You are on page 1of 111

BCMSN

Building Cisco Multilayer Switched Networks

Cisco CCNP

© Train Signal, Inc., 2002-2007

Welcome To Your BCMSN Video Boot Camp!
Topics: • LAN Switching Basics • Virtual LANs (VLANs) • VLAN Trunking Protocol (VTP) • Spanning Tree Protocol (STP) • Advanced Spanning Tree Protocol Features • Etherchannels • Securing Switches • Multilayer Switching • IP Telephony & Cisco IP Phones • Wireless Networking • Network Design and Models • Queueing (Bonus Video)
© Train Signal, Inc., 2002-2007

Your Instructor:
• • • • Chris Bryant, CCIE #12933 Earned my CCIE on February 26, 2004 Founded The Bryant Advantage in June of that year My Video Boot Camps and other study materials place an emphasis on clearly explained theory and plenty of work on REAL CISCO routers and switches • Real Education + Real Equipment = Real CCNAs and CCNPs • A+, Network+, Security+, and Microsoft Vista Certification tutorials and study tools • Visit the website: www.thebryantadvantage.com
© Train Signal, Inc., 2002-2007

PDF Created with deskPDF PDF Writer - Trial :: http://www.docudesk.com

1

Exam Prep Tips: • Take your time and master the material. • Get some hands-on work with the BCMSN-level protocols. • Do not practice debugs on a production network at any time. • Get plenty of rest the day before exam. By that time, the die is cast. • Don't cram for the exam. Prepare.
© Train Signal, Inc., 2002-2007

LAN Switching Basics

• • • •

Ethernet, Fast Ethernet, Gig Ethernet Quick cabling overview Basic Switch Operation Filenames and autorecovery

© Train Signal, Inc., 2002-2007

Ethernet
• Good old "basic" Ethernet is based on IEEE 802.3, and offers a bandwidth of 10 MB to end users. The more users there are on an Ethernet segment, the higher the chance of collisions, which render signals sent by the hosts to an unusable state. When the hosts are connected to their own individual switch ports, they will each get a dedicated 10 MB and the chance of collisions is eliminated. Each port on a switch is its own collision domain. • Ethernet uses UTP cabling (Unshielded Twisted Pair), and this cable type has a length limit of 100 meters. Referring to the Cisco three-layer networking model, Ethernet is generally going to be found at the access layer, connecting end users to the network.
© Train Signal, Inc., 2002-2007

PDF Created with deskPDF PDF Writer - Trial :: http://www.docudesk.com

2

Fast Ethernet – Part 1
• Fast Ethernet is defined in IEEE 802.3u, and operates at 100 MB. FE can use UTP or fiber-optic wiring. When full-duplex FE is in operation, the effective bandwidth is 200 MBPS, since FE ports can send and receive at the same time. • You'll see "10/100" ports on many switches. This means that the port will work with an Ethernet or Fast Ethernet connection, and the port speed can be negotiated between the switch and the connected device. To allow this negotiation, both end devices should be set for "auto", short for autonegotiation. And as you know, if you're connecting a server, router, or workstation to a switch, you'll need a straight-through cable.
© Train Signal, Inc., 2002-2007

Fast Ethernet – Part 2
• Fast Ethernet ports can also be used to create a Fast EtherChannel. An Etherchannel, or EC, is a logical bundling of physical connections between switches. A Fast EC can bundle up to eight physical connections, resulting in throughput of up to 1600 MBPS! • As with Ethernet, Fast Ethernet connections can connect end users to the access-layer switches. FE ports can also be used to form a trunk between the access and distributionlayer switches, but hopefully we've got some Gigabit Ethernet ports to handle that.

© Train Signal, Inc., 2002-2007

Gigabit Ethernet
• The next logical step is Gigabit Ethernet, often referred to as "Gig Ethernet". Gig Ethernet will support speeds up to 1000 MBPS, or 1 Gigabit Per Second (GBPS). • The cabling you use with your Gig Ethernet ports is going to vary widely. The necessary cable is determined by the Gigabit Ethernet standard in use on your particular switch. Some of the more common cable types to use with Gigabit Ethernet are Shielded Twisted-Pair (STP), Multimode Fiber (MMF) cable with either a 50- or 62.5 micron core, and Single-Mode Fiber (SMF) with an 8-, 9-, or 50-micron core. • Make sure to check your switch's documentation before you start buying cables!
© Train Signal, Inc., 2002-2007

PDF Created with deskPDF PDF Writer - Trial :: http://www.docudesk.com

3

. Many laptops no longer have a DB9 port. you'll also need a transceiver for the router. 2002-2007 A Quick Cable Review • To connect your PC to the console port of a switch. © Train Signal. Inc. you'll need a crossover cable. you must have a rollover cable.com 4 . • To connect two switches. PC. the less bandwidth that's available.Trial :: http://www. 10Gig Ethernet will only work on fiber-optic and in full-duplex mode.10 Gigabit Ethernet • Often referred to in documentation as 10GbE. Inc.docudesk.. Check your PC in advance to make sure you don't need an adapter for the rollover cable. The transceiver connects to the router and the cable connects to the transceiver. © Train Signal. or server to a switch. The available speed is dependent on the cable length . you'll need a straight-through cable. (That's the only way all that speed can be used!) © Train Signal. 2002-2007 Long Range Ethernet • No. The preexisting wiring is usually going to be the phone wires.the longer the wire. • To connect a router. 2002-2007 PDF Created with deskPDF PDF Writer . If the router has an AUI port. Inc.. LRE isn't faster than 10 Gig Ethernet! LRE can use preexisting wiring to provide Ethernet service to a building that might not otherwise have it.

docudesk. © Train Signal. to forward or filter frames as needed. the switch checks its MAC table to see if there's an entry for that address.. Inc. This frame will be flooded it will be sent out every switch port except the one it came in on. is a module that fits into a Gig Ethernet port. Inc. the switch adds that address to its MAC table along with the port used to reach that address. 2002-2007 Destination MAC – Part 1 • The switch will then check its MAC table for the destination MAC. pronounced "geebic".com 5 . These modules are hot-swappable for easier migration to a new media type. – The destination MAC is a unicast and there is an entry for the address in the MAC table. There are four possibilities for that destination MAC: – The destination MAC is a unicast and there is no entry for the address in the MAC table..What's A "Geebic"? • A GBIC.Trial :: http://www. In this case. The switch does this by examining the source MAC address before deciding how to get the frame to the destination MAC address. When a switch is first powered on. 2002-2007 PDF Created with deskPDF PDF Writer . • When a switch examines the source MAC of a frame. the frame will be sent out only the port leading to the host with the proper destination MAC. © Train Signal. While a MAC table can be populated with static MAC entries. Inc. it's more efficient to have the switch learn the addresses dynamically. If not. its MAC address table is empty. more commonly referred to as MAC addresses. 2002-2007 MAC Table • A switch uses Layer 2 addresses. © Train Signal..

EA1. ever wonder what a Cisco filename means? Look at the IOS image filename on the switch we've been using in this section: • c2950-i6q4l2-mz. AND the source and destination address are found off the same port. © Train Signal.bin • Believe it or not. 2002-2007 Content Addressable Memory Table • The official terminology for the MAC table is the CAM table.. – The destination MAC is a broadcast or multicast. remember that you can use this method to do so with any IOS filename. that mix of numbers and letters actually means something. Depending on who you talk to. There is a standard for IOS filenames.Trial :: http://www. so as we decipher this filename. 2002-2007 Cisco Filename – Part 1 • Speaking of which.. or Content Addressable Memory table. but they're all the same thing.docudesk.121-19.This one's easy. Inc. Inc.. and there is an entry for the address in the MAC table.. 2002-2007 PDF Created with deskPDF PDF Writer . © Train Signal.it will not be forwarded at all by the switch.Destination MAC – Part 2 – The destination MAC is a unicast. in which case the frame will be sent out every port except the one it was received upon. © Train Signal.com 6 . This frame will be filtered . you'll hear this table called… – the MAC address table – the CAM table – the bridging table • . Inc. • c2950 .. since we're working on a Catalyst 2950 switch.

12.Cisco Filename – Part 2 • i6q4l2 .Trial :: http://www. Inc.EA1 . as you'd suspect. the z indicates a zip-compressed image.. 2002-2007 PDF Created with deskPDF PDF Writer .The m indicates that the image is running in RAM. By default. though. a port in errdisabled state has to be manually reopened. © Train Signal. The i at the beginning of this feature set description indicates a switch running an IP feature set.bin indicates that the image file is a binary executable. a green LED indicates an active port. Before doing so. under certain circumstances such as a violation of port security.com 7 .The 121 indicates the major IOS release version. We'll use the "all" option here to allow the port to autorecover from any err-disabled state. in this case the first one ("A"). • 121-19.docudesk. 2002-2007 Autorecovery From An Err-Disabled State • A switch port will be placed into error-disabled state.This part describes the switch's feature set. and this can be configured with the errdisable recovery interval command..) • You may have a situation where you want the port to reenable itself after a certain period of time. Inc.1.. (The port LED will go out as well. © Train Signal. The 19 is the maintenance release. 2002-2007 Virtual LANs (VLANs) • • • • • • • • • • • Why use VLANs Static and Dynamic VLANs Trunking ISL and Dot1q Troubleshooting Trunks The Native VLAN Dynamic Trunking Protocolynamic Trunking Protocol Trunking Modes VLAN Database Mode Design Guidelines End-to-end and Local VLANs © Train Signal. and finally the . referred to on the switch as err-disabled. Inc. A indicates the interim build level. The 1 indicates the first build of that level. • mz . The E indicates an Early Deployment of features. you must define the causes from which the port can recover automatically.

© Train Signal. Inc.. Inc.. The physical location of the hosts does not matter. Unless you then make them known to the rest of the network via router-on-a-stick or a Layer 3 switch.Trial :: http://www. that switch will forward that broadcast only via ports that are in the same VLAN. these hosts will not be known or reachable by hosts in other VLANs.docudesk. and this is a best practice that works very well in the real world.com 8 . If you have a network segment with hosts whose very existence should not be known by the rest of the network. • By creating VLANs. Inc. 2002-2007 PDF Created with deskPDF PDF Writer . When a switch receives a broadcast packet from a host in one particular VLAN. © Train Signal. • Cisco's best practice is to have one VLAN per IP subnet. 2002-2007 Reasons for VLANs – Part 2 • We can use Virtual LANs (VLANs) to restrict broadcasts by creating logical groups of hosts.. One of the first switching concepts you learned was that a switch that receives a broadcast will forward it out every other port on the switch except the one that it was originally received on. you create multiple broadcast domains while also lowering the number of multicasts sent throughout the network. © Train Signal. because these are virtual local area networks. 2002-2007 Reasons for VLANs – Part 3 • There's one more reason that may lead you to create VLANs. just put these hosts into their own VLAN.Reasons for VLANs – Part 1 • The most common reason for creating VLANs is to prevent the excess traffic caused by a switch's default behavior when it receives a broadcast.

but there are two commands needed to do so.Trial :: http://www. these ports are running in dynamic desirable trunking mode. but as a CCNP you need to know the basics of VMPS .) © Train Signal. 2002-2007 Speed and Duplex Settings • What if Hosts 1 and 2 still couldn't ping each other. First. even though they're obviously in the same subnet and the same VLAN? There are two places you should look that might not occur to you right away.docudesk. check the MAC table on the switch and make sure the hosts in question have an entry in the table to begin with. (Yet another reason that the first value a switch looks at on an incoming frame is the source MAC address. Inc. The problem is that a trunk port belongs to all VLANs by default. By default.. Inc. The configuration of dynamic VLANs is far out of the scope of the BCMSN exam.com 9 . meaning that the port is actively attempting to form a trunk with a remote switch. you have to change the configuration of the switch to reflect these changes.. Using VMPS results in these changes being performed dynamically. and we want to put this port into a single VLAN only.a VLAN Membership Policy Server. because the port's VLAN membership is decided by the source MAC address of the device connected to that port.Static VLAN • It's easy to put a port into a static VLAN. 2002-2007 VLAN Membership Policy Server – Part 1 • If we have "static VLANs". check speed and duplex settings on the switch ports.. 2002-2007 PDF Created with deskPDF PDF Writer . • When you move a user from one port to another using static VLANs. Inc. © Train Signal. Second. it follows that there is such a thing as a "dynamic VLAN". © Train Signal.

docudesk. • When dynamic VLANs are in use. PortFast is enabled by default when a port receives a dynamic VLAN assignment. • Again. and that downloading occurs every time you power cycle the VMPS server.. the port number isn't important . With VMPS. © Train Signal. © Train Signal. and the VMPS would dynamically place that port into VLAN 12. but keep in mind that PortFast will run on a dynamic VLAN port by default. PortFast is automatically enabled for that port! There's no problem with PortFast being turned off on that port if you feel it necessary. Trunking must be disabled to make a port a dynamic port. Inc. Inc. • Trunking ports cannot be made dynamic ports. • What if we had to move Host 1's connection to the switch to port 0/6? With static VLANs. 2002-2007 VLAN Membership Policy Server – Part 3 • An interesting default of VMPS is that when a port receives a dynamic VLAN assignment.. we'd have to connect to the switch. 2002-2007 Some things to watch out for when configuring VMPS: • The VMPS server has to be configured before configuring the ports as dynamic. • VMPS uses UDP to listen to client requests. Inc.the MAC address of the host connected to the port is the deciding factor regarding VLAN membership. and then place the port into VLAN 12. configure the port as an access port. © Train Signal. the only thing we'd have to do is reconnect the cable to port 0/6.com 10 . that feature must be turned off before configuring a port as dynamic. • If a port is configured with port security.Trial :: http://www. 2002-2007 PDF Created with deskPDF PDF Writer . since by definition trunking ports must belong to all VLANs.VLAN Membership Policy Server – Part 2 • VMPS uses a TFTP server to help in this dynamic port assignment scheme.. A database on the TFTP server that maps source MAC addresses to VLANs is downloaded to the VMPS server.

Trial :: http://www. ISL will place both a header and trailer onto the frame.and I can practically guarantee your BCMSN exam just might discuss these encap types! Let's take a detailed look at each right now. and another drawback to ISL is that ISL does not use the concept of the native VLAN. that switch will examine this ID and then forward the frame appropriately. the duplex setting. so traffic for any and all VLANs can travel across this trunk.Trunk – Part 1 • A trunk is a point-to-point connection between two physically connected switches that allows traffic to flow between the switches.. That's one drawback. • The 26-byte header that is added to the frame by ISL contains the VLAN ID. When the frame arrives at the remote switch. © Train Signal. 2002-2007 PDF Created with deskPDF PDF Writer . This increases the overhead on the trunk line. encapsulating it. That includes broadcast traffic! • How does the receiving switch know what VLAN the frame belongs to? The frames are tagged by the transmitting switch with a VLAN ID.1q . This means that every single frame transmitted across the trunk will be encapsulated. the ports must agree on the speed. 2002-2007 ISL – Part 1 • ISL is Cisco-proprietary. and the encapsulation type. so let's review those before we examine a third trunking protocol that you didn't learn during your CCNA studies. reflecting the number of the VLAN whose member ports should receive this frame. • By default. but there are others. © Train Signal. © Train Signal. a trunk port is a member of all VLANs. 2002-2007 Trunk – Part 2 • You may have had a CCNA flashback when I mentioned "dot1q"! There were quite a few differences between the trunking protocols ISL and dot1q. Inc. • For a trunk to form successfully. • You know that the default VLAN is also known as the "native VLAN".docudesk. The CRC is a frame validity scheme that checks the frame's integrity.. regardless of the VLAN the traffic is destined for. the 4-byte trailer contains a Cyclic Redundancy Check (CRC) value. Inc. Many Cisco switches offer the choice of ISL and IEEE 802.com 11 . making it unsuitable for a multivendor environment. Inc..

(The maximum size for an Ethernet frame is 1518 bytes. Inc.) • For that reason. 2002-2007 Dot1q – Part 1 • In contrast. You'll occasionally hear this referred to as internal tagging. © Train Signal. 2002-2007 Dot1q – Part 2 • Other dot1q facts you should be familiar with: – Dot1q actually embeds the tagging information into the frame itself. When the remote port receives an untagged frame. If the frame is destined for hosts residing in the native VLAN.com 12 .. A 4-byte header is added to the frame. the switch knows that these untagged frames are destined for the native VLAN. • Since the dot1q header is only 4 bytes in size.Trial :: http://www..ISL – Part 2 • In turn. even that small header isn't added. ISL encapsulation adds 30 bytes total to the size of the frame. resulting in less overhead than ISL and resulting in a maximum frame size of 1522 bytes. dot1q does not encapsulate frames. using dot1q lessens the chance of oversized frames. the remote partner will consider the ISLencapsulated frames as giants. – Dot1q is the "open standard" or "industry standard" trunking protocol and is suitable for a multivendor environment. Inc.docudesk. – Dot1q does not change the destination MAC address in any way. Inc. 2002-2007 PDF Created with deskPDF PDF Writer . potentially making them too large for the switch to handle.. this encapsulation leads to another potential issue. Frames larger than that are called giants. © Train Signal. and isn't even placed on every frame. if one trunking switch is using ISL and its remote partner is not. © Train Signal.

because they don't use the native VLAN to begin with..Point-to-point Protocols • Believe it or not. Inc.just like ISDN. ISL and dot1q actually have something in common! They're both considered point-to-point protocols.Trial :: http://www.. © Train Signal. make sure the port you want to trunk is a Layer 2 port by configuring the interface-level command switchport on it.. runts are frames less than 64 bytes in size. While giants are too large to be successfully transmitted. Check the documentation for your switch to see if this is the case for your model. – If you're working on a multilayer switch (also called a "Layer 3 switch"). but thanks to IEEE 802. Inc. they're case-sensitive.make sure to have them straight: • ISL: 4-byte trailer (with CRC value) • dot1q: 4-byte header inserted into the frame © Train Signal. ISL switches don't care about the native VLAN setting. – You can configure a 10. – Giants are frames that are larger than 1518 bytes. and that's it . Some Catalyst switches have Cisco-proprietary hardware that allows them to handle the larger frames. (The opposite of a giant is a runt. the port speed and port duplex setting should be the same on the two trunking ports. and I've bumped into quite a few "gotchas" that you might not think to look at in a production network. © Train Signal. since by definition a trunk only has two endpoints. • Also notice that there's a 4-byte addition in both ISL and dot1q .docudesk. 2002-2007 Gotchas – Part 1 • I've created a lot of trunks over the years.watch those domain names. Inc. 2002-2007 PDF Created with deskPDF PDF Writer . the maximum frame length can be extended to 1522 bytes. 2002-2007 Gotchas – Part 2 – Dot1q does add 4 bytes to the frame. – For trunks to work properly. – Changing the native VLAN on one switch does not dynamically change the native VLAN on a remote trunking partner. 100.3ac. or 1000 MBPS interface as a trunk.) – Both switches must be in the same VTP domain .com 13 . and these can occur on ISL since they add 30 bytes to the frame.

. negotiate.docudesk. • Changing the native VLAN on one switch in a trunk does not automatically change it for the other switch! © Train Signal. Inc. and there aren't any. The trunk ports will then negotiate between ISL and dot1q. if you use IOS Help to display your switch's encapsulation choices. use the switchport trunk encapsulation command. • The native vlan can be changed with the switchport trunk native vlan command. 2002-2007 PDF Created with deskPDF PDF Writer . regardless of whether it once was a trunk port. 2002-2007 switchport trunk encapsulation command – Part 2 • Notice that there's a third option. • By the way. but you should be prepared for an error message very quickly after configuring it on one side of the trunk. Inc. Rack1SW1(config-if)#switchport trunk encapsulation ? dot1q Interface uses only 802. We'll change the native vlan setting on fast 0/11 on one side of an existing trunk and see what happens. ISL will be selected.com 14 . 2002-2007 switchport trunk encapsulation command – Part 1 • To manually configure a trunk port to run ISL or dot1q. the native VLAN is VLAN 1. Inc.Native VLAN • By default. If the negotiating ports support both protocols.1q trunking encapsulation when trunking isl Interface uses only ISL trunking encapsulation when trunking negotiate Device will negotiate trunking encapsulation with peer on interface © Train Signal. The native VLAN is the VLAN the port will belong to when it is not trunking. that's a pretty good sign that your switch supports only dot1q! SW1(config)#interface fast 0/11 SW1(config-if)#switchport trunk encapsulation ? % Unrecognized command © Train Signal...Trial :: http://www. and naturally it must be a protocol that both ports support.

. a trunk line will form. Also.docudesk. but will accept negotiation begun by the remote switch. dynamic desirable. As long as the remote trunk port is configured as dynamic desirable or trunk. © Train Signal. Since this port cannot negotiate. but there is a cost in overhead . but there's a third trunking protocol involved as well. This sounds great. but as you see below. The Ciscoproprietary Dynamic Trunking Protocol actively attempts to negotiate a trunk line with the remote switch. Turning off DTP when you place a port in trunk mode is a great idea. Inc.com 15 . If the local switch port is running dynamic desirable and the remote switch port is running in trunk. a trunk will form in less than 10 seconds with no additional configuration needed. it's standard procedure to place the remote port in trunk mode. • DTP can be turned off at the interface level with the switchport nonegotiate command. 2002-2007 Dynamic auto mode • Dynamic auto is the "oddball" trunking mode.there's no need to send DTP frames. because there's no use in sending negotiation frames every 30 seconds if no negotiation is necessary! • Dynamic desirable is the default setting for most Cisco switch ports today. Inc.a firewall. Inc. a trunk will form. © Train Signal. you cannot turn DTP off until the port is no longer in dynamic desirable trunking mode. 2002-2007 PDF Created with deskPDF PDF Writer . • If you decide to configure a port as a non-negotiable trunk port.Dynamic Trunking Protocol • You learned about ISL and dot1q in your CCNA studies.if they're both in dynamic auto mode. or dynamic auto.. • It's important to note that this setting does not have to match between two potential trunk ports. • Is there a chance that two ports that are both in one of these three modes will not successfully form a trunk? Yes . for example . there's no need for the port to send DTP frames.Trial :: http://www.. One port could be in dynamic desirable and the other in trunk mode. This is because a port in dynamic desirable mode is sending and responding to DTP frames.this port is in unconditional trunk mode and cannot be an access port. if there's a device on the other end of the line that can't trunk at all . 2002-2007 Trunk mode • Trunk mode means just that .DTP frames are transmitted every 30 seconds. and the trunk would come up. • If you connect two 2950s with a crossover cable. © Train Signal. A port configured as dynamic auto (often called simply "auto") will not actively negotiate a trunk.

though.which of course means that your changes aren't saved! It's always a good idea to know how to do something more than one way in Ciscoland. © Train Signal.com 16 . 2002-2007 Snowflakes – Part 1 • Learning to design anything from a class or study guide can be frustrating. because it's very easy to save your changes incorrectly . You need to know about the following VLAN design types for both the exam and the real world.. What works well for "Network A" may be inefficient for "Network B".. Inc.Naming VLANs • You can give your VLAN a more intuitive name with the name command. 2002-2007 PDF Created with deskPDF PDF Writer . no two networks are alike. © Train Signal.Trial :: http://www. • In my BSCI Study Guide's discussion of Cisco's Three-Layer Hierarchical Networking Model. because like snowflakes.docudesk. Inc. 2002-2007 VLAN database mode • You'll notice that all of the configurations in this study guide use the CLI commands to configure VLANs.switch! © Train Signal. and that's using VLAN database mode. You enter this mode by typing vlan database at the command prompt. so let's take a look at this mode. • I personally don't like using this mode. Inc. I mention that it's important to let the Distribution layer handle the "little things" in order to allow the core switches to do what they do best .. There is a second way to do so. but as always you've got to be able to apply your knowledge to your network's needs.

the name is the recipe as end-to-end VLANs will span the entire network. • End-to-end VLANs must be accessible on every access-layer switch to accommodate mobile users.docudesk. but you didn't even want your other hosts to know of the existence of that resource. particularly if we allow it to flow through the core switches. we're looking at much the same scenario.Snowflakes – Part 2 • With VLAN design. © Train Signal.. Inc. and that VLAN will remain the same no matter where the user is. as one is following the 80/20 rule and the other is following the 20/80 rule. end-to-end and local. • • There are two major VLAN designs. If we don't control broadcast and multicast traffic. it can soon affect our network negatively. • End-to-end VLANs can come in handy as a security tool and/or when the hosts have similar resource requirements for example. if you had certain hosts across the network that needed access to a particular network resource. Inc. Watch the details here.. 2002-2007 End-to-End and Local VLANs – Part 1 • With end-to-end VLANs. © Train Signal. :) © Train Signal. 2002-2007 End-to-End and Local VLANs – Part 2 • End-to-end VLANs should be designed with the 80/20 rule in mind. 2002-2007 PDF Created with deskPDF PDF Writer . Your VLAN scheme should keep as many broadcasts and multicasts away from the core switches as is possible. I can tell you that this VLAN type is a real pain in the butt to configure. The physical location of the user does not matter. Inc.Trial :: http://www. However.com 17 . as a user is assigned to a single VLAN. where 80 percent of the local traffic stays within the local area and the other 20 percent will traverse the network core en route to a remote destination..

Inc. Inc. the end user must go across a WAN to reach the server farm.com 18 . Inc.DAT File VTP Secure Mode © Train Signal. VTP also allows network administrators to restrict the switches upon which VLANs can be created. 2002-2007 PDF Created with deskPDF PDF Writer ..Local VLANs • Local VLANs are designed with the 20/80 rule in mind. 2002-2007 VLAN Trunking Protocol (VTP) • • • • • • • • Why use VTP? Configuring VTP VTP Modes VTP Advertisement Process Synchronization & Advertisement Details VTP Features & Versions The VLAN. © Train Signal.. while the other 80 percent will traverse the network core.docudesk.Trial :: http://www.and even in the simplified network diagram above. or modified. users are grouped by location in Local VLANs. 2002-2007 VTP • VLAN Trunking Protocol (VTP) allows each switch in a network to have an overall view of the active VLANs. deleted. While physical location is unimportant in end-to-end VLANs. such as server farms . another reason that 80/20 traffic patterns aren't seen as often as they were in the past. © Train Signal.. • More and more networks are using centralized data depositories. Local VLANs assume that 20 percent of traffic is local in scope.

(Bear with me here.. The only place you'll probably see that full phrase is on the exam.Trial :: http://www. modify. (The official term for a VTP domain is "management domain". By default. run show vtp status. V1 and V2. modify. 2002-2007 Server mode • In Server mode. © Train Signal. and the main difference between the two versions affects how a VTP Transparent switch handles an incoming VTP advertisement. Cisco switches are not in a VTP domain. and delete VLANs. This means that a VTP deployment has to have at least one Server. Before working with VTP in a home lab or production network.. • The key phrase there is "in the same domain". • VTP Transparent mode actually means that the switch isn't participating in VTP. Clients do listen for VTP advertisements and act accordingly when VTP advertisements notify the Client of VLAN changes. This is the default setting for Cisco switches.) © Train Signal. making them locally significant only. or VLAN creation will not be possible. 2002-2007 PDF Created with deskPDF PDF Writer . 2002-2007 VTP Versions • There are two versions of VTP. the major feature of VTP is the transmission of VTP advertisements that notify neighboring switches in the same domain of any VLANs in existence on the switch sending the advertisements.com 19 . Inc..) Transparent VTP switches don't synchronize their VTP databases with other VTP speakers. or delete VLANs. • Switches running in Client mode cannot be used to create. they don't even advertise their own VLAN information! Therefore. any VLANs created on a Transparent VTP switch will not be advertised to other VTP speakers in the domain.Major Feature of VTP • Luckily. Inc. © Train Signal. a VTP switch can be used to create. • VTP Version 2: The Transparent switch will forward VTP advertisements via its trunk port(s) even if the domain name does not match. • VTP Version 1: The Transparent switch will forward that advertisement's information only if the VTP version number and domain name on that switch is the same as that of downstream switches.docudesk. but we'll just call them domains in this section. Inc.

The hosts in VLAN 10 in the following exhibit would not receive VTP advertisements. so VTP advertisements are sent out trunk ports only.. © Train Signal. © Train Signal. Inc. and this configuration revision number increments by one before it is sent.Trial :: http://www. Inc. 2002-2007 Configuration revision – Part 1 • Along with the VTP domain name.Switches • Which Switches Should Be Servers. VTP advertisements carry a configuration revision number that enables VTP switches to make sure they have the latest VLAN information.docudesk.if you can absolutely secure a switch.com 20 .. but I will share a simple method that's always worked for me .. but they are not sent out every port on the switch. make it a VTP server. you may consider making that switch a VTP Client in order to minimize the chance of unwanted or unauthorized changes being made to your VLAN scheme. © Train Signal. Which Should Be Clients? – You have to decide this for yourself in your production network. Inc. 2002-2007 PDF Created with deskPDF PDF Writer . VTP advertisements are sent when there has been a change in a switch's VLAN database. 2002-2007 The VTP Advertisement Process • VTP Advertisements are multicasts. If multiple admins will have access to the switch. The only devices that need the VTP advertisements are other switches that are trunking with the local switch.

If the answer is yes. © Train Signal.. 2002-2007 Potential issue • This brings up a potential issue that I've seen more than once in the real world. Before accepting the changes reflected in the advertisement.. In this case. Inc. Inc. SW1 compares the revision number in the advertisement to its own revision number. © Train Signal.. you have to make sure that its revision number is zero .and that goes for Clients as well as Servers.Configuration revision – Part 2 • SW1 received a VTP advertisement from SW2.com 21 . 2002-2007 PDF Created with deskPDF PDF Writer . • If SW1's revision number had been higher than that in the VTP advertisement from SW2. When you introduce a new switch into a VTP domain. That revision number has to be reset to zero! If you ever see VLAN connectivity suddenly lost in your network. you should immediately check to see if a new switch was recently installed. but the switches are all functional. I can practically guarantee that the revision number is the issue.Trial :: http://www. 2002-2007 Revision number • I've seen this happen with switches that were brought it to swap out with a downed switch. the advertisement would have been ignored. the revision number on the incoming advertisement was 2 and R1's revision number was 1. Inc. © Train Signal.docudesk. • This indicates to SW11 that the information contained in this VTP advertisement is more recent than its own VLAN information. so the advertisement is accepted.

com 22 . Information included in the summary advertisement: – – – – – VTP domain name and version Configuration revision number MD5 hash code Timestamp Number of subset advertisements that will follow this ad © Train Signal.. or suspended – The new name of the VLAN – The new Maximum Transmission Unit (MTU) – VLAN Type (Ethernet. • Summary Advertisements are transmitted by VTP servers every 5 minutes. Inc. 2002-2007 Subset Advertisements • Subset Advertisements are transmitted by VTP servers upon a VLAN configuration change.docudesk. including: – Whether the VLAN was created. 2002-2007 PDF Created with deskPDF PDF Writer .. Inc. Token Ring.Cisco Theory • Cisco theory holds that there are two ways to reset a switch's revision number to zero: – Change the VTP domain name to a nonexistent domain.. Inc. or upon a change in the VLAN database. then change it back to the original name. 2002-2007 VTP Advertisements • There are three major types of VTP advertisements . activated. – Change the VTP mode to Transparent. deleted. then change it back to Server. Keep in mind that Cisco switches only accept VTP advertisements from other switches in the same VTP domain.Trial :: http://www. Subset ads give specific information regarding the VLAN that's been changed.here's what they are and what they do. FDDI) © Train Signal. © Train Signal.

2002-2007 PDF Created with deskPDF PDF Writer .Trial :: http://www. Why would a client request this information? Most likely because the VLAN database has been corrupted or deleted. 2002-2007 Enabling pruning • Enabling pruning on one VTP Server actually enables pruning for the entire domain.. 2002-2007 VTP Pruning • Trunk ports belong to all VLANs. Inc.com 23 .a request for VLAN information from the client. which leads to an issue involving broadcasts and multicasts. A trunk port will forward broadcasts and multicasts for all VLANs it knows about. The VTP Server will respond to this request with a series of Summary and Subset advertisements.. © Train Signal..Client Advertisement Requests • Client Advertisement Requests are just that . Inc. © Train Signal. but I wanted to show you that a switch has to be in Server mode to have pruning enabled. Inc. regardless of whether the remote switch actually has ports in that VLAN or not! © Train Signal.docudesk. It doesn't hurt anything to enter the command vtp pruning on all Servers in the domain. but it's unnecessary.

everything's gone. you're prompted to go into setup mode. • A switch running VTPv2 and Transparent mode will forward VTP advertisements received from VTP Servers in that same domain. This helps to prevent incorrect / inaccurate names from being propagated throughout the network. All IP addressing. 2002-2007 write erase • Those of you with switches in your home labs have probably run into this situation.. where Version 1 does not. Inc. including the 2950. VTP v2 has several advantages over VTPv1.Trial :: http://www. static routes . reload them. So what's being checked? VLAN names and numbers.. The next version was Version 2. and that's the default on many newer models.com 24 . The first version of VTP was VTP Version 1..show vtp status • By now. • As RIPv2 has advantages over RIPv1. • Version 2 supports Token Ring VLANs and Token Ring switching. © Train Signal. Version 2 will perform a consistency check. routing protocols.docudesk. Inc. you've probably noticed that the first field in the readout of show vtp status is the VTP version. 2002-2007 Consistency check • When changes are made to VLANs or the VTP configuration at the command-line interface (CLI). You run a write erase on your routers. © Train Signal. 2002-2007 PDF Created with deskPDF PDF Writer . © Train Signal. Inc. and that is the default of some older Cisco switches. and since NVRAM is now empty.

. Inc. Inc. Every switch in the domain must have a matching password.the ones in your network control room.VTP password • By setting a VTP password. Your VTP Servers should be the switches that are accessible only by you and a trusted few.. stick with Server and Client. :) • Some campus networks will have switches that can be easily secured . © Train Signal.com 25 .docudesk. Inc.and others that may be more accessible to others. 2002-2007 VTP Configuration Tips • Unless you have a very good reason to put a switch into Transparent mode. or you've made it possible to create and delete VLANs on every switch in your network.. Don't leave every switch in your VTP domain at the default of Server. 2002-2007 PDF Created with deskPDF PDF Writer . you place the entire VTP domain into Secure Mode. © Train Signal. for example . but it causes less confusion in the future for other network admins who don't understand Transparent mode as well as you do.Trial :: http://www. Not only does this ensure that the VTP databases in your network will be synchronized. 2002-2007 Spanning Tree Protocol (STP) • • • • • Switching Basics BPDUs & the Root Bridge Election Root Port Selection & Cost STP Port States & Timers Making a Nonroot Switch the Root – Why and How • TCN BPDUs • Load Sharing with the port-priority command • Extended System ID Failure © Train Signal.

more commonly referred to as a BID. the MAC address is the deciding factor in the root bridge election.Trial :: http://www. • Broadcast frames are destined for all hosts. Such a frame would be forwarded only out the appropriate port. © Train Signal. • BPDUs also carry out the election to decide which switch will be the Root Bridge. • This BID is a combination of a default priority value and the switch's MAC address. Inc. the non-root bridges will forward copies of that BPDU.. Broadcast and multicast frames are also forwarded out every port except the one they came in on. Each switch will have a Bridge ID Priority value. while multicast frames are destined for a specific group of hosts. if a Cisco switch has the default priority value of 32.Unknown unicast frames • Unknown unicast frames are frames destined for a particular host. and this destination host has an entry in the switch's MAC table.. Once a root bridge is elected. with the priority value listed first. (It might not have been well-known to you before.768 and a MAC address of 11-22-33-44-55-66. the BID would be 32768:11-22-3344-55-66.this is the switch that decides what the STP values and timers will be. but it is now!) We've actually got two different BPDU types: – Topology Change Notification (TCN) – Configuration • We'll talk about TCNs later in this section. 2002-2007 The Role Of BPDUs • BPDUs are transmitted every two seconds to the wellknown multicast MAC address 01-80-c2-00-00-00. • Known unicast frames are frames destined for a particular host. The Root Bridge is the "boss" of the switching network . 2002-2007 Configuration BPDUs • Configuration BPDUs are used for the actual STP calculations.docudesk. but for now it's enough to know that the name is the recipe . only that root bridge will originate Configuration BPDUs. Unknown unicast frames are forwarded out every port except the one they came in on. if the switch priority is left at the default on all switches. For example. © Train Signal. Therefore. Under no circumstances will a switch send a frame back out the same port it came in on.a switch sends a TCN when there is a change in the network topology. Inc. but there is no MAC address table entry for that destination. © Train Signal. Inc.. 2002-2007 PDF Created with deskPDF PDF Writer .com 26 .

© Train Signal. No switch downstream of SW3 will know of any Path Costs on SW2 or SW3 the downstream switches will only see the cumulative cost. Inc. • The BPDU actually carries the Root Path Cost. That new root path cost value will be reflected in the BDPU that switch then sends out. that switch adds the cost of the port the BPDU was received on to the incoming Root Path Cost.. and this cost increments as the BPDU is forwarded throughout the network. SW3 doesn't have any idea what the Path Cost on SW2 is.. Inc. 2002-2007 PDF Created with deskPDF PDF Writer . and doesn't particularly care. not sent. 2002-2007 The Path Cost • The Path Cost is locally significant only. the Root Path Cost.Root port • The port that SW2 is using to reach the root bridge is called the root port. Each switch port has an assigned Path Cost.Trial :: http://www. and it wasn't selected at random.. In the previous example. and this Path Cost is used to arrive at the Root Path Cost. Inc.com 27 . © Train Signal. Root Path Cost increments as BPDUs are received. 2002-2007 The root bridge • The root bridge will transmit a BPDU with the Root Path Cost set to zero. When a neighboring switch receives this BDPU. © Train Signal. A port's Path Cost is locally significant only and is unknown by downstream switches.docudesk.

– – – – 10 MBPS Port: Originally 100. © Train Signal. That was the tiebreaker here. By "superior BPDU". now 2 © Train Signal. still 100 100 MBPS Port: Originally 10.. – Choose the port receiving the superior BPDU. so you'll be shown both here. this is another command that you should have a very good reason for configuring before using it. That's a tie here. Since the same switch is sending both BPDUs. SW2 shows a Path Cost of 19 for both ports 0/11 and 0/12. – Choose the lowest Port ID.com 28 . 2002-2007 How Root Path Costs Are Determined • The default STP Path Costs are determined by the speed of the port. These path costs have changed from their original values. – Choose the port receiving the BPDU with the lowest Sender BID. 2002-2007 PDF Created with deskPDF PDF Writer . now 19 1 GBPS Port: Originally 1.docudesk. Inc.SW1 .Process of choosing a Root Port • Here's the process of choosing a Root Port. too. and how these steps factored into SW2's decision-making process.. Make sure to add up the Root Path Cost for other available paths before changing a port's Path Cost to ensure you're getting the results you want . now 4 10 GBPS Port: Originally 1.Trial :: http://www. The BPDUs are coming from the same switch . – Choose the port with the lowest Root Path Cost to the root bridge.so this is a tie.or perhaps avoid results you don't want! • In the following example. Inc. Inc. 2002-2007 Changing A Port's Path Cost • Like other STP commands and features.. © Train Signal. The costs we'll see on the switches in this section are the revised costs. we mean the one with the lowest BID. that's a tie here as well.

2002-2007 PDF Created with deskPDF PDF Writer .Trial :: http://www. About the only thing this port can do is accept BPDUs from neighboring switches. This allows a port to forward and receive data frames. Cisco does officially consider this to be an STP state. Inc. © Train Signal. As the name implies.docudesk.com 29 . A disabled port is one that is administratively shut down. 2002-2007 STP port state – Part 2 • Once the port is opened. Inc. but the port is learning MAC addresses by adding them to the switch's MAC address table. and the MAC address table is not yet being updated. but it's not even officially taking place in STP. you're not going to look into the STP table of a VLAN and see "DIS" next to a port. © Train Signal. The obvious question is "listening for what?" Listening for BPDUs . © Train Signal.and this port can now send BPDUs as well. a port enters forwarding mode. Inc.. • A port will then go from blocking mode into listening mode. it's not yet forwarding frames. 2002-2007 learning mode • When the port goes into learning mode. the port can't do much in this state .STP port state – Part 1 • Disabled isn't generally thought of as an STP port state.. The port still can't forward or receive data frames. send and receive BPDUs. use the show spanning-tree interface command. • Finally. and therefore no learning of MAC addresses. the port will go into blocking state. A disabled port obviously isn't forwarding frames. • To see the STP mode of a given interface.no frame forwarding. though.. no frame receiving. and place MAC addresses in its MAC table.

What you might not have known is that if you decide to change any and all of these timers. • Don't believe me? :) We'll prove that very shortly. this is set to 2 seconds. let's review the STP timer basics.9375.. 2002-2007 Timers – Part 2 • Hello Time defines how often the Root Bridge will originate Configuration BPDUs. referred to by the switch as MaxAge. © Train Signal. is the amount of time a switch will retain the superior BPDU's contents before discarding it. The default is 20 seconds.docudesk.de00 This bridge is the root Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 24596 (priority 24576 sys-id-ext 20) Address 0011. © Train Signal. • Maximum Age. Right now. By default. • Forward Delay is the length of both the listening and learning STP stages.9375. with a default value of 15 seconds. Inc. 2002-2007 PDF Created with deskPDF PDF Writer . that change must be configured on the root bridge! The root bridge will inform the nonroot switches of the change via BPDUs. Inc..Timers – Part 1 • You may remember these timers from your CCNA studies as well.Trial :: http://www. 2002-2007 Example 1 SW3(config)#spanning vlan 20 root primary SW3#show spanning vlan 20 VLAN0020 Spanning tree enabled protocol ieee Root ID Priority 24596 Address 0011. Inc.de00 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 15 © Train Signal.. and you should also remember that these timers should not be changed lightly.com 30 .

557d. 2002-2007 Example 4 SW1(config)#spanning vlan 20 root secondary SW1#show spanning vlan 20 VLAN0020 Spanning tree enabled protocol ieee Root ID Priority 24596 Address 0011.de00 Cost 38 Port 15 (FastEthernet0/13) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 32788 (priority 32768 sys-id-ext 20) Address 0019.19c7.Example 2 SW2#show spanning vlan 20 VLAN0020 Spanning tree enabled protocol ieee Root ID Priority 32788 Address 0011. Inc.8880 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300 © Train Signal.8880 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300 © Train Signal. Inc. Inc. 2002-2007 PDF Created with deskPDF PDF Writer .de00 Cost 38 Port 15 (FastEthernet0/13) Hello Time 2 sec Max Age 20 sec Bridge ID Forward Delay 15 sec Priority 28692 (priority 28672 sys-id-ext 20) Address 0019. 2002-2007 Example 3 SW1#show spanning vlan 20 VLAN0020 Spanning tree enabled protocol ieee Root ID Priority 32788 Address 0011.com 31 .Trial :: http://www.9375.de00 Cost 19 Port 24 (FastEthernet0/22) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 32788 (priority 32768 sys-id-ext 20) Address 0018....557d.9375.docudesk.2700 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300 © Train Signal.9375.

© Train Signal.. Ideally.576. which allows for the highest optimization of STP. we're not configuring an exact priority with that command. Access switches are those found closest to the end users. Distribution. The TCN doesn't say exactly what happened. 2002-2007 PDF Created with deskPDF PDF Writer .Trial :: http://www.com 32 . the root bridge should be a core switch. just that something happened. and the root bridge should not be an access-layer switch. it doesn't give the other switches a lot of detail. 2002-2007 Where Should The Root Bridge Be Located? • I'm sure you remember the Cisco Three-Layer Hierarchical Model. Inc. but a TCN BPDU will be generated by any switch in the network when one of two things happen: – A port goes into Forwarding mode – A port goes from Forwarding or Learning mode into Blocking mode • While the TCN BPDU is important. which lists the three layers of a switching network .. Inc.Core. the switch subtracts 4096 from the root bridge's priority in order to become the root. – If the current root bridge's priority is less than 24. © Train Signal. You saw that in the previous example. 2002-2007 Topology Change Notifications (TCNs) • Configuration BPDUs are originated only by the root bridge.docudesk. the switch sets its priority to 24576 in order to become the root. © Train Signal.. Here's how the STP process handles this: – If the current root bridge's priority is greater than 24. Inc. and Access.spanning-tree vlan root • Ever wondered how the STP process decides what priority should be set when the spanning-tree vlan root command is used? After all.576.

how many port or ports in this example will be in STP Blocking mode? Which one(s)? © Train Signal... Inc.) • A natural question is "How long will the aging time for the MAC table stay at the Forward Delay value?" Here's the quick formula for the answer: • (Forward Delay) + (Max Age) • Assuming the default settings. Before we go forward. 2002-2007 Load Sharing With The portpriority Command • We can actually change a port's priority for some VLANs and leave it at the default for other VLANs in order to perform load balancing over a trunk. • I've created ten VLANs. 2002-2007 PDF Created with deskPDF PDF Writer .. and yet another reason to consider leaving the STP timers at their defaults! © Train Signal.20. and since such a port going into Forwarding mode doesn't impact STP operation. that's 15 seconds.docudesk. SW1 is the root for all ten VLANs. that's a total of 35 seconds. there's no need to alert the entire network about it. and then change this behavior just a bit with the port-priority command. Inc.Trial :: http://www. if not downright hesitant.Default aging time • This indicates to all receiving switches that the default aging time for their MAC tables should be changed from the default of 5 minutes to whatever the Forward Delay value is .. Let's take a look at the default behavior of a trunk between to switches when we have ten VLANs. The most common usage of Portfast is when a single PC is connected directly to the switch port. 2002-2007 TCNs And The Portfast Exception • Cisco switching veterans just know that Portfast has to get involved here somewhere! Portfastenabled ports cannot result in TCN generation.com 33 . © Train Signal. for this example. which makes perfect sense. 11 . (Another reason to be careful. Inc. to start adjusting STP timers.by default. using your knowledge of switching..

we took a look at part of a switch's configuration and saw this line: spanning-tree extend system-id • Defined in IEEE 802. Inc. Loop Guard UDLD. CST. so the BID priority is 32768 + 20.com 34 . Uplinkfast. Inc. Backbonefast Root Guard. © Train Signal. which in turn allows the switch to support up to 4096 VLANs.. MST © Train Signal. it can be enabled with the set spantree macreduction command. 2002-2007 Advanced STP Features • • • • Portfast.4096. Inc. the Extended System ID feature greatly extends the number of STP instances that can be supported by the switch.) © Train Signal. (set commands are run on CatOS switches only ..1(8)EA or later. which equals 32788. it's called STP MAC Address Reduction. It is enabled by default on 2950 and 3550 switches with an IOS version of 12. PVST+.IOS-based switches use the CLI commands you see throughout this book. The extended VLANs will be numbered 1025 . Disabled by default. The sys-id-ext value just happens to be the VLAN number.docudesk. • You can't use this feature on all Cisco switches.Trial :: http://www. with those switches.1t.The Extended System ID Feature • Earlier in this section. • Some switches running CatOS can support this feature.. 2002-2007 The BID priority • The BID priority is the default priority of 32768 plus the System ID Extension value (sys-id-ext). 2002-2007 PDF Created with deskPDF PDF Writer . BPDU Skew Detection Rapid STP. PVST. though. BPDU Guard.

3 seconds. but again.Trial :: http://www.it actually takes 1 . it's enabled globally and for all VLANs residing on the switch. 2002-2007 Details regarding Uplinkfast • Some additional details regarding Uplinkfast: – The actual transition from blocking to forwarding isn't really "immediate" .it's all or nothing. you can only use it when a single host device is found off the port. you're looking at a 50second delay before that port can actually begin forwarding frames. Portfast allows a port running STP to go directly from blocking to forwarding mode. © Train Signal.com 35 . © Train Signal.docudesk. – When Uplinkfast is enabled.Portfast • You should remember this one from your CCNA studies! Suitable only for switch ports connected directly to a single host. Configuring a port with Portfast is one way to get around that. You can't run Uplinkfast on some ports or on a per-VLAN basis . Inc. 2002-2007 Uplinkfast • When a port goes through the transition from blocking to forwarding. Inc. What if the device connected to a port is another switch? © Train Signal... Inc. 2002-2007 PDF Created with deskPDF PDF Writer .. Next to a 50-second delay. that certainly seems immediate! – Uplinkfast cannot be configured on a root switch.

Trial :: http://www. the switch priority will be set to 49. which means that if all other switches are still at their default priority. 2002-2007 PDF Created with deskPDF PDF Writer .actually..it's not recommended for core and distribution-layer switches.Root port • The original root port will become the root port again when it detects that its link to the root switch has come back up.. two immediate actions! – First. Uplinkfast should be configured only on access-layer switches.. and the switches that are farthest away from the root switches will be the access switches. The switch uses the following formula to determine how long to wait before transitioning the original root port back to the forwarding state: • ( 2 x FwdDelay) + 5 seconds © Train Signal. – Additionally. making it highly unlikely that this switch will be used to reach the root switch by any downstream switches. The access switches will be the ones closest to the end users. Inc. © Train Signal. they'd all have to go down before this switch can possibly become the root switch.docudesk. Inc. 2002-2007 Where To Apply Uplinkfast • As with all the topics in this section. This does not take place immediately. 2002-2007 Immediate action • Uplinkfast will take immediate action to ensure that a switch cannot become the root switch -. it's not enough to know the definition of Uplinkfast and what it does you've got to know where to configure it for best results. • Uplinkfast is a wiring-closet switch feature .com 36 .152. © Train Signal. the STP Port Cost will be increased by 3000. Inc. It's a safe bet that the root switches are going to be found in the core layer.

Backbonefast goes into action. 2002-2007 RLQ Request • Upon receiving a RLQ request. The RLQ request identifies the bridge that is considered the root bridge.docudesk. • The key word there is indirect.a failure of a link that is not directly connected to the core switch in question . but considers the root switch named in the RLQ request to indeed be the root switch. If they're one and the same. • This indirect link failure is detected when an inferior BPDU is received.com 37 . the RLQ request is relayed toward the root switch by sending it out the root port. and the RLQ response will identify the root bridge that can be accessed via that port.. because it considers another switch to be the root bridge • The third possibility is that the receiving switch is not the root. In that case. but the 15-second Listening and Learning stages still have to run. but they've got limitations on when they can and should be run. Inc. 2002-2007 PDF Created with deskPDF PDF Writer .Backbonefast • Uplinkfast and Portfast are great.. The purpose of these RLQ requests is to ensure that the local switch still has connectivity to the root switch.Trial :: http://www. © Train Signal. but the Cisco-proprietary feature Backbonefast can be used to help recover from indirect link failures. a switch will answer immediately under one of two conditions: – The receiving switch is indeed the root bridge named in the RLQ request – The receiving switch has no connectivity to the root bridge named in the RLQ request. © Train Signal. You definitely can't run either one in a network backbone. While this does not eliminate delays as efficiently as PortFast and UplinkFast. RLQ uses a series of requests and responses to detect indirect link outages. 2002-2007 Root Link Query • BackboneFast uses the Root Link Query (RLQ) protocol. Inc.) © Train Signal. everything's fine. • RLQ requests are transmitted via the ports that would normally be receiving BPDUs. but the delay is cut from 50 seconds to 30. Inc. If a core switch detects an indirect link failure . (MaxAge's default value is 20 seconds.. this process skips the MaxAge stage. • When BackboneFast is configured.

com 38 . shown on the switch as err-disabled.. 2002-2007 Root Guard • Root Guard is configured at the port level.docudesk.. and put the port into rootinconsistent state. SW3 will allow that port to transition normally through the STP port states. we have to know more than the command! We've got to know where to configure it as well. When those superior BPDUs stop coming. © Train Signal.BackboneFast into action • To put BackboneFast into action in our network. the port will be shut down and placed into error disabled state. Inc. and RLQ is enabled by enabling BackboneFast. relay. 2002-2007 BPDU Guard • BPDU Guard protects against this disastrous possibility. and respond to RLQ requests.Trial :: http://www. Inc. discard it. Inc. © Train Signal. © Train Signal. Since all switches in the network have to be able to send. • Root Guard will actually block that superior BPDU. If any BPDU comes in on a port that's running BPDU Guard.. 2002-2007 PDF Created with deskPDF PDF Writer . every switch in the network should be configured for BackboneFast when using this feature. and disqualifies any switch that is downstream from that port from becoming the root or secondary root.

Inc. Inc. © Train Signal. normal and aggressive. and the port will not send any BPDUs in return.docudesk. 2002-2007 PDF Created with deskPDF PDF Writer . – Enabling BPDU Filtering on a specific port or ports.com 39 .. • UDLD has two modes of operation. 2002-2007 Unidirectional Link Detection (UDLD) • Most problems involving the physical link will make data transfer in either direction impossible. UDLD generates a syslog message but does not shut the port down. will result in received BPDUs being quietly ignored. UDLD generates a syslog message but does not shut the port down. Inc. © Train Signal.this feature works differently when it's configured globally as opposed to configuring it on a per-interface level. – Globally enabling BPDU Filtering will have a PortFastenabled port stop running PortFast when the port receives a BPDU. When a unidirectional link is detected in normal mode. the port will be put into error disabled state ("err-disabled") after eight UDLD messages receive no echo from the remote switch. © Train Signal.. but you have to be careful how you configure it .PortFast BPDU Filtering • What if you don't want the port to be put into err-disabled state when it receives a BPDU? You can use BPDU Filtering.Trial :: http://www. Those incoming BPDUs will be dropped. but not the other. • In aggressive mode. Why is it called "aggressive"? Because the UDLD messages will go out at a rate of one per second when a potential unidirectional link is found.. there are situations where a physical layer issue disables data transfer in one direction. 2002-2007 Normal mode • When a unidirectional link is detected in normal mode. Particularly with fiber optic. rather than enabling it globally.

2002-2007 Loop Guard • We've had BPDU Guard. but it can indeed lead to a switching loop. The problem comes in when the half-duplex port listens to the segment. • Loop Guard does not allow a port to go from blocking to forwarding in this situation.. Root Guard. © Train Signal. but the half-duplex port will.com 40 .. which is basically still blocking mode.docudesk. Inc. Loop Guard! You can probably guess that the "loop" being guarded against is a switching loop. Inc.. and the switches should relay the BDPUs fast enough so every switch is seeing a BPDU every two seconds.. 2002-2007 PDF Created with deskPDF PDF Writer . and why do I want to detect it?" What we're actually attempting to detect are BPDUs that aren't being relayed as quickly as they should be. change that of any trunking partner! • Believe it or not. and a switching loop will not form © Train Signal. This should happen quickly all around. © Train Signal.Duplex Mismatches And Switching Loops • A duplex mismatch between two trunking switches isn't quite a unidirectional link. and now. but if you change one switch port's duplex setting. hears nothing.. and the non-root switches relay that BPDU down the STP tree.. the root bridge transmits BPDUs. and sends frames as it normally would under CSMA/CD rules. Inc. but how does Loop Guard prevent switching loops? Let's revisit an earlier example to see how the absence of BPDUs can result in a switching loop. the port will go from blocking to loop-inconsistent. • After the root bridge election..Trial :: http://www. "What is a BPDU Skew. the switching loop potential is caused by CSMA/CD! The full-duplex port will not perform CSMA/CD.. You're not often going to change switch duplex settings. 2002-2007 BPDU Skew Detection • You may look at that feature's name and think. especially on trunk ports. since the root bridge will be sending a BPDU every two seconds by default ("hello time"). With Loop Guard enabled..

2002-2007 Port types unique to RSTP • There are other port types unique to RSTP. but the port roles themselves are different between STP and RSTP. An edge port will operate just like an STP port that is running Portfast.1w.Trial :: http://www.1d.. 2002-2007 Transition States • Let's compare the transition states: • STP: disabled > blocking > listening > learning > forwarding • RSTP: discarding > learning > forwarding © Train Signal. • Root bridges are still elected with RSTP.a port on the edge of the network.. it's RSTP. and is considered an extension of 802. © Train Signal. most likely an end user's PC. RSTP is defined by IEEE 802. © Train Signal. • A point-to-point port is any port that is connected to another switch and is running in full-duplex mode. or Rapid Spanning Tree Protocol.docudesk. Inc. Inc.and now here's another kind of STP! Specifically.com 41 . it's a switch port that is connected to a single host. 2002-2007 PDF Created with deskPDF PDF Writer . where SW1 is the root. In this case. and you've got all these STP features down .. Let's take a look at the RSTP port roles in the following three-switch network. You know what a root port is. An edge port is just what it sounds like . Inc. Note that SW3 has multiple connections to the ethernet segment. but RSTP also has edge ports and point-to-point ports.Rapid Spanning Tree Protocol • So you understand STP.

since only a single host will be connected to that particular port.Edge Ports And RSTP Topology Changes • Edge ports play a role in when RSTP considers a topology change to have taken place. Inc. the nonroot bridges simply forward. but discovery of link failures is faster. • RSTP-enabled switches generate a BPDU every two seconds. I should say that they don't play a role. When an edge port moves into Forwarding mode. • When a topology change is discovered by a switch running RSTP. the interval at which switches send BPDUs. only the root bridge is sending BPDUs every two seconds. This cuts the error detection process from 20 seconds in STP to 6 seconds in RSTP.com 42 . is two seconds in both STP and RSTP. 2002-2007 Difference between STP and RSTP • Another major difference between STP and RSTP is the way BPDUs are handled. 2002-2007 PDF Created with deskPDF PDF Writer .unless that port is an edge port. or relay. and if three BPDUs are missed. Rather. RSTP doesn't consider that a topology change. 2002-2007 Detecting Link Failures • This change not only allows all switches in the network to have a role in detecting link failures. The switch then immediately ages out all information concerning that port. Inc. that switch sends BPDUs with the Topology Change (TC) bit set © Train Signal.docudesk...Trial :: http://www. Why? Because every switch expects to see a BPDU from its neighbor every two seconds. because RSTP considers a topology change to have taken place when a port moves into Forwarding mode .) © Train Signal. With STP. regardless of whether they have received a BPDU from the root switch or not. (The default value of hello time. Inc. © Train Signal. the link is considered down.. that BPDU when they receive it.

MaxAge timer • When a switch running STP misses a BPDU. 2002-2007 BPDU format • The BPDU format is the same for STP and RSTP. • The RSTP BPDU is also of a totally different type (Type 2. © Train Signal. Portfast. © Train Signal. • The Ugly: PVST is Cisco-proprietary.ISL.docudesk. Inc. 2002-2007 Per-VLAN Spanning Tree Versions (PVST and PVST+) • The ultimate "the name is the recipe" protocol. 2002-2007 PDF Created with deskPDF PDF Writer .Trial :: http://www. well. Inc. • When a switch running RSTP misses three BPDUs. and Backbonefast are built-in to RSTP. Inc. Since the default hello-time is 2 seconds for both STP and RSTP. but RSTP uses all flag bits available in the BPDU for various purposes including state negotiation between neighbors. but STP uses only the Topology Change (TC) and Topology Change Ack (TCA) flags.. which allows an RSTP-enabled switch to detect older switches. MaxAge is 20 seconds. it takes an RSTP-enabled switch only 6 seconds overall to determine that a link to a neighbor has failed. the MaxAge timer begins.. so it must run over the Cisco-proprietary trunking protocol . By default. © Train Signal.. This timer dictates how long the switch will retain the last BPDU before timing it out and beginning the STP recalculation process. • The Bad: Running PVST does mean extra work for your CPU and memory. • Switching features we looked at earlier in this section Uplinkfast. it will immediately are out the superior BPDU's information and begin the STP recalculation process.com 43 . runs a separate instance of STP for each VLAN! • The Good: PVST does allow for much better fine-tuning of spanning-tree performance than does regular old STP. Version 2). The details of this negotiation are out of the scope of the BCMSN exam. but can easily be found on the Internet by searching for "RSTP" in your favorite search engine. the Ciscoproprietary PVST.

– If you configure a switch running PVST+ to use RSTP.Rapid Per-VLAN Spanning Tree Plus. with the + version using dot1q rather than ISL. but this combination is running in many a network right now . you just know they have to have their own version of STP! Per-VLAN Spanning Tree Plus (PVST+) is just what it sounds like . so while it can be very useful in the right environment. PVST+ is Ciscoproprietary as well.. Using PVST+ along with CST and PVST can be a little difficult to fine-tune at first. • MST was designed with enterprise networks in mind. Inc. • PVST+ can serve as an intermediary between groups of PVST switches and switches running CST.docudesk. Inc.every VLAN has its own instance of STP running. rather than having an instance for every VLAN in the network.Trial :: http://www. 2002-2007 Multiple Spanning Tree • Defined by IEEE 802. MST serves as a middle ground between STP and PVST. 2002-2007 PDF Created with deskPDF PDF Writer . PVST has an instance for every VLAN.com 44 . it's not for every network. the groups wouldn't be able to communicate. Multiple Spanning Tree gets its name from a scheme that allows multiple VLANs to be mapped to a single instance of STP.. 2002-2007 Rapid Per-VLAN Spanning Tree Plus (RPVST +) • Now there's a mouthful! – Cisco being Cisco. The good news is that the command is very simple. you end up with RPVST+ . Inc. © Train Signal.PVST • PVST doesn't play well at all with CST. PVST+ is described by Cisco's website as having the same functionality as PVST.1s.and working fine! © Train Signal. and MST allows you to reduce the number of STP instances without knocking it all the way back to one. and we'll use IOS Help to look at some other options: © Train Signal.. so Cisco came up with PVST+. otherwise. • CST (Common Spanning Tree) uses a single instance of STP. PVST+ allows per-VLAN load balancing and is also Cisco-proprietary.

and it doesn't want to know. MSTI 0 is reserved for the IST instance.there's no such thing as "VTP For MST". • Here's the good part -. 2002-2007 IST • The "IST" in each region stands for Internal Spanning Tree.. revision number. 2002-2007 PDF Created with deskPDF PDF Writer .. however. 2002-2007 MST configurations • MST configurations can become quite complex and a great deal of planning is recommended before implementing it.they're not advertised. © Train Signal. (No. and a digest value derived from the mapping table. Inc. © Train Signal. they are in different regions. CST doesn't know what's going on inside the region. No matter the size of the network. you've got to configure every switch in your network with those mappings . and MST is a "subset" of the network. Each and every switch in your MST deployment must be configured manually. and it's the IST instance that is responsible for keeping communications in the MST Region loop-free. © Train Signal.Trial :: http://www. Switches send MST BPDUs that contain the configuration name.com 45 . • Up to 16 MST instances (MSTIs) can exist in a region. Inc. keep the central point in mind .docudesk. • Occasionally the first ten MST instances are referred to as "00" . Inc."09".Configuration of MST • The configuration of MST involves logically dividing the switches into regions. and it's MST's job to keep a loop-free topology in the MST region.the purpose of MST is to map multiple VLANs to a lesser number of STP instances.they're regular old decimals.. • A good way to get a mental picture of the interoperability of MST and CST is that CST will cover the entire network. and only the IST is going to send MST BPDUs. CST is going to maintain a loop-free network only with the links connecting the MST network subnets. and the switches in any given region must agree of the following: – The MST configuration name – The MST instance-to-VLAN Mapping table – The MST configuration revision number • If any of these three values are not agreed upon by two given switches. These are not hex values . numbered 0 through 15. I'm not kidding!) When you create VLAN mappings in MST.

2002-2007 Enabling MST – Part 2 • To map VLANs to a particular MST instance: SW2(config-mst)# instance 1 10. allowing for greater flexibility with trunk usage (per-VLAN load balancing. © Train Signal.Trial :: http://www. 2002-2007 PDF Created with deskPDF PDF Writer . for example) © Train Signal. Inc. • STP: 100 VLANs results in one STP process • PVST: 100 VLANs results in 100 STP processes. Inc.. SW2(config)# spanning-tree mode mst configuration SW2(config-mst)# name REGION1 SW2(config-mst)# revision 1 © Train Signal.13. 14-20 • Note that I could use commas to separate individual VLANs or use a hyphen to indicate a range of them.com 46 . 2002-2007 Why Does Anyone Run STP Instead Of PVST? • Like the TCP vs. When mapping VLANs.. remember that by default all VLANs will be mapped to the IST.Enabling MST – Part 1 • A good place to start is to enable MST on the switch: SW2(config)# spanning-tree mode mst • The name and revision number must now be set. UDP argument from your CCNA studies. this seems like a bit of a nobrainer.docudesk.. Inc.

but many CCNA books either leave Etherchannels out entirely or mention them briefly. • After that review. You may not have even seen an Etherchannel question on your CCNA exam. © Train Signal. we'll begin an in-depth examination of how Etherchannels work. Inc. This provides greater throughput. • If one of the physical links making up the logical Etherchannel should fail. © Train Signal. STP sees only the Etherchannel.com 47 . 2002-2007 Etherchannels • Etherchannels aren't just important for your BCMSN studies. • Etherchannels are part of the CCNA curriculum.. 2002-2007 PDF Created with deskPDF PDF Writer . • Etherchannels use the Exclusive OR (XOR) algorithm to determine which channel in the EC to use to transmit data to the remote switch. since STP doesn’t know the physical link went down. there is no STP reconfiguration. 2002-2007 Logical Bundling • An Etherchannel is the logical bundling of two to eight parallel Ethernet trunks. Knowing how to configure and troubleshoot them is a vital skill that any CCNP must have.Etherchannels © Train Signal.. • Spanning-Tree Protocol (STP) considers an Etherchannel to be one link.docudesk. and is another effective way to avoid the 50-second wait between blocking and forwarding states in case of a link failure. This bundling of trunks is also referred to as aggregation.. Inc.Trial :: http://www. so we're going to begin this section with a review of what an Etherchannel is and why we would configure one. and a single link failure will not bring an Etherchannel down. they're a vital part of many of today's networks. Inc. and I'll show you some real-world examples of common Etherchannel configuration errors to help you master this skill for the BCMSN exam and for the real world.

STP will not recalculate. 2002-2007 Negotiating An Etherchannel • There are two protocols that can be used to negotiate an etherchannel.Trial :: http://www. • PAgP packets are sent between Cisco switches via ports that have the capacity to be placed into an etherchannel.. the PAgP packets will check the capabilities of the remote ports against those of the local switch ports. 2002-2007 Remote Port Group • The remote port group number must match the number configured on the local switch • The device ID of all remote ports must be the same ..docudesk. Inc. Inc. First. Inc. The industry standard is the Link Aggregation Control Protocol (LACP). While some bandwidth is obviously lost.com 48 .after all. The remote ports are checked for two important values. the logical link itself stays up. © Train Signal. 2002-2007 PDF Created with deskPDF PDF Writer .Logical Link • If one of the three physical links goes down.it will happen so fast that you won't even hear about it from your end users! © Train Signal. and the Ciscoproprietary option is the Port Aggregation Protocol (PAgP).. if the remote ports are on separate switches. Data that is traveling over the downed physical link will be rerouted to another physical link in a matter of milliseconds . that would defeat the purpose of configuring an etherchannel! © Train Signal.

Inc. 2002-2007 PAgP and LACP • PAgP and LACP use different terminology to express the same modes. which means that there is no negotiation at all. where active ports initiate bundling and passive ports wait for the remote switch to do so. use the on option."active" and "desirable" for the local port to initiate the EC.if both ports are set to auto. You can actually assign up to 16 ports to belong to an LACP-negotiated etherchannel.Trial :: http://www. • The industry standard bundling protocol defined in 802. • For an EC to form. if both ports are set to "passive". LACP must have at least one of the two ports on each physical link set for "active". • To verify both PAgP and LACP neighbors. but it's a real good idea to know all about PAgP and LACP. on. PAgP will allow the etherchannel to dynamically adapt to this change..com 49 . "auto" and "passive" if the remote port is going to initiate the EC. Inc. the link won't join the EC. © Train Signal. but only the eight ports with the lowest port priority will be bundled. PAgP has a dynamic mode and auto mode. 2002-2007 PDF Created with deskPDF PDF Writer . The same can be said for PAgP and the settings "auto" and "desirable" . Personally. The other ports will be bundled only if one or more of the bundled ports fails. this is the one I use in real-world networks. To enable the etherchannel with no negotiation.. A port in dynamic mode will initiate bundling with a remote switch. LACP assigns a priority value to each port that has etherchannel capability. © Train Signal. no EC will be built. © Train Signal.PAgP • PAgP also has the capability of changing a characteristic of the etherchannel as a whole if one of the ports in the etherchannel is changed. you can use the show pagp neighbor and show lacp neighbor commands. 2002-2007 Initiating EC • You can see the different terminology LACP and PAgP use for the same results .docudesk. LACP uses active and passive modes. while a port in auto mode waits for the remote switch to do so. • There's a third option..3ad. Inc. If you change the speed of one of the ports in an etherchannel.

I get the EC error message again. SW1(config)#int fast 0/12 SW1(config-if)#no switchport trunk allowed vlan 100. Inc. but notice that the allowed VLANs on these two ports is different.20 no ip address channel-group 1 mode on ! interface FastEthernet0/12 switchport trunk allowed vlan 100..Trial :: http://www.20 02:51:25: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/12. Ports configured for dynamic VLAN assignment from a VMPS cannot remain or become part of an EC.. but once I change port 0/12's config to match 0/11's.Troubleshooting EtherChannels • Once you get an EC up and running. here are a few things to watch out for: • Changing the VLAN assignment mode to dynamic. the EC forms. That will prevent an EC from working correctly...200 no ip address channel-group 1 mode on . Here's a reenactment of an EC issue I ran into once.unless a port setting changes. 2002-2007 Error Message interface FastEthernet0/11 switchport trunk allowed vlan 10. • The allowed range of VLANs for the EC must match that of the ports. Here's the error message that occurs in a scenario like this: 02:46:10: %EC-5-CANNOT_BUNDLE2: Fa0/12 is not compatible with Fa0/11 and will be suspended (vlan mask is different) © Train Signal. Inc. 2002-2007 PDF Created with deskPDF PDF Writer . The configuration of the channel-group looked just fine… © Train Signal.docudesk. changed state to up © Train Signal.200 02:51:15: %EC-5-CANNOT_BUNDLE2: Fa0/12 is not compatible with Fa0/11 and will be suspended (vlan mask is different) 02:51:15: %EC-5-CANNOT_BUNDLE2: Fa0/12 is not compatible with Fa0/11 and will be suspended (vlan mask is different) SW1(config-if)#switchport trunk allowed vlan 10.com 50 . Inc. 2002-2007 EC Error • When I remove the original command. From personal experience. it generally stays that way .

2002-2007 PDF Created with deskPDF PDF Writer .. 2002-2007 Physical security • Physical security .. Ports need to be running the same speed. you know what to do . change 'em on occasion (and that occasion should not be the Millennium) • Different privilege levels . duplex. Inc. Dynamic ARP Inspection.Changing Port Attribute • Changing a port attribute. and it's also the most ignored.set 'em.. IP Secure Guard • MAC Address Flooding & VLAN Hopping Attacks © Train Signal. 2002-2007 Securing the Switches • • • • • • Introduction to AAA Port Security & Dot1x Port-Based Authentication SPAN VLAN ACLs Private VLANs DHCP Snooping. positively need it.not every user needs the same level of access to potentially destructive commands.docudesk. Inc. © Train Signal. and just about any other value you can think of! If you change a port setting and the EC comes down. • Grant remote access only to those who absolutely. and switches up! This is the most basic form of network security. Inc.lock those servers. native VLAN.com 51 .change the port setting back! © Train Signal. routers. • Passwords .Trial :: http://www.

we authorized that user to pretty much do what they want to do. a UDP service) or TACACS+ servers (Terminal Access Controller Access Control System.AAA • You may have heard or read the acronym AAA in Cisco switch documentation. This stands for Authentication. 2002-2007 Accounting • For some of us. but you're already working with AAA. and when we granted one of our Telnet users privilege level 15.Trial :: http://www. Assigning the right to perform given tasks is Authorization. a method list must be defined: © Train Signal.. TACACS+ can be configured to force the user to be authenticated for any of the tasks seen here in IOS Help. Inc. As with the previous AAA services.com 52 . "A".Accounting. © Train Signal. We're going to look at a basic switch config that could get us started with either.. • Both RADIUS and TACACS+ offer a lot of options. and Accounting . First.) © Train Signal. 2002-2007 Authorization • The second A is Authorization. anyway! • The passwords we've set here are part of Authentication. a TCP service). As in. we've got to enable AAA on the switch. Inc. 2002-2007 PDF Created with deskPDF PDF Writer .. "holding people accountable for what they do!" • Accounting will use a RADIUS or TACACS+ server to track user activity. While RADIUS is limited in the different levels of authorization. this is the best part of AAA . and we've already configured a little of that as well. We can also use RADIUS servers (Remote Authentication Dial-In User Service. (This is not required if only the local database will be used. and this local database of passwords is just one method of authenticating users. Authorization.docudesk.and you didn't know it. Inc. Well.

Inc.aaaa.Port Security • Here's another basic security feature that's regularly overlooked. 2002-2007 PDF Created with deskPDF PDF Writer . it will shut down.cccc.by default. but is very powerful. What if you allow for more secure MAC address than you actually configure manually.. 2002-2007 Little “gotcha” • There is a little "gotcha" with port security that you need to be aware of. the port will take action .1x ports © Train Signal. Port security uses a host's MAC address as a password. 2002-2007 Port Security Feature • Port security is a great feature.docudesk. Inc.cccc port-security port-security maximum 3 port-security mac-address port-security mac-address © Train Signal.com 53 . There are a few port types that you can't configure with port security: – – – – trunk ports ports placed in an Etherchannel destination SPAN port 802. You can specify the number of secure MAC addresses. as shown below? SW1(config-if)#switchport SW1(config-if)#switchport SW1(config-if)#switchport aaaa. and you can specify secure MAC addresses as well. but you can't run it on all ports. Inc.Trial :: http://www. © Train Signal. and if a device with a different MAC address sends frames to the switch on that port..aaaa SW1(config-if)#switchport cccc..

• A port in force-unauthorized state literally has the port unable to authorize any client . since most other switch features don't require anything of the host. © Train Signal.docudesk. © Train Signal.even clients who could otherwise successfully authenticate! • The auto setting enables dot1x on the port. Inc. The name refers to IEEE 802. 2002-2007 EAPOL. does just what it sounds like . once the user authenticates.you can't use TACACS or TACACS+. normal transmission and receiving can begin. That's a major departure from many of the switch features we've studied to date. this is the most common setting. all traffic can be received and transmitted through this port. • One major difference between dot1x port-based authentication and port security is that both the host and switch port must be configured for 802. Unusually enough. Only the necessary EAPOL frames will be sent and received while the port's unauthorized. but we can take it a step further with dot1x port-based authentication.. which will begin the process as unauthorized. Usually the PC isn't aware of what the switch is doing. Inc. there is no authentication on this port type..Trial :: http://www. Basically. STP and CDP • Until the user is authenticated.. Not this time! © Train Signal. the standard upon which this feature is based. but authentication is not required. the Cisco authentication server must be RADIUS .1x EAPOL (Extensible Authentication Protocol over LANs). 2002-2007 PDF Created with deskPDF PDF Writer . Not surprisingly. Inc.it forces the port to authorize any host attempting to use the port. Once the authentication is complete. only the following protocols can travel through the port: – EAPOL – STP – CDP • By default.Dot1x Port-Based Authentication • Port security is good. the default.1x. 2002-2007 Force-authorized • Force-authorized.com 54 . and doesn't need to know.

© Train Signal. VLAN-based SPAN (VSPAN) would be in effect. but more powerful switches can run as many as 64 sessions at once. Inc.. 2002-2007 Command monitor session • The command monitor session starts a SPAN session. Cat 3550s and 2950s support only two. Inc.. we're running Local SPAN.com 55 . Inc. (In some Cisco documentation. because there are several different versions of SPAN. © Train Signal. 2002-2007 Local SPAN • In the previous example. © Train Signal.Trial :: http://www. though. the destination port is referred to as the monitor port. 2002-2007 PDF Created with deskPDF PDF Writer . but the number of simultaneous sessions you can run differs from one switch platform to another.SPAN • SPAN allows the switch to mirror the traffic from the source port(s) to the destination port to which the network analyzer is attached.) • SPAN works very well. It's the location of the source ports that determines the SPAN version that needs to run on the switch. Studying SPAN for exams and network usage can seem complicated at first. since the destination and source ports are all on the same switch.. The sessions are totally separate operations. along with allowing the configuration of the source and destination. The versions are much the same. the real difference comes in when you define the source ports. and the basic operation is simple. If the source was a VLAN rather than a collection of physical ports.docudesk. though.

FastEthernet. but the commands are not the same on each. • A source port can be any port type .docudesk. – The source and destination must be defined on both the switch with the source port and the switch connected to the network analyzer. © Train Signal. simultaneous SPAN sessions. • A source port can be part of an Etherchannel. © Train Signal. © Train Signal. 2002-2007 Source port notes: • A source port can be monitored in multiple. • A source port cannot be configured as a destination port. but there are some factors you need to consider when configuring RSPAN: – If there were intermediate switches between the two shown in the above example. Inc. Inc.Trial :: http://www. they would all need to be RSPAN-capable.com 56 . – VTP treats the RSPAN VLAN like any other VLAN. VTP Pruning will also prune the RSPAN VLAN under the same circumstances that it would prune a "normal" VLAN.Ethernet.... It will be propagated throughout the VTP domain if configured on a VTP server. Inc. Otherwise. etc. it's got to be manually configured on every switch along the intermediate path.RSPAN Configuration – Part 1 • RSPAN configuration is simple. 2002-2007 PDF Created with deskPDF PDF Writer . 2002-2007 RSPAN Configuration Part 2 – MAC address learning is disabled for the RSPAN VLAN.

2002-2007 PDF Created with deskPDF PDF Writer . This is Enhanced SPAN. many uses! Access lists do have their limitations. © Train Signal. You'll still see it occasionally.com 57 . VTP. you're very familiar with access lists and their many.Ternary Content Addressable Memory .docudesk. though. it can't do anything about traffic from one host in a VLAN to another host in the same VLAN.. © Train Signal.cuts down on the number of lookups required to compare a packet against an ACL. CDP. or DTP. You know that the CAM (Content Addressable Memory) table holds the MAC addresses that the switch has learned. and some of Cisco's documentation mentions that this term has been used so often to describe different additions that the term has lost meaning.. you may see the term "ESPAN" in some SPAN documentation. While an ACL can filter traffic traveling between VLANs. but it doesn't refer to any specific addition or change to SPAN. but the TCAM . 2002-2007 Access lists • At this point in your Cisco studies. • A destination port doesn't participate in STP. Inc. • Why not? It relates to how ACLs are applied on a multilayer switch. © Train Signal. 2002-2007 ESPAN • Finally.Trial :: http://www. many. • A destination port cannot be part of an Etherchannel. Inc. PaGP.. • A destination port can participate in only one SPAN session. Inc.Destination port notes: • A destination port can be any port type. LACP. • A destination port cannot be a source port.

I mentioned that ACL processing in multilayer switches is performed in hardware.they're applied in global configuration mode. © Train Signal. If traffic is not expressly forwarded. If the hardware hits its storage limit for ACL configs. resulting in even more packets begin sent to the CPU. the switch performance can degrade. • A routing ACL can be applied to a SVI to filter inbound and/or outbound traffic just as you would apply one to a physical interface.) © Train Signal. 2002-2007 PDF Created with deskPDF PDF Writer .. Inc. Inc. should be filtered with VACLs • VACLs run from top to bottom. 2002-2007 Possible Side Effect – Part 1 • A Possible Side Effect Of Performing ACL Processing In Hardware – At the beginning of the VACL section. They are still active while being edited.Trial :: http://www. (I've seen that.. and it's ugly.docudesk. but VACLs are not applied in that way . There will still be some traffic that is sent to the CPU for software processing.Additional notes and tips regarding VACLs – Part 1 • Bridged traffic. as well as non-IP and non-IPX traffic. 2002-2007 Additional notes and tips regarding VACLs – Part 2 • Only one VACL can be applied to a VLAN • The sequence numbers allow you to go back and add lines without rewriting the entire VACL. and run until a match occurs • VACLs have an implicit deny at the end.com 58 .. Inc. The VACL equivalent of "permit all" is an "action forward" clause with no match criterion. Avoid it. as shown in the previous example. and that forwarding rate is much lower than the rate for the traffic forwarded by the switch hardware. it's implicitly dropped! © Train Signal.

Inc.com 59 . including other hosts in its own secondary VLAN -this is an isolated private VLAN © Train Signal. not the hardware. the host can also communicate with other hosts in that private VLAN. which is going to have one of two results: – The host will be able to communicate with other hosts in the secondary VLAN and with the primary VLAN. Inc. and they may surprise you: • Excessive logging • Use of ICMP Unreachable messages – Use the log option with care.. © Train Signal.this is promiscuous mode.. the router is located off a switch port that has been configured as a private VLAN port.Possible Side Effect – Part 2 – Cisco's website lists two other factors that may result in too many packets being sent to the CPU. This is the recommended mode for ports connected to gateway devices.Trial :: http://www. Logging must be performed by the switch software. but not with hosts in other secondary VLANs . such as the router seen below. There are options here as well: – The device connected to the private VLAN port can communicate with any device connected to any primary or secondary VLAN .this is a community private VLAN – The host can communicate with the primary VLAN. Inc. 2002-2007 Private VLANs • This may well be the ultimate in filtering VLAN traffic! Hosts can be placed into a secondary VLAN. 2002-2007 Example • In the following example. If the host is configured as part of a community private VLAN. but with no other hosts. 2002-2007 PDF Created with deskPDF PDF Writer . – The host connected to the port is on either type of private VLAN (isolated or community). © Train Signal..docudesk. and can communicate with devices found off other promiscuous ports.

docudesk..trusted and untrusted.in this case. • From your CCNA studies. the switch considers all ports untrusted . This happens through ARP Cache Poisoning.. © Train Signal. • By default. you know all about Address Resolution Protocol and how it operates. it listens for DHCPOffer packets .com 60 . Not only will DHCP messages received on untrusted interfaces be dropped by the switch. but something as innocent as DHCP can be used for network attacks. 2002-2007 Dynamic ARP Inspection • Just as we must protect against rogue DHCP servers.DHCP Snooping – Part 1 • It may be hard to believe.which means we better remember to configure the switch to trust some ports when we enable DHCP Snooping! © Train Signal. Inc. (This is also known as ARP Spoofing . • DHCP messages received on trusted interfaces will be allowed to pass through the switch..Trial :: http://www.and as we know. we have to be wary of rogue ARP users as well. Inc. 2002-2007 DHCP Snooping – Part 2 • DHCP Snooping allows the switch to serve as a firewall between hosts and untrusted DHCP servers. A rogue device can overhear part of the ARP process in action and make itself look like a legitimate part of the network. The potential for trouble starts when a host sends out a DHCPDiscovery packet. the interface itself will be placed into err-disabled state. 2002-2007 PDF Created with deskPDF PDF Writer .) • ARP Cache Poisoning starts innocently enough . DHCP Snooping classifies interfaces on the switch into one of two categories . through the basic ARP process on a switch. Inc.be aware of both names for your exam. the host will accept the first Offer it gets! © Train Signal.

the ARP message is dropped. • If the interface has been configured as trusted.docudesk.Trial :: http://www. DAI allows the ARP message to pass through without checking the database of trusted mappings.. Inc. © Train Signal. • Once the IP-MAC address database is built. 2002-2007 Trusted/untrusted port configuration • Cisco's recommended trusted/untrusted port configuration is to have all ports connected to hosts run as untrusted and all ports connected to switches as trusted. Since DAI runs only on ingress ports. this configuration scheme ensures that every ARP packet is checked once.The rogue host • The rogue host has effectively placed itself into the middle of the communication. When the rogue host does the same for an ARP Request being sent from Host B to Host A. and static ARP configurations can be used by DAI as well. all communications between Host A and Host B will actually be going through the rogue host. • Enabling Dynamic ARP Inspection (DAI) prevents this behavior by building a database of trusted MAC-IP address mappings.com 61 . 2002-2007 PDF Created with deskPDF PDF Writer . DAI is performed as ARP messages are received.. every single ARP Request and ARP Reply received on an untrusted interface is examined. leading to the term man in the middle for this kind of network attack. © Train Signal. Inc. However. untrusted ports in DAI do not automatically drop ARP Requests and Replies. but no more than that. © Train Signal. If the ARP message has an approved MAC-IP address mapping. This database is the same database that is built by the DHCP Snooping process. just as DHCP Snooping does. the message is forwarded appropriately. Inc.. 2002-2007 Trusted and untrusted ports • DAI uses the concept of trusted and untrusted ports. • There is no problem with running DAI on trunk ports or ports bundled into an Etherchannel. not transmitted. if not.

.. As the switch's MAC address table capabilities are exhausted. Inc. the MAC address table fills to capacity. When the client successfully acquires an IP address from the DHCP Server. © Train Signal.docudesk. the only traffic that can reach that host are DHCP packets. • As with DAI. all unpleasant: • As mentioned.IP Source Guard • We can use IP Source Guard to prevent a host on the network from using another host's IP address. © Train Signal. 2002-2007 MAC Address Flooding Attacks • Since ARP. and DHCP all have potential security issues. Inc. • The large number of unnecessary broadcasts quickly consumes bandwidth as well as overall switch resources. we can't leave MAC addresses out because network attackers sure won't do so! • A MAC Address Flooding attack is an attempt by a network intruder to overwhelm the switch memory reserved for maintenance of the MAC address table. 2002-2007 This has three side effects.and this results in those valid frames being broadcast instead of unicast. 2002-2007 PDF Created with deskPDF PDF Writer .all of them invalid.including the port the intruder is using. © Train Signal. • The intruder generates a large number of frames with different source MAC addresses . since the unnecessarily broadcasted packets will be sent out every port on the switch .Trial :: http://www. DHCP Snooping must be enabled before enabling IP Source Guard.. • The intruder can easily intercept packets with a packet sniffer. When the host first comes online and connects to an untrusted port on the switch. preventing legitimate entries from being made. Inc. IP addresses. valid entries cannot be made .com 62 . and uses the DHCP Snooping database to carry out this operation. the switch makes a note of this IP address assignment. IP Source Guard works in tandem with DHCP Snooping.

port-based authentication and port security.the key is to keep them out in the first place.com 63 .. • The term "native VLAN" tips us off to the third requirement . As you'll see in our example.dot1q must be the trunking protocol in use.Trial :: http://www. but it's quite the opposite. 2002-2007 Double Tagging • One form of VLAN Hopping is double tagging. © Train Signal. since ISL doesn't use the native VLAN.MAC Address Flooding • You can combat MAC Address Flooding with two of the features we addresses earlier in this section . Inc. © Train Signal. • The VLAN used by that access port must be the native VLAN. © Train Signal. Inc.that stops this version of VLAN Hopping right in its tracks. 2002-2007 PDF Created with deskPDF PDF Writer .docudesk. Inc. VLAN Hopping has been used for network attacks ranging from Trojan horse virus propagation to stealing bank account numbers and passwords. so named because the intruder will transmit frames that are "double tagged" with two separate VLAN IDs.. The key isn't to fight the intruder once they're in our network .. 2002-2007 VLAN Hopping • VLAN Hopping seems innocent enough. we reduce the potential for an intruder to unleash a MAC Address Flooding attack on our network. certain circumstances must exist for a double tagging attack to be successful: • The intruder's host device must be attached to an access port. That's why you often see the native VLAN of a network such as the one above set to a VLAN that no host on the network is a member of . By making sure our host devices are indeed who we think they are.

2002-2007 Multilayer Switching • • • • Route Caching.. this hardware switching is performed by a router processor (or L3 engine).com 64 . Switch spoofing is another variation of VLAN Hopping that is even worse than double tagging. This processor must download routing information to the hardware itself.. • Many Cisco switch ports now run in dynamic desirable mode by default. which means that a port is sending out Dynamic Trunking Protocol frames in an aggressive effort to form a trunk. VRRP. © Train Signal. because this version allows the rogue to pretend to be a member of *all* VLANs in your network. © Train Signal. or the newer Cisco Express Forwarding (CEF).. I mean "legacy" Multilayer Switching (MLS). since the switch doesn't really know what kind of device is receiving the DTP frames.docudesk.. Inc. 2002-2007 What Is Multilayer Switching? • Multilayer switches are devices that switch and route packets in the switch hardware itself. Inc. GLBP) • Server Load Balancing (SLB) © Train Signal. A good phrase to describe a multilayer switch is "pure performance" these switches can perform packet switching up to ten times as fast as a pure L3 router. • When it comes to Cisco Catalyst switches. To make this hardware-based packet processing happen.Switch Spoofing • Notice that I said "this version". Cat switches will run either the older. Inc. A potential problem exists.um. IRDP.. Cisco Express Forwarding Inter-VLAN Routing & SVIs Fallback Bridging Router Redundancy Protocols (HSRP.Trial :: http://www.. 2002-2007 PDF Created with deskPDF PDF Writer .

© Train Signal. and packets on the same flow will share the same protocol. the switching engine snoops in on that packet and the destination. there are actually two flows of traffic. this topology-based switching method requires special hardware. if a source is sending both WWW and TFTP packets to the same destination.Trial :: http://www. • Now. Inc. it's the ASICs that perform this L2 address overwriting. Primarily designed for backbone switches. • CEF can't be configured on 2950 switches. This method may be more familiar to you as NetFlow switching. though. With multilayer switching. Route caching devices have both a routing processor and a switching engine. 2002-2007 Cisco Express Forwarding • Cisco Express Forwarding (CEF) is a highly popular method of multilayer switching. and is also easier on a switch's CPU than route caching. You know from your CCNA studies that while the IP source and destination address of a packet will not change during its travels through the network. © Train Signal.ASICs • Application-Specific Integrated Circuits (ASICs) will perform the L2 rewriting operation of these packets.docudesk. The MLS cache entries support such unidirectional flows. • CEF has two major components . 2002-2007 Route Caching • The first multilayer switching (MLS) method is route caching. Inc.com 65 .. © Train Signal. That is. Inc.. the L2 source and addresses may and probably will.. and that improvement is Cisco Express Forwarding.the Forwarding Information Base and the Adjacency Table. • There's always room for improvement from the first implementation of anything. 2002-2007 PDF Created with deskPDF PDF Writer . CEF is highly scalable. but you will see it on 3550s and several other higher-numbered series. The routing processor routes a flow's first packet. what exactly does a "flow" consist of? A flow is a unidirectional stream of packets from a source to a destination. so it's not available on all L3 switches. and the switching engine takes over and forwards the rest of the packets in that flow.

.Trial :: http://www. © Train Signal. Trying to view the FIB of a switch with IP routing not enabled results in this console readout. • Once the appropriate L3 and L2 next-hop addresses have been found. however. to the MAC address on the MLS switch interface that transmits the packet.com 66 . Inc. CEF is hardware-based. and you can't turn it off.the destination networks.that's going to be changed to the next-hop destination. 2002-2007 Enabling DEF • Enabling CEF is about as simple as it gets.. Remember. As adjacent hosts are discovered via ARP. the MLS is just about ready to forward the packet. the FIB is really just the IP routing table in another format. and that includes changing the L2 destination MAC address . but what of the L2 information we need? That's found in the Adjacency Table (AT).. • The FIB's contents will mirror that of the IP routing table actually. You can view the FIB with the show ip cef command. but it's not found in a typical routing table. CEF-enabled switches keep a Forwarding Information Base (FIB) that contains the usual routing information . that next-hop L2 information is kept in this table for CEF switching. CEF is on by default on any and all CEF-enabled switches. © Train Signal. The MLS will make the same changes to the packet as a router normally would. their masks. etc .DEF-Enabled Devices • CEF-enabled devices the same routing information that a router would. 2002-2007 FIB • The FIB takes care of the L3 routing information. The L3 destination will remain the same. not software-based. There's no such command! • A multilayer switch must have IP routing enabled for CEF to run.docudesk.and CEF will use the FIB to make L3 prefix-based decisions. as I'm sure you remember from your CCNA studies. the next-hop IP addresses. Inc. (The L2 source address will change as well.. Inc. 2002-2007 PDF Created with deskPDF PDF Writer .. so it's not a situation where running "no cef" on a switch will disable CEF.) © Train Signal.

. not every L3 switch can run CEF. and I know you won't be surprised to find they are also referred to by several different names. and then after enabling IP routing.0/24 receive 255.. 2002-2007 The Control Plane And The Data Plane • These are both logical planes found in CEF multilayer switching. which makes the FIB and AT creation possible.0.0.0. • These all refer to the control plane: – – – "CEF control plane" "control plane" "Layer 3 engine" or "Layer 3 forwarding engine" • The control plane's job is to first build the ARP and IP routing tables.. the data plane is also called by several different names: – – – "data plane" "hardware engine" "ASIC" © Train Signal. 2002-2007 L3 Switching • As with several advanced L3 switching capabilities. Keep in mind that switches that do support CEF do so by default.255. Inc. © Train Signal. and CEF can't be turned off on those switches! • CEF does support per-packet and perdestination load balancing.255/32 receive Interface © Train Signal..255. the 2900XL and 3500XL do not support CEF. 2002-2007 PDF Created with deskPDF PDF Writer .0. For instance.0. SW2(config)#ip routing SW2#show ip cef Prefix Next Hop 0. but again does not do so on all multilayer switches.Trial :: http://www.0/4 drop 224.0/32 receive 224.0.com 67 . Inc.. Inc.docudesk. • In turn. Be sure to check your switch's capabilities before purchasing.Example SW2#show ip cef %IPv4 CEF not running .

The name is the recipe the CEF workload is distributed over multiple CPUs.3 Ethernet packets – – • Note that packets with TCP header options are still switched in hardware. Here are just a few of the packet types that must be software switched: Packets with IP header options Packets that will be fragmented before transmission (because they're exceeding the MTU) – 802. Inc. © Train Signal. 2. 2002-2007 PDF Created with deskPDF PDF Writer . here's the order: 1.. CEF 3.but these tortoises are not going to win a race.. but it's the data plane that does the actual work! It's the data plane that places data in the L3 switch's memory while the FIB and AT tables are consulted.Tables for L3 Switching • The control plane builds the tables necessary for L3 switching.docudesk. it's the IP header options that cause trouble! © Train Signal. Inc. That Is) • Exception packets are packets that cannot be hardware switched. According to Cisco's website.. 2002-2007 Exceptions To The Rule (Of L3 Switching. then nextfastest. 2002-2007 Switching Options • With so many switching options available today. Distributed CEF (DCEF). and so on.com 68 . and then performs any necessary encapsulation before forwarding the data to the next hop. Fast Switching 4.software switching! Comparing hardware switching to software switching is much like comparing the hare to the tortoise . Inc. which leaves us only one option .Trial :: http://www. Process Switching © Train Signal. it's hard to keep up with which option is fastest.

2002-2007 PDF Created with deskPDF PDF Writer .. (The port on the router needs to be a FastEthernet port. Configuring router-on-a-stick is one way to get inter-VLAN communication going.no router-on-a-stick needed! © Train Signal. © Train Signal. that's the end of your inter-VLAN traffic.Inter-VLAN Communication – Part 1 • Since you learned in your CCNA studies that switching only happens on switches and routing only happens on routers. If that FastEthernet port goes down. 2002-2007 Inter-VLAN Communication – Part 2 • Router-on-a-stick does put an extra load on the router's processor as well. Inc. and it requires only a single physical connection from the router to the switch. a Catalyst 5000 switch's RSM takes the place of an external router . For example. but we also have the option of using a switch with an internal route processor or Route Switch Module (RSM).Trial :: http://www. Inc. but it does have its drawbacks. 2002-2007 Configuring traffic • Bringing an external router into the picture is one method of configuring inter-VLAN traffic. remember.. so you have to be careful as to which router in your network you select for this job. I can tell you that it works beautifully. • The biggest concern I have personally with ROAS is that the router becomes a single point of failure. you also learned that a router has to get involved for interVLAN communication.. Depending on how many VLANs are involved in this configuration.) • Having configured router-on-a-stick many times.docudesk. they may not get all the bandwidth they need. Inc. © Train Signal.com 69 .

2002-2007 Important Details • As always. Inc. To configure a port as a routing port. but they're not the same thing.. © Train Signal.Trial :: http://www. 2002-2007 L2 Mode • Remember. there are some simple but important details to keep in mind when configuring SVIs. and that VLAN must be active at the time of SVI creation – Theoretically. the ports on a multilayer switch will all be running in L2 mode by default. 2002-2007 PDF Created with deskPDF PDF Writer . followed by the appropriate IP address. you need to open the SVI with no shut just as you would open a physical interface after configuring an IP address – Remember that the VLAN and SVI work together.docudesk. use the no switchport command... Creating a VLAN doesn't create an SVI. Inc. Inc. © Train Signal.Step One • Step One In L3 Switching Troubleshooting: • Make Sure IP Routing Is On! © Train Signal.com 70 . – You need to create the VLAN before the SVI. and creating an SVI doesn't create a VLAN.

. Inc. 2002-2007 PDF Created with deskPDF PDF Writer . 2002-2007 Redundancy – Part 1 • In networking. For true network redundancy. 2002-2007 Commands • To create a bridge group: MLS(config)# bridge-group 1 • To join a SVI to a bridge group: MLS(config)#interface vlan 10 MLS(config-if)#bridge-group 1 © Train Signal. we need two things: – A secondary router to handle the load when the primary goes down – A protocol to get the networks using that secondary protocol as soon as possible © Train Signal. in the case of SNA and LAT. you'll need fallback bridging to get this traffic from one VLAN to another. and the SVIs will have to be added to these bridge groups. LAT. are nonroutable protocols.com 71 . Hosts are relying on that router as a gateway to send packets to remote networks..Trial :: http://www. and AppleTalk are either not supported by CEF or.Fallback Bridging • Odds are that you'll never need to configure fallback bridging. © Train Signal. • Fallback bridging involves the creation of bridge groups. we've obviously got real problems. If you're running any of these on an CEF-enabled switch. If a router goes down. Inc. SNA. Inc..docudesk. but it falls under the category of "it couldn't hurt to know it". we'll take as much redundancy as we can get. CEF has a limitation in that IPX.

. physical router as the default gateway. 2002-2007 ICMP Router Discovery Protocol • Defined in RFC 1256. Inc. In the following example. asking IRDP routers to send Router Advertisement packets. 2002-2007 PDF Created with deskPDF PDF Writer . but how they get there is another story. © Train Signal. it will choose one as its primary and will start using the other router if the primary goes down.Trial :: http://www. but you do see it in Cisco routers as well. • Hosts may also generate Router Solicitation messages.2 as their default gateway.com 72 .1 or 172. 2002-2007 IRDP • IRDP does not involve a virtual router of any kind . • To enable IRDP on a router's interface. not the IP and MAC address of a virtual router. the PCs will choose either 172. just use the ip irdp command.12.. It's a story you can expect to be asked about quite a bit on your exam. If a host hears from more than one IRDP router. they will be using the IP and MAC address of a real. © Train Signal.12. IRDP is commonly used by Windows DHCP clients and several Unix variations.docudesk.after all.1.Redundancy – Part 2 • That second point is so important that Cisco currently offers four separate protocols to expedite the cutover to the secondary router.. Inc. Inc. so let's get to work and hit the details of these four redundancy strategies. IRDP is an extension of ICMP . usually at startup. MLS(config)# interface serial0 MLS(config-if)# ip irdp © Train Signal. These methods have much the same end result. it is the ICMP Router Discovery Protocol! • IRDP routers will generate Router Advertisement packets that will be heard by hosts on that segment.when hosts transmit data.1.

© Train Signal. However. © Train Signal. though! By configuring multiple HSRP groups on a single interface. and that primary will handle the routing while the other routers are in standby. the group number is 5. we'd see 11 at the end of the MAC address .docudesk. HSRP is a Cisco-proprietary protocol in which routers are put into an HSRP router group.one unit of 16. That's a good skill to have for the exam. but not a MAC address.. They're communicating with a pseudorouter. most of the work is already done before the configuration is even begun.Trial :: http://www. and xx is the group number in hexadecimal.com 73 . • One of the routers will be selected as the primary. HSRP is considered a high-availability network service. © Train Signal.HSRP – Part 1 • Defined in RFC 2281. In this fashion. • In this example. HSRP load balancing can be achieved. How did the HSRP process arrive at a MAC of 00-00-0c-07-ac-05? • Well. which is expressed as 05 with a two-bit hex character. Inc. one unit of 1. there is a MAC address under the show standby output on R3. 2002-2007 PDF Created with deskPDF PDF Writer .. The MAC address 00-00-0c-07ac-xx is HSRP's well-known virtual MAC address. Inc. If the group number had been 17. a "virtual router" created by the HSRP configuration. Inc. 2002-2007 HSRP – Part 2 • The hosts using HSRP as a gateway don't know the actual IP or MAC addresses of the routers in the group. since it routes IP traffic without relying on a single router.. HSRP ensures a high network uptime. ready to handle the load if the primary router becomes unavailable. This virtual router will have a virtual MAC and IP address as well. • The standby routers aren't just going to be sitting there. Along with dynamic routing protocols and STP. so make sure you're comfortable with hex conversions. the active router. 2002-2007 IP Address and Virtual Router • An IP address was assigned to the virtual router. since all three have an almost immediate cutover to a secondary path when the primary path is unavailable.

Inc. but HSRP speakers in the same group should have the same timers. Inc. they're wrong .Trial :: http://www.you just have to use the preempt option on the standby priority command. 2002-2007 Priority • Another key value in the show standby command is the priority. © Train Signal. • What you do not have to do is configure the preempt command if you want the standby to take over as the active router if the current active router goes down. That's the default behavior of HSRP. but it's doubtful you'll ever need to do that. So if anyone tells you that you have to take a router down to change the Active router. 2002-2007 PDF Created with deskPDF PDF Writer . We'll raise the default priority on R2 and see the results. 2002-2007 Local State Change • In just a few seconds. with a 10-second holdtime. © Train Signal.docudesk. These values can be changed with the standby command. The router with the highest priority will be the primary HSRP router.. You can even tie down the hello time to the millisecond. Show standby confirms that R2. a message appears that the local state has changed from standby to active. © Train Signal. Inc. as shown in both show standby outputs..com 74 . The preempt command is strictly intended to allow a router to take over as the active router without the current active router going down.the primary. R3 is now the standby. with the router with the highest IP address on an HSRP-enabled interface becoming the primary if there is a tie on priority..HSRP Speakers • The output of the show standby command also tells us that the HSRP speakers are sending Hellos every 3 seconds. the local router. The default is 100. is now the active router .

Inc. but Fast Ethernet switches will have either the EMI or Standard Multilayer Image (SMI). Some HSRP documentation states that Token Ring interfaces can support a maximum of three HSRP groups. R2 will be the primary for Group 1 and R3 will be the primary for Group 2. Gig Ethernet switches will have that image. (In production networks.. The SMI can be upgraded to the EMI. and FDDI LANs.docudesk. there will be two HSRP groups created for the one VLAN. Just make sure you're not duplicating a MAC address that's already on your network! © Train Signal. you can configure HSRP on routed ports. and Layer 3 portchannels (an Etherchannel with an IP address). 2002-2007 PDF Created with deskPDF PDF Writer . Let's say we have six hosts and two separate HSRP devices. though! • HSRP can run on Ethernet... you'll need to check the documentation for your software.com 75 . 2002-2007 Some other HSRP notes • HSRP updates can be authenticated by using the standby command with the authentication option.Standby macaddress command • On rare occasions. SVIs. but it's not quite the load balancing you've learned about with some dynamic protocols. you may have to change the MAC address assigned to the virtual router. Inc. • HSRP requires the Enhanced Multilayer Software Image (EMI) to run on an L3 switch. 2002-2007 Load Balancing with HSRP • We can do some load balancing with HSRP. Check your documentation. Not for free. because not all hardware platforms support multiple groups. Token Ring. © Train Signal. For HSRP load balancing.) © Train Signal. This is done with the standby mac-address command. • If you're configuring HSRP on a multilayer switch.Trial :: http://www. Inc.

At this point. Inc. 3000. others do not. 2002-2007 PDF Created with deskPDF PDF Writer . and sends Hello messages. • Initial (Init) -. • Standby -.The router now knows the virtual IP address. © Train Signal.HSRP States • Disabled .Some HSRP documentation lists this as a state. and it doesn't know the IP address of that router. Disabled means that the interface isn't running HSRP yet.. 2002-2007 Multiple HSRP Groups • Note that an HSRP router doesn't send Hellos until it reaches the Speak state. and 4000 routers do not have this capability. I don't consider it one. it's pretty bright. and note that this command indicates that there's a problem with one of the virtual IP addresses! © Train Signal. does not yet know which router is the active router.The router is now a candidate to become the active router.. Inc. 2002-2007 Speak.. but Cisco may. HSRP is not yet running on a router in Initial state. the router has a lot to learn! A router in this state has not yet heard from the active router. Always verify with show standby.docudesk. © Train Signal.) • Listen -. but is not the primary or the standby router. Standby and Active • Speak -.The router is now forwarding packets sent to the group's virtual IP address. Inc. It's listening for hello packets from those routers. either. • There's also no problem with configuring an interface to participate in multiple HSRP groups on most Cisco routers. It will continue to send Hellos in the Standby and Active states as well. Other than that.The router goes into this state when an HSRPenabled interface first comes up.com 76 .Trial :: http://www. • Learn -.The router is now sending Hello messages and is active in the election of the primary and standby routers. Some 2500. • Active -. .

ac05 (v1 default) Hello time 3 sec...Group 5 © Train Signal.34. Inc. When that interface's line protocol shows as "down". This can lead to another HSRP router on the network becoming the active router . hold time 10 sec Preemption disabled Active router is unknown Standby router is unknown Priority 100 (default 100) IP redundancy name is "hsrp-Fa0/0-1" (default) FastEthernet0/0 .12.0c07. 2002-2007 Show Standby Command – Part 2 State is Init (virtual IP in wrong subnet) Virtual IP address is 172.10 Active virtual MAC address is unknown Local virtual MAC address is 0000. hold time 10 sec Preemption disabled Active router is unknown Standby router is unknown Priority 100 (default 100) IP redundancy name is "hsrp-Fa0/0-5" (default) © Train Signal. Inc.10 (wrong subnet for this interface) Active virtual MAC address is unknown Local virtual MAC address is 0000. the HSRP priority of the router is reduced. © Train Signal..docudesk.Show Standby Command – Part 1 R1#show standby FastEthernet0/0 . 2002-2007 HSRP Interface Tracking • Using interface tracking can be a little tricky at first. Basically. the status of this interface will dynamically change the HSRP priority for a specified group.com 77 . 2002-2007 PDF Created with deskPDF PDF Writer .Trial :: http://www.23.Group 1 State is Listen Virtual IP address is 172.ac01 (v1 default) Hello time 3 sec. but it's a feature that can really come in handy. this feature enables the HSRP process to monitor an additional interface.but that other router must be configured with the preempt option.12.0c07. Inc.

HSRP can be configured to drop R2's priority if the line protocol of R2's Serial0 interface goes down. (The default decrement in the priority when the tracked interface goes down is 10..com 78 . making R3 the primary router. Inc. Inc.23. R3 has the default priority of 100.23. R2 will therefore be handling all the traffic sent to the virtual router's IP address of 172.872 secs Preemption disabled Active router is local Standby router is unknown Priority 100 (default 100) IP redundancy name is "hsrp-Fa0/0-1" (default) © Train Signal.Group 1 State is Active 2 state changes..ac01 Local virtual MAC address is 0000. last state change 01:08:58 Virtual IP address is 172. © Train Signal. the hosts will be unable to reach the server farm. R2 is the primary due to its priority of 105. but there is a potential single point of failure.Trial :: http://www. 2002-2007 Example – Part 1 R1#show standby FastEthernet0/0 . That's fine. If R2's Serial0 interface fails.10.0c07.12. 2002-2007 PDF Created with deskPDF PDF Writer .Default Priority • In the following network. hold time 10 sec Next hello sent in 2.0c07.) © Train Signal. Inc.12.ac01 (v1 default) Hello time 3 sec. 2002-2007 Priority/decrement value Problem • The #1 problem with an HSRP Interface Tracking configuration that is not working properly is a priority / decrement value problem.docudesk..10 Active virtual MAC address is 0000.

Inc.. changed state to up R1# *Apr 9 20:15:14.543: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0.542: HSRP: Fa0/0 API MAC address update *Apr 9 20:15:10. Inc.554: HSRP: Fa0/0 API Add active HSRP addresses to ARP table R1# *Apr 9 20:15:11. changed state to up R1# *Apr 9 20:15:12..550: HSRP: Fa0/0 API Add active HSRP addresses to ARP table *Apr 9 20:15:10. hold time 10 sec Preemption disabled Active router is unknown Standby router is unknown Priority 75 (default 100) Track interface Serial0/0 state Down decrement 25 IP redundancy name is "hsrp-Fa0/0-5" (default) © Train Signal.12..485: HSRP: Fa0/0 Interface min delay expired *Apr 9 20:15:14. 2002-2007 PDF Created with deskPDF PDF Writer .483: HSRP: Fa0/0 Starting minimum interface delay (1 secs) *Apr 9 20:15:13.541: HSRP: API Hardware state change *Apr 9 20:15:12.ac05 (v1 default) Hello time 3 sec.483: HSRP: Fa0/0 Interface up *Apr 9 20:15:13.541: %LINK-3-UPDOWN: Interface FastEthernet0/0.10 (wrong subnet for this interface) Active virtual MAC address is unknown Local virtual MAC address is 0000.485: HSRP: Fa0/0 Grp 1 Init: a/HSRP enabled *Apr 9 20:15:14. Inc.Example – Part 2 FastEthernet0/0 .546: HSRP: Fa0/0 API Software interface coming up *Apr 9 20:15:10. 2002-2007 Debug Example – Part 2 *Apr 9 20:15:13.0c07.545: HSRP: Fa0/0 API Add active HSRP addresses to ARP table © Train Signal.648: %SYS-5-CONFIG_I: Configured from console by console *Apr 9 20:15:12.Group 5 State is Init (virtual IP in wrong subnet) Virtual IP address is 172.541: HSRP: Fa0/0 API Software interface coming up *Apr 9 20:15:12.com 79 .34.485: HSRP: Fa0/0 Grp 1 Init -> Listen *Apr 9 20:15:14. 2002-2007 Debug Example – Part 1 R1#debug standby *Apr 9 20:15:10.docudesk.Trial :: http://www.485: HSRP: Fa0/0 Grp 1 Redundancy "hsrpFa0/0-1" state Init ->Backup © Train Signal.

who will all have their gateway address set to the virtual router's address . However. With GLBP. a WAN interface can be tracked and a router's VRRP priority dropped when that interface goes down. VRRP now has an Object Tracking feature.) This is the router that has the virtual router's IP address as a real IP address on the interface it will receive packets on.0. Inc. I'm sure you can tell that the primary purpose of the Gateway Load Balancing Protocol (GLPB) is just that . – The MAC address of VRRP virtual routers is 00-00-5e-00-01-xx. the hosts think they're sending all of their data to a single gateway. but accurate load balancing is not among them. VRRP is the open-standard equivalent of the Cisco-proprietary HSRP.. © Train Signal. some hosts point to gateway B" business we had with HSRP load balancing. 2002-2007 VRRP – Part 2 – The physical routers in a VRRP Group combine to form a Virtual Router.. – VRRP's equivalent to HSRP's Standby router state is the Backup state. rather than having a primary router handle all of it while the standby routers remain idle.0. 2002-2007 HSRP and VRRP • HSRP and its open-standard relation VRRP have some great features. – As of IOS Version 12.VRRP – Part 1 • Defined in RFC 2338. and is suited to a multivendor environment. – VRRP Advertisements are multicast to 224. GLBP allows every router in the group to handle some of the load in a round-robin format. because GLBP is Ciscoproprietary. – "preempt" is a default setting for VRRP routers. Inc.18. it's not truly load balancing. VRRP works very much like HSRP.the xx is the group number in hexadecimal. GLBP routers will be placed into a router group. Inc. • As with HSRP and VRRP. • GLBP also allows standard configuration of the hosts. The operation of the two is so similar that you basically learned VRRP while going through the HSRP section! There are a few minor differences.com 80 . © Train Signal.3(2)T. a few of which are: – VRRP's equivalent to HSRP's Active router is the Master router. Similar to HSRP's Interface Tracking feature.. and you guessed it . but actually multiple gateways are in use at one time. While both allow a form of load sharing.Trial :: http://www. (Some VRRP documentation refers to this router as the IP Address Owner.docudesk. 2002-2007 PDF Created with deskPDF PDF Writer .none of this "some hosts point to gateway A. © Train Signal.load balancing! It's also suitable for use only on Cisco routers.

the default being round-robin.Trial :: http://www. (If the routers all have the same GLBP priority.Key to GLBP • The key to GLBP is that when a host sends an ARP request for the MAC of the virtual router. • In the following illustrations. The higher the assigned weight. and this router will send back ARP responses containing virtual MAC addresses. The host will then have the IP address of the virtual router and the MAC address of a physical router in the group. • If a host or hosts need the same MAC gateway address every time it sends an ARP request.com 81 . the router with the highest IP address will become the AVG.. © Train Signal. The three hosts will have the same Layer 3 address for their gateway. Inc. 2002-2007 PDF Created with deskPDF PDF Writer . one of the physical routers will answer. accomplishing the desired load balancing while allowing standard configuration on the hosts. but a different L2 address. • Weighted MAC assignments affect the percentage of traffic that will be sent to a given AVF. the three hosts send an ARP request for the MAC of the virtual router. © Train Signal. The virtual MAC addresses are assigned by the AVG as well.. 2002-2007 GLBP’s load balancing • GLBP's load balancing also offers the opportunity to finetune it to your network's needs. the more often that particular router's virtual MAC will be sent to a requesting host. 2002-2007 Active Virtual Gateway • The Active Virtual Gateway (AVG) will be the router with the highest GLBP priority.) © Train Signal. Inc. GLBP offers three different forms of MAC address assignment. a host that sends an ARP request will receive a response containing the next virtual MAC address in line. host-dependent load balancing is the way to go..docudesk. Inc. With round-robin assignments.

1. SLB represents multiple physical servers to hosts as a single virtual server.but there's another helpful service. that does the same for servers.14.1.1. Inc. We'll first add 210.com 82 .Command examples • GLBP is enabled just as VRRP and HSRP are .1.1.10 • To change the interface priority.10 to group 5. use the glbp priority command.. MLS(config-if)# glbp 5 priority 150 MLS(config-if)# glbp 5 preempt © Train Signal. followed by creating the virtual server. The following command will assign the address 172.Trial :: http://www.11 to the server farm: MLS(config)# ip slb serverfarm ServFarm MLS(config-slb-sfarm)# real 210.docudesk. To allow the local router to preempt the current AVG.1. use the glbp preempt command. and CLBP all represent multiple physical routers to hosts as a single virtual router. Inc. MLS(config-if)# glbp 5 ip 172.1.14.1. They're represented to the hosts as the virtual server 210. • The basic operations of SLB involves creating the server farm.. 2002-2007 PDF Created with deskPDF PDF Writer .1. not knowing that they're actually communicating with the routers in ServFarm. three physical servers have been placed into the SRB group ServFarm. and also serves to hide the actual IP addresses of the servers in ServFarm.1. While HSRP. 2002-2007 Server Load Balancing • We've talked at length about how Cisco routers and multilayer switches can work to provide router redundancy . © Train Signal.1.11 MLS(config-slb-real)# inservice © Train Signal. Server Load Balancing. This allows quick cutover if one of the physical servers goes down. 2002-2007 Hosts communication • The hosts will seek to communicate with the server at 210. Inc. VRRP.1. • In the following illustration.by assigning an IP address to the virtual router..

Inc.. those will be the only clients that can connect to the virtual server. The following configuration would allow only the hosts on the subnet 210.. Note that this command uses wildcard masks.0 /24 to connect to the virtual server.1.1..1. The real and inservice commands should be repeated for each server in the server farm.255 © Train Signal. 2002-2007 PDF Created with deskPDF PDF Writer .14 MLS(config-slb-vserver)# inservice © Train Signal. Inc.Trial :: http://www.1. MLS(config-slb-vserver)# client 210. • To create the virtual server: MLS(config)# ip slb vserver VIRTUAL_SERVER MLS(config-slb-vserver)# serverfarm ServFarm MLS(config-slb-vserver)# virtual 210.0. The inservice command is required by SLB to consider the server as ready to handle the server farm's workload.0 0. Inc. with the real command specifying the IP address of the real server.docudesk. 2002-2007 Controlling connections • You may also want to control which of your network hosts can connect to the virtual server.1.com 83 . If hosts or subnets are named with the client command.Creating Server Farm • The first command creates the server farm. 2002-2007 IP Telephony & Cisco IP Phones • • • • • • • IP Phone Basics Voice VLANs Voice QoS DiffServ at L2 & L3 Trusting Incoming Values Basics of AVVID Power Over Ethernet © Train Signal.1.0.

2002-2007 PDF Created with deskPDF PDF Writer .com 84 . another to the phone ASIC. © Train Signal. • Voice and security are the two fastest-growing sectors of our business. Configuring this link as a trunk gives us the advantage of creating a voice VLAN that will carry nothing but voice traffic while allowing the highest Quality of Service Possible.Trial :: http://www. They’re not going to slow down anytime soon. 2002-2007 Link between switch and IP phone • The link between the switch and the IP phone can be configured as a trunk or an access link. • Configuring the link as an access link results in voice and data traffic being carried in the same VLAN. we’ve got four choices: – Configure the link – Configure the link 802. • Most Cisco IP phones will have three ports. you’re okay for now – you’ll be able to understand this chapter with no problem. I say “for now” because all of us need to know some basic VoIP.. I urge you to look into a Cisco voice certification. Inc.. either. Once you’re done with your CCNP.docudesk. Voice traffic is much more delay-sensitive than data traffic. Inc. and another will be an access port that will connect to a PC. giving the delay-sensitive voice traffic priority over “regular” data handled by the switch.1p – Configure the link tag voice traffic – Configure the link Voice VLAN as an access link as a trunk link and use as a trunk link and do not as a trunk link and specify a © Train Signal. Inc. which can lead to delivery problems with the voice traffic.. The problem isn’t that the voice traffic will not get to the switch – it simply may take too long. 2002-2007 Four Choices • When it comes to the link between switch and the IP Phone. © Train Signal.Voice over IP • If you don’t have much (or any) experience with Voice Over IP (VoIP) yet. One will be connected to a Catalyst switch. There are plenty of good vendor-independent VoIP books on the market as well.

. Inc. The commands to perform these tasks are mls qos and the interfacelevel command mls qos trust cos. Inc.Trial :: http://www.. there are just a few details you should be aware of when configuring: – When Voice VLAN is configured on a port. © Train Signal. 2002-2007 PDF Created with deskPDF PDF Writer . 2002-2007 Details you should know about – Part 2 – You can configure voice VLANs on ports running port security or 802. – CDP must be running on the port leading to the IP phone. but take a few seconds to make sure with show cdp neighbor. Portfast is automatically enabled – but if you remove the Voice VLAN. 2002-2007 Details you should know about – Part 1 • As always. It is recommended that port security be set to allow more than one secure MAC address. – Particularly when implementing video conferencing. VLAN 0 © Train Signal. Inc. respectively. – Voice VLANs are supported only on L2 access ports. CDP should be globally enabled on all switch ports. © Train Signal. – Cisco recommends that QoS be enabled on the switch and the switch port connected to the IP phone be set to trust incoming CoS values. This allows for network control traffic to flow through the network and helps to prevent jitter as well. Portfast is NOT automatically disabled.com 85 . make sure your total overall traffic doesn’t exceed 75% of the overall available bandwidth.docudesk.. and data! Cisco also recommends that voice and video combined not exceed 33% of a link’s bandwidth.Dot1p Option • The dot1p option has two effects: – The IP Phone grants voice traffic high priority – Voice traffic is sent through the default voice native VLAN. That inclues video.1x authentication. voice.

© Train Signal. I grant you that’s a poor excuse for a compliment! IntServ uses the Resource Reservation Protocol (RSVP) to do its job. but we’ve got three main enemies when it comes to successful voice transmission: – Jitter – Delay – Packet Loss © Train Signal.Three Main Enemies • I mentioned jitter earlier. or IntServ. Where IntServ reserves an entire path in advance for the entire voice packet flow to use. is far superior to best-effort.com 86 . Inc. • The Integrated Services Model. Inc.docudesk... Best-effort works fine for UDP. or DiffServ. The creation of this path is sometimes referred to as Guaranteed Rate Service (GRS) or simple Guaranteed Service. 2002-2007 PDF Created with deskPDF PDF Writer . but not for voice traffic. instead. 2002-2007 QoS • Best-effort delivery is the QoS you have when you have no explicit QoS configuration – the packets are simply forwarded in the order in which they came into the router.. DiffServ does not reserve bandwidth for the flow. 2002-2007 DiffServ • That issue is address with the Differentiated Services Model.Trial :: http://www. DiffServ makes its QoS decisions on a per-hop basis as the flow traverses the network. The device that wants to transmit the traffic does not do so until a reserved path exists from source to destination. and that reservation involves creating a high-priority path in advance of the voice traffic’s arrival. Inc. © Train Signal.

Where the VLAN ID indicates the VLAN whose hosts should receive the frame. Inc. Inc. 2002-2007 PDF Created with deskPDF PDF Writer . with all the differences between these two that you’ve already mastered. Inc. the frame should receive.) Marking is the process of tagging data with a value. © Train Signal. this is easy! © Train Signal. 2002-2007 Code of Service – Part 1 • You know that the physical link between two switches is a trunk. ISL and IEEE802. if any. the CoS is used by the switch to make decisions on what QoS. and classification is taking the appropriate approach to queueing and transmitting that data according to that value. but they work very closely together.docudesk.1p priority bits that make up the CoS value. as you’ll see.1Q (“dot1q”) handle CoS differently. © Train Signal. but three binary bits give us a range of decimal values of 0 – 7.DiffServ Model • The DiffServ model allows each network device along the way to make a separate decision on how best to forward the packet towards its intended destination. • It certainly won’t surprise you to find that our trunking protocols. rather than having all forwarding decisions made in advance. • The core tasks of DiffServ QoS are marking and classification. This process is Per-Hop Behavior (PHB). 2002-2007 Code of Service – Part 2 • The ISL tag includes a 4-bit User field... and again that gives us a decimal range of 0-7. You might not know that another value – a Code of Service (CoS) value – can also be placed on that frame. the last three bits of that field indicated the CoS value. but this field is built a little differently.. • The dot1q tag has a User field as well. (They are two separate operations.Trial :: http://www. Dot1q’s User fields has three 802. I know I don’t have to tell you this. Hey. and you know that the VLAN ID is tagged on the frame before it goes across the trunk.com 87 .

ToS
• The IP ToS byte consists of...
– an IP precedence value, generally referred to as IP Prec (3 bits) – a Type Of Service Value (4 bits) – a zero (1 bit)

• DiffServ uses this 8-bit field as well, but refers to this as the Differentiated Services (DS) field. The DS byte consists of...
– a Differentiated Service Code Point value (DSCP, 6 bits, RFC 2474) – an Explicit Congestion Notification value (ECN, 2bits, RFC 2481)

• The 6-bit DSCP value is itself divided into two parts
– a Class Selector value, (3 bits) – a Drop Precedence value (3 bits)
© Train Signal, Inc., 2002-2007

Class Selector Values
• Here’s a quick description of the Class Selector values and their meanings:
– Class 7 (111) – Network Control, and the name is the recipe – this value is reserved for network control traffic (STP, routing protocol traffic, etc.) – Class 6 (110) – Internetwork Control, same purpose as Network Control – Class 5 (101) – Expedited Forwarding (EF, RFC 2598) – Reserved for voice traffic and other time-critical data. Traffic in this class is practically guaranteed not to be dropped. – Classes 1-4 (001 – 100) – Assured Forwarding (AF, RFC 2597) – These classes allow us to define QoS for traffic that is not as time-critical as that in Class 5, but that should not be left to besteffort forwarding, which is... – Class 0 (000) – Best-effort forwarding. This is the default.
© Train Signal, Inc., 2002-2007

Assured Forwarding classes
• We’ve got four different classes in Assured Forwarding, and RFC 2597 defines three Drop Precedence values for each of those classes:
– High – 3 – Medium – 2 – Low – 1

• The given combination of any class and DP value is expressed as follows: AF (Class Number)(Drop Precedence) • That is, AF Class 2 with a DP of “high” would be expressed as: “AF23”
© Train Signal, Inc., 2002-2007

PDF Created with deskPDF PDF Writer - Trial :: http://www.docudesk.com

88

Other Techniques
• We’ve talked at length about using a priority queue for voice traffic, but there are some other techniques we can use as well. As with any other QoS, the classification and marking of traffic should be performed as close to the traffic source as possible. Access-layer switches should always perform this task, not only to keep the extra workload off the core switches but to ensure the end-to-end QoS you wanted to configure is the QoS you’re getting. • Another method of improving VoIP quality is to configure RTP Header Compression. This compression takes the IP/UDP/RTP header from its usual 40 bytes down to 2-4 bytes. • RTP header compression is configured with the interface-level ip rtp header-compression command, with one option you should know about – passive. If the passive option is configured, outgoing packets are subject to RTP compression only if incoming packets are arriving compressed.
© Train Signal, Inc., 2002-2007

AVVID – Part 1
• Cisco’s Architecture for Voice, Video, and Integrated Data (AVVID) is a comprehensive network architecture approach which integrates Voice and Video into an existing Data network. (But you knew that from the name, right?) • A PDF available on Cisco’s website lists these five AVVID components as primary concerns:
– – – – – High Availability Quality of Service Security Enterprise Mobility Scalability
© Train Signal, Inc., 2002-2007

AVVID – Part 2
• Basically, AVVID is designed to take an organization’s existing infrastructures and combine them into one large infrastructure. Cisco’s theory holds that doing so will reduce overall costs while preparing the infrastructure to run the latest and greatest Cisco technologies. Storage Networking is becoming more and more important every day, and is also an important part of an AVVID design.
© Train Signal, Inc., 2002-2007

PDF Created with deskPDF PDF Writer - Trial :: http://www.docudesk.com

89

Wide-Ranging AVVID
• To show you how wide-ranging AVVID is, a single AVVID infrastructure is designed to hold all of the following hardware:
– – – – – – – Cisco routers Cat switches IP phones Voice trunking Cisco Call Manager Analog and digital gateways to the PSTN Voice modules
© Train Signal, Inc., 2002-2007

POE
• With POE, the electricity necessary to power the IP Phone is actually transferred from the switch to the phone over the UTP cable that already connects the two devices. • Not every switch is capable of running POE. Check your particular switch’s documentation for POE capabilities and details. • The IEEE standard for POE is 802.3af. There is also a proposed standard for High-Power POE, 802.3at. To read more than you’d ever want to know about POE, visit http://www.poweroverethernet.com.
© Train Signal, Inc., 2002-2007

POE-capable switches – Part 1
• By default, ports on POE-capable switches do attempt to find a device needing power on the other end of the link. We’ve got a couple of options for POE as well: SW4(config)#int fast 1/0/1 SW4(config-if)#power inline ? auto Automatically detect and power inline devices consumption Configure the inline device consumption never Never apply inline power static High priority inline power interface
© Train Signal, Inc., 2002-2007

PDF Created with deskPDF PDF Writer - Trial :: http://www.docudesk.com

90

Inc.POE-capable switches – Part 2 • The Auto setting is the Default. The area of coverage the WAP provides is called a cell. The consumption option allows you to set the level of power sent to the advice: SW4(config-if)#power inline consumption ? • And naturally. 2002-2007 PDF Created with deskPDF PDF Writer ..com 91 . Inc. 2002-2007 WLAN • A common wireless topology is an Infrastructure Wireless Local Area Network (WLAN) . 2002-2007 Wireless Networking • • • • • • Wireless Basics and Standards Antenna Types and Usage CSMA/CA CCX Program The Lightweight Access Point Protocol Aironet System Tray Utility © Train Signal. the never option disables POE on that port. The SSID is the public name of the wireless network.Trial :: http://www.docudesk. POE options and capabilities differ from one device to the next. SSIDs are case-sensitive and can be up to 32 characters in length. so check your switch’s documentation ‘carefully’ before using POE. that cell can shrink and grow without warning! • Hosts successfully connecting to the WAP in a BSS are said to have formed an association with the WAP. and as any of us who have used wireless networks know. © Train Signal. A SSID is simply a string of text. © Train Signal. also called a Basic Service Set (BSS). Forming this association usually requires the host to present required authentication and/or the correct Service Set Identifier (SSID)... where a Wireless Access Point (WAP) is used to allow multiple devices to intercommunicate. Inc.

Inc. WAP • Cisco uses the term AP instead of WAP in much of their documentation. • Open system is basically one station asking the receiving station "Hey. Those of us who are roaming users understand the "theoretical" part! • Speaking as a roaming user. 2002-2007 WLAN Authentication (And Lack of Same) • Of course. will (theoretically) always be in the provider's coverage area. shared key is the authentication system you're more familiar with. Inc. which in this case is the AP. :) Seriously. 2002-2007 Active and Passive scanning • What we do know is that there are two different methods the client can use to find the next AP . I'll call it an AP for the rest of this section. did you ever wonder how your wireless card decides to quit using its current AP and start using the next one in line? Well. since they all use different standards on when that cutover needs to be performed..Trial :: http://www.active scanning and passive scanning. keep wondering. 2002-2007 PDF Created with deskPDF PDF Writer . Inc.docudesk.AP vs. wireless vendors keep us guessing on this one. you don't want just any wireless client connecting to your WLAN! The 802.com 92 . do you recognize me?" • Hopefully. • Passive scanning is just what it sounds like .. since open system is a little too open! Shared key uses Wired Equivalent Privacy (WEP) to provide a higher level of security than open system. If multiple Probe Responses are heard. • A BSS operates much like a hub-and-spoke network in that all communication must go through the hub. No Probe Request frames are sent. They're both pretty much what they sound like. or roaming user. © Train Signal. © Train Signal. © Train Signal. the client sends Probe Request frames and then waits to hear Probe Responses.. • APs can also be arranged in such a way that a mobile user. just be prepared to see this term expressed either way on your exam and in network documentation.11 WLAN standards have two different authentication schemes open system and shared key. With active scanning. the client chooses the most appropriate WAP to use in accordance with vendor standards.the client listens for beacon frames from APs.

the Wi-Fi Alliance improved the original WPA standards. © Train Signal. particularly those designed for home use.org) saw the need for stronger security features in the wireless world..Trial :: http://www.11i . • When the IEEE issued 802. As a result.. 2002-2007 PDF Created with deskPDF PDF Writer . WPA was adopted by many wireless equipment vendors while the IEEE was working on a higher standard as well. a higher standard for wireless security. Inc. both WPA and WPA2 are major improvements over WEP. 2002-2007 WPA and WPA2 • To put it lightly.but it wasn't adopted by every vendor. Sadly. and came up with WPA2. not all older wireless cards will work with WPA2. LEAP has several advantages over WEP: – There is two-way authentication between the AP and the client – The AP uses a RADIUS server to authenticate the client – The keys are dynamic. so a different key is generated upon every authentication © Train Signal. Their answer was Wi-Fi Protected Access (WPA). offer WEP as the default protection . WPA is considered to work universally with wireless NICs. 2002-2007 Wi-Fi Alliance • Recognizing the weaknesses inherent in WEP. • Basically. the Lightweight Extensible Authentication Protocol.. 802. As you might expect.com 93 .A Giant LEAP Forward • The Extensible Authentication Protocol (EAP) was actually developed originally for PPP authentication. the Wi-Fi Alliance (their home page is http://wi-fi. many users will prefer WEP simply because the password is shorter. Inc.so don't just click on all the defaults when you're setting up a home wireless network! The WPA or WPA2 password will be longer as well they're actually referred to as passphrases. RFC 3748 defines EAP. not static.docudesk. © Train Signal. Inc.11i. • Cisco's proprietary version of EAP is LEAP. but not with all early APs. but has been successfully adapted for use in wireless networks. Many wireless devices.

11g • 802.com 94 . 2002-2007 PDF Created with deskPDF PDF Writer .11b has a typical data rate of 6. (And you thought they were just annoying when people burn popcorn in the office microwave!) Solid objects such as walls and other buildings can disturb the signal in any bandwidth. but microwave ovens also share the 2.Trial :: http://www.11g has a typical data rate of 25 MBPS. 802. or just "b/g".5 MBPS.4 GHz. • 802. not directly. In an ad hoc WLAN ("wireless LAN"). • 802. In the real world.11n • You can have trouble with 802. you'll almost always here them call ad hoc networks. 2002-2007 802. 802.4 GHz band.11a has a typical data rate of 25 MBPS. but can reach speeds of 54 MBPS. © Train Signal.11b.11b/g". © Train Signal... a peak data rate of 540 MBPS. and an indoor range of 100 feet.docudesk.11b and 802. • 802. Inc. Indoor range is 100 feet. Operating frequency is 5 GHz.11g from an unexpected source – popcorn! Well. Operating frequency is 2. Inc.4 GHz or 5 GHz. Inc.IBSS • APs are not required to create a wireless network. © Train Signal. but can reach speeds of 11 MBPS.4 GHz. The official name for an ad hoc WLAN is an Independent Basic Service Set (IBSS). Operating frequency is 2.11n has a typical data rate of 200 MBPS.11a. 802.. and the presence of a microwave in an office can actually cause connectivity issues. Operating frequency is either 2. and an indoor range of 160 feet.11g and 802. Indoor range is 100 feet. the wireless devices communicate with no AP involved.11g are compatible to the point where many wireless routers and cards that use these standards are referred to as "802. a peak data rate of 54 MBPS. 2002-2007 802. but it couldn't hurt to keep the official name in mind for your exam.

we can't just call these antennae by one name! Yagis are also known as pointto-point and directional antenna. Inc. an Omni ("omnidirectional") antenna sends a signal in all directions on a particular plane.1 compliant. and even that might not be enough . but the IrDA is concerned with standards for transmitting data over infrared light. which has a theoretical maximum speed of 4 MBPS. Which doesn't sound like fun. Inc. the full name is "Yagi-Uda antenna") sends its signal in a single direction.. 2002-2007 Antenna Types – Part 2 • Since this is networking.docudesk.0 only allowed for a range of 1 meter and transmitted data at approximately 115 KBPS. • The IrDA notes that to reach that 4 MBPS speed. The two standards are compatible. • Both Yagi and Omni antennas have their place in wireless networks. © Train Signal. © Train Signal. the hardware must be 1.1. 2002-2007 Antenna Types – Part 1 • A Yagi antenna (technically. which means it must be aligned correctly and kept that way. Omni antennas are also known as omnidirectional and point-to-multipoint antenna.com 95 . IrDA 1.the software may have to be modified as well. The multidirectional signal sent by Omni antennas help connect hosts to APs. The unidirectional signal a Yagi antenna sends makes it particularly helpful in bridging the distance between APs. including roaming laptop users -. The transmission speed was greatly improved with IrDA 1. Inc..only infrared light streams.like the ones who connect to the Net while eating lunch! © Train Signal. since they send their signal in a particular direction.. Yagi antennas are sometimes called directional antennas.Infrared Data Association (IrDA) • The IrDA is another body that defines specifications.Trial :: http://www. 2002-2007 PDF Created with deskPDF PDF Writer . • In contrast. • Keep in mind that neither IrDA standard has anything to do with radio frequencies .

. waits for the DIFS timer to expire.you'll find the site quickly. I'm sure they're great at what they do. In our example. this random amount of time is the Backoff Time. Instead. and that random value helps avoid collisions.the Cisco Compatible Extension (CCX) website. © Train Signal. Wireless LANs can't listen and send at the same time . • "How The $&!(*% Can I Figure Out Which Equipment Supports Which Features?" • A valid question! :) • Thankfully.. you may just wonder.Trial :: http://www..CSMA/CA • With "Wireless LANs". The formula for computing Backoff Time is beyond the scope of the BCMSN exam. • Let’s walk through an example of Wireless LAN access. • The website name is a little long to put here. 2002-2007 The Cisco Compatible Extensions Program • When you're looking to start or add to your wireless network.you'll get the Chicago Climate Exchange. but don't trust them to verify wireless capabilities! © Train Signal. and it may well change. © Train Signal. Inc. the station must wait for the Distributed Interframe Space (DIFS) time interval to expire before doing so. and then sends frames. Host A finds the wireless channel to be idle. Cisco's got a great tool to help you out .docudesk. Don't just enter "CCX" in there .. (Carrier Sense Multiple Access with Collision Avoidance).they're half-duplex so traditional collision detection techniques cannot work. CSMA/CA... Inc. wireless LANs will use IEEE standard 802.Cisco also certifies wireless devices that are guaranteed to run a desired wireless feature.11.com 96 . • The foundation of CSMA/CA is the Distributed Coordination Function (DCF). Cisco certification isn't just for you and I . 2002-2007 PDF Created with deskPDF PDF Writer . so I recommend you simply enter "Cisco compatible extension" into your favorite search engine . and you’ll see where the “avoidance” part of CSMA/CA comes in. Inc. 2002-2007 DCF-speak • In DCF-speak. life isn't so simple. but the computation does involve a random number. The key rule of DCF is that when a station wants to send data.

ensuring that each LAP is consistently enforcing the same set of wireless network access rules and regulations. Inc.com 97 . the colors aren't exactly intuitive. • By no small coincidence. © Train Signal. and more. Cisco has developed such an authority as part of their Cisco Unified Wireless Network . Inc.make sure to do your research before purchasing! © Train Signal. 2002-2007 PDF Created with deskPDF PDF Writer .docudesk. 2002-2007 Aironet System Tray Utility • We're all familiar with the generic icon on a laptop or PC that shows us how strong (or weak) our wireless signal is. the icon will change color to indicate signal strength and other important information. This communication takes place via LWAPP. The WLAN Controller than informs the LAPs of these policies and procedures. The WLAN Controller will be configured with security procedures. the LightWeight Access Point Protocol. • Problem is.the WLAN Controller. Quality of Service (QoS) policies. so we better know what they mean! Here's a list of ASTU icon colors and their meanings. Inc. • Many Cisco Aironet access points can operate autonomously or as an LAP. mobile user policies. Here are a few of those models: – 1230 AG Series – 1240 AG Series – 1130 AG Series • Some other Aironet models have circumstances under which they cannot operate as LAPs ... we really need some kind of central authority to ensure that a consistent access policy is successfully implemented..The Lightweight Access Point Protocol (LWAPP) • As our wireless networks get larger and larger. 2002-2007 WLAN Controller • The WLAN Controller is basically the quarterback of the WLAN. which communicates with Lightweight Access Points (LAP). with the LAPs serving as the other players. © Train Signal.Trial :: http://www. The Aironet System Tray Utility (ASTU) gives us that information and a lot more. Instead of just indicating how strong the wireless signal is.

Access Layers Enterprise Composite Network Model Server Farm Block Network Management Block Enterprise Edge Block Service Provider Edge Block © Train Signal. © Train Signal.No connection to AP is present. Inc. Inc. and signal strength is very good. but that the signal strength is low. • Green . © Train Signal.Connection to AP is present. • White . 2002-2007 EAP Authentication • If you're connecting to an ad hoc network. dark gray means there is no connection to an AP or remote client. and white means the adapter is disabled. • Dark Gray . The key is to know that red. • Yellow ..Red. and yellow are referring to signal strength.docudesk. but you are *not* EAP-authenticated. Distribution. Inc.com 98 . green.. 2002-2007 PDF Created with deskPDF PDF Writer . light gray indicates a lack of EAP authentication. but signal strength is fair. you are connected to an AP and are authenticated if necessary.Client adapter is disabled. Yellow and Green • Red . 2002-2007 Network Design and Models • • • • • • Core.This does not mean that you don't have a connection to an access point! It means that you do have connectivity to an AP. EAP authentication is in place if necessary. just substitute "remote client" for "AP" in the above list. • Light Gray ..Trial :: http://www. and you are authenticated via EAP if necessary.Again.Connection to AP is present.

so examine your particular network's requirements and switch documentation thoroughly before making a decision on purchasing core switches. 2002-2007 PDF Created with deskPDF PDF Writer . but for now.Trial :: http://www. © Train Signal. We want our core switches to handle switching. and let distribution-layer switches handle routing.. It's vital to keep any extra workload off the core switches. or Quality of Service. © Train Signal. Inc. Inc. and this is more than a full-time job. Switches at the core layer allow switches at the distribution layer to communicate.The Core Layer • The term core switches refers to any switches found here. 2002-2007 Core Switches – Part 2 • Core layer switches are usually the most powerful in your network.switches that can handle both the routing and switching of data. Leave ACLs and other filters for other parts of the network. Advanced QoS is generally performed at the core layer. and allow them to do what they need to do . Inc. so we're going to leave most frame manipulation and filtering to other layers. so we're interested in high-speed data transfer and very low latency. everything we do on a Cisco router or switch has a cost in CPU or memory.. We'll go into much more detail regarding QoS in another section. That's it! The core layer is the backbone of our network. 2002-2007 Core Switches – Part 1 • Today's core switches are generally multilayer switches . The throughput of core switches must be high. • The exception is Cisco QoS.com 99 . Remember. know that QoS is basically high-speed queueing where special consideration can be given to certain data in certain queues. the core layer. © Train Signal..docudesk.switch! • The core layer is the backbone of your entire network. capable of higher throughput than any other switches in the network. so we've got to optimize data transport.

so not only do the distribution-layer switches have to have high-speed ports and links. so fault tolerance needs to be as high as you can possibly get it. © Train Signal.so redundant uplinks are vital. The accesslayer switches are all going to have their uplinks connecting to these switches. Inc. 2002-2007 The Access Layer . • Distribution-layer switches must be able to handle redundancy for all links as well. Root bridges should also be located in the core layer whenever possible. VLAN membership is handled at this layer.com 100 ..Redundancy • We always want redundancy. • Redundancy is important at this layer as well . This is the nerve center of your entire network.hey. 2002-2007 The Distribution Layer • The demands on switches at this layer are high. Inc. as well as traffic filtering and basic QoS. 2002-2007 PDF Created with deskPDF PDF Writer . That's one reason you'll find powerful multilayer switches at this layer . © Train Signal. they've got to have quite a few to connect to both the access and core switches. when isn't redundancy important? . The distribution layer is also where routing should take place when utilizing multilayer switches. not routing. Examine your network topology closely and check vendor documentation before making purchasing decisions on distribution-layer switches... Inc.Trial :: http://www.switches that work at both L2 and L3. but you want a lot of redundancy in your core layer.Part 1 • End users communicate with the network at this layer. since the access layer is busy with end users and we want the core layer to be concerned only with switching. The uplinks should also be scalable to allow for future network growth. © Train Signal.docudesk.

Inc. 2002-2007 PDF Created with deskPDF PDF Writer . although hopefully there are easier ways for you to perform the filtering you need.. I want to remind you that networking models are guidelines. Devices in a switch block work together to bring network access to a unit of the network. and again.Part 2 • You also want your access layer switches to have as many ports as possible. which have both L2 and L3 capabilities (found at the distribution layer). © Train Signal. Inc. Inc. A good rule of thumb for access switches is "low cost.The Access Layer . These layers contain both the traditional L2 switches (found at the access layer) and multilayer switches.. A campus network is basically a series of LANs that are interconnected by a backbone. © Train Signal. which is one popular model used to design campus networks.) Collision domains are also formed at the access layer. and should be used as such.com 101 . plan for future growth. 2002-2007 Switch blocks • Switch blocks are units of access-layer and distribution-layer devices. but a month from now you might just wish you had bought a 24-port switch. 2002-2007 The Enterprise Composite Network Model • This model is much larger than the Cisco threelayer model. © Train Signal. Don't assume that today's sufficient port density will be just as sufficient tomorrow! • You can perform MAC address filtering at the access layer. as you'll see in just a moment. A 12-port switch may be fine one week. such as a single building on a college campus or in a business park.docudesk. This is particularly true of the Enterprise Composite Network Model.. (MAC filtering is a real pain to configure.Trial :: http://www. high switchport-to-user ratio".

though! • The Enterprise Composite Network Model uses the term block to describe the three layers of switches we just described. which is the backbone mentioned earlier..the number of LANs involved. Inc. This is a tremendous responsibility. and it's the major reason that I'll keep mentioning that we want the access and distribution layers to handle as many of the "extra" services in our network whenever possible. Inc.Trial :: http://www. The access and distribution layer switches are referred to as the switch blocks. Inc. © Train Signal. © Train Signal. 2002-2007 PDF Created with deskPDF PDF Writer ... again) • In turn. Helpful guidelines. The core block is the collection of core switches. We want the core switches to be left alone as much as possible so they can concentrate on what they do best .switch.so again. and these core blocks allow the switch blocks to communicate.docudesk.Core blocks • Core blocks consist of the high-powered core switches. the Campus Infrastructure module consists of these modules: – Building Access module (Access-layer devices) – Building Distribution module (Distribution-layer devices) – Campus Backbone (Interconnects multiple Distribution modules) © Train Signal. 2002-2007 Model Parts • Overall. the physical layout of the building or buildings involved being just two of them . 2002-2007 Few Factors • The design of such a network is going to depend on quite a few factors .com 102 . remember that these models are guidelines. there are three main parts of this model: – The Enterprise Campus – The Enterprise Edge – The Service Provider Edge • The Enterprise Campus consists of the following modules: – – – – Campus Infrastructure module Server Farm module Network Management module Enterprise Edge (yes.

. 2002-2007 PDF Created with deskPDF PDF Writer .. • A smaller network may not need switches to serve only as core switches. © Train Signal. distribution.com 103 . the server farm block will be a separate switch block. AAA servers. © Train Signal.Dual Core • The core design shown here is often referred to as dual core.in today's networks. or frankly. The combination of access. network monitoring tools. Inc. The point at which the switch block ends and the core block begins is very clear. and intruder detection tools are found in almost every campus network today. syslog servers. and core layers shown here is sometimes referred to as the Campus Infrastructure. may not be able to afford such a setup. the network management block. Inc. © Train Signal. referring to the redundant fashion in which the switch blocks are connected to the core block.. Inc. where certain switches will perform both as distribution and core switches. complete with access and distribution layer switches. 2002-2007 Server Farm Block • As much as we'd like to get rid of them sometimes. Smaller networks can use a collapsed core.Trial :: http://www. All of these devices can be placed in a switch block of their own.docudesk. 2002-2007 The Network Management Block • Network management tools are no longer a luxury . they're a necessity. we're not going to have much of a network without servers! In a campus network.

© Train Signal.. • Take a look at all the lines leading to those core switches.Internet and WAN connectivity – Part 1 • Internet and WAN connectivity for a campus network is a two-block job . The Enterprise Edge Block is indeed the edge of the campus network. we have no control over the actual structure of this block. 2002-2007 Bonus Video: Queueing • • • • Weighted Fair Queueing Class Maps & Policy Maps Priority Queueing Custom Queueing © Train Signal. Inc. we don't really care! The key here is that this block borders the Enterprise Edge Block. and this block of the routers and switches needed to give the needed WAN connectivity to the rest of the campus network.. Now you know why we want to dedicate as much of these switches' capabilities to pure switching we're going to need it! © Train Signal.Trial :: http://www. the other we do not.docudesk. And frankly. 2002-2007 PDF Created with deskPDF PDF Writer .com 104 . Inc.one block we have control over. and is the final piece of the Internet connectivity puzzle for our campus network.. 2002-2007 Internet and WAN connectivity – Part 2 • While the Service Provider Edge Block is considered part of the campus network model. Inc.

• Flow-Based WFQ takes these packet flows and classifies them into conversations. Inc. 2002-2007 First Reaction to WFQ • The first reaction to WFQ is usually something like this: "That sounds great.and CBWFQ does involve access list configuration.com 105 . rather than the router?" Good question! There's an advanced form of WFQ. WFQ gives priority to the interactive. and then splits the remaining bandwidth fairly between the noninteractive. FIFO may be all you need. Class-Based Weighted Fair Queueing (CBWFQ) that allows manual configuration of queueing .. but shouldn't the network administrator be deciding which flows should be transmitted first.. low-bandwidth conversations. FIFO is fine for many networks. Inc.there is no priority traffic. © Train Signal. These flows are defined by WFQ and require no access list configuration.First In.. high-bandwidth conversations. © Train Signal. © Train Signal.docudesk. FIFO is not your best choice. no traffic classes. no queueing decision for the router to make. 2002-2007 PDF Created with deskPDF PDF Writer . and if you have no problem with network congestion. Inc. 2002-2007 WFQ • What's so "fair" about Weighted Fair Queueing (WFQ)? WFQ prevents one particular stream of network traffic. from using most or all of the available bandwidth while forcing other streams of traffic to sit and wait. If you've got traffic that's especially timesensitive such as voice and video. First Out • FIFO is just what it sounds like . Flow-based WFQ is the default queueing scheme for Serial interfaces running at E1 speed or below. or flow.Trial :: http://www.

and don't forget all the other services that will need bandwidth as well! © Train Signal. Only 75% of that bandwidth can be assigned through CBWFQ.. It also includes bandwidth allocated for the following: – – – – – Low Latency Queueing (LLQ) IP Real Time Protocol (RTP) Priority Frame Relay IP RTP Priority Frame Relay PVC Interface Priority Queueing Resource Reservation Protocol (RSVP) © Train Signal.75 = 1158. Inc.it's a very common error with CBWFQ configurations. We can assign only 1158 kbps of a T1 interface's bandwidth in the policy map. Always go with a minimum of 75% of available bandwidth. 2002-2007 Reservable bandwidth • The "reservable bandwidth" referenced in this command isn't just the bandwidth assigned in CBWFQ. Inc. © Train Signal. because 25% is reserved for network control and routing traffic. We have already assigned 800 kbps to class 17210100. and 1544 x . Don't jump to the conclusion that bandwidth 64 is the proper command to use when you've got a 64 kbps link and you want to enable voice traffic to use all of it.docudesk. 2002-2007 PDF Created with deskPDF PDF Writer . 1544 kbps. you can't assign over 75% of an interface's bandwidth via CBWFQ. 2002-2007 Available Bandwidth • Why is 358 Kbps all that's available? Start with the bandwidth of a serial interface. By default. leaving only 358 kbps for other classes..com 106 .CBWFQ • CBWFQ configuration does have its limits.Trial :: http://www. Inc.. • Keep this 75% rule in mind .

.com 107 . Basically. the congestion is reduced. that results in underutilization of the bandwidth. the senders are either sending too little or too much traffic at any given time. Inc. Inc. but there are two major issues with it. 2002-2007 Dropped packets • Packets dropped due to tail drop result in the TCP senders reducing their transmission rate.docudesk. 2002-2007 TCP Global Synchronization • The result of TCP global synchronization? When the TCP sender simultaneously slow their transmission. packets are dropped and must be retransmitted. • All TCP senders will gradually increase their transmission speed as a result of the reduced congestion . © Train Signal. • As the transmission slows.. This is a result of TCP's behavior when packets are lost. • The other issue with tail drop is TCP global synchronization. First. © Train Signal. the bandwidth is oversubscribed.. What if this were voice traffic that needed to go to the head of the line? Tail drop offers no mechanism to look at a packet and decide that a packet already in the queue should be dropped to make room for it. When the TCP senders all increase their transmission rate at the same time. Inc.which results in congestion occurring all over again. and the entire process begins all over again.Trial :: http://www. 2002-2007 PDF Created with deskPDF PDF Writer .Tail Drop • Tail drop may be the default. © Train Signal. this isn't a very discriminating way to drop traffic.

2002-2007 CBWFQ • CBWFQ is definitely a step in the right direction.Trial :: http://www. so the queue-limit and priority commands are mutually exclusive. If the priority queue becomes full. the bandwidth and priority commands are also mutually exclusive. allowing us to avoid the jitter that comes with voice traffic that is not given the needed priority queueing.. RED will proactively drop packets before the queue gets full. © Train Signal. there are a couple of commands and services we've mentioned that don't play well with LLQ: – WRED and LLQ can't work together. Low Latency Queueing (LLQ) is an "add-on" to CBWFQ that creates such a strict priority queue for such traffic. but the decision of which packets will be dropped is still random. primarily voice traffic. Inc. it shouldn't surprise you to learn that the command to enable LLQ is priority. © Train Signal. Inc. © Train Signal.docudesk. Random Early Detection (RED) or Weighted Random Early Detection (WRED) can be used in place of Tail Drop.com 108 . 2002-2007 PDF Created with deskPDF PDF Writer .. 2002-2007 Before LLQ Configuration • Before we configure LLQ. LLQ doesn't have strict queue limits. – By its very nature. The random-detect and priority commands can't be used in the same class. but what we're looking for is a guarantee (or something close to it) that data adversely affected by delays is given the highest priority possible. • WRED gives the best service it can to packets in a priority queue.. Inc. and the voice traffic that will use LLQ's priority queue is UDP-based. – Finally.) • Since we're mentioning "priority" so often here.RED and WRED • To avoid the TCP Global Synchronization problems. Why? Because WRED is effective only with TCP-based traffic. (Cisco recommends that you use an LLQ priority queue only to transport Voice Over IP traffic. WRED uses either a packet's IP Precedence or Differentiated Services Code Point (DSCP) to decide which packets should be dropped. WRED will drop packets from other queues before dropping any from the priority queue.

0. Medium.255 range 17000 18000 permit udp 210.0.0.0 0.0..0 0.0.Example R2#show access-list Extended IP access list 155 permit udp 210. Normal.1.1.docudesk.255 range 20000 21000 R2(config)#class-map VOICE_TRAFFIC_PRIORITY R2(config-cmap)#match access-group 155 R2(config)#policy-map VOICE R2(config-pmap)#class VOICE_TRAFFIC_PRIORITY R2(config-pmap-c)#priority 45 R2(config-pmap-c)#class class-default R2(config-pmap-c)#fair-queue R2(config-pmap-c)#interface serial0 R2(config-if)#service-policy output VOICE © Train Signal.1. making HQ and LLQ the queueing solutions to use when a priority queue is needed.0.1. 2002-2007 Priority Queueing • The "next level" of queueing is Priority Queueing (PQ).1.1.. © Train Signal.0 0. Traffic is placed into one of these four queues through the use of access lists and priority lists.0. 2002-2007 Predefined queues – Part 1 • These four queues are predefined.0 0. as are their limits: – High-Priority Queue: 20 Packets – Medium-Priority Queue: 40 Packets – Normal-Priority Queue: 60 Packets – Low-Priority Queue: 80 Packets © Train Signal..255 220.1. Inc.0. Inc.1.com 109 . Inc. The High queue is also called the strict priority queue. where four predefined queues exist: High. 2002-2007 PDF Created with deskPDF PDF Writer .255 220. and Low.Trial :: http://www.

the packet limit for each configurable queue is 20 packets and each will send 1500 bytes when it's that queue's turn to transmit. CQ doesn't have the same queues that PQ has. with queues 1 . OSPF. there's one very important concept that you must keep in mind when developing a PQ strategy. packets in the Normal and Low queues may never be sent! This is sometimes referred to as traffic starvation or packet starvation. IGRP. 2002-2007 PDF Created with deskPDF PDF Writer . they're going to be sent before any packets in the lower queues. but the last thing we need is a third name for it. • If too many traffic types are configured to go into the High and Medium queues. Traffic that uses Queue Zero includes….Trial :: http://www. © Train Signal. By default..16 being configurable. – Hello packets for EIGRP.com 110 .CQ actually allows you to define how many bytes will be forwarded from every queue when it's that queue's turn to transmit. Before we configure PQ and change these limits.docudesk. Inc.) © Train Signal. though.. PQ is not round-robin. (I personally think it's more like queue starvation. 2002-2007 Network Control Traffic • The phrase "network control traffic" in regards to Queue Zero covers a lot of traffic. ISIS – Syslog messages – STP keepalives © Train Signal. when there are packets in the High queue.. • Queue Zero carries network control traffic and cannot be configured to carry additional traffic. CQ has 17 queues. 2002-2007 Custom Queueing • Custom Queueing (CQ) takes PQ one step further .Predefined queues – Part 2 • It won't surprise you to learn that these limits can be changed. Inc. Inc.

Round-Robin System • CQ uses a round-robin system to send traffic. • Configuring CQ is basically a three-step process: – Define the size of the queues – Define what packets should go in each queue – Define the custom queue list by applying the list to the appropriate interface © Train Signal.Trial :: http://www.. Inc. that queue will transmit until it's empty or until the configured byte limit is reached.docudesk. CQ allows you to allocate the desired bandwidth for any and all traffic types. 2002-2007 PDF Created with deskPDF PDF Writer . When it's a queue's turn to send.com 111 . By configuring a byte-limit.