
CHRIS BRYANT’S
CCNP SWITCH 300-115 STUDY GUIDE

Chris Bryant


Chris Bryant, CCIE #12933
“The Computer Certification Bulldog”
Copyright © 2015 The Bryant Advantage, Inc.
All rights reserved.
Disclaimers and Legal Notices:
Copyright © The Bryant Advantage, 2015.
All rights reserved. This book or any portion thereof may not be reproduced or used in any manner whatsoever
without the express written permission of the publisher, except for the use of brief quotations in a book review.
No part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including
but not limited to photocopy, photograph, magnetic, or other record, without the prior agreement and written
permission of the publisher.
The Bryant Advantage, Inc., has attempted throughout this book to distinguish proprietary trademarks from
descriptive terms by following the capitalization style used by the manufacturer. Copyrights and trademarks of all
products and services listed or described herein are property of their respective owners and companies. All rules
and laws pertaining to said copyrights and trademarks are inferred.
This study guide is intended to prepare candidates for Cisco’s CCNP SWITCH 300-115 certification exam. The
book has been made as accurate and complete as possible. No warranty or fitness is inferred or implied. Neither the
author nor The Bryant Advantage, Inc. has liability or responsibility to any entity or individual regarding loss or
damage arising from the use of this book. Passing the CCNP SWITCH exam is not guaranteed in any fashion.
The terms CCIE, CCNP, CCNA, Cisco IOS, Cisco Systems, IOS, and StackWise are all registered trademarks of Cisco
Systems, Inc. As always, no challenge to any trademark or copyright is intended in any of my books or video-based
courses.
ISBN-10: 1517351227
ISBN-13: 9781517351229

Table of Contents

Chapter 1 Switching Fundamentals ............................................ 1
Chapter 2 The When, Where, and How Of VLANs ............................... 22
Chapter 3 Trunking ........................................................ 40
Chapter 4 The VLAN Trunking Protocol (VTP) ................................ 63
Chapter 5 The Fundamentals Of STP ......................................... 83
Chapter 6 STP -- Advanced Features and Versions .......................... 123
Chapter 7 Etherchannels .................................................. 157
Chapter 8 Multilayer Switching And High Availability Protocols ........... 172
Chapter 9 Securing The Switches .......................................... 238
Chapter 10 Monitoring The Switches ....................................... 319
Chapter 11 Network Design And Models ..................................... 361

A Very Brief Introduction
Before We Get Started…
Thank you for making The Bryant Advantage part of your CCNP success story! I know you
have a lot of training options out there, from books to videos and everything in between,
and all of us here at TBA are very appreciative of your purchase.
During your studies, check out my YouTube channel! I’m starting an all-new CCNP SWITCH
300-115 Playlist in October 2015. With over 300 free videos there already, I know there’s
something there you’ll enjoy.
https://www.youtube.com/user/ccie12933
You’ll find additional free resources via these links:
Facebook: goo.gl/u72n1M
Google+: https://plus.google.com/+ccie12933
GNS3 (Free CCNP SWITCH Course!): goo.gl/yk2loM
Thanks again for your purchase, and now, let’s get started!
Chris Bryant
“The Computer Certification Bulldog”

Chapter 1: SWITCHING FUNDAMENTALS

Your mastery of switching fundamentals can make the difference on exam day, so let’s give this material a good going-over before heading on to new material!

Before proceeding, let’s have a moment of silence for two old friends. We won’t spend any time discussing floppy disks, but the item on the left is a hub, the predecessor to today’s switches. (You’ll sometimes see a double-headed arrow on top of the icon representing a hub.)

Back in the day, our hosts had to share transmission media via a hub. Having just one collision domain may sound good, but it’s not. With one big collision domain, one host’s data will be almost continually colliding with another host’s data, and all data involved is unusable. The hub might as well be a bomb at that point, because the data involved in the collision is going to “explode” when that collision occurs. We must have rules on when a host may transmit data.

The set of rules for transmitting over Ethernet via shared media is Carrier Sense Multiple Access with Collision Detection, thankfully referred to as CSMA/CD. Here’s the overall process…

A host with data to send must first listen to the wire, meaning it checks the shared media to see if another host is currently sending data. If the media is in use, the host backs off for a few milliseconds before listening to the wire again. If the media is not in use, the host sends the data.

If two hosts happen to send data at the exact same time, the voltage on the wire will change, indicating a data collision. When the sending hosts detect that voltage change, they’ll send a jam signal indicating to the other hosts that they should not send data right now. The sending hosts will then invoke a backoff timer, set to a random number of milliseconds. When each host’s backoff timer expires, they will each begin the CSMA/CD process from the very beginning by listening to the wire. Since that backoff timer is set to a random value, it’s unlikely that the data collision will reoccur. The hosts then have to retransmit the data, and there’s no guarantee that another collision won’t occur when that retransmission occurs!

At the time, we were darn glad to have CSMA/CD, and those built-in delays were a small price to pay for sharing media. You know what wasn’t around though? Voice and video conferencing. VoIP phones. YouTube. Vimeo. Cat videos. Dog videos. Donkey videos. In short, all kinds of ultra-delay-sensitive voice and video traffic is present in today’s network that we were only dreaming about back in the days of the hub. Having one big collision domain just would not do today.

Today’s networks typically have each host connected to their own individual port on a switch. One reason we love switches is the creation of smaller collision domains. When hosts are connected to individual switch ports, a separate collision domain is created for each host. Collisions literally cannot occur! Some Cisco documentation refers to this “one host, one collision domain” setup as microsegmentation. It’s not a term you hear often, but it’s certainly a good one to know when you’re reading Cisco docs.

Thanks to our switch, we also get a lot more bandwidth! When hosts are connected to individual switch ports, they no longer have to share bandwidth with other hosts, and by doing so, with the right switch config and network cards, each host can theoretically run at 200 Mbps (100 sending and 100 receiving), assuming FastEthernet ports.

That takes care of the collision domain issue, but we still have one large broadcast domain. By default, a broadcast or multicast sent by any host connected to that switch will be received by every other host on that switch. That’s a lot of unnecessary broadcasts flying around our network, which in turn means unnecessary work for the switch and for the hosts. We’ll start breaking up those broadcast domains in the Virtual LAN (VLAN) section of the course.
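To see the CSMA/CD rules and the microsegmentation argument side by side, here is a small slotted simulation. It is an added example, not code from the study guide: hosts listen before sending, hosts that transmit in the same slot collide and jam, each collided host waits a random backoff before listening again, and the same workload is then run with every host on its own switch port. The host names, frame counts and random seed are constructed.

```python
"""Toy slotted CSMA/CD simulation (an added example, not code from the study
guide). A hub puts every host in one collision domain; a switch
(microsegmentation) gives each host its own, so the same workload yields
zero collisions. Host names, frame counts and the seed are constructed."""
import random
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    frames_to_send: int     # constructed workload for this host
    sent: int = 0
    attempts: int = 0       # collisions suffered by the frame currently being sent
    backoff_until: int = 0  # first slot in which this host may listen to the wire again


def run_shared_medium(hosts, seed=1, max_slots=10_000):
    """Simulate one collision domain. Returns (collisions, slots_used)."""
    rng = random.Random(seed)   # seeded so the demo is repeatable
    collisions = 0
    for slot in range(max_slots):
        if all(h.sent == h.frames_to_send for h in hosts):
            return collisions, slot
        # carrier sense: only hosts whose backoff has expired listen and transmit
        ready = [h for h in hosts
                 if h.sent < h.frames_to_send and h.backoff_until <= slot]
        if len(ready) == 1:
            ready[0].sent += 1          # medium idle, lone talker: frame delivered
            ready[0].attempts = 0
        elif len(ready) > 1:
            collisions += 1             # voltage change: jam signal, nobody's data survives
            for h in ready:
                h.attempts += 1
                # truncated binary exponential backoff, as 802.3 does: wait 0..2^k-1
                # extra slots, k capped at 10 so the wait cannot grow without bound
                k = min(h.attempts, 10)
                h.backoff_until = slot + 1 + rng.randrange(2 ** k)
    raise RuntimeError("workload did not finish within max_slots")


def run_microsegmented(hosts, seed=1):
    """One collision domain per switch port: each host is simulated alone."""
    results = [run_shared_medium([h], seed) for h in hosts]
    return sum(c for c, _ in results), max(s for _, s in results)


def demo(frames_per_host=5, seed=1):
    """Run the same workload through a hub and through a switch."""
    hub = run_shared_medium([Host(n, frames_per_host) for n in "ABC"], seed)
    switch = run_microsegmented([Host(n, frames_per_host) for n in "ABC"], seed)
    return {"hub": hub, "switch": switch}


if __name__ == "__main__":
    print(demo())   # switch half is always (0, 5); the hub half shows at least one collision
```

The switch case finishes in exactly as many slots as the busiest host has frames, because nothing else ever touches that host's wire; the hub case always needs extra slots for the collisions and the backoff waits, which is the delay the text says voice and video traffic cannot tolerate.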

Decisions, Decisions

When a switch receives a frame, that switch will forward it, filter it, or flood it. We’ll take a look at each process right after this pop quiz!

When a frame enters a switch, what common value does the switch look at first?

It makes perfect sense that the switch would look at the frame’s destination address first. After all, the only way for the switch to get the frame where it needs to go is to look at its intended destination, right? Wrong! The switch will actually look at the source MAC address before any other value. The logical question to that answer would be: “Why does the switch even care where the frame came from?” The answer: “Because source addresses of incoming frames are how the switch builds and maintains its MAC address table.” That’s not the only reason for this behavior, but it’s the major reason, which brings up another important point.

Our routing table is helped along by dynamic routing protocols like EIGRP and OSPF. There is no equivalent to those protocols at Layer 2, so the switches have to build their MAC address tables in another fashion (or fashions). We could build a MAC address table with all static entries, but that approach has a serious drawback. Every time you add a host to a switch, you’d have to make a static MAC entry for that host. If a port goes down and you switch the host connected to the bad port to a good port, you won’t have full connectivity until you add a new static entry for that host’s MAC address. In the heat of battle, it’s easy to forget to remove the old entry, which leads to even more unnecessary troubleshooting when the bad port is fixed and another host is eventually connected to it. The more information you add statically, the greater the chance of a mistyped entry, which in turn leads to unnecessary troubleshooting.

It’s much more efficient to let the hardware carry out dynamic operations rather than forcing you and I, the network admins, to handle everything statically. When I have a choice between letting the hardware do the work and me doing the work, I’ll let the hardware do it every time. That doesn’t mean I’m lazy, it means I’m smart.

Let’s take a look at how a switch builds that all-important MAC address table, and we’ll also see each of those frame forwarding options in action. We’ll start with four hosts and one switch, using an odd topology to illustrate one forwarding option in particular. Hosts A and B are connected to a hub, which in turn is connected to a switch. We’ll assume the switch has just been added to the network.

When you first boot a switch, the MAC address table isn’t empty. There will be some entries for the CPU, and they’ll look something like this:

MLS_1#show mac address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU

The only way the switch can learn where the hosts are is for you and I to add a bunch of static entries (clumsy, not scalable) or let the switch learn their addresses dynamically.

We’ll start our walkthrough with Host A sending a frame to Host C. The frame enters the switch on fast0/1. The switch then looks at the source MAC address of the frame and asks itself one simple question: “Do I have an entry for this address in my MAC address table?” There’s no grey area here – the answer is either yes or no! Since we just turned the switch on, there’s no entry for Host A’s address in the MAC table, so the switch will create one.

MLS_1#show mac address-table dynamic
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    aaaa.aaaa.aaaa    DYNAMIC     Fa0/1

At long last, we get to the frame forwarding decision! Will this frame be forwarded, filtered, or flooded? That depends on the answer to the next question the switch asks itself: “Do I have an entry for this destination address in my MAC address table?” The answer is no. This is an unknown unicast frame, since the frame is a unicast (destined for one particular host), but there is no entry for this address in the MAC table, so the switch floods the frame, sending a copy of the frame out of every single port on the switch except the port the frame rode in on.

This flooding ensures the frame will go out the port leading to the correct host, and it also guarantees the other hosts will get the frame, which is a huge waste of bandwidth, host resources, and switch resources. If this is a 64-port switch and there’s a host on every port, the switch has to send 63 copies of the frame – 62 of which are totally unnecessary! There’s nothing wrong with a little frame flooding as you add a host or switch to a network – it really can’t be avoided – but after the initial add, we’d rather not have much flooding.

Host C will now respond to Host A with a frame of its own. We know what happens when the switch receives that frame, but will there be an entry for the source MAC of that frame? No entry for cccc.cccc.cccc, so the switch makes one. Our dynamic entries in that table are as follows:

MLS_1#show mac address-table dynamic
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    aaaa.aaaa.aaaa    DYNAMIC     Fa0/1
   1    cccc.cccc.cccc    DYNAMIC     Fa0/2

The dynamic entries in the table will now start to work in our favor. The switch checks for the frame’s destination address of aaaa.aaaa.aaaa in that table, and since there is one, the switch will forward the frame via Fa0/1. If Host A responds to Host C, the switch will have an entry for Host C’s MAC address where it didn’t have one earlier. Frames flowing from Host A to Host C will now be forwarded out Fa0/2 rather than being flooded.

Let’s jump ahead to a scenario where the topology is the same and the switch has a dynamic MAC entry for each host.

MLS_1#show mac address-table dynamic
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    aaaa.aaaa.aaaa    DYNAMIC     Fa0/1
   1    bbbb.bbbb.bbbb    DYNAMIC     Fa0/1
   1    cccc.cccc.cccc    DYNAMIC     Fa0/2
   1    dddd.dddd.dddd    DYNAMIC     Fa0/3

We have an unusual setup where Hosts A and B are connected to a hub that is in turn connected to a switch. From the switch’s point of view, both of those hosts are found off port Fa0/1. Please note that this is not a topology you’re going to see in many production networks (if at all). I’m strictly presenting it to you to illustrate the switch’s third option for frame forwarding.

When Host A sends a frame to Host B, B will get a copy of it through the hub, as will the switch. This messes with the switch’s mind for just a moment. The switch checks for the source and destination addresses in its MAC address table, and sees that they’re both found off the same port! The frame has already reached Host B through the hub, and the switch then filters the frame.

Let’s review those decisions and add a little broadcast / multicast discussion.

Forwarding happens when the switch has an entry for the frame’s destination MAC. Forwarded frames are sent out only via the port indicated by the MAC address table.

Flooding occurs when the switch has no entry for the frame’s destination MAC. When a frame is flooded, a copy of it is sent out of every port on the switch except the one it came in on. Unknown unicast frames are always flooded.

Filtering happens when the source and destination MAC addresses are found off the same port. “Filter” is a fancy big-city way of saying “the frame is dropped”. Technically, filtering also occurs when a frame is not sent out of a port because the destination is a known unicast.

Frames with a destination MAC of all Fs (ffff.ffff.ffff) are called broadcast frames, and are treated in the same manner as unknown unicast frames. Broadcast frames are actually intended for all hosts, where unknown unicast frames are sent to all hosts as a side effect of the frame flooding.

Multicast frames have a destination MAC in the range 0100.5e00.0000 – 0100.5e7f.ffff and are treated in the same fashion as broadcast frames.
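The whole decision sequence above, replayed in a small model. This is an added example, not code from the study guide: it learns the source address first, then decides forward / filter / flood on the destination, floods broadcast and multicast destinations, and ages dynamic entries out after the 300-second default discussed in the next section. Port names, timestamps and the MAC values (which mirror the book's walkthrough) are constructed.

```python
"""A small model of switch learning and forwarding (an added example, not
code from the study guide): source learning first, then a forward / filter /
flood decision on the destination, with broadcast and multicast destinations
flooded and dynamic entries aging out 300 s after the last frame from that
source. Port names, MAC addresses and timestamps are constructed."""

BROADCAST = "ffff.ffff.ffff"
MULTICAST_LOW = int("01005e000000", 16)    # 0100.5e00.0000
MULTICAST_HIGH = int("01005e7fffff", 16)   # 0100.5e7f.ffff


def is_multicast(mac):
    """True for destination MACs in the range 0100.5e00.0000 - 0100.5e7f.ffff."""
    return MULTICAST_LOW <= int(mac.replace(".", ""), 16) <= MULTICAST_HIGH


class Switch:
    def __init__(self, ports, aging_time=300):
        self.ports = list(ports)
        self.aging_time = aging_time      # seconds; the IOS default is 300
        self.table = {}                   # mac -> (port, last_seen_seconds)

    def _age_out(self, now):
        stale = [m for m, (_, seen) in self.table.items() if now - seen > self.aging_time]
        for m in stale:
            del self.table[m]

    def receive(self, in_port, src, dst, now):
        """Process one frame; returns (decision, list_of_egress_ports)."""
        self._age_out(now)
        # Step 1: the SOURCE address is examined first. Learning it here also
        # refreshes the aging timer, and a host that moved to a new port simply
        # overwrites its old entry, no aging required.
        self.table[src] = (in_port, now)
        # Step 2: the DESTINATION decides forward / filter / flood.
        if dst == BROADCAST or is_multicast(dst) or dst not in self.table:
            return "flood", [p for p in self.ports if p != in_port]
        out_port, _ = self.table[dst]
        if out_port == in_port:
            return "filter", []          # source and destination off the same port (hub case)
        return "forward", [out_port]

    def show_mac_table(self):
        """Dynamic entries as (mac, port) rows, like 'show mac address-table dynamic'."""
        return sorted((mac, port) for mac, (port, _) in self.table.items())


def walkthrough():
    """Replay the book's scenario: A and B behind a hub on Fa0/1, C on Fa0/2, D on Fa0/3."""
    sw = Switch(ports=["Fa0/1", "Fa0/2", "Fa0/3"])
    a, b, c, d = "aaaa.aaaa.aaaa", "bbbb.bbbb.bbbb", "cccc.cccc.cccc", "dddd.dddd.dddd"
    decisions = [
        sw.receive("Fa0/1", a, c, now=0),                 # C unknown: flood
        sw.receive("Fa0/2", c, a, now=1),                 # A known on Fa0/1: forward
        sw.receive("Fa0/1", a, c, now=2),                 # C now known: forward out Fa0/2
        sw.receive("Fa0/1", b, a, now=3),                 # A and B both off Fa0/1: filter
        sw.receive("Fa0/3", d, BROADCAST, now=4),         # broadcast: flood
        sw.receive("Fa0/3", d, "0100.5e00.0001", now=5),  # multicast: flood
        sw.receive("Fa0/2", c, a, now=400),               # A silent > 300 s: aged out, flood again
    ]
    return decisions, sw.show_mac_table()


if __name__ == "__main__":
    for row in walkthrough()[0]:
        print(row)
```

The aging check runs before the source is learned, so a frame from a host refreshes that host's timer exactly the way the text describes, and the last step shows what happens when a host stays silent longer than the aging time: its entry is gone and the next frame for it is flooded as an unknown unicast all over again.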

More About That MAC Address Table

When I was waxing poetic about dynamically learned MAC addresses, I’m sure you wondered how long those addresses stay in the table. The default aging time for dynamically learned MAC addresses is 300 seconds, and that timer is reset when a frame comes in with that particular source MAC address. In short, as long as the switch hears from a host within any five-minute period, that host’s MAC address stays in the table.

Right now, the aging time is 300 seconds, and you already knew that the command to change that value is mac address-table aging-time. For example, if I asked you to set the MAC address aging time to 10 minutes, you might be tempted to enter the following:

MLS_1(config)#mac address-table aging-time 10

Not only is that wrong, it’s really wrong. IOS Help reveals that the time unit for this command is seconds…

MLS_1(config)#mac address-table aging-time ?
  <0-0>         Enter 0 to disable aging
  <10-1000000>  Aging time in seconds

… so our dynamic entries are now aging out in just 10 seconds. Let’s fix that:

MLS_1(config)#mac address-table aging-time 600

Verify with show mac address-table aging-time.

MLS_1#show mac address-table aging-time
Global Aging Time: 600

I strongly urge you to use IOS Help to check any numeric value. Time-related commands use different combinations of seconds, milliseconds, minutes, hours, and days. Data-based commands use megabits, kilobits, gigabits – you get the idea. With time-based IOS commands, be sure to use IOS Help to check the unit of time that particular command uses. Use IOS Help, my friends – that’s why it’s there!

I shall now hop down from Ye Olde Soapbox and we’ll march forward!

Another factor in favor of dynamic MAC address table entries is the switch’s ability to dynamically adapt to a change in physical ports. To demo this, I’ll need to know the port ROUTER_3 is connected to. Do you know a command that will give us information about directly connected Cisco devices?

MLS_1#show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
ROUTER_1         Fas 0/1           177        R S I       2801      Fas 0/0
ROUTER_3         Fas 0/3           136        R S I       2801      Fas 0/0

Right! More about CDP later in the course. Let’s use show mac address-table dynamic interface to get info about only that particular port. (When you have 48 or so dynamically learned addresses, you’ll want to use this filter.)

MLS_1#show mac address-table int fast 0/3
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  13    001f.ca96.2754    DYNAMIC     Fa0/3
Total Mac Addresses for this criterion: 1

Success! ROUTER_3’s MAC address is correctly listed in the table. So far, so good! But now… port Fa0/3 goes BAD. With dynamically learned addresses, all we need to do is move that cable to a port that’s working. There is one thing you have to do manually in this situation, and that’s changing the VLAN membership of that port. Earlier show commands told us that the previous port belonged to VLAN 13, and our Cisco switch ports belong to VLAN 1 by default. You likely remember how to change a port’s VLAN membership. If not, here’s a reminder, and there’s plenty of additional work with VLANs ahead!

MLS_1(config)#int fast 0/13
MLS_1(config-if)#switchport access vlan 13

MLS_1#show vlan brief
VLAN Name        Status    Ports
---- ----------- --------- -------------------------------
1    default     active    (All ports except those in #13)
13   VLAN0013    active    Fa0/1, Fa0/3, Fa0/13

I’ll move it to Fast0/11 and check the full dynamic address table.

MLS_1#show mac address-table dynamic
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  13    001f.ca96.2754    DYNAMIC     Fa0/13
  13    0017.59e2.474a    DYNAMIC     Fa0/1
Total Mac Addresses for this criterion: 2

No aging was necessary – once the switch saw frames from ROUTER_3 come in on a new port, the entry for that address on Fa0/3 was removed.

We’ve been working with the MAC address table for a while now, so it’s a good time to tell you the other name for this table. The MAC address table is also known as the Content Addressable Memory (CAM) table, and for Layer 2 switching, having “just” the CAM table is enough to get the job done. Multilayer switches have other challenges and tasks besides switching – routing, advanced security, and Quality of Service (QoS) to name just a few! For these tasks, we’ll need the help of a Ternary Content Addressable Memory (TCAM) table. While CAM table lookups use two values (no surprise, they’re 0 and 1), TCAM tables have three values – 0, 1, and “x” for “don’t care”. It’s common for multilayer switches to have multiple TCAM tables to go along with the multiple functions an MLS must handle. You’ll find more info on the TCAM in the Multilayer Switching portion of the course.

Switch Roles And The SDM

The great thing about multilayer switches is their ability to fit almost any role in your network. You may have an MLS that spends most of its time routing, while others act pretty much as L2 switches. The default allocation of switch resources may not fit the role of the switch, since by default the resources are split up pretty much evenly between routing, switching, and security.

Wouldn’t it be great if we could allocate more system resources to routing if the MLS is primarily going to route? How about making a larger MAC address table possible for an MLS that’s primarily going to switch? Thanks to SDM, we can do just that on many Cisco switches. Some switches have default resource allocations that can’t be changed, but when they can be changed, SDM does that for us with ease! (This is not the Security Device Manager that you may have used and studied previously, this SDM is the Switching Database Manager.)

To see the currently loaded template and its allocation settings, run show sdm prefer.

MLS_1#show sdm prefer
The current template is “desktop default” template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  6K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    8K
    number of directly-connected IPv4 hosts:        6K
    number of indirect IPv4 routes:                 2K
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K

SDM uses templates to allocate system resources, and if you cringe when you hear the word “template”, you may un-cringe – these templates are already created! Let’s see the SDM templates available on my switch:

MLS_1(config)#sdm prefer ?
  access               Access bias
  default              Default bias
  dual-ipv4-and-ipv6   Support both IPv4 and IPv6
  routing              Unicast bias
  vlan                 VLAN bias

When IOS Help says “bias”, it means business! Here’s a quick look at each template and its capabilities:

Access – If your MLS is running a whoooole lot of ACLs, this template can come in handy, as it will allocate resources to handle the maximum number of ACLs.

Default – That’s the default template, and it treats all functions more or less equally.

Dual-ipv4-and-ipv6 – Great for an MLS running dual stack (both IPv4 and v6 at the same time). This template doesn’t support everything IPv6-wise, including IPv6 multicast, so do your homework before applying this template.

Routing – Enhances the environment for IPv4 unicast routing.

VLAN – Supports the CAM table’s growth to contain the maximum number of unicast MAC addresses. Very important: This template disables hardware routing.

Let’s load the VLAN template and see what happens.

MLS_1(config)#sdm prefer vlan
Changes to the running SDM preferences have been stored, but cannot take
effect until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently active.

Well, the first thing that’s going to happen is you and I being told we have to reload the switch for the template switch to take effect. There’s no workaround for this one, we really do have to reload the switch! I’ll do so now and run show sdm prefer after the reload.

MLS_1#show sdm prefer
The current template is “desktop vlan” template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  12K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    0
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K

Quite a difference! We now have twice the space for unicast mac addresses, but look at that tradeoff! There’s no room for IPv4 unicast routes or PBR.

Something to keep in mind when using the SDM vlan template! The SDM routing template doesn’t disable switching, but the SDM vlan template does disable routing. Important stuff to keep in mind!

Let’s load the routing template and check the results. After the reload:

MLS_1#show sdm prefer
The current template is “desktop routing” template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  3K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    11K
    number of directly-connected IPv4 hosts:        3K
    number of indirect IPv4 routes:                 8K
  number of IPv4 policy based routing aces:         0.5K
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K

Additional resources are indeed reserved for IPv4 unicast and PBR, but we still have some room for MAC addresses.

Before we move on, just for shiggles, here’s the allocation when the access template is in use.

MLS_1#show sdm prefer
The current template is “desktop access IPv4” template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  4K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    6K
    number of directly-connected IPv4 hosts:        4K
    number of indirect IPv4 routes:                 2K
  number of IPv4 policy based routing aces:         0.5K
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 2K

Just Some Reminders…

The Ethernet types and speeds we’ll see in this course:

Ethernet: 10 Mbps. The original, but not the best.

FastEthernet: 100 Mbps. Can run in half- or full-duplex mode. Most Cisco switch ports we’ll use in this course are FE ports.
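Since a template change only takes effect after a reload, and the vlan template silently gives up hardware routing, it pays to compare the current allocation with the candidate's before typing sdm prefer. The following is an added example, not code from the study guide: it parses show sdm prefer output into a dictionary, diffs two templates, and flags every resource that would drop to zero. The two sample outputs are constructed from the figures quoted above, and the function names are this example's own.

```python
"""Parse 'show sdm prefer' output and review a template change before the
reload (an added example, not code from the study guide). The sample outputs
are constructed from the default and vlan figures quoted in the text."""
import re

TEMPLATE_RE = re.compile(r'The current template is [“"](.+?)[”"] template')
RESOURCE_RE = re.compile(r"^\s*number of (.+?):\s+([\d.]+)(K?)\s*$")

DEFAULT_SDM = """\
The current template is "desktop default" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  6K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    8K
    number of directly-connected IPv4 hosts:        6K
    number of indirect IPv4 routes:                 2K
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K
"""

VLAN_SDM = """\
The current template is "desktop vlan" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  12K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    0
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K
"""


def parse_sdm_prefer(text):
    """Return {'template': name, 'resources': {resource: size}} with sizes in K
    (thousands), the unit the command prints; a bare number such as 0 is divided by 1000."""
    template, resources = None, {}
    for line in text.splitlines():
        m = TEMPLATE_RE.search(line)
        if m:
            template = m.group(1)
            continue
        m = RESOURCE_RE.match(line)
        if m:
            size = float(m.group(2))
            resources[m.group(1)] = size if m.group(3) else size / 1000
    return {"template": template, "resources": resources}


def diff_templates(current, candidate):
    """(resource, before, after) for every allocation that differs; None = not listed."""
    cur, cand = current["resources"], candidate["resources"]
    return [(name, cur.get(name), cand.get(name))
            for name in sorted(set(cur) | set(cand))
            if cur.get(name) != cand.get(name)]


def lost_capabilities(current, candidate):
    """Resources that are non-zero now but zero (or absent) in the candidate template."""
    return [name for name, before, after in diff_templates(current, candidate)
            if before and not after]


if __name__ == "__main__":
    now, later = parse_sdm_prefer(DEFAULT_SDM), parse_sdm_prefer(VLAN_SDM)
    for row in diff_templates(now, later):
        print(row)
    print("would lose:", lost_capabilities(now, later))
```

Running it against the two outputs above lists the MAC-table gain alongside the three routing allocations that vanish, which is exactly the tradeoff the text warns about; pasting the routing or access template output into the same functions shows their tradeoffs the same way.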

Gig Ethernet: 1 Gbps (1000 Mbps). Also expressed as GbE. Wikipedia: “Half-duplex gigabit links connected through hubs are allowed by the specification, but the specification is not updated anymore and full-duplex usage with switches is used exclusively.”

10 Gig Ethernet: 10 Gbps (10,000 Mbps). Does not support half-duplex links. Can be run on copper cables, but requires higher-grade cables (Cat 6a or Cat7).

Port Speed, Duplex, And Autonegotiation

In the real world, use autonegotiation on both ends of a connection and you’re gold. With that in mind, let’s discuss some things that can go wrong with autonegotiation. Here, ROUTER_3’s Fast 0/0 interface is connected to 0/7 on MLS_1.

With both interfaces enabled for autonegotiation, both devices will send fast link pulses (FLPs). The obvious question is: “Fast compared to what?” They’re fast compared to normal link pulses (NLPs): our FLPs give more pulses in the same amount of time, allowing a decision as to speed and duplex that is as fast and efficient as possible without exceeding device capabilities. (Both drawings courtesy of Wikipedia, both are in the public domain.)

The FLP is basically a declaration of the capabilities of the sending device with regards to speed and duplex, port speeds, and port duplex settings.

The fundamental autonegotiation rules:

If both ports support half- and full-duplex, full-duplex is (thankfully) always preferred.

If both ports support different speeds, the highest common speed is preferred.

Now, back to the demo… As expected, both involved ports end up running at FastEthernet speed, set to full-duplex. Not much to decide here, since the max capabilities are the same on both sides!

But what happens if MLS_1 is not running autonegotiation at all? Let’s find out while hardcoding the speed and duplex settings on MLS_1.

MLS_1(config)#int fast 0/7
MLS_1(config-if)#speed ?
  10    Force 10 Mbps operation
  100   Force 100 Mbps operation
  auto  Enable AUTO speed configuration

MLS_1(config-if)#speed 10
MLS_1(config-if)#duplex ?
  auto  Enable AUTO duplex configuration
  full  Force full duplex operation
  half  Force half-duplex operation
MLS_1(config-if)#duplex full

Now we have a problem, and a totally unnecessary one at that. With one endpoint running autonegotiation and the other end not, we end up with parallel detection. PD brings us some good news: The device running autonegotiation can detect the speed of the remote device and adjust its speed accordingly. Sadly, it’s not all good with PD, as Router_3 will be unable to detect the remote endpoint’s duplex setting. The physical interfaces and line protocols are still up on both devices:

ROUTER_3(config)#int fast 0/0
ROUTER_3(config-if)#speed auto
ROUTER_3(config-if)#duplex auto

MLS_1#show int fast 0/7
FastEthernet0/7 is up, line protocol is up (connected)

ROUTER_3#show int fast 0/0
FastEthernet0/0 is up, line protocol is up
  Hardware is Gt96k FE, address is 001f.ca96.2754 (bia 001f.ca96.2754)
  MTU 1500 bytes, BW 10000 Kbit/sec, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 10Mb/s, 100BaseTX/FX

ROUTER_3 detects the 10 Mbps speed on the remote endpoint and sets its own speed accordingly. The router can’t assume full-duplex on that remote endpoint, so it must set its own port to the dreaded half-duplex. (That’s verified by the show interface output just above.)

In short, you end up with a real mess. MLS_1 will go at data transmission with all guns blazing, since it’s running at full-duplex. ROUTER_3 is running at half-duplex, so that interface will transmit or receive, but it will not do both at the same time. ROUTER_3 will see data coming in at the same time it’s transmitting, and will think a data collision has occurred when in reality there was no such collision, and it’s a problem that’s not always easy to spot.

These duplex mismatches can be tough to spot just by looking at the config, but our old pal CDP will let you know about ‘em in a heartbeat:

*Apr 11: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/0 (not full duplex), with MLS_1 FastEthernet0/7 (full duplex).

That’s about as self-explanatory as a console message can get!

Coming up next: The wonderful world of VLANs!
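The two pieces of evidence the text relies on, the speed/duplex line of show interface on each end and the %CDP-4-DUPLEX_MISMATCH syslog message, are easy to check by script across many links. Here is an added example, not code from the study guide, that parses both: the ROUTER_3 output and the syslog line are taken from the values quoted above, while the MLS_1 side is a constructed two-line abbreviation of what show int fast 0/7 would carry.

```python
"""Spot a duplex mismatch from 'show interface' output on both ends of a link
and from the CDP syslog message (an added example, not code from the study
guide). The sample outputs are constructed from the values quoted above; the
MLS_1 side is abbreviated to the lines the check needs."""
import re

STATUS_RE = re.compile(r"^(\S+) is (up|down|administratively down), line protocol is (up|down)")
DUPLEX_RE = re.compile(r"^\s*(Full|Half|Auto)-duplex,\s*(\d+)(Mb/s|Gb/s)", re.IGNORECASE)
CDP_MISMATCH_RE = re.compile(
    r"%CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on (\S+) \((not )?full duplex\),"
    r" with (\S+) (\S+) \((not )?full duplex\)")

ROUTER_3_SHOW_INT = """\
FastEthernet0/0 is up, line protocol is up
  Hardware is Gt96k FE, address is 001f.ca96.2754 (bia 001f.ca96.2754)
  MTU 1500 bytes, BW 10000 Kbit/sec, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 10Mb/s, 100BaseTX/FX
"""

# constructed: the switch side, hardcoded to speed 10 / duplex full as in the demo
MLS_1_SHOW_INT = """\
FastEthernet0/7 is up, line protocol is up (connected)
  Full-duplex, 10Mb/s, media type is 10/100BaseTX
"""

CDP_SYSLOG = ("*Apr 11: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on "
              "FastEthernet0/0 (not full duplex), with MLS_1 FastEthernet0/7 (full duplex).")


def parse_show_interface(text):
    """Pull name, status, duplex and speed (Mb/s) out of one 'show interface' block."""
    info = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            info.update(name=m.group(1), status=m.group(2), line_protocol=m.group(3))
            continue
        m = DUPLEX_RE.match(line)
        if m:
            speed = int(m.group(2)) * (1000 if m.group(3).lower() == "gb/s" else 1)
            info.update(duplex=m.group(1).lower(), speed_mbps=speed)
    return info


def check_link(local, remote):
    """Compare both ends of one link; an empty list means speed and duplex agree.
    Both interfaces being up/up proves nothing, exactly as the text shows."""
    problems = []
    if local.get("speed_mbps") != remote.get("speed_mbps"):
        problems.append("speed mismatch: %s %s Mb/s vs %s %s Mb/s" % (
            local.get("name"), local.get("speed_mbps"),
            remote.get("name"), remote.get("speed_mbps")))
    if local.get("duplex") != remote.get("duplex"):
        problems.append("duplex mismatch: %s %s vs %s %s" % (
            local.get("name"), local.get("duplex"),
            remote.get("name"), remote.get("duplex")))
    return problems


def parse_cdp_mismatch(syslog_line):
    """Decode a %CDP-4-DUPLEX_MISMATCH message; 'not full duplex' is reported as half."""
    m = CDP_MISMATCH_RE.search(syslog_line)
    if not m:
        return None
    return {"local": m.group(1), "local_duplex": "half" if m.group(2) else "full",
            "neighbor": m.group(3), "remote_if": m.group(4),
            "remote_duplex": "half" if m.group(5) else "full"}


if __name__ == "__main__":
    print(check_link(parse_show_interface(ROUTER_3_SHOW_INT),
                     parse_show_interface(MLS_1_SHOW_INT)))
    print(parse_cdp_mismatch(CDP_SYSLOG))
```

Parallel detection got the speed right on both ends, so check_link reports only the duplex problem; the CDP message says the same thing without needing access to the other box, which is why it is worth collecting those syslog lines centrally.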

Chapter 2: THE WHEN, WHERE, AND HOW OF VLANS

Even if you’ve just earned your CCNA, don’t breeze through this section. VLANs are the core of your switching network, and they’re going to be all over your SWITCH exam. We’re in the exam room to score points, not give them away, and part of scoring points is mastering VLAN fundamentals.

Speaking of that, let’s jump to the most fundamental of fundamentals by answering these questions: “Why don’t we just use physical LANs? Why do we need virtual ones?”

One great use for VLANs is to limit the scope of our old pal, the broadcast. By default, a switch will take an incoming broadcast and send a copy of it out of every single port except the port that received the original broadcast. In the following example, our hosts are all in the same broadcast domain, making this a flat network topology. (For clarity, cabling is not shown.)

I pride myself on presenting as many real-world networking examples as possible in my books. Rest assured that this is not one of them. It’s doubtful that every host connected to your switch actually needs the broadcast, but the switch will forward a copy of the incoming broadcast to every other host. Broadcast propagation wouldn’t be a huge deal in a 5-host network, but we don’t run into many 5-host networks in the real world. On a switch with 24, 48, or 60+ ports, this broadcast flooding would have a negative impact on overall switch operation, and your available bandwidth would start to get sucked up by a bunch of unnecessary broadcasts.

That’s where VLANs come in. When you create VLANs, you’re creating multiple, smaller broadcast domains, which in turn lowers the number of overall broadcasts. We limit the overall number of broadcasts by limiting their scope, a fancy way of saying “let’s only send the broadcasts where they need to go rather than just sending them everywhere.” Broadcasts are forwarded only to hosts in the same VLAN as the original sender of the broadcast.

Cisco’s best practice is to have one VLAN per IP subnet, and this is a best practice that works really well in real-world networking. Cisco also recommends that a VLAN doesn’t reach beyond the distribution layer in its 3-layer switching model. (More on that in the design section of this course.)

The method used to determine a host’s VLAN membership depends on the kind of VLAN you’re using. With dynamic VLANs, the membership depends on the host’s MAC address, and static VLAN membership is dependent on the port the host is connected to. Whether you’re using static or dynamic VLANs, the host doesn’t care about its VLAN membership. It’s only important to the port to which the host is connected. The terms “static” and “dynamic” refer to how the host is assigned VLAN membership, not to how the VLAN is actually created. The actual VLAN membership determination is still done by the switch. In this course, we’ll concentrate on static VLANs.

Let’s take our first look at show vlan.

SW1#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        -    -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

To be blunt, while this is an important command to know, it gives you a lot of info you really don’t need to start troubleshooting or to verify your work. I prefer show vlan brief.

SW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

All 12 ports on this particular switch are in the default VLAN, VLAN 1. The five VLANs shown are default VLANs and cannot be deleted. You may never use VLANs 1002 – 1005 in real-world networking. They’re legacy VLANs designed for use with FDDI and Token Ring. (Never say “old” in networking, always say “legacy”.) Keep them in mind for the exam.

To meet Cisco’s best practices, we’ll use the single IP subnet 10.1.1.0 /24, and the host number will serve as the last octet in the host’s IP address. I’ve used ping to test connectivity in the lab. (Always test your basic connectivity before starting a lab.) I’ll show the ping results here only from H1 to save a little space. I know you’ll take my word on the others! The ping results will look different than they would on a PC, as I’m using Cisco routers as my hosts.

HOST1#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms

HOST1#ping 10.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

HOST1#ping 10.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/10/32 ms

Right now, all hosts are in one single broadcast domain, and every host can ping every other host. I occasionally hear a network admin say “we don’t use VLANs,” and while that admin may not have configured VLANs, VLANs are always in use. Each VLAN is its own broadcast domain. (I know I’m hitting you over the head with this. The pain will stop soon.) Cisco switch ports are in VLAN 1 by default, and right now, using this four-host network for a lab, any broadcast sent by any host will be received by all of our other hosts.

SW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

This command shows you only the port memberships, which is all we need to get started. As your studies and career progress, you’ll be surprised at how often a host-to-host communications issue comes down to a port being in a different VLAN than you thought it was!

We know what that means – a broadcast that comes in on any of these ports will be forwarded out every other port on the switch. Let’s practice limiting the broadcast scope.

Let’s configure our switch to allow broadcasts sent by H1 to be forwarded only to H2 by putting them in their own little broadcast domain – that is, their own VLAN! We’ll place those two hosts into the not-yet-existent VLAN 12 with switchport mode access and switchport access vlan 12. The first command puts the port into access mode, which means it can belong to one and only one VLAN. The second command defines VLAN membership.

SW1(config)#int fast 0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access ?
  vlan  Set VLAN when interface is in access mode
SW1(config-if)#switchport access vlan ?
  <1-1005>  VLAN ID of the VLAN when this port is in access mode
  dynamic   When in access mode, this interfaces VLAN is controlled by VMPS
SW1(config-if)#switchport access vlan 12
% Access VLAN does not exist. Creating vlan 12

If you try to put ports into a non-existent VLAN, the switch will do it for you. This dynamic creation of a VLAN does NOT make this a dynamic VLAN. The terms “static” and “dynamic” refer to the method used to place hosts into a VLAN, not the method of VLAN creation.

To create a VLAN manually, use the vlan command. I’ll create VLAN 20 on this switch, name it ACCOUNTING, and then we’ll leave that VLAN alone for the duration of the lab.

SW1(config)#vlan 20
SW1(config-vlan)#?
VLAN configuration commands:
  are           Maximum number of All Route Explorer hops for this VLAN (or zero if none specified)
  backupcrf     Backup CRF mode of the VLAN
  bridge        Bridging characteristics of the VLAN
  exit          Apply changes, bump revision number, and exit mode
  media         Media type of the VLAN
  mtu           VLAN Maximum Transmission Unit
  name          Ascii name of the VLAN
  no            Negate a command or set its defaults
  parent        ID number of the Parent VLAN of FDDI or Token Ring type VLANs
  private-vlan  Configure a private VLAN
  remote-span   Configure as Remote SPAN VLAN
  ring          Ring number of FDDI or Token Ring type VLANs
  said          IEEE 802.10 SAID
  shutdown      Shutdown VLAN switching
  state         Operational state of the VLAN
  ste           Maximum number of Spanning Tree Explorer hops for this VLAN (or zero if none specified)
  stp           Spanning tree characteristics of the VLAN
  tb-vlan1      ID number of the first translational VLAN for this VLAN (or zero if none)
  tb-vlan2      ID number of the second translational VLAN for this VLAN (or zero if none)

The name command is the only one of these options we need to concern ourselves with.

If you earned your CCNA with me, you know what I’m going to say. Trust your config, but verify it!

SW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12
12   VLAN0012                         active    Fa0/1, Fa0/2
20   ACCOUNTING                       active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
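The following Python is an added example, not code from the study guide or from Cisco: a small parser for show vlan brief output that handles the wrapped port lists, answers “which VLAN is this port in?” directly instead of by eye, and lists any ports that appear in no VLAN row at all (which, as we’ll see, usually means the port is trunking). The capture, VLAN names and port list it works on are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the layout of show vlan brief; the VLAN names and the
# port assignments are made up for this example, not captured from a switch.
# Fa0/11 and Fa0/12 are deliberately absent, as trunk ports would be.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/7
                                                Fa0/13, Fa0/14
10   KANSASCITY                       active    Fa0/6
12   SUCCESS                          active    Fa0/1, Fa0/2
20   OREGON                           active    Fa0/9
35   GREENBAY                         active    Fa0/10
42   OHIOSTATE                        active    Fa0/8
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
"""

# A VLAN row starts with the VLAN ID; the port list on that row is optional.
VLAN_ROW = re.compile(
    r"^(\d+)\s+(\S+)\s+(act/unsup|active|suspended|act/lshut)\s*(.*)$")


def _split_ports(field: str) -> List[str]:
    return [p.strip() for p in field.split(",") if p.strip()]


def parse_vlan_brief(text: str) -> Dict[int, dict]:
    """Return {vlan_id: {"name", "status", "ports"}} from show vlan brief text."""
    vlans: Dict[int, dict] = {}
    current: Optional[dict] = None
    for line in text.splitlines():
        match = VLAN_ROW.match(line)
        if match:
            current = {"name": match.group(2), "status": match.group(3),
                       "ports": _split_ports(match.group(4))}
            vlans[int(match.group(1))] = current
        elif current is not None and line.startswith(" ") and line.strip():
            # Indented line with no VLAN ID: the previous row's port list
            # wrapped, so these ports belong to that same VLAN, not the next.
            current["ports"].extend(_split_ports(line))
        else:
            current = None  # header or separator line
    return vlans


def port_to_vlan(vlans: Dict[int, dict]) -> Dict[str, int]:
    """Invert the table so a port is looked up without reading across rows."""
    return {port: vid for vid, entry in vlans.items() for port in entry["ports"]}


def vlan_of(text: str, port: str) -> Optional[int]:
    """VLAN ID for one port, or None if the port is not listed at all."""
    return port_to_vlan(parse_vlan_brief(text)).get(port)


def unlisted_ports(text: str, expected: List[str]) -> List[str]:
    """Ports the switch has that show vlan brief lists in no VLAN row."""
    listed = port_to_vlan(parse_vlan_brief(text))
    return [p for p in expected if p not in listed]


if __name__ == "__main__":
    print(vlan_of(SHOW_VLAN_BRIEF, "Fa0/10"))   # 35, not the 42 on the next row
    print(vlan_of(SHOW_VLAN_BRIEF, "Fa0/14"))   # 1, picked up from the wrapped line
    print(unlisted_ports(SHOW_VLAN_BRIEF, [f"Fa0/{n}" for n in range(1, 15)]))
```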

Bingo! VLAN 20 sits empty, and VLAN 12 contains fast 0/1 and 0/2. Let’s ping the network from H1. For brevity’s sake, for the rest of this section I’ll show only the ping and ping result.

HOST1#ping 10.1.1.2
!!!!!
HOST1#ping 10.1.1.3
.....
HOST1#ping 10.1.1.4
.....

Congratulations! Assuming all hosts are sending roughly the same number of broadcasts, you just cut broadcast traffic in your network by 66%, and all is well!

Or… IS it? Sometimes, in networking, a solution leads to another issue. The good news is that broadcasts from H1 aren’t going to H3 or H4. The bad news is that no traffic is going from H1 to H3 or H4, even though they’re in the same IP subnet. Inter-VLAN traffic requires the routing layer of the OSI model to get involved. If this is strictly a Layer 2 switch, we’ll need to get a router involved. If this is a Multi-Layer Switch (MLS), we could enable IP routing on the switch and then work something out. We’ll look at using an MLS in this situation later in the course. For now, keep in mind that inter-VLAN traffic requires Layer 3 involvement.

I’ll rename VLAN 12 “SUCCESS”, and then we’ll move on.

SW1(config)#vlan 12
SW1(config-vlan)#name SUCCESS

SW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12
12   SUCCESS                          active    Fa0/1, Fa0/2
20   ACCOUNTING                       active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Before we hit dynamic VLANs, let me give you a real-world networking tip that’s saved my hash on more than one occasion. When you have one or two VLANs, the output of show vlan brief is easy to read. Once you get more VLANs, and ports spread out among them, it’s easy to misread, as in the following:

SW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/7
                                                Fa0/11, Fa0/12
10   KANSASCITY                       active    Fa0/6
12   SUCCESS                          active    Fa0/1, Fa0/2
20   OREGON                           active    Fa0/9
35   GREENBAY                         active    Fa0/10
42   OHIOSTATE                        active    Fa0/8
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

It’s really easy for the eye to skip up a line as you read this output. If you read fast0/10 as belonging to VLAN 42, that’s just going to make your troubleshooting harder! To see the ports in one particular VLAN, use show vlan id followed by the VLAN number.

SW1#show vlan id 35

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
35   GREENBAY                         active    Fa0/10

Dynamic VLANs

The actual configuration of dynamic VLANs is way out of the CCNP SWITCH exam scope, but you should be familiar with the basics of the VLAN Membership Policy Server (VMPS), the core of dynamic VLAN configuration. VMPS uses the source MAC address of incoming frames to determine the VLAN membership of the port receiving those frames.

One of the painful things about static VLANs becomes apparent when you need to move a host from one port to another. Let’s say a problem has arisen with 0/4 on our current switch, and we need to move that host to 0/5. We’d need to manually configure 0/5 for that host, and as good network admins, we’d keep up with our network housekeeping and remove the config from 0/4. (I’ll leave 0/4 as an access port.)

SW1(config)#int fast 0/4
SW1(config-if)#no switchport access vlan 12
SW1(config-if)#int fast 0/5
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 12

You’re likely thinking “Hey Chris, what’s the big deal?” I admit that it’s not a ton of work, but the more manual configuration you do, the larger the chance of a simple misconfiguration, especially when one of your company’s VPs is yelling at you while you write the config. All you have to do is enter “21” for “12” on that 0/5 config and you have more trouble than you started with.

Wouldn’t it be great if you could just detach the cable from 0/4 and plug it into 0/5, and the VLAN membership adjusted automatically? That’s what VMPS brings to the table, so moving the cable is all we have to do. When the switch sees frames coming in on 0/5 with a source MAC address that was in its MAC address table as belonging to 0/4…

…the switch will realize what’s happened, and will then dynamically change the VLAN membership of 0/5 and update its MAC address table.

Some VMPS notes:

A somewhat odd default of VMPS is that PortFast is automatically enabled for a port when it receives its VLAN membership dynamically. It can then be disabled if you like. A quick reminder: PortFast allows a port to go straight from blocking mode to forwarding mode. Using this can be a big help with host DHCP issues.

Trunk ports can’t receive a dynamic VLAN assignment, since by definition trunk ports already belong to all VLANs.

The VMPS Server must be configured before you can dynamically assign any VLAN membership. (Yeah, I know, “duh”.)

Port security and dynamic VLAN memberships don’t play well together. Actually, they don’t play together at all. You have to disable port security on a port in order for that port to get a dynamic VLAN assignment.

A Word Or Two On Voice VLANs

Cisco IP Phones have three ports. One will be connected to a switch, another to a PC, and the third is an internal connection to an Application-Specific Integrated Circuit (ASIC). With Cisco IP phones, there is no special config needed on the PC. As far as the PC is concerned, it is attached directly to that switch. As far as the direct connection to the IP phone is concerned, the PC is unaware and it doesn’t care!

The link between the switch and the IP phone can be configured as either an 802.1q trunk or an access link. Using an access link results in voice and data traffic being carried in the same VLAN, which can lead to time-related delivery issues with the voice traffic. Using a trunk gives us the advantage of creating a voice VLAN (VVID), a VLAN dedicated to carrying voice traffic. The VVID allows the highest Quality of Service available, giving the delay-sensitive voice traffic priority over normal, non-voice data streams.

The key to keeping end users happy with voice-based traffic is to deliver it without jitter. Jitter is defined by Wikipedia as “the deviation from true periodicity of a presumed signal in electronics and telecommunications, often in relation to a reference clock source.” Chris Bryant defines jitter as “that really annoying continual interruption in a voice stream that makes you want to tear your own eardrums out.” Whichever definition you use, it’s really annoying. The human ear will only accept 140 – 150 milliseconds of delay before it notices a problem with voice delivery.

Should the voice traffic start to be delayed, your end users begin to get annoyed, and your support center phones start to ring!

We have four options for the switch-to-phone link:

Use an access link
Use a trunk and use 802.1p
Use a trunk without tagging voice traffic
Use a trunk and specify a VVID

The question “Who’s The Boss?” has stumped the great scholars and live-in housekeepers of eras past and present, but in this situation the boss is the switch, which tells the phone which of those four options will be used.

The interface is using VLAN 100 for normal data, and the native VLAN is unchanged from the default, verified by this partial output of show interface switchport.

SW1#show int fast 0/1 switchport
Access Mode VLAN: 100 (VLAN0100)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none

The PVID shown in the following options is the port VLAN ID, the number identifying the non-voice VLAN.

SW1(config)#int fast 0/1
SW1(config-if)#switchport voice vlan ?
  <1-4094>  Vlan for voice traffic
  dot1p     Priority tagged on PVID
  none      Don't tell telephone about voice vlan
  untagged  Untagged on PVID

The <1 – 4094> option creates a voice VLAN and a dot1q trunk between the switch and IP phone. As with data VLANs, if the VVID has not been previously created, the switch will create it for you.

SW1(config-if)#switchport voice vlan 10
% Voice VLAN does not exist. Creating vlan 10

Verify with show interface switchport. The output of this command is huge, so I’ll show only the VLAN information here.

SW1#show int fast 0/1 switchport
Access Mode VLAN: 100 (VLAN0100)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: 10 (VLAN0010)

Using dot1p results in the IP phone granting voice traffic high priority, and voice traffic will be sent through VLAN 0.

SW1(config-if)#switchport voice vlan dot1p
SW1#show int fast 0/1 switchport
Access Mode VLAN: 100 (VLAN0100)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: dot1p

Using untagged results in voice packets being placed into the native VLAN.

SW1(config-if)#switchport voice vlan untagged
SW1#show int fast 0/1 switchport
Access Mode VLAN: 100 (VLAN0100)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: untagged

Finally, none sets the port back to its default, where a trunk is not used and the voice and non-voice traffic use the access VLAN.

SW1(config-if)#switchport voice vlan none
SW1#show int fast 0/1 switchport
Access Mode VLAN: 100 (VLAN0100)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none

A quick Portfast note to end our VVID discussion: Portfast is automatically enabled on a port when a voice VLAN is created, verified by show config and show spanning interface portfast. Here’s that info for 0/2, which is using VLAN 100 for data and VLAN 11 for voice.

interface FastEthernet0/2
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 11
 spanning-tree portfast

SW1#show spanning int fast 0/2 portfast
VLAN0011 enabled
VLAN0100 enabled

I didn’t manually enable portfast, but there it is!

You’re unlikely to find all ports in a given VLAN to be on the same switch. With that in mind, let’s head to the next section!

Chapter 3: TRUNKING

It’s nice and neat to have all hosts in a VLAN connected to a single switch. It’s also unlikely. In the next example, we have hosts in VLANs 1 and 12 connected to separate switches. The switches are connected via two crossover cables. Trunks do not require you to use the identically numbered port on each switch (port 0/11 on each switch, for example), but in labs it’s a great organizational tool.

For frames to flow flawlessly and freely between two switches, a trunk must be established. Sometimes all it takes to create a trunk is physically connecting the switches. On occasion, it takes a little fine-tuning to get the job done. It’s a safe bet that your CCNP SWITCH exam will test you on both scenarios!

A trunk is a member of all VLANs by default, allowing traffic for any and all VLANs to cross the trunk (good idea). That includes broadcast traffic (not-so-good idea).

Theoretically, you need a crossover cable for a switch-to-switch connection, and that’s what I’m using here. Some Cisco switch models allow you to use a straight-through cable for trunking. In any case, verify with show interface trunk.

SW2#show int trunk

Port      Mode         Encapsulation  Status        Native vlan
Fa0/11    auto         n-802.1q       trunking      12
Fa0/12    auto         n-802.1q       trunking      12

Port      Vlans allowed on trunk
Fa0/11    1-4094
Fa0/12    1-4094

Port      Vlans allowed and active in management domain
Fa0/11    1,12
Fa0/12    1,12

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/11    none
Fa0/12    1,12

From left to right, that command shows us…

The ports attempting to trunk (if none are shown, none are trunking)
The trunking mode each port is using
The encapsulation type
The status of the trunk (either “trunking” or “not trunking”)
The “native vlan”
Know where you will not find your trunk ports? Our pal show vlan brief will not show ports that are trunking, since trunk ports are members of all VLANs. If you’re looking for a specific port’s VLAN membership and you don’t see it here, check to see if the port is trunking.

SW2#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Our trunk is up and running, so let’s make sure we can ping between hosts in the same VLAN. We’ll start by pinging H2 from H1 and then H4 from H3.

HOST1#ping 10.1.1.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms

HOST3#ping 10.1.1.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms

Aaaaaand it’s good! Trunking is a beautiful thing, but as with everything good in networking, there’s a little overhead involved. The overhead here involves frame tagging, where the frame has a VLAN ID attached by the sending switch. In turn, that VLAN ID is read by the receiving switch, and that switch knows that the VLAN ID indicates the destination VLAN.

The amount of overhead involved depends on whether ISL or IEEE 802.1q (“dot1q”) is used as the trunking protocol. While most Cisco switches no longer support ISL, we need to be very clear on the features and drawbacks of each for our CCNP SWITCH exam.

Both of these trunking protocols are point-to-point protocols, with a switch at each endpoint. The similarities end pretty quickly. So much for the similarities! Now, for the differences…

ISL is Cisco-proprietary, so only Cisco switches understand ISL. You can’t use ISL in a multi-vendor switching environment.

ISL will encapsulate every frame going across the trunk, placing both a header and trailer onto the frame (“double tagging”). That doesn’t sound like a big deal, but the cumulative effect of adding that overhead to every frame adds up to a lot of extra effort on the part of both the sender and the receiver, which has to remove the encapsulation.

Everything we do on a Cisco switch has a cost in terms of time and effort, and that includes encapsulation and de-encapsulation. Double tagging means double the workload on the switches!

There’s even more to dislike regarding ISL. ISL adds a total overhead of 30 bytes. 26 bytes of that is in the header, which includes the VLAN ID. The 4-byte trailer contains a Cyclic Redundancy Check (CRC) value. The CRC is a frame validity scheme that checks the frame’s integrity.

Using IEEE 802.1Q (“dot1q”) results in much less overhead on our frames. Dot1q places only a 4-byte header on each frame, which in turn saves a great deal of overall overhead. Dot1q is the industry-standard trunking protocol, making it suitable for use in a multi-vendor switching environment.

A few more dot1q tidbits for you:

Both ISL and dot1q bring a 4-byte addition to a frame, but they’re in different locations: ISL’s 4-byte trailer is just that – a trailer. Dot1q’s 4-byte addition is in the form of a tag inserted into the frame. Dot1q embeds the tagging information into the frame itself. For this reason, you’ll sometimes hear dot1q referred to as “internal tagging”.

Dot1q adds only one tag, so it’s often referred to as “single tagging”.

ISL doesn’t understand the concept of the native VLAN (the default VLAN). We’ll see why that’s so important in just a moment. Now, about that native VLAN…

Verifying And Changing The Native VLAN

When dot1q is our trunking protocol, frames destined for the native VLAN are not tagged. An access port belongs to one and only one VLAN, so there’s no need for any VLAN ID info. No need to tag frames traversing access ports. That saves a little bit of overhead per frame, and if the frame is destined for the native VLAN, as it likely is, even that header isn’t put on the frame! Those little overhead savings add up!

When the receiving switch sees a frame with no VLAN ID, that switch assumes the native VLAN is the destination VLAN. This is an excellent reason to make sure your switches agree on the native VLAN. If there is a particular VLAN responsible for a majority of traffic, we might want to change the native VLAN. (VLANs 1002 – 1005 not shown in the following lab.)

SW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/22, Fa0/23, Fa0/24, Gi0/1
                                                Gi0/2
12   ACCOUNTING                       active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10

SW2#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active

12   ACCOUNTING                       active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21

Assume an analysis of traffic going over the trunk has revealed that most frames are destined for VLAN 12. It would make sense to make that our native VLAN. We’ll use switchport trunk native vlan on both switches to make that happen. I’ll use IOS Help to illustrate the options (or lack of) with this command, followed by the error message you can expect to see after you change the native VLAN on one switch and before you change it on the other switch. I’ll use the always-handy interface range config option to change the native VLAN on both trunking ports on SW1 at one time.

SW1(config)#int range fast 0/11 - 12
SW1(config-if-range)#switchport trunk ?
  allowed  Set allowed VLAN characteristics when interface is in trunking mode
  native   Set trunking native characteristics when interface is in trunking mode
  pruning  Set pruning VLAN characteristics when interface is in trunking mode
SW1(config-if-range)#switchport trunk native ?
  vlan  Set native VLAN when interface is in trunking mode
SW1(config-if-range)#switchport trunk native VLAN ?
  <1-1005>  VLAN ID of the native VLAN when this port is in trunking mode
SW1(config-if-range)#switchport trunk native VLAN 12 ?
  <cr>
SW1(config-if-range)#switchport trunk native VLAN 12
08:14:55: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on FastEthernet0/11 VLAN12.
08:14:55: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on FastEthernet0/12 VLAN12.
08:14:55: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet0/11 on VLAN0012. Inconsistent local vlan.
08:14:55: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet0/12 on VLAN0012. Inconsistent local vlan.
08:14:55: %SPANTREE-2-BLOCK_PVID_PEER: Blocking FastEthernet0/11 on VLAN0001. Inconsistent peer vlan.
08:14:55: %SPANTREE-2-BLOCK_PVID_PEER: Blocking FastEthernet0/12 on VLAN0001. Inconsistent peer vlan.

It can panic even the calmest network admin when six error messages come up at once, along with all the talk of blocking ports! No worries, just finish your config and all will be well. I’ll finish the config here and then hop back to SW1.

SW2(config)#int range fast 0/11 - 12
SW2(config-if-range)#switchport trunk native vlan 12

After completing that config, I received this stack of messages on SW1:

SW1#
08:15:26: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet0/11 on VLAN0001. Port consistency restored.
08:15:26: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet0/12 on VLAN0001. Port consistency restored.
08:15:26: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet0/11 on VLAN0012. Port consistency restored.
08:15:26: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet0/12 on VLAN0012. Port consistency restored.

All looks well, but verify with show interface trunk. We’ll again concentrate on the top of the output of show interface trunk, shown here on both switches.

SW1#show int trunk

Port      Mode         Encapsulation  Status        Native vlan
Fa0/11    desirable    802.1q         trunking      12
Fa0/12    desirable    802.1q         trunking      12

SW2#show int trunk

Port      Mode         Encapsulation  Status        Native vlan
Fa0/11    auto         n-802.1q       trunking      12
Fa0/12    auto         n-802.1q       trunking      12

Did you notice the n- in front of the encapsulation type on SW2? That means the encapsulation type was negotiated rather than manually configured. Oddly enough, SW1 doesn’t show the encap type as negotiated. Here’s why…

If your switch is capable of running both ISL and dot1q, you can configure the encap type with switchport trunk encapsulation. If the encap type is configured and you want the port to negotiate instead, use this command with the negotiate option. I’m not going to change the setting here – I just want to show you the options on this particular switch, which can run either ISL or dot1q.

SW2(config)#int fast 0/11
SW2(config-if)#switchport trunk encapsulation ?
  dot1q  Interface uses only 802.1q trunking encapsulation when trunking

Should Trunking Negotiate?

For this section, I’ve erased the previous switch configs and reloaded both switches, so they’re now both running at their defaults. Note the default trunk modes are different. “Desirable” used to be the default for all Cisco switches, but that’s no longer the case.

SW1#show int trunk

Port      Mode         Encapsulation  Status        Native vlan
Fa0/11    desirable    802.1q         trunking      1
Fa0/12    desirable    802.1q         trunking      1

SW2#show int trunk

Port      Mode         Encapsulation  Status        Native vlan
Fa0/11    auto         n-802.1q       trunking      1
Fa0/12    auto         n-802.1q       trunking      1

Here’s a review of the trunking modes:

Trunk mode is unconditional trunking.

Dynamic desirable (shown as “desirable”) means that the port is actively attempting to form a trunk with the port at the remote end of the point-to-point connection. If the remote port is running trunk, desirable, or auto mode, a trunk will form.

Dynamic auto (shown as “auto”) is the wallflower of trunking modes. A port in auto mode will not initiate a trunk, but if the remote port initiates trunking, the auto port will accept that. In other words, the remote port has to ask a port in auto mode to trunk.

C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 . the IOS will Leaving DTP running on ports that aren’t actually trunking is a BIG security risk. not with disabling DTP.12 mode SW1(config-if-range)#switchport nonegotiate pruning Set pruning VLAN characteristics when interface is in trunking Command rejected: Conflict between ‘nonegotiate’ and ‘dynamic’ status. starting with SW1. When a port is configured as an unconditional trunk port. The encapsulation option won’t DTP on such ports makes it easier for an intruder to introduce a rogue switch to our net- even be available! work. I highly recommend that you use the pipe option to skip to the interface you want. We’ll disable DTP at the interface level with switchport nonegotiate. 51 . why have the DTP overhead? 50 You’ll get slightly different messages from the IOS in this situation depending on the switch model and IOS version. Command rejected: Conflict between ‘nonegotiate’ and ‘dynamic’ status. if there’s a device on the other end of the p-t-p connection that literally can’t trunk (a firewall. and we’re most interested in the “Negotiation Of Trunking” setting. We’ll do just that in our next lab.) It’s generally recommended that all ports have DTP disabled. it attempts to negotiate a trunk with the remote port. ing mode be set to unconditional trunking. If the ports are not in unconditional trunking mode. they must be configured as such before using switchport nonegotiate. Verify DTP settings with show interface switchport. DTP comes with a cost. as shown on this Cisco 2950. When this Cisco-proprietary point-to-point protocol is in action. Leaving not recognize this command. including 2950 switches. which is now off. We had no issue moving the interfaces from desirable to trunk mode. (A rogue switch looks like a legit part of the network. there’s no need for that same port to send DTP frames. As with everything in networking. Also. for example). 
mode SW1(config-if-range)#switchport mode trunk SW1(config-if-range)#switchport nonegotiate To DTP Or Not To DTP The Dynamic Trunking Protocol (DTP) handles the actual trunk negotiation workload. but it’s under the intruder’s control. and trunk- SW1(config-if)#switchport trunk encapsulation ^ % Invalid input detected at ‘^’ marker. In that case. nor ours. as the switch is kind SW1(config-if)#switchport trunk ? allowed Set allowed VLAN characteristics when interface is in trunking enough to tell us! mode native Set trunking native characteristics when interface is in trunking SW1(config)#interface range fast 0/11 .115 S T U DY G U I D E isl C H R I S B R YA N T Interface uses only ISL trunking encapsulation when trunking negotiate Device will negotiate trunking encapsulation with peer on interface That’s all fine. because this is one verbose command when left on its own! There’s some handy info in this output. A port running DTP will send DTP frames out every 30 seconds. We had the same command rejected twice since that’s how many ports we had in our interface range. but what does that have to do with the “n-“ not being on SW1? Some Cisco switches only support dot1q.

Now let’s verify the trunks on SW1. Verify the trunk mode with show interface trunk, and then verify DTP has been disabled with show interface switchport.

SW1#show int trunk
Port      Mode    Encapsulation  Status    Native vlan
Fa0/11    on      802.1q         trunking  1
Fa0/12    on      802.1q         trunking  1

The mode has changed to “on”, which indicates that the port is unconditionally trunking.

Verify DTP settings with show interface switchport. I highly recommend that you use the pipe option to skip to the interface you want, because this is one verbose command when left on its own! There’s some handy info in this output, and we’re most interested in the “Negotiation of Trunking” setting, which is now off.

SW1#show interface switchport | begin Fa0/11
Name: Fa0/11
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

SW1#show interface switchport | begin Fa0/12
Name: Fa0/12
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

Let’s head to SW2 and repeat the process. There’s a good reason you can’t go straight from auto to trunk mode on this switch:

SW2(config)#int range fast 0/11 - 12
SW2(config-if-range)#switchport mode trunk
Command rejected: An interface whose trunk encapsulation is “Auto” cannot be configured to “trunk” mode.
% Range command terminated because it failed on FastEthernet0/11
SW2(config-if-range)#

This particular switch IOS rejected the command once and then terminated the range command. No big deal, but I just want to point out why we only received one rejection when two ports are in the range.

As we saw earlier, SW2 is capable of both ISL and dot1q encapsulation. We need to define which encapsulation protocol the port is going to use, and then we can go from auto to trunk.

SW2(config-if-range)#switchport trunk encapsulation ?
  dot1q      Interface uses only 802.1q trunking encapsulation when trunking
  isl        Interface uses only ISL trunking encapsulation when trunking
  negotiate  Device will negotiate trunking encapsulation with peer on interface
SW2(config-if-range)#switchport trunk encapsulation dot1q
SW2(config-if-range)#switchport mode trunk
SW2(config-if-range)#switchport nonegotiate

SW2#show int trunk
Port      Mode    Encapsulation  Status    Native vlan
Fa0/11    on      802.1q         trunking  1
Fa0/12    on      802.1q         trunking  1

The mode for 0/11 is now “on”, indicating that the port is in unconditional trunking mode. Port 0/11 no longer has the “n-” in front of the encap type, since negotiation is no longer involved. While we’re here, show interface switchport confirms negotiation is off on both ports:

SW2#show interface switchport | begin Fa0/11
Name: Fa0/11
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 12 (VLAN0012)

Name: Fa0/12
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

There’s an oddity in the switchport mode options. Show interface trunk reports a mode of “on” for an unconditional trunk, and you’ll see an “off” mode in that output as well, but neither “on” nor “off” is a choice in the command itself. Setting a port to access mode is what turns trunking off.

SW2(config-if)#switchport mode ?
  access        Set trunking mode to ACCESS unconditionally
  dot1q-tunnel  set trunking mode to TUNNEL unconditionally
  dynamic       Set trunking mode to dynamically negotiate access or trunk mode
  private-vlan  Set private-vlan mode
  trunk         Set trunking mode to TRUNK unconditionally

When I change 0/11’s mode to access, the trunk is immediately lost.

SW2(config)#int fast 0/11
SW2(config-if)#switchport mode access

SW2#show int trunk
Port      Mode    Encapsulation  Status    Native vlan
Fa0/12    on      802.1q         trunking  1

To see trunk settings for a particular port, even one that isn’t showing up in show interface trunk, run show interface (interface type and number) trunk. That’s where you’ll see the trunk mode actually set to off.

SW2#show interface fast 0/11 trunk
Port      Mode    Encapsulation  Status        Native vlan
Fa0/11    off     802.1q         not-trunking  12

Filtering The VLANs Allowed To Use The Trunk

For our next lab, I’ve erased the config on both switches and set them back to their default settings. After a reload, here’s the full output of show interface trunk on SW2.

SW2#show int trunk
Port      Mode    Encapsulation  Status    Native vlan
Fa0/11    auto    n-802.1q       trunking  1
Fa0/12    auto    n-802.1q       trunking  1

Port      Vlans allowed on trunk
Fa0/11    1-4094
Fa0/12    1-4094

Port      Vlans allowed and active in management domain
Fa0/11    1,12
Fa0/12    1,12

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/11    none
Fa0/12    1,12
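The “Negotiation of Trunking” check above is worth automating when you have more than two ports to look at. The following is an added example, not code from the book or from Cisco IOS: it parses the per-interface blocks of show interfaces switchport output (the sample below is constructed, not captured from SW1 or SW2) and reports every port that still speaks DTP, together with the remediation. It follows the rule the lab just demonstrated: a dynamic port has to be moved to a fixed mode before switchport nonegotiate is accepted, while an unconditional trunk only needs nonegotiate added.

```python
"""Audit 'show interfaces switchport' output for ports that still run DTP.

Added example for this chapter; the SAMPLE text is constructed and the
field names are the ones IOS prints in 'show interfaces switchport'.
"""
import re

# Constructed sample: two access-side ports and the two uplinks from the lab.
SAMPLE = """\
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 10 (Users)

Name: Fa0/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 10 (Users)

Name: Fa0/11
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)

Name: Fa0/12
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
"""


def parse_switchports(text):
    """Split the output into one dict per interface, keyed by field name."""
    ports = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Name" in fields:
            ports.append(fields)
    return ports


def audit_dtp(text):
    """Return {port: (finding, remediation)} for every port still negotiating.

    A dynamic port will form a trunk with any attached DTP speaker, so it is
    pinned to access mode first; IOS rejects 'switchport nonegotiate' on a
    dynamic port, which is why the mode change comes before it.  A port that
    is already an unconditional trunk only needs negotiation switched off.
    """
    findings = {}
    for port in parse_switchports(text):
        name = port["Name"]
        admin_mode = port.get("Administrative Mode", "")
        if port.get("Negotiation of Trunking", "").lower() != "on":
            continue
        if admin_mode.startswith("dynamic"):
            findings[name] = (
                "dynamic port will trunk with any DTP speaker",
                f"interface {name}\n switchport mode access\n switchport nonegotiate",
            )
        elif admin_mode == "trunk":
            findings[name] = (
                "unconditional trunk still sends DTP frames every 30 seconds",
                f"interface {name}\n switchport nonegotiate",
            )
        else:
            # Static access ports normally report Off; anything else that is
            # still On deserves a look rather than being silently skipped.
            findings[name] = (
                "unexpected DTP state for mode " + admin_mode,
                f"interface {name}\n switchport nonegotiate",
            )
    return findings


if __name__ == "__main__":
    for name, (finding, fix) in audit_dtp(SAMPLE).items():
        print(f"{name}: {finding}\n{fix}\n")
```

Feed it the output of show interfaces switchport from a real switch (saved to a file) instead of SAMPLE and it becomes a quick pre-change report: ports that come back empty are already where this chapter wants them.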

The broadcast rears its ugly head yet again! There are no hosts on SW2 in VLAN 100 or 200, but since trunk ports belong to all VLANs, broadcast traffic for all VLANs will be sent from SW1 to SW2 (and vice versa). When I first saw “VLANs allowed on trunk”, I immediately wondered why you would want to disable some VLANs on a trunk. Here’s one great reason: we can eliminate unnecessary broadcasts by not allowing traffic for VLANs 100 and 200 to go from SW1 to SW2. There’s a security reason as well. A trunk that carries only the VLANs it actually needs limits what can be reached from the far end of that trunk if a switch or a link is ever compromised.

We filter the list of VLANs allowed to send traffic across the trunk with switchport trunk allowed. The command and the options in all their splendor:

SW1(config-if)#switchport trunk allowed vlan ?
  WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
  add     add VLANs to the current list
  all     all VLANs
  except  all VLANs except the following
  none    no VLANs
  remove  remove VLANs from the current list

The except option is excellent when you need to exclude just one or a few VLANs. I’ll use it here to exclude VLANs 100 and 200 on both 0/11 and 0/12.

SW1(config)#int range fast 0/11 - 12
SW1(config-if-range)#switchport trunk allowed vlan except 100,200

Verify with show interface trunk. As expected, VLANs 100 and 200 are no longer allowed on the trunk.

SW1#show int trunk
Port      Mode    Encapsulation  Status    Native vlan
Fa0/11    auto    n-802.1q       trunking  1
Fa0/12    auto    n-802.1q       trunking  1

Port      Vlans allowed on trunk
Fa0/11    1-99,101-199,201-4094
Fa0/12    1-99,101-199,201-4094

I’ll use the add option to add VLAN 100 back to the allowed list.

SW1(config)#int range fast 0/11 - 12
SW1(config-if-range)#switchport trunk allowed vlan add 100

SW1#show int trunk
Port      Mode    Encapsulation  Status    Native vlan
Fa0/11    auto    n-802.1q       trunking  1
Fa0/12    auto    n-802.1q       trunking  1

Port      Vlans allowed on trunk
Fa0/11    1-199,201-4094
Fa0/12    1-199,201-4094

We just got word from our bosses that VLAN 100 should be on the disallowed list, so let’s put it there with the remove option.

SW1(config)#int range fast 0/11 - 12
SW1(config-if-range)#switchport trunk allowed vlan remove 100

SW1#show int trunk
Port      Mode    Encapsulation  Status    Native vlan
Fa0/11    auto    n-802.1q       trunking  1
Fa0/12    auto    n-802.1q       trunking  1

Port      Vlans allowed on trunk
Fa0/11    1-99,101-199,201-4094
Fa0/12    1-99,101-199,201-4094

We can quickly reinstate all VLANs on the trunk with the all option, and we’re right back to where we began!

SW1(config)#int range fast 0/11 - 12
SW1(config-if-range)#switchport trunk allowed vlan all

SW1#show int trunk
Port      Mode    Encapsulation  Status    Native vlan
Fa0/11    auto    n-802.1q       trunking  1
Fa0/12    auto    n-802.1q       trunking  1

Port      Vlans allowed on trunk
Fa0/11    1-4094
Fa0/12    1-4094

If I wanted to remove all VLANs from the allowed list, I’d use the none option.

SW1(config)#int range fast 0/11 - 12
SW1(config-if-range)#switchport trunk allowed vlan none

SW1#show int trunk
Port      Mode    Encapsulation  Status    Native vlan
Fa0/11    auto    n-802.1q       trunking  1
Fa0/12    auto    n-802.1q       trunking  1

Port      Vlans allowed on trunk
Fa0/11    none
Fa0/12    none

There’s no “right” or “wrong” way to get the job done. You’ll usually have more than one combination of these commands that will filter the VLANs on the allowed list the way you want them filtered, as long as you filter only the VLANs you want filtered, changing nothing else. One combination to be careful with: the bare WORD form (switchport trunk allowed vlan 100, with no add) replaces the whole list rather than adding to it, which knocks every other VLAN off the trunk in one keystroke.

What happens to traffic destined for a given VLAN when that same VLAN has already been removed from the allowed list? Let’s find out! I’ve placed H1 and H4 into VLAN 14, and pings go through just fine.
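The add / remove / except / all / none options are simple set arithmetic on the VLAN ID range 1 to 4094, and show interface trunk prints the result as collapsed ranges. Here is an added example (my own code, not from the book or from IOS) that models that arithmetic and the range formatting, then replays the exact sequence of commands from the lab above so you can compare its output with the show interface trunk lines. It also models the bare WORD form, which replaces the list rather than adding to it.

```python
"""Model of 'switchport trunk allowed vlan' list arithmetic.

Added example; the behaviour follows the IOS option descriptions shown in
the chapter (add, remove, except, all, none, and the bare VLAN-list form).
"""
MAX_VLAN = 4094


def parse_vlans(spec):
    """'1-99,101-199,201-4094' -> set of VLAN IDs.  'none' -> empty set."""
    if spec.strip().lower() == "none":
        return set()
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not 1 <= lo <= hi <= MAX_VLAN:
            raise ValueError(f"bad VLAN range: {part}")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlans(vlans):
    """Collapse a set of VLAN IDs the way 'show interface trunk' prints them."""
    if not vlans:
        return "none"
    ids = sorted(vlans)
    ranges = []
    start = prev = ids[0]
    for vid in ids[1:]:
        if vid == prev + 1:
            prev = vid
            continue
        ranges.append((start, prev))
        start = prev = vid
    ranges.append((start, prev))
    return ",".join(f"{a}-{b}" if a != b else str(a) for a, b in ranges)


def allowed_vlan(current, option, spec=None):
    """Apply one form of the command to the current allowed set."""
    everything = set(range(1, MAX_VLAN + 1))
    if option == "all":
        return everything
    if option == "none":
        return set()
    if option == "except":
        return everything - parse_vlans(spec)
    if option == "add":
        return current | parse_vlans(spec)
    if option == "remove":
        return current - parse_vlans(spec)
    if option == "set":
        # The bare WORD form: the list you type becomes the whole list.
        return parse_vlans(spec)
    raise ValueError(f"unknown option: {option}")


def replay(commands, start="1-4094"):
    """Run a command sequence and return the list after each step, formatted."""
    state = parse_vlans(start)
    history = []
    for option, spec in commands:
        state = allowed_vlan(state, option, spec)
        history.append(format_vlans(state))
    return history


if __name__ == "__main__":
    lab = [("except", "100,200"), ("add", "100"), ("remove", "100"),
           ("all", None), ("none", None)]
    for (option, spec), shown in zip(lab, replay(lab)):
        print(f"switchport trunk allowed vlan {option} {spec or ''}".rstrip(), "->", shown)
    # The trap: 'allowed vlan 100' with no 'add' leaves only VLAN 100 on the trunk.
    print("bare form ->", replay([("set", "100")])[0])
```

Running it prints the same five “Vlans allowed on trunk” values the lab produced, in order, followed by the bare-form result of just “100”.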

HOST1#ping 10.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms

HOST4#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

Let’s see what happens when VLAN 14 is removed from the allowed list on both of SW1’s trunk ports. Before sending the pings, I’ll run debug ip packet on both hosts.

SW1(config)#int range fast 0/11 - 12
SW1(config-if-range)#switchport trunk allowed vlan except 14

SW1#show int trunk
Port      Mode         Encapsulation  Status    Native vlan
Fa0/11    desirable    802.1q         trunking  1
Fa0/12    desirable    802.1q         trunking  1

Port      Vlans allowed on trunk
Fa0/11    1-13,15-4094
Fa0/12    1-13,15-4094

HOST1#ping 10.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.4, timeout is 2 seconds:
1d01h: IP: s=10.1.1.1 (local), d=10.1.1.4 (Ethernet0), len 100, sending.
1d01h: IP: s=10.1.1.1 (local), d=10.1.1.4 (Ethernet0), len 100, sending.
1d01h: IP: s=10.1.1.1 (local), d=10.1.1.4 (Ethernet0), len 100, sending.
1d01h: IP: s=10.1.1.1 (local), d=10.1.1.4 (Ethernet0), len 100, sending.
1d01h: IP: s=10.1.1.1 (local), d=10.1.1.4 (Ethernet0), len 100, sending.
Success rate is 0 percent (0/5)
HOST1#undebug all
All possible debugging has been turned off

HOST4#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
1d01h: IP: s=10.1.1.4 (local), d=10.1.1.1 (Ethernet0), len 100, sending.
1d01h: IP: s=10.1.1.4 (local), d=10.1.1.1 (Ethernet0), len 100, sending.
1d01h: IP: s=10.1.1.4 (local), d=10.1.1.1 (Ethernet0), len 100, sending.
1d01h: IP: s=10.1.1.4 (local), d=10.1.1.1 (Ethernet0), len 100, sending.
1d01h: IP: s=10.1.1.4 (local), d=10.1.1.1 (Ethernet0), len 100, sending.
Success rate is 0 percent (0/5)
HOST4#undebug all
All possible debugging has been turned off

The pings are leaving the hosts, but they’re failing. We know why, since we caused the problem as part of the lab. This is an excellent reminder that when pings fail, it may not be the fault of the sender or intended recipient. It may very well be a device in the middle. A switch, perhaps! Adding VLAN 14 back to the allowed list resolves the issue.

SW1(config)#int range fast 0/11 - 12
SW1(config-if-range)#switchport trunk allowed vlan add 14

SW1#show int trunk
Port      Mode         Encapsulation  Status    Native vlan
Fa0/11    desirable    802.1q         trunking  1
Fa0/12    desirable    802.1q         trunking  1

Port      Vlans allowed on trunk
Fa0/11    1-4094
Fa0/12    1-4094

HOST1#ping 10.1.1.4
!!!!!

HOST4#ping 10.1.1.1
!!!!!

With VLANs and trunking down, we need to spread the word throughout the network about the VLANs we create. That’s what the VLAN Trunking Protocol is all about, and that’s the subject of the next chapter!

Chapter 4: The VLAN Trunking Protocol (VTP)

VTP allows each switch to have a synchronized view of the network’s active VLANs without necessarily having ports in every VLAN. VTP advertisements travel only over trunk links, so for now we’ll deal exclusively with the switches and their trunks. We’ll start this section with our two-switch network and won’t even worry about the connected hosts.

Both switches are at their default settings, and any config from previous chapters or labs has been removed. I’ll create VLAN 100 on SW1, and then run show vlan brief for both switches. (I’ve removed VLANs 1002 – 1005 from the output of show vlan brief and will do so throughout this section.)

SW1#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9, Fa0/10, Fa0/13, Fa0/14, Fa0/15, Fa0/16, Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22, Fa0/23, Fa0/24, Gi0/1, Gi0/2
100  VLAN0100                         active

SW2#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9, Fa0/10, Fa0/13, Fa0/14, Fa0/15, Fa0/16, Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22, Fa0/23, Fa0/24, Gi0/1, Gi0/2

Right now, SW2’s ignorance of VLAN 100 isn’t hurting anything, but as our little network grows just a bit larger, it does become a problem. Picture a third switch connected behind SW2, with one VLAN 100 host on SW1 and another on that third switch. The only way for the two hosts in VLAN 100 to communicate is through SW2, and since SW2 doesn’t know VLAN 100 exists, SW2 doesn’t know how to handle incoming frames marked with VLAN ID 100, so they’re dropped. SW2 can only learn about VLAN 100 by manually creating that same VLAN on SW2 or by placing a port on SW2 into VLAN 100.

You and I, the network admins, could certainly create VLAN 100 manually on SW2. That would work well in a 3-switch network, but what about a 300-switch network? Statically creating VLANs simply isn’t a scalable solution. The more manual configuration you have, the more time it takes and the larger the chances of misconfiguration.

When we place all three of these switches into the same VTP management domain (generally referred to as a “VTP domain”), they’ll exchange information about the VLANs they know about, and all three switches will have a like view of the VLANs on the network. Our hosts in VLAN 100 can then communicate with no manual VLAN creation necessary on SW2. Better yet, as VLANs are created and deleted, these switches will be happy to let their neighbors in the same VTP domain know about these changes via VTP advertisements.

The key phrase: “in the same VTP domain”. Switches in one VTP domain will not exchange VLAN info with switches in another VTP domain. Let’s step back to the two-switch network and put both switches into the VTP domain CCNP. Before doing so, let’s run show vtp status on both.

SW1#show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 64
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled

SW2#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0017.9466.f780
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
--------------
VTP Operating Mode              : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
Configuration Revision          : 0

The VTP Domain Name field is blank, which simply means that the switches haven’t joined a VTP domain…yet!

SW1(config)#vtp domain CCNP
Changing VTP domain name from NULL to CCNP

SW1#show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 64
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 : CCNP
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled

After placing SW1 into that VTP domain, that event triggers a VTP advertisement to SW2. That VTP ad contains info about the VTP domain, and SW2 will then join that domain as a VTP Server.

SW2#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 : CCNP
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0017.9466.f780
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
--------------
VTP Operating Mode              : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
Configuration Revision          : 0

Note what just happened from a security standpoint: a switch with no domain name configured adopts the first domain name it hears over a trunk, without anyone typing anything on it. That’s convenient in the lab, and it’s one reason to set the domain name (and, as we’ll see later, a password) on a switch before you cable it into a production network.

Should you put SW1 into the domain CCNP and SW2 into the domain ccnp …

SW2(config)#vtp domain ccnp
Changing VTP domain name from CCNP to ccnp
*Mar 1 00:29:00.896: %SW_VLAN-6-VTP_DOMAIN_NAME_CHG: VTP domain name changed to ccnp.
*Mar 1 00:29:02.020: %DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Fa0/12 because of VTP domain mismatch.
*Mar 1 00:29:02.078: %DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Fa0/11 because of VTP domain mismatch.

… you end up with a mess. Not only will the two switches stop exchanging VLAN info, DTP refuses to negotiate a trunk between switches whose VTP domain names differ, so the dynamically negotiated trunks themselves go away. Moral of the story: VTP domain names are case-sensitive!

After switching (no pun intended – happy accident!) SW2 back to the VTP domain CCNP, we get the lay of the land via show vtp status. The output will be slightly different on each switch, but the most important VTP values are in each. We’ll follow this output by discussing the VTP Operating Mode info for each switch.

SW1#show vtp status
VTP Version                     : 2
Configuration Revision          : 2
Maximum VLANs supported locally : 64
Number of existing VLANs        : 7
VTP Operating Mode              : Server
VTP Domain Name                 : CCNP
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x87 0xA7 0x10 0x69 0x58 0xA8 0x12 0x72 0x5D 0x74 0x8A 0xED 0x1F 0xE1 0x67 0xE2
Configuration last modified by 0.0.0.0 at 3-1-93 00:30:42
Local updater ID is 0.0.0.0 (no valid interface found)

SW2#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 : CCNP
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0017.9466.f780
Configuration last modified by 0.0.0.0 at 3-1-93 00:30:42
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
--------------
VTP Operating Mode              : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 7
Configuration Revision          : 2

The VTP Modes

The default VTP operating mode is server. In VTP server mode, a switch can create, delete, and modify VLANs. By “modify”, we mean “change the name of the VLAN”. We do NOT mean “add ports to a VLAN”, which can be done in server, client, and transparent modes.

There are times that IOS Help gives us wonderful descriptions for our options. This is not one of those times.

SW2(config)#vtp mode ?
  client       Set the device to client mode.
  off          Set the device to off mode.
  server       Set the device to server mode.
  transparent  Set the device to transparent mode.

IOS Help pretty much tells us what we already know, and I have a feeling we need to know a little more about each mode!

We must have at least one switch in any given VTP domain running in server mode, or we couldn’t create new VLANs or delete previously existing ones. Without a server, we’re going to have a bunch of clients just looking at each other (and transparent switches just ignoring each other). We must have at least one VTP server in our domain. ‘Nuff said!

Switches running in VTP client mode cannot create, modify, or delete VLANs. Clients listen for VTP advertisements and update their databases appropriately when those ads arrive. Let’s see what happens after I make SW2 a VTP client and then try to create a VLAN on that same switch – or more accurately, what doesn’t happen.

SW2(config)#vtp mode client
Setting device to VTP Client mode for VLANS.
SW2(config)#vlan 100
VTP VLAN configuration not allowed when device is in CLIENT mode.

Switches in VTP transparent mode aren’t fully participating in the VTP domain. VTP transparent switches do not synch their VTP databases with other VTP speakers in the same domain. They don’t even advertise their own VLAN information! VLANs created on a transparent VTP switch will not be advertised to other VTP speakers in the same domain, making them locally significant only.

Another major difference between the modes is how they handle VTP advertisements. As you’d expect, servers originate VTP advertisements, and accept advertisements from other VTP servers and clients in the same domain. VTP Clients do not originate VTP ads, but will pass them across their trunks. VTP Transparent switches take a slightly more complicated approach. (Hang in there with me on this one.) When a transparent switch receives VTP advertisements, it ignores the ads but may forward them out its other trunks, and whether it forwards depends on the VTP version. If the Transparent switch is running VTP v1, it will only forward incoming VTP ads whose domain name and VTP version match its own. If the Transparent switch is running VTP v2, it will forward VTP advertisements via its trunk ports even if the domain name of the downstream switches doesn’t match.

The fourth mode, “off”, disables VTP on the switch, and the switch will not forward VTP advertisements. (This mode was one of the improvements that came along with VTP v3, and isn’t available on previous versions.)

The VTP Advertisement Process & Config Revision Number

VTP advertisements are multicasts that are sent out only over trunk links. Makes sense, since the only devices that need the advertisements are other switches! VTP advertisements carry a configuration revision number (CRN) that enables VTP-enabled switches to ensure they have the latest VTP information, and that they’re not overwriting their current VLAN database to make room for old information!

One VTP ad type is the subset advertisement, sent anytime there’s a change in the VLAN landscape. That change doesn’t have to be a VLAN addition or deletion. It could be something as simple as renaming a VLAN. Any change will do for this lab; I’ll add a VLAN. On some switches, you’ll see the CRN near the top of the show vtp status output…

SW1#show vtp status
VTP Version                     : 2
Configuration Revision          : 2
Maximum VLANs supported locally : 64
Number of existing VLANs        : 7
VTP Operating Mode              : Server
VTP Domain Name                 : CCNP
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled

… and on others, you’ll see it near the bottom of that same command’s output.

SW2#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 : CCNP
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0017.9466.f780
Configuration last modified by 0.0.0.0 at 3-1-93 00:30:42

Feature VLAN:
--------------
VTP Operating Mode              : Client
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 7
Configuration Revision          : 2

Both switches have a CRN of 2. I’ll add a VLAN to SW1 and then recheck the CRN on each switch, also checking to be sure the VLAN is visible in SW2’s show vlan brief output.

SW1(config)#vlan 300

SW1#show vtp status
Configuration Revision          : 3

SW2#show vtp status
Configuration Revision          : 3

SW2#show vlan brief
VLAN Name                             Status
---- -------------------------------- ---------
1    default                          active
100  VLAN0100                         active
200  VLAN0200                         active
300  VLAN0300                         active

VLAN 300 is in SW2’s database, and the CRN incremented on both switches. What happened on each switch to make the CRN increment? Let’s take a behind-the-scenes look…

The creation of VLAN 300 on SW1 triggers a subset advertisement from SW1, and the CRN increments before that ad is sent across the trunk to SW2. SW2 receives the subset ad with a CRN of 3 and compares the incoming CRN to its own CRN (2). When an incoming subset ad’s CRN is larger than the one on the receiving switch, the contents of the ad are accepted and used to overwrite the receiving switch’s existing VTP database, and SW2 sets its own CRN to match.

We love the CRN! The switches make sure they’re accepting only the latest VLAN revision information, and you and I don’t have to do a thing. (That doesn’t make us lazy, that makes us smart.)

You have to be sure to set the CRN to zero in one particular scenario. We have a simple three-switch network with two Clients and one Server. The domain is CCNP, and the non-default VLANs in use are VLANs 10, 20, 30, 40, and 50. A switch that was at another physical location, SW4, is brought to this client site and installed in the CCNP domain. The problem: the CRN on that switch is 500, and this switch only knows about VLAN 1.

SW4 doesn’t even have to be in Server mode to ruin things. While a Client generally spends its time listening for and forwarding VTP ads, it does send a full Summary ad when it first comes online. The other switches will receive a VTP advertisement with a higher CRN than the one currently in their VTP database, so they synch their databases in accordance with this new advertisement. (The VTP Clients will forward the VTP ad to the server, SW2. SW2 has been busy sending its own advertisements with a CRN of 300, but 500 beats 300. That’s enough to cause a lot of trouble here.) Since that new advertisement only includes VLAN 1, connectivity for the other five VLANs is lost.

The official name of this issue is “VTP synch issue”, but you’ll call it something much more profane if it happens to your network. This is most likely to happen when a switch goes down and is replaced in a hurry with a switch from another client site, or even from a CCNP / CCIE practice lab! No matter the source of the switch, the CRN MUST be set to zero before it’s inserted into the new network, or you’ll have a real mess on your hands. Just bouncing the switch isn’t enough, since the CRN is stored with the VLAN database in vlan.dat and survives a reload.

Cisco theory says that there are two ways to ensure the CRN is set to zero:

Change the VTP domain name to a nonexistent domain, then change it back to the original name.

Change the VTP mode from server to transparent, then back to server.

Whichever you choose, just be sure to verify the zero with show vtp status before you proceed. The same logic applies to a switch you don’t control: anything that can get a trunk to one of your switches and send a VTP ad in your domain with a high enough CRN can wipe your VLAN database, which is why the password and the VTP v3 primary server we’ll cover shortly matter.
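The CRN comparison and the synch problem are easy to reason about once you see them as a few lines of logic. The following is an added example, written for this chapter and not taken from the book or from Cisco IOS: it models servers, clients and transparent switches receiving an advertisement, replays the SW4 scenario above with and without the domain-name reset, and shows that after the reset the stray switch is the one that gets updated by the server rather than the other way round. The advertisement format and the password check are simplifications I’ve assumed for the model; real VTP v1/v2 carries an MD5 digest computed over the password and VLAN database rather than the password itself, and a digest mismatch is what gets an ad rejected.

```python
"""Model of VTP revision-number handling and the 'synch problem'.

Added example for this chapter.  Simplifications: the advertisement is a
plain dict, and the password is compared directly instead of through the
MD5 digest that real VTP v1/v2 advertisements carry.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Switch:
    name: str
    domain: str
    mode: str = "server"                 # server | client | transparent | off
    revision: int = 0                    # the configuration revision number
    vlans: Set[int] = field(default_factory=lambda: {1})
    password: Optional[str] = None


def summary_ad(sw: Switch) -> dict:
    """What a switch announces when it comes up on a trunk (summary + subset)."""
    return {"domain": sw.domain, "revision": sw.revision,
            "vlans": set(sw.vlans), "password": sw.password}


def receive(sw: Switch, ad: dict) -> bool:
    """Apply one advertisement.  Returns True if the local database was overwritten."""
    if sw.mode in ("transparent", "off"):
        return False                     # transparent ignores ads; off does not listen
    if ad["domain"] != sw.domain:
        return False                     # case-sensitive, as the ccnp/CCNP lab showed
    if ad["password"] != sw.password:
        return False                     # stands in for the MD5 digest check
    if ad["revision"] <= sw.revision:
        return False                     # only a strictly higher CRN wins
    sw.vlans = set(ad["vlans"])
    sw.revision = ad["revision"]
    return True


def reset_revision(sw: Switch, scratch_domain: str = "TEMP-RESET") -> int:
    """The book's first method: change the domain to a nonexistent one, then back.

    IOS zeroes the CRN when the domain name changes; the model does the same.
    """
    original = sw.domain
    sw.domain = scratch_domain
    sw.revision = 0
    sw.domain = original
    return sw.revision


def demo(reset_first: bool) -> Dict[str, List[int]]:
    """Three-switch CCNP domain at CRN 300 meets a stray switch SW4 at CRN 500."""
    production = {1, 10, 20, 30, 40, 50}
    sw1 = Switch("SW1", "CCNP", "client", 300, set(production))
    sw2 = Switch("SW2", "CCNP", "server", 300, set(production))
    sw3 = Switch("SW3", "CCNP", "client", 300, set(production))
    sw4 = Switch("SW4", "CCNP", "client", 500, {1})      # knows VLAN 1 only
    if reset_first:
        reset_revision(sw4)
    ad = summary_ad(sw4)                 # SW4's summary ad when it comes online
    for sw in (sw1, sw3):                # its trunk neighbours hear it first...
        receive(sw, ad)
    receive(sw2, ad)                     # ...and the clients forward it to the server
    receive(sw4, summary_ad(sw2))        # the server's next ad reaches SW4 in turn
    return {sw.name: sorted(sw.vlans) for sw in (sw1, sw2, sw3, sw4)}


if __name__ == "__main__":
    print("no reset:", demo(reset_first=False))
    print("reset first:", demo(reset_first=True))
```

Without the reset, every switch ends up knowing VLAN 1 only; with it, SW4’s ad loses the CRN comparison and SW4 learns the production VLANs from SW2 instead. The password check in the model is also the reason a mismatched password protects you here: an ad that fails the check never reaches the CRN comparison.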

The Three VTP Advertisement Types (And Two Directions!)

Summary Advertisements are sent by VTP Servers every 5 minutes OR upon a change in the VLAN database. Included in this ad type are the VTP domain name and version, CRN, a timestamp, MD5 hash code, and the number of Subset Advertisements that will follow this Summary ad.

Subset Advertisements are sent by VTP Servers when there’s a VLAN configuration change. Subset ads give more specific info about the VLAN that’s been changed, including whether it’s deleted or suspended, the VLAN type (Ethernet, Token Ring, FDDI, etc.), the VLAN names and numbers, and the new VLAN name and/or MTU (if those values were changed).

Client Advertisement Requests are requests from VTP Clients for VLAN information, which may seem unnecessary. If those Summary Ads are coming every 5 minutes, why does the client ever have to request info? These requests come in handy should the client’s VLAN database become corrupt. Rather than wait for the Server’s ads to be triggered, the Client can explicitly request VLAN info, and the Server will answer with a series of Summary and Subset ads that will allow the Client to rebuild its VLAN database.

VTP Versions

The available VTP versions are 1, 2, and 3, and a Cisco switch will run Version 1 by default. Use vtp version to change versions.

SW2#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 : CCNP
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled

SW2(config)#vtp version ?
  <1-3>  Set the administrative domain VTP version number

As you’d expect, there were some improvements when VTP v2 came along:

VTP v2 supports Token Ring VLANs and Token Ring switching, where v1 does not.

VTP v2 performs a consistency check when changes are made to VLANs or the VTP configuration at the command-line interface (CLI), which helps to prevent incorrect names from propagating throughout the network. The consistency check is performed on the VLAN names and numbers.

A transparent VTP switch running VTP v2 will forward VTP advertisements via its trunk ports even if the VTP domain name is different on the switches it’s trunking with. With v1, the domain and version number of the trunking switches had to match that of the transparent switch.

Those were solid improvements, but serious improvements came along with the introduction of VTP v3. VTP v3 introduced the VTP mode off we saw earlier. If you’re on a switch that can’t run VTP version 3, you will not see the off option.

SW1(config)#vtp mode ?
  client       Set the device to client mode.
  server       Set the device to server mode.
  transparent  Set the device to transparent mode.

VTP v3 can be enabled and disabled at the port level, rather than only at the switch level.

The VTP Password ("Secure Mode")

With previous versions of VTP, it was easy to compromise the password. Improvement was needed, and VTP v3 brought it. I'll configure SW2 to run VTP v2, and then set a password.

SW2(config)#vtp version 2
VTP version is already in V2.

(Hey, I was already there!)

SW2(config)#vtp password ?
SW2(config)#vtp password CCNP ?
<cr>
SW2(config)#vtp password CCNP
Setting device VTP password to CCNP

SW2#show vtp password
VTP Password: CCNP

You could also spot the VTP password in the vlan.dat file. The vlan.dat file is HUGE, so I'm not showing the entire thing here.

SW2#more vlan.dat
00000000: BADB100D 00000002 02044343 4E500000 :[....CCNP..

Let's upgrade SW2 to VTP v3 and then view our options for the VTP password. I'll do that after removing the previous password.

SW2(config)#no vtp password CCNP
Clearing device VTP password.

SW2#show vtp password
The VTP password is not configured.

SW2(config)#vtp version 3
Mar 1 00:06:32.318: %SW_VLAN-6-OLD_CONFIG_FILE_READ: Old version 2 VLAN configuration file detected and read OK. Version 3 files will be written in the future.

SW2(config)#vtp password CCNP ?
hidden Set the VTP password hidden option
secret Specify the vtp password in encrypted form
<cr>

SW2(config)#vtp password CCNP secret ?
VTP secret has to be 32 characters in length

I just didn't feel up to a 32-character password, so I went with hidden, which really is the best option.

SW2(config)#vtp password CCNP hidden
Setting device VTP password

SW2#show vtp password
VTP Password: 50EF55299259C91C41DDF825699A177D

Cisco's website documentation on VTP v3 mentions that show commands can't be used to see the password, nor is it visible in the vlan.dat file, and that is indeed the case! Suffice to say I looked for the password and it wasn't there.

VTP v3 vs. The Synch Problem

Remember the VTP synch problem we saw earlier in this chapter? VTP v3 helps us prevent that problem (proactively!) by introducing the primary server concept. When you configure a VTP Server as the primary server, that's the only device that can actually update other switches in the VTP domain. You need the VTP password to do so. Use vtp primary to make a VTP server the primary server, and you'll be prompted one more time to ensure you're sure about making this switch the primary server.

SW2#vtp primary vlan
Enter VTP Password:
This system is becoming primary server for feature vlan
No conflicting VTP3 devices found.
Do you want to continue? [confirm]
SW2#
*Mar 1 00:24:17.629: %SW_VLAN-4-VTP_PRIMARY_SERVER_CHG: 0017.9466.f780 has become the primary server for the VLAN VTP feature

A Final Word About VTP Versions

According to Cisco website documentation, VTP v3 is friendly to VTP v2, but v3 will not work with v1. If a switch running v1 detects a v3 switch, the switch running v1 will attempt to upgrade to v2. Naturally, if the switch can only run v1, you're stuck. Cisco strongly recommends that you determine whether your current switches are v2-capable before introducing v3 to your network. You're better off if all your current switches are v3-capable.

Another major difference between versions to watch out for: VTP v1 and v2 support only VLANs 1 – 1005, where v3 supports the full range of extended VLANs (1 – 4094).

VTP Pruning

Trunk ports are members of all VLANs, which leads to an issue involving broadcasts, unknown unicasts, and multicasts. A trunk port will forward broadcasts and multicasts for all VLANs it knows about, regardless of whether the switch at the other end of the trunk actually has ports in those VLANs. This means that the sending switch is likely sending unnecessary traffic, and the recipient is receiving totally unnecessary traffic.

With VTP pruning, a switch will send a message to its trunking partners, identifying the VLANs in use by the switch sending the message. Here, SW1 has hosts in VLANs 2 – 19. That switch is trunking with SW2, which has hosts in VLANs 2 – 10. There's no reason to send broadcast, unknown unicast, or multicast traffic belonging to VLANs 11 – 19 to SW2. SW1 now knows which multicasts, broadcasts, and unknown unicasts should and should not be sent across the trunk to SW2.

Enabling VTP pruning is just as easy. You don't even have to type "on"!

SW2(config)#vtp pruning ?
<cr>
SW2(config)#vtp pruning
Pruning switched on

That simple command makes VLANs 2 – 1001 eligible for pruning. You can't prune the default VLANs! If you want to make some of those VLANs "prune-proof", use the switchport trunk pruning vlan command.

SW1(config)#int range fast 0/11 - 12
SW1(config-if-range)#switchport trunk pruning vlan ?
WORD VLAN IDs of the allowed VLANs when this port is in trunking mode
add add VLANs to the current list
except all VLANs except the following
none no VLANs
remove remove VLANs from the current list

Enough of VLANs – for now! Let's get started with the Spanning Tree Protocol!

Chapter 5: THE FUNDAMENTALS OF STP

Whether it's Layer 2 or Layer 3, we love redundancy. A single point of failure for anything in today's networks just isn't acceptable. Redundancy works just a bit differently at L2 than L3, however. With routing, we want to use as many of those paths as is feasible. L3 routing protocols such as EIGRP and OSPF allow us to use secondary paths in addition to the primary paths, making equal- and unequal-cost load balancing possible. (More on that in your ROUTE studies!) At Layer 2, our redundant paths need to be ready for action in case the primary path fails, but they will not be used in addition to the primary path.

The basic purpose of the Spanning Tree Protocol (STP) is to identify valid loop-free paths and then choose the best of those paths for use. STP will then block ports on the valid but less desirable paths, holding those paths in standby. Should a primary path become unavailable, STP will realize this and begin to unblock the necessary ports to put the next best path into action. This becomes a lot clearer with examples and lab work, which we have plenty of in the next few sections of the course!

So that's all fine, you say, but what about those redundant paths? Why can't we use every single path from "A" to "B" for switching, as we like to do for routing? The problem at L2 is the possibility of switching loops. Here's an example of such a loop where STP is not in action.

Note: Switching loops are sometimes called "bridging loops", even in networks that don't have bridges. It's a legacy term, and we always say "legacy" because we don't like to say "old".

Now this is redundancy! We have three switches connecting two Ethernet segments, so if two switches go down, each host would still be able to reach every other host. Having STP on would help prevent switching loops, but in this example, it's not on.

Let's say all three switches have just been turned on, and Host A sends a frame to Host C. With this topology, all three switches would receive the frame on their Fast0/1 interfaces. Before making a forwarding decision regarding the incoming frame, each switch will check its own MAC address table for an entry for the source MAC address of the frame. None of the switches have such an entry, so they'll each make an entry in their respective MAC tables, listing Host A as reachable via Fast0/1.

On to the forwarding decision! None of the switches have an entry for the frame's destination, so each switch will follow the default behavior for an unknown unicast address. They'll flood the frame out all ports except the one it came in on. In our example, the frames will be flooded out Fast0/2 on each switch. Each switch will see the frame just flooded by the other two switches. The problem is the source MAC address of each flooded frame, which is still Host A's MAC address. When each switch receives a frame on Fast 0/2 with Host A's MAC address as the source, each switch will then change the MAC address table entry for Host A to Fast 0/2. Just that quickly, without STP, we're about to experience a switching loop.

If you think that's bad (and it is!), just wait until the other hosts start sending traffic! Slowly but surely (don't call me Shirley), the switches will keep going back and forth on the MAC address table entry for Host A. As those frames are flooded in turn, more and more broadcast traffic is forwarded by the switches. Finally, the switch is overwhelmed by those broadcasts and we have a broadcast storm.

In short, switching loops cause three major problems:

Frames can't reach their intended destination, either in full or in part

There's an unnecessary strain put on the switch CPU

A lot of bandwidth is unnecessarily sucked up by all those broadcasts
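The loop described above can be reproduced on paper, and a small simulation makes the two failure modes (MAC table flapping and the doubling frame count) concrete. The following Python is an added example, not code from the study guide: the three switches, the two segments, the port names Fa0/1 and Fa0/2, and the MAC addresses are constructed to match the scenario in the text. The `blocked` set stands in for the ports STP would hold in blocking state, so the same frame can be run with and without loop protection.

```python
"""Switching-loop simulation (constructed example, not from the study guide).

Three switches S1, S2, S3 each connect Ethernet segment "segA" (port Fa0/1)
to segment "segB" (port Fa0/2), as in the text. Host A sits on segA and sends
one unicast frame to a destination nobody has learned. Without STP every
switch floods it, relearns Host A on the wrong port, and the number of frames
on the wire doubles every round: a storm. With two ports held in blocking
state the same frame is delivered twice and the network goes quiet.
"""
from collections import deque

TOPOLOGY = {  # switch -> {port: segment}; constructed sample topology
    "S1": {"Fa0/1": "segA", "Fa0/2": "segB"},
    "S2": {"Fa0/1": "segA", "Fa0/2": "segB"},
    "S3": {"Fa0/1": "segA", "Fa0/2": "segB"},
}
HOST_A = "aaaa.aaaa.aaaa"   # constructed MAC addresses
HOST_C = "cccc.cccc.cccc"   # never learned by any switch: always an unknown unicast


class Switch:
    """Minimal transparent bridge: learn the source, forward or flood on the destination."""

    def __init__(self, name, ports, blocked):
        self.name = name
        self.ports = list(ports)
        self.blocked = {p for (sw, p) in blocked if sw == name}
        self.mac_table = {}
        self.flaps = 0  # times an existing entry was moved to a different port

    def receive(self, in_port, src, dst):
        """Return the ports the frame is forwarded out of (empty if none)."""
        if in_port in self.blocked:      # a BLK port accepts only BPDUs, never data
            return []
        prev = self.mac_table.get(src)
        if prev is not None and prev != in_port:
            self.flaps += 1
        self.mac_table[src] = in_port
        if dst in self.mac_table:
            out = [self.mac_table[dst]]  # known unicast: exactly one port
        else:
            out = self.ports             # unknown unicast: flood
        return [p for p in out if p != in_port and p not in self.blocked]


def simulate(rounds, blocked=frozenset(), topology=TOPOLOGY):
    """Run `rounds` forwarding rounds; each round delivers every frame on the wire.

    `blocked` is a set of (switch, port) pairs standing in for STP's blocking state.
    Returns counters that show whether the single frame died out or exploded.
    """
    switches = {n: Switch(n, ports, blocked) for n, ports in topology.items()}
    attached = {}  # segment -> [(switch, port), ...]
    for name, ports in topology.items():
        for port, seg in ports.items():
            attached.setdefault(seg, []).append((name, port))
    # A frame on the wire: (segment, src, dst, (switch, port) that transmitted it)
    wire = deque([("segA", HOST_A, HOST_C, None)])  # Host A transmits on segA
    delivered = 0
    for _ in range(rounds):
        if not wire:
            break
        next_wire = deque()
        while wire:
            seg, src, dst, sender = wire.popleft()
            delivered += 1
            for sw, port in attached[seg]:
                if (sw, port) == sender:
                    continue            # a port does not hear its own transmission
                for out in switches[sw].receive(port, src, dst):
                    next_wire.append((topology[sw][out], src, dst, (sw, out)))
        wire = next_wire
    return {
        "frames_delivered": delivered,
        "frames_pending": len(wire),
        "mac_flaps": sum(s.flaps for s in switches.values()),
        "host_a_port": {n: s.mac_table.get(HOST_A) for n, s in switches.items()},
    }


if __name__ == "__main__":
    print("no STP:", simulate(rounds=6))           # 94 delivered, 96 still queued, 15 flaps
    print("two ports blocked:",                    # 2 delivered, nothing queued, 0 flaps
          simulate(rounds=6, blocked={("S2", "Fa0/2"), ("S3", "Fa0/2")}))
```

Each round after the first, every switch relearns Host A once on the opposite port, which is the back-and-forth the text describes; the frame count (1, 3, 6, 12, 24, 48) is the storm. Blocking one port on each of S2 and S3 leaves exactly one path between the segments, and the unknown unicast is delivered once per segment and then disappears.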

Luckily for us, switching loops don't occur often, because STP does a great job of preventing switching loops before they happen. It all begins with the exchange of Bridge Protocol Data Units (BPDUs).

The Bridge Protocol Data Unit Types and The Root Bridge Election

We have two BPDU types, both multicast to the well-known MAC address 01-80-c2-00-00-00. We're going to concentrate on Configuration BPDUs, the BPDUs that are used in STP calculations. TCN BPDUs will be covered later in this section.

Only the root bridge will originate Configuration BPDUs. The non-roots will receive and forward a copy of that BPDU, but non-root bridges do not actually create this BPDU type. The root bridge is also the switch that decides what the STP timers will be.

Each switch has a Bridge ID Priority value, commonly referred to as a BID. The BID is a combination of a 2-byte Priority value and the switch's 6-byte MAC address. The Priority value comes first in the BID. If a Cisco switch has the default priority 32768 and a MAC address of 11-22-33-44-55-66, the resulting BID is 32768:11-22-33-44-55-66. The switch with the lowest BID will win that coveted role. If the Priority is left at the default on all switches, the MAC address is the deciding factor in the root bridge election, and the switch with the lowest MAC address wins.

In any network, you'll have switches that are more powerful than others in terms of processing power and speed. In general, you should ensure that your primary and secondary root bridges are your more powerful switches. We don't want to leave those roles to chance – or the lowest MAC address! I'll show you exactly how to be deterministic about root bridge elections after we walk through an example of a root bridge election using only the defaults.

The Default Root Bridge Election Process

Switches are a lot like people. When they first arrive, they announce to everyone around them that they are the center of the universe. Unlike some people, the switches get over it. But seriously folks, we're about to walk through a root bridge election on a three-switch network, and we'll take a look at the election from each switch's point of view.

All three switches are coming online at the same time, and all six ports in this example will go to the listening state, allowing them to hear BPDUs from other switches. (Much more on these STP port states later in this section.) Each switch has the default priority 32768, and the MAC address of each switch is the switch's number repeated 12 times. Since each switch initially believes it's the root, all three of them get very busy announcing that fact, and Config BPDUs will be exchanged between our switches until one switch is elected root bridge. We'll see that in action after we have an election.

Here's our network and the root bridge election from SW1's perspective.

SW1 is receiving BPDUs from both SW2 and SW3, both containing BIDs higher than SW1's own BID. While higher BIDs are winners in auctions, they're losers in root bridge elections. SW1 continues to believe that it's the root bridge and will continue to announce itself as such.

Here's the election from SW2's perspective:

SW2 believes it's the root, and the BPDU from SW3 will not change its mind. However, the BPDU from SW1 will! When SW2 sees the BID inside the BPDU from SW1, SW2 will realize it is not the root bridge for this network. SW2 will stop originating Configuration BPDUs, and will instead begin to relay those sent by SW1.

The election from SW3's point of view:

SW3 is about to develop a massive inferiority complex! Both incoming BPDUs contain BIDs superior to that of SW3. SW3 recognizes that the BPDU containing the best BID is coming from SW1. Just that quickly, SW2 and SW3 recognize SW1 as the root – for now!

Root bridge elections never really end. These Config BPDUs go out every 2 seconds, so this process takes very little time. SW1 is currently recognized as the root for this network, but if another switch comes along that advertises a superior BID, that switch would then become the root! SW4 has now come on board, and is advertising a BID lower than that of SW1. SW4 will advertise this BID via a Configuration BPDU, and when SW1 sees that BPDU, SW1 will realize it's no longer the root bridge. SW4 will then take over that role, and SW1 will begin forwarding the Configuration BPDUs it receives from SW4.

This example allowed you to see the details of a root bridge election, but in your production network, that election's already taken place. It's a good idea to know how to see the BIDs of your live switches as well as spot the winner of a root bridge election that's already taken place. For this lab, we'll use a two-switch network, with the switches trunking on their 0/11 and 0/12 ports.

To see the BID of both the local switch and the root switch for a particular VLAN, run show spanning-tree vlan. (Each VLAN will have its own root switch.) Let's take a look at the root bridge info for our default VLAN.

SW1#show spanning vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 000f.90e2.2540
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 000f.90e2.2540
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11 Desg FWD 19 128.11 P2p
Fa0/12 Desg FWD 19 128.12 P2p

There are four different ways to tell you're on the root switch. The most obvious is the phrase "This bridge is the root". The other three ways:

The MAC address of the Root ID (the info for the root) and the Bridge ID (the info for the local switch) is the same.

All ports on the root bridge will be in forwarding mode (FWD).

No ports on the root bridge will be in blocking mode (BLK).

What do things look like on the non-root bridge, you ask?

SW2#show spanning vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 000f.90e2.2540
Cost 19
Port 13 (FastEthernet0/11)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0017.9466.f780
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11 Root FWD 19 128.13 P2p
Fa0/12 Altn BLK 19 128.14 P2p

There are four ways to tell you're not on the root bridge. The first listed here isn't highlighted, but the other three are in bold.

No "This bridge is the root" message

The MAC address under the Root ID and Bridge ID fields are different

The switch has a root port (Fa0/11)

There is a port in blocking mode

The root port is the port a switch will use to reach the root bridge. As odd as it sounds, the root bridge will have no root port. The root port is how a switch reaches the root, so the root bridge doesn't need one, and none is listed, since it doesn't exist!

STP prevents switching loops by putting some ports into blocking mode. In our two-switch network, one path between the switches is open and the other is closed. STP allows only one path between "Point A" and "Point B" – in this case, our two switches – and disallows the others by putting the minimum number of ports necessary into blocking mode. Only one port is in blocking mode, rather than the two you might expect. STP puts the minimum number of ports into blocking mode in order to speed up the process of bringing a new path up when the currently open one becomes unavailable. The fewer ports that need to reopen, the faster that new path will be available.

Path Costs, Root Port Selection, and Root Path Costs

Wondering how SW2 chose 0/11 as its root port, instead of 0/12? Let's zip back to our two-switch example. Every port on our switches has an assigned path cost, and that cost is used to arrive at the port's root path cost. The faster the port, the lower the path cost. The path cost is strictly a local value and is not advertised to upstream or downstream switches. The root path cost is a cumulative value reflecting the overall cost for a given port to reach the root. The Configuration BPDU carries the root path cost, and that cost increments as that BPDU is forwarded throughout the network. These terms will become much clearer after the upcoming example!

It all begins with the root bridge transmitting a Configuration BPDU with the root path cost set to zero. When SW2 receives that BPDU, it will add the cost of the port the BPDU was received upon to the root path cost found in that incoming BPDU. It's important to note that the root path cost increments as BPDUs are received, not sent. The root path cost goes from 0 to 19 (when received by SW2) to 38 (when received by SW3).

Let's run show spanning-tree vlan to see what the deciding factor was. The incoming root path cost should be the same for both ports on SW2, since every port involved here is a Fast Ethernet port.

SW2#show spanning vlan 1

< Some config removed for clarity >

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11 Root FWD 19 128.13 P2p
Fa0/12 Altn BLK 19 128.14 P2p

The path cost is 19 for each port, but 0/11 was chosen as the root port over 0/12. Here's the process for choosing the root port:

First, choose the port receiving the superior BPDU, the BPDU containing the lowest BID. Since both ports received their BPDUs directly from SW1, this is a tie.

Next, choose the port with the lowest root path cost. That's a tie, as both ports will have a root path cost of 19.

Next tiebreaker: choose the port receiving the BPDU with the lowest Sender BID. 0/11 and 0/12 are both receiving BPDUs from SW1, so this is also a tie.

Finally, the lowest sender Port ID wins. There's our tiebreaker, and fast 0/11 is your winnah!

Let's head back to our three-switch network and identify the root ports. All ports are Fast Ethernet ports with a path cost of 19. With all path costs the same, we can quickly identify the root ports on SW2 and SW3, and root ports will always be in forwarding mode (FWD). We know that the ports on the root bridge aren't root ports. They're designated ports, and they'll also be in forwarding mode.

We have four ports in forwarding mode, so STP better put a port or two in blocking mode soon!

Speaking of designated ports, we need one of those for the segment connecting SW2 and SW3. In this admittedly unlikely-to-be-seen-in-the-real-world scenario, frames coming from that host onto the segment shared by SW2 and SW3 might cause a switching loop if both switches could forward frames from that host to SW1. That's where the designated port (DP) comes in. We need one and only one designated port on that segment, being a shared network segment. The switch with the lowest root path cost will have its port on this shared segment named as the designated port. In this scenario, both switches will have the exact same root path cost. It was zero on SW1 and incremented as the BPDUs were received, so we need a tiebreaker. The port belonging to the switch with the lowest BID will become the designated port. We saw earlier that SW2's BID is 32768:22-22-22-22-22-22 and SW3's is 32768:33-33-33-33-33-33, so SW2's port on that shared segment becomes the DP, along with all ports on the root bridge.

Here's the final result:

Of the six ports, five of them are in forwarding mode and only one is blocked, but placing that one particular port into blocking mode prevents switching loops from forming. Putting just one of the two ports on the SW2–SW3 shared segment into blocking mode makes the cutover to that path for SW3 a little quicker, should the current path from SW2 to SW1 become unavailable.

The Shortest Path Is Not Always The Shortest Path

We know the STP path costs are determined by port speed, and it couldn't hurt to be familiar with the following port speeds. (These port costs have changed over time, and these values are from the most recent list on Cisco's website.) This is not a list of every possible speed, but lists the more common speeds you'll bump into on Cisco switches.

Port Speed    STP Path Cost
10 Gbps       2
1 Gbps        4
100 Mbps      19
16 Mbps       62
10 Mbps       100
4 Mbps        250

Keep STP costs in mind when eyeballing a network map on your CCNP SWITCH exam, job interview, or during your network admin duties. If you were asked which of SW3's two ports would become its root port, it would be really easy to say 0/1. It would also be really wrong. Do not jump to the conclusion that the physically shortest path is the logically shortest path.

SW3-to-SW1 root path cost: 100 (One 10 Mbps link)

SW3-to-SW2-to-SW1 root path cost: 38 (Two 100 Mbps links)

Fast 0/2 becomes the root port. The root path using that port has a cost of 38, while the more physically direct path has a root path cost of 100. Whether it's in the exam room or your server room, be sure to double-check the port speeds. Some of the network maps I've looked at over the years have a font size of about 0.5, and it's really easy to miss a zero – or think one is there that isn't! Luckily, that only happens now and Zen. And speaking of Zen…

Changing A Port's Path Cost

We'll verify port path cost changes with show spanning-tree vlan. We need only the information at the bottom of that command's output in this lab, so I'll edit the "Root ID" and "Bridge ID" fields from the output. Let's verify!

SW2#show spanning vlan 1

Interface Role Sts Cost
---------------- ---- --- ---------
Fa0/11 Root FWD 19
Fa0/12 Altn BLK 19

We want 0/12 to be the root. Lowering its path cost to 9 for all VLANs should do it!

SW2(config)#int fast 0/12
SW2(config-if)#spanning-tree ?
bpdufilter Don't send or receive BPDUs on this interface
bpduguard Don't accept BPDUs on this interface
cost Change an interface's spanning tree port path cost
guard Change an interface's spanning tree guard mode
link-type Specify a link type for spanning tree protocol use
mst Multiple spanning tree
port-priority Change an interface's spanning tree port priority
portfast Enable an interface to move directly to forwarding on link up
stack-port Enable stack port
vlan VLAN Switch Spanning Tree

SW2(config-if)#spanning-tree cost ?
<1-200000000> port path cost
SW2(config-if)#spanning-tree cost 9

Just a few seconds after changing the cost, we get this little message:

*Mar 2 05:31:08.802: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down

Doesn't sound good! Our management interface, Vlan1, has gone down. Let's see if it comes back up while we check in on our root port situation!

SW2#show spanning vlan 1

Interface Role Sts Cost
---------------- ---- --- ---------
Fa0/11 Altn BLK 19
Fa0/12 Root LIS 9

The change to 0/12's path cost is immediate, as is the transition of 0/11 from forwarding to blocking. What isn't immediate is the transition of 0/12 from blocking to forwarding. Right now, 0/12 is in listening mode. About 15 seconds after that output, I ran the same command:

SW2#show spanning vlan 1

Interface Role Sts Cost
---------------- ---- --- ---------
Fa0/11 Altn BLK 19
Fa0/12 Root LRN 9

0/12 is now in learning mode. About 15 seconds later…

*Mar 2 05:35:41.510: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up

SW2#show spanning vlan 1

Interface Role Sts Cost
---------------- ---- --- ---------
Fa0/11 Altn BLK 19
Fa0/12 Root FWD 9

… the VLAN1 interface comes back up and 0/12 is in forwarding mode. That's just what we wanted – we just had to be a little patient! But trust me – there's a really good reason that change isn't immediate. More on that shortly.

Load Balancing On A Per-VLAN Basis

Using cost is an all-or-nothing deal. What if we want to change the cost for some VLANs while leaving it alone for others? We'll make this happen with spanning-tree vlan, using the cost option. Note the option to specify a range of VLANs.

In the following lab, all VLANs are using the top trunk (Fa 0/11 on both switches). We're just wasting the other path! We want VLANs 10 and 20 to continue to use the top path, but VLANs 30 and 40 should use the bottom trunk (Fa 0/12 on both switches). This is per-VLAN load balancing, and while it's not perfect load balancing, it's better than sending all our traffic across one trunk while treating the other trunk as strictly a backup. We'll change the path cost for 0/12 on SW2 to 9 for VLANs 30 and 40 while leaving it alone for VLANs 10 and 20.

SW2(config)#int fast 0/12
SW2(config-if)#spanning vlan ?
WORD vlan range, example: 1,3-5,7,9-11

SW2(config-if)#spanning vlan 30,40 ?
cost Change an interface's per VLAN spanning tree path cost
port-priority Change an interface's spanning tree port priority

SW2(config-if)#spanning vlan 30,40 cost ?
<1-200000000> Change an interface's per VLAN spanning tree path cost

SW2(config-if)#spanning vlan 30,40 cost 9

The port begins to transition from blocking to forwarding for VLANs 30 and 40…

SW2#show spanning vlan 30

Interface Role Sts Cost
---------------- ---- --- ---------
Fa0/11 Altn BLK 19
Fa0/12 Root LIS 9

SW2#show spanning vlan 40

Interface Role Sts Cost
---------------- ---- --- ---------
Fa0/11 Altn BLK 19
Fa0/12 Root LIS 9

… but there's no transition for VLANs 10 and 20.

SW2#show spanning vlan 10

Interface Role Sts Cost
---------------- ---- --- ---------
Fa0/11 Root FWD 19
Fa0/12 Altn BLK 19

SW2#show spanning vlan 20

Interface Role Sts Cost
---------------- ---- --- ---------
Fa0/11 Root FWD 19
Fa0/12 Altn BLK 19

Thirty seconds or so later, the transition has completed, and 0/12 is now the root port for both VLANs 30 and 40.

SW2#show spanning vlan 30

Interface Role Sts Cost
---------------- ---- --- ---------
Fa0/11 Altn BLK 19
Fa0/12 Root FWD 9

SW2#show spanning vlan 40

Interface Role Sts Cost
---------------- ---- --- ---------
Fa0/11 Altn BLK 19
Fa0/12 Root FWD 9

All VLAN 30 and 40 traffic will now use the trunk that was previously unused. Pretty cool!

Let's quickly review those STP port states. The STP port state disabled is a little odd in that you won't see "DIS" next to a port in the output of show spanning vlan. Cisco does consider this to be an official STP state, so we will too! A disabled port is simply a port that's been administratively shut down. A disabled port isn't forwarding frames or even officially running STP.

Once that port is administratively enabled, the port goes into blocking state (BLK). About the only thing a blocked port can do is accept BPDUs from neighboring switches. No frame forwarding, no frame receiving, and therefore no dynamic learning of MAC addresses.

When a port starts the transition from blocking to forwarding, it enters listening mode (LIS). The obvious question: "Listening for what?" A listening port is listening for BPDUs. A listening port can send BPDUs as well, allowing the port to participate in the root bridge election. The port still can't do much. A port in listening mode still can't forward or receive frames, and as a result the port can't learn MAC addresses.

As the transition continues, the port goes from listening to learning (LRN) mode. A port in learning mode continues to send and receive BPDUs. A learning port isn't forwarding frames, but it is learning MAC addresses and adding them to the switch's MAC address table.

SW2#show spanning vlan 40

Interface Role Sts Cost
---------------- ---- --- ---------
Fa0/11 Altn BLK 19
Fa0/12 Root LRN 9

Finally, the port goes from learning to forwarding mode. Forwarding mode allows a port to forward and receive frames, send and receive BPDUs, and continue to learn MAC addresses. This is the only state where the port is actually forwarding frames!

There's another cute little way of performing per-VLAN load balancing on our switches, and that's by manipulating the port priority. Let's review that list we used for root port selection:

First, choose the port receiving the superior BPDU.

Tie? Choose the port with the lowest root path cost.

Still tied? Choose the port receiving the BPDU with the lowest Sender BID.

Still tied? Choose the port receiving a frame from the lowest sender Port ID.

That port ID is a combination of port priority and port number. In this lab, we'll change the port priority of 0/12 to make it lower than that of 0/11 for some VLANs, while leaving it the same for others. We'll have VLANs 10 and 20 use the trunk over 0/12. VLANs 30 and 40 will continue to use the trunk over 0/11. (The commands from the previous load-balancing lab have been removed.)

During that lab, we had the following ports sending BPDUs on SW1:

SW1#show spanning vlan 1

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11 Desg FWD 19 128.11 P2p
Fa0/12 Desg FWD 19 128.12 P2p

The edited readout of show spanning vlan for each VLAN on SW1 reflects the default port priority of 128 on ports 0/11 and 0/12.

SW1#show spanning vlan 10

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11 Desg FWD 19 128.13 P2p
Fa0/12 Desg FWD 19 128.14 P2p

SW1#show spanning vlan 20

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11 Desg FWD 19 128.13 P2p
Fa0/12 Desg FWD 19 128.14 P2p

SW1#show spanning vlan 30

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11 Desg FWD 19 128.13 P2p
Fa0/12 Desg FWD 19 128.14 P2p

SW1#show spanning vlan 40

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11 Desg FWD 19 128.13 P2p
Fa0/12 Desg FWD 19 128.14 P2p

The same commands on SW2 show the same port priority for each VLAN.

SW2#show spanning vlan 10
VLAN0010
Spanning tree enabled protocol ieee
Root ID Priority 24586
Address 001c.0fbf.2f00
Cost 19
Port 12 (FastEthernet0/12)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32778 (priority 32768 sys-id-ext 10)
Address 000e.84ae.3600
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11 Altn BLK 19 128.11 P2p
Fa0/12 Root FWD 19 128.12 P2p

SW2#show spanning vlan 20

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11 Altn BLK 19 128.11 P2p
Fa0/12 Root FWD 19 128.12 P2p

SW2#show spanning vlan 30

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11 Altn BLK 19 128.11 P2p
Fa0/12 Root FWD 19 128.12 P2p

SW2#show spanning vlan 40

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11 Altn BLK 19 128.11 P2p
Fa0/12 Root FWD 19 128.12 P2p

For VLANs 30 and 40 to start using fast 0/11, we'll decrease the port priority for those VLANs on fast 0/12. The new port priority must be set in increments of 16, and the switch doesn't like it when you do not do so.

SW1(config)#int fast 0/12
SW1(config-if)#spanning vlan 30 ?
cost Change an interface's per VLAN spanning tree path cost
port-priority Change an interface's spanning tree port priority

SW1(config-if)#spanning vlan 30 port-priority ?
<0-240> port priority in increments of 16

SW1(config-if)#spanning vlan 30 port-priority 35
% Port Priority in increments of 16 is required

SW1(config-if)#spanning vlan 30 port-priority 64
SW1(config-if)#spanning vlan 40 port-priority 64

show spanning vlan 30 and show spanning vlan 40 verify the change.

SW1#show spanning vlan 30

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11 Desg FWD 19 128.13 P2p
Fa0/12 Desg FWD 19 64.14 P2p

SW1#show spanning vlan 40

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11 Desg FWD 19 128.13 P2p
Fa0/12 Desg FWD 19 64.14 P2p

When it comes to VLANs 30 and 40, the BPDU going from SW1 to SW2 over fast 0/11 is now superior to that over fast 0/12. As a result, VLANs 30 and 40 are now using the trunk over fast 0/11, verified by show spanning vlan 30 and show spanning vlan 40 on SW2.

SW2#show spanning vlan 30

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11 Root FWD 19 128.11 P2p
Fa0/12 Altn BLK 19 128.12 P2p

SW2#show spanning vlan 40

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11 Root FWD 19 128.11 P2p
Fa0/12 Altn BLK 19 128.12 P2p

VLANs 10 and 20 continue to use the trunk over fast 0/12, verified by show spanning vlan 10 and show spanning vlan 20 on SW2.

SW2#show spanning vlan 10

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11 Altn BLK 19 128.11 P2p
Fa0/12 Root FWD 19 128.12 P2p

SW2#show spanning vlan 20

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11 Altn BLK 19 128.11 P2p
Fa0/12 Root FWD 19 128.12 P2p

I’ll remove the two lab commands from fast 0/12 on SW1.11 P2p Fa0/12 Altn BLK 19 128. --------. ----- --. ---------.115 S T U DY G U I D E Now. Fa0/11 Altn BLK 19 128.11 P2p Fa0/12 Root FWD 19 128.12 P2p Prio. --------.Nbr Type ---------------.Nbr Type ---------------. it’s great to know more than one way to get something done! 110 111 . Interface Role Sts Cost Prio.11 P2p SW1(config-if)#spanning vlan 30 port-priority 160 Fa0/12 Root FWD 19 128. ----- --. Interface Role Sts Cost Prio.Nbr Type ---------------. Could we have raised the port priority on 0/11 C H R I S B R YA N T SW2#show spanning vlan 30 rather than decreasing it on 0/12? Let’s find out! First. ----- --. Fa0/11 Altn BLK 19 128. verified really up to you when it comes to real-world networking. ---------. we’ll raise the port priority for VLANs 30 and 40 to 160 (a multiple of 160!). ----- --. show spanning vlan 30 and show spanning vlan 40 verify the change back to fast 0/12.12 P2p SW1(config-if)#spanning vlan 40 port-priority 160 Whether you choose to lower or raise a port priority to get VLAN load balancing going is Raising the port priority on fast 0/11 has the same effect as reducing it on fast 0/12. SW1(config)#int fast 0/11 Fa0/11 Altn BLK 19 128.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 . --------. ---------.12 P2p SW2#show spanning vlan 20 Interface Role Sts Cost Prio. Interface Role Sts Cost Prio. SW1(config)#int fast 0/12 Fa0/11 Root FWD 19 128. ---------. ----- --. ----- --. --------.Nbr Type … while VLANs 10 and 20 continue to use the trunk over fast 0/12.11 P2p SW1(config-if)#no spanning vlan 40 port-priority 64 Fa0/12 Altn BLK 19 128. ---------.12 P2p SW1(config-if)#no spanning vlan 30 port-priority 64 SW2#show spanning vlan 40 On SW2.12 P2p On fast 0/11.11 P2p Fa0/12 Root FWD 19 128.Nbr Type ---------------. ---------. I already know what you’re gonna ask. For CCNP SWITCH exam success. SW2#show spanning vlan 30 Interface Role Sts Cost Fa0/11 Root FWD 19 128. --------. 
by show spanning vlan on SW2.Nbr Type ---------------. VLANs 30 and 40 are using the trunk over fast 0/11… as with all Cisco exams. ---------------.12 P2p SW2#show spanning vlan 40 SW2#show spanning vlan 10 Interface Role Sts Cost Prio. --------. Fa0/11 Altn BLK 19 128.11 P2p Fa0/12 Root FWD 19 128.
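Here is an added example, my own Python rather than anything from the book, for checking the result of a lab like this one without reading a dozen show outputs by eye. It parses show spanning vlan output (constructed samples below, abbreviated to the lines the parser uses, with values taken from this chapter’s labs; the VLAN 30 root priority of 24576 + 30 is an assumption), reports each VLAN’s root port so per-VLAN load balancing can be verified across many VLANs at once, keeps both the Root ID timers (the ones the VLAN actually runs on) and the Bridge ID timers (the local switch’s own settings), flags any port shown as BKN or *ROOT_Inc, and mirrors the increments-of-16 rule IOS applies to port priority.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed samples (not live captures): values from this chapter's labs, laid out the way
# IOS prints 'show spanning-tree vlan N'. The VLAN 30 root priority (24576 + 30) is assumed.
SAMPLE_SW2_VLAN30 = """\
VLAN0030
  Root ID    Priority    24606
             Address     001c.0fbf.2f00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32798  (priority 32768 sys-id-ext 30)
             Address     000e.84ae.3600
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300
Interface           Role Sts Cost      Prio.Nbr Type
Fa0/11              Root FWD 19        128.11   P2p
Fa0/12              Altn BLK 19        128.12   P2p
"""
SAMPLE_SW2_VLAN1 = """\
VLAN0001
  Root ID    Priority    32769
             Address     000f.90e2.2540
             Hello Time   5 sec  Max Age 25 sec  Forward Delay 16 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0017.9466.f780
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec
Interface           Role Sts Cost      Prio.Nbr Type
Fa0/11              Root FWD 19        128.13   P2p
Fa0/12              Altn BLK 19        128.14   P2p
"""

TIMER_RE = re.compile(r"Hello Time\s+(\d+) sec\s+Max Age\s+(\d+) sec\s+Forward Delay\s+(\d+) sec")
ADDR_RE = re.compile(r"Address\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")
PORT_RE = re.compile(r"^(\S+)\s+(Desg|Root|Altn|Back)\s+(FWD|BLK|LRN|LIS|BKN)\s+(\d+)\s+(\d+)\.(\d+)\s+(\S.*)$")


@dataclass
class Port:
    name: str
    role: str
    state: str
    cost: int
    priority: int  # the Prio half of Prio.Nbr (128 by default)
    number: int    # the Nbr half
    kind: str      # P2p/Shr plus any flag such as *ROOT_Inc


@dataclass
class StpVlan:
    vlan: int
    root_priority: int = 0
    root_address: str = ""
    root_timers: Tuple[int, int, int] = (0, 0, 0)   # hello, max age, forward delay in use
    local_priority: int = 0
    local_address: str = ""
    local_timers: Tuple[int, int, int] = (0, 0, 0)  # this switch's own settings
    ports: List[Port] = field(default_factory=list)

    def root_port(self) -> Optional[str]:
        return next((p.name for p in self.ports if p.role == "Root"), None)

    def inconsistent_ports(self) -> List[str]:
        return [p.name for p in self.ports if p.state == "BKN" or "Inc" in p.kind]


def parse_show_spanning_vlan(text: str) -> StpVlan:
    """Parse one 'show spanning-tree vlan N' block: Root ID, Bridge ID and the port table."""
    result: Optional[StpVlan] = None
    prefix = None  # "root" inside the Root ID block, "local" inside the Bridge ID block
    for line in text.splitlines():
        m = re.match(r"\s*VLAN0*(\d+)\s*$", line)
        if m:
            result = StpVlan(vlan=int(m.group(1)))
            continue
        if result is None:
            continue
        if "Root ID" in line:
            prefix = "root"
        elif "Bridge ID" in line:
            prefix = "local"
        if prefix:
            m = re.search(r"Priority\s+(\d+)", line)
            if m:
                setattr(result, f"{prefix}_priority", int(m.group(1)))
            m = ADDR_RE.search(line)
            if m:
                setattr(result, f"{prefix}_address", m.group(1))
            m = TIMER_RE.search(line)
            if m:
                setattr(result, f"{prefix}_timers", tuple(int(x) for x in m.groups()))
        m = PORT_RE.match(line)
        if m:
            name, role, state, cost, prio, nbr, kind = m.groups()
            result.ports.append(Port(name, role, state, int(cost), int(prio), int(nbr), kind.strip()))
    if result is None:
        raise ValueError("no VLANnnnn header found")
    return result


def valid_port_priority(value: int) -> bool:
    """Mirror the IOS check on 'spanning-tree vlan N port-priority': 0-240 in steps of 16."""
    return 0 <= value <= 240 and value % 16 == 0


def root_ports(blocks: List[str]) -> dict:
    """VLAN -> root port: the quick way to see which trunk each VLAN is actually using."""
    return {v.vlan: v.root_port() for v in map(parse_show_spanning_vlan, blocks)}
```

Feed root_ports() one block per VLAN and you get the load-balancing picture in one line; a VLAN whose root port is None is either the root itself or has a problem worth looking at.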

STP Timers

These timers are so important, you’ll see them twice when you run show spanning vlan! (That’s not the real reason, frankly.)

SW1#show spanning vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000f.90e2.2540
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000f.90e2.2540
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  15

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ----
Fa0/11              Desg FWD 19        128.11   P2p
Fa0/12              Desg FWD 19        128.12   P2p

Hello Time defines how often the root bridge originates Config BPDUs. Default setting: 2 seconds.

Forward Delay is the length of the listening and learning port stages, with a default of 15 seconds for each individual stage.

Maximum Age (Max Age) is how long a switch will retain the superior BPDU’s contents before discarding it. Default setting: 20 seconds.

Those are important values to know, but why do we see each one listed twice in that output? The first set of timers is in the Root ID field. It’s this set of timers that is actually used by the root and all switches that receive a Configuration BPDU that originated with that particular root. The second set of timers is found in the Bridge ID field, and those are the local switch’s setting for the timers. Unless you’re on the root, those timers under Bridge ID do not matter, but you will see them twice.

Use spanning vlan to change these timers. None of them can be set to zero. IOS shows us the ranges of allowable settings for each command. For the change to take effect throughout the VLAN, always use these commands on your primary and secondary roots.

SW1(config)#spanning vlan 1 ?
  forward-time  Set the forward delay for the spanning tree
  hello-time    Set the hello interval for the spanning tree
  max-age       Set the max age interval for the spanning tree
  priority      Set the bridge priority for the spanning tree
  root          Configure switch as root
  <cr>
SW1(config)#spanning vlan 1 hello ?
  <1-10>  number of seconds between generation of config BPDUs
SW1(config)#spanning vlan 1 hello 5
SW1(config)#spanning vlan 1 forward ?
  <4-30>  number of seconds for the forward delay timer
SW1(config)#spanning vlan 1 forward 16
SW1(config)#spanning vlan 1 max-age ?
  <6-40>  maximum number of seconds the information in a BPDU is valid
SW1(config)#spanning vlan 1 max-age 25

Verify with show spanning vlan. On the root bridge, we expect the timers in the Root ID and Bridge ID fields to be identical.

SW1#show spanning vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000f.90e2.2540
             This bridge is the root
             Hello Time   5 sec  Max Age 25 sec  Forward Delay 16 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000f.90e2.2540
             Hello Time   5 sec  Max Age 25 sec  Forward Delay 16 sec
             Aging Time  300

What about the downstream, non-root switch though?

SW2#show spanning vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000f.90e2.2540
             Cost        19
             Port        13 (FastEthernet0/11)
             Hello Time   5 sec  Max Age 25 sec  Forward Delay 16 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0017.9466.f780
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

As expected, the settings in use are the ones under Root ID!

Root Switch Selection: Be Deterministic

If we leave STP to its own devices, a single switch is going to be the root bridge for every VLAN in our network, and that’s not always best for our network. The switch with the lowest MAC address will be crowned as the root. That might not be so bad, depending on your network topology, but the default root switch selection is left up to chance.

We can choose another particular switch to be the root bridge for all VLANs, or we can spread the workload around a bit and let one switch be the root for some VLANs while another switch is the root for the rest of the VLANs. If you have 50 VLANs and five switches, you could make each switch the root for 10 VLANs. You can spread the root switch role around as much as you like. It’s up to you!

Before this lab, I did a write erase and delete vlan.dat on both switches, reloaded, and created VLANs 10, 20, and 30 for our next lab. Please note that the cabling has changed, and we’ll be adding a switch and two cables as this lab progresses.

SW1 is the root for all four VLANs. We’d like SW2 to be the root for VLANs 20 and 30 while leaving SW1 the root for VLANs 1 and 10. Let’s use spanning vlan root primary to make SW2 the root for VLAN 20.

SW2(config)#spanning vlan 20 root ?
  primary    Configure this switch as primary root for this spanning tree
  secondary  Configure switch as secondary root
SW2(config)#spanning vlan 20 root primary

SW2#show spanning vlan 20
VLAN0020
  Spanning tree enabled protocol ieee
  Root ID    Priority    24596
             Address     0017.9466.f780
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Done and done! The new root’s priority is 24596. That’s certainly good enough to make it the root, but where exactly did that priority come from? It depends...

Current root priority greater than 24576? Result: priority of new root is 24576 (plus the VLAN ID in this case, since system extension ID is running).

Current root priority less than 24576? Result: subtract 4096 from that root priority and you have the new root priority!

We’ll now make SW2 the root for VLAN 30.

SW2(config)#spanning vlan 30 root primary
SW2#show spanning vlan 30
VLAN0030
  Spanning tree enabled protocol ieee
  Root ID    Priority    24606
             Address     0017.9466.f780
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

I’m sure you noticed the secondary option. If you want a certain switch to take over as root bridge if the current root goes down, run spanning vlan root secondary on the desired secondary bridge. That command will adjust the switch’s priority enough to make it the backup root, but not enough to make it the primary root.

Let’s see that in action! SW2 is still the root for VLANs 20 and 30, and we’ve added a third switch to the lab. We’ll concentrate on those two VLANs from here on out.
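An added example, not from the book: the priority arithmetic behind root primary and root secondary as described above, the increments-of-4096 check that IOS applies when you set a priority by hand (the method compared with these commands later in this section), and the Bridge ID comparison (priority first, then MAC address) that decides the election when two switches are left with the same priority. How a current root priority of exactly 24576 is handled is my assumption; the text only covers greater than and less than.

```python
from typing import List, Tuple

STEP = 4096                 # priority granularity: the high 4 bits of the 16-bit field
MAX_PRIORITY = 61440
ALLOWED = list(range(0, MAX_PRIORITY + 1, STEP))
PRIMARY_BASE = 24576        # 'root primary' target when the current root sits above it
SECONDARY_BASE = 28672      # 'root secondary' target


def base_priority(shown: int, vlan: int) -> int:
    """Strip the extended system ID (the VLAN number) from a displayed priority."""
    return shown - vlan


def root_primary_priority(current_root_shown: int, vlan: int) -> int:
    """Priority this switch ends up with after 'spanning-tree vlan <vlan> root primary'.

    Rule from the text: current root above 24576 -> 24576; below it -> 4096 less than
    the current root. Exactly 24576 is treated like below (assumption: an equal
    priority would not be enough to take the root role). The VLAN ID is added back.
    """
    base = base_priority(current_root_shown, vlan)
    new_base = PRIMARY_BASE if base > PRIMARY_BASE else base - STEP
    if new_base < 0:
        raise ValueError("current root priority is already too low to undercut")
    return new_base + vlan


def root_secondary_priority(vlan: int) -> int:
    """'root secondary' always lands on 28672 plus the VLAN ID."""
    return SECONDARY_BASE + vlan


def check_manual_priority(value: int) -> Tuple[bool, str]:
    """Mirror the IOS check for 'spanning-tree vlan N priority <value>'."""
    if value in ALLOWED:
        return True, "ok"
    return False, ("Bridge Priority must be in increments of 4096. Allowed values are: "
                   + " ".join(str(v) for v in ALLOWED))


def bridge_id(priority: int, mac: str) -> Tuple[int, int]:
    """Bridge IDs compare as (priority, MAC); the lower tuple wins the election."""
    return priority, int(mac.replace(".", ""), 16)


def elect_root(candidates: List[Tuple[str, int, str]]) -> str:
    """candidates: (name, displayed priority, MAC). Returns the name of the winner."""
    return min(candidates, key=lambda c: bridge_id(c[1], c[2]))[0]


if __name__ == "__main__":
    # Lab values: SW1 is root for VLAN 20 at the default 32768 + 20.
    print(root_primary_priority(32788, 20))      # 24596, as seen on SW2
    print(root_secondary_priority(20))           # 28692
    print(check_manual_priority(7000)[1])
    # Pop quiz: equal default priorities, so the lower MAC (SW1) wins.
    print(elect_root([("SW1", 32788, "000f.90e2.2540"), ("SW3", 32788, "001c.0fbf.2f00")]))
```

elect_root() is also the check the switch will not do for you when you set a priority by hand: feed it the current root and your intended priority and MAC, and you see before typing the command whether the switch would actually win.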

Here’s the Bridge ID info for both SW1 and SW2, and here’s a pop quiz: Which one of these
would take over as the root for VLAN 20 if SW2 went down?
SW1#show spanning vlan 20
  Bridge ID  Priority    32788  (priority 32768 sys-id-ext 20)
             Address     000f.90e2.2540
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300


SW3#show spanning vlan 20
  Bridge ID  Priority    32788  (priority 32768 sys-id-ext 20)
             Address     001c.0fbf.2f00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

They both have the default priority, so it comes down to MAC address, and SW1’s MAC is lower than that of SW3. SW1’s address begins with “000”, and SW3’s begins with “001”, so nothing after that matters. I’ll reload SW2 and we’ll see if SW1 becomes the root in SW2’s absence.

SW2#reload
Proceed with reload? [confirm]
*Mar 1 01:27:11.899: %SYS-5-RELOAD: Reload requested by console.

SW1#show spanning vlan 20
VLAN0020
  Spanning tree enabled protocol ieee
  Root ID    Priority    32788
             Address     000f.90e2.2540
             This bridge is the root

It does indeed! (show spanning vlan 30 isn’t shown, but we know SW1 is the root for that VLAN as well.) SW2 will become the root for VLAN 20 again once it comes back up…

SW2#show spanning vlan 20
VLAN0020
  Spanning tree enabled protocol ieee
  Root ID    Priority    24596
             Address     0017.9466.f780
             This bridge is the root

… but we’d like SW3 to take over as the root for VLAN 20 when SW2 is unavailable, while keeping SW1 as the root for VLAN 30 in that circumstance.

SW3(config)#spanning vlan 20 root ?
  primary    Configure this switch as primary root for this spanning tree
  secondary  Configure switch as secondary root

Let’s make it happen. Note the change to SW3’s priority.

SW3(config)#spanning vlan 20 root secondary
SW3#show spanning vlan 20
VLAN0020
  Spanning tree enabled protocol ieee
  Root ID    Priority    24596

When SW2 goes offline, SW1 will again take over the root bridge role for VLAN 30, but now SW3 will take that role for VLAN 20.

SW2#reload
Proceed with reload? [confirm]

SW1#show spanning vlan 30
This bridge is the root

SW3#show spanning vlan 20
This bridge is the root

SW2 will again take over as the primary root for both VLANs when it comes back online. SW3 remains the secondary for VLAN 20 and SW1 the secondary for VLAN 30.

If SW1 is the desired secondary root for VLAN 30, you’re fine right now, but what if another switch is added to the network? That new switch might have a lower MAC than that of SW1. In this situation, I would manually configure SW1 as the secondary root for VLAN 30.

Of the two methods to configure primary and secondary roots, I prefer the one we just used. You can change the priority manually with spanning vlan priority, but the switch isn’t going to help you by saying “Hey, the priority you set isn’t low enough for this switch to become the primary / secondary!” There’s one more thing that makes this method a tad complicated:

SW1(config)#spanning vlan 20 priority ?
  <0-61440>  bridge priority in increments of 4096
SW1(config)#spanning vlan 20 priority 7000
% Bridge Priority must be in increments of 4096.
% Allowed values are:
  0     4096  8192  12288 16384 20480 24576 28672
  32768 36864 40960 45056 49152 53248 57344 61440

Hey, I tried using a non-4096 multiple!

By the way, we just got a call from the other BPDU type, demanding semi-equal time!

The Topology Change Notification BPDU

TCN BPDUs are generated by a switch when a port goes into forwarding mode or when a port goes from forwarding or learning into blocking mode. The TCN doesn’t say exactly what happened, just that something happened. Each switch receiving the TCN will send an ACK back, and the TCN continues to be forwarded until it reaches the root.


When the root receives the TCN, the root will acknowledge it in the form of a Configuration BPDU with the Topology Change bit set. That BPDU with the TC bit set tells the receiving switches to change the aging time for their MAC tables from the default of 300 seconds to the duration of the Forward Delay timer, and if the timers haven’t been changed, that’s just 15 seconds! This allows the switch to quickly rid itself of now-invalid MAC address table entries while keeping entries for hosts that are currently sending frames to that switch. The aging time will stay at the new value for (Forward Delay + Max Age). By default, that’s 35 seconds.

Exception time! Changes to Portfast-enabled ports cannot result in the generation of a TCN BPDU. That makes sense, since the most common use of Portfast is when a single PC is directly connected to a switch port. When a port connected to a host goes into forwarding mode, it doesn’t really affect STP operation, so there’s no need to alert the entire network about it. If you’re fuzzy on Portfast or any other advanced STP features, we’ll take care of that in the very next section!

Chapter 6: STP — Advanced Features and Versions

Putting these features into operation is easy. Knowing where to run them and why is another matter. Let’s jump right in!

Portfast

Portfast allows a port running STP to go directly from blocking to forwarding mode. And I can hear you now… “We spent all that time talking about STP preventing switching loops, and now you want to turn a couple of them off?” Well, yeah, but only in a specific situation. The chances of a switching loop on a single port with a single host connected are very small, so Portfast allows us to cheat just a bit in order to get that host up and running.

If you have a host that has trouble getting an IP address via DHCP, configuring Portfast on that host’s switchport is the way to go. The STP learning and listening stages can interfere with your host’s DHCP address acquisition process.

Enable Portfast on a per-port level with spanning-tree portfast. Enabling this feature results in one long warning and an additional message.

SW2(config)#int fast 0/3
SW2(config-if)#spanning-tree ?
  bpdufilter     Don’t send or receive BPDUs on this interface
  bpduguard      Don’t accept BPDUs on this interface
  cost           Change an interface’s spanning tree port path cost
  guard          Change an interface’s spanning tree guard mode
  link-type      Specify a link type for spanning tree protocol use
  mst            Multiple spanning tree
  port-priority  Change an interface’s spanning tree port priority
  portfast       Enable an interface to move directly to forwarding on link up
  stack-port     Enable stack port
  vlan           VLAN Switch Spanning Tree
SW2(config-if)#spanning-tree portfast ?
  disable  Disable portfast for this interface
  trunk    Enable portfast on the interface even in trunk mode
  <cr>
SW2(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

%Portfast has been configured on FastEthernet0/3 but will only
 have effect when the interface is in a non-trunking mode.

The switch has given us a warning about the proper and improper use of Portfast, and has also let us know that trunking must be disabled in order for Portfast to be enabled. As IOS Help is so helpful to let us know, we do have the option of enabling Portfast on a trunk port, and after doing so, we’ll be warned about it again!

SW2(config-if)#spanning-tree portfast trunk
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

Enable Portfast globally with spanning portfast default. Using this command enables Portfast on all access ports. After doing so, a slightly different message appears.

SW2(config)#spanning portfast ?
  bpdufilter  Enable portfast bpdu filter on this switch
  bpduguard   Enable portfast bpdu guard on this switch
  default     Enable portfast by default on all access ports
SW2(config)#spanning portfast default
%Warning: this command enables portfast by default on all interfaces. You
 should now disable portfast explicitly on switched ports leading to hubs,
 switches and bridges as they may create temporary bridging loops.

Verify with show spanning interface portfast, because, well, there’s no “show spanning portfast” command.

SW2#show spanning portfast
                          ^
% Invalid input detected at ‘^’ marker.

SW2#show spanning int fast 0/10 portfast
VLAN0001            disabled
VLAN0010            disabled
VLAN0020            disabled
VLAN0030            disabled

UplinkFast

When a port goes through the blocking-to-forwarding transition, there will be approximately a 50-second delay before that blocked port is open. That almost-minute feels like almost-hours at times. Configuring a port with Portfast is one way to avoid part of that delay, but we’re advised over and over by Cisco not to use Portfast unless it’s on a port where a single host device is found. What if the device off that port is another switch?

SW3 has two paths to the root, and assuming all port speeds are the same, the direct physical path will be the path SW3 uses to reach the root. STP blocks one of our six ports in order to prevent switching loops, which is good. If the open path between SW1 and SW3 goes down, we’re looking at a 50-second delay before that port can actually begin forwarding frames, and that’s bad.

With Uplinkfast in use, the ports SW3 could potentially use to reach the root switch are collectively referred to as an uplink group. The uplink group includes ports in blocking and forwarding mode. If the forwarding port in the uplink group senses that the primary link is down, another port in the uplink group will be transitioned immediately (almost) from blocking to forwarding. By “almost immediately”, I mean 1 – 3 seconds, although some Cisco documentation makes it sound like there’s no delay at all.

The original root port on the Uplinkfast-enabled switch will become the root port again when it detects that the original primary path to the root is available once more. This doesn’t take place immediately. By default, the switch will wait (2 x Forward Delay) + 5 seconds before the primary root port enters forwarding state.

Uplinkfast is enabled globally and for all VLANs residing on the switch. It’s all or nothing with this feature – you can’t run it on a per-port or per-VLAN basis.

SW2(config)#spanning uplinkfast ?
  max-update-rate  Rate at which station address updates are sent
  <cr>

Frankly, Uplinkfast is Portfast for wiring closets. Cisco strongly recommends Uplinkfast not be used on distribution- and core-layer switches, and Uplinkfast does have two immediate actions you should be aware of, and they both occur when Uplinkfast is first enabled. The first is setting the switch priority to 49,152. This effectively prevents this switch from becoming the root unless all other switches go down, in which case you have much bigger problems to deal with! The second: the STP port cost is increased by 3000, making it unlikely that this switch will be used to reach the root switch by any downstream switches.

SW2#show spanning vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000f.90e2.2540
             Cost        3019
             Port        14 (FastEthernet0/12)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    49153  (priority 49152 sys-id-ext 1)
             Address     0017.9466.f780
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec
  Uplinkfast enabled

Interface           Role Sts Cost
------------------- ---- --- ---------
Fa0/12              Root FWD 3019

Let’s revisit the original network and add two hosts. Frames from Host A will currently go through SW2, then SW1, then SW3. When the link between SW3 and SW1 goes down, that path is no longer valid, but the now-invalid entry to send frames to Host B via SW1 will still be in SW2’s table. The cutover to the backup path is so fast that the MAC address tables of other switches in the network may be out of date for a few seconds after the cutover. UplinkFast works really well, and on occasion it works a little too well. Actually, a little too fast!

To avoid that, SW3 sends “dummy” multicast frames to SW2. The destination address is 0100.0ccd.cdcd, and the source address – well, that’s the rub. We’re going to send these frames for every single MAC address entry in SW3’s table, which might be small or might be very large! That flooding quickly updates SW2’s MAC address table. If SW3’s MAC address table is particularly large, you may want to adjust the maximum update rate, which by default is 150 packets per second. That’s where our single Uplinkfast option comes into play:

SW3(config)#spanning uplinkfast ?
  max-update-rate  Rate at which station address updates are sent
  <cr>
SW3(config)#spanning uplinkfast max-update-rate ?
  <0-32000>  Maximum number of update packets per second

You can disable the sending of those dummy frames by setting this value to zero.

Verify your Uplinkfast settings with show spanning uplinkfast.

SW3#show spanning uplinkfast
UplinkFast is enabled

Station update rate set to 150 packets/sec.

UplinkFast statistics
-----------------------
Number of transitions via uplinkFast (all VLANs)            : 0
Number of proxy multicast addresses transmitted (all VLANs) : 0

BackboneFast

The Cisco-proprietary feature BackboneFast helps our network recover from indirect link failures. The key word is indirect. If a switch detects an indirect link failure (a failure of a link not directly connected to the switch in question), BackboneFast goes into action.

An indirect link failure is detected when an inferior BPDU is received, as we’ll see in the upcoming walkthrough. Let’s take a look at a three-switch setup where all links are working (currently!), and STP is running as expected. All links are running at the same speed.

SW1 has been elected root, and it sends Configuration BPDUs to SW2 and SW3 every two seconds reminding them of that. In turn, SW2 takes the BPDU it’s receiving from SW1 and relays it to SW3. All is well until SW2 loses its connection to SW1, which means SW2 will start announcing itself as the root. SW3 will receive two separate BPDUs from two claimants to the root bridge role.

SW3 compares the priority in each BPDU and sees SW2 has a higher BID, making the BPDU from SW2 an inferior BPDU. As a result, SW3 ignores that BPDU. Once SW3’s MaxAge timer on the port leading to SW2 hits zero, that port will transition to the listening state and start relaying the information contained in the BPDU coming from SW1 – the superior BPDU.

Backbonefast speeds up the overall process by skipping the MaxAge stage. This doesn’t eliminate the delay, but it does cut the overall delay from 50 to 30 seconds (the overall duration of the listening and learning states).

When an indirect link outage is detected, the Root Link Query goes into action in the form of requests and responses. These message types act as a sort of echo and echo reply combo.

The request is sent to ensure connectivity to the root, is sent via a port receiving BPDUs, and is sent by the switch detecting the indirect link outage. The request names the switch believed by the sender to be the root. The recipient forwards that RLQ request out its own root port, and after a short period of time (hopefully), the request comes back with the name of the root that can be reached via that port. If they match, all is well!

There are two circumstances under which the recipient will respond immediately, one good and one bad. The bad one: The recipient has a different root bridge listed. The good one: The recipient IS the root bridge.

All switches in the network have to be able to send, relay, and respond to RLQ requests. Since RLQ is enabled by enabling BackboneFast, you should run this feature on every switch in the network. The easiest part of BackboneFast is enabling it. This command is a true Cisco rarity in that there are no options. Just enable it, and verify with show spanning backbonefast.

SW3(config)#spanning backbonefast ?
  <cr>
SW3#show spanning backbonefast
BackboneFast is enabled

Root Guard

The root we’re guarding, of course, is the root switch! SW1 is entrenched as the root – until SW4 arrives!

SW4 will take over as the root due to its lower BID, and depending on your network design and the switches’ capabilities, you might not want that. SW4 could also be a rogue switch! If we go to the trouble of deciding which switch should be the root, we should likely go to a little bit of trouble in protecting that switch’s role. That’s where Root Guard comes in.

Root Guard is configured at the port level, and disqualifies any switch downstream from that port from becoming the primary or secondary root. To prevent SW4 from taking over either of those roles, configure Root Guard on SW3’s port leading to SW4.

When a superior BPDU is received on a port running Root Guard, that BPDU is discarded and the port put into root-inconsistent state. That’s verified by show spanning vlan and show spanning inconsistent-ports as well as this console message I received once SW4 came online and started sending those superior BPDUs to SW3.

%SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/4 on VLAN0001.

SW3#show spanning vlan 1
  Root ID    Address     000f.90e2.2540
             Cost        19
             Port        14 (FastEthernet0/12)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     001c.0fbf.2f00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ----------------------
Fa0/4               Desg BKN 19        128.6    P2p *ROOT_Inc
Fa0/11              Altn BLK 19        128.13   P2p
Fa0/12              Root FWD 19        128.14   P2p

The interface receiving the superior BPDU isn’t totally shut down by Root Guard. It’s still listening for BPDUs, and once those superior BPDUs stop coming, that port will transition normally through the STP port states and will come out of root-inconsistent state on its own. To illustrate, I’ll set SW4’s priority back to the default.

SW4(config)#no spanning vlan 1 priority 4096

SW4 quickly recognizes SW1 as the root…

SW4#show spanning vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    8193  (SW1 is still the root!)

SW3#show spanning vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    8193
             Address     000f.90e2.2540

%SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/4 on VLAN0001.

… and SW3’s 0/4 port is no longer root-inconsistent.

SW3#show spanning inc
Name                 Interface              Inconsistency
-------------------- ---------------------- ------------------
Number of inconsistent ports (segments) in the system : 0

What if we didn’t want any BPDUs coming in on SW3’s 0/4 port, you ask? Well…

BPDU Guard

Enabling BPDU Guard on SW3’s 0/4 port will block BPDUs coming in from SW4 and shut the port down. We’ll use the topology from the Root Guard section to illustrate. I’ll open that port after enabling BPDU Guard.

Hey, remember that Portfast warning? Of course you do!

SW3(config)#int fast 0/2
SW3(config-if)#spanning portfast
%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION

You would think that might discourage anyone thinking of connecting a switch to a Portfast-enabled port, but someone just might try it, and doing so creates the possibility of a switching loop. Enabling BPDU Guard on a port will result in that port going into error disabled state (“errdisabled state”) when any BPDU is received, superior or inferior.

SW3(config)#int fast 0/4
SW3(config-if)#spanning ?
  bpdufilter     Don’t send or receive BPDUs on this interface
  bpduguard      Don’t accept BPDUs on this interface
  cost           Change an interface’s spanning tree port path cost
  guard          Change an interface’s spanning tree guard mode
  link-type      Specify a link type for spanning tree protocol use
  mst            Multiple spanning tree
  port-priority  Change an interface’s spanning tree port priority
  portfast       Enable an interface to move directly to forwarding on link up
  stack-port     Enable stack port
  vlan           VLAN Switch Spanning Tree

Note that the command requires you to specify “enable” or “disable” – “spanning bpduguard” is not a legal command on its own.

SW3(config-if)#spanning bpduguard ?
  disable  Disable BPDU guard for this interface
  enable   Enable BPDU guard for this interface

SW3(config-if)#spanning bpduguard enable
SW3(config-if)#no shut
%LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to up
%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/4 with BPDU Guard enabled. Disabling port.
%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/4, putting Fa0/4 in errdisable state
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to down

The interface came up physically and logically, but the first BPDU that came in resulted in the port being disabled by BPDU Guard.

SW3#show int fast 0/4
FastEthernet0/4 is down, line protocol is down (err-disabled)

An error-disabled port must be cleared manually. Once those BPDUs stop coming, you’ll need to do a shut/no shut to reset the port.

You’re not required to run BPDU Guard on a Portfast-enabled port, but it’s a good idea! It’s such a good idea that you can globally enable BPDU Guard on all Portfast-enabled ports via spanning portfast bpduguard default.

SW3(config)#spanning portfast bpduguard ?
  default  Enable bpdu guard by default on all portfast ports

If you’re not using that method of enabling BPDU Guard, remember that it’s off by default and is enabled / disabled with spanning-tree bpduguard at the interface level, regardless of Portfast:

SW3(config)#int fast 0/4
SW3(config-if)#spanning bpduguard ?
  disable  Disable BPDU guard for this interface
  enable   Enable BPDU guard for this interface

BPDU Filtering

We have a similar but not identical service at our disposal to stop unwanted BPDUs. BPDU Filtering stops all BPDUs from leaving or being accepted on a Portfast-enabled port. To enable this feature globally on all your Portfast-enabled ports:

SW3(config)#spanning-tree portfast ?
  bpdufilter  Enable portfast bpdu filter on this switch
  bpduguard   Enable portfast bpdu guard on this switch
  default     Enable portfast by default on all access ports

SW3(config)#spanning-tree portfast bpdufilter ?
  default  Enable bpdu filter by default on all portfast ports

SW3(config)#spanning-tree portfast bpdufilter default

To enable and disable this feature at the port level, use spanning-tree bpdufilter:

SW3(config-if)#spanning bpdufilter ?
  disable  Disable BPDU filtering for this interface
  enable   Enable BPDU filtering for this interface
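When BPDU Guard or Root Guard fires, the only record you may have is the console log shown above, and an err-disabled port stays down until someone clears it. The following Python script is an added example (not from the study guide) that scans a syslog capture for those messages and reports which ports are err-disabled, and why, and which ports Root Guard is still holding root-inconsistent. The log lines are constructed here, modelled on the messages in the text; the %SPANTREE-2-ROOTGUARD_BLOCK message is the counterpart of the UNBLOCK message shown above and is assumed to use the same wording.

```python
import re

# Constructed sample console log, modelled on the Root Guard and BPDU Guard
# messages in the text above (not captured from a real switch).
SAMPLE_LOG = """\
%SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/4 on VLAN0001.
%SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/4 on VLAN0001.
%LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to up
%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/4 with BPDU Guard enabled. Disabling port.
%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/4, putting Fa0/4 in errdisable state
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to down
%SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/2 on VLAN0001.
"""

ERR_DISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: (?P<reason>\S+) error detected on (?P<port>\S+),")
# "blocking" and "unblocking" are both matched by \w+.
ROOTGUARD_RE = re.compile(
    r"%SPANTREE-2-ROOTGUARD_(?P<action>BLOCK|UNBLOCK): Root guard \w+ port "
    r"(?P<port>\S+) on (?P<vlan>VLAN\d+)")

_IF_ABBREV = {"FastEthernet": "Fa", "GigabitEthernet": "Gi",
              "TenGigabitEthernet": "Te", "Port-channel": "Po"}


def normalize_port(name: str) -> str:
    """Fold long interface names to the short form, so that 'FastEthernet0/4'
    (LINK messages) and 'Fa0/4' (PM messages) refer to the same port."""
    for long_name, short in _IF_ABBREV.items():
        if name.startswith(long_name):
            return short + name[len(long_name):]
    return name


def errdisabled_ports(log_text: str) -> dict:
    """Map each err-disabled port to the reason IOS reported (e.g. 'bpduguard').
    Nothing in the log un-lists a port: as the text says, an err-disabled port
    has to be cleared manually."""
    found = {}
    for line in log_text.splitlines():
        m = ERR_DISABLE_RE.search(line)
        if m:
            found[normalize_port(m.group("port"))] = m.group("reason")
    return found


def root_inconsistent_ports(log_text: str) -> list:
    """(port, vlan) pairs Root Guard is still holding root-inconsistent:
    a BLOCK adds the pair, the matching UNBLOCK removes it."""
    state = {}
    for line in log_text.splitlines():
        m = ROOTGUARD_RE.search(line)
        if not m:
            continue
        key = (normalize_port(m.group("port")), m.group("vlan"))
        if m.group("action") == "BLOCK":
            state[key] = True
        else:
            state.pop(key, None)
    return sorted(state)


if __name__ == "__main__":
    print("err-disabled ports:", errdisabled_ports(SAMPLE_LOG))
    print("root-inconsistent ports:", root_inconsistent_ports(SAMPLE_LOG))
```

On the sample log, Fa0/4 is reported as err-disabled for reason bpduguard (its earlier Root Guard block was lifted by the UNBLOCK line), while Fa0/2 is still root-inconsistent on VLAN0001 because no UNBLOCK followed its BLOCK.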

To verify this and several other features we’ve seen (and will see!), along with gathering other important info, run show spanning summary.

SW3#show spanning summary
Switch is in pvst mode
Root bridge for: none
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is enabled
Portfast BPDU Filter Default is enabled
Loopguard Default            is disabled
EtherChannel misconfig guard is enabled
UplinkFast                   is disabled
BackboneFast                 is enabled

You can also verify a port’s individual BPDU Filter settings with show spanning interface detail.

SW1#show spanning int fast 0/3 detail
Port 3 (FastEthernet0/3) of VLAN0003 is forwarding
  Port path cost 100, Port priority 128, Port Identifier 128.3
  Designated root has priority 32771, address 000f.90e2.2540
  Designated bridge has priority 32771, address 000f.90e2.2540
  Designated port id is 128.3, designated path cost 0
  Timers: message age 0, forward delay 0, hold 0
  Number of transitions to forwarding state: 1
  The port is in the portfast mode
  Link type is shared by default
  Bpdu filter is enabled
  BPDU: sent 23, received 0

With all this talk of blocking BPDUs, we better ensure we get the ones we need!

Loop Guard

With our three-switch network back at its defaults, we know SW1 is originating Config BPDUs and sending them to both SW2 and SW3, and the non-root switches are forwarding BPDUs to each other (hence the two-headed arrow). If the direct link between SW2 and SW3 goes unidirectional, we have a problem. What if SW3 can send BPDUs to SW2, but not vice versa? SW3 will wait the duration of the MaxAge timer and then begin to transition the port on that link from blocking to forwarding. When all six ports hit forwarding mode, we have a switching loop.

Loop Guard doesn’t allow that port on SW3 to go from blocking to forwarding. Instead, the port no longer receiving the BPDUs will go from blocking to loop-inconsistent, which acts a lot like blocking mode. A switching loop is prevented, and once the cable is repaired and the BPDUs begin flowing from SW2 to SW3 again, the port will come back up on its own.

To enable Loop Guard globally, run spanning-tree loopguard default.

SW1(config)#spanning-tree loopguard ?
  default  Enable loopguard by default on all ports

SW1(config)#spanning-tree loopguard default

To enable Loop Guard on a per-port basis, run spanning-tree guard loop.

SW1(config)#int fast 0/2
SW1(config-if)#spanning-tree guard ?
  loop  Set guard mode to loop guard on interface
  none  Set guard mode to none
  root  Set guard mode to root guard on interface

SW1(config-if)#spanning-tree guard loop

To disable Loop Guard at the port level, run no spanning-tree guard loop.

SW1(config-if)#no spanning-tree guard loop

Dept. Of Oddities: Loop Guard is enabled globally or on a per-port basis, but it operates on a per-VLAN basis. If a trunk is carrying traffic for VLANs 10, 20, and 30, and BPDUs stop coming in for VLAN 10, the port will go port-inconsistent for VLAN 10 only. The port will continue to operate normally for VLANs 20 and 30.

Detecting Unidirectional Links With UDLD

BPDUs may not arrive at their destination due to a unidirectional link where SW1 can send to SW2, but SW2 can’t send a BPDU back over the same connection.

UDLD’s basic operation is simple. A UDLD-enabled port sends a UDLD frame across the link every 15 seconds, and then the recipient sends it right back with info on the port that received the message. The sent UDLD message lets the recipient know which port sent the message. If something comes back, we have a bidirectional link and all is well. If nothing comes back, we have a unidirectional link.

UDLD can be enabled and disabled on a global and per-port basis. For global enabling and disabling, use udld followed by the mode you want.

SW1(config)#udld ?
  aggressive  Enable UDLD protocol in aggressive mode on fiber ports except where locally configured
  enable      Enable UDLD protocol on fiber ports except where locally configured
  message     Set UDLD message parameters

Use the same command at the interface level.

When UDLD runs in Normal mode, which doesn’t shut the port down under any circumstances, it gives us a syslog message to let us know about the problem. Run UDLD in aggressive mode, and the results are much more… aggressive! The port will be put into err-disabled state after eight sent UDLD messages result in zero UDLD frames from the remote switch.

We call this mode “aggressive” for two reasons. First, as opposed to Normal mode, the port is shut down after eight missed messages. Second, a UDLD message is sent every second once a possible unidirectional link is detected. If you don’t specify aggressive mode, the port defaults to normal mode.
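The two UDLD modes are easy to confuse, and the point the text goes on to make (a port whose neighbor has never echoed does not start the aggressive countdown) is the one that trips people up during configuration. Here is an added Python model of the port behaviour exactly as this section describes it; it is illustration code, not anything from the study guide or from IOS. The 15-second hello, the 1-second probe and the eight-miss limit are the values given in the text; the class and function names are my own.

```python
from dataclasses import dataclass, field

# Values as described in the text: probes every 15 s on a healthy link,
# every 1 s once a problem is suspected (aggressive mode), and err-disable
# after eight unanswered probes (aggressive mode only).
HELLO_INTERVAL = 15
PROBE_INTERVAL = 1
MISS_LIMIT = 8


@dataclass
class UdldPort:
    mode: str                    # "normal" or "aggressive"
    neighbor_seen: bool = False  # has the far end ever echoed one of our frames?
    misses: int = 0              # consecutive probes without an echo
    state: str = "up"            # "up" or "err-disabled"
    events: list = field(default_factory=list)

    def probe_interval(self) -> int:
        """Aggressive mode drops to 1-second probes only while a link that
        was bidirectional stops answering; otherwise the 15-second hello runs."""
        if self.mode == "aggressive" and self.neighbor_seen and self.misses:
            return PROBE_INTERVAL
        return HELLO_INTERVAL

    def on_probe(self, echo_received: bool) -> str:
        """Advance the port by one probe interval and return its state."""
        if self.state == "err-disabled":
            return self.state
        if echo_received:
            self.neighbor_seen = True
            self.misses = 0
            return self.state
        if not self.neighbor_seen:
            # The far end has never answered, so it may simply not run UDLD yet.
            # No countdown starts: this is why the first endpoint you configure
            # does not shut itself down while you are configuring the second.
            return self.state
        self.misses += 1
        if self.misses == MISS_LIMIT:
            if self.mode == "aggressive":
                self.state = "err-disabled"
                self.events.append("aggressive: 8 probes unanswered, port err-disabled")
            else:
                # Normal mode never shuts the port; it only reports the problem.
                self.events.append("normal: unidirectional link suspected (syslog only)")
        return self.state


def simulate(mode: str, echoes: list) -> tuple:
    """Feed a sequence of echo / no-echo outcomes to a fresh port.
    Returns (final_state, events)."""
    port = UdldPort(mode)
    for echo in echoes:
        port.on_probe(echo)
    return port.state, port.events


if __name__ == "__main__":
    print("never answered  :", simulate("aggressive", [False] * 20))
    print("answered, then 8 misses (aggressive):", simulate("aggressive", [True] + [False] * 8))
    print("answered, then 8 misses (normal)    :", simulate("normal", [True] + [False] * 8))
```

Run stand-alone, the first case stays up with no events, the second ends err-disabled, and the third stays up with a single syslog-style event, which is the behaviour the paragraphs above describe.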

SW2(config-if)#udld ?
  port  Enable UDLD protocol on this interface despite global UDLD setting

SW2(config-if)#udld port ?
  aggressive  Enable UDLD protocol in aggressive mode on this interface despite global UDLD setting
  disable     Disable UDLD protocol on this interface despite global UDLD setting
  <cr>

Problem is, if aggressive mode shuts a port down after failing to receive an echo reply to eight consecutive UDLD frames going out once per second, won’t the second port you configure always shut down before you finish the config?

Actually, no. For UDLD to be effective, it must be enabled on both endpoints. When UDLD’s aggressive mode is configured on the first endpoint, that port will indeed start sending UDLD frames every 15 seconds. The absence of a UDLD echo from the remote endpoint doesn’t trigger the aggressive 8-second countdown to shutting the port down. Before that can happen, the remote switch has to answer back with a UDLD echo, letting the local switch know that the remote switch is indeed running UDLD. Once SW1 has received an echo reply from SW2, the eight-second countdown will begin if SW1 stops getting UDLD replies from SW2.

Rapid Spanning-Tree Protocol

STP is fantastic at what it does – we’d just like it to get done a little faster. The overall 30-second delay built into STP convergence via the listening and learning states was once considered an acceptable delay, and still is in many networks. However, not in all of them, and that’s why the Rapid Spanning Tree Protocol (RSTP) was developed! RSTP makes things just a bit more… rapid. RSTP is defined by IEEE 802.1w, and it’s considered an extension of 802.1d.

The overall concept of the root bridge is still present in RSTP. The root port concept stays the same as we move from STP to RSTP, but the port roles themselves are different. Let’s take a look at the RSTP roles in this network, where SW1 is the root. Note SW3 has multiple connections to the Ethernet segment.

Non-root switches select a root port, that port being the one with the lowest root path cost. Root and designated ports have already been selected. SW2 and SW3

have both selected their root ports.

As with our STP example, a designated port must be elected on the segment connecting SW2 and SW3, and we’ll assume that to be one of the two ports SW3 has connected to that segment. As you’d expect, the DP will be the port with the lowest root path cost of all the ports on that segment.

Here come the differences! RSTP has alternate ports rather than blocked ports. SW2’s port on the shared segment is an alternate port (ALT) – but what of the remaining port on SW3? That port becomes the backup port for that segment. The “alternate” refers to the port having an alternate path to the root switch than the actual root port does. This port gives SW3 a redundant path on that segment without guaranteeing that the root switch will still be accessible. RSTP-enabled root bridges will not have blocked ports, but rather designated ports.

There are slight and important differences between STP and RSTP port states as well. STP ports disabled, blocking, and listening are combined into the RSTP state discarding, the initial RSTP port state, where incoming frames are discarded. RSTP ports transition from discarding to learning, where incoming frames are still discarded but the MAC addresses are being learned by the switch. Finally, the RSTP port transitions to the forwarding state, the equivalent of STP’s forwarding state. A quick comparison:

STP: disabled > blocking > listening > learning > forwarding
RSTP: discarding > learning > forwarding

In addition to the familiar root port concept, RSTP brings with it two unique port types, edge ports and point-to-point ports.

An edge port is simply a port on the edge of the network, likely connected to a single host such as an end user’s PC. RSTP edge ports are simply PortFast-enabled ports, actually. To configure a port as an RSTP edge port, just run the familiar spanning-tree portfast command. Edge ports play a huge part in RSTP’s determination of when a topology change has taken place, since RSTP considers a topology change to have taken place when a port moves into forwarding mode – unless that port is an edge port. Well, since only a single host will be connected to that particular port, RSTP does not consider that a change in the network. That’s hardly an earth-shattering change to our network, so RSTP doesn’t bother alerting the rest of the network about it. (More on that very soon.) If a BPDU comes in on an RSTP edge port, it’s “demoted” to a regular RSTP port and then generates a TCN BPDU.

A point-to-point port is any port running in full-duplex mode, so they can go straight from discarding to forwarding. (Any ports running half-duplex are considered shared ports and must run STP rather than RSTP.)

Another major difference between STP and RSTP is the way BPDUs are generated. With STP, the root bridge generates and transmits BPDUs every two seconds, and the nonroot bridges read ’em and relay ’em. RSTP-enabled switches generate a BPDU every two seconds, regardless of whether they’ve received a BPDU from the root in that period of time. (This hello time interval is the same in both STP and RSTP.)

This slight change in operation from STP to RSTP allows all switches to have a role in detecting link failures, and the discovery of those failures is faster. How? When a switch running STP misses a BPDU, the MaxAge timer kicks in. That timer dictates how long the switch will retain the contents of the last superior BPDU it received before it ages out and the STP recalculation process begins. We know the MaxAge default – 20 seconds!

Compare that to the RSTP process, where the superior BPDU is aged out when three Hello Time intervals pass without it being refreshed! Every switch expects to see a BPDU from its neighbor every two seconds, and if three BPDUs are missed, the link is considered down. The switch then immediately ages out all information concerning the port that was receiving the BPDUs. This change cuts the error detection process from 20 seconds in STP to 6 seconds in RSTP.

When a non-edge port moves into forwarding mode, that’s when RSTP does bother letting the rest of the network know! RSTP does so by sending BPDUs out all non-edge designated ports, and naturally the TC bit is set on those BPDUs. Switches that receive those BPDUs will remove all entries from their MAC tables except for the port the BPDU rode in on. In turn, those switches send BPDUs with the TC bit set out their non-edge DPs, and that continues until the entire network’s been notified of the change – a “ripple effect”, if you will.

RSTP Synchronization

The RSTP synch process is a simple series of handshakes between switches, carried out until all switches in the network are – wait for it – synchronized! Let’s walk through the process with this three-switch network. We see a PC off one of SW2’s ports, so that’s an edge port.

SW2 realizes SW1 is the root, and as we’d expect, would like to agree to the proposal. But not so fast, my friend! First, SW2 has to synch itself, and in order for SW2 to consider itself synched, all ports on SW2 must either be discarding or an edge port. At that point, SW2 will of course move its root port into forwarding, but now SW2 must place the port leading to SW3 into discarding mode. SW2 will reply to the proposal with an agreement and will send a proposal of its own out any non-edge port that was just placed into discarding state. There’s a lot going on here – and it goes on quickly!

SW2 is agreeing with SW1 while almost simultaneously sending a proposal to SW3 (and any other downstream switches it’s connected to). In turn, SW3 goes through the same process we saw SW2 go through – SW3 would accept that proposal from SW2 while sending proposals of its own. The ripple effect is powerful in RSTP synchronization. This ripple effect fans throughout the entire network until all switches are synched.

The Question Haunting Networks Everywhere

Does RSTP play well with STP? Pretty well, actually! If a switch is running RSTP and needs to communicate with switches using both STP and RSTP, it’s the version number in the BPDU that tells the switch how to handle things.

In our lab, SW3 is running RSTP after being configured with the spanning-tree mode rapid-pvst command, verified with show spanning vlan.

SW3(config)#spanning mode ?
  mst         Multiple spanning tree mode
  pvst        Per-Vlan spanning tree mode
  rapid-pvst  Per-Vlan rapid spanning tree mode

SW3(config)#spanning mode rapid-pvst ?
  <cr>

SW3(config)#spanning mode rapid-pvst

SW3#show spanning vlan 1
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    4097
             Address     000f.90eb.d480
             Cost        19
             Port        6 (FastEthernet0/4)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     001c.0fbf.2f00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/4               Root FWD 19        128.6    P2p
Fa0/11              Desg FWD 19        128.13   P2p Peer(STP)
Fa0/12              Desg FWD 19        128.14   P2p Peer(STP)

Note the output under “Type”. The link via Fast0/4 is to SW4, a switch running RSTP. This is a full-duplex point-to-point link, and when there’s no additional info after “P2p”, the link is to an RSTP-enabled switch. When you see “Peer (STP)” as we do for the Fast0/11 and Fast0/12 links, you know those connections are to switches running STP.

It’s a rare occasion indeed when you need to manually change the link type on an interface, but if you do, just use spanning link-type.

SW3(config-if)#spanning-tree link-type ?
  point-to-point  Consider the interface as point-to-point
  shared          Consider the interface as shared

Per-VLAN Spanning Tree Versions (PVST and PVST+)

The ultimate “the name is the recipe” protocol, the Cisco-proprietary PVST runs a separate instance of STP for each VLAN.

The Good: PVST does allow for much better fine-tuning of spanning tree performance than regular ol’ STP does. With PVST+, we can configure per-VLAN load balancing as we did in an earlier lab.

The Bad: Running PVST does mean extra work for your CPU and memory. As we know though, everything we do on a Cisco switch has a cost in terms of CPU and/or time.

The Ugly: PVST requires ISL trunking. PVST doesn’t play well with Common Spanning Tree (more on that in a moment), so Cisco came up with PVST+, which has the same functionality as PVST while having the capability to run over ISL or dot1q trunks. More on that in just a minute. And speaking of CST…

Common Spanning Tree and Multiple Spanning Tree

When our pal IEEE 802.1q (“dot1q”) is the trunking protocol, the trunk is using a common instance of STP for all VLANs – hence the name, “Common Spanning Tree”. We can’t perform any per-VLAN load balancing, since that requires multiple instances of STP!

Let’s say we have traffic for 750 VLANs coming in, and three switches that can handle some or all of that traffic. With CST’s one STP instance, one switch ends up handling all the traffic. With PVST+, if we have 750 VLANs, we have 750 instances of STP running. MST gives us a great middle ground, where we can map VLANs to instances of STP, rather than having an instance for every VLAN. MST allows us to reduce the number of STP instances without knocking it all the way back to one, so we could spread the workload around a bit.

Defined by IEEE 802.1s, MST earns its name from a scheme that allows multiple VLANs to be mapped to a single instance of STP. No matter the size of the network, the purpose of MST is to map multiple VLANs to a lesser number of STP instances. MST serves as a middle ground between CST (one STP instance) and PVST (one STP instance per VLAN).

MST was designed with enterprise networks in mind. While it can be useful in the right environment, it’s not for every network. MST configs can become quite complex and a great deal of planning is recommended before you even start a config.

MST configuration involves logically dividing the switches into regions, and the switches in any given region must agree on the MST config name, the config revision number, and the MST-instance / VLAN-mapping table. Switches that disagree on any of these values are in different regions, and MST BPDUs are used to exchange values between switches. The MST BPDUs contain the MST config name, the MST configuration revision number, and a digest value derived from the mapping table.

A good way to get a mental picture of MST – CST interoperability is that CST will cover the entire network, and MST is a “subset” of the network. CST is going to maintain a loop-free network only with the links connecting the MST network subsets. MST’s job is to keep a loop-free topology in the MST region itself. CST doesn’t know what’s going on inside the regions, nor does it want to know.

The “IST” in each region stands for Internal Spanning Tree, and it’s the IST instance that is responsible for keeping communications in the MST regions loop-free, and only the IST is going to send MST BPDUs.

Up to 16 MST instances (MSTIs) can exist in a region, numbered 0 – 15. MSTI Zero is reserved for the IST instance. On occasion, you’ll see the first ten MST instances referred to as “00” – “09”; those are decimal values, not hexadecimal values.

Enable MST on the switch with spanning-tree mode mst, and follow by dropping into MST configuration mode and naming the region and revision number.

SW3(config)#spanning-tree mode ?
  mst         Multiple spanning tree mode
  pvst        Per-Vlan spanning tree mode
  rapid-pvst  Per-Vlan rapid spanning tree mode

SW3(config)#spanning-tree mode mst
SW3(config)#spanning-tree mst configuration
SW3(config-mst)#?
  abort         Exit region configuration mode, aborting changes
  exit          Exit region configuration mode, applying changes
  instance      Map vlans to an MST instance
  name          Set configuration name
  no            Negate a command or set its defaults
  private-vlan  Set private-vlan synchronization
  revision      Set configuration revision number
  show          Display region configurations

In MST configuration mode, abort exits the mode while not saving the changes. exit exits the mode and does save your changes.

SW3(config-mst)#name CCNP
SW3(config-mst)#revision ?
  <0-65535>  Configuration revision number

SW3(config-mst)#revision 1
SW3(config-mst)#instance ?
  <0-4094>  MST instance id

SW3(config-mst)#instance 1 ?
  vlan  Range of vlans to add to the instance mapping

SW3(config-mst)#instance 1 vlan ?
  LINE  vlan range ex: 1-65, 72, 300-200

SW3(config-mst)#instance 1 vlan 1-250

Verify with show pending. This is an MST configuration mode command.

SW3(config-mst)#show pending
Pending MST configuration
Name      [CCNP]
Revision  1
Instances configured 2
Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         251-4094
1         1-250

By default, VLANs not manually assigned to an instance are mapped to Instance Zero. What’s not to love?

Time to go from spanning to channeling!

Chapter 7: ETHERCHANNELS

An Etherchannel is a logical bundling of two to eight parallel trunks running between two switches. This bundling of Fast Ethernet, Gig Ethernet, or even 10 Gig Ethernet ports is aggregation, and we love aggregation! We use more of our available bandwidth and we avoid some of that 50-second delay that comes with the MaxAge and Forward Delay timers. (To avoid aggravation, ports placed inside an EC should be running at the same speed and have the same duplex settings.)

STP considers an Etherchannel to be a single link, regardless of how many physical links actually make up the Etherchannel. If one or more of the physical links in the Etherchannel go down, STP will give the link a higher cost due to the lost bandwidth, but the link is still considered up. That prevents the delay of bringing another link up!

In our lab, there are four FastEthernet trunks between SW2 and SW3.

SW2#show spanning vlan 1

Interface           Role Sts Cost
------------------- ---- --- ---------
Fa0/21              Desg FWD 19
Fa0/22              Desg FWD 19
Fa0/23              Desg FWD 19
Fa0/24              Desg FWD 19

Let’s check out STP on SW3.

SW3#show spanning vlan 1

Interface           Role Sts Cost
------------------- ---- --- ---------
Fa0/21              Root FWD 19
Fa0/22              Altn BLK 19
Fa0/23              Altn BLK 19
Fa0/24              Altn BLK 19

As it stands, STP allows us to use only one of the trunks. If 0/21 goes down on SW3, 0/22 will begin the transition from blocking to forwarding. In the meantime, communication between the two switches is lost.

This temporary lack of a forwarding port can be avoided with an Etherchannel. By combining the physical ports into a single logical link, not only is the bandwidth of the links combined, but the failure of a link inside an Etherchannel will not force STP to start bringing another port from blocking to forwarding.

Let’s put 0/21, 0/22, and 0/23 on both switches into an Etherchannel with the channel-group command. We’ll leave 0/24 alone for now. (The channel group number does not have to match between switches.) I’ll use interface range to make things a little quicker.

SW2(config-if-range)#channel-group 1 ?
  mode  Etherchannel Mode of the interface

SW2(config-if-range)#channel-group 1 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected

SW2(config-if-range)#channel-group 1 mode on
%LINK-3-UPDOWN: Interface Port-channel1, changed state to up

SW3(config)#int range fast 0/21 - 23
SW3(config-if-range)#channel-group 5 mode on
%LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel5, changed state to up

The interfaces mentioned in the console messages, port-channel1 and port-channel5, are the logical representations of the Etherchannels on the respective switches.

SW3#show spanning vlan 1

Interface           Role Sts Cost
------------------- ---- --- ---------
Fa0/24              Altn BLK 19
Po5                 Root FWD 9

Things have changed! The Etherchannel (Po5, short for port-channel 5) is now the connection in use. The path cost for that port is 9, less than half that of a single FastEthernet port! SW2 shows the same path cost result.

SW2#show spanning vlan 1

Interface           Role Sts Cost
------------------- ---- --- ---------
Fa0/24              Desg FWD 19
Po1                 Desg FWD 9

Let’s see what happens when one of the links inside the Etherchannel fails. We’ll shut down 0/21 on SW3 and then verify the changes.

SW3(config)#int fast 0/21
SW3(config-if)#shut

SW3#show spanning vlan 1

Interface           Role Sts Cost
------------------- ---- --- ---------
Fa0/24              Altn BLK 19
Po5                 Root FWD 12

SW2#show spanning vlan 1

Interface           Role Sts Cost
------------------- ---- --- ---------
Fa0/24              Desg FWD 19
Po1                 Desg FWD 12

Thanks to our Etherchannel, STP didn’t have to go to the trouble of opening 0/24. The down link in the Etherchannel was detected by STP, and the port’s path cost increased, but the Etherchannel remained in forwarding mode and 0/24 stays blocked!

Negotiating An Etherchannel

The industry standard EC negotiation protocol is the Link Aggregation Control Protocol (LACP) and the Cisco-proprietary EC negotiation protocol is the Port Aggregation Protocol (PAgP).

Defined in 802.3ad (the IEEE standard, not the year), LACP assigns a priority value to each port with Etherchannel capability. You can assign up to 16 ports to an LACP-negotiated Etherchannel, but only the eight ports with the lowest port priority will actually be part of the EC. The remaining ports will be bundled only if one or more of the already-bundled ports fails.

PAgP and LACP use different terminology to express the same modes. (Surprise!) We actually saw those in the channel-group command:

SW3(config)#int fast 0/24
SW3(config-if)#channel-group 5 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected

With PAgP, a port in desirable mode will initiate bundling with a remote port, while a port in auto mode waits for the port on the other end of the trunk to start the process. If the ports at each endpoint are in auto, you know you’ll be waiting a long time. (Forever, actually.)

I hate typing “PAgP”, and with good reason, but I love how the protocol dynamically changes all of the other ports in an EC when you change a property of one of them statically (speed, duplex, etc.).

With LACP, a port in active mode initiates bundling and passive ports are just that! If the ports at each endpoint are passive, an EC will never form.

After re-opening 0/21 on SW3, I’ll put all available trunks into a PAgP Etherchannel, verifying with show pagp neighbor.

SW2(config)#int range fast 0/21 - 24
SW2(config-if-range)#channel-group 1 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected

SW2(config-if-range)#channel-group 1 mode desir

SW3(config)#int range fast 0/21 - 24
SW3(config-if-range)#channel-group 5 mode desir

SW3#show pagp neighbor
Flags:  S - Device is sending Slow hello.  C - Device is in Consistent state.
        A - Device is in Auto mode.        P - Device learns on physical port.

Channel group 5 neighbors
          Partner              Partner          Partner         Partner Group
Port      Name                 Device ID        Port       Age  Flags   Cap.
Fa0/21    SW2                  0017.9466.f780   Fa0/21      14s SC      10001
Fa0/22    SW2                  0017.9466.f780   Fa0/22       2s SC      10001
Fa0/23    SW2                  0017.9466.f780   Fa0/23       5s SC      10001
Fa0/24    SW2                  0017.9466.f780   Fa0/24      11s SC      10001

We’re not going to get into every field of this output, but I’m sure you can see that having a command that gives you the name, device ID, and port of the partner in the group can be very helpful for verification and/or troubleshooting.

After removing the PAgP EC, I created one with LACP, verified with show lacp neighbor.

SW2(config)#int range fast 0/21 - 24
SW2(config-if-range)#channel-group 1 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected

SW2(config-if-range)#channel-group 1 mode active

SW3(config)#int range fast 0/21 - 24
SW3(config-if-range)#channel-group 5 mode active

SW3#show lacp neighbor
Flags:  S - Device is requesting Slow LACPDUs
        F - Device is requesting Fast LACPDUs
        A - Device is in Active mode       P - Device is in Passive mode

Channel group 5 neighbors

Partner’s information:

                  LACP port                        Admin  Oper   Port    Port
Port      Flags   Priority  Dev ID          Age    key    Key    Number  State
Fa0/21    SA      32768     0017.9466.f780   23s   0x0    0x1    0x118   0x3D
Fa0/22    SA      32768     0017.9466.f780   21s   0x0    0x1    0x119   0x3D
Fa0/23    SA      32768     0017.9466.f780   20s   0x0    0x1    0x11A   0x3D
Fa0/24    SA      32768     0017.9466.f780   19s   0x0    0x1    0x11B   0x3D

The output is different, but matching up the Device ID and port information can be very helpful in troubleshooting.

How about show etherchannel summary?

SW3#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
5      Po5(SU)         LACP      Fa0/21(P)   Fa0/22(P)   Fa0/23(P)   Fa0/24(P)

That’s more like it! All four ports are marked with the “P” flag, meaning they’re part of a port-channel. Note the flags next to Po5, “SU”. The “U” indicates the channel is in use (good) and the “S” means it’s a Layer 2 EC (hmmm, more on that later!).

I’ve also used show etherchannel brief in troubleshooting, but last time I tried…

SW3#show etherchannel brief
% Command accepted but obsolete, unreleased or unsupported; see documentation.
Channel-group listing:
-----------------------
Group: 5
----------
Group state = L2
Ports: 4   Maxports = 16
Port-channels: 1 Max Port-channels = 16
Protocol:   LACP
Minimum Links: 0

How The Link Is Chosen For A Particular Traffic Flow

Etherchannels give us load balancing, but not pure load balancing. In our lab, we have four parallel links in the EC, but that doesn’t mean each link is carrying 25% of the load. Basically, a Cisco-proprietary hash algorithm is run that will deliver a value of 0 – 7, and those values are assigned to links in the EC. It’s these values that are used to determine which link will handle which traffic flow. (We’re dealing with per-flow balancing here, not per-packet or per-frame.) That algorithm can use any of the following:

Source IP address
Destination IP address

Both source and destination IP address
Both source and destination MAC address
TCP / UDP port numbers

The switch may use the hash of the last low-order bits to choose the link that will carry the traffic flow, or it may get the exclusive-OR operation ("XOR") involved. For every method involving only one value, the hash of the bits reveals the port that will handle traffic for that particular flow. The only time the XOR operation is used is when one of the combination load-balancing methods is used – the source and destination IP address, source and destination port number, or the source and destination MAC address.

The XOR operation's name might look scary, but it's one of the easiest math operations you'll ever carry out. It's a bit-by-bit comparison, with only two possible answers, "1" and "0":

If the compared bits are the same, the result is 0.
If the compared bits are different, the result is 1.

That's it! The number of bits needed for the XOR depends on how many links we have in the EC:

Number of links in EC   # of lowest-order bits to XOR   Possible results
2                       1                               0, 1
4                       2                               0, 1, 2, 3
8                       3                               0, 1, 2, 3, 4, 5, 6, 7

Using our four-link EC, let's figure out which link traffic sourced from 179.38.47.11 and destined for 210.39.49.22 would use. With our four-path EC, we need the last two bits of each address for our XOR. (If you want to break down the entire address for practice (ahem), that's a great idea, but with a 4-link EC we only need the last two bits.) The last octet of each address, with the two lowest-order bits highlighted:

11 = 00001011
22 = 00010110

We perform the XOR on a bit-by-bit basis, from left to right, so we'll first XOR the 7th bit of each octet, 1 and 1. That gives us a "0" for the first bit of the XOR result. When we XOR the 8th bit of each octet, "1" and "0", the return is a "1" for the XOR's second and final bit. "01" converts to the decimal 1, so the switch will use the port assigned value "01" to send the data.

Let's walk through another example, using a source IP address of 179.38.47.11 and a destination of 190.39.49.15.

11 = 00001011
15 = 00001111

Since both bits in the 7th position and both bits in the 8th position match up, we know our XOR return is "00", resulting in the link assigned value 0 as the winner! (You get the point.)

To change the load-balancing method for your switch, use port-channel load-balance and verify with show etherchannel load-balance. This is a global command – you can't change the load balancing method on a per-port or per-EC basis. The "XOR" choices balance on source and destination IP or source and destination MAC.

SW3(config)#port-channel load-balance ?
  dst-ip       Dst IP Addr
  dst-mac      Dst Mac Addr
  src-dst-ip   Src XOR Dst IP Addr
  src-dst-mac  Src XOR Dst Mac Addr
  src-ip       Src IP Addr
  src-mac      Src Mac Addr

SW3#show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
        dst-ip

EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Destination MAC address
  IPv4: Destination IP address
  IPv6: Destination IP address

Remember This?

In the midst of all the loop guarding and MSTing and BackboneFasting we did earlier was a little something about ECs. To prevent the creation of a switching loop due to EC misconfiguration, run spanning etherchannel guard misconfig. As a result, ports will be placed into err-disabled state if a condition exists that might result in a switching loop. Let's use IOS Help to flesh this out.

SW2(config)#spanning ?
  backbonefast  Enable BackboneFast Feature
  etherchannel  Spanning tree etherchannel specific configuration
  extend        Spanning Tree 802.1t extensions
  logging       Enable Spanning tree logging
  loopguard     Spanning tree loopguard options
  mode          Spanning tree operating mode
  mst           Multiple spanning tree configuration
  pathcost      Spanning tree pathcost options
  portfast      Spanning tree portfast options
  transmit      STP transmit parameters
  uplinkfast    Enable UplinkFast Feature
  vlan          VLAN Switch Spanning Tree
SW2(config)#spanning etherchannel ?
  guard  Configure guard features for etherchannel
SW2(config)#spanning etherchannel guard ?
  misconfig  Enable guard to protect against etherchannel misconfiguration
SW2(config)#spanning etherchannel guard misconfig ?
  <cr>

EC Troubleshooting Tips

If you use one of the EC negotiation protocols, you really shouldn't run into an issue with a misconfigured EC, since the EC won't be created in the first place if there's a problem. The channel-group "on" option sidesteps negotiation, and you could run into trouble if one side of your links is set up for an EC and the other isn't (I speak from experience).

The allowed range of VLANs on the ports in the EC must match that of the port-channel. Here's what happened after I changed the range of allowed VLANs on all ports in SW3's EC without doing so on the port-channel:

SW3(config-if-range)#switchport trunk allowed vlan 100,20
%EC-5-CANNOT_BUNDLE2: Fa0/22 is not compatible with Po5 and will be suspended (vlan mask is different)
%EC-5-CANNOT_BUNDLE2: Fa0/23 is not compatible with Po5 and will be suspended (vlan mask is different)
%EC-5-CANNOT_BUNDLE2: Fa0/24 is not compatible with Po5 and will be suspended (vlan mask is different)
%EC-5-CANNOT_BUNDLE2: Fa0/23 is not compatible with Po5 and will be suspended (vlan mask is different)

And finally… Ports configured for dynamic VLAN assignment from a VMPS cannot become part of an EC, nor can such a port remain part of an EC if that change occurs after the port is already part of an EC.

Not good! However, once I went to SW2 and ran the same command, the EC came back up.

SW2(config)#int range fast 0/21 - 24
SW2(config-if-range)#switchport trunk allowed vlan 100,20

SW2#show etherchannel summary
(Flags removed)
Number of channel-groups in use: 1
Number of aggregators:           1
Group  Port-channel  Protocol  Ports
------+-------------+---------+-----------------------------------------
1      Po1(SU)       LACP      Fa0/21(P) Fa0/22(P) Fa0/23(P) Fa0/24(P)

Individual ports inside the EC must agree on this value as well. When I changed the allowed VLAN setting for SW2's 0/21, that port immediately unbundled.

SW2(config)#int fast 0/21
SW2(config-if)#switchport trunk allowed vlan 200,300
SW2(config-if)#^Z
SW2#
*Mar 1 01:18:39.472: %EC-5-CANNOT_BUNDLE2: Fa0/21 is not compatible with Fa0/22 and will be suspended (vlan mask is different)
*Mar 1 01:18:39.472: %EC-5-CANNOT_BUNDLE2: Fa0/21 is not compatible with Fa0/22 and will be suspended (vlan mask is different)

This is really true of any port attribute, including speed, duplex, and native VLAN. If you change one of those and the EC comes down, you know what to do – change it back!

A few more notes that can save you CCNP exam points and troubleshooting time…

A SPAN source port can be part of an Etherchannel, but not a SPAN destination port.

Ports in an EC cannot be configured with port security.

Ports in an EC should have the same native VLAN set.

Know your LACP and PAgP modes! The mode doesn't have to match, but you do have to have LACP or PAgP modes on each side. You can't have LACP negotiating one side and PAgP negotiating the other, or you'll never have an EC!

If one end of the EC is running in on mode, the other end has to as well.

While keeping in mind that EC load-balancing methods do not have to match between switches, be sure to choose the load-balancing method that fits your situation. If you have multiple source IP addresses and one destination IP address, there's not much use in using destination IP addresses in your load-balancing methods!

With our trunks neatly bundled, it's time to do a little multilayer switching and work with our First Hop Redundancy Protocols (FHRPs). Let's get started!

Chapter 8: MULTILAYER SWITCHING AND HIGH AVAILABILITY PROTOCOLS

One of the first things you get hit over the head with in your CCNA studies is that a switch runs at Layer 2, a router runs at Layer 3, and never the two shall meet. Let me take this time to "un-hit" you while introducing you to Layer 3 Switches, also known as multilayer switches. Multilayer switches are devices that switch and route packets in the switch hardware itself. If two hosts in separate VLANs are connected to the same multilayer switch, the correct configuration will allow that communication without the data ever leaving the switch.

The CAM And TCAM Tables

The CAM table, also known as the bridging table, the switching table, the MAC address table, and on occasion Content Addressable Memory, is still present in a multilayer switch. The table operates just as an L2 switch's CAM table does. Thing is, we have a lot more going on with our L3 switches, including routing, ACLs, and QoS. A simple CAM table can't handle all of this, so we also have the TCAM table – Ternary Content Addressable Memory. Basically, the TCAM table stores everything the CAM table can't, including info regarding ACLs and QoS.

Multilayer Switching Methods

When it comes to Cisco Catalyst switches, the switch will run the legacy Multilayer Switching (MLS) or the newer Cisco Express Forwarding (CEF).

The first MLS method is route caching. Route caching devices have both a routing processor and a switching engine. The routing processor routes a flow's first packet, the switching engine snoops in on that packet and the destination, and then the switching engine takes over and forwards the rest of the packets in that flow. A flow is a unidirectional stream of packets from a given source to a given destination.

From your CCNA studies, you know that the IP source and destination addresses of a packet do not change as the packet travels the network, but the MAC addresses just might and probably will. With multilayer switching, Application-Specific Integrated Circuits (ASICs) will perform the L2 rewriting operation of these packets. To make this hardware-based packet processing happen, the hardware switching is overseen by a router processor (or "L3 engine"). This processor must download routing information to the hardware itself, and it's the ASICs that perform this L2 address overwriting.

The MLS cache entries support such unidirectional flows, and such packets sent by a given protocol will be part of a single flow. If a source is sending both WWW and TFTP packets to the same destination, we have two flows of traffic.

Route caching can be effective, but there's one slight drawback: the first packet in any flow will be switched by software. Even though all other packets in the flow will be hardware-switched, it is more effective to have all of the packets switched by hardware. That's where CEF comes in.

Primarily designed for backbone switches, this topology-based switching method requires special hardware, so it's not available on all L3 switches. CEF is highly scalable and is also easier on a switch's CPU than route caching. The two major components of CEF are the Forwarding Information Base (FIB) and the Adjacency Table (AT). Summing it up, the FIB contains L3 information and is created via the IP routing table, and the AT contains L2 information and is created via the ARP table.

The FIB is really just the IP routing table in another format. The FIB contains the usual routing information we need – destination networks, masks, next-hop IP addresses, etc. – and CEF will use the FIB to make L3 prefix-based decisions. The FIB's contents will mirror that of the IP routing table.

The FIB takes care of us at L3, but what of L2? That's where the AT comes in. As adjacent hosts are discovered via ARP, that next-hop L2 information is kept in the table for CEF switching. (A host is considered adjacent to another if they're just one hop apart.) Should either the TCAM or AT hit capacity, there is a wildcard entry that redirects traffic to the routing engine.

At this point, the multilayer switch is just about ready to forward the packet. The switch will make the same changes to the packet that a router would, and that includes changing the L2 destination MAC address to the next-hop MAC address. The L2 source address will be the MAC address of the switch interface transmitting the packet.

Enabling CEF is EZ. CEF is on by default on any and all CEF-enabled switches, and you can't turn it off! Since CEF is hardware-based rather than software-based, this is not a situation where running "no cef" at the CLI will disable CEF. There's no such command! IP routing must be on for CEF to run.

With these important nuts and bolts out of the way, let's configure an L3 switch, starting with a Switched Virtual Interface!

Inter-VLAN Routing With An SVI

Multilayer switches allow us to create a logical interface, representing a VLAN, the Switched Virtual Interface (SVI). In this lab, we'll create SVIs that will allow hosts in different IP subnets and different VLANs to communicate without a separate L3 device. The VLAN 1 interface present by default on all L2 switches is an SVI, and it's the only default SVI.

interface Vlan1
 no ip address

We can create an SVI for any VLAN, and creating one is just like creating a loopback interface. Just go into config mode, create the interface, give it an IP address, and you're done.

I'll send pings between the two now, even though we know darn well they can't have a chat… yet.

R1#ping 30.1.1.1
.....
Success rate is 0 percent (0/5)

R3#ping 20.1.1.11
.....
Success rate is 0 percent (0/5)

SW3#show ip route
Default gateway is not set

Host               Gateway           Last Use    Total Uses  Interface
ICMP redirect cache is empty

Doesn't look good! Let's enable IP routing, which is disabled on a multilayer switch by default! The ports have already been placed into their respective VLANs and the ports are access ports. We'll now create two SVIs on the switch, one representing VLAN 11 and the other VLAN 33.

SW3(config)#ip routing
SW3(config)#int vlan 11
SW3(config-if)#ip address 20.1.1.11 255.255.255.0
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan11, changed state to up
SW3(config-if)#int vlan 33
SW3(config-if)#ip address 30.1.1.11 255.255.255.0
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan33, changed state to up

Both SVIs show as up/up immediately after creation on our multilayer switch. We'll verify the status on both with this clipped output from show interface vlan. Note that the hardware is listed as "EtherSVI".

SW3#show int vlan11
Vlan11 is up, line protocol is up
  Hardware is EtherSVI, address is 001c.0fbf.2f41 (bia 001c.0fbf.2f41)
  Internet address is 20.1.1.11/24
SW3#show int vlan 33
Vlan33 is up, line protocol is up
  Hardware is EtherSVI, address is 001c.0fbf.2f42 (bia 001c.0fbf.2f42)
  Internet address is 30.1.1.11/24

Looks good! Let's check those routing tables!

SW3#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       I - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.1.1.0/24 is directly connected, Vlan11
L        20.1.1.11/32 is directly connected, Vlan11

      30.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        30.1.1.0/24 is directly connected, Vlan33
L        30.1.1.11/32 is directly connected, Vlan33

That looks just a bit more like our routing table! When SVIs are in use, the default gateway on the hosts must be the IP address assigned to the SVI that represents that host's VLAN. Since we're using Cisco routers for hosts, we'll use ip route to set the default gateway.

HOST1(config)#ip route 0.0.0.0 0.0.0.0 20.1.1.11
HOST3(config)#ip route 0.0.0.0 0.0.0.0 30.1.1.11

Can they ping? Yes, they can!

HOST1#ping 30.1.1.1
Type escape sequence to abort.
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
HOST3#ping 20.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms

With that default gateway set correctly, the hosts can communicate, and no routing protocol is required in this case.

SVI Success Tips:

1. The hosts must have their default gateway set to the IP address on the SVI representing their VLAN. If you don't get the ping results you expect and your SVIs are up, I can almost guarantee that the hosts have an incorrect default gateway set.

2. One SVI per VLAN and one VLAN per SVI.

3. The only default SVI on the switch is the one for VLAN 1.

4. Have active ports in the VLAN before you create an SVI for that same VLAN. If you create the SVI before doing that, you end up with a sad SVI.

SW3(config)#int vlan 66
SW3(config-if)#ip address 66.1.1.1 255.255.255.0
SW3(config-if)#
*Mar 1 03:14:32.831: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan66, changed state to down
SW3#show int vlan 66
Vlan66 is down, line protocol is down

Routed Ports (Layer 3 Ports)

On L3 switches, we also have the option of configuring a physical port as a routed port. Routed ports do not represent a particular VLAN as an SVI does, but routed ports are physical interfaces and SVIs are logical interfaces. You assign an IP address to a routed port in the same way you would an SVI.

Let's add a router to our network that leads our hosts to the Internet.

Even though IP routing is enabled, the ports on our multilayer switch are still in L2 mode (that's the default for many Cisco multilayer switches). Right now, each host can ping 210.1.1.11, the switch's interface in that subnet, but they can't ping 210.1.1.1, the router's interface.

HOST1#ping 210.1.1.11
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
HOST3#ping 210.1.1.11
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
HOST1#ping 210.1.1.1
.....
Success rate is 0 percent (0/5)
HOST3#ping 210.1.1.1
.....
Success rate is 0 percent (0/5)

To configure a routed port, use no switchport followed by the desired IP address. When the port is converted, the line protocol on the switch port goes down, but comes back up in a few seconds. That's the normal and expected behavior.

SW3(config-if)#no switchport
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to up
SW3(config-if)#ip address 210.1.1.11 255.255.255.0

Verify addressing and status with show interface fast 0/5 and verify L3 status with show interface switchport.

SW3#show int fast 0/5
FastEthernet0/5 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 001c.0fbf.2f44 (bia 001c.0fbf.2f44)
  Internet address is 210.1.1.11/24
SW3#show int fast 0/5 switchport
Name: Fa0/5
Switchport: Disabled (Note: If this is disabled, the port is running at L3.)

The switch can now ping 210.1.1.1, the downstream router. Always a good sign!

SW3#ping 210.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

R1#show ip route
(code table removed for clarity)
Gateway of last resort is not set

      210.1.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        210.1.1.0/24 is directly connected, FastEthernet0/0
L        210.1.1.1/32 is directly connected, FastEthernet0/0

The pings can't find their way back to the hosts because the router has no path to either 20.1.1.0 /24 or 30.1.1.0 /24. To remedy that, we'll configure EIGRP between the multilayer switch and the router. In the following config, the adjacency comes up very quickly:

SW3(config)#router eigrp 100
SW3(config-router)#no auto
SW3(config-router)#network 210.1.1.0 0.0.0.255
SW3(config-router)#network 20.1.1.0 0.0.0.255
SW3(config-router)#network 30.1.1.0 0.0.0.255
%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 210.1.1.1 (FastEthernet0/5) is up: new adjacency

The router now has the VLAN subnets in its routing table…

R1#show ip route
Gateway of last resort is not set

      20.0.0.0/24 is subnetted, 1 subnets
D        20.1.1.0 [90/28416] via 210.1.1.11, 00:01:07, FastEthernet0/0
      30.0.0.0/24 is subnetted, 1 subnets
D        30.1.1.0 [90/28416] via 210.1.1.11, 00:01:00, FastEthernet0/0
      210.1.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        210.1.1.0/24 is directly connected, FastEthernet0/0
L        210.1.1.1/32 is directly connected, FastEthernet0/0

… and the hosts now have two-way connectivity with R1 at 210.1.1.1.

HOST1#ping 210.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
HOST3#ping 210.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

Routed Port Success Checklist (Short, but important)

1. Be sure to enable IP routing with the global ip routing command. It's off by default.

2. Be just as sure to enable your routed port's L3 capabilities with the interface-level no switchport command, and verify with show interface switchport. Need to turn the port's L2 capabilities back on? Just use switchport and you're gold!

We'll wrap this section up with a look at the FIB, now that we have some routes and other info in there! Here's a segment of the FIB from the multilayer switch in our lab.

SW3#show ip cef
Prefix              Next Hop             Interface
0.0.0.0/0           receive
20.1.1.0/32         receive              Vlan11
20.1.1.0/24         attached             Vlan11
20.1.1.1/32         attached             Vlan11
20.1.1.11/32        receive              Vlan11
20.1.1.255/32       receive              Vlan11

Under "Next Hop", receive indicates packets that will be handled by the L3 engine. Those include the broadcasts for the 20.1.1.0 /24 segment ("20.1.1.255/32"). The attached entries include directly connected addresses and subnets.

High Availability Schemes And Redundancy Protocols

Before we hit our First Hop Redundancy Protocols (FHRPs), we're going to take a brief and important look at two redundancy tactics that don't involve a particular protocol.

The Virtual Switching System

With VSS, we're representing a pair of physical switches (the "VSS Pair") as a single logical switch. One switch is the active switch, the other the standby switch. The active switch handles the workload, with the standby ready to step in if the active switch becomes unavailable. Even better, we have the ability to create MultiChassis Etherchannels where ports on the physical switches in the VSS can be bundled.

The physical switches in a VSS pair communicate via the virtual switch link (VSL). Our redundancy comes in the form of Stateful SwitchOver (SSO) and NonStop Forwarding (NSF). With SSO, the backup supervisor is fully booted, fully initialized, and ready to step in as the active router at a moment's notice – literally! NSF is all about keeping the overall downtime to a minimum by preventing link flapping ("route flapping") during the cutover. SSO and NSF are enabled by default in a VSS config.

Side note: There are other redundancy modes available to us on Cat switches, including Router Processor Redundancy (RPR) and Router Processor Redundancy Plus (RPR+). RPR allows the backup supervisor to boot partially, while RPR+ allows the backup supervisor to boot fully and initialize its routing engine. SSO is faster than RPR+, and RPR+ is faster than RPR.

Between SSO and NSF, the speed of the cutover to the new active switch and the continued forwarding of packets during that cutover make the transition as smooth as the proverbial baby's butt.

Now back to our story! How does the standby switch know when it needs to take over as the active switch? The two switches regularly exchange control info over the VSL, and should the backup switch detect via the VSL that the active switch has failed, the standby switch takes it upon itself to become the active switch. When the previous switch is back online, it will not take over its original role as the active router. Instead, it takes the standby role.

All well and good, but what if the VSL itself goes down? How could the standby switch know whether the active switch is still active? The VSL is actually an Etherchannel, so it takes more than one link failure to lose it. When it does go down, both switches will be active, since the two switches will now be using a lot of the same information, including the same IP address, and we have a dual-active situation. This sounds great, but if it was all that great, this would be the default and we wouldn't have a standby! Dual-active is not desirable. For the network to recover, one of these switches needs to take itself out of the picture – but which one? It's the first active switch that drinks the virtual hemlock in the form of putting every single one of its non-VSL interfaces into err-disabled mode. At this point, VSS goes into dual-active recovery. It'll stay that way until the VSL is back up.

The remaining active switch will forward traffic normally. When the VSL is repaired, the switch with the err-disabled ports will come back online and assume the standby role.

Most Cisco white papers on VSS will mention that VSS eliminates the need for an FHRP. That may be true of production networks, but not of your CCNP Switch and Tshoot exams. Those exams will be covered with FHRP questions, and we'll hit FHRPs hard right after this word to the (stack)wise!

StackWise

We're about to stack cables in a wise manner. (Get it?) StackWise lets us physically link up to nine switches to create a switch unit or switch stack. The entire stack is given one IP address and one config file, a copy of which is sent to every switch in the stack. When we're done connecting our switches with some very special stack interconnect cables, we end up with a fully functioning two-way path. Each path supports up to 16 Gbps in each direction. If one of our cables breaks, we lose 50% of our capacity immediately. That's quite a cap hit, but thankfully it's a very temporary hit. Our new pal NonStop Forwarding (NSF) is supported in StackWise, which helps keep the packets flowing when there's the slightest break in service. The failover takes microseconds.

There is no single point of failure in a switch stack, but there is a single point of pain. One of these switches has to be a "boss switch", and that's the aptly named master switch. That master switch has quite the workload, including downloading forwarding tables, ACL info, and QoS info to the non-masters. The master switch keeps a master MAC address table, a copy of which is sent to non-masters. The master switch also has to handle ping requests and remote connection requests, and is also responsible for letting non-masters know of additions and removals of switches in the stack.

That switch is chosen via a master switch election:

1. The network admin can select a particular switch to be the master.

2. If none are selected in that manner, the switch with the best feature set wins.

3. If that's a tie, a preconfigured switch wins over a non-preconfigured switch.

4. If that's a tie, the switch that's been up the longest wins.

5. If that's somehow a tie, the switch with the lowest MAC is selected as master.

RPR+ has those non-master switches fully initialized and ready to step in when needed. NSF works with RPR+ to keep things rolling when we're cutting over from one master to another.

StackWise requires every switch in the stack to run the same IOS. You and I, the network admins, can not only add and remove switches without interrupting service, but we don't even have to configure the new switch. StackWise will take care of that for us! The master switch will autoconfig the new arrival with the stack's IOS image, then send the config to the new switch, and the new switch joins the stack.

When we add a new switch to the stack, the master will ask the newcomer if it's running the same IOS image as the master. If so, the master sends the config to the new switch and all is well. If the new switch does not have the same IOS image, all is not well, with this process:

1. The master will download the Cisco IOS image from its own Flash to the new switch, then send the config to the new switch. The new switch can then join the stack.

2. We can configure a TFTP server for that IOS download. With that option, the master switch will grab the IOS image from the TFTP server, send it to the new switch, then send the config over. The new switch can then join the stack.

3. The master may also be supplied with an IOS image that supports both the master's hardware and the new switch's hardware. Once that happens, the master will then upgrade every switch that was already part of the stack to that IOS, along with the new switch, and the entire stack then goes live.

The first two possibilities assume that the new switch's hardware can handle the necessary IOS image. If not, the master will put the new switch into suspension, let us know about the problem, and then wait for us to do something about it! So let's hope our hardware is compatible!

This is enough to get you started with StackWise. There's a lot more to StackWise, and frankly, Cisco could probably have a certification based just on VSS and StackWise. If your network uses it or you want to learn more about it, head to Cisco's website and grab some PDFs.

Whew! With all that said, we're moving on to FHRPs!

The Hot Standby Routing Protocol

In this section, I'm going to refer to routers rather than L3 switches, since the HSRP terminology refers to "active routers" and "standby routers". The theory and commands of HSRP run the same on an L3 switch as on a router. Also, the icon I'm using for multilayer switches is slightly different than the one you saw earlier – there's no "Si" in the middle. I wanted to make sure you saw both versions.

Defined in RFC 2281, HSRP is a Cisco-proprietary router redundancy protocol in which routers are placed into an HSRP router group. One of the routers in the group is selected as the active router, while others in the group are standby routers. The terms active and standby do not refer to the actual operational status of the routers, just to their status in their HSRP group. It won't surprise you to learn that the active router handles the actual workload while the standby routers do just that – stand by! HSRP ensures a high network uptime, since it routes IP traffic without reliance on a single router.

The actual IP and MAC addresses of the physical routers in the group are unknown to downstream devices. Those devices are actually communicating with a pseudorouter, a virtual router created by the HSRP configuration. This virtual router will have a MAC and IP address of its own, and downstream devices send data to those addresses.

In our first lab, MLS_1 (int VLAN 100, 172.16.23.1 /24) and MLS_2 (int VLAN 100, 172.16.23.2 /24) are the routers in the HSRP group. The configuration will create a virtual router with the IP address 172.16.23.12, and it's that address that should be used by all hosts in VLAN 100 as their default gateway.

115 S T U DY G U I D E C H R I S B R YA N T mac-refresh Refresh MAC cache on switch by periodically sending packe from virtual mac address name Redundancy name string preempt Overthrow lower priority Active routers priority Priority level redirect Configure sending of ICMP Redirect messages with an HSRP virtual IP address as the gateway IP address After verifying the SVI for VLAN 100 on each router.16.23. address is 0017.f7c1) Internet address is 172.D Virtual IP address <cr> MLS _ 1(config-if)#standby 5 ip 172.16.23. address is 001c.B.16.1/24 MLS _ 2#show int vlan 100 Vlan100 is up. line protocol is up Hardware is EtherSVI.C.9466.0fbf. follow Name of HSRP group to follow ip Enable HSRP IPv4 and set the virtual IP address name Redundancy name string preempt Overthrow lower priority Active routers priority Priority level timers Hello and hold timers track Priority tracking MLS _ 1(config-if)#standby 5 ip ? A.f7c1 (bia 0017. we’re off! Hello and hold timers track Priority tracking version HSRP version MLS _ 1(config-if)#standby 5 ? MLS _ 1#show int vlan 100 authentication Authentication Vlan100 is up.23.23.16.1 % address cannot equal interface IP address (so don’t try it!) MLS _ 1(config-if)#standby 5 ip 172.2/24 We’ll put both SVIs in HSRP group 5 and let ‘em fight it out over the active router role to see what happens.1 ? MLS _ 1(config)#int vlan 100 secondary Make this IP address a secondary virtual IP address MLS _ 1(config-if)#standby ? <0-255> timers <cr> group number Authentication Authentication Delay HSRP initialisation delay Follow Name of HSRP group to follow Ip Enable HSRP IPv4 and set the virtual IP address 190 MLS _ 1(config-if)#standby 5 ip 172.9466.2f41 (bia 001c. I’ll use IOS Help on MLS_1 to show our HSRP options.12 191 .C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 .2f41) Internet address is 172.16.23. The ip command is the only required command for HSRP.0fbf. line protocol is up Hardware is EtherSVI.

0c07. and finally.ac05 (v1 default) Hello time 3 sec. This is the Active router (“local”) The standby router is at 172.Group 5 3 state changes.1 and that router’s priority is 100 MLS _ 2(config)#int vlan 100 MLS _ 2(config-if)#standby 5 ip 172. priority 100 (expires in 9.23.23. and the last one was 1 minute and 19 seconds ago The virtual router’s IP address and MAC address This router sends HSRP Hellos every 3 seconds 192 193 . last state change 00:01:45 State is Active 2 state changes.0c07.23.16. last state change 00:01:19 Virtual IP address is 172.16.16.16.ac05 Local virtual MAC address is 0000.23. hold time 10 sec Next hello sent in 1.23. The local HSRP priority is 100. MLS _ 1#show standby Vlan100 .2.0c07.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 .Group 5 MLS _ 2#show standby State is Standby Vlan100 .12 Let’s verify our config on MLS_2 with show standby.1. Here’s our HSRP group: There’s a treasure trove of HSRP info here! From the top down.936 secs Preemption disabled Active router is 172.16. the HSRP group name is displayed.0c07. priority 100 (expires in 10.ac05 Local virtual MAC address is 0000.ac05 (v1 default) Hello time 3 sec. “Preemption” is disabled – more on that very soon! Let’s finish the config on MLS_2.368 secs Virtual IP address is 172. there have been 2 state changes. we see… Interface VLAN100 is in HSRP Group 5 This router is in the Active state.920 sec) Preemption disabled Standby router is local Active router is local Standby router is 172.16.12 Active virtual MAC address is 0000.12 Active virtual MAC address is 0000.272 sec) Priority 100 (default 100) Group name is “hsrp-Vl100-5” (default) Priority 100 (default 100) Group name is “hsrp-Vl100-5” (default) That output verifies everything we saw on MLS_2. your #1 friend when it comes to verifying and troubleshooting HSRP. hold time 10 sec Next hello sent in 2.23. 
Let’s look at the same command’s output on MLS_1.115 S T U DY G U I D E C H R I S B R YA N T You can’t assign an IP address from the MLS as the IP address for the virtual router.

let’s talk about that election. The priority is 100 by default. We’d like to avoid reloads here. or MLS_1 must have preemption enabled.) Let’s make MLS_1 the Active router by raising its priority. This state change and the enabling of preemption are verified by show standby.368 sec) Standby router is local Most of that address was predetermined. Local virtual MAC address is 0000. hold time 10 sec it! However.0c07.16. priority 100 (expires in 10. Either we have to reload MLS_2 so MLS_1 can take over as Active in its absence. we didn’t enter any info regarding a MAC address.376 secs come from? Preemption disabled Active virtual MAC address is 0000. and the “xx” is the HSRP group number in hexadecimal.0c07.ac05 (v1 default) 194 195 .23. always. We’ll go double or nothing… MLS _ 1(config)#int vlan 100 MLS _ 1(config-if)#standby 5 priority 200 … and we get nothing! Let’s verify the priority change: MLS _ 1(config)#int vlan 100 MLS _ 1(config-if)#standby 5 ? Authentication Authentication Follow Name of HSRP group to follow Ip Enable HSRP IPv4 and set the virtual IP address Name Redundancy name string Preempt Overthrow lower priority Active routers Priority Priority level Timers Hello and hold timers Track Priority tracking MLS _ 1(config-if)#standby 5 preempt Just a few seconds after enabling preemption on MLS_1… MLS _ 1#show standby Vlan100 . as we saw on both routers.Group 5 %HSRP-5-STATECHANGE: Vlan100 Grp 5 state Standby -> Active State is Standby 1 state change.115 S T U DY G U I D E C H R I S B R YA N T We know how the virtual router got its IP address. so let’s do the latter.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 . Group name is “hsrp-Vl100-5” (default) Had we gone with HSRP group 10.12 Active virtual MAC address is 0000. MLS_2 won the election in our first lab. The HSRP Active Router Election The HSRP priority is the first value considered in the election. we’re the ones who configured Hello time 3 sec. 
Should there be a tie – and there always will be if the routers are left at their defaults – theory holds that the router with the highest IP address wins the election.2. so the theory holds true. Brush up on your hex before you take the SWITCH exam! Now that we have the MAC address source down. Just raising the priority on MLS_1 isn’t enough to get the job done here.23. always verify your Active router. (Real world note: Always.16. the address would have been 00-00-0c-07-ac-0a. Where the heck did that Next hello sent in 1. after all.ac05 Active router is 172. last state change 00:17:26 Virtual IP address is 172. The MAC address 00-00-0c-07-ac-xx is HSRP’s Priority 200 (configured 200) well-known virtual MAC address.0c07.ac05 … MLS_1 takes over as the Active router.

16. HSRP isn’t actually running at this point.115 S T U DY G U I D E C H R I S B R YA N T MLS _ 1#show standby Disabled: Similar to the disabled STP port state. but for t-shooting and exam prep. in that you won’t see this state actually Vlan100 . but it is the official first HSRP port state. and MLS_2 is again the Active router. You can also delay a takeover until after the next reload. Priority 200 (configured 200) Group name is “hsrp-Vl100-5” (default) Active: The router is now forwarding packets sent to the group’s virtual IP address. and MLS_1 is just sitting there. State is Active 2 state changes.0c07. Speak: The router is now sending Hello messages and participating in the election of the primary and standby routers. I admit.12 Active virtual MAC address is 0000.Group 5 mentioned. but there’s one thing driving me crazy.ac05 Local virtual MAC address is 0000.16. Preemption enabled Active router is local Standby: The router is now a candidate to become the active router and continues to send Standby router is 172. this one requires a little help from those 60 hosts. <cr> MLS _ 1(config-if)#standby 5 preempt delay ? minimum Delay at least this long reload Delay after reload sync Wait for IP redundancy clients MLS _ 1(config-if)#standby 5 preempt delay minimum ? <0-3600> Number of seconds for minimum delay We’ve seen a few of the HSRP states.0c07.2. Unlike the load balancing techniques we’ve used to this point. 196 We’re going to put MLS_1 to work via HSRP load balancing. and that group is using 172.896 sec) hello packets.12 to represent its 197 . priority 100 (expires in 10. (A short drive.23. Load Balancing With HSRP Had I wanted to delay any takeover by MLS_1. Listen: The router knows the virtual router’s IP address. I could have set delay on the preemption. last state change 00:00:51 Virtual IP address is 172. let’s see them in order along with a quick description of each. It’s listening for Hello packets from those routers. 
HSRP Group 5 has MLS_2 as the Active router.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 . MLS_2 is doing all the work of handling traffic from 60 hosts.23.) I’ve reset the priority for both routers in Group 5 to 100. As a result. MLS _ 1(config-if)#standby 5 preempt ? delay Wait before preempting This redundancy is all well and good.976 secs Initial (INIT): The interface enters this state when HSRP is first enabled.16. hold time 10 sec Next hello sent in 0.23. but is not the primary or standby router.ac05 (v1 default) Hello time 3 sec.

16.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 .115 S T U DY G U I D E C H R I S B R YA N T virtual router.Group 10 Preemption enabled 198 199 .21 MLS_1 is the Active router for Group 10. priority 201 (expires in 9. half of the hosts would be configured with Verify with show standby. I’ll show only the info related to the election.2.16.808 sec) MLS _ 1(config-if)#standby 10 ip 172.704 sec) Standby router is local Priority 100 (default 100) Vlan100 .23.Group 5 Preemption disabled Active router is 172.16. 172.16.792 sec) Priority 201 (configured 201) MLS _ 2#show standby Vlan100 .23.21. Standby router is 172. making sure that Active router is local MLS_1 is the Active. To test this.Group 5 Preemption enabled Active router is local Standby router is 172.23. priority 100 (expires in 10.16. I’ve configured a different default gateway on Host 2 and Host 3. priority 200 (expires in 8.2. and MLS_2 is the Active router for Group 5. just MLS _ 2(config-if)#standby 10 priority 100 (hardcoding the default) as we wanted.23.23. priority 100 (expires in 9.1.16.12 as their default gateway.384 sec) Priority 200 (configured 200) Vlan100 .21 for its virtual router. We’re going to create Group 10 with the same two routers. and the other half with 172. and we’ll send pings from each. MLS _ 1#show standby Vlan100 .1.16.23.23.23.21 Standby router is local MLS _ 1(config-if)#standby 10 priority 200 Priority 100 (default 100) Group name is “hsrp-Vl100-10” (default) MLS _ 2(config)#int vlan 100 MLS _ 2(config-if)#standby 10 ip 172.16.16. To finish the load balancing.Group 10 Preemption disabled MLS _ 1(config)#int vlan 100 Active router is 172.23. and that group will use the address 172.

In our next lab. This can lead to another HSRP router in the group becoming the Active router.21 !!!!! Success rate is 100 percent (5/5). We This great feature enables the HSRP process to monitor a particular interface. and the load is now shared! HSRP Interface Tracking If Fast 0/3 on MLS_2 fails. the hosts in VLAN 100 can’t reach the ecommerce server. When that tracked interface’s line protocol is down. the HSRP priority of the router is dec- MLS _ 2(config-if)#standby 1 ip 172.23.Group 1 State is Active Preemption disabled Active router is local Standby router is 172. That’s all well and good. priority 100 (expires in 8.115 S T U DY G U I D E C H R I S B R YA N T HOST2#ping 172.16.) MLS _ 1(config)#int vlan 100 MLS _ 1(config-if)#standby 1 ip 172.16. MLS _ 2#show standby Vlan100 .23. HSRP’s default decrement with interface tracking is 10. MLS _ 2(config-if)#standby 1 priority 105 but that other router must have preemption enabled.656 sec) Priority 105 (configured 105) 200 201 . As a result. (IP addresses shown for the multilayer switches in the next lab are for their SVI. MLS_1 is the standby and has the default priority of 100. round-trip min/avg/max = 1/3/4 ms HOST3#ping 172.23. interface VLAN100. but there is a single point of failure – and we hate those.12 MLS _ 1(config-if)#standby 1 preempt Verify with show standby.12 remented.16.16.12 !!!!! Success rate is 100 percent (5/5).16. MLS_2 has a priority of 105 and is the Active router.1. the current priority would be fine for our purposes. and the status of this interface will dynamically change the HSRP priority for a specified router – for better or for worse! can and will configure HSRP to drop MLS_2’s priority if the line protocol of Fast 0/3 on that server goes down. MLS_2 will handle all the traffic sent to the server behind MLS_2 and MLS_1.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 .23. so as long as MLS_1 has preemption enabled. 
round-trip min/avg/max = 4/4/4 ms Both hosts are pinging their default gateways. I’m showing you only the info relating to the election.23.

priority 100 (expires in 11.Group 1 Group name is “hsrp-Vl100-1” (default) State is Standby Preemption enabled The default HSRP interface tracking decrement of 10 is shown to us here.Group 1 than 10 seconds.0c07. Let’s check show standby for verification. so let me throw this in – all of that happened in less Vlan100 .C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 .16. so know it by heart. hold time 10 sec Next hello sent in 1.115 S T U DY G U I D E C H R I S B R YA N T Track interface FastEthernet0/3 state Up decrement 10 MLS _ 1#show standby Vlan100 .23.12 Preemption disabled Active virtual MAC address is 0000.1.184 sec) Priority 105 (configured 105) Hello time 3 sec. hold time 10 sec Next hello sent in 0.23. line protocol is up (connected) We’ll add tracking to MLS_2’s HSRP config and verify with show standby. last state change 00:00:17 Virtual IP address is 172. since MLS_1’s priority is the default of 100 and that router is configured for Before configuring HSRP interface tracking. be sure the interface you’re tracking is up! MLS _ 2#show int fast 0/3 FastEthernet0/3 is up.0c07.2.0c07.ac01 (v1 default) Standby router is 172.464 sec) on your CCNP SWITCH and TSHOOT exams being so kind.16. if Fast0/3’s line protocol goes down. Standby router is local According to theory. Let’s shut Fast 0/3 down and see what happens! MLS _ 2(config)#int fast 0/3 MLS _ 2(config-if)#shut %TRACKING-5-STATE: 1 interface Fa0/3 line-protocol Up->Down %HSRP-5-STATECHANGE: Vlan100 Grp 1 state Active -> Speak %LINK-5-CHANGED:Interface FastEthernet0/3. changed state to administratively down MLS _ 2(config)#int vlan 100 MLS _ 2(config-if)#standby 1 track fastethernet 0/3 %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3.16. MLS_1 should then take over as the Active. last state change 00:00:10 Virtual IP address is 172. MLS_2’s priority should go down Priority 100 (default 100) to 95.608 secs 202 203 . 
changed state to down %HSRP-5-STATECHANGE: Vlan100 Grp 1 state Speak -> Standby MLS _ 2#show standby I removed the timestamps for clarity. State is Active 5 state changes.ac01 Vlan100 . In turn. preemption.920 secs State is Standby 7 state changes. priority 105 (expires in 10.23.16.Group 1 Local virtual MAC address is 0000. I would not count Active router is 172.23.0c07.ac01 Active router is local Local virtual MAC address is 0000.ac01 (v1 default) Hello time 3 sec.12 MLS _ 2#show standby Active virtual MAC address is 0000.

136 secs Preemption enabled Active router is local Standby router is 172.115 S T U DY G U I D E C H R I S B R YA N T Preemption disabled MLS _ 2#show standby Active router is 172. Hello time 3 sec.changed state to up 204 205 . but MLS_2 will not become the Active router again unless we enable preemption.000 sec) Priority 105 (configured 105) Track interface FastEthernet0/3 state Up decrement 10 Group name is “hsrp-Vl100-1” (default) And that’s that! When Fast 0/3 on MLS_2 is back up.23.12 Active virtual MAC address is 0000. the default decrement might not be enough for the failover to take place.ac01 Local virtual MAC address is 0000. the default decrement of 10 wouldn’t be enough for MLS_1 to take over as the Active should Fast 0/3 on MLS_2 go down.16.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 .0c07. note that you never actually enter MLS _ 2(config)#int vlan 100 the word “decrement”.16.Group 1 State is Active Standby router is local Priority 95 (configured 105) 8 state changes.688 sec) Vlan100 . last state change 00:02:58 Track interface FastEthernet0/3 state Down decrement 10 Group name is “hsrp-Vl100-1” (default) Virtual IP address is 172. You can set a new decrement value at the very end of standby track.1.16. priority 100 (expires in 10.23.1. On occasion. If MLS_2’s priority is 150 and MLS_1’s priority is 100.0c07. Let’s do that and then reopen Fast 0/3. the priority will go back to 105. hold time 10 sec Next hello sent in 1. priority 100 (expires in 10. MLS _ 2(config-if)#standby 1 preempt I’ll set MLS_2’s priority to 150 and then set a decrement of 51… MLS _ 2(config-if)#int fast 0/3 MLS _ 2(config-if)#no shut MLS _ 2(config)#int vlan 100 %TRACKING-5-STATE: 1 interface Fa0/3 line-protocol Down->Up MLS _ 2(config-if)#standby 1 priority 150 MLS _ 2(config-if)#standby 1 track fastethernet 0/3 ? 
%HSRP-5-STATECHANGE: Vlan100 Grp 1 state Standby -> Active <1-255> Decrement value <cr> %LINK-3-UPDOWN: Interface FastEthernet0/3.23.ac01 (v1 default) MLS_2 is indeed the standby as a result of that decrement. changed state to up MLS _ 2(config-if)#standby 1 track fastethernet 0/3 51 %LINEPROTO-5-UPDOWN:Line protocolon Interface FastEthernet0/3.

115 S T U DY G U I D E … shut down fast 0/3… C H R I S B R YA N T To change the HSRP hello and hold timers.ac01 Want to change the HSRP group name from that ugly default? Use standby name. because they are important. use standby timers. group name appears at very bottom of Active router is 172.0c07. last state change 00:00:05 MLS _ 2(config-if)#standby 1 timers 6 15 Virtual IP address is 172.12 Active virtual MAC address is 0000.23. It is an option.Group 1 <7-255> Hold time in seconds State is Standby 13 state changes. You do have to enter a value for each timer. Local virtual MAC address is 0000. but setting the though. Choose “key string” to set a single word as the password. but they’re not everyday commands.1. but just in case you need to change a few things. priority 100 (expires in 7.16. MLS _ 2#show standby <1-254> Hello interval in seconds msec Specify hello interval in milliseconds MLS _ 2(config-if)#standby 1 timers 6 ? Vlan100 . MLS _ 2(config-if)#int fast 0/3 MLS _ 2(config-if)#shut MLS _ 2(config-if)#standby 1 timers ? … and verify any changes with show standby.0c07.Group 1 Priority 99 (configured 150) Group name is “CCNP” (cfgd) Track interface FastEthernet0/3 state Down decrement 51 Group name is “hsrp-Vl100-1” (default) Want to set up authentication between your HSRP speakers? Use standby authentication.16. hold time 10 sec MLS _ 2(config-if)#standby 1 name CCNP Next hello sent in 2.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 .23.ac01 (v1 default) Hello time 3 sec.600 sec) Standby router is local output) Vlan100 . even if there’s one you’re not changing. I’d tell you not to use plain text authentication. You can leave most HSRP defaults as they are.560 secs Preemption enabled MLS _ 2#show standby (output edited. decrement to 51 and enabling MLS_1 for preemption (done in the previous lab) got the job done! MLS _ 2(config-if)#standby 1 authentication ? Changing This And That In HSRP I don’t like to call these “miscellaneous” commands. 
here’s how! 206 WORD Plain text authentication string (8 chars max) md5 Use MD5 authentication text Plain text authentication MLS _ 2(config-if)#standby 1 authentication md5 ? key-chain Set key chain key-string Set key string 207 . but I know you won’t do that. The default decrement would not have been enough to get the cutover done.

though… VRRP’s equivalent to HSRP’s Active router is the Master router VRRP’s equivalent to HSRP’s Standby router is the Backup router interface Vlan100 Preemption is enabled by default in VRRP ip address 172.2 255.12 standby 1 priority 150 These options should look familiar… standby 1 preempt standby 1 authentication md5 key-string 7 0327782536 standby 1 name CCNP MLS _ 2(config)#int vlan 100 MLS _ 2(config-if)#vrrp ? standby 1 track 1 decrement 51 <1-255> Group number 208 209 .0.16.255.23.23. use your old friend service password-encryption. Check out MLS_2’s config: HSRP. MLS _ 2(config)#service password-encryption The result: interface Vlan100 ip address 172. with one or two important differences (naturally!).255.0 standby 1 ip 172.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 .23.16.18. where HSRP ads are multicast to standby 1 priority 150 224. VRRP works very much like HSRP.2 standby 1 preempt standby 1 authentication md5 key-string CCNP The MAC address of VRRP routers is 00-00-5e-00-01-xx.255.0.0. the “xx” is the VRRP standby 1 name CCNP group number in hex standby 1 track 1 decrement 51 Let’s have a look at VRRP in action.115 S T U DY G U I D E MLS _ 2(config-if)#standby 1 authentication md5 key-string CCNP C H R I S B R YA N T VRRP – The Virtual Router Redundancy Protocol Defined in RFC 2338. not that the password is hashed in the config.23. and yes.255.0.0 standby 1 ip 172.2 255. VRRP is the open-standard equivalent of the Cisco-proprietary MLS _ 1(config)#int vlan 100 MLS _ 1(config-if)#standby 1 authentication md5 key-string CCNP Using MD5 authentication means that a hash of the password is sent to other HSRP group neighbors.16. where you learned HSRP! Let’s check out those differences.16.12 VRRP’s advertisements are multicast to 224. They’re so much alike that you pretty much learned VRRP during the last section. IP addresses as we used in the HSRP section. using the same two multilayer switches and the same To disguise that password in the config.

23. priority is 100 priority Priority of this VRRP group Master Advertisement interval is 1.16.1 (local).0101 Virtual MAC address is 0000.23.609 sec (expires in 3.2 (local). Virtual IP address is 172.12 MLS _ 1(config-if)#vrrp 1 priority 200 07:53:32: %VRRP-6-STATECHANGE: Vl100 Grp 1 state Backup -> Master Let’s verify! MLS _ 2#show vrrp MLS _ 1#show vrrp Vlan100 .0101 MLS _ 2(config-if)#vrrp 1 ? authentication Authentication string Advertisement interval is 1.5e00. MLS_1 should take over as The Master Router if its MLS _ 2(config-if)#vrrp 1 ip 172.000 sec Preemption enabled Preemption enabled Priority is 100 Priority is 200 Master Router is 172.12 Virtual MAC address is 0000.Group 1 State is Master State is Master Virtual IP address is 172.16. priority is 200 Master Advertisement interval is 1.609 sec Master Down interval is 3.000 sec timers Set the VRRP timers Master Down interval is 3.Group 1 Vlan100 .000 sec Master Down interval is 3. let’s do a little interface tracking after making MLS_2 the Master State is Backup again.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 .23.23.5e00.16.23.218 sec Correct! MLS _ 1#show vrrp Vlan100 . correct? MLS _ 1(config)#int vlan 100 MLS _ 1(config)#int vlan 100 MLS _ 1(config-if)#vrrp 1 ip 172.0101 Advertisement interval is 1.23.000 sec description Group specific description Preemption enabled ip Enable Virtual Router Redundancy Protocol (VRRP) for IP Priority is 100 preempt Enable preemption of lower priority Master Master Router is 172.16.5e00.23.000 sec Master Advertisement interval is 1.16.000 sec Advertisement interval is 1.12 210 211 .115 S T U DY G U I D E C H R I S B R YA N T Virtual MAC address is 0000.16.16.16.12 Virtual IP address is 172.2.458 sec) track Event Tracking With preemption enabled by default.Group 1 While we’re at it.23. priority is 100 Master Router is 172.12 priority is raised.
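Before the tracking lab, here is an added example (my own code, not from the book and not Cisco IOS) that models the election rules covered so far: priority first, highest IP address on a tie, preemption (off by default in HSRP, on by default in VRRP), the HSRP tracking decrement, and each protocol's well-known virtual MAC. The router names, addresses, priorities and decrements are the ones from the MLS_1 / MLS_2 labs above; the per-interface link-state dictionary is my own simplification.

```python
"""Added example: HSRP/VRRP election, preemption and interface tracking,
modelled on the MLS_1 / MLS_2 labs in this chapter. Teaching model only,
not the book's code and not Cisco IOS."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HSRP, VRRP = "hsrp", "vrrp"


def virtual_mac(protocol: str, group: int) -> str:
    """Well-known virtual MAC of a group, dotted as show standby / show vrrp print it.
    HSRP v1 = 0000.0c07.acXX, VRRP = 0000.5e00.01XX, XX = group number in hex."""
    if not 0 <= group <= 255:
        raise ValueError("group number must fit in one octet")
    raw = {HSRP: "00000c07ac", VRRP: "00005e0001"}[protocol] + "%02x" % group
    return ".".join(raw[i:i + 4] for i in range(0, 12, 4))


@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100                   # default priority in both protocols
    preempt: Optional[bool] = None        # None = the protocol's default
    tracked: Dict[str, int] = field(default_factory=dict)    # interface -> decrement
    iface_up: Dict[str, bool] = field(default_factory=dict)  # constructed link state

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of each tracked interface that is down."""
        down = sum(dec for iface, dec in self.tracked.items()
                   if not self.iface_up.get(iface, True))
        return max(self.priority - down, 0)


class Group:
    def __init__(self, protocol: str, number: int, members: List[Router]):
        self.protocol, self.number, self.members = protocol, number, members
        self.active: Optional[Router] = None
        self.mac = virtual_mac(protocol, number)

    def preempts(self, r: Router) -> bool:
        # HSRP needs an explicit "standby <group> preempt"; VRRP preempts by default
        return (self.protocol == VRRP) if r.preempt is None else r.preempt

    def best(self) -> Router:
        # highest effective priority wins; a tie goes to the highest IP address
        return max(self.members, key=lambda r: (r.effective_priority(),
                                                int(ipaddress.IPv4Address(r.ip))))

    def converge(self) -> str:
        """Re-run the election; return the Active (HSRP) / Master (VRRP) router's name."""
        best = self.best()
        if self.active is None or self.active not in self.members:
            self.active = best                      # first election
        elif best is not self.active and self.preempts(best):
            self.active = best                      # higher priority plus preemption
        # otherwise the current Active keeps the role, however low its priority drops
        return self.active.name


def run_labs() -> dict:
    """Replay the chapter's scenarios and collect who ends up Active/Master."""
    r = {}
    # Lab 1: both at the default 100, no preemption -> tie, highest IP (MLS_2) wins
    mls1, mls2 = Router("MLS_1", "172.16.23.1"), Router("MLS_2", "172.16.23.2")
    g5 = Group(HSRP, 5, [mls1, mls2])
    r["lab1"] = g5.converge()
    # "standby 5 priority 200" on MLS_1 changes nothing until MLS_1 also preempts
    mls1.priority = 200
    r["prio200_no_preempt"] = g5.converge()
    mls1.preempt = True
    r["prio200_preempt"] = g5.converge()
    # Tracking lab: MLS_2 at 105 tracks Fa0/3 with the default decrement of 10,
    # MLS_1 stays at 100 with preemption enabled
    mls1 = Router("MLS_1", "172.16.23.1", preempt=True)
    mls2 = Router("MLS_2", "172.16.23.2", priority=105, tracked={"Fa0/3": 10})
    g1 = Group(HSRP, 1, [mls1, mls2])
    g1.converge()
    mls2.iface_up["Fa0/3"] = False                  # shut down Fa0/3: 105 - 10 = 95
    r["track_dec10_from105"] = (g1.converge(), mls2.effective_priority())
    # Raise MLS_2 to 150 with preemption and bring Fa0/3 back: MLS_2 takes over again
    mls2.priority, mls2.preempt, mls2.iface_up["Fa0/3"] = 150, True, True
    g1.converge()
    mls2.iface_up["Fa0/3"] = False                  # 150 - 10 = 140 still beats 100
    r["track_dec10_from150"] = (g1.converge(), mls2.effective_priority())
    mls2.tracked["Fa0/3"] = 51                      # "standby 1 track fastethernet 0/3 51"
    r["track_dec51_from150"] = (g1.converge(), mls2.effective_priority())
    # VRRP: preemption is on by default, so raising MLS_1's priority is enough
    v1, v2 = Router("MLS_1", "172.16.23.1"), Router("MLS_2", "172.16.23.2")
    vg = Group(VRRP, 1, [v1, v2])
    vg.converge()
    v1.priority = 200
    r["vrrp_prio200"] = vg.converge()
    r["macs"] = (g5.mac, virtual_mac(HSRP, 10), vg.mac)
    return r


if __name__ == "__main__":
    for key, value in run_labs().items():
        print(f"{key:24} {value}")
```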

MLS_2(config)#int vlan 100
MLS_2(config-if)#vrrp 1 priority 250
07:55:53: %VRRP-6-STATECHANGE: Vl100 Grp 1 state Backup -> Master

The overall concept of tracking is the same in VRRP as it is in HSRP, but the process is a little bit different. With VRRP, we need to define the interface as an object before moving forward with the actual vrrp track command. Sounds complicated, but it isn't. (I've always remembered this by saying "track, then vrrp track". Feel free to steal it.)

Here's where we stand: MLS_2 is the Master router, and we want MLS_1 to take that role should the line protocol on MLS_2's Fast 0/3 interface go down. Check the interface before you start tracking:

MLS_2#show int fast 0/3
FastEthernet0/3 is up, line protocol is up (connected)

MLS_2(config)#track ?
  <1-1000>    Tracked object
  resolution  Tracking resolution parameters
  timer       Polling interval timers

MLS_2(config)#track 1 ?
  interface  Select an interface to track
  ip         IP protocol
  list       Group objects in a list

MLS_2(config)#track 1 interface fast 0/3 ?
  ip             IP parameters
  line-protocol  Track interface line-protocol

MLS_2(config)#track 1 interface fast 0/3 line-protocol ?
  <cr>

MLS_2(config)#track 1 interface fast 0/3 line-protocol

We're not limited to using the line protocol as the tracked object, but that's the easiest and most effective track to use for an interface IMHO. The object number referred to in the track command must be the same one used in the vrrp track command.

MLS_2(config)#int vlan 100
MLS_2(config-if)#vrrp 1 ?
  authentication  Authentication string
  description     Group specific description
  ip              Enable Virtual Router Redundancy Protocol (VRRP) for IP
  preempt         Enable preemption of lower priority Master
  priority        Priority of this VRRP group
  timers          Set the VRRP timers
  track           Event Tracking

MLS_2(config-if)#vrrp 1 track ?
  <1-1000>  Tracked object

MLS_2(config-if)#vrrp 1 track 1 ?
  decrement  Priority decrement
  <cr>

MLS_2(config-if)#vrrp 1 track 1

Verify the config:

MLS_2#show vrrp
Vlan100 - Group 1
  State is Master
  Virtual IP address is 172.16.23.12
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 250
  Track object 1 state Up decrement 10
  Master Router is 172.16.23.2 (local), priority is 250
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.023 sec

We accepted the VRRP default priority decrement (10). Now we'll shut down fast 0/3 and see what happens.

MLS_2(config)#int fast 0/3
MLS_2(config-if)#shut
%TRACKING-5-STATE: 1 interface Fa0/3 line-protocol Up->Down
%LINK-5-CHANGED: Interface FastEthernet0/3, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down

MLS_2#show vrrp
Vlan100 - Group 1
  State is Master
  Virtual IP address is 172.16.23.12
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 240 (cfgd 250)
  Track object 1 state Down decrement 10
  Master Router is 172.16.23.2 (local), priority is 240
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.023 sec

The tracking is working, but since we changed the default priority a couple of times early on, the decrement isn't large enough to make MLS_1 the Master router. Let's change that decrement to 51.

MLS_2(config)#int vlan 100
MLS_2(config-if)#vrrp 1 track 1 decrement 51
08:14:20: %VRRP-6-STATECHANGE: Vl100 Grp 1 state Master -> Backup

MLS_2#show vrrp
Vlan100 - Group 1
  State is Backup
  Virtual IP address is 172.16.23.12
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 199 (cfgd 250)
  Track object 1 state Down decrement 51
  Master Router is 172.16.23.1, priority is 200
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.023 sec (expires in 2.100 sec)

Ta da! It's all about the decrement – and in this case, knowing how to create a VRRP tracked object! Before proceeding, I'll unblock fast0/3 on MLS_2 and we'll watch MLS_2 take over as Master.

MLS_2(config)#int fast 0/3
MLS_2(config-if)#no shut
%SYS-5-CONFIG_I: Configured from console by console
%LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up
%TRACKING-5-STATE: 1 interface Fa0/3 line-protocol Down->Up
08:34:58: %VRRP-6-STATECHANGE: Vl100 Grp 1 state Backup -> Master

MLS_2#show vrrp
Vlan100 - Group 1
  State is Master
  Virtual IP address is 172.16.23.12
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 250
  Track object 1 state Up decrement 51
  Master Router is 172.16.23.2 (local), priority is 250
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.023 sec

For VRRP load balancing, we're going to use much the same technique as we did with HSRP. Since VRRP wasn't exactly developed with load balancing in mind, we need to create another VRRP virtual router, which means creating a separate VRRP group. Half of the hosts will use VR #1 as their default gateway, and the other half will use VR #2.

Let's create another VRRP group with a new IP address for the virtual router, using vrrp priority to ensure MLS_1 becomes the Master for the new group.

MLS_2(config)#int vlan 100
MLS_2(config-if)#vrrp 55 ip 172.16.23.21

MLS_1(config)#int vlan 100
MLS_1(config-if)#vrrp 55 ip 172.16.23.21
%VRRP-6-STATECHANGE: Vl100 Grp 55 state Init -> Backup

MLS_1(config)#int vlan 100
MLS_1(config-if)#vrrp 55 priority 200
%VRRP-6-STATECHANGE: Vl100 Grp 55 state Backup -> Master

MLS_1 went to Backup for our new VRRP group first, but then went to Master after having its priority for VRRP group 55 raised to 200. After verifying that MLS_1 is the Master for VRRP group 55 and MLS_2 is the Master for group 1, we just need to configure half the hosts in VLAN 100 to use 172.16.23.12 as their default gateway, and the other half 172.16.23.21.

MLS_1#show vrrp
Vlan100 - Group 1
  State is Backup
  Virtual IP address is 172.16.23.12
Vlan100 - Group 55
  State is Master
  Virtual IP address is 172.16.23.21

MLS_2#show vrrp
Vlan100 - Group 1
  State is Master
  Virtual IP address is 172.16.23.12
Vlan100 - Group 55
  State is Backup
  Virtual IP address is 172.16.23.21

The Gateway Load Balancing Protocol (GLBP)

Let's finish our look at FHRPs with a protocol that was actually built with load balancing in mind! HSRP and VRRP have some great features, but as we've seen, load balancing with these protocols is more of a workaround than a native behavior, and those workarounds are inexact sciences at best and a pain in the buttocks at worst. The primary purpose of the Gateway Load Balancing Protocol is, well, load balancing! It's also suitable for use only on Cisco routers and switches, because GLBP is Cisco-proprietary.

As with HSRP and VRRP, GLBP routers will be placed into a router group. With GLBP, the hosts think they're sending all of their data to a single gateway, but actually multiple gateways are in use at one time. For this reason, GLBP allows us to configure a single default gateway on all of our hosts. This is a major step forward over HSRP and VRRP load balancing: rather than having a primary router handle the entire load while the standby routers remain idle, GLBP allows every router in the group to handle some of the load in a round-robin manner.

In the following illustration, three hosts send an ARP request for the MAC of the virtual router.

The router with the highest GLBP priority is chosen as the Active Virtual Gateway (AVG), and it’s that router that will respond to ARP requests with ARP responses containing the virtual MAC addresses assigned to the physical routers in the group. The routers receiving and forwarding traffic sent to these virtual MAC addresses are Active Virtual Forwarders (AVFs). If all routers have the same GLBP priority, the router with the highest IP address becomes the AVG. Should the AVG fail, the router serving as the standby AVG will take over. That’s the router with the next-highest GLBP priority in the group; if that’s a tie, the router with the next-highest IP address takes that role.

The AVG is also in charge of assigning the virtual MAC addresses, and the virtual MAC follows this format:

00-07-b4-00-xx-yy

“XX” is the GLBP group number, “YY” is the AVF number.

GLBP routers use Hellos multicast to 224.0.0.102 to detect the availability of other GLBP-speaking routers. If any of the AVFs fail, another router will handle the load destined for a MAC assigned to the down router.

By default, GLBP will load-balance in a round-robin fashion, where a host that sends an ARP request will receive a response containing the next virtual MAC address in line. We can also use weighted assignments, where the higher the assigned weight, the more often a particular router’s virtual MAC will be sent to a requesting host. If a host needs the same MAC gateway address every time it sends an ARP request, host-dependent load balancing is the way to go.

Our lab is going to be a bit different than the previous HSRP and VRRP labs. Since GLBP doesn’t run on all Cisco switch platforms, we’re going to use Cisco routers in this lab. With that in mind, I’m going to use the same multilayer switch icon and names used in the previous FHRP labs. This will also illustrate that GLBP runs the same on multilayer switches as it does on routers.

In the following illustration, MLS_4 is the AVG in GLBP group 1. It has assigned a virtual MAC address of 00-07-b4-00-01-01 to MLS_1, 00-07-b4-00-01-02 to MLS_2, 00-07-b4-00-01-03 to MLS_3, and 00-07-b4-00-01-04 to itself, putting us at the limit of four AVFs in a GLBP group. Each physical device is running the IP address shown on its FastEthernet 0/0 interface. The AVG answers incoming ARP requests with ARP responses containing the virtual MAC of one of the routers in the group. Our GLBP deployment in this illustration is using the default GLBP load balancing technique of round-robin, so the first ARP response contains the virtual MAC of MLS_1, the next the virtual MAC of MLS_2, and the third the virtual MAC of MLS_3. The next response would contain the virtual MAC of MLS_4.
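To make the AVG’s behaviour concrete, here is an added Python model (not code from this study guide) of the virtual MAC layout described above and of how the AVG chooses which virtual MAC goes into each ARP reply. The router names and host MACs are constructed, and the weighted and host-dependent selection rules are simplified stand-ins for IOS’s own algorithms; the model also shows a failed AVF’s MAC being answered for by another AVF until the redirect timer expires.

```python
"""Model of how a GLBP Active Virtual Gateway answers ARP requests.

Added example, not code from the study guide. The router names and host MACs
are constructed; the weighted and host-dependent selection rules below are
simplified stand-ins for IOS's internal algorithms.
"""
from dataclasses import dataclass


def virtual_mac(group: int, avf: int) -> str:
    """GLBP virtual MAC in the 00-07-b4-00-XX-YY layout (XX = group number,
    YY = AVF number), returned in Cisco dotted-hex notation."""
    if not 1 <= avf <= 4:
        raise ValueError("a GLBP group holds at most four AVFs")
    if not 0 <= group <= 255:
        raise ValueError("this simplified layout keeps the group number in one byte")
    h = bytes([0x00, 0x07, 0xB4, 0x00, group, avf]).hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


@dataclass
class Forwarder:
    avf: int                        # AVF number 1..4, assigned by the AVG
    router: str                     # physical router that owns this virtual MAC
    weight: int = 100               # GLBP default weighting
    alive: bool = True              # hellos still being heard from this AVF
    redirect_expired: bool = False  # redirect timer ran out after it failed


class ActiveVirtualGateway:
    def __init__(self, group: int, forwarders, method: str = "round-robin"):
        self.group = group
        self.forwarders = sorted(forwarders, key=lambda f: f.avf)
        self.method = method
        self._next = 0                                      # round-robin pointer
        self._credit = {f.avf: 0 for f in self.forwarders}  # weighted bookkeeping

    def _candidates(self):
        # A failed AVF's MAC is still handed out (another AVF answers for it)
        # until the redirect timer expires; after that the AVG stops using it.
        return [f for f in self.forwarders if not f.redirect_expired]

    def arp_reply(self, host_mac: str) -> str:
        """Virtual MAC the AVG puts in its ARP reply to host_mac."""
        cands = self._candidates()
        if self.method == "round-robin":
            chosen = cands[self._next % len(cands)]
            self._next += 1
        elif self.method == "weighted":
            # Simplified weighted round-robin: every reply credits each AVF its
            # weight, the richest AVF answers and pays for a full round, so a
            # higher weight is chosen more often (ties go to the lowest AVF).
            for c in cands:
                self._credit[c.avf] += c.weight
            chosen = max(cands, key=lambda c: self._credit[c.avf])
            self._credit[chosen.avf] -= sum(c.weight for c in cands)
        elif self.method == "host-dependent":
            # Same requesting host, same virtual MAC (hash of the host MAC;
            # the real IOS hash is an assumption here).
            chosen = cands[int(host_mac.replace(".", ""), 16) % len(cands)]
        else:
            raise ValueError(f"unknown load-balancing method {self.method}")
        return virtual_mac(self.group, chosen.avf)

    def forwarder_for(self, vmac: str) -> str:
        """Physical router currently forwarding frames sent to vmac."""
        for f in self.forwarders:
            if virtual_mac(self.group, f.avf) != vmac:
                continue
            if f.alive:
                return f.router
            # The lowest-numbered live AVF takes over a failed AVF's MAC
            # (which live AVF IOS picks is an assumption in this model).
            return next(b.router for b in self.forwarders if b.alive)
        raise KeyError(vmac)


def illustration_group() -> ActiveVirtualGateway:
    """The four-router group from the illustration: MLS_4 is the AVG."""
    return ActiveVirtualGateway(1, [Forwarder(1, "MLS_1"), Forwarder(2, "MLS_2"),
                                    Forwarder(3, "MLS_3"), Forwarder(4, "MLS_4")])


if __name__ == "__main__":
    avg = illustration_group()
    for i in range(5):                      # constructed host MACs
        host = "aaaa.bbbb.%04x" % i
        print(host, "->", avg.arp_reply(host))
```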

The beginning configuration, along with some IOS Help on the first one:

MLS_3(config)#int fast 0/0
MLS_3(config-if)#glbp 1 ?
  authentication  Authentication method
  client-cache    Client cache
  forwarder       Forwarder configuration
  ip              Enable group and set virtual IP address
  ipv6            Enable group for IPv6 and set the virtual IPv6 address
  load-balancing  Load balancing method
  name            Redundancy name
  preempt         Overthrow lower priority designated routers
  priority        Priority level
  timers          Adjust GLBP timers
  weighting       Gateway weighting and tracking

MLS_3(config-if)#glbp 1 ip ?
  A.B.C.D  Virtual IP address
  <cr>
MLS_3(config-if)#glbp 1 ip 172.16.23.12
MLS_3(config-if)#glbp 1 preempt

MLS_2(config-if)#glbp 1 ip 172.16.23.12
MLS_2(config-if)#glbp 1 preempt

MLS_1(config-if)#glbp 1 ip 172.16.23.12
MLS_1(config-if)#glbp 1 preempt

show glbp is an incredibly important GLBP command; it’s also incredibly verbose. We’re going to examine the output of this command on the current AVG, MLS_3, starting with the first half. The first half of the output deals with the Active Virtual Gateway selection, and the second half with the Active Virtual Forwarders.

MLS_3#show glbp
FastEthernet0/0 - Group 1
  State is Active
    1 state change, last state change 00:11:40
  Virtual IP address is 172.16.23.12
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.272 secs
  Redirect time 600 sec, forwarder timeout 14400 sec
  Preemption enabled, min delay 0 sec
  Active is local
  Standby is 172.16.23.2, priority 100 (expires in 9.888 sec)
  Priority 100 (default)
  Weighting 100 (default 100), thresholds: lower 1, upper 100
  Load balancing: round-robin
  Group members:
    0017.59e2.474a (172.16.23.1)
    001b.d4c2.0990 (172.16.23.2)
    001f.ca96.2754 (172.16.23.3) local

Great info here! From top to bottom, we see the interface and group number, followed by the state of Active, which means we’re on the AVG. After the state change info, we’re given the virtual IP address, the hello and hold time (the default for each), and some timers new to us (“redirect” and “forwarder”). We also see that preemption is enabled. Following “Active is local”, we’re given the IP address and priority of the standby AVG. Much like beauty pageants, should MLS_3 be unable to fulfill its duties, the AVG title is given to the runner-up.

Next, we see the Priority and Weighting values are set to 100, along with the weighting “thresholds”. These values are often confused, but after the labs later in this section, you’ll be clear – crystal clear – on the usage of each. We then see the load balancing method in use is round-robin, also a GLBP default, followed by the actual MAC and IP addresses of the GLBP group members. These are not the virtual MAC addresses that are sent by the AVG in response to ARP requests.

Let’s have a look at the second half of the show glbp output, which deals with the AVF status of each member. This is also from MLS_3.

  There are 3 forwarders (1 active)
  Forwarder 1
    State is Listen
      MAC address is 0007.b400.0101 (learnt)
    Owner ID is 0017.59e2.474a
    Redirection enabled, 599.904 sec remaining (maximum 600 sec)
    Time to live: 14399.904 sec (maximum 14400 sec)
    Preemption enabled, min delay 30 sec
    Active is 172.16.23.1 (primary), weighting 100 (expires in 10.816 sec)
  Forwarder 2
    State is Listen
      MAC address is 0007.b400.0102 (learnt)
    Owner ID is 001b.d4c2.0990
    Redirection enabled, 599.392 sec remaining (maximum 600 sec)
    Time to live: 14399.392 sec (maximum 14400 sec)
    Preemption enabled, min delay 30 sec
    Active is 172.16.23.2 (primary), weighting 100 (expires in 10.656 sec)
  Forwarder 3
    State is Active
      1 state change, last state change 00:11:29
      MAC address is 0007.b400.0103 (default)
    Owner ID is 001f.ca96.2754
    Redirection enabled
    Preemption enabled, min delay 30 sec
    Active is local, weighting 100

Each physical router in our group is an AVF, and each will show its own forwarder as “Active” while the other two are in “Listen”. The local forwarder (Forwarder 3) is shown as “State is Active”, and the other two forwarders are shown as “State is Listen”. This means that the other two AVFs are listening for Hellos from the local forwarder, and should those hellos stop coming, one of the other AVFs would step in and handle traffic destined for that down AVF’s virtual MAC address. You’ll see an example of this in an upcoming lab. The virtual MAC address for each router is shown in this output as well.

Here’s that same info from MLS_2, showing the local forwarder as Active and the other two as listening:

  There are 3 forwarders (1 active)
  Forwarder 1
    State is Listen
      MAC address is 0007.b400.0101 (learnt)
    Owner ID is 0017.59e2.474a
    Preemption enabled, min delay 30 sec
    Active is 172.16.23.1 (primary), weighting 100
  Forwarder 2
    State is Active
      1 state change, last state change 00:28:09
      MAC address is 0007.b400.0102 (default)
    Owner ID is 001b.d4c2.0990
    Redirection enabled
    Preemption enabled, min delay 30 sec
    Active is local, weighting 100
  Forwarder 3
    State is Listen
      MAC address is 0007.b400.0103 (learnt)
    Owner ID is 001f.ca96.2754
    Preemption enabled, min delay 30 sec
    Active is 172.16.23.3 (primary), weighting 100

That same command’s output on MLS_1, again showing the local forwarder as Active and the other two as listening:

  There are 3 forwarders (1 active)
  Forwarder 1
    State is Active
      1 state change, last state change 00:29:10
      MAC address is 0007.b400.0101 (default)
    Owner ID is 0017.59e2.474a
    Redirection enabled
    Preemption enabled, min delay 30 sec
    Active is local, weighting 100
  Forwarder 2
    State is Listen
      MAC address is 0007.b400.0102 (learnt)
    Owner ID is 001b.d4c2.0990
    Preemption enabled, min delay 30 sec
    Active is 172.16.23.2 (primary), weighting 100
  Forwarder 3
    State is Listen
      MAC address is 0007.b400.0103 (learnt)
    Owner ID is 001f.ca96.2754
    Preemption enabled, min delay 30 sec
    Active is 172.16.23.3 (primary), weighting 100

That differing info on your AVFs can throw you at first, but just remember that the local AVF will always be seen as Active and the others will be listening in!

You’ll be happy to know there is a brief option for this command, and while it doesn’t give the details the full command gives, it’s a great place to get started with t-shooting.

MLS_3#show glbp brief
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Fa0/0       1    -   100 Active   172.16.23.12    local           172.16.23.2
Fa0/0       1    1   -   Active   0007.b400.0101  local           -
Fa0/0       1    2   -   Listen   0007.b400.0102  172.16.23.2     -
Fa0/0       1    3   -   Listen   0007.b400.0103  172.16.23.1     -

When you see a dash under “Fwd” and “Active” under “State”, you’re on the AVG. The devices with a number under “Fwd” are your AVFs, and it’s commonplace for a router to serve as both an AVG and an AVF.

According to that output, MLS_2 should take over as the AVG if MLS_3 is unavailable. Let’s test that by making MLS_3 unavailable and then running show glbp brief on MLS_2. Take careful note of both GLBP console messages.

MLS_3(config)#int fast 0/0
MLS_3(config-if)#shut

MLS_2#
%GLBP-6-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active
%GLBP-6-FWDSTATECHANGE: FastEthernet0/0 Grp 1 Fwd 1 state Listen -> Active

MLS_2#show glbp brief
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Fa0/0       1    -   100 Active   172.16.23.12    local           172.16.23.1
Fa0/0       1    1   -   Active   0007.b400.0101  local           -
Fa0/0       1    2   -   Active   0007.b400.0102  local           -
Fa0/0       1    3   -   Listen   0007.b400.0103  172.16.23.1     -

We expected MLS_2 to take over as the AVG. What you might not have expected is that MLS_2 is now the Active router for the MAC address previously handled by MLS_3 (0007.b400.0101), and it’s handling traffic sent to that MAC address as well as its own assigned address (0007.b400.0102). That’s mighty kind of MLS_2, but that kindness will not last forever. Once MLS_3 comes back online, it reclaims the role of AVG and begins acting as an AVF for its original virtual MAC address, and that’s verified by show glbp brief.

MLS_3#show glbp brief
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Fa0/0       1    -   100 Active   172.16.23.12    local           172.16.23.2
Fa0/0       1    1   -   Active   0007.b400.0101  local           -
Fa0/0       1    2   -   Listen   0007.b400.0102  172.16.23.2     -
Fa0/0       1    3   -   Listen   0007.b400.0103  172.16.23.1     -

Watch The Timers

Two of the GLBP timers are just the same as those found in HSRP; they even have the same default. There are two others that can be a tad confusing at first. Let’s clear up any confusion on these right now.

MLS_3#show glbp
FastEthernet0/0 - Group 1
  State is Active
    3 state changes, last state change 00:15:34
  Virtual IP address is 172.16.23.12
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.192 secs
  Redirect time 600 sec, forwarder timeout 14400 sec

The hello and hold times operate the same here as they do in HSRP – it’s the redirect and forwarder timeout values we need to examine closely. In the previous lab, MLS_2 began accepting frames with the destination 0007.b400.0101, which had been MLS_3’s virtual MAC address. When the redirect time expires, the AVG will no longer use the virtual MAC address in question in its responses to ARP requests. When the forwarder timeout timer expires, the now-disappeared AVF and its virtual MAC address disappear from every GLBP router in the group.

Use glbp timers redirect to change either timer, and watch your syntax! The redirect timer is the first timer in this command, and the timeout interval is the second. They both have to be set even if you’re just changing one, and should you set the forwarder timeout too low…

MLS_3(config-if)#glbp 1 timers ?
  <1-60>    Hello interval in seconds
  msec      Specify hello interval in milliseconds
  redirect  Specify timeout values for failed forwarders

MLS_3(config-if)#glbp 1 timers redirect ?
  <0-3600>  Interval in seconds to redirect to failed forwarders
MLS_3(config-if)#glbp 1 timers redirect 1800 ?
  <2400-64800>  Timeout interval in seconds for failed forwarders
MLS_3(config-if)#glbp 1 timers redirect 1800 3600 ?
  <cr>
MLS_3(config-if)#glbp 1 timers redirect 1800 3600
% Forwarder timeout is less than the default ARP cache timeout (4 hours)

… well, if you’ve ever watched Shark Tank, you’ve heard Barbara Corcoran say “I’m going to give you a minute to rethink that.” That’s pretty much what the router is telling us here. The timer change does take effect, but I did go back to the defaults after seeing that message. Change these timers with care!

MLS_3(config)#int fast 0/0
MLS_3(config-if)#no glbp 1 timers redirect 1800 3600

Selecting The AVG And Backup AVG

Selecting another router to serve as the AVG is no problem. In these labs, MLS_3 was selected because of its higher IP address – but perhaps we want MLS_2 to be the AVG instead. Since we enabled preemption on all three routers at the beginning of the lab, all we need to do is raise the GLBP priority on MLS_2.

MLS_2(config)#int fast 0/0
MLS_2(config-if)#glbp 1 priority 150
01:24:57: %GLBP-6-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active

MLS_2#show glbp brief
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Fa0/0       1    -   150 Active   172.16.23.12    local           172.16.23.3
Fa0/0       1    1   -   Listen   0007.b400.0101  172.16.23.3     -
Fa0/0       1    2   -   Active   0007.b400.0102  local           -
Fa0/0       1    3   -   Listen   0007.b400.0103  172.16.23.1     -

MLS_2 has taken over as the AVG, and MLS_3 is the standby AVG since it has a higher IP address than MLS_1. To make MLS_1 the standby AVG, assign it a priority higher than that of MLS_3 (100) and less than that of MLS_2 (150). After changing the priority on MLS_1 to 125, show glbp brief verifies that MLS_1 is indeed the standby AVG while MLS_2 remains the AVG.

MLS_1(config)#int fast 0/0
MLS_1(config-if)#glbp 1 priority 125

MLS_1#show glbp brief
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Fa0/0       1    -   125 Standby  172.16.23.12    172.16.23.2     local
Fa0/0       1    1   -   Listen   0007.b400.0101  172.16.23.3     -
Fa0/0       1    2   -   Listen   0007.b400.0102  172.16.23.2     -
Fa0/0       1    3   -   Active   0007.b400.0103  local           -

Using Weights And Tracking

Slight warning: This is one of those things that sounds complicated when you hear or read about it, but when you see it in action, you’ll wonder what the fuss was. Hang in there during this quick explanation and then you’ll see it all in action. Now, about those weights…

Before proceeding with this lab, I raised MLS_3’s priority to 160 and it is now the AVG for the group.

MLS_3(config)#int fast 0/0
MLS_3(config-if)#glbp 1 priority 160

MLS_3#show glbp brief
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Fa0/0       1    -   160 Active   172.16.23.12    local           172.16.23.2
Fa0/0       1    1   -   Active   0007.b400.0101  local           -
Fa0/0       1    2   -   Listen   0007.b400.0102  172.16.23.2     -
Fa0/0       1    3   -   Listen   0007.b400.0103  172.16.23.1     -

The default weight of a GLBP-enabled router is 100, and this is the value that determines whether a router can be an AVF. The weight has two default thresholds, lower and upper:

MLS_3#show glbp
FastEthernet0/0 - Group 1
  State is Active
    5 state changes, last state change 00:00:52
  Virtual IP address is 172.16.23.12
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.992 secs
  Redirect time 600 sec, forwarder timeout 14400 sec
  Preemption enabled, min delay 0 sec
  Active is local
  Standby is 172.16.23.2, priority 150 (expires in 8.000 sec)
  Priority 160 (configured)
  Weighting 100 (default 100), thresholds: lower 1, upper 100
  Load balancing: round-robin

We can use interface tracking and those thresholds to determine whether the local router is eligible to be an AVF. In this lab, we’ll configure MLS_3 to disqualify itself as an AVF if the line protocol on fast 0/1 goes down. This does not in any way affect MLS_3’s status as the AVG.

Before configuring interface tracking, what do we do? CHECK THAT INTERFACE!

MLS_3#show int fast 0/1
FastEthernet0/1 is up, line protocol is up

Huzzah! Now to set up tracking with the track command, which is a globally configured command rather than an interface-level command.

MLS_3(config)#track ?
  <1-500>     Tracked object
  resolution  Tracking resolution parameters
  timer       Polling interval timers

MLS_3(config)#track 1 ?
  application  Application
  interface    Select an interface to track
  ip           IP protocol
  list         Group objects in a list
  stub-object  Stub tracking object
  <cr>

MLS_3(config)#track 1 interface fastethernet0/1 ?
  ip             IP parameters
  line-protocol  Track interface line-protocol

MLS_3(config)#track 1 interface fastethernet0/1 line-protocol ?
  <cr>
MLS_3(config)#track 1 interface fastethernet0/1 line-protocol

Now we’ll head back to the GLBP configuration. First, we have to set up the value for weighting along with the high and low thresholds. We’ll keep the default weight of 100 while setting a low threshold of 95 and a high of 100.

MLS_3(config)#int fast 0/0
MLS_3(config-if)#glbp 1 weighting ?
  <1-254>  Weighting maximum value
  track    Interface tracking
MLS_3(config-if)#glbp 1 weighting 100 ?
  lower  Weighting lower threshold
  upper  Weighting upper threshold
  <cr>
MLS_3(config-if)#glbp 1 weighting 100 lower ?
  <1-99>  Weighting lower threshold value
MLS_3(config-if)#glbp 1 weighting 100 lower 95 ?
  upper  Weighting upper threshold
  <cr>
MLS_3(config-if)#glbp 1 weighting 100 lower 95 upper ?
  <95-100>  Weighting upper threshold value
MLS_3(config-if)#glbp 1 weighting 100 lower 95 upper 100 ?
  <cr>
MLS_3(config-if)#glbp 1 weighting 100 lower 95 upper 100

The second command needed here is the one specifying the interface to be tracked and the decrement. When the router’s weight drops below the low threshold, it can no longer act as an AVF. Once that weight meets or rises above the high threshold, that router can go right back to work as an AVF. We’re accepting the default decrement here by not entering a value for it; that default is 10.

MLS_3(config-if)#glbp 1 weighting track ?
  <1-500>  Tracked object
MLS_3(config-if)#glbp 1 weighting track 1 ?
  decrement  Weighting decrement
  <cr>
MLS_3(config-if)#glbp 1 weighting track 1

Verify with show glbp.

MLS_3#show glbp
FastEthernet0/0 - Group 1
  State is Active
    13 state changes, last state change 00:43:17
  Virtual IP address is 172.16.23.12
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.344 secs
  Redirect time 600 sec, forwarder timeout 14400 sec
  Preemption enabled, min delay 0 sec
  Active is local
  Standby is 172.16.23.2, priority 150 (expires in 8.000 sec)
  Priority 160 (configured)
  Weighting 100 (configured 100), thresholds: lower 95, upper 100
    Track object 1 state Up decrement 10

With this configuration, MLS_3 should be disqualified from consideration as an AVF if that weight drops below 95. Let’s shut down fast 0/1 on that router and watch the fun! show glbp tells us that the weight has indeed dropped to 90; here are the relevant lines:

  Weighting 90, low (configured 100), thresholds: lower 95, upper 100
    Track object 1 state Down decrement 10

show glbp brief verifies that while MLS_3 is still the AVG, it’s no longer an AVF. MLS_2 is now handling traffic with a destination MAC of 0007.b400.0101, which was formerly handled by MLS_3.

MLS_3#show glbp brief
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Fa0/0       1    -   160 Active   172.16.23.12    local           172.16.23.2
Fa0/0       1    1   -   Listen   0007.b400.0101  172.16.23.2     -
Fa0/0       1    2   -   Listen   0007.b400.0102  172.16.23.2     -
Fa0/0       1    3   -   Listen   0007.b400.0103  172.16.23.1     -

I’ll now bring MLS_3’s fast0/1 interface back online, and shortly after we see the GLBP syslog message shown here. MLS_3 will resume its AVF duties.

*Apr 3 19:09:49: %GLBP-6-FWDSTATECHANGE: FastEthernet0/0 Grp 1 Fwd 1 state Listen -> Active

MLS_3#show glbp brief
Interface   Grp  Fwd Pri State    Address         Active router   Standby router
Fa0/0       1    -   160 Active   172.16.23.12    local           172.16.23.2
Fa0/0       1    1   -   Active   0007.b400.0101  local           -
Fa0/0       1    2   -   Listen   0007.b400.0102  172.16.23.2     -
Fa0/0       1    3   -   Listen   0007.b400.0103  172.16.23.1     -

The reason I ran this lab on our AVG is to emphasize that the AVG election and a router’s ability to serve as an AVF are two separate operations. In short:

Use priority to affect the choice of your primary and backup AVGs.

Use weighting, perhaps in tandem with interface tracking, to affect a router’s ability to serve as an AVF.

Let’s shift our focus to securing our switches!
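The weighting rules from this lab, as an added Python model that is not code from this study guide: the configured weight, the lower and upper thresholds, the per-object decrement, and the fact that losing AVF eligibility never touches the AVG election. Router and tracked-object names are constructed; the threshold ranges come from the IOS Help shown above.

```python
"""Model of GLBP weighting, thresholds and object tracking.

Added example, not code from the study guide; the router and tracked-object
names are constructed. It encodes the rule from the text: an AVF drops out
when its weight falls below the lower threshold and comes back only when the
weight meets or rises above the upper threshold. AVG election is kept
separate to show that weight never affects it.
"""
from dataclasses import dataclass, field


@dataclass
class TrackedObject:
    number: int
    up: bool = True
    decrement: int = 10       # default decrement applied while the object is down


@dataclass
class GlbpRouter:
    name: str
    ip: str
    priority: int = 100
    weight: int = 100         # configured maximum weight (default 100)
    lower: int = 1            # default thresholds: lower 1, upper 100
    upper: int = 100
    tracked: list = field(default_factory=list)
    avf_eligible: bool = True
    events: list = field(default_factory=list)

    def configure_weighting(self, weight: int, lower: int, upper: int) -> None:
        """Mirror the IOS Help ranges: weight 1-254, lower 1-99, upper lower..weight."""
        if not 1 <= weight <= 254:
            raise ValueError("weighting maximum value must be 1-254")
        if not 1 <= lower <= 99:
            raise ValueError("lower threshold must be 1-99")
        if not lower <= upper <= weight:
            raise ValueError("upper threshold must lie between lower and the weight")
        self.weight, self.lower, self.upper = weight, lower, upper

    def track(self, obj: TrackedObject) -> None:
        self.tracked.append(obj)

    @property
    def current_weight(self) -> int:
        """Configured weight minus the decrement of every tracked object that is down."""
        return self.weight - sum(t.decrement for t in self.tracked if not t.up)

    def evaluate(self) -> bool:
        """Re-check AVF eligibility after a tracked object changes state."""
        w = self.current_weight
        if self.avf_eligible and w < self.lower:
            self.avf_eligible = False
            self.events.append(f"{self.name}: weight {w} < lower {self.lower}, no longer an AVF")
        elif not self.avf_eligible and w >= self.upper:
            self.avf_eligible = True
            self.events.append(f"{self.name}: weight {w} >= upper {self.upper}, AVF again")
        return self.avf_eligible


def elect_avg(routers) -> GlbpRouter:
    """Highest priority wins; ties go to the highest IP address. Weight is ignored."""
    return max(routers, key=lambda r: (r.priority, tuple(int(o) for o in r.ip.split("."))))


def lab_scenario() -> GlbpRouter:
    """MLS_3 as configured in the lab: priority 160, weight 100, lower 95,
    upper 100, tracking object 1 with the default decrement of 10."""
    mls3 = GlbpRouter("MLS_3", "172.16.23.3", priority=160)
    mls3.configure_weighting(100, 95, 100)
    mls3.track(TrackedObject(1))
    return mls3


if __name__ == "__main__":
    r = lab_scenario()
    r.tracked[0].up = False      # line protocol on fast 0/1 goes down
    r.evaluate()
    r.tracked[0].up = True       # and comes back
    r.evaluate()
    print("\n".join(r.events))
```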


Chapter 9: Securing The Switches

When some people think of network security, they immediately think of protecting their network from attacks originating on the outside of the network. We’re not “some people”, though, and we can’t afford to think like that. Many successful network attacks are inside jobs, and originate from seemingly innocent sources like DHCP, ARP, CDP, Telnet, and even from other hosts on the same VLAN.

While it’s certainly wise to protect the perimeter of our network, we have to be vigilant against attacks from the interior too. We’ve got important work to do, so let’s get to it!

Port Security

A basic Cisco switch security feature that’s often overlooked, port security uses the source MAC address of incoming frames as a password. A port enabled with port security will expect frames sourced from a particular MAC address or group of addresses (“secure MAC addresses”), and if frames with non-secure source MAC addresses come in on that port, the port takes action ranging from shutting down to “just” letting you and I know about it.

In a nutshell, port security entails having the switch look at the source MAC address of an incoming frame and asking itself, “Do I trust the source of this frame?”

Port security is enabled with the switchport port-security command, and before we can consider any options…

MLS_1(config-if)#switchport port-security
Command rejected: FastEthernet0/1 is a dynamic port.

… we need to make the port a non-trunking port. Port security can’t be configured on a port that even has a possibility of becoming a trunk. This switch has no trunks…

MLS_1#show int trunk
< crickets chirping >
MLS_1#

… but we still can’t secure that port until it’s an access port. Let’s make that happen and put it into VLAN 11.

MLS_1(config)#int fast 0/11
MLS_1(config-if)#switchport mode access
MLS_1(config-if)#switchport access vlan 11
% Access VLAN does not exist. Creating vlan 11
MLS_1(config-if)#switchport port-security

We’ll verify with show port-security and then view our switchport port-security options.

MLS_1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/11            1            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144

MLS_1(config-if)#switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>

Let’s tackle each of these important options, starting with maximum, which defines the number of secure MAC addresses the port can learn. The default is one, and the maximum you’ll see on your switch depends on your switch! I’ve seen ranges from 132 to the whopping 6144 allowed on this port. (I would not recommend allowing 6,144 secure MAC addresses on any port.)

MLS_1(config-if)#switchport port-security maximum ?
  <1-6144>  Maximum addresses

We’ll use the mac-address option to define secure MAC addresses for this port, as well as something called a “sticky address” (sounds gross, but it isn’t).

MLS_1(config-if)#switchport port-security mac-address ?
  H.H.H   48 bit mac address
  sticky  Configure dynamic secure addresses as sticky

Use the aging options to define how long dynamically learned secure MAC addresses should be considered secure. You have the rarely used option of enabling aging for static entries.

MLS_1(config-if)#switchport port-security aging ?
  static  Enable aging for configured secure addresses
  time    Port-security aging time
  type    Port-security aging type

MLS_1(config-if)#switchport port-security aging type ?
  absolute    Absolute aging (default)
  inactivity  Aging based on inactivity time period

MLS_1(config-if)#switchport port-security aging time ?
  <1-1440>  Aging time in minutes. Enter a value between 1 and 1440

MLS_1(config-if)#switchport port-security aging static ?
  <cr>

The violation option defines the action the port should take when a frame with a non-secure MAC address comes in.

MLS_1(config-if)#switchport port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode

The default port security mode is shutdown, which does just that – the port is placed into error-disabled state (“err-disabled”), and manual intervention is needed to reopen the port. That means you or I have to fix the problem and then do a shut / no shut on the port. With shutdown mode, an SNMP trap message is also generated.

Protect mode simply drops the offending frames and no other action is taken.

Our middle-ground security mode is restrict. The non-secure frames are dropped, an SNMP trap notification and a syslog message are generated, and the port remains open.

Here’s the network topology for the port-security labs. We’re using the hosts primarily to send pings that will (or will not) trigger port security.

Let’s see port security in action! I’ll configure port security on port fast0/1 after shutting the interface, and then set the secure MAC address to aaaa-bbbb-cccc.

MLS_1(config)#int fast 0/1
MLS_1(config-if)#shut
MLS_1(config-if)#switchport port-security
MLS_1(config-if)#switchport port-security mac-address aaaa.bbbb.cccc

When a secure MAC address is allowed on a port, but none is defined, the next dynamically learned source MAC address is considered the secure address. That’s why I shut the port before configuring port security – just in case traffic came in on that port before I could finish.

After reopening the port, I’ll send some pings from R1 and then quickly head back over to the switch to see what happens.

R1#ping 172.16.23.222

Back on the switch:

SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0017.59e2.474a on port FastEthernet0/1.
01:46:31: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
01:46:32: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down

Looks like the data was NOT from a trusted source, as both show port-security and show int fast 0/1 verify the security violation.

MLS_1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
       Fa0/1            1            1                  1         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144

MLS_1#show int fast 0/1
FastEthernet0/1 is down, line protocol is down (err-disabled)

Time for the network admins to step in! First, we resolve the problem by removing the currently defined secure MAC address on Fast0/1.
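The decision the switch just made, as an added Python model that is not code from this study guide: secure addresses are the static ones plus dynamically learned ones up to the maximum, and the violation mode decides what happens to a frame from any other source MAC. Port names and MAC addresses are constructed; aging is modelled in minutes, the unit the aging time command uses.

```python
"""Model of Cisco port security's per-frame decision.

Added example, not code from the study guide. Port names and MAC addresses
are constructed. It implements the behaviour described in the text: secure
MACs are the statically configured ones plus dynamically learned ones until
'maximum' is reached; a non-secure source MAC is handled by the violation
mode (shutdown: err-disable and count; restrict: drop, count and notify;
protect: drop silently). Aging is in minutes, matching the aging time command.
"""
from dataclasses import dataclass, field

SHUTDOWN, RESTRICT, PROTECT = "shutdown", "restrict", "protect"


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                              # switchport port-security maximum
    violation: str = SHUTDOWN                     # default violation mode
    aging_minutes: int = 0                        # 0 = dynamic addresses never age out
    static: set = field(default_factory=set)      # SecureConfigured addresses
    dynamic: dict = field(default_factory=dict)   # SecureDynamic: mac -> minute learned
    violation_count: int = 0
    err_disabled: bool = False
    syslog: list = field(default_factory=list)

    def __post_init__(self):
        if not 1 <= self.maximum <= 6144:
            raise ValueError("maximum must be 1-6144 on this platform")
        if self.violation not in (SHUTDOWN, RESTRICT, PROTECT):
            raise ValueError(f"unknown violation mode {self.violation}")

    def add_static(self, mac: str) -> None:
        if len(self.static) >= self.maximum:
            raise ValueError("cannot configure more static addresses than maximum")
        self.static.add(mac)

    def remove_static(self, mac: str) -> None:
        self.static.discard(mac)

    def current_addresses(self) -> int:
        return len(self.static) + len(self.dynamic)

    def _expire(self, now_min: int) -> None:
        # Absolute aging: a learned address is removed once aging_minutes have passed.
        if self.aging_minutes:
            for mac, learned in list(self.dynamic.items()):
                if now_min - learned >= self.aging_minutes:
                    del self.dynamic[mac]

    def receive(self, src_mac: str, now_min: int = 0) -> str:
        """Return 'forward', 'drop' or 'err-disabled' for a frame from src_mac."""
        if self.err_disabled:
            return "err-disabled"
        self._expire(now_min)
        if src_mac in self.static or src_mac in self.dynamic:
            return "forward"
        if self.current_addresses() < self.maximum:
            self.dynamic[src_mac] = now_min           # learned, now considered secure
            return "forward"
        if self.violation == PROTECT:
            return "drop"                             # no counter, no notification
        self.violation_count += 1
        self.syslog.append(
            f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
            f"caused by MAC address {src_mac} on port {self.name}.")
        if self.violation == RESTRICT:
            return "drop"                             # port stays up
        self.err_disabled = True                      # shutdown mode: manual recovery
        return "err-disabled"

    def shut_no_shut(self) -> None:
        """Operator recovery: clears err-disabled and the dynamically learned addresses."""
        self.err_disabled = False
        self.dynamic.clear()


def lab_fast0_1() -> SecurePort:
    """Fast0/1 from the lab: one secure address, set statically before the port reopens."""
    port = SecurePort("FastEthernet0/1")
    port.add_static("aaaa.bbbb.cccc")
    return port


if __name__ == "__main__":
    port = lab_fast0_1()
    print(port.receive("0017.59e2.474a"), port.syslog)   # R1's frame trips shutdown mode
```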

MLS_1(config)#int fast 0/1
MLS_1(config-if)#no switchport port-security mac-address aaaa.bbbb.cccc

We’ll do a shut / no shut on the interface and verify with show int fast 0/1.

MLS_1(config-if)#shut
MLS_1(config-if)#no shut
01:53:47: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
01:53:49: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up

To test the new config, we’ll send some pings from R1 again and then head right back to the switch.

R1#ping 172.16.23.222

Back on the switch, there’s no message about the port shutting down, so we’ll verify that everything’s beautiful with three separate show port-security commands, starting with the main one.

MLS_1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
       Fa0/1            1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144

Note carefully that you see the Security Action listed, but none has been taken, as there are no Security Violations. We see there’s one secure address allowed on Fast0/1 (the default), and that one current address is considered secure.

show port-security address verifies the exact address that’s been learned and considered secure, along with the VLAN, the port, and the method used to learn the address. This one’s marked as SecureDynamic since it is a secure address that was learned dynamically (rather than statically, as with the aaaa.bbbb.cccc address configured earlier).

MLS_1#show port-security address ?
  vlan  Vlan limits
  |     Output modifiers
  <cr>

MLS_1#show port-security address
               Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
 100    0017.59e2.474a    SecureDynamic       Fa0/1        -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144

Finally, show port-security interface fast 0/1 verifies port security is enabled, the port is secured and up, and the violation mode is at the default, and provides other handy info including the last source address of incoming frames and the VLAN it belonged to.

MLS_1#show port-security interface fast 0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1

Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0017.59e2.474a:100
Security Violation Count   : 0

The aging time of “0 minutes” means that secure MAC addresses will never age out on this port. The port is secure and up.

I just know someone out there is wondering what happens if you allow multiple secure MAC addresses on a port, and you statically configure a few without hitting the maximum. Let’s find out on port Fast0/2, where I’ll allow 3 addresses to be considered secure while configuring 2 static secure addresses.

MLS_1(config)#int fast 0/2
MLS_1(config-if)#switchport port-security
MLS_1(config-if)#switchport port-security maximum 3
MLS_1(config-if)#switchport port-security mac-address aaaa.aaaa.aaaa
MLS_1(config-if)#switchport port-security mac-address aaaa.bbbb.aaaa

I’ll then send pings from R2 and head quickly back over to the switch.

R2#ping 172.16.23.111

No messages on the switch regarding a shutdown. Let’s run show port-security interface fast0/2, and note that there are now a total of 3 secure addresses and 2 configured addresses.

MLS_1#show port-security int fast 0/2
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 3
Total MAC Addresses        : 3
Configured MAC Addresses   : 2
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 001b.d4c2.0990:100
Security Violation Count   : 0

If you allow a certain number of secure MAC addresses and don’t statically configure all of them, the next dynamically learned MAC addresses will be considered secure until the limit is hit. Had we allowed four secure addresses and configured only two static ones, the next two source MAC addresses for incoming frames on that port would be considered secure.

Let’s run show port-security address and show port-security.

MLS_1#show port-security address
               Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
 100    0017.59e2.474a    SecureDynamic       Fa0/1        -
 100    001b.d4c2.0990    SecureDynamic       Fa0/2        -
 100    aaaa.aaaa.aaaa    SecureConfigured    Fa0/2        -
 100    aaaa.bbbb.aaaa    SecureConfigured    Fa0/2        -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 2
Max Addresses limit in System (excluding one mac per port) : 6144

did I get that right? Nope. The command to change the aging time of our entire MAC address table uses seconds… MLS _ 1(config)#mac address-table aging-time ? <0-0> Enter 0 to disable aging <10-1000000> Aging time in seconds … but the command to change the aging time of the secure MAC address table uses MLS _ 1(config-if)#switchport port-security aging time ? <1-1440> Aging time in minutes.d4c2.115 S T U DY G U I D E MLS _ 1#show port-security Secure Port C H R I S B R YA N T Vlan Mac Address Type Ports -.0990 SecureDynamic Fa0/2 299 Fa0/1 1 1 0 Shutdown 100 aaaa. ----------.aaaa SecureConfigured Fa0/2 - Fa0/2 3 3 0 Shutdown 100 aaaa. MLS _ 1(config)#int fast 0/2 MLS _ 1(config-if)#switchport port-security aging ? static Enable aging for configured secure addresses time Port-security aging time type Port-security aging type Max Addresses limit in System (excluding one mac per port) : 6144 So. MLS _ 1(config)#int fast 0/2 MLS _ 1(config-if)#switchport port-security aging time ? <1-1440> Aging time in minutes. -----. two of them statically configured and the other dynamically learned.bbbb. Remaining Age (mins) MaxSecureAddr CurrentAddr SecurityViolation Security Action 100 0017.aaaa SecureConfigured Fa0/2 - : 2 Total Addresses in System (excluding one mac per port) Total Addresses in System (excluding one mac per port) Max Addresses limit in System (excluding one mac per port) : 6144 There are three entries for Fa0/2. ------------. I got it wrong – and here’s why I’m always telling you to check the unit of measure when you change anything on a Cisco router or switch. Enter a value between 1 and 1440 MLS _ 1(config-if)#switchport port-security aging time 300 MLS _ 1(config-if)#switchport port-security aging type ? absolute Absolute aging (default) inactivity : 2 Aging based on inactivity time period minutes.59e2. We’ll accept the aging type default shown via IOS Help and then verify with show port-security address. 
While we’re here.aaaa.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 .474a SecureDynamic Fa0/1 - (Count) (Count) (Count) 100 001b. let’s enable aging and set it to 300 seconds (the default aging time for our “regular” MAC address table). Enter a value between 1 and 1440 MLS _ 1(config-if)#switchport port-security aging time 5 MLS _ 1#show port-security address MLS _ 1#show port-security address Secure Mac Address Table Secure Mac Address Table 248 249 .

59e2. SecureDynamic Remaining Age (mins) -----. ------------.d4c2. then send pings from R1 and check the secure address table. 100 0017. To have dynamically learned 100 aaaa. enable sticky address learning on the 100 aaaa.aaaa SecureConfigured Fa0/2 - addresses retained in case of a port reset or reboot. when changing anything! MLS _ 1#show port-security address Secure Mac Address Table Making Secure Addresses Sticky Right now.aaaa.aaaa.474a SecureDynamic Fa0/1 - %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1.) MLS _ 1#show port-security address Secure Mac Address Table Vlan Mac Address -. 100 aaaa. -----.aaaa SecureConfigured Fa0/2 - port.115 S T U DY G U I D E Vlan Mac Address Type Ports -. do that here.aaaa SecureConfigured Fa0/2 - Total Addresses in System (excluding one mac per port) Type Ports ------------. I’ll do a shut / no shut on the port to illustrate.aaaa SecureConfigured Fa0/2 - MLS _ 1(config-if)#no shut 100 aaaa. changed state 100 001b.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 .0990 SecureDynamic Fa0/2 4 to down 100 aaaa. ----------. 100 0017.aaaa.aaaa SecureConfigured Fa0/2 - ----------. data. so be sure to save the changes! I’ll That dynamically learned address will be lost if the port is reset or the switch is reloaded.aaaa SecureConfigured Fa0/2 - 100 aaaa.59e2. Fa0/1 has one secure MAC address. changed state to up 00:28:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1. ----------. ------------.bbbb. changed state to up Always use IOS Help to check the unit of time. (The dynamically learned address for R2 has now aged out. Remaining Age (mins) : 1 Max Addresses limit in System (excluding one mac per port) : 6144 MLS _ 1# Fa0/1 - The same thing would happen if I rebooted the switch.bbbb. changed state to down 250 Port-security aging commands mac-address Secure mac address 251 . 
changed state to administratively down MLS _ 1#show port-security address Total Addresses in System (excluding one mac per port) : 2 Max Addresses limit in System (excluding one mac per port) : 6144 00:28:20: %LINK-3-UPDOWN: Interface FastEthernet0/1. MLS _ 1(config)#int fast 0/1 MLS _ 1(config-if)#switchport port-security ? MLS _ 1(config)#int fast 0/1 Aging MLS _ 1(config-if)#shut %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan100. These addresses are written to the running config.474a Vlan Mac Address Type Ports -.bbbb. -----. Remaining Age (mins) C H R I S B R YA N T %LINK-5-CHANGED: Interface FastEthernet0/1. for which the default of “no aging” has not been changed.

aaaa SecureConfigured Fa0/2 - 100 aaaa.bbbb.16.59e2. a port that goes into err-disabled state must be manually reset – after resolving the condition that put the port in that state to begin with. and the address was still in the table after the reboot.H ----------.aaaa SecureConfigured Fa0/2 - 100 aaaa. SecureSticky Fa0/1 - 100 aaaa.H. ------------. Stickiness R1#ping 172.23. Ports are shut down by port security due to a psecure-violation. SecureSticky Fa0/1 - 100 aaaa.59e2. -----. define what conditions should be allowed to have ports use Total Addresses in System (excluding one mac per port) : 1 Max Addresses limit in System (excluding one mac per port) : 6144 The address is now shown in the secure MAC table as “SecureSticky”. so we’ll enable this feature only for ports put into err-disabled state in that fashion. this feature with errdisable recovery cause. Remaining Age (mins) 48 bit mac address Sticky Configure dynamic secure addresses as sticky Total Addresses in System (excluding one mac per port) : 1 Max Addresses limit in System (excluding one mac per port) : 6144 MLS _ 1(config-if)#switchport port-security mac-address sticky The entry is still in the table! I did reload the switch at this point.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 . First. use the all option. 100 0017.222 works! MLS _ 1#show port-security address Secure Mac Address Table Automatic Recovery From Err-Disabled Status Vlan Mac Address Type Ports -. use errdisable recovery.aaaa.bbbb.115 S T U DY G U I D E C H R I S B R YA N T maximum Max secure addresses Vlan Mac Address Type Ports violation Security violation mode -. along with the SecureConfigured addresses.aaaa. To have errdisable recovery apply to ports placed into err-disabled state for any reason. I’ll shut the port and then take a look at this table again. -----. of course! 
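To make the rules above concrete – free slots under the maximum are filled by the next MACs seen, a further MAC is a violation, aging is in minutes and touches only dynamic entries, and sticky entries survive a reset – here is a small Python model of the secure-address table. It is an added example, not IOS code or anything from this book; the MAC 0000.0c12.3456 used as the "fourth" station is made up, and only the default shutdown violation mode and absolute aging are modelled.

```python
"""Model of the secure-address table behind 'show port-security'.

Constructed illustration (not IOS code): it models the shutdown violation mode
only, and treats aging as absolute aging of dynamic entries, which is the
default the lab accepts via IOS Help.
"""
from dataclasses import dataclass, field

CONFIGURED, DYNAMIC, STICKY = "SecureConfigured", "SecureDynamic", "SecureSticky"


@dataclass
class SecurePort:
    name: str
    maximum: int = 1          # switchport port-security maximum N
    sticky: bool = False      # switchport port-security mac-address sticky
    aging_minutes: int = 0    # switchport port-security aging time N  (MINUTES; 0 = never age)
    # mac -> [entry type, minutes the entry has been in the table]
    table: dict = field(default_factory=dict)
    status: str = "Secure-up"
    violations: int = 0

    def configure_mac(self, mac):
        """switchport port-security mac-address H.H.H (a static secure address)."""
        if mac not in self.table and len(self.table) >= self.maximum:
            raise ValueError(f"{self.name}: maximum of {self.maximum} already reached")
        self.table[mac] = [CONFIGURED, 0]

    def frame_from(self, mac):
        """A frame with source MAC 'mac' arrives. True = forwarded, False = violation."""
        if self.status != "Secure-up":
            return False                       # an err-disabled port forwards nothing
        if mac in self.table:
            return True
        if len(self.table) < self.maximum:
            # Slots left under the maximum are filled by the next MACs seen on the port.
            self.table[mac] = [STICKY if self.sticky else DYNAMIC, 0]
            return True
        # Unknown MAC with the limit reached: violation mode shutdown err-disables the port.
        self.violations += 1
        self.status = "Secure-shutdown"
        return False

    def tick(self, minutes):
        """Absolute aging: only dynamic entries age, and only when an aging time is set."""
        if self.aging_minutes == 0:
            return
        for mac in list(self.table):
            kind, age = self.table[mac]
            if kind != DYNAMIC:
                continue
            if age + minutes >= self.aging_minutes:
                del self.table[mac]
            else:
                self.table[mac][1] = age + minutes

    def reset(self):
        """shut/no shut or a reload: dynamic entries vanish, configured and sticky survive."""
        self.table = {m: e for m, e in self.table.items() if e[0] != DYNAMIC}
        self.status = "Secure-up"

    def types(self):
        """MAC -> entry type, the Type column of 'show port-security address'."""
        return {m: e[0] for m, e in self.table.items()}


def book_scenario():
    """Fa0/2 from the lab: maximum 3, two static addresses, one slot for a learned one."""
    fa02 = SecurePort("Fa0/2", maximum=3)
    fa02.configure_mac("aaaa.aaaa.aaaa")
    fa02.configure_mac("aaaa.bbbb.aaaa")
    fa02.frame_from("001b.d4c2.0990")                      # R2 takes the third slot
    fourth_forwarded = fa02.frame_from("0000.0c12.3456")   # constructed fourth MAC: violation
    return fa02, fourth_forwarded
```

Run book_scenario() and you get the same three entries the lab's show port-security address displayed, plus a port in Secure-shutdown once a fourth station shows up. Setting aging_minutes and calling tick() shows why the "300" in the lab was a five-hour wait: the unit is minutes.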
Automatic Recovery From Err-Disabled Status

We know via first-hand experience that by default, a port that goes into err-disabled state must be manually reset – after resolving the condition that put the port in that state to begin with. To have err-disabled ports come out of that state dynamically after a certain period of time, use errdisable recovery.

First, define what conditions should be allowed to have ports use this feature with errdisable recovery cause. To have errdisable recovery apply to ports placed into err-disabled state for any reason, use the all option. Ports are shut down by port security due to a psecure-violation, so we'll enable this feature only for ports put into err-disabled state in that fashion.

SW1(config)#errdisable recovery cause ?
  all                 Enable timer to recover from all causes
  bpduguard           Enable timer to recover from BPDU Guard error disable state
  channel-misconfig   Enable timer to recover from channel misconfig disable state
  dhcp-rate-limit     Enable timer to recover from dhcp-rate-limit error disable state
  dtp-flap            Enable timer to recover from dtp-flap error disable state
  gbic-invalid        Enable timer to recover from invalid GBIC error disable state
  link-flap           Enable timer to recover from link-flap error disable state
  loopback            Enable timer to recover from loopback detected disable state
  pagp-flap           Enable timer to recover from pagp-flap error disable state
  psecure-violation   Enable timer to recover from psecure violation disable state
  security-violation  Enable timer to recover from 802.1x violation disable state
  udld                Enable timer to recover from udld error disable state
  unicast-flood       Enable timer to recover from unicast flood disable state
  vmps                Enable timer to recover from vmps shutdown error disable state

SW1(config)#errdisable recovery cause psecure-violation

To change the interval from the default of 300 seconds, use errdisable recovery interval. I'll set it to 30 seconds for our lab. (Watch the spelling – "erridsable" gets you nothing but an error.)

SW1(config)#erridsable recovery interval ?
% Unrecognized command
SW1(config)#errdisable recovery interval ?
  <30-86400>  timer-interval(sec)
SW1(config)#errdisable recovery interval 30

At this point, I removed any previous port security config from Fa0/2 and reconfigured the port to allow a single secure MAC address, aaaa.aaaa.aaaa. The first frames that came in from R2 shut the port down…

%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/2, putting Fa0/2 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001b.d4c2.0990 on port FastEthernet0/2.

… and 30 seconds later, the port begins to come out of err-disabled state!

%PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/2
%LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up

Recovery only restarts the port; it doesn't remove the cause. If R2 keeps sending frames, the next one puts Fa0/2 right back into err-disabled state. You have to fix the problem or the port will bounce in and out of err-disabled state!
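A port that errdisable recovery keeps re-enabling is exactly the kind of thing you want your log collector to flag rather than find by reading syslog. The following Python is an added example (not from this book) that parses the %PM-4-ERR_DISABLE, %PM-4-ERR_RECOVER and %PORT_SECURITY-2-PSECURE_VIOLATION messages of the form shown above, counts disable/recover cycles per port, and flags a port that was recovered and then disabled again. The log lines in SAMPLE_LOG are constructed to mirror the lab's messages; they are not a real capture, and the Fa0/7 bpduguard line is invented to show a non-bouncing port.

```python
"""Detect ports that errdisable recovery keeps bouncing, from switch syslog lines.

Added example; the log lines below are constructed to mirror the messages shown
in the lab and are not a real capture.
"""
import re
from collections import defaultdict

DISABLE = re.compile(r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<port>\S+),")
RECOVER = re.compile(r"%PM-4-ERR_RECOVER: Attempting to recover from (?P<cause>\S+) "
                     r"err-disable state on (?P<port>\S+)")
VIOLATION = re.compile(r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
                       r"(?P<mac>[0-9a-f.]+) on port (?P<port>\S+)\.")

SAMPLE_LOG = """\
00:31:02: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/2, putting Fa0/2 in err-disable state
00:31:02: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001b.d4c2.0990 on port FastEthernet0/2.
00:31:32: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/2
00:31:33: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to up
00:31:33: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
00:31:34: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/2, putting Fa0/2 in err-disable state
00:31:34: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001b.d4c2.0990 on port FastEthernet0/2.
00:40:10: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/7, putting Fa0/7 in err-disable state
""".splitlines()


def short_name(ifname):
    """FastEthernet0/2 -> Fa0/2, GigabitEthernet1/0/1 -> Gi1/0/1 (the form the PM messages use).
    Handles the Ethernet interface names seen in these messages only."""
    m = re.match(r"([A-Za-z]+)(\S+)", ifname)
    return m.group(1)[:2] + m.group(2) if m else ifname


def analyze(lines, bounce_threshold=2):
    """Per-port summary: disable/recover counts, causes, offending MACs and a bouncing flag."""
    ports = defaultdict(lambda: {"disables": 0, "recovers": 0, "causes": set(), "macs": set()})
    for line in lines:
        if m := DISABLE.search(line):
            ports[m["port"]]["disables"] += 1
            ports[m["port"]]["causes"].add(m["cause"])
        elif m := RECOVER.search(line):
            ports[m["port"]]["recovers"] += 1
        elif m := VIOLATION.search(line):
            # The PSECURE message spells the interface out in full; normalise it.
            ports[short_name(m["port"])]["macs"].add(m["mac"])
    for p in ports.values():
        # Recovered at least once and disabled again: the timer is re-enabling an unfixed port.
        p["bouncing"] = p["recovers"] >= 1 and p["disables"] >= bounce_threshold
    return dict(ports)
```

analyze(SAMPLE_LOG) reports Fa0/2 as bouncing with 001b.d4c2.0990 as the offender, which is the ticket you actually want: the unexpected station, not the port flap.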

Dot1x Port-Based Authentication

We can take port-level security (cliché alert!) to the next level with dot1x port-based authentication. The name refers to IEEE 802.1x, the standard upon which this feature is based. It's a bit unusual in that the Cisco authentication server must be RADIUS-based; you can't use TACACS or TACACS+. (The RADIUS version you'll use is technically RADIUS with EAP extensions.)

A major difference between this feature and port security is that both the host and the switch port must be configured for 802.1x. That's a major departure from the switch features we've studied to date, since few (if any) of those require us to configure anything on the host.

Strange but true: If the switch is ready for dot1x authentication and the supplicant isn't, communications between the two will fail. (That's not the strange part.) If the supplicant is running dot1x but the switch isn't, the PC will not concern itself with dot1x and will communicate with the switch as it normally would.

A typical dot1x port-based authentication deployment involves the dot1x-enabled PC (the supplicant), the dot1x-enabled switch (the authenticator), and a RADIUS server (the authentication server). The PC has a single physical connection to the switch, but the switch port it connects to is logically divided into two ports by dot1x, the controlled and uncontrolled ports. Unlike typical subinterfaces, the network admins do not have to configure these logical ports. Dot1x handles that. We just need to configure the supplicant for dot1x!

By default, the controlled port cannot transmit data until authentication actually takes place. The uncontrolled port can transmit without authentication, but on a limited basis, as only EAPOL (Extensible Authentication Protocol over LANs), STP, and CDP can be transmitted at that time. Of course, once the user authenticates, all traffic can be received and sent via the port.

To get started with dot1x, we first have to enable AAA with aaa new-model. We'll follow that by pointing the switch to our RADIUS server(s), and then enable dot1x to use those RADIUS servers for authentication.

MLS_1(config)#aaa new-model

The radius-server command literally has about 40 options; the only one we need to concern ourselves with right now is host, followed by the key shared with that server.

MLS_1(config)#radius-server host 172.16.23.55 key CCNP

MLS_1(config)#aaa authentication ?
  arap             Set authentication lists for arap.
  attempts         Set the maximum number of authentication attempts
  banner           Message to use when starting login/authentication.
  dot1x            Set authentication lists for IEEE 802.1x.
  enable           Set authentication list for enable.
  eou              Set authentication lists for EAPoUDP
  fail-message     Message to use for failed login/authentication.
  login            Set authentication lists for logins.
  password-prompt  Text to use when prompting for a password
  ppp              Set authentication lists for ppp.
  sgbp             Set authentication lists for sgbp.
  suppress         Do not send access request for a specific type of user.
  username-prompt  Text to use when prompting for a username

MLS_1(config)#aaa authentication dot1x ?
  WORD     Named authentication list (max 31 characters).
  default  The default authentication list.

MLS_1(config)#aaa authentication dot1x default ?
  cache  Use Cached-group
  group  Use Server-group
  local  Use local username authentication.

MLS_1(config)#aaa authentication dot1x default group ?
  WORD    Server-group name
  ldap    Use list of all LDAP hosts.
  radius  Use list of all Radius hosts.

MLS_1(config)#aaa authentication dot1x default group radius

Finally, we get to enable dot1x port-based authentication!

MLS_1(config)#dot1x ?
  credentials          Configure 802.1X credentials profiles
  critical             Set 802.1x Critical Authentication parameters
  guest-vlan           Configure Guest Vlan and 802.1x Supplicant behavior
  logging              Set logging parameters
  supplicant           802.1X supplicant configuration
  system-auth-control  Enable or Disable SysAuthControl
  test                 Configure dot1x test related parameters

MLS_1(config)#dot1x system-auth-control

And even more finally, we get to set the authentication type. This one is an interface-level command.

MLS_1(config-if)#dot1x port-control ?
  auto                PortState will be set to AUTO
  force-authorized    PortState set to Authorized
  force-unauthorized  PortState will be set to UnAuthorized

That's a lot of force! The first force-based option, force-authorized, tells the port to unconditionally authorize the host, using no authentication. That's the default, and it's a default you may well want to change – with dot1x system-auth-control alone, every port is still force-authorized and nobody is actually being authenticated. force-unauthorized tells the port to never authorize the host, which seems a tad harsh. auto is the way to go on the ports you actually want protected, as it allows a host to be authorized via an exchange of dot1x messages, including the client's credentials.

Now that we've covered port security and dot1x port-based authentication, a natural question arises: "Can you run port security and dot1x authentication on the same port?" Surprisingly, the answer is yes! From Cisco's website: "When you enable port security and 802.1x on a port, 802.1x authenticates the port and port security manages the number of MAC addresses allowed on that port."
SPAN

We've securely secured our ports, but one day, we're likely to want to connect a network analyzer ("sniffer") to one of those ports. To get the job done, the analyzer needs a copy of every frame the hosts are sending and/or receiving, and we'll use SPAN to capture that traffic. SPAN allows the switch to mirror traffic from source port(s) to a destination port. A common situation is illustrated here, where we want to analyze traffic sourced from the three PCs; the destination port is the one our network analyzer is connected to.

In this example, we're running local SPAN, since the source and destination ports are on the same switch (or same switch stack). By default, both traffic destined for and sourced from the source ports is mirrored to the destination port.

The command monitor session starts a SPAN session, along with defining the source and destination ports. Note that possible sources include:

- Individual ports
- Entire VLANs (in which case you're running VLAN-based SPAN, or VSPAN)
- Port-channels, representing an entire Etherchannel

Multiple SPAN sessions are totally separate operations, and the number of simultaneous SPAN sessions you can run differs between switch platforms. Cisco 2950s allow only two, while the ones we're on here allow just a few more.

MLS_1(config)#monitor session ?
  <1-66>  SPAN session number

MLS_1(config)#monitor session 47 ?
  destination  SPAN destination interface or VLAN
  filter       SPAN filter VLAN
  source       SPAN source interface, VLAN

MLS_1(config)#monitor session 47 source ?
  interface  SPAN source interface
  remote     SPAN source Remote
  vlan       SPAN source VLAN

MLS_1(config)#monitor session 47 source interface ?
  FastEthernet     FastEthernet IEEE 802.3
  GigabitEthernet  GigabitEthernet IEEE 802.3z
  Port-channel     Ethernet Channel of interfaces

Let's set up a local SPAN session, using ports Fa0/3, 4, and 5 as the source ports and Fa0/9 as the destination, and then verify with show monitor.

MLS_1(config)#monitor session 47 source interface fast0/3 - 5
MLS_1(config)#monitor session 47 destination ?
  interface  SPAN destination interface
  remote     SPAN destination Remote
MLS_1(config)#monitor session 47 destination interface fast 0/9

MLS_1#show monitor
Session 47
---------
Type              : Local Session
Source Ports      :
    Both          : Fa0/3-5
Destination Ports : Fa0/9
    Encapsulation : Native
          Ingress : Disabled

No need to run show vlan brief for VLAN info, since it doesn't matter to SPAN whether the source ports are all in the same VLAN or not. Note "Ingress : Disabled" as well: by default the destination port won't accept frames coming in from the analyzer, which is exactly what you want from a capture port.

Let me save you some seriously unnecessary troubleshooting time with this little tip! If you look at fast 0/9 right now, you'll see something that might make ya cuss:

MLS_1#show int fast 0/9
FastEthernet0/9 is down, line protocol is down (monitoring)

No need to sweat, just read all the way to the end of that line and you'll see (monitoring). That means you're looking at a SPAN destination port, and this is the one time in which seeing that an interface is "down and down" is what you should see!

That's all well and good, but what if SPAN isn't all local? What if the traffic to be monitored is originating on one particular switch and the only vacant port available is on another switch?

RSPAN to the rescue! Configuring Remote SPAN on both switches will allow mirrored frames to be sent over the trunk via a separate VLAN that will carry only those mirrored frames. The source and destination must be defined on both the switch containing the source ports and the switch connected to the network analyzer, but the commands will NOT be the same, so don't cut and paste 'em!

Here's the setup for our RSPAN lab: On MLS_1, we'll set up the SPAN session by naming the source ports and configuring the RSPAN VLAN as the destination. The config on MLS_2 will name the source as the RSPAN VLAN and the destination as the port connected to the analyzer. On both, we'll create VLAN 30 and identify it as the RSPAN VLAN with remote-span.

MLS_1(config)#vlan 30
MLS_1(config-vlan)#remote-span
MLS_1(config)#monitor session 1 source int fast 0/1 - 5
MLS_1(config)#monitor session 1 destination remote ?
  vlan  Remote SPAN destination RSPAN VLAN
MLS_1(config)#monitor session 1 destination remote vlan ?
  <2-1001>     Remote SPAN destination RSPAN VLAN number
  <1006-4094>  Remote SPAN destination extended RSPAN VLAN number
MLS_1(config)#monitor session 1 destination remote vlan 30 ?
  <cr>
MLS_1(config)#monitor session 1 destination remote vlan 30

On MLS_2, we'll also define VLAN 30 as the RSPAN VLAN.

MLS_2(config)#vlan 30
MLS_2(config-vlan)#remote-span
MLS_2(config)#monitor session 1 source remote vlan 30
MLS_2(config)#monitor session 1 destination int fast0/10

Whew! After all that, the config is easy. This isn't a complex configuration, but we need to keep a few things in mind:

- If there were intermediate switches between the two shown in the previous example, they would all need to be RSPAN-capable.
- VTP treats the RSPAN VLAN like any other VLAN by propagating it throughout the VTP domain (if configured on a VTP server, natch!). Otherwise, that VLAN will have to be propagated manually on every switch along that path.
- VTP pruning will prune the RSPAN VLAN under the same circumstances it would prune a normal VLAN.
- MAC address learning is disabled for the RSPAN VLAN.

The toughest part of working with SPAN can be remembering the ports that are eligible and not eligible to be source or destination ports. Here are some tips for a successful SPAN configuration.

By default, traffic both from the source port and destined for the source port is mirrored to the destination port. To change this, use the rx and tx options at the end of monitor session.

SW2(config)#monitor session 47 source interface fast 0/1 - 5 ?
  ,     Specify another range of interfaces
  -     Specify a range of interfaces
  both  Monitor received and transmitted traffic
  rx    Monitor received traffic only
  tx    Monitor transmitted traffic only
  <cr>

Source port notes:

- A source port can be part of an Etherchannel, and you can use SPAN to monitor an entire EtherChannel by specifying that EC's port-channel interface as the source. Be aware that if a port that's in an EC is a source port, only the traffic going over that specific port will be mirrored. If you want all the traffic on an EC to be mirrored, you have to make the entire EC the source.
- Commonly referred to as VSPAN, an entire VLAN can be configured as a source.
- VLAN membership doesn't matter; ports from different VLANs can serve as source ports for the same SPAN session.
- A source port can be monitored in multiple, simultaneous SPAN sessions.
- A source port cannot also serve as a destination port.
- A trunk port can be a source port, but be aware that every single bit of traffic on any of the VLANs that are part of that trunk will be mirrored to the destination port. Trunk ports can be configured as source and/or destination ports; the default behavior will result in the monitoring of all active VLANs on the trunk.
- The speed of the port doesn't affect a port's ability to be a source port or a destination port, but it's a good idea to have a destination port be equal or higher in speed than the source port(s).

Destination port notes:

- A destination port can participate in only one SPAN session; a single port cannot serve as the destination for multiple SPAN sessions.
- A destination port cannot be a source port.
- A destination SPAN port doesn't participate in STP, CDP, DTP, VTP, PAgP, or LACP.
- While source ports can be part of an Etherchannel, a destination port cannot.

And just one more thing… remember the remote-span command we placed on both switches in our RSPAN config? If you have switches between the switch with source ports and the one with destination ports, you need that command on every intermediate switch.
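The eligibility rules above are easy to get wrong when a switch carries several sessions, so here they are encoded as a pre-flight check. This is an added example, not from the book: check_span() takes a constructed inventory of interface speeds and EtherChannel membership (the LAB object, invented for illustration) and a list of planned local SPAN sessions, and returns the configurations IOS would reject as errors and the "tips" (slower destination, single EC member as source) as warnings.

```python
"""Sanity checks for local SPAN sessions, encoding the source/destination rules above.

Added example (not from the book); the LAB switch below is a constructed
inventory of interface speeds and EtherChannel membership.
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    number: int
    sources: list             # physical ports (or a Port-channel name) to mirror
    destination: str          # the analyzer port
    direction: str = "both"   # both | rx | tx


@dataclass
class Switch:
    speeds: dict              # interface -> Mb/s
    etherchannel: dict = field(default_factory=dict)   # member interface -> Port-channel


LAB = Switch(
    speeds={**{f"Fa0/{n}": 100 for n in range(1, 25)}, "Gi0/1": 1000, "Gi0/2": 1000},
    etherchannel={"Gi0/1": "Po1", "Gi0/2": "Po1"},
)


def check_span(switch, sessions):
    """Return (errors, warnings). Errors are configs IOS rejects; warnings are the 'tips'."""
    errors, warnings = [], []
    sources = {src: s.number for s in sessions for src in s.sources}  # port -> a session using it
    dest_owner = {}
    for s in sessions:
        d = s.destination
        if s.direction not in ("both", "rx", "tx"):
            errors.append(f"session {s.number}: direction must be both, rx or tx")
        if d in sources:
            errors.append(f"session {s.number}: {d} is a source in session {sources[d]}; "
                          "a destination port cannot also be a source port")
        if d in dest_owner:
            errors.append(f"session {s.number}: {d} is already the destination of "
                          f"session {dest_owner[d]}; one destination per port")
        dest_owner.setdefault(d, s.number)
        if d in switch.etherchannel:
            errors.append(f"session {s.number}: {d} is a member of {switch.etherchannel[d]}; "
                          "a destination port cannot be in an EtherChannel")
        for src in s.sources:
            if src in switch.etherchannel:
                po = switch.etherchannel[src]
                warnings.append(f"session {s.number}: {src} is a member of {po}; only that link "
                                f"is mirrored, make {po} the source to see the whole bundle")
            if src in switch.speeds and d in switch.speeds and switch.speeds[src] > switch.speeds[d]:
                warnings.append(f"session {s.number}: destination {d} ({switch.speeds[d]} Mb/s) is "
                                f"slower than source {src} ({switch.speeds[src]} Mb/s)")
    return errors, warnings
```

The lab's session 47 (Fa0/3-5 to Fa0/9) comes back clean; a second session that tries to mirror Fa0/9 itself, or to land on an EtherChannel member, does not. Sharing a source port between sessions is fine; sharing a destination port is not.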
Storm Control

In your CCNA studies, you learned of the danger of broadcast storms, where the number of broadcasts and multicasts begins to overwhelm your switch, all the way to the point of non-operation. Whether accidentally or maliciously caused, these storms can also overwhelm your hosts with the broadcasts and multicasts flooded by the switch. Storm Control is specifically designed to proactively stop that flooding before our hosts are hit with a level of flooded traffic they just can't handle. It's enabled on a per-port basis:

SW1(config)#int fast 0/1
SW1(config-if)#storm-control ?
  action     Action to take for storm-control
  broadcast  Broadcast address storm control
  multicast  Multicast address storm control
  unicast    Unicast address storm control

For each traffic type listed, the option level will follow. (Makes sense, right?) We'll use IOS Help to explore our options for broadcast storm control.

SW1(config-if)#storm-control broadcast ?
  level  Set storm suppression level on this interface

SW1(config-if)#storm-control broadcast level ?
  <0 - 100>  Enter Integer part of storm suppression level
  pps        Enter suppression level in packets per second

I'm using bandwidth usage percentage in this command, which can also be configured using packets per second. It might surprise you that we have the option for one or two levels!

SW1(config-if)#storm-control broadcast level 45 ?
  <0 - 100>  Enter Integer part of lower suppression level
  <cr>

SW1(config-if)#storm-control broadcast level 45 35 ?
  <cr>

SW1(config-if)#storm-control broadcast level 45 35

If you specify only the storm suppression level (the first value), Storm Control takes action when the traffic type goes above that level, and stops that action when the traffic type goes back below that same level. At times, you may want to set a different level at which Storm Control should cease action. The line storm-control broadcast level 45 35 means Storm Control will take action when broadcasts are taking up over 45% of available bandwidth and will stop that action only when the level of broadcasts drops below 35% of that available bandwidth. It's not right or wrong to choose one option over the other – just choose the one that fits your situation.

Now, about that action…

SW1(config-if)#storm-control action ?
  shutdown  Shutdown this interface if a storm occurs
  trap      Send SNMP trap if a storm occurs

What isn't shown here is Storm Control's default behavior of tossing the offending frames overboard. When the specified traffic type reaches that level, those frames are dropped. (That is, Storm Control acts.) Choosing shutdown or trap adds that behavior to the default.

Verify your config with show storm-control, which will show you information on all ports on the switch, or show storm-control interface to see the info for just that interface!

SW1#show storm-control fast 0/1
Interface  Filter State   Trap State    Upper    Lower    Current  Traps Sent
---------  -------------  ------------  -------  -------  -------  ----------
Fa0/1      Forwarding     inactive      45.00%   35.00%   0.00%    0
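The difference between one level and two is hysteresis, and it is easiest to see on a series of utilisation samples. The Python below is an added example, not from the book: storm_control() models the rising/falling thresholds of storm-control <type> level upper [lower] and returns, for each sample, whether the port is suppressing the storm. SAMPLES is a constructed series of percent-of-bandwidth readings, not a measurement from the lab.

```python
"""Filter state over time for 'storm-control <type> level upper [lower]'.

Added example (not from the book): a model of the rising/falling thresholds,
fed with constructed utilisation samples (percent of port bandwidth).
"""


def storm_control(samples, upper, lower=None):
    """One value: filter while traffic is above 'upper', stop once it is back below it.
    Two values: start filtering above 'upper' and keep filtering until traffic drops
    below 'lower'. Returns one bool per sample, True while the storm is being suppressed."""
    if lower is None:
        lower = upper
    if not 0 <= lower <= upper <= 100:
        raise ValueError("need 0 <= lower <= upper <= 100")
    filtering, states = False, []
    for pct in samples:
        if not filtering and pct > upper:
            filtering = True          # rising threshold crossed: start dropping
        elif filtering and pct < lower:
            filtering = False         # falling threshold crossed: resume forwarding
        states.append(filtering)
    return states


def suppressed_samples(samples, upper, lower=None):
    """How many samples would have been dropped, handy for comparing threshold choices."""
    return sum(storm_control(samples, upper, lower))


SAMPLES = [10, 50, 40, 36, 34, 50]   # constructed: a storm that subsides slowly, then returns
```

With level 45 alone the port flaps between forwarding and filtering as the storm hovers around the threshold; with level 45 35 it stays in the filtering state until the traffic has clearly subsided, which is the behaviour you usually want on an access port.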

VLAN ACLs

Let's take a look at some Cisco switch security features that were developed specifically with VLANs in mind, starting with VLAN ACLs.

You'll certainly be familiar with ACLs and a few of their seemingly endless uses at this point in your Cisco studies! The ACL we've come to know and love has some limitations though. While an ACL can filter traffic travelling between VLANs, it can't do anything about traffic from one host in a VLAN to another host in the same VLAN. An ACL can be used to filter inter-VLAN traffic, but not intra-VLAN traffic. Filtering between hosts in the same VLAN requires the use of a VLAN Access List (VACL).

Why not, you ask? It relates to the application of ACLs on a multilayer switch. The CAM table holds the dynamically and statically learned MAC addresses, but it's the TCAM table – the Ternary Content-Addressable Memory table – that cuts down on the number of lookups required to compare a packet against an ACL. This packet filtering via the switch hardware speeds up the overall process, but it limits ACL capability. You'll see what I mean in the following lab!

We want to stop these three hosts from communicating with any host in the 10.1.1.0 /24 subnet, and we mean any host – even among each other! Right now, each host can ping the other (results not shown). Even though a VACL will do the actual filtering, we'll still need to write an ACL. The ACL will be used as the match criterion within the VACL, with any traffic matching that ACL to be dropped while allowing all other traffic.

MLS_1(config)#ip access-list extended BLOCK_FIRST_THREE
MLS_1(config-ext-nacl)#permit ip ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host
MLS_1(config-ext-nacl)#permit ip 10.1.1.0 ?
  A.B.C.D  Source wildcard bits
MLS_1(config-ext-nacl)#permit ip 10.1.1.0 0.0.0.3 ?
  A.B.C.D  Destination address
  any      Any destination host
  host     A single destination host
MLS_1(config-ext-nacl)#permit ip 10.1.1.0 0.0.0.3 10.1.1.0 ?
  A.B.C.D  Destination wildcard bits
MLS_1(config-ext-nacl)#permit ip 10.1.1.0 0.0.0.3 10.1.1.0 0.0.0.255

I'm sure you noticed that the three source addresses named in the ACL are the ones that won't be allowed to communicate with other hosts on that subnet, but the ACL statement is a permit, not a deny. No worries, the deny is coming! (Also note that the wildcard 0.0.0.3 matches 10.1.1.0 through 10.1.1.3, so the network address rides along with our three hosts. Harmless here, but worth knowing when you write your own.)

We'll write the VACL with vlan access-map.

MLS_1(config)#vlan access-map ?
  WORD  Vlan access map tag
MLS_1(config)#vlan access-map NO_123 ?
  <0-65535>  Sequence to insert to/delete from existing vlan access-map entry
  <cr>
MLS_1(config)#vlan access-map NO_123
MLS_1(config-access-map)#match ?
  ip   IP based match
  mac  MAC based match
MLS_1(config-access-map)#match ip ?
  address  Match IP address to access control.
MLS_1(config-access-map)#match ip address ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name
MLS_1(config-access-map)#match ip address BLOCK_FIRST_THREE
MLS_1(config-access-map)#action ?
  drop     Drop packets
  forward  Forward packets
MLS_1(config-access-map)#action drop
MLS_1(config-access-map)#exit
MLS_1(config)#vlan access-map NO_123
MLS_1(config-access-map)#action forward

No match was configured for the second VACL statement, meaning the action of "forward" will be applied to any and all traffic that didn't match previous statements. I didn't enter a sequence number for those two VACL statements because I wanted to demo the default for you via show vlan access-map:

MLS_1#show vlan access-map
Vlan access-map "NO_123"  10
  Match clauses:
    ip  address: BLOCK_FIRST_THREE
  Action:
    drop
Vlan access-map "NO_123"  20
  Match clauses:
  Action:
    forward

The "10" and "20" shown are the default sequence numbers. If you follow my lead and don't define them as you go, they'll increment by 10. Sequence numbers are fantastic for those situations where you later need to add an action. If you needed to add an action that involved dropping traffic, you'd need to give it a sequence number between 10 and 20. Adding it at the end wouldn't do any good, since VACL sequence number 20 forwards all traffic.

Hey, we need to apply this thing! Don't try to apply a VACL to a specific interface; we have to apply it in global configuration mode. The VLAN to be filtered is specified at the end of the command with the vlan-list option. We can specify individual VLANs or go with the all option. Be careful to specify the VACL name in this command, not the ACL name.

MLS_1(config)#vlan filter ?
  WORD  VLAN map name
MLS_1(config)#vlan filter NO_123 ?
  vlan-list  VLANs to apply filter to
MLS_1(config)#vlan filter NO_123 vlan-list ?
  <1-4094>  VLAN id
  all       Add this filter to all VLANs
MLS_1(config)#vlan filter NO_123 vlan-list 10

Verify with show ip access-list and show vlan access-map, and then test!

MLS_1#show ip access-list
Extended IP access list BLOCK_FIRST_THREE
    10 permit ip 10.1.1.0 0.0.0.3 10.1.1.0 0.0.0.255

MLS_1#show vlan access-map
Vlan access-map "NO_123"  10
  Match clauses:
    ip  address: BLOCK_FIRST_THREE
  Action:
    drop
Vlan access-map "NO_123"  20
  Match clauses:
  Action:
    forward

Hosts that could previously ping each other now cannot, thanks to our VACL!

HOST_1#ping 10.1.1.3
Success rate is 0 percent (0/5)
HOST_2#ping 10.1.1.3
Success rate is 0 percent (0/5)

And no, the verification commands you might guess at don't exist:

MLS_1#show vlan access-list
                ^
% Invalid input detected at '^' marker.
MLS_1#show vacl
          ^
% Invalid input detected at '^' marker.
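Two things in that lab are easy to get wrong: what a wildcard mask really covers, and how the VACL walks its entries (including its own implicit drop when nothing matches). The Python below is an added example, not from the book: it evaluates the lab's BLOCK_FIRST_THREE ACL and NO_123 access map the way the switch does, so you can ask it what happens to a given source/destination pair before applying the filter. ACL entries are (action, src, src_wildcard, dst, dst_wildcard) tuples and access-map entries are (sequence, acl_name_or_None, action); those shapes are this example's own, not an IOS format.

```python
"""Evaluate the lab's ACL + VACL the way the switch will, including the implicit drop.

Added example (not from the book). ACL entries are (action, src, src_wildcard,
dst, dst_wildcard); access-map entries are (sequence, acl_name_or_None, action).
"""
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def acl_permits(entries, src, dst):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, s, swc, d, dwc in entries:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action == "permit"
    return False


def vacl_action(access_map, acls, src, dst):
    """Walk the map in sequence order. An entry with no match clause matches everything;
    an entry whose ACL permits the packet applies its action; a packet that matches no
    entry is dropped (the VACL's own implicit deny)."""
    for _seq, acl_name, action in sorted(access_map, key=lambda e: e[0]):
        if acl_name is None or acl_permits(acls[acl_name], src, dst):
            return action
    return "drop"


# The lab's configuration, expressed in the tuple shapes above.
ACLS = {"BLOCK_FIRST_THREE": [("permit", "10.1.1.0", "0.0.0.3", "10.1.1.0", "0.0.0.255")]}
NO_123 = [(10, "BLOCK_FIRST_THREE", "drop"), (20, None, "forward")]
```

Besides confirming the lab's pings, the checks show two caveats: the 0.0.0.3 wildcard also matches 10.1.1.0, and a packet from an unlisted host to one of the three is forwarded while the reply is dropped, so those hosts are cut off from the subnet in both directions even though only their sourced traffic is named. A drop entry appended at sequence 30 never fires, because 20 forwards first.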

Hosts that need to talk to everyone will be connected to promiscuous ports. This port type can communicate with any host connected to any of the other two port types. When you have a router or multilayer switch that serves as a default gateway, that device must be connected to a promiscuous port for the network to function correctly.

Hosts that just need to talk to some other devices are connected to community ports. These hosts can communicate with other community ports in the same private VLAN as well as any device connected to a promiscuous port.

Hosts that just don't want anything to do with anybody are connected to the aptly named isolated ports. Hosts connected to isolated ports can only communicate with hosts connected to promiscuous ports. Even if you have two isolated ports in the same private VLAN, those hosts can't intercommunicate.

Each of these concepts is illustrated here:

[Figure: Host A on an isolated port, the other hosts on community ports, the router on a promiscuous port.]

Host A has been placed into an isolated private VLAN, and will be able to communicate only with the router, which is connected to a promiscuous port. The other hosts are in a community private VLAN, so they can communicate with each other as well as the router. They cannot communicate with Host A. If we placed another host in the same isolated private VLAN that Host A is in now, those two hosts could not communicate with each other.

Now let's have a brief, powerful look at the private VLAN types. The "parent" private VLAN is the primary private VLAN, and the "child" private VLAN is the secondary private VLAN. A primary private VLAN can be mapped to multiple secondary VLANs, but a secondary private VLAN can be mapped to only one primary.

About those secondary VLAN types… Ports in a community private VLAN can communicate with other ports in the same community as well as promiscuous ports in the primary. Ports in an isolated private VLAN can only communicate with promiscuous ports in the parent private VLAN. That's it!

In the following configuration, we'll map primary private VLANs to secondary private VLANs. In our config, we'll use the following VLANs and VLAN types:

VLAN 100 is a secondary private VLAN (community). Ports are Fa0/1 – 5.

VLAN 200 is a secondary private VLAN (isolated). Ports are Fa0/6 – 10.

VLAN 300 will be the primary private VLAN. Our router is off fast0/12.

Creating the first VLAN with VLAN config mode is no problem, but look what happens when we try to make it a community private VLAN – or for that matter, any kind of private VLAN!

MLS_1(config)#vlan 100
MLS_1(config-vlan)#private-vlan ?
  association  Configure association between private VLANs
  community    Configure the VLAN as a community private VLAN
  isolated     Configure the VLAN as an isolated private VLAN
  primary      Configure the VLAN as a primary private VLAN
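The port-type and primary/secondary rules above, as a small model you can test against the VLAN plan the text uses (VLAN 300 primary, VLAN 100 community on Fa0/1 – 5, VLAN 200 isolated on Fa0/6 – 10, the router on promiscuous port Fa0/12). This is an added example, not code from the study guide; the class and method names are my own.

```python
"""Private VLAN reachability model (added example, not from the study guide)."""
from typing import Optional

# Which primary each secondary VLAN is mapped to: a secondary may have only one primary.
SECONDARY_OWNER: dict[int, int] = {}


class PrivateVlan:
    """A primary private VLAN with its associated secondary VLANs and member ports."""

    def __init__(self, primary: int) -> None:
        self.primary = primary
        self.secondaries: dict[int, str] = {}                 # secondary -> "community" | "isolated"
        self.ports: dict[str, tuple[str, Optional[int]]] = {}  # port -> (port type, secondary)

    def associate(self, secondary: int, kind: str) -> None:
        """private-vlan association: one primary may own many secondaries, not vice versa."""
        if kind not in ("community", "isolated"):
            raise ValueError("secondary VLAN type must be community or isolated")
        owner = SECONDARY_OWNER.get(secondary)
        if owner is not None and owner != self.primary:
            raise ValueError(f"VLAN {secondary} is already mapped to primary VLAN {owner}")
        SECONDARY_OWNER[secondary] = self.primary
        self.secondaries[secondary] = kind

    def promiscuous(self, port: str) -> None:
        """switchport mode private-vlan promiscuous (the router or default gateway port)."""
        self.ports[port] = ("promiscuous", None)

    def host(self, port: str, secondary: int) -> None:
        """switchport private-vlan host-association <primary> <secondary>."""
        if secondary not in self.secondaries:
            raise ValueError(f"VLAN {secondary} is not associated with primary {self.primary}")
        self.ports[port] = (self.secondaries[secondary], secondary)

    def can_talk(self, a: str, b: str) -> bool:
        """True when frames may flow between two ports of this private VLAN."""
        mode_a, sec_a = self.ports[a]
        mode_b, sec_b = self.ports[b]
        if "promiscuous" in (mode_a, mode_b):
            return True                      # promiscuous ports reach every port type
        if mode_a == mode_b == "community":
            return sec_a == sec_b            # community ports: same community only
        return False                         # isolated ports reach nothing but promiscuous


def build_lab() -> PrivateVlan:
    """The topology from the text: 300 primary, 100 community, 200 isolated, Fa0/12 promiscuous."""
    pv = PrivateVlan(300)
    pv.associate(100, "community")
    pv.associate(200, "isolated")
    pv.promiscuous("Fa0/12")
    for n in range(1, 6):
        pv.host(f"Fa0/{n}", 100)
    for n in range(6, 11):
        pv.host(f"Fa0/{n}", 200)
    return pv


if __name__ == "__main__":
    lab = build_lab()
    for a, b in [("Fa0/1", "Fa0/2"), ("Fa0/6", "Fa0/7"), ("Fa0/6", "Fa0/12"), ("Fa0/1", "Fa0/6")]:
        print(f"{a} <-> {b}: {'allowed' if lab.can_talk(a, b) else 'blocked'}")
```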

MLS_1(config-vlan)#private-vlan community
%Private VLANs can only be configured when VTP is in transparent/off mode.

Private VLANs can only be configured when VTP is in transparent mode. (Yes, like it says right there.) Once we do that, configuring VLAN 100 as a community private VLAN and VLAN 200 as an isolated private VLAN is no problem.

MLS_1(config)#vtp mode transparent
Setting device to VTP Transparent mode for VLANS.

MLS_1(config)#vlan 100
MLS_1(config-vlan)#private-vlan ?
  association  Configure association between private VLANs
  community    Configure the VLAN as a community private VLAN
  isolated     Configure the VLAN as an isolated private VLAN
  primary      Configure the VLAN as a primary private VLAN

MLS_1(config-vlan)#private-vlan community
MLS_1(config-vlan)#vlan 200
MLS_1(config-vlan)#private-vlan isolated

Now we'll configure VLAN 300 as the primary private VLAN, and then associate those two secondary private VLANs with this primary private VLAN. (This association is not the mapping I mentioned earlier.)

MLS_1(config)#vlan 300
MLS_1(config-vlan)#private-vlan primary
MLS_1(config-vlan)#private-vlan association ?
  WORD    VLAN IDs of the private VLANs to be configured
  add     Add a VLAN to private VLAN list
  remove  Remove a VLAN from private VLAN list

MLS_1(config-vlan)#private-vlan association 200,100

We've accomplished the following:

Configured VTP to run in transparent mode (very important!)

Created our secondary private VLANs, both isolated and community

Created our primary private VLAN

Created an association between the secondary and primary private VLANs

Just two more things to do – place the ports into the proper VLAN and get that mapping done! The switch port leading to the router is Fa0/12, and that port must be made promiscuous.

MLS_1(config)#int fast 0/12
MLS_1(config-if)#switchport mode ?
  access        Set trunking mode to ACCESS unconditionally
  dot1q-tunnel  set trunking mode to TUNNEL unconditionally
  dynamic       Set trunking mode to dynamically negotiate access or trunk mode
  private-vlan  Set private-vlan mode
  trunk         Set trunking mode to TRUNK unconditionally

MLS_1(config-if)#switchport mode private-vlan ?
  host         Set the mode to private-vlan host
  promiscuous  Set the mode to private-vlan promiscuous

MLS_1(config-if)#switchport mode private-vlan promiscuous

We'll also need the primary vlan mapping command on that interface:

MLS_1(config-if)#switchport private-vlan ?
  association       Set the private VLAN association
  host-association  Set the private VLAN host association
  mapping           Set the private VLAN promiscuous mapping

MLS_1(config-if)#switchport private-vlan mapping ?
  <1006-4094>  Primary extended range VLAN ID of the private VLAN promiscuous port mapping
  <2-1001>     Primary normal range VLAN ID of the private VLAN promiscuous port mapping

MLS_1(config-if)#switchport private-vlan mapping 300 ?
  WORD    Secondary VLAN IDs of the private VLAN promiscuous port mapping
  add     Add a VLAN to private VLAN list
  remove  Remove a VLAN from private VLAN list

MLS_1(config-if)#switchport private-vlan mapping 300 100,200 ?
  <cr>

MLS_1(config-if)#switchport private-vlan mapping 300 100,200

Ports Fa0/1 – 5 are in VLAN 100. We'll use our buddy interface range to configure that port range with the private-vlan host and private-vlan host-association commands.

MLS_1(config)#int range fast 0/1 - 5
MLS_1(config-if-range)#switchport mode private-vlan ?
  host         Set the mode to private-vlan host
  promiscuous  Set the mode to private-vlan promiscuous

MLS_1(config-if-range)#switchport mode private-vlan host
MLS_1(config-if-range)#switchport private-vlan ?
  association       Set the private VLAN association
  host-association  Set the private VLAN host association
  mapping           Set the private VLAN promiscuous mapping

MLS_1(config-if-range)#switchport private-vlan host-association ?
  <1006-4094>  Primary extended range VLAN ID of the private VLAN host port association
  <2-1001>     Primary normal range VLAN ID of the private VLAN port association

MLS_1(config-if-range)#switchport private-vlan host-association 300 ?
  <1006-4094>  Secondary extended range VLAN ID of the private VLAN host port association
  <2-1001>     Secondary normal range VLAN ID of the private VLAN host port association

MLS_1(config-if-range)#switchport private-vlan host-association 300 100

We'll use interface range on Fa0/6 – 10 as well, using VLAN 200 instead of 100.

MLS_1(config)#int range fast 0/6 - 10
MLS_1(config-if-range)#switchport mode private-vlan host
MLS_1(config-if-range)#switchport private-vlan host-association 300 200

Verify your private VLAN config with the tricky-to-type show vlan private-vlan command, and on an interface level with show interface switchport.

DHCP And Multilayer Switches

I'm sure you're wondering why DHCP is smack in the middle of a CCNP SWITCH exam discussion of switch security features. There are two really good reasons for this:

1. DHCP is a topic on your CCNP SWITCH exam.

2. Securing DHCP is a vital part of our overall Cisco switch security strategy, and the better our knowledge of DHCP, the better our security will be.

Let's jump right in with a quick review of the overall DHCP process. First, the client broadcasts a DHCP Discover packet, and its purpose is to discover the network's DHCP servers.

The DHCP servers that receive that Discover packet respond with a broadcast in the form of a DHCP Offer packet. This includes an IP address the client can use, along with notification on how long the client can keep that address (the lease), the default gateway, and other info as desired and configured by you and I, the network admins.

The client will accept the first Offer received, ignoring the others. The client uses a broadcast DHCP Request message to indicate acceptance of the offer. The Request includes the IP address of the DHCP Server whose address offer is being accepted. When a DHCP Server sees a Request that does not include its own IP address, that server knows that its offer was not accepted.

The DHCP server whose offer is being accepted sends a DHCP Acknowledgement message back to the client, and that's it! (This ACK can be a unicast or a broadcast depending on the circumstances. Some books say it's a unicast, some say it's a broadcast, and technically, they're both right.)

Generally speaking, you'll have a traditional server for your DHCP server, but a Cisco router or multilayer switch can handle the role nicely! The syntax may seem a little odd at first, but like all things Cisco, take it one command at a time and you'll be fine.

We're going to do something a bit unusual in this section and have a Cisco router acquire an IP address via DHCP from a Cisco multilayer switch. Here's the setup:

[Figure: the router HOST_2 connected to the multilayer switch MLS_1, which will act as the DHCP server.]

Using a multilayer switch as a DHCP server requires that switch to have an IP address on any subnet that it's offering addresses from. No problem there, but we do need to exclude that particular address from the DHCP pool. This can drive you a bit crazy at first, since the ip dhcp excluded-address command we use for that purpose is configured globally, not as part of the general DHCP configuration.

Here, we're going to assign addresses from 10.0.0.0 /8 via DHCP, but we don't want to use the addresses 10.0.0.0 – 10.1.1.0, nor do we want to assign the IP address already assigned to the SVI int VLAN 4. ip dhcp excluded-address gets the job done. We can specify a single address to be excluded, an entire range, or both.

MLS_1(config)#ip dhcp excluded-address ?
  A.B.C.D  Low IP address
  vrf      VRF name for excluded address range

MLS_1(config)#ip dhcp excluded-address 10.0.0.0 ?
  A.B.C.D  High IP address
  <cr>

MLS_1(config)#ip dhcp excluded-address 10.0.0.0 10.1.1.0
MLS_1(config)#ip dhcp excluded-address 10.1.1.1

I could have used one command with the range 10.0.0.0 – 10.1.1.1, but I want to illustrate that you can use this command to exclude a single address, an entire range, or both.

With those tasks completed, we're now ready to create the DHCP pool with ip dhcp pool.

MLS_1(config)#ip dhcp pool CCNP
MLS_1(dhcp-config)#

We'll use network to define the range of addresses to be assigned to DHCP clients. For the mask, we're given the rare option of entering the value in either prefix notation or the more familiar dotted decimal.

MLS_1(dhcp-config)#network 10.0.0.0 ?
  /nn or A.B.C.D  Network mask or prefix length
  <cr>

MLS_1(dhcp-config)#network 10.0.0.0 /8

Define the lease length with lease, or set it to never expire with infinite. Use IOS Help to check the units of time!

MLS_1(dhcp-config)#lease ?
  <0-365>   Days
  infinite  Infinite lease

MLS_1(dhcp-config)#lease 10 ?
  <0-23>  Hours
  <cr>

MLS_1(dhcp-config)#lease 10 10 ?
  <0-59>  Minutes
  <cr>

MLS_1(dhcp-config)#lease 10 10 10 ?
  <cr>

MLS_1(dhcp-config)#lease 10 10 10

Other options include specifying a domain name with domain-name, using dns-server to give the DNS server location to clients, and specifying the IP address of the default router with default-router. Both the default router and DNS servers can be referred to by either their hostname or IP address.

MLS_1(dhcp-config)#domain-name ?
  WORD  Domain name

MLS_1(dhcp-config)#domain-name bryantadvantage.com

MLS_1(dhcp-config)#dns-server ?
  Hostname or A.B.C.D  Server's name or IP address

M LS_1(dhcp-config)#dns-server 10.3.3.3

MLS_1(dhcp-config)#default-router ?
  Hostname or A.B.C.D  Router's name or IP address

MLS_1(dhcp-config)#default-router 10.1.1.1

A Cisco router acting as a DHCP server will check for IP address conflicts before assigning an address. The conflict check takes the form of two pings sent to that address, and those pings will time out in 500 milliseconds. If they time out, we're good and that address can be sent to the client. If we get pings back, well, we can't assign that address!

This is a value you won't adjust often, but if you want to change the number of pings sent and/or the timeout duration during the conflict check, use ip dhcp ping packets and ip dhcp ping timeout.

MLS_1(config)#ip dhcp ping ?
  packets  Specify number of ping packets
  timeout  Specify ping timeout

MLS_1(config)#ip dhcp ping packets ?
  <0-10>  Number of ping packets (0 disables ping)
  <cr>

MLS_1(config)#ip dhcp ping timeout ?
  <100-10000>  Ping timeout in milliseconds

Setting the number of ping packets to zero disables the conflict check. Note that these are globally configured commands.

Let's enable DHCP IP address acquisition on the router's Fast0/0 interface and then verify the addressing with show int fast 0/0 on the router and show ip dhcp binding on the multilayer switch. The command syntax is exactly the same whether you're configuring this command on a multilayer switch SVI or a router's physical interface.

HOST_2(config)#int fast 0/0
HOST_2(config-if)#ip address dhcp

HOST_2#show int fast 0/0
FastEthernet0/0 is up, line protocol is up
  Hardware is Gt96k FE, address is 001b.d4c2.0990 (bia 001b.d4c2.0990)
  Internet address is 10.1.1.2/8

MLS_1#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type
                Hardware address/
                User name
10.1.1.2        0063.6973.636f.2d30.    Mar 26 2015 01:16 AM    Automatic
                3031.622e.6434.6332.
                2e30.3939.302d.4661.
                302f.30

IP Helper Addresses

On occasion we just might need some help with our DHCP broadcast messages… some helper addresses, perhaps!

Routers accept broadcasts, and routers create broadcasts, but routers do not forward broadcasts by default. That can present an issue with DHCP messages when a router is between the requesting host and the DHCP server. After all, the first message in the entire process is a broadcast!

Using ip helper-address on a router or multilayer switch allows the device to translate certain broadcasts to a unicast, making forwarding possible. The command should be configured on the interface that will be receiving the broadcasts, not the interface closest to the destination.

MLS_1(config)#int vlan 10
MLS_1(config-if)#ip address 10.1.1.1 255.255.255.0
MLS_1(config-if)#ip helper-address ?
  A.B.C.D  IP destination address
  global   Helper-address is global
  vrf      VRF name for helper-address (if different from interface VRF)

MLS_1(config-if)#ip helper-address 10.5.5.5 ?
  <cr>

MLS_1(config-if)#ip helper-address 10.5.5.5

A device running ip helper-address to help with DHCP server reachability is said to be a DHCP relay agent. That's accurate, but not entirely accurate, as nine common UDP service broadcasts are helped in this manner by this command. TIME, TACACS, DNS, BOOTP/DHCP Server, BOOTP/DHCP Client, TFTP, NetBIOS name service, NetBIOS datagram service, and IEN-116 name service all benefit from this command.

Got multiple DHCP servers your switch needs help reaching? No worries, just configure multiple ip helper-address statements and verify with show ip helper-address.

MLS_1(config-if)#ip helper-address 10.6.6.6

The command syntax is exactly the same whether you're configuring this command on a multilayer switch SVI or a router's physical interface.

R1(config)#int fast 0/0
R1(config-if)#ip helper-address ?
  A.B.C.D  IP destination address
  global   Helper-address is global
  vrf      VRF name for helper-address (if different from interface VRF)

HOST_1#show ip helper-address
Interface        Helper-Address
FastEthernet0/0  10.5.5.5
                 10.6.6.6

The Dynamic Shall Become Static

On rare occasions, you may need to create a static IP address binding (also called a "manual" binding) in your network. That rare occasion is when you need DHCP to give a client the same address every single time. I'm saying "rare" in a hopeful voice, because configuring these suckers can be a real pain in the butt. (The voice of experience speaks!)

Before we start a manual binding, we need the client identifier of the client in question. Since that client already has an IP address from us, as our router does, we can get the client ID from the DHCP binding table.

MLS_1#show ip dhcp binding
IP address      Client-ID/              Lease expiration        Type
                Hardware address/
                User name
10.1.1.2        0063.6973.636f.2d30.    Mar 26 2015 01:16 AM    Automatic
                3031.622e.6434.6332.
                2e30.3939.302d.4661.
                302f.30

Holy crap, that's a lot of ID, and even I don't want to start typing all those numbers! Luckily, we don't have to, as this is the ASCII string representing the client ID. To get the classic representation of that ID, use the client-id option with ip address dhcp. The Cisco identifier is going to look a lot like a MAC address. If the client uses Ethernet, the identifier is simply a "01" in front of the MAC.

Here, we'll configure a manual binding for our router. Note that the next address in the pool is assigned as a result of this change.

HOST_2(config)#int fast 0/0
HOST_2(config-if)#ip address dhcp ?
  client-id  Specify client-id to use
  hostname   Specify value for hostname option
  <cr>

HOST_2(config-if)#ip address dhcp client-id ?
  FastEthernet  FastEthernet IEEE 802.3

HOST_2(config-if)#ip address dhcp client-id fastethernet 0/0 ?
  hostname  Specify value for hostname option
  <cr>

HOST_2(config-if)#ip address dhcp client-id fastethernet 0/0
HOST_2(config-if)#
05:54:55: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 10.1.1.3, mask 255.0.0.0, hostname HOST_2

MLS_1#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type
                Hardware address/
                User name
10.1.1.3        0100.1bd4.c209.90       Mar 26 2015 05:54 AM    Automatic

Now there's a value we can work with! For a manual binding, start in DHCP pool mode. We're going to bind that client ID to the IP address 10.1.1.3, using the host command.

MLS_1(config)#ip dhcp pool CCNP
MLS_1(dhcp-config)#host 10.1.1.3
% This command may not be used with network, origin, vrf or relay pools.

Hmmmm, that doesn't leave a lot of ways to use it! How about client-identifier, the other required command for a DHCP manual binding?

MLS_1(dhcp-config)#client-identifier 0100.1bd4.c209.90
% This command may not be used with network, origin, vrf or relay pools.

Well, perhaps you're starting to feel manual bindings are too much of a pain to bother with. I'm about to make you feel better about them by telling you something that a lot of books / study guides / PDFs / websites leave out – manual bindings have to be put into their own DHCP pool. Let's go into a new DHCP pool and make that happen.

MLS_1(config)#ip dhcp pool STATIC_BINDINGS
MLS_1(dhcp-config)#host 10.1.1.3
MLS_1(dhcp-config)#client-identifier 0100.1bd4.c209.90
% A binding for this client already exists.

You also have to end any bindings that client currently has. I did so by closing the fast0/0 interface on R2. The binding was then gone, so I finished that config, reopened the interface on R2, and soon saw…

%DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 10.1.1.3, mask 255.0.0.0, hostname HOST_2

All riiiiiiiiiiight! Verify on MLS_1 with show ip dhcp binding. Note that this is described as a manual binding and the lease is infinite. With this, that interface will receive the same IP address every time, and you're done!

MLS_1#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type
                Hardware address/
                User name
10.1.1.3        0100.1bd4.c209.90       Infinite                Manual

Now for just a bit of DHCP for IPv6, and then it's on to DHCP Snooping!
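The two client-ID forms above are related by a simple rule, and this added example (not from the study guide) shows the conversion both ways: decoding the long hex string from the binding table, and building the classic "01 + MAC" identifier. The values it checks are the ones in the text (MAC 001b.d4c2.0990, classic ID 0100.1bd4.c209.90, and the long binding-table ID); the function names are my own.

```python
"""Cisco DHCP client identifiers as seen in 'show ip dhcp binding' (added example)."""


def mac_hex(mac: str) -> str:
    """Strip separators: '001b.d4c2.0990' or '00:1b:d4:c2:09:90' -> '001bd4c20990'."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def dotted(hexstring: str) -> str:
    """IOS grouping: four hex digits per group, e.g. '0100.1bd4.c209.90'."""
    return ".".join(hexstring[i:i + 4] for i in range(0, len(hexstring), 4))


def ethernet_client_id(mac: str) -> str:
    """Classic identifier for an Ethernet client: '01' (hardware type) in front of the MAC."""
    return dotted("01" + mac_hex(mac))


def decode_ascii_client_id(cid: str) -> str:
    """The long form is hex-encoded ASCII; IOS puts a 0x00 type byte in front of the string."""
    raw = bytes.fromhex(cid.replace(".", ""))
    if raw[:1] == b"\x00":          # type 0 = "not a hardware address", text follows
        raw = raw[1:]
    return raw.decode("ascii")


def parse_ios_ascii_client_id(cid: str) -> dict:
    """Split the IOS string 'cisco-<mac>-<interface>' into its three fields."""
    vendor, mac, iface = decode_ascii_client_id(cid).split("-", 2)
    return {"vendor": vendor, "mac": mac, "interface": iface}


def same_client(ascii_cid: str, classic_cid: str) -> bool:
    """True when a long ASCII ID and a classic 01+MAC ID name the same Ethernet client."""
    fields = parse_ios_ascii_client_id(ascii_cid)
    return ethernet_client_id(fields["mac"]) == classic_cid.lower()


# The long ID from the binding table in the text, copied here for the demo.
BINDING_TABLE_ID = "0063.6973.636f.2d30.3031.622e.6434.6332.2e30.3939.302d.4661.302f.30"

if __name__ == "__main__":
    print(decode_ascii_client_id(BINDING_TABLE_ID))   # cisco-001b.d4c2.0990-Fa0/0
    print(ethernet_client_id("001b.d4c2.0990"))       # 0100.1bd4.c209.90
```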

DHCP - IP Version 6 Style

IPv6 brings us autoconfiguration, both stateless and stateful. With stateless autoconfiguration, there's no dependency on a server, and the entire process starts with the IPv6 host configuring its own link-local address.

Our 128-bit IPv6 address is created in this manner with stateless autoconfiguration:

The first 64 bits of this self-generated address will be 1111 1110 10 (FE80), followed by 54 zeroes.

The last 64 bits are the interface identifier, which consists of (in order) the first half of the interface's MAC address, then the hex string FFFe, then the second half of the MAC address. You'll usually see that hex string referred to as "FFFE". I personally like to write the "e" in lower case, since it's easy to read FFFE as FFFF.

Technically, the address is tentative at this point. It's been successfully calculated, but we need to make sure that no other host is using the same address. That's a remote possibility, but it never hurts to check, and that's where the Duplicate Address Detection (DAD) feature comes in.

DAD starts with a Neighbor Solicitation (NS) message asking if any other host on the link is using the same link-local address the NS-transmitting host just created for itself. If another host on the link is using that address, that host will respond with a Neighbor Advertisement (NA). When the host that sent the NS receives the NA, it will disable its link-local address. If no response to the NS is received, the local host is satisfied that it has a unique link-local address.

The local host will then send a Router Solicitation (RS) message with a destination of FF02::2, the "all-routers" multicast address. What's the host soliciting? It needs additional config information from a router in the form of a Router Advertisement (RA). Routers generally send these RAs periodically without an express request from a host, but even though the host would only have to wait 10 seconds or so for an RA, polling the router with an RS does speed up the overall process.

Information in the RA includes flags indicating whether the host should use DHCP for addressing information, and if DHCP is in use, the RA gives the location of the DHCP server. If DHCP is not in use, the router attaches the network prefix to the host's link-local address, which results in the host's full IPv6 address, complete with network prefix!

Stateful autoconfiguration is used when the host obtains an IPv6 address and other related information from a server. If that sounds like DHCP to you, it is – DHCPv6, to be exact! The key phrase in that description is "from a server". If the DHCPv6 server goes down, we're out of luck and up that well-known creek.

We can assign an IPv6 address to an SVI in almost the same way we've been assigning it an IPv4 address throughout the course. Just don't forget the "ipv6" in the command. I kid you not, one of the hardest things about learning IPv6 is getting used to entering "ipv6" over and over again in the commands.

ROUTER1(config)#int fast 0/0
ROUTER1(config-if)#ipv6 address ?
  WORD                General prefix name
  X:X:X:X::X          IPv6 link-local address
  X:X:X:X::X/<0-128>  IPv6 prefix
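The address arithmetic behind the stateless autoconfiguration steps above, as an added example that is not from the study guide. It follows the interface-identifier recipe in the text (first half of the MAC, FFFE, second half) and adds one step the text leaves out: the universal/local bit of the first byte is flipped, as RFC 4291 requires, which is why a MAC starting 00-1b gives an address starting 21b. The MAC is the router's from the DHCP lab; the prefix is a constructed documentation prefix.

```python
"""IPv6 stateless autoconfiguration: modified EUI-64, link-local, RA prefix, DAD (added example)."""
import ipaddress

# 1111 1110 10 followed by 54 zero bits: the FE80::/64 link-local prefix.
LINK_LOCAL_PREFIX = bytes.fromhex("fe80") + bytes(6)


def mac_bytes(mac: str) -> bytes:
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def interface_id(mac: str) -> bytes:
    """64-bit interface identifier built from a 48-bit MAC (modified EUI-64)."""
    m = mac_bytes(mac)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])   # first half, FFFE, second half
    iid[0] ^= 0x02                                  # flip the universal/local bit (RFC 4291)
    return bytes(iid)


def link_local(mac: str) -> ipaddress.IPv6Address:
    """The tentative link-local address the host generates for itself."""
    return ipaddress.IPv6Address(LINK_LOCAL_PREFIX + interface_id(mac))


def from_ra_prefix(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Full address: the /64 prefix learned from a Router Advertisement plus the interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a 64-bit prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + interface_id(mac))


def solicited_node(addr: ipaddress.IPv6Address) -> ipaddress.IPv6Address:
    """Multicast group the DAD Neighbor Solicitation is sent to: ff02::1:ffXX:XXXX."""
    return ipaddress.IPv6Address(bytes.fromhex("ff0200000000000000000001ff") + addr.packed[13:])


def dad(candidate: ipaddress.IPv6Address, addresses_on_link: set) -> bool:
    """Duplicate Address Detection: keep the tentative address only if nobody answers the NS."""
    neighbour_answers_with_na = candidate in addresses_on_link
    return not neighbour_answers_with_na


if __name__ == "__main__":
    mac = "001b.d4c2.0990"                       # the router's MAC from the DHCP lab
    ll = link_local(mac)
    print("link-local   :", ll)                  # fe80::21b:d4ff:fec2:990
    print("NS sent to   :", solicited_node(ll))  # ff02::1:ffc2:990
    print("unique?      :", dad(ll, {link_local("aaaa.aaaa.aaaa")}))
    print("after RA     :", from_ra_prefix("2001:db8:1::/64", mac))
```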

ROUTER1(config)#ipv6 dhcp ?
  database  Configure IPv6 DHCP database agents
  ping      Configure IPv6 DHCP pinging
  pool      Configure IPv6 DHCP pool
  server    Configure IPv6 DHCP server

ROUTER1(config)#ipv6 dhcp pool CCNP
ROUTER1(config-dhcpv6)#?
IPv6 DHCP configuration commands:
  address            IPv6 address allocation
  default            Set a command to its defaults
  dns-server         DNS servers
  domain-name        Domain name to complete unqualified host names
  exit               Exit from DHCPv6 configuration mode
  import             Import options
  information        Information refresh option
  link-address       Link-address to match
  nis                NIS server options
  nisp               NISP server options
  no                 Negate a command or set its defaults
  prefix-delegation  IPv6 prefix delegation
  sip                SIP server options
  sntp               SNTP server options
  vendor-specific    Configure Vendor-specific option

Many of the commands and concepts are carried straight over from IPv4. We don't have the option to create manual bindings in IPv6 DHCP; the options for host and client-identifier are missing. There's also an option missing from our ipv6 dhcp list that we did have in IPv4: there's no ipv6 dhcp excluded-address command, and that's for the simple reason that you can't exclude addresses in IPv6 DHCP!

DHCP Snoooooooooop (ing)

It's hard to believe that something as innocent and commonplace as DHCP can be used against our network, but the trouble can start as early as the host sending out a DHCP Discovery packet. Once that happens, the host listens for replies in the form of DHCP Offers. The host will use the info in the first Offer packet it receives. Part of the Offer is the address the host should use as its default gateway. The host will receive the offer and set its default gateway accordingly. No problem here, since only one DHCP Server is on the network.

BUT – what if a DHCP server not under our administrative control, a DHCP rogue server, joins our network? The host isn't particularly discriminating about the offer it accepts. Actually, the host accepts the very first offer it sees come in! If the host uses the Offer from the rogue DHCP server, the host will set its default gateway to the rogue server's IP address! The rogue server's accepted Offer could set the host's DNS server address to the rogue's IP address as well, which opens the host and the network up to all kinds of nasty attacks.

DHCP Snooping allows the switch to serve as a firewall between hosts and untrusted DHCP servers. Basically, the switch snoops on DHCP conversations between those devices and makes decisions on which conversations are between trusted devices and which ones are not.

DHCP Snooping classifies switch interfaces as either trusted or untrusted. DHCP messages received on trusted interfaces will be allowed to pass through the switch, while DHCP messages received on untrusted interfaces will be dropped by the switch AND the interface will go into err-disabled state.

You're now asking yourself whether there's some automagical way for the switch to detect valid DHCP servers. Sorry, no. Trusted ports must be configured manually and explicitly by the network admin. By default, the switch considers all ports untrusted, so we better remember to trust some ports when running this feature. Otherwise, we'll have no dynamic IP addressing and a lot of err-disabled ports!

First step: Enable DHCP Snooping on the switch.

MLS_1(config)#ip dhcp snooping ?
  database     DHCP snooping database agent
  information  DHCP Snooping information
  verify       DHCP snooping verify
  vlan         DHCP Snooping vlan
  <cr>

MLS_1(config)#ip dhcp snooping

Next step: Identify the VLANs that will use DHCP Snooping.

MLS_1(config)#ip dhcp snooping vlan ?
  WORD  DHCP Snooping vlan first number or vlan range, example: 1,3-5,7,9-11

MLS_1(config)#ip dhcp snooping vlan 4

With our trusted DHCP server on port Fa0/10, we'll now trust that individual port:

MLS_1(config)#int fast 0/10
MLS_1(config-if)#ip dhcp snooping ?
  information  DHCP Snooping information
  limit        DHCP Snooping limit
  trust        DHCP Snooping trust config
  vlan         DHCP Snooping vlan

MLS_1(config-if)#ip dhcp snooping trust

When used with DHCP Snooping, the sinister-sounding Option 82 basically extends Snooping's trust boundary. When DHCP packets with Option 82 set come in on untrusted ports that have this option enabled, those packets are not dropped. Instead, the switch injects its own DHCP relay info into the Option-82 field (including its MAC address), and the packet is then forwarded to a DHCP Server. To enable this option, use ip dhcp snooping information option.

MLS_1(config)#ip dhcp snooping information ?
  option  DHCP Snooping information option

MLS_1(config)#ip dhcp snooping information option

When the reply to that DHCP message comes back, the switch validates the message by checking to see if its own Option 82 info was included in the reply. If so, that info is removed and the packet is forwarded. If not, the packet is dropped.

This validity check is enabled by default. If you want to turn it off for some reason, use no ip dhcp relay information check.

MLS_1(config)#no ip dhcp relay ?
  bootp        BOOTP specific configuration
  information  Relay agent information option
  prefer       Relay agent server selection approach

MLS_1(config)#no ip dhcp relay information ?
  check      Validate relay information in BOOTREPLY
  option     Insert relay information in BOOTREQUEST
  policy     Define reforwarding policy
  trust-all  Received DHCP packets may contain relay info option with zero giaddr

Verify your config with show ip dhcp snooping.

MLS_1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
4
DHCP snooping is operational on following VLANs:
4
Smartlog is configured on following VLANs:
none
Smartlog is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 0017.9466.f780 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
FastEthernet0/10           yes        yes             unlimited

Note the "rate limit" for the untrusted port is "unlimited". That refers to the number of DHCP packets the interface can accept in one second. Use ip dhcp snooping limit rate to set a limit for this value. IOS Help doesn't mention the measuring unit in this command, so it's a good idea to know it's packets per second.

MLS_1(config)#int fast 0/9
MLS_1(config-if)#ip dhcp snooping ?
  information  DHCP Snooping information

  limit        DHCP Snooping limit
  trust        DHCP Snooping trust config
  vlan         DHCP Snooping vlan

MLS_1(config-if)#ip dhcp snooping limit ?
  rate  DHCP Snooping limit

MLS_1(config-if)#ip dhcp snooping limit rate ?
  <1-2048>  DHCP snooping rate limit

MLS_1(config-if)#ip dhcp snooping limit rate 1000 ?
  <cr>

Dynamic ARP Inspection

If you can't trust DHCP, who can you trust? Well, not ARP, because the Address Resolution Protocol can turn on us in a minute! A rogue device on our network can overhear part of the ARP conversation and make itself look like a legitimate part of the action. This happens through ARP Cache Poisoning, also known as ARP Spoofing.

[Figure: Host A (172.12.12.1, aaaa.aaaa.aaaa) and Host B (172.12.12.2) exchanging an ARP Request and Reply.]

Here, Host A is sending an ARP Request, requesting the host with the IP address 172.12.12.2 respond with its MAC address. Before responding, Host B makes an entry in its local ARP cache mapping the source IP address of the Request, 172.12.12.1, to the mac address aaaa.aaaa.aaaa. The ARP Reply is then sent. Once Host A receives the ARP Reply, Host A makes an entry in its ARP cache mapping 172.12.12.2 to cccc.cccc.cccc, and at that point, both hosts have a MAC address – IP address mapping for the other.

However, if a rogue host responds to the original ARP Request, we have a problem. Meanwhile, the rogue host acquires Host B's true MAC address via ARP. The rogue host can do the same for an ARP Request sent by Host B for Host A. As a result of this man-in-the-middle attack, all communications between A and B are going through the rogue host, leading to these two negative results:

1.

Dynamic ARP Inspection (DAI) prevents this behavior by building a database of trusted IP – MAC address mappings. This database is the same one built by the DHCP Snooping process, and static entries (an ARP ACL applied with the ip arp inspection filter option) can also be used by DAI for hosts with static addresses. Once the IP – MAC address database is built, every single ARP Request and ARP Reply received on an untrusted interface is examined. If the ARP message has an approved MAC – IP address mapping, the message is forwarded appropriately. If no such mapping exists, the ARP message is dropped.

Watch this one: DAI uses the concepts of trusted and untrusted ports, just as DHCP Snooping does, but DAI has some major differences in how messages are treated by these port types. On trusted interfaces, DAI allows the ARP message to pass without checking the database at all. DAI is performed as ARP messages are received, not transmitted.

With DAI using the DHCP Snooping database to get the job done, it follows that DHCP Snooping must be enabled before DAI is configured. Verify with show ip dhcp snooping.

MLS_1#show ip dhcp snooping
Switch DHCP snooping is enabled

The next step in configuring DAI is to name the VLANs that will be using this feature.

MLS_1(config)#ip arp inspection ?
  filter      Specify ARP acl to be applied
  log-buffer  Log Buffer Configuration
  smartlog    Smartlog all the logged pkts
  validate    Validate addresses
  vlan        Enable/Disable ARP Inspection on vlans
MLS_1(config)#ip arp inspection vlan ?
  WORD  vlan range, example: 1,3-5,7,9-11
MLS_1(config)#ip arp inspection vlan 4

The validate option lets us go beyond DAI's default inspection. Here's what happens with these enabled:

MLS_1(config)#ip arp inspection validate ?
  dst-mac  Validate destination MAC address
  ip       Validate IP addresses
  src-mac  Validate source MAC address

"src-mac" compares the source MAC address in the Ethernet header with the sender MAC address in the ARP body. It's checked on both ARP Requests and ARP Replies; a mismatch means somebody built the frame by hand.

"dst-mac" compares the destination MAC address in the Ethernet header with the target MAC address in the ARP body. This one is checked on ARP Replies only, since a Request doesn't know its target MAC yet.

"ip" checks the ARP body for invalid and unexpected IP addresses: 0.0.0.0, 255.255.255.255, and multicast addresses. The sender IP address is checked in all ARP messages; the target IP address is checked in ARP Replies only.

These checks matter because the default inspection looks only at the sender IP – sender MAC pair in the ARP body. A rogue that copies a legitimate pair into the ARP body but sends the frame from its own MAC address gets past the default check; src-mac validation catches it. Let's use the ip option (ip arp inspection validate ip) and verify with show ip arp inspection.

MLS_1#show ip arp inspection

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Enabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    4     Enabled          Active

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
    4     Deny             Deny              Off

 Vlan      Forwarded        Dropped     DHCP Drops     ACL Drops
 ----      ---------        -------     ----------     ---------
    4              0              0              0             0

 Vlan   DHCP Permits   ACL Permits  Probe Permits   Source MAC Failures
 ----   ------------   -----------  -------------   -------------------
    4              0             0              0                     0

 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
    4                   0                        0                       0

If you see those validation failures start to add up, you just might have a rogue device on your network.

Now, about our ports! DAI considers all ports untrusted by default. Cisco's recommended trusted / untrusted port config is to have all ports connected to hosts run as untrusted and all ports connected to switches run as trusted. Should you run DAI in your network, you'll likely run it on all of your switches. Since DAI runs only on ingress ports, this scheme ensures that every ARP packet has to pass one checkpoint but no more than that, and it's a good idea to avoid unnecessary inspection. (Trust an uplink only when the switch on the other end is yours and runs DAI itself; a trusted port is a port DAI never looks at.) To trust one port, or remove trust from one that was trusted, use ip arp inspection trust.

MLS_1(config)#int fast 0/10
MLS_1(config-if)#ip arp inspection ?
  limit  Configure Rate limit of incoming ARP packets
  trust  Configure Trust state
MLS_1(config-if)#ip arp inspection trust ?
  <cr>
MLS_1(config-if)#ip arp inspection trust

Verify with show ip arp inspection interface. To see this DAI info for all interfaces, run that command; for just one, name the interface at the end of the command.

MLS_1#show ip arp inspection int fast 0/10

 Interface        Trust State     Rate (pps)    Burst Interval
 ---------------  -----------     ----------    --------------
 Fa0/10           Trusted         None          N/A

IP Source Guard

Another "the name is the recipe" feature, IP Source Guard prevents a host on the network from using another host's IP address. IP Source Guard works in tandem with DHCP Snooping and uses the same database to carry out this operation, so we need to have DHCP Snooping up and running before configuring IP Source Guard.

With this feature enabled, a host that comes online and is connected to an untrusted port can receive only DHCP-related traffic. Once that host successfully acquires an IP address via DHCP, the switch takes note of that IP address assignment. This IP address-to-switchport mapping is generally referred to as a binding. The switch then installs a per-port filter (Cisco's documentation describes it as a port ACL) that will only allow traffic to be processed by a port if the previously noted source IP address is present on incoming traffic. Should the host pretend to be another host on that subnet – that is, spoof that other host's IP address – the switch will simply drop that incoming traffic, since the source IP address of that incoming traffic will not match the database's entry for that port. If those addresses match, all is well; if not, the packets are dropped.

Once DHCP Snooping is enabled and verified, use ip verify source to enable IP Source Guard at the interface level. There are two important options to go with that, port-security and smartlog.

MLS_1(config)#int fast 0/3
MLS_1(config-if)#ip verify source ?
  port-security  port security
  smartlog       Smartlog denied packets
  <cr>
MLS_1(config-if)#ip verify source

The default value checked is the IP source address. The port-security option adds an extra level of security: the source MAC address of incoming packets on that port is checked as well, against the MAC address recorded in the binding for that port (port security must also be enabled on the interface for this to work). Without it, any device plugged into that port can use the bound IP address, since only the IP address is checked. Smartlog enables the switch to send dropped packets to a NetFlow collector. If you don't need this feature, leave it alone, and be prepared to see "disabled" for "log" in the output of show ip verify source. I'll go with the default setting here and leave those options off.

MLS_1#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan    Log
---------  -----------  -----------  ---------------  -----------------  ------  --------
Fa0/3      ip           active       deny-all                            1       disabled

If the device off fast 0/3 were getting its IP address via DHCP, we'd see its address under IP-address rather than deny-all. That router is using a static address instead, so we
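Both DAI (previous section) and IP Source Guard (this one) are decisions made against the same DHCP snooping binding table, so here is one added Python model covering both; it is example code written for this page, not the switch's implementation or anything from the study guide. The binding table, the trusted port and the hosts (A on Fa0/1, B on Fa0/2, a rogue on Fa0/5) are constructed to match the ARP walkthrough above. The DAI function implements the default sender IP – sender MAC check plus the three validate options as Cisco documents them; the IPSG function implements ip verify source with and without the port-security option.

```python
"""Added example: Dynamic ARP Inspection and IP Source Guard decisions made
from one DHCP snooping binding table.  Hosts, MACs and ports are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address

# DHCP snooping binding table: (vlan, ip) -> (mac, port).  Constructed entries.
BINDINGS = {
    (4, '172.12.12.1'): ('aaaa.aaaa.aaaa', 'Fa0/1'),   # Host A
    (4, '172.12.12.2'): ('cccc.cccc.cccc', 'Fa0/2'),   # Host B
}
TRUSTED_PORTS = {'Fa0/10'}   # ip arp inspection trust / ip dhcp snooping trust


@dataclass
class Frame:
    port: str            # ingress interface
    vlan: int
    eth_src: str         # Ethernet header addresses
    eth_dst: str
    arp_op: str = ''     # 'request' or 'reply'; empty for plain IP traffic
    sender_mac: str = ''  # ARP body
    sender_ip: str = ''
    target_mac: str = ''
    target_ip: str = ''
    ip_src: str = ''     # IP header source, used by IP Source Guard


def _bogus_ip(ip: str) -> bool:
    """Addresses the 'ip' validate option rejects in an ARP body."""
    return ip in ('0.0.0.0', '255.255.255.255') or ip_address(ip).is_multicast


def dai_check(f: Frame, validate=()) -> str:
    """Return 'forward' or a drop reason.  validate may contain 'src-mac',
    'dst-mac' and/or 'ip', like ip arp inspection validate."""
    if f.port in TRUSTED_PORTS:
        return 'forward'                       # trusted port: no inspection at all
    if 'src-mac' in validate and f.eth_src != f.sender_mac:
        return 'drop: src-mac mismatch'        # checked on requests and replies
    if 'dst-mac' in validate and f.arp_op == 'reply' and f.eth_dst != f.target_mac:
        return 'drop: dst-mac mismatch'        # checked on replies only
    if 'ip' in validate:
        if _bogus_ip(f.sender_ip) or (f.arp_op == 'reply' and _bogus_ip(f.target_ip)):
            return 'drop: invalid ip'
    # default inspection: the sender IP/MAC pair must be a known binding
    binding = BINDINGS.get((f.vlan, f.sender_ip))
    if binding is None or binding[0] != f.sender_mac:
        return 'drop: no binding for %s/%s' % (f.sender_ip, f.sender_mac)
    return 'forward'


def ipsg_check(f: Frame, port_security=False) -> str:
    """ip verify source [port-security]: on an untrusted port only the IP
    (and, with port-security, the MAC) bound to that port may source traffic."""
    if f.port in TRUSTED_PORTS:
        return 'forward'
    for (vlan, ip), (mac, port) in BINDINGS.items():
        if port == f.port and vlan == f.vlan and ip == f.ip_src:
            if port_security and mac != f.eth_src:
                return 'drop: mac mismatch'
            return 'forward'
    return 'drop: source %s not bound to %s' % (f.ip_src, f.port)


# Host B answers Host A's request legitimately.
LEGIT_REPLY = Frame('Fa0/2', 4, 'cccc.cccc.cccc', 'aaaa.aaaa.aaaa', 'reply',
                    'cccc.cccc.cccc', '172.12.12.2', 'aaaa.aaaa.aaaa', '172.12.12.1')
# A rogue on Fa0/5 claims Host B's IP with its own MAC (ARP cache poisoning).
ROGUE_REPLY = Frame('Fa0/5', 4, 'bbbb.bbbb.bbbb', 'aaaa.aaaa.aaaa', 'reply',
                    'bbbb.bbbb.bbbb', '172.12.12.2', 'aaaa.aaaa.aaaa', '172.12.12.1')
# Same rogue, but with Host B's real pair copied into the ARP body.
FORGED_HDR = Frame('Fa0/5', 4, 'bbbb.bbbb.bbbb', 'aaaa.aaaa.aaaa', 'reply',
                   'cccc.cccc.cccc', '172.12.12.2', 'aaaa.aaaa.aaaa', '172.12.12.1')
# IP traffic: Host A on its own port, and a spoofer on Fa0/5 borrowing A's address.
GOOD_IP = Frame('Fa0/1', 4, 'aaaa.aaaa.aaaa', 'cccc.cccc.cccc', ip_src='172.12.12.1')
SPOOF_IP = Frame('Fa0/5', 4, 'bbbb.bbbb.bbbb', 'cccc.cccc.cccc', ip_src='172.12.12.1')

if __name__ == '__main__':
    for name, fr in (('legit', LEGIT_REPLY), ('rogue', ROGUE_REPLY), ('forged', FORGED_HDR)):
        print('DAI default  %-7s %s' % (name, dai_check(fr)))
        print('DAI validate %-7s %s' % (name, dai_check(fr, validate=('src-mac', 'dst-mac', 'ip'))))
    for name, fr in (('hostA', GOOD_IP), ('spoof', SPOOF_IP)):
        print('IPSG %-7s %s' % (name, ipsg_check(fr)))
```

Run it and compare the two lines for the "forged" frame: the default inspection forwards it, because the ARP body is a perfectly good binding, and only src-mac validation notices that the Ethernet header came from somewhere else.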

have to create a manual binding for it with ip source binding in order to use IP Source Guard here. You can get the MAC address of this host from the local switch's MAC address table or from the device itself. The command is long-winded, but not difficult.

MLS_1(config)#ip source binding ?
  H.H.H  binding MAC address
MLS_1(config)#ip source binding 001f.ca96.2754 ?
  vlan  binding VLAN
MLS_1(config)#ip source binding 001f.ca96.2754 vlan ?
  <1-4094>  binding VLAN number
MLS_1(config)#ip source binding 001f.ca96.2754 vlan 1 ?
  A.B.C.D  binding IP address
MLS_1(config)#ip source binding 001f.ca96.2754 vlan 1 10.1.1.3 ?
  interface  binding interface
MLS_1(config)#ip source binding 001f.ca96.2754 vlan 1 10.1.1.3 int fast 0/3 ?
  <cr>
MLS_1(config)#ip source binding 001f.ca96.2754 vlan 1 10.1.1.3 int fast 0/3
MLS_1#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan    Log
---------  -----------  -----------  ---------------  -----------------  ------  --------
Fa0/3      ip           active       10.1.1.3                            1       disabled

In the output of show ip verify source, note that "log" is disabled – that's Smartlog. Note also that the Mac-address column is still empty: we didn't use the port-security option, so only the IP address is being checked on this port.

VLAN Hopping

How can something that sounds so much fun be so evil? VLAN Hopping techniques use dot1q tagging against us, and we love dot1q tagging! We get… we have less overhead… we LOVE dot1q tagging and we're not letting it go! And if we follow a few simple network security tips, we don't have to. Let's have a look at how VLAN Hopping attacks work.

One form of hopping is double tagging, where an intruder transmits frames that are tagged with two separate VLAN IDs. Some very specific circumstances have to exist for this attack to bear fruit:

The intruding device must be attached to an access port.
The VLAN used by that access port must be the native VLAN of the trunk the frame will cross.
ISL wouldn't work at all for this attack, so dot1q must be in use on that trunk.

When that rogue host transmits a frame, the frame will have two tags – one indicating native VLAN membership, the other carrying the VLAN number of the VLAN to be attacked. We'll assume that VLAN 100 is the ultimate target. The switch receiving this double-tagged frame sees the outer tag for the native VLAN, and as usual that tag is removed before the frame is sent across the trunk, since native VLAN traffic crosses a dot1q trunk untagged. Problem is, the tag for VLAN 100 is still there!

When the remote switch receives that frame, it sees the tag for VLAN 100 and forwards the frame to ports in that VLAN. The rogue has now successfully hopped from one VLAN to the other. Not good! (The attack is one-way: the rogue can inject frames into VLAN 100, but replies stay in VLAN 100 and never come back to the rogue's access port. That's still enough to deliver an exploit or a flood, so it's still a problem.)

There's a classic defense for this attack. Classic solution: make your native VLAN a VLAN that no hosts are actually a member of. The rogue's access port is then in a VLAN that isn't the native VLAN, its frames go across the trunk with the outer tag intact, and the inner tag never becomes the outermost one. You may have a little more overhead as a result, but that stops double tagging in its tracks! You can also go the extra mile (or extra command) and prune that unused native VLAN from the trunk with switchport trunk allowed vlan remove, or tell the switch to tag native VLAN traffic on every trunk with the global command vlan dot1q tag native, so that no frame crosses a trunk untagged in the first place.

Switch spoofing is a VLAN Hopping variation that's even worse than double tagging. Switch spoofing allows the rogue to pretend to be a member of all VLANs in our network. Some Cisco switch ports run in dynamic desirable mode by default, which means a port is sending out Dynamic Trunking Protocol frames in an aggressive effort to form a trunk. It seems innocent enough, but the switch just knows it's sending DTP frames – it has no idea who's actually receiving them. The switch is basically hoping nothing bad happens as a result of sending these frames blindly.

"Remember Red, hope is a good thing, maybe the best of things, and no good thing ever dies." – Andy Dufresne, The Shawshank Redemption

"Hope is a good thing, but a lousy network security strategy." – Chris Bryant, The Book You're Reading

Many well-meaning network admins will put this kind of port into Auto mode, meaning the port will trunk but isn't actively looking to do so. This solution leads to another problem, because a rogue host connected to a port in Auto mode can pretend it's a switch and send DTP frames of its own, which leads to a trunk between our switch and someone else's switch. (This is a security vulnerability for any Cisco switch whose default port trunking mode is Auto or Desirable.) Big deal, right? Right! It is a big deal! A rogue with a trunk to our switch can see and send traffic in every VLAN that trunk carries, and VLAN Hopping has been used for a huge variety of network attacks, ranging from Trojan horse virus propagation to stealing bank account numbers and passwords.

Every port on your switch that doesn't lead to another switch known to be under your administrative control should be placed into access mode with switchport mode access. Doing so disables the port's ability to create a trunk and the rogue host's ability to switch spoof! On the trunks you do want, configure them statically and add switchport nonegotiate so they stop sending DTP frames altogether. These simple network security tips – using an empty VLAN as the native VLAN, disabling dynamic and auto trunking modes – will score points for you in the exam room and save you serious troubles in your server room!
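The double-tagging walk-through above, as an added Python model (written for this page; not the study guide's code and not how any switch implements forwarding). It builds a real 802.1Q frame layout (TPID 0x8100, 12-bit VID in the TCI), pushes it through an access port, a trunk egress and a remote trunk ingress, and reports which VLAN the remote switch finally floods it into. Three runs show the attack with the defaults, then the two defenses from the text: an unused native VLAN, and tagging the native VLAN on the trunk. The VLAN numbers and the attacker's frame are constructed.

```python
"""Added example: 802.1Q double tagging across two switches, and why the
native VLAN choice decides whether it works.  Frame layout follows 802.1Q;
VLAN numbers and the attacker's frame are constructed for the demo."""
import struct

TPID = 0x8100   # 802.1Q tag protocol identifier


def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert one 802.1Q tag after the 12-byte destination/source MAC header."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack('!HH', TPID, tci) + frame[12:]


def peek_tag(frame: bytes):
    """Return the outermost VID, or None if the frame is untagged."""
    if len(frame) >= 16 and struct.unpack('!H', frame[12:14])[0] == TPID:
        return struct.unpack('!H', frame[14:16])[0] & 0x0FFF
    return None


def pop_tag(frame: bytes) -> bytes:
    """Remove the outermost 802.1Q tag."""
    return frame[:12] + frame[16:]


def access_ingress(frame: bytes, access_vlan: int):
    """Access port: untagged frames join the access VLAN; a frame tagged with the
    access VLAN is accepted and that tag removed; any other tag is dropped.
    Whatever is left in the payload (including a second tag) is untouched."""
    vid = peek_tag(frame)
    if vid is None:
        return access_vlan, frame
    if vid == access_vlan:
        return access_vlan, pop_tag(frame)
    return None, None


def trunk_egress(frame: bytes, vlan: int, native_vlan: int, tag_native: bool) -> bytes:
    """Trunk egress: tag with the VLAN, unless it is the native VLAN and native
    tagging is off (the dot1q default, and the double-tagging weak spot)."""
    if vlan == native_vlan and not tag_native:
        return frame            # sent untagged: an inner tag is now the outermost
    return add_tag(frame, vlan)


def trunk_ingress(frame: bytes, native_vlan: int):
    """Remote trunk: classify by the outer tag, or the native VLAN if untagged."""
    vid = peek_tag(frame)
    if vid is None:
        return native_vlan, frame
    return vid, pop_tag(frame)


def deliver(attacker_frame: bytes, access_vlan: int, native_vlan: int,
            tag_native: bool = False):
    """VLAN the remote switch floods the frame into, or None if it was dropped."""
    vlan, frame = access_ingress(attacker_frame, access_vlan)
    if vlan is None:
        return None
    on_wire = trunk_egress(frame, vlan, native_vlan, tag_native)
    final_vlan, _ = trunk_ingress(on_wire, native_vlan)
    return final_vlan


# Constructed attacker frame: broadcast dst, rogue src, inner tag 100, outer tag 1.
RAW = bytes.fromhex('ffffffffffff') + bytes.fromhex('00000000bbbb') + b'\x08\x00' + b'payload'
DOUBLE_TAGGED = add_tag(add_tag(RAW, 100), 1)

if __name__ == '__main__':
    print('access VLAN 1, native VLAN 1 (default):     lands in VLAN',
          deliver(DOUBLE_TAGGED, access_vlan=1, native_vlan=1))
    print('access VLAN 1, unused native VLAN 999:      lands in VLAN',
          deliver(DOUBLE_TAGGED, access_vlan=1, native_vlan=999))
    print('access VLAN 1, vlan dot1q tag native:       lands in VLAN',
          deliver(DOUBLE_TAGGED, access_vlan=1, native_vlan=1, tag_native=True))
```

The first run prints 100: the outer tag was the access VLAN, the access VLAN was the native VLAN, so the trunk sent the frame untagged and the remote switch read the inner tag. The other two runs print 1, because the frame now crosses the trunk with an outer tag of its own and the inner tag never surfaces.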

The Cisco Discovery Protocol

Many companies have clear, concise network maps that show every physical connection in their network, and these maps are regularly updated as their network changes. Some networks do not. A big part of network troubleshooting is quietly verifying what a client has told you. Just because someone is looking over your shoulder and saying "That switch is connected to the other one at fast0/12!", they're not necessarily correct.

We can use the Cisco Discovery Protocol (CDP) to see what Cisco devices are directly connected to the Cisco device we're currently working on. This Layer 2 protocol is Cisco-proprietary and runs globally and on a per-interface level by default on Cisco routers and switches. CDP sends its announcements every 60 seconds to the multicast destination MAC address 01:00:0c:cc:cc:cc, and the holdtime is 180 seconds. To change either of those, use cdp timer and/or cdp holdtime. Before we get to those commands, let's run show cdp to see if CDP is enabled in the first place. If you get global info, it's on, and if you don't, it's not!

MLS_1#show cdp
% CDP is not enabled

To enable CDP globally, use cdp run (and no cdp run to turn it off globally). It's on by default but often disabled in production networks.

MLS_1(config)#cdp run
MLS_1(config)#^Z
MLS_1#show
*Mar 1 00:18:54.542: %SYS-5-CONFIG_I: Configured from console by console
MLS_1#show cdp
Global CDP information:
        Sending CDP packets every 60 seconds
        Sending a holdtime value of 180 seconds
        Sending CDPv2 advertisements is enabled

When you have interface-level and globally-configured commands enabling and disabling the same protocol, you just know that's going to show up on your exam in some fashion.

MLS_1(config)#cdp ?
  advertise-v2  CDP sends version-2 advertisements
  holdtime      Specify the holdtime (in sec) to be sent in packets
  run           Enable CDP
  timer         Specify the rate at which CDP packets are sent (in sec)
  tlv           Enable exchange of specific tlv information
MLS_1(config)#cdp timer ?
  <5-254>  Rate at which CDP packets are sent (in sec)
MLS_1(config)#cdp holdtime ?
  <10-255>  Length of time (in sec) that receiver must keep this packet

For that all-important info on directly connected Cisco devices, run show cdp neighbor.

MLS_1#show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
HOST_3           Fas 0/3           122        R S I       2801      Fas 0/0
HOST_1           Fas 0/1           176        R S I       2801      Fas 0/0

From left to right, we see…

Device ID, the remote device's hostname.

Local interface, the local switch's interface that is directly connected to the remote host.

Holdtime, the number of seconds the local device will retain the contents of the last CDP advertisement received from that remote host.

Capability, the type of device the remote device is! In this case, we have two devices that advertise themselves as both routers and switches. The Platform column settles what they are: the 2801 is an Integrated Services Router, and the "S" simply means it advertises Layer 2 switching capability as well.

Platform, the remote device's hardware platform. Both connections here are to Cisco 2801 routers.

Port ID, the remote device's interface involved in the direct connection.

For more details on those neighbors, run show cdp neighbor detail. This command gives you both the IP address and IOS version run by each neighbor.

MLS_1#show cdp neighbor detail
Device ID: HOST_3
Entry address(es):
  IP address: 10.1.1.3
Platform: Cisco 2801,  Capabilities: Router Switch IGMP
Interface: FastEthernet0/3,  Port ID (outgoing port): FastEthernet0/0
Holdtime : 125 sec

Version :
Cisco IOS Software, 2801 Software (C2801-ADVENTERPRISEK9_IVS-M), Version 15.1(2)T2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Sat 23-Oct-10 00:43 by prod_rel_team

advertisement version: 2
VTP Management Domain: ''
Duplex: full
Management address(es):

You may want to leave CDP on globally but disable / reenable it on a particular interface. At the interface level, use the commands no cdp enable and cdp enable to get the job done. We'll disable CDP on the interface leading directly to Host 1.

MLS_1(config)#int fast 0/1
MLS_1(config-if)#cdp ?
  enable  Enable CDP on interface
  tlv     Enable exchange of specific tlv information
MLS_1(config-if)#cdp enable ?
  <cr>
MLS_1(config-if)#no cdp ?
  enable  Enable CDP on interface
  tlv     Enable exchange of specific tlv information
MLS_1(config-if)#no cdp enable

About 3 minutes after disabling CDP on that interface, Host_1 disappears from the CDP table. (Three minutes is the 180-second holdtime: the local switch keeps the last advertisement it received until that ages out, so the neighbor doesn't vanish the moment you disable CDP.)

MLS_1#show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
HOST_3           Fas 0/3           148        R S I       2801      Fas 0/0

Real-world courtesy tip: If your client has CDP turned off, and you turn it on for troubleshooting, turn it back off before you leave, just as you would turn off debugs before leaving.
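Everything show cdp neighbor detail just printed arrives on the wire unauthenticated and unencrypted, so anyone who can receive the 01:00:0c:cc:cc:cc multicast can decode it. As an added example (written for this page; not code from the study guide or from Cisco), here is a decoder for a CDP advertisement that rebuilds the neighbor-table row. The frame and TLV layout follow the published CDP format (LLC/SNAP with Cisco OUI 00:00:0c and protocol 0x2000; a version/TTL/checksum header; TLVs with 2-byte type and 2-byte length that includes the 4-byte TLV header; capability bits matching the codes in the show output). The sample advertisement is constructed to mirror the HOST_3 entry above, with a made-up source MAC.

```python
"""Added example: decode a CDP advertisement as a passive listener would.
Frame/TLV layout follows the published CDP format; the sample is constructed."""
import struct

CDP_MCAST = bytes.fromhex('01000ccccccc')
SNAP_HDR = bytes.fromhex('aaaa03' '00000c' '2000')   # LLC/SNAP, Cisco OUI, CDP protocol id
TLV_DEVICE_ID, TLV_ADDRESS, TLV_PORT_ID = 0x0001, 0x0002, 0x0003
TLV_CAPABILITIES, TLV_VERSION, TLV_PLATFORM = 0x0004, 0x0005, 0x0006
CAP_BITS = [(0x01, 'R'), (0x02, 'T'), (0x04, 'B'), (0x08, 'S'),
            (0x10, 'H'), (0x20, 'I'), (0x40, 'r')]    # same codes as show cdp neighbor


def checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words (Internet checksum).  Real CDP
    handles an odd trailing byte with a quirk not reproduced here (assumption:
    this is only used for the frames this script builds itself)."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tlv(t: int, value: bytes) -> bytes:
    return struct.pack('!HH', t, 4 + len(value)) + value


def ip_address_tlv(ip: str) -> bytes:
    # one address: NLPID protocol type (1), protocol length 1, 0xCC = IP, address length 4
    addr = struct.pack('!BBBH', 1, 1, 0xCC, 4) + bytes(int(o) for o in ip.split('.'))
    return tlv(TLV_ADDRESS, struct.pack('!I', 1) + addr)


def build_cdp(device, ip, port, caps, platform, version, src_mac, ttl=180) -> bytes:
    """Assemble an Ethernet frame carrying a CDPv2 advertisement."""
    body = (tlv(TLV_DEVICE_ID, device.encode()) + ip_address_tlv(ip)
            + tlv(TLV_PORT_ID, port.encode()) + tlv(TLV_CAPABILITIES, struct.pack('!I', caps))
            + tlv(TLV_VERSION, version.encode()) + tlv(TLV_PLATFORM, platform.encode()))
    pdu = bytearray(struct.pack('!BBH', 2, ttl, 0) + body)   # version 2, TTL, checksum slot
    struct.pack_into('!H', pdu, 2, checksum(bytes(pdu)))
    llc_len = len(SNAP_HDR) + len(pdu)
    return CDP_MCAST + bytes.fromhex(src_mac) + struct.pack('!H', llc_len) + SNAP_HDR + bytes(pdu)


def parse_cdp(frame: bytes) -> dict:
    """Return the fields show cdp neighbor prints; raise on a non-CDP frame."""
    if frame[:6] != CDP_MCAST or frame[14:22] != SNAP_HDR:
        raise ValueError('not a CDP frame')
    pdu = frame[22:]
    if checksum(pdu) != 0:                 # a valid PDU sums to zero with its checksum
        raise ValueError('CDP checksum mismatch')
    info = {'cdp_version': pdu[0], 'holdtime': pdu[1], 'src_mac': frame[6:12].hex()}
    i = 4
    while i + 4 <= len(pdu):
        t, length = struct.unpack('!HH', pdu[i:i + 4])
        if length < 4:
            raise ValueError('bad TLV length')
        v = pdu[i + 4:i + length]
        if t == TLV_DEVICE_ID:
            info['device_id'] = v.decode()
        elif t == TLV_PORT_ID:
            info['port_id'] = v.decode()
        elif t == TLV_PLATFORM:
            info['platform'] = v.decode()
        elif t == TLV_VERSION:
            info['version'] = v.decode()
        elif t == TLV_CAPABILITIES:
            bits = struct.unpack('!I', v)[0]
            info['capability'] = ' '.join(code for bit, code in CAP_BITS if bits & bit)
        elif t == TLV_ADDRESS:
            info['ip'] = '.'.join(str(b) for b in v[9:13])   # first address; IP follows 4+5 header bytes
        i += length
    return info


def neighbor_row(info: dict) -> str:
    """One line in the style of show cdp neighbor."""
    return '%-16s %-10d %-11s %-9s %s' % (info['device_id'], info['holdtime'],
                                         info['capability'], info['platform'], info['port_id'])


# Constructed to mirror the HOST_3 entry above; the source MAC is made up.
SAMPLE = build_cdp('HOST_3', '10.1.1.3', 'FastEthernet0/0', 0x01 | 0x08 | 0x20, 'Cisco 2801',
                   'Cisco IOS Software, 2801 Software (C2801-ADVENTERPRISEK9_IVS-M), Version 15.1(2)T2',
                   src_mac='00000c123456')

if __name__ == '__main__':
    info = parse_cdp(SAMPLE)
    print(neighbor_row(info))
    print('IP address:', info['ip'], '| IOS:', info['version'])
```

The decoder does nothing a packet capture tool doesn't already do; the point is how little work it takes to turn one unauthenticated broadcast into the neighbor's hostname, address, platform and exact IOS version.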

CDP gives you a lot of great info, so why do many networks disable it? CDP offers no authentication, nor does it use any kind of encryption – all CDP info is sent in clear text, and like the non-encrypted-by-default enable password, we really hate that. You can see by the info in the show cdp neighbor detail output that we don't want this information accessible to everyone: anyone who can plug into a port where CDP is running receives the hostname, platform, exact IOS version and management address of the device, which is exactly the list an attacker needs to go looking for known vulnerabilities. The issue with disabling CDP is that many network management tools (and Cisco IP phones, which learn their voice VLAN from it) use info gathered by CDP. To minimize the risk of running CDP, determine where it really needs to be running, where you can do without it, and use the interface-level commands to make that happen. A reasonable rule: leave it on between your own switches and on phone ports if you rely on it there, and turn it off on user-facing access ports and on anything facing a network you don't control.

I'm sure you noticed that the CDP commands referred to a "version 2", which brings up the musical question, "What happened to CDP version 1?" v1 is still available; it's being kept around for backward compatibility. CDP v2 has greatly enhanced error-reporting capabilities (Cisco's terms for this include "rapid reporting mechanism" or "enhanced reporting mechanism"), and can report mismatched native VLANs. CDPv2 recognizes the native VLAN concept, where v1 doesn't.

You likely noted the term "tlv" in some of the CDP command options. "tlv" refers to Type-Length-Value, the encoding of the individual pieces of information (device ID, addresses, port ID, capabilities, platform, IOS version, and so on) carried in a CDP or LLDP advertisement. (TLVs are not exclusive to either protocol.)

In case you run into networks that (shudder) run non-Cisco devices, the Link Layer Discovery Protocol may come in handy. LLDP is the vendor-independent equivalent of CDP and is defined by IEEE 802.1AB. LLDP is also known as "Station and Media Access Control Connectivity Discovery". For obvious reasons, we prefer "LLDP". There's a very helpful extension, LLDP for Media Endpoint Devices (LLDP-MED), which comes into play when VoIP is in use. According to Cisco's website, "LLDP-MED is specified to operate only between endpoint devices such as IP phones and network connectivity devices such as switches." CDP does carry info that LLDP-MED doesn't, including the following:

MTU size
VLAN Trunking Protocol information
IP network prefix support (for ODR, On-Demand Routing)

LLDP has the same security properties as CDP, by the way: no authentication and no encryption, so the same advice about where to run it applies.

I've included a link to a Cisco PDF with a great deal of helpful info comparing LLDP-MED and CDP. While not required reading for the CCNP exams, I do recommend it for greater understanding of LLDP-MED in particular.

http://www.cisco.com/en/US/technologies/tk652/tk701/technologies_white_paper0900aecd804cd46d.html

Telnet vs. SSH

Telnet's a great way to communicate with remote routers and switches, but there's just one problem – all of the data sent to the remote host, including passwords, is transmitted in clear text. Any would-be network intruder who intercepts that transmission can easily enter our network and cause all kinds of trouble. Secure Shell (SSH) is basically encrypted Telnet: the basic operation of SSH is similar to that of Telnet, but all data (and the password!) is encrypted. SSH requires a little more config than Telnet, and it may also require a stronger IOS image (one with cryptographic support, the "k9" images) and/or hardware that you don't have in your network, which is a problem.

Telnet allows the configuration of a one-size-fits-all password on the VTY lines ("password CCNP"), but SSH does not. For SSH authentication, you'll need to configure a local database on the router or switch, or use AAA. A local user database is created with the username / password command. Each individual user is assigned a password of their own, and the username/password combination must match a database entry for authentication to be successful.

MLS_1(config)#username tarrant password tarantula
MLS_1(config)#username signal password gasoline
MLS_1(config)#username homer password beeeeeeer

Two cautions before we move on. First, username ... password stores the password in the configuration either in clear text or with the reversible "type 7" encoding; username ... secret stores a one-way hash instead and is what you want in a real network. Second, the local database is only as strong as the passwords in it: SSH protects the password in transit, not against guessing.

SSH configuration also requires a domain name to be specified with ip domain-name and crypto key creation with crypto key generate rsa.

MLS_1(config)#ip domain-name bryantadvantage.com
MLS_1(config)#crypto key generate rsa
The name for the keys will be: MLS_1.bryantadvantage.com
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)

I took the default here to keep the lab moving, but don't do that in production: a 512-bit RSA key can be factored cheaply, and SSH version 2 requires a modulus of at least 768 bits anyway. Generate a 2048-bit key (crypto key generate rsa modulus 2048) and then pin the device to version 2 with ip ssh version 2, since SSHv1 has known protocol weaknesses.

To limit authentication to SSH and disallow Telnet, run transport input ssh on the VTY lines, and use login local so the lines authenticate against the local database.

MLS_1(config)#line vty 0 4
MLS_1(config-line)#transport input ?
  all     All protocols
  none    No protocols
  ssh     TCP/IP SSH protocol
  telnet  TCP/IP Telnet protocol
MLS_1(config-line)#transport input ssh
MLS_1(config-line)#login local

Be careful with your switch VTY line configs, though. Cisco switches have 16 lines:

line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login

Whoops! The commands I just wrote limited only those first five VTY lines to SSH connections; lines 5 through 15 still accept Telnet. Easily fixed: after entering VTY line config mode with line vty 0 15, running transport input ssh and login local again applies those commands to all lines.

MLS_1(config)#line vty 0 15
MLS_1(config-line)#transport input ssh
MLS_1(config-line)#login local

line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh

Telnet and SSH do share an important option, and that's the use of ACLs to determine who should be able to connect. Create the ACL defining the source IP addresses of trusted users – or, as I've done here, block untrusted addresses and allow everyone else in – and apply the ACL to the VTY lines with access-class. (In production you want it the other way round: permit only your management stations and deny everyone else, so that an attacker's address isn't allowed in simply because nobody thought to block it.)

MLS_1(config)#ip access-list standard STOPTHATGUY
MLS_1(config-std-nacl)#deny host 3.3.3.3
MLS_1(config-std-nacl)#permit any
MLS_1(config-std-nacl)#line vty 0 15
MLS_1(config-line)#access-class STOPTHATGUY ?
  in   Filter incoming connections
  out  Filter outgoing connections
MLS_1(config-line)#access-class STOPTHATGUY in

Let's take a deep breath and move from security to monitoring!

Chapter 10: Monitoring the Switches

Syslog delivers messages regarding network events, along with a timestamp that helps you determine when the event occurred. These messages can be quite helpful in figuring out what the heck just happened in your network – you just have to remain calm and read the message carefully. I say that because some network admins panic more than a little when these messages show up, and in that panic they miss the message that's right in front of them.

Logging is straightforward, but the logging command itself can be a little tricky. Let's take a look at the logging options.

MLS_1(config)#logging ?
  Hostname or A.B.C.D  IP address of the logging host

That one's simple enough! We just need to follow logging with the hostname or IP address of that host. The trap option is a bit more complex:

MLS_1(config)#logging trap ?
  <0-7>          Logging severity level
  alerts         Immediate action needed           (severity=1)

  critical       Critical conditions               (severity=2)
  debugging      Debugging messages                (severity=7)
  emergencies    System is unusable                (severity=0)
  errors         Error conditions                  (severity=3)
  informational  Informational messages            (severity=6)
  notifications  Normal but significant conditions (severity=5)
  warnings       Warning conditions                (severity=4)
  <cr>

When you select a trap level, all messages of the numeric severity you choose and all those with a lower numeric value are sent to the logging server specified with logging hostname. You can use the name of the level or the numeric value – just set it high enough so you get all the messages you need sent to that server. Therefore, to send all log messages to the server, you need only specify level 7. (Level 7 means every debug line goes out over the network too, so in production most people settle on informational, level 6, which is also the default for logging trap.)

Deciphering syslog messages takes a little practice, so let's get that practice with the latest syslog message on my L3 switch.

02:54:56: %SYS-5-CONFIG_I: Configured from console by console

After the timestamp comes the facility (SYS, the part of IOS that generated the message), then the "5", which indicates the severity level, followed by the mnemonic for this message (CONFIG_I) and the message text itself. Severity 5 is "notifications", so this message reaches a server configured with logging trap 5 or higher, but not one set to logging trap warnings.

You can change the beginning of syslog messages to the timestamp format of your choice with service timestamps log. By default the switch stamps each message with the date, time and milliseconds:

*Mar 1 02:50:32.465: %SYS-5-CONFIG_I: Configured from console by console

MLS_1(config)#service timestamps ?
  debug  Timestamp debug messages
  log    Timestamp log messages
  <cr>
MLS_1(config)#service timestamps log ?
  datetime  Timestamp with date and time
  uptime    Timestamp with system uptime
MLS_1(config)#service timestamps log datetime ?
  localtime      Use local time zone for timestamps
  msec           Include milliseconds in timestamp
  show-timezone  Add time zone information to timestamp
  year           Include year in timestamp
  <cr>

I personally find the milliseconds to be annoying, so let's keep the datetime format but leave the msec option off. As a result, the next syslog message gives the date and time without the msecs.

MLS_1(config)#service timestamps log datetime

*Mar 1 02:52:28: %SYS-5-CONFIG_I: Configured from console by console

(The asterisk in front of the timestamp means the clock isn't authoritative – it has never been set or synchronized – which is also why this switch thinks it's March 1993. We'll fix that shortly.)

If you prefer to have the device uptime reflected in syslog messages, just choose that option!

MLS_1(config)#service timestamps log uptime ?
  <cr>
MLS_1(config)#service timestamps log uptime

The next syslog message indicates this device has been up for 2 hours, 54 minutes, and 56 seconds, and I've kept it there throughout the course.

02:54:56: %SYS-5-CONFIG_I: Configured from console by console

The switch console is set to display all syslog messages by default. To change this value, use logging console.
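Here is the decoding just described, plus the trap-level rule, as an added Python example (written for this page; not the study guide's code and not how IOS itself does it). It parses IOS syslog lines in all three timestamp styles shown above (uptime, datetime with msec, datetime without), pulls out the facility, severity and mnemonic, flags the non-authoritative-clock asterisk, and then filters a batch of lines the way logging trap <level> would. The sample lines are constructed from the messages on this page.

```python
"""Added example: parse IOS syslog lines and apply a logging trap level.
Sample lines are constructed from the ones shown on this page."""
import re

LEVELS = {'emergencies': 0, 'alerts': 1, 'critical': 2, 'errors': 3,
          'warnings': 4, 'notifications': 5, 'informational': 6, 'debugging': 7}

# optional timestamp, then %FACILITY-SEVERITY-MNEMONIC: text
_LINE = re.compile(r'^(?P<ts>[^%]*?)\s*%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mn>[A-Z0-9_]+):\s*(?P<text>.*)$')


def parse_syslog(line: str) -> dict:
    """Split one IOS syslog line into its fields; raise on anything else."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError('not an IOS syslog message: %r' % line)
    ts = m.group('ts').strip().rstrip(':').strip()
    return {
        'timestamp': ts.lstrip('*'),
        # a leading '*' means the clock was never set or synchronized
        'clock_authoritative': not ts.startswith('*'),
        'facility': m.group('fac'),
        'severity': int(m.group('sev')),
        'mnemonic': m.group('mn'),
        'text': m.group('text'),
    }


def trap_filter(lines, level) -> list:
    """Lines a 'logging trap <level>' switch would send to the server: every
    message whose severity number is less than or equal to the level.  The
    level may be a name ('errors') or a number (3)."""
    limit = LEVELS[level] if isinstance(level, str) else int(level)
    return [line for line in lines if parse_syslog(line)['severity'] <= limit]


SAMPLE = [
    '02:54:56: %SYS-5-CONFIG_I: Configured from console by console',
    '*Mar 1 02:50:32.465: %SYS-5-CONFIG_I: Configured from console by console',
    '*Mar 1 02:52:28: %SYS-5-CONFIG_I: Configured from console by console',
    '03:12:31: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up',
    '*Mar 1 00:00:32.146: %DC-6-DEFAULT_INIT_INFO: Default Profiles DB not loaded.',
    '04:59:01: %SYS-6-CLOCKUPDATE: System clock has been updated from 23:59:01 EST '
    'Sun Feb 28 1993 to 13:43:00 EDT Wed Mar 25 2015, configured from console by console.',
]

if __name__ == '__main__':
    for line in SAMPLE:
        p = parse_syslog(line)
        print('sev %d  %-9s %-18s clock %s  %s' % (
            p['severity'], p['facility'], p['mnemonic'],
            'ok ' if p['clock_authoritative'] else 'unset', p['timestamp']))
    for level in ('errors', 'notifications', 'debugging'):
        print('logging trap %-13s -> %d of %d lines sent' % (level, len(trap_filter(SAMPLE, level)), len(SAMPLE)))
```

A parser like this is the first building block of any syslog alerting: once the severity and mnemonic are fields rather than text, "page me on every LINK-3-UPDOWN from a trunk port" is a one-line rule.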

MLS_1(config)#logging console ?
  <0-7>          Logging severity level
  alerts         Immediate action needed           (severity=1)
  critical       Critical conditions               (severity=2)
  debugging      Debugging messages                (severity=7)
  emergencies    System is unusable                (severity=0)
  errors         Error conditions                  (severity=3)
  informational  Informational messages            (severity=6)
  notifications  Normal but significant conditions (severity=5)
  warnings       Warning conditions                (severity=4)

To send log messages to the local device's internal buffer, run logging buffered followed by the severity level; to change the internal buffer from its default of 4096 bytes, run this same command followed by the number of bytes desired.

MLS_1(config)#logging buffered ?
  <0-7>              Logging severity level
  <4096-2147483647>  Logging buffer size
  alerts             Immediate action needed           (severity=1)
  critical           Critical conditions               (severity=2)
  debugging          Debugging messages                (severity=7)
  discriminator      Establish MD-Buffer association
  emergencies        System is unusable                (severity=0)
  errors             Error conditions                  (severity=3)
  filtered           Enable filtered logging
  informational      Informational messages            (severity=6)
  notifications      Normal but significant conditions (severity=5)
  warnings           Warning conditions                (severity=4)

To view the log along with log settings, run show logging.

MLS_1#show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No active filter modules.

    Console logging: level debugging, 36 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 36 messages logged, xml disabled,
                     filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    File logging: disabled
    Persistent logging: disabled
    Trap logging: level informational, 39 message lines logged

Log Buffer (4096 bytes):

*Mar  1 00:00:32.146: %DC-6-DEFAULT_INIT_INFO: Default Profiles DB not loaded.
*Mar  1 00:00:36.352: %SYS-5-CONFIG_I: Configured from memory by console
*Mar  1 00:00:38.505: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
Auth Manager registration failed
*Mar  1 00:00:39.183: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 15.0(1)SE, RE
(truncated for clarity at this point)

Note the "Trap logging: level informational" line: that's the default trap level, in effect even though we haven't configured logging trap. The buffer is the first place to look when something odd happens, since it survives a lost console session (though not a reload; persistent logging to flash is the separate option listed as disabled above).

Before we move to another topic, let me show you a nifty little trick. Throughout the book, you've seen log messages regarding ports opening and closing, such as these:

03:12:30: %SYS-5-CONFIG_I: Configured from console by console
03:12:31: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
03:12:32: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

I like seeing these messages in lab environments, but in production networks, you can fill up a log pretty quickly with these messages. To prevent these particular messages from logging, run the interface-level command no logging event link-status. You'll have more options for this command on switches. On routers, you may see only these two options:

ROUTER1(config)#int fast 0/0
ROUTER1(config-if)#no logging event ?
  link-status        UPDOWN and CHANGE messages
  subif-link-status  Sub-interface UPDOWN and CHANGE messages

MLS_1(config)#int fast 0/1
MLS_1(config-if)#no logging event ?
  bundle-status      BUNDLE/UNBUNDLE messages
  link-status        UPDOWN and CHANGE messages
  nfas-status        NFAS D-channel status messages
  spanning-tree      Spanning-tree Interface events
  status             Spanning-tree state change messages
  subif-link-status  Sub-interface UPDOWN and CHANGE messages
  trunk-status       TRUNK status messages

ROUTER1(config-if)#no logging event link-status
ROUTER1(config-if)#shut
03:14:33: %SYS-5-CONFIG_I: Configured from console by console
ROUTER1(config-if)#no shut

We received only the configuration message; the syslog messages regarding link and line protocol status are gone. Getting rid of the link up-down messages is a good way to keep the log size down and make the log easier to read, but I'd be careful about turning too many log messages off. You might just miss one you really need to see! A port that flaps up and down is often the first sign of a failing cable, a spanning-tree problem, or somebody plugging in gear they shouldn't, and if those messages are off you won't hear about it. To get those logging messages back, run logging event link-status.

ROUTER1(config-if)#logging event link-status
ROUTER1(config-if)#shut
03:16:27: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
03:16:28: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
ROUTER1(config-if)#no shut
03:16:37: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
03:16:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

Yeah, like that!

Timestamping

If your timestamps reflect an era long gone, it's time to get another time source.

MLS_1#show clock
*04:55:05.037 UTC Mon Mar 1 1993

We can set the local device's time with clock set, then fine-tune that setting with clock timezone and clock summer-time. Note where clock set is run (privileged EXEC mode) as opposed to the other clock commands (global configuration mode).

MLS_1#clock ?
  set  Set the time and date

  hh:mm:ss  Current Time
MLS_1#clock set 13:43:00 ?
  <1-31>  Day of the month
  MONTH   Month of the year
MLS_1#clock set 13:43:00 March ?
  <1-31>  Day of the month
MLS_1#clock set 13:43:00 March 25 ?
  <1993-2035>  Year
MLS_1#clock set 13:43:00 March 25 2015 ?
  <cr>
MLS_1#clock set 13:43:00 March 25 2015
04:59:01: %SYS-6-CLOCKUPDATE: System clock has been updated from 23:59:01 EST Sun Feb 28 1993 to 13:43:00 EDT Wed Mar 25 2015, configured from console by console.

MLS_1(config)#clock ?
  initialize   Initialize system clock on restart
  save         backup of clock with NVRAM
  summer-time  Configure summer (daylight savings) time
  timezone     Configure time zone

The clock timezone command doesn't list every time zone in the world, nor Coordinated Universal Time (UTC) itself, so you gotta know yours! I live on the East Coast of the United States, so I put Eastern Standard Time (EST) in for the time zone and -5 for the offset. For your personal reference, here's the Wikipedia page listing all offsets: http://en.wikipedia.org/wiki/List_of_UTC_time_offsets

MLS_1(config)#clock timezone ?
  WORD  name of time zone
MLS_1(config)#clock timezone EST ?
  <-23 - 23>  Hours offset from UTC
MLS_1(config)#clock timezone EST -5

MLS_1(config)#clock summer-time ?
  WORD  name of time zone in summer
MLS_1(config)#clock summer-time EDT ?
  date       Configure absolute summer time
  recurring  Configure recurring summer time
MLS_1(config)#clock summer-time EDT recurring ?
  <1-4>  Week number to start
  first  First week of the month
  last   Last week of the month
  <cr>
MLS_1(config)#clock summer-time EDT recurring

The Network Time Protocol

clock set is okay for one or two routers, but in our networks we're going to have a lot more routers and switches, and it's vital they have the same time. Our routers and switches need a central time source that allows them to synchronize their clocks, whether that time source is another router in the same network or an external time source. The Network Time Protocol (NTP) helps us make that happen.

NTP allows us to specify time sources for our switches and routers. Doing so gives our syslog timestamps accurate and synched time throughout the network, making troubleshooting (and correlating events across devices during an incident) a lot less frustrating. Synched time is important for our digital certificates as well: a certificate is only valid between its notBefore and notAfter dates, and a device with a badly wrong clock will reject good certificates or accept expired ones. And if you're using any kind of accounting in your network, accurate and synched time is a necessity. You haven't lived until you bill a department for 67 days' usage of a network resource in a single month.

At the very top of our NTP hierarchy are stratum-0 devices, typically atomic clocks. You can't configure a Cisco router to get its time directly from a stratum-0 server. Stratum-1 servers are generally referred to as time servers, and we can configure a Cisco router to get its time from a stratum-1 device. The number following "stratum" in non-stratum-0 devices indicates how many hops away the device is from a stratum-0 device. (And you thought you were done with hops in RIP!)

It's strongly recommended that your network's "outside" router receive its time from a public NTP timeserver. For the latest IP addresses of these servers, just run a search on the term public NTP servers. Be sure not to block UDP port 123 on that or other routers in your network; that's the port NTP uses.

Cisco routers can serve as NTP servers, clients, or peers. They can also depend on NTP broadcasts for the correct time.

The NTP server-client relationship is as you'd expect, with the server giving the correct time to clients. Clients accept the time synch message from the server and set their internal clock accordingly. Clients do NOT send NTP time synch messages back to the server; they only send requests.

We're not limited to the traditional server/client relationship with NTP. NTP peers send NTP messages to each other, and either peer can send time synch messages to the other.

We can choose to run NTP in broadcast mode or multicast mode as well. With these methods, the server broadcasts or multicasts its NTP messages, which the clients must be able to receive; otherwise, we're wasting our time! Remember that routers don't forward broadcasts or multicasts without extra configuration.

It's highly recommended that a public NTP timeserver be used as your NTP Master's time source. Should you choose to use one of your network routers as the NTP Master, NTP-based or otherwise, it's imperative you use NTP authentication and/or ACLs to prevent routers from outside your network from attempting to synch with one of your routers. The concern isn't only unauthorized clients reading the time: an untrusted source feeding bad time to your devices corrupts every timestamp, certificate check and accounting record that depends on it.

In our lab, we'll configure MLS_1 as our NTP Master and timeserver, with ROUTER_3 configured as a client of MLS_1. As always, the router number serves as the last octet of each IP address.

Let's check the clock on our NTP-Master-to-be:

MLS_1#show clock
09:25:29.167 EST Wed Mar 25 2015

It ain't 1993, so we'll take it! Our NTP master options (stratum 8 is the default when none is given):

MLS_1(config)#ntp master ?
  <1-15>  Stratum number
  <cr>
MLS_1(config)#ntp master

The commands show ntp status and show ntp association verify NTP's operation. Here's the output from the server's point of view:

MLS_1#show ntp status
Clock is synchronized, stratum 8, reference is 127.127.1.1
nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**17
reference time is D8BD47D4.F3858835 (14:42:28.951 UTC Wed Mar 25 2015)
(Output truncated for clarity)

MLS_1#show ntp association
  address         ref clock     st  when  poll reach  delay  offset    disp
*~127.127.1.1     .LOCL.         7     8    16   377   0.000   0.000   0.000
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

There's a lot of info here, and the phrase we're looking for is "Clock is synchronized". The reference address 127.127.1.1 indicates the time source is the switch's internal clock. We're also looking for that asterisk next to the address in show ntp association, which indicates that the synch is complete.

On R3, I'll use ntp server to point R3 to this switch as its time source.

ROUTER_3(config)#ntp server ?
  A.B.C.D     IP address of peer
  WORD        Hostname of peer
  X:X:X:X::X  IPv6 address of peer
  ip          Use IP for DNS resolution
  ipv6        Use IPv6 for DNS resolution
  vrf         VPN Routing/Forwarding Information
ROUTER_3(config)#ntp server 10.1.1.4

And from the client's point of view:

ROUTER_3#show ntp status
Clock is synchronized, stratum 9, reference is 10.1.1.4
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24
reference time is D8BD46F7.46BF9352 (09:38:47.276 EST Wed Mar 25 2015)
(Output truncated for clarity)

ROUTER_3#show ntp association
  address         ref clock     st  when  poll reach  delay  offset    disp
*~10.1.1.4        127.127.1.1    8    64    64    37   2.348 -66.425 439.243
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

Note the stratum: the client is one hop further from the reference than its server, so stratum 8 on MLS_1 becomes stratum 9 on ROUTER_3.

If we're fortunate and smart enough to have NTP Master redundancy, we can configure our NTP clients to have more than one time server to choose from. We can also prefer one server over the other! Just use multiple ntp server commands while also using the prefer option to indicate the preferred server.

ROUTER_3(config)#ntp server 10.1.1.4 prefer
ROUTER_3(config)#ntp server 10.1.1.7

The NTP process likely strikes you as wide open to attack, since the only thing we're really telling the client is "Hey, here's the IP address of the time server." Let's use NTP authentication to tie things down a bit.

We'll enable this feature with ntp authenticate, then define a key and link that key to the ntp server command.

ROUTER_3(config)#ntp authenticate
ROUTER_3(config)#ntp authentication-key ?
  <1-4294967295>  Key number
ROUTER_3(config)#ntp authentication-key 1 ?
  md5  MD5 authentication
ROUTER_3(config)#ntp authentication-key 1 md5 ?
  WORD  Authentication key
ROUTER_3(config)#ntp authentication-key 1 md5 CCNP
ROUTER_3(config)#ntp trusted-key ?
  <1-4294967295>  Key number
ROUTER_3(config)#ntp trusted-key 1
ROUTER_3(config)#ntp server 10.1.1.4 ?
  burst    Send a burst when peer is reachable
  iburst   Send a burst when peer is unreachable
  key      Configure peer authentication key
  maxpoll  Maximum poll interval
  minpoll  Minimum poll interval
  prefer   Prefer this peer when possible
  source   Interface for source address
  version  Configure NTP version
  <cr>
ROUTER_3(config)#ntp server 10.1.1.4 key ?
  <0-4294967295>  Peer key number
ROUTER_3(config)#ntp server 10.1.1.4 key 1

We'll need the same commands on the server (except the ntp server command, of course!). The key is a shared secret that must match on both sides; pick something stronger than CCNP outside the lab.

MLS_1(config)#ntp authenticate
MLS_1(config)#ntp authentication-key 1 md5 CCNP
MLS_1(config)#ntp trusted-key 1

Verify NTP authentication with show ntp association detail. I've left out most of the output of this command, because when it says "detail", it means detail! The authentication verification is right at the top of the output:

ROUTER_3#show ntp association detail
10.1.1.4 configured, authenticated, our_master, sane, valid, stratum 8
ref ID 127.127.1.1, time D8BE4169.46322015 (08:27:21.274 UTC Thu Mar 26 2015)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64

That's all well and good, but NTP authentication isn't quite what it seems. NTP authentication really just assures the client that it's talking to an NTP server that's under our administrative control; it is the client protecting itself from a rogue server, not the server protecting itself from unknown clients. Enabling NTP authentication on the server does NOT require NTP clients to use authentication, either! I've just added another router to our lab, and it's able to get time from MLS_1 with no problem, and no authentication. Note that the word "authenticated" is missing from its detail output.

ROUTER_1(config)#ntp server 10.1.1.4

ROUTER_1#show ntp assoc
  address         ref clock     st  when  poll reach  delay  offset    disp
*~10.1.1.4        127.127.1.1    8    26    64    17   2.790  -8.124  939.53
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

ROUTER_1#show ntp assoc detail
10.1.1.4 configured, our_master, sane, valid, stratum 8
ref ID 127.127.1.1, time D8BE4561.4569D946 (08:44:17.271 UTC Thu Mar 26 2015)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64

Keeping unknown clients away from the server is a job for an access list, which is what we'll do next.
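To make the fields in those show ntp outputs and the MD5 key handling concrete, here is an added example in Python. It is my own code for this page, not code from the study guide or from Cisco. It builds a 48-byte NTPv4 header like the one MLS_1 sends, parses the stratum, reference ID and reference timestamp back out of it, and appends and checks the RFC 5905 MD5 MAC that ntp authentication-key and ntp trusted-key implement. The key ID 1 and key CCNP are the values from the lab above; the packet contents and the tampered, wrong-key and untrusted-key cases are constructed for the example.

```python
"""Added example: NTPv4 header fields and RFC 5905 MD5 authentication."""
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

NTP_HEADER_LEN = 48          # fixed NTP header, RFC 5905 section 7.3
MD5_MAC_LEN = 4 + 16         # 32-bit key ID followed by a 128-bit MD5 digest
NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)


def ntp_time_to_datetime(seconds, fraction):
    """Convert a 64-bit NTP timestamp (the hex shown after 'reference time is')
    into a UTC datetime."""
    return NTP_EPOCH + timedelta(seconds=seconds + fraction / 2 ** 32)


def build_header(stratum, refid, mode=4, version=4, poll=6, precision=-20,
                 ref_seconds=0, ref_fraction=0):
    """Return a 48-byte NTP header. refid is 4 bytes: an ASCII tag such as b'LOCL'
    for stratum 0/1, otherwise the packed IPv4 address of the upstream source.
    Timestamps other than the reference time are left at zero (constructed data)."""
    header = bytearray(NTP_HEADER_LEN)
    li_vn_mode = (0 << 6) | (version << 3) | mode          # leap indicator 0
    struct.pack_into("!BBbb", header, 0, li_vn_mode, stratum, poll, precision)
    # bytes 4..11 are root delay and root dispersion, zero here
    header[12:16] = refid
    struct.pack_into("!II", header, 16, ref_seconds, ref_fraction)
    # bytes 24..47 are origin, receive and transmit timestamps, zero here
    return bytes(header)


def parse_header(pkt):
    """Pull out the fields that show ntp status / show ntp association display."""
    li_vn_mode, stratum, _poll, _precision = struct.unpack_from("!BBbb", pkt, 0)
    refid = pkt[12:16]
    ref_seconds, ref_fraction = struct.unpack_from("!II", pkt, 16)
    if stratum <= 1:
        refid_text = "." + refid.rstrip(b"\x00").decode("ascii", "replace") + "."
    else:
        refid_text = ".".join(str(b) for b in refid)
    return {
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,               # 3 = client, 4 = server
        "stratum": stratum,
        "refid": refid_text,
        "reference_time": ntp_time_to_datetime(ref_seconds, ref_fraction),
    }


def append_md5_mac(header, key_id, key):
    """RFC 5905 MAC: key ID, then MD5(key || header). The key is the string from
    'ntp authentication-key <id> md5 <key>'."""
    digest = hashlib.md5(key + header[:NTP_HEADER_LEN]).digest()
    return header[:NTP_HEADER_LEN] + struct.pack("!I", key_id) + digest


def verify_md5_mac(pkt, trusted_keys):
    """Client-side check: accept a reply only if it carries a MAC, the key ID is
    in the trusted set ('ntp trusted-key') and the digest matches.
    trusted_keys maps key ID -> key bytes."""
    if len(pkt) != NTP_HEADER_LEN + MD5_MAC_LEN:
        return False                                   # no MAC, or unexpected size
    key_id = struct.unpack_from("!I", pkt, NTP_HEADER_LEN)[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False                                   # key ID not trusted
    expected = hashlib.md5(key + pkt[:NTP_HEADER_LEN]).digest()
    return hmac.compare_digest(expected, pkt[NTP_HEADER_LEN + 4:])


def demo():
    """Model MLS_1's reply (stratum 8, reference 127.127.1.1, reference time
    D8BD47D4.F3858835) and run the checks a client like ROUTER_3 performs."""
    reply = build_header(stratum=8, refid=bytes([127, 127, 1, 1]),
                         ref_seconds=0xD8BD47D4, ref_fraction=0xF3858835)
    trusted = {1: b"CCNP"}                             # ntp trusted-key 1
    signed = append_md5_mac(reply, key_id=1, key=b"CCNP")
    tampered = bytearray(signed)
    tampered[1] = 2                                    # on-path edit: claim stratum 2
    return {
        "parsed": parse_header(reply),
        "good": verify_md5_mac(signed, trusted),
        "tampered": verify_md5_mac(bytes(tampered), trusted),
        "wrong_key": verify_md5_mac(signed, {1: b"CCIE"}),
        "untrusted_key_id": verify_md5_mac(append_md5_mac(reply, 2, b"CCNP"), trusted),
        "unauthenticated": verify_md5_mac(reply, trusted),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it reports stratum 8, refid 127.127.1.1 and a reference time of 2015-03-25 14:42:28 UTC for the parsed header, True for the correctly keyed packet and False for the other four cases. verify_md5_mac is the check that ntp authenticate turns on in a client: a reply with no MAC, an untrusted key ID or a bad digest is discarded. The server applies no such rule to incoming requests, which is exactly why ROUTER_1 got time from MLS_1 without a key.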

To further protect our NTP deployment, we'll configure an ACL on the server and use ntp access-group to apply it to NTP. Our ACL will permit only the source IP address 10.1.1.3, and we'll call that ACL in ntp access-group.

MLS_1(config)#access-list 22 permit host 10.1.1.3
MLS_1(config)#ntp access-group ?
  peer        Provide full access
  query-only  Allow only control queries
  serve       Provide server and query access
  serve-only  Provide only server access
MLS_1(config)#ntp access-group serve ?
  <1-99>       Standard IP access list
  <1300-1999>  Standard IP access list (expanded range)
  WORD         Named access list
MLS_1(config)#ntp access-group serve 22

A word on those four access types: peer is the most permissive, since the listed hosts may also synchronize this device's clock; serve and serve-only let hosts obtain time (serve also allows control queries); query-only allows only control queries. Only an upstream time source you trust belongs in a peer group; clients belong in serve or serve-only.

debug ntp packets illustrates that when MLS_1 receives an NTP message from the permitted IP address of 10.1.1.3, an NTP message is sent in reply. The debug shows an NTP message coming in from 10.1.1.1 as well, but that message is not answered, thanks to the ACL and the ntp access-group command.

MLS_1#debug ntp packet
NTP packets debugging is on
NTP message received from 10.1.1.3 on interface 'Vlan13' (10.1.1.4)
NTP message sent to 10.1.1.3, from interface 'Vlan13' (10.1.1.4)
NTP message received from 10.1.1.1 on interface 'Vlan13' (10.1.1.4)
NTP message received from 10.1.1.3 on interface 'Vlan13' (10.1.1.4)
NTP message sent to 10.1.1.3, from interface 'Vlan13' (10.1.1.4)
NTP message received from 10.1.1.1 on interface 'Vlan13' (10.1.1.4)
MLS_1#u all
All possible debugging has been turned off

(u all is short for undebug all.)

SNMP

With our time all synched up, let's do some network monitoring! The Simple Network Management Protocol is used to carry network management info from one network device to another, and you'll find it in just about every network out there today. An SNMP deployment has three main parts:

The SNMP Manager, the actual monitoring device.

The SNMP Agents, the devices being monitored (and running an SNMP instance).

The Management Information Base (MIB), the database on the Agent that contains important information ("variables") about the Agent.

SNMP Managers poll Agents over UDP port 161, and these messages take the form of GETs and SETs. A "GET" is a request for information, and a "SET" is a request from the Manager to the Agent, requesting that a certain variable be set to the value indicated in the SET.

Seems like a good approach, but there's one glaring issue. The only way for the Manager to receive immediate or even near-immediate notice of a critical network event is to poll the Agents quite often, which in turn sucks up bandwidth and is a hit on the Manager's CPU.

Let's say our Manager is polling our Agent every 10 minutes regarding one particular variable. Three seconds after the Agent answers one such GET, that variable undergoes a critical change. It would then take 9 minutes and 57 seconds for the Manager to find out about the change! To get a quick notification on such an event without overloading the Manager, we configure SNMP traps on the managed devices, allowing the Agents to send a message to the Manager (UDP port 162) when such a variable changes.

We still have three versions of SNMP out there, versions 1, 2c, and 3, and there are some serious security concerns with the earlier versions. V3 has both authentication and encryption capabilities; the earlier versions do not. For that reason alone, you should use V3 whenever possible, and the use of the other versions should be restricted to allowing read-only access via the use of community strings.

SNMP community strings, found in SNMP v1 and 2c, are a kind of password / authority level combination that allow you to set the strings as read-only or read-write. Keep in mind that the community string crosses the wire in cleartext in every v1/v2c packet, so anyone who can sniff the management traffic has it. That is why read-write strings are such a bad idea, and why an ACL on the community is a must.

MLS_1(config)#snmp-server community ?
  WORD  SNMP community string
MLS_1(config)#snmp-server community CCNP ?
  <1-99>       Std IP accesslist allowing access with this community string
  <1300-1999>  Expanded IP accesslist allowing access with this community string
  WORD         Access-list name
  ro           Read-only access with this community string
  rw           Read-write access with this community string
  view         Restrict this community to a named MIB view
  <cr>
MLS_1(config)#snmp-server community CCNP ro ?
  <1-99>       Std IP accesslist allowing access with this community string
  <1300-1999>  Expanded IP accesslist allowing access with this community string
  WORD         Access-list name
  ipv6         Specify IPv6 Named Access-List
  <cr>
MLS_1(config)#snmp-server community CCNP ro 15

This configuration would allow hosts identified by ACL 15 to have read-only access to all SNMP objects specified by this community string.

With SNMP v3, things are much more secure and just a tad more complex. Let's use IOS Help to venture through some of the most long-winded commands you're ever going to see. Let's start with creating an SNMP group and then assigning a user to that group.

MLS_1(config)#snmp-server group BULLDOGS ?
  v1   group using the v1 security model
  v2c  group using the v2c security model
  v3   group using the User Security Model (SNMPv3)
MLS_1(config)#snmp-server group BULLDOGS v3 ?
  auth    group using the authNoPriv Security Level
  noauth  group using the noAuthNoPriv Security Level
  priv    group using SNMPv3 authPriv security level

A quick word about those three security levels. They look intimidating, but when you break them down they're easy to remember.

noAuthNoPriv: You're really asking for it. You have no authentication and no privacy (encryption).

authNoPriv: You have authentication, but no privacy (no encryption).

authPriv: Your SNMP packets are authenticated, and privacy is assured via encryption.

MLS_1(config)#snmp-server group BULLDOGS v3 priv ?
  access   specify an access-list associated with this group
  context  specify a context to associate these views for the group
  match    context name match criteria
  notify   specify a notify view for the group
  read     specify a read view for the group
  write    specify a write view for the group
  <cr>
MLS_1(config)#snmp-server group BULLDOGS v3 priv

The views mentioned in the last IOS Help readout aren't required, and creating them is out of the CCNP SWITCH exam scope, but I do want you to know the defaults: If no read view is defined, all objects can be read. If no write view is defined, no objects can be written. If no notify view is defined, group members are not sent notifications.

Now let's create our user, using SHA for authentication and AES 128-bit encryption, which are both excellent choices when your hardware allows them. MD5 and DES are still offered for backward compatibility; prefer SHA and AES whenever the manager supports them.

MLS_1(config)#snmp-server user CHRIS ?
  WORD  Group to which the user belongs
MLS_1(config)#snmp-server user CHRIS BULLDOGS ?
  remote  Specify a remote SNMP entity to which the user belongs
  v1      user using the v1 security model
  v2c     user using the v2c security model
  v3      user using the v3 security model
MLS_1(config)#snmp-server user CHRIS BULLDOGS v3 ?
  access     specify an access-list associated with this group
  auth       authentication parameters for the user
  encrypted  specifying passwords as MD5 or SHA digests
  <cr>
MLS_1(config)#snmp-server user CHRIS BULLDOGS v3 auth ?
  md5  Use HMAC MD5 algorithm for authentication
  sha  Use HMAC SHA algorithm for authentication
MLS_1(config)#snmp-server user CHRIS BULLDOGS v3 auth sha ?
  WORD  authentication pasword for user
MLS_1(config)#snmp-server user CHRIS BULLDOGS v3 auth sha CCNP ?
  access  specify an access-list associated with this group
  priv    encryption parameters for the user
  <cr>
MLS_1(config)#snmp-server user CHRIS BULLDOGS v3 auth sha CCNP priv ?
  3des  Use 168 bit 3DES algorithm for encryption
  aes   Use AES algorithm for encryption
  des   Use 56 bit DES algorithm for encryption
MLS_1(config)#snmp-server user CHRIS BULLDOGS v3 auth sha CCNP priv aes ?
  128  Use 128 bit AES algorithm for encryption
  192  Use 192 bit AES algorithm for encryption
  256  Use 256 bit AES algorithm for encryption
MLS_1(config)#snmp-server user CHRIS BULLDOGS v3 auth sha CCNP priv aes 128 ?
  WORD  privacy pasword for user
MLS_1(config)#$S BULLDOGS v3 auth sha CCNP priv aes 128 TIREDOFTYPING ?
  access  specify an access-list associated with this group
  <cr>

(The "$" at the start of that last prompt is just IOS scrolling a command line that has grown too long for the screen.)
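The auth and priv passwords we just typed are never used directly on the wire. An SNMPv3 agent hashes each passphrase into a key and then "localizes" it with its own snmpEngineID (RFC 3414 section 2.6 and appendix A), and a manager has to do the same derivation per agent. Here is an added example in Python, my own code rather than the study guide's or Cisco's, that performs that derivation for a user like CHRIS with SHA authentication and AES-128 privacy, checks itself against the RFC 3414 "maplesyrup" test vectors, and shows why a key lifted from one agent is useless against another. The two engine IDs and the stand-in message are constructed for the example.

```python
"""Added example: SNMPv3 USM key derivation and HMAC-SHA-96 (RFC 3414, RFC 3826)."""
import hashlib
import hmac

ONE_MEGABYTE = 1048576


def password_to_key(password, hash_name):
    """Ku (RFC 3414 A.2): hash the passphrase repeated out to exactly 1,048,576
    bytes. The cost is deliberate; it slows offline guessing against captured traffic."""
    stream = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    return hashlib.new(hash_name, stream).digest()


def localize_key(ku, engine_id, hash_name):
    """Kul = H(Ku || snmpEngineID || Ku): the key the agent actually stores and uses."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def derive_user_keys(auth_password, priv_password, engine_id, hash_name="sha1"):
    """Keys for 'snmp-server user ... v3 auth sha <pw> priv aes 128 <pw>'.
    The privacy key is localized with the auth hash and truncated to 128 bits
    for AES-128 (RFC 3826 section 1.2)."""
    auth_key = localize_key(password_to_key(auth_password, hash_name), engine_id, hash_name)
    priv_key = localize_key(password_to_key(priv_password, hash_name), engine_id, hash_name)[:16]
    return auth_key, priv_key


def auth_parameters(auth_key, whole_msg):
    """HMAC-SHA-96 (RFC 3414 6.3): HMAC over the whole message, computed with the
    12-byte msgAuthenticationParameters field zero-filled, truncated to 12 bytes."""
    return hmac.new(auth_key, whole_msg, "sha1").digest()[:12]


def verify_message(auth_key, whole_msg_with_zeroed_field, received_params):
    """Receiver side: recompute and compare in constant time."""
    return hmac.compare_digest(auth_parameters(auth_key, whole_msg_with_zeroed_field),
                               received_params)


def demo():
    # Two agents with different (constructed) Cisco-style engine IDs, same user passwords.
    engine_a = bytes.fromhex("800000090300001122334455")
    engine_b = bytes.fromhex("8000000903000011223344aa")
    auth_a, priv_a = derive_user_keys(b"CCNP", b"TIREDOFTYPING", engine_a)
    auth_b, priv_b = derive_user_keys(b"CCNP", b"TIREDOFTYPING", engine_b)
    # Constructed stand-in for an encoded v3 message; the trailing 12 zero bytes
    # play the role of the zeroed msgAuthenticationParameters field.
    message = b"snmpv3 get sysUpTime.0 " + bytes(12)
    params = auth_parameters(auth_a, message)
    return {
        "auth_keys_differ": auth_a != auth_b,
        "priv_keys_differ": priv_a != priv_b,
        "priv_key_len": len(priv_a),
        "valid_on_a": verify_message(auth_a, message, params),
        "replayed_to_b": verify_message(auth_b, message, params),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The result: the same passwords yield different authentication and privacy keys on the two agents, the HMAC computed for agent A verifies on A and fails on B, and the AES-128 key is 16 bytes. The engine-ID step is what keeps a key recovered from one compromised agent from unlocking every other device that shares the same SNMPv3 user, which is a good reason to keep those passphrases long even though they are hashed a million bytes deep.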

MLS_1(config)#$S BULLDOGS v3 auth sha CCNP priv aes 128 TIREDOFTYPING
MLS_1(config)#^Z
MLS_1#
Mar 26 10:16:25.467: Configuring snmpv3 USM user, persisting snmpEngineBoots.

Whew! You obviously have to do some serious planning for SNMPv3, including the encryption type and bit level you'll be able to use, but it pays off in the end with security that's far superior to earlier versions. Finally, we'll define the host to which we'll send traps.

MLS_1(config)#snmp-server host ?
  WORD  IP/IPV6 address of SNMP notification host
  http://<Hostname or A.B.C.D>[:<port number>][/<uri>]  HTTP address of XML notification host
MLS_1(config)#snmp-server host 10.1.1.3 ?
  WORD     SNMPv1/v2c community string or SNMPv3 user name
  informs  Send Inform messages to this host
  traps    Send Trap messages to this host
  version  SNMP version to use for notification messages
  vrf      VPN Routing instance for this host
MLS_1(config)#snmp-server host 10.1.1.3 traps ?
  WORD     SNMPv1/v2c community string or SNMPv3 user name
  version  SNMP version to use for notification messages
MLS_1(config)#snmp-server host 10.1.1.3 traps version ?
  1   Use SNMPv1
  2c  Use SNMPv2c
  3   Use SNMPv3
MLS_1(config)#snmp-server host 10.1.1.3 traps version 3 ?
  auth    Use the SNMPv3 authNoPriv Security Level
  noauth  Use the SNMPv3 noAuthNoPriv Security Level
  priv    Use the SNMPv3 authPriv Security Level
MLS_1(config)#snmp-server host 10.1.1.3 traps version 3 priv ?
  WORD  SNMPv1/v2c community string or SNMPv3 user name
MLS_1(config)#snmp-server host 10.1.1.3 traps version 3 priv CHRIS ?
  <about 45 options, too many to list here>
  <cr>
MLS_1(config)#snmp-server host 10.1.1.3 traps version 3 priv CHRIS

The user named here (CHRIS) is the one whose authentication and privacy keys protect the trap, so the security level you pick for the host should match the level the user was created with.

Service Level Agreements

During your Frame Relay studies in your CCNA days, you were introduced to the Committed Information Rate (CIR). The CIR is basically a guarantee given to the customer by the Frame Relay service provider, where the provider says "For X dollars, we guarantee you'll get Y amount of bandwidth. You may get more, but we guarantee you won't get less." Given that guarantee of minimum performance, the customer can then plan the WAN appropriately.

The SLA is based on the concept of minimum, guaranteed performance. It can be much like the CIR, where a service provider guarantees a certain level of overall network uptime and performance, but this agreement is between different parties, or it can be between the internal clients of a company and the network team at that same company. The SLA can involve just about any quality-measurable value in your network, from available bandwidth and acceptable levels of jitter in voice networks, to DNS lookup time, to trouble notification and resolution time. Here's a sneak peek of the available tests:

MLS_1(config)#ip sla 5
MLS_1(config-ip-sla)#?
IP SLAs entry configuration commands:
  dhcp         DHCP Operation

  dns          DNS Query Operation
  exit         Exit Operation Configuration
  ftp          FTP Operation
  http         HTTP Operation
  icmp-echo    ICMP Echo Operation
  path-echo    Path Discovered ICMP Echo Operation
  path-jitter  Path Discovered ICMP Jitter Operation
  tcp-connect  TCP Connect Operation
  udp-echo     UDP Echo Operation
  udp-jitter   UDP Jitter Operation
  video        Video Operation

An SLA setup consists of a source and a responder. To kick off the festivities, the source sends control packets to the responder via UDP port 1967 in an attempt to create a control connection similar to that in FTP. This connection isn't the actual SLA test, but is an agreement on the rules of communication. In this case, the rules sent to the responder are the port number to be listened to during the test and the time limit on that listening. Should the responder be kind enough to agree, it'll send a message back to the source indicating the same, and then the responder starts listening on the indicated port. (If the responder doesn't agree, it'll send a message back indicating that decision, and our story ends prematurely.)

We now go from controlling to probing, as the source sends test packets to the responder. The source wants to see if the packets are echoed back and how long the overall process takes. The responder adds timestamps to those packets both as the packets are accepted and as they are returned. This gives the sender a better idea of the time the responder took to process the packets as well as the overall round-trip time. (Of course, this timestamping only helps if the devices have synched time. NTP, anyone?)

Let's tackle an SLA lab! MLS_1 will be the SLA source, with ROUTER_3 serving as the responder. Here are the first options for the ip sla command:

MLS_1(config)#ip sla ?
  <1-2147483647>          Entry Number
  enable                  Enable Event Notifications
  group                   Group Configuration or Group Scheduling
  key-chain               Use MD5 Authentication for IP SLAs Control Messages
  logging                 Enable Syslog
  low-memory              Configure Low Water Memory Mark
  reaction-configuration  IP SLAs Reaction-Configuration
  reaction-trigger        IP SLAs Trigger Assignment

1. using 10. we’ll leave those alone here.1.D Destination IP address or hostname.1. 345 . Since we only have one path from source to responder. Source Interface (ingress icmp packet interface) Source Address MLS _ 1(config-ip-sla)#icmp-echo 10. broadcast disallowed MLS _ 1(config-ip-sla)#icmp-echo 10.3 MLS _ 1(config-ip-sla-echo)#? IP SLAs Icmp Echo Configuration Commands: MLS _ 1(config)#ip sla 5 MLS _ 1(config-ip-sla)#? IP SLAs entry configuration commands: dhcp DHCP Operation dns DNS Query Operation exit Exit Operation Configuration ftp FTP Operation http HTTP Operation icmp-echo ICMP Echo Operation path-echo Path Discovered ICMP Echo Operation path-jitter Path Discovered ICMP Jitter Operation tcp-connect TCP Connect Operation udp-echo UDP Echo Operation udp-jitter UDP Jitter Operation video Video Operation default Set a command to its defaults exit Exit operation configuration frequency Frequency of an operation history History and Distribution Data no Negate a command or set its defaults owner Owner of Entry request-data-size Request data size tag User defined tag threshold Operation threshold in milliseconds timeout Timeout of an operation tos Type Of Service verify-data Verify data vrf Configure IP SLAs for a VPN Routing/Forwarding instance MLS _ 1(config-ip-sla-echo)#frequency ? <1-604800> MLS _ 1(config-ip-sla)#icmp-echo ? Frequency in seconds MLS _ 1(config-ip-sla-echo)#frequency 60 Hostname or A.1.3 as the target of the test.1. We’ll then choose the icmp-echo test. and accepting that value drops us into SLA entry config mode.1.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 .1. where I’ll set a frequency of 60 seconds between tests. we get to schedule this sucker! I’ll use IOS Help to show you the options and then start the test immediately.B.C.1.3 ? 344 Finally.3 We then drop into SLA ICMP Echo config mode (!). Note the option to configure the source interface and IP address – those options can come in handy in larger networks. 
Note the option to grant the test eternal life. That also happens to be the default! MLS _ 1(config-ip-sla)#icmp-echo 10.115 S T U DY G U I D E C H R I S B R YA N T read Read data for use with IP SLA source-interface reset IP SLAs Reset source-ip responder Enable IP SLAs Responder <cr> restart Restart An Active Entry schedule Entry Scheduling We’ll go with SLA entry number 5.

MLS_1(config)#ip sla schedule ?
  <1-2147483647>  Entry number
MLS_1(config)#ip sla schedule 5 ?
  ageout      How long to keep this Entry when inactive
  life        Length of time to execute in seconds
  recurring   Probe to be scheduled automatically every day
  start-time  When to start this entry
  <cr>
MLS_1(config)#ip sla schedule 5 life ?
  <0-2147483647>  Life seconds (default 3600)
  forever         continue running forever
MLS_1(config)#ip sla schedule 5 start-time ?
  after     Start after a certain amount of time from now
  hh:mm     Start time (hh:mm)
  hh:mm:ss  Start time (hh:mm:ss)
  now       Start now
  pending   Start pending
MLS_1(config)#ip sla schedule 5 start-time now

Verify your config with show ip sla config. I'll show you the entire output here, and the most important info to us is near the top. The default life is 3600 seconds; this output shows the configured value, and we'll see it ticking away in the statistics.

MLS_1#show ip sla config
IP SLAs Infrastructure Engine-III
Entry number: 5
Owner:
Tag:
Operation timeout (milliseconds): 5000
Type of operation to perform: icmp-echo
Target address/Source address: 10.1.1.3/0.0.0.0
Type Of Service parameter: 0x0
Request size (ARR data portion): 28
Verify data: No
Vrf Name:
Schedule:
   Operation frequency (seconds): 60  (not considered if randomly scheduled)
   Next Scheduled Start Time: Start Time already passed
   Group Scheduled : FALSE
   Randomly Scheduled : FALSE
   Life (seconds): 3600
   Entry Ageout (seconds): never
   Recurring (Starting Everyday): FALSE
   Status of entry (SNMP RowStatus): Active
Threshold (milliseconds): 5000
Distribution Statistics:
   Number of statistic hours kept: 2
   Number of statistic distribution buckets kept: 1
   Statistic distribution interval (milliseconds): 20
Enhanced History:
History Statistics:
   Number of history Lives kept: 0
   Number of history Buckets kept: 15
   History Filter Type: None

To view SLA statistics, run show ip sla statistics. I ran the command twice, and we can see that the tests are running a minute apart and they've both been successful.

MLS_1#show ip sla stat
IPSLAs Latest Operation Statistics

IPSLA operation id: 5
Latest RTT: 1 milliseconds

Latest operation start time: 06:11:35 EST Thu Mar 26 2015
Latest operation return code: OK
Number of successes: 1
Number of failures: 0
Operation time to live: 3552 sec

MLS_1#show ip sla stat
IPSLAs Latest Operation Statistics

IPSLA operation id: 5
Latest RTT: 1 milliseconds
Latest operation start time: 06:12:35 EST Thu Mar 26 2015
Latest operation return code: OK
Number of successes: 2
Number of failures: 0
Operation time to live: 3528 sec

An interesting thing about SLA tests: you can't edit one that's in progress. I tried to go back and set this test to live forever rather than time out, and here's what happened:

MLS_1(config)#ip sla 5
Entry already running and cannot be modified
(only can delete (no) and start over)
(check to see if the probe has finished exiting)

It's always something!

Hey, did you notice I never configured anything on the responder? Since I was running a simple ICMP echo test, I didn't need to, since I know the responder can handle pinging. For some of those other tests, though, you may need ip sla responder. It doesn't hurt anything to enable SLA capabilities for the simpler tests, but on a production device pair it with the key chain shown next, since an unauthenticated responder will act on control messages from any source.

ROUTER_3(config)#ip sla responder

We can secure our SLA config with a key chain and the ip sla key-chain command, which adds MD5 authentication to the control messages exchanged on UDP port 1967. The key chain must match on both the source and the responder:

ROUTER_3(config)#key chain CCNP
ROUTER_3(config-keychain)#key 1
ROUTER_3(config-keychain-key)#key-string SPIDERS
ROUTER_3(config)#ip sla key-chain CCNP

MLS_1(config)#key chain CCNP
MLS_1(config-keychain)#key 1
MLS_1(config-keychain-key)#key-string SPIDERS
MLS_1(config)#ip sla key-chain CCNP

Just one more SLA thing… I want to show you what the statistics output looks like when something's gone wrong. Here, I shut down ROUTER_3's port that leads to the switch. Here's the result of the very next echo test:

MLS_1#show ip sla stat
IPSLAs Latest Operation Statistics

IPSLA operation id: 5
Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: 06:53:35 EST Thu Mar 26 2015
Latest operation return code: Timeout
Number of successes: 42
Number of failures: 1
Operation time to live: 1024 sec

After reopening the interface, the successes start incrementing again!

MLS_1#show ip sla stat
IPSLAs Latest Operation Statistics

IPSLA operation id: 5
Latest RTT: 1 milliseconds

that is). This is sometimes mand aaa new-model. it also overrides every previously configured authentication method for the router lines – especially the vty lines! 351 . That AAA might sound like a good thing.3 key CCNP developed by the IETF. Authentication is the process of deciding if a given user should be allowed to access the net- running the other. configured. As a CCNA and future CCNP.1. AAA must first be enabled with the global com- tication in the form of a local database of usernames and passwords.1. but it makes it very difficult to run one process without Those As stand for authentication. it’s likely you’ll turn to one of the following protocols for your AAA deployment. where RADIUS encrypts only the password in the Number of failures: 1 initial client-server packet. Each “A” is a separate function and requires separate configuration. authorization. let’s look at each “A” and see exactly what’s going on with each. We do need to concern ourselves with Latest operation return code: OK these differences between TACACS+ and RADIUS: Number of successes: 43 TACACS+ encrypts the entire packet. that is) originally MLS _ 1(config)#tacacs-server host 10. MLS _ 1(config)#aaa new-model RADIUS.1. The location of the TACACS+ and/or RADIUS server must then be called a self-contained AAA deployment. Before we deal with configs though. since no external device is involved. work (or network service).1. TACACS+ runs each “A” as a separate process. TACACS+. an open-standard UDP-based protocol (ports 1812 and 1813. a Cisco-proprietary TCP-based protocol (port 49. TACACS was the original version of the protocol and is rarely used today.115 S T U DY G U I D E C H R I S B R YA N T Latest operation start time: 06:54:35 EST Thu Mar 26 2015 don’t have to concern ourselves with that version. RADIUS cannot control the authorization level of users. MLS _ 1(config)#radius-server host 10. along with a shared encryption key that must be agreed upon by both client and server. 
and accounting. allowing another method of authentication to be used while still using TACACS+ for authorization and/ or accounting.5 key CCIE You just might be asking yourself what happened to the original TACACS if we’re now using TACACS+. so we 350 aaa new-model not only enables AAA.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 . As your network grows and you need a more scalable authentication scheme. but TACACS+ can. Operation time to live: 989 sec RADIUS actually combines the authentication and authorization processes. you’ve already configured authen- Regardless of the “A” you’re configuring.
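To make the “RADIUS encrypts only the password” point concrete, here is an added Python example (mine, not code from the study guide or from Cisco) that builds a minimal RADIUS Access-Request and hides the User-Password attribute the way RFC 2865 section 5.2 describes. The shared secret CCIE and the user bruno/wwwf are the sample values from this chapter’s configs; the 16-byte Request Authenticator is a constructed constant, whereas a real client draws it at random for every request. Notice that the User-Name attribute goes out in the clear and that anyone holding the shared secret can reverse the hiding, which is why the secret, and the network path between switch and server, deserve the same care as a password.

```python
import hashlib
import struct

# Sample values: the shared secret and user are the ones from this chapter's configs
# (radius-server host 10.1.1.5 key CCIE; username bruno password wwwf). The Request
# Authenticator is a constructed constant here; a real client draws 16 random bytes per request.
SHARED_SECRET = b"CCIE"
REQUEST_AUTHENTICATOR = bytes(range(16))

ACCESS_REQUEST = 1   # RADIUS Code field value for Access-Request
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 bytes, then
    XOR each 16-byte block with MD5(secret + previous output block), seeded with the
    Request Authenticator. Only this one attribute is protected; nothing else is."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden, secret, authenticator):
    """The server side: recompute the same MD5 chain and XOR it back out.
    Anyone who knows the shared secret can do this, which is why the secret matters."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")  # strips the padding (and any real trailing NULs)


def build_access_request(username, password, secret, authenticator, identifier=1):
    """Minimal Access-Request: Code(1) Identifier(1) Length(2) Authenticator(16), then
    User-Name and User-Password attributes in type-length-value form."""
    hidden = hide_password(password, secret, authenticator)
    attrs = (bytes([ATTR_USER_NAME, 2 + len(username)]) + username
             + bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden)
    length = 20 + len(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator + attrs


def username_is_cleartext(packet, username):
    """True when the raw packet bytes still contain the username: RADIUS does not hide it."""
    return username in packet


if __name__ == "__main__":
    pkt = build_access_request(b"bruno", b"wwwf", SHARED_SECRET, REQUEST_AUTHENTICATOR)
    print(pkt.hex())
    print("username visible on the wire:", username_is_cleartext(pkt, b"bruno"))
    # the User-Password value is the last 16 bytes of this two-attribute packet
    print("server recovers:", reveal_password(pkt[-16:], SHARED_SECRET, REQUEST_AUTHENTICATOR))
```

Run it and compare the hex dump with the plaintext: the five bytes of “bruno” are right there after the 20-byte header, while “wwwf” is not. That asymmetry is the whole difference from TACACS+, which encrypts the entire body after its header.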

We have our TACACS+ server at 10.1.1.3 and our RADIUS server at 10.1.1.5, with the switch configured as a client of both. We now need to determine which servers will be used for authentication, and in what order, with aaa authentication.

We have to create either a named authentication list or a default list that will be used for all authentications that don’t reference a named list. Let’s have a look at the options.

MLS_1(config)#aaa authentication login ?
  WORD     Named authentication list (max 31 characters, longer will be rejected).
  default  The default authentication list.

We’ll go with the default list.

MLS_1(config)#aaa authentication login default ?
  cache          Use Cached-group
  enable         Use enable password for authentication.
  group          Use Server-group
  krb5           Use Kerberos 5 authentication.
  krb5-telnet    Allow logins only if already authenticated via Kerberos V Telnet.
  line           Use line password for authentication.
  local          Use local username authentication.
  local-case     Use case-sensitive local username authentication.
  none           NO authentication.
  passwd-expiry  enable the login list to provide password aging support

Some choices might surprise you! We can configure authentication to use the enable password, and we could also use a line password, instead of using the local database. The local and local-case options allow us to use the local username/password database. A quick review on how to build one of those:

MLS_1(config)#username bruno password wwwf
MLS_1(config)#username thesz password nwa
MLS_1(config)#username gagne password awa

If you don’t see those TACACS+ and RADIUS options in the above config, there’s a good reason – they’re not there! To use TACACS+ or RADIUS in aaa authentication, choose group and all will be revealed!

MLS_1(config)#aaa authentication login default group ?
  WORD     Server-group name
  ldap     Use list of all LDAP hosts.
  radius   Use list of all Radius hosts.
  tacacs+  Use list of all Tacacs+ hosts.

I’ll go with TACACS+ and then check the options. The tacacs+ choice is legal, and this command is fine on its own – but why do I have the option to list more authentication choices?

MLS_1(config)#aaa authentication login default group tacacs+ ?
  cache       Use Cached-group
  enable      Use enable password for authentication.
  group       Use Server-group
  krb5        Use Kerberos 5 authentication.
  line        Use line password for authentication.
  local       Use local username authentication.
  local-case  Use case-sensitive local username authentication.
  none        NO authentication.
  <cr>

Hmm, including “none”? You’re likely wondering why the heck “none” is an AAA authentication option. After all, are we doing all this work just to have no authentication? In some cases – yes!

It’s always a good idea to list at least one authentication method that doesn’t require an external device. That way, if the external devices aren’t available, you can still authenticate! Some admins like to use none at the end of their authentication method list, so no authentication is necessary if the external servers are down. The enable password is also a good choice.

We can actually name up to four methods, and they’ll be used in the order listed, from left to right. The following statement lists TACACS+ as the first method, a line password second, the local database third, and finally, the enable password. IOS Help will not show me the remaining options since my statement is already at the legal limit. If you try to add a fifth method, as I did below, the IOS will not let you enter it – IOS Help won’t even show you the remaining options once you hit four!

MLS_1(config)#$ication login default group tacacs+ line local enable ?
  <cr>

Let’s go back to an aaa authentication line with just one method listed. In this line, TACACS+ will be the first authentication method used. If the TACACS+ authentication attempt times out or an error is encountered, the next method we choose in this line will be used. If TACACS+ actively refuses the authentication attempt, the second method is not used. That’s the end of the authentication try!

MLS_1(config)#aaa authentication login default group tacacs+ group radius local

This authentication method list will try our defined TACACS+ server first, then our RADIUS server, and will then use the local username/pw database if those servers are unavailable or return errors.

Finally, apply the authentication method list to the appropriate lines with login authentication. I’ll apply the default list to the switch’s VTY lines.

MLS_1(config)#line vty 0 15
MLS_1(config-line)#login authentication ?
  WORD     Use an authentication list with this name.
  default  Use the default authentication list.

And that’s that! However, here’s the most important rule of this entire section. Always leave yourself a back door to get in, and always stay logged in while you test your authentication setup with a separate connection. You don’t want to log out and then find out you can’t log back in!
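Here is an added Python model (my example, not the guide’s or Cisco’s code) of the method-list rules just described: methods are tried left to right, an unreachable or erroring server moves the switch on to the next method, and an explicit refusal ends the attempt. The server behaviours are constructed stand-ins for the TACACS+ and RADIUS servers at 10.1.1.3 and 10.1.1.5, the username database is the one built above, and the method-list parser enforces the same four-method limit. The last two scenarios show what the back-door rule protects against: with a servers-only list and both servers down, nobody gets in, and with none at the end, everybody does.

```python
from enum import Enum

MAX_METHODS = 4  # IOS accepts at most four methods on one aaa authentication line


class Result(Enum):
    PASS = "pass"    # the method accepted the credentials
    FAIL = "fail"    # the method was reachable and refused the credentials
    ERROR = "error"  # server unreachable, timed out, or returned an error


def parse_method_list(text):
    """'group tacacs+ group radius local' -> ['group tacacs+', 'group radius', 'local'].
    Raises if a fifth method is listed, as the switch does."""
    tokens, methods, i = text.split(), [], 0
    while i < len(tokens):
        if tokens[i] == "group":
            if i + 1 >= len(tokens):
                raise ValueError("'group' needs a server-group name")
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    if len(methods) > MAX_METHODS:
        raise ValueError(f"at most {MAX_METHODS} methods allowed, got {len(methods)}")
    return methods


def local_check(db, creds, case_sensitive):
    """'local' ignores username case, 'local-case' does not; passwords always match exactly."""
    if case_sensitive:
        stored = db.get(creds["username"])
    else:
        stored = {u.lower(): p for u, p in db.items()}.get(creds["username"].lower())
    return Result.PASS if stored is not None and stored == creds["password"] else Result.FAIL


def authenticate(methods, creds, servers, local_db, enable_secret=None, line_password=None):
    """Evaluate a method list IOS-style. Returns (outcome, deciding method).
    ERROR falls through to the next method; PASS or FAIL ends the attempt."""
    for method in methods:
        if method.startswith("group "):
            server = servers.get(method.split()[1])
            result = server(creds) if server is not None else Result.ERROR
        elif method == "local":
            result = local_check(local_db, creds, case_sensitive=False)
        elif method == "local-case":
            result = local_check(local_db, creds, case_sensitive=True)
        elif method == "enable":
            result = Result.PASS if creds["password"] == enable_secret else Result.FAIL
        elif method == "line":
            result = Result.PASS if creds["password"] == line_password else Result.FAIL
        elif method == "none":
            result = Result.PASS
        else:
            raise ValueError(f"unsupported method {method!r}")
        if result is Result.ERROR:
            continue
        return result, method
    return Result.ERROR, None  # every method errored: the login is not granted


# Constructed stand-ins for the guide's servers at 10.1.1.3 (TACACS+) and 10.1.1.5 (RADIUS)
def server_down(creds):
    return Result.ERROR


def server_rejects(creds):
    return Result.FAIL


def radius_knows_bruno(creds):
    return Result.PASS if (creds["username"], creds["password"]) == ("bruno", "wwwf") else Result.FAIL


LOCAL_DB = {"bruno": "wwwf", "thesz": "nwa", "gagne": "awa"}  # the guide's username database
BRUNO = {"username": "bruno", "password": "wwwf"}


def scenarios():
    """Outcomes for the default list 'group tacacs+ group radius local' and two risky variants."""
    default_list = parse_method_list("group tacacs+ group radius local")
    return {
        "tacacs down, radius answers": authenticate(
            default_list, BRUNO, {"tacacs+": server_down, "radius": radius_knows_bruno}, LOCAL_DB),
        "tacacs refuses (local never consulted)": authenticate(
            default_list, BRUNO, {"tacacs+": server_rejects, "radius": radius_knows_bruno}, LOCAL_DB),
        "both servers down, local saves the day": authenticate(
            default_list, BRUNO, {"tacacs+": server_down, "radius": server_down}, LOCAL_DB),
        "servers only, both down: locked out": authenticate(
            parse_method_list("group tacacs+ group radius"), BRUNO,
            {"tacacs+": server_down, "radius": server_down}, LOCAL_DB),
        "none at the end, servers down: anyone gets in": authenticate(
            parse_method_list("group tacacs+ none"), {"username": "anyone", "password": "x"},
            {"tacacs+": server_down}, LOCAL_DB),
    }


if __name__ == "__main__":
    for name, (outcome, method) in scenarios().items():
        print(f"{name:48s} -> {outcome.value:5s} via {method}")
```

The second scenario is the one people get wrong: a refusal from the TACACS+ server is final, and the perfectly good local entry for bruno is never consulted. Only a timeout or error moves the switch down the list, which is exactly why a list that ends in a local method keeps you logged in when the servers are down but not when they say no.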

MLS_1(config-line)#login authentication default ?
  <cr>
MLS_1(config-line)#login authentication default

And now… a word to the wise.

Don’t Get Cute

Don’t get cute with passwords. Never set a password that you don’t want to say out loud at a meeting, particularly a meeting with high-ranking sensitive folk. (Didn’t happen to me, but I was there to see it.)

Another time not to get cute is when you’re naming an AAA authentication list. When you give something a name on a router or switch, don’t use a word already in the command!

MLS_1(config)#aaa authentication login tacacs+ group tacacs+ local

Ugly.

MLS_1(config)#aaa authentication login radius group tacacs+ local

Real ugly.

Above all, don’t call it login, tacacs+, radius, or group, because then you end up with one of these:

MLS_1(config)#aaa authentication login login group tacacs+ local
MLS_1(config)#aaa authentication login group group tacacs+ local

Don’t get cute. At the very least, make the name intuitive. For some reason, admins like to use PASSWORD for the name of the AAA list, resulting in this command:

MLS_1(config)#aaa authentication login PASSWORD group tacacs+ local

That command confuses the uninitiated.

Authorization

While authentication decides whether a given user should be allowed into our network, authorization dictates what users can do once they’re in. aaa authorization creates a user profile that’s checked when a user attempts to use a particular command or service.

As with authentication, AAA must be enabled with aaa new-model if you haven’t already done so! We did just that in the last lab, along with defining the RADIUS and TACACS+ server IP addresses, so we’ll dive straight into the authorization options. We’ll have the option of creating a default list or a named list – and as always, make the name intuitive.

MLS_1(config)#aaa authorization ?
  auth-proxy           For Authentication Proxy Services
  cache                For AAA cache configuration
  commands             For exec (shell) commands.
  config-commands      For configuration mode commands.
  configuration        For downloading configurations from AAA server
  console              For enabling console authorization
  credential-download  For downloading EAP credential from Local/RADIUS/LDAP
  exec                 For starting an exec (shell).
  multicast            For downloading Multicast configurations from server
  network              For network services. (PPP, SLIP, ARAP)
  policy-if            For diameter policy interface application.
  prepaid              For diameter prepaid services.
  radius-proxy         For proxying radius packets
  reverse-access       For reverse access connections
  subscriber-service   For iEdge subscriber services (VPDN etc)
  template             Enable template authorization

MLS_1(config)#aaa authorization exec ?
  WORD     Named authorization list (max 31 characters, longer will be rejected).

  default  The default authorization list.

If you’re dealing with PPP (or ARAP or SLIP for that matter), go with the network option. Watch the commands and config-commands options, though – the first means the user must be authorized to run any command, while the second limits authorization to the use of configuration commands.

MLS_1(config)#aaa authorization exec default ?
  cache             Use Cached-group
  group             Use server-group.
  if-authenticated  Succeed if user has authenticated.
  krb5-instance     Use Kerberos instance privilege maps.
  local             Use local database.
  none              No authorization (always succeeds).

Also note the if-authenticated option. If the user’s already authenticated, that method will (obviously) consider the user authorized.

Frankly, I could write a whole book solely on the many different aaa authorization combinations, so we’re not going to walk through every single one, but I do want to show you a sample command on the switch.

MLS_1(config)#aaa authorization exec default group tacacs+ local

Apply the authorization list to the appropriate lines with authorization.

MLS_1(config)#line vty 0 15
MLS_1(config-line)#authorization ?
  arap            For Appletalk Remote Access Protocol
  commands        For exec (shell) commands
  exec            For starting an exec (shell)
  reverse-access  For reverse telnet connections
MLS_1(config-line)#authorization commands ?
  <0-15>  Enable level
MLS_1(config-line)#authorization exec ?
  WORD     Use an authorization list with this name
  default  Use the default authorization list
MLS_1(config-line)#authorization exec default

Accounting

Authentication decides who gets in and who doesn’t, authorization decides what users can do once they get in, and accounting tracks the resources used by that user, both when they start and stop. This tracking can be for security purposes (detecting users doing things they shouldn’t be doing!) or for tracking network usage in order to bill other departments in your company.

Naturally, AAA must be enabled before proceeding with accounting. We’re not going to spend much time on accounting, so let’s walk straight through one sample command on the switch.

MLS_1(config)#aaa accounting commands ?
  <0-15>  Enable level
MLS_1(config)#aaa accounting commands 1 ?
  WORD     Named Accounting list (max 31 characters, longer will be rejected).
  default  The default accounting list.

This line would give us info on users who use commands while in privilege level 1. Getting that same info for privilege level 15 would be easy enough – just replace the “1” with “15”.

MLS_1(config)#aaa accounting commands 1 default ?
  none        No accounting.
  start-stop  Record start and stop without waiting
  stop-only   Record stop when service terminates.
  <cr>
MLS_1(config)#aaa accounting commands 1 default start-stop ?
  broadcast  Use Broadcast for Accounting

  group      Use Server-group
MLS_1(config)#aaa accounting commands 1 default start-stop group ?
  WORD     Server-group name
  tacacs+  Use list of all Tacacs+ hosts.
MLS_1(config)#aaa accounting commands 1 default start-stop group tacacs+ ?
  <cr>
MLS_1(config)#aaa accounting commands 1 default start-stop group tacacs+

AAA supports six different accounting formats:

Commands: Information regarding EXEC mode commands issued by a user.

Connection: Information regarding all outbound connections made from a network access server.

EXEC: Information about user EXEC terminal sessions.

Network: Info on all PPP, ARAP, and SLIP sessions.

Resource: Info regarding start and stop records for calls passing authentication, and stop records for calls that fail authentication.

System: Non-user-related system-level events.

Chapter 11: NETWORK DESIGN AND MODELS

Blunt as always: This isn’t the most exciting material in the course. Having said that, it is very important material, so grab some caffeine and let’s dive right in!

During your CCNA studies, your only responsibility concerning the Cisco 3-Layer Hierarchical Model was memorizing the layers and their location. The stakes are raised in your CCNP studies, as we need to know what should and should not occur at each layer. We’ll start this section with a review of the model, and then delve into each layer in detail.

The Core Layer

The core layer is the backbone of our entire network, so we’re interested in high-speed data transfer, very low latency, and that’s it! As you know, everything we do on a Cisco router or switch takes away from overall switch resources, and we want the core layer to be concerned strictly with switching, so we’ll leave most frame manipulation and filtering to other layers. It’s vital that we keep extra, non-switching features off the core layer and let these switches do what they do best – switch.

Core layer switches are generally the most powerful in your network, capable of higher throughput than switches found at the other layers. Switches at the core layer allow distribution-layer switches to communicate, and should be used as such. This is the nerve center of your entire network. We always want redundancy, but we want a lot of redundancy in the core layer, so fault tolerance should be at the highest level possible.

Leave your ACLs and other traffic filtering methods for other layers of this model. With networking though, you know there’s an exception to that rule, and that exception is Quality of Service (QoS). Advanced QoS is generally performed at the core layer.

Today’s core switches are generally the multilayer switches we’ve worked with throughout this course. When multilayer switches are in use, routing should take place at the distribution layer. The access layer’s too busy with end users to handle routing.

The Distribution Layer

Not all the work is done at the core layer! The demands on distribution-level switches are very high, so not only do the distribution-level switches need high-speed ports and links, they have to have quite a few in order to connect to both the access- and core-layer switches. Distribution-layer switches must be able to handle redundancy for all links. Redundancy is important at this layer (of course! It’s important everywhere!). The distribution layer also serves as a boundary for broadcasts and multicasts sent by access-layer devices. While QoS is configured at the core layer when possible, you’ll find it in the distribution layer as well.

The Access Layer

Here’s where the end users communicate with the network! VLAN membership, traffic filtering, and some basic QoS features all run here. Collision domains are found at the access layer, and MAC address filtering can be performed here as well. (MAC filtering is a pain to configure, although hopefully there are other ways to get the job done that you need done.) The access-layer switches will have their uplinks connecting to our distribution-level switches.

A good rule of thumb for access-layer switches is “low cost, high switchport-to-user ratio”. Today’s sufficient port density is tomorrow’s “Where the $%)$ am I gonna plug this user in?” I kid you not. A 12-port switch might be fine for your needs at present, but a month from now you’ll wish you had bought a larger switch with more ports, and you must plan for future network growth. Examine your network topology closely and check vendor documentation before making purchasing decisions. Be sure to examine your network’s requirements and review the documentation on switch models carefully before making your purchase. It’s a lot easier to get everything you need when you’re buying than to go back and try to add it later.

The Enterprise Composite Network Model

Before we dive into this topic, I want to remind you that network models are guidelines. That’s particularly true of the Enterprise Composite Network Model, a very popular model used to design campus networks. (A campus network is basically a series of LANs interconnected via a network backbone.)

The Enterprise Composite Network Model has three main parts:

The Enterprise Campus
The Enterprise Edge
The Service Provider Edge

In turn, the Enterprise Campus consists of these modules:

Campus Infrastructure
Server Farm
Network Management
Enterprise Edge (yes, again)

In turn again, the Campus Infrastructure model consists of these modules:

Building Access (access-layer devices)
Building Distribution (distribution-layer devices)
Campus Backbone (Interconnects multiple Distribution modules)

Switch Block and Core Block

Switch blocks are units of access-layer and distribution-layer devices. Devices in a switch block work together to bring network access to a unit of the network, such as a single building on a college campus or business park. The number of LANs involved and the physical layout of the buildings as a unit and individually – these are just two important factors involved. Our access- and distribution-layer switches are both found in this model’s Switch Block. These layers contain both the traditional L2 switches (found at the access layer) and multilayer switches, typically found in the distribution layer.

Core blocks naturally consist of our high-powered core switches, and these core blocks allow the switch blocks to communicate. The Core Block serves as the campus backbone, allowing switches in one Switch Block to communicate with switches in the other Switch Block. This is a tremendous responsibility, and it’s the major reason I continue to mention that the access and distribution layers should handle many of the network services, leaving the core switches free to use all their resources to switch.

Let’s take a look at a typical campus network and see how these block types work together.

All four distribution-layer switches have connections to both switches in the Core Block, giving us as much redundancy as this topology can offer. As you’d expect, if one of the core switches goes down, we still have total connectivity. We love this setup, especially the dual core.

Reality does rear its ugly head on occasion, and that occasion may be not having the money to afford a setup like this. Smaller networks (and admins on a tight budget!) can use a collapsed core setup, where certain switches will perform as both core- and distribution-layer switches. In a collapsed core, there is no dedicated core switch. These models are strictly guidelines, and there’s no one right way to design an enterprise network. Helpful guidelines, but guidelines nonetheless.

The four multilayer switches are working as both core-layer and distribution-layer switches. Note that each of the access switches has redundant uplinks to both distribution/core switches in its switch block. The combination of access, distribution, and core layers shown here is sometimes called the Campus Infrastructure.

This is a relatively small campus network, but you already have a good idea of the sheer workload the core switches will be handling. The distribution-layer switches again have redundant connections to the core switches. Our core switches have even more work to do now, but we’re not quite done yet.

In a campus network, the server farm block is a separate switch block, complete with access- and distribution-layer switches. There are times when we’ve wanted to throw a server or two (or twelve) straight out the window, but we’re not going to have much of a network without them.

In today’s world, network management tools are a necessity. AAA servers, syslog servers, intruder detection tools, and network monitoring tools are found in almost every campus network today. All of these devices can be placed in a switch block of their own, the network management block.

Two blocks will team up to bring our users that all-important Internet connectivity – the Enterprise Edge Block and the Service Provider Edge Block.

The Enterprise Edge Block is naturally found at the edge of the campus network, and this block of routers and switches brings WAN connectivity to the rest of the campus network. This level of access is more of a necessity than a luxury today.

While the Service Provider Edge Block is considered part of the campus network model, we have no control over the actual structure of the block. And frankly, we don’t care! The key is that this block borders the Enterprise Edge Block, and it’s the final piece of the Internet connectivity puzzle for our campus network.

With all the lines leading to the core switches, it’s easy to see why we want to dedicate as much of the switches’ capabilities to pure switching – the workload is huge!

End-to-End And Local VLANs

“Oh no, not more VLANs!” Hey, I hear you. Well, shoot, these two VLAN types do fit in with our design chat, so let’s spend a few minutes with each type…

As you’d expect from the name, end-to-end VLANs span the entire network. A user is assigned to a single VLAN, and that VLAN will remain the same no matter where the user is. The physical location of the user doesn’t matter. ETE VLANs must be accessible on every access-layer switch in order to accommodate mobile users. The very nature of an end-to-end VLAN and the fact that it spans the entire network makes working with one a challenge.

ETE VLANs should be designed with the 80/20 rule in mind, where 80% of the local traffic stays within the local area, and the other 20% will traverse the network core en route to a non-local destination. Many of today’s networks don’t lend themselves well to this type of VLAN, so 80/20 traffic patterns are becoming increasingly rare. The following network diagram is very simple, but even this network would be difficult to configure with ETE VLANs when the hosts need Internet connectivity or Cloud access.

ETE VLANs can come in handy as a security tool, or when the hosts have similar resource requirements – for example, if you had certain hosts across the network that needed access to a particular network resource, but you didn’t want your other hosts to even know of the existence of that resource.

Physical location is unimportant in ETE VLANs, but users are grouped by location in Local VLANs. Local VLANs use the 20/80 rule, assuming that 20% of traffic is local in scope and the other 80% will cross the network core.

That’s it! The end of the book! Thanks for reading, and I wish you all the best on your CCNP SWITCH exam and in your future studies.

Chris B.