CHRIS BRYANT’S

CCNP
SWITCH 300-115 STUDY GUIDE

Chris Bryant


Chris Bryant, CCIE #12933
“The Computer Certification Bulldog”
Copyright © 2015 The Bryant Advantage, Inc.
All rights reserved.
Disclaimers and Legal Notices:
Copyright © The Bryant Advantage, 2015.
All rights reserved. This book or any portion thereof may not be reproduced or used in any manner whatsoever
without the express written permission of the publisher, except for the use of brief quotations in a book review.
No part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including
but not limited to photocopy, photograph, magnetic, or other record, without the prior agreement and written
permission of the publisher.
The Bryant Advantage, Inc., has attempted throughout this book to distinguish proprietary trademarks from
descriptive terms by following the capitalization style used by the manufacturer. Copyrights and trademarks of all
products and services listed or described herein are property of their respective owners and companies. All rules
and laws pertaining to said copyrights and trademarks are inferred.
This study guide is intended to prepare candidates for Cisco’s CCNP SWITCH 300-115 certification exam. The
book has been made as accurate and complete as possible. No warranty or fitness is inferred or implied. Neither the
author nor The Bryant Advantage, Inc. has liability or responsibility to any entity or individual regarding loss or
damage arising from the use of this book. Passing the CCNP SWITCH exam is not guaranteed in any fashion.
The terms CCIE, CCNP, CCNA, Cisco IOS, Cisco Systems, IOS, and StackWise are all registered trademarks of Cisco
Systems, Inc. As always, no challenge to any trademark or copyright is intended in any of my books or video-based
courses.
ISBN-10: 1517351227
ISBN-13: 9781517351229

Table of Contents

Chapter 1   Switching Fundamentals ... 1
Chapter 2   The When, Where, and How Of VLANs ... 22
Chapter 3   Trunking ... 40
Chapter 4   The VLAN Trunking Protocol (VTP) ... 63
Chapter 5   The Fundamentals Of STP ... 83
Chapter 6   STP -- Advanced Features and Versions ... 123
Chapter 7   Etherchannels ... 157
Chapter 8   Multilayer Switching And High Availability Protocols ... 172
Chapter 9   Securing The Switches ... 238
Chapter 10  Monitoring The Switches ... 319
Chapter 11  Network Design And Models ... 361

A Very Brief Introduction
Before We Get Started…
Thank you for making The Bryant Advantage part of your CCNP success story! I know you
have a lot of training options out there, from books to videos and everything in between,
and all of us here at TBA are very appreciative of your purchase.
During your studies, check out my YouTube channel! I’m starting an all-new CCNP SWITCH
300-115 Playlist in October 2015. With over 300 free videos there already, I know there’s
something there you’ll enjoy.
https://www.youtube.com/user/ccie12933
You’ll find additional free resources via these links:
Facebook: goo.gl/u72n1M
Google+: https://plus.google.com/+ccie12933
GNS3 (Free CCNP SWITCH Course!): goo.gl/yk2loM
Thanks again for your purchase, and now, let’s get started!
Chris Bryant
“The Computer Certification Bulldog”

Chapter 1: Switching Fundamentals

Your mastery of switching fundamentals can make the difference on exam day, so let's give this material a good going-over before heading on to new material!

Before proceeding, let's have a moment of silence for two old friends. We won't spend any time discussing floppy disks, but the item on the left is a hub, the predecessor to today's switches. (You'll sometimes see a double-headed arrow on top of the icon representing a hub.)

Having just one collision domain may sound good, but it's not. Back in the day, our hosts had to share transmission media via a hub, and by doing so, we must have rules on when a host may transmit data. Otherwise, one host's data will be almost continually colliding with another host's data, and all data involved is unusable. The hub might as well be a bomb at that point, because the data involved in the collision is going to "explode" when that collision occurs.

The set of rules for transmitting over Ethernet via shared media is Carrier Sense Multiple Access with Collision Detection, thankfully referred to as CSMA/CD. Here's the overall process…

A host with data to send must first listen to the wire, meaning it checks the shared media to see if another host is currently sending data. If the media is in use, the host backs off for a few milliseconds before listening to the wire again. If the media is not in use, the host sends the data.

If two hosts happen to send data at the exact same time, the voltage on the wire will change, indicating a data collision and rendering the collided signals useless. When the sending hosts detect that voltage change, they'll send a jam signal indicating to the other hosts that they should not send data right now. The sending hosts will then invoke a backoff timer, set to a random number of milliseconds. When each host's backoff timer expires, they will each begin the CSMA/CD process from the very beginning by listening to the wire. Since that backoff timer is set to a random value, it's unlikely that the data collision will reoccur. The hosts then have to retransmit the data, and there's no guarantee that another collision won't occur when that retransmission occurs!

With one big collision domain, we were darn glad to have CSMA/CD, and those built-in delays were a small price to pay for sharing media. You know what wasn't around though? Voice and video conferencing. VoIP phones. YouTube. Vimeo. Cat videos. Dog videos. Donkey videos. In short, all kinds of ultra-delay-sensitive voice and video traffic is present in today's network that we were only dreaming about back in the days of the hub. Having one big collision domain just would not do today.

Today's networks typically have each host connected to their own individual port on a switch. With the right switch config and network cards, a separate collision domain is created for each host. Collisions literally cannot occur! Some Cisco documentation refers to this "one host, one collision domain" setup as microsegmentation. It's not a term you hear often, but it's certainly a good one to know when you're reading Cisco docs.

One reason we love switches is the creation of smaller collision domains, and we also get a lot more bandwidth! When hosts are connected to individual switch ports, they no longer have to share bandwidth with other hosts, and each host can theoretically run at 200 Mbps (100 sending and 100 receiving), assuming FastEthernet ports.

Thanks to our switch, that takes care of the collision domain issue, but we still have one large broadcast domain. By default, a broadcast or multicast sent by any host connected to that switch will be received by every other host on that switch. That's a lot of unnecessary broadcasts flying around our network, which in turn means unnecessary work for the switch and for the hosts. We'll start breaking up those broadcast domains in the Virtual LAN (VLAN) section of the course.

Decisions, Decisions

When a frame enters a switch, that switch will forward it, filter it, or flood it. We'll take a look at each process right after this pop quiz!

When a switch receives a frame, what common value does the switch look at first?

It makes perfect sense that the switch would look at the frame's destination address first. After all, the only way for the switch to get the frame where it needs to go is to look at its intended destination, right? Wrong! The switch will actually look at the source MAC address before any other value.

The logical question to that answer would be: "Why does the switch even care where the frame came from?" The answer: "Because source addresses of incoming frames are how the switch builds and maintains its MAC address table." That's not the only reason for this behavior, but it's the major reason, which brings up another important point.

Let's take a look at how a switch builds that all-important MAC address table. Our routing table is helped along by dynamic routing protocols like EIGRP and OSPF. There is no equivalent to those protocols at Layer 2, so the switches have to build their MAC address tables in another fashion (or fashions).

We could build a MAC address table with all static entries, but that approach has a serious drawback. Every time you add a host to a switch, you'd have to make a static MAC entry for that host. The more information you add statically, the greater the chance of a mistyped entry, which in turn leads to unnecessary troubleshooting. If a port goes down and you switch the host connected to the bad port to a good port, you won't have full connectivity until you add a new static entry for that host's MAC address. In the heat of battle, it's easy to forget to remove the old entry, which leads to even more unnecessary troubleshooting when the bad port is fixed and another host is eventually connected to it.

It's much more efficient to let the hardware carry out dynamic operations rather than forcing you and I, the network admins, to handle everything statically. When I have a choice between letting the hardware do the work and me doing the work, I'll let the hardware do it every time. That doesn't mean I'm lazy, it means I'm smart.

We'll start with four hosts and one switch, using an odd topology to illustrate one forwarding option in particular. Hosts A and B are connected to a hub, which in turn is connected to a switch. We'll assume the switch has just been added to the network, and we'll also see each of those frame forwarding options in action.

When you first boot a switch, the MAC address table isn't empty. There will be some entries for the CPU, and they'll look something like this:

MLS_1#show mac address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU

The only way the switch can learn where the hosts are is for you and I to add a bunch of static entries (clumsy, not scalable) or let the switch learn their addresses dynamically.

We'll start our walkthrough with Host A sending a frame to Host C. The frame enters the switch on fast0/1, and the switch then looks at the source MAC address of the frame and asks itself one simple question: "Do I have an entry for this address in my MAC address table?" There's no grey area here – the answer is either yes or no! Since we just turned the switch on, there's no entry for Host A's address in the MAC table, so the switch makes one.

MLS_1#show mac address-table dynamic
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    aaaa.aaaa.aaaa    DYNAMIC     Fa0/1

At long last, we get to the frame forwarding decision! Will this frame be forwarded, filtered, or flooded? That depends on the answer to the next question the switch asks itself: "Do I have an entry for this destination address in my MAC address table?" The answer is no, so the switch floods the frame, sending a copy of the frame out of every single port on the switch except the port the frame rode in on. This is an unknown unicast frame, since the frame is a unicast (destined for one particular host), but there is no entry for this address in the MAC table.

This flooding ensures the frame will go out the port leading to the correct host, and it also guarantees the other hosts will get the frame, which is a huge waste of bandwidth, host resources, and switch resources. If this is a 64-port switch and there's a host on every port, the switch has to send 63 copies of the frame – 62 of which are totally unnecessary! There's nothing wrong with a little frame flooding as you add a host or switch to a network – it really can't be avoided – but after the initial add, we'd rather not have much flooding.

Host C will now respond to Host A with a frame of its own. We know what happens when the switch receives that frame, but will there be an entry for the source MAC of that frame? There is no entry for cccc.cccc.cccc, so the switch will create one. The switch then checks for the frame's destination address of aaaa.aaaa.aaaa in that table, and since there is one, the switch will forward the frame via Fa0/1. Our dynamic entries in that table are as follows:

MLS_1#show mac address-table dynamic
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    aaaa.aaaa.aaaa    DYNAMIC     Fa0/1
   1    cccc.cccc.cccc    DYNAMIC     Fa0/2

The dynamic entries in the table will now start to work in our favor. If Host A responds to Host C, the switch will have an entry for Host C's MAC address where it didn't have one earlier. Frames flowing from Host A to Host C will now be forwarded out Fa0/2 rather than being flooded.

Let's jump ahead to a scenario where the topology is the same and the switch has a dynamic MAC entry for each host.

MLS_1#show mac address-table dynamic
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    aaaa.aaaa.aaaa    DYNAMIC     Fa0/1
   1    bbbb.bbbb.bbbb    DYNAMIC     Fa0/1
   1    cccc.cccc.cccc    DYNAMIC     Fa0/2
   1    dddd.dddd.dddd    DYNAMIC     Fa0/3

We have an unusual setup where Hosts A and B are connected to a hub that is in turn connected to a switch. Please note that this is not a topology you're going to see in many production networks (if at all). I'm strictly presenting it to you to illustrate the switch's third option for frame forwarding.

When Host A sends a frame to Host B, B will get a copy of it through the hub, as will the switch. This messes with the switch's mind for just a moment. The switch checks for the source and destination addresses in its MAC address table, and sees that they're both found off the same port! From the switch's point of view, both of those hosts are found off port Fa0/1, and the switch then filters the frame. "Filter" is a fancy big-city way of saying "the frame is dropped".

Let's review those decisions and add a little broadcast / multicast discussion.

Forwarding happens when the switch has an entry for the frame's destination MAC. Forwarded frames are sent out only via the port indicated by the MAC address table.

Flooding occurs when the switch has no entry for the frame's destination MAC. When a frame is flooded, a copy of it is sent out of every port on the switch except the one it came in on. Unknown unicast frames are always flooded.

Filtering happens when the source and destination MAC addresses are found off the same port. Technically, filtering also occurs when a frame is not sent out of a port because the destination is a known unicast.

Frames with a destination MAC of all Fs (ffff.ffff.ffff) are called broadcast frames, and are treated in the same manner as unknown unicast frames. Broadcast frames are actually intended for all hosts, where unknown unicast frames are sent to all hosts as a side effect of the frame flooding. Multicast frames have a destination MAC in the range 0100.5e00.0000 – 0100.5e7f.ffff and are treated in the same fashion as broadcast frames.
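The switch's learning and forwarding logic from this walkthrough, as a small simulation. This is an added example, not code from the book: a Python model of the MAC address table that learns source addresses per port, applies the 300-second default aging timer and moves an entry when a host shows up on a new port (behaviour this chapter demonstrates on the real switch later), and returns the forward / filter / flood decision for each frame. Host MACs, port names and timestamps are constructed to match the topology above.

```python
"""Simulated switch MAC address table: learning, aging, and the
forward / filter / flood decision.

Added example, not code from the book.  It models the chapter's topology
(Hosts A and B behind a hub on Fa0/1, Host C on Fa0/2, Host D on Fa0/3),
the 300-second default aging timer, and what happens when a host shows up
on a new port.  All MAC addresses, port names and timestamps are constructed.
"""

BROADCAST = "ffff.ffff.ffff"
MCAST_LOW = int("01005e000000", 16)   # 0100.5e00.0000
MCAST_HIGH = int("01005e7fffff", 16)  # 0100.5e7f.ffff
DEFAULT_AGING = 300                   # IOS default for dynamic entries, in seconds


def mac_to_int(mac: str) -> int:
    return int(mac.replace(".", ""), 16)


def is_multicast(mac: str) -> bool:
    """IPv4 multicast frames use 0100.5e00.0000 - 0100.5e7f.ffff."""
    return MCAST_LOW <= mac_to_int(mac) <= MCAST_HIGH


class MacTable:
    def __init__(self, aging_time: int = DEFAULT_AGING):
        # 0 disables aging, matching 'mac address-table aging-time 0'
        self.aging_time = aging_time
        self.dynamic = {}   # mac -> (port, last_seen)
        self.static = {}    # mac -> port, e.g. the switch's own CPU entries

    def age_out(self, now: float) -> list:
        """Remove dynamic entries not refreshed within aging_time; returns them."""
        if self.aging_time == 0:
            return []
        expired = [m for m, (_, seen) in self.dynamic.items()
                   if now - seen > self.aging_time]
        for m in expired:
            del self.dynamic[m]
        return expired

    def learn(self, src: str, port: str, now: float) -> None:
        """Source learning: a fresh frame resets the timer, and a frame
        arriving on a different port simply moves the entry (no aging needed)."""
        if src not in self.static:
            self.dynamic[src] = (port, now)

    def lookup(self, mac: str):
        if mac in self.static:
            return self.static[mac]
        entry = self.dynamic.get(mac)
        return entry[0] if entry else None

    def receive(self, src: str, dst: str, in_port: str, ports: list, now: float):
        """Process one frame; returns (decision, egress_ports)."""
        self.age_out(now)
        self.learn(src, in_port, now)          # source MAC is examined first
        everything_else = [p for p in ports if p != in_port]
        if dst == BROADCAST or is_multicast(dst):
            return "flood", everything_else    # broadcast/multicast always flooded
        out = self.lookup(dst)
        if out is None:
            return "flood", everything_else    # unknown unicast
        if out == in_port:
            return "filter", []                # src and dst live off the same port
        return "forward", [out]                # known unicast


PORTS = ["Fa0/1", "Fa0/2", "Fa0/3", "Fa0/4"]
A, B, C, D = "aaaa.aaaa.aaaa", "bbbb.bbbb.bbbb", "cccc.cccc.cccc", "dddd.dddd.dddd"


def walkthrough():
    """The chapter's frame sequence on a freshly booted switch."""
    table = MacTable()
    results = [
        table.receive(A, C, "Fa0/1", PORTS, now=0),    # unknown unicast -> flood
        table.receive(C, A, "Fa0/2", PORTS, now=1),    # A is known now -> forward
        table.receive(A, B, "Fa0/1", PORTS, now=2),    # B not learned yet -> flood
        table.receive(B, A, "Fa0/1", PORTS, now=3),    # both on Fa0/1 -> filter
        table.receive(A, BROADCAST, "Fa0/1", PORTS, now=4),
        table.receive(D, "0100.5e01.0001", "Fa0/3", PORTS, now=5),
    ]
    return results, table


def aging_and_port_move():
    """Entries expire after 300 s of silence; a host seen on a new port moves at once."""
    table = MacTable()
    table.receive(D, C, "Fa0/3", PORTS, now=0)
    before = table.lookup(D)                                    # Fa0/3
    table.receive(D, C, "Fa0/13", PORTS + ["Fa0/13"], now=10)
    moved = table.lookup(D)                                     # Fa0/13, no aging needed
    table.receive(C, D, "Fa0/2", PORTS + ["Fa0/13"], now=311)   # D silent for 301 s
    return before, moved, table.lookup(D)


if __name__ == "__main__":
    for decision, egress in walkthrough()[0]:
        print(decision, egress)
    print(aging_and_port_move())
```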

More About That MAC Address Table

When I was waxing poetic about dynamically learned MAC addresses, I'm sure you wondered how long those addresses stay in the table. The default aging time for dynamically learned MAC addresses is 300 seconds, and that timer is reset when a frame comes in with that particular source MAC address. In short, as long as the switch hears from a host within any five-minute period, that host's MAC address stays in the table.

You already knew that the command to change that value is mac address-table aging-time. For example, if I asked you to set the MAC address aging time to 10 minutes, you might be tempted to enter the following:

MLS_1(config)#mac address-table aging-time 10

Not only is that wrong, it's really wrong. IOS Help reveals that the time unit for this command is seconds…

MLS_1(config)#mac address-table aging-time ?
  <0-0>         Enter 0 to disable aging
  <10-1000000>  Aging time in seconds

… so right now our dynamic entries are aging out in just 10 seconds. Let's fix that:

MLS_1(config)#mac address-table aging-time 600

Verify with show mac address-table aging-time.

MLS_1#show mac address-table aging-time
Global Aging Time: 600

I strongly urge you to use IOS Help to check any numeric value. Time-related commands use different combinations of seconds, milliseconds, minutes, hours, and days. Data-based commands use megabits, kilobits, gigabits – you get the idea. With time-based IOS commands, be sure to use IOS Help to check the unit of time that particular command uses. Use IOS Help, my friends – that's why it's there!

I shall now hop down from Ye Olde Soapbox and we'll march forward! Another factor in favor of dynamic MAC address table entries is the switch's ability to dynamically adapt to a change in physical ports. To demo this, I'll need to know the port ROUTER_3 is connected to. Do you know a command that will give us information about directly connected Cisco devices?

MLS_1#show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
ROUTER_1         Fas 0/1           177        R S I       2801      Fas 0/0
ROUTER_3         Fas 0/3           136        R S I       2801      Fas 0/0

Right! More about CDP later in the course. Let's use show mac address-table dynamic interface to get info about only that particular port. (When you have 48 or so dynamically learned addresses, you'll want to use this filter.)

MLS_1#show mac address-table int fast 0/3
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  13    001f.ca96.2754    DYNAMIC     Fa0/3
Total Mac Addresses for this criterion: 1

So far, so good! But now… port Fa0/3 goes BAD. With dynamically learned addresses, all we need to do is move that cable to a port that's working. I'll move it to Fast0/13 and check the full dynamic address table.

MLS_1#show mac address-table dynamic
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    001f.ca96.2754    DYNAMIC     Fa0/13
  13    0017.59e2.474a    DYNAMIC     Fa0/1
Total Mac Addresses for this criterion: 2

Success! ROUTER_3's MAC address is correctly listed in the table. No aging was necessary – once the switch saw frames from ROUTER_3 come in on a new port, the entry for that address on Fa0/3 was removed.

There is one thing you have to do manually in this situation, and that's changing the VLAN membership of that port. Earlier show commands told us that the previous port belonged to VLAN 13, and our Cisco switch ports belong to VLAN 1 by default. You likely remember how to change a port's VLAN membership, but here's a reminder:

MLS_1(config)#int fast 0/13
MLS_1(config-if)#switchport access vlan 13

MLS_1#show vlan brief
VLAN Name        Status    Ports
---- ----------  --------  ----------------------------------
1    default     active    (All ports except those in #13)
13   VLAN0013    active    Fa0/1, Fa0/3, Fa0/13

We've been working with the MAC address table for a while now, so it's a good time to tell you the other name for this table, and there's plenty of additional work with VLANs ahead! The MAC address table is also known as the Content Addressable Memory (CAM) table, and for Layer 2 switching, having "just" the CAM table is enough to get the job done. Multilayer switches have other challenges and tasks besides switching – routing, advanced security, and Quality of Service (QoS) to name just a few! For these tasks, we'll need the help of a Ternary Content Addressable Memory (TCAM) table. While CAM table lookups use two values (no surprise, they're 0 and 1), TCAM tables have three values – 0, 1, and "x" for "don't care". It's common for multilayer switches to have multiple TCAM tables to go along with the multiple functions an MLS must handle. You'll find more info on the TCAM in the Multilayer Switching portion of the course.

Switch Roles And The SDM

The great thing about multilayer switches is their ability to fit almost any role in your network. You may have an MLS that spends most of its time routing, while others act pretty much as L2 switches. The default allocation of switch resources may not fit the role of the switch. By default, the resources are split up pretty much evenly between routing, switching, and security.

Wouldn't it be great if we could allocate more system resources to routing if the MLS is primarily going to route? How about making a larger MAC address table possible for an MLS that's primarily going to switch? Thanks to SDM, we can do just that on many Cisco switches. SDM does that for us with ease! (This is not the Security Device Manager that you may have used and studied previously; this SDM is the Switching Database Manager.) SDM uses templates to allocate system resources, and if you cringe when you hear the word "template", you may un-cringe – these templates are already created!

Let's see the SDM templates available on my switch:

MLS_1(config)#sdm prefer ?
  access              Access bias
  default             Default bias
  dual-ipv4-and-ipv6  Support both IPv4 and IPv6
  routing             Unicast bias
  vlan                VLAN bias

When IOS Help says "bias", it means business! Here's a quick look at each template and its capabilities:

Access – If your MLS is running a whoooole lot of ACLs, this template can come in handy, as it will allocate resources to handle the maximum number of ACLs.

Default – That's the default template, and it treats all functions more or less equally.

Dual-ipv4-and-ipv6 – Great for an MLS running dual stack (both IPv4 and v6 at the same time). This template doesn't support everything IPv6-wise, including IPv6 multicast, so do your homework before applying this template.

Routing – Enhances the environment for IPv4 unicast routing.

VLAN – Supports the CAM table's growth to contain the maximum number of unicast MAC addresses. Very important: This template disables hardware routing. There's no workaround for this one.

Some switches have default resource allocations that can't be changed, but when they can be changed, the first thing that's going to happen is you and I being told we have to reload the switch for the template switch to take effect. To see the currently loaded template and its allocation settings, run show sdm prefer.

MLS_1#show sdm prefer
The current template is "desktop default" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  6K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    8K
    number of directly-connected IPv4 hosts:        6K
    number of indirect IPv4 routes:                 2K
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K

Let's load the VLAN template and see what happens.

MLS_1(config)#sdm prefer vlan
Changes to the running SDM preferences have been stored, but cannot take effect until the next reload.
Use 'show sdm prefer' to see what SDM preference is currently active.

Well, we really do have to reload the switch! I'll do so now and run show sdm prefer after the reload.

MLS_1#show sdm prefer
The current template is "desktop vlan" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  12K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    0
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K

Quite a difference! We now have twice the space for unicast mac addresses, but look at that tradeoff! There's no room for IPv4 unicast routes or PBR, using the SDM vlan template!

Let's load the routing template and check the results. After the reload:

MLS_1#show sdm prefer
The current template is "desktop routing" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  3K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    11K
    number of directly-connected IPv4 hosts:        3K
    number of indirect IPv4 routes:                 8K
  number of IPv4 policy based routing aces:         0.5K
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K

Additional resources are indeed reserved for IPv4 unicast and PBR, but we still have some room for MAC addresses. The SDM routing template doesn't disable switching, but the SDM vlan template does disable routing. Something to keep in mind when choosing a template.

Before we move on, just for shiggles, here's the allocation when the access template is in use.

MLS_1#show sdm prefer
The current template is "desktop access IPv4" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  4K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    6K
    number of directly-connected IPv4 hosts:        4K
    number of indirect IPv4 routes:                 2K
  number of IPv4 policy based routing aces:         0.5K
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 2K

Important stuff to keep in mind!

Just Some Reminders…

The Ethernet types and speeds we'll see in this course:

Ethernet: 10 Mbps. The original, but not the best.

FastEthernet: 100 Mbps. Can run in half- or full-duplex mode. Most Cisco switch ports we'll use in this course are FE ports.

Gig Ethernet: 1 Gbps (1000 Mbps). Also expressed as GbE. Wikipedia: "Half-duplex gigabit links connected through hubs are allowed by the specification, but the specification is not updated anymore and full-duplex usage with switches is used exclusively."

10 Gig Ethernet: 10 Gbps (10,000 Mbps). Does not support half-duplex links. Can be run on copper cables, but requires higher-grade cables (Cat 6a or Cat7).

Port Speed, Duplex, And Autonegotiation

In the real world, use autonegotiation on both ends of a connection and you're gold. With both interfaces enabled for autonegotiation, both devices will send fast link pulses (FLPs). The obvious question is: "Fast compared to what?" They're fast compared to normal link pulses (NLPs). As expected, our FLPs give more pulses in the same amount of time. (Both drawings courtesy of Wikipedia; both are in the public domain.)

The FLP is basically a declaration of the capabilities of the sending device with regards to speed and duplex, allowing a decision as to speed and duplex that is as fast and efficient as possible without exceeding device capabilities.

The fundamental autonegotiation rules:

If both ports support different speeds, the highest common speed is preferred.

If both ports support half- and full-duplex, full-duplex is (thankfully) always preferred.

Here, ROUTER_3's Fast 0/0 interface is connected to 0/7 on MLS_1. Not much to decide here, since the max capabilities are the same on both sides! Both involved ports end up running at FastEthernet speed, set to full-duplex.

With that in mind, let's discuss some things that can go wrong with autonegotiation. Now, back to the demo… But what happens if MLS_1 is not running autonegotiation at all? Let's find out while hardcoding the speed and duplex settings on MLS_1.

MLS_1(config)#int fast 0/7
MLS_1(config-if)#speed ?
  10    Force 10 Mbps operation
  100   Force 100 Mbps operation
  auto  Enable AUTO speed configuration
MLS_1(config-if)#speed 10
MLS_1(config-if)#duplex ?
  auto  Enable AUTO duplex configuration
  full  Force full duplex operation
  half  Force half-duplex operation
MLS_1(config-if)#duplex full

Now we have a problem, and it's a problem that's not always easy to spot. With one endpoint running autonegotiation and the other end not, we end up with parallel detection. PD brings us some good news: The device running autonegotiation can detect the speed of the remote device and adjust its speed accordingly. ROUTER_3 detects the 10 Mbps speed on the remote endpoint and sets its own speed accordingly.

ROUTER_3(config)#int fast 0/0
ROUTER_3(config-if)#speed auto
ROUTER_3(config-if)#duplex auto

Sadly, it's not all good with PD, as ROUTER_3 will be unable to detect the remote endpoint's duplex setting. The router can't assume full-duplex on that remote endpoint, so it must set its own port to the dreaded half-duplex. The physical interfaces and line protocols are still up on both devices:

MLS_1#show int fast 0/7
FastEthernet0/7 is up, line protocol is up (connected)

ROUTER_3#show int fast 0/0
FastEthernet0/0 is up, line protocol is up
  Hardware is Gt96k FE, address is 001f.ca96.2754 (bia 001f.ca96.2754)
  MTU 1500 bytes, BW 10000 Kbit/sec, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 10Mb/s, 100BaseTX/FX

ROUTER_3 is running at half-duplex, so that interface will transmit or receive, but it will not do both at the same time. (That's verified by the show interface output just above.) MLS_1 will go at data transmission with all guns blazing, since it's running at full-duplex. ROUTER_3 will see data coming in at the same time it's transmitting, and will think a data collision has occurred when in reality no such collision has. In short, you end up with a real mess, and a totally unnecessary one at that.

These duplex mismatches can be tough to spot just by looking at the config, but our old pal CDP will let you know about 'em in a heartbeat:

*Apr 11: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/0 (not full duplex), with MLS_1 FastEthernet0/7 (full duplex).

That's about as self-explanatory as a console message can get!

Coming up next: The wonderful world of VLANs!
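The two autonegotiation rules and the parallel-detection fallback above, as a small model. This is an added example, not code from the book: it computes what each end of a link settles on when both autonegotiate, when one end has its speed and duplex hardcoded (the ROUTER_3 / MLS_1 demo), and flags the resulting duplex mismatch the way the CDP message does. The Port class, the assumption that a hardcoded port with no explicit duplex runs half-duplex, and the mismatch message format are all constructed for this example.

```python
"""Autonegotiation rules and the parallel-detection fallback.

Added example, not code from the book.  It encodes the two rules above
(highest common speed wins, full-duplex preferred when both ends support it)
and what parallel detection can and cannot recover when one end has its
speed and duplex hardcoded.  Port names and the mismatch message format are
constructed to mirror the chapter's ROUTER_3 / MLS_1 demo.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

SPEED_ORDER = (10, 100, 1000, 10000)   # Mbps, lowest to highest


@dataclass
class Port:
    name: str
    speeds: Tuple[int, ...]               # speeds the hardware can run
    duplexes: Tuple[str, ...]             # ("half", "full"), or ("full",) for 10GbE
    forced_speed: Optional[int] = None    # 'speed 10' or 'speed 100' configured
    forced_duplex: Optional[str] = None   # 'duplex half' or 'duplex full' configured

    @property
    def autoneg(self) -> bool:
        """Hardcoding the speed turns autonegotiation off on that port."""
        return self.forced_speed is None


def negotiate(a: Port, b: Port) -> dict:
    """Return {port name: (speed_mbps, duplex)} once the link comes up.
    A speed of None means the two ends have no speed in common."""
    if a.autoneg and b.autoneg:
        common = [s for s in SPEED_ORDER if s in a.speeds and s in b.speeds]
        speed = common[-1] if common else None     # highest common speed
        duplex = "full" if "full" in a.duplexes and "full" in b.duplexes else "half"
        return {a.name: (speed, duplex), b.name: (speed, duplex)}
    result = {}
    for port, peer in ((a, b), (b, a)):
        if not port.autoneg:
            # Assumption for this model: a hardcoded port with no explicit
            # duplex setting runs half-duplex.
            result[port.name] = (port.forced_speed, port.forced_duplex or "half")
        else:
            # Parallel detection: the autonegotiating side senses the peer's
            # speed from its link signalling, but it cannot learn the peer's
            # duplex, so it must fall back to half-duplex.
            speed = peer.forced_speed if peer.forced_speed in port.speeds else None
            result[port.name] = (speed, "half")
    return result


def duplex_mismatch(result: dict, a_name: str, b_name: str) -> Optional[str]:
    """Report a duplex mismatch the way CDP would; None when the link agrees."""
    (speed_a, dup_a), (speed_b, dup_b) = result[a_name], result[b_name]
    if speed_a is None or speed_b is None or dup_a == dup_b:
        return None

    def describe(d: str) -> str:
        return "full duplex" if d == "full" else "not full duplex"

    # Constructed in the style of the %CDP-4-DUPLEX_MISMATCH message in the text
    return (f"duplex mismatch discovered on {a_name} ({describe(dup_a)}), "
            f"with {b_name} ({describe(dup_b)})")


def chapter_scenario():
    """ROUTER_3 Fa0/0 <-> MLS_1 Fa0/7: first both auto, then MLS_1 hardcoded."""
    router = Port("ROUTER_3 FastEthernet0/0", (10, 100), ("half", "full"))
    mls = Port("MLS_1 FastEthernet0/7", (10, 100), ("half", "full"))
    both_auto = negotiate(router, mls)                   # 100 Mbps, full, both ends
    mls.forced_speed, mls.forced_duplex = 10, "full"     # speed 10 / duplex full
    hardcoded = negotiate(router, mls)                   # router: 10 Mbps, half
    return both_auto, hardcoded, duplex_mismatch(hardcoded, router.name, mls.name)


if __name__ == "__main__":
    for outcome in chapter_scenario():
        print(outcome)
```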

Chapter 2: THE WHEN, WHERE, AND HOW OF VLANS

Even if you’ve just earned your CCNA, don’t breeze through this section. VLANs are the core of your switching network, and they’re going to be all over your SWITCH exam. We’re in the exam room to score points, not give them away, and part of scoring points is mastering VLAN fundamentals. Let’s jump to the most fundamental of fundamentals by answering these questions: “Why don’t we just use physical LANs? Why do we need virtual ones?”

One great use for VLANs is to limit the scope of our old pal, the broadcast. By default, a switch will take an incoming broadcast and send a copy of it out of every single port except the port that received the original broadcast. In the following example, our hosts are all in the same broadcast domain, making this a flat network topology. (For clarity, cabling is not shown.) The switch will forward a copy of the incoming broadcast to every other host. It’s doubtful that every host connected to your switch actually needs the broadcast.

Broadcast propagation wouldn’t be a huge deal in a 5-host network, but we don’t run into many 5-host networks in the real world. I pride myself on presenting as many real-world networking examples as possible in my books. Rest assured that this is not one of them. On a switch with 24, 48, or 60+ ports, this broadcast flooding would have a negative impact on overall switch operation, and your available bandwidth would start to get sucked up by a bunch of unnecessary broadcasts.

We limit the overall number of broadcasts by limiting their scope, a fancy way of saying “let’s only send the broadcasts where they need to go rather than just sending them everywhere.” That’s where VLANs come in. When you create VLANs, you’re creating multiple, smaller broadcast domains, which in turn lowers the number of overall broadcasts. Broadcasts are forwarded only to hosts in the same VLAN as the original sender of the broadcast.

Speaking of that, Cisco’s best practice is to have one VLAN per IP subnet, and this is a best practice that works really well in real-world networking. Cisco also recommends that a VLAN doesn’t reach beyond the distribution layer in its 3-layer switching model. (More on that in the design section of this course.)

The method used to determine a host’s VLAN membership depends on the kind of VLAN you’re using. The terms “static” and “dynamic” refer to how the host is assigned VLAN membership, not to how the VLAN is actually created. Whether you’re using static or dynamic VLANs, VLAN membership determination is still done by the switch. The host doesn’t care about its VLAN membership. It’s only important to the port to which the host is connected. With static VLANs, membership is dependent on the port the host is connected to. With dynamic VLANs, the membership depends on the host’s MAC address. In this course, we’ll concentrate on static VLANs. Let’s take our first look at show vlan.

SW1#show vlan
VLAN Name               Status    Ports
---- ------------------ --------- --------------------------------
1    default            active    Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9, Fa0/10, Fa0/11, Fa0/12
1002 fddi-default       act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default    act/unsup
1005 trnet-default      act/unsup

VLAN Type  SAID   MTU  Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ------ ---- ------ ------ -------- --- -------- ------ ------
1    enet  100001 1500 -      -      -        -   -        0      0
1002 fddi  101002 1500 -      -      -        -   -        0      0
1003 tr    101003 1500 -      -      -        -   -        0      0
1004 fdnet 101004 1500 -      -      -        -   -        0      0
1005 trnet 101005 1500 -      -      -        ibm -        0      0

Remote SPAN VLANs
Primary Secondary Type Ports

All 12 ports on this particular switch are in the default VLAN, VLAN 1. The five VLANs shown are default VLANs and cannot be deleted. You may never use VLANs 1002 – 1005 in real-world networking. They’re legacy VLANs designed for use with FDDI and Token Ring. (Never say “old” in networking, always say “legacy”.) Keep them in mind for the exam.

To be blunt, while this is an important command to know, it gives you a lot of info you really don’t need to start troubleshooting or to verify your work. I prefer show vlan brief.

SW1#show vlan brief
VLAN Name               Status    Ports
---- ------------------ --------- --------------------------------
1    default            active    Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9, Fa0/10, Fa0/11, Fa0/12
1002 fddi-default       act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default    act/unsup
1005 trnet-default      act/unsup

This command shows you only the port memberships, which is all we need to get started.

I’ve used ping to test connectivity in the lab. (Always test your basic connectivity before starting a lab. As your studies and career progress, you’ll be surprised at how often a host-to-host communications issue comes down to a port being in a different VLAN than you thought it was!) I’ll show the ping results here only from H1 to save a little space. I know you’ll take my word on the others! The ping results will look different than they would on a PC, as I’m using Cisco routers as my hosts.

To meet Cisco’s best practices, we’ll use the single IP subnet 10.1.1.0 /24 for this four-host lab network, and the host number will serve as the last octet in the host’s IP address. Right now, all hosts are in one single broadcast domain, and every host can ping every other host.

HOST1#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/10/32 ms

HOST1#ping 10.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

HOST1#ping 10.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms

Right now, any broadcast sent by any host will be received by all of our other hosts. I occasionally hear a network admin say “we don’t use VLANs,” and while that admin may not have configured VLANs, VLANs are always in use. Cisco switch ports are in VLAN 1 by default. Each VLAN is its own broadcast domain. (I know I’m hitting you over the head with this. The pain will stop soon.) We know what that means – a broadcast that comes in on any of these ports will be forwarded out every other port on the switch.

Let’s practice limiting the broadcast scope. Let’s configure our switch to allow broadcasts sent by H1 to be forwarded only to H2 by putting them in their own little broadcast domain – that is, their own VLAN! We’ll place those two hosts into the not-yet-existent VLAN 12 with switchport mode access and switchport access vlan 12. The first command puts the port into access mode, which means it can belong to one and only one VLAN. The second command defines VLAN membership.

SW1(config)#int fast 0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access ?
  vlan  Set VLAN when interface is in access mode
SW1(config-if)#switchport access vlan ?
  <1-1005>  VLAN ID of the VLAN when this port is in access mode
  dynamic   When in access mode, this interfaces VLAN is controlled by VMPS
SW1(config-if)#switchport access vlan 12
% Access VLAN does not exist. Creating vlan 12

If you try to put ports into a non-existent VLAN, the switch will do it for you. This dynamic creation of a VLAN does NOT make this a dynamic VLAN. The terms “static” and “dynamic” refer to the method used to place hosts into a VLAN, not the method of VLAN creation.

To create a VLAN manually, use the vlan command. I’ll create VLAN 20 on this switch, name it ACCOUNTING, and then we’ll leave that VLAN alone for the duration of the lab.

SW1(config)#vlan 20
SW1(config-vlan)#?
VLAN configuration commands:
  are           Maximum number of All Route Explorer hops for this VLAN (or zero if none specified)
  backupcrf     Backup CRF mode of the VLAN
  bridge        Bridging characteristics of the VLAN
  exit          Apply changes, bump revision number, and exit mode
  media         Media type of the VLAN
  mtu           VLAN Maximum Transmission Unit
  name          Ascii name of the VLAN
  no            Negate a command or set its defaults
  parent        ID number of the Parent VLAN of FDDI or Token Ring type VLANs
  private-vlan  Configure a private VLAN
  remote-span   Configure as Remote SPAN VLAN
  ring          Ring number of FDDI or Token Ring type VLANs
  said          IEEE 802.10 SAID
  shutdown      Shutdown VLAN switching
  state         Operational state of the VLAN
  ste           Maximum number of Spanning Tree Explorer hops for this VLAN (or zero if none specified)
  stp           Spanning tree characteristics of the VLAN
  tb-vlan1      ID number of the first translational VLAN for this VLAN (or zero if none)
  tb-vlan2      ID number of the second translational VLAN for this VLAN (or zero if none)

The name command is the only one of these options we need to concern ourselves with.

If you earned your CCNA with me, you know what I’m going to say. Verify it!

SW1#show vlan brief
VLAN Name               Status    Ports
---- ------------------ --------- --------------------------------
1    default            active    Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9, Fa0/10, Fa0/11, Fa0/12
12   VLAN0012           active    Fa0/1, Fa0/2
20   ACCOUNTING         active
1002 fddi-default       act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default    act/unsup
1005 trnet-default      act/unsup

Bingo! VLAN 20 sits empty, and VLAN 12 contains fast 0/1 and 0/2. For brevity’s sake, I’ll rename VLAN 12 “SUCCESS”, and then we’ll move on.

SW1(config)#vlan 12
SW1(config-vlan)#name SUCCESS

SW1#show vlan brief
VLAN Name               Status    Ports
---- ------------------ --------- --------------------------------
1    default            active    Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9, Fa0/10, Fa0/11, Fa0/12
12   SUCCESS            active    Fa0/1, Fa0/2
20   ACCOUNTING         active
1002 fddi-default       act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default    act/unsup
1005 trnet-default      act/unsup

Let’s ping the network from H1. For the rest of this section, I’ll show only the ping and ping result.

HOST1#ping 10.1.1.2
!!!!!
HOST1#ping 10.1.1.3
.....
HOST1#ping 10.1.1.4
.....

Congratulations! Assuming all hosts are sending roughly the same number of broadcasts, you just cut broadcast traffic in your network by 66%, and all is well!

Or… IS it? The good news is that broadcasts from H1 aren’t going to H3 or H4. The bad news is that no traffic is going from H1 to H3 or H4, even though they’re in the same IP subnet. Sometimes, in networking, a solution leads to another issue. Inter-VLAN traffic requires the routing layer of the OSI model to get involved. If this is strictly a Layer 2 switch, we’ll need to get a router involved. If this is a Multi-Layer Switch (MLS), we could enable IP routing on the switch and then work something out. We’ll look at using an MLS in this situation later in the course. For now, keep in mind that inter-VLAN traffic requires Layer 3 involvement.

Before we hit dynamic VLANs, let me give you a real-world networking tip that’s saved my hash on more than one occasion. When you have one or two VLANs, the output of show vlan brief is easy to read. Once you get more VLANs, and ports spread out among them, it’s easy to misread, especially when one of your company’s VPs is yelling at you while you write the config. It’s really easy for the eye to skip up a line as you read this output, as in the following:

SW1#show vlan brief
VLAN Name               Status    Ports
---- ------------------ --------- --------------------------------
1    default            active    Fa0/3, Fa0/4, Fa0/5, Fa0/7, Fa0/11, Fa0/12
10   KANSASCITY         active    Fa0/6
12   SUCCESS            active    Fa0/1, Fa0/2
20   OREGON             active    Fa0/9
35   GREENBAY           active    Fa0/10
42   OHIOSTATE          active    Fa0/8
1002 fddi-default       act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default    act/unsup
1005 trnet-default      act/unsup

If you read fast0/10 as belonging to VLAN 42, that’s just going to make your troubleshooting harder! To see the ports in one particular VLAN, use show vlan id followed by the VLAN number.

SW1#show vlan id 35
VLAN Name               Status    Ports
---- ------------------ --------- --------------------------------
35   GREENBAY           active    Fa0/10

One of the painful things about static VLANs becomes apparent when you need to move a host from one port to another. Let’s say a problem has arisen with 0/4 on our current switch, and we need to move that host to 0/5. We’d need to manually configure 0/5 for that host, and as good network admins, we’d keep up with our network housekeeping and remove the config from 0/4. (I’ll leave 0/4 as an access port.)

SW1(config)#int fast 0/4
SW1(config-if)#no switchport access vlan 12
SW1(config-if)#int fast 0/5
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 12

You’re likely thinking “Hey Chris, what’s the big deal?” I admit that it’s not a ton of work, but the more manual configuration you do, the larger the chance of a simple misconfiguration. All you have to do is enter “21” for “12” on that 0/5 config and you have more trouble than you started with. Wouldn’t it be great if you could just detach the cable from 0/4 and plug it into 0/5, and the VLAN membership adjusted automatically? That’s what VMPS brings to the table.

Dynamic VLANs

The actual configuration of dynamic VLANs is way out of the CCNP SWITCH exam scope, but you should be familiar with the basics of the VLAN Membership Policy Server (VMPS), the core of dynamic VLAN configuration. VMPS uses the source MAC address of incoming frames to determine the VLAN membership of the port receiving those frames. When the switch sees frames coming in on 0/5 with a source MAC address that was in its MAC address table as belonging to 0/4…
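As an added example (not part of the book), here is a small Python parser for show vlan brief output that answers “which VLAN is this port in?” and “which ports get a copy of a broadcast from this port?” without eyeballing wrapped port lists. The sample output is constructed in the layout shown above, including a continuation line for a long port list.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the layout IOS prints for show vlan brief: a long
# port list wraps onto continuation lines that begin with whitespace.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/7
                                                Fa0/11, Fa0/12
10   KANSASCITY                       active    Fa0/6
12   SUCCESS                          active    Fa0/1, Fa0/2
20   OREGON                           active    Fa0/9
35   GREENBAY                         active    Fa0/10
42   OHIOSTATE                        active    Fa0/8
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
"""

# One VLAN row: id, name, status, then an optional comma-separated port list.
VLAN_ROW = re.compile(
    r"^(\d+)\s+(\S+)\s+(act/unsup|act/lshut|active|suspended)\s*(.*)$"
)


def _ports(field: str) -> List[str]:
    return field.replace(",", " ").split()


def parse_show_vlan_brief(text: str) -> Dict[int, dict]:
    """Return {vlan_id: {"name", "status", "ports"}} from show vlan brief text."""
    vlans: Dict[int, dict] = {}
    current: Optional[int] = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("VLAN ", "----")):
            continue
        m = VLAN_ROW.match(line)
        if m:
            current = int(m.group(1))
            vlans[current] = {"name": m.group(2), "status": m.group(3),
                              "ports": _ports(m.group(4))}
        elif line[0].isspace() and current is not None:
            # Continuation of the previous row's port list.
            vlans[current]["ports"].extend(_ports(line))
    return vlans


def port_vlan(vlans: Dict[int, dict], port: str) -> Optional[int]:
    """Access VLAN of a port, or None if it is not listed (trunking, for instance)."""
    for vid, info in vlans.items():
        if port in info["ports"]:
            return vid
    return None


def broadcast_receivers(vlans: Dict[int, dict], ingress_port: str) -> List[str]:
    """Ports that get a copy of a broadcast entering on ingress_port: every
    other port in the same VLAN, and no port in any other VLAN."""
    vid = port_vlan(vlans, ingress_port)
    if vid is None:
        raise ValueError(f"{ingress_port} has no access VLAN; check whether it is trunking")
    return [p for p in vlans[vid]["ports"] if p != ingress_port]


if __name__ == "__main__":
    table = parse_show_vlan_brief(SHOW_VLAN_BRIEF)
    print("Fa0/10 is in VLAN", port_vlan(table, "Fa0/10"))  # 35, not 42
    print("Broadcast from Fa0/3 reaches", broadcast_receivers(table, "Fa0/3"))
```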

…the switch will realize what’s happened, and will then dynamically change the VLAN membership of 0/5 and update its MAC address table, so moving the cable is all we have to do.

Some VMPS notes:

The VMPS Server must be configured before you can dynamically assign any VLAN membership.

Port security and dynamic VLAN memberships don’t play well together. Actually, they don’t play together at all. You have to disable port security on a port in order for that port to get a dynamic VLAN assignment.

Trunk ports can’t receive a dynamic VLAN assignment, since by definition trunk ports already belong to all VLANs. (Yeah, I know, “duh”.)

A somewhat odd default of VMPS is that PortFast is automatically enabled for a port when it receives its VLAN membership dynamically. It can then be disabled if you like. A quick reminder: PortFast allows a port to go straight from blocking mode to forwarding mode. Using this can be a big help with host DHCP issues.

A Word Or Two On Voice VLANs

Cisco IP Phones have three ports. One will be connected to a switch, another to a PC, and the third is an internal connection to an Application-Specific Integrated Circuit (ASIC). As far as the PC is concerned, it is attached directly to that switch. With Cisco IP phones, there is no special config needed on the PC. As far as the direct connection to the IP phone is concerned, the PC is unaware and it doesn’t care!

The link between the switch and the IP phone can be configured as either an 802.1q trunk or an access link. Using an access link results in voice and data traffic being carried in the same VLAN, which can lead to time-related delivery issues with the voice traffic. Using a trunk gives us the advantage of creating a voice VLAN (VVID), a VLAN dedicated to carrying voice traffic. The VVID allows the highest Quality of Service available, giving the delay-sensitive voice traffic priority over normal, non-voice data streams.

The key to keeping end users happy with voice-based traffic is to deliver it without jitter. Jitter is defined by Wikipedia as “the deviation from true periodicity of a presumed signal in electronics and telecommunications, often in relation to a reference clock source.” Chris Bryant defines jitter as “that really annoying continual interruption in a voice stream that makes you want to tear your own eardrums out.” Whichever definition you use, it’s really annoying. The human ear will only accept 140 – 150 milliseconds of delay before it notices a problem with voice delivery.

Should the voice traffic start to be delayed, your end users begin to get annoyed, and your support center phones start to ring!

We have four options for the switch-to-phone link:
Use an access link
Use a trunk and use 802.1p
Use a trunk without tagging voice traffic
Use a trunk and specify a VVID

The question “Who’s The Boss?” has stumped the great scholars and live-in housekeepers of eras past and present, but in this situation the boss is the switch, which tells the phone which of those four options will be used.

SW1(config)#int fast 0/1
SW1(config-if)#switchport voice vlan ?
  <1-4094>  Vlan for voice traffic
  dot1p     Priority tagged on PVID
  none      Don’t tell telephone about voice vlan
  untagged  Untagged on PVID

The PVID shown in the following options is the port VLAN ID, the number identifying the non-voice VLAN.

The <1 – 4094> option creates a voice VLAN and a dot1q trunk between the switch and IP phone. As with data VLANs, if the VVID has not been previously created, the switch will create it for you.

SW1(config-if)#switchport voice vlan 10
% Voice VLAN does not exist. Creating vlan 10

Verify with show interface switchport. The output of this command is huge, so I’ll show only the VLAN information here.

SW1#show int fast 0/1 switchport
Access Mode VLAN: 100 (VLAN0100)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: 10 (VLAN0010)

The interface is using VLAN 100 for normal data, and the native VLAN is unchanged from the default, verified by this partial output of show interface switchport.

Using dot1p results in the IP phone granting voice traffic high priority, and voice traffic will be sent through VLAN 0.

SW1(config-if)#switchport voice vlan dot1p
SW1#show int fast 0/1 switchport
Access Mode VLAN: 100 (VLAN0100)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: dot1p

Using untagged results in voice packets being placed into the native VLAN.

SW1(config-if)#switchport voice vlan untagged
SW1#show int fast 0/1 switchport
Access Mode VLAN: 100 (VLAN0100)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: untagged

Finally, none sets the port back to its default, where a trunk is not used and the voice and non-voice traffic use the access VLAN.

SW1(config-if)#switchport voice vlan none
SW1#show int fast 0/1 switchport
Access Mode VLAN: 100 (VLAN0100)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none

A quick Portfast note to end our VVID discussion: Portfast is automatically enabled on a port when a voice VLAN is created, verified by show config and show spanning interface portfast. Here’s that info for 0/2, which is using VLAN 100 for data and VLAN 11 for voice.

interface FastEthernet0/2
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 11
 spanning-tree portfast

SW1#show spanning int fast 0/2 portfast
VLAN0011 enabled
VLAN0100 enabled

I didn’t manually enable portfast, but there it is!

You’re unlikely to find all ports in a given VLAN to be on the same switch. With that in mind, let’s head to the next section!

Chapter 3: TRUNKING

It’s nice and neat to have all hosts in a VLAN connected to a single switch. It’s also unlikely. In the next example, we have hosts in VLANs 1 and 12 connected to separate switches. The switches are connected via two crossover cables. Trunks do not require you to use the identically numbered port on each switch (port 0/11 on each switch, for example), but in labs it’s a great organizational tool.

For frames to flow flawlessly and freely between two switches, a trunk must be established. Sometimes all it takes to create a trunk is physically connecting the switches. On occasion, it takes a little fine-tuning to get the job done. It’s a safe bet that your CCNP SWITCH exam will test you on both scenarios!

A trunk is a member of all VLANs by default, allowing traffic for any and all VLANs to cross the trunk (good idea). That includes broadcast traffic (not-so-good idea).

Theoretically, you need a crossover cable for a switch-to-switch connection, and that’s what I’m using here. Some Cisco switch models allow you to use a straight-through cable for trunking. In any case, verify with show interface trunk.

SW2#show int trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/11      auto         n-802.1q       trunking      12
Fa0/12      auto         n-802.1q       trunking      12

Port        Vlans allowed on trunk
Fa0/11      1-4094
Fa0/12      1-4094

Port        Vlans allowed and active in management domain
Fa0/11      1,12
Fa0/12      1,12

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/11      none
Fa0/12      1,12

From left to right, that command shows us…
The ports attempting to trunk (if none are shown, none are trunking)
The trunking mode each port is using
The encapsulation type
The status of the trunk (either “trunking” or “not trunking”)
The “native vlan”

Know where you will not find your trunk ports? Our pal show vlan brief will not show ports that are trunking, since trunk ports are members of all VLANs. If you’re looking for a specific port’s VLAN membership and you don’t see it here, check to see if the port is trunking.

SW2#show vlan brief
VLAN Name               Status    Ports
---- ------------------ --------- --------------------------------
1    default            active    Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9, Fa0/10, Fa0/13, Fa0/14, Fa0/15, Fa0/16, Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22, Fa0/23, Fa0/24, Gi0/1, Gi0/2
1002 fddi-default       act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default    act/unsup
1005 trnet-default      act/unsup

Our trunk is up and running, so let’s make sure we can ping between hosts in the same VLAN. We’ll start by pinging H2 from H1 and then H4 from H3.

HOST1#ping 10.1.1.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms

HOST3#ping 10.1.1.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms

Aaaaaand it’s good! Trunking is a beautiful thing, but as with everything good in networking, there’s a little overhead involved. Everything we do on a Cisco switch has a cost in terms of time and effort, and that includes encapsulation and de-encapsulation. The overhead here involves frame tagging, where the frame has a VLAN ID attached by the sending switch. In turn, that VLAN ID is read by the receiving switch, and that switch knows that the VLAN ID indicates the destination VLAN. That doesn’t sound like a big deal, but the cumulative effect of adding that overhead to every frame adds up to a lot of extra effort on the part of both the sender and the receiver. The amount of overhead involved depends on whether ISL or IEEE 802.1q (“dot1q”) is used as the trunking protocol, and we need to be very clear on the features and drawbacks of each for our CCNP SWITCH exam.

Both of these trunking protocols are point-to-point protocols, with a switch at each endpoint. The similarities end pretty quickly. Both ISL and dot1q bring a 4-byte addition to a frame, but they’re in different locations: ISL’s 4-byte trailer is just that – a trailer. Dot1q’s 4-byte addition is in the form of a tag inserted into the frame. So much for the similarities! Now, for the differences…

ISL is Cisco-proprietary. While most Cisco switches no longer support ISL, only Cisco switches understand ISL. You can’t use ISL in a multi-vendor switching environment. ISL will encapsulate every frame going across the trunk, placing both a header and trailer onto the frame (“double tagging”). ISL adds a total overhead of 30 bytes. 26 bytes of that is in the header, which includes the VLAN ID. The 4-byte trailer contains a Cyclic Redundancy Check (CRC) value. The CRC is a frame validity scheme that checks the frame’s integrity. Double tagging means double the workload on the switches! There’s even more to dislike regarding ISL. ISL doesn’t understand the concept of the native VLAN (the default VLAN). We’ll see why that’s so important in just a moment.

Dot1q is the industry-standard trunking protocol, making it suitable for use in a multi-vendor switching environment. Using IEEE 802.1Q (“dot1q”) results in much less overhead on our frames. Dot1q places only a 4-byte header on each frame, which in turn saves a great deal of overall overhead. Dot1q adds only one tag, so it’s often referred to as “single tagging”. Dot1q embeds the tagging information into the frame itself. For this reason, you’ll sometimes hear dot1q referred to as “internal tagging”.

A few more dot1q tidbits for you: An access port belongs to one and only one VLAN. No need to tag frames traversing access ports, so there’s no need for any VLAN ID info. When dot1q is our trunking protocol, frames destined for the native VLAN are not tagged; if the frame is destined for the native VLAN, even that header isn’t put on the frame! When the receiving switch sees a frame with no VLAN ID, that switch assumes the native VLAN is the destination VLAN. This is an excellent reason to make sure your switches agree on the native VLAN. Skipping the tag saves a little bit of overhead per frame, and those little overhead savings add up!

Verifying And Changing The Native VLAN

Now, about that native VLAN… If there is a particular VLAN responsible for a majority of traffic, as it likely is, we might want to change the native VLAN. (VLANs 1002 – 1005 not shown in following lab.)

SW1#show vlan brief
VLAN Name               Status    Ports
---- ------------------ --------- --------------------------------
1    default            active    Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9, Fa0/10, Fa0/13, Fa0/14, Fa0/15, Fa0/16, Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22, Fa0/23, Fa0/24, Gi0/1, Gi0/2
12   ACCOUNTING         active    Fa0/1, Fa0/2

SW2#show vlan brief
VLAN Name               Status    Ports
---- ------------------ --------- --------------------------------
1    default            active    Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9, Fa0/10, Fa0/13, Fa0/14, Fa0/15, Fa0/16, Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22, Fa0/23, Fa0/24, Gi0/1, Gi0/2
12   ACCOUNTING         active    Fa0/1, Fa0/2

Assume an analysis of traffic going over the trunk has revealed that most frames are destined for VLAN 12. It would make sense to make that our native VLAN. We’ll use switchport trunk native vlan on both switches to make that happen. I’ll use IOS Help to illustrate the options (or lack of) with this command, followed by the error message you can expect to see after you change the native VLAN on one switch and before you change it on the other switch. I’ll use the always-handy interface range config option to change the native VLAN on both trunking ports on SW1 at one time.

SW1(config)#int range fast 0/11 - 12
SW1(config-if-range)#switchport trunk ?
  allowed  Set allowed VLAN characteristics when interface is in trunking mode
  native   Set trunking native characteristics when interface is in trunking mode
  pruning  Set pruning VLAN characteristics when interface is in trunking mode
SW1(config-if-range)#switchport trunk native ?
  vlan  Set native VLAN when interface is in trunking mode
SW1(config-if-range)#switchport trunk native VLAN ?
  <1-1005>  VLAN ID of the native VLAN when this port is in trunking mode
SW1(config-if-range)#switchport trunk native VLAN 12 ?
  <cr>
SW1(config-if-range)#switchport trunk native VLAN 12

After completing that config, I received this stack of messages on SW1:

08:14:55: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on FastEthernet0/12 VLAN12.
08:14:55: %SPANTREE-2-BLOCK_PVID_PEER: Blocking FastEthernet0/12 on VLAN0001. Inconsistent peer vlan.
08:14:55: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet0/12 on VLAN0012. Inconsistent local vlan.
08:14:55: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on FastEthernet0/11 VLAN12.
08:14:55: %SPANTREE-2-BLOCK_PVID_PEER: Blocking FastEthernet0/11 on VLAN0001. Inconsistent peer vlan.
08:14:55: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet0/11 on VLAN0012. Inconsistent local vlan.

It can panic even the calmest network admin when six error messages come up at once, along with all the talk of blocking ports! No worries, just finish your config and all will be well. I’ll finish the config here and then hop back to SW1.

SW2(config)#int range fast 0/11 - 12
SW2(config-if-range)#switchport trunk native vlan 12

SW1#
08:15:26: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet0/12 on VLAN0012. Port consistency restored.
08:15:26: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet0/12 on VLAN0001. Port consistency restored.
08:15:26: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet0/11 on VLAN0012. Port consistency restored.
08:15:26: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet0/11 on VLAN0001. Port consistency restored.
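To make the tagging discussion concrete, here is an added Python example (not from the book) that builds and decodes 802.1Q-tagged Ethernet frames at the byte level, applies the receiving switch’s native VLAN to untagged frames, and compares the per-frame overhead of dot1q and ISL using the 4-byte and 30-byte figures given above. The sample frame is constructed; its source MAC is the router address shown earlier in this chapter.

```python
import struct
from typing import Optional, Tuple

TPID_8021Q = 0x8100      # EtherType value that announces a dot1q tag
ISL_OVERHEAD = 30        # bytes per frame: 26-byte header + 4-byte CRC trailer
DOT1Q_TAG_BYTES = 4      # one tag inserted after the source MAC


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an Ethernet frame; with vid set, insert a 4-byte 802.1Q tag
    (TPID 0x8100, then TCI = PCP:3 | DEI:1 | VID:12) before the EtherType."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    head = dst + src
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VID must be in 1..4094")
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
        head += struct.pack("!HH", TPID_8021Q, tci)
    return head + struct.pack("!H", ethertype) + payload


def decode_tag(frame: bytes) -> Tuple[Optional[int], int, int]:
    """Return (vid, pcp, ethertype); vid is None when the frame carries no tag."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, 0, ethertype
    tci, inner_type = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, tci >> 13, inner_type


def vlan_on_trunk(frame: bytes, native_vlan: int) -> int:
    """VLAN the receiving switch assigns to a frame arriving on a dot1q trunk:
    the tagged VID if present, otherwise the receiver's own native VLAN."""
    vid, _, _ = decode_tag(frame)
    return native_vlan if vid is None else vid


def native_mismatch(frame: bytes, native_a: int, native_b: int) -> bool:
    """True when switches whose native VLANs differ would disagree about this
    frame's VLAN; only untagged frames are exposed to that disagreement."""
    return vlan_on_trunk(frame, native_a) != vlan_on_trunk(frame, native_b)


def trunk_overhead(vid: int, native_vlan: int, protocol: str) -> int:
    """Bytes added to a frame for VLAN vid crossing a trunk of the given type."""
    if protocol == "isl":
        return ISL_OVERHEAD                 # every frame is encapsulated
    if protocol == "dot1q":
        return 0 if vid == native_vlan else DOT1Q_TAG_BYTES
    raise ValueError(f"unknown trunking protocol {protocol!r}")


if __name__ == "__main__":
    # Constructed sample: a broadcast from MAC 001f.ca96.2754 (the router MAC shown earlier).
    bcast = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("001fca962754")
    body = bytes(46)
    untagged = build_frame(bcast, src, 0x0806, body)
    tagged = build_frame(bcast, src, 0x0806, body, vid=12, pcp=5)
    print("tag:", decode_tag(tagged), "extra bytes:", len(tagged) - len(untagged))
    print("SW1 native 1 vs SW2 native 12 disagree on untagged frame:",
          native_mismatch(untagged, 1, 12))
```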

SW1#show int trunk
Port Mode Encapsulation Status Native vlan
Fa0/11 desirable 802.1q trunking 12
Fa0/12 desirable 802.1q trunking 12

SW2#show int trunk
Port Mode Encapsulation Status Native vlan
Fa0/11 auto n-802.1q trunking 12
Fa0/12 auto n-802.1q trunking 12

All looks well.

Should Trunking Negotiate?

For this section, I've erased the previous switch configs and reloaded both switches, so they're now both running at their defaults. We'll again concentrate on the top of the output of show interface trunk, shown here on both switches.

SW1#show int trunk
Port Mode Encapsulation Status Native vlan
Fa0/11 desirable 802.1q trunking 1
Fa0/12 desirable 802.1q trunking 1

SW2#show int trunk
Port Mode Encapsulation Status Native vlan
Fa0/11 auto n-802.1q trunking 1
Fa0/12 auto n-802.1q trunking 1

Note the default trunk modes are different. "Desirable" used to be the default for all Cisco switches, but that's no longer the case. Here's a review of the trunking modes:

Trunk mode is unconditional trunking.

Dynamic desirable (shown as "desirable") means that the port is actively attempting to form a trunk with the port at the remote end of the point-to-point connection. If the remote port is running trunk, desirable, or auto mode, a trunk will form.

Dynamic auto (shown as "auto") is the wallflower of trunking modes. A port in auto mode will not initiate a trunk, but if the remote port initiates trunking, the auto port will accept that. In other words, the remote port has to ask a port in auto mode to trunk.

Did you notice the n- in front of the encapsulation type on SW2? That means the encapsulation type was negotiated rather than manually configured. Oddly enough, SW1 doesn't show the encap type as negotiated. Here's why…

If your switch is capable of running both ISL and dot1q, as SW2 is, you can configure the encap type with switchport trunk encapsulation. I'm not going to change the setting here – I just want to show you the options on this particular switch, which can run either ISL or dot1q. If the encap type is configured and you want the port to negotiate instead, use this command with the negotiate option, but verify with show interface trunk.

SW2(config)#int fast 0/11
SW2(config-if)#switchport trunk encapsulation ?
dot1q Interface uses only 802.1q trunking encapsulation when trunking
isl Interface uses only ISL trunking encapsulation when trunking
negotiate Device will negotiate trunking encapsulation with peer on interface

That's all fine, but what does that have to do with the "n-" not being on SW1? Some Cisco switches only support dot1q, including 2950 switches. In that case, the IOS will not recognize this command, as shown on this Cisco 2950. The encapsulation option won't even be available!

SW1(config-if)#switchport trunk encapsulation
^
% Invalid input detected at '^' marker.

SW1(config-if)#switchport trunk ?
allowed Set allowed VLAN characteristics when interface is in trunking mode
native Set trunking native characteristics when interface is in trunking mode
pruning Set pruning VLAN characteristics when interface is in trunking mode

To DTP Or Not To DTP

The Dynamic Trunking Protocol (DTP) handles the actual trunk negotiation workload. When this Cisco-proprietary point-to-point protocol is in action, it attempts to negotiate a trunk with the remote port. A port running DTP will send DTP frames out every 30 seconds. As with everything in networking, DTP comes with a cost.

Leaving DTP running on ports that aren't actually trunking is a BIG security risk. Leaving DTP on such ports makes it easier for an intruder to introduce a rogue switch to our network. (A rogue switch looks like a legit part of the network, but it's under the intruder's control, not ours.) It's generally recommended that all ports have DTP disabled, and trunking mode be set to unconditional trunking. Also, if there's a device on the other end of the p-t-p connection that literally can't trunk (a firewall, for example), why have the DTP overhead?

When a port is configured as an unconditional trunk port, there's no need for that same port to send DTP frames. We'll disable DTP at the interface level with switchport nonegotiate. If the ports are not in unconditional trunking mode, they must be configured as such before using switchport nonegotiate, as the switch is kind enough to tell us!

SW1(config)#interface range fast 0/11 - 12
SW1(config-if-range)#switchport nonegotiate
Command rejected: Conflict between 'nonegotiate' and 'dynamic' status.
Command rejected: Conflict between 'nonegotiate' and 'dynamic' status.

We had the same command rejected twice since that's how many ports we had in our interface range. You'll get slightly different messages from the IOS in this situation depending on the switch model and IOS version. We had no issue moving the interfaces from desirable to trunk mode, nor with disabling DTP.

SW1(config-if-range)#switchport mode trunk
SW1(config-if-range)#switchport nonegotiate

Verify DTP settings with show interface switchport. We'll do just that in our next lab, starting with SW1. I highly recommend that you use the pipe option to skip to the interface you want, because this is one verbose command when left on its own! There's some handy info in this output, and we're most interested in the "Negotiation Of Trunking" setting, which is now off.
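Because that command is so verbose, here is an added example (my own script, not the book's) that reads show interface switchport output in the layout shown in this chapter and lists every port whose Negotiation of Trunking is still On, with the fix the text recommends for each case. The sample output embedded in it is constructed; the field names are the ones the switch prints.

```python
"""Audit 'show interface switchport' output for ports still running DTP (added example)."""

# Constructed sample in the same layout as the switchport output in this chapter.
SAMPLE_SWITCHPORT = """\
Name: Fa0/11
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)

Name: Fa0/12
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)

Name: Fa0/13
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)

Name: Fa0/14
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 10 (USERS)
"""


def parse_switchport(text):
    """Split the output into {port_name: {field: value}} blocks keyed on 'Name:'."""
    ports, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = ports.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return ports


def audit_dtp(ports):
    """Return {port: (finding, fix)} for ports that still negotiate trunking."""
    findings = {}
    for name, fields in ports.items():
        admin = fields.get("Administrative Mode", "")
        oper = fields.get("Operational Mode", "")
        negotiating = fields.get("Negotiation of Trunking", "") == "On"
        if not negotiating and not admin.startswith("dynamic"):
            continue  # nonegotiate already set, or a static access port: nothing to do
        if oper == "trunk":
            # A working trunk that DTP negotiated: pin it and stop the DTP frames.
            findings[name] = ("trunk negotiated by DTP",
                              ["switchport mode trunk", "switchport nonegotiate"])
        else:
            # Not trunking but still answering DTP: the rogue-switch case from the text.
            findings[name] = ("DTP running on a non-trunking port",
                              ["switchport mode access"])
    return findings


def report(text):
    """Audit one switch's output; returns lines in 'port: finding -> fix' form."""
    return [f"{port}: {why} -> {'; '.join(fix)}"
            for port, (why, fix) in sorted(audit_dtp(parse_switchport(text)).items())]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SWITCHPORT)))
```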

SW1#show interface switchport | begin Fa0/11
Name: Fa0/11
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)

SW1#show interface switchport | begin Fa0/12
Name: Fa0/12
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)

While we're here, let's verify the trunks on SW1. Port 0/11 no longer has the "n-" in front of the encap type, since negotiation is no longer involved. The mode has changed to "on", which indicates that the port is unconditionally trunking.

SW1#show int trunk
Port Mode Encapsulation Status Native vlan
Fa0/11 on 802.1q trunking 1
Fa0/12 on 802.1q trunking 1

Let's head to SW2 and repeat the process.

SW2(config)#int range fast 0/11 - 12
SW2(config-if-range)#switchport mode trunk
Command rejected: An interface whose trunk encapsulation is "Auto" cannot be configured to "trunk" mode.
% Range command terminated because it failed on FastEthernet0/11
SW2(config-if-range)#

This particular switch IOS rejected the command once and then terminated the range command. No big deal, but I just want to point out why we only received one rejection when two ports are in the range. There's a good reason you can't go straight from auto to trunk mode. As we saw earlier, SW2 is capable of both ISL and dot1q encapsulation. We need to define which encapsulation protocol the port is going to use, and then we can go from auto to trunk.

SW2(config-if-range)#switchport trunk encapsulation ?
dot1q Interface uses only 802.1q trunking encapsulation when trunking
isl Interface uses only ISL trunking encapsulation when trunking
negotiate Device will negotiate trunking encapsulation with peer on interface

SW2(config-if-range)#switchport trunk encapsulation dot1q
SW2(config-if-range)#switchport mode trunk
SW2(config-if-range)#switchport nonegotiate

Verify the trunk mode with show interface trunk and then verify DTP has been disabled with show interface switchport. The mode for 0/11 is now "on", indicating that the port is in unconditional trunking mode.

SW2#show int trunk

Port Mode Encapsulation Status Native vlan
Fa0/11 on 802.1q trunking 1
Fa0/12 on 802.1q trunking 1

SW2#show interface switchport | begin Fa0/11
Name: Fa0/11
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off

Name: Fa0/12
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off

Setting a port to access mode turns trunking off. When I change 0/11's mode to access, the trunk is immediately lost.

SW2(config)#int fast 0/11
SW2(config-if)#switchport mode access

SW2#show int trunk
Port Mode Encapsulation Status Native vlan
Fa0/12 on 802.1q trunking 1

To see trunk settings for a particular port, even one that isn't showing up in show interface trunk, run show interface (interface type and number) trunk. That's where you'll see the trunk mode actually set to off.

SW2#show interface fast 0/11 trunk
Port Mode Encapsulation Status Native vlan
Fa0/11 off 802.1q not-trunking 1

There's an oddity in the switchport mode options: We have an option for "off", but not for "on".

SW2(config-if)#switchport mode ?
access Set trunking mode to ACCESS unconditionally
dot1q-tunnel set trunking mode to TUNNEL unconditionally
dynamic Set trunking mode to dynamically negotiate access or trunk mode
private-vlan Set private-vlan mode
trunk Set trunking mode to TRUNK unconditionally

Filtering The VLANs Allowed To Use The Trunk

For our next lab, I've erased the config on both switches and set them back to their default settings. After a reload, here's the full output of show interface trunk on SW2.

Port Mode Encapsulation Status Native vlan
Fa0/11 auto n-802.1q trunking 1
Fa0/12 auto n-802.1q trunking 1

Port Vlans allowed on trunk
Fa0/11 1-4094
Fa0/12 1-4094

Port Vlans allowed and active in management domain
Fa0/11 1,12
Fa0/12 1,12

Port Vlans in spanning tree forwarding state and not pruned
Fa0/11 none
Fa0/12 1,12

When I first saw "VLANs allowed on trunk", I immediately wondered why you would want to disable some VLANs on a trunk. Here's one great reason:

The broadcast rears its ugly head yet again! There are no hosts on SW2 in VLAN 100 or 200, but since trunk ports belong to all VLANs, broadcast traffic for all VLANs will be sent from SW1 to SW2 (and vice versa). We can eliminate unnecessary broadcasts by not allowing traffic for VLANs 100 and 200 to go from SW1 to SW2.

We filter the list of VLANs allowed to send traffic across the trunk with switchport trunk allowed. The command and the options in all their splendor:

SW1(config-if)#switchport trunk allowed vlan ?
WORD VLAN IDs of the allowed VLANs when this port is in trunking mode
add add VLANs to the current list
all all VLANs
except all VLANs except the following
none no VLANs
remove remove VLANs from the current list

The except option is excellent when you need to exclude just one or a few VLANs. I'll use it here to exclude VLANs 100 and 200 on both 0/11 and 0/12. Verify with show interface trunk.

SW1(config)#interface range fast 0/11 - 12
SW1(config-if-range)#switchport trunk allowed vlan except 100,200

SW1#show int trunk
Port Mode Encapsulation Status Native vlan
Fa0/11 auto n-802.1q trunking 1
Fa0/12 auto n-802.1q trunking 1

Port Vlans allowed on trunk
Fa0/11 1-99,101-199,201-4094
Fa0/12 1-99,101-199,201-4094

As expected, VLANs 100 and 200 are no longer allowed on the trunk. I'll use the add option to add VLAN 100 back to the allowed list.

SW1(config)#int range fast 0/11 - 12
SW1(config-if-range)#switchport trunk allowed vlan add 100

SW1#show int trunk
Port Mode Encapsulation Status Native vlan
Fa0/11 auto n-802.1q trunking 1
Fa0/12 auto n-802.1q trunking 1

Port Vlans allowed on trunk
Fa0/11 1-199,201-4094
Fa0/12 1-199,201-4094

We just got word from our bosses that VLAN 100 should be on the disallowed list, so let's put it there with the remove option.

SW1(config)#int range fast 0/11 - 12
SW1(config-if-range)#switchport trunk allowed vlan remove 100

SW1#show int trunk
Port Mode Encapsulation Status Native vlan
Fa0/11 auto n-802.1q trunking 1
Fa0/12 auto n-802.1q trunking 1

Port Vlans allowed on trunk
Fa0/11 1-99,101-199,201-4094
Fa0/12 1-99,101-199,201-4094

We can quickly reinstate all VLANs on the trunk with the all option, and we're right back to where we began!

SW1(config)#int range fast 0/11 - 12
SW1(config-if-range)#switchport trunk allowed vlan all

SW1#show int trunk
Port Mode Encapsulation Status Native vlan
Fa0/11 auto n-802.1q trunking 1
Fa0/12 auto n-802.1q trunking 1

Port Vlans allowed on trunk
Fa0/11 1-4094
Fa0/12 1-4094

If I wanted to remove all VLANs from the allowed list, changing nothing else, I'd use the none option.

SW1(config)#int range fast 0/11 - 12
SW1(config-if-range)#switchport trunk allowed vlan none

SW1#show int trunk
Port Mode Encapsulation Status Native vlan
Fa0/11 auto n-802.1q trunking 1
Fa0/12 auto n-802.1q trunking 1

Port Vlans allowed on trunk
Fa0/11 none
Fa0/12 none

You'll usually have more than one combination of these commands that will filter the VLANs on the allowed list the way you want them filtered. There's no "right" or "wrong" way to get the job done, as long as you filter only the VLANs you want filtered.

What happens to traffic destined for a given VLAN when that same VLAN has already been removed from the allowed list? Let's find out! I've placed H1 and H4 into VLAN 14, and pings go through just fine.
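Before we get to the VLAN 14 test, here is an added example (my own code, not the book's) that implements the arithmetic behind every option of switchport trunk allowed vlan and renders the result the way show interface trunk prints it, so you can predict the "Vlans allowed on trunk" line before you type the command. The replay_lab function walks through the command sequence from this lab on Fa0/11.

```python
"""IOS-style 'switchport trunk allowed vlan' arithmetic (added example)."""

VLAN_MIN, VLAN_MAX = 1, 4094


def parse_vlan_list(text):
    """Turn '1-99,101-199,201-4094', 'all' or 'none' into a set of VLAN IDs."""
    text = text.strip().lower()
    if text in ("", "none"):
        return set()
    if text == "all":
        return set(range(VLAN_MIN, VLAN_MAX + 1))
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not VLAN_MIN <= lo <= hi <= VLAN_MAX:
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_list(vlans):
    """Render a set of VLAN IDs the way show interface trunk prints them."""
    if not vlans:
        return "none"
    ids = sorted(vlans)
    ranges, start, prev = [], ids[0], ids[0]
    for vid in ids[1:]:
        if vid != prev + 1:          # gap: close the current run
            ranges.append((start, prev))
            start = vid
        prev = vid
    ranges.append((start, prev))
    return ",".join(f"{lo}-{hi}" if lo != hi else str(lo) for lo, hi in ranges)


class TrunkPort:
    """One trunk port; starts out allowing every VLAN, like a fresh IOS port."""

    def __init__(self, name):
        self.name = name
        self.allowed = parse_vlan_list("all")

    def allowed_vlan(self, option, vlan_list=""):
        """Apply 'switchport trunk allowed vlan <option> [list]' and return the verify line."""
        if option == "all":
            self.allowed = parse_vlan_list("all")
        elif option == "none":
            self.allowed = set()
        elif option == "add":
            self.allowed |= parse_vlan_list(vlan_list)
        elif option == "remove":
            self.allowed -= parse_vlan_list(vlan_list)
        elif option == "except":
            self.allowed = parse_vlan_list("all") - parse_vlan_list(vlan_list)
        else:  # the WORD form: the option itself is the new list, replacing the old one
            self.allowed = parse_vlan_list(option)
        return format_vlan_list(self.allowed)

    def carries(self, vlan_id):
        """Would a frame tagged with vlan_id cross this trunk? (The VLAN 14 ping test.)"""
        return vlan_id in self.allowed


def replay_lab():
    """Replay this lab's command sequence on Fa0/11; returns the verify output after each step."""
    port = TrunkPort("Fa0/11")
    steps = [("except", "100,200"), ("add", "100"), ("remove", "100"),
             ("all", ""), ("none", ""), ("except", "14"), ("add", "14")]
    return [port.allowed_vlan(opt, arg) for opt, arg in steps]


if __name__ == "__main__":
    for line in replay_lab():
        print("Fa0/11", line)
```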

HOST1#ping 10.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms

HOST4#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

Let's see what happens when VLAN 14 is removed from the allowed list on both of SW1's trunk ports. Before sending the pings, I'll run debug ip packet on both hosts.

SW1(config)#int range fast 0/11 - 12
SW1(config-if-range)#switchport trunk allowed vlan except 14

SW1#show int trunk
Port Mode Encapsulation Status Native vlan
Fa0/11 desirable 802.1q trunking 1
Fa0/12 desirable 802.1q trunking 1

Port Vlans allowed on trunk
Fa0/11 1-13,15-4094
Fa0/12 1-13,15-4094

HOST1#ping 10.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.4, timeout is 2 seconds:
1d01h: IP: s=10.1.1.1 (local), d=10.1.1.4 (Ethernet0), len 100, sending.
1d01h: IP: s=10.1.1.1 (local), d=10.1.1.4 (Ethernet0), len 100, sending.
1d01h: IP: s=10.1.1.1 (local), d=10.1.1.4 (Ethernet0), len 100, sending.
1d01h: IP: s=10.1.1.1 (local), d=10.1.1.4 (Ethernet0), len 100, sending.
1d01h: IP: s=10.1.1.1 (local), d=10.1.1.4 (Ethernet0), len 100, sending.
Success rate is 0 percent (0/5)
HOST1#undebug all
All possible debugging has been turned off

HOST4#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
1d01h: IP: s=10.1.1.4 (local), d=10.1.1.1 (Ethernet0), len 100, sending.
1d01h: IP: s=10.1.1.4 (local), d=10.1.1.1 (Ethernet0), len 100, sending.
1d01h: IP: s=10.1.1.4 (local), d=10.1.1.1 (Ethernet0), len 100, sending.
1d01h: IP: s=10.1.1.4 (local), d=10.1.1.1 (Ethernet0), len 100, sending.
1d01h: IP: s=10.1.1.4 (local), d=10.1.1.1 (Ethernet0), len 100, sending.
Success rate is 0 percent (0/5)
HOST4#undebug all
All possible debugging has been turned off

The pings are leaving the hosts, but they're failing. We know why, since we caused the problem as part of the lab. This is an excellent reminder that when pings fail, it may not be the fault of the sender or intended recipient. It may very well be a device in the middle. A switch, perhaps! Adding VLAN 14 back to the allowed list resolves the issue.

SW1(config)#int range fast 0/11 - 12
SW1(config-if-range)#switchport trunk allowed vlan add 14

SW1#show int trunk

Port Mode Encapsulation Status Native vlan
Fa0/11 desirable 802.1q trunking 1
Fa0/12 desirable 802.1q trunking 1

Port Vlans allowed on trunk
Fa0/11 1-4094
Fa0/12 1-4094

HOST1#ping 10.1.1.4
!!!!!

HOST4#ping 10.1.1.1
!!!!!

With VLANs and trunking down, we need to spread the word throughout the network about the VLANs we create. That's what the VLAN Trunking Protocol is all about, and that's the subject of the next chapter!

Chapter 4: THE VLAN TRUNKING PROTOCOL (VTP)

VTP allows each switch to have a synchronized view of the network's active VLANs without necessarily having ports in every VLAN. VTP deals exclusively with trunking, and we'll do the same! We'll start this section with our two-switch network and won't even worry about the connected hosts. Both switches are at their default settings, and any config from previous chapters or labs has been removed. I'll create VLAN 100 on SW1 and then run show vlan brief for both switches. (I've removed VLANs 1002 – 1005 from the output of show vlan brief and will do so throughout this section.)

SW1#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9, Fa0/10

100 VLAN0100 active

SW2#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9, Fa0/10, Fa0/13, Fa0/14, Fa0/15, Fa0/16, Fa0/17, Fa0/18, Fa0/19, Fa0/20, Fa0/21, Fa0/22, Fa0/23, Fa0/24, Gi0/1, Gi0/2

Right now, SW2's ignorance of VLAN 100 isn't hurting anything, but as our little network grows just a bit larger, it does become a problem. The only way for the two hosts in VLAN 100 to communicate is through SW2, and since SW2 doesn't know VLAN 100 exists, that communication can't happen. SW2 doesn't know how to handle incoming frames marked with VLAN ID 100, so they're dropped. SW2 can only learn about VLAN 100 by manually creating that same VLAN on SW2 or by placing a port on SW2 into VLAN 100.

You and I, the network admins, could certainly create VLAN 100 manually on SW2. That would work well in a 3-switch network, but what about a 300-switch network? Statically creating VLANs simply isn't a scalable solution. Of course, the more manual configuration you have, the more time it takes and the larger the chances of misconfiguration.

When we place all three of these switches into the same VTP management domain (generally referred to as a "VTP domain"), they'll exchange information about the VLANs they know about and all three switches will have a like view of the VLANs on the network. Better yet, as VLANs are created and deleted, these switches will be happy to let their neighbors in the same VTP domain know about these changes via VTP advertisements. Our hosts in VLAN 100 can then communicate with no manual VLAN creation necessary on SW2.

The key phrase: "in the same VTP domain". Switches in one VTP domain will not exchange VLAN info with switches in another VTP domain. Let's step back to the two-switch network and put both switches into the VTP domain CCNP. Before doing so, let's run show vtp status on both.

SW1#show vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 64
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled

SW2#show vtp status
VTP Version capable : 1 to 3
VTP version running : 1
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 0017.9466.f780
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
Configuration Revision : 0

The VTP Domain Name field is blank, which simply means that the switches haven't joined a VTP domain…yet! After placing SW1 into that VTP domain, that event triggers a VTP advertisement to SW2. That VTP ad contains info about the VTP domain, and SW2 will then join that domain as a VTP Server.

SW1(config)#vtp domain CCNP
Changing VTP domain name from NULL to CCNP

SW1#show vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 64
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name : CCNP
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled

SW2#show vtp status
VTP Version capable : 1 to 3
VTP version running : 1
VTP Domain Name : CCNP
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 0017.9466.f780
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
Configuration Revision : 0

Should you put SW1 into the domain CCNP and SW2 into the domain ccnp …

SW2(config)#vtp domain ccnp
Changing VTP domain name from CCNP to ccnp

*Mar 1 00:29:00.896: %SW_VLAN-6-VTP_DOMAIN_NAME_CHG: VTP domain name changed to ccnp.
*Mar 1 00:29:02.020: %DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Fa0/11 because of VTP domain mismatch.
*Mar 1 00:29:02.078: %DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Fa0/12 because of VTP domain mismatch.

… you end up with a mess. Moral of the story: VTP domain names are case-sensitive!

After switching (no pun intended – happy accident!) SW2 back to the VTP domain CCNP, we get the lay of the land via show vtp status. The output will be slightly different on each switch, but the most important VTP values are in each. We'll follow this output by discussing the VTP Operating Mode info for each switch.

SW1#show vtp status
VTP Version : 2
Configuration Revision : 2
Maximum VLANs supported locally : 64
Number of existing VLANs : 7
VTP Operating Mode : Server
VTP Domain Name : CCNP
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x87 0xA7 0x10 0x69 0x58 0xA8 0x12 0x72 0x5D 0x74 0x8A 0xED 0x1F 0xE1 0x67 0xE2
Configuration last modified by 0.0.0.0 at 3-1-93 00:30:42
Local updater ID is 0.0.0.0 (no valid interface found)

SW2#show vtp status
VTP Version capable : 1 to 3
VTP version running : 1
VTP Domain Name : CCNP
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 0017.9466.f780
Configuration last modified by 0.0.0.0 at 3-1-93 00:30:42
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
--------------
VTP Operating Mode : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs : 7
Configuration Revision : 2
MD5 digest : 0x87 0xA7 0x10 0x69 0x58 0xA8 0x12 0x72 0x5D 0x74 0x8A 0xED 0x1F 0xE1 0x67 0xE2

The VTP Modes

The default VTP operating mode is server, with the options illustrated by vtp mode. IOS Help pretty much tells us what we already know, and I have a feeling we need to know a little more about each mode! There are times that IOS Help gives us wonderful descriptions for our options. This is not one of those times.

SW2(config)#vtp mode ?
client Set the device to client mode.
off Set the device to off mode.
server Set the device to server mode.
transparent Set the device to transparent mode.

In VTP server mode, a switch can create, delete, and modify VLANs. By "modify", we mean "change the name of the VLAN". We do NOT mean "add ports to a VLAN", which can be done in server, client, and transparent modes. We must have at least one switch in any given VTP domain running in server mode, or we couldn't create new VLANs or delete previously existing ones. Makes sense, or we're going to have a bunch of clients just looking at each other (and transparent switches just ignoring each other). We must have at least one VTP server in our domain. 'Nuff said!

Switches running in VTP client mode cannot create, modify, or delete VLANs. Clients listen for VTP advertisements and update their databases appropriately when those ads arrive. Let's see what happens after I make SW2 a VTP client and then try to create a VLAN on that same switch – or more accurately, what doesn't happen.

SW2(config)#vtp mode client
Setting device to VTP Client mode for VLANS.
SW2(config)#vlan 100
VTP VLAN configuration not allowed when device is in CLIENT mode.

Switches in VTP transparent mode aren't fully participating in the VTP domain. VTP transparent switches do not synch their VTP databases with other VTP speakers in the same domain. They don't even advertise their own VLAN information! VLANs created on a transparent VTP switch will not be advertised to other VTP speakers in the same domain, making them locally significant only.

The fourth mode, "off", disables VTP on the switch, and the switch will not forward VTP advertisements. (This mode was one of the improvements that came along with VTP v3, which is what we'll do in this lab.)

Another major difference between the modes is how they handle VTP advertisements. As you'd expect, servers originate VTP advertisements, and accept advertisements from other VTP servers and clients in the same domain. VTP Clients do not originate VTP ads, but will pass them across their trunks.

VTP Transparent switches take a slightly more complicated approach. When a transparent switch receives VTP advertisements, it will ignore the ads but forward them out its other trunks. (Hang in there with me on this one.) If the Transparent switch is running VTP v2, that switch will forward VTP advertisements via its trunk ports even if the domain name of the downstream switches doesn't match. If a Transparent switch is running VTP v1, the switch will only forward incoming VTP ads if the VTP version number and domain name is the same as those switches that would receive the forwarded advertisement.

The VTP Advertisement Process & Config Revision Number

VTP advertisements are multicasts that are sent out only over trunk links, since the only devices that need the advertisements are other switches! VTP advertisements carry a configuration revision number (CRN) that enables VTP-enabled switches to ensure they have the latest VTP information, and that they're not overwriting their current VLAN database to make room for old information!

One VTP ad type is the subset advertisement, sent anytime there's a change in the VLAN landscape. That change doesn't have to be a VLAN addition or deletion. It could be something as simple as renaming a VLAN. On some switches, you'll see the CRN near the top of the show vtp status output…

… and on others, you'll see it near the bottom of that same command's output.

SW1#show vtp status
VTP Version : 2
Configuration Revision : 2
Maximum VLANs supported locally : 64
Number of existing VLANs : 7
VTP Operating Mode : Server
VTP Domain Name : CCNP
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled

SW2#show vtp status
VTP Version capable : 1 to 3
VTP version running : 1
VTP Domain Name : CCNP
VTP Pruning Mode : Disabled
VTP Traps Generation : Disabled
Device ID : 0017.9466.f780
Configuration last modified by 0.0.0.0 at 3-1-93 00:30:42

Feature VLAN:
VTP Operating Mode : Client
Maximum VLANs supported locally : 1005
Number of existing VLANs : 7
Configuration Revision : 2

Both switches have a CRN of 2. I'll add a VLAN to SW1 and then recheck the CRN on each switch, also checking to be sure the VLAN is visible in SW2's show vlan brief output.

SW1(config)#vlan 300

SW1#show vtp status
Configuration Revision : 3

SW2#show vtp status
Configuration Revision : 3

SW2#show vlan brief
VLAN Name Status
---- -------------------------------- ---------
1 default active
100 VLAN0100 active
200 VLAN0200 active
300 VLAN0300 active

VLAN 300 is in SW2's database, and the CRN incremented on both switches. What happened on each switch to make the CRN increment? Let's take a behind-the-scenes look…

The creation of VLAN 300 on SW1 triggers a subset advertisement from SW1, and the CRN increments before that ad is sent across the trunk to SW2. SW2 receives the subset ad with a CRN of 3. SW2 compares the incoming CRN to its own CRN (2). When an incoming subset ad's CRN is larger than the one on the receiving switch,

the contents of the ad are accepted and used to overwrite the receiving switch's existing VTP database. Once that's done, SW2 will increment its own CRN.

We love the CRN! The switches make sure they're accepting only the latest VLAN revision information, and you and I don't have to do a thing. (That doesn't make us lazy, that makes us smart.)

You have to be sure to set the CRN to zero in one particular scenario, or you'll have a real mess on your hands. We have a simple three-switch network with two Clients and one Server. The domain is CCNP, and the non-default VLANs in use are VLANs 10, 20, 30, 40, and 50. A switch that was at another physical location is brought to this client site and installed in the CCNP domain, and this switch only knows about VLAN 1. The problem: the CRN on that switch is 500, while SW2 is busy sending an advertisement with CRN 300.

SW4 doesn't even have to be in Server mode to ruin things. While a Client generally spends its time listening for and forwarding VTP ads, it does send a full Summary ad when it first comes online. That's enough to cause a lot of trouble here. (The VTP Clients will forward the VTP ad to SW2.)

The other switches will receive a VTP advertisement with a higher CRN than the one currently in their VTP database, so they synch their databases in accordance with this new advertisement. Since that new advertisement only includes VLAN 1, connectivity for the other five VLANs is lost. The official name of this issue is "VTP synch issue", but you'll call it something much more profane if it happens to your network.

This is most likely to happen when a switch goes down and is replaced in a hurry with a switch from another client site, or even from a CCNP / CCIE practice lab! No matter the source of the switch, the CRN MUST be set to zero before it's inserted into the new network. Just bouncing the switch isn't enough, since the CRN is kept in NVRAM. Cisco theory says that there are two ways to ensure the CRN is set to zero:

Change the VTP domain name to a nonexistent domain, then change it back to the original name.

Change the VTP mode from server to transparent, then back to server.

Whichever you choose, just be sure to verify the zero before you proceed.
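To make the CRN rule and the synch scenario above concrete, here is an added example (my own model, not the book's or Cisco's code) of how a switch decides whether to accept a summary advertisement, replaying the three-switch CCNP domain with and without zeroing SW4's CRN first. The switch names, the CRN values 300 and 500 and the VLAN list come from the scenario above; the transparent-mode forwarding details are left out.

```python
"""Model of VTP revision-number handling and the 'VTP synch' problem (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SummaryAd:
    """The fields of a VTP summary advertisement that matter for synchronisation."""
    domain: str
    revision: int
    vlans: frozenset


class VtpSwitch:
    def __init__(self, name, domain, mode, revision=0, vlans=(1,)):
        self.name, self.domain, self.mode = name, domain, mode
        self.revision = revision          # the CRN; survives a reload (kept in NVRAM)
        self.vlans = set(vlans)

    def summary_ad(self):
        """Servers send this every 5 minutes; any switch sends one when it comes online."""
        return SummaryAd(self.domain, self.revision, frozenset(self.vlans))

    def create_vlan(self, vlan_id):
        if self.mode == "client":
            raise PermissionError("VTP VLAN configuration not allowed when device is in CLIENT mode.")
        self.vlans.add(vlan_id)
        if self.mode == "server":
            self.revision += 1            # transparent: local change only, CRN untouched

    def receive(self, ad):
        """Apply the CRN rule; returns True when the ad overwrote the local database."""
        if self.mode in ("transparent", "off") or ad.domain != self.domain:
            return False                  # wrong domain, or not participating
        if ad.revision > self.revision:
            self.vlans = set(ad.vlans)    # higher CRN wins, whatever it contains
            self.revision = ad.revision
            return True
        return False

    def set_domain(self, name):
        """Changing the domain name is one of the two ways to zero the CRN."""
        if name != self.domain:
            self.domain, self.revision = name, 0

    def set_mode(self, mode):
        """Going through transparent mode is the other way to zero the CRN."""
        if mode == "transparent":
            self.revision = 0
        self.mode = mode


def flood(sender, others):
    """Deliver the sender's summary ad to every other switch in the domain."""
    ad = sender.summary_ad()
    return [sw.receive(ad) for sw in others]


def install_replacement(zero_crn_first):
    """Replay the chapter's scenario; returns {name: (CRN, sorted VLANs)} after SW4 joins."""
    lab_vlans = {1, 10, 20, 30, 40, 50}
    sw2 = VtpSwitch("SW2", "CCNP", "server", revision=300, vlans=lab_vlans)
    sw1 = VtpSwitch("SW1", "CCNP", "client", revision=300, vlans=lab_vlans)
    sw3 = VtpSwitch("SW3", "CCNP", "client", revision=300, vlans=lab_vlans)
    sw4 = VtpSwitch("SW4", "CCNP", "client", revision=500, vlans={1})  # from another site
    if zero_crn_first:
        sw4.set_domain("TEMP")            # nonexistent domain ...
        sw4.set_domain("CCNP")            # ... and back: CRN is now 0
    flood(sw4, [sw1, sw2, sw3])           # SW4's power-on summary ad, forwarded by the clients
    flood(sw2, [sw1, sw3, sw4])           # the server's next periodic ad
    return {sw.name: (sw.revision, sorted(sw.vlans)) for sw in (sw1, sw2, sw3, sw4)}


if __name__ == "__main__":
    print("no reset:  ", install_replacement(False))
    print("CRN zeroed:", install_replacement(True))
```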

The Three VTP Advertisement Types (And Two Directions!)

Summary Advertisements are sent by VTP Servers every 5 minutes OR upon a change in the VLAN database. Included in this ad type are the VTP domain name and version, CRN, MD5 hash code, a timestamp, and the number of Subset Advertisements that will follow this Summary ad.

Subset Advertisements are sent by VTP Servers when there's a VLAN configuration change. Summary and Subset ads are sent when there's a VLAN change. Subset ads give more specific info about the VLAN that's been changed, including whether the VLAN was actually created, deleted, or suspended, the VLAN type (Ethernet, Token Ring, FDDI, etc.), and the new VLAN name and/or MTU (if those values were changed).

Client Advertisement Requests are requests from VTP Clients for VLAN information, which may seem unnecessary. If those Summary Ads are coming every 5 minutes, why does the client ever have to request info? These requests come in handy should the client's VLAN database become corrupt or if it's deleted. Rather than wait for the Server's ads to be triggered, the Client can explicitly request VLAN info, and the Server will answer with a series of Summary and Subset ads that will allow the Client to rebuild its VLAN database. (Whew!)

VTP Versions

The available VTP versions are 1, 2, and 3, and a Cisco switch will run Version 1 by default. Use vtp version to change versions.

SW2#show vtp status
VTP Version capable : 1 to 3
VTP version running : 1
VTP Domain Name : CCNP
VTP Pruning Mode : Disabled
V
TP Traps Generation : Disabled

SW2(config)#vtp version ?
<1-3> Set the administrative domain VTP version number

As you'd expect, there were some improvements when VTP v2 came along:

VTP v2 supports Token Ring VLANs and Token Ring switching, where v1 does not.

VTP v2 performs a consistency check when changes are made to VLANs or the VTP configuration at the command-line interface (CLI). The consistency check is performed on the VLAN names and numbers, which helps to prevent incorrect names from propagation throughout the network.

A transparent VTP switch running VTP v2 will forward VTP advertisements via its trunk ports, even if the VTP domain name is different on the switches it's trunking with. With v1, the domain and version number of the trunking switches had to match that of the transparent switch.

Those were solid improvements, but serious improvements came along with the introduction of VTP v3. VTP v3 introduced the VTP mode off we saw earlier, and isn't available on previous versions. If you're on a switch that can't run VTP version 3, you will not see the off option. VTP v3 can be enabled and disabled at the port level, rather than only at the switch level.

SW1(config)#vtp mode ?
client Set the device to client mode.
server Set the device to server mode.
transparent Set the device to transparent mode.

The VTP Password (“Secure Mode”)

With previous versions of VTP, it was easy to compromise the password. I’ll configure SW2 to run VTP v2, and then set a password.

SW2(config)#vtp version 2
VTP version is already in V2.

SW2(config)#vtp password CCNP ?
  <cr>

SW2(config)#vtp password CCNP
Setting device VTP password to CCNP

SW2#show vtp password
VTP Password: CCNP

You could also spot the VTP password in the vlan.dat file. The vlan.dat file is HUGE, so I’m not showing the entire thing here.

SW2#more vlan.dat
00000000: BADB100D 00000002 02044343 4E500000  :[......CCNP..

Improvement was needed, and VTP v3 brought it. Let’s upgrade SW2 to VTP v3 and then view our options for the VTP password. I’ll do that after removing the previous password.

SW2(config)#no vtp password CCNP
Clearing device VTP password.

SW2#show vtp password
The VTP password is not configured.

SW2(config)#vtp version 3
Mar 1 00:06:32.318: %SW_VLAN-6-OLD_CONFIG_FILE_READ: Old version 2 VLAN configuration file detected and read OK. Version 3 files will be written in the future.

SW2(config)#vtp password CCNP ?
  hidden  Set the VTP password hidden option
  secret  Specify the vtp password in encrypted form
  <cr>

SW2(config)#vtp password CCNP secret ?
VTP secret has to be 32 characters in length

I just didn’t feel up to a 32-character password, so I went with hidden, which really is the best option.

SW2(config)#vtp password CCNP hidden
Setting device VTP password

SW2#show vtp password
VTP Password: 50EF55299259C91C41DDF825699A177D

Cisco’s website documentation on VTP v3 mentions that show commands can’t be used to see the password, nor is it visible in the vlan.dat file, and that is indeed the case! Suffice to say I looked for the password and it wasn’t there. (Hey, I was already there!)

VTP v3 vs. The Synch Problem

Remember the VTP synch problem we saw earlier in this chapter? VTP v3 helps us prevent that problem (proactively!) by introducing the primary server concept. When you configure a VTP Server as the primary server, that’s the only device that can actually update other switches in the VTP domain. Use vtp primary to make a VTP server the primary server, and you’ll be prompted one more time to ensure you’re sure about making this switch the primary server. You need the VTP password to do so.

SW2#vtp primary vlan
Enter VTP Password:
This system is becoming primary server for feature vlan
No conflicting VTP3 devices found.
Do you want to continue? [confirm]
SW2#
*Mar 1 00:24:17.629: %SW_VLAN-4-VTP_PRIMARY_SERVER_CHG: 0017.9466.f780 has become the primary server for the VLAN VTP feature

A Final Word About VTP Versions

According to Cisco website documentation, VTP v3 is friendly to VTP v2, but v3 will not work with v1. If a switch running v1 detects a v3 switch, the switch running v1 will attempt to upgrade to v2. Naturally, if the switch can only run v1, you’re stuck. Cisco strongly recommends that you determine whether your current switches are v2-capable before introducing v3 to your network. You’re better off if all your current switches are v3-capable.

Another major difference between versions to watch out for: VTP v1 and v2 support only VLANs 1 – 1005, where v3 supports the full range of extended VLANs (1 – 4094).

VTP Pruning

Trunk ports are members of all VLANs, which leads to an issue involving broadcasts, unknown unicasts, and multicasts. A trunk port will forward broadcasts and multicasts for all VLANs it knows about, regardless of whether the switch at the other end of the trunk actually has ports in those VLANs. This means that the sending switch is likely sending unnecessary traffic, and the recipient is receiving totally unnecessary traffic.

Here, SW1 has hosts in VLANs 2 – 19. That switch is trunking with SW2, which has hosts in VLANs 2 – 10. There’s no reason to send broadcast, unknown unicast, or multicast traffic belonging to VLANs 11 – 19 to SW2.

With VTP pruning, a switch will send a message to its trunking partners, identifying the VLANs in use by the switch sending the message. SW1 now knows which multicasts, broadcasts, and unknown unicasts should and should not be sent across the trunk to SW2.

Enabling VTP pruning is just as easy. You don’t even have to type “on”!

SW2(config)#vtp pruning ?
  <cr>

SW2(config)#vtp pruning
Pruning switched on

That simple command makes VLANs 2 – 1001 eligible for pruning. You can’t prune the default VLANs! If you want to make some of those VLANs “prune-proof”, use the switchport trunk pruning vlan command.

SW1(config)#int range fast 0/11 - 12
SW1(config-if-range)#switchport trunk pruning vlan ?
  WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
  add     add VLANs to the current list
  except  all VLANs except the following
  none    no VLANs
  remove  remove VLANs from the current list

Enough of VLANs – for now! Let’s get started with the Spanning Tree Protocol!

Chapter 5: THE FUNDAMENTALS OF STP

Whether it’s Layer 2 or Layer 3, we love redundancy. A single point of failure for anything in today’s networks just isn’t acceptable. Redundancy works just a bit differently at L2 than L3, however.

With routing, we want to use as many of those paths as is feasible. L3 routing protocols such as EIGRP and OSPF allow us to use secondary paths in addition to the primary paths, making equal- and unequal-cost load balancing possible. (More on that in your ROUTE studies!)

At Layer 2, our redundant paths need to be ready for action in case the primary path fails, but they will not be used in addition to the primary path. The basic purpose of the Spanning Tree Protocol (STP) is to identify valid loop-free paths and then choose the best of those paths for use. STP will then block ports on the valid but less desirable paths, holding those paths in standby. Should a primary path become unavailable, STP will realize this and begin to unblock the necessary ports to put the next best path into action. This becomes a lot clearer with examples and lab work, which we have plenty of in the next few sections of the course!

So that’s all fine, you say, but what about those redundant paths? Why can’t we use every single path from “A” to “B” for switching, as we like to do for routing? The problem at L2 is the possibility of switching loops. Here’s an example of such a loop where STP is not in action.

Note: Switching loops are sometimes called “bridging loops”. It’s a legacy term, and we always say “legacy” because we don’t like to say “old”. Having STP on would help prevent switching loops, even in networks that don’t have bridges, but in this example, it’s not on.

Now this is redundancy! We have three switches connecting two Ethernet segments, so if two switches go down, each host would still be able to reach every other host. With this topology, without STP, we’re about to experience a switching loop.

Let’s say all three switches have just been turned on, and Host A sends a frame to Host C. All three switches would receive the frame on their Fast0/1 interfaces. Before making a forwarding decision regarding the incoming frame, each switch will check its own MAC address table regarding an entry for the source MAC address of the frame. None of the switches have such an entry, so they’ll each make an entry in their respective MAC tables, listing Host A as reachable via Fast0/1.

On to the forwarding decision! None of the switches have an entry for the frame’s destination, so each switch will follow the default behavior for an unknown unicast address. They’ll flood the frame out all ports except the one it came in on. In our example, the frames will be flooded out Fast0/2 on each switch.

Each switch will see the frame just flooded by the other two switches. The problem is the source MAC address of each flooded frame, which is still Host A’s MAC address. When each switch receives a frame on Fast 0/2 with Host A’s MAC address as the source, each switch will then change the MAC address table setting for Host A to Fast 0/2. Just that quickly, the switches will keep going back and forth on the MAC address table entry for Host A.

If you think that’s bad (and it is!), just wait until the other hosts start sending traffic! Slowly but surely (don’t call me Shirley), more and more broadcast traffic is forwarded by the switches. As those frames are flooded in turn, more copies are created. Finally, the switch is overwhelmed by those broadcasts and we have a broadcast storm.

In short, switching loops cause three major problems:

Frames can’t reach their intended destination, either in full or in part
There’s an unnecessary strain put on the switch CPU
A lot of bandwidth is unnecessarily sucked up by all those broadcasts
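The learn-then-flood sequence just described can be replayed step by step. The following is an added example, not code from the study guide: it models the three switches on two segments (Fast0/1 on the top segment, Fast0/2 on the bottom) with STP switched off, floods one frame from Host A to an unlearned Host C, and records how many copies are in flight and which port each switch has Host A learned on. The switch, host and segment names are constructed to match the narrative.

```python
"""Added example (not from the study guide): three switches bridging two segments,
run without STP so the MAC-table flap and the frame multiplication can be watched
generation by generation.  Names and port numbers are constructed to match the text."""

SWITCHES = ("SW1", "SW2", "SW3")
SEGMENT_OF_PORT = {1: "top", 2: "bottom"}     # Fast0/1 is on the top segment, Fast0/2 on the bottom
PORT_ON_SEGMENT = {"top": 1, "bottom": 2}


def simulate_loop(generations=4):
    """Flood one unknown-unicast frame from Host A and replay the switches'
    learn-then-flood behaviour.  Returns, per generation, the number of frames
    in flight and the port on which each switch currently has Host A learned."""
    mac_table = {sw: {} for sw in SWITCHES}     # switch -> {source MAC: port it was learned on}
    # Host A sits on the top segment; nobody has learned Host C yet.
    in_flight = [("top", "hostA", "hostC", None)]   # (segment, src, dst, switch that flooded it)
    history = []
    for _ in range(generations):
        next_frames = []
        for segment, src, dst, origin in in_flight:
            # Every switch on the segment except the one that transmitted sees the frame.
            for sw in SWITCHES:
                if sw == origin:
                    continue
                port_in = PORT_ON_SEGMENT[segment]
                mac_table[sw][src] = port_in        # source learning overwrites the old entry
                if dst not in mac_table[sw]:        # unknown unicast: flood out every other port
                    port_out = 3 - port_in          # the only other port in this two-port model
                    next_frames.append((SEGMENT_OF_PORT[port_out], src, dst, sw))
        history.append((len(in_flight), {sw: mac_table[sw]["hostA"] for sw in SWITCHES}))
        in_flight = next_frames
    return history


if __name__ == "__main__":
    for gen, (frames, where_a) in enumerate(simulate_loop()):
        print(f"generation {gen}: {frames} copies in flight, Host A learned on {where_a}")
```

Each generation the copy count climbs (1, 3, 6, 12, ...) while every switch's entry for Host A flips between Fast0/1 and Fast0/2, which is exactly the MAC-table thrash and bandwidth burn the three bullet points above describe.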

Luckily for us, switching loops don’t occur often, because STP does a great job of preventing switching loops before they happen. It all begins with the exchange of Bridge Protocol Data Units (BPDUs).

The Bridge Protocol Data Unit Types and The Root Bridge Election

We have two BPDU types, both multicast to the well-known MAC address 01-80-c2-00-00-00. We’re going to concentrate on Configuration BPDUs, the BPDUs that are used in STP calculations. TCN BPDUs will be covered later in this section.

Only the root bridge will originate Configuration BPDUs. The non-roots will receive and forward a copy of that BPDU, but non-root bridges do not actually create this BPDU type. Config BPDUs will be exchanged between our switches until one switch is elected root bridge. The switch with the lowest BID will win that coveted role.

Each switch has a Bridge ID, commonly referred to as a BID. The BID is a combination of a 2-byte Priority value and the switch’s 6-byte MAC address. The Priority value comes first in the BID. If a Cisco switch has the default priority 32768 and a MAC address of 11-22-33-44-55-66, the resulting BID is 32768:11-22-33-44-55-66.

If the Priority is left at the default on all switches, the MAC address is the deciding factor in the root bridge election, and the switch with the lowest MAC address wins. In any network, you’ll have switches that are more powerful than others in terms of processing power and speed. In general, you should ensure that your primary and secondary root bridges are your more powerful switches. The root bridge is also the switch that decides what the STP timers will be, and we’ll see that in action after we have an election. We don’t want to leave those roles to chance – or the lowest MAC address! I’ll show you exactly how to be deterministic about root bridge elections after we walk through an example of a root bridge election using only the defaults.

The Default Root Bridge Election Process

Switches are a lot like people. When they first arrive, they announce to everyone around them that they are the center of the universe. Unlike some people, the switches get over it. But seriously folks, we’re about to walk through a root bridge election on a three-switch network, and we’ll take a look at the election from each switch’s point of view.

All three switches are coming online at the same time, so all three believe they are the root bridge, and all three of them get very busy announcing that fact. Each switch has the default priority 32768, and the MAC address of each switch is the switch’s number repeated 12 times. Since each switch believes it’s the root, all six ports in this example will go to the listening state, allowing it to hear BPDUs from other switches. (Much more on these STP port states later in this section.)

Here’s our network and the root bridge election from SW1’s perspective.

SW1 is receiving BPDUs from both SW2 and SW3, both containing BIDs higher than SW1’s own BID. While higher BIDs are winners in auctions, they’re losers in root bridge elections. SW1 continues to believe that it’s the root bridge and will continue to announce itself as such.

Here’s the election from SW2’s perspective:

SW2 believes it’s the root, and the BPDU from SW3 will not change its mind. However, the BPDU from SW1 will! When SW2 sees the BID inside the BPDU from SW1, SW2 will realize it is not the root bridge for this network. SW2 will stop originating Configuration BPDUs, and will instead begin to relay those sent by SW1.

The election from SW3’s point of view:

SW3 is about to develop a massive inferiority complex! Both incoming BPDUs contain BIDs superior to that of SW3. SW3 recognizes that the BPDU containing the best BID is coming from SW1. Just that quickly, SW2 and SW3 recognize SW1 as the root – for now!

Root bridge elections never really end. SW1 is currently recognized as the root for this network, but if another switch comes along that advertises a superior BID, that switch would then become the root!

SW4 has now come on board, and is advertising a BID lower than that of SW1. SW4 will advertise this BID via a Configuration BPDU, and when SW1 sees that BPDU, SW1 will realize it’s no longer the root bridge. SW4 will then take over that role, and SW1 will begin forwarding the Configuration BPDUs it receives from SW4. These Config BPDUs go out every 2 seconds, so this process takes very little time.

This example allowed you to see the details of a root bridge election, but in your production network, that election’s already taken place. It’s a good idea to know how to see the BIDs of your live switches as well as spot the winner of a root bridge election that’s already taken place. For this lab, we’ll use a two-switch network, with the switches trunking on their 0/11 and 0/12 ports.

To see the BID of both the local switch and the root switch for a particular VLAN, run show spanning-tree vlan. (Each VLAN will have its own root switch.) Let’s take a look at the root bridge info for our default VLAN.

SW1#show spanning vlan 1

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000f.90e2.2540
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000f.90e2.2540
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ------
Fa0/11           Desg FWD 19        128.11   P2p
Fa0/12           Desg FWD 19        128.12   P2p

There are four different ways to tell you’re on the root switch. The most obvious is the phrase “This bridge is the root”. The first listed here isn’t highlighted, but the other three are in bold. The other three ways:

The MAC address of the Root ID (the info for the root) and the Bridge ID (the info for the local switch) is the same.

The root port is the port a switch will use to reach the root bridge, so the root bridge doesn’t need one! As odd as it sounds, the root bridge will have no root port, since it doesn’t exist.

All ports on the root bridge will be in forwarding mode (FWD). No ports on the root bridge will be in blocking mode (BLK).

What do things look like on the non-root bridge, you ask?

SW2#show spanning vlan 1

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000f.90e2.2540
             Cost        19
             Port        13 (FastEthernet0/11)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0017.9466.f780
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  15

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ------
Fa0/11           Root FWD 19        128.13   P2p
Fa0/12           Altn BLK 19        128.14   P2p

There are four ways to tell you’re not on the root bridge:

No “This bridge is the root” message
The MAC address under the Root ID and Bridge ID fields are different
The switch has a root port (Fa0/11)
There is a port in blocking mode
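Those four signs are easy to check by eye on one switch; when you want to check them across a fleet (or watch for a root that moved), it helps to parse the output. The following is an added example, not code from the study guide: it reads show spanning-tree vlan output in the layout shown above and reports each of the four indicators. The two sample captures are constructed to match the SW1 and SW2 output on this page.

```python
"""Added example (not from the study guide): read 'show spanning-tree vlan <n>'
output and report the four root / non-root indicators the guide lists.
The sample outputs are constructed to match the guide's SW1 and SW2 captures."""
import re
from dataclasses import dataclass, field

PORT_LINE = re.compile(
    r"^(?P<port>\S+)\s+(?P<role>Desg|Root|Altn|Back)\s+"
    r"(?P<sts>FWD|BLK|LIS|LRN)\s+(?P<cost>\d+)\s+(?P<prio>\d+)\.(?P<num>\d+)"
)
ADDR_LINE = re.compile(r"Address\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")


@dataclass
class StpView:
    vlan: str = ""
    root_mac: str = ""            # MAC in the Root ID block
    bridge_mac: str = ""          # MAC in the Bridge ID block (the local switch)
    root_msg: bool = False        # "This bridge is the root" seen
    root_port: str = ""           # port with role Root, empty on the root bridge
    blocked: list = field(default_factory=list)

    @property
    def is_root(self) -> bool:
        # Root ID and Bridge ID carry the same MAC only on the root bridge.
        return self.root_mac != "" and self.root_mac == self.bridge_mac

    def indicators(self) -> dict:
        """The guide's four signs, each True when it points at 'this is the root'."""
        return {
            "root_message": self.root_msg,
            "same_mac_in_root_and_bridge_id": self.is_root,
            "no_root_port": self.root_port == "",
            "no_blocked_port": not self.blocked,
        }


def parse_show_spanning_tree(text: str) -> StpView:
    view = StpView()
    section = ""                  # "root" inside the Root ID block, "bridge" inside Bridge ID
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("VLAN"):
            view.vlan = line.split()[0]
        elif line.startswith("Root ID"):
            section = "root"
        elif line.startswith("Bridge ID"):
            section = "bridge"
        if "This bridge is the root" in line:
            view.root_msg = True
        m = ADDR_LINE.search(line)
        if m and section == "root":
            view.root_mac = m.group(1)
        elif m and section == "bridge":
            view.bridge_mac = m.group(1)
        m = PORT_LINE.match(line)
        if m and m["role"] == "Root":
            view.root_port = m["port"]
        if m and m["sts"] == "BLK":
            view.blocked.append(m["port"])
    return view


# Constructed samples in the format of the page's SW1 (root) and SW2 (non-root) output.
SW1_OUTPUT = """\
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000f.90e2.2540
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000f.90e2.2540
             Aging Time  300 sec

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ------
Fa0/11           Desg FWD 19        128.11   P2p
Fa0/12           Desg FWD 19        128.12   P2p
"""

SW2_OUTPUT = """\
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000f.90e2.2540
             Cost        19
             Port        13 (FastEthernet0/11)

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0017.9466.f780
             Aging Time  15

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ------
Fa0/11           Root FWD 19        128.13   P2p
Fa0/12           Altn BLK 19        128.14   P2p
"""

if __name__ == "__main__":
    for name, text in (("SW1", SW1_OUTPUT), ("SW2", SW2_OUTPUT)):
        v = parse_show_spanning_tree(text)
        print(name, v.vlan, "root" if v.is_root else "non-root", v.indicators())
```

The MAC comparison is the one indicator worth trusting on its own: a non-root switch with no redundant link will also show no blocked port, so "no blocked port" alone says nothing.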

STP prevents switching loops by putting some ports into blocking mode. STP allows only one path between “Point A” and “Point B” – in this case, our two switches – and disallows the others by putting the minimum number of ports necessary into blocking mode.

In our two-switch network, one path between the switches is open and the other is closed. Only one port is in blocking mode, rather than the two you might expect. STP puts the minimum number of ports into blocking mode in order to speed up the process of bringing a new path up when the currently open one becomes unavailable. The fewer ports that need to reopen, the faster that new path will be available.

Root Port Selection, Path Costs, and Root Path Costs

Wondering how SW2 chose 0/11 as its root port, instead of 0/12? Let’s zip back to our two-switch example.

Every port on our switches has an assigned path cost, and that cost is used to arrive at the port’s root path cost. The path cost is strictly a local value and is not advertised to upstream or downstream switches. The faster the port, the lower the path cost.

The root path cost is a cumulative value reflecting the overall cost for a given port to reach the root. The Configuration BPDU carries the root path cost, and that cost increments as that BPDU is forwarded throughout the network. These terms will become much clearer after the upcoming example!

It all begins with the root bridge transmitting a Configuration BPDU with the root path cost set to zero. When SW2 receives that BPDU, it will add the cost of the port the BPDU was received upon to the root path cost found in that incoming BPDU. It’s important to note that the root path cost increments as BPDUs are received, not sent. The root path cost goes from 0 to 19 (when received by SW2) to 38 (when received by SW3).

In the end, the incoming root path cost should be the same for both ports on SW2, since every port involved here is a Fast Ethernet port. Let’s run show spanning-tree vlan to see what the deciding factor was.

SW2#show spanning vlan 1

< Some config removed for clarity >

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ------
Fa0/11           Root FWD 19        128.13   P2p
Fa0/12           Altn BLK 19        128.14   P2p

The path cost is 19 for each port, but 0/11 was chosen as the root port over 0/12. Here’s the process for choosing the root port:

First, choose the port receiving the superior BPDU, the BPDU containing the lowest BID. 0/11 and 0/12 are both receiving BPDUs from SW1, so this is a tie.

Next, choose the port with the lowest root path cost. With all path costs the same, this is also a tie, as both ports will have a root path cost of 19.

Next tiebreaker: choose the port receiving the BPDU with the lowest Sender BID. Since both ports received their BPDUs directly from SW1, that’s a tie.

Finally, the lowest sender Port ID wins. There’s our tiebreaker, and fast 0/11 is your winnah!

Let’s head back to our three-switch network and identify the root ports. All ports are Fast Ethernet ports with a path cost of 19. We know that the ports on the root bridge aren’t root ports, and root ports will always be in forwarding mode (FWD), along with all ports on the root bridge. They’re designated ports, and they’ll also be in forwarding mode.

With that, we can quickly identify the root ports on SW2 and SW3. We have four ports in forwarding mode, so STP better put a port or two in blocking mode soon!

Speaking of designated ports, we need one of those for the segment connecting SW2 and SW3, just in case that ends up being a shared network segment. In this scenario, frames coming from a host onto the segment shared by SW2 and SW3 might cause a switching loop if both switches could forward frames from that host to SW1. That’s where the designated port (DP) comes in. We need one and only one designated port on that segment.

The switch with the lowest root path cost will have its port on this shared segment named as the designated port. In this admittedly unlikely-to-be-seen-in-the-real-world scenario, both switches will have the exact same root path cost. It was zero on SW1 and incremented as the BPDUs were received by SW2 and SW3, so we need a tiebreaker. The port belonging to the switch with the lowest BID will become the designated port. We saw earlier that SW2’s BID is 32768:22-22-22-22-22-22 and SW3’s is 32768:33-33-33-33-33-33, so SW2’s port on that shared segment becomes the DP.

Here’s the final result:

Of the six ports, five of them are in forwarding mode and only one is blocked, but placing that one particular port into blocking mode prevents switching loops from forming. Putting just one of the two ports on the SW2–SW3 shared segment into blocking mode makes the cutover to that path for SW3 a little quicker, should the current path from SW2 to SW1 become unavailable.

The Shortest Path Is Not Always The Shortest Path

If you were asked which of SW3’s two ports would become its root port, it would be really easy to say 0/1. It would also be really wrong. We know the STP path costs are determined by port speed.

SW3-to-SW1 root path cost: 100 (One 10 Mbps link)
SW3-to-SW2-to-SW1 root path cost: 38 (Two 100 Mbps links)

Fast 0/2 becomes the root port. The root path using that port has a cost of 38, while the more physically direct path has a root path cost of 100. Do not jump to the conclusion that the physically shortest path is the logically shortest path.

Keep STP costs in mind when eyeballing a network map on your CCNP SWITCH exam, job interview, or during your network admin duties, and it couldn’t hurt to be familiar with the following port speeds. (These port costs have changed over time, and these values are from the most recent list on Cisco’s website.) This is not a list of every possible speed, but lists the more common speeds you’ll bump into on Cisco switches.

Port speed    STP path cost
10 Gbps       2
1 Gbps        4
100 Mbps      19
16 Mbps       62
10 Mbps       100
4 Mbps        250

Whether it’s in the exam room or your server room, be sure to double-check the port speeds. Some of the network maps I’ve looked at over the years have a font size of about 0.5, and it’s really easy to miss a zero – or think one is there that isn’t! Luckily, that only happens now and Zen. And speaking of Zen…

Changing A Port’s Path Cost

We’ll verify port path cost changes with show spanning-tree vlan. We need only the information at the bottom of that command’s output in this lab, so I’ll edit the “Root ID” and “Bridge ID” fields from the output. Let’s verify!

SW2#show spanning vlan 1

Interface        Role Sts Cost
---------------- ---- --- ---------
Fa0/11           Root FWD 19
Fa0/12           Altn BLK 19

Right now, we want 0/12 to be the root port. Lowering its path cost to 9 for all VLANs should do it!

SW2(config)#int fast 0/12
SW2(config-if)#spanning-tree ?
  bpdufilter     Don’t send or receive BPDUs on this interface
  bpduguard      Don’t accept BPDUs on this interface
  cost           Change an interface’s spanning tree port path cost
  guard          Change an interface’s spanning tree guard mode
  link-type      Specify a link type for spanning tree protocol use
  mst            Multiple spanning tree
  port-priority  Change an interface’s spanning tree port priority
  portfast       Enable an interface to move directly to forwarding on link up
  stack-port     Enable stack port
  vlan           VLAN Switch Spanning Tree

SW2(config-if)#spanning-tree cost ?
  <1-200000000>  port path cost

SW2(config-if)#spanning-tree cost 9

SW2#show spanning vlan 1

Interface        Role Sts Cost
---------------- ---- --- ---------
Fa0/11           Altn BLK 19
Fa0/12           Root LIS 9

The change to 0/12’s path cost is immediate, as is the transition of 0/11 from forwarding to blocking. What isn’t immediate is the transition of 0/12 from blocking to forwarding. 0/12 is in listening mode. More on that shortly, but trust me – there’s a really good reason that change isn’t immediate.

Just a few seconds after changing the cost, I ran the same command:

SW2#show spanning vlan 1

Interface        Role Sts Cost
---------------- ---- --- ---------
Fa0/11           Altn BLK 19
Fa0/12           Root LRN 9

0/12 is now in learning mode. About 15 seconds after that output, we get this little message:

*Mar 2 05:31:08.802: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down

Doesn’t sound good! Our management interface, Vlan1, has gone down. Let’s see if it comes back up while we check in on our root port situation! About 15 seconds later…

*Mar 2 05:35:41.510: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up

SW2#show spanning vlan 1

Interface        Role Sts Cost
---------------- ---- --- ---------
Fa0/11           Altn BLK 19
Fa0/12           Root FWD 9

… the VLAN1 interface comes back up and 0/12 is in forwarding mode. That’s just what we wanted – we just had to be a little patient!

Load Balancing On A Per-VLAN Basis

Using cost is an all-or-nothing deal. What if we want to change the cost for some VLANs while leaving it alone for others? We’ll make this happen with spanning-tree vlan, using the cost option. This is per-VLAN load balancing, and while it’s not perfect load balancing, it’s better than sending all our traffic across one trunk while treating the other trunk as strictly a backup.

In the following lab, all VLANs are using the top trunk (Fa 0/11 on both switches). We’re just wasting the other path! We want VLANs 10 and 20 to continue to use the top path, but VLANs 30 and 40 should use the bottom trunk (Fa 0/12 on both switches). We’ll change the path cost for 0/12 on SW2 to 9 for VLANs 30 and 40 while leaving it alone for VLANs 10 and 20. Note the option to specify a range of VLANs.

SW2(config)#int fast 0/12
SW2(config-if)#spanning vlan ?
  WORD  vlan range, example: 1,3-5,7,9-11

SW2(config-if)#spanning vlan 30,40 ?
  cost           Change an interface’s per VLAN spanning tree path cost
  port-priority  Change an interface’s spanning tree port priority

SW2(config-if)#spanning vlan 30,40 cost ?
  <1-200000000>  Change an interface’s per VLAN spanning tree path cost

SW2(config-if)#spanning vlan 30,40 cost 9

The port begins to transition from blocking to forwarding for VLANs 30 and 40…

SW2#show spanning vlan 30

Interface        Role Sts Cost
---------------- ---- --- ---------
Fa0/11           Altn BLK 19
Fa0/12           Root LIS 9

SW2#show spanning vlan 40

Interface        Role Sts Cost
---------------- ---- --- ---------
Fa0/11           Altn BLK 19
Fa0/12           Root LIS 9

… but there’s no transition for VLANs 10 and 20.

SW2#show spanning vlan 10

Interface        Role Sts Cost
---------------- ---- --- ---------
Fa0/11           Root FWD 19
Fa0/12           Altn BLK 19

SW2#show spanning vlan 20

Interface        Role Sts Cost
---------------- ---- --- ---------
Fa0/11           Root FWD 19
Fa0/12           Altn BLK 19

Thirty seconds or so later, the transition has completed, and 0/12 is now the root port for both VLANs 30 and 40.

SW2#show spanning vlan 30

Interface        Role Sts Cost
---------------- ---- --- ---------
Fa0/11           Altn BLK 19
Fa0/12           Root FWD 9

SW2#show spanning vlan 40

Interface        Role Sts Cost
---------------- ---- --- ---------
Fa0/11           Altn BLK 19
Fa0/12           Root FWD 9

All VLAN 30 and 40 traffic will now use the trunk that was previously unused. Pretty cool!

Let’s quickly review those STP port states.

The STP port state disabled is a little odd in that you won’t see “DIS” next to a port in the output of show spanning vlan. Cisco does consider this to be an official STP state, so we will too! A disabled port is simply a port that’s been administratively shut down. A disabled port isn’t forwarding frames or even officially running STP.

Once that port is administratively enabled, the port goes into blocking state (BLK). The port still can’t do much. No frame forwarding, no frame receiving, and therefore no dynamic learning of MAC addresses. About the only thing a blocked port can do is accept BPDUs from neighboring switches.

SW2#show spanning vlan 40

Interface        Role Sts Cost
---------------- ---- --- ---------
Fa0/11           Root FWD 19
Fa0/12           Altn BLK 19

When a port starts the transition from blocking to forwarding, it enters listening mode (LIS). The obvious question: “Listening for what?” A listening port is listening for BPDUs, allowing the port to participate in the root bridge election. A listening port can send BPDUs as well. A port in listening mode still can’t forward or receive frames, and as a result the port can’t learn MAC addresses.

SW2#show spanning vlan 40

Interface        Role Sts Cost
---------------- ---- --- ---------
Fa0/11           Altn BLK 19
Fa0/12           Root LIS 9

As the transition continues, the port goes from listening to learning (LRN) mode.

SW2#show spanning vlan 40

Interface        Role Sts Cost
---------------- ---- --- ---------
Fa0/11           Altn BLK 19
Fa0/12           Root LRN 9

A learning port isn’t forwarding frames, but it is learning MAC addresses and adding them to the switch’s MAC address table. A port in learning mode continues to send and receive BPDUs.

Finally, the port goes from learning to forwarding mode.

SW2#show spanning vlan 40

Interface        Role Sts Cost
---------------- ---- --- ---------
Fa0/11           Altn BLK 19
Fa0/12           Root FWD 9

Forwarding mode allows a port to forward and receive frames, send and receive BPDUs, and continue to learn MAC addresses. This is the only state where the port is actually forwarding frames!

There’s another cute little way of performing per-VLAN load balancing on our switches, and that’s by manipulating the port priority. Let’s review that list we used for root port selection:

First, choose the port receiving the superior BPDU.
Tie? Choose the port with the lowest root path cost.
Still tied? Choose the port receiving the BPDU with the lowest Sender BID.
Still tied? Choose the port receiving a frame from the lowest sender Port ID.

That port ID is a combination of port priority and port number. During that lab, we had the following ports sending BPDUs on SW1:

SW1#show spanning vlan 1

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ------
Fa0/11           Desg FWD 19        128.11   P2p
Fa0/12           Desg FWD 19        128.12   P2p

In this lab, we’ll change the port priority of 0/12 to make it lower than that of 0/11 for some VLANs, while leaving it the same for others. We’ll have VLANs 10 and 20 continue to use the trunk over 0/12. VLANs 30 and 40 will use the trunk over 0/11. (The commands from the previous load-balancing lab have been removed.)

The edited readout of show spanning vlan for each VLAN on SW1 reflects the default port priority of 128 on ports 0/11 and 0/12.

SW1#show spanning vlan 10

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ------
Fa0/11           Desg FWD 19        128.11   P2p
Fa0/12           Desg FWD 19        128.12   P2p

SW1#show spanning vlan 20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ------
Fa0/11           Desg FWD 19        128.11   P2p
Fa0/12           Desg FWD 19        128.12   P2p

SW1#show spanning vlan 30

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ------
Fa0/11           Desg FWD 19        128.11   P2p
Fa0/12           Desg FWD 19        128.12   P2p

SW1#show spanning vlan 40

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ------
Fa0/11           Desg FWD 19        128.11   P2p
Fa0/12           Desg FWD 19        128.12   P2p

The same commands on SW2 show the same port priority for each VLAN.

SW2#show spanning vlan 10

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    24586
             Address     001c.0fbf.2f00
             Cost        19
             Port        12 (FastEthernet0/12)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     000e.84ae.3600
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ------
Fa0/11           Altn BLK 19        128.11   P2p
Fa0/12           Root FWD 19        128.12   P2p

SW2#show spanning vlan 20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ------
Fa0/11           Altn BLK 19        128.11   P2p
Fa0/12           Root FWD 19        128.12   P2p

SW2#show spanning vlan 30

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ------
Fa0/11           Altn BLK 19        128.11   P2p
Fa0/12           Root FWD 19        128.12   P2p

SW2#show spanning vlan 40

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ------
Fa0/11           Altn BLK 19        128.11   P2p
Fa0/12           Root FWD 19        128.12   P2p

For VLANs 30 and 40 to start using fast 0/11, we’ll decrease the port priority for those VLANs on fast 0/12. The new port priority must be set in increments of 16, and the switch doesn’t like it when you do not do so.

--------.115 S T U DY G U I D E C H R I S B R YA N T SW1(config)#int fast 0/12 trunk over fast 0/11. ---------. Fa0/11 Desg FWD 19 128. ---------. Cost Change an interface’s per VLAN spanning tree path cost port-priority Change an interface’s spanning tree port priority SW1(config-if)#spanning vlan 30 port-priority ? SW2#show spanning vlan 30 Interface <0-240> port priority in increments of 16 Role Sts Cost Prio.12 P2p % Port Priority in increments of 16 is required SW2#show spanning vlan 40 SW1(config-if)#spanning vlan 30 port-priority 64 SW1(config-if)#spanning vlan 40 port-priority 64 Interface Role Sts Cost Prio.Nbr Type When it comes to VLANs 30 and 40. --------.Nbr Type ---------------. ---------.11 P2p Fa0/12 Root FWD 19 128. ----- --. As a result. show spanning vlan 30 and show spanning vlan 40 verify the change. ----- --. VLANs 30 and 40 are now using the Fa0/11 Altn BLK 19 128. ----- --. is now superior to that over fast 0/12. ----- --. SW1(config-if)#spanning vlan 30 port-priority 35 Fa0/11 Root FWD 19 128. --------. the BPDU going from SW1 to SW2 over fast 0/11 ---------------. --------. verified by show spanning vlan 30 and show spanning vlan 40 on SW1(config-if)#spanning vlan 30 ? SW2.13 P2p Fa0/12 Desg FWD 19 64.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 .11 P2p Fa0/12 Altn BLK 19 128.13 P2p Fa0/12 Desg FWD 19 64. --------. Fa0/11 Desg FWD 19 128. ---------. ---------.12 P2p 108 109 .12 P2p ---------------.Nbr Type ---------------.12 P2p SW1#show spanning vlan 30 VLANs 10 and 20 continue to use the trunk over fast 0/12.Nbr Type ---------------.14 P2p SW2#show spanning vlan 10 Interface SW1#show spanning vlan 40 Interface Role Sts Cost Role Sts Cost Prio.14 P2p SW2#show spanning vlan 20 Interface Role Sts Cost Prio. ----- --. Fa0/11 Root FWD 19 128.11 P2p Fa0/12 Root FWD 19 128.Nbr Type and show spanning vlan 20 on SW2.Nbr Type Fa0/11 Altn BLK 19 128.11 P2p Fa0/12 Altn BLK 19 128. ---------------. ---------. --------. ----- --. 
verified by show spanning vlan 10 Interface Role Sts Cost Prio. Prio.

---------.12 P2p Prio.12 P2p SW2#show spanning vlan 20 Interface Role Sts Cost Prio.Nbr Type ---------------. ----- --.Nbr Type ---------------. ---------. --------. ---------. show spanning vlan 30 and show spanning vlan 40 verify the change back to fast 0/12.115 S T U DY G U I D E Now. ----- --. ----- --. verified really up to you when it comes to real-world networking. --------. by show spanning vlan on SW2. ----- --.12 P2p SW1(config-if)#no spanning vlan 30 port-priority 64 SW2#show spanning vlan 40 On SW2. SW2#show spanning vlan 30 Interface Role Sts Cost Fa0/11 Root FWD 19 128. I already know what you’re gonna ask. ---------. I’ll remove the two lab commands from fast 0/12 on SW1.11 P2p SW1(config-if)#spanning vlan 30 port-priority 160 Fa0/12 Root FWD 19 128.11 P2p Fa0/12 Root FWD 19 128. it’s great to know more than one way to get something done! 110 111 .11 P2p Fa0/12 Root FWD 19 128.Nbr Type ---------------.12 P2p On fast 0/11. --------. For CCNP SWITCH exam success.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 . ---------. --------.11 P2p Fa0/12 Altn BLK 19 128. Fa0/11 Altn BLK 19 128. ---------. Fa0/11 Altn BLK 19 128. ----- --.12 P2p SW2#show spanning vlan 40 SW2#show spanning vlan 10 Interface Role Sts Cost Prio. Could we have raised the port priority on 0/11 C H R I S B R YA N T SW2#show spanning vlan 30 rather than decreasing it on 0/12? Let’s find out! First.Nbr Type ---------------. Interface Role Sts Cost Prio.Nbr Type ---------------. Interface Role Sts Cost Prio. --------. SW1(config)#int fast 0/12 Fa0/11 Root FWD 19 128.12 P2p SW1(config-if)#spanning vlan 40 port-priority 160 Whether you choose to lower or raise a port priority to get VLAN load balancing going is Raising the port priority on fast 0/11 has the same effect as reducing it on fast 0/12.11 P2p Fa0/12 Root FWD 19 128. SW1(config)#int fast 0/11 Fa0/11 Altn BLK 19 128. VLANs 30 and 40 are using the trunk over fast 0/11… as with all Cisco exams. --------. ----- --. 
Interface Role Sts Cost Prio.Nbr Type … while VLANs 10 and 20 continue to use the trunk over fast 0/12. we’ll raise the port priority for VLANs 30 and 40 to 160 (a multiple of 160!). ---------------. Fa0/11 Altn BLK 19 128.11 P2p SW1(config-if)#no spanning vlan 40 port-priority 64 Fa0/12 Altn BLK 19 128.
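The root-port decision SW2 makes above, modelled in Python. This is an added example for this section, not code from the study guide: the bridge IDs, port numbers and priorities are the ones in the show spanning vlan output, while the cabling (SW1 fast 0/11 to SW2 fast 0/12, SW1 fast 0/12 to SW2 fast 0/11) is inferred from that output and treated as an assumption. The last function goes beyond the lab to show why port priority is only a tie-breaker: a BPDU carrying a lower root bridge ID wins regardless of any priority you tune.

```python
"""Root-port selection as SW2 performs it in the port-priority lab (added example)."""
from typing import Dict, Tuple


def mac_int(mac: str) -> int:
    """Cisco dotted MAC (000e.84ae.3600) -> integer, so MACs compare numerically."""
    return int(mac.replace(".", ""), 16)


def validate_port_priority(value: int) -> int:
    """IOS accepts 0-240 in steps of 16 and rejects anything else."""
    if not 0 <= value <= 240 or value % 16:
        raise ValueError("% Port Priority in increments of 16 is required")
    return value


def bpdu_key(bpdu: dict, local_port_cost: int) -> Tuple:
    """Ordering every STP switch uses to rank received BPDUs; the lower tuple wins.
    1. root bridge ID (priority + sys-id-ext, MAC)
    2. root path cost, after adding the cost of the local port it arrived on
    3. sender bridge ID
    4. sender port ID (port priority, port number), the tie-breaker this lab tunes
    """
    return (
        bpdu["root_priority"], mac_int(bpdu["root_mac"]),
        bpdu["root_path_cost"] + local_port_cost,
        bpdu["sender_priority"], mac_int(bpdu["sender_mac"]),
        bpdu["sender_port_priority"], bpdu["sender_port_number"],
    )


def select_root_port(received: Dict[str, dict], local_port_cost: int = 19) -> str:
    """received maps a local port name to the best BPDU heard on it.
    Returns the local port that becomes the root port (100 Mbps ports: cost 19)."""
    return min(received, key=lambda port: bpdu_key(received[port], local_port_cost))


SW1_MAC = "000e.84ae.3600"   # root bridge MAC from SW2's show spanning vlan 10


def sw1_bpdu(vlan: int, port_priority: int, port_number: int) -> dict:
    """Configuration BPDU SW1 originates as root (root primary: priority 24576 + VLAN)."""
    root_prio = 24576 + vlan
    return {
        "root_priority": root_prio, "root_mac": SW1_MAC, "root_path_cost": 0,
        "sender_priority": root_prio, "sender_mac": SW1_MAC,
        "sender_port_priority": validate_port_priority(port_priority),
        "sender_port_number": port_number,
    }


def sw2_root_port(vlan: int, fa11_priority: int = 128, fa12_priority: int = 128) -> str:
    """Which SW2 port becomes the root port for `vlan`, given the per-VLAN port priority
    configured on SW1's fast 0/11 (port 13) and fast 0/12 (port 14).
    Assumption: SW1 fa0/11 is cabled to SW2 fa0/12 and SW1 fa0/12 to SW2 fa0/11."""
    heard = {
        "Fa0/12": sw1_bpdu(vlan, fa11_priority, 13),
        "Fa0/11": sw1_bpdu(vlan, fa12_priority, 14),
    }
    return select_root_port(heard)


def sw2_root_port_with_rogue(vlan: int, rogue_port: str = "Fa0/5") -> str:
    """Port priority only breaks ties. A BPDU claiming a lower root bridge ID wins
    outright, no matter how the priorities on the legitimate trunks are set.
    The rogue (priority 0, MAC 0000.0000.0001, worst possible port ID) is constructed."""
    heard = {
        "Fa0/12": sw1_bpdu(vlan, 128, 13),
        "Fa0/11": sw1_bpdu(vlan, 64, 14),
        rogue_port: {
            "root_priority": 0 + vlan, "root_mac": "0000.0000.0001", "root_path_cost": 0,
            "sender_priority": 0 + vlan, "sender_mac": "0000.0000.0001",
            "sender_port_priority": 240, "sender_port_number": 1,
        },
    }
    return select_root_port(heard)


if __name__ == "__main__":
    print("VLAN 30, defaults:", sw2_root_port(30))
    print("SW1 fa0/12 port-priority 64:", sw2_root_port(30, fa12_priority=64))
    print("SW1 fa0/11 port-priority 160:", sw2_root_port(30, fa11_priority=160))
    print("rogue root heard on Fa0/5:", sw2_root_port_with_rogue(30))
```

Run it and the three lab outcomes fall out of the tuple comparison alone, with no special casing; the rogue case is the reason the Root Guard and BPDU Guard sections later in this chapter exist.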

STP Timers

These timers are so important, frankly, that you'll see them twice when you run show spanning vlan! (That's not the real reason.)

SW1#show spanning vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000f.90e2.2540
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000f.90e2.2540
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  15

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11           Desg FWD 19        128.11   P2p
Fa0/12           Desg FWD 19        128.12   P2p

Hello Time defines how often the root bridge originates Config BPDUs. Default setting: 2 seconds.

Maximum Age (Max Age) is how long a switch will retain the superior BPDU's contents before discarding it. Default setting: 20 seconds.

Forward Delay is the length of the listening and learning port stages, with a default of 15 seconds for each individual stage.

Those are important values to know, but why do we see each one listed twice in that output? The first set of timers is in the Root ID field. It's this set of timers that is actually used by the root and by all switches that receive a Configuration BPDU that originated with that particular root. The second set of timers is found in the Bridge ID field, and those are the local switch's settings for the timers. Unless you're on the root, the timers under Bridge ID do not matter. (The Aging Time of 15 rather than 300 in that first output is the MAC table aging time shortened by a recent topology change; the TCN section explains that.)

That point cuts both ways: whichever switch wins the root election dictates the timers for the whole VLAN, including a switch nobody meant to win. That's one more reason to choose the root deliberately and protect its role, both of which are coming up.

Use spanning vlan to change these timers. IOS shows us the ranges of allowable settings for each command. None of them can be set to zero.

SW1(config)#spanning vlan 1 ?
  forward-time  Set the forward delay for the spanning tree
  hello-time    Set the hello interval for the spanning tree
  max-age       Set the max age interval for the spanning tree
  priority      Set the bridge priority for the spanning tree
  root          Configure switch as root
  <cr>

SW1(config)#spanning vlan 1 hello ?
  <1-10>  number of seconds between generation of config BPDUs
SW1(config)#spanning vlan 1 hello 5

SW1(config)#spanning vlan 1 forward ?
  <4-30>  number of seconds for the forward delay timer
SW1(config)#spanning vlan 1 forward 16

SW1(config)#spanning vlan 1 max-age ?
  <6-40>  maximum number of seconds the information in a BPDU is valid
SW1(config)#spanning vlan 1 max-age 25

Verify with show spanning vlan. For the change to take effect throughout the VLAN, always use these commands on your primary and secondary roots.

SW1#show spanning vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000f.90e2.2540
             This bridge is the root
             Hello Time  5 sec  Max Age 25 sec  Forward Delay 16 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     000f.90e2.2540
             Hello Time  5 sec  Max Age 25 sec  Forward Delay 16 sec
             Aging Time  300

On the root bridge, we expect the timers in the Root ID and Bridge ID fields to be identical. What about the downstream, non-root switch though?

SW2#show spanning vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000f.90e2.2540
             Cost        19
             Port        13 (FastEthernet0/11)
             Hello Time  5 sec  Max Age 25 sec  Forward Delay 16 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0017.9466.f780
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

As expected, the settings in use are the ones under Root ID!

Root Switch Selection: Be Deterministic

If we leave STP to its own devices, a single switch is going to be the root bridge for every VLAN in our network. That might not be so bad, but the default root switch selection is left up to chance. The switch with the lowest MAC address will be crowned as the root, and that's not always best for our network.

We can choose another particular switch to be the root bridge for all VLANs, or we can spread the workload around a bit and let one switch be the root for some VLANs while another switch is the root for the rest of the VLANs. If you have 50 VLANs and five switches, you could make each switch the root for 10 VLANs. You can spread the root switch role around as much as you like, depending on your network topology. It's up to you!

Please note that the cabling has changed, and we'll be adding a switch and two cables as this lab progresses. As always, before this lab I did a write erase and delete vlan.dat on both switches, reloaded, and created VLANs 10, 20, and 30. SW1 is the root for all four VLANs. We'd like SW2 to be the root for VLANs 20 and 30 while leaving SW1 the root for VLANs 1 and 10. Let's use spanning vlan root primary to make SW2 the root for VLAN 20.

SW2(config)#spanning vlan 20 root ?
  primary    Configure this switch as primary root for this spanning tree
  secondary  Configure switch as secondary root
SW2(config)#spanning vlan 20 root primary
SW2#show spanning vlan 20
VLAN0020
  Spanning tree enabled protocol ieee
  Root ID    Priority    24596
             Address     0017.9466.f780
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

Done and done! The new root's priority is 24596. That's certainly good enough to make it the root, but where exactly did that priority come from? It depends...

Current root priority greater than 24576? Result: the priority of the new root is 24576 (plus the VLAN ID in this case, since the extended system ID is in use).

Current root priority less than 24576? Result: subtract 4096 from that root priority and you have the new root priority!

One caveat worth knowing before you rely on it: root primary is a macro, not a promise. The switch runs the calculation once, writes the resulting priority into the running config, and never revisits it. Any switch that later shows up with a lower bridge ID, whether a new core switch or something plugged in by someone who shouldn't have, still wins the election. Protecting the root role is the job of Root Guard, which is covered in the next chapter.

We'll now make SW2 the root for VLAN 30.

SW2(config)#spanning vlan 30 root primary

SW2#show spanning vlan 30
VLAN0030
  Spanning tree enabled protocol ieee
  Root ID    Priority    24606
             Address     0017.9466.f780
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

I'm sure you noticed the secondary option. If you want a certain switch to take over as root bridge if the current root goes down, run spanning vlan root secondary on the desired secondary bridge. That command will adjust the switch's priority enough to make it the backup root, but not enough to make it the primary root.

Let's see that in action! SW2 is still the root for VLANs 20 and 30, and we've added a third switch to the lab. We'll concentrate on those two VLANs from here on out.
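The election and both macros, replayed in Python for the three lab switches. This is an added example for this section, not code from the study guide. The switch names and MAC addresses are the ones in the lab output, and the priority rules are the ones stated above (24576, or 4096 below the current root, for primary; 28672 for secondary, which is what IOS uses). The `run_lab` helper and the optional rogue switch are constructed for the example; they show that the macro is computed once and that a lower bridge ID appearing later still wins.

```python
"""Bridge-ID election and the root primary / root secondary macros (added example)."""
from typing import Dict, Optional, Tuple

ALLOWED_PRIORITIES = tuple(range(0, 61441, 4096))   # the 16 values IOS lists


def mac_int(mac: str) -> int:
    return int(mac.replace(".", ""), 16)


def validate_bridge_priority(priority: int) -> int:
    """Mirror the IOS check: only multiples of 4096 from 0 to 61440."""
    if priority not in ALLOWED_PRIORITIES:
        raise ValueError("% Bridge Priority must be in increments of 4096.\n"
                         "% Allowed values are: " + " ".join(map(str, ALLOWED_PRIORITIES)))
    return priority


def bridge_id(priority: int, vlan: int, mac: str) -> Tuple[int, int]:
    """PVST+ bridge ID with the extended system ID: (priority + VLAN, MAC). Lower wins."""
    return (validate_bridge_priority(priority) + vlan, mac_int(mac))


def elect_root(vlan: int, switches: Dict[str, Tuple[int, str]]) -> str:
    """switches maps name -> (configured priority, MAC). Returns the winner's name."""
    return min(switches, key=lambda n: bridge_id(switches[n][0], vlan, switches[n][1]))


def root_primary_priority(current_root_priority: int) -> int:
    """What `spanning-tree vlan N root primary` writes into the config, computed once:
    24576 if that beats the current root's base priority, otherwise 4096 below it.
    The value is never recomputed afterwards."""
    if current_root_priority > 24576:
        return 24576
    if current_root_priority < 4096:
        # Assumption for this example: there is nothing below 0, so the macro cannot win.
        raise ValueError("current root is already at priority 0; root primary cannot win")
    return current_root_priority - 4096


def root_secondary_priority() -> int:
    """`root secondary` always uses 28672: below the 32768 default, above the primary's 24576."""
    return 28672


def displayed_priority(priority: int, vlan: int) -> int:
    """show spanning-tree vlan N prints priority + sys-id-ext."""
    return priority + vlan


LAB_MACS = {"SW1": "000f.90e2.2540", "SW2": "0017.9466.f780", "SW3": "001c.0fbf.2f00"}


def run_lab(vlan: int, secondary: Optional[str] = None,
            extra: Optional[Dict[str, Tuple[int, str]]] = None) -> Dict[str, object]:
    """Replay the lab for one VLAN: everyone at default priority, SW2 root primary,
    an optional secondary, then SW2 goes away. `extra` adds switches (constructed,
    e.g. a rogue) to the election after the macros have run."""
    prio = {name: 32768 for name in LAB_MACS}

    def table() -> Dict[str, Tuple[int, str]]:
        return {n: (prio[n], LAB_MACS[n]) for n in LAB_MACS}

    before = elect_root(vlan, table())
    prio["SW2"] = root_primary_priority(prio[before])     # SW2(config)# spanning vlan N root primary
    if secondary:
        prio[secondary] = root_secondary_priority()        # SWx(config)# spanning vlan N root secondary
    candidates = table()
    if extra:
        candidates.update(extra)
    result = {"before": before,
              "primary": elect_root(vlan, candidates),
              "sw2_shows": displayed_priority(prio["SW2"], vlan)}
    del candidates["SW2"]                                   # SW2# reload
    result["sw2_down"] = elect_root(vlan, candidates)
    return result


if __name__ == "__main__":
    print("VLAN 20:", run_lab(20, secondary="SW3"))
    print("VLAN 30:", run_lab(30))
    print("VLAN 20 with a priority-0 rogue:",
          run_lab(20, "SW3", extra={"ROGUE": (0, "0000.0000.0001")}))
```

The displayed values 24596 and 24606 match the two outputs above, and the VLAN 30 run shows SW1 inheriting the root role on MAC address alone when SW2 is gone, exactly the situation the pop quiz below is about.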

Here's the Bridge ID info for both SW1 and SW3, and here's a pop quiz: Which one of these would take over as the root for VLAN 20 if SW2 went down?

SW1#show spanning vlan 20
  Bridge ID  Priority    32788  (priority 32768 sys-id-ext 20)
             Address     000f.90e2.2540
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

SW3#show spanning vlan 20
  Bridge ID  Priority    32788  (priority 32768 sys-id-ext 20)
             Address     001c.0fbf.2f00
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

They both have the default priority, so it comes down to MAC address, and SW1's MAC is lower than that of SW3. SW1's address begins with "000", and SW3's begins with "001", so nothing after that matters. I'll reload SW2 and we'll see if SW1 becomes the root in SW2's absence.

SW2#reload
Proceed with reload? [confirm]
*Mar 1 01:27:11.899: %SYS-5-RELOAD: Reload requested by console.

SW1#show spanning vlan 20
VLAN0020
  Spanning tree enabled protocol ieee
  Root ID    Priority    32788
             Address     000f.90e2.2540
             This bridge is the root

It does indeed! (show spanning vlan 30 isn't shown, but we know SW1 is the root for that VLAN as well.) SW2 will become the root for VLAN 20 again once it comes back up...

SW2#show spanning vlan 20
VLAN0020
  Spanning tree enabled protocol ieee
  Root ID    Priority    24596
             Address     0017.9466.f780
             This bridge is the root

... but we'd like SW3 to take over as the root for VLAN 20 when SW2 is unavailable, while keeping SW1 as the root for VLAN 30 in that circumstance.

SW3(config)#spanning vlan 20 root ?
  primary    Configure this switch as primary root for this spanning tree
  secondary  Configure switch as secondary root

Let's make it happen. Note the change to SW3's priority.

SW3(config)#spanning vlan 20 root secondary

SW3#show spanning vlan 20
VLAN0020
  Spanning tree enabled protocol ieee
  Root ID    Priority    24596

SW2 is still the root, as it should be. root secondary always sets the local priority to 28672 (shown as 28692 for VLAN 20 once the system ID extension is added): low enough to beat the default 32768 on SW1, not low enough to beat the primary's 24576.

When SW2 goes offline, SW1 will again take over the root bridge role for VLAN 30, but now SW3 will take that role for VLAN 20.

SW2#reload
Proceed with reload? [confirm]

SW1#show spanning vlan 30
             This bridge is the root

SW3#show spanning vlan 20
             This bridge is the root

SW2 will again take over as the primary root for both VLANs when it comes back online. SW3 remains the secondary for VLAN 20 and SW1 the secondary for VLAN 30.

If SW1 is the desired secondary root for VLAN 30, you're fine right now, but what if another switch is added to the network? That new switch might have a lower MAC than that of SW1. In this situation, I would manually configure SW1 as the secondary root for VLAN 30.

Of the two methods to configure primary and secondary roots, I prefer the one we just used. You can change the priority manually with spanning vlan priority, but the switch isn't going to help you by saying "Hey, the priority you set isn't low enough for this switch to become the primary / secondary!" There's one more thing that makes this method a tad complicated:

SW1(config)#spanning vlan 20 priority ?
  <0-61440>  bridge priority in increments of 4096

SW1(config)#spanning vlan 20 priority 7000
% Bridge Priority must be in increments of 4096.
% Allowed values are:
  0     4096  8192  12288 16384 20480 24576 28672
  32768 36864 40960 45056 49152 53248 57344 61440

Hey, I tried using a non-4096 multiple!

By the way, we just got a call from the other BPDU type, demanding semi-equal time!

The Topology Change Notification BPDU

TCN BPDUs are generated by a switch when a port goes into forwarding mode or when a port goes from forwarding or learning into blocking mode. The TCN doesn't say exactly what happened, just that something happened. The switch sends the TCN out its root port, each switch receiving the TCN will send an ACK back, and the TCN continues to be forwarded until it reaches the root.

When the root receives the TCN, the root will acknowledge it in the form of a Configuration BPDU with the Topology Change bit set. That BPDU with the TC bit set tells the receiving switches to change the aging time for their MAC tables from the default of 300 seconds to the duration of the Forward Delay timer. By default, that's just 15 seconds! This allows the switch to quickly rid itself of now-invalid MAC address table entries while keeping entries for hosts that are currently sending frames to that switch. The aging time will stay at the new value for (Forward Delay + Max Age). By default, and if the timers haven't been changed, that's 35 seconds.

Exception time! Changes to Portfast-enabled ports cannot result in the generation of a TCN BPDU. That makes sense, since the most common use of Portfast is when a single PC is directly connected to a switch port. When a port connected to a host goes into forwarding mode, it doesn't really affect STP operation, so there's no need to alert the entire network about it. If you're fuzzy on Portfast or any other advanced STP features, we'll take care of that in the very next section!

Chapter 6: STP — ADVANCED FEATURES AND VERSIONS

Putting these features into operation is easy. Knowing where to run them and why is another matter. Let's jump right in!

Portfast

Portfast allows a port running STP to go directly from blocking to forwarding mode, but only in a specific situation. And I can hear you now... "We spent all that time talking about STP preventing switching loops, and now you want to turn a couple of them off?" Well, yeah. The chances of a switching loop on a single port with a single host connected are very small, so Portfast allows us to cheat just a bit in order to get that host up and running. The STP listening and learning stages can interfere with your host's DHCP address acquisition process. If you have a host that has trouble getting an IP address via DHCP, configuring Portfast on that host's switchport is the way to go. Enable Portfast on a per-port level with spanning-tree portfast. Enabling this feature results in one long warning and an additional message.

SW2(config)#int fast 0/3
SW2(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION

%Portfast has been configured on FastEthernet0/3 but will only have effect when the interface is in a non-trunking mode.

The switch has given us a warning about the proper and improper use of Portfast, and has also let us know that trunking must be disabled in order for Portfast to take effect. We do have the option of enabling Portfast on a trunk port, and after doing so, we'll be warned about it again!

SW2(config-if)#spanning-tree portfast ?
  disable  Disable portfast for this interface
  trunk    Enable portfast on the interface even in trunk mode
  <cr>

SW2(config-if)#spanning-tree portfast trunk
%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION

Enable Portfast globally with spanning portfast default. Using this command enables Portfast on all access ports. After doing so, a slightly different message appears.

SW2(config)#spanning portfast ?
  bpdufilter  Enable portfast bpdu filter on this switch
  bpduguard   Enable portfast bpdu guard on this switch
  default     Enable portfast by default on all access ports

SW2(config)#spanning portfast default
%Warning: this command enables portfast by default on all interfaces. You should now disable portfast explicitly on switched ports leading to hubs, switches and bridges as they may create temporary bridging loops.

Verify with show spanning interface portfast. As IOS Help is so helpful to let us know, there's no "show spanning portfast" command.

SW2#show spanning portfast
                     ^
% Invalid input detected at '^' marker.

SW2#show spanning int fast 0/10 portfast
VLAN0001            disabled
VLAN0010            disabled
VLAN0020            disabled
VLAN0030            disabled

UplinkFast

When a port goes through the blocking-to-forwarding transition, there will be approximately a 50-second delay before that blocked port is open. Configuring a port with Portfast is one way to avoid part of that delay, but we're advised over and over by Cisco not to use Portfast unless it's on a port where a single host device is found. What if the device off that port is another switch? Frankly, we're looking at a 50-second delay before that port can actually begin forwarding frames. That almost-minute feels like almost-hours at times.

UplinkFast is Portfast for wiring closets. Cisco strongly recommends UplinkFast not be used on distribution- and core-layer switches. It's all or nothing with this feature – you can't run it on a per-port or per-VLAN basis. UplinkFast is enabled globally and for all VLANs residing on the switch.

SW3 has two paths to the root, and assuming all port speeds are the same, the direct physical path will be the path SW3 uses to reach the root. STP blocks one of our six ports in order to prevent switching loops. If the open path between SW1 and SW3 goes down, that's bad.

With UplinkFast in use, the ports SW3 could potentially use to reach the root switch are collectively referred to as an uplink group. The uplink group includes ports in blocking and forwarding mode. If the forwarding port in the uplink group senses that the primary link is down, another port in the uplink group will be transitioned immediately (almost) from blocking to forwarding. By "almost immediately", I mean 1 – 3 seconds, although some Cisco documentation makes it sound like there's no delay at all.

The original root port on the UplinkFast-enabled switch will become the root port again when it detects that the original primary path to the root is available once more. This doesn't take place immediately; the switch will wait (2 x Forward Delay) + 5 seconds before the primary root port enters forwarding state.

UplinkFast does have two immediate actions you should be aware of, and they both occur when UplinkFast is first enabled. The first is setting the switch priority to 49,152. This effectively prevents this switch from becoming the root unless all other switches go down, in which case you have much bigger problems to deal with! The second is that the STP port cost is increased by 3000, making it unlikely that this switch will be used to reach the root switch by any downstream switches.

SW2(config)#spanning uplinkfast ?
  max-update-rate  Rate at which station address updates are sent
  <cr>
SW2(config)#spanning uplinkfast

SW2#show spanning vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     000f.90e2.2540
             Cost        3019
             Port        14 (FastEthernet0/12)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    49153  (priority 49152 sys-id-ext 1)
             Address     0017.9466.f780
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec
  Uplinkfast enabled

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/12           Root FWD 3019      128.14   P2p

UplinkFast works really well, and on occasion it works a little too well. Actually, a little too fast! Let's revisit the original network and add two hosts.

Frames from Host A will currently go through SW2, then SW1, then SW3. When the link between SW3 and SW1 goes down, that path is no longer valid, but the now-invalid entry to send frames to Host B via SW1 will still be in SW2's table. The cutover to the backup path is so fast that the MAC address tables of other switches in the network may be out of date for a few seconds after the cutover.

To avoid that, SW3 sends "dummy" multicast frames to SW2. The destination address is 0100.0ccd.cdcd, and the source address – well, that's the rub. We're going to send these frames for every single MAC address entry in SW3's table, which might be small or might be very large! That flooding quickly updates SW2's MAC address table. If SW3's MAC address table is particularly large, you may want to adjust the maximum update rate, which by default is 150 packets per second. That's where our single UplinkFast option comes into play:

SW3(config)#spanning uplinkfast ?
  max-update-rate  Rate at which station address updates are sent
  <cr>

SW3(config)#spanning uplinkfast max-update-rate ?
  <0-32000>  Maximum number of update packets per second

You can disable the sending of those dummy frames by setting this value to zero.

Verify your UplinkFast settings with show spanning uplinkfast.

SW3#show spanning uplinkfast
UplinkFast is enabled

Station update rate set to 150 packets/sec.

UplinkFast statistics
-----------------------
Number of transitions via uplinkFast (all VLANs)            : 0
Number of proxy multicast addresses transmitted (all VLANs) : 0

BackboneFast

The Cisco-proprietary feature BackboneFast helps our network recover from indirect link failures. The key word is indirect. If a switch detects an indirect link failure (a failure of a link not directly connected to the switch in question), BackboneFast goes into action. An indirect link failure is detected when an inferior BPDU is received, as we'll see in the upcoming walkthrough. Let's take a look at a three-switch setup where all links are working (currently!), and STP is running as expected. All links are running at the same speed.

SW1 has been elected root, and it sends Configuration BPDUs to SW2 and SW3 every two seconds reminding them of that. In turn, SW2 takes the BPDU it's receiving from SW1 and relays it to SW3. All is well until SW2 loses its connection to SW1, which means SW2 will start announcing itself as the root. SW3 will receive two separate BPDUs from two claimants to the root bridge role.

SW3 compares the root bridge ID in each BPDU and sees that SW2 has a higher BID, making the BPDU from SW2 an inferior BPDU. As a result, SW3 ignores that BPDU. Once SW3's Max Age timer on the port leading to SW2 hits zero, that port will transition to the listening state and start relaying the information contained in the BPDU coming from SW1 – the superior BPDU.

BackboneFast speeds up the overall process by skipping the Max Age stage. This doesn't eliminate the delay, but it does cut the overall delay from 50 to 30 seconds (the overall duration of the listening and learning states).

When an indirect link outage is detected, the Root Link Query (RLQ) goes into action in the form of requests and responses. These message types act as a sort of echo and echo reply combo. The request is sent to ensure connectivity to the root, is sent via a port receiving BPDUs, and is sent by the switch detecting the indirect link outage.

The request names the switch believed by the sender to be the root. The recipient forwards that RLQ request out its own root port, and after a short period of time (hopefully), the request comes back with the name of the root that can be reached via that port. If they match, all is well!

There are two circumstances under which the recipient will respond immediately, one good and one bad. The bad one: the recipient has a different root bridge listed. The good one: the recipient IS the root bridge.

All switches in the network have to be able to send, relay, and respond to RLQ requests. Since RLQ is enabled by enabling BackboneFast, you should run this feature on every switch in the network. The easiest part of BackboneFast is enabling it. This command is a true Cisco rarity in that there are no options. Just enable it, and verify with show spanning backbonefast.

SW3(config)#spanning backbonefast ?
  <cr>

SW3#show spanning backbonefast
BackboneFast is enabled
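The walkthrough above as a small simulation. This is an added example for this section, not code from the study guide. The three-switch topology (SW1 root, SW2 and SW3 each linked to SW1 and to each other), the inferior-BPDU trigger and the RLQ reply rules follow the text; the class layout, the one-port-per-neighbour simplification, and returning None when the root cannot be confirmed are my own choices for the example.

```python
"""BackboneFast indirect-failure detection and the Root Link Query exchange (added example)."""
MAX_AGE, FORWARD_DELAY = 20, 15          # default STP timers, seconds


class Switch:
    def __init__(self, name: str, priority: int, mac: str):
        self.name = name
        self.bid = (priority, int(mac.replace(".", ""), 16))   # lower bridge ID wins
        self.root, self.root_bid = name, self.bid             # starts out believing it is root
        self.root_port_neighbor = None                        # neighbour reached via the root port
        self.neighbors = {}                                   # name -> Switch (one port per neighbour)


def link(a: Switch, b: Switch) -> None:
    a.neighbors[b.name] = b
    b.neighbors[a.name] = a


def converge_on(root: Switch, switches) -> None:
    """Constructed steady state: every switch accepts `root`; with all links at the same
    speed and everyone adjacent to the root, each root port points straight at it."""
    for s in switches:
        s.root, s.root_bid = root.name, root.bid
        s.root_port_neighbor = None if s is root else root.name


def rlq_respond(switch: Switch, asked_root: str) -> str:
    """Recipient side of an RLQ. Immediate reply in two cases (the good one: I am the
    root; the bad one: I list a different root); otherwise relay the request out my own
    root port and pass the answer back. The reply names the root reached that way."""
    if switch.root == switch.name:
        return switch.name
    if switch.root != asked_root:
        return switch.root
    return rlq_respond(switch.neighbors[switch.root_port_neighbor], asked_root)


def rlq_request(asker: Switch) -> str:
    """Sender side: ask, via the root port, which root is reachable that way."""
    return rlq_respond(asker.neighbors[asker.root_port_neighbor], asker.root)


def receive_bpdu_on_blocked_port(switch: Switch, claimed_root_bid, backbonefast: bool):
    """Seconds until the blocked port that heard this BPDU can forward.

    A superior BPDU is ordinary STP business (0 here). An inferior one means the sender
    lost its path to the root: without BackboneFast the port waits out Max Age and then
    listening + learning; with it, an RLQ confirms the root is still reachable and Max Age
    is skipped. None means the root could not be confirmed and a normal election follows.
    """
    if claimed_root_bid <= switch.root_bid:
        return 0
    if not backbonefast:
        return MAX_AGE + 2 * FORWARD_DELAY
    if rlq_request(switch) == switch.root:
        return 2 * FORWARD_DELAY
    return None


def build_lab():
    sw1 = Switch("SW1", 32768, "000f.90e2.2540")
    sw2 = Switch("SW2", 32768, "0017.9466.f780")
    sw3 = Switch("SW3", 32768, "001c.0fbf.2f00")
    link(sw1, sw2)
    link(sw1, sw3)
    link(sw2, sw3)
    converge_on(sw1, [sw1, sw2, sw3])
    return sw1, sw2, sw3


def sw2_loses_uplink(backbonefast: bool):
    """SW2's link to SW1 fails; SW2 declares itself root and SW3 hears that on its blocked port."""
    sw1, sw2, sw3 = build_lab()
    del sw1.neighbors["SW2"], sw2.neighbors["SW1"]
    sw2.root, sw2.root_bid, sw2.root_port_neighbor = sw2.name, sw2.bid, None
    return receive_bpdu_on_blocked_port(sw3, sw2.bid, backbonefast)


def sw3_asks_through_orphaned_sw2() -> str:
    """Constructed variant: SW3's root port points at SW2, which has just become its own
    root. The RLQ comes straight back naming SW2, not SW1, so the root is not confirmed."""
    sw1, sw2, sw3 = build_lab()
    sw2.root, sw2.root_bid, sw2.root_port_neighbor = sw2.name, sw2.bid, None
    sw3.root_port_neighbor = "SW2"
    return rlq_request(sw3)


if __name__ == "__main__":
    print("without BackboneFast:", sw2_loses_uplink(False), "s")
    print("with BackboneFast:   ", sw2_loses_uplink(True), "s")
    print("RLQ answered by a switch with a different root:", sw3_asks_through_orphaned_sw2())
```

The 50-second and 30-second results are the two figures quoted above; the last case shows why every switch has to speak RLQ, since the answer is only useful if each hop either relays it or replies honestly about the root it knows.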

132

SW1 is entrenched as the root – until SW4 arrives!

133

C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 - 115 S T U DY G U I D E

C H R I S B R YA N T

SW4 will take over as the root due to its lower BID, and depending on your network design

Address 000f.90e2.2540

and the switches’ capabilities, you might not want that. SW4 could also be a rogue switch!

Cost 19

If we go to the trouble of deciding which switch should be the root, we should likely go to a

Port

little bit of trouble in protecting that switch’s role. That’s where Root Guard comes in.

Hello Time

Root Guard is configured at the port level, and disqualifies any switch downstream from
that port from becoming the primary or secondary root. To prevent SW4 from taking over

14 (FastEthernet0/12)

Bridge ID Priority

2 sec Max Age 20 sec Forward Delay 15 sec
32769 (priority 32768 sys-id-ext 1)

Address 001c.0fbf.2f00

either of those roles, configure Root Guard on SW3’s port leading to SW4.

Hello Time

When a superior BPDU is received on a port running Root Guard, that BPDU is discarded

2 sec Max Age 20 sec Forward Delay 15 sec

Aging Time 300 sec

and the port put into root-inconsistent state. That’s verified by show spanning vlan and show
spanning inconsistent-ports as well as this console message I received once SW4 came online

Interface

and started sending those superior BPDUs to SW3.

------------------- ---- ----- -------- --------- ----------------------

Role Sts

Cost

Prio Nbr Type

Fa0/4

Desg BKN

19

128.6

%SPANTREE-2-ROOTGUARD _ BLOCK: Root guard blocking port Fast

Fa0/11

Altn BLK

19

128.13 P2p

Ethernet0/4 on VLAN0001.

Fa0/12

Root FWD 19

128.14 P2p

P2p *ROOT _ Inc

The interface receiving the superior BPDU isn’t totally shut down by Root Guard. It’s still
listening for BPDUs, and once those superior BPDUs stop coming, that port will transition
normally through the STP port states and will come out of root-inconsistent state on its
own. To illustrate, I’ll set SW4’s priority back to the default.
SW4(config)#no spanning vlan 1 priority 4096

SW4 quickly recognizes SW1 as the root…

SW4#show spanning vlan 1
SW3#show spanning vlan 1

VLAN0001
Spanning tree enabled protocol ieee

VLAN0001
Spanning tree enabled protocol ieee
Root ID

  Root ID    Priority    8193 (SW1 is still the root!)
             Address     000f.90e2.2540

%SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/4 on VLAN0001.

… and SW3’s 0/4 port is no longer root-inconsistent.

SW3#show spanning inc
Name                 Interface              Inconsistency
-------------------- ---------------------- ------------------

Number of inconsistent ports (segments) in the system : 0

What if we didn’t want any BPDUs coming in on SW3’s 0/4 port, superior or inferior, you ask? Well… Enabling BPDU Guard on a port will result in that port going into error disabled state (“errdisabled state”) when any BPDU is received. We’ll use the topology from the Root Guard section to illustrate. Enabling BPDU Guard on SW3’s 0/4 port will block BPDUs coming in from SW4 and shut the BPDU Guard port down. I’ll open that port after enabling BPDU Guard.

Hey, remember that Portfast warning? Of course you do!

SW3(config)#int fast 0/2
SW3(config-if)#spanning portfast
%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION

You would think that might discourage anyone thinking of connecting a switch to a Portfast-enabled port, but someone just might try it, and doing so creates the possibility of a switching loop.

SW3(config)#int fast 0/4
SW3(config-if)#spanning ?
  bpdufilter     Don’t send or receive BPDUs on this interface
  bpduguard      Don’t accept BPDUs on this interface
  cost           Change an interface’s spanning tree port path cost
  guard          Change an interface’s spanning tree guard mode
  link-type      Specify a link type for spanning tree protocol use
  mst            Multiple spanning tree
  port-priority  Change an interface’s spanning tree port priority
  portfast       Enable an interface to move directly to forwarding on link up
  stack-port     Enable stack port
  vlan           VLAN Switch Spanning Tree

Note that the command requires you to specify “enable” or “disable” – “spanning bpduguard” is not a legal command on its own.

SW3(config-if)#spanning bpduguard ?
  disable  Disable BPDU guard for this interface
  enable   Enable BPDU guard for this interface
SW3(config-if)#spanning bpduguard enable
SW3(config-if)#no shut
%LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Int FastEthernet0/4, changed state to up
%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/4 with BPDU Guard enabled. Disabling port.
%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/4, putting Fa0/4 in errdisable state
%LINEPROTO-5-UPDOWN: Line protocol on Int FastEthernet0/4, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to down

The interface came up physically and logically, but the first BPDU that came in resulted in the port being disabled by BPDU Guard.

SW3#show int fast 0/4
FastEthernet0/4 is down, line protocol is down (err-disabled)

An error-disabled port must be cleared manually; you’ll need to do a shut/no shut to reset the port.

You’re not required to run BPDU Guard on a Portfast-enabled port, but it’s a good idea! It’s such a good idea that you can globally enable BPDU Guard on all Portfast-enabled ports via spanning portfast bpduguard default.

SW3(config)#spanning portfast bpduguard ?
  default  Enable bpdu guard by default on all portfast ports

If you’re not using that method of enabling BPDU Guard, remember that it’s off by default and is enabled / disabled with spanning-tree bpduguard at the interface level, regardless of Portfast.

BPDU Filtering

We have a similar but not identical service at our disposal to stop unwanted BPDUs, BPDU Filtering. Filtering stops all BPDUs from leaving or being accepted on a Portfast-enabled port. Once those BPDUs stop coming, the port will come back up on its own. To enable this feature globally on all your Portfast-enabled ports:

SW3(config)#spanning-tree portfast ?
  bpdufilter  Enable portfast bpdu filter on this switch
  bpduguard   Enable portfast bpdu guard on this switch
  default     Enable portfast by default on all access ports
SW3(config)#spanning-tree portfast bpdufilter ?
  default  Enable bpdu filter by default on all portfast ports
SW3(config)#spanning-tree portfast bpdufilter default

To enable and disable this feature at the port level:

SW3(config-if)#spanning bpdufilter ?
  disable  Disable BPDU filtering for this interface
  enable   Enable BPDU filtering for this interface

To verify this and several other features we’ve seen (and will see!), run show spanning summary.

SW3#show spanning summary
Switch is in pvst mode
Root bridge for: none
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is enabled
Portfast BPDU Filter Default is enabled
Loopguard Default            is disabled
EtherChannel misconfig guard is enabled
UplinkFast                   is disabled
BackboneFast                 is enabled

You can also verify a port’s individual BPDU Filter settings, along with gathering other important info, with show spanning interface detail.

SW1#show spanning int fast 0/3 detail
 Port 3 (FastEthernet0/3) of VLAN0003 is forwarding
   Port path cost 100, Port priority 128, Port Identifier 128.3.
   Designated root has priority 32771, address 000f.90e2.2540
   Designated bridge has priority 32771, address 000f.90e2.2540
   Designated port id is 128.3, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is shared by default
   Bpdu filter is enabled
   BPDU: sent 23, received 0

With all this talk of blocking BPDUs, we better ensure we get the ones we need!

Loop Guard

With our three-switch network back at its defaults, we know SW1 is originating Config BPDUs and sending them to both SW2 and SW3, and the non-root switches are forwarding BPDUs to each other (hence the two-headed arrow). If the direct link between SW2 and SW3 goes unidirectional, we have a problem. What if SW3 can send BPDUs to SW2, but not vice versa? SW3 will wait the duration of the MaxAge timer and then begin to transition the port on that link from blocking to forwarding. When all six ports hit forwarding mode, we have a switching loop.

Loop Guard doesn’t allow that port on SW3 to go from blocking to forwarding. Instead, the port no longer receiving the BPDUs will go from blocking to loop-inconsistent, which acts a lot like blocking mode. A switching loop is prevented, and once the cable is repaired and the BPDUs begin flowing from SW2 to SW3 again,

To enable Loop Guard globally, run spanning-tree loopguard default.

SW1(config)#spanning-tree loopguard ?
  default  Enable loopguard by default on all ports
SW1(config)#spanning-tree loopguard default

To enable Loop Guard on a per-port basis, run spanning-tree guard loop.

SW1(config)#int fast 0/2
SW1(config-if)#spanning-tree guard ?
  loop  Set guard mode to loop guard on interface
  none  Set guard mode to none
  root  Set guard mode to root guard on interface
SW1(config-if)#spanning-tree guard loop

To disable Loop Guard at the port level, run no spanning-tree guard loop.

SW1(config-if)#no spanning-tree guard loop

Dept. Of Oddities: Loop Guard is enabled globally or on a per-port basis, but it operates on a per-VLAN basis. If a trunk is carrying traffic for VLANs 10, 20, and 30, and BPDUs stop coming in for VLAN 10, the port will go port-inconsistent for VLAN 10 only. The port will continue to operate normally for VLANs 20 and 30.

Detecting Unidirectional Links With UDLD

BPDUs may not arrive at their destination due to a unidirectional link where SW1 can send to SW2, but SW2 can’t send a BPDU back over the same connection. UDLD’s basic operation is simple. A UDLD-enabled port sends a UDLD frame across the link every 15 seconds. If something comes back, we have a bidirectional link and all is well. If nothing comes back, we have a unidirectional link. The sent UDLD message lets the recipient know which port sent the message, and then the recipient sends it right back with info on the port that received the message.

When UDLD runs in Normal mode, which doesn’t shut the port down under any circumstances, it gives us a syslog message to let us know about the problem. Run UDLD in aggressive mode, and the results are much more… aggressive! The port will be put into err-disabled state after eight sent UDLD messages result in zero UDLD frames from the remote switch. We call this mode “aggressive” for two reasons. First, a UDLD message is sent every second once a possible unidirectional link is detected, as opposed to Normal mode. Second, the port is shut down after eight missed messages.

UDLD can be enabled and disabled on a global and per-port basis. For global enabling and disabling, use udld followed by the mode you want. If you don’t specify aggressive mode, the port defaults to normal mode.

SW1(config)#udld ?
  aggressive  Enable UDLD protocol in aggressive mode on fiber ports except where locally configured
  enable      Enable UDLD protocol on fiber ports except where locally configured
  message     Set UDLD message parameters

Use the same command at the interface level.

SW2(config-if)#udld ?
  port  Enable UDLD protocol on this interface despite global UDLD setting
SW2(config-if)#udld port ?
  aggressive  Enable UDLD protocol in aggressive mode on this interface despite global UDLD setting
  disable     Disable UDLD protocol on this interface despite global UDLD setting
  <cr>

For UDLD to be effective, it must be enabled on both endpoints. Problem is, if aggressive mode shuts a port down after failing to receive an echo reply to eight consecutive UDLD frames going out once per second, won’t the second port you configure always shut down before you finish the config? Actually, no. When UDLD’s aggressive mode is configured on the first endpoint, that port will indeed start sending UDLD frames every 15 seconds. The absence of a UDLD echo from the remote endpoint doesn’t trigger the aggressive 8-second countdown to shutting the port down. Before that can happen, the remote switch has to answer back with a UDLD echo, letting the local switch know that the remote switch is indeed running UDLD. However, once SW1 has received an echo reply from SW2, the eight-second countdown will begin if SW1 stops getting UDLD replies from SW2.

Rapid Spanning-Tree Protocol

STP is fantastic at what it does – we’d just like it to get done a little faster. The overall 30-second delay built into STP convergence via the listening and learning states was once considered an acceptable delay, and still is in many networks. Not every network can wait that long, though, and that’s why the Rapid Spanning Tree Protocol (RSTP) was developed! RSTP is defined by IEEE 802.1w, and it’s considered an extension of 802.1d. RSTP makes things just a bit more… rapid.

The overall concept of the root bridge is still present in RSTP, but the port roles themselves are different. The root port concept stays the same as we move from STP to RSTP. Non-root switches select a root port, that port being the one with the lowest root path cost. Let’s take a look at the RSTP roles in this network, where SW1 is the root. Note SW3 has multiple connections to the Ethernet segment. Root and designated ports have already been selected. SW2 and SW3 have both selected their root ports.

As with our STP example, a designated port must be elected on the segment connecting SW2 and SW3, and we’ll assume that to be one of the two ports SW3 has connected to that segment. As with STP, the DP will be the port with the lowest root path cost of all the ports on that segment. That’s hardly an earth-shattering change to our network.

Here come the differences! RSTP has alternate ports rather than blocked ports. The “alternate” refers to the port having an alternate path to the root switch than the actual root port does. SW2’s port on the shared segment is an alternate port (ALT) – but what of the remaining port on SW3? That port becomes the backup port for that segment. This port gives SW3 a redundant path on that segment without guaranteeing that the root switch will still be accessible. RSTP-enabled root bridges will not have root ports, but rather designated ports.

In addition to the familiar root port concept, RSTP brings with it two unique port types, edge ports and point-to-point ports. An edge port is simply a port on the edge of the network, likely connected to a single host such as an end user’s PC. RSTP edge ports are simply PortFast-enabled ports. To configure a port as an RSTP edge port, just run the familiar spanning-tree portfast command. Edge ports play a huge part in RSTP’s determination of when a topology change has taken place, since RSTP considers a topology change to have taken place when a port moves into forwarding mode – unless that port is an edge port. RSTP does not consider that a change in the network, since only a single host will be connected to that particular port, so RSTP doesn’t bother alerting the rest of the network about it. (More on that very soon.) If a BPDU comes in on an RSTP edge port, it’s “demoted” to a regular RSTP port and then generates a TCN BPDU.

A point-to-point port is any port running in full-duplex mode. (Any ports running half-duplex are considered shared ports and must run STP rather than RSTP.)

There are slight and important differences between STP and RSTP port states as well. The STP port states disabled, blocking, and listening are combined into the RSTP state discarding, where incoming frames are discarded. As you’d expect, discarding is the initial RSTP port state. RSTP ports transition from discarding to learning, where incoming frames are still discarded but the MAC addresses are being learned by the switch. Finally, the RSTP port transitions to the forwarding state, the equivalent of STP’s forwarding state. Well, actually, edge ports don’t play a role in that transition, so they can go straight from discarding to forwarding.

A quick comparison:

STP:  disabled > blocking > listening > learning > forwarding
RSTP: discarding > learning > forwarding

When a non-edge port moves into forwarding mode, that’s when RSTP does bother letting the rest of the network know! RSTP does so by sending BPDUs out all non-edge designated ports, and naturally the TC bit is set on those BPDUs. Switches that receive those BPDUs will remove all entries from their MAC tables except for the port the BPDU rode in on. In turn, those switches send BPDUs with the TC bit set out their non-edge DPs, and that continues until the entire network’s been notified of the change – a “ripple effect”, if you will.

Another major difference between STP and RSTP is the way BPDUs are generated. With STP, the root bridge generates and transmits BPDUs every two seconds, and the nonroot bridges read ‘em and relay ‘em. RSTP-enabled switches generate a BPDU every two seconds, regardless of whether they’ve received a BPDU from the root in that period of time. (This hello time interval is the same in both STP and RSTP.) This slight change in operation from STP to RSTP allows all switches to have a role in detecting link failures, and the discovery of those failures is faster.

How? When a switch running STP misses a BPDU, the MaxAge timer kicks in. That timer dictates how long the switch will retain the contents of the last superior BPDU it received before it ages out and the STP recalculation process begins. We know the MaxAge default – 20 seconds! Compare that to the RSTP process, where the superior BPDU is aged out when three Hello Time intervals pass without it being refreshed! Every switch expects to see a BPDU from its neighbor every two seconds, and if three BPDUs are missed, the link is considered down. The switch then immediately ages out all information concerning the port that was receiving the BPDUs. This change cuts the error detection process from 20 seconds in STP to 6 seconds in RSTP.

RSTP Synchronization

The RSTP synch process is a simple series of handshakes between switches, carried out until all switches in the network are – wait for it – synchronized! Let’s walk through the process with this three-switch network. We see a PC off one of SW2’s ports, so that’s an edge port.

SW2 realizes SW1 is the root, and would like to agree to the proposal. But not so fast, my friend! First, SW2 has to synch itself, and in order for SW2 to consider itself synched, all ports on SW2 must either be discarding or an edge port. SW2 will of course move its root port into forwarding, and, as we’d expect, SW2 must now place the port leading to SW3 into discarding mode. At that point, SW2 will reply to the proposal with an agreement and will send a proposal of its own out any non-edge port that was just placed into discarding state. There’s a lot going on here – and it goes on quickly!

The ripple effect is powerful in RSTP synchronization. SW2 is agreeing with SW1 while almost simultaneously sending a proposal to SW3 (and any other downstream switches it’s connected to). In turn, SW3 goes through the same process we saw SW2 go through – SW3 would accept that proposal from SW2 while sending proposals of its own. This ripple effect fans throughout the entire network until all switches are synched.

The Question Haunting Networks Everywhere

Does RSTP play well with STP? Pretty well, actually! If a switch is running RSTP and needs to communicate with switches using both STP and RSTP, it’s the version number in the BPDU that tells the switch how to handle things. In our lab, SW3 is running RSTP after being configured with the spanning-tree mode rapid-pvst command, verified with show spanning vlan.

SW3(config)#spanning mode ?
  mst         Multiple spanning tree mode
  pvst        Per-Vlan spanning tree mode
  rapid-pvst  Per-Vlan rapid spanning tree mode
SW3(config)#spanning mode rapid-pvst ?
  <cr>
SW3(config)#spanning mode rapid-pvst

SW3#show spanning vlan 1

VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    4097
             Address     000f.90eb.d480
             Cost        19
             Port        6 (FastEthernet0/4)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     001c.0fbf.2f00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/4               Root FWD 19        128.6    P2p
Fa0/11              Desg FWD 19        128.13   P2p Peer(STP)
Fa0/12              Desg FWD 19        128.14   P2p Peer(STP)

Note the output under “Type”. The link via Fast0/4 is to SW4, a switch running RSTP. This is a full-duplex point-to-point link, and when there’s no additional info after “P2p”, the link is to an RSTP-enabled switch. When you see “Peer (STP)” as we do for the Fast0/11 and Fast0/12 links, you know those connections are to switches running STP.

It’s a rare occasion indeed when you need to manually change the link type on an interface, but if you do, just use spanning link-type.

SW3(config-if)#spanning-tree link-type ?
  point-to-point  Consider the interface as point-to-point
  shared          Consider the interface as shared

Per-VLAN Spanning Tree Versions (PVST and PVST+)

The ultimate “the name is the recipe” protocol, the Cisco-proprietary PVST runs a separate instance of STP for each VLAN.

The Good: PVST does allow for much better fine-tuning of spanning tree performance than regular ol’ STP does. With PVST+, we can configure per-VLAN load balancing as we did in an earlier lab.

The Bad: Running PVST does mean extra work for your CPU and memory. No matter the size of the network, everything we do on a Cisco switch has a cost in terms of CPU and/or time.

The Ugly: PVST requires ISL trunking, so Cisco came up with PVST+, which has the same functionality as PVST while having the capability to run over ISL or dot1q trunks. PVST doesn’t play well with Common Spanning Tree (more on that in a moment).

Common Spanning Tree and Multiple Spanning Tree

When our pal IEEE 802.1q (“dot1q”) is the trunking protocol, the trunk is using a common instance of STP for all VLANs – hence the name, “Common Spanning Tree”. As we know though, with CST’s one STP instance, we can’t perform any per-VLAN load balancing.

And speaking of CST… MST serves as a middle ground between CST (one STP instance) and PVST (one STP instance per VLAN). MST allows us to reduce the number of STP instances without knocking it all the way back to one. Let’s say we have traffic for 750 VLANs coming in, and three switches that can handle some or all of that traffic. With CST’s one STP instance, one switch ends up handling all the traffic. With PVST+, if we have 750 VLANs, we have 750 instances of STP running. MST gives us a great middle ground, where we can map VLANs to instances of STP, so we could spread the workload around a bit.

MST earns its name from a scheme that allows multiple VLANs to be mapped to a single instance of STP, rather than having an instance for every VLAN. Defined by IEEE 802.1s, the purpose of MST is to map multiple VLANs to a lesser number of STP instances. MST was designed with enterprise networks in mind. While it can be useful in the right environment, it’s not for every network. MST configs can become quite complex and a great deal of planning is recommended before you even start a config.

MST configuration involves logically dividing the switches into regions, and the switches in any given region must agree on the MST config name, the config revision number, and the MST-instance / VLAN-mapping table. More on that in just a minute. The MST BPDUs contain the MST config name, the MST configuration revision number, and a digest value derived from the mapping table, and MST BPDUs are used to exchange values between switches. Switches that disagree on any of these values are in different regions.

A good way to get a mental picture of MST – CST interoperability is that CST will cover the entire network, and MST is a “subset” of the network. CST is going to maintain a loop-free network only with the links connecting the MST network subsets. CST doesn’t know what’s going on inside the regions, nor does it want to know. MST’s job is to keep a loop-free topology in the MST region itself. The “IST” in each region stands for Internal Spanning Tree, and it’s the IST instance that is responsible for keeping communications in the MST regions loop-free, and only the IST is going to send MST BPDUs.

Enable MST on the switch with spanning-tree mode mst, and follow by dropping into MST configuration mode and naming the region and revision number.

SW3(config)#spanning-tree mode ?
  mst         Multiple spanning tree mode
  pvst        Per-Vlan spanning tree mode
  rapid-pvst  Per-Vlan rapid spanning tree mode
SW3(config)#spanning-tree mode mst
SW3(config)#spanning-tree mst configuration
SW3(config-mst)#?
  abort         Exit region configuration mode, aborting changes
  exit          Exit region configuration mode, applying changes
  instance      Map vlans to an MST instance
  name          Set configuration name
  no            Negate a command or set its defaults
  private-vlan  Set private-vlan synchronization
  revision      Set configuration revision number
  show          Display region configurations

In MST configuration mode, abort exits the mode while not saving the changes; exit exits the mode and does save your changes.

SW3(config-mst)#name CCNP
SW3(config-mst)#revision ?
  <0-65535>  Configuration revision number
SW3(config-mst)#revision 1

Up to 16 MST instances (MSTIs) can exist in a region, numbered 0 – 15. On occasion, you’ll see the first ten MST instances referred to as “00” – “09”; those are decimal values, not hexadecimal values. MSTI Zero is reserved for the IST instance.

SW3(config-mst)#instance ?
  <0-4094>  MST instance id
SW3(config-mst)#instance 1 ?
  vlan  Range of vlans to add to the instance mapping
SW3(config-mst)#instance 1 vlan ?
  LINE  vlan range ex: 1-65, 72, 300 -200
SW3(config-mst)#instance 1 vlan 1-250
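The region rules above (a region is defined by the config name, the revision number and the VLAN-to-instance mapping, with unmapped VLANs falling into instance 0) can be modelled offline. The following is an added Python example, not code from the book or from Cisco; the class and function names are my own, the VLAN list syntax follows the “instance 1 vlan ?” help text, and the digest is a plain MD5 over the mapping table standing in for the keyed 802.1s digest (an assumption made only to show that any mapping difference splits switches into different regions).

```python
import hashlib
from dataclasses import dataclass, field

MAX_VLAN = 4094    # VLAN ids run 1-4094, matching the "instance 1 vlan ?" help text
IST_INSTANCE = 0   # MSTI 0 is reserved for the IST; VLANs nobody maps land here


def parse_vlan_range(text):
    """Expand an IOS-style VLAN list such as '1-65, 72, 300-320' into a set of ints."""
    vlans = set()
    for piece in text.replace(" ", "").split(","):
        if not piece:
            continue
        if "-" in piece:
            low, high = (int(x) for x in piece.split("-", 1))
            if low > high or low < 1 or high > MAX_VLAN:
                raise ValueError("bad VLAN range: %s" % piece)
            vlans.update(range(low, high + 1))
        else:
            vlan = int(piece)
            if not 1 <= vlan <= MAX_VLAN:
                raise ValueError("bad VLAN id: %s" % piece)
            vlans.add(vlan)
    return vlans


def compress_vlans(vlans):
    """Render a set of VLAN ids the way 'show pending' does, e.g. '1-250,300'."""
    runs = []
    for vlan in sorted(vlans):
        if runs and vlan == runs[-1][-1] + 1:
            runs[-1].append(vlan)
        else:
            runs.append([vlan])
    return ",".join(str(r[0]) if len(r) == 1 else "%d-%d" % (r[0], r[-1]) for r in runs)


@dataclass
class MstRegionConfig:
    """The three values switches in one region must agree on: name, revision, mapping."""
    name: str
    revision: int
    instances: dict = field(default_factory=dict)  # MSTI id -> VLAN list as typed

    def mapping_table(self):
        """Full VLAN -> MSTI table; anything not mapped explicitly belongs to the IST."""
        table = {vlan: IST_INSTANCE for vlan in range(1, MAX_VLAN + 1)}
        for inst, text in self.instances.items():
            for vlan in parse_vlan_range(text):
                table[vlan] = inst
        return table

    def pending_view(self):
        """MSTI -> 'Vlans mapped' string, in the shape of the 'show pending' table."""
        by_inst = {}
        for vlan, inst in self.mapping_table().items():
            by_inst.setdefault(inst, set()).add(vlan)
        return {inst: compress_vlans(vlans) for inst, vlans in sorted(by_inst.items())}

    def digest(self):
        """Digest of the mapping table. Assumption: plain MD5 over the table stands in
        for the 802.1s digest (the standard uses a keyed HMAC-MD5); the point shown is
        that any difference in the mapping produces a different value."""
        table = self.mapping_table()
        raw = b"".join(table[vlan].to_bytes(2, "big") for vlan in range(1, MAX_VLAN + 1))
        return hashlib.md5(raw).hexdigest()

    def same_region_as(self, other):
        """Two switches share a region only when name, revision and digest all match."""
        return (self.name, self.revision, self.digest()) == (
            other.name, other.revision, other.digest())


if __name__ == "__main__":
    sw3 = MstRegionConfig("CCNP", 1, {1: "1-250"})   # the lab config from the text
    for inst, vlans in sw3.pending_view().items():
        print("Instance %d  Vlans mapped %s" % (inst, vlans))
```

Two switches configured with name CCNP, revision 1 and “instance 1 vlan 1-250” report the same digest and so land in the same region; change the revision or map one more VLAN on either switch and same_region_as() returns False, which is exactly the mismatch that silently splits a region in a real deployment.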

Verify with show pending. This is an MST configuration mode command. By default, VLANs not manually assigned to an instance are mapped to Instance Zero.

SW3(config-mst)#show pending
Pending MST configuration
Name      [CCNP]
Revision  1     Instances configured 2
Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         251-4094
1         1-250

Chapter 7: ETHERCHANNELS

Time to go from spanning to channeling! An Etherchannel is a logical bundling of two to eight parallel trunks running between two switches. This bundling of Fast Ethernet, Gig Ethernet, or even 10 Gig Ethernet ports is aggregation, and we love aggregation! We use more of our available bandwidth and we avoid some of that 50-second delay that comes with the MaxAge and Forward Delay timers. What’s not to love? (To avoid aggravation, though, ports placed inside an EC should be running at the same speed and have the same duplex settings.)

STP considers an Etherchannel to be a single link, regardless of how many physical links actually make up the Etherchannel. If one or more of the physical links in the Etherchannel go down, STP will give the link a higher cost due to the lost bandwidth, but the link is still considered up. That prevents the delay of bringing another link up!

In our lab, there are four FastEthernet trunks between SW2 and SW3. STP allows us to use only one of the trunks.

SW3#show spanning vlan 1

Interface           Role Sts Cost
------------------- ---- --- ----
Fa0/21              Root FWD 19
Fa0/22              Altn BLK 19
Fa0/23              Altn BLK 19
Fa0/24              Altn BLK 19

SW2#show spanning vlan 1

Interface           Role Sts Cost
------------------- ---- --- ----
Fa0/21              Desg FWD 19
Fa0/22              Desg FWD 19
Fa0/23              Desg FWD 19
Fa0/24              Desg FWD 19

As it stands, if 0/21 goes down on SW3, 0/22 will begin the transition from blocking to forwarding. In the meantime, communication between the two switches is lost. This temporary lack of a forwarding port can be avoided with an Etherchannel. By combining the physical ports into a single logical link, not only is the bandwidth of the links combined, but the failure of a link inside an Etherchannel will not force STP to start bringing another port from blocking to forwarding.

Let’s put 0/21, 0/22, and 0/23 on both switches into an Etherchannel with the channel-group command. We’ll leave 0/24 alone for now. (The channel group number does not have to match between switches.) I’ll use interface range to make things a little quicker.

SW2(config)#int range fast 0/21 - 23
SW2(config-if-range)#channel-group 1 ?
  mode  Etherchannel Mode of the interface
SW2(config-if-range)#channel-group 1 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected
SW2(config-if-range)#channel-group 1 mode on
%LINK-3-UPDOWN: Interface Port-channel1, changed state to up

SW3(config)#int range fast 0/21 - 23
SW3(config-if-range)#channel-group 5 mode on
%LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel5, changed state to up

The interfaces mentioned in the console messages, port-channel1 and port-channel5, are the logical representations of the Etherchannels on the respective switches. Let’s check out STP on SW3.

SW3#show spanning vlan 1

Interface           Role Sts Cost
------------------- ---- --- ----
Fa0/24              Altn BLK 19
Po5                 Root FWD 9

Things have changed! The Etherchannel (Po5, short for port-channel 5) is now the connection in use, and the path cost for that port is 9, less than half that of a single FastEthernet port! SW2 shows the same path cost result.

SW2#show spanning vlan 1

Interface           Role Sts Cost
------------------- ---- --- ----
Fa0/24              Desg FWD 19
Po1                 Desg FWD 9

Let’s see what happens to the STP costs and ports when one of the links inside the Etherchannel fails. We’ll shut down 0/21 on SW3 and then verify the changes.

SW3(config)#int fast 0/21
SW3(config-if)#shut

SW3#show spanning vlan 1

Interface           Role Sts Cost
------------------- ---- --- ----
Fa0/24              Altn BLK 19
Po5                 Root FWD 12

SW2#show spanning vlan 1

Interface           Role Sts Cost
------------------- ---- --- ----
Fa0/24              Desg FWD 19
Po1                 Desg FWD 12

The down link in the Etherchannel was detected by STP, and the port’s path cost increased, but the Etherchannel remained in forwarding mode and 0/24 stays blocked! Thanks to our Etherchannel, STP didn’t have to go to the trouble of opening 0/24.

Negotiating An Etherchannel

The industry standard EC negotiation protocol is the Link Aggregation Control Protocol (LACP) and the Cisco-proprietary EC negotiation protocol is the Port Aggregation Protocol (PAgP). PAgP and LACP use different terminology to express the same modes. (Surprise!) We actually saw those in the channel-group command:

SW3(config)#int fast 0/24
SW3(config-if)#channel-group 5 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected

With PAgP, a port in desirable mode will initiate bundling with a remote port, while a port in auto mode waits for the port on the other end of the trunk to start the process. If the ports at each endpoint are in auto, you know you’ll be waiting a long time. (Forever.) I hate typing “PAgP”, and with good reason, but I love how the protocol dynamically changes all of the other ports in an EC when you change a property of one of them statically (speed, duplex, etc.).

Defined in 802.3ad (the IEEE standard, not the year), LACP assigns a priority value to each port with Etherchannel capability. You can assign up to 16 ports to an LACP-negotiated Etherchannel, but only the eight ports with the lowest port priority will actually be part of the EC. The remaining ports will be bundled only if one or more of the already-bundled ports fails.

With LACP, a port in active mode initiates bundling and passive ports are just that! If the ports at each endpoint are passive, an EC will never form.

After re-opening 0/21 on SW3, I’ll put all available trunks into a PAgP Etherchannel, verifying with show pagp neighbor.

SW2(config)#int range fast 0/21 - 24
SW2(config-if-range)#channel-group 1 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected
SW2(config-if-range)#channel-group 1 mode desir

SW3(config)#int range fast 0/21 - 24
SW3(config-if-range)#channel-group 5 mode desir

SW3#show pagp neighbor
Flags:  S - Device is sending Slow hello.  C - Device is in Consistent state.
        A - Device is in Auto mode.        P - Device learns on physical port.

Channel group 5 neighbors
          Partner              Partner          Partner         Partner Group
Port      Name                 Device ID        Port       Age  Flags   Cap.
Fa0/21    SW2                  0017.9466.f780   Fa0/21     14s  SC      10001
Fa0/22    SW2                  0017.9466.f780   Fa0/22      2s  SC      10001
Fa0/23    SW2                  0017.9466.f780   Fa0/23      5s  SC      10001
Fa0/24    SW2                  0017.9466.f780   Fa0/24     11s  SC      10001

We’re not going to get into every field of this output, but I’m sure you can see that having a command that gives you the name, device ID, and port of the partner in the group can be very helpful for verification and/or troubleshooting.

After removing the PAgP EC, I created one with LACP, verified with show lacp neighbor.

SW2(config)#int range fast 0/21 - 24
SW2(config-if-range)#channel-group 1 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected
SW2(config-if-range)#channel-group 1 mode active

SW3(config)#int range fast 0/21 - 24
SW3(config-if-range)#channel-group 5 mode active

SW3#show lacp neighbor
Flags:  S - Device is requesting Slow LACPDUs
        F - Device is requesting Fast LACPDUs
        A - Device is in Active mode       P - Device is in Passive mode

Channel group 5 neighbors

Partner’s information:

                  LACP port                        Admin  Oper   Port    Port
Port      Flags   Priority  Dev ID          Age    key    Key    Number  State
Fa0/21    SA      32768     0017.9466.f780  20s    0x0    0x1    0x118   0x3D
Fa0/22    SA      32768     0017.9466.f780  19s    0x0    0x1    0x119   0x3D
Fa0/23    SA      32768     0017.9466.f780  21s    0x0    0x1    0x11A   0x3D
Fa0/24    SA      32768     0017.9466.f780  23s    0x0    0x1    0x11B   0x3D

The output is different, but matching up the Device ID and port information can be very helpful in troubleshooting.

I’ve also used show etherchannel brief in troubleshooting, but last time I tried…

SW3#show etherchannel brief
% Command accepted but obsolete, unreleased or unsupported; see documentation.
Channel-group listing:
----------------------
Group: 5
----------
Group state = L2
Ports: 4   Maxports = 16
Port-channels: 1 Max Port-channels = 16
Protocol:   LACP
Minimum Links: 0

How about show etherchannel summary?

SW3#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
5      Po5(SU)         LACP      Fa0/21(P)   Fa0/22(P)   Fa0/23(P)   Fa0/24(P)

That’s more like it! All four ports are marked with the “P” flag, meaning they’re part of a port-channel, and that’s just what we wanted to see. Note the flags next to Po5, “SU”. The “U” indicates the channel is in use (good) and the “S” means it’s a Layer 2 EC (hmmm, more on that later!).

How The Link Is Chosen For A Particular Traffic Flow

Etherchannels give us load balancing, but not pure load balancing. In our lab, we have four parallel links in the EC, but that doesn’t mean each link is carrying 25% of the load. Basically, a Cisco-proprietary hash algorithm is run that will deliver a value of 0 – 7, and those values are assigned to links in the EC. It’s these values that are used to determine which link will handle which traffic flow. (We’re dealing with per-flow balancing here, not per-packet or per-frame.) That algorithm can use any of the following:

Source IP address
Destination IP address

Both source and destination IP address
Both source and destination MAC address
TCP / UDP port numbers

(You get the point.) The switch may use the hash of the last low-order bits to choose the link that will carry the traffic flow, or it may get the exclusive-OR operation (“XOR”) involved. For every method involving only one value, the hash of the bits reveals the port that will handle traffic for that particular flow. The only time the XOR operation is used is when one of the combination load-balancing methods is used – the source and destination IP address, the source and destination MAC address, or the source and destination port number.

The XOR operation’s name might look scary, but it’s one of the easiest math operations you’ll ever carry out. It’s a bit-by-bit comparison, with only two possible answers:

If the compared bits are the same, the result is 0.
If the compared bits are different, the result is 1.

That’s it! The number of bits needed for the XOR depends on how many links we have in the EC:

Number of links in EC   # of lowest-order bits to XOR   Possible results
2                       1                               0, 1
4                       2                               0, 1, 2, 3
8                       3                               0, 1, 2, 3, 4, 5, 6, 7

Using our four-link EC, let’s figure out which link traffic sourced from 179.38.39.11 and destined for 210.47.49.22 would use. If you want to break down the entire address for practice (ahem), that’s a great idea, but with a 4-link EC we only need the last two bits. The last octet of each address, with the two lowest-order bits highlighted:

11 = 00001011
22 = 00010110

We perform the XOR on a bit-by-bit basis, from left to right, so we’ll first XOR the 7th bit of each octet, “1” and “1”. That gives us a “0” for the first bit of the XOR result. When we XOR the 8th bit of each octet, “1” and “0”, the return is a “1” for the XOR’s second and final bit. “01” converts to the decimal 1, so the switch will use the port assigned value “01” to send the data.

Let’s walk through another example, using a source IP address of 179.38.39.11 and a destination of 190.47.49.15. We need the last two bits of each address for our XOR.

11 = 00001011
15 = 00001111

Since both bits in the 7th position and both bits in the 8th position match up, we know our XOR return is “00”, resulting in the link assigned value 0 as the winner!

To change the load-balancing method for your switch, use port-channel load-balance and verify with show etherchannel load-balance. This is a global command – you can’t change the load balancing method on a per-port or per-EC basis.

SW3(config)#port-channel load-balance ?
  dst-ip       Dst IP Addr
  dst-mac      Dst Mac Addr
  src-dst-ip   Src XOR Dst IP Addr
  src-dst-mac  Src XOR Dst Mac Addr
  src-ip       Src IP Addr
  src-mac      Src Mac Addr

The “XOR” choices balance on source and destination IP or source and destination MAC. Verify with show etherchannel load-balance.

SW3#show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
        dst-ip
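As an added worked example (not code from the study guide), here is the link selection the text just walked through, in Python. It models the method the text describes, the lowest-order bits of the address, XORed for the combination methods, for 2-, 4- and 8-link bundles and for the MAC-based keywords as well. The function names select_link and show_work are my own; a real Catalyst's hash is proprietary, so this is a model of the text's arithmetic, not of the silicon.

```python
"""EtherChannel per-flow link selection by XOR of low-order address bits.

Added worked example, not code from the study guide: it reproduces the
hand calculation in the text (4-link EC, src-dst-ip method) and extends
it to the other load-balancing keywords and to 2- and 8-link bundles.
A real Cisco switch runs a proprietary hash; the XOR of the lowest-order
bits described in the text is the model used here.
"""
import ipaddress

# Lowest-order bits consumed for each supported bundle size
# (the table in the text: 2 links -> 1 bit, 4 -> 2 bits, 8 -> 3 bits).
BITS_FOR_LINKS = {2: 1, 4: 2, 8: 3}


def low_bits(value: int, nbits: int) -> int:
    """Return the lowest nbits bits of an integer."""
    return value & ((1 << nbits) - 1)


def mac_to_int(mac: str) -> int:
    """Parse a Cisco-style (0017.9466.f780) or colon/dash-style MAC into an int."""
    return int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)


def select_link(method: str, src: str, dst: str, n_links: int) -> int:
    """Return the link index (0 .. n_links-1) a flow hashes to.

    method is one of the port-channel load-balance keywords shown in the
    text: src-ip, dst-ip, src-dst-ip, src-mac, dst-mac, src-dst-mac.
    Single-value methods use the low-order bits of that one address;
    the combination methods XOR the low-order bits of both.
    """
    if n_links not in BITS_FOR_LINKS:
        raise ValueError("EC size must be 2, 4 or 8 links for this model")
    nbits = BITS_FOR_LINKS[n_links]

    if method.endswith("-ip"):
        s = int(ipaddress.ip_address(src))
        d = int(ipaddress.ip_address(dst))
    elif method.endswith("-mac"):
        s = mac_to_int(src)
        d = mac_to_int(dst)
    else:
        raise ValueError(f"unknown load-balance method {method!r}")

    if method.startswith("src-dst"):
        return low_bits(s, nbits) ^ low_bits(d, nbits)
    if method.startswith("src"):
        return low_bits(s, nbits)
    return low_bits(d, nbits)


def show_work(src: str, dst: str, n_links: int = 4) -> str:
    """Render the bit-by-bit working the text does by hand for src-dst-ip."""
    nbits = BITS_FOR_LINKS[n_links]
    s = low_bits(int(ipaddress.ip_address(src)), nbits)
    d = low_bits(int(ipaddress.ip_address(dst)), nbits)
    r = s ^ d
    return (f"{src:>15} -> {s:0{nbits}b}\n"
            f"{dst:>15} -> {d:0{nbits}b}\n"
            f"{'XOR':>15} -> {r:0{nbits}b} = link {r}")


if __name__ == "__main__":
    # The two flows worked through in the text: links 1 and 0.
    print(show_work("179.38.39.11", "210.47.49.22"))
    print(show_work("179.38.39.11", "190.47.49.15"))
```

Running it prints the two hand calculations from the text. The model also makes the capacity point concrete: with a single-value method such as dst-ip and one destination address, every flow lands on the same link no matter how many sources there are.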

EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Destination MAC address
  IPv4: Destination IP address
  IPv6: Destination IP address

Remember This?

In the midst of all the loop guarding and MSTing and BackboneFasting we did earlier was a little something about ECs. To prevent the creation of a switching loop due to EC misconfiguration, run spanning etherchannel guard misconfig. As a result, ports will be placed into err-disabled state if a condition exists that might result in a switching loop. Let’s use IOS Help to flesh this out.

SW2(config)#spanning ?
  backbonefast  Enable BackboneFast Feature
  etherchannel  Spanning tree etherchannel specific configuration
  extend        Spanning Tree 802.1t extensions
  logging       Enable Spanning tree logging
  loopguard     Spanning tree loopguard options
  mode          Spanning tree operating mode
  mst           Multiple spanning tree configuration
  pathcost      Spanning tree pathcost options
  portfast      Spanning tree portfast options
  transmit      STP transmit parameters
  uplinkfast    Enable UplinkFast Feature
  vlan          VLAN Switch Spanning Tree

SW2(config)#spanning etherchannel ?
  guard  Configure guard features for etherchannel

SW2(config)#spanning etherchannel guard ?
  misconfig  Enable guard to protect against etherchannel misconfiguration

SW2(config)#spanning etherchannel guard misconfig ?
  <cr>

If you use one of the EC negotiation protocols, you really shouldn’t run into an issue with a misconfigured EC, since the EC won’t be created in the first place if there’s a problem. The channel-group “on” option sidesteps negotiation, and you could run into trouble if one side of your links is set up for an EC and the other isn’t (I speak from experience).

EC Troubleshooting Tips

Ports configured for dynamic VLAN assignment from a VMPS cannot become part of an EC, nor can such a port remain part of an EC if that change occurs after the port is already part of an EC.

The allowed range of VLANs on the ports in the EC must match that of the port-channel. Here’s what happened after I changed the range of allowed VLANs on all ports in SW3’s EC without doing so on the port-channel:

SW3(config-if-range)#switchport trunk allowed vlan 100,20
%EC-5-CANNOT_BUNDLE2: Fa0/22 is not compatible with Po5 and will be suspended (vlan mask is different)
%EC-5-CANNOT_BUNDLE2: Fa0/23 is not compatible with Po5 and will be suspended (vlan mask is different)
%EC-5-CANNOT_BUNDLE2: Fa0/24 is not compatible with Po5 and will be suspended (vlan mask is different)
%EC-5-CANNOT_BUNDLE2: Fa0/23 is not compatible with Po5 and will be suspended (vlan mask is different)

Not good! However, once I went to SW2 and ran the same command, the EC came back up.

SW2(config)#int range fast 0/21 - 24
SW2(config-if-range)#switchport trunk allowed vlan 100,20

SW2#show etherchannel summary
(Flags removed)

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Fa0/21(P)   Fa0/22(P)   Fa0/23(P)   Fa0/24(P)

Individual ports inside the EC must agree on this value as well. When I changed the allowed VLAN setting for SW2’s 0/21, that port immediately unbundled.

SW2(config)#int fast 0/21
SW2(config-if)#switchport trunk allowed vlan 200,300
SW2(config-if)#^Z
SW2#
*Mar 1 01:18:39.472: %EC-5-CANNOT_BUNDLE2: Fa0/21 is not compatible with Fa0/22 and will be suspended (vlan mask is different)
*Mar 1 01:18:39.472: %EC-5-CANNOT_BUNDLE2: Fa0/21 is not compatible with Fa0/22 and will be suspended (vlan mask is different)

This is really true of any port attribute, including speed, duplex, and native VLAN. If you change one of those and the EC comes down, you know what to do – change it back!

A few more notes that can save you CCNP exam points and troubleshooting time…

A SPAN source port can be part of an Etherchannel, but not a SPAN destination port.

Ports in an EC cannot be configured with port security.

Ports in an EC should have the same native VLAN set.

Know your LACP and PAgP modes! The mode doesn’t have to match, but you do have to have LACP or PAgP modes on each side. You can’t have LACP negotiating one side and PAgP negotiating the other, or you’ll never have an EC!

If one end of the EC is running in on mode, the other end has to as well.

And finally… While keeping in mind that EC load-balancing methods do not have to match between switches, be sure to choose the load-balancing method that fits your situation. If you have multiple source IP addresses and one destination IP address, there’s not much use in using destination IP addresses in your load-balancing methods!

With our trunks neatly bundled, it’s time to do a little multilayer switching and work with our First Hop Redundancy Protocols (FHRPs). Let’s get started!

Chapter 8: MULTILAYER SWITCHING AND HIGH AVAILABILITY PROTOCOLS

One of the first things you get hit over the head with in your CCNA studies is that a switch runs at Layer 2, a router runs at Layer 3, and never the two shall meet.

Let me take this time to “un-hit” you while introducing you to Layer 3 Switches, also known as multilayer switches. Multilayer switches are devices that switch and route packets in the switch hardware itself. If two hosts in separate VLANs are connected to the same multilayer switch, the correct configuration will allow that communication without the data ever leaving the switch.

When it comes to Cisco Catalyst switches, this hardware switching is performed by a router processor (or “L3 engine”). This processor must download routing information to the hardware itself, including info regarding ACLs and QoS. Basically, Application-Specific Integrated Circuits (ASICs) will perform the L2 rewriting operation of these packets. From your CCNA studies, you know that the IP source and destination addresses of a packet do not change as the packet travels the network, but the MAC addresses just might and probably will. With multilayer switching, it’s the ASICs that perform this L2 address overwriting.

The CAM And TCAM Tables

The CAM table, also known as the bridging table, the switching table, and on occasion the MAC address table, is still present in a multilayer switch. The table operates just as an L2 switch’s CAM table does. Thing is, we have a lot more going on with our L3 switches, including routing, ACLs, and QoS. A simple CAM table can’t handle all of this, so we also have the TCAM table – Ternary Content Addressable Memory. Basically, the TCAM table stores everything the CAM table can’t.

Multilayer Switching Methods

To make this hardware-based packet processing happen, the switch will run the legacy Multilayer Switching (MLS) or the newer Cisco Express Forwarding (CEF).

The first MLS method is route caching. Route caching devices have both a routing processor and a switching engine. The routing processor routes a flow’s first packet, the switching engine snoops in on that packet and the destination, and then the switching engine takes over and forwards the rest of the packets in that flow. A flow is a unidirectional stream of packets from a given source to a given destination.

The MLS cache entries support such unidirectional flows, and such packets sent by a given protocol will be part of a single flow. If a source is sending both WWW and TFTP packets to the same destination, we have two flows of traffic.

Route caching can be effective, but there’s one slight drawback: the first packet in any flow will be switched by software. Even though all other packets in the flow will be hardware-switched, it is more effective to have all of the packets switched by hardware. That’s where CEF comes in.

Enabling CEF is EZ, since CEF is on by default on any and all CEF-enabled switches, and you can’t turn it off! Since CEF is hardware-based rather than software-based, this is not a situation where running “no cef” at the CLI will disable CEF. There’s no such command! IP routing must be on for CEF to run.

The two major components of CEF are the Forwarding Information Base (FIB) and the Adjacency Table (AT). The FIB contains the usual routing information we need – destination networks, masks, next-hop IP addresses, etc. – and CEF will use the FIB to make L3 prefix-based decisions. The FIB’s contents will mirror that of the IP routing table, since the FIB is really just the IP routing table in another format.

The FIB takes care of us at L3, but what of L2? That’s where the AT comes in. As adjacent hosts are discovered via ARP, that next-hop L2 information is kept in the table for CEF switching. (A host is considered adjacent to another if they’re just one hop apart.) Should either the TCAM or AT hit capacity, there is a wildcard entry that redirects traffic to the routing engine.

Summing it up, the FIB contains L3 information and is created via the IP routing table, and the AT contains L2 information and is created via the ARP table.

Primarily designed for backbone switches, this topology-based switching method requires special hardware, so it’s not available on all L3 switches. CEF is highly scalable and is also easier on a switch’s CPU than route caching.

At this point, the multilayer switch is just about ready to forward the packet. The switch will make the same changes to the packet that a router would, and that includes changing the L2 destination MAC address to the next-hop MAC address. The L2 source address will be the MAC address of the switch interface transmitting the packet.

Inter-VLAN Routing With An SVI

With these important nuts and bolts out of the way, let’s configure an L3 switch, starting with a Switched Virtual Interface!

Multilayer switches allow us to create a logical interface, the Switched Virtual Interface (SVI), representing a VLAN, and creating one is just like creating a loopback interface. Just go into config mode, create the interface, give it an IP address, and you’re done. We can create an SVI for any VLAN. In this lab, we’ll create SVIs that will allow hosts in different IP subnets and different VLANs to communicate without a separate L3 device.

The VLAN 1 interface present by default on all L2 switches is an SVI, and it’s the only default SVI.

interface Vlan1
 no ip address

I’ll send pings between the two now, even though we know darn well they can’t have a chat… yet.

R1#ping 30.1.1.1
.....
Success rate is 0 percent (0/5)

R3#ping 20.1.1.1
.....
Success rate is 0 percent (0/5)

Doesn’t look good! Let’s enable IP routing, which is disabled on a multilayer switch by default!

SW3#show ip route
Default gateway is not set

Host               Gateway           Last Use    Total Uses  Interface
ICMP redirect cache is empty

SW3(config)#ip routing

The ports have already been placed into their respective VLANs and the ports are access ports. We’ll now create two SVIs on the switch, one representing VLAN 11 and the other VLAN 33.

SW3(config)#int vlan 11
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan11, changed state to up
SW3(config-if)#ip address 20.1.1.11 255.255.255.0
SW3(config-if)#int vlan 33
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan33, changed state to up
SW3(config-if)#ip address 30.1.1.11 255.255.255.0

Both SVIs show as up/up immediately after creation on our multilayer switch. We’ll verify the status on both with this clipped output from show interface vlan. Note that the hardware is listed as “EtherSVI”.

SW3#show int vlan11
Vlan11 is up, line protocol is up
  Hardware is EtherSVI, address is 001c.0fbf.2f41 (bia 001c.0fbf.2f41)
  Internet address is 20.1.1.11/24

SW3#show int vlan 33
Vlan33 is up, line protocol is up
  Hardware is EtherSVI, address is 001c.0fbf.2f42 (bia 001c.0fbf.2f42)
  Internet address is 30.1.1.11/24

Looks good! Let’s check those routing tables!

SW3#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.1.1.0/24 is directly connected, Vlan11
L        20.1.1.11/32 is directly connected, Vlan11

      30.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        30.1.1.0/24 is directly connected, Vlan33
L        30.1.1.11/32 is directly connected, Vlan33

That looks just a bit more like our routing table! When SVIs are in use, the default gateway on the hosts must be the IP address assigned to the SVI that represents that host’s VLAN. Since we’re using Cisco routers for hosts, we’ll use ip route to set the default gateway.

HOST1(config)#ip route 0.0.0.0 0.0.0.0 20.1.1.11
HOST3(config)#ip route 0.0.0.0 0.0.0.0 30.1.1.11

Can they ping? Yes, they can!

HOST1#ping 30.1.1.1
Type escape sequence to abort.
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms

HOST3#ping 20.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms

With that default gateway set correctly, the hosts can communicate, and no routing protocol is required in this case.

SVI Success Tips:

1. One SVI per VLAN and one VLAN per SVI.

2. Have active ports in the VLAN before you create an SVI for that same VLAN. If you create the SVI before doing that, you end up with a sad SVI.

SW3(config)#int vlan 66
SW3(config-if)#
*Mar 1 03:14:32.831: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan66, changed state to down
SW3(config-if)#ip address 66.1.1.1 255.255.255.0

SW3#show int vlan 66
Vlan66 is down, line protocol is down

3. The hosts must have their default gateway set to the IP address on the SVI representing their VLAN. If you don’t get the ping results you expect and your SVIs are up, I can almost guarantee that the hosts have an incorrect default gateway set.

4. The only default SVI on the switch is the one for VLAN 1.

Routed Ports (Layer 3 Ports)

On L3 switches, we also have the option of configuring a physical port as a routed port. Routed ports do not represent a particular VLAN as an SVI does, but routed ports are physical interfaces and SVIs are logical interfaces. You assign an IP address to a routed port in the same way you would an SVI.

Let’s add a router to our network that leads our hosts to the Internet.

Even though IP routing is enabled, the ports on our multilayer switch are still in L2 mode (that’s the default for many Cisco multilayer switches). To configure a routed port, use no switchport followed by the desired IP address. In the following config, the line protocol on the switch port goes down, but comes back up in a few seconds. That’s the normal and expected behavior.

SW3(config-if)#no switchport
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to up
SW3(config-if)#ip address 210.1.1.11 255.255.255.0

Verify addressing and status with show interface fast 0/5 and verify L3 status with show interface switchport.

SW3#show int fast 0/5
FastEthernet0/5 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 001c.0fbf.2f44 (bia 001c.0fbf.2f44)
  Internet address is 210.1.1.11/24

SW3#show int fast 0/5 switchport
Name: Fa0/5
Switchport: Disabled

(Note: If this is disabled, the port is running at L3.)

The switch can now ping 210.1.1.1, the router’s interface.

SW3#ping 210.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

Right now, each host can ping 210.1.1.11, the switch’s interface in that subnet. However, they can’t ping 210.1.1.1, the router’s interface.

HOST1#ping 210.1.1.11
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms

HOST1#ping 210.1.1.1
.....
Success rate is 0 percent (0/5)

HOST3#ping 210.1.1.11
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

HOST3#ping 210.1.1.1
.....
Success rate is 0 percent (0/5)

The pings can’t find their way back to the hosts because the router has no path to either 20.1.1.0 /24 or 30.1.1.0 /24.

R1#show ip route
(code table removed for clarity)

Gateway of last resort is not set

      210.1.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        210.1.1.0/24 is directly connected, FastEthernet0/0

To remedy that, we’ll configure EIGRP between the multilayer switch and the router, the downstream router. The adjacency comes up very quickly:

SW3(config)#router eigrp 100
SW3(config-router)#no auto
SW3(config-router)#network 210.1.1.0 0.0.0.255
SW3(config-router)#network 20.1.1.0 0.0.0.255
SW3(config-router)#network 30.1.1.0 0.0.0.255
%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 210.1.1.1 (FastEthernet0/5) is up: new adjacency

The router now has the VLAN subnets in its routing table…

R1#show ip route

Gateway of last resort is not set

      20.0.0.0/24 is subnetted, 1 subnets
D        20.1.1.0 [90/28416] via 210.1.1.11, 00:01:07, FastEthernet0/0
      30.0.0.0/24 is subnetted, 1 subnets
D        30.1.1.0 [90/28416] via 210.1.1.11, 00:01:00, FastEthernet0/0
      210.1.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        210.1.1.0/24 is directly connected, FastEthernet0/0
L        210.1.1.1/32 is directly connected, FastEthernet0/0

… and the hosts now have two-way connectivity with R1 at 210.1.1.1.

HOST1#ping 210.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

HOST3#ping 210.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

Routed Port Success Checklist (Short, but important)

1. Be sure to enable IP routing with the global ip routing command. It’s off by default.

2. Be just as sure to enable your routed port’s L3 capabilities with the interface-level no switchport command, and verify with show interface switchport. Need to turn the port’s L2 capabilities back on? Just use switchport and you’re gold!

We’ll wrap this section up with a look at the FIB, now that we have some routes and other info in there! Here’s a segment of the FIB from the multilayer switch in our lab.

SW3#show ip cef
Prefix               Next Hop             Interface
0.0.0.0/0            receive
20.1.1.0/24          attached             Vlan11
20.1.1.0/32          receive              Vlan11
20.1.1.1/32          attached             Vlan11
20.1.1.11/32         receive              Vlan11
20.1.1.255/32        receive              Vlan11

Under “Next Hop”, receive indicates packets that will be handled by the L3 engine. Those include the broadcasts for the 20.1.1.0 /24 segment (“20.1.1.255/32”). The attached entries include directly connected addresses and subnets.

High Availability Schemes And Redundancy Protocols

Before we hit our First Hop Redundancy Protocols (FHRPs), we’re going to take a brief and important look at two redundancy tactics that don’t involve a particular protocol.

The Virtual Switching System

With VSS, we’re representing a pair of physical switches (the “VSS Pair”) as a single logical switch, including the same IP address. Even better, we have the ability to create MultiChassis Etherchannels where ports on the physical switches in the VSS can be bundled.

One switch is the active switch, the other the standby switch. The active switch handles the workload, with the standby ready to step in if the active switch becomes unavailable. The physical switches in a VSS pair communicate via the virtual switch link (VSL). The VSL is actually an Etherchannel.

Our redundancy comes in the form of Stateful SwitchOver (SSO) and NonStop Forwarding (NSF). SSO and NSF are enabled by default in a VSS config. With SSO, the backup supervisor is fully booted, fully initialized, and ready to step in as the active router at a moment’s notice – literally! – since the two switches will now be using a lot of the same information. NSF is all about keeping the overall downtime to a minimum by preventing link flapping (“route flapping”) during the cutover. Between SSO and NSF, the speed of the cutover to the new active switch and the continued forwarding of packets during that cutover make the transition as smooth as the proverbial baby’s butt.

Side note: There are other redundancy modes available to us on Cat switches, including Router Processor Redundancy (RPR) and Router Processor Redundancy Plus (RPR+). RPR allows the backup supervisor to boot partially, while RPR+ allows the backup supervisor to boot fully and initialize its routing engine. SSO is faster than RPR+, and RPR+ is faster than RPR.

Now back to our story! How does the standby switch know when it needs to take over as the active switch? The two switches regularly exchange control info over the VSL, and should the backup switch detect via the VSL that the active switch has failed, that switch now becomes the active switch. When the previous switch is back online, it will not take over its original role as the active router.

All well and good, but what if the VSL itself goes down? How could the standby switch know whether the active switch is still active? In this situation, the standby switch takes it upon itself to become the active switch. At this point, both switches will be active, and we have a dual-active situation. This sounds great, but if it was all that great, this would be the default and we wouldn’t have a standby! Dual-active is not desirable.

For the network to recover, one of these switches needs to take itself out of the picture – but which one? It’s the first active switch that drinks the virtual hemlock in the form of putting every single one of its non-VSL interfaces into err-disabled mode. VSS goes into dual-active recovery. It’ll stay that way until the VSL is back up.

The remaining active switch will forward traffic normally. When the VSL is repaired, the switch with the err-disabled ports will come back online and assume the standby role.

Most Cisco white papers on VSS will mention that VSS eliminates the need for an FHRP. That may be true of production networks, but not of your CCNP Switch and Tshoot exams. Those exams will be covered with FHRP questions, and we’ll hit FHRPs hard right after this word to the (stack)wise!

StackWise

We’re about to stack cables in a wise manner. (Get it?) StackWise lets us physically link up to nine switches to create a switch unit or switch stack. When we’re done connecting our switches with some very special stack interconnect cables, we end up with a fully functioning two-way path. Each path supports up to 16 Gbps in each direction. If one of our cables breaks, we lose 50% of our capacity immediately. That’s quite a cap hit; thankfully, it’s a very temporary hit.

The entire stack is given one IP address and one config file, a copy of which is sent to every switch in the stack. You and I, the network admins, can not only add and remove switches without interrupting service, but we don’t even have to configure the new switch. StackWise will take care of that for us! The master switch will autoconfig the new arrival with the stack’s IOS image, then send the config to the new switch.

There is no single point of failure in a switch stack, but there is a single point of pain, and that’s the aptly named master switch. One of these switches has to be a “boss switch”. That master switch has quite the workload, including downloading forwarding tables, ACL info, and QoS info to the non-masters. The master switch also has to handle ping requests and remote connection requests. The master switch keeps a master MAC address table, a copy of which is sent to non-masters. The master switch is also responsible for letting non-masters know of additions and removals of switches in the stack.

That switch is chosen via a master switch election:

1. The network admin can select a particular switch to be the master.
2. If none are selected in that manner, a preconfigured switch wins over a non-preconfigured switch.
3. If that’s a tie, the switch with the best feature set wins.
4. If that’s somehow a tie, the switch that’s been up the longest wins.
5. If that’s a tie, the switch with the lowest MAC is selected as master.

Our new pal NonStop Forwarding (NSF) is supported in StackWise, which helps keep the packets flowing when there’s the slightest break in service. NSF works with RPR+ to keep things rolling when we’re cutting over from one master to another. RPR+ has those non-master switches fully initialized and ready to step in when needed. The failover takes microseconds.

StackWise requires every switch in the stack to run the same IOS. When we add a new switch to the stack, the master will ask the newcomer if it’s running the same IOS image as the master. If so, the master sends the config to the new switch and all is well, and the new switch joins the stack. If the new switch does not have the same IOS image, all is not well, but we’ll make it well with this process:

1. The master will download the Cisco IOS image from its own Flash to the new switch, then send the config to the new switch.

2. We can configure a TFTP server for that IOS download. With that option, the master switch will grab the IOS image from the TFTP server, send it to the new switch, then send the config over.

3. If not, the master will put the new switch into suspension, let us know about the problem, and then wait for us to do something about it! Namely, the master expects to be supplied with an IOS image that supports the master’s hardware and the new switch’s hardware. Once that happens, the master will then upgrade every switch that was already part of the stack to that IOS, along with the new switch. The new switch can then join the stack, and the entire stack then goes live.

The first two possibilities assume that the new switch’s hardware can handle the necessary IOS image. Frankly, let’s hope our hardware is compatible!

This is enough to get you started with StackWise. There’s a lot more to StackWise, and Cisco could probably have a certification based just on VSS and StackWise. If your network uses it or you want to learn more about it, head to Cisco’s website and grab some PDFs.

Whew! With all that said, we’re moving on to FHRPs!

The Hot Standby Routing Protocol

In this section, I’m going to refer to routers rather than L3 switches, since the HSRP terminology refers to “active routers” and “standby routers”. The theory and commands of HSRP run the same on an L3 switch as on a router. Also, the icon I’m using for multilayer switches is slightly different than the one you saw earlier – there’s no “Si” in the middle. I wanted to make sure you saw both versions.

Defined in RFC 2281, HSRP is a Cisco-proprietary router redundancy protocol in which routers are placed into an HSRP router group. One of the routers in the group is selected as the active router, while others in the group are standby routers. It won’t surprise you to learn that the active router handles the actual workload while the standby routers do just that – stand by! HSRP ensures a high network uptime, since it routes IP traffic without reliance on a single router.

The terms active and standby do not refer to the actual operational status of the routers, just to their status in their HSRP group.

The actual IP and MAC addresses of the physical routers in the group are unknown to downstream devices. Those devices are actually communicating with a pseudorouter, a virtual router created by the HSRP configuration. This virtual router will have a MAC and IP address of its own, and downstream devices send data to those addresses.

In our first lab, MLS_1 (int VLAN 100, 172.16.23.1 /24) and MLS_2 (int VLAN 100, 172.16.23.2 /24) are the routers in the HSRP group. The configuration will create a virtual router with the IP address 172.16.23.12 /24, and it’s that address that should be used by all hosts in VLAN 100 as their default gateway.

After verifying the SVI for VLAN 100 on each router, we're off!

    MLS_1#show int vlan 100
    Vlan100 is up, line protocol is up
      Hardware is EtherSVI, address is 001c.9466.2f41 (bia 001c.9466.2f41)
      Internet address is 172.16.23.1/24

    MLS_2#show int vlan 100
    Vlan100 is up, line protocol is up
      Hardware is EtherSVI, address is 0017.0fbf.f7c1 (bia 0017.0fbf.f7c1)
      Internet address is 172.16.23.2/24

We'll put both SVIs in HSRP group 5 and let 'em fight it out over the active router role to see what happens. I'll use IOS Help on MLS_1 to show our HSRP options.

    MLS_1(config)#int vlan 100
    MLS_1(config-if)#standby ?
      <0-255>         group number
      authentication  Authentication
      delay           HSRP initialisation delay
      follow          Name of HSRP group to follow
      ip              Enable HSRP IPv4 and set the virtual IP address
      mac-refresh     Refresh MAC cache on switch by periodically sending packet from virtual mac address
      name            Redundancy name string
      preempt         Overthrow lower priority Active routers
      priority        Priority level
      redirect        Configure sending of ICMP Redirect messages with an HSRP virtual IP address as the gateway IP address
      timers          Hello and hold timers
      track           Priority tracking
      version         HSRP version

    MLS_1(config-if)#standby 5 ?
      authentication  Authentication
      follow          Name of HSRP group to follow
      ip              Enable HSRP IPv4 and set the virtual IP address
      name            Redundancy name string
      preempt         Overthrow lower priority Active routers
      priority        Priority level
      timers          Hello and hold timers
      track           Priority tracking

    MLS_1(config-if)#standby 5 ip ?
      A.B.C.D  Virtual IP address
      <cr>

    MLS_1(config-if)#standby 5 ip 172.16.23.12 ?
      secondary  Make this IP address a secondary virtual IP address
      <cr>

The ip command is the only required command for HSRP. You can't assign an IP address from the MLS itself as the IP address for the virtual router:

    MLS_1(config-if)#standby 5 ip 172.16.23.1
    % address cannot equal interface IP address

(So don't try it!)

    MLS_1(config-if)#standby 5 ip 172.16.23.12

Let's finish the config on MLS_2.

    MLS_2(config)#int vlan 100
    MLS_2(config-if)#standby 5 ip 172.16.23.12

Let's verify our config on MLS_2 with show standby, your #1 friend when it comes to verifying and troubleshooting HSRP. Here's our HSRP group:

    MLS_2#show standby
    Vlan100 - Group 5
      State is Active
        2 state changes, last state change 00:01:19
      Virtual IP address is 172.16.23.12
      Active virtual MAC address is 0000.0c07.ac05
        Local virtual MAC address is 0000.0c07.ac05 (v1 default)
      Hello time 3 sec, hold time 10 sec
        Next hello sent in 2.368 secs
      Preemption disabled
      Active router is local
      Standby router is 172.16.23.1, priority 100 (expires in 9.272 sec)
      Priority 100 (default 100)
      Group name is "hsrp-Vl100-5" (default)

There's a treasure trove of HSRP info here! From the top down, we see…

- Interface VLAN100 is in HSRP Group 5
- This router is in the Active state, there have been 2 state changes, and the last one was 1 minute and 19 seconds ago
- The virtual router's IP address and MAC address
- This router sends HSRP Hellos every 3 seconds
- "Preemption" is disabled – more on that very soon!
- This is the Active router ("local")
- The standby router is at 172.16.23.1 and that router's priority is 100
- The local HSRP priority is 100, and finally, the HSRP group name is displayed

Let's look at the same command's output on MLS_1.

    MLS_1#show standby
    Vlan100 - Group 5
      State is Standby
        3 state changes, last state change 00:01:45
      Virtual IP address is 172.16.23.12
      Active virtual MAC address is 0000.0c07.ac05
        Local virtual MAC address is 0000.0c07.ac05 (v1 default)
      Hello time 3 sec, hold time 10 sec
        Next hello sent in 1.936 secs
      Preemption disabled
      Active router is 172.16.23.2, priority 100 (expires in 10.920 sec)
      Standby router is local
      Priority 100 (default 100)
      Group name is "hsrp-Vl100-5" (default)

That output verifies everything we saw on MLS_2.

We know how the virtual router got its IP address; after all, we're the ones who configured it! However, we didn't enter any info regarding a MAC address. Where the heck did that come from?

Most of that address was predetermined. The MAC address 00-00-0c-07-ac-xx is HSRP's well-known virtual MAC address, and the "xx" is the HSRP group number in hexadecimal. Had we gone with HSRP group 10, the address would have been 00-00-0c-07-ac-0a. Brush up on your hex before you take the SWITCH exam!

Now that we have the MAC address source down, let's talk about that election.

The HSRP Active Router Election

The HSRP priority is the first value considered in the election. The priority is 100 by default, as we saw on both routers. Should there be a tie – and there always will be if the routers are left at their defaults – theory holds that the router with the highest IP address wins the election. MLS_2 won the election in our first lab, so the theory holds true. (Real world note: Always, always, always verify your Active router.)

Let's make MLS_1 the Active router by raising its priority. We'll go double or nothing…

    MLS_1(config)#int vlan 100
    MLS_1(config-if)#standby 5 priority 200

… and we get nothing! Let's verify the priority change:

    MLS_1#show standby
    Vlan100 - Group 5
      State is Standby
        1 state change, last state change 00:17:26
      Virtual IP address is 172.16.23.12
      Active virtual MAC address is 0000.0c07.ac05
        Local virtual MAC address is 0000.0c07.ac05 (v1 default)
      Hello time 3 sec, hold time 10 sec
        Next hello sent in 1.376 secs
      Preemption disabled
      Active router is 172.16.23.2, priority 100 (expires in 10.368 sec)
      Standby router is local
      Priority 200 (configured 200)
      Group name is "hsrp-Vl100-5" (default)

Just raising the priority on MLS_1 isn't enough to get the job done here. Either we have to reload MLS_2 so MLS_1 can take over as Active in its absence, or MLS_1 must have preemption enabled. We'd like to avoid reloads here, so let's do the latter.

    MLS_1(config)#int vlan 100
    MLS_1(config-if)#standby 5 ?
      authentication  Authentication
      follow          Name of HSRP group to follow
      ip              Enable HSRP IPv4 and set the virtual IP address
      name            Redundancy name string
      preempt         Overthrow lower priority Active routers
      priority        Priority level
      timers          Hello and hold timers
      track           Priority tracking
    MLS_1(config-if)#standby 5 preempt

Just a few seconds after enabling preemption on MLS_1…

    %HSRP-5-STATECHANGE: Vlan100 Grp 5 state Standby -> Active

… MLS_1 takes over as the Active router. This state change and the enabling of preemption are verified by show standby.

16. and MLS_1 is just sitting there.) I’ve reset the priority for both routers in Group 5 to 100.976 secs Initial (INIT): The interface enters this state when HSRP is first enabled. but for t-shooting and exam prep.ac05 Local virtual MAC address is 0000. let’s see them in order along with a quick description of each. HSRP isn’t actually running at this point.16. and MLS_2 is again the Active router. <cr> MLS _ 1(config-if)#standby 5 preempt delay ? minimum Delay at least this long reload Delay after reload sync Wait for IP redundancy clients MLS _ 1(config-if)#standby 5 preempt delay minimum ? <0-3600> Number of seconds for minimum delay We’ve seen a few of the HSRP states. priority 100 (expires in 10.0c07. Load Balancing With HSRP Had I wanted to delay any takeover by MLS_1. in that you won’t see this state actually Vlan100 . As a result. State is Active 2 state changes. last state change 00:00:51 Virtual IP address is 172. 196 We’re going to put MLS_1 to work via HSRP load balancing. I could have set delay on the preemption.12 Active virtual MAC address is 0000.23.896 sec) hello packets.2. (A short drive.12 to represent its 197 .115 S T U DY G U I D E C H R I S B R YA N T MLS _ 1#show standby Disabled: Similar to the disabled STP port state. but there’s one thing driving me crazy.23. HSRP Group 5 has MLS_2 as the Active router.23. but is not the primary or standby router. MLS _ 1(config-if)#standby 5 preempt ? delay Wait before preempting This redundancy is all well and good.Group 5 mentioned.0c07. Priority 200 (configured 200) Group name is “hsrp-Vl100-5” (default) Active: The router is now forwarding packets sent to the group’s virtual IP address. Listen: The router knows the virtual router’s IP address.ac05 (v1 default) Hello time 3 sec.16. this one requires a little help from those 60 hosts. You can also delay a takeover until after the next reload. I admit. and that group is using 172. hold time 10 sec Next hello sent in 0. 
Unlike the load balancing techniques we’ve used to this point. Preemption enabled Active router is local Standby: The router is now a candidate to become the active router and continues to send Standby router is 172. MLS_2 is doing all the work of handling traffic from 60 hosts.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 . but it is the official first HSRP port state. Speak: The router is now sending Hello messages and participating in the election of the primary and standby routers. It’s listening for Hello packets from those routers.

We're going to create Group 10 with the same two routers, making sure that MLS_1 is the Active, and that group will use the address 172.16.23.21 for its virtual router. To finish the load balancing, half of the hosts would be configured with 172.16.23.12 as their default gateway, and the other half with 172.16.23.21.

    MLS_1(config)#int vlan 100
    MLS_1(config-if)#standby 10 ip 172.16.23.21
    MLS_1(config-if)#standby 10 priority 200

    MLS_2(config)#int vlan 100
    MLS_2(config-if)#standby 10 ip 172.16.23.21
    MLS_2(config-if)#standby 10 priority 100 (hardcoding the default)

Verify with show standby. I'll show only the info related to the election.

    MLS_1#show standby
    Vlan100 - Group 5
      Preemption enabled
      Active router is 172.16.23.2, priority 100 (expires in 9.704 sec)
      Standby router is local
      Priority 100 (default 100)
    Vlan100 - Group 10
      Preemption enabled
      Active router is local
      Standby router is 172.16.23.2, priority 100 (expires in 10.808 sec)
      Priority 200 (configured 200)
      Group name is "hsrp-Vl100-10" (default)

    MLS_2#show standby
    Vlan100 - Group 5
      Preemption disabled
      Active router is local
      Standby router is 172.16.23.1, priority 100 (expires in 9.792 sec)
      Priority 100 (default 100)
    Vlan100 - Group 10
      Preemption disabled
      Active router is 172.16.23.1, priority 200 (expires in 8.384 sec)
      Standby router is local
      Priority 100 (default 100)

MLS_1 is the Active router for Group 10, and MLS_2 is the Active router for Group 5,
just as we wanted. To test this, I've configured a different default gateway on Host 2 and Host 3, and we'll send pings from each.

    HOST2#ping 172.16.23.12
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

    HOST3#ping 172.16.23.21
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

Both hosts are pinging their default gateways, and the load is now shared!

HSRP Interface Tracking

This great feature enables the HSRP process to monitor a particular interface, and the status of this interface will dynamically change the HSRP priority for a specified router – for better or for worse! When that tracked interface's line protocol is down, the HSRP priority of the router is decremented. This can lead to another HSRP router in the group becoming the Active router, but that other router must have preemption enabled.

In our next lab, MLS_2 has a priority of 105 and is the Active router. MLS_1 is the standby and has the default priority of 100. As a result, MLS_2 will handle all the traffic sent to the server behind MLS_2 and MLS_1. That's all well and good, but there is a single point of failure – and we hate those. If Fast 0/3 on MLS_2 fails, the hosts in VLAN 100 can't reach the ecommerce server. We can and will configure HSRP to drop MLS_2's priority if the line protocol of Fast 0/3 on that switch goes down. HSRP's default decrement with interface tracking is 10, so as long as MLS_1 has preemption enabled, the current priority would be fine for our purposes. (IP addresses shown for the multilayer switches in the next lab are for their SVI, interface VLAN100.)

    MLS_1(config)#int vlan 100
    MLS_1(config-if)#standby 1 ip 172.16.23.12
    MLS_1(config-if)#standby 1 preempt

    MLS_2(config-if)#standby 1 ip 172.16.23.12
    MLS_2(config-if)#standby 1 priority 105

Verify with show standby. I'm showing you only the info relating to the election.

    MLS_2#show standby
    Vlan100 - Group 1
      State is Active
      Preemption disabled
      Active router is local
      Standby router is 172.16.23.1, priority 100 (expires in 8.656 sec)
      Priority 105 (configured 105)

Before configuring HSRP interface tracking, be sure the interface you're tracking is up!

    MLS_2#show int fast 0/3
    FastEthernet0/3 is up, line protocol is up (connected)

We'll add tracking to MLS_2's HSRP config and verify with show standby.

    MLS_2(config)#int vlan 100
    MLS_2(config-if)#standby 1 track fastethernet 0/3

    MLS_2#show standby
    Vlan100 - Group 1
      State is Active
        5 state changes, last state change 00:00:17
      Virtual IP address is 172.16.23.12
      Active virtual MAC address is 0000.0c07.ac01
        Local virtual MAC address is 0000.0c07.ac01 (v1 default)
      Hello time 3 sec, hold time 10 sec
        Next hello sent in 0.920 secs
      Preemption disabled
      Active router is local
      Standby router is 172.16.23.1, priority 100 (expires in 11.464 sec)
      Priority 105 (configured 105)
      Track interface FastEthernet0/3 state Up decrement 10
      Group name is "hsrp-Vl100-1" (default)

    MLS_1#show standby
    Vlan100 - Group 1
      State is Standby
        7 state changes, last state change 00:00:10
      Virtual IP address is 172.16.23.12
      Active virtual MAC address is 0000.0c07.ac01
        Local virtual MAC address is 0000.0c07.ac01 (v1 default)
      Hello time 3 sec, hold time 10 sec
        Next hello sent in 1.608 secs
      Preemption enabled
      Active router is 172.16.23.2, priority 105 (expires in 10.184 sec)
      Standby router is local
      Priority 100 (default 100)
      Group name is "hsrp-Vl100-1" (default)

The default HSRP interface tracking decrement of 10 is shown to us here, so know it by heart. According to theory, if Fast0/3's line protocol goes down, MLS_2's priority should go down to 95. MLS_1 should then take over as the Active, since MLS_1's priority is the default of 100 and that router is configured for preemption. Let's shut Fast 0/3 down and see what happens!

    MLS_2(config)#int fast 0/3
    MLS_2(config-if)#shut
    %TRACKING-5-STATE: 1 interface Fa0/3 line-protocol Up->Down
    %HSRP-5-STATECHANGE: Vlan100 Grp 1 state Active -> Speak
    %LINK-5-CHANGED: Interface FastEthernet0/3, changed state to administratively down
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down
    %HSRP-5-STATECHANGE: Vlan100 Grp 1 state Speak -> Standby

I removed the timestamps for clarity, so let me throw this in – all of that happened in less than 10 seconds. I would not count on your CCNP SWITCH and TSHOOT exams being so kind.

Let's check show standby for verification.

    MLS_2#show standby
    Vlan100 - Group 1
      State is Standby
        8 state changes, last state change 00:02:58
      Virtual IP address is 172.16.23.12
      Active virtual MAC address is 0000.0c07.ac01
        Local virtual MAC address is 0000.0c07.ac01 (v1 default)
      Hello time 3 sec, hold time 10 sec
      Preemption disabled
      Active router is 172.16.23.1, priority 100 (expires in 10.688 sec)
      Standby router is local
      Priority 95 (configured 105)
      Track interface FastEthernet0/3 state Down decrement 10
      Group name is "hsrp-Vl100-1" (default)

MLS_2 is indeed the standby as a result of that decrement. And that's that! When Fast 0/3 on MLS_2 is back up, the priority will go back to 105, but MLS_2 will not become the Active router again unless we enable preemption. Let's do that and then reopen Fast 0/3.

    MLS_2(config)#int vlan 100
    MLS_2(config-if)#standby 1 preempt
    MLS_2(config-if)#int fast 0/3
    MLS_2(config-if)#no shut
    %TRACKING-5-STATE: 1 interface Fa0/3 line-protocol Down->Up
    %HSRP-5-STATECHANGE: Vlan100 Grp 1 state Standby -> Active
    %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up

    MLS_2#show standby
    Vlan100 - Group 1
      State is Active
      Virtual IP address is 172.16.23.12
      Active virtual MAC address is 0000.0c07.ac01
        Local virtual MAC address is 0000.0c07.ac01 (v1 default)
      Hello time 3 sec, hold time 10 sec
        Next hello sent in 1.136 secs
      Preemption enabled
      Active router is local
      Standby router is 172.16.23.1, priority 100 (expires in 10.000 sec)
      Priority 105 (configured 105)
      Track interface FastEthernet0/3 state Up decrement 10
      Group name is "hsrp-Vl100-1" (default)

On occasion, the default decrement might not be enough for the failover to take place. If MLS_2's priority is 150 and MLS_1's priority is 100, the default decrement of 10 wouldn't be enough for MLS_1 to take over as the Active should Fast 0/3 on MLS_2 go down. You can set a new decrement value at the very end of standby track; note that you never actually enter the word "decrement". I'll set MLS_2's priority to 150 and then set a decrement of 51…

    MLS_2(config)#int vlan 100
    MLS_2(config-if)#standby 1 priority 150
    MLS_2(config-if)#standby 1 track fastethernet 0/3 ?
      <1-255>  Decrement value
      <cr>
    MLS_2(config-if)#standby 1 track fastethernet 0/3 51
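Before we shut Fast 0/3 down again, here is the arithmetic the next show standby should confirm, as an added example written for this page (it is not Cisco code and not from the original guide). It models only the rules the text has described so far: highest priority wins, ties go to the highest IP, a running Active keeps the role unless a better router has preemption enabled, and a tracked interface that is down subtracts its decrement from the configured priority. Hello/hold timing and the Speak/Standby state machine are deliberately left out. The router names, addresses and priorities are the ones from the labs above; the function and class names are my own.

```python
"""Added example: HSRP virtual MAC, Active election, preemption and interface
tracking arithmetic, replaying the Group 5 and Group 1 labs from this chapter.
Illustrative Python written for this page, not Cisco's implementation."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address


def hsrp_vmac(group: int) -> str:
    """HSRPv1 well-known virtual MAC 0000.0c07.acXX, XX = group number in hex."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group must be 0-255")
    return f"0000.0c07.ac{group:02x}"


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = 100                          # IOS default
    preempt: bool = False                        # off by default
    tracks: dict = field(default_factory=dict)   # interface -> decrement (IOS default 10)
    down: set = field(default_factory=set)       # tracked interfaces whose line protocol is down

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of every tracked interface that is down."""
        return self.priority - sum(dec for intf, dec in self.tracks.items() if intf in self.down)

    def election_key(self):
        """Priority first, then the numerically highest IP address breaks ties."""
        return (self.effective_priority(), int(IPv4Address(self.ip)))


def elect_active(routers, current_active=None):
    """Name of the Active router after this round.
    With no Active yet, the best (priority, IP) wins outright.  A running Active keeps
    the role unless a better router has preempt enabled (otherwise only a reload or
    failure of the Active would hand the role over)."""
    best = max(routers, key=HsrpRouter.election_key)
    if current_active is None:
        return best.name
    incumbent = next(r for r in routers if r.name == current_active)
    if best is not incumbent and best.preempt and best.election_key() > incumbent.election_key():
        return best.name
    return incumbent.name


def replay_labs():
    """Walk through the chapter's scenarios; returns the outcome of each step."""
    steps = {}
    # Group 5: both at the default priority of 100, so the higher IP (MLS_2) wins
    mls1 = HsrpRouter("MLS_1", "172.16.23.1")
    mls2 = HsrpRouter("MLS_2", "172.16.23.2")
    active = elect_active([mls1, mls2])
    steps["defaults"] = active
    mls1.priority = 200                           # standby 5 priority 200 ... and nothing happens
    active = elect_active([mls1, mls2], active)
    steps["priority_200_no_preempt"] = active
    mls1.preempt = True                           # standby 5 preempt -> Standby -> Active
    active = elect_active([mls1, mls2], active)
    steps["priority_200_preempt"] = active
    # Group 1: MLS_2 at 105 tracking Fa0/3 with the default decrement, MLS_1 preempting
    mls1 = HsrpRouter("MLS_1", "172.16.23.1", preempt=True)
    mls2 = HsrpRouter("MLS_2", "172.16.23.2", priority=105, tracks={"Fa0/3": 10})
    active = elect_active([mls1, mls2])           # MLS_2 is Active
    mls2.down.add("Fa0/3")                        # shut: 105 - 10 = 95 < 100
    steps["track_105_dec10"] = (mls2.effective_priority(), elect_active([mls1, mls2], active))
    # same shutdown with priority 150: the default decrement is not enough ...
    mls2.priority = 150
    steps["track_150_dec10"] = (mls2.effective_priority(), elect_active([mls1, mls2], active))
    # ... but a decrement of 51 is
    mls2.tracks["Fa0/3"] = 51
    steps["track_150_dec51"] = (mls2.effective_priority(), elect_active([mls1, mls2], active))
    return steps


if __name__ == "__main__":
    print(hsrp_vmac(5), hsrp_vmac(10))
    for step, result in replay_labs().items():
        print(f"{step:28s} {result}")
```

Run it and compare the last three lines with the show standby outputs in this section: 95 hands the role to MLS_1, 140 does not, and 99 does. That last number is exactly the "Priority 99 (configured 150)" you are about to see.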

… shut down fast 0/3…

    MLS_2(config-if)#int fast 0/3
    MLS_2(config-if)#shut

… and verify any changes with show standby.

    MLS_2#show standby (output edited)
    Vlan100 - Group 1
      State is Standby
        13 state changes, last state change 00:00:05
      Virtual IP address is 172.16.23.12
      Active virtual MAC address is 0000.0c07.ac01
        Local virtual MAC address is 0000.0c07.ac01 (v1 default)
      Hello time 3 sec, hold time 10 sec
        Next hello sent in 2.560 secs
      Preemption enabled
      Active router is 172.16.23.1, priority 100 (expires in 7.600 sec)
      Standby router is local
      Priority 99 (configured 150)
      Track interface FastEthernet0/3 state Down decrement 51
      Group name is "hsrp-Vl100-1" (default)

Setting the decrement to 51 and enabling MLS_1 for preemption (done in the previous lab) got the job done! The default decrement would not have been enough to get the cutover done.

Changing This And That In HSRP

I don't like to call these "miscellaneous" commands, because they are important, but they're not everyday commands. You can leave most HSRP defaults as they are, but just in case you need to change a few things, here's how!

To change the HSRP hello and hold timers, use standby timers. You do have to enter a value for each timer, even if there's one you're not changing.

    MLS_2(config-if)#standby 1 timers ?
      <1-254>  Hello interval in seconds
      msec     Specify hello interval in milliseconds
    MLS_2(config-if)#standby 1 timers 6 ?
      <7-255>  Hold time in seconds
    MLS_2(config-if)#standby 1 timers 6 15

Want to change the HSRP group name from that ugly default? Use standby name. The group name appears at the very bottom of show standby output.

    MLS_2(config-if)#standby 1 name CCNP

    MLS_2#show standby (output edited)
    Vlan100 - Group 1
      Group name is "CCNP" (cfgd)

Want to set up authentication between your HSRP speakers? Use standby authentication. I'd tell you not to use plain text authentication, but I know you won't do that. It is an option, though: the string is carried in the clear in every hello, so anyone who can sniff the VLAN can read it. Choose "key-string" to set a single word as the MD5 key.

    MLS_2(config-if)#standby 1 authentication ?
      WORD  Plain text authentication string (8 chars max)
      md5   Use MD5 authentication
      text  Plain text authentication
    MLS_2(config-if)#standby 1 authentication md5 ?
      key-chain   Set key chain
      key-string  Set key string
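To see why the plain-text option is only a formality, here is an added example (written for this page, not Cisco code) that builds and decodes an HSRP version 1 hello using the fixed 20-byte layout from RFC 2281: version, opcode, state, hello time, hold time, priority, group, reserved, an 8-byte authentication field and the virtual IP. The packets are constructed in the code, not captured from the lab. The audit function is my own idea of what a monitoring host on the VLAN can check from a single hello; the MD5 variant adds a digest TLV after this header, which is not modelled here.

```python
"""Added example: encode/decode an HSRPv1 hello (RFC 2281 layout) and audit it.
Written for this page; not Cisco code.  MD5 authentication appends a TLV that
this example does not model."""
import struct

HSRP_V1 = struct.Struct("!BBBBBBBB8s4s")       # 20-byte fixed HSRPv1 header
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}
DEFAULT_AUTH = "cisco"                          # what IOS sends when no authentication is configured


def build_hello(group, priority, virtual_ip, auth=DEFAULT_AUTH, hello=3, hold=10, state=16):
    """Encode an HSRPv1 hello.  auth is the plain-text string (max 8 chars, zero padded)."""
    auth_b = auth.encode()
    if len(auth_b) > 8:
        raise ValueError("HSRPv1 plain-text authentication is at most 8 characters")
    vip = bytes(int(octet) for octet in virtual_ip.split("."))
    return HSRP_V1.pack(0, 0, state, hello, hold, priority, group, 0, auth_b.ljust(8, b"\0"), vip)


def parse_hello(data: bytes) -> dict:
    """Decode the fixed header.  Every field, the auth string included, is readable
    by any host on the VLAN, which is why 'plain text' authentication proves nothing."""
    if len(data) < HSRP_V1.size:
        raise ValueError("truncated HSRP packet")
    ver, op, state, hello, hold, prio, group, _reserved, auth, vip = HSRP_V1.unpack_from(data)
    if ver != 0:
        raise ValueError(f"not an HSRPv1 packet (version {ver})")
    return {
        "opcode": OPCODES.get(op, op),
        "state": STATES.get(state, state),
        "hello": hello,
        "hold": hold,
        "priority": prio,
        "group": group,
        "auth": auth.rstrip(b"\0").decode(errors="replace"),
        "virtual_ip": ".".join(str(b) for b in vip),
    }


def audit_hello(data: bytes, expected_group: int, expected_auth: str):
    """Checks a monitoring host can make from one hello.  Returns (fields, findings)."""
    h = parse_hello(data)
    findings = []
    if h["group"] != expected_group:
        findings.append("unexpected group")
    if h["auth"] == DEFAULT_AUTH:
        findings.append("default authentication string in use")
    elif h["auth"] != expected_auth:
        findings.append("authentication string does not match")
    if h["priority"] == 255:
        findings.append("priority 255 hello: will win any election against configured routers")
    return h, findings


if __name__ == "__main__":
    pkt = build_hello(5, 100, "172.16.23.12")            # MLS_2's Group 5 hello with no auth configured
    print(parse_hello(pkt))
    print(audit_hello(pkt, 5, "CCNP")[1])
    rogue = build_hello(5, 255, "172.16.23.12", auth="CCNP")
    print(audit_hello(rogue, 5, "CCNP")[1])
```

The second audit is the reason the "8 chars max" string is not a security control: a host that has read the string from one hello can send its own hello carrying it, and a priority of 255 beats anything you can configure. MD5 keys, or better yet HSRP on an interface that untrusted hosts cannot reach, are the real answer.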

    MLS_2(config-if)#standby 1 authentication md5 key-string CCNP

    MLS_1(config)#int vlan 100
    MLS_1(config-if)#standby 1 authentication md5 key-string CCNP

Using MD5 authentication means that an MD5 digest computed over the HSRP packet and the key is sent to the other HSRP group neighbors, so the key itself never crosses the wire. It does not mean that the password is hashed in the config. Check out MLS_2's config:

    interface Vlan100
     ip address 172.16.23.2 255.255.255.0
     standby 1 ip 172.16.23.12
     standby 1 priority 150
     standby 1 preempt
     standby 1 authentication md5 key-string CCNP
     standby 1 name CCNP
     standby 1 track 1 decrement 51

To disguise that password in the config, use your old friend service password-encryption.

    MLS_2(config)#service password-encryption

The result:

    interface Vlan100
     ip address 172.16.23.2 255.255.255.0
     standby 1 ip 172.16.23.12
     standby 1 priority 150
     standby 1 preempt
     standby 1 authentication md5 key-string 7 0327782536
     standby 1 name CCNP
     standby 1 track 1 decrement 51

"Disguise" is the right word. The 7 marks a Cisco type 7 string, which is reversible obfuscation rather than encryption, so a copy of this config is as sensitive as the key itself.

VRRP – The Virtual Router Redundancy Protocol

Defined in RFC 2338 (the original VRRPv2 specification, since superseded by RFC 3768), VRRP is the open-standard equivalent of the Cisco-proprietary HSRP. VRRP works very much like HSRP, with one or two important differences (naturally!). They're so much alike that you pretty much learned VRRP during the last section, where you learned HSRP! Let's check out those differences, though…

- VRRP's equivalent to HSRP's Active router is the Master router
- VRRP's equivalent to HSRP's Standby router is the Backup router
- Preemption is enabled by default in VRRP
- VRRP's advertisements are multicast to 224.0.0.18, where HSRP version 1 hellos are multicast to 224.0.0.2 (HSRP version 2 uses 224.0.0.102)
- The MAC address of VRRP routers is 00-00-5e-00-01-xx, and yes, the "xx" is the VRRP group number in hex

Let's have a look at VRRP in action, using the same two multilayer switches and the same IP addresses as we used in the HSRP section. These options should look familiar…

    MLS_2(config)#int vlan 100
    MLS_2(config-if)#vrrp ?
      <1-255>  Group number
    MLS_2(config-if)#vrrp 1 ?
      authentication  Authentication string
      description     Group specific description
      ip              Enable Virtual Router Redundancy Protocol (VRRP) for IP
      preempt         Enable preemption of lower priority Master
      priority        Priority of this VRRP group
      timers          Set the VRRP timers
      track           Event Tracking

16.115 S T U DY G U I D E C H R I S B R YA N T Virtual MAC address is 0000.23.0101 MLS _ 2(config-if)#vrrp 1 ? authentication Authentication string Advertisement interval is 1.000 sec Master Down interval is 3. priority is 100 Master Router is 172.Group 1 State is Master State is Master Virtual IP address is 172.2.12 Virtual MAC address is 0000.16.23. priority is 100 priority Priority of this VRRP group Master Advertisement interval is 1.16.23. correct? MLS _ 1(config)#int vlan 100 MLS _ 1(config)#int vlan 100 MLS _ 1(config-if)#vrrp 1 ip 172.16.16.5e00.Group 1 Vlan100 .16.16.16.23.000 sec description Group specific description Preemption enabled ip Enable Virtual Router Redundancy Protocol (VRRP) for IP Priority is 100 preempt Enable preemption of lower priority Master Master Router is 172.458 sec) track Event Tracking With preemption enabled by default.609 sec (expires in 3.23.5e00.12 210 211 .12 Virtual IP address is 172. priority is 200 Master Advertisement interval is 1.23.000 sec Preemption enabled Preemption enabled Priority is 100 Priority is 200 Master Router is 172.0101 Advertisement interval is 1.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 . Virtual IP address is 172. MLS_1 should take over as The Master Router if its MLS _ 2(config-if)#vrrp 1 ip 172.12 MLS _ 1(config-if)#vrrp 1 priority 200 07:53:32: %VRRP-6-STATECHANGE: Vl100 Grp 1 state Backup -> Master Let’s verify! MLS _ 2#show vrrp MLS _ 1#show vrrp Vlan100 .000 sec Master Advertisement interval is 1.218 sec Correct! MLS _ 1#show vrrp Vlan100 .000 sec timers Set the VRRP timers Master Down interval is 3.000 sec Advertisement interval is 1. let’s do a little interface tracking after making MLS_2 the Master State is Backup again.1 (local).23.609 sec Master Down interval is 3.5e00.12 priority is raised.2 (local).Group 1 While we’re at it.23.0101 Virtual MAC address is 0000.

    MLS_2(config)#int vlan 100
    MLS_2(config-if)#vrrp 1 priority 250
    07:55:53: %VRRP-6-STATECHANGE: Vl100 Grp 1 state Backup -> Master

The overall concept of tracking is the same in VRRP as it is in HSRP, but the process is a little bit different. With VRRP, we need to define the interface as an object before moving forward with the actual vrrp track command. (I've always remembered this by saying "track, then vrrp track". Feel free to steal it.) Sounds complicated, but it isn't.

Here's where we stand: MLS_2 is the Master router, and we want MLS_1 to take that role should the line protocol on MLS_2's Fast 0/3 interface go down. Check the interface before you start tracking:

    MLS_2#show int fast 0/3
    FastEthernet0/3 is up, line protocol is up (connected)

    MLS_2(config)#track ?
      <1-1000>    Tracked object
      resolution  Tracking resolution parameters
      timer       Polling interval timers
    MLS_2(config)#track 1 ?
      interface  Select an interface to track
      ip         IP protocol
      list       Group objects in a list
    MLS_2(config)#track 1 interface fast 0/3 ?
      ip             IP parameters
      line-protocol  Track interface line-protocol
    MLS_2(config)#track 1 interface fast 0/3 line-protocol ?
      <cr>
    MLS_2(config)#track 1 interface fast 0/3 line-protocol

We're not limited to using the line protocol as the tracked object, but that's the easiest and most effective track to use for an interface IMHO. The object number referred to in the track command must be the same one used in the vrrp track command.

    MLS_2(config)#int vlan 100
    MLS_2(config-if)#vrrp 1 ?
      authentication  Authentication string
      description     Group specific description
      ip              Enable Virtual Router Redundancy Protocol (VRRP) for IP
      preempt         Enable preemption of lower priority Master
      priority        Priority of this VRRP group
      timers          Set the VRRP timers
      track           Event Tracking
    MLS_2(config-if)#vrrp 1 track ?
      <1-1000>  Tracked object
    MLS_2(config-if)#vrrp 1 track 1 ?
      decrement  Priority decrement
      <cr>
    MLS_2(config-if)#vrrp 1 track 1

Verify the config:

    MLS_2#show vrrp
    Vlan100 - Group 1
      State is Master
      Virtual IP address is 172.16.23.12
      Virtual MAC address is 0000.5e00.0101
      Advertisement interval is 1.000 sec
      Preemption enabled
      Priority is 250
      Track object 1 state Up decrement 10
      Master Router is 172.16.23.2 (local), priority is 250
      Master Advertisement interval is 1.000 sec
      Master Down interval is 3.023 sec

Now we'll shut down fast 0/3 and see what happens.

    MLS_2(config)#int fast 0/3
    MLS_2(config-if)#shut
    %TRACKING-5-STATE: 1 interface Fa0/3 line-protocol Up->Down
    %LINK-5-CHANGED: Interface FastEthernet0/3, changed state to administratively down
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down

    MLS_2#show vrrp
    Vlan100 - Group 1
      State is Master
      Virtual IP address is 172.16.23.12
      Virtual MAC address is 0000.5e00.0101
      Advertisement interval is 1.000 sec
      Preemption enabled
      Priority is 240 (cfgd 250)
      Track object 1 state Down decrement 10
      Master Router is 172.16.23.2 (local), priority is 240
      Master Advertisement interval is 1.000 sec
      Master Down interval is 3.023 sec

The tracking is working, but since we changed the default priority a couple of times early on, the decrement isn't large enough to make MLS_1 the Master router. We accepted the VRRP default priority decrement (10). Let's change that decrement to 51.

    MLS_2(config)#int vlan 100
    MLS_2(config-if)#vrrp 1 track 1 decrement 51
    08:14:20: %VRRP-6-STATECHANGE: Vl100 Grp 1 state Master -> Backup

    MLS_2#show vrrp
    Vlan100 - Group 1
      State is Backup
      Virtual IP address is 172.16.23.12
      Virtual MAC address is 0000.5e00.0101
      Advertisement interval is 1.000 sec
      Preemption enabled
      Priority is 199 (cfgd 250)
      Track object 1 state Down decrement 51
      Master Router is 172.16.23.1, priority is 200
      Master Advertisement interval is 1.000 sec
      Master Down interval is 3.023 sec (expires in 2.100 sec)

Ta da! It's all about the decrement – and in this case, knowing how to create a VRRP tracked object! I'll unblock fast0/3 on MLS_2 and we'll watch MLS_2 take over as Master.

    MLS_2(config)#int fast 0/3
    MLS_2(config-if)#no shut
    %TRACKING-5-STATE: 1 interface Fa0/3 line-protocol Down->Up
    %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up
    08:34:58: %VRRP-6-STATECHANGE: Vl100 Grp 1 state Backup -> Master

    MLS_2#show vrrp
    Vlan100 - Group 1
      State is Master
      Virtual IP address is 172.16.23.12
      Virtual MAC address is 0000.5e00.0101
      Advertisement interval is 1.000 sec
      Preemption enabled
      Priority is 250
      Track object 1 state Up decrement 51
      Master Router is 172.16.23.2 (local), priority is 250
      Master Advertisement interval is 1.000 sec
      Master Down interval is 3.023 sec

Since VRRP wasn't exactly developed with load balancing in mind, we're going to use much the same technique as we did with HSRP, which means creating a separate VRRP group. Half of the hosts will use VR #1 as their default gateway, and the other half will use VR #2. Let's create another VRRP group with a new IP address for the virtual router, using vrrp priority to ensure MLS_1 becomes the Master for the new group.

    MLS_2(config)#int vlan 100
    MLS_2(config-if)#vrrp 55 ip 172.16.23.21

    MLS_1(config)#int vlan 100
    MLS_1(config-if)#vrrp 55 ip 172.16.23.21
    %VRRP-6-STATECHANGE: Vl100 Grp 55 state Init -> Backup

    MLS_1(config-if)#vrrp 55 priority 200
    %VRRP-6-STATECHANGE: Vl100 Grp 55 state Backup -> Master

MLS_1 went to Backup for our new VRRP group first, but then went to Master after having its priority for VRRP group 55 raised to 200.

    MLS_1#show vrrp
    Vlan100 - Group 1
      State is Backup
      Virtual IP address is 172.16.23.12
    Vlan100 - Group 55
      State is Master
      Virtual IP address is 172.16.23.21

    MLS_2#show vrrp
    Vlan100 - Group 1
      State is Master
      Virtual IP address is 172.16.23.12
    Vlan100 - Group 55
      State is Backup
      Virtual IP address is 172.16.23.21

After verifying that MLS_1 is the Master for VRRP group 55 and MLS_2 is the Master for group 1, we just need to configure half the hosts in VLAN 100 to use 172.16.23.12 as their default gateway, and the other half 172.16.23.21.

The Gateway Load Balancing Protocol (GLBP)

Let's finish our look at FHRPs with a protocol that was actually built with load balancing in mind! HSRP and VRRP have some great features, but as we've seen, load balancing with these protocols is more of a workaround than a native behavior. It depends on splitting hosts between gateways by hand, which is an inexact science at best and a pain in the buttocks at worst. The primary purpose of the Gateway Load Balancing Protocol is, well, load balancing! It's also suitable for use only on Cisco routers and switches, because GLBP is Cisco-proprietary.

As with HSRP and VRRP, GLBP routers will be placed into a router group. With GLBP, the hosts think they're sending all of their data to a single gateway, but actually multiple gateways are in use at one time. GLBP allows us to configure a single default gateway on all of our hosts, and rather than having a primary router handle the entire load while the standby routers remain idle, GLBP allows every router in the group to handle some of the load in a round-robin manner. This is a major step forward over HSRP and VRRP load balancing.

GLBP routers use Hellos multicast to 224.0.0.102 to detect the availability of other GLBP-speaking routers. The router with the highest GLBP priority is chosen as the Active Virtual Gateway (AVG). If all routers have the same GLBP priority, the router with the highest IP address becomes the AVG. The AVG answers incoming ARP requests for the virtual IP with ARP responses containing the virtual MAC address of one of the routers in the group. The AVG is also in charge of assigning those virtual MAC addresses, and the virtual MAC follows this format:

    00-07-b4-00-xx-yy

"XX" is the GLBP group number, and "YY" is the AVF number. The routers receiving and forwarding traffic sent to these virtual MAC addresses are Active Virtual Forwarders (AVFs). Should the AVG fail, the router serving as the standby AVG will take over. (That's the router with the next-highest GLBP priority in the group; if that's a tie, the router with the next-highest IP address takes that role.) If any of the AVFs fail, another router will handle the load destined for the virtual MAC assigned to the down router.

In the following illustration, MLS_4 is the AVG in GLBP group 1. It has assigned a virtual MAC address of 00-07-b4-00-01-01 to MLS_1, 00-07-b4-00-01-02 to MLS_2, 00-07-b4-00-01-03 to MLS_3, and 00-07-b4-00-01-04 to itself, putting us at the limit of four AVFs in a GLBP group.

Our GLBP deployment in this illustration is using the default GLBP load balancing technique of round-robin, where a host that sends an ARP request will receive a response with the next virtual MAC address in line. In the illustration, three hosts send an ARP request for the MAC of the virtual router, so the first ARP response contains the virtual MAC of MLS_1, the next the virtual MAC of MLS_2, and the third the virtual MAC of MLS_3. The next response, naturally, would contain the virtual MAC of MLS_4.

By default, GLBP will load-balance in a round-robin fashion. We can also use weighted assignments, where the higher the assigned weight, the more often a particular router's virtual MAC will be sent to a requesting host. If a host needs the same MAC gateway address every time it sends an ARP request, host-dependent load balancing is the way to go.

thresholds: lower 1.12 MLS _ 2(config-if)#glbp 1 preempt MLS _ 1(config-if)#glbp 1 ip 172.16.d4c2.23. we see the interface and group number. hold time 10 sec Next hello sent in 2. and the second half with the Active Virtual Forwarders.16.474a (172. followed by the state of Active. which means we’re on the AVG.272 secs Redirect time 600 sec.16.C. upper 100 Load balancing: round-robin Group members: 0017. last state change 00:11:40 Virtual IP address is 172. along with some IOS Help on the first one: MLS _ 3#show glbp FastEthernet0/0 .Group 1 MLS _ 3(config)#int fast 0/0 State is Active MLS _ 3(config-if)#glbp 1 ? authentication Authentication method client-cache Client cache forwarder Forwarder configuration ip Enable group and set virtual IP address ipv6 Enable group for IPv6 and set the virtual IPv6 address load-balancing Load balancing method name Redundancy name preempt Overthrow lower priority designated routers priority Priority level timers Adjust GLBP timers weighting Gateway weighting and tracking 1 state change.23. After the state change info.12 Hello time 3 sec.12 MLS _ 1(config-if)#glbp 1 preempt show glbp is an incredibly important GLBP command. forwarder timeout 14400 sec Preemption enabled.16. priority 100 (expires in 9.2754 (172.16.23.115 S T U DY G U I D E C H R I S B R YA N T MLS _ 2(config-if)#glbp 1 ip 172.23.12 MLS _ 3(config-if)#glbp 1 preempt 222 Great info here! From top to bottom. min delay 0 sec Active is local Standby is 172.2.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 . The beginning configuration.59e2.23.2) A.B.16.23. it’s also incredibly verbose.16.0990 (172.1) <cr> MLS _ 3(config-if)#glbp 1 ip 172. MLS_3. We’re going to examine the output of this command on the current AVG. starting with the first half. hello and 223 .23.23.D Virtual IP address 001f.888 sec) Priority 100 (default) Weighting 100 (default 100). 
The first half of the output deals with the Active Virtual Gateway selection.ca96.3) local MLS _ 3(config-if)#glbp 1 ip ? 001b.16.

0101 (default) Owner ID is 0017. Following “Active is local”.b400. should MLS_3 be unable to fulfill its duties. last state change 00:11:29 MAC address is 0007. weighting 100 (expires in 10. 599.16.0102 (learnt) Owner ID is 001b.23. Owner ID is 001f. weighting 100 (expires in 10. but after the labs later in this section.0102 (default) Owner ID is 001b. MLS_2. There are 3 forwarders (1 active) Forwarder 1 Each physical router in our group is an AVF.904 sec (maximum 14400 sec) Preemption enabled. min delay 30 sec Active is 172. we’re given the IP address and priority of the standby State is Listen AVG.b400.0990 225 .C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 .3 (primary). The virtual MAC address for each router is shown in this output as well. and should those hellos stop coming.0103 (learnt) is given to the runner-up.816 sec) 224 Preemption enabled. weighting 100 (expires in 10. and they’ll each show their forwarder as State is Active 1 state change. the default for each.1 (primary). These values are often confused. the AVG title MAC address is 0007. which deals with the AVF status of each member.d4c2. These are not the virtual The local forwarder (Forwarder 3) is shown as “State is Active”. ers are shown as “State is Listen”.474a “Active” while the other two are in “Listen”.59e2.d4c2. we see that preemption C H R I S B R YA N T Forwarder 3 is enabled. followed by the actual MAC and IP addresses of the GLBP group members. min delay 30 sec Active is local. and the other two forward- MAC addresses that are sent by the AVG in response to ARP requests.115 S T U DY G U I D E hold time.2 (primary).2754 Continuing down the output. also a GLBP default. Here’s that same info from MLS_2: There are 3 forwarders (1 active) Forwarder 1 Redirection enabled Preemption enabled.23.912 sec Forwarder 2 State is Active 1 state change. we see the Priority and Weighting values are set to 100.16.0990 Redirection enabled.23.16.474a Forwarder 2 Time to live: 14399.b400. 
This is also from MLS_3. Much like beauty pageants. Redirection enabled. min delay 30 sec Active is 172. and some timers new to us (“redirect” and “forwarder”).0101 (learnt) Owner ID is 0017. along with “thresholds”. one of the other AVFs would step in and handle traffic destined for that down AVF’s virtual MAC address.656 sec) We then see the load balancing method in use is round-robin.59e2.360 sec (maximum 14400 sec) State is Listen MAC address is 0007.b400. 599.392 sec remaining (maximum 600 sec) Time to live: 14399. This means that the other two AVFs are listening for Let’s have a look at the second half of the show glbp output. you’ll be clear – crystal clear – on the usage of each. min delay 30 sec Active is 172. last state change 00:28:09 MAC address is 0007.b400. You’ll see an example of this in an upcoming lab.ca96.904 sec remaining (maximum 600 sec) Time to live: 14399. Hellos from the local forwarder.392 sec (maximum 14400 sec) Preemption enabled. weighting 100 State is Listen MAC address is 0007.

2 - Fa0/0 1 3 - Listen 0007.23.0990 Time to live: 14398.16.16.1 - State is Listen MAC address is 0007.0103 (learnt) AVF will always be seen as Active and the others will be listening in! Owner ID is 001f.16.23. min delay 30 sec Active is 172.12 local 172.ca96.2 (primary).b400. you’re on the AVG.2754 226 Interface Grp Fwd Pri State Address Active router Standby router Fa0/0 100 Active 172. weighting 100 Forwarder 3 State is Listen That differing info on your AVFs can throw you at first. and it’s commonplace for a router to Time to live: 14399.136 sec (maximum 14400 sec) serve as both an AVG and an AVF.23. weighting 100 (expires in 10.0101 local - Fa0/0 1 2 - Listen 0007.1 1 - 227 .d4c2.115 S T U DY G U I D E C H R I S B R YA N T Preemption enabled.b400. min delay 30 sec Active is local. MLS _ 3#show glbp brief Interface Grp Fwd Pri State Address Active router Standby router Fa0/0 1 - 100 Active 172.16.23.2754 Time to live: 14397. weighting 100 (expires in 7.16.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 .936 sec) That same command’s output on MLS_1.1 (primary). MLS _ 3(config)#int fast 0/0 MLS _ 3(config-if)#shut %GLBP-6-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active %GLBP-6-FWDSTATECHANGE: FastEthernet0/0 Grp 1 Fwd 1 state Listen -> Active MLS _ 2#show glbp brief State is Active 1 state change.16.560 sec) Forwarder 3 According to that output. min delay 30 sec Active is 172.112 sec) Forwarder 2 State is Listen MAC address is 0007.474a devices with a number under “Fwd” are your AVFs.2 Fa0/0 1 1 - Active 0007.0101 (learnt) When you see a dash under “Fwd” and “Active” under “State”. showing the local forwarder as Active and other two as listening: There are 3 forwarders (1 active) Forwarder 1 You’ll be happy to know there is a brief option for this command.16.b400.784 sec (maximum 14400 sec) Preemption enabled.0103 172. min delay 30 sec Preemption enabled. and while it doesn’t give the details the full command gives.12 local 172.16.23. 
Let’s test that by making MLS_3 unavailable and then running show glbp brief on MLS_2.440 sec (maximum 14400 sec) Preemption enabled. min delay 30 sec Active is 172. it’s a great place to get started with t-shooting.0102 (learnt) Owner ID is 001b.16. MLS_2 should take over as the AVG if MLS_3 is unavailable.3 (primary).59e2.23. weighting 100 (expires in 10.23. The Owner ID is 0017.23.b400.0103 (default) Owner ID is 001f.ca96. last state change 00:29:10 MAC address is 0007.b400. weighting 100 Active is local.b400.23.b400. Preemption enabled. but just remember that the local MAC address is 0007.0102 172.

They both have to Fa0/0 1 3 - Listen 0007.b400. but that kindOnce MLS_3 comes back online.16.0101. the AVG will no longer use the virtual MAC address in question as a response to ARP replies.16.b400.b400.16.0101 local - Fa0/0 1 2 - Active 0007. it reclaims the role of AVG and begins acting as an AVF for its original virtual MAC address. That’s mighty kind of MLS_2. forwarder timeout 14400 se The hello and hold times operate the same here as they do in HSRP – it’s the redirect and forwarder timeout values we need to examine closely.16. the now-disappeared VRF and its virtual Interface Grp Fwd Pri State Address Active router Standby router Fa0/0 1 - 100 Active 172.23.1 - be set even if you’re just changing one.0102 local - Fa0/0 1 3 - Listen 0007.23.12 Hello time 3 sec.115 S T U DY G U I D E Fa0/0 1 1 - Active 0007. When the redirect time expires. C H R I S B R YA N T Watch The Timers Two of the GLBP timers are just the same as those found in HSRP.b400. and should you set the forwarder timeout too low… MAC address disappear from every GLBP router in the group.23. they even have the same default.b400.23.16.Group 1 State is Active 3 state changes. when the forwarder timeout timer expires.192 secs Redirect time 600 sec.0102 172. Let’s clear up any confusion on these right now.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 . and that’s verified by show glbp brief. MLS _ 3(config-if)#glbp 1 timers ? <1-60> 228 Hello interval in seconds 229 . We expected MLS_2 to take over as the AVG. MLS _ 3#show glbp FastEthernet0/0 .0103 172. hold time 10 sec Next hello sent in 0. b400.b400. In the previous lab.b400.1 - Take careful note of both GLBP console messages.12 local 172.b400.16. ness will not last forever.2 - the first timer in this command. What you might not have expected is that MLS_2 is now the Active router for the MAC address previously handled by MLS_3 (0007.2 Fa0/0 1 1 - Active 0007. and watch your syntax! 
The redirect timer is Fa0/0 1 2 - Listen 0007.0102.0103 172.23. which had been MLS_3’s virtual MAC address. MLS_2 began accepting frames with the destination 0007.23. and the timeout interval is the second. MLS _ 3#show glbp brief Then. 0007. last state change 00:15:34 Virtual IP address is 172. and it’s handling traffic sent to that MAC address as well as its own assigned address.0101). There are two others that can be a tad confusing at first.0101 local - Use glbp timers redirect to change either timer.

23.b400.b400. about those weights… because of its higher IP address – but perhaps we want MLS_2 to be the AVG instead.0103 local - Now.” That’s pretty much what the router is telling us here.16.2 local Fa0/0 1 1 - Listen 0007. To make MLS_1 the standby AVG.3 MLS_2 has taken over as the AVG. After changing the priority on MLS_1 to 125. if you’ve ever watched Shark Tank.1 - 172.3 - Fa0/0 1 2 - Active 0007.0103 172.16.23.12 172. In these labs. Since we enabled preemption on all three routers at the beginning of the lab.16.23. MLS _ 1(config)#int fast 0/0 MLS _ 1(config-if)#glbp 1 priority 125 MLS _ 1#show glbp brief Interface Grp Fwd Pri State Address Active router Standby router Fa0/0 1 - 125 Standby 172.16.b400.0102 172.b400.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 .115 S T U DY G U I D E msec Specify hello interval in milliseconds C H R I S B R YA N T 01:24:57: %GLBP-6-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active redirect Specify timeout values for failed forwarders MLS _ 2#show glbp brief MLS _ 3(config-if)#glbp 1 timers redirect ? <0-3600> Interval in seconds to redirect to failed forwarders MLS _ 3(config-if)#glbp 1 timers redirect 1800 ? <2400-64800> Timeout interval in seconds for failed forwarders MLS _ 3(config-if)#glbp 1 timers redirect 1800 3600 ? <cr> Interface Grp Fwd Pri State Address Active router Standby router Fa0/0 1 - 150 Active 172.0101 172. assign it a priority higher than that of MLS _ 3(config-if)#glbp 1 timers redirect 1800 3600 % Forwarder timeout is less than the default ARP cache timeout (4 hours) … well. and MLS_3 is the standby AVG since it has a higher IP address than MLS_1. all we need to do is raise the GLBP priority on MLS_2. but when you see it in action.16.23.23. The timer change does take effect. you’ll wonder what the fuss was.0101 172. show glbp brief verifies that MLS_1 is indeed the standby AVG while MLS_2 remains the AVG.3 - Fa0/0 1 2 - Listen 0007. 
Using Weights And Tracking Slight warning: This is one of those things that sounds complicated when you hear or read MLS _ 2(config)#int fast 0/0 about it. but I did go back to the defaults after seeing that message.b400.16.16. Change these timers with care! MLS _ 3(config)#int fast 0/0 MLS _ 3(config-if)#no glbp 1 timers redirect 1800 3600 Selecting The AVG And Backup AVG Selecting another router to serve as the AVG is no problem. 230 231 .23. you’ve heard Barbara Corcoran say “I’m going to give you a minute to rethink that.12 local Fa0/0 1 1 - Listen 0007.2 - Fa0/0 1 3 - Active 0007. MLS_3 was selected MLS_3 (100) and less than that of MLS_2 (150).16.0102 local - Fa0/0 1 3 - Listen 0007.23.b400.23. Hang in there dur- MLS _ 2(config-if)#glbp 1 priority 150 ing this quick explanation and then you’ll see it all in action.

0101 local - Fa0/0 1 2 - Listen 0007. GLBP weight.Group 1 MLS _ 3(config)#track ? State is Active 5 state changes.12 local 172.1 - The default weight of a GLBP-enabled router is 100.2.2 - Fa0/0 1 3 - Listen 0007. MLS _ 3(config)#int fast 0/0 MLS _ 3(config-if)#glbp 1 priority 160 MLS _ 3#show glbp brief Interface Grp Fwd Pri State Address Active router Standby router Fa0/0 1 - 160 Active 172. the local router is eligible to be an AVF.23. and those thresholds to determine whether the group.23.0103 172.992 secs Redirect time 600 sec. which is a globally configured command rather than an interface-level command.16.b400. min delay 0 sec Active is local Standby is 172. thresholds: lower 1. The weight has two default thresholds. line protocol is up Huzzah! Now to set up tracking with the track command.16. hold time 10 sec Next hello sent in 0.b400. I raised MLS_3’s priority to 160 and it is now the AVG for We can use interface tracking. upper 100 Load balancing: round-robin 232 <1-500> Tracked object resolution Tracking resolution parameters timer Polling interval timers MLS _ 3(config)#track 1 ? application Application interface Select an interface to track ip IP protocol list Group objects in a list stub-object Stub tracking object <cr> 233 . lower and upper: Before configuring interface tracking. forwarder timeout 14400 sec Preemption enabled.115 S T U DY G U I D E C H R I S B R YA N T Before proceeding with this lab. last state change 00:00:52 Virtual IP address is 172.16.b400. MLS _ 3#show glbp FastEthernet0/0 .12 Hello time 3 sec.23. In this lab.2 Fa0/0 1 1 - Active 0007.000 sec) Priority 160 (configured) Weighting 100 (default 100).16. priority 150 (expires in 8.23.16.23. and this is the value that determines whether a router can be a VRF. we’ll configure MLS_3 to disqualify itself as an AVF if the line protocol on fast 0/1 goes down.0102 172. what do we do? CHECK THAT INTERFACE! 
MLS _ 3#show int fast 0/1 FastEthernet0/1 is up.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 . This does not in any way affect MLS_3’s status as the AVG.23.16.

Group 1 State is Active 13 state changes.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 .115 S T U DY G U I D E MLS _ 3(config)#track 1 interface fastethernet0/1 ? ip IP parameters C H R I S B R YA N T MLS _ 3(config-if)#glbp 1 weighting 100 lower 95 upper ? <95-100> Weighting upper threshold value line-protocol Track interface line-protocol MLS _ 3(config-if)#glbp 1 weighting 100 lower 95 upper 100 ? MLS _ 3(config)#track 1 interface fastethernet0/1 line-protocol ? <cr> <cr> MLS _ 3(config-if)#glbp 1 weighting 100 lower 95 upper 100 MLS _ 3(config)#track 1 interface fastethernet0/1 line-protocol The second command needed here is the one specifying the interface to be tracked and the Now we’ll head back to the GLBP configuration. which by default is 10. it can no longer act as a VRF. Weighting lower threshold value MLS _ 3#show glbp MLS _ 3(config-if)#glbp 1 weighting 100 lower 95 ? upper Weighting upper threshold <cr> FastEthernet0/0 . MLS _ 3(config-if)#glbp 1 weighting ? <1-254> Weighting maximum value track Interface tracking MLS _ 3(config)#int fast 0/0 MLS _ 3(config-if)#glbp 1 weighting ? <1-254> Weighting maximum value track Interface tracking MLS _ 3(config-if)#glbp 1 weighting track ? <1-500> Tracked object MLS _ 3(config-if)#glbp 1 weighting track 1 ? MLS _ 3(config-if)#glbp 1 weighting 100 ? lower Weighting lower threshold upper Weighting upper threshold <cr> <cr> MLS _ 3(config-if)#glbp 1 weighting track 1 MLS _ 3(config-if)#glbp 1 weighting 100 lower ? <1-99> decrement Weighting decrement Verify with show glbp. First. We’re accepting that default here by not entering a value ing along with the high and low thresholds. Once that weight meets or rises above the high threshold. last state change 00:43:17 Virtual IP address is 172. we have to set up the value for weight- decrement.23. threshold.16. that router can go right back to work as a VRF. We’ll keep the default weight of 100 while setting a low threshold of 95 and a high of 100. 
When the router’s weight drops below the low for the decrement.12 234 235 .

2 - Fa0/0 1 3 - Listen 0007.16.16.16.115 S T U DY G U I D E C H R I S B R YA N T Hello time 3 sec.12 local 172.344 secs Redirect time 600 sec.b400.2 Fa0/0 1 1 - Active 0007.23.0101 local - Fa0/0 1 2 - Listen 0007.b400. it’s no longer an AVF. MLS_2 is now handling traffic with a destination MAC of 0007. hold time 10 sec Next hello sent in 1.16.0103 172. upper 100 Track object 1 state Up decrement 10 With this configuration.2 - Fa0/0 1 3 - Listen 0007. priority 150 (expires in 8.16.16.000 sec) Priority 160 (configured) Weighting 100 (configured 100). and shortly after we see the GLBP syslog message shown here.0101. low (configured 100). Let’s shut down fast 0/1 on that router and watch the fun! I’ll now bring MLS_3’s fast0/1 interface back online. MLS _ 3#show glbp brief In short: Interface Grp Fwd Pri State Address Active router Standby router Fa0/0 1 - 160 Active 172. thresholds: lower 95.2 Use priority to affect the choice of your primary and backup AVGs.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 . *Apr 3 19:09:49: %GLBP-6-FWDSTATECHANGE: FastEthernet0/0 Grp 1 Fwd 1 state Listen -> Active MLS _ 3#show glbp brief show glbp tells us that the weight has indeed dropped to 90.23.23.0103 172. min delay 0 sec Active is local Standby is 172.0102 172. Weighting 90. which was formerly handled by MLS_3.16. MLS_3 should be disqualified from consideration as a VRF if that weight drops below 95.23.16.12 local 172.23.b400. forwarder timeout 14400 sec Preemption enabled. MLS_3 will resume its VRF duties.23.b400.0102 172. Interface Grp Fwd Pri State Address Active router Standby router Fa0/0 1 - 160 Active 172.2. upper 100 Track object 1 state Down decrement 10 show glbp brief verifies that while MLS_3 is still the AVG.1 - 236 Let’s shift our focus to securing our switches! 237 .23.2 - affect a router’s ability to serve as an AVF. perhaps in tandem with interface tracking. Fa0/0 1 2 - Listen 0007. 
thresholds: lower 95.16.b400.1 - The reason I ran this lab on our AVG is to emphasize that the AVG election and a router’s ability to serve as an AVF are two separate operations.23.16. and use weighting to Fa0/0 1 1 - Listen 0007.23.0101 172.b400.23.b400.
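The rules the GLBP section states (AVG election by priority and then highest IP, the 00-07-b4-00-xx-yy virtual MAC format, round-robin, host-dependent and weighted ARP replies, and the weight thresholds used with object tracking), as an added Python model. This is example code written for this edition, not code from the study guide or from Cisco IOS. The gateway names and addresses mirror the lab; the class and method names, the tie-break used when an eligible router takes over a failed forwarder (highest weight, then highest IP), and the host-dependent hashing are assumptions of the model. The redirect and forwarder timers are not modelled.

```python
"""Model of GLBP role selection and virtual-MAC hand-out (added example).

Not code from the study guide or from Cisco IOS.  It encodes the rules the
text states: AVG election by priority, then highest IP; the 0007.b400.xxyy
virtual MAC format; round-robin (default), host-dependent and weighted ARP
replies; and the lower/upper weight thresholds used with object tracking.
Class and method names, and the AVF takeover tie-break, are this model's own.
"""
from dataclasses import dataclass, field


def virtual_mac(group: int, avf: int) -> str:
    """GLBP virtual MAC 0007.b400.xxyy: xx = group number, yy = AVF number."""
    if not 0 <= group <= 255 or not 1 <= avf <= 4:      # at most four AVFs per group
        raise ValueError("group must fit one octet and AVF number must be 1-4")
    return f"0007.b400.{group:02x}{avf:02x}"


def _ip_key(ip: str) -> tuple:
    """Numeric sort key so 172.16.23.10 ranks above 172.16.23.9."""
    return tuple(int(octet) for octet in ip.split("."))


@dataclass
class Gateway:
    name: str
    ip: str
    priority: int = 100           # glbp 1 priority: affects AVG election only
    max_weight: int = 100         # glbp 1 weighting 100: affects AVF eligibility only
    lower: int = 1                # default thresholds: lower 1, upper 100
    upper: int = 100
    tracked: dict = field(default_factory=dict)   # object id -> (is_up, decrement)
    eligible: bool = True         # may this router act as an AVF right now?

    @property
    def weight(self) -> int:
        """Configured weight minus the decrement of every tracked object that is down."""
        return self.max_weight - sum(dec for up, dec in self.tracked.values() if not up)

    def track(self, obj: int, is_up: bool, decrement: int = 10) -> bool:
        """Update one tracked object and re-evaluate eligibility with hysteresis:
        lost when weight falls below `lower`, regained only at or above `upper`."""
        self.tracked[obj] = (is_up, decrement)
        if self.eligible and self.weight < self.lower:
            self.eligible = False
        elif not self.eligible and self.weight >= self.upper:
            self.eligible = True
        return self.eligible


class GlbpGroup:
    def __init__(self, group: int, gateways, load_balancing: str = "round-robin"):
        if load_balancing not in ("round-robin", "host-dependent", "weighted"):
            raise ValueError("unknown load-balancing method")
        self.group = group
        self.gateways = list(gateways)
        self.load_balancing = load_balancing
        # The AVG assigns forwarder numbers (here: join order); a group holds at most 4 AVFs.
        self.owner = {n: gw for n, gw in enumerate(self.gateways[:4], start=1)}
        self._counter = 0

    def elect_avg(self):
        """Highest priority wins, highest IP breaks the tie; returns (AVG, standby AVG)."""
        ranked = sorted(self.gateways, key=lambda g: (g.priority, _ip_key(g.ip)), reverse=True)
        return ranked[0], (ranked[1] if len(ranked) > 1 else None)

    def active_forwarder(self, n: int) -> Gateway:
        """The owner of virtual MAC n, or the eligible gateway that took it over."""
        owner = self.owner[n]
        if owner.eligible:
            return owner
        others = [g for g in self.gateways if g.eligible and g is not owner]
        if not others:
            raise RuntimeError(f"no eligible AVF left to take over forwarder {n}")
        return max(others, key=lambda g: (g.weight, _ip_key(g.ip)))

    def forwarder_table(self) -> dict:
        """virtual MAC -> name of the router currently forwarding for it."""
        return {virtual_mac(self.group, n): self.active_forwarder(n).name for n in self.owner}

    def arp_reply(self, host_mac: str) -> str:
        """Virtual MAC the AVG puts in its ARP reply for the virtual IP."""
        numbers = sorted(self.owner)
        if self.load_balancing == "host-dependent":
            # The same host always gets the same virtual MAC.
            digits = "".join(ch for ch in host_mac if ch not in ".:-")
            return virtual_mac(self.group, numbers[int(digits, 16) % len(numbers)])
        if self.load_balancing == "weighted":
            # Each AVF's share of replies is proportional to its current weight.
            weights = [(n, self.active_forwarder(n).weight) for n in numbers]
            slot = self._counter % sum(w for _, w in weights)
            self._counter += 1
            for n, w in weights:
                if slot < w:
                    return virtual_mac(self.group, n)
                slot -= w
        n = numbers[self._counter % len(numbers)]   # round-robin: next MAC in line
        self._counter += 1
        return virtual_mac(self.group, n)
```

Running the lab's sequence through the model (three gateways with default priorities, then priority 150 on MLS_2 and 125 on MLS_1, then a tracked object going down on MLS_3 with lower 95 and upper 100) reproduces what show glbp brief showed: the AVG changes only with priority, while the tracked failure strips MLS_3 of its forwarder without touching its AVG role.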

Chapter 9: Securing The Switches
When some people think of network security, they immediately think of protecting their network from attacks originating on the outside of the network. We’re not “some people”, though, and we can’t afford to think like that. Many successful network attacks are inside jobs, and originate from seemingly innocent sources like DHCP, ARP, CDP, Telnet, and even from other hosts on the same VLAN.

While it’s certainly wise to protect the perimeter of our network, we have to be vigilant against attacks from the interior too. We’ve got important work to do, so let’s get to it!

Port Security

A basic Cisco switch security feature that’s often overlooked, port security uses the source MAC address of incoming frames as a password. A port enabled with port security will expect frames sourced from a particular MAC address or group of addresses (“secure MAC addresses”), and if frames with non-secure source MAC addresses come in on that port, the port takes action ranging from shutting down to “just” letting you and me know about it.

In a nutshell, port security entails having the switch look at the source MAC address of an incoming frame and asking itself, “Do I trust the source of this frame?”

Port security is enabled with the switchport port-security command, and before we can consider any options…

MLS_1(config-if)#switchport port-security
Command rejected: FastEthernet0/1 is a dynamic port.

… we need to make the port a non-trunking port. Port security can’t be configured on a port that even has a possibility of becoming a trunk. This switch has no trunks…

MLS_1#show int trunk
< crickets chirping >
MLS_1#

… but we still can’t secure that port until it’s an access port. Let’s make that happen and put it into VLAN 11.

MLS_1(config)#int fast 0/11
MLS_1(config-if)#switchport mode access
MLS_1(config-if)#switchport access vlan 11
% Access VLAN does not exist. Creating vlan 11
MLS_1(config-if)#switchport port-security

We’ll verify with show port-security and then view our switchport port-security options.

MLS_1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
     Fa0/11              1            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144

MLS_1(config-if)#switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>

Let’s tackle each of these important options, starting with maximum, which defines the number of secure MAC addresses the port can learn. The default is one, and the maximum you’ll see on your switch depends on your switch! I’ve seen ranges from 132 to the whopping 6144 allowed on this port. (I would not recommend allowing 6,144 secure MAC addresses on any port.)

MLS_1(config-if)#switchport port-security maximum ?
  <1-6144>  Maximum addresses

We’ll use the mac-address option to define secure MAC addresses for this port, as well as something called a “sticky address” (sounds gross, but it isn’t).

MLS_1(config-if)#switchport port-security mac-address ?
  H.H.H   48 bit mac address
  sticky  Configure dynamic secure addresses as sticky

The violation option defines the action the port should take when a frame with a non-secure MAC address comes in.

MLS_1(config-if)#switchport port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode

Use the aging options to define how long dynamically learned secure MAC addresses should be considered secure. You have the rarely used option of enabling aging for static entries.

MLS_1(config-if)#switchport port-security aging ?
  static  Enable aging for configured secure addresses
  time    Port-security aging time
  type    Port-security aging type

MLS_1(config-if)#switchport port-security aging type ?
  absolute    Absolute aging (default)
  inactivity  Aging based on inactivity time period

MLS_1(config-if)#switchport port-security aging time ?
  <1-1440>  Aging time in minutes. Enter a value between 1 and 1440

MLS_1(config-if)#switchport port-security aging static ?
  <cr>

The default port security mode is shutdown, which does just that – the port is placed into error-disabled state (“err-disabled”), and manual intervention is needed to reopen the port. That means you or I have to fix the problem and then do a shut / no shut on the port. With shutdown mode, an SNMP trap message is also generated.

Protect mode simply drops the offending frames and no other action is taken.

Our middle-ground security mode is restrict. The non-secure frames are dropped, an SNMP trap notification and a syslog message are generated, and the port remains open.
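The learning rules and the three violation modes just described, as an added Python model of a single secured port. This is example code written for this edition, not code from the study guide or from Cisco IOS. It encodes what the text states (a per-port maximum, static entries plus dynamic learning up to that maximum, protect dropping silently, restrict dropping and notifying, shutdown err-disabling the port). Two details are assumptions taken from the outcome of the labs that follow: a shut / no shut clears the err-disabled state and the violation count, and non-sticky dynamic entries are forgotten when the port is shut. The syslog text is constructed to resemble the IOS message; class and method names are the model's own.

```python
"""Model of Cisco port-security violation handling (added example).

Not code from the study guide or from Cisco IOS.  Assumptions beyond the
text: shut/no shut clears err-disabled state and the violation count, and
non-sticky dynamic entries are dropped when the port is shut.
"""


class SecurePort:
    MODES = ("protect", "restrict", "shutdown")

    def __init__(self, name: str, maximum: int = 1, violation: str = "shutdown"):
        if violation not in self.MODES:
            raise ValueError(f"violation mode must be one of {self.MODES}")
        self.name = name
        self.maximum = maximum            # switchport port-security maximum
        self.violation = violation        # switchport port-security violation
        self.static = []                  # switchport port-security mac-address H.H.H
        self.dynamic = []                 # learned from traffic, in arrival order
        self.err_disabled = False
        self.violation_count = 0          # the SecurityViolation (Count) column
        self.traps = 0                    # SNMP traps that would have been sent
        self.syslog = []                  # constructed messages, shaped like IOS's

    def secure_addresses(self) -> set:
        return set(self.static) | set(self.dynamic)

    def add_static(self, mac: str) -> None:
        if mac in self.static:
            return
        if len(self.secure_addresses()) >= self.maximum:
            raise ValueError(f"{self.name}: maximum of {self.maximum} secure addresses reached")
        self.static.append(mac)

    def remove_static(self, mac: str) -> None:
        self.static.remove(mac)           # raises ValueError if it was never configured

    def receive(self, src_mac: str) -> str:
        """Handle one ingress frame; returns 'forward', 'drop' or 'err-disabled'."""
        if self.err_disabled:
            return "err-disabled"         # nothing passes until an admin intervenes
        if src_mac in self.secure_addresses():
            return "forward"
        if len(self.secure_addresses()) < self.maximum:
            self.dynamic.append(src_mac)  # room left: learn it as SecureDynamic
            return "forward"
        return self._violate(src_mac)

    def _violate(self, src_mac: str) -> str:
        if self.violation == "protect":
            return "drop"                 # dropped, and that is all that happens
        self.violation_count += 1
        self.traps += 1
        self.syslog.append(
            f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
            f"caused by MAC address {src_mac} on port {self.name}.")
        if self.violation == "restrict":
            return "drop"                 # notified, but the port stays open
        self.err_disabled = True          # shutdown: the port goes err-disabled
        return "err-disabled"

    def shut_no_shut(self) -> None:
        """Manual recovery: clears err-disabled, the count and non-sticky dynamic entries."""
        self.err_disabled = False
        self.violation_count = 0
        self.dynamic.clear()
```

Walking the model through the Fast0/1 lab (static aaaa.bbbb.cccc, then a frame from another MAC) gives the err-disabled result the text describes; removing the static entry and doing a shut / no shut lets the next source MAC be learned as the secure address, exactly the reason the author shuts the port before configuring it.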
Here’s the network topology for the port-security labs. We’re using the hosts primarily to
send pings that will (or will not) trigger port security.

01:46:31:

%LINEPROTO-5-UPDOWN:

Line

protocol

on

Interface

FastEthernet0/1,

changed state to down
01:46:32: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down

Looks like the data was NOT from a trusted source, as both show port-security and show int
fast 0/1 verify the security violation.
MLS _ 1#show port-security
Secure Port

Let’s see port security in action! I’ll configure port security on port fast0/1 after shutting
the interface, and then set the secure MAC address to aaaa-bbbb-cccc.

Fa0/1

MaxSecureAddr

CurrentAddr

SecurityViolation

(Count)

(Count)

(Count)

1

1

1

Security Action

Shutdown

MLS _ 1(config)#int fast 0/1

Total Addresses in System (excluding one mac per port)

: 0

MLS _ 1(config-if)#shut

Max Addresses limit in System (excluding one mac per port) : 6144

MLS _ 1(config-if)#switchport port-security
MLS _ 1(config-if)#switchport port-security mac-address aaaa.bbbb.cccc

MLS _ 1#show int fast 0/1
FastEthernet0/1 is down, line protocol is down (err-disabled)

After reopening the port, I’ll send some pings from R1 and then quickly head back over to
the switch to see what happens.
R1#ping 172.16.23.222

Time for the network admins to step in! First, we resolve the problem by removing the currently defined secure MAC address on Fast0/1. When a secure MAC address is allowed on a
port, but none is defined, the next dynamically learned source MAC address is considered
Back on the switch:

the secure address. That’s why I shut the port before configuring port security – just in case
traffic came in on that port before I could finish.

SECURITY-2-PSECURE _ VIOLATION: Security violation occurred, caused by MAC address

242

243

16.474a - Back on the switch. R1#ping 172.cccc address configured earlier). 100 0017. This one’s 244 MLS _ 1#show port-security interface fast 0/1 Port Security : Enabled Port Status : Secure-up Violation Mode : Shutdown Aging Time : 0 mins Aging Type : Absolute SecureStatic Address Aging : Disabled Maximum MAC Addresses : 1 Total MAC Addresses : 1 245 . MLS _ 1#show port-security Secure Port Fa0/1 MaxSecureAddr CurrentAddr SecurityViolation (Count) (Count) (Count) 1 1 0 Security Action Shutdown Total Addresses in System (excluding one mac per port) : 0 Max Addresses limit in System (excluding one mac per port) : 6144 show port-security address verifies the exact address that’s been learned and considered secure. we’ll send some pings from R1 again and then head right back to the switch.23. as with the aaaa. Note carefully that you see the Security Action listed.59e2.bbbb. and that one current address is considered secure. changed state to up MLS _ 1#show port-security address 01:53:49: %LINK-3-UPDOWN: Interface FastEthernet0/1. Secure Mac Address Table Vlan Mac Address Type Ports ------------.115 S T U DY G U I D E C H R I S B R YA N T MLS _ 1(config)#int fast 0/1 marked as SecureDynamic since it is a secure address that was learned. the violation mode is at the default. changed state to up To test the new config. well. show port-security interface fast 0/1 verifies port security is enabled.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 . dynamically MLS _ 1(config-if)#no switchport port-security mac-address aaaa. so we’ll verify that Total Addresses in System (excluding one mac per port) : 0 everything’s beautiful with three separate show port-security commands. We see there’s one secure address allowed on Fast0/1 (the default). and provides other handy info including the last source address of incoming frames and the VLAN it belonged to. secured and up. along with the VLAN. and method used to learn the address. 
the port is but none has been taken as there are no Security Violations. the port. SecureDynamic Fa0/1 Remaining Age (mins) -. We’ll do a shut / no shut on the interface and verify with show int fast 0/1.bbbb. Finally. MLS _ 1#show port-security address ? vlan Vlan limits MLS _ 1(config-if)#shut | MLS _ 1(config-if)#no shut <cr> 01:53:47: %LINEPROTO-5-UPDOWN: Line protocol on Interface Output modifiers FastEthernet0/1. there’s no message about the port shutting down. -----. starting with the Max Addresses limit in System (excluding one mac per port) : 6144 main one.222 ----------.cccc (rather than statically.

R2#ping 172. MLS _ 1#show port-security int fast 0/2 100 aaaa.bbbb.115 S T U DY G U I D E C H R I S B R YA N T Configured MAC Addresses : 0 Aging Type Sticky MAC Addresses : 0 SecureStatic Address Aging : Disabled Last Source Address:Vlan : 0017.474a:100 Maximum MAC Addresses : 3 Security Violation Count : 0 Total MAC Addresses : 3 Configured MAC Addresses : 2 The aging time of “0 minutes” means that secure MAC addresses will never age out on this Sticky MAC Addresses : 0 port.0990 SecureDynamic Fa0/2 - ----------. Let’s run show port-security interface -. Let’s find out on port Fast0/2. the next two source MAC addresses for incoming frames on that port would be considered secure.aaaa.474a SecureDynamic Fa0/1 - 100 001b. Last Source Address:Vlan : 001b.aaaa SecureConfigured Fa0/2 - Port Security : Enabled 100 aaaa.0990:100 Security Violation Count : 0 I just know someone out there is wondering what happens if you allow multiple secure MAC addresses on a port. MLS _ 1(config-if)#switchport port-security mac-address aaaa. and you statically configure a few without hitting the maximum.bbbb. fast0/2.aaaa SecureConfigured Fa0/2 - Port Status : Secure-up Violation Mode : Shutdown Total Addresses in System (excluding one mac per port) : 2 Aging Time : 0 mins Max Addresses limit in System (excluding one mac per port) : 6144 246 247 Age .C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 .16. not that they’ll actually age out in 59 seconds. where I’ll allow 3 addresses to be considered secure while configuring 2 static secure addresses. Remaining (mins) No messages on the switch regarding a shutdown.23.aaaa MLS _ 1#show port-security address I’ll then send pings from R2 and head quickly back over to the switch.59e2. : Absolute The port is secure and up.aaaa. -----. 100 0017. Let’s run show port-security address and show port-security.d4c2. 
Had we allowed four secure addresses and configured MLS _ 1(config)#int fast 0/2 MLS _ 1(config-if)#switchport port-security MLS _ 1(config-if)#switchport port-security maximum 3 MLS _ 1(config-if)#switchport port-security mac-address aaaa.aaaa only two static ones.d4c2.59e2. the next dynamically learned MAC addresses will be considered secure until the limit is hit. If you allow a certain number of secure MAC addresses and don’t statically configure all of them.111 Secure Mac Address Table Vlan Mac Address Type Ports ------------. and note that there are now a total of 3 secure addresses and 2 configured addresses.

While we’re here, let’s enable aging and set it to 300 seconds (the default aging time for our “regular” MAC address table). We’ll accept the aging type default shown via IOS Help and then verify with show port-security address.

MLS_1(config)#int fast 0/2
MLS_1(config-if)#switchport port-security aging ?
  static  Enable aging for configured secure addresses
  time    Port-security aging time
  type    Port-security aging type

MLS_1(config-if)#switchport port-security aging time ?
  <1-1440>  Aging time in minutes. Enter a value between 1 and 1440

MLS_1(config-if)#switchport port-security aging time 300
MLS_1(config-if)#switchport port-security aging type ?
  absolute    Absolute aging (default)
  inactivity  Aging based on inactivity time period

MLS_1#show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                      (mins)
----    -----------       ----                -----   -------------
 100    0017.59e2.474a    SecureDynamic       Fa0/1        -
 100    001b.d4c2.0990    SecureDynamic       Fa0/2        299
 100    aaaa.aaaa.aaaa    SecureConfigured    Fa0/2        -
 100    aaaa.bbbb.aaaa    SecureConfigured    Fa0/2        -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 2
Max Addresses limit in System (excluding one mac per port) : 6144

So, did I get that right? Nope. I got it wrong – and here’s why I’m always telling you to check the unit of measure when you change anything on a Cisco router or switch. The command to change the aging time of our entire MAC address table uses seconds…

MLS_1(config)#mac address-table aging-time ?
  <0-0>         Enter 0 to disable aging
  <10-1000000>  Aging time in seconds

… but the command to change the aging time of the secure MAC address table uses minutes, not that they’ll actually age out in 59 seconds.

MLS_1(config-if)#switchport port-security aging time ?
  <1-1440>  Aging time in minutes. Enter a value between 1 and 1440

MLS_1(config-if)#switchport port-security aging time 5

MLS_1#show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                      (mins)
----    -----------       ----                -----   -------------
 100    0017.59e2.474a    SecureDynamic       Fa0/1        -
 100    001b.d4c2.0990    SecureDynamic       Fa0/2        4
 100    aaaa.aaaa.aaaa    SecureConfigured    Fa0/2        -
 100    aaaa.bbbb.aaaa    SecureConfigured    Fa0/2        -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 2
Max Addresses limit in System (excluding one mac per port) : 6144

Always use IOS Help to check the unit of time, data, etc., when changing anything!

MLS_1#show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                      (mins)
----    -----------       ----                -----   -------------
 100    0017.59e2.474a    SecureDynamic       Fa0/1        -
 100    aaaa.aaaa.aaaa    SecureConfigured    Fa0/2        -
 100    aaaa.bbbb.aaaa    SecureConfigured    Fa0/2        -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 6144

(The dynamically learned address for R2 has now aged out.)

Making Secure Addresses Sticky

Right now, Fa0/1 has one secure MAC address, for which the default of “no aging” has not been changed. That dynamically learned address will be lost if the port is reset or the switch is reloaded. I’ll do a shut / no shut on the port to illustrate.

MLS_1(config)#int fast 0/1
MLS_1(config-if)#shut
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan100, changed state to down
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down

MLS_1#show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                      (mins)
----    -----------       ----                -----   -------------
 100    aaaa.aaaa.aaaa    SecureConfigured    Fa0/2        -
 100    aaaa.bbbb.aaaa    SecureConfigured    Fa0/2        -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 6144

The same thing would happen if I rebooted the switch. To have dynamically learned addresses retained in case of a port reset or reboot, enable sticky address learning on the port. These addresses are written to the running config, so be sure to save the changes! I’ll do that here, then send pings from R1 and check the secure address table.

MLS_1(config-if)#no shut
00:28:20: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
00:28:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

MLS_1(config)#int fast 0/1
MLS_1(config-if)#switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>

MLS_1(config-if)#switchport port-security mac-address ?
  H.H.H   48 bit mac address
  sticky  Configure dynamic secure addresses as sticky

MLS_1(config-if)#switchport port-security mac-address sticky

R1#ping 172.16.23.222

The ping works, and the address is now shown in the secure MAC table as “SecureSticky”.

MLS_1#show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                      (mins)
----    -----------       ----                -----   -------------
 100    0017.59e2.474a    SecureSticky        Fa0/1        -
 100    aaaa.aaaa.aaaa    SecureConfigured    Fa0/2        -
 100    aaaa.bbbb.aaaa    SecureConfigured    Fa0/2        -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 6144

I’ll shut the port and then take a look at this table again.

MLS_1(config)#int fast 0/1
MLS_1(config-if)#shut

MLS_1#show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                      (mins)
----    -----------       ----                -----   -------------
 100    0017.59e2.474a    SecureSticky        Fa0/1        -
 100    aaaa.aaaa.aaaa    SecureConfigured    Fa0/2        -
 100    aaaa.bbbb.aaaa    SecureConfigured    Fa0/2        -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 6144

The entry is still in the table! I did reload the switch at this point, and the address was still in the table after the reboot, along with the SecureConfigured addresses.

Automatic Recovery From Err-Disabled Status

We know via first-hand experience that by default, a port that goes into err-disabled state must be manually reset – after resolving the condition that put the port in that state to begin with, of course! To have err-disabled ports come out of that state dynamically after a certain period of time, use errdisable recovery. First, define what conditions should be allowed to have ports use this feature with errdisable recovery cause. To have errdisable recovery apply to ports placed into err-disabled state for any reason, use the all option. Ports are shut down by port security due to a psecure-violation, so we’ll enable this feature only for ports put into err-disabled state in that fashion.

SW1(config)#errdisable recovery cause ?
  all                 Enable timer to recover from all causes
  bpduguard           Enable timer to recover from BPDU Guard error disable state
  channel-misconfig   Enable timer to recover from channel misconfig disable state
  dhcp-rate-limit     Enable timer to recover from dhcp-rate-limit error disable state
  dtp-flap            Enable timer to recover from dtp-flap error disable state
  gbic-invalid        Enable timer to recover from invalid GBIC error disable state
  link-flap           Enable timer to recover from link-flap error disable state
  loopback            Enable timer to recover from loopback detected disable state
  pagp-flap           Enable timer to recover from pagp-flap error disable state
  psecure-violation   Enable timer to recover from psecure violation disable state
  security-violation  Enable timer to recover from 802.1x violation disable state
  udld                Enable timer to recover from udld error disable state
  unicast-flood       Enable timer to recover from unicast flood disable state
  vmps                Enable timer to recover from vmps shutdown error disable state

SW1(config)#errdisable recovery cause psecure-violation

To change the interval from the default of 300 seconds, use errdisable recovery interval. I’ll set it to 30 seconds for our lab.

SW1(config)#erridsable recovery ?
% Unrecognized command
SW1(config)#erridsable recovery interval ?
% Unrecognized command
SW1(config)#errdisable recovery interval ?
  <30-86400>  timer-interval(sec)

SW1(config)#errdisable recovery interval 30

I removed any previous port security config from Fa0/2, and statically reconfigured the port with the single secure MAC address aaaa.aaaa.aaaa. The first frames that came in from R2 shut the port down…

%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001b.d4c2.0990 on port FastEthernet0/2.
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/2, putting Fa0/2 in err-disable state

… and 30 seconds later, the port begins to come out of err-disabled state!

%PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/2
%LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up

At this point, you have to fix the problem or the port will bounce in and out of err-disabled state! I then configured Fa0/2 to consider the first source MAC address learned on that port to be the secure address, and all is well.
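A port that keeps bouncing in and out of err-disabled state is exactly what you want your log monitoring to surface, so here is an added example (my own code, not the book’s) that runs over syslog lines in the format shown above, tallies err-disable and recovery events per port, records the MAC that triggered each psecure-violation, and flags ports that were re-disabled after an automatic recovery. The log sample is constructed for the demonstration; the second Fa0/2 cycle, the Fa0/7 line and the timestamps are made up.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed syslog sample patterned on the messages above; timestamps, the second
# Fa0/2 cycle and the bpduguard line on Fa0/7 are made up for the demonstration
SYSLOG = """\
00:10:05: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001b.d4c2.0990 on port FastEthernet0/2.
00:10:05: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/2, putting Fa0/2 in err-disable state
00:10:35: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/2
00:10:35: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to up
00:10:36: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001b.d4c2.0990 on port FastEthernet0/2.
00:10:36: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/2, putting Fa0/2 in err-disable state
00:11:06: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/2
00:12:00: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/7, putting Fa0/7 in err-disable state
"""

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address (\S+) on port ([A-Za-z]+\d+/\d+)")
ERR_DISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: (\S+) error detected on (\S+),")
ERR_RECOVER_RE = re.compile(r"%PM-4-ERR_RECOVER: Attempting to recover from (\S+) err-disable state on (\S+)")


def short_name(port: str) -> str:
    """Normalise 'FastEthernet0/2' to 'Fa0/2' so both message formats share one key."""
    for long, short in (("FastEthernet", "Fa"), ("GigabitEthernet", "Gi")):
        if port.startswith(long):
            return short + port[len(long):]
    return port


def analyze_errdisable(log: str) -> Dict[str, dict]:
    """Per port: last err-disable cause, how often it was disabled and recovered,
    and the source MACs that caused port-security violations."""
    stats = defaultdict(lambda: {"cause": None, "disables": 0,
                                 "recoveries": 0, "offending_macs": set()})
    for line in log.splitlines():
        if m := VIOLATION_RE.search(line):
            stats[short_name(m.group(2))]["offending_macs"].add(m.group(1).lower())
        elif m := ERR_DISABLE_RE.search(line):
            p = stats[short_name(m.group(2))]
            p["cause"] = m.group(1)
            p["disables"] += 1
        elif m := ERR_RECOVER_RE.search(line):
            stats[short_name(m.group(2))]["recoveries"] += 1
    return dict(stats)


def bouncing_ports(stats: Dict[str, dict], min_cycles: int = 2) -> List[str]:
    """Ports err-disabled again after an automatic recovery: the root cause was never
    fixed, so errdisable recovery is just re-enabling a port that will fail again."""
    return sorted(port for port, s in stats.items()
                  if s["recoveries"] >= 1 and s["disables"] >= min_cycles)
```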

Dot1x Port-Based Authentication

We can take port-level security (cliché alert!) to the next level with dot1x port-based authentication. The name refers to IEEE 802.1x, the standard upon which this feature is based. It’s a bit unusual in that the Cisco authentication server must be RADIUS-based; you can’t use TACACS or TACACS+. (The RADIUS version you’ll use is technically RADIUS with EAP extensions.)

A major difference between this feature and port security is that both the host and switchport must be configured for 802.1x. That’s a major departure from the switch features we’ve studied to date, since few (if any) of those require us configuring anything on the host.

Strange but true: If the switch is ready for dot1x authentication and the supplicant isn’t, communications between the two will fail. (That’s not the strange part.) If the supplicant is running dot1x but the switch isn’t, the PC will not concern itself with dot1x and will communicate with the switch as it normally would.

A typical dot1x port-based authentication deployment involves the dot1x-enabled PC (the supplicant), the dot1x-enabled switch (the authenticator), and a RADIUS server (the authentication server). The PC has a single physical port connected to the switch, but that physical port is logically divided into two ports by dot1x, the controlled and uncontrolled ports. Unlike typical subinterfaces, the network admins do not have to configure these logical ports. Dot1x handles that. We just need to configure the supplicant for dot1x!

By default, the uncontrolled port can transmit without authentication, but on a limited basis, as only EAPOL (the Extensible Authentication Protocol over LANs), STP, and CDP can be transmit­ted at that time. The controlled port cannot transmit data until authentication actually takes place. Once the user authenticates, all traffic can be received and sent via the port; frames from the host are no longer rejected.

To get started with dot1x, we first have to enable AAA with aaa new-model. We’ll follow that by pointing the switch to our RADIUS server(s), and then enable dot1x to use those RADIUS servers for authentication.

MLS_1(config)#aaa new-model
MLS_1(config)#radius-server host 172.16.23.55 key CCNP

The radius-server command literally has about 40 options; the only one we need to concern ourselves with right now is host, followed by the password for that server.

MLS_1(config)#aaa authentication ?
  arap             Set authentication lists for arap.
  attempts         Set the maximum number of authentication attempts
  banner           Message to use when starting login/authentication.
  dot1x            Set authentication lists for IEEE 802.1x.
  enable           Set authentication list for enable.
  eou              Set authentication lists for EAPoUDP
  fail-message     Message to use for failed login/authentication.
  login            Set authentication lists for logins.
  password-prompt  Text to use when prompting for a password
  ppp              Set authentication lists for ppp.
  sgbp             Set authentication lists for sgbp.
  suppress         Do not send access request for a specific type of user.
  username-prompt  Text to use when prompting for a username

MLS_1(config)#aaa authentication dot1x ?
  WORD     Named authentication list (max 31 characters).
  default  The default authentication list.

MLS_1(config)#aaa authentication dot1x default ?
  cache  Use Cached-group
  group  Use Server-group
  local  Use local username authentication.

MLS_1(config)#aaa authentication dot1x default group ?
  WORD    Server-group name
  ldap    Use list of all LDAP hosts.
  radius  Use list of all Radius hosts.

MLS_1(config)#aaa authentication dot1x default group radius ?

Finally, we get to enable dot1x port-based authentication!

MLS_1(config)#dot1x ?
  credentials          Configure 802.1X credentials profiles
  critical             Set 802.1x Critical Authentication parameters
  guest-vlan           Configure Guest Vlan and 802.1x Supplicant behavior
  logging              Set logging parameters
  supplicant           802.1X supplicant configuration
  system-auth-control  Enable or Disable SysAuthControl
  test                 Configure dot1x test related parameters

MLS_1(config)#dot1x system-auth-control

And even more finally, we get to set the authentication type.

R1(config-if)#dot1x port-control ?
  auto                PortState will be set to AUTO
  force-authorized    PortState set to Authorized
  force-unauthorized  PortState will be set to UnAuthorized

That’s a lot of force! The first force-based option, force-authorized, tells the port to unconditionally authorize the host, using no authentication. That’s the default, and it’s a default you may well want to change. force-unauthorized tells the port to never authorize the host, which seems a tad harsh. Surprisingly, auto may be the way to go, as it allows a host to authorize via an exchange of dot1x messages.

Now that we’ve covered port security and dot1x port-based authentication, a natural question arises: “Can you run port security and dot1x authentication on the same port?” The answer is yes!

From Cisco’s website: “When you enable port security and 802.1x on a port, 802.1x authenticates the port and port security manages the number of MAC addresses allowed on that port, including that of the client.”

SPAN

We’ve securely secured our ports, but one day, we’re likely to want to connect a network analyzer (“sniffer”) to one of those ports. To get the job done, the analyzer needs a copy of every frame the hosts are sending and/or receiving, and we’ll use SPAN to capture that traffic. SPAN allows the switch to mirror traffic from source port(s) to a destination port. By default, both traffic destined for and sourced from the source ports is mirrored to the destination port.

A common situation is illustrated here, where we want to analyze traffic sourced from the three PCs. In this example, we’re running local SPAN, since the source and destination ports are on the same switch (or same switch stack), and it’s the destination port to which our network analyzer will be connected.

The command monitor session starts a SPAN session, along with defining the source and destination ports. Multiple SPAN sessions are totally separate operations, and the number of simultaneous SPAN sessions you can run differs between switch platforms. Cisco 2950s allow only two, while the ones we’re on here allow just a few more. Note that possible sources include:

- Individual ports
- Entire VLANs (in which case you’re running VLAN-based SPAN, or VSPAN)
- Port-channels, representing an entire Etherchannel

Let’s set up a local SPAN session, using ports Fa0/3, 4, and 5 as the source ports and Fa0/10 as the destination, and then verify with show monitor. No need to run show vlan brief for VLAN info, since it doesn’t matter to SPAN whether the source ports are all in the same VLAN or not.

MLS_1(config)#monitor session ?
  <1-66>  SPAN session number

MLS_1(config)#monitor session 47 ?
  destination  SPAN destination interface or VLAN
  filter       SPAN filter VLAN
  source       SPAN source interface, VLAN

MLS_1(config)#monitor session 47 source ?
  interface  SPAN source interface
  remote     SPAN source Remote
  vlan       SPAN source VLAN

MLS_1(config)#monitor session 47 source interface ?
  FastEthernet     FastEthernet IEEE 802.3
  GigabitEthernet  GigabitEthernet IEEE 802.3z
  Port-channel     Ethernet Channel of interfaces

MLS_1(config)#monitor session 47 source interface fast0/3 - 5
MLS_1(config)#monitor session 47 destination ?
  interface  SPAN destination interface
  remote     SPAN destination Remote

MLS_1(config)#monitor session 47 destination interface fast 0/9

MLS_1#show monitor
Session 47
---------
Type                   : Local Session
Source Ports           :
    Both               : Fa0/3-5
Destination Ports      : Fa0/9
    Encapsulation      : Native
          Ingress      : Disabled

Let me save you some seriously unnecessary troubleshooting time with this little tip! If you look at fast 0/9 right now, you’ll see something that might make ya cuss:

MLS_1#show int fast 0/9
FastEthernet0/9 is down, line protocol is down (monitoring)

No need to sweat, just read all the way to the end of that line and you’ll see (monitoring). That means you’re looking at a SPAN destination port, and this is the one time in which seeing that an interface is “down and down” is what you should see!

That’s all well and good, but what if SPAN isn’t all local? What if the traffic to be monitored is originating on one particular switch and the only vacant port available is on another switch? RSPAN to the rescue! Configuring Remote SPAN on both switches will allow mirrored frames to be sent over the trunk via a separate VLAN that will carry only those mirrored frames. Here’s the setup for our RSPAN lab:

We’ll create VLAN 30 and identify it as the RSPAN VLAN with remote-span. On MLS_1, we’ll set up the SPAN session by naming the source ports and configuring the RSPAN VLAN as the destination.

MLS_1(config)#vlan 30
MLS_1(config-vlan)#remote-span
MLS_1(config)#monitor session 1 source int fast 0/1 - 5
MLS_1(config)#monitor session 1 destination remote ?
  vlan  Remote SPAN destination RSPAN VLAN

MLS_1(config)#monitor session 1 destination remote vlan ?
  <2-1001>     Remote SPAN destination RSPAN VLAN number
  <1006-4094>  Remote SPAN destination extended RSPAN VLAN number

MLS_1(config)#monitor session 1 destination remote vlan 30 ?
  <cr>

MLS_1(config)#monitor session 1 destination remote vlan 30

The config on MLS_2 will name the source as the RSPAN VLAN and the destination as the port connected to the analyzer. On MLS_2, we’ll also define VLAN 30 as the RSPAN VLAN. This isn’t a complex configuration, but the commands will NOT be the same, so don’t cut and paste ’em!

MLS_2(config)#vlan 30
MLS_2(config-vlan)#remote-span
MLS_2(config)#monitor session 1 source remote vlan 30
MLS_2(config)#monitor session 1 destination int fast0/10

Whew! After all that, the config is easy, but we need to keep a few things in mind:

- If there were intermediate switches between the two shown in the previous example, they would all need to be RSPAN-capable.
- VTP treats the RSPAN VLAN like any other VLAN by propagating it throughout the VTP domain (if configured on a VTP server, natch!). Otherwise, that VLAN will have to be propagated manually on every switch along that path.
- VTP pruning will prune the RSPAN VLAN under the same circumstances it would prune a normal VLAN.
- MAC address learning is disabled for the RSPAN VLAN.
- The source and destination ports must be defined on both the switch containing the source ports and the switch connected to the network analyzer.

The toughest part of working with SPAN can be remembering the ports that are eligible and not eligible to be source or destination ports. Here are some tips for a successful SPAN configuration:

By default, traffic both from the source port and destined for the source port is mirrored to the destination port. To change this, use the rx and tx options at the end of monitor session.

SW2(config)#monitor session 47 source interface fast 0/1 ?
  ,     Specify another range of interfaces
  -     Specify a range of interfaces
  both  Monitor received and transmitted traffic
  rx    Monitor received traffic only
  tx    Monitor transmitted traffic only
  <cr>

Source port notes:

- A source port can be monitored in multiple, simultaneous SPAN sessions.
- A source port cannot also serve as a destination port.
- The speed of the port doesn’t affect a port’s ability to be a source port, but it’s a good idea to have a destination port be equal or higher in speed than the source port(s).
- A source port can be part of an Etherchannel. Be aware that if a port that’s in an EC is a source port, only the traffic going over that specific port will be mirrored. If you want all the traffic on an EC to be mirrored, you have to make the entire EC the source port.
- A trunk port can be a source port, but be aware that every single bit of traffic on any of the VLANs that are part of that trunk will be mirrored to the destination port.
- Commonly referred to as VSPAN, an entire VLAN can be configured as a source port.
- VLAN membership doesn’t matter; ports from different VLANs can serve as source ports for the same SPAN session.

Destination port notes:

- A destination port can participate in only one SPAN session. A destination port cannot be a source port, nor can a single port serve as the destination for multiple SPAN sessions.
- A destination SPAN port doesn’t participate in STP, CDP, VTP, DTP, PaGP, or LACP.
- While source ports can be part of an Etherchannel, a destination port cannot, and you can use SPAN to monitor an entire EtherChannel by specifying that EC’s port-channel interface as the source.
- Trunk ports can be configured as source and/or destination ports; the default behavior will result in the monitoring of all active VLANs on the trunk.

And just one more thing… remember the remote-span command we placed on both switches in our RSPAN config? If you have switches between the switch with source ports and the one with destination ports, you need that command on every intermediate switch.
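Those eligibility rules are easy to get wrong when several sessions share a switch, so here is an added example (my own code, not the book’s or Cisco’s) that expands a range typed the way monitor session accepts it and checks a set of proposed sessions against the rules above: one session per destination port, no port that is both a source and a destination, no EtherChannel member as a destination, and a warning when the destination is slower than its sources. Session 47 and its ports are taken from the lab; the extra sessions, the EtherChannel membership and the speed table are constructed inputs.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

RANGE_RE = re.compile(r"^\s*([A-Za-z]+)\s*(\d+/)(\d+)(?:\s*-\s*(\d+))?\s*$")
PREFIXES = {"f": "Fa", "g": "Gi", "p": "Po"}


def expand_range(spec: str) -> List[str]:
    """'fast0/3 - 5' -> ['Fa0/3', 'Fa0/4', 'Fa0/5'], as typed in monitor session."""
    m = RANGE_RE.match(spec)
    if not m:
        raise ValueError(f"unrecognised interface range: {spec!r}")
    kind, slot, first, last = m.groups()
    prefix = PREFIXES[kind[0].lower()]
    return [f"{prefix}{slot}{n}" for n in range(int(first), int(last or first) + 1)]


@dataclass
class SpanSession:
    number: int
    sources: List[str]        # 'Fa0/3', 'Po1' for a whole EtherChannel, 'vlan 10' for VSPAN
    destination: str
    direction: str = "both"   # rx, tx or both (the default)


def validate_span(sessions: List[SpanSession],
                  etherchannel_members: FrozenSet[str] = frozenset(),
                  speeds_mbps: Optional[Dict[str, int]] = None) -> List[str]:
    """Return a list of rule violations (empty when the sessions are valid)."""
    problems: List[str] = []
    dest_owner: Dict[str, int] = {}          # destination port -> session using it
    source_users: Dict[str, List[int]] = {}  # source port -> sessions monitoring it
    for s in sessions:
        if s.direction not in ("rx", "tx", "both"):
            problems.append(f"session {s.number}: direction must be rx, tx or both")
        # a port can be the destination of one session only
        if s.destination in dest_owner:
            problems.append(f"session {s.number}: {s.destination} is already the "
                            f"destination of session {dest_owner[s.destination]}")
        else:
            dest_owner[s.destination] = s.number
        # destination ports cannot belong to an EtherChannel
        if s.destination in etherchannel_members:
            problems.append(f"session {s.number}: destination {s.destination} "
                            f"belongs to an EtherChannel")
        for src in s.sources:
            source_users.setdefault(src, []).append(s.number)
        # not a hard rule, but a destination slower than its sources will drop mirrored frames
        if speeds_mbps and s.destination in speeds_mbps:
            faster = [p for p in s.sources if speeds_mbps.get(p, 0) > speeds_mbps[s.destination]]
            if faster:
                problems.append(f"warning, session {s.number}: destination {s.destination} "
                                f"is slower than source(s) {faster}")
    # a port may feed several sessions as a source, but never also be a destination
    for port, nums in source_users.items():
        if port in dest_owner:
            problems.append(f"{port} is a source in session(s) {nums} and the "
                            f"destination of session {dest_owner[port]}")
    return problems
```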

Storm Control

In your CCNA studies, you learned of the danger of broadcast storms, where the number of broadcasts and multicasts begins to overwhelm your switch, all the way to the point of non-operation. Whether accidentally or maliciously caused, these storms can also overwhelm your hosts with broadcasts and multicasts flooded by the switch. Storm Control is specifically designed to proactively stop that flooding before our hosts are hit with a level of flooded traffic they just can’t handle. It’s enabled on a per-port basis:

SW1(config)#int fast 0/1
SW1(config-if)#storm-control ?
  action     Action to take for storm-control
  broadcast  Broadcast address storm control
  multicast  Multicast address storm control
  unicast    Unicast address storm control

For each traffic type listed, the option level will follow. We’ll use IOS Help to explore our options for broadcast storm control.

SW1(config-if)#storm-control broadcast ?
  level  Set storm suppression level on this interface

SW1(config-if)#storm-control broadcast level ?
  <0 - 100>  Enter Integer part of storm suppression level
  pps        Enter suppression level in packets per second

SW1(config-if)#storm-control broadcast level 45 ?
  <0 - 100>  Enter Integer part of lower suppression level
  <cr>

SW1(config-if)#storm-control broadcast level 45 35 ?
  <cr>

SW1(config-if)#storm-control broadcast level 45 35

It might surprise you that we have the option for one or two levels! If you specify only the storm suppression level (the first value), Storm Control takes action when the traffic type goes above that level, and stops that action when the traffic type goes below that level. At times, you may want to set a different level at which Storm Control should cease action. The line storm-control broadcast level 45 35 means Storm Control will take action when broadcasts are taking up over 45% of available bandwidth and will stop that action when the level of broadcasts drops below 35% of that available bandwidth.

I’m using bandwidth usage percentage in this command, which can also be configured using packets per second. It’s not right or wrong to choose one option over the other – just choose the one that fits your situation. Now, about that action…

SW1(config-if)#storm-control action ?
  shutdown  Shutdown this interface if a storm occurs
  trap      Send SNMP trap if a storm occurs

What isn’t shown here is Storm Control’s default behavior of tossing the offending frames overboard. (That is, they’re dropped.) Choosing shutdown or trap adds the configured behavior to this default. (Makes sense, right?)

Verify your config with show storm-control, which will show you information on all ports on the switch, or show storm-control interface to see the info for just that interface!

SW1#show storm-control fast 0/1
Interface  Filter State   Trap State  Upper   Lower   Current  Traps Sent
---------  -------------  ----------  ------  ------  -------  ----------
Fa0/1      Forwarding     inactive    45.00%  35.00%  0.00%    0
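The one-level versus two-level distinction is easiest to see on a series of utilisation samples, so here is an added example (my own code, not the book’s) that reads the thresholds out of a show storm-control row and simulates the rising/falling behaviour, counting how many separate times suppression would kick in. The broadcast-utilisation samples are constructed; the show output is patterned on the display above.

```python
import re
from typing import List, Optional


def storm_control_trace(utilisation: List[float], upper: float,
                        lower: Optional[float] = None) -> List[bool]:
    """Per sample, whether Storm Control is suppressing the traffic type.
    One level: act above `upper`, stop once below `upper`.
    Two levels (e.g. 45 35): act above `upper`, stop only once below `lower`."""
    if lower is None:
        lower = upper
    if not 0 <= lower <= upper <= 100:
        raise ValueError("need 0 <= lower <= upper <= 100 (percent of bandwidth)")
    acting = False
    trace = []
    for pct in utilisation:
        if not acting and pct > upper:
            acting = True
        elif acting and pct < lower:
            acting = False
        trace.append(acting)
    return trace


def action_episodes(trace: List[bool]) -> int:
    """How many separate times suppression started (each one would be a shutdown or trap)."""
    return sum(1 for i, on in enumerate(trace) if on and (i == 0 or not trace[i - 1]))


ROW_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+([\d.]+)%\s+([\d.]+)%\s+([\d.]+)%\s+(\d+)\s*$")


def parse_show_storm_control(text: str) -> dict:
    """Rows of 'show storm-control' -> port: configured thresholds and current level."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            port, filt, trap, upper, lower, current, traps = m.groups()
            rows[port] = {"filter_state": filt, "trap_state": trap,
                          "upper": float(upper), "lower": float(lower),
                          "current": float(current), "traps_sent": int(traps)}
    return rows


# Constructed: output patterned on the show storm-control display above, plus a made-up
# series of broadcast-utilisation samples (percent of bandwidth) seen on Fa0/1
SHOW_STORM_CONTROL = """\
Interface  Filter State   Trap State  Upper   Lower   Current  Traps Sent
---------  -------------  ----------  ------  ------  -------  ----------
Fa0/1      Forwarding     inactive    45.00%  35.00%  0.00%    0
"""
BROADCAST_SAMPLES = [10, 50, 40, 48, 38, 30]
```

With a single level of 45 the same samples toggle suppression off and on twice; with 45 35 the hysteresis keeps it on through the dip to 40 and 38 and releases only at 30.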

VLAN ACLs

Let’s take a look at some Cisco switch security features that were developed specifically with VLANs in mind, starting with VLAN ACLs.

You’ll certainly be familiar with ACLs and a few of their seemingly endless uses at this point in your Cisco studies! The ACL we’ve come to know and love has some limitations though. An ACL can be used to filter inter-VLAN traffic, but not intra-VLAN traffic. While an ACL can filter traffic travelling between VLANs, it can’t do anything about traffic from one host in a VLAN to another host in the same VLAN. Filtering between hosts in the same VLAN requires the use of a VLAN Access List (VACL).

Why not, you ask? It relates to the application of ACLs on a multilayer switch. The CAM table holds the dynamically and statically learned MAC addresses, but it’s the TCAM table – the Ternary Content-Addressable Memory table – that cuts down on the number of lookups required to compare a packet against an ACL. This packet filtering via the switch hardware speeds up the overall process, but it limits ACL capability. You’ll see what I mean in the following lab!

We want to stop these three hosts from communicating with any host in the 10.1.1.0 /24 subnet, and we mean any host – even among each other! Right now, each host can ping the other (results not shown). Even though a VACL will do the actual filtering, we’ll still need to write an ACL. The ACL will be used as the match criterion within the VACL.

MLS_1(config)#ip access-list extended BLOCK_FIRST_THREE
MLS_1(config-ext-nacl)#permit ip ?
  A.B.C.D  Source address
  any      Any source host
  host     A single source host

MLS_1(config-ext-nacl)#permit ip 10.1.1.0 ?
  A.B.C.D  Source wildcard bits

MLS_1(config-ext-nacl)#permit ip 10.1.1.0 0.0.0.3 ?
  A.B.C.D  Destination address
  any      Any destination host
  host     A single destination host

MLS_1(config-ext-nacl)#permit ip 10.1.1.0 0.0.0.3 10.1.1.0 ?
  A.B.C.D  Destination wildcard bits

MLS_1(config-ext-nacl)#permit ip 10.1.1.0 0.0.0.3 10.1.1.0 0.0.0.255

I’m sure you noticed that the three source addresses named in the ACL are the ones that won’t be allowed to communicate with other hosts on that subnet, but the ACL statement is a permit, not a deny. No worries, the deny is coming! We’ll write the VACL with vlan access-map, with any traffic matching that ACL to be dropped.

MLS_1(config)#vlan access-map ?
  WORD  Vlan access map tag

MLS_1(config)#vlan access-map NO_123 ?
  <0-65535>  Sequence to insert to/delete from existing vlan access-map entry
  <cr>

MLS_1(config)#vlan access-map NO_123
MLS_1(config-access-map)#match ?
  ip   IP based match
  mac  MAC based match

MLS_1(config-access-map)#match ip ?
  address  Match IP address to access control.

MLS_1(config-access-map)#match ip address ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name

MLS_1(config-access-map)#match ip address BLOCK_FIRST_THREE
MLS_1(config-access-map)#action ?
  drop     Drop packets
  forward  Forward packets

MLS_1(config-access-map)#action drop
MLS_1(config-access-map)#exit
MLS_1(config)#vlan access-map NO_123
MLS_1(config-access-map)#action forward

No match was configured for the second VACL statement, meaning the action of “forward” will be applied to any and all traffic that didn’t match previous statements. I didn’t enter a sequence number for those two VACL statements because I wanted to demo the default for you via show vlan access-map:

MLS_1#show vlan access-map
Vlan access-map "NO_123" 10
  Match clauses:
    ip address: BLOCK_FIRST_THREE
  Action:
    drop
Vlan access-map "NO_123" 20
  Match clauses:
  Action:
    Forward

The “10” and “20” shown are the default sequence numbers. If you follow my lead and don’t define them as you go, they’ll increment by 10. Sequence numbers are fantastic for those situations where you later need to add an action. If you needed to add an action that involved dropping traffic, you’d need to give it a sequence number between 10 and 20. Adding it at the end wouldn’t do any good, since VACL sequence number 20 permits all traffic.

Hey, we need to apply this thing! Don’t try to apply a VACL to a specific interface; we have to apply it in global configuration mode. The VLAN to be filtered is specified at the end of the command with the vlan-list option. We can specify individual VLANs or go with the all option. Be careful to specify the VACL name in this command, not the ACL name.

MLS_1(config)#vlan filter ?
  WORD  VLAN map name

MLS_1(config)#vlan filter NO_123 ?
  vlan-list  VLANs to apply filter to

MLS_1(config)#vlan filter NO_123 vlan-list ?
  <1-4094>  VLAN id
  all       Add this filter to all VLANs

MLS_1(config)#vlan filter NO_123 vlan-list 10

Verify with show ip access-list and show vlan access-map, and then test!

MLS_1#show vacl
            ^
% Invalid input detected at ‘^’ marker.

MLS_1#show vlan access-list
                        ^
% Invalid input detected at ‘^’ marker.

MLS_1#show ip access-list
Extended IP access list BLOCK_FIRST_THREE
    10 permit ip 10.1.1.0 0.0.0.3 10.1.1.0 0.0.0.255

MLS_1#show vlan access-map
Vlan access-map "NO_123" 10
  Match clauses:
    ip address: BLOCK_FIRST_THREE
  Action:
    drop
Vlan access-map "NO_123" 20
  Match clauses:
  Action:
    Forward

HOST_1#ping 10.1.1.3
Success rate is 0 percent (0/5)

HOST_2#ping 10.1.1.25
Success rate is 0 percent (0/5)

Hosts that could previously ping each other now cannot, thanks to our VACL!
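To make the match-then-act logic concrete, here is an added example (my own code, not the book’s or Cisco’s) that models Cisco wildcard matching, the rule that only a permit in the match ACL counts as a VACL match, clause evaluation in sequence order, the vlan-list scoping of vlan filter, and a check for clauses that can never apply because a catch-all clause sits before them. The ACL and access-map are the lab’s, re-typed as data; the host addresses in the test are constructed.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Set, Union


class AclEntry(NamedTuple):
    action: str      # permit / deny
    src: str
    src_wild: str
    dst: str
    dst_wild: str


class MapClause(NamedTuple):
    seq: int
    acl: Optional[List[AclEntry]]   # None = no match clause, so it matches everything
    action: str                      # drop / forward


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard bits: a 1 bit means 'don't care', a 0 bit must match."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def acl_permits(acl: List[AclEntry], src: str, dst: str) -> bool:
    """First matching line wins; the implicit deny at the end means 'not matched'."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wild) and wildcard_match(dst, e.dst, e.dst_wild):
            return e.action == "permit"
    return False


def vacl_action(access_map: List[MapClause], src: str, dst: str) -> str:
    """Walk the clauses in sequence order; only a permit in the match ACL is a match.
    A packet that matches no clause at all is dropped."""
    for clause in sorted(access_map, key=lambda c: c.seq):
        if clause.acl is None or acl_permits(clause.acl, src, dst):
            return clause.action
    return "drop"


def filtered_verdict(access_map: List[MapClause], filtered_vlans: Union[Set[int], str],
                     vlan: int, src: str, dst: str) -> str:
    """vlan filter NAME vlan-list ...: the map applies only to the listed VLANs (or all)."""
    if filtered_vlans != "all" and vlan not in filtered_vlans:
        return "forward"
    return vacl_action(access_map, src, dst)


def unreachable_clauses(access_map: List[MapClause]) -> List[int]:
    """Sequence numbers that sit after a clause with no match criterion (a catch-all),
    which is why a new drop must be numbered between 10 and 20 in the lab's map."""
    ordered = sorted(access_map, key=lambda c: c.seq)
    for i, c in enumerate(ordered):
        if c.acl is None:
            return [x.seq for x in ordered[i + 1:]]
    return []


# The lab's ACL and VACL, re-typed here as data from the commands above
BLOCK_FIRST_THREE = [AclEntry("permit", "10.1.1.0", "0.0.0.3", "10.1.1.0", "0.0.0.255")]
NO_123 = [MapClause(10, BLOCK_FIRST_THREE, "drop"), MapClause(20, None, "forward")]
```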

Hosts that need to talk to everyone will be connected to promiscuous ports. This port type can communicate with any host connected to any of the other two port types. When you have a router or multilayer switch that serves as a default gateway, that device must be connected to a promiscuous port for the network to function correctly.

Hosts that just need to talk to some other devices are connected to community ports. These hosts can communicate with other community ports in the same private VLAN as well as any device connected to a promiscuous port.

Hosts that just don't want anything to do with anybody are connected to the aptly named isolated ports. Hosts connected to isolated ports can only communicate with hosts connected to promiscuous ports. Even if you have two isolated ports in the same private VLAN, those hosts can't intercommunicate.

Each of these concepts is illustrated here:

Host A has been placed into an isolated private VLAN, and will be able to communicate only with the router, which is connected to a promiscuous port. The other hosts are in a community private VLAN, so they can communicate with each other as well as the router. They cannot communicate with Host A. If we placed another host in the same isolated private VLAN that Host A is in now, those two hosts could not communicate with each other.

Now let's have a brief, powerful look at the private VLAN types. The "parent" private VLAN is the primary private VLAN, and the "child" private VLAN is the secondary private VLAN. A primary private VLAN can be mapped to multiple secondary VLANs, but a secondary private VLAN can be mapped to only one primary. That's it!

About those secondary VLAN types… Ports in a community private VLAN can communicate with other ports in the same community as well as promiscuous ports in the primary. Ports in an isolated private VLAN can only communicate with promiscuous ports in the parent private VLAN.

In the following configuration, we'll use the following VLANs and VLAN types:

VLAN 100 is a secondary private VLAN (community). Ports are Fa0/1 – 5.

VLAN 200 is a secondary private VLAN (isolated). Ports are Fa0/6 – 10.

VLAN 300 will be the primary private VLAN. Our router is off fast0/12.

In our config, we'll map primary private VLANs to secondary private VLANs. Creating the first VLAN with VLAN config mode is no problem, but look what happens when we try to make it a community private VLAN – or for that matter, any kind of private VLAN!

MLS_1(config)#vlan 100
MLS_1(config-vlan)#private-vlan ?
  association  Configure association between private VLANs
  community    Configure the VLAN as a community private VLAN
  isolated     Configure the VLAN as an isolated private VLAN
  primary      Configure the VLAN as a primary private VLAN

MLS_1(config-vlan)#private-vlan community
%Private VLANs can only be configured when VTP is in transparent/off mode.

Private VLANs can only be configured when VTP is in transparent mode. (Yes, like it says right there.) Once we do that, configuring VLAN 100 as a community private VLAN and VLAN 200 as an isolated private VLAN is no problem.

MLS_1(config)#vtp mode transparent
Setting device to VTP Transparent mode for VLANS.
MLS_1(config)#vlan 100
MLS_1(config-vlan)#private-vlan ?
  association  Configure association between private VLANs
  community    Configure the VLAN as a community private VLAN
  isolated     Configure the VLAN as an isolated private VLAN
  primary      Configure the VLAN as a primary private VLAN
MLS_1(config-vlan)#private-vlan community
MLS_1(config-vlan)#vlan 200
MLS_1(config-vlan)#private-vlan isolated

Now we'll configure VLAN 300 as the primary private VLAN, and then associate those two secondary private VLANs with this primary private VLAN. (This association is not the mapping I mentioned earlier.)

MLS_1(config)#vlan 300
MLS_1(config-vlan)#private-vlan primary
MLS_1(config-vlan)#private-vlan association ?
  WORD    VLAN IDs of the private VLANs to be configured
  add     Add a VLAN to private VLAN list
  remove  Remove a VLAN from private VLAN list
MLS_1(config-vlan)#private-vlan association 200,100

We've accomplished the following:

Configured VTP to run in transparent mode (very important!)

Created our secondary private VLANs, both isolated and community

Created our primary private VLAN

Created an association between the secondary and primary private VLANs

Just two more things to do – place the ports into the proper VLAN and get that mapping done!

The switch port leading to the router is Fa0/12, and that port must be made promiscuous.

MLS_1(config)#int fast 0/12
MLS_1(config-if)#switchport mode ?
  access        Set trunking mode to ACCESS unconditionally
  dot1q-tunnel  set trunking mode to TUNNEL unconditionally
  dynamic       Set trunking mode to dynamically negotiate access or trunk mode
  private-vlan  Set private-vlan mode
  trunk         Set trunking mode to TRUNK unconditionally
MLS_1(config-if)#switchport mode private-vlan ?
  host         Set the mode to private-vlan host
  promiscuous  Set the mode to private-vlan promiscuous
MLS_1(config-if)#switchport mode private-vlan promiscuous

We'll also need the primary vlan mapping command on that interface:

MLS_1(config-if)#switchport private-vlan ?
  association       Set the private VLAN association
  host-association  Set the private VLAN host association
  mapping           Set the private VLAN promiscuous mapping

MLS_1(config-if)#switchport private-vlan mapping ?
  <1006-4094>  Primary extended range VLAN ID of the private VLAN promiscuous port mapping
  <2-1001>     Primary normal range VLAN ID of the private VLAN promiscuous port mapping
MLS_1(config-if)#switchport private-vlan mapping 300 ?
  WORD    Secondary VLAN IDs of the private VLAN promiscuous port mapping
  add     Add a VLAN to private VLAN list
  remove  Remove a VLAN from private VLAN list
MLS_1(config-if)#switchport private-vlan mapping 300 100,200 ?
  <cr>
MLS_1(config-if)#switchport private-vlan mapping 300 100,200

Ports Fa0/1 – 5 are in VLAN 100. We'll use our buddy interface range to configure that port range with the private-vlan host and private-vlan host-association commands.

MLS_1(config)#int range fast 0/1 - 5
MLS_1(config-if-range)#switchport mode private-vlan ?
  host         Set the mode to private-vlan host
  promiscuous  Set the mode to private-vlan promiscuous
MLS_1(config-if-range)#switchport mode private-vlan host
MLS_1(config-if-range)#switchport private-vlan ?
  association       Set the private VLAN association
  host-association  Set the private VLAN host association
  mapping           Set the private VLAN promiscuous mapping
MLS_1(config-if-range)#switchport private-vlan host-association ?
  <1006-4094>  Primary extended range VLAN ID of the private VLAN host port association
  <2-1001>     Primary normal range VLAN ID of the private VLAN port association
MLS_1(config-if-range)#switchport private-vlan host-association 300 ?
  <1006-4094>  Secondary extended range VLAN ID of the private VLAN host port association
  <2-1001>     Secondary normal range VLAN ID of the private VLAN host port association
MLS_1(config-if-range)#switchport private-vlan host-association 300 100

We'll use interface range on Fa0/6 – 10 as well, using VLAN 200 instead of 100.

MLS_1(config)#int range fast 0/6 - 10
MLS_1(config-if-range)#switchport mode private-vlan host
MLS_1(config-if-range)#switchport private-vlan host-association 300 200

Verify your private VLAN config with the tricky-to-type show vlan private-vlan command, and on an interface level with show interface switchport.

DHCP And Multilayer Switches

I'm sure you're wondering why DHCP is smack in the middle of a CCNP SWITCH exam discussion of switch security features. There are two really good reasons for this:

1. DHCP is a topic on your CCNP SWITCH exam.

2. Securing DHCP is a vital part of our overall Cisco switch security strategy, and the better our knowledge of DHCP, the better our security will be.

Let's jump right in with a quick review of the overall DHCP process. First, the client broadcasts a DHCP Discover packet, and its purpose is to discover the network's DHCP servers.

The DHCP servers that receive that Discover packet respond with a broadcast in the form of a DHCP Offer packet. This includes an IP address the client can use, along with notification on how long the client can keep that address (the lease), the default gateway, and other info as desired and configured by you and I.

The client will accept the first Offer received, ignoring the others. The client uses a broadcast DHCP Request message to indicate acceptance of the offer. The Request includes the IP address of the DHCP Server whose address offer is being accepted. When a DHCP Server sees a Request that does not include its own IP address, that server knows that its offer was not accepted.

The DHCP server whose offer is being accepted sends a DHCP Acknowledgement message back to the client, and that's it! (This ACK can be a unicast or a broadcast depending on the circumstances. Some books say it's a unicast, some say it's a broadcast; they're both right.)

Generally speaking, you'll have a traditional server for your DHCP server, but a Cisco router or multilayer switch can handle the role nicely! The syntax may seem a little odd at first, but like all things Cisco, take it one command at a time and you'll be fine.

We're going to do something a bit unusual in this section and have a Cisco router acquire an IP address via DHCP from a Cisco multilayer switch. Using a multilayer switch as a DHCP server requires that switch to have an IP address on any subnet that it's offering addresses from. No problem there, but we do need to exclude that particular address from the DHCP pool. This can drive you a bit crazy at first, since the ip dhcp excluded-address command we use for that purpose is configured globally, not as part of the general DHCP configuration.

Here's the setup: we, the network admins, are going to assign addresses from 10.0.0.0 /8 via DHCP, but we don't want to use the addresses 10.0.0.0 – 10.1.1.0, nor do we want to assign the IP address already assigned to the SVI (technically int VLAN 4), 10.1.1.1. We can specify a single address to be excluded, an entire range, or both. Here, ip dhcp excluded-address gets the job done. I could have used one command with the range 10.0.0.0 – 10.1.1.1, but I want to illustrate that you can use this command to exclude a single address, an entire range, or both.

MLS_1(config)#ip dhcp excluded-address ?
  A.B.C.D  Low IP address
  vrf      VRF name for excluded address range
MLS_1(config)#ip dhcp excluded-address 10.0.0.0 ?
  A.B.C.D  High IP address
  <cr>
MLS_1(config)#ip dhcp excluded-address 10.0.0.0 10.1.1.0
MLS_1(config)#ip dhcp excluded-address 10.1.1.1

With those tasks completed, we're now ready to create the DHCP pool with ip dhcp pool.

MLS_1(config)#ip dhcp pool CCNP
MLS_1(dhcp-config)#

We'll use network to define the range of addresses to be assigned to DHCP clients. For the mask, we're given the rare option of entering the value in either prefix notation or the more familiar dotted decimal.

MLS_1(dhcp-config)#network 10.0.0.0 ?
  /nn or A.B.C.D  Network mask or prefix length
MLS_1(dhcp-config)#network 10.0.0.0 /8

Other options include specifying a domain name with domain-name, using dns-server to give the DNS server location to clients, and specifying the IP address of the default router with default-router. Both the default router and DNS servers can be referred to by either their hostname or IP address.

MLS_1(dhcp-config)#default-router ?
  Hostname or A.B.C.D  Router's name or IP address
MLS_1(dhcp-config)#default-router 10.1.1.1
MLS_1(dhcp-config)#dns-server ?
  Hostname or A.B.C.D  Server's name or IP address
MLS_1(dhcp-config)#dns-server 10.3.3.3
MLS_1(dhcp-config)#domain-name ?
  WORD  Domain name
MLS_1(dhcp-config)#domain-name bryantadvantage.com

Define the lease length with lease, or set it to never expire with infinite. Use IOS Help to check the units of time!

MLS_1(dhcp-config)#lease ?
  <0-365>   Days
  infinite  Infinite lease
MLS_1(dhcp-config)#lease 10 ?
  <0-23>  Hours
  <cr>
MLS_1(dhcp-config)#lease 10 10 ?
  <0-59>  Minutes
  <cr>
MLS_1(dhcp-config)#lease 10 10 10 ?
  <cr>
MLS_1(dhcp-config)#lease 10 10 10

A Cisco router acting as a DHCP server will check for IP address conflicts before assigning an address. The conflict check takes the form of two pings sent to that address, and those pings will time out in 500 milliseconds. If they time out, we're good and that address can be sent to the client. If we get pings back, well, we can't assign that address!

This is a value you won't adjust often, but if you want to change the number of pings sent and/or the timeout duration during the conflict check, use ip dhcp ping packets and ip dhcp ping timeout. Note that these are globally configured commands. Setting the number of ping packets to zero disables the conflict check.

MLS_1(config)#ip dhcp ping ?
  packets  Specify number of ping packets
  timeout  Specify ping timeout
MLS_1(config)#ip dhcp ping packets ?
  <0-10>  Number of ping packets (0 disables ping)
MLS_1(config)#ip dhcp ping timeout ?
  <100-10000>  Ping timeout in milliseconds

Let's enable DHCP IP address acquisition on the router's Fast0/0 interface and then verify the addressing with show int fast 0/0 on the router and show ip dhcp binding on the multilayer switch.

HOST_2(config)#int fast 0/0
HOST_2(config-if)#ip address dhcp

HOST_2#show int fast 0/0
FastEthernet0/0 is up, line protocol is up
  Hardware is Gt96k FE, address is 001b.d4c2.0990 (bia 001b.d4c2.0990)
  Internet address is 10.1.1.2/8

MLS_1#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/                                                Lease expiration        Type
                Hardware address/
                User name
10.1.1.2        0063.6973.636f.2d30.3031.622e.6434.6332.2e30.3939.302d.4661.302f.30   Mar 26 2015 01:16 AM   Automatic

IP Helper Addresses

Routers accept broadcasts, and routers create broadcasts, but routers do not forward broadcasts by default. That can present an issue with DHCP messages when a router is between the requesting host and the DHCP server. After all, the first message in the entire process is a broadcast!

On occasion we just might need some help with our DHCP broadcast messages… some helper addresses, perhaps!

Using ip helper-address on a router or multilayer switch allows the device to translate certain broadcasts to a unicast, making forwarding possible. The command should be configured on the interface that will be receiving the broadcasts, not the interface closest to the destination. The command syntax is exactly the same whether you're configuring this command on a multilayer switch SVI or a router's physical interface.

MLS_1(config)#int vlan 10
MLS_1(config-if)#ip address 10.1.1.1 255.255.255.0
MLS_1(config-if)#ip helper-address ?
  A.B.C.D  IP destination address
  global   Helper-address is global
  vrf      VRF name for helper-address (if different from interface VRF)
MLS_1(config-if)#ip helper-address 10.5.5.5 ?
  <cr>
MLS_1(config-if)#ip helper-address 10.5.5.5

R1(config)#int fast 0/0
R1(config-if)#ip helper-address ?
  A.B.C.D  IP destination address
  global   Helper-address is global
  vrf      VRF name for helper-address (if different from interface VRF)
R1(config-if)#ip helper-address 10.5.5.5

A device running ip helper-address to help with DHCP server reachability is said to be a DHCP relay agent. That's accurate, but not entirely accurate, as nine common UDP service broadcasts are helped in this manner by this command. BOOTP/DHCP Client, BOOTP/DHCP Server, DNS, TFTP, TACACS, TIME, NetBIOS name service, NetBIOS datagram service, and IEN-116 name service all benefit from this command.

Got multiple DHCP servers your switch needs help reaching? No worries, just configure multiple ip helper-address statements and verify with show ip helper-address.

HOST_1#show ip helper-address
Interface        Helper-Address
FastEthernet0/0  10.5.5.5
                 10.6.6.6

The Dynamic Shall Become Static

On rare occasions, you may need to create a static IP address binding (also called a "manual" binding) in your network. That rare occasion is when you need DHCP to give a client the same address every single time. I'm saying "rare" in a hopeful voice, because configuring these suckers can be a real pain in the butt. (The voice of experience speaks!)

Before we start a manual binding, we need the client identifier of the client in question. The Cisco identifier is going to look a lot like a MAC address. If the client uses Ethernet, the identifier is simply a "01" in front of the MAC. Here, we'll configure a manual binding for our router. Since that client already has an IP address from us, we can get the client ID from the DHCP binding table.

MLS_1#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/                                                Lease expiration        Type
                Hardware address/
                User name
10.1.1.2        0063.6973.636f.2d30.3031.622e.6434.6332.2e30.3939.302d.4661.302f.30   Mar 26 2015 01:16 AM   Automatic

Holy crap. That's a lot of ID, as this is the ASCII string representing the client ID, and even I don't want to start typing all those numbers! Luckily, we don't have to. To get the classic representation of that ID, use the client-id option with ip address dhcp.

HOST_2(config)#int fast 0/0
HOST_2(config-if)#ip address dhcp ?
  client-id  Specify client-id to use
  hostname   Specify value for hostname option
  <cr>
HOST_2(config-if)#ip address dhcp client-id ?
  FastEthernet  FastEthernet IEEE 802.3

Hmmmm, that doesn't leave a lot of ways to use it!

HOST_2(config-if)#ip address dhcp client-id fastethernet 0/0 ?
  hostname  Specify value for hostname option
  <cr>
HOST_2(config-if)#ip address dhcp client-id fastethernet 0/0
HOST_2(config-if)#
05:54:55: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 10.1.1.3, mask 255.0.0.0, hostname HOST_2

Note that the next address in the pool is assigned as a result of this change.

MLS_1#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type
                Hardware address/
                User name
10.1.1.3        0100.1bd4.c209.90

Now there's a value we can work with! We're going to bind that client ID to the IP address 10.1.1.3. For a manual binding, start in DHCP pool mode, using the host command.

MLS_1(config)#ip dhcp pool CCNP
MLS_1(dhcp-config)#host 10.1.1.3
% This command may not be used with network, origin, vrf or relay pools.

How about client-identifier, the other required command for a DHCP manual binding?

MLS_1(dhcp-config)#client-identifier 0100.1bd4.c209.90
% This command may not be used with network, origin, vrf or relay pools.

Well, frankly, perhaps you're starting to feel manual bindings are too much of a pain to bother with. I'm about to make you feel better about them by telling you something that a lot of books / study guides / PDFs / websites leave out – manual bindings have to be put into their own DHCP pool. Let's get out of our previous DHCP pool and make that happen.

MLS_1(config)#ip dhcp pool STATIC_BINDINGS
MLS_1(dhcp-config)#host 10.1.1.3
MLS_1(dhcp-config)#client-identifier 0100.1bd4.c209.90
% A binding for this client already exists.

You also have to end any bindings that client currently has. I did so by closing the fast0/0 interface on R2. The binding was then gone, so I finished that config, reopened the interface on R2, and soon saw…

%DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 10.1.1.3, mask 255.0.0.0, hostname HOST_2

All riiiiiiiiiiight! Verify on MLS_1 with show ip dhcp binding.

MLS_1#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type
                Hardware address/
                User name
10.1.1.3        0100.1bd4.c209.90       Infinite                Manual

Note that this is described as a manual binding and the lease is infinite. With this, that interface will receive the same IP address every time, and you're done!

Now for just a bit of DHCP for IPv6, and then it's on to DHCP Snooping!
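The two client-identifier formats in the binding tables above (the long ASCII-hex string and the "01" plus MAC form) can be converted mechanically. This is an added example, not code from the study guide; the helper names are my own, and the sample values are the ones the book's output shows.

```python
# Added example: decoding and building DHCP option-61 client identifiers as
# Cisco IOS displays them (hex digits grouped in fours, separated by dots).

def _dotted_hex_to_bytes(dotted: str) -> bytes:
    """'0063.6973' -> bytes 00 63 69 73 (dots, colons and dashes are ignored)."""
    return bytes.fromhex(dotted.replace(".", "").replace(":", "").replace("-", ""))

def _bytes_to_dotted_hex(raw: bytes) -> str:
    """Inverse of the above: bytes 01 00 1b -> '0100.1b'."""
    h = raw.hex()
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))

def decode_client_id(dotted: str) -> dict:
    """Split a client identifier into its type byte and value.
    Per RFC 2132, type 1 means the value is an Ethernet MAC; type 0 means
    'not a hardware address' (Cisco IOS then uses an ASCII string such as
    cisco-<mac>-<interface>)."""
    raw = _dotted_hex_to_bytes(dotted)
    id_type, value = raw[0], raw[1:]
    if id_type == 1 and len(value) == 6:
        return {"type": "ethernet", "mac": _bytes_to_dotted_hex(value)}
    try:
        text = value.decode("ascii")
    except UnicodeDecodeError:
        text = None  # opaque identifier that is not printable ASCII
    return {"type": id_type, "text": text}

def ethernet_client_identifier(mac_dotted: str) -> str:
    """Build the '01' + MAC identifier needed by client-identifier in a
    manual-binding pool (the form the binding table shows for HOST_2)."""
    mac = _dotted_hex_to_bytes(mac_dotted)
    if len(mac) != 6:
        raise ValueError("expected a 48-bit MAC such as 001b.d4c2.0990")
    return _bytes_to_dotted_hex(b"\x01" + mac)

# Values taken from the book's show ip dhcp binding / show int fast 0/0 output.
LONG_ID = "0063.6973.636f.2d30.3031.622e.6434.6332.2e30.3939.302d.4661.302f.30"
ROUTER_MAC = "001b.d4c2.0990"

if __name__ == "__main__":
    print(decode_client_id(LONG_ID))               # text: cisco-001b.d4c2.0990-Fa0/0
    print(ethernet_client_identifier(ROUTER_MAC))  # 0100.1bd4.c209.90
```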

DHCP – IP Version 6 Style

IPv6 brings us autoconfiguration, both stateless and stateful. Stateful autoconfiguration is used when the host obtains an IPv6 address and other related information from a server. The key phrase in that description is "from a server". If that sounds like DHCP to you, well, it is – DHCPv6. If the DHCPv6 server goes down, we're out of luck and up that well-known creek.

With stateless autoconfiguration, there's no dependency on a server, and the entire process starts with the IPv6 host configuring its own link-local address. Our 128-bit IPv6 address is created in this manner with stateless autoconfiguration: The first 64 bits of this self-generated address will be 1111 1110 10 (FE80), followed by 54 zeroes, to be exact! The last 64 bits are the interface identifier, which consists of (in order) the first half of the interface's MAC address, then the hex string FFFe, then the second half of the MAC address. You'll usually see that hex string referred to as "FFFE". I personally like to write the "e" in lower case, since it's easy to read FFFE as FFFF.

It's been successfully calculated, but we need to make sure that no other host is using the same address. That's a remote possibility, but it never hurts to check, and that's where the Duplicate Address Detection (DAD) feature comes in. Technically, the address is tentative at this point.

DAD starts with a Neighbor Solicitation (NS) message asking if any other host on the link is using the same link-local address the NS-transmitting host just created for itself. If another host on the link is using that address, that host will respond with a Neighbor Advertisement (NA). When the host that sent the NS receives the NA, it will disable its link-local address. If no response to the NS is received, the local host is satisfied that it has a unique link-local address.

The local host will then send a Router Solicitation (RS) message with a destination of FF02::2, the "all-routers" multicast address. What's the host soliciting? It needs additional config information from a router in the form of a Router Advertisement (RA). Routers generally send these RAs periodically without an express request from a host, but even though the host would only have to wait 10 seconds or so for an RA, polling the router with an RS does speed up the overall process.

Information in the RA includes flags indicating whether the host should use DHCP for addressing information, and if DHCP is in use, the RA gives the location of the DHCP server. If DHCP is not in use, the router attaches the network prefix to the host's link-local address, which results in the host's full IPv6 address, complete with network prefix!

We can assign an IPv6 address to an SVI in almost the same way we've been assigning it an IPv4 address throughout the course. Just don't forget the "ipv6" in the command. I kid you not, one of the hardest things about learning IPv6 is getting used to entering "ipv6" over and over again in the commands.

ROUTER1(config)#int fast 0/0
ROUTER1(config-if)#ipv6 address ?
  WORD                General prefix name
  X:X:X:X::X          IPv6 link-local address
  X:X:X:X::X/<0-128>  IPv6 prefix
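The link-local and prefix-plus-interface-ID construction described above, worked through in code. This is an added example, not from the study guide; it goes one step beyond the text by inverting the universal/local bit as modified EUI-64 (RFC 4291) does, and by computing the solicited-node group the DAD Neighbor Solicitation is sent to. The 2001:db8:1:1::/64 prefix is a constructed documentation prefix and the helper names are my own.

```python
# Added example: stateless autoconfiguration address arithmetic for the MAC
# shown in the book's show int fast 0/0 output.
import ipaddress

def modified_eui64(mac_dotted: str) -> bytes:
    """MAC -> 64-bit interface identifier: first half, FFFE, second half.
    Beyond what the text states, modified EUI-64 also flips the U/L bit (0x02)
    of the first octet, so a MAC beginning 00 gives an interface ID beginning 02."""
    mac = bytes.fromhex(mac_dotted.replace(".", "").replace(":", "").replace("-", ""))
    if len(mac) != 6:
        raise ValueError("expected a 48-bit MAC such as 001b.d4c2.0990")
    iid = bytearray(mac[:3] + b"\xff\xfe" + mac[3:])
    iid[0] ^= 0x02
    return bytes(iid)

def link_local_from_mac(mac_dotted: str) -> str:
    """FE80, 54 zero bits, then the interface identifier."""
    prefix = bytes([0xfe, 0x80]) + bytes(6)
    return ipaddress.IPv6Address(prefix + modified_eui64(mac_dotted)).compressed

def global_from_ra(prefix: str, mac_dotted: str) -> str:
    """The /64 prefix carried in a Router Advertisement joined with the host's interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + modified_eui64(mac_dotted)).compressed

def solicited_node(addr: str) -> str:
    """FF02::1:FFxx:xxxx, xx:xxxx being the low 24 bits of the address; DAD's
    Neighbor Solicitation for a tentative address is sent to this group (RFC 4861)."""
    low3 = ipaddress.IPv6Address(addr).packed[-3:]
    return ipaddress.IPv6Address(b"\xff\x02" + bytes(9) + b"\x01\xff" + low3).compressed

ROUTER_MAC = "001b.d4c2.0990"   # MAC from the book's show int fast 0/0 output

if __name__ == "__main__":
    ll = link_local_from_mac(ROUTER_MAC)
    print("link-local     :", ll)                                    # fe80::21b:d4ff:fec2:990
    print("DAD NS target  :", solicited_node(ll))                    # ff02::1:ffc2:990
    print("with RA prefix :", global_from_ra("2001:db8:1:1::/64", ROUTER_MAC))
```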

Many of the commands and concepts are carried straight over from IPv4. No problem here.

ROUTER1(config)#ipv6 dhcp ?
  database  Configure IPv6 DHCP database agents
  ping      Configure IPv6 DHCP pinging
  pool      Configure IPv6 DHCP pool
  server    Configure IPv6 DHCP server

ROUTER1(config)#ipv6 dhcp pool CCNP
ROUTER1(config-dhcpv6)#?
IPv6 DHCP configuration commands:
  address            IPv6 address allocation
  default            Set a command to its defaults
  dns-server         DNS servers
  domain-name        Domain name to complete unqualified host names
  exit               Exit from DHCPv6 configuration mode
  import             Import options
  information        Information refresh option
  link-address       Link-address to match
  nis                NIS server options
  nisp               NISP server options
  no                 Negate a command or set its defaults
  prefix-delegation  IPv6 prefix delegation
  sip                SIP server options
  sntp               SNTP server options
  vendor-specific    Configure Vendor-specific option

The options for host and client-identifier are missing. We don't have the option to create manual bindings in IPv6 DHCP. There's also an option missing from our ipv6 dhcp list that we did have in IPv4: there's no ipv6 dhcp excluded-address command, and that's for the simple reason that you can't exclude addresses in IPv6 DHCP!

DHCP Snoooooooooop (ing)

It's hard to believe that something as innocent and commonplace as DHCP can be used against our network, but the trouble can start as early as the host sending out a DHCP Discovery packet. Once that happens, the host listens for replies in the form of DHCP Offers. The host isn't particularly discriminating about the offer it accepts. Actually, the host accepts the very first offer it sees come in!

Part of the Offer is the address the host should use as its default gateway. The host will receive the offer and set its default gateway accordingly. No problem here, since only one DHCP Server is on the network.

BUT – what if a DHCP server not under our administrative control, a DHCP rogue server, joins our network? The host will use the info in the first Offer packet it receives, and if the host uses the Offer from the rogue DHCP server, the host will set its default gateway to the rogue server's IP address! The rogue server's accepted Offer could set the host's DNS server address to the rogue's IP address as well, which opens the host and the network up to all kinds of nasty attacks.

DHCP Snooping allows the switch to serve as a firewall between hosts and untrusted DHCP servers. Basically, the switch snoops on DHCP conversations between those devices and makes decisions on which conversations are between trusted devices and which ones are not.

DHCP Snooping classifies switch interfaces as either trusted or untrusted. DHCP messages received on trusted interfaces will be allowed to pass through the switch, while DHCP messages received on untrusted interfaces will be dropped by the switch AND the interface will go into err-disabled state.

You're now asking yourself whether there's some automagical way for the switch to detect valid DHCP servers. Sorry, no. Trusted ports must be configured manually and explicitly by the network admin. By default, the switch considers all ports untrusted, so we better remember to trust some ports when running this feature. Otherwise, we'll have no dynamic IP addressing and a lot of err-disabled ports!

First step: Enable DHCP Snooping on the switch.

MLS_1(config)#ip dhcp snooping ?
  database     DHCP snooping database agent
  information  DHCP Snooping information
  verify       DHCP snooping verify
  vlan         DHCP Snooping vlan
  <cr>
MLS_1(config)#ip dhcp snooping

Next step: Identify the VLANs that will use DHCP Snooping.

MLS_1(config)#ip dhcp snooping vlan ?
  WORD  DHCP Snooping vlan first number or vlan range, example: 1,3-5,7,9-11
MLS_1(config)#ip dhcp snooping vlan 4

With our trusted DHCP server on port Fa0/10, we'll now trust that individual port:

MLS_1(config)#int fast 0/10
MLS_1(config-if)#ip dhcp snooping ?
  information  DHCP Snooping information
  limit        DHCP Snooping limit
  trust        DHCP Snooping trust config
  vlan         DHCP Snooping vlan
MLS_1(config-if)#ip dhcp snooping trust

When used with DHCP Snooping, the sinister-sounding Option 82 basically extends Snooping's trust boundary. When DHCP packets with Option 82 set come in on untrusted ports that have this option enabled, those packets are not dropped. Instead, the switch injects its own DHCP relay info into the Option-82 field (including its MAC address), and the packet is then forwarded to a DHCP Server. To enable this option, use ip dhcp snooping information option.

MLS_1(config)#ip dhcp snooping information ?
  option  DHCP Snooping information option
MLS_1(config)#ip dhcp snooping information option

When the reply to that DHCP message comes back, the switch validates the message by checking to see if its own Option 82 info was included in the reply. If so, that info is removed and the packet is forwarded. If not, the packet is dropped. This validity check is enabled by default. If you want to turn it off for some reason, use no ip dhcp relay information check.

MLS_1(config)#no ip dhcp relay ?
  bootp        BOOTP specific configuration information
  information  Relay agent information option
  prefer       Relay agent server selection approach
MLS_1(config)#no ip dhcp relay information ?
  check      Validate relay information in BOOTREPLY
  option     Insert relay information in BOOTREQUEST
  policy     Define reforwarding policy
  trust-all  Received DHCP packets may contain relay info option with zero giaddr

Verify your config with show ip dhcp snooping.

MLS_1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
4
DHCP snooping is operational on following VLANs:
4
Smartlog is configured on following VLANs:
none
Smartlog is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 0017.9466.f780 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
FastEthernet0/10           yes        yes             unlimited

Note the "rate limit" for the untrusted port is "unlimited". That refers to the number of DHCP packets the interface can accept in one second. IOS Help doesn't mention the measuring unit in this command, so it's a good idea to know it's packets per second. Use ip dhcp snooping limit rate to set a limit for this value.

MLS_1(config)#int fast 0/9
MLS_1(config-if)#ip dhcp snooping ?
  information  DHCP Snooping information
  limit        DHCP Snooping limit
  trust        DHCP Snooping trust config
  vlan         DHCP Snooping vlan
MLS_1(config-if)#ip dhcp snooping limit ?
  rate  DHCP Snooping limit
MLS_1(config-if)#ip dhcp snooping limit rate ?
  <1-2048>  DHCP snooping rate limit
MLS_1(config-if)#ip dhcp snooping limit rate 1000 ?
  <cr>

Dynamic ARP Inspection

If you can't trust DHCP, who can you trust? Well, not ARP, because the Address Resolution Protocol can turn on us in a minute! A rogue device on our network can overhear part of the ARP conversation and make itself look like a legitimate part of the action. This happens through ARP Cache Poisoning, also known as ARP Spoofing.

Here, Host A is sending an ARP Request, requesting the host with the IP address 172.12.12.2 respond with its MAC address. Before responding, Host B makes an entry in its local ARP cache mapping the source IP address of the Request, 172.12.12.1, to the mac address aaaa.aaaa.aaaa. The ARP Reply is then sent. Once Host A receives the ARP Reply, Host A makes an entry in its ARP cache mapping 172.12.12.2 to cccc.cccc.cccc, and at that point, both hosts have a MAC address – IP address mapping for the other.

However, if a rogue host responds to the original ARP Request, we have a problem. When H

Meanwhile, the rogue host acquires Host B's true MAC address via ARP. The rogue host can do the same for an ARP Request sent by Host B for Host A. As a result of this man-in-the-middle attack, all communications between A and B are going through the rogue host, leading to these two negative results:

1.

Dynamic ARP Inspection (DAI) prevents this behavior by building a database of trusted IP – MAC address mappings. This database is the same one built by the DHCP Snooping process, and static ARP configurations can also be used by DAI.

Once the IP – MAC address database is built, every single ARP Request and ARP Reply received on an untrusted interface is examined. If the ARP message has an approved MAC – IP address mapping, the message is forwarded appropriately. If no such mapping exists, the ARP message is dropped. DAI is performed as ARP messages are received, not transmitted.

Watch this one: DAI uses the concepts of trusted and untrusted ports, just as DHCP Snooping does, but DAI has some major differences in how messages are treated by these port types. On trusted interfaces, DAI allows the ARP message to pass without checking the database at all.

With DAI using the DHCP Snooping Database to get the job done, it follows that DHCP Snooping must be enabled before DAI is configured. Verify with show ip dhcp snooping.

MLS_1#show ip dhcp snooping
Switch DHCP snooping is enabled

MLS_1(config)#ip arp inspection ?
  filter      Specify ARP acl to be applied
  log-buffer  Log Buffer Configuration
  smartlog    Smartlog all the logged pkts
  validate    Validate addresses
  vlan        Enable/Disable ARP Inspection on vlans

The next step in configuring DAI is to name the VLANs that will be using this feature.

MLS_1(config)#ip arp inspection vlan ?
  WORD  vlan range, example: 1,3-5,7,9-11

MLS_1(config)#ip arp inspection vlan 4

The validate option gives us the option to go beyond DAI's default inspection.

MLS_1(config)#ip arp inspection validate ?
  dst-mac  Validate destination MAC address
  ip       Validate IP addresses
  src-mac  Validate source MAC address

Here's what happens with these enabled:

"src-mac" compares the source MAC address in the Ethernet header and the MAC address of the source of the ARP message.

"dst-mac" compares the destination MAC in the Ethernet header and the MAC destination address of the ARP message.

"ip" compares the ARP Request's source IP against the destination IP of the ARP Reply.

Let's use the ip option and verify with show ip arp inspection.

MLS_1#show ip arp inspection

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Enabled
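Here's an added example of the decision DAI makes for each ARP message, written in Python. It is not from the study guide and not Cisco code; it models the switch logic described above: trusted ports skip inspection, the optional validate checks (src-mac, dst-mac, ip) run first, and then the sender MAC/IP pair is looked up in the DHCP Snooping binding table. The binding entries, port names (Fa0/1, Fa0/2, Fa0/5, Fa0/10), the rogue MAC 0bad.0bad.0bad and the packets are all constructed; Host A and Host B use the addresses from the text. One assumption is labelled in the code: the ip check here refuses the invalid addresses (0.0.0.0, 255.255.255.255, multicast) that Cisco's documentation lists for that option.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass(frozen=True)
class Binding:
    """One DHCP Snooping binding-table entry (constructed values)."""
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class ArpPacket:
    """The fields of an ARP frame that DAI looks at (constructed packets)."""
    port: str        # ingress interface
    vlan: int
    eth_src: str     # Ethernet header source MAC
    eth_dst: str     # Ethernet header destination MAC
    op: str          # "request" or "reply"
    sender_mac: str  # ARP body: sender hardware address
    sender_ip: str   # ARP body: sender protocol address
    target_mac: str  # ARP body: target hardware address
    target_ip: str   # ARP body: target protocol address


@dataclass
class DaiConfig:
    vlans: set                                       # ip arp inspection vlan ...
    trusted_ports: set = field(default_factory=set)  # ip arp inspection trust
    validate_src_mac: bool = False                   # ip arp inspection validate src-mac
    validate_dst_mac: bool = False                   # ip arp inspection validate dst-mac
    validate_ip: bool = False                        # ip arp inspection validate ip


COUNTERS = ("forwarded", "dropped", "dhcp_drops", "src_mac_failures",
            "dst_mac_failures", "ip_validation_failures")


def _same_mac(a, b):
    return a.lower() == b.lower()


def _bad_ip(addr):
    # Assumption: the addresses Cisco documents as invalid for "validate ip".
    return addr in ("0.0.0.0", "255.255.255.255") or ip_address(addr).is_multicast


def inspect(pkt, bindings, cfg, stats):
    """Return ("forward" | "drop", reason) and update per-VLAN counters
    shaped like the columns of show ip arp inspection."""
    c = stats.setdefault(pkt.vlan, dict.fromkeys(COUNTERS, 0))
    if pkt.vlan not in cfg.vlans or pkt.port in cfg.trusted_ports:
        return "forward", "not-inspected"        # no database lookup at all
    if cfg.validate_src_mac and not _same_mac(pkt.eth_src, pkt.sender_mac):
        c["src_mac_failures"] += 1; c["dropped"] += 1
        return "drop", "src-mac"
    if cfg.validate_dst_mac and pkt.op == "reply" and not _same_mac(pkt.eth_dst, pkt.target_mac):
        c["dst_mac_failures"] += 1; c["dropped"] += 1
        return "drop", "dst-mac"
    if cfg.validate_ip and (_bad_ip(pkt.sender_ip) or (pkt.op == "reply" and _bad_ip(pkt.target_ip))):
        c["ip_validation_failures"] += 1; c["dropped"] += 1
        return "drop", "ip"
    for b in bindings:   # the sender's MAC/IP pair must exist in the binding table
        if b.vlan == pkt.vlan and b.ip == pkt.sender_ip and _same_mac(b.mac, pkt.sender_mac):
            c["forwarded"] += 1
            return "forward", "binding-match"
    c["dhcp_drops"] += 1; c["dropped"] += 1
    return "drop", "no-binding"


BINDINGS = [
    Binding("aaaa.aaaa.aaaa", "172.12.12.1", 4, "Fa0/1"),   # Host A
    Binding("cccc.cccc.cccc", "172.12.12.2", 4, "Fa0/2"),   # Host B
]
CFG = DaiConfig(vlans={4}, trusted_ports={"Fa0/10"},
                validate_src_mac=True, validate_dst_mac=True, validate_ip=True)


def demo():
    """Run constructed ARP traffic through DAI; return verdicts and VLAN 4 counters."""
    stats, bcast, rogue, hostA, hostB = {}, "ffff.ffff.ffff", "0bad.0bad.0bad", "aaaa.aaaa.aaaa", "cccc.cccc.cccc"
    pkts = {
        # Host A asks who has 172.12.12.2
        "request_a": ArpPacket("Fa0/1", 4, hostA, bcast, "request", hostA, "172.12.12.1", "0000.0000.0000", "172.12.12.2"),
        # Host B's genuine reply
        "legit_reply": ArpPacket("Fa0/2", 4, hostB, hostA, "reply", hostB, "172.12.12.2", hostA, "172.12.12.1"),
        # rogue answers the same request, claiming 172.12.12.2 is at its own MAC (cache poisoning)
        "poison_reply": ArpPacket("Fa0/5", 4, rogue, hostA, "reply", rogue, "172.12.12.2", hostA, "172.12.12.1"),
        # rogue copies Host B's real MAC into the ARP body only: src-mac validation catches it
        "forged_body": ArpPacket("Fa0/5", 4, rogue, hostA, "reply", hostB, "172.12.12.2", hostA, "172.12.12.1"),
        # reply whose Ethernet destination disagrees with the ARP target MAC
        "bad_dst": ArpPacket("Fa0/2", 4, hostB, hostA, "reply", hostB, "172.12.12.2", "bbbb.bbbb.bbbb", "172.12.12.1"),
        # request with a broadcast sender IP: ip validation catches it
        "bad_ip": ArpPacket("Fa0/5", 4, rogue, bcast, "request", rogue, "255.255.255.255", "0000.0000.0000", "172.12.12.1"),
        # anything arriving on the trusted uplink passes uninspected
        "uplink": ArpPacket("Fa0/10", 4, rogue, bcast, "request", rogue, "172.12.12.99", "0000.0000.0000", "172.12.12.1"),
    }
    verdicts = {name: inspect(p, BINDINGS, CFG, stats) for name, p in pkts.items()}
    return verdicts, stats[4]
```

The poisoned reply is dropped not because anything looks odd about it, but simply because no binding says 172.12.12.2 lives at the rogue's MAC; the forged_body case shows why the src-mac option matters, since without it that packet would match Host B's binding and be forwarded.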

Now, about our ports! DAI considers all ports untrusted by default. Cisco's recommended trusted / untrusted port config is to have all ports connected to hosts run as untrusted and all ports connected to switches as trusted. Since DAI runs only on ingress ports, this scheme ensures that every ARP packet has to pass one checkpoint but no more than that, and it's a good idea to avoid unnecessary inspection.

To trust one (or remove trust from one that was trusted), use ip arp inspection trust.

MLS_1(config)#int fast 0/10
MLS_1(config-if)#ip arp inspection ?
  Limit  Configure Rate limit of incoming ARP packets
  Trust  Configure Trust state

MLS_1(config-if)#ip arp inspection trust ?
  <cr>

MLS_1(config-if)#ip arp inspection trust

Verify with show ip arp inspection interface. To see this DAI info for all interfaces, run that command; for just one, name the interface at the end of the command.

MLS_1#show ip arp inspection int fast 0/10

 Interface        Trust State     Rate (pps)    Burst Interval
 ---------------  -----------     ----------    --------------
 Fa0/10           Trusted         None          N/A

The rest of the show ip arp inspection output shows the per-VLAN settings and counters:

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    4     Enabled          Active

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
    4     Deny             Deny              Off

 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    4              0              0              0              0

 Vlan   DHCP Permits    ACL Permits  Probe Permits   Source MAC Failures
 ----   ------------    -----------  -------------   -------------------
    4              0              0              0                     0

 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
    4                   0                        0                       0

If you see those validation failures start to add up, you just might have a rogue device on your network. Should you run DAI in your network, you'll likely run it on all of your switches.

IP Source Guard

Another "the name is the recipe" feature. IP Source Guard prevents a host on the network from using another host's IP address. IP Source Guard works in tandem with DHCP Snooping and uses the same database to carry out this operation.

With this feature enabled, a host that comes online and is connected to an untrusted port can receive only DHCP-related traffic. Once that host successfully acquires an IP address via DHCP, the switch takes note of that IP address assignment. The switch then creates a VLAN ACL (VACL) that will only allow traffic to be processed by a port if the previously noted source IP address is present on incoming traffic.

Should the host pretend to be another host on that subnet – that is, to spoof that other host's IP address – the switch will simply drop that incoming traffic, since the source IP address of that incoming traffic will not match the database's entry for that port. This IP address-to-switchport mapping is generally referred to as binding. After all, this is IP Source Guard!

We need to have DHCP Snooping up and running before configuring IP Source Guard. Once DHCP Snooping is enabled and verified, use ip verify source to enable IP Source Guard at the interface level. There are two important options to go with that, port-security and smartlog.

MLS_1(config)#int fast 0/3
MLS_1(config-if)#ip verify source ?
  port-security  port security
  smartlog       Smartlog denied packets
  <cr>

MLS_1(config-if)#ip verify source

The default value checked is the IP source address. The port-security option enables an extra level of security, as the source MAC address of incoming packets on that port will be checked against the local switch's MAC address table. If those addresses match, all is well; if not, the packets are dropped.

Smartlog enables the switch to send dropped packets to a NetFlow collector. If you don't need this feature, leave it alone, and be prepared to see "disabled" for "log" in the output of show ip verify source. I'll go with the default setting here and leave those options off.

MLS_1#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan  Log
---------  -----------  -----------  ---------------  -----------------  ----  ---
Fa0/3      ip           active       deny-all                            1

If the device off fast 0/3 was getting its IP address via DHCP, we'd see a secure MAC address under IP-address. That router is using a static address instead, so we have to create a manual binding for it with ip source binding in order to use IP Source Guard here.
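As an added example (mine, not the study guide's and not Cisco code), here is the per-port filter IP Source Guard applies, in Python. It models the two filter types, ip (the default) and ip mac (the port-security option), the deny-all state a guarded port sits in until a binding exists, and both kinds of binding: one learned by DHCP Snooping and one entered by hand, the way ip source binding does for a statically addressed device. Every port name, MAC and IP address below is constructed except the router's 001f.ca96.2754 / 10.1.1.3 pair from the text.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SourceBinding:
    """One IP-to-port binding, learned by DHCP snooping or entered statically."""
    mac: str
    ip: str
    vlan: int
    port: str
    origin: str          # "dhcp-snooping" or "static"


@dataclass(frozen=True)
class Packet:
    """The parts of an incoming frame that IP Source Guard looks at."""
    port: str
    vlan: int
    src_mac: str
    src_ip: str
    is_dhcp: bool = False   # DHCP client traffic is always let through


class IpSourceGuard:
    """Models 'ip verify source' (IP check) and 'ip verify source
    port-security' (IP + MAC check) on a per-port basis."""

    def __init__(self):
        self.filters = {}      # port -> (filter type, access VLAN)
        self.bindings = []

    def verify_source(self, port, vlan, port_security=False):
        self.filters[port] = ("ip mac" if port_security else "ip", vlan)

    def learn(self, binding):
        self.bindings.append(binding)

    def show_ip_verify_source(self):
        """Rows shaped like the show ip verify source table:
        (Interface, Filter-type, Filter-mode, IP-address, Mac-address, Vlan).
        A guarded port with no binding yet shows deny-all."""
        rows = []
        for port, (ftype, vlan) in sorted(self.filters.items()):
            bound = [b for b in self.bindings if b.port == port]
            if not bound:
                rows.append((port, ftype, "active", "deny-all", "", vlan))
            for b in bound:
                mac = b.mac if ftype == "ip mac" else ""
                rows.append((port, ftype, "active", b.ip, mac, b.vlan))
        return rows

    def check(self, pkt):
        """Return "permit" or "deny" for a frame arriving on a port."""
        if pkt.port not in self.filters or pkt.is_dhcp:
            return "permit"
        ftype, _ = self.filters[pkt.port]
        for b in self.bindings:
            if b.port != pkt.port or b.vlan != pkt.vlan or b.ip != pkt.src_ip:
                continue
            if ftype == "ip" or b.mac.lower() == pkt.src_mac.lower():
                return "permit"
        return "deny"           # no binding for this port, or a spoofed source


def demo():
    """Constructed scenario: a statically addressed router on Fa0/3 and a DHCP host on Fa0/4."""
    ipsg = IpSourceGuard()
    ipsg.verify_source("Fa0/3", vlan=1)                       # ip verify source
    ipsg.verify_source("Fa0/4", vlan=1, port_security=True)   # ip verify source port-security
    before = ipsg.show_ip_verify_source()                     # both ports still deny-all
    ipsg.learn(SourceBinding("0011.2233.4455", "10.1.1.4", 1, "Fa0/4", "dhcp-snooping"))
    ipsg.learn(SourceBinding("001f.ca96.2754", "10.1.1.3", 1, "Fa0/3", "static"))  # ip source binding
    results = {
        "router_own_ip":   ipsg.check(Packet("Fa0/3", 1, "001f.ca96.2754", "10.1.1.3")),
        "router_spoofing": ipsg.check(Packet("Fa0/3", 1, "001f.ca96.2754", "10.1.1.4")),
        "router_mac_spoof": ipsg.check(Packet("Fa0/3", 1, "dead.beef.0000", "10.1.1.3")),  # ip filter ignores MAC
        "host_own_ip":     ipsg.check(Packet("Fa0/4", 1, "0011.2233.4455", "10.1.1.4")),
        "host_mac_spoof":  ipsg.check(Packet("Fa0/4", 1, "dead.beef.0000", "10.1.1.4")),  # ip mac filter catches it
        "dhcp_discover":   ipsg.check(Packet("Fa0/3", 1, "0000.0000.0001", "0.0.0.0", is_dhcp=True)),
        "unguarded_port":  ipsg.check(Packet("Fa0/9", 1, "dead.beef.0000", "10.1.1.200")),
    }
    return before, ipsg.show_ip_verify_source(), results
```

The router_mac_spoof and host_mac_spoof cases are the whole difference between the two filter types: with the default ip filter a correct source IP is enough, while the port-security option also demands the bound MAC.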

The command is long-winded, but not difficult. You can get the MAC address of this host from the local switch's MAC address table or from the device itself.

MLS_1(config)#ip source binding ?
  H.H.H  binding MAC address

MLS_1(config)#ip source binding 001f.ca96.2754 ?
  vlan  binding VLAN

MLS_1(config)#ip source binding 001f.ca96.2754 vlan ?
  <1-4094>  binding VLAN number

MLS_1(config)#ip source binding 001f.ca96.2754 vlan 1 ?
  A.B.C.D  binding IP address

MLS_1(config)#ip source binding 001f.ca96.2754 vlan 1 10.1.1.3 ?
  interface  binding interface

MLS_1(config)#ip source binding 001f.ca96.2754 vlan 1 10.1.1.3 int fast 0/3 ?
  <cr>

MLS_1(config)#ip source binding 001f.ca96.2754 vlan 1 10.1.1.3 int fast 0/3

MLS_1#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address        Vlan  Log
---------  -----------  -----------  ---------------  -----------------  ----  ---
Fa0/3      ip           active       10.1.1.3                            1     disabled

In the output of show ip verify source, note that "log" is disabled – that's Smartlog.

VLAN Hopping

How can something that sounds so much fun be so evil? VLAN Hopping techniques use dot1q tagging against us, and we love dot1q tagging! We get … we have less overhead… we LOVE dot1q tagging and we're not letting it go! And if we follow a few simple network security tips, we don't have to!

Let's have a look at how VLAN Hopping attacks work. One form of hopping is double tagging, where an intruder transmits frames that are tagged with two separate VLAN IDs. Some very specific circumstances have to exist for this attack to bear fruit:

The intruding device must be attached to an access port.

The VLAN used by that access port must be the native VLAN, so dot1q must be in use. ISL wouldn't work at all for this attack.

When that rogue host transmits a frame, the frame will have two tags – one indicating native VLAN membership, the other carrying the VLAN number of the VLAN to be attacked. We'll assume that VLAN 100 is the ultimate target.

The trunk receiving this double-tagged frame sees the tag for the native VLAN, and as usual that tag is removed and then sent across the trunk. Problem is, the tag for VLAN 100 is still there!

When the remote switch receives that frame, it sees the tag for VLAN 100 and forwards the frame to ports in that VLAN. The rogue has now successfully hopped from one VLAN to the other.

Big deal, right? Right! It is a big deal! There's a classic defense for this attack, but VLAN Hopping has been used for a huge variety of network attacks, ranging from Trojan horse virus propagation to stealing bank account numbers and passwords.

Classic solution: Make your native VLAN a VLAN that no hosts are actually a member of. This solution leads to another problem, meaning you may have a little more overhead as a result, but that stops double tagging in its tracks! You can also go the extra mile (or extra command) and prune that native VLAN from the trunk.

Switch spoofing is a VLAN Hopping variation that's even worse than double tagging. Some Cisco switch ports run in dynamic desirable mode by default, which means a port is sending out Dynamic Trunking Protocol frames in an aggressive effort to form a trunk. It seems innocent enough. Problem is, the switch just knows it's sending DTP frames – it has no idea who's actually receiving them. The switch is basically hoping nothing bad happens as a result of sending these frames blindly. Not good!

"Remember Red, hope is a good thing, maybe the best of things, and no good thing ever dies." – Andy Dufresne, The Shawshank Redemption

"Hope is a good thing, but a lousy network security strategy." – Chris Bryant, The Book You're Reading

Many well-meaning network admins will put this kind of port into Auto mode, meaning the port will trunk but isn't actively looking to do so. (This is also a security vulnerability for Cisco switches whose default port trunking mode is Auto.) Problem is, a rogue host connected to a port in Auto mode can pretend it's a switch and send DTP frames of its own, which leads to a trunk between our switch and someone else's switch. Switch spoofing allows the rogue to pretend to be a member of all VLANs in our network.

Every port on your switch that doesn't lead to another switch known to be under your administrative control should be placed into access mode. Doing so disables the port's ability to create a trunk and the rogue host's ability to switch spoof! These simple network security tips – using an empty VLAN as the native VLAN, disabling dynamic and auto trunking modes – will score points for you in the exam room and save you serious troubles in your server room!

The Cisco Discovery Protocol

Many companies have clear, concise network maps that show every physical connection in their network, and these maps are regularly updated as their network changes. Some networks do not.
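Here's an added example, in Python, of the double-tagging walk-through above and of the classic defense; it's mine, not the study guide's, and it models a trunk the way the text describes it rather than any particular switch's forwarding code. It builds raw Ethernet frames with stacked 802.1Q tags (TPID 0x8100), walks the tag stack the way a capture tool on an access port would to flag a double-tagged frame, and then follows the frame through the first switch's trunk egress (native VLAN sent untagged, everything else tagged) to the VLAN the remote switch delivers it into. The MAC addresses, VLAN 999 as the empty native VLAN, and the payload are constructed; VLAN 100 is the target from the text.

```python
import struct

TPID_8021Q = 0x8100
ETH_IPV4 = 0x0800


def build_frame(dst, src, vlans, ethertype=ETH_IPV4, payload=b"\x00" * 20):
    """Assemble an Ethernet frame with zero or more stacked 802.1Q tags (constructed)."""
    frame = bytes.fromhex(dst) + bytes.fromhex(src)
    for vid in vlans:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # TCI with PCP/DEI = 0
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return the VLAN IDs stacked on a frame, outermost first."""
    tags, off = [], 12                       # tags start right after dst and src MAC
    while len(frame) >= off + 4 and struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        tags.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return tags


def is_double_tagged(frame):
    """Detection check for a frame seen on an access port: more than one tag is a red flag."""
    return len(parse_tags(frame)) > 1


def trunk_egress(frame, frame_vlan, native_vlan):
    """Send a frame the first switch assigned to frame_vlan across an 802.1Q trunk.
    Native-VLAN traffic goes out untagged, so an outer tag carrying the native
    VLAN is popped; traffic in any other VLAN is sent with that VLAN's tag."""
    tags = parse_tags(frame)
    if frame_vlan == native_vlan:
        return frame[:12] + frame[16:] if tags and tags[0] == native_vlan else frame
    if tags and tags[0] == frame_vlan:
        return frame
    return frame[:12] + struct.pack("!HH", TPID_8021Q, frame_vlan) + frame[12:]


def trunk_ingress_vlan(frame, native_vlan):
    """The VLAN the receiving switch assigns: the outer tag, or the native VLAN if untagged."""
    tags = parse_tags(frame)
    return tags[0] if tags else native_vlan


def double_tag_outcome(access_vlan, native_vlan, target_vlan=100):
    """VLAN the remote switch delivers a double-tagged frame into.
    The rogue host sits on an access port in access_vlan and tags its frame
    with the native VLAN on the outside and target_vlan on the inside."""
    rogue = build_frame("ffffffffffff", "0bad0bad0bad", [native_vlan, target_vlan])
    on_wire = trunk_egress(rogue, access_vlan, native_vlan)
    return trunk_ingress_vlan(on_wire, native_vlan)
```

With the access port's VLAN equal to the native VLAN, double_tag_outcome(1, 1) comes back as 100: the first switch pops the native tag and the inner tag rides across. Make the native VLAN an empty one (double_tag_outcome(1, 999)) and the frame leaves the trunk tagged with VLAN 1, the buried VLAN 100 tag never becomes the outer tag, and the remote switch keeps the frame in VLAN 1.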

A big part of network troubleshooting is quietly verifying what a client has told you. Just because someone is looking over your shoulder and saying "That switch is connected to the other one at fast0/12!", they're not necessarily correct. We can use the Cisco Discovery Protocol (CDP) to see what Cisco devices are directly connected to the Cisco device we're currently working on.

This Layer 2 protocol runs globally and on a per-interface level by default on Cisco routers and switches, and is Cisco-proprietary. CDP sends its announcements every 60 seconds to the destination MAC address 01:00:0c:cc:cc:cc, and the holdtime is 180 seconds. To change either of those, use cdp timer and/or cdp holdtime.

It's on by default but often disabled in production networks. Before we get to those commands, let's run show cdp to see if CDP is enabled in the first place. If you get global info, it's on, and if you don't, it's not!

MLS_1#show cdp
% CDP is not enabled

To enable CDP globally, use cdp run (and no cdp run to turn it off globally).

MLS_1(config)#cdp run
MLS_1(config)#^Z
MLS_1#show cdp
*Mar 1 00:18:54.542: %SYS-5-CONFIG_I: Configured from console by console
Global CDP information:
        Sending CDP packets every 60 seconds
        Sending a holdtime value of 180 seconds
        Sending CDPv2 advertisements is enabled

MLS_1(config)#cdp ?
  advertise-v2  CDP sends version-2 advertisements
  holdtime      Specify the holdtime (in sec) to be sent in packets
  run           Enable CDP
  timer         Specify the rate at which CDP packets are sent (in sec)
  tlv           Enable exchange of specific tlv information

MLS_1(config)#cdp timer ?
  <5-254>  Rate at which CDP packets are sent (in sec)

MLS_1(config)#cdp holdtime ?
  <10-255>  Length of time (in sec) that receiver must keep this packet

When you have interface-level and globally-configured commands enabling and disabling the same protocol, you just know that's going to show up on your exam in some fashion.

For that all-important info on directly connected Cisco devices, run show cdp neighbor.

MLS_1#show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
HOST_3           Fas 0/3           122          R S I     2801      Fas 0/0
HOST_1           Fas 0/1           176          R S I     2801      Fas 0/0

From left to right, we see…

Device ID, the remote device's hostname.

Local interface, the local switch's interface that is directly connected to the remote host.

Holdtime, the number of seconds the local device will retain the contents of the last CDP advertisement received from that remote host.

Capability, the type of device the remote device is! In this case, we have two devices that can run as both routers and switches, so it's a good guess that those are L3 switches!

Platform, the remote device's hardware platform. Both connections here are to Cisco 2801 switches.

Port ID, the remote device's interface involved in the direct connection.

For more details on those neighbors, run show cdp neighbor detail. This command gives you both the IP address and IOS version run by each neighbor.

MLS_1#show cdp neighbor detail
Device ID: HOST_3
Entry address(es):
  IP address: 10.1.1.3
Platform: Cisco 2801,  Capabilities: Router Switch IGMP
Interface: FastEthernet0/3,  Port ID (outgoing port): FastEthernet0/0
Holdtime : 125 sec

Version :
Cisco IOS Software, 2801 Software (C2801-ADVENTERPRISEK9_IVS-M), Version 15.1(2)T2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Sat 23-Oct-10 00:43 by prod_rel_team

advertisement version: 2
VTP Management Domain: ''
Duplex: full
Management address(es):

You may want to leave CDP on globally but disable / reenable it on a particular interface. At the interface level, use the commands no cdp enable and cdp enable to get the job done. We'll disable CDP on the interface leading directly to Host 1.

MLS_1(config)#int fast 0/1
MLS_1(config-if)#cdp ?
  enable  Enable CDP on interface
  tlv     Enable exchange of specific tlv information

MLS_1(config-if)#cdp enable ?
  <cr>

MLS_1(config-if)#no cdp ?
  enable  Enable CDP on interface
  tlv     Enable exchange of specific tlv information

MLS_1(config-if)#no cdp enable

About 3 minutes after disabling CDP on that interface, Host_1 disappears from the CDP table.

MLS_1#show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
HOST_3           Fas 0/3           148          R S I     2801      Fas 0/0

Real-world courtesy tip: If your client has CDP turned off, and you turn it on for troubleshooting, turn it back off before you leave, just as you would turn off debugs before leaving.
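Since the point of CDP here is "quietly verifying what a client has told you", here's an added example (not from the study guide, not a Cisco tool) that does exactly that in Python: it parses the show cdp neighbor table into records, expands the capability codes using the legend the switch prints, and compares what CDP actually sees against a hand-drawn map of who is supposed to be on which port. The SAMPLE text is a constructed copy of the output shown above; the "expected" map in the demo, with its claim that HOST_3 hangs off Fas 0/12, is constructed to show the kind of mismatch the check surfaces.

```python
import re

CAPABILITY_CODES = {
    "R": "Router", "T": "Trans Bridge", "B": "Source Route Bridge", "S": "Switch",
    "H": "Host", "I": "IGMP", "r": "Repeater", "P": "Phone", "D": "Remote",
    "C": "CVTA", "M": "Two-port Mac Relay",
}

# Constructed copy of the show cdp neighbor output shown in the text.
SAMPLE = """\
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
HOST_3           Fas 0/3           122          R S I     2801      Fas 0/0
HOST_1           Fas 0/1           176          R S I     2801      Fas 0/0
"""

# One table row: interface names contain a space ("Fas 0/3"), capability
# codes are single letters separated by spaces and may be absent.
ROW = re.compile(
    r"^(?P<device>\S+)\s+(?P<local>\S+ \S+)\s+(?P<hold>\d+)\s+"
    r"(?P<caps>(?:[A-Za-z] )*[A-Za-z])?\s+(?P<platform>\S+)\s+(?P<port>\S+ \S+)\s*$"
)


def parse_cdp_neighbors(text):
    """Turn the table part of show cdp neighbor into a list of dicts."""
    neighbors, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Device ID"):          # header row: the table starts after it
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError("unparsed row: " + line)
        caps = (m["caps"] or "").split()
        neighbors.append({
            "device": m["device"], "local": m["local"], "holdtime": int(m["hold"]),
            "capabilities": [CAPABILITY_CODES.get(c, c) for c in caps],
            "platform": m["platform"], "port": m["port"],
        })
    return neighbors


def check_topology(neighbors, expected):
    """Compare CDP's view with a claimed map {local_if: (device, remote_port)}.
    Returns (claims CDP contradicts, neighbors the map never mentioned)."""
    seen = {n["local"]: (n["device"], n["port"]) for n in neighbors}
    wrong = {lif: (claim, seen.get(lif)) for lif, claim in expected.items() if seen.get(lif) != claim}
    unmapped = {lif: link for lif, link in seen.items() if lif not in expected}
    return wrong, unmapped


def demo():
    """The over-the-shoulder claim from the text, checked against the CDP table."""
    expected = {"Fas 0/1": ("HOST_1", "Fas 0/0"), "Fas 0/12": ("HOST_3", "Fas 0/0")}
    return check_topology(parse_cdp_neighbors(SAMPLE), expected)
```

If the switch answers "% CDP is not enabled", there is no Device ID header and the parser returns an empty list, which is the right answer: nothing has been verified yet.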

CDP gives you a lot of great info, so why do many networks disable it? CDP offers no authentication, nor does it use any kind of encryption – all CDP info is sent in clear text. You can see by the info in the show cdp neighbor detail output that we don't want this information accessible to everyone. Any would-be network intruder who intercepts that transmission can easily enter our network and cause all kinds of trouble.

The issue with disabling CDP is that many network management tools use info gathered by CDP. To minimize the risk of running CDP, determine where it really needs to be running, and use the interface-level commands to make that happen where you can do without it.

I'm sure you noticed that the CDP commands referred to a "version 2", which brings up the musical question, "What happened to CDP version 1?" v1 is still available; it's being kept around for backward compatibility. CDP v2 has greatly enhanced error-reporting capabilities (Cisco's terms for this include "rapid reporting mechanism" or "enhanced reporting mechanism"), and can report mismatched native VLANs. CDPv2 recognizes the native VLAN concept, where v1 doesn't.

In case you run into networks that (shudder) run non-Cisco devices, the Link Layer Discovery Protocol may come in handy. LLDP is the vendor-independent equivalent of CDP and is defined by IEEE 802.1ab. LLDP is also known as the Station and Media Access Control Connectivity Discovery. We really hate that; we prefer "LLDP".

You likely noted the term "tlv" in some of the CDP command options. "tlv" refers to Type-Length-Value, a series of informational messages sent by an LLDP-enabled device. (TLVs are not exclusive to LLDP though.)

There's a very helpful extension, LLDP for Media Endpoint Devices (LLDP-MED), which comes into play when VoIP is in use. According to Cisco's website, "LLDP-MED is specified to operate only between endpoint devices such as IP phones and network connectivity devices such as switches." CDP does carry info that LLDP-MED doesn't, including the following:

MTU size
VLAN Trunking Protocol information
IP network prefix support (for ODR, On-Demand Routing)

I've included a link to a Cisco PDF with a great deal of helpful info comparing LLDP-MED and CDP. While not required reading for the CCNP exams, I do recommend it for greater understanding of LLDP-MED in particular.

http://www.cisco.com/en/US/technologies/tk652/tk701/technologies_white_paper0900aecd804cd46d.html

Telnet vs. SSH

Telnet's a great way to communicate with remote routers and switches, but there's just one problem – all of the data sent to the remote host, including passwords, is transmitted in clear text. For obvious reasons, that's a problem, just like the non-encrypted-by-default enable password. Secure Shell (SSH) is basically encrypted Telnet, but it may also require a stronger IOS image and/or hardware that you don't have in your network.

SSH requires a little more config than Telnet, which is no problem, since the basic operation of SSH is similar to that of Telnet, but all data (and the password!) is encrypted.

Telnet allows the configuration of a one-size-fits-all password on the VTY lines ("password CCNP"), but SSH does not. For SSH authentication, you'll need to configure a local database on the router or use AAA. A local user database is created with the username / password command. Each individual user is assigned a password of their own, and the username/password combination must match a database entry for authentication to be successful.

MLS_1(config)#username tarrant password tarantula
MLS_1(config)#username signal password gasoline
MLS_1(config)#username homer password beeeeeeer

SSH configuration also requires a domain name to be specified with ip domain-name and crypto key creation with crypto key generate rsa.

MLS_1(config)#crypto key generate rsa
The name for the keys will be: MLS_1.bryantadvantage.com
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)

To limit authentication to SSH and disallow Telnet authentication, run transport input ssh on the VTY lines.

MLS_1(config)#line vty 0 4
MLS_1(config-line)#transport input ?
  all     All protocols
  none    No protocols
  ssh     TCP/IP SSH protocol
  telnet  TCP/IP Telnet protocol

MLS_1(config-line)#transport input ssh
MLS_1(config-line)#login local

Be careful with your switch VTY line configs, though. Cisco switches have 16 lines:

line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login

Problem is, a config such as the one I just wrote limited those five VTY lines to SSH connections. Whoops! Easily fixed. After entering VTY line config mode with line vty 0 15, running transport input ssh and login local again applies that command to all lines.

MLS_1(config)#line vty 0 15
MLS_1(config-line)#transport input ssh
MLS_1(config-line)#login local

line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh

Telnet and SSH do share an important option, and that's the use of ACLs to determine who should be able to connect. Create the ACL defining the source IP addresses of trusted users – or as I've done here, block untrusted addresses and allow everyone else in – and apply the ACL to the VTY lines with access-class.

MLS_1(config)#ip access-list standard STOPTHATGUY
MLS_1(config-std-nacl)#deny host 3.3.3.3

MLS_1(config-std-nacl)#permit any
MLS_1(config-std-nacl)#line vty 0 15
MLS_1(config-line)#access-class STOPTHATGUY ?
  in   Filter incoming connections
  out  Filter outgoing connections

MLS_1(config-line)#access-class STOPTHATGUY in

Chapter 10: MONITORING THE SWITCHES

Let's take a deep breath and move from security to monitoring!

Syslog delivers messages regarding network events, along with a timestamp that helps you determine when the event occurred. These messages can be quite helpful in figuring out what the heck just happened in your network – you just have to remain calm and read the message carefully. I say that because some network admins panic more than a little when these messages show up, and in that panic they miss the message that's right in front of them.

Logging is straightforward, but the logging command itself can be a little tricky. Let's take a look at the logging options.

MLS_1(config)#logging ?
  Hostname or A.B.C.D  IP address of the logging host

That one's simple enough! We just need to follow logging with the hostname or IP address of that host. The trap option is a bit more complex:

MLS_1(config)#logging trap ?
  <0-7>          Logging severity level
  alerts         Immediate action needed           (severity=1)
  critical       Critical conditions               (severity=2)
  debugging      Debugging messages                (severity=7)
  emergencies    System is unusable                (severity=0)
  errors         Error conditions                  (severity=3)
  informational  Informational messages            (severity=6)
  notifications  Normal but significant conditions (severity=5)
  warnings       Warning conditions                (severity=4)
  <cr>

When you select a trap level, all messages of the numeric severity you choose and all those with a lower numeric value are sent to the logging server specified with hostname. Therefore, to send all log messages to the server, you need only specify level 7. You can use the name of the level or the numeric value – just set it high enough so you get all the messages you need sent to that server.

The switch console is set to display all syslog messages by default, and I've kept it there throughout the course. To change this value, use logging console.

Deciphering syslog messages takes a little practice, so let's get that practice with the latest syslog message on my L3 switch.

*Mar 1 02:50:32.465: %SYS-5-CONFIG_I: Configured from console by console

The "5" in %SYS-5-CONFIG_I indicates the severity level, followed by the mnemonic for this message and the message text itself.

You can change the beginning of syslog messages to the timestamp format of your choice with service timestamps log.

MLS_1(config)#service timestamps ?
  debug  Timestamp debug messages
  log    Timestamp log messages
  <cr>

MLS_1(config)#service timestamps log ?
  datetime  Timestamp with date and time
  uptime    Timestamp with system uptime
  <cr>

MLS_1(config)#service timestamps log datetime ?
  localtime      Use local time zone for timestamps
  msec           Include milliseconds in timestamp
  show-timezone  Add time zone information to timestamp
  year           Include year in timestamp
  <cr>

I personally find the milliseconds to be annoying, so let's keep the datetime format but leave the msec option off.

MLS_1(config)#service timestamps log datetime

As a result, the next syslog message gives the date and time without the msecs.

*Mar 1 02:52:28: %SYS-5-CONFIG_I: Configured from console by console

If you prefer to have the device uptime reflected in syslog messages, just choose that option!

MLS_1(config)#service timestamps log uptime ?
  <cr>

MLS_1(config)#service timestamps log uptime

The next syslog message indicates this device has been up for 2 hours, 54 minutes, and 56 seconds.

02:54:56: %SYS-5-CONFIG_I: Configured from console by console
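Here's an added example (mine, not the study guide's) that turns the two ideas just covered, reading a %FACILITY-SEVERITY-MNEMONIC message and the "this level and everything lower" rule of logging trap, into Python you can run over a log. It parses the timestamp in any of the formats shown (datetime with or without msec, uptime, or none), splits out facility, severity and mnemonic, and filters a list of messages the way a logging trap setting would, accepting the level as a name or a number just as the command does. SAMPLE_LOG is constructed from the message lines shown in this chapter plus one non-syslog line.

```python
import re

SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}
SEVERITY_BY_NAME = {name: num for num, name in SEVERITY.items()}

# Optional timestamp (anything up to the last ": " before the %), then the
# %FACILITY-SEVERITY-MNEMONIC header and the free-form text.
MSG = re.compile(
    r"^(?:(?P<ts>\*?[^%]*?):\s*)?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)

# Constructed sample built from messages shown in this chapter.
SAMPLE_LOG = [
    "*Mar 1 02:50:32.465: %SYS-5-CONFIG_I: Configured from console by console",
    "03:12:31: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down",
    "03:12:32: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down",
    "03:16:27: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down",
    "*Mar 1 00:00:36.146: %DC-6-DEFAULT_INIT_INFO: Default Profiles DB not loaded.",
    "Building configuration...",          # not a syslog message; the parser ignores it
]


def parse_syslog(line):
    """Split one IOS syslog line into its parts, or return None if it is not one."""
    m = MSG.match(line.strip())
    if not m:
        return None
    sev = int(m["severity"])
    return {
        "timestamp": (m["ts"] or "").lstrip("*").strip(),   # "*" marks an unsynchronised clock
        "facility": m["facility"],
        "severity": sev,
        "level": SEVERITY[sev],
        "mnemonic": m["mnemonic"],
        "text": m["text"],
    }


def level_number(level):
    """Accept a level as its name ("warnings") or its number (4), as logging trap does."""
    if isinstance(level, int):
        return level
    return SEVERITY_BY_NAME[level.lower()]


def trap_filter(lines, level):
    """Messages a 'logging trap <level>' setting would send to the server:
    the chosen severity and every message with a lower numeric severity."""
    limit = level_number(level)
    parsed = (parse_syslog(line) for line in lines)
    return [m for m in parsed if m is not None and m["severity"] <= limit]
```

Run trap_filter(SAMPLE_LOG, "warnings") and only the %LINK-3-UPDOWN message survives, because 3 is the only severity at or below 4 in the sample; logging trap 7 would send all five real messages.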

MLS_1(config)#logging console ?
  <0-7>          Logging severity level
  alerts         Immediate action needed           (severity=1)
  critical       Critical conditions               (severity=2)
  debugging      Debugging messages                (severity=7)
  emergencies    System is unusable                (severity=0)
  errors         Error conditions                  (severity=3)
  informational  Informational messages            (severity=6)
  notifications  Normal but significant conditions (severity=5)
  warnings       Warning conditions                (severity=4)

To send log messages to the local device's internal buffer, run logging buffered followed by the severity level; to change the internal buffer from its default of 4096 bytes, run this same command followed by the number of bytes desired.

MLS_1(config)#logging buffered ?
  <0-7>              Logging severity level
  <4096-2147483647>  Logging buffer size
  alerts             Immediate action needed           (severity=1)
  critical           Critical conditions               (severity=2)
  debugging          Debugging messages                (severity=7)
  discriminator      Establish MD-Buffer association
  emergencies        System is unusable                (severity=0)
  errors             Error conditions                  (severity=3)
  filtered           Enable filtered logging
  informational      Informational messages            (severity=6)
  notifications      Normal but significant conditions (severity=5)
  warnings           Warning conditions                (severity=4)

To view the log along with log settings, run show logging.

MLS_1#show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No active filter modules.

    Console logging: level debugging, 36 messages logged, xml disabled, filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled
    Buffer logging:  level debugging, 39 message lines logged, xml disabled, filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    File logging: disabled
    Persistent logging: disabled
    Trap logging: level informational, 36 messages logged, xml disabled, filtering disabled

Log Buffer (4096 bytes):

*Mar 1 00:00:32.183: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 15.0(1)SE, RE (truncated for clarity at this point)
*Mar 1 00:00:36.146: %DC-6-DEFAULT_INIT_INFO: Default Profiles DB not loaded.
Auth Manager registration failed
*Mar 1 00:00:38.352: %SYS-5-CONFIG_I: Configured from memory by console
*Mar 1 00:00:39.505: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up

Before we move to another topic, let me show you a nifty little trick. Throughout the book, you've seen log messages regarding ports opening and closing, such as this one:

03:12:30: %SYS-5-CONFIG_I: Configured from console by console
03:12:31: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down

03:12:32: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
03:12:35: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

I like seeing these messages in lab environments, but in production networks, you can fill up a log pretty quickly with these messages. To prevent these particular messages from logging, run the interface-level command no logging event link-status. You'll have more options for this command on switches. On routers, you may see only these two options:

ROUTER1(config)#int fast 0/0
ROUTER1(config-if)#no logging event ?
  link-status        UPDOWN and CHANGE messages
  subif-link-status  Sub-interface UPDOWN and CHANGE messages

ROUTER1(config-if)#no logging event link-status
ROUTER1(config-if)#shut
ROUTER1(config-if)#no shut
03:14:33: %SYS-5-CONFIG_I: Configured from console by console

We received only the configuration message; the syslog messages regarding link and line protocol status are gone. To get those logging messages back, run logging event link-status.

ROUTER1(config)#int fast 0/0
ROUTER1(config-if)#logging event link-status
ROUTER1(config-if)#shut
03:16:27: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
03:16:28: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
ROUTER1(config-if)#no shut
03:16:37: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
03:16:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

Here are the options on a switch:

MLS_1(config)#int fast 0/1
MLS_1(config-if)#no logging event ?
  bundle-status      BUNDLE/UNBUNDLE messages
  link-status        UPDOWN and CHANGE messages
  nfas-status        NFAS D-channel status messages
  spanning-tree      Spanning-tree Interface events
  status             Spanning-tree state change messages
  subif-link-status  Sub-interface UPDOWN and CHANGE messages
  trunk-status       TRUNK status messages

Getting rid of the link up-down messages is a good way to keep the log size down and make the log easier to read, but I'd be careful about turning too many log messages off. You might just miss one you really need to see!

Timestamping

If your timestamps reflect an era long gone, it's time to get another time source.

MLS_1#show clock
*04:55:05.037 UTC Mon Mar 1 1993

Yeah, like that! We can set the local device's time with clock set, then fine-tune that setting with clock timezone and clock summer-time. Note where clock set is run as opposed to the other clock commands.

MLS_1#clock ?
  set  Set the time and date

MLS_1#clock set ?

Timestamping

If your timestamps reflect an era long gone, it’s time to get another time source.

MLS_1#show clock
*04:55:05.037 UTC Mon Mar 1 1993

Yeah, like that! We can set the local device’s time with clock set, then fine-tune that setting with clock timezone and clock summer-time. Note where clock set is run as opposed to the other clock commands.

MLS_1#clock ?
  set  Set the time and date

MLS_1#clock set ?
  hh:mm:ss  Current Time

MLS_1#clock set 13:43:00 ?
  <1-31>  Day of the month
  MONTH   Month of the year

MLS_1#clock set 13:43:00 March ?
  <1-31>  Day of the month

MLS_1#clock set 13:43:00 March 25 ?
  <1993-2035>  Year

MLS_1#clock set 13:43:00 March 25 2015 ?
  <cr>

MLS_1#clock set 13:43:00 March 25 2015
04:59:01: %SYS-6-CLOCKUPDATE: System clock has been updated from 23:59:01 EST Sun Feb 28 1993 to 13:43:00 EDT Wed Mar 25 2015, configured from console by console.

MLS_1(config)#clock ?
  initialize   Initialize system clock on restart
  save         backup of clock with NVRAM
  summer-time  Configure summer (daylight savings) time
  timezone     Configure time zone

MLS_1(config)#clock timezone ?
  WORD  name of time zone

MLS_1(config)#clock timezone EST ?
  <-23 - 23>  Hours offset from UTC

MLS_1(config)#clock timezone EST -5

MLS_1(config)#clock summer-time ?
  WORD  name of time zone in summer

MLS_1(config)#clock summer-time EDT ?
  date       Configure absolute summer time
  recurring  Configure recurring summer time

MLS_1(config)#clock summer-time EDT recurring ?
  <1-4>  Week number to start
  first  First week of the month
  last   Last week of the month
  <cr>

MLS_1(config)#clock summer-time EDT recurring

The clock timezone command doesn’t list every time zone in the world, nor the Coordinated Universal Time (UTC) offsets, so you gotta know yours! I live on the East Coast in the United States, so I put Eastern Standard Time (EST) in for the time zone and -5 for the offset. For your personal reference, here’s the Wikipedia page listing all offsets:

http://en.wikipedia.org/wiki/List_of_UTC_time_offsets

The Network Time Protocol

It’s vital for our routers and switches to have a central time source that allows our network devices to synchronize their clocks, whether that time source is another router in the same network or an external time source. The Network Time Protocol (NTP) helps us make that happen.

clock set is okay for one or two routers, but in our networks, we’re going to have a lot more routers and switches, and it’s vital they have the same time. NTP allows us to specify time sources for our switches and routers. Doing so allows our syslog timestamps to have accurate and synched time throughout the network, making troubleshooting a lot less frustrating. Synched time is important for our digital certificates as well, and if you’re using any kind of accounting in your network, accurate and synched time is a necessity. You haven’t lived until you bill a department for 67 days’ usage of a network resource – in a single month.

At the very top of our NTP hierarchy are stratum-0 devices, typically atomic clocks. You can’t configure a Cisco router to get its time directly from a stratum-0 server. The number following “stratum” in non-stratum-0 devices indicates how many hops away the device is from a stratum-0 device. (And you thought you were done with hops in RIP!)

Stratum-1 servers are generally referred to as time servers, and we can configure a Cisco router to get its time from a stratum-1 device. It’s strongly recommended that your network’s “outside” router receive its time from a public NTP timeserver. For the latest IP addresses of these servers, just run a search on the term public NTP servers.

Cisco routers can serve as NTP servers, clients, or peers. They can also depend on NTP broadcasts for the correct time. The NTP server-client relationship is as you’d expect, with the server giving the correct time to clients. Clients accept the time synch message from the server and set their internal clock accordingly. Clients do NOT send NTP time synch messages back to the server. NTP peers send NTP messages to each other, and either peer can send time synch messages to the other.

We’re not limited to the traditional Server/Client relationship with NTP. We can choose to run NTP in broadcast mode or multicast mode as well. With these methods, the server broadcasts or multicasts its NTP messages, which the clients must be able to receive – otherwise, we’re wasting our time! Remember that routers don’t forward broadcasts or multicasts.

It’s highly recommended an NTP public timeserver be used as your NTP Master time source. Should you choose to use one of your network routers as the NTP Master, it’s imperative you use NTP authentication and/or ACLs to prevent routers from outside your network from attempting to synch with one of your routers. Be sure not to block UDP port 123 on that or other routers in your network – that’s the port NTP uses.

In our lab, we’ll configure MLS_1 as our NTP Master and a timeserver, with ROUTER_3 configured as a client of MLS_1. As always, the router number serves as the last octet of each IP address.

Let’s check the clock on our NTP-Master-to-be:

MLS_1#show clock
09:25:29.167 EST Wed Mar 25 2015

It ain’t 1993, so we’ll take it! Our NTP options:

MLS_1(config)#ntp master ?
  <1-15>  Stratum number
  <cr>

On R3, I’ll use ntp server to point R3 to this switch as its time source. There’s not a lot of info here, since the only thing we’re really telling the client is “Hey, here’s the IP address of the time server.”

ROUTER_3(config)#ntp server ?
  A.B.C.D     IP address of peer
  WORD        Hostname of peer
  X:X:X:X::X  IPv6 address of peer
  ip          Use IP for DNS resolution
  ipv6        Use IPv6 for DNS resolution
  vrf         VPN Routing/Forwarding Information

ROUTER_3(config)#ntp server 10.1.1.4

The commands show ntp status and show ntp association verify NTP’s operation. Here’s the output from the server’s point of view, which includes the reference address 127.127.1.1, indicating the time source is the switch’s internal clock, and the phrase we’re looking for is “clock is synchronized”.

MLS_1#show ntp status
Clock is synchronized, stratum 8, reference is 127.127.1.1
nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**17
reference time is D8BD46F7.46BF9352 (09:38:47.276 EST Wed Mar 25 2015)
(Output truncated for clarity)

MLS_1#show ntp association
  address         ref clock     st  when  poll reach  delay  offset    disp
*~127.127.1.1     .LOCL.         7     8    16   377  0.000   0.000     0.0
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

And from the client’s point of view:

ROUTER_3#show ntp status
Clock is synchronized, stratum 9, reference is 10.1.1.4
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24
reference time is D8BD47D4.F3858835 (14:42:28.951 UTC Wed Mar 25 2015)
(Output truncated for clarity)

ROUTER_3#show ntp association
  address         ref clock     st  when  poll reach  delay  offset    disp
*~10.1.1.4        127.127.1.1    8    64    64    37  2.425 -66.348  439.77
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

We’re also looking for that asterisk next to the address in show ntp association, which indicates that the synch is complete.

If we’re fortunate and smart enough to have NTP Master redundancy, we can configure our NTP clients to have more than one time server to choose from. We can also prefer one server over the other! Just use multiple ntp server commands while also using the prefer option to indicate the preferred server.

ROUTER_3(config)#ntp server 10.1.1.4 prefer
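As an added example (not the book’s code), the following Python converts the hex reference time IOS prints in show ntp status into a UTC datetime and reads show ntp status and show ntp association output to decide whether a client looks healthy. The sample output strings are constructed from the lab values above, and the function names (parse_status, parse_associations, ntp_health) are assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone

# NTP timestamps count seconds since 1 Jan 1900 UTC; IOS prints them as
# 32-bit hex seconds and 32-bit hex fraction, e.g. D8BD46F7.46BF9352.
NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

# Constructed samples, using the values from the lab output above.
STATUS_MLS1 = """\
Clock is synchronized, stratum 8, reference is 127.127.1.1
nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**17
reference time is D8BD46F7.46BF9352 (09:38:47.276 EST Wed Mar 25 2015)
"""
STATUS_R3 = """\
Clock is synchronized, stratum 9, reference is 10.1.1.4
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24
reference time is D8BD47D4.F3858835 (14:42:28.951 UTC Wed Mar 25 2015)
"""
ASSOC_R3 = """\
  address         ref clock     st  when  poll reach  delay  offset    disp
*~10.1.1.4        127.127.1.1    8    64    64    37  2.425 -66.348  439.77
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured
"""

STATUS_RE = re.compile(
    r"Clock is (?P<sync>synchronized|unsynchronized), stratum (?P<stratum>\d+), "
    r"(?:reference is (?P<ref>\S+)|no reference clock)"
)
REFTIME_RE = re.compile(r"reference time is (?P<stamp>[0-9A-F]{8}\.[0-9A-F]{8})")
ASSOC_RE = re.compile(
    r"^(?P<flag>[ *#+x-])(?P<cfg>~?)(?P<address>\d+\.\d+\.\d+\.\d+)\s+(?P<ref>\S+)\s+"
    r"(?P<st>\d+)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
    r"(?P<delay>-?[\d.]+)\s+(?P<offset>-?[\d.]+)\s+(?P<disp>-?[\d.]+)"
)


def ntp_timestamp_to_datetime(stamp):
    """Convert 'SSSSSSSS.FFFFFFFF' (hex) to an aware UTC datetime."""
    secs_hex, frac_hex = stamp.split(".")
    seconds = int(secs_hex, 16)
    micros = round(int(frac_hex, 16) * 1_000_000 / 2**32)
    return NTP_EPOCH + timedelta(seconds=seconds, microseconds=micros)


def parse_status(text):
    """Pull the synchronization state, stratum, reference and reference time."""
    m = STATUS_RE.search(text)
    if m is None:
        raise ValueError("no 'Clock is ...' line in show ntp status output")
    t = REFTIME_RE.search(text)
    return {
        "synchronized": m.group("sync") == "synchronized",
        "stratum": int(m.group("stratum")),
        "reference": m.group("ref"),
        "reference_time": ntp_timestamp_to_datetime(t.group("stamp")) if t else None,
    }


def parse_associations(text):
    """One dict per peer line of show ntp association; flag '*' is the sys.peer."""
    peers = []
    for line in text.splitlines():
        m = ASSOC_RE.match(line)
        if m:
            d = m.groupdict()
            d["sys_peer"] = d["flag"] == "*"
            d["stratum"] = int(d["st"])
            d["offset_ms"] = float(d["offset"])
            # reach is an octal shift register of the last eight polls
            d["reach_ok"] = bin(int(d["reach"], 8)).count("1")
            peers.append(d)
    return peers


def ntp_health(status, peers, max_stratum=15, max_offset_ms=500.0):
    """Return a list of problems; an empty list means the device looks healthy."""
    issues = []
    if not status["synchronized"]:
        issues.append("clock is not synchronized")
    if status["stratum"] > max_stratum:
        issues.append(f"stratum {status['stratum']} is above {max_stratum}")
    if status["reference"] and status["reference"].startswith("127.127."):
        issues.append("reference is the device's own internal clock, not an external source")
    if peers and not any(p["sys_peer"] for p in peers):
        issues.append("no association is marked * (sys.peer)")
    for p in peers:
        if p["sys_peer"] and abs(p["offset_ms"]) > max_offset_ms:
            issues.append(f"offset to {p['address']} is {p['offset_ms']} ms")
    return issues
```

The internal-clock finding is expected on the NTP master itself; on a client it means the device is serving its own guess of the time rather than a synched one.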

The NTP process likely strikes you as wide open to attack. Let’s use NTP authentication to tie things down a bit. We’ll enable this feature with ntp authenticate, then define a key and link that key to the ntp server command.

ROUTER_3(config)#ntp authenticate

ROUTER_3(config)#ntp authentication-key ?
  <1-4294967295>  Key number

ROUTER_3(config)#ntp authentication-key 1 ?
  md5  MD5 authentication

ROUTER_3(config)#ntp authentication-key 1 md5 ?
  WORD  Authentication key

ROUTER_3(config)#ntp authentication-key 1 md5 CCNP

ROUTER_3(config)#ntp trusted-key ?
  <1-4294967295>  Key number

ROUTER_3(config)#ntp trusted-key 1

ROUTER_3(config)#ntp server 10.1.1.4 ?
  burst    Send a burst when peer is reachable
  iburst   Send a burst when peer is unreachable
  key      Configure peer authentication key
  maxpoll  Maximum poll interval
  minpoll  Minimum poll interval
  prefer   Prefer this peer when possible
  source   Interface for source address
  version  Configure NTP version
  <cr>

ROUTER_3(config)#ntp server 10.1.1.4 key ?
  <0-4294967295>  Peer key number

ROUTER_3(config)#ntp server 10.1.1.4 key 1

We’ll need the same commands on the server (except the ntp server command, of course!):

MLS_1(config)#ntp authenticate
MLS_1(config)#ntp authentication-key 1 md5 CCNP
MLS_1(config)#ntp trusted-key 1

Verify NTP authentication with show ntp association detail. I’ve left out most of the output of this command, because when it says “detail”, it means detail! The authentication verification is right at the top of the output:

ROUTER_3#show ntp association detail
10.1.1.4 configured, authenticated, our_master, sane, valid, stratum 8
ref ID 127.127.1.1, time D8BE4169.4569D946 (08:27:21.271 UTC Thu Mar 26 2015)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64

That’s all well and good, but NTP authentication isn’t quite what it seems. NTP authentication really just assures the client that it’s talking to an NTP server that’s under our administrative control. Enabling NTP authentication on the server does NOT require NTP clients to use authentication, either! I’ve just added another router to our lab, and it’s able to get time from MLS_1 with no problem – and no authentication.

ROUTER_1(config)#ntp server 10.1.1.4

ROUTER_1#show ntp assoc
  address         ref clock     st  when  poll reach  delay  offset    disp
*~10.1.1.4        127.127.1.1    8    26    64    17  2.790  -8.124  939.53
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

ROUTER_1#show ntp assoc detail
10.1.1.4 configured, our_master, sane, valid, stratum 8
ref ID 127.127.1.1, time D8BE4561.46322015 (08:44:17.274 UTC Thu Mar 26 2015)

To further protect our NTP deployment, we’ll configure an ACL on the server and use ntp access-group to apply it to NTP. Our ACL will permit only the source IP address 10.1.1.3, and we’ll call that ACL in ntp access-group.

MLS_1(config)#access-list 22 permit host 10.1.1.3

MLS_1(config)#ntp access-group ?
  peer        Provide full access
  query-only  Allow only control queries
  serve       Provide server and query access
  serve-only  Provide only server access

MLS_1(config)#ntp access-group serve ?
  <1-99>       Standard IP access list
  <1300-1999>  Standard IP access list (expanded range)
  WORD         Named access list

MLS_1(config)#ntp access-group serve 22

debug ntp packets illustrates that when MLS_1 receives an NTP message from the permitted IP address of 10.1.1.3, an NTP message is sent in reply. The debug shows an NTP message coming in from 10.1.1.1 as well, but that message is not answered due to the ACL and ntp access-group command.

MLS_1#debug ntp packet
NTP packets debugging is on
NTP message received from 10.1.1.3 on interface ‘Vlan13’ (10.1.1.4)
NTP message sent to 10.1.1.3, from interface ‘Vlan13’ (10.1.1.4)
NTP message received from 10.1.1.1 on interface ‘Vlan13’ (10.1.1.4)
NTP message received from 10.1.1.3 on interface ‘Vlan13’ (10.1.1.4)
NTP message sent to 10.1.1.3, from interface ‘Vlan13’ (10.1.1.4)
NTP message received from 10.1.1.1 on interface ‘Vlan13’ (10.1.1.4)
MLS_1#u all
All possible debugging has been turned off (Router_3).

With our time all synched up, let’s do some network monitoring!

SNMP

The Simple Network Management Protocol is used to carry network management info from one network device to another, and you’ll find it in just about every network out there today. An SNMP deployment has three main parts:

1. The SNMP Manager, the actual monitoring device.
2. The SNMP Agents, the devices being monitored (and running an SNMP instance).
3. The Management Information Base (MIB), the database on the Agent that contains important information (“variables”) about the Agent.

SNMP Managers poll Agents over UDP port 161, and these messages take the form of GETs and SETs. A “GET” is a request for information… and a “SET” is a request from the Manager to the Agent, requesting a certain variable be set to the value indicated in the SET.

Seems like a good approach, but there’s one glaring issue. The only way for the Manager to receive immediate or even near-immediate notice of a critical network event is to poll the Agents quite often, which in turn sucks up bandwidth and is a hit on the Manager’s CPU.

Let’s say our Manager is polling our Agent every 10 minutes regarding one particular variable. Three seconds after the Agent answers one such GET, that variable undergoes a critical change. It would then take 9 minutes and 57 seconds for the Manager to find out about the change!

To get a quick notification on such an event without overloading the Manager, we configure SNMP traps on the managed devices, allowing the Agents to send a message to the Manager when such a variable changes.

We still have three versions of SNMP out there – versions 1, 2c, and 3 – and there are some serious security concerns with the earlier versions. V3 has both authentication and encryption capabilities; the earlier versions do not. For that reason alone, you should use V3 whenever possible, and the use of the other versions should be restricted to allowing read-only access via the use of community strings.

SNMP community strings, found in SNMP v1 and 2c, are a kind of password / authority level combination that allow you to set the strings as read-only or read-write.

MLS_1(config)#snmp-server community ?
  WORD  SNMP community string

MLS_1(config)#snmp-server community CCNP ?
  <1-99>       Std IP accesslist allowing access with this community string
  <1300-1999>  Expanded IP accesslist allowing access with this community string
  WORD         Access-list name
  ro           Read-only access with this community string
  rw           Read-write access with this community string
  view         Restrict this community to a named MIB view
  <cr>

MLS_1(config)#snmp-server community CCNP ro ?
  <1-99>       Std IP accesslist allowing access with this community string
  <1300-1999>  Expanded IP accesslist allowing access with this community string
  WORD         Access-list name
  ipv6         Specify IPv6 Named Access-List
  <cr>

MLS_1(config)#snmp-server community CCNP ro 15

This configuration would allow hosts identified by ACL 15 to have read-only access to all SNMP objects specified by this community string.

With SNMP v3, things are much more secure and just a tad more complex. Let’s use IOS Help to venture through some of the most long-winded commands you’re ever going to see. Let’s start with creating an SNMP group and then assigning a user to that group.

MLS_1(config)#snmp-server group BULLDOGS ?
  v1   group using the v1 security model
  v2c  group using the v2c security model
  v3   group using the User Security Model (SNMPv3)

MLS_1(config)#snmp-server group BULLDOGS v3 ?
  auth    group using the authNoPriv Security Level
  noauth  group using the noAuthNoPriv Security Level
  priv    group using SNMPv3 authPriv security level

A quick word about those three security levels – they look intimidating, but when you break them down they’re easy to remember.

authPriv – Your SNMP packets are both authenticated and privacy is assured via encryption.

authNoPriv – You have authentication, but no privacy (no encryption).

noAuthNoPriv – You’re really asking for it. You have no authentication and no privacy (encryption).

MLS_1(config)#snmp-server group BULLDOGS v3 priv ?
  access   specify an access-list associated with this group
  context  specify a context to associate these views for the group
  match    context name match criteria
  notify   specify a notify view for the group
  read     specify a read view for the group
  write    specify a write view for the group
  <cr>

MLS_1(config)#snmp-server group BULLDOGS v3 priv

The views mentioned in the last IOS Help readout aren’t required, and creating them is out of the CCNP SWITCH exam scope, but I do want you to know the defaults:

If no read view is defined, all objects can be read.
If no write view is defined, no objects can be written.
If no notify view is defined, group members are not sent notifications.

Now let’s create our user, using SHA for authentication and AES 128-bit encryption, which are both excellent choices when your hardware allows them.

MLS_1(config)#snmp-server user CHRIS ?
  WORD  Group to which the user belongs

MLS_1(config)#snmp-server user CHRIS BULLDOGS ?
  remote  Specify a remote SNMP entity to which the user belongs
  v1      user using the v1 security model
  v2c     user using the v2c security model
  v3      user using the v3 security model

MLS_1(config)#snmp-server user CHRIS BULLDOGS v3 ?
  access     specify an access-list associated with this group
  auth       authentication parameters for the user
  encrypted  specifying passwords as MD5 or SHA digests
  <cr>

MLS_1(config)#snmp-server user CHRIS BULLDOGS v3 auth ?
  md5  Use HMAC MD5 algorithm for authentication
  sha  Use HMAC SHA algorithm for authentication

MLS_1(config)#snmp-server user CHRIS BULLDOGS v3 auth sha ?
  WORD  authentication pasword for user

MLS_1(config)#snmp-server user CHRIS BULLDOGS v3 auth sha CCNP ?
  access  specify an access-list associated with this group
  priv    encryption parameters for the user
  <cr>

MLS_1(config)#snmp-server user CHRIS BULLDOGS v3 auth sha CCNP priv ?
  3des  Use 168 bit 3DES algorithm for encryption
  aes   Use AES algorithm for encryption
  des   Use 56 bit DES algorithm for encryption

MLS_1(config)#snmp-server user CHRIS BULLDOGS v3 auth sha CCNP priv aes ?
  128  Use 128 bit AES algorithm for encryption
  192  Use 192 bit AES algorithm for encryption
  256  Use 256 bit AES algorithm for encryption

MLS_1(config)#snmp-server user CHRIS BULLDOGS v3 auth sha CCNP priv aes 128 ?
  WORD  privacy pasword for user

MLS_1(config)#$S BULLDOGS v3 auth sha CCNP priv aes 128 TIREDOFTYPING ?
  access  specify an access-list associated with this group
  <cr>

MLS_1(config)#$S BULLDOGS v3 auth sha CCNP priv aes 128 TIREDOFTYPING
MLS_1(config)#^Z
MLS_1#
Mar 26 10:16:25.467: Configuring snmpv3 USM user, persisting snmpEngineBoots.

Finally, we’ll define the host to which we’ll send traps.

MLS_1(config)#snmp-server host ?
  WORD  IP/IPV6 address of SNMP notification host
  http://<Hostname or A.B.C.D>[:<port number>][/<uri>]  HTTP address of XML notification host

MLS_1(config)#snmp-server host 10.1.1.3 ?
  WORD     SNMPv1/v2c community string or SNMPv3 user name
  informs  Send Inform messages to this host
  traps    Send Trap messages to this host
  version  SNMP version to use for notification messages
  vrf      VPN Routing instance for this host

MLS_1(config)#snmp-server host 10.1.1.3 traps ?
  WORD     SNMPv1/v2c community string or SNMPv3 user name
  version  SNMP version to use for notification messages

MLS_1(config)#snmp-server host 10.1.1.3 traps version ?
  1   Use SNMPv1
  2c  Use SNMPv2c
  3   Use SNMPv3

MLS_1(config)#snmp-server host 10.1.1.3 traps version 3 ?
  auth    Use the SNMPv3 authNoPriv Security Level
  noauth  Use the SNMPv3 noAuthNoPriv Security Level
  priv    Use the SNMPv3 authPriv Security Level

MLS_1(config)#snmp-server host 10.1.1.3 traps version 3 priv ?
  WORD  SNMPv1/v2c community string or SNMPv3 user name

MLS_1(config)#snmp-server host 10.1.1.3 traps version 3 priv CHRIS ?
  <about 45 options, too many to list here>
  <cr>

MLS_1(config)#snmp-server host 10.1.1.3 traps version 3 priv CHRIS

Whew! You obviously have to do some serious planning for SNMPv3, including the encryption type and bit level of same you’ll be able to use, but it pays off in the end with security that’s far superior to earlier versions.
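As an added example (not the author’s configuration or code), here is a Python audit of the snmp-server lines in a running-config that flags read-write or unrestricted community strings, v3 groups below authPriv, and notification hosts that still use v1/v2c, which are the three weak spots the section above warns about. The sample config mixes the lab’s own lines with constructed weak ones, and the function names are assumptions of this example.

```python
import re

# Constructed running-config excerpt: the lab's lines plus weak ones added
# here to exercise the checks (this is not the author's switch config).
SAMPLE_CONFIG = """\
snmp-server community CCNP ro 15
snmp-server community public rw
snmp-server community netmon ro
snmp-server group BULLDOGS v3 priv
snmp-server group LEGACY v3 noauth
snmp-server user CHRIS BULLDOGS v3 auth sha CCNP priv aes 128 TIREDOFTYPING
snmp-server host 10.1.1.3 traps version 3 priv CHRIS
snmp-server host 10.1.1.9 traps version 2c public
"""

GROUP_RE = re.compile(
    r"^snmp-server group (?P<name>\S+) (?P<ver>v1|v2c|v3)(?: (?P<level>auth|noauth|priv))?"
)
HOST_RE = re.compile(
    r"^snmp-server host (?P<host>\S+) (?P<kind>traps|informs) version (?P<ver>1|2c|3)"
    r"(?: (?P<level>auth|noauth|priv))? (?P<cred>\S+)"
)


def parse_community(line):
    """snmp-server community <string> [view V] [ro|rw] [ipv6 ACL6] [ACL]; ro is the default."""
    parts = line.split()
    if parts[:2] != ["snmp-server", "community"] or len(parts) < 3:
        return None
    entry = {"name": parts[2], "mode": "ro", "view": None, "acl": None, "ipv6_acl": None}
    rest = parts[3:]
    i = 0
    while i < len(rest):
        tok = rest[i]
        if tok == "view" and i + 1 < len(rest):
            entry["view"] = rest[i + 1]
            i += 2
        elif tok == "ipv6" and i + 1 < len(rest):
            entry["ipv6_acl"] = rest[i + 1]
            i += 2
        elif tok in ("ro", "rw"):
            entry["mode"] = tok
            i += 1
        else:
            entry["acl"] = tok   # numbered or named access list
            i += 1
    return entry


def audit_snmp(config):
    """Return one finding string per weak SNMP setting found in the config text."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        c = parse_community(line)
        if c:
            if c["mode"] == "rw":
                findings.append(f"community '{c['name']}' is read-write; keep v1/v2c communities read-only")
            if c["acl"] is None and c["ipv6_acl"] is None:
                findings.append(f"community '{c['name']}' has no access list; any host that knows it can poll")
            continue
        g = GROUP_RE.match(line)
        if g:
            if g["ver"] != "v3":
                findings.append(f"group '{g['name']}' uses the {g['ver']} security model; no authentication or encryption")
            elif g["level"] in (None, "noauth"):
                findings.append(f"group '{g['name']}' is noAuthNoPriv; nothing is authenticated or encrypted")
            elif g["level"] == "auth":
                findings.append(f"group '{g['name']}' is authNoPriv; polls are authenticated but not encrypted")
            continue
        h = HOST_RE.match(line)
        if h:
            if h["ver"] != "3":
                findings.append(f"notification host {h['host']} uses SNMPv{h['ver']}; the community travels in cleartext")
            elif h["level"] != "priv":
                findings.append(f"notification host {h['host']} uses SNMPv3 {h['level'] or 'noauth'}; notifications are not encrypted")
    return findings


if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_CONFIG):
        print(finding)
```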

Service Level Agreements

During your Frame Relay studies in your CCNA days, you were introduced to the Committed Information Rate (CIR). The CIR is basically a guarantee given to the customer by the Frame Relay service provider, where the provider says “For X dollars, we guarantee you’ll get Y amount of bandwidth. You may get more, but we guarantee you won’t get less.” Given that guarantee of minimum performance, the customer can then plan the WAN appropriately.

The SLA is based on the concept of minimum, guaranteed performance, but this agreement is between different parties. It can be much like the CIR, where a service provider guarantees a certain level of overall network uptime and performance, or it can be between the internal clients of a company and the network team at that same company. The SLA can involve just about any quality-measurable value in your network, from available bandwidth and acceptable levels of jitter in voice networks, to DNS lookup time, trouble notification and resolution time. Here’s a sneak peek of the available tests:

MLS_1(config)#ip sla 5
MLS_1(config-ip-sla)#?
IP SLAs entry configuration commands:
  dhcp         DHCP Operation
  dns          DNS Query Operation
  exit         Exit Operation Configuration
  ftp          FTP Operation
  http         HTTP Operation
  icmp-echo    ICMP Echo Operation
  path-echo    Path Discovered ICMP Echo Operation
  path-jitter  Path Discovered ICMP Jitter Operation
  tcp-connect  TCP Connect Operation
  udp-echo     UDP Echo Operation
  udp-jitter   UDP Jitter Operation
  video        Video Operation

An SLA setup consists of a source and a responder. To kick off the festivities, the source sends control packets to the responder via UDP port 1967 in an attempt to create a control connection similar to that in FTP. This connection isn’t the actual SLA test, but is an agreement on the rules of communication. In this case, the rules sent to the responder are the port number to be listened to during the test and the time limit on that listening.

Should the responder be kind enough to agree, it’ll send a message back to the source indicating the same, and then the responder starts listening to the indicated port. (If the responder doesn’t agree, it’ll send a message back indicating that decision, and our story ends prematurely.)

We now go from controlling to probing, as the source sends test packets to the responder. The source wants to see if the packets are echoed back and how long the overall process takes. The responder adds timestamps to those packets both as the packets are accepted and then returned. This gives the sender a better idea of the overall time the responder took to process the packets as well as the overall round-trip time. (Of course, this timestamping only helps if the devices have synched time – NTP, anyone?)

Let’s tackle an SLA lab! MLS_1 will be the SLA source, with ROUTER_3 serving as the responder. Here are the first options for the ip sla command:

MLS_1(config)#ip sla ?
  <1-2147483647>          Entry Number
  enable                  Enable Event Notifications
  group                   Group Configuration or Group Scheduling
  key-chain               Use MD5 Authentication for IP SLAs Control Messages
  logging                 Enable Syslog
  low-memory              Configure Low Water Memory Mark
  reaction-configuration  IP SLAs Reaction-Configuration
  reaction-trigger        IP SLAs Trigger Assignment
  read                    Read data for use with IP SLA
  reset                   IP SLAs Reset
  responder               Enable IP SLAs Responder
  restart                 Restart An Active Entry
  schedule                Entry Scheduling

We’ll go with SLA entry number 5, and accepting that value drops us into SLA entry config mode.

MLS_1(config)#ip sla 5
MLS_1(config-ip-sla)#?
IP SLAs entry configuration commands:
  dhcp         DHCP Operation
  dns          DNS Query Operation
  exit         Exit Operation Configuration
  ftp          FTP Operation
  http         HTTP Operation
  icmp-echo    ICMP Echo Operation
  path-echo    Path Discovered ICMP Echo Operation
  path-jitter  Path Discovered ICMP Jitter Operation
  tcp-connect  TCP Connect Operation
  udp-echo     UDP Echo Operation
  udp-jitter   UDP Jitter Operation
  video        Video Operation

We’ll then choose the icmp-echo test, using 10.1.1.3 as the target of the test.

MLS_1(config-ip-sla)#icmp-echo ?
  Hostname or A.B.C.D  Destination IP address or hostname, broadcast disallowed

MLS_1(config-ip-sla)#icmp-echo 10.1.1.3 ?
  source-interface  Source Interface (ingress icmp packet interface)
  source-ip         Source Address
  <cr>

Note the option to configure the source interface and IP address – those options can come in handy in larger networks. Since we only have one path from source to responder, we’ll leave those alone here.

MLS_1(config-ip-sla)#icmp-echo 10.1.1.3

We then drop into SLA ICMP Echo config mode (!), where I’ll set a frequency of 60 seconds between tests. That also happens to be the default!

MLS_1(config-ip-sla-echo)#?
IP SLAs Icmp Echo Configuration Commands:
  default            Set a command to its defaults
  exit               Exit operation configuration
  frequency          Frequency of an operation
  history            History and Distribution Data
  no                 Negate a command or set its defaults
  owner              Owner of Entry
  request-data-size  Request data size
  tag                User defined tag
  threshold          Operation threshold in milliseconds
  timeout            Timeout of an operation
  tos                Type Of Service
  verify-data        Verify data
  vrf                Configure IP SLAs for a VPN Routing/Forwarding instance

MLS_1(config-ip-sla-echo)#frequency ?
  <1-604800>  Frequency in seconds

MLS_1(config-ip-sla-echo)#frequency 60

Finally, we get to schedule this sucker! I’ll use IOS Help to show you the options and then start the test immediately. Note the option to grant the test eternal life.

MLS_1(config)#ip sla schedule ?
  <1-2147483647>  Entry number

MLS_1(config)#ip sla schedule 5 ?
  ageout      How long to keep this Entry when inactive
  life        Length of time to execute in seconds
  recurring   Probe to be scheduled automatically every day
  start-time  When to start this entry
  <cr>

MLS_1(config)#ip sla schedule 5 life ?
  <0-2147483647>  Life seconds (default 3600)
  forever         continue running forever

MLS_1(config)#ip sla schedule 5 start-time ?
  after     Start after a certain amount of time from now
  hh:mm     Start time (hh:mm)
  hh:mm:ss  Start time (hh:mm:ss)
  now       Start now
  pending   Start pending

MLS_1(config)#ip sla schedule 5 start-time now

Verify your config with show ip sla config. I’ll show you the entire output here, and the most important info to us is near the top. The default TTL is 3600 seconds, and we can see that’s ticking away.

MLS_1#show ip sla config
IP SLAs Infrastructure Engine-III
Entry number: 5
Owner:
Tag:
Operation timeout (milliseconds): 5000
Type of operation to perform: icmp-echo
Target address/Source address: 10.1.1.3/0.0.0.0
Type Of Service parameter: 0x0
Request size (ARR data portion): 28
Verify data: No
Vrf Name:
Schedule:
   Operation frequency (seconds): 60  (not considered if randomly scheduled)
   Next Scheduled Start Time: Start Time already passed
   Group Scheduled : FALSE
   Randomly Scheduled : FALSE
   Life (seconds): 3600
   Entry Ageout (seconds): never
   Recurring (Starting Everyday): FALSE
   Status of entry (SNMP RowStatus): Active
Threshold (milliseconds): 5000
Distribution Statistics:
   Number of statistic hours kept: 2
   Number of statistic distribution buckets kept: 1
   Statistic distribution interval (milliseconds): 20
Enhanced History:
History Statistics:
   Number of history Lives kept: 0
   Number of history Buckets kept: 15
   History Filter Type: None

To view SLA statistics, run show ip sla statistics. I ran the command twice, and we can see that the tests are running a minute apart and they’ve both been successful.

MLS_1#show ip sla stat
IPSLAs Latest Operation Statistics

IPSLA operation id: 5
Latest RTT: 1 milliseconds
Latest operation start time: 06:11:35 EST Thu Mar 26 2015
Latest operation return code: OK
Number of successes: 1
Number of failures: 0
Operation time to live: 3552 sec

MLS_1#show ip sla stat
IPSLAs Latest Operation Statistics

IPSLA operation id: 5
Latest RTT: 1 milliseconds
Latest operation start time: 06:12:35 EST Thu Mar 26 2015
Latest operation return code: OK
Number of successes: 2
Number of failures: 0
Operation time to live: 3528 sec

We can secure our SLA config with a key-chain and the ip sla key-chain command.

ROUTER_3(config)#key chain CCNP
ROUTER_3(config-keychain)#key 1
ROUTER_3(config-keychain-key)#key-string SPIDERS
ROUTER_3(config)#ip sla key-chain CCNP

MLS_1(config)#key chain CCNP
MLS_1(config-keychain)#key 1
MLS_1(config-keychain-key)#key-string SPIDERS
MLS_1(config)#ip sla key-chain CCNP

Hey, did you notice I never configured anything on the responder? Since I was running a simple ICMP echo test, I didn’t need to, since I know the responder can handle pinging. For some of those other tests, though, you may need ip sla responder. It doesn’t hurt anything to enable SLA capabilities for the simpler tests.

ROUTER_3(config)#ip sla responder

An interesting thing about SLA tests – you can’t edit one that’s in progress. Here, I tried to go back and set this test to live forever rather than time out, and here’s what happened:

MLS_1(config)#ip sla 5
Entry already running and cannot be modified
(only can delete (no) and start over)
(check to see if the probe has finished exiting)

It’s always something!

Just one more SLA thing… I want to show you what the statistics output is when something’s gone wrong. Here, I shut ROUTER_3’s port down that leads to the switch. Here’s the result of the very next echo test:

MLS_1#show ip sla stat
IPSLAs Latest Operation Statistics

IPSLA operation id: 5
Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: 06:53:35 EST Thu Mar 26 2015
Latest operation return code: Timeout
Number of successes: 42
Number of failures: 1
Operation time to live: 1024 sec

After reopening the interface, the successes start incrementing again!

MLS_1#show ip sla stat
IPSLAs Latest Operation Statistics

IPSLA operation id: 5
Latest RTT: 1 milliseconds

that is) originally MLS _ 1(config)#tacacs-server host 10. Each “A” is a separate function and requires separate configuration. TACACS+ runs each “A” as a separate process. an open-standard UDP-based protocol (ports 1812 and 1813. TACACS+. As a CCNA and future CCNP. that is). RADIUS cannot control the authorization level of users.115 S T U DY G U I D E C H R I S B R YA N T Latest operation start time: 06:54:35 EST Thu Mar 26 2015 don’t have to concern ourselves with that version. configured. work (or network service). authorization. so we 350 aaa new-model not only enables AAA. you’ve already configured authen- Regardless of the “A” you’re configuring. TACACS was the original version of the protocol and is rarely used today. Before we deal with configs though. it also overrides every previously configured authentication method for the router lines – especially the vty lines! 351 .3 key CCNP developed by the IETF. allowing another method of authentication to be used while still using TACACS+ for authorization and/ or accounting. since no external device is involved. Authentication is the process of deciding if a given user should be allowed to access the net- running the other. but it makes it very difficult to run one process without Those As stand for authentication. As your network grows and you need a more scalable authentication scheme. That AAA might sound like a good thing. a Cisco-proprietary TCP-based protocol (port 49. AAA must first be enabled with the global com- tication in the form of a local database of usernames and passwords.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 . MLS _ 1(config)#radius-server host 10.1. where RADIUS encrypts only the password in the Number of failures: 1 initial client-server packet.5 key CCIE You just might be asking yourself what happened to the original TACACS if we’re now using TACACS+.1.1. This is sometimes mand aaa new-model. 
Operation time to live: 989 sec RADIUS actually combines the authentication and authorization processes.1. and accounting. The location of the TACACS+ and/or RADIUS server must then be called a self-contained AAA deployment. MLS _ 1(config)#aaa new-model RADIUS. let’s look at each “A” and see exactly what’s going on with each. along with a shared encryption key that must be agreed upon by both client and server. We do need to concern ourselves with Latest operation return code: OK these differences between TACACS+ and RADIUS: Number of successes: 43 TACACS+ encrypts the entire packet. it’s likely you’ll turn to one of the following protocols for your AAA deployment. but TACACS+ can.

We have our TACACS+ server at 10.1.1.3 and our RADIUS server at 10.1.1.5, with the switch configured as a client of both. And that’s that! However, we now need to determine which servers will be used for authentication, and in what order, by drilling a little deeper with aaa authentication. We have to create either a named authentication list or a default list that will be used for all authentications that don’t reference a named list. We’ll go with the default list. Let’s have a look at the options.

MLS_1(config)#aaa authentication login ?
  WORD     Named authentication list (max 31 characters, longer will be rejected).
  default  The default authentication list.

MLS_1(config)#aaa authentication login default ?
  cache          Use Cached-group
  enable         Use enable password for authentication.
  group          Use Server-group
  krb5           Use Kerberos 5 authentication.
  krb5-telnet    Allow logins only if already authenticated via Kerberos V Telnet.
  line           Use line password for authentication.
  local          Use local username authentication.
  local-case     Use case-sensitive local username authentication.
  none           NO authentication.
  passwd-expiry  enable the login list to provide password aging support

Some choices might surprise you! We can configure authentication to use the enable password, and we could also use a line password. The local and local-case options allow us to use the local username/password database. A quick review on how to build one of those:

MLS_1(config)#username bruno password wwwf
MLS_1(config)#username thesz password nwa
MLS_1(config)#username gagne password awa

Hmm, we’ll use our TACACS+ and RADIUS servers instead of using the local database. If you don’t see those options in the above config, there’s a good reason – they’re not there! To use TACACS+ or RADIUS in aaa authentication, choose group and all will be revealed!

MLS_1(config)#aaa authentication login default group ?
  WORD     Server-group name
  ldap     Use list of all LDAP hosts.
  radius   Use list of all Radius hosts.
  tacacs+  Use list of all Tacacs+ hosts.

I’ll go with TACACS+ and then check the options.

MLS_1(config)#aaa authentication login default group tacacs+ ?
  cache       Use Cached-group
  enable      Use enable password for authentication.
  group       Use Server-group
  krb5        Use Kerberos 5 authentication.
  line        Use line password for authentication.
  local       Use local username authentication.
  local-case  Use case-sensitive local username authentication.
  none        NO authentication.
  <cr>

The tacacs+ choice is legal, and this command is fine on its own – but why do I have the option to list more authentication choices, including “none”? We can actually name up to four methods, and they’ll be used in the order listed, from left to right. If you try to list a fifth method as I did below, the IOS will not let you enter the 5th method. IOS Help won’t even show you the remaining options once you hit four! The following statement lists TACACS+ as the first method, a line password second, the local database third, and finally, the enable password. IOS Help will not show me the remaining options since my statement is already at the legal limit.

MLS_1(config)#$ication login default group tacacs+ line local enable ?
  <cr>

Let’s go back to an aaa authentication line with just one method listed.

MLS_1(config)#aaa authentication login default group tacacs+ ?
  cache       Use Cached-group
  enable      Use enable password for authentication.
  group       Use Server-group
  krb5        Use Kerberos 5 authentication.
  line        Use line password for authentication.
  local       Use local username authentication.
  local-case  Use case-sensitive local username authentication.
  none        NO authentication.
  <cr>

In this line, TACACS+ will be the first authentication method used. If the TACACS+ authentication attempt times out or an error is encountered, the next method we choose in this line will be used. If TACACS+ actively refuses the authentication attempt, the second method is not used. That’s the end of the authentication try!

You’re likely wondering why the heck “none” is an AAA authentication option. After all, are we doing all this work just to have no authentication? In some cases – yes! Some admins like to use none at the end of their authentication method list, so no authentication is necessary if the external servers are down. That way, if the external devices aren’t available, you can still authenticate!

It’s always a good idea to list at least one authentication method that doesn’t require an external device. The enable password is also a good choice.

This authentication method list will try our defined TACACS+ server first, then our RADIUS server, and will then use the local username/pw database if those servers are unavailable or return errors.

MLS_1(config)#aaa authentication login default group tacacs+ group radius local

Finally, apply the authentication method list to the appropriate lines with login authentication. I’ll apply the default list to the switch’s VTY lines.

MLS_1(config)#line vty 0 15
MLS_1(config-line)#login authentication ?
  WORD     Use an authentication list with this name.
  default  Use the default authentication list.

Here’s the most important rule of this entire section. Always leave yourself a back door to get in, and always stay logged in while you test your authentication setup with a separate connection. You don’t want to log out and then find out you can’t log back in!
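As an added example (not code from the study guide), the following Python checks an aaa authentication login line against the rules just covered (at most four methods, at least one method that needs no external server, and what listing none really means) and simulates how IOS walks the list from left to right; the config lines and server responses it uses are constructed for the example.

```python
"""Added example: sanity checks for IOS 'aaa authentication login' method
lists, plus a simulator of how IOS walks such a list.  Not code from the study
guide; the config lines and server responses used here are constructed."""
import re

# Methods the switch can satisfy on its own (no external server needed).
LOCAL_FALLBACKS = {"local", "local-case", "enable", "line"}
MAX_METHODS = 4  # IOS Help stops offering methods once four are listed

LINE_RE = re.compile(r"^aaa authentication login (\S+)\s+(.+)$")


def parse_methods(tokens):
    """['group', 'tacacs+', 'group', 'radius', 'local'] ->
    [('group', 'tacacs+'), ('group', 'radius'), ('local', None)]"""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group":          # a server-group name follows
            methods.append(("group", tokens[i + 1]))
            i += 2
        else:
            methods.append((tokens[i], None))
            i += 1
    return methods


def check_list(config_line):
    """Return warning strings for one 'aaa authentication login' line."""
    m = LINE_RE.match(config_line.strip())
    if not m:
        return []
    name, methods = m.group(1), parse_methods(m.group(2).split())
    kinds = [kind for kind, _ in methods]
    warnings = []
    if len(methods) > MAX_METHODS:
        warnings.append(f"{name}: {len(methods)} methods listed; IOS allows at most {MAX_METHODS}")
    if not (set(kinds) & LOCAL_FALLBACKS):
        warnings.append(f"{name}: no method that works without an external server (lockout risk)")
    if "none" in kinds:
        warnings.append(f"{name}: 'none' grants access with no authentication once it is reached")
    return warnings


def evaluate(methods, responses):
    """Walk the list left to right the way the text describes IOS doing it.

    responses maps a server-group name to 'accept', 'reject', 'timeout' or
    'error'; an unlisted group is treated as 'timeout'.  Local methods are
    assumed (for this example) to accept, i.e. the user typed a valid
    credential.  Returns (deciding_method, decision)."""
    for kind, group in methods:
        if kind == "group":
            answer = responses.get(group, "timeout")
            if answer in ("timeout", "error"):
                continue                       # server unreachable: try the next method
            return (f"group {group}", answer)  # accept or reject ends the attempt
        if kind == "none":
            return ("none", "accept")          # no authentication at all
        return (kind, "accept")
    return (None, "reject")                    # nothing could answer the attempt


if __name__ == "__main__":
    # Constructed sample lines, including the one the text recommends.
    for line in (
        "aaa authentication login default group tacacs+ group radius local",
        "aaa authentication login default group tacacs+ group radius",
        "aaa authentication login default group tacacs+ line local enable none",
    ):
        print(line, "->", check_list(line) or "ok")
    methods = parse_methods("group tacacs+ group radius local".split())
    print(evaluate(methods, {"tacacs+": "timeout", "radius": "error"}))  # ('local', 'accept')
    print(evaluate(methods, {"tacacs+": "reject"}))                      # ('group tacacs+', 'reject')
```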

MLS_1(config-line)#login authentication default ?
  <cr>
MLS_1(config-line)#login authentication default

And now… a word to the wise.

Don’t Get Cute

Don’t get cute with passwords. Never set a password that you don’t want to say out loud at a meeting, particularly a meeting with high-ranking sensitive folk. (Didn’t happen to me, but I was there to see it.)

Another time not to get cute is when you’re naming an AAA authentication list. For some reason, admins like to use AAA for the name of the list, resulting in this command:

MLS_1(config)#aaa authentication login PASSWORD group tacacs+ local

That command confuses the uninitiated. At the very least, make the name intuitive. Above all, don’t use a word already in the command! When you give something a name on a router or switch, don’t call it login, radius, tacacs+, or group, because then you end up with one of these:

MLS_1(config)#aaa authentication login login group tacacs+ local
MLS_1(config)#aaa authentication login group group tacacs+ local
MLS_1(config)#aaa authentication login radius group tacacs+ local
MLS_1(config)#aaa authentication login tacacs+ group tacacs+ local

Ugly. Real ugly. Don’t get cute.

Authorization

While authentication decides whether a given user should be allowed into our network, authorization dictates what users can do once they’re in. aaa authorization creates a user profile that’s checked when a user attempts to use a particular command or service.

As with authentication, we’ll have the option of creating a default list or a named list – and as always, AAA must be enabled with aaa new-model if you haven’t already done so! We did just that in the last lab, along with defining the RADIUS and TACACS+ server IP addresses, so we’ll dive straight into the authorization options.

MLS_1(config)#aaa authorization ?
  auth-proxy           For Authentication Proxy Services
  cache                For AAA cache configuration
  commands             For exec (shell) commands.
  config-commands      For configuration mode commands.
  configuration        For downloading configurations from AAA serve
  console              For enabling console authorization
  credential-download  For downloading EAP credential from Local/RAD
  exec                 For starting an exec (shell).
  multicast            For downloading Multicast configurations from server
  network              For network services. (PPP, SLIP, ARAP)
  policy-if            For diameter policy interface application.
  prepaid              For diameter prepaid services.
  radius-proxy         For proxying radius packets
  reverse-access       For reverse access connections
  subscriber-service   For iEdge subscriber services (VPDN etc)
  template             Enable template authorization

MLS_1(config)#aaa authorization exec ?
  WORD     Named authorization list (max 31 characters, longer will be rejected).

  default  The default authorization list.

MLS_1(config)#aaa authorization exec default ?
  cache             Use Cached-group
  group             Use server-group.
  if-authenticated  Succeed if user has authenticated.
  krb5-instance     Use Kerberos instance privilege maps.
  local             Use local database.
  none              No authorization (always succeeds).

MLS_1(config)#aaa authorization exec default group tacacs+ local

Frankly, I could write a whole book solely on the many different aaa authorization combinations, so we’re not going to walk through every single one. Watch the commands and config-commands options, though – the first means the user must be authorized to run any command, while the second limits authorization to the use of configuration commands. If you’re dealing with PPP (or ARAP or SLIP for that matter), go with the network option. Also note the if-authenticated option. If the user’s already authenticated, that method will (obviously) consider the user authorized.

Naturally, apply the authorization list to the appropriate lines with authorization.

MLS_1(config)#line vty 0 15
MLS_1(config-line)#authorization ?
  arap            For Appletalk Remote Access Protocol
  commands        For exec (shell) commands
  exec            For starting an exec (shell)
  reverse-access  For reverse telnet connections
MLS_1(config-line)#authorization commands ?
  <0-15>  Enable level
MLS_1(config-line)#authorization exec ?
  WORD     Use an authorization list with this name
  default  Use the default authorization list
MLS_1(config-line)#authorization exec default

Accounting

Authentication decides who gets in and who doesn’t, authorization decides what users can do once they get in, and accounting tracks the resources used by that user. This tracking can be for security purposes (detecting users doing things they shouldn’t be doing!) or for tracking network usage in order to bill other departments in your company.

We’re not going to spend much time on accounting, but I do want to show you a sample command on the switch. AAA must be enabled before proceeding with accounting. The line we’ll build gives us info on users who use commands while in privilege level 1, both when they start and stop. Getting that same info for privilege level 15 would be easy enough – just replace the “1” with “15”.

MLS_1(config)#aaa accounting commands ?
  <0-15>  Enable level
MLS_1(config)#aaa accounting commands 1 ?
  WORD     Named Accounting list (max 31 characters, longer will be rejected).
  default  The default accounting list.
MLS_1(config)#aaa accounting commands 1 default ?
  none        No accounting.
  start-stop  Record start and stop without waiting
  stop-only   Record stop when service terminates.
MLS_1(config)#aaa accounting commands 1 default start-stop ?
  broadcast  Use Broadcast for Accounting

  group      Use Server-group
MLS_1(config)#aaa accounting commands 1 default start-stop group ?
  WORD     Server-group name
  tacacs+  Use list of all Tacacs+ hosts.
MLS_1(config)#aaa accounting commands 1 default start-stop group tacacs+ ?
  group  Use Server-group
  <cr>
MLS_1(config)#aaa accounting commands 1 default start-stop group tacacs+

AAA supports six different accounting formats:

Commands: Information regarding EXEC mode commands issued by a user.
Connection: Information regarding all outbound connections made from a network access server.
EXEC: Information about user EXEC terminal sessions.
Network: Info on all PPP, ARAP, and SLIP sessions.
Resource: Info regarding start and stop records for calls passing authentication, and stop records for calls that fail authentication.
System: Non-user-related system-level events.

Chapter 11: NETWORK DESIGN AND MODELS

Blunt as always: This isn’t the most exciting material in the course. Having said that, it is very important material, so grab some caffeine and let’s dive right in!

During your CCNA studies, your only responsibility concerning the Cisco 3-Layer Hierarchical Model was memorizing the layers and their location. The stakes are raised in your CCNP studies, as we need to know what should and should not occur at each layer. We’ll start this section with a review of the model, and then delve into each layer in detail.

The Core Layer

The core layer is the backbone of our entire network, and this is more than a full-time job! It’s vital that we keep extra, non-switching features off the core layer and let these switches do what they do best – switch. As you know, everything we do on a Cisco router or switch takes away from overall switch resources, and we want the core layer to be concerned strictly with switching, so we’ll leave most frame manipulation and filtering to other layers. Leave your ACLs and other traffic filtering methods for other layers of this model.

With networking though, you know there’s an exception to that rule, and that exception is Quality of Service (QoS). Advanced QoS is generally performed at the core layer.

Switches at the core layer allow distribution-layer switches to communicate, so we’re interested in high-speed data transfer, very low latency, and that’s it! Core layer switches are generally the most powerful in your network, capable of higher throughput than switches found at the other layers. Today’s core switches are generally the multilayer switches we’ve worked with throughout this course.

We always want redundancy, but we want a lot of redundancy in the core layer. This is the nerve center of your entire network, so fault tolerance should be at the highest level possible.

The Distribution Layer

Not all the work is done at the core layer! The demands on distribution-level switches are very high, so not only do the distribution-level switches need high-speed ports and links, they have to have quite a few in order to connect to both the access and core-layer switches. Distribution-layer switches must be able to handle redundancy for all links.

When multilayer switches are in use, routing should take place at the distribution layer. The access layer’s too busy with end users to handle routing. The distribution layer also serves as a boundary for broadcasts and multicasts sent by access-layer devices. While QoS is configured at the core layer when possible, you’ll find it in the distribution layer as well.

The Access Layer

Here’s where the end users communicate with the network! VLAN membership, traffic filtering, and some basic QoS features all run here. Collision domains are found at the access layer, and MAC address filtering can be performed here as well. (MAC filtering is a pain to configure, although hopefully there are other ways to get the job done that you need done.)

A good rule of thumb for access-layer switches is “low cost, high switchport-to-user ratio”. Redundancy is important at this layer (of course! It’s important everywhere!), and you must plan for future network growth. A 12-port switch might be fine for your needs at present, but a month from now you’ll wish you had bought a larger switch with more ports. It’s a lot easier to get everything you need when you’re buying than to go back and try to add it later. Today’s sufficient port density is tomorrow’s “Where the $%)$ am I gonna plug this user in?” I kid you not. Be sure to examine your network’s requirements and review the documentation on switch models carefully before making your purchase.

The access-layer switches will have their uplinks connecting to our distribution-level switches.

The Enterprise Composite Network Model

Before we dive into this topic, I want to remind you that network models are guidelines, and should be used as such. That’s particularly true of the Enterprise Composite Network Model, a very popular model used to design campus networks. (A campus network is basically a series of LANs interconnected via a network backbone.) Examine your network topology closely and check vendor documentation before making purchasing decisions.

These models are strictly guidelines. Helpful guidelines, but guidelines nonetheless. There’s no one right way to design an enterprise network. The number of LANs involved, the physical layout of the buildings as a unit and individually – these are just two important factors involved.

Our access- and distribution-layer switches are both found in this model’s Switch Block. Switch blocks are units of access-layer and distribution-layer devices. These layers contain both the traditional L2 switches (found at the access layer) and multilayer switches, typically found in the distribution layer. Devices in a switch block work together to bring network access to a unit of the network, such as a single building on a college campus or business park.

Core blocks naturally consist of our high-powered core switches, and these core blocks allow the switch blocks to communicate. The Core Block serves as the campus backbone, allowing switches in one Switch Block to communicate with switches in the other Switch Block. This is a tremendous responsibility, and it’s the major reason I continue to mention that the access and distribution layers should handle many of the network services, leaving the core switches free to use all their resources to switch.

Let’s take a look at a typical campus network and see how these block types work together.

All four distribution-layer switches have connections to both switches in the Core Block, giving us as much redundancy as this topology can offer. We love this setup, especially the dual core. If one of the core switches goes down, we still have total connectivity.

Reality does rear its ugly head on occasion, and that occasion may be not having the money to afford a setup like this. Smaller networks (and admins on a tight budget!) can use a collapsed core setup, where certain switches will perform as both Switch Block and Core Block switches. In a collapsed core, there is no dedicated core switch.

The Enterprise Composite Network Model has three main parts:

The Enterprise Campus
The Enterprise Edge
The Service Provider Edge

In turn, the Enterprise Campus consists of these modules:

Campus Infrastructure
Server Farm
Network Management
Enterprise Edge (yes, again)

In turn again, the Campus Infrastructure model consists of these modules:

Building Access (access-layer devices)
Building Distribution (distribution-layer devices)
Campus Backbone (Interconnects multiple Distribution modules)

The four multilayer switches are working as both core-layer and distribution-layer switches. Note that each of the access switches has redundant uplinks to both distribution/core switches in their switch block.

This is a relatively small campus network, but you already have a good idea of the sheer workload the core switches will be handling. The combination of access, distribution, and core layers shown here is sometimes called the Campus Infrastructure.

Our core switches have even more work to do now. In a campus network, the server farm block is a separate switch block, complete with access and distribution-layer switches. The distribution-layer switches again have redundant connections to the core switches. There are times when we’ve wanted to throw a server or two (or twelve) straight out the window, but we’re not going to have much of a network without them.

In today’s world, network management tools are a necessity. AAA servers, syslog servers, intruder detection tools, and network monitoring tools are found in almost every campus network today. All of these devices can be placed in a switch block of their own, the network management block, but we’re not quite done yet. Two blocks will team up to bring our users that all-important internet connectivity – the Enterprise Edge Block and the Service Provider Edge Block.

The Enterprise Edge Block is naturally found at the edge of the campus network, and this block of routers and switches brings WAN connectivity to the rest of the campus network.

While the Service Provider Edge Block is considered part of the campus network model, we have no control over the actual structure of the block. And frankly, we don’t care! The key is that this block borders the Enterprise Edge Block, and it’s the final piece of the Internet connectivity puzzle for our campus network.

With all the lines leading to the core switches, it’s easy to see why we want to dedicate as much of the switches’ capabilities to pure switching – the workload is huge!

End-to-End And Local VLANs

“Oh no, not more VLANs!” Hey, I hear you, but these two VLAN types do fit in with our design chat. Let’s spend a few minutes with each type…

As you’d expect from the name, end-to-end VLANs span the entire network. A user is assigned to a single VLAN, and that VLAN will remain the same no matter where the user is. The physical location of the user doesn’t matter.

ETE VLANs should be designed with the 80/20 rule in mind, where 80% of the local traffic stays within the local area, and the other 20% will traverse the network core en route to a non-local destination. ETE VLANs must be accessible on every access-layer switch in order to accommodate mobile users.

The very nature of an end-to-end VLAN and the fact that it spans the entire network makes working with one a challenge. Many of today’s networks don’t lend themselves well to this type of VLAN. The following network diagram is very simple, but even this network would be difficult to configure with ETE VLANs when the hosts need Internet connectivity or Cloud access. This level of access is more of a necessity than a luxury today, so 80/20 traffic patterns are becoming increasingly rare.

ETE VLANs can come in handy as a security tool, or when the hosts have similar resource requirements – for example, if you had certain hosts across the network that needed access to a particular network resource, but you didn’t want your other hosts to even know of the existence of that resource.

Physical location is unimportant in ETE VLANs, but users are grouped by location in Local VLANs. Local VLANs use the 20/80 rule, assuming that 20% of traffic is local in scope and the other 80% will cross the network core.

Well, shoot. That’s it! The end of the book! Thanks for reading, and I wish you all the best on your CCNP SWITCH exam and in your future studies.

Chris B.