CHRIS BRYANT’S

CCNP
SWITCH 300-115 STUDY GUIDE


Table of Contents

Chris Bryant, CCIE #12933
“The Computer Certification Bulldog”
Copyright © 2015 The Bryant Advantage, Inc.
All rights reserved.
Disclaimers and Legal Notices:
Copyright © The Bryant Advantage, 2015.
All rights reserved. This book or any portion thereof may not be reproduced or used in any manner whatsoever
without the express written permission of the publisher, except for the use of brief quotations in a book review.
No part of this publication may be stored in a retrieval system, transmitted, or reproduced in any way, including
but not limited to photocopy, photograph, magnetic, or other record, without the prior agreement and written
permission of the publisher.
The Bryant Advantage, Inc., has attempted throughout this book to distinguish proprietary trademarks from
descriptive terms by following the capitalization style used by the manufacturer. Copyrights and trademarks of all
products and services listed or described herein are property of their respective owners and companies. All rules
and laws pertaining to said copyrights and trademarks are inferred.
This study guide is intended to prepare candidates for Cisco’s CCNP SWITCH 300-115 certification exam. The
book has been made as accurate and complete as possible. No warranty or fitness is inferred or implied. Neither the
author nor The Bryant Advantage, Inc. has liability or responsibility to any entity or individual regarding loss or
damage arising from the use of this book. Passing the CCNP SWITCH exam is not guaranteed in any fashion.
The terms CCIE, CCNP, CCNA, Cisco IOS, Cisco Systems, IOS, and StackWise are all registered trademarks of Cisco
Systems, Inc. As always, no challenge to any trademark or copyright is intended in any of my books or video-based
courses.
ISBN-10: 1517351227
ISBN-13: 9781517351229

Chapter 1: Switching Fundamentals (page 1)
Chapter 2: The When, Where, and How Of VLANs (page 22)
Chapter 3: Trunking (page 40)
Chapter 4: The VLAN Trunking Protocol (VTP) (page 63)
Chapter 5: The Fundamentals Of STP (page 83)
Chapter 6: STP -- Advanced Features and Versions (page 123)
Chapter 7: Etherchannels (page 157)
Chapter 8: Multilayer Switching And High Availability Protocols (page 172)
Chapter 9: Securing The Switches (page 238)
Chapter 10: Monitoring The Switches (page 319)
Chapter 11: Network Design And Models (page 361)

A Very Brief Introduction
Before We Get Started…
Thank you for making The Bryant Advantage part of your CCNP success story! I know you
have a lot of training options out there, from books to videos and everything in between,
and all of us here at TBA are very appreciative of your purchase.
During your studies, check out my YouTube channel! I’m starting an all-new CCNP SWITCH
300-115 Playlist in October 2015. With over 300 free videos there already, I know there’s
something there you’ll enjoy.
https://www.youtube.com/user/ccie12933
You’ll find additional free resources via these links:
Facebook: goo.gl/u72n1M
Google+: https://plus.google.com/+ccie12933
GNS3 (Free CCNP SWITCH Course!): goo.gl/yk2loM
Thanks again for your purchase, and now, let’s get started!
Chris Bryant
“The Computer Certification Bulldog”

Chapter 1: SWITCHING FUNDAMENTALS

Your mastery of switching fundamentals can make the difference on exam day, so let’s give this material a good going-over before heading on to new material!

Before proceeding, let’s have a moment of silence for two old friends. We won’t spend any time discussing floppy disks, but the item on the left is a hub, the predecessor to today’s switches. (You’ll sometimes see a double-headed arrow on top of the icon representing a hub.)

Back in the day, our hosts had to share transmission media via a hub. Having just one collision domain may sound good, but it’s not. With one big collision domain, one host’s data will be almost continually colliding with another host’s data, rendering the collided signals useless. The hub might as well be a bomb at that point, because the data involved in the collision is going to “explode” when that collision occurs, and all data involved is unusable.

In short, we must have rules on when a host may transmit data. The set of rules for transmitting over Ethernet via shared media is Carrier Sense Multiple Access with Collision Detection, thankfully referred to as CSMA/CD. Here’s the overall process…

A host with data to send must first listen to the wire, meaning it checks the shared media to see if another host is currently sending data. If the media is not in use, the host sends the data. Otherwise, if the media is in use, the host backs off for a few milliseconds before listening to the wire again.

If two hosts happen to send data at the exact same time, the voltage on the wire will change, indicating a data collision. When the sending hosts detect that voltage change, they’ll send a jam signal indicating to the other hosts that they should not send data right now. The sending hosts will then invoke a backoff timer, set to a random number of milliseconds. When each host’s backoff timer expires, they will each begin the CSMA/CD process from the very beginning by listening to the wire. Since that backoff timer is set to a random value, it’s unlikely that the data collision will reoccur. The hosts then have to retransmit the data, and there’s no guarantee that another collision won’t occur when that retransmission occurs!

At the time, we were darn glad to have CSMA/CD, and those built-in delays were a small price to pay for sharing media. You know what wasn’t around though? Voice and video conferencing. VoIP phones. YouTube. Vimeo. Cat videos. Dog videos. Donkey videos. All kinds of ultra-delay-sensitive voice and video traffic is present in today’s network that we were only dreaming about back in the days of the hub. Having one big collision domain just would not do today.

One reason we love switches is the creation of smaller collision domains. Today’s networks typically have each host connected to their own individual port on a switch, and by doing so, a separate collision domain is created for each host. Collisions literally cannot occur! Some Cisco documentation refers to this “one host, one collision domain” setup as microsegmentation. It’s not a term you hear often, but it’s certainly a good one to know when you’re reading Cisco docs.

Thanks to our switch, we also get a lot more bandwidth! When hosts are connected to individual switch ports, they no longer have to share bandwidth with other hosts. With the right switch config and network cards, each host can theoretically run at 200 Mbps (100 sending and 100 receiving), assuming FastEthernet ports.

That takes care of the collision domain issue, but we still have one large broadcast domain. By default, a broadcast or multicast sent by any host connected to that switch will be received by every other host on that switch. That’s a lot of unnecessary broadcasts flying around our network, which in turn means unnecessary work for the switch and for the hosts. We’ll start breaking up those broadcast domains in the Virtual LAN (VLAN) section of the course.

Let’s take a look at how a switch builds that all-important MAC address table. Our routing table is helped along by dynamic routing protocols like EIGRP and OSPF. There is no equivalent to those protocols at Layer 2, so the switches have to build their MAC address tables in another fashion (or fashions).

We could build a MAC address table with all static entries, but that approach has a serious drawback. Every time you add a host to a switch, you’d have to make a static MAC entry for that host. The more information you add statically, the greater the chance of a mistyped entry. If a port goes down and you switch the host connected to the bad port to a good port, you won’t have full connectivity until you add a new static entry for that host’s MAC address. In the heat of battle, it’s easy to forget to remove the old entry, which in turn leads to unnecessary troubleshooting, which leads to even more unnecessary troubleshooting when the bad port is fixed and another host is eventually connected to it.

When I have a choice between letting the hardware do the work and me doing the work, I’ll let the hardware do it every time. That doesn’t mean I’m lazy, it means I’m smart. It’s much more efficient to let the hardware carry out dynamic operations rather than forcing you and I, the network admins, to handle everything statically.

Decisions, Decisions

When a switch receives a frame, that switch will forward it, filter it, or flood it. We’ll take a look at each process right after this pop quiz, and we’ll also see each of those frame forwarding options in action.

When a frame enters a switch, what common value does the switch look at first? It makes perfect sense that the switch would look at the frame’s destination address first. After all, the only way for the switch to get the frame where it needs to go is to look at its intended destination, right? Wrong! The switch will actually look at the source MAC address before any other value.

The logical question to that answer would be: “Why does the switch even care where the frame came from?” The answer: “Because source addresses of incoming frames are how the switch builds and maintains its MAC address table.” That’s not the only reason for this behavior, but it’s the major reason, which brings up another important point.

We’ll start with four hosts and one switch, using an odd topology to illustrate one forwarding option in particular. Hosts A and B are connected to a hub, which in turn is connected to a switch. We’ll assume the switch has just been added to the network. When you first boot a switch, the MAC address table isn’t empty. There will be some entries for the CPU, and they’ll look something like this:

MLS_1#show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU

The only way the switch can learn where the hosts are is for you and I to add a bunch of static entries (clumsy, not scalable) or let the switch learn their addresses dynamically.

We’ll start our walkthrough with Host A sending a frame to Host C. The frame enters the switch on fast 0/1. The switch then looks at the source MAC address of the frame and asks itself one simple question: “Do I have an entry for this address in my MAC address table?” There’s no grey area here – the answer is either yes or no! Since we just turned the switch on, there’s no entry for Host A’s address in the MAC table, so the switch will create one.

MLS_1#show mac address-table dynamic
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    aaaa.aaaa.aaaa    DYNAMIC     Fa0/1

At long last, we get to the frame forwarding decision! Will this frame be forwarded, filtered, or flooded? That depends on the answer to the next question the switch asks itself: “Do I have an entry for this destination address in my MAC address table?” The answer is no. This is an unknown unicast frame, since the frame is a unicast (destined for one particular host), but there is no entry for cccc.cccc.cccc in the MAC table, so the switch floods the frame, sending a copy of the frame out of every single port on the switch except the port the frame rode in on.

This flooding ensures the frame will go out the port leading to the correct host, and it also guarantees the other hosts will get the frame, which is a huge waste of bandwidth, host resources, and switch resources. If this is a 64-port switch and there’s a host on every port, the switch has to send 63 copies of the frame – 62 of which are totally unnecessary! There’s nothing wrong with a little frame flooding as you add a host or switch to a network – it really can’t be avoided – but after the initial add, we’d rather not have much flooding.

Host C will now respond to Host A with a frame of its own. We know what happens when the switch receives that frame, but will there be an entry for the source MAC of that frame? There is no entry for this address in the MAC table, so the switch makes one. Our dynamic entries in that table are as follows:

MLS_1#show mac address-table dynamic
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    aaaa.aaaa.aaaa    DYNAMIC     Fa0/1
   1    cccc.cccc.cccc    DYNAMIC     Fa0/2

The switch checks for the frame’s destination address of aaaa.aaaa.aaaa in that table, and since there is one, the switch will forward the frame via Fa0/1.

The dynamic entries in the table will now start to work in our favor. If Host A responds to Host C, the switch will have an entry for Host C’s MAC address where it didn’t have one earlier. Frames flowing from Host A to Host C will now be forwarded out Fa0/2 rather than being flooded.

Let’s jump ahead to a scenario where the topology is the same and the switch has a dynamic MAC entry for each host. We have an unusual setup where Hosts A and B are connected to a hub that is in turn connected to a switch. Please note that this is not a topology you’re going to see in many production networks (if at all). I’m strictly presenting it to you to illustrate the switch’s third option for frame forwarding.

MLS_1#show mac address-table dynamic
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    aaaa.aaaa.aaaa    DYNAMIC     Fa0/1
   1    bbbb.bbbb.bbbb    DYNAMIC     Fa0/1
   1    cccc.cccc.cccc    DYNAMIC     Fa0/2
   1    dddd.dddd.dddd    DYNAMIC     Fa0/3

When Host A sends a frame to Host B, B will get a copy of it through the hub, as will the switch. This messes with the switch’s mind for just a moment. The switch checks for the source and destination addresses in its MAC address table, and sees that they’re both found off the same port! From the switch’s point of view, both of those hosts are found off port Fa0/1, and the switch then filters the frame. “Filter” is a fancy big-city way of saying “the frame is dropped”.

Let’s review those decisions and add a little broadcast / multicast discussion.

Forwarding happens when the switch has an entry for the frame’s destination MAC. Forwarded frames are sent out only via the port indicated by the MAC address table.

Filtering happens when the source and destination MAC addresses are found off the same port. Technically, filtering also occurs when a frame is not sent out of a port because the destination is a known unicast.

Flooding occurs when the switch has no entry for the frame’s destination MAC. When a frame is flooded, a copy of it is sent out of every port on the switch except the one it came in on. Unknown unicast frames are always flooded.

Frames with a destination MAC of all Fs (ffff.ffff.ffff) are called broadcast frames, and are treated in the same manner as unknown unicast frames. Broadcast frames are actually intended for all hosts, where unknown unicast frames are sent to all hosts as a side effect of the frame flooding. Multicast frames have a destination MAC in the range 0100.5e00.0000 – 0100.5e7f.ffff and are treated in the same fashion as broadcast frames.
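To make the learn-then-decide process concrete, here is a small Python model of the CAM table, added as an example and not code from the study guide. Hosts, MAC addresses and port names are constructed to mirror the walkthrough (A and B behind a hub on Fa0/1, C on Fa0/2, a third host port on Fa0/3). It goes a little beyond this page: it also applies the 300-second aging timer and the relearning of a MAC that turns up on a new port, which the next section demonstrates on the real switch, and it confines flooding to the ingress port's VLAN.

```python
"""Toy model of a switch's MAC address (CAM) table and its three forwarding
decisions. Added example, not code from the study guide; hosts, MACs and
port names are constructed to mirror the chapter's walkthrough."""
from dataclasses import dataclass

BROADCAST = "ffff.ffff.ffff"
MCAST_LOW, MCAST_HIGH = "0100.5e00.0000", "0100.5e7f.ffff"
DEFAULT_AGING = 300  # seconds; the IOS default for dynamic entries
CPU_MACS = ("0100.0ccc.cccc", "0100.0ccc.cccd")  # static CPU entries present at boot


def mac_int(mac: str) -> int:
    """Cisco dotted notation (aaaa.bbbb.cccc) to an integer for range checks."""
    return int(mac.replace(".", ""), 16)


def is_broadcast(mac: str) -> bool:
    return mac == BROADCAST


def is_multicast(mac: str) -> bool:
    return mac_int(MCAST_LOW) <= mac_int(mac) <= mac_int(MCAST_HIGH)


@dataclass
class Entry:
    port: str
    vlan: int
    last_seen: float  # time of the last frame sourced from this MAC
    static: bool = False


class Switch:
    def __init__(self, ports, aging=DEFAULT_AGING):
        self.ports = {p: 1 for p in ports}  # port -> access VLAN, VLAN 1 by default
        self.aging = aging
        self.table = {m: Entry("CPU", 0, 0.0, static=True) for m in CPU_MACS}

    def set_vlan(self, port: str, vlan: int) -> None:
        self.ports[port] = vlan

    def age(self, now: float) -> None:
        """Drop dynamic entries that have not been refreshed within the aging time."""
        for mac, e in list(self.table.items()):
            if not e.static and now - e.last_seen >= self.aging:
                del self.table[mac]

    def receive(self, in_port: str, src: str, dst: str, now: float):
        """Process one frame; returns (decision, list of egress ports)."""
        self.age(now)
        vlan = self.ports[in_port]
        # Source MAC is looked at first: learn it, or move it if it shows up on a new port.
        self.table[src] = Entry(in_port, vlan, now)
        others = [p for p, v in self.ports.items() if v == vlan and p != in_port]
        if is_broadcast(dst) or is_multicast(dst):
            return "flood", others           # intended for every host in the VLAN
        e = self.table.get(dst)
        if e is not None and e.static:
            return "cpu", []                 # frames addressed to the switch itself
        if e is None or e.vlan != vlan:
            return "flood", others           # unknown unicast
        if e.port == in_port:
            return "filter", []              # src and dst off the same port (hub case)
        return "forward", [e.port]

    def dynamic_entries(self):
        return sorted((e.vlan, m, e.port) for m, e in self.table.items() if not e.static)


def walkthrough():
    """Replays the chapter: A and B hang off a hub on Fa0/1, C is on Fa0/2."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"])
    A, B, C = "aaaa.aaaa.aaaa", "bbbb.bbbb.bbbb", "cccc.cccc.cccc"
    steps = [
        sw.receive("Fa0/1", A, C, now=0),    # C unknown: flood out Fa0/2 and Fa0/3
        sw.receive("Fa0/2", C, A, now=1),    # A is known: forward out Fa0/1 only
        sw.receive("Fa0/1", A, C, now=2),    # C is known now: forward out Fa0/2
        sw.receive("Fa0/1", B, A, now=3),    # A and B both off Fa0/1: filter (drop)
        sw.receive("Fa0/1", A, BROADCAST, now=4),            # broadcast: flood
        sw.receive("Fa0/1", A, C, now=4 + DEFAULT_AGING),    # C aged out: flood again
    ]
    # C's cable is moved to Fa0/3; one frame from C replaces the old entry, no aging needed.
    sw.receive("Fa0/3", C, A, now=5 + DEFAULT_AGING)
    return steps, sw.table[C].port
```

Running `walkthrough()` returns the six decisions in order (flood, forward, forward, filter, flood, flood) and shows C's entry now pointing at Fa0/3. The `age()` call at the top of `receive()` is what makes the fifth-to-sixth step behave like the real switch: nothing is heard from C for the full aging period, so its entry is gone and the next frame to it is flooded again.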

More About That MAC Address Table

When I was waxing poetic about dynamically learned MAC addresses, I’m sure you wondered how long those addresses stay in the table. The default aging time for dynamically learned MAC addresses is 300 seconds, and that timer is reset when a frame comes in with that particular source MAC address. In short, as long as the switch hears from a host within any five-minute period, that host’s MAC address stays in the table.

I strongly urge you to use IOS Help to check any numeric value. Time-related commands use different combinations of seconds, milliseconds, minutes, hours, and days. Data-based commands use megabits, kilobits, gigabits – you get the idea. With time-based IOS commands, be sure to use IOS Help to check the unit of time that particular command uses.

For example, if I asked you to set the MAC address aging time to 10 minutes, and you already knew that the command to change that value is mac address-table aging-time, you might be tempted to enter the following:

MLS_1(config)#mac address-table aging-time 10

Not only is that wrong, it’s really wrong. IOS Help reveals that the time unit for this command is seconds…

MLS_1(config)#mac address-table aging-time ?
  <0-0>         Enter 0 to disable aging
  <10-1000000>  Aging time in seconds
MLS_1(config)#mac address-table aging-time

… so our dynamic entries are now aging out in just 10 seconds. Let’s fix that:

MLS_1(config)#mac address-table aging-time 600

Verify with show mac address-table aging-time.

MLS_1#show mac address-table aging-time
Global Aging Time: 600

Use IOS Help, friends – that’s why it’s there! I shall now hop down from Ye Olde Soapbox and we’ll march forward!

Another factor in favor of dynamic MAC address table entries is the switch’s ability to dynamically adapt to a change in physical ports. To demo this, I’ll need to know the port ROUTER_3 is connected to. Do you know a command that will give us information about directly connected Cisco devices? Right! More about CDP later in the course.

MLS_1#show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
ROUTER_1         Fas 0/1           177        R S I       2801      Fas 0/0
ROUTER_3         Fas 0/3           136        R S I       2801      Fas 0/0

Right now, let’s use show mac address-table dynamic interface to get info about only that particular port. (When you have 48 or so dynamically learned addresses, you’ll want to use this filter.)

MLS_1#show mac address-table int fast 0/3
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  13    001f.ca96.2754    DYNAMIC     Fa0/3
Total Mac Addresses for this criterion: 1

So far, so good! But now… port Fa0/3 goes BAD. With dynamically learned addresses, all we need to do is move that cable to a port that’s working. I’ll move it to Fast 0/13 and check the full dynamic address table.

MLS_1#show mac address-table dynamic
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    001f.ca96.2754    DYNAMIC     Fa0/13

Success! ROUTER_3’s MAC address is correctly listed in the table. No aging was necessary – once the switch saw frames from ROUTER_3 come in on a new port, the entry for that address on Fa0/3 was removed.

There is one thing you have to do manually in this situation, and that’s changing the VLAN membership of that port. Earlier show commands told us that the previous port belonged to VLAN 13, and our Cisco switch ports belong to VLAN 1 by default. You likely remember how to change a port’s VLAN membership. If not, here’s a reminder, and there’s plenty of additional work with VLANs ahead!

MLS_1#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    (All ports except those in #13)
13   VLAN0013                         active    Fa0/1, Fa0/3

MLS_1(config)#int fast 0/13
MLS_1(config-if)#switchport access vlan 13

MLS_1#show mac address-table dynamic
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  13    001f.ca96.2754    DYNAMIC     Fa0/13
  13    0017.59e2.474a    DYNAMIC     Fa0/1
Total Mac Addresses for this criterion: 2

We’ve been working with the MAC address table for a while now, so it’s a good time to tell you the other name for this table. The MAC address table is also known as the Content Addressable Memory (CAM) table, and for Layer 2 switching, having “just” the CAM table is enough to get the job done. Multilayer switches have other challenges and tasks besides switching – routing, advanced security, and Quality of Service (QoS) to name just a few! For these tasks, we’ll need the help of a Ternary Content Addressable Memory (TCAM) table. While CAM table lookups use two values (no surprise, they’re 0 and 1), TCAM tables have three values – 0, 1, and “x” for “don’t care”. It’s common for multilayer switches to have multiple TCAM tables to go along with the multiple functions an MLS must handle. You’ll find more info on the TCAM in the Multilayer Switching portion of the course.

Switch Roles And The SDM

The great thing about multilayer switches is their ability to fit almost any role in your network. You may have an MLS that spends most of its time routing, while others act pretty much as L2 switches. The default allocation of switch resources may not fit the role of the switch; by default, the resources are split up pretty much evenly between routing and switching.

Wouldn’t it be great if we could allocate more system resources to routing if the MLS is primarily going to route? How about making a larger MAC address table possible for an MLS that’s primarily going to switch? Thanks to SDM, we can do just that on many Cisco switches. Some switches have default resource allocations that can’t be changed, but when they can be changed, SDM does that for us with ease! (This is not the Security Device Manager that you may have used and studied previously; this SDM is the Switching Database Manager.)

To see the currently loaded template and its allocation settings, run show sdm prefer.

MLS_1#show sdm prefer
The current template is “desktop default” template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  6K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    8K
    number of directly-connected IPv4 hosts:        6K
    number of indirect IPv4 routes:                 2K
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K

SDM uses templates to allocate system resources, and if you cringe when you hear the word “template”, you may un-cringe – these templates are already created! Let’s see the SDM templates available on my switch:

MLS_1(config)#sdm prefer ?
  Access              Access bias
  Default             Default bias
  dual-ipv4-and-ipv6  Support both IPv4 and IPv6
  routing             Unicast bias
  vlan                VLAN bias

When IOS Help says “bias”, it means business! Here’s a quick look at each template and its capabilities:

Access – If your MLS is running a whoooole lot of ACLs, this template can come in handy, as it will allocate resources to handle the maximum number of ACLs.

Default – That’s the default template, and it treats all functions more or less equally.

Dual-ipv4-and-ipv6 – Great for an MLS running dual stack (both IPv4 and v6 at the same time). This template doesn’t support everything IPv6-wise, including IPv6 multicast, so do your homework before applying this template.

Routing – Enhances the environment for IPv4 unicast routing.

VLAN – Supports the CAM table’s growth to contain the maximum number of unicast MAC addresses. Very important: This template disables hardware routing. There’s no workaround for this one.

Let’s load the VLAN template and see what happens. The first thing that’s going to happen is you and I being told we have to reload the switch for the template switch to take effect.

MLS_1(config)#sdm prefer vlan
Changes to the running SDM preferences have been stored, but cannot take effect until the next reload.
Use ‘show sdm prefer’ to see what SDM preference is currently active.

We really do have to reload the switch! I’ll do so now and run show sdm prefer after the reload.

MLS_1#show sdm prefer
The current template is “desktop vlan” template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  12K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    0
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K

Quite a difference! We now have twice the space for unicast mac addresses, but look at that tradeoff! There’s no room for IPv4 unicast routes or PBR. The SDM routing template doesn’t disable switching, but the SDM vlan template does disable routing. Something to keep in mind when using the SDM vlan template!

Let’s load the routing template and check the results.

MLS_1(config)#sdm prefer routing
Changes to the running SDM preferences have been stored, but cannot take effect until the next reload.
Use ‘show sdm prefer’ to see what SDM preference is currently active.

After the reload:

MLS_1#show sdm prefer
The current template is “desktop routing” template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  3K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    11K
    number of directly-connected IPv4 hosts:        3K
    number of indirect IPv4 routes:                 8K
  number of IPv4 policy based routing aces:         0.5K
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K

Additional resources are indeed reserved for IPv4 unicast and PBR, but we still have some room for MAC addresses. Important stuff to keep in mind!

Before we move on, just for shiggles, here’s the allocation when the access template is in use.

MLS_1#show sdm prefer
The current template is “desktop access IPv4” template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.

  number of unicast mac addresses:                  4K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    6K
    number of directly-connected IPv4 hosts:        4K
    number of indirect IPv4 routes:                 2K
  number of IPv4 policy based routing aces:         0.5K
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 2K

Just Some Reminders…

The Ethernet types and speeds we’ll see in this course:

Ethernet: 10 Mbps. Can run in half- or full-duplex mode.

FastEthernet: 100 Mbps. Most Cisco switch ports we’ll use in this course are FE ports.

Gig Ethernet: 1 Gbps (1000 Mbps). Also expressed as GbE. Wikipedia: “Half-duplex gigabit links connected through hubs are allowed by the specification, but the specification is not updated anymore and full-duplex usage with switches is used exclusively.”

10 Gig Ethernet: 10 Gbps (10,000 Mbps). Can be run on copper cables, but requires higher-grade cables (Cat 6a or Cat7). Does not support half-duplex links.

Port Speed, Duplex, And Autonegotiation

In the real world, use autonegotiation on both ends of a connection and you’re gold. With both interfaces enabled for autonegotiation, both devices will send fast link pulses (FLPs) to the other. The obvious question is: “Fast compared to what?” They’re fast compared to normal link pulses (NLPs). (Both drawings courtesy of Wikipedia; both are in the public domain.) As expected, our FLPs give more pulses in the same amount of time.

The FLP is basically a declaration of the capabilities of the sending device with regards to speed and duplex, allowing a decision as to speed and duplex that is as fast and efficient as possible without exceeding device capabilities.

The fundamental autonegotiation rules:

If both ports support different speeds, the highest common speed is preferred.

If both ports support half- and full-duplex, full-duplex is (thankfully) always preferred.

With that in mind, back to the demo… Here, ROUTER_3’s Fast 0/0 interface is connected to 0/7 on MLS_1. Not much to decide here, since the max capabilities are the same on both sides! Both involved ports end up running at FastEthernet speed, set to full-duplex.

Now, let’s discuss some things that can go wrong with autonegotiation. What happens if MLS_1 is not running autonegotiation at all? Let’s find out while hardcoding the speed and duplex settings on MLS_1.

MLS_1(config)#int fast 0/7
MLS_1(config-if)#speed ?
  10    Force 10 Mbps operation
  100   Force 100 Mbps operation
  auto  Enable AUTO speed configuration

MLS_1(config-if)#speed 10
MLS_1(config-if)#duplex ?
  auto  Enable AUTO duplex configuration
  full  Force full duplex operation
  half  Force half-duplex operation
MLS_1(config-if)#duplex full

ROUTER_3(config)#int fast 0/0
ROUTER_3(config-if)#speed auto
ROUTER_3(config-if)#duplex auto

Now we have a problem, and it’s a problem that’s not always easy to spot. With one endpoint running autonegotiation and the other end not, we end up with parallel detection. PD brings us some good news: The device running autonegotiation can detect the speed of the remote device and adjust its speed accordingly. ROUTER_3 detects the 10 Mbps speed on the remote endpoint and sets its own speed accordingly.

ROUTER_3#show int fast 0/0
FastEthernet0/0 is up, line protocol is up
  Hardware is Gt96k FE, address is 001f.ca96.2754 (bia 001f.ca96.2754)
  MTU 1500 bytes, BW 10000 Kbit/sec, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 10Mb/s, 100BaseTX/FX

Sadly, it’s not all good with PD. The router can’t assume full-duplex on that remote endpoint, so it must set its own port to the dreaded half-duplex, as ROUTER_3 will be unable to detect the remote endpoint’s duplex setting. (That’s verified by the show interface output just above.) In short, you end up with a real mess, and a totally unnecessary one at that.

ROUTER_3 is running at half-duplex, so that interface will transmit or receive, but it will not do both at the same time. MLS_1 will go at data transmission with all guns blazing, since it’s running at full-duplex. ROUTER_3 will see data coming in at the same time it’s transmitting, and will think a data collision has occurred when in reality no such collision has occurred. The physical interfaces and line protocols are still up on both devices:

MLS_1#show int fast 0/7
FastEthernet0/7 is up, line protocol is up (connected)

ROUTER_3#show int fast 0/0
FastEthernet0/0 is up, line protocol is up

These duplex mismatches can be tough to spot just by looking at the config, but our old pal CDP will let you know about ‘em in a heartbeat:

*Apr 11: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet0/0 (not full duplex), with MLS_1 FastEthernet0/7 (full duplex).

That’s about as self-explanatory as a console message can get!

Coming up next: The wonderful world of VLANs!
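The autonegotiation rules and the parallel-detection fallback described above, written out in Python as an added example (not code from the study guide). The `PortConfig` model, the `negotiate` function and the sample console line are constructed for this example; the regular expression assumes only the message format of the `%CDP-4-DUPLEX_MISMATCH` line quoted in this chapter, not IOS syslog in general.

```python
"""Speed/duplex resolution on an Ethernet link: autonegotiation on both ends
versus parallel detection when one end is hard-coded, plus a parser for the
CDP duplex-mismatch console message. Added example, not code from the study
guide; the PortConfig model and SAMPLE_CDP_LINE are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

SPEEDS = (10, 100, 1000)  # Mbps


@dataclass(frozen=True)
class PortConfig:
    max_speed: int = 100                  # hardware capability; 100 = FastEthernet port
    supports_full: bool = True
    forced_speed: Optional[int] = None    # None on both fields = speed auto / duplex auto
    forced_duplex: Optional[str] = None   # "full" or "half" when hard-coded

    @property
    def auto(self) -> bool:
        return self.forced_speed is None


@dataclass(frozen=True)
class LinkResult:
    a_speed: int
    a_duplex: str
    b_speed: int
    b_duplex: str

    @property
    def duplex_mismatch(self) -> bool:
        return self.a_duplex != self.b_duplex


def capable_speeds(p: PortConfig):
    return [s for s in SPEEDS if s <= p.max_speed]


def negotiate(a: PortConfig, b: PortConfig) -> LinkResult:
    """Return what each side of the link actually ends up running at."""
    if a.auto and b.auto:
        # Both sides send FLPs: highest common speed, full-duplex if both support it.
        speed = max(set(capable_speeds(a)) & set(capable_speeds(b)))
        duplex = "full" if a.supports_full and b.supports_full else "half"
        return LinkResult(speed, duplex, speed, duplex)
    if not a.auto and not b.auto:
        if a.forced_speed != b.forced_speed:
            raise ValueError("speed mismatch: link will not come up")
        return LinkResult(a.forced_speed, a.forced_duplex, b.forced_speed, b.forced_duplex)
    # Parallel detection: the hard-coded side runs as configured; the autonegotiating
    # side can detect the peer's speed but not its duplex, so it falls back to half.
    fixed, auto_side = (b, a) if a.auto else (a, b)
    if fixed.forced_speed not in capable_speeds(auto_side):
        raise ValueError("hard-coded speed exceeds peer capability: link will not come up")
    detected = (fixed.forced_speed, "half")
    configured = (fixed.forced_speed, fixed.forced_duplex)
    return LinkResult(*detected, *configured) if a.auto else LinkResult(*configured, *detected)


CDP_MISMATCH = re.compile(
    r"%CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on (?P<local_if>\S+) "
    r"\((?P<local_duplex>[^)]+)\), with (?P<neighbor>\S+) (?P<remote_if>\S+) "
    r"\((?P<remote_duplex>[^)]+)\)"
)

# Constructed from the console message quoted in the chapter.
SAMPLE_CDP_LINE = ("*Apr 11: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on "
                   "FastEthernet0/0 (not full duplex), with MLS_1 FastEthernet0/7 (full duplex).")


def parse_cdp_mismatch(line: str) -> Optional[dict]:
    """Pull both interfaces and their duplex settings out of a CDP mismatch log line."""
    m = CDP_MISMATCH.search(line)
    return m.groupdict() if m else None


def chapter_demo():
    """ROUTER_3 Fa0/0 stays on auto; MLS_1 Fa0/7 is first auto, then speed 10 / duplex full."""
    router = PortConfig()
    both_auto = negotiate(router, PortConfig())
    parallel = negotiate(router, PortConfig(forced_speed=10, forced_duplex="full"))
    return both_auto, parallel
```

`chapter_demo()` reproduces the two states of the demo: with both sides on auto the link settles at 100 Mbps full-duplex on each end, and once MLS_1 is hard-coded to 10/full the router detects 10 Mbps but lands on half-duplex, which `LinkResult.duplex_mismatch` flags. Feeding syslog through `parse_cdp_mismatch` is the cheap way to catch the same condition across a fleet, since the interfaces stay up/up and nothing in the running config on either box looks wrong by itself.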

Chapter 2: THE WHEN, WHERE, AND HOW OF VLANS

Even if you've just earned your CCNA, don't breeze through this section. VLANs are the core of your switching network, and they're going to be all over your SWITCH exam. We're in the exam room to score points, not give them away, and part of scoring points is mastering VLAN fundamentals.

Speaking of that, let's jump to the most fundamental of fundamentals by answering these questions: "Why don't we just use physical LANs? Why do we need virtual ones?"

One great use for VLANs is to limit the scope of our old pal, the broadcast. By default, a switch will take an incoming broadcast and send a copy of it out of every single port except the port that received the original broadcast. It's doubtful that every host connected to your switch actually needs the broadcast.

Broadcast propagation wouldn't be a huge deal in a 5-host network, but we don't run into many 5-host networks in the real world. (I pride myself on presenting as many real-world networking examples as possible in my books. Rest assured that this is not one of them.) On a switch with 24, 48, or 60+ ports, this broadcast flooding would have a negative impact on overall switch operation, and your available bandwidth would start to get sucked up by a bunch of unnecessary broadcasts.

In the following example, the switch will forward a copy of the incoming broadcast to every other host. (For clarity, cabling is not shown.) Our hosts are all in the same broadcast domain, making this a flat network topology.

We limit the overall number of broadcasts by limiting their scope, a fancy way of saying "let's only send the broadcasts where they need to go rather than just sending them everywhere." That's where VLANs come in. When you create VLANs, you're creating multiple, smaller broadcast domains, which in turn lowers the number of overall broadcasts. Broadcasts are forwarded only to hosts in the same VLAN as the original sender of the broadcast.

Cisco's best practice is to have one VLAN per IP subnet, and this is a best practice that works really well in real-world networking. Cisco also recommends that a VLAN doesn't reach beyond the distribution layer in its 3-layer switching model. (More on that in the design section of this course.)

Keep them in mind for the exam.

The method used to determine a host's VLAN membership depends on the kind of VLAN you're using. The terms "static" and "dynamic" refer to how the host is assigned VLAN membership, not to how the VLAN is actually created. Whether you're using static or dynamic VLANs, the host doesn't care about its VLAN membership. It's only important to the port to which the host is connected.

VLAN membership determination is still done by the switch. Static VLAN membership is dependent on the port the host is connected to. With dynamic VLANs, the membership depends on the host's MAC address. In this course, we'll concentrate on static VLANs.

Let's take our first look at show vlan. To be blunt, while this is an important command to know, it gives you a lot of info you really don't need to start troubleshooting or to verify your work. I prefer show vlan brief.

SW1#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID   MTU  Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ------ ---- ------ ------ -------- ---- -------- ------ ------
1    enet  100001 1500 -      -      -        -    -        0      0
1002 fddi  101002 1500 -      -      -        -    -        0      0
1003 tr    101003 1500 -      -      -        -    -        0      0
1004 fdnet 101004 1500 -      -      -        -    -        0      0
1005 trnet 101005 1500 -      -      -        ibm  -        0      0

Remote SPAN VLANs
------------------------------------------------------------------------

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------

SW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

All 12 ports on this particular switch are in the default VLAN, VLAN 1. The five VLANs shown are default VLANs and cannot be deleted. You may never use VLANs 1002 – 1005 in real-world networking. They're legacy VLANs designed for use with FDDI and Token Ring. (Never say "old" in networking, always say "legacy".)
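The show vlan brief layout is easy to misread once the Ports column wraps onto continuation lines (a point this chapter comes back to when it warns about the eye skipping a line), and that is exactly the sort of mistake that leaves a host in the wrong VLAN. The following Python is an added example (not from this guide or from Cisco IOS): it parses show vlan brief output, joins the wrapped port lists back onto their VLAN rows, and answers the same question as show vlan id from the parsed data instead of from eyeballing columns. The sample output is constructed for the example, with more VLANs than the 12-port switch above.

```python
import re

# Constructed show vlan brief output; note the wrapped Ports column on VLAN 1.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/7
                                                Fa0/11, Fa0/12
10   KANSASCITY                       active    Fa0/6
12   SUCCESS                          active    Fa0/1, Fa0/2
20   OREGON                           active    Fa0/9
35   GREENBAY                         active    Fa0/10
42   OHIOSTATE                        active    Fa0/8
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
"""

# A VLAN row starts with the VLAN ID; a continuation row is indented and holds only port names.
VLAN_ROW = re.compile(r"^(?P<id>\d+)\s+(?P<name>\S+)\s+(?P<status>\S+)\s*(?P<ports>.*)$")
PORT_NAME = r"[A-Za-z]+\d+(?:/\d+)+"
PORT_LIST = re.compile(rf"^\s+(?P<ports>{PORT_NAME}(?:,\s*{PORT_NAME})*)\s*$")


def _split_ports(field):
    return [p.strip() for p in field.split(",") if p.strip()]


def parse_show_vlan_brief(text):
    """Return {vlan_id: {'name', 'status', 'ports': [...]}} with wrapped port lists joined."""
    vlans, current = {}, None
    for line in text.splitlines():
        row = VLAN_ROW.match(line)
        if row:
            current = int(row.group("id"))
            vlans[current] = {"name": row.group("name"), "status": row.group("status"),
                              "ports": _split_ports(row.group("ports"))}
            continue
        cont = PORT_LIST.match(line)
        if cont and current is not None:
            # Indented line of ports: belongs to the VLAN row just above it.
            vlans[current]["ports"].extend(_split_ports(cont.group("ports")))
    return vlans


def port_to_vlan(vlans):
    """Invert the table to {port: vlan_id}; an access port can appear under only one VLAN."""
    mapping = {}
    for vid, info in vlans.items():
        for port in info["ports"]:
            if port in mapping:
                raise ValueError(f"{port} listed under VLAN {mapping[port]} and VLAN {vid}")
            mapping[port] = vid
    return mapping


def vlan_of(vlans, port):
    """The 'show vlan id' answer for one port, or None when the port is not an access port
    in any listed VLAN (a trunk port, for instance, never appears in this output)."""
    return port_to_vlan(vlans).get(port)
```

vlan_of() returning None is itself useful information: a port that is up but missing from show vlan brief is almost always trunking, which is the check Chapter 3 recommends.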

The show vlan brief output shows you only the port memberships, and we know what that means – a broadcast that comes in on any of these ports will be forwarded out every other port on the switch.

VLANs are always in use. I occasionally hear a network admin say "we don't use VLANs," and while that admin may not have configured VLANs, Cisco switch ports are in VLAN 1 by default. Each VLAN is its own broadcast domain, and right now, all hosts are in one single broadcast domain.

Let's practice limiting the broadcast scope, using this four-host network for a lab. To meet Cisco's best practices, we'll use the single IP subnet 10.1.1.0 /24, which is all we need to get started, and the host number will serve as the last octet in the host's IP address. Right now, any broadcast sent by any host will be received by all of our other hosts, and every host can ping every other host.

(Always test your basic connectivity before starting a lab. As your studies and career progress, you'll be surprised at how often a host-to-host communications issue comes down to a port being in a different VLAN than you thought it was!)

I've used ping to test connectivity in the lab. The ping results will look different than they would on a PC, as I'm using Cisco routers as my hosts. I'll show the ping results here only from H1 to save a little space. I know you'll take my word on the others!

HOST1#ping 10.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms

HOST1#ping 10.1.1.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

HOST1#ping 10.1.1.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/10/32 ms

Let's configure our switch to allow broadcasts sent by H1 to be forwarded only to H2 by putting them in their own little broadcast domain – that is, their own VLAN! We'll place those two hosts into the not-yet-existent VLAN 12 with switchport mode access and switchport access vlan 12. The first command puts the port into access mode, which means it can belong to one and only one VLAN. The second command defines VLAN membership. (I know I'm hitting you over the head with this. The pain will stop soon.)

SW1(config)#int fast 0/1
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access ?
  vlan  Set VLAN when interface is in access mode
SW1(config-if)#switchport access vlan ?
  <1-1005>  VLAN ID of the VLAN when this port is in access mode
  dynamic   When in access mode, this interfaces VLAN is controlled by VMPS
SW1(config-if)#switchport access vlan 12
% Access VLAN does not exist. Creating vlan 12

If you try to put ports into a non-existent VLAN, the switch will create it for you. This dynamic creation of a VLAN does NOT make this a dynamic VLAN. The terms "static" and "dynamic" refer to the method used to place hosts into a VLAN, not the method of VLAN creation. (The same two commands go on fast 0/2 for H2.)

To create a VLAN manually, use the vlan command. I'll create VLAN 20 on this switch, name it ACCOUNTING, and then we'll leave that VLAN alone for the duration of the lab.

SW1(config)#vlan 20
SW1(config-vlan)#?
VLAN configuration commands:
  are           Maximum number of All Route Explorer hops for this VLAN (or zero if none specified)
  backupcrf     Backup CRF mode of the VLAN
  bridge        Bridging characteristics of the VLAN
  exit          Apply changes, bump revision number, and exit mode
  media         Media type of the VLAN
  mtu           VLAN Maximum Transmission Unit
  name          Ascii name of the VLAN
  no            Negate a command or set its defaults
  parent        ID number of the Parent VLAN of FDDI or Token Ring type VLANs
  private-vlan  Configure a private VLAN
  remote-span   Configure as Remote SPAN VLAN
  ring          Ring number of FDDI or Token Ring type VLANs
  said          IEEE 802.10 SAID
  shutdown      Shutdown VLAN switching
  state         Operational state of the VLAN
  ste           Maximum number of Spanning Tree Explorer hops for this VLAN (or zero if none specified)
  stp           Spanning tree characteristics of the VLAN
  tb-vlan1      ID number of the first translational VLAN for this VLAN (or zero if none)
  tb-vlan2      ID number of the second translational VLAN for this VLAN (or zero if none)

The name command is the only one of these options we need to concern ourselves with.

SW1(config-vlan)#name ACCOUNTING

If you earned your CCNA with me, you know what I'm going to say. Trust your config, but verify it!

SW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12
12   VLAN0012                         active    Fa0/1, Fa0/2
20   ACCOUNTING                       active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Bingo! VLAN 20 sits empty, and VLAN 12 contains fast 0/1 and 0/2. For brevity's sake, I'll rename VLAN 12 "SUCCESS", and then we'll move on.

SW1(config)#vlan 12
SW1(config-vlan)#name SUCCESS

SW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12
12   SUCCESS                          active    Fa0/1, Fa0/2
20   ACCOUNTING                       active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Let's ping the network from H1. For the rest of this section, I'll show only the ping and the ping result.

HOST1#ping 10.1.1.2
!!!!!
HOST1#ping 10.1.1.3
.....
HOST1#ping 10.1.1.4
.....

Congratulations! Assuming all hosts are sending roughly the same number of broadcasts, you just cut broadcast traffic in your network by 66%, and all is well!

Or… IS it?

The good news is that broadcasts from H1 aren't going to H3 or H4. The bad news is that no traffic is going from H1 to H3 or H4, even though they're in the same IP subnet. Sometimes, in networking, a solution leads to another issue. Inter-VLAN traffic requires the routing layer of the OSI model to get involved. If this is strictly a Layer 2 switch, we'll need to get a router involved. If this is a Multi-Layer Switch (MLS), we could enable IP routing on the switch and then work something out. We'll look at using an MLS in this situation later in the course. For now, keep in mind that inter-VLAN traffic requires Layer 3 involvement.

Before we hit dynamic VLANs, let me give you a real-world networking tip that's saved my hash on more than one occasion. When you have one or two VLANs, the output of show vlan brief is easy to read. Once you get more VLANs, and ports spread out among them, it's easy to misread, especially when one of your company's VPs is yelling at you while you write the config. It's really easy for the eye to skip up a line as you read this output. If you read fast0/10 as belonging to VLAN 42, that's just going to make your troubleshooting harder!

SW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/7
                                                Fa0/11, Fa0/12
10   KANSASCITY                       active    Fa0/6
12   SUCCESS                          active    Fa0/1, Fa0/2
20   OREGON                           active    Fa0/9
35   GREENBAY                         active    Fa0/10
42   OHIOSTATE                        active    Fa0/8
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

To see the ports in one particular VLAN, use show vlan id followed by the VLAN number.

SW1#show vlan id 35

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
35   GREENBAY                         active    Fa0/10

Dynamic VLANs

The actual configuration of dynamic VLANs is way out of the CCNP SWITCH exam scope, but you should be familiar with the basics of the VLAN Membership Policy Server (VMPS), the core of dynamic VLAN configuration.

One of the painful things about static VLANs becomes apparent when you need to move a host from one port to another. Let's say a problem has arisen with 0/4 on our current switch, and we need to move that host to 0/5. We'd need to manually configure 0/5 for that host, and as good network admins, we'd keep up with our network housekeeping and remove the config from 0/4, as in the following. (I'll leave 0/4 as an access port.)

SW1(config)#int fast 0/4
SW1(config-if)#no switchport access vlan 12
SW1(config-if)#int fast 0/5
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 12

You're likely thinking "Hey Chris, what's the big deal?" I admit that it's not a ton of work, but the more manual configuration you do, the larger the chance of a simple misconfiguration. All you have to do is enter "21" for "12" on that 0/5 config and you have more trouble than you started with.

Wouldn't it be great if you could just detach the cable from 0/4 and plug it into 0/5, and the VLAN membership adjusted automatically? That's what VMPS brings to the table. VMPS uses the source MAC address of incoming frames to determine the VLAN membership of the port receiving those frames. When the switch sees frames coming in on 0/5 with a source MAC address that was in its MAC address table as belonging to 0/4…

…the switch will realize what's happened, and will then dynamically change the VLAN membership of 0/5 and update its MAC address table. The VMPS Server must be configured before you can dynamically assign any VLAN membership.

Some VMPS notes:

A somewhat odd default of VMPS is that PortFast is automatically enabled for a port when it receives its VLAN membership dynamically. It can then be disabled if you like. A quick reminder: PortFast allows a port to go straight from blocking mode to forwarding mode. Using this can be a big help with host DHCP issues.

Trunk ports can't receive a dynamic VLAN assignment, since by definition trunk ports already belong to all VLANs.

Port security and dynamic VLAN memberships don't play well together. Actually, they don't play together at all. You have to disable port security on a port in order for that port to get a dynamic VLAN assignment.

A Word Or Two On Voice VLANs

Cisco IP Phones have three ports. One will be connected to a switch, another to a PC, and the third is an internal connection to an Application-Specific Integrated Circuit (ASIC). As far as the PC is concerned, it is attached directly to that switch. (Yeah, I know, "duh".) As far as the direct connection to the IP phone is concerned, the PC is unaware and it doesn't care! With Cisco IP phones, there is no special config needed on the PC.

The link between the switch and the IP phone can be configured as either an 802.1q trunk or an access link. Using an access link results in voice and data traffic being carried in the same VLAN. Using a trunk gives us the advantage of creating a voice VLAN (VVID), a VLAN dedicated to carrying voice traffic. The VVID allows the highest Quality of Service available, giving the delay-sensitive voice traffic priority over normal, non-voice data streams.

The key to keeping end users happy with voice-based traffic is to deliver it without jitter. Jitter is defined by Wikipedia as "the deviation from true periodicity of a presumed signal in electronics and telecommunications, often in relation to a reference clock source." Chris Bryant defines jitter as "that really annoying continual interruption in a voice stream that makes you want to tear your own eardrums out." Whichever definition you use, it's really annoying, and it leads to time-related delivery issues with the voice traffic. The human ear will only accept 140 – 150 milliseconds of delay before it notices a problem with voice delivery.

Should the voice traffic start to be delayed, your end users begin to get annoyed, and your support center phones start to ring!

We have four options for the switch-to-phone link:

Use an access link
Use a trunk and use 802.1p
Use a trunk without tagging voice traffic
Use a trunk and specify a VVID

The question "Who's The Boss?" has stumped the great scholars and live-in housekeepers of eras past and present, but in this situation the boss is the switch, which tells the phone which of those four options will be used.

Verify with show interface switchport. The output of this command is huge, so I'll show only the VLAN information here.

SW1#show int fast 0/1 switchport
Access Mode VLAN: 100 (VLAN0100)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none

The interface is using VLAN 100 for normal data, and the native VLAN is unchanged from the default, verified by this partial output of show interface switchport. The PVID shown in the following options is the port VLAN ID, the number identifying the non-voice VLAN.

SW1(config)#int fast 0/1
SW1(config-if)#switchport voice vlan ?
  <1-4094>  Vlan for voice traffic
  dot1p     Priority tagged on PVID
  none      Don't tell telephone about voice vlan
  untagged  Untagged on PVID

The <1-4094> option creates a voice VLAN and a dot1q trunk between the switch and IP phone. As with data VLANs, if the VVID has not been previously created, the switch will create it for you.

SW1(config-if)#switchport voice vlan 10
% Voice VLAN does not exist. Creating vlan 10

SW1#show int fast 0/1 switchport
Access Mode VLAN: 100 (VLAN0100)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: 10 (VLAN0010)

Using dot1p results in the IP phone granting voice traffic high priority. The voice frames carry an 802.1Q tag whose VLAN ID is 0, so the tag carries only the priority bits and the frames themselves travel in the PVID; that's what "Priority tagged on PVID" in the help text means.

SW1(config-if)#switchport voice vlan dot1p

SW1#show int fast 0/1 switchport
Access Mode VLAN: 100 (VLAN0100)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: dot1p

Using untagged results in the phone sending voice frames with no tag at all, so they're placed into the PVID, the access VLAN (VLAN 100 here), with no separate voice VLAN and no priority marking.

SW1(config-if)#switchport voice vlan untagged

SW1#show int fast 0/1 switchport
Access Mode VLAN: 100 (VLAN0100)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: untagged

Finally, none sets the port back to its default, where a trunk is not used and the voice and non-voice traffic use the access VLAN.

SW1(config-if)#switchport voice vlan none

SW1#show int fast 0/1 switchport
Access Mode VLAN: 100 (VLAN0100)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none

A quick Portfast note to end our VVID discussion: Portfast is automatically enabled on a port when a voice VLAN is created, verified by show config and show spanning interface portfast. Here's that info for 0/2, which is using VLAN 100 for data and VLAN 11 for voice.

interface FastEthernet0/2
 switchport access vlan 100
 switchport mode access
 switchport voice vlan 11
 spanning-tree portfast

SW1#show spanning int fast 0/2 portfast
VLAN0011 enabled
VLAN0100 enabled

I didn't manually enable portfast, but there it is!

You're unlikely to find all ports in a given VLAN to be on the same switch. With that in mind, let's head to the next section!

Chapter 3: TRUNKING

It's nice and neat to have all hosts in a VLAN connected to a single switch. It's also unlikely. In the next example, we have hosts in VLANs 1 and 12 connected to separate switches. The switches are connected via two crossover cables. Trunks do not require you to use the identically numbered port on each switch (port 0/11 on each switch, for example), but in labs it's a great organizational tool.

For frames to flow flawlessly and freely between two switches, a trunk must be established. Sometimes all it takes to create a trunk is physically connecting the switches. On occasion, it takes a little fine-tuning to get the job done. It's a safe bet that your CCNP SWITCH exam will test you on both scenarios!

A trunk is a member of all VLANs by default, allowing traffic for any and all VLANs to cross the trunk (good idea). That includes broadcast traffic (not-so-good idea).

Theoretically, you need a crossover cable for a switch-to-switch connection, and that's what I'm using here. Some Cisco switch models (those with Auto-MDIX) allow you to use a straight-through cable for trunking. In any case, verify with show interface trunk.

SW2#show int trunk

Port      Mode         Encapsulation  Status        Native vlan
Fa0/11    auto         n-802.1q       trunking      12
Fa0/12    auto         n-802.1q       trunking      12

Port      Vlans allowed on trunk
Fa0/11    1-4094
Fa0/12    1-4094

Port      Vlans allowed and active in management domain
Fa0/11    1,12
Fa0/12    1,12

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/11    none
Fa0/12    1,12

From left to right, the top of that command's output shows us…

The ports attempting to trunk (if none are shown, none are trunking)
The trunking mode each port is using
The encapsulation type
The status of the trunk (either "trunking" or "not trunking")
The "native vlan"

Our trunk is up and running, so let's make sure we can ping between hosts in the same VLAN. We'll start by pinging H2 from H1 and then H4 from H3.

HOST1#ping 10.1.1.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms

HOST3#ping 10.1.1.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms

Aaaaaand it's good! Trunking is a beautiful thing, but as with everything good in networking, there's a little overhead involved. The overhead here involves frame tagging, where the frame has a VLAN ID attached by the sending switch. In turn, that VLAN ID is read by the receiving switch, and that switch knows that the VLAN ID indicates the destination VLAN. No need to tag frames traversing access ports. An access port belongs to one and only one VLAN, so there's no need for any VLAN ID info.

Know where you will not find your trunk ports? Our pal show vlan brief will not show ports that are trunking, since trunk ports are members of all VLANs. If you're looking for a specific port's VLAN membership and you don't see it here, check to see if the port is trunking.

SW2#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

The amount of overhead involved depends on whether ISL or IEEE 802.1q ("dot1q") is used as the trunking protocol. Both of these trunking protocols are point-to-point protocols, with a switch at each endpoint. So much for the similarities! Now, for the differences…

ISL is Cisco-proprietary, and only Cisco switches understand ISL. You can't use ISL in a multi-vendor switching environment. While most Cisco switches no longer support ISL, we need to be very clear on the features and drawbacks of each for our CCNP SWITCH exam. ISL will encapsulate every frame going across the trunk, placing both a header and a trailer onto the frame ("double tagging"), and the receiving switch has to remove that encapsulation. That doesn't sound like a big deal, but the cumulative effect of adding that overhead to every frame adds up to a lot of extra effort on the part of both the sender and the receiver.

Everything we do on a Cisco switch has a cost in terms of time and effort, and that includes encapsulation and de-encapsulation. Double tagging means double the workload on the switches!

There's even more to dislike regarding ISL. ISL doesn't understand the concept of the native VLAN (the default VLAN). We'll see why that's so important in just a moment. ISL adds a total overhead of 30 bytes. 26 bytes of that is in the header. The 4-byte trailer contains a Cyclic Redundancy Check (CRC) value. The CRC is a frame validity scheme that checks the frame's integrity.

Using IEEE 802.1Q ("dot1q") results in much less overhead on our frames. Dot1q places only a 4-byte tag on each frame, which includes the VLAN ID, and if the frame is destined for the native VLAN, even that tag isn't put on the frame! When the receiving switch sees a frame with no VLAN ID, that switch assumes the native VLAN is the destination VLAN. This is an excellent reason to make sure your switches agree on the native VLAN: if they don't, untagged frames that left one switch in its native VLAN are delivered into a different VLAN on the other switch.

Dot1q is the industry-standard trunking protocol, making it suitable for use in a multi-vendor switching environment. Dot1q adds only one tag, so it's often referred to as "single tagging".

A few more dot1q tidbits for you:

ISL's trailer and dot1q's tag are both 4 bytes, but they're in different locations: ISL's 4-byte trailer is just that – a trailer. Dot1q's 4-byte addition is a tag inserted into the frame itself, between the source MAC address and the Type/Length field. For this reason, you'll sometimes hear dot1q referred to as "internal tagging".

Verifying And Changing The Native VLAN

When dot1q is our trunking protocol, frames destined for the native VLAN are not tagged. That saves a little bit of overhead per frame. Those little overhead savings add up! If there is a particular VLAN responsible for a majority of traffic, as there likely is, we might want to make that the native VLAN. Now, about that native VLAN…

(VLANs 1002 – 1005 are not shown in the following lab.)

SW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/22, Fa0/23, Fa0/24, Gi0/1
                                                Gi0/2
12   ACCOUNTING                       active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21

Assume an analysis of traffic going over the trunk has revealed that most frames are destined for VLAN 12. It would make sense to make that our native VLAN. We'll use switchport trunk native vlan on both switches to make that happen. I'll use the always-handy interface range config option to change the native VLAN on both trunking ports on SW1 at one time, and I'll use IOS Help to illustrate the options (or lack of) with this command, followed by the error messages you can expect to see after you change the native VLAN on one switch and before you change it on the other switch.

SW1(config)#int range fast 0/11 - 12
SW1(config-if-range)#switchport trunk ?
  allowed  Set allowed VLAN characteristics when interface is in trunking mode
  native   Set trunking native characteristics when interface is in trunking mode
  pruning  Set pruning VLAN characteristics when interface is in trunking mode
SW1(config-if-range)#switchport trunk native ?
  vlan  Set native VLAN when interface is in trunking mode
SW1(config-if-range)#switchport trunk native vlan ?
  <1-1005>  VLAN ID of the native VLAN when this port is in trunking mode
SW1(config-if-range)#switchport trunk native vlan 12 ?
  <cr>
SW1(config-if-range)#switchport trunk native vlan 12
08:14:55: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on FastEthernet0/12 VLAN12.
08:14:55: %SPANTREE-2-BLOCK_PVID_PEER: Blocking FastEthernet0/12 on VLAN0001. Inconsistent peer vlan.
08:14:55: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet0/12 on VLAN0012. Inconsistent local vlan.
08:14:55: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on FastEthernet0/11 VLAN12.
08:14:55: %SPANTREE-2-BLOCK_PVID_PEER: Blocking FastEthernet0/11 on VLAN0001. Inconsistent peer vlan.
08:14:55: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet0/11 on VLAN0012. Inconsistent local vlan.

It can panic even the calmest network admin when six error messages come up at once, along with all the talk of blocking ports! Those blocks are spanning tree doing you a favor: while the two ends disagree on the native VLAN, untagged frames from VLAN 12 on SW1 would arrive in VLAN 1 on SW2, so it blocks the inconsistent VLANs on those ports until the ends agree. No worries, just finish your config and all will be well. I'll finish the config here on SW2 and then hop back to SW1.

SW2(config)#int range fast 0/11 - 12
SW2(config-if-range)#switchport trunk native vlan 12

After completing that config, I received this stack of messages on SW1:

SW1#
08:15:26: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet0/12 on VLAN0001. Port consistency restored.
08:15:26: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet0/12 on VLAN0012. Port consistency restored.
08:15:26: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet0/11 on VLAN0001. Port consistency restored.
08:15:26: %SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet0/11 on VLAN0012. Port consistency restored.
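The "no tag means native VLAN" rule is the whole reason those PVID messages exist, and it is the same rule behind two of the voice VLAN options in Chapter 2 (dot1p sends voice frames tagged with VLAN ID 0, untagged sends them with no tag, and both land in the PVID). The following Python is an added example, not from this guide or from any Cisco code: it builds and parses 802.1Q-tagged Ethernet frames, applies the receiving trunk port's rule (no tag or VID 0: assume the native VLAN; otherwise use the VID), measures the 4-byte tag overhead, and then walks one frame across a trunk whose two ends disagree on the native VLAN. The MAC addresses and payload are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that announces a 4-byte 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

# Constructed addresses and payload for the examples below.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0200c0ffee01")
PAYLOAD = b"\x45" + b"\x00" * 19


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Sender side: insert a 4-byte tag (TPID + TCI) between source MAC and EtherType,
    or send untagged when vid is None. TCI = 3-bit PCP, 1-bit DEI, 12-bit VID."""
    header = dst + src
    if vid is not None:
        tci = (pcp & 0x7) << 13 | (vid & 0x0FFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Receiver side: split dst, src, the optional tag and the payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "tagged": False, "pcp": None, "dei": None,
                "vid": None, "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci = struct.unpack("!H", frame[14:16])[0]
    return {"dst": dst, "src": src, "tagged": True, "pcp": tci >> 13, "dei": (tci >> 12) & 1,
            "vid": tci & 0x0FFF, "ethertype": struct.unpack("!H", frame[16:18])[0],
            "payload": frame[18:]}


def classify_vlan(parsed, native_vlan):
    """Which VLAN a dot1q trunk port assigns an arriving frame to.
    No tag -> native VLAN. VID 0 is 'priority tagged' (the dot1p voice option): the tag
    carries only a PCP, so the frame also lands in the native VLAN. Otherwise the VID decides."""
    if not parsed["tagged"] or parsed["vid"] == 0:
        return native_vlan
    return parsed["vid"]


def sender_tags(vid, native_vlan):
    """A dot1q trunk sends native-VLAN frames untagged and tags everything else."""
    return None if vid == native_vlan else vid


def forward_over_trunk(vid, sender_native, receiver_native):
    """One frame from VLAN `vid` crossing a trunk; returns the VLAN the receiver puts it in.
    With mismatched native VLANs, native-VLAN traffic silently changes VLAN on the way."""
    wire = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD, vid=sender_tags(vid, sender_native))
    return classify_vlan(parse_frame(wire), receiver_native)


def tag_overhead_bytes():
    """The dot1q cost per tagged frame: 4 bytes, versus 30 for ISL's header plus trailer."""
    tagged = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD, vid=12)
    untagged = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD)
    return len(tagged) - len(untagged)
```

forward_over_trunk(12, 12, 1) is the mismatch that the PVID messages above warned about: SW1 sends VLAN 12 frames untagged because 12 is its native VLAN, and SW2, still believing the native VLAN is 1, files them under VLAN 1. Tagged VLANs are unaffected, which is why only VLAN 1 and VLAN 12 were blocked.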

With both switches agreeing on the native VLAN, all looks well, but verify with show interface trunk.

SW2#show int trunk

Port      Mode         Encapsulation  Status        Native vlan
Fa0/11    auto         n-802.1q       trunking      12
Fa0/12    auto         n-802.1q       trunking      12

Should Trunking Negotiate?

For this section, I've erased the previous switch configs and reloaded both switches, so they're now both running at their defaults. We'll again concentrate on the top of the output of show interface trunk, shown here on both switches.

SW1#show int trunk

Port      Mode         Encapsulation  Status        Native vlan
Fa0/11    desirable    802.1q         trunking      1
Fa0/12    desirable    802.1q         trunking      1

SW2#show int trunk

Port      Mode         Encapsulation  Status        Native vlan
Fa0/11    auto         n-802.1q       trunking      1
Fa0/12    auto         n-802.1q       trunking      1

Note the default trunk modes are different. "Desirable" used to be the default for all Cisco switches, but that's no longer the case. Here's a review of the trunking modes:

Trunk mode is unconditional trunking. If the remote port is running trunk, desirable, or auto mode, a trunk will form.

Dynamic desirable (shown as "desirable") means that the port is actively attempting to form a trunk with the port at the remote end of the point-to-point connection. A trunk forms if the remote port is in trunk, desirable, or auto mode.

Dynamic auto (shown as "auto") is the wallflower of trunking modes. A port in auto mode will not initiate a trunk, but if the remote port initiates trunking, the auto port will accept that. In other words, the remote port has to ask a port in auto mode to trunk. Two auto ports facing each other will never trunk.

Did you notice the n- in front of the encapsulation type on SW2? That means the encapsulation type was negotiated rather than manually configured. Oddly enough, SW1 doesn't show the encap type as negotiated. Here's why…

If your switch is capable of running both ISL and dot1q, as SW2 is, you can configure the encap type with switchport trunk encapsulation. I'm not going to change the setting here – I just want to show you the options on this particular switch, which can run either ISL or dot1q. If the encap type is configured and you want the port to negotiate instead, use this command with the negotiate option.

SW2(config)#int fast 0/11
SW2(config-if)#switchport trunk encapsulation ?
  dot1q      Interface uses only 802.1q trunking encapsulation when trunking
  isl        Interface uses only ISL trunking encapsulation when trunking
  negotiate  Device will negotiate trunking encapsulation with peer on interface

  isl        Interface uses only ISL trunking encapsulation when trunking
  negotiate  Device will negotiate trunking encapsulation with peer on interface

That's all fine, but what does that have to do with the "n-" not being on SW1? Some Cisco switches only support dot1q, including 2950 switches. The encapsulation option won't even be available, as shown on this Cisco 2950!

SW1(config-if)#switchport trunk ?
  allowed  Set allowed VLAN characteristics when interface is in trunking mode
  native   Set trunking native characteristics when interface is in trunking mode
  pruning  Set pruning VLAN characteristics when interface is in trunking mode

SW1(config-if)#switchport trunk encapsulation
                                ^
% Invalid input detected at '^' marker.

To DTP Or Not To DTP

The Dynamic Trunking Protocol (DTP) handles the actual trunk negotiation workload. When this Cisco-proprietary point-to-point protocol is in action, it attempts to negotiate a trunk with the remote port. As with everything in networking, DTP comes with a cost. A port running DTP will send DTP frames out every 30 seconds. When a port is configured as an unconditional trunk port, there's no need for that same port to send DTP frames. Also, if there's a device on the other end of the p-t-p connection that literally can't trunk (a firewall, for example), why have the DTP overhead?

Leaving DTP running on ports that aren't actually trunking is a BIG security risk. Leaving DTP on such ports makes it easier for an intruder to introduce a rogue switch to our network. (A rogue switch looks like a legit part of the network, but it's under the intruder's control.) It's generally recommended that all ports have DTP disabled, and trunking mode be set to unconditional trunking. We'll do just that in our next lab.

We'll disable DTP at the interface level with switchport nonegotiate. If the ports are not in unconditional trunking mode, the IOS will not recognize this command, as the switch is kind enough to tell us! The conflict is with the ports' dynamic mode, not with disabling DTP: they must be configured as unconditional trunks before using switchport nonegotiate.

SW1(config)#interface range fast 0/11 - 12
SW1(config-if-range)#switchport nonegotiate
Command rejected: Conflict between 'nonegotiate' and 'dynamic' status.
Command rejected: Conflict between 'nonegotiate' and 'dynamic' status.

We had the same command rejected twice since that's how many ports we had in our interface range. (You'll get slightly different messages from the IOS in this situation depending on the switch model and IOS version.) We had no issue moving the interfaces from desirable to trunk mode, and once that's done the switch accepts switchport nonegotiate.

SW1(config-if-range)#switchport mode trunk
SW1(config-if-range)#switchport nonegotiate

Verify DTP settings with show interface switchport. I highly recommend that you use the pipe option to skip to the interface you want, because this is one verbose command when left on its own! There's some handy info in this output, and we're most interested in the "Negotiation Of Trunking" setting, which is now off.

SW1#show interface switchport | begin Fa0/11
Name: Fa0/11
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 12 (VLAN0012)

SW1#show interface switchport | begin Fa0/12
Name: Fa0/12
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

While we're here, let's verify the trunks on SW1. The mode has changed to "on", indicating that the port is in unconditional trunking mode.

SW1#show int trunk
Port      Mode       Encapsulation  Status    Native vlan
Fa0/11    on         802.1q         trunking  1
Fa0/12    on         802.1q         trunking  1

Let's head to SW2 and repeat the process.

SW2(config)#int range fast 0/11 - 12
SW2(config-if-range)#switchport mode trunk
Command rejected: An interface whose trunk encapsulation is "Auto" cannot be configured to "trunk" mode.
% Range command terminated because it failed on FastEthernet0/11
SW2(config-if-range)#

This particular switch IOS rejected the command once and then terminated the range command. No big deal, but I just want to point out why we only received one rejection when two ports are in the range.

There's a good reason you can't go straight from auto to trunk mode. As we saw earlier, SW2 is capable of both ISL and dot1q encapsulation. We need to define which encapsulation protocol the port is going to use, since negotiation is no longer involved, and then we can go from auto to trunk.

SW2(config-if-range)#switchport trunk encapsulation ?
  dot1q      Interface uses only 802.1q trunking encapsulation when trunking
  isl        Interface uses only ISL trunking encapsulation when trunking
  negotiate  Device will negotiate trunking encapsulation with peer on interface

SW2(config-if-range)#switchport trunk encapsulation dot1q
SW2(config-if-range)#switchport mode trunk
SW2(config-if-range)#switchport nonegotiate

Verify the trunk mode with show interface trunk and then verify DTP has been disabled with show interface switchport. The mode for 0/11 is now "on", and port 0/11 no longer has the "n-" in front of the encap type, which indicates that the port is unconditionally trunking.

SW2#show int trunk
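As an added example (my own script, not part of the study guide), here is the verification step above done in code: it parses the per-port blocks of show interface switchport and the top table of show interface trunk and reports every port still running DTP, the condition the text recommends removing with switchport mode trunk plus switchport nonegotiate (or switchport mode access on non-trunks). The port states in the sample output are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the shape of 'show interface switchport' (three ports).
SWITCHPORT_SAMPLE = """\
Name: Fa0/11
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

Name: Fa0/12
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

Name: Fa0/3
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 12 (ACCOUNTING)
Trunking Native Mode VLAN: 1 (default)
"""

# Constructed sample of the top table of 'show interface trunk'.
TRUNK_SAMPLE = """\
Port        Mode             Encapsulation  Status        Native vlan
Fa0/11      on               802.1q         trunking      1
Fa0/12      auto             n-802.1q       trunking      1
"""


@dataclass
class Port:
    name: str
    admin_mode: str
    oper_mode: str
    negotiation: str  # "On" or "Off", straight from 'Negotiation of Trunking'


def _to_port(fields: dict) -> Port:
    return Port(
        name=fields["Name"],
        admin_mode=fields.get("Administrative Mode", "?"),
        oper_mode=fields.get("Operational Mode", "?"),
        negotiation=fields.get("Negotiation of Trunking", "?"),
    )


def parse_switchport(text: str) -> List[Port]:
    """Turn the per-port blocks of 'show interface switchport' into Port objects."""
    ports, fields = [], {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue                      # blank line: no 'key: value' here
        key, value = key.strip(), value.strip()
        if key == "Name" and fields:      # next block starts: flush the previous one
            ports.append(_to_port(fields))
            fields = {}
        fields[key] = value
    if fields:
        ports.append(_to_port(fields))
    return ports


def audit_dtp(ports: List[Port]) -> List[Tuple[str, str, str]]:
    """Return (port, reason, fix) for every port that still has DTP negotiation on."""
    findings = []
    for p in ports:
        if p.negotiation.lower() != "on":
            continue                      # DTP already off: nothing to do
        if p.oper_mode == "trunk":
            reason = f"trunk was negotiated from '{p.admin_mode}'; DTP frames still sent"
            fix = "switchport mode trunk + switchport nonegotiate"
        else:
            reason = f"'{p.admin_mode}' port is not trunking but would still negotiate one"
            fix = "switchport mode access"
        findings.append((p.name, reason, fix))
    return findings


def negotiated_trunks(trunk_table: str) -> List[str]:
    """Ports in 'show interface trunk' whose trunk came from DTP (auto/desirable or n- encap)."""
    found = []
    for line in trunk_table.splitlines()[1:]:   # skip the column header
        cols = line.split()
        if len(cols) < 5:
            continue
        port, mode, encap = cols[0], cols[1], cols[2]
        if mode in ("auto", "desirable") or encap.startswith("n-"):
            found.append(port)
    return found


if __name__ == "__main__":
    for port, reason, fix in audit_dtp(parse_switchport(SWITCHPORT_SAMPLE)):
        print(f"{port}: {reason} -> {fix}")
    print("negotiated trunks:", negotiated_trunks(TRUNK_SAMPLE))
```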

Port      Mode       Encapsulation  Status    Native vlan
Fa0/11    on         802.1q         trunking  1
Fa0/12    on         802.1q         trunking  1

SW2#show interface switchport | begin Fa0/11
Name: Fa0/11
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off

Name: Fa0/12
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off

For our next lab, I've erased the config on both switches and set them back to their default trunk settings. After a reload, here's the full output of show interface trunk on SW2.

SW2#show int trunk
Port      Mode       Encapsulation  Status    Native vlan
Fa0/11    auto       n-802.1q       trunking  1
Fa0/12    auto       n-802.1q       trunking  1

Port      Vlans allowed on trunk
Fa0/11    1-4094
Fa0/12    1-4094

To see trunk settings for a particular port, even one that isn't showing up in show interface trunk, run show interface (interface type and number) trunk. That's where you'll see the trunk mode actually set to off.

There's an oddity in the switchport mode options:

SW2(config-if)#switchport mode ?
  access        Set trunking mode to ACCESS unconditionally
  dot1q-tunnel  set trunking mode to TUNNEL unconditionally
  dynamic       Set trunking mode to dynamically negotiate access or trunk mode
  private-vlan  Set private-vlan mode
  trunk         Set trunking mode to TRUNK unconditionally

We have an option for "off", but not for "on". Setting a port to access mode turns trunking off. When I change 0/11's mode to access, the trunk is immediately lost.

SW2(config)#int fast 0/11
SW2(config-if)#switchport mode access

SW2#show int trunk
Port      Mode       Encapsulation  Status    Native vlan
Fa0/12    on         802.1q         trunking  1

SW2#show interface fast 0/11 trunk
Port      Mode       Encapsulation  Status        Native vlan
Fa0/11    off        802.1q         not-trunking  12

Port      Vlans allowed and active in management domain
Fa0/11    1
Fa0/12    1

Port      Vlans in spanning tree forwarding state and not pruned
Fa0/11    none
Fa0/12    1

Filtering The VLANs Allowed To Use The Trunk

When I first saw "VLANs allowed on trunk", I immediately wondered why you would want to disable some VLANs on a trunk. Here's one great reason: the broadcast rears its ugly head yet again! There are no hosts on SW2 in VLAN 100 or 200, but since trunk ports belong to all VLANs, broadcast traffic for all VLANs will be sent from SW1 to SW2 (and vice versa). We can eliminate unnecessary broadcasts by not allowing traffic for VLANs 100 and 200 to go from SW1 to SW2.

We filter the list of VLANs allowed to send traffic across the trunk with switchport trunk allowed. The command and the options in all their splendor:

SW1(config-if)#switchport trunk allowed vlan ?
  WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
  add     add VLANs to the current list
  all     all VLANs
  except  all VLANs except the following
  none    no VLANs
  remove  remove VLANs from the current list

The except option is excellent when you need to exclude just one or a few VLANs. I'll use it here to exclude VLANs 100 and 200 on both 0/11 and 0/12.

SW1(config)#interface range fast 0/11 - 12
SW1(config-if-range)#switchport trunk allowed vlan except 100,200

Verify with show interface trunk. As expected, VLANs 100 and 200 are no longer allowed on the trunk.

SW1#show int trunk
Port      Mode       Encapsulation  Status    Native vlan
Fa0/11    auto       n-802.1q       trunking  1
Fa0/12    auto       n-802.1q       trunking  1

Port      Vlans allowed on trunk
Fa0/11    1-99,101-199,201-4094
Fa0/12    1-99,101-199,201-4094

I'll use the add option to add VLAN 100 back to the allowed list.

SW1(config)#int range fast 0/11 - 12
SW1(config-if-range)#switchport trunk allowed vlan add 100

SW1#show int trunk
Port      Mode       Encapsulation  Status    Native vlan
Fa0/11    auto       n-802.1q       trunking  1
Fa0/12    auto       n-802.1q       trunking  1

Port      Vlans allowed on trunk
Fa0/11    1-199,201-4094
Fa0/12    1-199,201-4094

We just got word from our bosses that VLAN 100 should be on the disallowed list, so let's put it there with the remove option.

SW1(config)#int range fast 0/11 - 12
SW1(config-if-range)#switchport trunk allowed vlan remove 100

SW1#show int trunk
Port      Mode       Encapsulation  Status    Native vlan
Fa0/11    auto       n-802.1q       trunking  1
Fa0/12    auto       n-802.1q       trunking  1

Port      Vlans allowed on trunk
Fa0/11    1-99,101-199,201-4094
Fa0/12    1-99,101-199,201-4094

You'll usually have more than one combination of these commands that will filter the VLANs on the allowed list the way you want them filtered. There's no "right" or "wrong" way to get the job done, as long as you filter only the VLANs you want filtered.

We can quickly reinstate all VLANs on the trunk with the all option, and we're right back to where we began!

SW1(config)#int range fast 0/11 - 12
SW1(config-if-range)#switchport trunk allowed vlan all

SW1#show int trunk
Port      Mode       Encapsulation  Status    Native vlan
Fa0/11    auto       n-802.1q       trunking  1
Fa0/12    auto       n-802.1q       trunking  1

Port      Vlans allowed on trunk
Fa0/11    1-4094
Fa0/12    1-4094

If I wanted to remove all VLANs from the allowed list, I'd use the none option.

SW1(config)#int range fast 0/11 - 12
SW1(config-if-range)#switchport trunk allowed vlan none

SW1#show int trunk
Port      Mode       Encapsulation  Status    Native vlan
Fa0/11    auto       n-802.1q       trunking  1
Fa0/12    auto       n-802.1q       trunking  1

Port      Vlans allowed on trunk
Fa0/11    none
Fa0/12    none

What happens to traffic destined for a given VLAN when that same VLAN has already been removed from the allowed list? Let's find out! I've placed H1 and H4 into VLAN 14, changing nothing else, and pings go through just fine.
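An added Python model (my own, not the book's code) of how IOS derives the "Vlans allowed on trunk" column from the add, remove, except, all and none options, printed in the same compressed range notation show interface trunk uses. The VLAN numbers replay the sequence of this lab; TrunkPort and its methods are hypothetical helpers, not an IOS API.

```python
from typing import Optional, Set

MAX_VLAN = 4094
ALL_VLANS = frozenset(range(1, MAX_VLAN + 1))   # the IOS default allowed list: 1-4094


def parse_vlan_list(spec: str) -> Set[int]:
    """'1-99,101,200-4094' -> set of VLAN IDs (the keyword 'none' -> empty set)."""
    if spec.strip().lower() == "none":
        return set()
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not 1 <= lo_i <= hi_i <= MAX_VLAN:
            raise ValueError(f"bad VLAN range {part!r}")
        vlans.update(range(lo_i, hi_i + 1))
    return vlans


def format_vlan_list(vlans) -> str:
    """set of VLAN IDs -> '1-99,101-199,201-4094', as show interface trunk prints it."""
    if not vlans:
        return "none"
    ids = sorted(vlans)
    ranges = []
    start = prev = ids[0]
    for v in ids[1:]:
        if v == prev + 1:          # still contiguous: extend the current range
            prev = v
            continue
        ranges.append((start, prev))
        start = prev = v
    ranges.append((start, prev))
    return ",".join(f"{a}-{b}" if a != b else str(a) for a, b in ranges)


class TrunkPort:
    """Allowed-VLAN state of one trunk port (hypothetical helper for this example)."""

    def __init__(self) -> None:
        self.allowed: Set[int] = set(ALL_VLANS)

    def allowed_vlan(self, option: str, spec: Optional[str] = None) -> str:
        """Apply 'switchport trunk allowed vlan <option> [list]'; return the new column."""
        if option == "all":
            self.allowed = set(ALL_VLANS)
        elif option == "none":
            self.allowed = set()
        elif option == "add":
            self.allowed |= parse_vlan_list(spec)
        elif option == "remove":
            self.allowed -= parse_vlan_list(spec)
        elif option == "except":
            self.allowed = set(ALL_VLANS) - parse_vlan_list(spec)
        else:
            self.allowed = parse_vlan_list(option)   # the WORD form replaces the whole list
        return format_vlan_list(self.allowed)

    def carries(self, vlan: int) -> bool:
        """Would a frame tagged with this VLAN cross the trunk? (allowed list only; STP and pruning ignored)"""
        return vlan in self.allowed


if __name__ == "__main__":
    fa0_11 = TrunkPort()
    steps = [("except", "100,200"), ("add", "100"), ("remove", "100"), ("all", None), ("none", None)]
    for option, spec in steps:
        cmd = f"switchport trunk allowed vlan {option} {spec or ''}".rstrip()
        print(f"{cmd:45} -> {fa0_11.allowed_vlan(option, spec)}")
```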

HOST1#ping 10.1.1.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms

HOST4#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

Let's see what happens when VLAN 14 is removed from the allowed list on both of SW1's trunk ports.

SW1(config)#int range fast 0/11 - 12
SW1(config-if-range)#switchport trunk allowed vlan except 14

SW1#show int trunk
Port      Mode       Encapsulation  Status    Native vlan
Fa0/11    desirable  802.1q         trunking  1
Fa0/12    desirable  802.1q         trunking  1

Port      Vlans allowed on trunk
Fa0/11    1-13,15-4094
Fa0/12    1-13,15-4094

Before sending the pings, I'll run debug ip packet on both hosts.

HOST1#ping 10.1.1.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.4, timeout is 2 seconds:
1d01h: IP: s=10.1.1.1 (local), d=10.1.1.4 (Ethernet0), len 100, sending.
1d01h: IP: s=10.1.1.1 (local), d=10.1.1.4 (Ethernet0), len 100, sending.
1d01h: IP: s=10.1.1.1 (local), d=10.1.1.4 (Ethernet0), len 100, sending.
1d01h: IP: s=10.1.1.1 (local), d=10.1.1.4 (Ethernet0), len 100, sending.
1d01h: IP: s=10.1.1.1 (local), d=10.1.1.4 (Ethernet0), len 100, sending.
Success rate is 0 percent (0/5)

HOST1#undebug all
All possible debugging has been turned off

HOST4#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
1d01h: IP: s=10.1.1.4 (local), d=10.1.1.1 (Ethernet0), len 100, sending.
1d01h: IP: s=10.1.1.4 (local), d=10.1.1.1 (Ethernet0), len 100, sending.
1d01h: IP: s=10.1.1.4 (local), d=10.1.1.1 (Ethernet0), len 100, sending.
1d01h: IP: s=10.1.1.4 (local), d=10.1.1.1 (Ethernet0), len 100, sending.
1d01h: IP: s=10.1.1.4 (local), d=10.1.1.1 (Ethernet0), len 100, sending.
Success rate is 0 percent (0/5)

HOST4#undebug all
All possible debugging has been turned off

The pings are leaving the hosts, but they're failing. We know why, since we caused the problem as part of the lab. This is an excellent reminder that when pings fail, it may not be the fault of the sender or intended recipient. It may very well be a device in the middle. A switch, perhaps! Adding VLAN 14 back to the allowed list resolves the issue.

SW1(config)#int range fast 0/11 - 12
SW1(config-if-range)#switchport trunk allowed vlan add 14

SW1#show int trunk

Port      Mode       Encapsulation  Status    Native vlan
Fa0/11    desirable  802.1q         trunking  1
Fa0/12    desirable  802.1q         trunking  1

Port      Vlans allowed on trunk
Fa0/11    1-4094
Fa0/12    1-4094

HOST4#ping 10.1.1.1
!!!!!

HOST1#ping 10.1.1.4
!!!!!

With VLANs and trunking down, we need to spread the word throughout the network about the VLANs we create. That's what the VLAN Trunking Protocol is all about, and that's the subject of the next chapter!

Chapter 4: THE VLAN TRUNKING PROTOCOL (VTP)

VTP allows each switch to have a synchronized view of the network's active VLANs without necessarily having ports in every VLAN. VTP deals exclusively with trunking, and we'll do the same! We'll start this section with our two-switch network and won't even worry about the connected hosts. Both switches are at their default settings, and any config from previous chapters or labs has been removed.

I'll create VLAN 100 on SW1 and then run show vlan brief for both switches. (I've removed VLANs 1002 – 1005 from the output of show vlan brief and will do so throughout this section.)

SW1#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10

                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gi0/1, Gi0/2
100  VLAN0100                         active

SW2#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2

Right now, SW2's ignorance of VLAN 100 isn't hurting anything, but as our little network grows just a bit larger, it does become a problem.

The only way for the two hosts in VLAN 100 to communicate is through SW2, and since SW2 doesn't know VLAN 100 exists, that communication can't happen. SW2 doesn't know how to handle incoming frames marked with VLAN ID 100, so they're dropped. SW2 can only learn about VLAN 100 if we manually create that same VLAN on SW2 or place a port on SW2 into VLAN 100.

You and I, the network admins, could certainly create VLAN 100 manually on SW2. That would work well in a 3-switch network, but what about a 300-switch network? Statically creating VLANs simply isn't a scalable solution. Of course, the more manual configuration you have, the more time it takes and the larger the chances of misconfiguration.

When we place all three of these switches into the same VTP management domain (generally referred to as a "VTP domain"), they'll exchange information about the VLANs they know about, and all three switches will have a like view of the VLANs on the network. Our hosts in VLAN 100 can then communicate with no manual VLAN creation necessary on SW2. Better yet, as VLANs are created and deleted, these switches will be happy to let their neighbors in the same VTP domain know about these changes via VTP advertisements.

The key phrase: "in the same VTP domain". Switches in one VTP domain will not exchange VLAN info with switches in another VTP domain.

Let's step back to the two-switch network and put both switches into the VTP domain CCNP. Before doing so, let's run show vtp status on both.

SW1#show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 64
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled

SW2#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0017.9466.f780
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
--------------
VTP Operating Mode              : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
Configuration Revision          : 0

The VTP Domain Name field is blank, which simply means that the switches haven't joined a VTP domain…yet! After placing SW1 into that VTP domain, that event triggers a VTP advertisement to SW2. That VTP ad contains info about the VTP domain, and SW2 will then join that domain as a VTP Server.

SW1(config)#vtp domain CCNP
Changing VTP domain name from NULL to CCNP

SW1#show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 64
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 : CCNP
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled

SW2#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 : CCNP
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0017.9466.f780
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
--------------
VTP Operating Mode              : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
Configuration Revision          : 0

Should you put SW1 into the domain CCNP and SW2 into the domain ccnp …

SW2(config)#vtp domain ccnp
Changing VTP domain name from CCNP to ccnp

*Mar  1 00:29:00.896: %SW_VLAN-6-VTP_DOMAIN_NAME_CHG: VTP domain name changed to ccnp.
*Mar  1 00:29:02.020: %DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Fa0/11 because of VTP domain mismatch.
*Mar  1 00:29:02.078: %DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Fa0/12 because of VTP domain mismatch.

… you end up with a mess. Moral of the story: VTP domain names are case-sensitive!

After switching (no pun intended – happy accident!) SW2 back to the VTP domain CCNP, we get the lay of the land via show vtp status. The output will be slightly different on each switch, but the most important VTP values are in each. We'll follow this output by discussing the VTP Operating Mode info for each switch.

SW1#show vtp status
VTP Version                     : 2
Configuration Revision          : 2
Maximum VLANs supported locally : 64
Number of existing VLANs        : 7
VTP Operating Mode              : Server
VTP Domain Name                 : CCNP
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x87 0xA7 0x10 0x69 0x58 0xA8 0x12 0x72
                                  0x5D 0x74 0x8A 0xED 0x1F 0xE1 0x67 0xE2
Configuration last modified by 0.0.0.0 at 3-1-93 00:30:42

SW2#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 : CCNP
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0017.9466.f780
Configuration last modified by 0.0.0.0 at 3-1-93 00:30:42
Local updater ID is 0.0.0.0 (no valid interface found)

Feature VLAN:
--------------
VTP Operating Mode              : Server
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 7
Configuration Revision          : 2
MD5 digest                      : 0x87 0xA7 0x10 0x69 0x58 0xA8 0x12 0x72
                                  0x5D 0x74 0x8A 0xED 0x1F 0xE1 0x67 0xE2

The VTP Modes

The default VTP operating mode is server, with the options illustrated by vtp mode ?. There are times that IOS Help gives us wonderful descriptions for our options. This is not one of those times.

SW2(config)#vtp mode ?
  client       Set the device to client mode.
  off          Set the device to off mode.
  server       Set the device to server mode.
  transparent  Set the device to transparent mode.

IOS Help pretty much tells us what we already know, and I have a feeling we need to know a little more about each mode!

In VTP server mode, a switch can create, delete, and modify VLANs. By "modify", we mean "change the name of the VLAN". We do NOT mean "add ports to a VLAN", which can be done in server, client, and transparent modes. We must have at least one switch in any given VTP domain running in server mode, or we couldn't create new VLANs or delete previously existing ones.

As you'd expect, VTP servers originate VTP advertisements, and accept advertisements from other VTP servers and clients in the same domain.

Switches running in VTP client mode cannot create, modify, or delete VLANs. VTP Clients do not originate VTP ads, but will pass them across their trunks. Clients listen for VTP advertisements and update their databases appropriately when those ads arrive. Let's see what happens after I make SW2 a VTP client and then try to create a VLAN on that same switch – or more accurately, what doesn't happen.

SW2(config)#vtp mode client
Setting device to VTP Client mode for VLANS.
SW2(config)#vlan 100
VTP VLAN configuration not allowed when device is in CLIENT mode.

'Nuff said!

Switches in VTP transparent mode aren't fully participating in the VTP domain. They don't even advertise their own VLAN information! VLANs created on a transparent VTP switch will not be advertised to other VTP speakers in the same domain, making them locally significant only. VTP transparent switches do not synch their VTP databases with other VTP speakers in the same domain. When a transparent switch receives VTP advertisements, it will ignore the ads but forward them out its other trunks.

Another major difference between the modes is how they handle VTP advertisements. VTP Transparent switches take a slightly more complicated approach. If the Transparent switch is running VTP v2, that switch will forward VTP advertisements via its trunk ports even if the domain name of the downstream switches doesn't match. If a Transparent switch is running VTP v1, the switch will only forward incoming VTP ads if the VTP version number and domain name are the same as those of the switches that would receive the forwarded advertisement. (Hang in there with me on this one.)

The fourth mode, "off", disables VTP on the switch, and the switch will not forward VTP advertisements. (This mode was one of the improvements that came along with VTP v3, and isn't available on previous versions.)

We must have at least one VTP server in our domain, or we're going to have a bunch of clients just looking at each other (and transparent switches just ignoring each other). One server and one client is what we'll do in this lab.

The VTP Advertisement Process & Config Revision Number

VTP advertisements are multicasts that are sent out only over trunk links. Makes sense, since the only devices that need the advertisements are other switches! VTP advertisements carry a configuration revision number (CRN) that enables VTP switches to ensure they have the latest VTP information, and that they're not overwriting their current VLAN database to make room for old information!

One VTP ad type is the subset advertisement, sent anytime there's a change in the VLAN landscape. That change doesn't have to be a VLAN addition or deletion. It could be something as simple as renaming a VLAN.

On some switches, you'll see the CRN near the top of the show vtp status output…

SW1#show vtp status
VTP Version                     : 2
Configuration Revision          : 2
Maximum VLANs supported locally : 64
Number of existing VLANs        : 7
VTP Operating Mode              : Server
VTP Domain Name                 : CCNP
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled

… and on others, you'll see it near the bottom of that same command's output.

SW2#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 : CCNP
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled
Device ID                       : 0017.9466.f780
Configuration last modified by 0.0.0.0 at 3-1-93 00:30:42

Feature VLAN:
--------------
VTP Operating Mode              : Client
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 7
Configuration Revision          : 2

Both switches have a CRN of 2. I'll add a VLAN to SW1 and then recheck the CRN on each switch, also checking to be sure the VLAN is visible in SW2's show vlan brief output.

SW1(config)#vlan 300

SW1#show vtp status
Configuration Revision          : 3

SW2#show vtp status
Configuration Revision          : 3

SW2#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
100  VLAN0100                         active
200  VLAN0200                         active
300  VLAN0300                         active

VLAN 300 is in SW2's database, and the CRN incremented on both switches. What happened on each switch to make the CRN increment? Let's take a behind-the-scenes look…

The creation of VLAN 300 on SW1 triggers a subset advertisement from SW1, and the CRN increments before that ad is sent across the trunk to SW2. SW2 receives the subset ad with a CRN of 3. SW2 compares the incoming CRN to its own CRN (2).

When an incoming subset ad's CRN is larger than the one on the receiving switch, the contents of the ad are accepted and used to overwrite the receiving switch's existing VTP database. SW2 will increment its own CRN, and you and I don't have to do a thing. (That doesn't make us lazy, that makes us smart.)

We love the CRN! The switches make sure they're accepting only the latest VLAN revision information. You do, however, have to be sure to set the CRN to zero in one particular scenario.

We have a simple three-switch network with two Clients and one Server. The domain is CCNP, and the non-default VLANs in use are VLANs 10, 20, 30, 40, and 50. SW2 is busy sending an advertisement with CRN 300.

A switch that was at another physical location is brought to this client site and installed in the CCNP domain. The problem: the CRN on that switch is 500, and this switch only knows about VLAN 1. SW4 doesn't even have to be in Server mode to ruin things. While a Client generally spends its time listening for and forwarding VTP ads, it does send a full Summary ad when it first comes online. That's enough to cause a lot of trouble here. (The VTP Clients will forward the VTP ad to SW2.)

The other switches will receive a VTP advertisement with a higher CRN than the one currently in their VTP database, so they synch their databases in accordance with this new advertisement. Since that new advertisement only includes VLAN 1, connectivity for the other five VLANs is lost. The official name of this issue is "VTP synch issue", but you'll call it something much more profane if it happens to your network.

This is most likely to happen when a switch goes down and is replaced in a hurry with a switch from another client site, or even from a CCNP / CCIE practice lab! No matter the source of the switch, the CRN MUST be set to zero before it's inserted into the new network, or you'll have a real mess on your hands. Just bouncing the switch isn't enough, since the CRN is kept in NVRAM.

Cisco theory says that there are two ways to ensure the CRN is set to zero:

Change the VTP domain name to a nonexistent domain, then change it back to the original name.

Change the VTP mode from server to transparent, then back to server.

Whichever you choose, once that's done, just be sure to verify the zero before you proceed.
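An added simulation (my own code, not the book's) of the CRN rule in the scenario just described: two Clients and a Server in domain CCNP at CRN 300 carrying VLANs 10 through 50, and SW4 arriving with CRN 500 and only VLAN 1, first as-is and then with its CRN zeroed first. Switch names, VLAN numbers and CRN values are the text's; the switch model, the exact-match domain check and the 'a Client sends a Summary ad when it comes online' step are my reading of the text.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set


@dataclass(frozen=True)
class Advertisement:
    domain: str
    crn: int
    vlans: FrozenSet[int]


@dataclass
class VtpSwitch:
    name: str
    domain: str
    mode: str = "client"            # server | client | transparent | off
    crn: int = 0
    vlans: Set[int] = field(default_factory=lambda: {1})

    def summary_ad(self) -> Advertisement:
        """What this switch advertises (a Client sends one when it first comes online)."""
        return Advertisement(self.domain, self.crn, frozenset(self.vlans))

    def receive(self, ad: Advertisement) -> bool:
        """Apply the CRN rule; return True when the ad overwrote the local VLAN database."""
        if self.mode in ("transparent", "off"):
            return False                  # these modes never synch their own database
        if ad.domain != self.domain:
            return False                  # exact match: CCNP and ccnp are different domains
        if ad.crn <= self.crn:
            return False                  # equal or older revision is ignored
        self.crn = ad.crn
        self.vlans = set(ad.vlans)
        return True

    def reset_crn(self) -> None:
        """Model of the domain-change-and-back (or server->transparent->server) trick."""
        self.crn = 0


PRODUCTION_VLANS = {1, 10, 20, 30, 40, 50}


def build_site() -> List[VtpSwitch]:
    """Two Clients and one Server in domain CCNP, all at CRN 300 with the five VLANs."""
    return [
        VtpSwitch("SW1", "CCNP", "client", 300, set(PRODUCTION_VLANS)),
        VtpSwitch("SW2", "CCNP", "server", 300, set(PRODUCTION_VLANS)),
        VtpSwitch("SW3", "CCNP", "client", 300, set(PRODUCTION_VLANS)),
    ]


def flood(ad: Advertisement, switches: List[VtpSwitch]) -> List[str]:
    """Deliver one ad over the trunks to every switch; return the names that accepted it."""
    return [sw.name for sw in switches if sw.receive(ad)]


def insert_switch(site: List[VtpSwitch], newcomer: VtpSwitch) -> List[str]:
    """Newcomer comes online and sends its Summary ad; the site's Server then advertises back."""
    overwritten = flood(newcomer.summary_ad(), site)
    server = next(sw for sw in site if sw.mode == "server")
    flood(server.summary_ad(), [newcomer])
    return overwritten


def synch_problem():
    """SW4 arrives with CRN 500 and only VLAN 1: every switch on the site is overwritten."""
    site = build_site()
    sw4 = VtpSwitch("SW4", "CCNP", "client", 500, {1})
    overwritten = insert_switch(site, sw4)
    return overwritten, sorted(site[1].vlans), site[1].crn


def with_crn_reset():
    """Same switch with its CRN zeroed before insertion: it learns the site's VLANs instead."""
    site = build_site()
    sw4 = VtpSwitch("SW4", "CCNP", "client", 500, {1})
    sw4.reset_crn()                       # a plain reload would not do this: CRN lives in NVRAM
    overwritten = insert_switch(site, sw4)
    return overwritten, sorted(sw4.vlans), sw4.crn


if __name__ == "__main__":
    print("without reset:", synch_problem())
    print("with reset:   ", with_crn_reset())
```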

The Three VTP Advertisement Types (And Two Directions!)

Summary Advertisements are sent by VTP Servers every 5 minutes OR upon a change in the VLAN database. Included in this ad type are the VTP domain name and version, CRN, MD5 hash code, a timestamp, and the number of Subset Advertisements that will follow this Summary ad.

Subset Advertisements are sent by VTP Servers when there's a VLAN configuration change. Subset ads give more specific info about the VLAN that's been changed, including whether the VLAN was actually created, deleted, or suspended, the VLAN type (Ethernet, Token Ring, FDDI, etc.), and the new VLAN name and/or MTU (if those values were changed). Summary and Subset ads are both sent when there's a VLAN change.

Client Advertisement Requests are requests from VTP Clients for VLAN information. If those Summary Ads are coming every 5 minutes, why does the client ever have to request info? These requests come in handy should the client's VLAN database become corrupt or if it's deleted. Rather than wait for the Server's ads to be triggered, the Client can explicitly request VLAN info, and the Server will answer with a series of Summary and Subset ads that will allow the Client to rebuild its VLAN database.

VTP Versions

The available VTP versions are 1, 2, and 3, and a Cisco switch will run Version 1 by default. Use vtp version to change versions.

SW2#show vtp status
VTP Version capable             : 1 to 3
VTP version running             : 1
VTP Domain Name                 : CCNP
VTP Pruning Mode                : Disabled
VTP Traps Generation            : Disabled

SW2(config)#vtp version ?
  <1-3>  Set the administrative domain VTP version number

As you'd expect, there were some improvements when VTP v2 came along:

VTP v2 supports Token Ring VLANs and Token Ring switching, where v1 does not.

A transparent VTP switch running VTP v2 will forward VTP advertisements via its trunk ports, even if the VTP domain name is different on the switches it's trunking with. With v1, the domain and version number of the trunking switches had to match that of the transparent switch.

VTP v2 performs a consistency check when changes are made to VLANs or the VTP configuration at the command-line interface (CLI). The consistency check is performed on the VLAN names and numbers, which helps to prevent incorrect names from propagating throughout the network. (Whew!)

Those were solid improvements, but serious improvements came along with the introduction of VTP v3. VTP v3 introduced the VTP mode off we saw earlier, which may seem unnecessary. If you're on a switch that can't run VTP version 3, you will not see the off option.

SW1(config)#vtp mode ?
  client       Set the device to client mode.
  server       Set the device to server mode.
  transparent  Set the device to transparent mode.

VTP v3 can be enabled and disabled at the port level, rather than only at the switch level.

The VTP Password ("Secure Mode")

With previous versions of VTP, it was easy to compromise the password. I'll configure SW2 to run VTP v2, and then set a password.

SW2(config)#vtp version 2
VTP version is already in V2.
SW2(config)#vtp password CCNP ?
  <cr>
SW2(config)#vtp password CCNP
Setting device VTP password to CCNP
SW2#show vtp password
VTP Password: CCNP

You could also spot the VTP password in the vlan.dat file. It's right there in clear text in the very first line of the dump (4343 4E50 is "CCNP" in ASCII):

SW2#more vlan.dat
00000000: BADB100D 00000002 02044343 4E500000  :[.CCNP..

Improvement was needed, and VTP v3 brought it. Let's upgrade SW2 to VTP v3 and then view our options for the VTP password. I'll do that after removing the previous password. (Hey, I was already there!)

SW2(config)#no vtp password CCNP
Clearing device VTP password.
SW2#show vtp password
The VTP password is not configured.
SW2(config)#vtp version 3
Mar 1 00:06:32.318: %SW_VLAN-6-OLD_CONFIG_FILE_READ: Old version 2 VLAN configuration file detected and read OK. Version 3 files will be written in the future.
SW2(config)#vtp password CCNP ?
  hidden  Set the VTP password hidden option
  secret  Specify the vtp password in encrypted form
  <cr>
SW2(config)#vtp password CCNP secret ?
VTP secret has to be 32 characters in length

I just didn't feel up to a 32-character password, so I went with hidden.

SW2(config)#vtp password CCNP hidden
Setting device VTP password
SW2#show vtp password
VTP Password: 50EF55299259C91C41DDF825699A177D

Cisco's website documentation on VTP v3 mentions that show commands can't be used to see the password, nor is it visible in the vlan.dat file, and that is indeed the case! What show vtp password displays now is the 32-hex-digit secret key derived from the password, not the password itself. The vlan.dat file is HUGE, so I'm not showing the entire thing here. Suffice to say I looked for the password and it wasn't there. One caveat for the security-minded: that 32-character key is exactly what the secret keyword accepts, so a copy of it lets another switch join the domain without anyone ever knowing the plaintext. Treat the key with the same care as the password.

The Synch Problem

Remember the VTP synch problem we saw earlier in this chapter? VTP v3 helps us prevent that problem (proactively!) by introducing the primary server concept. When you configure a VTP Server as the primary server, that's the only device that can actually update other switches in the VTP domain. Use vtp primary to make a VTP server the primary server, and you'll be prompted one more time to ensure you're sure about making this switch the primary server. You'll need the VTP password to do so.

SW2#vtp primary vlan
Enter VTP Password:
This system is becoming primary server for feature vlan
No conflicting VTP3 devices found.
Do you want to continue? [confirm]
SW2#
*Mar 1 00:24:17.629: %SW_VLAN-4-VTP_PRIMARY_SERVER_CHG: 0017.9466.f780 has become the primary server for the VLAN VTP feature

A Final Word About VTP Versions

According to Cisco website documentation, VTP v3 is friendly to VTP v2, but v3 will not work with v1. If a switch running v1 detects a v3 switch, the switch running v1 will attempt to upgrade to v2. Naturally, if the switch can only run v1, you're stuck. Cisco strongly recommends that you determine whether your current switches are v2-capable before introducing v3 to your network. You're better off if all your current switches are v3-capable.

Another major difference between versions to watch out for: VTP v1 and v2 support only VLANs 1 – 1005, where v3 supports the full range of extended VLANs (1 – 4094).

VTP Pruning

Trunk ports are members of all VLANs, which leads to an issue involving broadcasts, unknown unicasts, and multicasts. A trunk port will forward broadcasts and multicasts for all VLANs it knows about, regardless of whether the switch at the other end of the trunk actually has ports in those VLANs. This means that the sending switch is likely sending unnecessary traffic, and the recipient is receiving totally unnecessary traffic.

With VTP pruning, a switch will send a message to its trunking partners, identifying the VLANs in use by the switch sending the message. SW1 has hosts in VLANs 2 – 19. That switch is trunking with SW2, which has hosts in VLANs 2 – 10. There's no reason to send broadcast, unknown unicast, or multicast traffic belonging to VLANs 11 – 19 to SW2. Once SW2 has told it so, SW1 knows which multicasts, unknown unicasts, and broadcasts should and should not be sent across the trunk to SW2. Keep in mind that pruning only trims flooded traffic for VLANs the neighbor says it doesn't need; it does not restrict which VLANs the trunk carries, so it's a bandwidth optimization, not a security control.
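The pruning decision just described, as an added example that is not part of the study guide: the Python below computes which VLANs a trunk still floods once pruning is on, using the chapter's own scenario (SW1 with hosts in VLANs 2 – 19 trunking to SW2 with hosts in VLANs 2 – 10), and models the keyword forms of the per-trunk switchport trunk pruning vlan list (a bare list, add, remove, except, none). The function names, the representation of SW2's join message as a plain set, and the default VLANs 1 and 1002 – 1005 being treated as never eligible are this example's own assumptions.

```python
"""Added example, not from the study guide: which VLANs a trunk floods once
VTP pruning is on, plus the 'switchport trunk pruning vlan' keyword forms.
The memberships below are the chapter's scenario (SW1 with VLANs 2-19, SW2
with VLANs 2-10); the function names are this example's own."""
from typing import Set

NEVER_PRUNED = {1, 1002, 1003, 1004, 1005}     # the default VLANs, never eligible
DEFAULT_ELIGIBLE = set(range(2, 1002))           # what 'vtp pruning' makes eligible


def parse_vlan_list(text: str) -> Set[int]:
    """IOS list syntax, e.g. '1,3-5,7,9-11'."""
    vlans: Set[int] = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 1 <= lo_i <= hi_i <= 4094:
            raise ValueError(f"bad VLAN range {part!r}")
        vlans.update(range(lo_i, hi_i + 1))
    return vlans


def pruning_vlan_cmd(current: Set[int], args: str) -> Set[int]:
    """Apply 'switchport trunk pruning vlan <args>' to a trunk's eligible list.
    Forms: WORD | add WORD | remove WORD | except WORD | none."""
    keyword, _, rest = args.strip().partition(" ")
    if keyword == "none":
        new: Set[int] = set()
    elif keyword == "add":
        new = current | parse_vlan_list(rest)
    elif keyword == "remove":                    # these VLANs become prune-proof
        new = current - parse_vlan_list(rest)
    elif keyword == "except":
        new = DEFAULT_ELIGIBLE - parse_vlan_list(rest)
    else:                                        # a bare list replaces the whole list
        new = parse_vlan_list(args)
    return new - NEVER_PRUNED                    # the default VLANs can't be pruned


def flooded_vlans(active_on_trunk: Set[int], neighbor_needs: Set[int],
                  eligible: Set[int]) -> Set[int]:
    """Broadcast, multicast and unknown-unicast traffic for these VLANs still
    crosses the trunk. A VLAN is pruned only if it is eligible on this trunk
    and the neighbour did not list it in its join message."""
    pruned = {v for v in active_on_trunk
              if v in eligible and v not in NEVER_PRUNED and v not in neighbor_needs}
    return active_on_trunk - pruned


if __name__ == "__main__":
    sw1_vlans = {1} | set(range(2, 20))          # SW1: VLAN 1 plus hosts in VLANs 2-19
    sw2_needs = set(range(2, 11))                # SW2's join message: VLANs 2-10
    print(sorted(flooded_vlans(sw1_vlans, sw2_needs, DEFAULT_ELIGIBLE)))
    # Make VLANs 11-15 prune-proof on SW1's trunk and look again:
    eligible = pruning_vlan_cmd(DEFAULT_ELIGIBLE, "remove 11-15")
    print(sorted(flooded_vlans(sw1_vlans, sw2_needs, eligible)))
```

With the defaults, the trunk toward SW2 floods VLANs 1 – 10 and prunes 11 – 19; after remove 11-15, VLANs 11 – 15 are flooded again whether SW2 wants them or not.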

Enabling VTP pruning is just as easy. You don't even have to type "on"!

SW2(config)#vtp pruning ?
  <cr>
SW2(config)#vtp pruning
Pruning switched on

That simple command makes VLANs 2 – 1001 eligible for pruning. You can't prune the default VLANs: VLAN 1 and the reserved VLANs 1002 – 1005 are never pruning-eligible. If you want to make some of the eligible VLANs "prune-proof", use the switchport trunk pruning vlan command on the trunk.

SW1(config)#int range fast 0/11 - 12
SW1(config-if-range)#switchport trunk pruning vlan ?
  WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
  add     add VLANs to the current list
  except  all VLANs except the following
  none    no VLANs
  remove  remove VLANs from the current list

Enough of VLANs – for now! Let's get started with the Spanning Tree Protocol!

Chapter 5: The Fundamentals of STP

Whether it's Layer 2 or Layer 3, we love redundancy. A single point of failure for anything in today's networks just isn't acceptable. Redundancy works just a bit differently at L2 than L3, however. With routing, we want to use as many of those paths as is feasible. L3 routing protocols such as EIGRP and OSPF allow us to use secondary paths in addition to the primary paths, making equal- and unequal-cost load balancing possible. (More on that in your ROUTE studies!)

At Layer 2, our redundant paths need to be ready for action in case the primary path fails, but they will not be used in addition to the primary path. The basic purpose of the Spanning Tree Protocol (STP) is to identify valid loop-free paths and then choose the best of those paths for use. STP will then block ports on the valid but less desirable paths, holding those paths in standby. Should a primary path become unavailable, STP will realize this and begin to unblock the necessary ports to put the next best path into action.

So that's all fine, you say, but what about those redundant paths? Why can't we use every single path from "A" to "B" for switching, as we like to do for routing? The problem at L2 is the possibility of switching loops. This becomes a lot clearer with examples and lab work, which we have plenty of in the next few sections of the course! Here's an example of such a loop where STP is not in action.

Now this is redundancy! We have three switches connecting two Ethernet segments, so if two switches go down, each host would still be able to reach every other host. Having STP on would help prevent switching loops, but in this example, it's not on.

Let's say all three switches have just been turned on, and Host A sends a frame to Host C. In our example, all three switches would receive the frame on their Fast0/1 interfaces. Before making a forwarding decision regarding the incoming frame, each switch will check its own MAC address table for an entry for the source MAC address of the frame. None of the switches have such an entry, so they'll each make an entry in their respective MAC tables, listing Host A as reachable via Fast0/1.

On to the forwarding decision! None of the switches have an entry for the frame's destination, so each switch will follow the default behavior for an unknown unicast address. They'll flood the frame out all ports except the one it came in on. In our example, the frames will be flooded out Fast0/2 on each switch. Each switch will then see the frames just flooded by the other two switches.

The problem is the source MAC address of each flooded frame, which is still Host A's MAC address. When each switch receives a frame on Fast 0/2 with Host A's MAC address as the source, each switch will change the MAC address table entry for Host A to Fast 0/2. As those frames are flooded in turn, the switches will keep going back and forth on the MAC address table entry for Host A. Nothing in an Ethernet frame counts down the way an IP TTL does, so nothing ever ages these copies out of the loop. Just that quickly, without STP, we're about to experience a switching loop.

If you think that's bad (and it is!), just wait until the other hosts start sending traffic! Slowly but surely (don't call me Shirley), more and more broadcast traffic is forwarded by the switches. Finally, the switches are overwhelmed by those broadcasts and we have a broadcast storm.

Note: Switching loops are sometimes called "bridging loops", even in networks that don't have bridges. It's a legacy term, and we always say "legacy" because we don't like to say "old".

In short, switching loops cause three major problems:

Frames can't reach their intended destination, either in full or in part.
There's an unnecessary strain put on the switch CPU.
A lot of bandwidth is unnecessarily sucked up by all those broadcasts.
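The loop just walked through, replayed round by round as an added example that is not part of the study guide. Three switches each have Fa0/1 on segment A and Fa0/2 on segment B, STP is off, and Host A sends one frame to a host nobody has learned yet. The MAC addresses, switch names and the per-round bookkeeping are constructed for this example; passing a set of blocked ports stands in for what STP's blocking state does, which is the only thing that ends the loop.

```python
"""Added example, not from the study guide: a toy replay of the switching
loop described above. Three switches, each with Fa0/1 on segment A and
Fa0/2 on segment B, no STP, and Host A on segment A sending one frame to
a host no switch has learned yet. Names and MAC addresses are constructed."""
from typing import Dict, FrozenSet, List, Tuple

SWITCHES = ("SW1", "SW2", "SW3")
PORT_ON = {"A": "Fa0/1", "B": "Fa0/2"}      # which port of every switch sits on a segment
SEGMENT_OF = {"Fa0/1": "A", "Fa0/2": "B"}
HOST_A, HOST_C = "aaaa.aaaa.aaaa", "cccc.cccc.cccc"


def simulate_loop(rounds: int, blocked: FrozenSet[Tuple[str, str]] = frozenset()):
    """Run the flood round by round. 'blocked' holds (switch, port) pairs that
    neither receive nor forward frames, which is what STP's blocking state does.
    Returns (frames in flight at the start of each round, the MAC tables, and
    how often each switch rewrote its entry for Host A)."""
    mac_table: Dict[str, Dict[str, str]] = {sw: {} for sw in SWITCHES}
    flips = {sw: 0 for sw in SWITCHES}
    # A frame in flight: (segment it is on, who put it there, src MAC, dst MAC)
    inflight: List[Tuple[str, str, str, str]] = [("A", "HostA", HOST_A, HOST_C)]
    per_round: List[int] = []
    for _ in range(rounds):
        if not inflight:
            break                                  # the loop died out
        per_round.append(len(inflight))
        nxt: List[Tuple[str, str, str, str]] = []
        for seg, sender, src, dst in inflight:
            for sw in SWITCHES:
                if sw == sender:
                    continue                       # a switch does not hear its own transmission
                in_port = PORT_ON[seg]
                if (sw, in_port) in blocked:
                    continue
                # Source learning: the entry for Host A flips between Fa0/1 and Fa0/2
                old = mac_table[sw].get(src)
                if old is not None and old != in_port:
                    flips[sw] += 1
                mac_table[sw][src] = in_port
                # Forwarding decision: a known destination goes out one port; an
                # unknown unicast is flooded out every other port (here, the other one)
                out = mac_table[sw].get(dst)
                if out is None:
                    out = "Fa0/2" if in_port == "Fa0/1" else "Fa0/1"
                elif out == in_port:
                    continue
                if (sw, out) in blocked:
                    continue
                nxt.append((SEGMENT_OF[out], sw, src, dst))
        inflight = nxt
    return per_round, mac_table, flips


if __name__ == "__main__":
    print(simulate_loop(6)[0])                      # frames keep multiplying every round
    stp_like = frozenset({("SW2", "Fa0/2"), ("SW3", "Fa0/2")})
    print(simulate_loop(6, blocked=stp_like)[0])    # two blocked ports end it after one hop
```

One frame becomes 3, 6, 12, 24, 48 copies in six rounds, and every switch rewrites its entry for Host A once per round; block one port on two of the three switches and the same frame is delivered once and disappears.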

Luckily for us, switching loops don't occur often, because STP does a great job of preventing switching loops before they happen. It all begins with the exchange of Bridge Protocol Data Units (BPDUs).

The Bridge Protocol Data Unit Types and The Root Bridge Election

We have two BPDU types, both multicast to the well-known MAC address 01-80-c2-00-00-00. We're going to concentrate on Configuration BPDUs, the BPDUs that are used in STP calculations. TCN BPDUs will be covered later in this section. Only the root bridge will originate Configuration BPDUs. The non-roots will receive and forward a copy of that BPDU, but non-root bridges do not actually create this BPDU type. The root bridge is also the switch that decides what the STP timers will be, and we'll see that in action after we have an election.

Each switch has a Bridge ID, commonly referred to as a BID. The BID is a combination of a 2-byte Priority value and the switch's 6-byte MAC address. The Priority value comes first in the BID. If a Cisco switch has the default priority 32768 and a MAC address of 11-22-33-44-55-66, the resulting BID is 32768:11-22-33-44-55-66. The switch with the lowest BID will win that coveted role. If the Priority is left at the default on all switches, the MAC address is the deciding factor in the root bridge election, and the switch with the lowest MAC address wins.

In any network, you'll have switches that are more powerful than others in terms of processing power and speed. In general, you should ensure that your primary and secondary root bridges are your more powerful switches. We don't want to leave those roles to chance – or the lowest MAC address! Keep in mind that nothing in plain STP authenticates a BPDU: any device that can send one carrying a lower BID, whether a newly racked switch with an older MAC address or a host running bridging software, becomes the root. I'll show you exactly how to be deterministic about root bridge elections after we walk through an example of a root bridge election using only the defaults.

The Default Root Bridge Election Process

Switches are a lot like people. When they first arrive, they announce to everyone around them that they are the center of the universe. Unlike some people, the switches get over it.

But seriously folks, we're about to walk through a root bridge election on a three-switch network, and we'll take a look at the election from each switch's point of view. All three switches are coming online at the same time, so all three believe they are the root bridge, and all three of them get very busy announcing that fact. Since each switch believes it's the root, all six ports in this example will go to the listening state, allowing each switch to hear BPDUs from the others. (Much more on these STP port states later in this section.) Each switch has the default priority 32768, and the MAC address of each switch is the switch's number repeated 12 times. Here's our network and the root bridge election from SW1's perspective.

SW1 is receiving BPDUs from both SW2 and SW3, both containing BIDs higher than SW1's own BID. SW1 continues to believe that it's the root bridge and will continue to announce itself as such.

Here's the election from SW2's perspective: SW2 believes it's the root, and the BPDU from SW3 will not change its mind. However, the BPDU from SW1 will! When SW2 sees the BID inside the BPDU from SW1, SW2 will realize it is not the root bridge for this network. SW2 will stop originating Configuration BPDUs, and will instead begin to relay those sent by SW1.

The election from SW3's point of view: SW3 is about to develop a massive inferiority complex! Both incoming BPDUs contain BIDs superior to that of SW3. SW3 recognizes that the BPDU containing the best BID is coming from SW1. Just that quickly, SW2 and SW3 recognize SW1 as the root – for now! These Config BPDUs go out every 2 seconds, so this process takes very little time.

Root bridge elections never really end. SW1 is currently recognized as the root for this network, but if another switch comes along that advertises a superior BID, that switch would then become the root! While higher BIDs are winners in auctions, they're losers in root bridge elections. SW4 has now come on board, and is advertising a BID lower than that of SW1. SW4 will advertise this BID via a Configuration BPDU, and when SW1 sees that BPDU, SW1 will realize it's no longer the root bridge. SW4 will then take over that role, and SW1 will begin forwarding the Configuration BPDUs it receives from SW4.

This example allowed you to see the details of a root bridge election, but in your production network, that election's already taken place. It's a good idea to know how to see the BIDs of your live switches as well as spot the winner of a root bridge election that's already taken place. For this lab, we'll use a two-switch network, with the switches trunking on their 0/11 and 0/12 ports.

90e2.90e2. run show All ports on the root bridge will be in forwarding mode (FWD).14 P2p There are four ways to tell you’re not on the root bridge. The root port is the port a switch will use to reach the root bridge. As odd as it sounds. ---------. --------.12 P2p There are four different ways to tell you’re on the root switch.Nbr Type ---------------. Fa0/11 Root FWD 19 Fa0/12 Altn BLK 19 128. since it doesn’t exist. The first listed here isn’t highlighted.2540 This bridge is the root Hello Time Bridge ID Priority 32769 Hello Time Aging Time 15 Port 13 (FastEthernet0/11) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 32769 (priority 32768 sys-id-ext 1) Address 0017.) Let’s take a look at the root bridge will be in blocking mode (BLK). ----- --.115 S T U DY G U I D E C H R I S B R YA N T To see the BID of both the local switch and the root switch for a particular VLAN. No “This bridge is the root” message The MAC address under the Root ID and Bridge ID fields are different The switch has a root port (Fa0/11) There is a port in blocking mode 90 91 . the root bridge will have no root port.f780 2 sec Max Age 20 sec Forward Delay 15 sec Role Sts Cost 32769 Cost 19 (priority 32768 sys-id-ext 1) Address 000f.90e2. The other three ways: The MAC address of the Root ID (the info for the root) and the Bridge ID (the info for the local switch) is the same. bridge info for our default VLAN. ----- --. you ask? SW1#show spanning vlan 1 SW2#show spanning vlan 1 VLAN0001 VLAN0001 Spanning tree enabled protocol ieee Spanning tree enabled protocol ieee Root ID Priority Address 000f. Fa0/11 Desg FWD 19 128. ---------. but the other three are in bold. What do things look like on the non-root bridge.11 P2p Fa0/12 Desg FWD 19 128. so the root bridge doesn’t need one! Interface Role Sts Cost Prio.2540 2 sec Max Age 20 sec Forward Delay 15 sec Interface Root ID 32769 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300 sec Prio. 
No ports on the root spanning-tree vlan.9466.Nbr Type ---------------.13 P2p 128. (Each VLAN will have its own root switch.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 . --------.2540 Priority Address 000f. The most obvious is the phrase “This bridge is the root”.

STP prevents switching loops by putting some ports into blocking mode. STP allows only one path between "Point A" and "Point B" – in this case, our two switches – and disallows the others by putting the minimum number of ports necessary into blocking mode. In the end, one path between the switches is open and the other is closed. In our two-switch network, only one port is in blocking mode, rather than the two you might expect. STP puts the minimum number of ports into blocking mode in order to speed up the process of bringing a new path up when the currently open one becomes unavailable. The fewer ports that need to reopen, the faster that new path will be available.

Path Costs, Root Port Selection, and Root Path Costs

Wondering how SW2 chose 0/11 as its root port, instead of 0/12? Let's zip back to our two-switch example. Every port on our switches has an assigned path cost, and that cost is used to arrive at the port's root path cost. The faster the port, the lower the path cost. The path cost is strictly a local value and is not advertised to upstream or downstream switches. The root path cost is a cumulative value reflecting the overall cost for a given port to reach the root. The Configuration BPDU carries the root path cost, and that cost increments as that BPDU is forwarded throughout the network. These terms will become much clearer after the upcoming example!

It all begins with the root bridge transmitting a Configuration BPDU with the root path cost set to zero. When SW2 receives that BPDU, it will add the cost of the port the BPDU was received upon to the root path cost found in that incoming BPDU. It's important to note that the root path cost increments as BPDUs are received, not sent. In a chain of Fast Ethernet links, the root path cost goes from 0 to 19 (when received by SW2) to 38 (when received by SW3). In our two-switch lab, the incoming root path cost should be the same for both ports on SW2, since every port involved here is a Fast Ethernet port. Let's run show spanning-tree vlan to see what the deciding factor was.

SW2#show spanning vlan 1
< Some output removed for clarity >

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11           Root FWD 19        128.13   P2p
Fa0/12           Altn BLK 19        128.14   P2p

The path cost is 19 for each port, so this is a tie, as both ports will have a root path cost of 19. 0/11 and 0/12 are both receiving BPDUs from SW1, so we need a tiebreaker. Here's the process for choosing the root port:

First, choose the port receiving the superior BPDU, the BPDU containing the lowest root BID.
Next, choose the port with the lowest root path cost.
Next tiebreaker: choose the port receiving the BPDU with the lowest Sender BID.
Finally, the lowest sender Port ID wins.

Both ports hear the same root BID and the same root path cost. Since both ports received their BPDUs directly from SW1, the Sender BID is also a tie. There's our tiebreaker: the Port ID carried in the BPDU is the sender's, and SW1 sends from 0/11 with Port ID 128.11 and from 0/12 with Port ID 128.12 (the Prio.Nbr column in SW1's output earlier). 128.11 is lower, so the port receiving that BPDU, SW2's fast 0/11, is your winnah! Note that it's SW1's port IDs that broke the tie, not SW2's own 128.13 and 128.14.

Let's head back to our three-switch network and identify the root ports. All ports are Fast Ethernet ports with a path cost of 19. We know that the ports on the root bridge aren't root ports. They're designated ports, and they'll also be in forwarding mode. We can quickly identify the root ports on SW2 and SW3: the port on each that receives SW1's BPDU directly. The root path cost was zero on SW1 and incremented to 19 as the BPDUs were received by SW2 and SW3. Root ports will always be in forwarding mode (FWD), along with all ports on the root bridge. We have four ports in forwarding mode, so STP better put a port or two in blocking mode soon!

Speaking of designated ports, we need one of those for the segment connecting SW2 and SW3. In this admittedly unlikely-to-be-seen-in-the-real-world scenario, that link is a shared network segment with a host on it. Frames coming from that host onto the segment shared by SW2 and SW3 might cause a switching loop if both switches could forward frames from that host to SW1. We need one and only one designated port on that segment. That's where the designated port (DP) comes in.

The switch with the lowest root path cost will have its port on this shared segment named as the designated port. In this scenario, both switches will have the exact same root path cost, so we need a tiebreaker. The port belonging to the switch with the lowest BID will become the designated port. We saw earlier that SW2's BID is 32768:22-22-22-22-22-22 and SW3's is 32768:33-33-33-33-33-33, so SW2's port on that shared segment becomes the DP.

Here's the final result: Of the six ports, five of them are in forwarding mode and only one is blocked. Putting just one of the two ports on the SW2–SW3 shared segment into blocking mode is enough to prevent switching loops from forming, and blocking only that one port makes the cutover to that path for SW3 a little quicker, should its current path to SW1 become unavailable.

The Shortest Path Is Not Always The Shortest Path

Keep STP costs in mind when eyeballing a network map on your CCNP SWITCH exam, in a job interview, or during your network admin duties. Do not jump to the conclusion that the physically shortest path is the logically shortest path. We know the STP path costs are determined by port speed, and it couldn't hurt to be familiar with the following port costs. (These port costs have changed over time, and these values are from the most recent list on Cisco's website.) This is not a list of every possible speed, but lists the more common speeds you'll bump into on Cisco switches.

Port speed   STP path cost
10 Gbps      2
1 Gbps       4
100 Mbps     19
16 Mbps      62
10 Mbps      100
4 Mbps       250

If you were asked which of SW3's two ports would become its root port, it would be really easy to say 0/1. It would also be really wrong. Whether it's in the exam room or your server room, be sure to double-check the port speeds. Some of the network maps I've looked at over the years have a font size of about 0.5, and it's really easy to miss a zero – or think one is there that isn't!

SW3-to-SW2-to-SW1 root path cost: 38 (two 100 Mbps links)
SW3-to-SW1 root path cost: 100 (one 10 Mbps link)

Fast 0/2 becomes the root port. The root path using that port has a cost of 38, while the more physically direct path has a root path cost of 100. Luckily, that only happens now and Zen. And speaking of Zen…

Changing A Port's Path Cost

We'll verify port path cost changes with show spanning-tree vlan. We need only the information at the bottom of that command's output in this lab, so I'll edit the "Root ID" and "Bridge ID" fields out of the output. Let's verify!

SW2#show spanning vlan 1
Interface        Role Sts Cost
---------------- ---- --- ----
Fa0/11           Root FWD 19
Fa0/12           Altn BLK 19

Right now, 0/11 is the root port. We want 0/12 to be the root. Lowering its path cost to 9 for all VLANs should do it!

SW2(config)#int fast 0/12
SW2(config-if)#spanning-tree ?
  bpdufilter     Don't send or receive BPDUs on this interface
  bpduguard      Don't accept BPDUs on this interface
  cost           Change an interface's spanning tree port path cost
  guard          Change an interface's spanning tree guard mode
  link-type      Specify a link type for spanning tree protocol use
  mst            Multiple spanning tree
  port-priority  Change an interface's spanning tree port priority
  portfast       Enable an interface to move directly to forwarding on link up
  stack-port     Enable stack port
  vlan           VLAN Switch Spanning Tree
SW2(config-if)#spanning-tree cost ?
  <1-200000000>  port path cost
SW2(config-if)#spanning-tree cost 9

Just a few seconds after changing the cost, I ran the same command:

SW2#show spanning vlan 1
Interface        Role Sts Cost
---------------- ---- --- ----
Fa0/11           Altn BLK 19
Fa0/12           Root LIS 9

The change to 0/12's path cost is immediate, as is the transition of 0/11 from forwarding to blocking. What isn't immediate is the transition of 0/12 from blocking to forwarding. 0/12 is in listening mode. More on that shortly, but trust me – there's a really good reason that change isn't immediate. About 15 seconds later…

SW2#show spanning vlan 1
Interface        Role Sts Cost
---------------- ---- --- ----
Fa0/11           Altn BLK 19
Fa0/12           Root LRN 9

0/12 is now in learning mode. About 15 seconds after that output, we get this little message:

*Mar 2 05:31:08.510: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down

Doesn't sound good! Our management interface, Vlan1, has gone down. An SVI's line protocol follows whether any port in its VLAN is actually forwarding, so a VLAN whose every port is blocking, listening, or learning takes its management interface down with it. Let's see if it comes back up while we check in on our root port situation!

SW2#show spanning vlan 1
Interface        Role Sts Cost
---------------- ---- --- ----
Fa0/11           Altn BLK 19
Fa0/12           Root FWD 9

*Mar 2 05:35:41.802: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up

… the Vlan1 interface comes back up and 0/12 is in forwarding mode. That's just what we wanted – we just had to be a little patient!

Load Balancing On A Per-VLAN Basis

Using cost is an all-or-nothing deal. What if we want to change the cost for some VLANs while leaving it alone for others? In the following lab, all VLANs are using the top trunk (Fa 0/11 on both switches). We're just wasting the other path! We want VLANs 10 and 20 to continue to use the top path, but VLANs 30 and 40 should use the bottom trunk (Fa 0/12 on both switches). We'll make this happen with spanning-tree vlan, using the cost option. This is per-VLAN load balancing, and while it's not perfect load balancing, it's better than sending all our traffic across one trunk while treating the other trunk as strictly a backup. We'll change the path cost for 0/12 on SW2 to 9 for VLANs 30 and 40 while leaving it alone for VLANs 10 and 20. Note the option to specify a range of VLANs.

SW2(config)#int fast 0/12
SW2(config-if)#spanning vlan ?
  WORD  vlan range, example: 1,3-5,7,9-11
SW2(config-if)#spanning vlan 30,40 ?
  cost           Change an interface's per VLAN spanning tree path cost
  port-priority  Change an interface's spanning tree port priority
SW2(config-if)#spanning vlan 30,40 cost ?
  <1-200000000>  Change an interface's per VLAN spanning tree path cost
SW2(config-if)#spanning vlan 30,40 cost 9

The port begins to transition from blocking to forwarding for VLANs 30 and 40…

SW2#show spanning vlan 30
Interface        Role Sts Cost
---------------- ---- --- ----
Fa0/11           Altn BLK 19
Fa0/12           Root LIS 9
SW2#show spanning vlan 40
Interface        Role Sts Cost
---------------- ---- --- ----
Fa0/11           Altn BLK 19
Fa0/12           Root LIS 9

… but there's no transition for VLANs 10 and 20.

SW2#show spanning vlan 10
Interface        Role Sts Cost
---------------- ---- --- ----
Fa0/11           Root FWD 19
Fa0/12           Altn BLK 19
SW2#show spanning vlan 20
Interface        Role Sts Cost
---------------- ---- --- ----
Fa0/11           Root FWD 19
Fa0/12           Altn BLK 19

Thirty seconds or so later, the transition has completed, and 0/12 is now the root port for both VLANs 30 and 40.

SW2#show spanning vlan 30
Interface        Role Sts Cost
---------------- ---- --- ----
Fa0/11           Altn BLK 19
Fa0/12           Root FWD 9
SW2#show spanning vlan 40
Interface        Role Sts Cost
---------------- ---- --- ----
Fa0/11           Altn BLK 19
Fa0/12           Root FWD 9

All VLAN 30 and 40 traffic will now use the trunk that was previously unused. Pretty cool!

Let's quickly review those STP port states.

The STP port state disabled is a little odd in that you won't see "DIS" next to a port in the output of show spanning vlan. A disabled port is simply a port that's been administratively shut down. A disabled port isn't forwarding frames or even officially running STP. Cisco does consider this to be an official STP state, so we will too!

Once that port is administratively enabled, the port goes into blocking state (BLK). The port still can't do much. No frame forwarding, no frame receiving, and therefore no dynamic learning of MAC addresses. About the only thing a blocked port can do is accept BPDUs from neighboring switches.

When a port starts the transition from blocking to forwarding, it enters listening mode (LIS). The obvious question: "Listening for what?" A listening port is listening for BPDUs, allowing the port to participate in the root bridge election. A listening port can send BPDUs as well. A port in listening mode still can't forward or receive frames, and as a result the port can't learn MAC addresses.

SW2#show spanning vlan 40
Interface        Role Sts Cost
---------------- ---- --- ----
Fa0/11           Altn BLK 19
Fa0/12           Root LIS 9

As the transition continues, the port goes from listening to learning (LRN) mode.

SW2#show spanning vlan 40
Interface        Role Sts Cost
---------------- ---- --- ----
Fa0/11           Altn BLK 19
Fa0/12           Root LRN 9

A learning port isn't forwarding frames, but it is learning MAC addresses and adding them to the switch's MAC address table. A port in learning mode continues to send and receive BPDUs. Finally, the port goes from learning to forwarding mode. Forwarding mode allows a port to forward and receive frames, send and receive BPDUs, and continue to learn MAC addresses. This is the only state where the port is actually forwarding frames! Listening and learning each last one Forward Delay (15 seconds by default, as the show output reports), which is the thirty-second wait we kept running into in these labs.

There's another cute little way of performing per-VLAN load balancing on our switches, and that's by manipulating the port priority. Let's review that list we used for root port selection:

First, choose the port receiving the superior BPDU.
Tie? Choose the port with the lowest root path cost.
Still tied? Choose the port receiving the BPDU with the lowest Sender BID.
Still tied? Choose the port receiving the BPDU with the lowest sender Port ID.

That port ID is a combination of port priority and port number, and it belongs to the sending switch: the receiving switch compares the Port IDs carried in the BPDUs it receives, not the priorities of its own ports. In the previous lab, SW1 was sending BPDUs from both 0/11 and 0/12. The edited readout of show spanning vlan for each VLAN on SW1 reflects the default port priority of 128 on ports 0/11 and 0/12. (The commands from the previous load-balancing lab have been removed.)

SW1#show spanning vlan 10
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11           Desg FWD 19        128.13   P2p
Fa0/12           Desg FWD 19        128.14   P2p
SW1#show spanning vlan 20
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11           Desg FWD 19        128.13   P2p
Fa0/12           Desg FWD 19        128.14   P2p

In this lab, we'll change the port priority of SW1's 0/12 to make it lower than that of 0/11 for some VLANs, while leaving it the same for others. VLANs 30 and 40 will move to the trunk hanging off SW1's 0/12, and VLANs 10 and 20 will continue to use the trunk off SW1's 0/11.

SW1#show spanning vlan 30
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11           Desg FWD 19        128.13   P2p
Fa0/12           Desg FWD 19        128.14   P2p
SW1#show spanning vlan 40
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11           Desg FWD 19        128.13   P2p
Fa0/12           Desg FWD 19        128.14   P2p

The same commands on SW2 show the same port priority for each VLAN. Here's the full output for VLAN 10 and the port table for the others.

SW2#show spanning vlan 10
VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    24586
             Address     001c.0fbf.3600
             Cost        19
             Port        12 (FastEthernet0/12)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     000e.84ae.2f00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11           Altn BLK 19        128.11   P2p
Fa0/12           Root FWD 19        128.12   P2p

(Note the root priority of 24586: that's 24576 plus the sys-id-ext of 10, so the root for these VLANs has been set deliberately rather than left to the lowest MAC address.)

SW2#show spanning vlan 20
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11           Altn BLK 19        128.11   P2p
Fa0/12           Root FWD 19        128.12   P2p
SW2#show spanning vlan 30
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11           Altn BLK 19        128.11   P2p
Fa0/12           Root FWD 19        128.12   P2p
SW2#show spanning vlan 40
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11           Altn BLK 19        128.11   P2p
Fa0/12           Root FWD 19        128.12   P2p

Right now every VLAN on SW2 uses fast 0/12 as its root port, because the BPDU arriving there carries the lower sender Port ID, 128.13 from SW1's fast 0/11. (In this lab, then, SW1's fast 0/11 is cabled to SW2's fast 0/12 and SW1's fast 0/12 to SW2's fast 0/11, as the outputs below bear out.) For VLANs 30 and 40 to start using SW2's fast 0/11, we'll decrease the port priority for those VLANs on the SW1 port at the other end of that trunk, fast 0/12. Lowering the priority of SW2's own port would change nothing, since SW2 decides by the sender's Port ID. The new port priority must be set in increments of 16, and the switch doesn't like it when you do not do so.

SW1(config)#int fast 0/12
SW1(config-if)#spanning vlan 30 ?
  cost           Change an interface's per VLAN spanning tree path cost
  port-priority  Change an interface's spanning tree port priority
SW1(config-if)#spanning vlan 30 port-priority ?
  <0-240>  port priority in increments of 16
SW1(config-if)#spanning vlan 30 port-priority 35
% Port Priority in increments of 16 is required
SW1(config-if)#spanning vlan 30 port-priority 64
SW1(config-if)#spanning vlan 40 port-priority 64

When it comes to VLANs 30 and 40, the BPDU SW1 sends from fast 0/12 (arriving on SW2's fast 0/11) is now superior to the one it sends from fast 0/11, verified by show spanning vlan 30 and show spanning vlan 40 on SW1:

SW1#show spanning vlan 30
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11           Desg FWD 19        128.13   P2p
Fa0/12           Desg FWD 19        64.14    P2p
SW1#show spanning vlan 40
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11           Desg FWD 19        128.13   P2p
Fa0/12           Desg FWD 19        64.14    P2p

As a result, VLANs 30 and 40 are now using the trunk over SW2's fast 0/11, verified by show spanning vlan 30 and show spanning vlan 40 on SW2:

SW2#show spanning vlan 30
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11           Root FWD 19        128.11   P2p
Fa0/12           Altn BLK 19        128.12   P2p
SW2#show spanning vlan 40
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11           Root FWD 19        128.11   P2p
Fa0/12           Altn BLK 19        128.12   P2p

VLANs 10 and 20 continue to use the trunk over SW2's fast 0/12, verified by show spanning vlan 10 and show spanning vlan 20 on SW2:

SW2#show spanning vlan 10
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11           Altn BLK 19        128.11   P2p
Fa0/12           Root FWD 19        128.12   P2p
SW2#show spanning vlan 20
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- ----
Fa0/11           Altn BLK 19        128.11   P2p
Fa0/12           Root FWD 19        128.12   P2p

---------. SW2#show spanning vlan 30 Interface Role Sts Cost Fa0/11 Root FWD 19 128. we’ll raise the port priority for VLANs 30 and 40 to 160 (a multiple of 160!).12 P2p SW1(config-if)#spanning vlan 40 port-priority 160 Whether you choose to lower or raise a port priority to get VLAN load balancing going is Raising the port priority on fast 0/11 has the same effect as reducing it on fast 0/12. VLANs 30 and 40 are using the trunk over fast 0/11… as with all Cisco exams. ----- --.11 P2p Fa0/12 Altn BLK 19 128. verified really up to you when it comes to real-world networking.115 S T U DY G U I D E Now. --------. SW1(config)#int fast 0/11 Fa0/11 Altn BLK 19 128. Could we have raised the port priority on 0/11 C H R I S B R YA N T SW2#show spanning vlan 30 rather than decreasing it on 0/12? Let’s find out! First.11 P2p Fa0/12 Root FWD 19 128. it’s great to know more than one way to get something done! 110 111 . ---------. ----- --. For CCNP SWITCH exam success. Fa0/11 Altn BLK 19 128. ---------. ---------. ----- --. --------.12 P2p On fast 0/11. --------. Interface Role Sts Cost Prio. ----- --. show spanning vlan 30 and show spanning vlan 40 verify the change back to fast 0/12.Nbr Type ---------------. --------. ---------.12 P2p SW1(config-if)#no spanning vlan 30 port-priority 64 SW2#show spanning vlan 40 On SW2. ---------.Nbr Type ---------------.Nbr Type ---------------.12 P2p SW2#show spanning vlan 40 SW2#show spanning vlan 10 Interface Role Sts Cost Prio.11 P2p SW1(config-if)#no spanning vlan 40 port-priority 64 Fa0/12 Altn BLK 19 128.11 P2p Fa0/12 Root FWD 19 128.12 P2p Prio. Interface Role Sts Cost Prio. Fa0/11 Altn BLK 19 128. ---------------.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 . Interface Role Sts Cost Prio.11 P2p SW1(config-if)#spanning vlan 30 port-priority 160 Fa0/12 Root FWD 19 128.Nbr Type … while VLANs 10 and 20 continue to use the trunk over fast 0/12. Fa0/11 Altn BLK 19 128.Nbr Type ---------------. --------. 
--------.Nbr Type ---------------. I’ll remove the two lab commands from fast 0/12 on SW1. SW1(config)#int fast 0/12 Fa0/11 Root FWD 19 128.12 P2p SW2#show spanning vlan 20 Interface Role Sts Cost Prio. by show spanning vlan on SW2.11 P2p Fa0/12 Root FWD 19 128. ----- --. ----- --. I already know what you’re gonna ask.
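To show the mechanics behind those lab results, here is an added example (my own Python, not code from this study guide or from Cisco IOS) that implements the root port tie-breaker list and the increments-of-16 check the switch enforces. The cabling it assumes, SW1 Fa0/11 (port 13) facing SW2 Fa0/12 and SW1 Fa0/12 (port 14) facing SW2 Fa0/11, is an assumption chosen to match the Prio.Nbr values in the output above; the function names are mine.

```python
# Added example, not code from the study guide: how a non-root switch picks its
# root port from the Configuration BPDUs it receives, and why changing the port
# priority on the ROOT's side of a trunk moves a VLAN from one trunk to the
# other. The cabling is an assumption chosen to match the page's Prio.Nbr values
# (SW1 Fa0/11 = port 13 facing SW2 Fa0/12, SW1 Fa0/12 = port 14 facing SW2 Fa0/11).
from dataclasses import dataclass


@dataclass(frozen=True)
class Bpdu:
    """Fields of a received Configuration BPDU that matter for root port selection."""
    root_path_cost: int       # sender's cost to the root plus the receiving port's cost
    sender_bid: tuple         # (priority + sys-id-ext, MAC) of the sending switch
    sender_port_id: tuple     # (port priority, port number) on the sending switch
    receiver_port_id: tuple   # (port priority, port number) on the receiving switch


def validate_port_priority(value: int) -> int:
    """IOS accepts 0-240 in increments of 16; anything else draws the
    '% Port Priority in increments of 16 is required' error seen in the lab."""
    if not 0 <= value <= 240 or value % 16:
        raise ValueError("% Port Priority in increments of 16 is required")
    return value


def select_root_port(received: dict) -> str:
    """received maps a local interface name to the BPDU heard on it.
    Tie-breakers in order: lowest root path cost, lowest sender bridge ID,
    lowest sender port ID (priority, then number), lowest receiver port ID."""
    return min(received, key=lambda ifname: (
        received[ifname].root_path_cost,
        received[ifname].sender_bid,
        received[ifname].sender_port_id,
        received[ifname].receiver_port_id,
    ))


def sw2_root_port(prio_sw1_fa0_11: int = 128, prio_sw1_fa0_12: int = 128) -> str:
    """SW2's root port for one VLAN, given the per-VLAN port priority SW1 (the root)
    has on each of its two trunk ports. Root ID and costs are the page's values."""
    root_bid = (24586, "001c.0fbf.2f00")   # Root ID from the page's show spanning vlan 10
    received = {
        # SW2 Fa0/12 hears the BPDU SW1 sends from Fa0/11 (SW1's port 13); assumed cabling
        "Fa0/12": Bpdu(19, root_bid, (validate_port_priority(prio_sw1_fa0_11), 13), (128, 12)),
        # SW2 Fa0/11 hears the BPDU SW1 sends from Fa0/12 (SW1's port 14); assumed cabling
        "Fa0/11": Bpdu(19, root_bid, (validate_port_priority(prio_sw1_fa0_12), 14), (128, 11)),
    }
    return select_root_port(received)


if __name__ == "__main__":
    print("defaults:                ", sw2_root_port())
    print("SW1 fast 0/12 priority 64:", sw2_root_port(prio_sw1_fa0_12=64))
    print("SW1 fast 0/11 priority 160:", sw2_root_port(prio_sw1_fa0_11=160))
```

Run it and the three printed cases reproduce the lab: the root port stays on Fa0/12 at the defaults, and either lowering SW1’s priority on fast 0/12 or raising it on fast 0/11 moves the VLAN to Fa0/11, because SW2 compares the sender’s port ID (priority first, then port number) once cost and sender bridge ID tie.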

STP Timers
These timers are so important, you’ll see them twice when you run show spanning vlan! (That’s not the real reason, but you will see them twice.)

SW1#show spanning vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID    Priority 32769
           Address 000f.90e2.2540
           This bridge is the root
           Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID  Priority 32769 (priority 32768 sys-id-ext 1)
           Address 000f.90e2.2540
           Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
           Aging Time 15

Interface  Role Sts Cost Prio.Nbr Type
---------- ---- --- ---- -------- ----
Fa0/11     Desg FWD 19   128.11   P2p
Fa0/12     Desg FWD 19   128.12   P2p

Hello Time defines how often the root bridge originates Config BPDUs. Default setting: 2 seconds.

Forward Delay is the length of the listening and learning port stages, with a default of 15 seconds for each individual stage.

Maximum Age (Max Age) is how long a switch will retain the superior BPDU’s contents before discarding it. Default setting: 20 seconds.

Those are important values to know, but why do we see each one listed twice in that output? The first set of timers is in the Root ID field. It’s this set of timers that is actually used by the root and all switches that receive a Configuration BPDU that originated with that particular root. The second set of timers is found in the Bridge ID field, and those are the local switch’s setting for the timers. Unless you’re on the root, those timers under Bridge ID do not matter.

Use spanning vlan to change these timers. IOS shows us the ranges of allowable settings for each command. None of them can be set to zero. For the change to take effect throughout the VLAN, always use these commands on your primary and secondary roots.

SW1(config)#spanning vlan 1 ?
  forward-time  Set the forward delay for the spanning tree
  hello-time    Set the hello interval for the spanning tree
  max-age       Set the max age interval for the spanning tree
  priority      Set the bridge priority for the spanning tree
  root          Configure switch as root
  <cr>
SW1(config)#spanning vlan 1 hello ?
  <1-10>  number of seconds between generation of config BPDUs
SW1(config)#spanning vlan 1 hello 5
SW1(config)#spanning vlan 1 forward ?
  <4-30>  number of seconds for the forward delay timer
SW1(config)#spanning vlan 1 forward 16
SW1(config)#spanning vlan 1 max-age ?
  <6-40>  maximum number of seconds the information in a BPDU is valid
SW1(config)#spanning vlan 1 max-age 25

Verify with show spanning vlan.

SW1#show spanning vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID    Priority 32769
           Address 000f.90e2.2540
           This bridge is the root
           Hello Time 5 sec Max Age 25 sec Forward Delay 16 sec
Bridge ID  Priority 32769 (priority 32768 sys-id-ext 1)
           Address 000f.90e2.2540
           Hello Time 5 sec Max Age 25 sec Forward Delay 16 sec
           Aging Time 300

On the root bridge, we expect the timers in the Root ID and Bridge ID fields to be identical. What about the downstream, non-root switch though?

SW2#show spanning vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID    Priority 32769
           Address 000f.90e2.2540
           Cost 19
           Port 13 (FastEthernet0/11)
           Hello Time 5 sec Max Age 25 sec Forward Delay 16 sec
Bridge ID  Priority 32769 (priority 32768 sys-id-ext 1)
           Address 0017.9466.f780
           Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
           Aging Time 300 sec

As expected, the settings in use are the ones under Root ID!

Root Switch Selection: Be Deterministic
If we leave STP to its own devices, a single switch is going to be the root bridge for every VLAN in our network. The switch with the lowest MAC address will be crowned as the root. That might not be so bad, depending on your network topology, but the default root switch selection is left up to chance, and that’s not always best for our network.

We can choose another particular switch to be the root bridge for all VLANs, or we can spread the workload around a bit and let one switch be the root for some VLANs while another switch is the root for the rest of the VLANs. You can spread the root switch role around as much as you like. If you have 50 VLANs and five switches, you could make each switch the root for 10 VLANs. It’s up to you!

Before this lab, I did a write erase and delete vlan.dat on both switches, reloaded, and created VLANs 10, 20, and 30 for our next lab. Please note that the cabling has changed, and we’ll be adding a switch and two cables as this lab progresses. As always, SW1 is the root for all four VLANs.

We’d like SW2 to be the root for VLANs 20 and 30 while leaving SW1 the root for VLANs 1 and 10. Let’s use spanning vlan root primary to make SW2 the root for VLAN 20.

SW2(config)#spanning vlan 20 root ?
  primary    Configure this switch as primary root for this spanning tree
  secondary  Configure switch as secondary root
SW2(config)#spanning vlan 20 root primary

SW2#show spanning vlan 20
VLAN0020
Spanning tree enabled protocol ieee
Root ID    Priority 24596
           Address 0017.9466.f780
           This bridge is the root
           Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Done and done! The new root’s priority is 24596. That’s certainly good enough to make it the root, but where exactly did that priority come from? It depends...

Current root priority greater than 24576? Result: priority of new root is 24576 (plus the VLAN ID in this case, since system extension ID is running).

Current root priority less than 24576? Result: subtract 4096 from that root priority and you have the new root priority!

We’ll now make SW2 the root for VLAN 30.

SW2(config)#spanning vlan 30 root primary
SW2#show spanning vlan 30
VLAN0030
Spanning tree enabled protocol ieee
Root ID    Priority 24606
           Address 0017.9466.f780
           This bridge is the root
           Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

I’m sure you noticed the secondary option. If you want a certain switch to take over as root bridge if the current root goes down, run spanning vlan root secondary on the desired secondary bridge. That command will adjust the switch’s priority enough to make it the backup root, but not enough to make it the primary root. Let’s see that in action! SW2 is still the root for VLANs 20 and 30, and we’ve added a third switch to the lab. We’ll concentrate on those two VLANs from here on out.
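Here is an added example (my own Python, not the study guide’s or Cisco’s code) that turns those two priority rules into a function, applies the increments-of-4096 check the switch enforces on spanning vlan priority, and runs the bridge ID comparison that decides the root and, with the root gone, the backup. It replays the VLAN 20 lab with the page’s switch names and MACs, so it also answers the pop quiz that follows. The 28672 it uses for root secondary is IOS’s fixed value, which the page does not print, and the function names are mine.

```python
# Added example, not code from the study guide: the priority that
# "spanning vlan root primary" picks under the two rules the page gives, the
# multiple-of-4096 check IOS applies to "spanning vlan priority", and the
# bridge ID comparison that decides who becomes root. Switch names and MACs
# are the page's; ROOT_SECONDARY_PRIORITY is IOS's fixed value (not printed
# on the page); the function names are mine.


def validate_bridge_priority(value: int) -> int:
    """IOS accepts only multiples of 4096 from 0 to 61440
    ('% Bridge Priority must be in increments of 4096.')."""
    if not 0 <= value <= 61440 or value % 4096:
        allowed = " ".join(str(v) for v in range(0, 61441, 4096))
        raise ValueError(
            f"% Bridge Priority must be in increments of 4096. Allowed values are: {allowed}")
    return value


def root_primary_priority(current_root_priority: int) -> int:
    """Base priority chosen by 'spanning vlan root primary' (sys-id-ext not yet added):
    24576 if the current root is above that, otherwise 4096 below the current root.
    The page does not say what happens at exactly 24576; treating it like 'less than'
    is this example's assumption."""
    base = 24576 if current_root_priority > 24576 else current_root_priority - 4096
    if base < 0:
        # assumption: refuse rather than go below 0 (the page does not cover this case)
        raise ValueError("current root is already at priority 0; nothing lower exists")
    return validate_bridge_priority(base)


ROOT_SECONDARY_PRIORITY = 28672   # IOS's fixed value for 'root secondary' (not shown on the page)


def bridge_id(base_priority: int, vlan: int, mac: str) -> tuple:
    """Bridge ID as IOS displays it: priority + sys-id-ext (the VLAN number), then the
    MAC as tie-breaker. Dotted-hex MACs compare correctly as lowercase strings because
    they are fixed width."""
    return (validate_bridge_priority(base_priority) + vlan, mac.lower())


def elect_root(switches: dict, vlan: int) -> str:
    """switches maps name -> (base priority, MAC); the lowest bridge ID wins."""
    return min(switches, key=lambda n: bridge_id(switches[n][0], vlan, switches[n][1]))


def lab_vlan20(sw2_online: bool = True, sw3_is_secondary: bool = True) -> dict:
    """Replays the page's VLAN 20 lab: SW1 at the default priority, SW2 given
    'root primary', SW3 optionally given 'root secondary'. Returns the priorities
    as show spanning vlan 20 would display them and the elected root."""
    sw1 = (32768, "000f.90e2.2540")
    sw2_base = root_primary_priority(sw1[0])      # the current root (SW1) sits at 32768
    sw2 = (sw2_base, "0017.9466.f780")
    sw3 = (ROOT_SECONDARY_PRIORITY if sw3_is_secondary else 32768, "001c.0fbf.2f00")
    switches = {"SW1": sw1, "SW2": sw2, "SW3": sw3}
    if not sw2_online:
        del switches["SW2"]                       # SW2 reloaded: its BPDUs stop arriving
    return {
        "sw2_displayed_priority": sw2_base + 20,  # 24596 in the page's output
        "sw3_displayed_priority": sw3[0] + 20,
        "root": elect_root(switches, 20),
    }
```

With SW3 left at the default, the reload case falls through to the MAC tie-breaker and SW1 wins, because "000f" sorts before "001c"; with SW3 at the secondary priority it wins on priority alone, which is the point of the root secondary command.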

Here’s the Bridge ID info for both SW1 and SW2, and here’s a pop quiz: Which one of these would take over as the root for VLAN 20 if SW2 went down?

SW1#show spanning vlan 20
Bridge ID  Priority 32788 (priority 32768 sys-id-ext 20)
           Address 000f.90e2.2540
           Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
           Aging Time 300

SW3#show spanning vlan 20
Bridge ID  Priority 32788 (priority 32768 sys-id-ext 20)
           Address 001c.0fbf.2f00
           Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
           Aging Time 300 sec

They both have the default priority, so it comes down to MAC address, and SW1’s MAC is lower than that of SW3. SW1’s address begins with “000”, and SW3’s begins with “001”, so nothing after that matters. I’ll reload SW2 and we’ll see if SW1 becomes the root in SW2’s absence.

SW2#reload
Proceed with reload? [confirm]
*Mar 1 01:27:11.899: %SYS-5-RELOAD: Reload requested by console.

SW1#show spanning vlan 20
VLAN0020
Spanning tree enabled protocol ieee
Root ID    Priority 32788
           Address 000f.90e2.2540
           This bridge is the root

It does indeed! (show spanning vlan 30 isn’t shown, but we know SW1 is the root for that VLAN as well.) SW2 will become the root for VLAN 20 again once it comes back up…

SW2#show spanning vlan 20
VLAN0020
Spanning tree enabled protocol ieee
Root ID    Priority 24596
           Address 0017.9466.f780
           This bridge is the root

… but we’d like SW3 to take over as the root for VLAN 20 when SW2 is unavailable, while keeping SW1 as the root for VLAN 30 in that circumstance.

SW3(config)#spanning vlan 20 root ?
  primary    Configure this switch as primary root for this spanning tree
  secondary  Configure switch as secondary root

Let’s make it happen. Note the change to SW3’s priority.

SW3(config)#spanning vlan 20 root secondary
SW3#show spanning vlan 20
VLAN0020
Spanning tree enabled protocol ieee
Root ID    Priority 24596

When SW2 goes offline, SW1 will again take over the root bridge role for VLAN 30, but now SW3 will take that role for VLAN 20.

SW2#reload
Proceed with reload? [confirm]

SW1#show spanning vlan 30
This bridge is the root

SW3#show spanning vlan 20
This bridge is the root

SW2 will again take over as the primary root for both VLANs when it comes back online. SW3 remains the secondary for VLAN 20 and SW1 the secondary for VLAN 30.

If SW1 is the desired secondary root for VLAN 30, you’re fine right now, but what if another switch is added to the network? That new switch might have a lower MAC than that of SW1. In this situation, I would manually configure SW1 as the secondary root for VLAN 30.

Of the two methods to configure primary and secondary roots, I prefer the one we just used. You can change the priority manually with spanning vlan priority, but the switch isn’t going to help you by saying “Hey, the priority you set isn’t low enough for this switch to become the primary / secondary!” There’s one more thing that makes this method a tad complicated:

SW1(config)#spanning vlan 20 priority ?
  <0-61440>  bridge priority in increments of 4096
SW1(config)#spanning vlan 20 priority 7000
% Bridge Priority must be in increments of 4096.
% Allowed values are:
  0     4096  8192  12288 16384 20480 24576 28672
  32768 36864 40960 45056 49152 53248 57344 61440

Hey, I tried using a non-4096 multiple!

By the way, we just got a call from the other BPDU type, demanding semi-equal time!

The Topology Change Notification BPDU
TCN BPDUs are generated by a switch when a port goes into forwarding mode or when a port goes from forwarding or learning into blocking mode. The TCN doesn’t say exactly what happened, just that something happened.

Each switch receiving the TCN will send an ACK back, and the TCN continues to be forwarded until it reaches the root.


When the root receives the TCN, the root will acknowledge it in the form of a Configuration BPDU with the Topology Change bit set. That BPDU with the TC bit set tells the receiving switches to change the aging time for their MAC tables from the default of 300 seconds to the duration of the Forward Delay timer. By default, that’s just 15 seconds! This allows the switch to quickly rid itself of now-invalid MAC address table entries while keeping entries for hosts that are currently sending frames to that switch. The aging time will stay at the new value for (Forward Delay + Max Age), and if the timers haven’t been changed, that’s 35 seconds.

Exception time! Changes to Portfast-enabled ports cannot result in the generation of a TCN BPDU. That makes sense, since the most common use of Portfast is when a single PC is directly connected to a switch port. When a port connected to a host goes into forwarding mode, it doesn’t really affect STP operation, so there’s no need to alert the entire network about it.

Chapter 6: STP — ADVANCED FEATURES AND VERSIONS
If you’re fuzzy on Portfast or any other advanced STP features, we’ll take care of that in the very next section! Putting these features into operation is easy. Knowing where to run them and why is another matter. Let’s jump right in!

Portfast
Portfast allows a port running STP to go directly from blocking to forwarding mode. And I can hear you now… “We spent all that time talking about STP preventing switching loops, and now you want to turn a couple of them off?” Well, yeah, but only in a specific situation. The chances of a switching loop on a single port with a single host connected are very small, so Portfast allows us to cheat just a bit in order to get that host up and running. The STP learning and listening stages can interfere with your host’s DHCP address acquisition process. If you have a host that has trouble getting an IP address via DHCP, configuring Portfast on that host’s switchport is the way to go.

Enable portfast on a per-port level with spanning-tree portfast. Enabling this feature results in one long warning and an additional message.

SW2(config)#int fast 0/3
SW2(config-if)#spanning-tree ?
  bpdufilter     Don’t send or receive BPDUs on this interface
  bpduguard      Don’t accept BPDUs on this interface
  cost           Change an interface’s spanning tree port path cost
  guard          Change an interface’s spanning tree guard mode
  link-type      Specify a link type for spanning tree protocol use
  mst            Multiple spanning tree
  port-priority  Change an interface’s spanning tree port priority
  portfast       Enable an interface to move directly to forwarding on link up
  stack-port     Enable stack port
  vlan           VLAN Switch Spanning Tree
SW2(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION
%Portfast has been configured on FastEthernet0/3 but will only have effect when the interface is in a non-trunking mode.

The switch has given us a warning about the proper and improper use of Portfast, and has also let us know that trunking must be disabled in order for Portfast to be enabled. We do have the option of enabling Portfast on a trunk port, and after doing so, a slightly different message appears.

SW2(config-if)#spanning-tree portfast ?
  disable  Disable portfast for this interface
  trunk    Enable portfast on the interface even in trunk mode
  <cr>
SW2(config-if)#spanning-tree portfast trunk
%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc... to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION

Enable Portfast globally with spanning portfast default. Using this command enables Portfast on all access ports, and after doing so, we’ll be warned about it again!

SW2(config)#spanning portfast ?
  bpdufilter  Enable portfast bpdu filter on this switch
  bpduguard   Enable portfast bpdu guard on this switch
  default     Enable portfast by default on all access ports
SW2(config)#spanning portfast default
%Warning: this command enables portfast by default on all interfaces. You should now disable portfast explicitly on switched ports leading to hubs, switches and bridges as they may create temporary bridging loops.

As IOS Help is so helpful to let us know, there’s no “show spanning portfast” command. Verify with show spanning interface portfast.

SW2#show spanning portfast
                      ^
% Invalid input detected at ‘^’ marker.
SW2#show spanning int fast 0/10 portfast
VLAN0001 disabled
VLAN0010 disabled
VLAN0020 disabled
VLAN0030 disabled

UplinkFast
When a port goes through the blocking-to-forwarding transition, we’re looking at a 50-second delay before that port can actually begin forwarding frames. That almost-minute feels like almost-hours at times. Configuring a port with Portfast is one way to avoid part of that delay, but we’re advised over and over by Cisco not to use Portfast unless it’s on a port where a single host device is found. What if the device off that port is another switch?

SW3 has two paths to the root, and assuming all port speeds are the same, the direct physical path will be the path SW3 uses to reach the root. STP blocks one of our six ports in order to prevent switching loops, which is good. If the open path between SW1 and SW3 goes down, there will be approximately a 50-second delay before that blocked port is open, and that’s bad.

With Uplinkfast in use, the ports SW3 could potentially use to reach the root switch are collectively referred to as an uplink group. The uplink group includes ports in blocking and forwarding mode. If the forwarding port in the uplink group senses that the primary link is down, another port in the uplink group will be transitioned immediately (almost) from blocking to forwarding. By “almost immediately”, I mean 1 – 3 seconds, although some Cisco documentation makes it sound like there’s no delay at all.

The original root port on the Uplinkfast-enabled switch will become the root port again when it detects that the original primary path to the root is available once more. This doesn’t take place immediately; the switch will wait (2 x Forward Delay) + 5 seconds before the primary root port enters forwarding state.

Uplinkfast is enabled globally and for all VLANs residing on the switch. It’s all or nothing with this feature – you can’t run it on a per-port or per-VLAN basis. Cisco strongly recommends Uplinkfast not be used on distribution- and core-layer switches. Frankly, Uplinkfast is Portfast for wiring closets.

SW2(config)#spanning uplinkfast ?
  max-update-rate  Rate at which station address updates are sent
  <cr>

Uplinkfast does have two immediate actions you should be aware of, and they both occur when Uplinkfast is first enabled. The first is setting the switch priority to 49,152. This effectively prevents this switch from becoming the root unless all other switches go down, in which case you have much bigger problems to deal with! The STP port cost is increased by 3000, making it unlikely that this switch will be used to reach the root switch by any downstream switches.

SW2#show spanning vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID    Priority 32769
           Address 000f.90e2.2540
           Cost 3019
           Port 14 (FastEthernet0/12)
           Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID  Priority 49153 (priority 49152 sys-id-ext 1)
           Address 0017.9466.f780
           Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
           Aging Time 300 sec
Uplinkfast enabled

Interface  Role Sts Cost
---------- ---- --- ----
Fa0/12     Root FWD 3019

UplinkFast works really well, and on occasion it works a little too well. Actually, a little too fast! Let’s revisit the original network and add two hosts.

Frames from Host A will currently go through SW2, then SW1, then SW3. When the link between SW3 and SW1 goes down, that path is no longer valid, but the now-invalid entry to send frames to Host B via SW1 will still be in SW2’s table. The cutover to the backup path is so fast that the MAC address tables of other switches in the network may be out of date for a few seconds after the cutover.

To avoid that, SW3 sends “dummy” multicast frames to SW2. That flooding quickly updates SW2’s MAC address table. The destination address is 0100.0ccd.cdcd, and the source address – well, that’s the rub. We’re going to send these frames for every single MAC address entry in SW3’s table, which might be small or might be very large! If SW3’s MAC address table is particularly large, you may want to adjust the maximum update rate, which by default is 150 packets per second. That’s where our single Uplinkfast option comes into play:

SW3(config)#spanning uplinkfast max-update-rate ?
  <0-32000>  Maximum number of update packets per second

You can disable the sending of those dummy frames by setting this value to zero.

Verify your Uplinkfast settings with show spanning uplinkfast.

SW3#show spanning uplinkfast
UplinkFast is enabled
Station update rate set to 150 packets/sec.
UplinkFast statistics
Number of transitions via uplinkFast (all VLANs)            : 0
Number of proxy multicast addresses transmitted (all VLANs) : 0

BackboneFast
The Cisco-proprietary feature BackboneFast helps our network recover from indirect link failures. The key word is indirect. If a switch detects an indirect link failure (a failure of a link not directly connected to the switch in question), BackboneFast goes into action.

An indirect link failure is detected when an inferior BPDU is received, as we’ll see in the upcoming walkthrough. Let’s take a look at a three-switch setup where all links are working (currently!), and STP is running as expected. All links are running at the same speed.

SW1 has been elected root, and it sends Configuration BPDUs to SW2 and SW3 every two seconds reminding them of that. In turn, SW2 takes the BPDU it’s receiving from SW1 and relays it to SW3. All is well until SW2 loses its connection to SW1, which means SW2 will start announcing itself as the root. SW3 will receive two separate BPDUs from two claimants to the root bridge role.

SW3 compares the priority in each BPDU and sees SW2 has a higher BID, making the BPDU from SW2 an inferior BPDU. As a result, SW3 ignores that BPDU. Once SW3’s MaxAge timer on the port leading to SW2 hits zero, that port will transition to the listening state and start relaying the information contained in the BPDU coming from SW1 – the superior BPDU.

Backbonefast speeds up the overall process by skipping the MaxAge stage. This doesn’t eliminate the delay, but it does cut the overall delay from 50 to 30 seconds (the overall duration of the listening and learning states).

When an indirect link outage is detected, the Root Link Query goes into action in the form of requests and responses. These message types act as a sort of echo and echo reply combo. The request is sent to ensure connectivity to the root, is sent via a port receiving BPDUs, and is sent by the switch detecting the indirect link outage.

The request names the switch believed by the sender to be the root. The recipient forwards that RLQ request out its own root port, and after a short period of time (hopefully), the request comes back with the name of the root that can be reached via that port. If they match, all is well!

All switches in the network have to be able to send, relay, and respond to RLQ requests. Since RLQ is enabled by enabling BackboneFast, you should run this feature on every switch in the network. The easiest part of BackboneFast is enabling it. This command is a true Cisco rarity in that there are no options. Just enable it, and verify with show spanning backbonefast.

SW3(config)#spanning backbonefast ?
  <cr>
SW3#show spanning backbonefast
BackboneFast is enabled
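As an added example (my own Python, not the study guide’s or Cisco’s code), here is a small model of that walkthrough: it classifies SW2’s BPDU as inferior, compares the convergence delay with and without BackboneFast, and follows a Root Link Query through the two immediate-answer cases and the relay-out-the-root-port case the text describes. The switch names and MACs are the page’s; the message shapes and function names are mine and are not Cisco’s wire format.

```python
# Added example, not code from the study guide: a model of the BackboneFast
# walkthrough. A received BPDU is inferior when it names a worse root than the
# one already known; an RLQ recipient answers at once only when it IS the root
# (good) or believes in a different root (bad), otherwise it relays the query
# out its own root port. Switch names/MACs are the page's; the message shapes
# and function names are mine, not Cisco's wire format.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Switch:
    name: str
    bid: tuple                  # (priority + sys-id-ext, MAC)
    root_bid: tuple             # the root this switch currently believes in
    upstream: Optional[str]     # neighbour on its root port (None when it is the root)


def bpdu_is_inferior(known_root: tuple, advertised_root: tuple) -> bool:
    """Inferior = advertises a worse (numerically higher) root than the one already known."""
    return advertised_root > known_root


def convergence_delay(max_age: int = 20, forward_delay: int = 15, backbonefast: bool = False) -> int:
    """Seconds before the port forwards after an indirect failure: MaxAge + listening +
    learning normally (50 at the defaults); BackboneFast skips the MaxAge wait (30)."""
    return (0 if backbonefast else max_age) + 2 * forward_delay


def root_link_query(network: dict, first_hop: str, queried_root: tuple, hops: int = 0) -> dict:
    """Send an RLQ naming 'queried_root' to 'first_hop' and apply the page's rules.
    Returns who answered, which root they can reach, and how many relays it took."""
    sw = network[first_hop]
    if sw.bid == queried_root:          # the good immediate answer: the recipient IS the root
        return {"answered_by": sw.name, "root_reached": sw.bid, "hops": hops, "match": True}
    if sw.root_bid != queried_root:     # the bad immediate answer: a different root is listed
        return {"answered_by": sw.name, "root_reached": sw.root_bid, "hops": hops, "match": False}
    if sw.upstream is None:
        raise RuntimeError(f"{sw.name} believes in {queried_root} but has no root port")
    return root_link_query(network, sw.upstream, queried_root, hops + 1)   # relay out the root port


def build_lab(sw2_lost_uplink: bool = False) -> dict:
    """SW1 is root; SW2 and SW3 hang off it. If SW2 loses its link to SW1 it starts
    claiming the root role itself, as in the walkthrough."""
    sw1_bid = (32769, "000f.90e2.2540")
    sw2_bid = (32769, "0017.9466.f780")
    sw3_bid = (32769, "001c.0fbf.2f00")
    return {
        "SW1": Switch("SW1", sw1_bid, sw1_bid, None),
        "SW2": Switch("SW2", sw2_bid, sw2_bid if sw2_lost_uplink else sw1_bid,
                      None if sw2_lost_uplink else "SW1"),
        "SW3": Switch("SW3", sw3_bid, sw1_bid, "SW1"),
    }


def sw3_reacts(network: dict) -> dict:
    """What SW3 makes of the BPDU it hears from SW2 and, if that BPDU is inferior,
    what RLQs sent out its root port (toward SW1) and toward SW2 come back with."""
    sw3, sw2 = network["SW3"], network["SW2"]
    inferior = bpdu_is_inferior(sw3.root_bid, sw2.root_bid)
    result = {"sw2_bpdu_inferior": inferior}
    if inferior:
        result["rlq_via_root_port"] = root_link_query(network, sw3.upstream, sw3.root_bid)
        result["rlq_toward_sw2"] = root_link_query(network, "SW2", sw3.root_bid)
    return result
```

In the healthy lab SW2 simply relays SW1’s root, so an RLQ handed to SW2 is forwarded once and answered by SW1; once SW2 has lost its uplink its own BPDU is inferior at SW3, the query toward SW1 still matches, and the query toward SW2 comes straight back naming a different root, which is the "bad" immediate answer the text describes.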

There are two circumstances under which the recipient will respond immediately, one good and one bad. The bad one: The recipient has a different root bridge listed. The good one: The recipient IS the root bridge.

Root Guard
The root we’re guarding, of course, is the root switch!

SW1 is entrenched as the root – until SW4 arrives!

SW4 will take over as the root due to its lower BID, and depending on your network design and the switches’ capabilities, you might not want that. SW4 could also be a rogue switch! If we go to the trouble of deciding which switch should be the root, we should likely go to a little bit of trouble in protecting that switch’s role. That’s where Root Guard comes in.

Root Guard is configured at the port level, and disqualifies any switch downstream from that port from becoming the primary or secondary root. To prevent SW4 from taking over either of those roles, configure Root Guard on SW3’s port leading to SW4.

When a superior BPDU is received on a port running Root Guard, that BPDU is discarded and the port put into root-inconsistent state. That’s verified by show spanning vlan and show spanning inconsistent-ports as well as this console message I received once SW4 came online and started sending those superior BPDUs to SW3.

%SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/4 on VLAN0001.

SW3#show spanning vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID    Address 000f.90e2.2540
           Cost 19
           Port 14 (FastEthernet0/12)
           Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID  Priority 32769 (priority 32768 sys-id-ext 1)
           Address 001c.0fbf.2f00
           Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
           Aging Time 300 sec

Interface  Role Sts Cost Prio.Nbr Type
---------- ---- --- ---- -------- ----
Fa0/4      Desg BKN 19   128.6    P2p *ROOT_Inc
Fa0/11     Altn BLK 19   128.13   P2p
Fa0/12     Root FWD 19   128.14   P2p

The interface receiving the superior BPDU isn’t totally shut down by Root Guard. It’s still listening for BPDUs, and once those superior BPDUs stop coming, that port will transition normally through the STP port states and will come out of root-inconsistent state on its own. To illustrate, I’ll set SW4’s priority back to the default.

SW4(config)#no spanning vlan 1 priority 4096

SW4 quickly recognizes SW1 as the root…

SW4#show spanning vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID    Priority 8193 (SW1 is still the root!)
           Address 000f.90e2.2540

SW3#show spanning vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID    Priority 8193
           Address 000f.90e2.2540

SW3(config-if)#spanning ?
  bpdufilter     Don't send or receive BPDUs on this interface
  bpduguard      Don't accept BPDUs on this interface
  cost           Change an interface's spanning tree port path cost
  guard          Change an interface's spanning tree guard mode
  link-type      Specify a link type for spanning tree protocol use
  mst            Multiple spanning tree
  port-priority  Change an interface's spanning tree port priority
  portfast       Enable an interface to move directly to forwarding on link up
  stack-port     Enable stack port
  vlan           VLAN Switch Spanning Tree

Hey, remember that Portfast warning? Of course you do!

SW3(config)#int fast 0/2
SW3(config-if)#spanning portfast
%Warning: portfast should only be enabled on ports connected to a single host. Connecting hubs, concentrators, switches, bridges, etc. to this interface when portfast is enabled, can cause temporary bridging loops. Use with CAUTION

You would think that might discourage anyone thinking of connecting a switch to a Portfast-enabled port, but someone just might try it, and doing so creates the possibility of a switching loop. Enabling BPDU Guard on a port will result in that port going into error disabled state (“errdisabled state”) when any BPDU is received, superior or inferior.

We’ll use the topology from the Root Guard section to illustrate.

%SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/4 on VLAN0001.

SW3#show spanning inc
Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------

Number of inconsistent ports (segments) in the system : 0

… and SW3’s 0/4 port is no longer root-inconsistent. What if we didn’t want any BPDUs coming in on SW3’s 0/4 port, you ask? Well… Enabling BPDU Guard on SW3’s 0/4 port will block BPDUs coming in from SW4 and shut the BPDU Guard port down. I’ll open that port after enabling BPDU Guard. Note that the command requires you to specify “enable” or “disable” – “spanning bpduguard” is not a legal command on its own.

SW3(config)#int fast 0/4

SW3(config-if)#spanning bpduguard enable
SW3(config-if)#no shut
%LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Int FastEthernet0/4, changed state to up
%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/4 with BPDU Guard enabled. Disabling port.
%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/4, putting Fa0/4 in errdisable state
%LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Int FastEthernet0/4, changed state to down

The interface came up physically and logically, but the first BPDU that came in resulted in the port being disabled by BPDU Guard.

SW3#show int fast 0/4
FastEthernet0/4 is down, line protocol is down (err-disabled)

An error-disabled port must be cleared manually. Once those BPDUs stop coming, you’ll need to do a shut/no shut to reset the port.

You’re not required to run BPDU Guard on a Portfast-enabled port, but it’s a good idea! It’s such a good idea that you can globally enable BPDU Guard on all Portfast-enabled ports via spanning portfast bpduguard default.

SW3(config)#spanning portfast bpduguard ?
  default  Enable bpdu guard by default on all portfast ports

If you’re not using that method of enabling BPDU Guard, remember that it’s off by default and is enabled / disabled with spanning-tree bpduguard at the interface level, regardless of Portfast:

SW3(config)#int fast 0/4
SW3(config-if)#spanning bpduguard ?
  disable  Disable BPDU guard for this interface
  enable   Enable BPDU guard for this interface

BPDU Filtering

We have a similar but not identical service at our disposal to stop unwanted BPDUs. BPDU Filtering stops all BPDUs from leaving or being accepted on a Portfast-enabled port. To enable this feature globally on all your Portfast-enabled ports:

SW3(config)#spanning-tree portfast ?
  bpdufilter  Enable portfast bpdu filter on this switch
  bpduguard   Enable portfast bpdu guard on this switch
  default     Enable portfast by default on all access ports

SW3(config)#spanning-tree portfast bpdufilter ?
  default  Enable bpdu filter by default on all portfast ports

SW3(config)#spanning-tree portfast bpdufilter default

To enable and disable this feature at the port level:

SW3(config-if)#spanning bpdufilter ?
  disable  Disable BPDU filtering for this interface
  enable   Enable BPDU filtering for this interface
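Someone collecting these console messages wants to know which ports BPDU Guard has err-disabled (those need the manual shut/no shut) and which ports Root Guard is still holding (those recover on their own). The following Python is an added example, not code from the study guide: it parses the message formats shown above plus the ROOTGUARD_BLOCK counterpart of the unblock message, and the log lines it runs on are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example (not from the study guide): parse the IOS syslog messages
# that BPDU Guard and Root Guard emit, so a log collector can tell which ports
# are err-disabled (manual shut/no shut needed) and which are root-inconsistent
# (they recover by themselves once the superior BPDUs stop).

# Message formats as shown in the BPDU Guard and Root Guard sections; the
# ROOTGUARD_BLOCK format is the IOS counterpart of the ROOTGUARD_UNBLOCK
# message shown on the page.
PATTERNS = {
    "bpduguard_block": re.compile(
        r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (?P<port>\S+) "
        r"with BPDU Guard enabled"),
    "errdisable": re.compile(
        r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<port>\S+), "
        r"putting \S+ in errdisable state"),
    "rootguard_block": re.compile(
        r"%SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port (?P<port>\S+) "
        r"on (?P<vlan>VLAN\d+)"),
    "rootguard_unblock": re.compile(
        r"%SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port (?P<port>\S+) "
        r"on (?P<vlan>VLAN\d+)"),
}

# IOS names the same port "FastEthernet0/4" in some messages and "Fa0/4" in others.
LONG_TO_SHORT = {"TenGigabitEthernet": "Te", "GigabitEthernet": "Gi", "FastEthernet": "Fa"}


@dataclass
class GuardEvent:
    kind: str
    port: str
    vlan: Optional[str] = None
    cause: Optional[str] = None


def normalize_port(name: str) -> str:
    """Map the long interface name to the short form used in other messages."""
    for long_name, short_name in LONG_TO_SHORT.items():
        if name.startswith(long_name):
            return short_name + name[len(long_name):]
    return name


def parse_line(line: str) -> Optional[GuardEvent]:
    """Return a GuardEvent for a guard-related syslog line, else None."""
    for kind, rx in PATTERNS.items():
        m = rx.search(line)
        if m:
            fields = m.groupdict()
            return GuardEvent(kind, normalize_port(fields["port"]),
                              fields.get("vlan"), fields.get("cause"))
    return None


def guard_state(lines):
    """Replay the log and return (err-disabled ports -> cause,
    set of (port, vlan) pairs Root Guard is currently holding)."""
    errdisabled = {}
    root_inconsistent = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.kind == "errdisable":
            errdisabled[ev.port] = ev.cause
        elif ev.kind == "rootguard_block":
            root_inconsistent.add((ev.port, ev.vlan))
        elif ev.kind == "rootguard_unblock":
            root_inconsistent.discard((ev.port, ev.vlan))
    return errdisabled, root_inconsistent


# Constructed sample log, in the order the lab on the page produced the messages.
SAMPLE_LOG = [
    "%SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/4 on VLAN0001.",
    "%SPANTREE-2-ROOTGUARD_UNBLOCK: Root guard unblocking port FastEthernet0/4 on VLAN0001.",
    "%LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to up",
    "%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Fa0/4 with BPDU Guard enabled. Disabling port.",
    "%PM-4-ERR_DISABLE: bpduguard error detected on Fa0/4, putting Fa0/4 in errdisable state",
    "%LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to down",
]

if __name__ == "__main__":
    disabled, held = guard_state(SAMPLE_LOG)
    for port, cause in disabled.items():
        print("%s: err-disabled by %s, clear with shut / no shut" % (port, cause))
    for port, vlan in held:
        print("%s: root-inconsistent on %s, recovers when superior BPDUs stop" % (port, vlan))
```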

To verify this and several other features we’ve seen (and will see!), along with gathering other important info, run show spanning summary.

SW3#show spanning summary
Switch is in pvst mode
Root bridge for: none
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is enabled
Portfast BPDU Filter Default is enabled
Loopguard Default            is disabled
EtherChannel misconfig guard is enabled
UplinkFast                   is disabled
BackboneFast                 is enabled

You can also verify a port’s individual BPDU Filter settings with show spanning interface detail.

SW1#show spanning int fast 0/3 detail
 Port 3 (FastEthernet0/3) of VLAN0003 is forwarding
   Port path cost 100, Port priority 128, Port Identifier 128.3.
   Designated root has priority 32771, address 000f.90e2.2540
   Designated bridge has priority 32771, address 000f.90e2.2540
   Designated port id is 128.3, designated path cost 0
   Timers: message age 0, forward delay 0, hold 0
   Number of transitions to forwarding state: 1
   The port is in the portfast mode
   Link type is shared by default
   Bpdu filter is enabled
   BPDU: sent 23, received 0

With all this talk of blocking BPDUs, we better ensure we get the ones we need!

Loop Guard

With our three-switch network back at its defaults, all six ports hit forwarding mode. We know SW1 is originating Config BPDUs and sending them to both SW2 and SW3, and the non-root switches are forwarding BPDUs to each other (hence the two-headed arrow). If the direct link between SW2 and SW3 goes unidirectional, we have a problem. What if SW3 can send BPDUs to SW2, but not vice versa? SW3 will wait the duration of the MaxAge timer and then begin to transition the port on that link from blocking to forwarding. We have a switching loop.

Loop Guard doesn’t allow that port on SW3 to go from blocking to forwarding. Instead, the port no longer receiving the BPDUs will go from blocking to loop-inconsistent, which acts a lot like blocking mode. A switching loop is prevented, and once the cable is repaired and the BPDUs begin flowing from SW2 to SW3 again, the port will come back up on its own.

To enable Loop Guard globally, run spanning-tree loopguard default.

SW1(config)#spanning-tree loopguard ?
  default  Enable loopguard by default on all ports

SW1(config)#spanning-tree loopguard default

To enable Loop Guard on a per-port basis, run spanning-tree guard loop.

SW1(config)#int fast 0/2
SW1(config-if)#spanning-tree guard ?
  loop  Set guard mode to loop guard on interface
  none  Set guard mode to none
  root  Set guard mode to root guard on interface

SW1(config-if)#spanning-tree guard loop

To disable Loop Guard at the port level, run no spanning-tree guard loop.

SW1(config-if)#no spanning-tree guard loop

Dept. Of Oddities: Loop Guard is enabled globally or on a per-port basis, but it operates on a per-VLAN basis. If a trunk is carrying traffic for VLANs 10, 20, and 30, and BPDUs stop coming in for VLAN 10, the port will go port-inconsistent for VLAN 10 only. The port will continue to operate normally for VLANs 20 and 30.

Detecting Unidirectional Links With UDLD

BPDUs may not arrive at their destination due to a unidirectional link where SW1 can send to SW2, but SW2 can’t send a BPDU back over the same connection.

UDLD’s basic operation is simple. A UDLD-enabled port sends a UDLD frame across the link every 15 seconds. The sent UDLD message lets the recipient know which port sent the message, and then the recipient sends it right back with info on the port that received the message. If something comes back, we have a bidirectional link and all is well. If nothing comes back, we have a unidirectional link.

UDLD can be enabled and disabled on a global and per-port basis. For global enabling and disabling, use udld followed by the mode you want.

SW1(config)#udld ?
  aggressive  Enable UDLD protocol in aggressive mode on fiber ports except where locally configured
  enable      Enable UDLD protocol on fiber ports except where locally configured
  message     Set UDLD message parameters

If you don’t specify aggressive mode, the port defaults to normal mode, which doesn’t shut the port down under any circumstances. When UDLD runs in Normal mode, it gives us a syslog message to let us know about the problem.

Run UDLD in aggressive mode, and the results are much more… aggressive! We call this mode “aggressive” for two reasons. First, a UDLD message is sent every second once a possible unidirectional link is detected. Second, the port is shut down after eight missed messages. As opposed to Normal mode, the port will be put into err-disabled state after eight sent UDLD messages result in zero UDLD frames from the remote switch.

Use the same command at the interface level.

SW2(config-if)#udld ?
  port  Enable UDLD protocol on this interface despite global UDLD setting

SW2(config-if)#udld port ?
  aggressive  Enable UDLD protocol in aggressive mode on this interface despite global UDLD setting
  disable     Disable UDLD protocol on this interface despite global UDLD setting
  <cr>

For UDLD to be effective, it must be enabled on both endpoints. Problem is, if aggressive mode shuts a port down after failing to receive an echo reply to eight consecutive UDLD frames going out once per second, won’t the second port you configure always shut down before you finish the config?

Actually, no. When UDLD’s aggressive mode is configured on the first endpoint, that port will indeed start sending UDLD frames every 15 seconds. However, the remote switch has to answer back with a UDLD echo, letting the local switch know that the remote switch is indeed running UDLD. The absence of a UDLD echo from the remote endpoint doesn’t trigger the aggressive 8-second countdown to shutting the port down. Once SW1 has received an echo reply from SW2, the eight-second countdown will begin if SW1 stops getting UDLD replies from SW2.

Rapid Spanning-Tree Protocol

STP is fantastic at what it does – we’d just like it to get done a little faster. The overall 30-second delay built into STP convergence via the listening and learning states was once considered an acceptable delay (and still is in many networks), and that’s why the Rapid Spanning Tree Protocol (RSTP) was developed! RSTP is defined by IEEE 802.1w, and it’s considered an extension of 802.1d. RSTP makes things just a bit more… rapid.

The overall concept of the root bridge is still present in RSTP, but the port roles themselves are different. The root port concept stays the same as we move from STP to RSTP. Non-root switches select a root port, that port being the one with the lowest root path cost.

Let’s take a look at the RSTP roles in this network, where SW1 is the root. Root and designated ports have already been selected. Note SW3 has multiple connections to the Ethernet segment.

As with our STP example, a designated port must be elected on the segment connecting SW2 and SW3. Before that can happen, SW2 and SW3 have both selected their root ports. As you’d expect, the DP will be the port with the lowest root path cost of all the ports on that segment, and we’ll assume that to be one of the two ports SW3 has connected to that segment.

Here come the differences! RSTP has alternate ports rather than blocked ports. SW2’s port on the shared segment is an alternate port (ALT) – but what of the remaining port on SW3? That port becomes the backup port for that segment. The “alternate” refers to the port having an alternate path to the root switch than the actual root port does. This port gives SW3 a redundant path on that segment without guaranteeing that the root switch will still be accessible. (More on that very soon.)

As with STP, RSTP-enabled root bridges will not have root ports (they don’t play a role, actually), but rather designated ports.

There are slight and important differences between STP and RSTP port states as well. STP ports disabled, blocking, and listening are combined into the RSTP state discarding, the initial RSTP port state. RSTP ports transition from discarding to learning, where incoming frames are discarded but the MAC addresses are being learned by the switch. Finally, the RSTP port transitions to the forwarding state, the equivalent of STP’s forwarding state.

A quick comparison:

STP: disabled > blocking > listening > learning > forwarding
RSTP: discarding > learning > forwarding

In addition to the familiar root port concept, RSTP brings with it two unique port types, edge ports and point-to-point ports. An edge port is simply a port on the edge of the network, likely connected to a single host such as an end user’s PC. RSTP edge ports are simply PortFast-enabled ports, so they can go straight from discarding to forwarding. To configure a port as an RSTP edge port, just run the familiar spanning-tree portfast command.

Edge ports play a huge part in RSTP’s determination of when a topology change has taken place, since RSTP considers a topology change to have taken place when a port moves into forwarding mode – unless that port is an edge port. That’s hardly an earth-shattering change to our network, since only a single host will be connected to that particular port, so RSTP doesn’t bother alerting the rest of the network about it. If a BPDU comes in on an RSTP edge port, it’s “demoted” to a regular RSTP port and then generates a TCN BPDU.

A point-to-point port is any port running in full-duplex mode. (Any ports running half-duplex are considered shared ports and must run STP rather than RSTP.)

When a non-edge port moves into forwarding mode, that’s when RSTP does bother letting the rest of the network know! RSTP does so by sending BPDUs out all non-edge designated ports, and naturally the TC bit is set on those BPDUs. Switches that receive those BPDUs will remove all entries from their MAC tables except for the port the BPDU rode in on. At that point, those switches send BPDUs with the TC bit set out their non-edge DPs, and that continues until the entire network’s been notified of the change – a “ripple effect”, if you will.

Another major difference between STP and RSTP is the way BPDUs are generated. With STP, the root bridge generates and transmits BPDUs every two seconds, and the nonroot bridges read ‘em and relay ‘em. RSTP-enabled switches generate a BPDU every two seconds, regardless of whether they’ve received a BPDU from the root in that period of time. (This hello time interval is the same in both STP and RSTP.)

This slight change in operation from STP to RSTP allows all switches to have a role in detecting link failures, and the discovery of those failures is faster. How? When a switch running STP misses a BPDU, the MaxAge timer kicks in. That timer dictates how long the switch will retain the contents of the last superior BPDU it received before it ages out and the STP recalculation process begins. We know the MaxAge default – 20 seconds! Compare that to the RSTP process, where the superior BPDU is aged out when three Hello Time intervals pass without it being refreshed! Every switch expects to see a BPDU from its neighbor every two seconds, and if three BPDUs are missed, the link is considered down. The switch then immediately ages out all information concerning the port that was receiving the BPDUs. This change cuts the error detection process from 20 seconds in STP to 6 seconds in RSTP.

RSTP Synchronization

The RSTP synch process is a simple series of handshakes between switches, carried out until all switches in the network are – wait for it – synchronized! Let’s walk through the process with this three-switch network. We see a PC off one of SW2’s ports, so that’s an edge port.

SW2 realizes SW1 is the root, and would like to agree to the proposal. But not so fast, my friend! First, SW2 has to synch itself, and in order for SW2 to consider itself synched, all ports on SW2 must either be discarding or an edge port. SW2 will of course move its root port into forwarding, and as we’d expect, now SW2 must place the port leading to SW3 into discarding mode. SW2 will reply to the proposal with an agreement and will send a proposal of its own out any non-edge port that was just placed into discarding state. There’s a lot going on here – and it goes on quickly!

SW2 is agreeing with SW1 while almost simultaneously sending a proposal to SW3 (and any other downstream switches it’s connected to). In turn, SW3 goes through the same process we saw SW2 go through – SW3 would accept that proposal from SW2 while sending proposals of its own. The ripple effect is powerful in RSTP synchronization. This ripple effect fans throughout the entire network until all switches are synched.

The Question Haunting Networks Everywhere

Does RSTP play well with STP? Pretty well, actually! If a switch is running RSTP and needs to communicate with switches using both STP and RSTP, it’s the version number in the BPDU that tells the switch how to handle things. In our lab, SW3 is running RSTP after being configured with the spanning-tree mode rapid-pvst command, verified with show spanning vlan.

SW3(config)#spanning mode ?
  mst         Multiple spanning tree mode
  pvst        Per-Vlan spanning tree mode
  rapid-pvst  Per-Vlan rapid spanning tree mode

SW3(config)#spanning mode rapid-pvst ?
  <cr>

SW3(config)#spanning mode rapid-pvst

SW3#show spanning vlan 1

VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    4097
             Address     000f.90eb.d480
             Cost        19
             Port        6 (FastEthernet0/4)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     001c.0fbf.2f00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/4               Root FWD 19        128.6    P2p
Fa0/11              Desg FWD 19        128.13   P2p Peer(STP)
Fa0/12              Desg FWD 19        128.14   P2p Peer(STP)

Note the output under “Type”. When you see “Peer (STP)” as we do for the Fast0/11 and Fast0/12 links, you know those connections are to switches running STP. The link via Fast0/4 is to SW4, a switch running RSTP. This is a full-duplex point-to-point link, and when there’s no additional info after “P2p”, the link is to an RSTP-enabled switch.

It’s a rare occasion indeed when you need to manually change the link type on an interface, but if you do, just use spanning link-type.

SW3(config-if)#spanning-tree link-type ?
  point-to-point  Consider the interface as point-to-point
  shared          Consider the interface as shared

Per-VLAN Spanning Tree Versions (PVST and PVST+)

The ultimate “the name is the recipe” protocol, the Cisco-proprietary PVST runs a separate instance of STP for each VLAN.

The Good: PVST does allow for much better fine-tuning of spanning tree performance than regular ol’ STP does. More on that in just a minute.

The Bad: Running PVST does mean extra work for your CPU and memory. No matter the size of the network, everything we do on a Cisco switch has a cost in terms of CPU and/or time.

The Ugly: PVST requires ISL trunking, so Cisco came up with PVST+, which has the same functionality as PVST while having the capability to run over ISL or dot1q trunks. PVST doesn’t play well with Common Spanning Tree (more on that in a moment). And speaking of CST…

Common Spanning Tree and Multiple Spanning Tree

When our pal IEEE 802.1q (“dot1q”) is the trunking protocol, the trunk is using a common instance of STP for all VLANs – hence the name, “Common Spanning Tree”. We can’t perform any per-VLAN load balancing, since that requires multiple instances of STP! With CST’s one STP instance, one switch ends up handling all the traffic. With PVST+, we can configure per-VLAN load balancing as we did in an earlier lab, so we could spread the workload around a bit. As we know though, if we have 750 VLANs, we have 750 instances of STP running.

MST gives us a great middle ground. Let’s say we have traffic for 750 VLANs coming in, and three switches that can handle some or all of that traffic. MST serves as a middle ground between CST (one STP instance) and PVST (one STP instance per VLAN). Defined by IEEE 802.1s, MST earns its name from a scheme that allows multiple VLANs to be mapped to a single instance of STP, rather than having an instance for every VLAN. MST allows us to reduce the number of STP instances without knocking it all the way back to one; the purpose of MST is to map multiple VLANs to a lesser number of STP instances.

MST was designed with enterprise networks in mind. While it can be useful in the right environment, it’s not for every network. MST configs can become quite complex and a great deal of planning is recommended before you even start a config.

MST configuration involves logically dividing the switches into regions, where we can map VLANs to instances of STP, and the switches in any given region must agree on the MST config name, the MST-instance / VLAN-mapping table, and the MST configuration revision number. Switches that disagree on any of these values are in different regions, and MST BPDUs are used to exchange values between switches. The MST BPDUs contain the MST config name, the config revision number, and a digest value derived from the mapping table.

A good way to get a mental picture of MST – CST interoperability is that CST will cover the entire network, and MST is a “subset” of the network. CST is going to maintain a loop-free network only with the links connecting the MST network subsets. CST doesn’t know what’s going on inside the regions, nor does it want to know. MST’s job is to keep a loop-free topology in the MST region itself.

The “IST” in each region stands for Internal Spanning Tree, and it’s the IST instance that is responsible for keeping communications in the MST regions loop-free, and only the IST is going to send MST BPDUs. Up to 16 MST instances (MSTIs) can exist in a region, numbered 0 – 15. MSTI Zero is reserved for the IST instance. On occasion, you’ll see the first ten MST instances referred to as “00” – “09”; those are decimal values, not hexadecimal values.

Enable MST on the switch with spanning-tree mode mst, and follow by dropping into MST configuration mode and naming the region and revision number.

SW3(config)#spanning-tree mode ?
  mst         Multiple spanning tree mode
  pvst        Per-Vlan spanning tree mode
  rapid-pvst  Per-Vlan rapid spanning tree mode

SW3(config)#spanning-tree mode mst
SW3(config)#spanning-tree mst configuration
SW3(config-mst)#?
  abort         Exit region configuration mode, aborting changes
  exit          Exit region configuration mode, applying changes
  instance      Map vlans to an MST instance
  name          Set configuration name
  no            Negate a command or set its defaults
  private-vlan  Set private-vlan synchronization
  revision      Set configuration revision number
  show          Display region configurations

In MST configuration mode, abort exits the mode while not saving the changes; exit exits the mode and does save your changes.

SW3(config-mst)#name CCNP
SW3(config-mst)#revision ?
  <0-65535>  Configuration revision number

SW3(config-mst)#revision 1
SW3(config-mst)#instance ?
  <0-4094>  MST instance id

SW3(config-mst)#instance 1 ?
  vlan  Range of vlans to add to the instance mapping

SW3(config-mst)#instance 1 vlan ?
  LINE  vlan range ex: 1-65, 72, 300-200

SW3(config-mst)#instance 1 vlan 1-250

Verify with show pending. This is an MST configuration mode command. By default, VLANs not manually assigned to an instance are mapped to Instance Zero.

SW3(config-mst)#show pending
Pending MST configuration
Name      [CCNP]
Revision  1     Instances configured 2
Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         251-4094
1         1-250

Chapter 7: Etherchannels

Time to go from spanning to channeling!

An Etherchannel is a logical bundling of two to eight parallel trunks running between two switches. This bundling of Fast Ethernet, Gig Ethernet, or even 10 Gig Ethernet ports is aggregation, and we love aggregation! We use more of our available bandwidth and we avoid some of that 50-second delay that comes with the MaxAge and Forward Delay timers. What’s not to love? (To avoid aggravation, ports placed inside an EC should be running at the same speed and have the same duplex settings.)

STP considers an Etherchannel to be a single link, regardless of how many physical links actually make up the Etherchannel. If one or more of the physical links in the Etherchannel go down, STP will give the link a higher cost due to the lost bandwidth, but the link is still considered up. That prevents the delay of bringing another link up!

In our lab, there are four FastEthernet trunks between SW2 and SW3. STP allows us to use only one of the trunks, though.

Let’s check out STP on SW3.

SW3#show spanning vlan 1

Interface           Role Sts Cost
------------------- ---- --- ---------
Fa0/21              Root FWD 19
Fa0/22              Altn BLK 19
Fa0/23              Altn BLK 19
Fa0/24              Altn BLK 19

SW2#show spanning vlan 1

Interface           Role Sts Cost
------------------- ---- --- ---------
Fa0/21              Desg FWD 19
Fa0/22              Desg FWD 19
Fa0/23              Desg FWD 19
Fa0/24              Desg FWD 19

As it stands, if 0/21 goes down on SW3, 0/22 will begin the transition from blocking to forwarding. In the meantime, communication between the two switches is lost. This temporary lack of a forwarding port can be avoided with an Etherchannel. By combining the physical ports into a single logical link, not only is the bandwidth of the links combined, but the failure of a link inside an Etherchannel will not force STP to start bringing another port from blocking to forwarding.

Let’s put 0/21, 0/22, and 0/23 on both switches into an Etherchannel with the channel-group command. We’ll leave 0/24 alone for now. (The channel group number does not have to match between switches.) I’ll use interface range to make things a little quicker.

SW2(config-if-range)#channel-group 1 ?
  mode  Etherchannel Mode of the interface

SW2(config-if-range)#channel-group 1 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected

SW2(config-if-range)#channel-group 1 mode on
%LINK-3-UPDOWN: Interface Port-channel1, changed state to up

SW3(config)#int range fast 0/21 - 23
SW3(config-if-range)#channel-group 5 mode on
%LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel5, changed state to up

The interfaces mentioned in the console messages, port-channel1 and port-channel5, are the logical representations of the Etherchannels on the respective switches.

SW3#show spanning vlan 1

Interface           Role Sts Cost
------------------- ---- --- ---------
Fa0/24              Altn BLK 19
Po5                 Root FWD 9

Things have changed! The Etherchannel (Po5, short for port-channel 5) is now the connection in use, and the path cost for that port is 9, less than half that of a single FastEthernet port! SW2 shows the same path cost result.

SW2#show spanning vlan 1

Interface           Role Sts Cost
------------------- ---- --- ---------
Fa0/24              Desg FWD 19
Po1                 Desg FWD 9

Let’s see what happens when one of the links inside the Etherchannel fails. We’ll shut down 0/21 on SW3 and then verify the changes.

SW3(config)#int fast 0/21
SW3(config-if)#shut

SW3#show spanning vlan 1

Interface           Role Sts Cost
------------------- ---- --- ---------
Fa0/24              Altn BLK 19
Po5                 Root FWD 12

SW2#show spanning vlan 1

Interface           Role Sts Cost
------------------- ---- --- ---------
Fa0/24              Desg FWD 19
Po1                 Desg FWD 12

Thanks to our Etherchannel, STP didn’t have to go to the trouble of opening 0/24. The down link in the Etherchannel was detected by STP, and the port’s path cost increased, but the Etherchannel remained in forwarding mode and 0/24 stays blocked!

Negotiating An Etherchannel

The industry standard EC negotiation protocol is the Link Aggregation Control Protocol (LACP) and the Cisco-proprietary EC negotiation protocol is the Port Aggregation Protocol (PAgP). PAgP and LACP use different terminology to express the same modes. (Surprise!) We actually saw those in the channel-group command:

SW3(config-if)#channel-group 5 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected

With PAgP, a port in desirable mode will initiate bundling with a remote port, while a port in auto mode waits for the port on the other end of the trunk to start the process. If the ports at each endpoint are in auto, you know you’ll be waiting a long time. (Forever.) I hate typing “PAgP”, but I love how the protocol dynamically changes all of the other ports in an EC when you change a property of one of them statically (speed, duplex, etc.).

Defined in 802.3ad (the IEEE standard, not the year), LACP assigns a priority value to each port with Etherchannel capability, and with good reason. You can assign up to 16 ports to an LACP-negotiated Etherchannel, but only the eight ports with the lowest port priority will actually be part of the EC. The remaining ports will be bundled only if one or more of the already-bundled ports fails.

With LACP, a port in active mode initiates bundling and passive ports are just that! If the ports at each endpoint are passive, an EC will never form.

I’ll put all available trunks into a PAgP Etherchannel, verifying with show pagp neighbor.

SW2(config)#int range fast 0/21 - 24
SW2(config-if-range)#channel-group 1 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected

SW2(config-if-range)#channel-group 1 mode desir

SW3(config)#int range fast 0/21 - 24
SW3(config-if-range)#channel-group 5 mode desir

SW3#show pagp neighbor
Flags:  S - Device is sending Slow hello.  C - Device is in Consistent state.
        A - Device is in Auto mode.        P - Device learns on physical port.

Channel group 5 neighbors
          Partner              Partner          Partner         Partner Group
Port      Name                 Device ID        Port       Age  Flags   Cap.
Fa0/21    SW2                  0017.9466.f780   Fa0/21      14s SC      10001
Fa0/22    SW2                  0017.9466.f780   Fa0/22       2s SC      10001
Fa0/23    SW2                  0017.9466.f780   Fa0/23       5s SC      10001
Fa0/24    SW2                  0017.9466.f780   Fa0/24      11s SC      10001

We’re not going to get into every field of this output, but I’m sure you can see that having a command that gives you the name, device ID, and port of the partner in the group can be very helpful for verification and/or troubleshooting.

After removing the PAgP EC, I created one with LACP, verified with show lacp neighbor.

SW2(config)#int range fast 0/21 - 24
SW2(config-if-range)#channel-group 1 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected

SW2(config-if-range)#channel-group 1 mode active

SW3(config)#int range fast 0/21 - 24
SW3(config-if-range)#channel-group 5 mode active

SW3#show lacp neighbor
Flags:  S - Device is requesting Slow LACPDUs
        F - Device is requesting Fast LACPDUs
        A - Device is in Active mode       P - Device is in Passive mode

Channel group 5 neighbors

Partner's information:

minimum links not met u . not Flags: D – down per-packet or per-frame. meaning they’re part of a port-channel.in use f . (We’re dealing with per-flow balancing here.) That algorithm can use any of the following: P . How about show etherchannel summary? Basically. 23s C H R I S B R YA N T f780 The output is different.suspended H . 20s key 0x0 32768 f780 0017. Channel-group listing: LACP That’s more like it! All four ports are marked with the “P” flag. -----------.Layer3 S .9466.not in use. unreleased or unsupported.failed to allocate aggregator Priority 32768 0017. 19s 0x0 0x1 0x119 0x3D 32768 f780 0017.9466. 5 Po5(SU) SW3#show etherchannel brief Fa0/21(P) Fa0/22(P) Fa0/23(P) Fa0/24(P) % Command accepted but obsolete. Group state = L2 Ports: 4 Maxports = 16 Port-channels: 1 Max Port-channels = 16 How The Link Is Chosen For A Particular Traffic Flow Protocol: LACP Etherchannels give us load balancing. a Cisco-proprietary hash algorithm is run that will deliver a value of 0 – 7.9466. I’ve also used show etherchannel brief in troubleshooting. Note the flags next to Po5. but matching up the Device ID and port information can be very helpful in troubleshooting.default port Number of channel-groups in use: 1 Number of aggregators: 1 Group Port-channel Protocol Ports -----. but last time I tried… M . more on that later!). “SU”. The Group: 5 “U” indicates the channel is in use (good) and the “S” means it’s a Layer 2 EC (hmmm. we have Minimum Links: 0 four parallel links in the EC.stand-alone s .Layer2 0x1 0x118 0x3D U . 21s 0x0 0x1 0x11A 0x3D 0x0 0x1 0x11B 0x3D f780 Fa0/24 SA 32768 0017. but not pure load balancing.waiting to be aggregated d .C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 .115 S T U DY G U I D E Port Flags LACP port Dev ID Fa0/21 SA Fa0/22 SA Fa0/23 SA Age Admin Oper Key Port Number Port State R . It’s these values that are used to determine SW3#show etherchannel summary which link will handle which traffic flow. 
------------.unsuitable for bundling w .9466.bundled in port-channel I . In our lab. and that’s just what we wanted to see.Hot-standby (LACP only) Source IP address Destination IP address 164 165 . and those values are assigned to links in the EC. see documentation. but that doesn’t mean each link is carrying 25% of the load.

Both source and destination IP address
Both source and destination MAC address
TCP / UDP port numbers

For every method involving only one value, the hash of the bits reveals the port that will handle traffic for that particular flow. The switch may use the hash of the last low-order bits to choose the link that will carry the traffic flow, or it may get the exclusive-OR operation (“XOR”) involved. The only time the XOR operation is used is when one of the combination load-balancing methods is used – the source and destination IP address, source and destination port number, or the source and destination MAC address. The “XOR” choices balance on source and destination IP or source and destination MAC.

The XOR operation’s name might look scary, but it’s one of the easiest math operations you’ll ever carry out. It’s a bit-by-bit comparison, from left to right, with only two possible answers, “1” and “0”:

If the compared bits are the same, the result is 0.
If the compared bits are different, the result is 1.

That’s it! The number of bits needed for the XOR depends on how many links we have in the EC:

Number of links in EC    # of lowest-order bits to XOR    Possible results
2                        1                                0, 1
4                        2                                0, 1, 2, 3
8                        3                                0, 1, 2, 3, 4, 5, 6, 7

Using our four-link EC, let’s figure out which link traffic sourced from 179.38.49.11 and destined for 210.39.47.22 would use. We perform the XOR on a bit-by-bit basis, but with a 4-link EC we only need the last two bits. The last octet of each address, with the two lowest-order bits highlighted:

11 = 00001011
22 = 00010110

If you want to break down the entire address for practice (ahem), that’s a great idea, but we need the last two bits of each address for our XOR, so we’ll first XOR the 7th bit of each octet, 1 and 1. Since both bits in the 7th position match up, that gives us a “0” for the first bit of the XOR result. When we XOR the 8th bit of each octet, the return is a “1” for the XOR’s second and final bit. “01” converts to the decimal 1, so the switch will use the port assigned value “01” to send the data.

Let’s walk through another example, using a source IP address of 179.38.49.11 and a destination of 190.39.47.15. (You get the point.)

11 = 00001011
15 = 00001111

Since both bits in the 7th position and both bits in the 8th position match up, we know our XOR return is “00”, resulting in the link assigned value 0 as the winner!

To change the load-balancing method for your switch, use port-channel load-balance and verify with show etherchannel load-balance. This is a global command – you can’t change the load balancing method on a per-port or per-EC basis.

SW3(config)#port-channel load-balance ?
  dst-ip       Dst IP Addr
  dst-mac      Dst Mac Addr
  src-dst-ip   Src XOR Dst IP Addr
  src-dst-mac  Src XOR Dst Mac Addr
  src-ip       Src IP Addr
  src-mac      Src Mac Addr

SW3#show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
        dst-ip
EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Destination MAC address
  IPv4: Destination IP address
  IPv6: Destination IP address
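The XOR walk-through above, as an added Python model that is not from the study guide: it reproduces the low-order-bit XOR for 2-, 4- and 8-link ECs and also shows why, under a single-value method such as dst-ip, many sources sending to one destination all land on one link. The full octets of the sample addresses, the MAC sample values and the link numbering (result n means link n) are assumptions for illustration; Cisco’s real hash is proprietary.

```python
# Added example, not from the study guide: models the low-order-bit XOR
# link selection described in the text. Cisco's real hash is proprietary;
# this reproduces only the bit-by-bit XOR the text walks through, and the
# link numbering (value n -> link n) is an assumption for illustration.
import ipaddress
from collections import Counter


def bits_to_xor(n_links: int) -> int:
    """Lowest-order bits the XOR needs: 2 links -> 1 bit, 4 -> 2, 8 -> 3."""
    if n_links not in (2, 4, 8):
        raise ValueError("this model covers 2-, 4- and 8-link EtherChannels")
    return n_links.bit_length() - 1


def address_to_int(addr: str) -> int:
    """Accept a dotted-decimal IPv4 address or a Cisco-style MAC (0017.9466.f780)."""
    parts = addr.split(".")
    if len(parts) == 4 and all(p.isdigit() for p in parts):
        return int(ipaddress.IPv4Address(addr))
    return int(addr.replace(".", "").replace(":", ""), 16)


def xor_trace(src: str, dst: str, n_links: int):
    """Return (src_bits, dst_bits, result_bits) as strings so the bit-by-bit
    comparison can be read from left to right, like the book's example."""
    n = bits_to_xor(n_links)
    mask = (1 << n) - 1
    s = address_to_int(src) & mask
    d = address_to_int(dst) & mask
    fmt = f"0{n}b"
    return format(s, fmt), format(d, fmt), format(s ^ d, fmt)


def chosen_link(src: str, dst: str, n_links: int, method: str = "src-dst-ip") -> int:
    """Link value (0 .. n_links-1) for one flow under a port-channel
    load-balance method. Single-address methods use only that address's
    low-order bits; the src-dst methods XOR both addresses."""
    n = bits_to_xor(n_links)
    mask = (1 << n) - 1
    if method in ("src-ip", "src-mac"):
        return address_to_int(src) & mask
    if method in ("dst-ip", "dst-mac"):
        return address_to_int(dst) & mask
    if method in ("src-dst-ip", "src-dst-mac"):
        return (address_to_int(src) & mask) ^ (address_to_int(dst) & mask)
    raise ValueError(f"unknown load-balance method {method!r}")


def links_used(flows, n_links: int, method: str) -> Counter:
    """Count how many flows land on each link. Many sources talking to one
    destination collapse onto a single link under dst-ip, the situation the
    text warns about when choosing a method."""
    return Counter(chosen_link(s, d, n_links, method) for s, d in flows)


if __name__ == "__main__":
    print(xor_trace("179.38.49.11", "210.39.47.22", 4))   # ('11', '10', '01') -> link 1
    print(chosen_link("179.38.49.11", "190.39.47.15", 4))  # 0
    # Constructed sample: eight hosts in 179.38.49.0/24 all sending to one server.
    sample = [(f"179.38.49.{h}", "210.39.47.22") for h in range(11, 19)]
    print(links_used(sample, 4, "dst-ip"))      # every flow on link 2
    print(links_used(sample, 4, "src-dst-ip"))  # two flows on each of the four links
```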

Remember This?

In the midst of all the loop guarding and MSTing and BackboneFasting we did earlier was a little something about ECs. To prevent the creation of a switching loop due to EC misconfiguration, run spanning etherchannel guard misconfig. As a result, ports will be placed into err-disabled state if a condition exists that might result in a switching loop. Let’s use IOS Help to flesh this out.

SW2(config)#spanning ?
  backbonefast  Enable BackboneFast Feature
  etherchannel  Spanning tree etherchannel specific configuration
  extend        Spanning Tree 802.1t extensions
  logging       Enable Spanning tree logging
  loopguard     Spanning tree loopguard options
  mode          Spanning tree operating mode
  mst           Multiple spanning tree configuration
  pathcost      Spanning tree pathcost options
  portfast      Spanning tree portfast options
  transmit      STP transmit parameters
  uplinkfast    Enable UplinkFast Feature
  vlan          VLAN Switch Spanning Tree

SW2(config)#spanning etherchannel ?
  guard  Configure guard features for etherchannel

SW2(config)#spanning etherchannel guard ?
  misconfig  Enable guard to protect against etherchannel misconfiguration

SW2(config)#spanning etherchannel guard misconfig ?
  <cr>

If you use one of the EC negotiation protocols, you really shouldn’t run into an issue with a misconfigured EC, since the EC won’t be created in the first place if there’s a problem. The channel-group “on” option sidesteps negotiation, and you could run into trouble if one side of your links is set up for an EC and the other isn’t (I speak from experience).

And finally….

EC Troubleshooting Tips

Ports configured for dynamic VLAN assignment from a VMPS cannot become part of an EC, nor can such a port remain part of an EC if that change occurs after the port is already part of an EC.

The allowed range of VLANs on the ports in the EC must match that of the port-channel. Here’s what happened after I changed the range of allowed VLANs on all ports in SW3’s EC without doing so on the port-channel:

SW3(config-if-range)#switchport trunk allowed vlan 100,20
%EC-5-CANNOT_BUNDLE2: Fa0/22 is not compatible with Po5 and will be suspended (vlan mask is different)
%EC-5-CANNOT_BUNDLE2: Fa0/23 is not compatible with Po5 and will be suspended (vlan mask is different)
%EC-5-CANNOT_BUNDLE2: Fa0/24 is not compatible with Po5 and will be suspended (vlan mask is different)

Not good! However, once I went to SW2 and ran the same command, the EC came back up.

SW2(config)#int range fast 0/21 - 24
SW2(config-if-range)#switchport trunk allowed vlan 100,20

SW2#show etherchannel summary
(Flags removed)
Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Fa0/21(P)   Fa0/22(P)   Fa0/23(P)   Fa0/24(P)

This is really true of any port attribute, including speed, duplex, and native VLAN. Ports in an EC should have the same native VLAN set, and individual ports inside the EC must agree on this value as well. When I changed the allowed VLAN setting for SW2’s 0/21, that port immediately unbundled.

SW2(config)#int fast 0/21
SW2(config-if)#switchport trunk allowed vlan 200,300
SW2(config-if)#^Z
SW2#
*Mar 1 01:18:39.472: %EC-5-CANNOT_BUNDLE2: Fa0/21 is not compatible with Fa0/22 and will be suspended (vlan mask is different)

If you change one of those and the EC comes down, you know what to do – change it back!

A few more notes that can save you CCNP exam points and troubleshooting time…

A SPAN source port can be part of an Etherchannel, but not a SPAN destination port.

Ports in an EC cannot be configured with port security.

Know your LACP and PAgP modes! The mode doesn’t have to match, but you do have to have LACP or PAgP modes on each side, or you’ll never have an EC! You can’t have LACP negotiating one side and PAgP negotiating the other. If one end of the EC is running in on mode, the other end has to as well.

While keeping in mind that EC load-balancing methods do not have to match between switches, be sure to choose the load-balancing method that fits your situation. If you have multiple source IP addresses and one destination IP address, there’s not much use in using destination IP addresses in your load-balancing methods!

With our trunks neatly bundled, it’s time to do a little multilayer switching and work with our First Hop Redundancy Protocols (FHRPs). Let’s get started!

Chapter 8: MULTILAYER SWITCHING AND HIGH AVAILABILITY PROTOCOLS

One of the first things you get hit over the head with in your CCNA studies is that a switch runs at Layer 2, a router runs at Layer 3, and never the two shall meet. Let me take this time to “un-hit” you while introducing you to Layer 3 Switches, also known as multilayer switches.

Multilayer switches are devices that switch and route packets in the switch hardware itself. From your CCNA studies, you know that the IP source and destination addresses of a packet do not change as the packet travels the network, but the MAC addresses just might and probably will. Application-Specific Integrated Circuits (ASICs) will perform the L2 rewriting operation of these packets. If two hosts in separate VLANs are connected to the same multilayer switch, the correct configuration will allow that communication without the data ever leaving the switch. Basically, it’s the ASICs that perform this L2 address overwriting.

The CAM And TCAM Tables

The CAM table, the MAC address table, also known as the bridging table, the switching table, and on occasion Content Addressable Memory, is still present in a multilayer switch. The table operates just as an L2 switch’s CAM table does. Thing is, we have a lot more going on with our L3 switches, including routing, ACLs, and QoS. A simple CAM table can’t handle all of this, so we also have the TCAM table – Ternary Content Addressable Memory. Basically, the TCAM table stores everything the CAM table can’t, including info regarding ACLs and QoS.

Multilayer Switching Methods

When it comes to Cisco Catalyst switches, the switch will run the legacy Multilayer Switching (MLS) or the newer Cisco Express Forwarding (CEF). With multilayer switching, this hardware switching is performed by a router processor (or “L3 engine”). To make this hardware-based packet processing happen, this processor must download routing information to the switch hardware itself.

The first MLS method is route caching. Route caching devices have both a routing processor and a switching engine. The routing processor routes a flow’s first packet, the switching engine snoops in on that packet and the destination, and then the switching engine takes over and forwards the rest of the packets in that flow. A flow is a unidirectional stream of packets from a given source to a given destination, and such packets sent by a given protocol will be part of a single flow. If a source is sending both WWW and TFTP packets to the same destination, we have two flows of traffic. The MLS cache entries support such unidirectional flows.

Route caching can be effective, but there’s one slight drawback: the first packet in any flow will be switched by software. Even though all other packets in the flow will be hardware-switched, it is more effective to have all of the packets switched by hardware. That’s where CEF comes in. CEF is highly scalable and is also easier on a switch’s CPU than route caching. Primarily designed for backbone switches, this topology-based switching method requires special hardware, so it’s not available on all L3 switches.

Enabling CEF is EZ. CEF is on by default on any and all CEF-enabled switches, and you can’t turn it off! There’s no such command! Since CEF is hardware-based rather than software-based, this is not a situation where running “no cef” at the CLI will disable CEF. IP routing must be on for CEF to run.

The two major components of CEF are the Forwarding Information Base (FIB) and the Adjacency Table (AT). Summing it up, the FIB contains L3 information and is created via the IP routing table, and the AT contains L2 information and is created via the ARP table.

The FIB contains the usual routing information we need – destination networks, masks, next-hop IP addresses, etc. – and CEF will use the FIB to make L3 prefix-based decisions. The FIB is really just the IP routing table in another format; the FIB’s contents will mirror that of the IP routing table. In the FIB, there is a wildcard entry that redirects traffic to the routing engine.

The FIB takes care of us at L3, but what of L2? That’s where the AT comes in. As adjacent hosts are discovered via ARP, that next-hop L2 information is kept in the table for CEF switching. (A host is considered adjacent to another if they’re just one hop apart.) Should either the TCAM or AT hit capacity, packets will be switched by software.

At this point, the multilayer switch is just about ready to forward the packet. The switch will make the same changes to the packet that a router would, and that includes changing the L2 destination MAC address to the next-hop MAC address. The L2 source address will be the MAC address of the switch interface transmitting the packet.

Inter-VLAN Routing With An SVI

With these important nuts and bolts out of the way, let’s configure an L3 switch with a Switched Virtual Interface! Multilayer switches allow us to create a logical interface, the Switched Virtual Interface (SVI), representing a VLAN. The VLAN 1 interface present by default on all L2 switches is an SVI, and it’s the only default SVI.

interface Vlan1
 no ip address

We can create an SVI for any VLAN, and creating one is just like creating a loopback interface. Just go into config mode, create the interface, give it an IP address, and you’re done. In this lab, we’ll create SVIs that will allow hosts in different IP subnets and different VLANs to communicate without a separate L3 device. I’ll send pings between the two now, even though we know darn well they can’t have a chat… yet.

R1#ping 30.1.1.1
.....
Success rate is 0 percent (0/5)

address is 001c.0fbf. changed state to up SW3(config)#ip routing SW3(config-if)#ip address 30.OSPF NSSA external type 2 E1 - OSPF external type 1. L2 .1. We’ll now create two SVIs on the switch.2f41 (bia 001c. S .. IA .1. SW3. 2 masks C 20.candidate default. L1 .OSPF inter area N1 - OSPF NSSA external type 1.1.1. Vlan11 L 20.1.0fbf. N2 . line protocol is up Hardware is EtherSVI.EIGRP external.1.1.11 255.0 ICMP redirect cache is empty Last Use Total Uses Interface Doesn’t look good! Let’s enable IP routing.115 S T U DY G U I D E C H R I S B R YA N T R3#ping 20.0fbf.0.NHRP.OSPF external type 2 I - IS-IS..1.2f42 (bia 001c.11/24 176 20. line protocol is up Success rate is 0 percent (0/5) Hardware is EtherSVI.2f41) Internet address is 20. which is disabled on a multilayer switch by default! SW3(config-if)#int vlan 33 SW3(config-if)#ip address %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan33. C .OSPF.2f42) Internet address is 30.IS-IS level-2 ia - IS-IS inter area.255. E2 . H .0 SW3#show ip route Codes: L - local. su . Vlan33 is up.1. EX . * . B .11/32 is directly connected.per-user static route We’ll verify the status on both with this clipped output from show interface vlan.0/24 is directly connected.11 255. Both SVIs show as up/up immediately after creation on our multilayer switch.255. % . SW3#show ip route Default gateway is not set SW3(config)#int vlan 11 %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan11.0..periodic downloaded static route. + - replicated route. one representing VLAN 11 and the other Looks good! Let’s check those routing tables! VLAN 33.. 2 subnets.0fbf.255. changed state to up Host Gateway SW3(config-if)#ip address 20. R . Note that o - ODR. O .LISP the hardware is listed as “EtherSVI”.1.1.RIP.IS-IS summary.next hop override SW3#show int vlan11 Gateway of last resort is not set Vlan11 is up.1.static. Vlan11 177 .C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 .1 SW3#show int vlan 33 .0/8 is variably subnetted. P . U .255. 
address is 001c.mobile.1. M .11/24 The ports have already been placed into their respective VLANs and the ports are access ports. l .connected.1.BGP D - EIGRP.IS-IS level-1.

      30.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        30.1.1.0/24 is directly connected, Vlan33
L        30.1.1.11/32 is directly connected, Vlan33

That looks just a bit more like our routing table! When SVIs are in use, the default gateway on the hosts must be the IP address assigned to the SVI that represents that host’s VLAN. Since we’re using Cisco routers for hosts, we’ll use ip route to set the default gateway.

HOST1(config)#ip route 0.0.0.0 0.0.0.0 20.1.1.11
HOST3(config)#ip route 0.0.0.0 0.0.0.0 30.1.1.11

With that default gateway set correctly, the hosts can communicate, and no routing protocol is required in this case. Can they ping? Yes, they can!

HOST1#ping 30.1.1.1
Type escape sequence to abort.
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms

HOST3#ping 20.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms

SVI Success Tips:

1. One SVI per VLAN and one VLAN per SVI.

2. The only default SVI on the switch is the one for VLAN 1.

3. Have active ports in the VLAN before you create an SVI for that same VLAN. If you create the SVI before doing that, you end up with a sad SVI.

SW3(config)#int vlan 66
SW3(config-if)#
*Mar 1 03:14:32.831: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan66, changed state to down
SW3(config-if)#ip address 66.1.1.1 255.255.255.0

SW3#show int vlan 66
Vlan66 is down, line protocol is down

4. The hosts must have their default gateway set to the IP address on the SVI representing their VLAN. If you don’t get the ping results you expect and your SVIs are up, I can almost guarantee that the hosts have an incorrect default gateway set.

Routed Ports (Layer 3 Ports)

On L3 switches, we also have the option of configuring a physical port as a routed port. Routed ports do not represent a particular VLAN as an SVI does, but routed ports are physical interfaces and SVIs are logical interfaces. You assign an IP address to a routed port in the same way you would an SVI.

Let’s add a router to our network that leads our hosts to the Internet. Even though IP routing is enabled, the ports on our multilayer switch are still in L2 mode (that’s the default for many Cisco multilayer switches). To configure a routed port, use no switchport followed by the desired IP address. In the following config, the line protocol on the switch port goes down, but comes back up in a few seconds. That’s the normal and expected behavior.

SW3(config-if)#no switchport
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/5, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/5, changed state to up
SW3(config-if)#ip address 210.1.1.11 255.255.255.0

Verify addressing and status with show interface fast 0/5 and verify L3 status with show interface switchport.

SW3#show int fast 0/5
FastEthernet0/5 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 001c.0fbf.2f44 (bia 001c.0fbf.2f44)
  Internet address is 210.1.1.11/24

SW3#show int fast 0/5 switchport
Name: Fa0/5
Switchport: Disabled
(Note: If this is disabled, the port is running at L3.)

The switch can now ping 210.1.1.1, the router’s interface. Always a good sign!

SW3#ping 210.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

Right now, each host can ping 210.1.1.11, the switch’s interface in that subnet, but they can’t ping 210.1.1.1, the router’s interface.

HOST1#ping 210.1.1.11
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms

HOST3#ping 210.1.1.11
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

HOST1#ping 210.1.1.1
.....
Success rate is 0 percent (0/5)

HOST3#ping 210.1.1.1
.....
Success rate is 0 percent (0/5)

The pings can’t find their way back to the hosts because the router has no path to either 20.1.1.0 /24 or 30.1.1.0 /24.

R1#show ip route
(code table removed for clarity)
Gateway of last resort is not set

      210.1.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        210.1.1.0/24 is directly connected, FastEthernet0/0
L        210.1.1.1/32 is directly connected, FastEthernet0/0

To remedy that, we’ll configure EIGRP between the multilayer switch and the router. The adjacency comes up very quickly:

SW3(config)#router eigrp 100
SW3(config-router)#no auto
SW3(config-router)#network 210.1.1.0 0.0.0.255
SW3(config-router)#network 20.1.1.0 0.0.0.255
SW3(config-router)#network 30.1.1.0 0.0.0.255
%DUAL-5-NBRCHANGE: EIGRP-IPv4 100: Neighbor 210.1.1.1 (FastEthernet0/5) is up: new adjacency

The router now has the VLAN subnets in its routing table…

R1#show ip route
Gateway of last resort is not set

      20.0.0.0/24 is subnetted, 1 subnets
D        20.1.1.0 [90/28416] via 210.1.1.11, 00:01:07, FastEthernet0/0
      30.0.0.0/24 is subnetted, 1 subnets
D        30.1.1.0 [90/28416] via 210.1.1.11, 00:01:00, FastEthernet0/0
      210.1.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        210.1.1.0/24 is directly connected, FastEthernet0/0
L        210.1.1.1/32 is directly connected, FastEthernet0/0

… and the hosts now have two-way connectivity with R1 at 210.1.1.1.

HOST1#ping 210.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

HOST3#ping 210.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

Routed Port Success Checklist (Short, but important)

1. Be sure to enable IP routing with the global ip routing command. It’s off by default.

2. Be just as sure to enable your routed port’s L3 capabilities with the interface-level no switchport command, and verify with show interface switchport. Need to turn the port’s L2 capabilities back on? Just use switchport and you’re gold!

We’ll wrap this section up with a look at the FIB, now that we have some routes and other info in there! Here’s a segment of the FIB from the multilayer switch in our lab.

SW3#show ip cef
Prefix               Next Hop             Interface
0.0.0.0/0            receive
20.1.1.0/24          attached             Vlan11
20.1.1.0/32          receive              Vlan11
20.1.1.1/32          attached             Vlan11
20.1.1.11/32         receive              Vlan11
20.1.1.255/32        receive              Vlan11

Under “Next Hop”, receive indicates packets that will be handled by the L3 engine. Those include the broadcasts for the 20.1.1.0 /24 segment (“20.1.1.255/32”). The attached entries include directly connected addresses and subnets.

High Availability Schemes And Redundancy Protocols

Before we hit our First Hop Redundancy Protocols (FHRPs), we’re going to take a brief and important look at two redundancy tactics that don’t involve a particular protocol.

The Virtual Switching System

With VSS, we’re representing a pair of physical switches (the “VSS Pair”) as a single logical switch. One switch is the active switch, the other the standby switch. The active switch handles the workload, with the standby ready to step in if the active switch becomes unavailable.

The physical switches in a VSS pair communicate via the virtual switch link (VSL). The VSL is actually an Etherchannel, and we have the ability to create MultiChassis Etherchannels where ports on the physical switches in the VSS can be bundled.

Our redundancy comes in the form of Stateful SwitchOver (SSO) and NonStop Forwarding (NSF). With SSO, the backup supervisor is fully booted, fully initialized, and ready to step in as the active router at a moment’s notice – literally! NSF is all about keeping the overall downtime to a minimum by preventing link flapping (“route flapping”) during the cutover. Between SSO and NSF, the speed of the cutover to the new active switch and the continued forwarding of packets during that cutover make the transition as smooth as the proverbial baby’s butt. Even better, SSO and NSF are enabled by default in a VSS config.

Side note: There are other redundancy modes available to us on Cat switches, including Router Processor Redundancy (RPR) and Router Processor Redundancy Plus (RPR+). RPR allows the backup supervisor to boot partially, while RPR+ allows the backup supervisor to boot fully and initialize its routing engine. SSO is faster than RPR+, and RPR+ is faster than RPR.

Now back to our story! How does the standby switch know when it needs to take over as the active switch? The two switches regularly exchange control info over the VSL, and should the backup switch detect via the VSL that the active switch has failed, that switch now becomes the active switch. When the previous switch is back online, it will not take over its original role as the active router.

All well and good, but what if the VSL itself goes down? How could the standby switch know whether the active switch is still active? In this situation, the standby switch takes it upon itself to become the active switch. At this point, both switches will be active, and we have a dual-active situation. This sounds great, but if it was all that great, this would be the default and we wouldn’t have a standby! Dual-active is not desirable, since the two switches will now be using a lot of the same information, including the same IP address. For the network to recover, one of these switches needs to take itself out of the picture – but which one?

It’s the first active switch that drinks the virtual hemlock in the form of putting every single one of its non-VSL interfaces into err-disabled mode. VSS goes into dual-active recovery, and it’ll stay that way until the VSL is back up.

The remaining active switch will forward traffic normally. When the VSL is repaired, the switch with the err-disabled ports will come back online and assume the standby role.

Most Cisco white papers on VSS will mention that VSS eliminates the need for an FHRP. That may be true of production networks, but not of your CCNP Switch and Tshoot exams. Those exams will be covered with FHRP questions, and we’ll hit FHRPs hard right after this word to the (stack)wise!

StackWise

We’re about to stack cables in a wise manner. (Get it?) StackWise lets us physically link up to nine switches to create a switch unit or switch stack. When we’re done connecting our switches with some very special stack interconnect cables, we end up with a fully functioning two-way path. Each path supports up to 16 Gbps in each direction. If one of our cables breaks, we lose 50% of our capacity immediately. That’s quite a cap hit, but thankfully it’s a very temporary hit. The failover takes microseconds, which helps keep the packets flowing when there’s the slightest break in service. Our new pal NonStop Forwarding (NSF) is supported in StackWise.

The entire stack is given one IP address and one config file, a copy of which is sent to every switch in the stack. There is no single point of failure in a switch stack, but there is a single point of pain. One of these switches has to be a “boss switch”, and that’s the aptly named master switch. That master switch has quite the workload, including downloading forwarding tables, ACL info, and QoS info to the non-masters. The master switch keeps a master MAC address table, a copy of which is sent to non-masters. The master switch also has to handle ping requests and remote connection requests, and is also responsible for letting non-masters know of additions and removals of switches in the stack. RPR+ has those non-master switches fully initialized and ready to step in when needed, and NSF works with RPR+ to keep things rolling when we’re cutting over from one master to another.

That switch is chosen via a master switch election:

1. The network admin can select a particular switch to be the master.

2. If that’s a tie, a preconfigured switch wins over a non-preconfigured switch.

3. If that’s a tie, the switch with the best feature set wins.

4. If that’s somehow a tie, the switch that’s been up the longest wins.

5. If none are selected in that manner, the switch with the lowest MAC is selected as master.

You and I, the network admins, can not only add and remove switches without interrupting service, but we don’t even have to configure the new switch. StackWise will take care of that for us! The master switch will autoconfig the new arrival with the stack’s IOS image, then send the config to the new switch.

StackWise requires every switch in the stack to run the same IOS. When we add a new switch to the stack, the master will ask the newcomer if it’s running the same IOS image as the master. If so, the master sends the config to the new switch and all is well. If the new switch does not have the same IOS image, all is not well, but we’ll make it well with this process:

1. The master will download the Cisco IOS image from its own Flash to the new switch, and the new switch joins the stack.

2. We can configure a TFTP server for that IOS download. With that option, the master switch will grab the IOS image from the TFTP server, send it to the new switch, then send the config over.

3. If not, the master will put the new switch into suspension, let us know about the problem, and then wait for us to do something about it! Namely, the master expects to be supplied with an IOS image that supports the master’s hardware and the new switch’s hardware. Once that happens, the master will then upgrade every switch that was already part of the stack to that IOS, along with the new switch. The new switch can then join the stack, and the entire stack then goes live.

The first two possibilities assume that the new switch’s hardware can handle the necessary IOS image. Also, let’s hope our hardware is compatible!

This is enough to get you started with StackWise. There’s a lot more to StackWise, and frankly, Cisco could probably have a certification based just on VSS and StackWise. If your network uses it or you want to learn more about it, head to Cisco’s website and grab some PDFs.

Whew! With all that said, we’re moving on to FHRPs!

The Hot Standby Routing Protocol

In this section, I’m going to refer to routers rather than L3 switches, since the HSRP terminology refers to “active routers” and “standby routers”. The theory and commands of HSRP run the same on an L3 switch as on a router. Also, the icon I’m using for multilayer switches is slightly different than the one you saw earlier – there’s no “Si” in the middle. I wanted to make sure you saw both versions.

Defined in RFC 2281, HSRP is a Cisco-proprietary router redundancy protocol in which routers are placed into an HSRP router group. HSRP ensures a high network uptime, since it routes IP traffic without reliance on a single router. One of the routers in the group is selected as the active router, while others in the group are standby routers. The terms active and standby do not refer to the actual operational status of the routers, just to their status in their HSRP group. It won’t surprise you to learn that the active router handles the actual workload while the standby routers do just that – stand by!

The actual IP and MAC addresses of the physical routers in the group are unknown to downstream devices. Those devices are actually communicating with a pseudorouter, a virtual router created by the HSRP configuration. This virtual router will have a MAC and IP address of its own, and downstream devices send data to those addresses.

In our first lab, MLS_1 (int VLAN 100, 172.16.23.1 /24) and MLS_2 (int VLAN 100, 172.16.23.2 /24) are the routers in the HSRP group. The configuration will create a virtual router with the IP address 172.16.23.12 /24, and it’s that address that should be used by all hosts in VLAN 100 as their default gateway.

After verifying the SVI for VLAN 100 on each router, I'll use IOS Help on MLS_1 to show our HSRP options.

MLS_1#show int vlan 100
Vlan100 is up, line protocol is up
  Hardware is EtherSVI, address is 0017.9466.f7c1 (bia 0017.9466.f7c1)
  Internet address is 172.16.23.1/24

MLS_2#show int vlan 100
Vlan100 is up, line protocol is up
  Hardware is EtherSVI, address is 001c.0fbf.2f41 (bia 001c.0fbf.2f41)
  Internet address is 172.16.23.2/24

We'll put both SVIs in HSRP group 5 and let 'em fight it out over the active router role to see what happens.

MLS_1(config)#int vlan 100
MLS_1(config-if)#standby ?
  <0-255>         group number
  authentication  Authentication
  delay           HSRP initialisation delay
  follow          Name of HSRP group to follow
  ip              Enable HSRP IPv4 and set the virtual IP address
  mac-refresh     Refresh MAC cache on switch by periodically sending packet from virtual mac address
  name            Redundancy name string
  preempt         Overthrow lower priority Active routers
  priority        Priority level
  redirect        Configure sending of ICMP Redirect messages with an HSRP virtual IP address as the gateway IP address
  timers          Hello and hold timers
  track           Priority tracking
  version         HSRP version

MLS_1(config-if)#standby 5 ?
  authentication  Authentication
  follow          Name of HSRP group to follow
  ip              Enable HSRP IPv4 and set the virtual IP address
  name            Redundancy name string
  preempt         Overthrow lower priority Active routers
  priority        Priority level
  timers          Hello and hold timers
  track           Priority tracking

The ip command is the only required command for HSRP.

MLS_1(config-if)#standby 5 ip ?
  A.B.C.D  Virtual IP address
  <cr>

MLS_1(config-if)#standby 5 ip 172.16.23.1 ?
  secondary  Make this IP address a secondary virtual IP address
  <cr>

MLS_1(config-if)#standby 5 ip 172.16.23.1
% address cannot equal interface IP address

(So don't try it!)

MLS_1(config-if)#standby 5 ip 172.16.23.12

… and we're off!

You can't assign an IP address from the MLS as the IP address for the virtual router. Let's finish the config on MLS_2.

MLS_2(config)#int vlan 100
MLS_2(config-if)#standby 5 ip 172.16.23.12

Let's verify our config on MLS_2 with show standby, your #1 friend when it comes to verifying and troubleshooting HSRP.

MLS_2#show standby
Vlan100 - Group 5
  State is Active
    2 state changes, last state change 00:01:19
  Virtual IP address is 172.16.23.12
  Active virtual MAC address is 0000.0c07.ac05
    Local virtual MAC address is 0000.0c07.ac05 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.368 secs
  Preemption disabled
  Active router is local
  Standby router is 172.16.23.1, priority 100 (expires in 9.272 sec)
  Priority 100 (default 100)
  Group name is "hsrp-Vl100-5" (default)

There's a treasure trove of HSRP info here! From the top down, we see…

Interface VLAN100 is in HSRP Group 5
This router is in the Active state, there have been 2 state changes, and the last one was 1 minute and 19 seconds ago
The virtual router's IP address and MAC address
This router sends HSRP Hellos every 3 seconds
"Preemption" is disabled – more on that very soon!
This is the Active router ("local")
The standby router is at 172.16.23.1 and that router's priority is 100
The local HSRP priority is 100, and finally, the HSRP group name is displayed.

Let's look at the same command's output on MLS_1.

MLS_1#show standby
Vlan100 - Group 5
  State is Standby
    3 state changes, last state change 00:01:45
  Virtual IP address is 172.16.23.12
  Active virtual MAC address is 0000.0c07.ac05
    Local virtual MAC address is 0000.0c07.ac05 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.936 secs
  Preemption disabled
  Active router is 172.16.23.2, priority 100 (expires in 10.920 sec)
  Standby router is local
  Priority 100 (default 100)
  Group name is "hsrp-Vl100-5" (default)

That output verifies everything we saw on MLS_2.

We know how the virtual router got its IP address, after all, we're the ones who configured it! However, we didn't enter any info regarding a MAC address. Where the heck did that come from?

Most of that address was predetermined. The MAC address 00-00-0c-07-ac-xx is HSRP's well-known virtual MAC address, and the "xx" is the HSRP group number in hexadecimal. Had we gone with HSRP group 10, the address would have been 00-00-0c-07-ac-0a. Brush up on your hex before you take the SWITCH exam!

Now that we have the MAC address source down, let's talk about that election.

The HSRP Active Router Election

The HSRP priority is the first value considered in the election. The priority is 100 by default, as we saw on both routers. Should there be a tie – and there always will be if the routers are left at their defaults – theory holds that the router with the highest IP address wins the election. MLS_2 won the election in our first lab, so the theory holds true. (Real world note: Always, always, always verify your Active router.)

Let's make MLS_1 the Active router by raising its priority. We'll go double or nothing…

MLS_1(config)#int vlan 100
MLS_1(config-if)#standby 5 priority 200

… and we get nothing! Let's verify the priority change:

MLS_1#show standby
Vlan100 - Group 5
  State is Standby
    1 state change, last state change 00:17:26
  Virtual IP address is 172.16.23.12
  Active virtual MAC address is 0000.0c07.ac05
    Local virtual MAC address is 0000.0c07.ac05 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.376 secs
  Preemption disabled
  Active router is 172.16.23.2, priority 100 (expires in 10.368 sec)
  Standby router is local
  Priority 200 (configured 200)
  Group name is "hsrp-Vl100-5" (default)

Just raising the priority on MLS_1 isn't enough to get the job done here. Either we have to reload MLS_2 so MLS_1 can take over as Active in its absence, or MLS_1 must have preemption enabled. We'd like to avoid reloads here, so let's do the latter.

MLS_1(config)#int vlan 100
MLS_1(config-if)#standby 5 ?
  authentication  Authentication
  follow          Name of HSRP group to follow
  ip              Enable HSRP IPv4 and set the virtual IP address
  name            Redundancy name string
  preempt         Overthrow lower priority Active routers
  priority        Priority level
  timers          Hello and hold timers
  track           Priority tracking
MLS_1(config-if)#standby 5 preempt

Just a few seconds after enabling preemption on MLS_1…

%HSRP-5-STATECHANGE: Vlan100 Grp 5 state Standby -> Active

… MLS_1 takes over as the Active router. This state change and the enabling of preemption are verified by show standby.
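Because show standby is the verification tool for everything in this section, here is an added Python example (not the book's or Cisco's code) that parses its output into fields and automates the two checks the last few pages teach by hand: that the virtual MAC is the well-known HSRPv1 MAC for the group number, and that a router whose priority beats the Active router's also has preemption enabled, since without it the priority change never takes effect. The two sample outputs are transcribed from this page's MLS_2 and MLS_1 labs; the field names and the wording of the findings are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Two "show standby" outputs transcribed from this page's labs (indentation
# reconstructed): MLS_2 right after the first config, and MLS_1 after its
# priority was raised to 200 without preemption.
SHOW_STANDBY_MLS2 = """\
Vlan100 - Group 5
  State is Active
    2 state changes, last state change 00:01:19
  Virtual IP address is 172.16.23.12
  Active virtual MAC address is 0000.0c07.ac05
    Local virtual MAC address is 0000.0c07.ac05 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.368 secs
  Preemption disabled
  Active router is local
  Standby router is 172.16.23.1, priority 100 (expires in 9.272 sec)
  Priority 100 (default 100)
  Group name is "hsrp-Vl100-5" (default)
"""
SHOW_STANDBY_MLS1_PRI200 = """\
Vlan100 - Group 5
  State is Standby
    1 state change, last state change 00:17:26
  Virtual IP address is 172.16.23.12
  Active virtual MAC address is 0000.0c07.ac05
    Local virtual MAC address is 0000.0c07.ac05 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.376 secs
  Preemption disabled
  Active router is 172.16.23.2, priority 100 (expires in 10.368 sec)
  Standby router is local
  Priority 200 (configured 200)
  Group name is "hsrp-Vl100-5" (default)
"""


@dataclass
class HsrpGroup:
    interface: str
    group: int
    state: str = ""
    virtual_ip: str = ""
    virtual_mac: str = ""
    preempt: bool = False
    active: str = ""                       # "local" or the Active router's IP
    active_priority: Optional[int] = None  # only printed for a remote router
    standby: str = ""
    standby_priority: Optional[int] = None
    priority: int = 100                    # this router's current priority
    name: str = ""


def hsrp_v1_mac(group: int) -> str:
    """Well-known HSRPv1 virtual MAC 0000.0c07.acXX, XX = group number in hex."""
    return f"0000.0c07.ac{group:02x}"


def parse_show_standby(text: str) -> List[HsrpGroup]:
    """One HsrpGroup per 'Interface - Group N' block of show standby output."""
    groups: List[HsrpGroup] = []
    cur: Optional[HsrpGroup] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"^(\S+) - Group (\d+)$", line):
            cur = HsrpGroup(interface=m.group(1), group=int(m.group(2)))
            groups.append(cur)
        elif cur is None:
            continue
        elif line.startswith("State is "):
            cur.state = line.split(" ", 2)[2]
        elif m := re.match(r"Virtual IP address is (\S+)", line):
            cur.virtual_ip = m.group(1)
        elif m := re.match(r"Active virtual MAC address is (\S+)", line):
            cur.virtual_mac = m.group(1)
        elif line.startswith("Preemption "):
            cur.preempt = line.split()[1] == "enabled"
        elif m := re.match(r"(Active|Standby) router is ([^,\s]+)(?:, priority (\d+))?", line):
            pri = int(m.group(3)) if m.group(3) else None
            if m.group(1) == "Active":
                cur.active, cur.active_priority = m.group(2), pri
            else:
                cur.standby, cur.standby_priority = m.group(2), pri
        elif m := re.match(r"Priority (\d+) \(", line):
            cur.priority = int(m.group(1))
        elif m := re.match(r'Group name is "([^"]+)"', line):
            cur.name = m.group(1)
    return groups


def findings(g: HsrpGroup) -> List[str]:
    """Checks worth automating over parsed output (wording is this example's)."""
    out = []
    if g.virtual_mac != hsrp_v1_mac(g.group):
        out.append(f"group {g.group}: virtual MAC {g.virtual_mac} is not the v1 "
                   f"well-known MAC {hsrp_v1_mac(g.group)} for this group")
    if (g.state == "Standby" and g.active_priority is not None
            and g.priority > g.active_priority and not g.preempt):
        out.append(f"group {g.group}: local priority {g.priority} beats the Active "
                   f"router's {g.active_priority} but preemption is disabled, so "
                   f"this router will not take over")
    return out
```

Run over the MLS_1 output with priority 200, the second check fires; run over the MLS_2 output, nothing does, which is exactly what the two labs showed by eye.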

MLS_1#show standby
Vlan100 - Group 5
  State is Active
    2 state changes, last state change 00:00:51
  Virtual IP address is 172.16.23.12
  Active virtual MAC address is 0000.0c07.ac05
    Local virtual MAC address is 0000.0c07.ac05 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.976 secs
  Preemption enabled
  Active router is local
  Standby router is 172.16.23.2, priority 100 (expires in 10.896 sec)
  Priority 200 (configured 200)
  Group name is "hsrp-Vl100-5" (default)

Had I wanted to delay any takeover by MLS_1, I could have set delay on the preemption. You can also delay a takeover until after the next reload.

MLS_1(config-if)#standby 5 preempt ?
  delay  Wait before preempting
  <cr>
MLS_1(config-if)#standby 5 preempt delay ?
  minimum  Delay at least this long
  reload   Delay after reload
  sync     Wait for IP redundancy clients
MLS_1(config-if)#standby 5 preempt delay minimum ?
  <0-3600>  Number of seconds for minimum delay

We've seen a few of the HSRP states, but for t-shooting and exam prep, let's see them in order along with a quick description of each.

Disabled: Similar to the disabled STP port state, in that you won't see this state actually mentioned, but it is the official first HSRP port state.

Initial (INIT): The interface enters this state when HSRP is first enabled. HSRP isn't actually running at this point.

Listen: The router knows the virtual router's IP address, but is not the primary or standby router. It's listening for Hello packets from those routers.

Speak: The router is now sending Hello messages and participating in the election of the primary and standby routers.

Standby: The router is now a candidate to become the active router and continues to send hello packets.

Active: The router is now forwarding packets sent to the group's virtual IP address.

Load Balancing With HSRP

This redundancy is all well and good, but there's one thing driving me crazy. MLS_2 is doing all the work of handling traffic from 60 hosts, and MLS_1 is just sitting there. We're going to put MLS_1 to work via HSRP load balancing. Unlike the load balancing techniques we've used to this point, this one requires a little help from those 60 hosts. (A short drive, I admit.)

I've reset the priority for both routers in Group 5 to 100, and MLS_2 is again the Active router. As a result, HSRP Group 5 has MLS_2 as the Active router, and that group is using 172.16.23.12 to represent its virtual router.

We're going to create Group 10 with the same two routers, and that group will use the address 172.16.23.21 for its virtual router. To finish the load balancing, half of the hosts would be configured with 172.16.23.12 as their default gateway, and the other half with 172.16.23.21.

MLS_1(config)#int vlan 100
MLS_1(config-if)#standby 10 ip 172.16.23.21
MLS_1(config-if)#standby 10 priority 200

MLS_2(config)#int vlan 100
MLS_2(config-if)#standby 10 ip 172.16.23.21
MLS_2(config-if)#standby 10 priority 100 (hardcoding the default)

Verify with show standby, making sure that MLS_1 is the Active router for Group 10 and MLS_2 is the Active router for Group 5, just as we wanted. I'll show only the info related to the election.

MLS_1#show standby
Vlan100 - Group 5
  Preemption disabled
  Active router is 172.16.23.2, priority 100 (expires in 10.704 sec)
  Standby router is local
  Priority 100 (default 100)
Vlan100 - Group 10
  Preemption enabled
  Active router is local
  Standby router is 172.16.23.2, priority 200 (expires in 8.792 sec)
  Priority 201 (configured 201)
  Group name is "hsrp-Vl100-10" (default)

MLS_2#show standby
Vlan100 - Group 5
  Preemption enabled
  Active router is local
  Standby router is 172.16.23.1, priority 100 (expires in 10.808 sec)
  Priority 100 (default 100)
Vlan100 - Group 10
  Preemption disabled
  Active router is 172.16.23.1, priority 201 (expires in 9.384 sec)
  Standby router is local
  Priority 200 (configured 200)

To test this, I've configured a different default gateway on Host 2 and Host 3, and we'll send pings from each.

HOST2#ping 172.16.23.12
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

HOST3#ping 172.16.23.21
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms

Both hosts are pinging their default gateways, and the load is now shared!

HSRP Interface Tracking

This great feature enables the HSRP process to monitor a particular interface, and the status of this interface will dynamically change the HSRP priority for a specified router – for better or for worse! When that tracked interface's line protocol is down, the HSRP priority of the router is decremented. This can lead to another HSRP router in the group becoming the Active router, but that other router must have preemption enabled. HSRP's default decrement with interface tracking is 10.

In our next lab, MLS_2 has a priority of 105 and is the Active router. MLS_1 is the standby and has the default priority of 100. As a result, MLS_2 will handle all the traffic sent to the server behind MLS_2 and MLS_1. That's all well and good, but there is a single point of failure – and we hate those. If Fast 0/3 on MLS_2 fails, the hosts in VLAN 100 can't reach the ecommerce server. We can and will configure HSRP to drop MLS_2's priority if the line protocol of Fast 0/3 on MLS_2 goes down, so as long as MLS_1 has preemption enabled, the current priority would be fine for our purposes. (IP addresses shown for the multilayer switches in the next lab are for their SVI, interface VLAN100.)

MLS_1(config)#int vlan 100
MLS_1(config-if)#standby 1 ip 172.16.23.12
MLS_1(config-if)#standby 1 preempt

MLS_2(config-if)#standby 1 ip 172.16.23.12
MLS_2(config-if)#standby 1 priority 105

Verify with show standby. I'm showing you only the info relating to the election.

MLS_2#show standby
Vlan100 - Group 1
  State is Active
  Preemption disabled
  Active router is local
  Standby router is 172.16.23.1, priority 100 (expires in 8.656 sec)
  Priority 105 (configured 105)

Before configuring HSRP interface tracking, be sure the interface you're tracking is up!

MLS_2#show int fast 0/3
FastEthernet0/3 is up, line protocol is up (connected)

We'll add tracking to MLS_2's HSRP config and verify with show standby.

MLS_2(config)#int vlan 100
MLS_2(config-if)#standby 1 track fastethernet 0/3

MLS_2#show standby
Vlan100 - Group 1
  State is Active
    5 state changes, last state change 00:00:17
  Virtual IP address is 172.16.23.12
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.920 secs
  Preemption disabled
  Active router is local
  Standby router is 172.16.23.1, priority 100 (expires in 11.184 sec)
  Priority 105 (configured 105)
  Track interface FastEthernet0/3 state Up decrement 10
  Group name is "hsrp-Vl100-1" (default)

MLS_1#show standby
Vlan100 - Group 1
  State is Standby
  Preemption enabled
  Active router is 172.16.23.2, priority 105 (expires in 10.464 sec)
  Standby router is local
  Priority 100 (default 100)

The default HSRP interface tracking decrement of 10 is shown to us here. According to theory, if Fast0/3's line protocol goes down, MLS_2's priority should go down to 95. In turn, MLS_1 should then take over as the Active, since MLS_1's priority is the default of 100 and that router is configured for preemption. Let's shut Fast 0/3 down and see what happens!

MLS_2(config)#int fast 0/3
MLS_2(config-if)#shut
%TRACKING-5-STATE: 1 interface Fa0/3 line-protocol Up->Down
%HSRP-5-STATECHANGE: Vlan100 Grp 1 state Active -> Speak
%LINK-5-CHANGED: Interface FastEthernet0/3, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down
%HSRP-5-STATECHANGE: Vlan100 Grp 1 state Speak -> Standby

I removed the timestamps for clarity, so let me throw this in – all of that happened in less than 10 seconds. I would not count on your CCNP SWITCH and TSHOOT exams being so kind. Let's check show standby for verification.

MLS_2#show standby
Vlan100 - Group 1
  State is Standby
    7 state changes, last state change 00:00:10
  Virtual IP address is 172.16.23.12
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.608 secs
  Preemption disabled
  Active router is 172.16.23.1, priority 100 (expires in 10.688 sec)
  Standby router is local
  Priority 95 (configured 105)
  Track interface FastEthernet0/3 state Down decrement 10
  Group name is "hsrp-Vl100-1" (default)

MLS_2 is indeed the standby as a result of that decrement, but MLS_2 will not become the Active router again unless we enable preemption. Let's do that and then reopen Fast 0/3.

MLS_2(config-if)#standby 1 preempt
MLS_2(config-if)#int fast 0/3
MLS_2(config-if)#no shut
%TRACKING-5-STATE: 1 interface Fa0/3 line-protocol Down->Up
%HSRP-5-STATECHANGE: Vlan100 Grp 1 state Standby -> Active
%LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up

MLS_2#show standby
Vlan100 - Group 1
  State is Active
    8 state changes, last state change 00:02:58
  Virtual IP address is 172.16.23.12
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.136 secs
  Preemption enabled
  Active router is local
  Standby router is 172.16.23.1, priority 100 (expires in 10.000 sec)
  Priority 105 (configured 105)
  Track interface FastEthernet0/3 state Up decrement 10
  Group name is "hsrp-Vl100-1" (default)

And that's that! When Fast 0/3 on MLS_2 is back up, the priority will go back to 105.

On occasion, the default decrement might not be enough for the failover to take place. If MLS_2's priority is 150 and MLS_1's priority is 100, the default decrement of 10 wouldn't be enough for MLS_1 to take over as the Active should Fast 0/3 on MLS_2 go down. You can set a new decrement value at the very end of standby track, though; note that you never actually enter the word "decrement". I'll set MLS_2's priority to 150 and then set a decrement of 51…

MLS_2(config)#int vlan 100
MLS_2(config-if)#standby 1 priority 150
MLS_2(config-if)#standby 1 track fastethernet 0/3 ?
  <1-255>  Decrement value
  <cr>
MLS_2(config-if)#standby 1 track fastethernet 0/3 51
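To tie the election rules, preemption and interface tracking together, here is an added Python model (not the book's or Cisco's code) that replays the labs from the election page and the tracking pages: the default tie broken by the highest IP, MLS_1 raised to 200 with and without preemption, and MLS_2 tracking Fa0/3 at priority 105 with decrement 10 and at priority 150 with decrements 10 and 51. Router names and addresses are the page's; treating an equal effective priority as not triggering preemption is an assumption of the model, as is the tracking_lab helper's idea of "before" and "after".

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set


@dataclass
class Router:
    """One HSRP group member; names and addresses used below are the page's."""
    name: str
    ip: str
    priority: int = 100                       # HSRP default priority
    preempt: bool = False                     # preemption is off by default
    tracks: Dict[str, int] = field(default_factory=dict)  # tracked interface -> decrement
    down: Set[str] = field(default_factory=set)           # interfaces whose line protocol is down

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of every tracked interface that is down."""
        return self.priority - sum(dec for ifc, dec in self.tracks.items() if ifc in self.down)


def elect(group: List[Router]) -> Router:
    """Election with no Active present: highest priority wins, highest IP breaks the tie."""
    return max(group, key=lambda r: (r.effective_priority(), int(IPv4Address(r.ip))))


def next_active(current: Optional[Router], group: List[Router]) -> Router:
    """Active router after a change. A standby replaces a live Active only if it has
    preemption enabled and a strictly higher effective priority; an equal priority is
    not treated as a preemption trigger here (an assumption of this model)."""
    if current is None or current not in group:
        return elect(group)                   # Active reloaded or left the group
    best = elect(group)
    if best is current or not best.preempt:
        return current
    return best if best.effective_priority() > current.effective_priority() else current


def first_lab() -> List[str]:
    """The first HSRP lab replayed: defaults, then MLS_1 -> 200, then MLS_1 preempt.
    Returns the Active router's name after each step."""
    mls1, mls2 = Router("MLS_1", "172.16.23.1"), Router("MLS_2", "172.16.23.2")
    group = [mls1, mls2]
    active = elect(group)
    steps = [active.name]                     # tie at 100: higher IP (MLS_2) wins
    mls1.priority = 200
    active = next_active(active, group)
    steps.append(active.name)                 # still MLS_2: no preemption on MLS_1
    mls1.preempt = True
    active = next_active(active, group)
    steps.append(active.name)                 # MLS_1 takes over
    return steps


def tracking_lab(mls2_priority: int, decrement: int, mls2_preempt: bool = False) -> List[str]:
    """The tracking labs replayed: MLS_2 tracks FastEthernet0/3 with the given decrement,
    MLS_1 sits at 100 with preemption. Returns the Active router's name after the
    shut and again after the no shut."""
    mls1 = Router("MLS_1", "172.16.23.1", priority=100, preempt=True)
    mls2 = Router("MLS_2", "172.16.23.2", priority=mls2_priority, preempt=mls2_preempt,
                  tracks={"FastEthernet0/3": decrement})
    group = [mls1, mls2]
    active = elect(group)                     # MLS_2 starts as Active
    mls2.down.add("FastEthernet0/3")
    after_shut = next_active(active, group)
    mls2.down.discard("FastEthernet0/3")
    after_no_shut = next_active(after_shut, group)
    return [after_shut.name, after_no_shut.name]
```

tracking_lab(105, 10) gives MLS_1 after the shut and MLS_1 again after the no shut, the page's "will not become the Active router again unless we enable preemption"; tracking_lab(150, 10, True) never leaves MLS_2, and tracking_lab(150, 51, True) does, which is the whole point of the larger decrement.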

… shut down fast 0/3…

MLS_2(config-if)#int fast 0/3
MLS_2(config-if)#shut

… and verify any changes with show standby.

MLS_2#show standby
Vlan100 - Group 1
  State is Standby
    13 state changes, last state change 00:00:05
  Virtual IP address is 172.16.23.12
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.560 secs
  Preemption enabled
  Active router is 172.16.23.1, priority 100 (expires in 7.600 sec)
  Standby router is local
  Priority 99 (configured 150)
  Track interface FastEthernet0/3 state Down decrement 51
  Group name is "hsrp-Vl100-1" (default)

The default decrement would not have been enough to get the cutover done, but setting the decrement to 51 and enabling MLS_1 for preemption (done in the previous lab) got the job done!

Changing This And That In HSRP

I don't like to call these "miscellaneous" commands, because they are important, but they're not everyday commands. You can leave most HSRP defaults as they are, but just in case you need to change a few things, here's how!

To change the HSRP hello and hold timers, use standby timers. You do have to enter a value for each timer, even if there's one you're not changing.

MLS_2(config-if)#standby 1 timers ?
  <1-254>  Hello interval in seconds
  msec     Specify hello interval in milliseconds
MLS_2(config-if)#standby 1 timers 6 ?
  <7-255>  Hold time in seconds
MLS_2(config-if)#standby 1 timers 6 15

Want to change the HSRP group name from that ugly default? Use standby name.

MLS_2(config-if)#standby 1 name CCNP

MLS_2#show standby (output edited, group name appears at very bottom of output)
  Group name is "CCNP" (cfgd)

Want to set up authentication between your HSRP speakers? Use standby authentication. I'd tell you not to use plain text authentication, but I know you won't do that. It is an option, though.

MLS_2(config-if)#standby 1 authentication ?
  WORD  Plain text authentication string (8 chars max)
  md5   Use MD5 authentication
  text  Plain text authentication
MLS_2(config-if)#standby 1 authentication md5 ?
  key-chain   Set key chain
  key-string  Set key string

Choose "key string" to set a single word as the password.

MLS_2(config-if)#standby 1 authentication md5 key-string CCNP

MLS_1(config)#int vlan 100
MLS_1(config-if)#standby 1 authentication md5 key-string CCNP

Using MD5 authentication means that a hash of the password is sent to other HSRP group neighbors, not that the password is hashed in the config. Check out MLS_2's config:

interface Vlan100
 ip address 172.16.23.2 255.255.255.0
 standby 1 ip 172.16.23.12
 standby 1 priority 150
 standby 1 preempt
 standby 1 authentication md5 key-string CCNP
 standby 1 name CCNP
 standby 1 track 1 decrement 51

To disguise that password in the config, use your old friend service password-encryption.

MLS_2(config)#service password-encryption

The result:

interface Vlan100
 ip address 172.16.23.2 255.255.255.0
 standby 1 ip 172.16.23.12
 standby 1 priority 150
 standby 1 preempt
 standby 1 authentication md5 key-string 7 0327782536
 standby 1 name CCNP
 standby 1 track 1 decrement 51

VRRP – The Virtual Router Redundancy Protocol

Defined in RFC 2338, VRRP is the open-standard equivalent of the Cisco-proprietary HSRP. VRRP works very much like HSRP, with one or two important differences (naturally!). They're so much alike that you pretty much learned VRRP during the last section, where you learned HSRP! Let's check out those differences, though…

VRRP's equivalent to HSRP's Active router is the Master router.
VRRP's equivalent to HSRP's Standby router is the Backup router.
Preemption is enabled by default in VRRP.
VRRP's advertisements are multicast to 224.0.0.18, where HSRP ads are multicast to 224.0.0.2.
The MAC address of VRRP routers is 00-00-5e-00-01-xx, and yes, the "xx" is the VRRP group number in hex.

Let's have a look at VRRP in action, using the same two multilayer switches and the same IP addresses as we used in the HSRP section. These options should look familiar…

MLS_2(config)#int vlan 100
MLS_2(config-if)#vrrp ?
  <1-255>  Group number

MLS_2(config-if)#vrrp 1 ?
  authentication  Authentication string
  description     Group specific description
  ip              Enable Virtual Router Redundancy Protocol (VRRP) for IP
  preempt         Enable preemption of lower priority Master
  priority        Priority of this VRRP group
  timers          Set the VRRP timers
  track           Event Tracking
MLS_2(config-if)#vrrp 1 ip 172.16.23.12

MLS_1(config)#int vlan 100
MLS_1(config-if)#vrrp 1 ip 172.16.23.12

Let's verify!

MLS_2#show vrrp
Vlan100 - Group 1
  State is Master
  Virtual IP address is 172.16.23.12
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
  Master Router is 172.16.23.2 (local), priority is 100
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec

MLS_1#show vrrp
Vlan100 - Group 1
  State is Backup
  Virtual IP address is 172.16.23.12
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
  Master Router is 172.16.23.2, priority is 100
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec (expires in 3.458 sec)

With preemption enabled by default, MLS_1 should take over as the Master Router if its priority is raised, correct?

MLS_1(config)#int vlan 100
MLS_1(config-if)#vrrp 1 priority 200
07:53:32: %VRRP-6-STATECHANGE: Vl100 Grp 1 state Backup -> Master

Correct!

MLS_1#show vrrp
Vlan100 - Group 1
  State is Master
  Virtual IP address is 172.16.23.12
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 200
  Master Router is 172.16.23.1 (local), priority is 200
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.218 sec

While we're at it, let's do a little interface tracking after making MLS_2 the Master again.
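The Master Down intervals in these outputs (3.609 seconds at priority 100, 3.218 at 200, and 3.023 at the priority 250 used a little later) are not arbitrary: RFC 2338, the one the page cites, derives them from the advertisement interval and the router's priority, so a higher-priority Backup declares a silent Master dead sooner. The following Python is an added example, not the book's or Cisco's code; it reproduces those three values and the VRRP virtual MAC format from the page, and assumes IOS truncates the skew time to whole milliseconds when it prints it.

```python
from typing import Dict, List

ADV_INTERVAL_MS = 1000  # VRRP default advertisement interval, 1 second, as shown on the page


def vrrp_virtual_mac(group: int) -> str:
    """VRRP virtual MAC 0000.5e00.01XX with XX = group number in hex (page: 00-00-5e-00-01-xx)."""
    if not 1 <= group <= 255:
        raise ValueError("VRRP group number must be 1-255")
    return f"0000.5e00.01{group:02x}"


def skew_time_ms(priority: int) -> int:
    """RFC 2338 Skew_Time = (256 - Priority) / 256 seconds.
    Assumption: IOS truncates rather than rounds to milliseconds, which is what
    makes priority 200 print as 3.218 instead of 3.219."""
    if not 1 <= priority <= 255:
        raise ValueError("VRRP priority must be 1-255")
    return (256 - priority) * 1000 // 256


def master_down_interval_ms(priority: int, adv_ms: int = ADV_INTERVAL_MS) -> int:
    """RFC 2338 Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time."""
    return 3 * adv_ms + skew_time_ms(priority)


def fmt_sec(ms: int) -> str:
    """Render milliseconds the way show vrrp prints intervals, e.g. 3609 -> '3.609'."""
    return f"{ms // 1000}.{ms % 1000:03d}"


def page_outputs() -> Dict[int, str]:
    """The priorities used on this page mapped to the interval IOS displayed for them."""
    return {p: fmt_sec(master_down_interval_ms(p)) for p in (100, 200, 250)}


def failover_order(priorities: Dict[str, int]) -> List[str]:
    """Backups sorted by how soon each would declare a silent Master dead: the highest
    priority has the smallest skew, so it is first in line, which is how VRRP avoids
    two Backups promoting themselves at the same instant."""
    return sorted(priorities, key=lambda name: master_down_interval_ms(priorities[name]))
```

The skew is also why, in the lab just above, MLS_1 at priority 200 would notice a dead MLS_2 roughly four tenths of a second before a Backup left at the default 100 would.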

MLS_2(config)#int vlan 100
MLS_2(config-if)#vrrp 1 priority 250
07:55:53: %VRRP-6-STATECHANGE: Vl100 Grp 1 state Backup -> Master

MLS_2 is the Master router, and we want MLS_1 to take that role should the line protocol on MLS_2's Fast 0/3 interface go down. The overall concept of tracking is the same in VRRP as it is in HSRP, but the process is a little bit different. Check the interface before you start tracking:

MLS_2#show int fast 0/3
FastEthernet0/3 is up, line protocol is up (connected)

With VRRP, we need to define the interface as an object before moving forward with the actual vrrp track command. Sounds complicated, but it isn't. (I've always remembered this by saying "track, then vrrp track". Feel free to steal it.) We're not limited to using the line protocol as the tracked object, but that's the easiest and most effective track to use for an interface IMHO.

MLS_2(config)#track ?
  <1-1000>    Tracked object
  resolution  Tracking resolution parameters
  timer       Polling interval timers
MLS_2(config)#track 1 ?
  interface  Select an interface to track
  ip         IP protocol
  list       Group objects in a list
MLS_2(config)#track 1 interface fast 0/3 ?
  ip             IP parameters
  line-protocol  Track interface line-protocol
MLS_2(config)#track 1 interface fast 0/3 line-protocol ?
  <cr>
MLS_2(config)#track 1 interface fast 0/3 line-protocol

The object number referred to in the track command must be the same one used in the vrrp track command. Here's where we stand:

MLS_2(config)#int vlan 100
MLS_2(config-if)#vrrp 1 ?
  authentication  Authentication string
  description     Group specific description
  ip              Enable Virtual Router Redundancy Protocol (VRRP) for IP
  preempt         Enable preemption of lower priority Master
  priority        Priority of this VRRP group
  timers          Set the VRRP timers
  track           Event Tracking
MLS_2(config-if)#vrrp 1 track ?
  <1-1000>  Tracked object
MLS_2(config-if)#vrrp 1 track 1 ?

  decrement  Priority decrement
  <cr>
MLS_2(config-if)#vrrp 1 track 1

Verify the config:

MLS_2#show vrrp
Vlan100 - Group 1
  State is Master
  Virtual IP address is 172.16.23.12
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 250
  Track object 1 state Up decrement 10
  Master Router is 172.16.23.2 (local), priority is 250
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.023 sec

We accepted the VRRP default priority decrement (10). Now we'll shut down fast 0/3 and see what happens.

MLS_2(config)#int fast 0/3
MLS_2(config-if)#shut
%TRACKING-5-STATE: 1 interface Fa0/3 line-protocol Up->Down
%LINK-5-CHANGED: Interface FastEthernet0/3, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down

MLS_2#show vrrp
Vlan100 - Group 1
  State is Master
  Virtual IP address is 172.16.23.12
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 240 (cfgd 250)
  Track object 1 state Down decrement 10
  Master Router is 172.16.23.2 (local), priority is 240
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.023 sec

The tracking is working, but since we changed the default priority a couple of times early on, the decrement isn't large enough to make MLS_1 the Master router. Let's change that decrement to 51.

MLS_2(config)#int vlan 100
MLS_2(config-if)#vrrp 1 track 1 decrement 51
08:14:20: %VRRP-6-STATECHANGE: Vl100 Grp 1 state Master -> Backup

MLS_2#show vrrp
Vlan100 - Group 1
  State is Backup
  Virtual IP address is 172.16.23.12
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 199 (cfgd 250)
  Track object 1 state Down decrement 51
  Master Router is 172.16.23.1, priority is 200
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.023 sec (expires in 2.100 sec)

It's all about the decrement – and in this case, knowing how to create a VRRP tracked object! I'll unblock fast0/3 on MLS_2 and we'll watch MLS_2 take over as Master.

MLS_2(config)#int fast 0/3
MLS_2(config-if)#no shut
%SYS-5-CONFIG_I: Configured from console by console
%TRACKING-5-STATE: 1 interface Fa0/3 line-protocol Down->Up
%LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up
08:34:58: %VRRP-6-STATECHANGE: Vl100 Grp 1 state Backup -> Master

Ta da!

MLS_2#show vrrp
Vlan100 - Group 1
  State is Master
  Virtual IP address is 172.16.23.12
  Virtual MAC address is 0000.5e00.0101
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 250
  Track object 1 state Up decrement 51
  Master Router is 172.16.23.2 (local), priority is 250
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.023 sec

For VRRP load balancing, we're going to use much the same technique as we did with HSRP. Since VRRP wasn't exactly developed with load balancing in mind, we need to create another VRRP virtual router, which means creating a separate VRRP group. Half of the hosts will use VR #1 as their default gateway, and the other half will use VR #2. Before proceeding, let's create another VRRP group with a new IP address for the virtual router, using vrrp priority to ensure MLS_1 becomes the Master for the new group.

MLS_2(config)#int vlan 100
MLS_2(config-if)#vrrp 55 ip 172.16.23.21

MLS_1(config)#int vlan 100
MLS_1(config-if)#vrrp 55 ip 172.16.23.21
%VRRP-6-STATECHANGE: Vl100 Grp 55 state Init -> Backup

MLS_1(config)#int vlan 100
MLS_1(config-if)#vrrp 55 priority 200
%VRRP-6-STATECHANGE: Vl100 Grp 55 state Backup -> Master

MLS_1 went to Backup for our new VRRP group first, but then went to Master after having its priority for VRRP group 55 raised to 200.

MLS_1#show vrrp
Vlan100 - Group 1
  State is Backup
  Virtual IP address is 172.16.23.12
Vlan100 - Group 55
  State is Master
  Virtual IP address is 172.16.23.21

MLS_2#show vrrp
Vlan100 - Group 1
  State is Master
  Virtual IP address is 172.16.23.12
Vlan100 - Group 55
  State is Backup
  Virtual IP address is 172.16.23.21

After verifying that MLS_1 is the Master for VRRP group 55 and MLS_2 is the Master for group 1, we just need to configure half the hosts in VLAN 100 to use 172.16.23.12 as their default gateway, and the other half 172.16.23.21.

Let's finish our look at FHRPs with a protocol that was actually built with load balancing in mind!

The Gateway Load Balancing Protocol (GLBP)

HSRP and VRRP have some great features, but as we've seen, load balancing with those two protocols is more of a workaround than a native behavior, and both workarounds are inexact sciences at best and a pain in the buttocks at worst. For this reason, GLBP allows us to configure a single default gateway on all of our hosts. The primary purpose of the Gateway Load Balancing Protocol is, well, load balancing! It's also suitable for use only on Cisco routers and switches, because GLBP is Cisco-proprietary.

As with HSRP and VRRP, GLBP routers will be placed into a router group. With GLBP, the hosts think they're sending all of their data to a single gateway, but actually multiple gateways are in use at one time. This is a major step forward over HSRP and VRRP load balancing. GLBP allows every router in the group to handle some of the load in a round-robin manner, rather than having a primary router handle the entire load while the standby routers remain idle.

In the following illustration, three hosts send an ARP request for the MAC of the virtual router.

With that in mind, the router with the highest GLBP priority is chosen as the Active Virtual Gateway (AVG), and it's that router that will respond with ARP responses that contain virtual MAC addresses assigned to the physical routers in the group. If all routers have the same GLBP priority, the router with the highest IP address becomes the AVG. The routers receiving and forwarding traffic received on these virtual MAC addresses are Active Virtual Forwarders (AVFs).

Should the AVG fail, the router serving as the standby AVG will take over. (That's the router with the next-highest GLBP priority in the group, or if that's a tie, the router with the next-highest IP address takes that role.) If any of the AVFs fail, another router will handle the load destined for a MAC assigned to the down router.

The AVG is also in charge of assigning the virtual MAC addresses, and the virtual MAC follows this format:

00-07-b4-00-xx-yy

"XX" is the GLBP group number, "YY" is the AVF number. GLBP routers use Hellos multicast to 224.0.0.102 to detect the availability of other GLBP-speaking routers.

Our lab is going to be a bit different than the previous HSRP and VRRP labs. Since GLBP doesn't run on all Cisco switch platforms, we're going to use Cisco routers in this lab. I'm going to use the same multilayer switch icon and names used in the previous FHRP labs. This will also illustrate that GLBP runs the same on multilayer switches as routers. Each physical device is running the IP address shown on its FastEthernet 0/0 interface, and here's the topology.

In the following illustration, MLS_4 is the AVG in GLBP group 1. It has assigned a virtual MAC address of 00-07-b4-00-01-01 to MLS_1, 00-07-b4-00-01-02 to MLS_2, 00-07-b4-00-01-03 to MLS_3, and 00-07-b4-00-01-04 to itself, putting us at the limit of four AVFs in a GLBP group.

The AVG answers incoming ARP requests with ARP responses containing the virtual MAC of one of the routers in the group. Our GLBP deployment in this illustration is using the default GLBP load balancing technique of round-robin, where a host that sends an ARP request will receive a response from the next MAC address in line. By default, GLBP will load-balance in a round-robin fashion, so the first ARP response contains the virtual MAC of MLS_1, the next the virtual MAC of MLS_2, and the third the virtual MAC of MLS_3. The next response, naturally, would contain the virtual MAC of MLS_4.

We can also use weighted assignments, where the higher the assigned weight, the more often a particular router's virtual MAC will be sent to a requesting host. If a host needs the same MAC gateway address every time it sends an ARP request, host-dependent load balancing is the way to go.

12 MLS _ 3(config-if)#glbp 1 preempt 222 Great info here! From top to bottom.16.23. followed by the state of Active. After the state change info.23.B.2. forwarder timeout 14400 sec Preemption enabled.23. it’s also incredibly verbose. hold time 10 sec Next hello sent in 2.16.ca96. thresholds: lower 1.23.Group 1 MLS _ 3(config)#int fast 0/0 State is Active MLS _ 3(config-if)#glbp 1 ? authentication Authentication method client-cache Client cache forwarder Forwarder configuration ip Enable group and set virtual IP address ipv6 Enable group for IPv6 and set the virtual IPv6 address load-balancing Load balancing method name Redundancy name preempt Overthrow lower priority designated routers priority Priority level timers Adjust GLBP timers weighting Gateway weighting and tracking 1 state change. min delay 0 sec Active is local Standby is 172. last state change 00:11:40 Virtual IP address is 172. priority 100 (expires in 9.59e2. along with some IOS Help on the first one: MLS _ 3#show glbp FastEthernet0/0 .16.16.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 . upper 100 Load balancing: round-robin Group members: 0017. The beginning configuration.12 MLS _ 2(config-if)#glbp 1 preempt MLS _ 1(config-if)#glbp 1 ip 172. we see the interface and group number. starting with the first half.23. hello and 223 .1) <cr> MLS _ 3(config-if)#glbp 1 ip 172.23. MLS_3.272 secs Redirect time 600 sec.23.3) local MLS _ 3(config-if)#glbp 1 ip ? 001b.12 MLS _ 1(config-if)#glbp 1 preempt show glbp is an incredibly important GLBP command.2) A.16.888 sec) Priority 100 (default) Weighting 100 (default 100).D Virtual IP address 001f.16.d4c2.16. and the second half with the Active Virtual Forwarders.474a (172.2754 (172.C.0990 (172. The first half of the output deals with the Active Virtual Gateway selection. which means we’re on the AVG.23. 
We’re going to examine the output of this command on the current AVG.16.115 S T U DY G U I D E C H R I S B R YA N T MLS _ 2(config-if)#glbp 1 ip 172.12 Hello time 3 sec.

weighting 100 (expires in 10. you’ll be clear – crystal clear – on the usage of each.392 sec remaining (maximum 600 sec) Time to live: 14399. along with “thresholds”.1 (primary).0101 (default) Owner ID is 0017. weighting 100 State is Listen MAC address is 0007. Redirection enabled. and they’ll each show their forwarder as State is Active 1 state change. min delay 30 sec Active is local.b400. min delay 30 sec Active is 172. and some timers new to us (“redirect” and “forwarder”). last state change 00:11:29 MAC address is 0007.3 (primary). 599.0103 (learnt) is given to the runner-up. weighting 100 (expires in 10.d4c2. The virtual MAC address for each router is shown in this output as well.115 S T U DY G U I D E hold time.474a “Active” while the other two are in “Listen”.23.b400.474a Forwarder 2 Time to live: 14399.0102 (default) Owner ID is 001b. Hellos from the local forwarder. which deals with the AVF status of each member.16.816 sec) 224 Preemption enabled.904 sec (maximum 14400 sec) Preemption enabled. MLS_2.59e2. These are not the virtual The local forwarder (Forwarder 3) is shown as “State is Active”. Much like beauty pageants. 599. This means that the other two AVFs are listening for Let’s have a look at the second half of the show glbp output.2754 Continuing down the output. Owner ID is 001f. but after the labs later in this section.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 . ers are shown as “State is Listen”.b400. min delay 30 sec Active is 172.23.b400. You’ll see an example of this in an upcoming lab. weighting 100 (expires in 10.656 sec) We then see the load balancing method in use is round-robin. min delay 30 sec Active is 172.360 sec (maximum 14400 sec) State is Listen MAC address is 0007. should MLS_3 be unable to fulfill its duties.23. Here’s that same info from MLS_2: There are 3 forwarders (1 active) Forwarder 1 Redirection enabled Preemption enabled. Following “Active is local”.b400. This is also from MLS_3. 
and the other two forward- MAC addresses that are sent by the AVG in response to ARP requests.16.d4c2.0990 Redirection enabled.912 sec Forwarder 2 State is Active 1 state change. one of the other AVFs would step in and handle traffic destined for that down AVF’s virtual MAC address. we see that preemption C H R I S B R YA N T Forwarder 3 is enabled. followed by the actual MAC and IP addresses of the GLBP group members. and should those hellos stop coming. the AVG title MAC address is 0007. There are 3 forwarders (1 active) Forwarder 1 Each physical router in our group is an AVF. the default for each. These values are often confused.59e2.0990 225 .2 (primary).0102 (learnt) Owner ID is 001b. also a GLBP default. we see the Priority and Weighting values are set to 100. we’re given the IP address and priority of the standby State is Listen AVG.904 sec remaining (maximum 600 sec) Time to live: 14399.16.0101 (learnt) Owner ID is 0017. last state change 00:28:09 MAC address is 0007.392 sec (maximum 14400 sec) Preemption enabled.ca96.

16.b400. weighting 100 (expires in 10. MLS_2 should take over as the AVG if MLS_3 is unavailable.784 sec (maximum 14400 sec) Preemption enabled.16.0990 Time to live: 14398. min delay 30 sec Preemption enabled.23.560 sec) Forwarder 3 According to that output. it’s a great place to get started with t-shooting.16. but just remember that the local MAC address is 0007.2754 Time to live: 14397. Preemption enabled.2 (primary). weighting 100 (expires in 10. weighting 100 (expires in 7.b400.b400.3 (primary).b400.23. min delay 30 sec Active is 172. weighting 100 Forwarder 3 State is Listen That differing info on your AVFs can throw you at first. MLS _ 3(config)#int fast 0/0 MLS _ 3(config-if)#shut %GLBP-6-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active %GLBP-6-FWDSTATECHANGE: FastEthernet0/0 Grp 1 Fwd 1 state Listen -> Active MLS _ 2#show glbp brief State is Active 1 state change.12 local 172.2 - Fa0/0 1 3 - Listen 0007. you’re on the AVG.ca96.23.b400.23.1 - State is Listen MAC address is 0007. MLS _ 3#show glbp brief Interface Grp Fwd Pri State Address Active router Standby router Fa0/0 1 - 100 Active 172.0103 (learnt) AVF will always be seen as Active and the others will be listening in! Owner ID is 001f.474a devices with a number under “Fwd” are your AVFs.440 sec (maximum 14400 sec) Preemption enabled. min delay 30 sec Active is local.23.ca96. last state change 00:29:10 MAC address is 0007. Let’s test that by making MLS_3 unavailable and then running show glbp brief on MLS_2.136 sec (maximum 14400 sec) serve as both an AVG and an AVF.59e2.b400.b400.115 S T U DY G U I D E C H R I S B R YA N T Preemption enabled.16.2 Fa0/0 1 1 - Active 0007.23.0103 172. 
and while it doesn’t give the details the full command gives.936 sec) That same command’s output on MLS_1.0101 local - Fa0/0 1 2 - Listen 0007.0101 (learnt) When you see a dash under “Fwd” and “Active” under “State”.2754 226 Interface Grp Fwd Pri State Address Active router Standby router Fa0/0 100 Active 172.d4c2. The Owner ID is 0017. and it’s commonplace for a router to Time to live: 14399.1 1 - 227 .16.16.112 sec) Forwarder 2 State is Listen MAC address is 0007. showing the local forwarder as Active and other two as listening: There are 3 forwarders (1 active) Forwarder 1 You’ll be happy to know there is a brief option for this command.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 .0103 (default) Owner ID is 001f.23.16.23.23.0102 (learnt) Owner ID is 001b.12 local 172.0102 172.16.16.1 (primary). min delay 30 sec Active is 172. min delay 30 sec Active is 172. weighting 100 Active is local.

0102 172.23.0101 local - Fa0/0 1 2 - Active 0007. forwarder timeout 14400 se The hello and hold times operate the same here as they do in HSRP – it’s the redirect and forwarder timeout values we need to examine closely.23.16. There are two others that can be a tad confusing at first. In the previous lab. which had been MLS_3’s virtual MAC address.16. What you might not have expected is that MLS_2 is now the Active router for the MAC address previously handled by MLS_3 (0007.2 - the first timer in this command.1 - Take careful note of both GLBP console messages. and it’s handling traffic sent to that MAC address as well as its own assigned address.12 Hello time 3 sec. They both have to Fa0/0 1 3 - Listen 0007.Group 1 State is Active 3 state changes.1 - be set even if you’re just changing one.b400. it reclaims the role of AVG and begins acting as an AVF for its original virtual MAC address. 0007.0102 local - Fa0/0 1 3 - Listen 0007.12 local 172. and watch your syntax! The redirect timer is Fa0/0 1 2 - Listen 0007.16.16. and that’s verified by show glbp brief. MLS _ 3#show glbp FastEthernet0/0 .23.b400. hold time 10 sec Next hello sent in 0.b400.23. That’s mighty kind of MLS_2.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 .192 secs Redirect time 600 sec. MLS_2 began accepting frames with the destination 0007.0103 172.b400. and should you set the forwarder timeout too low… MAC address disappear from every GLBP router in the group. when the forwarder timeout timer expires.16. Let’s clear up any confusion on these right now. last state change 00:15:34 Virtual IP address is 172.b400. the now-disappeared VRF and its virtual Interface Grp Fwd Pri State Address Active router Standby router Fa0/0 1 - 100 Active 172. they even have the same default.0102. MLS _ 3(config-if)#glbp 1 timers ? <1-60> 228 Hello interval in seconds 229 .0101. ness will not last forever. b400. We expected MLS_2 to take over as the AVG.16. 
MLS _ 3#show glbp brief Then.23.b400.115 S T U DY G U I D E Fa0/0 1 1 - Active 0007. When the redirect time expires. the AVG will no longer use the virtual MAC address in question as a response to ARP replies.23. and the timeout interval is the second.0103 172. C H R I S B R YA N T Watch The Timers Two of the GLBP timers are just the same as those found in HSRP.2 Fa0/0 1 1 - Active 0007.0101).b400.b400.0101 local - Use glbp timers redirect to change either timer. but that kindOnce MLS_3 comes back online.

but I did go back to the defaults after seeing that message. Hang in there dur- MLS _ 2(config-if)#glbp 1 priority 150 ing this quick explanation and then you’ll see it all in action.b400.0102 172.3 - Fa0/0 1 2 - Listen 0007.12 172.23. After changing the priority on MLS_1 to 125.0101 172.0101 172. and MLS_3 is the standby AVG since it has a higher IP address than MLS_1. but when you see it in action.2 - Fa0/0 1 3 - Active 0007.2 local Fa0/0 1 1 - Listen 0007.115 S T U DY G U I D E msec Specify hello interval in milliseconds C H R I S B R YA N T 01:24:57: %GLBP-6-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active redirect Specify timeout values for failed forwarders MLS _ 2#show glbp brief MLS _ 3(config-if)#glbp 1 timers redirect ? <0-3600> Interval in seconds to redirect to failed forwarders MLS _ 3(config-if)#glbp 1 timers redirect 1800 ? <2400-64800> Timeout interval in seconds for failed forwarders MLS _ 3(config-if)#glbp 1 timers redirect 1800 3600 ? <cr> Interface Grp Fwd Pri State Address Active router Standby router Fa0/0 1 - 150 Active 172.23.b400.23. MLS _ 1(config)#int fast 0/0 MLS _ 1(config-if)#glbp 1 priority 125 MLS _ 1#show glbp brief Interface Grp Fwd Pri State Address Active router Standby router Fa0/0 1 - 125 Standby 172. assign it a priority higher than that of MLS _ 3(config-if)#glbp 1 timers redirect 1800 3600 % Forwarder timeout is less than the default ARP cache timeout (4 hours) … well.23. In these labs. you’ll wonder what the fuss was.0102 local - Fa0/0 1 3 - Listen 0007.16.0103 local - Now.3 - Fa0/0 1 2 - Active 0007.16.1 - 172.b400. Since we enabled preemption on all three routers at the beginning of the lab.16. all we need to do is raise the GLBP priority on MLS_2. MLS_3 was selected MLS_3 (100) and less than that of MLS_2 (150). show glbp brief verifies that MLS_1 is indeed the standby AVG while MLS_2 remains the AVG. Change these timers with care! 
MLS _ 3(config)#int fast 0/0 MLS _ 3(config-if)#no glbp 1 timers redirect 1800 3600 Selecting The AVG And Backup AVG Selecting another router to serve as the AVG is no problem.23.0103 172.23.16.16. if you’ve ever watched Shark Tank. Using Weights And Tracking Slight warning: This is one of those things that sounds complicated when you hear or read MLS _ 2(config)#int fast 0/0 about it.b400.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 . The timer change does take effect.16.16. To make MLS_1 the standby AVG.3 MLS_2 has taken over as the AVG.” That’s pretty much what the router is telling us here.b400.12 local Fa0/0 1 1 - Listen 0007.23.16. you’ve heard Barbara Corcoran say “I’m going to give you a minute to rethink that. 230 231 .23. about those weights… because of its higher IP address – but perhaps we want MLS_2 to be the AVG instead.b400.

lower and upper: Before configuring interface tracking. I raised MLS_3’s priority to 160 and it is now the AVG for We can use interface tracking. In this lab.23. line protocol is up Huzzah! Now to set up tracking with the track command.b400. upper 100 Load balancing: round-robin 232 <1-500> Tracked object resolution Tracking resolution parameters timer Polling interval timers MLS _ 3(config)#track 1 ? application Application interface Select an interface to track ip IP protocol list Group objects in a list stub-object Stub tracking object <cr> 233 .1 - The default weight of a GLBP-enabled router is 100. and this is the value that determines whether a router can be a VRF.0103 172.12 Hello time 3 sec.Group 1 MLS _ 3(config)#track ? State is Active 5 state changes. min delay 0 sec Active is local Standby is 172. what do we do? CHECK THAT INTERFACE! MLS _ 3#show int fast 0/1 FastEthernet0/1 is up.b400.23.12 local 172.0101 local - Fa0/0 1 2 - Listen 0007. The weight has two default thresholds.23.0102 172.000 sec) Priority 160 (configured) Weighting 100 (default 100).16. which is a globally configured command rather than an interface-level command.16. priority 150 (expires in 8.2 Fa0/0 1 1 - Active 0007. the local router is eligible to be an AVF.992 secs Redirect time 600 sec.2. hold time 10 sec Next hello sent in 0.23. This does not in any way affect MLS_3’s status as the AVG.2 - Fa0/0 1 3 - Listen 0007. forwarder timeout 14400 sec Preemption enabled. MLS _ 3#show glbp FastEthernet0/0 .16.23.16. and those thresholds to determine whether the group.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 . last state change 00:00:52 Virtual IP address is 172.b400.16. we’ll configure MLS_3 to disqualify itself as an AVF if the line protocol on fast 0/1 goes down.16. GLBP weight.23. MLS _ 3(config)#int fast 0/0 MLS _ 3(config-if)#glbp 1 priority 160 MLS _ 3#show glbp brief Interface Grp Fwd Pri State Address Active router Standby router Fa0/0 1 - 160 Active 172. 
thresholds: lower 1.115 S T U DY G U I D E C H R I S B R YA N T Before proceeding with this lab.

Weighting lower threshold value MLS _ 3#show glbp MLS _ 3(config-if)#glbp 1 weighting 100 lower 95 ? upper Weighting upper threshold <cr> FastEthernet0/0 . MLS _ 3(config-if)#glbp 1 weighting ? <1-254> Weighting maximum value track Interface tracking MLS _ 3(config)#int fast 0/0 MLS _ 3(config-if)#glbp 1 weighting ? <1-254> Weighting maximum value track Interface tracking MLS _ 3(config-if)#glbp 1 weighting track ? <1-500> Tracked object MLS _ 3(config-if)#glbp 1 weighting track 1 ? MLS _ 3(config-if)#glbp 1 weighting 100 ? lower Weighting lower threshold upper Weighting upper threshold <cr> <cr> MLS _ 3(config-if)#glbp 1 weighting track 1 MLS _ 3(config-if)#glbp 1 weighting 100 lower ? <1-99> decrement Weighting decrement Verify with show glbp. it can no longer act as a VRF. that router can go right back to work as a VRF. threshold. When the router’s weight drops below the low for the decrement.16. First. which by default is 10. We’re accepting that default here by not entering a value ing along with the high and low thresholds.12 234 235 .115 S T U DY G U I D E MLS _ 3(config)#track 1 interface fastethernet0/1 ? ip IP parameters C H R I S B R YA N T MLS _ 3(config-if)#glbp 1 weighting 100 lower 95 upper ? <95-100> Weighting upper threshold value line-protocol Track interface line-protocol MLS _ 3(config-if)#glbp 1 weighting 100 lower 95 upper 100 ? MLS _ 3(config)#track 1 interface fastethernet0/1 line-protocol ? <cr> <cr> MLS _ 3(config-if)#glbp 1 weighting 100 lower 95 upper 100 MLS _ 3(config)#track 1 interface fastethernet0/1 line-protocol The second command needed here is the one specifying the interface to be tracked and the Now we’ll head back to the GLBP configuration. last state change 00:43:17 Virtual IP address is 172.23. we have to set up the value for weight- decrement. Once that weight meets or rises above the high threshold.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 . 
We’ll keep the default weight of 100 while setting a low threshold of 95 and a high of 100.Group 1 State is Active 13 state changes.

b400. MLS_3 will resume its VRF duties. MLS _ 3#show glbp brief In short: Interface Grp Fwd Pri State Address Active router Standby router Fa0/0 1 - 160 Active 172. *Apr 3 19:09:49: %GLBP-6-FWDSTATECHANGE: FastEthernet0/0 Grp 1 Fwd 1 state Listen -> Active MLS _ 3#show glbp brief show glbp tells us that the weight has indeed dropped to 90.16. priority 150 (expires in 8.b400. and use weighting to Fa0/0 1 1 - Listen 0007.0102 172. thresholds: lower 95.2 - Fa0/0 1 3 - Listen 0007.2 - affect a router’s ability to serve as an AVF.23. MLS_3 should be disqualified from consideration as a VRF if that weight drops below 95.0101.b400.16.23.16.1 - 236 Let’s shift our focus to securing our switches! 237 .16.16.0103 172.2.b400.23. low (configured 100). thresholds: lower 95. perhaps in tandem with interface tracking.115 S T U DY G U I D E C H R I S B R YA N T Hello time 3 sec.23.23.16.23.23. Interface Grp Fwd Pri State Address Active router Standby router Fa0/0 1 - 160 Active 172.b400. it’s no longer an AVF.b400.23. upper 100 Track object 1 state Down decrement 10 show glbp brief verifies that while MLS_3 is still the AVG.12 local 172.000 sec) Priority 160 (configured) Weighting 100 (configured 100).0101 local - Fa0/0 1 2 - Listen 0007. Weighting 90.344 secs Redirect time 600 sec.b400.0101 172. hold time 10 sec Next hello sent in 1. and shortly after we see the GLBP syslog message shown here.16.2 Use priority to affect the choice of your primary and backup AVGs.1 - The reason I ran this lab on our AVG is to emphasize that the AVG election and a router’s ability to serve as an AVF are two separate operations.0103 172.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 .16. min delay 0 sec Active is local Standby is 172. MLS_2 is now handling traffic with a destination MAC of 0007. which was formerly handled by MLS_3.23. Let’s shut down fast 0/1 on that router and watch the fun! I’ll now bring MLS_3’s fast0/1 interface back online. 
forwarder timeout 14400 sec Preemption enabled.16.16.2 Fa0/0 1 1 - Active 0007. upper 100 Track object 1 state Up decrement 10 With this configuration.2 - Fa0/0 1 3 - Listen 0007.0102 172. Fa0/0 1 2 - Listen 0007.12 local 172.23.


Chapter 9:
Securing The Switches

When some people think of network security, they immediately think of protecting their network from attacks originating on the outside of the network. We're not "some people", though, and we can't afford to think like that. Many successful network attacks are inside jobs, and originate from seemingly innocent sources like DHCP, ARP, CDP, Telnet, and even from other hosts on the same VLAN.

While it's certainly wise to protect the perimeter of our network, we have to be vigilant against attacks from the interior too. We've got important work to do, so let's get to it!

Port Security

A basic Cisco switch security feature that's often overlooked, port security uses the source MAC address of incoming frames as a password. A port enabled with port security will expect frames sourced from a particular MAC address or group of addresses ("secure MAC addresses"), and if frames with non-secure source MAC addresses come in on that port, the port takes action ranging from shutting down to "just" letting you and me know about it. Keep in mind that a source MAC address is a weak password, since a host can change its MAC at will; port security is a guard against unauthorized devices and MAC-flooding attacks on a port, not a way of authenticating who is plugged in.

In a nutshell, port security entails having the switch look at the source MAC address of an incoming frame and asking itself, "Do I trust the source of this frame?"

Port security is enabled with the switchport port-security command, and before we can consider any options…

MLS_1(config-if)#switchport port-security
Command rejected: FastEthernet0/1 is a dynamic port.

… we need to make the port a non-trunking port. Port security can't be configured on a port in dynamic mode, one that could still negotiate a trunk via DTP, so the mode has to be set explicitly. This switch has no trunks…

MLS_1#show int trunk
< crickets chirping >
MLS_1#

… but we still can't secure that port until it's an access port. Let's make that happen and put it into VLAN 11.

MLS_1(config)#int fast 0/11
MLS_1(config-if)#switchport mode access
MLS_1(config-if)#switchport access vlan 11
% Access VLAN does not exist. Creating vlan 11
MLS_1(config-if)#switchport port-security

We'll verify with show port-security and then view our switchport port-security options.

MLS_1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)        (Count)
---------------------------------------------------------------------------
     Fa0/11            1            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144

MLS_1(config-if)#switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>

Let's tackle each of these important options, starting with maximum, which defines the number of secure MAC addresses the port can learn. The default is one, and the maximum you'll see on your switch depends on your switch! I've seen ranges from 132 to the whopping 6144 allowed on this port. (I would not recommend allowing 6,144 secure MAC addresses on any port.)

MLS_1(config-if)#switchport port-security maximum ?
  <1-6144>  Maximum addresses

Use the aging options to define how long dynamically learned secure MAC addresses should be considered secure. You have the rarely used option of enabling aging for static entries.

MLS_1(config-if)#switchport port-security aging ?
  static  Enable aging for configured secure addresses
  time    Port-security aging time
  type    Port-security aging type

MLS_1(config-if)#switchport port-security aging type ?
  absolute    Absolute aging (default)
  inactivity  Aging based on inactivity time period

MLS_1(config-if)#switchport port-security aging time ?
  <1-1440>  Aging time in minutes. Enter a value between 1 and 1440

MLS_1(config-if)#switchport port-security aging static ?
  <cr>

We'll use the mac-address option to define secure MAC addresses for this port, as well as something called a "sticky address" (sounds gross, but it isn't).

MLS_1(config-if)#switchport port-security mac-address ?
  H.H.H   48 bit mac address
  sticky  Configure dynamic secure addresses as sticky

The violation option defines the action the port should take when a frame with a non-secure MAC address comes in.

MLS_1(config-if)#switchport port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode

The default port security mode is shutdown, which does just that – the port is placed into error-disabled state ("err-disabled"), and manual intervention is needed to reopen the port. That means you or I have to fix the problem and then do a shut / no shut on the port. (The global command errdisable recovery cause psecure-violation will reopen the port on its own after the recovery interval, but unless the offending device is gone, it simply trips the port again.) With shutdown mode, an SNMP trap message is also generated.

Protect mode simply drops the offending frames and no other action is taken. Nothing is logged and the violation counter doesn't move, so a port in protect mode can be under attack without anyone noticing.

Our middle-ground security mode is restrict. The non-secure frames are dropped, an SNMP trap notification and a syslog message are generated, the violation counter increments, and the port remains open.

Here's the network topology for the port-security labs. We're using the hosts primarily to send pings that will (or will not) trigger port security.

Let's see port security in action! I'll configure port security on port fast0/1 after shutting the interface, and then set the secure MAC address to aaaa-bbbb-cccc.

MLS_1(config)#int fast 0/1
MLS_1(config-if)#shut
MLS_1(config-if)#switchport port-security
MLS_1(config-if)#switchport port-security mac-address aaaa.bbbb.cccc

When a secure MAC address is allowed on a port, but none is defined, the next dynamically learned source MAC address is considered the secure address. That's why I shut the port before configuring port security – just in case traffic came in on that port before I could finish.

After reopening the port, I'll send some pings from R1 and then quickly head back over to the switch to see what happens.

R1#ping 172.16.23.222

Back on the switch:

%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0017.59e2.474a on port FastEthernet0/1.
01:46:31: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
01:46:32: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down

Looks like the data was NOT from a trusted source, as both show port-security and show int fast 0/1 verify the security violation.

MLS_1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)        (Count)
---------------------------------------------------------------------------
      Fa0/1            1            1                  1         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144

MLS_1#show int fast 0/1
FastEthernet0/1 is down, line protocol is down (err-disabled)

Time for the network admins to step in! First, we resolve the problem by removing the currently defined secure MAC address on Fast0/1.
Finally.222 ----------.bbbb. show port-security interface fast 0/1 verifies port security is enabled. the violation mode is at the default. Note carefully that you see the Security Action listed.474a - Back on the switch. MLS _ 1#show port-security address ? vlan Vlan limits MLS _ 1(config-if)#shut | MLS _ 1(config-if)#no shut <cr> 01:53:47: %LINEPROTO-5-UPDOWN: Line protocol on Interface Output modifiers FastEthernet0/1. Secure Mac Address Table Vlan Mac Address Type Ports ------------. secured and up. and that one current address is considered secure. 100 0017. the port.59e2. so we’ll verify that Total Addresses in System (excluding one mac per port) : 0 everything’s beautiful with three separate show port-security commands.cccc address configured earlier).bbbb. the port is but none has been taken as there are no Security Violations. We see there’s one secure address allowed on Fast0/1 (the default). R1#ping 172. and provides other handy info including the last source address of incoming frames and the VLAN it belonged to. starting with the Max Addresses limit in System (excluding one mac per port) : 6144 main one.16. along with the VLAN.115 S T U DY G U I D E C H R I S B R YA N T MLS _ 1(config)#int fast 0/1 marked as SecureDynamic since it is a secure address that was learned. SecureDynamic Fa0/1 Remaining Age (mins) -. -----. We’ll do a shut / no shut on the interface and verify with show int fast 0/1.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 . there’s no message about the port shutting down. and method used to learn the address. we’ll send some pings from R1 again and then head right back to the switch. 
MLS _ 1#show port-security Secure Port Fa0/1 MaxSecureAddr CurrentAddr SecurityViolation (Count) (Count) (Count) 1 1 0 Security Action Shutdown Total Addresses in System (excluding one mac per port) : 0 Max Addresses limit in System (excluding one mac per port) : 6144 show port-security address verifies the exact address that’s been learned and considered secure.cccc (rather than statically. This one’s 244 MLS _ 1#show port-security interface fast 0/1 Port Security : Enabled Port Status : Secure-up Violation Mode : Shutdown Aging Time : 0 mins Aging Type : Absolute SecureStatic Address Aging : Disabled Maximum MAC Addresses : 1 Total MAC Addresses : 1 245 . changed state to up MLS _ 1#show port-security address 01:53:49: %LINK-3-UPDOWN: Interface FastEthernet0/1. dynamically MLS _ 1(config-if)#no switchport port-security mac-address aaaa. as with the aaaa.23. well. changed state to up To test the new config.

aaaa. R2#ping 172.115 S T U DY G U I D E C H R I S B R YA N T Configured MAC Addresses : 0 Aging Type Sticky MAC Addresses : 0 SecureStatic Address Aging : Disabled Last Source Address:Vlan : 0017.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 . 100 0017. MLS _ 1#show port-security int fast 0/2 100 aaaa.aaaa SecureConfigured Fa0/2 - Port Status : Secure-up Violation Mode : Shutdown Total Addresses in System (excluding one mac per port) : 2 Aging Time : 0 mins Max Addresses limit in System (excluding one mac per port) : 6144 246 247 Age . Let’s find out on port Fast0/2.111 Secure Mac Address Table Vlan Mac Address Type Ports ------------. the next dynamically learned MAC addresses will be considered secure until the limit is hit.16.d4c2. and note that there are now a total of 3 secure addresses and 2 configured addresses. If you allow a certain number of secure MAC addresses and don’t statically configure all of them.59e2.aaaa MLS _ 1#show port-security address I’ll then send pings from R2 and head quickly back over to the switch. fast0/2.59e2. Let’s run show port-security interface -.23.aaaa.0990:100 Security Violation Count : 0 I just know someone out there is wondering what happens if you allow multiple secure MAC addresses on a port. the next two source MAC addresses for incoming frames on that port would be considered secure. -----. : Absolute The port is secure and up.bbbb. where I’ll allow 3 addresses to be considered secure while configuring 2 static secure addresses. Remaining (mins) No messages on the switch regarding a shutdown.474a SecureDynamic Fa0/1 - 100 001b. Let’s run show port-security address and show port-security.aaaa SecureConfigured Fa0/2 - Port Security : Enabled 100 aaaa.aaaa only two static ones.bbbb. MLS _ 1(config-if)#switchport port-security mac-address aaaa.d4c2.0990 SecureDynamic Fa0/2 - ----------. Last Source Address:Vlan : 001b. 
not that they’ll actually age out in 59 seconds.474a:100 Maximum MAC Addresses : 3 Security Violation Count : 0 Total MAC Addresses : 3 Configured MAC Addresses : 2 The aging time of “0 minutes” means that secure MAC addresses will never age out on this Sticky MAC Addresses : 0 port. and you statically configure a few without hitting the maximum. Had we allowed four secure addresses and configured MLS _ 1(config)#int fast 0/2 MLS _ 1(config-if)#switchport port-security MLS _ 1(config-if)#switchport port-security maximum 3 MLS _ 1(config-if)#switchport port-security mac-address aaaa.

MLS_1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
      Fa0/1            1            1                  0         Shutdown
      Fa0/2            3            3                  0         Shutdown
Total Addresses in System (excluding one mac per port)     : 2
Max Addresses limit in System (excluding one mac per port) : 6144

There are three entries for Fa0/2, two of them statically configured and the other dynamically learned. While we’re here, let’s enable aging and set it to 300 seconds (the default aging time for our “regular” MAC address table). We’ll accept the aging type default shown via IOS Help and then verify with show port-security address.

MLS_1(config)#int fast 0/2
MLS_1(config-if)#switchport port-security aging ?
  static  Enable aging for configured secure addresses
  time    Port-security aging time
  type    Port-security aging type
MLS_1(config-if)#switchport port-security aging time ?
  <1-1440>  Aging time in minutes. Enter a value between 1 and 1440
MLS_1(config-if)#switchport port-security aging time 300
MLS_1(config-if)#switchport port-security aging type ?
  absolute    Absolute aging (default)
  inactivity  Aging based on inactivity time period

MLS_1#show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
 100    0017.59e2.474a    SecureDynamic       Fa0/1        -
 100    aaaa.aaaa.aaaa    SecureConfigured    Fa0/2        -
 100    aaaa.bbbb.aaaa    SecureConfigured    Fa0/2        -
 100    001b.d4c2.0990    SecureDynamic       Fa0/2       299
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 2
Max Addresses limit in System (excluding one mac per port) : 6144

So, did I get that right? Nope. I got it wrong – and here’s why I’m always telling you to check the unit of measure when you change anything on a Cisco router or switch. The command to change the aging time of our entire MAC address table uses seconds…

MLS_1(config)#mac address-table aging-time ?
  <0-0>         Enter 0 to disable aging
  <10-1000000>  Aging time in seconds

… but the command to change the aging time of the secure MAC address table uses minutes.

MLS_1(config)#int fast 0/2
MLS_1(config-if)#switchport port-security aging time ?
  <1-1440>  Aging time in minutes. Enter a value between 1 and 1440
MLS_1(config-if)#switchport port-security aging time 5

MLS_1#show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
 100    0017.59e2.474a    SecureDynamic       Fa0/1        -
 100    aaaa.aaaa.aaaa    SecureConfigured    Fa0/2        -
 100    aaaa.bbbb.aaaa    SecureConfigured    Fa0/2        -
 100    001b.d4c2.0990    SecureDynamic       Fa0/2        4
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 2
Max Addresses limit in System (excluding one mac per port) : 6144

Always use IOS Help to check the unit of time (or of data) when changing anything!

(The dynamically learned address for R2 has now aged out.)

MLS_1#show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
 100    0017.59e2.474a    SecureDynamic       Fa0/1        -
 100    aaaa.aaaa.aaaa    SecureConfigured    Fa0/2        -
 100    aaaa.bbbb.aaaa    SecureConfigured    Fa0/2        -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 6144

Making Secure Addresses Sticky

Right now, Fa0/1 has one secure MAC address, for which the default of “no aging” has not been changed. That dynamically learned address will be lost if the port is reset or the switch is reloaded. I’ll do a shut / no shut on the port to illustrate, then send pings from R1 and check the secure address table.

MLS_1(config)#int fast 0/1
MLS_1(config-if)#shut
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan100, changed state to down
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down

MLS_1#show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
 100    aaaa.aaaa.aaaa    SecureConfigured    Fa0/2        -
 100    aaaa.bbbb.aaaa    SecureConfigured    Fa0/2        -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 6144

The same thing would happen if I rebooted the switch. To have dynamically learned addresses retained in case of a port reset or reboot, enable sticky address learning on the port. These addresses are written to the running config, so be sure to save the changes! I’ll do that here.

MLS_1(config-if)#no shut
00:28:20: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
00:28:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

MLS_1(config)#int fast 0/1
MLS_1(config-if)#switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address

  maximum      Max secure addresses
  violation    Security violation mode
  <cr>
MLS_1(config-if)#switchport port-security mac-address ?
  H.H.H   48 bit mac address
  sticky  Configure dynamic secure addresses as sticky
MLS_1(config-if)#switchport port-security mac-address sticky

R1#ping 172.16.23.222

Stickiness works!

MLS_1#show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
 100    0017.59e2.474a    SecureSticky        Fa0/1        -
 100    aaaa.aaaa.aaaa    SecureConfigured    Fa0/2        -
 100    aaaa.bbbb.aaaa    SecureConfigured    Fa0/2        -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 6144

The address is now shown in the secure MAC table as “SecureSticky”, along with the SecureConfigured addresses. I’ll shut the port and then take a look at this table again.

MLS_1(config)#int fast 0/1
MLS_1(config-if)#shut

MLS_1#show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
 100    0017.59e2.474a    SecureSticky        Fa0/1        -
 100    aaaa.aaaa.aaaa    SecureConfigured    Fa0/2        -
 100    aaaa.bbbb.aaaa    SecureConfigured    Fa0/2        -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 6144

The entry is still in the table! I did reload the switch at this point, and the address was still in the table after the reboot.

Automatic Recovery From Err-Disabled Status

We know via first-hand experience that by default, a port that goes into err-disabled state must be manually reset – after resolving the condition that put the port in that state to begin with, of course! To have err-disabled ports come out of that state dynamically after a certain period of time, use errdisable recovery.

First, define what conditions should be allowed to have ports use this feature with errdisable recovery cause. To have errdisable recovery apply to ports placed into err-disabled state for any reason, use the all option. Ports are shut down by port security due to a psecure-violation, so we’ll enable this feature only for ports put into err-disabled state in that fashion.

SW1(config)#errdisable recovery cause ?
  all                Enable timer to recover from all causes
  bpduguard          Enable timer to recover from BPDU Guard error disable state
  channel-misconfig  Enable timer to recover from channel misconfig disable state

  dhcp-rate-limit    Enable timer to recover from dhcp-rate-limit error disable state
  dtp-flap           Enable timer to recover from dtp-flap error disable state
  gbic-invalid       Enable timer to recover from invalid GBIC error disable state
  link-flap          Enable timer to recover from link-flap error disable state
  loopback           Enable timer to recover from loopback detected disable state
  pagp-flap          Enable timer to recover from pagp-flap error disable state
  psecure-violation  Enable timer to recover from psecure violation disable state
  security-violation Enable timer to recover from 802.1x violation disable state
  udld               Enable timer to recover from udld error disable state
  unicast-flood      Enable timer to recover from unicast flood disable state
  vmps               Enable timer to recover from vmps shutdown error disable state
SW1(config)#errdisable recovery cause psecure-violation

To change the interval from the default of 300 seconds, use errdisable recovery interval. I’ll set it to 30 seconds for our lab.

SW1(config)#erridsable recovery ?
% Unrecognized command
SW1(config)#erridsable recovery interval ?
% Unrecognized command
SW1(config)#errdisable recovery interval ?
  <30-86400>  timer-interval(sec)
SW1(config)#errdisable recovery interval 30

At this point, I removed any previous port security config from Fa0/2, and reconfigured the port with the single secure MAC address aaaa.aaaa.aaaa. I then configured Fa0/2 to consider the first source MAC address learned on that port to be the secure address. The first frames that came in from R2 shut the port down…

%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/2, putting Fa0/2 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001b.d4c2.0990 on port FastEthernet0/2.

… and 30 seconds later, the port begins to come out of err-disabled state!

%PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/2
%LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up

… and all is well. You have to fix the problem or the port will bounce in and out of err-disabled state!

Dot1x Port-Based Authentication

We can take port-level security (cliché alert!) to the next level with dot1x port-based authentication. The name refers to IEEE 802.1x, the standard upon which this feature is based. It’s a bit unusual in that the Cisco authentication server must be RADIUS-based; you can’t use TACACS or TACACS+.
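A port that keeps bouncing in and out of err-disabled state, as described above, is easy to spot in syslog once you look for it. This added Python example (my own code, not from the book) parses the %PORT_SECURITY-2-PSECURE_VIOLATION, %PM-4-ERR_DISABLE and %PM-4-ERR_RECOVER messages and flags ports that hit repeated violations inside a short window; the log excerpt is constructed from the message formats shown above, with made-up timestamps.

```python
import re
from collections import defaultdict

# Constructed syslog excerpt modelled on the messages shown above. The timestamps and the
# repeated violation on Fa0/2 are made up to show a port that errdisable recovery brings
# back every 30 seconds and that is immediately shut down again because R2 is still there.
SAMPLE_LOG = """\
00:31:10: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001b.d4c2.0990 on port FastEthernet0/2.
00:31:10: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/2, putting Fa0/2 in err-disable state
00:31:40: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/2
00:31:41: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to up
00:31:42: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001b.d4c2.0990 on port FastEthernet0/2.
00:31:42: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/2, putting Fa0/2 in err-disable state
00:32:12: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/2
00:32:14: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001b.d4c2.0990 on port FastEthernet0/2.
00:32:14: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/2, putting Fa0/2 in err-disable state
00:45:00: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/7, putting Fa0/7 in err-disable state
"""

# In all three patterns group 1 is the detail (offending MAC or err-disable cause)
# and group 2 is the port.
VIOLATION_RE = re.compile(r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address (\S+) on port (\S+)\.")
ERRDISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: (\S+) error detected on (\S+),")
RECOVER_RE = re.compile(r"%PM-4-ERR_RECOVER: Attempting to recover from (\S+) err-disable state on (\S+)")
PATTERNS = (("violation", VIOLATION_RE), ("errdisable", ERRDISABLE_RE), ("recover", RECOVER_RE))


def short_name(iface):
    """FastEthernet0/2 -> Fa0/2, so every message type names the port the same way."""
    for long, short in (("FastEthernet", "Fa"), ("GigabitEthernet", "Gi")):
        if iface.startswith(long):
            return short + iface[len(long):]
    return iface


def to_seconds(ts):
    """'hh:mm:ss' uptime stamp -> seconds, good enough for windowing within one day."""
    h, m, s = (int(x) for x in ts.split(":"))
    return h * 3600 + m * 60 + s


def parse_events(log_text):
    """Return a list of (seconds, kind, port, detail) for the messages we care about."""
    events = []
    for line in log_text.splitlines():
        ts, _, msg = line.partition(": ")
        for kind, rx in PATTERNS:
            m = rx.search(msg)
            if m:
                events.append((to_seconds(ts), kind, short_name(m.group(2)), m.group(1)))
                break
    return events


def errdisable_causes(events):
    """Most recent err-disable cause seen per port."""
    causes = {}
    for _, kind, port, detail in events:
        if kind == "errdisable":
            causes[port] = detail
    return causes


def bouncing_ports(events, min_violations=3, window_secs=300):
    """Ports with at least min_violations psecure-violations inside window_secs: recovery
    keeps re-enabling the port and the unfixed condition keeps shutting it down.
    Returns {port: {"violations": count, "macs": [offending MACs]}}."""
    times, macs = defaultdict(list), defaultdict(set)
    for secs, kind, port, detail in events:
        if kind == "violation":
            times[port].append(secs)
            macs[port].add(detail)
    flagged = {}
    for port, stamps in times.items():
        stamps.sort()
        for i in range(len(stamps) - min_violations + 1):
            if stamps[i + min_violations - 1] - stamps[i] <= window_secs:
                flagged[port] = {"violations": len(stamps), "macs": sorted(macs[port])}
                break
    return flagged


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("err-disable causes:", errdisable_causes(ev))
    print("bouncing ports:", bouncing_ports(ev))
```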

(The RADIUS version you’ll use is technically RADIUS with EAP extensions.) A typical dot1x port-based authentication deployment involves the dot1x-enabled PC (the supplicant), the dot1x-enabled switch (the authenticator), and a RADIUS server (the authentication server).

A major difference between this feature and port security is that both the host and switch port must be configured for 802.1x. That’s a major departure from the switch features we’ve studied to date, since few (if any) of those require us configuring anything on the host. Strange but true: If the switch is ready for dot1x authentication and the supplicant isn’t, communications between the two will fail. (That’s not the strange part.) If the supplicant is running dot1x but the switch isn’t, the PC will not concern itself with dot1x and will communicate with the switch as it normally would.

By default, the PC has a single physical port connected to the switch, but that physical port is logically divided into two ports by dot1x, the controlled and uncontrolled ports. Unlike typical subinterfaces, the network admins do not have to configure these logical ports. Dot1x handles that. We just need to configure the supplicant for dot1x!

The controlled port cannot transmit data until authentication actually takes place. Of course, once the user authenticates, all traffic can be received and sent via the port. The uncontrolled port can transmit without authentication, but on a limited basis, as only EAPOL (the Extensible Authentication Protocol over LANs), STP, and CDP can be transmitted at that time.

To get started with dot1x, we first have to enable AAA with aaa new-model. We’ll follow that by pointing the switch to our RADIUS server(s), and then enable dot1x to use those RADIUS servers for authentication.

MLS_1(config)#aaa new-model

The radius-server command literally has about 40 options. The only one we need to concern ourselves with right now is host, followed by the password for that server.

MLS_1(config)#radius-server host 172.16.23.55 key CCNP

MLS_1(config)#aaa authentication ?
  arap             Set authentication lists for arap.
  attempts         Set the maximum number of authentication att
  banner           Message to use when starting login/authentic
  dot1x            Set authentication lists for IEEE 802.1x.
  enable           Set authentication list for enable.
  eou              Set authentication lists for EAPoUDP
  fail-message     Message to use for failed login/authenticati
  login            Set authentication lists for logins.
  password-prompt  Text to use when prompting for a password
  ppp              Set authentication lists for ppp.
  sgbp             Set authentication lists for sgbp.
  suppress         Do not send access request for a specific ty
  username-prompt  Text to use when prompting for a username
MLS_1(config)#aaa authentication dot1x ?
  WORD     Named authentication list (max 31 characters, longer rejected).
  default  The default authentication list.
MLS_1(config)#aaa authentication dot1x default ?
  cache  Use Cached-group
  group  Use Server-group
  local  Use local username authentication.
MLS_1(config)#aaa authentication dot1x default group ?

  WORD    Server-group name
  ldap    Use list of all LDAP hosts.
  radius  Use list of all Radius hosts.
MLS_1(config)#aaa authentication dot1x default group radius ?

Finally, we get to enable dot1x port-based authentication!

MLS_1(config)#dot1x ?
  credentials          Configure 802.1X credentials profiles
  critical             Set 802.1x Critical Authentication parameters
  guest-vlan           Configure Guest Vlan and 802.1x
  logging              Set logging parameters
  supplicant           802.1X Supplicant behavior
  system-auth-control  Enable or Disable SysAuthControl
  test                 Configure dot1x test related parameters
MLS_1(config)#dot1x system-auth-control

And even more finally, we get to set the authentication type, including that of the client.

R1(config-if)#dot1x port-control ?
  auto                PortState will be set to AUTO
  force-authorized    PortState set to Authorized
  force-unauthorized  PortState will be set to UnAuthorized

That’s a lot of force! The first force-based option, force-authorized, tells the port to unconditionally authorize the host, using no authentication. That’s the default, and it’s a default you may well want to change. force-unauthorized tells the port to never authorize the host, which seems a tad harsh. auto may be the way to go, as it allows a host to authorize via an exchange of dot1x messages.

Now that we’ve covered port security and dot1x port-based authentication, a natural question arises: “Can you run port security and dot1x authentication on the same port?” Surprisingly, the answer is yes! From Cisco’s website: “When you enable port security and 802.1x on a port, 802.1x authenticates the port and port security manages the number of MAC addresses allowed on that port.”

SPAN

We’ve securely secured our ports, but one day, we’re likely to want to connect a network analyzer (“sniffer”) to one of those ports. To get the job done, the analyzer needs a copy of every frame the hosts are sending and/or receiving, and we’ll use SPAN to capture that traffic. SPAN allows the switch to mirror traffic from source port(s) to a destination port. By default, both traffic destined for and sourced from the source ports is mirrored to the destination port.

A common situation is illustrated here, where we want to analyze traffic sourced from the three PCs. In this example, we’re running local SPAN, since the source and destination ports are on the same switch (or same switch stack), and it’s the destination port to which our network analyzer will be connected.

The command monitor session starts a SPAN session, along with defining the source and destination ports. Multiple SPAN sessions are totally separate operations, and the number of simultaneous SPAN sessions you can run differs between switch platforms. Cisco 2950s allow only two, while the ones we’re on here allow just a few more.

Let’s set up a local SPAN session, using ports Fa0/3, 4, and 5 as the source ports and Fa0/10 as the destination, and then verify with show monitor. No need to run show vlan brief for VLAN info, since it doesn’t matter to SPAN whether the source ports are all in the same VLAN or not. Note that possible sources include: individual ports; entire VLANs (in which case you’re running VLAN-based SPAN, or VSPAN); and port-channels, representing an entire Etherchannel.

MLS_1(config)#monitor session ?
  <1-66>  SPAN session number
MLS_1(config)#monitor session 47 ?
  destination  SPAN destination interface or VLAN
  filter       SPAN filter VLAN
  source       SPAN source interface, VLAN
MLS_1(config)#monitor session 47 source ?
  interface  SPAN source interface
  remote     SPAN source Remote
  vlan       SPAN source VLAN
MLS_1(config)#monitor session 47 source interface ?
  FastEthernet     FastEthernet IEEE 802.3
  GigabitEthernet  GigabitEthernet IEEE 802.3z
  Port-channel     Ethernet Channel of interfaces
MLS_1(config)#monitor session 47 source interface fast0/3 - 5
MLS_1(config)#monitor session 47 destination ?
  interface  SPAN destination interface
  remote     SPAN destination Remote
MLS_1(config)#monitor session 47 destination interface fast 0/9

MLS_1#show monitor
Session 47
---------
Type               : Local Session
Source Ports       :
    Both           : Fa0/3-5
Destination Ports  : Fa0/9
    Encapsulation  : Native
          Ingress  : Disabled

Let me save you some seriously unnecessary troubleshooting time with this little tip! If you look at fast 0/9 right now, you’ll see something that might make ya cuss:

MLS_1#show int fast 0/9
FastEthernet0/9 is down, line protocol is down (monitoring)

No need to sweat, just read all the way to the end of that line and you’ll see (monitoring). That means you’re looking at a SPAN destination port, and this is the one time in which seeing that an interface is “down and down” is what you should see!

That’s all well and good, but what if SPAN isn’t all local? What if the traffic to be monitored is originating on one particular switch and the only vacant port available is on another switch?

RSPAN to the rescue! Configuring Remote SPAN on both switches will allow mirrored frames to be sent over the trunk via a separate VLAN that will carry only those mirrored frames. Here’s the setup for our RSPAN lab:

This isn’t a complex configuration, but we need to keep a few things in mind:

If there were intermediate switches between the two shown in the previous example, they would all need to be RSPAN-capable.

VTP treats the RSPAN VLAN like any other VLAN by propagating it throughout the VTP domain (if configured on a VTP server, natch!). Otherwise, that VLAN will have to be propagated manually on every switch along that path.

VTP pruning will prune the RSPAN VLAN under the same circumstances it would prune a normal VLAN.

MAC address learning is disabled for the RSPAN VLAN.

The source and destination ports must be defined on both the switch containing the source ports and the switch connected to the network analyzer, but the commands will NOT be the same, so don’t cut and paste ‘em!

Whew! After all that, the config is easy. We’ll create VLAN 30 and identify it as the RSPAN VLAN with remote-span. On MLS_1, we’ll set up the SPAN session by naming the source ports and configuring the RSPAN VLAN as the destination.

MLS_1(config)#vlan 30
MLS_1(config-vlan)#remote-span
MLS_1(config)#monitor session 1 source int fast 0/1 - 5
MLS_1(config)#monitor session 1 destination remote ?
  vlan  Remote SPAN destination RSPAN VLAN
MLS_1(config)#monitor session 1 destination remote vlan ?
  <2-1001>     Remote SPAN destination RSPAN VLAN number
  <1006-4094>  Remote SPAN destination extended RSPAN VLAN number
MLS_1(config)#monitor session 1 destination remote vlan 30 ?
  <cr>
MLS_1(config)#monitor session 1 destination remote vlan 30

On MLS_2, we’ll also define VLAN 30 as the RSPAN VLAN. The config on MLS_2 will name the source as the RSPAN VLAN and the destination as the port connected to the analyzer.

MLS_2(config)#vlan 30
MLS_2(config-vlan)#remote-span
MLS_2(config)#monitor session 1 source remote vlan 30
MLS_2(config)#monitor session 1 destination int fast0/10

The toughest part of working with SPAN can be remembering the ports that are eligible and not eligible to be source or destination ports. Here are some tips for a successful SPAN configuration:

By default, traffic both from the source port and destined for the source port is mirrored to the destination port. To change this, use the rx and tx options at the end of monitor session.

SW2(config)#monitor session 47 source interface fast 0/1 ?
  ,     Specify another range of interfaces
  -     Specify a range of interfaces
  both  Monitor received and transmitted traffic
  rx    Monitor received traffic only
  tx    Monitor transmitted traffic only
  <cr>

Ports from different VLANs can serve as source ports for the same SPAN session. VLAN membership doesn’t matter.

A source port can be monitored in multiple, simultaneous SPAN sessions.

A source port cannot also serve as a destination port, nor can a single port serve as the destination for multiple SPAN sessions.

A source port can be part of an Etherchannel, and you can use SPAN to monitor an entire EtherChannel by specifying that EC’s port-channel interface as the source. Be aware that if a port that’s in an EC is a source port, only the traffic going over that specific port will be mirrored. If you want all the traffic on an EC to be mirrored, you have to make the entire EC the source port.

A trunk port can be a source port, but be aware that every single bit of traffic on any of the VLANs that are part of that trunk will be mirrored to the destination port. Trunk ports can be configured as source and/or destination ports, and the default behavior will result in the monitoring of all active VLANs on the trunk.

Commonly referred to as VSPAN, an entire VLAN can be configured as a source port.

The speed of the port doesn’t affect a port’s ability to be a source port, nor a destination port, but it’s a good idea to have a destination port be equal or higher in speed than the source port(s).

Destination port notes: A destination port can participate in only one SPAN session. A destination port cannot be a source port. A destination SPAN port doesn’t participate in STP, CDP, VTP, DTP, PaGP, or LACP. While source ports can be part of an Etherchannel, a destination port cannot.

And just one more thing… remember the remote-span command we placed on both switches in our RSPAN config? If you have switches between the switch with source ports and the one with destination ports, you need that command on every intermediate switch.

Storm Control

In your CCNA studies, you learned of the danger of broadcast storms, where the number of broadcasts and multicasts flooded by the switch begin to overwhelm your switch, all the way to the point of non-operation. Whether accidentally or maliciously caused, these storms can also overwhelm your hosts with broadcasts and multicasts. Storm Control is specifically designed to proactively stop that flooding before our hosts are hit with a level of flooded traffic they just can’t handle. It’s enabled on a per-port basis:

SW1(config)#int fast 0/1
SW1(config-if)#storm-control ?
  action     Action to take for storm-control
  broadcast  Broadcast address storm control
  multicast  Multicast address storm control
  unicast    Unicast address storm control

For each traffic type listed, the option level will follow. (Makes sense, right?) We’ll use IOS Help to explore our options for broadcast storm control.

SW1(config-if)#storm-control broadcast ?
  level  Set storm suppression level on this interface
SW1(config-if)#storm-control broadcast level ?
  <0 - 100>  Enter Integer part of storm suppression level
  pps        Enter suppression level in packets per second
SW1(config-if)#storm-control broadcast level 45 ?
  <0 - 100>  Enter Integer part of lower suppression level
  <cr>
SW1(config-if)#storm-control broadcast level 45 35 ?
  <cr>
SW1(config-if)#storm-control broadcast level 45 35

I’m using bandwidth usage percentage in this command, which can also be configured using packets per second. It’s not right or wrong to choose one option over the other – just choose the one that fits your situation.

It might surprise you that we have the option for one or two levels! If you specify only the storm suppression level (the first value), Storm Control takes action when the traffic type goes above that level, and stops that action when the traffic type goes below that level. At times, you may want to set a different level at which Storm Control should cease action. The line storm-control broadcast level 45 35 means Storm Control will take action when broadcasts are taking up over 45% of available bandwidth and will stop that action when the level of broadcasts drops below 35% of that available bandwidth.

Now, about that action…

SW1(config-if)#storm-control action ?
  shutdown  Shutdown this interface if a storm occurs
  trap      Send SNMP trap if a storm occurs

What isn’t shown here is Storm Control’s default behavior of tossing the offending frames overboard. (That is, when the specified traffic type reaches that level, Storm Control acts and they’re dropped.) Choosing shutdown or trap adds the configured behavior to this default.

Verify your config with show storm-control, which will show you information on all ports on the switch, or show storm-control interface to see the info for just that interface!

SW1#show storm-control fast 0/1
Interface  Filter State  Trap State  Upper   Lower   Current  Traps Sent
---------  ------------  ----------  ------  ------  -------  ----------
Fa0/1      Forwarding    inactive    45.00%  35.00%  0.00%    0

VLAN ACLs

Let’s take a look at some Cisco switch security features that were developed specifically with VLANs in mind, starting with VLAN ACLs.
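To make the one-level versus two-level behaviour concrete, here is an added Python model of the storm-control level logic above (my own code, not from the book); it replays a constructed series of broadcast-utilisation readings through a port configured with level 45 35, with level 45 alone, and with the shutdown and trap actions, and reports the port state after each reading.

```python
class StormControl:
    """Model of 'storm-control <type> level <upper> [<lower>]' plus 'storm-control action'
    on one port, using percent-of-bandwidth levels as in the lab above (pps levels behave
    the same way). Dropping the offending frames is always the base behaviour; shutdown
    and trap are added on top of it. Constructed model, not the IOS implementation."""

    def __init__(self, upper, lower=None, action=None):
        if lower is None:          # one level: the same threshold starts and stops filtering
            lower = upper
        if not 0 <= lower <= upper <= 100:
            raise ValueError("need 0 <= lower <= upper <= 100")
        self.upper, self.lower, self.action = upper, lower, action
        self.filtering = False     # True while storm control is dropping the traffic type
        self.errdisabled = False
        self.traps_sent = 0

    def observe(self, percent):
        """Feed one interval's utilisation of the traffic type; return the port state."""
        if self.errdisabled:
            return "errdisabled"   # a shut-down port stays down until someone recovers it
        if not self.filtering and percent > self.upper:
            self.filtering = True  # rising above the upper level starts the action
            if self.action == "shutdown":
                self.errdisabled = True
                return "errdisabled"
            if self.action == "trap":
                self.traps_sent += 1
        elif self.filtering and percent < self.lower:
            self.filtering = False  # only dropping below the lower level stops it
        # readings between lower and upper leave the current state untouched (hysteresis)
        return "filtering" if self.filtering else "forwarding"


def run(samples, upper, lower=None, action=None):
    """Replay a sequence of utilisation samples and return the state after each one."""
    sc = StormControl(upper, lower, action)
    return [sc.observe(p) for p in samples]


def valid_levels(upper, lower=None):
    """True if the pair would be accepted (lower may not exceed upper)."""
    try:
        StormControl(upper, lower)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed readings: quiet, a storm, a slow decline, quiet again, another storm.
    samples = [10, 50, 40, 38, 30, 50]
    print("level 45 35      :", run(samples, 45, 35))
    print("level 45 only    :", run(samples, 45))
    print("action shutdown  :", run(samples, 45, 35, action="shutdown"))
```

With two levels the port keeps filtering through the 40% and 38% readings; with the single level 45 it stops filtering as soon as the reading is back under 45%.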

0. but the ACL statement We want to stop these three hosts from communicating with any host in the 10.1.115 S T U DY G U I D E C H R I S B R YA N T You’ll certainly be familiar with ACLs and a few of their seemingly endless uses at this point in your Cisco studies! The ACL we’ve come to know and love has some limitations though.1.0. An ACL can be used to filter inter-VLAN traffic. The ACL will be used as the match criterion within the VACL. While an ACL can filter traffic travelling between VLANs… MLS _ 1(config)#ip access-list extended BLOCK _ FIRST _ THREE MLS _ 1(config-ext-nacl)#permit ip ? … it can’t do anything about traffic from one host in a VLAN to another host in the same VLAN.3 ? Why not.1. and we mean any host – even among each other! Right now.1.1.B. the deny is coming! subnet. not a deny.1.0.0 0.0.1.1.D Destination wildcard bits MLS _ 1(config-ext-nacl)#permit ip 10. we’ll still need to write an ACL.3 10. 268 269 .D Source wildcard bits MLS _ 1(config-ext-nacl)#permit ip 10.0.0. each host can ping the We’ll write the VACL with vlan access-map.255 Even though a VACL will do the actual filtering.1.0 0. while allowing all other traffic.C.1.B.0.3 10. No worries. but it limits ACL capability.255 ? A. You’ll see what I mean in the follow- I’m sure you noticed that the three source addresses named in the ACL are the ones that ing lab! won’t be allowed to communicate with other hosts on that subnet. but not intra-VLAN traffic.C. A.B. A.D Source address any Any source host host A single source host MLS _ 1(config-ext-nacl)#permit ip 10.1. This packet filtering via the switch hardware speeds up the overall process. Filtering between hosts in the same VLAN requires the use of a VLAN Access List (VACL).0. with any traffic matching that ACL to be dropped other (results not shown). you ask? It relates to the application of ACLs on a multilayer switch.0 0.0.0 0. 
but it’s the TCAM table – the Ternary Content-Addressable Memory table – that cuts down on the number of lookups required to compare a packet against an ACL.0 0.0 /24 is a permit.0.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 .B.D Destination address any Any destination host host A single destination host MLS _ 1(config-ext-nacl)#permit ip 10.1.C.0 ? A.1.C. The CAM table holds the dynamically and statically learned MAC addresses.1.

MLS_1(config)#vlan access-map ?
  WORD  Vlan access map tag
MLS_1(config)#vlan access-map NO_123 ?
  <0-65535>  Sequence to insert to/delete from existing vlan access-map entry
  <cr>
MLS_1(config)#vlan access-map NO_123
MLS_1(config-access-map)#match ?
  ip   IP based match
  mac  MAC based match
MLS_1(config-access-map)#match ip ?
  address  Match IP address to access control.
MLS_1(config-access-map)#match ip address ?
  <1-199>      IP access list (standard or extended)
  <1300-2699>  IP expanded access list (standard or extended)
  WORD         Access-list name
MLS_1(config-access-map)#match ip address BLOCK_FIRST_THREE
MLS_1(config-access-map)#action ?
  drop     Drop packets
  forward  Forward packets
MLS_1(config-access-map)#action drop
MLS_1(config-access-map)#exit
MLS_1(config)#vlan access-map NO_123
MLS_1(config-access-map)#action forward

I didn’t enter a sequence number for those two VACL statements because I wanted to demo the default for you via show vlan access-map:

MLS_1#show vlan access-map
Vlan access-map “NO_123” 10
  Match clauses:
    ip address: BLOCK_FIRST_THREE
  Action: drop
Vlan access-map “NO_123” 20
  Match clauses:
  Action: Forward

The “10” and “20” shown are the default sequence numbers. If you follow my lead and don’t define them as you go, they’ll increment by 10. No match was configured for the second VACL statement, meaning the action of “forward” will be applied to any and all traffic that didn’t match previous statements.

Sequence numbers are fantastic for those situations where you later need to add an action. If you needed to add an action that involved dropping traffic, you’d need to give it a sequence number between 10 and 20. Adding it at the end wouldn’t do any good, since VACL sequence number 20 permits all traffic.

Hey, we need to apply this thing! Don’t try to apply a VACL to a specific interface; we have to apply it in global configuration mode. The VLAN to be filtered is specified at the end of the command with the vlan-list option. We can specify individual VLANs or go with the all option. Be careful to specify the VACL name in this command, not the ACL name.

MLS_1(config)#vlan filter ?
  WORD  VLAN map name
MLS_1(config)#vlan filter NO_123 ?
  vlan-list  VLANs to apply filter to
MLS_1(config)#vlan filter NO_123 vlan-list ?
  <1-4094>  VLAN id
  all       Add this filter to all VLANs
MLS_1(config)#vlan filter NO_123 vlan-list 10

Verify with show ip access-list and show vlan access-map, and then, as always, test!

MLS_1#show ip access-list
Extended IP access list BLOCK_FIRST_THREE
    10 permit ip 10.1.1.0 0.0.0.3 10.1.1.0 0.0.0.255
MLS_1#show vlan access-map
Vlan access-map “NO_123” 10
  Match clauses:
    ip address: BLOCK_FIRST_THREE
  Action: drop
Vlan access-map “NO_123” 20
  Match clauses:
  Action: Forward

MLS_1#show vacl
          ^
% Invalid input detected at ‘^’ marker.
MLS_1#show vlan access-list
                ^
% Invalid input detected at ‘^’ marker.

Hosts that could previously ping each other now cannot, thanks to our VACL!

HOST_1#ping 10.1.1.3
Success rate is 0 percent (0/5)
HOST_2#ping 10.1.1.3
Success rate is 0 percent (0/5)

Private VLANs

Want to put a host in such a secret place that you yourself may never be able to find it? Private VLANs aren’t quite that private, but if you want to hide a host from the rest of your network – even going as far as hiding a host from other hosts in the same subnet – private VLANs are the way to go.

This concept can throw you a bit at first, since a private VLAN is truly unlike any other VLAN concept. The terminology is unique as well, so hang in there and it’ll be second nature before you know it. We’ll take this concept one step at a time, starting with those three port types.

Private VLANs give us all of the following:

Two types of private VLANs, primary and secondary. In turn, we have two types of secondary VLANs, community and isolated.

Three port types – one type talks to everybody, one type talks to some, and one type talks to practically no one.
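Before moving on, here is an added Python model of the VACL lab above (my own code, not from the book): it implements IOS wildcard-mask matching, uses BLOCK_FIRST_THREE as the match clause of NO_123 exactly as configured, evaluates a few constructed source/destination pairs, and shows why a drop entry added after sequence 20 can never fire. The implicit-drop behaviour for a packet that matches no entry is my assumption about VACLs, not something the page states.

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


class ExtendedAcl:
    """Named extended IP ACL of 'permit|deny ip <src> <swc> <dst> <dwc>' entries (IP only)."""

    def __init__(self, name):
        self.name, self.entries = name, []

    def add(self, action, src, swc, dst, dwc):
        self.entries.append((action, src, swc, dst, dwc))
        return self

    def matches(self, src, dst):
        """As a VACL match clause: the first fitting ACE decides, and only a permit ACE
        counts as a match; a deny ACE or no ACE at all means 'not matched by this clause'."""
        for action, s, swc, d, dwc in self.entries:
            if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
                return action == "permit"
        return False


class VlanAccessMap:
    """vlan access-map NAME [seq] / match ip address ACL / action drop|forward."""

    def __init__(self, name):
        self.name, self.entries = name, {}

    def add(self, seq, action, acl=None):
        self.entries[seq] = (acl, action)
        return self

    def evaluate(self, src, dst):
        """Walk the entries in sequence order; an entry with no match clause fits everything."""
        for seq in sorted(self.entries):
            acl, action = self.entries[seq]
            if acl is None or acl.matches(src, dst):
                return action
        return "drop"   # assumption: no entry fits -> the switch drops the packet

    def unreachable(self):
        """Sequence numbers sitting after a catch-all entry: they can never be evaluated,
        which is the point made above about adding a drop 'at the end'."""
        catch_all_seen, out = False, []
        for seq in sorted(self.entries):
            if catch_all_seen:
                out.append(seq)
            elif self.entries[seq][0] is None:
                catch_all_seen = True
        return out


# The lab above: the three lowest hosts in 10.1.1.0/24 may not talk to anything in it.
BLOCK_FIRST_THREE = ExtendedAcl("BLOCK_FIRST_THREE").add(
    "permit", "10.1.1.0", "0.0.0.3", "10.1.1.0", "0.0.0.255")
NO_123 = VlanAccessMap("NO_123").add(10, "drop", BLOCK_FIRST_THREE).add(20, "forward")

if __name__ == "__main__":
    # Constructed test packets: blocked host to blocked host, blocked to unrelated host,
    # two unrelated hosts, and a blocked host talking outside the subnet.
    for s, d in (("10.1.1.1", "10.1.1.3"), ("10.1.1.2", "10.1.1.50"),
                 ("10.1.1.50", "10.1.1.60"), ("10.1.1.2", "10.2.2.2")):
        print(f"{s:>10} -> {d:<10} {NO_123.evaluate(s, d)}")
    late = VlanAccessMap("LATE").add(10, "drop", BLOCK_FIRST_THREE).add(20, "forward")
    late.add(30, "drop", BLOCK_FIRST_THREE)
    print("unreachable sequence numbers in LATE:", late.unreachable())
```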

Hosts that need to talk to everyone will be connected to promiscuous ports. This port type can communicate with any host connected to any of the other two port types. When you have a router or multilayer switch that serves as a default gateway, that device must be connected to a promiscuous port for the network to function correctly.

Hosts that just need to talk to some other devices are connected to community ports. These hosts can communicate with other community ports in the same private VLAN as well as any device connected to a promiscuous port.

Hosts that just don't want anything to do with anybody are connected to the aptly named isolated ports. Hosts connected to isolated ports can only communicate with hosts connected to promiscuous ports. Even if you have two isolated ports in the same private VLAN, those hosts can't intercommunicate.

Each of these concepts is illustrated here:

Host A has been placed into an isolated private VLAN, and will be able to communicate only with the router, which is connected to a promiscuous port. If we placed another host in the same isolated private VLAN that Host A is in now, those two hosts could not communicate with each other.

The other hosts are in a community private VLAN, so they can communicate with each other as well as the router. They cannot communicate with Host A.

Now let's have a brief, powerful look at the private VLAN types. The "parent" private VLAN is the primary private VLAN, and the "child" private VLAN is the secondary private VLAN. A primary private VLAN can be mapped to multiple secondary VLANs, but a secondary private VLAN can be mapped to only one primary.

About those secondary VLAN types…

Ports in a community private VLAN can communicate with other ports in the same community as well as promiscuous ports in the primary.

Ports in an isolated private VLAN can only communicate with promiscuous ports in the parent private VLAN. That's it!

In the following configuration, we'll map primary private VLANs to secondary private VLANs. In our config, we'll use the following VLANs and VLAN types:

VLAN 100 is a secondary private VLAN (community). Ports are Fa0/1 – 5.

VLAN 200 is a secondary private VLAN (isolated). Ports are Fa0/6 – 10.

VLAN 300 will be the primary private VLAN. Our router is off fast0/12.

Creating the first VLAN with VLAN config mode is no problem, but look what happens when we try to make it a community private VLAN – or for that matter, any kind of private VLAN!

MLS_1(config)#vlan 100
MLS_1(config-vlan)#private-vlan ?
  association  Configure association between private VLANs
  community    Configure the VLAN as a community private VLAN
  isolated     Configure the VLAN as an isolated private VLAN
  primary      Configure the VLAN as a primary private VLAN

MLS_1(config-vlan)#private-vlan community
%Private VLANs can only be configured when VTP is in transparent/off mode.

Private VLANs can only be configured when VTP is in transparent mode. (Yes, like it says right there.)

MLS_1(config)#vtp mode transparent
Setting device to VTP Transparent mode for VLANS.

Once we do that, configuring VLAN 100 as a community private VLAN and VLAN 200 as an isolated private VLAN is no problem.

MLS_1(config)#vlan 100
MLS_1(config-vlan)#private-vlan ?
  association  Configure association between private VLANs
  community    Configure the VLAN as a community private VLAN
  isolated     Configure the VLAN as an isolated private VLAN
  primary      Configure the VLAN as a primary private VLAN

MLS_1(config-vlan)#private-vlan community
MLS_1(config-vlan)#vlan 200
MLS_1(config-vlan)#private-vlan isolated

Now we'll configure VLAN 300 as the primary private VLAN, and then associate those two secondary private VLANs with this primary private VLAN. (This association is not the mapping I mentioned earlier.)

MLS_1(config)#vlan 300
MLS_1(config-vlan)#private-vlan primary
MLS_1(config-vlan)#private-vlan association ?
  WORD    VLAN IDs of the private VLANs to be configured
  add     Add a VLAN to private VLAN list
  remove  Remove a VLAN from private VLAN list

MLS_1(config-vlan)#private-vlan association 200,100

We've accomplished the following:

Configured VTP to run in transparent mode (very important!)

Created our secondary private VLANs, both isolated and community

Created our primary private VLAN

Created an association between the secondary and primary private VLANs

Just two more things to do – place the ports into the proper VLAN and get that mapping done!

The switch port leading to the router is Fa0/12, and that port must be made promiscuous.

MLS_1(config)#int fast 0/12
MLS_1(config-if)#switchport mode ?
  access        Set trunking mode to ACCESS unconditionally
  dot1q-tunnel  set trunking mode to TUNNEL unconditionally
  dynamic       Set trunking mode to dynamically negotiate access or trunk mode
  private-vlan  Set private-vlan mode
  trunk         Set trunking mode to TRUNK unconditionally

MLS_1(config-if)#switchport mode private-vlan ?
  host         Set the mode to private-vlan host
  promiscuous  Set the mode to private-vlan promiscuous

MLS_1(config-if)#switchport mode private-vlan promiscuous

We'll also need the primary VLAN mapping command on that interface:

MLS_1(config-if)#switchport private-vlan ?
  association       Set the private VLAN association
  host-association  Set the private VLAN host association
  mapping           Set the private VLAN promiscuous mapping

MLS_1(config-if)#switchport private-vlan mapping ?
  <1006-4094>  Primary extended range VLAN ID of the private VLAN promiscuous port mapping
  <2-1001>     Primary normal range VLAN ID of the private VLAN promiscuous port mapping

MLS_1(config-if)#switchport private-vlan mapping 300 ?
  WORD    Secondary VLAN IDs of the private VLAN promiscuous port mapping
  add     Add a VLAN to private VLAN list
  remove  Remove a VLAN from private VLAN list

MLS_1(config-if)#switchport private-vlan mapping 300 100,200 ?
  <cr>

MLS_1(config-if)#switchport private-vlan mapping 300 100,200

Ports Fa0/1 – 5 are in VLAN 100. We'll use our buddy interface range to configure that port range with the private-vlan host and private-vlan host-association commands.

MLS_1(config)#int range fast 0/1 - 5
MLS_1(config-if-range)#switchport mode private-vlan ?
  host         Set the mode to private-vlan host
  promiscuous  Set the mode to private-vlan promiscuous

MLS_1(config-if-range)#switchport mode private-vlan host
MLS_1(config-if-range)#switchport private-vlan ?
  association       Set the private VLAN association
  host-association  Set the private VLAN host association
  mapping           Set the private VLAN promiscuous mapping

MLS_1(config-if-range)#switchport private-vlan host-association ?
  <1006-4094>  Primary extended range VLAN ID of the private VLAN host port association
  <2-1001>     Primary normal range VLAN ID of the private VLAN host port association

MLS_1(config-if-range)#switchport private-vlan host-association 300 ?
  <1006-4094>  Secondary extended range VLAN ID of the private VLAN host port association
  <2-1001>     Secondary normal range VLAN ID of the private VLAN host port association

MLS_1(config-if-range)#switchport private-vlan host-association 300 100

We'll use interface range on Fa0/6 – 10 as well, using VLAN 200 instead of 100.

MLS_1(config)#int range fast 0/6 - 10
MLS_1(config-if-range)#switchport mode private-vlan host
MLS_1(config-if-range)#switchport private-vlan host-association 300 200

Verify your private VLAN config with the tricky-to-type show vlan private-vlan command, and on an interface level with show interface switchport.

2.10 DHCP And Multilayer Switches

I'm sure you're wondering why DHCP is smack in the middle of a CCNP SWITCH exam discussion of switch security features. There are two really good reasons for this:

1. DHCP is a topic on your CCNP SWITCH exam.

2. Securing DHCP is a vital part of our overall Cisco switch security strategy, and the better our knowledge of DHCP, the better our security will be.

Let's jump right in with a quick review of the overall DHCP process. First, the client broadcasts a DHCP Discover packet, and its purpose is to discover the network's DHCP servers.

The DHCP servers that receive that Discover packet respond with a broadcast in the form of a DHCP Offer packet. (Some books say it's a unicast, some say it's a broadcast. This can drive you a bit crazy at first, but technically, they're both right.) This includes an IP address the client can use, along with notification on how long the client can keep that address (the lease), the default gateway, and other info as desired and configured by you and me, the network admins.

The client will accept the first Offer received, ignoring the others. The client uses a broadcast DHCP Request message to indicate acceptance of the offer. The Request includes the IP address of the DHCP Server whose address offer is being accepted. When a DHCP Server sees a Request that does not include its own IP address, that server knows that its offer was not accepted.

The DHCP server whose offer is being accepted sends a DHCP Acknowledgement message back to the client, and that's it! (This ACK can be a unicast or a broadcast depending on the circumstances.)

Generally speaking, you'll have a traditional server for your DHCP server, but a Cisco router or multilayer switch can handle the role nicely! The syntax may seem a little odd at first, but like all things Cisco, take it one command at a time and you'll be fine.

We're going to do something a bit unusual in this section and have a Cisco router acquire an IP address via DHCP from a Cisco multilayer switch. Using a multilayer switch as a DHCP server requires that switch to have an IP address on any subnet that it's offering addresses from. No problem there, but we do need to exclude that particular address from the DHCP pool. Here's the setup:

Here, we're going to assign addresses from 10.0.0.0 /8 via DHCP, but we don't want to use the addresses 10.0.0.0 – 10.1.1.0, nor do we want to assign the IP address already assigned to the SVI, int VLAN 4. ip dhcp excluded-address gets the job done. The ip dhcp excluded-address command we use for that purpose is configured globally, not as part of the general DHCP configuration. We can specify a single address to be excluded, an entire range, or both.

MLS_1(config)#ip dhcp excluded-address ?
  A.B.C.D  Low IP address
  vrf      VRF name for excluded address range

MLS_1(config)#ip dhcp excluded-address 10.0.0.0 ?
  A.B.C.D  High IP address
  <cr>

MLS_1(config)#ip dhcp excluded-address 10.0.0.0 10.1.1.0 ?
  <cr>

MLS_1(config)#ip dhcp excluded-address 10.0.0.0 10.1.1.0
MLS_1(config)#ip dhcp excluded-address 10.1.1.1

I could have used one command with the range 10.0.0.0 – 10.1.1.1, but I want to illustrate that you can use this command to exclude a single address, an entire range, or both.

With those tasks completed, we're now ready to create the DHCP pool with ip dhcp pool.

MLS_1(config)#ip dhcp pool CCNP
MLS_1(dhcp-config)#

We'll use network to define the range of addresses to be assigned to DHCP clients. For the mask, we're given the rare option of entering the value in either prefix notation or the more familiar dotted decimal.

MLS_1(dhcp-config)#network 10.0.0.0 ?
  /nn or A.B.C.D  Network mask or prefix length
  <cr>

MLS_1(dhcp-config)#network 10.0.0.0 /8

Other options include specifying a domain name with domain-name, using dns-server to give the DNS server location to clients, and specifying the IP address of the default router with default-router. Both the default router and DNS servers can be referred to by either their hostname or IP address.

MLS_1(dhcp-config)#domain-name ?
  WORD  Domain name

MLS_1(dhcp-config)#domain-name bryantadvantage.com

MLS_1(dhcp-config)#dns-server ?
  Hostname or A.B.C.D  Server's name or IP address

MLS_1(dhcp-config)#dns-server 10.3.3.3

MLS_1(dhcp-config)#default-router ?
  Hostname or A.B.C.D  Router's name or IP address

MLS_1(dhcp-config)#default-router 10.1.1.1

Define the lease length with lease, or set it to never expire with infinite. Use IOS Help to check the units of time!

MLS_1(dhcp-config)#lease ?
  <0-365>   Days
  infinite  Infinite lease

MLS_1(dhcp-config)#lease 10 ?
  <0-23>  Hours
  <cr>

MLS_1(dhcp-config)#lease 10 10 ?
  <0-59>  Minutes
  <cr>

MLS_1(dhcp-config)#lease 10 10 10 ?
  <cr>

MLS_1(dhcp-config)#lease 10 10 10

A Cisco router acting as a DHCP server will check for IP address conflicts before assigning an address. The conflict check takes the form of two pings sent to that address, and those pings will time out in 500 milliseconds. If they time out, we're good and that address can be sent to the client. If we get pings back, well, we can't assign that address!

This is a value you won't adjust often, but if you want to change the number of pings sent and/or the timeout duration during the conflict check, use ip dhcp ping packets and ip dhcp

ping timeout. Note that these are globally configured commands. Setting the number of ping packets to zero disables the conflict check.

MLS_1(config)#ip dhcp ping ?
  packets  Specify number of ping packets
  timeout  Specify ping timeout

MLS_1(config)#ip dhcp ping packets ?
  <0-10>  Number of ping packets (0 disables ping)
  <cr>

MLS_1(config)#ip dhcp ping timeout ?
  <100-10000>  Ping timeout in milliseconds

Let's enable DHCP IP address acquisition on the router's Fast0/0 interface and then verify the addressing with show int fast 0/0 on the router and show ip dhcp binding on the multilayer switch.

HOST_2(config)#int fast 0/0
HOST_2(config-if)#ip address dhcp

HOST_2#show int fast 0/0
FastEthernet0/0 is up, line protocol is up
  Hardware is Gt96k FE, address is 001b.d4c2.0990 (bia 001b.d4c2.0990)
  Internet address is 10.1.1.2/8

MLS_1#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type
                Hardware address/
                User name
10.1.1.2        0063.6973.636f.2d30.    Mar 26 2015 01:16 AM    Automatic
                3031.622e.6434.6332.
                2e30.3939.302d.4661.
                302f.30

IP Helper Addresses

Routers accept broadcasts, and routers create broadcasts, but routers do not forward broadcasts by default. That can present an issue with DHCP messages when a router is between the requesting host and the DHCP server. After all, the first message in the entire process is a broadcast!

On occasion we just might need some help with our DHCP broadcast messages… some helper addresses, perhaps!

Using ip helper-address on a router or multilayer switch allows the device to translate certain broadcasts to a unicast, making forwarding possible. The command should be configured on the interface that will be receiving the broadcasts, not the interface closest to the destination.

The command syntax is exactly the same whether you're configuring this command on a multilayer switch SVI or a router's physical interface.

MLS_1(config)#int vlan 10
MLS_1(config-if)#ip address 10.5.5.1 255.255.255.0
MLS_1(config-if)#ip helper-address ?
  A.B.C.D  IP destination address
  global   Helper-address is global
  vrf      VRF name for helper-address (if different from interface VRF)

MLS_1(config-if)#ip helper-address 10.1.1.1 ?
  <cr>

MLS_1(config-if)#ip helper-address 10.1.1.1

R1(config)#int fast 0/0
R1(config-if)#ip helper-address ?
  A.B.C.D  IP destination address
  global   Helper-address is global
  vrf      VRF name for helper-address (if different from interface VRF)

A device running ip helper-address to help with DHCP server reachability is said to be a DHCP relay agent. That's accurate, but not entirely accurate, as nine common UDP service broadcasts are helped in this manner by this command. TIME, TACACS, DNS, BOOTP/DHCP Server, BOOTP/DHCP Client, TFTP, NetBIOS name service, NetBIOS datagram service, and IEN-116 name service all benefit from this command.

Got multiple DHCP servers your switch needs help reaching? No worries, just configure multiple ip helper-address statements and verify with show ip helper-address.

HOST_1#show ip helper-address
Interface         Helper-Address
FastEthernet0/0   10.5.5.5
FastEthernet0/0   10.5.5.6

The Dynamic Shall Become Static

On rare occasions, you may need to create a static IP address binding (also called a "manual" binding) in your network. That rare occasion is when you need DHCP to give a client the same address every single time. I'm saying "rare" in a hopeful voice, because configuring these suckers can be a real pain in the butt. (The voice of experience speaks!)

Before we start a manual binding, we need the client identifier of the client in question. Since that client already has an IP address from us, as our router does, we can get the client ID from the DHCP binding table. Here, we'll configure a manual binding for our router.

MLS_1#show ip dhcp binding
IP address      Client-ID/              Lease expiration        Type
                Hardware address/
                User name
10.1.1.2        0063.6973.636f.2d30.    Mar 26 2015 01:16 AM    Automatic
                3031.622e.6434.6332.
                2e30.3939.302d.4661.
                302f.30

Holy crap. That's a lot of ID, and even I don't want to start typing all those numbers! Luckily, we don't have to, as this is the ASCII string representing the client ID. To get the classic representation of that ID, use the client-id option with ip address dhcp. The Cisco identifier is going to look a lot like a MAC address. If the client uses Ethernet, the identifier is simply a "01" in front of the MAC.

HOST_2(config)#int fast 0/0
HOST_2(config-if)#ip address dhcp ?
  client-id  Specify client-id to use
  hostname   Specify value for hostname option
  <cr>

HOST_2(config-if)#ip address dhcp client-id ?
  FastEthernet  FastEthernet IEEE 802.3

HOST_2(config-if)#ip address dhcp client-id fastethernet 0/0 ?
  hostname  Specify value for hostname option
  <cr>

HOST_2(config-if)#ip address dhcp client-id fastethernet 0/0
HOST_2(config-if)#
%DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 10.1.1.3, mask 255.0.0.0, hostname HOST_2

Note that the next address in the pool is assigned as a result of this change. Verify on MLS_1 with show ip dhcp binding.

MLS_1#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type
                Hardware address/
                User name
10.1.1.3        0100.1bd4.c209.90       Mar 26 2015 05:54 AM    Automatic

Now there's a value we can work with! For a manual binding, start in DHCP pool mode. We're going to bind that client ID to the IP address 10.1.1.3, using the host command. Let's go into our previous DHCP pool and make that happen.

MLS_1(config)#ip dhcp pool CCNP
MLS_1(dhcp-config)#host 10.1.1.3
% This command may not be used with network, vrf or relay pools.

Hmmmm. Well, frankly, that doesn't leave a lot of ways to use it! How about client-identifier, the other required command for a DHCP manual binding?

MLS_1(dhcp-config)#client-identifier 0100.1bd4.c209.90
% This command may not be used with network, vrf or relay pools.

With this, perhaps you're starting to feel manual bindings are too much of a pain to bother with. I'm about to make you feel better about them by telling you something that a lot of books / study guides / PDFs / websites leave out – manual bindings have to be put into their own DHCP pool.

MLS_1(config)#ip dhcp pool STATIC_BINDINGS
MLS_1(dhcp-config)#host 10.1.1.3
MLS_1(dhcp-config)#client-identifier 0100.1bd4.c209.90
% A binding for this client already exists.

You also have to end any bindings that client currently has. I did so by closing the fast0/0 interface on R2, so the binding was then gone. I finished that config, reopened the interface on R2, and soon saw…

05:54:55: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 10.1.1.3, mask 255.0.0.0, hostname HOST_2

All riiiiiiiiiiight!

MLS_1#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type
                Hardware address/
                User name
10.1.1.3        0100.1bd4.c209.90       Infinite                Manual

Note that this binding is described as a manual binding and the lease is infinite, so that interface will receive the same IP address every time, and you're done! Now for just a bit of DHCP for IPv6, and then it's on to DHCP Snooping!

DHCP - IP Version 6 Style

IPv6 brings us autoconfiguration, both stateless and stateful. Stateful autoconfiguration is used when the host obtains an IPv6 address and other related information from a server. If that sounds like DHCP to you, well, it is – DHCPv6.

The key phrase in that description is "from a server". If the DHCPv6 server goes down, we're out of luck and up that well-known creek. With stateless autoconfiguration, there's no dependency on a server, and the entire process starts with the IPv6 host configuring its own link-local address.

Our 128-bit IPv6 address is created in this manner with stateless autoconfiguration:

The first 64 bits of this self-generated address will be 1111 1110 10 (FE80), followed by 54 zeroes.

The last 64 bits are the interface identifier, which consists of (in order) the first half of the interface's MAC address, then the hex string FFFe, then the second half of the MAC address. You'll usually see that hex string referred to as "FFFE". I personally like to write the "e" in lower case, since it's easy to read FFFE as FFFF.

Technically, the address is tentative at this point. It's been successfully calculated, but we need to make sure that no other host is using the same address. That's a remote possibility, but it never hurts to check, and that's where the Duplicate Address Detection (DAD) feature comes in.

DAD starts with a Neighbor Solicitation (NS) message asking if any other host on the link is using the same link-local address the NS-transmitting host just created for itself. If another host on the link is using that address, that host will respond with a Neighbor Advertisement (NA). When the host that sent the NS receives the NA, it will disable its link-local address. If no response to the NS is received, the local host is satisfied that it has a unique link-local address.

The local host will then send a Router Solicitation (RS) message with a destination of FF02::2, the "all-routers" multicast address. What's the host soliciting? It needs additional config information from a router in the form of a Router Advertisement (RA). Routers generally send these RAs periodically without an express request from a host, but even though the host would only have to wait 10 seconds or so for an RA, polling the router with an RS does speed up the overall process.

Information in the RA includes flags indicating whether the host should use DHCP for addressing information, and if DHCP is in use, the RA gives the location of the DHCP server. If DHCP is not in use, the router attaches the network prefix to the host's link-local address, which results in the host's full IPv6 address, complete with network prefix!

We can assign an IPv6 address to an SVI in almost the same way we've been assigning it an IPv4 address throughout the course. Just don't forget the "ipv6" in the command. I kid you not, one of the hardest things about learning IPv6 is getting used to entering "ipv6" over and over again in the commands.

ROUTER1(config)#int fast 0/0
ROUTER1(config-if)#ipv6 address ?
  WORD                General prefix name
  X:X:X:X::X          IPv6 link-local address
  X:X:X:X::X/<0-128>  IPv6 prefix

ROUTER1(config)#ipv6 dhcp ?
  database  Configure IPv6 DHCP database agents
  ping      Configure IPv6 DHCP pinging
  pool      Configure IPv6 DHCP pool
  server    Configure IPv6 DHCP server

ROUTER1(config)#ipv6 dhcp pool CCNP
ROUTER1(config-dhcpv6)#?
IPv6 DHCP configuration commands:
  address            IPv6 address allocation
  default            Set a command to its defaults
  dns-server         DNS servers
  domain-name        Domain name to complete unqualified host names
  exit               Exit from DHCPv6 configuration mode
  import             Import options
  information        Information refresh option
  link-address       Link-address to match
  nis                NIS server options
  nisp               NISP server options
  no                 Negate a command or set its defaults
  prefix-delegation  IPv6 prefix delegation
  sip                SIP server options
  sntp               SNTP server options
  vendor-specific    Configure Vendor-specific option

Many of the commands and concepts are carried straight over from IPv4. The options for host and client-identifier are missing, and for good reason. We don't have the option to create manual bindings in IPv6 DHCP.

There's also an option missing from our ipv6 dhcp list that we did have in IPv4: there's no ipv6 dhcp excluded-address command, and that's for the simple reason that you can't exclude addresses in IPv6 DHCP!

DHCP Snoooooooooop (ing)

It's hard to believe that something as innocent and commonplace as DHCP can be used against our network, but the trouble can start as early as the host sending out a DHCP Discovery packet. Once that happens, the host listens for replies in the form of DHCP Offers. The host isn't particularly discriminating about the offer it accepts. Actually, the host accepts the very first offer it sees come in!

Part of the Offer is the address the host should use as its default gateway. The host will receive the offer and set its default gateway accordingly. No problem here, since only one DHCP Server is on the network.

BUT – what if a DHCP server not under our administrative control, a DHCP rogue server, joins our network?

The host will use the info in the first Offer packet it receives, and if the host uses the Offer from the rogue DHCP server, the host will set its default gateway to the rogue server's IP address! The rogue server's accepted Offer could set the host's DNS server address to the rogue's IP address as well, which opens the host and the network up to all kinds of nasty attacks.

DHCP Snooping allows the switch to serve as a firewall between hosts and untrusted DHCP servers. Basically, the switch snoops on DHCP conversations between those devices

and makes decisions on which conversations are between trusted devices and which ones are not.

DHCP Snooping classifies switch interfaces as either trusted or untrusted. DHCP messages received on trusted interfaces will be allowed to pass through the switch, while DHCP messages received on untrusted interfaces will be dropped by the switch AND the interface will go into err-disabled state.

You're now asking yourself whether there's some automagical way for the switch to detect valid DHCP servers. Sorry, no. Trusted ports must be configured manually and explicitly by the network admin. By default, the switch considers all ports untrusted, so we better remember to trust some ports when running this feature. Otherwise, we'll have no dynamic IP addressing and a lot of err-disabled ports!

First step: Enable DHCP Snooping on the switch.

MLS_1(config)#ip dhcp snooping ?
  database     DHCP snooping database agent
  information  DHCP Snooping information
  verify       DHCP snooping verify
  vlan         DHCP Snooping vlan
  <cr>

MLS_1(config)#ip dhcp snooping

Next step: Identify the VLANs that will use DHCP Snooping.

MLS_1(config)#ip dhcp snooping vlan ?
  WORD  DHCP Snooping vlan first number or vlan range, example: 1,3-5,7,9-11

MLS_1(config)#ip dhcp snooping vlan 4

With our trusted DHCP server on port Fa0/10, we'll now trust that individual port:

MLS_1(config)#int fast 0/10
MLS_1(config-if)#ip dhcp snooping ?
  information  DHCP Snooping information
  limit        DHCP Snooping limit
  trust        DHCP Snooping trust config
  vlan         DHCP Snooping vlan

MLS_1(config-if)#ip dhcp snooping trust

When used with DHCP Snooping, the sinister-sounding Option 82 basically extends Snooping's trust boundary. When DHCP packets with Option 82 set come in on untrusted ports that have this option enabled, those packets are not dropped. Instead, the switch injects its own DHCP relay info into the Option-82 field (including its MAC address), and the packet is then forwarded to a DHCP Server. To enable this option, use ip dhcp snooping information option.

MLS_1(config)#ip dhcp snooping information ?
  option  DHCP Snooping information option

MLS_1(config)#ip dhcp snooping information option

When the reply to that DHCP message comes back, the switch validates the message by checking to see if its own Option 82 info was included in the reply. If so, that info is removed and the packet is forwarded. If not, the packet is dropped.

This validity check is enabled by default. If you want to turn it off for some reason, use no ip dhcp relay information check.

MLS_1(config)#no ip dhcp relay ?
  bootp        BOOTP specific configuration
  information  Relay agent information option
  prefer       Relay agent server selection approach

MLS_1(config)#no ip dhcp relay information ?
  check      Validate relay information in BOOTREPLY
  option     Insert relay information in BOOTREQUEST
  policy     Define reforwarding policy
  trust-all  Received DHCP packets may contain relay info option with zero giaddr

Verify your config with show ip dhcp snooping.

MLS_1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
4
DHCP snooping is operational on following VLANs:
4
Smartlog is configured on following VLANs:
none
Smartlog is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: 0017.9466.f780 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
FastEthernet0/10           yes        yes             unlimited

Note the "rate limit" for the untrusted port is "unlimited". Use ip dhcp snooping limit rate to set a limit for this value. IOS Help doesn't mention the measuring unit in this command, so it's a good idea to know it's packets per second. That refers to the number of DHCP packets the interface can accept in one second.

MLS_1(config)#int fast 0/9
MLS_1(config-if)#ip dhcp snooping ?
  information  DHCP Snooping information

  limit        DHCP Snooping limit
  trust        DHCP Snooping trust config
  vlan         DHCP Snooping vlan

MLS_1(config-if)#ip dhcp snooping limit ?
  rate  DHCP Snooping limit

MLS_1(config-if)#ip dhcp snooping limit rate ?
  <1-2048>  DHCP snooping rate limit

MLS_1(config-if)#ip dhcp snooping limit rate 1000 ?
  <cr>

Dynamic ARP Inspection

If you can't trust DHCP, who can you trust? Well, not ARP, because the Address Resolution Protocol can turn on us in a minute! A rogue device on our network can overhear part of the ARP conversation and make itself look like a legitimate part of the action. This happens through ARP Cache Poisoning, also known as ARP Spoofing.

Here, Host A is sending an ARP Request, requesting the host with the IP address 172.12.12.2 respond with its MAC address. Before responding, Host B makes an entry in its local ARP cache mapping the source IP address of the Request, 172.12.12.1, to the MAC address aaaa.aaaa.aaaa. The ARP Reply is then sent.

Once Host A receives the ARP Reply, both hosts have a MAC address – IP address mapping for the other. However, if a rogue host responds to the original ARP Request, we have a problem. Host A makes an entry in its ARP cache mapping 172.12.12.2 to cccc.cccc.cccc, the rogue host's MAC address. Meanwhile, the rogue host acquires Host B's true MAC address via ARP, and at that point, the rogue host can do the same for an ARP Request sent by Host B for Host A.

As a result of this man-in-the-middle attack, all communications between A and B are going through the rogue host, leading to these two negative results:

1.

Dynamic ARP Inspection (DAI) prevents this behavior by building a database of trusted IP – MAC address mappings. This database is the same one built by the DHCP Snooping process, and static ARP configurations can also be used by DAI. Once the IP – MAC address database is built, every single ARP Request and ARP Reply received on an untrusted interface is examined. If the ARP message has an approved MAC – IP address mapping, the message is forwarded appropriately. If no such mapping exists, the ARP message is dropped. DAI is performed as ARP messages are received, not transmitted.

With DAI using the DHCP Snooping Database to get the job done, it follows that DHCP Snooping must be enabled before DAI is configured. Verify with show ip dhcp snooping.

MLS_1#show ip dhcp snooping
Switch DHCP snooping is enabled

The next step in configuring DAI is to name the VLANs that will be using this feature.

MLS_1(config)#ip arp inspection ?
  filter      Specify ARP acl to be applied
  log-buffer  Log Buffer Configuration
  smartlog    Smartlog all the logged pkts
  validate    Validate addresses
  vlan        Enable/Disable ARP Inspection on vlans

MLS_1(config)#ip arp inspection vlan ?
  WORD  vlan range, example: 1,3-5,7,9-11

MLS_1(config)#ip arp inspection vlan 4

The validate option gives us the option to go beyond DAI’s default inspection.

MLS_1(config)#ip arp inspection validate ?
  dst-mac  Validate destination MAC address
  ip       Validate IP addresses
  src-mac  Validate source MAC address

Here’s what happens with these enabled: “src-mac” compares the source MAC address in the Ethernet header and the MAC address of the source of the ARP message. “dst-mac” compares the destination MAC in the Ethernet header and the MAC destination address of the ARP message. “ip” compares the ARP Request’s source IP against the destination IP of the ARP Reply.

Let’s use the ip option and verify with show ip arp inspection.

MLS_1#show ip arp inspection

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Enabled

Watch this one: DAI uses the concepts of trusted and untrusted ports, just as DHCP Snooping does, but DAI has some major differences in how messages are treated by these port types. On trusted interfaces, DAI allows the ARP message to pass without checking the database at all.
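An added example, not code from the book or from Cisco IOS, that models the DAI decisions described above: trusted ports bypass inspection, untrusted ports need a MAC/IP/VLAN binding, and the src-mac, dst-mac and ip validate options add their own checks. The binding table, port names and the rogue host’s addresses are constructed; the ip check drops 0.0.0.0, broadcast and multicast addresses, as Cisco’s DAI documentation describes.

```python
"""Dynamic ARP Inspection (DAI) decision logic, modelled on this section.
Added example, not code from the book or from Cisco IOS.

Constructed inputs: a binding table as DHCP Snooping would have learned it,
and ARP messages mimicking the Host A / Host B / rogue host exchange.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class ArpMessage:
    ingress: str      # switch port the message arrived on
    vlan: int
    eth_src: str      # Ethernet header source MAC
    eth_dst: str      # Ethernet header destination MAC
    opcode: int       # ARP_REQUEST or ARP_REPLY
    sender_mac: str   # ARP body sender hardware address
    sender_ip: str    # ARP body sender protocol address
    target_mac: str   # ARP body target hardware address
    target_ip: str    # ARP body target protocol address


def _invalid_ip(ip: str) -> bool:
    # Addresses that should never appear as an ARP sender or target.
    return ip in ("0.0.0.0", "255.255.255.255") or IPv4Address(ip).is_multicast


def inspect_arp(msg, bindings, trusted_ports, validate=frozenset()):
    """Return (verdict, reason) for one ARP message on a DAI-enabled VLAN.

    Trusted ports pass without a lookup.  Untrusted ports must match a
    MAC / IP / VLAN binding; the optional validate checks (src-mac, dst-mac,
    ip) mirror the "ip arp inspection validate" options.
    """
    if msg.ingress in trusted_ports:
        return "permit", "trusted interface, not inspected"
    known = {(b.mac.lower(), b.ip, b.vlan) for b in bindings}
    if (msg.sender_mac.lower(), msg.sender_ip, msg.vlan) not in known:
        return "drop", "no binding for sender MAC/IP (DHCP drop)"
    if "src-mac" in validate and msg.eth_src.lower() != msg.sender_mac.lower():
        return "drop", "src-mac validation failure"
    if ("dst-mac" in validate and msg.opcode == ARP_REPLY
            and msg.eth_dst.lower() != msg.target_mac.lower()):
        return "drop", "dst-mac validation failure"
    if "ip" in validate and (_invalid_ip(msg.sender_ip) or
                             (msg.opcode == ARP_REPLY and _invalid_ip(msg.target_ip))):
        return "drop", "ip validation failure"
    return "permit", "binding match"


# Constructed binding table for VLAN 4.  Host A's IP is not given in the
# text; 172.12.12.1 and the rogue's own lease 172.12.12.3 are made up here.
BINDINGS = [
    Binding("aaaa.aaaa.aaaa", "172.12.12.1", 4, "Fa0/1"),   # Host A
    Binding("cccc.cccc.cccc", "172.12.12.2", 4, "Fa0/2"),   # Host B
    Binding("bbbb.bbbb.bbbb", "172.12.12.3", 4, "Fa0/3"),   # rogue host's own lease
]
TRUSTED = {"Fa0/10"}   # uplink to another switch, as configured on the page

# Host B's genuine ARP Reply to Host A.
LEGIT_REPLY = ArpMessage("Fa0/2", 4, "cccc.cccc.cccc", "aaaa.aaaa.aaaa", ARP_REPLY,
                         "cccc.cccc.cccc", "172.12.12.2", "aaaa.aaaa.aaaa", "172.12.12.1")
# The rogue answers for Host B's IP with its own MAC (ARP cache poisoning).
POISON_REPLY = ArpMessage("Fa0/3", 4, "bbbb.bbbb.bbbb", "aaaa.aaaa.aaaa", ARP_REPLY,
                          "bbbb.bbbb.bbbb", "172.12.12.2", "aaaa.aaaa.aaaa", "172.12.12.1")
# ARP body copies Host B's binding but the Ethernet source is still the
# rogue's own MAC: only the src-mac validate option catches this one.
FORGED_BODY = ArpMessage("Fa0/3", 4, "bbbb.bbbb.bbbb", "aaaa.aaaa.aaaa", ARP_REPLY,
                         "cccc.cccc.cccc", "172.12.12.2", "aaaa.aaaa.aaaa", "172.12.12.1")
# An ARP Request arriving from the trusted uplink, with no local binding.
FROM_UPLINK = ArpMessage("Fa0/10", 4, "dddd.dddd.dddd", "ffff.ffff.ffff", ARP_REQUEST,
                         "dddd.dddd.dddd", "172.12.12.9", "0000.0000.0000", "172.12.12.1")


def scenario(validate=frozenset({"src-mac", "ip"})):
    """Verdict for each constructed message under the given validate options."""
    msgs = {"legit": LEGIT_REPLY, "poison": POISON_REPLY,
            "forged_body": FORGED_BODY, "uplink": FROM_UPLINK}
    return {name: inspect_arp(m, BINDINGS, TRUSTED, validate)[0] for name, m in msgs.items()}


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:12s} {verdict}")
```

Running scenario() with the default options drops both rogue messages; scenario(frozenset()) shows that plain DAI without the src-mac option would let the forged-body reply through.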

Now, about our ports! DAI considers all ports untrusted by default. To trust one (or remove trust from one that was trusted), use ip arp inspection.

MLS_1(config)#int fast 0/10
MLS_1(config-if)#ip arp inspection ?
  Limit  Configure Rate limit of incoming ARP packets
  Trust  Configure Trust state

MLS_1(config-if)#ip arp inspection trust ?
  <cr>

MLS_1(config-if)#ip arp inspection trust

Verify with show ip arp inspection interface. To see this DAI info for all interfaces, run that command; for just one, name the interface at the end of the command.

MLS_1#show ip arp inspection int fast 0/10

 Interface        Trust State     Rate (pps)    Burst Interval
 ---------------  -----------     ----------    --------------
 Fa0/10           Trusted         None          N/A

Should you run DAI in your network, you’ll likely run it on all of your switches. Cisco’s recommended trusted / untrusted port config is to have all ports connected to hosts run as untrusted and all ports connected to switches as trusted. Since DAI runs only on ingress ports, this scheme ensures that every ARP packet has to pass one checkpoint but no more than that, and it’s a good idea to avoid unnecessary inspection.

Further down in the show ip arp inspection output are the per-VLAN counters:

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    4     Enabled          Active

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
    4     Deny             Deny              Off

 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    4              0              0              0              0

 Vlan   DHCP Permits    ACL Permits  Probe Permits   Source MAC Failures
 ----   ------------    -----------  -------------   -------------------
    4              0              0              0                     0

 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
    4                   0                        0                       0

If you see those validation failures start to add up, you just might have a rogue device on your network.

IP Source Guard

Another “the name is the recipe” feature, IP Source Guard prevents a host on the network from using another host’s IP address. IP Source Guard works in tandem with DHCP Snooping and uses the same database to carry out this operation.

With this feature enabled, a host that comes online and is connected to an untrusted port can receive only DHCP-related traffic. Once that host successfully acquires an IP address via DHCP, the switch takes note of that IP address assignment. This IP address-to-switchport mapping is generally referred to as binding. The switch then creates a VLAN ACL (VACL) that will only allow traffic to be processed by a port if the previously noted source IP address is present on incoming traffic. If those addresses match, all is well; if not, the packets are dropped.

Should the host pretend to be another host on that subnet – that is, to spoof that other host’s IP address – the switch will simply drop that incoming traffic, since the source IP address of that incoming traffic will not match the database’s entry for that port. After all, this is IP Source Guard!

IP Source Guard works in tandem with DHCP Snooping and uses the same database to carry out this operation, so we need to have DHCP Snooping up and running before configuring IP Source Guard. Once DHCP Snooping is enabled and verified, use ip verify source to enable IP Source Guard at the interface level.

MLS_1(config)#int fast 0/3
MLS_1(config-if)#ip verify source ?
  port-security  port security
  smartlog       Smartlog denied packets
  <cr>

MLS_1(config-if)#ip verify source

The default value checked is the IP source address. There are two important options to go with that, port-security and smartlog. The port-security option enables an extra level of security, as the source MAC address of incoming packets on that port will be checked against the local switch’s MAC address table. Smartlog enables the switch to send dropped packets to a NetFlow collector. If you don’t need this feature, leave it alone. I’ll go with the default setting here and leave those options off, and be prepared to see “disabled” for “log” in the output of show ip verify source.

MLS_1#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address     Vlan  Log
---------  -----------  -----------  ---------------  --------------  ----  --------
Fa0/3      ip           active       deny-all                         1     disabled

If the device off fast 0/3 was getting its IP address via DHCP, we’d see a secure MAC address under IP-address, rather than deny-all. That router is using a static address instead, so we

have to create a manual binding for it with ip source binding in order to use IP Source Guard here. The command is long-winded, but not difficult. You can get the MAC address of this host from the local switch’s MAC address table or from the device itself.

MLS_1(config)#ip source binding ?
  H.H.H  binding MAC address

MLS_1(config)#ip source binding 001f.ca96.2754 ?
  vlan  binding VLAN

MLS_1(config)#ip source binding 001f.ca96.2754 vlan ?
  <1-4094>  binding VLAN number

MLS_1(config)#ip source binding 001f.ca96.2754 vlan 1 ?
  A.B.C.D  binding IP address

MLS_1(config)#ip source binding 001f.ca96.2754 vlan 1 10.1.1.3 ?
  Interface  binding interface

MLS_1(config)#ip source binding 001f.ca96.2754 vlan 1 10.1.1.3 int fast 0/3 ?
  <cr>

MLS_1(config)#ip source binding 001f.ca96.2754 vlan 1 10.1.1.3 int fast 0/3

MLS_1#show ip verify source
Interface  Filter-type  Filter-mode  IP-address       Mac-address     Vlan  Log
---------  -----------  -----------  ---------------  --------------  ----  --------
Fa0/3      ip           active       10.1.1.3                         1     disabled

In the output of show ip verify source, note that “log” is disabled – that’s Smartlog.

VLAN Hopping

How can something that sounds so much fun be so evil? VLAN Hopping techniques use dot1q tagging against us, and we love dot1q tagging! We get less overhead… we LOVE dot1q tagging and we’re not letting it go! And if we follow a few simple network security tips, we don’t have to! Let’s have a look at how VLAN Hopping attacks work.

One form of hopping is double tagging, where an intruder transmits frames that are tagged with two separate VLAN IDs. Some very specific circumstances have to exist for this attack to bear fruit:

The intruding device must be attached to an access port.
The VLAN used by that access port must be the native VLAN.
ISL wouldn’t work at all for this attack, so dot1q must be in use.

We’ll assume that VLAN 100 is the ultimate target. When that rogue host transmits a frame, the frame will have two tags – one indicating native VLAN membership, the other carrying the VLAN number of the VLAN to be attacked. The trunk receiving this double-tagged frame sees the tag for the native VLAN, and as usual that tag is removed and then sent across the trunk. Problem is, the tag for VLAN 100 is still there!

When the remote switch receives that frame, it sees the tag for VLAN 100 and forwards the frame to ports in that VLAN. The rogue has now successfully hopped from one VLAN to the other. Big deal, right? Right! It is a big deal! It seems innocent enough, but VLAN Hopping has been used for a huge variety of network attacks, ranging from Trojan horse virus propagation to stealing bank account numbers and passwords. Not good!

There’s a classic defense for this attack. Classic solution: Make your native VLAN a VLAN that no hosts are actually a member of. You may have a little more overhead as a result, but that stops double tagging in its tracks! You can also go the extra mile (or extra command) and prune that native VLAN from the trunk.

Switch spoofing is a VLAN Hopping variation that’s even worse than double tagging. Switch spoofing allows the rogue to pretend to be a member of all VLANs in our network. Some Cisco switch ports run in dynamic desirable mode by default, which means a port is sending out Dynamic Trunking Protocol frames in an aggressive effort to form a trunk. Problem is, the switch just knows it’s sending DTP frames – it has no idea who’s actually receiving them. The switch is basically hoping nothing bad happens as a result of sending these frames blindly, which leads to a trunk between our switch and someone else’s switch. (This is also a security vulnerability for Cisco switches whose default port trunking mode is Auto, meaning the port will trunk but isn’t actively looking to do so.)

“Hope is a good thing, maybe the best of things, and no good thing ever dies.” – Andy Dufresne, The Shawshank Redemption

“Remember Red, hope is a good thing, but a lousy network security strategy.” – Chris Bryant, The Book You’re Reading

Many well-meaning network admins will put this kind of port into Auto mode. This solution leads to another problem, because a rogue host connected to a port in Auto mode can pretend it’s a switch and send DTP frames of its own. Every port on your switch that doesn’t lead to another switch known to be under your administrative control should be placed into access mode. Doing so disables the port’s ability to create a trunk and the rogue host’s ability to switch spoof!

These simple network security tips – using an empty VLAN as the native VLAN, disabling dynamic and auto trunking modes – will score points for you in the exam room and save you serious troubles in your server room!

The Cisco Discovery Protocol

Many companies have clear, concise network maps that show every physical connection in their network, and these maps are regularly updated as their network changes. Some networks do not.

A big part of network troubleshooting is quietly verifying what a client has told you. Just because someone is looking over your shoulder and saying “That switch is connected to the other one at fast0/12!”, they’re not necessarily correct. We can use the Cisco Discovery Protocol (CDP) to see what Cisco devices are directly connected to the Cisco device we’re currently working on.

This Layer 2 protocol runs globally and on a per-interface level by default on Cisco routers and switches, and is Cisco-proprietary. It’s on by default but often disabled in production networks. When you have interface-level and globally-configured commands enabling and disabling the same protocol, you just know that’s going to show up on your exam in some fashion. Before we get to those commands, let’s run show cdp to see if CDP is enabled in the first place. If you get global info, it’s on, and if you don’t, it’s not!

MLS_1#show cdp
% CDP is not enabled

To enable CDP globally, use cdp run (and no cdp run to turn it off globally).

MLS_1(config)#cdp ?
  advertise-v2  CDP sends version-2 advertisements
  holdtime      Specify the holdtime (in sec) to be sent in packets
  run           Enable CDP
  timer         Specify the rate at which CDP packets are sent (in sec)
  tlv           Enable exchange of specific tlv information

MLS_1(config)#cdp run
MLS_1(config)#^Z
MLS_1#show
*Mar  1 00:18:54.542: %SYS-5-CONFIG_I: Configured from console by console
MLS_1#show cdp
Global CDP information:
        Sending CDP packets every 60 seconds
        Sending a holdtime value of 180 seconds
        Sending CDPv2 advertisements is enabled

CDP sends its announcements every 60 seconds to the destination MAC address 01:00:0c:cc:cc:cc, and the holdtime is 180 seconds. To change either of those, use cdp timer and/or cdp holdtime.

MLS_1(config)#cdp timer ?
  <5-254>  Rate at which CDP packets are sent (in sec)

MLS_1(config)#cdp holdtime ?
  <10-255>  Length of time (in sec) that receiver must keep this packet

For that all-important info on directly connected Cisco devices, run show cdp neighbor.

MLS_1#show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
HOST_3           Fas 0/3            122         R S I      2801      Fas 0/0
HOST_1           Fas 0/1            176         R S I      2801      Fas 0/0

From left to right, we see…

Device ID, the remote device’s hostname.

Local interface, the local switch’s interface that is directly connected to the remote host.

Holdtime, the number of seconds the local device will retain the contents of the last CDP advertisement received from that remote host.

Capability, the type of device the remote device is! In this case, we have two devices that can run as both routers and switches, so it’s a good guess that those are L3 switches!

Platform, the remote device’s hardware platform. Both connections here are to Cisco 2801 switches.

Port ID, the remote device’s interface involved in the direct connection.

For more details on those neighbors, run show cdp neighbor detail. This command gives you both the IP address and IOS version run by each neighbor.

MLS_1#show cdp neighbor detail
Device ID: HOST_3
Entry address(es):
  IP address: 10.1.1.3
Platform: Cisco 2801,  Capabilities: Router Switch IGMP
Interface: FastEthernet0/3,  Port ID (outgoing port): FastEthernet0/0
Holdtime : 125 sec

Version :
Cisco IOS Software, 2801 Software (C2801-ADVENTERPRISEK9_IVS-M), Version 15.1(2)T2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Sat 23-Oct-10 00:43 by prod_rel_team

advertisement version: 2
VTP Management Domain: ''
Duplex: full
Management address(es):

You may want to leave CDP on globally but disable / reenable it on a particular interface. At the interface level, use the commands no cdp enable and cdp enable to get the job done.

MLS_1(config-if)#cdp ?
  enable  Enable CDP on interface
  tlv     Enable exchange of specific tlv information

MLS_1(config-if)#cdp enable ?
  <cr>

MLS_1(config-if)#no cdp ?
  enable  Enable CDP on interface
  tlv     Enable exchange of specific tlv information

We’ll disable CDP on the interface leading directly to Host 1.

MLS_1(config)#int fast 0/1
MLS_1(config-if)#no cdp enable

About 3 minutes after disabling CDP on that interface, Host_1 disappears from the CDP table.

MLS_1#show cdp neighbor
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
HOST_3           Fas 0/3            148         R S I      2801      Fas 0/0

Real-world courtesy tip: If your client has CDP turned off, and you turn it on for troubleshooting, turn it back off before you leave, just as you would turn off debugs before leaving.

CDP gives you a lot of great info, so why do many networks disable it? CDP offers no authentication, nor does it use any kind of encryption – all CDP info is sent in clear text. You can see by the info in the show cdp neighbor detail output that we don’t want this information accessible to everyone.

The issue with disabling CDP is that many network management tools use info gathered by CDP. To minimize the risk of running CDP, determine where it really needs to be running, and use the interface-level commands to disable it where you can do without it.

I’m sure you noticed that the CDP commands referred to a “version 2”, which brings up the musical question, “What happened to CDP version 1?” v1 is still available; it’s being kept around for backward compatibility. CDP v2 has greatly enhanced error-reporting capabilities (Cisco’s terms for this include “rapid reporting mechanism” or “enhanced reporting mechanism”), and can report mismatched native VLANs. CDPv2 recognizes the native VLAN concept, where v1 doesn’t.

In case you run into networks that (shudder) run non-Cisco devices, the Link Layer Discovery Protocol may come in handy. LLDP is the vendor-independent equivalent of CDP and is defined by IEEE 802.1ab. LLDP is also known as the Station and Media Access Control Connectivity Discovery. For obvious reasons, we prefer “LLDP”.

You likely noted the term “tlv” in some of the CDP command options. “tlv” refers to Type-Length-Value, a series of informational messages sent by an LLDP-enabled device. (TLVs are not exclusive to LLDP though.)

There’s a very helpful extension, LLDP for Media Endpoint Devices (LLDP-MED), which comes into play when VoIP is in use. According to Cisco’s website, “LLDP-MED is specified to operate only between endpoint devices such as IP phones and network connectivity devices such as switches.” CDP does carry info that LLDP-MED doesn’t, including the following:

MTU size
VLAN Trunking Protocol information
IP network prefix support (for ODR, On-Demand Routing)

I’ve included a link to a Cisco PDF with a great deal of helpful info comparing LLDP-MED and CDP. While not required reading for the CCNP exams, I do recommend it for greater understanding of LLDP-MED in particular.

http://www.cisco.com/en/US/technologies/tk652/tk701/technologies_white_paper0900aecd804cd46d.html

Telnet vs. SSH

Telnet’s a great way to communicate with remote routers and switches, but there’s just one problem – all of the data sent to the remote host, including passwords, is transmitted in clear text. We really hate that, and like the non-encrypted-by-default enable password, any would-be network intruder who intercepts that transmission can easily enter our network and cause all kinds of trouble.

Secure Shell (SSH) is basically encrypted Telnet, since the basic operation of SSH is similar to that of Telnet, but all data (and the password!) is encrypted. SSH requires a little more config than Telnet, which is no problem, but it may also require a stronger IOS image and/or hardware that you don’t have in your network.

Telnet allows the configuration of a one-size-fits-all password on the VTY lines (“password CCNP”), but SSH does not. For SSH authentication, you’ll need to configure a local database on the router or use AAA. A local user database is created with the username /password command. Each individual user is assigned a password of their own, and the username/password combination must match a database entry for authentication to be successful.

MLS_1(config)#username tarrant password tarantula
MLS_1(config)#username signal password gasoline
MLS_1(config)#username homer password beeeeeeer

SSH configuration also requires a domain name to be specified with ip domain-name and crypto key creation with crypto key generate rsa.

MLS_1(config)#crypto key generate rsa
The name for the keys will be: MLS_1.bryantadvantage.com
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)

To limit authentication to SSH and disallow Telnet authentication, run transport input ssh on the VTY lines.

MLS_1(config)#line vty 0 4
MLS_1(config-line)#transport input ?
  all     All protocols
  none    No protocols
  ssh     TCP/IP SSH protocol
  telnet  TCP/IP Telnet protocol

MLS_1(config-line)#transport input ssh
MLS_1(config-line)#login local

Be careful with your switch VTY line configs, though, as the one I just wrote limited those five VTY lines to SSH connections. Problem is, Cisco switches have 16 lines:

line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login

Whoops! Easily fixed. After entering VTY line config mode with line vty 0 15, running transport input ssh and login local again applies that command to all lines.

MLS_1(config)#line vty 0 15
MLS_1(config-line)#transport input ssh
MLS_1(config-line)#login local

line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh

Telnet and SSH do share an important option, and that’s the use of ACLs to determine who should be able to connect. Create the ACL defining the source IP addresses of trusted users – or as I’ve done here, block untrusted addresses and allow everyone else in – and apply the ACL to the VTY lines with access-class.

MLS_1(config)#ip access-list standard STOPTHATGUY
MLS_1(config-std-nacl)#deny host 3.3.3.3

MLS_1(config-std-nacl)#permit any
MLS_1(config-std-nacl)#line vty 0 15
MLS_1(config-line)#access-class STOPTHATGUY ?
  in   Filter incoming connections
  out  Filter outgoing connections

MLS_1(config-line)#access-class STOPTHATGUY in

Let’s take a deep breath and move from security to monitoring!

Chapter 10: MONITORING THE SWITCHES

Syslog delivers messages regarding network events, along with a timestamp that helps you determine when the event occurred. These messages can be quite helpful in figuring out what the heck just happened in your network – you just have to remain calm and read the message carefully. I say that because some network admins panic more than a little when these messages show up, and in that panic they miss the message that’s right in front of them.

Logging is straightforward, but the logging command itself can be a little tricky. Let’s take a look at the logging options.

MLS_1(config)#logging ?
  Hostname or A.B.C.D  IP address of the logging host

That one’s simple enough! We just need to follow logging with the hostname or IP address of that host. The trap option is a bit more complex:

MLS_1(config)#logging trap ?
  <0-7>          Logging severity level
  alerts         Immediate action needed           (severity=1)

  critical       Critical conditions               (severity=2)
  debugging      Debugging messages                (severity=7)
  emergencies    System is unusable                (severity=0)
  errors         Error conditions                  (severity=3)
  informational  Informational messages            (severity=6)
  notifications  Normal but significant conditions (severity=5)
  warnings       Warning conditions                (severity=4)
  <cr>

When you select a trap level, all messages of the numeric severity you choose and all those with a lower numeric value are sent to the logging server specified with hostname. Therefore, to send all log messages to the server, you need only specify level 7. You can use the name of the level or the numeric value – just set it high enough so you get all the messages you need sent to that server.

The switch console is set to display all syslog messages by default, and I’ve kept it there throughout the course. To change this value, use logging console.

Deciphering syslog messages takes a little practice, so let’s get that practice with the latest syslog message on my L3 switch.

*Mar  1 02:50:32.465: %SYS-5-CONFIG_I: Configured from console by console

The “5” bolded above indicates the severity level, followed by the mnemonic for this message and the message text itself. You can change the beginning of syslog messages to the timestamp format of your choice with service timestamps log.

MLS_1(config)#service timestamps ?
  debug  Timestamp debug messages
  log    Timestamp log messages
  <cr>

MLS_1(config)#service timestamps log ?
  datetime  Timestamp with date and time
  uptime    Timestamp with system uptime
  <cr>

MLS_1(config)#service timestamps log datetime ?
  localtime      Use local time zone for timestamps
  msec           Include milliseconds in timestamp
  show-timezone  Add time zone information to timestamp
  year           Include year in timestamp
  <cr>

I personally find the milliseconds to be annoying, so let’s keep the datetime format but leave the msec option off.

MLS_1(config)#service timestamps log datetime

As a result, the next syslog message gives the date and time without the msecs.

*Mar  1 02:52:28: %SYS-5-CONFIG_I: Configured from console by console

If you prefer to have the device uptime reflected in syslog messages, just choose that option!

MLS_1(config)#service timestamps log uptime ?
  <cr>

MLS_1(config)#service timestamps log uptime

The next syslog message indicates this device has been up for 2 hours, 54 minutes, and 56 seconds.

02:54:56: %SYS-5-CONFIG_I: Configured from console by console
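As an added example (not code from the book), the following Python parses IOS syslog lines in the formats shown in this chapter, splits out the facility, severity and mnemonic, and applies the trap-level rule: a message is forwarded when its severity number is at or below the configured level. The sample lines are constructed from this chapter’s output.

```python
"""Parse Cisco IOS syslog messages of the kinds shown in this chapter and
apply the "logging trap" severity rule.  Added example, not from the book.

Handles the datetime style (*Mar  1 02:50:32.465:), the datetime style
without msec, and the uptime style (02:54:56:) timestamps.
"""
import re

SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
LEVEL_BY_NAME = {name: level for level, name in SEVERITY_NAMES.items()}

# <timestamp>: %FACILITY-SEVERITY-MNEMONIC: message text
_MSG = re.compile(
    r"^(?P<ts>[^%]*?):\s*%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-"
    r"(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)


def parse_syslog(line):
    """Split one IOS log line into its parts, or return None if it is not one."""
    m = _MSG.match(line.strip())
    if not m:
        return None
    return {
        "timestamp": m.group("ts").strip(),
        "facility": m.group("facility"),
        "severity": int(m.group("severity")),
        "mnemonic": m.group("mnemonic"),
        "text": m.group("text"),
    }


def trap_level(level):
    """Accept a number 0-7 or a level name, as 'logging trap' does."""
    if isinstance(level, int):
        if not 0 <= level <= 7:
            raise ValueError("severity level must be 0-7")
        return level
    return LEVEL_BY_NAME[level.lower()]


def forward_to_server(lines, level):
    """Return the messages a 'logging trap <level>' switch would send.

    Messages at the chosen severity and every numerically lower (more
    serious) severity are forwarded; higher numbers are not.
    """
    limit = trap_level(level)
    kept = []
    for line in lines:
        msg = parse_syslog(line)
        if msg is not None and msg["severity"] <= limit:
            kept.append(msg)
    return kept


def severity_histogram(lines):
    """Count messages per severity name, handy when a log fills up fast."""
    counts = {}
    for line in lines:
        msg = parse_syslog(line)
        if msg is not None:
            name = SEVERITY_NAMES[msg["severity"]]
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample, built from messages shown in this chapter.
SAMPLE_LOG = [
    "*Mar  1 02:50:32.465: %SYS-5-CONFIG_I: Configured from console by console",
    "03:12:31: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up",
    "03:12:32: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up",
    "*Mar  1 00:00:32.146: %DC-6-DEFAULT_INIT_INFO: Default Profiles DB not loaded",
    "this line is not a syslog message and is skipped",
]


if __name__ == "__main__":
    # logging trap warnings (4): only the LINK-3 message reaches the server
    for msg in forward_to_server(SAMPLE_LOG, "warnings"):
        print(msg["facility"], msg["severity"], msg["mnemonic"], msg["text"])
    print(severity_histogram(SAMPLE_LOG))
```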

MLS_1(config)#logging console ?
  <0-7>          Logging severity level
  alerts         Immediate action needed           (severity=1)
  critical       Critical conditions               (severity=2)
  debugging      Debugging messages                (severity=7)
  emergencies    System is unusable                (severity=0)
  errors         Error conditions                  (severity=3)
  informational  Informational messages            (severity=6)
  notifications  Normal but significant conditions (severity=5)
  warnings       Warning conditions                (severity=4)

To send log messages to the local device’s internal buffer, run logging buffered followed by the severity level. Before we move to another topic, let me show you a nifty little trick: to change the internal buffer from its default of 4096 bytes, run this same command followed by the number of bytes desired.

MLS_1(config)#logging buffered ?
  <0-7>              Logging severity level
  <4096-2147483647>  Logging buffer size
  alerts             Immediate action needed           (severity=1)
  critical           Critical conditions               (severity=2)
  debugging          Debugging messages                (severity=7)
  discriminator      Establish MD-Buffer association
  emergencies        System is unusable                (severity=0)
  errors             Error conditions                  (severity=3)
  filtered           Enable filtered logging
  informational      Informational messages            (severity=6)
  notifications      Normal but significant conditions (severity=5)
  warnings           Warning conditions                (severity=4)

To view the log along with log settings, run show logging.

MLS_1#show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

    Console logging: level debugging, 36 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 36 messages logged, xml disabled,
                     filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    File logging: disabled
    Persistent logging: disabled

No active filter modules.

    Trap logging: level informational, 39 message lines logged

Log Buffer (4096 bytes):

*Mar  1 00:00:32.146: %DC-6-DEFAULT_INIT_INFO: Default Profiles DB not loaded
*Mar  1 00:00:36.183: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 15.0(1)SE, RE
*Mar  1 00:00:38.352: %SYS-5-CONFIG_I: Configured from memory by console
*Mar  1 00:00:39.505: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
Auth Manager registration failed
(truncated for clarity at this point)

Throughout the book, you’ve seen log messages regarding ports opening and closing, such as this one:

03:12:30: %SYS-5-CONFIG_I: Configured from console by console
03:12:31: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up

03:12:32: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
03:12:35: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down

I like seeing these messages in lab environments, but in production networks, you can fill up a log pretty quickly with these messages. To prevent these particular messages from logging, run the interface-level command no logging event link-status. You’ll have more options for this command on switches. On routers, you may see only these two options:

MLS_1(config)#int fast 0/1
MLS_1(config-if)#no logging event ?
  bundle-status      BUNDLE/UNBUNDLE messages
  link-status        UPDOWN and CHANGE messages
  nfas-status        NFAS D-channel status messages
  spanning-tree      Spanning-tree Interface events
  status             Spanning-tree state change messages
  subif-link-status  Sub-interface UPDOWN and CHANGE messages
  trunk-status       TRUNK status messages

ROUTER1(config)#int fast 0/0
ROUTER1(config-if)#no logging event ?
  link-status        UPDOWN and CHANGE messages
  subif-link-status  Sub-interface UPDOWN and CHANGE messages

ROUTER1(config-if)#no logging event link-status
ROUTER1(config-if)#shut
ROUTER1(config-if)#no shut
03:14:33: %SYS-5-CONFIG_I: Configured from console by console

We received only the configuration message; the syslog messages regarding link and line protocol status are gone. Getting rid of the link up-down messages is a good way to keep the log size down and make the log easier to read, but I’d be careful about turning too many log messages off. You might just miss one you really need to see! To get those logging messages back, run logging event link-status.

ROUTER1(config)#int fast 0/0
ROUTER1(config-if)#logging event link-status
ROUTER1(config-if)#shut
03:16:27: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
03:16:28: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
ROUTER1(config-if)#no shut
03:16:37: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
03:16:38: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

Yeah, like that!

Timestamping

If your timestamps reflect an era long gone, it’s time to get another time source.

MLS_1#show clock
*04:55:05.037 UTC Mon Mar 1 1993

We can set the local device’s time with clock set, then fine-tune that setting with clock timezone and clock summer-time. Note where clock set is run as opposed to the other clock commands.

MLS_1#clock ?
  set  Set the time and date

MLS_1#clock set ?

we’re going to have a lot more initialize WORD first http://en. For your personal reference. The Network Time Protocol It’s vital for our routers and switches to have a central time source that allows our network devices to synchronize their clocks. whether that time source is another router in the same network or an external time source. so you gotta know yours! I live on the East Coast in the United States. accurate and synched time is a necessity. making troubleshooting a lot less frustrating. and it’s vital they have the same time. here’s the Wikipedia page listing all offsets: routers and switches. You haven’t lived until you bill a department for 67 days’ usage of a network resource – in a single month.C H R I S B R YA N T ’ S C C N P S W I T C H 3 0 0 . name of time zone Synched time is important for our digital certificates as well. but in our networks. configured from console by console MLS _ 1(config)#clock timezone ? Initialize system clock on restart save backup of clock with NVRAM summer-time Configure summer (daylight savings) time Configure time zone last Last week of the month MLS _ 1(config)#clock summer-time EDT recurring The clock timezone command doesn’t list every time zone in the world.wikipedia. NTP allows us to specify time sources for our switches and routers.115 S T U DY G U I D E hh:mm:ss Current Time C H R I S B R YA N T WORD MLS _ 1#clock set 13:43:00 ? name of time zone in summer MLS _ 1(config)#clock summer-time EDT ? <1-31> Day of the month date Configure absolute summer time MONTH Month of the year recurring Configure recurring summer time MLS _ 1#clock set 13:43:00 March ? <1-31> MLS _ 1(config)#clock summer-time EDT recurring ? Day of the month MLS _ 1#clock set 13:43:00 March 25 ? <1993-2035> Year <cr> MLS _ 1#clock set 13:43:00 March 25 2015 04:59:01: %SYS-6-CLOCKUPDATE: System clock has been updated from 23:59:01 EST Sun Feb 28 1993 to 13:43:00 EDT Wed Mar 25 2015. 
Doing so allows our syslog timestamps to have accurate MLS _ 1(config)#clock timezone ? and synched time throughout the network. so I put Eastern Standard Time (EST) in for the time zone and -5 for the offset.23> First week of the month clock set is okay for one or two routers. nor the Coordinated Universal Time (UCT). MLS _ 1(config)#clock summer-time ? 326 327 .org/wiki/List_of_UTC_time_offsets name of time zone MLS _ 1(config)#clock ? timezone Week number to start <cr> MLS _ 1#clock set 13:43:00 March 25 2015 ? WORD <1-4> Hours offset from UTC MLS _ 1(config)#clock timezone EST -5 of accounting in your network. and if you’re using any kind MLS _ 1(config)#clock timezone EST ? <-23 . The Network Time Protocol (NTP) helps us make that happen.

At the very top of our NTP hierarchy are stratum-0 devices, typically atomic clocks. You can't configure a Cisco router to get its time directly from a stratum-0 server. The number following "stratum" in non-stratum-0 devices indicates how many hops away the device is from a stratum-0 device. (And you thought you were done with hops in RIP!) Stratum-1 servers are generally referred to as time servers, and we can configure a Cisco router to get its time from a stratum-1 device.

It's strongly recommended that your network's "outside" router receive its time from a public NTP timeserver. For the latest IP addresses of these servers, just run a search on the term public NTP servers. Be sure not to block UDP port 123 on that or other routers in your network – that's the port NTP uses.

Cisco routers can serve as NTP servers, clients, or peers. The NTP server-client relationship is as you'd expect, with the server giving the correct time to clients. Clients accept the time synch message from the server and set their internal clock accordingly. Clients do NOT send NTP time synch messages back to the server. They can also depend on NTP broadcasts for the correct time. NTP peers send NTP messages to each other, and either peer can send time synch messages to the other.

We're not limited to the traditional Server/Client relationship with NTP. We can choose to run NTP in broadcast mode or multicast mode as well. With these methods, the server broadcasts or multicasts its NTP messages, which the clients must be able to receive – otherwise, we're wasting our time! Remember that routers don't forward broadcasts or multicasts.

It's highly recommended an NTP public timeserver be used as your NTP Master time source. Should you choose to use one of your network routers as the NTP Master, it's imperative you use NTP authentication and/or ACLs to prevent routers from outside your network from attempting to synch with one of your routers.

In our lab, we'll configure MLS_1 as our NTP Master and a timeserver, with ROUTER_3 configured as a client of MLS_1. As always, the router number serves as the last octet of each IP address.

Let's check the clock on our NTP-Master-to-be:

MLS_1#show clock
09:25:29.167 EST Wed Mar 25 2015

It ain't 1993, so we'll take it! Our NTP options:

MLS_1(config)#ntp master ?
  <1-15>  Stratum number
  <cr>

On R3, I'll use ntp server to point R3 to this switch as its time source.

ROUTER_3(config)#ntp server ?
  A.B.C.D     IP address of peer
  WORD        Hostname of peer
  X:X:X:X::X  IPv6 address of peer
  ip          Use IP for DNS resolution
  ipv6        Use IPv6 for DNS resolution
  vrf         VPN Routing/Forwarding Information
ROUTER_3(config)#ntp server 10.1.1.4

The commands show ntp status and show ntp association verify NTP's operation. There's a lot of info here, and the phrase we're looking for is "clock is synchronized". We're also looking for that asterisk next to the address in show ntp association, which indicates that the synch is complete. Here's the output from the server's point of view, which includes the reference address 127.127.1.1, indicating the time source is the switch's internal clock.

MLS_1#show ntp status
Clock is synchronized, stratum 8, reference is 127.127.1.1
nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**17
reference time is D8BD46F7.46BF9352 (09:38:47.276 EST Wed Mar 25 2015)
(Output truncated for clarity)

MLS_1#show ntp association
  address         ref clock     st  when  poll reach  delay  offset    disp
*~127.127.1.1     .LOCL.         7     8    16   377  0.000   0.000   0.243
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

And from the client's point of view:

ROUTER_3#show ntp status
Clock is synchronized, stratum 9, reference is 10.1.1.4
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24
reference time is D8BD47D4.F3858835 (14:42:28.951 UTC Wed Mar 25 2015)
(Output truncated for clarity)

ROUTER_3#show ntp association
  address         ref clock     st  when  poll reach  delay  offset    disp
*~10.1.1.4        127.127.1.1    8    64    64    37  2.425 -66.348  439.77
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

If we're fortunate and smart enough to have NTP Master redundancy, we can configure our NTP clients to have more than one time server to choose from. We can also prefer one server over the other! Just use multiple ntp server commands while also using the prefer option to indicate the preferred server.

ROUTER_3(config)#ntp server 10.1.1.4 prefer
ROUTER_3(config)#ntp server 10.1.1.7

The NTP process likely strikes you as wide open to attack, since the only thing we're really telling the client is "Hey, here's the IP address of the time server." Let's use NTP authentication to tie things down a bit.

We'll enable this feature with ntp authenticate, then define a key and link that key to the ntp server command. We'll need the same commands on the server (except the ntp server command, of course!):

ROUTER_3(config)#ntp authenticate
ROUTER_3(config)#ntp authentication-key ?
  <1-4294967295>  Key number
ROUTER_3(config)#ntp authentication-key 1 ?
  md5  MD5 authentication
ROUTER_3(config)#ntp authentication-key 1 md5 ?
  WORD  Authentication key
ROUTER_3(config)#ntp authentication-key 1 md5 CCNP
ROUTER_3(config)#ntp trusted-key ?
  <1-4294967295>  Key number
ROUTER_3(config)#ntp trusted-key 1
ROUTER_3(config)#ntp server 10.1.1.4 ?
  burst    Send a burst when peer is reachable
  iburst   Send a burst when peer is unreachable
  key      Configure peer authentication key
  maxpoll  Maximum poll interval
  minpoll  Minimum poll interval
  prefer   Prefer this peer when possible
  source   Interface for source address
  version  Configure NTP version
  <cr>
ROUTER_3(config)#ntp server 10.1.1.4 key ?
  <0-4294967295>  Peer key number
ROUTER_3(config)#ntp server 10.1.1.4 key 1

MLS_1(config)#ntp authenticate
MLS_1(config)#ntp authentication-key 1 md5 CCNP
MLS_1(config)#ntp trusted-key 1

Verify NTP authentication with show ntp association detail. I've left out most of the output of this command, because when it says "detail", it means detail! The authentication verification is right at the top of the output:

ROUTER_3#show ntp association detail
10.1.1.4 configured, authenticated, our_master, sane, valid, stratum 8
ref ID 127.127.1.1, time D8BE4169.4569D946 (08:27:21.271 UTC Thu Mar 26 2015)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64

That's all well and good, but NTP authentication isn't quite what it seems. Enabling NTP authentication on the server does NOT require NTP clients to use authentication. NTP authentication really just assures the client that it's talking to an NTP server that's under our administrative control. I've just added another router to our lab, and it's able to get time from MLS_1 with no problem – and no authentication, either!

ROUTER_1(config)#ntp server 10.1.1.4
ROUTER_1#show ntp assoc
  address         ref clock     st  when  poll reach  delay  offset    disp
*~10.1.1.4        127.127.1.1    8    26    64    17  2.790  -8.124  939.53
 * sys.peer, # selected, + candidate, - outlyer, x falseticker, ~ configured

ROUTER_1#show ntp assoc detail
10.1.1.4 configured, our_master, sane, valid, stratum 8
ref ID 127.127.1.1, time D8BE4561.46322015 (08:44:17.274 UTC Thu Mar 26 2015)
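What the key in ntp authentication-key actually buys you, as an added example in Python (not code from this book or from IOS). It builds a server reply carrying the lab's values (stratum 8, reference ID 127.127.1.1, reference time D8BD46F7.46BF9352), appends the key ID and MD5 MAC the way RFC 5905 describes for symmetric keys, and reproduces the two client behaviours seen above: ROUTER_3 with ntp authenticate only accepts a reply whose MAC verifies under a trusted key, while ROUTER_1 without it takes any reply, MAC or not. The packet layout and the conversion that turns D8BD46F7.46BF9352 into the 09:38:47 EST printed by show ntp status are standard NTP; the packet bytes themselves are constructed here.

```python
"""NTP symmetric-key (MD5) authentication, worked through in Python.

Added example, not code from this study guide or from Cisco IOS. It models what
'ntp authentication-key 1 md5 CCNP' plus 'ntp trusted-key 1' do on the wire
(RFC 5905, Appendix A): the server appends a key ID and MD5(key || 48-byte
header) to each reply, and a client with 'ntp authenticate' recomputes that MAC
with its own copy of the key. Sample values (stratum 8, reference ID
127.127.1.1, reference time D8BD46F7.46BF9352, key 1 = CCNP) come from the lab
output above; the packet itself is constructed here.
"""
import hashlib
import hmac
import struct
from datetime import datetime, timezone

NTP_UNIX_OFFSET = 2208988800   # seconds between 1900-01-01 and 1970-01-01
HEADER_LEN = 48                # fixed NTP header; the MAC (if any) follows it
MAC_LEN = 4 + 16               # key ID + MD5 digest


def ntp_to_datetime(ntp_hex: str) -> datetime:
    """Convert an NTP timestamp as IOS prints it ('SSSSSSSS.FFFFFFFF', hex) to UTC."""
    secs_hex, frac_hex = ntp_hex.split(".")
    secs = int(secs_hex, 16) - NTP_UNIX_OFFSET
    frac = int(frac_hex, 16) / 2 ** 32
    return datetime.fromtimestamp(secs + frac, tz=timezone.utc)


def build_server_reply(stratum: int, ref_id: bytes, ref_time_hex: str) -> bytes:
    """Build a 48-byte NTPv4 server-mode (mode 4) header. Origin/receive/transmit
    timestamps are left zero: the point here is the reference data and the MAC."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4       # LI=0, VN=4, mode=4 (server)
    poll, precision = 6, -17                    # poll 2**6 s; precision 2**-17 s, as in show ntp status
    secs_hex, frac_hex = ref_time_hex.split(".")
    return struct.pack(
        "!BBbbII4sIIIIIIII",
        li_vn_mode, stratum, poll, precision,
        0, 0,                                   # root delay, root dispersion
        ref_id,                                 # 4-byte reference ID
        int(secs_hex, 16), int(frac_hex, 16),   # reference timestamp
        0, 0, 0, 0, 0, 0,                       # origin, receive, transmit timestamps
    )


def parse_header(packet: bytes) -> dict:
    """Pull out the fields the lab checks with show ntp status / association."""
    li_vn_mode, stratum = struct.unpack("!BB", packet[:2])
    ref_id = packet[12:16]
    secs, frac = struct.unpack("!II", packet[16:24])
    # Stratum 0/1 reference IDs are four ASCII characters (.LOCL.); higher strata carry an IPv4 address
    ref = ref_id.decode("ascii").strip("\x00") if stratum <= 1 else ".".join(str(b) for b in ref_id)
    return {
        "version": (li_vn_mode >> 3) & 7,
        "mode": li_vn_mode & 7,
        "stratum": stratum,
        "ref_id": ref,
        "ref_time": ntp_to_datetime(f"{secs:08X}.{frac:08X}"),
        "authenticated": len(packet) == HEADER_LEN + MAC_LEN,
    }


def sign(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Server side of 'ntp authenticate' with a trusted key: append key ID + MD5(key || header)."""
    header = packet[:HEADER_LEN]
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def client_accepts(packet: bytes, trusted_keys: dict, authenticate: bool) -> bool:
    """Mirror the IOS client: without 'ntp authenticate' any well-formed reply is used
    (a MAC is simply ignored); with it, the reply must carry a valid MAC under a trusted key."""
    if len(packet) < HEADER_LEN:
        return False
    if not authenticate:
        return True
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False                              # unauthenticated reply: rejected
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False                              # key ID is not in 'ntp trusted-key'
    expected = hashlib.md5(key + packet[:HEADER_LEN]).digest()
    return hmac.compare_digest(expected, packet[HEADER_LEN + 4:])


if __name__ == "__main__":
    reply = build_server_reply(8, bytes([127, 127, 1, 1]), "D8BD46F7.46BF9352")
    signed = sign(reply, 1, b"CCNP")
    print(parse_header(signed))
    print("ROUTER_3 (ntp authenticate, trusted key 1 = CCNP):", client_accepts(signed, {1: b"CCNP"}, True))
    print("ROUTER_1 (no ntp authenticate):                   ", client_accepts(reply, {}, False))
```

The MAC only proves that whoever built the reply knew the shared key, which is exactly the guarantee the text describes: the client knows it is talking to a server under our control, nothing more. It does not make the server demand authentication from clients, and it carries no replay protection, so the ACL in the next section is still worth configuring.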

To further protect our NTP deployment, we'll configure an ACL on the server and use ntp access-group to apply it to NTP. Our ACL will permit only the source IP address 10.1.1.3, and we'll call that ACL in ntp access-group.

MLS_1(config)#access-list 22 permit host 10.1.1.3
MLS_1(config)#ntp access-group ?
  peer        Provide full access
  query-only  Allow only control queries
  serve       Provide server and query access
  serve-only  Provide only server access
MLS_1(config)#ntp access-group serve ?
  <1-99>       Standard IP access list
  <1300-1999>  Standard IP access list (expanded range)
  WORD         Named access list
MLS_1(config)#ntp access-group serve 22

debug ntp packets illustrates that when MLS_1 receives an NTP message from the permitted IP address of 10.1.1.3, an NTP message is sent in reply. The debug shows an NTP message coming in from 10.1.1.1 as well, but that message is not answered due to the ACL and ntp access-group command.

MLS_1#debug ntp packet
NTP packets debugging is on
NTP message received from 10.1.1.3 on interface 'Vlan13' (10.1.1.4)
NTP message sent to 10.1.1.3, from interface 'Vlan13' (10.1.1.4)
NTP message received from 10.1.1.1 on interface 'Vlan13' (10.1.1.4)
NTP message received from 10.1.1.3 on interface 'Vlan13' (10.1.1.4)
NTP message sent to 10.1.1.3, from interface 'Vlan13' (10.1.1.4)
NTP message received from 10.1.1.1 on interface 'Vlan13' (10.1.1.4)
MLS_1#u all
All possible debugging has been turned off

With our time all synched up, let's do some network monitoring!

SNMP

The Simple Network Management Protocol is used to carry network management info from one network device to another, and you'll find it in just about every network out there today. An SNMP deployment has three main parts:

The SNMP Manager, the actual monitoring device.
The SNMP Agents, the devices being monitored (and running an SNMP instance).
The Management Information Base (MIB), the database on the Agent that contains important information ("variables") about the Agent.

SNMP Managers poll Agents over UDP port 161, and these messages take the form of GETs and SETs. A "GET" is a request for information… and a "SET" is a request from the Manager to the Agent, requesting a certain variable be set to the value indicated in the SET.

Seems like a good approach, but there's one glaring issue. Let's say our Manager is polling our Agent every 10 minutes regarding one particular variable. Three seconds after the Agent answers one such GET, that variable undergoes a critical change. It would then take 9 minutes and 57 seconds for the Manager to find out about the change! The only way for the Manager to receive immediate or even near-immediate notice of a critical network event is to poll the Agents quite often, which in turn sucks up bandwidth and is a hit on the Manager's CPU. To get a quick notification on such an event without overloading the Manager, we configure SNMP traps on the managed devices, allowing the Agents to send a message to the Manager when such a variable changes.

We still have three versions of SNMP out there – versions 1, 2c, and 3 – and there are some serious security concerns with the earlier versions. V3 has both authentication and encryption capabilities; the earlier versions do not. For that reason alone, you should use V3 whenever possible, and the use of the other versions should be restricted to allowing read-only access via the use of community strings.

SNMP community strings, found in SNMP v1 and 2c, are a kind of password / authority level combination that allow you to set the strings as read-only or read-write.

MLS_1(config)#snmp-server community ?
  WORD  SNMP community string
MLS_1(config)#snmp-server community CCNP ?
  <1-99>       Std IP accesslist allowing access with this community string
  <1300-1999>  Expanded IP accesslist allowing access with this community string
  WORD         Access-list name
  ro           Read-only access with this community string
  rw           Read-write access with this community string
  view         Restrict this community to a named MIB view
  <cr>
MLS_1(config)#snmp-server community CCNP ro ?
  <1-99>       Std IP accesslist allowing access with this community string
  <1300-1999>  Expanded IP accesslist allowing access with this community string
  WORD         Access-list name
  ipv6         Specify IPv6 Named Access-List
  <cr>
MLS_1(config)#snmp-server community CCNP ro 15

This configuration would allow hosts identified by ACL 15 to have read-only access to all SNMP objects specified by this community string.

With SNMP v3, things are much more secure and just a tad more complex. Let's use IOS Help to venture through some of the most long-winded commands you're ever going to see. Let's start with creating an SNMP group and then assigning a user to that group.

MLS_1(config)#snmp-server group BULLDOGS ?
  v1   group using the v1 security model
  v2c  group using the v2c security model
  v3   group using the User Security Model (SNMPv3)
MLS_1(config)#snmp-server group BULLDOGS v3 ?
  auth    group using the authNoPriv Security Level
  noauth  group using the noAuthNoPriv Security Level
  priv    group using SNMPv3 authPriv security level

A quick word about those three security levels – they look intimidating, but when you break them down they're easy to remember.

authNoPriv – You have authentication, but no privacy (no encryption).
noAuthNoPriv – You're really asking for it. You have no authentication and no privacy (encryption).
authPriv – Your SNMP packets are both authenticated and privacy is assured via encryption.

MLS_1(config)#snmp-server group BULLDOGS v3 priv ?
  access   specify an access-list associated with this group
  context  specify a context to associate these views for the group
  match    context name match criteria
  notify   specify a notify view for the group
  read     specify a read view for the group
  write    specify a write view for the group
  <cr>
MLS_1(config)#snmp-server group BULLDOGS v3 priv

The views mentioned in the last IOS Help readout aren't required, and creating them is out of the CCNP SWITCH exam scope, but I do want you to know the defaults:

If no read view is defined, all objects can be read.
If no write view is defined, no objects can be written.
If no notify view is defined, group members are not sent notifications.

Now let's create our user, using SHA for authentication and AES 128-bit encryption, which are both excellent choices when your hardware allows them.

MLS_1(config)#snmp-server user CHRIS ?
  WORD  Group to which the user belongs
MLS_1(config)#snmp-server user CHRIS BULLDOGS ?
  remote  Specify a remote SNMP entity to which the user belongs
  v1      user using the v1 security model
  v2c     user using the v2c security model
  v3      user using the v3 security model
MLS_1(config)#snmp-server user CHRIS BULLDOGS v3 ?
  access     specify an access-list associated with this group
  auth       authentication parameters for the user
  encrypted  specifying passwords as MD5 or SHA digests
  <cr>
MLS_1(config)#snmp-server user CHRIS BULLDOGS v3 auth ?
  md5  Use HMAC MD5 algorithm for authentication
  sha  Use HMAC SHA algorithm for authentication
MLS_1(config)#snmp-server user CHRIS BULLDOGS v3 auth sha ?
  WORD  authentication pasword for user
MLS_1(config)#snmp-server user CHRIS BULLDOGS v3 auth sha CCNP ?
  access  specify an access-list associated with this group
  priv    encryption parameters for the user
  <cr>
MLS_1(config)#snmp-server user CHRIS BULLDOGS v3 auth sha CCNP priv ?
  3des  Use 168 bit 3DES algorithm for encryption
  aes   Use AES algorithm for encryption
  des   Use 56 bit DES algorithm for encryption
MLS_1(config)#snmp-server user CHRIS BULLDOGS v3 auth sha CCNP priv aes ?
  128  Use 128 bit AES algorithm for encryption
  192  Use 192 bit AES algorithm for encryption
  256  Use 256 bit AES algorithm for encryption
MLS_1(config)#snmp-server user CHRIS BULLDOGS v3 auth sha CCNP priv aes 128 ?
  WORD  privacy pasword for user
MLS_1(config)#$S BULLDOGS v3 auth sha CCNP priv aes 128 TIREDOFTYPING ?
  access  specify an access-list associated with this group
  <cr>
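What the switch does with the two passwords handed to that user command, as an added example in Python (not code from this book or from IOS). SNMPv3's User Security Model never sends a password: each one is stretched to 1 MiB and hashed, then the result is bound to the agent's snmpEngineID (RFC 3414, Appendix A), so the key for CHRIS on MLS_1 is useless against any other agent. The example derives the SHA auth key and the AES-128 privacy key for the user above and produces the 12-byte msgAuthenticationParameters tag that authNoPriv and authPriv messages carry. The engine ID and the message bytes are constructed for the example; the RFC's published test vector checks the derivation.

```python
"""SNMPv3 USM key localization (RFC 3414, Appendix A), worked through in Python.

Added example, not code from this study guide or from Cisco IOS. It shows what the
switch does with the two passwords in
'snmp-server user CHRIS BULLDOGS v3 auth sha CCNP priv aes 128 TIREDOFTYPING':
each password is stretched to 1 MiB and hashed (Ku), then bound to the agent's
snmpEngineID (Kul). Only Kul is ever used on the wire. The engine ID below is
constructed for this example; the RFC's test vector is used in the checks.
"""
import hashlib
import hmac

ONE_MIB = 1_048_576          # RFC 3414 A.2: hash exactly 1,048,576 bytes of repeated password
AUTH_PARAM_LEN = 12          # HMAC-MD5-96 / HMAC-SHA-96 truncate the tag to 96 bits


def password_to_ku(password: str, hash_name: str = "sha1") -> bytes:
    """Step 1: Ku = H(password repeated out to exactly 1 MiB)."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    stretched = (pw * (ONE_MIB // len(pw) + 1))[:ONE_MIB]
    return hashlib.new(hash_name, stretched).digest()


def localize(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Step 2: Kul = H(Ku || snmpEngineID || Ku), which ties the key to one agent."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(auth_password: str, priv_password: str, engine_id: bytes, hash_name: str = "sha1") -> dict:
    """Keys the agent stores for one authPriv user: SHA-1 yields 20 bytes; AES-128
    (usmAesCfb128Protocol) uses the first 16 bytes of the localized privacy key."""
    auth_key = localize(password_to_ku(auth_password, hash_name), engine_id, hash_name)
    priv_key = localize(password_to_ku(priv_password, hash_name), engine_id, hash_name)
    return {"auth_key": auth_key, "priv_key_aes128": priv_key[:16]}


def auth_param(auth_key: bytes, message: bytes, hash_name: str = "sha1") -> bytes:
    """msgAuthenticationParameters: HMAC over the whole message (with that field
    zeroed by the caller), truncated to 12 bytes."""
    return hmac.new(auth_key, message, hash_name).digest()[:AUTH_PARAM_LEN]


def verify_auth_param(auth_key: bytes, message: bytes, received: bytes, hash_name: str = "sha1") -> bool:
    """Constant-time check a receiver performs at authNoPriv or authPriv."""
    return hmac.compare_digest(auth_param(auth_key, message, hash_name), received)


if __name__ == "__main__":
    # Constructed engine ID for MLS_1 (not a value captured from the lab)
    engine_id = bytes.fromhex("80000009030000112233aa44")
    keys = usm_keys("CCNP", "TIREDOFTYPING", engine_id)
    print("localized auth key :", keys["auth_key"].hex())
    print("AES-128 priv key   :", keys["priv_key_aes128"].hex())
    # The same passwords on a second agent give different keys
    other = usm_keys("CCNP", "TIREDOFTYPING", bytes.fromhex("80000009030000112233aa55"))
    print("same passwords, other engine ID, same auth key?", other["auth_key"] == keys["auth_key"])
```

The 1 MiB stretching is why an SNMPv3 user takes a noticeable moment to create on a switch, and the engine-ID binding is why a user must be re-created (or a remote engine ID configured) when the same credentials are needed on another agent. Neither protection exists for v1/v2c community strings, which travel in clear text.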

MLS_1(config)#$S BULLDOGS v3 auth sha CCNP priv aes 128 TIREDOFTYPING
MLS_1(config)#^Z
MLS_1#
Mar 26 10:16:25.467: Configuring snmpv3 USM user, persisting snmpEngineBoots.

Whew! You obviously have to do some serious planning for SNMPv3, including the encryption type and bit level of same you'll be able to use, but it pays off in the end with security that's far superior to earlier versions.

Finally, we'll define the host to which we'll send traps.

MLS_1(config)#snmp-server host ?
  WORD                                                  IP/IPV6 address of SNMP notification host
  http://<Hostname or A.B.C.D>[:<port number>][/<uri>]  HTTP address of XML notification host
MLS_1(config)#snmp-server host 10.1.1.3 ?
  WORD     SNMPv1/v2c community string or SNMPv3 user name
  informs  Send Inform messages to this host
  traps    Send Trap messages to this host
  version  SNMP version to use for notification messages
  vrf      VPN Routing instance for this host
MLS_1(config)#snmp-server host 10.1.1.3 traps ?
  WORD     SNMPv1/v2c community string or SNMPv3 user name
  version  SNMP version to use for notification messages
MLS_1(config)#snmp-server host 10.1.1.3 traps version ?
  1   Use SNMPv1
  2c  Use SNMPv2c
  3   Use SNMPv3
MLS_1(config)#snmp-server host 10.1.1.3 traps version 3 ?
  auth    Use the SNMPv3 authNoPriv Security Level
  noauth  Use the SNMPv3 noAuthNoPriv Security Level
  priv    Use the SNMPv3 authPriv Security Level
MLS_1(config)#snmp-server host 10.1.1.3 traps version 3 priv ?
  WORD  SNMPv1/v2c community string or SNMPv3 user name
MLS_1(config)#snmp-server host 10.1.1.3 traps version 3 priv CHRIS ?
  <about 45 options, too many to list here>
  <cr>
MLS_1(config)#snmp-server host 10.1.1.3 traps version 3 priv CHRIS

Service Level Agreements

During your Frame Relay studies in your CCNA days, you were introduced to the Committed Information Rate (CIR). The CIR is basically a guarantee given to the customer by the Frame Relay service provider, where the provider says "For X dollars, we guarantee you'll get Y amount of bandwidth. You may get more, but we guarantee you won't get less." Given that guarantee of minimum performance, the customer can then plan the WAN appropriately.

The SLA is based on the concept of minimum, guaranteed performance, but this agreement is between different parties. It can be much like the CIR, where a service provider guarantees a certain level of overall network uptime and performance, or it can be between the internal clients of a company and the network team at that same company. The SLA can involve just about any quality-measurable value in your network, from available bandwidth and acceptable levels of jitter in voice networks, to DNS lookup time, trouble notification and resolution time. Here's a sneak peek of the available tests:

MLS_1(config)#ip sla 5
MLS_1(config-ip-sla)#?
IP SLAs entry configuration commands:
  dhcp         DHCP Operation
  dns          DNS Query Operation
  exit         Exit Operation Configuration
  ftp          FTP Operation
  http         HTTP Operation
  icmp-echo    ICMP Echo Operation
  path-echo    Path Discovered ICMP Echo Operation
  path-jitter  Path Discovered ICMP Jitter Operation
  tcp-connect  TCP Connect Operation
  udp-echo     UDP Echo Operation
  udp-jitter   UDP Jitter Operation
  video        Video Operation

An SLA setup consists of a source and a responder. To kick off the festivities, the source sends control packets to the responder via UDP port 1967 in an attempt to create a control connection similar to that in FTP. This connection isn't the actual SLA test, but is an agreement on the rules of communication. In this case, the rules sent to the responder are the port number to be listened to during the test and the time limit on that listening.

Should the responder be kind enough to agree, it'll send a message back to the source indicating the same, and then the responder starts listening to the indicated port. (If the responder doesn't agree, it'll send a message back indicating that decision, and our story ends prematurely.)

We now go from controlling to probing, as the source sends test packets to the responder. The source wants to see if the packets are echoed back and how long the overall process takes. The responder adds timestamps to those packets both as the packets are accepted and then returned. This gives the sender a better idea of the overall time the responder took to process the packets as well as the overall round-trip time. (Of course, this timestamping only helps if the devices have synched time – NTP, anyone?)

Let's tackle an SLA lab! MLS_1 will be the SLA source, with ROUTER_3 serving as the responder. Here are the first options for the ip sla command:

MLS_1(config)#ip sla ?
  <1-2147483647>          Entry Number
  enable                  Enable Event Notifications
  group                   Group Configuration or Group Scheduling
  key-chain               Use MD5 Authentication for IP SLAs Control Messages
  logging                 Enable Syslog
  low-memory              Configure Low Water Memory Mark
  reaction-configuration  IP SLAs Reaction-Configuration
  reaction-trigger        IP SLAs Trigger Assignment
  read                    Read data for use with IP SLA
  reset                   IP SLAs Reset
  responder               Enable IP SLAs Responder
  restart                 Restart An Active Entry
  schedule                Entry Scheduling

We'll go with SLA entry number 5, and accepting that value drops us into SLA entry config mode. We'll then choose the icmp-echo test, using 10.1.1.3 as the target of the test.

MLS_1(config)#ip sla 5
MLS_1(config-ip-sla)#icmp-echo ?
  Hostname or A.B.C.D  Destination IP address or hostname, broadcast disallowed
MLS_1(config-ip-sla)#icmp-echo 10.1.1.3 ?
  source-interface  Source Interface (ingress icmp packet interface)
  source-ip         Source Address
  <cr>

Note the option to configure the source interface and IP address – those options can come in handy in larger networks. Since we only have one path from source to responder, we'll leave those alone here.

MLS_1(config-ip-sla)#icmp-echo 10.1.1.3

We then drop into SLA ICMP Echo config mode (!), where I'll set a frequency of 60 seconds between tests. That also happens to be the default!

MLS_1(config-ip-sla-echo)#?
IP SLAs Icmp Echo Configuration Commands:
  default            Set a command to its defaults
  exit               Exit operation configuration
  frequency          Frequency of an operation
  history            History and Distribution Data
  no                 Negate a command or set its defaults
  owner              Owner of Entry
  request-data-size  Request data size
  tag                User defined tag
  threshold          Operation threshold in milliseconds
  timeout            Timeout of an operation
  tos                Type Of Service
  verify-data        Verify data
  vrf                Configure IP SLAs for a VPN Routing/Forwarding instance
MLS_1(config-ip-sla-echo)#frequency ?
  <1-604800>  Frequency in seconds
MLS_1(config-ip-sla-echo)#frequency 60

Finally, we get to schedule this sucker! I'll use IOS Help to show you the options and then start the test immediately. Note the option to grant the test eternal life.

MLS_1(config)#ip sla schedule ?
  <1-2147483647>  Entry number
MLS_1(config)#ip sla schedule 5 ?
  ageout      How long to keep this Entry when inactive
  life        Length of time to execute in seconds
  recurring   Probe to be scheduled automatically every day
  start-time  When to start this entry
  <cr>
MLS_1(config)#ip sla schedule 5 life ?
  <0-2147483647>  Life seconds (default 3600)
  forever         continue running forever
MLS_1(config)#ip sla schedule 5 start-time ?
  after     Start after a certain amount of time from now
  hh:mm     Start time (hh:mm)
  hh:mm:ss  Start time (hh:mm:ss)
  now       Start now
  pending   Start pending
MLS_1(config)#ip sla schedule 5 start-time now

Verify your config with show ip sla config. I'll show you the entire output here, and the most important info to us is near the top. The default TTL is 3600 seconds, and we can see that's ticking away.

MLS_1#show ip sla config
IP SLAs Infrastructure Engine-III
Entry number: 5
Owner:
Tag:
Operation timeout (milliseconds): 5000
Type of operation to perform: icmp-echo
Target address/Source address: 10.1.1.3/0.0.0.0
Type Of Service parameter: 0x0
Request size (ARR data portion): 28
Verify data: No
Vrf Name:
Schedule:
   Operation frequency (seconds): 60 (not considered if randomly scheduled)
   Next Scheduled Start Time: Start Time already passed
   Group Scheduled : FALSE
   Randomly Scheduled : FALSE
   Life (seconds): 3600
   Entry Ageout (seconds): never
   Recurring (Starting Everyday): FALSE
   Status of entry (SNMP RowStatus): Active
Threshold (milliseconds): 5000
Distribution Statistics:
   Number of statistic hours kept: 2
   Number of statistic distribution buckets kept: 1
   Statistic distribution interval (milliseconds): 20
Enhanced History:
History Statistics:
   Number of history Lives kept: 0
   Number of history Buckets kept: 15
   History Filter Type: None

To view SLA statistics, run show ip sla statistics. I ran the command twice, and we can see that the tests are running a minute apart and they've both been successful.

MLS_1#show ip sla stat
IPSLAs Latest Operation Statistics
IPSLA operation id: 5
Latest RTT: 1 milliseconds
Latest operation start time: 06:11:35 EST Thu Mar 26 2015
Latest operation return code: OK
Number of successes: 1
Number of failures: 0
Operation time to live: 3552 sec

MLS_1#show ip sla stat
IPSLAs Latest Operation Statistics
IPSLA operation id: 5
Latest RTT: 1 milliseconds
Latest operation start time: 06:12:35 EST Thu Mar 26 2015
Latest operation return code: OK
Number of successes: 2
Number of failures: 0
Operation time to live: 3528 sec

We can secure our SLA config with a key-chain and the ip sla key-chain command.

ROUTER_3(config)#key chain CCNP
ROUTER_3(config-keychain)#key 1
ROUTER_3(config-keychain-key)#key-string SPIDERS
ROUTER_3(config)#ip sla key-chain CCNP

MLS_1(config)#key chain CCNP
MLS_1(config-keychain)#key 1
MLS_1(config-keychain-key)#key-string SPIDERS
MLS_1(config)#ip sla key-chain CCNP

An interesting thing about SLA tests – you can't edit one that's in progress. Here, I tried to go back and set this test to live forever rather than time out, and here's what happened:

MLS_1(config)#ip sla 5
Entry already running and cannot be modified
(only can delete (no) and start over)
(check to see if the probe has finished exiting)

It's always something!

Just one more SLA thing… I want to show you what the statistics output is when something's gone wrong. Here, I shut ROUTER_3's port down that leads to the switch. Here's the result of the very next echo test:

MLS_1#show ip sla stat
IPSLAs Latest Operation Statistics
IPSLA operation id: 5
Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: 06:53:35 EST Thu Mar 26 2015
Latest operation return code: Timeout
Number of successes: 42
Number of failures: 1
Operation time to live: 1024 sec

After reopening the interface, the successes start incrementing again!

MLS_1#show ip sla stat
IPSLAs Latest Operation Statistics
IPSLA operation id: 5
Latest RTT: 1 milliseconds
Latest operation start time: 06:54:35 EST Thu Mar 26 2015
Latest operation return code: OK
Number of successes: 43
Number of failures: 1
Operation time to live: 989 sec

Hey, did you notice I never configured anything on the responder? Since I was running a simple ICMP echo test, I didn't need to, since I know the responder can handle pinging. For some of those other tests, though, you may need ip sla responder. It doesn't hurt anything to enable SLA capabilities for the simpler tests.

ROUTER_3(config)#ip sla responder
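The bookkeeping behind those statistics, as an added example in Python (not code from this book or from IOS). It covers the two things the section explains in prose: how the responder's receive (T2) and send-back (T3) timestamps let the source subtract responder processing time from the raw round trip, and how the counters in show ip sla statistics (latest RTT, return code, successes, failures, time to live) move as probes succeed, exceed the threshold, or time out. A plain icmp-echo has no responder timestamps, which is why no ip sla responder was needed above; the probe timestamps, and the sequence with one unanswered probe, are constructed for the example. Timeout, threshold, frequency and life use the defaults from show ip sla config.

```python
"""IP SLA echo accounting, worked through in Python.

Added example, not code from this study guide or from Cisco IOS. It models the
responder's two timestamps (T2 on receipt, T3 on return) and the counters behind
'show ip sla statistics'. Probe timestamps are constructed; the 5000 ms
timeout/threshold, 60 s frequency and 3600 s life are the defaults shown in
show ip sla config.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Probe:
    """Timestamps in milliseconds on a common (NTP-synched) clock; t4 is None if nothing came back."""
    t1: float                    # source sends the test packet
    t2: Optional[float] = None   # responder receives it (udp-echo/udp-jitter only)
    t3: Optional[float] = None   # responder sends it back
    t4: Optional[float] = None   # source receives the echo


def network_rtt_ms(p: Probe) -> Optional[float]:
    """Round-trip time with the responder's own processing removed: (T4 - T1) - (T3 - T2).
    An ICMP echo carries no T2/T3, so it is simply T4 - T1."""
    if p.t4 is None:
        return None
    processing = (p.t3 - p.t2) if (p.t2 is not None and p.t3 is not None) else 0.0
    return (p.t4 - p.t1) - processing


@dataclass
class SlaStats:
    operation_id: int
    frequency_s: int = 60
    timeout_ms: int = 5000
    threshold_ms: int = 5000
    life_s: int = 3600
    successes: int = 0
    failures: int = 0
    over_threshold: int = 0
    latest_rtt_ms: Optional[float] = None
    latest_return_code: str = "NoData"

    def record(self, p: Probe) -> str:
        """Account for one probe the way the source does; returns the return code."""
        self.life_s = max(0, self.life_s - self.frequency_s)   # one probe per frequency interval
        if p.t4 is None or (p.t4 - p.t1) > self.timeout_ms:
            self.failures += 1
            self.latest_rtt_ms = None
            self.latest_return_code = "Timeout"
        else:
            rtt = network_rtt_ms(p)
            self.successes += 1
            self.latest_rtt_ms = rtt
            self.latest_return_code = "OK"
            if rtt > self.threshold_ms:            # answered, but slower than the SLA allows
                self.over_threshold += 1
        return self.latest_return_code

    def render(self) -> str:
        """Text in the shape of 'show ip sla statistics'."""
        rtt = "NoConnection/Busy/Timeout" if self.latest_rtt_ms is None else f"{self.latest_rtt_ms:.0f} milliseconds"
        return "\n".join([
            "IPSLAs Latest Operation Statistics",
            f"IPSLA operation id: {self.operation_id}",
            f"Latest RTT: {rtt}",
            f"Latest operation return code: {self.latest_return_code}",
            f"Number of successes: {self.successes}",
            f"Number of failures: {self.failures}",
            f"Operation time to live: {self.life_s} sec",
        ])


def run_constructed_lab() -> SlaStats:
    """Constructed sequence: two good echoes, one unanswered (port shut), one good again."""
    stats = SlaStats(operation_id=5)
    for p in [Probe(0.0, 0.4, 0.9, 1.5),                   # 1.5 ms overall, 0.5 ms inside the responder
              Probe(60000.0, 60000.3, 60000.8, 60001.5),
              Probe(120000.0),                             # nothing came back
              Probe(180000.0, 180000.4, 180000.9, 180001.4)]:
        stats.record(p)
    return stats


if __name__ == "__main__":
    print(run_constructed_lab().render())
```

The threshold counter is the piece a monitoring team cares about: a probe that comes back in 6 ms on a 5 ms threshold still reports OK, and only reaction-configuration (or polling the counters over SNMP) turns that into an alert.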

AAA

Those As stand for authentication, authorization, and accounting. Each "A" is a separate function and requires separate configuration. Before we deal with configs though, let's look at each "A" and see exactly what's going on with each.

Authentication is the process of deciding if a given user should be allowed to access the network (or network service). As a CCNA and future CCNP, you've already configured authentication in the form of a local database of usernames and passwords. This is sometimes called a self-contained AAA deployment, since no external device is involved. As your network grows and you need a more scalable authentication scheme, it's likely you'll turn to one of the following protocols for your AAA deployment.

TACACS+, a Cisco-proprietary TCP-based protocol (port 49, that is).
RADIUS, an open-standard UDP-based protocol (ports 1812 and 1813, that is) originally developed by the IETF.

You just might be asking yourself what happened to the original TACACS if we're now using TACACS+. TACACS was the original version of the protocol and is rarely used today, so we don't have to concern ourselves with that version. We do need to concern ourselves with these differences between TACACS+ and RADIUS:

TACACS+ encrypts the entire packet, where RADIUS encrypts only the password in the initial client-server packet.

RADIUS actually combines the authentication and authorization processes. That might sound like a good thing, but it makes it very difficult to run one process without running the other. TACACS+ runs each "A" as a separate process, allowing another method of authentication to be used while still using TACACS+ for authorization and/or accounting.

RADIUS cannot control the authorization level of users, but TACACS+ can.

Regardless of the "A" you're configuring, AAA must first be enabled with the global command aaa new-model. The location of the TACACS+ and/or RADIUS server must then be configured, along with a shared encryption key that must be agreed upon by both client and server.

MLS_1(config)#aaa new-model
MLS_1(config)#tacacs-server host 10.1.1.3 key CCNP
MLS_1(config)#radius-server host 10.1.1.5 key CCIE

aaa new-model not only enables AAA, it also overrides every previously configured authentication method for the router lines – especially the vty lines!

We have our TACACS+ server at 10.1.1.3 and our RADIUS server at 10.1.1.5, with the switch configured as a client of both. And that’s that! However, we now need to determine which servers will be used for authentication, and in what order. We’ll put our TACACS+ and RADIUS servers to work by drilling a little deeper with aaa authentication.

We have to create either a named authentication list or a default list that will be used for all authentications that don’t reference a named list. We’ll go with the default list.

MLS_1(config)#aaa authentication login ?
  WORD     Named authentication list (max 31 characters, longer will be rejected).
  default  The default authentication list.

Let’s have a look at the options.

MLS_1(config)#aaa authentication login default ?
  cache          Use Cached-group
  enable         Use enable password for authentication.
  group          Use Server-group
  krb5           Use Kerberos 5 authentication.
  krb5-telnet    Allow logins only if already authenticated via Kerberos V Telnet.
  line           Use line password for authentication.
  local          Use local username authentication.
  local-case     Use case-sensitive local username authentication.
  none           NO authentication.
  passwd-expiry  enable the login list to provide password aging support

Hmm. Some choices might surprise you! Instead of using the local database, we can configure authentication to use the enable password, and we could also use a line password. The local and local-case options allow us to use the local username/password database. A quick review on how to build one of those:

MLS_1(config)#username bruno password wwwf
MLS_1(config)#username thesz password nwa
MLS_1(config)#username gagne password awa

If you don’t see the TACACS+ and RADIUS options in the above config, there’s a good reason – they’re not there! To use TACACS+ or RADIUS in aaa authentication, choose group and all will be revealed!

MLS_1(config)#aaa authentication login default group ?
  WORD     Server-group name
  ldap     Use list of all LDAP hosts.
  radius   Use list of all Radius hosts.
  tacacs+  Use list of all Tacacs+ hosts.

I’ll go with TACACS+ and then check the options.

MLS_1(config)#aaa authentication login default group tacacs+ ?
  cache       Use Cached-group
  enable      Use enable password for authentication.
  group       Use Server-group
  krb5        Use Kerberos 5 authentication.
  line        Use line password for authentication.
  local       Use local username authentication.
  local-case  Use case-sensitive local username authentication.
  none        NO authentication.
  <cr>

The tacacs+ choice is legal, and this command is fine on its own – but why do I have the option to list more authentication choices, including “none”? We can actually name up to four methods, and they’ll be used in the order listed, from left to right. If you try to list a fifth method as I did below, the IOS will not let you enter the 5th method. IOS Help won’t even show you the remaining options once you hit four!

The following statement lists TACACS+ as the first method, a line password second, the local database third, and finally, the enable password. IOS Help will not show me the remaining options since my statement is already at the legal limit.

MLS_1(config)#$ication login default group tacacs+ line local enable ?
  <cr>

Let’s go back to an aaa authentication line with just one method listed.

MLS_1(config)#aaa authentication login default group tacacs+ ?
  cache       Use Cached-group
  enable      Use enable password for authentication.
  group       Use Server-group
  krb5        Use Kerberos 5 authentication.
  line        Use line password for authentication.
  local       Use local username authentication.
  local-case  Use case-sensitive local username authentication.
  none        NO authentication.
  <cr>

In this line, TACACS+ will be the first authentication method used. If the TACACS+ authentication attempt times out or an error is encountered, the next method we choose in this line will be used. If TACACS+ actively refuses the authentication attempt, the second method is not used. That’s the end of the authentication try!

It’s always a good idea to list at least one authentication method that doesn’t require an external device. That way, if the external devices aren’t available, you can still authenticate! The enable password is also a good choice.

You’re likely wondering why the heck “none” is an AAA authentication option. After all, are we doing all this work just to have no authentication? In some cases – yes! Some admins like to use none at the end of their authentication method list, so no authentication is necessary if the external servers are down.

Here’s the most important rule of this entire section. Always leave yourself a back door to get in, and always stay logged in while you test your setup with a separate connection. You don’t want to log out and then find out you can’t log back in!

MLS_1(config)#aaa authentication login default group tacacs+ group radius local

This authentication method list will try our defined TACACS+ server first, then our RADIUS server, and will then use the local username/pw database if those servers are unavailable or return errors.

Finally, apply the authentication method list to the appropriate lines with login authentication. I’ll apply the default list to the switch’s VTY lines.

MLS_1(config)#line vty 0 15
MLS_1(config-line)#login authentication ?
  WORD     Use an authentication list with this name.
  default  Use the default authentication list.

MLS_1(config-line)#login authentication default ?
  <cr>
MLS_1(config-line)#login authentication default

And now… a word to the wise.

Don’t Get Cute

Don’t get cute with passwords. Never set a password that you don’t want to say out loud at a meeting, particularly a meeting with high-ranking sensitive folk. (Didn’t happen to me, but I was there to see it.)

Another time not to get cute is when you’re naming an AAA authentication list. For some reason, admins like to use a word like PASSWORD for the name of the list, resulting in this command:

MLS_1(config)#aaa authentication login PASSWORD group tacacs+ local

That command confuses the uninitiated. When you give something a name on a router or switch, make the name intuitive. At the very least, don’t use a word already in the command! Above all, don’t call it login, tacacs+, radius, or group, because then you end up with one of these:

MLS_1(config)#aaa authentication login login group tacacs+ local
MLS_1(config)#aaa authentication login tacacs+ group tacacs+ local
MLS_1(config)#aaa authentication login radius group tacacs+ local
MLS_1(config)#aaa authentication login group group tacacs+ local

Ugly. Real ugly.

Authorization

While authentication decides whether a given user should be allowed into our network, authorization dictates what users can do once they’re in. aaa authorization creates a user profile that’s checked when a user attempts to use a particular command or service.

As with authentication, we’ll have the option of creating a default list or a named list – and as always, AAA must be enabled with aaa new-model if you haven’t already done so! We did just that in the last lab, along with defining the RADIUS and TACACS+ server IP addresses, so we’ll dive straight into the authorization options.

MLS_1(config)#aaa authorization ?
  auth-proxy           For Authentication Proxy Services
  cache                For AAA cache configuration
  commands             For exec (shell) commands.
  config-commands      For configuration mode commands.
  configuration        For downloading configurations from AAA server
  console              For enabling console authorization
  credential-download  For downloading EAP credential from Local/RAD
  exec                 For starting an exec (shell).
  multicast            For downloading Multicast configurations from server
  network              For network services. (PPP, SLIP, ARAP)
  policy-if            For diameter policy interface application.
  prepaid              For diameter prepaid services.
  radius-proxy         For proxying radius packets
  reverse-access       For reverse access connections
  subscriber-service   For iEdge subscriber services (VPDN etc)
  template             Enable template authorization

MLS_1(config)#aaa authorization exec ?
  WORD     Named authorization list (max 31 characters, longer will be rejected).
  default  The default authorization list.
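Before going on with authorization, here is a way to make the authentication rules above concrete: a timeout or error on a method falls through to the next one, an active refusal ends the attempt, at most four methods are accepted, and a list needs a method that works with no server reachable and a name that is not already a keyword in the command. The following Python model and config lint is an added example, not code from the book or from Cisco; the outcome labels ('accept', 'reject', 'error'), the reserved-name set and the treatment of any method missing from the outcomes as an error are my own assumptions, and the method-list lines it is fed are built from the ones in this section.

```python
"""Model of how IOS walks an 'aaa authentication login' method list,
plus a lint for the mistakes this section warns about. Added example,
not code from the book or from Cisco. Outcome labels ('accept',
'reject', 'error') and the reserved-name set are my own assumptions."""
import re

MAX_METHODS = 4            # IOS stops accepting methods after the fourth
# words that are already keywords in the command; a list with one of these
# names yields lines like 'aaa authentication login login group tacacs+ local'
RESERVED_NAMES = {"login", "group", "tacacs+", "radius", "ldap", "local",
                  "local-case", "enable", "line", "none", "cache", "krb5"}

def parse_method_list(line):
    """'aaa authentication login default group tacacs+ group radius local'
    -> ('default', ['tacacs+', 'radius', 'local'], {'tacacs+', 'radius'})
    The third value is the set of methods reached through 'group', i.e.
    the ones that need a reachable external server."""
    m = re.match(r"aaa authentication login (\S+)\s+(.+)$", line.strip())
    if not m:
        raise ValueError("not an 'aaa authentication login' line: %r" % line)
    name, tokens = m.group(1), m.group(2).split()
    methods, external, i = [], set(), 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):   # 'group <tacacs+|radius|ldap|name>'
            methods.append(tokens[i + 1])
            external.add(tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return name, methods, external

def authenticate(methods, outcomes):
    """Walk the list left to right. outcomes maps a method to 'accept',
    'reject' or 'error' (error also covers a timeout or unreachable server,
    and is assumed for any method missing from outcomes).
    Returns (result, method that produced it)."""
    for method in methods:
        if method == "none":                 # no authentication: always lets the user in
            return "accept", "none"
        outcome = outcomes.get(method, "error")
        if outcome == "accept":
            return "accept", method
        if outcome == "reject":              # active refusal ends the attempt: no fallback
            return "reject", method
        # 'error': fall through to the next method in the list
    return "error", None                     # every method errored: the login fails

def lint_method_list(line):
    """Return a list of findings (empty means the line passes)."""
    name, methods, external = parse_method_list(line)
    findings = []
    if name in RESERVED_NAMES:
        findings.append("list name %r is a keyword in the command; pick an intuitive name" % name)
    if len(methods) > MAX_METHODS:
        findings.append("%d methods listed; IOS accepts at most %d" % (len(methods), MAX_METHODS))
    if not [m for m in methods if m not in external]:
        findings.append("no fallback that works without an external server; add local or enable")
    if "none" in methods:
        findings.append("'none' lets anyone in once the methods before it error out; make sure that is intended")
    return findings

if __name__ == "__main__":
    for line in ("aaa authentication login default group tacacs+ group radius local",
                 "aaa authentication login default group tacacs+ group radius",
                 "aaa authentication login login group tacacs+ local"):
        print(line, "->", lint_method_list(line) or "ok")
```

The lint is meant to run over a saved configuration before it is pushed: a list that fails the fallback check is exactly the one that locks you out when the servers are down, which is why the text insists on testing from a second session.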

If you’re dealing with PPP (or ARAP or SLIP for that matter), go with the network option. Watch the commands and config-commands options, though – the first means the user must be authorized to run any commands, while the second limits authorization to the use of configuration commands.

Frankly, I could write a whole book solely on the many different aaa authorization combinations, so we’re not going to walk through every single one, but I do want to show you a sample command on the switch.

MLS_1(config)#aaa authorization exec default ?
  cache             Use Cached-group
  group             Use server-group.
  if-authenticated  Succeed if user has authenticated.
  krb5-instance     Use Kerberos instance privilege maps.
  local             Use local database.
  none              No authorization (always succeeds).

Also note the if-authenticated option. If the user’s already authenticated, that method will (obviously) consider the user authorized.

MLS_1(config)#aaa authorization exec default group tacacs+ local

Apply the authorization list to the appropriate lines with authorization.

MLS_1(config)#line vty 0 15
MLS_1(config-line)#authorization ?
  arap            For Appletalk Remote Access Protocol
  commands        For exec (shell) commands
  exec            For starting an exec (shell)
  reverse-access  For reverse telnet connections

MLS_1(config-line)#authorization commands ?
  <0-15>  Enable level

MLS_1(config-line)#authorization exec ?
  WORD     Use an authorization list with this name
  default  Use the default authorization list

MLS_1(config-line)#authorization exec default

Accounting

Authentication decides who gets in and who doesn’t, authorization decides what users can do once they get in, and accounting tracks the resources used by that user. This tracking can be for security purposes (detecting users doing things they shouldn’t be doing!) or for tracking network usage in order to bill other departments in your company. Naturally, AAA must be enabled before proceeding with accounting.

We’re not going to spend much time on accounting, but let’s have a look at the options.

MLS_1(config)#aaa accounting commands ?
  <0-15>  Enable level

MLS_1(config)#aaa accounting commands 1 ?
  WORD     Named Accounting list (max 31 characters, longer will be rejected).
  default  The default accounting list.

MLS_1(config)#aaa accounting commands 1 default ?
  none        No accounting.
  start-stop  Record start and stop without waiting
  stop-only   Record stop when service terminates.

MLS_1(config)#aaa accounting commands 1 default start-stop ?
  broadcast  Use Broadcast for Accounting
  group      Use Server-group
  <cr>

This line would give us info on users who use commands while in privilege level 1, both when they start and stop. Getting that same info for privilege level 15 would be easy enough – just replace the “1” with “15”.
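Accounting records only catch “users doing things they shouldn’t be doing” if somebody reads them. As an added example (not from the book, and not the log format of any particular TACACS+ server), here is a Python pass over command accounting records of the kind a start-stop commands line like the one being built here produces on the server: it flags commands that change who can log in or that blind the audit trail, and it lists start records that never got a matching stop. The record layout, the NAS addresses 10.1.1.20 and 10.1.1.21, the timestamps and the commands are all constructed; the usernames are the ones from the username commands earlier in this section.

```python
"""Detection pass over TACACS+ command accounting records.
Added example, not from the book. The record layout is a constructed,
simplified one (each TACACS+ server has its own log format); NAS
addresses, timestamps and commands are made up."""
import re
from collections import defaultdict

# constructed sample: one accounting record per line, start and stop
SAMPLE_RECORDS = """\
2015-03-26T06:55:02 user=bruno nas=10.1.1.20 priv=15 kind=start cmd="configure terminal"
2015-03-26T06:55:02 user=bruno nas=10.1.1.20 priv=15 kind=stop cmd="configure terminal"
2015-03-26T06:55:10 user=bruno nas=10.1.1.20 priv=15 kind=start cmd="no aaa authentication login default group tacacs+ local"
2015-03-26T06:55:10 user=bruno nas=10.1.1.20 priv=15 kind=stop cmd="no aaa authentication login default group tacacs+ local"
2015-03-26T06:57:41 user=thesz nas=10.1.1.20 priv=1 kind=start cmd="show ip interface brief"
2015-03-26T06:57:41 user=thesz nas=10.1.1.20 priv=1 kind=stop cmd="show ip interface brief"
2015-03-26T07:01:05 user=gagne nas=10.1.1.21 priv=15 kind=start cmd="username tempadmin privilege 15 secret Cisco123"
"""

# command prefixes that change who can get in, or that blind the audit trail
SENSITIVE = ("no aaa", "aaa ", "username", "enable secret", "enable password",
             "no logging", "tacacs-server", "radius-server", "line vty")

RECORD_RE = re.compile(
    r'(?P<ts>\S+) user=(?P<user>\S+) nas=(?P<nas>\S+) priv=(?P<priv>\d+) '
    r'kind=(?P<kind>start|stop) cmd="(?P<cmd>[^"]*)"')

def parse_records(text):
    """Turn the text into a list of dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["priv"] = int(rec["priv"])
            records.append(rec)
    return records

def analyze(records):
    """Return (alerts, unfinished).

    alerts:     one line per start record whose command begins with a
                SENSITIVE prefix.
    unfinished: (user, nas, cmd) keys that have a start record but no
                matching stop; with start-stop accounting that usually
                means the session was cut off mid-command."""
    alerts, open_cmds = [], defaultdict(list)
    for r in records:
        key = (r["user"], r["nas"], r["cmd"])
        if r["kind"] == "start":
            open_cmds[key].append(r["ts"])
            if r["cmd"].startswith(SENSITIVE):
                alerts.append("%s %s@%s priv %d ran: %s"
                              % (r["ts"], r["user"], r["nas"], r["priv"], r["cmd"]))
        elif open_cmds[key]:
            open_cmds[key].pop()
    unfinished = [key for key, starts in open_cmds.items() if starts]
    return alerts, unfinished

if __name__ == "__main__":
    found, pending = analyze(parse_records(SAMPLE_RECORDS))
    for line in found:
        print("ALERT", line)
    for key in pending:
        print("NO STOP RECORD", key)
```

The prefix list is deliberately short; in practice you would extend it with whatever your change-control process says nobody types by hand on a switch, and you would feed the function the server’s real log lines after adjusting the regular expression to its format.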

MLS_1(config)#aaa accounting commands 1 default start-stop group ?
  WORD     Server-group name
  tacacs+  Use list of all Tacacs+ hosts.

MLS_1(config)#aaa accounting commands 1 default start-stop group tacacs+ ?
  group  Use Server-group
  <cr>

MLS_1(config)#aaa accounting commands 1 default start-stop group tacacs+

AAA supports six different accounting formats:

Commands: Information regarding EXEC mode commands issued by a user.
Connection: Information regarding all outbound connections made from a network access server.
EXEC: Information about user EXEC terminal sessions.
Network: Info on all PPP, ARAP, and SLIP sessions.
Resource: Info regarding start and stop records for calls passing authentication, and stop records for calls that fail authentication.
System: Non-user-related system-level events.

Chapter 11: NETWORK DESIGN AND MODELS

Blunt as always: This isn’t the most exciting material in the course. Having said that, it is very important material, so grab some caffeine and let’s dive right in!

During your CCNA studies, your only responsibilities concerning the Cisco 3-Layer Hierarchical Model were memorizing the layers and their location. The stakes are raised in your CCNP studies, as we need to know what should and should not occur at each layer. We’ll start this section with a review of the model, and then delve into each layer in detail.

The Core Layer

The core layer is the backbone of our entire network, and should be used as such. This is the nerve center of your entire network, so fault tolerance should be at the highest level possible. We always want redundancy, but we want a lot of redundancy in the core layer.

Switches at the core layer allow distribution-layer switches to communicate, so we’re interested in high-speed data transfer, very low latency, and that’s it! Core layer switches are generally the most powerful in your network, capable of higher throughput than switches found at the other layers. Today’s core switches are generally the multilayer switches we’ve worked with throughout this course.

As you know, everything we do on a Cisco router or switch takes away from overall switch resources, and switching alone is more than a full-time job! It’s vital that we keep extra, non-switching features off the core layer and let these switches do what they do best – switch. With networking though, you know there’s an exception to that rule, and that exception is Quality of Service (QoS). Advanced QoS is generally performed at the core layer. Leave your ACLs and other traffic filtering methods for other layers of this model.

The Distribution Layer

Not all the work is done at the core layer! The demands on distribution-level switches are very high, so not only do the distribution-level switches need high-speed ports and links, they have to have quite a few in order to connect to both the access and core-layer switches. Distribution-layer switches must be able to handle redundancy for all links.

When multilayer switches are in use, routing should take place at the distribution layer. The access layer’s too busy with end users to handle routing, and we want the core layer to be concerned strictly with switching, so we’ll leave most frame manipulation and filtering to other layers. The distribution layer also serves as a boundary for broadcasts and multicasts sent by access-layer devices. While QoS is configured at the core layer when possible, you’ll find it in the distribution layer as well.

The Access Layer

Here’s where the end users communicate with the network! VLAN membership, traffic filtering, and some basic QoS features all run here. Collision domains are found at the access layer, and MAC address filtering can be performed here as well. (MAC filtering is a pain to configure, and hopefully there are other ways to get the job done that you need done.) The access-layer switches will have their uplinks connecting to our distribution-level switches. Redundancy is important at this layer (of course! It’s important everywhere!).

A good rule of thumb for access-layer switches is “low cost, high switchport-to-user ratio”. Today’s sufficient port density is tomorrow’s “Where the $%)$ am I gonna plug this user in?” I kid you not. A 12-port switch might be fine for your needs at present, but a month from now you’ll wish you had bought a larger switch with more ports. It’s a lot easier to get everything you need when you’re buying than to go back and try to add it later, and you must plan for future network growth. Be sure to examine your network’s requirements and review the documentation on switch models carefully before making your purchase. Examine your network topology closely and check vendor documentation before making purchasing decisions.

The Enterprise Composite Network Model

Before we dive into this topic, I want to remind you that network models are guidelines. That’s particularly true of the Enterprise Composite Network Model, a very popular model used to design campus networks. (A campus network is basically a series of LANs interconnected via a network backbone.)

The Enterprise Composite Network Model has three main parts:

The Enterprise Campus
The Enterprise Edge
The Service Provider Edge

In turn, the Enterprise Campus consists of these modules:

Campus Infrastructure
Server Farm
Network Management
Enterprise Edge (yes, again)

In turn again, the Campus Infrastructure model consists of these modules:

Building Access (access-layer devices)
Building Distribution (distribution-layer devices)
Campus Backbone (interconnects multiple Distribution modules)

These models are strictly guidelines. Helpful guidelines, but guidelines nonetheless. As you’d expect, there’s no one right way to design an enterprise network. The number of LANs involved, the physical layout of the buildings as a unit and individually – these are just two important factors involved.

Switch blocks are units of access-layer and distribution-layer devices. These layers contain both the traditional L2 switches (found at the access layer) and multilayer switches, typically found in the distribution layer. Devices in a switch block work together to bring network access to a unit of the network, such as a single building on a college campus or business park.

Core blocks naturally consist of our high-powered core switches, and these core blocks allow the switch blocks to communicate. This is a tremendous responsibility, and it’s the major reason I continue to mention that the access and distribution layers should handle many of the network services, leaving the core switches free to use all their resources to switch.

Let’s take a look at a typical campus network and see how these block types work together.

Our access- and distribution-layer switches are both found in this model’s Switch Block. The Core Block serves as the campus backbone, allowing switches in one Switch Block to communicate with switches in the other Switch Block. All four distribution-layer switches have connections to both switches in the Core Block, giving us as much redundancy as this topology can offer. We love this setup, especially the dual core. If one of the core switches goes down, we still have total connectivity.

Reality does rear its ugly head on occasion, and that occasion may be not having the money to afford a setup like this. Smaller networks (and admins on a tight budget!) can use a collapsed core setup, where certain switches will perform as both Switch Block and Core Block switches. In a collapsed core, there is no dedicated core switch.

The four multilayer switches are working as both core-layer and distribution-layer switches. Note that each of the access switches has redundant uplinks to both distribution/core switches in its switch block. The combination of access, distribution, and core layers shown here is sometimes called the Campus Infrastructure.

This is a relatively small campus network, but you already have a good idea of the sheer workload the core switches will be handling. Our core switches have even more work to do, and we’re not quite done yet.

In a campus network, the server farm block is a separate switch block, complete with access and distribution-layer switches. The distribution-layer switches again have redundant connections to the core switches. There are times when we’ve wanted to throw a server or two (or twelve) straight out the window, but we’re not going to have much of a network without them.

In today’s world, network management tools are a necessity. AAA servers, syslog servers, intruder detection tools, and network monitoring tools are found in almost every campus network today. All of these devices can be placed in a switch block of their own, the network management block.

Two blocks will team up to bring our users that all-important internet connectivity – the Enterprise Edge Block and the Service Provider Edge Block.

The Enterprise Edge Block is naturally found at the edge of the campus network, and this block of routers and switches brings WAN connectivity to the rest of the campus network. This level of access is more of a necessity than a luxury today.

While the Service Provider Edge Block is considered part of the campus network model, we have no control over the actual structure of the block. And frankly, we don’t care! The key is that this block borders the Enterprise Edge Block, and it’s the final piece of the Internet connectivity puzzle for our campus network.

With all the lines leading to the core switches, it’s easy to see why we want to dedicate as much of the switches’ capabilities to pure switching – the workload is huge!

End-to-End And Local VLANs

“Oh no, not more VLANs!” Hey, I hear you, but these two VLAN types do fit in with our design chat. Let’s spend a few minutes with each type…

As you’d expect from the name, end-to-end VLANs span the entire network. A user is assigned to a single VLAN, and that VLAN will remain the same no matter where the user is. The physical location of the user doesn’t matter in ETE VLANs, but users are grouped by location in Local VLANs. ETE VLANs must be accessible on every access-layer switch in order to accommodate mobile users.

ETE VLANs should be designed with the 80/20 rule in mind, where 80% of the local traffic stays within the local area, and the other 20% will traverse the network core en route to a non-local destination.

ETE VLANs can come in handy as a security tool, or when the hosts have similar resource requirements – for example, if you had certain hosts across the network that needed access to a particular network resource, but you didn’t want your other hosts to even know of the existence of that resource.

The very nature of an end-to-end VLAN and the fact that it spans the entire network makes working with one a challenge. Many of today’s networks don’t lend themselves well to this type of VLAN. The following network diagram is very simple, but even this network would be difficult to configure with ETE VLANs when the hosts need Internet connectivity or Cloud access, so 80/20 traffic patterns are becoming increasingly rare.

Local VLANs use the 20/80 rule, assuming that 20% of traffic is local in scope and the other 80% will cross the network core.

Well, that’s it! The end of the book! Thanks for reading, and I wish you all the best on your CCNP SWITCH exam and in your future studies.

Chris B.
