PROTOCOL (VTP)

VTP allows each switch to have a synchronized view of the network’s active VLANs without necessarily having ports in every VLAN. That’s what the VLAN Trunking Protocol is all about. VTP deals exclusively with trunking, and we’ll do the same!

We’ll start this section with our two-switch network and won’t even worry about the connected hosts. Both switches are at their default settings, and any config from previous chapters or labs has been removed. I’ll create VLAN 100 on SW1, and then run show vlan brief for both switches. (I’ve removed VLANs 1002 – 1005 from the output of show vlan brief and will do so throughout this section.)

SW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9, Fa0/10

                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16, Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22, Fa0/23, Fa0/24, Gi0/1, Gi0/2
100  VLAN0100                         active

SW2#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9, Fa0/10, Fa0/13, Fa0/14, Fa0/15, Fa0/16, Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22, Fa0/23, Fa0/24, Gi0/1, Gi0/2

Right now, SW2’s ignorance of VLAN 100 isn’t hurting anything, but as our little network grows just a bit larger, it does become a problem.

The only way for the two hosts in VLAN 100 to communicate is through SW2, and since SW2 doesn’t know VLAN 100 exists, that communication can’t happen. SW2 doesn’t know how to handle incoming frames marked with VLAN ID 100, so they’re dropped.

You and I, the network admins, could certainly create VLAN 100 manually on SW2. SW2 can only learn about VLAN 100 by manually creating that same VLAN on SW2 or by placing a port on SW2 into VLAN 100. That would work well in a 3-switch network, but what about a 300-switch network? Statically creating VLANs simply isn’t a scalable solution. Of course, the more manual configuration you have, the more time it takes and the larger the chances of misconfiguration.

Better yet, when we place all three of these switches into the same VTP management domain (generally referred to as a “VTP domain”), they’ll exchange information about the VLANs they know about, and all three switches will have a like view of the VLANs on the network. Our hosts in VLAN 100 can then communicate with no manual VLAN creation necessary on SW2. As VLANs are created and deleted, these switches will be happy to let their neighbors in the same VTP domain know about these changes via VTP advertisements.

The key phrase: “in the same VTP domain”. Switches in one VTP domain will not exchange VLAN info with switches in another VTP domain.

Let’s step back to the two-switch network and put both switches into the VTP domain CCNP. Before doing so, let’s run show vtp status on both.

SW1#show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 64
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled

SW2#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0017.9466.f780
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
--------------
VTP Operating Mode              : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
Configuration Revision          : 0

The VTP Domain Name field is blank, which simply means that the switches haven’t joined a VTP domain…yet! After placing SW1 into the VTP domain CCNP, that event triggers a VTP advertisement to SW2. That VTP ad contains info about the VTP domain, and SW2 will then join that domain as a VTP Server.

SW1(config)#vtp domain CCNP
Changing VTP domain name from NULL to CCNP

SW1#show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 64
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 : CCNP
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled

SW2#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 : CCNP
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0017.9466.f780
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
--------------
VTP Operating Mode              : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
Configuration Revision          : 0

Should you put SW1 into the domain CCNP and SW2 into the domain ccnp …

SW2(config)#vtp domain ccnp
Changing VTP domain name from CCNP to ccnp

*Mar 1 00:29:00.896: %SW_VLAN-6-VTP_DOMAIN_NAME_CHG: VTP domain name changed to ccnp.
*Mar 1 00:29:02.020: %DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Fa0/11 because of VTP domain mismatch.
*Mar 1 00:29:02.078: %DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Fa0/12 because of VTP domain mismatch.

… you end up with a mess. Moral of the story: VTP domain names are case-sensitive!

After switching (no pun intended – happy accident!) SW2 back to the VTP domain CCNP, we get the lay of the land via show vtp status. The output will be slightly different on each switch, but the most important VTP values are in each. We’ll follow this output by discussing the VTP Operating Mode info for each switch.

SW1#show vtp status
VTP Version                     : 2
Configuration Revision          : 2
Maximum VLANs supported locally : 64
Number of existing VLANs        : 7
VTP Operating Mode              : Server
VTP Domain Name                 : CCNP
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x87 0xA7 0x10 0x69 0x58 0xA8 0x12 0x72
                                  0x5D 0x74 0x8A 0xED 0x1F 0xE1 0x67 0xE2
Configuration last modified by 0.0.0.0 at 3-1-93 00:30:42
Local updater ID is 0.0.0.0 (no valid interface found)

SW2#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 : CCNP
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0017.9466.f780
Configuration last modified by 0.0.0.0 at 3-1-93 00:30:42
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
--------------
VTP Operating Mode              : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 7
Configuration Revision          : 2

The VTP Modes

The default VTP operating mode is server, with the options illustrated by vtp mode.

SW2(config)#vtp mode ?
  client       Set the device to client mode.
  off          Set the device to off mode.
  server       Set the device to server mode.
  transparent  Set the device to transparent mode.

There are times that IOS Help gives us wonderful descriptions for our options. This is not one of those times. IOS Help pretty much tells us what we already know, and I have a feeling we need to know a little more about each mode!

In VTP server mode, a switch can create, delete, and modify VLANs. By “modify”, we mean “change the name of the VLAN”. We do NOT mean “add ports to a VLAN”, which can be done in server, client, and transparent modes. We must have at least one switch in any given VTP domain running in server mode, or we couldn’t create new VLANs or delete previously existing ones.

Makes sense, since the only devices that need the advertisements are other switches! We must have at least one VTP server in our domain. If we don’t, we’re going to have a bunch of clients just looking at each other (and transparent switches just ignoring each other).

As you’d expect, VTP servers originate VTP advertisements, and accept advertisements from other VTP servers and clients in the same domain.

Switches running in VTP client mode cannot create, modify, or delete VLANs. Clients listen for VTP advertisements and update their databases appropriately when those ads arrive. VTP Clients do not originate VTP ads, but will pass them across their trunks.

Making SW2 a VTP client is what we’ll do in this lab. Let’s see what happens after I do that and then try to create a VLAN on that same switch – or more accurately, what doesn’t happen.

SW2(config)#vtp mode client
Setting device to VTP Client mode for VLANS.
SW2(config)#vlan 100
VTP VLAN configuration not allowed when device is in CLIENT mode.

VTP Transparent switches take a slightly more complicated approach. Switches in VTP transparent mode aren’t fully participating in the VTP domain. VTP transparent switches do not synch their VTP databases with other VTP speakers in the same domain. They don’t even advertise their own VLAN information! VLANs created on a transparent VTP switch will not be advertised to other VTP speakers in the same domain, making them locally significant only.

Another major difference between the modes is how they handle VTP advertisements. When a transparent switch receives VTP advertisements, it will ignore the ads but forward them out its other trunks. (Hang in there with me on this one.)

If the Transparent switch is running VTP v1, the switch will only forward incoming VTP ads if the VTP version number and domain name are the same as those of the switches that would receive the forwarded advertisement. If the Transparent switch is running VTP v2, that switch will forward VTP advertisements via its trunk ports even if the domain name of the downstream switches doesn’t match.

The fourth mode, “off”, disables VTP on the switch, and the switch will not forward VTP advertisements. (This mode was one of the improvements that came along with VTP v3, and isn’t available on previous versions.)

The VTP Advertisement Process & Config Revision Number

VTP advertisements are multicasts that are sent out only over trunk links. ‘Nuff said!

VTP advertisements carry a configuration revision number (CRN) that enables VTP-enabled switches to ensure they have the latest VTP information, and that they’re not overwriting their current VLAN database to make room for old information!

One VTP ad type is the subset advertisement, sent anytime there’s a change in the VLAN landscape. That change doesn’t have to be a VLAN addition or deletion. It could be something as simple as renaming a VLAN.

On some switches, you’ll see the CRN near the top of the show vtp status output…

SW1#show vtp status
VTP Version                     : 2
Configuration Revision          : 2
Maximum VLANs supported locally : 64
Number of existing VLANs        : 7
VTP Operating Mode              : Server
VTP Domain Name                 : CCNP
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled

… and on others, you’ll see it near the bottom of that same command’s output.

SW2#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 : CCNP
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0017.9466.f780
Configuration last modified by 0.0.0.0 at 3-1-93 00:30:42

Feature VLAN:
--------------
VTP Operating Mode              : Client
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 7
Configuration Revision          : 2

Both switches have a CRN of 2. I’ll add a VLAN to SW1 and then recheck the CRN on each switch, also checking to be sure the VLAN is visible in SW2’s show vlan brief output.

SW1(config)#vlan 300

SW1#show vtp status
Configuration Revision          : 3

SW2#show vtp status
Configuration Revision          : 3

SW2#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
100  VLAN0100                         active
200  VLAN0200                         active
300  VLAN0300                         active

VLAN 300 is in SW2’s database, and the CRN incremented on both switches. What happened on each switch to make the CRN increment? Let’s take a behind-the-scenes look…

The creation of VLAN 300 on SW1 triggers a subset advertisement from SW1, and the CRN increments before that ad is sent across the trunk to SW2. SW2 receives the subset ad with a CRN of 3. SW2 compares the incoming CRN to its own CRN (2). When an incoming subset ad’s CRN is larger than the one on the receiving switch,

the contents of the ad are accepted and used to overwrite the receiving switch’s existing VTP database. SW2 will increment its own CRN, and you and I don’t have to do a thing. (That doesn’t make us lazy, that makes us smart.)

We love the CRN! The switches make sure they’re accepting only the latest VLAN revision information. You have to be sure to set the CRN to zero in one particular scenario, though.

We have a simple three-switch network with two Clients and one Server. The domain is CCNP, and the non-default VLANs in use are VLANs 10, 20, 30, 40, and 50. SW2 is busy sending an advertisement with CRN 300.

A switch that was at another physical location is brought to this client site and installed in the CCNP domain. The problem: the CRN on that switch is 500, and this switch only knows about VLAN 1.

SW4 doesn’t even have to be in Server mode to ruin things. While a Client generally spends its time listening for and forwarding VTP ads, it does send a full Summary ad when it first comes online. That’s enough to cause a lot of trouble here. (The VTP Clients will forward the VTP ad to SW2.)

The other switches will receive a VTP advertisement with a higher CRN than the one currently in their VTP database, so they synch their databases in accordance with this new advertisement. Since that new advertisement only includes VLAN 1, connectivity for the other five VLANs is lost.

The official name of this issue is “VTP synch issue”, but you’ll call it something much more profane if it happens to your network. This is most likely to happen when a switch goes down and is replaced in a hurry with a switch from another client site, or even from a CCNP / CCIE practice lab! No matter the source of the switch, the CRN MUST be set to zero before it’s inserted into the new network. Just bouncing the switch isn’t enough, since the CRN is kept in NVRAM.

Cisco theory says that there are two ways to ensure the CRN is set to zero:

Change the VTP domain name to a nonexistent domain, then change it back to the original name.

Change the VTP mode from server to transparent, then back to server.

Whichever you choose, just be sure to verify the zero once that’s done and before you proceed, or you’ll have a real mess on your hands.
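As an added example (my own model, not the book’s or Cisco’s code), here is a small Python simulation of the CRN rule and the synch scenario just described: three switches in domain CCNP at CRN 300 carrying VLANs 10 through 50, then SW4 arriving with CRN 500 and only VLAN 1. The domain rename is modelled as zeroing the CRN, which is the effect the text describes; the name BOGUS-DOMAIN is a placeholder, and clients are assumed to forward every advertisement so that each switch hears it.

```python
class VtpSwitch:
    """Minimal model of the VTP database behaviour described in the text."""

    def __init__(self, name, domain, mode="server", crn=0, vlans=(1,)):
        self.name = name
        self.domain = domain
        self.mode = mode            # "server", "client" or "transparent"
        self.crn = crn              # configuration revision number (kept in NVRAM)
        self.vlans = set(vlans)     # the VLAN database

    def advertise(self):
        """The summary/subset advertisement this switch sends over its trunks."""
        return {"domain": self.domain, "crn": self.crn, "vlans": set(self.vlans)}

    def receive(self, ad):
        """Apply the CRN rule: a higher CRN from the same domain overwrites our database.

        Returns True when the database was replaced. Transparent switches and
        ads from other domains are ignored (a v2 transparent switch would still
        forward the ad, but forwarding is handled by flood() below).
        """
        if self.mode == "transparent" or ad["domain"] != self.domain:
            return False
        if ad["crn"] > self.crn:
            self.vlans = set(ad["vlans"])
            self.crn = ad["crn"]
            return True
        return False

    def reset_crn_via_domain_rename(self, bogus_domain):
        """Method 1 from the text: rename the domain to a nonexistent one, then back.

        The rename is modelled as zeroing the CRN (the effect the text describes);
        bogus_domain is a placeholder name supplied by the caller.
        """
        original = self.domain
        self.domain = bogus_domain
        self.crn = 0
        self.domain = original


def flood(source, switches):
    """Deliver source's advertisement to every other switch; clients forward ads,
    so in this small topology every switch hears it. Returns who was overwritten."""
    ad = source.advertise()
    return [sw.name for sw in switches if sw is not source and sw.receive(ad)]


def synch_problem(reset_first):
    """Replay the scenario. Returns (SW2's VLANs, SW2's CRN, SW4's VLANs)."""
    prod_vlans = {1, 10, 20, 30, 40, 50}
    sw2 = VtpSwitch("SW2", "CCNP", "server", crn=300, vlans=prod_vlans)
    sw1 = VtpSwitch("SW1", "CCNP", "client", crn=300, vlans=prod_vlans)
    sw3 = VtpSwitch("SW3", "CCNP", "client", crn=300, vlans=prod_vlans)
    # The switch brought in from another site: only VLAN 1, but CRN 500.
    sw4 = VtpSwitch("SW4", "CCNP", "client", crn=500, vlans={1})
    if reset_first:
        sw4.reset_crn_via_domain_rename("BOGUS-DOMAIN")   # placeholder name
    network = [sw1, sw2, sw3, sw4]
    flood(sw4, network)   # a client still sends a full summary ad when it comes online
    flood(sw2, network)   # the real server keeps advertising afterwards
    return sorted(sw2.vlans), sw2.crn, sorted(sw4.vlans)


if __name__ == "__main__":
    print("without reset:", synch_problem(False))   # VLANs 10-50 are wiped out
    print("with reset:   ", synch_problem(True))    # SW4 learns the real VLANs instead
```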

The Three VTP Advertisement Types (And Two Directions!)

Summary Advertisements are sent by VTP Servers every 5 minutes OR upon a change in the VLAN database. Included in this ad type are the VTP domain name and version, CRN, MD5 hash code, a timestamp, and the number of Subset Advertisements that will follow this Summary ad.

Subset Advertisements are sent by VTP Servers when there’s a VLAN configuration change. Subset ads give more specific info about the VLAN that’s been changed, including whether the VLAN was actually created, deleted, or suspended, the VLAN type (Ethernet, Token Ring, FDDI, etc.), the VLAN names and numbers, and the new VLAN name and/or MTU (if those values were changed). (Whew!)

Client Advertisement Requests are requests from VTP Clients for VLAN information, which may seem unnecessary. If those Summary Ads are coming every 5 minutes, why does the client ever have to request info? These requests come in handy should the client’s VLAN database become corrupt or if it’s deleted. Rather than wait for the Server’s ads to be triggered, the Client can explicitly request VLAN info, and the Server will answer with a series of Summary and Subset ads that will allow the Client to rebuild its VLAN database.

VTP Versions

The available VTP versions are 1, 2, and 3, and a Cisco switch will run Version 1 by default. As you’d expect, there were some improvements when VTP v2 came along:

VTP v2 supports Token Ring VLANs and Token Ring switching, where v1 does not.

A transparent VTP switch running VTP v2 will forward VTP advertisements via its trunk ports, even if the VTP domain name is different on the switches it’s trunking with. With v1, the domain and version number of the trunking switches had to match that of the transparent switch.

VTP v2 performs a consistency check when changes are made to VLANs or the VTP configuration at the command-line interface (CLI). The consistency check is performed on the VLAN names and numbers, which helps to prevent incorrect names from propagating throughout the network.

Those were solid improvements, but serious improvements came along with the introduction of VTP v3. VTP v3 introduced the VTP mode off we saw earlier. VTP v3 can be enabled and disabled at the port level, rather than only at the switch level.

Use vtp version to change versions. If you’re on a switch that can’t run VTP version 3, you will not see the off option.

SW2#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 : CCNP
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled

SW2(config)#vtp version ?
  <1-3>  Set the administrative domain VTP version number

SW1(config)#vtp mode ?
  client       Set the device to client mode.
  server       Set the device to server mode.
  transparent  Set the device to transparent mode.

The VTP Password ("Secure Mode")

With previous versions of VTP, it was easy to compromise the password. You could also spot the VTP password in the vlan.dat file. Improvement was needed, and VTP v3 brought it.

Let's upgrade SW2 to VTP v3 and then view our options for the VTP password. First I'll configure SW2 to run VTP v2 (hey, I was already there!), and then set a password.

  SW2(config)#vtp version 2
  VTP version is already in V2.

  SW2(config)#vtp password CCNP ?
    <cr>

  SW2(config)#vtp password CCNP
  Setting device VTP password to CCNP

  SW2#show vtp password
  VTP Password: CCNP

Now the upgrade to v3, which gives us two new password options.

  SW2(config)#vtp version 3
  Mar  1 00:06:32.318: %SW_VLAN-6-OLD_CONFIG_FILE_READ: Old version 2 VLAN configuration file detected and read OK. Version 3 files will be written in the future.

  SW2(config)#vtp password ?
    hidden  Set the VTP password hidden option
    secret  Specify the vtp password in encrypted form

  SW2(config)#vtp password CCNP secret ?
  VTP secret has to be 32 characters in length

I just didn't feel up to a 32-character password, so I went with hidden, which really is the best option. (The secret option takes the 32-hex-character key itself rather than the clear-text password, which is how you'd carry a hidden password over to another switch without ever typing the password again.) I'll do that after removing the previous password.

  SW2(config)#no vtp password CCNP
  Clearing device VTP password.

  SW2#show vtp password
  The VTP password is not configured.

  SW2(config)#vtp password CCNP hidden
  Setting device VTP password

  SW2#show vtp password
  VTP Password: 50EF55299259C91C41DDF825699A177D

Cisco's website documentation on VTP v3 mentions that show commands can't be used to see the password, nor is it visible in the vlan.dat file, and that is indeed the case! The vlan.dat file is HUGE, so I'm not showing the entire thing here. Suffice to say I looked for the password and it wasn't there.

  SW2#more vlan.dat
  00000000: BADB100D 00000002 02044343 4E500000  :[.....CCNP..

The Synch Problem

Remember the VTP synch problem we saw earlier in this chapter? VTP v3 helps us prevent that problem (proactively!) by introducing the primary server concept. When you configure a VTP Server as the primary server, that's the only device that can actually update other switches in the VTP domain.

Use vtp primary to make a VTP server the primary server, and you'll be prompted one more time to ensure you're sure about making this switch the primary server. You need the VTP password to do so.

  SW2#vtp primary vlan
  This system is becoming primary server for feature vlan
  No conflicting VTP3 devices found.
  Do you want to continue? [confirm]
  Enter VTP Password:
  SW2#
  *Mar  1 00:24:17.629: %SW_VLAN-4-VTP_PRIMARY_SERVER_CHG: 0017.9466.f780 has become the primary server for the VLAN VTP feature

A Final Word About VTP Versions

According to Cisco website documentation, VTP v3 is friendly to VTP v2, but v3 will not work with v1. If a switch running v1 detects a v3 switch, the switch running v1 will attempt to upgrade to v2. Naturally, if the switch can only run v1, you're stuck. Cisco strongly recommends that you determine whether your current switches are v2-capable before introducing v3 to your network. You're better off if all your current switches are v3-capable.

Another major difference between versions to watch out for: VTP v1 and v2 support only VLANs 1 – 1005, where v3 supports the full range of extended VLANs (1 – 4094).

VTP Pruning

Trunk ports are members of all VLANs, which leads to an issue involving broadcasts, unknown unicasts, and multicasts. A trunk port will forward broadcasts and multicasts for all VLANs it knows about, regardless of whether the switch at the other end of the trunk actually has ports in those VLANs. This means that the sending switch is likely sending unnecessary traffic, and the recipient is receiving totally unnecessary traffic.

Here, SW1 has hosts in VLANs 2 – 19. That switch is trunking with SW2, which has hosts in VLANs 2 – 10. There's no reason to send broadcast, unknown unicast, or multicast traffic belonging to VLANs 11 – 19 to SW2.

With VTP pruning, a switch will send a message to its trunking partners, identifying the VLANs in use by the switch sending the message. SW1 now knows which multicasts, broadcasts, and unknown unicasts should and should not be sent across the trunk to SW2.
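To make that decision concrete, here is an added Python example (mine, not the book's) that parses Cisco's VLAN-list syntax, applies the add/except/none/remove forms of switchport trunk pruning vlan to the prune-eligible list, and works out which VLANs SW1 would still flood toward SW2. The VLAN memberships are the ones from the text (SW1 in VLANs 2 – 19, SW2 in VLANs 2 – 10). VLAN 1 and 1002 – 1005 are never pruned and the default prune-eligible range is 2 – 1001, as on IOS; the exact validation messages are mine.

```python
"""Which VLANs a trunk keeps flooding once VTP pruning is on.

Added example; the VLAN memberships and trunk settings are constructed.
"""
from typing import Set

VLAN_MAX = 4094
NEVER_PRUNED = {1, 1002, 1003, 1004, 1005}   # VLAN 1 and the default media VLANs
DEFAULT_ELIGIBLE = set(range(2, 1002))      # what "vtp pruning" makes eligible


def parse_vlan_list(text: str) -> Set[int]:
    """Parse Cisco's VLAN range syntax, e.g. "1,3-5,7,9-11"."""
    vlans: Set[int] = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        first, last = int(lo), int(hi or lo)
        if not 1 <= first <= last <= VLAN_MAX:
            raise ValueError(f"invalid VLAN range {part!r}")
        vlans.update(range(first, last + 1))
    return vlans


def prune_eligible_after(current: Set[int], args: str) -> Set[int]:
    """Apply one `switchport trunk pruning vlan <list|add|except|none|remove>`.

    `current` is the trunk's present prune-eligible list; the result is the new one.
    """
    keyword, _, rest = args.strip().partition(" ")
    if keyword == "none":
        return set()
    if keyword == "except":
        return DEFAULT_ELIGIBLE - parse_vlan_list(rest)
    if keyword == "remove":
        return current - parse_vlan_list(rest)
    wanted = parse_vlan_list(rest if keyword == "add" else keyword)
    if not wanted <= DEFAULT_ELIGIBLE:
        raise ValueError("only VLANs 2-1001 can be made prune-eligible")
    return (current | wanted) if keyword == "add" else wanted


def flooded_across_trunk(local_vlans: Set[int], eligible: Set[int],
                         neighbor_active: Set[int]) -> Set[int]:
    """VLANs whose broadcasts, multicasts and unknown unicasts still cross the trunk.

    A VLAN is pruned only when it is prune-eligible on this trunk and the neighbor
    reported no active ports in it; everything else is flooded as before.
    """
    return {v for v in local_vlans if v not in eligible or v in neighbor_active}


# Constructed scenario from the text: SW1 carries VLANs 1-19, SW2 has hosts in 2-10.
SW1_VLANS = parse_vlan_list("1-19")
SW2_ACTIVE = parse_vlan_list("1-10")
```

With the default list, SW1 floods only VLANs 1 – 10 toward SW2; `remove 15` on SW1's trunk makes VLAN 15 prune-proof and puts it back on the wire, and `except 11-12` does the same for VLANs 11 and 12.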

Enabling VTP pruning is just as easy. You don't even have to type "on"!

  SW2(config)#vtp pruning ?
    <cr>

  SW2(config)#vtp pruning
  Pruning switched on

That simple command makes VLANs 2 – 1001 eligible for pruning. You can't prune the default VLANs! If you want to make some of those VLANs "prune-proof", use the switchport trunk pruning vlan command.

  SW1(config)#int range fast 0/11 - 12
  SW1(config-if-range)#switchport trunk pruning vlan ?
    WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
    add     add VLANs to the current list
    except  all VLANs except the following
    none    no VLANs
    remove  remove VLANs from the current list

Enough of VLANs – for now! Let's get started with the Spanning Tree Protocol!

Chapter 5: The Fundamentals of STP

Whether it's Layer 2 or Layer 3, we love redundancy. A single point of failure for anything in today's networks just isn't acceptable. With routing, we want to use as many of those paths as is feasible. L3 routing protocols such as EIGRP and OSPF allow us to use secondary paths in addition to the primary paths, making equal- and unequal-cost load balancing possible. (More on that in your ROUTE studies!)

Redundancy works just a bit differently at L2 than L3. At Layer 2, our redundant paths need to be ready for action in case the primary path fails, but they will not be used in addition to the primary path.

So that's all fine, you say, but what about those redundant paths? Why can't we use every single path from "A" to "B" for switching, as we like to do for routing? The problem at L2 is the possibility of switching loops.

The basic purpose of the Spanning Tree Protocol (STP) is to identify valid loop-free paths and then choose the best of those paths for use. STP will then block ports on the valid but less desirable paths, holding those paths in standby. Should a primary path become unavailable, STP will realize this and begin to unblock the necessary ports to put the next best path into action.

This becomes a lot clearer with examples and lab work, which we have plenty of in the next few sections of the course! Here's an example of such a loop where STP is not in action.

Note: Switching loops are sometimes called "bridging loops", even in networks that don't have bridges. It's a legacy term, and we always say "legacy" because we don't like to say "old".

Now this is redundancy! We have three switches connecting two Ethernet segments, so if two switches go down, each host would still be able to reach every other host. Having STP on would help prevent switching loops, but in this example, it's not on.

Let's say all three switches have just been turned on, and Host A sends a frame to Host C. Before making a forwarding decision regarding the incoming frame, each switch will check its own MAC address table for an entry for the source MAC address of the frame. None of the switches have such an entry, so they'll each make an entry in their respective MAC tables, listing Host A as reachable via Fast0/1.

On to the forwarding decision! None of the switches have an entry for the frame's destination, so each switch will follow the default behavior for an unknown unicast address. They'll flood the frame out all ports except the one it came in on. In our example, the frames will be flooded out Fast0/2 on each switch.

Just that quickly, we're about to experience a switching loop. With this topology, each switch will see the frames just flooded by the other two switches. The problem is the source MAC address of each flooded frame, which is still Host A's MAC address. When each switch receives a frame on Fast 0/2 with Host A's MAC address as the source, each switch will then change the MAC address table entry for Host A to Fast 0/2. As those frames are flooded in turn, all three switches would receive the frame on their Fast0/1 interfaces again, and the switches will keep going back and forth on the MAC address table entry for Host A.

If you think that's bad (and it is!), just wait until the other hosts start sending traffic! Slowly but surely (don't call me Shirley), more and more broadcast traffic is forwarded by the switches. Finally, the switch is overwhelmed by those broadcasts and we have a broadcast storm.

In short, switching loops cause three major problems:

Frames can't reach their intended destination, either in full or in part
There's an unnecessary strain put on the switch CPU
A lot of bandwidth is unnecessarily sucked up by all those broadcasts

Luckily for us, switching loops don't occur often, because STP does a great job of preventing switching loops before they happen. It all begins with the exchange of Bridge Protocol Data Units (BPDUs).

The Bridge Protocol Data Unit Types and The Root Bridge Election

We have two BPDU types, both multicast to the well-known MAC address 01-80-c2-00-00-00. We're going to concentrate on Configuration BPDUs, the BPDUs that are used in STP calculations. TCN BPDUs will be covered later in this section.

Only the root bridge will originate Configuration BPDUs. The non-roots will receive and forward a copy of that BPDU, but non-root bridges do not actually create this BPDU type. Config BPDUs will be exchanged between our switches until one switch is elected root bridge, and we'll see that in action after we have an election. The root bridge is also the switch that decides what the STP timers will be.

Each switch has a Bridge ID, commonly referred to as a BID. The BID is a combination of a 2-byte Priority value and the switch's 6-byte MAC address. The Priority value comes first in the BID. If a Cisco switch has the default priority 32768 and a MAC address of 11-22-33-44-55-66, the resulting BID is 32768:11-22-33-44-55-66. (On today's switches running per-VLAN spanning tree, that 2-byte field is split into a 4-bit priority and a 12-bit system ID extension carrying the VLAN number, which is why show spanning-tree reports a priority of 32769 for VLAN 1: 32768 plus 1.)

The switch with the lowest BID will win that coveted role. If the Priority is left at the default on all switches, the MAC address is the deciding factor in the root bridge election, and the switch with the lowest MAC address wins.

In any network, you'll have switches that are more powerful than others in terms of processing power and speed. In general, you should ensure that your primary and secondary root bridges are your more powerful switches. We don't want to leave those roles to chance – or the lowest MAC address! I'll show you exactly how to be deterministic about root bridge elections after we walk through an example of a root bridge election using only the defaults.

The Default Root Bridge Election Process

Switches are a lot like people. When they first arrive, they announce to everyone around them that they are the center of the universe. Unlike some people, the switches get over it.

But seriously folks, we're about to walk through a root bridge election on a three-switch network. Each switch has the default priority 32768, and the MAC address of each switch is the switch's number repeated 12 times. All three switches are coming online at the same time, so all three believe they are the root bridge, and all three of them get very busy announcing that fact.

Since each switch believes it's the root, all six ports in this example will go to the listening state, allowing each switch to hear BPDUs from the others. (Much more on these STP port states later in this section.) Here's our network and the root bridge election from SW1's perspective, and we'll take a look at the election from each switch's point of view.

SW1 is receiving BPDUs from both SW2 and SW3, both containing BIDs higher than SW1's own BID. While higher BIDs are winners in auctions, they're losers in root bridge elections. SW1 continues to believe that it's the root bridge and will continue to announce itself as such.

Here's the election from SW2's perspective: SW2 believes it's the root, and the BPDU from SW3 will not change its mind. However, the BPDU from SW1 will! When SW2 sees the BID inside the BPDU from SW1, SW2 will realize it is not the root bridge for this network. SW2 will stop originating Configuration BPDUs, and will instead begin to relay those sent by SW1.

The election from SW3's point of view: SW3 is about to develop a massive inferiority complex! Both incoming BPDUs contain BIDs superior to that of SW3. SW3 recognizes that the BPDU containing the best BID is coming from SW1.

Just that quickly, SW2 and SW3 recognize SW1 as the root – for now!

Root bridge elections never really end. SW1 is currently recognized as the root for this network, but if another switch comes along that advertises a superior BID, that switch would then become the root! SW4 has now come on board, and is advertising a BID lower than that of SW1. SW4 will advertise this BID via a Configuration BPDU, and when SW1 sees that BPDU, SW1 will realize it's no longer the root bridge. SW4 will then take over that role, and SW1 will begin forwarding the Configuration BPDUs it receives from SW4. These Config BPDUs go out every 2 seconds, so this process takes very little time.

This example allowed you to see the details of a root bridge election, but in your production network, that election's already taken place. It's a good idea to know how to see the BIDs of your live switches as well as spot the winner of a root bridge election that's already taken place. For this lab, we'll use a two-switch network, with the switches trunking on their 0/11 and 0/12 ports.

To see the BID of both the local switch and the root switch for a particular VLAN, run show spanning-tree vlan. (Each VLAN will have its own root switch.) Let's take a look at the root bridge info for our default VLAN.

  SW1#show spanning vlan 1
  VLAN0001
    Spanning tree enabled protocol ieee
    Root ID    Priority    32769
               Address     000f.90e2.2540
               This bridge is the root
               Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

    Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
               Address     000f.90e2.2540
               Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
               Aging Time 15

  Interface  Role Sts Cost  Prio.Nbr Type
  ---------- ---- --- ----- -------- ----
  Fa0/11     Desg FWD 19    128.11   P2p
  Fa0/12     Desg FWD 19    128.12   P2p

There are four different ways to tell you're on the root switch. The most obvious is the phrase "This bridge is the root". The other three ways:

The MAC address of the Root ID (the info for the root) and the Bridge ID (the info for the local switch) is the same.

All ports on the root bridge will be in forwarding mode (FWD). No ports on the root bridge will be in blocking mode (BLK).

As odd as it sounds, the root bridge will have no root port, since it doesn't exist. The root port is the port a switch will use to reach the root bridge, so the root bridge doesn't need one!

What do things look like on the non-root bridge, you ask?

  SW2#show spanning vlan 1
  VLAN0001
    Spanning tree enabled protocol ieee
    Root ID    Priority    32769
               Address     000f.90e2.2540
               Cost        19
               Port        13 (FastEthernet0/11)
               Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

    Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
               Address     0017.9466.f780
               Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
               Aging Time 300 sec

  Interface  Role Sts Cost  Prio.Nbr Type
  ---------- ---- --- ----- -------- ----
  Fa0/11     Root FWD 19    128.13   P2p
  Fa0/12     Altn BLK 19    128.14   P2p

There are four ways to tell you're not on the root bridge. The first listed here isn't highlighted, but the other three are in bold.

No "This bridge is the root" message
The MAC addresses under the Root ID and Bridge ID fields are different
The switch has a root port (Fa0/11)
There is a port in blocking mode

STP prevents switching loops by putting some ports into blocking mode. In our two-switch network, one path between the switches is open and the other is closed. Only one port is in blocking mode, rather than the two you might expect. STP allows only one path between "Point A" and "Point B" – in this case, our two switches – and disallows the others by putting the minimum number of ports necessary into blocking mode.

STP puts the minimum number of ports into blocking mode in order to speed up the process of bringing a new path up when the currently open one becomes unavailable. The fewer ports that need to reopen, the faster that new path will be available.

Root Port Selection, Path Costs, and Root Path Costs

Wondering how SW2 chose 0/11 as its root port, instead of 0/12? Every port on our switches has an assigned path cost, and that cost is used to arrive at the port's root path cost. The faster the port, the lower the path cost. The path cost is strictly a local value and is not advertised to upstream or downstream switches.

The root path cost is a cumulative value reflecting the overall cost for a given port to reach the root. The Configuration BPDU carries the root path cost, and that cost increments as that BPDU is forwarded throughout the network. These terms will become much clearer after the upcoming example!

It all begins with the root bridge transmitting a Configuration BPDU with the root path cost set to zero. When SW2 receives that BPDU, it will add the cost of the port the BPDU was received upon to the root path cost found in that incoming BPDU. The root path cost goes from 0 to 19 (when received by SW2) to 38 (when received by SW3). It's important to note that the root path cost increments as BPDUs are received, not sent.

Let's zip back to our two-switch example. The incoming root path cost should be the same for both ports on SW2, since every port involved here is a Fast Ethernet port. Let's run show spanning-tree vlan to see what the deciding factor was.

  SW2#show spanning vlan 1
  < Some config removed for clarity >

  Interface  Role Sts Cost  Prio.Nbr Type
  ---------- ---- --- ----- -------- ----
  Fa0/11     Root FWD 19    128.13   P2p
  Fa0/12     Altn BLK 19    128.14   P2p

The path cost is 19 for each port, but 0/11 was chosen as the root port over 0/12. Here's the process for choosing the root port:

First, choose the port receiving the superior BPDU, the BPDU containing the lowest root BID. 0/11 and 0/12 are both receiving BPDUs from SW1, so this is a tie.

Next, choose the port with the lowest root path cost. That's a tie, as both ports will have a root path cost of 19.

Next tiebreaker: choose the port receiving the BPDU with the lowest Sender BID. Since both ports received their BPDUs directly from SW1, this is also a tie.

Finally, the lowest sender Port ID wins. There's our tiebreaker, and fast 0/11 is your winnah!

Let's head back to our three-switch network and identify the root ports. We know that the ports on the root bridge aren't root ports. They're designated ports, and they'll be in forwarding mode, as are all ports on the root bridge. All ports are Fast Ethernet ports with a path cost of 19. With all path costs the same, we can quickly identify the root ports on SW2 and SW3, and root ports will always be in forwarding mode (FWD).

We have four ports in forwarding mode, so STP better put a port or two in blocking mode soon! Speaking of designated ports, we need one of those for the segment connecting SW2 and SW3. In this admittedly unlikely-to-be-seen-in-the-real-world scenario, frames coming from a host onto the segment shared by SW2 and SW3 might cause a switching loop if both switches could forward frames from that host to SW1. Being a shared network segment, it needs one and only one designated port. That's where the designated port (DP) comes in.

The switch with the lowest root path cost will have its port on this shared segment named as the designated port. In this scenario, both switches will have the exact same root path cost. It was zero on SW1 and incremented to 19 as the BPDUs were received by SW2 and SW3, so we need a tiebreaker. The port belonging to the switch with the lowest BID will become the designated port. We saw earlier that SW2's BID is 32768:22-22-22-22-22-22 and SW3's is 32768:33-33-33-33-33-33, so SW2's port on that shared segment becomes the DP.

Here's the final result: of the six ports, five of them are in forwarding mode and only one is blocked, but placing that one particular port into blocking mode prevents switching loops from forming. Putting just one of the two ports on the SW2–SW3 shared segment into blocking mode makes the cutover to that path for SW3 a little quicker, should the current path to SW1 become unavailable.

The Shortest Path Is Not Always The Shortest Path

If you were asked which of SW3's two ports would become its root port, it would be really easy to say 0/1. It would also be really wrong. Do not jump to the conclusion that the physically shortest path is the logically shortest path.

  SW3-to-SW1 root path cost: 100 (One 10 Mbps link)
  SW3-to-SW2-to-SW1 root path cost: 38 (Two 100 Mbps links)

Fast 0/2 becomes the root port. The root path using that port has a cost of 38, while the more physically direct path has a root path cost of 100.

Keep STP costs in mind when eyeballing a network map on your CCNP SWITCH exam, or during your network admin duties. Whether it's in the exam room or your server room, be sure to double-check the port speeds. Some of the network maps I've looked at over the years have a font size of about 0.5, and it's really easy to miss a zero – or think one is there that isn't! Luckily, that only happens now and Zen.

And speaking of Zen… We know the STP path costs are determined by port speed, and it couldn't hurt to be familiar with the following port speeds. (These port costs have changed over time, and these values are from the most recent list on Cisco's website.) This is not a list of every possible speed, but lists the more common speeds you'll bump into on Cisco switches.

  Port speed   STP path cost
  10 Gbps      2
  1 Gbps       4
  100 Mbps     19
  16 Mbps      62
  10 Mbps      100
  4 Mbps       250

Changing A Port's Path Cost

We'll verify port path cost changes with show spanning-tree vlan. We need only the information at the bottom of that command's output in this lab, so I'll edit the "Root ID" and "Bridge ID" fields from the output. Let's verify!

  SW2#show spanning vlan 1
  Interface  Role Sts Cost
  ---------- ---- --- -----
  Fa0/11     Root FWD 19
  Fa0/12     Altn BLK 19

We want 0/12 to be the root port. Lowering its path cost to 9 for all VLANs should do it!

  SW2(config)#int fast 0/12
  SW2(config-if)#spanning-tree ?
    bpdufilter     Don't send or receive BPDUs on this interface
    bpduguard      Don't accept BPDUs on this interface
    cost           Change an interface's spanning tree port path cost
    guard          Change an interface's spanning tree guard mode
    link-type      Specify a link type for spanning tree protocol use
    mst            Multiple spanning tree
    port-priority  Change an interface's spanning tree port priority
    portfast       Enable an interface to move directly to forwarding on link up
    stack-port     Enable stack port
    vlan           VLAN Switch Spanning Tree

  SW2(config-if)#spanning-tree cost ?
    <1-200000000>  port path cost

  SW2(config-if)#spanning-tree cost 9

Just a few seconds after changing the cost, we get this little message:

  *Mar  2 05:31:08.802: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down

Doesn't sound good! Our management interface, Vlan1, has gone down. Let's see if it comes back up while we check in on our root port situation!

  SW2#show spanning vlan 1
  Interface  Role Sts Cost
  ---------- ---- --- -----
  Fa0/11     Altn BLK 19
  Fa0/12     Root LIS 9

The change to 0/12's path cost is immediate, as is the transition of 0/11 from forwarding to blocking. What isn't immediate is the transition of 0/12 from blocking to forwarding. Right now, 0/12 is in listening mode. More on that shortly, but trust me – there's a really good reason that change isn't immediate.

About 15 seconds after that output, I ran the same command:

  SW2#show spanning vlan 1
  Interface  Role Sts Cost
  ---------- ---- --- -----
  Fa0/11     Altn BLK 19
  Fa0/12     Root LRN 9

0/12 is now in learning mode. About 15 seconds later…

  *Mar  2 05:35:41.510: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up

… the VLAN1 interface comes back up and 0/12 is in forwarding mode.

  SW2#show spanning vlan 1
  Interface  Role Sts Cost
  ---------- ---- --- -----
  Fa0/11     Altn BLK 19
  Fa0/12     Root FWD 9

That's just what we wanted – we just had to be a little patient!

Load Balancing On A Per-VLAN Basis

Using cost is an all-or-nothing deal. What if we want to change the cost for some VLANs while leaving it alone for others? We'll make this happen with spanning-tree vlan, using the cost option. This is per-VLAN load balancing, and while it's not perfect load balancing, it's better than sending all our traffic across one trunk while treating the other trunk as strictly a backup.

In the following lab, all VLANs are using the top trunk (Fa 0/11 on both switches). We're just wasting the other path! We want VLANs 10 and 20 to continue to use the top path, but VLANs 30 and 40 should use the bottom trunk (Fa 0/12 on both switches). We'll change the path cost for 0/12 on SW2 to 9 for VLANs 30 and 40 while leaving it alone for VLANs 10 and 20. Note the option to specify a range of VLANs.

  SW2(config)#int fast 0/12
  SW2(config-if)#spanning vlan ?
    WORD  vlan range, example: 1,3-5,7,9-11

  SW2(config-if)#spanning vlan 30,40 ?
    cost           Change an interface's per VLAN spanning tree path cost
    port-priority  Change an interface's spanning tree port priority

  SW2(config-if)#spanning vlan 30,40 cost ?
    <1-200000000>  Change an interface's per VLAN spanning tree path cost

  SW2(config-if)#spanning vlan 30,40 cost 9

The port begins to transition from blocking to forwarding for VLANs 30 and 40…

  SW2#show spanning vlan 30
  Interface  Role Sts Cost
  ---------- ---- --- -----
  Fa0/11     Altn BLK 19
  Fa0/12     Root LIS 9

  SW2#show spanning vlan 40
  Interface  Role Sts Cost
  ---------- ---- --- -----
  Fa0/11     Altn BLK 19
  Fa0/12     Root LIS 9

… but there's no transition for VLANs 10 and 20.

  SW2#show spanning vlan 10
  Interface  Role Sts Cost
  ---------- ---- --- -----
  Fa0/11     Root FWD 19
  Fa0/12     Altn BLK 19

  SW2#show spanning vlan 20
  Interface  Role Sts Cost
  ---------- ---- --- -----
  Fa0/11     Root FWD 19
  Fa0/12     Altn BLK 19

Thirty seconds or so later, the transition has completed, and 0/12 is now the root port for both VLANs 30 and 40.

  SW2#show spanning vlan 30
  Interface  Role Sts Cost
  ---------- ---- --- -----
  Fa0/11     Altn BLK 19
  Fa0/12     Root FWD 9

  SW2#show spanning vlan 40
  Interface  Role Sts Cost
  ---------- ---- --- -----
  Fa0/11     Altn BLK 19
  Fa0/12     Root FWD 9

All VLAN 30 and 40 traffic will now use the trunk that was previously unused. Pretty cool! VLANs 10 and 20 are still using the top trunk:

  SW2#show spanning vlan 10
  Interface  Role Sts Cost
  ---------- ---- --- -----
  Fa0/11     Root FWD 19
  Fa0/12     Altn BLK 19

  SW2#show spanning vlan 20
  Interface  Role Sts Cost
  ---------- ---- --- -----
  Fa0/11     Root FWD 19
  Fa0/12     Altn BLK 19

Let's quickly review those STP port states.

The STP port state disabled is a little odd in that you won't see "DIS" next to a port in the output of show spanning vlan. A disabled port is simply a port that's been administratively shut down. A disabled port isn't forwarding frames or even officially running STP. Cisco does consider this to be an official STP state, so we will too!

Once that port is administratively enabled, the port goes into blocking state (BLK). The port still can't do much. No frame forwarding, no frame receiving, and therefore no dynamic learning of MAC addresses. About the only thing a blocked port can do is accept BPDUs from neighboring switches.

When a port starts the transition from blocking to forwarding, it enters listening mode (LIS). The obvious question: "Listening for what?" A listening port is listening for BPDUs. A listening port can send BPDUs as well, allowing the port to participate in the root bridge election. A port in listening mode still can't forward or receive frames, and as a result the port can't learn MAC addresses.

As the transition continues, the port goes from listening to learning (LRN) mode.

  SW2#show spanning vlan 40
  Interface  Role Sts Cost
  ---------- ---- --- -----
  Fa0/11     Altn BLK 19
  Fa0/12     Root LRN 9

A learning port isn't forwarding frames, but it is learning MAC addresses and adding them to the switch's MAC address table. A port in learning mode continues to send and receive BPDUs.

Finally, the port goes from learning to forwarding mode. Forwarding mode allows a port to forward and receive frames, send and receive BPDUs, and continue to learn MAC addresses. This is the only state where the port is actually forwarding frames!

Let's review that list we used for root port selection:

First, choose the port receiving the superior BPDU.
Tie? Choose the port with the lowest root path cost.
Still tied? Choose the port receiving the BPDU with the lowest Sender BID.
Still tied? Choose the port receiving the BPDU with the lowest sender Port ID.

That port ID is a combination of port priority and port number. There's another cute little way of performing per-VLAN load balancing on our switches, and that's by manipulating the port priority. In this lab, we'll lower the port priority of SW1's fast 0/12 below that of its fast 0/11 for some VLANs, while leaving it the same for others. VLANs 30 and 40 will move to the trunk over SW2's fast 0/11, while VLANs 10 and 20 will continue to use the trunk over its fast 0/12. (The commands from the previous load-balancing lab have been removed.)

During that lab, we had the following ports sending BPDUs on SW1. The edited readout of show spanning vlan for each VLAN on SW1 reflects the default port priority of 128 on ports 0/11 and 0/12.

  SW1#show spanning vlan 1
  Interface  Role Sts Cost  Prio.Nbr Type
  ---------- ---- --- ----- -------- ----
  Fa0/11     Desg FWD 19    128.13   P2p
  Fa0/12     Desg FWD 19    128.14   P2p

  SW1#show spanning vlan 10
  Interface  Role Sts Cost  Prio.Nbr Type
  ---------- ---- --- ----- -------- ----
  Fa0/11     Desg FWD 19    128.13   P2p
  Fa0/12     Desg FWD 19    128.14   P2p

  SW1#show spanning vlan 20
  Interface  Role Sts Cost  Prio.Nbr Type
  ---------- ---- --- ----- -------- ----
  Fa0/11     Desg FWD 19    128.13   P2p
  Fa0/12     Desg FWD 19    128.14   P2p

  SW1#show spanning vlan 30
  Interface  Role Sts Cost  Prio.Nbr Type
  ---------- ---- --- ----- -------- ----
  Fa0/11     Desg FWD 19    128.13   P2p
  Fa0/12     Desg FWD 19    128.14   P2p

  SW1#show spanning vlan 40
  Interface  Role Sts Cost  Prio.Nbr Type
  ---------- ---- --- ----- -------- ----
  Fa0/11     Desg FWD 19    128.13   P2p
  Fa0/12     Desg FWD 19    128.14   P2p

The same commands on SW2 show the same port priority for each VLAN, with fast 0/12 as the root port for every VLAN.

  SW2#show spanning vlan 10
  VLAN0010
    Spanning tree enabled protocol ieee
    Root ID    Priority    24586
               Address     001c.0fbf.2f00
               Cost        19
               Port        12 (FastEthernet0/12)
               Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

    Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
               Address     000e.84ae.3600
               Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
               Aging Time 300

  Interface  Role Sts Cost  Prio.Nbr Type
  ---------- ---- --- ----- -------- ----
  Fa0/11     Altn BLK 19    128.11   P2p
  Fa0/12     Root FWD 19    128.12   P2p

  SW2#show spanning vlan 20
  Interface  Role Sts Cost  Prio.Nbr Type
  ---------- ---- --- ----- -------- ----
  Fa0/11     Altn BLK 19    128.11   P2p
  Fa0/12     Root FWD 19    128.12   P2p

  SW2#show spanning vlan 30
  Interface  Role Sts Cost  Prio.Nbr Type
  ---------- ---- --- ----- -------- ----
  Fa0/11     Altn BLK 19    128.11   P2p
  Fa0/12     Root FWD 19    128.12   P2p

  SW2#show spanning vlan 40
  Interface  Role Sts Cost  Prio.Nbr Type
  ---------- ---- --- ----- -------- ----
  Fa0/11     Altn BLK 19    128.11   P2p
  Fa0/12     Root FWD 19    128.12   P2p

For VLANs 30 and 40 to start using SW2's fast 0/11, we'll decrease the port priority for those VLANs on SW1's fast 0/12. The priority has to change on the switch that sends the BPDUs, because a switch picks its root port by comparing the sender's port ID, not its own. The new port priority must be set in increments of 16, and the switch doesn't like it when you do not do so.

---------.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 .Nbr Type When it comes to VLANs 30 and 40. ----- --.Nbr Type ---------------.11 P2p Fa0/12 Altn BLK 19 128. Fa0/11 Desg FWD 19 128. As a result. --------. --------.11 P2p Fa0/12 Altn BLK 19 128. verified by show spanning vlan 30 and show spanning vlan 40 on SW1(config-if)#spanning vlan 30 ? SW2.Nbr Type ---------------. show spanning vlan 30 and show spanning vlan 40 verify the change. Cost Change an interface’s per VLAN spanning tree path cost port-priority Change an interface’s spanning tree port priority SW1(config-if)#spanning vlan 30 port-priority ? SW2#show spanning vlan 30 Interface <0-240> port priority in increments of 16 Role Sts Cost Prio. ----- --. ---------. ---------.12 P2p 108 109 .Nbr Type and show spanning vlan 20 on SW2.Nbr Type Fa0/11 Altn BLK 19 128.14 P2p SW2#show spanning vlan 20 Interface Role Sts Cost Prio. SW1(config-if)#spanning vlan 30 port-priority 35 Fa0/11 Root FWD 19 128.Nbr Type ---------------.12 P2p ---------------. --------. ---------------. is now superior to that over fast 0/12.13 P2p Fa0/12 Desg FWD 19 64. --------.11 P2p Fa0/12 Root FWD 19 128. ----- --. Fa0/11 Desg FWD 19 128. ---------. --------. ----- --. the BPDU going from SW1 to SW2 over fast 0/11 ---------------. Fa0/11 Root FWD 19 128. Prio.115 S T U DY G U I D E C H R I S B R YA N T SW1(config)#int fast 0/12 trunk over fast 0/11. ---------. ----- --.12 P2p % Port Priority in increments of 16 is required SW2#show spanning vlan 40 SW1(config-if)#spanning vlan 30 port-priority 64 SW1(config-if)#spanning vlan 40 port-priority 64 Interface Role Sts Cost Prio.14 P2p SW2#show spanning vlan 10 Interface SW1#show spanning vlan 40 Interface Role Sts Cost Role Sts Cost Prio. VLANs 30 and 40 are now using the Fa0/11 Altn BLK 19 128. verified by show spanning vlan 10 Interface Role Sts Cost Prio. --------.13 P2p Fa0/12 Desg FWD 19 64. 
----- --.12 P2p SW1#show spanning vlan 30 VLANs 10 and 20 continue to use the trunk over fast 0/12.11 P2p Fa0/12 Root FWD 19 128. ---------.

12 P2p On fast 0/11.11 P2p Fa0/12 Altn BLK 19 128. --------. ---------. ---------. ----- --.Nbr Type ---------------.12 P2p SW1(config-if)#spanning vlan 40 port-priority 160 Whether you choose to lower or raise a port priority to get VLAN load balancing going is Raising the port priority on fast 0/11 has the same effect as reducing it on fast 0/12.12 P2p Prio.Nbr Type ---------------. Could we have raised the port priority on 0/11 C H R I S B R YA N T SW2#show spanning vlan 30 rather than decreasing it on 0/12? Let’s find out! First. --------. verified really up to you when it comes to real-world networking.Nbr Type … while VLANs 10 and 20 continue to use the trunk over fast 0/12. ---------.11 P2p Fa0/12 Root FWD 19 128.12 P2p SW2#show spanning vlan 20 Interface Role Sts Cost Prio.11 P2p SW1(config-if)#no spanning vlan 40 port-priority 64 Fa0/12 Altn BLK 19 128.Nbr Type ---------------. ---------------. Interface Role Sts Cost Prio. VLANs 30 and 40 are using the trunk over fast 0/11… as with all Cisco exams. I’ll remove the two lab commands from fast 0/12 on SW1. ---------. I already know what you’re gonna ask.11 P2p Fa0/12 Root FWD 19 128. ----- --. show spanning vlan 30 and show spanning vlan 40 verify the change back to fast 0/12. Fa0/11 Altn BLK 19 128. --------. --------. it’s great to know more than one way to get something done! 110 111 . ----- --. Interface Role Sts Cost Prio.12 P2p SW2#show spanning vlan 40 SW2#show spanning vlan 10 Interface Role Sts Cost Prio. SW1(config)#int fast 0/12 Fa0/11 Root FWD 19 128. SW2#show spanning vlan 30 Interface Role Sts Cost Fa0/11 Root FWD 19 128. ---------.11 P2p SW1(config-if)#spanning vlan 30 port-priority 160 Fa0/12 Root FWD 19 128.11 P2p Fa0/12 Root FWD 19 128. ----- --. Fa0/11 Altn BLK 19 128. Interface Role Sts Cost Prio. we’ll raise the port priority for VLANs 30 and 40 to 160 (a multiple of 160!). For CCNP SWITCH exam success. SW1(config)#int fast 0/11 Fa0/11 Altn BLK 19 128. ---------. Fa0/11 Altn BLK 19 128. 
----- --. --------.12 P2p SW1(config-if)#no spanning vlan 30 port-priority 64 SW2#show spanning vlan 40 On SW2.Nbr Type ---------------. ----- --. by show spanning vlan on SW2.115 S T U DY G U I D E Now. --------.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 .Nbr Type ---------------.

STP Timers

These timers are so important, you’ll see them twice when you run show spanning vlan! (That’s not the real reason, frankly, but you will see them twice.)

SW1#show spanning vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 000f.90e2.2540
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 000f.90e2.2540
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/11 Desg FWD 19 128.11 P2p
Fa0/12 Desg FWD 19 128.12 P2p

Hello Time defines how often the root bridge originates Config BPDUs. Default setting: 2 seconds.

Maximum Age (Max Age) is how long a switch will retain the superior BPDU’s contents before discarding it. Default setting: 20 seconds.

Forward Delay is the length of the listening and learning port stages, with a default of 15 seconds for each individual stage.

Those are important values to know, but why do we see each one listed twice in that output? The first set of timers is in the Root ID field. It’s this set of timers that is actually used by the root and by all switches that receive a Configuration BPDU that originated with that particular root. The second set of timers is found in the Bridge ID field, and those are the local switch’s settings for the timers. Unless you’re on the root, those timers under Bridge ID do not matter.

Use spanning vlan to change these timers. None of them can be set to zero. IOS shows us the ranges of allowable settings for each command. For the change to take effect throughout the VLAN, always use these commands on your primary and secondary roots.

SW1(config)#spanning vlan 1 ?
forward-time Set the forward delay for the spanning tree
hello-time Set the hello interval for the spanning tree
max-age Set the max age interval for the spanning tree
priority Set the bridge priority for the spanning tree
root Configure switch as root
<cr>
SW1(config)#spanning vlan 1 hello ?
<1-10> number of seconds between generation of config BPDUs
SW1(config)#spanning vlan 1 hello 5
SW1(config)#spanning vlan 1 forward ?
<4-30> number of seconds for the forward delay timer
SW1(config)#spanning vlan 1 forward 16
SW1(config)#spanning vlan 1 max-age ?
<6-40> maximum number of seconds the information in a BPDU is valid
SW1(config)#spanning vlan 1 max-age 25

Verify with show spanning vlan. On the root bridge, we expect the timers in the Root ID and Bridge ID fields to be identical.

SW1#show spanning vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 000f.90e2.2540
This bridge is the root
Hello Time 5 sec Max Age 25 sec Forward Delay 16 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 000f.90e2.2540
Hello Time 5 sec Max Age 25 sec Forward Delay 16 sec
Aging Time 300

What about the downstream, non-root switch though?

SW2#show spanning vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 000f.90e2.2540
Cost 19
Port 13 (FastEthernet0/11)
Hello Time 5 sec Max Age 25 sec Forward Delay 16 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0017.9466.f780
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

As expected, the settings in use are the ones under Root ID!

Root Switch Selection: Be Deterministic

If we leave STP to its own devices, a single switch is going to be the root bridge for every VLAN in our network. The switch with the lowest MAC address will be crowned as the root, and that’s not always best for our network. That might not be so bad, depending on your network topology, but the default root switch selection is left up to chance.

We can choose another particular switch to be the root bridge for all VLANs, or we can spread the workload around a bit and let one switch be the root for some VLANs while another switch is the root for the rest of the VLANs. You can spread the root switch role around as much as you like. If you have 50 VLANs and five switches, you could make each switch the root for 10 VLANs. It’s up to you!

Please note that the cabling has changed, and we’ll be adding a switch and two cables as this lab progresses. I did a write erase and delete vlan.dat on both switches, reloaded, and created VLANs 10, 20, and 30 for our next lab. Before this lab, SW1 is the root for all four VLANs.

We’d like SW2 to be the root for VLANs 20 and 30 while leaving SW1 the root for VLANs 1 and 10. Let’s use spanning vlan root primary to make SW2 the root for VLAN 20.

SW2(config)#spanning vlan 20 root ?
primary Configure this switch as primary root for this spanning tree
secondary Configure switch as secondary root
SW2(config)#spanning vlan 20 root primary

SW2#show spanning vlan 20
VLAN0020
Spanning tree enabled protocol ieee
Root ID Priority 24596
Address 0017.9466.f780
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Done and done! The new root’s priority is 24596. That’s certainly good enough to make it the root, but where exactly did that priority come from? It depends...

Current root priority greater than 24576? Result: priority of new root is 24576 (plus the VLAN ID in this case, since system extension ID is running).

Current root priority less than 24576? Result: subtract 4096 from that root priority and you have the new root priority!

We’ll now make SW2 the root for VLAN 30.

SW2(config)#spanning vlan 30 root primary
SW2#show spanning vlan 30
VLAN0030
Spanning tree enabled protocol ieee
Root ID Priority 24606
Address 0017.9466.f780
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

I’m sure you noticed the secondary option. If you want a certain switch to take over as root bridge if the current root goes down, run spanning vlan root secondary on the desired secondary bridge. That command will adjust the switch’s priority enough to make it the backup root, but not enough to make it the primary root.

Let’s see that in action! SW2 is still the root for VLANs 20 and 30, and we’ve added a third switch to the lab. We’ll concentrate on those two VLANs from here on out.

Here’s the Bridge ID info for both SW1 and SW3, and here’s a pop quiz: Which one of these would take over as the root for VLAN 20 if SW2 went down?

SW1#show spanning vlan 20
Bridge ID Priority 32788 (priority 32768 sys-id-ext 20)
Address 000f.90e2.2540
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

SW3#show spanning vlan 20
Bridge ID Priority 32788 (priority 32768 sys-id-ext 20)
Address 001c.0fbf.2f00
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

They both have the default priority, so it comes down to MAC address, and SW1’s MAC is lower than that of SW3. SW1’s address begins with “000”, and SW3’s begins with “001”, so nothing after that matters. I’ll reload SW2 and we’ll see if SW1 becomes the root in SW2’s absence.

SW2#reload
Proceed with reload? [confirm]
*Mar 1 01:27:11.899: %SYS-5-RELOAD: Reload requested by console.

SW1#show spanning vlan 20
VLAN0020
Spanning tree enabled protocol ieee
Root ID Priority 32788
Address 000f.90e2.2540
This bridge is the root

It does indeed! (show spanning vlan 30 isn’t shown, but we know SW1 is the root for that VLAN as well.) SW2 will become the root for VLAN 20 again once it comes back up…

SW2#show spanning vlan 20
VLAN0020
Spanning tree enabled protocol ieee
Root ID Priority 24596
Address 0017.9466.f780
This bridge is the root

… but we’d like SW3 to take over as the root for VLAN 20 when SW2 is unavailable, while keeping SW1 as the root for VLAN 30 in that circumstance.

SW3(config)#spanning vlan 20 root ?
primary Configure this switch as primary root for this spanning tree
secondary Configure switch as secondary root

Let’s make it happen. Note the change to SW3’s priority.

SW3(config)#spanning vlan 20 root secondary
SW3#show spanning vlan 20
VLAN0020
Spanning tree enabled protocol ieee
Root ID Priority 24596

When SW2 goes offline, SW1 will again take over the root bridge role for VLAN 30, but now SW3 will take that role for VLAN 20.

SW2#reload
Proceed with reload? [confirm]

SW1#show spanning vlan 30
This bridge is the root

SW3#show spanning vlan 20
This bridge is the root

SW2 will again take over as the primary root for both VLANs when it comes back online. SW3 remains the secondary for VLAN 20 and SW1 the secondary for VLAN 30.

If SW1 is the desired secondary root for VLAN 30, you’re fine right now, but what if another switch is added to the network? That new switch might have a lower MAC than that of SW1. In this situation, I would manually configure SW1 as the secondary root for VLAN 30.

Of the two methods to configure primary and secondary roots, I prefer the one we just used. You can change the priority manually with spanning vlan priority, but the switch isn’t going to help you by saying “Hey, the priority you set isn’t low enough for this switch to become the primary / secondary!” There’s one more thing that makes this method a tad complicated:

SW1(config)#spanning vlan 20 priority ?
<0-61440> bridge priority in increments of 4096
SW1(config)#spanning vlan 20 priority 7000
% Bridge Priority must be in increments of 4096.
% Allowed values are:
0 4096 8192 12288 16384 20480 24576 28672
32768 36864 40960 45056 49152 53248 57344 61440

Hey, I tried using a non-4096 multiple!

By the way, we just got a call from the other BPDU type, demanding semi-equal time!

The Topology Change Notification BPDU

TCN BPDUs are generated by a switch when a port goes into forwarding mode or when a port goes from forwarding or learning into blocking mode. The TCN doesn’t say exactly what happened, just that something happened.

Each switch receiving the TCN will send an ACK back, and the TCN continues to be forwarded until it reaches the root.
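The root primary / root secondary rules and the increment checks from the lab above, turned into code. This is an added example, not code from the study guide: the two “root primary” rules are the ones stated in the text, the 4096 and 16 increment checks mirror the IOS error messages shown, and the election mirrors the SW1-versus-SW3 pop quiz. The 28672 value for “root secondary” is IOS behaviour I’m supplying; the page never prints it. The Bridge class and function names are my own.

```python
"""Root-bridge priority math from the lab above.

Added example, not code from the study guide: it models the two "root primary" rules the text
gives, the value IOS uses for "root secondary" (28672, an IOS fact not printed on the page), the
increment checks IOS enforces for bridge and port priority, and how the root is chosen from
(priority, MAC) as in the SW1 vs. SW3 pop quiz.
"""
from dataclasses import dataclass
from typing import Iterable, List

DEFAULT_BRIDGE_PRIORITY = 32768
ROOT_PRIMARY_BASE = 24576        # "root primary" target when the current root is above it
ROOT_SECONDARY_BASE = 28672      # what "root secondary" sets (IOS behaviour, not shown on the page)
DEFAULT_PORT_PRIORITY = 128


def allowed_bridge_priorities() -> List[int]:
    """The 16 values the switch lists when you feed it a non-multiple of 4096."""
    return list(range(0, 61440 + 1, 4096))


def is_valid_bridge_priority(p: int) -> bool:
    """spanning-tree vlan N priority accepts 0-61440 in increments of 4096."""
    return 0 <= p <= 61440 and p % 4096 == 0


def is_valid_port_priority(p: int) -> bool:
    """spanning-tree vlan N port-priority accepts 0-240 in increments of 16."""
    return 0 <= p <= 240 and p % 16 == 0


def root_primary_priority(current_root_priority: int, vlan: int) -> int:
    """Priority field this switch ends up with after `spanning-tree vlan <vlan> root primary`.

    Rule 1: current root above 24576 -> 24576.  Rule 2: otherwise 4096 below the current root.
    Both the argument and the result carry the sys-id-ext (VLAN ID) in the low 12 bits.
    """
    base = current_root_priority - (current_root_priority % 4096)   # strip sys-id-ext
    new_base = ROOT_PRIMARY_BASE if base > ROOT_PRIMARY_BASE else base - 4096
    if not is_valid_bridge_priority(new_base):
        raise ValueError(f"cannot beat a root with priority {base} using root primary")
    return new_base + vlan


def root_secondary_priority(vlan: int) -> int:
    """Priority field after `spanning-tree vlan <vlan> root secondary`."""
    return ROOT_SECONDARY_BASE + vlan


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int      # full 16-bit field, sys-id-ext included, as show spanning-tree prints it
    mac: str           # dotted IOS notation, e.g. 000f.90e2.2540

    def bridge_id(self) -> tuple:
        """Lower wins: priority first, then the MAC compared as a 48-bit number."""
        return (self.priority, int(self.mac.replace(".", ""), 16))


def elect_root(bridges: Iterable[Bridge]) -> Bridge:
    """The bridge every switch in the VLAN will agree on as root."""
    return min(bridges, key=lambda b: b.bridge_id())


if __name__ == "__main__":
    # The pop quiz: both at default priority for VLAN 20, so the lower MAC (SW1) wins.
    sw1 = Bridge("SW1", DEFAULT_BRIDGE_PRIORITY + 20, "000f.90e2.2540")
    sw3 = Bridge("SW3", DEFAULT_BRIDGE_PRIORITY + 20, "001c.0fbf.2f00")
    print("without root secondary:", elect_root([sw1, sw3]).name)
    sw3_secondary = Bridge("SW3", root_secondary_priority(20), sw3.mac)
    print("after root secondary on SW3:", elect_root([sw1, sw3_secondary]).name)
    print("root primary against a 32768 root, VLAN 20:", root_primary_priority(32788, 20))
```

Run it as a script to replay the lab: the first election goes to SW1 on MAC address alone, and only after SW3 drops to 28692 does SW3 win the backup role. Feeding root_primary_priority a root that is already at 24576 (as when a second switch runs root primary for the same VLAN) returns 20480 plus the VLAN ID, which is exactly the leap-frogging behaviour the text warns you to keep track of.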


When the root receives the TCN, the root will acknowledge it in the form of a Configuration BPDU with the Topology Change bit set. That BPDU with the TC bit set tells the receiving switches to change the aging time for their MAC tables from the default of 300 seconds to the duration of the Forward Delay timer, and if the timers haven’t been changed, that’s just 15 seconds! This allows the switch to quickly rid itself of now-invalid MAC address table entries while keeping entries for hosts that are currently sending frames to that switch. The aging time will stay at the new value for (Forward Delay + Max Age), and if the timers haven’t been changed, that’s 35 seconds.

Exception time! Changes to Portfast-enabled ports cannot result in the generation of a TCN BPDU. That makes sense, since the most common use of Portfast is when a single PC is directly connected to a switch port. When a port connected to a host goes into forwarding mode, it doesn’t really affect STP operation, so there’s no need to alert the entire network about it. If you’re fuzzy on Portfast or any other advanced STP features, we’ll take care of that in the very next section!

Chapter 6: STP — ADVANCED FEATURES AND VERSIONS

Putting these features into operation is easy. Knowing where to run them and why is another matter. Let’s jump right in!

Portfast

Portfast allows a port running STP to go directly from blocking to forwarding mode. And I can hear you now… “We spent all that time talking about STP preventing switching loops, and now you want to turn a couple of them off?” Well, yeah, but only in a specific situation. The chances of a switching loop on a single port with a single host connected are very small, so Portfast allows us to cheat just a bit in order to get that host up and running.

The STP learning and listening stages can interfere with your host’s DHCP address acquisition process. If you have a host that has trouble getting an IP address via DHCP, configuring Portfast on that host’s switchport is the way to go.

Enable portfast on a per-port level with spanning-tree portfast. Enabling this feature results in one long warning and an additional message.

SW2(config)#int fast 0/3
SW2(config-if)#spanning-tree ?
bpdufilter Don’t send or receive BPDUs on this interface
bpduguard Don’t accept BPDUs on this interface
cost Change an interface’s spanning tree port path cost
guard Change an interface’s spanning tree guard mode
link-type Specify a link type for spanning tree protocol use
mst Multiple spanning tree
port-priority Change an interface’s spanning tree port priority
portfast Enable an interface to move directly to forwarding on link up
stack-port Enable stack port
vlan VLAN Switch Spanning Tree
SW2(config-if)#spanning-tree portfast ?
disable Disable portfast for this interface
trunk Enable portfast on the interface even in trunk mode
<cr>
SW2(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION
%Portfast has been configured on FastEthernet0/3 but will only have effect when the interface is in a non-trunking mode.

The switch has given us a warning about the proper and improper use of Portfast, and has also let us know that trunking must be disabled in order for Portfast to be enabled. We do have the option of enabling Portfast on a trunk port, and after doing so, we’ll be warned about it again!

SW2(config-if)#spanning-tree portfast trunk
%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION

Enable Portfast globally with spanning portfast default. Using this command enables Portfast on all access ports, and after doing so, a slightly different message appears.

SW2(config)#spanning portfast ?
bpdufilter Enable portfast bpdu filter on this switch
bpduguard Enable portfast bpdu guard on this switch
default Enable portfast by default on all access ports
SW2(config)#spanning portfast default
%Warning: this command enables portfast by default on all interfaces. You should now disable portfast explicitly on switched ports leading to hubs, switches and bridges as they may create temporary bridging loops.

Verify with show spanning interface portfast. As IOS Help is so helpful to let us know, there’s no “show spanning portfast” command.

SW2#show spanning portfast
^
% Invalid input detected at ‘^’ marker.
SW2#show spanning int fast 0/10 portfast
VLAN0001 disabled
VLAN0010 disabled
VLAN0020 disabled
VLAN0030 disabled

UplinkFast

When a port goes through the blocking-to-forwarding transition, we’re looking at a 50-second delay before that port can actually begin forwarding frames. That almost-minute feels like almost-hours at times. Configuring a port with Portfast is one way to avoid part of that delay, but we’re advised over and over by Cisco not to use Portfast unless it’s on a port where a single host device is found. What if the device off that port is another switch?

SW3 has two paths to the root, and assuming all port speeds are the same, the direct physical path will be the path SW3 uses to reach the root. STP blocks one of our six ports in order to prevent switching loops, which is good. If the open path between SW1 and SW3 goes down, there will be approximately a 50-second delay before that blocked port is open, and that’s bad.

Frankly, Uplinkfast is Portfast for wiring closets. With Uplinkfast in use, the ports SW3 could potentially use to reach the root switch are collectively referred to as an uplink group. The uplink group includes ports in blocking and forwarding mode. If the forwarding port in the uplink group senses that the primary link is down, another port in the uplink group will be transitioned immediately (almost) from blocking to forwarding. By “almost immediately”, I mean 1 – 3 seconds, although some Cisco documentation makes it sound like there’s no delay at all.

The original root port on the Uplinkfast-enabled switch will become the root port again when it detects that the original primary path to the root is available once more. This doesn’t take place immediately; the switch will wait (2 x Forward Delay) + 5 seconds before the primary root port enters forwarding state.

Uplinkfast is enabled globally and for all VLANs residing on the switch. It’s all or nothing with this feature – you can’t run it on a per-port or per-VLAN basis. Cisco strongly recommends Uplinkfast not be used on distribution- and core-layer switches, and Uplinkfast does have two immediate actions you should be aware of, and they both occur when Uplinkfast is first enabled.

SW2(config)#spanning uplinkfast ?
max-update-rate Rate at which station address updates are sent
<cr>

The first is setting the switch priority to 49,152. This effectively prevents this switch from becoming the root unless all other switches go down, in which case you have much bigger problems to deal with! The second: the STP port cost is increased by 3000, making it unlikely that this switch will be used to reach the root switch by any downstream switches.

SW2#show spanning vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 000f.90e2.2540
Cost 3019
Port 14 (FastEthernet0/12)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 49153 (priority 49152 sys-id-ext 1)
Address 0017.9466.f780
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Uplinkfast enabled
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/12 Root FWD 3019

UplinkFast works really well, and on occasion it works a little too well. Actually, a little too fast! Let’s revisit the original network and add two hosts. Frames from Host A will currently go through SW2, then SW1, then SW3. When the link between SW3 and SW1 goes down, that path is no longer valid, but the now-invalid entry to send frames to Host B via SW1 will still be in SW2’s table. The cutover to the backup path is so fast that the MAC address tables of other switches in the network may be out of date for a few seconds after the cutover.

To avoid that, SW3 sends “dummy” multicast frames to SW2. The destination address is 0100.0ccd.cdcd, and the source address – well, that’s the rub. We’re going to send these frames for every single MAC address entry in SW3’s table, which might be small or might be very large! That flooding quickly updates SW2’s MAC address table. If SW3’s MAC address table is particularly large, you may want to adjust the maximum update rate, which by default is 150 packets per second. That’s where our single Uplinkfast option comes into play:

SW3(config)#spanning uplinkfast max-update-rate ?
<0-32000> Maximum number of update packets per second

You can disable the sending of those dummy frames by setting this value to zero.
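To see why the size of the MAC table and the max-update-rate matter, here is an added example (not code from the study guide or from Cisco) that builds one dummy frame per learned MAC, paces them at the configured rate, and works out how long the burst takes. The destination address and the 150-packet default are the values from the text; the frame body (an 802.3 length field plus zero padding) is a constructed placeholder, since the page says nothing about the real payload, and all function names are my own.

```python
"""UplinkFast proxy multicast ("dummy") frames after a cutover.

Added example, not code from the study guide. The page documents the destination address
(0100.0ccd.cdcd), that one frame is sent per learned MAC with that MAC as its source, and the
default rate of 150 packets per second. The frame body below (length field plus zero padding)
is a constructed placeholder, not Cisco's real payload.
"""
from typing import List, Tuple

UPLINKFAST_DST = "0100.0ccd.cdcd"   # from the text
DEFAULT_UPDATE_RATE = 150           # packets per second, the IOS default shown in the text
MIN_PAYLOAD = 46                    # minimum Ethernet payload, so the frame is 60 bytes before the FCS


def mac_to_bytes(mac: str) -> bytes:
    """Accept IOS dotted (000f.90e2.2540) or colon notation."""
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def build_proxy_frame(learned_mac: str) -> bytes:
    """Ethernet header with the UplinkFast multicast destination and the learned MAC as source."""
    payload = bytes(MIN_PAYLOAD)                        # constructed placeholder body
    length = len(payload).to_bytes(2, "big")            # IEEE 802.3 length field (assumption)
    return mac_to_bytes(UPLINKFAST_DST) + mac_to_bytes(learned_mac) + length + payload


def proxy_frames(mac_table: List[str]) -> List[bytes]:
    """One frame per entry in the MAC address table, which is what makes a big table expensive."""
    return [build_proxy_frame(m) for m in mac_table]


def flush_time_seconds(entries: int, rate: int = DEFAULT_UPDATE_RATE) -> float:
    """How long the burst takes at `rate` packets/sec; rate 0 means the frames are not sent at all."""
    if rate == 0:
        return 0.0
    return entries / rate


def schedule(mac_table: List[str], rate: int = DEFAULT_UPDATE_RATE) -> List[Tuple[float, bytes]]:
    """(send offset in seconds, frame) pairs paced at the configured max-update-rate."""
    if rate == 0:
        return []
    return [(i / rate, frame) for i, frame in enumerate(proxy_frames(mac_table))]


if __name__ == "__main__":
    # Constructed sample table: two hosts the switch learned on its access ports.
    table = ["0011.2233.4455", "0011.2233.4466"]
    for t, f in schedule(table):
        print(f"t={t:.4f}s dst={f[:6].hex()} src={f[6:12].hex()} len={len(f)}")
    print("10,000 entries at the default rate:", flush_time_seconds(10_000), "seconds")
```

The last line of the script is the practical takeaway: a ten-thousand-entry table at the default 150 packets per second needs well over a minute to finish, which is why a large access switch may want a higher max-update-rate, and why setting it to zero trades that traffic for stale upstream MAC tables.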

Verify your Uplinkfast settings with show spanning uplinkfast.

SW3#show spanning uplinkfast
UplinkFast is enabled
Station update rate set to 150 packets/sec.
UplinkFast statistics
Number of transitions via uplinkFast (all VLANs) : 0
Number of proxy multicast addresses transmitted (all VLANs) : 0

BackboneFast

The Cisco-proprietary feature BackboneFast helps our network recover from indirect link failures. The key word is indirect. If a switch detects an indirect link failure (a failure of a link not directly connected to the switch in question), BackboneFast goes into action. An indirect link failure is detected when an inferior BPDU is received, as we’ll see in the upcoming walkthrough.

Let’s take a look at a three-switch setup where all links are working (currently!), and STP is running as expected. All links are running at the same speed. SW1 has been elected root, and it sends Configuration BPDUs to SW2 and SW3 every two seconds reminding them of that. In turn, SW2 takes the BPDU it’s receiving from SW1 and relays it to SW3. All is well until SW2 loses its connection to SW1, which means SW2 will start announcing itself as the root. SW3 will receive two separate BPDUs from two claimants to the root bridge role.

SW3 compares the priority in each BPDU and sees SW2 has a higher BID, making the BPDU from SW2 an inferior BPDU. As a result, SW3 ignores that BPDU. Once SW3’s MaxAge timer on the port leading to SW2 hits zero, that port will transition to the listening state and start relaying the information contained in the BPDU coming from SW1 – the superior BPDU.

Backbonefast speeds up the overall process by skipping the MaxAge stage. This doesn’t eliminate the delay, but it does cut the overall delay from 50 to 30 seconds (the overall duration of the listening and learning states).

When an indirect link outage is detected, the Root Link Query goes into action in the form of requests and responses. These message types act as a sort of echo and echo reply combo.

The request is sent to ensure connectivity to the root, is sent via a port receiving BPDUs, and is sent by the switch detecting the indirect link outage. The request names the switch believed by the sender to be the root. The recipient forwards that RLQ request out its own root port, and after a short period of time (hopefully), the request comes back with the name of the root that can be reached via that port. If they match, all is well!

There are two circumstances under which the recipient will respond immediately, one good and one bad. The bad one: The recipient has a different root bridge listed. The good one: The recipient IS the root bridge.

All switches in the network have to be able to send, relay, and respond to RLQ requests. Since RLQ is enabled by enabling BackboneFast, you should run this feature on every switch in the network. The easiest part of BackboneFast is enabling it. This command is a true Cisco rarity in that there are no options. Just enable it, and verify with show spanning backbonefast.

SW3(config)#spanning backbonefast ?
<cr>
SW3#show spanning backbonefast
BackboneFast is enabled

Root Guard

The root we’re guarding, of course, is the root switch! SW1 is entrenched as the root – until SW4 arrives!

SW4 will take over as the root due to its lower BID, and depending on your network design and the switches’ capabilities, you might not want that. SW4 could also be a rogue switch! If we go to the trouble of deciding which switch should be the root, we should likely go to a little bit of trouble in protecting that switch’s role. That’s where Root Guard comes in.

Root Guard is configured at the port level, and disqualifies any switch downstream from that port from becoming the primary or secondary root. To prevent SW4 from taking over either of those roles, configure Root Guard on SW3’s port leading to SW4.

When a superior BPDU is received on a port running Root Guard, that BPDU is discarded and the port put into root-inconsistent state. That’s verified by show spanning vlan and show spanning inconsistent-ports as well as this console message I received once SW4 came online and started sending those superior BPDUs to SW3.

%SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/4 on VLAN0001.

SW3#show spanning vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 8193
Address 000f.90e2.2540
Cost 19
Port 14 (FastEthernet0/12)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 001c.0fbf.2f00
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/4 Desg BKN 19 128.6 P2p *ROOT_Inc
Fa0/11 Altn BLK 19 128.13 P2p
Fa0/12 Root FWD 19 128.14 P2p

The interface receiving the superior BPDU isn’t totally shut down by Root Guard. It’s still listening for BPDUs, and once those superior BPDUs stop coming, that port will transition normally through the STP port states and will come out of root-inconsistent state on its own. To illustrate, I’ll set SW4’s priority back to the default.

SW4(config)#no spanning vlan 1 priority 4096

SW4 quickly recognizes SW1 as the root…

SW4#show spanning vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 8193 (SW1 is still the root!)

SW3#show spanning vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 8193
Address 000f.90e2.2540

%SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/4 on VLAN0001.

SW3#show spanning inc
Name Interface Inconsistency
-------------------- ---------------------- ------------------
Number of inconsistent ports (segments) in the system : 0

… and SW3’s 0/4 port is no longer root-inconsistent.

What if we didn’t want any BPDUs coming in on SW3’s 0/4 port, superior or inferior, you ask? Well… Enabling BPDU Guard on SW3’s 0/4 port will block BPDUs coming in from SW4 and shut the BPDU Guard port down. Enabling BPDU Guard on a port will result in that port going into error disabled state (“errdisabled state”) when any BPDU is received. We’ll use the topology from the Root Guard section to illustrate.

Hey, remember that Portfast warning? Of course you do!

SW3(config)#int fast 0/2
SW3(config-if)#spanning portfast
%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION

You would think that might discourage anyone thinking of connecting a switch to a Portfast-enabled port, but someone just might try it, and doing so creates the possibility of a switching loop. BPDU Guard on those ports takes care of that, and it’s a good idea! It’s such a good idea that you can globally enable BPDU Guard on all Portfast-enabled ports via spanning portfast bpduguard default.

SW3(config)#spanning portfast bpduguard ?
default Enable bpdu guard by default on all portfast ports

I’ll open that port after enabling BPDU Guard. Note that the command requires you to specify “enable” or “disable” – “spanning bpduguard” is not a legal command on its own. At the port level, BPDU Guard can be enabled regardless of Portfast:

SW3(config)#int fast 0/4
SW3(config-if)#spanning ?
bpdufilter Don’t send or receive BPDUs on this interface
bpduguard Don’t accept BPDUs on this interface
cost Change an interface’s spanning tree port path cost
guard Change an interface’s spanning tree guard mode
link-type Specify a link type for spanning tree protocol use
mst Multiple spanning tree
port-priority Change an interface’s spanning tree port priority
portfast Enable an interface to move directly to forwarding on link up
stack-port Enable stack port
vlan VLAN Switch Spanning Tree
SW3(config-if)#spanning bpduguard ?
disable Disable BPDU guard for this interface
enable Enable BPDU guard for this interface
SW3(config-if)#spanning bpduguard enable
SW3(config-if)#no shut
%LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to up
%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/4 with BPDU Guard enabled. Disabling port.
%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/4, putting Fa0/4 in err-disable state
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to down
line protocol is down (err-disabled)

The interface came up physically and logically, but the first BPDU that came in resulted in the port being disabled by BPDU Guard. An error-disabled port must be cleared manually. Once those BPDUs stop coming, you’ll need to do a shut/no shut to reset the port.

BPDU Filtering

We have a similar but not identical service at our disposal to stop unwanted BPDUs. BPDU Filtering stops all BPDUs from leaving or being accepted on a Portfast-enabled port. To enable this feature globally on all your Portfast-enabled ports:

SW3(config)#spanning-tree portfast ?
bpdufilter Enable portfast bpdu filter on this switch
bpduguard Enable portfast bpdu guard on this switch
default Enable portfast by default on all access ports
SW3(config)#spanning-tree portfast bpdufilter ?
default Enable bpdu filter by default on all portfast ports
SW3(config)#spanning-tree portfast bpdufilter default

To enable and disable this feature at the port level:

SW3(config-if)#spanning bpdufilter ?
disable Disable BPDU filtering for this interface
enable Enable BPDU filtering for this interface

changed state to down %LINK-3-UPDOWN: Interface FastEthernet0/4. but it’s a good idea! It’s SW3(config-if)#spanning bpduguard ? Disable Disable BPDU guard for this interface such a good idea that you can globally enable BPDU Guard on all Portfast-enabled ports via Enable Enable BPDU guard for this interface spanning portfast bpduguard default. SW3(config-if)#spanning bpduguard enable SW3(config)#spanning portfast bpduguard ? default Enable bpdu guard by default on all portfast ports SW3(config-if)#no shut %LINK-3-UPDOWN: Interface FastEthernet0/4. line protocol is down (err-disabled) An error-disabled port must be cleared manually. Once those BPDUs stop coming. BPDU Filtering We have a similar but not identical service at our disposal to stop unwanted BPDUs. but the first BPDU that came in resulted in Filtering stops all BPDUs from leaving or being accepted on a Portfast-enabled port. regardless of Portfast: SW3(config)#int fast 0/4 need to do a shut/no shut to reset the port. changed state to down The interface came up physically and logically.changedstate to up %SPANTREE-2-BLOCK _ BPDUGUARD: Received BPDU on port Fa0/4 with BPDU Guard enabled. %LINEPROTO-5-UPDOWN:Line protocol on Int FastEthernet0/4. SW3(config-if)#spanning bpdufilter ? Disable Disable BPDU filtering for this interface enable 138 Enable BPDU filtering for this interface 139 . BPDU %PM-4-ERR _ DISABLE: bpduguard error detected on Fa0/4. you’ll Enable bpdu filter by default on all portfast ports SW3(config)#spanning-tree portfast bpdufilter default To enable and disable this feature at the port level. To enable this feature globally on all your Portfast-enabled ports: SW3(config)#spanning-tree portfast ? Bpdufilter Enable portfast bpdu filter on this switch Bpduguard Enable portfast bpdu guard on this switch Default Enable portfast by default on all access ports SW3(config)#spanning-tree portfast bpdufilter ? Default the port being disabled by BPDU Guard. 
SW3#show int fast 0/4 FastEthernet0/4 is down. remember that it’s off by default and is enabled / disabled with spanning-tree bpduguard at the interface level. putting Fa0/4 in errdisable state %LINEPROTO-5-UPDOWN: Line protocol on Int FastEthernet0/4. Disabling port. changed state to up If you’re not using that method of enabling BPDU Guard.115 S T U DY G U I D E C H R I S B R YA N T You’re not required to run BPDU Guard on a Portfast-enabled port.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 .
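The console messages above are also what a syslog collector receives, and a BPDU Guard hit is worth alerting on: it means something that speaks spanning tree was plugged into a port meant for a single host. The following is an added example, not code from the book, that pulls err-disable events out of IOS-style log lines and reports which ports still await the manual shut/no shut described above. The log lines are constructed for the example (the “SW3:” and “SW2:” prefixes are assumptions); the message bodies follow the formats shown on this page.

```python
import re
from typing import Dict, List

# Constructed sample log, modelled on the IOS messages shown in this section.
SAMPLE_LOG = """\
SW3: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to up
SW3: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/4 with BPDU Guard enabled. Disabling port.
SW3: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/4, putting Fa0/4 in errdisable state
SW3: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to down
SW3: %SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/4 on VLAN0001.
SW2: %PM-4-ERR_DISABLE: udld error detected on Gi0/1, putting Gi0/1 in errdisable state
"""

ERR_DISABLE = re.compile(r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<port>\S+),")
BPDU_GUARD = re.compile(r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (?P<port>\S+)")
LINK_UP = re.compile(r"%LINK-3-UPDOWN: Interface (?P<iface>\S+), changed state to up")

# Long-to-short interface names, so a LINK-3-UPDOWN line can be matched to a PM-4 line.
SHORT_NAMES = {"TenGigabitEthernet": "Te", "GigabitEthernet": "Gi", "FastEthernet": "Fa"}


def abbreviate(iface: str) -> str:
    """'FastEthernet0/4' -> 'Fa0/4'; names with no known prefix are returned unchanged."""
    for long, short in SHORT_NAMES.items():
        if iface.startswith(long):
            return short + iface[len(long):]
    return iface


def errdisabled_ports(log_text: str) -> Dict[str, str]:
    """Return {port: cause} for every err-disable event (bpduguard, udld, ...) in the log."""
    found: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = ERR_DISABLE.search(line)
        if m:
            found[m.group("port")] = m.group("cause")
    return found


def bpdu_guard_hits(log_text: str) -> List[str]:
    """Ports on which BPDU Guard saw a BPDU: a switch or bridge was attached to an edge port."""
    hits: List[str] = []
    for line in log_text.splitlines():
        m = BPDU_GUARD.search(line)
        if m:
            hits.append(m.group("port"))
    return hits


def recovery_pending(log_text: str) -> List[str]:
    """Err-disabled ports with no later 'changed state to up', i.e. still waiting for shut/no shut."""
    pending: Dict[str, bool] = {}
    for line in log_text.splitlines():
        m = ERR_DISABLE.search(line)
        if m:
            pending[m.group("port")] = True
            continue
        m = LINK_UP.search(line)
        if m:
            pending.pop(abbreviate(m.group("iface")), None)   # an 'up' after the event clears it
    return sorted(pending)


if __name__ == "__main__":
    print("err-disabled:", errdisabled_ports(SAMPLE_LOG))
    print("BPDU Guard hits:", bpdu_guard_hits(SAMPLE_LOG))
    print("awaiting manual recovery:", recovery_pending(SAMPLE_LOG))
```

The “up” line that precedes the BPDU Guard event in the sample is deliberately not treated as recovery; only an “up” that follows the err-disable clears the port from the pending list, which matches the manual-recovery behaviour the text describes.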

To verify this and several other features we’ve seen (and will see!), run show spanning summary.

SW3#show spanning summary
Switch is in pvst mode
Root bridge for: none
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is enabled
Portfast BPDU Filter Default is enabled
Loopguard Default            is disabled
EtherChannel misconfig guard is enabled
UplinkFast                   is disabled
BackboneFast                 is enabled

You can also verify a port’s individual BPDU Filter settings, along with gathering other important info, with show spanning interface detail.

SW1#show spanning int fast 0/3 detail
 Port 3 (FastEthernet0/3) of VLAN0003 is forwarding
   Port path cost 100, Port priority 128, Port Identifier 128.3
   Designated root has priority 32771, address 000f.90e2.2540
   Designated bridge has priority 32771, address 000f.90e2.2540
   Designated port id is 128.3, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is shared by default
   Bpdu filter is enabled
   BPDU: sent 23, received 0

Loop Guard

With all this talk of blocking BPDUs, we better ensure we get the ones we need!

With our three-switch network back at its defaults, we know SW1 is originating Config BPDUs and sending them to both SW2 and SW3, and the non-root switches are forwarding BPDUs to each other (hence the two-headed arrow). If the direct link between SW2 and SW3 goes unidirectional, we have a problem. What if SW3 can send BPDUs to SW2, but not vice versa? SW3 will wait the duration of the MaxAge timer and then begin to transition the port on that link from blocking to forwarding. When all six ports hit forwarding mode, we have a switching loop.

Loop Guard doesn’t allow that port on SW3 to go from blocking to forwarding. Instead, the port no longer receiving the BPDUs will go from blocking to loop-inconsistent, which acts a lot like blocking mode. A switching loop is prevented, and once the cable is repaired and the BPDUs begin flowing from SW2 to SW3 again, the port will come back up on its own.

To enable Loop Guard globally, run spanning-tree loopguard default.

SW1(config)#spanning-tree loopguard ?
  default  Enable loopguard by default on all ports

SW1(config)#spanning-tree loopguard default

To enable Loop Guard on a per-port basis, run spanning-tree guard loop.

SW1(config)#int fast 0/2
SW1(config-if)#spanning-tree guard ?
  loop  Set guard mode to loop guard on interface
  none  Set guard mode to none
  root  Set guard mode to root guard on interface

SW1(config-if)#spanning-tree guard loop

To disable Loop Guard at the port level, run no spanning-tree guard loop.

SW1(config-if)#no spanning-tree guard loop

Dept. Of Oddities: Loop Guard is enabled globally or on a per-port basis, but it operates on a per-VLAN basis. If a trunk is carrying traffic for VLANs 10, 20, and 30, and BPDUs stop coming in for VLAN 10, the port will go port-inconsistent for VLAN 10 only. The port will continue to operate normally for VLANs 20 and 30.

Detecting Unidirectional Links With UDLD

BPDUs may not arrive at their destination due to a unidirectional link where SW1 can send to SW2, but SW2 can’t send a BPDU back over the same connection. UDLD’s basic operation is simple. A UDLD-enabled port sends a UDLD frame across the link every 15 seconds. If something comes back, we have a bidirectional link and all is well. If nothing comes back, we have a unidirectional link.

The sent UDLD message lets the recipient know which port sent the message, and then the recipient sends it right back with info on the port that received the message.

UDLD can be enabled and disabled on a global and per-port basis. For global enabling and disabling, use udld followed by the mode you want. If you don’t specify aggressive mode, the port defaults to normal mode.

SW1(config)#udld ?
  aggressive  Enable UDLD protocol in aggressive mode on fiber ports except where locally configured
  enable      Enable UDLD protocol on fiber ports except where locally configured
  message     Set UDLD message parameters

When UDLD runs in Normal mode, it gives us a syslog message to let us know about the problem. Run UDLD in aggressive mode, and the results are much more… aggressive! The port will be put into err-disabled state after eight sent UDLD messages result in zero UDLD frames from the remote switch.

We call this mode “aggressive” for two reasons. First, a UDLD message is sent every second once a possible unidirectional link is detected. Second, the port is shut down after eight missed messages, as opposed to Normal mode, which doesn’t shut the port down under any circumstances.

Use the same command at the interface level.

SW2(config-if)#udld ?
  port  Enable UDLD protocol on this interface despite global UDLD setting

SW2(config-if)#udld port ?
  aggressive  Enable UDLD protocol in aggressive mode on this interface despite global UDLD setting
  disable     Disable UDLD protocol on this interface despite global UDLD setting
  <cr>

For UDLD to be effective, it must be enabled on both endpoints. Problem is, if aggressive mode shuts a port down after failing to receive an echo reply to eight consecutive UDLD frames going out once per second, won’t the second port you configure always shut down before you finish the config?

Actually, no. When UDLD’s aggressive mode is configured on the first endpoint, that port will indeed start sending UDLD frames every 15 seconds. The absence of a UDLD echo from the remote endpoint doesn’t trigger the aggressive 8-second countdown to shutting the port down. Before that can happen, the remote switch has to answer back with a UDLD echo, letting the local switch know that the remote switch is indeed running UDLD. Once SW1 has received an echo reply from SW2, the eight-second countdown will begin if SW1 stops getting UDLD replies from SW2.

Rapid Spanning-Tree Protocol

STP is fantastic at what it does – we’d just like it to get done a little faster. The overall 30-second delay built into STP convergence via the listening and learning states was once considered an acceptable delay, and still is in many networks. However, RSTP makes things just a bit more… rapid, and that’s why the Rapid Spanning Tree Protocol (RSTP) was developed! RSTP is defined by IEEE 802.1w, and it’s considered an extension of 802.1d.

The overall concept of the root bridge is still present in RSTP, but the port roles themselves are different. Let’s take a look at the RSTP roles in this network, where SW1 is the root. Note SW3 has multiple connections to the Ethernet segment.

The root port concept stays the same as we move from STP to RSTP. Non-root switches select a root port, that port being the one with the lowest root path cost. Root and designated ports have already been selected. As with our STP example, SW2 and SW3 have both selected their root ports. As with STP, a designated port must be elected on the segment connecting SW2 and SW3, and we’ll assume that to be one of the two ports SW3 has connected to that segment. As you’d expect, the DP will be the port with the lowest root path cost of all the ports on that segment. RSTP-enabled root bridges will not have root ports, but rather designated ports; root ports don’t play a role on the root bridge.

Here come the differences! RSTP has alternate ports rather than blocked ports. SW2’s port on the shared segment is an alternate port (ALT) – but what of the remaining port on SW3? That port becomes the backup port for that segment. This port gives SW3 a redundant path on that segment without guaranteeing that the root switch will still be accessible. The “alternate” refers to the port having an alternate path to the root switch than the actual root port does.

In addition to the familiar root port concept, RSTP brings with it two unique port types, edge ports and point-to-point ports. An edge port is simply a port on the edge of the network, likely connected to a single host, such as an end user’s PC. RSTP edge ports are simply PortFast-enabled ports, so they can go straight from discarding to forwarding. To configure a port as an RSTP edge port, just run the familiar spanning-tree portfast command.

Edge ports play a huge part in RSTP’s determination of when a topology change has taken place, since RSTP considers a topology change to have taken place when a port moves into forwarding mode – unless that port is an edge port. That’s hardly an earth-shattering change to our network, since only a single host will be connected to that particular port, so RSTP doesn’t bother alerting the rest of the network about it. RSTP does not consider that a change in the network. (More on that very soon.) If a BPDU comes in on an RSTP edge port, it’s “demoted” to a regular RSTP port and then generates a TCN BPDU.

A point-to-point port is any port running in full-duplex mode. (Any ports running half-duplex are considered shared ports and must run STP rather than RSTP.)

There are slight and important differences between STP and RSTP port states as well. STP ports disabled, blocking, and listening are combined into the RSTP state discarding, the initial RSTP port state. RSTP ports transition from discarding to learning, where incoming frames are discarded but the MAC addresses are being learned by the switch. Finally, the RSTP port transitions to the forwarding state, the equivalent of STP’s forwarding state. A quick comparison:

STP: disabled > blocking > listening > learning > forwarding
RSTP: discarding > learning > forwarding

Another major difference between STP and RSTP is the way BPDUs are generated. With STP, the root bridge generates and transmits BPDUs every two seconds, and the nonroot bridges read ‘em and relay ‘em. RSTP-enabled switches generate a BPDU every two seconds, regardless of whether they’ve received a BPDU from the root in that period of time. (This hello time interval is the same in both STP and RSTP.)

This slight change in operation from STP to RSTP allows all switches to have a role in detecting link failures, and the discovery of those failures is faster. How? When a switch running STP misses a BPDU, the MaxAge timer kicks in. That timer dictates how long the switch will retain the contents of the last superior BPDU it received before it ages out and the STP recalculation process begins. We know the MaxAge default – 20 seconds! Compare that to the RSTP process, where the superior BPDU is aged out when three Hello Time intervals pass without it being refreshed! Every switch expects to see a BPDU from its neighbor every two seconds, and if three BPDUs are missed, the link is considered down. The switch then immediately ages out all information concerning the port that was receiving the BPDUs. This change cuts the error detection process from 20 seconds in STP to 6 seconds in RSTP.

When a non-edge port moves into forwarding mode, that’s when RSTP does bother letting the rest of the network know! RSTP does so by sending BPDUs out all non-edge designated ports, and naturally the TC bit is set on those BPDUs. Switches that receive those BPDUs will remove all entries from their MAC tables except for the port the BPDU rode in on. At that point, those switches send BPDUs with the TC bit set out their non-edge DPs, and that continues until the entire network’s been notified of the change – a “ripple effect”, if you will.

RSTP Synchronization

The RSTP synch process is a simple series of handshakes between switches, carried out until all switches in the network are – wait for it – synchronized! Let’s walk through the process with this three-switch network.

SW2 realizes SW1 is the root, and would like to agree to the proposal. But not so fast, my friend! First, SW2 has to synch itself, and in order for SW2 to consider itself synched, all ports on SW2 must either be discarding or an edge port. We see a PC off one of SW2’s ports, so that’s an edge port, and as we’d expect, now SW2 must place the port leading to SW3 into discarding mode. SW2 will of course move its root port into forwarding. SW2 will reply to the proposal with an agreement and will send a proposal of its own out any non-edge port that was just placed into discarding state. There’s a lot going on here – and it goes on quickly!

The ripple effect is powerful in RSTP synchronization. SW2 is agreeing with SW1 while almost simultaneously sending a proposal to SW3 (and any other downstream switches it’s connected to). In turn, SW3 goes through the same process we saw SW2 go through – SW3 would accept that proposal from SW2 while sending proposals of its own. This ripple effect fans throughout the entire network until all switches are synched.

In our lab, SW3 is running RSTP after being configured with the spanning-tree mode rapid-pvst command, verified with show spanning vlan.

SW3(config)#spanning mode ?
  mst         Multiple spanning tree mode
  pvst        Per-Vlan spanning tree mode
  rapid-pvst  Per-Vlan rapid spanning tree mode

SW3(config)#spanning mode rapid-pvst ?
  <cr>

SW3(config)#spanning mode rapid-pvst

SW3#show spanning vlan 1
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    4097
             Address     000f.90eb.d480
             Cost        19
             Port        6 (FastEthernet0/4)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     001c.0fbf.2f00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/4               Root FWD 19        128.6    P2p
Fa0/11              Desg FWD 19        128.13   P2p Peer(STP)
Fa0/12              Desg FWD 19        128.14   P2p Peer(STP)

Note the output under “Type”. The link via Fast0/4 is to SW4, a switch running RSTP. This is a full-duplex point-to-point link, and when there’s no additional info after “P2p”, the link is to an RSTP-enabled switch. When you see “Peer (STP)” as we do for the Fast0/11 and Fast0/12 links, you know those connections are to switches running STP.

The Question Haunting Networks Everywhere

Does RSTP play well with STP? Pretty well, actually! If a switch is running RSTP and needs to communicate with switches using both STP and RSTP, it’s the version number in the BPDU that tells the switch how to handle things.

It’s a rare occasion indeed when you need to manually change the link type on an interface, but if you do, just use spanning link-type.

SW3(config-if)#spanning-tree link-type ?
  point-to-point  Consider the interface as point-to-point
  shared          Consider the interface as shared

Per-VLAN Spanning Tree Versions (PVST and PVST+)

The ultimate “the name is the recipe” protocol, the Cisco-proprietary PVST runs a separate instance of STP for each VLAN. While it can be useful in the right environment, it’s not for every network.

The Good: PVST does allow for much better fine-tuning of spanning tree performance than regular ol’ STP does.

The Bad: Running PVST does mean extra work for your CPU and memory. As we know though, everything we do on a Cisco switch has a cost in terms of CPU and/or time.

The Ugly: PVST requires ISL trunking, so Cisco came up with PVST+, which has the same functionality as PVST while having the capability to run over ISL or dot1q trunks. PVST doesn’t play well with Common Spanning Tree (more on that in a moment).

Common Spanning Tree and Multiple Spanning Tree

When our pal IEEE 802.1q (“dot1q”) is the trunking protocol, the trunk is using a common instance of STP for all VLANs – hence the name, “Common Spanning Tree”. With CST’s one STP instance, we can’t perform any per-VLAN load balancing, since that requires multiple instances of STP! With PVST+, we can configure per-VLAN load balancing as we did in an earlier lab. And speaking of CST… With PVST+, if we have 750 VLANs, we have 750 instances of STP running.

MST gives us a great middle ground. Defined by IEEE 802.1s, the purpose of MST is to map multiple VLANs to a lesser number of STP instances, rather than having an instance for every VLAN. MST earns its name from a scheme that allows multiple VLANs to be mapped to a single instance of STP. MST serves as a middle ground between CST (one STP instance) and PVST (one STP instance per VLAN). Let’s say we have traffic for 750 VLANs coming in, and three switches that can handle some or all of that traffic. With CST, one switch ends up handling all the traffic, no matter the size of the network. MST allows us to reduce the number of STP instances without knocking it all the way back to one, so we could spread the workload around a bit.

MST was designed with enterprise networks in mind. MST configs can become quite complex and a great deal of planning is recommended before you even start a config. MST configuration involves logically dividing the switches into regions, where we can map VLANs to instances of STP, and MST BPDUs are used to exchange values between switches. The MST BPDUs contain the MST config name, the config revision number, and a digest value derived from the mapping table (the MST-instance / VLAN-mapping table). The switches in any given region must agree on the MST config name, the MST configuration revision number, and the MST-instance / VLAN-mapping table. Switches that disagree on any of these values are in different regions. More on that in just a minute.

A good way to get a mental picture of MST – CST interoperability is that CST will cover the entire network, and MST is a “subset” of the network. CST is going to maintain a loop-free network only with the links connecting the MST network subsets. CST doesn’t know what’s going on inside the regions, nor does it want to know. MST’s job is to keep a loop-free topology in the MST region itself.

The “IST” in each region stands for Internal Spanning Tree, and it’s the IST instance that is responsible for keeping communications in the MST regions loop-free, and only the IST is going to send MST BPDUs. Up to 16 MST instances (MSTIs) can exist in a region, numbered 0 – 15. MSTI Zero is reserved for the IST instance. On occasion, you’ll see the first ten MST instances referred to as “00” – “09”. Those are decimal values, not hexadecimal values.

Enable MST on the switch with spanning-tree mode mst, and follow by dropping into MST configuration mode and naming the region and revision number.

SW3(config)#spanning-tree mode ?
  mst         Multiple spanning tree mode
  pvst        Per-Vlan spanning tree mode
  rapid-pvst  Per-Vlan rapid spanning tree mode

SW3(config)#spanning-tree mode mst
SW3(config)#spanning-tree mst configuration
SW3(config-mst)#?
  abort         Exit region configuration mode, aborting changes
  exit          Exit region configuration mode, applying changes
  instance      Map vlans to an MST instance
  name          Set configuration name
  no            Negate a command or set its defaults
  private-vlan  Set private-vlan synchronization
  revision      Set configuration revision number
  show          Display region configurations

In MST configuration mode, abort exits the mode while not saving the changes. exit exits the mode and does save your changes.

SW3(config-mst)#name CCNP
SW3(config-mst)#revision ?
  <0-65535>  Configuration revision number

SW3(config-mst)#revision 1
SW3(config-mst)#instance ?
  <0-4094>  MST instance id

SW3(config-mst)#instance 1 ?
  vlan  Range of vlans to add to the instance mapping

SW3(config-mst)#instance 1 vlan ?
  LINE  vlan range ex: 1-65, 72, 300-200

SW3(config-mst)#instance 1 vlan 1-250

Verify with show pending. This is an MST configuration mode command. By default, VLANs not manually assigned to an instance are mapped to Instance Zero.

SW3(config-mst)#show pending
Pending MST configuration
Name      [CCNP]
Revision  1     Instances configured 2
Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         251-4094
1         1-250

Chapter 7: Etherchannels

Time to go from spanning to channeling!

An Etherchannel is a logical bundling of two to eight parallel trunks running between two switches. This bundling of Fast Ethernet, Gig Ethernet, or even 10 Gig Ethernet ports is aggregation, and we love aggregation! We use more of our available bandwidth and we avoid some of that 50-second delay that comes with the MaxAge and Forward Delay timers. What’s not to love? (To avoid aggravation, ports placed inside an EC should be running at the same speed and have the same duplex settings.)

STP considers an Etherchannel to be a single link, regardless of how many physical links actually make up the Etherchannel. If one or more of the physical links in the Etherchannel go down, STP will give the link a higher cost due to the lost bandwidth, but the link is still considered up. That prevents the delay of bringing another link up!

In our lab, there are four FastEthernet trunks between SW2 and SW3. STP allows us to use only one of the trunks.
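Because two switches land in the same MST region only if their name, revision and VLAN-to-instance mapping all match, it is useful to be able to compute the mapping table offline before touching the switches. The following is an added example, not code from the book, that parses the IOS VLAN-range syntax shown in the instance command, fills Instance Zero with every VLAN not mapped elsewhere (as show pending does), and compares two candidate region configurations. The 0 – 15 instance limit comes from the text above; the region dictionaries and their field names are this example’s own assumptions.

```python
from typing import Dict, List

MAX_VLAN = 4094
MAX_INSTANCE = 15  # the text: up to 16 MSTIs per region, numbered 0-15, with 0 reserved for the IST


def parse_vlan_range(text: str) -> List[int]:
    """Parse IOS-style VLAN list syntax such as '1-65, 72, 300-400' into a sorted list of VLAN ids."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                raise ValueError(f"reversed range {part!r}")
        else:
            lo = hi = int(part)
        if not (1 <= lo <= MAX_VLAN and 1 <= hi <= MAX_VLAN):
            raise ValueError(f"VLAN outside 1-{MAX_VLAN}: {part!r}")
        vlans.update(range(lo, hi + 1))
    return sorted(vlans)


def compress(vlans: List[int]) -> str:
    """Render a sorted VLAN list in the compact '1-250' form that show pending prints."""
    parts: List[str] = []
    start = prev = None
    for v in vlans:
        if start is None:
            start = prev = v
        elif v == prev + 1:
            prev = v
        else:
            parts.append(f"{start}-{prev}" if start != prev else str(start))
            start = prev = v
    if start is not None:
        parts.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(parts)


def pending_mapping(instances: Dict[int, str]) -> Dict[int, str]:
    """Build the instance -> VLANs table; unmapped VLANs fall into instance 0 like on the switch.

    A VLAN listed under two instances is reported as an error rather than silently moved,
    which is a choice made for this config-review example, not IOS behaviour.
    """
    owner: Dict[int, int] = {}
    for inst, text in instances.items():
        if not 0 <= inst <= MAX_INSTANCE:
            raise ValueError(f"instance {inst} outside 0-{MAX_INSTANCE}")
        for v in parse_vlan_range(text):
            if v in owner and owner[v] != inst:
                raise ValueError(f"VLAN {v} mapped to both instance {owner[v]} and {inst}")
            owner[v] = inst
    table: Dict[int, List[int]] = {}
    for v in range(1, MAX_VLAN + 1):
        table.setdefault(owner.get(v, 0), []).append(v)
    return {inst: compress(vl) for inst, vl in sorted(table.items())}


def same_region(a: Dict, b: Dict) -> bool:
    """Two region configs (keys: name, revision, instances) agree iff all three MST values match.

    The mapping is compared after normalisation, since the switch digests the table itself,
    not the text typed into the instance command.
    """
    return (a["name"], a["revision"], pending_mapping(a["instances"])) == (
        b["name"], b["revision"], pending_mapping(b["instances"]))


if __name__ == "__main__":
    sw3 = {"name": "CCNP", "revision": 1, "instances": {1: "1-250"}}   # the lab config above
    for inst, vl in pending_mapping(sw3["instances"]).items():
        print(inst, vl)
```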

SW2#show spanning vlan 1
Interface           Role Sts Cost
------------------- ---- --- ---------
Fa0/21              Desg FWD 19
Fa0/22              Desg FWD 19
Fa0/23              Desg FWD 19
Fa0/24              Desg FWD 19

SW3#show spanning vlan 1
Interface           Role Sts Cost
------------------- ---- --- ---------
Fa0/21              Root FWD 19
Fa0/22              Altn BLK 19
Fa0/23              Altn BLK 19
Fa0/24              Altn BLK 19

As it stands, if 0/21 goes down on SW3, 0/22 will begin the transition from blocking to forwarding. In the meantime, communication between the two switches is lost. This temporary lack of a forwarding port can be avoided with an Etherchannel. By combining the physical ports into a single logical link, not only is the bandwidth of the links combined, but the failure of a link inside an Etherchannel will not force STP to start bringing another port from blocking to forwarding.

Let’s put 0/21, 0/22, and 0/23 on both switches into an Etherchannel with the channel-group command. We’ll leave 0/24 alone for now. (The channel group number does not have to match between switches.) I’ll use interface range to make things a little quicker.

SW2(config)#int range fast 0/21 - 23
SW2(config-if-range)#channel-group 1 ?
  mode  Etherchannel Mode of the interface

SW2(config-if-range)#channel-group 1 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected

SW2(config-if-range)#channel-group 1 mode on
%LINK-3-UPDOWN: Interface Port-channel1, changed state to up

SW3(config)#int range fast 0/21 - 23
SW3(config-if-range)#channel-group 5 mode on
%LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel5, changed state to up

The interfaces mentioned in the console messages, port-channel1 and port-channel5, are the logical representations of the Etherchannels on the respective switches. Let’s check out STP on SW3.

SW3#show spanning vlan 1
Interface           Role Sts Cost
------------------- ---- --- ---------
Fa0/24              Altn BLK 19
Po5                 Root FWD 9

Things have changed in the STP costs and ports! The Etherchannel (Po5, short for port-channel 5) is now the connection in use. The path cost for that port is 9, less than half that of a single FastEthernet port! SW2 shows the same path cost result.

SW2#show spanning vlan 1
Interface           Role Sts Cost
------------------- ---- --- ---------
Fa0/24              Desg FWD 19
Po1                 Desg FWD 9

Let’s see what happens when one of the links inside the Etherchannel fails. We’ll shut down 0/21 on SW3 and then verify the changes.

SW3(config)#int fast 0/21
SW3(config-if)#shut

SW3#show spanning vlan 1
Interface           Role Sts Cost
------------------- ---- --- ---------
Fa0/24              Altn BLK 19
Po5                 Root FWD 12

SW2#show spanning vlan 1
Interface           Role Sts Cost
------------------- ---- --- ---------
Fa0/24              Desg FWD 19
Po1                 Desg FWD 12

Thanks to our Etherchannel, a down link in the Etherchannel was detected by STP, and the port’s path cost increased, but the Etherchannel remained in forwarding mode and 0/24 stays blocked! STP didn’t have to go to the trouble of opening 0/24.

Negotiating An Etherchannel

The industry standard EC negotiation protocol is the Link Aggregation Control Protocol (LACP) and the Cisco-proprietary EC negotiation protocol is the Port Aggregation Protocol (PAgP). (Surprise!) We actually saw those in the channel-group command:

SW3(config)#int fast 0/24
SW3(config-if)#channel-group 5 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected

PAgP and LACP use different terminology to express the same modes. With PAgP, a port in desirable mode will initiate bundling with a remote port, while a port in auto mode waits for the port on the other end of the trunk to start the process. If the ports at each endpoint are in auto, you know you’ll be waiting a long time. (Forever.)

I hate typing “PAgP”, but I love how the protocol dynamically changes all of the other ports in an EC when you change a property of one of them statically (speed, duplex, etc.).

Defined in 802.3ad (the IEEE standard, not the year), LACP assigns a priority value to each port with Etherchannel capability, and with good reason. You can assign up to 16 ports to an LACP-negotiated Etherchannel, but only the eight ports with the lowest port priority will actually be part of the EC. The remaining ports will be bundled only if one or more of the already-bundled ports fails.

With LACP, a port in active mode initiates bundling and passive ports are just that! If the ports at each endpoint are passive, an EC will never form.

I’ll put all available trunks into a PAgP Etherchannel, verifying with show pagp neighbor.

SW2(config)#int range fast 0/21 - 24
SW2(config-if-range)#channel-group 1 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected

SW2(config-if-range)#channel-group 1 mode desir

SW3(config)#int range fast 0/21 - 24
SW3(config-if-range)#channel-group 5 mode desir

SW3#show pagp neighbor
Flags:  S - Device is sending Slow hello.  C - Device is in Consistent state.
        A - Device is in Auto mode.        P - Device learns on physical port.

Channel group 5 neighbors
          Partner              Partner          Partner         Partner Group
Port      Name                 Device ID        Port       Age  Flags   Cap.
Fa0/21    SW2                  0017.9466.f780   Fa0/21     14s  SC      10001
Fa0/22    SW2                  0017.9466.f780   Fa0/22      2s  SC      10001
Fa0/23    SW2                  0017.9466.f780   Fa0/23      5s  SC      10001
Fa0/24    SW2                  0017.9466.f780   Fa0/24     11s  SC      10001

We’re not going to get into every field of this output, but I’m sure you can see that having a command that gives you the name, device ID, and port of the partner in the group can be very helpful for verification and/or troubleshooting.

After removing the PAgP EC, I created one with LACP, verified with show lacp neighbor.

SW2(config)#int range fast 0/21 - 24
SW2(config-if-range)#channel-group 1 mode active

SW3(config)#int range fast 0/21 - 24
SW3(config-if-range)#channel-group 5 mode active

SW3#show lacp neighbor
Flags:  S - Device is requesting Slow LACPDUs
        F - Device is requesting Fast LACPDUs
        A - Device is in Active mode       P - Device is in Passive mode

Channel group 5 neighbors

Partner’s information:

9466. but last time I tried… M .bundled in port-channel I . In our lab. more on that later!). Note the flags next to Po5. I’ve also used show etherchannel brief in troubleshooting. minimum links not met u . 5 Po5(SU) SW3#show etherchannel brief Fa0/21(P) Fa0/22(P) Fa0/23(P) Fa0/24(P) % Command accepted but obsolete. ------------. 19s 0x0 0x1 0x119 0x3D 32768 f780 0017.suspended H .waiting to be aggregated d .115 S T U DY G U I D E Port Flags LACP port Dev ID Fa0/21 SA Fa0/22 SA Fa0/23 SA Age Admin Oper Key Port Number Port State R . (We’re dealing with per-flow balancing here.in use f .Layer3 S .9466. not Flags: D – down per-packet or per-frame. -----------.Layer2 0x1 0x118 0x3D U . It’s these values that are used to determine SW3#show etherchannel summary which link will handle which traffic flow.unsuitable for bundling w . and that’s just what we wanted to see. 21s 0x0 0x1 0x11A 0x3D 0x0 0x1 0x11B 0x3D f780 Fa0/24 SA 32768 0017.failed to allocate aggregator Priority 32768 0017. The Group: 5 “U” indicates the channel is in use (good) and the “S” means it’s a Layer 2 EC (hmmm. but that doesn’t mean each link is carrying 25% of the load.9466. “SU”.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 .) That algorithm can use any of the following: P . see documentation. unreleased or unsupported. Channel-group listing: LACP That’s more like it! All four ports are marked with the “P” flag. we have Minimum Links: 0 four parallel links in the EC.9466.not in use. 20s key 0x0 32768 f780 0017.stand-alone s . but matching up the Device ID and port information can be very helpful in troubleshooting.Hot-standby (LACP only) Source IP address Destination IP address 164 165 . meaning they’re part of a port-channel. 23s C H R I S B R YA N T f780 The output is different. and those values are assigned to links in the EC. 
Group state = L2 Ports: 4 Maxports = 16 Port-channels: 1 Max Port-channels = 16 How The Link Is Chosen For A Particular Traffic Flow Protocol: LACP Etherchannels give us load balancing. but not pure load balancing. How about show etherchannel summary? Basically.default port Number of channel-groups in use: 1 Number of aggregators: 1 Group Port-channel Protocol Ports -----. a Cisco-proprietary hash algorithm is run that will deliver a value of 0 – 7.

Both source and destination IP address
Both source and destination MAC address
TCP / UDP port numbers

The switch may use the hash of the last low-order bits to choose the link that will carry the traffic flow, or it may get the exclusive-OR operation (“XOR”) involved. For every method involving only one value, the hash of the bits reveals the port that will handle traffic for that particular flow. The only time the XOR operation is used is when one of the combination load-balancing methods is used – the source and destination IP address, source and destination port number, or the source and destination MAC address. The “XOR” choices balance on source and destination IP or source and destination MAC.

The XOR operation’s name might look scary, but it’s one of the easiest math operations you’ll ever carry out. It’s a bit-by-bit comparison, with only two possible answers:

If the compared bits are the same, the result is 0.
If the compared bits are different, the result is 1.

The number of bits needed for the XOR depends on how many links we have in the EC:

Number of links in EC    # of lowest-order bits to XOR    Possible results
2                        1                                0, 1
4                        2                                0, 1, 2, 3
8                        3                                0, 1, 2, 3, 4, 5, 6, 7

Using our four-link EC, let’s figure out which link traffic sourced from an address ending in .11 (179.47.x.11) and destined for an address ending in .22 (210.x.x.22) would use. We perform the XOR on a bit-by-bit basis, from left to right. If you want to break down the entire address for practice (ahem), that’s a great idea, but with a 4-link EC we only need the last two bits. The last octet of each address, with the two lowest-order bits highlighted:

11 = 00001011
22 = 00010110

With our four-path EC, we need the last two bits of each address for our XOR, so we’ll first XOR the 7th bit of each octet, 1 and 1. That gives us a “0” for the first bit of the XOR result. When we XOR the 8th bit of each octet, “1” and “0”, the return is a “1” for the XOR’s second and final bit. “01” converts to the decimal 1, so the switch will use the port assigned value “01” to send the data.

Let’s walk through another example, using a source IP address ending in .11 (179.47.x.11) and a destination ending in .15 (190.x.x.15).

11 = 00001011
15 = 00001111

Since both bits in the 7th position and both bits in the 8th position match up, we know our XOR return is “00”, resulting in the link assigned value 0 as the winner! (You get the point.)

To change the load-balancing method for your switch, use port-channel load-balance and verify with show etherchannel load-balance. This is a global command – you can’t change the load balancing method on a per-port or per-EC basis.

SW3(config)#port-channel load-balance ?
  dst-ip       Dst IP Addr
  dst-mac      Dst Mac Addr
  src-dst-ip   Src XOR Dst IP Addr
  src-dst-mac  Src XOR Dst Mac Addr
  src-ip       Src IP Addr
  src-mac      Src Mac Addr

SW3#show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
        dst-ip

That’s it!

EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Destination MAC address
  IPv4: Destination IP address
  IPv6: Destination IP address

Remember This?

In the midst of all the loop guarding and MSTing and BackboneFasting we did earlier was a little something about ECs. To prevent the creation of a switching loop due to EC misconfiguration, run spanning etherchannel guard misconfig. As a result, ports will be placed into err-disabled state if a condition exists that might result in a switching loop. Let’s use IOS Help to flesh this out.

SW2(config)#spanning ?
  backbonefast  Enable BackboneFast Feature
  etherchannel  Spanning tree etherchannel specific configuration
  extend        Spanning Tree 802.1t extensions
  logging       Enable Spanning tree logging
  loopguard     Spanning tree loopguard options
  mode          Spanning tree operating mode
  mst           Multiple spanning tree configuration
  pathcost      Spanning tree pathcost options
  portfast      Spanning tree portfast options
  transmit      STP transmit parameters
  uplinkfast    Enable UplinkFast Feature
  vlan          VLAN Switch Spanning Tree

SW2(config)#spanning etherchannel ?
  guard  Configure guard features for etherchannel

SW2(config)#spanning etherchannel guard ?
  misconfig  Enable guard to protect against etherchannel misconfiguration

SW2(config)#spanning etherchannel guard misconfig ?
  <cr>

If you use one of the EC negotiation protocols, you really shouldn’t run into an issue with a misconfigured EC, since the EC won’t be created in the first place if there’s a problem. The channel-group “on” option sidesteps negotiation, and you could run into trouble if one side of your links is set up for an EC and the other isn’t (I speak from experience).

EC Troubleshooting Tips

Ports configured for dynamic VLAN assignment from a VMPS cannot become part of an EC, nor can such a port remain part of an EC if that change occurs after the port is already part of an EC.

The allowed range of VLANs on the ports in the EC must match that of the port-channel. Here’s what happened after I changed the range of allowed VLANs on all ports in SW3’s EC without doing so on the port-channel:

SW3(config-if-range)#switchport trunk allowed vlan 100,20
%EC-5-CANNOT_BUNDLE2: Fa0/22 is not compatible with Po5 and will be suspended (vlan mask is different)
%EC-5-CANNOT_BUNDLE2: Fa0/23 is not compatible with Po5 and will be suspended (vlan mask is different)
%EC-5-CANNOT_BUNDLE2: Fa0/24 is not compatible with Po5 and will be suspended (vlan mask is different)
%EC-5-CANNOT_BUNDLE2: Fa0/23 is not compatible with Po5 and will be suspended (vlan mask is different)

Not good! However, once I went to SW2 and ran the same command, the EC came back up.

SW2(config)#int range fast 0/21 - 24
SW2(config-if-range)#switchport trunk allowed vlan 100,20

SW2#show etherchannel summary
(Flags removed)
Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Fa0/21(P)   Fa0/22(P)   Fa0/23(P)   Fa0/24(P)

Individual ports inside the EC must agree on this value as well. When I changed the allowed VLAN setting for SW2’s 0/21, that port immediately unbundled.

SW2(config)#int fast 0/21
SW2(config-if)#switchport trunk allowed vlan 200,300
SW2(config-if)#^Z
SW2#
*Mar 1 01:18:39.472: %EC-5-CANNOT_BUNDLE2: Fa0/21 is not compatible with Fa0/22 and will be suspended (vlan mask is different)
*Mar 1 01:18:39.472: %EC-5-CANNOT_BUNDLE2: Fa0/21 is not compatible with Fa0/22 and will be suspended (vlan mask is different)

This is really true of any port attribute, including speed, duplex, and native VLAN. If you change one of those and the EC comes down, you know what to do – change it back!

A few more notes that can save you CCNP exam points and troubleshooting time…

A SPAN source port can be part of an Etherchannel, but not a SPAN destination port.

Ports in an EC cannot be configured with port security.

Ports in an EC should have the same native VLAN set.

Know your LACP and PAgP modes! The mode doesn’t have to match, but you do have to have LACP or PAgP modes on each side. You can’t have LACP negotiating one side and PAgP negotiating the other, and never the two shall meet.

If one end of the EC is running in on mode, the other end has to as well, or you’ll never have an EC!

While keeping in mind that EC load-balancing methods do not have to match between switches, be sure to choose the load-balancing method that fits your situation. If you have multiple source IP addresses and one destination IP address, there’s not much use in using destination IP addresses in your load-balancing methods!

With our trunks neatly bundled, it’s time to do a little multilayer switching and work with our First Hop Redundancy Protocols (FHRPs). Let’s get started!
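Here is the link selection from the load-balancing section worked in code, along with the “many sources, one destination” situation from the troubleshooting notes above. This is an added example, not code from the book or from Cisco: Cisco’s actual hash is proprietary, so the functions follow the simplified model the text uses (keep the lowest-order bits of the address or addresses the method names, XOR them for the combination methods). The walkthrough addresses reuse the book’s last octets (.11/.22 and .11/.15); the other octets, and the 10.0.0.x/10.9.9.9 flows, are constructed.

```python
"""Per-flow link selection in an EtherChannel, modelled on the book's
simplified description: keep the lowest-order bits of the address(es) the
load-balancing method names, XOR them when the method combines source and
destination, and the result is the link index.
Added illustration, not Cisco's proprietary hash."""
import ipaddress

# Low-order bits the selection keeps, per number of links in the EC
# (the book's table: 2 links -> 1 bit, 4 links -> 2 bits, 8 links -> 3 bits).
BITS_FOR_LINKS = {2: 1, 4: 2, 8: 3}


def low_bits(value, nbits):
    """Return the nbits lowest-order bits of an integer."""
    return value & ((1 << nbits) - 1)


def select_link(method, src_ip, dst_ip, num_links):
    """Index (0..num_links-1) of the link a flow lands on under `method`.

    Methods follow the port-channel load-balance keywords for IP traffic:
    src-ip and dst-ip use the low bits of that one address, src-dst-ip XORs
    the low bits of both. Only the lowest-order bits matter, which is why
    the book works with the last octet alone.
    """
    nbits = BITS_FOR_LINKS[num_links]
    src = int(ipaddress.IPv4Address(src_ip))
    dst = int(ipaddress.IPv4Address(dst_ip))
    if method == "src-ip":
        return low_bits(src, nbits)
    if method == "dst-ip":
        return low_bits(dst, nbits)
    if method == "src-dst-ip":
        return low_bits(src ^ dst, nbits)
    raise ValueError(f"unsupported load-balancing method: {method}")


def xor_walkthrough(src_ip, dst_ip, num_links):
    """The bit-by-bit XOR the book does by hand, as binary strings:
    (source low bits, destination low bits, XOR result)."""
    nbits = BITS_FOR_LINKS[num_links]
    s = low_bits(int(ipaddress.IPv4Address(src_ip)), nbits)
    d = low_bits(int(ipaddress.IPv4Address(dst_ip)), nbits)
    fmt = f"0{nbits}b"
    return (format(s, fmt), format(d, fmt), format(s ^ d, fmt))


def link_distribution(method, flows, num_links):
    """Count how many of the (src, dst) flows land on each link."""
    counts = [0] * num_links
    for src_ip, dst_ip in flows:
        counts[select_link(method, src_ip, dst_ip, num_links)] += 1
    return counts


if __name__ == "__main__":
    # The book's two walkthroughs; only the last octets come from the book,
    # the other octets are constructed fillers.
    print(xor_walkthrough("179.47.38.11", "210.1.15.22", 4))   # ('11', '10', '01')
    print(xor_walkthrough("179.47.38.11", "190.38.39.15", 4))  # ('11', '11', '00')
    # Constructed flows: three sources, one destination. With dst-ip every
    # flow hashes to the same link; src-dst-ip spreads them out.
    flows = [(f"10.0.0.{i}", "10.9.9.9") for i in (1, 2, 3)]
    print(link_distribution("dst-ip", flows, 4))      # [0, 3, 0, 0]
    print(link_distribution("src-dst-ip", flows, 4))  # [1, 0, 1, 1]
```

The `link_distribution` call is the check to run before picking a method: feed it the source and destination pairs you actually expect on the channel and see whether the chosen keyword leaves links idle.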

Chapter 8: MULTILAYER SWITCHING AND HIGH AVAILABILITY PROTOCOLS

One of the first things you get hit over the head with in your CCNA studies is that a switch runs at Layer 2, a router runs at Layer 3, and never the two shall meet. Let me take this time to “un-hit” you while introducing you to Layer 3 Switches, also known as multilayer switches. Multilayer switches are devices that switch and route packets in the switch hardware itself. If two hosts in separate VLANs are connected to the same multilayer switch, the correct configuration will allow that communication without the data ever leaving the switch.

When it comes to Cisco Catalyst switches, this hardware switching is performed by a router processor (or “L3 engine”). This processor must download routing information to the hardware itself, including info regarding ACLs and QoS. To make this hardware-based packet processing happen, the switch will run the legacy Multilayer Switching (MLS) or the newer Cisco Express Forwarding (CEF).

The CAM And TCAM Tables

The CAM table, also known as the bridging table, the switching table, the MAC address table, is still present in a multilayer switch. The table operates just as an L2 switch’s CAM table does. Thing is, we have a lot more going on with our L3 switches, including routing, ACLs, and QoS. A simple CAM table can’t handle all of this, so we also have the TCAM table – Ternary Content Addressable Memory. Basically, the TCAM table stores everything the CAM table can’t.

From your CCNA studies, you know that the IP source and destination addresses of a packet do not change as the packet travels the network, but the MAC addresses just might and probably will. With multilayer switching, it’s the ASICs that perform this L2 address overwriting. Application-Specific Integrated Circuits (ASICs) will perform the L2 rewriting operation of these packets.

Multilayer Switching Methods

The first MLS method is route caching. Route caching devices have both a routing processor and a switching engine. The routing processor routes a flow’s first packet, the switching engine snoops in on that packet and the destination, and then the switching engine takes over and forwards the rest of the packets in that flow. A flow is a unidirectional stream of

packets from a given source to a given destination. If a source is sending both WWW and TFTP packets to the same destination, we have two flows of traffic, since the MLS cache entries support such unidirectional flows, and such packets sent by a given protocol will be part of a single flow.

Route caching can be effective, but there’s one slight drawback: the first packet in any flow will be switched by software. Even though all other packets in the flow will be hardware-switched, it is more effective to have all of the packets switched by hardware. That’s where CEF comes in.

Primarily designed for backbone switches, this topology-based switching method requires special hardware, so it’s not available on all L3 switches. CEF is highly scalable and is also easier on a switch’s CPU than route caching.

The two major components of CEF are the Forwarding Information Base (FIB) and the Adjacency Table (AT). Summing it up, the FIB contains L3 information and is created via the IP routing table, and the AT contains L2 information and is created via the ARP table. The FIB contains the usual routing information we need – destination networks, masks, next-hop IP addresses, etc. – and CEF will use the FIB to make L3 prefix-based decisions. The FIB is really just the IP routing table in another format. The FIB’s contents will mirror that of the IP routing table.

The FIB takes care of us at L3, but what of L2? That’s where the AT comes in. As adjacent hosts are discovered via ARP, that next-hop L2 information is kept in the table for CEF switching. (A host is considered adjacent to another if they’re just one hop apart.) Should either the TCAM or AT hit capacity, there is a wildcard entry that redirects traffic to the routing engine.

At this point, the multilayer switch is just about ready to forward the packet. The switch will make the same changes to the packet that a router would, and that includes changing the L2 destination MAC address to the next-hop MAC address. The L2 source address will be the MAC address of the switch interface transmitting the packet.

Enabling CEF is EZ. CEF is on by default on any and all CEF-enabled switches, and you can’t turn it off! Since CEF is hardware-based rather than software-based, this is not a situation where running “no cef” at the CLI will disable CEF. There’s no such command! IP routing must be on for CEF to run.

With these important nuts and bolts out of the way, let’s configure an L3 switch, starting with a Switched Virtual Interface!

Inter-VLAN Routing With An SVI

Multilayer switches allow us to create a logical interface, the Switched Virtual Interface (SVI), representing a VLAN. The VLAN 1 interface present by default on all L2 switches is an SVI, and it’s the only default SVI.

interface Vlan1
 no ip address

We can create an SVI for any VLAN, and creating one is just like creating a loopback interface. Just go into config mode, create the interface, give it an IP address, and you’re done.

In this lab, we’ll create SVIs that will allow hosts in different IP subnets and different VLANs to communicate without a separate L3 device. I’ll send pings between the two now, even though we know darn well they can’t have a chat… yet.

R1#ping 30.1.1.1
.....
Success rate is 0 percent (0/5)

R3#ping 20.1.1.1
.....
Success rate is 0 percent (0/5)

Doesn’t look good! Let’s enable IP routing, which is disabled on a multilayer switch by default!

SW3#show ip route
Default gateway is not set

Host               Gateway           Last Use    Total Uses  Interface
ICMP redirect cache is empty

SW3(config)#ip routing

The ports have already been placed into their respective VLANs and the ports are access ports. We’ll now create two SVIs on the switch, one representing VLAN 11 and the other VLAN 33. Both SVIs show as up/up immediately after creation on our multilayer switch.

SW3(config)#int vlan 11
SW3(config-if)#ip address 20.1.1.11 255.255.255.0
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan11, changed state to up
SW3(config-if)#int vlan 33
SW3(config-if)#ip address 30.1.1.11 255.255.255.0
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan33, changed state to up

We’ll verify the status on both with this clipped output from show interface vlan. Note that the hardware is listed as “EtherSVI”.

SW3#show int vlan11
Vlan11 is up, line protocol is up
  Hardware is EtherSVI, address is 001c.0fbf.2f41 (bia 001c.0fbf.2f41)
  Internet address is 20.1.1.11/24

SW3#show int vlan 33
Vlan33 is up, line protocol is up
  Hardware is EtherSVI, address is 001c.0fbf.2f42 (bia 001c.0fbf.2f42)
  Internet address is 30.1.1.11/24

Looks good! Let’s check those routing tables!

SW3#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.1.1.0/24 is directly connected, Vlan11
L        20.1.1.11/32 is directly connected, Vlan11

      30.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        30.1.1.0/24 is directly connected, Vlan33
L        30.1.1.11/32 is directly connected, Vlan33

That looks just a bit more like our routing table! When SVIs are in use, the default gateway on the hosts must be the IP address assigned to the SVI that represents that host’s VLAN. Since we’re using Cisco routers for hosts, we’ll use ip route to set the default gateway, and no routing protocol is required in this case.

HOST1(config)#ip route 0.0.0.0 0.0.0.0 20.1.1.11
HOST3(config)#ip route 0.0.0.0 0.0.0.0 30.1.1.11

Can they ping? Yes, they can!

HOST1#ping 30.1.1.1
Type escape sequence to abort.
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms

HOST3#ping 20.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms

With that default gateway set correctly, the hosts can communicate.

SVI Success Tips:

1. The hosts must have their default gateway set to the IP address on the SVI representing their VLAN. If you don’t get the ping results you expect and your SVIs are up, I can almost guarantee that the hosts have an incorrect default gateway set.

2. One SVI per VLAN and one VLAN per SVI.

3. The only default SVI on the switch is the one for VLAN 1.

4. Have active ports in the VLAN before you create an SVI for that same VLAN. If you create the SVI before doing that, you end up with a sad SVI.

SW3(config)#int vlan 66
SW3(config-if)#ip address 66.1.1.1 255.255.255.0
SW3(config-if)#
*Mar 1 03:14:32.831: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan66, changed state to down

SW3#show int vlan 66
Vlan66 is down, line protocol is down

Routed Ports (Layer 3 Ports)

On L3 switches, we also have the option of configuring a physical port as a routed port. Routed ports do not represent a particular VLAN as an SVI does. You assign an IP address to a routed port in the same way you would an SVI, but routed ports are physical interfaces and SVIs are logical interfaces.

Let’s add a router to our network that leads our hosts to the Internet.

Even though IP routing is enabled, the ports on our multilayer switch are still in L2 mode (that’s the default for many Cisco multilayer switches). Right now, they can’t ping 210.1.1.1, the router’s interface.

HOST1#ping 210.1.1.1
.....
Success rate is 0 percent (0/5)

HOST3#ping 210.1.1.1
.....
Success rate is 0 percent (0/5)

To remedy that, we’ll configure a routed port. To configure a routed port, use no switchport followed by the desired IP address. In the following config, the line protocol on the switch port goes down, but comes back up in a few seconds. That’s the normal and expected behavior.

SW3(config-if)#no switchport
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to up
SW3(config-if)#ip address 210.1.1.11 255.255.255.0

Verify addressing and status with show interface fast 0/5 and verify L3 status with show interface switchport.

SW3#show int fast 0/5
FastEthernet0/5 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 001c.0fbf.2f44 (bia 001c.0fbf.2f44)
  Internet address is 210.1.1.11/24

SW3#show int fast 0/5 switchport
Name: Fa0/5
Switchport: Disabled
(Note: If this is disabled, the port is running at L3.)

The switch can now ping 210.1.1.1, the downstream router. Always a good sign!

SW3#ping 210.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

However, each host can ping 210.1.1.11, the switch’s interface in that subnet, but not 210.1.1.1.

HOST1#ping 210.1.1.11
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
HOST1#ping 210.1.1.1
.....
Success rate is 0 percent (0/5)

HOST3#ping 210.1.1.11
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
HOST3#ping 210.1.1.1
.....
Success rate is 0 percent (0/5)

The pings can’t find their way back to the hosts because the router has no path to either 20.1.1.0 /24 or 30.1.1.0 /24.

R1#show ip route
(code table removed for clarity)
Gateway of last resort is not set

      210.1.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        210.1.1.0/24 is directly connected, FastEthernet0/0
L        210.1.1.1/32 is directly connected, FastEthernet0/0

To remedy that, we’ll configure EIGRP between the multilayer switch and the router. The adjacency comes up very quickly:

SW3(config)#router eigrp 100
SW3(config-router)#no auto
SW3(config-router)#network 210.1.1.0 0.0.0.255
SW3(config-router)#network 20.1.1.0 0.0.0.255
SW3(config-router)#network 30.1.1.0 0.0.0.255
%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 210.1.1.1 (FastEthernet0/5) is up: new adjacency

The router now has the VLAN subnets in its routing table…

R1#show ip route
      20.0.0.0/24 is subnetted, 1 subnets
D        20.1.1.0 [90/28416] via 210.1.1.11, 00:01:07, FastEthernet0/0
      30.0.0.0/24 is subnetted, 1 subnets
D        30.1.1.0 [90/28416] via 210.1.1.11, 00:01:00, FastEthernet0/0
      210.1.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        210.1.1.0/24 is directly connected, FastEthernet0/0
L        210.1.1.1/32 is directly connected, FastEthernet0/0

… and the hosts now have two-way connectivity with R1 at 210.1.1.1.

HOST1#ping 210.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

HOST3#ping 210.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

Routed Port Success Checklist (Short, but important)

1. Be sure to enable IP routing with the global ip routing command. It’s off by default.

2. Be just as sure to enable your routed port’s L3 capabilities with the interface-level no switchport command, and verify with show interface switchport. Need to turn the port’s L2 capabilities back on? Just use switchport and you’re gold!

We’ll wrap this section up with a look at the FIB, now that we have some routes and other info in there! Here’s a segment of the FIB from the multilayer switch in our lab.

SW3#show ip cef
Prefix               Next Hop             Interface
0.0.0.0/0            receive
20.1.1.0/24          attached             Vlan11
20.1.1.0/32          receive              Vlan11
20.1.1.1/32          attached             Vlan11
20.1.1.11/32         receive              Vlan11
20.1.1.255/32        receive              Vlan11

Under “Next Hop”, receive indicates packets that will be handled by the L3 engine. Those include the broadcasts for the 20.1.1.0 /24 segment (“20.1.1.255/32”). The attached entries include directly connected addresses and subnets.

High Availability Schemes And Redundancy Protocols

Before we hit our First Hop Redundancy Protocols (FHRPs), we’re going to take a brief and important look at two redundancy tactics that don’t involve a particular protocol.
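To make the receive/attached distinction in the FIB concrete, here is a small longest-prefix lookup over a FIB shaped like the show ip cef segment above. This is an added example, not IOS code: the Vlan11 rows mirror the book’s output, while the Vlan33 row, the FastEthernet0/5 row and the 192.0.2.0/24 EIGRP-learned prefix via 210.1.1.1 are constructed stand-ins for the rest of the lab; the decision tags (punt, glean, rewrite, drop) are this example’s own labels for the switch behaviour the text describes.

```python
"""Longest-prefix lookup over a CEF-style FIB and the forwarding decision
each kind of entry implies. Added example modelled on the lab's show ip cef
output; the non-Vlan11 rows are constructed."""
import ipaddress
from typing import NamedTuple, Optional


class FibEntry(NamedTuple):
    prefix: ipaddress.IPv4Network
    next_hop: str              # "receive", "attached", or the next-hop IP
    interface: Optional[str]   # outgoing interface, None when not shown


def build_fib(rows):
    """Rows are (prefix, next_hop, interface) tuples, like show ip cef columns."""
    return [FibEntry(ipaddress.ip_network(p), nh, intf) for p, nh, intf in rows]


SAMPLE_FIB = build_fib([
    ("20.1.1.0/24",   "attached",  "Vlan11"),           # book: the VLAN 11 subnet
    ("20.1.1.0/32",   "receive",   "Vlan11"),           # book: subnet address, L3 engine
    ("20.1.1.1/32",   "attached",  "Vlan11"),           # book: HOST1, ARP-learned adjacency
    ("20.1.1.11/32",  "receive",   "Vlan11"),           # book: the SVI's own address
    ("20.1.1.255/32", "receive",   "Vlan11"),           # book: directed broadcast
    ("30.1.1.0/24",   "attached",  "Vlan33"),           # constructed
    ("210.1.1.0/24",  "attached",  "FastEthernet0/5"),  # constructed: the routed port
    ("192.0.2.0/24",  "210.1.1.1", "FastEthernet0/5"),  # constructed: EIGRP-learned via R1
])


def lookup(fib, dst_ip):
    """Return the most specific FIB entry covering dst_ip, or None."""
    addr = ipaddress.IPv4Address(dst_ip)
    best = None
    for entry in fib:
        if addr in entry.prefix and (
            best is None or entry.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = entry
    return best


def forwarding_decision(fib, dst_ip):
    """What the switch does with a packet to dst_ip, as (tag, detail):
    punt    - receive entry: handed to the L3 engine (own address, subnet
              address, directed broadcast)
    glean   - attached subnet but no host entry yet: ARP for the host first
    rewrite - attached host or learned next hop: hardware rewrites the MACs
              and forwards out the interface
    drop    - no matching prefix
    """
    entry = lookup(fib, dst_ip)
    if entry is None:
        return ("drop", None)
    if entry.next_hop == "receive":
        return ("punt", entry.interface)
    if entry.next_hop == "attached":
        if entry.prefix.prefixlen == 32:
            return ("rewrite", entry.interface)
        return ("glean", entry.interface)
    return ("rewrite", f"{entry.next_hop} via {entry.interface}")


if __name__ == "__main__":
    for dst in ("20.1.1.255", "20.1.1.11", "20.1.1.1", "20.1.1.50", "192.0.2.7", "8.8.8.8"):
        print(dst, forwarding_decision(SAMPLE_FIB, dst))
```

Run it and compare the 20.1.1.x results with the book’s explanation of the receive entries: the broadcast and the SVI’s own address are punted, HOST1 is forwarded in hardware, and a host in the subnet that has not been seen yet still needs an adjacency before the rewrite can happen.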

The Virtual Switching System

With VSS, we’re representing a pair of physical switches (the “VSS Pair”) as a single logical switch. One switch is the active switch, the other the standby switch. The active switch handles the workload, with the standby ready to step in if the active switch becomes unavailable. The physical switches in a VSS pair communicate via the virtual switch link (VSL). The VSL is actually an Etherchannel, and we have the ability to create MultiChassis Etherchannels where ports on the physical switches in the VSS can be bundled.

Our redundancy comes in the form of Stateful SwitchOver (SSO) and NonStop Forwarding (NSF). SSO and NSF are enabled by default in a VSS config. With SSO, the backup supervisor is fully booted, fully initialized, and ready to step in as the active router at a moment’s notice – literally! NSF is all about keeping the overall downtime to a minimum by preventing link flapping (“route flapping”) during the cutover. Between SSO and NSF, the speed of the cutover to the new active switch and the continued forwarding of packets during that cutover make the transition as smooth as the proverbial baby’s butt.

Side note: There are other redundancy modes available to us on Cat switches, including Router Processor Redundancy (RPR) and Router Processor Redundancy Plus (RPR+). RPR allows the backup supervisor to boot partially, while RPR+ allows the backup supervisor to boot fully and initialize its routing engine. SSO is faster than RPR+, and RPR+ is faster than RPR.

Now back to our story! How does the standby switch know when it needs to take over as the active switch? The two switches regularly exchange control info over the VSL, and should the backup switch detect via the VSL that the active switch has failed, the standby switch takes it upon itself to become the active switch. All well and good. This sounds great, but what if the VSL itself goes down? How could the standby switch know whether the active switch is still active? Instead, both switches will be active, and we have a dual-active situation. Dual-active is not desirable, but if it was all that great, this would be the default and we wouldn’t have a standby!

For the network to recover, one of these switches needs to take itself out of the picture – but which one? VSS goes into dual-active recovery. It’s the first active switch that drinks the virtual hemlock in the form of putting every single one of its non-VSL interfaces into err-disabled mode. At this point, that switch now becomes the active switch. It’ll stay that way until the VSL is back up. When the previous switch is back online, it will not take over its original role as the active router.

The remaining active switch will forward traffic normally. When the VSL is repaired, the switch with the err-disabled ports will come back online and assume the standby role.

Most Cisco white papers on VSS will mention that VSS eliminates the need for an FHRP. That may be true of production networks, but not of your CCNP Switch and Tshoot exams. Those exams will be covered with FHRP questions, and we’ll hit FHRPs hard right after this word to the (stack)wise!

StackWise

We’re about to stack cables in a wise manner. (Get it?) StackWise lets us physically link up to nine switches to create a switch unit or switch stack. When we’re done connecting our switches with some very special stack interconnect cables, we end up with a fully functioning two-way path. Each path supports up to 16 Gbps in each direction. If one of our cables breaks, we lose 50% of our capacity immediately. That’s quite a cap hit, but thankfully it’s a very temporary hit. There is no single point of failure in a switch stack, but there is a single point of pain, and that’s the aptly named master switch.

The entire stack is given one IP address and one config file, a copy of which is sent to every switch in the stack. One of these switches has to be a “boss switch”, and that’s the master switch. The master switch keeps a master MAC address table, a copy of which is sent to non-masters. That master switch has quite the workload, including downloading forwarding tables, ACL info, and QoS info to the non-masters. The master switch also has to handle ping requests and remote connection requests. The master switch is also responsible for letting non-masters know of additions and removals of switches in the stack. That switch is chosen via a master switch election:

1. The network admin can select a particular switch to be the master.

2. If none are selected in that manner, a preconfigured switch wins over a non-preconfigured switch.

3. If that’s a tie, the switch with the best feature set wins.

4. If that’s somehow a tie, the switch that’s been up the longest wins.

5. If that’s a tie, the switch with the lowest MAC is selected as master.

Our new pal NonStop Forwarding (NSF) is supported in StackWise, which helps keep the packets flowing when there’s the slightest break in service. NSF works with RPR+ to keep things rolling when we’re cutting over from one master to another. RPR+ has those non-master switches fully initialized and ready to step in when needed. The failover takes microseconds.

You and I, the network admins, can not only add and remove switches without interrupting service, but we don’t even have to configure the new switch. StackWise will take care of that for us! StackWise requires every switch in the stack to run the same IOS. When we add a new switch to the stack, the master will ask the newcomer if it’s running the same IOS image as the master. If so, the master sends the config to the new switch and all is well, and the new switch joins the stack. If the new switch does not have the same IOS image, all is not well, but we’ll make it well with this process:

1. The master switch will autoconfig the new arrival with the stack’s IOS image. The master will download the Cisco IOS image from its own Flash to the new switch, then send the config to the new switch.

2. We can configure a TFTP server for that IOS download. With that option, the master switch will grab the IOS image from the TFTP server, send it to the new switch, and then send the config over.

The first two possibilities assume that the new switch’s hardware can handle the necessary IOS image.

3. If not, the master will put the new switch into suspension, let us know about the problem, and then wait for us to do something about it! Namely, the master expects to be supplied with an IOS image that supports the master’s hardware and the new switch’s hardware. Once that happens, the master will then upgrade every switch that was already part of the stack to that IOS, and the entire stack then goes live, along with the new switch. The new switch can then join the stack.

This is enough to get you started with StackWise, and frankly, let’s hope our hardware is compatible! Cisco could probably have a certification based just on VSS and StackWise. There’s a lot more to StackWise. If your network uses it or you want to learn more about it, head to Cisco’s website and grab some PDFs.

Whew! With all that said, we’re moving on to FHRPs!

The Hot Standby Routing Protocol

In this section, I’m going to refer to routers rather than L3 switches, since the HSRP terminology refers to “active routers” and “standby routers”. The theory and commands of HSRP run the same on an L3 switch as on a router. Also, the icon I’m using for multilayer switches is slightly different than the one you saw earlier – there’s no “Si” in the middle. I wanted to make sure you saw both versions.

Defined in RFC 2281, HSRP is a Cisco-proprietary router redundancy protocol in which routers are placed into an HSRP router group. One of the routers in the group is selected as the active router, while others in the group are standby routers. It won’t surprise you to learn that the active router handles the actual workload while the standby routers do just that – stand by! HSRP ensures a high network uptime, since it routes IP traffic without reliance on a single router.

The terms active and standby do not refer to the actual operational status of the routers, just to their status in their HSRP group. Those devices are actually communicating with a pseudorouter, a virtual router created by the HSRP configuration. This virtual router will have a MAC and IP address of its own, and downstream devices send data to those addresses. The actual IP and MAC addresses of the physical routers in the group are unknown to downstream devices.

In our first lab, MLS_1 (int VLAN 100, 172.16.23.1 /24) and MLS_2 (int VLAN 100, 172.16.23.2 /24) are the routers in the HSRP group. The configuration will create a virtual router with the IP address 172.16.23.12 /24, and it’s that address that should be used by all hosts in VLAN 100 as their default gateway.

After verifying the SVI for VLAN 100 on each router, I’ll use IOS Help on MLS_1 to show our HSRP options.

    MLS_1#show int vlan 100
    Vlan100 is up, line protocol is up
      Hardware is EtherSVI, address is 0017.9466.f7c1 (bia 0017.9466.f7c1)
      Internet address is 172.16.23.1/24

    MLS_2#show int vlan 100
    Vlan100 is up, line protocol is up
      Hardware is EtherSVI, address is 001c.0fbf.2f41 (bia 001c.0fbf.2f41)
      Internet address is 172.16.23.2/24

    MLS_1(config)#int vlan 100
    MLS_1(config-if)#standby ?
      <0-255>         group number
      authentication  Authentication
      delay           HSRP initialisation delay
      follow          Name of HSRP group to follow
      ip              Enable HSRP IPv4 and set the virtual IP address
      mac-refresh     Refresh MAC cache on switch by periodically sending packet from virtual mac address
      name            Redundancy name string
      preempt         Overthrow lower priority Active routers
      priority        Priority level
      redirect        Configure sending of ICMP Redirect messages with an HSRP virtual IP address as the gateway IP address
      timers          Hello and hold timers
      track           Priority tracking
      version         HSRP version
      <cr>

We’ll put both SVIs in HSRP group 5 and let ‘em fight it out over the active router role to see what happens.

    MLS_1(config-if)#standby 5 ?
      authentication  Authentication
      follow          Name of HSRP group to follow
      ip              Enable HSRP IPv4 and set the virtual IP address
      name            Redundancy name string
      preempt         Overthrow lower priority Active routers
      priority        Priority level
      timers          Hello and hold timers
      track           Priority tracking

    MLS_1(config-if)#standby 5 ip ?
      A.B.C.D  Virtual IP address
      <cr>

    MLS_1(config-if)#standby 5 ip 172.16.23.1 ?
      secondary  Make this IP address a secondary virtual IP address
      <cr>

    MLS_1(config-if)#standby 5 ip 172.16.23.1
    % address cannot equal interface IP address   (so don’t try it!)

    MLS_1(config-if)#standby 5 ip 172.16.23.12

The ip command is the only required command for HSRP, and with that entered, we’re off!

You can’t assign an IP address from the MLS as the IP address for the virtual router. Let’s finish the config on MLS_2.

    MLS_2(config)#int vlan 100
    MLS_2(config-if)#standby 5 ip 172.16.23.12

Let’s verify our config on MLS_2 with show standby, your #1 friend when it comes to verifying and troubleshooting HSRP.

    MLS_2#show standby
    Vlan100 - Group 5
      State is Active
        2 state changes, last state change 00:01:19
      Virtual IP address is 172.16.23.12
      Active virtual MAC address is 0000.0c07.ac05
        Local virtual MAC address is 0000.0c07.ac05 (v1 default)
      Hello time 3 sec, hold time 10 sec
        Next hello sent in 2.368 secs
      Preemption disabled
      Active router is local
      Standby router is 172.16.23.1, priority 100 (expires in 9.272 sec)
      Priority 100 (default 100)
      Group name is "hsrp-Vl100-5" (default)

There’s a treasure trove of HSRP info here! From the top down, we see…

Interface VLAN100 is in HSRP Group 5
This router is in the Active state, there have been 2 state changes, and the last one was 1 minute and 19 seconds ago
The virtual router’s IP address and MAC address
This router sends HSRP Hellos every 3 seconds
“Preemption” is disabled – more on that very soon!
This is the Active router (“local”)
The standby router is at 172.16.23.1 and that router’s priority is 100
The local HSRP priority is 100, and finally, the HSRP group name is displayed.

Let’s look at the same command’s output on MLS_1.

    MLS_1#show standby
    Vlan100 - Group 5
      State is Standby
        3 state changes, last state change 00:01:45
      Virtual IP address is 172.16.23.12
      Active virtual MAC address is 0000.0c07.ac05
        Local virtual MAC address is 0000.0c07.ac05 (v1 default)
      Hello time 3 sec, hold time 10 sec
        Next hello sent in 1.936 secs
      Preemption disabled
      Active router is 172.16.23.2, priority 100 (expires in 10.920 sec)
      Standby router is local
      Priority 100 (default 100)
      Group name is "hsrp-Vl100-5" (default)

That output verifies everything we saw on MLS_2.

We know how the virtual router got its IP address, we’re the ones who configured it! However, we didn’t enter any info regarding a MAC address. Where the heck did that come from?

Most of that address was predetermined. The MAC address 00-00-0c-07-ac-xx is HSRP’s well-known virtual MAC address, and the “xx” is the HSRP group number in hexadecimal. Had we gone with HSRP group 10, the address would have been 00-00-0c-07-ac-0a. Brush up on your hex before you take the SWITCH exam!

Now that we have the MAC address source down, let’s talk about that election.

The HSRP Active Router Election

The HSRP priority is the first value considered in the election. The priority is 100 by default, as we saw on both routers. Should there be a tie – and there always will be if the routers are left at their defaults – theory holds that the router with the highest IP address wins the election. MLS_2 won the election in our first lab, so the theory holds true. (Real world note: Always, always, always verify your Active router.)

Let’s make MLS_1 the Active router by raising its priority. We’ll go double or nothing…

    MLS_1(config)#int vlan 100
    MLS_1(config-if)#standby 5 priority 200

… and we get nothing! Let’s verify the priority change:

    MLS_1#show standby
    Vlan100 - Group 5
      State is Standby
        1 state change, last state change 00:17:26
      Virtual IP address is 172.16.23.12
      Active virtual MAC address is 0000.0c07.ac05
        Local virtual MAC address is 0000.0c07.ac05 (v1 default)
      Hello time 3 sec, hold time 10 sec
        Next hello sent in 1.376 secs
      Preemption disabled
      Active router is 172.16.23.2, priority 100 (expires in 10.368 sec)
      Standby router is local
      Priority 200 (configured 200)
      Group name is "hsrp-Vl100-5" (default)

Just raising the priority on MLS_1 isn’t enough to get the job done here. Either we have to reload MLS_2 so MLS_1 can take over as Active in its absence, or MLS_1 must have preemption enabled. We’d like to avoid reloads here, after all, so let’s do the latter.

    MLS_1(config)#int vlan 100
    MLS_1(config-if)#standby 5 ?
      authentication  Authentication
      follow          Name of HSRP group to follow
      ip              Enable HSRP IPv4 and set the virtual IP address
      name            Redundancy name string
      preempt         Overthrow lower priority Active routers
      priority        Priority level
      timers          Hello and hold timers
      track           Priority tracking

    MLS_1(config-if)#standby 5 preempt

Just a few seconds after enabling preemption on MLS_1…

    %HSRP-5-STATECHANGE: Vlan100 Grp 5 state Standby -> Active

… MLS_1 takes over as the Active router. This state change and the enabling of preemption are verified by show standby.

    MLS_1#show standby
    Vlan100 - Group 5
      State is Active
        2 state changes, last state change 00:00:51
      Virtual IP address is 172.16.23.12
      Active virtual MAC address is 0000.0c07.ac05
        Local virtual MAC address is 0000.0c07.ac05 (v1 default)
      Hello time 3 sec, hold time 10 sec
        Next hello sent in 0.976 secs
      Preemption enabled
      Active router is local
      Standby router is 172.16.23.2, priority 100 (expires in 10.896 sec)
      Priority 200 (configured 200)
      Group name is "hsrp-Vl100-5" (default)

Had I wanted to delay any takeover by MLS_1, I could have set a delay on the preemption. You can also delay a takeover until after the next reload.

    MLS_1(config-if)#standby 5 preempt ?
      delay  Wait before preempting
      <cr>

    MLS_1(config-if)#standby 5 preempt delay ?
      minimum  Delay at least this long
      reload   Delay after reload
      sync     Wait for IP redundancy clients

    MLS_1(config-if)#standby 5 preempt delay minimum ?
      <0-3600>  Number of seconds for minimum delay

We’ve seen a few of the HSRP states, but for t-shooting and exam prep, let’s see them in order along with a quick description of each.

Disabled: Similar to the disabled STP port state, in that you won’t see this state actually mentioned, but it is the official first HSRP port state. HSRP isn’t actually running at this point.

Initial (INIT): The interface enters this state when HSRP is first enabled.

Listen: The router knows the virtual router’s IP address, but is not the primary or standby router. It’s listening for Hello packets from those routers.

Speak: The router is now sending Hello messages and participating in the election of the primary and standby routers.

Standby: The router is now a candidate to become the active router and continues to send hello packets.

Active: The router is now forwarding packets sent to the group’s virtual IP address.

Load Balancing With HSRP

This redundancy is all well and good, but there’s one thing driving me crazy. (A short drive, I admit.) MLS_2 is doing all the work of handling traffic from 60 hosts, and MLS_1 is just sitting there. We’re going to put MLS_1 to work via HSRP load balancing. Unlike the load balancing techniques we’ve used to this point, this one requires a little help from those 60 hosts.

I’ve reset the priority for both routers in Group 5 to 100, and MLS_2 is again the Active router. As a result, HSRP Group 5 has MLS_2 as the Active router, and that group is using 172.16.23.12 to represent its virtual router.

We’re going to create Group 10 with the same two routers, making sure that MLS_1 is the Active, and that group will use the address 172.16.23.21 for its virtual router.

    MLS_1(config)#int vlan 100
    MLS_1(config-if)#standby 10 ip 172.16.23.21
    MLS_1(config-if)#standby 10 priority 200

    MLS_2(config)#int vlan 100
    MLS_2(config-if)#standby 10 ip 172.16.23.21
    MLS_2(config-if)#standby 10 priority 100    (hardcoding the default)

Verify with show standby. I’ll show only the info related to the election.

    MLS_1#show standby
    Vlan100 - Group 5
      Preemption enabled
      Active router is 172.16.23.2, priority 100 (expires in 10.704 sec)
      Standby router is local
      Priority 100 (default 100)
    Vlan100 - Group 10
      Preemption enabled
      Active router is local
      Standby router is 172.16.23.2, priority 100 (expires in 9.792 sec)
      Priority 200 (configured 200)

    MLS_2#show standby
    Vlan100 - Group 5
      Preemption disabled
      Active router is local
      Standby router is 172.16.23.1, priority 100 (expires in 10.808 sec)
      Priority 100 (default 100)
    Vlan100 - Group 10
      Preemption disabled
      Active router is 172.16.23.1, priority 200 (expires in 8.384 sec)
      Standby router is local
      Priority 100 (default 100)
      Group name is "hsrp-Vl100-10" (default)

MLS_1 is the Active router for Group 10, and MLS_2 is the Active router for Group 5, just as we wanted. To finish the load balancing, half of the hosts would be configured with 172.16.23.12 as their default gateway, and the other half with 172.16.23.21. To test this, I’ve configured a different default gateway on Host 2 and Host 3, and we’ll send pings from each.

    HOST2#ping 172.16.23.12
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

    HOST3#ping 172.16.23.21
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

Both hosts are pinging their default gateways, and the load is now shared!

HSRP Interface Tracking

This great feature enables the HSRP process to monitor a particular interface, and the status of this interface will dynamically change the HSRP priority for a specified router – for better or for worse! When that tracked interface’s line protocol is down, the HSRP priority of the router is decremented. This can lead to another HSRP router in the group becoming the Active router, but that other router must have preemption enabled.

(IP addresses shown for the multilayer switches in the next lab are for their SVI, interface VLAN100.)

In our next lab, MLS_2 has a priority of 105 and is the Active router. MLS_1 is the standby and has the default priority of 100. MLS_2 will handle all the traffic sent to the server behind MLS_2 and MLS_1. That’s all well and good, but there is a single point of failure – and we hate those. If Fast 0/3 on MLS_2 fails, the hosts in VLAN 100 can’t reach the ecommerce server. We can and will configure HSRP to drop MLS_2’s priority if the line protocol of Fast 0/3 on that switch goes down.

HSRP’s default decrement with interface tracking is 10. As a result, the current priority would be fine for our purposes: as long as MLS_1 has preemption enabled, MLS_1 should then take over as the Active.

    MLS_1(config)#int vlan 100
    MLS_1(config-if)#standby 1 ip 172.16.23.12
    MLS_1(config-if)#standby 1 preempt

    MLS_2(config-if)#standby 1 ip 172.16.23.12
    MLS_2(config-if)#standby 1 priority 105

Verify with show standby. I’m showing you only the info relating to the election.

    MLS_2#show standby
    Vlan100 - Group 1
      State is Active
      Preemption disabled
      Active router is local
      Standby router is 172.16.23.1, priority 100 (expires in 8.656 sec)
      Priority 105 (configured 105)

    MLS_1#show standby
    Vlan100 - Group 1
      State is Standby
      Preemption enabled
      Active router is 172.16.23.2, priority 105 (expires in 10.184 sec)
      Standby router is local
      Priority 100 (default 100)

Before configuring HSRP interface tracking, be sure the interface you’re tracking is up!

    MLS_2#show int fast 0/3
    FastEthernet0/3 is up, line protocol is up (connected)

We’ll add tracking to MLS_2’s HSRP config and verify with show standby.

    MLS_2(config)#int vlan 100
    MLS_2(config-if)#standby 1 track fastethernet 0/3

    MLS_2#show standby
    Vlan100 - Group 1
      State is Active
        5 state changes, last state change 00:00:17
      Virtual IP address is 172.16.23.12
      Active virtual MAC address is 0000.0c07.ac01
        Local virtual MAC address is 0000.0c07.ac01 (v1 default)
      Hello time 3 sec, hold time 10 sec
        Next hello sent in 1.920 secs
      Preemption disabled
      Active router is local
      Standby router is 172.16.23.1, priority 100 (expires in 11.464 sec)
      Priority 105 (configured 105)
      Track interface FastEthernet0/3 state Up decrement 10
      Group name is "hsrp-Vl100-1" (default)

The default HSRP interface tracking decrement of 10 is shown to us here. I would not count on your CCNP SWITCH and TSHOOT exams being so kind, so know it by heart.

According to theory, if Fast0/3’s line protocol goes down, MLS_2’s priority should go down to 95. In turn, since MLS_1’s priority is the default of 100 and that router is configured for preemption, MLS_1 should then take over as the Active. Let’s shut Fast 0/3 down and see what happens!

    MLS_2(config)#int fast 0/3
    MLS_2(config-if)#shut
    %TRACKING-5-STATE: 1 interface Fa0/3 line-protocol Up->Down
    %HSRP-5-STATECHANGE: Vlan100 Grp 1 state Active -> Speak
    %LINK-5-CHANGED: Interface FastEthernet0/3, changed state to administratively down
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down
    %HSRP-5-STATECHANGE: Vlan100 Grp 1 state Speak -> Standby

I removed the timestamps for clarity, so let me throw this in – all of that happened in less than 10 seconds. Let’s check show standby for verification.

    MLS_2#show standby
    Vlan100 - Group 1
      State is Standby
        7 state changes, last state change 00:00:10
      Virtual IP address is 172.16.23.12
      Active virtual MAC address is 0000.0c07.ac01
        Local virtual MAC address is 0000.0c07.ac01 (v1 default)
      Hello time 3 sec, hold time 10 sec
        Next hello sent in 0.608 secs
      Preemption disabled
      Active router is 172.16.23.1, priority 100 (expires in 10.000 sec)
      Standby router is local
      Priority 95 (configured 105)
      Track interface FastEthernet0/3 state Down decrement 10
      Group name is "hsrp-Vl100-1" (default)

MLS_2 is indeed the standby as a result of that decrement, but MLS_2 will not become the Active router again unless we enable preemption. Let’s do that and then reopen Fast 0/3.

    MLS_2(config)#int vlan 100
    MLS_2(config-if)#standby 1 preempt
    MLS_2(config-if)#int fast 0/3
    MLS_2(config-if)#no shut
    %TRACKING-5-STATE: 1 interface Fa0/3 line-protocol Down->Up
    %HSRP-5-STATECHANGE: Vlan100 Grp 1 state Standby -> Active
    %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up

    ML S_2#show standby
    Vlan100 - Group 1
      State is Active
        8 state changes, last state change 00:02:58
      Virtual IP address is 172.16.23.12
      Active virtual MAC address is 0000.0c07.ac01
        Local virtual MAC address is 0000.0c07.ac01 (v1 default)
      Hello time 3 sec, hold time 10 sec
        Next hello sent in 1.136 secs
      Preemption enabled
      Active router is local
      Standby router is 172.16.23.1, priority 100 (expires in 10.688 sec)
      Priority 105 (configured 105)
      Track interface FastEthernet0/3 state Up decrement 10
      Group name is "hsrp-Vl100-1" (default)

And that’s that! When Fast 0/3 on MLS_2 is back up, the priority goes back to 105.

On occasion, the default decrement might not be enough for the failover to take place. If MLS_2’s priority is 150 and MLS_1’s priority is 100, the default decrement of 10 wouldn’t be enough for MLS_1 to take over as the Active should Fast 0/3 on MLS_2 go down. You can set a new decrement value at the very end of standby track; note that you never actually enter the word “decrement”. I’ll set MLS_2’s priority to 150 and then set a decrement of 51…

    MLS_2(config)#int vlan 100
    MLS_2(config-if)#standby 1 priority 150
    MLS_2(config-if)#standby 1 track fastethernet 0/3 ?
      <1-255>  Decrement value
      <cr>

    MLS_2(config-if)#standby 1 track fastethernet 0/3 51
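The election rules these labs demonstrate (highest priority wins, highest IP breaks a tie, a better router only takes over with preemption enabled, and a tracked interface going down subtracts the decrement) as a small Python model that replays the HSRP labs above and the VRRP tracking lab later in this section. This is an added example, not code from the study guide or from Cisco IOS; the router names, addresses and priorities are the labs’ own, the model itself is an assumption of how the text describes the behaviour.

```python
"""Election model for the HSRP and VRRP labs in this section: priority,
preemption and the tracked-interface decrement.  Added example, not code from
the study guide or from Cisco IOS; router names, addresses and priorities are
the lab's, the rules are implemented here as the text describes them."""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100        # IOS default for HSRP and VRRP
    preempt: bool = False      # HSRP default; VRRP turns it on by default
    decrement: int = 10        # default tracking decrement
    tracked_up: bool = True    # line protocol of the tracked interface

    def effective_priority(self) -> int:
        # A down tracked interface lowers the priority the router advertises.
        return self.priority - (0 if self.tracked_up else self.decrement)


class Group:
    """One HSRP/VRRP group; `active` holds the virtual IP (HSRP Active, VRRP Master)."""

    def __init__(self, *routers: Router) -> None:
        self.routers = {r.name: r for r in routers}
        self.active = self._best().name   # first election, nobody holds the role yet

    def _best(self) -> Router:
        # Highest effective priority wins; the highest IP address breaks a tie,
        # which is why MLS_2 (.2) beat MLS_1 (.1) with both at the default 100.
        return max(self.routers.values(),
                   key=lambda r: (r.effective_priority(), IPv4Address(r.ip)))

    def _reelect(self) -> str:
        winner = self._best()
        # The incumbent keeps the role unless a better router has preemption
        # enabled; raising a priority on its own changes nothing.
        if winner.name != self.active and winner.preempt:
            self.active = winner.name
        return self.active

    # Each lab event returns the Active/Master router afterwards.
    def set_priority(self, name: str, value: int) -> str:
        self.routers[name].priority = value
        return self._reelect()

    def set_preempt(self, name: str, on: bool = True) -> str:
        self.routers[name].preempt = on
        return self._reelect()

    def set_decrement(self, name: str, value: int) -> str:
        self.routers[name].decrement = value
        return self._reelect()

    def tracked_interface(self, name: str, up: bool) -> str:
        self.routers[name].tracked_up = up
        return self._reelect()


def hsrp_group5() -> list:
    """Tie broken by IP, then priority 200 alone, then priority 200 plus preempt."""
    g = Group(Router("MLS_1", "172.16.23.1"), Router("MLS_2", "172.16.23.2"))
    return [g.active, g.set_priority("MLS_1", 200), g.set_preempt("MLS_1")]


def hsrp_group1_tracking() -> list:
    """105 vs 100 with the default decrement, then 150 with decrement 10 and 51."""
    g = Group(Router("MLS_1", "172.16.23.1", preempt=True),
              Router("MLS_2", "172.16.23.2", priority=105))
    return [g.active,
            g.tracked_interface("MLS_2", up=False),   # 95 < 100, MLS_1 preempts
            g.tracked_interface("MLS_2", up=True),    # 105 again, but no preempt
            g.set_preempt("MLS_2"),                   # MLS_2 reclaims the role
            g.set_priority("MLS_2", 150),
            g.tracked_interface("MLS_2", up=False),   # 140 > 100: default decrement fails
            g.set_decrement("MLS_2", 51)]             # 99 < 100: cutover happens


def vrrp_group1_tracking() -> list:
    """VRRP lab: preemption on by default, 250 vs 200, decrement 10 then 51."""
    g = Group(Router("MLS_1", "172.16.23.1", priority=200, preempt=True),
              Router("MLS_2", "172.16.23.2", priority=250, preempt=True))
    return [g.active,
            g.tracked_interface("MLS_2", up=False),   # 240 > 200, still Master
            g.set_decrement("MLS_2", 51),             # 199 < 200, MLS_1 takes over
            g.tracked_interface("MLS_2", up=True)]    # 250 again, preempts back


if __name__ == "__main__":
    for lab in (hsrp_group5, hsrp_group1_tracking, vrrp_group1_tracking):
        print(f"{lab.__name__}: {' -> '.join(lab())}")
```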

… shut down fast 0/3…

    MLS_2(config-if)#int fast 0/3
    MLS_2(config-if)#shut

… and verify any changes with show standby.

    MLS_2#show standby    (output edited, group name appears at very bottom of output)
    Vlan100 - Group 1
      State is Standby
        13 state changes, last state change 00:00:05
      Virtual IP address is 172.16.23.12
      Active virtual MAC address is 0000.0c07.ac01
        Local virtual MAC address is 0000.0c07.ac01 (v1 default)
      Hello time 3 sec, hold time 10 sec
        Next hello sent in 2.560 secs
      Preemption enabled
      Active router is 172.16.23.1, priority 100 (expires in 7.600 sec)
      Standby router is local
      Priority 99 (configured 150)
      Track interface FastEthernet0/3 state Down decrement 51
      Group name is "hsrp-Vl100-1" (default)

The default decrement would not have been enough to get the cutover done, but setting the decrement to 51 and enabling MLS_1 for preemption (done in the previous lab) got the job done!

Changing This And That In HSRP

I don’t like to call these “miscellaneous” commands, because they are important, but they’re not everyday commands. You can leave most HSRP defaults as they are, but just in case you need to change a few things, here’s how!

To change the HSRP hello and hold timers, use standby timers. You do have to enter a value for each timer, even if there’s one you’re not changing.

    MLS_2(config-if)#standby 1 timers ?
      <1-254>  Hello interval in seconds
      msec     Specify hello interval in milliseconds

    MLS_2(config-if)#standby 1 timers 6 ?
      <7-255>  Hold time in seconds

    MLS_2(config-if)#standby 1 timers 6 15

Want to change the HSRP group name from that ugly default? Use standby name.

    MLS_2(config-if)#standby 1 name CCNP

    MLS_2#show standby
    Vlan100 - Group 1
      ...
      Group name is "CCNP" (cfgd)

Want to set up authentication between your HSRP speakers? Use standby authentication. I’d tell you not to use plain text authentication, but I know you won’t do that. It is an option, though.

    MLS_2(config-if)#standby 1 authentication ?
      WORD  Plain text authentication string (8 chars max)
      md5   Use MD5 authentication
      text  Plain text authentication

    MLS_2(config-if)#standby 1 authentication md5 ?
      key-chain   Set key chain
      key-string  Set key string

Choose “key string” to set a single word as the password.

    MLS_2(config-if)#standby 1 authentication md5 key-string CCNP

    MLS_1(config)#int vlan 100
    MLS_1(config-if)#standby 1 authentication md5 key-string CCNP

Using MD5 authentication means that a hash of the password is sent to other HSRP group neighbors, not that the password is hashed in the config. Check out MLS_2’s config:

    interface Vlan100
     ip address 172.16.23.2 255.255.255.0
     standby 1 ip 172.16.23.12
     standby 1 priority 150
     standby 1 preempt
     standby 1 authentication md5 key-string CCNP
     standby 1 name CCNP
     standby 1 track 1 decrement 51

To disguise that password in the config, use your old friend service password-encryption.

    MLS_2(config)#service password-encryption

The result:

    interface Vlan100
     ip address 172.16.23.2 255.255.255.0
     standby 1 ip 172.16.23.12
     standby 1 priority 150
     standby 1 preempt
     standby 1 authentication md5 key-string 7 0327782536
     standby 1 name CCNP
     standby 1 track 1 decrement 51

VRRP – The Virtual Router Redundancy Protocol

Defined in RFC 2338, VRRP is the open-standard equivalent of the Cisco-proprietary HSRP, and yes, VRRP works very much like HSRP, with one or two important differences (naturally!). They’re so much alike that you pretty much learned VRRP during the last section, where you learned HSRP! Let’s check out those differences, though…

VRRP’s equivalent to HSRP’s Active router is the Master router
VRRP’s equivalent to HSRP’s Standby router is the Backup router
Preemption is enabled by default in VRRP
The MAC address of VRRP routers is 00-00-5e-00-01-xx, where the “xx” is the VRRP group number in hex
VRRP’s advertisements are multicast to 224.0.0.18, where HSRP ads are multicast to 224.0.0.2

Let’s have a look at VRRP in action, using the same two multilayer switches and the same IP addresses as we used in the HSRP section.

    MLS_2(config)#int vlan 100
    MLS_2(config-if)#vrrp ?
      <1-255>  Group number

These options should look familiar…

    MLS_2(config-if)#vrrp 1 ?
      authentication  Authentication string
      description     Group specific description
      ip              Enable Virtual Router Redundancy Protocol (VRRP) for IP
      preempt         Enable preemption of lower priority Master
      priority        Priority of this VRRP group
      timers          Set the VRRP timers
      track           Event Tracking

    MLS_2(config-if)#vrrp 1 ip 172.16.23.12

    MLS_1(config)#int vlan 100
    MLS_1(config-if)#vrrp 1 ip 172.16.23.12

Let’s verify!

    MLS_2#show vrrp
    Vlan100 - Group 1
      State is Master
      Virtual IP address is 172.16.23.12
      Virtual MAC address is 0000.5e00.0101
      Advertisement interval is 1.000 sec
      Preemption enabled
      Priority is 100
      Master Router is 172.16.23.2 (local), priority is 100
      Master Advertisement interval is 1.000 sec
      Master Down interval is 3.609 sec

    MLS_1#show vrrp
    Vlan100 - Group 1
      State is Backup
      Virtual IP address is 172.16.23.12
      Virtual MAC address is 0000.5e00.0101
      Advertisement interval is 1.000 sec
      Preemption enabled
      Priority is 100
      Master Router is 172.16.23.2, priority is 100
      Master Advertisement interval is 1.000 sec
      Master Down interval is 3.609 sec (expires in 3.458 sec)

Correct! With preemption enabled by default, MLS_1 should take over as the Master Router if its priority is raised, correct?

    MLS_1(config)#int vlan 100
    MLS_1(config-if)#vrrp 1 priority 200
    07:53:32: %VRRP-6-STATECHANGE: Vl100 Grp 1 state Backup -> Master

    MLS_1#show vrrp
    Vlan100 - Group 1
      State is Master
      Virtual IP address is 172.16.23.12
      Virtual MAC address is 0000.5e00.0101
      Advertisement interval is 1.000 sec
      Preemption enabled
      Priority is 200
      Master Router is 172.16.23.1 (local), priority is 200
      Master Advertisement interval is 1.000 sec
      Master Down interval is 3.218 sec

While we’re at it, let’s do a little interface tracking after making MLS_2 the Master again.

    MLS_2(config)#int vlan 100
    MLS_2(config-if)#vrrp 1 priority 250
    07:55:53: %VRRP-6-STATECHANGE: Vl100 Grp 1 state Backup -> Master

Here’s where we stand: MLS_2 is the Master router, and we want MLS_1 to take that role should the line protocol on MLS_2’s Fast 0/3 interface go down.

The overall concept of tracking is the same in VRRP as it is in HSRP, but the process is a little bit different. With VRRP, we need to define the interface as an object before moving forward with the actual vrrp track command. (I’ve always remembered this by saying “track, then vrrp track”. Sounds complicated, but it isn’t. Feel free to steal it.)

Check the interface before you start tracking:

    MLS_2#show int fast 0/3
    FastEthernet0/3 is up, line protocol is up (connected)

    MLS_2(config)#int vlan 100
    MLS_2(config-if)#vrrp 1 ?
      authentication  Authentication string
      description     Group specific description
      ip              Enable Virtual Router Redundancy Protocol (VRRP) for IP
      preempt         Enable preemption of lower priority Master
      priority        Priority of this VRRP group
      timers          Set the VRRP timers
      track           Event Tracking

    MLS_2(config-if)#vrrp 1 track ?
      <1-1000>  Tracked object

    MLS_2(config)#track ?
      <1-1000>    Tracked object
      resolution  Tracking resolution parameters
      timer       Polling interval timers

    MLS_2(config)#track 1 ?
      interface  Select an interface to track
      ip         IP protocol
      list       Group objects in a list

    MLS_2(config)#track 1 interface fast 0/3 ?
      ip             IP parameters
      line-protocol  Track interface line-protocol

    MLS_2(config)#track 1 interface fast 0/3 line-protocol ?
      <cr>

    MLS_2(config)#track 1 interface fast 0/3 line-protocol

We’re not limited to using the line protocol as the tracked object, but that’s the easiest and most effective track to use for an interface IMHO. The object number referred to in the track command must be the same one used in the vrrp track command.

    MLS_2(config)#int vlan 100
    MLS_2(config-if)#vrrp 1 track 1 ?

      decrement  Priority decrement
      <cr>

    MLS_2(config-if)#vrrp 1 track 1

Verify the config:

    MLS_2#show vrrp
    Vlan100 - Group 1
      State is Master
      Virtual IP address is 172.16.23.12
      Virtual MAC address is 0000.5e00.0101
      Advertisement interval is 1.000 sec
      Preemption enabled
      Priority is 250
      Track object 1 state Up decrement 10
      Master Router is 172.16.23.2 (local), priority is 250
      Master Advertisement interval is 1.000 sec
      Master Down interval is 3.023 sec

We accepted the VRRP default priority decrement (10). Now we’ll shut down fast 0/3 and see what happens.

    MLS_2(config)#int fast 0/3
    MLS_2(config-if)#shut
    %TRACKING-5-STATE: 1 interface Fa0/3 line-protocol Up->Down
    %LINK-5-CHANGED: Interface FastEthernet0/3, changed state to administratively down
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down

    MLS_2#show vrrp
    Vlan100 - Group 1
      State is Master
      Virtual IP address is 172.16.23.12
      Virtual MAC address is 0000.5e00.0101
      Advertisement interval is 1.000 sec
      Preemption enabled
      Priority is 240 (cfgd 250)
      Track object 1 state Down decrement 10
      Master Router is 172.16.23.2 (local), priority is 240
      Master Advertisement interval is 1.000 sec
      Master Down interval is 3.023 sec

The tracking is working, but since we changed the default priority a couple of times early on, the decrement isn’t large enough to make MLS_1 the Master router. Let’s change that decrement to 51.

    MLS_2(config)#int vlan 100
    MLS_2(config-if)#vrrp 1 track 1 ?
      decrement  Priority decrement
      <cr>

    MLS_2(config-if)#vrrp 1 track 1 decrement 51
    08:14:20: %VRRP-6-STATECHANGE: Vl100 Grp 1 state Master -> Backup

    MLS_2#show vrrp
    Vlan100 - Group 1
      State is Backup
      Virtual IP address is 172.16.23.12
      Virtual MAC address is 0000.5e00.0101
      Advertisement interval is 1.000 sec
      Preemption enabled
      Priority is 199 (cfgd 250)
      Track object 1 state Down decrement 51
      Master Router is 172.16.23.1, priority is 200
      Master Advertisement interval is 1.000 sec
      Master Down interval is 3.023 sec (expires in 2.100 sec)

Ta da! It’s all about the decrement – and in this case, knowing how to create a VRRP tracked object!

Before proceeding, I’ll unblock fast0/3 on MLS_2 and we’ll watch MLS_2 take over as Master.

    MLS_2(config)#int fast 0/3
    MLS_2(config-if)#no shut
    %SYS-5-CONFIG_I: Configured from console by console
    %TRACKING-5-STATE: 1 interface Fa0/3 line-protocol Down->Up
    %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up
    08:34:58: %VRRP-6-STATECHANGE: Vl100 Grp 1 state Backup -> Master

    MLS_2#show vrrp
    Vlan100 - Group 1
      State is Master
      Virtual IP address is 172.16.23.12
      Virtual MAC address is 0000.5e00.0101
      Advertisement interval is 1.000 sec
      Preemption enabled
      Priority is 250
      Track object 1 state Up decrement 51
      Master Router is 172.16.23.2 (local), priority is 250
      Master Advertisement interval is 1.000 sec
      Master Down interval is 3.023 sec

Since VRRP wasn’t exactly developed with load balancing in mind, we’re going to use much the same technique as we did with HSRP. For VRRP load balancing, we need to create another VRRP virtual router, which means creating a separate VRRP group. Half of the hosts will use VR #1 as their default gateway, and the other half will use VR #2.

Let’s create another VRRP group with a new IP address for the virtual router, using vrrp priority to ensure MLS_1 becomes the Master for the new group.

    MLS_2(config)#int vlan 100
    MLS_2(config-if)#vrrp 55 ip 172.16.23.21

    MLS_1(config)#int vlan 100
    MLS_1(config-if)#vrrp 55 ip 172.16.23.21
    %VRRP-6-STATECHANGE: Vl100 Grp 55 state Init -> Backup

    MLS_1(config)#int vlan 100
    MLS_1(config-if)#vrrp 55 priority 200
    %VRRP-6-STATECHANGE: Vl100 Grp 55 state Backup -> Master

MLS_1 went to Backup for our new VRRP group first, but then went to Master after having its priority for VRRP group 55 raised to 200.

    MLS_1#show vrrp
    Vlan100 - Group 1
      State is Backup
      Virtual IP address is 172.16.23.12
    Vlan100 - Group 55
      State is Master
      Virtual IP address is 172.16.23.21

    MLS_2#show vrrp
    Vlan100 - Group 1
      State is Master
      Virtual IP address is 172.16.23.12
    Vlan100 - Group 55
      State is Backup
      Virtual IP address is 172.16.23.21

After verifying that MLS_1 is the Master for VRRP group 55 and MLS_2 is the Master for group 1, we just need to configure half the hosts in VLAN 100 to use 172.16.23.12 as their default gateway, and the other half 172.16.23.21.

The Gateway Load Balancing Protocol (GLBP)

HSRP and VRRP have some great features, but as we’ve seen, load balancing with these protocols is more of a workaround than a native behavior. Let’s finish our look at FHRPs with a protocol that was actually built with load balancing in mind!

The primary purpose of the Gateway Load Balancing Protocol is, well, load balancing! It’s also suitable for use only on Cisco routers and switches, because GLBP is Cisco-proprietary. As with HSRP and VRRP, GLBP routers will be placed into a router group. With GLBP, rather than having a primary router handle the entire load while the standby routers remain idle, GLBP allows every router in the group to handle some of the load in a round-robin manner. This is a major step forward over HSRP and VRRP load balancing, both of which are inexact sciences at best and a pain in the buttocks at worst.

GLBP allows us to configure a single default gateway on all of our hosts. For this reason, the hosts think they’re sending all of their data to a single gateway, but actually multiple gateways are in use at one time. In the following illustration, three hosts send an ARP request for the MAC of the virtual router.

The router with the highest GLBP priority is chosen as the Active Virtual Gateway (AVG), and it’s that router that will respond with ARP responses that contain virtual MAC addresses assigned to the physical routers in the group. If all routers have the same GLBP priority, the router with the highest IP address becomes the AVG. Should the AVG fail, the router serving as the standby AVG will take over. (That’s the router with the next-highest GLBP priority in the group; if that’s a tie, the router with the next-highest IP address takes that role.)

The AVG is also in charge of assigning the virtual MAC addresses, and the virtual MAC follows this format:

    00-07-b4-00-xx-yy

“XX” is the GLBP group number, and “YY” is the AVF number. The routers receiving and forwarding traffic received on these virtual MAC addresses are Active Virtual Forwarders (AVFs). If any of the AVFs fail, another router will handle the load destined for a MAC assigned to the down router. GLBP routers use Hellos multicast to 224.0.0.102 to detect the availability of other GLBP-speaking routers.

In the following illustration, MLS_4 is the AVG in GLBP group 1. It has assigned a virtual MAC address of 00-07-b4-00-01-01 to MLS_1, 00-07-b4-00-01-02 to MLS_2, 00-07-b4-00-01-03 to MLS_3, and 00-07-b4-00-01-04 to itself. The AVG answers incoming ARP requests with ARP responses containing the virtual MAC of one of the routers in the group. Our GLBP deployment in this illustration is using the default GLBP load balancing technique of round-robin, so the first ARP response contains the virtual MAC of MLS_1, the next the virtual MAC of MLS_2, and the third the virtual MAC of MLS_3. The next response, naturally, would contain the virtual MAC of MLS_4.

By default, GLBP will load-balance in a round-robin fashion, where a host that sends an ARP request will receive a response with the next MAC address in line. We can also use weighted assignments, where the higher the assigned weight, the more often a particular router’s virtual MAC will be sent to a requesting host. If a host needs the same MAC gateway address every time it sends an ARP request, host-dependent load balancing is the way to go.

Our lab is going to be a bit different than the previous HSRP and VRRP labs. Since GLBP doesn’t run on all Cisco switch platforms, we’re going to use Cisco routers. I’m going to use the same multilayer switch icon and names as used in the previous FHRP labs for the routers in this lab, putting us at the limit of four AVFs in a GLBP group. This will also illustrate that GLBP runs the same on multilayer switches as on routers. Each physical device is running the IP address shown on its FastEthernet 0/0 interface, and here’s the topology.

272 secs Redirect time 600 sec. along with some IOS Help on the first one: MLS _ 3#show glbp FastEthernet0/0 .23.12 MLS _ 3(config-if)#glbp 1 preempt 222 Great info here! From top to bottom. The beginning configuration.3) local MLS _ 3(config-if)#glbp 1 ip ? 001b.16.474a (172.D Virtual IP address 001f.16.12 MLS _ 2(config-if)#glbp 1 preempt MLS _ 1(config-if)#glbp 1 ip 172. hello and 223 .0990 (172. After the state change info.23.2) A.1) <cr> MLS _ 3(config-if)#glbp 1 ip 172. The first half of the output deals with the Active Virtual Gateway selection. thresholds: lower 1. and the second half with the Active Virtual Forwarders.12 Hello time 3 sec. We’re going to examine the output of this command on the current AVG.888 sec) Priority 100 (default) Weighting 100 (default 100).C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 . forwarder timeout 14400 sec Preemption enabled.16.16.Group 1 MLS _ 3(config)#int fast 0/0 State is Active MLS _ 3(config-if)#glbp 1 ? authentication Authentication method client-cache Client cache forwarder Forwarder configuration ip Enable group and set virtual IP address ipv6 Enable group for IPv6 and set the virtual IPv6 address load-balancing Load balancing method name Redundancy name preempt Overthrow lower priority designated routers priority Priority level timers Adjust GLBP timers weighting Gateway weighting and tracking 1 state change.12 MLS _ 1(config-if)#glbp 1 preempt show glbp is an incredibly important GLBP command. last state change 00:11:40 Virtual IP address is 172.B. starting with the first half.59e2. which means we’re on the AVG.115 S T U DY G U I D E C H R I S B R YA N T MLS _ 2(config-if)#glbp 1 ip 172.23.ca96.23. upper 100 Load balancing: round-robin Group members: 0017. MLS_3.2754 (172.16.23. hold time 10 sec Next hello sent in 2.16.C. we see the interface and group number. followed by the state of Active.2.23. min delay 0 sec Active is local Standby is 172. priority 100 (expires in 9.23.16.16. 
it’s also incredibly verbose.d4c2.23.

This is also from MLS_3. Owner ID is 001f.d4c2.904 sec (maximum 14400 sec) Preemption enabled. Much like beauty pageants.474a “Active” while the other two are in “Listen”.904 sec remaining (maximum 600 sec) Time to live: 14399. weighting 100 (expires in 10. These are not the virtual The local forwarder (Forwarder 3) is shown as “State is Active”.0990 Redirection enabled.115 S T U DY G U I D E hold time. 599. the AVG title MAC address is 0007. also a GLBP default.392 sec remaining (maximum 600 sec) Time to live: 14399.16.b400. we see the Priority and Weighting values are set to 100.392 sec (maximum 14400 sec) Preemption enabled.0102 (learnt) Owner ID is 001b.2 (primary). MLS_2. but after the labs later in this section. and some timers new to us (“redirect” and “forwarder”).23. followed by the actual MAC and IP addresses of the GLBP group members.656 sec) We then see the load balancing method in use is round-robin. ers are shown as “State is Listen”. min delay 30 sec Active is 172.d4c2. the default for each. The virtual MAC address for each router is shown in this output as well.16. 599. last state change 00:28:09 MAC address is 0007. we see that preemption C H R I S B R YA N T Forwarder 3 is enabled.0990 225 .ca96.360 sec (maximum 14400 sec) State is Listen MAC address is 0007. This means that the other two AVFs are listening for Let’s have a look at the second half of the show glbp output. and should those hellos stop coming. Here’s that same info from MLS_2: There are 3 forwarders (1 active) Forwarder 1 Redirection enabled Preemption enabled. These values are often confused.0101 (default) Owner ID is 0017.b400. one of the other AVFs would step in and handle traffic destined for that down AVF’s virtual MAC address.474a Forwarder 2 Time to live: 14399.59e2. There are 3 forwarders (1 active) Forwarder 1 Each physical router in our group is an AVF.3 (primary).C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 . which deals with the AVF status of each member. 
You’ll see an example of this in an upcoming lab.912 sec Forwarder 2 State is Active 1 state change.0101 (learnt) Owner ID is 0017.816 sec) 224 Preemption enabled. Hellos from the local forwarder. Redirection enabled. along with “thresholds”.23. min delay 30 sec Active is local.1 (primary).b400. weighting 100 (expires in 10. weighting 100 State is Listen MAC address is 0007.23. we’re given the IP address and priority of the standby State is Listen AVG. min delay 30 sec Active is 172.b400.59e2. min delay 30 sec Active is 172.2754 Continuing down the output. should MLS_3 be unable to fulfill its duties.0102 (default) Owner ID is 001b. weighting 100 (expires in 10.b400.16. and they’ll each show their forwarder as State is Active 1 state change. you’ll be clear – crystal clear – on the usage of each.0103 (learnt) is given to the runner-up. last state change 00:11:29 MAC address is 0007. and the other two forward- MAC addresses that are sent by the AVG in response to ARP requests. Following “Active is local”.

it’s a great place to get started with t-shooting. weighting 100 (expires in 7.115 S T U DY G U I D E C H R I S B R YA N T Preemption enabled.0990 Time to live: 14398.2754 Time to live: 14397.936 sec) That same command’s output on MLS_1.784 sec (maximum 14400 sec) Preemption enabled.1 1 - 227 .d4c2. weighting 100 Forwarder 3 State is Listen That differing info on your AVFs can throw you at first.23.23.12 local 172. MLS _ 3(config)#int fast 0/0 MLS _ 3(config-if)#shut %GLBP-6-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active %GLBP-6-FWDSTATECHANGE: FastEthernet0/0 Grp 1 Fwd 1 state Listen -> Active MLS _ 2#show glbp brief State is Active 1 state change.b400.0102 172.3 (primary).b400.0101 local - Fa0/0 1 2 - Listen 0007.474a devices with a number under “Fwd” are your AVFs. and while it doesn’t give the details the full command gives. min delay 30 sec Preemption enabled.23.b400.23. and it’s commonplace for a router to Time to live: 14399. min delay 30 sec Active is 172. MLS_2 should take over as the AVG if MLS_3 is unavailable.16.560 sec) Forwarder 3 According to that output. weighting 100 (expires in 10.0103 (default) Owner ID is 001f.16. The Owner ID is 0017.16.16.2 Fa0/0 1 1 - Active 0007.59e2. weighting 100 Active is local. last state change 00:29:10 MAC address is 0007.0103 (learnt) AVF will always be seen as Active and the others will be listening in! Owner ID is 001f. Let’s test that by making MLS_3 unavailable and then running show glbp brief on MLS_2.1 (primary).2754 226 Interface Grp Fwd Pri State Address Active router Standby router Fa0/0 100 Active 172.0102 (learnt) Owner ID is 001b.ca96.112 sec) Forwarder 2 State is Listen MAC address is 0007.16.16.23.b400.0103 172.b400.23.23.ca96. Preemption enabled.16.12 local 172.2 - Fa0/0 1 3 - Listen 0007.2 (primary).1 - State is Listen MAC address is 0007.136 sec (maximum 14400 sec) serve as both an AVG and an AVF.23.b400.440 sec (maximum 14400 sec) Preemption enabled. 
weighting 100 (expires in 10.0101 (learnt) When you see a dash under “Fwd” and “Active” under “State”. min delay 30 sec Active is local. you’re on the AVG. min delay 30 sec Active is 172. showing the local forwarder as Active and other two as listening: There are 3 forwarders (1 active) Forwarder 1 You’ll be happy to know there is a brief option for this command. but just remember that the local MAC address is 0007.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 . min delay 30 sec Active is 172.b400.16.16. MLS _ 3#show glbp brief Interface Grp Fwd Pri State Address Active router Standby router Fa0/0 1 - 100 Active 172.23.

16.23.16.Group 1 State is Active 3 state changes. Let’s clear up any confusion on these right now.0101.0103 172. ness will not last forever.115 S T U DY G U I D E Fa0/0 1 1 - Active 0007. MLS _ 3#show glbp FastEthernet0/0 . and the timeout interval is the second. C H R I S B R YA N T Watch The Timers Two of the GLBP timers are just the same as those found in HSRP.23.23.23.0102 local - Fa0/0 1 3 - Listen 0007. but that kindOnce MLS_3 comes back online.23.0101 local - Use glbp timers redirect to change either timer. and should you set the forwarder timeout too low… MAC address disappear from every GLBP router in the group.b400. when the forwarder timeout timer expires. and that’s verified by show glbp brief.b400.2 - the first timer in this command. 0007.0101 local - Fa0/0 1 2 - Active 0007.12 Hello time 3 sec.2 Fa0/0 1 1 - Active 0007. last state change 00:15:34 Virtual IP address is 172.b400. MLS _ 3(config-if)#glbp 1 timers ? <1-60> 228 Hello interval in seconds 229 . the now-disappeared VRF and its virtual Interface Grp Fwd Pri State Address Active router Standby router Fa0/0 1 - 100 Active 172. We expected MLS_2 to take over as the AVG. they even have the same default.12 local 172.16. In the previous lab. hold time 10 sec Next hello sent in 0.23.16.b400. That’s mighty kind of MLS_2. which had been MLS_3’s virtual MAC address. They both have to Fa0/0 1 3 - Listen 0007. b400.0102.192 secs Redirect time 600 sec. the AVG will no longer use the virtual MAC address in question as a response to ARP replies.16. forwarder timeout 14400 se The hello and hold times operate the same here as they do in HSRP – it’s the redirect and forwarder timeout values we need to examine closely.b400.b400. There are two others that can be a tad confusing at first. and watch your syntax! The redirect timer is Fa0/0 1 2 - Listen 0007.b400.0102 172. and it’s handling traffic sent to that MAC address as well as its own assigned address.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 .b400. 
What you might not have expected is that MLS_2 is now the Active router for the MAC address previously handled by MLS_3 (0007.16. When the redirect time expires. MLS_2 began accepting frames with the destination 0007.0103 172.0101). MLS _ 3#show glbp brief Then.1 - Take careful note of both GLBP console messages. it reclaims the role of AVG and begins acting as an AVF for its original virtual MAC address.1 - be set even if you’re just changing one.

16.23. but I did go back to the defaults after seeing that message.23.0103 local - Now. you’ve heard Barbara Corcoran say “I’m going to give you a minute to rethink that.2 - Fa0/0 1 3 - Active 0007.3 MLS_2 has taken over as the AVG.0102 172.1 - 172.b400. After changing the priority on MLS_1 to 125.0103 172. you’ll wonder what the fuss was.0101 172.23.16. MLS _ 1(config)#int fast 0/0 MLS _ 1(config-if)#glbp 1 priority 125 MLS _ 1#show glbp brief Interface Grp Fwd Pri State Address Active router Standby router Fa0/0 1 - 125 Standby 172. Using Weights And Tracking Slight warning: This is one of those things that sounds complicated when you hear or read MLS _ 2(config)#int fast 0/0 about it.0102 local - Fa0/0 1 3 - Listen 0007.16.16. but when you see it in action.23.b400.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 . show glbp brief verifies that MLS_1 is indeed the standby AVG while MLS_2 remains the AVG.16.12 local Fa0/0 1 1 - Listen 0007.16.0101 172.16. MLS_3 was selected MLS_3 (100) and less than that of MLS_2 (150).3 - Fa0/0 1 2 - Listen 0007. about those weights… because of its higher IP address – but perhaps we want MLS_2 to be the AVG instead. In these labs.b400. if you’ve ever watched Shark Tank. Change these timers with care! MLS _ 3(config)#int fast 0/0 MLS _ 3(config-if)#no glbp 1 timers redirect 1800 3600 Selecting The AVG And Backup AVG Selecting another router to serve as the AVG is no problem. The timer change does take effect.16.23. Hang in there dur- MLS _ 2(config-if)#glbp 1 priority 150 ing this quick explanation and then you’ll see it all in action.2 local Fa0/0 1 1 - Listen 0007.3 - Fa0/0 1 2 - Active 0007. all we need to do is raise the GLBP priority on MLS_2. Since we enabled preemption on all three routers at the beginning of the lab.b400. 
assign it a priority higher than that of MLS _ 3(config-if)#glbp 1 timers redirect 1800 3600 % Forwarder timeout is less than the default ARP cache timeout (4 hours) … well.” That’s pretty much what the router is telling us here. 230 231 .b400.115 S T U DY G U I D E msec Specify hello interval in milliseconds C H R I S B R YA N T 01:24:57: %GLBP-6-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active redirect Specify timeout values for failed forwarders MLS _ 2#show glbp brief MLS _ 3(config-if)#glbp 1 timers redirect ? <0-3600> Interval in seconds to redirect to failed forwarders MLS _ 3(config-if)#glbp 1 timers redirect 1800 ? <2400-64800> Timeout interval in seconds for failed forwarders MLS _ 3(config-if)#glbp 1 timers redirect 1800 3600 ? <cr> Interface Grp Fwd Pri State Address Active router Standby router Fa0/0 1 - 150 Active 172. and MLS_3 is the standby AVG since it has a higher IP address than MLS_1. To make MLS_1 the standby AVG.23.23.23.b400.12 172.

and those thresholds to determine whether the group.23.16.2 - Fa0/0 1 3 - Listen 0007.1 - The default weight of a GLBP-enabled router is 100. In this lab. what do we do? CHECK THAT INTERFACE! MLS _ 3#show int fast 0/1 FastEthernet0/1 is up.23. min delay 0 sec Active is local Standby is 172.16.2. hold time 10 sec Next hello sent in 0. forwarder timeout 14400 sec Preemption enabled.16. the local router is eligible to be an AVF. thresholds: lower 1.12 local 172.b400.16. lower and upper: Before configuring interface tracking. which is a globally configured command rather than an interface-level command.115 S T U DY G U I D E C H R I S B R YA N T Before proceeding with this lab.23.b400. MLS _ 3(config)#int fast 0/0 MLS _ 3(config-if)#glbp 1 priority 160 MLS _ 3#show glbp brief Interface Grp Fwd Pri State Address Active router Standby router Fa0/0 1 - 160 Active 172.16.23. we’ll configure MLS_3 to disqualify itself as an AVF if the line protocol on fast 0/1 goes down. MLS _ 3#show glbp FastEthernet0/0 . and this is the value that determines whether a router can be a VRF.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 .16. last state change 00:00:52 Virtual IP address is 172.0102 172. upper 100 Load balancing: round-robin 232 <1-500> Tracked object resolution Tracking resolution parameters timer Polling interval timers MLS _ 3(config)#track 1 ? application Application interface Select an interface to track ip IP protocol list Group objects in a list stub-object Stub tracking object <cr> 233 .12 Hello time 3 sec.23.000 sec) Priority 160 (configured) Weighting 100 (default 100).2 Fa0/0 1 1 - Active 0007.23. I raised MLS_3’s priority to 160 and it is now the AVG for We can use interface tracking.0103 172. The weight has two default thresholds. GLBP weight. priority 150 (expires in 8. line protocol is up Huzzah! Now to set up tracking with the track command.b400. This does not in any way affect MLS_3’s status as the AVG.Group 1 MLS _ 3(config)#track ? 
State is Active 5 state changes.0101 local - Fa0/0 1 2 - Listen 0007.992 secs Redirect time 600 sec.

which by default is 10.16. threshold.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 . it can no longer act as a VRF.23. Weighting lower threshold value MLS _ 3#show glbp MLS _ 3(config-if)#glbp 1 weighting 100 lower 95 ? upper Weighting upper threshold <cr> FastEthernet0/0 . When the router’s weight drops below the low for the decrement.Group 1 State is Active 13 state changes. we have to set up the value for weight- decrement. that router can go right back to work as a VRF. First. Once that weight meets or rises above the high threshold.115 S T U DY G U I D E MLS _ 3(config)#track 1 interface fastethernet0/1 ? ip IP parameters C H R I S B R YA N T MLS _ 3(config-if)#glbp 1 weighting 100 lower 95 upper ? <95-100> Weighting upper threshold value line-protocol Track interface line-protocol MLS _ 3(config-if)#glbp 1 weighting 100 lower 95 upper 100 ? MLS _ 3(config)#track 1 interface fastethernet0/1 line-protocol ? <cr> <cr> MLS _ 3(config-if)#glbp 1 weighting 100 lower 95 upper 100 MLS _ 3(config)#track 1 interface fastethernet0/1 line-protocol The second command needed here is the one specifying the interface to be tracked and the Now we’ll head back to the GLBP configuration. last state change 00:43:17 Virtual IP address is 172. MLS _ 3(config-if)#glbp 1 weighting ? <1-254> Weighting maximum value track Interface tracking MLS _ 3(config)#int fast 0/0 MLS _ 3(config-if)#glbp 1 weighting ? <1-254> Weighting maximum value track Interface tracking MLS _ 3(config-if)#glbp 1 weighting track ? <1-500> Tracked object MLS _ 3(config-if)#glbp 1 weighting track 1 ? MLS _ 3(config-if)#glbp 1 weighting 100 ? lower Weighting lower threshold upper Weighting upper threshold <cr> <cr> MLS _ 3(config-if)#glbp 1 weighting track 1 MLS _ 3(config-if)#glbp 1 weighting 100 lower ? <1-99> decrement Weighting decrement Verify with show glbp. We’re accepting that default here by not entering a value ing along with the high and low thresholds. 
We’ll keep the default weight of 100 while setting a low threshold of 95 and a high of 100.12 234 235 .

0101 local - Fa0/0 1 2 - Listen 0007.b400.0101.2 - affect a router’s ability to serve as an AVF.2 - Fa0/0 1 3 - Listen 0007. priority 150 (expires in 8.23. min delay 0 sec Active is local Standby is 172.23. thresholds: lower 95.0103 172.16.23.23.23.2 Fa0/0 1 1 - Active 0007.16.000 sec) Priority 160 (configured) Weighting 100 (configured 100).b400. Interface Grp Fwd Pri State Address Active router Standby router Fa0/0 1 - 160 Active 172.0103 172.2 - Fa0/0 1 3 - Listen 0007. MLS_3 should be disqualified from consideration as a VRF if that weight drops below 95.0102 172.b400.b400. upper 100 Track object 1 state Up decrement 10 With this configuration.b400.16. Weighting 90. low (configured 100). MLS_3 will resume its VRF duties. MLS _ 3#show glbp brief In short: Interface Grp Fwd Pri State Address Active router Standby router Fa0/0 1 - 160 Active 172.1 - 236 Let’s shift our focus to securing our switches! 237 .23. hold time 10 sec Next hello sent in 1. and shortly after we see the GLBP syslog message shown here. upper 100 Track object 1 state Down decrement 10 show glbp brief verifies that while MLS_3 is still the AVG.12 local 172. it’s no longer an AVF.115 S T U DY G U I D E C H R I S B R YA N T Hello time 3 sec.16.16.23.b400. and use weighting to Fa0/0 1 1 - Listen 0007.b400.1 - The reason I ran this lab on our AVG is to emphasize that the AVG election and a router’s ability to serve as an AVF are two separate operations. Fa0/0 1 2 - Listen 0007.12 local 172.0102 172. MLS_2 is now handling traffic with a destination MAC of 0007.23.16. *Apr 3 19:09:49: %GLBP-6-FWDSTATECHANGE: FastEthernet0/0 Grp 1 Fwd 1 state Listen -> Active MLS _ 3#show glbp brief show glbp tells us that the weight has indeed dropped to 90.2.16. perhaps in tandem with interface tracking.344 secs Redirect time 600 sec.23. which was formerly handled by MLS_3.16. Let’s shut down fast 0/1 on that router and watch the fun! I’ll now bring MLS_3’s fast0/1 interface back online. thresholds: lower 95. 
forwarder timeout 14400 sec Preemption enabled.2 Use priority to affect the choice of your primary and backup AVGs.16.0101 172.16.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 .23.
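As an added example (not from the study guide, and not a Cisco tool), here is a small Python parser for show glbp brief that applies the two checks this section does by eye: the virtual MAC on each forwarder row must match the 0007.b4xx.xxyy numbering for its group and forwarder number, and a router that is the active forwarder for more than one virtual MAC is covering a failed AVF, as MLS_2 was after MLS_3's Fa0/0 went down. The sample outputs are constructed from the lab's show glbp brief output, and the fixed-width row layout shown above is assumed.

```python
"""Parse 'show glbp brief' and sanity-check a GLBP group.

Added example for this section; not part of the study guide and not a Cisco
tool. Sample outputs are constructed from the lab's show glbp brief output.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed: MLS_3's view with all three AVFs healthy.
SAMPLE_HEALTHY = """\
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Fa0/0       1    -   100 Active   172.16.23.12    local           172.16.23.2
Fa0/0       1    1   -   Active   0007.b400.0101  local           -
Fa0/0       1    2   -   Listen   0007.b400.0102  172.16.23.2     -
Fa0/0       1    3   -   Listen   0007.b400.0103  172.16.23.1     -
"""

# Constructed: MLS_2's view right after MLS_3's Fa0/0 was shut down. MLS_2 is
# now the AVG and is also the active forwarder for MLS_3's virtual MAC.
SAMPLE_FAILOVER = """\
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Fa0/0       1    -   100 Active   172.16.23.12    local           172.16.23.1
Fa0/0       1    1   -   Active   0007.b400.0101  local           -
Fa0/0       1    2   -   Active   0007.b400.0102  local           -
Fa0/0       1    3   -   Listen   0007.b400.0103  172.16.23.1     -
"""


@dataclass
class GlbpRow:
    interface: str
    group: int
    fwd: Optional[int]       # None on the gateway row (dash under Fwd)
    priority: Optional[int]  # None on forwarder rows (dash under Pri)
    state: str
    address: str             # virtual IP on the gateway row, virtual MAC on AVF rows
    active: str
    standby: str


ROW_RE = re.compile(
    r"^(?P<intf>\S+)\s+(?P<grp>\d+)\s+(?P<fwd>\d+|-)\s+(?P<pri>\d+|-)\s+"
    r"(?P<state>\S+)\s+(?P<addr>\S+)\s+(?P<active>\S+)\s+(?P<standby>\S+)\s*$"
)


def parse_glbp_brief(text: str) -> List[GlbpRow]:
    """Return one GlbpRow per data line; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append(GlbpRow(
            interface=m["intf"], group=int(m["grp"]),
            fwd=None if m["fwd"] == "-" else int(m["fwd"]),
            priority=None if m["pri"] == "-" else int(m["pri"]),
            state=m["state"], address=m["addr"].lower(),
            active=m["active"], standby=m["standby"],
        ))
    return rows


def expected_virtual_mac(group: int, fwd: int) -> str:
    """GLBP virtual MAC is 0007.b4xx.xxyy: xxxx is the group number and yy the
    forwarder number, both in hex. For groups below 256 that collapses to the
    0007.b400.xxyy form used in this section."""
    return f"0007.b4{group >> 8:02x}.{group & 0xFF:02x}{fwd:02x}"


def check_group(rows: List[GlbpRow]) -> List[str]:
    """Apply the eyeball checks from this section to one group's brief output."""
    findings = []
    gateways = [r for r in rows if r.fwd is None]
    avfs = [r for r in rows if r.fwd is not None]
    if len(gateways) != 1:
        findings.append("expected exactly one gateway row (dash under Fwd)")
    # 1. The virtual MAC on each AVF row must match the group/forwarder numbering.
    for r in avfs:
        want = expected_virtual_mac(r.group, r.fwd)
        if r.address != want:
            findings.append(f"Fwd {r.fwd}: virtual MAC {r.address} != expected {want}")
    # 2. A router active for more than one virtual MAC is covering a failed AVF.
    #    That cover ends when the redirect timer (600 s default) stops the AVG
    #    handing out the MAC and the forwarder timeout (14400 s) removes it.
    active_for: Dict[str, List[int]] = {}
    for r in avfs:
        if r.state == "Active":
            active_for.setdefault(r.active, []).append(r.fwd)
    for router, fwds in active_for.items():
        if len(fwds) > 1:
            findings.append(f"{router} is active forwarder for Fwd {fwds}: covering a failed AVF")
    # 3. Every forwarder row should name an active router.
    for r in avfs:
        if r.active == "-":
            findings.append(f"Fwd {r.fwd}: no active router")
    return findings


if __name__ == "__main__":
    for name, text in (("healthy", SAMPLE_HEALTHY), ("failover", SAMPLE_FAILOVER)):
        print(name, check_group(parse_glbp_brief(text)) or ["OK"])
```

Run it against the saved output of show glbp brief from each member; the failover sample produces exactly one finding, naming the router that is carrying two virtual MACs, which is the condition the redirect and forwarder timers will eventually clean up on their own.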

Chapter 9: Securing The Switches
When some people think of network security, they immediately think of protecting their network from attacks originating on the outside of the network. We're not "some people", though, and we can't afford to think like that. Many successful network attacks are inside jobs, and originate from seemingly innocent sources like DHCP, ARP, CDP, Telnet, and even from other hosts on the same VLAN.

While it's certainly wise to protect the perimeter of our network, we have to be vigilant against attacks from the interior too. We've got important work to do, so let's get to it!

Port Security

A basic Cisco switch security feature that's often overlooked, port security uses the source MAC address of incoming frames as a password. A port enabled with port security will expect frames sourced from a particular MAC address or group of addresses ("secure MAC addresses"), and if frames with non-secure source MAC addresses come in on that port, the port takes action ranging from shutting down to "just" letting you and me know about it.

In a nutshell, port security entails having the switch look at the source MAC address of an incoming frame and asking itself, "Do I trust the source of this frame?"

Port security is enabled with the switchport port-security command, and before we can consider any options…

    MLS_1(config-if)#switchport port-security
    Command rejected: FastEthernet0/1 is a dynamic port.

… we need to make the port a non-trunking port. Port security can't be configured on a port that even has a possibility of becoming a trunk. This switch has no trunks…

    MLS_1#show int trunk
    < crickets chirping >
    MLS_1#

… but we still can't secure that port until it's an access port. Let's make that happen and put it into VLAN 11. (switchport mode access rules out trunking on the port; if you also want the port to stop sending DTP frames to its neighbor, add switchport nonegotiate.)

    MLS_1(config)#int fast 0/11
    MLS_1(config-if)#switchport mode access
    MLS_1(config-if)#switchport access vlan 11
    % Access VLAN does not exist. Creating vlan 11
    MLS_1(config-if)#switchport port-security

We'll verify with show port-security and then view our switchport port-security options.

    MLS_1#show port-security
    Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                    (Count)       (Count)          (Count)
    ---------------------------------------------------------------------------
          Fa0/11              1            0                  0         Shutdown
    ---------------------------------------------------------------------------
    Total Addresses in System (excluding one mac per port)     : 0
    Max Addresses limit in System (excluding one mac per port) : 6144

    MLS_1(config-if)#switchport port-security ?
      aging        Port-security aging commands
      mac-address  Secure mac address
      maximum      Max secure addresses
      violation    Security violation mode
      <cr>

Let's tackle each of these important options, starting with maximum, which defines the number of secure MAC addresses the port can learn. The default is one, and the maximum you'll see on your switch depends on your switch! I've seen ranges from 132 to the whopping 6144 allowed on this port. (I would not recommend allowing 6,144 secure MAC addresses on any port.)

    MLS_1(config-if)#switchport port-security maximum ?
      <1-6144>  Maximum addresses

Use the aging options to define how long dynamically learned secure MAC addresses should be considered secure. You have the rarely used option of enabling aging for static entries.

    MLS_1(config-if)#switchport port-security aging ?
      static  Enable aging for configured secure addresses
      time    Port-security aging time
      type    Port-security aging type
    MLS_1(config-if)#switchport port-security aging type ?
      absolute    Absolute aging (default)
      inactivity  Aging based on inactivity time period
    MLS_1(config-if)#switchport port-security aging time ?
      <1-1440>  Aging time in minutes. Enter a value between 1 and 1440
    MLS_1(config-if)#switchport port-security aging static ?
      <cr>

We'll use the mac-address option to define secure MAC addresses for this port, as well as something called a "sticky address" (sounds gross, but it isn't).

    MLS_1(config-if)#switchport port-security mac-address ?
      H.H.H   48 bit mac address
      sticky  Configure dynamic secure addresses as sticky

The violation option defines the action the port should take when a frame with a non-secure MAC address comes in.

    MLS_1(config-if)#switchport port-security violation ?
      protect   Security violation protect mode
      restrict  Security violation restrict mode
      shutdown  Security violation shutdown mode

The default port security mode is shutdown, which does just that – the port is placed into error-disabled state ("err-disabled"), and manual intervention is needed to reopen the port. That means you or I have to fix the problem and then do a shut / no shut on the port. (The exception is a switch configured with errdisable recovery cause psecure-violation, which re-enables the port by itself after the errdisable recovery interval.) With shutdown mode, an SNMP trap message is also generated.

Protect mode simply drops the offending frames and no other action is taken. Because nothing is logged, a port in protect mode can be under attack without anyone knowing it.

Our middle-ground security mode is restrict. The non-secure frames are dropped, an SNMP trap notification and a syslog message are generated, and the port remains open.

Here's the network topology for the port-security labs. We're using the hosts primarily to send pings that will (or will not) trigger port security.

Let's see port security in action! I'll configure port security on port fast0/1 after shutting the interface, and then set the secure MAC address to aaaa-bbbb-cccc.

    MLS_1(config)#int fast 0/1
    MLS_1(config-if)#shut
    MLS_1(config-if)#switchport port-security
    MLS_1(config-if)#switchport port-security mac-address aaaa.bbbb.cccc

When a secure MAC address is allowed on a port, but none is defined, the next dynamically learned source MAC address is considered the secure address. That's why I shut the port before configuring port security – just in case traffic came in on that port before I could finish.

After reopening the port, I'll send some pings from R1 and then quickly head back over to the switch to see what happens.

    R1#ping 172.16.23.222

Back on the switch:

    %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0017.59e2.474a on port FastEthernet0/1.
    01:46:31: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
    01:46:32: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down

Looks like the data was NOT from a trusted source, as both show port-security and show int fast 0/1 verify the security violation.

    MLS_1#show port-security
    Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                    (Count)       (Count)          (Count)
    ---------------------------------------------------------------------------
           Fa0/1              1            1                  1         Shutdown
    ---------------------------------------------------------------------------
    Total Addresses in System (excluding one mac per port)     : 0
    Max Addresses limit in System (excluding one mac per port) : 6144

    MLS_1#show int fast 0/1
    FastEthernet0/1 is down, line protocol is down (err-disabled)

Time for the network admins to step in! First, we resolve the problem by removing the currently defined secure MAC address on Fast0/1.
23. so we’ll verify that Total Addresses in System (excluding one mac per port) : 0 everything’s beautiful with three separate show port-security commands.bbbb. starting with the Max Addresses limit in System (excluding one mac per port) : 6144 main one. We’ll do a shut / no shut on the interface and verify with show int fast 0/1. dynamically MLS _ 1(config-if)#no switchport port-security mac-address aaaa.59e2. we’ll send some pings from R1 again and then head right back to the switch. the violation mode is at the default. as with the aaaa.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 . 100 0017.115 S T U DY G U I D E C H R I S B R YA N T MLS _ 1(config)#int fast 0/1 marked as SecureDynamic since it is a secure address that was learned. the port is but none has been taken as there are no Security Violations. Secure Mac Address Table Vlan Mac Address Type Ports ------------. changed state to up To test the new config. SecureDynamic Fa0/1 Remaining Age (mins) -. along with the VLAN. show port-security interface fast 0/1 verifies port security is enabled. -----. Note carefully that you see the Security Action listed.16. R1#ping 172. We see there’s one secure address allowed on Fast0/1 (the default).cccc address configured earlier).bbbb. and that one current address is considered secure.222 ----------. and provides other handy info including the last source address of incoming frames and the VLAN it belonged to. and method used to learn the address. well. Finally. MLS _ 1#show port-security Secure Port Fa0/1 MaxSecureAddr CurrentAddr SecurityViolation (Count) (Count) (Count) 1 1 0 Security Action Shutdown Total Addresses in System (excluding one mac per port) : 0 Max Addresses limit in System (excluding one mac per port) : 6144 show port-security address verifies the exact address that’s been learned and considered secure. MLS _ 1#show port-security address ? 
vlan Vlan limits MLS _ 1(config-if)#shut | MLS _ 1(config-if)#no shut <cr> 01:53:47: %LINEPROTO-5-UPDOWN: Line protocol on Interface Output modifiers FastEthernet0/1.474a - Back on the switch. there’s no message about the port shutting down. This one’s 244 MLS _ 1#show port-security interface fast 0/1 Port Security : Enabled Port Status : Secure-up Violation Mode : Shutdown Aging Time : 0 mins Aging Type : Absolute SecureStatic Address Aging : Disabled Maximum MAC Addresses : 1 Total MAC Addresses : 1 245 . secured and up. the port. changed state to up MLS _ 1#show port-security address 01:53:49: %LINK-3-UPDOWN: Interface FastEthernet0/1.cccc (rather than statically.

16.59e2. Had we allowed four secure addresses and configured MLS _ 1(config)#int fast 0/2 MLS _ 1(config-if)#switchport port-security MLS _ 1(config-if)#switchport port-security maximum 3 MLS _ 1(config-if)#switchport port-security mac-address aaaa. and you statically configure a few without hitting the maximum.bbbb.23. MLS _ 1(config-if)#switchport port-security mac-address aaaa. -----. Let’s find out on port Fast0/2. If you allow a certain number of secure MAC addresses and don’t statically configure all of them.111 Secure Mac Address Table Vlan Mac Address Type Ports ------------. 100 0017. the next two source MAC addresses for incoming frames on that port would be considered secure.d4c2.59e2.bbbb. Let’s run show port-security interface -.0990:100 Security Violation Count : 0 I just know someone out there is wondering what happens if you allow multiple secure MAC addresses on a port.aaaa only two static ones.aaaa.474a SecureDynamic Fa0/1 - 100 001b. and note that there are now a total of 3 secure addresses and 2 configured addresses. where I’ll allow 3 addresses to be considered secure while configuring 2 static secure addresses. MLS _ 1#show port-security int fast 0/2 100 aaaa. R2#ping 172.aaaa. the next dynamically learned MAC addresses will be considered secure until the limit is hit. Let’s run show port-security address and show port-security.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 .aaaa SecureConfigured Fa0/2 - Port Status : Secure-up Violation Mode : Shutdown Total Addresses in System (excluding one mac per port) : 2 Aging Time : 0 mins Max Addresses limit in System (excluding one mac per port) : 6144 246 247 Age . not that they’ll actually age out in 59 seconds.aaaa SecureConfigured Fa0/2 - Port Security : Enabled 100 aaaa. 
Last Source Address:Vlan : 001b.aaaa MLS _ 1#show port-security address I’ll then send pings from R2 and head quickly back over to the switch.115 S T U DY G U I D E C H R I S B R YA N T Configured MAC Addresses : 0 Aging Type Sticky MAC Addresses : 0 SecureStatic Address Aging : Disabled Last Source Address:Vlan : 0017. fast0/2.d4c2. Remaining (mins) No messages on the switch regarding a shutdown.474a:100 Maximum MAC Addresses : 3 Security Violation Count : 0 Total MAC Addresses : 3 Configured MAC Addresses : 2 The aging time of “0 minutes” means that secure MAC addresses will never age out on this Sticky MAC Addresses : 0 port.0990 SecureDynamic Fa0/2 - ----------. : Absolute The port is secure and up.

While we’re here, let’s enable aging and set it to 300 seconds (the default aging time for our “regular” MAC address table). We’ll accept the aging type default shown via IOS Help and then verify with show port-security address.

MLS_1(config)#int fast 0/2
MLS_1(config-if)#switchport port-security aging ?
  static  Enable aging for configured secure addresses
  time    Port-security aging time
  type    Port-security aging type
MLS_1(config-if)#switchport port-security aging time ?
  <1-1440>  Aging time in minutes. Enter a value between 1 and 1440
MLS_1(config-if)#switchport port-security aging time 300
MLS_1(config-if)#switchport port-security aging type ?
  absolute    Absolute aging (default)
  inactivity  Aging based on inactivity time period

MLS_1#show port-security address
          Secure Mac Address Table
-----------------------------------------------------------------------
Vlan  Mac Address       Type               Ports  Remaining Age (mins)
----  -----------       ----               -----  -------------------
 100  0017.59e2.474a    SecureDynamic      Fa0/1  -
 100  001b.d4c2.0990    SecureDynamic      Fa0/2  299
 100  aaaa.aaaa.aaaa    SecureConfigured   Fa0/2  -
 100  aaaa.bbbb.aaaa    SecureConfigured   Fa0/2  -
-----------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 2
Max Addresses limit in System (excluding one mac per port) : 6144

There are three entries for Fa0/2, two of them statically configured (for which the default of “no aging” has not been changed) and the other dynamically learned. So, did I get that right? Nope. I got it wrong – and here’s why I’m always telling you to check the unit of measure when you change anything on a Cisco router or switch. The command to change the aging time of our entire MAC address table uses seconds…

MLS_1(config)#mac address-table aging-time ?
  <0-0>         Enter 0 to disable aging
  <10-1000000>  Aging time in seconds

… but the command to change the aging time of the secure MAC address table uses minutes.

MLS_1(config-if)#switchport port-security aging time ?
  <1-1440>  Aging time in minutes. Enter a value between 1 and 1440
MLS_1(config-if)#switchport port-security aging time 5

MLS_1#show port-security address
          Secure Mac Address Table
-----------------------------------------------------------------------
Vlan  Mac Address       Type               Ports  Remaining Age (mins)
----  -----------       ----               -----  -------------------
 100  0017.59e2.474a    SecureDynamic      Fa0/1  -
 100  001b.d4c2.0990    SecureDynamic      Fa0/2  4
 100  aaaa.aaaa.aaaa    SecureConfigured   Fa0/2  -
 100  aaaa.bbbb.aaaa    SecureConfigured   Fa0/2  -
-----------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 2
Max Addresses limit in System (excluding one mac per port) : 6144

Always use IOS Help to check the unit of time, when changing anything!

Making Secure Addresses Sticky

Right now, Fa0/1 has one secure MAC address, dynamically learned. (The dynamically learned address for R2 has now aged out.)

MLS_1#show port-security address
          Secure Mac Address Table
-----------------------------------------------------------------------
Vlan  Mac Address       Type               Ports  Remaining Age (mins)
----  -----------       ----               -----  -------------------
 100  0017.59e2.474a    SecureDynamic      Fa0/1  -
 100  aaaa.aaaa.aaaa    SecureConfigured   Fa0/2  -
 100  aaaa.bbbb.aaaa    SecureConfigured   Fa0/2  -
-----------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 1
Max Addresses limit in System (excluding one mac per port) : 6144

That dynamically learned address will be lost if the port is reset or the switch is reloaded. I’ll do a shut / no shut on the port to illustrate.

MLS_1(config)#int fast 0/1
MLS_1(config-if)#shut
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan100, changed state to down

MLS_1#show port-security address
          Secure Mac Address Table
-----------------------------------------------------------------------
Vlan  Mac Address       Type               Ports  Remaining Age (mins)
----  -----------       ----               -----  -------------------
 100  aaaa.aaaa.aaaa    SecureConfigured   Fa0/2  -
 100  aaaa.bbbb.aaaa    SecureConfigured   Fa0/2  -
-----------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 1
Max Addresses limit in System (excluding one mac per port) : 6144

MLS_1(config-if)#no shut
00:28:20: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
00:28:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

The same thing would happen if I rebooted the switch. To have dynamically learned addresses retained in case of a port reset or reboot, enable sticky address learning on the port. These addresses are written to the running config, so be sure to save the changes! I’ll do that here, then send pings from R1 and check the secure address table.

MLS_1(config)#int fast 0/1
MLS_1(config-if)#switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>
MLS_1(config-if)#switchport port-security mac-address ?
  H.H.H   48 bit mac address
  sticky  Configure dynamic secure addresses as sticky
MLS_1(config-if)#switchport port-security mac-address sticky

The pings from R1 succeed. Stickiness works!

MLS_1#show port-security address
          Secure Mac Address Table
-----------------------------------------------------------------------
Vlan  Mac Address       Type               Ports  Remaining Age (mins)
----  -----------       ----               -----  -------------------
 100  0017.59e2.474a    SecureSticky       Fa0/1  -
 100  aaaa.aaaa.aaaa    SecureConfigured   Fa0/2  -
 100  aaaa.bbbb.aaaa    SecureConfigured   Fa0/2  -
-----------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 1
Max Addresses limit in System (excluding one mac per port) : 6144

The address is now shown in the secure MAC table as “SecureSticky”, along with the SecureConfigured addresses. I’ll shut the port and then take a look at this table again.

MLS_1(config)#int fast 0/1
MLS_1(config-if)#shut

MLS_1#show port-security address
          Secure Mac Address Table
-----------------------------------------------------------------------
Vlan  Mac Address       Type               Ports  Remaining Age (mins)
----  -----------       ----               -----  -------------------
 100  0017.59e2.474a    SecureSticky       Fa0/1  -
 100  aaaa.aaaa.aaaa    SecureConfigured   Fa0/2  -
 100  aaaa.bbbb.aaaa    SecureConfigured   Fa0/2  -
-----------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 1
Max Addresses limit in System (excluding one mac per port) : 6144

The entry is still in the table! I did reload the switch at this point, and the address was still in the table after the reboot.

Automatic Recovery From Err-Disabled Status

We know via first-hand experience that by default, a port that goes into err-disabled state must be manually reset – after resolving the condition that put the port in that state to begin with, of course!

To have err-disabled ports come out of that state dynamically after a certain period of time, use errdisable recovery. First, define what conditions should be allowed to have ports use this feature with errdisable recovery cause. Ports are shut down by port security due to a psecure-violation, so we’ll enable this feature only for ports put into err-disabled state in that fashion. To have errdisable recovery apply to ports placed into err-disabled state for any reason, use the all option.

SW1(config)#errdisable recovery cause ?
  all                 Enable timer to recover from all causes
  bpduguard           Enable timer to recover from BPDU Guard error disable state
  channel-misconfig   Enable timer to recover from channel misconfig disable state
  dhcp-rate-limit     Enable timer to recover from dhcp-rate-limit error disable state
  dtp-flap            Enable timer to recover from dtp-flap error disable state
  gbic-invalid        Enable timer to recover from invalid GBIC error disable state
  link-flap           Enable timer to recover from link-flap error disable state
  loopback            Enable timer to recover from loopback detected disable state
  pagp-flap           Enable timer to recover from pagp-flap error disable state
  psecure-violation   Enable timer to recover from psecure violation disable state
  security-violation  Enable timer to recover from 802.1x violation disable state
  udld                Enable timer to recover from udld error disable state
  unicast-flood       Enable timer to recover from unicast flood disable state
  vmps                Enable timer to recover from vmps shutdown error disable state

SW1(config)#errdisable recovery cause psecure-violation

To change the interval from the default of 300 seconds, use errdisable recovery interval. I’ll set it to 30 seconds for our lab.

SW1(config)#erridsable recovery ?
% Unrecognized command
SW1(config)#erridsable recovery interval ?
% Unrecognized command
SW1(config)#errdisable recovery interval ?
  <30-86400>  timer-interval(sec)
SW1(config)#errdisable recovery interval 30

At this point, I removed any previous port security config from Fa0/2 and reconfigured the port with the single secure MAC address aaaa.aaaa.aaaa. I then configured Fa0/2 to consider the first source MAC address learned on that port to be the secure address. The first frames that came in from R2 shut the port down…

%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001b.d4c2.0990 on port FastEthernet0/2.
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/2, putting Fa0/2 in err-disable state

… and 30 seconds later, the port begins to come out of err-disabled state!

%PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/2
%LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up

You have to fix the problem or the port will bounce in and out of err-disabled state!
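To make the behaviour of the last few pages concrete, here is a small Python model of a port-security port and of the errdisable recovery timer. This is an added example, not the book’s code and not Cisco’s implementation; the MAC addresses and the 30-second interval are the book’s lab values, and the class and function names (SecurePort, ErrdisableRecovery and the three scenario functions) are my own.

```python
"""Toy model of port security and errdisable recovery (an added example; it is
not the book's code and not Cisco's implementation). The MAC addresses and
timer values are the ones used in the book's lab; the class and method names
are my own."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum
    violation: str = "shutdown"      # violation mode: shutdown | restrict | protect
    sticky: bool = False             # switchport port-security mac-address sticky
    configured: set = field(default_factory=set)    # SecureConfigured entries
    learned: dict = field(default_factory=dict)     # mac -> SecureDynamic/SecureSticky
    err_disabled: bool = False
    violation_count: int = 0

    def secure_addresses(self):
        return set(self.configured) | set(self.learned)

    def ingress(self, mac):
        """What the switch does with a frame whose source MAC is `mac`."""
        if self.err_disabled:
            return "dropped: port err-disabled"
        if mac in self.secure_addresses():
            return "forwarded"
        if len(self.secure_addresses()) < self.maximum:
            # Below the maximum: the next source MAC becomes a secure address.
            self.learned[mac] = "SecureSticky" if self.sticky else "SecureDynamic"
            return "forwarded: learned as " + self.learned[mac]
        self.violation_count += 1
        if self.violation == "shutdown":
            self.err_disabled = True          # psecure-violation -> err-disable
            return "dropped: psecure-violation, port err-disabled"
        return "dropped: psecure-violation"

    def link_reset(self):
        """shut/no shut or reload: dynamic entries are lost, sticky ones survive."""
        self.learned = {m: t for m, t in self.learned.items() if t == "SecureSticky"}


class ErrdisableRecovery:
    """errdisable recovery cause <cause> / errdisable recovery interval <sec>."""

    def __init__(self, interval=300, causes=()):
        self.interval = interval
        self.causes = set(causes)
        self.timers = {}             # port name -> seconds left

    def port_disabled(self, port, cause):
        if cause in self.causes or "all" in self.causes:
            self.timers[port.name] = self.interval

    def advance(self, port, seconds):
        """Advance the clock; return True when the port is brought back up."""
        if port.name not in self.timers:
            return False
        self.timers[port.name] -= seconds
        if self.timers[port.name] > 0:
            return False
        del self.timers[port.name]
        port.err_disabled = False
        return True


def multiple_secure_addresses():
    """Fa0/2 with maximum 3 and two static entries: R2's MAC fills the third
    slot dynamically, and that dynamic entry does not survive a port reset."""
    fa2 = SecurePort("Fa0/2", maximum=3,
                     configured={"aaaa.aaaa.aaaa", "aaaa.bbbb.aaaa"})
    first = fa2.ingress("001b.d4c2.0990")
    fa2.link_reset()
    return first, "001b.d4c2.0990" in fa2.secure_addresses()


def sticky_survives_reset():
    """Fa0/1 with sticky learning keeps R1's MAC across a shut/no shut."""
    fa1 = SecurePort("Fa0/1", maximum=1, sticky=True)
    fa1.ingress("0017.59e2.474a")
    fa1.link_reset()
    return fa1.learned.get("0017.59e2.474a")


def violation_and_recovery():
    """Fa0/2 limited to one static MAC: R2's frame causes a violation, the port
    is err-disabled and recovered after 30 s, then bounces again because the
    underlying problem was never fixed."""
    recovery = ErrdisableRecovery(interval=30, causes={"psecure-violation"})
    fa2 = SecurePort("Fa0/2", maximum=1, configured={"aaaa.aaaa.aaaa"})
    first = fa2.ingress("001b.d4c2.0990")
    if fa2.err_disabled:
        recovery.port_disabled(fa2, "psecure-violation")
    at_29s = recovery.advance(fa2, 29)
    at_30s = recovery.advance(fa2, 1)
    again = fa2.ingress("001b.d4c2.0990")
    return first, at_29s, at_30s, again, fa2.violation_count


if __name__ == "__main__":
    print(multiple_secure_addresses())
    print(sticky_survives_reset())
    print(violation_and_recovery())
```

The violation_and_recovery scenario is the one to study: recovery only clears the err-disabled flag, so the very next frame from the unexpected MAC trips the violation again, which is exactly the bouncing the text warns about.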
Dot1x Port-Based Authentication

We can take port-level security (cliché alert!) to the next level with dot1x port-based authentication. The name refers to IEEE 802.1x, the standard upon which this feature is based. It’s a bit unusual in that the Cisco authentication server must be RADIUS-based; you can’t use TACACS or TACACS+. (The RADIUS version you’ll use is technically RADIUS with EAP extensions, the Extensible Authentication Protocol over LANs, EAPOL.)

A typical dot1x port-based authentication deployment involves the dot1x-enabled PC (the supplicant), the dot1x-enabled switch (the authenticator), and a RADIUS server (the authentication server).

A major difference between this feature and port security is that both the host and switch port must be configured for 802.1x. That’s a major departure from the switch features we’ve studied to date, since few (if any) of those require us configuring anything on the host. Dot1x handles that, but on a limited basis. We just need to configure the supplicant for dot1x!

Strange but true: If the switch is ready for dot1x authentication and the supplicant isn’t, the PC will not concern itself with dot1x and will communicate with the switch as it normally would. (That’s not the strange part.) If the supplicant is running dot1x but the switch isn’t, communications between the two will fail.

By default, the PC has a single physical port connected to the switch, but that physical port is logically divided into two ports by dot1x, the controlled and uncontrolled ports. Unlike typical subinterfaces, the network admins do not have to configure these logical ports. The controlled port cannot transmit data until authentication actually takes place. The uncontrolled port can transmit without authentication, as it allows a host to authorize via an exchange of dot1x messages. EAPOL, STP, and CDP can be transmitted at that time. Of course, once the user authenticates, all traffic can be received and sent via the port.

To get started with dot1x, we first have to enable AAA with aaa new-model. We’ll follow that by pointing the switch to our RADIUS server(s), and then enable dot1x to use those RADIUS servers for authentication. The radius-server command literally has about 40 options, but the only one we need to concern ourselves with right now is host, followed by the password for that server.

MLS_1(config)#aaa new-model
MLS_1(config)#radius-server host 172.16.23.55 key CCNP
MLS_1(config)#aaa authentication ?
  arap             Set authentication lists for arap.
  attempts         Set the maximum number of authentication att
  banner           Message to use when starting login/authentic
  dot1x            Set authentication lists for IEEE 802.1x.
  enable           Set authentication list for enable.
  eou              Set authentication lists for EAPoUDP
  fail-message     Message to use for failed login/authenticati
  login            Set authentication lists for logins.
  password-prompt  Text to use when prompting for a password
  ppp              Set authentication lists for ppp.
  sgbp             Set authentication lists for sgbp.
  suppress         Do not send access request for a specific ty
  username-prompt  Text to use when prompting for a username
MLS_1(config)#aaa authentication dot1x ?
  WORD     Named authentication list (max 31 characters, longer rejected).
  default  The default authentication list.
MLS_1(config)#aaa authentication dot1x default ?
  cache  Use Cached-group
  group  Use Server-group
  local  Use local username authentication.
MLS_1(config)#aaa authentication dot1x default group ?

MLS_1(config)#aaa authentication dot1x default group ?
  WORD    Server-group name
  ldap    Use list of all LDAP hosts.
  radius  Use list of all Radius hosts.
MLS_1(config)#aaa authentication dot1x default group radius ?

Finally, we get to enable dot1x port-based authentication!

MLS_1(config)#dot1x ?
  credentials          Configure 802.1X credentials profiles
  critical             Set 802.1x Critical Authentication parameters
  guest-vlan           Configure Guest Vlan
  logging              Set logging parameters
  supplicant           802.1X supplicant configuration
  system-auth-control  Enable or Disable SysAuthControl
  test                 Configure dot1x test related parameters
MLS_1(config)#dot1x system-auth-control

And even more finally, we get to set the authentication type.

R1(config-if)#dot1x port-control ?
  auto                PortState will be set to AUTO
  force-authorized    PortState set to Authorized
  force-unauthorized  PortState will be set to UnAuthorized

That’s a lot of force! The first force-based option, force-authorized, tells the port to unconditionally authorize the host, using no authentication. That’s the default, and it’s a default you may well want to change. force-unauthorized tells the port to never authorize the host, which seems a tad harsh. auto may be the way to go.

Now that we’ve covered port security and dot1x port-based authentication, a natural question arises: “Can you run port security and dot1x authentication on the same port?” Surprisingly, the answer is yes! From Cisco’s website: “When you enable port security and 802.1x on a port, 802.1x authenticates the port and port security manages the number of MAC addresses allowed on that port, including that of the client.”
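The controlled/uncontrolled port split and the three port-control settings are easier to reason about as a tiny state model. The following Python is an added example, not the book’s code and not the IEEE 802.1X state machine; the frame types and the RADIUS verdicts it feeds in are constructed, and the class and function names are my own.

```python
"""Toy model of the dot1x controlled/uncontrolled port split and of the three
dot1x port-control settings (added example, not the book's code and not the
IEEE 802.1X state machine). Frame types and RADIUS verdicts are constructed."""

# Protocols the book lists as allowed through the uncontrolled port before
# the host has authenticated.
UNCONTROLLED_PORT_PROTOCOLS = {"EAPOL", "STP", "CDP"}


class Dot1xPort:
    def __init__(self, port_control="force-authorized"):
        # force-authorized is the IOS default; auto needs a real EAPOL exchange.
        self.port_control = port_control
        self.authenticated = False

    def controlled_port_open(self):
        if self.port_control == "force-authorized":
            return True
        if self.port_control == "force-unauthorized":
            return False
        return self.authenticated          # auto: depends on the EAPOL result

    def frame_from_host(self, kind, radius_accepts=None):
        """Disposition of a frame of type `kind` from the supplicant.
        `radius_accepts` is the authentication server's verdict when the frame
        is part of an EAPOL exchange (None otherwise)."""
        if kind in UNCONTROLLED_PORT_PROTOCOLS:
            if kind == "EAPOL" and self.port_control == "auto" and radius_accepts is not None:
                self.authenticated = radius_accepts
                return "EAPOL exchange: " + ("authorized" if radius_accepts else "rejected")
            return "passed (uncontrolled port)"
        if self.controlled_port_open():
            return "forwarded (controlled port authorized)"
        return "dropped (controlled port unauthorized)"


def auto_port_sequence():
    """port-control auto: data waits for a successful EAPOL exchange."""
    port = Dot1xPort("auto")
    return (port.frame_from_host("IPv4"),
            port.frame_from_host("CDP"),
            port.frame_from_host("EAPOL", radius_accepts=False),
            port.frame_from_host("IPv4"),
            port.frame_from_host("EAPOL", radius_accepts=True),
            port.frame_from_host("IPv4"))


def force_modes():
    """force-authorized never asks; force-unauthorized ignores even a good verdict."""
    open_port = Dot1xPort("force-authorized")
    closed_port = Dot1xPort("force-unauthorized")
    closed_port.frame_from_host("EAPOL", radius_accepts=True)
    return open_port.frame_from_host("IPv4"), closed_port.frame_from_host("IPv4")


if __name__ == "__main__":
    for step in auto_port_sequence():
        print(step)
    print(force_modes())
```

Note what the default buys you: with force-authorized the controlled port is open before any EAPOL exchange, so a switch that “has dot1x enabled” but leaves port-control at its default is not actually authenticating anyone.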
SPAN

We’ve securely secured our ports, but one day, we’re likely to want to connect a network analyzer (“sniffer”) to one of those ports. To get the job done, the analyzer needs a copy of every frame the hosts are sending and/or receiving, and we’ll use SPAN to capture that traffic.

SPAN allows the switch to mirror traffic from source port(s) to a destination port. By default, both traffic destined for and sourced from the source ports is mirrored to the destination port. A common situation is illustrated here, where we want to analyze traffic sourced from the three PCs. In this example, we’re running local SPAN, since the source and destination ports are on the same switch (or same switch stack), and it’s the destination port to which our network analyzer will be connected.

The command monitor session starts a SPAN session, along with defining the source and destination ports. Multiple SPAN sessions are totally separate operations, and the number of simultaneous SPAN sessions you can run differs between switch platforms. Cisco 2950s allow only two, while the ones we’re on here allow just a few more.

Let’s set up a local SPAN session, using ports Fa0/3, 4, and 5 as the source ports and Fa0/10 as the destination and then verifying with show monitor.

MLS_1(config)#monitor session ?
  <1-66>  SPAN session number
MLS_1(config)#monitor session 47 ?
  destination  SPAN destination interface or VLAN
  filter       SPAN filter VLAN
  source       SPAN source interface, VLAN
MLS_1(config)#monitor session 47 source ?
  interface  SPAN source interface
  remote     SPAN source Remote
  vlan       SPAN source VLAN
MLS_1(config)#monitor session 47 source interface ?
  FastEthernet     FastEthernet IEEE 802.3
  GigabitEthernet  GigabitEthernet IEEE 802.3z
  Port-channel     Ethernet Channel of interfaces
MLS_1(config)#monitor session 47 source interface fast0/3 - 5
MLS_1(config)#monitor session 47 destination ?
  interface  SPAN destination interface
  remote     SPAN destination Remote
MLS_1(config)#monitor session 47 destination interface fast 0/9

Note that possible sources include:

Individual ports
Entire VLANs (in which case you’re running VLAN-based SPAN, or VSPAN)
Port-channels, representing an entire Etherchannel

MLS_1#show monitor
Session 47
---------
Type              : Local Session
Source Ports      :
    Both          : Fa0/3-5
Destination Ports : Fa0/9
    Encapsulation : Native
          Ingress : Disabled

No need to run show vlan brief for VLAN info, since it doesn’t matter to SPAN whether the source ports are all in the same VLAN or not.

Let me save you some seriously unnecessary troubleshooting time with this little tip! If you look at fast 0/9 right now, you’ll see something that might make ya cuss:

MLS_1#show int fast 0/9
FastEthernet0/9 is down, line protocol is down (monitoring)

No need to sweat, just read all the way to the end of that line and you’ll see (monitoring). That means you’re looking at a SPAN destination port, and this is the one time in which seeing that an interface is “down and down” is what you should see!

That’s all well and good, but what if SPAN isn’t all local? What if the traffic to be monitored is originating on one particular switch and the only vacant port available is on another switch? RSPAN to the rescue! Configuring Remote SPAN on both switches will allow mirrored frames to be sent over the trunk via a separate VLAN that will carry only those mirrored frames. Here’s the setup for our RSPAN lab:

We’ll create VLAN 30 and identify it as the RSPAN VLAN with remote-span. On MLS_1, we’ll set up the SPAN session by naming the source ports and configuring the RSPAN VLAN as the destination.

MLS_1(config)#vlan 30
MLS_1(config-vlan)#remote-span
MLS_1(config)#monitor session 1 source int fast 0/1 - 5
MLS_1(config)#monitor session 1 destination remote ?
  vlan  Remote SPAN destination RSPAN VLAN
MLS_1(config)#monitor session 1 destination remote vlan ?
  <2-1001>     Remote SPAN destination RSPAN VLAN number
  <1006-4094>  Remote SPAN destination extended RSPAN VLAN number
MLS_1(config)#monitor session 1 destination remote vlan 30 ?
  <cr>
MLS_1(config)#monitor session 1 destination remote vlan 30

The config on MLS_2 will name the source as the RSPAN VLAN and the destination as the port connected to the analyzer. On MLS_2, the config is easy, but the commands will NOT be the same, so don’t cut and paste ‘em! We’ll also define VLAN 30 as the RSPAN VLAN.

MLS_2(config)#vlan 30
MLS_2(config-vlan)#remote-span
MLS_2(config)#monitor session 1 source remote vlan 30
MLS_2(config)#monitor session 1 destination int fast0/10

Whew! After all that, this isn’t a complex configuration, but we need to keep a few things in mind:

If there were intermediate switches between the two shown in the previous example, they would all need to be RSPAN-capable.

The source and destination ports must be defined on both the switch containing the source ports and the switch connected to the network analyzer.

VTP treats the RSPAN VLAN like any other VLAN by propagating it throughout the VTP domain (if configured on a VTP server, natch!). Otherwise, that VLAN will have to be propagated manually on every switch along that path.

VTP pruning will prune the RSPAN VLAN under the same circumstances it would prune a normal VLAN.

MAC address learning is disabled for the RSPAN VLAN.

The toughest part of working with SPAN can be remembering the ports that are eligible and not eligible to be source or destination ports. Here are some tips for a successful SPAN configuration:

By default, traffic both from the source port and destined for the source port is mirrored to the destination port. To change this, use the rx and tx options at the end of monitor session.

SW2(config)#monitor session 47 source interface fast 0/1 ?
  ,     Specify another range of interfaces
  -     Specify a range of interfaces
  both  Monitor received and transmitted traffic
  rx    Monitor received traffic only
  tx    Monitor transmitted traffic only
  <cr>

A source port can be monitored in multiple, simultaneous SPAN sessions.

A source port cannot also serve as a destination port.

A source port can be part of an Etherchannel, and you can use SPAN to monitor an entire EtherChannel by specifying that EC’s port-channel interface as the source. Be aware that if a port that’s in an EC is a source port, only the traffic going over that specific port will be mirrored. If you want all the traffic on an EC to be mirrored, you have to make the entire EC the source port.

A trunk port can be a source port, but be aware that every single bit of traffic on any of the VLANs that are part of that trunk will be mirrored to the destination port. Trunk ports can be configured as source and/or destination ports; the default behavior will result in the monitoring of all active VLANs on the trunk.

VLAN membership doesn’t matter; ports from different VLANs can serve as source ports for the same SPAN session.

Commonly referred to as VSPAN, an entire VLAN can be configured as a source port.

The speed of the port doesn’t affect a port’s ability to be a source port, but it’s a good idea to have a destination port be equal or higher in speed than the source port(s).

Destination port notes:

A destination port can participate in only one SPAN session. A destination port cannot be a source port, nor can a single port serve as the destination for multiple SPAN sessions.

A destination SPAN port doesn’t participate in STP, VTP, DTP, CDP, PaGP, or LACP.

While source ports can be part of an Etherchannel, a destination port cannot.

And just one more thing… remember the remote-span command we placed on both switches in our RSPAN config? If you have switches between the switch with source ports and the one with destination ports, you need that command on every intermediate switch.
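The eligibility rules above are exactly the kind of thing worth checking mechanically before a change window. The Python below is an added example, not the book’s code and not IOS’s own validation; it encodes the rules just listed as a checker over a constructed list of sessions, EtherChannel memberships and link speeds, and the function names (validate_span, book_session, broken_sessions) are my own.

```python
"""Checks SPAN sessions against the source/destination rules listed above
(added example, not the book's code and not IOS's own validation). Session
numbers, port names, link speeds and EtherChannel membership are constructed
for the demo."""


def validate_span(sessions, etherchannels, speeds):
    """sessions:      [{"id": 47, "sources": ["Fa0/3", ...], "destination": "Fa0/9"}]
    etherchannels: {"Po1": ["Fa0/1", "Fa0/2"]}   port-channel -> member ports
    speeds:        {"Fa0/3": 100, "Gi0/1": 1000}  Mbit/s per physical port
    Returns (errors, warnings): errors break the rules, warnings are advisories."""
    errors, warnings = [], []
    members = {m for ports in etherchannels.values() for m in ports}
    all_sources = {src for sess in sessions for src in sess["sources"]}
    dest_sessions = {}
    for sess in sessions:
        sid, dest = sess["id"], sess["destination"]
        dest_sessions.setdefault(dest, []).append(sid)
        # A destination port cannot also be a source port (in any session).
        if dest in all_sources:
            errors.append(f"session {sid}: destination {dest} is also a SPAN source")
        # A destination port cannot be part of an EtherChannel.
        if dest in members:
            errors.append(f"session {sid}: destination {dest} is an EtherChannel member")
        for src in sess["sources"]:
            if src in etherchannels:
                continue   # whole port-channel as source: every member is mirrored
            # A single EC member as source mirrors only that member's traffic.
            if src in members:
                warnings.append(f"session {sid}: {src} mirrors only its own traffic; "
                                f"use its port-channel to capture the whole EtherChannel")
            # Advisory: destination should be at least as fast as each source.
            if speeds.get(src, 0) > speeds.get(dest, 0):
                warnings.append(f"session {sid}: destination {dest} is slower than source {src}")
    # A port can be the destination of only one session.
    for dest, ids in dest_sessions.items():
        if len(ids) > 1:
            errors.append(f"{dest} is the destination of sessions {ids}; only one is allowed")
    return errors, warnings


def book_session():
    """The local SPAN session from the lab: Fa0/3-5 mirrored to Fa0/9."""
    sessions = [{"id": 47, "sources": ["Fa0/3", "Fa0/4", "Fa0/5"], "destination": "Fa0/9"}]
    speeds = {p: 100 for p in ("Fa0/3", "Fa0/4", "Fa0/5", "Fa0/9")}
    return validate_span(sessions, {}, speeds)


def broken_sessions():
    """Constructed misconfiguration that touches most of the rules at once."""
    sessions = [
        {"id": 1, "sources": ["Fa0/1", "Gi0/1"], "destination": "Fa0/9"},
        {"id": 2, "sources": ["Fa0/1"], "destination": "Fa0/9"},   # same destination again
        {"id": 3, "sources": ["Po1"], "destination": "Fa0/2"},     # Fa0/2 is in Po1
    ]
    etherchannels = {"Po1": ["Fa0/1", "Fa0/2"]}
    speeds = {"Fa0/1": 100, "Fa0/2": 100, "Fa0/9": 100, "Gi0/1": 1000}
    return validate_span(sessions, etherchannels, speeds)


if __name__ == "__main__":
    for line in sum(broken_sessions(), []):
        print(line)
```

Note that Fa0/1 appearing as a source in sessions 1 and 2 raises nothing: a source port may be monitored by several sessions at once, while the same port reused as a destination is an error.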
Storm Control

In your CCNA studies, you learned of the danger of broadcast storms, where the number of broadcasts and multicasts begins to overwhelm your switch, all the way to the point of non-operation. Whether accidentally or maliciously caused, these storms can also overwhelm your hosts with broadcasts and multicasts flooded by the switch. Storm Control is specifically designed to proactively stop that flooding before our hosts are hit with a level of flooded traffic they just can’t handle. It’s enabled on a per-port basis:

SW1(config)#int fast 0/1
SW1(config-if)#storm-control ?
  action     Action to take for storm-control
  broadcast  Broadcast address storm control
  multicast  Multicast address storm control
  unicast    Unicast address storm control

For each traffic type listed, the option level will follow. We’ll use IOS Help to explore our options for broadcast storm control.

SW1(config-if)#storm-control broadcast ?
  level  Set storm suppression level on this interface
SW1(config-if)#storm-control broadcast level ?
  <0 - 100>  Enter Integer part of storm suppression level
  pps        Enter suppression level in packets per second
SW1(config-if)#storm-control broadcast level 45 ?
  <0 - 100>  Enter Integer part of lower suppression level
  <cr>
SW1(config-if)#storm-control broadcast level 45 35 ?
  <cr>
SW1(config-if)#storm-control broadcast level 45 35

It might surprise you that we have the option for one or two levels! If you specify only the storm suppression level (the first value), Storm Control takes action when the traffic type goes above that level, and stops that action when the traffic type goes below that level. (Makes sense, right?) At times, you may want to set a different level at which Storm Control should cease action. The line storm-control broadcast level 45 35 means Storm Control will take action when broadcasts are taking up over 45% of available bandwidth and will stop that action when the level of broadcasts drops below 35% of that available bandwidth.

I’m using bandwidth usage percentage in this command, which can also be configured using packets per second. It’s not right or wrong to choose one option over the other – just choose the one that fits your situation.

Now, about that action…

SW1(config-if)#storm-control action ?
  shutdown  Shutdown this interface if a storm occurs
  trap      Send SNMP trap if a storm occurs

What isn’t shown here is Storm Control’s default behavior of tossing the offending frames overboard. (That is, they’re dropped.) Choosing shutdown or trap adds the configured behavior to this default.

Verify your config with show storm-control, which will show you information on all ports on the switch, or show storm-control interface to see the info for just that interface!

SW1#show storm-control fast 0/1
Interface  Filter State   Trap State   Upper    Lower    Current  Traps Sent
---------  -------------  -----------  -------  -------  -------  ----------
Fa0/1      Forwarding     inactive     45.00%   35.00%   0.00%    0
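The two-level behaviour is a simple hysteresis loop, and seeing it run over a series of utilisation samples makes the difference between one and two levels obvious. The Python below is an added example, not the book’s code and not the algorithm IOS runs; the 45/35 thresholds are the lab’s, the utilisation samples are constructed, and the class and function names are my own.

```python
"""Models the rising/falling thresholds of storm-control <type> level
<upper> [<lower>] and the action taken while a storm is under way (added
example, not the book's code and not IOS's algorithm). The utilisation
samples are constructed."""


class StormControl:
    def __init__(self, upper, lower=None, action="drop"):
        self.upper = upper                               # storm starts above this level
        self.lower = upper if lower is None else lower   # storm ends below this level
        self.action = action                             # drop (default) | shutdown | trap
        self.storm = False
        self.port_up = True
        self.traps_sent = 0

    def sample(self, percent):
        """One measurement interval: `percent` is the share of bandwidth used by
        the traffic type. Returns the port's disposition for that interval."""
        if not self.port_up:
            return "port shutdown"
        if not self.storm and percent > self.upper:
            self.storm = True
            if self.action == "trap":
                self.traps_sent += 1          # this model traps on storm onset
            elif self.action == "shutdown":
                self.port_up = False
                return "port shutdown"
        elif self.storm and percent < self.lower:
            self.storm = False
        # While the storm flag is set the offending frames are dropped.
        return "filtering" if self.storm else "forwarding"


def run(ctrl, samples):
    return [ctrl.sample(p) for p in samples]


def two_levels():
    """The book's storm-control broadcast level 45 35: action starts above
    45 % and only stops once broadcasts fall below 35 %."""
    return run(StormControl(45, 35), [40, 50, 40, 36, 34, 40])


def one_level():
    """Single level: the same value starts and stops the action."""
    return run(StormControl(45), [40, 50, 40])


def shutdown_action():
    ctrl = StormControl(45, 35, action="shutdown")
    return run(ctrl, [50, 10]), ctrl.port_up


def trap_action():
    ctrl = StormControl(45, 35, action="trap")
    return run(ctrl, [50, 10, 60]), ctrl.traps_sent


if __name__ == "__main__":
    print(two_levels())
    print(one_level())
    print(shutdown_action())
    print(trap_action())
```

Compare the third sample in two_levels and one_level: at 40 % the two-level port is still filtering because 40 is not below 35, while the single-level port has already resumed forwarding. A gap between the two levels is what stops the port flapping between filtering and forwarding when traffic hovers around the threshold.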
VLAN ACLs

Let’s take a look at some Cisco switch security features that were developed specifically with VLANs in mind, starting with VLAN ACLs.

You’ll certainly be familiar with ACLs and a few of their seemingly endless uses at this point in your Cisco studies! The ACL we’ve come to know and love has some limitations though. An ACL can be used to filter inter-VLAN traffic, but not intra-VLAN traffic. While an ACL can filter traffic travelling between VLANs… it can’t do anything about traffic from one host in a VLAN to another host in the same VLAN. Filtering between hosts in the same VLAN requires the use of a VLAN Access List (VACL).

Why not, you ask? It relates to the application of ACLs on a multilayer switch. The CAM table holds the dynamically and statically learned MAC addresses, but it’s the TCAM table – the Ternary Content-Addressable Memory table – that cuts down on the number of lookups required to compare a packet against an ACL. This packet filtering via the switch hardware speeds up the overall process, but it limits ACL capability. You’ll see what I mean in the following lab!

Even though a VACL will do the actual filtering, we’ll still need to write an ACL. The ACL will be used as the match criterion within the VACL. We want to stop these three hosts from communicating with any host in the 10.1.1.0 /24 subnet, and we mean any host – even among each other! Right now, each host can ping the other (results not shown).

MLS_1(config)#ip access-list extended BLOCK_FIRST_THREE
MLS_1(config-ext-nacl)#permit ip ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host
MLS_1(config-ext-nacl)#permit ip 10.1.1.0 ?
  A.B.C.D  Source wildcard bits
MLS_1(config-ext-nacl)#permit ip 10.1.1.0 0.0.0.3 ?
  A.B.C.D  Destination address
  any      Any destination host
  host     A single destination host
MLS_1(config-ext-nacl)#permit ip 10.1.1.0 0.0.0.3 10.1.1.0 ?
  A.B.C.D  Destination wildcard bits
MLS_1(config-ext-nacl)#permit ip 10.1.1.0 0.0.0.3 10.1.1.0 0.0.0.255

I’m sure you noticed that the three source addresses named in the ACL are the ones that won’t be allowed to communicate with other hosts on that subnet, but the ACL statement is a permit, not a deny. No worries, the deny is coming! We’ll write the VACL with vlan access-map, with any traffic matching that ACL to be dropped while allowing all other traffic.

MLS_1(config)#vlan access-map ?
  WORD  Vlan access map tag
MLS_1(config)#vlan access-map NO_123 ?
  <0-65535>  Sequence to insert to/delete from existing vlan access-map entry
  <cr>
MLS_1(config)#vlan access-map NO_123
MLS_1(config-access-map)#match ?
  ip   IP based match
  mac  MAC based match
MLS_1(config-access-map)#match ip ?
  address  Match IP address to access control.
MLS_1(config-access-map)#match ip address ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name
MLS_1(config-access-map)#match ip address BLOCK_FIRST_THREE
MLS_1(config-access-map)#action ?
  drop     Drop packets
  forward  Forward packets
MLS_1(config-access-map)#action drop
MLS_1(config-access-map)#exit
MLS_1(config)#vlan access-map NO_123
MLS_1(config-access-map)#action forward

No match was configured for the second VACL statement, meaning the action of “forward” will be applied to any and all traffic that didn’t match previous statements.

I didn’t enter a sequence number for those two VACL statements because I wanted to demo the default for you via show vlan access-map:

MLS_1#show vlan access-map
Vlan access-map "NO_123"  10
  Match clauses:
    ip  address: BLOCK_FIRST_THREE
  Action:
    drop
Vlan access-map "NO_123"  20
  Match clauses:
  Action:
    Forward

The “10” and “20” shown are the default sequence numbers. If you follow my lead and don’t define them as you go, they’ll increment by 10. Sequence numbers are fantastic for those situations where you later need to add an action. If you needed to add an action that involved dropping traffic, you’d need to give it a sequence number between 10 and 20. Adding it at the end wouldn’t do any good, since VACL sequence number 20 permits all traffic.

Hey, we need to apply this thing! Don’t try to apply a VACL to a specific interface; we have to apply it in global configuration mode. The VLAN to be filtered is specified at the end of the command with the vlan-list option. We can specify individual VLANs or go with the all option. Be careful to specify the VACL name in this command, not the ACL name.
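The permit-means-match semantics and the role of the sequence numbers are the two things people get wrong with VACLs, so here they are as a small evaluator. This is an added example, not the book’s code and not how IOS or the TCAM evaluates a VLAN map; the ACL and map are the lab’s NO_123, while the second ACL (BLOCK_TEN), the host addresses and the helper names are constructed. It also goes one step past the text: a packet that matches no entry at all is dropped, which is the implicit deny at the end of every VLAN map.

```python
"""A small evaluator for the ACL-as-match-clause semantics of a VACL (added
example, not the book's code and not how IOS/TCAM evaluates VLAN maps). The
ACL and VLAN map are the lab's NO_123; the extra entries and host addresses
are constructed."""
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard: a 0 bit in the mask must match, a 1 bit is don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


# ip access-list extended <name>: (action, src, src-wildcard, dst, dst-wildcard)
ACLS = {
    "BLOCK_FIRST_THREE": [("permit", "10.1.1.0", "0.0.0.3", "10.1.1.0", "0.0.0.255")],
    # constructed second ACL, used below to show a mid-map insertion
    "BLOCK_TEN": [("permit", "10.1.1.10", "0.0.0.0", "0.0.0.0", "255.255.255.255")],
}


def acl_matches(acl_name, src, dst):
    """Inside a VACL a permit ACE means 'this packet matches the map entry';
    a deny ACE means 'this ACE does not match it' (evaluation continues)."""
    for action, sb, sw, db, dw in ACLS[acl_name]:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


def vacl_action(vacl, src, dst):
    """vacl: [(sequence, acl_name or None, "drop"|"forward")]. Entries are
    tried in sequence order; an entry with no match clause matches everything;
    a packet matching no entry is dropped (the implicit deny at the end)."""
    for seq, acl, action in sorted(vacl, key=lambda e: e[0]):
        if acl is None or acl_matches(acl, src, dst):
            return action
    return "drop"


NO_123 = [(10, "BLOCK_FIRST_THREE", "drop"), (20, None, "forward")]


def lab_results():
    return (vacl_action(NO_123, "10.1.1.2", "10.1.1.50"),   # blocked host -> drop
            vacl_action(NO_123, "10.1.1.50", "10.1.1.2"),   # reverse direction is not matched
            vacl_action(NO_123, "10.1.1.3", "10.2.2.2"))    # off-subnet destination: no match


def without_forward_entry():
    """Remove sequence 20 and everything that misses sequence 10 is dropped."""
    return vacl_action([(10, "BLOCK_FIRST_THREE", "drop")], "10.1.1.50", "10.1.1.2")


def inserted_entry():
    """A new drop must go between 10 and 20; after 20 it is never reached."""
    between = NO_123 + [(15, "BLOCK_TEN", "drop")]
    after = NO_123 + [(30, "BLOCK_TEN", "drop")]
    return (vacl_action(between, "10.1.1.10", "10.1.1.50"),
            vacl_action(after, "10.1.1.10", "10.1.1.50"))


if __name__ == "__main__":
    print(lab_results(), without_forward_entry(), inserted_entry())
```

The second element of lab_results is worth a second look: a reply from 10.1.1.50 back to 10.1.1.2 is forwarded by the map, but since 10.1.1.2’s own packets never leave, the ping still fails just as it does in the lab.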

MLS_1(config)#vlan filter ?
  WORD  VLAN map name
MLS_1(config)#vlan filter NO_123 ?
  vlan-list  VLANs to apply filter to
MLS_1(config)#vlan filter NO_123 vlan-list ?
  <1-4094>  VLAN id
  all       Add this filter to all VLANs
MLS_1(config)#vlan filter NO_123 vlan-list 10

Verify with show ip access-list and show vlan access-map, and then test!

MLS_1#show ip access-list
Extended IP access list BLOCK_FIRST_THREE
    10 permit ip 10.1.1.0 0.0.0.3 10.1.1.0 0.0.0.255

MLS_1#show vlan access-map
Vlan access-map "NO_123"  10
  Match clauses:
    ip  address: BLOCK_FIRST_THREE
  Action:
    drop
Vlan access-map "NO_123"  20
  Match clauses:
  Action:
    Forward

MLS_1#show vacl
             ^
% Invalid input detected at ‘^’ marker.
MLS_1#show vlan access-list
                 ^
% Invalid input detected at ‘^’ marker.

Hosts that could previously ping each other now cannot, thanks to our VACL!

HOST_1#ping 10.1.1.3
Success rate is 0 percent (0/5)
HOST_2#ping 10.1.1.3
Success rate is 0 percent (0/5)

Private VLANs

Want to put a host in such a secret place that you yourself may never be able to find it? Private VLANs aren’t quite that private, but if you want to hide a host from the rest of your network – even going as far as hiding a host from other hosts in the same subnet – private VLANs are the way to go.

This concept can throw you a bit at first, since a private VLAN is truly unlike any other VLAN concept. The terminology is unique as well, so hang in there and it’ll be second nature before you know it. As always, we’ll take this concept one step at a time, starting with those three port types.

Private VLANs give us all of the following:

Three port types – one type talks to everybody, one type talks to some, and one type talks to practically no one.

Two types of private VLANs, primary and secondary. In turn, we have two types of secondary VLANs, community and isolated.

Hosts that need to talk to everyone will be connected to promiscuous ports. This port type can communicate with any host connected to any of the other two port types. When you have a router or multilayer switch that serves as a default gateway, that device must be connected to a promiscuous port for the network to function correctly.

Hosts that just need to talk to some other devices are connected to community ports. These hosts can communicate with other community ports in the same private VLAN as well as any device connected to a promiscuous port.

Hosts that just don't want anything to do with anybody are connected to the aptly named isolated ports. Hosts connected to isolated ports can only communicate with hosts connected to promiscuous ports. Even if you have two isolated ports in the same private VLAN, those hosts can't intercommunicate.

Each of these concepts is illustrated here:

Host A has been placed into an isolated private VLAN, and will be able to communicate only with the router, which is connected to a promiscuous port. If we placed another host in the same isolated private VLAN that Host A is in now, those two hosts could not communicate with each other. The other hosts are in a community private VLAN, so they can communicate with each other as well as the router. They cannot communicate with Host A.

Now let's have a brief, powerful look at the private VLAN types. The "parent" private VLAN is the primary private VLAN, and the "child" private VLAN is the secondary private VLAN. A primary private VLAN can be mapped to multiple secondary VLANs, but a secondary private VLAN can be mapped to only one primary. That's it!

About those secondary VLAN types…

Ports in an isolated private VLAN can only communicate with promiscuous ports in the parent private VLAN.
Ports in a community private VLAN can communicate with other ports in the same community as well as promiscuous ports in the primary.

In the following configuration, we'll map primary private VLANs to secondary private VLANs. In our config, we'll use the following VLANs and VLAN types:

VLAN 100 is a secondary private VLAN (community). Ports are Fa0/1 – 5.
VLAN 200 is a secondary private VLAN (isolated). Ports are Fa0/6 – 10.
VLAN 300 will be the primary private VLAN. Our router is off fast0/12.

Creating the first VLAN with VLAN config mode is no problem, but look what happens when we try to make it a community private VLAN – or for that matter, any kind of private VLAN!

MLS_1(config)#vlan 100
MLS_1(config-vlan)#private-vlan ?
  association  Configure association between private VLANs
  community    Configure the VLAN as a community private VLAN
  isolated     Configure the VLAN as an isolated private VLAN
  primary      Configure the VLAN as a primary private VLAN

MLS_1(config-vlan)#private-vlan community
%Private VLANs can only be configured when VTP is in transparent/off mode.

(Yes, private VLANs can only be configured when VTP is in transparent mode, like it says right there.)

MLS_1(config)#vtp mode transparent
Setting device to VTP Transparent mode for VLANS.

Once we do that, configuring VLAN 100 as a community private VLAN and VLAN 200 as an isolated private VLAN is no problem.

MLS_1(config)#vlan 100
MLS_1(config-vlan)#private-vlan ?
  association  Configure association between private VLANs
  community    Configure the VLAN as a community private VLAN
  isolated     Configure the VLAN as an isolated private VLAN
  primary      Configure the VLAN as a primary private VLAN

MLS_1(config-vlan)#private-vlan community
MLS_1(config-vlan)#vlan 200
MLS_1(config-vlan)#private-vlan isolated

Now we'll configure VLAN 300 as the primary private VLAN, and then associate those two secondary private VLANs with this primary private VLAN. (This association is not the mapping I mentioned earlier.)

MLS_1(config)#vlan 300
MLS_1(config-vlan)#private-vlan primary
MLS_1(config-vlan)#private-vlan association ?
  WORD    VLAN IDs of the private VLANs to be configured
  add     Add a VLAN to private VLAN list
  remove  Remove a VLAN from private VLAN list

MLS_1(config-vlan)#private-vlan association 200,100

We've accomplished the following:

Configured VTP to run in transparent mode (very important!)
Created our secondary private VLANs, both isolated and community
Created our primary private VLAN
Created an association between the secondary and primary private VLANs

Just two more things to do – place the ports into the proper VLAN and get that mapping done! The switch port leading to the router is Fa0/12, and that port must be made promiscuous.

MLS_1(config)#int fast 0/12
MLS_1(config-if)#switchport mode ?
  access        Set trunking mode to ACCESS unconditionally
  dot1q-tunnel  set trunking mode to TUNNEL unconditionally
  dynamic       Set trunking mode to dynamically negotiate access or trunk mode
  private-vlan  Set private-vlan mode
  trunk         Set trunking mode to TRUNK unconditionally

MLS_1(config-if)#switchport mode private-vlan ?
  host         Set the mode to private-vlan host
  promiscuous  Set the mode to private-vlan promiscuous

MLS_1(config-if)#switchport mode private-vlan promiscuous

We'll also need the primary vlan mapping command on that interface:

MLS_1(config-if)#switchport private-vlan ?
  association       Set the private VLAN association
  host-association  Set the private VLAN host association
  mapping           Set the private VLAN promiscuous mapping

MLS_1(config-if)#switchport private-vlan mapping ?
  <1006-4094>  Primary extended range VLAN ID of the private VLAN promiscuous port mapping
  <2-1001>     Primary normal range VLAN ID of the private VLAN promiscuous port mapping

MLS_1(config-if)#switchport private-vlan mapping 300 ?
  WORD    Secondary VLAN IDs of the private VLAN promiscuous port mapping
  add     Add a VLAN to private VLAN list
  remove  Remove a VLAN from private VLAN list

MLS_1(config-if)#switchport private-vlan mapping 300 100,200 ?
  <cr>

MLS_1(config-if)#switchport private-vlan mapping 300 100,200

Ports Fa0/1 – 5 are in VLAN 100. We'll use our buddy interface range to configure that port range with the private-vlan host and private-vlan host-association commands.

MLS_1(config)#int range fast 0/1 - 5
MLS_1(config-if-range)#switchport mode private-vlan ?
  host         Set the mode to private-vlan host
  promiscuous  Set the mode to private-vlan promiscuous

MLS_1(config-if-range)#switchport mode private-vlan host
MLS_1(config-if-range)#switchport private-vlan ?
  association       Set the private VLAN association
  host-association  Set the private VLAN host association
  mapping           Set the private VLAN promiscuous mapping

MLS_1(config-if-range)#switchport private-vlan host-association ?
  <1006-4094>  Primary extended range VLAN ID of the private VLAN host port association
  <2-1001>     Primary normal range VLAN ID of the private VLAN port association

MLS_1(config-if-range)#switchport private-vlan host-association 300 ?
  <1006-4094>  Secondary extended range VLAN ID of the private VLAN host port association
  <2-1001>     Secondary normal range VLAN ID of the private VLAN host port association

MLS_1(config-if-range)#switchport private-vlan host-association 300 100

We'll use interface range on Fa0/6 – 10 as well, using VLAN 200 instead of 100.

MLS_1(config)#int range fast 0/6 - 10
MLS_1(config-if-range)#switchport mode private-vlan host
MLS_1(config-if-range)#switchport private-vlan host-association 300 200

Verify your private VLAN config with the tricky-to-type show vlan private-vlan command, and on an interface level with show interface switchport.

DHCP And Multilayer Switches

I'm sure you're wondering why DHCP is smack in the middle of a CCNP SWITCH exam discussion of switch security features. There are two really good reasons for this:

1. DHCP is a topic on your CCNP SWITCH exam.
2. Securing DHCP is a vital part of our overall Cisco switch security strategy, and the better our knowledge of DHCP, the better our security will be.

Let's jump right in with a quick review of the overall DHCP process. First, the client broadcasts a DHCP Discover packet, and its purpose is to discover the network's DHCP servers.

The DHCP servers that receive that Discover packet respond with a broadcast in the form of a DHCP Offer packet. This includes an IP address the client can use, along with notification on how long the client can keep that address (the lease), the default gateway, and other info as desired and configured by you and I.

The client will accept the first Offer received, ignoring the others. The client uses a broadcast DHCP Request message to indicate acceptance of the offer. The Request includes the IP address of the DHCP Server whose address offer is being accepted. When a DHCP Server sees a Request that does not include its own IP address, that server knows that its offer was not accepted.

The DHCP server whose offer is being accepted sends a DHCP Acknowledgement message back to the client, and that's it! (This ACK can be a unicast or a broadcast depending on the circumstances. Some books say it's a unicast, some say it's a broadcast, but like all things Cisco, they're both right.)

Generally speaking, you'll have a traditional server for your DHCP server, but a Cisco router or multilayer switch can handle the role nicely! We're going to do something a bit unusual in this section and have a Cisco router acquire an IP address via DHCP from a Cisco multilayer switch.

Using a multilayer switch as a DHCP server requires that switch to have an IP address on any subnet that it's offering addresses from. No problem there, but we do need to exclude that particular address from the DHCP pool. The ip dhcp excluded-address command we use for that purpose is configured globally, not as part of the general DHCP configuration. This can drive you a bit crazy at first, but take it one command at a time and you'll be fine.

Here's the setup: we're going to assign addresses from 10.0.0.0 /8 via DHCP, but we don't want to use the addresses 10.0.0.0 – 10.1.1.0 (the network admins' addresses), nor do we want to assign the IP address already assigned to the SVI, technically int VLAN 4.

We can specify a single address to be excluded, an entire range, or both. ip dhcp excluded-address gets the job done.

MLS_1(config)#ip dhcp excluded-address ?
  A.B.C.D  Low IP address
  vrf      VRF name for excluded address range

MLS_1(config)#ip dhcp excluded-address 10.0.0.0 ?
  A.B.C.D  High IP address
  <cr>

MLS_1(config)#ip dhcp excluded-address 10.0.0.0 10.1.1.0
MLS_1(config)#ip dhcp excluded-address 10.1.1.1

I could have used one command with the range 10.0.0.0 – 10.1.1.1, but I want to illustrate that you can use this command to exclude a single address, an entire range or both.

With those tasks completed, we're now ready to create the DHCP pool with ip dhcp pool.

MLS_1(config)#ip dhcp pool CCNP
MLS_1(dhcp-config)#

We'll use network to define the range of addresses to be assigned to DHCP clients. For the mask, we're given the rare option of entering the value in either prefix notation or the more familiar dotted decimal.

MLS_1(dhcp-config)#network 10.0.0.0 ?
  /nn or A.B.C.D  Network mask or prefix length
  <cr>

MLS_1(dhcp-config)#network 10.0.0.0 /8

Other options include specifying a domain name with domain-name, using dns-server to give the DNS server location to clients, and specifying the IP address of the default router with default-router. Both the default router and DNS servers can be referred to by either their hostname or IP address.

MLS_1(dhcp-config)#domain-name ?
  WORD  Domain name

MLS_1(dhcp-config)#domain-name bryantadvantage.com

MLS_1(dhcp-config)#dns-server ?
  Hostname or A.B.C.D  Server's name or IP address

MLS_1(dhcp-config)#dns-server 10.3.3.3

MLS_1(dhcp-config)#default-router ?
  Hostname or A.B.C.D  Router's name or IP address

MLS_1(dhcp-config)#default-router 10.1.1.1

Define the lease length with lease, or set it to never expire with infinite. Use IOS Help to check the units of time!

MLS_1(dhcp-config)#lease ?
  <0-365>   Days
  infinite  Infinite lease

MLS_1(dhcp-config)#lease 10 ?
  <0-23>  Hours
  <cr>

MLS_1(dhcp-config)#lease 10 10 ?
  <0-59>  Minutes
  <cr>

MLS_1(dhcp-config)#lease 10 10 10 ?
  <cr>

MLS_1(dhcp-config)#lease 10 10 10

A Cisco router acting as a DHCP server will check for IP address conflicts before assigning an address. The conflict check takes the form of two pings sent to that address, and those pings will time out in 500 milliseconds. If they time out, we're good and that address can be sent to the client. If we get pings back, well, we can't assign that address!

This is a value you won't adjust often, but if you want to change the number of pings sent and/or the timeout duration during the conflict check, use ip dhcp ping packets and ip dhcp ping timeout.

Note that these are globally configured commands. Setting the number of ping packets to zero disables the conflict check.

MLS_1(config)#ip dhcp ping ?
  packets  Specify number of ping packets
  timeout  Specify ping timeout

MLS_1(config)#ip dhcp ping packets ?
  <0-10>  Number of ping packets (0 disables ping)
  <cr>

MLS_1(config)#ip dhcp ping timeout ?
  <100-10000>  Ping timeout in milliseconds

Let's enable DHCP IP address acquisition on the router's Fast0/0 interface and then verify the addressing with show int fast 0/0 on the router and show ip dhcp binding on the multilayer switch.

HOST_2(config)#int fast 0/0
HOST_2(config-if)#ip address dhcp

HOST_2#show int fast 0/0
FastEthernet0/0 is up, line protocol is up
  Hardware is Gt96k FE, address is 001b.d4c2.0990 (bia 001b.d4c2.0990)
  Internet address is 10.1.1.2/8

MLS_1#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type
                Hardware address/
                User name
10.1.1.2        0063.6973.636f.2d30.    Mar 26 2015 01:16 AM    Automatic
                3031.622e.6434.6332.
                2e30.3939.302d.4661.
                302f.30

IP Helper Addresses

Routers accept broadcasts, and routers create broadcasts, but routers do not forward broadcasts by default. That can present an issue with DHCP messages when a router is between the requesting host and the DHCP server. After all, the first message in the entire process is a broadcast! On occasion we just might need some help with our DHCP broadcast messages… some helper addresses, perhaps!

Using ip helper-address on a router or multilayer switch allows the device to translate certain broadcasts to a unicast, making forwarding possible. The command should be configured on the interface that will be receiving the broadcasts, not the interface closest to the destination. The command syntax is exactly the same whether you're configuring this command on a multilayer switch SVI or a router's physical interface.

MLS_1(config)#int vlan 10
MLS_1(config-if)#ip address 10.1.1.1 255.255.255.0
MLS_1(config-if)#ip helper-address ?
  A.B.C.D  IP destination address
  global   Helper-address is global
  vrf      VRF name for helper-address (if different from interface VRF)

MLS_1(config-if)#ip helper-address 10.5.5.5 ?
  <cr>

MLS_1(config-if)#ip helper-address 10.5.5.5

R1(config)#int fast 0/0
R1(config-if)#ip helper-address ?
  A.B.C.D  IP destination address
  global   Helper-address is global
  vrf      VRF name for helper-address (if different from interface VRF)

R1(config-if)#ip helper-address 10.5.5.5

A device running ip helper-address to help with DHCP server reachability is said to be a DHCP relay agent. That's accurate, but not entirely accurate, as nine common UDP service broadcasts are helped in this manner by this command. TACACS, BOOTP/DHCP Server, BOOTP/DHCP Client, TFTP, DNS, TIME, NetBIOS name service, NetBIOS datagram service, and IEN-116 name service all benefit from this command.

Got multiple DHCP servers your switch needs help reaching? No worries, just configure multiple ip helper-address statements and verify with show ip helper-address.

HOST_1#show ip helper-address
Interface          Helper-Address
FastEthernet0/0    10.5.5.5
                   10.6.6.6

The Dynamic Shall Become Static

On rare occasions, you may need to create a static IP address binding (also called a "manual" binding) in your network. That rare occasion is when you need DHCP to give a client the same address every single time. I'm saying "rare" in a hopeful voice, because configuring these suckers can be a real pain in the butt. (The voice of experience speaks!)

Before we start a manual binding, we need the client identifier of the client in question. Since that client already has an IP address from us, we can get the client ID from the DHCP binding table.

MLS_1#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type
                Hardware address/
                User name
10.1.1.2        0063.6973.636f.2d30.    Mar 26 2015 01:16 AM    Automatic
                3031.622e.6434.6332.
                2e30.3939.302d.4661.
                302f.30

Holy crap, that's a lot of ID, and even I don't want to start typing all those numbers! Luckily, we don't have to, as this is the ASCII string representing the client ID. To get the classic representation of that ID, use the client-id option with ip address dhcp. The Cisco identifier is going to look a lot like a MAC address. If the client uses Ethernet, as our router does, the identifier is simply a "01" in front of the MAC.

HOST_2(config)#int fast 0/0
HOST_2(config-if)#ip address dhcp ?
  client-id  Specify client-id to use
  hostname   Specify value for hostname option
  <cr>

HOST_2(config-if)#ip address dhcp client-id ?
  FastEthernet  FastEthernet IEEE 802.3

HOST_2(config-if)#ip address dhcp client-id fastethernet 0/0 ?
  hostname  Specify value for hostname option
  <cr>

HOST_2(config-if)#ip address dhcp client-id fastethernet 0/0
HOST_2(config-if)#
%DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 10.1.1.3, mask 255.0.0.0, hostname HOST_2

Note that the next address in the pool is assigned as a result of this change.

MLS_1#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type
                Hardware address/
                User name
10.1.1.3        0100.1bd4.c209.90       ...

Now there's a value we can work with! We're going to bind that client ID to the IP address 10.1.1.90. For a manual binding, start in DHCP pool mode, using the host command. Let's go into our previous DHCP pool and make that happen.

MLS_1(config)#ip dhcp pool CCNP
MLS_1(dhcp-config)#host 10.1.1.90
% This command may not be used with network, vrf or relay pools.

Hmmmm. Well, that doesn't leave a lot of ways to use it! How about client-identifier, the other required command for a DHCP manual binding?

MLS_1(dhcp-config)#client-identifier 0100.1bd4.c209.90
% This command may not be used with network, vrf or relay pools.

Now, perhaps you're starting to feel manual bindings are too much of a pain to bother with, frankly. I'm about to make you feel better about them by telling you something that a lot of books / study guides / PDFs / websites leave out – manual bindings have to be put into their own DHCP pool.

MLS_1(config)#ip dhcp pool STATIC_BINDINGS
MLS_1(dhcp-config)#host 10.1.1.90
MLS_1(dhcp-config)#client-identifier 0100.1bd4.c209.90
% A binding for this client already exists.

You also have to end any bindings that client currently has. I did so by closing the fast0/0 interface on R2. The binding was then gone, so I finished that config, reopened the interface on R2, and soon saw…

05:54:55: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 10.1.1.90, mask 255.0.0.0, hostname HOST_2

All riiiiiiiiiiight! Verify on MLS_1 with show ip dhcp binding. Note that this is described as a manual binding and the lease is infinite. With this, that interface will receive the same IP address every time.

MLS_1#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type
                Hardware address/
                User name
10.1.1.90       0100.1bd4.c209.90       Infinite                Manual

Now for just a bit of DHCP for IPv6, and then it's on to DHCP Snooping!
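The two identifier forms above (the long ASCII string the binding table first showed, and the "01" + MAC form used for the manual binding) can be converted mechanically. The following Python is an added example, my own code rather than the study guide's or Cisco's; the two constants are copied from the outputs above and the only assumption is that type-0 identifiers of the form cisco-MAC-interface are what IOS puts in that ASCII string.

```python
"""Working with the client identifiers that 'show ip dhcp binding' displays.

Added example, my own code rather than the study guide's or Cisco's. It decodes
the long dotted-hex ASCII identifier IOS showed for HOST_2 and builds the short
Ethernet form (01 followed by the MAC) that the manual binding uses; the two
constants below are copied from the output above.
"""
import re
from typing import Optional

ASCII_CLIENT_ID = "0063.6973.636f.2d30.3031.622e.6434.6332.2e30.3939.302d.4661.302f.30"
HOST_2_MAC = "001b.d4c2.0990"


def dotted_hex_to_bytes(dotted: str) -> bytes:
    """'0063.6973' -> b'\\x00cis'; groups are four hex digits, the last may be shorter."""
    hexstr = dotted.replace(".", "")
    if not re.fullmatch(r"[0-9a-fA-F]+", hexstr) or len(hexstr) % 2:
        raise ValueError(f"not a dotted-hex string: {dotted!r}")
    return bytes.fromhex(hexstr)


def bytes_to_dotted_hex(data: bytes) -> str:
    """Inverse of dotted_hex_to_bytes, using IOS's four-digit groups."""
    h = data.hex()
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))


def decode_client_id(dotted: str) -> dict:
    """Classify an identifier by its leading hardware-type byte."""
    raw = dotted_hex_to_bytes(dotted)
    htype = raw[0]
    if htype == 0x01 and len(raw) == 7:          # Ethernet: 01 + 48-bit MAC
        return {"kind": "ethernet", "mac": bytes_to_dotted_hex(raw[1:])}
    if htype == 0x00:                              # type 0: opaque ASCII string
        text = raw[1:].decode("ascii")
        # Assumed layout of the Cisco string: cisco-<MAC>-<interface>
        m = re.fullmatch(r"cisco-([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})-(.+)", text)
        return {"kind": "cisco-ascii", "text": text,
                "mac": m.group(1) if m else None,
                "interface": m.group(2) if m else None}
    return {"kind": f"htype-{htype}", "raw": raw.hex()}


def ethernet_client_id(mac: str) -> str:
    """Build the '01' + MAC identifier that 'ip address dhcp client-id' sends."""
    mac_bytes = dotted_hex_to_bytes(mac)
    if len(mac_bytes) != 6:
        raise ValueError(f"MAC must be 6 bytes: {mac!r}")
    return bytes_to_dotted_hex(b"\x01" + mac_bytes)


def mac_of(client_id: str) -> Optional[str]:
    """The MAC behind either identifier form, or None if it carries none."""
    return decode_client_id(client_id).get("mac")


def same_client(id_a: str, id_b: str) -> bool:
    """True when two identifiers, in either form, belong to the same MAC."""
    mac_a, mac_b = mac_of(id_a), mac_of(id_b)
    return mac_a is not None and mac_a == mac_b
```

Running decode_client_id on the long string yields cisco-001b.d4c2.0990-Fa0/0, and ethernet_client_id on that MAC yields 0100.1bd4.c209.90, the value used in the STATIC_BINDINGS pool.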

DHCP - IP Version 6 Style

IPv6 brings us autoconfiguration, both stateless and stateful. With stateless autoconfiguration, there's no dependency on a server, and the entire process starts with the IPv6 host configuring its own link-local address. Our 128-bit IPv6 address is created in this manner with stateless autoconfiguration:

The first 64 bits of this self-generated address will be 1111 1110 10 (FE80), followed by 54 zeroes.

The last 64 bits are the interface identifier, which consists of (in order) the first half of the interface's MAC address, then the hex string FFFe, then the second half of the MAC address. You'll usually see that hex string referred to as "FFFE", but I personally like to write the "e" in lower case, since it's easy to read FFFE as FFFF.

Technically, the address is tentative at this point. It's been successfully calculated, but we need to make sure that no other host is using the same address. That's a remote possibility, but it never hurts to check, and that's where the Duplicate Address Detection (DAD) feature comes in.

DAD starts with a Neighbor Solicitation (NS) message asking if any other host on the link is using the same link-local address the NS-transmitting host just created for itself. If another host on the link is using that address, that host will respond with a Neighbor Advertisement (NA). When the host that sent the NS receives the NA, it will disable its link-local address. If no response to the NS is received, the local host is satisfied that it has a unique link-local address.

The local host will then send a Router Solicitation (RS) message with a destination of FF02::2, the "all-routers" multicast address. What's the host soliciting? It needs additional config information from a router in the form of a Router Advertisement (RA). Routers generally send these RAs periodically without an express request from a host, but even though the host would only have to wait 10 seconds or so for an RA, polling the router with an RS does speed up the overall process.

Information in the RA includes flags indicating whether the host should use DHCP for addressing information, and if DHCP is in use, the RA gives the location of the DHCP server. If DHCP is not in use, the router attaches the network prefix to the host's link-local address, which results in the host's full IPv6 address, complete with network prefix!

Stateful autoconfiguration is used when the host obtains an IPv6 address and other related information from a server. If that sounds like DHCP to you, well, it is – DHCPv6, to be exact! The key phrase in that description is "from a server". If the DHCPv6 server goes down, we're out of luck and up that well-known creek.

We can assign an IPv6 address to an SVI in almost the same way we've been assigning it an IPv4 address throughout the course. Just don't forget the "ipv6" in the command. I kid you not, one of the hardest things about learning IPv6 is getting used to entering "ipv6" over and over again in the commands.

ROUTER1(config)#int fast 0/0
ROUTER1(config-if)#ipv6 address ?
  WORD                General prefix name
  X:X:X:X::X          IPv6 link-local address
  X:X:X:X::X/<0-128>  IPv6 prefix
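The link-local construction described above, carried out in Python as an added example (my own code, not the study guide's). It follows the FE80 + 54 zero bits + MAC/FFFE/MAC recipe and also inverts the universal/local bit of the first MAC byte, which RFC 4291's modified EUI-64 requires and the description above leaves out; HOST_2's MAC from the binding table is reused as the sample input, and the /64 prefix 2001:db8:1::/64 is a constructed example value.

```python
"""Stateless autoconfiguration, step one: the self-generated link-local address.

Added example, my own code rather than the study guide's. It builds FE80::/64
plus the interface identifier described above (first half of the MAC, FFFE,
second half) and inverts the universal/local bit (bit 7 of the first MAC byte)
as RFC 4291's modified EUI-64 requires. HOST_2's MAC is the sample input.
"""
import ipaddress
from typing import Optional


def eui64_interface_id(mac: str) -> bytes:
    """48-bit MAC -> 64-bit modified EUI-64 interface identifier."""
    mac_bytes = bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError(f"MAC must be 48 bits: {mac!r}")
    first = bytes([mac_bytes[0] ^ 0x02])  # flip the U/L bit
    return first + mac_bytes[1:3] + b"\xff\xfe" + mac_bytes[3:]


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """1111 1110 10 followed by 54 zero bits (fe80:0:0:0), then the EUI-64."""
    prefix = b"\xfe\x80" + b"\x00" * 6
    return ipaddress.IPv6Address(prefix + eui64_interface_id(mac))


def global_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address the host ends up with once the RA carries a /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def solicited_node_multicast(addr) -> ipaddress.IPv6Address:
    """Destination of the DAD Neighbor Solicitation: FF02::1:FF00:0/104 + low 24 bits."""
    packed = ipaddress.IPv6Address(addr).packed
    return ipaddress.IPv6Address(bytes.fromhex("ff0200000000000000000001ff") + packed[13:])


def mac_from_eui64(addr) -> Optional[str]:
    """Recover the MAC an EUI-64 address was built from, or None for other IIDs."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # privacy or manually chosen interface ID, no MAC inside
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"
```

For HOST_2's MAC 001b.d4c2.0990 this gives fe80::21b:d4ff:fec2:990; mac_from_eui64 shows why such addresses let anyone on the link read the MAC back out of the address.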

Many of the commands and concepts are carried straight over from IPv4.

ROUTER1(config)#ipv6 dhcp pool CCNP
ROUTER1(config-dhcpv6)#?
IPv6 DHCP configuration commands:
  address            IPv6 address allocation
  default            Set a command to its defaults
  dns-server         DNS servers
  domain-name        Domain name to complete unqualified host names
  exit               Exit from DHCPv6 configuration mode
  import             Import options
  information        Information refresh option
  link-address       Link-address to match
  nis                NIS server options
  nisp               NISP server options
  no                 Negate a command or set its defaults
  prefix-delegation  IPv6 prefix delegation
  sip                SIP server options
  sntp               SNTP server options
  vendor-specific    Configure Vendor-specific option

The options for host and client-identifier are missing, and for good reason. We don't have the option to create manual bindings in IPv6 DHCP.

There's also an option missing from our ipv6 dhcp list that we did have in IPv4:

ROUTER1(config)#ipv6 dhcp ?
  database  Configure IPv6 DHCP database agents
  ping      Configure IPv6 DHCP pinging
  pool      Configure IPv6 DHCP pool
  server    Configure IPv6 DHCP server

There's no ipv6 dhcp excluded-address command, and that's for the simple reason that you can't exclude addresses in IPv6 DHCP!

DHCP Snoooooooooop (ing)

It's hard to believe that something as innocent and commonplace as DHCP can be used against our network, but the trouble can start as early as the host sending out a DHCP Discovery packet. Once that happens, the host listens for replies in the form of DHCP Offers. The host isn't particularly discriminating about the offer it accepts. Actually, the host accepts the very first offer it sees come in!

The host will use the info in the first Offer packet it receives. Part of the Offer is the address the host should use as its default gateway. The host will receive the offer and set its default gateway accordingly. No problem here, since only one DHCP Server is on the network.

BUT – what if a DHCP server not under our administrative control, a DHCP rogue server, joins our network? If the host uses the Offer from the rogue DHCP server, the host will set its default gateway to the rogue server's IP address! The rogue server's accepted Offer could set the host's DNS server address to the rogue's IP address as well, which opens the host and the network up to all kinds of nasty attacks.

DHCP Snooping allows the switch to serve as a firewall between hosts and untrusted DHCP servers. Basically, the switch snoops on DHCP conversations between those devices and makes decisions on which conversations are between trusted devices and which ones are not.

DHCP Snooping classifies switch interfaces as either trusted or untrusted. DHCP messages received on trusted interfaces will be allowed to pass through the switch, while DHCP messages received on untrusted interfaces will be dropped by the switch AND the interface will go into err-disabled state.

You're now asking yourself whether there's some automagical way for the switch to detect valid DHCP servers. Sorry, no. Trusted ports must be configured manually and explicitly by the network admin. By default, the switch considers all ports untrusted, so we better remember to trust some ports when running this feature. Otherwise, we'll have no dynamic IP addressing and a lot of err-disabled ports!

First step: Enable DHCP Snooping on the switch.

MLS_1(config)#ip dhcp snooping ?
  database     DHCP snooping database agent
  information  DHCP Snooping information
  verify       DHCP snooping verify
  vlan         DHCP Snooping vlan
  <cr>

MLS_1(config)#ip dhcp snooping

Next step: Identify the VLANs that will use DHCP Snooping.

MLS_1(config)#ip dhcp snooping vlan ?
  WORD  DHCP Snooping vlan first number or vlan range, example: 1,3-5,7,9-11

MLS_1(config)#ip dhcp snooping vlan 4

With our trusted DHCP server on port Fa0/10, we'll now trust that individual port:

MLS_1(config)#int fast 0/10
MLS_1(config-if)#ip dhcp snooping ?
  information  DHCP Snooping information
  limit        DHCP Snooping limit
  trust        DHCP Snooping trust config
  vlan         DHCP Snooping vlan

MLS_1(config-if)#ip dhcp snooping trust

When used with DHCP Snooping, the sinister-sounding Option 82 basically extends Snooping's trust boundary. When DHCP packets with Option 82 set come in on untrusted ports that have this option enabled, those packets are not dropped. Instead, the switch injects its own DHCP relay info into the Option-82 field (including its MAC address), and the packet is then forwarded to a DHCP Server. To enable this option, use ip dhcp snooping information option.

MLS_1(config)#ip dhcp snooping information ?
  option  DHCP Snooping information option

MLS_1(config)#ip dhcp snooping information option

When the reply to that DHCP message comes back, the switch validates the message by checking to see if its own Option 82 info was included in the reply. If so, that info is removed and the packet is forwarded. If not, the packet is dropped. This validity check is enabled by default. If you want to turn it off for some reason, use no ip dhcp relay information check.

MLS_1(config)#no ip dhcp relay ?
  bootp        BOOTP specific configuration
  information  Relay agent information option
  prefer       Relay agent server selection approach

MLS_1(config)#no ip dhcp relay information ?
  check      Validate relay information in BOOTREPLY
  option     Insert relay information in BOOTREQUEST
  policy     Define reforwarding policy
  trust-all  Received DHCP packets may contain relay info option with zero giaddr

Verify your config with show ip dhcp snooping.

MLS_1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
4
DHCP snooping is operational on following VLANs:
4
Smartlog is configured on following VLANs:
none
Smartlog is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 0017.9466.f780 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
FastEthernet0/10           yes        yes             unlimited

Note the "rate limit" for the untrusted port is "unlimited". That refers to the number of DHCP packets the interface can accept in one second. Use ip dhcp snooping limit rate to set a limit for this value. IOS Help doesn't mention the measuring unit in this command, so it's a good idea to know it's packets per second.

MLS_1(config)#int fast 0/9
MLS_1(config-if)#ip dhcp snooping ?
  information  DHCP Snooping information
  limit        DHCP Snooping limit
  trust        DHCP Snooping trust config
  vlan         DHCP Snooping vlan

MLS_1(config-if)#ip dhcp snooping limit ?
  rate  DHCP Snooping limit

MLS_1(config-if)#ip dhcp snooping limit rate ?
  <1-2048>  DHCP snooping rate limit

MLS_1(config-if)#ip dhcp snooping limit rate 1000 ?
  <cr>

Dynamic ARP Inspection

If you can't trust DHCP, who can you trust? Well, not ARP, because the Address Resolution Protocol can turn on us in a minute! A rogue device on our network can overhear part of the ARP conversation and make itself look like a legitimate part of the action. This happens through ARP Cache Poisoning, also known as ARP Spoofing.

Here, Host A is sending an ARP Request, requesting the host with the IP address 172.12.12.2 respond with its MAC address. Before responding, Host B makes an entry in its local ARP cache mapping the source IP address of the Request, 172.12.12.1, to the MAC address aaaa.aaaa.aaaa. The ARP Reply is then sent.

Once Host A receives the ARP Reply, Host A makes an entry in its ARP cache mapping 172.12.12.2 to cccc.cccc.cccc, and at that point, both hosts have a MAC address – IP address mapping for the other.

However, if a rogue host responds to the original ARP Request, we have a problem. The rogue host can do the same for an ARP Request sent by Host B for Host A. Meanwhile, the rogue host acquires Host B's true MAC address via ARP. As a result of this man-in-the-middle attack, all communications between A and B are going through the rogue host, leading to these two negative results:

Dynamic ARP Inspection (DAI) prevents this behavior by building a database of trusted IP – MAC address mappings. This database is the same one built by the DHCP Snooping process, and static ARP configurations can also be used by DAI.

With DAI using the DHCP Snooping Database to get the job done, it follows that DHCP Snooping must be enabled before DAI is configured. Verify with show ip dhcp snooping.

MLS_1#show ip dhcp snooping
Switch DHCP snooping is enabled

The next step in configuring DAI is to name the VLANs that will be using this feature.

MLS_1(config)#ip arp inspection ?
  filter      Specify ARP acl to be applied
  log-buffer  Log Buffer Configuration
  smartlog    Smartlog all the logged pkts
  validate    Validate addresses
  vlan        Enable/Disable ARP Inspection on vlans
MLS_1(config)#ip arp inspection vlan ?
  WORD  vlan range, example: 1,3-5,7,9-11
MLS_1(config)#ip arp inspection vlan 4

Watch this one: DAI uses the concepts of trusted and untrusted ports, just as DHCP Snooping does, but DAI has some major differences in how messages are treated by these port types.

Once the IP – MAC address database is built, every single ARP Request and ARP Reply received on an untrusted interface is examined. If the ARP message has an approved MAC – IP address mapping, the message is forwarded appropriately. If no such mapping exists, the ARP message is dropped, not transmitted. DAI is performed as ARP messages are received. On trusted interfaces, DAI allows the ARP message to pass without checking the database at all.

The validate option gives us the option to go beyond DAI’s default inspection.

MLS_1(config)#ip arp inspection validate ?
  dst-mac  Validate destination MAC address
  ip       Validate IP addresses
  src-mac  Validate source MAC address

Here’s what happens with these enabled:

“src-mac” compares the source MAC address in the Ethernet header and the MAC address of the source of the ARP message.
“dst-mac” compares the destination MAC in the Ethernet header and the MAC destination address of the ARP message.
“ip” compares the ARP Request’s source IP against the destination IP of the ARP Reply.

Let’s use the ip option and verify with show ip arp inspection.

MLS_1#show ip arp inspection
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Enabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    4     Enabled          Active

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
    4     Deny             Deny              Off

 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    4              0              0              0              0

 Vlan   DHCP Permits    ACL Permits  Probe Permits   Source MAC Failures
 ----   ------------    -----------  -------------   -------------------
    4              0              0              0                     0

 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
    4                   0                        0                       0

If you see those validation failures start to add up, you just might have a rogue device on your network.

Now, about our ports! DAI considers all ports untrusted by default. To trust one (or remove trust from one that was trusted), use ip arp inspection trust.

MLS_1(config)#int fast 0/10
MLS_1(config-if)#ip arp inspection ?
  limit  Configure Rate limit of incoming ARP packets
  trust  Configure Trust state
MLS_1(config-if)#ip arp inspection trust ?
  <cr>
MLS_1(config-if)#ip arp inspection trust

Should you run DAI in your network, you’ll likely run it on all of your switches. Cisco’s recommended trusted / untrusted port config is to have all ports connected to hosts run as untrusted and all ports connected to switches as trusted. Since DAI runs only on ingress ports, this scheme ensures that every ARP packet has to pass one checkpoint but no more than that, and it’s a good idea to avoid unnecessary inspection.

Verify with show ip arp inspection interface. To see this DAI info for all interfaces, run that command; for just one, name the interface at the end of the command.

MLS_1#show ip arp inspection int fast 0/10
 Interface        Trust State     Rate (pps)    Burst Interval
 ---------------  -----------     ----------    --------------
 Fa0/10           Trusted         None          N/A

IP Source Guard

Another “the name is the recipe” feature, IP Source Guard prevents a host on the network from using another host’s IP address. IP Source Guard works in tandem with DHCP

Snooping and uses the same database to carry out this operation, so we need to have DHCP Snooping up and running before configuring IP Source Guard.

With this feature enabled, a host that comes online and is connected to an untrusted port can receive only DHCP-related traffic. Once that host successfully acquires an IP address via DHCP, the switch takes note of that IP address assignment. This IP address-to-switchport mapping is generally referred to as binding.

The switch then creates a VLAN ACL (VACL) that will only allow traffic to be processed by a port if the previously noted source IP address is present on incoming traffic. Should the host pretend to be another host on that subnet – that is, to spoof that other host’s IP address – the switch will simply drop that incoming traffic, since the source IP address of that incoming traffic will not match the database’s entry for that port.

Once DHCP Snooping is enabled and verified, use ip verify source to enable IP Source Guard at the interface level. There are two important options to go with that, port-security and smartlog.

MLS_1(config)#int fast 0/3
MLS_1(config-if)#ip verify source ?
  port-security  port security
  smartlog       Smartlog denied packets
  <cr>
MLS_1(config-if)#ip verify source

The default value checked is the IP source address. After all, this is IP Source Guard! The port-security option enables an extra level of security, as the source MAC address of incoming packets on that port will be checked against the local switch’s MAC address table. If those addresses match, all is well; if not, the packets are dropped.

Smartlog enables the switch to send dropped packets to a NetFlow collector. If you don’t need this feature, leave it alone.

I’ll go with the default setting here and leave those options off, and be prepared to see “disabled” for “log” in the output of show ip verify source.

MLS_1#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan  Log
---------  -----------  -----------  ---------------  -----------------  ----  --------
Fa0/3      ip           active       deny-all                            1     disabled

If the device off fast 0/3 was getting its IP address via DHCP, we’d see its address under IP-address, rather than deny-all. That router is using a static address instead, so we

have to create a manual binding for it with ip source binding in order to use IP Source Guard here. The command is long-winded, but not difficult. You can get the MAC address of this host from the local switch’s MAC address table or from the device itself.

MLS_1(config)#ip source binding ?
  H.H.H  binding MAC address
MLS_1(config)#ip source binding 001f.ca96.2754 ?
  vlan  binding VLAN
MLS_1(config)#ip source binding 001f.ca96.2754 vlan ?
  <1-4094>  binding VLAN number
MLS_1(config)#ip source binding 001f.ca96.2754 vlan 1 ?
  A.B.C.D  binding IP address
MLS_1(config)#ip source binding 001f.ca96.2754 vlan 1 10.1.1.3 ?
  interface  binding interface
MLS_1(config)#ip source binding 001f.ca96.2754 vlan 1 10.1.1.3 int fast 0/3 ?
  <cr>
MLS_1(config)#ip source binding 001f.ca96.2754 vlan 1 10.1.1.3 int fast 0/3

MLS_1#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan  Log
---------  -----------  -----------  ---------------  -----------------  ----  --------
Fa0/3      ip           active       10.1.1.3                            1     disabled

In the output of show ip verify source, note that “log” is disabled – that’s Smartlog.

VLAN Hopping

How can something that sounds so much fun be so evil? VLAN Hopping techniques use dot1q tagging against us, and we love dot1q tagging! We get less overhead… we LOVE dot1q tagging and we’re not letting it go! And if we follow a few simple network security tips, we don’t have to! Let’s have a look at how VLAN Hopping attacks work.

One form of hopping is double tagging, where an intruder transmits frames that are tagged with two separate VLAN IDs. Some very specific circumstances have to exist for this attack to bear fruit:

The intruding device must be attached to an access port.
The VLAN used by that access port must be the native VLAN, so dot1q must be in use. ISL wouldn’t work at all for this attack.

When that rogue host transmits a frame, the frame will have two tags – one indicating native VLAN membership, the other carrying the VLAN number of the VLAN to be attacked. We’ll assume that VLAN 100 is the ultimate target. The trunk receiving this double-tagged frame sees the tag for the native VLAN, and as usual that tag is removed and the frame is then sent across the trunk. Problem is, the tag for VLAN 100 is still there!

When the remote switch receives that frame, it sees the tag for VLAN 100 and forwards the frame to ports in that VLAN. The rogue has now successfully hopped from one VLAN to the other. Big deal, right? Right! It is a big deal! It seems innocent enough, but VLAN Hopping has been used for a huge variety of network attacks, ranging from Trojan horse virus propagation to stealing bank account numbers and passwords.

There’s a classic defense for this attack. Classic solution: Make your native VLAN a VLAN that no hosts are actually a member of. This solution leads to another problem: you may have a little more overhead as a result, but that stops double tagging in its tracks! You can also go the extra mile (or extra command) and prune that native VLAN from the trunk.

Switch spoofing is a VLAN Hopping variation that’s even worse than double tagging. Switch spoofing allows the rogue to pretend to be a member of all VLANs in our network. Not good!

Some Cisco switch ports run in dynamic desirable mode by default, which means a port is sending out Dynamic Trunking Protocol frames in an aggressive effort to form a trunk. Problem is, the switch just knows it’s sending DTP frames – it has no idea who’s actually receiving them. The switch is basically hoping nothing bad happens as a result of sending these frames blindly.

“Remember Red, hope is a good thing, maybe the best of things, and no good thing ever dies.” – Andy Dufresne, The Shawshank Redemption

“Hope is a good thing, but a lousy network security strategy.” – Chris Bryant, The Book You’re Reading

Many well-meaning network admins will put this kind of port into Auto mode, meaning the port will trunk but isn’t actively looking to do so. (This is also a security vulnerability for Cisco switches whose default port trunking mode is Auto.) Problem is, a rogue host connected to a port in Auto mode can pretend it’s a switch and send DTP frames of its own, which leads to a trunk between our switch and someone else’s switch.

Every port on your switch that doesn’t lead to another switch known to be under your administrative control should be placed into access mode. Doing so disables the port’s ability to create a trunk and the rogue host’s ability to switch spoof!

These simple network security tips – using an empty VLAN as the native VLAN, disabling dynamic and auto trunking modes – will score points for you in the exam room and save you serious troubles in your server room!

The Cisco Discovery Protocol

Many companies have clear, concise network maps that show every physical connection in their network, and these maps are regularly updated as their network changes. Some networks do not.

A big part of network troubleshooting is quietly verifying what a client has told you. Just because someone is looking over your shoulder and saying “That switch is connected to the other one at fast0/12!”, they’re not necessarily correct. We can use the Cisco Discovery Protocol (CDP) to see what Cisco devices are directly connected to the Cisco device we’re currently working on.

This Layer 2 protocol runs globally and on a per-interface level by default on Cisco routers and switches, and is Cisco-proprietary. It’s on by default but often disabled in production networks. CDP sends its announcements every 60 seconds to the destination MAC address 01:00:0c:cc:cc:cc, and the holdtime is 180 seconds. To change either of those, use cdp timer and/or cdp holdtime.

Before we get to those commands, let’s run show cdp to see if CDP is enabled in the first place. If you get global info, it’s on, and if you don’t, it’s not!

MLS_1#show cdp
% CDP is not enabled

To enable CDP globally, use cdp run (and no cdp run to turn it off globally).

MLS_1(config)#cdp run
MLS_1(config)#^Z
*Mar  1 00:18:54.542: %SYS-5-CONFIG_I: Configured from console by console
MLS_1#show cdp
Global CDP information:
        Sending CDP packets every 60 seconds
        Sending a holdtime value of 180 seconds
        Sending CDPv2 advertisements is enabled

When you have interface-level and globally-configured commands enabling and disabling the same protocol, you just know that’s going to show up on your exam in some fashion.

MLS_1(config)#cdp ?
  advertise-v2  CDP sends version-2 advertisements
  holdtime      Specify the holdtime (in sec) to be sent in packets
  run           Enable CDP
  timer         Specify the rate at which CDP packets are sent (in sec)
  tlv           Enable exchange of specific tlv information
MLS_1(config)#cdp timer ?
  <5-254>  Rate at which CDP packets are sent (in sec)
MLS_1(config)#cdp holdtime ?
  <10-255>  Length of time (in sec) that receiver must keep this packet

For that all-important info on directly connected Cisco devices, run show cdp neighbor.

MLS_1#show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
HOST_3           Fas 0/3           122            R S I      2801      Fas 0/0
HOST_1           Fas 0/1           176            R S I      2801      Fas 0/0

From left to right, we see…

Device ID, the remote device’s hostname.
Local interface, the local switch’s interface that is directly connected to the remote host.

Holdtime, the number of seconds the local device will retain the contents of the last CDP advertisement received from that remote host.
Capability, the type of device the remote device is! In this case, we have two devices that can run as both routers and switches, so it’s a good guess that those are L3 switches!
Platform, the remote device’s hardware platform. Both connections here are to Cisco 2801 switches.
Port ID, the remote device’s interface involved in the direct connection.

You may want to leave CDP on globally but disable / reenable it on a particular interface. At the interface level, use the commands no cdp enable and cdp enable to get the job done. We’ll disable CDP on the interface leading directly to Host 1.

MLS_1(config)#int fast 0/1
MLS_1(config-if)#cdp ?
  enable  Enable CDP on interface
  tlv     Enable exchange of specific tlv information
MLS_1(config-if)#cdp enable ?
  <cr>
MLS_1(config-if)#no cdp ?
  enable  Enable CDP on interface
  tlv     Enable exchange of specific tlv information
MLS_1(config-if)#no cdp enable

About 3 minutes after disabling CDP on that interface, Host_1 disappears from the CDP table.

MLS_1#show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
HOST_3           Fas 0/3           148            R S I      2801      Fas 0/0

Real-world courtesy tip: If your client has CDP turned off, and you turn it on for troubleshooting, turn it back off before you leave, just as you would turn off debugs before leaving.

For more details on those neighbors, run show cdp neighbor detail. This command gives you both the IP address and IOS version run by each neighbor.

MLS_1#show cdp neighbor detail
Device ID: HOST_3
Entry address(es):
  IP address: 10.1.1.3
Platform: Cisco 2801,  Capabilities: Router Switch IGMP
Interface: FastEthernet0/3,  Port ID (outgoing port): FastEthernet0/0
Holdtime : 125 sec

Version :
Cisco IOS Software, 2801 Software (C2801-ADVENTERPRISEK9_IVS-M), Version 15.1(2)T2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Sat 23-Oct-10 00:43 by prod_rel_team

advertisement version: 2
VTP Management Domain: ''
Duplex: full
Management address(es):
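Everything show cdp neighbor detail printed above travels in the advertisement as type-length-value records, readable by anyone on the segment. As an added example (not code from the book or from Cisco), here is a Python encoder/decoder for the CDP payload that carries the HOST_3 values from the page; the sample advertisement is constructed here, and the TLV type codes and capability bits are those of the CDP frame format, not anything shown on the page.

```python
import struct
from typing import Dict, List

# TLV type codes from the CDP frame format
TLV_DEVICE_ID, TLV_ADDRESSES, TLV_PORT_ID = 0x0001, 0x0002, 0x0003
TLV_CAPABILITIES, TLV_VERSION, TLV_PLATFORM = 0x0004, 0x0005, 0x0006

# Capability bits, in the order of the show cdp neighbor legend codes R T B S H I r
CAPABILITY_BITS = [(0x01, "Router"), (0x02, "Trans Bridge"), (0x04, "Source Route Bridge"),
                   (0x08, "Switch"), (0x10, "Host"), (0x20, "IGMP"), (0x40, "Repeater")]


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; odd-length input is zero-padded here
    (real CDP treats odd lengths differently, so the sample below is kept even)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tlv(tlv_type: int, value: bytes) -> bytes:
    """One CDP TLV: 2-byte type, 2-byte length (header included), then the value."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def ipv4_addresses_tlv(addresses: List[str]) -> bytes:
    """Addresses TLV: 4-byte count, then per address protocol type 1 (NLPID),
    protocol length 1, protocol 0xCC (IP), 2-byte address length, 4 address bytes."""
    body = struct.pack("!I", len(addresses))
    for addr in addresses:
        body += struct.pack("!BBBH", 1, 1, 0xCC, 4) + bytes(int(o) for o in addr.split("."))
    return tlv(TLV_ADDRESSES, body)


def build_advertisement(device_id: str, addresses: List[str], port_id: str, caps: int,
                        version: str, platform: str, ttl: int = 180) -> bytes:
    """CDP payload: version byte (2), TTL byte (the holdtime), 16-bit checksum, TLVs."""
    body = (tlv(TLV_DEVICE_ID, device_id.encode()) + ipv4_addresses_tlv(addresses)
            + tlv(TLV_PORT_ID, port_id.encode()) + tlv(TLV_CAPABILITIES, struct.pack("!I", caps))
            + tlv(TLV_VERSION, version.encode()) + tlv(TLV_PLATFORM, platform.encode()))
    checksum = inet_checksum(struct.pack("!BBH", 2, ttl, 0) + body)
    return struct.pack("!BBH", 2, ttl, checksum) + body


def parse_advertisement(payload: bytes) -> Dict[str, object]:
    """Walk the TLVs and return the fields show cdp neighbor detail prints."""
    if len(payload) < 4 or inet_checksum(payload) != 0:
        raise ValueError("bad CDP header or checksum")
    out: Dict[str, object] = {"cdp_version": payload[0], "holdtime": payload[1]}
    pos = 4
    while pos + 4 <= len(payload):
        tlv_type, length = struct.unpack("!HH", payload[pos:pos + 4])
        if length < 4 or pos + length > len(payload):
            raise ValueError("truncated TLV at offset %d" % pos)
        value = payload[pos + 4:pos + length]
        if tlv_type == TLV_DEVICE_ID:
            out["device_id"] = value.decode()
        elif tlv_type == TLV_PORT_ID:
            out["port_id"] = value.decode()
        elif tlv_type == TLV_PLATFORM:
            out["platform"] = value.decode()
        elif tlv_type == TLV_VERSION:
            out["version"] = value.decode()
        elif tlv_type == TLV_CAPABILITIES:
            bits = struct.unpack("!I", value)[0]
            out["capabilities"] = [name for bit, name in CAPABILITY_BITS if bits & bit]
        elif tlv_type == TLV_ADDRESSES:
            count, off, addrs = struct.unpack("!I", value[:4])[0], 4, []
            for _ in range(count):
                proto_len = value[off + 1]
                addr_len = struct.unpack("!H", value[off + 2 + proto_len:off + 4 + proto_len])[0]
                start = off + 4 + proto_len
                addrs.append(".".join(str(b) for b in value[start:start + addr_len]))
                off = start + addr_len
            out["addresses"] = addrs
        pos += length          # unknown TLV types are simply skipped
    return out


# Constructed sample: the HOST_3 neighbor from the page (Router|Switch|IGMP = 0x29)
SAMPLE_CDP_PAYLOAD = build_advertisement(
    "HOST_3", ["10.1.1.3"], "FastEthernet0/0", 0x01 | 0x08 | 0x20,
    "Cisco IOS Software, 2801 Software (C2801-ADVENTERPRISEK9_IVS-M), Version 15.1(2)T2",
    "Cisco 2801")

if __name__ == "__main__":
    for key, val in parse_advertisement(SAMPLE_CDP_PAYLOAD).items():
        print("%-13s %s" % (key, val))
```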

CDP gives you a lot of great info, so why do many networks disable it? CDP offers no authentication, nor does it use any kind of encryption – all CDP info is sent in clear text. You can see by the info in the show cdp neighbor detail output that we don’t want this information accessible to everyone.

The issue with disabling CDP is that many network management tools use info gathered by CDP. To minimize the risk of running CDP, determine where it really needs to be running and where you can do without it, and use the interface-level commands to make that happen.

I’m sure you noticed that the CDP commands referred to a “version 2”, which brings up the musical question, “What happened to CDP version 1?” v1 is still available, and like the non-encrypted-by-default enable password, it’s being kept around for backward compatibility. CDP v2 has greatly enhanced error-reporting capabilities (Cisco’s terms for this include “rapid reporting mechanism” or “enhanced reporting mechanism”). CDPv2 recognizes the native VLAN concept, where v1 doesn’t, and can report mismatched native VLANs.

You likely noted the term “tlv” in some of the CDP command options. “tlv” refers to Type-Length-Value, a series of informational messages sent by an LLDP-enabled device. (TLVs are not exclusive to LLDP though.)

In case you run into networks that (shudder) run non-Cisco devices, the Link Layer Discovery Protocol may come in handy. LLDP is the vendor-independent equivalent of CDP and is defined by IEEE 802.1ab. LLDP is also known as the Station and Media Access Control Connectivity Discovery. For obvious reasons, we prefer “LLDP”.

There’s a very helpful extension, LLDP for Media Endpoint Devices (LLDP-MED), which comes into play when VoIP is in use. According to Cisco’s website, “LLDP-MED is specified to operate only between endpoint devices such as IP phones and network connectivity devices such as switches.” CDP does carry info that LLDP-MED doesn’t, including the following:

MTU size
VLAN Trunking Protocol information
IP network prefix support (for ODR, On-Demand Routing)

I’ve included a link to a Cisco PDF with a great deal of helpful info comparing LLDP-MED and CDP. While not required reading for the CCNP exams, I do recommend it for greater understanding of LLDP-MED in particular.

http://www.cisco.com/en/US/technologies/tk652/tk701/technologies_white_paper0900aecd804cd46d.html

Telnet vs. SSH

Telnet’s a great way to communicate with remote routers and switches, but there’s just one problem – all of the data sent to the remote host, including passwords, is transmitted in clear text. We really hate that. Any would-be network intruder who intercepts that transmission can easily enter our network and cause all kinds of trouble.

Secure Shell (SSH) is basically encrypted Telnet, since the basic operation of SSH is similar to that of Telnet, but all data (and the password!) is encrypted. SSH requires a little more config than Telnet, which is no problem, but it may also require a stronger IOS image and/or hardware that you don’t have in your network, which is a

problem.

Telnet allows the configuration of a one-size-fits-all password on the VTY lines (“password CCNP”), but SSH does not. Each individual user is assigned a password of their own, and the username/password combination must match a database entry for authentication to be successful. For SSH authentication, you’ll need to configure a local database on the router or use AAA.

A local user database is created with the username / password command.

MLS_1(config)#username tarrant password tarantula
MLS_1(config)#username signal password gasoline
MLS_1(config)#username homer password beeeeeeer

SSH configuration also requires a domain name to be specified with ip domain-name and crypto key creation with crypto key generate rsa.

MLS_1(config)#crypto key generate rsa
The name for the keys will be: MLS_1.bryantadvantage.com
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)

To limit authentication to SSH and disallow Telnet, run transport input ssh on the VTY lines.

MLS_1(config)#line vty 0 4
MLS_1(config-line)#transport input ?
  all     All protocols
  none    No protocols
  ssh     TCP/IP SSH protocol
  telnet  TCP/IP Telnet protocol
MLS_1(config-line)#transport input ssh
MLS_1(config-line)#login local

Be careful with your switch VTY line configs, though. Cisco switches have 16 lines:

line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login

Problem is, the config I just wrote limited only those five VTY lines to SSH connections. Whoops! Easily fixed. After entering VTY line config mode with line vty 0 15, running transport input ssh and login local again applies that command to all lines.

MLS_1(config)#line vty 0 15
MLS_1(config-line)#transport input ssh
MLS_1(config-line)#login local

line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh

Telnet and SSH do share an important option, and that’s the use of ACLs to determine who should be able to connect. Create the ACL defining the source IP addresses of trusted users – or as I’ve done here, block untrusted addresses and allow everyone else in – and apply the ACL to the VTY lines with access-class.

MLS_1(config)#ip access-list standard STOPTHATGUY
MLS_1(config-std-nacl)#deny host 3.3.3.3

MLS_1(config-std-nacl)#permit any
MLS_1(config-std-nacl)#line vty 0 15
MLS_1(config-line)#access-class STOPTHATGUY ?
  in   Filter incoming connections
  out  Filter outgoing connections
MLS_1(config-line)#access-class STOPTHATGUY in

Chapter 10: MONITORING THE SWITCHES

Let’s take a deep breath and move from security to monitoring!

Syslog delivers messages regarding network events, along with a timestamp that helps you determine when the event occurred. These messages can be quite helpful in figuring out what the heck just happened in your network – you just have to remain calm and read the message carefully. I say that because some network admins panic more than a little when these messages show up, and in that panic they miss the message that’s right in front of them.

Logging is straightforward, but the logging command itself can be a little tricky. Let’s take a look at the logging options.

MLS_1(config)#logging ?
  Hostname or A.B.C.D  IP address of the logging host

That one’s simple enough! We just need to follow logging with the hostname or IP address of that host. The trap option is a bit more complex:

MLS_1(config)#logging trap ?
  <0-7>   Logging severity level
  alerts  Immediate action needed  (severity=1)

  critical       Critical conditions                (severity=2)
  debugging      Debugging messages                 (severity=7)
  emergencies    System is unusable                 (severity=0)
  errors         Error conditions                   (severity=3)
  informational  Informational messages             (severity=6)
  notifications  Normal but significant conditions  (severity=5)
  warnings       Warning conditions                 (severity=4)
  <cr>

When you select a trap level, all messages of the numeric severity you choose and all those with a lower numeric value are sent to the logging server specified with hostname. You can use the name of the level or the numeric value – just set it high enough so you get all the messages you need sent to that server. Therefore, to send all log messages to the server, you need only specify level 7.

Deciphering syslog messages takes a little practice, so let’s get that practice with the latest syslog message on my L3 switch.

*Mar  1 02:50:32.465: %SYS-5-CONFIG_I: Configured from console by console

The “5” in that message indicates the severity level, followed by the mnemonic for this message and the message text itself.

You can change the beginning of syslog messages to the timestamp format of your choice with service timestamps log.

MLS_1(config)#service timestamps ?
  debug  Timestamp debug messages
  log    Timestamp log messages
  <cr>
MLS_1(config)#service timestamps log ?
  datetime  Timestamp with date and time
  uptime    Timestamp with system uptime
  <cr>
MLS_1(config)#service timestamps log datetime ?
  localtime      Use local time zone for timestamps
  msec           Include milliseconds in timestamp
  show-timezone  Add time zone information to timestamp
  year           Include year in timestamp
  <cr>
MLS_1(config)#service timestamps log datetime

I personally find the milliseconds to be annoying, so let’s keep the datetime format but leave the msec option off. As a result, the next syslog message gives the date and time without the msecs.

*Mar  1 02:52:28: %SYS-5-CONFIG_I: Configured from console by console

If you prefer to have the device uptime reflected in syslog messages, just choose that option!

MLS_1(config)#service timestamps log uptime ?
  <cr>
MLS_1(config)#service timestamps log uptime

The next syslog message indicates this device has been up for 2 hours, 54 minutes, and 56 seconds.

02:54:56: %SYS-5-CONFIG_I: Configured from console by console

The switch console is set to display all syslog messages by default, and I’ve kept it there throughout the course. To change this value, use logging console.
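As an added example (not from the book), here is a Python parser for the message format just walked through, timestamp, %FACILITY-SEVERITY-MNEMONIC and text, that also applies the logging trap rule from above: a trap level, given by name or by number, forwards every message at that numeric severity and below. The sample lines are the ones shown on this page; the helper names are mine, and the leading “*” handling reflects IOS marking timestamps from a clock that is not authoritative.

```python
import re
from typing import Dict, List, Optional, Union

# Severity names and numbers as IOS Help lists them for logging trap
SEVERITY_NAMES = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
                  "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# <flag><timestamp>: %FACILITY-SEVERITY-MNEMONIC: text
SYSLOG_RE = re.compile(
    r"^(?P<flag>[*.])?"                                   # '*' = clock not authoritative
    r"(?P<ts>(?:[A-Z][a-z]{2} +\d{1,2} )?\d{2}:\d{2}:\d{2}(?:\.\d{3})?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$")


def parse_timestamp(ts: str) -> Dict[str, object]:
    """Classify the timestamp by the service timestamps log form that made it:
    datetime with msec, datetime without msec, or plain uptime (hh:mm:ss)."""
    parts = ts.split()
    if len(parts) == 3:                                   # "Mar  1 02:50:32.465"
        month, day, clock = parts
        return {"format": "datetime msec" if "." in clock else "datetime",
                "month": month, "day": int(day), "clock": clock}
    h, m, s = (int(x) for x in ts.split(":"))             # "02:54:56" = uptime
    return {"format": "uptime", "uptime_seconds": h * 3600 + m * 60 + s}


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one IOS syslog line into its fields; None if it is not one."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    return {"flag": m.group("flag"), "timestamp": parse_timestamp(m.group("ts")),
            "facility": m.group("facility"), "severity": int(m.group("severity")),
            "mnemonic": m.group("mnemonic"), "text": m.group("text")}


def trap_selects(trap_level: Union[int, str], severity: int) -> bool:
    """The logging trap rule: the chosen level and every lower number are sent."""
    level = SEVERITY_NAMES[trap_level] if isinstance(trap_level, str) else int(trap_level)
    return severity <= level


def forward_to_server(lines: List[str], trap_level: Union[int, str]) -> List[str]:
    """Return 'FACILITY-SEV-MNEMONIC' for each line the trap level would forward."""
    selected = []
    for line in lines:
        msg = parse_line(line)
        if msg and trap_selects(trap_level, msg["severity"]):
            selected.append("%s-%d-%s" % (msg["facility"], msg["severity"], msg["mnemonic"]))
    return selected


# Sample lines as shown on this page (all three timestamp formats are present)
SAMPLE_LOG = [
    "*Mar  1 02:50:32.465: %SYS-5-CONFIG_I: Configured from console by console",
    "*Mar  1 02:52:28: %SYS-5-CONFIG_I: Configured from console by console",
    "02:54:56: %SYS-5-CONFIG_I: Configured from console by console",
    "03:12:31: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up",
    "*Mar  1 00:00:36.146: %DC-6-DEFAULT_INIT_INFO: Default Profiles DB not loaded. "
    "Auth Manager registration failed",
    "04:59:01: %SYS-6-CLOCKUPDATE: System clock has been updated from 23:59:01 EST "
    "Sun Feb 28 1993 to 13:43:00 EDT Wed Mar 25 2015, configured from console by console.",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_line(line))
    for level in ("errors", 5, "debugging"):
        print("trap %-9s ->" % level, forward_to_server(SAMPLE_LOG, level))
```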

MLS_1(config)#logging console ?
  <0-7>          Logging severity level
  alerts         Immediate action needed            (severity=1)
  critical       Critical conditions                (severity=2)
  debugging      Debugging messages                 (severity=7)
  emergencies    System is unusable                 (severity=0)
  errors         Error conditions                   (severity=3)
  informational  Informational messages             (severity=6)
  notifications  Normal but significant conditions  (severity=5)
  warnings       Warning conditions                 (severity=4)

To send log messages to the local device’s internal buffer, run logging buffered followed by the severity level. To change the internal buffer from its default of 4096 bytes, run this same command followed by the number of bytes desired.

MLS_1(config)#logging buffered ?
  <0-7>              Logging severity level
  <4096-2147483647>  Logging buffer size
  alerts             Immediate action needed            (severity=1)
  critical           Critical conditions                (severity=2)
  debugging          Debugging messages                 (severity=7)
  discriminator      Establish MD-Buffer association
  emergencies        System is unusable                 (severity=0)
  errors             Error conditions                   (severity=3)
  filtered           Enable filtered logging
  informational      Informational messages             (severity=6)
  notifications      Normal but significant conditions  (severity=5)
  warnings           Warning conditions                 (severity=4)

To view the log along with log settings, run show logging.

MLS_1#show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level debugging, 36 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 36 messages logged, xml disabled,
                     filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    File logging: disabled
    Persistent logging: disabled
No active filter modules.
    Trap logging: level informational, 39 message lines logged

Log Buffer (4096 bytes):

*Mar  1 00:00:32.505: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
*Mar  1 00:00:36.146: %DC-6-DEFAULT_INIT_INFO: Default Profiles DB not loaded. Auth Manager registration failed
*Mar  1 00:00:38.352: %SYS-5-CONFIG_I: Configured from memory by console
*Mar  1 00:00:39.183: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 15.0(1)SE, RE
(truncated for clarity at this point)

Before we move to another topic, let me show you a nifty little trick. Throughout the book, you’ve seen log messages regarding ports opening and closing, such as this one:

03:12:30: %SYS-5-CONFIG_I: Configured from console by console
03:12:31: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up

03:12:32: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
03:12:35: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down

To prevent these particular messages from logging, run the interface-level command no logging event link-status.

ROUTER1(config)#int fast 0/0
ROUTER1(config-if)#no logging event ?
  link-status        UPDOWN and CHANGE messages
  subif-link-status  Sub-interface UPDOWN and CHANGE messages
ROUTER1(config-if)#no logging event link-status
ROUTER1(config-if)#shut
ROUTER1(config-if)#no shut
03:14:33: %SYS-5-CONFIG_I: Configured from console by console

We received only the configuration message; the syslog messages regarding link and line protocol status are gone. To get those logging messages back, run logging event link-status.

ROUTER1(config)#int fast 0/0
ROUTER1(config-if)#logging event link-status
ROUTER1(config-if)#shut
03:16:27: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
03:16:28: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
ROUTER1(config-if)#no shut
03:16:37: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
03:16:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

Yeah, like that!

Getting rid of the link up-down messages is a good way to keep the log size down and make the log easier to read. On routers, you may see only these two options:

  link-status        UPDOWN and CHANGE messages
  subif-link-status  Sub-interface UPDOWN and CHANGE messages

You’ll have more options for this command on switches.

MLS_1(config)#int fast 0/1
MLS_1(config-if)#no logging event ?
  bundle-status      BUNDLE/UNBUNDLE messages
  link-status        UPDOWN and CHANGE messages
  nfas-status        NFAS D-channel status messages
  spanning-tree      Spanning-tree Interface events
  status             Spanning-tree state change messages
  subif-link-status  Sub-interface UPDOWN and CHANGE messages
  trunk-status       TRUNK status messages

I like seeing these messages in lab environments, but in production networks, you can fill up a log pretty quickly with these messages. Still, I’d be careful about turning too many log messages off. You might just miss one you really need to see!

Timestamping

If your timestamps reflect an era long gone, it’s time to get another time source.

MLS_1#show clock
*04:55:05.037 UTC Mon Mar 1 1993

We can set the local device’s time with clock set, then fine-tune that setting with clock timezone and clock summer-time. Note where clock set is run as opposed to the other clock commands.

MLS_1#clock ?
  set  Set the time and date
MLS_1#clock set ?

  hh:mm:ss  Current Time

MLS_1#clock set 13:43:00 ?
  <1-31>  Day of the month
  MONTH   Month of the year

MLS_1#clock set 13:43:00 March ?
  <1-31>  Day of the month

MLS_1#clock set 13:43:00 March 25 ?
  <1993-2035>  Year

MLS_1#clock set 13:43:00 March 25 2015 ?
  <cr>

MLS_1#clock set 13:43:00 March 25 2015
04:59:01: %SYS-6-CLOCKUPDATE: System clock has been updated from 23:59:01 EST Sun Feb 28 1993 to 13:43:00 EDT Wed Mar 25 2015, configured from console by console.

MLS_1(config)#clock ?
  initialize   Initialize system clock on restart
  save         backup of clock with NVRAM
  summer-time  Configure summer (daylight savings) time
  timezone     Configure time zone

MLS_1(config)#clock timezone ?
  WORD  name of time zone

MLS_1(config)#clock timezone EST ?
  <-23 - 23>  Hours offset from UTC

MLS_1(config)#clock timezone EST -5

The clock timezone command doesn't list every time zone in the world, nor their Coordinated Universal Time (UTC) offsets, so you gotta know yours! I live on the East Coast in the United States, so I put Eastern Standard Time (EST) in for the time zone and -5 for the offset. For your personal reference, here's the Wikipedia page listing all offsets:

http://en.wikipedia.org/wiki/List_of_UTC_time_offsets

MLS_1(config)#clock summer-time ?
  WORD  name of time zone in summer

MLS_1(config)#clock summer-time EDT ?
  date       Configure absolute summer time
  recurring  Configure recurring summer time

MLS_1(config)#clock summer-time EDT recurring ?
  <1-4>  Week number to start
  first  First week of the month
  last   Last week of the month
  <cr>

MLS_1(config)#clock summer-time EDT recurring

The Network Time Protocol

It's vital for our routers and switches to have a central time source that allows our network devices to synchronize their clocks. Doing so allows our syslog timestamps to have accurate and synched time throughout the network, making troubleshooting a lot less frustrating. Synched time is important for our digital certificates as well, and if you're using any kind of accounting in your network, accurate and synched time is a necessity. You haven't lived until you bill a department for 67 days' usage of a network resource – in a single month.

clock set is okay for one or two routers, but in our networks, we're going to have a lot more routers and switches, and it's vital they have the same time. The Network Time Protocol (NTP) helps us make that happen. NTP allows us to specify time sources for our switches and routers, whether that time source is another router in the same network or an external time source.

At the very top of our NTP hierarchy are stratum-0 devices, typically atomic clocks. The number following "stratum" in non-stratum-0 devices indicates how many hops away the device is from a stratum-0 device. (And you thought you were done with hops in RIP!) Stratum-1 servers are generally referred to as time servers. You can't configure a Cisco router to get its time directly from a stratum-0 server, but we can configure a Cisco router to get its time from a stratum-1 device.

Cisco routers can serve as NTP servers, clients, or peers. The NTP server-client relationship is as you'd expect, with the server giving the correct time to clients. Clients accept the time synch message from the server and set their internal clock accordingly. Clients do NOT send NTP time synch messages back to the server.

We're not limited to the traditional Server/Client relationship with NTP. NTP peers send NTP messages to each other, and either peer can send time synch messages to the other. They can also depend on NTP broadcasts for the correct time.

We can choose to run NTP in broadcast mode or multicast mode as well. With these methods, the server broadcasts or multicasts its NTP messages, which the clients must be able to receive – otherwise, we're wasting our time! Remember that routers don't forward broadcasts or multicasts, NTP-based or otherwise.

It's highly recommended an NTP public timeserver be used as your NTP Master time source. For the latest IP addresses of these servers, just run a search on the term public NTP servers. Should you choose to use one of your network routers as the NTP Master, it's imperative you use NTP authentication and/or ACLs to prevent routers from outside your network from attempting to synch with one of your routers.

It's strongly recommended that your network's "outside" router receive its time from a public NTP timeserver. Be sure not to block UDP port 123 on that or other routers in your network – that's the port NTP uses.

In our lab, we'll configure MLS_1 as our NTP Master and a timeserver, with ROUTER_3 configured as a client of MLS_1. As always, the router number serves as the last octet of each IP address.

Let's check the clock on our NTP-Master-to-be:

MLS_1#show clock
09:25:29.167 EST Wed Mar 25 2015

It ain't 1993, so we'll take it! Our NTP options:

MLS_1(config)#ntp master ?
  <1-15>  Stratum number
  <cr>

MLS_1(config)#ntp master

On R3, I'll use ntp server to point R3 to this switch as its time source, since the only thing we're really telling the client is "Hey, here's the IP address of the time server."

ROUTER_3(config)#ntp server ?
  A.B.C.D     IP address of peer
  A.B.C.D     IP address of supervisor (127.127.1.x)
  WORD        Hostname of peer
  X:X:X:X::X  IPv6 address of peer
  ip          Use IP for DNS resolution
  ipv6        Use IPv6 for DNS resolution
  vrf         VPN Routing/Forwarding Information

ROUTER_3(config)#ntp server 10.1.1.4

The commands show ntp status and show ntp association verify NTP's operation. There's a lot of info here, and the phrase we're looking for is "clock is synchronized". We're also looking for that asterisk next to the address in show ntp association, which indicates that the synch is complete. Here's the output from the server's point of view, which includes the reference address 127.127.1.1, indicating the time source is the switch's internal clock.

MLS_1#show ntp status
Clock is synchronized, stratum 8, reference is 127.127.1.1
nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**17
reference time is D8BD46F7.F3858835 (09:38:47.951 EST Wed Mar 25 2015)
(Output truncated for clarity)

MLS_1#show ntp association
      address         ref clock     st  when  poll reach  delay  offset    disp
*~127.127.1.1       .LOCL.          7     8    16   377    0.000   0.000   0.243
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

And from the client's point of view:

ROUTER_3#show ntp status
Clock is synchronized, stratum 9, reference is 10.1.1.4
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24
reference time is D8BD47D4.46BF9352 (14:42:28.276 UTC Wed Mar 25 2015)
(Output truncated for clarity)

ROUTER_3#show ntp association
      address         ref clock     st  when  poll reach  delay  offset    disp
*~10.1.1.4          127.127.1.1     8    64    64    37    2.348 -66.425 439.243
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
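The reference time in show ntp status is printed as a raw 64-bit NTP timestamp (eight hex digits of seconds since 1 January 1900, a dot, then eight hex digits of binary fraction) beside its human-readable form. The Python script below is an added example, not from the book: it decodes the timestamps shown above, renders them the way IOS does, parses the MLS_1 status output, and flags a reference time that is hours old or in the future, which is the "era long gone" check in code.

```python
import re
from datetime import datetime, timedelta, timezone

# NTP counts seconds from 00:00:00 UTC on 1 January 1900 (RFC 5905), 70 years before Unix time.
NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

# Constructed sample: the first three lines of the MLS_1 "show ntp status" output above.
MLS_1_STATUS = """\
Clock is synchronized, stratum 8, reference is 127.127.1.1
nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**17
reference time is D8BD46F7.F3858835 (09:38:47.951 EST Wed Mar 25 2015)
"""


def decode_ntp_timestamp(ts_hex: str) -> datetime:
    """Convert 'SSSSSSSS.FFFFFFFF' (hex seconds, hex 32-bit fraction) to a UTC datetime."""
    sec_hex, _, frac_hex = ts_hex.partition(".")
    seconds = int(sec_hex, 16)
    # The fraction field is a binary fraction of one second: value / 2**32.
    micros = round(int(frac_hex or "0", 16) * 1_000_000 / 2**32)
    return NTP_EPOCH + timedelta(seconds=seconds, microseconds=micros)


def format_like_ios(dt: datetime, tz_name: str = "UTC", utc_offset_hours: int = 0) -> str:
    """Render a UTC datetime the way IOS prints it, e.g. '14:42:28.276 UTC Wed Mar 25 2015'.

    IOS prints the local time with whatever zone name was given to clock timezone,
    so the caller supplies both the name and the offset (EST is UTC minus 5 hours).
    """
    local = dt + timedelta(hours=utc_offset_hours)
    millis = local.microsecond // 1000
    return f"{local:%H:%M:%S}.{millis:03d} {tz_name} {local:%a %b} {local.day} {local.year}"


def parse_status(show_ntp_status: str) -> dict:
    """Pull synch state, stratum, reference source and decoded reference time out of show ntp status."""
    stratum = re.search(r"stratum (\d+)", show_ntp_status)
    reference = re.search(r"reference is (\S+)", show_ntp_status)
    ref_time = re.search(r"reference time is ([0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8})", show_ntp_status)
    return {
        "synchronized": "Clock is synchronized" in show_ntp_status,
        "stratum": int(stratum.group(1)) if stratum else None,
        "reference": reference.group(1) if reference else None,
        "reference_time": decode_ntp_timestamp(ref_time.group(1)) if ref_time else None,
    }


def reference_is_stale(ref_time: datetime, now: datetime, max_age: timedelta = timedelta(hours=1)) -> bool:
    """True when the last reference update is older than max_age or lies in the future.

    A device that claims to be synchronized but whose reference time is a day old (or
    still reads 1993) is not a time source you want syslog or certificates to trust.
    """
    age = now - ref_time
    return age < timedelta(0) or age > max_age


if __name__ == "__main__":
    info = parse_status(MLS_1_STATUS)
    print(info["reference"], info["stratum"], format_like_ios(info["reference_time"], "EST", -5))
    client_ref = decode_ntp_timestamp("D8BD47D4.46BF9352")   # ROUTER_3's reference time above
    print("stale:", reference_is_stale(info["reference_time"], now=client_ref))
```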
If we're fortunate and smart enough to have NTP Master redundancy, we can configure our NTP clients to have more than one time server to choose from. We can also prefer one server over the other! Just use multiple ntp server commands while also using the prefer option to indicate the preferred server.

ROUTER_3(config)#ntp server 10.1.1.4 prefer
ROUTER_3(config)#ntp server 10.1.1.7

The NTP process likely strikes you as wide open to attack. Let's use NTP authentication to tie things down a bit.

NTP authentication really just assures the client that it's talking to an NTP server that's under our administrative control. We'll enable this feature with ntp authenticate, then define a key and link that key to the ntp server command.

ROUTER_3(config)#ntp authenticate
ROUTER_3(config)#ntp authentication-key ?
  <1-4294967295>  Key number

ROUTER_3(config)#ntp authentication-key 1 ?
  md5  MD5 authentication

ROUTER_3(config)#ntp authentication-key 1 md5 ?
  WORD  Authentication key

ROUTER_3(config)#ntp authentication-key 1 md5 CCNP
ROUTER_3(config)#ntp trusted-key ?
  <1-4294967295>  Key number

ROUTER_3(config)#ntp trusted-key 1
ROUTER_3(config)#ntp server 10.1.1.4 ?
  burst    Send a burst when peer is reachable
  iburst   Send a burst when peer is unreachable
  key      Configure peer authentication key
  maxpoll  Maximum poll interval
  minpoll  Minimum poll interval
  prefer   Prefer this peer when possible
  source   Interface for source address
  version  Configure NTP version
  <cr>

ROUTER_3(config)#ntp server 10.1.1.4 key ?
  <0-4294967295>  Peer key number

ROUTER_3(config)#ntp server 10.1.1.4 key 1

We'll need the same commands on the server (except the ntp server command, of course!):

MLS_1(config)#ntp authenticate
MLS_1(config)#ntp authentication-key 1 md5 CCNP
MLS_1(config)#ntp trusted-key 1

Verify NTP authentication with show ntp association detail. I've left out most of the output of this command, because when it says "detail", it means detail! The authentication verification is right at the top of the output:

ROUTER_3#show ntp association detail
10.1.1.4 configured, authenticated, our_master, sane, valid, stratum 8
ref ID 127.127.1.1, time D8BE4169.4569D946 (08:27:21.271 UTC Thu Mar 26 2015)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64

That's all well and good, but NTP authentication isn't quite what it seems. Enabling NTP authentication on the server does NOT require NTP clients to use authentication. I've just added another router to our lab, and it's able to get time from MLS_1 with no problem – and no authentication, either!

ROUTER_1(config)#ntp server 10.1.1.4

ROUTER_1#show ntp assoc
      address         ref clock     st  when  poll reach  delay  offset    disp
*~10.1.1.4          127.127.1.1     8    26    64    17    2.790  -8.124  939.53
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

ROUTER_1#show ntp assoc detail
10.1.1.4 configured, our_master, sane, valid, stratum 8
ref ID 127.127.1.1, time D8BE4561.46322015 (08:44:17.274 UTC Thu Mar 26 2015)

To further protect our NTP deployment, we'll configure an ACL on the server and use ntp access-group to apply it to NTP. Our ACL will permit only the source IP address 10.1.1.3, and we'll call that ACL in ntp access-group.

MLS_1(config)#access-list 22 permit host 10.1.1.3
MLS_1(config)#ntp access-group ?
  peer        Provide full access
  query-only  Allow only control queries
  serve       Provide server and query access
  serve-only  Provide only server access

MLS_1(config)#ntp access-group serve ?
  <1-99>       Standard IP access list
  <1300-1999>  Standard IP access list (expanded range)
  WORD         Named access list

MLS_1(config)#ntp access-group serve 22

debug ntp packets illustrates that when MLS_1 receives an NTP message from the permitted IP address of 10.1.1.3, an NTP message is sent in reply. The debug shows an NTP message coming in from 10.1.1.1 as well, but that message is not answered due to the ACL and ntp access-group command.

MLS_1#debug ntp packet
NTP packets debugging is on
NTP message received from 10.1.1.3 on interface 'Vlan13' (10.1.1.4)
NTP message sent to 10.1.1.3, from interface 'Vlan13' (10.1.1.4)
NTP message received from 10.1.1.1 on interface 'Vlan13' (10.1.1.4)
NTP message received from 10.1.1.3 on interface 'Vlan13' (10.1.1.4)
NTP message sent to 10.1.1.3, from interface 'Vlan13' (10.1.1.4)
NTP message received from 10.1.1.1 on interface 'Vlan13' (10.1.1.4)
NTP message received from 10.1.1.3 on interface 'Vlan13' (10.1.1.4)
MLS_1#u all
All possible debugging has been turned off

With our time all synched up, let's do some network monitoring!

SNMP

The Simple Network Management Protocol is used to carry network management info from one network device to another, and you'll find it in just about every network out there today. An SNMP deployment has three main parts:

The SNMP Manager, the actual monitoring device.

The SNMP Agents, the devices being monitored (and running an SNMP instance).

The Management Information Base (MIB), the database on the Agent that contains important information ("variables") about the Agent.

SNMP Managers poll Agents over UDP port 161, and these messages take the form of GETs and SETs. A "GET" is a request for information… and a "SET" is a request from the Manager to the Agent, requesting a certain variable be set to the value indicated in the SET.

Seems like a good approach, but there's one glaring issue. The only way for the Manager to receive immediate or even near-immediate notice of a critical network event is to poll the Agents quite often, which in turn sucks up bandwidth and is a hit on the Manager's CPU.

Let's say our Manager is polling our Agent every 10 minutes regarding one particular variable. Three seconds after the Agent answers one such GET, that variable undergoes a critical change. It would then take 9 minutes and 57 seconds for the Manager to find out about the change!

To get a quick notification on such an event without overloading the Manager, we configure SNMP traps on the managed devices, allowing the Agents to send a message to the Manager when such a variable changes.

We still have three versions of SNMP out there – versions 1, 2c, and 3 – and there are some serious security concerns with the earlier versions. V3 has both authentication and encryption capabilities; the earlier versions do not. For that reason alone, you should use V3 whenever possible, and the use of the other versions should be restricted to allowing read-only access via the use of community strings.

SNMP community strings, found in SNMP v1 and 2c, are a kind of password / authority level combination that allow you to set the strings as read-only or read-write.

MLS_1(config)#snmp-server community ?
  WORD  SNMP community string

MLS_1(config)#snmp-server community CCNP ?
  <1-99>       Std IP accesslist allowing access with this community string
  <1300-1999>  Expanded IP accesslist allowing access with this community string
  WORD         Access-list name
  ro           Read-only access with this community string
  rw           Read-write access with this community string
  view         Restrict this community to a named MIB view
  <cr>

MLS_1(config)#snmp-server community CCNP ro ?
  <1-99>       Std IP accesslist allowing access with this community string
  <1300-1999>  Expanded IP accesslist allowing access with this community string
  WORD         Access-list name
  ipv6         Specify IPv6 Named Access-List
  <cr>

MLS_1(config)#snmp-server community CCNP ro 15

This configuration would allow hosts identified by ACL 15 to have read-only access to all SNMP objects specified by this community string.

With SNMP v3, things are much more secure and just a tad more complex. Let's use IOS Help to venture through some of the most long-winded commands you're ever going to see. Let's start with creating an SNMP group and then assigning a user to that group.

MLS_1(config)#snmp-server group BULLDOGS ?
  v1   group using the v1 security model
  v2c  group using the v2c security model
  v3   group using the User Security Model (SNMPv3)

MLS_1(config)#snmp-server group BULLDOGS v3 ?
  auth    group using the authNoPriv Security Level
  noauth  group using the noAuthNoPriv Security Level
  priv    group using SNMPv3 authPriv security level

A quick word about those three security levels – they look intimidating, but when you break them down they're easy to remember.

authNoPriv – You have authentication, but no privacy (no encryption).

noAuthNoPriv – You're really asking for it. You have no authentication and no privacy (encryption).

authPriv – Your SNMP packets are both authenticated and privacy is assured via encryption.

MLS_1(config)#snmp-server group BULLDOGS v3 priv ?
  access   specify an access-list associated with this group
  context  specify a context to associate these views for the group
  match    context name match criteria
  notify   specify a notify view for the group
  read     specify a read view for the group
  write    specify a write view for the group
  <cr>

MLS_1(config)#snmp-server group BULLDOGS v3 priv

The views mentioned in the last IOS Help readout aren't required, and creating them is out of the CCNP SWITCH exam scope, but I do want you to know the defaults: If no read view is defined, all objects can be read. If no write view is defined, no objects can be written. If no notify view is defined, group members are not sent notifications.

Now let's create our user, using SHA for authentication and AES 128-bit encryption, which are both excellent choices when your hardware allows them.

MLS_1(config)#snmp-server user CHRIS ?
  WORD  Group to which the user belongs

MLS_1(config)#snmp-server user CHRIS BULLDOGS ?
  Remote  Specify a remote SNMP entity to which the user belongs
  v1      user using the v1 security model
  v2c     user using the v2c security model
  v3      user using the v3 security model

MLS_1(config)#snmp-server user CHRIS BULLDOGS v3 ?
  Access     specify an access-list associated with this group
  Auth       authentication parameters for the user
  Encrypted  specifying passwords as MD5 or SHA digests
  <cr>

MLS_1(config)#snmp-server user CHRIS BULLDOGS v3 auth ?
  md5  Use HMAC MD5 algorithm for authentication
  sha  Use HMAC SHA algorithm for authentication

MLS_1(config)#snmp-server user CHRIS BULLDOGS v3 auth sha ?
  WORD  authentication pasword for user

MLS_1(config)#snmp-server user CHRIS BULLDOGS v3 auth sha CCNP ?
  Access  specify an access-list associated with this group
  Priv    encryption parameters for the user
  <cr>

MLS_1(config)#snmp-server user CHRIS BULLDOGS v3 auth sha CCNP priv ?
  3des  Use 168 bit 3DES algorithm for encryption
  aes   Use AES algorithm for encryption
  des   Use 56 bit DES algorithm for encryption

MLS_1(config)#snmp-server user CHRIS BULLDOGS v3 auth sha CCNP priv aes ?
  128  Use 128 bit AES algorithm for encryption
  192  Use 192 bit AES algorithm for encryption
  256  Use 256 bit AES algorithm for encryption

MLS_1(config)#snmp-server user CHRIS BULLDOGS v3 auth sha CCNP priv aes 128 ?
  WORD  privacy pasword for user

MLS_1(config)#$S BULLDOGS v3 auth sha CCNP priv aes 128 TIREDOFTYPING ?
  access  specify an access-list associated with this group
  <cr>

MLS_1(config)#$S BULLDOGS v3 auth sha CCNP priv aes 128 TIREDOFTYPING
MLS_1(config)#^Z
MLS_1#
Mar 26 10:16:25.467: Configuring snmpv3 USM user, persisting snmpEngineBoots.

Whew! You obviously have to do some serious planning for SNMPv3, including the encryption type and bit level of same you'll be able to use, but it pays off in the end with security that's far superior to earlier versions.

Finally, we'll define the host to which we'll send traps.

MLS_1(config)#snmp-server host ?
  WORD                                                  IP/IPV6 address of SNMP notification host
  http://<Hostname or A.B.C.D>[:<port number>][/<uri>]  HTTP address of XML notification host

MLS_1(config)#snmp-server host 10.1.1.3 ?
  WORD     SNMPv1/v2c community string or SNMPv3 user name
  informs  Send Inform messages to this host
  traps    Send Trap messages to this host
  version  SNMP version to use for notification messages
  vrf      VPN Routing instance for this host

MLS_1(config)#snmp-server host 10.1.1.3 traps ?
  WORD     SNMPv1/v2c community string or SNMPv3 user name
  version  SNMP version to use for notification messages

MLS_1(config)#snmp-server host 10.1.1.3 traps version ?
  1   Use SNMPv1
  2c  Use SNMPv2c
  3   Use SNMPv3

MLS_1(config)#snmp-server host 10.1.1.3 traps version 3 ?
  auth    Use the SNMPv3 authNoPriv Security Level
  noauth  Use the SNMPv3 noAuthNoPriv Security Level
  priv    Use the SNMPv3 authPriv Security Level

MLS_1(config)#snmp-server host 10.1.1.3 traps version 3 priv ?
  WORD  SNMPv1/v2c community string or SNMPv3 user name

MLS_1(config)#snmp-server host 10.1.1.3 traps version 3 priv CHRIS ?
  <about 45 options, too many to list here>
  <cr>

MLS_1(config)#snmp-server host 10.1.1.3 traps version 3 priv CHRIS
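The NTP protections from the last few pages (ntp authenticate, ntp trusted-key, a key on each ntp server line, ntp access-group on the master) and the SNMP choices here (read-only, ACL-bound community strings; v3 groups and notification hosts at authPriv) are easy to leave half-finished. This Python audit is an added example, not from the book: it reads the NTP and SNMP lines of a running-config and reports whatever falls below that bar. The config it checks is constructed from MLS_1's commands above, treated as one device that is both an NTP master and a client, with deliberately weak lines marked by "!" comments; IOS does not echo snmp-server user lines into the running-config (they show up under show snmp user), so users are not checked here.

```python
import re

# Constructed running-config fragment based on the commands configured on MLS_1 above.
# Lines starting with "!" are comments that mark the weak spots the audit should catch.
SAMPLE_CONFIG = """\
ntp master
! WEAK: no "ntp access-group", so any host may synch to this master
ntp authenticate
ntp authentication-key 1 md5 CCNP
ntp trusted-key 1
ntp server 10.1.1.4 key 1
! WEAK: second time source configured without a key
ntp server 10.1.1.7
snmp-server community CCNP ro 15
! WEAK: read-write v2c community with no access-list
snmp-server community PUBLIC rw
snmp-server group BULLDOGS v3 priv
! WEAK: v3 group below authPriv
snmp-server group HELPDESK v3 noauth
snmp-server host 10.1.1.3 traps version 3 priv CHRIS
! WEAK: traps leave the box as cleartext v2c
snmp-server host 10.1.1.9 traps version 2c CCNP
"""


def audit_ntp(lines):
    """NTP checks: every source references a defined, trusted key; a master limits who it serves."""
    findings = []
    authenticate = "ntp authenticate" in lines
    is_master = any(line.split()[:2] == ["ntp", "master"] for line in lines)
    access_group = any(line.startswith("ntp access-group ") for line in lines)
    key_ids, trusted, sources = set(), set(), []
    for line in lines:
        if m := re.match(r"ntp authentication-key (\d+) md5 ", line):
            key_ids.add(m.group(1))
        elif m := re.match(r"ntp trusted-key (\d+)$", line):
            trusted.add(m.group(1))
        elif m := re.match(r"ntp (?:server|peer) (\S+)(?:.*\bkey (\d+))?", line):
            sources.append((m.group(1), m.group(2)))   # key is None when the line has no "key N"
    if (key_ids or trusted) and not authenticate:
        findings.append("ntp: keys are defined but 'ntp authenticate' is missing, so they are never used")
    for addr, key in sources:
        if key is None:
            findings.append(f"ntp server {addr}: configured without a key, so NTP authentication does not cover it")
        elif key not in key_ids or key not in trusted:
            findings.append(f"ntp server {addr}: key {key} is not both defined and trusted")
    if is_master and not access_group:
        findings.append("ntp master: no 'ntp access-group'; authentication alone does not stop "
                        "unauthenticated clients from synching to this device")
    return findings


def audit_snmp(lines):
    """SNMP checks: v1/v2c communities read-only and ACL-bound; v3 groups and trap hosts at authPriv."""
    findings = []
    for line in lines:
        # Community form handled: snmp-server community NAME [view V] [ro|rw] [ACL]
        if m := re.match(r"snmp-server community (\S+)(?: view \S+)?(?: (ro|rw))?(?: (\S+))?$", line):
            name, mode, acl = m.groups()
            if mode == "rw":
                findings.append(f"snmp-server community {name}: read-write access through a v1/v2c community string")
            if acl is None:
                findings.append(f"snmp-server community {name}: no access-list limits the hosts that may use it")
        elif m := re.match(r"snmp-server group (\S+) (v1|v2c|v3)(?: (noauth|auth|priv))?", line):
            name, model, level = m.groups()
            if model != "v3" or level != "priv":
                findings.append(f"snmp-server group {name}: security level is below authPriv (use v3 priv)")
        elif m := re.match(r"snmp-server host (\S+) (?:traps|informs)(?: version (1|2c|3))?"
                           r"(?: (noauth|auth|priv))? (\S+)", line):
            host, version, level = m.group(1), m.group(2), m.group(3)   # version None means SNMPv1
            if version != "3" or level != "priv":
                findings.append(f"snmp-server host {host}: notifications are not sent as version 3 priv")
    return findings


def audit_ios_config(config_text):
    """Audit one device's running-config text; returns the list of findings (empty means clean)."""
    lines = [line.strip() for line in config_text.splitlines()]
    lines = [line for line in lines if line and not line.startswith("!")]
    return audit_ntp(lines) + audit_snmp(lines)


if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print(finding)
```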
Service Level Agreements

During your Frame Relay studies in your CCNA days, you were introduced to the Committed Information Rate (CIR). The CIR is basically a guarantee given to the customer by the Frame Relay service provider, where the provider says "For X dollars, we guarantee you'll get Y amount of bandwidth. You may get more, but we guarantee you won't get less." Given that guarantee of minimum performance, the customer can then plan the WAN appropriately.

The SLA is based on the concept of minimum, guaranteed performance. It can be much like the CIR, where a service provider guarantees a certain level of overall network uptime and performance, but this agreement can be between different parties: it can also be between the internal clients of a company and the network team at that same company. The SLA can involve just about any quality-measurable value in your network, from available bandwidth and acceptable levels of jitter in voice networks, to DNS lookup time, trouble notification and resolution time.

Here's a sneak peek of the available tests:

MLS_1(config)#ip sla 5
MLS_1(config-ip-sla)#?
IP SLAs entry configuration commands:
  dhcp         DHCP Operation

  dns          DNS Query Operation
  exit         Exit Operation Configuration
  ftp          FTP Operation
  http         HTTP Operation
  icmp-echo    ICMP Echo Operation
  path-echo    Path Discovered ICMP Echo Operation
  path-jitter  Path Discovered ICMP Jitter Operation
  tcp-connect  TCP Connect Operation
  udp-echo     UDP Echo Operation
  udp-jitter   UDP Jitter Operation
  video        Video Operation

An SLA setup consists of a source and a responder. To kick off the festivities, the source sends control packets to the responder via UDP port 1967 in an attempt to create a control connection similar to that in FTP. This connection isn't the actual SLA test, but is an agreement on the rules of communication. In this case, the rules sent to the responder are the port number to be listened to during the test and the time limit on that listening.

Should the responder be kind enough to agree, it'll send a message back to the source indicating the same, and then the responder starts listening to the indicated port. (If the responder doesn't agree, it'll send a message back indicating that decision, and our story ends prematurely.)

We now go from controlling to probing, as the source sends test packets to the responder. The source wants to see if the packets are echoed back and how long the overall process takes. The responder adds timestamps to those packets both as the packets are accepted and then returned. This gives the sender a better idea of the overall time the responder took to process the packets as well as the overall round-trip time. (Of course, this timestamping only helps if the devices have synched time – NTP, anyone?)

Let's tackle an SLA lab! MLS_1 will be the SLA source, with ROUTER_3 serving as the responder. Here are the first options for the ip sla command:

MLS_1(config)#ip sla ?
  <1-2147483647>          Entry Number
  enable                  Enable Event Notifications
  group                   Group Configuration or Group Scheduling
  key-chain               Use MD5 Authentication for IP SLAs Control Messages
  logging                 Enable Syslog
  low-memory              Configure Low Water Memory Mark
  reaction-configuration  IP SLAs Reaction-Configuration
  reaction-trigger        IP SLAs Trigger Assignment

  read                    Read data for use with IP SLA
  reset                   IP SLAs Reset
  responder               Enable IP SLAs Responder
  restart                 Restart An Active Entry
  schedule                Entry Scheduling

We'll go with SLA entry number 5, and accepting that value drops us into SLA entry config mode. We'll then choose the icmp-echo test, using 10.1.1.3 as the target of the test.

MLS_1(config)#ip sla 5
MLS_1(config-ip-sla)#?
IP SLAs entry configuration commands:
  dhcp         DHCP Operation
  dns          DNS Query Operation
  exit         Exit Operation Configuration
  ftp          FTP Operation
  http         HTTP Operation
  icmp-echo    ICMP Echo Operation
  path-echo    Path Discovered ICMP Echo Operation
  path-jitter  Path Discovered ICMP Jitter Operation
  tcp-connect  TCP Connect Operation
  udp-echo     UDP Echo Operation
  udp-jitter   UDP Jitter Operation
  video        Video Operation

MLS_1(config-ip-sla)#icmp-echo ?
  Hostname or A.B.C.D  Destination IP address or hostname, broadcast disallowed

Note the option to configure the source interface and IP address – those options can come in handy in larger networks. Since we only have one path from source to responder, we'll leave those alone here.

MLS_1(config-ip-sla)#icmp-echo 10.1.1.3 ?
  source-interface  Source Interface (ingress icmp packet interface)
  source-ip         Source Address
  <cr>

MLS_1(config-ip-sla)#icmp-echo 10.1.1.3

We then drop into SLA ICMP Echo config mode (!), where I'll set a frequency of 60 seconds between tests. That also happens to be the default!

MLS_1(config-ip-sla-echo)#?
IP SLAs Icmp Echo Configuration Commands:
  default            Set a command to its defaults
  exit               Exit operation configuration
  frequency          Frequency of an operation
  history            History and Distribution Data
  no                 Negate a command or set its defaults
  owner              Owner of Entry
  request-data-size  Request data size
  tag                User defined tag
  threshold          Operation threshold in milliseconds
  timeout            Timeout of an operation
  tos                Type Of Service
  verify-data        Verify data
  vrf                Configure IP SLAs for a VPN Routing/Forwarding instance

MLS_1(config-ip-sla-echo)#frequency ?
  <1-604800>  Frequency in seconds

MLS_1(config-ip-sla-echo)#frequency 60

Finally, we get to schedule this sucker! I'll use IOS Help to show you the options and then start the test immediately. Note the option to grant the test eternal life.

MLS_1(config)#ip sla schedule ?
  <1-2147483647>  Entry number

MLS_1(config)#ip sla schedule 5 ?
  ageout      How long to keep this Entry when inactive
  life        Length of time to execute in seconds
  recurring   Probe to be scheduled automatically every day
  start-time  When to start this entry
  <cr>

MLS_1(config)#ip sla schedule 5 life ?
  <0-2147483647>  Life seconds (default 3600)
  forever         continue running forever

MLS_1(config)#ip sla schedule 5 start-time ?
  after     Start after a certain amount of time from now
  hh:mm     Start time (hh:mm)
  hh:mm:ss  Start time (hh:mm:ss)
  now       Start now
  pending   Start pending

MLS_1(config)#ip sla schedule 5 start-time now

Verify your config with show ip sla config. I'll show you the entire output here, and the most important info to us is near the top. The default TTL is 3600 seconds, and we can see that's ticking away.

MLS_1#show ip sla config
IP SLAs Infrastructure Engine-III
Entry number: 5
Owner:
Tag:
Operation timeout (milliseconds): 5000
Type of operation to perform: icmp-echo
Target address/Source address: 10.1.1.3/0.0.0.0
Type Of Service parameter: 0x0
Request size (ARR data portion): 28
Verify data: No
Vrf Name:
Schedule:
   Operation frequency (seconds): 60  (not considered if randomly scheduled)
   Next Scheduled Start Time: Start Time already passed
   Group Scheduled : FALSE
   Randomly Scheduled : FALSE
   Life (seconds): 3600
   Entry Ageout (seconds): never
   Recurring (Starting Everyday): FALSE
   Status of entry (SNMP RowStatus): Active
Threshold (milliseconds): 5000
Distribution Statistics:
   Number of statistic hours kept: 2
   Number of statistic distribution buckets kept: 1
   Statistic distribution interval (milliseconds): 20
Enhanced History:
History Statistics:
   Number of history Lives kept: 0
   Number of history Buckets kept: 15
   History Filter Type: None

To view SLA statistics, run show ip sla statistics. I ran the command twice, and we can see that the tests are running a minute apart and they've both been successful.

MLS_1#show ip sla stat
IPSLAs Latest Operation Statistics

IPSLA operation id: 5
Latest RTT: 1 milliseconds

Latest operation start time: 06:11:35 EST Thu Mar 26 2015
Latest operation return code: OK
Number of successes: 1
Number of failures: 0
Operation time to live: 3552 sec

MLS_1#show ip sla stat
IPSLAs Latest Operation Statistics

IPSLA operation id: 5
Latest RTT: 1 milliseconds
Latest operation start time: 06:12:35 EST Thu Mar 26 2015
Latest operation return code: OK
Number of successes: 2
Number of failures: 0
Operation time to live: 3528 sec

An interesting thing about SLA tests – you can't edit one that's in progress. I tried to go back and set this test to live forever rather than time out, and here's what happened:

MLS_1(config)#ip sla 5
Entry already running and cannot be modified
(only can delete (no) and start over)
(check to see if the probe has finished exiting)

It's always something!

Hey, did you notice I never configured anything on the responder? Since I was running a simple ICMP echo test, I didn't need to, since I know the responder can handle pinging. For some of those other tests, though, you may need ip sla responder. It doesn't hurt anything to enable SLA capabilities for the simpler tests.

ROUTER_3(config)#ip sla responder

We can secure our SLA config with a key-chain and the ip sla key-chain command. Here's the config on both devices:

ROUTER_3(config)#key chain CCNP
ROUTER_3(config-keychain)#key 1
ROUTER_3(config-keychain-key)#key-string SPIDERS
ROUTER_3(config)#ip sla key-chain CCNP

MLS_1(config)#key chain CCNP
MLS_1(config-keychain)#key 1
MLS_1(config-keychain-key)#key-string SPIDERS
MLS_1(config)#ip sla key-chain CCNP

Just one more SLA thing… I want to show you what the statistics output is when something's gone wrong. Here, I shut ROUTER_3's port down that leads to the switch, and here's the result of the very next echo test:

MLS_1#show ip sla stat
IPSLAs Latest Operation Statistics

IPSLA operation id: 5
Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: 06:53:35 EST Thu Mar 26 2015
Latest operation return code: Timeout
Number of successes: 42
Number of failures: 1
Operation time to live: 1024 sec

After reopening the interface, the successes start incrementing again!

MLS_1#show ip sla stat
IPSLAs Latest Operation Statistics

IPSLA operation id: 5
Latest RTT: 1 milliseconds

but TACACS+ can. AAA must first be enabled with the global com- tication in the form of a local database of usernames and passwords. but it makes it very difficult to run one process without Those As stand for authentication. so we 350 aaa new-model not only enables AAA. a Cisco-proprietary TCP-based protocol (port 49. As your network grows and you need a more scalable authentication scheme. it’s likely you’ll turn to one of the following protocols for your AAA deployment. This is sometimes mand aaa new-model.5 key CCIE You just might be asking yourself what happened to the original TACACS if we’re now using TACACS+.3 key CCNP developed by the IETF. along with a shared encryption key that must be agreed upon by both client and server. an open-standard UDP-based protocol (ports 1812 and 1813. We do need to concern ourselves with Latest operation return code: OK these differences between TACACS+ and RADIUS: Number of successes: 43 TACACS+ encrypts the entire packet. that is) originally MLS _ 1(config)#tacacs-server host 10. where RADIUS encrypts only the password in the Number of failures: 1 initial client-server packet. TACACS+. authorization. Before we deal with configs though. that is). MLS _ 1(config)#radius-server host 10. The location of the TACACS+ and/or RADIUS server must then be called a self-contained AAA deployment. let’s look at each “A” and see exactly what’s going on with each. TACACS was the original version of the protocol and is rarely used today. configured. Authentication is the process of deciding if a given user should be allowed to access the net- running the other. RADIUS cannot control the authorization level of users. allowing another method of authentication to be used while still using TACACS+ for authorization and/ or accounting.1. As a CCNA and future CCNP. and accounting. Operation time to live: 989 sec RADIUS actually combines the authentication and authorization processes. since no external device is involved. 
it also overrides every previously configured authentication method for the router lines – especially the vty lines! 351 . Each “A” is a separate function and requires separate configuration. MLS _ 1(config)#aaa new-model RADIUS. work (or network service).C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 . TACACS+ runs each “A” as a separate process.115 S T U DY G U I D E C H R I S B R YA N T Latest operation start time: 06:54:35 EST Thu Mar 26 2015 don’t have to concern ourselves with that version. you’ve already configured authen- Regardless of the “A” you’re configuring.1.1.1. That AAA might sound like a good thing.
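To make the first of those differences concrete, here is an added example (not code from the book) of what each protocol actually protects, in Python using only hashlib: RFC 2865 User-Password hiding for RADIUS and RFC 8907 body obfuscation for TACACS+. The shared keys match the tacacs-server and radius-server lines above; the usernames, session id and Request Authenticator are constructed values. Both schemes are MD5-keyed XOR, so in each case it is the shared key that does the protecting.

```python
import hashlib

# Constructed lab values for this added example (not from the book): the shared
# keys mirror the tacacs-server/radius-server lines in the text; usernames,
# session id and Request Authenticator are made up here.
RADIUS_SECRET = b"CCIE"
TACACS_KEY = b"CCNP"
USER_NAME, USER_PASSWORD = 1, 2  # RADIUS attribute types (RFC 2865)


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding: the only RADIUS field that is protected.

    The password is null-padded to a multiple of 16 bytes and XORed block by
    block with MD5(secret + previous block), seeded by the 16-byte Request
    Authenticator. No other attribute of the Access-Request is covered.
    """
    if not password or len(authenticator) != 16:
        raise ValueError("need a non-empty password and a 16-byte authenticator")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # chaining: the next keystream depends on this ciphertext block
    return bytes(out)


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same scheme; strips the null padding again."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def radius_access_request_attrs(user, password, secret, authenticator):
    """Attributes of an Access-Request: User-Name goes on the wire in cleartext,
    only User-Password is hidden."""
    return [(USER_NAME, user),
            (USER_PASSWORD, radius_hide_password(password, secret, authenticator))]


def tacacs_obfuscate_body(body: bytes, key: bytes, session_id: int,
                          version: int, seq_no: int) -> bytes:
    """RFC 8907 body obfuscation: the whole TACACS+ body is covered.

    pad_1 = MD5(session_id || key || version || seq_no)
    pad_n = MD5(session_id || key || version || seq_no || pad_n-1)
    body XOR pad hides username, password, service and privilege level alike;
    only the 12-byte header is cleartext. XOR is its own inverse, so the same
    call de-obfuscates a received body.
    """
    seed = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


def tacacs_pap_start_body(user: bytes, password: bytes) -> bytes:
    """Constructed authentication START body for a PAP login: action LOGIN (1),
    priv_lvl 1, authen_type PAP (2), authen_service LOGIN (1), the four length
    octets, the user field, and the password in the data field (port and
    rem_addr left empty)."""
    return bytes([1, 1, 2, 1, len(user), 0, 0, len(password)]) + user + password
```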

We have our TACACS+ server at 10.1.1.3 and our RADIUS server at 10.1.1.5, with the switch configured as a client of both. We now need to determine which servers will be used for authentication, and in what order, with aaa authentication. We have to create either a named authentication list or a default list that will be used for all authentications that don’t reference a named list. We’ll go with the default list. Let’s have a look at the options.

MLS_1(config)#aaa authentication login ?
  WORD     Named authentication list (max 31 characters, longer will be rejected).
  default  The default authentication list.

MLS_1(config)#aaa authentication login default ?
  cache          Use Cached-group
  enable         Use enable password for authentication.
  group          Use Server-group
  krb5           Use Kerberos 5 authentication.
  krb5-telnet    Allow logins only if already authenticated via Kerberos V Telnet.
  line           Use line password for authentication.
  local          Use local username authentication.
  local-case     Use case-sensitive local username authentication.
  none           NO authentication.
  passwd-expiry  enable the login list to provide password aging support

Some choices might surprise you! We can configure authentication to use the enable password, and we could also use a line password, instead of using the local database. The local and local-case options allow us to use the local username/password database. A quick review on how to build one of those:

MLS_1(config)#username bruno password wwwf
MLS_1(config)#username thesz password nwa
MLS_1(config)#username gagne password awa

Hmm. If you don’t see those TACACS+ and RADIUS servers in the above options, there’s a good reason – they’re not there! To use TACACS+ or RADIUS in aaa authentication, choose group and all will be revealed!

MLS_1(config)#aaa authentication login default group ?
  WORD     Server-group name
  ldap     Use list of all LDAP hosts.
  radius   Use list of all Radius hosts.
  tacacs+  Use list of all Tacacs+ hosts.

The tacacs+ choice is legal, and this command is fine on its own – but why do I have the option to list more authentication choices, including “none”? We can actually name up to four methods, and they’ll be used in the order listed, from left to right. If you try to list a fifth method as I did below, the IOS will not let you enter the 5th method. IOS Help won’t even show you the remaining options once you hit four! The following statement lists TACACS+ as the first method, a line password second, the local database third, and finally, the enable password. IOS Help will not show me the remaining options since my statement is already at the legal limit.

MLS_1(config)#$ication login default group tacacs+ line local enable ?
  <cr>

Let’s go back to an aaa authentication line with just one method listed. I’ll go with TACACS+ and then check the options.

MLS_1(config)#aaa authentication login default group tacacs+ ?
  cache       Use Cached-group
  enable      Use enable password for authentication.
  group       Use Server-group
  krb5        Use Kerberos 5 authentication.
  line        Use line password for authentication.
  local       Use local username authentication.
  local-case  Use case-sensitive local username authentication.
  none        NO authentication.
  <cr>

You’re likely wondering why the heck “none” is an AAA authentication option. After all, are we doing all this work just to have no authentication? In some cases – yes! Some admins like to use none at the end of their authentication method list, so no authentication is necessary if the external servers are down. That way, if the external devices aren’t available, you can still authenticate! It’s always a good idea to list at least one authentication method that doesn’t require an external device. The enable password is also a good choice.

In this line, TACACS+ will be the first authentication method used, then our RADIUS server, and the local username/pw database will then be used if those servers are unavailable or return errors.

MLS_1(config)#aaa authentication login default group tacacs+ group radius local

This authentication method list will try our defined TACACS+ server first. If the TACACS+ authentication attempt times out or an error is encountered, the next method we choose in this line will be used. If TACACS+ actively refuses the authentication attempt, the second method is not used. That’s the end of the authentication try!

Here’s the most important rule of this entire section. Always leave yourself a back door to get in, and always stay logged in while you test your authentication setup with a separate connection. You don’t want to log out and then find out you can’t log back in!

Finally, apply the authentication method list to the appropriate lines with login authentication. I’ll apply the default list to the switch’s VTY lines.

MLS_1(config)#line vty 0 15
MLS_1(config-line)#login authentication ?
  WORD     Use an authentication list with this name.
  default  Use the default authentication list.

MLS_1(config-line)#login authentication default ?
  <cr>
MLS_1(config-line)#login authentication default
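As an added example (not the book’s code), the fallthrough rules just described, in Python: a parser for the aaa authentication login line that enforces the four-method limit, and a walker that applies pass/fail/error semantics to each method in turn. The server outcomes are constructed; the scenarios compare the list above with a server-only list that has no local fallback (the lockout the back-door rule warns about) and one ending in none.

```python
from enum import Enum
from typing import Dict, List, Optional, Tuple

MAX_METHODS = 4  # IOS stops offering methods, and refuses a fifth, past this


class Result(Enum):
    PASS = "pass"    # the method vouched for the credentials
    FAIL = "fail"    # the method actively rejected them
    ERROR = "error"  # the method could not answer: timeout, server down


def parse_method_list(command: str) -> Tuple[str, List[str]]:
    """'aaa authentication login default group tacacs+ group radius local'
    -> ('default', ['group tacacs+', 'group radius', 'local'])"""
    tokens = command.split()
    if tokens[:3] != ["aaa", "authentication", "login"] or len(tokens) < 5:
        raise ValueError("expected: aaa authentication login <list-name> <method> ...")
    list_name, rest = tokens[3], tokens[4:]
    methods: List[str] = []
    i = 0
    while i < len(rest):
        if rest[i] == "group":  # 'group' always takes a server-group name
            if i + 1 >= len(rest):
                raise ValueError("'group' needs a server-group name")
            methods.append(f"group {rest[i + 1]}")
            i += 2
        else:
            methods.append(rest[i])
            i += 1
    if len(methods) > MAX_METHODS:
        raise ValueError(f"IOS allows at most {MAX_METHODS} methods, got {len(methods)}")
    return list_name, methods


def authenticate(methods: List[str],
                 outcomes: Dict[str, Result]) -> Tuple[bool, Optional[str], List[str]]:
    """Walk the method list left to right the way IOS does.

    ERROR falls through to the next method. PASS or FAIL ends the attempt on
    the spot, so a reachable TACACS+ server that says no is final. 'none'
    always PASSes, which is why it only belongs (if anywhere) at the very end.
    Returns (granted, deciding_method, trace); deciding_method is None when
    every method errored out, i.e. the admin is locked out of the line.
    """
    trace: List[str] = []
    for method in methods:
        outcome = Result.PASS if method == "none" else outcomes.get(method, Result.ERROR)
        trace.append(f"{method}={outcome.value}")
        if outcome is Result.PASS:
            return True, method, trace
        if outcome is Result.FAIL:
            return False, method, trace
    return False, None, trace


def servers_down_scenarios() -> Dict[str, Tuple[bool, Optional[str]]]:
    """Both AAA servers unreachable, local database accepts the admin: compare
    the book's list with a server-only list (lockout) and a 'none' tail (open door)."""
    down = {"group tacacs+": Result.ERROR, "group radius": Result.ERROR,
            "local": Result.PASS}
    lists = {
        "book": "aaa authentication login default group tacacs+ group radius local",
        "no-backdoor": "aaa authentication login default group tacacs+ group radius",
        "none-tail": "aaa authentication login default group tacacs+ none",
    }
    return {name: authenticate(parse_method_list(cmd)[1], down)[:2]
            for name, cmd in lists.items()}
```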

And now… a word to the wise.

Don’t Get Cute

Don’t get cute with passwords. Never set a password that you don’t want to say out loud at a meeting, particularly a meeting with high-ranking sensitive folk. (Didn’t happen to me, but I was there to see it.)

Another time not to get cute is when you’re naming an AAA authentication list. When you give something a name on a router or switch, make the name intuitive. For some reason, admins like to use AAA terms for the name of the list, resulting in commands like this one:

MLS_1(config)#aaa authentication login PASSWORD group tacacs+ local

That command confuses the uninitiated. At the very least, don’t use a word already in the command! Above all, don’t call it login, tacacs+, radius, or group, because then you end up with one of these:

MLS_1(config)#aaa authentication login login group tacacs+ local
MLS_1(config)#aaa authentication login tacacs+ group tacacs+ local
MLS_1(config)#aaa authentication login radius group tacacs+ local
MLS_1(config)#aaa authentication login group group tacacs+ local

Ugly. Real ugly. Don’t get cute.

Authorization

While authentication decides whether a given user should be allowed into our network, authorization dictates what users can do once they’re in. aaa authorization creates a user profile that’s checked when a user attempts to use a particular command or service.

As with authentication, AAA must be enabled with aaa new-model if you haven’t already done so! We did just that in the last lab, along with defining the RADIUS and TACACS+ server IP addresses, so we’ll dive straight into the authorization options.

MLS_1(config)#aaa authorization ?
  auth-proxy           For Authentication Proxy Services
  cache                For AAA cache configuration
  commands             For exec (shell) commands.
  config-commands      For configuration mode commands.
  configuration        For downloading configurations from AAA serve
  console              For enabling console authorization
  credential-download  For downloading EAP credential from Local/RAD
  exec                 For starting an exec (shell).
  multicast            For downloading Multicast configurations from server
  network              For network services. (PPP, SLIP, ARAP)
  policy-if            For diameter policy interface application.
  prepaid              For diameter prepaid services.
  radius-proxy         For proxying radius packets
  reverse-access       For reverse access connections
  subscriber-service   For iEdge subscriber services (VPDN etc)
  template             Enable template authorization

Frankly, I could write a whole book solely on the many different aaa authorization combinations, so we’re not going to walk through every single one, but I do want to show you a sample command on the switch. As with authentication, we’ll have the option of creating a default list or a named list – and as always, don’t get cute. Watch the commands and config-commands options, though – the first means the user must be authorized to run any command, while the second limits authorization to the use of configuration commands. If you’re dealing with PPP (or ARAP or SLIP for that matter), go with the network option.

MLS_1(config)#aaa authorization exec ?
  WORD     Named authorization list (max 31 characters, longer will be rejected).
  default  The default authorization list.

MLS_1(config)#aaa authorization exec default ?
  cache             Use Cached-group
  group             Use server-group.
  if-authenticated  Succeed if user has authenticated.
  krb5-instance     Use Kerberos instance privilege maps.
  local             Use local database.
  none              No authorization (always succeeds).

Also note the if-authenticated option. If the user’s already authenticated, that method will (obviously) consider the user authorized.

MLS_1(config)#aaa authorization exec default group tacacs+ local

Apply the authorization list to the appropriate lines with authorization.

MLS_1(config)#line vty 0 15
MLS_1(config-line)#authorization ?
  arap            For Appletalk Remote Access Protocol
  commands        For exec (shell) commands
  exec            For starting an exec (shell)
  reverse-access  For reverse telnet connections

MLS_1(config-line)#authorization commands ?
  <0-15>  Enable level

MLS_1(config-line)#authorization exec ?
  WORD     Use an authorization list with this name
  default  Use the default authorization list

MLS_1(config-line)#authorization exec default

Accounting

Authentication decides who gets in and who doesn’t, authorization decides what users can do once they get in, and accounting tracks the resources used by that user, both when they start and stop. This tracking can be for security purposes (detecting users doing things they shouldn’t be doing!) or for tracking network usage in order to bill other departments in your company. Naturally, AAA must be enabled before proceeding with accounting.

We’re not going to spend much time on accounting.

MLS_1(config)#aaa accounting commands ?
  <0-15>  Enable level

MLS_1(config)#aaa accounting commands 1 ?
  WORD     Named Accounting list (max 31 characters, longer will be rejected).
  default  The default accounting list.

MLS_1(config)#aaa accounting commands 1 default ?
  none        No accounting.
  start-stop  Record start and stop without waiting
  stop-only   Record stop when service terminates.

MLS_1(config)#aaa accounting commands 1 default start-stop ?
  broadcast  Use Broadcast for Accounting
  group      Use Server-group

MLS_1(config)#aaa accounting commands 1 default start-stop group ?
  WORD     Server-group name
  tacacs+  Use list of all Tacacs+ hosts.

MLS_1(config)#aaa accounting commands 1 default start-stop group tacacs+ ?
  group  Use Server-group
  <cr>

MLS_1(config)#aaa accounting commands 1 default start-stop group tacacs+

This line would give us info on users who use commands while in privilege level 1. Getting that same info for privilege level 15 would be easy enough – just replace the “1” with “15”.

AAA supports six different accounting formats:

Network: Info on all PPP, ARAP, and SLIP sessions.
EXEC: Information about user EXEC terminal sessions.
Commands: Information regarding EXEC mode commands issued by a user.
Connection: Information regarding all outbound connections made from a network access server.
System: Non-user-related system-level events.
Resource: Info regarding start and stop records for calls passing authentication, and stop records for calls that fail authentication.

Chapter 11: NETWORK DESIGN AND MODELS

Blunt as always: This isn’t the most exciting material in the course. Having said that, it is very important material, as we need to know what should and should not occur at each layer, so grab some caffeine and let’s dive right in!

During your CCNA studies, your only responsibilities concerning the Cisco 3-Layer Hierarchical Model were memorizing the layers and their location. The stakes are raised in your CCNP studies. We’ll start this section with a review of the model, and then delve into each layer in detail.

The Core Layer

The core layer is the backbone of our entire network, so we’re interested in high-speed data transfer, very low latency, and that’s it! This is the nerve center of your entire network, and should be used as such. Core layer switches are generally the most powerful in your network, capable of higher throughput than switches found at the other layers. Today’s core switches are generally the multilayer switches we’ve worked with throughout this course.

We always want redundancy, but we want a lot of redundancy in the core layer, so fault tolerance should be at the highest level possible.

As you know, everything we do on a Cisco router or switch takes away from overall switch resources, and we want the core layer to be concerned strictly with switching, so we’ll leave most frame manipulation and filtering to other layers. Leave your ACLs and other traffic filtering methods for other layers of this model. With networking though, you know there’s an exception to that rule, and that exception is Quality of Service (QoS). Advanced QoS is generally performed at the core layer.

Switches at the core layer allow distribution-layer switches to communicate, and this is more than a full-time job! It’s vital that we keep extra, non-switching features off the core layer and let these switches do what they do best – switch.

The Distribution Layer

Not all the work is done at the core layer! The demands on distribution-level switches are very high. When multilayer switches are in use, routing should take place at the distribution layer. The distribution layer also serves as a boundary for broadcasts and multicasts sent by access-layer devices.

The access-layer switches will have their uplinks connecting to our distribution-level switches, so not only do the distribution-level switches need high-speed ports and links, they have to have quite a few in order to connect to both the access and core-layer switches. Distribution-layer switches must be able to handle redundancy for all links. While QoS is configured at the core layer when possible, you’ll find it in the distribution layer as well.

Be sure to examine your network’s requirements and review the documentation on switch models carefully before making your purchase. It’s a lot easier to get everything you need when you’re buying than to go back and try to add it later.

The Access Layer

Here’s where the end users communicate with the network! VLAN membership, traffic filtering, and some basic QoS features all run here, and MAC address filtering can be performed here as well. (MAC filtering is a pain to configure, although hopefully there are other ways to get the job you need done, done. I kid you not.) Collision domains are found at the access layer. The access layer’s too busy with end users to handle routing.

Redundancy is important at this layer (of course! It’s important everywhere!), and you must plan for future network growth. A good rule of thumb for access-layer switches is “low cost, high switchport-to-user ratio”. A 12-port switch might be fine for your needs at present, but a month from now you’ll wish you had bought a larger switch with more ports. Today’s sufficient port density is tomorrow’s “Where the $%)$ am I gonna plug this user in?” Examine your network topology closely and check vendor documentation before making purchasing decisions.

The Enterprise Composite Network Model

Before we dive into this topic, I want to remind you that network models are guidelines. Helpful guidelines, but guidelines nonetheless. That’s particularly true of the Enterprise Composite Network Model, a very popular model used to design campus networks. (A campus network is basically a series of LANs interconnected via a network backbone.)

Switch blocks are units of access-layer and distribution-layer devices. Devices in a switch block work together to bring network access to a unit of the network, such as a single building on a college campus or business park. Core blocks naturally consist of our high-powered core switches, and these core blocks allow the switch blocks to communicate. Let’s take a look at a typical campus network and see how these block types work together.

All four distribution-layer switches have connections to both switches in the Core Block, giving us as much redundancy as this topology can offer. In turn, if one of the core switches goes down, we still have total connectivity. The Core Block serves as the campus backbone, allowing switches in one Switch Block to communicate with switches in the other Switch Block. This is a tremendous responsibility, and it’s the major reason I continue to mention that the access and distribution layers should handle many of the network services, leaving the core switches free to use all their resources to switch.

We love this setup, especially the dual core. Reality does rear its ugly head on occasion, and that occasion may be not having the money to afford a setup like this. Smaller networks (and admins on a tight budget!) can use a collapsed core setup, where certain switches will perform as both Switch Block and Core Block switches. In a collapsed core, there is no dedicated core switch.

As you’d expect, there’s no one right way to design an enterprise network. The number of LANs involved, the physical layout of the buildings as a unit and individually – these are just two important factors involved. These models are strictly guidelines.

The Enterprise Composite Network Model has three main parts:

The Enterprise Campus
The Enterprise Edge
The Service Provider Edge

In turn, the Enterprise Campus consists of these modules:

Campus Infrastructure
Server Farm
Network Management
Enterprise Edge (yes, again)

In turn again, the Campus Infrastructure model consists of these modules:

Building Access (access-layer devices)
Building Distribution (distribution-layer devices)
Campus Backbone (Interconnects multiple Distribution modules)

Our access- and distribution-layer switches are both found in this model’s Switch Block. These layers contain both the traditional L2 switches (found at the access layer) and multilayer switches, typically found in the distribution layer.

The four multilayer switches are working as both core-layer and distribution-layer switches. Note that each of the access switches has redundant uplinks to both distribution/core switches in its switch block. The distribution-layer switches again have redundant connections to the core switches. This is a relatively small campus network, but you already have a good idea of the sheer workload the core switches will be handling. But we’re not quite done yet. Our core switches have even more work to do.

The combination of access, distribution, and core layers shown here is sometimes called the Campus Infrastructure. In a campus network, the server farm block is a separate switch block, complete with access and distribution-layer switches. There are times when we’ve wanted to throw a server or two (or twelve) straight out the window, but we’re not going to have much of a network without them.

In today’s world, network management tools are a necessity. AAA servers, syslog servers, intruder detection tools, and network monitoring tools are found in almost every campus network today. All of these devices can be placed in a switch block of their own, the network management block.

Two blocks will team up to bring our users that all-important internet connectivity – the Enterprise Edge Block and the Service Provider Edge Block.

The Enterprise Edge Block is naturally found at the edge of the campus network, and this block of routers and switches brings WAN connectivity to the rest of the campus network. While the Service Provider Edge Block is considered part of the campus network model, we have no control over the actual structure of the block. And frankly, we don’t care! The key is that this block borders the Enterprise Edge Block, and it’s the final piece of the Internet connectivity puzzle for our campus network.

With all the lines leading to the core switches, it’s easy to see why we want to dedicate as much of the switches’ capabilities to pure switching – the workload is huge!

End-to-End And Local VLANs

“Oh no, Chris B, not more VLANs!” Hey, I hear you. Well, shoot, these two VLAN types do fit in with our design chat. Let’s spend a few minutes with each type…

As you’d expect from the name, end-to-end VLANs span the entire network. ETE VLANs must be accessible on every access-layer switch in order to accommodate mobile users. A user is assigned to a single VLAN, and that VLAN will remain the same no matter where the user is. The physical location of the user doesn’t matter.

ETE VLANs can come in handy as a security tool, or when the hosts have similar resource requirements – for example, if you had certain hosts across the network that needed access to a particular network resource, but you didn’t want your other hosts to even know of the existence of that resource.

ETE VLANs should be designed with the 80/20 rule in mind, where 80% of the local traffic stays within the local area, and the other 20% will traverse the network core en route to a non-local destination. The very nature of an end-to-end VLAN and the fact that it spans the entire network makes working with one a challenge. The following network diagram is very simple, but even this network would be difficult to configure with ETE VLANs when the hosts need Internet connectivity or Cloud access. This level of access is more of a necessity than a luxury today, so 80/20 traffic patterns are becoming increasingly rare. Many of today’s networks don’t lend themselves well to this type of VLAN.

Physical location is unimportant in ETE VLANs, but users are grouped by location in Local VLANs. Local VLANs use the 20/80 rule, assuming that 20% of traffic is local in scope and the other 80% will cross the network core.

That’s it! The end of the book! Thanks for reading, and I wish you all the best on your CCNP SWITCH exam and in your future studies.

Chris B.